Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
iOS Triage Process
This describes the process need to been done when a new iOS version is updated.
List of tools new needed
- Xcode Developer Disk Image (DMG)
- Install Xcode
- find DMG in xcode directory
- put with other DMG ( redux/res/dmg )
Saline
- get saline_manifest
- compile saline
- get testdylib_manifest
- compile test testdylib
- run saline
- ../Dist/Release-MacOSX/saline ../test_dylib/Build/Release-iPhoneOS/testdylib/testmain
Adderall
- Get adderall_manifest
- in nightversion/python/nv_kern_read_command.py
- update kern start
- in get_ios_type, verify correct version number is in there
- update early.mk add new prefix to new to list
- early-bokken
- early-close
- early-persist
- early-remote
- update saline and rana
- update match function in rana/ranas/<proper>_rana.py\
- adderall.py
- Hopefully have execution
Symdra / Elsym
- python symdra/ -h
- python symdra/ full -k /tmp/> -a <results folder> -g <ghidra_dir> -b <min_build_version>
- /tmp should have IPSW from adderall
- a copy should be up on the share
- ghidra must be at least 6
- build version is your target
- When done symbol.db in the analysis directory
- This will be feed into Elsym
- sqlite3 <output folder>/<IPSW>/symbol.db
- select * from [ Master_symbol ];
- .exit
- cd ../elsym
- git status
- git branch feature/ios-<version>
- git checkout feature/ios-<version>
- el.py
- make sure build number is in the list
- might need to change "EL_CONFIG_LWVM_PARITION_FLAG_OFFSET"
- run and see what happens
- ZOO_IPSW_PATH=<results folder> make copyonedist ZOO_TARGET=<target>
- _kernel_memory_allocate is only used for the development
- ls ../elsym-dist/<IPSW>.plist
- python verify ../elsym-dist/
- no back files found ( doesn't mean that all files are good, just didn't find it)
- print_config.py ../elsym-dist/<IPSW>.plist
Nightvision
- can be done under the adderral or the ios manifest
- cd adderral
- cd nightvision
- make
- ../Dist/Release-iPhoneOs/nv -c ../early/elsym-dist/ get -o <outdir>/
- find /private/var/root in file list to verify privilege escalation worked
El_util
- cd early_manifest
- make ZOO_IPSW="<target>"
- el_runo.sh don't use even if it is in the directoru
- cd ../rana
- make
- python ../Build/Release-MacOS/rana.pyz -a execute Build/Relase-iPhoneOS/elutil/<IPSW>/el_priv
- should be "uid = 0, euid = 0"
El_unit
- cd elunit
- ZOO_ISPW_PATH=~/tmp/ make
- need a device on the developer profile
- should only have 1 failed test
El_ssh
Remote
Persistence
Related articles
('contentbylabel' missing)
('details' missing)