Home Explore Help
Sign In
NitoTV
/
merdian
Watch 3
Star 0
Fork 0
Files Issues 0 Pull Requests 1 Wiki
Branch: master
Branches Tags
merdian
/
Meridian
/
meridianTV
/
electra_extras
/
basebinaries
/
pspawn_payload
/
pspawn_payload.m

pspawn_payload.m 9.1 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303 
  1. #include <dlfcn.h>
    2. 

  2. #include <stdio.h>
    3. 

  3. #include <mach/mach.h>
    4. 

  4. #include <mach/error.h>
    5. 

  5. #include <mach/message.h>
    6. 

  6. #include <string.h>
    7. 

  7. #include <unistd.h>
    8. 

  8. #include <spawn.h>
    9. 

  9. #include <sys/types.h>
    10. 

  10. #include <errno.h>
    11. 

  11. #include <stdlib.h>
    12. 

  12. #include <sys/sysctl.h>
    13. 

  13. #include <dlfcn.h>
    14. 

  14. #include <sys/mman.h>
    15. 

  15. #include <sys/stat.h>
    16. 

  16. #include <pthread.h>
    17. 

  17. #include <Foundation/Foundation.h>
    18. 

  18. #include "fishhook.h"
    19. 

  19. #include "mach/jailbreak_daemonUser.h"
    20. 

  20. 

  21. int file_exist(const char *filename) {
    22. 

  22.     struct stat buffer;
    23. 

  23.     int r = stat(filename, &buffer);
    24. 

  24.     return (r == 0);
    25. 

  25. }
    26. 

  26. 

  27. #define PSPAWN_PAYLOAD_DEBUG 1
    28. 

  28. 

  29. //#ifdef PSPAWN_PAYLOAD_DEBUG
    30. 

  30. #define LAUNCHD_LOG_PATH "/var/log/pspawn_payload_launchd.log"
    31. 

  31. // XXX multiple xpcproxies opening same file
    32. 

  32. // XXX not closing logfile before spawn
    33. 

  33. #define XPCPROXY_LOG_PATH "/var/log//pspawn_payload_xpcproxy.log"
    34. 

  34. FILE *log_file;
    35. 

  35. #define DEBUGLOG(fmt, args...)\
    36. 

  36. do {\
    37. 

  37. if (log_file == NULL) {\
    38. 

  38. log_file = fopen((current_process == PROCESS_LAUNCHD) ? LAUNCHD_LOG_PATH : XPCPROXY_LOG_PATH, "a"); \
    39. 

  39. if (log_file == NULL) break; \
    40. 

  40. } \
    41. 

  41. fprintf(log_file, fmt "\n", ##args); \
    42. 

  42. fflush(log_file); \
    43. 

  43. } while(0)
    44. 

  44. /*
    45. 

  45. #else
    46. 

  46. #define DEBUGLOG(fmt, args...)
    47. 

  47. #endif
    48. 

  48. */
    49. 

  49. #define PSPAWN_PAYLOAD_DYLIB "/electra/pspawn_payload.dylib"
    50. 

  50. #define AMFID_PAYLOAD_DYLIB "/electra/amfid_payload.dylib"
    51. 

  51. #define SBINJECT_PAYLOAD_DYLIB "/usr/lib/TweakInject.dylib"
    52. 

  52. 

  53. // since this dylib should only be loaded into launchd and xpcproxy
    54. 

  54. // it's safe to assume that we're in xpcproxy if getpid() != 1
    55. 

  55. enum currentprocess {
    56. 

  56.     PROCESS_LAUNCHD,
    57. 

  57.     PROCESS_XPCPROXY,
    58. 

  58. };
    59. 

  59. 

  60. int current_process = PROCESS_XPCPROXY;
    61. 

  61. 

  62. #define JAILBREAKD_COMMAND_ENTITLE_AND_SIGCONT 2
    63. 

  63. #define JAILBREAKD_COMMAND_ENTITLE_AND_SIGCONT_FROM_XPCPROXY 3
    64. 

  64. 

  65. kern_return_t bootstrap_look_up(mach_port_t port, const char *service, mach_port_t *server_port);
    66. 

  66. 

  67. mach_port_t jbd_port;
    68. 

  68. 

  69. 

  70. const char* xpcproxy_blacklist[] = {
    71. 

  71.     "com.apple.diagnosticd",  // syslog
    72. 

  72.     "MTLCompilerService",     // ?_?
    73. 

  73.     "mapspushd",              // stupid Apple Maps
    74. 

  74.     "OTAPKIAssetTool",        // h_h
    75. 

  75.     "cfprefsd",               // o_o
    76. 

  76.     "jailbreakd",             // don't inject into jbd since we'd have to call to it
    77. 

  77.     "mediaremoted",           // keeps remote app from working
    78. 

  78.     "debugserver",           // keeps xcode debugging from working
    79. 

  79.     "reboot",
    80. 

  80.     //"com.nito.nitoTV4",
    81. 

  81.     //"com.nito.nitoTV4.nitoTVTopShelf",
    82. 

  82.     /*
    83. 

  83.     "PineBoard",              // for now
    84. 

  84.     "com.apple.PineBoard",
    85. 

  85.     "com.apple.HeadBoard",
    86. 

  86.     "HeadBoard",
    87. 

  87.     "com.firecore.infuse.pro",
    88. 

  88.     "com.apple.accessibility.AccessibilityUIServer",
    89. 

  89.     "com.apple.TVAirPlay",
    90. 

  90.     "com.apple.mediaserverd",
    91. 

  91.     "com.apple.SiriViewService",
    92. 

  92.     "com.apple.syncdefaultsd",
    93. 

  93.     "com.apple.TVWatchList",
    94. 

  94.     "com.apple.TVAppStore",
    95. 

  95.     "com.apple.TVIdleScreen",
    96. 

  96.     "com.apple.TVSettings",
    97. 

  97.      */
    98. 

  98.     NULL
    99. 

  99. };
    100. 

  100. 

  101. typedef int (*pspawn_t)(pid_t * pid, const char* path, const posix_spawn_file_actions_t *file_actions, posix_spawnattr_t *attrp, char const* argv[], const char* envp[]);
    102. 

  102. 

  103. pspawn_t old_pspawn, old_pspawnp;
    104. 

  104. 

  105. int fake_posix_spawn_common(pid_t * pid, const char* path, const posix_spawn_file_actions_t *file_actions, posix_spawnattr_t *attrp, char const* argv[], const char* envp[], pspawn_t old) {
    106. 

  106.     DEBUGLOG("We got called (fake_posix_spawn)! %s", path);
    107. 

  107.     
    108. 

  108.     const char *inject_me = NULL;
    109. 

  109.     
    110. 

  110.     if (current_process == PROCESS_LAUNCHD) {
    111. 

  111.         if (strcmp(path, "/usr/libexec/xpcproxy") == 0) {
    112. 

  112.             inject_me = PSPAWN_PAYLOAD_DYLIB;
    113. 

  113.             
    114. 

  114.             const char* startd = argv[1];
    115. 

  115.             if (startd != NULL) {
    116. 

  116.                 const char **blacklist = xpcproxy_blacklist;
    117. 

  117.                 
    118. 

  118.                 while (*blacklist) {
    119. 

  119.                     if (strstr(startd, *blacklist)) {
    120. 

  120.                         DEBUGLOG("xpcproxy for '%s' which is in blacklist, not injecting", startd);
    121. 

  121.                         inject_me = NULL;
    122. 

  122.                         break;
    123. 

  123.                     }
    124. 

  124.                     
    125. 

  125.                     ++blacklist;
    126. 

  126.                 }
    127. 

  127.             }
    128. 

  128.         }
    129. 

  129.     } else if (current_process == PROCESS_XPCPROXY) {
    130. 

  130.         // XXX inject both SBInject & amfid payload into amfid?
    131. 

  131.         // note: DYLD_INSERT_LIBRARIES=libfoo1.dylib:libfoo2.dylib
    132. 

  132.         if (strcmp(path, "/usr/libexec/amfid") == 0) {
    133. 

  133.             DEBUGLOG("Starting amfid -- special handling");
    134. 

  134.             inject_me = AMFID_PAYLOAD_DYLIB;
    135. 

  135.         } else {
    136. 

  136.             inject_me = SBINJECT_PAYLOAD_DYLIB;
    137. 

  137.         }
    138. 

  138.     }
    139. 

  139.     
    140. 

  140.     // XXX log different err on inject_me == NULL and nonexistent inject_me
    141. 

  141.     if (inject_me == NULL || !file_exist(inject_me)) {
    142. 

  142.         DEBUGLOG("Nothing to inject");
    143. 

  143.         return old(pid, path, file_actions, attrp, argv, envp);
    144. 

  144.     }
    145. 

  145.     
    146. 

  146.     DEBUGLOG("Injecting %s into %s", inject_me, path);
    147. 

  147.     
    148. 

  148. #ifdef PSPAWN_PAYLOAD_DEBUG
    149. 

  149.     if (argv != NULL){
    150. 

  150.         DEBUGLOG("Args: ");
    151. 

  151.         const char** currentarg = argv;
    152. 

  152.         while (*currentarg != NULL){
    153. 

  153.             DEBUGLOG("\t%s", *currentarg);
    154. 

  154.             currentarg++;
    155. 

  155.         }
    156. 

  156.     }
    157. 

  157. #endif
    158. 

  158.     
    159. 

  159.     int envcount = 0;
    160. 

  160.     
    161. 

  161.     if (envp != NULL){
    162. 

  162.         DEBUGLOG("Env: ");
    163. 

  163.         const char** currentenv = envp;
    164. 

  164.         while (*currentenv != NULL){
    165. 

  165.             DEBUGLOG("\t%s", *currentenv);
    166. 

  166.             if (strstr(*currentenv, "DYLD_INSERT_LIBRARIES") == NULL) {
    167. 

  167.                 envcount++;
    168. 

  168.             }
    169. 

  169.             currentenv++;
    170. 

  170.         }
    171. 

  171.     }
    172. 

  172.     
    173. 

  173.     char const** newenvp = malloc((envcount+2) * sizeof(char **));
    174. 

  174.     int j = 0;
    175. 

  175.     for (int i = 0; i < envcount; i++){
    176. 

  176.         if (strstr(envp[j], "DYLD_INSERT_LIBRARIES") != NULL){
    177. 

  177.             continue;
    178. 

  178.         }
    179. 

  179.         newenvp[i] = envp[j];
    180. 

  180.         j++;
    181. 

  181.     }
    182. 

  182.     
    183. 

  183.     char *envp_inject = malloc(strlen("DYLD_INSERT_LIBRARIES=") + strlen(inject_me) + 1);
    184. 

  184.     
    185. 

  185.     envp_inject[0] = '\0';
    186. 

  186.     strcat(envp_inject, "DYLD_INSERT_LIBRARIES=");
    187. 

  187.     strcat(envp_inject, inject_me);
    188. 

  188.     
    189. 

  189.     newenvp[j] = envp_inject;
    190. 

  190.     newenvp[j+1] = NULL;
    191. 

  191.     
    192. 

  192. #if PSPAWN_PAYLOAD_DEBUG
    193. 

  193.     DEBUGLOG("New Env:");
    194. 

  194.     const char** currentenv = newenvp;
    195. 

  195.     while (*currentenv != NULL){
    196. 

  196.         DEBUGLOG("\t%s", *currentenv);
    197. 

  197.         currentenv++;
    198. 

  198.     }
    199. 

  199. #endif
    200. 

  200.     
    201. 

  201.     posix_spawnattr_t attr;
    202. 

  202.     
    203. 

  203.     posix_spawnattr_t *newattrp = &attr;
    204. 

  204.     
    205. 

  205.     if (attrp) {
    206. 

  206.         
    207. 

  207.         DEBUGLOG("attrp!\n");
    208. 

  208.         
    209. 

  209.         newattrp = attrp;
    210. 

  210.         short flags;
    211. 

  211.         posix_spawnattr_getflags(attrp, &flags);
    212. 

  212.         flags |= POSIX_SPAWN_START_SUSPENDED;
    213. 

  213.         posix_spawnattr_setflags(attrp, flags);
    214. 

  214.     } else {
    215. 

  215.         
    216. 

  216.         DEBUGLOG("attrp else\n");
    217. 

  217.         posix_spawnattr_init(&attr);
    218. 

  218.         posix_spawnattr_setflags(&attr, POSIX_SPAWN_START_SUSPENDED);
    219. 

  219.     }
    220. 

  220.     
    221. 

  221.     int origret;
    222. 

  222.     
    223. 

  223. #define FLAG_ATTRIBUTE_XPCPROXY (1 << 17)
    224. 

  224.     
    225. 

  225.     if (current_process == PROCESS_XPCPROXY) {
    226. 

  226.         // dont leak logging fd into execd process
    227. 

  227.         
    228. 

  228.          DEBUGLOG("dont leak logging fd into execd process\n");
    229. 

  229. #ifdef PSPAWN_PAYLOAD_DEBUG
    230. 

  230.         if (log_file != NULL) {
    231. 

  231.             fclose(log_file);
    232. 

  232.             log_file = NULL;
    233. 

  233.         }
    234. 

  234. #endif
    235. 

  235.         jbd_call(jbd_port, JAILBREAKD_COMMAND_ENTITLE_AND_SIGCONT_FROM_XPCPROXY, getpid());
    236. 

  236.         
    237. 

  237.         
    238. 

  238.         // dont leak jbd fd into execd process
    239. 

  239.         origret = old(pid, path, file_actions, newattrp, argv, newenvp);
    240. 

  240.         DEBUGLOG("origret %i for xpcproxy\n", origret);
    241. 

  241.     } else {
    242. 

  242.         int gotpid;
    243. 

  243.         origret = old(&gotpid, path, file_actions, newattrp, argv, newenvp);
    244. 

  244.         DEBUGLOG("origret %i for not xpcproxy\n", origret);
    245. 

  245.         if (origret == 0) {
    246. 

  246.             if (pid != NULL) *pid = gotpid;
    247. 

  247.             DEBUGLOG("we in here\n");
    248. 

  248.             jbd_call(jbd_port, JAILBREAKD_COMMAND_ENTITLE_AND_SIGCONT, gotpid);
    249. 

  249.         }
    250. 

  250.     }
    251. 

  251.     
    252. 

  252.     return origret;
    253. 

  253. }
    254. 

  254. 

  255. 

  256. int fake_posix_spawn(pid_t * pid, const char* file, const posix_spawn_file_actions_t *file_actions, posix_spawnattr_t *attrp, const char* argv[], const char* envp[]) {
    257. 

  257.     return fake_posix_spawn_common(pid, file, file_actions, attrp, argv, envp, old_pspawn);
    258. 

  258. }
    259. 

  259. 

  260. int fake_posix_spawnp(pid_t * pid, const char* file, const posix_spawn_file_actions_t *file_actions, posix_spawnattr_t *attrp, const char* argv[], const char* envp[]) {
    261. 

  261.     return fake_posix_spawn_common(pid, file, file_actions, attrp, argv, envp, old_pspawnp);
    262. 

  262. }
    263. 

  263. 

  264. 

  265. void rebind_pspawns(void) {
    266. 

  266.     struct rebinding rebindings[] = {
    267. 

  267.         {"posix_spawn", (void *)fake_posix_spawn, (void **)&old_pspawn},
    268. 

  268.         {"posix_spawnp", (void *)fake_posix_spawnp, (void **)&old_pspawnp},
    269. 

  269.     };
    270. 

  270.     
    271. 

  271.     rebind_symbols(rebindings, 2);
    272. 

  272. }
    273. 

  273. 

  274. void* thd_func(void* arg){
    275. 

  275.     NSLog(@"In a new thread!");
    276. 

  276.     rebind_pspawns();
    277. 

  277.     return NULL;
    278. 

  278. }
    279. 

  279. 

  280. __attribute__ ((constructor))
    281. 

  281. static void ctor(void) {
    282. 

  282.     if (getpid() == 1) {
    283. 

  283.         if (host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 15, &jbd_port)) {
    284. 

  284.             DEBUGLOG("Can't get hgsp15 :(");
    285. 

  285.             return;
    286. 

  286.         }
    287. 

  287.         DEBUGLOG("Got jbd port: %llx", jbd_port);
    288. 

  288.         
    289. 

  289.         current_process = PROCESS_LAUNCHD;
    290. 

  290.         pthread_t thd;
    291. 

  291.         pthread_create(&thd, NULL, thd_func, NULL);
    292. 

  292.     } else {
    293. 

  293.         if (bootstrap_look_up(bootstrap_port, "org.coolstar.jailbreakd", &jbd_port)) {
    294. 

  294.             DEBUGLOG("Can't get bootstrap port :(");
    295. 

  295.             return;
    296. 

  296.         }
    297. 

  297.         DEBUGLOG("Got jbd port: %llx", jbd_port);
    298. 

  298.         
    299. 

  299.         current_process = PROCESS_XPCPROXY;
    300. 

  300.         rebind_pspawns();
    301. 

  301.     }
    302. 

  302. }
    303. 

  303.