___________ __ __ __ __ __
/ ____/ ___// / / /___ / /____ / /_/ /_ ___ _____
/ /_ \__ \/ / / / __ \/ __/ _ \/ __/ __ \/ _ \/ ___/
/ __/ ___/ / /_/ / / / / /_/ __/ /_/ / / / __/ /
/_/ /____/\____/_/ /_/\__/\___/\__/_/ /_/\___/_/
by Ingan121
Fucking Simple Untethered code execution PoC for iOS 15, 16, and 17
- Patched in iOS 17.0 Developer Beta 3. See below for more details.
  - Since iOS 17.0DB3, `TestFlightServiceExtension` will not run at all if the TestFlight app is not a legitimate Apple-signed app.
  - Also, even with the legit TestFlight app, `TestFlightServiceExtension` will not run before the first unlock.
  - Legitimate `TestFlightServiceExtension` still autostarts after the first unlock or after the app install, though.
  - Installing a dev-signed ipa with the `com.apple.TestFlight` bundle ID is still allowed.
  - It still starts AFU + on app install if you install it with TrollStore. Tested on 17.0 on an iPhone 14 Pro Max.

- Get decrypted TestFlight ipa
- Rename it to TestFlight.ipa and place it in the same directory as `build.sh`
- Build FSUntether with `build.sh` in the root of the repository.
  - The script must be run with zsh. Just run `./build.sh` or `zsh build.sh`
- Install the built IPAs as instructed by `build.sh`
  - You'll need a paid certificate to retain the original `com.apple.TestFlight` bundle ID, if you're not using TrollStore.
  - FSUntether currently doesn't work if the bundle ID is changed.
- Disable USB restricted mode, connect your phone to your Mac or PC, then reboot the device
- Run `iproxy 1338 1338` and `nc localhost 1338` in separate terminals
- TestFlight app will crash on launch, but the untether will work fine.

- Tested versions and devices:
  - iPhone Xs: 15.1, 15.4.1
  - iPad Pro 12.9 6th gen: 16.1.1, 16.3.1, 16.4, 16.4.1, 16.5, 17.0DB1, 17.0DB2
  - iPhone 14 Pro Max: 16.1.2
- On 14.3 (Xs), `TestFlightServiceExtension` starts a few seconds after the first unlock, so there's no BFU code execution. (But there are Fugu14 and permasigning haxx that work BFU on 14, you know.)
- Versions below 13 are not tested. Note that the latest TestFlight requires iOS 14 or later. I don't even know if `TestFlightServiceExtension` exists on TestFlight for iOS 13 and below.

`TestFlightServiceExtension` of `TestFlight.app` automatically starts on boot, even before first unlock. That's all ¯\_(ツ)_/¯

- How did I find this? Just ran sysdiagnose BFU and found this was the only process in `/var` that is started before first unlock.
- Getting arbitrary code execution was a bit hard though. Directly replacing `TestFlightServiceExtension` with permasigned binaries didn't seem to work, so I had to modify the library it loads.

- Unsandboxing method varies per version; there are currently four supported build types.

1. Fully unsandboxed code execution with CVE-2022-26766 (permasigning) and FSUntetherGUI
   - Supported versions: 15.0-15.4.1, 15.5b1-b4, 15.6b1-b5 (AFU supported on 14)
   - The code injected into `TestFlightServiceExtension` launches FSUntetherGUI with `SBSOpenSensitiveURLAndUnlock`. This works while locked because FSUntetherGUI is replacing the Magnifier app.
   - And FSUntetherGUI launches unsandboxed, standalone iDownload as root.
     - This iDownload is completely unsandboxed. It can access all the files, execute binaries, kill processes, and so on.
   - After launching iDownload, FSUntetherGUI will respring the device to get you back to the lock screen. See the related comment for why.
   - FSUntetherGUI shows only a black screen when locked. I guess it has to do with the `com.apple.QuartzCore.secure-mode` entitlement (Magnifier, Camera, Notes, Calculator, etc. have it), but I don't know how to use it to get the app contents showing when locked.
2. Semi-unsandboxed code execution with CVE-2022-26766 (permasigning)
   - Supported versions: same as 1.
   - This unsandbox only has filesystem access. Also, it cannot access some sensitive paths like Calendar.
     - The latter restriction can be worked around by adding these entitlements to `TestFlightServiceExtension`, but I didn't do that.
     - Note that adding fully unsandboxing entitlements (like `com.apple.private.security.no-container`) to `TestFlightServiceExtension` doesn't work for some reason. Only `com.apple.security.exception.files.absolute-path.read-write` works, and this is what this unsandbox is using.
3. Semi-unsandboxed code execution with CVE-2022-46689 (MacDirtyCow)
   - Supported versions: 15.0-15.7.1, 16.0-16.1.2 (14 and below are NOT supported)
   - This unsandbox also only has filesystem access, and sensitive paths are unavailable here either.
   - Run `grant_full_disk_access` in iDownload while unlocked to grant the required permissions and get full disk access. After first granting the permission, you can run this command while locked, too.
4. Sandboxed code execution
   - Supported versions: 15.0-17.0DB2 (AFU supported on 14)
   - No unsandboxing at all. Things like `ls /var` will fail.

- `TestFlightServiceExtension` and the injected code start right after the app is installed.
  - If the app is signed with an enterprise cert and the cert has not been trusted yet, it doesn't start at all. It can be started after trusting the cert, and it will start when the app is reinstalled or the device is rebooted.
  - This might be potentially abused for zero-click over trusted USB or one-click over Safari, on iOS 15 and below?
    - Won't be possible with an ad-hoc cert on 16+ because of the new 'developer mode' requirement. Enterprise certs need the separate trust process anyway.
  - And no, this isn't useful for iCloud bypasses. iOS blocks app installation over USB when it's activation locked, even without a passcode. Also no installation over the captive portal browser. Just tested this on my 14.3 Xs with the passcode and activation record removed.
- Untether is not that fast. It usually starts 1-3 seconds before or after the Apple logo disappears.
- If you're in Setup.app because of an update, it will not start before first unlock. It starts after unlocking and tapping the first button in Setup.app.
- Setting `ASDTestFlightServiceExtensionServiceTime` to `-1` in the `Info.plist` of `TestFlightServiceExtension` makes iDownload run forever. Without this, iDownload will stop three minutes after starting.
  - Thanks to @alfiecg24 for finding this.
  - The process randomly gets restarted in the background when running without `ASDTestFlightServiceExtensionServiceTime`. I don't know the condition and timing.
- Note: if iproxy prints `No connected device found` when the connection is failing, it means your device is not being properly detected. Please check that your device is not USB restricted (Settings → Passcode → Accessories must be ON), that the cable is OK, and that no software like VMware is interfering with your connection.

- Get the original TestFlight functionality working
  - Or get FSU working after changing the bundle ID (it doesn't currently)
- Find out how to build an executable that can directly replace `TestFlightServiceExtension`
- Find out how to show the GUI app content when locked
  - FSUntetherGUI is currently abandoned as I downgraded my Xs to iOS 14.3

@LinusHenze for iDownload from Fugu14 and the CoreTrust exploit
@opa334 for TrollStore
@comex for sbsutils
@zhuowei for MacDirtyCow codes