*OS Internals - The Forum

[morpheus]

You probably saw this

https://twitter.com/Morpheus______/stat ... 2246198274

and I'll be releasing detailed directions on how to achieve this (as well as a binary, probably, which you'll need to sign with an Apple ID) soon.

And this is also good news for *OS Internals - Volume I/II, which cover TvOS.
J

[backendbilly]

Excellent work

[morpheus]

Ok. So now that it's made public, and @nitotv tested it, here is a collection of FAQs so I don't get bugged on Twitter:

Where do I get this? From this forum link, ONCE IT IS READY. @nitotv and select others are helping me test/fix offsets. Watch this space - if you see this IT IS NOT READY YET.

Can I beta test? Thank you, no.

Is 10.1.1 JBable? NO. This JB, when eventually released will be for all versions of TvOS up to and including 10.1, but NOT FOR 10.1.1.

What, also version 9.1??

YES. (albeit through a different bug) BUT NOT 10.1.1

Why is 10.1.1 NOT JBable? Because the bug used, CVE-2017-2370, has been patched.

What does the JB provide? A full set of kernel patches which allows running unsigned code and injecting arbitrary libraries into any TvOS process.

And Cydia? No Cydia.

Where's Cydia? Ask Saurik, not me. I personally don't like it much as I use my own binaries. And that's not the purpose of this JB.

So wait, if there's no Cydia, is it a jailbreak? YES. Because it gives you a full shell and you can do whatever you want - side load apps, etc. And in theory a Cydia like App (or even Cydia itself) could easily be created for TvOS.

Will MobileSubstrate run on TvOS? No reason why the 64-bit version won't.

How is TvOS different? Many very small ways. Most important, it does not run any 32-bit code. Also normal iOS IPAs won't work here. Sorry. But CLI binaries work just fine.

So what's in the IPA? A modified 64-bit only bootstrap.tar, containing /bin/sh -> /bin/bash, Some of my tools (in /usr/local/bin), dropbear (a free standing ssh daemon, with its keys in /etc/dropbear), and a few select binaries.[/b]

How do I add more? Two options: Either extract bootstrap.tar to some directory, add whatever you want, and repackage into .tar and into the ipa, or - once you are in the JB:

cd /tmp
/usr/local/bin/wget http://NewOSXBook.com/tools/iosbinpack64.tar
tar xvf iosbinpack64.tar

and then /tmp/bin/ls your way around, followed by /tmp/bin/mv ... files to their usual locations, taking care not to overwrite any system binaries.

Why like that? Because it's an intentional PoC meant for developers and researchers, not for the general public - and provides 100% the functionality that target audience needs, with minimal disruption of the filesystem. And, because I made the mistake of overwriting a stupid binary (/usr/sbin/nvram), which effectively bricked my older TvOS. I had to fork another $149 to get another ATV box, and - once bitten, twice shy.

Why would overwriting built-in binaries be dangerous? because this is a semi-tethered JB. meaning when your ATV reboots, it's not JB anymore. And that means any binaries you introduced have no code signature, and will be slain by that despicable AMFI. So EXERCISE CAUTION WITH WHAT YOU ADD, AND DON'T OVERWRITE ANY EXISTING BINARIES (I have my tar invocation with -k for that)

What are suggested steps once I'm in?

- Disable auto-updates from GUI
- launchctl unload /System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist - to make sure the daemon is dead, dead, DEAD
- chmod 000 /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate - to shut up that $%#%$# daemon so it doesn't nag you if reincarnated (i.e. when you reboot)

- make a copy of /System/Library/Caches/apticket.der and save it somewhere SAFE.

- exercise extreme caution. I AM NOT RESPONSIBLE IF YOU BRICK YOUR TV, AND IF YOU DO, APPLE'S #@$#@$#@ DRACONIAN TYRANNICAL WHIM IS TO FORCE YOU TO UPGRADE TO 10.1.1, WHICH IS NOT JAILBREAKABLE

Wait. That was a good point. Say that again?

- exercise extreme caution. I AM NOT RESPONSIBLE IF YOU BRICK YOUR TV, AND IF YOU DO, APPLE'S #@$#@$#@ DRACONIAN TYRANNICAL WHIM IS TO FORCE YOU TO UPGRADE TO 10.1.1, WHICH IS NOT JAILBREAKABLE

- exercise extreme caution. I AM NOT RESPONSIBLE IF YOU BRICK YOUR TV, AND IF YOU DO, APPLE'S #@$#@$#@ DRACONIAN TYRANNICAL WHIM IS TO FORCE YOU TO UPGRADE TO 10.1.1, WHICH IS NOT JAILBREAKABLE

- exercise extreme caution. I AM NOT RESPONSIBLE IF YOU BRICK YOUR TV, AND IF YOU DO, APPLE'S #@$#@$#@ DRACONIAN TYRANNICAL WHIM IS TO FORCE YOU TO UPGRADE TO 10.1.1, WHICH IS NOT JAILBREAKABLE

Are you going to detail the steps you did in customizing Yalu?

- You bet. The jailbreak logic is already detailed in this forum as the free chapter 24 from my book. And I'll post a walk through for the particular mods soon enough. Luca did such an amazing job with Yalu the changes were mostly straightforward.

Where can I learn this stuff? The book http://NewOSXBook.com is a good start. So is the training http://technologeeks.com/course.jl?course=OSSec

Can we donate or support you somehow?

- Aww, shucks! Not really. I mean, you can always get the book (q.v. link from http://NewOSXBook.com/ - if you get it from AMZN get it through there, since their commission isn't as bad). But if you REALLY want to donate, send $25 to any charity of your choice, and DM me a screenshot of the receipt. That will make me happy that you're spreading the good karma!

[miku2007]

@Administrator, can you not do the following instead to stop the daemon from loading without manual action on every boot?

Code: Select all

launchctl unload -w /System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist

Also re: unintentional bricking - I was under the impression that jailbreak devs took a NAND dump of their development device as a precaution against bricking - and restored it if they botched their userland.

[morpheus]

So, launchctl -w just adds the disabled key - and you could do that, but I'm not sure if *OS launchctl supports that anymore (seeing as the /S/L/LD is assumed to be read only)

And about a NAND dump, you're missing something here - you can't re flash the NAND without a special device like Ramtin Amin's flash reader/writer. It simply won't work because as soon as you reboot you've lost the JB. short of extirpating the NAND chip and using a dedicated hardware device (Which I hope I can get to do), that TvOS is bricked because I don't want to restore it to 10.1.1.

[miku2007]

And about a NAND dump, you're missing something here - you can't re flash the NAND without a special device like Ramtin Amin's flash reader/writer. It simply won't work because as soon as you reboot you've lost the JB. short of extirpating the NAND chip and using a dedicated hardware device (Which I hope I can get to do), that TvOS is bricked because I don't want to restore it to 10.1.1.

It won't save *that* particular iTV now, but would the following had worked, if you had done it?

- Procure device
- Dismantle, unsolder, make NAND dump
- Screw around with jailbreak exploits and system binaries
- (Sooner or later) "Oh !@#$ I messed something up!"
- Restore NAND dump
- Device is back to stock state

The end result (hopefully) is that as far as the device is concerned, that time interval between the NAND dump and NAND restore never happened.

[morpheus]

dismantling and unsoldering that NAND is harder than you think. That's all I say. But, yeah, it would save that device as well.

[SavageRock]

I read the Official FAQ Great Info ESPECIALLY with the best practice points to follow after The JB. But I saw no info as to getting INTO the file sys of TVOs. I used to use Ifile on my phones ipods/ipads but you advise of dropbear. Do I sideload it to the ATV and use the dropbear client which has been installed to my PC? How to install it? This is my first ATV ever so I'm assuming the internals aren't all that different once i have access to them. I just need to figure out (or be advised) how to get in.

THANK YOU for Your hard work.

You get in via SSH. iFile won't work since it uses AFC and I haven't unsandboxed it. But standard ssh localhost over usbmux will work well. q.v. ssh thread elsewhere here.