Habemus Libertatem!

Postby morpheus » Thu Dec 21, 2017 3:08 am

So, Ian Beer's amazing work has CVE-2017-13861 working on all Darwin 17 devices I tested, i.e.

- iPod Touch (iPod7,1)
- iPad Pro 12.9 (iPad6,8)
- iPhone 8 (iPhone10,4)
- iPhone X (iPhone10,6)
- Apple TV 4 (AppleTV5,..)
- Apple TV 4k (AppleTV6,..)

That means it can work across ALL 64-bit devices (EDIT: GEEZUS, OF COURSE THIS MEANS the 5S and the 6, and the 6S, and the 7 too - and guess what - also the 7+). And possibly the Watch, with some adjustments.

Q: What iOS versions exactly?

11.0.x, 11.1.x. Also tvOS. Still haven't tested on watchOS 4.0.x and 4.1, because that requires 32-bit porting.
But see below about 10.x.

Q: What if I'm not on one of these versions?

Tough. I only mentioned 4 times on Twitter that you should have updated when you still could.

Q: Can I downgrade with this?


Q: Can I downgrade to a version this works on?


Q: Can this be used for an iCloud bypass?

NO. And don't steal other people's devices.

Q: So wen ETA Jailbreak? - If by "Jailbreak" you mean Cydia and tweaks - then IDK. If you mean a fully working shell environment with arbitrary unsigned binaries, any side loading of any App you want, KPP-less jailbreak, that's in a few days. You know, for Christmas.

Q: Why not Cydia? - Several reasons. A) I hate Cydia. B) CydiaSubstrate code injection requires getting past a sandbox hook (mmap-executable, to be exact), which I don't get around because getting around the sandbox is a technique I DO NOT WANT TO BLOW IN A PUBLIC JAILBREAK.

Edit: Actually, Cydia (as an app) can run fine, and even install out-of-app-store binaries. What WILL NOT work at the moment is code injection.

Q: What's that sandbox thing?

It's the "other" MACF policy, which is even more anal than its sister AMFI. I'm leaving it largely untouched, because my method of bypassing it is something I know AAPL can close in two minutes of thought and an hour of work. Btw, this also means you can't run binaries from /tmp or /var/[root/mobile], but it's easy to run binaries from pretty much anywhere else - and the rootfilesystem is mounted r/w, so it can really be anywhere else.

Q: Ok, no Cydia (Substrate), but what?

- Root filesystem remount
- Sandbox escape
- Root, obviously
- Arbitrary binaries, so long as they are self signed with jtool (sorry ldid[2]'ers - get a real code signing tool...)
- Run with any entitlements you want.
- App continues to run as "jailbreakd" to handle process/app launches.

- Code injection (for DYLD_INSERT, coeruption, and - yes - CydiaSubstrate) to be added in the future
- In-memory patching of AMFId to neuter it (rather than have a jailbreakd) also to be added in the future. I was going to add it now, but having a jailbreakd listen on every process has its advantages. I'm thinking of making a SuperSU-style app out of it.

Q: So how does it work? - Long story, and a full writeup shall be detailed soon (I'm also adding Chapter 25 to Volume III of MOXiI in order to cover this). The short version is that I perform all patches in the process list. And one in the root vnode.

Q: How do you get past code signing? - By touching that despicable amfid in its private parts. This allows me to not touch the trust cache (thanks for blowing that method publicly...), and get notified of every process launch.

Q: I tried that and it still didn't work for me. There's the sandbox and the container crap to get around. - So you get around it. Wait for details.

Q: So why aren't you releasing? Honestly? Because I have absolutely no UI yet. But it will be ready for xmas.

Q: will this be open source? Yes - The .h file surely, and probably most of the implementation. BUT WITH A LICENSE.

Q: LICENSE? Yes. Relax. Just asking you to give credit and say "Powered by ...." or something like that. Credit where credit is due.

Q: Is this untethered?

NO. Untethered requires a very early exploit (+ persistence) which is technically possible in one of several ways, each of which is a major 0-day in and of itself. Again - NO.

Q: Is this related to the jailbreak toolkit? This IS the jailbreak toolkit. At least the parts I can expose in open source - AAPLites see these things too, and I'm sure they have ideas as how to correct them by iOS 12.

Q: And can I use the toolkit to JB?

Actually, yes. The idea is that the toolkit enables you to achieve the same functionality described above with 10 lines of code a total n00b could write, calling on functions I expose (a C header file - .h).

Q: Can this be used for iOS 10.x? tvOS 10.x?

First, thank you for actually reading intently. YES. Just give me the kernel_task port and the two offsets I need. But that requires either the S1guza v0rtex style methods (great work, man), and/or a reliable kernel info leak bug. The one used by Ian (CVE-2017-13865) was only introduced in Darwin.

Q: Does your JBToolkit need offsets?

The public version, yes. By ripping some of JTool's code I could deduce the two symbols I need (_kernproc and _rootvnode) directly from the in-memory image, but I'm not about to make that part open source. Simply hard code or feed the offsets when you get the source (and when I get a UI for this). It'll be easy.

Q: Are you using async_wake? Yep. I stand on the shoulders of giants. Well, THE Giant. Ian Beer. He's the man. Though I admit I kind of hate that he blows bugs used in private jailbreaks.

Q: Are you using xerub's patches? Some patches overlap, but - not his code or any of the numerous GitHub clones people are trying to pass as jailbreaks. I've been using my own set of "KPP-less" (as coined by Xerub), but rather than using offsets I actually got the kernel headers to compile in user mode. My method of code signing evasion is different than his, and (again) draws from Ian Beer's. The code is 100% mine and draws from no other person, nationality, or anything.

Q: Is <fill in the blank> jailbreak fake?

I don't know. But nothing beats open source, and this will be released as such. Most of the would-be jailbreakers I've seen directly clone off the async_wake GitHub sources. (That's why this JB will have that above mentioned license..)

Q: Can I donate? Yes, but not to me - to a charity of your choice - and as much as you think this work is worth to you. Spread the word - do it, post a screenshot (redact the details, whatever) and just say it's for the jailbreak. #Libertas or something.

Q: What if I use this and I brick my device?

Then it's on you. The powers of root are not for the faint of heart or the feeble of mind.

Happy Holidays, people! Consider this one guaranteed Christmas (and belated Hanukkah) gift :-)
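The "patches in the process list" that the post above refers to, shown as an added illustration. This is not code from the original post or from the author's toolkit. It assumes the two things the post says the public toolkit needs, a kernel read/write primitive (tfp0 from async_wake) and the address of _kernproc, and then walks the proc list to a target pid and patches one field. Everything below the primitives is a constructed simulation: "kernel memory" is a local buffer, the struct proc offsets are hypothetical placeholders rather than the real iOS 11 layout, and the credential swap is a common public data-only technique, not confirmed as the author's actual patch.

```c
/*
 * Added example, not from the original post or the author's toolkit.
 * Models "patch the process list": given a kernel r/w primitive and the
 * address of _kernproc, walk the proc list to a pid and patch one field.
 *
 * Simulation only: kmem[] stands in for kernel memory, the struct proc
 * offsets below are hypothetical placeholders (NOT the real iOS 11 layout,
 * which is exactly the version-specific input the post says must be fed in).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBASE  0xfffffff007004000ULL   /* simulated kernel data window */
#define KSIZE  0x1000
static uint8_t kmem[KSIZE];

/* Hypothetical struct proc layout. Real XNU does put LIST_ENTRY(proc)
 * p_list first (le_next at +0, le_prev at +8); the rest is made up. */
#define OFF_LE_NEXT 0x00
#define OFF_LE_PREV 0x08
#define OFF_P_PID   0x10
#define OFF_P_UCRED 0x18

/* In a real toolkit these wrap mach_vm_read/write on the tfp0 port;
 * here they are bounds-checked copies into the simulated window. */
static int kread(uint64_t kaddr, void *buf, size_t len) {
    if (kaddr < KBASE || kaddr - KBASE + len > KSIZE) return -1;
    memcpy(buf, kmem + (kaddr - KBASE), len);
    return 0;
}
static int kwrite(uint64_t kaddr, const void *buf, size_t len) {
    if (kaddr < KBASE || kaddr - KBASE + len > KSIZE) return -1;
    memcpy(kmem + (kaddr - KBASE), buf, len);
    return 0;
}
static uint64_t rk64(uint64_t a) { uint64_t v = 0; kread(a, &v, 8); return v; }

/* Walk from kernproc toward newer processes. kernproc is the *tail* of
 * allproc (every later proc is LIST_INSERT_HEAD'ed in front of it), so its
 * le_next is NULL and the walk follows le_prev, which, because p_list is the
 * first member, points at the previous struct proc itself. The loop is
 * bounded and stops on a read outside the window, because the newest proc's
 * le_prev points at the allproc head, not at a proc. Returns 0 if not found. */
uint64_t find_proc(uint64_t kernproc, int32_t pid) {
    uint64_t p = kernproc;
    for (int i = 0; i < 4096 && p != 0; i++) {
        int32_t cur;
        if (kread(p + OFF_P_PID, &cur, sizeof cur) != 0) break;
        if (cur == pid) return p;
        p = rk64(p + OFF_LE_PREV);
    }
    return 0;
}

uint64_t cred_of(uint64_t proc) { return rk64(proc + OFF_P_UCRED); }

/* One data-only route to "root, obviously": point the target's p_ucred at the
 * kernel's credential. A common public technique; the post does not say this
 * is the author's exact patch. Returns 0 on success, -1 on a bad input. */
int give_kernel_cred(uint64_t kernproc, uint64_t target) {
    uint64_t kcred = rk64(kernproc + OFF_P_UCRED);
    if (kcred == 0 || target == 0) return -1;
    return kwrite(target + OFF_P_UCRED, &kcred, sizeof kcred);
}

/* Constructed list (not a dump): allproc head -> app(501) -> launchd(1) ->
 * kernproc(0), each proc with its own fake credential pointer.
 * Returns the simulated _kernproc address. */
uint64_t build_sim(void) {
    memset(kmem, 0, sizeof kmem);
    uint64_t head     = KBASE + 0x000;            /* allproc.lh_first slot */
    uint64_t procs[3] = { KBASE + 0x100, KBASE + 0x200, KBASE + 0x300 };
    uint64_t creds[3] = { KBASE + 0x800, KBASE + 0x900, KBASE + 0xa00 };
    int32_t  pids[3]  = { 501, 1, 0 };
    kwrite(head, &procs[0], 8);
    for (int i = 0; i < 3; i++) {
        uint64_t next = (i + 1 < 3) ? procs[i + 1] : 0;
        uint64_t prev = (i > 0) ? procs[i - 1] : head;
        kwrite(procs[i] + OFF_LE_NEXT, &next, 8);
        kwrite(procs[i] + OFF_LE_PREV, &prev, 8);
        kwrite(procs[i] + OFF_P_PID, &pids[i], 4);
        kwrite(procs[i] + OFF_P_UCRED, &creds[i], 8);
    }
    return procs[2];
}

int main(void) {
    uint64_t kernproc = build_sim();
    uint64_t app = find_proc(kernproc, 501);
    printf("pid 501 proc at 0x%llx\n", (unsigned long long)app);
    if (give_kernel_cred(kernproc, app) == 0)
        printf("p_ucred now 0x%llx (kernel's)\n", (unsigned long long)cred_of(app));
    return 0;
}
```

The point of the bounded, range-checked walk is the caveat the post hints at when it says the public version needs offsets fed in: with a wrong kernproc address or wrong struct offsets, an unbounded walk over attacker-controlled-looking pointers panics the device, so a real toolkit checks every dereference against the kernel's address range before trusting it.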

Re: Habemus Libertatem!

Postby septium » Thu Dec 21, 2017 11:18 am

J, thank you for this awesome work!

You said:
Code injection (for DYLD_INSERT, coeruption, and - yes - CydiaSubstrate) to be added in the future

getting around the sandbox is a technique I DO NOT WANT TO BLOW IN A PUBLIC JAILBREAK

But how can you add code injection without blowing the secret MACF sandbox-escaping exploit?

Edit: Because there is a way to bypass library validation just by patching the process list, I believe. But I need to test it.

Re: Habemus Libertatem!

Postby ninjaprawn » Thu Dec 21, 2017 12:56 pm

"Q: So how does it work?" - Will there be any differences between the writeup and the additional chapter?

You mention a 'jailbreakd' process will be running that "handles process/app launches" - will the source of the process be part of the open source package, or a method that can be used to alert another process that app/process X has launched?

How will this be future-proofed? Say in the future, Apple does fix some of the things you do in iOS 12. Will this toolkit be updated?

A: I'm contemplating the jailbreakd. I'm thinking of making it into a full blown supersu type, in which case it might be closed.
A: Apple can't fix data-only that easily - they need hardware assistance to do that, as well as a redesign. The day they do, JBing will be gone forever. For now, we're ok.

Re: Habemus Libertatem!

Postby JailbreakReal » Thu Dec 21, 2017 1:17 pm

Good work :geek:

Re: Habemus Libertatem!

Postby rubenwgs » Thu Dec 21, 2017 1:27 pm

First of all: Thank you SO much for everything you are doing for the JB community (I know it can be quite a shitty community sometimes)!!!

One question has been sitting in my mind since I started following every tweet you post.
For me as a complete tech/coding/whatever noob (I'm just the type of guy that enjoys jailbreaking but doesn't understand shit about the process itself):
Does your tool allow me/us to have a "normal" jailbreak with the possibility to install Cydia (or have Cydia installed straight away) and install tweaks as it was in the good old days?

You are talking about "Q: So wen ETA Jailbreak? - If by "Jailbreak" you mean Cydia and tweaks - then IDK.", which seems to me to say that it is not possible.
Then you say "Edit: Actually, Cydia (as an app) can run fine, and even install out-of-app-store binaries. What WILL NOT work at the moment is code injection", which for me as a noob isn't clear. What are out-of-app-store binaries?
If code injection isn't possible, can we not run any tweaks?

I hope you understand that these might seem like silly questions to you, but not to me as a standard user xD

Would appreciate an explanation if you have the time to do so :)

Greetings from Switzerland!

Cydia = the installer App + tweak engine. The installer app can run right now and install any third party app - not tweak - you want. The tweak engine requires code injection, for which there is a subtle way to do it but I don't want AAPL to close it. If I can get another workaround, I will, and then tweaks will work as well.

Re: Habemus Libertatem!

Postby Blackeg880 » Thu Dec 21, 2017 1:54 pm

My question is:
With this tool can I install "deb" files using Filza or iFile?
Thank you for the great work

Re: Habemus Libertatem!

Postby karwan » Thu Dec 21, 2017 2:07 pm

This is nice, hope we get our hands on it soon, ASAP!

Re: Habemus Libertatem!

Postby skimaskngun » Thu Dec 21, 2017 3:24 pm

CydiaSubstrate code injection requires getting past a sandbox hook (mmap-executable, to be exact), which I don't get around because getting around the sandbox is a technique I DO NOT WANT TO BLOW IN A PUBLIC JAILBREAK.

Does this mean that when saurik finishes his part and Mobile Substrate gets updated we will ever be able to use Cydia the way we've always used it? And will another dev need to push another IPA that includes Cydia/MS? I guess I don't understand how we will install tweaks etc..... BTW thank you very much for this. MERRY CHRISTMAS

A: If I can get my jailbreakd solution to bypass Apple's sandbox mmap restriction, then yes. And you're welcome.

Re: Habemus Libertatem!

Postby digitalD » Thu Dec 21, 2017 3:25 pm

Great work there!! Thanks.

I had a few questions:
1. Other than the 'safe mode', is there any advantage of using Cydia Substrate to build the tweaks?

2. Will/Can there be any other similar mechanism to disable all JB tweaks if the developers choose to go without cydia substrate?

3. While the answer may differ for each tweak, how much effort would it be to convert a Substrate-based tweak to a direct tweak, in general? And should devs even invest in this task?

Re: Habemus Libertatem!

Postby stinger » Thu Dec 21, 2017 4:33 pm

This is awesome. Thank you! Today should be a good day... I read this post, and I am supposed to get the #MOXiI Volume I book today. So, this is what I will be doing over the holiday break.
