[iOS Hacker] iOS 11 应用如何获取 root 权限

iOS 11 使用 Electra 越狱，默认没有 root 权限，如果想获取 root 权限，可以参考 https://github.com/coolstar/electra/blob/master/docs/getting-started.md，调用 /usr/lib/libjailbreak.dylib 库里的 jb_oneshot_fix_setuid_now 函数，具体的操作在 main.m，代码如下：

#import <UIKit/UIKit.h>
#import "AppDelegate.h"
#import <dlfcn.h>

void patch_setuid() {
    void* handle = dlopen("/usr/lib/libjailbreak.dylib", RTLD_LAZY);
    if (!handle)
        return;
    
    // Reset errors
    dlerror();
    typedef void (*fix_setuid_prt_t)(pid_t pid);
    fix_setuid_prt_t ptr = (fix_setuid_prt_t)dlsym(handle, "jb_oneshot_fix_setuid_now");
    
    const char *dlsym_error = dlerror();
    if (dlsym_error)
        return;
    
    ptr(getpid());
}

/* Set platform binary flag */
#define FLAG_PLATFORMIZE (1 << 1)

void platformize_me() {
    void* handle = dlopen("/usr/lib/libjailbreak.dylib", RTLD_LAZY);
    if (!handle) return;
    
    // Reset errors
    dlerror();
    typedef void (*fix_entitle_prt_t)(pid_t pid, uint32_t what);
    fix_entitle_prt_t ptr = (fix_entitle_prt_t)dlsym(handle, "jb_oneshot_entitle_now");
    
    const char *dlsym_error = dlerror();
    if (dlsym_error) return;
    
    ptr(getpid(), FLAG_PLATFORMIZE);
}

void iOS11Root(){
    patch_setuid();
    platformize_me();
    setuid(0);
    setgid(0);
}

int main(int argc, char * argv[]) {
    
    NSLog(@"main");
    iOS11Root();
    
    @autoreleasepool {
        return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
    }
}

#import <UIKit/UIKit.h>

#import "AppDelegate.h"

#import <dlfcn.h>

void patch_setuid() {

void* handle = dlopen("/usr/lib/libjailbreak.dylib", RTLD_LAZY);

if (!handle)

return;

// Reset errors

dlerror();

typedef void (*fix_setuid_prt_t)(pid_t pid);

fix_setuid_prt_t ptr = (fix_setuid_prt_t)dlsym(handle, "jb_oneshot_fix_setuid_now");

const char *dlsym_error = dlerror();

if (dlsym_error)

return;

ptr(getpid());

}

/* Set platform binary flag */

#define FLAG_PLATFORMIZE (1 << 1)

void platformize_me() {

void* handle = dlopen("/usr/lib/libjailbreak.dylib", RTLD_LAZY);

if (!handle) return;

// Reset errors

dlerror();

typedef void (*fix_entitle_prt_t)(pid_t pid, uint32_t what);

fix_entitle_prt_t ptr = (fix_entitle_prt_t)dlsym(handle, "jb_oneshot_entitle_now");

const char *dlsym_error = dlerror();

if (dlsym_error) return;

ptr(getpid(), FLAG_PLATFORMIZE);

}

void iOS11Root(){

patch_setuid();

platformize_me();

setuid(0);

setgid(0);

}

int main(int argc, char * argv[]) {

NSLog(@"main");

iOS11Root();

@autoreleasepool {

return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));

}

将下面的 entitlements 配置信息保存为 ent.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>platform-application</key>
	<true/>
	<key>com.apple.private.mobileinstall.allowedSPI</key>
	<array>
		<string>Lookup</string>
		<string>Install</string>
		<string>Browse</string>
		<string>Uninstall</string>
		<string>LookupForLaunchServices</string>
		<string>InstallForLaunchServices</string>
		<string>BrowseForLaunchServices</string>
		<string>UninstallForLaunchServices</string>
		<string>CopyDiskUsageForLaunchServices</string>
		<string>InstallLocalProvisioned</string>
	</array>
	<key>com.apple.private.security.no-container</key>
	<true/>
	<key>com.apple.private.skip-library-validation</key>
	<true/>
	<key>com.apple.lsapplicationworkspace.rebuildappdatabases</key>
	<true/>
	<key>com.apple.private.MobileContainerManager.allowed</key>
	<true/>
	<key>com.apple.private.MobileGestalt.AllowedProtectedKeys</key>
	<true/>
	<key>com.apple.managedconfiguration.profiled-access</key>
	<true/>
	<key>com.apple.developer.icloud-services</key>
	<array>
		<string>CloudDocuments</string>
		<string>CloudKit</string>
	</array>
	<key>run-unsigned-code</key>
	<true/>
	<key>dynamic-codesigning</key>
	<true/>
	<key>get-task-allow</key>
	<true/>
</dict>
</plist>

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>platform-application</key>

<true/>

<key>com.apple.private.mobileinstall.allowedSPI</key>

<array>

<string>Lookup</string>

<string>Install</string>

<string>Browse</string>

<string>Uninstall</string>

<string>LookupForLaunchServices</string>

<string>InstallForLaunchServices</string>

<string>BrowseForLaunchServices</string>

<string>UninstallForLaunchServices</string>

<string>CopyDiskUsageForLaunchServices</string>

<string>InstallLocalProvisioned</string>

</array>

<key>com.apple.private.security.no-container</key>

<true/>

<key>com.apple.private.skip-library-validation</key>

<true/>

<key>com.apple.lsapplicationworkspace.rebuildappdatabases</key>

<true/>

<key>com.apple.private.MobileContainerManager.allowed</key>

<true/>

<key>com.apple.private.MobileGestalt.AllowedProtectedKeys</key>

<true/>

<key>com.apple.managedconfiguration.profiled-access</key>

<true/>

<key>com.apple.developer.icloud-services</key>

<array>

<string>CloudDocuments</string>

<string>CloudKit</string>

</array>

<key>run-unsigned-code</key>

<true/>

<key>dynamic-codesigning</key>

<true/>

<key>get-task-allow</key>

<true/>

</dict>

</plist>

对可执行文件进行签名

codesign -s - --entitlements ent.plist -f /Users/exchen/Library/Developer/Xcode/DerivedData/iOS11Root-efwgnvzsdoljpwhbapztlfheprsq/Build/Products/Debug-iphoneos/iOS11Root.app/iOS11Root

1	codesign -s - --entitlements ent.plist -f /Users/exchen/Library/Developer/Xcode/DerivedData/iOS11Root-efwgnvzsdoljpwhbapztlfheprsq/Build/Products/Debug-iphoneos/iOS11Root.app/iOS11Root

将 iOS11Root.app 上传到 /Applications，执行命令设置文件的权限，然后使用 uicache 更新，之后再打开应用就是 root 权限

chown root:wheel /Applications
chmod u+s iOS11Root
uicache

chown root:wheel /Applications

chmod u+s iOS11Root

uicache

转载请注明：exchen's blog » [iOS Hacker] iOS 11 应用如何获取 root 权限

与本文相关的文章