Home Explore Help
Sign In
NitoTV
/
merdian
Watch 3
Star 0
Fork 0
Files Issues 0 Pull Requests 1 Wiki
Branch: master
Branches Tags
merdian
/
Meridian
/
meridianTV
/
electra_extras
/
basebinaries
/
jailbreakd
/
kern_utils.m

kern_utils.m 12 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363 
  1. #import <Foundation/Foundation.h>
    2. 

  2. #import <sys/stat.h>
    3. 

  3. #import "kern_utils.h"
    4. 

  4. #import "kmem.h"
    5. 

  5. #import "patchfinder64.h"
    6. 

  6. #import "kexecute.h"
    7. 

  7. #import "offsetof.h"
    8. 

  8. #import "osobject.h"
    9. 

  9. #import "sandbox.h"
    10. 

  10. 

  11. #define PROC_PIDPATHINFO_MAXSIZE  (4*MAXPATHLEN)
    12. 

  12. int proc_pidpath(pid_t pid, void *buffer, uint32_t buffersize);
    13. 

  13. 

  14. #define TF_PLATFORM 0x400
    15. 

  15. 

  16. #define	CS_VALID		0x0000001	/* dynamically valid */
    17. 

  17. #define CS_ADHOC		0x0000002	/* ad hoc signed */
    18. 

  18. #define CS_GET_TASK_ALLOW	0x0000004	/* has get-task-allow entitlement */
    19. 

  19. #define CS_INSTALLER		0x0000008	/* has installer entitlement */
    20. 

  20. 

  21. #define	CS_HARD			0x0000100	/* don't load invalid pages */
    22. 

  22. #define	CS_KILL			0x0000200	/* kill process if it becomes invalid */
    23. 

  23. #define CS_CHECK_EXPIRATION	0x0000400	/* force expiration checking */
    24. 

  24. #define CS_RESTRICT		0x0000800	/* tell dyld to treat restricted */
    25. 

  25. #define CS_ENFORCEMENT		0x0001000	/* require enforcement */
    26. 

  26. #define CS_REQUIRE_LV		0x0002000	/* require library validation */
    27. 

  27. #define CS_ENTITLEMENTS_VALIDATED	0x0004000
    28. 

  28. 

  29. #define	CS_ALLOWED_MACHO	0x00ffffe
    30. 

  30. 

  31. #define CS_EXEC_SET_HARD	0x0100000	/* set CS_HARD on any exec'ed process */
    32. 

  32. #define CS_EXEC_SET_KILL	0x0200000	/* set CS_KILL on any exec'ed process */
    33. 

  33. #define CS_EXEC_SET_ENFORCEMENT	0x0400000	/* set CS_ENFORCEMENT on any exec'ed process */
    34. 

  34. #define CS_EXEC_SET_INSTALLER	0x0800000	/* set CS_INSTALLER on any exec'ed process */
    35. 

  35. 

  36. #define CS_KILLED		0x1000000	/* was killed by kernel for invalidity */
    37. 

  37. #define CS_DYLD_PLATFORM	0x2000000	/* dyld used to load this is a platform binary */
    38. 

  38. #define CS_PLATFORM_BINARY	0x4000000	/* this is a platform binary */
    39. 

  39. #define CS_PLATFORM_PATH	0x8000000	/* platform binary by the fact of path (osx only) */
    40. 

  40. 

  41. #define CS_DEBUGGED         0x10000000  /* process is currently or has previously been debugged and allowed to run with invalid pages */
    42. 

  42. #define CS_SIGNED         0x20000000  /* process has a signature (may have gone invalid) */
    43. 

  43. #define CS_DEV_CODE         0x40000000  /* code is dev signed, cannot be loaded into prod signed code (will go away with rdar://problem/28322552) */
    44. 

  44. 

  45. uint64_t proc_find(int pd, int tries) {
    46. 

  46.   // TODO use kcall(proc_find) + ZM_FIX_ADDR
    47. 

  47.   while (tries-- > 0) {
    48. 

  48.     uint64_t proc = rk64(find_allproc());
    49. 

  49.     while (proc) {
    50. 

  50.       uint32_t pid = rk32(proc + offsetof_p_pid);
    51. 

  51.       if (pid == pd) {
    52. 

  52.         return proc;
    53. 

  53.       }
    54. 

  54.       proc = rk64(proc);
    55. 

  55.     }
    56. 

  56.   }
    57. 

  57.   return 0;
    58. 

  58. }
    59. 

  59. 

  60. CACHED_FIND(uint64_t, our_task_addr) {
    61. 

  61.   uint64_t our_proc = proc_find(getpid(), 1);
    62. 

  62. 

  63.   if (our_proc == 0) {
    64. 

  64.     fprintf(stderr,"failed to find our_task_addr!\n");
    65. 

  65.     exit(EXIT_FAILURE);
    66. 

  66.   }
    67. 

  67. 

  68.   uint64_t addr = rk64(our_proc + offsetof_task);
    69. 

  69.   fprintf(stderr,"our_task_addr: 0x%llx\n", addr);
    70. 

  70.   return addr;
    71. 

  71. }
    72. 

  72. 

  73. uint64_t find_port(mach_port_name_t port){
    74. 

  74.   uint64_t task_addr = our_task_addr();
    75. 

  75.   
    76. 

  76.   uint64_t itk_space = rk64(task_addr + offsetof_itk_space);
    77. 

  77.   
    78. 

  78.   uint64_t is_table = rk64(itk_space + offsetof_ipc_space_is_table);
    79. 

  79.   
    80. 

  80.   uint32_t port_index = port >> 8;
    81. 

  81.   const int sizeof_ipc_entry_t = 0x18;
    82. 

  82.   
    83. 

  83.   uint64_t port_addr = rk64(is_table + (port_index * sizeof_ipc_entry_t));
    84. 

  84.   return port_addr;
    85. 

  85. }
    86. 

  86. 

  87. void fixupsetuid(int pid){
    88. 

  88.     char pathbuf[PROC_PIDPATHINFO_MAXSIZE];
    89. 

  89.     bzero(pathbuf, sizeof(pathbuf));
    90. 

  90.     
    91. 

  91.     int ret = proc_pidpath(pid, pathbuf, sizeof(pathbuf));
    92. 

  92.     if (ret < 0){
    93. 

  93.         fprintf(stderr,"Unable to get path for PID %d\n", pid);
    94. 

  94.         return;
    95. 

  95.     }
    96. 

  96.     struct stat file_st;
    97. 

  97.     if (lstat(pathbuf, &file_st) == -1){
    98. 

  98. #ifdef JAILBREAKDDEBUG
    99. 

  99.         fprintf(stderr,"Unable to get stat for file %s\n", pathbuf);
    100. 

  100. #endif
    101. 

  101.         return;
    102. 

  102.     }
    103. 

  103.     if (file_st.st_mode & S_ISUID){
    104. 

  104.         uid_t fileUID = file_st.st_uid;
    105. 

  105. #ifdef JAILBREAKDDEBUG
    106. 

  106.         fprintf(stderr,"Fixing up setuid for file owned by %u\n", fileUID);
    107. 

  107. #endif
    108. 

  108.         
    109. 

  109.         uint64_t proc = proc_find(pid, 3);
    110. 

  110.         if (proc != 0) {
    111. 

  111.             uint64_t ucred = rk64(proc + offsetof_p_ucred);
    112. 

  112.             
    113. 

  113.             uid_t cr_svuid = rk32(ucred + offsetof_ucred_cr_svuid);
    114. 

  114. #ifdef JAILBREAKDDEBUG
    115. 

  115.             fprintf(stderr,"Original sv_uid: %u\n", cr_svuid);
    116. 

  116. #endif
    117. 

  117.             wk32(ucred + offsetof_ucred_cr_svuid, fileUID);
    118. 

  118. #ifdef JAILBREAKDDEBUG
    119. 

  119.             fprintf(stderr,"New sv_uid: %u\n", fileUID);
    120. 

  120. #endif
    121. 

  121.         }
    122. 

  122.     } else {
    123. 

  123. #ifdef JAILBREAKDDEBUG
    124. 

  124.         fprintf(stderr,"File %s is not setuid!\n", pathbuf);
    125. 

  125. #endif
    126. 

  126.         return;
    127. 

  127.     }
    128. 

  128. }
    129. 

  129. 

  130. void set_csflags(uint64_t proc) {
    131. 

  131.     uint32_t csflags = rk32(proc + offsetof_p_csflags);
    132. 

  132. #ifdef JAILBREAKDDEBUG
    133. 

  133.     fprintf(stderr,"Previous CSFlags: 0x%x\n", csflags);
    134. 

  134. #endif
    135. 

  135.     csflags = (csflags | CS_PLATFORM_BINARY | CS_INSTALLER | CS_GET_TASK_ALLOW | CS_DEBUGGED) & ~(CS_RESTRICT | CS_HARD | CS_KILL);
    136. 

  136. #ifdef JAILBREAKDDEBUG
    137. 

  137.     fprintf(stderr,"New CSFlags: 0x%x\n", csflags);
    138. 

  138. #endif
    139. 

  139.     wk32(proc + offsetof_p_csflags, csflags);
    140. 

  140. }
    141. 

  141. 

  142. void set_tfplatform(uint64_t proc) {
    143. 

  143.     // task.t_flags & TF_PLATFORM
    144. 

  144.     uint64_t task = rk64(proc + offsetof_task);
    145. 

  145.     uint32_t t_flags = rk32(task + offsetof_t_flags);
    146. 

  146. #ifdef JAILBREAKDDEBUG
    147. 

  147.     fprintf(stderr,"Old t_flags: 0x%x\n", t_flags);
    148. 

  148. #endif
    149. 

  149.     t_flags |= TF_PLATFORM;
    150. 

  150.     wk32(task+offsetof_t_flags, t_flags);
    151. 

  151. #ifdef JAILBREAKDDEBUG
    152. 

  152.     fprintf(stderr,"New t_flags: 0x%x\n", t_flags);
    153. 

  153. #endif
    154. 

  154. }
    155. 

  155. 

  156. void set_csblob(uint64_t proc) {
    157. 

  157.     uint64_t textvp = rk64(proc + offsetof_p_textvp); //vnode of executable
    158. 

  158.     off_t textoff = rk64(proc + offsetof_p_textoff);
    159. 

  159.     
    160. 

  160. #ifdef JAILBREAKDDEBUG
    161. 

  161.     fprintf(stderr,"\t__TEXT at 0x%llx. Offset: 0x%llx\n", textvp, textoff);
    162. 

  162. #endif
    163. 

  163.     if (textvp != 0){
    164. 

  164.       uint32_t vnode_type_tag = rk32(textvp + offsetof_v_type);
    165. 

  165.       uint16_t vnode_type = vnode_type_tag & 0xffff;
    166. 

  166.       uint16_t vnode_tag = (vnode_type_tag >> 16);
    167. 

  167. #ifdef JAILBREAKDDEBUG
    168. 

  168.       fprintf(stderr,"\tVNode Type: 0x%x. Tag: 0x%x.\n", vnode_type, vnode_tag);
    169. 

  169. #endif
    170. 

  170.       
    171. 

  171.       if (vnode_type == 1){
    172. 

  172.           uint64_t ubcinfo = rk64(textvp + offsetof_v_ubcinfo);
    173. 

  173. #ifdef JAILBREAKDDEBUG
    174. 

  174.           fprintf(stderr,"\t\tUBCInfo at 0x%llx.\n\n", ubcinfo);
    175. 

  175. #endif
    176. 

  176.           
    177. 

  177.           uint64_t csblobs = rk64(ubcinfo + offsetof_ubcinfo_csblobs);
    178. 

  178.           while (csblobs != 0){
    179. 

  179. #ifdef JAILBREAKDDEBUG
    180. 

  180.               fprintf(stderr,"\t\t\tCSBlobs at 0x%llx.\n", csblobs);
    181. 

  181. #endif
    182. 

  182.               
    183. 

  183.               cpu_type_t csblob_cputype = rk32(csblobs + offsetof_csb_cputype);
    184. 

  184.               unsigned int csblob_flags = rk32(csblobs + offsetof_csb_flags);
    185. 

  185.               off_t csb_base_offset = rk64(csblobs + offsetof_csb_base_offset);
    186. 

  186.               uint64_t csb_entitlements = rk64(csblobs + offsetof_csb_entitlements_offset);
    187. 

  187.               unsigned int csb_signer_type = rk32(csblobs + offsetof_csb_signer_type);
    188. 

  188.               unsigned int csb_platform_binary = rk32(csblobs + offsetof_csb_platform_binary);
    189. 

  189.               unsigned int csb_platform_path = rk32(csblobs + offsetof_csb_platform_path);
    190. 

  190. 

  191. #ifdef JAILBREAKDDEBUG
    192. 

  192.               fprintf(stderr,"\t\t\tCSBlob CPU Type: 0x%x. Flags: 0x%x. Offset: 0x%llx\n", csblob_cputype, csblob_flags, csb_base_offset);
    193. 

  193.               fprintf(stderr,"\t\t\tCSBlob Signer Type: 0x%x. Platform Binary: %d Path: %d\n", csb_signer_type, csb_platform_binary, csb_platform_path);
    194. 

  194. #endif
    195. 

  195.               wk32(csblobs + offsetof_csb_platform_binary, 1);
    196. 

  196. 

  197.               csb_platform_binary = rk32(csblobs + offsetof_csb_platform_binary);
    198. 

  198. #ifdef JAILBREAKDDEBUG
    199. 

  199.               fprintf(stderr,"\t\t\tCSBlob Signer Type: 0x%x. Platform Binary: %d Path: %d\n", csb_signer_type, csb_platform_binary, csb_platform_path);
    200. 

  200.               
    201. 

  201.               fprintf(stderr,"\t\t\t\tEntitlements at 0x%llx.\n", csb_entitlements);
    202. 

  202. #endif
    203. 

  203.               csblobs = rk64(csblobs);
    204. 

  204.           }
    205. 

  205.       }
    206. 

  206.     }
    207. 

  207. }
    208. 

  208. 

  209. const char* abs_path_exceptions[] = {
    210. 

  210.   "/Library",
    211. 

  211.   // XXX there's some weird stuff about linking and special
    212. 

  212.   // handling for /private/var/mobile/* in sandbox
    213. 

  213.   "/private/var/mobile/Library",
    214. 

  214.   "/private/var/mnt",
    215. 

  215.   "/private/var/db",
    216. 

  216.   "/private/var/stash",
    217. 

  217.   NULL
    218. 

  218. };
    219. 

  219. 

  220. uint64_t get_exception_osarray(void) {
    221. 

  221.   static uint64_t cached = 0;
    222. 

  222. 

  223.   if (cached == 0) {
    224. 

  224.     // XXX use abs_path_exceptions
    225. 

  225.     cached = OSUnserializeXML("<array>"
    226. 

  226.     "<string>/Library/</string>"
    227. 

  227.     "<string>/private/var/mobile/Library/</string>"
    228. 

  228.     "<string>/private/var/mnt/</string>"
    229. 

  229.     "<string>/private/var/db/</string>"
    230. 

  230.     "<string>/private/var/stash/</string>"
    231. 

  231.     "</array>");
    232. 

  232.   }
    233. 

  233. 

  234.   return cached;
    235. 

  235. }
    236. 

  236. 

  237. static const char *exc_key = "com.apple.security.exception.files.absolute-path.read-only";
    238. 

  238. 

  239. void set_sandbox_extensions(uint64_t proc) {
    240. 

  240.   uint64_t proc_ucred = rk64(proc+0x100);
    241. 

  241.   uint64_t sandbox = rk64(rk64(proc_ucred+0x78) + 8 + 8);
    242. 

  242. 

  243. #ifdef JAILBREAKDDEBUG
    244. 

  244.   fprintf(stderr,"proc = 0x%llx & proc_ucred = 0x%llx & sandbox = 0x%llx\n", proc, proc_ucred, sandbox);
    245. 

  245. #endif
    246. 

  246.     
    247. 

  247.   if (sandbox == 0) {
    248. 

  248. #ifdef JAILBREAKDDEBUG
    249. 

  249.     fprintf(stderr,"no sandbox, skipping\n");
    250. 

  250. #endif
    251. 

  251.     return;
    252. 

  252.   }
    253. 

  253. 

  254.   if (has_file_extension(sandbox, abs_path_exceptions[0])) {
    255. 

  255. #ifdef JAILBREAKDDEBUG
    256. 

  256.     fprintf(stderr,"already has '%s', skipping\n", abs_path_exceptions[0]);
    257. 

  257. #endif
    258. 

  258.     return;
    259. 

  259.   }
    260. 

  260. 

  261.   uint64_t ext = 0;
    262. 

  262.   const char** path = abs_path_exceptions;
    263. 

  263.   while (*path != NULL) {
    264. 

  264.     ext = extension_create_file(*path, ext);
    265. 

  265.     if (ext == 0) {
    266. 

  266.       fprintf(stderr,"extension_create_file(%s) failed, panic!\n", *path);
    267. 

  267.     }
    268. 

  268.     ++path;
    269. 

  269.   }
    270. 

  270. 

  271. #ifdef JAILBREAKDDEBUG
    272. 

  272.   fprintf(stderr,"last extension_create_file ext: 0x%llx\n", ext);
    273. 

  273. #endif
    274. 

  274. 

  275.   if (ext != 0) {
    276. 

  276.     extension_add(ext, sandbox, exc_key);
    277. 

  277.   }
    278. 

  278. }
    279. 

  279. 

  280. void set_amfi_entitlements(uint64_t proc) {
    281. 

  281.     // AMFI entitlements
    282. 

  282. #ifdef JAILBREAKDDEBUG
    283. 

  283.     fprintf(stderr,"AMFI:\n");
    284. 

  284. #endif
    285. 

  285.     uint64_t proc_ucred = rk64(proc+0x100);
    286. 

  286.     uint64_t amfi_entitlements = rk64(rk64(proc_ucred+0x78)+0x8);
    287. 

  287. #ifdef JAILBREAKDDEBUG
    288. 

  288.     fprintf(stderr,"Setting Entitlements...\n");
    289. 

  289. #endif
    290. 

  290. 

  291.     OSDictionary_SetItem(amfi_entitlements, "get-task-allow", find_OSBoolean_True());
    292. 

  292.     OSDictionary_SetItem(amfi_entitlements, "com.apple.private.skip-library-validation", find_OSBoolean_True());
    293. 

  293. 

  294.     uint64_t present = OSDictionary_GetItem(amfi_entitlements, exc_key);
    295. 

  295. 

  296.     int rv = 0;
    297. 

  297. 

  298.     if (present == 0) {
    299. 

  299.       rv = OSDictionary_SetItem(amfi_entitlements, exc_key, get_exception_osarray());
    300. 

  300.     } else if (present != get_exception_osarray()) {
    301. 

  301.         unsigned int itemCount = OSArray_ItemCount(present);
    302. 

  302. #ifdef JAILBREAKDDEBUG
    303. 

  303.         fprintf(stderr,"present != 0 (0x%llx)! item count: %d\n", present, itemCount);
    304. 

  304. #endif
    305. 

  305.         BOOL foundEntitlements = NO;
    306. 

  306.         
    307. 

  307.         uint64_t itemBuffer = OSArray_ItemBuffer(present);
    308. 

  308.         
    309. 

  309.         for (int i = 0; i < itemCount; i++){
    310. 

  310.             uint64_t item = rk64(itemBuffer + (i * sizeof(void *)));
    311. 

  311. #ifdef JAILBREAKDDEBUG
    312. 

  312.             fprintf(stderr,"Item %d: 0x%llx\n", i, item);
    313. 

  313. #endif
    314. 

  314.             char *entitlementString = OSString_CopyString(item);
    315. 

  315.             if (strcmp(entitlementString, "/bootstrap/") == 0){
    316. 

  316.                 foundEntitlements = YES;
    317. 

  317.                 free(entitlementString);
    318. 

  318.                 break;
    319. 

  319.             }
    320. 

  320.             free(entitlementString);
    321. 

  321.         }
    322. 

  322.         
    323. 

  323.         if (!foundEntitlements){
    324. 

  324.             rv = OSArray_Merge(present, get_exception_osarray());
    325. 

  325.         } else {
    326. 

  326.             rv = 1;
    327. 

  327.         }
    328. 

  328.     } else {
    329. 

  329. #ifdef JAILBREAKDDEBUG
    330. 

  330.       fprintf(stderr,"Not going to merge array with itself :P\n");
    331. 

  331. #endif
    332. 

  332.       rv = 1;
    333. 

  333.     }
    334. 

  334. 

  335.     if (rv != 1) {
    336. 

  336.       fprintf(stderr,"Setting exc FAILED! amfi_entitlements: 0x%llx present: 0x%llx\n", amfi_entitlements, present);
    337. 

  337.     }
    338. 

  338. }
    339. 

  339. 

  340. int setcsflagsandplatformize(int pid){
    341. 

  341.   uint64_t proc = proc_find(pid, 3);
    342. 

  342.   if (proc != 0) {
    343. 

  343. #ifdef JAILBREAKDDEBUG
    344. 

  344.     fprintf(stderr,"setcsflagsandplatformize start on PID %d\n", pid);
    345. 

  345.     char name[40] = {0};
    346. 

  346.     kread(proc+0x268, name, 20);
    347. 

  347.     fprintf(stderr,"PID %d name is %s\n", pid, name);
    348. 

  348. #endif
    349. 

  349.       
    350. 

  350.     set_csflags(proc);
    351. 

  351.     set_tfplatform(proc);
    352. 

  352.     set_amfi_entitlements(proc);
    353. 

  353.     set_sandbox_extensions(proc);
    354. 

  354.     set_csblob(proc);
    355. 

  355. #ifdef JAILBREAKDDEBUG
    356. 

  356.     fprintf(stderr,"setcsflagsandplatformize done on PID %d\n", pid);
    357. 

  357. #endif
    358. 

  358.     return 0;
    359. 

  359.   }
    360. 

  360.   fprintf(stderr,"Unable to find PID %d to entitle!\n", pid);
    361. 

  361.   return 1;
    362. 

  362. }
    363. 

  363.