jakeblair420 / totally-not-spyware

webkit; but pwned

License: Other

HTML 0.01% JavaScript 0.47% CSS 0.03% Objective-C 1.66% Makefile 18.20% Shell 3.31% C++ 3.27% C 44.40% Objective-C++ 0.10% CMake 0.96% M4 4.08% Batchfile 0.36% D 0.56% Perl 3.88% DTrace 0.01% Roff 9.72% Awk 0.03% DIGITAL Command Language 1.65% Python 7.20% VBScript 0.12%

TotallyNotSpyware

This program is definitely not spyware.
Run it on your 64-bit iOS device as soon as possible.
Your compliance will be rewarded.

[ Live version at totally-not.spyware.lol ]

Repo structure & building

Frontend and WebKit exploit are in /root.
Kernel exploit is in /glue.
Post-exploitation is in /glue/dep.

DoubleH3lix and Meridian can be built independently into static libraries with make headless and make all respectively, in their directories.
Those are then used to build the payload in /glue, which is the binary that is run from JIT after the WebKit exploit. It can be built with just a make, which will build all dependencies as needed.
And that is all finally strung together with the WebKit exploit by running make in /root, which will again build dependencies as needed.

Patch

We originally wanted to backport the WebKit patch to 10.x, but ultimately gave up.

See /patch for details, but the gist is:
One part of the WebKit bug was incorrect predictions in JSC::DFG::clobberize, which is basically a huge switch-case. The fix for that was to re-route some values to blocks that are already used for other values.
On the versions we checked, the compiler had generated jump tables for that, so our idea would've been to just find and patch all those jump tables, since the correct code would already be present.
The issue is that the values that everything depends on have changed hundreds of times over the lifetime of iOS 10 (yes, much more frequently than there have been iOS releases), and there seem to be no landmarks anywhere nearby in code, so it's virtually impossible for us to determine which values to patch. :(

Credits

totally-not-spyware's People

Contributors

foxlet, littlelailo, psychotea, siguza, stek29

totally-not-spyware's Issues

iPhone 5S on iOS 10.2.1 beta 2 crashes

When trying to run TotallyNotSpyware on my old iPhone 5S, the website would proceed as usual until I have a choice of doubleh3lix or meridian. Since the 5S is an A7 device, I chose doubleh3lix, only for the website to crash.

32-bit support?

I know this would be a repetitive question, but don't you think it would benefit, maybe even more, the 32-bit devices running iOS 10.x? I'd assume it wouldn't take much work to fix a few things to have this project working for 32-bit. I'm terrible with coding (can barely make a working program) and I'd assume other users that are running iOS 10.x on a 32-bit device would ask the same question. It'd be great to have this ported over, assuming it's possible. Anyway, it'd be great to have this for all devices since iOS 10.3.3 is the max iOS version for 32-bit devices; on the other hand, it should've been targeted for all devices, but I'm no developer. Assuming that people have iOS 10.x blobs for 64-bit, I understand, and completely agree that this was only for shits and giggles, but more or less, a great platform to pwn a device from RCE, LPE, etc.

Is it possible to replace doubleh3lix with sockh3lix

Hi JakeBlair420, would it be possible to replace meridian and doubleH3lix with sockH3lix? It jailbreaks 64-bit devices in under a second and it's more stable.

I had tried to edit the makefile to point to sockHelix to produce sockHelix.a, but it hasn't got the arguments to compile C source code. I tried for many hours to create the necessary arguments but ultimately failed.

Xcode can successfully build the sockHelix project to an IPA, so I can assume I have all dependencies. I copied the sockhelix.a file Xcode had made into your dep folder and changed the makefile to look for that file, but ultimately the webpage just failed. I realised doublehelix has "#ifdef HEADLESS" code to build without a GUI. With my limited C knowledge I wouldn't know if I'm putting the headless code in the correct part.

I've been trying to research what debugging tools I can use to help me understand if the patch is loading sockH3lix and, if it is, where it's failing.

If a developer is interested in picking this up, it would be greatly appreciated.

Always reboots

I was jailbroken with TNS (DoubleH3lix), and I used Cydia Eraser. I then tried to jailbreak with TNS (I was going to use Meridian), but it always reboots after ~10 - 20 seconds.

iPhone 6
iOS 10.2.1

"failed to grab teh bootstrip files! ret: -1" and "failed to remount the root fs: 1"

Greetings. Thank you all for your hard work on TotallyNotSpyware. I'm having some trouble getting the exploit working on my iPhone, however.

I have an iPhone 7 running iOS 10.1 (the version it shipped with for me) and I keep encountering this error when trying to "slide for spyware":

"Running exploit" appears on the screen, and then:

Spyware announcement

Kernel has been pwned >:D

Waiting for about a second will make the prompt disappear automatically and the following message appears shortly after:

spyware fail

failed to grab teh bootstrip files! ret: -1
pls make sure u have internets

Pressing any of the message options reloads the webpage. Pressing the "noot noot" button on the first prompt in time leads to the same result.

Trying it a second time, sans rebooting the phone manually, the success message appears like before but returns this error instead:

spyware fail

failed to remount the root fs: 1

I thought maybe my VPN connection was causing some sort of conflict. I disabled it but still had no luck.

Rebooting the phone manually repeats those aforementioned errors. Trying further attempts, sans rebooting, results in the same failed to remount the root fs: 1.

I'm using the exploit hosted on https://totally-not.spyware.lol/ as of 2023-01-09 22:49:23 UTC.

User agent is Mozilla/5.0 (iPhone; CPU iPhone OS 10_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B72c Safari/602.1, if that helps any.

Thank you.

Enable JIT CS_DEBUGGED ?

Is it possible to enable native JIT functions using this exploit ?
Or even enable CS_DEBUGGED to allow the workaround for JIT to work correctly ?

Freeze after ~20hrs on iOS 10.3.1 / iPhone 6

Hey,

I used to jailbreak my phone using the g0blin JB until last week, when resigning did not work anymore using the latest impactor 0.9.51. That was the first time I used the totally-not-spyware JB, very successfully, after rebooting my phone. Unfortunately about every 20-22 hrs my phone froze and I had to reset and reboot... Any idea what is/was causing that? I'm now back to g0blin at the moment as signing yesterday worked again for me, but I would like to try your JB as it seemed to drain my battery much less than g0blin.

Regards,
Oliver

"Header is invalid"

On the iPhone 5c, under the captive portal whilst still in OOBE (note to self: don't buy iCloud locked stuff off eBay), the error:

"FAIL: header is invalid: 0x4f44213c"

is thrown.

Interestingly, adding "alert(arrayBuf)" right before the check results in what at least LOOKS "correct" (as in, it looks like the memory safety violation worked).
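The rejected header word in the report above, decoded as bytes, is worth looking at when triaging this kind of issue. This is an added diagnostic example, not code from the project: 0x4f44213c read as a little-endian 32-bit word is the ASCII prefix "<!DO", which is how an HTML document ("<!DOCTYPE ...") begins. That the client received a web page instead of the expected binary (as a captive portal would serve) is an assumption drawn from the reporter's context, not something the page confirms; the helper simply makes the check explicit so a bad-header value can be classified without guessing. The sample value is the one quoted in the issue; everything else is constructed here.

```python
import struct

# Sample taken from the issue report above ("FAIL: header is invalid: 0x4f44213c").
REPORTED_HEADER = 0x4F44213C


def _as_text(raw: bytes):
    """Return the bytes as an ASCII string if every byte is printable, else None."""
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None


def classify_header(value: int) -> dict:
    """Interpret a rejected 32-bit header word in both byte orders.

    A binary download that gets silently replaced by a web page (for example by
    a captive portal intercepting the request) fails a magic-number check with a
    value that, viewed as bytes, is printable text. Surfacing that turns an
    opaque hex number into an actionable hint: the client got text, not the
    expected payload.
    """
    word = value & 0xFFFFFFFF
    little = struct.pack("<I", word)  # byte order of the target CPU (ARM64 is little-endian)
    big = struct.pack(">I", word)
    result = {
        "hex": f"0x{word:08x}",
        "little_endian": _as_text(little),
        "big_endian": _as_text(big),
    }
    for raw in (little, big):
        # "<!" covers "<!DOCTYPE" and HTML comments; "<htm" covers a bare <html> tag.
        if raw.startswith(b"<!") or raw.lower().startswith(b"<htm"):
            result["verdict"] = "text: looks like the start of an HTML document"
            return result
    if result["little_endian"] or result["big_endian"]:
        result["verdict"] = "text: printable ASCII, not a binary header"
    else:
        result["verdict"] = "binary: not printable text"
    return result


if __name__ == "__main__":
    print(classify_header(REPORTED_HEADER))
```

Run as a script it prints the classification for the reported value; the same function can be applied to any "header is invalid" word from a log, and a "binary" verdict on a value that should have been a known magic number points at a different problem (a truncated or corrupted download) than the HTML case.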
