CSOPS and Jailbreak Detection

PostPosted: Fri May 04, 2018 6:43 pm
by darkknight
@S1guza
I had a question about this project you started some time ago - https://twitter.com/s1guza/status/932444509933326336. What options are you using to determine the state of code signing... CS_OPS_[CDHASH/STATUS] etc?

Re: CSOPS and Jailbreak Detection

PostPosted: Sat May 05, 2018 3:41 pm
by Siguza
Syscall 169 (csops() in bsd/kern/kern_proc.c).

Re: CSOPS and Jailbreak Detection

PostPosted: Sat May 05, 2018 5:39 pm
by darkknight
Right... so the question was more geared towards the flag you were using, i.e. _IDENTITY/CDHASH etc. syscall(SYS_csops, pid, CS_OPS_IDENTITY, buff, 4096) etc.

Makes sense?

Re: CSOPS and Jailbreak Detection

PostPosted: Sat May 05, 2018 7:20 pm
by Siguza
Oh I see, sorry.
uint32_t ret = 0;
csops(0, CS_OPS_STATUS, &ret, sizeof(ret)); // 0 here means "current process"

Re: CSOPS and Jailbreak Detection

PostPosted: Sun May 06, 2018 7:48 pm
by darkknight
Siguza wrote: Oh I see, sorry.
uint32_t ret = 0;
csops(0, CS_OPS_STATUS, &ret, sizeof(ret)); // 0 here means "current process"

Kewl thanks man....

Re: CSOPS and Jailbreak Detection

PostPosted: Mon May 07, 2018 1:13 am
by morpheus
Note that this can't reliably detect any jailbreak. Flags could still be toggled to CS_VALID | whatever. Also there are some csops() operations (notably IDENT) for which AAPL now applies a MACF hook.
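An added example, not Siguza's or morpheus' code, that puts the CS_OPS_STATUS call from above into a complete program: it reads the current process's code-signing flags, applies the kind of check an app would build on them, and carries morpheus' caveat in the comments. Flag and op values are copied from xnu's bsd/sys/codesign.h; the csops prototype is declared by hand on the assumption that libSystem exports it (the iOS SDK ships no header for it), and on non-XNU systems the read fails with ENOSYS so the rest still compiles.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Op and flag values from xnu bsd/sys/codesign.h (only the ones used here). */
#define CS_OPS_STATUS      0
#define CS_VALID           0x00000001
#define CS_GET_TASK_ALLOW  0x00000004
#define CS_HARD            0x00000100
#define CS_KILL            0x00000200
#define CS_ENFORCEMENT     0x00001000
#define CS_DEBUGGED        0x10000000

#ifdef __APPLE__
/* libSystem wrapper for syscall 169, declared by hand (assumption) because the iOS SDK lacks the header. */
extern int csops(pid_t pid, unsigned int ops, void *useraddr, size_t usersize);
#endif

/* Ask the kernel for pid's code-signing flags (0 = current process, as in Siguza's call). */
static int read_cs_status(pid_t pid, uint32_t *flags)
{
#ifdef __APPLE__
    return csops(pid, CS_OPS_STATUS, flags, sizeof(*flags));
#else
    (void)pid; (void)flags;
    errno = ENOSYS;             /* not an XNU kernel: nothing to query */
    return -1;
#endif
}

/* The integrity check an app would build on those flags: signature valid, hard/kill/
 * enforcement bits set, no debugger or get-task-allow state. Returns 1 if the flags
 * look untampered. Advisory only: as morpheus notes, the flags can be left reading
 * CS_VALID | whatever, so a pass is weak evidence and only a fail is worth acting on. */
static int cs_status_looks_enforced(uint32_t f)
{
    const uint32_t need = CS_VALID | CS_HARD | CS_KILL | CS_ENFORCEMENT;
    const uint32_t deny = CS_GET_TASK_ALLOW | CS_DEBUGGED;
    return (f & need) == need && (f & deny) == 0;
}

int main(void)
{
    uint32_t f = 0;
    if (read_cs_status(0, &f) != 0) { perror("csops"); return 1; }
    printf("cs_flags=0x%08x enforced=%d\n", f, cs_status_looks_enforced(f));
    return 0;
}
```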