daily pastebin goal
48%
SHARE
TWEET

Untitled

a guest Dec 23rd, 2013 11,484 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. WWDC.app is downloaded from app store and uploaded over AFC to ~/Media/Downloads
  2.  
  3. An IPA containing WWDC.app is uploaded and installed using MobileInstall
  4.         but first, the Info.plist in the WWDC app in the IPA is changed so that CFBundleExecutable points to the untouched copy of the app in Downloads
  5.  
  6. when MobileInstall installs the app, it signature checks the copy in Downloads
  7.         signature check passes and app is installed
  8.  
  9. WWDC.app/WWDC is overwritten using AFC with a #! script to point to afcd
  10.         the command line in #! will expose the entire / over afc port 8888
  11.  
  12. a dylib (gameover) is uploaded which uses a CS bypass (vmsize 0) to neuter sandboxing in afcd using LINKEDIT section
  13.         (afcd starts its sandbox at runtime using sandbox_init*)
  14.  
  15. a LaunchServices bug is used to make that app load that library when it runs
  16.         the device reboots and the user is instructed to run the app
  17.  
  18. when the app runs, afcd runs exposing /, and the sandbox is neutered, allowing access everywhere
  19.         however, iOS 7 kernel still prevents remapping / as writable
  20.         so it's still just readonly
  21.  
  22. at this point, /var/mobile/Library/Logs/AppleSupport is symlinked to /dev/rdisk0s1
  23.         the device is rebooted, and something early in boot (i believe ReportCrash) will chown that path to mobile which chowns rdisk
  24.  
  25. they have an HFS library that has an AFC backend
  26.         so they're able to virtually mount the entire system partition via AFC by seeking around on the rdisk using AFC commands
  27.         so using that, they modify the system partition
  28.                 the changes to the system partition are adding an executable which is signed with a self-signed cert at /evasi0n7 and a launchd plist to run it at boot
  29.  
  30. they use the same CS bypass ued before to modify libmis.dylib which is loaded by amfid (which checks code signatures) to neuter the amfi checks and alwys return true (i.e. to MISValidateSignature)
  31.  
  32. so evasi0n will run fine, and at that point it does the kernel portion
  33.  
  34. they also have to do this trick involving another codeless library containing this xpcd_cache blob to bypass a change in iOS 7 (or was it 6) where launchctl will only load plists from signed libraries
RAW Paste Data
Top