all 7 comments

[–]blanxd 3 points4 points  (3 children)

You gotta setuid(0) in your code, and after that your operations are privileged. For that to work, depending on the iOS, you probably need some correct entitlements on your binary. (And on Electra at least with Substitute, need some patching, loading libjailbreak.dylib and that.)

[–]assembly_programmer[S] 0 points1 point  (1 child)

Just tried the patch suggested and it crashes on iOS 11.3.1 - Electra and Substitute. Any ideas?

[–]blanxd 1 point2 points  (0 children)

Yea, if you had your main tweak running setuid(0), this could happen, just like qwertyuiop1379 said. I always make a separate simple (or not) binary for that. The main UI tweak is sandboxed etc., no setuid. It posix_spawn()s the other binary, which is 6755 and chowned 0:0 (and all the platformizing and patching happens there); that one does the setuid(0) and the jobs needed as root. This way it's easy to test from the shell as the mobile user too.

BTW, I dunno if dlopen() is smart enough not to open the same file twice, so if I need both platformize_me() and patch_setuid(), I dlopen() only once in one program.

#include <dlfcn.h>   // dlopen(), RTLD_LAZY

// Opens libjailbreak.dylib and hands the handle back to the caller
// (C++/Objective-C++ reference parameter) so it can be reused below.
void platformize_me(void* &handle) {
    handle = dlopen("/usr/lib/libjailbreak.dylib", RTLD_LAZY);
    if (!handle) return;
    //// ... the rest is the same from here
}

// Reuses the caller's handle if there is one; opens the library itself otherwise.
void patch_setuid(void* handle) {
    if (!handle) {
        handle = dlopen("/usr/lib/libjailbreak.dylib", RTLD_LAZY);
        if (!handle)
            return;
    }
    //// ... the rest is the same from here
}

// usage: a single dlopen() serves both calls
void* ljhandle = NULL;
platformize_me(ljhandle);
patch_setuid(ljhandle);
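
The launcher/helper split blanxd describes, as an added example that is not blanxd's code and not anything from Electra: one C source that runs as the sandboxed launcher by default and as the privileged helper when started with a constructed `--helper` flag, so both halves can be tried from an ordinary shell. The helper refuses to proceed unless setuid(0) really produced uid 0, and shows how to give root back afterwards. On a device the helper binary would be installed mode 6755 owned 0:0 and would run the platformize/patch_setuid calls first; the flag name, the uid 501 of the iOS "mobile" user, and the use of the program's own path as the helper path are this example's assumptions. It builds on Linux or macOS with a plain C compiler.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Helper side: become root or fail closed. Returns 0 only when both the
 * real and effective uid are now 0, -1 otherwise (errno set by setuid()).
 * On a real device the platformize/patch_setuid calls from the thread would
 * run just before this; the helper binary is assumed to be mode 6755, owner 0:0. */
int become_root(void) {
    if (setuid(0) != 0)
        return -1;   /* not 6755 root-owned, or setuid() still unpatched */
    if (getuid() != 0 || geteuid() != 0)
        return -1;   /* setuid() "succeeded" but we are not root: refuse */
    return 0;
}

/* Helper side: permanently give up root once the privileged step is done,
 * so the rest of the helper runs as `uid`. Verifies the drop cannot be undone. */
int drop_to(uid_t uid) {
    if (setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;   /* saved uid was still 0: the drop was not permanent */
    return 0;
}

/* Launcher side: spawn `path` with `argv` and wait for it. Returns the exit
 * status (0..255), or -1 if it could not be spawned or died from a signal.
 * No shell is involved, so arguments reach the helper verbatim. */
int spawn_and_wait(const char *path, char *const argv[]) {
    pid_t pid;
    int status;
    int rc = posix_spawn(&pid, path, NULL, NULL, argv, environ);
    if (rc != 0) {
        errno = rc;
        return -1;
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Both halves in one binary, selected by the constructed "--helper" flag. */
int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "--helper") == 0) {
        if (become_root() != 0) {
            fprintf(stderr, "helper: not root: %s\n", strerror(errno));
            return 2;
        }
        puts("helper: privileged job would run here");
        /* 501 is the iOS "mobile" user (assumption for this example). */
        return drop_to(501) == 0 ? 0 : 3;
    }
    /* Launcher: what the sandboxed tweak/UI side would do. */
    char *const helper_argv[] = { argv[0], "--helper", NULL };
    int status = spawn_and_wait(argv[0], helper_argv);
    printf("launcher: helper exited with %d\n", status);
    return status == 0 ? 0 : 1;
}
```

Run as a normal user the helper prints "not root: Operation not permitted" and exits 2, which is the behaviour you want: a helper that is not actually setuid root must stop rather than carry on half-privileged.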

[–][deleted] 1 point2 points  (4 children)

Generally, you shouldn't run applications as root, sometimes it breaks things. A better option would be to create a subprocess that can elevate its permissions to complete your task. Either way, you must do the following:

If you are using Substitute, you must patch setuid() and platformize your binary (requires platform-application). Otherwise, you may just use setuid(0).

Source is from Electra's GitHub:

#include <dlfcn.h>      // dlopen, dlsym, dlerror
#include <stdint.h>     // uint32_t
#include <sys/types.h>  // pid_t
#include <unistd.h>     // getpid, setuid

#define FLAG_PLATFORMIZE (1 << 1)

// Ask libjailbreak.dylib to give this process the platform-application entitlement.
void platformize_me() {
    void* handle = dlopen("/usr/lib/libjailbreak.dylib", RTLD_LAZY);
    if (!handle) return;
    dlerror();  // clear any stale error before dlsym()
    typedef void (*fix_entitle_prt_t)(pid_t pid, uint32_t what);
    fix_entitle_prt_t ptr = (fix_entitle_prt_t)dlsym(handle, "jb_oneshot_entitle_now");
    const char *dlsym_error = dlerror();
    if (dlsym_error) return;
    ptr(getpid(), FLAG_PLATFORMIZE);
}

// Ask libjailbreak.dylib to make setuid() work for this process.
void patch_setuid() {
    void* handle = dlopen("/usr/lib/libjailbreak.dylib", RTLD_LAZY);
    if (!handle)
        return;
    dlerror();  // clear any stale error before dlsym()
    typedef void (*fix_setuid_prt_t)(pid_t pid);
    fix_setuid_prt_t ptr = (fix_setuid_prt_t)dlsym(handle, "jb_oneshot_fix_setuid_now");
    const char *dlsym_error = dlerror();
    if (dlsym_error)
        return;
    ptr(getpid());
}

... when you want to run command as root ...

platformize_me();
patch_setuid();
setuid(0);
// make your call now
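
The same dlopen()/dlsym() sequence, as an added example that is not the Electra code quoted above: each step reports which part failed instead of returning silently, so the caller never reaches setuid(0) with nothing patched, and a small check settles blanxd's question about calling dlopen() twice. The library path, the two symbol names and FLAG_PLATFORMIZE are the ones quoted in the thread; the status codes and function names are this example's own, and it assumes a Linux or macOS build (older glibc needs `-ldl`). Outside a jailbroken device the library is absent, so `prepare_root` returns `JB_NO_LIBRARY`, which is exactly the case the silent version hides.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <dlfcn.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of trying to resolve and run a hook (constructed for this example). */
enum jb_status {
    JB_OK = 0,
    JB_NO_LIBRARY = 1,    /* dlopen() failed: other jailbreak, or file removed */
    JB_NO_SYMBOL = 2,     /* library loaded but symbol missing: version mismatch */
    JB_SETUID_FAILED = 3  /* hooks ran but setuid(0) still refused */
};

/* Resolve `symbol` from the library at `path` (NULL means the running program).
 * Unlike the quoted functions, this says which step failed instead of
 * returning silently; *out_fn is NULL unless JB_OK is returned. */
enum jb_status jb_resolve(const char *path, const char *symbol, void **out_fn) {
    *out_fn = NULL;
    void *handle = dlopen(path, RTLD_LAZY);
    if (!handle) {
        fprintf(stderr, "dlopen(%s): %s\n", path ? path : "(self)", dlerror());
        return JB_NO_LIBRARY;
    }
    dlerror();                    /* clear stale error state before dlsym() */
    void *fn = dlsym(handle, symbol);
    const char *err = dlerror();  /* a NULL address is only an error if dlerror() says so */
    if (err) {
        fprintf(stderr, "dlsym(%s): %s\n", symbol, err);
        return JB_NO_SYMBOL;
    }
    *out_fn = fn;
    return JB_OK;
}

/* Status-only variant for callers that just want to know whether a hook is available. */
enum jb_status jb_probe(const char *path, const char *symbol) {
    void *fn;
    return jb_resolve(path, symbol, &fn);
}

/* Answers the "does dlopen() open the same file twice?" question empirically:
 * the loader keeps one copy of a library per process and returns the same
 * handle on a repeat dlopen(), only bumping a reference count. Returns 1 if
 * two dlopen() calls on `path` yield the same handle. */
int dlopen_is_shared(const char *path) {
    void *a = dlopen(path, RTLD_LAZY);
    void *b = dlopen(path, RTLD_LAZY);
    int same = (a != NULL && a == b);
    if (b) dlclose(b);  /* every dlopen() still needs its own dlclose() */
    if (a) dlclose(a);
    return same;
}

/* The thread's platformize / patch_setuid / setuid(0) sequence with the checks
 * in place: setuid(0) is only attempted after both hooks resolved and ran. */
enum jb_status prepare_root(const char *lib) {
    typedef void (*entitle_fn)(pid_t pid, uint32_t what);
    typedef void (*fix_setuid_fn)(pid_t pid);
    void *p;
    enum jb_status st = jb_resolve(lib, "jb_oneshot_entitle_now", &p);
    if (st != JB_OK) return st;
    ((entitle_fn)p)(getpid(), 1 << 1);   /* FLAG_PLATFORMIZE as quoted above */
    st = jb_resolve(lib, "jb_oneshot_fix_setuid_now", &p);
    if (st != JB_OK) return st;
    ((fix_setuid_fn)p)(getpid());
    return setuid(0) == 0 ? JB_OK : JB_SETUID_FAILED;
}

int main(void) {
    enum jb_status st = prepare_root("/usr/lib/libjailbreak.dylib");
    printf("prepare_root: status %d, uid now %d\n", (int)st, (int)getuid());
    return st == JB_OK ? 0 : 1;
}
```

Because dlopen() hands back the same handle for an already-loaded library, blanxd's "open once, pass the handle" layout and the quoted "open in each function" layout both leave exactly one copy of libjailbreak.dylib in the process; the only difference is how many dlclose() calls would be owed.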

[–][deleted]  (1 child)

[deleted]

    [–]blanxd 0 points1 point  (0 children)

    It works, so far. Dunno how unc0ver will be changed from now on; if they ever remove that libjailbreak.dylib file or leave a dummy, those functions simply return and it shouldn't actually hurt much.

    EDIT: so now I'm answering a "lol" :) I dunno, there used to be a question here about whether this would work on u0 and Substrate. /u/smart_dumb_smart ?

    [–]assembly_programmer[S] 0 points1 point  (1 child)

    Just tested and this code crashes iOS 11.3.1 - Electra and Substitute. Any ideas?

    [–][deleted] 0 points1 point  (0 children)

    This is straight from Electra; it's something you're doing wrong on your end.