//----utilities----//
#import "kernel_utils.h"
#import "patchfinder64.h"
#import "utils.h"
#import "offsets.h"
#import "offsetof.h"
#import "kexecute.h"
#import "vnode_utils.h"
#import "snapshot_utils.h"
#import "offsetof.h"
#import "offsets.h"
#import "amfi_utils.h"
#import "osobject.h"
#import "kernelSymbolFinder.h"
#import "cs_blob.h"
//---standard C stuff---//
#import <string.h>
#import <stdlib.h>
#import <stdio.h>
#import <unistd.h>
#import <spawn.h>
#import <sys/mman.h>
#import <sys/attr.h>
//---stuff---//
#import <mach/mach.h>
#import <sys/types.h>
#import <CommonCrypto/CommonDigest.h>
//---Obj-c stuff---//
#import <Foundation/Foundation.h>
// Kernel-execution primitive: calls the kernel function at `function` with
// `argument_count` variadic arguments. Supplied by the caller through
// init_with_kbase() and exported again as `kernel_exec` below.
typedef int (*kexecFunc)(uint64_t function, size_t argument_count, ...);
// 20-byte hash buffer consumed by trust_hash(). Presumably a CDHash; the exact
// hash kind is not stated in this header — confirm against the implementation.
typedef char hash_t[20];
// Kernel ASLR slide and unslid/slid kernel base. Presumably populated by
// init_jelbrek() / init_with_kbase() (the init comment mentions finding the
// kernel base) — not guaranteed valid before init.
extern uint32_t KASLR_Slide;
extern uint64_t KernelBase;
// The kernel task port (tfp0) handed to init_jelbrek(). Anything that holds
// this port has full read/write access to kernel memory; it is exported as a
// global, so every piece of code linked with this library can reach it.
extern mach_port_t TFP0;
// The kexecFunc registered via init_with_kbase(); same global-exposure caveat
// as TFP0, since it allows arbitrary kernel function calls.
extern kexecFunc kernel_exec;
/*
Purpose: Initialize jelbrekLib (first thing you have to call)
Parameters:
kernel task port (tfp0). Whoever holds this port has full read/write access to kernel memory, so treat it — and the exported TFP0 global — as the most sensitive value in the process.
Return values:
0: success (presumably — only the error codes are documented here)
1: tfp0 port not valid
2: Something went wrong while finding the kernel base
3: patchfinder didn't initialize properly
4: kernelSymbolFinder didn't initialize properly
*/
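// kexecFunc is typedef'd once, next to the exported globals above; the
// redundant second typedef that used to sit here (identical type, but a
// -Wtypedef-redefinition warning in pre-C11 modes) is not repeated.

// Initialize the library from a kernel task port. Returns 0 on success
// (presumably) and the non-zero error codes documented in the comment above.
int init_jelbrek(mach_port_t tfpzero);

// iOS 12 variant: the caller already knows the kernel base and supplies its own
// kernel-execution primitive (stored in the `kernel_exec` global). Same return
// codes as init_jelbrek() as far as this header documents.
int init_with_kbase(mach_port_t tfpzero, uint64_t kernelBase, kexecFunc kexec); // iOS 12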
/*
Purpose: Free memory used by jelbrekLib & clean up (last thing you have to call)
*/
void term_jelbrek(void);
/*
Purpose:
Add a Mach-O binary to the AMFI trust cache. Anything in the trust cache is treated as trusted by AMFI, so only add binaries you control.
Parameters:
A path to a single Mach-O, or to a directory for recursive patching. Binaries must be signed with SHA256 (for SHA1-signed binaries see bypassCodeSign()).
Return values (the success value is not documented here; presumably 0):
-1: path doesn't exist
-2: Couldn't find a valid Mach-O in the directory
2: Binary is not an executable
3: Binary bigger than 0x4000 bytes, or lstat() failed
4: Permission denied when trying to open the file
5: Something went wrong while reading data from the file
6: Binary is not a Mach-O
7: mmap() of the file failed
*/
int trustbin(const char *path);
// Adds a single 20-byte hash (hash_t) directly, without reading any file.
// Presumably the binary's CDHash going into the same trust cache that
// trustbin() populates — confirm against the implementation. The return
// value is not documented in this header.
int trust_hash(hash_t hash);
/*
Purpose:
Bypass all code-signing checks for a Mach-O. The binary can be signed with SHA1 or SHA256. After this the kernel no longer enforces code signing for that file, so use it only on binaries you trust.
Parameters:
A path to a Mach-O
Return values:
-1: error
0: success
*/
int bypassCodeSign(const char *macho);
/*
Purpose:
Unsandboxes a process
Parameters:
The process ID
Return values:
Kernel pointer to the original sandbox slot: successfully unsandboxed, or already unsandboxed. Keep this value and pass it to sandbox() to restore the sandbox later.
0: something went wrong (the return type is uint64_t, so "false" here means 0)
*/
uint64_t unsandbox(pid_t pid);
/*
Purpose:
Sandboxes a process (re-applies a sandbox slot previously saved by unsandbox())
Parameters:
The process ID
Kernel pointer to the sandbox slot, as returned by unsandbox()
Return values:
true: successfully sandboxed
false: something went wrong
*/
BOOL sandbox(pid_t pid, uint64_t sb);
/*
Purpose:
Sets additional code-signing flags on a process. Exactly which csflags are set is not stated in this header — check the implementation before relying on a specific flag.
Parameters:
The process ID
Return values:
true: successfully patched, or the process already has the flags
false: something went wrong
*/
BOOL setcsflags(pid_t pid);
/*
Purpose:
Patches the process credentials so that its UID & GID become 0 (root)
Parameters:
The process ID
Return values:
true: successfully patched, or the process already runs as root
false: something went wrong
*/
BOOL rootify(pid_t pid);
/*
Purpose:
Sets the TF_PLATFORM flag on a process & the CS_PLATFORM_BINARY csflag, i.e. makes the kernel treat it as a platform binary
Parameters:
The process ID
Return values:
None. The function is declared void, so failure is not reported to the caller (an earlier true/false description here did not match the signature).
*/
void platformize(pid_t pid);
/*
Purpose:
Adds a new entitlement to the set AMFI keeps for the process (not to the actual entitlements blob in the csblob)
Parameters:
The process ID
The entitlement key (e.g. com.apple.private.skip-library-validation)
Entitlement value, either true or false
Return values:
true: successfully patched, or the process already has the entitlement
false: something went wrong
*/
BOOL entitlePidOnAMFI(pid_t pid, const char *ent, BOOL val);
/*
Purpose:
Replaces the entitlements stored in the csblob AND the ones kept by AMFI. Unlike entitlePidOnAMFI(), this FULLY REPLACES the entitlement set: whatever the process had before is gone. Merging new entitlements on top of the existing ones is doable but not implemented yet.
Parameters:
The process ID
The entitlements as a raw plist XML fragment (e.g. "<key>task_for_pid-allow</key><true/>")
Return values:
true: successfully patched
false: something went wrong
*/
BOOL patchEntitlements(pid_t pid, const char *entitlementString);
/*
Purpose:
Makes the target process use the kernel credentials of another (donor) process. While borrowed, the target runs with the donor's identity.
Parameters:
The target's process ID
The donor's process ID
Return values:
Kernel pointer to the target's original credentials (pass it to undoCredDonation() to revert)
*/
uint64_t borrowCredsFromPid(pid_t target, pid_t donor);
/*
Purpose:
Spawns a binary and borrows its credentials for the target (see borrowCredsFromPid())
Parameters:
The target's process ID
The donor binary path & up to 6 arguments (Leave NULL if not using)
environment variables (Leave NULL if not using)
Return values:
Success: Original credentials (pass to undoCredDonation() to revert later)
Error: posix_spawn return value
NOTE: both outcomes come back through the same uint64_t. A posix_spawn error is a small positive errno while the credential value is a kernel pointer, so callers must tell the two apart (e.g. by magnitude) before handing the value to undoCredDonation().
*/
uint64_t borrowCredsFromDonor(pid_t target, char *binary, char *arg1, char *arg2, char *arg3, char *arg4, char *arg5, char *arg6, char**env);
/*
Purpose:
Undoes a credential donation made by borrowCredsFromPid() / borrowCredsFromDonor()
Parameters:
The target's process ID
The original credentials returned by the borrow call
*/
void undoCredDonation(pid_t target, uint64_t origcred);
/*
Purpose:
Spawn a process as a platform binary
Parameters:
Binary path
Up to 6 arguments (Leave NULL if not using)
environment variables (Leave NULL if not using)
Return values:
Success: child exit status
Error: posix_spawn return value
NOTE: both are non-negative ints returned through the same channel, so a failed spawn (errno) cannot be distinguished from a child that exited with that same status by the return value alone.
*/
int launchAsPlatform(char *binary, char *arg1, char *arg2, char *arg3, char *arg4, char *arg5, char *arg6, char**env);
/*
Purpose:
Spawn a process and wait for it
Parameters:
Binary path
Up to 6 arguments (Leave NULL if not using)
environment variables (Leave NULL if not using)
Return values:
Success: child exit status
Error: posix_spawn return value
NOTE: as with launchAsPlatform(), a posix_spawn errno and a child exit status share the same int return value and cannot be told apart by the caller.
*/
int launch(char *binary, char *arg1, char *arg2, char *arg3, char *arg4, char *arg5, char *arg6, char**env);
/*
Purpose:
Spawn a process in the suspended state (the caller is responsible for resuming or killing it)
Parameters:
Binary path
Up to 6 arguments (Leave NULL if not using)
environment variables (Leave NULL if not using)
Return values:
Success: child pid
Error: posix_spawn return value
NOTE: a posix_spawn errno is also a positive int, so it is not distinguishable from a pid by the return value alone.
*/
int launchSuspended(char *binary, char *arg1, char *arg2, char *arg3, char *arg4, char *arg5, char *arg6, char**env);
/*
Purpose:
Mount a device read-write at the specified path
Parameters:
Device node path
Mount point path
Return values:
mount() return value (0 on success, -1 on failure)
*/
int mountDevAtPathAsRW(const char* devpath, const char* path);
/*
Purpose:
Mount / as read and write on iOS 10.3-11.4b3
Return values:
0: mount succeeded
-1: mount failed
*/
int remountRootFS(void);
/*
Purpose:
Get the kernel vnode pointer for a specified path
Parameters:
Target path
Return values:
Vnode pointer of the path (the failure value is not documented here; presumably 0)
*/
uint64_t getVnodeAtPath(const char *path);
/*
Purpose:
Patch the host port's type so that host_get_special_port() (hgsp) works on it
Parameters:
host port. mach_host_self() for the host port of this process
Return value:
YES: Success or already good
NO: Failure
WARNING:
DO **NOT** USE WITH mach_host_self() ON A PROCESS THAT WAS MEANT TO RUN AS "mobile" (ANY app),
ON A DEVICE WITH SENSITIVE INFORMATION, OR IN A NON-DEVELOPER JAILBREAK.
IN COMBINATION WITH setHSP4() THIS GIVES ANY APP THE ABILITY TO GET THE KERNEL TASK PORT, I.E. FULL CONTROL OF YOUR DEVICE.
On a developer device you can do that, and it will probably be very helpful for debugging :)
The original idea was implemented by Ian Beer. Another example of this patch can be found inside FakeHostPriv(), which creates a dummy port that acts like mach_host_self() of a root process.
*/
BOOL PatchHostPriv(mach_port_t host);
/*
Purpose:
Print a hex dump of kernel memory (debugging aid; the output goes wherever the implementation logs to)
Parameters:
Kernel address to read from
Number of bytes to dump
*/
void HexDump(uint64_t addr, size_t size);
/*
Purpose:
Hide a filesystem path (make it invisible; the exact mechanism is not described in this header)
Parameters:
path
Return value:
true: Success
false: Failure
*/
BOOL hidePath(char *path);
/*
Purpose:
Allow the executable at the given path to be mmap()ed by every process that has read access to it
Parameters:
path
Return value:
true: Success
false: Failure
*/
BOOL fixMmap(char *path);