            pszJBFilenamePath = "/private/var/tmp/jb-install";
        }
        else
        {
            assert();
            writeLog(3, "%.2s%5.5d\n", "bh.c", 134);
            exit(-1);
            pszJBFilenamePath = 0;
        }
    }
    else
    {
        pszJBFilenamePath = "/sbin/mount_nfs.temp";
    }
The code snippet shows that for iOS version 7, the install path for the next stage's binary is either /bin/sh or /private/var/tmp/jb-install (if the flag is non-zero). For iOS versions older than 7, the assert callback is called and the program terminates. For iOS 8 and greater, the install path is specified as /sbin/mount_nfs.temp.

The size of the data blob containing the next stage binary is verified to be non-zero. If the size is zero, the assert callback occurs and Stage 2 is terminated. The BZ2_* API functions are then used by Stage 2 to decompress the data into two files: the first file is the next stage binary, which, for iOS 9, is stored at /sbin/mount_nfs.temp. The second file is the configuration file, which is stored at /private/var/tmp/jb_cfg.

The permissions of the two files are changed to 0755 (making the files executable) before control returns to the main thread.

The final function that Stage 2 calls before terminating is responsible for moving the binary dropped by the previous step. For iOS versions 8 and 9, the file /sbin/mount_nfs.temp is renamed to /sbin/mount_nfs. If the iOS on the victim's phone is iOS 9, an attempt is made to delete /sbin/mount_nfs prior to the renaming operation. After renaming the file, the assert callback function is called, followed by the exit function, terminating Stage 2.

Once execution returns to the main thread, Stage 2 terminates silently.
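The drop, chmod and rename sequence above leaves two kinds of evidence a responder can look for: the fixed paths Stage 2 writes to, and the bzip2-compressed blobs it carries for the next stage binary and its configuration. The following Python is an added example, not code from the report or from the sample itself. It scans a constructed filesystem snapshot (a path-to-mode mapping standing in for a device backup listing) for the paths named in this section, noting the 0755 mode the analysis describes, and carves embedded bzip2 streams out of a constructed stand-in binary the same way a forensic tool would locate the blobs that the BZ2_* calls decompress. The sample snapshot, the stand-in binary and its blob contents are all constructed here; /bin/sh is deliberately left out of the indicator list because a shell binary is present on any jailbroken device and its existence alone does not point at Stage 2.

```python
import bz2
import stat
from typing import Dict, List, Tuple

# Drop/rename paths named in the analysis. /bin/sh is left out on purpose:
# a shell is present on any jailbroken device, so it is not specific to Stage 2.
STAGE2_INDICATOR_PATHS = {
    "/private/var/tmp/jb-install": "iOS 7 next-stage binary (flag set)",
    "/sbin/mount_nfs.temp": "iOS 8/9 next-stage binary before rename",
    "/sbin/mount_nfs": "iOS 8/9 next-stage binary after rename",
    "/private/var/tmp/jb_cfg": "configuration file dropped by Stage 2",
}

# Constructed filesystem snapshot (absolute path -> st_mode); not from a real device.
SAMPLE_SNAPSHOT = {
    "/sbin/mount_nfs": 0o100755,
    "/private/var/tmp/jb_cfg": 0o100755,
    "/private/var/tmp/notes.txt": 0o100644,
    "/usr/lib/libSystem.B.dylib": 0o100644,
}


def find_indicator_files(snapshot: Dict[str, int]) -> List[Tuple[str, str]]:
    """Return (path, reason) for each snapshot entry that matches an indicator path.
    A permission mode of 0755, as the analysis describes, is recorded in the reason."""
    findings = []
    for path in sorted(snapshot):
        reason = STAGE2_INDICATOR_PATHS.get(path)
        if reason is None:
            continue
        if stat.S_IMODE(snapshot[path]) == 0o755:
            reason += "; mode 0755 as set by Stage 2"
        findings.append((path, reason))
    return findings


BZ2_MAGIC = b"BZh"  # bzip2 stream header, followed by a block-size digit 1-9


def carve_bz2_streams(data: bytes) -> List[Tuple[int, bytes]]:
    """Locate embedded bzip2 streams in a byte buffer and return
    (offset, decompressed payload) for every stream that decompresses completely.
    False 'BZh' hits inside other data are skipped because they fail to decompress."""
    found = []
    pos = data.find(BZ2_MAGIC)
    while pos != -1:
        if pos + 4 <= len(data) and data[pos + 3] in b"123456789":
            dec = bz2.BZ2Decompressor()
            try:
                payload = dec.decompress(data[pos:])
            except OSError:
                payload = None
            if payload is not None and dec.eof:
                found.append((pos, payload))
                # Jump past the bytes this stream consumed before searching again.
                pos = len(data) - len(dec.unused_data)
                pos = data.find(BZ2_MAGIC, pos)
                continue
        pos = data.find(BZ2_MAGIC, pos + 1)
    return found


def build_sample_stage2() -> bytes:
    """Constructed stand-in for a Stage 2 binary: Mach-O 64-bit magic, filler,
    a bzip2 blob for the next-stage binary, more filler, a bzip2 blob for the
    config file, and trailing bytes. Contents are invented for this example."""
    next_stage = bz2.compress(b"\xcf\xfa\xed\xfe" + b"constructed next-stage binary " * 8)
    config = bz2.compress(b"server=example.invalid\ninterval=60\n")
    return (b"\xcf\xfa\xed\xfe" + b"\x00" * 64 + next_stage
            + b"\x90" * 32 + config + b"\x00" * 16)


if __name__ == "__main__":
    for path, reason in find_indicator_files(SAMPLE_SNAPSHOT):
        print(f"indicator: {path} ({reason})")
    for offset, payload in carve_bz2_streams(build_sample_stage2()):
        print(f"bzip2 stream at offset {offset}: {len(payload)} bytes decompressed")
```

The carver decompresses from each candidate header with a BZ2Decompressor rather than bz2.decompress so that it can read back unused_data and skip past the consumed bytes, and it only reports a hit when the end-of-stream marker was reached. Against a real Stage 2 sample, the same two checks would be run on the device backup's file listing and on the binary's data section.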
Existing Jailbreak Detection
As mentioned previously, the Stage 2 binary operates in two distinct modes. The first, which has already been discussed, constitutes a complete iOS exploit and jailbreak. The second is the code path taken when the Stage 2 binary is run on a system that has already been jailbroken. In this mode, Stage 2 simply takes advantage of the existing jailbreak backdoors to install the Pegasus-specific kernel patches.
Page 36