-
Notifications
You must be signed in to change notification settings - Fork 149
/
README.ios7
86 lines (64 loc) · 4.19 KB
/
README.ios7
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
// NOTES
// fix image_id to return:
// movs r0, #0
// str r0, [r3]
__text:5FF191D8 29 46 MOV R1, R5
__text:5FF191DA 32 46 MOV R2, R6
__text:5FF191DC FF F7 9E FC BL sub_5FF18B1C ; to MOVS r0, #0; STR r0, [r3]
__text:5FF191E0 00 21 MOVS R1, #0
__text:5FF191E2 00 28 CMP R0, #0
__text:5FF191E4 0C 91 STR R1, [SP,#0xC8+var_98]
FFF79EFC -> 00201860
__text:5FF1ADC6 7E 49 LDR R1, =aRdMd0NandEnabl ; "rd=md0 nand-enable-reformat=1 -progress"...
__text:5FF1ADC8 00 2D CMP R5, #0
__text:5FF1ADCA 7E 4C LDR R4, =unk_5FF35BD8
__text:5FF1ADCC 18 BF IT NE
__text:5FF1ADCE 0C 46 MOV R4, R1
// iOS 7 GM patches?
// --- iBoot Patches ---
// Note for SignatureCheck:
// This one can also be done by looking for:
// --AB 29 46 32 46, and then adding +5, replacing the BL with a 'MOV r0, #0; STR r0, [r3]' tuple.
/* Change ‘BL’ to ‘MOV r0, #0; STR r0, [r3]’ tuple.
29463246FFF79EFC002100280C91 -> 2946324600201860002100280C91 // SignatureCheck
/* Remove conditional checking for RAMdisk, including ‘IT ne’ block. */
002D7E4C18BF -> C046C046C046 // BootArgs Injection
/* Put your bootArgs here. */
"rd=md0 -progress nand-enable-reformat=1" -> "-v amfi=0xff cs_enforcement_disable=1 " // BootArgs
// --- Kernel Patches ---
/* Always return 1. */
7844D0F8240F7047 -> 7844012001207047 // PE_I_can_has_debugger
/* Remove IT ne block. */
002818BF0120C1F8240F -> 002801200120C1F8240F // debug-enabled initializer
/* Neuter sandbox. */
"/private/var/mobile/Applications" -> "/private/var/mobile/XXXXXXXXXXXX" // Remove sandbox path.
"com.apple.private.security.container-required " -> "com.apple.private.security.xxxxxxxxx-required" // Fix Weather.app
78440068007810F0040F -> 78440068042010F0040F // Allow builtin-profile for all platform-apps.
/* AMFI is done by boot-arg amfi=0xff. No need to do it here. */
/* task_for_pid 0. */
02910191BBF1000F00F0BA80 -> 02910191C046C046C046C046 // Remove compare for task port 0.
/* !!! OPTIONAL, ONLY FOR MOBILESUBSTRATE SUPPORT !!! */
/* vm_map_enter. */
/* vm_map_protect. */
/* not here yet! */
com.apple.security.sandbox:__text:8089B194 78 44 ADD R0, PC ; off_8089E264
com.apple.security.sandbox:__text:8089B196 00 68 LDR R0, [R0]
com.apple.security.sandbox:__text:8089B198 00 78 LDRB R0, [R0]
com.apple.security.sandbox:__text:8089B19A 10 F0 04 0F TST.W R0, #4
com.apple.security.sandbox:__text:8089B19E 00 F0 D1 80 BEQ.W loc_8089B344
__TEXT:__text:80295B3E 02 91 STR R1, [SP,#0x50+var_48]
__TEXT:__text:80295B40 01 91 STR R1, [SP,#0x50+var_4C]
__TEXT:__text:80295B42 BB F1 00 0F CMP.W R11, #0
__TEXT:__text:80295B46 00 F0 BA 80 BEQ.W loc_80295CBE
__TEXT:__text:80295B4A 6F F5 93 FA BL _port_name_to_task
__TEXT:__text:80295B4E 02 90 STR R0, [SP,#0x50+var_48]
__TEXT:__text:80295B50 00 28 CMP R0, #0
__TEXT:__text:80295B52 00 F0 B4 80 BEQ.W loc_80295CBE
__TEXT:__text:80295B56 58 46 MOV R0, R11
__TEXT:__text:80295B58 C0 F5 AE F8 BL _proc_find
__TEXT:__text:80295B5C 82 46 MOV R10, R0
__TEXT:__text:80118136 00 28 CMP R0, #0
__TEXT:__text:80118138 18 BF IT NE
__TEXT:__text:8011813A 01 20 MOVNE R0, #1
__TEXT:__text:8011813C C1 F8 24 0F STR.W R0, [R1,#(dword_8037A2B4 - 0x80379390)]
__TEXT:__text:800A26B2 loc_800A26B2 ; CODE XREF: __TEXT:__text:_PE_i_can_has_debugger