
Automatically unlock devices (without passcode set) #107

Open
zner0L opened this issue Jun 26, 2023 · 5 comments

Comments


zner0L commented Jun 26, 2023

Because our analysis starts apps, we need the screen to be unlocked. This should be done automatically, to ensure the device is ready.


zner0L commented Jun 26, 2023

On Android, this is straightforward: we can just imitate a lock button press via adb (https://stackoverflow.com/a/38032038):

$ adb shell input keyevent 26  # KEYCODE_POWER (26): pressing the power/lock button


zner0L commented Jun 26, 2023

On iOS, this is more tricky and took a bit of reverse engineering. In his MA thesis, @baltpeter used libactivator to imitate home button presses, but this doesn’t work anymore. I thought that the "Assistive Touch" feature of iOS could help us reimplement that feature, so I poked around in assistivetouchd for a while. It seems to be kinda unstable with frida and often crashed while frida tried to get the ObjC.classes autocomplete.

Other vectors, such as this Stack Overflow answer, were outdated and didn’t work anymore. But I found this promising scan of the AssistiveTouch.app headers from iOS 9. And here we find our winner: If I attach to assistivetouchd (it needs to be activated in the settings for that), I can get an instance of HNDAssistiveTouchServer, which has a _home() method.

And if I run this script in frida, I can simulate a home button press:

// Run inside assistivetouchd (AssistiveTouch must be enabled in Settings).
var server = ObjC.classes.HNDAssistiveTouchServer.sharedInstance();
server._home(); // simulates a home button press

The frida process crashes after that, but before that, we get a simulated home button press. We can also do this from the lock screen to unlock the iPhone (if no passcode has been set).


zner0L commented Jun 26, 2023

To find out whether the screen is unlocked, there are several methods on Android. However, I found that the most reliable method seems to be to look for mAwake=true and mDreamingLockscreen=false in adb shell dumpsys window.


zner0L commented Jun 26, 2023

When I tried to use the frida script in the REPL, it only worked if I ran the method after I used frida’s autocomplete feature. Without using it, I got a TypeError: not a function. After digging into the REPL code, it turns out frida needs Object.getOwnPropertyNames() to be run on the HNDAssistiveTouchServer instance.
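The frida script from the earlier comment with the workaround from this comment applied, as an added example that is not the issue author's script or the project's code: it enumerates the instance's own property names before calling `_home()`, so the call resolves outside the REPL as well. The function takes the ObjC bridge as a parameter so it can be exercised under plain Node with a stand-in object; the `frida -U -n assistivetouchd -l ...` invocation in the comment is the assumed way to load it, and AssistiveTouch must be enabled in Settings as the comments above note.

```javascript
// Added example, not the project's own code. Frida script that triggers
// HNDAssistiveTouchServer._home() inside assistivetouchd.
// Assumed invocation (not from the issue): frida -U -n assistivetouchd -l simulate-home.js

// Frida only resolves `_home` as a callable method after the instance's own
// property names have been enumerated (what the REPL's autocomplete did
// implicitly), so do that explicitly before the call.
function simulateHomePress(objc) {
  const server = objc.classes.HNDAssistiveTouchServer.sharedInstance();
  const names = Object.getOwnPropertyNames(server);
  if (typeof server._home !== "function") {
    throw new Error("_home is not callable after enumerating " + names.length + " properties");
  }
  server._home(); // simulated home button press; the comments note frida may crash afterwards
  return true;
}

// Run automatically only when loaded by frida, where the ObjC bridge is a
// global; under plain Node this is skipped and the function can be called
// with a stand-in object instead.
if (typeof ObjC !== "undefined") {
  simulateHomePress(ObjC);
}
```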


zner0L commented Jun 26, 2023

Finding out if an iOS device is locked is a bit harder. You need to listen to the com.apple.springboard.lockstate notification and then read out the state of it. We can subscribe to the event via a lockdown service, but we can not get the value of the state this way. I feel like this is out of scope and we don’t really need to, because on the iPhone two home button presses always unlock the phone, but do no harm if it is already unlocked.
