iOS 9.3.5 Physical Acquisition Made Possible with Phoenix Jailbreak

August 24th, 2017 by Oleg Afonin

If you watch industry news, you are probably aware of the new Phoenix jailbreak… or not. During the last several years, getting news about iOS jailbreaks from reliable sources became increasingly difficult. The sheer number of fake Web sites mimicking the look of well-known resources such as Pangu and TaiG made us extra careful when trying newly published exploits.

Back to Phoenix. This thing is for real. Phoenix claims support for iPhone 4s, 5/5c, iPad 2/3/4, iPad mini, and iPod 5g running the last version of iOS 9.3.5. We were able to verify these claims by successfully jailbreaking several test devices and using Elcomsoft iOS Forensic Toolkit to perform full physical acquisition (as in imaging and decrypting the physical data partition).

With Phoenix jailbreak, iOS Forensic Toolkit can perform physical acquisition of Apple’s 32-bit devices running iOS 9.3.5, which happens to be the last version of iOS 9. Users of iOS Forensic Toolkit can perform physical-level imaging and decryption of the data partition, decryption and examination of keychain items, and enjoy full unrestricted access to sandboxed app data. This level of access is simply not possible with any other acquisition methods. As an example, physical acquisition of jailbroken devices enables forensic access to saved email messages, passwords, and full conversation logs saved by some of the most secure messengers such as WhatsApp, Telegram, Signal, Skype and Facebook Messenger. Compared to iOS backup analysis, this method adds access to browser cache and temporary files, email messages, extended location history, and data that belongs to apps that explicitly disable backups.

You can download the Phoenix jailbreak and instructions from https://phoenixpwn.com/.

The Phoenix jailbreak is “semi-untethered”, or “semi-tethered”. This means that, while the jailbreak will survive through reboots, you will have to re-run the jailbreak app every time after the device restarts. In addition, the signing certificate expires after 7 days, so you would have to re-sign the IPA file and re-upload the jailbreak to your device if you still need the jailbreak. Alternatively, you can make this jailbreak untethered by following instructions on installing BetterHomeDepot. This, however, is not required and should be avoided for forensic purposes.

Steps to jailbreak:

  1. Back up data with iTunes (if backup password is empty, specify and record a temporary password)
  2. Obtain and install the Phoenix jailbreak tool using the link(s) below. This includes two files:
    1. Phoenix jailbreak IPA file ipa available at https://phoenixpwn.com/
    2. Cydia Impactor available at http://www.cydiaimpactor.com/
  3. Cydia Impactor (developed by Saurik) is used to sign the IPA file so that the jailbreak tool can be executed on iOS devices. You will need to use valid Apple ID credentials for signing the IPA. We recommend using a newly created Apple ID for signing the certificate.
  4. Connect the iOS device to the computer, trust the computer on the iOS device and launch Cydia Impactor.
  5. Drag ipa onto Cydia Impactor app.
  6. Provide Apple ID and password when prompted. Click OK to allow Cydia Impactor to sign the IPA and upload it onto the iOS device.
  7. On the iOS device, open Settings > General > Device Management. You will see a developer profile under the “Apple ID” heading. Tap the profile to establish trust for this developer. (An Internet connection is required to verify the app developer’s certificate when establishing trust.)
  8. On the iOS device, find the jailbreak and run it.
  9. Click the “Start” button to jailbreak the device.
  10. After the jailbreak is complete, launch Cydia to install OpenSSH.

 

Tags: , , , , ,

Sign up for free ElcomSoft Password Recovery Software newsletter

Leave a Reply

5 Comments on "iOS 9.3.5 Physical Acquisition Made Possible with Phoenix Jailbreak"

Notify of
avatar
Bartosz Gaca
Guest
Bartosz Gaca

Great ios but still androi is way better guys

Vladimir Katalov
Admin
Vladimir Katalov

Well, that’s questionable, but we do not compare at all, we only find new ways to get as much data as possible!

Luca Romano
Guest
Luca Romano

Running Phoenix on my iPad mini. Works great so far. I have been dabbling in iOS security lately and this, for sure, is advanced level stuff. I never thought this could be possible from a simple jailbreak tool

Barti
Guest

IOS works very smoothly. I call IOS rather than android because android lands scary.

BadCase
Guest

“Alternatively, you can make this jailbreak untethered by following instructions on installing BetterHomeDepot.”
BetterHomeDepot is for versions 9.1-9.3.4 per the article you linked.
That aside great article and how to guide.

wpDiscuz