Time to go untether

Makefile

@@ -71,6 +71,8 @@ $(APP)/jailbreak-resources.deb:
 
 # TODO: Make more accurate prerequisites
 
+$(SRC_CLI)/control:
+$(SRC_CLI)/postinst:
 $(SRC_CLI)/jboffsets.h:
 $(SRC_CLI)/compile_stage2.sh:
 $(SRC_CLI)/compile_stage3.sh:
@@ -87,9 +89,9 @@ $(SRC_CLI)/install.m: $(SRC_CLI)/jboffsets.h $(SRC_CLI)/generated/stage2_hash3.h
 $(SRC_CLI)/stage2.m: $(SRC_ALL)/*.c $(SRC_CLI)/install.m $(SRC_CLI)/stage1.m $(SRC_CLI)/generated/stage2_hash3.h $(SRC_CLI)/generated/stage2_hash4.h $(SRC_CLI)/stage2.entitlements $(SRC_CLI)/compile_stage2.sh
 	bash $(SRC_CLI)/compile_stage2.sh
 
-$(PAYLOAD): $(UNTETHER_SRC) $(SRC_ALL)/*.m $(SRC_ALL)/*.c $(SRC_CLI)/*.sh $(SRC_CLI)/generated/stage2_hash3.h $(SRC_CLI)/generated/stage2_hash4.h $(SRC_CLI)/stage2.m
+$(PAYLOAD): $(UNTETHER_SRC) $(SRC_ALL)/*.m $(SRC_ALL)/*.c $(SRC_CLI)/*.sh $(SRC_CLI)/generated/stage2_hash3.h $(SRC_CLI)/generated/stage2_hash4.h $(SRC_CLI)/stage2.m $(SRC_CLI)/control $(SRC_CLI)/postinst
 	rm -rf -- $(SRC_CLI)/generated/package && rm -f $(SRC_CLI)/generated/*.deb
-	mkdir -p $(SRC_CLI)/generated/package/DEBIAN && cp $(SRC_CLI)/control $(SRC_CLI)/generated/package/DEBIAN/control
+	mkdir -p $(SRC_CLI)/generated/package/DEBIAN && cp $(SRC_CLI)/control $(SRC_CLI)/generated/package/DEBIAN/control && cp $(SRC_CLI)/postinst $(SRC_CLI)/generated/package/DEBIAN/postinst
 	mkdir -p $(SRC_CLI)/generated/package/private/etc/racoon && cp $(SRC_CLI)/generated/install_stage1_2 $(SRC_CLI)/generated/package/private/etc/racoon/install_stage1_2
 	mkdir -p $(SRC_CLI)/generated/package/usr/sbin && cp $(SRC_CLI)/generated/racoon.dylib $(SRC_CLI)/generated/package/usr/sbin/racoon.dylib
 	mkdir -p $(SRC_CLI)/generated/package/mystuff && cp $(SRC_CLI)/generated/stage4 $(SRC_CLI)/generated/package/mystuff/stage4

README.md

@@ -138,7 +138,7 @@ If you have an issue upgrading essential packages, run `apt --fix-broken install
 
 To install the untether payload (these files are located in ./src/untether/generated):
 1. Install the DEB file (use `make payload` if you can't find it) or manually copy the stage 1-2 install script to `/private/etc/racoon/install_stage1_2`, stage 3 to `/usr/sbin/racoon.dylib`, and stage 4 to `/mystuff/stage4`.
-2. Type `/private/etc/racoon/install_stage1_2` in a terminal or SSH connection. This will create the folder `/var/run/racoon` if it does not yet exist.
+2. If installing manually, type `/private/etc/racoon/install_stage1_2` in a terminal or SSH connection. This will create the folder `/var/run/racoon` if it does not yet exist.
 There will be a lot of output. If successful, the end looks something like:
 ```
 0x1f0214e60: 0x00000000 (NOP)
@@ -148,8 +148,42 @@ There will be a lot of output. If successful, the end looks something like:
 2024-05-11 05:47:33.135 install_stage1_2[4321:134320] Chain will be at: 1afe90d30
 2024-05-11 05:47:33.141 install_stage1_2[4321:134320] 4610 iterations
 ```
+
+If you're running the DEB in Zebra, the last two lines might be replaced with "Finished!".
+
 3. Then execute racoon (the real one in PATH, should be `/usr/sbin/racoon`) till it doesn't kernel panic anymore to make sure you got the right offsets.
 If you get a segfault, and the crash report shows the beast gadget offset listed in your output, you likely need to set `STAGE1FD_SCREAM_TEST` to find the right stage 1 fd in the crash log.
+If successful, the end looks something like:
+
+```
+2024-05-16 00:52:58.174 stage4[597:8713] [jailbreak] generator is set to: 0x1111111111111111
+2024-05-16 00:52:58.174 stage4[597:8713] [jailbreak] task_info ret: 0 ((os/kern) successful)
+2024-05-16 00:52:58.175 stage4[597:8713] [jailbreak] all_image_info_addr: fffffff00f404000
+2024-05-16 00:52:58.175 stage4[597:8713] [jailbreak] all_image_info_size: 8400000
+2024-05-16 00:52:58.176 stage4[597:8713] [jailbreak] bundle path: /mystuff
+2024-05-16 00:52:58.176 stage4[597:8713] [jailbreak] JBOPT_POST_ONLY mode and bootstrap is present, all is well
+2024-05-16 00:52:58.176 stage4[597:8713] [jailbreak] JBOPT_POST_ONLY mode and unrestrict is present, all is well
+2024-05-16 00:52:58.181 stage4[597:8713] [jailbreak] wrote offsets.plist
+```
+
+If you provide a control-C signal, it will either kernel panic or you might respring and receive more output ending in something like:
+
+```
+2024-05-16 01:06:53.425 stage4[597:8713] [jailbreak] finished post exploitation
+2024-05-16 01:06:53.425 stage4[597:8713] [jailbreak] unloading prdaily...
+2024-05-16 01:06:53.436 stage4[597:8713] [sighandler] Stage 4 received signal: 20
+2024-05-16 01:06:53.436 stage4[597:8713] [execprog] contents of /tmp/exec_logs/1715789213:
+2024-05-16 01:06:53.437 stage4[597:8713] [jailbreak] prdaily unloaded
+
+iPhone:~ root# 2024-05-16 01:07:18.920 stage4[597:8713] [sighandler] Stage 4 received signal: 20
+2024-05-16 01:07:18.920 stage4[597:8713] [execprog] contents of /tmp/exec_logs/1715789213:
+2024-05-16 01:07:19.061 stage4[597:8713] [jailbreak] Restoring to mobile and exiting.
+2024-05-16 01:07:19.062 stage4[597:8713] [restore_to_mobile] got ourproc at ffffffe0016cd860
+2024-05-16 01:07:19.062 stage4[597:8713] [restore_to_mobile] our uid is now 501
+```
+
+Another control-C after this will restore control of the SSH connection.
+
 4. Then also set the nvram variable boot-args to "`__developer_mode_enabled`" and check if the system keeps running stable even with racoon (this is the killswitch).
 5. If you did you can then go for the real untether by replacing one of the launch daemons and unsetting the killswitch to run the untether on the next boot.
 

generated

@@ -0,0 +1 @@
+src/untether/generated

src/app/CreditsVC.m

@@ -33,21 +33,21 @@ - (void)loadView
 
     creditLabel = [UILabel new];
     creditLabel.translatesAutoresizingMaskIntoConstraints = NO;
-    creditLabel.numberOfLines = 7;
+    creditLabel.numberOfLines = 0;
     creditLabel.text = @"\
 - JakeBlair420 team for the actual jailbreak\n\
-- Apple for XNU source and leaving CVE-2020-3840 in iOS for years (since iPhoneOS 1.0 if you believe the NVD entry for CVE-2012-3727)\n\
+- Apple for XNU source and patching CVE-2012-3727 wrong\n\
 - National Security Agency for Ghidra\n\
-- planetbeing et al. for xpwntool to decompress the iOS 10 kernel cache\n\
-- PrimePlatypus, LukeZGD, cxdxn1 for explaining that xpwntool exists and how to use it\n\
-- blacktop for the ipsw tool to decompress the iOS 11 kernel cache\n\
+- planetbeing et al. for xpwntool\n\
+- PrimePlatypus, LukeZGD, cxdxn1 for assistance\n\
+- blacktop for the ipsw tool\n\
 - Jonathan Levin for jtool";
     [creditLabel setBackgroundColor:[UIColor colorWithRed:1.00 green:0.00 blue:0.00 alpha:0.0]];
     creditLabel.font = [UIFont systemFontOfSize:14];
 
     [self.view addSubview:creditLabel];
     [self.view addConstraint:[NSLayoutConstraint constraintWithItem:creditLabel attribute:NSLayoutAttributeCenterX relatedBy:NSLayoutRelationEqual toItem:self.view attribute:NSLayoutAttributeCenterX multiplier:1.0 constant:0.0]];
-    [self.view addConstraint:[NSLayoutConstraint constraintWithItem:creditLabel attribute:NSLayoutAttributeCenterY relatedBy:NSLayoutRelationEqual toItem:self.view attribute:NSLayoutAttributeCenterY multiplier:1.7 constant:0.0]];
+    [self.view addConstraint:[NSLayoutConstraint constraintWithItem:creditLabel attribute:NSLayoutAttributeCenterY relatedBy:NSLayoutRelationEqual toItem:self.view attribute:NSLayoutAttributeCenterY multiplier:1.0 constant:0.0]];
 }
 
 @end

src/app/MainVC.h

@@ -2,6 +2,10 @@
 
 @interface MainVC : UIViewController
 
+@property (nonatomic, strong) UITextView *textView;
+
+- (void)showLog:(NSString *)log;
+
 - (id)init;
 
 - (void)actionJailbreak;

src/app/MainVC.m

@@ -7,18 +7,40 @@
 
 #import "MainVC.h"
 
+void sendLog(void* controller, NSString* log) {
+	[(MainVC*)controller showLog:log];
+}
+
 @implementation MainVC
 
 UIButton *jbButton;
-UILabel *titleLabel;
+UILabel *spiceLabel, *titleLabel;
 bool hasJailbroken = false;
 
+-(void)showLog:(NSString *)log
+{
+	NSLog(@"Entered MainVC log function to log: \"%@\"", log);
+    if (![NSThread isMainThread]) {
+        dispatch_async(dispatch_get_main_queue(), ^{
+            [self showLog:log];
+        });
+        return;
+    }
+    NSLog(@"Entered on main thread to log: \"%@\"", log);
+
+    self.textView.text = [self.textView.text stringByAppendingString:[NSString stringWithFormat:@"> %@\n", log]];
+    [UIView performWithoutAnimation:^{
+        [self.textView scrollRangeToVisible:NSMakeRange(self.textView.text.length, 0)];
+    }];
+}
+
 - (id)init
 {
     LOG("pullup");
 
     id ret = [super initWithNibName:nil bundle:nil];
     self.tabBarItem = [[UITabBarItem alloc] initWithTitle:@"Jailbreak" image:nil tag:1];
+    self.textView = [[UITextView alloc] init];	
     return ret;
 }
 
@@ -45,15 +67,54 @@ - (void)loadView
     jbButton.titleLabel.font = [UIFont systemFontOfSize:30];
     [jbButton addTarget:self action:@selector(actionJailbreak) forControlEvents:UIControlEventTouchUpInside];
 
+    spiceLabel = [UILabel new];
+    spiceLabel.translatesAutoresizingMaskIntoConstraints = NO;
+    spiceLabel.text = @"Spice";
+    spiceLabel.textColor = [UIColor colorWithRed:110.0/255.0 green:59.0/255.0 blue:38.0/255.0 alpha:1.0];
+    [spiceLabel setBackgroundColor:[UIColor colorWithRed:1.00 green:0.00 blue:0.00 alpha:0.0]];
+    spiceLabel.font = [UIFont systemFontOfSize:24];
+
     titleLabel = [UILabel new];
     titleLabel.translatesAutoresizingMaskIntoConstraints = NO;
     titleLabel.text = @"First untether-upgradable iOS 11 jailbreak";
     [titleLabel setBackgroundColor:[UIColor colorWithRed:1.00 green:0.00 blue:0.00 alpha:0.0]];
     titleLabel.font = [UIFont systemFontOfSize:14];
+
+    self.textView.translatesAutoresizingMaskIntoConstraints = NO;
+	self.textView.backgroundColor = [UIColor colorWithWhite:0.0 alpha:0.7];
+	self.textView.textColor = [UIColor whiteColor];
+
+#if N41_10_3_4
+	self.textView.text = @"[*] Compiled for N41AP on iOS 10.3.4\n";
+#elif N69_11_3
+	self.textView.text = @"[*] Compiled for N69AP on iOS 11.3\n";
+#elif N69_11_4
+	self.textView.text = @"[*] Compiled for N69AP on iOS 11.4\n";
+#elif N71_11_3_1
+	self.textView.text = @"[*] Compiled for N71AP on iOS 11.3.1\n";
+#elif J96_11_1_2
+	self.textView.text = @"[*] Compiled for J96AP on iOS 11.1.2\n";
+#elif J96_11_3_1
+	self.textView.text = @"[*] Compiled for J96AP on iOS 11.3.1\n";
+#else
+	self.textView.text = @"[*] Compiled for unknown device\n";
+#endif
+
+	self.textView.editable = NO;
+	self.textView.scrollEnabled = YES;
+	self.textView.textContainerInset = UIEdgeInsetsMake(0, 15, 15, 15);
+	self.textView.font = [UIFont fontWithName:@"Courier" size:12.0f];
+	self.textView.frame = CGRectMake(50, 150, 300, 150);
+	self.textView.center = self.view.center;
+	[self.view addSubview:self.textView];
 
     [self.view addSubview:jbButton];
     [self.view addConstraint:[NSLayoutConstraint constraintWithItem:jbButton attribute:NSLayoutAttributeCenterX relatedBy:NSLayoutRelationEqual toItem:self.view attribute:NSLayoutAttributeCenterX multiplier:1.0 constant:0.0]];
-    [self.view addConstraint:[NSLayoutConstraint constraintWithItem:jbButton attribute:NSLayoutAttributeCenterY relatedBy:NSLayoutRelationEqual toItem:self.view attribute:NSLayoutAttributeCenterY multiplier:1.1 constant:0.0]];
+    [self.view addConstraint:[NSLayoutConstraint constraintWithItem:jbButton attribute:NSLayoutAttributeCenterY relatedBy:NSLayoutRelationEqual toItem:self.view attribute:NSLayoutAttributeCenterY multiplier:1.7 constant:0.0]];
+
+    [self.view addSubview:spiceLabel];
+    [self.view addConstraint:[NSLayoutConstraint constraintWithItem:spiceLabel attribute:NSLayoutAttributeCenterX relatedBy:NSLayoutRelationEqual toItem:self.view attribute:NSLayoutAttributeCenterX multiplier:1.0 constant:0.0]];
+    [self.view addConstraint:[NSLayoutConstraint constraintWithItem:spiceLabel attribute:NSLayoutAttributeCenterY relatedBy:NSLayoutRelationEqual toItem:self.view attribute:NSLayoutAttributeCenterY multiplier:0.4 constant:0.0]];
 
     [self.view addSubview:titleLabel];
     [self.view addConstraint:[NSLayoutConstraint constraintWithItem:titleLabel attribute:NSLayoutAttributeCenterX relatedBy:NSLayoutRelationEqual toItem:self.view attribute:NSLayoutAttributeCenterX multiplier:1.0 constant:0.0]];
@@ -68,10 +129,13 @@ - (void)actionJailbreak
         return;
     }
 
+	jbButton.selected = NO;
+	jbButton.highlighted = NO;
+	jbButton.enabled = YES;
     [jbButton setTitle:@"Jailbreaking..." forState:UIControlStateNormal];
 
     dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0), ^(void) {
-        int ret = jailbreak(0);
+        int ret = jailbreak(0, self, &sendLog);
         NSLog(@"jailbreak ret: %d", ret);
 
         if (ret != 0) {
@@ -92,13 +156,20 @@ - (void)actionJailbreak
 
 - (void)exploitSucceeded
 {
+	jbButton.selected = NO;
+	jbButton.highlighted = NO;
+	jbButton.enabled = YES;
     hasJailbroken = true;
 
     [jbButton setTitle:@"Respring" forState:UIControlStateNormal];
 }
 
 - (void)exploitFailed
 {
+	jbButton.selected = NO;
+	jbButton.highlighted = NO;
+	jbButton.enabled = YES;
+
 	[jbButton setTitle:@"Failed, try again?" forState:UIControlStateNormal];
 }
 

src/shared/jailbreak.h

@@ -14,6 +14,6 @@ extern task_t kernel_task;
 extern kptr_t kernel_slide;
 extern kptr_t kernproc;
 
-int jailbreak(uint32_t opt);
+int jailbreak(uint32_t opt, void* controller, void (*updateStage)(void*, NSString*));
 
 #endif

src/shared/jailbreak.m

@@ -98,7 +98,7 @@
 kptr_t kernel_slide;
 kptr_t kernproc;
 
-kern_return_t jailbreak(uint32_t opt)
+kern_return_t jailbreak(uint32_t opt, void* controller, void (*sendLog)(void*, NSString*))
 {
     kern_return_t ret = 0;
     task_t self = mach_task_self();
@@ -117,11 +117,11 @@ kern_return_t jailbreak(uint32_t opt)
     }
     else
     {
-        suspend_all_threads();
+        //suspend_all_threads();
 
-        ret = pwn_kernel(offs, &kernel_task, &kbase);
+        ret = pwn_kernel(offs, &kernel_task, &kbase, controller, sendLog);
 
-        resume_all_threads();
+        //resume_all_threads();
 
         if(ret != KERN_SUCCESS) goto out;
 
@@ -191,9 +191,8 @@ kern_return_t jailbreak(uint32_t opt)
         MACH(unlock_nvram());
         LOG("patched nvram successfully");
 
-        // set generator 
-        // TODO: set this to 0x0
-        MACH(set_generator("0xcb95ce776496b54f"));
+        // set generator
+        MACH(set_generator("0x1111111111111111"));
 
         const char *current_gen = get_generator();
         LOG("generator is set to: %s", current_gen);
@@ -599,7 +598,7 @@ kern_return_t jailbreak(uint32_t opt)
 
             LOG("prdaily unloaded\n");
 
-            /* hope substrateis running byu this point? */
+            /* hope substrate is running by this point? */
 
             if (access("/usr/bin/ldrestart", F_OK) != 0)
             {
@@ -620,7 +619,8 @@ kern_return_t jailbreak(uint32_t opt)
 
     ret = KERN_SUCCESS;
 
-out:;
+out:
+	LOG("Restoring to mobile and exiting.");
     restore_to_mobile();
 
     term_kexecute();

src/shared/pwn.h

@@ -5,6 +5,6 @@
 
 #include "common.h"
 
-kern_return_t pwn_kernel(offsets_t offsets, task_t *tfp0, kptr_t *kbase);
+kern_return_t pwn_kernel(offsets_t offsets, task_t *tfp0, kptr_t *kbase, void* controller, void (*sendLog)(void*, NSString*));
 
 #endif