by Dom Esposito
June 23, 2013
If you’re running iOS 7 beta, you’ve given up the right to a jailbreak if you don’t have any other eligible iOS devices. Unfortunately, there’s no jailbreak for iOS 7 beta, and even after its official release, it may be a while before we see one. The good news is, if you happen to have an iPhone 4, there’s now a way to gain full r/w root access with iOS 7 beta installed. While this isn’t a jailbreak, it’s the next best thing: you can explore all of the root files on your device and make changes as you see fit. I'm not a developer or a hacker, but I'll explain this process in a way that should be easy to understand.
We’ve been provided instructions (original source via NmUn on iFans) on how to enable afc2 on an iPhone 4 running iOS 7 beta 1, and we’re sharing them with you today. Remember, this requires that you have an iPhone 4. Unfortunately, this method will not work on any A5+ devices. If you meet that requirement, and you’re running iOS 7 beta, continue on with this tutorial. This process will work on OS X or Windows and has been tested with iOS 7 beta 1. You’ll need the following applications to get started:
We’ve put together a detailed video tutorial of this method in action. As shown in the video and explained below, this method will give you full read and write access to the iPhone’s root file system. http://www.youtube.com/watch?v=jTU-Ovryc1w
If you can’t see the above video, please click this link.
Below you’ll find written steps for this process:
Step 1: Download MSFTGuy's SSH RAMDisk tool here and follow the instructions. You’ll need to put the iPhone 4 into DFU mode. Watch the video above for clarification or click here for instructions. As our source notes:
If the RAMDisk tool has the init mux error, you need Java 6 update 35 for 32bit. So look it up and install it. You’ll also need to remove Java 7 for 32bit for it to use Java 6. If you're on a 64bit PC just install Java 7 64bit and uninstall the Java 7 32bit.
Step 2: Launch CyberDuck or WinSCP and connect to localhost on port 2022 with the username “root” and the password “alpine.” (Both entered without the quotation marks.)
Step 3: Open a terminal window using the SSH connection. Most SSH clients will have a dedicated button for this. If you’re unsure of the process, check the video or read through the help section for your SSH client. Within Terminal, type in the command "mount.sh" and press enter. If this is successful you should see the following:
Mounting /dev/disk0s1s1 on /mnt1
Mounting /dev/disk0s1s2 on /mnt2
Now you can close the terminal window.
Step 4: Within the SSH client, navigate to /mnt1/etc and look for a file named “fstab” in that folder. Make a copy of fstab on your desktop and change the name of the file on the device to “fstab.old” without the quotation marks.
Step 5: Open the fstab file on your desktop using TextEdit or NotePad depending on your operating system. You’ll need to change the mount option in the first line of this file. Change "/dev/disk0s1s1 / hfs ro 0 1" to read "/dev/disk0s1s1 / hfs rw 0 1" omitting the quotation marks. Once you’re finished, save the file and copy it back to the device. Make sure you set its permissions to 0644.
Step 6: Navigate to /mnt1/System/Library/Lockdown and copy the “Services.plist” file to your desktop. Next, change the name of the file on the device to “Services.plist.old” without the quotation marks.
Step 7: Open the Services.plist in your preferred binary plist editor and add the following (plain text via Pastie.org found here) entries below the “com.apple.afc” section:
<key>com.apple.afc2</key>
<dict>
    <key>AllowUnactivatedService</key>
    <true/>
    <key>Label</key>
    <string>com.apple.afc2</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/libexec/afcd</string>
        <string>--lockdown</string>
        <string>-d</string>
        <string>/</string>
    </array>
</dict>
Next, save the plist file and copy it back to your device. Make sure that you set its permissions to 0644.
Step 8: Launch a new terminal window through the SSH client and type “halt” (without the quotation marks) and press enter. The device will turn off and start back up in Recovery Mode. Note: You may need to manually turn on the device.
Step 9: Launch TinyUmbrella, select your device from the list on the left side of the application, and click on “Exit Recovery.” Your device should restart and boot into iOS 7. Launch iFunBox and check the status of your device on the left side. If you don’t see “Jailed” next to your device name and iOS version, the process is complete. You’ll now have full r/w access to root files on your iPhone 4.
Keep in mind, you can really mess up a device by playing around with files in the root directory. If something goes wrong, you always have the option to restore the device with iTunes.
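To confirm afterwards whether a mounted system partition (or a filesystem image of one) carries the two changes from Steps 5 and 7, the check below reads fstab and Services.plist and reports a read-write root mount and any lockdown service that runs afcd against "/". It is an added example, not part of the original tutorial or its source; the sample file contents are constructed, the com.apple.afc arguments are a placeholder, and the function names are hypothetical.

```python
import plistlib

# Constructed sample inputs modelled on the edits in Steps 5 and 7 (not from a real device).
STOCK_FSTAB = "/dev/disk0s1s1 / hfs ro 0 1\n"
MODIFIED_FSTAB = "/dev/disk0s1s1 / hfs rw 0 1\n"
AFC2_ENTRY = {"AllowUnactivatedService": True, "Label": "com.apple.afc2",
              "ProgramArguments": ["/usr/libexec/afcd", "--lockdown", "-d", "/"]}
# Placeholder com.apple.afc entry: the page does not show its real arguments.
STOCK_SERVICES = plistlib.dumps(
    {"com.apple.afc": {"Label": "com.apple.afc",
                       "ProgramArguments": ["/usr/libexec/afcd", "--lockdown"]}})
MODIFIED_SERVICES = plistlib.dumps(
    {**plistlib.loads(STOCK_SERVICES), "com.apple.afc2": AFC2_ENTRY},
    fmt=plistlib.FMT_BINARY)


def root_mount_options(fstab_text):
    """Return the option list of the '/' entry in fstab, or None if absent."""
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not fields[0].startswith("#") and fields[1] == "/":
            return fields[3].split(",")
    return None


def afcd_root_services(plist_bytes):
    """Names of lockdown services whose afcd arguments include '-d /'."""
    services = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    hits = []
    for name, entry in services.items():
        args = entry.get("ProgramArguments", []) if isinstance(entry, dict) else []
        if not args or not str(args[0]).endswith("/afcd"):
            continue
        if any(a == "-d" and b == "/" for a, b in zip(args, args[1:])):
            hits.append(name)
    return sorted(hits)


def audit(fstab_text, plist_bytes):
    """Collect findings for both modifications described in the tutorial."""
    findings = []
    opts = root_mount_options(fstab_text)
    if opts is not None and "rw" in opts:
        findings.append("fstab: root filesystem is mounted rw")
    for name in afcd_root_services(plist_bytes):
        findings.append(f"Services.plist: {name} serves / through afcd")
    return findings


if __name__ == "__main__":
    print(audit(MODIFIED_FSTAB, MODIFIED_SERVICES) or "no modifications found")
```

With real files, read fstab as text and Services.plist as bytes and pass both to audit(); an empty list means neither change is present.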