1 files changed, 245 insertions, 0 deletions

diff --git a/inject.c b/inject.c
new file mode 100644
index 0000000..82a0c57
--- /dev/null
+++ b/inject.c
@@ -0,0 +1,245 @@
+#include <sys/snapshot.h>
+#include <dlfcn.h>
+#include <sys/stat.h>
+#include <sys/mount.h>
+#include <copyfile.h>
+#include <spawn.h>
+#include <sys/utsname.h>
+#include <unistd.h>
+#include <libgen.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <dirent.h>
+#include <sys/sysctl.h>
+#include <mach-o/dyld.h>
+#include <sys/mman.h>
+#include <sys/param.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <mach/mach.h>
+#include "async_wake_ios/async_wake_ios/libjb.h"
+#include "patchfinder64.h"
+#include <kmem.h>
+ 
+mach_port_t tfp0 = MACH_PORT_NULL;
+ 
+void wk32(uint64_t kaddr, uint32_t val) {
+    if (tfp0 == MACH_PORT_NULL) {
+        printf("attempt to write to kernel memory before any kernel memory write primitives available\n");
+        sleep(3);
+        return;
+    }
+   
+    kern_return_t err;
+    err = mach_vm_write(tfp0,
+                        (mach_vm_address_t)kaddr,
+                        (vm_offset_t)&val,
+                        (mach_msg_type_number_t)sizeof(uint32_t));
+   
+    if (err != KERN_SUCCESS) {
+        printf("tfp0 write failed: %s %x\n", mach_error_string(err), err);
+        return;
+    }
+}
+ 
+void wk64(uint64_t kaddr, uint64_t val) {
+    uint32_t lower = (uint32_t)(val & 0xffffffff);
+    uint32_t higher = (uint32_t)(val >> 32);
+    wk32(kaddr, lower);
+    wk32(kaddr+4, higher);
+}
+ 
+uint32_t rk32(uint64_t kaddr) {
+    kern_return_t err;
+    uint32_t val = 0;
+    mach_vm_size_t outsize = 0;
+    err = mach_vm_read_overwrite(tfp0,
+                                 (mach_vm_address_t)kaddr,
+                                 (mach_vm_size_t)sizeof(uint32_t),
+                                 (mach_vm_address_t)&val,
+                                 &outsize);
+    if (err != KERN_SUCCESS){
+        printf("tfp0 read failed %s addr: 0x%llx err:%x port:%x\n", mach_error_string(err), kaddr, err, tfp0);
+        sleep(3);
+        return 0;
+    }
+   
+    if (outsize != sizeof(uint32_t)){
+        printf("tfp0 read was short (expected %lx, got %llx\n", sizeof(uint32_t), outsize);
+        sleep(3);
+        return 0;
+    }
+    return val;
+}
+ 
+uint64_t rk64(uint64_t kaddr) {
+    uint64_t lower = rk32(kaddr);
+    uint64_t higher = rk32(kaddr+4);
+    uint64_t full = ((higher<<32) | lower);
+    return full;
+}
+ 
+uint64_t kmem_alloc(uint64_t size) {
+    if (tfp0 == MACH_PORT_NULL) {
+        printf("attempt to allocate kernel memory before any kernel memory write primitives available\n");
+        sleep(3);
+        return 0;
+    }
+   
+    kern_return_t err;
+    mach_vm_address_t addr = 0;
+    mach_vm_size_t ksize = round_page_kernel(size);
+    err = mach_vm_allocate(tfp0, &addr, ksize, VM_FLAGS_ANYWHERE);
+    if (err != KERN_SUCCESS) {
+        printf("unable to allocate kernel memory via tfp0: %s %x\n", mach_error_string(err), err);
+        sleep(3);
+        return 0;
+    }
+    return addr;
+}
+ 
+// https://github.com/JonathanSeals/kernelversionhacker/blob/3dcbf59f316047a34737f393ff946175164bf03f/kernelversionhacker.c#L92
+ 
+#define IMAGE_OFFSET 0x2000
+#define MACHO_HEADER_MAGIC 0xfeedfacf
+#define MAX_KASLR_SLIDE 0x21000000
+#define KERNEL_SEARCH_ADDRESS 0xfffffff007004000
+ 
+#define ptrSize sizeof(uintptr_t)
+ 
+static vm_address_t get_kernel_base(mach_port_t tfp0)
+{
+    uint64_t addr = 0;
+    addr = KERNEL_SEARCH_ADDRESS+MAX_KASLR_SLIDE;
+   
+    while (1) {
+        char *buf;
+        mach_msg_type_number_t sz = 0;
+        kern_return_t ret = vm_read(tfp0, addr, 0x200, (vm_offset_t*)&buf, &sz);
+       
+        if (ret) {
+            goto next;
+        }
+       
+        if (*((uint32_t *)buf) == MACHO_HEADER_MAGIC) {
+            int ret = vm_read(tfp0, addr, 0x1000, (vm_offset_t*)&buf, &sz);
+            if (ret != KERN_SUCCESS) {
+                printf("Failed vm_read %i\n", ret);
+                goto next;
+            }
+           
+            for (uintptr_t i=addr; i < (addr+0x2000); i+=(ptrSize)) {
+                mach_msg_type_number_t sz;
+                int ret = vm_read(tfp0, i, 0x120, (vm_offset_t*)&buf, &sz);
+               
+                if (ret != KERN_SUCCESS) {
+                    printf("Failed vm_read %i\n", ret);
+                    exit(-1);
+                }
+                if (!strcmp(buf, "__text") && !strcmp(buf+0x10, "__PRELINK_TEXT")) {
+                    return addr;
+                }
+            }
+        }
+       
+    next:
+        addr -= 0x200000;
+    }
+}
+ 
+size_t
+kread(uint64_t where, void *p, size_t size)
+{
+    int rv;
+    size_t offset = 0;
+    while (offset < size) {
+        mach_vm_size_t sz, chunk = 2048;
+        if (chunk > size - offset) {
+            chunk = size - offset;
+        }
+        rv = mach_vm_read_overwrite(tfp0, where + offset, chunk, (mach_vm_address_t)p + offset, &sz);
+        if (rv || sz == 0) {
+            fprintf(stderr, "[e] error reading kernel @%p\n", (void *)(offset + where));
+            break;
+        }
+        offset += sz;
+    }
+    return offset;
+}
+ 
+size_t
+kwrite(uint64_t where, const void *p, size_t size)
+{
+    int rv;
+    size_t offset = 0;
+    while (offset < size) {
+        size_t chunk = 2048;
+        if (chunk > size - offset) {
+            chunk = size - offset;
+        }
+        rv = mach_vm_write(tfp0, where + offset, (mach_vm_offset_t)p + offset, (mach_msg_type_number_t)chunk);
+        if (rv) {
+            fprintf(stderr, "[e] error writing kernel @%p\n", (void *)(offset + where));
+            break;
+        }
+        offset += chunk;
+    }
+    return offset;
+}
+ 
+mach_port_t try_restore_port() {
+    mach_port_t port = MACH_PORT_NULL;
+    kern_return_t err;
+    err = host_get_special_port(mach_host_self(), 0, 4, &port);
+    if (err == KERN_SUCCESS && port != MACH_PORT_NULL) {
+        printf("got persisted port!\n");
+        // make sure rk64 etc use this port
+        return port;
+    }
+    printf("unable to retrieve persisted port\n");
+    return MACH_PORT_NULL;
+}
+ 
+int injectTrustCache(int argc, char* argv[], uint64_t trust_chain, uint64_t amficache) {
+    printf("Injecting to trust cache...\n");
+    struct trust_mem mem;
+    size_t length = 0;
+    uint64_t kernel_trust = 0;
+   
+    mem.next = rk64(trust_chain);
+    *(uint64_t *)&mem.uuid[0] = 0xabadbabeabadbabe;
+    *(uint64_t *)&mem.uuid[8] = 0xabadbabeabadbabe;
+   
+    for (int i = 1; i < argc; i++) {
+        int rv = grab_hashes(argv[i], kread, amficache, mem.next);
+        if (rv) {
+            printf("Failed to inject to trust cache.\n");
+            return -1;
+        }
+    }
+   
+    length = (sizeof(mem) + numhash * 20 + 0xFFFF) & ~0xFFFF;
+    kernel_trust = kmem_alloc(length);
+    printf("alloced: 0x%zx => 0x%llx\n", length, kernel_trust);
+   
+    mem.count = numhash;
+    kwrite(kernel_trust, &mem, sizeof(mem));
+    kwrite(kernel_trust + sizeof(mem), allhash, numhash * 20);
+    wk64(trust_chain, kernel_trust);
+    printf("Successfully injected to trust cache.\n");
+    return 0;
+}
+ 
+int main(int argc, char* argv[]) {
+    if (argc < 2) {
+        fprintf(stderr,"Usage: inject /full/path/to/executable\n");
+        fprintf(stderr,"Inject executables to trust cache\n");
+        return -1;
+    }
+    tfp0 = try_restore_port();
+    uint64_t kernel_base = get_kernel_base(tfp0);
+    init_kernel(kernel_base, NULL);
+    uint64_t trust_chain = find_trustcache();
+    uint64_t amficache = find_amficache();
+    term_kernel();
+    return injectTrustCache(argc, argv, trust_chain, amficache);
+}