******* geohot( presents an evasi0n7 writeup *******

= Intro =

Hi, I'm on a plane from SFO to New York, and made something for you. I was bored, reversed, wrote this write-up, and wanted to do something with it. I tried to sell it to the Chinese for $7 and a trip to the Pizza Hut salad bar, but it turns out all the Pizza Huts in China don't have salad bars anymore, so the deal was called off.

This writeup takes place from the perspective of evasi0n7. Note that this writeup doesn't help Apple, I got this by reversing the public evasi0n binary, which they can, and do do. Also note, I found nothing sketchy in my reversing, your phones most likely aren't being backdoored by Chinese.

If I ever touch jailbreaking again, which is unlikely (until ARM128 comes out, I only touched the game again for the love of ARM64), no more secrets. Full disclosure time, I was working on a public, free of charge, China not involved, old school jailbreak with a few others. That jailbreak overlapped this one 80%, partly due to leaks, but mainly due to the exploits and methodology being the obvious choice (great minds, well you know), meaning the exploits won't be usable next time. No more jailbreaks ever?

Also, for the hell of it, check out the sha hash of "" and

Ok, let's begin, changing voice to.

Hi, first I am going to check if you already jailbroke your device. I'm looking for the file ".evasi0n7_installed" using afc. Recall that afc runs in the "/var/mobile/Media" directory, so the full path is "/var/mobile/Media/.evasi0n7_installed".

Okay, please click "Jailbreak" to begin our journey to root. This journey stops at root for now, since the /evasi0n7 binary is supa obfuscated good.

I need a real codesigned app, for reasons that'll be apparent later. To figure out where to get one, let me grab "", ahh nice, a URL and some cookies. This is an app for people at WWDC I assume, I don't know since I just do what the plist says.

= Injecting evasi0n app (1/2) =

Let me push a few files through afc for untarring later. Namely cydia, or, you know, that other app store.
"evasi0n-install/extras.tar"

Okay, so I'm not really going to install the app yet, but I will upload an unzipped copy to "/var/mobile/Media/Downloads/WWDC.app" through afc. Note that the main app ("/var/mobile/Media/Downloads/WWDC.app/WWDC") is not chmodded +x, since afc creates new files 644. Let me modify the real app host side a little now, give it a new ExecutableFile "././././././var/mobile/Media/Downloads/WWDC.app/WWDC". Get it? When the code signature is checked, it passes because that's a real copy of the app.

Upload pkg.ipa, run _proxy on the ipa, also change the picture to the official evad3rs logo thing. And yay, installd chmods the app +x, and makes a pretty icon appear.

Now the fun begins, I push two more files over afc.
"Downloads/WWDC.app/WWDC" with contents "#!/usr/libexec/afcd -S -d / -p 8888" (the chmod +x stays)

Get it, the app is just a shebang to run afcd. "-S" so I can access special files, "-d /" so afcd runs in the root, and "-p 8888" to run on port 8888.

Ahh, but afcd has a sandbox profile, how can it access anything cool? By injecting gameover.dylib of

dyldinfo -export gameover.dylib
_sandbox_init_with_parameters (_sync from libSystem)
_sandbox_free_error (_sync from libSystem)
_sandbox_extension_issue_file (_sync from libSystem)
_sandbox_extension_consume (_sync from libSystem)
_SANDBOX_CHECK_NO_REPORT (_kCFBooleanTrue from CoreFoundation)

Afcd inits the sandbox from inside the binary, so by overriding the dylib (note that LC_ID_DYLIB of gameover is "/usr/lib/system/libsystem_sandbox.dylib"), the sandbox is never initted and afcd is free to write anywhere.

But how do I convince the dylib to load? Exploit, if S_ATTR_LOC_RELOC is set on all the executable sections, the +x is removed from the sections after the header is +x checked, but before +x pages are mapped, to pass the check but avoid triggering codesign.

Ahh, the first of a needlessly burned exploit.

= Configuring system (1/2) =

Let us configure the system a little, together. From afc, remember, this is still a sandboxed afc, I want to access "/tmp", so let's create a symlink. But you see, afc is clever enough to make sure I don't symlink out of its directory. Still in the sandbox, count the. Oh snap, it's a relative symlink, let me traverse from "/var/mobile/Media/tmp" like "./(Media)./(mobile)./(var)./(private)./tmp"
Rename("Downloads/a/a/a/a/a/link", "tmp")
That's cool, right?

Let me grab all your cache files, one sec. To "/var/mobile/Library/Caches/.plist" I'll add the "EnvironmentVariables" to the -Release app.
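As an added defender's illustration (not geohot's code and not afcd's real implementation), here is a small model of the afc jail check described in the symlink section above. It assumes the traversal written as "./(Media)./(mobile)./(var)./(private)./tmp" means four parent steps, i.e. a relative target of "../../../../tmp", and shows why a containment check done only when the symlink is created is not enough: the same link resolves somewhere else once Rename moves it to a shallower directory, so the check has to be repeated at the new location.

```python
import posixpath

# Constructed model of the afc jail from the writeup; paths are illustrative and
# this is not the real afcd implementation.
AFC_ROOT = "/var/mobile/Media"
LINK_TARGET = "../../../../tmp"  # assumed reading of "./(Media)./(mobile)./(var)./(private)./tmp"


def resolve_link(root, link_rel, target):
    """Resolve a relative symlink target the way the kernel does: relative to the
    directory the link lives in, not relative to the jail root."""
    link_dir = posixpath.dirname(posixpath.join(root, link_rel))
    return posixpath.normpath(posixpath.join(link_dir, target))


def inside_root(root, path):
    return path == root or path.startswith(root + "/")


def link_escapes(root, link_rel, target):
    return not inside_root(root, resolve_link(root, link_rel, target))


class Jail:
    """Minimal file service that remembers where each symlink lives."""

    def __init__(self, root):
        self.root = root
        self.links = {}  # link path relative to root -> target string

    def symlink(self, target, link_rel):
        # Creation-time check: this is the check the writeup says afc already has.
        if link_escapes(self.root, link_rel, target):
            raise PermissionError("symlink would leave the jail")
        self.links[link_rel] = target

    def rename(self, src_rel, dst_rel):
        # The missing check: a relative target resolves from the link's *new*
        # directory, so a link that was harmless six levels deep can point
        # outside the jail after it is moved up. Validate again at the destination.
        target = self.links.get(src_rel)
        if target is not None and link_escapes(self.root, dst_rel, target):
            raise PermissionError("rename would move a symlink out of the jail")
        if target is not None:
            self.links[dst_rel] = self.links.pop(src_rel)


def demo():
    """Replay the writeup's two afc operations against the hardened jail."""
    jail = Jail(AFC_ROOT)
    jail.symlink(LINK_TARGET, "Downloads/a/a/a/a/a/link")  # resolves inside, accepted
    try:
        jail.rename("Downloads/a/a/a/a/a/link", "tmp")  # would now resolve to /tmp
        return "escaped"
    except PermissionError:
        return "blocked"
```

A purely lexical check like this is still fooled by real symlinks along the path (on the device /var is itself a link to /private/var), so on a live filesystem the same containment test should be made against os.path.realpath of the link's parent directory.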