Difference between revisions of "Launchd.conf Untether"

From The iPhone Wiki
Jump to: navigation, search
(initial page)
 
m (5urd moved page Launchd.conf untether to Launchd.conf Untether: capitalization)
 
(2 intermediate revisions by one other user not shown)
Line 1: Line 1:
 
{{lowercase}}
 
{{lowercase}}
 
[[launchd]] is a unified, open-source service management framework for starting, stopping and managing daemons, applications, processes and scripts. As this controls the start of programs, this is a good place to place untether code. But because code needs to be signed, the file cannot simply be patched in order to start software after reboot. But what can be done is to configure this with the launchd.conf file in order to start a program after boot. The vulnerability is that the configuration file does not need to be signed.
 
[[launchd]] is a unified, open-source service management framework for starting, stopping and managing daemons, applications, processes and scripts. As this controls the start of programs, this is a good place to place untether code. But because code needs to be signed, the file cannot simply be patched in order to start software after reboot. But what can be done is to configure this with the launchd.conf file in order to start a program after boot. The vulnerability is that the configuration file does not need to be signed.
  +
  +
Apple fixed this in iOS 7 by adding a <code>__RESTRICT</code> segment to amfid, which prevents dylibs from hooking into it.
   
 
<code>launchd.conf</code> in [[evasi0n]]:
 
<code>launchd.conf</code> in [[evasi0n]]:

Latest revision as of 15:27, 16 March 2015

launchd is a unified, open-source service management framework for starting, stopping and managing daemons, applications, processes and scripts. As this controls the start of programs, this is a good place to place untether code. But because code needs to be signed, the file cannot simply be patched in order to start software after reboot. But what can be done is to configure this with the launchd.conf file in order to start a program after boot. The vulnerability is that the configuration file does not need to be signed.

Apple fixed this in iOS 7 by adding a __RESTRICT segment to amfid, which prevents dylibs from hooking into it.

launchd.conf in evasi0n:

bsexec .. /sbin/mount -u -o rw,suid,dev /
setenv DYLD_INSERT_LIBRARIES /private/var/evasi0n/amfi.dylib
load /System/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist
bsexec .. /private/var/evasi0n/evasi0n
unsetenv DYLD_INSERT_LIBRARIES
bsexec .. /bin/rm -f /private/var/evasi0n/sock
bsexec .. /bin/ln -f /var/tmp/launchd/sock /private/var/evasi0n/sock

External Links