
got async and MIG timeout fixes applied

Kevin Bradley 5 years ago
parent
commit
24f80afc3d

BIN
Meridian/Meridian/bootstrap/meridian-bootstrap.tar


BIN
Meridian/Meridian/bootstrap/meridian-bootstrap/meridian/amfid_payload.dylib


BIN
Meridian/Meridian/bootstrap/meridian-bootstrap/meridian/jailbreakd/jailbreakd


BIN
Meridian/Meridian/bootstrap/meridian-bootstrap/usr/lib/pspawn_hook.dylib


+ 1 - 1
Meridian/Meridian/build_time

@@ -1 +1 @@
-Tue, 07 Aug 2018 13:59:24 -0700
+Sun, 18 Nov 2018 22:15:08 -0700

BIN
Meridian/amfid/bin/amfid_payload.dylib


+ 20 - 1
Meridian/amfid/ent_patching.m

@@ -180,6 +180,20 @@ uint64_t construct_cs_blob(const void *cs,
     return cs_blob;
 }
 
+uint64_t bluetooth_exception_osarray(void) {
+    static uint64_t btcache = 0;
+    
+    if (btcache == 0) {
+        btcache = OSUnserializeXML(
+                                   "<array>"
+                                   "<string>RemoteBluetoothAddress</string>"
+                                   "</array>"
+                                   );
+    }
+    
+    return btcache;
+}
+
 int fixup_platform_application(const char *path,
                                uint64_t macho_offset,
                                const void *blob,
@@ -293,6 +307,10 @@ int fixup_platform_application(const char *path,
                                   "<true/>"
                                   "<key>com.apple.private.skip-library-validation</key>"    // allow invalid libs
                                   "<true/>"
+                                  "<key>com.apple.private.MobileGestalt.AllowedProtectedKeys</key>"
+                                  "<array>"
+                                  "<string>RemoteBluetoothAddress</string>"
+                                  "</array>"
                               "</dict>"
                               "</plist>";
         
@@ -332,7 +350,8 @@ int fixup_platform_application(const char *path,
         OSDictionary_SetItem(dict, "com.apple.private.security.no-container", find_OSBoolean_True());
         OSDictionary_SetItem(dict, "get-task-allow", find_OSBoolean_True());
         OSDictionary_SetItem(dict, "com.apple.private.skip-library-validation", find_OSBoolean_True());
-
+        OSDictionary_SetItem(dict, "com.apple.private.security.no-sandbox", find_OSBoolean_True());
+        OSDictionary_SetItem(dict, "com.apple.private.MobileGestalt.AllowedProtectedKeys", bluetooth_exception_osarray());
         csblob_ent_dict_set(cs_blobs, dict);
         
         // map the genblob up to csb_entitlements_blob
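Review bot: `bluetooth_exception_osarray()` never checks what `OSUnserializeXML` returned, so on a parse failure the 0 it caches is handed straight to `OSDictionary_SetItem` at the `AllowedProtectedKeys` line of the third hunk; guard the call site with `uint64_t bt = bluetooth_exception_osarray(); if (bt) OSDictionary_SetItem(dict, "com.apple.private.MobileGestalt.AllowedProtectedKeys", bt);`. The two entitlement paths also diverge now: the XML-string path in the second hunk adds only `AllowedProtectedKeys`, while the OSDictionary path additionally grants `com.apple.private.security.no-sandbox`, which is neither mirrored in the first path nor mentioned in the commit message, so a comment on that line stating why the dictionary path alone drops the sandbox would help the next reader. `fixup_platform_application` begins in the first hunk and its body runs past the end of this section.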

+ 2 - 2
Meridian/amfid/main.m

@@ -97,7 +97,7 @@ int fake_MISValidateSignatureAndCopyInfo(NSString* file, NSDictionary* options,
     const char *hash_name = get_hash_name(chosen_csdir->hashType);
     
     INFO(@"magic was performed [%08x (%s)]: %@", ntohl(*(uint64_t *)cd_hash), hash_name, file);
-    /*
+    
     // let's check entitlements, add platform-application if necessary
     ret = fixup_platform_application(file.UTF8String,
                                      file_off,
@@ -110,7 +110,7 @@ int fake_MISValidateSignatureAndCopyInfo(NSString* file, NSDictionary* options,
     if (ret != 0) {
         ERROR(@"fixup_platform_application returned: %d", ret);
     }
-    */
+    
     close_img(&img);
     return 0;
 }
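Review bot: Now that the `fixup_platform_application` call is live, a non-zero `ret` is only logged by the `ERROR` line and the function still falls through to `return 0;`, so a failed entitlement fixup is reported to the caller as a successful validation. If non-zero means failure for this return as it does for the callee, propagate it, e.g. `close_img(&img); return ret;` inside the `if (ret != 0)` branch; if the failure is deliberately non-fatal, say so in a comment next to the `ERROR` call. `fake_MISValidateSignatureAndCopyInfo` begins before the first hunk, and the call's argument list lies between the two hunks, outside the view.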

+ 1 - 1
Meridian/jailbreakd/Makefile

@@ -3,7 +3,7 @@ OUTDIR ?= bin
 SRC     = $(wildcard *.c) $(wildcard *.m) $(wildcard */*.c) $(wildcard */*.m)
 
 #CC      = xcrun -sdk iphoneos gcc -arch arm64
-CC      = xcrun -sdk iphoneos gcc -arch arm64
+CC      = xcrun -sdk appletvos gcc -arch arm64
 LDID    = ldid2
 CHMOD   = chmod
 
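Review bot: The commented `#CC` line directly above the changed one still reads `-sdk iphoneos`, so after this change it stops being a stale duplicate and becomes an undocumented alternative build with no note on when to use it. Either delete it or make the SDK selectable without editing the file, `SDK ?= appletvos` and `CC = xcrun -sdk $(SDK) gcc -arch arm64`, which also lets the two targets share one Makefile.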

BIN
Meridian/jailbreakd/bin/jailbreakd


+ 2 - 0
Meridian/jailbreakd/kern_utils.m

@@ -1,5 +1,6 @@
 #import <Foundation/Foundation.h>
 #import <sys/stat.h>
+#import <sys/param.h>
 #import "kern_utils.h"
 #import "helpers/kmem.h"
 #import "helpers/patchfinder64.h"
@@ -290,6 +291,7 @@ void set_amfi_entitlements(uint64_t proc) {
     if (rv != 1) {
         NSLog(@"Setting exc FAILED! amfi_entitlements: 0x%llx present: 0x%llx\n", amfi_entitlements, present);
     }
+ 
 }
 
 int setcsflagsandplatformize(int pid) {
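Review bot: The added `#import <sys/param.h>` has no visible use in either hunk, and the second hunk only adds a line consisting of a single space before the closing brace of `set_amfi_entitlements`. If the header is needed for something outside the view (presumably `MAXPATHLEN`), a short comment on the include such as `// MAXPATHLEN` would say so; otherwise both additions look like leftovers and can be dropped. `set_amfi_entitlements` starts before the second hunk.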

+ 3 - 0
Meridian/jailbreakd/main.m

@@ -4,11 +4,14 @@
 #include <mach/error.h>
 #include <string.h>
 #include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
 #include "helpers/patchfinder64.h"
 #include "kern_utils.h"
 #include "helpers/kmem.h"
 #include "helpers/kexecute.h"
 #include "mach/jailbreak_daemonServer.h"
+#import <sys/param.h>
 
 //more stuff from electra jailbreakd
 
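Review bot: The new `#import <sys/param.h>` is placed after the project headers and uses `#import`, while every other system header in this block uses `#include` and the two other additions (`<sys/types.h>`, `<sys/stat.h>`) were correctly inserted among the system includes. Move it up with them as `#include <sys/param.h>` so the dependency block keeps one style and the system/project grouping holds.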

BIN
Meridian/meridian.xcodeproj/project.xcworkspace/xcuserdata/kevinbradley.xcuserdatad/UserInterfaceState.xcuserstate


+ 2 - 2
Meridian/meridian.xcodeproj/xcuserdata/kevinbradley.xcuserdatad/xcschemes/xcschememanagement.plist

@@ -17,7 +17,7 @@
 		<key>jailbreakd.xcscheme</key>
 		<dict>
 			<key>orderHint</key>
-			<integer>3</integer>
+			<integer>2</integer>
 		</dict>
 		<key>meridianTV.xcscheme</key>
 		<dict>
@@ -27,7 +27,7 @@
 		<key>pspawn_hook.xcscheme</key>
 		<dict>
 			<key>orderHint</key>
-			<integer>2</integer>
+			<integer>3</integer>
 		</dict>
 	</dict>
 </dict>

+ 4 - 0
Meridian/meridianTV/ViewController.m

@@ -133,6 +133,8 @@ bool jailbreak_has_run = false;
     return currentViewController;
 }
 
+    #define PROC_PIDPATHINFO_MAXSIZE  (4*MAXPATHLEN)
+
 - (void)customTVSetup {
     
     //redudant
@@ -152,6 +154,8 @@ bool jailbreak_has_run = false;
     }
     */
     
+
+    
     _respringReady = FALSE;
     
     [self writeTextPlain:@">"];
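Review bot: `#define PROC_PIDPATHINFO_MAXSIZE (4*MAXPATHLEN)` is indented and placed between two methods inside the implementation, and nothing in either hunk uses it or shows where `MAXPATHLEN` comes from. Preprocessor definitions belong at the top of the file with the includes, and since a macro of this name is also provided by the system's proc-info header, wrap it as `#ifndef PROC_PIDPATHINFO_MAXSIZE` / `#define PROC_PIDPATHINFO_MAXSIZE (4*MAXPATHLEN)` / `#endif` so it cannot trigger a redefinition warning if that header is ever included. The second hunk adds only blank lines, one with trailing whitespace, and can be dropped; `customTVSetup` begins in the first hunk and continues outside the view.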

BIN
Meridian/meridianTV/basebinaries.tar


BIN
Meridian/meridianTV/meridian-bootstrap.tar


BIN
Meridian/pspawn_hook/bin/pspawn_hook.dylib


+ 8 - 1
Meridian/pspawn_hook/pspawn_hook.m

@@ -63,6 +63,8 @@ kern_return_t bootstrap_look_up(mach_port_t port, const char *service, mach_port
 
 mach_port_t jbd_port;
 
+dispatch_queue_t queue = NULL;
+
 char pathbuf[PROC_PIDPATHINFO_MAXSIZE];
 
 #define PSPAWN_HOOK_DYLIB       "/usr/lib/pspawn_hook.dylib"
@@ -79,6 +81,7 @@ const char* xpcproxy_blacklist[] = {
     "jailbreakd",                   // don't inject into jbd since we'd have to call to it
     "debugserver",           // keeps xcode debugging from working
     "reboot",
+    "sshd",
     NULL
 };
 
@@ -199,11 +202,12 @@ int fake_posix_spawn_common(pid_t *pid, const char *path, const posix_spawn_file
         
         if (origret == 0) {
             if (pid != NULL) *pid = gotpid;
-            
+            dispatch_async(queue, ^{
             kern_return_t ret = jbd_call(jbd_port, JAILBREAKD_COMMAND_ENTITLE_AND_SIGCONT, gotpid);
             if (ret != KERN_SUCCESS) {
                 DEBUGLOG("err: got %x from jbd_call(sigcont, %d)", ret, gotpid);
             }
+            });
         }
     } else if (current_process == PROCESS_XPCPROXY) {
         kern_return_t ret = jbd_call(jbd_port, JAILBREAKD_COMMAND_ENTITLE_AND_SIGCONT_FROM_XPCPROXY, getpid());
@@ -237,6 +241,9 @@ void rebind_pspawns(void) {
 
 __attribute__ ((constructor))
 static void ctor(void) {
+    
+    queue = dispatch_queue_create("pspawn.queue", NULL);
+    
     bzero(pathbuf, sizeof(pathbuf));
     proc_pidpath(getpid(), pathbuf, sizeof(pathbuf));
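Review bot: In the third hunk the `jbd_call(jbd_port, JAILBREAKD_COMMAND_ENTITLE_AND_SIGCONT, gotpid)` is moved onto `dispatch_async`, so `fake_posix_spawn_common` now returns to its caller before the child has been handled; if the spawning process exits or acts on the child immediately after the spawn returns, the queued block may run too late or not at all, and nothing in the hunk waits on or reports that outcome. The new global `dispatch_queue_t queue = NULL;` is also a non-static, unprefixed symbol in a dylib that is loaded into other processes, which invites collisions with the host's own symbols; declare it `static dispatch_queue_t pspawn_jbd_queue = NULL;` and use that name in the constructor and the block. Either keep the SIGCONT call synchronous or add a comment above the `dispatch_async` explaining why the asynchronous hand-off is acceptable, and indent the statements inside the `^{ ... }` one level so the block body reads as nested. `fake_posix_spawn_common` starts and ends outside the hunk.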