  • Stars: 201
  • Rank: 194,491 (Top 4 %)
  • Language: Objective-C
  • Created over 6 years ago
  • Updated over 1 year ago


Repository Details

A developer jailbreak for Apple Watch S3 on watchOS 4.1

jelbrekTime

A developer jailbreak for Apple Watch S3 on watchOS 4.1
Running this on an Apple Watch Series 3 on watchOS 4.1 will:

Features

  • Exploits kernel using v0rtex
  • Gets tfp0 and stores it to hsp4
  • Applies h3lix kernelpatches
  • Remounts / as rw
  • Extracts bootstrap.tar

Kernelpatches

  • Sets i_can_has_debugger = 1
  • Patches remount to allow remounting / as rw
  • Patches mount to allow mounting without nosuid
  • Sets proc_enforce = 0
  • Disables AMFI code signature checks
  • Allows rwx mappings (for cool watch tweaks?)
  • Disables a bunch of sandbox stuff (likely incomplete)

How to run

  • Clone the git repo
  • Open it in Xcode
  • Select a certificate for the main app / watch app / watch extension
  • Build and run the iOS app on the phone
    • On the phone go to Settings->General->Profiles and trust your certificate
    • Run the iOS app on the phone through Xcode again
  • Open jailbreak.m and set a breakpoint at the bottom where it says 'SET A BREAKPOINT HERE'
  • Build and run the WatchKit app on the watch
    • Wait for the app to install (this takes ages!!!)
    • Wait for Xcode to tell you launching failed
    • Launch the app manually on the watch
    • Accept the trust certificate on the watch
    • DO NOT CLICK jelbrekTime YET!
  • Run the WatchKit app through Xcode again!
    • Again wait for the app to install (this takes ages!!!)
  • Click the jelbrekTime button in the WatchKit app
  • Wait for the breakpoint to hit in Xcode
  • Now you can execute shell commands through the debugger by typing:
    • 'p mysystem("ls /")'
    • 'p mysystem("id")'
    • 'p mysystem("ps aux")'

Update: SSH is now working :D
To connect to the watch, use companion_proxy by qwertyoruiop.

Support more devices

If you want to run this on anything other than an Apple Watch S3 on watchOS 4.1, you need to modify this project.

watchOS 4.0-4.1

Simply add more offsets to offsetfinder.c and you should be good to go.
To find offsets, you can download watch OTA updates from ipsw.me and run offsetfinder on them.

watchOS 3.x

While watchOS 3.x (iOS 10.x) is vulnerable to v0rtex, structs such as kport_t differ from watchOS 4. To port jelbrekTime to 3.x you need to modify kport_t (and possibly other things) to get v0rtex running. You will also very likely need to make some changes to the kernel patches.
Some resources to get started are doubleH3lix and liboffsetfinder64 (obviously those projects are 64-bit, but you need to do similar things to a 32-bit kernel).

Credits

  • Siguza
  • qwertyoruiop
  • jk9357

Special thanks to @coolstarorg for compiling the bootstrap.tar for armv7k!

More Repositories

  • futurerestore (C++, 818 stars): A hacked-up idevicerestore wrapper which allows specifying SEP and baseband for restoring
  • tsschecker (C++, 718 stars): a powerful tool to check TSS signing status of various devices and firmwares
  • doubleH3lix (Objective-C, 225 stars): Jailbreak for iOS 10.x 64-bit devices without KTRR
  • img4tool (C++, 206 stars): A tool for manipulating IMG4, IM4M and IM4P files
  • usbmuxd2 (C++, 189 stars): A socket daemon written in C++ to multiplex connections from and to iOS devices over USB and WiFi
  • jbinit (C, 168 stars): iOS booter ramdisk creator for checkm8-based jailbreaks
  • ra1nsn0w (C++, 162 stars): A tethered booter for 64-bit iOS devices vulnerable to checkm8
  • libtakeover (C++, 98 stars): call functions in a remote process using the Mach API
  • iBoot64Patcher (C++, 90 stars): A reboot of the popular iBoot32Patcher but with twice the amount of bits
  • partialZipBrowser (C++, 81 stars): a tool for browsing and downloading files from zip files on a remote webserver
  • libpatchfinder (C++, 77 stars): A 64-bit offsetfinder. It finds offsets, patches, parses Mach-O and even supports IMG4
  • v1ntex (Objective-C, 68 stars): get tfp0 on iOS 11.2 - 11.4.1
  • desc_race-fun_public (C, 67 stars)
  • v3ntex (Objective-C, 64 stars): get tfp0 on iOS 12.0 - 12.1.2
  • libfragmentzip (C, 53 stars): A library allowing to download single files from a remote zip archive
  • treadm1ll (C, 50 stars): You don't need to be as fast as lightspeed, but a run on a treadm1ll surely doesn't hurt.
  • noncestatistics (C, 50 stars): a simple tool to get a bunch of ApNonces from iOS devices
  • igetnonce (C, 37 stars)
  • uido_public (C, 33 stars)
  • libgeneral (C++, 28 stars): general stuff for projects
  • otachecker (Objective-C, 25 stars): quick and dirty tool to check what OTA blobs are being signed by Apple
  • libipatcher (C++, 23 stars): a convenient wrapper for iBoot32Patcher/iBoot64Patcher
  • gido_public (C++, 23 stars)
  • stool (C, 21 stars): A tool for parsing/analyzing/extracting Nintendo Switch binaries
  • fwkeydb (20 stars)
  • kDFUApp (C, 18 stars)
  • kdp.py (Python, 16 stars): crappy "debugger"-like memory reader, to inspect a 32-bit iOS kernel after it panicked
  • cydia-repo.tihmstar.org (Shell, 14 stars)
  • exVasi0n (C, 12 stars): proof of concept using the evasi0n security issue
  • Breakout (C, 12 stars): Breakout is a free, completely open-source iOS 7 jailbreak.
  • jssy (C, 11 stars): Tiny JSON parser written in C
  • libgrabkernel (Makefile, 11 stars): just a kernelgrabber, for those who can't reach out of the sandbox
  • vacuumstreamer (C, 10 stars)
  • prelecta1212 (Objective-C, 10 stars): get ready for 1212 jb hax
  • homepodstuff (Shell, 10 stars)
  • libinsn (C++, 9 stars)
  • uido2hashcat (C++, 8 stars)
  • deadPengu1n (Objective-C, 8 stars): deadPengu1n - Pangu untether bug
  • webkitcacher (C++, 7 stars): Cache a directory with web files (html/js...) to an ApplicationCache.db file
  • micSpy (Objective-C++, 7 stars)
  • ps4-linux-git (Shell, 6 stars)
  • Fuzzyparrot (PHP, 6 stars): A semi-automated remote fuzzing tool for mov files on iOS devices
  • kfd_JBKit (C++, 6 stars)
  • dyld-print-to-file-exploit (C, 5 stars): exploits DYLD_PRINT_TO_FILE, modifies sudoers, cleans up and spawns a root shell
  • simpleShellEmu (C, 4 stars): simple shell emulator which runs on Linux
  • fwkeydb_tools (Python, 4 stars)
  • JBKit (C, 4 stars)
  • headsUpDisplay (Logos, 3 stars)
  • libdcsdled (C++, 3 stars): A wrapper library for controlling LEDs on a DCSD cable
  • mkinitcpio-ps4 (Shell, 3 stars)
  • rootpipe2_exploit (Objective-C, 2 stars): rootpipe exploited again on 10.10.3
  • developerexcuses-App (Objective-C, 2 stars): Little app which grabs the funny jokes from http://www.developerexcuses.com/
  • rb3converter (C++, 2 stars)
  • slides (1 star)
  • freePW_tc7200Eploit (Objective-C, 1 star): Technicolor TC7200 - Credentials Disclosure CVE: CVE-2014-1677
  • img2tool (C++, 1 star): A tool for manipulating IMG2 files
  • GamecubeControllerAnalyzer (C++, 1 star)
  • img1tool (C++, 1 star): A tool for manipulating IMG1 (8900) files