The Future of the /var/jb Root Path #1378
Comments
|
|
Fugu15 Max already installs the bootstrap in |
This comment was marked as off-topic.
This comment was marked as off-topic.
Because of the existence of the /var/jb fixed path, the random path in preboot is still easy to detect. I've been building this idea since the early days of the xina jailbreak, but no one seems to really care about the future of jailbreaks. |
|
Yes, but it's much easier to temporarily remove one symlink or hide it using hooking than a ton of different paths. |
I take offense at this, we created rootless because it's the future of jailbreaks. Anyways, your idea doesn't work. I can build every package 238,328 times, once for each /var/jb-XXX, and people can't package their tweaks that many times. It's just not possible. |
temporarily remove the symlink of /var/jb will cause many problems, https://theapplewiki.com/wiki/Rootless#Dilemmas It is a feasible way to redirect the path by using hook, but it will also bring some stability and compatibility problems. How about randomizing /var/jb and using a unified environment variable to access this random path, after all, environment variables can be isolated for each process individually. |
Forgive my wording, I totally agree that rootless is a great project. I just have some ideas about the fixed path for /var/jb, we dont need build ervery package many times, we only need to randomize the path of /var/jb, and then use a method that can be isolated for each process to access this randomized path, such as setting an environment variable. After all, environment variables can be set individually for each process. |
|
almost all of the bootstrap are not jailbreak specific software and it is entirely unfeasible to patch them so they can use a random prefix |
|
there is no point in this, /var/jb could already be hidden easily and the boot manifest hash would take years to crack |
|
Until apps just do |
|
to clarify, boot manifest hash is visible to every app on iOS 16, so the path under the boot manifest hash would also need to be random there (like /p/p/XXXXX/jb-YYYY) |
Environment variables can be set individually for each process. In the future, we only need to build a blacklist selector app to allow users to select apps that need to hide this special environment variable. Other processes not in the blacklist can still access this environment variable normally, without any impact on compatibility and stability. The detection of /var/jb fixed path is fundamentally different from other jailbreak detections. As the upstream of the jailbreak community, I think it is our responsibility to take the lead in addressing and addressing this hassle. |
yes, Fugu15Max already randomize the jailbreak directory in the preboot. but /var/jb is still a fixed path. |
|
When you have a working dpkg patch to allow packages to be installed into these randomized paths without having to repackage, let me know, until then this will stay closed and this discussion will end. |
And there is a prerequisite for redirecting the path of /var/jb through hooks, that is, the JIT privilege of the process is required. |
|
There's always the trivial solution of removing the symlink entirely and rebooting to unjailbroken state, which will always work, assuming the path under It may not be perfect if you also want to use tweaks in the apps you're trying to bypass, but that's always been more problematic anyway. |
I mean for apps that don't need to use tweak, we can hide the visibility of /var/jb to it, by randomizing. There are too many apps that even if you don't use the tweaks for it, it will still endlessly prompt you that jailbreak has been detected and deny service, and may even ban you. This really makes jailbreak less and less popular, and the entire jailbreak community got into trouble. |
|
I am locking this thread until you can give me a working patch for dpkg. |
Since the SSV security mechanism of ios15, jailbreak has encountered great challenges and difficulties, but with the efforts of big names such as xina and opa334, we have seen a new dawn. They use the rootless mechanism to successfully avoid the restrictions of SSV, Let the jailbreak enter a new era.
But for the /var/jb root path, I have been very worried. Rootless jailbreak stores all data and files in it, it is a completely fixed path. All jailbreak apps, deamon, tweaks will refer to this path, and hard Encoded into the final released binary.
So what is /var/jb, it is the interface of rootless jailbreak, once the jailbreak community in the rootless era forms this specification, it is very difficult for anyone to change and adjust it.
But the fixed path is very easy to be detected, only one line of code is needed to call the acess/stat function, and any ios development rookie can detect it.
Although we can temporarily remove the /var/jb symlink (like xina15 did), but I think this is a lazy way, and this way will cause two things that will cause major trouble in the future:
1: It's really annoying that people have to repeatedly remove and restore it when opening different apps, and people get tired of it very quickly.
2: Almost all jailbreak apps, deamon, tweaks will use this path, when you temporarily remove it, maybe a jailbreak app, deamon, tweak is accessing this path, or is about to access this path, and then they will not be able to find it Well, this would create a confusing situation.
I think we have a better way to deal with this problem, first we add a random suffix to the /var/jb path, like /var/jb-xxxxx, and then use environment variables as the rootless jailbreak interface, for example, we Create an environment variable named "JBRoot" and set it to /var/jb-xxxx, we can also easily access this environment variable:
in shell code:
cd $JBRoot
in Objective-C code:
NSString* my_file_path = [NSString stringWithFormat:@"%s/my_file_path", getenv("JBRoot")];
in C/C++ code:
char my_file_path[PATH_MAX]={0};
snprintf(my_file_path, sizeof(my_file_path), "%s/my_file_path", getenv("JBRoot"));
So what is the difference between this method and the fixed path of directly using /var/jb?
The difference is that the fixed path of /var/jb is visible to all processes, but environment variables can be set individually for each process. In the future, we can create a blacklist, and we can choose to hide the "JBRoot" environment variable for Some APPs. In this way, they will not be able to detect the existence of /var/jb-xxxx, and will not interfere with other rootless jailbreak apps/deamon/tweak's access to /var/jb-xxxx.
Why is hiding /var/jb so important and urgent?
Some people may ask, even if we hide /var/jb, there are still many other ways to detect jailbreak, why do we have to deal with /var/jb first.
First of all, the data in the file system is the easiest to detect. As I said before, any rookie in ios development can detect the existence of /var/jb with a single line of code. This will make the detection of /var/jb very difficult Widespread and ubiquitous, eventually a large number of apps will detect this path, making jailbreaking difficult to use if you don't handle /var/jb.
Secondly, the /var/jb path is used as the interface standard for rootless jailbreaks, and every jailbreak app/deamon/tweak will use it, and it is hard-coded into the released binary, which means that if we do not deal with it now, we will not be able to deal with this problem in the future up.
As a loyal jailbreak fan, I have witnessed the brilliance of jailbreak from ios5 to ios9, and also witnessed the wisdom of the jailbreak community starting from ios10, and starting from ios15, jailbreak has entered a new era, I sincerely hope that the masters of the jailbreak community can consider this issue.
The text was updated successfully, but these errors were encountered: