LinusHenze / Fugu14

Fugu14 is an untethered iOS 14.3-14.5.1 jailbreak
MIT License

Fugu14Untether #247

Closed sen0rxol0 closed 1 year ago

sen0rxol0 commented 1 year ago

Are there any clues on how to generate closures, e.g. analyticsd.closure, w/o running the app? Ok, for jailbreakd to be run it is required to be in userland, otherwise no closures are generated. Although it is possible to run jailbreakd from another app.

About Fugu14Untether on arm64 devices: "However, it is in theory possible to install the untether on them (e.g. via checkra1n)."

  1. SSH into device
  2. mount rootfs and rename apfs snapshot
  3. create directory .Fugu14Untether/ at rootfs mountpoint
  4. create directory HOME at path /private/var/mobile/Containers/Data/Fugu14Untether
  5. create directory clPath at path /private/var/Fugu14UntetherDYLD/Caches/com.apple.dyld/
  6. create symlink at path HOME/Library with destination /private/var/Fugu14UntetherDYLD
  7. create symlink at path /.Fugu14Untether/stage2 with destination /System/Library/CoreServices/ReportCrash
  8. add jailbreakd, trustcache, * JS files to /.Fugu14Untether/
  9. *add generated files analyticsd.closure, stage2.closure to the untether exploit closure folder clPath
  10. replace /System/Library/PrivateFrameworks/CoreAnalytics.framework/Support/analyticsd with /usr/libexec/keybagd
  11. modify /etc/master.passwd and /etc/passwd by replacing _analyticsd with _nanalyticsd, set home HOME for user
  12. add bootstrap.tar files
  13. add com.apple.analyticsd.plist to /Library/LaunchDaemons/
  14. add launchctl to /.Fugu14Untether/bin/
  15. change ownership to 264:264 in HOME, clPath

*: unclear
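Read from the forensic side, the layout in the post above doubles as a list of persistence indicators for this untether: the hidden staging directory, the fake analyticsd HOME, the closure cache, the two symlinks, the renamed `_nanalyticsd` user and the analyticsd binary that has been swapped for a copy of keybagd. The script below is an added example (not code from the Fugu14 project or from the issue author) that audits a mounted or extracted iOS root filesystem for exactly those artifacts. It assumes the rootfs is available read-only under the directory you pass as `ROOT` and that `/private/var` lives inside that tree; every path it checks comes from the post. `make_sample_tree` builds a constructed tree so the checker can be exercised offline.

```shell
#!/bin/sh
# Audit a mounted iOS rootfs (assumption: mounted read-only at $1) for the
# Fugu14Untether persistence layout described in the issue.  Prints one
# "FOUND:" line per indicator and, as the last line, the number of hits.

check_fugu14_artifacts() {
    root="${1%/}"
    hits=0
    # Filesystem indicators, taken verbatim from the install steps.
    # Each entry is  kind:path:description  with kind d=dir, l=symlink, f=file.
    for entry in \
        "d:/.Fugu14Untether:untether staging directory" \
        "d:/private/var/mobile/Containers/Data/Fugu14Untether:fake analyticsd HOME" \
        "d:/private/var/Fugu14UntetherDYLD/Caches/com.apple.dyld:closure cache directory" \
        "l:/private/var/mobile/Containers/Data/Fugu14Untether/Library:HOME/Library symlink" \
        "l:/.Fugu14Untether/stage2:stage2 symlink (points at ReportCrash)" \
        "f:/Library/LaunchDaemons/com.apple.analyticsd.plist:analyticsd launch daemon plist"
    do
        kind="${entry%%:*}"
        rest="${entry#*:}"
        path="${rest%%:*}"
        desc="${rest#*:}"
        case "$kind" in
            d) test -d "$root$path" ;;
            l) test -L "$root$path" ;;
            f) test -f "$root$path" ;;
        esac && { echo "FOUND: $desc ($path)"; hits=$((hits + 1)); }
    done

    # Step 11: the real _analyticsd account is renamed to _nanalyticsd.
    for pw in /etc/passwd /etc/master.passwd; do
        if [ -f "$root$pw" ] && grep -q '^_nanalyticsd:' "$root$pw"; then
            echo "FOUND: _nanalyticsd user in $pw"
            hits=$((hits + 1))
            break
        fi
    done

    # Step 10: analyticsd replaced with a copy of keybagd; a byte-identical
    # pair is a strong indicator, since the two binaries never match on a
    # stock system.
    a="$root/System/Library/PrivateFrameworks/CoreAnalytics.framework/Support/analyticsd"
    k="$root/usr/libexec/keybagd"
    if [ -f "$a" ] && [ -f "$k" ] && cmp -s "$a" "$k"; then
        echo "FOUND: analyticsd is byte-identical to keybagd"
        hits=$((hits + 1))
    fi

    echo "$hits"
}

# Constructed sample tree (not a real device image) carrying every indicator.
make_sample_tree() {
    d="${1%/}"
    mkdir -p "$d/.Fugu14Untether" \
             "$d/private/var/mobile/Containers/Data/Fugu14Untether" \
             "$d/private/var/Fugu14UntetherDYLD/Caches/com.apple.dyld" \
             "$d/Library/LaunchDaemons" "$d/etc" \
             "$d/System/Library/PrivateFrameworks/CoreAnalytics.framework/Support" \
             "$d/usr/libexec"
    ln -s /private/var/Fugu14UntetherDYLD "$d/private/var/mobile/Containers/Data/Fugu14Untether/Library"
    ln -s /System/Library/CoreServices/ReportCrash "$d/.Fugu14Untether/stage2"
    : > "$d/Library/LaunchDaemons/com.apple.analyticsd.plist"
    # Constructed passwd line; only the renamed user name matters here.
    printf '_nanalyticsd:*:264:264::0:0:Analytics Daemon:/private/var/mobile/Containers/Data/Fugu14Untether:/usr/bin/false\n' \
        > "$d/etc/passwd"
    printf 'constructed-keybagd-bytes\n' > "$d/usr/libexec/keybagd"
    cp "$d/usr/libexec/keybagd" \
       "$d/System/Library/PrivateFrameworks/CoreAnalytics.framework/Support/analyticsd"
}

# Usage: sh audit.sh /mnt/rootfs   (with no argument nothing is scanned)
if [ -n "${1:-}" ]; then
    check_fugu14_artifacts "$1"
fi
```

The last line of output is the indicator count, so a wrapper can treat any non-zero value as "untether layout present" while the `FOUND:` lines tell an analyst which steps were applied. The symlink checks use `test -L` rather than `test -e` on purpose: on an offline image both links are dangling, and that is still the indicator.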