iOS: Enable "supervision mode" automatically #81

Open
zner0L opened this issue May 30, 2023 · 12 comments
zner0L (Contributor) commented May 30, 2023

In #44, I investigated how the "supervision mode" can be used to install root CAs without interaction. I'd like to implement this in appstraction as an internal iOS function. In order for that, we need to:

  • Generate the SupervisorHostCertificate.
  • Place the certificate in the CloudConfigurationDetails.plist
  • Restart the device without having to re-jailbreak
  • Save the private key somewhere safe so we can use it to send configuration profiles

zner0L (Contributor, Author) commented May 30, 2023

Using https://github.com/PeculiarVentures/PKI.js, I can generate the X.509 certificate for identification and its private key. However, to save them a common format is the PKCS#12 key store format, which is also used by https://github.com/danielpaulus/go-ios to install profiles. This format is apparently pretty hard to generate on nodejs, because the node implementation of webcrypto doesn’t support the ciphers (or not in the same way as the browsers smh, I am not sure) which are used by openssl (and therefore otherwise the only supported ciphers).

In their examples, https://github.com/PeculiarVentures/PKI.js need quite a lot of custom code, to get PKCS#12 going on nodejs: https://github.com/PeculiarVentures/PKI.js/blob/469c403d102ee5149e8eb9ad19754c9696ed7c55/examples/NodePKCS12Example/NodeEngine.ts
And that even seems to be broken: PeculiarVentures/PKI.js#368

This is a security nightmare.

baltpeter (Member) commented

> Restart the device without having to re-jailbreak

Is that possible? :o

zner0L (Contributor, Author) commented May 30, 2023

I am thinking of trying https://github.com/digitalbazaar/forge, which is a native js implementation of TLS instead of the webcrypto API https://github.com/PeculiarVentures/PKI.js is relying on. I am not sure how much of a security trade-off this really is, but since we are basically installing a backdoor on people's devices, I guess we should at least secure it properly? Then again, PKCS#12 seems to be an extremely badly implemented standard, even in openSSL itself, and using https://github.com/digitalbazaar/forge might be even better security.

zner0L (Contributor, Author) commented May 30, 2023

> Is that possible? :o

Yes. ldrestart restarts all the user space processes, but keeps the (jailbroken) kernel running.

baltpeter (Member) commented

On my iOS 15 device, launchctl reboot userspace seems to kill (and not restart) sshd.

If I just do `await ios._internal.userspaceRestart();`, the phone does restart but I get the following error:

```
Error: read ECONNRESET
    at __node_internal_captureLargerStackTrace (node:internal/errors:490:5)
    at __node_internal_errnoException (node:internal/errors:620:12)
    at TCP.onStreamRead (node:internal/stream_base_commons:217:20)
Emitted 'error' event on Client instance at:
    at Socket.<anonymous> (/home/benni/coding/JS/tweasel/appstraction/node_modules/ssh2/lib/client.js:745:12)
    at Socket.emit (node:events:513:28)
    at Socket.emit (node:domain:489:12)
    at emitErrorNT (node:internal/streams/destroy:151:8)
    at emitErrorCloseNT (node:internal/streams/destroy:116:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read',
  level: 'client-socket'
}
```

I can only connect via SSH after I do "Launch Daemons" in the palera1n app.

baltpeter (Member) commented

That doesn't happen with ldrestart.

baltpeter (Member) commented

Same thing on iOS 16. Here, the SSH session even stays intact with ldrestart.

baltpeter (Member) commented

So, if I enable the supervision capability and try to do:

```js
await ios.ensureDevice();
await ios.installCertificateAuthority(caCertPath!);
```

On iOS 15, this fails:

```
Error: read ECONNRESET
    at __node_internal_captureLargerStackTrace (node:internal/errors:490:5)
    at __node_internal_errnoException (node:internal/errors:620:12)
    at TCP.onStreamRead (node:internal/stream_base_commons:217:20)
Emitted 'error' event on Client instance at:
    at Socket.<anonymous> (/home/benni/coding/JS/tweasel/appstraction/node_modules/ssh2/lib/client.js:745:12)
    at Socket.emit (node:events:513:28)
    at Socket.emit (node:domain:489:12)
    at emitErrorNT (node:internal/streams/destroy:151:8)
    at emitErrorCloseNT (node:internal/streams/destroy:116:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read',
  level: 'client-socket'
}
```

On iOS 16, it hangs.

zner0L (Contributor, Author) commented Jun 2, 2023

> On my iOS 15 device, launchctl reboot userspace seems to kill (and not restart) sshd.

I cannot reproduce this on either my iOS 15 or 16 devices. What version of palera1n are you using?

> Yes. ldrestart restarts all the user space processes, but keeps the (jailbroken) kernel running.

This is also not true. This only restarts the LaunchDaemons, but not launchd. So on iOS 15 ldrestart is enough to get the supervision mode activated, on iOS 16 this doesn’t work and needs launchctl reboot userspace.

baltpeter (Member) commented Jun 2, 2023

> I cannot reproduce this on either my iOS 15 or 16 devices. What version of palera1n are you using?

I'm on 1.4.2, the latest version of the legacy branch.

zner0L (Contributor, Author) commented Jun 5, 2023

I am not using legacy anymore. Can you test jailbreaking with palera1n-c?

baltpeter (Member) commented

> I am not using legacy anymore. Can you test jailbreaking with palera1n-c?

I've now wasted an hour trying to get that to work, unsuccessfully. I don't know what else to try.
