Platform-application

By @sskaje
Link: https://sskaje.me/2018/03/run-helloworld-on-jailbroken-ios-11/

iPhone 5s, iOS 11.1

Jailbroken by Electra

How to jailbreak

Cydia Impactor and a new Apple ID required (You can use your own Apple ID at your risk).

If any error occurs on Cydia Impactor, try to login in Xcode and remove useless app/cert.

Trust your developer certificate in iOS Settings => General => Profiles & Device Management => DEVELOPER APP.

Write HelloWorld

helloworld.c

#include <stdio.h>
int main()
{
    printf("Hello, world!\n");
    return 0;
}

#include <stdio.h>

int main()

{

printf("Hello, world!\n");

return 0;

}

build

clang -arch arm64 -mios-version-min=10.2 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/ -o helloworld helloworld.c

1	clang -arch arm64 -mios-version-min=10.2 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/ -o helloworld helloworld.c

sign with jtool

ARCH=arm64 jtool --sign --ent ent.xml helloworld

1	ARCH=arm64 jtool --sign --ent ent.xml helloworld

ent.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>platform-application</key>
        <true/>
    </dict>
</plist>

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>platform-application</key>

<true/>

</dict>

</plist>

upload and run helloworld

iPhone:~ root# /tmp/helloworld 
-sh: /tmp/helloworld: Operation not permitted
iPhone:~ root# mv /tmp/helloworld /bin/
iPhone:~ root# helloworld
Hello, world!

iPhone:~ root# /tmp/helloworld

-sh: /tmp/helloworld: Operation not permitted

iPhone:~ root# mv /tmp/helloworld /bin/

iPhone:~ root# helloworld

Hello, world!

If this binary is not signed with platform-application entitlement, it will get a ‘Killed’ if it’s under /bin/

I wrote a cli based memory editor, which requires more than a hello world.

1 entitlements

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>com.apple.springboard.debugapplications</key>
        <true/>
        <key>get-task-allow</key>
        <true/>
        <key>proc_info-allow</key>
        <true/>
        <key>task_for_pid-allow</key>
        <true/>
        <key>run-unsigned-code</key>
        <true/>
        <key>platform-application</key>
        <true/>
    </dict>
</plist>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>com.apple.springboard.debugapplications</key>

<true/>

<key>get-task-allow</key>

<true/>

<key>proc_info-allow</key>

<true/>

<key>task_for_pid-allow</key>

<true/>

<key>run-unsigned-code</key>

<true/>

<key>platform-application</key>

<true/>

</dict>

</plist>

2 patch_setuid() from coolstar’s example. But I’m using code from electra’s cydia fork, also mentioned after his example.

3 Special thanks to ThisTakenIsUsername.

Run HelloWorld on Jailbroken iOS 11 by @sskaje: https://sskaje.me/2018/03/run-helloworld-on-jailbroken-ios-11/

Tag: platform-application

Run HelloWorld on Jailbroken iOS 11

How to jailbreak

Write HelloWorld

More

Incoming search terms: