Talk:Pangu8

From The iPhone Wiki
Revision as of 20:48, 2 November 2014 by 5urd (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Research

Pangu8 uses the same method as evasi0n7 did to run the kernel exploit. Here are some light details on the files in the untether package;

  • libmis.dylib - Same as in evasi0n7, overrides symbols in amfid to make the signature check return 0, this is used in conjunction with the codesign hack.
  • pangu_xpcd.dylib - handles codesigning hacks(?)
  • xpcd_cache.dylib - this dylib gets loaded by launchd on boot, this file is a new home for LaunchDaemons, Pangu8 replaces the old dylib with this patched version that includes an entry into the plist that gets returned that specifies xuanyuansword to be ran on boot (only once)
  • xuanyuansword - this is the file that contains all the kernel exploit goodies that runs on every boot
  • io.pangu.untether.plist - the launch daemon for the untether binary that gets used after the xpcd cache is rebuilt?

I went through and checked each dynamic library with IDA Pro for imports/exports and what functions each hack overrided, and grepped through launchd using strings command like so; 'strings launchd_binary | grep xpcd_cache.dylib' to see if the system path for xpcd_cache is defined in the iOS version of launchd like it is in the OSX launchctl source --Haifisch (talk) 07:54, 2 November 2014 (UTC)