Showing
100 changed files
with
3,943 additions
and
0 deletions.
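--- a/LICENSE
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 Pwn20wnd
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.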
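--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,15 @@
+ARCHS ?= arm64 arm64e
+target ?= iphone:latest:11.0
+CFLAGS = -Iinclude
+GO_EASY_ON_ME=1
+FINALPACKAGE=1
+include $(THEOS)/makefiles/common.mk
+
+TOOL_NAME = inject
+inject_CODESIGN_FLAGS = -Sentitlements.xml
+inject_CFLAGS += -I. -I./patchfinder64 -I./kernel_call -Wno-unused-variable -Wno-unused-function -Wno-unused-label
+inject_LIBRARIES = mis
+inject_FRAMEWORKS = Foundation CoreFoundation IOKit Security
+inject_FILES = main.m inject.m patchfinder64/patchfinder64.c kern_funcs.c kernel_call/kc_parameters.c kernel_call/kernel_alloc.c kernel_call/kernel_call.c kernel_call/kernel_memory.c kernel_call/kernel_slide.c kernel_call/log.c kernel_call/pac.c kernel_call/parameters.c kernel_call/platform_match.c kernel_call/platform.c kernel_call/user_client.c
+
+include $(THEOS_MAKE_PATH)/tool.mk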
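--- a/entitlements.xml
+++ b/entitlements.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>com.apple.system-task-ports</key>
+<true/>
+<key>task_for_pid-allow</key>
+<true/>
+<key>platform-application</key>
+<true/>
+</dict>
+</plist>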
@@ -0,0 +1,70 @@ | ||
#ifndef kmem_h | ||
#define kmem_h | ||
|
||
#include <mach/mach.h> | ||
|
||
/***** mach_vm.h *****/ | ||
kern_return_t mach_vm_read( | ||
vm_map_t target_task, | ||
mach_vm_address_t address, | ||
mach_vm_size_t size, | ||
vm_offset_t *data, | ||
mach_msg_type_number_t *dataCnt); | ||
|
||
kern_return_t mach_vm_write( | ||
vm_map_t target_task, | ||
mach_vm_address_t address, | ||
vm_offset_t data, | ||
mach_msg_type_number_t dataCnt); | ||
|
||
kern_return_t mach_vm_read_overwrite( | ||
vm_map_t target_task, | ||
mach_vm_address_t address, | ||
mach_vm_size_t size, | ||
mach_vm_address_t data, | ||
mach_vm_size_t *outsize); | ||
|
||
kern_return_t mach_vm_allocate( | ||
vm_map_t target, | ||
mach_vm_address_t *address, | ||
mach_vm_size_t size, | ||
int flags); | ||
|
||
kern_return_t mach_vm_deallocate ( | ||
vm_map_t target, | ||
mach_vm_address_t address, | ||
mach_vm_size_t size); | ||
|
||
kern_return_t mach_vm_protect ( | ||
vm_map_t target_task, | ||
mach_vm_address_t address, | ||
mach_vm_size_t size, | ||
boolean_t set_maximum, | ||
vm_prot_t new_protection); | ||
|
||
uint32_t rk32(uint64_t kaddr); | ||
uint64_t rk64(uint64_t kaddr); | ||
|
||
void wk32(uint64_t kaddr, uint32_t val); | ||
void wk64(uint64_t kaddr, uint64_t val); | ||
|
||
void wkbuffer(uint64_t kaddr, void* buffer, uint32_t length); | ||
void rkbuffer(uint64_t kaddr, void* buffer, uint32_t length); | ||
|
||
void kmemcpy(uint64_t dest, uint64_t src, uint32_t length); | ||
|
||
void kmem_protect(uint64_t kaddr, uint32_t size, int prot); | ||
|
||
uint64_t kmem_alloc(uint64_t size); | ||
uint64_t kmem_alloc_wired(uint64_t size); | ||
void kmem_free(uint64_t kaddr, uint64_t size); | ||
|
||
void prepare_rk_via_kmem_read_port(mach_port_t port); | ||
void prepare_rwk_via_tfp0(mach_port_t port); | ||
void prepare_for_rw_with_fake_tfp0(mach_port_t fake_tfp0); | ||
|
||
// query whether kmem read or write is present | ||
int have_kmem_read(void); | ||
int have_kmem_write(void); | ||
|
||
#endif |
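Review bot: rk32 and rk64 are declared with no way for a caller to tell a failed read from a read of a genuine zero; as implemented in kern_funcs.c in this same commit they return 0 whenever kread delivers fewer bytes than requested, so code walking kernel structures with them cannot distinguish a NULL pointer field from an unreadable address. That contract belongs in this header, next to the declarations: `// rk32/rk64 return 0 both on a failed read and for a genuine zero value; use rkbuffer/kread when the distinction matters.` The mach_vm_* prototypes are hand-declared here rather than pulled from <mach/mach_vm.h>, presumably because the iOS SDK does not ship that header; a one-line comment saying so would stop the next reader from "fixing" it by adding the include. have_kmem_read/have_kmem_write and the prepare_* functions are declared here but their implementations are not on this page, so their semantics are not reviewable from this hunk.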
@@ -0,0 +1,5 @@ | ||
#ifndef _TRAV_H | ||
#define _TRAV_H | ||
#include <sys/time.h> | ||
#include "../async_wake_ios/async_wake_ios/libjb.h" | ||
#endif |
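--- a/inject.h
+++ b/inject.h
@@ -0,0 +1,17 @@
+/*
+ * inject.h
+ *
+ * Created by Sam Bingner on 9/27/2018
+ * Copyright 2018 Sam Bingner. All Rights Reserved.
+ *
+ */
+
+#ifndef _INJECT_H_
+#define _INJECT_H_
+#include <Foundation/Foundation.h>
+
+NSString *cdhashFor(NSString *file);
+int injectTrustCache(NSArray <NSString*> *files, uint64_t trust_chain, int (*pmap_load_trust_cache)(uint64_t, size_t));
+bool isInAMFIStaticCache(NSString *path);
+
+#endif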
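Review bot: injectTrustCache's contract is undocumented at its only declaration: what `trust_chain` is (a kernel address, judging by the uint64_t and by the `pmap_load_trust_cache` callback taking a kernel address and a length), what the int return means, and whether `files` may contain paths already present in the cache. The implementation is not on this page, so I cannot state the return semantics myself; the author should add a comment of the form `// Injects the cdhashes of `files` into the kernel trust cache rooted at trust_chain; returns <what> on success and <what> on failure.` with the placeholders filled in from inject.m. cdhashFor returning nil on failure (if it does) should be stated too, since callers will pass the result straight into the injection path.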
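--- a/kern_funcs.c
+++ b/kern_funcs.c
@@ -0,0 +1,153 @@
+#include <sys/snapshot.h>
+#include <dlfcn.h>
+#include <sys/stat.h>
+#include <sys/mount.h>
+#include <copyfile.h>
+#include <spawn.h>
+#include <sys/utsname.h>
+#include <unistd.h>
+#include <libgen.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <dirent.h>
+#include <sys/sysctl.h>
+#include <mach-o/dyld.h>
+#include <sys/mman.h>
+#include <sys/param.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <mach/mach.h>
+#include "patchfinder64.h"
+#include <kmem.h>
+#include "CSCommon.h"
+#include "kern_funcs.h"
+#include "kernel_call.h"
+#include "parameters.h"
+#include "kc_parameters.h"
+#include "kernel_memory.h"
+
+offsets_t offs;
+uint64_t kernel_base;
+static mach_port_t tfp0=MACH_PORT_NULL;
+size_t kread(uint64_t where, void *p, size_t size);
+size_t kwrite(uint64_t where, const void *p, size_t size);
+
+void set_tfp0(mach_port_t port) {
+tfp0 = port;
+}
+
+void wk32(uint64_t kaddr, uint32_t val) {
+kwrite(kaddr, &val, sizeof(uint32_t));
+}
+
+void wk64(uint64_t kaddr, uint64_t val) {
+kwrite(kaddr, &val, sizeof(uint64_t));
+}
+
+uint32_t rk32(uint64_t kaddr) {
+uint32_t val = 0;
+
+if (kread(kaddr, &val, sizeof(val)) != sizeof(val)) {
+return 0;
+}
+return val;
+}
+
+uint64_t rk64(uint64_t kaddr) {
+uint64_t val = 0;
+
+if (kread(kaddr, &val, sizeof(val)) != sizeof(val)) {
+return 0;
+}
+return val;
+}
+
+uint64_t kmem_alloc(uint64_t size) {
+if (tfp0 == MACH_PORT_NULL) {
+printf("attempt to allocate kernel memory before any kernel memory write primitives available\n");
+sleep(3);
+return 0;
+}
+
+kern_return_t err;
+mach_vm_address_t addr = 0;
+mach_vm_size_t ksize = round_page_kernel(size);
+err = mach_vm_allocate(tfp0, &addr, ksize, VM_FLAGS_ANYWHERE);
+if (err != KERN_SUCCESS) {
+printf("unable to allocate kernel memory via tfp0: %s %x\n", mach_error_string(err), err);
+sleep(3);
+return 0;
+}
+return addr;
+}
+
+size_t kread(uint64_t where, void *p, size_t size)
+{
+int rv;
+size_t offset = 0;
+while (offset < size) {
+mach_vm_size_t sz, chunk = 2048;
+if (chunk > size - offset) {
+chunk = size - offset;
+}
+rv = mach_vm_read_overwrite(tfp0, where + offset, chunk, (mach_vm_address_t)p + offset, &sz);
+if (rv || sz == 0) {
+fprintf(stderr, "[e] error reading kernel @%p\n", (void *)(offset + where));
+break;
+}
+offset += sz;
+}
+return offset;
+}
+
+size_t kwrite(uint64_t where, const void *p, size_t size)
+{
+int rv;
+size_t offset = 0;
+
+if (tfp0 == MACH_PORT_NULL) {
+printf("attempt to write to kernel memory before any kernel memory write primitives available\n");
+sleep(3);
+return offset;
+}
+
+while (offset < size) {
+size_t chunk = 2048;
+if (chunk > size - offset) {
+chunk = size - offset;
+}
+rv = mach_vm_write(tfp0, where + offset, (mach_vm_offset_t)p + offset, (mach_msg_type_number_t)chunk);
+if (rv) {
+fprintf(stderr, "[e] error writing kernel @%p\n", (void *)(offset + where));
+break;
+}
+offset += chunk;
+}
+return offset;
+}
+
+uint64_t task_self_addr() {
+uint64_t kernproc = rk64(rk64(GETOFFSET(kernel_task)) + OFFSET(task, bsd_info));
+uint64_t proc = kernproc;
+pid_t our_pid = getpid();
+uint64_t our_proc = 0;
+while (proc) {
+if (rk32(proc + OFFSET(proc, p_pid)) == our_pid) {
+our_proc = proc;
+break;
+}
+proc = rk64(proc + OFFSET(proc, p_list));
+}
+uint64_t task_addr = rk64(our_proc + OFFSET(proc, task));
+uint64_t itk_space = rk64(task_addr + OFFSET(task, itk_space));
+uint64_t is_table = rk64(itk_space + OFFSET(ipc_space, is_table));
+mach_port_t port = mach_task_self();
+uint32_t port_index = port >> 8;
+const int sizeof_ipc_entry_t = SIZE(ipc_entry);
+uint64_t port_addr = rk64(is_table + (port_index * sizeof_ipc_entry_t));
+return port_addr;
+}
+
+int (*pmap_load_trust_cache)(uint64_t kernel_trust, size_t length) = NULL;
+int _pmap_load_trust_cache(uint64_t kernel_trust, size_t length) {
+return (int)kernel_call_7(GETOFFSET(pmap_load_trust_cache), 3, kernel_trust, length, 0);
+}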
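Review bot: task_self_addr carries on when the proc-list walk finds no entry for getpid(): `our_proc` stays 0, and the reads at `rk64(our_proc + OFFSET(proc, task))` and the three that follow are then issued against addresses built from a NULL base, each folding a failed read into 0 because rk64 returns 0 on error, so the function hands back a meaningless "port address" that callers presumably go on to write through with tfp0. Add a guard after the loop, `if (!our_proc) { fprintf(stderr, "[e] no proc for pid %d\n", our_pid); return 0; }`, and note above the function that 0 means failure; the same ambiguity exists when kernproc itself reads as 0 (the loop simply never runs). Whether the callers check for a zero return is not visible on this page. Separately, kread has no `tfp0 == MACH_PORT_NULL` check while kwrite and kmem_alloc both do; it currently relies on mach_vm_read_overwrite rejecting the null port and reports the generic "error reading kernel" message, so adding the same early return would make the primitives consistent and the failure mode obvious.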
@@ -0,0 +1,76 @@ | ||
/* | ||
* IOKitLib.h | ||
* Brandon Azad | ||
*/ | ||
#ifndef VOUCHER_SWAP__IOKITLIB_H_ | ||
#define VOUCHER_SWAP__IOKITLIB_H_ | ||
|
||
#include <CoreFoundation/CoreFoundation.h> | ||
#include <mach/mach.h> | ||
|
||
typedef mach_port_t io_object_t; | ||
typedef io_object_t io_connect_t; | ||
typedef io_object_t io_iterator_t; | ||
typedef io_object_t io_service_t; | ||
|
||
extern const mach_port_t kIOMasterPortDefault; | ||
|
||
kern_return_t | ||
IOObjectRelease( | ||
io_object_t object ); | ||
|
||
io_object_t | ||
IOIteratorNext( | ||
io_iterator_t iterator ); | ||
|
||
io_service_t | ||
IOServiceGetMatchingService( | ||
mach_port_t masterPort, | ||
CFDictionaryRef matching CF_RELEASES_ARGUMENT); | ||
|
||
kern_return_t | ||
IOServiceGetMatchingServices( | ||
mach_port_t masterPort, | ||
CFDictionaryRef matching CF_RELEASES_ARGUMENT, | ||
io_iterator_t * existing ); | ||
|
||
kern_return_t | ||
IOServiceOpen( | ||
io_service_t service, | ||
task_port_t owningTask, | ||
uint32_t type, | ||
io_connect_t * connect ); | ||
|
||
kern_return_t | ||
IOServiceClose( | ||
io_connect_t connect ); | ||
|
||
kern_return_t | ||
IOConnectCallMethod( | ||
mach_port_t connection, // In | ||
uint32_t selector, // In | ||
const uint64_t *input, // In | ||
uint32_t inputCnt, // In | ||
const void *inputStruct, // In | ||
size_t inputStructCnt, // In | ||
uint64_t *output, // Out | ||
uint32_t *outputCnt, // In/Out | ||
void *outputStruct, // Out | ||
size_t *outputStructCnt) // In/Out | ||
AVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER; | ||
|
||
kern_return_t | ||
IOConnectTrap6(io_connect_t connect, | ||
uint32_t index, | ||
uintptr_t p1, | ||
uintptr_t p2, | ||
uintptr_t p3, | ||
uintptr_t p4, | ||
uintptr_t p5, | ||
uintptr_t p6); | ||
|
||
CFMutableDictionaryRef | ||
IOServiceMatching( | ||
const char * name ) CF_RETURNS_RETAINED; | ||
|
||
#endif |