The following write-up corresponds to the hash I posted here.

I will also be publishing a better write-up in the coming days. Lastly, the contents of the following write-up are under the CC-BY-SA 2.0. You're welcome to use this for whatever you wish, as long as you give credit in a end-user accessible manner, and include a link back to this post if you can (I know you can).

Remounting the root filesystem R/W on 11.2.6+
=============================================

1. APFS.kext reverts to a snapshot derived from the boot manifest hash on
   every boot.

2. There are no integrity checks on the snapshot, except that it can't be
   deleted after boot.

3. We can rename the snapshot to whatever we please and setup a new snapshot
   with our data. As long as the new snapshot's name matches the old, iOS will
   boot from it just fine.

Thanks
======

I'd like to thank the following people and organizations, in no particular
order:

- Coolstar and Nullpixel from the Electra team
- Siguza
- Viktor Oreshkin (@stek29)
- @Pwn20wnd
- Corellium (while I don't have an account there, their VMs are pretty dope.
Won't hesitate selling a kidney to get one.)
- AppTapp, Inc. for letting me stop working on Meteorite for the past few weeks.

and pretty much everyone else in #developer-backroom for putting up with me.

Cheers!

=================
Umang Raghuvanshi
[email protected]
GitHub: ur0, Twitter: @umanghere

I'd also like to thank @PsychoTea, who I forgot to include above.

TLDR?

We replace Apple's read only copy of the disk with our own. Beep boop.

Why are you burning this?

This builds upon the excellent work by @SparkZheng and @bxl1989, and the ability to write to / is required to make it work. There is little use of saving this for iOS 12 as the original workaround is long gone (also, I have a few other things in store for iOS 12).

Why release this now and not with Electra/LiberiOS/whatever?

It's pretty rare for the community to have multiple functional jailbreaks at a moment and it'd be unfair of me to selfishly keep this to myself just to ensure that any particular one rolls out first.

Show me the code!

Here's @Pwn20wned's implementation of the exploit: https://github.com/pwn20wndstuff/iOS-Apfs-Persistence-Exploit/blob/master/main.c I've verified it personally, and it works as expected.

I have a question!

I'd love to answer it, as long as it's more on the technical side of things. You can DM me on Twitter or PM me on Reddit. If you need to mail me, please send it here. Doing any of this means that I'll be able to get to you instead of having to wade through an already full inbox.