commit e7b740283d8f32ab54bb51f124f94e9010f69d7c
Author: Launchcore
Date: Sun Nov 16 18:15:08 2025 +0800
Initial commit
diff --git a/.idea/.gitignore b/.idea/.gitignore
new file mode 100644
index 0000000..d2a1cc2
--- /dev/null
+++ b/.idea/.gitignore
@@ -0,0 +1,6 @@
+# 默认忽略的文件
+/shelf/
+/workspace.xml
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml
diff --git a/.idea/dataSources.xml b/.idea/dataSources.xml
new file mode 100644
index 0000000..d60d4ee
--- /dev/null
+++ b/.idea/dataSources.xml
@@ -0,0 +1,27 @@
+
+
+
+
+ sqlite.xerial
+ true
+ org.sqlite.JDBC
+ jdbc:sqlite:$PROJECT_DIR$/BLDatabaseManager.sqlite
+ $ProjectFileDir$
+
+
+ sqlite.xerial
+ true
+ org.sqlite.JDBC
+ jdbc:sqlite:$PROJECT_DIR$/downloads.28.sqlitedb
+ $ProjectFileDir$
+
+
+ file://$APPLICATION_CONFIG_DIR$/jdbc-drivers/Xerial SQLiteJDBC/3.45.1/org/xerial/sqlite-jdbc/3.45.1.0/sqlite-jdbc-3.45.1.0.jar
+
+
+ file://$APPLICATION_CONFIG_DIR$/jdbc-drivers/Xerial SQLiteJDBC/3.45.1/org/slf4j/slf4j-api/1.7.36/slf4j-api-1.7.36.jar
+
+
+
+
+
\ No newline at end of file
diff --git a/1.txt b/1.txt
new file mode 100644
index 0000000..d5586ae
--- /dev/null
+++ b/1.txt
@@ -0,0 +1 @@
+ACB0A0B8-C75D-445A-9B72-DF8605D649E5
\ No newline at end of file
diff --git a/BLDatabaseManager.sqlite b/BLDatabaseManager.sqlite
new file mode 100644
index 0000000..5faf8cb
Binary files /dev/null and b/BLDatabaseManager.sqlite differ
diff --git a/Downloads/downloads.28.sqlitedb b/Downloads/downloads.28.sqlitedb
new file mode 100644
index 0000000..b4f7039
Binary files /dev/null and b/Downloads/downloads.28.sqlitedb differ
diff --git a/Downloads/downloads.28.sqlitedb-shm b/Downloads/downloads.28.sqlitedb-shm
new file mode 100644
index 0000000..832d452
Binary files /dev/null and b/Downloads/downloads.28.sqlitedb-shm differ
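Review bot: The `.idea/.gitignore` hunk and the `.idea/dataSources.xml` hunk that follows it commit IDE-private configuration, and `dataSources.xml` pins machine-specific details (a JDBC driver located under `$APPLICATION_CONFIG_DIR$`, Xerial SQLiteJDBC 3.45.1) that nothing else in this commit appears to depend on. The usual fix is a single top-level `.gitignore` entry `.idea/` so the whole directory stays local, which also makes the nested `.idea/.gitignore` unnecessary. If the IDE configuration is kept on purpose, the README should say what it is for, since the two data-source entries only mirror the database files already committed alongside them.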
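Review bot: `1.txt` adds a single bare GUID (`ACB0A0B8-…`) with no filename or comment saying what it identifies or which of the other committed artifacts reads it, and the README does not mention the file at all. From the diff alone a reader cannot tell whether this value is a fixed part of the repository or something that has to be regenerated per installation. A descriptive filename plus one README line of the form `<filename> — <what this identifier is and where it is read>` would resolve this.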
diff --git a/Downloads/downloads.28.sqlitedb-wal b/Downloads/downloads.28.sqlitedb-wal
new file mode 100644
index 0000000..98b67b8
Binary files /dev/null and b/Downloads/downloads.28.sqlitedb-wal differ
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..d56b84e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,24 @@
+# bl_sbx
+## itunesstored & bookassetd Sandbox Escape
+
+This repository contains a proof-of-concept demonstrating how maliciously crafted `downloads.28.sqlitedb` and `BLDatabaseManager.sqlite` databases can escape the sandbox of **itunesstored** and **bookassetd** on iOS. By abusing their download mechanisms, the POC enables writing arbitrary `mobile`-owned files to restricted locations in `/private/var/`, including MobileGestalt cache files—allowing device modifications such as spoofing the device type.
+
+### Key Points
+- Compatible with iOS **26.2b1 and below** (tested on iPhone 12, iOS 26.0.1).
+- **Stage 1 (itunesstored):** Delivers a crafted `BLDatabaseManager.sqlite` to a writable container.
+- **Stage 2 (bookassetd):** Downloads attacker-controlled EPUB payloads to arbitrary file paths.
+- Writable paths include:
+ - `/private/var/containers/Shared/SystemGroup/.../Library/Caches/`
+ - `/private/var/mobile/Library/FairPlay/`
+ - `/private/var/mobile/Media/`
+- Demonstrates modifying `com.apple.MobileGestalt.plist` to validate successful exploitation.
+
+### Outcome
+iOS fails to block crafted download tasks, allowing unauthorized file writes unless the target path requires `root` ownership (or the fileowner is not `mobile`).
+
+**Check the blogpost for more information**
+
+### Disclaimer
+This project is for **educational purposes only**.
+Do **not** use it for illegal activities.
+Apple may patch this behavior at any time.
diff --git a/downloads.28.sqlitedb b/downloads.28.sqlitedb
new file mode 100644
index 0000000..7503e5a
Binary files /dev/null and b/downloads.28.sqlitedb differ
diff --git a/iPhone13,2_26.0.1_MobileGestalt.epub b/iPhone13,2_26.0.1_MobileGestalt.epub
new file mode 100644
index 0000000..ab64f84
Binary files /dev/null and b/iPhone13,2_26.0.1_MobileGestalt.epub differ
diff --git a/iTunesMetadata.plist b/iTunesMetadata.plist
new file mode 100644
index 0000000..0f10f89
Binary files /dev/null and b/iTunesMetadata.plist differ
diff --git a/miniserve-0.29.0.exe b/miniserve-0.29.0.exe
new file mode 100644
index 0000000..6cf6b10
Binary files /dev/null and b/miniserve-0.29.0.exe differ