diff --git a/Makefile b/Makefile index ca88b422..dcfedeb4 100644 --- a/Makefile +++ b/Makefile @@ -3,10 +3,22 @@ SHELL = /usr/bin/env bash LDID = ldid MACOSX_SYSROOT = $(shell xcrun -sdk macosx --show-sdk-path) TARGET_SYSROOT = $(shell xcrun -sdk iphoneos --show-sdk-path) - +SB_SHIM = RootHelperSample/launchdshim/SpringBoardShim/ +CFPREFSD_SHIM = RootHelperSample/launchdshim/cfprefsdshim/ all: Serotonin.tipa +shims: + echo "[*] Building cfprefsdshim" + $(MAKE) -C $(CFPREFSD_SHIM) + /Users/ibarahime/Downloads/ldid_macosx_arm64 -S$(CFPREFSD_SHIM)ent.plist $(CFPREFSD_SHIM).theos/obj/debug/cfprefsdshim + /Users/ibarahime/dev/ChOma/ct_bypass -i $(CFPREFSD_SHIM).theos/obj/debug/cfprefsdshim -r -o $(CFPREFSD_SHIM)cfprefsdshimsignedinjected + echo "[*] Building springboardshim" + $(MAKE) -C $(SB_SHIM) + /Users/ibarahime/Downloads/ldid_macosx_arm64 -S$(SB_SHIM)SpringBoardEnts.plist $(SB_SHIM).theos/obj/debug/springboardshim + /Users/ibarahime/dev/ChOma/ct_bypass -i $(SB_SHIM).theos/obj/debug/springboardshim -r -o $(SB_SHIM)springboardshimsignedinjected + + Serotonin.tipa: $(wildcard **/*.c **/*.m **/*.swift **/*.plist **/*.xml) echo "[*] Building ChOma for host" $(MAKE) -C ChOma diff --git a/RootHelperSample/launchdshim/SpringBoardShim/Makefile b/RootHelperSample/launchdshim/SpringBoardShim/Makefile index 1cf8fbce..7824acb5 100644 --- a/RootHelperSample/launchdshim/SpringBoardShim/Makefile +++ b/RootHelperSample/launchdshim/SpringBoardShim/Makefile @@ -1,4 +1,4 @@ -TARGET := iphone:clang:latest +TARGET := iphone:clang:16.5 ARCHS = arm64 include $(THEOS)/makefiles/common.mk 
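Review bot: The new `shims` target ignores the `LDID = ldid` variable defined three lines above it and instead hard-codes a signing tool under `/Users/ibarahime/Downloads/` plus `/Users/ibarahime/dev/ChOma/ct_bypass`, so the recipe only works on one machine and signs release artifacts with an unreviewed binary taken from a Downloads folder. `shims` is also not declared phony and is not a prerequisite of `all: Serotonin.tipa`, so a plain `make` presumably keeps packaging whatever `*signedinjected` binaries are checked in (this commit updates one of them) rather than rebuilding them. I would add `.PHONY: shims` and a `CT_BYPASS ?= ct_bypass` next to `LDID` (the tree already builds ChOma via `$(MAKE) -C ChOma`, so an in-tree path may be available), and write the recipe lines as `$(LDID) -S$(CFPREFSD_SHIM)ent.plist $(CFPREFSD_SHIM).theos/obj/debug/cfprefsdshim` and `$(CT_BYPASS) -i ... -r -o ...` so both can be overridden from the command line.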
@@ -11,6 +11,7 @@ springboardshim_LDFLAGS = -L./ -lbsm springboardshim_CODESIGN_FLAGS = -SSpringBoardEnts.plist #springboardshim_PRIVATE_FRAMEWORKS = SpringBoard SpringBoardServices Foundation // adding SpringBoard to privateframeworks here will add it into load command before the tweak dylib is loaded, which causes the platform check to fail - thanks DuyKhanhTran +# EDIT THE LIBHOOKER TBD TO USE @loader_path/.jbroot/usr/lib/libhooker.dylib in $THEOS/vendor/lib/libhooker.tbd after-package:: ct_bypass -i .theos/obj/debug/springboardshim -o springboardshimsigned diff --git a/RootHelperSample/launchdshim/SpringBoardShim/build.sh b/RootHelperSample/launchdshim/SpringBoardShim/build.sh index d7e7d8ca..1b3d6a21 100755 --- a/RootHelperSample/launchdshim/SpringBoardShim/build.sh +++ b/RootHelperSample/launchdshim/SpringBoardShim/build.sh @@ -1,13 +1,4 @@ -function replaceByte() { - printf "\x00\x00\x00\x00" | dd of="$1" bs=1 seek=$2 count=4 conv=notrunc &> /dev/null -} - make -# /Users/ibarahime/insert_dylib/insert_dylib/insert_dylib /var/jb/usr/lib/ellekit/libinjector.dylib .theos/obj/debug/arm64e/springboardshim springboardshiminjected --all-yes -# /Users/ibarahime/insert_dylib/insert_dylib/insert_dylib /var/jb/usr/lib/libellekit.dylib springboardshiminjected springboardshiminjected --all-yes -# /Users/ibarahime/dev/insert_dylib/insert_dylib/a.out @loader_path/springboardhook.dylib .theos/obj/debug/arm64/springboardshim springboardshiminjected --all-yes - -# replaceByte 'springboardshiminjected' 8 /Users/ibarahime/Downloads/ldid_macosx_arm64 -SSpringBoardEnts.plist springboardshiminjected /Users/ibarahime/dev/ChOma/ct_bypass -i springboardshiminjected -r -o springboardshimsignedinjected diff --git a/RootHelperSample/launchdshim/SpringBoardShim/fishhook.c b/RootHelperSample/launchdshim/SpringBoardShim/fishhook.c deleted file mode 100644 index e6d92d1d..00000000 --- a/RootHelperSample/launchdshim/SpringBoardShim/fishhook.c +++ /dev/null 
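Review bot: The added comment asks the builder to hand-edit `$THEOS/vendor/lib/libhooker.tbd`, which mutates the shared toolchain outside the repository; a clean THEOS checkout will link `-lhooker` against whatever install name the stock tbd carries, and nothing in `after-package::` verifies which one was used. Since `springboardshim_LDFLAGS` already has `-L./`, I would check a project-local copy of the tbd into this directory so `-lhooker` resolves to it, or at least fail the build when the wrong install name is linked, e.g. `otool -L .theos/obj/debug/springboardshim | grep -q '@loader_path/.jbroot/usr/lib/libhooker.dylib' || exit 1` as the first line of `after-package::`. The comment should then explain why the `@loader_path/.jbroot/...` install name is required (presumably because the shim is executed from the jbroot-symlinked location — worth confirming) instead of instructing an edit.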
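Review bot: The script has no `set -e`, so when the hard-coded `/Users/ibarahime/Downloads/ldid_macosx_arm64` is missing or fails, the next line still runs `ct_bypass` on the unsigned output and writes `springboardshimsignedinjected`, which is exactly the artifact this commit checks in as a binary. I would put `set -euo pipefail` on the first line and read the tools from variables, `LDID=${LDID:-ldid}` and `CT_BYPASS=${CT_BYPASS:-ct_bypass}`, so a failure stops the chain and other hosts can run it at all. Removing the stale `replaceByte` helper and the commented `insert_dylib` lines is a good cleanup on its own.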
@@ -1,277 +0,0 @@ -// Copyright (c) 2013, Facebook, Inc. -// All rights reserved. -// Redistribution and use in source and binary forms, with or without -// modification, are permitted provided that the following conditions are met: -// * Redistributions of source code must retain the above copyright notice, -// this list of conditions and the following disclaimer. -// * Redistributions in binary form must reproduce the above copyright notice, -// this list of conditions and the following disclaimer in the documentation -// and/or other materials provided with the distribution. -// * Neither the name Facebook nor the names of its contributors may be used to -// endorse or promote products derived from this software without specific -// prior written permission. -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- -#include "fishhook.h" - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#if __has_include() -#include -#endif - -#ifdef __LP64__ -typedef struct mach_header_64 mach_header_t; -typedef struct segment_command_64 segment_command_t; -typedef struct section_64 section_t; -typedef struct nlist_64 nlist_t; -#define LC_SEGMENT_ARCH_DEPENDENT LC_SEGMENT_64 -#else -typedef struct mach_header mach_header_t; -typedef struct segment_command segment_command_t; -typedef struct section section_t; -typedef struct nlist nlist_t; -#define LC_SEGMENT_ARCH_DEPENDENT LC_SEGMENT -#endif - -#ifndef SEG_DATA_CONST -#define SEG_DATA_CONST "__DATA_CONST" -#endif - -struct rebindings_entry { - struct rebinding *rebindings; - size_t rebindings_nel; - struct rebindings_entry *next; -}; - -static struct rebindings_entry *_rebindings_head; - -static int prepend_rebindings(struct rebindings_entry **rebindings_head, - struct rebinding rebindings[], - size_t nel) { - struct rebindings_entry *new_entry = (struct rebindings_entry *) malloc(sizeof(struct rebindings_entry)); - if (!new_entry) { - return -1; - } - new_entry->rebindings = (struct rebinding *) malloc(sizeof(struct rebinding) * nel); - if (!new_entry->rebindings) { - free(new_entry); - return -1; - } - memcpy(new_entry->rebindings, rebindings, sizeof(struct rebinding) * nel); - new_entry->rebindings_nel = nel; - new_entry->next = *rebindings_head; - *rebindings_head = new_entry; - return 0; -} - -#if 0 -static int get_protection(void *addr, vm_prot_t *prot, vm_prot_t *max_prot) { - mach_port_t task = mach_task_self(); - vm_size_t size = 0; - vm_address_t address = (vm_address_t)addr; - memory_object_name_t object; -#ifdef __LP64__ - mach_msg_type_number_t count = VM_REGION_BASIC_INFO_COUNT_64; - vm_region_basic_info_data_64_t info; - kern_return_t info_ret = vm_region_64( - task, &address, &size, VM_REGION_BASIC_INFO_64, (vm_region_info_64_t)&info, &count, 
&object); -#else - mach_msg_type_number_t count = VM_REGION_BASIC_INFO_COUNT; - vm_region_basic_info_data_t info; - kern_return_t info_ret = vm_region(task, &address, &size, VM_REGION_BASIC_INFO, (vm_region_info_t)&info, &count, &object); -#endif - if (info_ret == KERN_SUCCESS) { - if (prot != NULL) - *prot = info.protection; - - if (max_prot != NULL) - *max_prot = info.max_protection; - - return 0; - } - - return -1; -} -#endif - -static void perform_rebinding_with_section(struct rebindings_entry *rebindings, - section_t *section, - intptr_t slide, - nlist_t *symtab, - char *strtab, - uint32_t *indirect_symtab) { - uint32_t *indirect_symbol_indices = indirect_symtab + section->reserved1; - void **indirect_symbol_bindings = (void **)((uintptr_t)slide + section->addr); - - for (uint i = 0; i < section->size / sizeof(void *); i++) { - uint32_t symtab_index = indirect_symbol_indices[i]; - if (symtab_index == INDIRECT_SYMBOL_ABS || symtab_index == INDIRECT_SYMBOL_LOCAL || - symtab_index == (INDIRECT_SYMBOL_LOCAL | INDIRECT_SYMBOL_ABS)) { - continue; - } - uint32_t strtab_offset = symtab[symtab_index].n_un.n_strx; - char *symbol_name = strtab + strtab_offset; - bool symbol_name_longer_than_1 = symbol_name[0] && symbol_name[1]; - struct rebindings_entry *cur = rebindings; - while (cur) { - for (uint j = 0; j < cur->rebindings_nel; j++) { - if (symbol_name_longer_than_1 && strcmp(&symbol_name[1], cur->rebindings[j].name) == 0) { - kern_return_t err; - - if (cur->rebindings[j].replaced != NULL && indirect_symbol_bindings[i] != cur->rebindings[j].replacement) - *(cur->rebindings[j].replaced) = indirect_symbol_bindings[i]; - - /** - * 1. Moved the vm protection modifying codes to here to reduce the - * changing scope. - * 2. Adding VM_PROT_WRITE mode unconditionally because vm_region - * API on some iOS/Mac reports mismatch vm protection attributes. 
- * -- Lianfu Hao Jun 16th, 2021 - **/ - err = vm_protect (mach_task_self (), (uintptr_t)indirect_symbol_bindings, section->size, 0, VM_PROT_READ | VM_PROT_WRITE | VM_PROT_COPY); - if (err == KERN_SUCCESS) { - /** - * Once we failed to change the vm protection, we - * MUST NOT continue the following write actions! - * iOS 15 has corrected the const segments prot. - * -- Lionfore Hao Jun 11th, 2021 - **/ - #if !__has_feature(ptrauth_calls) - indirect_symbol_bindings[i] = cur->rebindings[j].replacement; - #else - void *replacement = cur->rebindings[j].replacement; - if (!strcmp(section->sectname, "__auth_got")) { - void *stripped = ptrauth_strip(replacement, ptrauth_key_process_independent_code); - replacement = ptrauth_sign_unauthenticated(stripped, ptrauth_key_process_independent_code, &indirect_symbol_bindings[i]); - } - indirect_symbol_bindings[i] = replacement; - #endif - } - goto symbol_loop; - } - } - cur = cur->next; - } - symbol_loop:; - } -} - -static void rebind_symbols_for_image(struct rebindings_entry *rebindings, - const struct mach_header *header, - intptr_t slide) { - Dl_info info; - if (dladdr(header, &info) == 0) { - return; - } - - segment_command_t *cur_seg_cmd; - segment_command_t *linkedit_segment = NULL; - struct symtab_command* symtab_cmd = NULL; - struct dysymtab_command* dysymtab_cmd = NULL; - - uintptr_t cur = (uintptr_t)header + sizeof(mach_header_t); - for (uint i = 0; i < header->ncmds; i++, cur += cur_seg_cmd->cmdsize) { - cur_seg_cmd = (segment_command_t *)cur; - if (cur_seg_cmd->cmd == LC_SEGMENT_ARCH_DEPENDENT) { - if (strcmp(cur_seg_cmd->segname, SEG_LINKEDIT) == 0) { - linkedit_segment = cur_seg_cmd; - } - } else if (cur_seg_cmd->cmd == LC_SYMTAB) { - symtab_cmd = (struct symtab_command*)cur_seg_cmd; - } else if (cur_seg_cmd->cmd == LC_DYSYMTAB) { - dysymtab_cmd = (struct dysymtab_command*)cur_seg_cmd; - } - } - - if (!symtab_cmd || !dysymtab_cmd || !linkedit_segment || - !dysymtab_cmd->nindirectsyms) { - return; - } - - // Find 
base symbol/string table addresses - uintptr_t linkedit_base = (uintptr_t)slide + linkedit_segment->vmaddr - linkedit_segment->fileoff; - nlist_t *symtab = (nlist_t *)(linkedit_base + symtab_cmd->symoff); - char *strtab = (char *)(linkedit_base + symtab_cmd->stroff); - - // Get indirect symbol table (array of uint32_t indices into symbol table) - uint32_t *indirect_symtab = (uint32_t *)(linkedit_base + dysymtab_cmd->indirectsymoff); - - cur = (uintptr_t)header + sizeof(mach_header_t); - for (uint i = 0; i < header->ncmds; i++, cur += cur_seg_cmd->cmdsize) { - cur_seg_cmd = (segment_command_t *)cur; - if (cur_seg_cmd->cmd == LC_SEGMENT_ARCH_DEPENDENT) { - if (strcmp(cur_seg_cmd->segname, SEG_DATA) != 0 && - strcmp(cur_seg_cmd->segname, SEG_DATA_CONST) != 0) { - continue; - } - for (uint j = 0; j < cur_seg_cmd->nsects; j++) { - section_t *sect = - (section_t *)(cur + sizeof(segment_command_t)) + j; - if ((sect->flags & SECTION_TYPE) == S_LAZY_SYMBOL_POINTERS) { - perform_rebinding_with_section(rebindings, sect, slide, symtab, strtab, indirect_symtab); - } - if ((sect->flags & SECTION_TYPE) == S_NON_LAZY_SYMBOL_POINTERS) { - perform_rebinding_with_section(rebindings, sect, slide, symtab, strtab, indirect_symtab); - } - } - } - } -} - -static void _rebind_symbols_for_image(const struct mach_header *header, - intptr_t slide) { - rebind_symbols_for_image(_rebindings_head, header, slide); -} - -int rebind_symbols_image(void *header, - intptr_t slide, - struct rebinding rebindings[], - size_t rebindings_nel) { - struct rebindings_entry *rebindings_head = NULL; - int retval = prepend_rebindings(&rebindings_head, rebindings, rebindings_nel); - rebind_symbols_for_image(rebindings_head, (const struct mach_header *) header, slide); - if (rebindings_head) { - free(rebindings_head->rebindings); - } - free(rebindings_head); - return retval; -} - -int rebind_symbols(struct rebinding rebindings[], size_t rebindings_nel) { - int retval = prepend_rebindings(&_rebindings_head, 
rebindings, rebindings_nel); - if (retval < 0) { - return retval; - } - // If this was the first call, register callback for image additions (which is also invoked for - // existing images, otherwise, just run on existing images - if (!_rebindings_head->next) { - _dyld_register_func_for_add_image(_rebind_symbols_for_image); - } else { - uint32_t c = _dyld_image_count(); - for (uint32_t i = 0; i < c; i++) { - _rebind_symbols_for_image(_dyld_get_image_header(i), _dyld_get_image_vmaddr_slide(i)); - } - } - return retval; -} diff --git a/RootHelperSample/launchdshim/SpringBoardShim/fishhook.h b/RootHelperSample/launchdshim/SpringBoardShim/fishhook.h deleted file mode 100644 index 0d8e36a9..00000000 --- a/RootHelperSample/launchdshim/SpringBoardShim/fishhook.h +++ /dev/null 
@@ -1,76 +0,0 @@ -// Copyright (c) 2013, Facebook, Inc. -// All rights reserved. -// Redistribution and use in source and binary forms, with or without -// modification, are permitted provided that the following conditions are met: -// * Redistributions of source code must retain the above copyright notice, -// this list of conditions and the following disclaimer. -// * Redistributions in binary form must reproduce the above copyright notice, -// this list of conditions and the following disclaimer in the documentation -// and/or other materials provided with the distribution. -// * Neither the name Facebook nor the names of its contributors may be used to -// endorse or promote products derived from this software without specific -// prior written permission. -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- -#ifndef fishhook_h -#define fishhook_h - -#include -#include - -#if !defined(FISHHOOK_EXPORT) -#define FISHHOOK_VISIBILITY __attribute__((visibility("hidden"))) -#else -#define FISHHOOK_VISIBILITY __attribute__((visibility("default"))) -#endif - -#ifdef __cplusplus -extern "C" { -#endif //__cplusplus - -/* - * A structure representing a particular intended rebinding from a symbol - * name to its replacement - */ -struct rebinding { - const char *name; - void *replacement; - void **replaced; -}; - -/* - * For each rebinding in rebindings, rebinds references to external, indirect - * symbols with the specified name to instead point at replacement for each - * image in the calling process as well as for all future images that are loaded - * by the process. If rebind_functions is called more than once, the symbols to - * rebind are added to the existing list of rebindings, and if a given symbol - * is rebound more than once, the later rebinding will take precedence. - */ -FISHHOOK_VISIBILITY -int rebind_symbols(struct rebinding rebindings[], size_t rebindings_nel); - -/* - * Rebinds as above, but only in the specified image. The header should point - * to the mach-o header, the slide should be the slide offset. Others as above. - */ -FISHHOOK_VISIBILITY -int rebind_symbols_image(void *header, - intptr_t slide, - struct rebinding rebindings[], - size_t rebindings_nel); - -#ifdef __cplusplus -} -#endif //__cplusplus - -#endif //fishhook_h - diff --git a/RootHelperSample/launchdshim/SpringBoardShim/main.m b/RootHelperSample/launchdshim/SpringBoardShim/main.m index 5c67836f..e83ff39d 100644 --- a/RootHelperSample/launchdshim/SpringBoardShim/main.m +++ b/RootHelperSample/launchdshim/SpringBoardShim/main.m 
@@ -12,24 +12,187 @@ #include #include #include "utils.h" -#include #include +#define JB_ROOT_PREFIX ".jbroot-" +#define JB_RAND_LENGTH (sizeof(uint64_t)*sizeof(char)*2) -@interface NSBundle(private) -- (id)_cfBundle;#include -#include -#include -#include -#include +int is_jbrand_value(uint64_t value) +{ + uint8_t check = value>>8 ^ value >> 16 ^ value>>24 ^ value>>32 ^ value>>40 ^ value>>48 ^ value>>56; + return check == (uint8_t)value; +} -int (*SBSystemAppMain)(int argc, char *argv[], char *envp[], char* apple[]); +int is_jbroot_name(const char* name) +{ + if(strlen(name) != (sizeof(JB_ROOT_PREFIX)-1+JB_RAND_LENGTH)) + return 0; + + if(strncmp(name, JB_ROOT_PREFIX, sizeof(JB_ROOT_PREFIX)-1) != 0) + return 0; + + char* endp=NULL; + uint64_t value = strtoull(name+sizeof(JB_ROOT_PREFIX)-1, &endp, 16); + if(!endp || *endp!='\0') + return 0; + + if(!is_jbrand_value(value)) + return 0; + + return 1; +} -int main(int argc, char *argv[], char *envp[], char* apple[]) { - void *handle = dlopen("/System/Library/PrivateFrameworks/SpringBoard.framework/SpringBoard", RTLD_GLOBAL); - SBSystemAppMain = dlsym(handle, "SBSystemAppMain"); - return SBSystemAppMain(argc, argv, envp, apple); +uint64_t resolve_jbrand_value(const char* name) +{ + if(strlen(name) != (sizeof(JB_ROOT_PREFIX)-1+JB_RAND_LENGTH)) + return 0; + + if(strncmp(name, JB_ROOT_PREFIX, sizeof(JB_ROOT_PREFIX)-1) != 0) + return 0; + + char* endp=NULL; + uint64_t value = strtoull(name+sizeof(JB_ROOT_PREFIX)-1, &endp, 16); + if(!endp || *endp!='\0') + return 0; + + if(!is_jbrand_value(value)) + return 0; + + return value; +} + + +NSString* find_jbroot() +{ + //jbroot path may change when re-randomize it + NSString * jbroot = nil; + NSArray *subItems = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:@"/var/containers/Bundle/Application/" error:nil]; + for (NSString *subItem in subItems) { + if (is_jbroot_name(subItem.UTF8String)) + { + NSString* path = [@"/var/containers/Bundle/Application/" 
stringByAppendingPathComponent:subItem]; + jbroot = path; + break; + } + } + return jbroot; +} + +NSString *jbroot(NSString *path) +{ + NSString* jbroot = find_jbroot(); + return [jbroot stringByAppendingPathComponent:path]; +} +#define POSIX_SPAWN_PERSONA_FLAGS_OVERRIDE 1 + +int posix_spawnattr_set_persona_np(const posix_spawnattr_t* __restrict, uid_t, uint32_t); +int posix_spawnattr_set_persona_uid_np(const posix_spawnattr_t* __restrict, uid_t); +int posix_spawnattr_set_persona_gid_np(const posix_spawnattr_t* __restrict, uid_t); + +int fd_is_valid(int fd) +{ + return fcntl(fd, F_GETFD) != -1 || errno != EBADF; +} + +NSString* getNSStringFromFile(int fd) +{ + NSMutableString* ms = [NSMutableString new]; + ssize_t num_read; + char c; + if(!fd_is_valid(fd)) return @""; + while((num_read = read(fd, &c, sizeof(c)))) + { + [ms appendString:[NSString stringWithFormat:@"%c", c]]; + if(c == '\n') break; + } + return ms.copy; +} + +int spawnRoot(NSString* path, NSArray* args, NSString** stdOut, NSString** stdErr) +{ + NSMutableArray* argsM = args.mutableCopy ?: [NSMutableArray new]; + [argsM insertObject:path.lastPathComponent atIndex:0]; + + NSUInteger argCount = [argsM count]; + char **argsC = (char **)malloc((argCount + 1) * sizeof(char*)); + + for (NSUInteger i = 0; i < argCount; i++) + { + argsC[i] = strdup([[argsM objectAtIndex:i] UTF8String]); + } + argsC[argCount] = NULL; + + posix_spawnattr_t attr; + posix_spawnattr_init(&attr); + + posix_spawnattr_set_persona_np(&attr, 99, POSIX_SPAWN_PERSONA_FLAGS_OVERRIDE); + posix_spawnattr_set_persona_uid_np(&attr, 0); + posix_spawnattr_set_persona_gid_np(&attr, 0); + + posix_spawn_file_actions_t action; + posix_spawn_file_actions_init(&action); + + int outErr[2]; + if(stdErr) + { + pipe(outErr); + posix_spawn_file_actions_adddup2(&action, outErr[1], STDERR_FILENO); + posix_spawn_file_actions_addclose(&action, outErr[0]); + } + + int out[2]; + if(stdOut) + { + pipe(out); + posix_spawn_file_actions_adddup2(&action, out[1], 
STDOUT_FILENO); + posix_spawn_file_actions_addclose(&action, out[0]); + } + + pid_t task_pid; + int status = -200; + int spawnError = posix_spawn(&task_pid, [path UTF8String], &action, &attr, (char* const*)argsC, NULL); + posix_spawnattr_destroy(&attr); + for (NSUInteger i = 0; i < argCount; i++) + { + free(argsC[i]); + } + free(argsC); + + if(spawnError != 0) + { + NSLog(@"posix_spawn error %d\n", spawnError); + return spawnError; + } + + do + { + if (waitpid(task_pid, &status, 0) != -1) { + NSLog(@"Child status %d", WEXITSTATUS(status)); + } else + { + perror("waitpid"); + return -222; + } + } while (!WIFEXITED(status) && !WIFSIGNALED(status)); + + if(stdOut) + { + close(out[1]); + NSString* output = getNSStringFromFile(out[0]); + *stdOut = output; + } + + if(stdErr) + { + close(outErr[1]); + NSString* errorOutput = getNSStringFromFile(outErr[0]); + *stdErr = errorOutput; + } + + return WEXITSTATUS(status); } +@interface NSBundle(private) +- (id)_cfBundle; @end @implementation NSBundle (Loaded) 
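Review bot: `spawnRoot` drains the stdout/stderr pipes only after `waitpid` has returned, so a child that writes more than the pipe's capacity before exiting blocks on write while the parent blocks in `waitpid`; `getNSStringFromFile` also stops at the first newline, so even a pre-wait read would not fully drain the pipe. The read ends `out[0]`/`outErr[0]` and the `posix_spawn_file_actions_t` are never released (`close(out[0])` after the read and `posix_spawn_file_actions_destroy(&action)` after the spawn), and the two `pipe()` return values are unchecked. Because the child runs under a persona override to uid 0/gid 0, this is root-spawning code; the only caller in this hunk is the commented-out `spawnRoot(jbroot(@"/basebin/bootstrapd"), ...)`, so if it is not going to be used it is safer to drop it than to carry it. `resolve_jbrand_value` duplicates `is_jbroot_name` line for line and could be `return is_jbroot_name(name) ? strtoull(name + sizeof(JB_ROOT_PREFIX) - 1, NULL, 16) : 0;`. The `NSBundle (Loaded)` category opened at the end of the hunk continues outside it.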
@@ -55,6 +218,32 @@ int hooked_csops(pid_t pid, unsigned int ops, void *useraddr, size_t usersize) { return result; } +void customLog(NSString *format, ...) { + va_list args; + va_start(args, format); + NSString *message = [[NSString alloc] initWithFormat:format arguments:args]; + va_end(args); + NSLog(@"%@", message); + NSString *logPath = @"/var/mobile/sbhook.log"; + NSFileHandle *fileHandle = [NSFileHandle fileHandleForWritingAtPath:logPath]; + if (!fileHandle) { + [[NSFileManager defaultManager] createFileAtPath:logPath contents:nil attributes:nil]; + fileHandle = [NSFileHandle fileHandleForWritingAtPath:logPath]; + } + [fileHandle seekToEndOfFile]; + [fileHandle writeData:[[message stringByAppendingString:@"\n"] dataUsingEncoding:NSUTF8StringEncoding]]; + [fileHandle closeFile]; +} + +void load_tweaks(void) { + unsetenv("DYLD_INSERT_LIBRARIES"); + customLog(@"springboard - loading tweaks for pid %d", getpid()); + customLog(@"[springboardhook] dlopening bootstrap.dylib..."); + customLog(@"jbroot: %@", jbroot(@"/")); +// spawnRoot(jbroot(@"/basebin/bootstrapd"), @[@"daemon",@"-f"], nil, nil); + dlopen(jbroot(@"/basebin/bootstrap.dylib").UTF8String, RTLD_GLOBAL | RTLD_NOW); +} + int hooked_csops_audittoken(pid_t pid, unsigned int ops, void * useraddr, size_t usersize, audit_token_t * token) { int result = orig_csops_audittoken(pid, ops, useraddr, usersize, token); if (result != 0) return result; @@ -91,7 +280,7 @@ static void overwriteMainNSBundle(NSBundle *newBundle) { // iOS 16: x19 is _MergedGlobals // iOS 17: x19 is _MergedGlobals+4 - NSString *oldPath = NSBundle.mainBundle.executablePath; +// NSString *oldPath = NSBundle.mainBundle.executablePath; uint32_t *mainBundleImpl = (uint32_t *)method_getImplementation(class_getClassMethod(NSBundle.class, @selector(mainBundle))); for (int i = 0; i < 20; i++) { void **_MergedGlobals = (void **)aarch64_emulate_adrp_add(mainBundleImpl[i], mainBundleImpl[i+1], (uint64_t)&mainBundleImpl[i]); 
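Review bot: `load_tweaks` cannot detect the failure it most needs to: when `find_jbroot` finds no `.jbroot-*` directory, `jbroot(@"/basebin/bootstrap.dylib")` is nil, `.UTF8String` is NULL, and `dlopen(NULL, ...)` returns a handle to the main executable, so the call "succeeds" with no tweak loader loaded and nothing logged. I would guard it with `NSString *lib = jbroot(@"/basebin/bootstrap.dylib"); if (!lib || !dlopen(lib.UTF8String, RTLD_GLOBAL | RTLD_NOW)) customLog(@"bootstrap.dylib load failed: %s", dlerror());`. Separately, `customLog(@"jbroot: %@", jbroot(@"/"))` writes the randomized container path to the fixed file `/var/mobile/sbhook.log`, created with default attributes and appended to without bound; that persists on disk the very value the `.jbroot-<rand>` naming is meant to keep unguessable, so I would keep that line at `NSLog` level or drop it. The hunk's second change (`@@ -91,7 +280,7 @@`) comments out an assignment inside `overwriteMainNSBundle`, whose body continues outside the hunk.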
@@ -126,7 +315,7 @@ int main(int argc, char *argv[], char *envp[], char* apple[]) { // memorystatus_control(MEMORYSTATUS_CMD_SET_MEMLIMIT_PROPERTIES, getpid(), 0, &props, sizeof(props)); if (argc > 1 && strcmp(argv[1], "--jit") == 0) { - NSLog(@"jit 1"); +// NSLog(@"jit 1"); ptrace(0, 0, 0, 0); exit(0); } else { @@ -134,7 +323,7 @@ int main(int argc, char *argv[], char *envp[], char* apple[]) { char *modified_argv[] = {argv[0], "--jit", NULL }; int ret = posix_spawnp(&pid, argv[0], NULL, NULL, modified_argv, envp); if (ret == 0) { - NSLog(@"jit 2"); +// NSLog(@"jit 2"); waitpid(pid, NULL, WUNTRACED); ptrace(11, pid, 0, 0); kill(pid, SIGTERM); @@ -160,8 +349,8 @@ int main(int argc, char *argv[], char *envp[], char* apple[]) { }; LHHookFunctions(hooks, 2); void *handle = dlopen("/System/Library/PrivateFrameworks/SpringBoard.framework/SpringBoard", RTLD_GLOBAL); -// spawnRoot(jbroot(@"/basebin/bootstrapd"), @[@"daemon",@"-f"], nil, nil); - dlopen(jbroot(@"/basebin/bootstrap.dylib").UTF8String, RTLD_GLOBAL | RTLD_NOW); +// this needs to be done at a very specific time if not everything blows up + load_tweaks(); SBSystemAppMain = dlsym(handle, "SBSystemAppMain"); return SBSystemAppMain(argc, argv, envp, apple); } diff --git a/RootHelperSample/launchdshim/SpringBoardShim/springboardshimsignedinjected b/RootHelperSample/launchdshim/SpringBoardShim/springboardshimsignedinjected index 111fffff..ffb928f7 100755 Binary files a/RootHelperSample/launchdshim/SpringBoardShim/springboardshimsignedinjected and b/RootHelperSample/launchdshim/SpringBoardShim/springboardshimsignedinjected differ diff --git a/RootHelperSample/launchdshim/cfprefsdshim/Makefile b/RootHelperSample/launchdshim/cfprefsdshim/Makefile new file mode 100644 index 00000000..9dd9c028 --- /dev/null +++ b/RootHelperSample/launchdshim/cfprefsdshim/Makefile 
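Review bot: Replacing the inline `dlopen` with `load_tweaks()` is not a pure refactor: `load_tweaks` additionally calls `unsetenv("DYLD_INSERT_LIBRARIES")` and appends to `/var/mobile/sbhook.log` at this point in `main`, and the new comment `this needs to be done at a very specific time if not everything blows up` records that ordering matters without saying what the constraint is. From the visible lines the call sits after `LHHookFunctions(hooks, 2)` has installed the csops hooks and after SpringBoard.framework is dlopened, but before `SBSystemAppMain` is resolved and invoked; I would state that instead, e.g. `// Order matters: after LHHookFunctions() (csops hooks) and the SpringBoard.framework dlopen, before SBSystemAppMain — TODO document why bootstrap.dylib needs both.` The `handle` from `dlopen` is still passed to `dlsym` unchecked on the next line (pre-existing, but the resulting NULL `SBSystemAppMain` would be called directly). `main` starts before this hunk.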
@@ -0,0 +1,15 @@ +TARGET := iphone:clang:latest +ARCHS = arm64 + +include $(THEOS)/makefiles/common.mk + +TOOL_NAME = cfprefsdshim + +cfprefsdshim_FILES = $(wildcard *.c) $(wildcard *.m) +cfprefsdshim_CFLAGS = -fobjc-arc -isystem -Wno-error +cfprefsdshim_LDFLAGS = -L./ -lbsm -lhooker +cfprefsdshim_CODESIGN_FLAGS = -Sent.plist + +after-package:: ct_bypass -i .theos/obj/debug/cfprefsdshim -o cfprefsd + +include $(THEOS_MAKE_PATH)/tool.mk diff --git a/RootHelperSample/launchdshim/cfprefsdshim/build.sh b/RootHelperSample/launchdshim/cfprefsdshim/build.sh new file mode 100755 index 00000000..3d01f781 --- /dev/null +++ b/RootHelperSample/launchdshim/cfprefsdshim/build.sh @@ -0,0 +1,4 @@ +make -C RootHelperSample/launchdshim/cfprefsdshim +/Users/ibarahime/Downloads/ldid_macosx_arm64 -Sent.plist .theos/obj/debug/cfprefsdshim +/Users/ibarahime/dev/ChOma/ct_bypass -i .theos/obj/debug/cfprefsdshim -r -o cfprefsdshimsignedinjected + diff --git a/RootHelperSample/launchdshim/cfprefsdshim/cfprefsdshim.m b/RootHelperSample/launchdshim/cfprefsdshim/cfprefsdshim.m new file mode 100644 index 00000000..039fd248 --- /dev/null +++ b/RootHelperSample/launchdshim/cfprefsdshim/cfprefsdshim.m 
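Review bot: `TARGET := iphone:clang:latest` here while the SpringBoardShim Makefile is pinned to `iphone:clang:16.5` in this same commit, so the two shims that ship together are built against different SDKs; pin this one the same way. `cfprefsdshim_CFLAGS = -fobjc-arc -isystem -Wno-error` also looks wrong as rendered: `-isystem` takes a directory argument, so it would consume `-Wno-error` as the path (unless the path was lost in rendering — worth confirming against the file). `after-package::` runs a bare `ct_bypass` from `PATH` whereas the root `shims` target uses an absolute path; exporting one `CT_BYPASS ?=` variable from the top-level Makefile and using `$(CT_BYPASS)` here would keep the two in step.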
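Review bot: The first line, `make -C RootHelperSample/launchdshim/cfprefsdshim`, is relative to the repository root, but the next two lines use `ent.plist` and `.theos/obj/debug/cfprefsdshim`, which are relative to the shim directory the script lives in, so the script cannot succeed from either working directory. I would start with `set -euo pipefail` and `cd "$(dirname "$0")"`, then run plain `make`, so a failed `ldid` does not let `ct_bypass` emit a signed-looking `cfprefsdshimsignedinjected` from an unsigned input. The `/Users/ibarahime/...` tool paths have the same portability problem as the SpringBoardShim script.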
@@ -0,0 +1,137 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#import +#include +#include +#include +#include +#import +#include +#include +#include +// from nathanlr - thanks nathan + +int (*orig_csops)(pid_t pid, unsigned int ops, void * useraddr, size_t usersize); +int (*orig_csops_audittoken)(pid_t pid, unsigned int ops, void * useraddr, size_t usersize, audit_token_t * token); +int csops_audittoken(pid_t pid, unsigned int ops, void * useraddr, size_t usersize, audit_token_t * token); +int csops(pid_t pid, unsigned int ops, void *useraddr, size_t usersize); +int ptrace(int, int, int, int); + +int hooked_csops(pid_t pid, unsigned int ops, void *useraddr, size_t usersize) { + int result = orig_csops(pid, ops, useraddr, usersize); + if (result != 0) return result; + if (ops == 0) { + *((uint32_t *)useraddr) |= 0x4000000; + } + return result; +} + +int hooked_csops_audittoken(pid_t pid, unsigned int ops, void * useraddr, size_t usersize, audit_token_t * token) { + int result = orig_csops_audittoken(pid, ops, useraddr, usersize, token); + if (result != 0) return result; + if (ops == 0) { + *((uint32_t *)useraddr) |= 0x4000000; + } + return result; +} + +BOOL preferencePlistNeedsRedirection(NSString *plistPath) +{ + if ([plistPath hasPrefix:@"/private/var/mobile/Containers"] || [plistPath hasPrefix:@"/var/db"] || [plistPath hasPrefix:jbroot(@"/")]) return NO; + + NSString *plistName = plistPath.lastPathComponent; + + if ([plistName hasPrefix:@"com.apple."] || [plistName hasPrefix:@"systemgroup.com.apple."] || [plistName hasPrefix:@"group.com.apple."]) return NO; + + NSArray *additionalSystemPlistNames = @[ + @".GlobalPreferences.plist", + @".GlobalPreferences_m.plist", + @"bluetoothaudiod.plist", + @"NetworkInterfaces.plist", + @"OSThermalStatus.plist", + @"preferences.plist", + @"osanalyticshelper.plist", + @"UserEventAgent.plist", + @"wifid.plist", + @"dprivacyd.plist", + @"silhouette.plist", + @"nfcd.plist", 
+ @"kNPProgressTrackerDomain.plist", + @"siriknowledged.plist", + @"UITextInputContextIdentifiers.plist", + @"mobile_storage_proxy.plist", + @"splashboardd.plist", + @"mobile_installation_proxy.plist", + @"languageassetd.plist", + @"ptpcamerad.plist", + @"com.google.gmp.measurement.monitor.plist", + @"com.google.gmp.measurement.plist", + @"APMExperimentSuiteName.plist", + @"APMAnalyticsSuiteName.plist", + @"com.tigisoftware.Filza.plist", + @"com.serena.Antoine.plist", + @"org.coolstar.SileoStore.plist", + ]; + + return ![additionalSystemPlistNames containsObject:plistName]; +} + +bool (*orig_CFPrefsGetPathForTriplet)(CFStringRef, CFStringRef, bool, CFStringRef, char*); +bool new_CFPrefsGetPathForTriplet(CFStringRef bundleIdentifier, CFStringRef user, bool byHost, CFStringRef path, char *buffer) { + bool orig = orig_CFPrefsGetPathForTriplet(bundleIdentifier, user, byHost, path, buffer); + if(orig && buffer && !access(jbroot("/"), F_OK)) + { + NSString* origPath = [NSString stringWithUTF8String:(char*)buffer]; + BOOL needsRedirection = preferencePlistNeedsRedirection(origPath); + if (needsRedirection) { + //NSLog(@"Plist redirected to /var/jb: %@", origPath); + strcpy((char*)buffer, jbroot("/")); + strcat((char*)buffer, origPath.UTF8String); + } + } + + return orig; +} + +int (*__CFXPreferencesDaemon_main)(int argc, char *argv[], char *envp[], char* apple[]); + +int main(int argc, char *argv[], char *envp[], char* apple[]) { + @autoreleasepool { + if (argc > 1 && strcmp(argv[1], "--jit") == 0) { + ptrace(0, 0, 0, 0); + exit(0); + } else { + pid_t pid; + char *modified_argv[] = {argv[0], "--jit", NULL }; + int ret = posix_spawnp(&pid, argv[0], NULL, NULL, modified_argv, envp); + if (ret == 0) { + waitpid(pid, NULL, WUNTRACED); + ptrace(11, pid, 0, 0); + kill(pid, SIGTERM); + wait(NULL); + } + } + + MSImageRef coreFoundationImage = MSGetImageByName("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation"); + void* CFPrefsGetPathForTriplet_ptr = 
MSFindSymbol(coreFoundationImage, "__CFPrefsGetPathForTriplet"); + + const struct LHFunctionHook hooks[] = { + {(void *)csops, (void *)hooked_csops, (void *)&orig_csops, 0}, + {(void *)csops_audittoken, (void *)hooked_csops_audittoken, (void *)&orig_csops_audittoken, 0}, + {CFPrefsGetPathForTriplet_ptr, (void *)new_CFPrefsGetPathForTriplet, (void *)&orig_CFPrefsGetPathForTriplet, 0}, + }; + + LHHookFunctions(hooks, 3); + void *handle = dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_GLOBAL); + __CFXPreferencesDaemon_main = dlsym(handle, "__CFXPreferencesDaemon_main"); + return __CFXPreferencesDaemon_main(argc, argv, envp, apple); + } +} diff --git a/RootHelperSample/launchdshim/cfprefsdshim/cfprefsdshimsignedinjected b/RootHelperSample/launchdshim/cfprefsdshim/cfprefsdshimsignedinjected new file mode 100755 index 00000000..3498516d Binary files /dev/null and b/RootHelperSample/launchdshim/cfprefsdshim/cfprefsdshimsignedinjected differ diff --git a/RootHelperSample/launchdshim/cfprefsdshim/ent.plist b/RootHelperSample/launchdshim/cfprefsdshim/ent.plist new file mode 100644 index 00000000..d7979979 --- /dev/null +++ b/RootHelperSample/launchdshim/cfprefsdshim/ent.plist @@ -0,0 +1,32 @@ + + + + + com.apple.private.security.no-container + + com.apple.private.security.storage.AppDataContainers + + get-task-allow + + com.apple.private.MobileContainerManager.otherIdLookup + + com.apple.private.security.storage.CoreRoutine + + com.apple.private.security.storage.preferences + + com.apple.private.trust-ubiquity-kvstore-identifier + + com.apple.private.vfs.allow-low-space-writes + + com.apple.private.xpc.launchd.ios-system-session + + com.apple.security.enterprise-volume-access + + com.apple.security.system-groups + + systemgroup.com.apple.cfpreferences.managed + + platform-application + + + diff --git a/RootHelperSample/launchdshim/generalhook/Makefile b/RootHelperSample/launchdshim/generalhook/Makefile index e0902802..7ef04ded 100644 
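Review bot: `new_CFPrefsGetPathForTriplet` rewrites the caller's `buffer` with `strcpy(buffer, jbroot("/"))` followed by `strcat(buffer, origPath.UTF8String)`, i.e. it prepends the jbroot path to a path the caller already sized, with no bound check; if the caller's buffer is a fixed array, a preference path near its limit overflows it inside cfprefsd, which this commit grants `platform-application` and `com.apple.private.security.no-container`. The buffer's size is not visible here, so I would build the redirected path in a local array and only copy it back when it fits, leaving the original path untouched otherwise. Also `MSFindSymbol` returns NULL when the CoreFoundation symbol is not found, and that NULL is handed to `LHHookFunctions` unchecked; `hooked_csops` likewise writes `*(uint32_t *)useraddr` without checking `usersize >= sizeof(uint32_t)`. `main` at the bottom of the hunk neither checks `dlsym` nor the result of `posix_spawnp` beyond `ret == 0`.
```objc
// … unchanged: orig call, access() check, needsRedirection …
if (needsRedirection) {
    char redirected[PATH_MAX];
    int n = snprintf(redirected, sizeof redirected, "%s%s", jbroot("/"), origPath.UTF8String);
    // The caller's buffer size is not visible from here; PATH_MAX is assumed — confirm against the CF caller.
    if (n > 0 && (size_t)n < sizeof redirected) {
        memcpy(buffer, redirected, (size_t)n + 1);
    }
}
```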
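Review bot: `get-task-allow` is granted alongside `platform-application`, `com.apple.private.security.no-container` and the `com.apple.private.security.storage.*` entitlements, which means any process that can obtain cfprefsd's task port can attach to and inject into a platform daemon holding those storage rights. From `cfprefsdshim.m` the entitlement appears to be needed only for the `--jit` self-`ptrace` step at startup; if that is the only reason, say so in a `<!-- -->` comment next to the key, and diff this list against the stock cfprefsd's entitlements so nothing beyond what the shim needs is added. The rendered plist here seems to have lost its `<key>`/`<true/>` markup, so only the names, not the values, could be reviewed.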
--- a/RootHelperSample/launchdshim/generalhook/Makefile +++ b/RootHelperSample/launchdshim/generalhook/Makefile @@ -8,7 +8,7 @@ LIBRARY_NAME = generalhook generalhook_FILES = $(wildcard *.m) $(wildcard *.c) $(wildcard verbose/*.m) generalhook_CFLAGS = -fobjc-arc -isystem "../../../usprebooter/Private Headers I stole from the macOS SDK" -Wno-error generalhook_CODESIGN_FLAGS = -S../launchdentitlements.plist -launchdhook_LDFLAGS = -L./ -lbsm -L/Users/nathan/theos/vendor/lib/ -lhooker -I/Users/nathan/theos/vendor/include -dynamiclib +generalhook_LDFLAGS = -L./ -lbsm -L/Users/ibarahime/theos/vendor/lib/ -lhooker -I/Users/ibarahime/theos/vendor/include -dynamiclib #launchdhook_EXTRA_FRAMEWORKS += IOMobileFramebuffer IOSurface after-package:: echo "[*] Signing launchd hook" diff --git a/RootHelperSample/launchdshim/generalhook/main.m b/RootHelperSample/launchdshim/generalhook/main.m index 0ea68b3a..20ec07e5 100644 --- a/RootHelperSample/launchdshim/generalhook/main.m +++ b/RootHelperSample/launchdshim/generalhook/main.m @@ -4,7 +4,7 @@ #include #include #include -#include "fishhook.h" +//#include "fishhook.h" #include #include #include @@ -107,7 +107,6 @@ int hooked_csops_audittoken(pid_t pid, unsigned int ops, void * useraddr, size_t int csops(pid_t pid, unsigned int ops, void *useraddr, size_t usersize); __attribute__((constructor)) static void init(int argc, char **argv, char *envp[]) { -// NSLog(@"generalhook - mediaremoteui"); @autoreleasepool { if (argc > 1 && strcmp(argv[1], "--jit") == 0) { // NSLog(@"generalhook - jitting"); 
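Review bot: `generalhook_LDFLAGS` still hard-codes `/Users/ibarahime/theos/vendor/lib/` and `/Users/ibarahime/theos/vendor/include` — the commit only swaps one user's home directory for another — although the sibling Makefiles already locate the toolchain through `$(THEOS)`. Use `-L$(THEOS)/vendor/lib -lhooker` here and move `-I$(THEOS)/vendor/include` into `generalhook_CFLAGS`, where an include path actually takes effect. The rename from `launchdhook_LDFLAGS` to `generalhook_LDFLAGS` is presumably the real functional change (Theos keys per-target flags on `LIBRARY_NAME`, so the old name would not have applied), and deserves a line in the commit message.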
@@ -137,44 +136,7 @@ int hooked_csops_audittoken(pid_t pid, unsigned int ops, void * useraddr, size_t
 };
 LHHookFunctions(hooks, 2);
 unsetenv("DYLD_INSERT_LIBRARIES");
-
-// if (strcmp(argv[0], jbroot(@"/Applications/MediaRemoteUI.app/MediaRemoteUI").UTF8String) == 0) {
-// NSString *bundlePath = @"/Applications/MediaRemoteUI.app/";
-// NSBundle *appBundle = [[NSBundle alloc] initWithPath:bundlePath];
-// Class bundleClass = objc_getClass("NSBundle");
-// overwriteMainNSBundle(appBundle);
-// overwriteMainCFBundle();
-// NSMutableArray *objcArgv = NSProcessInfo.processInfo.arguments.mutableCopy;
-// objcArgv[0] = appBundle.executablePath;
-// [NSProcessInfo.processInfo performSelector:@selector(setArguments:) withObject:objcArgv];
-// NSProcessInfo.processInfo.processName = appBundle.infoDictionary[@"CFBundleExecutable"];
-// *_CFGetProgname() = NSProcessInfo.processInfo.processName.UTF8String;
-// }
 NSLog(@"generalhook - loading tweaks for pid %d", getpid());
-// NSString *tweakFolderPath = jbroot(@"/Library/MobileSubstrate/DynamicLibraries");
-// NSFileManager *fileManager = [NSFileManager defaultManager];
-// NSArray *tweakFolderContents = [fileManager contentsOfDirectoryAtPath:tweakFolderPath error:nil];
-// for (NSString *tweak in tweakFolderContents) {
-// if ([tweak hasSuffix:@".dylib"]) {
-// NSString *tweakPath = [tweakFolderPath stringByAppendingPathComponent:tweak];
-// NSString *plistPath = [tweakPath stringByReplacingOccurrencesOfString:@".dylib" withString:@".plist"];
-// if ([fileManager fileExistsAtPath:plistPath]) {
-// NSString *plistContents = [NSString stringWithContentsOfFile:plistPath encoding:NSUTF8StringEncoding error:nil];
-// if ([plistContents containsString:@"com.apple.MediaRemoteUI"]) {
-// NSLog(@"[mineek's supporttweak] loading tweak: %@", tweakPath);
-// dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
-// void *handle = dlopen([tweakPath UTF8String], RTLD_NOW);
-// if (handle) {
-// NSLog(@"[mineek's 
supporttweak] loaded tweak"); -// } else { -// NSLog(@"[mineek's supporttweak] failed to load tweak"); -// } -// }); -// } -// } -// } -// } - if(access(jbroot("/var/mobile/.tweakenabled"), F_OK)==0) { const char* tweakloader = jbroot("/usr/lib/TweakLoader.dylib"); //currenly ellekit/oldabi uses JBROOT diff --git a/RootHelperSample/launchdshim/launchdhook/main.m b/RootHelperSample/launchdshim/launchdhook/main.m index a5403cec..0f1d58eb 100644 --- a/RootHelperSample/launchdshim/launchdhook/main.m +++ b/RootHelperSample/launchdshim/launchdhook/main.m @@ -97,6 +97,9 @@ int hooked_posix_spawnp(pid_t *restrict pid, const char *restrict path, const po const char *coolerSpringboard = jbroot("/System/Library/CoreServices/SpringBoard.app/SpringBoard"); const char *mruiPath = "/Applications/MediaRemoteUI.app/MediaRemoteUI"; const char *coolerMrui = jbroot("/Applications/MediaRemoteUI.app/MediaRemoteUI"); + const char *cfprefsdPath = "/usr/sbin/cfprefsd"; + const char *coolerCfPrefsd = jbroot("/usr/sbin/cfprefsd"); + if (!strncmp(path, springboardPath, strlen(springboardPath))) { // FILE *file = fopen("/var/mobile/launchd.log", "a"); // char output[512]; 
@@ -108,16 +111,27 @@ int hooked_posix_spawnp(pid_t *restrict pid, const char *restrict path, const po posix_spawnattr_set_launch_type_np((posix_spawnattr_t *)attrp, 0); return posix_spawnp(pid, path, file_actions, (posix_spawnattr_t *)attrp, argv, envp); } else if (!strncmp(path, mruiPath, strlen(mruiPath))) { -// FILE *file = fopen("/var/mobile/launchd.log", "a"); -// char output[512]; -// sprintf(output, "[launchd] changing path %s to %s\n", path, coolerMrui); -// fputs(output, file); + // FILE *file = fopen("/var/mobile/launchd.log", "a"); + // char output[512]; + // sprintf(output, "[launchd] changing path %s to %s\n", path, coolerMrui); + // fputs(output, file); path = coolerMrui; -// fclose(file); + // fclose(file); argv[0] = (char *)path; posix_spawnattr_set_launch_type_np((posix_spawnattr_t *)attrp, 0); return posix_spawnp(pid, path, file_actions, (posix_spawnattr_t *)attrp, argv, envp); } +// } else if (!strncmp(path, cfprefsdPath, strlen(mruiPath)f)) { +// // FILE *file = fopen("/var/mobile/launchd.log", "a"); +// // char output[512]; +// // sprintf(output, "[launchd] changing path %s to %s\n", path, coolerMrui); +// // fputs(output, file); +// path = coolerCfPrefsd; +// // fclose(file); +// argv[0] = (char *)path; +// posix_spawnattr_set_launch_type_np((posix_spawnattr_t *)attrp, 0); +// return posix_spawnp(pid, path, file_actions, (posix_spawnattr_t *)attrp, argv, envp); +// } return orig_posix_spawnp(pid, path, file_actions, (posix_spawnattr_t *)attrp, argv, envp); } diff --git a/RootHelperSample/main.m b/RootHelperSample/main.m index d0329d78..21b71122 100644 --- a/RootHelperSample/main.m +++ b/RootHelperSample/main.m 
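Review bot: The commented-out cfprefsd branch carries two defects that will surface the moment it is uncommented: `strlen(mruiPath)f` does not compile, and the length is taken from `mruiPath` rather than `cfprefsdPath`, so the prefix compare would be against the wrong string. Commented-out code with known bugs is worse than none; either delete the block or keep only a corrected condition, `} else if (!strncmp(path, cfprefsdPath, strlen(cfprefsdPath))) {`, behind an explicit `#if 0` with a TODO saying why it is off. Separately, the `strncmp(path, X, strlen(X))` pattern used by every branch here is a prefix match rather than an equality check, so any path that merely begins with one of these prefixes is redirected too; `strcmp` would be the precise test. The re-indentation of the MRUI comment lines is whitespace only.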
@@ -295,13 +295,19 @@ void installClone(NSString *path) { } // [[NSFileManager defaultManager] createDirectoryAtPath: jbroot([path stringByDeletingLastPathComponent]) withIntermediateDirectories:YES attributes:nil error:nil]; [[NSFileManager defaultManager] copyItemAtPath:[path stringByDeletingLastPathComponent] toPath:jbroot([path stringByDeletingLastPathComponent]) error:nil]; + // strip arm64e replaceByte(jbroot(path), 8, "\x00\x00\x00\x00"); NSLog(@"insert dylib ret %d", patch_app_exe([jbroot(path) UTF8String])); // sign mrui NSLog(@"Signing %@", path); - NSString* generalhookents = [usprebooterappPath() stringByAppendingPathComponent:@"generalhookents.plist"]; - signAdhoc(jbroot(path), generalhookents); // source file, NSDictionary with entitlements + NSString* ents = [usprebooterappPath() stringByAppendingPathComponent:@"launchdentitlements.plist"]; + if ([path isEqual:@"/Applications/MediaRemoteUI.app/MediaRemoteUI"]) { + ents = [usprebooterappPath() stringByAppendingPathComponent:@"MRUIents.plist"]; + } else { + NSLog(@"Note: no dedicated ents file for this, shit will likely break"); + } + signAdhoc(jbroot(path), ents); // source file, NSDictionary with entitlements NSString *fastPathSignPath = [usprebooterappPath() stringByAppendingPathComponent:@"fastPathSign"]; NSString *stdOut; 
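Review bot: The `else` branch logs that no dedicated entitlements file exists but still falls through to `signAdhoc(jbroot(path), ents)` with `launchdentitlements.plist`, so any path other than MediaRemoteUI is signed with launchd's entitlement set by default. Falling back to the most privileged profile is the wrong direction; the safer default is to stop, e.g. `NSLog(@"installClone: no entitlements file for %@, refusing to sign", path); return;`, and add an explicit mapping when a new clone target is introduced. The hardcoded `isEqual:@"/Applications/MediaRemoteUI.app/MediaRemoteUI"` also duplicates the literal passed by the caller; a small path-to-plist table would keep both in one place. installClone starts before this hunk.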
@@ -324,10 +330,21 @@ void installSpringBoard(void) { // 6. replace the regular SpringBoard in your jbroot/System/Library/CoreServices/SpringBoard.app/SpringBoard with springboardshimsignedinjected [[NSFileManager defaultManager] removeItemAtPath:jbroot(@"/System/Library/CoreServices/SpringBoard.app/SpringBoard") error:nil]; [[NSFileManager defaultManager] copyItemAtPath:[usprebooterappPath() stringByAppendingPathComponent:@"springboardshimsignedinjected"] toPath:jbroot(@"/System/Library/CoreServices/SpringBoard.app/SpringBoard") error:nil]; - +// insert_dylib_main("@loader_path/.jbroot/usr/lib/libhooker.dylib", [jbroot(@"/System/Library/CoreServices/SpringBoard.app/SpringBoard") UTF8String]); + // 7. place springboardhooksigned.dylib as jbroot/SpringBoard.app/springboardhook.dylib - [[NSFileManager defaultManager] removeItemAtPath:jbroot(@"/System/Library/CoreServices/SpringBoard.app/springboardhook.dylib") error:nil]; - [[NSFileManager defaultManager] copyItemAtPath:[usprebooterappPath() stringByAppendingPathComponent:@"springboardhooksigned.dylib"] toPath:[jbroot(@"/System/Library/CoreServices/SpringBoard.app") stringByAppendingPathComponent:@"springboardhook.dylib"] error:nil]; +// [[NSFileManager defaultManager] removeItemAtPath:jbroot(@"/System/Library/CoreServices/SpringBoard.app/springboardhook.dylib") error:nil]; +// [[NSFileManager defaultManager] copyItemAtPath:[usprebooterappPath() stringByAppendingPathComponent:@"springboardhooksigned.dylib"] toPath:[jbroot(@"/System/Library/CoreServices/SpringBoard.app") stringByAppendingPathComponent:@"springboardhook.dylib"] error:nil]; + // 8. 
create a symlink to jbroot named .jbroot
+ [[NSFileManager defaultManager] createSymbolicLinkAtPath:jbroot(@"/System/Library/CoreServices/SpringBoard.app/.jbroot") withDestinationPath:jbroot(@"/") error:nil];
+}
+
+void install_cfprefsd(void) {
+ [[NSFileManager defaultManager] createDirectoryAtPath: jbroot(@"/usr/sbin/") withIntermediateDirectories:YES attributes:nil error:nil];
+
+ [[NSFileManager defaultManager] removeItemAtPath:jbroot(@"/usr/sbin/cfprefsd") error:nil];
+ [[NSFileManager defaultManager] copyItemAtPath:[usprebooterappPath() stringByAppendingPathComponent:@"cfprefsdshimsignedinjected"] toPath:jbroot(@"/usr/sbin/cfprefsd") error:nil];
+ // 8. create a symlink to jbroot named .jbroot
 [[NSFileManager defaultManager] createSymbolicLinkAtPath:jbroot(@"/System/Library/CoreServices/SpringBoard.app/.jbroot") withDestinationPath:jbroot(@"/") error:nil];
 }
@@ -349,6 +366,7 @@ int main(int argc, char *argv[], char *envp[]) {
 installSpringBoard();
 // installMRUI();
 installClone(@"/Applications/MediaRemoteUI.app/MediaRemoteUI");
+ install_cfprefsd();
 // installClone(@"/Applications/MediaRemoteUI.app/MediaRemoteUI");
 // 9. add the cool bootlogo!
 // [[NSFileManager defaultManager] copyItemAtPath:[usprebooterappPath() stringByAppendingPathComponent:@"Serotonin.jp2"] toPath:@"/var/mobile/Serotonin.jp2" error:nil];
diff --git a/Serotonin.xcodeproj/project.pbxproj b/Serotonin.xcodeproj/project.pbxproj
index 60219929..b3ab7ee9 100644
--- a/Serotonin.xcodeproj/project.pbxproj
+++ b/Serotonin.xcodeproj/project.pbxproj
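Review bot: `install_cfprefsd` ends by recreating the `SpringBoard.app/.jbroot` symlink under a `// 8.` comment carried over from installSpringBoard; that step is unrelated to cfprefsd and now runs a second time, where `createSymbolicLinkAtPath:` will presumably fail on the existing link and `error:nil` hides it, so the last two lines of install_cfprefsd should go. The `copyItemAtPath:` that installs `cfprefsdshimsignedinjected` as `/usr/sbin/cfprefsd` also uses `error:nil`; after the preceding `removeItemAtPath:`, a missing or unreadable resource leaves the jbroot with no cfprefsd at all and no log line, so at minimum capture the `NSError` and log it. That resource is a prebuilt binary added in this same change (`Binary files /dev/null and ... differ`, both at the repository root and under cfprefsdshim/), so reviewers cannot rebuild it from the sources in the diff; a from-source build step or a recorded digest of the expected artifact would make the installed daemon verifiable.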
@@ -16,6 +16,8 @@ 9756F4902B505F1900172EF9 /* cs_blobs.m in Sources */ = {isa = PBXBuildFile; fileRef = 9756F48F2B505F1900172EF9 /* cs_blobs.m */; }; C805CA452B1719C1005157BA /* util.m in Sources */ = {isa = PBXBuildFile; fileRef = C805CA442B1719C1005157BA /* util.m */; }; C81122DF2B16C9CC00AD077B /* troller.m in Sources */ = {isa = PBXBuildFile; fileRef = C81122DE2B16C9CC00AD077B /* troller.m */; }; + C81131092C45B03900BD1C37 /* MRUIents.plist in Resources */ = {isa = PBXBuildFile; fileRef = C81131082C45B02B00BD1C37 /* MRUIents.plist */; }; + C81131112C46799000BD1C37 /* cfprefsdshimsignedinjected in Resources */ = {isa = PBXBuildFile; fileRef = C81131102C46798F00BD1C37 /* cfprefsdshimsignedinjected */; }; C82599F02B4C4C07002D0DDA /* Serotonin.jp2 in Resources */ = {isa = PBXBuildFile; fileRef = C82599EF2B4C4C07002D0DDA /* Serotonin.jp2 */; }; C82AFEF42B175AB80070EA49 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = C82AFEF32B175AB80070EA49 /* Assets.xcassets */; }; C82AFF3F2B179A8C0070EA49 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = C82AFF3D2B179A880070EA49 /* IOKit.framework */; }; 
@@ -23,9 +25,6 @@ C83594CF2B18F70700346F80 /* overwriter.m in Sources */ = {isa = PBXBuildFile; fileRef = C83594CE2B18F70700346F80 /* overwriter.m */; }; C84002E92B4A55A300C73950 /* springboardshimsignedinjected in Resources */ = {isa = PBXBuildFile; fileRef = C84002E82B4A55A300C73950 /* springboardshimsignedinjected */; }; C84002ED2B4A64E200C73950 /* launchdentitlements.plist in Resources */ = {isa = PBXBuildFile; fileRef = C84002EC2B4A64E200C73950 /* launchdentitlements.plist */; }; - C870DFE32C444F0A003A17A5 /* generalhookents.plist in Resources */ = {isa = PBXBuildFile; fileRef = C870DFE22C444F0A003A17A5 /* generalhookents.plist */; }; - C8B1D3A72B5A620500C5562B /* swift-markdown.md in Resources */ = {isa = PBXBuildFile; fileRef = C8B1D3992B5A620500C5562B /* swift-markdown.md */; }; - C8B1D3A82B5A620500C5562B /* Markdownosaur.md in Resources */ = {isa = PBXBuildFile; fileRef = C8B1D39A2B5A620500C5562B /* Markdownosaur.md */; }; C8B1D3A92B5A620500C5562B /* MD.swift in Sources */ = {isa = PBXBuildFile; fileRef = C8B1D39B2B5A620500C5562B /* MD.swift */; }; C8B1D3AA2B5A620500C5562B /* LicensesViewController.swift in Sources */ = {isa = PBXBuildFile; fileRef = C8B1D39C2B5A620500C5562B /* LicensesViewController.swift */; }; C8B1D3AB2B5A620500C5562B /* ChangelogViewController.swift in Sources */ = {isa = PBXBuildFile; fileRef = C8B1D39D2B5A620500C5562B /* ChangelogViewController.swift */; }; 
@@ -45,8 +44,6 @@ C8BFCCAE2B3FFE570008D8FD /* proc.c in Sources */ = {isa = PBXBuildFile; fileRef = C8BFCC8A2B3FFE560008D8FD /* proc.c */; }; D6F9CF3F2B4B2F7D00274803 /* ct_bypass in Resources */ = {isa = PBXBuildFile; fileRef = D6F9CF3E2B4B2F7D00274803 /* ct_bypass */; }; D6F9CF412B4B306400274803 /* fastPathSign in Resources */ = {isa = PBXBuildFile; fileRef = D6F9CF402B4B306400274803 /* fastPathSign */; }; - D6F9CF4A2B4C50BF00274803 /* (null) in Resources */ = {isa = PBXBuildFile; }; - D6F9CF4B2B4C50C200274803 /* (null) in Resources */ = {isa = PBXBuildFile; }; /* End PBXBuildFile section */ /* Begin PBXFileReference section */ @@ -70,6 +67,8 @@ C81122CF2B15EA8600AD077B /* usprebooter-Bridging-Header.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "usprebooter-Bridging-Header.h"; sourceTree = ""; }; C81122DD2B16C9CB00AD077B /* troller.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = troller.h; sourceTree = ""; }; C81122DE2B16C9CC00AD077B /* troller.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = troller.m; sourceTree = ""; }; + C81131082C45B02B00BD1C37 /* MRUIents.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = MRUIents.plist; sourceTree = ""; }; + C81131102C46798F00BD1C37 /* cfprefsdshimsignedinjected */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; name = cfprefsdshimsignedinjected; path = RootHelperSample/launchdshim/cfprefsdshim/cfprefsdshimsignedinjected; sourceTree = ""; }; C82599EF2B4C4C07002D0DDA /* Serotonin.jp2 */ = {isa = PBXFileReference; lastKnownFileType = file; path = Serotonin.jp2; sourceTree = ""; }; C82AFEF32B175AB80070EA49 /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = ""; }; C82AFF0D2B1762CE0070EA49 /* fakeroot */ = {isa = PBXFileReference; lastKnownFileType = text; path = fakeroot; sourceTree = ""; }; 
@@ -113,7 +112,6 @@ C84002E52B4A547B00C73950 /* insert_dylib.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = insert_dylib.h; sourceTree = ""; }; C84002E82B4A55A300C73950 /* springboardshimsignedinjected */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = springboardshimsignedinjected; path = RootHelperSample/launchdshim/SpringBoardShim/springboardshimsignedinjected; sourceTree = SOURCE_ROOT; }; C84002EC2B4A64E200C73950 /* launchdentitlements.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist; name = launchdentitlements.plist; path = RootHelperSample/launchdshim/launchdentitlements.plist; sourceTree = SOURCE_ROOT; }; - C870DFE22C444F0A003A17A5 /* generalhookents.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; name = generalhookents.plist; path = RootHelperSample/launchdshim/generalhookents.plist; sourceTree = SOURCE_ROOT; }; C8B1D3992B5A620500C5562B /* swift-markdown.md */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = net.daringfireball.markdown; path = "swift-markdown.md"; sourceTree = ""; }; C8B1D39A2B5A620500C5562B /* Markdownosaur.md */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = net.daringfireball.markdown; path = Markdownosaur.md; sourceTree = ""; }; C8B1D39B2B5A620500C5562B /* MD.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = MD.swift; sourceTree = ""; }; @@ -198,6 +196,7 @@ C81122912B15E7BB00AD077B = { isa = PBXGroup; children = ( + C81131102C46798F00BD1C37 /* cfprefsdshimsignedinjected */, D6F9CF402B4B306400274803 /* fastPathSign */, D6F9CF3E2B4B2F7D00274803 /* ct_bypass */, C82AFF0A2B1762CE0070EA49 /* RootHelperSample */, 
@@ -227,7 +226,7 @@ C82AFF422B17AA6C0070EA49 /* ldid */, C8BFCC772B3FFE560008D8FD /* fun */, C81122AB2B15E7BD00AD077B /* Info.plist */, - C870DFE22C444F0A003A17A5 /* generalhookents.plist */, + C81131082C45B02B00BD1C37 /* MRUIents.plist */, C84002EC2B4A64E200C73950 /* launchdentitlements.plist */, C8BFCC902B3FFE560008D8FD /* libkfd */, C8BFCCA32B3FFE570008D8FD /* libkfd.h */, @@ -584,17 +583,14 @@ buildActionMask = 2147483647; files = ( D6F9CF412B4B306400274803 /* fastPathSign in Resources */, - C8B1D3A82B5A620500C5562B /* Markdownosaur.md in Resources */, C82599F02B4C4C07002D0DDA /* Serotonin.jp2 in Resources */, + C81131092C45B03900BD1C37 /* MRUIents.plist in Resources */, D6F9CF3F2B4B2F7D00274803 /* ct_bypass in Resources */, - D6F9CF4A2B4C50BF00274803 /* (null) in Resources */, C82AFEF42B175AB80070EA49 /* Assets.xcassets in Resources */, C84002E92B4A55A300C73950 /* springboardshimsignedinjected in Resources */, C84002ED2B4A64E200C73950 /* launchdentitlements.plist in Resources */, - C870DFE32C444F0A003A17A5 /* generalhookents.plist in Resources */, C82AFF432B17AA6D0070EA49 /* ldid in Resources */, - D6F9CF4B2B4C50C200274803 /* (null) in Resources */, - C8B1D3A72B5A620500C5562B /* swift-markdown.md in Resources */, + C81131112C46799000BD1C37 /* cfprefsdshimsignedinjected in Resources */, ); runOnlyForDeploymentPostprocessing = 0; }; diff --git a/Serotonin.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved b/Serotonin.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved new file mode 100644 index 00000000..8c3f80f1 --- /dev/null +++ b/Serotonin.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved 
@@ -0,0 +1,24 @@ +{ + "originHash" : "b809819531d430dc5b7a0fb1fb5538d0321c5d541eed52a9990f37c38dd0f98a", + "pins" : [ + { + "identity" : "swift-cmark", + "kind" : "remoteSourceControl", + "location" : "https://github.com/apple/swift-cmark.git", + "state" : { + "revision" : "3bc2f3e25df0cecc5dc269f7ccae65d0f386f06a", + "version" : "0.4.0" + } + }, + { + "identity" : "swift-markdown", + "kind" : "remoteSourceControl", + "location" : "https://github.com/apple/swift-markdown", + "state" : { + "revision" : "4aae40bf6fff5286e0e1672329d17824ce16e081", + "version" : "0.4.0" + } + } + ], + "version" : 3 +} diff --git a/Serotonin.xcodeproj/xcuserdata/ibarahime.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist b/Serotonin.xcodeproj/xcuserdata/ibarahime.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist index 3492577f..ae4613bd 100644 --- a/Serotonin.xcodeproj/xcuserdata/ibarahime.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist +++ b/Serotonin.xcodeproj/xcuserdata/ibarahime.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist @@ -3,4 +3,22 @@ uuid = "EE2F7160-E349-4585-A3DC-F389A8D8ECBF" type = "1" version = "2.0"> + + + + + + diff --git a/cfprefsdshimsignedinjected b/cfprefsdshimsignedinjected new file mode 100755 index 00000000..3498516d Binary files /dev/null and b/cfprefsdshimsignedinjected differ diff --git a/RootHelperSample/launchdshim/generalhookents.plist b/usprebooter/MRUIents.plist similarity index 91% rename from RootHelperSample/launchdshim/generalhookents.plist rename to usprebooter/MRUIents.plist index 4cecec87..80fc9f9a 100644 --- a/RootHelperSample/launchdshim/generalhookents.plist +++ b/usprebooter/MRUIents.plist 
@@ -4,6 +4,22 @@ application-identifier com.apple.MediaRemoteUI + platform-application + + get-task-allow + + task_for_pid-allow + + com.apple.security.iokit-user-client-class + + IOSurfaceRootUserClient + AGXDeviceUserClient + AGXSharedUserClient + AGXCommandQueue + AGXDevice + IOSurfaceAcceleratorClient + AppleJPEGDriverUserClient + com.apple.PairingManager.Read com.apple.PairingManager.RemovePeer @@ -56,8 +72,10 @@ com.apple.private.coreservices.canmaplsdatabase - com.apple.private.security.container-required - + com.apple.private.security.no-sandbox + + com.apple.private.security.storage.AppDataContainers + com.apple.private.sessionkit.custom-platter-target com.apple.private.sessionkit.permitMultipleProcessInputs @@ -70,14 +88,9 @@ com.apple.runningboard.launchprocess - com.apple.security.exception.files.absolute-path.read-only - - /private/var/containers/Bundle/ - /Applications/ - com.apple.security.exception.mach-lookup.global-name - com.apple.coremedia.endpointpicker.xpc + com.apple.coremedia.endpointpicker.xpc com.apple.coremedia.routediscoverer.xpc com.apple.coremedia.routingcontext.xpc com.apple.coremedia.endpointremotecontrolsession.xpc @@ -108,7 +121,6 @@ com.apple.facetime.bag com.apple.da com.apple.mediaremoteui - com.apple.Sharing com.apple.springboard-ui.client 
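Review bot: `com.apple.private.security.no-sandbox` is added in the `@@ -56,8 +72,10 @@` hunk and added again in the `@@ -124,54 +136,14 @@` hunk, and `com.apple.security.exception.mach-lookup.global-name` is already present as context in the `@@ -70,14 +88,9 @@` hunk yet is added a second time in `@@ -204,10 +176,57 @@`; duplicate keys in a plist dictionary are parser-dependent (commonly last-wins, some tools reject the file), so each key should appear exactly once with the intended merged value. The rendering dropped the value elements, so the booleans and arrays cannot be checked from this page. Running `plutil -lint` on the regenerated file and a quick sort/uniq over the key names before committing would catch both the malformed-file case and the duplicates.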
@@ -124,54 +136,14 @@ com.apple.springboard.stark.activateBackgroundProvider - com.apple.apfs.get-dev-by-role - - com.apple.private.amfi.can-allow-non-platform + com.apple.private.security.no-sandbox com.apple.private.domain-extension - com.apple.private.iokit.system-nvram-allow - - com.apple.private.kernel.system-override - - com.apple.private.persona-mgmt - - com.apple.private.pmap.load-trust-cache - - cryptex1.boot.os - cryptex1.boot.app - cryptex1.safari-downlevel - - com.apple.private.record_system_event - - com.apple.private.roots-installed-read-write - - com.apple.private.security.disk-device-access - + com.apple.private.security.container-required + com.apple.private.security.no-container - com.apple.private.security.no-sandbox - - com.apple.private.security.storage.driverkitd - - com.apple.private.security.storage.launchd - - com.apple.private.security.system-mount-authority - - com.apple.private.set-atm-diagnostic-flag - - com.apple.private.set-launch-type.internal - - com.apple.private.spawn-panic-crash-behavior - - com.apple.private.spawn-subsystem-root - - com.apple.private.vfs.allow-low-space-writes - - com.apple.private.vfs.graftdmg - - com.apple.private.vfs.pivot-root - com.apple.private.xpc.domain-extension com.apple.private.xpc.domain-extension.proxy 
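Review bot: `com.apple.private.security.container-required` and `com.apple.private.security.no-container` are added side by side in this hunk; they express opposite container policies for the process, and only the one the MediaRemoteUI clone actually needs should be granted. The same hunk removes `com.apple.private.amfi.can-allow-non-platform` here only to re-add it further down in `@@ -204,10 +176,57 @@`, which reads as a reorder rather than a change; a comment at the top of the file stating the intended grouping (app-level keys first, then the inherited ones) would make future diffs of this list reviewable.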
@@ -204,10 +176,57 @@ com.apple.private.xpc.persona-manager + com.apple.private.persona-mgmt + com.apple.private.xpc.service-attach com.apple.private.xpc.service-configure + com.apple.private.set-launch-type.internal + + com.apple.security.exception.mach-lookup.global-name + + com.apple.mmaintenanced + com.apple.memory-maintenance + + com.apple.apfs.get-dev-by-role + + com.apple.private.amfi.can-allow-non-platform + + com.apple.private.iokit.system-nvram-allow + + com.apple.private.kernel.system-override + + com.apple.private.pmap.load-trust-cache + + cryptex1.boot.os + cryptex1.boot.app + cryptex1.safari-downlevel + + com.apple.private.record_system_event + + com.apple.private.roots-installed-read-write + + com.apple.private.security.disk-device-access + + com.apple.private.security.storage.driverkitd + + com.apple.private.security.storage.launchd + + com.apple.private.security.system-mount-authority + + com.apple.private.set-atm-diagnostic-flag + + com.apple.private.spawn-panic-crash-behavior + + com.apple.private.spawn-subsystem-root + + com.apple.private.vfs.allow-low-space-writes + + com.apple.private.vfs.graftdmg + + com.apple.private.vfs.pivot-root + com.apple.rootless.restricted-block-devices com.apple.rootless.storage.early_boot_mount @@ -216,16 +235,5 @@ com.apple.security.network.server - get-task-allow - - platform-application - - task_for_pid-allow - - com.apple.private.MobileGestalt.AllowedProtectedKeys - - SysCfg - SysCfgDict - - + \ No newline at end of file
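Review bot: The `@@ -204,10 +176,57 @@` hunk keeps a block of launchd- and kernel-facing entitlements for the MediaRemoteUI clone (`com.apple.private.pmap.load-trust-cache`, `com.apple.private.kernel.system-override`, `com.apple.private.vfs.pivot-root`, `com.apple.private.spawn-subsystem-root`, plus `task_for_pid-allow` added in the first hunk), which is far more than a media UI process needs; since this file was renamed from the generalhook entitlements, I suspect the list was inherited rather than chosen, and least privilege would be to trim it to what MRUI demonstrably requires and put a one-line comment on each remaining non-obvious key. The final hunk `@@ -216,16 +235,5 @@` removes the trailing keys and ends with `\ No newline at end of file`; because the rendering stripped the tags, please confirm the closing dict and plist elements are still present so the file parses.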