add a readme

commit 1ab4a46705a8f7e891decb2880c5ab40970a10a5 1 parent 840664f
@comex authored
Showing with 29 additions and 1 deletion.
  1. +26 −0 README
  2. +2 −0  apply_patchfile.c
  3. +1 −1  pf2c.py
26 README
@@ -4,3 +4,29 @@ git clone git@github.com:comex/data.git
make NATIVE=1
./make_kernel_patchfile /path/to/kernelcache /tmp/patchfile
./apply_patchfile /path/to/kernelcache /tmp/patchfile /output/patched/kernelcache
+
+Patchfile format:
+
+field length
+--------------------
+namelen 4
+name namelen
+addr 4
+datalen 4
+data datalen
+
+- If you're patching the kernel after it has already booted, you can (but need not) skip patches with names starting with "-".
+
+- apply_patchfile patches the kernel to start /sbin/lunchd instead of launchd. You can remove that, but the idea is that the filesystem looks like this:
+
+/sbin/launchd: untether exploit that execs /sbin/lunchd
+/sbin/lunchd: a script that execs /sbin/launchd.real with DYLD_INSERT_LIBRARIES set to the dylibs in /Library/LaunchExtensions; this may be used in the future by MobileSubstrate
+/sbin/launchd.real: the original /sbin/launchd
+
+This is the lunchd script:
+
+ #!/bin/bash
+ shopt -s nullglob
+ dylibs=$(for dylib in /Library/LaunchExtensions/*.dylib; do echo -n "$dylib:"; done)
+ export DYLD_INSERT_LIBRARIES=${dylibs%:}
+ exec -a /sbin/launchd /sbin/launchd.real
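Review bot: the README documents only the "-" name prefix, while apply_patchfile.c in this same commit skips every patch whose name starts with "+" (its new comment says those only make sense once the kernel has booted, and pf2c.py now emits them), so both prefixes should be described together here, e.g. "-": needed only when patching the kernelcache file, may be skipped in place; "+": applied only in place, ignored by apply_patchfile. The format table should also state the byte order of the 4-byte namelen, addr and datalen fields; pf2c.py reads them with struct.unpack('I', ...), which is host-native, so say whether the file is little-endian or host-native.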
2  apply_patchfile.c
@@ -36,6 +36,8 @@ int main(int argc, char **argv) {
assert(read(patchfd, stuff, size) == (ssize_t) size);
if(addr == 0) goto skip;
+ // Patches starting with "+" only make sense to apply after the kernel has already booted.
+ // They may be in BSS.
if(name[0] == '+') goto skip;
if(argv[4] && !strcmp(argv[4], "-i")) {
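Review bot: name[0] is read before anything checks namelen, and the patchfile format allows namelen to be 0, so either reject zero-length names when reading the header or make sure name is always NUL-terminated before this compare. The new comment would also be clearer if it said why a "+" patch cannot be applied here: this tool rewrites the kernelcache on disk, and a BSS address has no bytes in the file to rewrite, so the only sensible place to apply it is in memory after boot. Separately, the read() on the context line above is wrapped in assert(); under NDEBUG the whole read disappears, so move the call out of the assert and check its return value explicitly.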
2  pf2c.py
@@ -22,7 +22,7 @@ def read(f, size):
sysent_patch_orig, = struct.unpack('I', data)
elif name == 'scratch':
scratch, = struct.unpack('I', data)
- if addr == 0 or len(data) == 0 or name.startswith('+'): # in place only
+ if addr == 0 or len(data) == 0:
continue
print '// %s' % name
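Review bot: dropping name.startswith('+') from the skip condition matches apply_patchfile.c now skipping "+" patches for the file case, but the removed "# in place only" comment was the only explanation of why this generator differs, so keep a comment stating that the emitted C runs in place after boot and therefore must include "+" patches. Two smaller points on the visible lines: struct.unpack('I', data) is host-native byte order and size, so prefer an explicit format such as '<I' (or '=I') if the patchfile is meant to be portable across hosts; and print '// %s' % name writes the patch name straight into generated C source, so a name containing a newline would end the comment early. Rejecting or escaping control characters in name keeps the generated file well-formed.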