Electra

前言

本文的重点是定制一些自己的功能


cydia 分支的代码比较新
 打开app 自动激活

 //todo 定制一些项目的需求: 比如创建初始化一些基本设置
  • 存放cydia 预留源地址的目录
iRoast:/private/etc/apt/sources.list.d root# ls -lrt
total 12
-rwxr-xr-x 1 root wheel 227 Feb 16  2017 saurik.list
-rw-r--r-- 1 root wheel  59 Mar  4 19:58 electra-shim.list
-rw-r--r-- 1 root wheel  44 Mar  4 20:05 electra.list
lrwxr-xr-x 1 root wheel  56 Mar  4 21:03 cydia.list -> /var/mobile/Library/Caches/com.saurik.Cydia/sources.list
iRoast:/private/etc/apt/sources.list.d root# cat  electra.list
deb https://electrarepo64.coolstar.org/ ./

iRoast:/private/etc/apt/sources.list.d root# cat  electra-shim.list
deb https://electrarepo64.coolstar.org/substrate-shim/ ./

iRoast:/private/etc/apt/sources.list.d root# cat  saurik.list
# DO NOT EDIT | This is the story of a time long ago, A time of myth and legend, when the Earth was still young.
# The ancient gods were petty and cruel, and they plagued mankind with suffering and beseiged them with terrors. 
iRoast:/private/etc/apt/sources.list.d root# cat cydia.list
deb http://apt.saurik.com/ ios/1445.32 main
deb http://apt.thebigboss.org/repofiles/cydia/ stable main
deb http://cydia.zodttd.com/repo/cydia/ stable main
deb http://repo666.ultrasn0w.com/ ./
deb http://apt.touchsprite.com/ ./
deb http://apt.modmyi.com/ stable main
  • dylib 存放的目录
iPhone:/usr/lib/TweakInject root# ls -lrt
total 9124
lrwxr-xr-x 1 mobile staff      33 Nov  3  2015 RocketBootstrap.dylib -> /usr/lib/librocketbootstrap.dylib*

<!-- /Layout/Library/MobileSubstrate/DynamicLibraries/ -->
<!-- 此地址已经失效 -->
<!-- librocketbootstrap 要移到这里 -->

正文

system

 int rv;
    pid_t pd;
    
    rv = posix_spawn(&pd, "/usr/bin/killall", NULL, NULL, (char **)&(const char*[]){ "killall", "-9", "SpringBoard", NULL }, NULL);
    
    char* argv[] = {(char *)cmd, NULL};
    
//    rv = posix_spawn(&pd, "/usr/bin/killall", NULL, NULL,argv, NULL);
    
    waitpid(pd, NULL, 0);

项目研究

build

  • error: unknown type name ‘__uint128_t’

In file included from /Users/devzkn/code/re/electra/electra/exploit/kdbg.c:13:
/Users/devzkn/code/re/electra/electra/exploit/arm64_state.h:61:9: error: unknown type name '__uint128_t'

可以不考虑armv7,只考虑arm64
<!-- armv7    -->
./configure armv7 --build x86_64 --host=arm-apple-darwin10 --target=aarch64-apple-darwin CC=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang EXTRA_CFLAGS='-arch arm64 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS10.2.sdk' EXTRA_LDFLAGS='-arch arm64'


<!-- /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang -arch arm64 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS10.3.sdk -L/Users/devzkn/Library/Developer/Xcode/DerivedData/electra-ciwkmiofnlpesfeycfvrvnsevrie/Build/Products/Debug-iphoneos -F/Users/devzkn/Library/Developer/Xcode/DerivedData/electra-ciwkmiofnlpesfeycfvrvnsevrie/Build/Products/Debug-iphoneos -filelist /Users/devzkn/Library/Developer/Xcode/DerivedData/electra-ciwkmiofnlpesfeycfvrvnsevrie/Build/Intermediates/electra.build/Debug-iphoneos/electra.build/Objects-normal/arm64/electra.LinkFileList -Xlinker -rpath -Xlinker @executable_path/Frameworks -miphoneos-version-min=11.0 -dead_strip -Xlinker -object_path_lto -Xlinker /Users/devzkn/Library/Developer/Xcode/DerivedData/electra-ciwkmiofnlpesfeycfvrvnsevrie/Build/Intermediates/electra.build/Debug-iphoneos/electra.build/Objects-normal/arm64/electra_lto.o -Xlinker -export_dynamic -Xlinker -no_deduplicate -fobjc-arc -fobjc-link-runtime -framework IOKit -Xlinker -dependency_info -Xlinker /Users/devzkn/Library/Developer/Xcode/DerivedData/electra-ciwkmiofnlpesfeycfvrvnsevrie/Build/Intermediates/electra.build/Debug-iphoneos/electra.build/Objects-normal/arm64/electra_dependency_info.dat -o /Users/devzkn/Library/Developer/Xcode/DerivedData/electra-ciwkmiofnlpesfeycfvrvnsevrie/Build/Products/Debug-iphoneos/electra.app/electra -->

Undefined symbols for architecture arm64:
  "_kevent_id", referenced from:
      _fill_events in find_port.o
  "_inflate", referenced from:
      -[NSData(GZIP) gunzippedData] in NSData+GZip.o
  "_deflate", referenced from:
      -[NSData(GZIP) gzippedDataWithCompressionLevel:] in NSData+GZip.o
  "_inflateEnd", referenced from:
      -[NSData(GZIP) gunzippedData] in NSData+GZip.o
  "_deflateInit2_", referenced from:
      -[NSData(GZIP) gzippedDataWithCompressionLevel:] in NSData+GZip.o
  "_inflateInit2_", referenced from:
      -[NSData(GZIP) gunzippedData] in NSData+GZip.o
  "_deflateEnd", referenced from:
      -[NSData(GZIP) gzippedDataWithCompressionLevel:] in NSData+GZip.o
ld: symbol(s) not found for architecture arm64

更换Xcode9 进行编译

<!-- iOS 11.1.2 kernel exploit and PoC local kernel debugger by @i41nbeer. This fork will no longer be updated, other forks have progressed much further. https://bugs.chromium.org/p/project-z… -->

https://github.com/benjibobs/async_wake


<!-- //  GZIP.m -->


#import <zlib.h>




<!-- make[1]: ldid2: No such file or directory -->

https://github.com/coolstar/electra/issues/160

ldid is a tool made by saurik for modifying a binary's entitlements easily. This repo is a fork of ldid / ldid2 (with SHA256 supported from xerub) from saurik git repository git://git.saurik.com/ldid.git


compile this version of ldid / ldid2 (with SHA256 supported from xerub)
git clone https://github.com/GaryniL/ldid.git
cd ldid
./make_ldid.sh
./make_ldid2.sh

then move them to /usr/local/bin


devzkndeMacBook-Pro:ldid devzkn$ cat make_ldid2.sh
#!/bin/bash
# Builds ldid2 (the ldid fork with SHA256 support) against the macOS SDK when
# xcrun is present, and with a bare g++ otherwise.  Both compile steps are
# echoed (set -x) so the exact command lines show up in the build log.

set -e

sudo xcode-select --switch /Applications/Xcode.app

if which xcrun &>/dev/null; then
    # Fat Intel binary (i386 + x86_64) with a 10.9 deployment target.
    flags=(xcrun -sdk macosx g++ -mmacosx-version-min=10.9 -arch i386 -arch x86_64)
else
    flags=(g++)
fi
flags+=(-I.)

set -x
"${flags[@]}" -c -std=c++11 -o ldid.o ldid2.cpp
"${flags[@]}" -o ldid2 ldid.o -x c lookup2.c -x c sha1.c sha224-256.c
devzkndeMacBook-Pro:ldid devzkn$ ./make_ldid2.sh
Password:
+ xcrun -sdk macosx g++ -mmacosx-version-min=10.9 -arch i386 -arch x86_64 -I. -c -std=c++11 -o ldid.o ldid2.cpp
+ xcrun -sdk macosx g++ -mmacosx-version-min=10.9 -arch i386 -arch x86_64 -I. -o ldid2 ldid.o -x c lookup2.c -x c sha1.c sha224-256.c
devzkndeMacBook-Pro:ldid devzkn$ ls -lrt
total 1392
-rw-r--r--  1 devzkn  staff   34520 Mar 26 14:23 COPYING
-rw-r--r--  1 devzkn  staff     649 Mar 26 14:23 README.md
-rw-r--r--  1 devzkn  staff     824 Mar 26 14:23 arid.cpp
-rw-r--r--  1 devzkn  staff     347 Mar 26 14:23 control
-rwxr-xr-x  1 devzkn  staff     139 Mar 26 14:23 control.sh
-rwxr-xr-x  1 devzkn  staff     418 Mar 26 14:23 ios.sh
-rw-r--r--  1 devzkn  staff   44495 Mar 26 14:23 ldid.cpp
-rw-r--r--  1 devzkn  staff   44502 Mar 26 14:23 ldid2.cpp
-rw-r--r--  1 devzkn  staff   13154 Mar 26 14:23 lookup2.c
-rwxr-xr-x  1 devzkn  staff     403 Mar 26 14:23 make_ldid.sh
-rwxr-xr-x  1 devzkn  staff     418 Mar 26 14:23 make_ldid2.sh
drwxr-xr-x  7 devzkn  staff     224 Mar 26 14:23 minimal
-rw-r--r--  1 devzkn  staff     889 Mar 26 14:23 sha-private.h
-rw-r--r--  1 devzkn  staff   14014 Mar 26 14:23 sha.h
-rw-r--r--  1 devzkn  staff   10655 Mar 26 14:23 sha1.c
-rw-r--r--  1 devzkn  staff    1735 Mar 26 14:23 sha1.h
-rw-r--r--  1 devzkn  staff   18129 Mar 26 14:23 sha224-256.c
-rwxr-xr-x  1 devzkn  staff     119 Mar 26 14:23 version.sh
-rw-r--r--  1 devzkn  staff  224456 Mar 26 14:25 ldid.o
-rwxr-xr-x  1 devzkn  staff  253500 Mar 26 14:25 ldid2



<!-- devzkndeMacBook-Pro:ldid devzkn$ mv ldid2 ~/bin -->
devzkndeMacBook-Pro:ldid devzkn$ ldid2
usage: ldid2 -S[entitlements.xml] <binary>
   ldid2 -e MobileSafari
   ldid2 -S cat
   ldid2 -Stfp.xml gdb

ok  ,至此编译成功

安装

  • log
build_id: 15B202
sysname: Darwin
nodename: 
release: 17.2.0
version: Darwin Kernel Version 17.2.0: Fri Sep 29 18:14:51 PDT 2017; root:xnu-4570.20.62~4/RELEASE_ARM64_T7000
machine: iPhone7,1
message size for kalloc.4096: 2956
got user client: 0x6e0b
2018-03-26 14:30:43.619660+0800 electra[220:4523] refreshPreferences: HangTracerEnabled: 0
2018-03-26 14:30:43.620035+0800 electra[220:4523] refreshPreferences: HangTracerDuration: 500
2018-03-26 14:30:43.622056+0800 electra[220:4523] refreshPreferences: ActivationLoggingEnabled: 0 ActivationLoggingTaskedOffByDA:0
 [+] prepared kqueue
task self: 0xfffffff1117c8650
our task port is at 0xfffffff1117c8650
found target port with suitable allocation page offset: 0xfffffff113bc5e70
replacer_body_size: 0xb74
message_body_offset: 0x448
0
e00002c9
0
0
20
40
60
2018-03-26 14:30:49.410269+0800 electra[220:4671] [BoringSSL] Function boringssl_context_get_peer_sct_list: line 1757 received sct extension length is less than sct data length
80
100
120
140
160
180
got replaced with replacer port 30
found kernel vm_map: 0xfffffff10e17e800
second time got replaced with replacer port 0
will try to read from second port (fake kernel)
kernel read via fake kernel task port worked?
0x0000000000420000
0x0000000000000000
0xfffffff10e1888e0
0xfffffff10e188980
about to build safer tfp0
message buffer: fffffff11d298000
fake_kernel_task_kaddr: fffffff11d298000
read fake_task_refs: d00d
about to test new tfp0
kernel read via second tfp0 port worked?
0x0000000000420000
0x0000000000000000
0xfffffff10e1888e0
0xfffffff10e188980
built safer tfp0
about to clear up
cleared up
tfp0: 188ac0b
slide: 0x0000000007800000
Created fake_vtable at fffffff0008a8000
Copied some of the vtable over
Created fake_client at fffffff0008a9000
Copied the user client over
Wrote the `add x0, x0, #0x40; ret;` gadget over getExternalTrapForIndex
found amfid - getting task
found cfprefsd. keeping PID
found backboardd. keeping PID
found launchd
our proc is at 0xfffffff10f9360c0
kern proc is at 0xfffffff00ee19d10
our uid is 0
wrote test file: 0x101300fb8
[remap_kernel_task] kernel task at 0xfffffff10f23c0e0
[remap_kernel_task] remapped successfully to 0xfffffff1109f00e0
[remap_kernel_task] port kaddr: 0xfffffff11308d3f0
remapped tfp0: 0x188b00b
remounting: 0
Did we mount / as read+write? yes
making /bootstrap
[fun] copied the required binaries into the right places
2018-03-26 14:30:53.003 inject_criticald[227:4810] Address is at 000000010034c000
2018-03-26 14:30:53.003 inject_criticald[227:4810] found at: 183db3114
2018-03-26 14:30:53.150 inject_criticald[227:4810] No error occured!
Starting server...
2018-03-26 14:31:25.799025+0800 electra[220:4658] The dragon becomes me!
2018-03-26 14:31:25.799170+0800 electra[220:4658] once it is drawn, it cannot be sheathed without causing death
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...
Waiting for jailbreakd...



// MARK: - Post exploit patching

int begin_fun(mach_port_t tfp0, mach_port_t user_client, bool enable_tweaks) {


   while (!file_exists("/var/tmp/jailbreakd.pid")){
        printf("Waiting for jailbreakd...\n");
        usleep(100000); //100 ms
    }



<!-- 2018-03-26 14:36:03.856488+0800 electra[233:5739] [process_info] Exiting because our workspace host has disconnected. -->

<!-- devzkndeMacBook-Pro:electra devzkn$ man git-pull -->

<!-- 获取cydia 分支 -->

devzkndeMacBook-Pro:electra devzkn$  git remote show origin
* remote origin
  Fetch URL: git@github.com:coolstar/electra.git
  Push  URL: git@github.com:coolstar/electra.git
  HEAD branch: master
  Remote branches:
    cydia  tracked
    master tracked
  Local branch configured for 'git pull':
    master merges with remote master
  Local ref configured for 'git push':
    master pushes to master (fast-forwardable)

<!-- 此时我要        cydia  tracked -->
<!-- 查看远程分支 -->
devzkndeMacBook-Pro:electra devzkn$  git branch -r
  origin/HEAD -> origin/master
  origin/cydia
  origin/master

<!-- 查看所有的分支 -->
devzkndeMacBook-Pro:electra devzkn$ git branch -a
* master
  remotes/origin/HEAD -> origin/master
  remotes/origin/cydia
  remotes/origin/master



devzkndeMacBook-Pro:electra devzkn$ git fetch origin  cydia
From github.com:coolstar/electra
 * branch            cydia      -> FETCH_HEAD


<!-- http://www.ruanyifeng.com/blog/2014/06/git_remote.html -->


devzkndeMacBook-Pro:electra devzkn$ git checkout -b cydia origin/cydia

Branch cydia set up to track remote branch cydia from origin.
Switched to a new branch 'cydia'


devzkndeMacBook-Pro:electra devzkn$ git fetch origin



<!-- 总结: 取回远程的一个分支 cydia-->

devzkndeMacBook-Pro:electra devzkn$ git checkout -b cydia origin/cydia
Branch cydia set up to track remote branch cydia from origin.
Switched to a new branch 'cydia'

devzkndeMacBook-Pro:electra devzkn$ git fetch origin


<!-- dyld: could not load inserted library '/usr/lib/SBInject.dylib' because no suitable image found.  Did find: -->
    /usr/lib/SBInject.dylib: code signing blocked mmap() of '/usr/lib/SBInject.dylib'

Message from debugger: Terminated due to signal 6





Electra app

  • fun.c
// MARK: - Post exploit patching

int begin_fun(mach_port_t tfp0, mach_port_t user_client, bool enable_tweaks) {

        mkdir("/Library/Frameworks/CydiaSubstrate.framework", 0755);
        symlink("/usr/lib/libsubstrate.dylib", "/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate");
        
        unlink("/usr/bin/recache");
        cp("/usr/bin/recache","/"BOOTSTRAP_PREFIX"/usr/bin/recache");
        chmod("/usr/bin/recache", 0755);
        
          if (!file_exists("/usr/lib/SBInject")) {
            rename("/"BOOTSTRAP_PREFIX"/Library/SBInject", "/usr/lib/SBInject");
            symlink("/usr/lib/SBInject","/"BOOTSTRAP_PREFIX"/Library/SBInject");
        } else {
            rv = posix_spawn(&pd, "/bootstrap/bin/rm", NULL, NULL, (char **)&(const char*[]){ "rm", "-rf", "/"BOOTSTRAP_PREFIX"/Library/SBInject", NULL }, NULL);
            waitpid(pd, NULL, 0);
            symlink("/usr/lib/SBInject","/"BOOTSTRAP_PREFIX"/Library/SBInject");
        }

<!-- 考虑建立软连接  -->

    # 先备份 cp -r /Library/MobileSubstrate/DynamicLibraries ~/
     # rm -rf /Library/MobileSubstrate/DynamicLibraries
    # ios11 代码: dylib   干脆给他建立个软连接算了        /bin/ln -s   /usr/lib/TweakInject /Library/MobileSubstrate/DynamicLibraries 
    # cp -r  ~/DynamicLibraries /Library/MobileSubstrate/DynamicLibraries

<!-- symlink("/usr/lib/libsubstrate.dylib", "/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate"); -->

            <!-- symlink("/usr/lib/SBInject","/"BOOTSTRAP_PREFIX"/Library/SBInject"); -->



  • fun_object.m

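// Turn on SBShowNonDefaultSystemApps in SpringBoard's preferences and hand the
// plist back to the "mobile" user.  Failures are logged, not raised: this runs
// late in the jailbreak flow where a missing preference is not fatal.
void update_springboard_plist(){
    NSString *plistPath = @"/var/mobile/Library/Preferences/com.apple.springboard.plist";

    // Declared mutable here; the original typed it NSDictionary, which hid the
    // fact that setValue:forKey: only worked because the object really was an
    // NSMutableDictionary.
    NSMutableDictionary *springBoardPlist = [NSMutableDictionary dictionaryWithContentsOfFile:plistPath];
    if (springBoardPlist == nil) {
        NSLog(@"update_springboard_plist: could not read %@", plistPath);
    } else {
        [springBoardPlist setValue:@YES forKey:@"SBShowNonDefaultSystemApps"];
        if (![springBoardPlist writeToFile:plistPath atomically:YES]) {
            NSLog(@"update_springboard_plist: could not write %@", plistPath);
        }
    }

    // Ownership goes to "mobile" so SpringBoard (which runs as mobile) can keep
    // updating the file.  0755 is what the original used; 0644 would be the
    // conventional mode for a plist -- TODO confirm nothing depends on the
    // execute bit before changing it.
    NSDictionary *attr = [NSDictionary dictionaryWithObjectsAndKeys:
                          [NSNumber numberWithShort:0755], NSFilePosixPermissions,
                          @"mobile", NSFileOwnerAccountName,
                          nil];
    NSError *error = nil;
    if (![[NSFileManager defaultManager] setAttributes:attr ofItemAtPath:plistPath error:&error]) {
        NSLog(@"update_springboard_plist: setAttributes failed: %@", error);
    }
}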

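// Run every entry under /etc/rc.d, then `launchctl load` every plist under
// /Library/LaunchDaemons except jailbreakd's own and sshd's.  Everything in
// those two directories is executed with this process's privileges, so their
// contents and permissions are the trust boundary for this step.
void startDaemons(){
    NSFileManager *fm = [NSFileManager defaultManager];
    NSError *error = nil;

    NSArray *files = [fm contentsOfDirectoryAtPath:@"/etc/rc.d" error:&error];
    if (files == nil) {
        // The original passed error:nil and silently ran nothing; keep the
        // best-effort behaviour but say why.
        NSLog(@"startDaemons: cannot list /etc/rc.d: %@", error);
    }
    for (NSString *fileName in files){
        NSString *fullPath = [@"/etc/rc.d" stringByAppendingPathComponent:fileName];
        run([fullPath UTF8String]);
    }

    error = nil;
    files = [fm contentsOfDirectoryAtPath:@"/Library/LaunchDaemons/" error:&error];
    if (files == nil) {
        NSLog(@"startDaemons: cannot list /Library/LaunchDaemons/: %@", error);
    }
    for (NSString *fileName in files){
        // Skipped by design in the original; presumably jailbreakd is already
        // running at this point and sshd is opt-in -- TODO confirm.
        if ([fileName isEqualToString:@"jailbreakd.plist"] ||
            [fileName isEqualToString:@"com.openssh.sshd.plist"]) {
            continue;
        }

        NSString *fullPath = [@"/Library/LaunchDaemons" stringByAppendingPathComponent:fileName];

        pid_t pd = 0;
        int rc = posix_spawn(&pd, "/bin/launchctl", NULL, NULL,
                             (char **)&(const char*[]){ "launchctl", "load", [fullPath UTF8String], NULL }, NULL);
        if (rc != 0) {
            // On failure posix_spawn leaves pd unspecified; the original still
            // called waitpid on it, i.e. on whatever value was left in the
            // variable.  Report and move on instead.
            NSLog(@"startDaemons: posix_spawn(launchctl load %@) failed: %d", fileName, rc);
            continue;
        }
        waitpid(pd, NULL, 0);
    }
}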
  • SBInject
iRoast:~ root# ls -lrt /usr/lib/SBInject
total 940
-rw-r--r-- 1 mobile staff     57 Dec 23 03:56 Anemone.plist
-rw-r--r-- 1 mobile staff     51 Jan  8 13:27 z_AnemoneIconEffects.plist
-rw-r--r-- 1 mobile staff     50 Jan  8 13:27 AnemoneUIKit.plist
-rw-r--r-- 1 mobile staff     51 Jan  8 13:27 AnemoneIcons.plist
-rw-r--r-- 1 mobile staff     57 Jan  8 13:27 AnemoneHTML.plist
-rw-r--r-- 1 mobile staff     57 Jan  8 13:27 AnemoneDock.plist
-rw-r--r-- 1 mobile staff     82 Jan  8 13:27 AnemoneCore.plist
-rw-r--r-- 1 mobile staff     51 Jan  8 13:27 AnemoneColors.plist
-rw-r--r-- 1 mobile staff     57 Jan  8 13:27 AnemoneAltIconSelector.plist
-rw-r--r-- 1 mobile staff    308 Jan 12 02:39 PreferenceLoader.plist
-rw-r--r-- 1 mobile staff  70544 Jan 12 02:39 PreferenceLoader.dylib
-rw-r--r-- 1 mobile staff     69 Jan 12 11:47 AnemoneMask.plist
-rwxr-xr-x 1 mobile staff 122688 Jan 27 15:33 Anemone.dylib
-rwxr-xr-x 1 mobile staff  70064 Jan 27 15:33 AnemoneUIKit.dylib
-rwxr-xr-x 1 mobile staff  70288 Jan 27 15:33 AnemoneCore.dylib
-rwxr-xr-x 1 mobile staff 103952 Jan 27 15:34 AnemoneColors.dylib
-rwxr-xr-x 1 mobile staff  88128 Jan 27 15:34 AnemoneDock.dylib
-rwxr-xr-x 1 mobile staff  87904 Jan 27 15:34 AnemoneIcons.dylib
-rwxr-xr-x 1 mobile staff  69456 Jan 27 15:34 z_AnemoneIconEffects.dylib
-rwxr-xr-x 1 mobile staff  67792 Jan 27 15:34 AnemoneMask.dylib
-rwxr-xr-x 1 mobile staff  70400 Jan 27 15:34 AnemoneHTML.dylib
-rwxr-xr-x 1 mobile staff  70064 Jan 27 15:34 AnemoneAltIconSelector.dylib
iRoast:~ root# ls -lrt /Library/MobileSubstrate/DynamicLibraries
lrwxr-xr-x 1 root staff 20 Mar 22 19:21 /Library/MobileSubstrate/DynamicLibraries -> /usr/lib/TweakInject
iRoast:~ root# cd /Library/MobileSubstrate/DynamicLibraries
iRoast:/Library/MobileSubstrate/DynamicLibraries root# ls -lrt /usr/lib/TweakInject

  • VC.m
// jailbreak 的执行动作
- (IBAction)doit:(id)sender {
    [jailbreak setEnabled:NO];
    [enableTweaks setEnabled:NO];
    
    [jailbreak setTitle:@"Please Wait (1/3)" forState:UIControlStateNormal];

  • Usage: “bash unjailbreak.sh”

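#!/bin/bash

# Usage: "bash unjailbreak.sh"
#
# Removes the files Electra installs and reboots the device.  Every path below
# is an absolute system path, so this has to run as root; without that each rm
# fails in turn and the device is left half-cleaned.

if [ "$(id -u)" -ne 0 ]; then
    echo "unjailbreak.sh must be run as root" >&2
    exit 1
fi

echo "About to uninstall the Electra jailbreak toolkit"
echo "Assuming you have not installed any other jailbreak or modified the rootfs directly yourself, you should be on stock iOS once this is complete"
read -p "Press enter to continue. Press Ctrl + C to exit"

# -f is added to the single-file removals so that a path that is already gone
# (for example on a second run after a partial uninstall) does not abort the
# sequence or spam errors.  Directories keep the original rm -rf.
rm -rf /Applications/Anemone.app
rm -rf /Applications/SafeMode.app
rm -f /usr/lib/SBInject.dylib
rm -rf /usr/lib/SBInject
rm -f /usr/lib/libsubstitute.0.dylib
rm -f /usr/lib/libsubstitute.dylib
rm -f /usr/lib/libsubstrate.dylib
rm -f /usr/lib/libjailbreak.dylib
rm -f /usr/bin/recache
rm -f /usr/bin/killall
# Plain (non-recursive) rm as in the original: these two are expected to be
# symlinks rather than directories -- TODO confirm.
rm -f /usr/share/terminfo
rm -f /usr/libexec/sftp-server
rm -rf /Library/Frameworks/CydiaSubstrate.framework
rm -f /Library/Themes
# uicache runs before /bootstrap is removed, as in the original.
uicache
rm -rf /bootstrap
echo "Your device has been wiped clean of all files from CoolStar's iOS 11 development kit!"
echo "Rebooting..."
# Terminating launchd (pid 1) is how the original forces the reboot.
kill 1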

test.m

一个最简单的tweak例子

  • test.dylib
// xcrun -sdk iphoneos gcc -dynamiclib -arch arm64 -framework Foundation -o test.dylib test.m
// jtool --sign --inplace test.dylib

#include <dlfcn.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <mach/mach.h>
#include <mach-o/loader.h>
#include <mach/error.h>
#include <errno.h>
#include <stdlib.h>
#include <sys/sysctl.h>
#include <dlfcn.h>
#include <sys/mman.h>
#include <spawn.h>
#include <sys/stat.h>
#include <pthread.h>
#include <xpc/xpc.h>

#import <Foundation/Foundation.h>

/* Image initializer: dyld runs this when the dylib is loaded, before main().
 * Its only job is to log, which is enough to prove that the image was mapped
 * and its constructors ran. */
__attribute__((constructor)) static void ctor(void)
{
    NSLog(@"Unsigned dylib!!");
}


  • attribute((constructor(PRIORITY))) 和 attribute((destructor(PRIORITY)))
1、PRIORITY 是指执行的优先级,main 函数执行之前会执行 constructor,main 函数执行后会执行 destructor,+load 会比 constructor 执行的更早点,因为动态链接器加载 Mach-O 文件时会先加载每个类,需要 +load 调用 之后,然后才会调用所有的 constructor 方法。


2、通过这个特性,可以做些比较好玩的事情,比如说类已经 load 完了,是不是可以在 constructor 中对想替换的类进行替换,而不用加在特定类的 +load 方法里。

异常问题

  • :~ root# cat /etc/hosts。去掉其中 apt.saurik.com 那一行(0.0.0.0 apt.saurik.com 把该域名指向空地址,apt 因此访问不到这个源)之后,就可以更新 deb 目录信息了
    <!-- http://apt.saurik.com/cydia -->
    ##
    # Host Database
    # localhost is used to configure the loopback interface
    # when the system is booting.  Do not change this entry.
    ##
    127.0.0.1    localhost
    255.255.255.255 broadcasthost
    ::1      localhost
    0.0.0.0    apt.saurik.com
    

CrashReporter

  • find . -name ‘SpringBoard*’ -ls
    12598152   92 -rw-rw-rw-   1 mobile   mobile      94165 Mar 12 16:25 ./private/var/mobile/Library/Logs/CrashReporter/SpringBoard-2018-03-12-162524.ips
    
  • /private/var/mobile/Library/Logs/CrashReporter
    -rw-rw-rw- 1 mobile mobile 373035 Mar 12 16:09 panic-2018-03-12-160904.ips
    -rw-rw-rw- 1 mobile mobile  93633 Mar 12 16:17 SpringBoard-2018-03-12-161753.ips
    -rw-rw-rw- 1 mobile mobile  94099 Mar 12 16:18 SpringBoard-2018-03-12-161853.ips
    -rw-rw-rw- 1 mobile mobile  93633 Mar 12 16:20 SpringBoard-2018-03-12-162025.ips
    -rw-rw-rw- 1 mobile mobile  94015 Mar 12 16:21 SpringBoard-2018-03-12-162151.ips
    -rw-rw-rw- 1 mobile mobile  94165 Mar 12 16:25 SpringBoard-2018-03-12-162524.ips
    

see also

devzkndeMacBook-Pro:knjailbreaktest devzkn$ echo "#include <stdio.h>
> int main()
> {
>     printf("Hello, world!\n");
-bash: !\n": event not found
>     return 0;
> }" > helloworld.c
devzkndeMacBook-Pro:knjailbreaktest devzkn$ cat helloworld.c
#include <stdio.h>
/* Minimal program.  The printf("Hello, world!\n") line typed into the echo
 * above never reached this file: bash history expansion rejected the "!"
 * ("event not found"), so what got written is an empty main(). */
int main(void)
{
    return 0;
}

<!-- 2、build:devzkndeMacBook-Pro:knjailbreaktest devzkn$ clang -arch arm64 -mios-version-min=10.2 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/ -o helloworld helloworld.c -->

<!-- 3、sign with jtool http://newosxbook.com/tools/jtool.html -->
devzkndeMacBook-Pro:knjailbreaktest devzkn$  ARCH=arm64 jtool --sign --ent ent.xml helloworld

<!-- 4、If this binary is not signed with platform-application entitlement, it will get a ‘Killed’ if it’s under /bin/ -->

<!-- 5、More -->
I wrote a cli based memory editor, which requires more than a hello world.

<!-- 6、patch_setuid() https://github.com/coolstar/electra/blob/master/docs/getting-started.md-->
<!-- Major changes in electra -->
1)Substitute is used as the hooking framework instead of substrate
Please report issues at the electra issues page and we'll look into them
2)setuid(0); does not work out of the box (see below for how to use jailbreakd to patch setuid)
3)platform-application WILL NOT platformize your binary out of the box on electra

<!-- jailbreakd -->
/usr/lib/libjailbreak.dylib. All patches here will require dlopen()-ing the dylib, finding the appropriate symbol, and calling the respective function.

<!-- Setting uid 0  Here is sample code to patch setuid() with electra.
  https://github.com/ElectraJailbreak/cydia/blob/master/cydo.cpp#L44-->

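 void patch_setuid() {
    // Ask libjailbreak to fix up setuid for this process.  Fails silently, as
    // the original does: on stock iOS the library is absent and dlopen()
    // returns NULL.
    void* handle = dlopen("/usr/lib/libjailbreak.dylib", RTLD_LAZY);
    if (!handle)
        return;

    // Clear any stale error so the dlerror() check below reflects only this dlsym().
    dlerror();
    typedef void (*fix_setuid_prt_t)(pid_t pid);
    fix_setuid_prt_t ptr = (fix_setuid_prt_t)dlsym(handle, "jb_oneshot_fix_setuid_now");

    const char *dlsym_error = dlerror();
    if (dlsym_error || !ptr) {
        // The original returned here without releasing the handle; drop it so
        // a failed lookup does not keep the image mapped.
        dlclose(handle);
        return;
    }

    ptr(getpid());
    // The handle is deliberately left open after a successful call, as in the
    // original (cydo.cpp).  Whether libjailbreak may be unloaded afterwards is
    // not established here -- TODO confirm before adding a dlclose().
}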

<!-- 这个守护进程提权的问题,cool start 的源码是这么用的:https://github.com/ElectraJailbreak/cydia/blob/master/cydo.cpp#L44 -->


For Anemone, make sure to get RocketBootstrap from https://rpetri.ch/repo/


并行是指两个或者多个事件在同一时刻发生;而并发是指两个或多个事件在同一时间间隔内发生
<!-- 1、应用程序使用以下三种形式调用提交到主队列的block -->
dispatch_main
UIApplicationMain(iOS)
在主队列中使用 CFRunLoopRef
获取主队列的方式:dispatch_get_main_queue()
