failed to add installd :/

SerotoninApp · Jul 17, 2024 · 613bca1 · 613bca1
1 parent 0c1f378
commit 613bca1
Show file tree

Hide file tree

Showing 19 changed files with 394 additions and 795 deletions.
diff --git a/RootHelperSample/exepatch.c b/RootHelperSample/exepatch.c
@@ -18,7 +18,9 @@
 #include <libgen.h>
 
 #define SYSLOG(...)   //  do {printf(__VA_ARGS__);printf("\n");} while(0)
-char* BOOTSTRAP_INSTALL_NAME = "@loader_path/generalhooksigned.dylib";
+#include <choma/MachO.h>
+#include <choma/Host.h>
+//char* BOOTSTRAP_INSTALL_NAME = "";
 
 extern void abort(void); //???
 static size_t write_uleb128(uint64_t val, uint8_t buf[10])
@@ -256,7 +258,7 @@ void* rebind(struct mach_header_64* header, enum bindtype type, void* data, uint
     return NULL;
 }
 
-int patch_macho(int fd, struct mach_header_64* header)
+int patch_macho(int fd, struct mach_header_64* header, const char* insert_path)
 {
     int libOrdinal=1;
     int prelibOrdinal=0;
@@ -286,7 +288,12 @@ int patch_macho(int fd, struct mach_header_64* header)
                 char* name = (char*)((uint64_t)idcmd + idcmd->dylib.name.offset);
                 SYSLOG("libOrdinal=%d, %s\n", libOrdinal, name);
 
-                if(strcmp(name, BOOTSTRAP_INSTALL_NAME)==0) {
+//                if(strcmp(name, BOOTSTRAP_INSTALL_NAME)==0) {
+//                    SYSLOG("bootstrap library exists @ %d!\n", libOrdinal);
+//                    prelibOrdinal = libOrdinal;
+//                    found_new_bootstrap = true;
+//                }
+                if(strcmp(name, insert_path)==0) {
                     SYSLOG("bootstrap library exists @ %d!\n", libOrdinal);
                     prelibOrdinal = libOrdinal;
                     found_new_bootstrap = true;
@@ -352,19 +359,21 @@ int patch_macho(int fd, struct mach_header_64* header)
         lc = (struct load_command *) ((char *)lc + lc->cmdsize);
 	}
 
-//    if(prelibOrdinal > 0) {
-//        //keep old way, assert(prelibOrdinal == 1);
-//        return 0;
-//    }
-    if(found_new_bootstrap) {
+    if(prelibOrdinal > 0) {
+        //keep old way, assert(prelibOrdinal == 1);
         return 0;
     }
+//    if(found_new_bootstrap) {
+//        return 0;
+//    }
 
     struct stat st;
     assert(fstat(fd, &st)==0);
     assert(st.st_size == (linkedit_seg->fileoff+linkedit_seg->filesize));
 
-	int addsize = sizeof(struct dylib_command) + strlen(BOOTSTRAP_INSTALL_NAME) + 1;
+//	int addsize = sizeof(struct dylib_command) + strlen(BOOTSTRAP_INSTALL_NAME) + 1;
+    int addsize = sizeof(struct dylib_command) + strlen(insert_path) + 1;
+
 	if(addsize%sizeof(void*)) addsize = (addsize/sizeof(void*) + 1) * sizeof(void*); //align
 	if(first_sec_off < (sizeof(*header)+header->sizeofcmds+addsize))
 	{
@@ -563,7 +572,8 @@ int patch_macho(int fd, struct mach_header_64* header)
 	newlib->dylib.current_version = 0;
 	newlib->dylib.compatibility_version = 0;
 	newlib->dylib.name.offset = sizeof(*newlib);
-	strcpy((char*)newlib+sizeof(*newlib), BOOTSTRAP_INSTALL_NAME);
+//	strcpy((char*)newlib+sizeof(*newlib), BOOTSTRAP_INSTALL_NAME);
+    strcpy((char*)newlib+sizeof(*newlib), insert_path);
 
 	header->sizeofcmds += addsize;
 	header->ncmds++;
@@ -577,7 +587,7 @@ int patch_macho(int fd, struct mach_header_64* header)
 	return 0;
 }
 
-int patch_executable(const char* file, uint64_t offset, uint64_t size)
+int patch_executable(const char* file, uint64_t offset, uint64_t size, const char* insert_path)
 {
 	int fd = open(file, O_RDWR);
     if(fd < 0) {
@@ -609,7 +619,7 @@ int patch_executable(const char* file, uint64_t offset, uint64_t size)
 
     struct mach_header_64* header = (struct mach_header_64*)((uint64_t)macho + 0);
 
-	int retval = patch_macho(fd, header);
+	int retval = patch_macho(fd, header, insert_path);
 	SYSLOG("patch macho @ %x : %d", offset, retval);
 
     munmap(macho, st.st_size);
@@ -619,18 +629,12 @@ int patch_executable(const char* file, uint64_t offset, uint64_t size)
     return retval;
 }
 
-#include <choma/MachO.h>
-#include <choma/Host.h>
 int patch_app_exe(const char* file, char* insert_path)
 {
-    if (insert_path != NULL && insert_path[0] != '\0') {
-        BOOTSTRAP_INSTALL_NAME = insert_path;
-    }
     FAT *fat = fat_init_from_path(file);
     if (!fat) return -1;
     MachO *macho = fat_find_preferred_slice(fat);
     if (!macho) return -1;
     // printf("offset=%llx size=%llx\n", macho->archDescriptor.offset, macho->archDescriptor.size);
-	return patch_executable(file, macho->archDescriptor.offset, macho->archDescriptor.size);
+    return patch_executable(file, macho->archDescriptor.offset, macho->archDescriptor.size, insert_path);
 }
-
diff --git a/RootHelperSample/launchdshim/cfprefsdshim/cfprefsdshim.m b/RootHelperSample/launchdshim/cfprefsdshim/cfprefsdshim.m
@@ -27,7 +27,7 @@ int hooked_csops(pid_t pid, unsigned int ops, void *useraddr, size_t usersize) {
     int result = orig_csops(pid, ops, useraddr, usersize);
     if (result != 0) return result;
     if (ops == 0) {
-        *((uint32_t *)useraddr) |= 0x4000000;
+       *((uint32_t *)useraddr) |= 0x4000001;
     }
     return result;
 }
@@ -36,7 +36,7 @@ int hooked_csops_audittoken(pid_t pid, unsigned int ops, void * useraddr, size_t
     int result = orig_csops_audittoken(pid, ops, useraddr, usersize, token);
     if (result != 0) return result;
     if (ops == 0) {
-        *((uint32_t *)useraddr) |= 0x4000000;
+       *((uint32_t *)useraddr) |= 0x4000001;
     }
     return result;
 }

diff --git a/RootHelperSample/launchdshim/generalhook/installdents.plist b/RootHelperSample/launchdshim/generalhook/installdents.plist
@@ -0,0 +1,156 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>platform-application</key>
+	<true/>
+	<key>com.apple.private.security.no-container</key>
+	<true/>
+	<key>get-task-allow</key>
+	<true/>
+	<key>task_for_pid-allow</key>
+	<true/>
+    <key>com.apple.private.security.no-sandbox</key>
+	<true/>
+	<key>com.apple.private.domain-extension</key>
+	<true/>
+	<key>com.apple.private.security.container-required</key>
+	<false/>
+	<key>com.apple.private.security.no-container</key>
+	<true/>
+	<key>com.apple.private.xpc.domain-extension</key>
+	<true/>
+	<key>com.apple.private.xpc.domain-extension.proxy</key>
+	<true/>
+	<key>com.apple.private.xpc.launchd.app-state-manager</key>
+	<true/>
+	<key>com.apple.private.xpc.launchd.enable-disable-system-services</key>
+	<true/>
+	<key>com.apple.private.xpc.launchd.event-monitor</key>
+	<true/>
+	<key>com.apple.private.xpc.launchd.loginitem-bootstrapper</key>
+	<true/>
+	<key>com.apple.private.xpc.launchd.loginitem-outside-bundle</key>
+	<true/>
+	<key>com.apple.private.xpc.launchd.obliterator</key>
+	<true/>
+	<key>com.apple.private.xpc.launchd.per-user-create.mbsetupuser</key>
+	<true/>
+	<key>com.apple.private.xpc.launchd.per-user-lookup</key>
+	<true/>
+	<key>com.apple.private.xpc.launchd.reboot</key>
+	<true/>
+	<key>com.apple.private.xpc.launchd.service-hold</key>
+	<true/>
+	<key>com.apple.private.xpc.launchd.userspace-reboot</key>
+	<true/>
+	<key>com.apple.private.xpc.launchd.userspace-reboot-now</key>
+	<true/>
+	<key>com.apple.private.xpc.persona-creator</key>
+	<true/>
+	<key>com.apple.private.xpc.persona-manager</key>
+	<true/>
+	<key>com.apple.private.persona-mgmt</key>
+	<true/>
+	<key>com.apple.private.xpc.service-attach</key>
+	<true/>
+	<key>com.apple.private.xpc.service-configure</key>
+	<true/>
+	<key>com.apple.private.set-launch-type.internal</key>
+	<true/>
+	<key>com.apple.security.exception.mach-lookup.global-name</key>
+	<array>
+		<string>com.apple.mmaintenanced</string>
+		<string>com.apple.memory-maintenance</string>
+	</array>
+	<key>com.apple.apfs.get-dev-by-role</key>
+	<true/>
+	<key>com.apple.private.amfi.can-allow-non-platform</key>
+	<true/>
+	<key>com.apple.private.iokit.system-nvram-allow</key>
+	<true/>
+	<key>com.apple.private.kernel.system-override</key>
+	<true/>
+	<key>com.apple.private.pmap.load-trust-cache</key>
+	<array>
+		<string>cryptex1.boot.os</string>
+		<string>cryptex1.boot.app</string>
+		<string>cryptex1.safari-downlevel</string>
+	</array>
+	<key>com.apple.private.record_system_event</key>
+	<true/>
+	<key>com.apple.private.roots-installed-read-write</key>
+	<true/>
+	<key>com.apple.private.security.disk-device-access</key>
+	<true/>
+	<key>com.apple.private.security.storage.driverkitd</key>
+	<true/>
+	<key>com.apple.private.security.storage.launchd</key>
+	<true/>
+	<key>com.apple.private.security.system-mount-authority</key>
+	<true/>
+	<key>com.apple.private.set-atm-diagnostic-flag</key>
+	<true/>
+	<key>com.apple.private.spawn-panic-crash-behavior</key>
+	<true/>
+	<key>com.apple.private.spawn-subsystem-root</key>
+	<true/>
+	<key>com.apple.private.vfs.allow-low-space-writes</key>
+	<true/>
+	<key>com.apple.private.vfs.graftdmg</key>
+	<true/>
+	<key>com.apple.private.vfs.pivot-root</key>
+	<true/>
+	<key>com.apple.rootless.restricted-block-devices</key>
+	<true/>
+	<key>com.apple.rootless.storage.early_boot_mount</key>
+	<true/>
+	<key>com.apple.rootless.volume.Preboot</key>
+	<true/>
+	<key>com.apple.security.network.server</key>
+	<true/>
+    <key>com.apple.mkb.usersession.info</key>
+    <true/>
+    <key>com.apple.multitasking.termination</key>
+    <true/>
+    <key>com.apple.private.MobileContainerManager.allowed</key>
+    <true/>
+    <key>com.apple.private.MobileGestalt.AllowedProtectedKeys</key>
+    <array>
+        <string>UniqueDeviceID</string>
+        <string>ProvisioningUniqueDeviceID</string>
+    </array>
+    <key>com.apple.private.MobileInstallationHelperService.InstallDaemonOpsEnabled</key>
+    <true/>
+    <key>com.apple.private.MobileInstallationHelperService.allowed</key>
+    <true/>
+    <key>com.apple.private.amfi.can-check-trust-cache</key>
+    <true/>
+    <key>com.apple.private.coreservices.can-perform-rebuild-registration</key>
+    <true/>
+    <key>com.apple.private.coreservices.can-register-install-results</key>
+    <true/>
+    <key>com.apple.private.kernel.override-cpumon</key>
+    <true/>
+    <key>com.apple.private.keychain.appclipdeletion</key>
+    <true/>
+    <key>com.apple.private.mis.online_auth_agent</key>
+    <true/>
+    <key>com.apple.private.security.daemon-container</key>
+    <true/>
+    <key>com.apple.private.security.storage.AppBundles</key>
+    <true/>
+    <key>com.apple.private.uninstall.deletion</key>
+    <true/>
+    <key>com.apple.usermanagerd.persona.fetch</key>
+    <true/>
+    <key>fairplay-client</key>
+    <integer>2033844765</integer>
+    <key>keychain-cloud-circle</key>
+    <true/>
+    <key>seatbelt-profiles</key>
+    <array>
+        <string>installd</string>
+    </array>
+</dict>
+</plist>
diff --git a/RootHelperSample/launchdshim/generalhook/main.m b/RootHelperSample/launchdshim/generalhook/main.m
@@ -89,7 +89,7 @@ int hooked_csops(pid_t pid, unsigned int ops, void *useraddr, size_t usersize) {
     int result = orig_csops(pid, ops, useraddr, usersize);
     if (result != 0) return result;
     if (ops == 0) {
-        *((uint32_t *)useraddr) |= 0x4000000;
+       *((uint32_t *)useraddr) |= 0x4000001;
     }
     return result;
 }
@@ -98,7 +98,7 @@ int hooked_csops_audittoken(pid_t pid, unsigned int ops, void * useraddr, size_t
     int result = orig_csops_audittoken(pid, ops, useraddr, usersize, token);
     if (result != 0) return result;
     if (ops == 0) {
-        *((uint32_t *)useraddr) |= 0x4000000;
+       *((uint32_t *)useraddr) |= 0x4000001;
     }
     return result;
 }

diff --git a/RootHelperSample/launchdshim/launchdhook/main.m b/RootHelperSample/launchdshim/launchdhook/main.m
@@ -16,6 +16,9 @@
 
 #define PT_DETACH 11    /* stop tracing a process */
 #define PT_ATTACHEXC 14 /* attach to running process with signal exception */
+#define MEMORYSTATUS_CMD_SET_JETSAM_TASK_LIMIT 6
+#define POSIX_SPAWNATTR_OFF_MEMLIMIT_ACTIVE 0x48
+#define POSIX_SPAWNATTR_OFF_MEMLIMIT_INACTIVE 0x4C
 int ptrace(int request, pid_t pid, caddr_t addr, int data);
 
 int posix_spawnattr_set_launch_type_np(posix_spawnattr_t *attr, uint8_t launch_type);
@@ -28,13 +31,16 @@
                         char *const argv[ __restrict], char *const envp[ __restrict]);
 
 int (*orig_posix_spawnp)(pid_t *restrict pid, const char *restrict path, const posix_spawn_file_actions_t *restrict file_actions, const posix_spawnattr_t *restrict attrp, char *const argv[restrict], char *const envp[restrict]);
+xpc_object_t (*xpc_dictionary_get_value_orig)(xpc_object_t xdict, const char *key);
+int (*memorystatus_control_orig)(uint32_t command, int32_t pid, uint32_t flags, void *buffer, size_t buffersize);
+bool (*xpc_dictionary_get_bool_orig)(xpc_object_t dictionary, const char *key);
 
 
 int hooked_csops(pid_t pid, unsigned int ops, void *useraddr, size_t usersize) {
     int result = orig_csops(pid, ops, useraddr, usersize);
     if (result != 0) return result;
     if (ops == 0) { // CS_OPS_STATUS
-        *((uint32_t *)useraddr) |= 0x4000000; // CS_PLATFORM_BINARY
+       *((uint32_t *)useraddr) |= 0x4000001; // CS_PLATFORM_BINARY
     }
     return result;
 }
@@ -43,7 +49,7 @@ int hooked_csops_audittoken(pid_t pid, unsigned int ops, void * useraddr, size_t
     int result = orig_csops_audittoken(pid, ops, useraddr, usersize, token);
     if (result != 0) return result;
     if (ops == 0) { // CS_OPS_STATUS
-        *((uint32_t *)useraddr) |= 0x4000000; // CS_PLATFORM_BINARY
+       *((uint32_t *)useraddr) |= 0x4000001; // CS_PLATFORM_BINARY
     }
     return result;
 }
@@ -128,6 +134,33 @@ bool hook_xpc_dictionary_get_bool(xpc_object_t dictionary, const char *key) {
     else return xpc_dictionary_get_bool_orig(dictionary, key);
 }
 
+xpc_object_t hook_xpc_dictionary_get_value(xpc_object_t dict, const char *key) {
+    xpc_object_t retval = xpc_dictionary_get_value_orig(dict, key);
+
+    if (strcmp(key, "Paths") == 0) {
+        const char *paths[] = {
+            "/var/jb/Library/LaunchDaemons",
+            "/var/jb/System/Library/LaunchDaemons",
+            "/var/jb/Library/LaunchAgents",
+            "/var/jb/System/Library/LaunchAgents"
+        };
+
+        for (size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); ++i) {
+            xpc_array_append_value(retval, xpc_string_create(paths[i]));
+        }
+    }
+
+    return retval;
+}
+
+int memorystatus_control_hook(uint32_t command, int32_t pid, uint32_t flags, void *buffer, size_t buffersize)
+{
+    if (command == MEMORYSTATUS_CMD_SET_JETSAM_TASK_LIMIT) {
+        return 0;
+    }
+    return memorystatus_control_orig(command, pid, flags, buffer, buffersize);
+}
+
 void initVerboseFramebuffer(void);
 int bootscreend_main();
 __attribute__((constructor)) static void init(int argc, char **argv) {
@@ -168,6 +201,8 @@ bool hook_xpc_dictionary_get_bool(xpc_object_t dictionary, const char *key) {
         {"csops_audittoken", hooked_csops_audittoken, (void *)&orig_csops_audittoken},
         {"posix_spawnp", hooked_posix_spawnp, (void *)&orig_posix_spawnp},
         {"xpc_dictionary_get_bool", hook_xpc_dictionary_get_bool, (void *)&xpc_dictionary_get_bool_orig},
+        {"xpc_dictionary_get_value", hook_xpc_dictionary_get_value, (void *)&xpc_dictionary_get_value_orig},
+        {"memorystatus_control", memorystatus_control_hook, (void *)&memorystatus_control_orig},
     };
     rebind_symbols(rebindings, sizeof(rebindings)/sizeof(struct rebinding));
 }