Launchd.conf Untether
Latest revision as of 15:27, 16 March 2015
launchd is Apple's open-source service management framework: it is the first user-space process, and it starts, stops and supervises daemons, agents, applications and scripts from their job plists. Because it controls what runs at boot, it is a natural place to anchor an untether. The launchd binary itself cannot simply be patched, since executables have to pass the code-signature check, and an unsigned untether binary cannot just be added as a job for the same reason. What launchd does offer (on iOS 6 and earlier) is /etc/launchd.conf: a plain-text file that launchd reads at startup and executes line by line as launchctl subcommands. The weakness is that this file is never signature-checked, so an attacker who can write it once, from an already-exploited running system, gets arbitrary launchctl commands executed by launchd, as root, on every subsequent boot.
Apple closed the evasi0n variant of this in iOS 7 by adding a __RESTRICT segment (containing a __restrict section) to amfid. dyld ignores DYLD_INSERT_LIBRARIES and the other DYLD_* environment variables when it loads an executable that carries this marker, so a setenv line in launchd.conf can no longer push a dylib into amfid and disable its code-signature checks. The marker is per-binary: it protects only executables that carry it.
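To make concrete what the iOS 7 fix keys on, here is an added example (not from the wiki, Apple or evasi0n) that reimplements dyld's test in Python: it walks a Mach-O's load commands and reports whether a __RESTRICT segment with a __restrict section is present, once per architecture slice for fat files. The two images it inspects are constructed in-line with header-only Mach-O layouts (build_macho64 and build_fat are helpers written for this example); pass a real file such as a copy of /usr/libexec/amfid as the first argument to check a genuine binary.

```python
"""dyld drops DYLD_INSERT_LIBRARIES (and the other DYLD_* variables) for a
main executable whose Mach-O carries a segment named __RESTRICT containing a
section named __restrict. This added example locates that marker."""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE   # byte-swapped magics
FAT_MAGIC = 0xCAFEBABE
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
CPU_TYPE_ARM64 = 0x0100000C


def _name(raw):
    """Decode a NUL-padded 16-byte segname/sectname field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def has_restrict_section(image):
    """True if a thin Mach-O image has a __RESTRICT,__restrict section."""
    if len(image) < 28:
        raise ValueError("too short for a Mach-O header")
    (magic,) = struct.unpack("<I", image[:4])
    if magic in (MH_MAGIC, MH_MAGIC_64):
        e = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        e = ">"
    else:
        raise ValueError("not a thin Mach-O image")
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    ncmds, sizeofcmds = struct.unpack(e + "II", image[16:24])
    off = 32 if is64 else 28                  # mach_header_64 has a reserved word
    end = off + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load commands")
        cmd, cmdsize = struct.unpack(e + "II", image[off:off + 8])
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad load command size")
        # segment_command{,_64}: cmd, cmdsize, segname[16], vm/file fields,
        # maxprot, initprot, nsects, flags; the section table follows it.
        if is64 and cmd == LC_SEGMENT_64:
            seg_hdr, sect_size, nsects_off = 72, 80, 64
        elif not is64 and cmd == LC_SEGMENT:
            seg_hdr, sect_size, nsects_off = 56, 68, 48
        else:
            off += cmdsize
            continue
        if _name(image[off + 8:off + 24]) == "__RESTRICT":
            (nsects,) = struct.unpack(e + "I", image[off + nsects_off:off + nsects_off + 4])
            for i in range(nsects):
                s = off + seg_hdr + i * sect_size
                if s + sect_size > off + cmdsize:
                    raise ValueError("section table overruns its segment command")
                if _name(image[s:s + 16]) == "__restrict":
                    return True
        off += cmdsize
    return False


def restrict_status(data):
    """One bool per architecture slice, for a thin or (big-endian) fat file."""
    if struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        return [has_restrict_section(data)]
    (nfat,) = struct.unpack(">I", data[4:8])
    out = []
    for i in range(nfat):
        a = 8 + i * 20                        # fat_arch: five uint32s
        _cpu, _sub, offset, size, _align = struct.unpack(">IIIII", data[a:a + 20])
        out.append(has_restrict_section(data[offset:offset + size]))
    return out


def build_macho64(segments):
    """Constructed test input: a header-only arm64 Mach-O with the given
    (segname, [sectnames]) segments; only the load commands matter here."""
    cmds = b""
    for segname, sects in segments:
        body = b"".join(struct.pack("<16s16sQQIIIIIIII", s.encode(), segname.encode(),
                                    *([0] * 10)) for s in sects)
        cmds += struct.pack("<II16sQQQQIIII", LC_SEGMENT_64, 72 + len(body),
                            segname.encode(), 0, 0, 0, 0, 0, 0, len(sects), 0) + body
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2,  # MH_EXECUTE
                         len(segments), len(cmds), 0, 0)
    return header + cmds


def build_fat(slices):
    """Constructed test input: wrap thin images in a fat header."""
    off, archs = 8 + 20 * len(slices), b""
    for img in slices:
        archs += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, off, len(img), 0)
        off += len(img)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + b"".join(slices)


HARDENED = build_macho64([("__TEXT", ["__text"]), ("__RESTRICT", ["__restrict"])])
PLAIN = build_macho64([("__TEXT", ["__text"]), ("__DATA", ["__data"])])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # e.g. a copy of /usr/libexec/amfid
        print(restrict_status(open(sys.argv[1], "rb").read()))
    else:
        print("hardened:", restrict_status(HARDENED), "plain:", restrict_status(PLAIN),
              "fat:", restrict_status(build_fat([HARDENED, PLAIN])))
```

A segment called __RESTRICT with no __restrict section is deliberately reported as unprotected, because that is how dyld treats it: both names have to match.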
launchd.conf in evasi0n:

bsexec .. /sbin/mount -u -o rw,suid,dev /
setenv DYLD_INSERT_LIBRARIES /private/var/evasi0n/amfi.dylib
load /System/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist
bsexec .. /private/var/evasi0n/evasi0n
unsetenv DYLD_INSERT_LIBRARIES
bsexec .. /bin/rm -f /private/var/evasi0n/sock
bsexec .. /bin/ln -f /var/tmp/launchd/sock /private/var/evasi0n/sock

Read as launchctl subcommands: the first bsexec remounts / read-write (with suid and dev) so the rest of the file can touch the system partition; setenv puts DYLD_INSERT_LIBRARIES into launchd's own environment, which it passes on to the jobs it spawns; load then starts amfid from its job plist, so dyld inserts amfi.dylib into amfid, where it subverts signature validation; the next bsexec runs the unsigned evasi0n binary, which is now allowed to launch and applies the actual untether; unsetenv removes the variable so later daemons are not affected; the last two lines replace /private/var/evasi0n/sock with a hard link to /var/tmp/launchd/sock. None of these lines is covered by a code signature.
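As an added example (not from the wiki or the evasi0n authors), the script below triages a launchd.conf by parsing each line as a launchctl subcommand and flagging the pattern above: a DYLD_* variable exported with setenv, a job loaded while it is still in effect, a read-write remount of /, and bsexec of binaries from writable storage. The evasi0n file above is used as one sample; the benign second sample is constructed for contrast. The severity labels and the heuristics are this script's own choices, not anything launchd defines.

```python
"""Triage a launchd.conf for untether-style persistence (added example).
Each non-blank line is split the way a shell would and treated as a launchctl
subcommand followed by its arguments."""
import shlex

DYLD_INJECTION = "DYLD_INSERT_LIBRARIES"
WRITABLE_PREFIXES = ("/private/var/", "/var/", "/tmp/")

# The launchd.conf evasi0n wrote to iOS 6 devices (taken from the page above).
EVASI0N_CONF = """\
bsexec .. /sbin/mount -u -o rw,suid,dev /
setenv DYLD_INSERT_LIBRARIES /private/var/evasi0n/amfi.dylib
load /System/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist
bsexec .. /private/var/evasi0n/evasi0n
unsetenv DYLD_INSERT_LIBRARIES
bsexec .. /bin/rm -f /private/var/evasi0n/sock
bsexec .. /bin/ln -f /var/tmp/launchd/sock /private/var/evasi0n/sock
"""

# Constructed benign sample for comparison (not from any real device).
BENIGN_CONF = """\
limit maxfiles 256 unlimited
setenv PATH /usr/bin:/bin
load /System/Library/LaunchDaemons/com.apple.syslogd.plist
"""


def triage_launchd_conf(text):
    """Return (line_no, severity, message) findings for a launchd.conf body."""
    findings = []
    injected_since = None   # line that exported DYLD_INSERT_LIBRARIES, until unsetenv
    for n, raw in enumerate(text.splitlines(), 1):
        try:
            argv = shlex.split(raw)
        except ValueError as exc:
            findings.append((n, "warn", f"unparseable line: {exc}"))
            continue
        if not argv:
            continue
        sub, args = argv[0], argv[1:]
        if sub == "setenv" and len(args) >= 2 and args[0].startswith("DYLD_"):
            # launchd hands its own environment to every job it spawns from here on
            findings.append((n, "high", f"exports {args[0]}={args[1]} to later jobs"))
            if args[0] == DYLD_INJECTION:
                injected_since = n
        elif sub == "unsetenv" and args[:1] == [DYLD_INJECTION]:
            injected_since = None
        elif sub == "load":
            for plist in (a for a in args if not a.startswith("-")):
                if injected_since is not None:
                    findings.append((n, "high",
                                     f"{plist} starts with {DYLD_INJECTION} "
                                     f"(line {injected_since}) in effect"))
                else:
                    findings.append((n, "info", f"loads {plist}"))
        elif sub == "bsexec" and len(args) >= 2:
            cmd, cmd_args = args[1], args[2:]
            if cmd.endswith("/mount") and "-u" in cmd_args and cmd_args[-1:] == ["/"]:
                findings.append((n, "high", f"remounts / with: {' '.join(cmd_args)}"))
            elif cmd.startswith(WRITABLE_PREFIXES):
                findings.append((n, "high", f"runs a binary from writable storage: {cmd}"))
            else:
                findings.append((n, "medium", f"runs {' '.join(args[1:])} via bsexec"))
    return findings


def worst_severity(findings):
    """Highest severity present, so a caller can decide whether to alert."""
    order = {"info": 0, "warn": 1, "medium": 2, "high": 3}
    return max((f[1] for f in findings), key=order.get, default="info")


if __name__ == "__main__":
    for label, conf in (("evasi0n", EVASI0N_CONF), ("benign", BENIGN_CONF)):
        findings = triage_launchd_conf(conf)
        print(f"{label}: worst={worst_severity(findings)}")
        for line_no, sev, msg in findings:
            print(f"  line {line_no} [{sev}] {msg}")
```

The setenv/load pairing is the finding that matters: a DYLD_INSERT_LIBRARIES export by itself only becomes an injection when a job is started while it is in launchd's environment, which is exactly the amfid step in the evasi0n file.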