iOS Jailbreaks, SSH, and root Password

May 26th, 2020 by Ivan Ponurovskiy
Category: «Mobile», «Tips & Tricks»

Users of iOS Forensic Toolkit who are using jailbreak-based acquisition sometimes have issues connecting to the device. More often than not, the issues are related to SSH. The SSH server may be missing or not installed with a jailbreak (which is particularly common for iOS 9 and 10 devices). A less common issue is a non-default root password. Learn how to identify these issues and how to deal with them.

Modern jailbreaks, in addition to removing several iOS restrictions (for example, disabling signature verification, escalating privileges or bypassing the sandbox), allow obtaining low-level access to the device’s file system. This allows connecting to an iOS device via SSH and gaining almost unlimited access to the system. Some jailbreaks install an OpenSSH (or dropbear) server immediately as they are installed. If not, then SSH can be installed manually from the Cydia repository (OpenSSH package). In this article, I’ll discuss several issues related to SSH, including the following.

  1. How to understand if SSH is installed and working on the device?
  2. How to change the root password?
  3. How to reset the root password to its default value if one is unknown?

Is SSH installed?

You can check it in several ways. First, you can try connecting to the device directly by issuing the following command (the password is “alpine”):

SSH -p <PORT> root@<ip_address>

As a rule of thumb, SSH is listening on port 22. Some jailbreaks (including Meridian and checkra1n) use port 44 instead.

After issuing this command, you can expect one of the three results.

  1. Connection successful. You’ll gain shell access on the device.
  2. Connection refused. This can mean that SSH is not installed or the device is not jailbroken. You have to install the package from Cydia or jailbreak the device.
  3. Permission denied, please try again. SSH is installed, but the default password is not “alpine”. You can reset such passwords (read below for instructions).

You can also use the nmap tool, which will scan the ports on the target device and list services listening on these ports. Use the following command:

nmap -p 1-100 <ip_address>    (scans ports 1 to 100)
nmap -p- <ip_address>         (scans all ports)

Changing the root password

You can change the default root password to something else by typing passwd and entering the new password twice.

Resetting the root password

In some cases, the default root password can be changed. If you don’t know the new root password, you won’t be able to use SSH. You will have to reset the root password back to its default value.

Method 1

Download and install Filza File Manager from Cydia. This file manager will allow accessing the file system after you jailbreak the device. Use Filza to edit the /private/etc/master.passwd. This file contains hashes to all passwords of iOS users. Find the root record and modify it to the following value:

root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh

The password is now ‘alpine’.

Method 2

Install Apple File Conduit “2” from Cydia (available in BigBoss repository). This packet is an unofficial extension of the native iOS Apple File Conduit (AFC) service. The original AFC can only access the /var/mobile/Media/ folder, while the unofficial AFC2 can access the entire file system. After installing the service, you can connect to the device using a desktop file manager (e.g. Explorer or iFunBox) and edit the /private/etc/master.passwd file as described above.

Note that you will absolutely need access to the device in order to install these packages. If the iOS device is locked and you cannot get past the lock screen, you won’t be able to reset the root password.