ironha1l & DFOwn - Android iPhone Ownage Tool Suite Demo. (Pwn an iPhone with an Android phone)


Uploaded by Thireus on 06.09.2012

Transcript:
Hi everyone, this is Thireus. I wanted to make a demo video of
a project I've been working on for quite a long time now.
This project, which is called ironha1l, is a tool suite
intended to provide an Android application to steal files from an iDevice
using an Android phone via USB.
We have here an Android phone, which is a Samsung Google Nexus (4.0.3),
and in my right hand we've got an iPhone 4 (5.1.1 unjailbroken).

We have here a micro USB to USB host adaptor
which will be used later for the demo.
So basically, we have an application
which is called DFOwn on our Android phone
that uses the George Hotz
limera1n exploit to inject a custom ramdisk on the iDevice.
This ramdisk has been created to provide an SSH connection
between the two devices.
We can find some settings for the DFOwn application.

Once the ramdisk is injected, we'll be able to access the iPhone partitions
and steal some private data.

I first need to take a picture with my iPhone
to prove I can steal it once Android is connected to the pwned device.

Let's take a picture...
All right!
We've got a picture to steal. ;)

Now what we need to do is shut down the iPhone (power off)
and put it in DFU mode.
Let's plug the two devices together with USB

and... hopefully we will be able to put the... iPhone device in DFU mode.
Let's launch DFOwn (already launched).
All right...
The iPhone should now be in DFU mode.

And...
let's press the "Pwn Me" button!
So the entire process takes about uh... one minute to complete,
which is quite fast I think.

We have 4 stages to go.


We can see on the screen that I have injected the command bgcolor 0 255 0
(green color).

4 stages to go...
and the custom ramdisk is running on the iPhone,
and we can see here ironha1l launched on the iPhone 4.
Now what I can do is launch an SFTP client on Android
to access the iPhone data.
The two iPhone partitions are mounted into two folders:
the first one is /mnt1
and the second one is /mnt2.

In /mnt2 we have the data partition of the iPhone
and hopefully we'll be able to find the picture we took previously.
Yep! =)

Let's open it...
And here we've got the picture! :D

This attack is quite fast
and we can steal any unencrypted files from the phone,
such as the contact database and text message database.
Hope you enjoyed this demo,
you'll find a link in the description of this video
to the related article of ironha1l... hopefully soon.
Thanks for watching!
Bye.