First commit

.gitignore

@@ -0,0 +1,12 @@
+*.db
+*.cache
+*.swp
+headers
+f
+out
+config.cflags
+config.json
+.ran_zero
+outpad
+gvalue.txt
+gvalue2.txt

Makefile

@@ -0,0 +1,22 @@
+all: 
+	make -C misc essential
+	make -C dsc
+	make -C install
+	make -C installui
+	make -C sandbox
+	make -C goo
+	make -C cff
+
+clean:
+	rm -rf staged
+	make -C install clean
+	make -C installui clean
+	make -C misc clean
+	make -C cff clean
+	make -C dsc clean
+	make -C goo clean
+	make -C sandbox clean
+
+distclean:
+	make clean
+	rm -f config/config.cflags config/config.json config/config*cache

README

@@ -0,0 +1,14 @@
+- Not documented at all.
+- To compile:
+1. Make sure you have MacPorts installed, and python26, plus fuse if you want to compile dsc.c (which isn't necessary).
+2. Copy stuff into bs/, e.g.
+bs/iPhone2,1_4.0.1
+bs/iPhone2,1_4.0.1/cache
+bs/iPhone2,1_4.0.1/kern
+bs/iPhone2,1_4.0.1/launchd
+
+where cache is /System/Library/Caches/com.apple.dyld/dyld_shared_cache_armv[67], launchd is /sbin/launchd, and kern is the decrypted kernel.  Note that you can get 'kern' on platforms like the iPhone 4 where we don't have keys yet by using /dev/kmem and bs/unload.py, but there's a chance the kernel already overwrote __LINKEDIT with crap.
+
+3. config/config.py iPhone2,1_4.0.1
+4. make
+5. look at cff/out.pdf

bs/unload.py

@@ -0,0 +1,27 @@
+# Turn a memory dump into something like the original Mach-O file (containing segments at the right location)
+# Usage: python unload.py input-dump starting-address-of-input-dump output
+# You can get input-dump by dd-ing from /dev/kmem starting at either c0000001 or 80000001 (or something around there)
+import sys, struct
+f = open(sys.argv[1], 'rb')
+addy = int(sys.argv[2], 16)
+g = open(sys.argv[3], 'wb')
+f.seek(0x1000 - (addy & 0xfff))
+assert f.read(4) == '\xce\xfa\xed\xfe'
+cputype, cpusubtype, \
+filetype, ncmds, sizeofcmds, flags = struct.unpack('IIIIII', f.read(24))
+for ci in xrange(ncmds):
+    z = f.tell() 
+    cmd, cmdsize = struct.unpack('II', f.read(8))
+    if cmd == 1: # LC_SEGMENT
+        segname = f.read(16)
+        vmaddr, vmsize, fileoff, filesize = struct.unpack('IIII', f.read(16))
+        print segname, hex(vmaddr), hex(fileoff), hex(filesize)
+        if vmaddr >= addy:
+            f.seek(vmaddr - addy)
+            g.seek(fileoff)
+            g.write(f.read(filesize))
+        else:
+            print 'fail'
+    f.seek(z + cmdsize)
+f.close()
+g.close()

cff/Makefile

@@ -0,0 +1,7 @@
+all: out.pdf
+out.pdf: out.cff mkpdf.py
+	python mkpdf.py
+out.cff: stage1.txt stage2.txt outcff.py
+	python outcff.py || rm -f out.cff
+clean:
+	rm -f out.cff out.pdf gvalue[12].txt stage[12].txt *.o *.bin

cff/cff.py

@@ -0,0 +1,244 @@
+import struct, sys
+from cStringIO import StringIO
+class vfile:
+    def __init__(self, f):
+        self.f = f
+        self.off = f.tell()
+    def seek(self, x, y=0):
+        if y == 1:
+            self.off += x 
+        else:
+            self.off = x
+    def read(self, x):
+        old = self.f.tell()
+        self.f.seek(self.off)
+        ret = self.f.read(x)
+        self.off += x
+        self.f.seek(old)
+        return ret
+    def tell(self):
+        return self.off
+def rb(f):
+    try:
+        return ord(f.read(1))
+    except TypeError:   
+        return None
+def rh(f):
+    return struct.unpack('>H', f.read(2))[0]
+def rw(f):
+    return struct.unpack('>I', f.read(4))[0]
+
+def read_off(offsize, f):
+    s = '\0' * (4 - offsize) + f.read(offsize)
+    return struct.unpack('>I', s)[0]
+
+def read_realop(f):
+    def i():
+        while True:
+            byte = rb(f)
+            yield (byte >> 4)
+            yield (byte & 0xf)
+    s = ''
+    for nib in i():
+        if 0 <= nib <= 9:
+            s += str(nib)
+        elif nib == 0xa:
+            s += '.'
+        elif nib == 0xb:
+            s += 'E'
+        elif nib == 0xc:
+            s += 'E-'
+        elif nib == 0xd:
+            raise ValueError(nib)
+        elif nib == 0xe:
+            s += '-'
+        elif nib == 0xf:
+            return s
+
+def read_intop(f):
+    b0 = rb(f)
+    if 32 <= b0 <= 246:
+        return b0-139
+    elif 247 <= b0 <= 250:
+        b1 = rb(f)
+        return (b0-247)*256 + b1 + 108
+    elif 251 <= b0 <= 254:
+        b1 = rb(f)
+        return -(b0-251)*256 - b1 - 108
+    elif b0 == 28:
+        return rh(f)
+    elif b0 == 29:
+        return rw(f)
+    elif b0 == 30:
+        return read_realop(f)
+    elif b0 == 255:
+        return float(struct.unpack('>i', f.read(4))[0]) / 65536
+    else:
+        raise ValueError(b0)
+
+def read_index(f):
+    count = rh(f)
+    if count == 0:
+        return []
+    offsize = rb(f)
+    offbase = f.tell() + offsize*(count+1) - 1
+    offs = vfile(f)
+    offs = [read_off(offsize, offs) for i in xrange(count+1)]
+    data = []
+    for i in xrange(count):
+        f.seek(offs[i] + offbase)
+        data.append(f.read(offs[i+1] - offs[i]))
+    f.seek(offs[count] + offbase)
+    return data
+
+def read_dict(f):
+    opnds = []
+    ret = []
+    while True:
+        b0 = rb(f)
+        if b0 is None: break
+        if b0 <= 21:
+            if b0 == 12:
+                op = (b0, rb(f))
+            else:
+                op = b0
+            ret.append((op, opnds[0] if len(opnds) == 1 else tuple(opnds)))
+            opnds = []
+        else:
+            f.seek(-1, 1)
+            op = read_intop(f)
+            opnds.append(op)
+    return ret
+
+def read_csop(f):
+    b0 = rb(f)
+    if b0 is None:
+        return None
+    elif b0 == 12:
+        b1 = rb(f)
+        return tbops[b1]
+    elif 0 <= b0 <= 11 or 13 <= b0 <= 18 or 19 <= b0 <= 20 or 21 <= b0 <= 27 or 29 <= b0 <= 31:
+        return ops[b0]
+    else:
+        f.seek(-1, 1)
+        return read_intop(f)
+
+ops = {
+    0: '0??',
+    1: 'hstem',
+    2: '2??',
+    3: 'vstem',
+    4: 'vmoveto',
+    5: 'rlineto',
+    6: 'hlineto',
+    7: 'vlineto',
+    8: 'rrcurveto',
+    9: '9??',
+    10:'callsubr',
+    11:'return',
+    13:'13??',
+    14:'endchar',
+    15:'15??',
+    16:'16??',
+    17:'17??',
+    18:'hstemhm',
+    19:'hintmask',
+    20:'cntrmask',
+    21:'rmoveto',
+    22:'hmoveto',
+    23:'vstemhm',
+    24:'rcurveline',
+    25:'rlinecurve',
+    26:'vvcurveto',
+    27:'hhcurveto',
+    29:'callgsubr',
+    30:'vhcurveto',
+    31:'hvcurveto',
+}
+tbops = {
+    0: 'dotsection',
+    3: 'and',
+    4: 'or',
+    5: 'not',
+    9: 'abs',
+    10:'add',
+    11:'sub',
+    12:'div',
+    14:'neg',
+    15:'eq',
+    18:'drop',
+    20:'put',
+    21:'get',
+    22:'ifelse',
+    23:'random',
+    24:'mul',
+    26:'sqrt',
+    27:'dup',
+    28:'exch',
+    29:'index',
+    30:'roll',
+    34:'hflex',
+    35:'flex',
+    36:'hflex1',
+    37:'flex1',
+
+}
+
+def read_cs(f):
+    while True:
+        dec = read_csop(f)
+        print dec,
+        if dec == 'endchar' or dec is None:
+            print
+            break
+        elif type(dec) == str:
+            print
+
+
+
+
+def read_cff(f):
+    # Header
+    major = rb(f)
+    minor = rb(f)
+    hdrsize = rb(f)
+    absoffsize = rb(f)
+
+    names = read_index(f)
+    print 'Fonts:', names
+
+    topdicts = [read_dict(StringIO(x)) for x in read_index(f)]
+
+    strings = read_index(f)
+    print 'Strings:', strings
+
+    for font in topdicts:
+        print '--font--'
+        font = dict(font)
+        print font
+        for i in (0, 1, 2, 3, 4):
+            print 'font[%d]:' % i,
+            x = font.get(i)
+            if x is None: 
+                print 'notdef'
+            elif x > 390:
+                print strings[x - 391]
+            else:
+                print '<standard: %d>' % x
+
+        #encoding_off = font[16]
+        #charset_off = font[15]
+        charstring_off = font[17]
+        private_off = font[18]
+        charstringtype = font.get((12, 6), 2)
+        if charstringtype == 2:
+            f.seek(charstring_off)
+            for charstring in read_index(f):
+                g = vfile(f)
+                g.seek(0)
+                print g.read(10485760).find(charstring)
+                print '-'*80
+                read_cs(StringIO(charstring))
+            #print read_cs(g)
+
+read_cff(open(sys.argv[1]))

cff/mkpdf.py

@@ -0,0 +1,7 @@
+import zlib
+u = open('out.cff').read()
+z = zlib.compress(u)
+pdf = open('out.pdf.template').read()
+pdf = pdf.replace('XXX', z).replace('YYY', str(len(z)))#'x\x01' + z)#[2:-4]
+open('out.pdf', 'w').write(pdf)
+