authorSam Bingner <sam@bingner.com>2019-03-21 00:29:05 -1000
committerSam Bingner <sam@bingner.com>2019-03-21 23:43:08 -1000
commitcc004d3051f90a77601f4221a8855604ede7bc26 (patch)
tree797984b2cd149aeebc4730548e2bc80590ef83c0
parent7bca6ad19e54e2edc4ec9cfa10da20a26e294334 (diff)
Getting inject running
-rw-r--r--control2
-rw-r--r--inject.m28
-rw-r--r--kern_funcs.c1
-rw-r--r--kern_funcs.h1
-rwxr-xr-xkernel_call/kernel_slide.c6
-rw-r--r--main.m54
6 files changed, 51 insertions, 41 deletions
diff --git a/control b/control
index 2bfa61c..c68b069 100644
--- a/control
+++ b/control
@@ -1,6 +1,6 @@
Package: trustinjector
Name: Trust Cache Injector
-Version: 0.4~b3
+Version: 0.4~b4
Architecture: iphoneos-arm
Description: Inject files to kernel trust cache
Maintainer: Sam Bingner <maintainer@sbdhi.com>
diff --git a/inject.m b/inject.m
index 5f39e2b..a99c811 100644
--- a/inject.m
+++ b/inject.m
@@ -89,7 +89,7 @@ NSString *cdhashFor(NSString *file) {
NSUInteger algoIndex = [algos indexOfObject:@(requiredHash)];
if (cdhashes == nil) {
- printf("%s: no cdhashes\n", filename);
+ //printf("%s: no cdhashes\n", filename);
} else if (algos == nil) {
printf("%s: no algos\n", filename);
} else if (algoIndex == NSNotFound) {
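Review bot: The diagnostic on the `cdhashes == nil` branch is left as commented-out code rather than removed, and the same is done to the "OK" line at L59 in the `injectTrustCache` hunk below; the sibling `no algos` and `NSNotFound` branches still print, so a file without a code directory now fails with no message while presumably still being counted in `errors` by the caller (L53-L54). Either delete the dead lines or gate them behind one verbosity switch, e.g. `if (verbose) printf("%s: no cdhashes\n", filename);`, so the quiet and noisy paths are decided in a single place rather than by which lines happen to be commented out. `cdhashFor` starts and ends outside this hunk.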
@@ -158,7 +158,8 @@ int injectTrustCache(NSArray <NSString*> *files, uint64_t trust_chain, int (*pma
mem.next = rk64(trust_chain);
mem.count = 0;
- arc4random_buf(&mem.uuid, 16);
+ uuid_generate(mem.uuid);
+
NSMutableDictionary *hashes = [NSMutableDictionary new];
int errors=0;
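Review bot: `uuid_generate(mem.uuid)` is declared in `<uuid/uuid.h>`, and this hunk does not add the include; if inject.m does not already pull it in, the call compiles as an implicit declaration (or fails under -Werror). It also assumes `mem.uuid` is an array compatible with `uuid_t` (`unsigned char[16]`); the replaced `arc4random_buf(&mem.uuid, 16)` only required 16 addressable bytes, so the field's declared type should be confirmed. `injectTrustCache` starts and ends outside this hunk.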
@@ -166,13 +167,14 @@ int injectTrustCache(NSArray <NSString*> *files, uint64_t trust_chain, int (*pma
NSString *cdhash = cdhashFor(file);
if (cdhash == nil) {
errors++;
+ continue;
+ }
+
+ if (hashes[cdhash] == nil) {
+ //printf("%s: OK\n", file.UTF8String);
+ hashes[cdhash] = file;
} else {
- if (hashes[cdhash] == nil) {
- printf("%s: OK\n", file.UTF8String);
- hashes[cdhash] = file;
- } else {
- printf("%s: same as %s (ignoring)", file.UTF8String, [hashes[cdhash] UTF8String]);
- }
+ printf("%s: same as %s (ignoring)\n", file.UTF8String, [hashes[cdhash] UTF8String]);
}
}
unsigned numHashes = (unsigned)[hashes count];
@@ -190,7 +192,7 @@ int injectTrustCache(NSArray <NSString*> *files, uint64_t trust_chain, int (*pma
return errors;
}
- size_t length = (sizeof(mem) + hashesToInject * TRUST_CDHASH_LEN + 0x3FFF) & ~0x3FFF;
+ size_t length = (32 + hashesToInject * TRUST_CDHASH_LEN + 0x3FFF) & ~0x3FFF;
char *buffer = malloc(hashesToInject * TRUST_CDHASH_LEN);
if (buffer == NULL) {
fprintf(stderr, "Unable to allocate memory for cdhashes: %s\n", strerror(errno));
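Review bot: The page-rounded `length` now hard-codes `32` where `sizeof(mem)` was used, but the header is still written with `kwrite(kernel_trust, &mem, sizeof(mem))` and the hashes placed at `kernel_trust + sizeof(mem)` (L82-L83), so the two sizes can silently diverge if the struct is not exactly 32 bytes. If the local struct intentionally differs from a 32-byte on-kernel header, name that fact — `static const size_t kTrustCacheHeaderLength = 32;` with a comment saying why it differs from `sizeof(mem)` — and use the constant for the write offset as well; otherwise restore `sizeof(mem)`. `injectTrustCache` starts and ends outside this hunk.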
@@ -206,7 +208,13 @@ int injectTrustCache(NSArray <NSString*> *files, uint64_t trust_chain, int (*pma
mem.count = hashesToInject;
kwrite(kernel_trust, &mem, sizeof(mem));
kwrite(kernel_trust + sizeof(mem), buffer, mem.count * TRUST_CDHASH_LEN);
- pmap_load_trust_cache(kernel_trust, length);
+ if (pmap_load_trust_cache != NULL) {
+ if (pmap_load_trust_cache(kernel_trust, length) != ERR_SUCCESS) {
+ return -4;
+ }
+ } else {
+ wk64(trust_chain, kernel_trust);
+ }
return (int)errors;
}
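Review bot: The new `return -4` path is the only failure in `injectTrustCache` that reports nothing: the `malloc` failure above prints to stderr, and `main` (L237) only prints the numeric code. Add `fprintf(stderr, "pmap_load_trust_cache failed\n");` before the return so the cause is visible in the log. Unless `buffer` is released somewhere in the lines not shown, the early return also leaks the `malloc` from L77 (the normal path at L92 does not free it either, so this may be pre-existing); a `free(buffer)` before both returns would be cheap. `injectTrustCache` begins before this hunk.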
diff --git a/kern_funcs.c b/kern_funcs.c
index 553d25c..c701cb3 100644
--- a/kern_funcs.c
+++ b/kern_funcs.c
@@ -147,6 +147,7 @@ uint64_t task_self_addr() {
return port_addr;
}
+int (*pmap_load_trust_cache)(uint64_t kernel_trust, size_t length) = NULL;
int _pmap_load_trust_cache(uint64_t kernel_trust, size_t length) {
return (int)kernel_call_7(GETOFFSET(pmap_load_trust_cache), 3, kernel_trust, length, 0);
}
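Review bot: The new global `pmap_load_trust_cache` carries no comment describing its protocol, even though `injectTrustCache` (inject.m L85-L91) treats `NULL` as "link the new cache into the chain head with `wk64` instead", and main.m L208 only installs `_pmap_load_trust_cache` when a non-zero offset is known. Document that at the `extern` in kern_funcs.h (L113): `/* Kernel trust-cache loader; stays NULL until main() installs _pmap_load_trust_cache, and callers fall back to linking the cache in directly when it is NULL. */`. The same token is also used by `GETOFFSET(pmap_load_trust_cache)` / `SETOFFSET(...)` on the very line that assigns the variable, which works only because those macros paste it into a different identifier; a short comment, or a distinct variable name, would make that less surprising to the next reader.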
diff --git a/kern_funcs.h b/kern_funcs.h
index e6633a7..e97e13a 100644
--- a/kern_funcs.h
+++ b/kern_funcs.h
@@ -36,6 +36,7 @@ uint64_t kmem_alloc(uint64_t size);
size_t kread(uint64_t where, void *p, size_t size);
size_t kwrite(uint64_t where, const void *p, size_t size);
uint64_t task_self_addr(void);
+extern int (*pmap_load_trust_cache)(uint64_t kernel_trust, size_t length);
int _pmap_load_trust_cache(uint64_t kernel_trust, size_t length);
#endif // _KERN_FUNCS_H_
diff --git a/kernel_call/kernel_slide.c b/kernel_call/kernel_slide.c
index 832a179..0718af2 100755
--- a/kernel_call/kernel_slide.c
+++ b/kernel_call/kernel_slide.c
@@ -43,7 +43,7 @@ is_kernel_base(uint64_t base) {
bool
kernel_slide_init() {
- if (kernel_slide != 0) {
+ if (kernel_slide != -1) {
return true;
}
// Get the address of the host port.
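Review bot: Both early-return guards in this file now use `-1` instead of `0` as the "not yet initialised" sentinel (here and at L131-L132), but neither hunk shows the definition of `kernel_slide` changing its initial value; if it is still zero-initialised, `kernel_slide != -1` is true on the first call and both `kernel_slide_init` functions return `true` without ever computing a slide. Comparing what is presumably a `uint64_t` with the int literal `-1` relies on the usual arithmetic conversions to `UINT64_MAX` and reads like a bug; a named sentinel, e.g. `#define KERNEL_SLIDE_UNSET UINT64_MAX`, used in both the definition and the guards, would state the intent. The `>=` loosening at L140-L141 is the consistent companion change, since a slide of 0 is now a legitimate result. `kernel_slide_init` ends outside this hunk.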
@@ -63,7 +63,7 @@ kernel_slide_init() {
bool
kernel_slide_init_with_kernel_image_address(uint64_t address) {
- if (kernel_slide != 0) {
+ if (kernel_slide != -1) {
return true;
}
// Find the highest possible kernel base address that could still correspond to the given
@@ -73,7 +73,7 @@ kernel_slide_init_with_kernel_image_address(uint64_t address) {
base = base + ((address - base) / kernel_slide_step) * kernel_slide_step;
// Now walk backwards from that kernel base one kernel slide at a time until we find the
// real kernel base.
- while (base > STATIC_ADDRESS(kernel_base)) {
+ while (base >= STATIC_ADDRESS(kernel_base)) {
bool found = is_kernel_base(base);
if (found) {
kernel_slide = base - STATIC_ADDRESS(kernel_base);
diff --git a/main.m b/main.m
index b342996..0afddec 100644
--- a/main.m
+++ b/main.m
@@ -19,15 +19,12 @@
#include "kc_parameters.h"
#include "kernel_memory.h"
-#define PF(x) SETOFFSET(x, find_ ## x ())
-
mach_port_t try_restore_port() {
mach_port_t port = MACH_PORT_NULL;
kern_return_t err;
err = host_get_special_port(mach_host_self(), 0, 4, &port);
if (err == KERN_SUCCESS && port != MACH_PORT_NULL) {
- fprintf(stderr, "got persisted port!\n");
// make sure rk64 etc use this port
return port;
}
@@ -42,48 +39,51 @@ int main(int argc, char* argv[]) {
return -1;
}
mach_port_t tfp0 = try_restore_port();
- if (tfp0 == MACH_PORT_NULL)
+ if (tfp0 == MACH_PORT_NULL) {
+ fprintf(stderr, "Unable to obtain tfp0\n");
return -2;
+ }
set_tfp0(tfp0);
struct task_dyld_info dyld_info = { 0 };
mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
if (task_info(tfp0, TASK_DYLD_INFO, (task_info_t)&dyld_info, &count) != KERN_SUCCESS ||
- (kernel_base = dyld_info.all_image_info_addr) == 0 ||
- (kernel_slide = dyld_info.all_image_info_size) == 0) {
+ (kernel_base = dyld_info.all_image_info_addr) == 0) {
return -3;
}
- init_kernel(kread, kernel_base, NULL);
- uint64_t trust_chain = find_trustcache();
- PF(trustcache);
- PF(kernel_task);
- PF(pmap_load_trust_cache);
+ kernel_slide = dyld_info.all_image_info_size;
+ @autoreleasepool {
+ NSMutableDictionary *offsets = [NSMutableDictionary dictionaryWithContentsOfFile:@"/jb/offsets.plist"];
+ SETOFFSET(trustcache, (uint64_t)strtoull([offsets[@"TrustChain"] UTF8String], NULL, 16));
#if __arm64e__
- PF(paciza_pointer__l2tp_domain_module_start);
- PF(paciza_pointer__l2tp_domain_module_stop);
- PF(l2tp_domain_inited);
- PF(sysctl__net_ppp_l2tp);
- PF(sysctl_unregister_oid);
- PF(mov_x0_x4__br_x5);
- PF(mov_x9_x0__br_x1);
- PF(mov_x10_x3__br_x6);
- PF(kernel_forge_pacia_gadget);
- PF(kernel_forge_pacda_gadget);
-#endif
- PF(IOUserClient__vtable);
- PF(IORegistryEntry__getRegistryEntryID);
- term_kernel();
+ SETOFFSET(kernel_task, (uint64_t)strtoull([offsets[@"KernelTask"] UTF8String], NULL, 16));
+ // We should use this on other things but kexecute is broken for i6 at least
+ SETOFFSET(pmap_load_trust_cache, (uint64_t)strtoull([offsets[@"PmapLoadTrustCache"] UTF8String], NULL, 16));
+ if (GETOFFSET(pmap_load_trust_cache)) pmap_load_trust_cache = _pmap_load_trust_cache;
+ SETOFFSET(paciza_pointer__l2tp_domain_module_start, (uint64_t)strtoull([offsets[@"PacizaPointerL2TPDomainModuleStart"] UTF8String], NULL, 16));
+ SETOFFSET(paciza_pointer__l2tp_domain_module_stop, (uint64_t)strtoull([offsets[@"PacizaPointerL2TPDomainModuleStop"] UTF8String], NULL, 16));
+ SETOFFSET(l2tp_domain_inited, (uint64_t)strtoull([offsets[@"L2TPDomainInited"] UTF8String], NULL, 16));
+ SETOFFSET(sysctl__net_ppp_l2tp, (uint64_t)strtoull([offsets[@"SysctlNetPPPL2TP"] UTF8String], NULL, 16));
+ SETOFFSET(sysctl_unregister_oid, (uint64_t)strtoull([offsets[@"SysctlUnregisterOid"] UTF8String], NULL, 16));
+ SETOFFSET(mov_x0_x4__br_x5, (uint64_t)strtoull([offsets[@"MovX0X4BrX5"] UTF8String], NULL, 16));
+ SETOFFSET(mov_x9_x0__br_x1, (uint64_t)strtoull([offsets[@"MovX9X0BrX1"] UTF8String], NULL, 16));
+ SETOFFSET(mov_x10_x3__br_x6, (uint64_t)strtoull([offsets[@"MovX10X3BrX6"] UTF8String], NULL, 16));
+ SETOFFSET(kernel_forge_pacia_gadget, (uint64_t)strtoull([offsets[@"KernelForgePaciaGadget"] UTF8String], NULL, 16));
+ SETOFFSET(kernel_forge_pacda_gadget, (uint64_t)strtoull([offsets[@"KernelForgePacdaGadget"] UTF8String], NULL, 16));
+ SETOFFSET(IOUserClient__vtable, (uint64_t)strtoull([offsets[@"IOUserClientVtable"] UTF8String], NULL, 16));
+ SETOFFSET(IORegistryEntry__getRegistryEntryID, (uint64_t)strtoull([offsets[@"IORegistryEntryGetRegistryEntryID"] UTF8String], NULL, 16));
parameters_init();
kernel_task_port = tfp0;
current_task = rk64(task_self_addr() + OFFSET(ipc_port, ip_kobject));
kernel_task = rk64(GETOFFSET(kernel_task));
kernel_call_init();
+#endif
printf("Injecting to trust cache...\n");
- @autoreleasepool {
NSMutableArray *files = [NSMutableArray new];
for (int i=1; i<argc; i++) {
[files addObject:@( argv[i] )];
}
- int errs = injectTrustCache(files, trust_chain, pmap_load_trust_cache);
+
+ int errs = injectTrustCache(files, GETOFFSET(trustcache), pmap_load_trust_cache);
if (errs < 0) {
printf("Error %d injecting to trust cache.\n", errs);
} else {
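Review bot: The offsets loaded from `/jb/offsets.plist` at L188 are used without any validation: if the file is missing, unreadable or malformed, `dictionaryWithContentsOfFile:` returns nil, every `offsets[@"..."]` lookup is nil, `[nil UTF8String]` yields NULL and `strtoull(NULL, NULL, 16)` is undefined behaviour, so the program crashes or continues with zero offsets before any error is printed. Only `pmap_load_trust_cache` gets a zero check (L208); `trustcache` does not, yet it is passed to `injectTrustCache` at L235, where a zero chain address would be read through `rk64`. Every address this tool writes into kernel memory comes from that plist, so its contents are trusted input: load into a plain `NSDictionary`, fail early when it is nil, read each key through one helper that checks the value is an `NSString`, and refuse to run when a required offset is zero. `main` begins before this hunk; the arm64e block depends on the remaining keys in the same way, which the same helper covers.
```objc
// Returns the hex offset stored under `key`, or 0 when the key is missing or not a string.
static uint64_t offsetFromPlist(NSDictionary *offsets, NSString *key) {
    id value = offsets[key];
    if (![value isKindOfClass:[NSString class]]) {
        return 0;
    }
    return (uint64_t)strtoull([value UTF8String], NULL, 16);
}

// … unchanged: try_restore_port, start of main up to kernel_slide assignment …
    @autoreleasepool {
        NSDictionary *offsets = [NSDictionary dictionaryWithContentsOfFile:@"/jb/offsets.plist"];
        if (offsets == nil) {
            fprintf(stderr, "Unable to read /jb/offsets.plist\n");
            return -4;
        }
        SETOFFSET(trustcache, offsetFromPlist(offsets, @"TrustChain"));
        if (GETOFFSET(trustcache) == 0) {
            fprintf(stderr, "Missing TrustChain offset\n");
            return -4;
        }
        // … unchanged: arm64e SETOFFSET block, each value read via offsetFromPlist …
```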