Untethered + Unsandboxed code execution haxx as root on iOS 14 - iOS 14.8.1.
Based on CoreTrustDemo, also please note that certificates are not copyrightable.
# Usage

Note: requires macOS + an existing jailbreak.

## Get up and running

- On your Mac, import `dev_certificate.p12` into the keychain; the password is `password`.
- Modify `haxx.c` to include your own code (if you need it).
- Run `make` to build.
- On the device, copy `/System/Library/PrivateFrameworks/CoreAnalytics.framework/Support/analyticsd` to `/System/Library/PrivateFrameworks/CoreAnalytics.framework/Support/analyticsd.back`.
- Then replace `/System/Library/PrivateFrameworks/CoreAnalytics.framework/Support/analyticsd` with `/usr/bin/fileproviderctl`.
- Create the `/private/var/haxx` directory; mode should be 0777.
- Copy `fileproviderctl_internal` and `haxx` generated from the build to `/usr/local/bin` on the device; mode should be 0755.
- Profit.
# Fixing fileproviderctl

After doing the above steps, `fileproviderctl` will be broken. To fix it, do the following steps:

- Grab a copy of `/usr/bin/fileproviderctl` from your device to your Mac.
- Patch the binary with GNU sed:

  ```sh
  gsed -i 's|/usr/local/bin/fileproviderctl_internal|/usr/local/bin/fileproviderctl_XXXXXXXX|g' fileproviderctl
  ```

- Resign it:

  ```sh
  codesign -s "Worth Doing Badly iPhone OS Application Signing" --preserve-metadata=entitlements --force fileproviderctl
  ```

- Put the fixed binary back onto your device.
# Removal

To remove the installation, do the following steps:

- Copy `/System/Library/PrivateFrameworks/CoreAnalytics.framework/Support/analyticsd` to `/usr/bin/fileproviderctl`.
- Move `/System/Library/PrivateFrameworks/CoreAnalytics.framework/Support/analyticsd.back` to `/System/Library/PrivateFrameworks/CoreAnalytics.framework/Support/analyticsd`.
- Delete `/var/haxx`, `/usr/local/bin/fileproviderctl_internal` as well as `/usr/local/bin/haxx`.
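The install and removal steps above together define the set of files this modification adds to a device. As an added example (not part of the original README or the haxx project), the POSIX shell check below inventories those artifacts so you can confirm that a removal was complete, or audit a device for this modification. The optional root-prefix argument is an assumption of this example: it lets the check run against a mounted or copied filesystem tree rather than only the live root.

```shell
#!/bin/sh
# Added example, not part of the haxx project: inventory the artifacts that the
# install steps leave on a device, so an audit or a clean-up can confirm whether
# the modification is present. Paths are the ones named in the README; the root
# prefix argument is an assumption that lets the check run against a mounted or
# copied filesystem tree ("" means the live root).

# Print one "present: <path>" line per artifact found under the root prefix $1,
# plus a "world-writable:" line if the haxx directory has the 0777 mode the
# install step sets. Always returns 0; use haxx_artifact_count for scripting.
haxx_artifacts() {
    root="${1:-}"
    for p in \
        /System/Library/PrivateFrameworks/CoreAnalytics.framework/Support/analyticsd.back \
        /private/var/haxx \
        /usr/local/bin/fileproviderctl_internal \
        /usr/local/bin/haxx
    do
        if [ -e "$root$p" ]; then
            echo "present: $p"
        fi
    done
    dir="$root/private/var/haxx"
    # ls -ld prints the mode string in the first ten characters; a 0777
    # directory shows as drwxrwxrwx.
    if [ -d "$dir" ] && [ "$(ls -ld "$dir" | cut -c1-10)" = "drwxrwxrwx" ]; then
        echo "world-writable: /private/var/haxx"
    fi
    return 0
}

# Number of artifacts present under the root prefix $1 (0 on a clean device).
haxx_artifact_count() {
    haxx_artifacts "$1" | grep -c '^present:' || true
}

# Stand-alone use: sh haxx_check.sh --check [ROOT]
if [ "${1:-}" = "--check" ]; then
    haxx_artifacts "${2:-}"
    echo "artifacts found: $(haxx_artifact_count "${2:-}")"
fi
```

Run it with an empty root on the device itself, or point it at a mounted backup or filesystem copy. A count of 0 after following the Removal section means every file the install added is gone; a remaining `analyticsd.back` is the usual leftover when only the binaries under `/usr/local/bin` were deleted.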