Difference between revisions of "AMFID code signing evasion"

By creating a dylib without code, just redefining the signed code verification function with a "return ok" method from another signed library and using lazy binding, the entire code signing requirement gets circumvented. This method has been used by developers for a long time now.

In evasi0n, the amfi.dylib redefines these functions:

• _kMISValidationOptionValidateSignatureOnly (_kCFUserNotificationTokenKey from CoreFoundation)
• _kMISValidationOptionExpectedHash (_kCFUserNotificationTimeoutKey from CoreFoundation)
• _MISValidateSignature (_CFEqual from CoreFoundation)

TODO: some more detailed description missing here.

Usage

• evasi0n jailbreak

See Also

• Overlapping Segment Attack

Credit

• KennyTM~
• maybe others too

References

• networkpx blog post from 2009
• iPhoneDevWiki, Xcode, Developing without Provisioning Profile
• Accuvant Labs analysis of evasi0n