@novitae
Gist: novitae/2f04999039a6012813fb122d35a4c044
Last active September 5, 2023 12:24
Palera1n & SSL Pinning / Reverse Cheatsheet

Jailbreak

  • Download the latest release of palera1n.
  • Connect the iPhone to the computer.
  • Jailbreak with palera1n --setup-fakefs --fakefs. This sets up the fakefs, which is what gives you a working sudo later.
  • Once the phone is booted, run palera1n -f to load the fakefs. Repeat this every time you restart the phone to re-jailbreak it; the previous step is only needed again if the phone was reset.

Terminal

Connecting to SSH

  • Make sure the openssh package is installed (from Sileo).
  • You can then connect with ssh mobile@IP.
  • The password is alpine (the default). Change it with passwd as soon as you are in: the default is well known and the device is now reachable over Wi-Fi.

Access to sudo

  • Run sudo zsh and set a sudo password when prompted.

SSL Pinning

Changing root certificate

  • Install the proxy's root certificate on the phone as a profile. Your intercepting proxy must provide a way to export it.
  • Proxyman has a full tutorial for this (the one I used).
  • Follow the steps to the end; you are done once the certificate is enabled in Settings -> General -> About -> Certificate Trust Settings.

SSL Kill Switch 2

  • Download the latest .deb release of SSL Kill Switch 2 onto the phone.
  • Make sure the packages preferenceloader and dpkg are installed in Sileo.
  • dpkg -i com.nablac0d3.sslkillswitch2_0.14.deb (installs the package; this should also be doable from Sileo, but I never tried).
  • killall -9 backboardd (respring; can also be done from the palera1n app).
  • Go to Settings -> SSL Kill Switch 2 and enable Disable Certificate Validation.

Setting up the proxy

  • Go to Settings -> Wi-Fi.
  • Tap the (i) on the line of the Wi-Fi network you're connected to.
  • Scroll down to HTTP PROXY -> Configure Proxy -> Manual.
  • Enter the local IP of your computer (192.168.1.???) and the port the proxy listens on.
  • Save.

Reverse

Installing Frida on iOS

  • In Sileo, go to Sources -> +.
  • Add the source https://build.frida.re.
  • Open the source once it has been fetched, go to All Categories and install Frida.

Dumping IPA files

  • Frida must be installed on the phone (see above).
  • git clone https://github.com/AloneMonkey/frida-ios-dump
  • cd frida-ios-dump
  • pip install .
  • In a new terminal window, run iproxy 2222 22 (if you have issues later, try iproxy 2222 44; some jailbreaks use a different SSH port).
  • Run python dump.py <app name or identifier> -u mobile -P alpine
    • You can list apps with frida-ps -Uai for apps only (recommended), or frida-ps -U for all processes.
  • The resulting .ipa will be in the frida-ios-dump directory.
  • Unpack it with unzip <appname>.ipa.
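Once the .ipa is unpacked, the first things worth reading are Info.plist (bundle identifier, version, and the App Transport Security block, where Apple-supported pinning lives under NSPinnedDomains) and the main Mach-O executable. The inspector below is an added example, not part of this gist or of frida-ios-dump; it serves both this step and the SSL Pinning section above, since knowing whether an app declares pins in its Info.plist tells you what kind of pinning you are dealing with before reaching for SSL Kill Switch 2. Everything it reads is built in memory by build_sample_ipa(): the bundle identifier, domain and SPKI pin value are constructed placeholders, and the "executable" is just the Mach-O 64-bit magic plus padding. Point inspect_ipa() at the bytes of a real dump to use it for real.

```python
import io
import plistlib
import zipfile

# Magic numbers found at the start of a Mach-O executable (lookup table, constructed here).
MACHO_MAGICS = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xca\xfe\xba\xbe": "Mach-O fat/universal",
}


def build_sample_ipa() -> bytes:
    """Constructed stand-in for a dumped IPA: a zip containing Payload/<Name>.app/.

    The Info.plist carries an App Transport Security block with one pinned domain
    and arbitrary loads enabled, so the inspector has something to report.
    """
    info = {
        "CFBundleIdentifier": "com.example.sampleapp",  # constructed identifier
        "CFBundleName": "SampleApp",
        "CFBundleExecutable": "SampleApp",
        "CFBundleShortVersionString": "1.2.3",
        "MinimumOSVersion": "15.0",
        "NSAppTransportSecurity": {
            "NSAllowsArbitraryLoads": True,
            "NSPinnedDomains": {
                "api.example.com": {
                    "NSIncludesSubdomains": True,
                    "NSPinnedLeafIdentities": [
                        # Placeholder pin value, not a real SPKI hash.
                        {"SPKI-SHA256-BASE64": "cGxhY2Vob2xkZXItcGluLXZhbHVlLW5vdC1yZWFs"}
                    ],
                }
            },
        },
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        app = "Payload/SampleApp.app/"
        zf.writestr(app + "Info.plist", plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        # Stub executable: Mach-O 64-bit magic followed by padding, not a real binary.
        zf.writestr(app + "SampleApp", b"\xcf\xfa\xed\xfe" + b"\x00" * 60)
        zf.writestr(app + "_CodeSignature/CodeResources", b'<plist version="1.0"><dict/></plist>')
        zf.writestr(app + "embedded.mobileprovision", b"constructed placeholder")
    return buf.getvalue()


def inspect_ipa(ipa_bytes: bytes) -> dict:
    """Summarise a dumped IPA: bundle identity, executable format, signing files, ATS/pinning config."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        names = set(zf.namelist())
        app_dirs = sorted({
            n.split("/")[1] for n in names
            if n.startswith("Payload/") and n.count("/") >= 2 and n.split("/")[1].endswith(".app")
        })
        if len(app_dirs) != 1:
            raise ValueError(f"expected exactly one Payload/*.app directory, found {app_dirs}")
        base = f"Payload/{app_dirs[0]}/"
        info = plistlib.loads(zf.read(base + "Info.plist"))

        exe_name = info.get("CFBundleExecutable", app_dirs[0][: -len(".app")])
        exe_path = base + exe_name
        magic = zf.read(exe_path)[:4] if exe_path in names else b""
        ats = info.get("NSAppTransportSecurity", {})
        return {
            "bundle_id": info.get("CFBundleIdentifier"),
            "version": info.get("CFBundleShortVersionString"),
            "min_os": info.get("MinimumOSVersion"),
            "executable_format": MACHO_MAGICS.get(magic, "unknown or missing"),
            # Presence only: a dump keeps these files, but the signature no longer
            # matches the decrypted binary, which is why AppSync/TrollStore are needed.
            "has_code_signature": any(n.startswith(base + "_CodeSignature/") for n in names),
            "has_provisioning_profile": (base + "embedded.mobileprovision") in names,
            "allows_arbitrary_loads": bool(ats.get("NSAllowsArbitraryLoads", False)),
            "pinned_domains": sorted(ats.get("NSPinnedDomains", {}).keys()),
        }


if __name__ == "__main__":
    for key, value in inspect_ipa(build_sample_ipa()).items():
        print(f"{key:>26}: {value}")
```

The inspector deliberately refuses anything that does not have exactly one Payload/*.app directory, which catches a zip that is not an IPA at all or a dump that was unpacked and re-zipped from the wrong level. An empty pinned_domains list only means the app does not use Apple's Info.plist pinning; pinning implemented in code (a hard-coded certificate or SPKI hash compared at runtime) will not show up here.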

Installing signature-corrupted IPAs

  • Add https://cydia.akemi.ai/ to the Sileo sources.
  • From it, install AppSync Unified.
  • You can now install unsigned apps.
  • You can install them using the file browser described in the next section.
  • Navigate to the .ipa file, tap it, and tap Install in the upper right corner.
  • If the app crashes when you open it:
    • In Sileo, install TrollStore Helper.
    • Open the TrollHelper app and install TrollStore.
    • Open the TrollStore app, go to Settings and, in the Signing category, install ldid.
    • Go back to your .ipa file in Filza -> Open in -> TrollStore -> (wait for the popup with the app's info to appear) Install.
    • It should now work.

Get a decent file browser (Filza)

  • Add http://tigisoftware.com/repo/ to the Sileo sources.
  • From it, install Filza File Manager (64-bit or not, I don't know; I took 64-bit on an iPhone 7).
  • In it, you can find the .ipa file you scp'd onto the phone and install it easily.