Fugu14 is an iOS 14 Jailbreak, including an untether (persistence), kernel exploit, kernel PAC bypass and PPL bypass.

Last update: Jun 23, 2022

Fugu14 - Untethered iOS 14 Jailbreak

Fugu14 is an (incomplete) iOS 14 Jailbreak, including an untether (persistence), kernel exploit, kernel PAC bypass and PPL bypass. The CVE numbers of the vulnerabilities are: CVE-2021-30740, CVE-2021-30768, CVE-2021-30769, CVE-2021-30770 and CVE-2021-30773.

Supported Devices/iOS Versions

Fugu14 should support all arm64e devices (iPhone XS and newer) on iOS 14.3 - 14.5.1.
Support for lower versions (down to 14.2) can be added by editing arm/shared/ClosurePwn/Sources/ClosurePwn/PwnClosure.swift and arm/shared/KernelExploit/Sources/KernelExploit/offsets.swift.

arm64 devices are not supported because the exploit to install the Fugu14 App does not work on these devices.
However, it is in theory possible to install the untether on them (e.g. via checkra1n).
Note that all of this code was written specifically for arm64e, so some changes are required to add arm64 support to the untether.

Features

  • The kernel exploit is extremely reliable (it will never trigger a kernel panic)
  • A simple TCP shell is available on port 1337
  • Trustcaches put in /.Fugu14Untether/trustcaches/ will be loaded automatically
  • Executables put in /.Fugu14Untether/autorun/ will be launched during boot (make sure to also create a trust cache for your executable!)
  • Supports Siguza's libkrw library (load /usr/lib/libkrw/libFugu14Krw.dylib and call krw_initializer)
  • (Jailbreak Developers: You can make your jailbreak untethered just by creating a CLI version that supports libkrw, copying it to /.Fugu14Untether/autorun/ and writing a trust cache to /.Fugu14Untether/trustcaches/)

WARNING

  • Messing around with the untether may BOOTLOOP your device
  • The fast untether (disabled unless you edit the source code) HAS NOT BEEN TESTED ON A REAL DEVICE -- DO NOT USE IT
  • Additionally, the fast untether (in case it actually works) is more UNSAFE than the "slow" untether
  • Developers: PLEASE TEST ANY CHANGES YOU MAKE TO THE UNTETHER ON A VIRTUAL DEVICE FIRST

Building and Running

Requirements:

  • You need a supported device running a supported iOS version (see above)
  • The device must be connected via USB
  • You need the IPSW for your device, unzipped
  • You need to have Xcode installed
  • You need to have iproxy and ideviceinstaller installed (brew install usbmuxd ideviceinstaller)

To build and run the iOS Jailbreak, all you have to do is run the ios_install.py script and follow the instructions. In case you get a code signing error, open arm/iOS/Fugu14App/Fugu14App.xcodeproj and edit the code signing options.

Recovery

So you didn't read the warning section and your device is now in a bootloop. Let's hope you didn't enable the fast untether.
Anyway, before updating your device to the latest iOS version, try the following first:

  1. Install irecovery on your computer
  2. Connect your device via USB and boot into the recovery mode
  3. Run irecovery -s on your computer, then enter the following commands:
  • setenv boot-args no_untether
  • saveenv
  • reboot
  4. Your device should now boot again. If it doesn't, repeat step two, run irecovery -s and then enter these commands:
  • setenv boot-args untether_force_restore
  • saveenv
  • reboot
  5. Device still won't boot? Then you'll have to update it to the latest version unfortunately :/

Credits

Like most software, Fugu14 contains (derived) code which was written by others.
I would therefore like to thank the people below for open-sourcing their code:

  • Samuel Groß: SLOP technique (as used in the dyld exploit) and the JavaScript Int64 library (+ utils)

Currently, the remount patch has copyright issues which I'm trying to resolve ASAP. Apparently, multiple parties think the code is theirs so I don't know what to do right now. I just write this here and hope no one DMCA's me.

Fugu14 also includes various header files from Apple.

For more information, please see credits.txt.

License

Fugu14 is released under the MIT license. Please see the LICENSE file for more information.

GitHub

https://github.com/LinusHenze/Fugu14
Comments
  • 1. Sleep/Wake-up issue - Testers wanted

    Hey everyone,

    I'm currently trying to fix the sleep issue some of you have and need testers who are having this issue and are willing to try out some stuff. First of all, I need to find out if the bug is caused by one of the kernel exploits or if it is caused by replacing analyticsd. ~~If you want to help, could you please try the following:~~ Update: Enough people tested this.

    1. Install irecovery (brew install libirecovery)
    2. Connect your iPhone to your Mac via USB and put the iPhone into recovery mode (From The iPhone Wiki: Press and quickly release the volume up button. Press and quickly release the volume down button. Then, press and hold the side button until you see the recovery mode screen.)
    3. Run irecovery -s and enter the following commands:
    • setenv boot-args no_untether
    • saveenv
    • reboot

    This should disable the untether (you can test that by trying to run unc0ver, if it says unsupported or if the unc0ver Untether App crashes the untether is disabled). Please use your iPhone normally for about an hour or so and comment whether or not you still experience the sleep issue (please also include which iPhone and iOS version). To re-enable the untether, perform steps two and three again, but instead of entering setenv boot-args no_untether enter setenv boot-args x instead.

    Reviewed by LinusHenze at 2021-10-26 10:44
  • 2. com.apple.analyticsd.plist doesn't exist

    iPhone Xs iOS 14.3

    The untether failed to install. Error:
    Failed to install untether: Error Domain=NSCocoaErrorDomain Code=4 "The file “com.apple.analyticsd.plist” doesn't exist."
    UserInfo=(NSSourceFilePathErrorKey=/private/var/containers/Bundle/Application/532A207C-8001-4810-B5D9-71A6B7B4BBD2/Fugu14App.app/com.apple.analyticsd.plist,
    NSUserStringVariant=(Copy),
    NSDestinationFilePath=/private/var/mnt/Library/LaunchDaemons/com.apple.analyticsd.plist,
    NSFilePath=/private/var/containers/Bundle/Application/532A207C-8001-4810-B5D9-71A6B7B4BBD2/Fugu14App.app/com.apple.analyticsd.plist,
    NSUnderlyingError=0x10321ad60 (Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"))
    
    Reviewed by goopy13 at 2021-10-25 00:21
  • 3. Restored to orig-fs using SnapBack, fugu now says that it's already installed.

    iPhone 11 iOS 14.5.1

    I restored my rootfs using SnapBack since the fugu app got deleted. I was having some issues so I needed to restore the rootfs. Upon re-installing Fugu after this, I get "Fugu is already installed" after I click Jailbreak + untether, and unc0ver now says Unsupported again, so I'm basically stuck.

    Reviewed by JaxonKEKW at 2021-10-27 10:13
  • 4. “Failed to find a contiguous region!” Fugu14 after patch (iPad Air 4th Gen // iOS 14.4)

    Seems like I'm not the only one having this issue. People on Reddit are having this exact error with this exact device on this exact iPadOS version.

    The iPad Air 4th Gen has the same processor as the iPhone 12 Pro Max (A14 Bionic), and if it works on iPhone 12/Pro/Max, it technically should work on this iPad too.

    Well, no. Not exactly. Attaching a picture below so you can see what's really happening:


    Reviewed by realrodri at 2021-10-29 13:30
  • 5. Untether.app not appearing (SE2 14.3)

    14.3, SE2, I've roots numerous times, installed, reinstalled fugu & unc0ver, I've updated untether, everything & the app still doesn't show... I followed the same process as I did when initially installing fugu, updating fugu after the sleep bug & when 7.0.2 dropped (I didn't realise I could update u0 without reinstalling fugu completely lol), I've even updated untether via fugu... (install fugu via mac, sideload unc0ver ipa)

    everything installs without any errors & does what it should do... but still untether.app isn't showing...

    any ideas??


    Reviewed by thekio1984 at 2021-11-03 22:49
  • 6. Failing to install IPAs

    Hi. Looked through trying to find a solution to this and I tried the ones that were up and they didn't work for me. I feel like the fix is extremely simple but I can't pinpoint what to do. Can anyone help with this?

    I'm sorry for any inconvenience and thank you.

    (I'm referring to: " cp: ../arm/iOS/Fugu14App/build/Build/Products/Release-iphoneos/Fugu14App.app: No such file or directory Failed to create IPAs! Exit status: 1 " at the bottom of the screenshot.)


    Reviewed by braystumble at 2021-10-28 00:02
  • 7. 14.3 se2020, LS camera opens then crashes (likely affecting other ios/device combos)

    Here's a clip of it...

    https://user-images.githubusercontent.com/31554776/139124924-f0a6acfa-066d-4409-a01f-2b2b40eb66a6.MP4

    Does it nearly every time; the times it doesn't, it just opens to a black screen.

    Reviewed by thekio1984 at 2021-10-27 18:28
  • 8. iMessage bug.

    iPhone 12 Pro Max. 14.5. So I don't get texts on my number. I get green text but not blue. When I reboot to unjailbroken state. It works fine. I think this bug is from uncover. Not fugu14.

    Reviewed by RiskyAppleJuice at 2021-10-29 10:08
  • 9. Untether/Jailbreak fails on iOS 14.3.

    I have installed the app on an iPhone XS Max (iPhone11,6). I have compiled with jailbreakd successfully, however after I had pressed the "jailbreak + untether" button and rebooted, I tried connecting to the device via netcat on port 1337 and it fails to connect. My iOS version is 14.3. I had also been jailbroken with unc0ver on the latest version. I have not restored the root filesystem however.

    Reviewed by Merculous at 2021-10-25 00:24
  • 10. Setup failed - Fugu14App.closure doesn't exist

    So I get the error "The File Fugu14App.closure doesn't exist."

    Here is a screenshot of that. Any idea how to fix that? I have an iPhone 11 with iOS 14.3, AltStore 1.4.8 and tried to install Unc0ver 8.0.0

    Reviewed by ByQuartz at 2021-12-30 00:30
  • 11. Black Screen on Fugu14

    I get stuck on this black screen after I’m redirected the second time from AltStore https://user-images.githubusercontent.com/93642145/140023559-d63ef48e-1bc6-451d-8b52-80dc8fee7bc4.MP4

    Reviewed by PoetG at 2021-11-03 07:38
  • 12. Fix a race condition in GUI when printing and fix malfunctioning analyticsd daemon.

    Fix a race condition in GUI when printing.

    And it seems the exploitation and post-exploitation work on my iPhone 12 iOS 14.2.1 without any modification.

    Fix malfunctioning analyticsd daemon

    While the patch in Fugu14 preserved the user id and $HOME by changing the name of the user _analyticsd to _nanalyticsd, it seems that some other daemon changes the owner of /private/var/db/analyticsd and its subdirectories to _analyticsd, whose uid has changed to 264. This will cause the _analyticsd.back with uid 263 to not be able to read /private/var/db/analyticsd at all, with error: Home directory is not setup. Waiting to see if it gets repaired....
    This fix is based on the following facts:

    • dyld enables independent closure loading by checking the env $HOME is a subdirectory in /private/var/mobile/Containers/Data/.
    • launchd sets the daemons' $HOME env via getpwname_r.
    • analyticsd gets its own working path via getuid and getpwuid.
    • An unknown daemon will set the owner of /private/var/db/analyticsd to the user name _analyticsd.

    So if the passwd and master.passwd have the following contents, things can be easily fixed.

    passwd (master.passwd is similar)
    _nanalyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false
    _analyticsd:*:263:263:Haxx Daemon:/private/var/mobile/Containers/Data/Fugu14Untether:/usr/bin/false
    

    And then, after the system is powered on:

    • launchd launches /System/Library/LaunchDaemon/com.apple.analyticsd.plist with username _analyticsd and sets $HOME to /private/var/mobile/Containers/Data/Fugu14Untether based on the username.
    • Then the dyld will load the closure exploitation and the system will be jailbroken.
    • The unknown daemon will set the user ID of /private/var/db/analyticsd to 263, based on the username _analyticsd.
    • Then the analyticsd.back with the user name _nanalyticsd is launched, which will use the uid 263. Although there are two users with the same uid 263, getpwuid will only pick the first one. So it will use /private/var/db/analyticsd with the correct owner, uid 263.

    Then the battery detail in Settings works properly.

    If you have jailbroken with Fugu14, you can try the manual steps below, or remove the original Fugu14 jailbreak modifications and then use this PR to jailbreak. Restoring rootfs is an easy way, but loses all tweaks. Or manually undo all modifications according to the "Jailbreak" section in the Fugu14 writeup.

    Reviewed by SongXiaoXi at 2022-05-19 17:12
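The lookup chain this PR relies on (launchd resolves a daemon's $HOME by user name, dyld checks whether that $HOME lies under the container data directory, while the other daemons resolve by uid and get the first matching entry) can be modelled in a few lines and, from the defender's side, turned into an integrity check. The following is an added example, not code from Fugu14 or from this PR: it parses passwd-format text, emulates the first-match semantics of getpwnam and getpwuid over the parsed entries (the real libc lookups on iOS are not exercised here), and reports the two indicators this post makes visible: a uid shared by two account names, and a system daemon account whose home directory sits under /private/var/mobile/Containers/Data/. The two patched entries are copied from the post above; the stock-style baseline entry, the function names and the constant CONTAINER_DATA_PREFIX are constructed for the example.

```python
# Added example: model of the passwd lookups described in the PR above and an
# integrity check for the two indicators it relies on. Not Fugu14 code.
from dataclasses import dataclass
from typing import Dict, List, Optional

# dyld only enables standalone closure loading when $HOME lies under this
# prefix (the condition the PR describes).
CONTAINER_DATA_PREFIX = "/private/var/mobile/Containers/Data/"

# Constructed baseline resembling an untouched entry (assumption, for contrast).
STOCK_PASSWD = """\
_analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false
"""

# The layout proposed in the PR (entries copied from the post above).
PATCHED_PASSWD = """\
_nanalyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false
_analyticsd:*:263:263:Haxx Daemon:/private/var/mobile/Containers/Data/Fugu14Untether:/usr/bin/false
"""


@dataclass(frozen=True)
class PwEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PwEntry]:
    """Parse passwd(5)-format text; blank lines and '#' comments are skipped."""
    entries: List[PwEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(PwEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def getpwnam(entries: List[PwEntry], name: str) -> Optional[PwEntry]:
    """Emulates getpwnam(3): first entry whose name matches."""
    return next((e for e in entries if e.name == name), None)


def getpwuid(entries: List[PwEntry], uid: int) -> Optional[PwEntry]:
    """Emulates getpwuid(3): first entry whose uid matches, so order matters."""
    return next((e for e in entries if e.uid == uid), None)


def daemon_home_as_set_by_launchd(entries: List[PwEntry], username: str) -> Optional[str]:
    """launchd sets a daemon's $HOME from the entry found by user *name*."""
    entry = getpwnam(entries, username)
    return entry.home if entry else None


def closure_loading_enabled(home: Optional[str]) -> bool:
    """The dyld condition from the PR: $HOME under the container data dir."""
    return home is not None and home.startswith(CONTAINER_DATA_PREFIX)


def audit(entries: List[PwEntry]) -> List[str]:
    """Return human-readable findings for the two tampering indicators."""
    findings: List[str] = []
    first_by_uid: Dict[int, str] = {}
    for e in entries:
        if e.uid in first_by_uid:
            findings.append(
                f"uid {e.uid} is shared by {first_by_uid[e.uid]!r} and {e.name!r}; "
                f"getpwuid({e.uid}) resolves to {first_by_uid[e.uid]!r}"
            )
        else:
            first_by_uid[e.uid] = e.name
        # '_'-prefixed accounts are system daemons; their home should never be
        # inside an app data container.
        if e.name.startswith("_") and e.home.startswith(CONTAINER_DATA_PREFIX):
            findings.append(
                f"system account {e.name!r} has its home under {CONTAINER_DATA_PREFIX} "
                f"({e.home}); dyld closure loading would be enabled for it"
            )
    return findings


if __name__ == "__main__":
    patched = parse_passwd(PATCHED_PASSWD)
    home = daemon_home_as_set_by_launchd(patched, "_analyticsd")
    print("launchd $HOME for _analyticsd:", home)
    print("closure loading enabled:", closure_loading_enabled(home))
    print("getpwuid(263) ->", getpwuid(patched, 263).name)
    for finding in audit(patched):
        print("FINDING:", finding)
    print("stock findings:", audit(parse_passwd(STOCK_PASSWD)))
```

Run against the patched layout, audit() reports both indicators, and the two lookups show why the PR works: getpwnam("_analyticsd") yields the container home that satisfies the dyld check, while getpwuid(263) still lands on the first entry, _nanalyticsd, whose home is /var/db/analyticsd. The same audit on a single untouched entry reports nothing.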
  • 13. Is support for 14.1 and below + tvOS possible?

    Fugu14 supports iOS/iPadOS 14.3-14.5.1 unmodified, and 14.2-14.2.1 by modifying the code. Is it possible to backport the Fugu14 untether to iOS 12.x and iOS/iPadOS 13.0-14.1 on arm64e devices, iOS 9.2-12.5.5 and iOS/iPadOS 13.0-14.1 on arm64 devices, and iOS 9.3.5-10.3.4 on arm32 devices? Also, is it possible for the untether to support tvOS 9.1-14.5?

    Reviewed by LeoI07 at 2022-05-08 18:17
  • 14. Jailbreak’s hijacking of analyticsd breaks many system services

    (Crosspost from Issue #2293 pwn20wndstuff/Undecimus)

    The Fugu14/unc0ver jailbreak evidently hijacks analyticsd, and renames the stock service to analyticsd.back, also editing /etc/passwd to make the analyticsd service use group _nanalytics instead of _analytics, which seems to be the root cause responsible for infamously breaking the Battery Usage settings history logs (BatteryLife/CurrentPowerLog.PLSQL, etc), as well as possibly the AirPlay speakers and CarPlay breakage(?).

    Because these are persistent system modifications, this breaks analyticsd (and thus, services depending on it) even when “not jailbroken”.

    iPad8,4 iPad Pro 11” 3rd gen A12X iOS 14.4 unc0ver 8.0.2

    Place an "x" between the brackets if true:

    • [x] this is a bug others will be able to reproduce
    • [x] this issue is present with all tweaks uninstalled (except for default packages) or disabled
    • [unknown] this issue is present after a rootfs restore
    • [x] this issue is present on the latest version of unc0ver

    I suspect the developer @LinusHenze already knows this perfectly well but felt it should be formally documented, seeing how half the Issues on Undecimus are people trying to get Battery Usage to work again on unc0ver v8.

    Reviewed by badger200 at 2022-05-04 13:12
  • 15. Newly-launched processes randomly spawn frozen (signal STOPped)

    (Cross post of Issue #2291 · pwn20wndstuff/Undecimus)

    This jailbreak tampers with launchd (replacing it altogether and spawning the real thing as a subprocess), randomly causing newly-launched processes to spawn in the frozen state. 👀 ⚠️ It’s definitely the jailbreak’s fault, as the source code has stuff specifically freezing launched processes for some reason. It tries to resume them all, but clearly is less than 100% successful.

    Using ps aux | grep ' T. ', look for processes with "T" (or T+) for Status. They are frozen with signal STOP. Identical to manually freezing a process via kill -STOP (pid).

    I constantly have to search for these and issue kill -CONT (pid), and often I experience very odd glitches where random parts of iOS fail, until I discover which process has been frozen today, and when I CONTinue it, suddenly everything I've tried doing that failed, all executes in a row, as if it has all been queued up/hung, waiting for that frozen process. You’d be surprised at all the nasty bugs that stem from various seemingly-unrelated system services being frozen..

    iPad Pro 11" A12X iPad8,4 Cellular 1TB iOS 14.4 unc0ver 8.0.2

    Place an "x" between the brackets if true:

    • [x] this is a bug others will be able to reproduce
    • [unknown] this issue is present with all tweaks uninstalled (except for default packages) or disabled
    • [unknown] this issue is present after a rootfs restore
    • [x] this issue is present on the latest version of unc0ver

    Doing terminal compiling large projects like LLVM or even smaller ones, using make -j4 for multi core, it's almost impossible to ever compile a project without numerous make processes getting frozen and halting the entire build until I keep hunting them down. (I've made bash shell aliases to make this quicker). Oddly it seems much less likely if I compile a single thread/core.

    Use bash alias stopped='pg '\'' T. '\''' , then you can just type stopped to find them.

    Oddly in CocoaTop64 these frozen processes show a task Status of "DB" which I'm not sure what it means.

    Is there anybody who DOESN'T experience this??? For example, is there anyone who can compile a large (5 minute+) program build spanning 100+ objects, and successfully do it 3x in a row, with zero freezes?

    In my opinion this unc0ver 8 / Fugu14 is the least stable jailbreak I've ever used. I'm still grateful as hell for it though. But man I get kernel panics every 3-7 days...

    Reviewed by badger200 at 2022-05-04 13:08
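A small helper for the hunt described in the post above (the poster's bash alias does the same thing with grep). This is an added example, not code from Fugu14 or from the poster: it parses ps aux-style output by header column, selects the processes whose STAT column begins with T (stopped, the state kill -STOP produces), and can send SIGCONT to each of them. The sample ps output is constructed; with dry_run=False the resume function touches real processes on the machine it runs on.

```python
# Added example: find processes left in the stopped state (STAT starting with
# "T") in `ps aux` output and optionally resume them with SIGCONT.
import os
import signal
import sys
from dataclasses import dataclass
from typing import List

# Constructed sample resembling `ps aux` on a BSD-style system (not real data).
SAMPLE_PS_AUX = """\
USER     PID  %CPU %MEM     VSZ   RSS   TT  STAT STARTED    TIME COMMAND
root       1   0.0  0.1 4305000  6100   ??  Ss   10:00AM 0:01.20 /sbin/launchd
mobile   812   0.0  0.2 4401000  9020   ??  T    10:05AM 0:00.10 /usr/bin/make -j4
mobile   815   1.2  0.3 4402000  9100   ??  R+   10:05AM 0:00.30 /usr/bin/clang -c foo.c
mobile   901   0.0  0.1 4303000  5000 s000  T+   10:06AM 0:00.00 /usr/bin/ld -o foo foo.o
"""


@dataclass(frozen=True)
class Proc:
    pid: int
    stat: str
    command: str


def parse_ps_aux(text: str) -> List[Proc]:
    """Parse `ps aux` output, using the header row to locate PID/STAT/COMMAND."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    pid_i, stat_i, cmd_i = header.index("PID"), header.index("STAT"), header.index("COMMAND")
    procs: List[Proc] = []
    for line in lines[1:]:
        # Split only up to the COMMAND column so the command line stays intact.
        fields = line.split(None, cmd_i)
        if len(fields) <= cmd_i:
            raise ValueError(f"short ps line: {line!r}")
        procs.append(Proc(int(fields[pid_i]), fields[stat_i], fields[cmd_i]))
    return procs


def stopped_processes(procs: List[Proc]) -> List[Proc]:
    """STAT beginning with 'T' means stopped, the state SIGSTOP leaves behind."""
    return [p for p in procs if p.stat.startswith("T")]


def resume_stopped(procs: List[Proc], dry_run: bool = True) -> List[int]:
    """Send SIGCONT to each stopped process; returns the PIDs acted on."""
    pids = [p.pid for p in stopped_processes(procs)]
    if not dry_run:
        for pid in pids:
            try:
                os.kill(pid, signal.SIGCONT)
            except ProcessLookupError:
                pass  # exited between the ps snapshot and now
    return pids


if __name__ == "__main__":
    # Pipe real output in (`ps aux | python3 this.py`) or fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PS_AUX
    for p in stopped_processes(parse_ps_aux(text)):
        print(f"stopped: pid={p.pid} stat={p.stat} cmd={p.command}")
```

On the constructed sample the two stopped entries are the make and ld processes (PIDs 812 and 901); the R+ clang and the Ss launchd are left alone. Parsing by header index rather than fixed offsets keeps the helper usable across ps variants whose column order differs.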
  • 16. fix missing arm64e slice from FuguKrw plugin

    I'm guessing it's incomplete though, because the point in the jailbreak that generates the trustcache for the library needs to be adjusted to include both archs.

    Edit: in case anyone is wondering why this is needed, /usr/lib/libkrw/1_unc0ver.dylib is a symlink to /usr/lib/substitute-inserter.dylib which only includes an arm64e arch. By default, libFugu14Krw.dylib only includes an arm64 arch.

    If any users here have noticed stuff like dimentio, fouldecrypt, etc. don't work correctly, you're welcome to grab a prebuilt version from this link (which you should thank @halo_michael for); also see https://github.com/LinusHenze/Fugu14/issues/200

    Reviewed by dlevi309 at 2022-05-01 03:06