making jitterd rn

SerotoninApp · Jul 24, 2024 · d0e76c9 · d0e76c9
1 parent c219987
commit d0e76c9
Show file tree

Hide file tree

Showing 7 changed files with 161 additions and 68 deletions.
diff --git a/RootHelperSample/launchdshim/generalhook/main.m b/RootHelperSample/launchdshim/generalhook/main.m
@@ -29,8 +29,6 @@
 bool gFullyDebugged = false;
 
 int ptrace(int request, pid_t pid, caddr_t addr, int data);
-int (*orig_csops)(pid_t pid, unsigned int  ops, void * useraddr, size_t usersize);
-int (*orig_csops_audittoken)(pid_t pid, unsigned int  ops, void * useraddr, size_t usersize, audit_token_t * token);
 int csops_audittoken(pid_t pid, unsigned int  ops, void * useraddr, size_t usersize, audit_token_t * token);
 int csops(pid_t pid, unsigned int ops, void *useraddr, size_t usersize);
 
@@ -93,24 +91,6 @@ static void overwriteMainNSBundle(NSBundle *newBundle) {
 
 //    assert(![NSBundle.mainBundle.executablePath isEqualToString:oldPath]);
 }
-// mark: ellekit hooks
-// int hooked_csops(pid_t pid, unsigned int ops, void *useraddr, size_t usersize) {
-//     int result = orig_csops(pid, ops, useraddr, usersize);
-//     if (result != 0) return result;
-//     if (ops == 0) {
-//        *((uint32_t *)useraddr) |= 0x4000001;
-//     }
-//     return result;
-// }
-
-// int hooked_csops_audittoken(pid_t pid, unsigned int ops, void * useraddr, size_t usersize, audit_token_t * token) {
-//     int result = orig_csops_audittoken(pid, ops, useraddr, usersize, token);
-//     if (result != 0) return result;
-//     if (ops == 0) {
-//        *((uint32_t *)useraddr) |= 0x4000001;
-//     }
-//     return result;
-// }
 
 // skidding from Dopamine
 // For the userland, there are multiple processes that will check CS_VALID for one reason or another
@@ -188,15 +168,13 @@ void applySandboxExtensions(void)
 __attribute__((constructor)) static void init(int argc, char **argv, char *envp[]) {
     // @autoreleasepool {
     //     if (argc > 1 && strcmp(argv[1], "--jit") == 0) {
-    //        NSLog(@"generalhook - jitting");
     //         ptrace(0, 0, 0, 0);
     //         exit(0);
     //     } else {
     //         pid_t pid;
     //         char *modified_argv[] = {argv[0], "--jit", NULL };
     //         int ret = posix_spawnp(&pid, argv[0], NULL, NULL, modified_argv, envp);
     //         if (ret == 0) {
-    //             NSLog(@"generalhook - jitting 2");
     //             waitpid(pid, NULL, WUNTRACED);
     //             ptrace(11, pid, 0, 0);
     //             kill(pid, SIGTERM);
@@ -216,11 +194,6 @@ void applySandboxExtensions(void)
     // crashes here unless you ptrace yourself?!
     litehook_hook_function(csops, csops_hook);
 	litehook_hook_function(csops_audittoken, csops_audittoken_hook);
-    // const struct LHFunctionHook hooks[] = {
-    //     {(void *)csops, (void *)hooked_csops, (void *)&orig_csops, 0},
-    //     {(void *)csops_audittoken, (void *)hooked_csops_audittoken, (void *)&orig_csops_audittoken, 0}
-    // };
-    // LHHookFunctions(hooks, 2); // no ellekit!!
 
     const char *appPaths[] = {
         "/System/Library/CoreServices/SpringBoard.app/SpringBoard",

diff --git a/RootHelperSample/launchdshim/launchdentitlements.plist b/RootHelperSample/launchdshim/launchdentitlements.plist
@@ -2,6 +2,8 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
+	<key>com.apple.private.memorystatus</key>
+	<true/>
 	<key>com.apple.security.get-task-allow</key>
 	<true/>
 	<key>com.apple.system-task-ports.control</key>

diff --git a/RootHelperSample/launchdshim/launchdhook/jbserver/jbdomain_systemwide.c b/RootHelperSample/launchdshim/launchdhook/jbserver/jbdomain_systemwide.c
@@ -17,6 +17,8 @@
 #include "../fun/krw.h"
 #include "spawnRoot.h"
 #include <roothide.h>
+#include "../fun/memoryControl.h"
+
 #define PT_DETACH       11      /* stop tracing a process */
 #define PT_ATTACHEXC    14      /* attach to running process with signal exception */
 int ptrace(int _request, pid_t _pid, caddr_t _addr, int _data);
@@ -171,7 +173,17 @@ static int systemwide_process_checkin(audit_token_t *processToken, char **rootPa
 	*sandboxExtensionsOut = generate_sandbox_extensions(processToken, isPlatformProcess);
 
 	// Allow invalid pages with ptrace instead :trol:
+	// terrible solution but ideally jitter would become a daemon later. temp fix to see if it works
+	memorystatus_memlimit_properties2_t mmprops;
+	int32_t old_memory_limit = 0;
+	uint32_t new_memory_limit = (uint32_t)(getPhysicalMemorySize() / UINT64_C(1048576)) * 2;
+    int ret = memorystatus_control(MEMORYSTATUS_CMD_GET_MEMLIMIT_PROPERTIES, pid, 0, &mmprops, sizeof(mmprops));
+    if (ret == 0)
+    old_memory_limit = mmprops.v1.memlimit_active;
+    ret = memorystatus_control(MEMORYSTATUS_CMD_SET_JETSAM_TASK_LIMIT, pid, new_memory_limit, NULL, 0);
 	enableJIT(pid);
+	// set it back because yeah
+	ret = memorystatus_control(MEMORYSTATUS_CMD_SET_JETSAM_TASK_LIMIT, pid, old_memory_limit, NULL, 0);
 
 	// bool fullyDebugged = true;
 	// if (is_app_path(procPath) || is_sub_path(JBRootPath("/Applications"), procPath)) {

diff --git a/RootHelperSample/launchdshim/launchdhook/jitter/Makefile b/RootHelperSample/launchdshim/launchdhook/jitter/Makefile
@@ -6,7 +6,7 @@ include $(THEOS)/makefiles/common.mk
 TOOL_NAME = jitter
 
 jitter_FILES = $(wildcard *.c) $(wildcard *.m)
-jitter_CFLAGS = -fobjc-arc -isystem -Wno-error
+jitter_CFLAGS = -fobjc-arc -isystem -Wno-error -O3
 jitter_LDFLAGS = -L./ -lbsm
 jitter_CODESIGN_FLAGS = -Sent.plist
 

diff --git a/RootHelperSample/launchdshim/launchdhook/jitter/jitter.m b/RootHelperSample/launchdshim/launchdhook/jitter/jitter.m
@@ -3,43 +3,126 @@
 #include <unistd.h>
 #include <stdbool.h>
 #include <sys/types.h>
-#include <Foundation/Foundation.h>
+#include <xpc/xpc.h>
+#include <dispatch/dispatch.h>
+#include <mach/mach.h>
+#include <mach/mach_error.h>
+#include <mach/task.h>
+#include <mach/mach_types.h>
+#include <mach/mach_init.h>
+#include "../fun/memoryControl.h"
+#include "../jbserver/bsm/audit.h"
+
 #define PT_DETACH       11      /* stop tracing a process */
 #define PT_ATTACHEXC    14      /* attach to running process with signal exception */
+#define MEMORYSTATUS_CMD_SET_JETSAM_HIGH_WATER_MARK 5
+#define JBD_MSG_DEBUG_ME 24
 
 int ptrace(int request, pid_t pid, caddr_t addr, int data);
-int proc_paused(pid_t pid, bool *paused);
-
+// void JBLogError(const char *format, ...);
+// void JBLogDebug(const char *format, ...);
 int enableJIT(pid_t pid)
 {
     int ret = ptrace(PT_ATTACHEXC, pid, NULL, 0);
-//    NSLog(@"jitter - attach ret");
-    if(ret != 0) return ret;
-    //don't SIGCONT here, otherwise kernel may send exception msg to this process and the traced process keep waiting, kill(pid, SIGCONT);
-    // for(int i=0; i<1000*50; i++)
-    // {
-    //     bool paused=false;
-    //     ret = proc_paused(pid, &paused);
-    //     if(ret != 0) return ret;
-    //     if(paused) break;
-    //     usleep(10);
-    // }
+    if (ret != 0) return ret;
     ret = ptrace(PT_DETACH, pid, NULL, 0);
-//    NSLog(@"jitter - detach ret");
     return ret;
 }
 
-int main(int argc, char *argv[]) {
-    if (argc != 2) {
-        fprintf(stderr, "Usage: %s <pid>\n", argv[0]);
-        return 1;
+kern_return_t bootstrap_check_in(mach_port_t bootstrap_port, const char *service, mach_port_t *server_port);
+
+void setJetsamEnabled(bool enabled)
+{
+    int priorityToSet = enabled ? 10 : -1;
+    int rc = memorystatus_control(MEMORYSTATUS_CMD_SET_JETSAM_HIGH_WATER_MARK, getpid(), priorityToSet, NULL, 0);
+    if (rc < 0) {
+        perror("memorystatus_control");
+        exit(rc);
     }
+}
+
+void jitterd_received_message(mach_port_t machPort, bool systemwide)
+{
+    @autoreleasepool {
+        xpc_object_t message = NULL;
+        int err = xpc_pipe_receive(machPort, &message);
+        if (err != 0) {
+            // JBLogError("xpc_pipe_receive error %d", err);
+            return;
+        }
+
+        xpc_object_t reply = xpc_dictionary_create_reply(message);
+        xpc_type_t messageType = xpc_get_type(message);
+        int64_t msgId = -1;
+
+        if (messageType == XPC_TYPE_DICTIONARY) {
+            audit_token_t auditToken = {};
+            xpc_dictionary_get_audit_token(message, &auditToken);
+            uid_t clientUid = audit_token_to_euid(auditToken);
+            pid_t clientPid = audit_token_to_pid(auditToken);
+            msgId = xpc_dictionary_get_int64(message, "id");
+            char *description = xpc_copy_description(message);
+            free(description);
 
-    pid_t pid = (pid_t)atoi(argv[1]);
-    if (pid <= 0) {
-        fprintf(stderr, "Invalid PID\n");
-        return 1;
+            switch (msgId) {
+                case JBD_MSG_PROC_SET_DEBUGGED: {
+                    int64_t result = 0;
+                    pid_t pid = xpc_dictionary_get_int64(message, "pid");
+                    result = enableJIT(pid);
+                    xpc_dictionary_set_int64(reply, "result", result);
+                    break;
+                }
+                default:
+                    break;
+            }
+        }
+
+        if (reply) {
+            char *description = xpc_copy_description(reply);
+            // JBLogDebug("responding to %s message %lld with %s", systemwide ? "systemwide" : "", msgId, description);
+            free(description);
+            err = xpc_pipe_routine_reply(reply);
+            if (err != 0) {
+                // JBLogError("Error %d sending response", err);
+            }
+        }
     }
+}
+
+int main(int argc, char* argv[])
+{
+    @autoreleasepool {
+        setJetsamEnabled(true);
+
+        mach_port_t machPort = 0;
+        kern_return_t kr = bootstrap_check_in(bootstrap_port, "com.hrtowii.jitterd", &machPort);
+        if (kr != KERN_SUCCESS) {
+            // JBLogError("Failed com.hrtowii.jitterd bootstrap check in: %d (%s)", kr, mach_error_string(kr));
+            return 1;
+        }
 
-    return enableJIT(pid);
+        mach_port_t machPortSystemWide = 0;
+        kr = bootstrap_check_in(bootstrap_port, "com.hrtowii.jitterd.systemwide", &machPortSystemWide);
+        if (kr != KERN_SUCCESS) {
+            // JBLogError("Failed com.hrtowii.jitterd.systemwide bootstrap check in: %d (%s)", kr, mach_error_string(kr));
+            return 1;
+        }
+
+        dispatch_source_t source = dispatch_source_create(DISPATCH_SOURCE_TYPE_MACH_RECV, (uintptr_t)machPort, 0, dispatch_get_main_queue());
+        dispatch_source_set_event_handler(source, ^{
+            mach_port_t lMachPort = (mach_port_t)dispatch_source_get_handle(source);
+            jitterd_received_message(lMachPort, false);
+        });
+        dispatch_resume(source);
+
+        dispatch_source_t sourceSystemWide = dispatch_source_create(DISPATCH_SOURCE_TYPE_MACH_RECV, (uintptr_t)machPortSystemWide, 0, dispatch_get_main_queue());
+        dispatch_source_set_event_handler(sourceSystemWide, ^{
+            mach_port_t lMachPort = (mach_port_t)dispatch_source_get_handle(sourceSystemWide);
+            jitterd_received_message(lMachPort, true);
+        });
+        dispatch_resume(sourceSystemWide);
+
+        dispatch_main();
+        return 0;
+    }
 }
diff --git a/RootHelperSample/launchdshim/launchdhook/jitter/jitterd.plist b/RootHelperSample/launchdshim/launchdhook/jitter/jitterd.plist
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>ProcessType</key>
+	<string>Interactive</string>
+	<key>Label</key>
+	<string>com.hrtowii.jitterd</string>
+	<key>MachServices</key>
+	<dict>
+		<key>com.hrtowii.jitterd</key>
+		<dict>
+			<key>HostSpecialPort</key>
+			<integer>16</integer>
+		</dict>
+		<key>com.hrtowii.jitterd.systemwide</key>
+		<true/>
+	</dict>
+	<!-- <key>ProgramArguments</key>
+	<array>
+		<string>basebin/jailbreakd</string>
+	</array> -->
+	<key>UserName</key>
+	<string>root</string>
+	<key>RunAtLoad</key>
+	<true/>
+	<key>KeepAlive</key>
+	<true/>
+</dict>
+</plist>
diff --git a/RootHelperSample/launchdshim/launchdhook/main.m b/RootHelperSample/launchdshim/launchdhook/main.m
@@ -183,24 +183,17 @@ int hooked_posix_spawnp(pid_t *restrict pid, const char *restrict path, const po
             unsandbox2("/usr/lib", jbroot("/generalhooksigned.dylib"));
             //new "real path"
             snprintf(HOOK_DYLIB_PATH, sizeof(HOOK_DYLIB_PATH), "/usr/lib/generalhooksigned.dylib");
-            // do_kclose();
+            do_kclose();
             shouldWeGamble = false;
         }
-    //    } else if (!strncmp(path, MEDIASERVERD_PATH, strlen(MEDIASERVERD_PATH))) {
-    //        log_path(path, jbroot(MEDIASERVERD_PATH));
-    //        path = jbroot(MEDIASERVERD_PATH);
-    //        argv[0] = (char *)path;
-    //        posix_spawnattr_set_launch_type_np((posix_spawnattr_t *)attrp, 0);
-    //    }
-    //    } else if (!strncmp(path, installd, strlen(installd))) {
-    //        path = jbroot(installd);
-    //        argv[0] = (char *)path;
-    //        posix_spawnattr_set_launch_type_np((posix_spawnattr_t *)attrp, 0);
-    //    }
-    //    } else if (!strncmp(path, nfcd, strlen(nfcd))) {
-    //        path = jbroot(nfcd);
-    //        argv[0] = (char *)path;
-    //        posix_spawnattr_set_launch_type_np((posix_spawnattr_t *)attrp, 0);
+    } else if (!strncmp(path, MEDIASERVERD_PATH, strlen(MEDIASERVERD_PATH))) {
+        path = jbroot(MEDIASERVERD_PATH);
+        argv[0] = (char *)path;
+        posix_spawnattr_set_launch_type_np((posix_spawnattr_t *)attrp, 0);
+    } else if (!strncmp(path, NFCD_PATH, strlen(NFCD_PATH))) {
+        path = jbroot(NFCD_PATH);
+        argv[0] = (char *)path;
+        posix_spawnattr_set_launch_type_np((posix_spawnattr_t *)attrp, 0);
     }
     return orig_posix_spawnp(pid, path, file_actions, (posix_spawnattr_t *)attrp, argv, envp);
 }