AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


Jailbreaking – Checkra1n Configuration

In this installment, I felt that I should discuss how to use Checkra1n, and how to actually get into the device via two methods: localhost (tethered) and WiFi (untethered). This is not a blog to discuss how Checkra1n is doing what it is doing, or what Checkm8 is doing prior to the device booting. Additionally, you do this at your own risk. Just because it works on one device does not mean it’ll work on the next. This blog is all about what to do AFTER you have jailbroken a device, largely because I was beating my own head into the desk trying to remember how to do this since it had been so long…and naturally most topics on this are from the early 2010s, and we are about to hit 2020 in a couple of weeks!

First, to get Checkra1n on your Mac (macOS only, for the time being), download the .dmg file from https://checkra.in/. The first time you run it, you need to go into your Applications folder, right-click the application and choose Open, because your Mac is going to go into nanny state on you. That will unlock the application and you’ll be able to run it no problem. There is also a non-GUI version if you’re so inclined. Frankly, the GUI is pretty legit though, in my opinion.

Once the phone is jailbroken and you’ve installed Cydia, you need to make sure that you have OpenSSH installed on the device. It should be installed by default, but check to be sure. You should see a green check box next to OpenSSH if it is successfully installed.

Next comes the head-bashing part. I will admit 100%, I have no idea if this actually was the reason or not. But after I did this — it worked like a charm, so I’m going to go with you do this! You are going to need to have “brew” installed on your Mac. To do this, click here. You need to install libimobiledevice. This is an essential tool for dealing with these phones, so trust me — just do it anyway…even if you’re not jailbreaking.

With the device connected via Thunderbolt to your Mac, you are going to run a command called iProxy, where you specify your listening SSH port and the SSH port for the iPhone, which is Port 44. For this case, I’m using Mattia Epifani’s suggestion to keep new documentation (as of 2019) as uniform as possible. By the way, you need sudo. Type the following command and you’ll be greeted with a “waiting connection” message.

Great! That part is easy. Now for where I kept messing up. Open a separate terminal window and SSH using the first port you specified. In this case, we are using Port 23. When SSH’ing into the device while connected, you are doing this via localhost, and you need to log in with the credentials for the phone. As always, that is root with the password alpine. However, this can be changed by the user — so remember that if you’re dealing with something already jailbroken! You will be greeted with something like this:

Boom. We are now into the device! If you look over at your iProxy window you’ll see some activity in there. Note that the UDID is in there. From there you need to know where you’re going. At first glance, you’re only going to see two directories you can traverse to. However, Mattia gave you a mild answer in his blog post here. You are going to “cd” to the following location: 

And from there you have two folders of interest. The first is Media. Pretty self-explanatory. The second is Library, which is going to show you this:

In the business, we like to call that a: 

So how do you get the data out? 

Well, the reason we are in the phone and traversing is so we can find the specific folders/files you want. While Mattia has made a script, it is not necessarily tailored to what YOU want. So you need to run the following:

sshpass -p alpine scp -P <Local_Port> root@localhost:/path_to_file /path_to_destination

So if you’re like me and hate seeing all the <blah blah blah> because it distracts you, it should look like the screenshot below: 

And as you can see, the sms.db is in there! Key note to remember: this is case sensitive!
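
The copy-out step above, wrapped so that every file pulled through the tunnel is hashed and logged at acquisition time. This is an added example, not code from the original post or from Mattia’s script; the function names and the acquisition_log.tsv file name are hypothetical, and it assumes sshpass, scp and either sha256sum or shasum are installed.

```shell
#!/bin/sh
# Added example (not from the original post): copy one file out through the
# iproxy tunnel, then log its size and SHA-256 at acquisition time.
# Assumes the tunnel from the post (local port 23 -> device port 44) is already
# running in another terminal, and that sshpass and scp are installed.

LOCAL_PORT="${LOCAL_PORT:-23}"   # first port given to iproxy in the post

# Print the SHA-256 of a file; sha256sum on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Append one tab-separated record to the acquisition log:
# UTC time, path on the device, local copy, size in bytes, SHA-256.
log_artifact() {
    remote_path=$1; local_copy=$2; log_file=$3
    size=$(wc -c < "$local_copy" | tr -d ' ')
    printf '%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$remote_path" "$local_copy" \
        "$size" "$(sha256_of "$local_copy")" >> "$log_file"
}

# Copy a single file from the device into dest_dir and log it.
# The password is read from the SSHPASS environment variable (sshpass -e),
# so it does not show up in the process list the way "-p alpine" does.
pull_artifact() {
    remote_path=$1; dest_dir=$2
    mkdir -p "$dest_dir" || return 1
    local_copy="$dest_dir/$(basename "$remote_path")"
    sshpass -e scp -P "$LOCAL_PORT" "root@localhost:$remote_path" "$local_copy" || return 1
    chmod a-w "$local_copy"      # working copy is read-only from here on
    log_artifact "$remote_path" "$local_copy" "$dest_dir/acquisition_log.tsv"
}

# Usage, with the placeholders from the post:
#   export SSHPASS=alpine
#   pull_artifact /path_to_file /path_to_destination
```

Each call appends one line to acquisition_log.tsv in the destination folder, which gives you a hash to verify the working copy against later.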

SSH via Network

This is super simple if you are able to master the localhost aspect. With this method, you don’t need to use iProxy. Remember, this is over the network — so you know, make sure your computer and the device are on the same network! 

Get the mobile device’s IP address. You have two ways to do this. The first is from an unlocked device: go to Settings > Wi-Fi, click the “I” in a circle, and you’ll see an IP address,

or the fun way: 

Get the IP address of your gateway and let’s run some good old-fashioned nmap scans. In my case it is 172.20.10.1, so let’s run zenmap (the GUI version of nmap) and see if we can find our device:

 

And there we go! We now have the IP address. So now instead of running SSH against localhost, you substitute that with the IP address and don’t specify the port. You will be greeted with this: 

Congrats! You are now into the phone via the network and can do the same things you would have done before. Additionally, if you wanted to copy files out — follow the steps above or from Mattia’s blog and you’ll be good to go as well! 

Happy Hunting! 
