Top 20 Essential Terminal Commands for iOS Exploitation

Written and Edited by Apple Tech 752, Security Researcher and Bypass Expert

We all know the feeling of being stuck. That helpless sensation of staring at your computer for hours on end, googling frantically for a solution only to find absolutely nothing. Everything was working fine, until a small error or challenging situation got in your way and shut down the entire process. This is extremely hard if you have no idea what to do next!

Luckily, it turns out that a few simple commands have the power to fix the most persistent, undocumented issues in iOS hacking. You might spend half your day scouring the internet just to find that the solution was a single line in Terminal. So with this ultimate guide, you can say goodbye to hours of wasted time. Below are the 20 most useful, helpful, and ohhh-yeaaaah commands for the macOS Terminal that will turn all your desperate bypassing moments into home screen dreams!

1. sudo killall -STOP usbd

Ding. Ding. Ding. Ding. ENOUGH! You plugged in your iPhone or iPad, but it's going crazy and just keeps on charging, not charging, charging, not charging. checkra1n will never detect a device in this possessed state, but the fix is simple. Open a Terminal window, type this command, enter your login password, press Enter, and the charging chime finally stops and your USB connection is back to normal. What it does: usbd is the macOS daemon that handles Apple devices over USB, and -STOP freezes it with SIGSTOP rather than killing it, so it stops fighting the device over the connection. When you are done, wake it back up with sudo killall -CONT usbd (a reboot does the same).

2. sudo codesign --force --deep --sign - /path/to/executable

If an application or command-line tool crashes the instant you open it with a long error log, stops bouncing in the Dock, or dies with Killed: 9, this command is for you. macOS refuses to run code whose signature no longer validates, and on Apple silicon it will not run a native binary with no signature at all. The - after --sign means ad-hoc: no certificate and no Apple identity, just a fresh signature that makes the binary's seal consistent again. --force replaces any existing signature and --deep re-signs the frameworks and helpers nested inside a bundle. You only need sudo if you do not own the file. Confirm the result with codesign --verify --verbose /path/to/executable. An ad-hoc signature does nothing for Gatekeeper's check on a freshly downloaded app; that one is handled by the xattr command further down.

3. sudo chmod 755 /path/to/file

If you just need to get at a single file somewhere on your Mac, this command does it, but understand what it does: 755 sets the file's permission bits to rwxr-xr-x, so the owner can read, write and execute and everybody else can read and execute. That is the right mode for a program or a folder, not for a data file, which should get 644 (rw-r--r--). It does not change who owns the file; chown does that. It also does not get past System Integrity Protection or, on Mojave and later, the privacy (TCC) prompts, so if the file lives under /System or in a protected folder the command will fail or the file will stay off limits no matter what mode it has.

4. sudo chmod -R 755 /path/to/folder

When a whole folder of files refuses to be modified, or the folder itself shows the red Not Permitted badge, this is the command. On macOS High Sierra, for example, Finder cannot open another user's Desktop because that folder is mode 700 and owned by its user; sudo chmod -R 755 /Users/another_user/Desktop makes everything in it world-readable (and, since 755 sets the execute bit on every file, marks all of it executable too, which is sloppy for documents). On Catalina and later the Desktop, Documents and Downloads folders are additionally guarded by the privacy system, so chmod alone is not enough there: the app reading them needs Full Disk Access. The command also rescues an app whose bundled shell scripts have lost their execute bit, usually because the bundle went through a zip or a download; without it the app cannot run its own scripts in Contents/Resources. -R means recursive: the mode is applied to the folder and everything below it.

5. sudo chmod +x /path/to/executable

This is the precise cousin of chmod 755: +x adds only the execute bit (for owner, group and others) and leaves the read and write bits alone. Use it on a file that Finder shows as a plain white document when you know it is a program; the icon switches to the black exec badge as soon as the bit is set. Unlike 755, +x grants no read or write access, so a file you could not read before stays unreadable. With -R it marks every file in the folder executable, data files included; if you only want to mark the folders and the files that were already executable, use chmod -R a+X (capital X) instead, or target the scripts by name.
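The three chmod entries above all solve the same problem with one blunt mode. As an added example (not from the original post, and not Sliver's code), here is a small POSIX shell script that repairs a bundle with the minimum each item needs: folders 755, scripts and Mach-O/ELF binaries 755, everything else 644. The Demo.app it builds for itself is constructed; point fix_bundle_perms at a real bundle to use it.

```shell
#!/bin/sh
# Added example, not part of the original post: repair the permissions inside
# an app bundle (or any tool folder) with the minimum each item needs, instead
# of chmod -R 755 on everything. Directories get 755, scripts and Mach-O/ELF
# binaries get 755, every other file becomes a non-executable 644.
# The Demo.app bundle built by make_demo_bundle is constructed for the demo.

# True if the file starts with a shebang (#!), a Mach-O/fat magic, or an ELF magic.
is_script_or_binary() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        2321*|cafebabe*|cefaedfe*|cffaedfe*|feedface*|feedfacf*|7f454c46*) return 0 ;;
        *) return 1 ;;
    esac
}

fix_bundle_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # Folders must be searchable (x) by everyone who should open them.
    find "$dir" -type d -exec chmod 755 {} +
    # Files are classified one by one; chmod u+r first so we can read the magic.
    find "$dir" -type f | while IFS= read -r f; do
        chmod u+r "$f" 2>/dev/null || true
        case "$f" in
            *.sh|*.command) chmod 755 "$f" ;;
            *) if is_script_or_binary "$f"; then chmod 755 "$f"; else chmod 644 "$f"; fi ;;
        esac
    done
}

# Build a throwaway bundle showing the three situations the post describes:
# a script that lost its execute bit, a binary nobody can read, and a data
# file that a blanket chmod -R 755 left executable. Prints the temp directory.
make_demo_bundle() {
    root=$(mktemp -d)
    app=$root/Demo.app/Contents
    mkdir -p "$app/MacOS" "$app/Resources"
    printf '#!/bin/sh\necho hello from the bundle\n' > "$app/Resources/helper.sh"
    printf '\316\372\355\376stub' > "$app/MacOS/Demo"        # Mach-O 32-bit magic, constructed stub
    printf 'key = value\n' > "$app/Resources/config.plist"
    chmod 600 "$app/Resources/helper.sh"     # execute bit stripped, as after a zip round trip
    chmod 000 "$app/MacOS/Demo"              # "Not Permitted": unreadable even by the owner
    chmod 777 "$app/Resources/config.plist"  # data file left executable and world-writable
    echo "$root"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(make_demo_bundle)
    fix_bundle_perms "$root"
    ls -lR "$root/Demo.app"
    rm -rf "$root"
fi
```

Run it as sh fixperms.sh --demo to see the repaired listing, or source it and call fix_bundle_perms /Applications/MyApp.app. It never touches ownership: if a file belongs to another user you still need sudo, and it fails on SIP-protected paths the same way a bare chmod does.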

6. sudo xattr -rd com.apple.quarantine /Applications/MyApp.app/

Quarantine is the flag macOS attaches to anything a browser (or Mail, Messages, AirDrop) downloads. When you open a quarantined app, Gatekeeper checks its signature and, on recent versions, whether Apple notarized it; an app that is unsigned, ad-hoc signed, or whose signature no longer validates gets the app is damaged and can't be opened dialog, which says nothing about what the app actually does. Tools like Sliver and LeetDown are not notarized, so that dialog is exactly what their users see. The checkbox in the dialog sends a malware report to Apple; untick it if you do not want that. This command clears the flag (-d deletes the attribute, -r recurses through the bundle), after which Gatekeeper never looks at the app again. That is the whole point, and also the risk: you are switching off the one check that stands between you and a malicious download, so do it only for software you trust, ideally after comparing its SHA-256 with the hash the developer published. Look at what you are removing first with xattr -l /Applications/MyApp.app; sudo is only needed if you do not own the bundle.

7. /Applications/MyApp.app/Contents/MacOS/MyApp &

This trick is definitely one of my all-time favorites. If an app on an older macOS shows the gray Not Permitted badge, launch the executable inside the bundle directly from Terminal instead of double-clicking it. Double-clicking goes through the launch layer (LaunchServices), which is what enforces the minimum OS version and Apple's compatibility blocklist; running Contents/MacOS/MyApp yourself skips that layer and starts the program. iPhoto is the classic case: after Apple switched to Photos it became unlaunchable on High Sierra, but this gets it running. It does not work for everything, and if the app's frameworks are genuinely incompatible it will crash, but then you get the app's own error output in the Terminal, which is the other reason to launch apps this way. To run Sliver like this, use /Applications/Sliver.app/Contents/MacOS/Sliver &. The trailing & puts the app in the background and gives your prompt back; leave it off when you want to watch the output and Ctrl-C the app.

8. ps -fA | grep python

When SSH to the device refuses to connect, or tcprelay complains that the address is already in use, a stale relay from an earlier session is usually still running and holding the port. A reboot clears it, but so does this command: ps -fA lists every process on the Mac, and grep keeps the python ones, which is what tcprelay.py shows up as. The second column is the process ID (PID), not a port. If two relays are listed, stop the old one with kill and its PID: if PIDs 486 and 507 are both running tcprelay.py, kill 507 ends the newer one. sudo is only needed when the process belongs to another user. The grep line itself shows up in the output because it contains the word python; pgrep -fl python avoids that. To see exactly which process holds the relay port, lsof -nP -iTCP:2222 -sTCP:LISTEN is more direct. Killing a relay drops any SSH session that was running through it.
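To make the PID-versus-port point concrete, here is an added example (not part of the original post) that pulls PIDs out of ps -f output for a command pattern, drops the grep that found them, and stops stale relays. The ps listing in SAMPLE_PS is constructed; port_listeners assumes lsof is installed, which it is on macOS.

```shell
#!/bin/sh
# Added example, not part of the original post. The numbers in ps output are
# process IDs (PIDs), not ports; this helper pulls the PIDs out of ps -f style
# output for commands matching a pattern, skipping the grep/pgrep line that
# matches itself. SAMPLE_PS is constructed for the demo.

# ps -f columns on macOS and Linux: UID PID PPID C STIME TTY TIME CMD.
# CMD is everything from field 8 onwards.
pids_matching() {
    awk -v pat="$1" '
        NR == 1 { next }                            # header line
        {
            cmd = $8
            for (i = 9; i <= NF; i++) cmd = cmd " " $i
            if (cmd ~ pat && cmd !~ /^(grep|pgrep|awk) /) print $2
        }'
}

# PIDs of processes listening on a local TCP port (needs lsof; stock on macOS).
port_listeners() {
    lsof -nP -iTCP:"$1" -sTCP:LISTEN -t 2>/dev/null
}

# Stop every relay we started: TERM first, KILL only if it ignores that.
stop_stale_relays() {
    ps -fA | pids_matching 'tcprelay[.]py|iproxy' | while read -r pid; do
        echo "stopping relay PID $pid"
        kill "$pid" 2>/dev/null || kill -9 "$pid" 2>/dev/null || true
    done
}

# Constructed ps -fA output: two relays, the grep that found them, and usbd.
SAMPLE_PS='UID   PID  PPID   C STIME   TTY           TIME CMD
  501   486   480   0  9:12AM ttys001    0:00.12 python ./tcprelay.py -t 44:2222
  501   507   480   0  9:15AM ttys002    0:00.08 python3 ./tcprelay.py -t 22:2222
  501   512   480   0  9:16AM ttys002    0:00.01 grep python
    0   120     1   0  8:59AM ??         0:01.44 /usr/libexec/usbd'

if [ "${1:-}" = "--demo" ]; then
    echo "relay PIDs in the sample listing:"
    printf '%s\n' "$SAMPLE_PS" | pids_matching python
fi
```

On a real Mac, ps -fA | pids_matching 'tcprelay[.]py' gives you the numbers to pass to kill, and port_listeners 2222 tells you who owns the port when the relay refuses to start.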

9. rm -rf ~/.ssh/known_hosts

One of the most common surprises when SSHing into an iDevice by hand is the REMOTE HOST IDENTIFICATION HAS CHANGED message. The first time you see it, it looks scary: it says someone might be doing something nasty and warns about a man-in-the-middle attack. Here is what it actually means. SSH remembers the host key of every server it has connected to, under the server's name, in ~/.ssh/known_hosts. Through the USB relay every device looks like the same server, [localhost]:2222, but every device has its own host key, so the second device you connect to no longer matches the key saved for the first one. In that situation the warning is expected and harmless. The command above deletes the whole file (the -r is unnecessary, it is a plain file), which also forgets every real server you have ever connected to; the surgical version is ssh-keygen -R '[localhost]:2222', which removes just that entry. If you ever see this warning for a server over the network that you did not reinstall, do not clear it, because then the warning is doing its job.
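Rather than wiping known_hosts, here is an added example (not from the original post) that forgets only the relay's entry. The file it builds contains placeholder key blobs, not real keys; the host-list parsing follows the known_hosts format, a comma-separated host list optionally preceded by an @cert-authority or @revoked marker.

```shell
#!/bin/sh
# Added example, not part of the original post. Forget the saved host key for
# one endpoint instead of deleting the whole known_hosts file. OpenSSH records a
# non-default port as "[host]:port", so the USB relay is "[localhost]:2222".
# Hashed entries (lines starting with "|1|") cannot be matched by name; for a
# hashed file use: ssh-keygen -R '[localhost]:2222'
# The file written by make_demo_known_hosts holds made-up keys for the demo.

# forget_host ENTRY [FILE]: drop lines whose host list contains ENTRY and
# print how many were dropped. FILE defaults to ~/.ssh/known_hosts.
forget_host() {
    entry=$1
    file=${2:-$HOME/.ssh/known_hosts}
    [ -f "$file" ] || { echo 0; return 0; }
    tmp=$(mktemp) || return 1
    count=$(awk -v want="$entry" -v out="$tmp" '
        /^[[:space:]]*#/ || NF == 0 { print > out; next }   # comments and blank lines
        {
            f = ($1 ~ /^@/) ? 2 : 1        # "@cert-authority"/"@revoked" shifts the host field
            n = split($f, names, ",")
            keep = 1
            for (i = 1; i <= n; i++) if (names[i] == want) keep = 0
            if (keep) print > out; else dropped++
        }
        END { print dropped + 0 }' "$file")
    cat "$tmp" > "$file"       # overwrite in place so mode and owner are preserved
    rm -f "$tmp"
    echo "$count"
}

# Constructed known_hosts: a code host, two iDevices seen through the relay
# (one as a multi-name entry), and a LAN box. Key blobs are placeholders.
make_demo_known_hosts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed entries; the key blobs are placeholders, not real keys
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOKEYgithub00000000000000000000000000
[localhost]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABDEMOKEYfirstiphone000000000000000
[localhost]:2222,127.0.0.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOKEYsecondiphone0000
10.0.0.5 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIDEMOKEYlan00000000000
EOF
    echo "$f"
}

if [ "${1:-}" = "--demo" ]; then
    f=$(make_demo_known_hosts)
    echo "dropped $(forget_host '[localhost]:2222' "$f") entries; left:"
    cat "$f"
    rm -f "$f"
fi
```

After forget_host '[localhost]:2222' the GitHub and LAN keys are still there, so the next connection to a real server is still checked against what you saw before.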

10. irecovery -n

Most of the time a device stuck in Recovery Mode with the Connect to iTunes logo is there because the operating system is corrupted or half-restored, and a factory restore through iTunes or 3uTools is the answer. But if you are experimenting with ipwndfu, OTA downgrades, ramdisk loading or something similar, the device can land in Recovery Mode and refuse to boot normally even after a hard reboot, because the auto-boot flag in NVRAM got cleared. A restore is a waste of time then: irecovery -n sets auto-boot back to true and reboots the device into iOS. If it comes straight back to Recovery, the OS really is damaged and the restore is your answer after all. If you get irecovery: command not found, run dependencies.sh from the latest version of Sliver (or brew install libirecovery) to get the tool onto your path.

11. idevicepair pair

If you are struggling with the No Device Detected message in normal mode and the USB connection is fine, the device usually just needs to be asked to pair. Run the command once, tap Trust on the unlocked device, then run it again and the pairing succeeds. It is the fix for the Could Not Connect to Lockdownd error and solves most detection issues in normal mode; idevicepair validate tells you whether a pairing is in place, and idevicepair unpair throws it away if you want to start over. The command needs libimobiledevice, which Sliver installs through dependencies.sh (brew install libimobiledevice works too).

12. idevicediagnostics shutdown

Broken power button? Dead display? No problem. If you want to power off the device to save battery or do a hardware repair and cannot reach Slide to Power Off, this command does it for you (idevicediagnostics restart and idevicediagnostics sleep exist as well). It does require a pairing with the computer, so idevicepair pair has to have succeeded, which means Trust was tapped on the device at least once while the screen still worked.

13. ideviceactivation activate -s https://www.myhost.com/server.php -d

This is the go-to command for every iCloud Bypass developer in the community. ideviceactivation runs the device's activation exchange against a server of your choosing: -s points it at your activation server instead of Apple's, and -d turns on debug output so you see the full request and response, which is how you find out why a ticket was rejected. Both GSM and MEID No Signal use it to fetch the activation ticket for your device, and it is also used for iPad 2 activation with the Private Server method. Host your PHP, reference it with -s, and a device that will accept a custom ticket gets activated. The tool comes from libideviceactivation, a companion project of libimobiledevice; Sliver's dependencies.sh installs it.

14. cd /folder/with/tcprelay && ./tcprelay.py -t 44:2222

This is the essential command for Relay Device Info. tcprelay.py (from usbmuxd) listens on local port 2222 and forwards every connection over USB to a port on the device, so SSH in Terminal or CyberDuck can reach the device's root filesystem through localhost. Apple does not allow SSH on the device at all; it takes a jailbreak or a ramdisk. The argument is device-port:local-port: checkra1n's SSH server listens on port 44, so use -t 44:2222; after loading a ramdisk with Sliver the server is on the usual port 22, so use -t 22:2222. If libimobiledevice is installed, iproxy 2222 44 does the same job without the script.

15. ssh root@localhost -p2222

The easiest way to get SSH access over USB to a jailbroken or ramdisk-booted device is this command. Combined with the relay from the previous entry, it plus the default password alpine opens up the whole root filesystem. For checkra1n and ramdisk devices an SSH server is already listening; for other jailbreaks like Phoenix and H3lix you need to install OpenSSH (or Dropbear) from Cydia first. Two things worth knowing: alpine is the same on every iOS device ever made, so change it with passwd once you are in if the device will ever be on a network, and on older jailbreaks the root filesystem is mounted read-only, which mount -o rw,union,update / fixes.

16. rm -rf /mnt1/Applications/Setup.app

After SSHing into your device you might be asking, What's next? The most common filesystem operation for iCloud Bypassing is deleting Setup.app. It is more involved than it sounds, because Setup.app is actually a folder holding the plists, images and binaries that together produce the Hello screen. The real setup assistant is the executable Setup.app/Setup, which loads when the device boots, but the goal is to remove the whole folder so that everything behind the white screen of death is gone. rm -rf means delete the folder and everything in it, and /Applications/Setup.app is where it lives on the device. Over an SSH ramdisk the device's root filesystem is mounted at /mnt1, so that goes on the front of the path. Back the folder up first if you may ever want it back, for example with tar czf /mnt1/Setup.app.tgz -C /mnt1/Applications Setup.app. Note that most modern Setup.app methods on iOS 14 and higher do not delete Setup at all; they apply spoofed activation records instead. Read the Blog for more detailed information.

17. hdiutil resize /path/to/ramdisk.dmg -size 150MB

If you are working with DMG files or decrypting ramdisks, this one matters. Most ramdisk images are about 31.5 MB by default, which is not enough room for custom modifications. hdiutil resize works on any standard read-write DMG that is smaller or larger than you want: give the size in MB and it grows or shrinks the image. It cannot shrink below the space the files inside already use (hdiutil resize -limits ramdisk.dmg prints the minimum, current and maximum sizes), and it cannot resize a read-only or compressed image at all; convert those first with hdiutil convert in.dmg -format UDRW -o out.dmg. You should not need sudo for a file you own, and adding it anyway is a bad habit: it leaves root-owned files behind that the next tool in the chain cannot write. The input file is modified in place; there is no separate output.

18. tar xvf /path/to/archive.tar

Tar extraction is a must-know skill. x extracts, v prints each file as it comes out, f names the archive. Files land in the paths recorded in the archive, relative to wherever you run the command, so cd into the directory you want them written into (or pass -C /target/dir, which is cleaner), then type tar xvf and drag the archive onto the Terminal window. Because the layout comes from the archive itself, an archive you did not build can drop files wherever its author chose: list it first with tar tvf archive.tar and look for members starting with / or containing .., which would be written outside your working directory. Current GNU tar and macOS's bsdtar strip or refuse those by default, but check anyway rather than trusting the default.
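An added example (not from the original post) of the check described above: list the archive with its paths exactly as stored, refuse anything that climbs out of the target directory, and extract with -C. Both archives it creates are constructed, one clean and one with a ../escape.txt member.

```shell
#!/bin/sh
# Added example, not part of the original post. tar writes each member to the
# path stored in the archive, relative to the extraction directory, so an
# archive you did not build can carry "../x" or "/etc/x" members. List first,
# refuse those, and extract with -C into an explicit directory instead of cd.
# make_demo_archives builds two constructed archives: a normal one and a
# hostile one with a "../escape.txt" member.

# Count members whose path is absolute or contains a ".." component.
# -P makes tar list the paths exactly as stored instead of sanitising them.
unsafe_member_count() {
    tar -tPf "$1" | awk '
        /^\//                          { bad++ }   # absolute path
        /^\.\.\/|\/\.\.\/|\/\.\.$/     { bad++ }   # ".." path component
        END { print bad + 0 }'
}

# safe_extract ARCHIVE DEST: refuse unsafe archives, otherwise extract into DEST.
safe_extract() {
    archive=$1; dest=$2
    n=$(unsafe_member_count "$archive")
    if [ "$n" -ne 0 ]; then
        echo "refusing $archive: $n member path(s) escape the target directory" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xf "$archive" -C "$dest"
}

make_demo_archives() {
    base=$(mktemp -d)
    # good.tar: the usual shape of a payload, everything under one folder
    mkdir -p "$base/src/Payload/Demo.app"
    printf 'hello\n' > "$base/src/Payload/Demo.app/Info.plist"
    ( cd "$base/src" && tar -cf "$base/good.tar" Payload )
    # evil.tar: a member that climbs out of the extraction directory
    mkdir -p "$base/inner"
    printf 'owned\n' > "$base/escape.txt"
    ( cd "$base/inner" && tar -cPf "$base/evil.tar" ../escape.txt )
    echo "$base"
}

if [ "${1:-}" = "--demo" ]; then
    base=$(make_demo_archives)
    safe_extract "$base/good.tar" "$base/out" && find "$base/out" -type f
    safe_extract "$base/evil.tar" "$base/out2" || echo "evil.tar was rejected"
    rm -rf "$base"
fi
```

For your own payloads safe_extract /path/to/archive.tar /target/dir replaces the cd-then-tar dance; the check costs one extra pass over the archive listing.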

19. echo $(./ipwndfu -p 2>&1)

Want to know exactly when an exploit fails or succeeds? If you run ipwndfu in the Terminal it is obvious, because the tool writes its errors to stderr and they land on your screen. The moment you wrap the command in a script or tool that captures its output and branches on it, stderr is not part of what you capture, so the failure becomes invisible. 2>&1 merges stderr into stdout, and from then on the captured text contains the error messages. The echo $(...) wrapper itself, though, is not something to copy: it collapses newlines into spaces and, worse, the $? your script sees afterwards belongs to echo, so it is always 0 and the exit status that told you the exploit failed is gone. Capture into a variable instead (out=$(./ipwndfu -p 2>&1); rc=$?) and test rc before you go looking for words in the text. Not a copy/paste command for the Terminal, but it saved a lot of time while developing apps and programs around ipwndfu.
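Here is the pattern a wrapper should use instead, as an added example (not from the original post and not ipwndfu's code). ipwndfu itself is replaced by a constructed stand-in script whose messages and exit codes are invented for the demo; the real tool's output may differ, so adjust the text match to what your copy prints.

```shell
#!/bin/sh
# Added example, not part of the original post. "echo $(cmd 2>&1)" merges the
# tool's stderr into what you capture, but it also flattens newlines and, since
# $? afterwards belongs to echo, throws away the exit status. These helpers keep
# both so a wrapper can branch on the status first and on the text second.
# ipwndfu itself is not used here: make_fake_tool writes a stand-in script with
# constructed messages; the real tool's wording and exit codes may differ.

# run_capture CMD...: stdout+stderr into $OUT, exit status into $RC.
run_capture() {
    RC=0
    OUT=$("$@" 2>&1) || RC=$?
}

# exploit_result CMD...: prints "success", "failed (exit N)" or "unknown".
exploit_result() {
    run_capture "$@"
    if [ "$RC" -ne 0 ]; then
        echo "failed (exit $RC)"
    elif printf '%s\n' "$OUT" | grep -qi 'pwned dfu'; then
        echo "success"
    else
        echo "unknown"
    fi
}

# The wrapper from the post, for contrast: prints the status a script sees
# right after "echo $(...)", which is echo's own status, so always 0.
echo_wrapper_status() {
    echo $("$@" 2>&1) >/dev/null
    echo $?
}

# Stand-in for ./ipwndfu -p: fails unless --fake-device is given.
make_fake_tool() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#!/bin/sh
# constructed stand-in, not ipwndfu
for arg in "$@"; do
    [ "$arg" = "--fake-device" ] && { echo "Device is now in pwned DFU mode."; exit 0; }
done
echo "ERROR: No Apple device in DFU Mode detected." >&2
exit 1
EOF
    echo "$f"
}

if [ "${1:-}" = "--demo" ]; then
    tool=$(make_fake_tool)
    echo "no device:    $(exploit_result sh "$tool" -p)"
    echo "with device:  $(exploit_result sh "$tool" -p --fake-device)"
    echo "status seen after the echo wrapper on failure: $(echo_wrapper_status sh "$tool" -p)"
    rm -f "$tool"
fi
```

In a real wrapper the call is exploit_result ./ipwndfu -p; because run_capture keeps the exit status, a Python traceback or a missing device is reported as a failure even before you match any text, and OUT still holds every line for logging.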

20. xcode-select --install

Last but certainly not least, the command that installs the Xcode Command Line Tools. You can skip it if you already ran dependencies.sh from Sliver, but it belongs here because the tools (git, make, clang and the rest) are the core dependency behind almost every method. Without them you get Command Not Found and things fail with no explanation. xcode-select -p prints the install path if they are already there; otherwise run xcode-select --install and accept the prompt.

That's it! If one of these commands saved the day, tell us about it on Reddit. It's the best place to share knowledge about this stuff and help out the community!