Are there any clues on how to generate closures, e.g. analyticsd.closure, without running the app?
Ok, for jailbreakd to be run it is required to be in userland, otherwise no closures are generated.
Although it is possible to run jailbreakd from another app.
About Fugu14Untether on arm64 devices:
" However, it is in theory possible to install the untether on them (e.g. via checkra1n). "
*modifying jailbreakd
adding Fugu14Untether on a checkm8-vulnerable device:
SSH into the device
mount rootfs and rename the APFS snapshot
create directory .Fugu14Untether/ at rootfs mountpoint
create directory HOME at path /private/var/mobile/Containers/Data/Fugu14Untether
create directory clPath at path /private/var/Fugu14UntetherDYLD/Caches/com.apple.dyld/
create symlink at path HOME/Library with destination /private/var/Fugu14UntetherDYLD
create symlink at path /.Fugu14Untether/stage2 with destination /System/Library/CoreServices/ReportCrash
add jailbreakd, trustcache, * JS files to /.Fugu14Untether/
*add generated files analyticsd.closure, stage2.closure to the untether exploit closure folder clPath
replace /System/Library/PrivateFrameworks/CoreAnalytics.framework/Support/analyticsd with /usr/libexec/keybagd
modify /etc/master.passwd and /etc/passwd by replacing _analyticsd with _nanalyticsd, set home HOME for user
add bootstrap.tar files
add com.apple.analyticsd.plist to /Library/LaunchDaemons/
add launchctl to /.Fugu14Untether/bin/
set owner 264:264 on HOME, clPath
*: unclear