comex edited this page Oct 19, 2010 · 1 revision

Related to this thing.

To get the iPhone to show up as a USB device, the device-side USB controller has to be configured from userland after boot. restored_external does this on the restore ramdisk and a SystemConfiguration component does it on the regular filesystem, but nothing does it in the redsn0w ramdisk, so a program started from there is not reachable over USB at all until something performs the same setup.

If you modify the 'jailbreak' binary in the redsn0w ramdisk to run this and then exec whatever, you can start accepting TCP connections. Note that whatever you exec is then reachable from the USB host (presumably via usbmuxd-style forwarding onto the loopback address set up in init_tcp below), and nothing on the ramdisk authenticates that peer — only listen for what you actually intend to expose.

#include <CoreFoundation/CoreFoundation.h>
#include <AvailabilityMacros.h>
#define MAC_OS_X_VERSION_MIN_REQUIRED MAC_OS_X_VERSION_10_5
#include "IOUSBDeviceControllerLib.h"
#include <IOKit/IOCFPlugIn.h>
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <net/if.h>
#include <netinet/in.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/sockio.h>
#define kIOSomethingPluginID CFUUIDGetConstantUUIDWithBytes(NULL, \
    0x9E, 0x72, 0x21, 0x7E, 0x8A, 0x60, 0x11, 0xDB, \
    0xBF, 0x57, 0x00, 0x0D, 0x93, 0x6D, 0x06, 0xD2)
#define kIOWhatTheFuckID CFUUIDGetConstantUUIDWithBytes(NULL, \
    0xEA, 0x33, 0xBA, 0x4F, 0x8A, 0x60, 0x11, 0xDB, \
    0x84, 0xDB, 0x00, 0x0D, 0x93, 0x6D, 0x06, 0xD2)

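/*
 * Abort with a diagnostic unless `ret` is kIOReturnSuccess (0).
 *
 * The original used assert() around calls with side effects; under NDEBUG
 * those calls would be compiled out entirely and the USB controller would
 * never be configured. Checking explicitly keeps the calls unconditional.
 */
static void usb_must_succeed(IOReturn ret, const char *what) {
    if (ret != 0) {
        fprintf(stderr, "init_usb: %s failed: 0x%x\n", what, (unsigned) ret);
        abort();
    }
}

/*
 * Configure the device-side USB controller so the phone enumerates on the
 * host, then locate the IOUSBDeviceInterface backing the PTP function and
 * poke it through its raw function table.
 *
 * Runs once at ramdisk start-up; every failure is fatal (abort()) because
 * nothing that follows is useful without USB. Blocks until the matching
 * service appears, polling once per second.
 */
void init_usb() {
    IOUSBDeviceDescriptionRef desc = IOUSBDeviceDescriptionCreateFromDefaults(NULL);
    if (!desc) {
        fprintf(stderr, "init_usb: IOUSBDeviceDescriptionCreateFromDefaults returned NULL\n");
        abort();
    }
    /* Serial string the host will see; cosmetic only. */
    IOUSBDeviceDescriptionSetSerialString(desc, CFSTR("blah"));

    IOUSBDeviceControllerRef controller;
    usb_must_succeed(IOUSBDeviceControllerCreate(NULL, &controller),
                     "IOUSBDeviceControllerCreate");
    usb_must_succeed(IOUSBDeviceControllerSetDescription(controller, desc),
                     "IOUSBDeviceControllerSetDescription");
    /* NOTE(review): desc and controller are intentionally not released. The
     * ownership rules of this private API are not visible here, and for a
     * one-shot init a small leak is safer than a possible use-after-free. */

    /* Match the IOUSBDeviceInterface whose USBDeviceFunction property is "PTP". */
    CFMutableDictionaryRef match = IOServiceMatching("IOUSBDeviceInterface");
    if (!match) {
        fprintf(stderr, "init_usb: IOServiceMatching returned NULL\n");
        abort();
    }
    CFMutableDictionaryRef props = CFDictionaryCreateMutable(
        NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
    CFDictionarySetValue(props, CFSTR("USBDeviceFunction"), CFSTR("PTP"));
    CFDictionarySetValue(match, CFSTR("IOPropertyMatch"), props);
    CFRelease(props); /* `match` holds its own reference to it now */

    io_service_t service;
    for (;;) {
        /* IOServiceGetMatchingService consumes one reference to the matching
         * dictionary on every call, hit or miss. Without this CFRetain the
         * second poll would pass an already-freed dictionary. */
        CFRetain(match);
        service = IOServiceGetMatchingService(kIOMasterPortDefault, match);
        if (service)
            break;
        printf("Didn't find, trying again\n");
        sleep(1);
    }
    CFRelease(match);

    IOCFPlugInInterface **plugin;
    SInt32 score;
    printf("123\n");
    usb_must_succeed(IOCreatePlugInInterfaceForService(
                         service,
                         kIOSomethingPluginID,
                         kIOCFPlugInInterfaceID,
                         &plugin,
                         &score),
                     "IOCreatePlugInInterfaceForService");
    /* The plug-in keeps whatever it needs from the service; drop our port right. */
    IOObjectRelease(service);

    void *dev;
    usb_must_succeed((IOReturn) (*plugin)->QueryInterface(
                         plugin, CFUUIDGetUUIDBytes(kIOWhatTheFuckID), &dev),
                     "QueryInterface");

    /* Call into the interface by raw function-table slot. The slot numbers
     * are byte offsets divided by the 32-bit pointer size, and calling
     * through a (void *, ...) prototype relies on the ARM32 ABI passing fixed
     * and variadic integer arguments identically. Neither holds on arm64 —
     * TODO confirm before reusing on a 64-bit device. The entry points' real
     * names are not known here (the header is not public); the argument
     * values are reproduced from the original. */
    IOReturn (**table)(void *, ...) = *((void **) dev);
    usb_must_succeed(table[0x10/4](dev, 0), "slot 0x10");
    usb_must_succeed(table[0x2c/4](dev, 0xff, 0), "slot 0x2c");
    usb_must_succeed(table[0x30/4](dev, 0x50, 0), "slot 0x30");
    usb_must_succeed(table[0x34/4](dev, 0x43, 0), "slot 0x34");
    usb_must_succeed(table[0x44/4](dev, 0), "slot 0x44");
    IODestroyPlugInInterface(plugin);
    /* Slot 0x14 was tried by the original author and left disabled:
     *   table[0x14/4](dev, 0);
     * `dev` itself is deliberately never released so the configured
     * interface stays alive for the process that is exec'd next. */
}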

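/*
 * Bring lo0 up and assign it 127.0.0.1/8 so programs exec'd afterwards can
 * bind and connect over TCP on the ramdisk, where no networking daemon has
 * done this. Adapted from launchd.
 *
 * Returns silently if no datagram socket can be opened (as the original
 * did); any ioctl or close failure is reported with perror() and is fatal.
 * The checks are explicit rather than assert()s so the ioctls themselves
 * are not compiled out under NDEBUG.
 */
void init_tcp() {
    struct ifaliasreq alias;
    struct ifreq req;
    int sock;

    if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
        return;

    memset(&req, 0, sizeof(req));
    snprintf(req.ifr_name, sizeof(req.ifr_name), "%s", "lo0");

    /* Set IFF_UP while preserving the interface's other flags. If the flags
     * cannot be read at all, fall through and still try to add the address,
     * matching the original behaviour. */
    if (ioctl(sock, SIOCGIFFLAGS, &req) != -1) {
        req.ifr_flags |= IFF_UP;
        if (ioctl(sock, SIOCSIFFLAGS, &req) == -1) {
            perror("init_tcp: SIOCSIFFLAGS lo0");
            abort();
        }
    }

    memset(&alias, 0, sizeof(alias));
    snprintf(alias.ifra_name, sizeof(alias.ifra_name), "%s", "lo0");

    struct sockaddr_in *addr = (struct sockaddr_in *) &alias.ifra_addr;
    struct sockaddr_in *mask = (struct sockaddr_in *) &alias.ifra_mask;
    addr->sin_len = sizeof(*addr);
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* 127.0.0.1 */
    mask->sin_len = sizeof(*mask);
    mask->sin_family = AF_INET;
    mask->sin_addr.s_addr = htonl(IN_CLASSA_NET);   /* 255.0.0.0 */

    if (ioctl(sock, SIOCAIFADDR, &alias) == -1) {
        perror("init_tcp: SIOCAIFADDR lo0");
        abort();
    }

    if (close(sock) != 0) {
        perror("init_tcp: close");
        abort();
    }
}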