jitterd is fucking shit up bruh anyway I got it working, now app and …

…daemon inject
SerotoninApp · Jul 29, 2024 · 87d4cd7 · 87d4cd7
1 parent 0df218d
commit 87d4cd7
Show file tree

Hide file tree

Showing 7 changed files with 55 additions and 136 deletions.
diff --git a/Bootstrap/jb.zip b/Bootstrap/jb.zip
diff --git a/RootHelperSample/launchdshim/generalhook/main.m b/RootHelperSample/launchdshim/generalhook/main.m
@@ -25,7 +25,8 @@
 #define PT_ATTACHEXC 14 /* attach to running process with signal exception */
 #define SYSCALL_CSOPS 0xA9
 #define SYSCALL_CSOPS_AUDITTOKEN 0xAA
-
+#define __probable(x)   __builtin_expect(!!(x), 1)
+#define __improbable(x) __builtin_expect(!!(x), 0)
 bool gFullyDebugged = false;
 
 int ptrace(int request, pid_t pid, caddr_t addr, int data);
@@ -107,7 +108,7 @@ int csops_hook(pid_t pid, unsigned int ops, void *useraddr, size_t usersize)
 			uint32_t* csflag = (uint32_t *)useraddr;
 			*csflag |= CS_VALID;
             *csflag |= CS_PLATFORM_BINARY;
-			*csflag &= ~CS_DEBUGGED;
+			// *csflag &= ~CS_DEBUGGED;
 			// if (pid == getpid() && gFullyDebugged) {
 			// 	*csflag |= CS_DEBUGGED;
 			// }
@@ -125,7 +126,7 @@ int csops_audittoken_hook(pid_t pid, unsigned int ops, void *useraddr, size_t us
 			uint32_t* csflag = (uint32_t *)useraddr;
 			*csflag |= CS_VALID;
             *csflag |= CS_PLATFORM_BINARY;
-			*csflag &= ~CS_DEBUGGED;
+			// *csflag &= ~CS_DEBUGGED;
 			// if (pid == getpid() && gFullyDebugged) {
 			// 	*csflag |= CS_DEBUGGED;
 			// }
@@ -166,30 +167,25 @@ void applySandboxExtensions(void)
 }
 
 __attribute__((constructor)) static void init(int argc, char **argv, char *envp[]) {
-    // @autoreleasepool {
-    //     if (argc > 1 && strcmp(argv[1], "--jit") == 0) {
-    //         ptrace(0, 0, 0, 0);
-    //         exit(0);
-    //     } else {
-    //         pid_t pid;
-    //         char *modified_argv[] = {argv[0], "--jit", NULL };
-    //         int ret = posix_spawnp(&pid, argv[0], NULL, NULL, modified_argv, envp);
-    //         if (ret == 0) {
-    //             waitpid(pid, NULL, WUNTRACED);
-    //             ptrace(11, pid, 0, 0);
-    //             kill(pid, SIGTERM);
-    //             wait(NULL);
-    //         }
-    //     }
-    // }
-    // jits for me
+    if (argc > 1 && strcmp(argv[1], "--jit") == 0) {
+        ptrace(0, 0, 0, 0);
+        exit(0);
+    } else {
+        if (strstr(argv[0], "/usr/libexec/")) {
+            jitterd(getpid());
+        } else {
+            pid_t pid;
+            char *modified_argv[] = {argv[0], "--jit", NULL };
+            int ret = posix_spawnp(&pid, argv[0], NULL, NULL, modified_argv, envp);
+            if (ret == 0) {
+                waitpid(pid, NULL, WUNTRACED);
+                ptrace(11, pid, 0, 0);
+                kill(pid, SIGTERM);
+                wait(NULL);
+            }
+        }
+    }
     int checkinret = jbclient_process_checkin(NULL, NULL, &JB_SandboxExtensions, &gFullyDebugged);
-    // if (checkinret == -1) {
-    //     NSLog(@"generalhook - jbserver no response?");
-    //     goto finish;
-    // } else {
-    //     NSLog(@"generalhook - checkin ret %d", checkinret);
-    // }
     applySandboxExtensions();
     litehook_hook_function(csops, csops_hook);
 	litehook_hook_function(csops_audittoken, csops_audittoken_hook);
@@ -204,14 +200,11 @@ void applySandboxExtensions(void)
         "/usr/libexec/installd",
     };
     for (int i = 0; i < sizeof(appPaths) / sizeof(appPaths[0]); i++) {
-        if (strcmp(argv[0], appPaths[i]) == 0) {
+        if (__improbable(strcmp(argv[0], appPaths[i]) == 0)) {
             setupAppBundle(appPaths[i]);
             break;
         }
     }
     NSLog(@"generalhook - loading tweaks for pid %d", getpid());
-	const char* oldJBROOT = getenv("JBROOT");
-	setenv("JBROOT", jbroot("/"), 1);
 	dlopen(jbroot("/usr/lib/TweakLoader.dylib"), RTLD_NOW);
-	if(oldJBROOT) setenv("JBROOT", oldJBROOT, 1); else unsetenv("JBROOT");
 }
diff --git a/RootHelperSample/launchdshim/launchdhook/jbserver/jbclient_xpc.c b/RootHelperSample/launchdshim/launchdhook/jbserver/jbclient_xpc.c
@@ -253,6 +253,21 @@ int jbclient_process_checkin(char **rootPathOut, char **bootUUIDOut, char **sand
 	return -1;
 }
 
+#define JBD_MSG_PROC_SET_DEBUGGED 23
+int64_t jitterd(pid_t pid)
+{
+	xpc_object_t message = xpc_dictionary_create_empty();
+	xpc_dictionary_set_int64(message, "id", JBD_MSG_PROC_SET_DEBUGGED);
+	xpc_dictionary_set_int64(message, "pid", pid);
+	xpc_object_t reply = sendjitterdMessageSystemWide(message);
+	int64_t result = -1;
+	if (reply) {
+		result  = xpc_dictionary_get_int64(reply, "result");
+		xpc_release(reply);
+	}
+	return result;
+}
+
 extern char **environ;
 kern_return_t bootstrap_look_up(mach_port_t port, const char *service, mach_port_t *server_port);
 

diff --git a/RootHelperSample/launchdshim/launchdhook/jbserver/jbclient_xpc.h b/RootHelperSample/launchdshim/launchdhook/jbserver/jbclient_xpc.h
@@ -22,6 +22,7 @@ int jbclient_patch_spawn(int pid, bool resume);
 int jbclient_patch_exec_add(const char* exec_path, bool resume);
 int jbclient_patch_exec_del(const char* exec_path);
 xpc_object_t sendjitterdMessageSystemWide(xpc_object_t xdict);
+int64_t jitterd(pid_t pid);
 // int jbclient_platform_set_process_debugged(uint64_t pid, bool fullyDebugged);
 // int jbclient_platform_stage_jailbreak_update(const char *updateTar);
 // int jbclient_platform_jbsettings_get(const char *key, xpc_object_t *valueOut);

diff --git a/RootHelperSample/launchdshim/launchdhook/jbserver/jbdomain_systemwide.c b/RootHelperSample/launchdshim/launchdhook/jbserver/jbdomain_systemwide.c
@@ -40,7 +40,6 @@ char *jbrootC(char* path) {
     return result;
 }
 
-#define JBD_MSG_PROC_SET_DEBUGGED 23
 #define PT_DETACH       11      /* stop tracing a process */
 #define PT_ATTACHEXC    14      /* attach to running process with signal exception */
 int ptrace(int _request, pid_t _pid, caddr_t _addr, int _data);
@@ -52,19 +51,19 @@ int ptrace(int _request, pid_t _pid, caddr_t _addr, int _data);
 // 	int ret = spawnRoot(jbrootC("/jitter"), pid, NULL, NULL);
 // 	return ret;
 // }
-int64_t jitterd(pid_t pid)
-{
-	xpc_object_t message = xpc_dictionary_create_empty();
-	xpc_dictionary_set_int64(message, "id", JBD_MSG_PROC_SET_DEBUGGED);
-	xpc_dictionary_set_int64(message, "pid", pid);
-	xpc_object_t reply = sendjitterdMessageSystemWide(message);
-	int64_t result = -1;
-	if (reply) {
-		result  = xpc_dictionary_get_int64(reply, "result");
-		xpc_release(reply);
-	}
-	return result;
-}
+// int64_t jitterd(pid_t pid)
+// {
+// 	xpc_object_t message = xpc_dictionary_create_empty();
+// 	xpc_dictionary_set_int64(message, "id", JBD_MSG_PROC_SET_DEBUGGED);
+// 	xpc_dictionary_set_int64(message, "pid", pid);
+// 	xpc_object_t reply = sendjitterdMessageSystemWide(message);
+// 	int64_t result = -1;
+// 	if (reply) {
+// 		result  = xpc_dictionary_get_int64(reply, "result");
+// 		xpc_release(reply);
+// 	}
+// 	return result;
+// }
 
 // extern bool stringStartsWith(const char *str, const char* prefix);
 // extern bool stringEndsWith(const char* str, const char* suffix);
@@ -193,79 +192,11 @@ static int systemwide_process_checkin(audit_token_t *processToken, char **rootPa
 	if (proc_pidpath(pid, procPath, sizeof(procPath)) <= 0) {
 		return -1;
 	}
-	// Find proc in kernelspace
-	// uint64_t proc = proc_find(pid);
-	// if (!proc) {
-	// 	return -1;
-	// }
-
-	// Get jbroot and boot uuid
 	systemwide_get_jbroot(rootPathOut);
 	systemwide_get_boot_uuid(bootUUIDOut);
-
-
 	struct statfs fs;
 	bool isPlatformProcess = statfs(procPath, &fs)==0 && strcmp(fs.f_mntonname, "/private/var") != 0;
-
-	// Generate sandbox extensions for the requesting process
 	*sandboxExtensionsOut = generate_sandbox_extensions(processToken, isPlatformProcess);
-	jitterd(pid);
-	// Allow invalid pages with ptrace instead :trol:
-	// terrible solution but ideally jitter would become a daemon later. temp fix to see if it works
-	// memorystatus_memlimit_properties2_t mmprops;
-	// int32_t old_memory_limit = 0;
-	// uint32_t new_memory_limit = (uint32_t)(getPhysicalMemorySize() / UINT64_C(1048576)) * 2;
-    // int ret = memorystatus_control(MEMORYSTATUS_CMD_GET_MEMLIMIT_PROPERTIES, pid, 0, &mmprops, sizeof(mmprops));
-    // if (ret == 0)
-    // old_memory_limit = mmprops.v1.memlimit_active;
-    // ret = memorystatus_control(MEMORYSTATUS_CMD_SET_JETSAM_TASK_LIMIT, pid, new_memory_limit, NULL, 0);
-	// enableJIT(pid);
-	// ret = memorystatus_control(MEMORYSTATUS_CMD_SET_JETSAM_TASK_LIMIT, pid, old_memory_limit, NULL, 0);
-
-	// bool fullyDebugged = true;
-	// if (is_app_path(procPath) || is_sub_path(JBRootPath("/Applications"), procPath)) {
-	// 	// This is an app, enable CS_DEBUGGED based on user preference
-	// 	if (jbsetting(markAppsAsDebugged)) {
-	// 		fullyDebugged = true;
-	// 	}
-	// }
-	// *fullyDebuggedOut = fullyDebugged;
-
-	// Allow invalid pages
-	// cs_allow_invalid(proc, fullyDebugged);
-
-	// Fix setuid
-	// struct stat sb;
-	// if (stat(procPath, &sb) == 0) {
-	// 	if (S_ISREG(sb.st_mode) && (sb.st_mode & (S_ISUID | S_ISGID))) {
-	// 		uint64_t ucred = proc_ucred(proc);
-	// 		if ((sb.st_mode & (S_ISUID))) {
-	// 			kwrite32(proc + koffsetof(proc, svuid), sb.st_uid);
-	// 			kwrite32(ucred + koffsetof(ucred, svuid), sb.st_uid);
-	// 			kwrite32(ucred + koffsetof(ucred, uid), sb.st_uid);
-	// 		}
-	// 		if ((sb.st_mode & (S_ISGID))) {
-	// 			kwrite32(proc + koffsetof(proc, svgid), sb.st_gid);
-	// 			kwrite32(ucred + koffsetof(ucred, svgid), sb.st_gid);
-	// 			kwrite32(ucred + koffsetof(ucred, groups), sb.st_gid);
-	// 		}
-	// 		uint32_t flag = kread32(proc + koffsetof(proc, flag));
-	// 		if ((flag & P_SUGID) != 0) {
-	// 			flag &= ~P_SUGID;
-	// 			kwrite32(proc + koffsetof(proc, flag), flag);
-	// 		}
-	// 	}
-	// }
-
-	// In iOS 16+ there is a super annoying security feature called Protobox
-	// Amongst other things, it allows for a process to have a syscall mask
-	// If a process calls a syscall it's not allowed to call, it immediately crashes
-	// Because for tweaks and hooking this is unacceptable, we update these masks to be 1 for all syscalls on all processes
-	// That will at least get rid of the syscall mask part of Protobox
-	// if (__builtin_available(iOS 16.0, *)) {
-	// 	proc_allow_all_syscalls(proc);
-	// }
-
 	// For whatever reason after SpringBoard has restarted, AutoFill and other stuff stops working
 	// The fix is to always also restart the kbd daemon alongside SpringBoard
 	// Seems to be something sandbox related where kbd doesn't have the right extensions until restarted
@@ -282,27 +213,6 @@ static int systemwide_process_checkin(audit_token_t *processToken, char **rootPa
 			});
 		}
 	}
-	// For the Dopamine app itself we want to give it a saved uid/gid of 0, unsandbox it and give it CS_PLATFORM_BINARY
-	// This is so that the buttons inside it can work when jailbroken, even if the app was not installed by TrollStore
-	// else if (stringEndsWith(procPath, "/Dopamine.app/Dopamine")) {
-	// 	char roothidefile[PATH_MAX];
-	// 	snprintf(roothidefile, sizeof(roothidefile), "%s.roothide",procPath);
-	// 	if(access(roothidefile, F_OK)==0) {
-	// 		// svuid = 0, svgid = 0
-	// 		uint64_t ucred = proc_ucred(proc);
-	// 		kwrite32(proc + koffsetof(proc, svuid), 0);
-	// 		kwrite32(ucred + koffsetof(ucred, svuid), 0);
-	// 		kwrite32(proc + koffsetof(proc, svgid), 0);
-	// 		kwrite32(ucred + koffsetof(ucred, svgid), 0);
-
-	// 		// platformize
-	// 		proc_csflags_set(proc, CS_PLATFORM_BINARY);
-	// 	} else {
-	// 		kill(pid, SIGKILL);
-	// 	}
-	// }
-
-	// proc_rele(proc);
 	return 0;
 }
 

diff --git a/RootHelperSample/launchdshim/launchdhook/jitter/jitter.m b/RootHelperSample/launchdshim/launchdhook/jitter/jitter.m
@@ -96,10 +96,10 @@ int main(int argc, char* argv[])
         setJetsamEnabled(true);
         if (shouldUiCache == true) {
             pid_t pid;
-            char *argv[] = {"/var/jb/usr/bin/uicache", "-p", "/var/jb/Applications/Sileo.app", NULL};
+            char *argv[] = {"/var/jb/usr/bin/uicache", "-a", NULL};
             posix_spawn(&pid, argv[0], NULL, NULL, argv, environ);
             shouldUiCache = false;
-        }   
+        }
         mach_port_t machPort = 0;
         kern_return_t kr = bootstrap_check_in(bootstrap_port, "com.hrtowii.jitterd", &machPort);
         if (kr != KERN_SUCCESS) {

diff --git a/RootHelperSample/main.m b/RootHelperSample/main.m
@@ -381,7 +381,7 @@ int main(int argc, char *argv[], char *envp[]) {
                 [[NSFileManager defaultManager] copyItemAtPath:[usprebooterappPath() stringByAppendingPathComponent:@"generalhooksigned.dylib"] toPath:jbrootobjc(@"/generalhooksigned.dylib") error:nil];
                 [[NSFileManager defaultManager] copyItemAtPath:[usprebooterappPath() stringByAppendingPathComponent:@"jitterd"] toPath:jbrootobjc(@"/jitterd") error:nil];
                 [[NSFileManager defaultManager] copyItemAtPath:[usprebooterappPath() stringByAppendingPathComponent:@"jitterd.plist"] toPath:jbrootobjc(@"/Library/LaunchDaemons/com.hrtowii.jitterd.plist") error:nil];
-                spawnRoot(@"/var/jb/usr/bin/uicache", @[@"-p", @"/var/jb/Applications/Sileo.app"], nil, nil);
+                spawnRoot(@"/var/jb/usr/bin/uicache", @[@"-a"], nil, nil);
 //                [[NSFileManager defaultManager] copyItemAtPath:[usprebooterappPath() stringByAppendingPathComponent:@"Serotonin.jp2"] toPath:@"/var/mobile/Serotonin.jp2" error:nil];
             }
         } else if ([action isEqual: @"uninstall"]) {