Untethered + Unsandboxed code execution haxx as root on iOS 14 - iOS 14.8.1.
Based on CoreTrustDemo, also please note that certificates are not copyrightable.
Note: requires macOS + existing jailbreak
This method works on 14.0-14.6. 14.7 (14.7b1)-14.8.1 requires launchd replacement (see launchd.c
), which is less safe.
- Ensure you have ldid from Procursus Team.
- Modify haxx.c to include your own code (if you need it).
- Run
make
to build. If you're not on macOS, specifyTARGET_SYSROOT
- On the device, Copy
/System/Library/PrivateFrameworks/CoreAnalytics.framework/Support/analyticsd
to/System/Library/PrivateFrameworks/CoreAnalytics.framework/Support/analyticsd.back
- Then replace
/System/Library/PrivateFrameworks/CoreAnalytics.framework/Support/analyticsd
with/usr/bin/fileproviderctl
- Create the
/private/var/haxx
directory, mode should be 0777 - Copy
fileproviderctl_internal
andhaxx
generated from the build to/usr/local/bin
on the device, mode should be 0755. - Profit.
After doing the above steps, fileproviderctl
will be broken, to fix it do the following steps
- Grab a copy of
/usr/bin/fileproviderctl
on your device to your mac - Patch the binary with GNU sed:
gsed -i 's|/usr/local/bin/fileproviderctl_internal|/usr/local/bin/fileproviderctl_XXXXXXXX|g' fileproviderctl
- Resign it:
codesign -s "Worth Doing Badly iPhone OS Application Signing" --preserve-metadata=entitlements --force fileproviderctl
- Put the fixed binary back onto your device.
To remove the installation, do the following steps
- Copy
/System/Library/PrivateFrameworks/CoreAnalytics.framework/Support/analyticsd
to/usr/bin/fileproviderctl
- Move
/System/Library/PrivateFrameworks/CoreAnalytics.framework/Support/analyticsd.back
to/System/Library/PrivateFrameworks/CoreAnalytics.framework/Support/analyticsd
- Delete
/var/haxx
,/usr/local/bin/fileproviderctl_internal
as well as/usr/local/bin/haxx