
Apple TV 4 Jailbreak for tvOS 10

Thanks to the combined effort of Jonathan Levin, Marco Grassi and Luca Todesco we now have a semi untethered tvOS 10 jailbreak for the Apple TV 4. 

PLEASE NOTE THIS WILL NOT WORK WITH TVOS 10.1.1 or HIGHER
So far it's only been tested on 10.1 and 10.0.1, with possible lower firmware compatibility in the future (e.g. tvOS 9.1 - 10). If you are on any firmware besides these two, I strongly recommend you wait until they are tested; you were warned.

Taken from the FAQ page on Jonathan Levin's website...
Quote:
Ok. So now that it's made public, @nitotv (10.1), @KeithMLeonard (10.0.1) and myself (10.1) tested it, here is a collection of FAQs so I don't get bugged on Twitter:

Is 10.1.1 JBable? NO. This JB, when eventually released will be for all versions of TvOS up to and including 10.1, but NOT FOR 10.1.1.

What, also version 9.1??

YES. (albeit through a different bug) BUT NOT 10.1.1

Why is 10.1.1 NOT JBable? Because the bug used, CVE-2017-2370, has been patched.

How do I install it? Using Cydia Impactor.

What, every seven days?!?! Hell no. Only if you reboot. How often do you restart your TV STB? 'nuff said.

Is it foolproof? That depends on how foolish the fools are. Basically, it should exploit successfully every time, but KPP is presently at roughly 1/4. That means you might panic, but then all you need - if you don't succeed at first - try, try again. Once it works, it works, period, and you will not need to run it again unless you reboot.

Why is the GUI so poor? Because I'm a kernel hacker, not a GUI developer. Sorry. It's no small miracle I suffered through Xcode and objective-C long enough to create a functional GUI.

What does the JB provide? A full set of kernel patches which allows running unsigned code and injecting arbitrary libraries into any TvOS process.

And Cydia? No Cydia.

Where's Cydia? Ask Saurik, not me. I personally don't like it much as I use my own binaries. And that's not the purpose of this JB.

So wait, if there's no Cydia, is it a jailbreak? YES. Because it gives you a full shell and you can do whatever you want - side load apps, etc. And in theory a Cydia like App (or even Cydia itself) could easily be created for TvOS. And me, all I wanted is to have an open tvOS so I can document its inner workings for Vol I of *OS Internals.

Now that you mention it, how's that coming along?? Super, thank you. Lots of details I'm adding now. Hoping for a release around May.

So back to tvOS -- Will MobileSubstrate run on TvOS? No reason why the 64-bit version won't. But I did not include it.

How is TvOS different from iOS? Many very small ways. Most important, it does not run any 32-bit code. Also normal iOS IPAs won't work here. Sorry. But CLI binaries work just fine.

So what's in the IPA? A modified 64-bit only bootstrap.tar, containing /bin/sh -> /bin/bash, Some of my tools (in /usr/local/bin), dropbear (a free standing ssh daemon, with its keys in /etc/dropbear), and a few select binaries. Dropbear has been modified to run from /tmp, and the entire tar opens up in /tmp as well, so as to negate any remote chance of bricking.

How do I add more? Two options: Either extract bootstrap.tar to some directory, add whatever you want, and repackage into .tar and into the ipa, or - once you are in the JB:

cd /tmp

and then /tmp/bin/ls your way around, followed by /tmp/bin/mv ... files to their usual locations, taking care not to overwrite any system binaries.

Why like that? Because it's an intentional PoC meant for developers and researchers, not for the general public - and provides 100% the functionality that target audience needs, with minimal disruption of the filesystem. And, because I made the mistake of overwriting a stupid binary (/usr/sbin/nvram), which effectively bricked my older TvOS. I had to fork another $149 to get another ATV box, and - once bitten, twice shy.

Why would overwriting built-in binaries be dangerous? Because this is a semi-tethered JB, meaning when your ATV reboots, it's not JB anymore. And that means any binaries you introduced have no code signature, and will be slain by that despicable AMFI. So EXERCISE CAUTION WITH WHAT YOU ADD, AND DON'T OVERWRITE ANY EXISTING BINARIES (I have my tar invocation with -k for that)

Why doesn't it work every time? Because even though the bug is exploited very reliably (95%, thanks to tweaks), KPP bypassing has some... issues which I still need to iron out (due to more RAM in TV than there is in your average phone). So expect at least three panics for every successful run. If you get a warning about "this will likely fail", try it anyway. Most of the time liberTV can detect its inevitable demise, but sometimes it's wrong...

What does the Jailbreak report if "Increment J's counter" is selected? Absolutely nothing identifying - just the Vendor UDID, and the jailbreak flow, so I can figure out the success rate, and the slides. You want to leave this on if I am to improve the KPP reliability.

What are suggested steps once I'm in?


The jailbreak will automatically do this:
- chmod 000 /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate - to shut up that $%#%$# software updated daemon so it doesn't nag you if reincarnated (i.e. when you reboot)

which in my experience has shut up autoupdates. But you might also want to make sure:
- Disable auto-updates from GUI
- launchctl unload /System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist - to make sure the daemon is dead, dead, DEAD

- make a copy of /System/Library/Caches/apticket.der and save it somewhere SAFE.

- create a /var/root/.ssh/authorized_keys and put an SSH key from your host there. AND CHANGE THE DEFAULT PASSWORD FROM alpine.

- exercise extreme caution. I AM NOT RESPONSIBLE IF YOU BRICK YOUR TV, AND IF YOU DO, APPLE'S #@$#@$#@ DRACONIAN TYRANNICAL WHIM IS TO FORCE YOU TO UPGRADE TO 10.1.1, WHICH IS NOT JAILBREAKABLE
SOURCE: NEWOSXBOOK.COM
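The housekeeping the FAQ above describes - copying staged files out of /tmp without overwriting any existing system binary (the same intent as the author's tar -k), backing up apticket.der, silencing softwareupdated, and setting up key-based SSH for root - collected into one POSIX shell script. This is an added example, not liberTV's code and not from Jonathan Levin's site; the ROOT prefix variable, the function names and the sample key are my own assumptions so the steps can be rehearsed against a scratch directory before being run on a real box.

```shell
#!/bin/sh
# Post-jailbreak housekeeping for a liberTV box (added example).
# ROOT is an assumed prefix: leave it empty on the device itself, or point it
# at a scratch directory to rehearse the steps without touching anything real.
ROOT="${ROOT:-}"

# Copy one staged file to its final path. Prints "installed", or "kept" when
# the target already exists: a rebooted (no longer jailbroken) box would refuse
# to run an unsigned replacement, so system binaries are never clobbered.
safe_install() {
    src="$1"; dst="$2"
    if [ ! -f "$src" ]; then
        echo "missing"; return 1
    fi
    if [ -e "$ROOT$dst" ]; then
        echo "kept"; return 0
    fi
    mkdir -p "$(dirname "$ROOT$dst")"
    cp -p "$src" "$ROOT$dst" && echo "installed"
}

# Walk a staging tree (e.g. the extracted bootstrap under /tmp) and install
# every regular file to the matching path under ROOT, one status line each.
merge_staged_tree() {
    stage="$1"
    find "$stage" -type f -print | while IFS= read -r f; do
        rel="${f#"$stage"}"
        printf '%s %s\n' "$(safe_install "$f" "$rel")" "$rel"
    done
}

# Save apticket.der somewhere off the box, with a checksum beside it so a
# corrupted copy is noticed before it is ever needed.
backup_apticket() {
    dest="$1"
    src="$ROOT/System/Library/Caches/apticket.der"
    if [ ! -f "$src" ]; then
        echo "no apticket at $src" >&2; return 1
    fi
    mkdir -p "$dest"
    cp -p "$src" "$dest/apticket.der"
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$dest" && sha256sum apticket.der > apticket.der.sha256)
    elif command -v shasum >/dev/null 2>&1; then
        (cd "$dest" && shasum -a 256 apticket.der > apticket.der.sha256)
    fi
    [ -f "$dest/apticket.der" ]
}

# The FAQ's two update-silencing steps. launchctl is only invoked when ROOT is
# empty, i.e. when actually running on the device, never on the host.
silence_softwareupdated() {
    asset="$ROOT/var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate"
    if [ -d "$asset" ]; then
        chmod 000 "$asset"
    fi
    if [ -z "$ROOT" ] && command -v launchctl >/dev/null 2>&1; then
        launchctl unload /System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist
    fi
}

# Add a host public key for root (idempotent) and tighten permissions so
# dropbear will actually honour the file. Changing root's password away from
# "alpine" still has to be done interactively with passwd on the box.
install_root_ssh_key() {
    pubkey="$1"
    sshdir="$ROOT/var/root/.ssh"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    if ! grep -qxF "$pubkey" "$sshdir/authorized_keys" 2>/dev/null; then
        printf '%s\n' "$pubkey" >> "$sshdir/authorized_keys"
    fi
    chmod 600 "$sshdir/authorized_keys"
}

# Example run against a constructed scratch tree: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
    ROOT="$(mktemp -d)"
    mkdir -p "$ROOT/System/Library/Caches" "$ROOT/usr/bin"
    printf 'constructed ticket\n' > "$ROOT/System/Library/Caches/apticket.der"
    printf 'system ls\n' > "$ROOT/usr/bin/ls"
    STAGE="$(mktemp -d)"; mkdir -p "$STAGE/usr/bin" "$STAGE/usr/local/bin"
    printf 'my ls\n' > "$STAGE/usr/bin/ls"
    printf 'my tool\n' > "$STAGE/usr/local/bin/jtool"
    merge_staged_tree "$STAGE"                 # /usr/bin/ls is kept, jtool installed
    backup_apticket "$ROOT/backup"
    install_root_ssh_key "ssh-ed25519 AAAAC3-constructed-example-key host"
    silence_softwareupdated
fi
```

On the device you would run this with ROOT unset from the /tmp shell the jailbreak drops you into; the demo branch is there purely so the refusal to overwrite /usr/bin/ls and the idempotent authorized_keys handling can be seen on a throwaway directory first.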


DOWNLOAD LINK FOR JAILBREAK IPA
http://NewOSXBook.com/libertv/libertv.ipa

DOWNLOAD LINK FOR CYDIA IMPACTOR TO SIDELOAD THE IPA
Cydia Impactor


A word from NitoTV...

You heard the man, don't try it

An updated version of NitoTV for tvOS 10 is in the works.



https://twitter.com/nitoTV

Are you wanting to buy an ATV4 with a Jailbreakable tvOS version? - SiNfuL iPhone
