ios 16 handle_eval_rootauth

palera1n · Mar 22, 2023 · 772dfca · 772dfca
1 parent 75d8e1e
commit 772dfca
Showing 1 changed file with 38 additions and 4 deletions.
diff --git a/checkra1n/kpf/main.c b/checkra1n/kpf/main.c
@@ -1957,6 +1957,30 @@ bool kpf_apfs_rootauth(struct xnu_pf_patch *patch, uint32_t *opcode_stream) {
     return true;
 }
 
+bool kpf_apfs_rootauth_new(struct xnu_pf_patch *patch, uint32_t *opcode_stream) {
+    opcode_stream[0] = NOP;
+    opcode_stream[1] = 0x52800000 | (opcode_stream[1] & 0x1f); /* mov wN, 0 */
+
+    uint32_t *ret_stream = follow_call(opcode_stream[2]);
+
+    if (!ret_stream) {
+        printf("KPF: failed to follow branch!");
+        return false;
+    }
+
+    uint32_t *mov = find_next_insn(ret_stream, 0x10, 0xaa0003e0, 0xffe0ffff);
+
+    if (!mov) {
+        printf("KPF: failed to find mov\n");
+        return false;
+    }
+
+    mov[0] = 0xd2800000; /* mov x0, 0 */
+
+    puts("KPF: found handle_eval_rootauth");
+    return true;
+}
+
 bool kpf_apfs_vfsop_mount(struct xnu_pf_patch *patch, uint32_t *opcode_stream) {
     opcode_stream[0] = 0x52800000; /* mov w0, 0 */
 
@@ -2056,7 +2080,7 @@ void kpf_apfs_patches(xnu_pf_patchset_t* patchset, bool have_union, bool ios16)
 
     xnu_pf_maskmatch(patchset, "apfs_vfsop_mount", remount_matches, remount_masks, sizeof(remount_masks) / sizeof(uint64_t), !have_union, (void *)kpf_apfs_vfsop_mount);
 
-    if (!have_union && !ios16) {
+    if (!have_union) {
         uint64_t rootauth_matches[] = {
             0x37280068, // tbnz w8, 5, 0xc
             0x52800a00, // mov w0, 0x50
@@ -2067,9 +2091,19 @@ void kpf_apfs_patches(xnu_pf_patchset_t* patchset, bool have_union, bool ios16)
             0xffffffff,
             0xffffffff
         };
-        xnu_pf_maskmatch(patchset, "handle_eval_rootauth", rootauth_matches, rootauth_masks,
-                         sizeof(rootauth_masks) / sizeof(uint64_t), true,
-                         (void *)kpf_apfs_rootauth);
+        xnu_pf_maskmatch(patchset, "handle_eval_rootauth", rootauth_matches, rootauth_masks, sizeof(rootauth_masks) / sizeof(uint64_t), false, (void *)kpf_apfs_rootauth);
+
+        uint64_t rootauth2_matches[] = {
+            0x37280068, // tbnz w8, 5, 0xc
+            0x52800a00, // mov wN, 0x50
+            0x14000000  // b
+        };
+        uint64_t rootauth2_masks[] = {
+            0xffffffff,
+            0xffffffe0,
+            0xfc000000
+        };
+         xnu_pf_maskmatch(patchset, "handle_eval_rootauth", rootauth_matches, rootauth_masks, sizeof(rootauth_masks) / sizeof(uint64_t), false, (void *)kpf_apfs_rootauth_new);
     }
 }