Installing Dropbear SSH on iOS 10.3.3

In December last year, @thimstar and @S1guza released H3lix, a semi-untethered jailbreak for all 32-bit devices on iOS 10.0 to 10.3.3. This is amazing: it means devices like the iPhone 5 and 5c are jailbroken for life, since iOS 10.3.3 is the last Apple OS that supports those devices.

Coming back from the holiday break I decided to upgrade my old iPhone 5 (it was on a jailbroken iOS 8) and use H3lix to jailbreak it, and it was a success! The only bad part was that OpenSSH didn't work, even though it installed fine from Cydia; Luca mentioned this when he released yalu102. Sadly H3lix (at least up to RC4) doesn't come with dropbear, so, being a noob in the scene, I decided to give it a try, install it on my own and learn from it.

First I decided to compile my own 32-bit version of dropbear for iOS. Yes, there is already a DEB package, and @Morpheus______'s original binpack includes the 32-bit version of dropbear, but I wanted to do it for the sake of learning. I found a GitHub repo that is already configured for iOS and thought I just needed to compile it. Wrong!

Compiling Dropbear for 32-bit ARM devices

  • Clone the GitHub repo: https://github.com/Comsecuris/ios_dropbear
  • Open the build.sh script
  • Change the arch to ARCH="armv7" and the SDK to SDK="iphoneos10.3". If you are using the latest version of Xcode (Xcode 9.2 at the time of this writing), it comes with iphoneos11.2, which doesn't support 32-bit devices, but we can download Xcode 8.3.3 from https://developer.apple.com/downloads (Developer ID needed).
  • Copy ~/Downloads/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneOS.sdk to ~/Desktop/tmp/iPhoneOS.sdk
  • Rename iPhoneOS.sdk to iPhoneOS10.3.sdk
  • Copy iPhoneOS10.3.sdk to ~/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/
  • Open ~/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Info.plist and change the MinimumSDKVersion value to something lower, otherwise you'll get this error:
[MT] DVTSDK: Skipped SDK /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS10.3.sdk; its version (10.3) is below required minimum (11.2) for the iphoneos platform.
  • Run xcodebuild -showsdks; you should now see -sdk iphoneos10.3 in the list.
  • Try building dropbear by executing the build.sh script: ./build.sh

You may get the following error:

ld: library not found for -lcrt1.3.1.o

To fix this, download Xcode 5.1.1 from (again) https://developer.apple.com/downloads (Developer ID needed).

  • Open ~/Downloads/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.1.sdk/usr/lib/
  • Copy crt1.3.1.o and crt1.o to ~/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneOS10.3.sdk/usr/lib/
  • Now we can finally build dropbear by executing the build.sh script: ./build.sh
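The SDK surgery above is easy to get slightly wrong by hand (wrong target directory, MinimumSDKVersion left untouched, crt1 files forgotten). The script below is an added example, not from the post or the ios_dropbear repo, that does the three steps in one function and lets you rehearse them on a throwaway directory first. It assumes the target is the iPhoneOS.platform directory that the "Skipped SDK" error names, and it edits Info.plist with plain awk rather than PlistBuddy so the same code runs on macOS and Linux; the rehearse function builds a constructed fake SDK tree and Info.plist, so it needs no Xcode at all.

```shell
#!/bin/sh
# Added example (not from the post or the ios_dropbear repo): stage a copied
# iPhoneOS SDK into an Xcode platform directory, drop in the old crt1 start
# files and lower MinimumSDKVersion in the platform's Info.plist, so the whole
# SDK surgery is one repeatable step. All paths are arguments so it can be
# rehearsed on a throwaway tree before it is pointed at a real Xcode.app.
set -eu

# stage_sdk SRC_SDK PLATFORM_DIR VERSION [CRT_DIR]
#   SRC_SDK      iPhoneOS.sdk copied out of the older Xcode
#   PLATFORM_DIR target *.platform directory (holds Developer/SDKs and Info.plist)
#   VERSION      SDK version string, e.g. 10.3
#   CRT_DIR      optional directory holding crt1.o and crt1.3.1.o
stage_sdk() {
    src="$1"; platform="$2"; version="$3"; crt_dir="${4:-}"
    dest="$platform/Developer/SDKs/iPhoneOS$version.sdk"

    [ -d "$src" ] || { echo "source SDK not found: $src" >&2; return 1; }
    [ -f "$platform/Info.plist" ] || { echo "no Info.plist in $platform" >&2; return 1; }
    [ ! -e "$dest" ] || { echo "refusing to overwrite $dest" >&2; return 1; }

    mkdir -p "$platform/Developer/SDKs"
    cp -R "$src" "$dest"              # copy, so the source Xcode stays intact

    # The linker wants crt1.3.1.o / crt1.o for 32-bit targets; newer SDKs dropped them.
    if [ -n "$crt_dir" ]; then
        mkdir -p "$dest/usr/lib"
        cp "$crt_dir/crt1.o" "$crt_dir/crt1.3.1.o" "$dest/usr/lib/"
    fi

    lower_min_sdk "$platform/Info.plist" "$version"
}

# lower_min_sdk PLIST VERSION: rewrite the <string> that follows <key>MinimumSDKVersion</key>.
# Plain awk instead of PlistBuddy so the same code runs on macOS and Linux.
lower_min_sdk() {
    plist="$1"; version="$2"
    cp "$plist" "$plist.bak"          # keep the original for rollback
    awk -v v="$version" '
        hit && /<string>/ { sub(/<string>[^<]*<\/string>/, "<string>" v "</string>"); hit = 0 }
        /<key>MinimumSDKVersion<\/key>/ { hit = 1 }
        { print }
    ' "$plist.bak" > "$plist"
}

# min_sdk PLIST: print the current MinimumSDKVersion value
min_sdk() {
    awk 'hit && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
         /<key>MinimumSDKVersion<\/key>/ { hit = 1 }' "$1"
}

# rehearse: dry run on a constructed throwaway tree (no Xcode needed). Prints the
# patched MinimumSDKVersion followed by "crt-ok" when the start files landed.
rehearse() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src/iPhoneOS.sdk/usr/lib" "$tmp/crt" "$tmp/iPhoneOS.platform"
    : > "$tmp/crt/crt1.o"; : > "$tmp/crt/crt1.3.1.o"
    cat > "$tmp/iPhoneOS.platform/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>MinimumSDKVersion</key>
    <string>11.2</string>
</dict>
</plist>
EOF
    stage_sdk "$tmp/src/iPhoneOS.sdk" "$tmp/iPhoneOS.platform" 10.3 "$tmp/crt"
    result=$(min_sdk "$tmp/iPhoneOS.platform/Info.plist")
    [ -f "$tmp/iPhoneOS.platform/Developer/SDKs/iPhoneOS10.3.sdk/usr/lib/crt1.3.1.o" ] && result="$result crt-ok"
    rm -rf "$tmp"
    echo "$result"
}

# Real run (paths as in the post; adjust to your Xcode layout):
# stage_sdk ~/Desktop/tmp/iPhoneOS.sdk \
#   /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform 10.3 \
#   ~/Downloads/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.1.sdk/usr/lib
```

Run rehearse first; it should print 10.3 crt-ok. The function refuses to overwrite an existing SDK directory and keeps an Info.plist.bak, so a bad run can be rolled back instead of leaving Xcode half-patched.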

Creating a DEB package from the dropbear binaries

  • Create a dropbearios32 folder (and subfolders):
mkdir -p dropbearios32/DEBIAN dropbearios32/Library/LaunchDaemons dropbearios32/etc/dropbear dropbearios32/usr/local/bin
  • Copy dbclient, dropbear, dropbearconvert, dropbearkey to dropbearios32/usr/local/bin/
  • Create a control file in dropbearios32/DEBIAN with this text:
Package: dropbearios32
Version: 32
Maintainer: Ivan Rodriguez
Architecture: iphoneos-arm
Description: Dropbear SSH server for iOS (32 bits)
  • Create a postinst file in dropbearios32/DEBIAN; this script is executed after the .deb package is installed:
#!/bin/sh
launchctl load /Library/LaunchDaemons/dropbear.plist
  • Make the postinst script executable:
chmod +x dropbearios32/DEBIAN/postinst
  • Create a dropbear.plist file in dropbearios32/Library/LaunchDaemons with this text:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
     <key>Label</key>
     <string>com.ivrodriguez.dropbear</string>
     <key>Program</key>
     <string>/usr/local/bin/dropbear</string>
     <key>ProgramArguments</key>
     <array>
          <string>/usr/local/bin/dropbear</string>
          <string>-F</string>
          <string>-R</string>
          <string>-p</string>
          <string>127.0.0.1:22</string>
     </array>
     <key>RunAtLoad</key>
     <true/>
     <key>KeepAlive</key>
     <true/>
</dict>
</plist>
  • Create the DEB package:
dpkg-deb -Zgzip -b dropbearios32

Note: without -Zgzip, dpkg-deb --build uses XZ compression, which is not compatible with iOS.
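All of the packaging steps above, as one added example script (not code from the post): it lays out the dropbearios32 tree, writes the same control, postinst and dropbear.plist files, runs the checks worth doing before the package goes onto the phone, and builds the gzip-compressed .deb. It assumes BIN_DIR holds the four binaries that build.sh produced; the rehearse function substitutes constructed placeholder scripts for them so the staging logic can be exercised on any machine, and build_deb is only run where dpkg-deb is installed.

```shell
#!/bin/sh
# Added example (not from the post): assemble the dropbearios32 tree described
# above in one function and build the gzip-compressed .deb. BIN_DIR must hold the
# four binaries that build.sh produced; OUT_DIR receives the staging tree and .deb.
set -eu

PKG=dropbearios32
BINARIES="dbclient dropbear dropbearconvert dropbearkey"

# stage_package BIN_DIR OUT_DIR: create DEBIAN/, the launchd job and the binaries;
# prints the staging root.
stage_package() {
    bin_dir="$1"; root="$2/$PKG"
    mkdir -p "$root/DEBIAN" "$root/Library/LaunchDaemons" "$root/etc/dropbear" "$root/usr/local/bin"

    for b in $BINARIES; do
        [ -f "$bin_dir/$b" ] || { echo "missing binary: $bin_dir/$b" >&2; return 1; }
        cp "$bin_dir/$b" "$root/usr/local/bin/$b"
        chmod 755 "$root/usr/local/bin/$b"
    done

    cat > "$root/DEBIAN/control" <<EOF
Package: $PKG
Version: 32
Maintainer: Ivan Rodriguez
Architecture: iphoneos-arm
Description: Dropbear SSH server for iOS (32 bits)
EOF

    # dpkg runs postinst after unpacking: load the job so the daemon starts without a reboot
    printf '#!/bin/sh\nlaunchctl load /Library/LaunchDaemons/dropbear.plist\n' > "$root/DEBIAN/postinst"
    chmod 755 "$root/DEBIAN/postinst"

    # -F stay in the foreground (launchd supervises), -R create host keys as needed,
    # -p 127.0.0.1:22 listen on loopback only: reachable over a USB tunnel, not Wi-Fi.
    cat > "$root/Library/LaunchDaemons/dropbear.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.ivrodriguez.dropbear</string>
    <key>Program</key>
    <string>/usr/local/bin/dropbear</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/dropbear</string>
        <string>-F</string>
        <string>-R</string>
        <string>-p</string>
        <string>127.0.0.1:22</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
EOF
    echo "$root"
}

# check_tree ROOT: the checks worth running before the .deb goes onto the phone.
check_tree() {
    root="$1"
    grep -q '^Architecture: iphoneos-arm$' "$root/DEBIAN/control" || return 1
    [ -x "$root/DEBIAN/postinst" ] || return 1
    grep -q '<string>127.0.0.1:22</string>' "$root/Library/LaunchDaemons/dropbear.plist" || return 1
    for b in $BINARIES; do [ -x "$root/usr/local/bin/$b" ] || return 1; done
    echo ok
}

# build_deb ROOT: gzip, because the dpkg on iOS cannot unpack the XZ default.
build_deb() {
    command -v dpkg-deb >/dev/null 2>&1 || { echo "dpkg-deb not installed" >&2; return 1; }
    dpkg-deb -Zgzip -b "$1" "$1.deb" >/dev/null && echo "$1.deb"
}

# rehearse: run the staging on constructed placeholder binaries (not real dropbear).
rehearse() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    for b in $BINARIES; do printf '#!/bin/sh\necho placeholder %s\n' "$b" > "$tmp/bin/$b"; done
    root=$(stage_package "$tmp/bin" "$tmp")
    result=$(check_tree "$root")
    rm -rf "$tmp"
    echo "$result"
}
```

For the real package: root=$(stage_package /path/to/dropbear/build ~/Desktop) then check_tree "$root" and build_deb "$root". The check on the 127.0.0.1:22 string is the one to keep: with that argument the daemon only listens on loopback, so it is reachable through a local USB port forward but not from whatever Wi-Fi network the phone joins.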

Installing the DEB package and configuring Dropbear

  • Install Apple File Conduit 2 (AFC2) from Cydia and transfer the dropbearios32.deb (I used iExplorer)
  • Install Filza File Manager from Cydia, navigate to where you copied the dropbearios32.deb package and install it
  • Install MobileTerminal (MTerminal) from Cydia
  • In MTerminal, create the RSA, ECDSA and DSS (DSA) host keys:
dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key

This was a fun way of learning how to install Dropbear SSH on a jailbroken iPhone. Questions and/or comments: @ivRodriguezCA