Guide for setting up a physical device for iOS security research.


Device       Chip  checkm8  Good for
-----------  ----  -------  ---------------------------------------------
iPhone X     A11   Yes      Best for learning – checkm8 + powerful enough
iPhone 8     A11   Yes      Budget option, same A11
iPhone SE 2  A13   No       iOS 15-16 research (Dopamine)
iPhone 11    A13   No       iOS 15-16 research
iPhone 13    A15   No       SPTM research (iOS 17+)

Tips for Buying a Device

  • Buy second-hand; the older the iOS version, the better
  • Check the iOS version BEFORE buying (Settings, General, About)
  • Do not update iOS after purchase
  • Best case: device already on iOS 15.x or 16.x

Jailbreak Setup

palera1n (checkm8 devices, iOS 15-17)

# Install palera1n
git clone --recursive https://github.com/palera1n/palera1n
cd palera1n

# Put device in DFU mode:
# iPhone X: Hold Side + Volume Down → release Side when Apple logo appears
#           → Keep holding Volume Down until DFU screen

# Run palera1n
./palera1n.sh --tweaks

# Wait for device to boot jailbroken
# Open palera1n app → Install Sileo

Dopamine (iOS 15-16, A9-A16)

1. Install TrollStore (if available for the iOS version)
2. Download Dopamine.tipa
3. Install via TrollStore
4. Open Dopamine → Jailbreak
5. Install Sileo from Dopamine

Post-Jailbreak Essential Setup

SSH Access

# Install OpenSSH on device (via Sileo)
# Connect from Mac:
ssh root@DEVICE_IP
# Default password: alpine (CHANGE THIS!)
passwd

# USB tunnel (if not on the same WiFi)
iproxy 2222 22 &
ssh root@localhost -p 2222
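A Mac-side helper for the USB tunnel step above, added here as an example (it is not from the original guide, nor from the palera1n or Dopamine projects): it starts iproxy only if the local port is free, waits until the forward actually accepts connections (ssh otherwise races iproxy and fails with "connection refused"), then opens ssh with key-only auth and a dedicated known_hosts file so the research device's host key does not collide with other localhost forwards. LOCAL_PORT, the known_hosts path and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added helper, not part of the original guide. Assumes iproxy (libusbmuxd)
# and ssh on the Mac's PATH, and OpenSSH from Sileo listening on port 22 on
# the device. LOCAL_PORT and the known_hosts path are our own choices.
LOCAL_PORT="${LOCAL_PORT:-2222}"
DEVICE_PORT=22

# Return 0 if something accepts TCP connections on host:port.
# Uses bash's /dev/tcp so no nc/netcat is required.
port_open() {
  (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

# Poll port_open for up to $3 seconds (default 10); return 1 on timeout.
wait_for_port() {
  local host=$1 port=$2 deadline=$(( $(date +%s) + ${3:-10} ))
  until port_open "$host" "$port"; do
    [ "$(date +%s)" -ge "$deadline" ] && return 1
    sleep 1
  done
}

# Start iproxy unless LOCAL_PORT is already forwarded, then block until the
# forward is usable. Prints "reused" or the iproxy PID.
usb_tunnel_up() {
  if port_open 127.0.0.1 "$LOCAL_PORT"; then
    echo reused
    return 0
  fi
  iproxy "$LOCAL_PORT" "$DEVICE_PORT" >/dev/null 2>&1 &
  echo $!
  wait_for_port 127.0.0.1 "$LOCAL_PORT" 15
}

# Bring the tunnel up and ssh through it. Key auth only, no agent forwarding,
# and a separate known_hosts file for the device's "localhost" host key.
main() {
  usb_tunnel_up >/dev/null || {
    echo "tunnel did not come up: device plugged in and OpenSSH installed?" >&2
    return 1
  }
  ssh -p "$LOCAL_PORT" -o IdentitiesOnly=yes -o ForwardAgent=no \
      -o UserKnownHostsFile="$HOME/.ssh/known_hosts_iphone" root@localhost "$@"
}

# Usage: ./usb_ssh.sh --connect [remote command...]
if [ "${1:-}" = "--connect" ]; then
  shift
  main "$@"
fi
```

Run it once interactively after the jailbreak to change the root password with `passwd`, then copy your public key into /var/root/.ssh/authorized_keys on the device so later connections never need "alpine".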

Essential Packages (Install via Sileo)

- OpenSSH              # Remote access
- Filza File Manager   # GUI file browser
- NewTerm              # Terminal app on device
- AppSync Unified      # Install unsigned IPAs
- Frida                # Dynamic instrumentation
- ldid                 # Code signing tool

File System Exploration

# Key directories
/System/Library/                   # System frameworks, daemons
/System/Library/Sandbox/Profiles/  # Sandbox profiles
/usr/lib/                          # System libraries
/private/var/mobile/               # User data
/private/var/containers/Bundle/    # App bundles
/private/var/containers/Data/      # App data

# Kernelcache location
/System/Library/Caches/com.apple.kernelcaches/kernelcache

# Interesting binaries
/usr/libexec/amfid                 # Code signing daemon
/usr/libexec/mobileassetd          # Asset management
/usr/libexec/lsd                   # Launch Services daemon
/usr/sbin/mediaserverd             # Media server

Safety Tips

  1. Do not update iOS – the jailbreak may be lost
  2. Backup before jailbreaking – iTunes/Finder full backup
  3. Change root password – the default “alpine” is well-known
  4. Use a separate device – do not use your daily driver for research
  5. Snapshot state – if using Corellium, snapshot before making changes