[Question] Can you inject the Project 0 Exploit through a created daemon?
#1
Hey Geosn0w,
First off, apologies for my stupidity in my previous post, I was uneducated about the inner workings of iOS.

Anyways, after doing a bit more research I decided to study the inner workings of the Project 0 Exploit.

Now, I didn't jailbreak iOS 10.1.1, so my understanding might be wrong, but is it true to say that the Project 0 Exploit was the mach_portal application?

So basically my idea is that the Project 0 Exploit is compiled in a similar fashion, then launched at boot by creating a daemon with the RunAtLoad Boolean. On top of this, processes that try to prevent the daemon from running will need to be written out with other keys. Obviously, this will need a jailbreak already installed haha :P

Is this possible for iOS 10.2? And if not, can you please explain why?

- Peachy
#2
This is not possible due to the way iOS security works in the first place. Even if you do have a Jailbreak, if it is semi-tethered like Yalu / Project 0 is, you need to re-apply it after every reboot. During this "application" phase, the Kernel gets patched (KPP, AMFI, tfp0 for VM_WRITE and VM_READ, etc). When you restart the device, unless you open the app and patch the kernel again, the kernel will be the stock untouched one (either way it won't boot on a tethered Jailbreak).

Being the stock kernel means that AMFI (Apple Mobile File Integrity), KPP (Kernel Patch Protection) and various other stuff like cs_enforcement (Code Sign) are working freely, which prevents your unsigned daemon from loading whatever you specified. Also, launchd (launch daemon), which is the head of any other daemon that runs on iOS, was patched to no longer parse and run any daemon from the Plist at boot time, which means you will need to Jailbreak to run the said daemon, which is exactly what you don't have after reboot.

This is the main reason this Jailbreak is semi-tethered. Hope I was clear.
Anyways, if you like iOS hacking, let me introduce you to my Reverse Engineering playlist: https://www.youtube.com/playlist?list=PL...9QK9v5sRk9
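The mechanism both posts are talking about is a launchd job plist whose RunAtLoad (or KeepAlive) key asks launchd to start the job at boot. As an added example that is not from either poster, the script below parses such a plist and reports the keys that make a job auto-start, which is the check a defender runs when triaging LaunchDaemons on a device. The plist, its Label and its program path are constructed for the example; the script only reads the file and says nothing about whether the job would actually load, which, as the reply above explains, it will not on a stock iOS kernel because AMFI and code signing reject the unsigned binary and launchd was patched not to load it.

```python
import plistlib

# Constructed sample of a launchd job plist with RunAtLoad set, i.e. the kind of
# daemon the question describes. The Label and program path are invented.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.persist</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/example_payload</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
"""

# Keys that make launchd start a job without any user action.
AUTOSTART_KEYS = (
    "RunAtLoad",
    "KeepAlive",
    "StartInterval",
    "StartCalendarInterval",
    "WatchPaths",
)


def audit_launchd_plist(data: bytes) -> dict:
    """Parse one launchd job plist and summarise how and as whom it starts.

    Returns a plain dict so a caller can run it over every plist in
    /Library/LaunchDaemons and sort the results by the 'autostart' flag.
    """
    job = plistlib.loads(data)
    # launchd accepts either Program or ProgramArguments; argv[0] is the binary.
    program = job.get("Program")
    args = job.get("ProgramArguments") or []
    if program is None and args:
        program = args[0]
    triggers = {key: job[key] for key in AUTOSTART_KEYS if key in job}
    return {
        "label": job.get("Label"),
        "program": program,
        "autostart": bool(triggers),
        "triggers": triggers,
        # Jobs in LaunchDaemons run as root unless UserName says otherwise.
        "run_as_root": job.get("UserName", "root") == "root",
    }


if __name__ == "__main__":
    print(audit_launchd_plist(SAMPLE_PLIST))
```

To triage a real device, read each plist from the LaunchDaemons directory as bytes and pass it to audit_launchd_plist; entries with autostart set and a program outside the stock system paths are the ones worth a closer look.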
#3
Okay thanks :) I understand now
#4
Wait so I'm guessing you can't patch launchd then?
#5
Okay before I start reverse engineering, do you mind answering these questions I have?

1. Do you have a log of how the Yalu jailbreak is removed upon reboot?
2. Is there a program for printing the logs of the processes during reboot? (Separate from 1st question)
3. Is there an iphonewiki page describing the functions of tasks during reboot?
4. Can I find the logs from questions 1 & 2 for previous untetherable firmwares? And if so, then how/where?

I really appreciate the time you're putting into answering my questions, and everyone else's on this forum. I really don't know how you feel like this, but I'm only asking this because I feel like I can contribute to the jailbreak community. Hope you understand :P