Closed: nerdtron123 closed this issue 7 years ago
It would be cool for someone to give it a shot (if it's possible).
I'm not an expert, but I'm fairly certain LaunchDaemons must be signed and verified by TeamID. During a jailbreak, code signing is bypassed, but since this is a semi-untethered jailbreak, this happens as part of the code after launching the app and pressing go, so it wouldn't let us arbitrarily load LaunchDaemons unless there were an exploit in code signing (override MISValidateSignature, something else super clever, etc.).
Furthermore, this is not a code-related issue so: #64 #162
If you are interested in the mechanics of untethered jailbreaks, I suggest Team Pangu's presentation regarding iOS 8.1 https://cansecwest.com/slides/2015/CanSecWest2015_Final.pdf. I don't know of any more recent writeups regarding iOS 9.
Edit: Check out kpwn's second-most-popular repo iOSRE, specifically: https://papers.put.as/papers/ios/2015/POC2015_RUXCON2015.pdf
TL;DR After two (three?) semi-untethered jailbreaks in a row, if it were that easy, don't you think SOMEONE would have thought of that?
If someone took the jailbreak, compiled it into one binary that would jailbreak when executed, signed it, and then made it a LaunchDaemon, would that possibly be an untethered jailbreak? Or are there things that need to load before jailbreaking?