partial A12 support

jakeajames · Jun 3, 2019 · eb7b55a · eb7b55a
1 parent a67241d
commit eb7b55a
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 16 deletions.
diff --git a/amfid.m b/amfid.m
@@ -17,6 +17,8 @@
 uint64_t origAMFID_MISVSACI = 0;
 uint64_t amfid_base;
 
+#if !__arm64e__
+
 void* AMFIDExceptionHandler(void* arg) {
 
     uint32_t size = 0x1000;
@@ -241,3 +243,4 @@ uint64_t patchAMFID() {
 
     return origAMFID_MISVSACI;
 }
+#endif
diff --git a/downloads/jelbrekLib.a b/downloads/jelbrekLib.a
diff --git a/inject_criticald.m b/inject_criticald.m
@@ -25,6 +25,8 @@
 #import "kernel_utils.h"
 #import "inject_criticald.h"
 
+#if !__arm64e__
+
 kern_return_t mach_vm_allocate
 (
  vm_map_t target,
@@ -446,4 +448,4 @@ int inject_dylib(pid_t pid, char *loaded_dylib) {
     return 0;
 }
 
-
+#endif
diff --git a/jelbrek.m b/jelbrek.m
@@ -304,10 +304,10 @@ int trustbin(const char *path) {
 
     struct trust_chain fake_chain;
     fake_chain.next = KernelRead_64bits(trust_chain);
-    ((uint64_t*)fake_chain.uuid)[0] = 0xbadbabeabadbabe;
-    ((uint64_t*)fake_chain.uuid)[1] = 0xbadbabeabadbabe;
+    //((uint64_t*)fake_chain.uuid)[0] = 0xbadbabeabadbabe;
+    //((uint64_t*)fake_chain.uuid)[1] = 0xbadbabeabadbabe;
 
-    //arc4random_buf(fake_chain.uuid, 16);
+    arc4random_buf(fake_chain.uuid, 16);
 
     int cnt = 0;
     uint8_t hash[CC_SHA256_DIGEST_LENGTH];
@@ -327,15 +327,13 @@ int trustbin(const char *path) {
 
     fake_chain.count = cnt;
 
-    size_t length = (sizeof(fake_chain) + cnt * sizeof(hash_t) + 0xFFFF) & ~0xFFFF;
+    size_t length = (sizeof(fake_chain) + cnt * sizeof(hash_t) + 0x3FFF) & ~0x3FFF;
     uint64_t kernel_trust = Kernel_alloc(length);
     printf("[*] allocated: 0x%zx => 0x%llx\n", length, kernel_trust);
 
     KernelWrite(kernel_trust, &fake_chain, sizeof(fake_chain));
     KernelWrite(kernel_trust + sizeof(fake_chain), allhash, cnt * sizeof(hash_t));
 
-    extern uint64_t PPLText_size;
-
 #if __arm64e__
         Kernel_Execute(Find_pmap_load_trust_cache_ppl(), kernel_trust, length, 0, 0, 0, 0, 0);
 #else

diff --git a/offsets.m b/offsets.m
@@ -165,15 +165,14 @@ void _offsets_init() {
         off_itk_space = 0x300;
         off_csb_platform_binary = 0xa8;
         off_csb_platform_path = 0xac;
+#if __arm64e__
+        off_t_flags = 0x400;
+        _offsets[7] = 0x368;
+#else
         off_t_flags = 0x390;
-
-        struct utsname u = { 0 };
-        uname(&u);
-
-        if (strstr(u.machine, "iPhone11,") || strstr(u.machine, "iPad8,")) {
-            _offsets[7] = 0x368;
-        }
+#endif
     }
+
     else if (SYSTEM_VERSION_GREATER_THAN_OR_EQUAL_TO(@"11.3")) {
         printf("[i] offsets selected for iOS 11.3 or above\n");
         _offsets = _kstruct_offsets_11_3;

diff --git a/patchfinder64.m b/patchfinder64.m
@@ -235,6 +235,17 @@ static int DecodeMov(uint32_t opcode, uint64_t total, int first, uint64_t *newva
 static addr_t
 BOF64(const uint8_t *buf, addr_t start, addr_t where)
 {
+    extern addr_t PPLText_size;
+    if (PPLText_size) {
+        for (; where >= start; where -= 4) {
+            uint32_t op = *(uint32_t *)(buf + where);
+            if (op == 0xD503237F) {
+                return where;
+            }
+        }
+        return 0;
+    }
+
     for (; where >= start; where -= 4) {
         uint32_t op = *(uint32_t *)(buf + where);
 
@@ -1137,9 +1148,12 @@ addr_t Find_trustcache(void) {
 }
 
 addr_t Find_pmap_load_trust_cache_ppl() {
-    uint64_t ref = Find_strref("%s: trust cache already loaded, ignoring", 1, 0, false);
+    uint64_t ref = Find_strref("%s: trust cache already loaded, ignoring", 2, 0, false);
     if (!ref) {
-        return 0;
+        ref = Find_strref("%s: trust cache already loaded, ignoring", 1, 0, false);
+        if (!ref) {
+            return 0;
+        }
     }
     ref -= KernDumpBase;