How to enable OpenSSh on iOS 10.2

I have successfully jailbroken my iPhone 6s running on iOS 10.2.

I have installed OpenSSH through Cydia and changed my default password via MobileTerminal.

The only problem is, when I run ssh root@my_iPhone_ip_addr, it just hangs and never connects.

I have tried the SSH toggle springboard application, however it still hangs.

Is there a way I could enable SSH on my phone via a terminal command or some other way?

Solution 1:

OpenSSH is not compatible with iOS 10.2 and will break things in later releases of the jailbreak. You should uninstall both OpenSSH and OpenSSL (dependency).

yalu102 comes with dropbear.

Solution 2:

You should use the built-in Dropbear. As of Yalu Beta 6, you need to first SSH over USB. Then after changing your password you can enable Dropbear on other interfaces.

Linux or macOS:

  1. Download gandalf binaries (I had zero luck compiling) from the ocaml-usbmux github page. macOS: gandalf_darwin_10_11_x86_64
  2. Connect your device via USB cable, and scan for it.
  3. Put the udid into a mapping file. Make sure device_port 22 (ssh) is mapped!
  4. Run gandalf with your mapping file
  5. SSH to the local_port corresponding to device_port 22 in your mapping file.
  6. Log in with the password alpine.
  7. CHANGE YOUR PASSWORD!!!

Scan

$ gandalf

Sample Mapping File

[{"udid": "9cdfac9f74c5e18a6eff3611c0927df5cf4f2eca",
  "name": "i11",
  "forwarding": [{"local_port": 2000, "device_port": 22},
                 {"local_port": 3000, "device_port": 1122}]}]

Run Gandalf with Mapping File

$ gandalf -m myMappingFile.txt

SSH to port 2000

$ ssh mobile@localhost -p 2000

Change password(s)

$ passwd
$ su
$ passwd root

Now that you are in your iOS device (your password has been changed, right?) you can enable Dropbear on other interfaces as follows.

  1. Create a LaunchDaemon file to launch a second instance of Dropbear.
  2. Reboot or use launchctl load

Create LaunchDaemon file:

$ cd /Library/LaunchDaemons
$ cat > ssh10022.plist

Paste this into the terminal:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>SSH port 10022</string>
    <key>Program</key>
    <string>/usr/local/bin/dropbear</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/dropbear</string>
        <string>-F</string>
        <string>-R</string>
        <string>-p</string>
        <string>10022</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>

Type Ctrl-D to end the input. That now creates the file ssh10022.plist

Reboot or use launchctl

launchctl load /Library/LaunchDaemons/ssh10022.plist

Issues:

Dropbear does not like the iOS default permissions on the mobile home directory, so SSH key authentication does not work. After every reboot I have to log in with password and fix the permissions:

$ chmod go-w /var/mobile

To debug Dropbear: Redirect Dropbear logs to stderr (the example below runs yet another instance on port 10023).

$ dropbear -E -p 10023
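The gandalf mapping file above is plain JSON, and the step that bites people is forgetting to map device_port 22 before running gandalf. As an added example (not part of the answer or of the ocaml-usbmux project), this Python snippet parses a mapping file, checks the fields gandalf expects, and derives the local port to SSH to. The udid below is a constructed placeholder, and the validation rules (non-empty udid, ports in 1-65535, no local port mapped twice) are this example's assumptions, not rules documented by gandalf.

```python
import json

# Constructed sample in the same shape as the gandalf mapping file shown above.
# The udid is a made-up placeholder, not a real device identifier.
SAMPLE_MAPPING = """
[{"udid": "0000000000000000000000000000000000000000",
  "name": "i11",
  "forwarding": [{"local_port": 2000, "device_port": 22},
                 {"local_port": 3000, "device_port": 1122}]}]
"""


def load_mapping(text):
    """Parse a mapping file and sanity-check it before handing it to gandalf.

    Raises ValueError on a shape gandalf would not be able to use
    (assumed rules: non-empty udid, valid port numbers, unique local ports).
    """
    entries = json.loads(text)
    if not isinstance(entries, list) or not entries:
        raise ValueError("mapping file must be a non-empty JSON array")
    seen_local = set()
    for entry in entries:
        udid = entry.get("udid")
        if not isinstance(udid, str) or not udid:
            raise ValueError("every entry needs a non-empty udid")
        for fwd in entry.get("forwarding", []):
            for key in ("local_port", "device_port"):
                port = fwd.get(key)
                if not isinstance(port, int) or not 1 <= port <= 65535:
                    raise ValueError("%s missing or out of range for %s" % (key, udid))
            if fwd["local_port"] in seen_local:
                raise ValueError("local_port %d is used twice" % fwd["local_port"])
            seen_local.add(fwd["local_port"])
    return entries


def local_port_for(entries, device_port=22, udid=None):
    """Return the local port forwarded to device_port, or None if it is not mapped."""
    for entry in entries:
        if udid is not None and entry["udid"] != udid:
            continue
        for fwd in entry.get("forwarding", []):
            if fwd["device_port"] == device_port:
                return fwd["local_port"]
    return None


def ssh_command(entries, user="mobile", device_port=22, udid=None):
    """Build the ssh invocation for the mapped port; fail loudly if 22 is unmapped."""
    port = local_port_for(entries, device_port, udid)
    if port is None:
        raise ValueError("device_port %d is not in the mapping file; add it "
                         "before running gandalf" % device_port)
    return "ssh %s@localhost -p %d" % (user, port)


if __name__ == "__main__":
    mapping = load_mapping(SAMPLE_MAPPING)
    print(ssh_command(mapping))  # ssh mobile@localhost -p 2000
```

Run it against your own mapping file with `load_mapping(open("myMappingFile.txt").read())`; a missing port 22 mapping surfaces as a ValueError before you spend time wondering why the SSH connection hangs.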

Solution 3:

You cannot connect to ssh over wifi with the 10.2 jailbreak. You need to ssh over USB. There are several options but the easiest is to use iproxy.

  1. Install iproxy

    brew install libimobiledevice

  2. On the terminal now run the following command.

    iproxy 2222 22

    This will enable you to forward all traffic from port 2222 to port 22 over USB

  3. Now you can connect to the iPhone by running ssh

    ssh root@localhost -p 2222

Notice you connect to localhost not the ip address of your phone. If everything went well, you should be presented with the ssh prompt.

If it doesn't work, check if ssh is running on the iPhone by running

telnet <iphone-ip-address-here> 22

If you can't connect make sure you install the openssh package from Cydia.

Solution 4:

@Colin has a great answer for the Yalu jailbreak, but I did things a little differently that may be useful to people. His answer focuses on creating a new daemon with a new name so that effectively you have two daemons running SSH: one for USB and one for other TCP connections. I wanted one listener that listened on all interfaces. I was also on Windows and needed something that worked with that, which gandalf did not. As a result I went with a Python script, which I forked to make sure it never disappears on me.

To use this, run:

python usbmuxd\pythonclient\tcprelay.py -t 22:2222

The above maps local port 2222 to the remote port 22. Once this is set up you can use your favorite SSH utility in order to connect in. I used PuTTY.

  • Host: 127.0.0.1
  • Port: 2222

Default username of "root" and password of "alpine", but a username of "mobile" and a password of "alpine" can also be used to connect.

NOTE: If you don't know the root password, use Filza to change the permissions of /etc/master.passwd to 666, then via SSH as the mobile user, or utilizing your favorite file editor, edit that file to copy the hash from "mobile" over to "root" to make the passwords the same. (The hash for "alpine" is "/smx7MYTQIi2M", if it's needed). You should then be able to log in as root, or use su.

Once you're logged in you'll want to find the copies of dropbear.plist that are currently on your machine. There are probably more efficient ways to do this, but I used the following command:

find . | grep dropbear.plist

Which yielded:

./Library/LaunchDaemons/dropbear.plist
./private/var/containers/Bundle/Application/023FF836-8A0A-4593-A578-6801F2A3F34D/yalu102.app/dropbear.plist

The first entry is the active daemon, but the second one is more important. It's the daemon that Yalu puts in place every time you run the jailbreak (which you have to do after every reboot). If you only edit /Library/LaunchDaemons/dropbear.plist, it will be replaced every time you reboot.

As a result we're going to edit the one that comes packaged with Yalu, but if you cat the file you'll notice it's in a binary PLIST format. To fix this we need Erica Utilities in order to get plutil. You can then run:

plutil -xml dropbear.plist

This will convert the dropbear.plist to XML format. Once this is done you can edit the file in any text editor. I used nano to do the actual editing.

e.g.

nano dropbear.plist

When you're editing the file you want to get rid of the "localhost:" from the last string entry. This will make the listener run on all interfaces instead of only the loopback interface (which is only available via USB). As a result your file becomes:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>KeepAlive</key>
        <true/>
        <key>Label</key>
        <string>ShaiHulud</string>
        <key>Program</key>
        <string>/usr/local/bin/dropbear</string>
        <key>ProgramArguments</key>
        <array>
                <string>/usr/local/bin/dropbear</string>
                <string>-F</string>
                <string>-R</string>
                <string>-p</string>
                <string>22</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
</dict>
</plist>

Once you've done that you will want to put the file back in binary format:

plutil -binary dropbear.plist

At this point I suggest you reboot the device and validate that the Yalu dropbear.plist file is properly copied over when you re-jailbreak:

e.g.

reboot

After a reboot you should be able to SSH utilizing your phone's IP address and the standard port 22.

e.g.

  • Host: (IP from Settings -> WiFi -> (WIFI NAME))
  • Port: 22
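The edit in this answer (convert the binary dropbear.plist to XML, drop the "localhost:" prefix from the `-p` argument, convert it back) is exactly the kind of change worth auditing afterwards, because the difference between `-p localhost:22` and `-p 22` is the difference between an SSH service reachable only over the USB relay and one reachable from anyone on the same WiFi. As an added example (not part of the answer, and not using Erica Utilities' plutil), this Python snippet does the same job with the standard library's `plistlib`, which reads binary and XML plists alike: it reports what address and port each Dropbear instance in a launchd plist binds to, and it rewrites the bind address in either direction, so the same script that opens the listener can verify it or close it again. It assumes Dropbear's `-p [address:]port` option syntax and that, with no `-p` at all, Dropbear defaults to port 22 on all interfaces; the sample plist is constructed to match the Yalu file above as it looks before the edit.

```python
import plistlib

# Constructed sample: the Yalu dropbear.plist as it looks BEFORE the edit in
# the answer, i.e. "-p localhost:22", so Dropbear binds only to loopback.
# Written as XML for readability; plistlib loads the binary form identically.
BEFORE_EDIT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>KeepAlive</key><true/>
    <key>Label</key><string>ShaiHulud</string>
    <key>Program</key><string>/usr/local/bin/dropbear</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/dropbear</string>
        <string>-F</string>
        <string>-R</string>
        <string>-p</string>
        <string>localhost:22</string>
    </array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
ANY = "0.0.0.0"  # marker for "no address given": Dropbear binds every interface


def dropbear_listeners(plist_bytes):
    """Return [(address, port)] for each '-p [address:]port' in ProgramArguments.

    Assumed Dropbear behaviour: a bare port binds all interfaces, and no -p at
    all means port 22 on all interfaces.
    """
    args = plistlib.loads(plist_bytes).get("ProgramArguments", [])
    listeners = []
    for flag, value in zip(args, args[1:]):
        if flag != "-p":
            continue
        addr, _, port = value.rpartition(":")
        listeners.append((addr or ANY, int(port)))
    return listeners or [(ANY, 22)]


def audit(plist_bytes):
    """Summarise who can reach this Dropbear instance: 'loopback' means only
    the USB relay (iproxy/gandalf/tcprelay) can connect; 'all-interfaces'
    means anything on the phone's network can."""
    data = plistlib.loads(plist_bytes)
    listeners = dropbear_listeners(plist_bytes)
    exposed = any(addr not in LOOPBACK for addr, _ in listeners)
    return {"label": data.get("Label"),
            "listeners": listeners,
            "exposure": "all-interfaces" if exposed else "loopback"}


def set_bind_address(plist_bytes, address=None, binary=True):
    """Rewrite every '-p' value to bind to `address` (None = all interfaces,
    the answer's edit; 'localhost' undoes it) and return the plist bytes,
    binary by default since that is the format Yalu ships."""
    data = plistlib.loads(plist_bytes)
    args = list(data.get("ProgramArguments", []))
    for i in range(len(args) - 1):
        if args[i] == "-p":
            port = args[i + 1].rpartition(":")[2]
            args[i + 1] = port if address is None else "%s:%s" % (address, port)
    data["ProgramArguments"] = args
    fmt = plistlib.FMT_BINARY if binary else plistlib.FMT_XML
    return plistlib.dumps(data, fmt=fmt)


if __name__ == "__main__":
    print(audit(BEFORE_EDIT))                    # exposure: loopback
    opened = set_bind_address(BEFORE_EDIT)       # the answer's edit, as binary
    print(audit(opened))                         # exposure: all-interfaces
```

To check a real device, copy both dropbear.plist files off the phone (the one in /Library/LaunchDaemons and the one inside yalu102.app) and run `audit()` on each; if the app bundle copy still reports `loopback`, the edit will be undone at the next re-jailbreak, which is the failure mode the answer warns about. `set_bind_address(data, "localhost")` restores the USB-only default once you are done.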