35

Having seen this question on protecting your app from being cracked, I saw that the top answerer mentioned something about being able to see if a device was jailbroken by some internal imbalance in the kernel. Having looked into it a bit more, I discovered the Kernel Architecture Overview guide, and have knowledge of ways to interact with the Mach-BSD kernel. All I need to know is: What am I looking for? Is there some kind of key or internal state that changes when the device is jailbroken in the context of the kernel?

To be clear, I'm not looking for code (I know how to do these things myself), I'm looking for what to look for... As weird as that sounds. I've seen the answers in the linked questions, I know that they work, but I'm wondering about an all kernel route, which seems more of a generic and efficient way to check instead of searching for directories that might change or plist keys that might have different names.

I also don't intend to disable any functionality on the part of the app because of piracy (just show a message or something based on a condition).

CodaFi
  • It's a simple system call: `beTharPiratesHere()` – Chris Eberle May 04 '12 at 05:15
  • Use the suggestion about creating the incorrectly signed app from the question you mentioned, that seems most reliable to me. – Jesus Ramos May 04 '12 at 05:22
  • Oh, I know about that. I'm asking about the kernel route (it seems more accurate to me from what the answerers were talking about) specifically. It's more hypothetical/conceptual than anything. – CodaFi May 04 '12 at 05:24
  • I find it rather weird to downvote this question. It is rather clear in writing, is answerable by hinting at a coding solution, is researched and has not been asked before in this form. – Till May 04 '12 at 05:52
  • @Chris if there was a way to downvote comments I would do it with yours. The jailbreak wasn't invented to enable piracy, it's just a sad byproduct. – YllierDev May 05 '12 at 22:13
  • @Till I agree, this is a great question to have on the site. I would like to see more answers posted to this question, it could be a great reference for current and future users (cough, as well as myself). – Mick MacCallum May 06 '12 at 08:00
  • @YllierDev clearly you're not familiar with the concept of sarcasm. It's a joke. – Chris Eberle May 06 '12 at 13:51
  • @Chris I'm sorry if it was indeed pure sarcasm. I'm pissed at devs and people putting jailbreak on the same level as piracy. And as you might know, comments like the one you made usually express exactly that :( – YllierDev May 06 '12 at 18:16

2 Answers

24

All the "modern" kernel patches are based on comex's patches.

The main things which are being patched are:

  • security.mac.proc_enforce
  • cs_enforcement_disable (kernel and AMFI)
  • PE_i_can_has_debugger
  • vm_map_enter
  • vm_map_protect

Oh, and there are sandbox patches too. If you wanna read more about all these patches I suggest you take a look at iOS Hacker's Handbook.

Edit: I just came up with a simple idea to check if the device is jailbroken, but I'm not sure if Apple allows the use of these functions:

  1. allocate some memory using mach_vm_allocate()

  2. change the protection of that page via mach_vm_protect() to VM_PROT_READ | VM_PROT_EXECUTE | VM_PROT_COPY

  3. Since stock iOS doesn't allow VM_PROT_EXECUTE from inside your app, this will fail (check the return value of mach_vm_protect()) when not jailbroken, but succeed if the device is jailbroken.

YllierDev
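The three-step probe from the edit above, written out as an added example (it is not code from the answer or from any jailbreak project). It uses the vm_allocate/vm_protect/vm_deallocate calls from <mach/mach.h> instead of the mach_vm_* names the answer mentions, on the assumption that those are the variants the iOS SDK declares; the JBProbe* names and the three-way result type are my own. The reason the probe works at all is the rw->rx / rwx pair in the other answer's list: a stock kernel refuses to add VM_PROT_EXECUTE to an anonymous page, a patched one does not.

```objective-c
#import <Foundation/Foundation.h>
#include <mach/mach.h>

// Outcome of the probe. The answer's idea only distinguishes "protect succeeded"
// from "protect failed"; any other failure is treated as "no conclusion".
typedef NS_ENUM(NSInteger, JBProbeResult) {
    JBProbeExecDenied   = 0,  // stock behaviour: the page could not be made executable
    JBProbeExecAllowed  = 1,  // RX was granted on an anonymous page: W^X enforcement is patched
    JBProbeInconclusive = 2,  // allocation failed; draw no conclusion from this run
};

// Steps 1-3 of the answer, as a plain C function callable from the app.
// Hypothetical helper name; not part of any SDK.
static JBProbeResult JBProbeExecutablePage(void) {
    vm_address_t page = 0;
    vm_size_t size = vm_page_size;  // one page is enough for the probe

    // Step 1: allocate a fresh anonymous page in our own task.
    kern_return_t kr = vm_allocate(mach_task_self(), &page, size, VM_FLAGS_ANYWHERE);
    if (kr != KERN_SUCCESS) {
        return JBProbeInconclusive;
    }

    // Make sure the page is actually backed before asking for execute rights.
    *(volatile char *)page = 0;

    // Step 2: ask for READ | EXECUTE | COPY on that page. set_maximum is FALSE,
    // so this is a request against the region's current maximum protection,
    // which on stock iOS excludes EXECUTE for anonymous memory.
    kr = vm_protect(mach_task_self(), page, size, FALSE,
                    VM_PROT_READ | VM_PROT_EXECUTE | VM_PROT_COPY);

    // Step 3: the return value is the signal. KERN_SUCCESS means the kernel
    // let us turn a writable page into an executable one; a stock kernel
    // normally answers KERN_PROTECTION_FAILURE here.
    JBProbeResult result = (kr == KERN_SUCCESS) ? JBProbeExecAllowed : JBProbeExecDenied;

    // Always give the page back, whatever the outcome.
    vm_deallocate(mach_task_self(), page, size);
    return result;
}

// Matches what the question asked for: no functionality is disabled,
// the app only surfaces a notice when the probe says the kernel is patched.
static void JBShowNoticeIfKernelPatched(void) {
    switch (JBProbeExecutablePage()) {
        case JBProbeExecAllowed:
            NSLog(@"Notice: this device appears to be jailbroken (kernel allowed RX on an anonymous page).");
            break;
        case JBProbeExecDenied:
            NSLog(@"Kernel enforced W^X as expected.");
            break;
        case JBProbeInconclusive:
            NSLog(@"Probe could not run; no conclusion.");
            break;
    }
}
```

Two practical notes. First, the probe only observes one symptom (the vm_map_protect / cs_enforcement family of patches), so JBProbeExecDenied does not prove the device is stock, and JBProbeInconclusive should never be read as a verdict in either direction. Second, the answerer's open question about whether Apple accepts these calls in a submitted app is not settled by this example; run it only where that has been checked for the SDK you ship against.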
2

About a year ago, saurik wrote a comment on Hacker News with a list of the "'best practice' patches that jailbreaks install by default". I'd suggest reading that comment for all the details, but here is a preview of what he says (with lots of explanation that I snipped out):

  1. AFC2: allows you to access, over USB, all of / as root instead of just /var/mobile/Media as mobile.

  2. fstab / rw: makes / be mounted read-write.

  3. fstab /var suid dev: allows setuid executables and device nodes on the user data partition.

  4. codesign: allow code that has not been signed by anyone to execute.

  5. codehash: allow processes with "corrupt" pages of code to execute.

  6. rw->rx: supports changing a page of memory from writable to executable.

  7. rwx: allows memory to be marked for write and execute at the same time.

  8. sandbox: allow processes to access files that are outside of their sandbox based on Unix permissions rather than the normal sandbox rules.

  9. crazeles: a ludicrously complicated hack by planetbeing that neuters the FairPlay DRM checks that cause iBooks to refuse to operate correctly on jailbroken devices.

britta
  • Just as *anecdotal* info, iBooks seems to work fine on my evasi0n iPhone 5. Great answer, though, and I've [previously linked to that same, super-useful thread](http://stackoverflow.com/a/15970080/119114), too. – Nate Sep 12 '13 at 04:48