Add files via upload

Injector/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 Pwn20wnd
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Injector/Makefile

@@ -0,0 +1,15 @@
+ARCHS ?= arm64 arm64e
+target ?= iphone:latest:11.0
+CFLAGS = -Iinclude
+GO_EASY_ON_ME=1
+FINALPACKAGE=1
+include $(THEOS)/makefiles/common.mk 
+
+TOOL_NAME = inject
+inject_CODESIGN_FLAGS = -Sentitlements.xml
+inject_CFLAGS += -I. -I./patchfinder64 -I./kernel_call -Wno-unused-variable -Wno-unused-function -Wno-unused-label
+inject_LIBRARIES = mis
+inject_FRAMEWORKS = Foundation CoreFoundation IOKit Security
+inject_FILES = main.m inject.m patchfinder64/patchfinder64.c kern_funcs.c kernel_call/kc_parameters.c kernel_call/kernel_alloc.c kernel_call/kernel_call.c kernel_call/kernel_memory.c kernel_call/kernel_slide.c kernel_call/log.c kernel_call/pac.c kernel_call/parameters.c kernel_call/platform_match.c kernel_call/platform.c kernel_call/user_client.c
+
+include $(THEOS_MAKE_PATH)/tool.mk

Injector/entitlements.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.system-task-ports</key>
+	<true/>
+	<key>task_for_pid-allow</key>
+	<true/>
+	<key>platform-application</key>
+	<true/>
+</dict>
+</plist>

Injector/include/kmem.h

@@ -0,0 +1,70 @@
+#ifndef kmem_h
+#define kmem_h
+
+#include <mach/mach.h>
+
+/***** mach_vm.h *****/
+kern_return_t mach_vm_read(
+                           vm_map_t target_task,
+                           mach_vm_address_t address,
+                           mach_vm_size_t size,
+                           vm_offset_t *data,
+                           mach_msg_type_number_t *dataCnt);
+
+kern_return_t mach_vm_write(
+                            vm_map_t target_task,
+                            mach_vm_address_t address,
+                            vm_offset_t data,
+                            mach_msg_type_number_t dataCnt);
+
+kern_return_t mach_vm_read_overwrite(
+                                     vm_map_t target_task,
+                                     mach_vm_address_t address,
+                                     mach_vm_size_t size,
+                                     mach_vm_address_t data,
+                                     mach_vm_size_t *outsize);
+
+kern_return_t mach_vm_allocate(
+                               vm_map_t target,
+                               mach_vm_address_t *address,
+                               mach_vm_size_t size,
+                               int flags);
+
+kern_return_t mach_vm_deallocate (
+                                  vm_map_t target,
+                                  mach_vm_address_t address,
+                                  mach_vm_size_t size);
+
+kern_return_t mach_vm_protect (
+                               vm_map_t target_task,
+                               mach_vm_address_t address,
+                               mach_vm_size_t size,
+                               boolean_t set_maximum,
+                               vm_prot_t new_protection);
+
+uint32_t rk32(uint64_t kaddr);
+uint64_t rk64(uint64_t kaddr);
+
+void wk32(uint64_t kaddr, uint32_t val);
+void wk64(uint64_t kaddr, uint64_t val);
+
+void wkbuffer(uint64_t kaddr, void* buffer, uint32_t length);
+void rkbuffer(uint64_t kaddr, void* buffer, uint32_t length);
+
+void kmemcpy(uint64_t dest, uint64_t src, uint32_t length);
+
+void kmem_protect(uint64_t kaddr, uint32_t size, int prot);
+
+uint64_t kmem_alloc(uint64_t size);
+uint64_t kmem_alloc_wired(uint64_t size);
+void kmem_free(uint64_t kaddr, uint64_t size);
+
+void prepare_rk_via_kmem_read_port(mach_port_t port);
+void prepare_rwk_via_tfp0(mach_port_t port);
+void prepare_for_rw_with_fake_tfp0(mach_port_t fake_tfp0);
+
+// query whether kmem read or write is present
+int have_kmem_read(void);
+int have_kmem_write(void);
+
+#endif

Injector/include/trav.h

@@ -0,0 +1,5 @@
+#ifndef _TRAV_H
+#define _TRAV_H
+#include <sys/time.h>
+#include "../async_wake_ios/async_wake_ios/libjb.h"
+#endif

Injector/inject.h

@@ -0,0 +1,17 @@
+/*
+ *  inject.h
+ *  
+ *  Created by Sam Bingner on 9/27/2018
+ *  Copyright 2018 Sam Bingner. All Rights Reserved.
+ *
+ */
+
+#ifndef _INJECT_H_
+#define _INJECT_H_
+#include <Foundation/Foundation.h>
+
+NSString *cdhashFor(NSString *file);
+int injectTrustCache(NSArray <NSString*> *files, uint64_t trust_chain, int (*pmap_load_trust_cache)(uint64_t, size_t));
+bool isInAMFIStaticCache(NSString *path);
+
+#endif

Injector/kern_funcs.c

@@ -0,0 +1,153 @@
+#include <sys/snapshot.h>
+#include <dlfcn.h>
+#include <sys/stat.h>
+#include <sys/mount.h>
+#include <copyfile.h>
+#include <spawn.h>
+#include <sys/utsname.h>
+#include <unistd.h>
+#include <libgen.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <dirent.h>
+#include <sys/sysctl.h>
+#include <mach-o/dyld.h>
+#include <sys/mman.h>
+#include <sys/param.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <mach/mach.h>
+#include "patchfinder64.h"
+#include <kmem.h>
+#include "CSCommon.h"
+#include "kern_funcs.h"
+#include "kernel_call.h"
+#include "parameters.h"
+#include "kc_parameters.h"
+#include "kernel_memory.h"
+
+offsets_t offs;
+uint64_t kernel_base;
+static mach_port_t tfp0=MACH_PORT_NULL;
+size_t kread(uint64_t where, void *p, size_t size);
+size_t kwrite(uint64_t where, const void *p, size_t size);
+
+void set_tfp0(mach_port_t port) {
+    tfp0 = port;
+}
+
+void wk32(uint64_t kaddr, uint32_t val) {
+    kwrite(kaddr, &val, sizeof(uint32_t));
+}
+
+void wk64(uint64_t kaddr, uint64_t val) {
+    kwrite(kaddr, &val, sizeof(uint64_t));
+}
+
+uint32_t rk32(uint64_t kaddr) {
+    uint32_t val = 0;
+
+    if (kread(kaddr, &val, sizeof(val)) != sizeof(val)) {
+        return 0;
+    }
+    return val;
+}
+
+uint64_t rk64(uint64_t kaddr) {
+    uint64_t val = 0;
+
+    if (kread(kaddr, &val, sizeof(val)) != sizeof(val)) {
+        return 0;
+    }
+    return val;
+}
+
+uint64_t kmem_alloc(uint64_t size) {
+    if (tfp0 == MACH_PORT_NULL) {
+        printf("attempt to allocate kernel memory before any kernel memory write primitives available\n");
+        sleep(3);
+        return 0;
+    }
+
+    kern_return_t err;
+    mach_vm_address_t addr = 0;
+    mach_vm_size_t ksize = round_page_kernel(size);
+    err = mach_vm_allocate(tfp0, &addr, ksize, VM_FLAGS_ANYWHERE);
+    if (err != KERN_SUCCESS) {
+        printf("unable to allocate kernel memory via tfp0: %s %x\n", mach_error_string(err), err);
+        sleep(3);
+        return 0;
+    }
+    return addr;
+}
+
+size_t kread(uint64_t where, void *p, size_t size)
+{
+    int rv;
+    size_t offset = 0;
+    while (offset < size) {
+        mach_vm_size_t sz, chunk = 2048;
+        if (chunk > size - offset) {
+            chunk = size - offset;
+        }
+        rv = mach_vm_read_overwrite(tfp0, where + offset, chunk, (mach_vm_address_t)p + offset, &sz);
+        if (rv || sz == 0) {
+            fprintf(stderr, "[e] error reading kernel @%p\n", (void *)(offset + where));
+            break;
+        }
+        offset += sz;
+    }
+    return offset;
+}
+
+size_t kwrite(uint64_t where, const void *p, size_t size)
+{
+    int rv;
+    size_t offset = 0;
+
+    if (tfp0 == MACH_PORT_NULL) {
+        printf("attempt to write to kernel memory before any kernel memory write primitives available\n");
+        sleep(3);
+        return offset;
+    }
+
+    while (offset < size) {
+        size_t chunk = 2048;
+        if (chunk > size - offset) {
+            chunk = size - offset;
+        }
+        rv = mach_vm_write(tfp0, where + offset, (mach_vm_offset_t)p + offset, (mach_msg_type_number_t)chunk);
+        if (rv) {
+            fprintf(stderr, "[e] error writing kernel @%p\n", (void *)(offset + where));
+            break;
+        }
+        offset += chunk;
+    }
+    return offset;
+}
+
+uint64_t task_self_addr() {
+    uint64_t kernproc = rk64(rk64(GETOFFSET(kernel_task)) + OFFSET(task, bsd_info));
+    uint64_t proc = kernproc;
+    pid_t our_pid = getpid();
+    uint64_t our_proc = 0;
+    while (proc) {
+        if (rk32(proc + OFFSET(proc, p_pid)) == our_pid) {
+            our_proc = proc;
+            break;
+        }
+        proc = rk64(proc + OFFSET(proc, p_list));
+    }
+    uint64_t task_addr = rk64(our_proc + OFFSET(proc, task));
+    uint64_t itk_space = rk64(task_addr + OFFSET(task, itk_space));
+    uint64_t is_table = rk64(itk_space + OFFSET(ipc_space, is_table));
+    mach_port_t port = mach_task_self();
+    uint32_t port_index = port >> 8;
+    const int sizeof_ipc_entry_t = SIZE(ipc_entry);
+    uint64_t port_addr = rk64(is_table + (port_index * sizeof_ipc_entry_t));
+    return port_addr;
+}
+
+int (*pmap_load_trust_cache)(uint64_t kernel_trust, size_t length) = NULL;
+int _pmap_load_trust_cache(uint64_t kernel_trust, size_t length) {
+    return (int)kernel_call_7(GETOFFSET(pmap_load_trust_cache), 3, kernel_trust, length, 0);
+}

Injector/kernel_call/IOKitLib.h

@@ -0,0 +1,76 @@
+/*
+ * IOKitLib.h
+ * Brandon Azad
+ */
+#ifndef VOUCHER_SWAP__IOKITLIB_H_
+#define VOUCHER_SWAP__IOKITLIB_H_
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <mach/mach.h>
+
+typedef mach_port_t	io_object_t;
+typedef io_object_t	io_connect_t;
+typedef io_object_t	io_iterator_t;
+typedef io_object_t	io_service_t;
+
+extern const mach_port_t kIOMasterPortDefault;
+
+kern_return_t
+IOObjectRelease(
+	io_object_t	object );
+
+io_object_t
+IOIteratorNext(
+	io_iterator_t	iterator );
+
+io_service_t
+IOServiceGetMatchingService(
+	mach_port_t	masterPort,
+	CFDictionaryRef	matching CF_RELEASES_ARGUMENT);
+
+kern_return_t
+IOServiceGetMatchingServices(
+	mach_port_t	masterPort,
+	CFDictionaryRef	matching CF_RELEASES_ARGUMENT,
+	io_iterator_t * existing );
+
+kern_return_t
+IOServiceOpen(
+	io_service_t    service,
+	task_port_t	owningTask,
+	uint32_t	type,
+	io_connect_t  *	connect );
+
+kern_return_t
+IOServiceClose(
+	io_connect_t	connect );
+
+kern_return_t
+IOConnectCallMethod(
+	mach_port_t	 connection,		// In
+	uint32_t	 selector,		// In
+	const uint64_t	*input,			// In
+	uint32_t	 inputCnt,		// In
+	const void      *inputStruct,		// In
+	size_t		 inputStructCnt,	// In
+	uint64_t	*output,		// Out
+	uint32_t	*outputCnt,		// In/Out
+	void		*outputStruct,		// Out
+	size_t		*outputStructCnt)	// In/Out
+AVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER;
+
+kern_return_t
+IOConnectTrap6(io_connect_t	connect,
+	       uint32_t		index,
+	       uintptr_t	p1,
+	       uintptr_t	p2,
+	       uintptr_t	p3,
+	       uintptr_t	p4,
+	       uintptr_t	p5,
+	       uintptr_t	p6);
+
+CFMutableDictionaryRef
+IOServiceMatching(
+	const char *	name ) CF_RETURNS_RETAINED;
+
+#endif