last

m1zole · Dec 7, 2023 · 88cbf0d · 88cbf0d
1 parent 3a69bf0
commit 88cbf0d
Show file tree

Hide file tree

Showing 12 changed files with 239 additions and 128 deletions.
diff --git a/kfd.xcodeproj/project.pbxproj b/kfd.xcodeproj/project.pbxproj
@@ -24,7 +24,7 @@
  D52BA4652AB582C9002E9836 /* SearchBar.swift in Sources */ = {isa = PBXBuildFile; fileRef = D52BA4562AB5812A002E9836 /* SearchBar.swift */; };
  D52BA4662AB582C9002E9836 /* DirtyJITView.swift in Sources */ = {isa = PBXBuildFile; fileRef = D52BA4572AB5812A002E9836 /* DirtyJITView.swift */; };
  D52BA4672AB582C9002E9836 /* AppsView.swift in Sources */ = {isa = PBXBuildFile; fileRef = D52BA4582AB5812A002E9836 /* AppsView.swift */; };
- D52BA4692AB582C9002E9836 /* ApplicationManager2.swift in Sources */ = {isa = PBXBuildFile; fileRef = D52BA4512AB5812A002E9836 /* ApplicationManager2.swift */; };
+ D52BA4692AB582C9002E9836 /* ApplicationManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = D52BA4512AB5812A002E9836 /* ApplicationManager.swift */; };
  D52BA46B2AB5866D002E9836 /* TextField++.swift in Sources */ = {isa = PBXBuildFile; fileRef = D52BA46A2AB5866D002E9836 /* TextField++.swift */; };
  D52BA46D2AB586BF002E9836 /* Alert++.swift in Sources */ = {isa = PBXBuildFile; fileRef = D52BA46C2AB586BF002E9836 /* Alert++.swift */; };
  D58653662ABBB60E005A2379 /* vm_unaligned_copy_switch_race.c in Sources */ = {isa = PBXBuildFile; fileRef = D58653622ABBB28D005A2379 /* vm_unaligned_copy_switch_race.c */; };
@@ -46,6 +46,8 @@
  D5AFB5BF2ABE1671006266EA /* LogView.swift in Sources */ = {isa = PBXBuildFile; fileRef = D5AFB5BE2ABE1671006266EA /* LogView.swift */; };
  D5AFB5C32ABE1691006266EA /* SwiftfulLoadingIndicators in Frameworks */ = {isa = PBXBuildFile; productRef = D5AFB5C22ABE1691006266EA /* SwiftfulLoadingIndicators */; };
  D5AFB5C52ABE1781006266EA /* Logger.swift in Sources */ = {isa = PBXBuildFile; fileRef = D5AFB5C42ABE1781006266EA /* Logger.swift */; };
+ D5AFB71B2AC0252D006266EA /* grant_full_disk_access.m in Sources */ = {isa = PBXBuildFile; fileRef = D58653602ABBB28D005A2379 /* grant_full_disk_access.m */; };
+ D5B87E8F2B00CC2E0024E70C /* FileManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = D586507E2AB9F2AF005A2379 /* FileManager.swift */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXFileReference section */
@@ -89,7 +91,7 @@
  D51A38072AB56F8400C147E2 /* cs_blobs.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = cs_blobs.m; sourceTree = "<group>"; };
  D51A38102AB5717500C147E2 /* files */ = {isa = PBXFileReference; lastKnownFileType = folder; path = files; sourceTree = "<group>"; };
  D52BA4352AB57EC9002E9836 /* DirtyCowKit */ = {isa = PBXFileReference; lastKnownFileType = wrapper; path = DirtyCowKit; sourceTree = "<group>"; };
- D52BA4512AB5812A002E9836 /* ApplicationManager2.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = ApplicationManager2.swift; sourceTree = "<group>"; };
+ D52BA4512AB5812A002E9836 /* ApplicationManager.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = ApplicationManager.swift; sourceTree = "<group>"; };
  D52BA4562AB5812A002E9836 /* SearchBar.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = SearchBar.swift; sourceTree = "<group>"; };
  D52BA4572AB5812A002E9836 /* DirtyJITView.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = DirtyJITView.swift; sourceTree = "<group>"; };
  D52BA4582AB5812A002E9836 /* AppsView.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = AppsView.swift; sourceTree = "<group>"; };
@@ -233,7 +235,7 @@
  isa = PBXGroup;
  children = (
  D58654902ABD55B3005A2379 /* Info.plist */,
- D58654382ABD508B005A2379 /* filemanager_by akusio */,
+ D58654382ABD508B005A2379 /* filemanager_by_akusio */,
  D52BA44F2AB5812A002E9836 /* JIT */,
  2948BA6A2A3162C600B2ED3C /* libkfd */,
  6E75BFA62A8475790056ABDA /* fun */,
@@ -304,7 +306,7 @@
  isa = PBXGroup;
  children = (
  D52BA4532AB5812A002E9836 /* DirtyJIT */,
- D52BA4512AB5812A002E9836 /* ApplicationManager2.swift */,
+ D52BA4512AB5812A002E9836 /* ApplicationManager.swift */,
  );
  path = JIT;
  sourceTree = "<group>";
@@ -321,7 +323,7 @@
  path = DirtyJIT;
  sourceTree = "<group>";
  };
- D58654382ABD508B005A2379 /* filemanager_by akusio */ = {
+ D58654382ABD508B005A2379 /* filemanager_by_akusio */ = {
  isa = PBXGroup;
  children = (
  D58654592ABD508B005A2379 /* ViewController.m */,
@@ -356,7 +358,7 @@
  D586545D2ABD508B005A2379 /* Main.storyboard */,
  D58654662ABD508B005A2379 /* liblzfse.a */,
  );
- name = "filemanager_by akusio";
+ name = filemanager_by_akusio;
  path = MiniRootFileManager15/filemanager_by_akusio;
  sourceTree = SOURCE_ROOT;
  };
@@ -448,13 +450,15 @@
  isa = PBXSourcesBuildPhase;
  buildActionMask = 2147483647;
  files = (
+ D5B87E8F2B00CC2E0024E70C /* FileManager.swift in Sources */,
+ D5AFB71B2AC0252D006266EA /* grant_full_disk_access.m in Sources */,
  D58653662ABBB60E005A2379 /* vm_unaligned_copy_switch_race.c in Sources */,
  D52BA4652AB582C9002E9836 /* SearchBar.swift in Sources */,
  D52BA4662AB582C9002E9836 /* DirtyJITView.swift in Sources */,
  D52BA4672AB582C9002E9836 /* AppsView.swift in Sources */,
  D58654892ABD508B005A2379 /* lzssdec.cpp in Sources */,
  D5AFB5B72ABE074C006266EA /* KFD-manager.m in Sources */,
- D52BA4692AB582C9002E9836 /* ApplicationManager2.swift in Sources */,
+ D52BA4692AB582C9002E9836 /* ApplicationManager.swift in Sources */,
  D5AFB5C52ABE1781006266EA /* Logger.swift in Sources */,
  D51A380A2AB56F8400C147E2 /* vnode.m in Sources */,
  D51A380C2AB56F8400C147E2 /* cs_blobs.m in Sources */,

diff --git a/kfd/ContentView.swift b/kfd/ContentView.swift
@@ -32,6 +32,7 @@ struct ContentView: View {
  @State private var isTweaksPopoverPresented = false
  @State private var isFilePopoverPresented = false
  @State private var isJITPopoverPresented = false
+ @State private var isSwiftFilePopoverPresented = false
 
  @State private var isLogPopoverPresented = false
  @State var advancedLogsTemporarilyEnabled: Bool = true
@@ -157,6 +158,11 @@ struct ContentView: View {
  .onTapGesture {
  isJITPopoverPresented.toggle()
  }
+ Text("Swift File Manager")
+ .foregroundColor(Color(red: 0.941, green: 0.502, blue: 0.502, opacity: 1))
+ .onTapGesture {
+ isSwiftFilePopoverPresented.toggle()
+ }
  Text("File Manager")
  .foregroundColor(Color(red: 0.941, green: 0.502, blue: 0.502, opacity: 1))
  .onTapGesture {
@@ -182,6 +188,9 @@ struct ContentView: View {
  .popover(isPresented: $isFilePopoverPresented, arrowEdge: .bottom) {
  FileManagerUIKitViewControllerWrapper()
  }
+ .popover(isPresented: $isSwiftFilePopoverPresented, arrowEdge: .bottom) {
+ FileManagerView()
+ }
  }
  }
 

diff --git a/kfd/JIT/ApplicationManager2.swift → kfd/JIT/ApplicationManager.swift b/kfd/JIT/ApplicationManager2.swift → kfd/JIT/ApplicationManager.swift
diff --git a/kfd/JIT/DirtyJIT/DirtyJITView.swift b/kfd/JIT/DirtyJIT/DirtyJITView.swift
@@ -39,7 +39,6 @@ struct DirtyJITView: View {
  }
  }
  unsandboxing()
-
  DispatchQueue.main.asyncAfter(deadline: .now() + 3) {
  UIApplication.shared.dismissAlert(animated: false)
 

diff --git a/kfd/KFD-manager.m b/kfd/KFD-manager.m
@@ -15,6 +15,7 @@
 #include "fun/cs_blobs.h"
 #include "fun/fun.h"
 #include "fun/grant_full_disk_access.h"
+#include "fun/thanks_opa334dev_htrowii.h"
 #include "kfd-Swift.h"
 
 uint64_t orig_to_v_data = 0;
@@ -49,6 +50,69 @@ uint64_t do_getTask(char* process) {
  return 0;
 }
 
+void readtmplog(NSString* file) {
+ NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"];
+
+ uint64_t var_tmp_vnode = getVnodeAtPathByChdir("/var/tmp");
+
+ printf("[i] /var/tmp vnode: 0x%llx\n", var_tmp_vnode);
+
+ uint64_t orig_to_v_data = createFolderAndRedirect(var_tmp_vnode, mntPath);
+
+ NSError *error;
+
+ printf("unredirecting from tmp\n");
+
+ printf("reading log\n");
+
+ NSLog(@"%@%@%@", NSHomeDirectory(), @"/Documents/mounted/", file);
+ NSString *log = [NSString stringWithContentsOfFile:[NSString stringWithFormat:@"%@%@%@", NSHomeDirectory(), @"/Documents/mounted/", file] encoding:NSUTF8StringEncoding error:&error];
+ NSLog(@"%@", log);
+
+ UnRedirectAndRemoveFolder(orig_to_v_data, mntPath);
+}
+
+void getappslist(void) {
+ printf("[i] chown /var/containers/Bundle/Application\n");
+ funVnodeChownFolder("/var/containers/Bundle/Application", 501, 501);
+
+ printf("[i] mounting /var/containers/Bundle/Application\n");
+
+ NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"];
+
+ uint64_t containers_vnode = getVnodeAtPathByChdir("/var/containers/Bundle/Application");
+ printf("[i] /var/containers/Bundle/Application vnode: 0x%llx\n", containers_vnode);
+
+ orig_to_v_data = createFolderAndRedirect(containers_vnode, mntPath);
+
+ NSArray* dirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:mntPath error:NULL];
+ NSLog(@"/var/containers/Bundle/Application directory list:\n %@", dirs);
+
+ UnRedirectAndRemoveFolder(orig_to_v_data, mntPath);
+
+ NSString *appstage1mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/appstage1/"];
+ if (![[NSFileManager defaultManager] fileExistsAtPath:appstage1mntPath]) {
+ [[NSFileManager defaultManager] createDirectoryAtPath:appstage1mntPath withIntermediateDirectories:YES attributes:nil error:nil];
+ }
+ NSString *appstage2mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/appstage2/"];
+ if (![[NSFileManager defaultManager] fileExistsAtPath:appstage2mntPath]) {
+ [[NSFileManager defaultManager] createDirectoryAtPath:appstage2mntPath withIntermediateDirectories:YES attributes:nil error:nil];
+ }
+
+ for(NSString *dir in dirs) {
+ NSString *path = [NSString stringWithFormat:@"%s/%@", "/var/containers/Bundle/Application", dir];
+ [[NSFileManager defaultManager] removeItemAtPath:path error:nil];
+ NSLog(@"full path:\n %@", path);
+ //funVnodeChownFolder((char *) [path UTF8String], 501, 501);
+ NSString *appmntPath = [NSString stringWithFormat:@"%@%@%@", NSHomeDirectory(), @"/Documents/appstage1/", dir];
+ uint64_t containers_vnode = getVnodeAtPathByChdir((char *) [path UTF8String]);
+ createFolderAndRedirect(containers_vnode, appmntPath);
+ NSArray* targetdirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:appmntPath error:NULL];
+ NSLog(@"appstage1 directory list: %@", targetdirs);
+ }
+}
+
+
 void prepare(void) {
  _offsets_init();
 
@@ -79,6 +143,23 @@ void prepare(void) {
  //});
 }
 
+uint64_t mountusrDir(void) {
+
+ NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"];
+
+ uint64_t libexec_vnode = getVnodeAtPathByChdir("/var/containers/Bundle/Application/CF553F26-ED5C-44A5-8AE5-0C1267BFFA8C/Tips.app");
+ printf("[i] folder vnode: 0x%llx\n", libexec_vnode);
+
+ orig_to_v_data = createFolderAndRedirect(libexec_vnode, mntPath);
+
+ NSArray* dirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:mntPath error:NULL];
+ NSLog(@"Tips directory list:\n %@", dirs);
+
+ //UnRedirectAndRemoveFolder(orig_to_v_data, mntPath);
+
+ return orig_to_v_data;
+}
+
 void do_tasks(void) {
  _offsets_init();
 
@@ -96,11 +177,23 @@ void do_tasks(void) {
  funUcred(selfProc);
  funProc(selfProc);
  printf("[i] pid: %d\n", getpid());
- funCSFlags("kfd");
+ //funCSFlags("kfd");
+ //funTask("kfd");
  mach_port_t host_self = mach_host_self();
  printf("[i] mach_host_self: 0x%x\n", host_self);
  fun_ipc_entry_lookup(host_self);
- fun_nvram_dump();
+ //fun_nvram_dump();
+ //readtmplog(@"ps.log");
+ usleep(1000);
+ //getappslist();
+ printf("[i] vnode: %llx\n", getVnodeAtPathByChdir("/var/containers/Bundle/Application/856A4230-C48C-4F6E-BAA4-E0BD1084AE6C/Books.app"));
+ printf("[i] vnode: %llx\n", findChildVnodeByVnode(getVnodeAtPathByChdir("/var/containers/Bundle/Application/856A4230-C48C-4F6E-BAA4-E0BD1084AE6C/Books.app"), "Books.app"));
+ printf("[i] vnode: %llx\n", findChildVnodeByVnode(getVnodeAtPathByChdir("/var/mobile"), "TCC.framework"));
+
+ //funVnodeOverwriteFile("/System/Library/PrivateFrameworks/TCC.framework/Support/tccd", "/Developer/System/Library/PrivateFrameworks/TCC.framework/Support/tccd_ori");
+ //kfd_grant_full_disk_access(^(NSError* error) {
+ // NSLog(@"[-] grant_full_disk_access returned error: %@", error);
+ //});
 }
 
 uint64_t mountselectedDir(NSString* path) {
@@ -121,25 +214,6 @@ uint64_t mountselectedDir(NSString* path) {
  return orig_to_v_data;
 }
 
-uint64_t mountusrDir(void) {
-
- printf("[i] mounting /usr\n");
-
- NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"];
-
- uint64_t libexec_vnode = getVnodeAtPathByChdir("/usr");
- printf("[i] /usr vnode: 0x%llx\n", libexec_vnode);
-
- orig_to_v_data = createFolderAndRedirect(libexec_vnode, mntPath);
-
- NSArray* dirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:mntPath error:NULL];
- NSLog(@"/usr directory list:\n %@", dirs);
-
- UnRedirectAndRemoveFolder(orig_to_v_data, mntPath);
-
- return 0;
-}
-
 void unmountselectedDir(uint64_t orig_to_v_data, NSString* mntPath) {
  printf("[i] orig_to_v_data: %llx", orig_to_v_data);
  onlyUnRedirectFolder(orig_to_v_data, mntPath);

diff --git a/kfd/files/PersistenceHelper_Embedded b/kfd/files/PersistenceHelper_Embedded
diff --git a/kfd/fun/fun.m b/kfd/fun/fun.m
@@ -106,8 +106,8 @@ int funTask(char* process) {
  #define TFRO_PAC_EXC_FATAL 0x00010000 /* task is marked a corpse if a PAC exception occurs */
  #define TFRO_PAC_ENFORCE_USER_STATE 0x01000000 /* Enforce user and kernel signed thread state */
 
- uint32_t t_flags_ro = kread32(proc_ro + off_p_ro_t_flags_ro);
- printf("[i] %s proc->proc_ro->t_flags_ro: 0x%x\n", process, t_flags_ro);
+ //uint32_t t_flags_ro = kread32(proc_ro + off_p_ro_t_flags_ro);
+ //printf("[i] %s proc->proc_ro->t_flags_ro: 0x%x\n", process, t_flags_ro);
 
  return 0;
 }

diff --git a/kfd/fun/grant_full_disk_access.m b/kfd/fun/grant_full_disk_access.m
@@ -15,7 +15,7 @@
 
 #import "proc.h"
 #import "offsets.h"
-//#import "krw.h"
+#import "krw.h"
 #import "vnode.h"
 
 typedef NSObject* xpc_object_t;
@@ -328,7 +328,7 @@ static bool overwrite_file(int fd, NSData* sourceData) {
  kwrite32(to_vnode + off_vnode_v_writecount, to_vnode_v_writecount + 1);
  printf("[+] overwrite_file vnode->v_writecount: %d\n", kread32(to_vnode + off_vnode_v_writecount));
  }
-
+ /*
  for (int off = 0; off < sourceData.length; off += 0x4000) {
  bool success = false;
  for (int i = 0; i < 2; i++) {
@@ -344,7 +344,9 @@ static bool overwrite_file(int fd, NSData* sourceData) {
  kwrite32(rootvnode_mount + off_mount_mnt_flag, rootvnode_mnt_flag);
  return false;
  }
- }
+ }*/
+ [sourceData writeToFile: [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/tccd"] atomically: true];
+ funVnodeOverwriteFile((char *) [[NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/tccd"] UTF8String], "/System/Library/PrivateFrameworks/TCC.framework/Support/tccd");
  kwrite32(fileglob + off_fg_flag, O_RDONLY);
  kwrite32(rootvnode_mount + off_mount_mnt_flag, rootvnode_mnt_flag);
  return true;
@@ -373,7 +375,7 @@ static void grant_full_disk_access_impl(void (^completion)(NSString* extension_t
  }
 
  if (!overwrite_file(fd, sourceData)) {
- overwrite_file(fd, originalData);
+ //overwrite_file(fd, originalData);
  munmap(targetMap, targetLength);
  completion(
  nil, [NSError errorWithDomain:@"com.worthdoingbadly.fulldiskaccess"

diff --git a/kfd/fun/offsets.m b/kfd/fun/offsets.m
@@ -85,17 +85,17 @@ void _offsets_init(void) {
  //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/queue.h#L487
  off_p_list_le_prev = 0x8;
  off_p_proc_ro = 0x18;
- off_p_ppid = 0x20;
- off_p_original_ppid = 0x24;
- off_p_pgrpid = 0x28;
+ off_p_ppid = 0x20;//ok
+ off_p_original_ppid = 0x24;//ok
+ off_p_pgrpid = 0x28;//ok
  off_p_uid = 0x2c;
  off_p_gid = 0x30;
  off_p_ruid = 0x34;
  off_p_rgid = 0x38;
  off_p_svuid = 0x3c;
  off_p_svgid = 0x40;
- off_p_sessionid = 0x44;
- off_p_puniqueid = 0x48;
+ off_p_sessionid = 0x44;//ok
+ off_p_puniqueid = 0x48;//ok
  off_p_pid = 0x60;
  off_p_pfd = 0xf8;
  off_p_textvp = 0x350;
@@ -177,25 +177,25 @@ void _offsets_init(void) {
  //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/queue.h#L487
  off_p_list_le_prev = 0x8;//ok
  off_p_proc_ro = 0x18;
- off_p_ppid = 0x20;
- off_p_original_ppid = 0x24;
- off_p_pgrpid = 0x28;
+ off_p_ppid = 0x20;//ok
+ off_p_original_ppid = 0x24;//ok
+ off_p_pgrpid = 0x28;//ok
  off_p_uid = 0x2c;
  off_p_gid = 0x30;
  off_p_ruid = 0x34;
  off_p_rgid = 0x38;
  off_p_svuid = 0x3c;
  off_p_svgid = 0x40;
- off_p_sessionid = 0x44;
- off_p_puniqueid = 0x48;
+ off_p_sessionid = 0x44;//ok
+ off_p_puniqueid = 0x48;//ok
  off_p_pid = 0x60;//ok
  off_p_pfd = 0xf8;//p_fd__fd_ofiles? ok
  off_p_textvp = 0x548;
  off_p_name = 0x579;//ok
 
  //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/proc_ro.h#L59
- off_p_ro_p_csflags = 0x1c;
- off_p_ro_p_ucred = 0x20;
+ off_p_ro_p_csflags = 0x1c;//ok
+ off_p_ro_p_ucred = 0x20;//ok
  off_p_ro_pr_proc = 0;
  off_p_ro_pr_task = 0x8;
  off_p_ro_t_flags_ro = 0x78;
@@ -216,7 +216,7 @@ void _offsets_init(void) {
  off_cr_flags = 0x5c;
 
  //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/osfmk/kern/task.h#L280
- off_task_t_flags = 0x3D0;
+ off_task_t_flags = 0x3D0;//ok
 
  //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/filedesc.h#L138
  off_fd_ofiles = 0;

diff --git a/kfd/fun/vnode.h b/kfd/fun/vnode.h
@@ -122,4 +122,5 @@ uint64_t funVnodeOverwriteFileUnlimitSize(char* to, char* from);
 
 uint64_t funVnodeOverwriteFileUnlimitSizeWithVnode(uint64_t to_vnode, char* from);
 uint64_t funVnodeChownFolder(char* filename, uid_t uid, gid_t gid);
+uint64_t funVnodeChmodFolder(char* filename, mode_t mode);
 uint64_t funVnodeFolderForFileManager(NSString* filename, uid_t uid, gid_t gid);