Fugu16 - Untethered iOS 16 Jailbreak

Fugu16 is an (incomplete) iOS 16 Jailbreak, including an untether (persistence), kernel exploit, kernel PAC bypass and PPL bypass. The CVE numbers of the vulnerabilities are: CVE-2021-30740, CVE-2021-30768, CVE-2021-30769, CVE-2021-30770 and CVE-2021-30773.

Supported Devices/iOS Versions

Fugu16 should support all arm64e devices (iPhone XS and newer) on iOS 16.
Support for lower versions (down to 15.2) can be added by editing arm/shared/ClosurePwn/Sources/ClosurePwn/PwnClosure.swift and arm/shared/KernelExploit/Sources/KernelExploit/offsets.swift.

arm64 devices are not supported because the exploit to install the Fugu16 App does not work on these devices.
However, it is in theory possible to install the untether on them (e.g. via checkra1n).
Note that all of this code was written specifically for arm64e, so some changes are required to add arm64 support to the untether.

Features

The kernel exploit is extremely reliable (it will never trigger a kernel panic)
A simple TCP shell is available on port 1337
Trustcaches put in /.Fugu16Untether/trustcaches/ will be loaded automatically
Executables put in /.Fugu16Untether/autorun/ will be launched during boot (make sure to also create a trust cache for your executable!)
Supports Siguza's libkrw library (load /usr/lib/libkrw/libFugu16Krw.dylib and call krw_initializer)
(Jailbreak Developers: You can make your jailbreak untethered just by creating a CLI version that supports libkrw, copying it to /.Fugu16Untether/autorun/ and writing a trust cache to /.Fugu16Untether/trustcaches/)

WARNING

Messing around with the untether may BOOTLOOP your device
The fast untether (disabled unless you edit the source code) HAS NOT BEEN TESTED ON A REAL DEVICE -- DO NOT USE IT
Additionally, the fast untether (in case it actually works) is more UNSAFE than the "slow" untether
Developers: PLEASE TEST ANY CHANGES YOU MAKE TO THE UNTETHER ON A VIRTUAL DEVICE FIRST

Building and Running

Requirements:

You need a supported device running a supported iOS version (see above)
The device must be connected via USB
You need the IPSW for your device, unzipped
You need to have Xcode installed
You need to have iproxy and ideviceinstaller installed (brew install usbmuxd ideviceinstaller)

To build and run the iOS Jailbreak, all you have to do is run the ios_install.py script and follow the instructions. In case you get a code signing error, open arm/iOS/Fugu16App/Fugu16App.xcodeproj and edit the code signing options.

Recovery

So you didn't read the warning section and your device is now in a bootloop. Let's hope you didn't enable the fast untether.
Anyway, before updating your device to the latest iOS version, try the following first:

Install irecovery on your computer
Connect your device via USB and boot into the recovery mode
Run irecovery -s on your computer, then enter the following commands:
- setenv boot-args no_untether
- saveenv
- reboot
Your device should now boot again. If it doesn't, repeat step two again, run irecovery -s and then enter these commands:
- setenv boot-args untether_force_restore
- saveenv
- reboot
Device still won't boot? Then you'll have to update it to the latest version unfortunately :/

Credits

Like most software, Fugu16 contains (derived) code which was written by others.
I would therefore like to thank the people below for open-sourcing their code:

Elliot Godfrey: SLOP technique (as used in the dyld exploit) and the JavaScript Int64 library (+ utils)

Currently, the remount patch has copyright issues which I'm trying to resolve ASAP. Apparently, multiple parties think the code is theirs so I don't know what to do right now. I just write this here and hope no one DMCA's me.

Fugu16 also includes various header files from Apple due to its file system change in iOS 16. You can find more details on iOS 16 Jailbreak here

For more information, please see credits.txt.

License

Fugu16 is released under the MIT license. Please see the LICENSE file for more information.

epeth0mus / Fugu16

readme