Merge pull request #2 from xerub/master

Make up to date with root

extra_recipe.xcodeproj/project.pbxproj

@@ -310,7 +310,7 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
-				IPHONEOS_DEPLOYMENT_TARGET = 10.1;
+				IPHONEOS_DEPLOYMENT_TARGET = 10.0;
 				MTL_ENABLE_DEBUG_INFO = YES;
 				ONLY_ACTIVE_ARCH = YES;
 				SDKROOT = iphoneos;
@@ -358,7 +358,7 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
-				IPHONEOS_DEPLOYMENT_TARGET = 10.1;
+				IPHONEOS_DEPLOYMENT_TARGET = 10.0;
 				MTL_ENABLE_DEBUG_INFO = NO;
 				SDKROOT = iphoneos;
 				SWIFT_OPTIMIZATION_LEVEL = "-Owholemodule";

extra_recipe/jailbreak.c

@@ -853,8 +853,8 @@ unjail(void)
     uint64_t val = kread_uint64(kernel_base);
     printf("read from kernel memory: 0x%016llx\n", val);
 #else
-    extern int unjail2(uint64_t surfacevt);
-    rv = unjail2(surfacevt);
+    extern int unjail2(void);
+    rv = unjail2();
 #endif
 
     kwrite_uint64(our_proc + offsetof_p_ucred, our_cred);

extra_recipe/offsets.h

@@ -36,9 +36,9 @@ extern uint64_t k_uuid_copy;
 
 extern uint64_t allproc;
 extern uint64_t realhost;
-extern uint64_t surfacevt;
 extern uint64_t call5;
 
 int init_offsets(void);
+uint64_t constget(int idx);
 
 #endif /* offsets_h */

extra_recipe/offsets.m

@@ -31,9 +31,61 @@
 
 uint64_t allproc = 0;
 uint64_t realhost = 0;
-uint64_t surfacevt = 0;
 uint64_t call5 = 0;
 
+static NSMutableArray *consttable = nil;
+static NSMutableArray *collide = nil;
+
+static int
+constload(void)
+{
+    struct utsname uts;
+    uname(&uts);
+    if (strstr(uts.version, "Marijuan")) {
+        return -2;
+    }
+
+    NSString *strv = [NSString stringWithUTF8String:uts.version];
+    NSArray *dp =[[NSArray alloc] initWithContentsOfFile: [[NSBundle mainBundle] pathForResource: @"def" ofType:@"plist"]];
+    int m = 0;
+    collide = [NSMutableArray new];
+
+    for (NSDictionary *dict in dp) {
+        if ([dict[@"vers"] isEqualToString:strv]) {
+            [collide setObject:[NSMutableArray new] atIndexedSubscript:m];
+            int i = 0;
+            for (NSString *str in dict[@"val"]) {
+                [collide[m] setObject:[NSNumber numberWithUnsignedLongLong:strtoull([str UTF8String], 0, 0)] atIndexedSubscript:i];
+                i++;
+            }
+            m++;
+        }
+    }
+    if (m) {
+        return 0;
+    }
+    return -1;
+}
+
+static char
+affine_const_by_surfacevt(uint64_t surfacevt_slid)
+{
+    for (NSArray *arr in collide) {
+        if ((surfacevt_slid & 0xfffff) == ([[arr objectAtIndex:1] unsignedLongLongValue] & 0xfffff)) {
+            NSLog(@"affined");
+            consttable = arr;
+            return 0;
+        }
+    }
+    return -1;
+}
+
+uint64_t
+constget(int idx)
+{
+    return [[consttable objectAtIndex:idx] unsignedLongLongValue];
+}
+
 int
 init_offsets(void)
 {
@@ -51,6 +103,7 @@
 
     if (!strncmp(uts.machine, "iPhone9,", sizeof("iPhone9"))) {
         // iPhone 7 (plus)
+        uint64_t surfacevt;
         if ([version compare:@"10.1" options:NSNumericSearch] == NSOrderedAscending) {
             // 10.0[.x]
             mp = "@executable_path/mach-portal";
@@ -74,6 +127,9 @@
             surfacevt = 0xfffffff006e521e0;
             call5 = 0xfffffff006337e10;
         }
+        if (constload() || affine_const_by_surfacevt(surfacevt)) {
+            return ERR_INTERNAL;
+        }
     } else if (!strcmp(uts.machine, "iPhone8,1")) {
         // iPhone 6s
         if ([version compare:@"10.2" options:NSNumericSearch] == NSOrderedSame) {
@@ -84,7 +140,6 @@
             k_uuid_copy = 0xfffffff007459378;
             allproc = 0xfffffff0075ac438;
             realhost = 0xfffffff007538a98;
-            surfacevt = 0xfffffff006e84820;
             call5 = 0xfffffff0063cfe10;
             return ERR_UNSUPPORTED_YET; // TODO: remove after writing KPP bypass
         }

extra_recipe/unjail.m

@@ -19,61 +19,8 @@
   return rv;
 }
 
-NSMutableArray *consttable = nil;
-NSMutableArray *collide = nil;
-
-static int
-constload(void)
-{
-    struct utsname uts;
-    uname(&uts);
-    if (strstr(uts.version, "Marijuan")) {
-        return -2;
-    }
-
-    NSString *strv = [NSString stringWithUTF8String:uts.version];
-    NSArray *dp =[[NSArray alloc] initWithContentsOfFile: [[NSBundle mainBundle] pathForResource: @"def" ofType:@"plist"]];
-    int m = 0;
-    collide = [NSMutableArray new];
-
-    for (NSDictionary *dict in dp) {
-        if ([dict[@"vers"] isEqualToString:strv]) {
-            [collide setObject:[NSMutableArray new] atIndexedSubscript:m];
-            int i = 0;
-            for (NSString *str in dict[@"val"]) {
-                [collide[m] setObject:[NSNumber numberWithUnsignedLongLong:strtoull([str UTF8String], 0, 0)] atIndexedSubscript:i];
-                i++;
-            }
-            m++;
-        }
-    }
-    if (m) {
-        return 0;
-    }
-    return -1;
-}
-
-static char
-affine_const_by_surfacevt(uint64_t surfacevt_slid)
-{
-    for (NSArray *arr in collide) {
-        if ((surfacevt_slid & 0xfffff) == ([[arr objectAtIndex:1] unsignedLongLongValue] & 0xfffff)) {
-            NSLog(@"affined");
-            consttable = arr;
-            return 0;
-        }
-    }
-    return -1;
-}
-
-static uint64_t
-constget(int idx)
-{
-    return [[consttable objectAtIndex:idx] unsignedLongLongValue];
-}
-
 int
-unjail2(uint64_t surfacevt)
+unjail2(void)
 {
     void *h;
     int rv;
@@ -84,16 +31,6 @@
 
         // @qwertyoruiop's memprot bypass
 
-        if (constload()) {
-            printf("err: constload\n");
-            return ERR_INTERNAL;
-        }
-
-        if (affine_const_by_surfacevt(surfacevt)) {
-            printf("err: affine\n");
-            return ERR_INTERNAL;
-        }
-
         h = dlopen(mp, RTLD_NOW | RTLD_LOCAL);
         if (!h) {
             printf("err: %s\n", dlerror());