Ok. So now that it's made public, and @nitotv tested it, here is a collection of FAQs so I don't get bugged on Twitter:
Where do I get this? From this forum link, ONCE IT IS READY. @nitotv and select others are helping me test/fix offsets. Watch this space - if you see this IT IS NOT READY YET.
Can I beta test? Thank you, no.
Is 10.1.1 JBable? NO. This JB, when eventually released, will be for all versions of TvOS up to and including 10.1, but NOT FOR 10.1.1.
What, also version 9.1?? YES (albeit through a different bug), BUT NOT 10.1.1.
Why is 10.1.1 NOT JBable? Because the bug used, CVE-2017-2370, has been patched.
What does the JB provide? A full set of kernel patches which allows running unsigned code and injecting arbitrary libraries into any TvOS process.
And Cydia? No Cydia.
Where's Cydia? Ask Saurik, not me. I personally don't like it much as I use my own binaries. And that's not the purpose of this JB.
So wait, if there's no Cydia, is it a jailbreak? YES. Because it gives you a full shell and you can do whatever you want - side load apps, etc. And in theory a Cydia like App (or even Cydia itself) could easily be created for TvOS.
Will MobileSubstrate run on TvOS? No reason why the 64-bit version won't.
How is TvOS different? Many very small ways. Most important, it does not run any 32-bit code. Also normal iOS IPAs won't work here. Sorry. But CLI binaries work just fine.
So what's in the IPA? A modified 64-bit only bootstrap.tar, containing /bin/sh -> /bin/bash, some of my tools (in /usr/local/bin), dropbear (a free standing ssh daemon, with its keys in /etc/dropbear), and a few select binaries.
How do I add more? Two options: either extract bootstrap.tar to some directory, add whatever you want, and repackage into .tar and into the IPA, or - once you are in the JB:
    cd /tmp
    /usr/local/bin/wget http://NewOSXBook.com/tools/iosbinpack64.tar
    tar xvf iosbinpack64.tar
and then /tmp/bin/ls your way around, followed by /tmp/bin/mv ... files to their usual locations, taking care not to overwrite any system binaries.
Why like that? Because it's an intentional PoC meant for developers and researchers, not for the general public - and provides 100% the functionality that target audience needs, with minimal disruption of the filesystem. And, because I made the mistake of overwriting a stupid binary (/usr/sbin/nvram), which effectively bricked my older TvOS. I had to fork another $149 to get another ATV box, and - once bitten, twice shy.
Why would overwriting built-in binaries be dangerous? Because this is a semi-tethered JB, meaning when your ATV reboots, it's not JB anymore. And that means any binaries you introduced have no code signature, and will be slain by that despicable AMFI. So EXERCISE CAUTION WITH WHAT YOU ADD, AND DON'T OVERWRITE ANY EXISTING BINARIES (I have my tar invocation with -k for that).
What are suggested steps once I'm in?
- Disable auto-updates from the GUI
- launchctl unload /System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist - to make sure the daemon is dead, dead, DEAD
- chmod 000 /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate - to shut up that $%#%$# daemon so it doesn't nag you if reincarnated (i.e. when you reboot)
- make a copy of /System/Library/Caches/apticket.der and save it somewhere SAFE.
- exercise extreme caution. I AM NOT RESPONSIBLE IF YOU BRICK YOUR TV, AND IF YOU DO, APPLE'S #@$#@$#@ DRACONIAN TYRANNICAL WHIM IS TO FORCE YOU TO UPGRADE TO 10.1.1, WHICH IS NOT JAILBREAKABLE
Wait. That was a good point. Say that again?
- exercise extreme caution. I AM NOT RESPONSIBLE IF YOU BRICK YOUR TV, AND IF YOU DO, APPLE'S #@$#@$#@ DRACONIAN TYRANNICAL WHIM IS TO FORCE YOU TO UPGRADE TO 10.1.1, WHICH IS NOT JAILBREAKABLE
- exercise extreme caution. I AM NOT RESPONSIBLE IF YOU BRICK YOUR TV, AND IF YOU DO, APPLE'S #@$#@$#@ DRACONIAN TYRANNICAL WHIM IS TO FORCE YOU TO UPGRADE TO 10.1.1, WHICH IS NOT JAILBREAKABLE
- exercise extreme caution. I AM NOT RESPONSIBLE IF YOU BRICK YOUR TV, AND IF YOU DO, APPLE'S #@$#@$#@ DRACONIAN TYRANNICAL WHIM IS TO FORCE YOU TO UPGRADE TO 10.1.1, WHICH IS NOT JAILBREAKABLE
Are you going to detail the steps you did in customizing Yalu? You bet. The jailbreak logic is already detailed in this forum as the free chapter 24 from my book. And I'll post a walk through for the particular mods soon enough. Luca did such an amazing job with Yalu the changes were mostly straightforward.
Where can I learn this stuff? The book (http://NewOSXBook.com) is a good start. So is the training (http://technologeeks.com/course.jl?course=OSSec).
Can we donate or support you somehow? Aww, shucks! Not really. I mean, you can always get the book (q.v. link from http://NewOSXBook.com/ - if you get it from AMZN get it through there, since their commission isn't as bad). But if you REALLY want to donate, send $25 to any charity of your choice, and DM me a screenshot of the receipt. That will make me happy that you're spreading the good karma!
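Added example (not code from the original post): a small POSIX shell pre-flight for the "don't overwrite any existing binaries" rule and the apticket backup step above. It lists which members of an archive like iosbinpack64.tar already exist under the destination before anything is moved, refuses to extract over them, and copies apticket.der without clobbering an earlier backup. The function names and the sample paths are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for adding binaries to a semi-tethered JB without
# touching anything that already lives on the filesystem.
# Assumes a POSIX tar/sh; the paths used in calls are placeholders.

# Print every regular-file member of $1 that already exists under $2.
# This is exactly the set a plain "tar xvf" would clobber and "tar -k"
# would skip, so you can see it before moving anything into place.
tar_collisions() {
    archive="$1"
    dest="$2"
    tar tf "$archive" | while IFS= read -r member; do
        case "$member" in
            */) continue ;;            # directory entries never collide
        esac
        rel="${member#./}"             # treat ./bin/ls and bin/ls alike
        if [ -e "$dest/$rel" ]; then
            printf '%s\n' "$rel"
        fi
    done
}

# Copy apticket.der ($1) to a backup path ($2); refuse to overwrite a
# previous backup and verify the copy byte-for-byte.
backup_apticket() {
    src="$1"
    dst="$2"
    [ -f "$src" ] || { echo "no ticket at $src" >&2; return 1; }
    [ -e "$dst" ] && { echo "$dst exists, not overwriting" >&2; return 2; }
    cp "$src" "$dst" && cmp -s "$src" "$dst"
}

# Extract $1 into $2 only when nothing collides; -k keeps existing files
# as a second line of defence even if the check is bypassed.
safe_extract() {
    archive="$1"
    dest="$2"
    if [ -n "$(tar_collisions "$archive" "$dest")" ]; then
        echo "collisions found under $dest, not extracting" >&2
        return 1
    fi
    tar -C "$dest" -xkf "$archive"
}
```

Run `tar_collisions /tmp/iosbinpack64.tar /` on the device first; an empty result means the mv step cannot replace a system binary.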