iPhone 5s, iOS 11.1
Jailbroken by Electra
How to jailbreak
Cydia Impactor and a new Apple ID required (You can use your own Apple ID at your risk).
If any error occurs on Cydia Impactor, try to login in Xcode and remove useless app/cert.
Trust your developer certificate in iOS Settings => General => Profiles & Device Management => DEVELOPER APP.
Write HelloWorld
helloworld.c
|
1 2 3 4 5 6 |
#include <stdio.h> int main() { printf("Hello, world!\n"); return 0; } |
build
|
1 |
clang -arch arm64 -mios-version-min=10.2 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/ -o helloworld helloworld.c |
sign with jtool
|
1 |
ARCH=arm64 jtool --sign --ent ent.xml helloworld |
ent.xml
|
1 2 3 4 5 6 7 8 |
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>platform-application</key> <true/> </dict> </plist> |
upload and run helloworld
|
1 2 3 4 5 |
iPhone:~ root# /tmp/helloworld -sh: /tmp/helloworld: Operation not permitted iPhone:~ root# mv /tmp/helloworld /bin/ iPhone:~ root# helloworld Hello, world! |
If this binary is not signed with platform-application entitlement, it will get a ‘Killed’ if it’s under /bin/
More
I wrote a cli based memory editor, which requires more than a hello world.
1 entitlements
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.springboard.debugapplications</key> <true/> <key>get-task-allow</key> <true/> <key>proc_info-allow</key> <true/> <key>task_for_pid-allow</key> <true/> <key>run-unsigned-code</key> <true/> <key>platform-application</key> <true/> </dict> </plist> |
2 patch_setuid() from coolstar’s example. But I’m using code from electra’s cydia fork, also mentioned after his example.
3 Special thanks to ThisTakenIsUsername.