Página inicial Explorar Ajuda
Entrar
NitoTV
/
merdian
Observar 3
Favorito 0
Fork 0
Arquivos Issues 0 Pull Requests 1 Wiki
Tree: 1
Branches Tags
merdian
/
Meridian
/
jailbreakd
/
kern_utils.m

kern_utils.m 10 KB
Link permanente Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314 
  1. #import <Foundation/Foundation.h>
    2. 

  2. #import <sys/stat.h>
    3. 

  3. #import <sys/param.h>
    4. 

  4. #import "kern_utils.h"
    5. 

  5. #import "helpers/kmem.h"
    6. 

  6. #import "helpers/patchfinder64.h"
    7. 

  7. #import "helpers/kexecute.h"
    8. 

  8. #import "helpers/offsetof.h"
    9. 

  9. #import "helpers/osobject.h"
    10. 

  10. #import "sandbox.h"
    11. 

  11. 

  12. #define PROC_PIDPATHINFO_MAXSIZE  (4*MAXPATHLEN)
    13. 

  13. int proc_pidpath(pid_t pid, void *buffer, uint32_t buffersize);
    14. 

  14. 

  15. #define TF_PLATFORM 0x400
    16. 

  16. 

  17. #define	CS_VALID		            0x0000001	/* dynamically valid */
    18. 

  18. #define CS_ADHOC		            0x0000002	/* ad hoc signed */
    19. 

  19. #define CS_GET_TASK_ALLOW	        0x0000004	/* has get-task-allow entitlement */
    20. 

  20. #define CS_INSTALLER		        0x0000008	/* has installer entitlement */
    21. 

  21. 

  22. #define	CS_HARD			            0x0000100	/* don't load invalid pages */
    23. 

  23. #define	CS_KILL			            0x0000200	/* kill process if it becomes invalid */
    24. 

  24. #define CS_CHECK_EXPIRATION	        0x0000400	/* force expiration checking */
    25. 

  25. #define CS_RESTRICT		            0x0000800	/* tell dyld to treat restricted */
    26. 

  26. #define CS_ENFORCEMENT		        0x0001000	/* require enforcement */
    27. 

  27. #define CS_REQUIRE_LV		        0x0002000	/* require library validation */
    28. 

  28. #define CS_ENTITLEMENTS_VALIDATED	0x0004000
    29. 

  29. 

  30. #define	CS_ALLOWED_MACHO	        0x00ffffe
    31. 

  31. 

  32. #define CS_EXEC_SET_HARD	        0x0100000	/* set CS_HARD on any exec'ed process */
    33. 

  33. #define CS_EXEC_SET_KILL	        0x0200000	/* set CS_KILL on any exec'ed process */
    34. 

  34. #define CS_EXEC_SET_ENFORCEMENT	    0x0400000	/* set CS_ENFORCEMENT on any exec'ed process */
    35. 

  35. #define CS_EXEC_SET_INSTALLER	    0x0800000	/* set CS_INSTALLER on any exec'ed process */
    36. 

  36. 

  37. #define CS_KILLED		            0x1000000	/* was killed by kernel for invalidity */
    38. 

  38. #define CS_DYLD_PLATFORM	        0x2000000	/* dyld used to load this is a platform binary */
    39. 

  39. #define CS_PLATFORM_BINARY	        0x4000000	/* this is a platform binary */
    40. 

  40. #define CS_PLATFORM_PATH	        0x8000000	/* platform binary by the fact of path (osx only) */
    41. 

  41. 

  42. #define CS_DEBUGGED                 0x10000000  /* process is currently or has previously been debugged and allowed to run with invalid pages */
    43. 

  43. #define CS_SIGNED                   0x20000000  /* process has a signature (may have gone invalid) */
    44. 

  44. #define CS_DEV_CODE                 0x40000000  /* code is dev signed, cannot be loaded into prod signed code */
    45. 

  45. 

  46. uint64_t proc_find(int pd, int tries) {
    47. 

  47.     while (tries-- > 0) {
    48. 

  48.         uint64_t proc = rk64(kernprocaddr + 0x08);
    49. 

  49.         
    50. 

  50.         while (proc) {
    51. 

  51.             uint32_t proc_pid = rk32(proc + 0x10);
    52. 

  52.             
    53. 

  53.             if (proc_pid == pd) {
    54. 

  54.                 return proc;
    55. 

  55.             }
    56. 

  56.         
    57. 

  57.             proc = rk64(proc + 0x08);
    58. 

  58.         }
    59. 

  59.     }
    60. 

  60.     
    61. 

  61.     return 0;
    62. 

  62. }
    63. 

  63. 

  64. char *proc_name(int pd) {
    65. 

  65.     uint64_t proc = proc_find(pd, 1);
    66. 

  66.     if (proc == 0) {
    67. 

  67.         return NULL;
    68. 

  68.     }
    69. 

  69.     
    70. 

  70.     char *proc_name = (char *)calloc(40, sizeof(char));
    71. 

  71.     
    72. 

  72.     kread(proc + 0x26c, proc_name, 40);
    73. 

  73.     
    74. 

  74.     return proc_name;
    75. 

  75. }
    76. 

  76. 

  77. CACHED_FIND(uint64_t, our_task_addr) {
    78. 

  78.     uint64_t our_proc = proc_find(getpid(), 1);
    79. 

  79. 

  80.     if (our_proc == 0) {
    81. 

  81.         fprintf(stderr, "failed to find our_task_addr!\n");
    82. 

  82.         exit(EXIT_FAILURE);
    83. 

  83.     }
    84. 

  84. 

  85.     return rk64(our_proc + offsetof_task);
    86. 

  86. }
    87. 

  87. 

  88. uint64_t find_port(mach_port_name_t port) {
    89. 

  89.     uint64_t task_addr = our_task_addr();
    90. 

  90.   
    91. 

  91.     uint64_t itk_space = rk64(task_addr + offsetof_itk_space);
    92. 

  92.   
    93. 

  93.     uint64_t is_table = rk64(itk_space + offsetof_ipc_space_is_table);
    94. 

  94.   
    95. 

  95.     uint32_t port_index = port >> 8;
    96. 

  96.     const int sizeof_ipc_entry_t = 0x18;
    97. 

  97.   
    98. 

  98.     uint64_t port_addr = rk64(is_table + (port_index * sizeof_ipc_entry_t));
    99. 

  99.     return port_addr;
    100. 

  100. }
    101. 

  101. 

  102. void fixupsetuid(int pid){
    103. 

  103.     char pathbuf[PROC_PIDPATHINFO_MAXSIZE];
    104. 

  104.     bzero(pathbuf, sizeof(pathbuf));
    105. 

  105.     
    106. 

  106.     int ret = proc_pidpath(pid, pathbuf, sizeof(pathbuf));
    107. 

  107.     if (ret < 0){
    108. 

  108.         fprintf(stderr,"Unable to get path for PID %d\n", pid);
    109. 

  109.         return;
    110. 

  110.     }
    111. 

  111.     struct stat file_st;
    112. 

  112.     if (lstat(pathbuf, &file_st) == -1){
    113. 

  113. #ifdef JAILBREAKDDEBUG
    114. 

  114.         fprintf(stderr,"Unable to get stat for file %s\n", pathbuf);
    115. 

  115. #endif
    116. 

  116.         return;
    117. 

  117.     }
    118. 

  118.     if (file_st.st_mode & S_ISUID){
    119. 

  119.         uid_t fileUID = file_st.st_uid;
    120. 

  120. #ifdef JAILBREAKDDEBUG
    121. 

  121.         fprintf(stderr,"Fixing up setuid for file owned by %u\n", fileUID);
    122. 

  122. #endif
    123. 

  123.         
    124. 

  124.         uint64_t proc = proc_find(pid, 3);
    125. 

  125.         if (proc != 0) {
    126. 

  126.             uint64_t ucred = rk64(proc + offsetof_p_ucred);
    127. 

  127.             
    128. 

  128.             uid_t cr_svuid = rk32(ucred + offsetof_ucred_cr_svuid);
    129. 

  129. #ifdef JAILBREAKDDEBUG
    130. 

  130.             fprintf(stderr,"Original sv_uid: %u\n", cr_svuid);
    131. 

  131. #endif
    132. 

  132.             wk32(ucred + offsetof_ucred_cr_svuid, fileUID);
    133. 

  133. #ifdef JAILBREAKDDEBUG
    134. 

  134.             fprintf(stderr,"New sv_uid: %u\n", fileUID);
    135. 

  135. #endif
    136. 

  136.         }
    137. 

  137.     } else {
    138. 

  138. #ifdef JAILBREAKDDEBUG
    139. 

  139.         fprintf(stderr,"File %s is not setuid!\n", pathbuf);
    140. 

  140. #endif
    141. 

  141.         return;
    142. 

  142.     }
    143. 

  143. }
    144. 

  144. 

  145. void set_csflags(uint64_t proc) {
    146. 

  146.     uint32_t csflags = rk32(proc + offsetof_p_csflags);
    147. 

  147.     csflags = (csflags | CS_PLATFORM_BINARY | CS_INSTALLER | CS_GET_TASK_ALLOW | CS_DEBUGGED) & ~(CS_RESTRICT | CS_HARD | CS_KILL);
    148. 

  148.     wk32(proc + offsetof_p_csflags, csflags);
    149. 

  149. }
    150. 

  150. 

  151. void set_tfplatform(uint64_t proc) {
    152. 

  152.     // task.t_flags & TF_PLATFORM
    153. 

  153.     uint64_t task = rk64(proc + offsetof_task);
    154. 

  154.     uint32_t t_flags = rk32(task + offsetof_t_flags);
    155. 

  155.     fprintf(stderr,"Old t_flags: 0x%x\n", t_flags);
    156. 

  156.     t_flags |= TF_PLATFORM;
    157. 

  157.     wk32(task+offsetof_t_flags, t_flags);
    158. 

  158.     fprintf(stderr,"New t_flags: 0x%x\n", t_flags);
    159. 

  159. }
    160. 

  160. 

  161. void set_csblob(uint64_t proc) {
    162. 

  162.     uint64_t textvp = rk64(proc + offsetof_p_textvp); // vnode of executable
    163. 

  163.     off_t textoff = rk64(proc + offsetof_p_textoff);
    164. 

  164.     
    165. 

  165.     if (textvp != 0){
    166. 

  166.       uint32_t vnode_type_tag = rk32(textvp + offsetof_v_type);
    167. 

  167.       uint16_t vnode_type = vnode_type_tag & 0xffff;
    168. 

  168.       uint16_t vnode_tag = (vnode_type_tag >> 16);
    169. 

  169.       
    170. 

  170.       if (vnode_type == 1) {
    171. 

  171.           uint64_t ubcinfo = rk64(textvp + offsetof_v_ubcinfo);
    172. 

  172.           
    173. 

  173.           uint64_t csblobs = rk64(ubcinfo + offsetof_ubcinfo_csblobs);
    174. 

  174.           while (csblobs != 0) {
    175. 

  175.               cpu_type_t csblob_cputype = rk32(csblobs + offsetof_csb_cputype);
    176. 

  176.               unsigned int csblob_flags = rk32(csblobs + offsetof_csb_flags);
    177. 

  177.               off_t csb_base_offset = rk64(csblobs + offsetof_csb_base_offset);
    178. 

  178.               uint64_t csb_entitlements = rk64(csblobs + offsetof_csb_entitlements_offset);
    179. 

  179.               unsigned int csb_signer_type = rk32(csblobs + offsetof_csb_signer_type);
    180. 

  180.               unsigned int csb_platform_binary = rk32(csblobs + offsetof_csb_platform_binary);
    181. 

  181.               unsigned int csb_platform_path = rk32(csblobs + offsetof_csb_platform_path);
    182. 

  182. 

  183.               wk32(csblobs + offsetof_csb_platform_binary, 1);
    184. 

  184. 

  185.               csb_platform_binary = rk32(csblobs + offsetof_csb_platform_binary);
    186. 

  186.               
    187. 

  187.               csblobs = rk64(csblobs);
    188. 

  188.           }
    189. 

  189.       }
    190. 

  190.     }
    191. 

  191. }
    192. 

  192. 

  193. 

  194. const char* abs_path_exceptions[] = {
    195. 

  195.     "/meridian",
    196. 

  196.     "/Library",
    197. 

  197.     "/private/var/mobile/Library",
    198. 

  198.     "/private/var/mnt",
    199. 

  199.     NULL
    200. 

  200. };
    201. 

  201. 

  202. uint64_t get_exception_osarray(void) {
    203. 

  203.     static uint64_t cached = 0;
    204. 

  204.     
    205. 

  205.     if (cached == 0) {
    206. 

  206.         cached = OSUnserializeXML(
    207. 

  207.             "<array>"
    208. 

  208.             "<string>/meridian/</string>"
    209. 

  209.             "<string>/Library/</string>"
    210. 

  210.             "<string>/private/var/mobile/Library/</string>"
    211. 

  211.             "<string>/private/var/mnt/</string>"
    212. 

  212.             "</array>"
    213. 

  213.         );
    214. 

  214.     }
    215. 

  215. 

  216.     return cached;
    217. 

  217. }
    218. 

  218. 

  219. static const char *exc_key = "com.apple.security.exception.files.absolute-path.read-only";
    220. 

  220. 

  221. void set_sandbox_extensions(uint64_t proc) {
    222. 

  222.     uint64_t proc_ucred = rk64(proc + 0x100);
    223. 

  223.     uint64_t sandbox = rk64(rk64(proc_ucred + 0x78) + 0x8 + 0x8);
    224. 

  224. 

  225.     if (sandbox == 0) {
    226. 

  226.         fprintf(stderr, "no sandbox, skipping \n");
    227. 

  227.         return;
    228. 

  228.     }
    229. 

  229. 

  230.     if (has_file_extension(sandbox, abs_path_exceptions[0])) {
    231. 

  231.         fprintf(stderr, "already has '%s', skipping \n", abs_path_exceptions[0]);
    232. 

  232.         return;
    233. 

  233.     }
    234. 

  234. 

  235.     uint64_t ext = 0;
    236. 

  236.     const char** path = abs_path_exceptions;
    237. 

  237.     while (*path != NULL) {
    238. 

  238.         ext = extension_create_file(*path, ext);
    239. 

  239.         if (ext == 0) {
    240. 

  240.             fprintf(stderr, "extension_create_file(%s) failed, panic! \n", *path);
    241. 

  241.             NSLog(@"extension_create_file(%s) failed, panic!", *path);
    242. 

  242.         }
    243. 

  243.         ++path;
    244. 

  244.     }
    245. 

  245.     
    246. 

  246.     if (ext != 0) {
    247. 

  247.         extension_add(ext, sandbox, exc_key);
    248. 

  248.     }
    249. 

  249. }
    250. 

  250. 

  251. void set_amfi_entitlements(uint64_t proc) {
    252. 

  252.     uint64_t proc_ucred = rk64(proc + 0x100);
    253. 

  253.     uint64_t amfi_entitlements = rk64(rk64(proc_ucred + 0x78) + 0x8);
    254. 

  254. 

  255.     OSDictionary_SetItem(amfi_entitlements, "get-task-allow", find_OSBoolean_True());
    256. 

  256.     OSDictionary_SetItem(amfi_entitlements, "com.apple.private.skip-library-validation", find_OSBoolean_True());
    257. 

  257. 

  258.     uint64_t present = OSDictionary_GetItem(amfi_entitlements, exc_key);
    259. 

  259. 

  260.     int rv = 0;
    261. 

  261. 

  262.     if (present == 0) {
    263. 

  263.         rv = OSDictionary_SetItem(amfi_entitlements, exc_key, get_exception_osarray());
    264. 

  264.     } else if (present != get_exception_osarray()) {
    265. 

  265.         unsigned int itemCount = OSArray_ItemCount(present);
    266. 

  266.         
    267. 

  267.         BOOL foundEntitlements = NO;
    268. 

  268.         
    269. 

  269.         uint64_t itemBuffer = OSArray_ItemBuffer(present);
    270. 

  270.         
    271. 

  271.         for (int i = 0; i < itemCount; i++) {
    272. 

  272.             uint64_t item = rk64(itemBuffer + (i * sizeof(void *)));
    273. 

  273.             char *entitlementString = OSString_CopyString(item);
    274. 

  274.             if (strcmp(entitlementString, "/meridian/") == 0){
    275. 

  275.                 foundEntitlements = YES;
    276. 

  276.                 free(entitlementString);
    277. 

  277.                 break;
    278. 

  278.             }
    279. 

  279.             free(entitlementString);
    280. 

  280.         }
    281. 

  281.         
    282. 

  282.         if (!foundEntitlements){
    283. 

  283.             rv = OSArray_Merge(present, get_exception_osarray());
    284. 

  284.         } else {
    285. 

  285.             rv = 1;
    286. 

  286.         }
    287. 

  287.     } else {
    288. 

  288.         rv = 1;
    289. 

  289.     }
    290. 

  290. 

  291.     if (rv != 1) {
    292. 

  292.         NSLog(@"Setting exc FAILED! amfi_entitlements: 0x%llx present: 0x%llx\n", amfi_entitlements, present);
    293. 

  293.     }
    294. 

  294.  
    295. 

  295. }
    296. 

  296. 

  297. int setcsflagsandplatformize(int pid) {
    298. 

  298.     uint64_t proc = proc_find(pid, 3);
    299. 

  299.     if (proc == 0) {
    300. 

  300.         NSLog(@"Unable to find pid %d to entitle!", pid);
    301. 

  301.         return 1;
    302. 

  302.     }
    303. 

  303.     fprintf(stderr,"setcsflagsandplatformize start on PID %d\n", pid);
    304. 

  304.     char name[40] = {0};
    305. 

  305.     kread(proc+0x268, name, 20);
    306. 

  306.     fprintf(stderr,"PID %d name is %s\n", pid, name);
    307. 

  307.     set_csflags(proc);
    308. 

  308.     set_tfplatform(proc);
    309. 

  309.     set_amfi_entitlements(proc);
    310. 

  310.     set_sandbox_extensions(proc);
    311. 

  311.     set_csblob(proc);
    312. 

  312.     return 0;
    313. 

  313. }
    314. 

  314.