SerotoninApp / Serotonin


Infinite Boot (fixed) #13

Closed znexo closed 9 months ago

znexo commented 9 months ago

iOS 16.2, iPhone 14 Pro. After successful exploitation of launchd, the next step would be to reboot userspace. But doing so kicks my device into a boot loop.

haxi0 commented 9 months ago

Please install ElleKit in Sileo.

znexo commented 9 months ago

Okay, thanks, that fixed the boot loop, but SpringBoard injection still doesn't seem to work. I'm not sure what's wrong, as everything seems right. Here are a couple of attachments.

imperialwool commented 9 months ago

If you're using the bootstrap from RootHide, just enter the Bootstrap app, restart the server if it asks to, and do a respring. It works for me.

Edit: if only Serotonin did the job right; in Settings, enable Verbose Boot to find out whether it worked or not.

znexo commented 9 months ago

> If you're using the bootstrap from RootHide, just enter the Bootstrap app, restart the server if it asks to, and do a respring. It works for me.
>
> Edit: if only Serotonin did the job right; in Settings, enable Verbose Boot to find out whether it worked or not.

So these are some screenshots of me switching to the bootstrap, restarting the server, then respringing after the userspace reboot was successful. It also enables me to turn on verbose boot, no issue with that. SpringBoard injection still doesn't work, though.

whoeevee commented 9 months ago

SpringBoard injection also doesn't work for me (iPhone 13 on iOS 16.2); only a userspace reboot occurs, and toggling Verbose Boot has no effect.

znexo commented 9 months ago

> SpringBoard injection also doesn't work for me (iPhone 13 on iOS 16.2); only a userspace reboot occurs, and toggling Verbose Boot has no effect.

Yup, me and 3 others on two separate Discord servers also have the exact same effect. Something definitely has to be rewritten, I think.

Edit: all on iOS 16.2 as well!

imperialwool commented 9 months ago

> It also enables me to turn on verbose boot, no issue with that. SpringBoard injection still doesn't work, though.

If during the restart you didn't see any lines of code, it means that injection failed, as far as I understand.

So maybe there is a need for some tricks or things.

I tested on my SE 2020 on iOS 16.5 btw and it just works.

joeyoropesa-dev commented 9 months ago

Why doesn't RootHide support the AppSync tweak if this Serotonin (tool) is patching launchd and is able to execute any binary (daemon) as a platform binary with platform binary permissions? So in theory, a trustcache injection service or something should be able to work (to inject trustcaches and have kernel rw permissions to inject any code into any process, if ElleKit requires it to work properly)...

And is there any reason why bootloops happen, and since this is not an untethered jailbreak, how do users exit from bootlooping after using this tool?

Why, when the RootHide bootstrap is used, does its Sileo not have the sileo:// URI, and why are many rootless repos not supported?

And why is tweak injection not started normally as a service if we have patched launchd via this tool, so that the RootHide bootstrapper app can be avoided for running tweaks in apps? It would be nice to run ElleKit as a service (LaunchDaemons) so it can run any tweak that is installed and inject it into system and other processes that the target tweak requires. Simply, if on each tweak installation (including ElleKit tweak injection itself) the CoreTrust bug is applied, it should not kernel panic if a tweak is tried to be injected into some process. It should be fully supported.

And can this somehow be executed during boot so that we can be in CT jailbroken mode by default on each boot?

And if all of the above can be applied (from the beginning), why is it still called not/semi jailbroken?

Verification system: BootROM checks iBoot (BootROM exploits cannot give a fully untethered jb experience, but the good thing about them is that they cannot be fixed by Apple: once the bug exists physically in the target iDevice, every iOS version on that device can and will be vulnerable to executing a jailbreak; those types of jailbreaks are usually semi-tethered and tethered jailbreaks) > iBoot checks the kernel and other hashes and caches etc... (if that could be patched these days, we could have a fully untethered jailbreak without any extra work on the target iOS version and device) > Kernel checks the launchd binary (usually kernel exploits like kfd can patch the kernel easily without triggering panics by iBoot) > launchd binary checks every daemon execution, so Apple's launchd is executing stuff that is so critical that it runs CoreTrust and every other service so that iOS can work (this tool says that it's patching launchd, so it should allow a real jailbreak to be executed on the target iDevice and iOS version) > CoreTrust is checking everything else that runs as system (usually system and semi-system apps, and that is patched by TS these days on supported iOS versions) > trustd and other iOS services are checking all executions that are running as user.

So basically, if launchd can be patched with this tool like the description says, and it doesn't trigger kernel panics, since the kernel is checking launchd to be sure that nothing is modified there (that could also be called a launchd exploit, not just launchd patching), every other security feature that prevents unsigned code execution and a real jailbreak can be bypassed easily, and a real jailbreak can run.

But the question is: can launchd be patched like that but survive reboots?

And do tweaks require kernel rw access to inject into processes, or can this method provide rw access safely using the launchd hack to run CoreTrust-signed daemons that will be executed as platform binaries? Platform binaries by default have all permissions (including to temporarily write in the kernel, to write trustcaches and to do many things), so tweaks could actually work with this launchd patch/hack (which can be called a launchd exploit) and the CoreTrust bug.

Thanks in advance for explanations and for giving me more details on this topic, to understand better why it can and can't be done.

znexo commented 9 months ago

Serotonin is now working for me with this build! https://github.com/mineek/Serotonin/issues/27#issue-2071515048 Anyone else who experienced issues similar to the above, use this build from haxi0!

joeyoropesa-dev commented 9 months ago

Why doesn't RootHide support the AppSync tweak if this Serotonin (tool) is patching launchd and is able to execute any binary (daemon) as a platform binary with platform binary permissions? So in theory, a trustcache injection service or something should be able to work (to inject trustcaches and have kernel rw permissions to inject any code into any process, if ElleKit requires it to work properly)...

And is there any reason why bootloops happen, and since this is not an untethered jailbreak, how do users exit from bootlooping after using this tool?

Why, when the RootHide bootstrap is used, does its Sileo not have the sileo:// URI, and why are many rootless repos not supported?

And why is tweak injection not started normally as a service if we have patched launchd via this tool, so that the RootHide bootstrapper app can be avoided for running tweaks in apps? It would be nice to run ElleKit as a service (LaunchDaemons) so it can run any tweak that is installed and inject it into system and other processes that the target tweak requires. Simply, if on each tweak installation (including ElleKit tweak injection itself) the CoreTrust bug is applied, it should not kernel panic if a tweak is tried to be injected into some process. It should be fully supported.

And can this somehow be executed during boot so that we can be in CT jailbroken mode by default on each boot?

And if all of the above can be applied (from the beginning), why is it still called not/semi jailbroken?

Verification system: BootROM checks iBoot (BootROM exploits cannot give a fully untethered jb experience, but the good thing about them is that they cannot be fixed by Apple: once the bug exists physically in the target iDevice, every iOS version on that device can and will be vulnerable to executing a jailbreak; those types of jailbreaks are usually semi-tethered and tethered jailbreaks) > iBoot checks the kernel and other hashes and caches etc... (if that could be patched these days, we could have a fully untethered jailbreak without any extra work on the target iOS version and device) > Kernel checks the launchd binary (usually kernel exploits like kfd can patch the kernel easily without triggering panics by iBoot) > launchd binary checks every daemon execution, so Apple's launchd is executing stuff that is so critical that it runs CoreTrust and every other service so that iOS can work (this tool says that it's patching launchd, so it should allow a real jailbreak to be executed on the target iDevice and iOS version) > CoreTrust is checking everything else that runs as system (usually system and semi-system apps, and that is patched by TS these days on supported iOS versions) > trustd and other iOS services are checking all executions that are running as user.

So basically, if launchd can be patched with this tool like the description says, and it doesn't trigger kernel panics, since the kernel is checking launchd to be sure that nothing is modified there (that could also be called a launchd exploit, not just launchd patching), every other security feature that prevents unsigned code execution and a real jailbreak can be bypassed easily, and a real jailbreak can run.

But the question is: can launchd be patched like that but survive reboots?

And do tweaks require kernel rw access to inject into processes, or can this method provide rw access safely using the launchd hack to run CoreTrust-signed daemons that will be executed as platform binaries? Platform binaries by default have all permissions (including to temporarily write in the kernel, to write trustcaches and to do many things), so tweaks could actually work with this launchd patch/hack (which can be called a launchd exploit) and the CoreTrust bug.

Thanks in advance for explanations and for giving me more details on this topic, to understand better why it can and can't be done.

@mineek (sorry for the ping, but since this issue is now closed, I need to be sure that it will be in your notifications or somewhere you will be able to see this message, instead of creating a new GitHub issue just for this)

znexo commented 9 months ago

> Why doesn't RootHide support the AppSync tweak if this Serotonin (tool) is patching launchd and is able to execute any binary (daemon) as a platform binary with platform binary permissions? So in theory, a trustcache injection service or something should be able to work (to inject trustcaches and have kernel rw permissions to inject any code into any process, if ElleKit requires it to work properly)...
>
> And is there any reason why bootloops happen, and since this is not an untethered jailbreak, how do users exit from bootlooping after using this tool?
>
> Why, when the RootHide bootstrap is used, does its Sileo not have the sileo:// URI, and why are many rootless repos not supported?
>
> And why is tweak injection not started normally as a service if we have patched launchd via this tool, so that the RootHide bootstrapper app can be avoided for running tweaks in apps? It would be nice to run ElleKit as a service (LaunchDaemons) so it can run any tweak that is installed and inject it into system and other processes that the target tweak requires. Simply, if on each tweak installation (including ElleKit tweak injection itself) the CoreTrust bug is applied, it should not kernel panic if a tweak is tried to be injected into some process. It should be fully supported.
>
> And can this somehow be executed during boot so that we can be in CT jailbroken mode by default on each boot?
>
> And if all of the above can be applied (from the beginning), why is it still called not/semi jailbroken?
>
> Verification system: BootROM checks iBoot (BootROM exploits cannot give a fully untethered jb experience, but the good thing about them is that they cannot be fixed by Apple: once the bug exists physically in the target iDevice, every iOS version on that device can and will be vulnerable to executing a jailbreak; those types of jailbreaks are usually semi-tethered and tethered jailbreaks) > iBoot checks the kernel and other hashes and caches etc... (if that could be patched these days, we could have a fully untethered jailbreak without any extra work on the target iOS version and device) > Kernel checks the launchd binary (usually kernel exploits like kfd can patch the kernel easily without triggering panics by iBoot) > launchd binary checks every daemon execution, so Apple's launchd is executing stuff that is so critical that it runs CoreTrust and every other service so that iOS can work (this tool says that it's patching launchd, so it should allow a real jailbreak to be executed on the target iDevice and iOS version) > CoreTrust is checking everything else that runs as system (usually system and semi-system apps, and that is patched by TS these days on supported iOS versions) > trustd and other iOS services are checking all executions that are running as user.
>
> So basically, if launchd can be patched with this tool like the description says, and it doesn't trigger kernel panics, since the kernel is checking launchd to be sure that nothing is modified there (that could also be called a launchd exploit, not just launchd patching), every other security feature that prevents unsigned code execution and a real jailbreak can be bypassed easily, and a real jailbreak can run.
>
> But the question is: can launchd be patched like that but survive reboots?
>
> And do tweaks require kernel rw access to inject into processes, or can this method provide rw access safely using the launchd hack to run CoreTrust-signed daemons that will be executed as platform binaries? Platform binaries by default have all permissions (including to temporarily write in the kernel, to write trustcaches and to do many things), so tweaks could actually work with this launchd patch/hack (which can be called a launchd exploit) and the CoreTrust bug.
>
> Thanks in advance for explanations and for giving me more details on this topic, to understand better why it can and can't be done.
>
> @mineek (sorry for the ping, but since this issue is now closed, I need to be sure that it will be in your notifications or somewhere you will be able to see this message, instead of creating a new GitHub issue just for this)

Wouldn't making tweak injection / ElleKit into a launch daemon cause extreme jailbreak detection issues? I'm sure the bootstrap is configured this way to avoid most jailbreak checks. Let alone, this is not a jailbreak, and will never be, I'm sure of it. This is only the beginning of the iOS 16 jailbreak.

joeyoropesa-dev commented 9 months ago

> > Why doesn't RootHide support the AppSync tweak if this Serotonin (tool) is patching launchd and is able to execute any binary (daemon) as a platform binary with platform binary permissions? So in theory, a trustcache injection service or something should be able to work (to inject trustcaches and have kernel rw permissions to inject any code into any process, if ElleKit requires it to work properly)...
> >
> > And is there any reason why bootloops happen, and since this is not an untethered jailbreak, how do users exit from bootlooping after using this tool?
> >
> > Why, when the RootHide bootstrap is used, does its Sileo not have the sileo:// URI, and why are many rootless repos not supported?
> >
> > And why is tweak injection not started normally as a service if we have patched launchd via this tool, so that the RootHide bootstrapper app can be avoided for running tweaks in apps? It would be nice to run ElleKit as a service (LaunchDaemons) so it can run any tweak that is installed and inject it into system and other processes that the target tweak requires. Simply, if on each tweak installation (including ElleKit tweak injection itself) the CoreTrust bug is applied, it should not kernel panic if a tweak is tried to be injected into some process. It should be fully supported.
> >
> > And can this somehow be executed during boot so that we can be in CT jailbroken mode by default on each boot?
> >
> > And if all of the above can be applied (from the beginning), why is it still called not/semi jailbroken?
> >
> > Verification system: BootROM checks iBoot (BootROM exploits cannot give a fully untethered jb experience, but the good thing about them is that they cannot be fixed by Apple: once the bug exists physically in the target iDevice, every iOS version on that device can and will be vulnerable to executing a jailbreak; those types of jailbreaks are usually semi-tethered and tethered jailbreaks) > iBoot checks the kernel and other hashes and caches etc... (if that could be patched these days, we could have a fully untethered jailbreak without any extra work on the target iOS version and device) > Kernel checks the launchd binary (usually kernel exploits like kfd can patch the kernel easily without triggering panics by iBoot) > launchd binary checks every daemon execution, so Apple's launchd is executing stuff that is so critical that it runs CoreTrust and every other service so that iOS can work (this tool says that it's patching launchd, so it should allow a real jailbreak to be executed on the target iDevice and iOS version) > CoreTrust is checking everything else that runs as system (usually system and semi-system apps, and that is patched by TS these days on supported iOS versions) > trustd and other iOS services are checking all executions that are running as user.
> >
> > So basically, if launchd can be patched with this tool like the description says, and it doesn't trigger kernel panics, since the kernel is checking launchd to be sure that nothing is modified there (that could also be called a launchd exploit, not just launchd patching), every other security feature that prevents unsigned code execution and a real jailbreak can be bypassed easily, and a real jailbreak can run.
> >
> > But the question is: can launchd be patched like that but survive reboots?
> >
> > And do tweaks require kernel rw access to inject into processes, or can this method provide rw access safely using the launchd hack to run CoreTrust-signed daemons that will be executed as platform binaries? Platform binaries by default have all permissions (including to temporarily write in the kernel, to write trustcaches and to do many things), so tweaks could actually work with this launchd patch/hack (which can be called a launchd exploit) and the CoreTrust bug.
> >
> > Thanks in advance for explanations and for giving me more details on this topic, to understand better why it can and can't be done.
> >
> > @mineek (sorry for the ping, but since this issue is now closed, I need to be sure that it will be in your notifications or somewhere you will be able to see this message, instead of creating a new GitHub issue just for this)
>
> Wouldn't making tweak injection / ElleKit into a launch daemon cause extreme jailbreak detection issues? I'm sure the bootstrap is configured this way to avoid most jailbreak checks. Let alone, this is not a jailbreak, and will never be, I'm sure of it. This is only the beginning of the iOS 16 jailbreak.

I've asked about the possibility, not that. I see that you had problems with this tool, so I guess that you're not a jb dev nor an iOS hacker who finds iOS vulns and makes exploits for jailbreak devs to build a jailbreak for all of us.

So devs usually know exactly the details of why it can or cannot be done.

I don't want to risk my only primary device doing experiments with it, so I'm asking people who have enough experience in making jailbreaks and exploits to tell me whether it is possible or not, and why.

That's why I pinged one of the devs of this repo to respond; they for sure know the reason in detail, but anyway, thank you for trying to answer me. I appreciate any help! ✨