fix: fix ptrace jit from roothide, left to fix sandbox2

SerotoninApp · Jul 20, 2024 · 5f24a2c · 5f24a2c
1 parent e8629ed
commit 5f24a2c
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 21 deletions.
diff --git a/RootHelperSample/launchdshim/launchdhook/Makefile b/RootHelperSample/launchdshim/launchdhook/Makefile
@@ -4,9 +4,9 @@ THEOS_PACKAGE_SCHEME = roothide
 include $(THEOS)/makefiles/common.mk
 
 LIBRARY_NAME = launchdhook
-
+FINALPACKAGE=1
 launchdhook_FILES = $(wildcard *.m) $(wildcard *.c) $(wildcard verbose/*.m) $(wildcard jbserver/*.c) $(wildcard jbserver/*.m) $(wildcard fun/*.m) $(wildcard fun/kpf/*.c) $(wildcard fun/kpf/*.m)
-launchdhook_CFLAGS = -fobjc-arc -isystem "../../../usprebooter/Private Headers I stole from the macOS SDK" -Wno-error
+launchdhook_CFLAGS = -fobjc-arc -isystem "../../../usprebooter/Private Headers I stole from the macOS SDK" -Wno-error -O3
 launchdhook_CODESIGN_FLAGS = -S../launchdentitlements.plist
 launchdhook_LDFLAGS = -F./Frameworks -L./ -lbsm -lhooker -framework IOKit
 launchdhook_EXTRA_FRAMEWORKS += IOMobileFramebuffer IOSurface

diff --git a/RootHelperSample/launchdshim/launchdhook/fun/krw.m b/RootHelperSample/launchdshim/launchdhook/fun/krw.m
@@ -96,8 +96,6 @@ uint64_t kUNSIGN_PTR(uint64_t pac_kaddr) {
     _offsets_init();
     // set gsystemInfo
     gSystemInfo.kernelConstant.slide = ((struct kfd *)_kfd)->perf.kernel_slide;
-    // gPrimitives.kreadbuf = kreadbuf;
-    // gPrimitives.kwritebuf = kwritebuf;
     return _kfd;
 }
 

diff --git a/RootHelperSample/launchdshim/launchdhook/main.m b/RootHelperSample/launchdshim/launchdhook/main.m
@@ -20,6 +20,9 @@
 
 #define PT_DETACH 11    /* stop tracing a process */
 #define PT_ATTACHEXC 14 /* attach to running process with signal exception */
+#define __probable(x)   __builtin_expect(!!(x), 1)
+#define __improbable(x) __builtin_expect(!!(x), 0)
+
 int ptrace(int request, pid_t pid, caddr_t addr, int data);
 
 #define INSTALLD_PATH       "/usr/libexec/installd"
@@ -36,6 +39,7 @@
 #define POSIX_SPAWNATTR_OFF_MEMLIMIT_INACTIVE 0x4C
 
 int posix_spawnattr_set_launch_type_np(posix_spawnattr_t *attr, uint8_t launch_type);
+int unsandbox2(const char* dir, const char* file);
 
 int (*orig_csops)(pid_t pid, unsigned int  ops, void * useraddr, size_t usersize);
 int (*orig_csops_audittoken)(pid_t pid, unsigned int  ops, void * useraddr, size_t usersize, audit_token_t * token);
@@ -139,15 +143,15 @@ int hooked_posix_spawn(pid_t *pid, const char *path, const posix_spawn_file_acti
     return orig_posix_spawn(pid, path, file_actions, attrp, argv, envp);
 }
 
-void log_path(char* path, char* jbroot_path) {
-    FILE *file = fopen("/var/mobile/launchd.log", "a");
-    char output[256];
-    sprintf(output, "[launchd] changing path %s to %s\n", path, jbroot_path);
-    fputs(output, file);
-    fclose(file);
-}
+// void log_path(char* path, char* jbroot_path) {
+//     FILE *file = fopen("/var/mobile/launchd.log", "a");
+//     char output[256];
+//     sprintf(output, "[launchd] changing path %s to %s\n", path, jbroot_path);
+//     fputs(output, file);
+//     fclose(file);
+// }
 char HOOK_DYLIB_PATH[PATH_MAX] = {0};
-bool shouldWeGamble = false;
+bool shouldWeGamble = true;
 int hooked_posix_spawnp(pid_t *restrict pid, const char *restrict path, const posix_spawn_file_actions_t *restrict file_actions, posix_spawnattr_t *attrp, char *argv[restrict], char *const envp[restrict]) {
     change_launchtype(attrp, path);
     if (!strncmp(path, SPRINGBOARD_PATH, strlen(SPRINGBOARD_PATH))) {
@@ -161,23 +165,23 @@ int hooked_posix_spawnp(pid_t *restrict pid, const char *restrict path, const po
         path = jbroot(MRUI_PATH);
         argv[0] = (char *)path;
         posix_spawnattr_set_launch_type_np((posix_spawnattr_t *)attrp, 0);
-    } else if (!strncmp(path, XPCPROXY_PATH, strlen(XPCPROXY_PATH))) {
+    } else if (__probable(!strncmp(path, XPCPROXY_PATH, strlen(XPCPROXY_PATH)))) {
         path = jbroot(XPCPROXY_PATH);
         argv[0] = (char *)path;
         posix_spawnattr_set_launch_type_np((posix_spawnattr_t *)attrp, 0);
-        if(shouldWeGamble)
+        if(__improbable(shouldWeGamble))
         {
             uint64_t kfd = do_kopen(1024, 2, 1, 1, 1000, true);
             customLog("successfully gambled with kfd!\n");
             customLog("slide: 0x%llx\n, kernproc: 0x%llx\n, kerntask: 0x%llx\n", get_kslide(), get_kernproc(), get_kerntask());
             // customLog("reading pid... %d, getpid ret %d", kread32(((struct kfd *)kfd)->info.kaddr.current_proc + 0x60), getpid());
             // NSString* systemhookFilePath = [NSString stringWithFormat:@"%s/generalhooksigned.dylib", jbroot("/")];
 
-            // int unsandbox2(const char* dir, const char* file);
             // unsandbox2("/usr/lib", systemhookFilePath.fileSystemRepresentation);
+            unsandbox2("/usr/lib", jbroot("/generalhooksigned.dylib"));
 
-            // //new "real path"
-            // snprintf(HOOK_DYLIB_PATH, sizeof(HOOK_DYLIB_PATH), "/usr/lib/generalhooksigned.dylib");
+            //new "real path"
+            snprintf(HOOK_DYLIB_PATH, sizeof(HOOK_DYLIB_PATH), "/usr/lib/generalhooksigned.dylib");
             do_kclose();
             shouldWeGamble = false;
         }
@@ -263,7 +267,8 @@ int memorystatus_control_hook(uint32_t command, int32_t pid, uint32_t flags, voi
 }
 
 __attribute__((constructor)) static void init(int argc, char **argv) {
-    crashreporter_start();
+    // APPARENTLY for no reason, this crashreporter fuckin breaks ptrace in bootstrapd??
+    // crashreporter_start();
     // customLog("launchdhook is running");
     if(gSystemInfo.jailbreakInfo.rootPath) free(gSystemInfo.jailbreakInfo.rootPath);
 
@@ -273,7 +278,7 @@ int memorystatus_control_hook(uint32_t command, int32_t pid, uint32_t flags, voi
         gSystemInfo.jailbreakInfo.jbrand = jbrand();
     }
     // initXPCHooks();
-	// setenv("DYLD_INSERT_LIBRARIES", jbroot("/launchdhook.dylib"), 1);
+	setenv("DYLD_INSERT_LIBRARIES", jbroot("/launchdhook.dylib"), 1);
 	setenv("LAUNCHD_UUID", [NSUUID UUID].UUIDString.UTF8String, 1);
 
     // If Dopamine was initialized before, we assume we're coming from a userspace reboot

diff --git a/RootHelperSample/launchdshim/launchdhook/unsandbox2.m b/RootHelperSample/launchdshim/launchdhook/unsandbox2.m
@@ -119,6 +119,7 @@ int unsandbox2(const char* dir, const char* file)
 		goto failed;
 	}
 	customLog("writing to dirvp...");
+	sleep(1);
 	kwrite32(dirvp + off_vnode_v_usecount, dirvnode.v_usecount+1);
 
     uint64_t filevp = proc_fd_vnode(proc_self(), filefd);
@@ -130,12 +131,14 @@ int unsandbox2(const char* dir, const char* file)
 	struct vnode filevnode;
 	kreadbuf(filevp, &filevnode, sizeof(filevnode));
 	customLog("writing to filevp...");
+	sleep(1);
 	kwrite32(filevp+off_vnode_v_usecount, filevnode.v_usecount+1);
 
 	struct vnode parentvnode;
     uint64_t parentvp = kUNSIGN_PTR((uint64_t) filevnode.v_parent);
 	kreadbuf(parentvp, &parentvnode, sizeof(parentvnode));
 	customLog("writing to parentvp...");
+	sleep(1);
 	kwrite32(parentvp+off_vnode_v_usecount, parentvnode.v_usecount+1);
 
 	customLog("filefd=%d filevp=%llx/%d fileid=%lld parent=%llx/%d dirvp=%llx dirid=%lld ncchildren=%llx:%llx->%llx\n", 
@@ -144,12 +147,14 @@ int unsandbox2(const char* dir, const char* file)
 
     char parentname[32]={0};
     kreadbuf((uint64_t)parentvnode.v_name, parentname, sizeof(parentname));
+	sleep(1);
     customLog("parentname=%s\n", parentname);
 
 
 	struct namecache filenc={0};
 	uint64_t filencp = (uint64_t)filevnode.v_nclinks.lh_first;
 	kreadbuf(filencp, &filenc, sizeof(filenc));
+	sleep(1);
     customLog("filenc=%llx vp=%llx dvp=%llx\n", filencp, filenc.nc_vp, filenc.nc_dvp);
 
 {
@@ -158,6 +163,7 @@ int unsandbox2(const char* dir, const char* file)
 
 		struct namecache nc={0};
 		kreadbuf(ncp, &nc, sizeof(nc));
+		sleep(1);
 
 		char namebuf[128]={0};
 		for(int i=0; i<sizeof(namebuf)/sizeof(namebuf[0]); i++)

diff --git a/RootHelperSample/main.m b/RootHelperSample/main.m
@@ -370,7 +370,7 @@ int main(int argc, char *argv[], char *envp[]) {
                 install_cfprefsd();
 
                 [[NSFileManager defaultManager] copyItemAtPath:[usprebooterappPath() stringByAppendingPathComponent:@"generalhooksigned.dylib"] toPath:jbroot(@"/generalhooksigned.dylib") error:nil];
-                [[NSFileManager defaultManager] copyItemAtPath:[usprebooterappPath() stringByAppendingPathComponent:@"Serotonin.jp2"] toPath:@"/var/mobile/Serotonin.jp2" error:nil];
+//                [[NSFileManager defaultManager] copyItemAtPath:[usprebooterappPath() stringByAppendingPathComponent:@"Serotonin.jp2"] toPath:@"/var/mobile/Serotonin.jp2" error:nil];
             }
         } else if ([action isEqual: @"uninstall"]) {
             NSLog(@"uninstalling");
@@ -399,7 +399,9 @@ int main(int argc, char *argv[], char *envp[]) {
                         [jbroot(@"/usr/libexec/") stringByAppendingPathComponent:@"installd"],
                         [jbroot(@"/usr/sbin/") stringByAppendingPathComponent:@"cfprefsd"],
                         [jbroot(@"/usr/sbin/") stringByAppendingPathComponent:@"generalhooksigned.dylib"],
-                        [jbroot(@"/usr/sbin/") stringByAppendingPathComponent:@"mediaserverd"]
+                        [jbroot(@"/usr/sbin/") stringByAppendingPathComponent:@"mediaserverd"],
+                        jbroot(@"/generalhooksigned.dylib"),
+                        jbroot(@"/var/mobile/Serotonin.jp2"),
                     ];
                     for (NSString *path in pathsToRemove) {
                         if ([fileManager fileExistsAtPath:path]) {