Some of you may think that because Apple has been adding lots of features, the jailbreaking scene is dead. On the contrary, today’s release, though not a full-fledged jailbreak (and still in beta), shows that tinkerers still want to get into places they were told they can’t go. We’ll explain what Houdini does, what it doesn’t do yet (for example, it runs on all 10.x versions except 10.3.3), and how to get it on your device. Let’s dive right in!
So what is Houdini if it’s not technically a jailbreak?
‘It’s a proof-of-concept tool that utilizes just a privilege escalation (root) exploit to mimic some jailbreak functionalities.’
How does this work?
‘Unlike a full jailbreak, we do not have / mounted as RW. In this case, there isn’t much for us to do. That’s where Houdini’s magic comes into play. Houdini uses launchd’s task port (root) to perform a long list of workarounds by reading and editing/overwriting certain files in /var and eventually mimics a “semi-jailbroken” experience.

Once Houdini runs, it will also run a daemon, jailbreakd, that makes sure Houdini has the root task port at all times. Please note that jailbreakd has been disabled in alpha due to some issues along with battery drainage :/

While it is technically possible to inject user-installed apps with code and then pass the privileged port using jailbreakd, it will require a lot of work since the injected code needs to have a valid signature. There might be a way to improve triple_fetch’s amfid patch, but that will take a lot of work.

Another possible method (the hard way) is to pre-bundle code that works with jailbreakd and sideload the app. Once the user runs the app, the bundled dylib will wait for jailbreakd to pass the privileged task port, and from there you can tweak the app itself.

To clarify, the method above won’t work on system apps (such as SpringBoard).’
But what can this do?
- ‘Theme user-installed apps
- Hide/rename user-installed apps’ labels
- Add Cydia sources and install themes
- Clean all apps’ cache
- Change the device’s display resolution
- Hide/rename 3D Touch icons’ shortcuts
- Edit Siri’s suggestions list
- Theme the passcode keypad (iOS 11 style or custom pictures)
- Colorize and resize icon badges
- Theme Control Center icons and sliders
- Theme Lock Screen ‘Music Control’ icons’
Here’s a demonstration of Houdini in action.
How do I run this?
- ‘Download the .ipa file and Cydia Impactor
- Open Cydia Impactor and connect your device
- Drag the Houdini.ipa file onto the Cydia Impactor window
- Enter your Apple ID (email and password). Ignore any PLIST_STRING errors.
- Open Settings → General → Profiles & Device Management
- Trust the new certificate → open Houdini
- Tap ‘start’ and enjoy! (Note: this might fail a couple of times at escaping the sandbox)’
Here are some things to note and be aware of!
‘Milkshake and Aspect are the only themes that have been tested at the moment. Unfortunately, the other free themes I tried were using the LZMA compression method, and I haven’t had the chance yet to add support for that.
Also, you cannot install paid themes. But you can paste the direct download link into Houdini’s “Download .deb” feature and it’ll apply the theme for you.
Adding some sources might not work. I have to work on improving it.
Direct link to Aspect theme by @UnixDesign: https://www.dropbox.com/s/6loq5feciet93my/aspect_theme.deb?dl=1
(use download .deb option to apply this theme)
This can potentially run on future versions of iOS when we have a priv escalation exploit. Also, let’s hope Apple doesn’t “patch/change” the workarounds Houdini is doing.
Edit: if you want to go back to stock iOS, set all the utilities back to ‘Original’ and then reset theme.’
Stay tuned here on Hackinformer.com for more reviews and follow us on Twitter @Hackinformer
If you like the author’s work follow him on Twitter @V1RACY