Fugu14Untether
sen0rxol0 opened this issue · 0 comments
sen0rxol0 commented
Are there any clues on how to generate closures, e.g. `analyticsd.closure`, without running the app?
Ok, for `jailbreakd` to be run it is required to be in userland; otherwise no closures are generated. Although it is possible to run `jailbreakd` from another app.
About Fugu14Untether on arm64 devices:

> However, it is in theory possible to install the untether on them (e.g. via checkra1n).
- *modifying `jailbreakd`
- adding Fugu14Untether on a checkm8-vulnerable device
  - SSH into device
  - mount rootfs and rename APFS snapshot
  - create directory `.Fugu14Untether/` at rootfs mountpoint
  - create directory `HOME` at path `/private/var/mobile/Containers/Data/Fugu14Untether`
  - create directory `clPath` at path `/private/var/Fugu14UntetherDYLD/Caches/com.apple.dyld/`
  - create symlink at path `HOME/Library` with destination `/private/var/Fugu14UntetherDYLD`
  - create symlink at path `/.Fugu14Untether/stage2` with destination `/System/Library/CoreServices/ReportCrash`
  - add `jailbreakd`, `trustcache`, `*` JS files to `/.Fugu14Untether/`
  - *add generated files `analyticsd.closure`, `stage2.closure` to the untether exploit closure folder `clPath`
  - replace `/System/Library/PrivateFrameworks/CoreAnalytics.framework/Support/analyticsd` with `/usr/libexec/keybagd`
  - modify `/etc/master.passwd` and `/etc/passwd` by replacing `_analyticsd` with `_nanalyticsd`, set home `HOME` for user
  - add `boostrap.tar` files
  - add `com.apple.analyticsd.plist` to `/Library/LaunchDaemons/`
  - add `launchctl` to `/.Fugu14Untether/bin/`
  - change ownership to `264:264` in `HOME`, `clPath`
*: unclear
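The filesystem steps in the list above, written out as a shell script so they can be dry-run against a staging directory before being applied to a mounted device root. This is an added example, not Fugu14's own installer and not code from the comment author: the function names, the `FUGU14_ROOT`/`FUGU14_OWNER`/`FUGU14_CHOWN` variables and the sample passwd lines are this example's own assumptions, and the parts the list leaves device-specific or marked unclear (the snapshot rename, the `analyticsd`/`keybagd` swap, the closure files, the bootstrap tarballs, the LaunchDaemon plist) are deliberately not performed.

```shell
#!/bin/sh
# Added example, not Fugu14's own installer: stage the directory and symlink
# layout from the list above relative to a root-fs mountpoint (or a scratch
# directory on a host for a dry run), and rewrite the analyticsd user entry
# in a passwd-style file.  Snapshot renaming, the analyticsd/keybagd swap,
# the closure files and the bootstrap tarballs are device-specific and are
# left out on purpose.
set -eu

# Owner the comment gives for HOME and clPath.  FUGU14_CHOWN=0 skips the
# chown on a host where that uid does not exist.  Both names are assumed
# here, not taken from Fugu14.
FUGU14_OWNER="${FUGU14_OWNER:-264:264}"

stage_fugu14_layout() {
    root="$1"   # mountpoint of the device root fs, or a staging directory
    home="$root/private/var/mobile/Containers/Data/Fugu14Untether"
    clpath="$root/private/var/Fugu14UntetherDYLD/Caches/com.apple.dyld"

    # /.Fugu14Untether at the root-fs mountpoint, with bin/ for launchctl;
    # HOME for the daemon user; clPath for the closures.
    mkdir -p "$root/.Fugu14Untether/bin" "$home" "$clpath"

    # Symlink targets are on-device absolute paths: they dangle while the
    # volume is staged elsewhere and resolve once it is mounted as /.
    ln -sfn /private/var/Fugu14UntetherDYLD "$home/Library"
    ln -sfn /System/Library/CoreServices/ReportCrash "$root/.Fugu14Untether/stage2"

    if [ "${FUGU14_CHOWN:-1}" = 1 ]; then
        chown -R "$FUGU14_OWNER" "$home" "$clpath"
    fi
}

# Rename a user in /etc/passwd or /etc/master.passwd and set its home.
# Both formats end with ...:home:shell, so home is the next-to-last field.
# Usage: rewrite_passwd_user FILE OLDNAME NEWNAME HOME   (writes to stdout)
rewrite_passwd_user() {
    awk -F: -v OFS=: -v old="$2" -v new="$3" -v home="$4" \
        '$1 == old { $1 = new; $(NF-1) = home } { print }' "$1"
}

# Constructed sample input for a dry run (not a real device's /etc/passwd).
fugu14_sample_passwd() {
    printf '%s\n' \
        'root:*:0:0:System Administrator:/var/root:/bin/sh' \
        '_analyticsd:*:264:264:Analytics Daemon:/var/empty:/usr/bin/false'
}

# Dry run: FUGU14_ROOT=/tmp/stage FUGU14_CHOWN=0 sh this_script.sh
if [ -n "${FUGU14_ROOT:-}" ]; then
    stage_fugu14_layout "$FUGU14_ROOT"
    find "$FUGU14_ROOT" -mindepth 1 | sort
    fugu14_sample_passwd > "$FUGU14_ROOT/passwd.sample"
    rewrite_passwd_user "$FUGU14_ROOT/passwd.sample" _analyticsd _nanalyticsd \
        /private/var/mobile/Containers/Data/Fugu14Untether
fi
```

On a device you would run `stage_fugu14_layout` against the rootfs mountpoint and redirect `rewrite_passwd_user` output to a temporary file before moving it over `/etc/passwd` and `/etc/master.passwd`; the function does not edit in place, so a mistake can be inspected first.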