LukeZGD/tns-sockport
TNS Sockport

An updated version of TotallyNotSpyware with sockport2 exploit and updated bootstrap.

  • Replaced v0rtex with sockport2 for better reliability
  • Installs Zebra v1.1.36 instead of Cydia on initial installation
  • I recommend using MeridianFix instead because of issues with doubleH3lix

[ Live version at lukezgd.github.io/tns-sockport ]

This program is definitely not spyware.
Run it on your 64-bit iOS device as soon as possible.
Your compliance will be rewarded.

Repo structure & building

The frontend and the WebKit exploit are in /root.
The kernel exploit is in /glue.
Post-exploitation is in /glue/dep.

DoubleH3lix and Meridian can be built independently into static libraries with make headless and make all respectively, run in their own directories.
Those libraries are then used to build the payload in /glue, which is the binary that is run from JIT after the WebKit exploit. It can be built with a plain make, which builds all dependencies as needed.
Finally, everything is strung together with the WebKit exploit by running make in /root, which again builds dependencies as needed.

Patch

We originally wanted to backport the WebKit patch to 10.x, but ultimately gave up.

See /patch for details, but the gist is:

One part of the WebKit bug was incorrect predictions in JSC::DFG::clobberize, which is essentially a huge switch-case. The fix for that was to re-route some values to blocks that are already used for other values.
On the versions we checked, the compiler had generated jump tables for that switch, so our idea was to find and patch all of those jump tables, since the correct code would already be present.
The problem is that the values everything depends on have changed hundreds of times over the lifetime of iOS 10 (yes, far more often than there have been iOS releases), and there seem to be no landmarks anywhere nearby in the code, so it's virtually impossible for us to determine which values to patch. :(

Credits
