如何创建一个rootapp
1.先安装iosOpendev,详见(iOS之逆向学习之 iOSOpendev安装)
2.创建一个原生app工程
3.点击+号 Add User-defined settings,添加iOSOpenDev配置项,最主要的是添加CODE_SIGNING_ALLOWED为NO,关闭签名
4.还要手动设置证书为空,Targets-->buildSetting里搜索sign,@1 将Code Signing Identity设置为空 @2设置Code Signning Entitlements为本地的entitlements
entitlements内容为:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>platform-application</key>
<true/>
<key>com.apple.private.mobileinstall.allowedSPI</key>
<array>
<string>Lookup</string>
<string>Install</string>
<string>Browse</string>
<string>Uninstall</string>
<string>LookupForLaunchServices</string>
<string>InstallForLaunchServices</string>
<string>BrowseForLaunchServices</string>
<string>UninstallForLaunchServices</string>
<string>CopyDiskUsageForLaunchServices</string>
<string>InstallLocalProvisioned</string>
</array>
<key>com.apple.private.security.no-container</key>
<true/>
<key>com.apple.private.skip-library-validation</key>
<true/>
<key>com.apple.lsapplicationworkspace.rebuildappdatabases</key>
<true/>
<key>com.apple.private.MobileContainerManager.allowed</key>
<true/>
<key>com.apple.private.MobileGestalt.AllowedProtectedKeys</key>
<true/>
<key>com.apple.managedconfiguration.profiled-access</key>
<true/>
<key>run-unsigned-code</key>
<true/>
<key>dynamic-codesigning</key>
<true/>
<key>get-task-allow</key>
<true/>
</dict>
</plist>
5.在工程目录下创建一个Package目录,在其下创建Applications和DEBIAN两个文件夹,DEBIAN下创建prerm 、postinst、preinst、postrm、control三个文件
prerm:该脚本负责停止与软件包相关联的daemon服务。它在删除软件包关联文件之前执行。内容为:
#!/bin/bash
killall -9 TestRootApp > /dev/null
postinst
该脚本的主要任务是完成安装包时的配置工作。许多“postinst”脚本负责执行有关命令为新安装或升级的软件重启服务。内容为:
#!/bin/bash
get_ios_ver()
{
OSVERLINE=`grep -n 'ProductVersion' /System/Library/CoreServices/SystemVersion.plist | sed 's/:.*//'`
((OSVERLINE+=1))
OSVER=`cat /System/Library/CoreServices/SystemVersion.plist | sed -n "${OSVERLINE}p" | sed 's/^.*<string>//' | sed 's/<\/string>.*//'`
echo ${OSVER}
}
#cd "/Applications/TestRootApp.app/"
#
## process origin binary
#mv TestRootApp TestRootApp_
#chown root.wheel TestRootApp_
#chmod +s TestRootApp_
#
#cont=`cat <<"EOF"
##!/bin/bash
#dir=$(dirname "$0")
#exec "${dir}"/TestRootApp_ "$@"
#EOF
#`
## create new fake binary
#echo -e "$cont" > TestRootApp
#chown root.wheel TestRootApp
#chmod +x TestRootApp
echo "Set permission..."
chown -R root:wheel /Applications/TestRootApp.app
chmod -R u=rwx,go=rx /Applications/TestRootApp.app
chmod ug=rwx,o=rx /Applications/TestRootApp.app
chown root:wheel /Applications/TestRootApp.app/TestRootApp /Applications/TestRootApp.app/libs/* /Applications/TestRootApp.app/*.png /Applications/TestRootApp.app/*.plist
chown -R mobile:mobile /private/var/mobile/Media/TestRootApp
iOSVer=`get_ios_ver`
iOSVerArray=(${iOSVer//./ })
iOSVerCount=${#iOSVerArray[*]}
if [[ ${iOSVerCount} > 1 ]]; then
if [[ ${iOSVerArray[0]} == 11 ]]; then
chmod u+s /Applications/TestRootApp.app/TestRootApp
fi
fi
echo "Clean icon cache..."
su -c /usr/bin/uicache mobile > /dev/null
#The RESPRING script after Install
declare -a cydia
cydia=($CYDIA)
if [[ $1 == install || $1 == upgrade ]]; then
if [[ ${CYDIA+@} ]]; then
eval "echo 'finish:restart' >&${cydia[0]}"
fi
fi
exit 0
preinst,在Deb包文件解包之前,将会运行该脚本。许多“preinst”脚本的任务是停止作用于待升级软件包的服务,直到软件包安装或升级完成.内容为:
#!/bin/bash
#echo "Stop IDBScannerTool services..."
#killall -9 SlionDaemon STask IDBScannerTool > /dev/null
echo "Remove old files..."
rm -rf /Applications/IDBScannerTool.app > /dev/null
postrm.该脚本负责修改软件包链接或文件关联,或删除由它创建的文件。内容为:
#!/bin/bash
echo "Clean icon cache..."
su -c /usr/bin/uicache mobile > /dev/null
#rm -rf /Applications/TouchSprite.app
declare -a cydia
cydia=($CYDIA)
if [[ ${CYDIA+@} ]]; then
eval "echo 'finish:respring' >&${cydia[0]}"
else
echo "Please respring your device after this!"
fi
exit 0
control,主要是设置版本号、包名、依赖系统版本
Package: com.xx.crashDemo.TestRootApp
Name: rootApp
Version: 1.0.0
Description:
Section: System
Depends: firmware (>= 5.0)
Conflicts:
Replaces:
Priority: optional
Architecture: iphoneos-arm
Author: XX
dev:
Homepage:
Depiction:
Maintainer:XX
Icon:
6.在RunScript脚本里加上/opt/iOSOpenDev/bin/iosod --xcbp
7.打包,只能通过Profiling方式打包,xcode-->product-->Build For-->Profiling
8.经历7步骤首次打包还没有问题,多次打包之后会报copy 错误,要解决这个要删除工程里的Package/Applications下的.app,可以写一个脚本专门删除这玩意,在RunScript里运行
work_path=$(dirname $0)
cd ${work_path} # 当前位置跳到脚本位置
rm -rf Package/Applications/*
ps: 我用rootapp里面有个网络请求,我发现用un0cover越狱之后,网络请求死活是 the internet connection appears to be offline,这种情况先的确定是代码问题还是网络权限问题,我们随便写一个百度的get请求发现也是报这个错.顺速是网络权限没开.关键我首次打开app的时候,也没弹提示框啊,这就尴尬了,是不是rootapp都不弹这玩意,那咋能有网呢,我也很懵逼啊,越狱真不是人玩的.我在想各大做越狱root app的厂商也可能有这问题啊,于是玩找到了触动精灵的官网官网一顿找,反正就在常见问题和各种问题里一顿找,终于让我知道这个网站https://www.touchsprite.com/d...
于是发现他们教程里要三个系统联网配置文件
rm -rf /private/var/preferences/com.apple.networkextension.plist
rm -rf /private/var/preferences/com.apple.networkextensioncache.plist
rm -rf /private/var/preferences/com.apple.networkextension.necp.plist
killall -9 SpringBoard
真正试验发现只在iOS14上有效果(我只有13、14的机型),在iOS13没效果,我查了半天试了下面方式:
rm -rf /private/var/preferences/com.apple.networkextension.plist
killall -9 CommCenter
为了兼容就写成
rm -rf /private/var/preferences/com.apple.networkextension.plist
rm -rf /private/var/preferences/com.apple.networkextensioncache.plist
rm -rf /private/var/preferences/com.apple.networkextension.necp.plist
killall -9 CommCenter
killall -9 SpringBoard
本文章引用https://www.touchsprite.com/d...、https://juejin.cn/post/684490...