
Jailbreaking iOS 13 with unc0ver


This guide walks through using Cydia Impactor to jailbreak iOS 13.5.0 (and lower) devices with unc0ver. This process is highly helpful for iOS pentesting, but it is also useful for anyone who just wants to sideload apps or tweaks.

Note: iPhone 5 (A7) devices on iOS 12 are not supported by this unc0ver jailbreak at the moment. For those devices, please see our guide to using the checkra1n jailbreak.

At a high level we will do the following:

  1. Create an app-specific password (Impactor needs to authenticate with Apple).
  2. Download Cydia Impactor.
  3. Download the unc0ver IPA file.
  4. Use Impactor to sideload the IPA to the device.
  5. Run the unc0ver app to perform the jailbreak.

1. Create an app-specific password

Head over to https://appleid.apple.com/account/home

iOS app-specific password

Click ‘Generate Password…’, enter a label and create the password. You should now have a password; keep it in a password safe:

ios app password

2. Download Cydia Impactor

First head on over to the Cydia Impactor site and download the latest tarball:

http://www.cydiaimpactor.com/

Cydia Impactor download

Extract the archive:

$ tar zxvf Impactor64_0.9.52.tgz

This will extract Impactor to the current directory. Now run Impactor:

$ sudo ./Impactor

If your phone is detected, you should see the device ID appear in the first field:

sudo ./Impactor

If you don’t see the device ID, ensure the device is plugged in and ‘trusted’.

3. Download unc0ver IPA

Now head on over to the unc0ver jailbreak site at https://unc0ver.dev/

unc0ver jailbreak site

4. Run Impactor

Download the ipa file and drag and drop that over the Impactor GUI.

You should see a prompt appear for your Apple login ID and password:

apple login

If you’re curious if this is safe, you can confirm with Wireshark that Impactor only communicates with idmsa.apple.com:

Impactor Wireshark capture
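An added example, not from the original guide or from the Impactor or unc0ver projects, that turns the Wireshark check above into a repeatable test: it takes the TLS SNI hostnames exported from a capture (the tshark invocation in the comments is an assumption; the host list below is a constructed sample) and flags any host other than idmsa.apple.com.

```shell
#!/bin/sh
# Added example: verify that every TLS SNI hostname seen in a capture of
# Impactor's traffic is on the expected allowlist.
# Assumed way to produce the input, one hostname per line (blank lines
# for ClientHellos without SNI):
#   tshark -r impactor.pcapng -Y 'tls.handshake.type == 1' \
#       -T fields -e tls.handshake.extensions_server_name

# Constructed sample standing in for the tshark output above.
SAMPLE_SNI='idmsa.apple.com
idmsa.apple.com

IDMSA.apple.com
'

# Hosts Impactor is expected to contact (per the guide: only idmsa.apple.com).
ALLOWED_HOSTS='idmsa.apple.com'

# check_hosts SNI_LIST ALLOWED_LIST
# Prints each distinct hostname that is not in ALLOWED_LIST, one per line.
# Returns 0 when every host is allowed, 1 otherwise.
check_hosts() {
    _sni="$1"
    _allowed="$2"
    _bad=0
    # Normalise: lowercase, drop blank lines, dedupe.
    _hosts=$(printf '%s\n' "$_sni" | tr '[:upper:]' '[:lower:]' \
             | sed '/^[[:space:]]*$/d' | sort -u)
    for _h in $_hosts; do
        # Exact, whole-line match against the allowlist.
        if ! printf '%s\n' "$_allowed" | grep -qxF "$_h"; then
            printf '%s\n' "$_h"
            _bad=1
        fi
    done
    return $_bad
}

if check_hosts "$SAMPLE_SNI" "$ALLOWED_HOSTS"; then
    echo "OK: only expected hosts were contacted"
else
    echo "WARNING: unexpected hosts listed above" >&2
fi
```

Any hostname printed by check_hosts is one Impactor should not have needed; investigate it before entering Apple credentials.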

Note for Ubuntu users: If the drag and drop doesn’t work, pay close attention to where on the screen you are dropping. There is a very limited area where you can actually drop the IPA into the window; you should see a + character appear on the hand icon when you are mousing over a valid spot.

The yellow area shows where you can drop the IPA:

impactor drag and drop

5. Running the unc0ver app

You should now see the unc0ver app on SpringBoard:

unc0ver springboard

Open the unc0ver app and hit Jailbreak:

unc0ver app

If successful, you should see Cydia installed on SpringBoard. If not, just repeat the process until it succeeds:

cydia installed

The device should now be jailbroken. This is one of the most important steps to start pentesting iOS applications.

Troubleshooting

LOCKDOWN_E_INVALID_CONF errors

If at any time you see lockdown.cpp:57 LOCKDOWN_E_INVALID_CONF errors, check the following:

  • Your phone is unlocked and active.
  • You have trusted the computer from your iPhone/iPad and confirmed with your passcode.
  • The device is active on your computer via iTunes.
  • You started Impactor after the phone was plugged in and trusted.

Developer agreements

If you get the following error:

You currently don't have access to this membership resource. To resolve this issue, agree to the latest Program License Agreement in your developer account.

You must visit https://developer.apple.com/membercenter/index.action#agreements to accept the updated terms and conditions.

Getting Started Pentesting

If you want to use your jailbreak to get started pentesting, check out our guide to using Frida and objection for iOS pentesting.
