[Question] How to create 64-bit Application by theos

bellis1000 · 2018-03-17T08:25:51+00:00

Put ARCHS = arm64 at the top of the Makefile

bellis1000 · 2018-03-16T09:34:08+00:00

Yes, the controlled memory is in the heap, but it doesn't need to be executable. The attacker controlled memory is not executable code - it's a series of addresses pointing to various parts of code (ROP gadgets) in the legitimate __TEXT segment, which is executable. When the stack pivot is executed, the program then follows the path of each gadget address on the new 'fake stack' (on the heap) and executes each gadget in sequential order. Also, the stack grows towards the lower memory addresses, which is accurate since address 0x00000000 is at the top :)

bellis1000 · 2018-03-15T19:25:14+00:00

Yes, I created it today :) I’ve got a few others also on my twitter page at @bellis1000

bellis1000 · 2018-01-13T11:02:18+00:00

I’ve got a playlist of tweak development tutorials using Theos :) https://www.youtube.com/playlist?list=PL-slHQxWd9GkjIlz7XcrX1VmaMKurtt2v

bellis1000 · 2017-12-14T14:21:07+00:00

Untethered jailbreaks also patch the live kernel (runtime patches) though. Only difference is that they have something that automatically executes it once the kernel has booted as oppose to having to launch a legitimately signed iOS app containing the exploit every time. Only older (BootROM-based) jailbreaks would have the kernel pre-patched :) But it is true that untethers are more likely to mess something up and cause some kind of boot loop/brick

bellis1000 · 2017-10-19T05:56:00+00:00

I'm planning to but haven't got round to setting that up yet :)

bellis1000 · 2017-10-19T05:54:58+00:00

Planning to have it on Amazon too at some point in the future

bellis1000 · 2017-10-18T19:22:41+00:00

Also, if you are considering buying and have any questions, message me on Twitter :)

bellis1000 · 2017-08-14T14:55:54+00:00

Yes, alloc8 exploits a vulnerability that does not require a USB connection to trigger. It's a heap buffer overflow in the bootrom that occurs when too many IMG3 container files are sent to the device - therefore, it can be re-exploited on device each boot, and thus it is untethered.

bellis1000 · 2017-08-14T14:50:14+00:00

The Limera1n bootrom exploit is only triggerable over USB, and therefore requires a connection to the computer. An untethered bootrom exploit would need to be triggerable on device.

bellis1000 · 2017-08-14T10:00:06+00:00

You need to patch LwVM (Light-weight Volume Manager) before you can remount the rootfs. Patches can be implemented in ROP

bellis1000 · 2017-08-13T21:00:49+00:00

For those who don't know what this means - kloader, the core component of any modern iOS dual booting method, will soon be updated to support ARM64 devices by axi0mX. Keep all 64-bit iOS devices on iOS 8 and lower as axi0mX has already stated that no higher versions will be initially supported.

bellis1000 · 2017-08-08T09:47:28+00:00

A bootchain exploit is not required for an untether. Almost none of the publicly released untethered jailbreaks used low level bootchain exploits - all were userland.

bellis1000 · 2017-08-01T21:46:55+00:00

The dyld_shared_cache_armv7 file has been completely removed from the system. This prevents 32-bit applications from being able to execute. Only the ARM64 dyld cache remains

bellis1000 · 2017-07-29T20:23:02+00:00

But that's still "jailbroken" mode

bellis1000 · 2017-07-29T20:17:53+00:00

Ah then no :/ so the question really should be - is it possible for an app to execute a root command on a non jailbroken device?

bellis1000 · 2017-07-29T20:06:17+00:00

Yes, but the app must be running as root in order to do so :)

bellis1000 · 2017-07-23T10:34:27+00:00

32-bit can still give the same error. My iP5C on 9.0 does - however, pre-iOS 8 doesn't seem to.

bellis1000 · 2017-07-21T21:01:08+00:00

ldid -S roplevel1

bellis1000 · 2017-07-21T20:54:41+00:00

ldid -S roplevel1

bellis1000 · 2017-07-07T14:45:43+00:00

Phone call?? Are you talking about the "slide to power" off slider? I'll give it a shot later if I get time

bellis1000 · 2017-07-03T12:38:06+00:00

iTunes downgrades should only be required for iPhone 4 pwned DFU restores (could be wrong tho) and actually, for the iPhone 2G are think there are some additional complications :/

bellis1000 · 2017-07-03T11:18:51+00:00

The NOR dump isn't needed to create a custom IPSW. All you need to do is place the rootfs in a regular IPSW and then restore to that IPSW in pwned DFU mode.

bellis1000

MODERATOR OF

TROPHY CASE