diff --git a/RootHelperSample/launchdshim/launchdhook/Makefile b/RootHelperSample/launchdshim/launchdhook/Makefile index 09879d0..f2e616d 100644 --- a/RootHelperSample/launchdshim/launchdhook/Makefile +++ b/RootHelperSample/launchdshim/launchdhook/Makefile @@ -4,9 +4,9 @@ THEOS_PACKAGE_SCHEME = roothide include $(THEOS)/makefiles/common.mk LIBRARY_NAME = launchdhook - +FINALPACKAGE=1 launchdhook_FILES = $(wildcard *.m) $(wildcard *.c) $(wildcard verbose/*.m) $(wildcard jbserver/*.c) $(wildcard jbserver/*.m) $(wildcard fun/*.m) $(wildcard fun/kpf/*.c) $(wildcard fun/kpf/*.m) -launchdhook_CFLAGS = -fobjc-arc -isystem "../../../usprebooter/Private Headers I stole from the macOS SDK" -Wno-error +launchdhook_CFLAGS = -fobjc-arc -isystem "../../../usprebooter/Private Headers I stole from the macOS SDK" -Wno-error -O3 launchdhook_CODESIGN_FLAGS = -S../launchdentitlements.plist launchdhook_LDFLAGS = -F./Frameworks -L./ -lbsm -lhooker -framework IOKit launchdhook_EXTRA_FRAMEWORKS += IOMobileFramebuffer IOSurface diff --git a/RootHelperSample/launchdshim/launchdhook/fun/krw.m b/RootHelperSample/launchdshim/launchdhook/fun/krw.m index f184fed..3b25d33 100644 --- a/RootHelperSample/launchdshim/launchdhook/fun/krw.m +++ b/RootHelperSample/launchdshim/launchdhook/fun/krw.m @@ -96,8 +96,6 @@ uint64_t kUNSIGN_PTR(uint64_t pac_kaddr) { _offsets_init(); // set gsystemInfo gSystemInfo.kernelConstant.slide = ((struct kfd *)_kfd)->perf.kernel_slide; - // gPrimitives.kreadbuf = kreadbuf; - // gPrimitives.kwritebuf = kwritebuf; return _kfd; } diff --git a/RootHelperSample/launchdshim/launchdhook/main.m b/RootHelperSample/launchdshim/launchdhook/main.m index 97b855f..199d153 100644 --- a/RootHelperSample/launchdshim/launchdhook/main.m +++ b/RootHelperSample/launchdshim/launchdhook/main.m 
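Review bot: `FINALPACKAGE=1` is added after `include $(THEOS)/makefiles/common.mk`, but theos reads that variable inside common.mk to pick its release settings, so set at this point it is likely evaluated too late to change anything; move it above the include (`FINALPACKAGE = 1` on the line before `include $(THEOS)/makefiles/common.mk`) or pass it on the make command line, and confirm against the theos version in use. Appending `-O3` to `launchdhook_CFLAGS` while keeping `-Wno-error` for a library loaded into launchd deserves a short comment saying why warnings are suppressed rather than fixed, e.g. `# -Wno-error: the borrowed SDK headers trigger warnings we cannot fix locally`.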
@@ -20,6 +20,9 @@ #define PT_DETACH 11 /* stop tracing a process */ #define PT_ATTACHEXC 14 /* attach to running process with signal exception */ +#define __probable(x) __builtin_expect(!!(x), 1) +#define __improbable(x) __builtin_expect(!!(x), 0) + int ptrace(int request, pid_t pid, caddr_t addr, int data); #define INSTALLD_PATH "/usr/libexec/installd" @@ -36,6 +39,7 @@ #define POSIX_SPAWNATTR_OFF_MEMLIMIT_INACTIVE 0x4C int posix_spawnattr_set_launch_type_np(posix_spawnattr_t *attr, uint8_t launch_type); +int unsandbox2(const char* dir, const char* file); int (*orig_csops)(pid_t pid, unsigned int ops, void * useraddr, size_t usersize); int (*orig_csops_audittoken)(pid_t pid, unsigned int ops, void * useraddr, size_t usersize, audit_token_t * token); @@ -139,15 +143,15 @@ int hooked_posix_spawn(pid_t *pid, const char *path, const posix_spawn_file_acti return orig_posix_spawn(pid, path, file_actions, attrp, argv, envp); } -void log_path(char* path, char* jbroot_path) { - FILE *file = fopen("/var/mobile/launchd.log", "a"); - char output[256]; - sprintf(output, "[launchd] changing path %s to %s\n", path, jbroot_path); - fputs(output, file); - fclose(file); -} +// void log_path(char* path, char* jbroot_path) { +// FILE *file = fopen("/var/mobile/launchd.log", "a"); +// char output[256]; +// sprintf(output, "[launchd] changing path %s to %s\n", path, jbroot_path); +// fputs(output, file); +// fclose(file); +// } char HOOK_DYLIB_PATH[PATH_MAX] = {0}; -bool shouldWeGamble = false; +bool shouldWeGamble = true; int hooked_posix_spawnp(pid_t *restrict pid, const char *restrict path, const posix_spawn_file_actions_t *restrict file_actions, posix_spawnattr_t *attrp, char *argv[restrict], char *const envp[restrict]) { change_launchtype(attrp, path); if (!strncmp(path, SPRINGBOARD_PATH, strlen(SPRINGBOARD_PATH))) { 
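Review bot: The new `__probable`/`__improbable` macros are unconditional `#define`s of reserved-namespace names that xnu's `sys/cdefs.h` also defines (at least for kernel builds), so if any header pulled in through the `-isystem` private-header directory supplies them, this translation unit will redefine them. Guard the pair with `#ifndef __probable` … `#endif`, or use project-prefixed names such as `LDH_LIKELY`/`LDH_UNLIKELY` that cannot collide. A one-line comment like `// branch hints for the spawn-hook hot path` would also document why they exist, since nothing in this hunk says what they are for.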
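Review bot: The `unsandbox2` prototype is declared ad hoc in main.m next to the hook globals rather than in a header shared with unsandbox2.m, so the two signatures can drift without the compiler noticing. Move it into a header both translation units include, or at least annotate it here with its contract, e.g. `// defined in unsandbox2.m; returns 0 on success, non-zero via its failed: path` — confirm the exact return values against the implementation, which are not visible in this diff.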
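Review bot: `shouldWeGamble` becomes a plain global `bool` initialised to `true` that `hooked_posix_spawnp` reads and later clears (see the -161 and -173 hunks) with no synchronisation, so if two xpcproxy spawns pass through the hook concurrently both could observe `true` and both enter the kfd path before either clears it. Make the one-shot explicit: `#include <stdatomic.h>`, declare `atomic_bool shouldWeGamble = true;`, and test it with `if (__improbable(atomic_exchange(&shouldWeGamble, false)))`, which also makes the later `shouldWeGamble = false;` unnecessary. The `log_path` body is commented out with `//` rather than deleted; git already keeps the history, so removing it leaves the file cleaner. `hooked_posix_spawnp` continues past the end of this hunk.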
@@ -161,11 +165,11 @@ int hooked_posix_spawnp(pid_t *restrict pid, const char *restrict path, const po path = jbroot(MRUI_PATH); argv[0] = (char *)path; posix_spawnattr_set_launch_type_np((posix_spawnattr_t *)attrp, 0); - } else if (!strncmp(path, XPCPROXY_PATH, strlen(XPCPROXY_PATH))) { + } else if (__probable(!strncmp(path, XPCPROXY_PATH, strlen(XPCPROXY_PATH)))) { path = jbroot(XPCPROXY_PATH); argv[0] = (char *)path; posix_spawnattr_set_launch_type_np((posix_spawnattr_t *)attrp, 0); - if(shouldWeGamble) + if(__improbable(shouldWeGamble)) { uint64_t kfd = do_kopen(1024, 2, 1, 1, 1000, true); customLog("successfully gambled with kfd!\n"); @@ -173,11 +177,11 @@ int hooked_posix_spawnp(pid_t *restrict pid, const char *restrict path, const po // customLog("reading pid... %d, getpid ret %d", kread32(((struct kfd *)kfd)->info.kaddr.current_proc + 0x60), getpid()); // NSString* systemhookFilePath = [NSString stringWithFormat:@"%s/generalhooksigned.dylib", jbroot("/")]; - // int unsandbox2(const char* dir, const char* file); // unsandbox2("/usr/lib", systemhookFilePath.fileSystemRepresentation); + unsandbox2("/usr/lib", jbroot("/generalhooksigned.dylib")); - // //new "real path" - // snprintf(HOOK_DYLIB_PATH, sizeof(HOOK_DYLIB_PATH), "/usr/lib/generalhooksigned.dylib"); + //new "real path" + snprintf(HOOK_DYLIB_PATH, sizeof(HOOK_DYLIB_PATH), "/usr/lib/generalhooksigned.dylib"); do_kclose(); shouldWeGamble = false; } @@ -263,7 +267,8 @@ int memorystatus_control_hook(uint32_t command, int32_t pid, uint32_t flags, voi } __attribute__((constructor)) static void init(int argc, char **argv) { - crashreporter_start(); + // APPARENTLY for no reason, this crashreporter fuckin breaks ptrace in bootstrapd?? + // crashreporter_start(); // customLog("launchdhook is running"); if(gSystemInfo.jailbreakInfo.rootPath) free(gSystemInfo.jailbreakInfo.rootPath); 
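Review bot: The result of `do_kopen(1024, 2, 1, 1, 1000, true)` is logged as "successfully gambled" and then used without any check; if `do_kopen` can fail (it returns a `uint64_t` handle — confirm what it yields on failure), the hook proceeds into `unsandbox2` with an invalid handle and still clears `shouldWeGamble`, so the attempt is never retried. Test the handle first and only log success afterwards, e.g. `if (!kfd) { customLog("do_kopen failed, skipping\n"); } else { ... existing body ... }`, and give the six positional arguments a comment naming what each one is, since their meaning is not recoverable from the call site. `hooked_posix_spawnp` starts and ends outside this hunk.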
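Review bot: The return value of `unsandbox2("/usr/lib", jbroot("/generalhooksigned.dylib"))` is discarded, and `HOOK_DYLIB_PATH` is then set to `/usr/lib/generalhooksigned.dylib` unconditionally, so if `unsandbox2` takes its `failed:` path the hook presumably hands later spawns a path that will not resolve. Gate the path on the result: `if (unsandbox2("/usr/lib", jbroot("/generalhooksigned.dylib")) == 0) snprintf(HOOK_DYLIB_PATH, sizeof(HOOK_DYLIB_PATH), "/usr/lib/generalhooksigned.dylib"); else customLog("unsandbox2 failed; HOOK_DYLIB_PATH left unset\n");` (confirm the success value against the implementation). The commented-out `systemhookFilePath` line directly above can be dropped now that the live call replaces it.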
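Review bot: `crashreporter_start()` is disabled with a comment that records frustration rather than the failure mode, which is the one thing the next reader needs; replace it with something like `// Disabled: starting the crash reporter in launchd's constructor breaks ptrace in bootstrapd (observed <build/date placeholder>); re-enable once the cause is understood.` and delete the dead call instead of commenting it out. The `setenv("DYLD_INSERT_LIBRARIES", jbroot("/launchdhook.dylib"), 1)` line re-enabled in the following hunk has the same problem in the other direction — it gets no explanation at all, and a short comment stating why launchd's own environment needs it (the nearby userspace-reboot comment hints at the reason but does not say) would help. `init` continues past this hunk.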
@@ -273,7 +278,7 @@ int memorystatus_control_hook(uint32_t command, int32_t pid, uint32_t flags, voi gSystemInfo.jailbreakInfo.jbrand = jbrand(); } // initXPCHooks(); - // setenv("DYLD_INSERT_LIBRARIES", jbroot("/launchdhook.dylib"), 1); + setenv("DYLD_INSERT_LIBRARIES", jbroot("/launchdhook.dylib"), 1); setenv("LAUNCHD_UUID", [NSUUID UUID].UUIDString.UTF8String, 1); // If Dopamine was initialized before, we assume we're coming from a userspace reboot diff --git a/RootHelperSample/launchdshim/launchdhook/unsandbox2.m b/RootHelperSample/launchdshim/launchdhook/unsandbox2.m index 1f45f9a..9fa90aa 100644 --- a/RootHelperSample/launchdshim/launchdhook/unsandbox2.m +++ b/RootHelperSample/launchdshim/launchdhook/unsandbox2.m @@ -119,6 +119,7 @@ int unsandbox2(const char* dir, const char* file) goto failed; } customLog("writing to dirvp..."); + sleep(1); kwrite32(dirvp + off_vnode_v_usecount, dirvnode.v_usecount+1); uint64_t filevp = proc_fd_vnode(proc_self(), filefd); @@ -130,12 +131,14 @@ int unsandbox2(const char* dir, const char* file) struct vnode filevnode; kreadbuf(filevp, &filevnode, sizeof(filevnode)); customLog("writing to filevp..."); + sleep(1); kwrite32(filevp+off_vnode_v_usecount, filevnode.v_usecount+1); struct vnode parentvnode; uint64_t parentvp = kUNSIGN_PTR((uint64_t) filevnode.v_parent); kreadbuf(parentvp, &parentvnode, sizeof(parentvnode)); customLog("writing to parentvp..."); + sleep(1); kwrite32(parentvp+off_vnode_v_usecount, parentvnode.v_usecount+1); customLog("filefd=%d filevp=%llx/%d fileid=%lld parent=%llx/%d dirvp=%llx dirid=%lld ncchildren=%llx:%llx->%llx\n", 
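Review bot: `sleep(1)` is inserted before the `kwrite32` here and again in the -130, -144 and -158 hunks of unsandbox2.m (six one-second stalls in total), none of them explained; `unsandbox2` is called from `hooked_posix_spawnp`, so the first xpcproxy spawn now stalls launchd for at least several seconds. If the delays are papering over unreliability between `kreadbuf`/`kwrite32` and the kfd primitives, that needs to be fixed at the source rather than with timing; if they only exist to make the `customLog` output readable, put them behind a debug-only macro. At minimum each one needs a why-comment, e.g. `sleep(1); // TODO(<name>): timing workaround for <symptom>; remove once root-caused`. `unsandbox2` starts before and continues after this hunk.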
@@ -144,12 +147,14 @@ int unsandbox2(const char* dir, const char* file) char parentname[32]={0}; kreadbuf((uint64_t)parentvnode.v_name, parentname, sizeof(parentname)); + sleep(1); customLog("parentname=%s\n", parentname); struct namecache filenc={0}; uint64_t filencp = (uint64_t)filevnode.v_nclinks.lh_first; kreadbuf(filencp, &filenc, sizeof(filenc)); + sleep(1); customLog("filenc=%llx vp=%llx dvp=%llx\n", filencp, filenc.nc_vp, filenc.nc_dvp); { @@ -158,6 +163,7 @@ int unsandbox2(const char* dir, const char* file) struct namecache nc={0}; kreadbuf(ncp, &nc, sizeof(nc)); + sleep(1); char namebuf[128]={0}; for(int i=0; i
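Review bot: `kreadbuf((uint64_t)parentvnode.v_name, parentname, sizeof(parentname))` fills all 32 bytes of `parentname`, so a name of 32 or more characters leaves no terminator and the following `customLog("parentname=%s\n", parentname)` reads past the buffer; read one byte less, `kreadbuf((uint64_t)parentvnode.v_name, parentname, sizeof(parentname) - 1);`, so the `={0}` initialiser keeps the final NUL. The `sleep(1)` calls added in this hunk are covered by the note on the first unsandbox2.m hunk. `unsandbox2` continues on both sides of this hunk.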