
iOS 9: Effective Jailbreak

If you have an iDevice running iOS 9.2 or 9.3.3, by now you might have realized that the latest jailbreak from Pangu comes bundled with a series of issues.

First of all, the certificate used to sign the jailbreak IPA expires after 7 days, meaning that once the certificate expires you will need to install the jailbreak IPA again. However, Pangu now offers the option to use an embedded certificate valid until April 2017. This means that, before April 2017, you will not need to reinstall the Pangu jailbreak app.

The second issue users are facing is that the jailbreak leaves basically no free space on the /System partition, so it is nearly impossible to install any 3rd-party package on the (newly) jailbroken device. This has also been noted by a few users of Needle, who raised some issues on GitHub:

Hi, as you can see from the error log you posted above:

failed in buffer_write(fd) (7, ret=-1): backend dpkg-deb: No space left on device

the device you are using has no space left on disk. If you want to install other tools you’ll have to free up some space first. – Marco Lancini

Stashing (the dangerous way)

Stashing basically means moving several folders containing iOS system components (like Wallpapers, Ringtones, etc.) to /var/stash, in order to make space on the system partition.

Many tutorials can be found online that explain how to perform this action on a jailbroken iOS 9.X.

These tutorials, however, suggest a different approach: rather than stashing iOS system components, they recommend stashing the tweaks and themes from Cydia instead.

Even though it is supposed to be a safer approach than traditional stashing, this resulted in (many) devices being bricked.

Stashing (without bricking devices)

The rough process is:

  • the system fonts are stored in /System/Library/Fonts
  • we can move them to /private/var (which is where we have loads of space)
  • then we can create a Unix symlink in the old location pointing to the new one

If we take a look at the available space before this procedure, we see that / is fully utilised:

marcos-iPod:~ root# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/disk0s1s1  2.7G  2.7G     0 100% /
devfs            47K   47K     0 100% /dev
/dev/disk0s1s2   13G  878M   12G   8% /private/var

Let’s proceed to stash the system fonts:

marcos-iPod:/private/var root# mv /System/Library/Fonts/ /private/var/
marcos-iPod:/private/var root# ln -s /private/var/Fonts /System/Library/Fonts

If we check again, we can now see that we freed 140M on /, which, for example, is more than enough to install all of Needle’s dependencies:

marcos-iPod:/private/var root# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/disk0s1s1  2.7G  2.6G  140M  95% /
devfs            47K   47K     0 100% /dev
/dev/disk0s1s2   13G  1.2G   11G  10% /private/var

[Please note that even this method is not bulletproof!]
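The two commands above (mv, then ln -s) do the job, but a failed or interrupted mv is exactly how a stash attempt leaves a device unusable. The script below is an added example, not part of the original post nor of Pangu, Cydia or Needle: it wraps the same procedure in a hypothetical stash_dir helper that refuses to run on anything that is not a plain, not-yet-stashed directory, copies the tree first, verifies the copy by checksum, and only then removes the original and creates the symlink, so that any failure leaves the original in place. The paths /System/Library/Fonts and /private/var are the ones used in the post; the function names are assumptions.

```shell
#!/bin/sh
# stash_dir SRC DEST_PARENT
#   Moves directory SRC under DEST_PARENT and leaves a symlink at SRC pointing
#   at the new location, e.g.:  stash_dir /System/Library/Fonts /private/var
#   Hypothetical helper written for this post (not part of Pangu, Cydia or Needle).
#   Unlike a bare "mv", it copies first, verifies the copy, and only then
#   removes the original, so a failed step leaves the device as it was.

# Checksum every regular file under a directory in a deterministic order,
# so two trees can be compared as plain strings (cksum and find are POSIX).
checksum_tree() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        cksum "$f"
    done)
}

# Available space in KiB on the filesystem holding the given path (df -P is POSIX).
avail_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

stash_dir() {
    src=$1
    dest_parent=$2
    dest="$dest_parent/$(basename "$src")"
    src_fs=$(dirname "$src")

    # Refuse to touch anything that is not a plain, not-yet-stashed directory.
    if [ -L "$src" ]; then
        echo "refusing: $src is already a symlink (already stashed?)" >&2
        return 1
    fi
    if [ ! -d "$src" ]; then
        echo "refusing: $src is not a directory" >&2
        return 1
    fi
    if [ ! -d "$dest_parent" ]; then
        echo "refusing: $dest_parent is not a directory" >&2
        return 1
    fi
    # Never clobber an existing stash: a previous attempt may have left data here.
    if [ -e "$dest" ] || [ -L "$dest" ]; then
        echo "refusing: $dest already exists" >&2
        return 1
    fi

    echo "free on $src_fs before: $(avail_kb "$src_fs") KiB"

    # 1. Copy, preserving modes and timestamps; the original stays intact.
    if ! cp -pR "$src" "$dest"; then
        rm -rf "$dest"
        echo "copy failed; original left in place" >&2
        return 1
    fi
    # 2. Verify the copy (every file, by checksum) before deleting anything.
    if [ "$(checksum_tree "$src")" != "$(checksum_tree "$dest")" ]; then
        rm -rf "$dest"
        echo "copy verification failed; original left in place" >&2
        return 1
    fi
    # 3. Only now remove the original and put the symlink in its place.
    rm -rf "$src" || return 1
    ln -s "$dest" "$src" || return 1

    echo "free on $src_fs after: $(avail_kb "$src_fs") KiB"
    return 0
}

# Run as a script with two arguments; sourcing the file just defines the functions.
if [ "$#" -eq 2 ]; then
    stash_dir "$1" "$2"
fi
```

Running it a second time on the same path is refused, because /System/Library/Fonts is then a symlink rather than a directory; the same check stops it from stashing a path that a previous, half-finished attempt already touched.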

Marco Lancini