06-30-2019, 03:42 PM
(This post was last modified: 06-30-2019, 04:11 PM by GeoSn0w.)
Hey, I am having some issues getting apps to inherit root privileges. Since the app will not use jailbreakd I am wondering how to go about this. Any help? * Note * the app IS installed to /Applications.
Give it proper entitlements for some stuff (platform-application would probably be your best bet) but also give it an option to pull for jailbreakd because some jailbreaks will honor that, instead.
An example of what I mean can be seen with Zebra's supersling and/or Cydia's cydo.
(06-30-2019, 03:50 PM)Chr0nicT Wrote: Give it proper entitlements for some stuff (platform-application would probably be your best bet) but also give it an option to pull for jailbreakd because some jailbreaks will honor that, instead. An example of what I mean can be seen with Zebra's supersling and/or Cydia's cydo.
I have entitled it with jtool with this plist:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>platform-application</key>
<true/>
<key>com.apple.private.skip-library-validation</key>
<true/>
<key>com.apple.private.security.no-container</key>
<true/>
</dict>
</plist>
As you can see, once I started up the application it crashes.
(06-30-2019, 03:42 PM)Brandon Plank Wrote: Hey, I am having some issues getting apps to inherit root privileges. Since the app will not use jailbreakd i am wondering how to go about this. Any help? * Note * the app IS installed to /Applications.
Hi Brandon.
Normally, on a jailbroken iOS device the privilege escalation for installed applications is done by the jailbreakd daemon, or a separate root daemon. It does not matter that the app is in /Applications; if you wanna rootify it and unsandbox it, you must make sure the right entitlements are set in the binary and that it can get root somehow.
For sandbox escape entitlements:
Code:
com.apple.private.security.no-sandbox
com.apple.security.app-sandbox
Make sure you also have these entitlements:
Code:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>platform-application</key>
<true/>
<key>com.apple.private.security.container-required</key>
<false/>
</dict>
</plist>
As for running as root, you have 3 options on iOS 12 / 11:
- Make a daemon CLI program that is owned by root:wheel, and give it tfp0 + the logic to find your App's pid and write the patched data to the kernel memory, something like this:
Code:
void getRootForPid(pid_t pid) { // Your Application's PID
    uint64_t proc = proc_of_pid(pid);                    // kernel proc struct of the target pid
    uint64_t ucred = ReadAnywhere64(proc + off_p_ucred); // pointer to its credential (ucred) struct
    WriteAnywhere_32(ucred + off_ucred_cr_uid, 0);       // effective uid
    WriteAnywhere_32(ucred + off_ucred_cr_ruid, 0);      // real uid
    WriteAnywhere_32(ucred + off_ucred_cr_svuid, 0);     // saved uid
    WriteAnywhere_32(ucred + off_ucred_cr_rgid, 0);      // real gid
    WriteAnywhere_32(ucred + off_ucred_cr_svgid, 0);     // saved gid
}
- Or have jailbreakd grant you permissions.
- Include the exploit in your Application to automatically get root (NOT RECOMMENDED!)
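As an added check (my own Python, not code from any poster in this thread), the following parses an entitlements plist like the two above, reports which of the keys named in this thread relax a sandbox or platform check, and lists which of the keys GeoSn0w recommends are absent or set differently. SAMPLE_PLIST is constructed from the plist in the first reply, and the one-line description of each key is my own summary, an assumption rather than something the thread states.

```python
import plistlib
# Entitlement keys named in this thread and what each relaxes (my summary; assumption).
PRIVILEGED = {
    "platform-application": "treated as a platform (Apple) binary",
    "com.apple.private.security.no-sandbox": "runs outside the app sandbox",
    "com.apple.private.security.no-container": "runs without a data container",
    "com.apple.private.security.container-required": "container requirement (False relaxes it)",
    "com.apple.private.skip-library-validation": "can load libraries that fail library validation",
}
# Constructed sample: the plist from the first reply in this thread.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>platform-application</key><true/>
<key>com.apple.private.skip-library-validation</key><true/>
<key>com.apple.private.security.no-container</key><true/>
</dict>
</plist>"""
# The keys GeoSn0w's reply says an unsandboxed /Applications app needs.
RECOMMENDED = {
    "platform-application": True,
    "com.apple.private.security.container-required": False,
    "com.apple.private.security.no-sandbox": True,
}


def load_entitlements(data: bytes) -> dict:
    """Parse an entitlements plist (XML or binary) into a dict."""
    ents = plistlib.loads(data)
    if not isinstance(ents, dict):
        raise ValueError("entitlements plist must contain a dict at top level")
    return ents


def privileged_entitlements(ents: dict) -> dict:
    """Return the subset of known keys whose value actually relaxes a check."""
    found = {}
    for key, desc in PRIVILEGED.items():
        if key not in ents:
            continue
        # container-required only relaxes when explicitly False; the others when True.
        relaxing = False if key == "com.apple.private.security.container-required" else True
        if ents[key] is relaxing:
            found[key] = desc
    return found


def missing_entitlements(ents: dict, wanted: dict = RECOMMENDED) -> dict:
    """Keys in `wanted` that are absent from `ents` or carry a different value."""
    return {k: v for k, v in wanted.items() if ents.get(k) != v}
```

Run against SAMPLE_PLIST it flags three relaxing keys and reports that no-sandbox and container-required=false are missing, which matches the gap between the two plists in this thread.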
(06-30-2019, 03:53 PM)GeoSn0w Wrote: Hi Brandon. Normally, on a jailbroken iOS device the privilege escalation for installed applications is done by the jailbreakd daemon, or a separate root daemon. It does not matter that the app is in /Applications; if you wanna rootify it and unsandbox it, you must make sure the right entitlements are set in the binary and that it can get root somehow.
So basically if I call that during viewDidLoad, it should work?
(06-30-2019, 03:59 PM)Brandon Plank Wrote: So basically if I call that during viewDidLoad, it should work?
Add the entitlements he listed to your current app's entitlements:
Code:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>platform-application</key>
<true/>
<key>com.apple.private.security.container-required</key>
<false/>
</dict>
</plist>
You can also have a function to call jailbreakd to grant your app root permissions.
He also said that you can run the exploit again and call that function (rootify one) but it's not recommended. The entitlements and/or jailbreakd method would be the safest and best option.
06-30-2019, 04:03 PM
(This post was last modified: 06-30-2019, 04:07 PM by GeoSn0w.)
If you wanna grant yourself privileges from the viewDIDLoad(), you need tfp0. If it is exported (HGSP4), then you can do so.
06-30-2019, 04:05 PM
(This post was last modified: 06-30-2019, 04:07 PM by GeoSn0w.)
(06-30-2019, 04:03 PM)GeoSn0w Wrote: If you wanna grant yourself privileges from the viewDIDLoad(), you need tfp0. If it is exported (HGSP4), then you can do so.
The real question is: do the jailbreaks for iOS 8 - 10.3.3 do it?
(06-30-2019, 04:05 PM)Brandon Plank Wrote: The real question is: do the jailbreaks for iOS 8 - 10.3.3 do it?
Here is a list of those that do: https://www.theiphonewiki.com/wiki/Hgsp4_patch
(06-30-2019, 04:07 PM)GeoSn0w Wrote: Here is a list of those that do: https://www.theiphonewiki.com/wiki/Hgsp4_patch
https://www.theiphonewiki.com/wiki/Tfp0_patch
I think you should be able to attempt one of those, and if it fails (return 0 or gives an error) try the other one to get tfp0.
If those both fail, it's gotta be an error.