launchd is a unified, open-source service management framework for starting, stopping and managing daemons, applications, processes and scripts. As this controls the start of programs, this is a good place to place untether code. But because code needs to be signed, the file cannot simply be patched in order to start software after reboot. But what can be done is to configure this with the launchd.conf file in order to start a program after boot. The vulnerability is that the configuration file does not need to be signed.
Apple fixed this in iOS 7 by adding a
__RESTRICT segment to amfid, which prevents dylibs from hooking into it.
launchd.conf in evasi0n:
bsexec .. /sbin/mount -u -o rw,suid,dev / setenv DYLD_INSERT_LIBRARIES /private/var/evasi0n/amfi.dylib load /System/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist bsexec .. /private/var/evasi0n/evasi0n unsetenv DYLD_INSERT_LIBRARIES bsexec .. /bin/rm -f /private/var/evasi0n/sock bsexec .. /bin/ln -f /var/tmp/launchd/sock /private/var/evasi0n/sock