Around Christmas I bought myself a brand new shiny iPhone 3GS, which is currently running OS version 3.1.3 (7E18), Carrier O2 5.1. I have decided to use this phone within this project, which requires a few tests and a little hacking. To begin, access to the file system must be granted. To do this, the phone is jailbroken and a number of tools are installed to enable remote SSH access for ease during the project.
Until recently, @geohot’s blackra1n only offered a tethered jailbreak for the iPhone. This meant that if the phone died or was switched off, it was necessary to hook up the phone to a system which could run blackra1n to inject the exploit code again. Luckily for me, an untethered jailbreak was released which eased the process. This application is called Spirit and is a quick plug-in and click job. It is important to note that this application doesn’t offer any carrier unlock, but as I’m already on O2 this is fine.
Once unlocked, Cydia (a package management application) is upgraded and installed. Using this we can install OpenSSH as per http://www.hackthatphone.com/2x/open_ssh.html. This allowed me to open an SSH connection to the iPhone from Terminal.app, thus gaining access to the filesystem.
As a side note, there are two usable accounts on all iPhones by default. Inspecting the /etc/passwd file shows:
Note that the root account, whose password by default is “alpine”, is used as the system administrator account. The mobile account is used for standard usage (launching applications from the UI etc.) and can be accessed via SSH or by logging in as root and issuing “su - mobile” on the command line. If logged in as the mobile user, use “login -pf root” to become root.
At this point, I played around with the filesystem and explored the various commands available. Being familiar with BSD 4.4 FS (Thank you FreeBSD!) and Darwin (Thank you MacBook), I found that a lot of the basic commands were missing: ps, man, netstat, a text editor, etc. Exploring Cydia, I found some of these tools were easily downloadable.