
I am developing an app targeted at jailbroken iOS devices. It is to assist in automating some tasks. I need to create a simple text file (actually a .lua file) in /private/var/mobile/Library. Obviously, the debugger throws an access denied exception. The app is named 'CreateFile' for now for the purposes of testing.

I have attempted the following steps to gain root access:

  1. Build the app normally.
  2. Create a copy of the executable file in the app bundle.
  3. Open the original executable file and replace its content with this script:

    #!/bin/bash
    dir=$(dirname "$0")
    exec "${dir}"/CreateFile "$@"

     Directly launching a root app fails on iOS. Therefore we replace the app's main executable with a script that launches the root executable.

  4. In terminal, navigate to the app bundle.
  5. chmod 0775 the original executable file and chmod 6775 the copied executable file.
  6. Copy the app bundle to /Applications on the device. Restart SpringBoard and you should be good to go. If the app doesn't launch then repeat steps 5 & 6 on the device.

Using this method I can successfully install the app to the /Applications folder and get it to launch. However, I expect that I still do not have root permissions, because as soon as the app tries the write operation it crashes.

If anyone can shed some light on this situation I would be very grateful!

Edit:

Did some additional testing at @creker's advice. When I try to create a file in an allowed directory like the app's documents, it creates just fine with no issues. Because of this, I am certain that the file creation is not causing the crash and that it is solely the inaccessible folder path.

Also at @creker's advice I tried installing the app to /Applications without any launch scripts. The app crashes upon open this way. If I chmod the application executable to 775 after installation, the app will open but still crashes when trying to create the file.

I looked into the syslog from crash reporter. Here is the crash line:

System.UnauthorizedAccessException: Access to the path "/private/var/mobile/Library/test.txt" is denied

Still hoping to remedy the issue, any ideas are welcome!

  • You don't need root permissions to create a file in `/var/mobile/Library`. `/var/mobile` is a home directory for the `mobile` user. Unless you're limited by the sandbox rules, that directory is fully accessible. – creker Aug 24 '16 at 23:22
  • Then I must be limited by sandbox rules as I get an access denied violation when I attempt to write to that directory. Are the steps to getting around that any different? – Kikootwo Aug 24 '16 at 23:41
  • 1
    No, you just need to be in `/Applications` directory. You don't even need a launch script. Maybe your app crashes for a different reason. – creker Aug 25 '16 at 12:58
  • Hmm, I will try taking out the launch script and doing some more testing to see if maybe something else is crashing the app. – Kikootwo Aug 25 '16 at 15:33
  • Did some additional testing, @creker. Any new thoughts? – Kikootwo Aug 26 '16 at 01:59
  • Which iOS version are you testing this on? – creker Aug 26 '16 at 22:24
  • The jailbroken device is on iOS 9.0.2 but the app build is targeted at 8.0+ – Kikootwo Aug 27 '16 at 02:47
  • When you ssh the device with user `mobile`, can you create the file in that location? – thedp Dec 22 '16 at 15:20
  • I believe what you're looking for has been answered both here: https://stackoverflow.com/a/15968998/209855 and here: http://blog.ib-soft.net/2013/01/ios-run-application-with-root-privileges.html Also, take a look at Cydia and iFile's launch scripts for examples. – Aaron Ash Oct 05 '17 at 03:56

1 Answer


Getting root access on iOS is increasingly hard as security measures go up, even with a jailbreak. The root account is getting fewer privileges with each release, but it's still possible to use this account. You can do this by making sure your app binary is owned by root:wheel, and then has the SETUID bit set.

    chown root:wheel app_binary
    chmod +s app_binary

and then in your app add the following to take advantage of it:

    #import <UIKit/UIKit.h>
    #import <unistd.h>
    #import "MyAppDelegate.h"   // header of your own app delegate class

    int main(int argc, char *argv[])
    {
        @autoreleasepool
        {
            // Set uid and gid; only succeeds when the binary is root:wheel with the SETUID bit
            if (!(setuid(0) == 0 && setgid(0) == 0))
            {
                NSLog(@"Failed to gain root privileges, aborting...");
                exit(EXIT_FAILURE);
            }

            // Launch app
            return UIApplicationMain(argc, argv, nil, NSStringFromClass([MyAppDelegate class]));
            /* you'll need to modify this return line to match your app */
        }
    }

You will also need a launch script to make use of this in iOS above version 6:

    #!/bin/bash
    myAppPath=$(dirname "$0")
    exec "$myAppPath"/myApp_ "$@"
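As an added diagnostic example (not code from the question, the answer or any project), the two checks behind the answer's recipe in C, since the calls that matter are the POSIX setuid/stat ones the Objective-C main() uses: `classify_privs()`, `try_gain_root()` and `binary_setuid_status()` are hypothetical names, and `binary_setuid_status()` would be pointed at the copied executable the launch script exec's. Assumes a POSIX host; on the device, `try_gain_root()` would run at the top of main() before UIApplicationMain.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names; added diagnostic, not the answer's code. */
enum priv_status {
    PRIV_ALREADY_ROOT,      /* ruid and euid were already 0 */
    PRIV_ROOT_VIA_SETUID,   /* euid 0 from the SETUID bit, setuid(0) succeeded */
    PRIV_NO_EFFECTIVE_ROOT, /* euid != 0: bit missing, not root-owned, or nosuid mount */
    PRIV_SETUID_FAILED      /* euid was 0 but setuid(0)/setgid(0) still failed */
};
enum bin_status { BIN_STAT_FAILED, BIN_NO_SETUID_BIT, BIN_NOT_ROOT_OWNED, BIN_OK };

/* Pure classification of a credential snapshot plus the setuid/setgid result,
 * kept apart from the live syscalls so it can be reasoned about and tested. */
enum priv_status classify_privs(uid_t ruid, uid_t euid, int rc)
{
    if (euid != 0) return PRIV_NO_EFFECTIVE_ROOT; /* setuid(0) gives EPERM here */
    if (rc != 0)   return PRIV_SETUID_FAILED;
    return ruid == 0 ? PRIV_ALREADY_ROOT : PRIV_ROOT_VIA_SETUID;
}

/* Live check: the answer's setuid(0)/setgid(0) sequence, but with the
 * credentials captured first so a failure can be explained on stderr. */
enum priv_status try_gain_root(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    int rc = (setuid(0) == 0 && setgid(0) == 0) ? 0 : -1;
    int err = errno;
    enum priv_status s = classify_privs(ruid, euid, rc);
    if (s == PRIV_NO_EFFECTIVE_ROOT)
        fprintf(stderr, "euid=%u: SETUID bit not in effect (owner, mode or mount)\n", (unsigned)euid);
    else if (s == PRIV_SETUID_FAILED)
        fprintf(stderr, "setuid/setgid failed: %s\n", strerror(err));
    return s;
}

/* Static check of the binary: the two conditions the answer sets with
 * chown root:wheel and chmod +s. */
enum bin_status binary_setuid_status(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)    return BIN_STAT_FAILED;
    if (!(st.st_mode & S_ISUID)) return BIN_NO_SETUID_BIT;
    if (st.st_uid != 0)          return BIN_NOT_ROOT_OWNED;
    return BIN_OK;
}
```

Run as the `mobile` user with the bundle installed under /Applications, a `BIN_NO_SETUID_BIT` or `BIN_NOT_ROOT_OWNED` result points at the chown/chmod step, while `PRIV_NO_EFFECTIVE_ROOT` with `BIN_OK` means the script is not actually exec'ing the setuid copy.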