Getting root for iOS Application / Cydia app
#1
Question 
Hey, I am having some issues getting apps to inherit root privileges. Since the app will not use jailbreakd, I am wondering how to go about this. Any help? * Note * the app IS installed to /Applications.
#2
Give it proper entitlements for some stuff (platform-application would probably be your best bet) but also give it an option to pull for jailbreakd because some jailbreaks will honor that, instead.

An example of what I mean can be seen with Zebra's supersling and/or Cydia's cydo.
#3
(06-30-2019, 03:50 PM)Chr0nicT Wrote: Give it proper entitlements for some stuff (platform-application would probably be your best bet) but also give it an option to pull for jailbreakd because some jailbreaks will honor that, instead.

An example of what I mean can be seen with Zebra's supersling and/or Cydia's cydo.
I have entitled it with jtool with this plist:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>platform-application</key>
        <true/>
        <key>com.apple.private.skip-library-validation</key>
        <true/>
        <key>com.apple.private.security.no-container</key>
        <true/>
    </dict>
</plist>
As you can see, once I started up the application it crashes.
#4
(06-30-2019, 03:42 PM)Brandon Plank Wrote: Hey, I am having some issues getting apps to inherit root privileges. Since the app will not use jailbreakd, I am wondering how to go about this. Any help? * Note * the app IS installed to /Applications.

Hi Brandon.

Normally, on a jailbroken iOS device the privilege escalation for installed applications is done by the jailbreakd daemon, or a separate root daemon. It does not matter that the app is in /Applications; if you wanna rootify it and unsandbox it, you must make sure the right entitlements are set in the binary and that it can get root somehow.

For sandbox escape entitlements:
Code:
com.apple.private.security.no-sandbox
com.apple.security.app-sandbox

Make sure you also have these entitlements:
Code:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>platform-application</key>
    <true/>
    <key>com.apple.private.security.container-required</key>
    <false/>
  </dict>
</plist>

As for running as root, you have 3 options on iOS 12 / 11:
  • Make a daemon CLI program that is owned by root:wheel, and give it tfp0 + the logic to find your App's pid and write the patched data to the kernel memory, something like this:

Code:
void getRootForPid(pid_t pid) { // Your Application's PID
  uint64_t proc = proc_of_pid(pid);
  uint64_t ucred = ReadAnywhere64(proc + off_p_ucred);
  WriteAnywhere_32(ucred + off_ucred_cr_uid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_ruid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_svuid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_rgid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_svgid, 0);
}
  • Or have jailbreakd grant you permissions.
  • Include the exploit in your Application to automatically get root (NOT RECOMMENDED!)
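From the defender's side, the useful thing to take from the entitlement lists above is that a handful of keys are enough to tell whether a binary has been pulled out of the normal iOS app security model. The following is an added example, not code from this thread or from any of its posters: a small Python audit that parses an entitlements plist (like the ones posted in #3 and #4) and reports the privileged entitlements it finds. The key names are the ones quoted in the thread; which value counts as a finding for `container-required` and `app-sandbox` is my own reading (false weakens the model), and both sample plists are constructed here for the example.

```python
import plistlib

# Entitlements discussed in this thread that weaken or bypass the iOS
# app security model. Key names come from the thread; the trigger value
# (the one that counts as a finding) and the notes are my assumptions.
PRIVILEGED_ENTITLEMENTS = {
    "platform-application": (True, "binary is treated as an Apple platform application"),
    "com.apple.private.security.no-sandbox": (True, "process runs outside the app sandbox"),
    "com.apple.private.security.no-container": (True, "no per-app data container"),
    "com.apple.private.skip-library-validation": (True, "library validation skipped, foreign dylibs can load"),
    "com.apple.private.security.container-required": (False, "container requirement switched off"),
    "com.apple.security.app-sandbox": (False, "app sandbox explicitly disabled"),
}


def audit_entitlements(plist_bytes: bytes) -> list:
    """Parse an entitlements plist and return sorted (key, value, note) findings.

    Only boolean values are compared against the trigger; a non-boolean
    value under one of the watched keys is reported too, since it is
    unexpected and worth a look.
    """
    entitlements = plistlib.loads(plist_bytes)
    if not isinstance(entitlements, dict):
        raise ValueError("entitlements plist root must be a dict")
    findings = []
    for key, (trigger, note) in PRIVILEGED_ENTITLEMENTS.items():
        if key not in entitlements:
            continue
        value = entitlements[key]
        if not isinstance(value, bool) or value is trigger:
            findings.append((key, value, note))
    return sorted(findings)


# Constructed sample: the entitlements plist posted in #3 of this thread.
SAMPLE_POST3 = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>platform-application</key>
    <true/>
    <key>com.apple.private.skip-library-validation</key>
    <true/>
    <key>com.apple.private.security.no-container</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: an ordinary sandboxed app that keeps its container.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.private.security.container-required</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>
"""


def summarize(plist_bytes: bytes) -> str:
    """One line per finding, or a clean verdict, for a quick report."""
    findings = audit_entitlements(plist_bytes)
    if not findings:
        return "no privileged entitlements found"
    return "\n".join(f"{key}={value!r}: {note}" for key, value, note in findings)


if __name__ == "__main__":
    print("post #3 plist:")
    print(summarize(SAMPLE_POST3))
    print("benign plist:")
    print(summarize(SAMPLE_BENIGN))
```

On a real device the input would be the entitlements blob extracted from the binary's code signature (for example with the jtool mentioned in #3) rather than a hand-written plist, but the parsing and the decision logic are the same.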
#5
(06-30-2019, 03:53 PM)GeoSn0w Wrote:
(06-30-2019, 03:42 PM)Brandon Plank Wrote: Hey, I am having some issues getting apps to inherit root privileges. Since the app will not use jailbreakd, I am wondering how to go about this. Any help? * Note * the app IS installed to /Applications.

Hi Brandon.

Normally, on a jailbroken iOS device the privilege escalation for installed applications is done by the jailbreakd daemon, or a separate root daemon. It does not matter that the app is in /Applications; if you wanna rootify it and unsandbox it, you must make sure the right entitlements are set in the binary and that it can get root somehow.

For sandbox escape entitlements:
Code:
com.apple.private.security.no-sandbox
com.apple.security.app-sandbox

Make sure you also have these entitlements:
Code:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>platform-application</key>
    <true/>
    <key>com.apple.private.security.container-required</key>
    <false/>
  </dict>
</plist>

As for running as root, you have 3 options on iOS 12 / 11:
  • Make a daemon CLI program that is owned by root:wheel, and give it tfp0 + the logic to find your App's pid and write the patched data to the kernel memory, something like this:

Code:
void getRootForPid(pid_t pid) { // Your Application's PID
  uint64_t proc = proc_of_pid(pid);
  uint64_t ucred = ReadAnywhere64(proc + off_p_ucred);
  WriteAnywhere_32(ucred + off_ucred_cr_uid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_ruid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_svuid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_rgid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_svgid, 0);
}
  • Or have jailbreakd grant you permissions.
  • Include the exploit in your Application to automatically get root (NOT RECOMMENDED!)
So basically if I call that during viewDidLoad, it should work?
#6
(06-30-2019, 03:59 PM)Brandon Plank Wrote:
(06-30-2019, 03:53 PM)GeoSn0w Wrote:
(06-30-2019, 03:42 PM)Brandon Plank Wrote: Hey, I am having some issues getting apps to inherit root privileges. Since the app will not use jailbreakd, I am wondering how to go about this. Any help? * Note * the app IS installed to /Applications.

Hi Brandon.

Normally, on a jailbroken iOS device the privilege escalation for installed applications is done by the jailbreakd daemon, or a separate root daemon. It does not matter that the app is in /Applications; if you wanna rootify it and unsandbox it, you must make sure the right entitlements are set in the binary and that it can get root somehow.

For sandbox escape entitlements:
Code:
com.apple.private.security.no-sandbox
com.apple.security.app-sandbox

Make sure you also have these entitlements:
Code:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>platform-application</key>
    <true/>
    <key>com.apple.private.security.container-required</key>
    <false/>
  </dict>
</plist>

As for running as root, you have 3 options on iOS 12 / 11:
  • Make a daemon CLI program that is owned by root:wheel, and give it tfp0 + the logic to find your App's pid and write the patched data to the kernel memory, something like this:

Code:
void getRootForPid(pid_t pid) { // Your Application's PID
  uint64_t proc = proc_of_pid(pid);
  uint64_t ucred = ReadAnywhere64(proc + off_p_ucred);
  WriteAnywhere_32(ucred + off_ucred_cr_uid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_ruid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_svuid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_rgid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_svgid, 0);
}
  • Or have jailbreakd grant you permissions.
  • Include the exploit in your Application to automatically get root (NOT RECOMMENDED!)
So basically if I call that during viewDidLoad, it should work?
Add the entitlements he listed to your current app's entitlements:

Code:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>platform-application</key>
    <true/>
    <key>com.apple.private.security.container-required</key>
    <false/>
  </dict>
</plist>

You can also have a function to call jailbreakd to grant your app root permissions.

He also said that you can run the exploit again and call that function (rootify one) but it's not recommended. The entitlements and/or jailbreakd method would be the safest and best option.
#7
If you wanna grant yourself privileges from viewDidLoad(), you need tfp0. If it is exported (HSP4), then you can do so.
#8
(06-30-2019, 04:03 PM)GeoSn0w Wrote: If you wanna grant yourself privileges from viewDidLoad(), you need tfp0. If it is exported (HSP4), then you can do so.
The real question is: do the jailbreaks for iOS 8 - 10.3.3 do it?
#9
(06-30-2019, 04:05 PM)Brandon Plank Wrote:
(06-30-2019, 04:03 PM)GeoSn0w Wrote: If you wanna grant yourself privileges from viewDidLoad(), you need tfp0. If it is exported (HSP4), then you can do so.
The real question is: do the jailbreaks for iOS 8 - 10.3.3 do it?

Here is a list of those that do: https://www.theiphonewiki.com/wiki/Hgsp4_patch
#10
(06-30-2019, 04:07 PM)GeoSn0w Wrote:
(06-30-2019, 04:05 PM)Brandon Plank Wrote:
(06-30-2019, 04:03 PM)GeoSn0w Wrote: If you wanna grant yourself privileges from viewDidLoad(), you need tfp0. If it is exported (HSP4), then you can do so.
The real question is: do the jailbreaks for iOS 8 - 10.3.3 do it?

Here is a list of those that do: https://www.theiphonewiki.com/wiki/Hgsp4_patch

https://www.theiphonewiki.com/wiki/Tfp0_patch

I think you should be able to attempt one of those, and if it fails (returns 0 or gives an error), try the other one to get tfp0.
If those both fail, it's gotta be an error.