/*
Library-wide globals exposed to callers.
kaslr_slide: the KASLR slide, declared as a 32-bit value here.
kernel_base: the (slid) kernel base address.
tfp0:        the kernel task port handed to init_jelbrek().
NOTE(review): these are only meaningful after init_jelbrek() succeeded and before
term_jelbrek() runs — confirm against the implementation. Anyone who can read tfp0
from this process effectively holds kernel read/write; do not log or hand it out casually.
*/
extern uint32_t kaslr_slide;
extern uint64_t kernel_base;
extern mach_port_t tfp0;
/*
Purpose: Initialize jelbrekLib (first thing you have to call)
Parameters:
kernel task port (tfp0). This port grants kernel memory read/write; the library
keeps it in the global tfp0 for the rest of its lifetime.
Return values:
1: tfp0 port not valid
2: Something messed up while finding the kernel base
3: patchfinder didn't initialize properly
4: kernelSymbolFinder didn't initialize properly
NOTE(review): the success value is not documented here — presumably 0, confirm.
Callers must check the return value; every other function in this header assumes
initialization succeeded.
*/
int init_jelbrek(mach_port_t tfpzero);
/*
Purpose: Free memory used by jelbrekLib & clean up (last thing you have to call)
No return value. After this call the library globals (kaslr_slide, kernel_base, tfp0)
should no longer be relied on — confirm whether they are reset or left stale.
*/
void term_jelbrek(void);
/*
Purpose:
Add a macho binary on the AMFI trustcache
Security note: a binary in the trust cache is accepted by AMFI without a valid
Apple-issued signature. Only pass paths you control; if the path (or any file under
the directory) is writable by a less-privileged local user, this call turns that
write into arbitrary code execution with whatever the binary is later run as.
Parameters:
A path to single macho or a directory for recursive patching
NOTE(review): whether symlinks inside the directory are followed is not stated — confirm.
Return values:
-1: path doesn't exist
-2: Couldn't find valid macho in directory
2: Binary not an executable
3: Binary bigger than 0x4000 bytes or something weird happened when running lstat
   (as written; confirm whether this is a size limit on the file or on the region that is hashed)
4: Permission denied when trying to open file
5: Something weird happened when reading data from the file
6: Binary is not a macho
7: file mmap() failed
NOTE(review): the success value is not documented (presumably 0) and 1 is unused in
this list — confirm. Note the mix of negative and positive error codes; treat any
non-zero return as failure.
*/
int trustbin(const char *path);
/*
Purpose:
Unsandboxes a process
This is a privilege-escalation primitive: the target loses all sandbox-profile
restrictions. Whether the change can be reverted is not documented here.
Parameters:
The process ID
Return values:
true: successfully unsandboxed or already unsandboxed
false: something went wrong
*/
BOOL unsandbox(pid_t pid);
/*
Purpose:
Sets special codesigning flags on a process
NOTE(review): which CS_* flags are set is not stated in this header — confirm against the
implementation before relying on a specific flag (e.g. for library-validation or
debugger behaviour). Code-signing flags control what the kernel enforces for the process.
Parameters:
The process ID
Return values:
true: successfully patched or already has flags
false: something went wrong
*/
BOOL setcsflags(pid_t pid);
/*
Purpose:
Patches the UID & GID of a process to 0
NOTE(review): which ids are patched (real / effective / saved) is not stated — confirm.
Parameters:
The process ID
Return values:
true: successfully patched or already has root
false: something went wrong
*/
BOOL rootify(pid_t pid);
/*
Purpose:
Sets TF_PLATFORM flag on a process & CS_PLATFORM_BINARY csflag
Parameters:
The process ID
Return values:
None — this function is declared void, so the caller cannot detect failure from
its return value (the "true/false" wording that used to be here was copied from
rootify() and did not match the prototype). Confirm success by other means if it matters.
*/
void platformize(pid_t pid);
/*
Purpose:
Patches entitlements stored on the AMFI slot of the credentials label (not the actual
entitlements, so this doesn't work with every entitlement)
Only checks that consult the AMFI cred-label copy see the change; checks that read the
entitlements from the code-signature blob are unaffected — which is why some
entitlements do not take effect through this path.
Parameters:
The process ID
The entitlement (eg. com.apple.private.skip-library-validation)
Entitlement value, either true or false
Return values:
true: successfully patched or already has entitlement
false: something went wrong
*/
BOOL entitlePid(pid_t pid, const char *ent, BOOL val);
/*
Purpose:
Borrows credentials from another process ID
The target runs with the donor's credentials until undoCredDonation() is called with
the value returned here; if the caller drops that value, the target keeps the donor's
credentials. Keep the pairing tight (borrow, do the privileged work, undo).
Parameters:
The target's process ID
The donor's process ID
Return values:
Original credentials (use to revert later)
NOTE(review): what is returned on failure (0?) is not documented — confirm before
passing the value back to undoCredDonation().
*/
uint64_t borrowCredsFromPid(pid_t target, pid_t donor);
/*
Purpose:
Spawns a binary and borrows credentials from it
The donor binary is executed, so its path must be trusted exactly as with launch();
an attacker-controlled path here runs attacker code as the donor.
Parameters:
The target's process ID
The donor binary path & up to 6 arguments (Leave NULL if not using)
environment variables (Leave NULL if not using)
Return values:
Original credentials (use to revert later) — pass to undoCredDonation() to restore.
NOTE(review): failure value and whether the spawned donor is left running are not
documented — confirm.
*/
uint64_t borrowCredsFromDonor(pid_t target, char *binary, char *arg1, char *arg2, char *arg3, char *arg4, char *arg5, char *arg6, char**env);
/*
Purpose:
Undoes credential donation
Parameters:
The target's process ID
The original credentials, i.e. the value returned by borrowCredsFromPid() /
borrowCredsFromDonor() for this same target
No return value; failure cannot be detected from this call.
*/
void undoCredDonation(pid_t target, uint64_t origcred);
/*
Purpose:
Spawn a process as platform binary
The child gets platform-binary status, so the path must be one you control;
see trustbin() for the same caveat.
Parameters:
Binary path
Up to 6 arguments (Leave NULL if not using)
environment variables (Leave NULL if not using)
Return values:
posix_spawn's return value: 0 on success, otherwise an errno-style error number
(posix_spawn reports errors through its return value, not through errno).
*/
int launchAsPlatform(char *binary, char *arg1, char *arg2, char *arg3, char *arg4, char *arg5, char *arg6, char**env);
/*
Purpose:
Spawn a process
Parameters:
Binary path
Up to 6 arguments (Leave NULL if not using)
environment variables (Leave NULL if not using)
Return values:
posix_spawn's return value: 0 on success, otherwise an errno-style error number
(posix_spawn reports errors through its return value, not through errno).
*/
int launch(char *binary, char *arg1, char *arg2, char *arg3, char *arg4, char *arg5, char *arg6, char**env);
/*
Purpose:
Mount a device as read and write on a specified path
Parameters:
Device name
Path to mount
Return values:
mount() return value: 0 on success, -1 on failure with errno set.
*/
int mountDevAtPathAsRW(const char* devpath, const char* path);
/*
Purpose:
Mount / as read and write on iOS 10.3-11.4b3
Behaviour outside that version range is not documented here; do not assume it
fails safely on other releases.
Return values:
0: mount succeeded
-1: mount failed
*/
int remountRootFS(void);
/*
Purpose:
Get the kernel vnode pointer for a specified path
Parameters:
Target path
Return values:
Vnode pointer of path (a kernel address, not usable from user space directly)
NOTE(review): the failure value (0?) is not documented, and it is not stated whether
the returned vnode holds a reference the caller must drop with vnode_put() — confirm,
since a leaked iocount keeps the vnode pinned.
*/
uint64_t getVnodeAtPath(const char *path);
/*
Purpose:
Print a hex dump of kernel memory (debugging aid)
Parameters:
Address in kernel from where to get data
Size of data to get
NOTE(review): reading an unmapped kernel address is likely to panic the device —
only pass addresses you have validated.
*/
void HexDump(uint64_t addr, size_t size);
/*
Purpose:
Execute code within the kernel
This is arbitrary kernel code execution: a wrong address or argument panics the
device or corrupts kernel state, so validate addresses (e.g. via find_symbol()) first.
Parameters:
Slid address of function
Up to 7 arguments (x0..x6)
Return value:
Return value of called function (must call zm_fix_addr before using returned pointers)
*/
uint64_t kexecute(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6);
/*
Purpose:
Repair a pointer value returned by kexecute() so it can be used as a kernel address.
NOTE(review): why the repair is needed is not stated here — presumably kexecute's return
path does not preserve the full 64-bit value — confirm against the implementation.
*/
uint64_t zm_fix_addr(uint64_t addr);
/*
Purpose:
Find a kernel symbol
Parameters:
Name of symbol
Whether to print info or not
Return value:
Address of kernel symbol
NOTE(review): the not-found value is not documented (presumably 0) — check it before
handing the result to kexecute().
*/
uint64_t find_symbol(const char *symbol, bool verbose); /* powered by kernelSymbolFinder */
/*
Purpose:
Remap tfp0 as host_special_port 4
Security note: after this, any process able to request host special port 4
can obtain the kernel task port, i.e. kernel read/write. This is what other
jailbreak tooling relies on, but it is a device-wide exposure — call it deliberately.
Return value:
1: Error
0: Success
*/
int setHGSP4(void);
/*
Purpose:
Unlock nvram memory
No return value; failure cannot be detected from this call. Pair with locknvram().
*/
void unlocknvram(void);
/*
Purpose:
Relock nvram memory. unlocknvram() must have been called beforehand.
Return value:
-1: Error
0: Success
*/
int locknvram(void);
/*
Purpose:
Find kernel base
Return value:
Kernel base address. The failure value is not documented here (presumably 0) — confirm.
init_jelbrek() already does this and stores the result in kernel_base.
*/
uint64_t find_kernel_base(void);
/*
Purpose:
Internal vnode utilities
vnode_lookup: looks up `path` with `flags` under `vfs_context`, writing the vnode
pointer to *vnode; returns an int status (presumably 0 on success — confirm).
get_vfs_context: returns a vfs context to pass to vnode_lookup.
vnode_put: releases a vnode obtained via vnode_lookup.
NOTE(review): every successful vnode_lookup should be paired with a vnode_put —
confirm the reference-counting contract against the implementation.
*/
int vnode_lookup(const char *path, int flags, uint64_t *vnode, uint64_t vfs_context);
uint64_t get_vfs_context(void);
int vnode_put(uint64_t vnode);
/*
Purpose:
Internal snapshot utilities
list_snapshots: lists snapshots of volume `vol`; int status.
find_system_snapshot: returns the name of the system snapshot (or NULL? — not documented).
do_rename: renames snapshot `snap` on volume `vol` to `nw`; int status.
copyBootHash: returns the boot hash as a string.
NOTE(review): ownership of the char* results is not stated — the "copy" naming suggests
the caller must free() them, confirm before use to avoid leaks or double frees.
*/
int list_snapshots(const char *vol);
char *find_system_snapshot(void);
int do_rename(const char *vol, const char *snap, const char *nw);
char *copyBootHash(void);
/*
Purpose:
Patchfinding (by xerub & ninjaprawn)
Each function returns the kernel address of the named object or gadget.
NOTE(review): the not-found value is not documented (presumably 0) — check results
before using them, since a bad address fed to kexecute() or a kernel write panics.
*/
uint64_t find_allproc(void);
uint64_t find_add_x0_x0_0x40_ret(void);
uint64_t find_copyout(void);
uint64_t find_bzero(void);
uint64_t find_bcopy(void);
uint64_t find_rootvnode(void);
uint64_t find_trustcache(void);
uint64_t find_amficache(void);
uint64_t find_OSBoolean_True(void);
uint64_t find_OSBoolean_False(void);
uint64_t find_zone_map_ref(void);
uint64_t find_osunserializexml(void);
uint64_t find_smalloc(void);