Open petroid opened 1 year ago
Is there a possibility that the app was updated since iOS 13 with new detection methods? I believe LL includes app-specific bypasses, something that Shadow is not designed for.
Sorry for late reply, for some reason github did not notify me that you replied.
Apps I'm having problems with are the same versions as they were on iOS 13. In fact, I tried all versions I could downgrade them to. I did not know LL included app-specific bypasses, but I hardly believe that it included bypasses for these particular apps, as they are kinda niche. This app, version 1.06 (latest at the moment), was bypassed by LL on iOS 13, but to be bypassed by Shadow on iOS 15 I had to downgrade it way down to 1.02. This app also did not get an update since I've updated iOS from 13 to 15. Both of these apps detect jb even in a non-jailbroken state, so I believe they rely on something trivial like checking for the existence of some jb-specific files. Is there a way to strace on iOS?
I'm using palera1n 2.0.0 (rootful) on an iPhone 8, iOS 15.7.2.
There is an fs_usage utility; this will log all file accesses but can be pretty chatty in logs. See if you are able to run this. Not sure if it needs to be resigned with ldid on device. Also, if you are able to compile Shadow from source as a debug build, it will output logs of every file access as well. Any suspicious paths you can retest with the shdw command.
https://www.icloud.com/iclouddrive/0d8k3XS2hYmOUyS7zbxfSAp7g#fs_usage
Thanks. I will investigate and report. fs_usage is included in palera1n setup btw
Tried banking app first.
I see some suspicious stat64 calls in the log, but some of them may not be for jb-specific things. Should I add all of them with shdw? And what does shdw do exactly? `usage: shdw [-g] | <path> [path [...]]` is not very helpful.
| call | errno | path |
|---|---|---|
| stat64 | [ 2] | /Applications/Cydia.app |
| stat64 | [ 2] | /Library/MobileSubstrate/MobileSubstrate.dylib |
| stat64 | [ 2] | private/var/tmp/cydia.log |
| stat64 | | /usr/sbin/sshd |
| stat64 | | /usr/libexec/ssh-keysign |
| lstat64 | [ 2] | /usr/arm-apple-darwin9 |
| lstat64 | | /usr/include |
| lstat64 | | /usr/libexec |
| lstat64 | | /usr/share |
| stat64 | [ 2] | /Applications/blackra1n.app |
| stat64 | [ 2] | /Applications/FakeCarrier.app |
| stat64 | [ 2] | /Applications/Icy.app |
| stat64 | [ 2] | /Applications/IntelliScreen.app |
| stat64 | [ 2] | /Applications/MxTube.app |
| stat64 | [ 2] | /Applications/RockApp.app |
| stat64 | [ 2] | /Applications/SBSetttings.app |
| stat64 | [ 2] | /Applications/WinterBoard.app |
| stat64 | [ 2] | /private/var/tmp/cydia.log |
| stat64 | [ 2] | /private/var/stash |
| stat64 | | /usr/libexec/cydia |
| stat64 | [ 2] | /usr/binsshd |
| stat64 | [ 2] | /usr/sbinsshd |
| stat64 | | /usr/libexec/sftp-server |
| stat64 | | private/var/cache/apt |
| stat64 | | private/var/lib/apt |
| stat64 | | private/var/lib/cydia |
| stat64 | [ 2] | private/var/log/syslog |
| stat64 | | /private/var/cache/apt |
| stat64 | | /private/var/lib/apt |
| stat64 | | /private/var/lib/cydia |
| stat64 | [ 2] | /private/var/log/syslog |
| stat64 | | /usr/bin/bash |
| stat64 | | /usr/bin/dash |
| stat64 | | /private/etc/apt |
| stat64 | | private/etc/apt |
| stat64 | | /private/etc/ssh/sshd_config |
| stat64 | | private/etc/ssh/sshd_config |
How ancient is their code anyway, blackra1n is ios 3 jailbreak...
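As an added illustration (not code from the thread or the Shadow project), here is a small Python script that pulls the path-taking syscalls out of an fs_usage capture like the listing above and separates paths the kernel reported as present from ENOENT probes. The fs_usage column layout and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout fs_usage prints (assumed here:
# "time  syscall  [errno]  path  elapsed  process"); not a real capture.
SAMPLE_LOG = """\
12:09:19.763893  stat64    [  2]  /Applications/Cydia.app                          0.000009   BankApp.1234
12:09:19.763912  stat64    [  2]  /Library/MobileSubstrate/MobileSubstrate.dylib   0.000007   BankApp.1234
12:09:19.763930  stat64           /usr/libexec                                     0.000011   BankApp.1234
12:09:19.763951  lstat64          /usr/share                                       0.000010   BankApp.1234
12:09:19.763970  stat64    [  2]  /usr/binsshd                                     0.000006   BankApp.1234
12:09:19.764001  open      [  2]  /private/var/tmp/cydia.log                       0.000008   BankApp.1234
12:09:19.764020  stat64           /usr/libexec                                     0.000005   BankApp.1234
12:09:19.764100  read                                                              0.000003   BankApp.1234
"""
# Syscalls whose argument is a path; other rows (read, write, ...) are skipped.
PATH_CALLS = {"stat64", "lstat64", "access", "open", "getattrlist", "readlink"}
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<call>\w+)\s+"
    r"(?:\[\s*(?P<errno>\d+)\])?\s*(?P<path>[^\s\d].*?)?\s+"
    r"(?P<elapsed>\d+\.\d+)\s+(?P<proc>\S+)$"
)

def parse_fs_usage(text):
    """Return (call, errno-or-None, path) tuples for path-taking syscalls."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["call"] not in PATH_CALLS or not m["path"]:
            continue
        errno = int(m["errno"]) if m["errno"] else None
        rows.append((m["call"], errno, m["path"]))
    return rows

def summarize(rows):
    """Per path: how often it was probed and whether the kernel ever
    answered success (no errno). errno 2 is ENOENT, i.e. 'does not exist'."""
    summary = defaultdict(lambda: {"calls": 0, "kernel_exists": False})
    for _call, errno, path in rows:
        summary[path]["calls"] += 1
        if errno is None:
            summary[path]["kernel_exists"] = True
    return dict(summary)

def existing_paths(rows):
    """Paths the kernel reported as present. Note this is the kernel's view:
    a userland hook such as Shadow can still report ENOENT to the app."""
    return sorted(p for p, info in summarize(rows).items() if info["kernel_exists"])
```

Feeding a real capture through parse_fs_usage and existing_paths gives the short list of probed paths that genuinely exist on the device, which is the set worth checking against the hide rules.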
shdw, when given a path, will simply test if that path is a jailbreak-related path, and is pretty much the basis of most of the logic for hiding paths aside from the hooks.
It is also possible that I may be "hiding" too many paths and that itself can trigger a flag... for example, if I were to hide /Applications/App Store.app, that can be seen as suspicious because it exists on stock iOS.
I thought shdw adds given paths to the blocklist 😅 maybe sometime in the future 😉
If a path is "hidden", shouldn't it cause some error on the stat64 call from the app? The listing above was captured while Shadow was enabled for this app.
It is possible to manually add your own paths by creating a ruleset plist.. 😆 although this is likely for more advanced users and not really necessary for the most part
Those calls will still come though. The capture appears to be what the kernel sees, but Shadow modifies what the app sees.
Okay, out of all the paths checked by the banking app, only these are "allowed":
/Applications/blackra1n.app
/Applications/Cydia.app
/Applications/FakeCarrier.app
/Applications/Icy.app
/Applications/IntelliScreen.app
/Applications/MxTube.app
/Applications/RockApp.app
/Applications/SBSetttings.app
/Applications/WinterBoard.app
/usr/binsshd
/usr/libexec
/usr/sbinsshd
/usr/share
Out of which only these actually exist on my iPhone:
/usr/libexec
/usr/share
Probably they should be allowed, as they contain non-jb stuff.
The other app is also making some suspicious calls, out of which these are "allowed":
/Applications/Cydia.app
/Applications/AppStore.app
/Applications/RockApp.app
/Applications/Icy.app
/Applications/WinterBoard.app
/Applications/SBSettings.app
/Applications/MxTube.app
/Applications/IntelliScreen.app
/System/Library/LaunchDaemons/com.ikey.bbot.plist
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
Out of which only /Applications/AppStore.app exists.
I guess you were right from the beginning and these apps use other detection methods, or rather a combination of methods.
Why not use snaputil in order to mount the snap and get the system partition without jailbreak, so they will think that you are not jailbroken?
I would like to see your proof of concept on that.
Besides, the secondary goal for Shadow is to allow tweaks to run while bypassing detection. This differentiates it from other bypass tweaks with not as good tweak compatibility or lack of tweaks at all.
ohh well, ok
Have you ever tried the Amazon Music app? I tried, but this doesn't work on it, probably because it has implemented DRM jailbreak detection (widevine_cdm_secured_ios.framework). I tried all jailbreak bypasses and none works. What do you think they did to make it unbypassable?
Last I tried, it works with vnodebypass. So it's quite possible they have injection detection plus filesystem detection via supervised syscalls (the latter of which is currently not handled by Shadow yet).
Last I tried, it works with vnodebypass.
I can't install vnodebypass for testing. The package from alias20 repo gives "unable to locate package" error, the one from ichitaso repo crashes dpkg.
I added my paths to the JailbreakMisc.plist file; could you please tell me if it will automatically bypass the files that I add?
First of all, great work. There really aren't that many working bypasses for iOS 14+, and Shadow is the best in my opinion. Sadly, it still doesn't bypass some of the apps I used to use back on iOS 13 with Liberty Lite. One of the apps I use actually crashes when jailbroken, and using Liberty on it stopped it from crashing, which Shadow sadly doesn't help with. Is there any chance that you could get some insights from Liberty Lite to implement the missing bypass functionality into Shadow? Maybe even get in touch with the developer. That would be great! I could share whatever little information I have, like app ids/versions, iOS version and the jb I'm using.