
    Friday, January 10, 2020

    iOS Jailbreak [Discussion] Jailbreak Detection: Defragging the methodology



    [Discussion] Jailbreak Detection: Defragging the methodology

    Posted: 09 Jan 2020 09:44 AM PST

    Hello everyone. Just a heads-up, this is going to be a long thread. In it, I'm going to share and detail the methodology used in some jailbreak detection, with the purpose of enlightening some aspects on why some apps to this day remain intact with no bypasses. This will also serve the purpose of helping not just those who are new to development, but also the users who may wonder how a jailbroken device is detected and why it is difficult to bypass, most of the time.

    I am also sharing some of the known methods that used to be applied (and are currently used, to some extent) by popular banking apps and some popular games (such as Fortnite, Pokémon GO, Animal Crossing, Switch Online, etc), and how these methods work.


    1. Detection Methods

    1.1 API Detection

    In case you're unfamiliar with what API stands for and what it is, take this brief explanation: an API, or Application Program Interface, is pretty much a set of protocols and tools that are used to structure a software application. An API is required to specify how certain software components should interact, both among each other and with the software itself. There are also web-based APIs that work with URLs by performing requests to the web in order to establish its components.

    Now, some apps take advantage of APIs to detect a jailbroken device. This is possible due to how APIs behave differently on jailbroken devices, and this makes it harder to be bypassed since the app performs API calls to jailbreak-check the device.

    To understand how API behavior can be affected due to being jailbroken, we need to take into consideration process forking. Process forking isn't possible on non-jailbroken devices since it is denied by the sandbox. Apps can check, through APIs, the returned pid of fork() to state whether the process was successful or not. In case it was successful, it can be determined that the device is jailbroken.

    Process forking isn't the only thing that you need to worry about when checking for a jailbreak using APIs. Calling the system() function with a NULL argument on a non-jailbroken device will return 0, while on a jailbroken device it will return 1. This occurs due to the performed check of system() that will determine if /bin/sh exists, and I'll elaborate further in this write-up how some developers have accomplished to bypass this.

    One of the most used API-based detection methods is checking dyld functions and its libraries as well (which I'll cover too later on). This is performed by calling functions such as _dyld_image_count() and _dyld_get_image_name() to check on what dylibs are currently loaded, and determine if it is a "third-party" dylib.


    1.2 System Files Check

    This is the most known jailbreak detection method; it's one of the most basic methods and one of the easiest to bypass, most of the time.

    As you obviously know, a jailbroken device has different system files than a non-jailbroken device, which is a necessity when jailbroken, and some apps take advantage of this necessity to check for a jailbreak.

    Some directories/files that are checked to determine whether a device is or is not jailbroken are the following:

    /jb
    /private/var/stash
    /private/var/lib/apt
    /private/var/tmp/cydia.log
    /private/var/lib/cydia
    /private/var/mobile/Library
    /Library/MobileSubstrate/MobileSubstrate.dylib
    /Library/MobileSubstrate/DynamicLibraries
    /System/Library/LaunchDaemons/
    /System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
    /var/cache/apt
    /var/lib/apt
    /var/lib/cydia
    /var/log/syslog
    /var/tmp/cydia.log
    /bin/bash
    /bin/sh
    /usr/sbin/sshd
    /usr/libexec/ssh-keysign
    /usr/bin/sshd
    /usr/libexec/sftp-server
    /etc/ssh/sshd_config
    /etc/apt
    /Applications/Cydia.app

    As you can see from the above example, which is still small, a lot of apps rely on reading directories and files to determine if your device is jailbroken. Some apps even go as far as reading specific tweak directories such as WinterBoard.app, iCleaner.app, CocoaTop.app, Flex.app, etc. Many other tweaks could be targeted as well, since these are just some of the ones that were previously targeted by certain apps/games.

    Reading directories/files isn't the only system-file based detection method. Some apps rely on jailbreak detection by checking permissions on certain directories and files, which are changed upon jailbreaking. Other ways of detection could be: dylib libraries, size of directories/files, specific paths, etc.

    For example, we could determine if a device is jailbroken by checking the size of /etc/fstab or /etc/hosts. Even without permissions to read these files, we can still check their size, which was a common technique used to determine a jailbroken device. This isn't a viable method anymore, though, since /etc/fstab can have its size modified by default entries upon updating the firmware of your device.

    Take the following piece of code as an example of a system file detection technique:

    bool check_jailbroken()
    {
        // Paths that are only expected to exist on a jailbroken device (see the list above).
        string[] paths = new string[10]
        {
            "/Applications/Cydia.app",
            "/private/var/lib/cydia",
            "/private/var/tmp/cydia.log",
            "/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist",
            "/usr/libexec/sftp-server",
            "/usr/bin/sshd",
            "/usr/sbin/sshd",
            "/Applications/iCleaner.app",
            "/Applications/Flex.app",
            "/Applications/WinterBoard.app",
        };
        int i;
        bool jailbroken = false;
        for (i = 0; i < paths.Length; i++)
        {
            // A single hit is enough to flag the device.
            // Note: File.Exists returns false for directories such as Cydia.app;
            // Directory.Exists is needed to cover those entries.
            if (System.IO.File.Exists(paths[i]))
            {
                jailbroken = true;
            }
        }
        return jailbroken;
    }

    The most common way to know if an app detected a jailbroken device (when it does not warn you with an alert) is when the app suddenly closes without previewing a single thing. Below you'll understand how this is performed:

    if (check_jailbroken())
    {
        // check_jailbroken() returns true on a jailbroken device, so this branch runs
        Application.Quit(); // quits the application, just an example
    }

    1.2.1 Symbolic Links Detection

    When a device is jailbroken, some of the directories that were originally located in the small system partition are overwritten and relocated to a larger partition. To maintain the stability of your device as a whole, symbolic links are created to transfer the original path of these directories towards the new location, so it doesn't fail upon checking for a directory in a previous path.

    Some jailbreak detection methods take advantage of this and they perform a check on the existence of symbolic links in specific directories/files. If a symbolic link is detected, a device could be determined as a jailbroken device.

    Some example-ish directories with symbolic links that are commonly checked are as follows:

    /Library/Ringtones
    /Library/Wallpaper
    /usr/libexec
    /usr/share
    /Applications

    1.2.2 Open-SSH Services Detection

    This is one of the most flawed methods used in jailbreak detection. Basically, an app can detect if your device is jailbroken by checking background services running that belong to OpenSSH. This can be easily bypassed by changing the port used in an OpenSSH connection. Note that this is also flawed due to how slow the detection method occurs since this is not pre-installed upon jailbreaking and much likely isn't running 24/7 unless you're that kind of person.

    1.2.3 Calling Cydia's URL Scheme

    Let's say you've moved Cydia.app to some other location to avoid a jailbreak check, but you forgot one thing that also helps: Cydia's URL scheme. That's right, some apps not only check the path and existence of Cydia.app, but they also check if you're jailbroken by calling cydia:// from within their app. If this proves to be successful, the device is determined as being jailbroken.

    While changing the Cydia.app path may seem easy, changing its URL scheme isn't quite as easy, but it's still bypassable by simply removing Cydia from an app's detection.


    1.3 Loaded Libraries

    When it comes to jailbreak detection through checking loaded libraries (dylib libraries), you need to take into account that some apps perform this at a low level while other apps perform this at a high level.

    Take the game app Fortnite as an example, and Pokémon GO. They use this method to detect a jailbroken device, but this is done at a high level. Not to mention that they also use other different detection methods alongside this one. Some of Nintendo's apps like Switch Online, among others, also rely on loaded libraries as a jailbreak detection method.

    This detection method is performed either by using the API-based detection or by calling functions to check the currently loaded libraries. This is why even when unjailbroken, some users still experience a detection in Pokémon GO. They do not only check dylib libraries, they also check system files, and some users still have leftover files on their device from a malfunctioned removal of a jailbreak tool or residual jailbreak files from an iCloud/iTunes backup.

    A simple example of this is as follows:

    Application.sandboxType == ApplicationSandboxType.SandboxBroken // Application is running in a broken sandbox.

    If we dive deep into this method by checking the loaded libraries, we can check the way that Fortnite detects a jailbreak.

    By defining and using MACH_TASK_BASIC_INFO, it successfully calls upon the virtual memory to allow a check on the loaded dylibs and the existing threads that belong to total_user and total_system; it can also perform a check on kernel memory in terms of whether it is alloc'ed or freed. Here's an example of how this works behind the scenes:

    #define TASK_ABSOLUTETIME_INFO 1

    struct task_absolutetime_info {
        uint64_t total_user;
        uint64_t total_system;
        uint64_t threads_user;      /* existing threads only */
        uint64_t threads_system;
    };

    typedef struct task_absolutetime_info task_absolutetime_info_data_t;
    typedef struct task_absolutetime_info *task_absolutetime_info_t;
    #define TASK_ABSOLUTETIME_INFO_COUNT ((mach_msg_type_number_t) \
        (sizeof (task_absolutetime_info_data_t) / sizeof (natural_t)))

    #define TASK_KERNELMEMORY_INFO 7

    struct task_kernelmemory_info {
        uint64_t total_palloc;      /* private kernel mem alloc'ed */
        uint64_t total_pfree;       /* private kernel mem freed */
        uint64_t total_salloc;      /* shared kernel mem alloc'ed */
        uint64_t total_sfree;       /* shared kernel mem freed */
    };

    And in the case of checking the loaded libraries:

    #define TASK_DYLD_INFO 17

    struct task_dyld_info {
        mach_vm_address_t all_image_info_addr;
        mach_vm_size_t    all_image_info_size;
        integer_t         all_image_info_format;
    };

    I'll provide the full documentation for task_info.h at the end of the thread. Or you can also check it on Apple's developer documentation, especially since it is open-sourced and worth taking a look into.


    1.4 Unity Engine & other Plug-ins

    Some of you may or may not know, but Nintendo utilizes a very different jailbreak detection technique other than checking the loaded libraries. Nintendo wrote a jailbreak detection based on Unity Engine that gathers help from external plug-ins to detect if a device is jailbroken by submitting analytical data over the web, most similar to a web-based API detection method. Although I couldn't find much on this, I was able to find some of the code written by Nintendo. This is the detection method used in Animal Crossing, which belongs to Nintendo.

    This method utilizes a Unity Project ID (UPID) and the API key belonging to Unity Engine. It sends a request by calling the arguments startDate and endDate, which is a 31-day limited request. This request can be performed every time the app is started, keeping the data available in a RAW export sent to Unity Analytics.

    An example to this request's response is as follows:

    {
      "id": "8228d1e9-31b3-4a5e-aabe-55d9c8afa052",
      "upid": "beff3f49-b9ed-41a4-91ea-677e9b85e71e",
      "createdAt": "2016-05-10T10:10:10.100+0000",
      "status": "running",
      "duration": 0,
      "request": {
        "startDate": "2016-05-01",
        "endDate": "2016-05-02",
        "format": "json",
        "dataset": "appRunning"
      }
    }

    But let's fast forward to where the jailbreak detection takes part. The piece of code written/modified by Nintendo was done in C#, making it impossible to hook with theos, or specifically, to DeviceInfoEvent due to it being compiled with il2cpp, and being a C# method.

    This uses the boolean rooted_jailbroken, located in UnityEngine::Analytics::DeviceInfoEvent at the offset 0000000100C5AF70.

    Take a look at how DeviceInfo performs this event:

    {
      "namespace": "com.unity.analytics.commons.schema",
      "name": "DeviceInfoEvent",
      "type": "record",
      "fields": [
        {"name": "ts", "type": "long", "default": 0},
        {"name": "appid", "type": "string", "default": ""},
        {"name": "type", "type": "string", "default": ""},
        {"name": "userid", "type": "string", "default": ""},
        {"name": "sessionid", "type": "string", "default": ""},
        {"name": "platform", "type": "string", "default": ""},
        {"name": "sdk_ver", "type": "string", "default": ""},
        {"name": "debug_device", "type": "boolean", "default": false},
        {"name": "user_agent", "type": "string", "default": ""},
        {"name": "submit_time", "type": "long", "default": 0},
        {"name": "debug_build", "type": "boolean", "default": false},
        {"name": "rooted_jailbroken", "type": "boolean", "default": false},
        {"name": "processor_type", "type": "string", "default": ""},
        {"name": "system_memory_size", "type": "string", "default": ""},
        {"name": "make", "type": "string", "default": ""},
        {"name": "app_ver", "type": "string", "default": ""},
        {"name": "license_type", "type": "string", "default": ""},
        {"name": "app_install_mode", "type": "string", "default": ""},
        {"name": "model", "type": "string", "default": ""},
        {"name": "engine_ver", "type": "string", "default": ""},
        {"name": "os_ver", "type": "string", "default": ""},
        {"name": "app_name", "type": "string", "default": ""},
        {"name": "timezone", "type": "string", "default": ""},
        {"name": "ads_tracking", "type": "boolean", "default": false}
      ]
    }

    2. Jailbreak Detection Bypass

    Since not many jailbreak detection bypasses are open-sourced due to obvious reasons (to keep it unpatchable for as long as possible), I've taken the most common and used techniques for this demonstration, as well as a few open-sourced bypasses available to the public.

    As shown in the source code of the tweak Shadow by jjolano, here's a useful way of preventing an app from checking symbolic links on your device:

    [_shadow addLinkFromPath:path toPath:resolved_path_ns] 

    The full source code will be linked in the end of this thread, in it you'll find the whole code detailed.

    In the source code you'll find various detailed ways that extend beyond symbolic link detection. You also have a majority of code written to prevent an app from accessing certain directories/files, their size, filters, permissions, etc., such as the following line of code that detects whether the app is soliciting to check the delete permissions of specified files:

    - (BOOL)isDeletableFileAtPath:(NSString *)path 

    Or the following example of how to prevent certain libraries from being correctly read by an app detection attempt:

    %group hook_dyld_image
    %hookf(uint32_t, _dyld_image_count) {
        // When a filtered image array is in use, report its count instead of the real one
        if (dyld_array_count > 0) {
            return dyld_array_count;
        }
        // Otherwise fall through to the original _dyld_image_count (standard Logos idiom)
        return %orig;
    }
    %end

    3. Useful Links and Developer Documentation

    If you have any other links that you may find useful for users to take a look into or for aspiring developers, please share them in the comments and I'll add them here.


    4. Final Remarks

    I'm not an expert on the matter, so I apologize in advance if something that I've stated here is incorrect or badly explained. If you're kind enough, please do point it out to me in the comments and I'll make the changes as soon as possible.

    In case you have some questions about this whole write-up or you're curious at some of the things that were stated in this thread, leave a question for me or for other people so we can try to help you and better explain it to you.

    I made this write-up due to interest in the subject and I thought about sharing it with the community so that some users may have an insight into how jailbreak detection has evolved and how difficult it is to bypass, in some cases. This is also supposed to help aspiring developers to better understand how these processes occur, and possibly to inspire them to try and challenge themselves by creating unique bypasses or by throwing together some thoughts and ideas on how to better improve the creation of jailbreak detection bypasses.

    EDIT 1: Added documentation to useful links, on banking apps and their detection of jailbroken devices. This seems like an interesting read to further enlighten the detection methods used by banking apps. Link provided by u/_SarahB_

    submitted by /u/alex_png
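    As an added illustration (not code from the original post), here is a compact C model of the checks the post describes in 1.1 and 1.2: the fork() and system(NULL) probes, a dyld image scan, and stat()/lstat()-based file and symbolic-link probes, written from an app developer's hardening perspective. The path tables and the temporary-directory fixture are constructed for the demonstration; it builds on macOS/iOS and Linux, with the dyld part compiled only on Apple platforms.

```c
#define _GNU_SOURCE               /* mkdtemp(), lstat(), symlink() on glibc */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __APPLE__
#include <mach-o/dyld.h>
#endif

/* File-existence check: true if any path in the table exists. */
bool any_path_exists(const char *const *paths, size_t n) {
    struct stat st;
    for (size_t i = 0; i < n; i++)
        if (stat(paths[i], &st) == 0)
            return true;
    return false;
}

/* Symbolic-link check: lstat() inspects the link itself; stat() would follow it. */
bool any_path_is_symlink(const char *const *paths, size_t n) {
    struct stat st;
    for (size_t i = 0; i < n; i++)
        if (lstat(paths[i], &st) == 0 && S_ISLNK(st.st_mode))
            return true;
    return false;
}

/* fork() probe: the App Store sandbox denies fork(), so a pid >= 0 means it is gone. */
bool fork_probe_succeeds(void) {
    pid_t pid = fork();
    if (pid < 0) return false;        /* expected on a stock device */
    if (pid == 0) _exit(0);           /* child: leave at once */
    waitpid(pid, NULL, 0);            /* parent: reap the child */
    return true;
}

/* system(NULL) probe: non-zero means a shell (/bin/sh) is usable. */
bool shell_available(void) { return system(NULL) != 0; }

/* Loaded-library check: count images outside the system library paths,
 * the "third-party dylib" heuristic. Compiles to 0 off Apple platforms. */
int count_non_system_images(void) {
    int n = 0;
#ifdef __APPLE__
    for (uint32_t i = 0; i < _dyld_image_count(); i++) {
        const char *name = _dyld_get_image_name(i);
        if (name && strncmp(name, "/usr/lib/", 9) != 0 &&
            strncmp(name, "/System/", 8) != 0)
            n++;
    }
#endif
    return n;
}

/* Constructed fixture, not a real device: a temp dir holding a file named like a
 * jailbreak artifact and a symlink named like a relocated system directory.
 * Returns bit 0 = artifact file found, bit 1 = symlink found. */
int run_fixture_check(void) {
    char dir[] = "/tmp/jbdemoXXXXXX", file[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/Cydia.app", dir);
    snprintf(lnk, sizeof lnk, "%s/Applications", dir);
    FILE *f = fopen(file, "w");                 /* stands in for Cydia.app */
    if (f) fclose(f);
    if (symlink(dir, lnk) != 0) return -1;      /* stands in for /Applications */
    const char *files[] = { "/nonexistent/jb", file };
    const char *links[] = { file, lnk };        /* a plain file must not count */
    int r = (any_path_exists(files, 2) ? 1 : 0) |
            (any_path_is_symlink(links, 2) ? 2 : 0);
    unlink(lnk); unlink(file); rmdir(dir);
    return r;
}
```

    On a stock iOS device an app would expect fork_probe_succeeds() and shell_available() to be false; the fixture only exercises the path and symlink logic so it can run on any POSIX host.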

    [Discussion] This concept I think looks awesome! Similar to Android but looks much better! Control center and notifications in one swipe!

    Posted: 09 Jan 2020 11:43 AM PST

    [Discussion] Add Jailbreak type to flair

    Posted: 09 Jan 2020 04:34 PM PST

    Anyone else think that you should be able to add which jailbreak you have to your user flair? Like Chimera, Unc0ver, Yalu, CheckRa1n, etc. A lot of people ask questions in this sub and it'd be a lot easier if we could tell which jailbreak they're on just by looking at their flair.

    submitted by /u/nate_w2020

    [Request] iOS 13 darkmode system wide on iOS 13. At the moment it's only on apps that allow system darkmode, but apps such as WhatsApp, Facebook and more are not dark. Also safari isn't dark in web page view

    Posted: 09 Jan 2020 10:33 PM PST

    [Update] Whoops now finally supports iOS13.

    Posted: 09 Jan 2020 02:23 PM PST

    [Request] The “first AirPod” charging status on lockscreen

    Posted: 09 Jan 2020 11:27 AM PST

    [Request]iCloud Keychain concept for the lockscreen

    Posted: 09 Jan 2020 10:26 AM PST

    [Request] classic style brightness and volume sliders for [[Centaur]]

    Posted: 09 Jan 2020 05:34 PM PST

    [Update] AltDeploy v1.0.1 - macOS High Sierra support

    Posted: 09 Jan 2020 11:18 AM PST

    [Giveaway] 3 copies of HapticKeys

    Posted: 09 Jan 2020 06:38 PM PST

    Let's start out by saying thank you to everyone who's been supporting my work. Words can't express how much it really helps me out and for that reason I'd like to give back to the community and give 3 copies of HapticKeys away.

    What is HapticKeys you ask? Give your keyboard a modern feel by adding haptic feedback to key presses and more!

    To enter, simply comment below your Packix username. I'll select and notify the winners at the end of the giveaway.

    P.S Feel free to follow my Twitter, won't hurt your chances. Please don't downvote in a giveaway, be kind.

    submitted by /u/cabralcole

    [Request] Firewall iP for iOS 12.X/A12 devices would be great

    Posted: 09 Jan 2020 03:08 PM PST

    [Update] AlarmGroups v2.0 - Support iOS 13

    Posted: 09 Jan 2020 05:45 AM PST

    This update adds iOS 13 support by creating a new section on top of the table for the groups.

    Available for free on my repo https://apt.fouadraheb.com

    Release post

    Twitter @FouadRaheb

    submitted by /u/FouadRaheb

    [Question] Ra1nUSB for Windows. I'm pretty much new to jailbreaking, had my phone jailbroken on iOS 12 and loved it. But since I'm a Windows user I'm getting pretty impatient with waiting so I found this solution. Is it better to wait for checkra1n or use this method? What are the pros and cons?

    Posted: 09 Jan 2020 12:54 PM PST

    [Request] Typestatus 2 for A12 phones. I’ll donate 100 to the bounty and I’d pay 20 dollars for a license. Let’s make it happen

    Posted: 09 Jan 2020 07:52 AM PST

    Typestatus 2 for A12 phones. I'll donate 100 to the bounty and I'd pay 20 dollars for a license. Let's make it happen. It's always been my favorite tweak and I've literally been waiting on it forever, let's find someone to make it happen!

    submitted by /u/gaginmyjag

    [Discussion] Chickfila Account Limit Bypass

    Posted: 09 Jan 2020 02:20 PM PST

    Hey jailbreakers! So if any of you guys like CFA, this could help us all. CFA's app only allows you to log in to up to 2 accounts. However, there are promotions where you get points when you make a new account, so if we could use some jailbreak techniques to be able to log in to as many accounts as we want, we could get a bunch of free CFA. If anyone has an idea please share! I'm thinking maybe something with Flex tweaks or some app duplication tweak.... Thanks in advance!

    submitted by /u/Cooolastic

    [Question] SuperLPM for IphoneX

    Posted: 09 Jan 2020 08:21 PM PST

    Does anyone know what happened to the SuperLPM for iPhone X? There was a release for it for ios 13 on https://superlpm.yourepo.com/ repo but I only see superlpm for iphone 8+

    submitted by /u/duvalstylz

    [Question]Will there be an Iphone XS Max Jailbreak 12.3.1 coming soon?

    Posted: 09 Jan 2020 08:11 PM PST

    Anyone know or heard if there will be a jailbreak for iPhone XS Max version 12.3.1? Purchased an iPhone with that version. Hope there's a jailbreak to come soon.

    submitted by /u/Mingo2120

    [Help]Does anyone know what the .espl substrate add on is for ?

    Posted: 09 Jan 2020 05:27 PM PST

    [Tip] How to get Ra1nUSB working on most custom PCs (NVIDIA GPUs)

    Posted: 09 Jan 2020 08:18 AM PST

    I don't know who this might help, but I've tried Ra1nUSB, and Ra1nStorm and could never get them to work until today. This should work for you if you're getting hung up on the ACPI error. This happens because Mac is notorious for not recognizing Nvidia graphics cards. When you boot up the clover menu, go down to options. In the boot arguments section, enter ONE of the following:

    (add -v in front of any of these for verbose boot)

    1. npci=0x3000
    2. npci=0x2000
    3. UseKernelCache=No npci=0x20000 -f
    4. PCIRootUID=1 npci=0x2000
    5. -x -graphicsenabler=yes

    The very first one worked like a charm for me. I used to use a Mac, but got kicked out of my house recently and only have access to a pc currently. Hopefully this helps some of you, I'm by no means an expert, just thought I'd share this even if it only helps one person.

    submitted by /u/nate_w2020

    [Question] I want to jailbreak using Checkra1n, but have some questions.

    Posted: 09 Jan 2020 04:14 PM PST

    1. Can this be undone? If so, how?
    2. If not, is there an undoable alternative for 13.3?
    3. Can I update while jailbroken? If not, what if I were to undo whatever jailbreak I have, update, then reapply the jailbreak assuming that the jailbreak for that version is out?
    4. What exactly can be done with jailbreaking besides Cydia?
    5. What are the worst cons and best pros to jailbreaking?

    Sorry if these questions are stupid, I don't want to completely mess up my device, which is new, I might add. Thanks in advance to all of the answers. I really want to know whether or not it's worth it. Again, sorry if these questions are dumb.

    submitted by /u/AlternativeAlgae6

    [Request]These two buttons on music widget?

    Posted: 09 Jan 2020 06:12 AM PST

    [Question] Tapping on Shortlook notification

    Posted: 09 Jan 2020 10:37 PM PST

    Just purchased shortlook and had a question, I can't tap on a notification to open it. Is that not something that's possible? Seems like the intuitive thing that tapping on a notification will take you to that app? Thanks

    submitted by /u/Qasim311

    [Question] I received an IPhone 8 as a secondary/travel phone. It came with 12.2 installed. Is 13.3 recommended? Or should I stay with 12.2?

    Posted: 09 Jan 2020 01:55 PM PST

    [Question] is there a working jailbreak bypass for current version Amazon Music?

    Posted: 09 Jan 2020 07:34 PM PST

    I am aware that version 8.9x works when downgrading with appadmin, however I am using AmazonHD and cannot take advantage of the higher bitrate unless I'm on AmazonMusic 9.3.x or higher.

    I have used [[Shadow]] [[LibertyLite]] [[unsub]]. Nothing has worked for me, unfortunately. Any last ditch methods?

    submitted by /u/Nick3RH812
