jjolano / shadow

A jailbreak detection bypass for modern iOS jailbreaks.
https://ios.jjolano.me
BSD 3-Clause "New" or "Revised" License
769 stars 131 forks

[Feature Request] Liberty Lite does what Shadown’t #131

Open petroid opened 1 year ago

petroid commented 1 year ago

First of all, great work. There really aren't that many working bypasses for iOS 14+, and Shadow is the best in my opinion. Sadly it still doesn't bypass some of the apps I used to use back on iOS 13 with Liberty Lite. One of the apps I use actually crashes when jailbroken, and using Liberty on it stopped it from crashing, which Shadow sadly doesn't help with. Is there any chance that you could get some insights from Liberty Lite to implement the missing bypass functionality into Shadow? Maybe even get in touch with the developer. That would be great! I could share whatever little information I have, like app ids/versions, the iOS version and the jb I'm using.

jjolano commented 1 year ago

Is there a possibility that the app was updated since iOS 13 with new detection methods? I believe LL includes app-specific bypasses, something that Shadow is not designed for.

petroid commented 1 year ago

Sorry for the late reply, for some reason GitHub did not notify me that you replied.

The apps I'm having problems with are the same versions as they were on iOS 13. In fact, I tried all versions I could downgrade them to. I did not know LL included app-specific bypasses, but I hardly believe that it included bypasses for these particular apps, as they are kinda niche. This app, version 1.06 (latest at the moment), was bypassed by LL on iOS 13, but to be bypassed by Shadow on iOS 15 I had to downgrade it way down to 1.02. This app also did not get an update since I updated iOS from 13 to 15. Both of these apps detect jb even in a non-jailbroken state, so I believe they rely on something trivial like checking for the existence of some jb-specific files. Is there a way to strace on iOS?

I'm using palera1n 2.0.0 (rootful) on an iPhone 8, iOS 15.7.2.

jjolano commented 1 year ago

There is an fs_usage utility. This will log all file accesses but can be pretty chatty in the logs. See if you are able to run this. Not sure if it needs to be re-signed with ldid on device. Also, if you are able to compile Shadow from source as a debug build, it will output logs of every file access as well. Any suspicious paths you can retest with the shdw command.

https://www.icloud.com/iclouddrive/0d8k3XS2hYmOUyS7zbxfSAp7g#fs_usage

petroid commented 1 year ago

Thanks. I will investigate and report. fs_usage is included in the palera1n setup, btw.

petroid commented 1 year ago

Tried the banking app first. I see some suspicious stat64 calls in the log, but some of them may not be for jb-specific things. Should I add all of them with shdw? And what does shdw do exactly? "usage: shdw [-g] | <path> [path [...]]" is not very helpful.

call     errno  path
stat64   [ 2]   /Applications/Cydia.app
stat64   [ 2]   /Library/MobileSubstrate/MobileSubstrate.dylib
stat64   [ 2]   private/var/tmp/cydia.log
stat64          /usr/sbin/sshd
stat64          /usr/libexec/ssh-keysign
lstat64  [ 2]   /usr/arm-apple-darwin9
lstat64         /usr/include
lstat64         /usr/libexec
lstat64         /usr/share
stat64   [ 2]   /Applications/blackra1n.app
stat64   [ 2]   /Applications/FakeCarrier.app
stat64   [ 2]   /Applications/Icy.app
stat64   [ 2]   /Applications/IntelliScreen.app
stat64   [ 2]   /Applications/MxTube.app
stat64   [ 2]   /Applications/RockApp.app
stat64   [ 2]   /Applications/SBSetttings.app
stat64   [ 2]   /Applications/WinterBoard.app
stat64   [ 2]   /private/var/tmp/cydia.log
stat64   [ 2]   /private/var/stash
stat64          /usr/libexec/cydia
stat64   [ 2]   /usr/binsshd
stat64   [ 2]   /usr/sbinsshd
stat64          /usr/libexec/sftp-server
stat64          private/var/cache/apt
stat64          private/var/lib/apt
stat64          private/var/lib/cydia
stat64   [ 2]   private/var/log/syslog
stat64          /private/var/cache/apt
stat64          /private/var/lib/apt
stat64          /private/var/lib/cydia
stat64   [ 2]   /private/var/log/syslog
stat64          /usr/bin/bash
stat64          /usr/bin/dash
stat64          /private/etc/apt
stat64          private/etc/apt
stat64          /private/etc/ssh/sshd_config
stat64          private/etc/ssh/sshd_config

How ancient is their code anyway? blackra1n is an iOS 3 jailbreak...

jjolano commented 1 year ago

shdw, when given a path, will simply test if that path is a jailbreak-related path, and that is pretty much the basis of most of the logic for hiding paths, aside from the hooks.

It is also possible that I may be "hiding" too many paths and that itself can trigger a flag... for example, if I were to hide /Applications/App Store.app, that can be seen as suspicious because it exists on stock iOS.
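An added triage example (not code from Shadow or from anyone in this thread) for fs_usage-style "call errno path" listings like the one posted above: it separates probes the kernel answered with ENOENT from ones it confirmed, and flags probes of paths that exist on stock iOS, the case raised above about over-hiding and one consistent with an app flagging a jailbreak on a non-jailbroken device. The STOCK_PATHS set and the sample lines are constructed for the example, and the errno reading reflects what the kernel reported, not what Shadow lets the app see.

```python
import re
from collections import namedtuple
# Constructed sample in the "call errno path" layout posted above (paths
# taken from that listing; not a real capture). No errno means success.
SAMPLE_LOG = """\
call errno path
stat64 [ 2] /Applications/Cydia.app
stat64   /usr/sbin/sshd
lstat64   /usr/libexec
lstat64   /usr/share
stat64 [ 2] /Applications/blackra1n.app
stat64 [ 2] /usr/binsshd
stat64   private/var/lib/apt
"""
# Paths present on stock iOS (assumed list for this example, not Shadow's
# ruleset): a check that flags a successful stat on these fires on every device.
STOCK_PATHS = {"/usr/libexec", "/usr/share", "/usr/include", "/Applications/App Store.app"}
ENOENT = 2
Probe = namedtuple("Probe", "call errno path")
_LINE = re.compile(r"^(?P<call>l?stat64)\s+(?:\[\s*(?P<errno>\d+)\]\s*)?(?P<path>\S.*)$")

def parse_probes(text):
    """Parse 'call [errno] path' lines; the header and non-stat lines are skipped."""
    probes = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            errno = int(m.group("errno")) if m.group("errno") else 0
            probes.append(Probe(m.group("call"), errno, m.group("path").rstrip()))
    return probes

def triage(probes):
    """Bucket probed paths: 'stock' exists on unjailbroken iOS (a false-positive
    source, not an indicator); 'relative' lacks a leading '/' and resolves against
    the process cwd; 'absent' got ENOENT; 'present' was confirmed by the kernel."""
    buckets = {"stock": [], "relative": [], "absent": [], "present": []}
    for p in probes:
        if p.path in STOCK_PATHS:
            buckets["stock"].append(p.path)
        elif not p.path.startswith("/"):
            buckets["relative"].append(p.path)
        elif p.errno == ENOENT:
            buckets["absent"].append(p.path)
        else:
            buckets["present"].append(p.path)
    return buckets

if __name__ == "__main__":
    for bucket, paths in triage(parse_probes(SAMPLE_LOG)).items():
        print(f"{bucket:8s} {len(paths)}  {', '.join(paths)}")
```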

petroid commented 1 year ago

I thought shdw adds the given paths to a blocklist 😅 maybe sometime in the future 😉

If a path is "hidden", shouldn't it cause some error on the stat64 call from the app? The listing above was captured while Shadow was enabled for this app.

jjolano commented 1 year ago

It is possible to manually add your own paths by creating a ruleset plist 😆 although this is likely for more advanced users and not really necessary for the most part.

Those calls will still come though. The capture appears to be what the kernel sees, but Shadow modifies what the app sees.

petroid commented 1 year ago

Okay, out of all the paths checked by the banking app, only these are "allowed":

/Applications/blackra1n.app
/Applications/Cydia.app
/Applications/FakeCarrier.app
/Applications/Icy.app
/Applications/IntelliScreen.app
/Applications/MxTube.app
/Applications/RockApp.app
/Applications/SBSetttings.app
/Applications/WinterBoard.app
/usr/binsshd
/usr/libexec
/usr/sbinsshd
/usr/share

Of which only these actually exist on my iPhone:

/usr/libexec
/usr/share

Probably they should be allowed, as they contain non-jb stuff.

The other app is also doing some suspicious calls, of which these are "allowed":

/Applications/Cydia.app
/Applications/AppStore.app
/Applications/RockApp.app
/Applications/Icy.app
/Applications/WinterBoard.app
/Applications/SBSettings.app
/Applications/MxTube.app
/Applications/IntelliScreen.app
/System/Library/LaunchDaemons/com.ikey.bbot.plist
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist

Of which only /Applications/AppStore.app exists.

I guess you were right from the beginning and these apps use other detection methods. Or rather a combination of methods.

edwin170 commented 1 year ago

> Is there a possibility that the app was updated since iOS 13 with new detection methods? I believe LL includes app-specific bypasses, something that Shadow is not designed for.

Why not use snaputil to mount the snap and get the system partition without jailbreak, so they will think that you are not jailbroken?

jjolano commented 1 year ago

> > Is there a possibility that the app was updated since iOS 13 with new detection methods? I believe LL includes app-specific bypasses, something that Shadow is not designed for.
>
> Why not use snaputil to mount the snap and get the system partition without jailbreak, so they will think that you are not jailbroken?

I would like to see your proof of concept on that.

Besides, the secondary goal for Shadow is to allow tweaks to run while bypassing detection. This differentiates it from other bypass tweaks with worse tweak compatibility or no tweak support at all.

edwin170 commented 1 year ago

> > > Is there a possibility that the app was updated since iOS 13 with new detection methods? I believe LL includes app-specific bypasses, something that Shadow is not designed for.
> >
> > Why not use snaputil to mount the snap and get the system partition without jailbreak, so they will think that you are not jailbroken?
>
> I would like to see your proof of concept on that.
>
> Besides, the secondary goal for Shadow is to allow tweaks to run while bypassing detection. This differentiates it from other bypass tweaks with worse tweak compatibility or no tweak support at all.

Oh well, ok.

edwin170 commented 1 year ago

> > > Is there a possibility that the app was updated since iOS 13 with new detection methods? I believe LL includes app-specific bypasses, something that Shadow is not designed for.
> >
> > Why not use snaputil to mount the snap and get the system partition without jailbreak, so they will think that you are not jailbroken?
>
> I would like to see your proof of concept on that.
>
> Besides, the secondary goal for Shadow is to allow tweaks to run while bypassing detection. This differentiates it from other bypass tweaks with worse tweak compatibility or no tweak support at all.

Have you ever tried the Amazon Music app? I tried, but this doesn't work on it, probably because it has implemented the DRM jailbreak detection in widevine_cdm_secured_ios.framework. I tried all jailbreak bypasses and none works. What do you think they did to get unbypassable?

jjolano commented 1 year ago

Last I tried, it works with vnodebypass. So it's quite possible they have injection detection plus filesystem detection via supervised syscalls (the latter of which is currently not handled by Shadow yet).

petroid commented 1 year ago

> Last I tried, it works with vnodebypass.

I can't install vnodebypass for testing. The package from the alias20 repo gives an "unable to locate package" error, and the one from the ichitaso repo crashes dpkg.

edwin170 commented 1 year ago

> It is possible to manually add your own paths by creating a ruleset plist 😆 although this is likely for more advanced users and not really necessary for the most part.
>
> Those calls will still come though. The capture appears to be what the kernel sees, but Shadow modifies what the app sees.

I added my paths to the JailbreakMisc.plist file, so could you please tell me if it will automatically bypass the files that I add?