Source Link: http://www.saurik.com/id/8

Due to popular demand, I am putting some of the content I have written for the Cydia information portal here on my website so people can link to it directly. Given the original distribution medium, the material is therefore quite condensed. If I have time I may flesh out more details.

Starting with the recent beta releases of the iPhoneOS, Apple has started requiring that all code on the device is signed. This is mostly to make it impossible for programs running through Apple's AppStore to download more software and run it (so no competition for AppStore).

In order to get around this (and thereby to install our own code onto the device) the iPhone Dev Team has patched the signature verification out of the kernel. However, another half of the codesign problem is that the binary contains a number of SHA1 verification hashes that are checked in numerous locations throughout the kernel. Patching this out is A) difficult (especially to track as Apple makes changes) and B) of marginal benefit as adding these hashes is easy. This means you do still have to at least pay lipservice to the code signature process. There are currently three viable options.

Option #1: Self-Signing

This method is the simplest to understand: using Apple's codesign tool to sign the binary. Because the signature verification checks have been hacked out of the kernel, you can use any signature to do this, not just ones that are approved by Apple's developer program. For instructions on how to make a self-signing certificate you can read this article from Apple's website: Obtaining a Signing Identity.

mac$ platform=/Developer/Platforms/iPhoneOS.platform mac$ allocate=${platform}/Developer/usr/bin/codesign_allocate mac$ export CODESIGN_ALLOCATE=${allocate} mac$ codesign -fs "Name" Program mac$ scp Program mobile@iphone:

Option #2: Pseudo-Signing

For me, the previous option just doesn't work. I do not use Macs to do my development and the entire codesign path requires not only a Mac but console access because codesign is, at some level, a graphical utility (the way it uses Keychain to get the signatures may prompt, with dialogs, for passwords). To get around this, I wrote a tool called ldid that, among other things, can generate the SHA1 hashes that are checked by Apple's iPhoneOS kernel. This tool is easily installed on the iPhone using Cydia or APT.

iphone# apt-get install ldid iphone$ scp user@desktop:Program . iphone$ ldid -S Program

Supposedly you actually can run codesign over SSH by first running security unlock-keychain. Thanks goes to Sam Clegg for pointing this out! (I will be honest and say I haven't tested this yet.

Option #3: Disable Checks

Finally, an option that is really convenient for development purposes is just to disable the check. Now, technically, this disables a lot more than just the codesign check, and its also more disabling the penalty than the check itself. I have run my phone for a while in this state, but I have heard that in some (many?) configurations it causes problems: being unable to connect to insecure WiFi networks being the largest. This is done by using sysctl to deactivate the enforcement and can be undone either by resetting the variables back on or by rebooting the phone.

sysctl -w security.mac.proc_enforce=0 sysctl -w security.mac.vnode_enforce=0

As this does seem to cause some problems, I'll make a note about how to undo this (as it's really simple). You just need to reset the variables back to 1 or reboot the device (every time the phone starts these default back to on).

sysctl -w security.mac.proc_enforce=1 sysctl -w security.mac.vnode_enforce=1

Entitlements

Every executable also has an XML file (specifically an Objective-C Property List) that is signed into it that is its block of "entitlements". This area is read (I'm not certain by who, but I'd guess the kernel) to determine what seatbelt profile to apply to that process and what extra abilities it gets.

To dump or set the entitlements of a binary we can use ldid. Dumping uses -e and setting involves passing an argument to -S as you sign the file. You can also pass --entitlements to codesign.

iphone$ ldid -e Program iphone$ ldid -Sblock.xml Program mac$ codesign -fs "Name" --entitlements block.xml Program

As an example of where this comes up, programs that wish to use [UIApplication launchApplicationWithIdentifier:suspended:], as of iPhoneOS 2.1, get the error message Entitlement com.apple.springboard.launchapplications required to use _SBXXLaunchApplication. To fix this, we can sign our program with the following entitlement block.

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.springboard.launchapplications</key> <true/> </dict> </plist>

Have more questions about code signatures? Send them to me and I might put up more information (if I have it) here. One thing I do intend to discuss more is entitlements.

 

[转]Bypassing iPhone Code Signatures的更多相关文章

  1. Bypassing iPhone Code Signatures

    [Bypassing iPhone Code Signatures] Starting with the recent beta releases of the iPhoneOS, Apple has ...

  2. Code Sign error: Provisioning profile XXXX can't be found

    [iphone]Code Sign error: Provisioning profile XXXX can't be found 如果你更新了profile,再编译iphone项目,发现下面的错误, ...

  3. iPhone较为基础的代码片段

    Iphone代码片段导航 1.给UITableViewController添加ToolBar. self.navigationController.toolbarHidden = NO; //默认是隐 ...

  4. ipa重签名

    为什么要研究重签名问题?将程序打包成ipa包后,ipa包中会包含Provisioning Profile和_CodeSignature等文件,里面包含了对整个ipa的签名信息. 一旦改动ipa中的不论 ...

  5. An iOS zero-click radio proximity exploit odyssey

    NOTE: This specific issue was fixed before the launch of Privacy-Preserving Contact Tracing in iOS 1 ...

  6. github上所有大于800 star OC框架

    https://github.com/XCGit/awesome-objc-frameworks#awesome-objc-frameworks awesome-objc-frameworks ID ...

  7. IOS常用加密GTMBase64

    GTMDefines.h // // GTMDefines.h // // Copyright 2008 Google Inc. // // Licensed under the Apache Lic ...

  8. 验证Xcode真伪的方法,来自苹果官网

    验证Xcode真伪的方法,来自苹果官网   Xcode的验证你的版本 2015年9月22日    注意:中文为有道翻译,看下验证方法即可.   我们最近将应用程序从应用程序商店,还建有Xcode的假冒 ...

  9. iOS使用MD5 - 字符串加密至MD5&获取文件MD5

    iOS 字符串加密至MD5 + (NSString *) md5:(NSString *)str { unsigned ]; CC_MD5( cStr, strlen(cStr), result ); ...

随机推荐

  1. Visual Studio GitHub For Windows部署

    使用GitHub For Windows部署Visual Studio项目 因为最近同时再看很多技术方面的书,书上的例子有很多自己想亲自尝试一下,但是每次写例子都得创建一个新项目未免太麻烦,索性就整理 ...

  2. js 实现键盘记录 兼容FireFox和IE

    这两天突然想弄弄js的键盘记录,所以就小研究了一下. 主要分四个部分 第一部分:浏览器的按键事件 第二部分:兼容浏览器 第三部分:代码实现和优化 第四部分:总结 第一部分:浏览器的按键事件 用js实现 ...

  3. uva10718 - Bit Mask(贪心)

    题目:uva10718 - Bit Mask(贪心) 题目大意:给出32位无符号的整数n ,给定边界L和R,要求在这个边界里面找出一个整数,它和N做或运算得到的值最大. 解题思路:要求做或运算得到的值 ...

  4. Swift中文教程(六)--枚举和结构

    原文:Swift中文教程(六)--枚举和结构 Enumerations 枚举 使用 enum 来创建一个枚举.跟Classes(类)和其他类型的命名方式一样,枚举也可以有Method(方法). enu ...

  5. CSharp设计模式读书笔记(18):中介者模式(学习难度:★★★☆☆,使用频率:★★☆☆☆)

    中介者模式(Mediator Pattern):用一个中介对象(中介者)来封装一系列的对象交互,中介者使各对象不需要显式地相互引用,从而使其耦合松散,而且可以独立地改变它们之间的交互,中介者模式又称为 ...

  6. 《java系统性能调优》--1.发现瓶颈

    性能啊!性能! 之所以想写写性能调优,也是有感于我们的项目,我们採用一些手段使得系统性能上升了一个台阶,总是须要把这点经验沉淀一下.随着工作的深入,关于系统性能的事肯定还有非常多,也算是通过这个系列文 ...

  7. Content-Type boundary 问题

    我并不知道问题怎么描述清楚一些. 事情是这样的,使用  Microsoft Dynamics CRM Server 2016 做CRM系统的时候用到 使用 Web API 执行批处理操作(参见SDK或 ...

  8. Cocos2d-x学习笔记(14)(更新函数scheduleUpdate、进度计时器CCProgressTo、滚动视图CCScrollView)

    一.scheduleUpdate 1.scheduleUpdate:此函数是CCNode的函数,每一个CCNode仅仅要调用scheduleUpdate更新函数,那么这个CCNode就会响应当前类的u ...

  9. DbModel

    DbModel 前言 我们都知道EF可以生成Dbmodel,系统生成的Model有时候并不是我们想要的,如何我们要生成自己的Model,那么久需要我们手动的去修改T4模版,T4是对“Text Temp ...

  10. Socket 学习(二)

    1对1的发送和接收 Client 端         void ThreadReceive()         {             try             {              ...