*OS Internals - The Forum

[saltthehash]

I am currently putting together my first jailbreak using voucher_swap and QiLin. I am able to rootify/shaihulud successfully and tested them with getuid() == 0 and writing a file to /var/mobile, respectively. The problem I am running into is that I cannot launch my binaries that I have included (dropbear, bash, and binbag). As I know that QiLin does not currently have a CoreTrust bypass, I signed the binaries with my dev cert and with (what I believe are) the proper entitlements (though I figure skip-library-validation is probably unnecessary for my use case, but it can't hurt, right?):

Code: Select all

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>platform-application</key>
    <true/>
    <key>com.apple.private.security.container-required</key>
    <false/>
    <key>com.apple.private.skip-library-validation</key>
    <true/>
</dict>
</plist>

However, I could not execCommand any of them. In fact, I would get a segmentation fault using execCommand. So I tried writing my own version of execCommand using posix_spawn, making sure the binary gets started in a suspended state, platformizing, then continuing the process. However, posix_spawn keeps returning EBADEXEC (though I do get a valid pid). I figured the processes must be getting killed if I am getting a pid... so I checked this by jailbreaking with @Jakeashacks's rootlessJB, logging in and directly executing the binaries from my jailbreak app bundle in the shell, which resulted in killed: 9 (exactly what I suspected). I tried running amfidebilitate (which came with the rootlessJB since it contained the now deprecated binpack) but as I soon learned, it redirects requests for non-self signed processes to MISValidateSignatureAndCopyInfo, and obviously it's pointless for self-signed processes because those will be stopped by CoreTrust.

I feel like I am missing something very basic here... Are any of my assumptions here wrong? How can I execute a binary with QiLin12 that is signed with a dev cert + entitlements without the need to patch the trust cache (the method used by @jakeashacks in jelbreklib)? Thanks!

[morpheus]

There are two methods, and I haven't updated QiLin yet for either. One is, as you point out, injecting to the trust cache. That still works.

The second is to preload the file (mmap it so it creates a vnode object) but NOT execute it. Then, inject a fake CS Blob into it, then execute it. A similar way has been suggested - https://research.dynastic.co/2019/03/01 ... efsrc=dynl. I should point out, though, that it's a bit overhyped as a "complete way to bypass CT". It means you have kernel full r/w, so at that point largely everything is possible.

[saltthehash]

There are two methods, and I haven't updated QiLin yet for either. One is, as you point out, injecting to the trust cache. That still works.

The second is to preload the file (mmap it so it creates a vnode object) but NOT execute it. Then, inject a fake CS Blob into it, then execute it. A similar way has been suggested - https://research.dynastic.co/2019/03/01 ... efsrc=dynl. I should point out, though, that it's a bit overhyped as a "complete way to bypass CT". It means you have kernel full r/w, so at that point largely everything is possible.

Ah ok. But then I am curious, why is this necessary if the binary is signed with an iphone developer certificate? I thought CT is meant to stop ad-hoc code signatures.

[morpheus]

It's necessary to frustrate jailbreakers. It's much more of a pain to sign with a dev provisioning profile - though I agree at the end of the way it's a pretty useless endeavor.. Thankfully, the trust cache injection method still works, despite their best of efforts, even on A12..

[saltthehash]

Yeah its definitely frustrating. But what exactly is happening on iOS 12 that prevents a binary signed with a dev cert from being executed? I don't see this behavior on iOS 11, and CT shouldn't be stopping it since it has an Apple root CA.