Fugu14 is an iOS 14 Jailbreak, including an untether (persistence), kernel exploit, kernel PAC bypass and PPL bypass.


Fugu14 - Untethered iOS 14 Jailbreak

Fugu14 is an (incomplete) iOS 14 Jailbreak, including an untether (persistence), kernel exploit, kernel PAC bypass and PPL bypass. The CVE numbers of the vulnerabilities are: CVE-2021-30740, CVE-2021-30768, CVE-2021-30769, CVE-2021-30770 and CVE-2021-30773.

Supported Devices/iOS Versions

Fugu14 should support all arm64e devices (iPhone XS and newer) on iOS 14.3 - 14.5.1.
Support for lower versions (down to 14.2) can be added by editing arm/shared/ClosurePwn/Sources/ClosurePwn/PwnClosure.swift and arm/shared/KernelExploit/Sources/KernelExploit/offsets.swift.

arm64 devices are not supported because the exploit to install the Fugu14 App does not work on these devices.
However, it is in theory possible to install the untether on them (e.g. via checkra1n).
Note that all of this code was written specifically for arm64e, so some changes are required to add arm64 support to the untether.

Features

  • The kernel exploit is extremely reliable (it will never trigger a kernel panic)
  • A simple TCP shell is available on port 1337
  • Trustcaches put in /.Fugu14Untether/trustcaches/ will be loaded automatically
  • Executables put in /.Fugu14Untether/autorun/ will be launched during boot (make sure to also create a trust cache for your executable!)
  • Supports Siguza's libkrw library (load /usr/lib/libkrw/libFugu14Krw.dylib and call krw_initializer)
  • (Jailbreak Developers: You can make your jailbreak untethered just by creating a CLI version that supports libkrw, copying it to /.Fugu14Untether/autorun/ and writing a trust cache to /.Fugu14Untether/trustcaches/)

WARNING

  • Messing around with the untether may BOOTLOOP your device
  • The fast untether (disabled unless you edit the source code) HAS NOT BEEN TESTED ON A REAL DEVICE -- DO NOT USE IT
  • Additionally, the fast untether (in case it actually works) is more UNSAFE than the "slow" untether
  • Developers: PLEASE TEST ANY CHANGES YOU MAKE TO THE UNTETHER ON A VIRTUAL DEVICE FIRST

Building and Running

Requirements:

  • You need a supported device running a supported iOS version (see above)
  • The device must be connected via USB
  • You need the IPSW for your device, unzipped
  • You need to have Xcode installed
  • You need to have iproxy and ideviceinstaller installed (brew install usbmuxd ideviceinstaller)

To build and run the iOS Jailbreak, all you have to do is run the ios_install.py script and follow the instructions. In case you get a code signing error, open arm/iOS/Fugu14App/Fugu14App.xcodeproj and edit the code signing options.

Recovery

So you didn't read the warning section and your device is now in a bootloop. Let's hope you didn't enable the fast untether.
Anyway, before updating your device to the latest iOS version, try the following first:

  1. Install irecovery on your computer
  2. Connect your device via USB and boot into the recovery mode
  3. Run irecovery -s on your computer, then enter the following commands:
     • setenv boot-args no_untether
     • saveenv
     • reboot
  4. Your device should now boot again. If it doesn't, repeat step two, run irecovery -s and then enter these commands:
     • setenv boot-args untether_force_restore
     • saveenv
     • reboot
  5. Device still won't boot? Then you'll have to update it to the latest version unfortunately :/

Credits

Like most software, Fugu14 contains (derived) code which was written by others.
I would therefore like to thank the people below for open-sourcing their code:

  • Samuel Groß: SLOP technique (as used in the dyld exploit) and the JavaScript Int64 library (+ utils)

Currently, the remount patch has copyright issues which I'm trying to resolve ASAP. Apparently, multiple parties think the code is theirs so I don't know what to do right now. I just write this here and hope no one DMCA's me.

Fugu14 also includes various header files from Apple.

For more information, please see credits.txt.

License

Fugu14 is released under the MIT license. Please see the LICENSE file for more information.

Comments
  • Sleep/Wake-up issue - Testers wanted

    Hey everyone,

    I'm currently trying to fix the sleep issue some of you have and need testers who are having this issue and are willing to try out some stuff. First of all, I need to find out if the bug is caused by one of the kernel exploits or if it is caused by replacing analyticsd. ~~If you want to help, could you please try the following:~~ Update: Enough people tested this.

    1. Install irecovery (brew install libirecovery)
    2. Connect your iPhone to your Mac via USB and put the iPhone into recovery mode (From The iPhone Wiki: Press and quickly release the volume up button. Press and quickly release the volume down button. Then, press and hold the side button until you see the recovery mode screen.)
    3. Run irecovery -s and enter the following commands:
    • setenv boot-args no_untether
    • saveenv
    • reboot

    This should disable the untether (you can test that by trying to run unc0ver, if it says unsupported or if the unc0ver Untether App crashes the untether is disabled). Please use your iPhone normally for about an hour or so and comment whether or not you still experience the sleep issue (please also include which iPhone and iOS version). To re-enable the untether, perform steps two and three again, but instead of entering setenv boot-args no_untether enter setenv boot-args x instead.

    opened by LinusHenze 68
  • com.apple.analyticsd.plist doesn't exist

    iPhone Xs iOS 14.3

    The untether failed to install. Error:
    Failed to install untether: Error Domain=NSCocoaErrorDomain Code=4 "The file "com.apple.analyticsd.plist" doesn't exist." UserInfo=(NSSourceFilePathErrorKey=/private/var/containers/Bundle/Application/532A207C-8001-4810-B5D9-71A6B7B4BBD2/Fugu14App.app/com.apple.analyticsd.plist, NSUserStringVariant=(Copy), NSDestinationFilePath=/private/var/mnt/Library/LaunchDaemons/com.apple.analyticsd.plist, NSFilePath=/private/var/containers/Bundle/Application/532A207C-8001-4810-B5D9-71A6B7B4BBD2/Fugu14App.app/com.apple.analyticsd.plist, NSUnderlyingError=0x10321ad60 (Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"))

    opened by goopy13 20
  • Restored to orig-fs using SnapBack, fugu now says that it's already installed.

    iPhone 11 iOS 14.5.1

    I restored my rootfs using SnapBack since the fugu app got deleted. I was having some issues so I needed to restore the rootfs. Upon re-installing Fugu after this, I get "Fugu is already installed" after I click Jailbreak + untether, and unc0ver now says Unsupported again, so I'm basically stuck.

    opened by JaxonKEKW 18
  • “Failed to find a contiguous region!” Fugu14 after patch (iPad Air 4th Gen // iOS 14.4)

    Seems like I'm not the only one having this issue. People on Reddit are having this exact error with this exact device on this exact iPadOS version.

    The iPad Air 4th Gen has the same processor as the iPhone 12 Pro Max (A14 Bionic), and if it works on iPhone 12/Pro/Max, it technically should work on this iPad too.

    Well, no. Not exactly. Attaching a picture below so you can see what's really happening:


    opened by realrodri 13
  • Untether.app not appearing (SE2 14.3)

    14.3, SE2, I've roots numerous times, installed, reinstalled Fugu & unc0ver, I've updated untether, everything & the app still doesn't show... I followed the same process as I did when I initially installed Fugu, updating Fugu after the sleep bug & when 7.0.2 dropped (I didn't realise I could update u0 without reinstalling Fugu completely lol), I've even updated untether via Fugu... (install Fugu via Mac, sideload unc0ver ipa)

    Everything installs without any errors & does what it should do... but still untether.app isn't showing...

    any ideas??


    opened by thekio1984 10
  • Failing to install IPAs

    Hi. I looked through trying to find a solution to this and I tried the ones that were up, but they didn't work for me. I feel like the fix is extremely simple but I can't pinpoint what to do. Can anyone help with this?

    I'm sorry for any inconvenience and thank you.

    (I'm referring to: " cp: ../arm/iOS/Fugu14App/build/Build/Products/Release-iphoneos/Fugu14App.app: No such file or directory Failed to create IPAs! Exit status: 1 " at the bottom of the screenshot.)


    opened by braystumble 10
  • 14.3 se2020, LS camera opens then crashes (likely affecting other ios/device combos)

    Heres a clip of it...

    https://user-images.githubusercontent.com/31554776/139124924-f0a6acfa-066d-4409-a01f-2b2b40eb66a6.MP4

    Does it nearly every time; the times it doesn't, it just opens to a black screen.

    opened by thekio1984 9
  • iMessage bug.

    iPhone 12 Pro Max. 14.5. So I don't get texts on my number. I get green text but not blue. When I reboot to unjailbroken state. It works fine. I think this bug is from uncover. Not fugu14.

    opened by RiskyAppleJuice 6
  • Untether/Jailbreak fails on iOS 14.3.

    I have installed the app on an iPhone XS Max (iPhone11,6). I have compiled with jailbreakd successfully; however, after I had pressed the "jailbreak + untether" button and rebooted, I tried connecting to the device via netcat on port 1337 and it fails to connect. My iOS version is 14.3. I had also been jailbroken with unc0ver on the latest version. I have not restored the root filesystem, however.

    opened by Merculous 6
  • Setup failed - Fugu14App.closure doesn't exist

    So I get the error "The File Fugu14App.closure doesn't exist."

    Here is a screenshot of that. Any idea how to fix that? I have an iPhone 11 with iOS 14.3, AltStore 1.4.8 and tried to install unc0ver 8.0.0.

    opened by ByQuartz 5
  • Black Screen on Fugu14

    I get stuck on this black screen after I’m redirected the second time from AltStore https://user-images.githubusercontent.com/93642145/140023559-d63ef48e-1bc6-451d-8b52-80dc8fee7bc4.MP4

    opened by PoetG 5
  • Crashing

    Hello, I've recently installed the unc0ver jailbreak with the Fugu package, but it is crashing and I've got to re-jailbreak the device. Any help would be appreciated, thanks.

    opened by Bullseye6979 0
  • IOS 14.2. FUGU14

    Hello. Sorry to disturb. When will there be a port/revision of Fugu14 for iOS 14.2, and will there be one at all?

    P.S. English isn't my first/native language, sorry for mistakes

    opened by Genudza 0
  • Fix a race condition in GUI when printing and fix malfunctioning analyticsd daemon.

    Fix a race condition in GUI when printing.

    And it seems the exploitation and post-exploitation work on my iPhone 12 iOS 14.2.1 without any modification.

    Fix malfunctioning analyticsd daemon

    While the patch in Fugu14 preserved the user id and $HOME by changing the name of the user _analyticsd to _nanalyticsd, it seems that some other daemon changes the owner of /private/var/db/analyticsd and its subdirectories to _analyticsd, whose uid has changed to 264. This will cause the _analyticsd.back with uid 263 to not be able to read /private/var/db/analyticsd at all, with error: Home directory is not setup. Waiting to see if it gets repaired....
    This fix is based on the following facts:

    • dyld enables independent closure loading by checking the env $HOME is a subdirectory in /private/var/mobile/Containers/Data/.
    • launchd sets the daemons' $HOME env via getpwname_r.
    • analyticsd gets its own working path via getuid and getpwuid.
    • An unknown daemon will set the owner of /private/var/db/analyticsd to the user name _analyticsd.

    So if the passwd and master.passwd have the following contents, things can be easily fixed.

    passwd (master.passwd is similar)
    _nanalyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false
    _analyticsd:*:263:263:Haxx Daemon:/private/var/mobile/Containers/Data/Fugu14Untether:/usr/bin/false
    

    And then, after the system is powered on:

    • launchd launches /System/Library/LaunchDaemon/com.apple.analyticsd.plist with username _analyticsd and sets $HOME to /private/var/mobile/Containers/Data/Fugu14Untether based on the username.
    • Then the dyld will load the closure exploitation and the system will be jailbroken.
    • The unknown daemon will set the user ID of /private/var/db/analyticsd to 263, based on the username _analyticsd.
    • Then the analyticsd.back with the user name _nanalyticsd is launched, which will use the uid 263. Although there are two users with the same uid 263, getpwuid will only pick the first one. So it will use /private/var/db/analyticsd with the correct owner, uid 263.

    Then the battery detail in Settings works properly.

    If you have jailbroken by Fugu14, you can try the manual steps below, or remove the original Fugu14 jailbreak modifications and then use this PR to jailbreak. Restoring rootfs is an easy way, but loses all tweaks. Or manually undo all modifications according to the "Jailbreak" section in the Fugu14 writeup.

    opened by SongXiaoXi 39
  • Is support for 14.1 and below + tvOS possible?

    Fugu14 supports iOS/iPadOS 14.3-14.5.1 unmodified, and 14.2-14.2.1 by modifying the code. Is it possible to backport the Fugu14 untether to iOS 12.x and iOS/iPadOS 13.0-14.1 on arm64e devices, iOS 9.2-12.5.5 and iOS/iPadOS 13.0-14.1 on arm64 devices, and iOS 9.3.5-10.3.4 on arm32 devices? Also, is it possible for the untether to support tvOS 9.1-14.5?

    opened by LeoI07 0
  • Jailbreak’s hijacking of analyticsd breaks many system services

    (Crosspost from Issue #2293 pwn20wndstuff/Undecimus)

    The Fugu14/unc0ver jailbreak evidently hijacks analyticsd, and renames the stock service to analyticsd.back, also editing /etc/passwd to make the analyticsd service use group _nanalytics instead of _analytics, which seems to be the root cause responsible for infamously breaking the Battery Usage settings history logs (BatteryLife/CurrentPowerLog.PLSQL, etc), as well as possibly the AirPlay speakers and CarPlay breakage(?).

    Because these are persistent system modifications, this breaks analyticsd (and thus, services depending on it) even when “not jailbroken”.

    iPad8,4 iPad Pro 11” 3rd gen A12X iOS 14.4 unc0ver 8.0.2

    Place an "x" between the brackets if true:

    • [x] this is a bug others will be able to reproduce
    • [x] this issue is present with all tweaks uninstalled (except for default packages) or disabled
    • [unknown] this issue is present after a rootfs restore
    • [x] this issue is present on the latest version of unc0ver

    I suspect the developer @LinusHenze already knows this perfectly well but felt it should be formally documented, seeing how half the Issues on Undecimus are people trying to get Battery Usage to work again on unc0ver v8.

    opened by badger200 0
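    The PR above (Fix malfunctioning analyticsd daemon) and the issue just above both turn on how launchd and analyticsd resolve the passwd entry for the same account. The script below is an added example, not code from the Fugu14 project or from either author: it parses passwd-format lines, models getpwnam (lookup by name, which the PR says is how launchd picks a daemon's $HOME) and getpwuid (lookup by uid, which returns the first matching entry when two names share a uid, the property the PR relies on for analyticsd.back), and adds the checks an administrator would run to spot such a modification: duplicate uids, and a low-uid daemon whose $HOME sits under the data-container prefix the PR says dyld keys on. The sample passwd lines (the PR's two entries plus a mobile user), the uid < 500 "system daemon" threshold and the function names are constructed assumptions for this example.

```python
"""Model of the passwd lookups discussed in the analyticsd PR (added example, not Fugu14 code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional

# Prefix the PR says dyld checks $HOME against to decide that a process has an app data container.
CONTAINER_PREFIX = "/private/var/mobile/Containers/Data/"

# Constructed sample: the two entries proposed in the PR, in the order the PR gives them,
# plus an ordinary mobile user. Order matters for the uid lookup below.
SAMPLE_PASSWD = """\
_nanalyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false
_analyticsd:*:263:263:Haxx Daemon:/private/var/mobile/Containers/Data/Fugu14Untether:/usr/bin/false
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh
"""


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse BSD-style passwd lines (name:pw:uid:gid:gecos:home:shell), preserving file order."""
    entries: List[PasswdEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {raw!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def getpwnam(entries: List[PasswdEntry], name: str) -> Optional[PasswdEntry]:
    """Lookup by name: the lookup launchd uses to set a daemon's $HOME (per the PR)."""
    return next((e for e in entries if e.name == name), None)


def getpwuid(entries: List[PasswdEntry], uid: int) -> Optional[PasswdEntry]:
    """Lookup by uid: the first entry wins, so duplicate uids make the result order-dependent."""
    return next((e for e in entries if e.uid == uid), None)


def dyld_treats_as_container(home: str) -> bool:
    """The condition the PR attributes to dyld: $HOME is a subdirectory of the container tree."""
    return home.startswith(CONTAINER_PREFIX) and len(home) > len(CONTAINER_PREFIX)


def find_duplicate_uids(entries: List[PasswdEntry]) -> Dict[int, List[str]]:
    """Defender check: uids shared by more than one account, with the account names in file order."""
    by_uid: Dict[int, List[str]] = {}
    for e in entries:
        by_uid.setdefault(e.uid, []).append(e.name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def find_daemons_with_container_home(entries: List[PasswdEntry]) -> List[str]:
    """Defender check: system daemons (assumed uid < 500) whose $HOME is an app data container."""
    return [e.name for e in entries if e.uid < 500 and dyld_treats_as_container(e.home)]


if __name__ == "__main__":
    pw = parse_passwd(SAMPLE_PASSWD)
    by_name = getpwnam(pw, "_analyticsd")
    by_uid = getpwuid(pw, 263)
    print("launchd would set $HOME for _analyticsd to:", by_name.home)
    print("dyld sees a container home:", dyld_treats_as_container(by_name.home))
    print("getpwuid(263) resolves to:", by_uid.name, "with home", by_uid.home)
    print("duplicate uids:", find_duplicate_uids(pw))
    print("daemons with container homes:", find_daemons_with_container_home(pw))
```

    Running it shows the asymmetry the PR depends on: the name lookup for _analyticsd yields the container path, while the uid lookup for 263 yields the first entry, _nanalyticsd, and its /var/db/analyticsd home. Swapping the two lines changes the uid result, which is exactly why the PR specifies the order. Both defender checks flag the sample file, and the same two checks run over a real /etc/passwd are a cheap way to detect this class of persistence.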
Owner
Linus Henze