#nitotv
nitoTV 4 tvOS update
Overall update
I apologize from the bottom of my heart for how long it's taken to get an update on this. I truly am really sorry and appreciate all the patience from those of you who have stuck around and kept your Apple TVs on a compatible version for this jailbreak.
That being said, I know I said on Twitter that I was going to cover a big setback when I thought of how to phrase it diplomatically. I've decided there's no way to do that, and it was a setback that was unavoidable and a pretty bad one, on the backend side. It is in no way jaywalker's fault either. That's as much as I've deemed necessary to say about it.
Backend update
Due to the fact that I got laid off from my job this week, my "free" time has increased (so to speak). I've decided to take over any work that has been done on the backend with regards to the toolchain. I know I avoided talking about details above; suffice it to say the toolchain needs to be started over completely, and I'm taking that work off of Justin's hands because he doesn't have the time to do it and I do now.
That being said, at this very moment I'm going to spin up a Linux VM and start / resume building with any notes that he needs to provide me. I don't have any estimate on how long that will take me, doing it all in straight-up Linux, which isn't my normal wheelhouse. Not that I'm not comfortable there based on my Darwin experience on OS X, but also in the interest of full disclosure.
Application loading
Not going to bore you with all the details of why alternate locations for application loading have been necessary to move things forward; I covered it pretty well in posts prior to this one.
Over the course of DEF CON, and a few additional days afterwards working with qwerty, this conundrum has MOSTLY been solved. We can load applications from any location that we like; we have chosen /var/mobile/Applications/ (for now) as the target to load applications from.
This works reliably, for tvOS 9 and 10 now. There are still some issues regarding folder / keychain / etc sharing between top shelf plugins and applications, but aside from that it seems to be solved.
Potential Problem:
That being said, there is a new issue that has arisen since this solution was found, and I'm not sure if it is related. Ever since I've been using this new solution I can no longer successfully sideload tvOS applications from Xcode. It complains that "No such file or directory: /usr/libexec/springboardservicesrelay" is now an issue; strangely enough, that binary is not even part of a standard tvOS installation. This needs to be eliminated as a potential side effect of our process before anything can be released as well. Going to work on this in tandem with updating the toolchain.
Conclusion
tl;dr the following things are in progress and need to be taken care of to get nitoTV released for this and any future versions of tvOS jailbreaks:
1. update the toolchain to 64-bit (which I am now personally working on)
2. figure out how I broke Xcode app sideloading
3. finish any UI work to tie it together with the finished backend / toolchain
Final thoughts
I know this sounds like a mountain of work, but now that I'm unemployed at the moment I have more time to focus on this, and I'm hoping that facilitates it getting done quicker.
1 note
The backstory of the Electra jailbreak, and how it eventually turned into a nightmare
Back in December 2017, the async_wake exploit was released by Ian Beer for iOS 11.0 - 11.1.2. Shortly after, some other developers (ninjaprawn and stek29) got Dropbear and some basic tools running by using xerub’s trust-cache injection.
My iPad was sitting unused on 9.3.3 for a while, so I figured I’d update it and see what I could do on 11.1.2. I quickly replaced the bootstrap with some freshly compiled GNU core utilities. Meanwhile, ninjaprawn built an initial payload to inject into amfid to try getting arbitrary executables to load. I then (at the same time as, but independently from Morpheus) figured out we needed to add the platform-application entitlement for our fancy new amfid patch to work, and we were off to the paces.
However, we still couldn’t inject tweaks just yet. Our injector could inject dylibs into SpringBoard, however, library validation prevented our dylibs from working unless they were in trust cache. Furthermore, there were timing issues with the dylibs injecting too late. Something better needed to be done.
I began working on a “jailbreakd” that would take the kernel task port given by async_wake and hold onto it, so we could do modifications in the kernel as needed (by having jailbreakd receive commands over UDP from localhost). Starting off with injecting codesigning flags and injecting entitlements, I was quickly able to disable library validation, and was able to get dylibs loaded. However, we still needed a better solution. With some modifications to our injector, I was able to get injection into launchd working. However, the latest build of substrate (this was back in December 2017, but is still valid as of March 2018) failed to work and was giving vague assertion failures when our own injector was working fine.
I decided to reach out to saurik to see if he was interested in getting substrate working, as it would be a fairly trivial task at this point. However, he stated he was not interested at all. Having come this far (and with the stock icons on my iPad still looking ugly), I decided to start building my own solution. I built my own payloads for launchd and xpcproxy which would inject the necessary DYLD_INSERT_LIBRARIES environment variable and call jailbreakd to fixup entitlements and codesigning as needed.
However, we still needed a library for tweaks to hook method calls, as we couldn’t expect everyone to only rely on bundling fishhook or using the Objective-C runtime directly. With substrate closed source, non-functional and the developer uninterested, I looked out for alternatives and remembered comex’s substitute. Substitute is supported on iOS; however, it had previously only been tested on iOS 8, and definitely not in mass deployment. However, with some further patches to our injector to lower codesigning restrictions, surprisingly substitute worked on iOS 11.
With substitute working, I was able to get Anemone not just running, but almost fully functional on iOS 11. The entire stack was fairly new and in beta, but I decided it would be cool to share it so tweak developers could get tweaks working on iOS 11 while the stack was worked on simultaneously. Thus on January 12, 2018, I released Electra beta 1 - a toolkit that installed Dropbear, GNU coreutilities, Substitute, Tweak Injector (then known as SBInject), PreferenceLoader and Anemone. The beta was contained in /bootstrap to have the least issues and for easy cleanup and upgrade path.
Electra beta 1 (and the async_wake fork it was prior to that) were open source, so Electra received some notable contributions. Contributions were received for setting host special port 4, for loading our own launch daemons, for setting jailbreakd as a launchd service, and for mitigating sandbox restrictions.
All was working well and good, one would think.
However, we quickly ran into some issues. Remember that jailbreakd used UDP for receiving commands. However, UDP could potentially drop packets if too many messages were sent (especially since jailbreakd used NSLog() for debug logging, which could halt the thread and cause packets to drop even on localhost). This was most notable if we attempted to reload all launch daemons, which is necessary for tweaks to load into all processes.
A contribution was received to swap jailbreakd to XPC, in launchd, xpcproxy, and everywhere else. However, I noticed with the XPC changes my test devices froze after 30 minutes of usage. I suspected the issue was with our hack to get XPC working in launchd, so I switched launchd back to UDP. However, we were still left with the problem with packets being dropped. So I decided to implement TCP in launchd and let it use XPC everywhere else. This fixed the issue with packets being dropped as they were simply re-transmitted. However, launch daemons were still getting stuck when we were reloading all of them at once...
Until I realized it was NSLog() that was causing problems all along. With some patches to swap it for fprintf’s, the issue was alleviated and we could reload without any problems, and the freezing issue was gone from my own device, so I decided to release these updates as beta 11.
I ran some stress tests to check the stability of the jailbreak by reloading all launch daemons several times, and it was working perfectly, so I decided it was time we start making it the full jailbreak it could be. I started rebuilding all the dependencies needed to run Debian’s APT and dpkg from the latest upstream sources (from both GNU and Apple/BSD respectively), since the newer sources built fairly easily for iOS, so it made sense to use them rather than using the patches saurik used back on iOS 2.0. I was then provided some scripts by nitoTV to build APT and dpkg. After building a new bootstrap (which had to be extracted to the rootfs, couldn’t sandbox it anymore), I was able to get apt-get working!
With some patches to Cydia (binary patches mind you, since the main Cydia app was near impossible to build), I managed to get it working on iOS 11 with our versions of dpkg, APT, etc. I took a look at my iOS 10 device to see how the packages were set up, and set up the layout for Electra’s packages so that it would be an easy upgrade path, should saurik decide to support iOS 11 and provide updates for it (with possible interchanging of packages, should his also support iOS 11 -- this was tested on iOS 10 and does work). As none of saurik’s packages were updated since October 2017, I didn’t expect him to post any updates until he decided to start supporting iOS 11. So I marked Electra’s packages as the versions they really were (since most of the tools were quite possibly a decade newer than saurik’s [being built in 2018 rather than 2009]), and where we were using the same version as saurik’s tools, I incremented the version by 1 and added the “-coolstar” suffix (this was only for APT, uikittools and cydia).
I built Release Candidate builds and began submitting them privately to developers to test, as some wanted a more realistic setup with dpkg and APT to be able to test certain packages. However, with our setup not finalized yet, I didn’t want to make it public, since we could potentially make breaking changes with no upgrade path past one minor RC version (since keeping track of all changes from RC 1 to final release 1.0 could potentially be a huge burden if any major breaking changes were made, as we couldn’t simply wipe /bootstrap and place a new one in). Furthermore, with the SHSH window closed I didn’t want to potentially bootloop devices by overwriting files, so I used tar’s “-k” option to keep existing files.
The situation was already complicated by the fact that the device the jailbreak would be installed to might not have been on stock iOS to begin with (something all other jailbreaks assumed). For example, the “topanga” toolkit installed the iOS 10 bootstrap (which doesn’t work at all on iOS 11 due to usage of 32 bit binaries, which Apple dropped support for in 11). Furthermore, since we configured tar to not overwrite files already on the filesystem, if the filesystem wasn’t clean, our bootstrap could potentially not extract at all, resulting in a messy situation.
I decided to compromise by detecting these problematic files and indicating to the user that they installed “topanga” and needed to either uninstall it somehow or futurerestore their device to stock iOS 11.
However, one of the developers who was given the RC 1.2 build (initial testers only got RC 1.1 due to some delays with RC 1.2’s rollout) decided to leak it. Normally I wouldn’t care about a beta leak; however, with the SHSH window closed, this caused the already sticky situation with topanga to get even worse, as we had to deal with potential users already having the RC that should have been private, especially as the bootstrap layout wasn’t finalized yet.
I decided not to deal with this, especially as it wasn’t an official release, and simply issue warnings against installing the RC, and state that people using the RC may not be able to upgrade as it wasn’t finalized and we could make breaking changes.
This was when everything turned into a nightmare. People on /r/jailbreak and on twitter began spewing all sorts of conspiracy theories about how we were adding “DRM” into Electra by checking for topanga and/or the leaked RC (we actually don’t check for the leaked RC), when these in reality are safety checks. Furthermore, certain individuals on /r/jailbreak were trying to pull out the “that guy’s childish” card on us, when in reality, we have every right not to support such an unclean installation of iOS. (/r/jailbreak moderators, where were you???)
I decided that the noise was enough for the time, so I temporarily deactivated my twitter to work on it privately. Meanwhile, I issued the release candidates out to more developers and testing appeared to go well.
On February 26th, I was then able to finally announce the release of Electra 1.0, as most of the developers I gave the RCs out to privately didn’t complain about any issues, nor did I notice any issues in my own testing. I even updated my other iOS 10 device (my iPhone 6S) to iOS 11, since I noticed how stable 1.0 was on my iPad Air 2.
A day after, however, saurik decided to push an update for APT (both late at night, and unexpectedly after months of no updates), which was missing 64-bit support or the necessary entitlements entirely, and thus wouldn’t work on iOS 11, breaking Cydia on Electra if the update was installed. As Cydia broke on iOS 11 devices, saurik made a post, which was quickly misinterpreted by a majority of people on reddit (who then created conspiracy theories all over again and filled the subreddit with spam -- where are the moderators????). Eventually I was able to address the issue by stopping updates from saurik’s repo (since he indicated he didn’t want to support Electra, and his packages were all non-functional on Electra anyway even if they were downloaded and could actually cause problems) and by installing the correct APT version in 1.0.2.
Later, however, several iPhone X users and some users of other devices began reporting issues with the device freezing randomly (very similar to what I noticed with the original XPC change before I switched launchd off XPC). These reports ranged from constructive feedback to downright insults. All of this, mind you, was with my own iPhone 6S and iPad Air 2 running perfectly fine.
I suspected the issue could possibly be a bad tweak (as safe mode only protects SpringBoard and backboardd, not system daemons) or a bad launch daemon simply crashing and looping when it was restarted by launchd. As a test I decided to load the broken build of RocketBootstrap (version 1.0.5, before it was fixed in 1.0.6), which was missing the “platform-application” entitlement in rocketd. As expected, rocketd was crash-looping as it was started by launchd and then killed by sandbox for missing the entitlement. This was hogging up plenty of resources and actually also preventing launchd from starting new processes other than rocketd, which also manifested itself in the UI as a significant device slowdown with the device entirely freezing up after a few minutes.
When the problematic tweak was removed, the freezing was gone and my device was back to normal, with everything working correctly. I decided to take a survey using Google Forms and noticed a substantial number of the responses had people using pirated tweaks. Normally I don’t care about piracy; however, in situations where the device is unstable, it can be a legitimate problem. Piracy repos, by definition, are re-hosting tweaks (sometimes even free ones), which are often outdated compared to their original source, depending on the repo. Some of them could definitely contain bad launch daemons (e.g. older versions of RocketBootstrap, the current version of Filza, and some other tools) that are missing the necessary entitlement to run on iOS 11.
Thus, I had every right to believe that the issue was caused by tweaks (although I later found out that 1.0.2 did actually have an issue on certain devices from using XPC in xpcproxy). However, many obvious pirates in particular were spamming my social media channels about the very issue, making it very difficult to see any messages from non-pirates. (It’s very easy to ignore a few people, but if they reach the hundreds of people, it becomes very difficult, as their spam takes up most of the visible space when looking at twitter/reddit).
To be clear, I quite frankly don’t care what people install on their own devices; however, it gets annoying when hundreds of people submit bug reports with their device clearly having pirated packages (some of which were outdated and definitely problematic). I made a rhetorical comment about how blocking piracy repos would make Electra less buggy. This was very much true, as it would lower the number of potentially problematic tweaks (as piracy repos often ship outdated tweaks with modified version numbers -- see Appsync Unified). However, this also caused huge outcry as people began clamoring, thinking I’d permanently block piracy repos; although I don’t care if users are using them. However, they should not have them, as they alone can cause the same issue that was also caused by the same bug in the jailbreak at the time.
Meanwhile, a certain prominent developer decided to try claiming I was lying by stating *after the final release* that he was having issues with freezing. (Keep in mind, this developer had access to the release candidates, most definitely downloaded and installed them, and didn’t report a single issue). This developer was being very passive-aggressive when asked for logs and info that would be useful (which he didn’t provide by the way) and was stating he’d rather wait for the tool saurik hinted at, even though Electra was already complete and only needed that bug fix.
With some help from the PokeGo++ developer (thank you), I was able to fix this bug in 1.0.3, confirm the bug was fixed, and make the update available. However, the conspiracy theories from the earlier tweet spiraled out of control both on /r/jailbreak and my personal twitter that it became absolutely insane to try and handle.
As of right now, 1.0.3 is the latest version of Electra with no major known bugs (the launchd issue seems more of an issue with how launchd is implemented on iOS, as daemons shouldn’t crash constantly on iOS). Maybe issues will be discovered and fixed, maybe not. However, 1.0.3 works perfectly on my device as well as many others. The entire situation, unfortunately has become too complicated, as it’s near-impossible to attempt to debug issues that could crop up from 3rd party packages, especially if they can exhibit the same issues that can crop up from a bug in the jailbreak itself. (And the spam from people who think they know more than someone who has actually worked on the jailbreak they’re talking about)
So at the end of the day, while Electra has definitely benefited from being open, it also has ended up becoming a nightmare to maintain, with some reasons that were external, and some that were from Electra being open. However, the amount of spam and hatred I’ve been receiving from conspiracy theorists putting words in my mouth has gotten to a level that it seems better to do development in private and occasionally only pop up to release...
103 notes
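The jailbreakd story above turns on one transport property: a localhost UDP command channel silently drops datagrams once the receiver's socket buffer is full (which is exactly what a thread stalled in NSLog() produces), while TCP applies backpressure to the sender and retransmits, so nothing is lost. The following script is an added illustration, not Electra's code and not jailbreakd's real wire protocol; the "command" bytes, the tiny receive buffer, the burst size and the function names are all constructed for the demonstration. It sends the same burst of fixed-size commands over loopback UDP and loopback TCP to a receiver that only starts reading after the burst, and returns the sequence numbers that actually arrived on each.

```python
import socket
import threading
import time

HOST = "127.0.0.1"
# Constructed sample command; a fixed-size frame of 4-byte sequence number + padded payload.
PAYLOAD = b"command:fixup-codesign pid=1234".ljust(200, b" ")
FRAME_LEN = 4 + len(PAYLOAD)
# Deliberately tiny receive buffer so a stalled receiver overflows quickly (the kernel
# rounds this up to its own minimum, which is still far smaller than the burst below).
SMALL_RCVBUF = 4096


def frame(seq):
    """Build one fixed-size command frame carrying a 4-byte big-endian sequence number."""
    return seq.to_bytes(4, "big") + PAYLOAD


def udp_burst(n_msgs):
    """Send n_msgs command datagrams over loopback UDP while the receiver is not reading,
    then drain the socket. Returns the sequence numbers that survived; the rest were
    dropped by the kernel without any error being reported to the sender."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, SMALL_RCVBUF)
    rx.bind((HOST, 0))
    port = rx.getsockname()[1]
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for seq in range(n_msgs):
        tx.sendto(frame(seq), (HOST, port))  # never blocks: UDP has no backpressure
    # Receiver "wakes up" only now, models the thread that was blocked in logging.
    rx.settimeout(0.2)
    got = []
    try:
        while True:
            data = rx.recv(65535)
            got.append(int.from_bytes(data[:4], "big"))
    except socket.timeout:
        pass
    tx.close()
    rx.close()
    return got


def tcp_burst(n_msgs, receiver_stall=0.1):
    """Same burst over loopback TCP. The sender's sendall() blocks once the receive window
    is full instead of dropping, so every command arrives, in order, once the receiver
    catches up. Returns the sequence numbers reassembled from the byte stream."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, SMALL_RCVBUF)
    listener.bind((HOST, 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def sender():
        tx = socket.create_connection((HOST, port))
        for seq in range(n_msgs):
            tx.sendall(frame(seq))  # blocks under backpressure rather than losing data
        tx.shutdown(socket.SHUT_WR)  # EOF tells the receiver the burst is complete
        tx.close()

    t = threading.Thread(target=sender)
    t.start()
    conn, _ = listener.accept()
    time.sleep(receiver_stall)  # receiver stalled, as in the UDP case
    buf = b""
    while True:
        chunk = conn.recv(65536)
        if not chunk:
            break
        buf += chunk
    t.join()
    conn.close()
    listener.close()
    # Stream has no message boundaries, so frames are recovered by their fixed length.
    return [int.from_bytes(buf[i:i + 4], "big") for i in range(0, len(buf), FRAME_LEN)]


if __name__ == "__main__":
    n = 2000
    udp = udp_burst(n)
    tcp = tcp_burst(n)
    print(f"UDP: sent {n}, received {len(udp)} (silently lost {n - len(udp)})")
    print(f"TCP: sent {n}, received {len(tcp)}, in order: {tcp == list(range(n))}")
```

Two things the post's fix relied on show up directly: the UDP sender gets no error for the lost commands (a daemon relying on them would simply never be told to fix up a process), and the TCP sender is slowed down to the receiver's pace, which is why a command channel to a process-critical daemon wants a reliable, flow-controlled transport such as TCP or XPC rather than fire-and-forget datagrams.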
Unc0ver tvOS Jailbreak

You can get the Unc0ver tvOS jailbreak now, also with its latest version for iOS 13.5. You also now have the possibility to download the latest Uncover beta version, 5.1.0, and you can use it with Apple TV HD and Apple TV 4K models on tvOS 13.4.5 and older versions.
tvOS Jailbreak with unc0ver 5.1.0 beta
You may have a question about why you should jailbreak your tvOS. There are many valuable reasons for the jailbreak process. We have mentioned some of them below. Take a look at them.
The first thing is that you can sideload applications on your tvOS which you like to use.
The second thing is that we all love to play games, so after you finish this jailbreaking process you will be able to install any kind of game emulator which you would like to play.
The third one is that you will be able to install new tweaks and utilities which you are not authorized to use from the App Store.
Uncover also said this clearly on their website: Unc0ver gives you full permission to do whatever you want to do with your Apple TV device. It allows you to change and operate your purview. In short, it releases the true power of your Apple TV.
Currently you have Unc0ver TV beta 2 released, and it has these changes and bug fixes:
You can enable tvOS 12.4 with this beta version
You have the possibility to launch image
There is an option in settings to rename Cydia to NitoTV
And it also makes failure to purge updates non-fatal
If you are new to the jailbreak world, no need to worry; all you need to do is simply visit www.cydiacloud.com/jailbreak/unc0ver. You will find out all you want to know.
Jailbreaking procedure for tvOS 13.4.5
Jailbreaking an Apple tvOS is not easier than jailbreaking your iPhone or your iPad using Unc0ver. Here we have included the jailbreaking steps. So, follow these steps carefully and then you can experience new features on your Apple tvOS. But you need to have Xcode and iOS App Signer on macOS to follow these steps.
First you need to get Xcode and iOS App Signer on macOS if you don't have them.
Then create a new tvOS Single View App project using Xcode
Then you have to set up the project and create a Provisioning Profile using your Apple Developer Account
It is okay if you use a free account, and you also need to get a signing certificate
After that, open iOS App Signer and drag and drop the Unc0ver IPA file into that application window.
Then choose your Apple ID under the Signing Certificate dropdown menu and the Provisioning Profile
After that, click on "Start" to sign your application
Then open Xcode and navigate to Window > Devices
Then connect your Apple TV
Now you need to click on the "+" button inside "Installed Apps"
Then select the signed Unc0ver IPA file
Then go to your Apple TV and open the Unc0ver application there
Then click on the "jailbreak" button
Now it will begin to restart and complete the jailbreak process
That's all.
0 notes
what a pussy. lol, “you need gov permission for everything” did you get a receipt when you gave up your balls?
— kb (@nitoTV) April 11, 2020
0 notes
Checkra1n Jailbreak Released for Apple TV 4
The checkra1n jailbreak has been updated with support for the Apple TV 4. The release was announced on Twitter by @nitoTV.
At this time the checkra1n jailbreak for tvOS only works on the fourth generation (HD) Apple TV.
Support for the 4K Apple TV is possible but it will require a cable that doesn’t exist yet and a reliable way to get into DFU mode. There are no ETAs on either.
If you have a…
0 notes
brief update
nitoTV and co have been updated to support tvOS 11.x utilizing work from the electra project (jailbreakd et al). This includes app and tweak loading. Some tweaks may require extra work to be compatible with jailbreakd, but most things have been pretty seamless. Currently 11.1 is supported using the async_wake exploit. 11.3 support will currently only be possible utilizing the empty_list exploit; multi_path is not applicable without an additional sandbox escape.
Since baseline support is mostly complete for 11.x, the sights are turning to 10.2.2 being updated with a kppless jailbreak. Thanks to PsychoTea providing me with meridian code, this should be a low-impact change that I can execute pretty quickly. From there, and somewhat in parallel with the rest, jaywalker will help get empty_list working properly on tvOS. After all of that is complete we can release.
TL;DR:
1. 11.1 support is essentially complete
2. 10.2.2 jailbreak becoming kppless is next priority
3. get empty_list under control on tvOS for 11.3 support
4. clean up bootstrap, last minute touches
stay tuned!!
0 notes
Apple hid a Lightning connector for debugging in the Apple TV 4K’s ethernet port
As it turns out, the Apple TV 4K includes a hidden Lightning port. This discovery was first made on Twitter by Kevin Bradley, better known as nitoTV on Twitter. This could lead to access to the Apple TV 4K’s firmware.
While earlier Apple TV models had Micro USB and USB-C, the Apple TV 4K dropped all … source https://9to5mac.com/2019/10/17/apple-tv-4k-lightning-port/
0 notes
ChimeraTV v1.3.6 Jailbreak released with Sock Puppet improvements and a newer iteration of nitoTV
Earlier today, the Electra Team released version 1.3.6 of the iOS 12-centric Chimera jailbreak with improvements for the Sock Puppet exploit and a fix for random crashes after jailbreaking, and as it would seem, they’ve just now pushed a similar update for the tvOS-centric ChimeraTV jailbreak.
The Electra Team announced ChimeraTV v1.3.6 via Twitter just a few minutes ago: Source link www.idown…
0 notes
Electra Compatible with iOS 11.0 – 11.4.1
For all iPhones, iPods touch, iPads and Apple TVs
Download
SHA1: 1b35c1364c791aeceab2ded5f04e74bf27d131b1
Mirror: Mega
Download tvOS
Thanks to nitoTV and Jaywalker for the tvOS port!
SHA1: d2017d0af76b0f6de3cd18fae555535df3cbda70
Mirror: Mega
Important: Make sure to delete OTA update, install tvOS profile (only install tvOS profile on iOS) and reboot before using Electra!
Change…
0 notes
How to restore an Apple TV 4 from tvOS 10 to tvOS 11 with futurerestore
After using nitoTV on the tvOS 10.2.2 greeng0blin jailbreak for a while, I’ve decided it’s not quite there for me yet. With the ability to sideload my favourite movie-watching and media streaming apps without a jailbreak, and very few other tweaks yet available on nitoTV, the downsides outweigh the benefits of having a tvOS 10.2.2 […]
The post How to restore an Apple TV 4 from tvOS 10 to tvOS 11 with futurerestore appeared first on Information Overload News.
from Information Overload News http://www.informationoverload.news/how-to-restore-an-apple-tv-4-from-tvos-10-to-tvos-11-with-futurerestore/
0 notes