- WWDC.app is downloaded from app store and uploaded over AFC to ~/Media/Downloads
- An IPA containing WWDC.app is uploaded and installed using MobileInstall
- but first, the Info.plist in the WWDC app in the IPA is changed so that CFBundleExecutable points to the untouched copy of the app in Downloads
- when MobileInstall installs the app, it signature checks the copy in Downloads
- signature check passes and app is installed
- WWDC.app/WWDC is overwritten using AFC with a #! script to point to afcd
- the command line in #! will expose the entire / over afc port 8888
- a dylib (gameover) is uploaded which uses a CS bypass (vmsize 0) to neuter sandboxing in afcd using LINKEDIT section
- (afcd starts its sandbox at runtime using sandbox_init*)
- a LaunchServices bug is used to make that app load that library when it runs
- the device reboots and the user is instructed to run the app
- when the app runs, afcd runs exposing /, and the sandbox is neutered, allowing access everywhere
- however, iOS 7 kernel still prevents remapping / as writable
- so it's still just readonly
- at this point, /var/mobile/Library/Logs/AppleSupport is symlinked to /dev/rdisk0s1
- the device is rebooted, and something early in boot (I believe ReportCrash) will chown that path to mobile, which chowns rdisk
- they have an HFS library that has an AFC backend
- so they're able to virtually mount the entire system partition via AFC by seeking around on the rdisk using AFC commands
- so using that, they modify the system partition
- the changes to the system partition are adding an executable which is signed with a self-signed cert at /evasi0n7 and a launchd plist to run it at boot
- they use the same CS bypass used before to modify libmis.dylib, which is loaded by amfid (which checks code signatures), to neuter the amfi checks and always return true (i.e. from MISValidateSignature)
- so evasi0n will run fine, and at that point it does the kernel portion
- they also have to do this trick involving another codeless library containing this xpcd_cache blob to bypass a change in iOS 7 (or was it 6) where launchctl will only load plists from signed libraries
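Two of the steps above, the CFBundleExecutable value redirecting out of the IPA and the bundle's main binary being overwritten with a #! script, are things a bundle validator can catch before install. The following is an added example in Python, not code from the paste or from evasi0n7; the Info.plist contents, the Mach-O header bytes and the #! interpreter path are constructed samples.

```python
"""Bundle sanity checks for the two userland tricks described above (added example)."""
import plistlib
import posixpath

# Magic numbers that begin a Mach-O image (both byte orders) or a fat/universal binary.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # fat binary
}


def check_executable_name(name):
    """Problems with a CFBundleExecutable value; a sane one is a bare file name in the bundle."""
    if not isinstance(name, str) or not name:
        return ["CFBundleExecutable missing or not a string"]
    problems = []
    if name.startswith("/"):
        problems.append("absolute path")
    if "/" in name or "\\" in name:
        problems.append("contains a path separator")
    # After normalisation the target must still sit below the bundle directory.
    if not posixpath.normpath(posixpath.join("bundle", name)).startswith("bundle/"):
        problems.append("escapes the bundle directory")
    return problems


def check_executable_header(data):
    """Flag a main executable that is a #! script or otherwise not a Mach-O image."""
    if data[:2] == b"#!":
        return ["main executable is a #! script, not a Mach-O binary"]
    if data[:4] not in MACHO_MAGICS:
        return ["main executable does not start with a Mach-O or fat magic"]
    return []


def check_bundle(info_plist, executable):
    """info_plist: raw Info.plist bytes; executable: leading bytes of the main binary."""
    info = plistlib.loads(info_plist)
    return check_executable_name(info.get("CFBundleExecutable")) + check_executable_header(executable)


# Constructed samples: a sane bundle, and one shaped like the redirect + #! overwrite above.
GOOD_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.example.app", "CFBundleExecutable": "WWDC"})
BAD_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.example.app",
                            "CFBundleExecutable": "../../../Media/Downloads/WWDC.app/WWDC"})
GOOD_EXEC = b"\xcf\xfa\xed\xfe" + b"\x00" * 28          # little-endian 64-bit Mach-O header start
BAD_EXEC = b"#!/placeholder/interpreter -placeholder-args\n"  # placeholder shebang, not a real command

if __name__ == "__main__":
    print(check_bundle(GOOD_PLIST, GOOD_EXEC))
    print(check_bundle(BAD_PLIST, BAD_EXEC))
```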