Remotely Control iPhone via SSH and VNC

This is an issue I spent far too much time time on. I stumbled upon a great new game, Threes, and had become consumed with the internal workings – how the game chooses what card to produce, where to place it, etc. In order to get some real data to work with I needed to complete a multitude of games, all while keeping track of which cards were produced and where. This is the type of menial task I have no patience for and I quickly began to seek a method to do this automatically.

I had a jailbroken phone – something you will need to do have if you are interested in any of the methods I am about to describe. This method is 99.9% effective and, if something goes wrong, you can completely fix it by restoring through iTunes. Unlocking your phone is dangerous – it has the possibility of leading to a “bricked” iPhone. Jailbreaking is not unlocking. If you’re interested in jailbreaking check out evasi0n – the latest version of their tool is working on iOS 7.0.6.

With that out of the way, here’s what you’ll need and why:

  • OpenSSH: SSH is ubiquitous method of remotely accessing another system through the command line. This is how we’ll interact with the iPhone and send it the commands we want.
  • SimulateTouch: This package allows you to (you guessed it) send touch events to your iPhone using command line tools.
  • Optional Veency: This is a VNC server that runs on the iPhone. VNC is another tool that allows you to remotely access devices. However, unlike SSH, it allows you to see the screen of the remote device and send things like touch and keyboard events. But I thought we were using SimulateTouch to send touch events? Yes, that’s right. Though Veency can be used this way as well I’ve found it to be far less reliable than the SimulateTouch library. Sometimes the commands I send are just lost in the ether.
  • Optional Activator: This allows you to set up a handful (read: a ton) of custom gestures and actions that can do anything from launch applications to disable WiFi to restart your iPhone. It also, conveniently, has a command line interface which can be used to activate any of its abilities via SSH – no gestures needed.

That’s it for the software! Everything I just listed can be downloaded, for free, through Cydia. Cydia is installed automatically when you jailbreak and is the de facto way of installing 3rd party software.

So, now that we have all these tools – how do we use them?! I’m a big python buff so all of my examples are going to be in python. You can use any language you like, but you’ll have to interpret the mysterious code I provide you.

Before I start with examples, here’s the biggest pitfall of our setup:

We don’t have a way to view the current screen in applications that run at 30 FPS or more. Veency simply can’t keep up and provides a distorted display. I’ll explain how I’ve been getting around this in my examples below.

Connecting via SSH:

I’m using Spur as my SSH interface. You can use whatever you want. We use the username ‘root’ because we want full access to the iPhone filesystem. The default SSH_PASSWORD is ‘alpine’ (and has been forever) – I recommend you change this as it is somewhat of a security issue.

Connecting via VNC:

Here I’m using the vncDoTool. Again, use what you want. You can set up the VNC_PASSWORD in the Veency settings.

Sending Touch Events:

The SimulateTouch library makes this dead simple. My example above shows how to make a swipe in any direction. You provide the X,Y coordinates of the start position and the end position. The last two commands are the duration of the swipe and the orientation of the device (1 = portrait).

Taking a ScreenShot:

My first example instructs Activator to take a screenshot. My second example uses VNC to hold down the power button, press the home button, and release the power button – all in quick succession. As you probably know, this is the built in way to take screenshots in iOS. These screenshots will be stored in your camera roll.

Accessing the ScreenShot:

This is a little more complicated. What we’re doing is listing the files in our screenshot directory by their creation time (yours may not be 108APPLE but it will be in the same DCIM directory). We grab the first of these files and assume (correctly) that it’s the screenshot we just took. We then open this file with SSH – this effectively stores the image in memory. Then we use python to open a file for writing – this is where we’ll store the screenshot. We use shutil to copy the screenshot from memory to the file location we opened. Finally, we close out both of our file streams.

In the second to last command I delete the screenshot file. Unfortunately, Apple has made their screenshot system ridiculously complicated. If you navigate to your Camera Roll you’ll find your image is still there. Click on it and a blank screen will be loaded. We’ve deleted the image file it’s trying to load but haven’t gotten rid of the image reference or the associated thumbnail that was created. I haven’t found a way around this.

The final command stores our image into the program memory so I can use it elsewhere without having to read the file from disk each time.

Well, this concludes this fairly verbose tutorial. If you have any questions I’ll do my best to answer them in the comments. I’ll leave you with close to 1000 lines of Python code for you to peruse. This is the code I came up with for automating the gameplay of the addictive and beautiful new game Threes.


Programmatically Add Default UITextField

I haven’t posted anything in a while, but I’ve been programming much more often and figured I’d share some answers to questions that had me stuck for a while. Now, if you’ve ever tried to add a UITextField purely through code you’ve probably noticed that what you get is a blank area that you can double-tap and add text to. When you add it using Interface Builder you get this pretty rectangle with rounded edges – what gives?

Well, I have no idea what gives. But what I do know is how to use a whole bunch of extra code to fix it. Here’s some nicely commented code that shows what I’m talking about:

That method will return a nicely formatted UITextField. It may not look precisely like the one you get from IB, but I challenge you to get it closer. If you don’t want any placeholder text just send nil or edit the method to take no instance variables.