What changes in a jailbroken kernel?

Question

Having seen this question on protecting your app from being cracked, I saw that the top answerer mentioned something about being able to see if a device was jailbroken by some internal imbalance in the kernel. Having looked into it a bit more, I discovered the Kernel Architecture Overview guide, and have knowledge of ways to interact with the Mach-BSD kernel. All I need to know is: What am I looking for? Is there some kind of key or internal state that changes when the device is jailbroken in the context of the kernel?

To be clear, I'm not looking for code (I know how to do these things myself), I'm looking for what to look for... As weird as that sounds. I've seen the answers in the linked questions, I know that they work, but I'm wondering about an all kernel route, which seems more of a generic and efficient way to check instead of searching for directories that might change or plist keys that might have different names.

I also don't intend to disable any functionality on the part of the app because of piracy (just show a message or something based on a condition).

Answer 1

All the "modern" kernel patches are based on comex's patches.

the main things which are being patched are:

• security.mac.proc_enforce
• cs_enforcement_disable (kernel and AMFI)
• PE_i_can_has_debugger
• vm_map_enter
• vm_map_protect
• …

Oh, and there are sandbox patches too. If you wanna read more about all these patches I suggest you take a look at iOS Hacker's Handbook.

Edit: I just came up with a simple idea to check if the device is jailbroken, but I'm not sure if Apple allows the use of these functions:

1. allocate some memory using mach_vm_allocate()

2. change the protection of that page via mach_vm_protect() to VM_PROT_READ | VM_PROT_EXECUTE | VM_PROT_COPY

3. Since the stock iOS doesn't allow VM_PROT_EXECUTE from inside your app this will fail, check the return value of mach_vm_protect(), when not jailbroken, but succeed if the device is jailbroken.

Answer 2

About a year ago, saurik wrote a comment on Hacker News with a list of the "'best practice' patches that jailbreaks install by default". I'd suggest reading that comment for all the details, but here is a preview of what he says (with lots of explanation that I snipped out):

1. AFC2: allows you to access, over USB, all of / as root instead of just /var/mobile/Media as mobile.

2. fstab / rw: makes / be mounted read-write.

3. fstab /var suid dev: allows setuid executables and device nodes on the user data partition.

4. codesign: allow code that has not been signed by anyone to execute.

5. codehash: allow processes with "corrupt" pages of code to execute.

6. rw->rx: supports changing a page of memory from writable to executable.

7. rwx: allows memory to be marked for write and execute at the same time.

8. sandbox: allow processes to access files that are outside of their sandbox based on Unix permissions rather than the normal sandbox rules.

9. crazeles: a ludicrously complicated hack by planetbeing that neuters the FairPlay DRM checks that cause iBooks to refuse to operate correctly on jailbroken devices.