• Welcome to Jailbreak Central!
  • Do not forget to Subscribe to our YouTube channel for the latest news!
  • You can contact GeoSn0w on Twitter: @FCE365
Hello There, Guest! Login Register

Advertisement


Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Getting root for iOS Application / Cydia app
#1
Question 
Hey, I am having some issues getting apps to inherit root privileges. Since the app will not use jailbreakd i am wondering how to go about this. Any help? * Note * the app IS installed to /Applications.
 
Reply
#2
Give it proper entitlements for some stuff (platform-application would probably be your best bet) but also give it an option to pull for jailbreakd because some jailbreaks will honor that, instead.

An example of what I mean can be seen with Zebras supersling and/or cydias cydo
 
Reply
#3
(06-30-2019, 03:50 PM)Chr0nicT Wrote: Give it proper entitlements for some stuff (platform-application would probably be your best bet) but also give it an option to pull for jailbreakd because some jailbreaks will honor that, instead.

An example of what I mean can be seen with Zebras supersling and/or cydias cydo
I have entitled it with jtool with this plist
Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>platform-application</key>
        <true/>
        <key>com.apple.private.skip-library-validation</key>
        <true/>
        <key>com.apple.private.security.no-container</key>
        <true/>
    </dict>
</plist>
As you can see, once i started up the application it crashes.
 
Reply
#4
(06-30-2019, 03:42 PM)Brandon Plank Wrote: Hey, I am having some issues getting apps to inherit root privileges. Since the app will not use jailbreakd i am wondering how to go about this. Any help? * Note * the app IS installed to /Applications.

Hi Brandon.

Normally, on a jailbroken iOS device the privilege escalation for installed applications is done by the jailbreakd daemon, or a separate root daemon. It does not matter that the app is in /Applications, if you wanna rootify it and unsandbox it, you must make sure the right entitlements are set in the binary and that it can get root somehow.

For sandbox escape entitlements:
Code:
com.apple.private.security.no-sandbox
com.apple.security.app-sandbox

Make sure you also have these entitlements:
Code:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">
  <dict>
    <key>platform-application</key>
      <true/>
    <key>com.apple.private.security.container-required</key>
     <false/>
  </dict>
</plist>

As for running as root, you have 3 options on iOS 12 / 11:
  • Make a daemon cli program that is owned by root:wheel, and give it tfp0 + the logic to find your App's pid and write the patched data to the kernel memory, something like this:

Code:
void getRootForPid(pid_t pid) { // Your Application's PID
  uint64_t proc = proc_of_pid(pid);
  uint64_t ucred = ReadAnywhere64(proc + off_p_ucred);
  WriteAnywhere_32(ucred + off_ucred_cr_uid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_ruid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_svuid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_rgid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_svgid, 0);
}
  • Or have jailbreakd grant you permissions.
  • Include the exploit in your Application to automatically get root (NOT RECOMMENDED!)
 
Reply
#5
(06-30-2019, 03:53 PM)GeoSn0w Wrote:
(06-30-2019, 03:42 PM)Brandon Plank Wrote: Hey, I am having some issues getting apps to inherit root privileges. Since the app will not use jailbreakd i am wondering how to go about this. Any help? * Note * the app IS installed to /Applications.

Hi Brandon.

Normally, on a jailbroken iOS device the privilege escalation for installed applications is done by the jailbreakd daemon, or a separate root daemon. It does not matter that the app is in /Applications, if you wanna rootify it and unsandbox it, you must make sure the right entitlements are set in the binary and that it can get root somehow.

For sandbox escape entitlements:
Code:
com.apple.private.security.no-sandbox
com.apple.security.app-sandbox

Make sure you also have these entitlements:
Code:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">
  <dict>
    <key>platform-application</key>
      <true/>
    <key>com.apple.private.security.container-required</key>
     <false/>
  </dict>
</plist>

As for running as root, you have 3 options on iOS 12 / 11:
  • Make a daemon cli program that is owned by root:wheel, and give it tfp0 + the logic to find your App's pid and write the patched data to the kernel memory, something like this:

Code:
void getRootForPid(pid_t pid) { // Your Application's PID
  uint64_t proc = proc_of_pid(pid);
  uint64_t ucred = ReadAnywhere64(proc + off_p_ucred);
  WriteAnywhere_32(ucred + off_ucred_cr_uid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_ruid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_svuid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_rgid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_svgid, 0);
}
  • Or have jailbreakd grant you permissions.
  • Include the exploit in your Application to automatically get root (NOT RECOMMENDED!)
So basically if i call that during the view did load, It should work?
 
Reply
#6
(06-30-2019, 03:59 PM)Brandon Plank Wrote:
(06-30-2019, 03:53 PM)GeoSn0w Wrote:
(06-30-2019, 03:42 PM)Brandon Plank Wrote: Hey, I am having some issues getting apps to inherit root privileges. Since the app will not use jailbreakd i am wondering how to go about this. Any help? * Note * the app IS installed to /Applications.

Hi Brandon.

Normally, on a jailbroken iOS device the privilege escalation for installed applications is done by the jailbreakd daemon, or a separate root daemon. It does not matter that the app is in /Applications, if you wanna rootify it and unsandbox it, you must make sure the right entitlements are set in the binary and that it can get root somehow.

For sandbox escape entitlements:
Code:
com.apple.private.security.no-sandbox
com.apple.security.app-sandbox

Make sure you also have these entitlements:
Code:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">
  <dict>
    <key>platform-application</key>
      <true/>
    <key>com.apple.private.security.container-required</key>
     <false/>
  </dict>
</plist>

As for running as root, you have 3 options on iOS 12 / 11:
  • Make a daemon cli program that is owned by root:wheel, and give it tfp0 + the logic to find your App's pid and write the patched data to the kernel memory, something like this:

Code:
void getRootForPid(pid_t pid) { // Your Application's PID
  uint64_t proc = proc_of_pid(pid);
  uint64_t ucred = ReadAnywhere64(proc + off_p_ucred);
  WriteAnywhere_32(ucred + off_ucred_cr_uid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_ruid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_svuid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_rgid, 0);
  WriteAnywhere_32(ucred + off_ucred_cr_svgid, 0);
}
  • Or have jailbreakd grant you permissions.
  • Include the exploit in your Application to automatically get root (NOT RECOMMENDED!)
So basically if i call that during the view did load, It should work?
Add the entitlements he listed to your current apps entitlements

Code:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">
  <dict>
    <key>platform-application</key>
      <true/>
    <key>com.apple.private.security.container-required</key>
     <false/>
  </dict>
</plist>


You can also have a function to call jailbreakd to grant your app root permissions.

He also said that you can run the exploit again and call that function (rootify one) but it's not recommended. The entitlements and/or jailbreakd method would be the safest and best option.
 
Reply
#7
If you wanna grant yourself privileges from the viewDIDLoad(), you need tfp0. If it is exported (HGSP4), then you can do so.
 
Reply
#8
(06-30-2019, 04:03 PM)GeoSn0w Wrote: If you wanna grant yourself privileges from the viewDIDLoad(), you need tfp0. If it is exported (HGSP4), then you can do so.
The real question is does the jailbreaks for iOS 8 - 10.3.3 do it?
 
Reply
#9
(06-30-2019, 04:05 PM)Brandon Plank Wrote:
(06-30-2019, 04:03 PM)GeoSn0w Wrote: If you wanna grant yourself privileges from the viewDIDLoad(), you need tfp0. If it is exported (HGSP4), then you can do so.
The real question is does the jailbreaks for iOS 8 - 10.3.3 do it?

Here is a list of those that do: https://www.theiphonewiki.com/wiki/Hgsp4_patch
 
Reply
#10
(06-30-2019, 04:07 PM)GeoSn0w Wrote:
(06-30-2019, 04:05 PM)Brandon Plank Wrote:
(06-30-2019, 04:03 PM)GeoSn0w Wrote: If you wanna grant yourself privileges from the viewDIDLoad(), you need tfp0. If it is exported (HGSP4), then you can do so.
The real question is does the jailbreaks for iOS 8 - 10.3.3 do it?

Here is a list of those that do: https://www.theiphonewiki.com/wiki/Hgsp4_patch

https://www.theiphonewiki.com/wiki/Tfp0_patch

I think you should be able to attempt one of those, and if it fails (return 0 or gives an error) try the other one to get tfp0.
If those both fail, it's gotta be an error.
 
Reply
  


Forum Jump:


Browsing: 1 Guest(s)