Last active
May 12, 2024 20:41
-
-
Save kasnder/91a64a555e962d08cd05b52f7114b897 to your computer and use it in GitHub Desktop.
Grant the location permission to an iOS app. More permissions here: https://gist.github.com/kasnder/3eb32449512a4dba4a92949c8d337a92
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# Todo: This currently fails to replace an existing entry in the location permission database. Would be better add to the end of the clients.plist file. | |
# Usage:./grant_ios_location_permission.sh [bundleId] | |
# Example: ./grant_ios_location_permission.sh com.spotify.client | |
# Requirements: | |
# - iOS device with checkra1n jailbreak (tested on 14.8) | |
# - Installed `sqlite3` on iOS device from Cydia | |
# - iOS device plugged into computed and forwarded SSH port with `iproxy 2222 44` | |
# - Installed public ssh key on your device: `ssh-copy-id -p 2222 root@localhost` | |
if [ -z "$1" ]; then | |
echo "Please pass bundleId" | |
exit -1 | |
fi | |
# Get bundleId from argument (e.g. cn.DGNorya.Norya) | |
bundleId=$1 | |
# Create backup (-n makes sure to not overwrite existing backup) | |
ssh -T -p 2222 root@localhost "cp -n /private/var/root/Library/Caches/locationd/clients.plist ~/clients.backup.plist" | |
# Get path to executable from install logs | |
executable=`ssh -T -p 2222 root@localhost "cat /private/var/installd/Library/Logs/MobileInstallation/mobile_installation.log.* | grep 'Made container live for $bundleId at /private/var/containers/Bundle/Application/' | sort | tail -n1"` | |
executable=${executable##*Made container live for $bundleId at } | |
executable=`ssh -T -p 2222 root@localhost "find $executable/*.app/ -maxdepth 1 -perm -111 -type f -exec readlink -f {} \;"` | |
# Download binary plist file | |
scp -P 2222 root@localhost:/private/var/root/Library/Caches/locationd/clients.plist ./clients.old.plist | |
# Cleanup if exists | |
rm ./clients.new.xml || true | |
# Add to downloaded binary plist file | |
n=0 | |
echo "`plistutil -i ./clients.old.plist -o -`" | while read p ; do | |
echo "$p" >> ./clients.new.xml | |
if [[ "$p" =~ '<dict>' && $n = 0 ]]; then | |
echo "<key>$bundleId</key> | |
<dict> | |
<key>Authorization</key> | |
<integer>2</integer> | |
<key>BundleId</key> | |
<string>$bundleId</string> | |
<key>Executable</key> | |
<string>$executable</string> | |
<key>Registered</key> | |
<string>$executable</string> | |
<key>SupportedAuthorizationMask</key> | |
<integer>7</integer> | |
<key>Whitelisted</key> | |
<false/> | |
</dict>" >> ./clients.new.xml | |
n=1 | |
fi | |
done | |
# Convert plist back to binary | |
plistutil -i ./clients.new.xml -o ./clients.new.plist | |
echo "Created new clients configuration at ./clients.new.plist" | |
echo "Now copy this file to your device, as described here: https://kollnig.net/2022/01/app-research-circumventing-permissions/" | |
# Stop location service | |
#ssh -T -p 2222 root@localhost "launchctl unload /System/Library/LaunchDaemons/com.apple.locationd.plist" | |
#sleep 1 | |
# Copy over new plist file | |
#scp -P 2222 ./clients.new.plist /private/var/root/Library/Caches/locationd/clients.plist | |
# Start location service | |
#ssh -T -p 2222 root@localhost "launchctl load /System/Library/LaunchDaemons/com.apple.locationd.plist" | |
# Cleanup | |
#rm ./clients.new.plist |
Hm, locationd appends "com.apple.locationd.executable" ahead of executables and not apps?
Not sure! I think this is only aimed at regular apps. Other apps should have root access anyway?
Even with root access, locationd only allows access if they are in a .app
bundle
Much, much, MUCH experimentation later - I've come with a suitable solution, check it out here
Thanks again!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Should I expect this to work for cli apps? I was hoping this would allow me to access perms such as location through cli apps.
It doesn't seem to be working on ios 14 and locationManager.authorizationStatus remains restricted.
I know I'm doing it right as it allows me to bypass the prompt in an app.
I'm on 14.4, fugu14.