+---------------+[ How to root OS X ]+---------------+

TOC.
---------------------------------------------------------------------------
1. Disclaimer.
2. Preface.
3. Systems tested.
4. Methods.
5. Having phun.
6. End.
---------------------------------------------------------------------------

Section I: Disclaimer.
---------------------------------------------------------------------------
All information provided in this document is purely for educational purposes. The author takes NO responsibility for any damages, by means of data loss, productivity, costs of repair, or any other malfunction, learned from the material contained. The content in this document should ONLY be tested on a personal machine; never attempt to try anything on any machine that is not your own or that you do not have permission to run any of the methods described within this document on. Again, anything that you screw up is purely your own damn fault.

---------------------------------------------------------------------------
Section II: Preface.
---------------------------------------------------------------------------
This document is going to be short & sweet. But I am providing some pretty good info about Mac OS X's weak ass security. Hey, I love OS X.. simple to use and still has a rad kernel, and gotta <3 their hardware (even back in the day they knew how to build some pretty l33t hardware). But I mean what is up with this crappy built-in security? I thought this was going to be hard as fuck to break into one of these machines, since they spent so damn much time researching & developing it. Hah, all a person needs is 0.18% unix knowledge and they could own any box that they wanted. Pretty soon I'll show you exactly what I'm talking about. Most of these methods I found are really basic, so you don't need to be a k-rad cracker to understand. But you must have basic Unix knowledge in order for a quick && painless root/destruction to happen.
And I'm not going to cover anything newb'ish like using trojans, key loggers, pressing Tab when they are about to enter their passwd, etc. On with the show!

---------------------------------------------------------------------------
Section III: Systems tested.
---------------------------------------------------------------------------
All of my content should work on any machine that has OS X v10.2.x. Here are all the boxes I've played with:

-> iMac (all kinds, 333 MHz tray-loaders to 1 GHz lamp shades).
-> eMac 800 MHz / 256 MB / PowerPC G4.
-> iBook 700 MHz / 256 MB / PowerPC G3.
-> PowerBook 867 MHz / 256 MB / PowerPC G4.

---------------------------------------------------------------------------
Section IV: Methods.
---------------------------------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
*NOTE* When I talk about programs that you do not have access to, this does not mean you can bypass system level privileges, such as:

    -r--r-----  1 root  wheel  341 Jul 14  2002 sudoers

Say you're not part of the wheel group; the above means, "ONLY users in the group wheel, or the root account, can read this file. All others would be denied." This is the smart way to keep users from having access to files w/in the system. Many administrators would just think the OS X "capabilities" function (w/in Accounts [under system prefs]) would do this for them; it does _not_.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Single-User Mode:
This is the quick and dirty way of gaining the machine. See, most *nix boxes come prepackaged with "Single-User Mode", and OS X is no different. This mode gives "root" a way to change his/her passwd if he/she ever forgot it. Heh, or it's just the easiest way to root any box (that you're physically at). To get into Single-User Mode you gotta reboot/boot the system, and after you hear the famous beep/tone, you press & hold Command + s.
Then just wait around 'til you see some nice console text. After that you will end up with a message similar to:

    Tue Aug 19 11:48:20 MDT 2003
    Singleuser boot -- fsck not done
    Root device is mounted read-only
    If you want to make modifications to files,
    run '/sbin/fsck -y' first and then '/sbin/mount -uw /'
    sh-2.05a#

Re-read that if you need to, 'cause it just _told_ you how to own it. And actually you really don't even have to run fsck to have phun, just type:

    /sbin/mount -uw /

And press enter, and uh, you just got access to the whole system as root. Pretty easy eh?

Quirks:
-------
Now this method may or may not work; it depends on the intelligence lvl of the admin. One way that I personally know they disable single-user mode is by running a program called Open Firmware Password, which protects the system from all normal startup keyboard combos, like:

    Command + s                  [singleuser mode]
    Command + v                  [verbose mode]
    c                            [cd]
    n                            [network boot]
    t                            [target disk mode]
    Command + Option + p + r     [Parameter RAM reset]

Now, if for some reason you know the password to the Open Firmware Password utility, you can disable it by rebooting/booting the machine and pressing & holding Command + Option + o + f, then waiting for a prompt like:

    0 > _

Now this is what you would need to do:

    0 > reset-nvram
    Enter password: **********
    0 > set-defaults
    0 > reset-all

Then it will reboot, and you can do all of the startup commands once again.

Simple Finder:
Here is your "fool-proof" type of Finder. It's made so normal users can't play with things you don't want them to play with, and you can limit which programs they can use (yeah right ;p). How do you know if you have an account with Simple Finder? Simple. If all you see in the Dock is "My Applications", "Documents", and "Shared" && if you click Finder in the menubar it has the option "Run Full Finder...". Now if you have any applications in your "My Applications" folder then you can either have some phun or do some damage, your pick.
Like say for example you have Internet Explorer available to you, but the admin disabled iChat & you would luv to go IM'ing all your friends. Just CTRL + Click on IE and goto "Show Original"; it will then browse you over to the Applications folder. Use the buttons @ the bottom of the window (like 1, 2, 3, and left/right arrows) to move through the items in the folder. Once you've located iChat, run the beast and it won't matter if it was "disabled" or not, you now have access. Now if your admin was super nice, he/she gave you something like Print Center in your "My Applications". Heh, do the same trick like I explained above and bam, you got yourself access to all the rad tools available. Even Terminal ;p!

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
*NEWB NOTE* Terminal == akin to the DOS prompt; this is also known as being in Console/Konsole, XTerm [like Linux has], Term, & pretty much anything else closely relating to that. Every true Unix hax0r plays within Terminal, since most of Unix is made to run inside of it ;p.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Login Items:
This is where you can look really l33t, without much skill involved. I'll show you how to open almost any application that you don't have access to, and different ways of getting to Login Items. This trick also works well when Simple Finder is enabled. For some reason Login Items (under system prefs) allow you to run programs that you may not have access to (see the *NOTE* above). How do you get to Login Items in Simple Finder, you may ask? Easy. Couple o' ways: if you have a clock in the top right, it's there already. Just click on the date/time in the corner and goto "Open Date & Time". Now you may notice most of the options greyed out, but if you can open Login Items the box is your playground (more in a min).
Second way: if they gave you QuickTime, run it and goto the "QuickTime Player" menu && goto "Preferences" then "QuickTime Preferences..." And there you go. Now all that is left to do is pick your app. Open up Login Items, click on "Add...", scroll to Terminal (under Applications->Utilities) and the box is now your playground. After restarting/logging out of course ;).

Best for Last:
Okay, this trick only works if Open Firmware Password isn't enabled. You will be in awe after learning about this one. Why? Cause it's SO FUCKING SIMPLE TO DO. k. You need a copy of Mac OS X on a cd. If you can, use the ver for the OS already installed... Like if the box used v10.2.6, get a disc that is for v10.2. I have not had the opportunity to try using a disc that had v10.1 on a box running v10.2 or vice versa (may still work, who knows?). Now don't worry if you get a funky small screen when you boot up; sometimes this happens, this is normal. It's cause your disc isn't the same ver of OS X that is on the HDD. Now this really doesn't matter cause you ain't gonna replace the OS (if you did & you had this ghey screen, you're S.O.L.).. Follow these instructions CAREFULLY! Cause if you fuck this up you are a complete fucking moron.

Step one:   Insert disc.
Step two:   Reboot machine.
Step three: Hold C while it boots.
Step four:
  > Click on "Installer" menu.
  > Click "Reset Password..."
  > Click on "Macintosh HD".
  > Type passwd.
  > Click Save.
  > Quit "Reset Password"/"Installer" & Reboot.
Step five:  Enjoy ;).

---------------------------------------------------------------------------
Section V: Having phun.
---------------------------------------------------------------------------
To be honest, if you really want to have phun with OS X you need to learn Unix. That is the only way to truly tap into its power. Now if you read my *NOTE* up above then you understand that OS X by default does not change your privileges to files on the system.
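The *NOTE* in Section IV and the point just made boil down to the Unix mode bits. As an added example (not from the original doc, just something to poke at in Terminal), here is a small sh script that takes an `ls -l` line and says whether a given user can read, write or execute that file; every user name, group list and listing line in it is constructed:

```sh
#!/bin/sh
# Added example, not from the original doc: a tiny permission checker.
# It shows the *NOTE*'s point: only the mode bits, owner and group that
# `ls -l` prints decide access, not the Accounts "capabilities" pane.
# All user names, group lists and listing lines here are constructed.
# in_group GROUP "G1 G2 ..." -> 0 if GROUP is in the space-separated list
in_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}
# can_access MODE OWNER GROUP USER "USER'S GROUPS" PERM(r|w|x)
# Prints yes/no and returns 0/1.  Unix picks exactly ONE triplet: owner
# bits if USER owns the file, else group bits if USER is in GROUP, else
# the "other" bits.  A denying owner triplet is not rescued by group bits.
can_access() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5 perm=$6
    if [ "$user" = root ] && [ "$perm" != x ]; then
        echo yes; return 0                        # root ignores r/w bits
    elif [ "$user" = root ]; then
        bits=$(printf '%s' "$mode" | cut -c2-10)  # root needs any x bit
    elif [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-4)
    elif in_group "$group" "$groups"; then
        bits=$(printf '%s' "$mode" | cut -c5-7)
    else
        bits=$(printf '%s' "$mode" | cut -c8-10)
    fi
    case $perm in
        x) pat='*[xst]*' ;;    # s and t mean x plus setuid/setgid/sticky
        *) pat="*$perm*" ;;
    esac
    case $bits in
        $pat) echo yes; return 0 ;;
        *)    echo no;  return 1 ;;
    esac
}
# ls_line_access "LS -L LINE" USER "GROUPS" PERM: pulls mode, owner and
# group out of a listing line (file names without spaces assumed)
ls_line_access() {
    u=$2 gs=$3 p=$4
    set -- $1
    can_access "$1" "$3" "$4" "$u" "$gs" "$p"
}
# Constructed listing lines, in the shape the doc quotes for sudoers
SUDOERS='-r--r-----  1 root  wheel  341 Jul 14  2002 sudoers'
SHARED='drwxrwxrwt  5 root  wheel  170 Aug 19  2003 Shared'
printf 'guest (staff) read sudoers: %s\n' "$(ls_line_access "$SUDOERS" guest staff r)"
printf 'alice (wheel) read sudoers: %s\n' "$(ls_line_access "$SUDOERS" alice wheel r)"
printf 'guest (staff) write Shared: %s\n' "$(ls_line_access "$SHARED" guest staff w)"
```

Run it with `sh` to see that the "guest" account is kept out of sudoers only by the mode bits, while a world-writable directory like the constructed Shared is open to it no matter what the Accounts pane says.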
Knowing this, if you had an admin that set up your account as a guest account or something similar, but actually did nothing with chmod to any file on the system, you could pretty much delete any file on the system with no problems. I have tried this: I went on as a guest, with a very limited account.. (Simple Finder, only could see certain applications, etc.) && used one of my methods above to get to Terminal, and all I had to do was:

> "cd "      [change directory] to whatever directory I want to goto.
> "rm -rf "  [remove "recursively force"] whichever directory I want.
> "ls"       [list directory] to see if the files have been erased.

I am not going to show you every step of doing this, I am not getting paid. & you cannot delete system core files [files own3d by root], unless you are root by using Single-User Mode or the change-the-passwd-from-the-CD method.

Something else phun to do is compiling your own programs. This will let you install plenty of useful tools for your use. But since most OS X v10.2 (unlike Panther) does not contain Xcode (which installs gcc and other types of compilers on the system) this means you'd have to download and install this first off (http://www.apple.com/xcode). Then just find your favorite prog and do something like:

> gunzip
> tar -xvf
> cd
> ./configure
> make
> make install

Then play with configs && whatnot and begin exploring. Ok, enough showing you how to have phun, this is really more up to you.. I didn't write this doc to teach anybody how to use Unix, so figure it out for yourself. Just don't have too much fun deleting files, unless this is your objective, cause obviously the system may not work right.

---------------------------------------------------------------------------
Section VI: End.
---------------------------------------------------------------------------
Over already? Shit has to land sometime. Well I hope you learned some things reading my doc; this was, by the way, my first.
And if by chance a Macintosh systems programmer is reading this, please dear god fix these bugs! I hate patching somebody else's mistakes. I am crossing my fingers that the arrival of Panther (v10.3) has these fixed already, since they do have that cool "fast user switching" feature. Thanks for reading!

---------------------------------------------------------------------------
/*****************************************************
 Written by: junktext
 formatms@yahoo.com
 /whois *junktext* on UnderNet/GamesNET
*****************************************************/