FAQ

Issues relating to the upcoming LiberTV TvOS < 11.2 JB. NO MORON "wen eta" though - unless you want to be banned.
Forum rules
  • NO IDIOTIC QUESTIONS ABOUT "WEN ETA JB".
  • Read the FAQ before asking.
  • Otherwise, open discussion and/or requests welcome.

FAQ

Postby morpheus » Fri Mar 03, 2017 4:31 am

Ok. So now that it's made public, @nitotv (10.1), @KeithMLeonard (10.0.1) and myself (10.1) tested it, here is a collection of FAQs so I don't get bugged on Twitter. Note I update this regularly, hence the "v1.x" designation.

FAQ v1.2 - clarifications for upcoming 10.1.1

Where do I get this? http://NewOSXBook.com/libertv/libertv.ipa

Any mirrors for this? Plenty. And they probably all have malware. Good luck.

Is 10.1.1 JBable? EDIT (03/28) Yes. And I'm working on finding a suitable bug which will be "backwards combuggable" with 9.x. Expect more when I find one.

Why is 10.1.1 NOT JBable RIGHT NOW? Because the bug used, CVE-2017-2370, has been patched. But I'm finding another bug. 10.2 brought on so many kernel bug patches that it's ridiculous. I'll use one of them.

What about those #%$#%$# REBOOTS? Luca's KPP had a bug when applied to large RAM spaces such as the TV. This will be fixed in a future update.

Who's behind this jailbreak?

Bug was supplied by Marco Grassi, and Luca did the amazing KPP work. Adaptation to TvOS and future bug fixes are Me, myself and I.


OLDER QUESTIONS

How do I install it? Using Cydia Impactor.

What, every seven days?!?! Hell no. Only if you reboot. How often do you restart your TV STB? 'nuff said.

Is it foolproof? That depends on how foolish the fools are. Basically, it should exploit successfully every time, but KPP is presently at roughly 1/4. That means you might panic, but then all you need is: if you don't succeed at first, try, try again. Once it works, it works, period, and you will not need to run it again unless you reboot.

Why is the GUI so poor? Because I'm a kernel hacker, not a GUI developer. Sorry. It's no small miracle I suffered through Xcode and objective-C long enough to create a functional GUI.

What does the JB provide? A full set of kernel patches which allows running unsigned code and injecting arbitrary libraries into any TvOS process.

And Cydia? No Cydia.

Where's Cydia? Ask Saurik, not me. I personally don't like it much as I use my own binaries. And that's not the purpose of this JB.

So wait, if there's no Cydia, is it a jailbreak? YES. Because it gives you a full shell and you can do whatever you want - side load apps, etc. And in theory a Cydia-like app (or even Cydia itself) could easily be created for TvOS. And me, all I wanted is to have an open tvOS so I can document its inner workings for Vol I of *OS Internals.

Now that you mention it, how's that coming along?? Super, thank you. Lots of details I'm adding now. Hoping for a release around May.

So back to tvOS -- Will MobileSubstrate run on TvOS? No reason why the 64-bit version won't. But I did not include it.

How is TvOS different from iOS? Many very small ways. Most important, it does not run any 32-bit code. Also normal iOS IPAs won't work here. Sorry. But CLI binaries work just fine.

So what's in the IPA? A modified 64-bit only bootstrap.tar, containing /bin/sh -> /bin/bash, some of my tools (in /usr/local/bin), dropbear (a free-standing ssh daemon, with its keys in /etc/dropbear), and a few select binaries. Dropbear has been modified to run from /tmp, and the entire tar opens up in /tmp as well, so as to negate any remote chance of bricking.

How do I add more? Two options: either extract bootstrap.tar to some directory, add whatever you want, and repackage into .tar and into the ipa, or - once you are in the JB:

    cd /tmp

and then /tmp/bin/ls your way around, followed by /tmp/bin/mv ... files to their usual locations, taking care not to overwrite any system binaries.

Alternatively, you can

    export PATH=/tmp/bin:/tmp/usr/bin:/tmp/usr/local/bin:/tmp/sbin

which makes your life real easy.

IF YOUR SSH DROPS AFTER A WHILE THE TV IS UP, PLEASE SEE RELATED POST. You can easily avoid this by installing the SSH binaries (dropbear and related conflict files) to your root filesystem

Why like that? Because it's an intentional PoC meant for developers and researchers, not for the general public - and provides 100% of the functionality that target audience needs, with minimal disruption of the filesystem. And, because I made the mistake of overwriting a stupid binary (/usr/sbin/nvram), which effectively bricked my older TvOS. I had to fork out another $149 to get another ATV box, and - once bitten, twice shy.

Why would overwriting built-in binaries be dangerous? Because this is a semi-tethered JB, meaning when your ATV reboots, it's not JB anymore. And that means any binaries you introduced have no code signature, and will be slain by that despicable AMFI. So EXERCISE CAUTION WITH WHAT YOU ADD, AND DON'T OVERWRITE ANY EXISTING BINARIES (I have my tar invocation with -k for that).

Why doesn't it work every time? Because even though the bug is exploited very reliably (95%, thanks to tweaks), KPP bypassing has some... issues which I still need to iron out (due to more RAM in the TV than there is in your average phone). So expect at least three panics for every successful run. If you get a warning about "this will likely fail", try it anyway. Most of the time liberTV can detect its inevitable demise, but sometimes it's wrong.

What does the jailbreak report if "Increment J's counter" is selected? Absolutely nothing identifying - just the Vendor UDID, and the jailbreak flow, so I can figure out the success rate, and the slides. You want to leave this on if I am to improve the KPP reliability.

What are suggested steps once I'm in?

The jailbreak will automatically do this:
- chmod 000 /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate - to shut up that $%#%$# softwareupdated daemon so it doesn't nag you if reincarnated (i.e. when you reboot)

which in my experience has shut up autoupdates. But you might also want to make sure:
- Disable auto-updates from GUI
- launchctl unload /System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist - to make sure the daemon is dead, dead, DEAD

- make a copy of /System/Library/Caches/apticket.der and save it somewhere SAFE.

- create a /var/root/.ssh/authorized_keys and put an SSH key from your host there. AND CHANGE THE DEFAULT PASSWORD FROM alpine.

- exercise extreme caution. I AM NOT RESPONSIBLE IF YOU BRICK YOUR TV, AND IF YOU DO, APPLE'S #@$#@$#@ DRACONIAN TYRANNICAL WHIM IS TO FORCE YOU TO UPGRADE TO 10.1.1, WHICH IS NOT JAILBREAKABLE

Wait. That was a good point. Say that again?

- exercise extreme caution. I AM NOT RESPONSIBLE IF YOU BRICK YOUR TV, AND IF YOU DO, APPLE'S #@$#@$#@ DRACONIAN TYRANNICAL WHIM IS TO FORCE YOU TO UPGRADE TO 10.1.1, WHICH IS NOT JAILBREAKABLE

- exercise extreme caution. I AM NOT RESPONSIBLE IF YOU BRICK YOUR TV, AND IF YOU DO, APPLE'S #@$#@$#@ DRACONIAN TYRANNICAL WHIM IS TO FORCE YOU TO UPGRADE TO 10.1.1, WHICH IS NOT JAILBREAKABLE

- exercise extreme caution. I AM NOT RESPONSIBLE IF YOU BRICK YOUR TV, AND IF YOU DO, APPLE'S #@$#@$#@ DRACONIAN TYRANNICAL WHIM IS TO FORCE YOU TO UPGRADE TO 10.1.1, WHICH IS NOT JAILBREAKABLE

Are you going to detail the steps you did in customizing Yalu?

- You bet. The jailbreak logic is already detailed in this forum as the free chapter 24 from my book. And I'll post a walk through for the particular mods soon enough. Luca did such an amazing job with Yalu the changes were mostly straightforward.

Where can I learn this stuff? The book http://NewOSXBook.com is a good start. So is the training http://technologeeks.com/course.jl?course=OSSec

Is there a license to this JB? Unlimited for personal use. PLEASE NO commercial and/or pirate use.

Can we donate or support you somehow?

- Aww, shucks! Not really. I mean, you can always get the book (q.v. link from http://NewOSXBook.com/ - if you get it from AMZN get it through there, since their commission isn't as bad). But if you REALLY want to donate, send $25 to any charity of your choice, and just tweet a screenshot of the receipt with a hashtag of #libertv, please. That will make me happy that you're spreading the good karma!
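The "How do I add more?" PATH trick and the "suggested steps once I'm in" list above describe a manual procedure. Collected here into a small shell helper that can be rehearsed against a scratch directory before touching a real Apple TV. This is an added example, not part of morpheus's post and not code shipped in the liberTV IPA. Everything beyond the paths named in the FAQ is an assumption of this example: the ROOT and STAGE variables, the function names, the timestamped backup file name, and the scratch tree any dry run builds is constructed for that run.

```shell
#!/bin/sh
# Added example (not from the original post or the liberTV IPA).
# Assumptions: bootstrap.tar was unpacked under $STAGE (the FAQ says /tmp);
# ROOT is empty on the device and points at a scratch tree for a dry run.
set -u

ROOT="${ROOT:-}"          # "" = the real filesystem; "/some/dir" = rehearsal only
STAGE="${STAGE:-/tmp}"    # where the bootstrap was extracted

# The FAQ's PATH trick: prefer the staged tools without moving anything.
# Only staging dirs that really exist are added, so a half-extracted tar
# does not leave dead entries in PATH.
staged_path() {
    p=""
    for d in bin usr/bin usr/local/bin sbin; do
        [ -d "$STAGE/$d" ] && p="${p:+$p:}$STAGE/$d"
    done
    echo "${p:+$p:}$PATH"
}

# Move a staged file to its "real" location, refusing to replace anything
# already there (the same rule as the FAQ's tar -k: a clobbered system
# binary loses its signature and AMFI kills it after the next reboot).
install_nonclobber() {
    src="$1"; dst="$ROOT$2"
    if [ -e "$dst" ]; then
        echo "skip: $dst exists, not overwriting a system binary" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dst")" && cp -p "$src" "$dst"
}

# Copy apticket.der somewhere safe; a timestamp keeps repeated runs from
# overwriting an earlier copy. Prints the path of the new backup.
backup_apticket() {
    src="$ROOT/System/Library/Caches/apticket.der"
    dest_dir="$1"
    [ -f "$src" ] || { echo "no apticket at $src" >&2; return 1; }
    mkdir -p "$dest_dir"
    out="$dest_dir/apticket-$(date +%Y%m%d-%H%M%S).der"
    cp -p "$src" "$out" && echo "$out"
}

# Add one public key to root's authorized_keys, idempotently, with the
# permissions an ssh daemon insists on (700 dir, 600 file).
add_authorized_key() {
    key="$1"
    sshdir="$ROOT/var/root/.ssh"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$sshdir/authorized_keys" && chmod 600 "$sshdir/authorized_keys"
    grep -qxF "$key" "$sshdir/authorized_keys" || echo "$key" >> "$sshdir/authorized_keys"
}

# Silence software update: chmod 000 the asset dir (what liberTV already
# does) and, only on the real device, unload the launchd job as well.
disable_softwareupdate() {
    asset="$ROOT/var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate"
    [ -d "$asset" ] && chmod 000 "$asset"
    plist="$ROOT/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist"
    if [ -z "$ROOT" ] && command -v launchctl >/dev/null 2>&1; then
        launchctl unload "$plist"
    fi
    return 0
}
```

On the device, source the file, `export PATH="$(staged_path)"`, then run `backup_apticket /var/root/backup`, `add_authorized_key "$(cat ~/.ssh/id_ed25519.pub)"` and `disable_softwareupdate`; the password change from alpine is still done by hand with `passwd`. Anything you promote out of /tmp goes through `install_nonclobber`, which is what stops a stray copy over /usr/sbin/nvram.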

Re: FAQ

Postby Siguza » Tue Apr 11, 2017 4:16 pm

I split off all replies and locked the thread. If you have questions or experience trouble, please create a new one.
