Installing Dropbear SSH on iOS 10.3.3
In December last year, @tihmstar and @s1guza released H3lix, a semi-untethered jailbreak for all 32-bit devices on iOS 10.0 to 10.3.3. This is amazing: it means devices like the iPhone 5 and 5c are jailbroken for life, since iOS 10.3.3 is the last iOS version that supports them.
Coming back from the holiday break I decided to upgrade my old iPhone 5 (it was on a jailbroken iOS 8) and use H3lix to jailbreak it; it was a success! The only bad part was that OpenSSH didn't work, even though it installed fine from Cydia. Luca mentioned this when he released yalu102. Sadly H3lix (at least up to RC4) doesn't come with Dropbear, so, being a noob in the scene, I decided to give it a try, install it on my own and learn from it.
First I decided to compile my own 32-bit version of Dropbear for iOS. Yes, there is already a DEB package, and @Morpheus______'s original binpack includes the 32-bit version of Dropbear, but I wanted to do it for the sake of learning. I found a GitHub repo that is already configured for iOS and thought I just needed to compile it. Wrong!
Compiling Dropbear for 32-bit ARM devices
- Clone the GitHub repo: https://github.com/Comsecuris/ios_dropbear
- Open the `build.sh` script and change the arch to `ARCH="armv7"` and the SDK to `SDK="iphoneos10.3"`. If you are using the latest version of Xcode (9.2 at the time of this writing) it only ships iphoneos11.2, which doesn't support 32-bit devices, so download Xcode 8.3.3 from https://developer.apple.com/downloads (Developer ID needed) to get the 10.3 SDK.
- Copy `~/Downloads/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk` (from the Xcode 8.3.3 download) to `~/Desktop/tmp/iPhoneOS.sdk`
- Rename `iPhoneOS.sdk` to `iPhoneOS10.3.sdk`
- Copy `iPhoneOS10.3.sdk` to `/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/` (device SDKs live under iPhoneOS.platform, not iPhoneSimulator.platform)
- Open `/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Info.plist` and change the `MinimumSDKVersion` value to something lower (10.3 or below), otherwise xcodebuild skips the SDK with this error:
[MT] DVTSDK: Skipped SDK /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS10.3.sdk; its version (10.3) is below required minimum (11.2) for the iphoneos platform.
- Run
xcodebuild -showsdks
and you should now see `-sdk iphoneos10.3` in the list.
- Try building Dropbear by executing the build.sh script:
./build.sh
You may get the following error:
ld: library not found for -lcrt1.3.1.o
The armv7 link step wants a crt1 startup object that newer SDKs no longer ship. To fix this, download Xcode 5.1.1 from (again) https://developer.apple.com/downloads (Developer ID needed)
- Open `~/Downloads/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.1.sdk/usr/lib/` in the Xcode 5.1.1 download
- Copy `crt1.3.1.o` and `crt1.o` to `/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS10.3.sdk/usr/lib/`
- Now we can finally build Dropbear by executing the build.sh script:
./build.sh
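The SDK surgery above is easy to get subtly wrong (wrong platform directory, a plist edit that silently misses). The script below is an added example, not code from the original post or from the ios_dropbear repo, that does the same steps from the shell so they are repeatable. Its assumptions are labelled in the comments: the three Xcode bundles are at the paths you pass in, the platform Info.plist is XML with the value on the line after the MinimumSDKVersion key, and build.sh assigns ARCH= and SDK= at the start of a line.

```shell
#!/bin/sh
# Added example (not from the original post or ios_dropbear): install an
# iPhoneOS10.3.sdk into a newer Xcode and point build.sh at it.
# Assumptions: Xcode bundles at the paths given as arguments; the platform
# Info.plist is XML with <string> on the line after the key; build.sh has
# ARCH= and SDK= assignments at the start of a line.
set -eu

# Device SDKs and MinimumSDKVersion live under iPhoneOS.platform,
# not iPhoneSimulator.platform.
PLATFORM=Contents/Developer/Platforms/iPhoneOS.platform

# install_sdk SRC_SDK_DIR TARGET_XCODE VERSION: copies SRC in as iPhoneOS$VERSION.sdk
install_sdk() {
    dest="$2/$PLATFORM/Developer/SDKs/iPhoneOS$3.sdk"
    mkdir -p "$(dirname "$dest")"
    cp -RH "$1" "$dest"   # -H: follow the iPhoneOS.sdk symlink on the command line only
    printf '%s\n' "$dest"
}

# lower_min_sdk INFO_PLIST VERSION: rewrite MinimumSDKVersion so xcodebuild
# stops skipping the older SDK.
lower_min_sdk() {
    awk -v v="$2" '
        hit { sub("<string>[^<]*</string>", "<string>" v "</string>"); hit = 0 }
        $0 ~ "<key>MinimumSDKVersion</key>" { hit = 1 }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# copy_crt OLD_SDK NEW_SDK: the armv7 link wants crt1.3.1.o/crt1.o that
# newer SDKs dropped; take them from the iOS 7.1 SDK.
copy_crt() {
    for o in crt1.3.1.o crt1.o; do
        cp "$1/usr/lib/$o" "$2/usr/lib/$o"
    done
}

# set_build_target BUILD_SH ARCH SDK: rewrite ARCH= and SDK= in build.sh
# (no sed -i, so it behaves the same on BSD and GNU sed).
set_build_target() {
    sed -e "s/^ARCH=.*/ARCH=\"$2\"/" -e "s/^SDK=.*/SDK=\"$3\"/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# prepare_sdk CURRENT_XCODE XCODE_8_3_3 XCODE_5_1_1 BUILD_SH
prepare_sdk() {
    new_sdk=$(install_sdk "$2/$PLATFORM/Developer/SDKs/iPhoneOS.sdk" "$1" 10.3)
    lower_min_sdk "$1/$PLATFORM/Info.plist" 10.3
    copy_crt "$3/$PLATFORM/Developer/SDKs/iPhoneOS7.1.sdk" "$new_sdk"
    set_build_target "$4" armv7 iphoneos10.3
}

# Real use on a Mac (paths are assumptions), e.g.:
#   sh prepare_sdk.sh /Applications/Xcode.app ~/Downloads/Xcode.app ~/Downloads/Xcode5.app ./build.sh
if [ "$#" -eq 4 ]; then
    prepare_sdk "$@"
    xcodebuild -showsdks | grep -q 'iphoneos10.3' && echo "iphoneos10.3 is now visible to xcodebuild"
fi
```

After it runs, `xcodebuild -showsdks` should list iphoneos10.3 and `./build.sh` should link without the crt1.3.1.o error.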
Creating a DEB package from the dropbear binaries
- Create a `dropbearios32` folder and its subfolders (use mkdir -p so the intermediate directories are created too):
mkdir -p dropbearios32/DEBIAN dropbearios32/Library/LaunchDaemons dropbearios32/etc/dropbear dropbearios32/usr/local/bin
- Copy `dbclient`, `dropbear`, `dropbearconvert` and `dropbearkey` to `dropbearios32/usr/local/bin/`
- Create a `control` file in `dropbearios32/DEBIAN` with this text:
Package: dropbearios32
Version: 32
Maintainer: Ivan Rodriguez
Architecture: iphoneos-arm
Description: Dropbear SSH server for iOS (32 bits)
- Create a `postinst` file in `dropbearios32/DEBIAN`; this script is executed after the .deb package is installed:
#!/bin/sh
launchctl load /Library/LaunchDaemons/dropbear.plist
- Make the `postinst` script executable:
chmod +x postinst
- Create a `dropbear.plist` file in `dropbearios32/Library/LaunchDaemons` with this text:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.ivrodriguez.dropbear</string>
<key>Program</key>
<string>/usr/local/bin/dropbear</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/bin/dropbear</string>
<string>-F</string>
<string>-R</string>
<string>-p</string>
<string>127.0.0.1:22</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
</dict>
</plist>
- Create the DEB package:
dpkg-deb -Zgzip -b dropbearios32
Note: a plain `dpkg-deb --build` defaults to XZ compression, which the dpkg shipped on iOS cannot unpack, so force gzip with `-Zgzip`.
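The packaging steps above, as an added example that is not part of the original post: one script that stages the dropbearios32 tree with the modes dpkg-deb and launchd expect, checks that the LaunchDaemon really binds Dropbear to loopback, and builds the .deb with gzip. It assumes build.sh already produced the four binaries in the directory passed as its argument; the control, postinst and plist contents are the post's own.

```shell
#!/bin/sh
# Added example (not from the original post): stage and build dropbearios32.deb.
# Assumes $1 is the directory holding the binaries build.sh produced.
set -eu

BINARIES="dbclient dropbear dropbearconvert dropbearkey"

# stage_dropbear_pkg SRC_BIN_DIR STAGING_ROOT
stage_dropbear_pkg() {
    src="$1"; pkg="$2"
    # mkdir -p creates the intermediate Library/, etc/ and usr/local/ dirs;
    # a plain mkdir of dropbearios32/Library/LaunchDaemons fails.
    mkdir -p "$pkg/DEBIAN" "$pkg/Library/LaunchDaemons" "$pkg/etc/dropbear" "$pkg/usr/local/bin"
    for b in $BINARIES; do
        [ -f "$src/$b" ] || { echo "missing binary: $src/$b" >&2; return 1; }
        cp "$src/$b" "$pkg/usr/local/bin/$b"
        chmod 0755 "$pkg/usr/local/bin/$b"
    done
    cat > "$pkg/DEBIAN/control" <<'EOF'
Package: dropbearios32
Version: 32
Maintainer: Ivan Rodriguez
Architecture: iphoneos-arm
Description: Dropbear SSH server for iOS (32 bits)
EOF
    # postinst runs on the device after unpacking; launchd then starts the daemon.
    cat > "$pkg/DEBIAN/postinst" <<'EOF'
#!/bin/sh
launchctl load /Library/LaunchDaemons/dropbear.plist
EOF
    chmod 0755 "$pkg/DEBIAN/postinst"
    chmod 0755 "$pkg/DEBIAN"   # dpkg-deb rejects a control directory with other modes
    cat > "$pkg/Library/LaunchDaemons/dropbear.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.ivrodriguez.dropbear</string>
<key>Program</key>
<string>/usr/local/bin/dropbear</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/bin/dropbear</string>
<string>-F</string>
<string>-R</string>
<string>-p</string>
<string>127.0.0.1:22</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
</dict>
</plist>
EOF
    # launchd refuses LaunchDaemons plists that are writable by others.
    chmod 0644 "$pkg/Library/LaunchDaemons/dropbear.plist"
}

# check_loopback_only PLIST: fail unless the -p argument keeps the listener on 127.0.0.1
check_loopback_only() {
    addr=$(awk '$0 ~ "<string>-p</string>" { getline; gsub("</?string>|[ \t]", ""); print; exit }' "$1")
    case "$addr" in
        127.0.0.1:*) return 0 ;;
        *) echo "dropbear would listen on '$addr', not loopback" >&2; return 1 ;;
    esac
}

# Real use: sh make_deb.sh /path/to/built/binaries
if [ "$#" -eq 1 ]; then
    stage_dropbear_pkg "$1" dropbearios32
    check_loopback_only dropbearios32/Library/LaunchDaemons/dropbear.plist
    dpkg-deb -Zgzip -b dropbearios32   # gzip: the dpkg on iOS cannot unpack xz
fi
```

The loopback check is the part worth keeping around: if someone later edits the plist to `0.0.0.0:22` to reach the phone over Wi-Fi, the build fails instead of quietly shipping an SSH server listening on every interface.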
Installing the DEB package and configuring Dropbear
- Install Apple File Conduit 2 (AFC2) from Cydia and transfer dropbearios32.deb to the device (I used iExplorer)
- Install Filza File Manager from Cydia, navigate to where you copied the dropbearios32.deb package and install it
- Install MobileTerminal (MTerminal) from Cydia
- In MTerminal, create the RSA, ECDSA and DSS (DSA) host keys:
dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key
Because the LaunchDaemon starts dropbear with -R, it would also generate any missing host key on the first connection; creating them up front lets you print each fingerprint (dropbearkey -y -f <keyfile>) and compare it on the client at first login. The DSS key is optional: OpenSSH clients since 7.0 refuse ssh-dss host keys by default. Note that -p 127.0.0.1:22 binds the server to loopback only, so it is not reachable over Wi-Fi; from the Mac, forward the port over USB with libimobiledevice's iproxy (iproxy 2222 22) and connect with ssh -p 2222 root@127.0.0.1. The root password is still Apple's default (alpine), so change it with passwd before relying on this setup.
This was a fun way of learning how to install Dropbear SSH on a jailbroken iPhone. Questions and/or comments @ivRodriguezCA
Photo by Fabian Grohs on Unsplash