com.apple.driver.AppleMobileFileIntegrity and com.apple.driver.LightweightVolumeManager.
The com.apple.driver.AppleMobileFileIntegrity (AMFI) extension is responsible for enforcing iOS's code signing functionality. The com.apple.driver.LightweightVolumeManager extension is responsible for the partition table of the main storage device.
Stage 2 locates each of these extensions by calling OSKextCopyLoadedKextInfo with the extension's name, which returns a dictionary object containing information about the extension. Within the dictionary is the load offset of the extension being queried, which Stage 2 turns into a kernel memory address by adding the known kernel slide value.
Armed with the kernel address of AMFI, Stage 2 locates the following global variables:
● amfi_get_out_of_my_way
● cs_enforcement_disable
These two variables, when set, disable AMFI (amfi_get_out_of_my_way) and disable code signing enforcement (cs_enforcement_disable). Stage 2 then sets two more global variables: debug_flags and DEBUGflag. These two variables allow for debugging privileges on the victim's iPhone, further reducing the restrictions that the sandbox (Seatbelt) imposes on the device.
Next, Stage 2 patches the kernel functions vm_map_enter and vm_map_protect in order to disable code signing verifications within the virtual memory manager (making it possible to allocate RWX regions). Following this, Stage 2 patches the _mapForIO function within the LightweightVolumeManager before patching the kernel function csops to disable even more code signing protections.
Remounting the Drive
In order to jailbreak a device, the root file system must be accessible for writing. Stage 2 tests the writability of the root file system by calling the access function against /sbin/launchd to determine whether Stage 2 has write access to the root file system. If the file is read-only, Stage 2 patches the kernel function _mac_mount to disable the protection policy that prevents remounting the filesystem as read/write, and then remounts the root filesystem as read/write by calling mount("hfs", "/", MNT_UPDATE, mountData), where mountData specifies the /dev/disk0s1s1 device.
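As an added example (not code from the report, and not Pegasus code), a defender-side integrity check that mirrors the writability test described above from the other direction: it reads the mount flags of the volume holding a path and asks whether the caller could write to it, and flags any departure from the read-only baseline of a stock root volume. The check uses POSIX statvfs/ST_RDONLY so it also builds on non-Apple hosts; the paths passed in main are assumptions.

```c
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <sys/statvfs.h>

/* Observed state of the volume that contains a given path. */
typedef struct {
    int mounted_readonly;   /* 1 if the volume carries ST_RDONLY */
    int writable_by_us;     /* 1 if access(path, W_OK) succeeds */
    int error;              /* errno from statvfs(), 0 on success */
} rootfs_check_t;

/* Inspect mount flags and write access for `path`. On an untampered
 * device the root volume is read-only and the caller cannot write to
 * /sbin/launchd, so the expected result is {1, 0, 0}. */
rootfs_check_t check_root_volume(const char *path) {
    rootfs_check_t r = {0, 0, 0};
    struct statvfs sv;
    if (statvfs(path, &sv) != 0) {
        r.error = errno;
        return r;
    }
    r.mounted_readonly = (sv.f_flag & ST_RDONLY) ? 1 : 0;
    r.writable_by_us = (access(path, W_OK) == 0) ? 1 : 0;
    return r;
}

/* 1 when the volume is writable or was remounted read/write (the
 * MNT_UPDATE remount described above), 0 for the read-only baseline,
 * -1 when the path could not be inspected at all. */
int rootfs_tampered(rootfs_check_t r) {
    if (r.error) return -1;
    return (!r.mounted_readonly || r.writable_by_us) ? 1 : 0;
}

int main(void) {
    /* Assumed paths: "/" is always present; /sbin/launchd only on iOS/macOS. */
    const char *paths[] = { "/", "/sbin/launchd" };
    for (int i = 0; i < 2; i++) {
        rootfs_check_t r = check_root_volume(paths[i]);
        printf("%s: readonly=%d writable=%d err=%d tampered=%d\n",
               paths[i], r.mounted_readonly, r.writable_by_us, r.error,
               rootfs_tampered(r));
    }
    return 0;
}
```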
Stage 2 is written such that it will only operate on iOS 9 series iPhones, but code exists that suggests it was once used on older iOS versions. As evidence to support this claim, there exists a function, called after Stage 2 remounts the root file system, that modifies its execution path depending on whether it is running on iOS 7, iOS 8, or iOS 9. Depending on the iOS version, the function calls fsctl on either /bin/launchctl (for iOS 7 and 8) or /bin/launchd (for iOS 9). The fsctl call modifies the low disk space warning threshold as well as the very low disk space warning threshold, setting the values to 8192 and 8208, respectively.
Page 34