
I finally jailbroke my first device, and I want to try and run an app, built in Xcode, as root.

I tried running setuid(0) on my main.c as the first thing I do and it fails.

Also tried to run the following solution: Gaining root permissions on iOS for NSFileManager (Jailbreak)

The problem is, I can only do this manually after the app is already installed via Xcode. In addition, I was unable, even manually, to successfully run the app this way, as it crashes on launch.

Does anyone have any idea how to progress from here?

iOS Version: 11.4.1

Unc0ver version: 3.3.0

Thank you in advance!

YanivH

2 Answers


Unc0ver jailbreak exports the necessary offsets to get yourself tfp0 (task_for_pid(0)) or the kernel task port. Using those, you can then patch your own credentials in the kernel memory. Let me give you an example.

Unc0ver Jailbreak stores the offsets including the kernel task port in a file at this path: /var/offsets.plist. Make sure you toggle the "Export TFP0" in Unc0ver settings before jailbreaking.

Once jailbroken, parse the offsets file, each in its own variable. For the tfp0 variable, you need to make it a task_port_t type. The kernel_slide and kernel_base are default uint64_t.

Once you have parsed them from the plist, you need to do the following to get the valid tfp0 from HSP4 (Host Special Port #4), which Unc0ver sets for you so that you can get tfp0 and elevate your own privileges.

Here's some sample code for that:

#include <mach/mach.h>                 /* host_get_special_port, MACH_PORT_NULL, mach_error_string */
task_port_t tfp0 = MACH_PORT_NULL;     /* `null` is not a C identifier; MACH_PORT_NULL is the empty port */
kern_return_t ret = host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &tfp0);
if (ret != KERN_SUCCESS || !MACH_PORT_VALID(tfp0))   /* fails when "Export TFP0" was not toggled */
    printf("HSP4 lookup failed: %s\n", mach_error_string(ret));
printf("Task FOR PID: 0x%x\n", tfp0);

This will basically get you the real kernel task port. At this point, you can follow GeoSn0w's guide on how to elevate your own privileges to root, and how to escape the sandbox. The guide and the patches are available on his Jailbreak Development forum, but I will add them here just in case.

To get root privileges, according to GeoSn0w:

uint64_t selfProc = findOurselves();                     // kernel address of our own struct proc
uint64_t creds = kernel_read64(selfProc + off_p_ucred);  // proc->p_ucred (the credential struct)

// GID: patch the proc fields and the ucred fields to 0 (wheel)
kernel_write32(selfProc + off_p_gid, 0);
kernel_write32(selfProc + off_p_rgid, 0);
kernel_write32(creds + off_ucred_cr_rgid, 0);
kernel_write32(creds + off_ucred_cr_svgid, 0);
printf("[i] STILL HERE!!!!\n");

// UID: re-read p_ucred in case it was reallocated, then patch to 0 (root)
creds = kernel_read64(selfProc + off_p_ucred);
kernel_write32(selfProc + off_p_uid, 0);
kernel_write32(selfProc + off_p_ruid, 0);
kernel_write32(creds + off_ucred_cr_uid, 0);
kernel_write32(creds + off_ucred_cr_ruid, 0);
kernel_write32(creds + off_ucred_cr_svuid, 0);
printf("[i] Set UID = 0\n");

The kernel_write32, kernel_write64, kernel_read32, and kernel_read64 are primitives found in Google Project Zero exploits usually. You will need to import them into your program so that you can call them. They can be found on GitHub, but they are merely wrappers over the system functions such as mach_vm_read_overwrite(...), and mach_vm_write(...).

That's all. At that point, you should have escalated your privileges to root. Of course, you need to re-implement a lot of jailbreak functions such as the aforementioned kernel read and write primitives, you need the Unc0ver offsets, and you also need an offset table for things such as off_ucred_cr_ruid, off_p_gid, etc., which change from iOS version to iOS version.

It's easier to just make a tweak and have it installed by Cydia. Cydia Substrate would rootify it for you.

iBreakiOS
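As an added example (not code from either answer or from Unc0ver), here is the "parse the offsets file, each in its own variable" step from the answer above, with the sanity checks a practitioner wants before any of those kernel_write32 calls run: a stale or mismatched offset means zeros get written to the wrong kernel memory and the device panics. The plist key names and every offset value are assumptions constructed for this example, not the keys or values Unc0ver actually writes.

```python
import plistlib

# Unslid arm64 kernel base used by most public jailbreak code (assumption);
# the per-boot KASLR slide reported by the jailbreak is added to it.
KERNEL_STATIC_BASE = 0xFFFFFFF007004000

# Assumed key names; check them against the /var/offsets.plist your build writes.
REQUIRED_KEYS = ("KernelBase", "KernelSlide", "off_p_ucred", "off_p_uid",
                 "off_p_ruid", "off_ucred_cr_uid", "off_ucred_cr_ruid",
                 "off_ucred_cr_svuid")

# Constructed sample standing in for /var/offsets.plist (values are made up).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>KernelBase</key><string>0xfffffff01c804000</string>
<key>KernelSlide</key><string>0x15800000</string>
<key>off_p_ucred</key><string>0xf8</string>
<key>off_p_uid</key><integer>48</integer>
<key>off_p_ruid</key><string>0x34</string>
<key>off_ucred_cr_uid</key><string>0x18</string>
<key>off_ucred_cr_ruid</key><string>0x1c</string>
<key>off_ucred_cr_svuid</key><string>0x20</string>
</dict></plist>
"""


def _to_int(value):
    """Accept <integer> values or hex/decimal <string> values such as '0xf8'."""
    if isinstance(value, int):
        return value
    if isinstance(value, str):
        return int(value, 0)
    raise ValueError(f"unsupported offset encoding: {value!r}")


def load_offsets(plist_bytes):
    """Parse the offsets plist into ints and refuse anything inconsistent."""
    raw = plistlib.loads(plist_bytes)
    missing = [k for k in REQUIRED_KEYS if k not in raw]
    if missing:
        raise ValueError(f"offsets file is missing keys: {missing}")
    offs = {k: _to_int(raw[k]) for k in REQUIRED_KEYS}
    # Slid base must equal static base + slide; otherwise the file is stale
    # (the slide changes every boot) or came from another device/build.
    if offs["KernelBase"] != KERNEL_STATIC_BASE + offs["KernelSlide"]:
        raise ValueError("KernelBase != KERNEL_STATIC_BASE + KernelSlide")
    # Struct field offsets are small and naturally aligned: p_ucred is a
    # pointer (8 bytes), the uid fields are 32-bit.
    for key in REQUIRED_KEYS[2:]:
        align = 8 if key.endswith("ucred") else 4
        if not 0 < offs[key] < 0x1000 or offs[key] % align:
            raise ValueError(f"{key}=0x{offs[key]:x} is not a plausible offset")
    return offs


def is_consistent(plist_bytes):
    """True when load_offsets() accepts the file, False when it rejects it."""
    try:
        load_offsets(plist_bytes)
        return True
    except ValueError:
        return False
```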

You need to create a file inside your application bundle called e.g. bootstrap with the following content:

#!/bin/bash
myAppPath=$(dirname "$0")
exec "$myAppPath"/MyAppBinary "$@"

... where MyAppBinary is your app's binary name.

Then inside main.m before the UIApplicationMain call add:

// Set uid and gid
if (!(setuid(0) == 0 && setgid(0) == 0))
{
    NSLog(@"Failed to gain root privileges, aborting...");
    exit(EXIT_FAILURE);
}

Set your application's startup file to bootstrap instead of your binary name, and finally, upon installation either in your deb file's postinst or manually from a root ssh session, set the suid flag on both bootstrap and your binary, and set owner to root:

chown root:wheel /Applications/MyApp.app/bootstrap
chmod 6755 /Applications/MyApp.app/bootstrap
chown root:wheel /Applications/MyApp.app/MyAppBinary
chmod 755 /Applications/MyApp.app/MyAppBinary
uicache

From thereon your application should run as root, though it's not going to be as simple to update it as just a rebuild in Xcode :-)

akasaka