Apple TV showcasing VPN feature via jailbroken tvOS

By: Kevin Bradley @nitoTV

While recently working on a new feature for Guardian Pro users, I had an epiphany moment that I could not pass up taking a moment to explore. The feature would grant the ability to generate extra VPN authentication credentials and share mobileconfig files from the iOS application (Guardian Firewall) to other platforms such as macOS. Of course, it got me thinking, why can’t this work on tvOS? For those of you that don’t know me, I have worked with and on multiple jailbreaks for the Apple TV platform for many years now. For a very long time, one of the most frequently requested features I’ve been asked to research is VPN functionality on tvOS. For no discernable reason, Apple has forbidden developers from providing VPN services to their Apple TV customers. However, those days will be coming to an end soon!

Initially, any feature or process described herein requires a jailbroken AppleTV, as seen in this short video.

Generally, when I’m trying to enable a feature that exists on iOS and is forbidden on tvOS, I do some investigation into how these services work on a jailbroken iPhone device. With a combination of class dumped headers, IDA/Hopper dumps, cycript & FLEX, I can usually get to the bottom of how a feature works with minimal effort. In this case, I did some logification with theos on a few chosen classes of the target, (i.e.: MCConfigurationProfile, MCVPNPayloadBase, NEVPNManager, etc.) while dropping a VPN profile onto the iPhone to see what kind of output I would get, in order to know where I needed to focus my attention.

At first, I tried to force tvOS to accept these profiles without any additional modification through Apple Configurator 2. I was immediately met by errors proclaiming I was doing something off-limits. After some digging around, I smoked out what needed to be done to get these profiles installed without error. Either way, Apple Configurator was likely to prevent the installation no matter what I did. So I used some previous knowledge of research regarding how to install mobileconfig profiles via code (it’s actually quite simple).

MCProfileConnection * share = [MCProfileConnection sharedConnection];
NSData *data = [NSData dataWithContentsOfURL:[NSURL URLWithString:@""]]
[share installProfileData: data outError: nil];

Easy peasy. A few extra entitlements are required to get this working, but otherwise, the installation process (with no user interaction or awareness mind you!) of mobileconfig profiles is astoundingly simple.

These profiles still take some effort to get working properly with a VPN connection, and while this proof of concept is now working, I still have a bit more work to do. I’ve found another workaround to get VPN working, but I can’t divulge all of the secrets on how we got this moving. Start to finish to figure out the process only took about a day, pretty exciting development! Stay tuned for more info.

Suffice it to say the video that accompanies this blog post showcases THREE different features that Apple will not allow on tvOS. (1) AirDropping files to the AppleTV (that’s how we send the mobileconfig), (2) VPN on AppleTV, and (3) a web browser on AppleTV. It’s a pleasure to continue to unlock these devices to their full potential. As usual, a jailbreak is required on the tvOS device to experience this breakthrough. Thankfully, these devices are jailbroken for life via checkra1n! So far this feature has only been tested on tvOS 13 & 14, but should work as far back as tvOS 11.

Join the privacy revolution for $124.99/year

Take back control of your privacy and network-connected devices.