From 487bdd105d823d597ebad88391e306988c5e9870 Mon Sep 17 00:00:00 2001
From: Sam Bingner
Date: Fri, 29 Mar 2019 22:39:28 -1000
Subject: Update for new in-kernel offset cache
---
 .gitmodules | 3 +++
 Makefile | 4 ++--
 control | 2 +-
 kern_funcs.c | 1 -
 kern_funcs.h | 25 +++-------------------
 main.m | 70 +++++++++++++++++++++++++++++++++++++++---------------------
 offset-cache | 1 +
 7 files changed, 56 insertions(+), 50 deletions(-)
 create mode 160000 offset-cache
diff --git a/.gitmodules b/.gitmodules
index 8cafbbc..82056c8 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,6 @@
 [submodule "patchfinder64"]
 path = patchfinder64
 url = git@github.com:sbingner/patchfinder64.git
+[submodule "offset-cache"]
+ path = offset-cache
+ url = git@github.com:sbingner/offset-cache.git
diff --git a/Makefile b/Makefile
index 86c2eb2..1f80c82 100644
--- a/Makefile
+++ b/Makefile
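Review bot: The new submodule entry uses an SSH URL (`git@github.com:sbingner/offset-cache.git`), as the existing patchfinder64 entry does, so a clone from a machine without a GitHub key cannot fetch it and the build breaks at the first `offsetcache.h` include; `url = https://github.com/sbingner/offset-cache.git` (or a relative `../offset-cache.git`) works for anonymous clones as well. The subproject is pinned to a specific commit later in this patch, so the switch does not change what gets built.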
@@ -5,9 +5,9 @@ include $(THEOS)/makefiles/common.mk
 TOOL_NAME = inject
 inject_CODESIGN_FLAGS = -Sentitlements.xml
-inject_CFLAGS += -I. -I./patchfinder64 -I./kernel_call -Wno-unused-variable -Wno-unused-function -Wno-unused-label
+inject_CFLAGS += -I. -Ipatchfinder64 -Ikernel_call -Ioffset-cache -Wno-unused-variable -Wno-unused-function -Wno-unused-label
 inject_LIBRARIES = mis
 inject_FRAMEWORKS = Foundation CoreFoundation IOKit Security
-inject_FILES = main.m inject.m patchfinder64/patchfinder64.c kern_funcs.c kernel_call/kc_parameters.c kernel_call/kernel_alloc.c kernel_call/kernel_call.c kernel_call/kernel_memory.c kernel_call/kernel_slide.c kernel_call/log.c kernel_call/pac.c kernel_call/parameters.c kernel_call/platform_match.c kernel_call/platform.c kernel_call/user_client.c
+inject_FILES = main.m inject.m patchfinder64/patchfinder64.c kern_funcs.c kernel_call/kc_parameters.c kernel_call/kernel_alloc.c kernel_call/kernel_call.c kernel_call/kernel_memory.c kernel_call/kernel_slide.c kernel_call/log.c kernel_call/pac.c kernel_call/parameters.c kernel_call/platform_match.c kernel_call/platform.c kernel_call/user_client.c offset-cache/offsetcache.c
 include $(THEOS_MAKE_PATH)/tool.mk
diff --git a/control b/control
index c68b069..807ab3b 100644
--- a/control
+++ b/control
@@ -1,6 +1,6 @@
 Package: trustinjector
 Name: Trust Cache Injector
-Version: 0.4~b4
+Version: 0.4~b5
 Architecture: iphoneos-arm
 Description: Inject files to kernel trust cache
 Maintainer: Sam Bingner
diff --git a/kern_funcs.c b/kern_funcs.c
index c701cb3..8c09684 100644
--- a/kern_funcs.c
+++ b/kern_funcs.c
@@ -25,7 +25,6 @@
 #include "kc_parameters.h"
 #include "kernel_memory.h"
-offsets_t offs;
 uint64_t kernel_base;
 static mach_port_t tfp0=MACH_PORT_NULL;
 size_t kread(uint64_t where, void *p, size_t size);
diff --git a/kern_funcs.h b/kern_funcs.h
index e97e13a..bbeb5a0 100644
--- a/kern_funcs.h
+++ b/kern_funcs.h
@@ -1,29 +1,10 @@
 #ifndef _KERN_FUNCS_H_
 #define _KERN_FUNCS_H_
+#include
-#define SETOFFSET(offset, val) (offs.offset = val)
-#define GETOFFSET(offset) offs.offset
+#define SETOFFSET(offset, val) set_offset(#offset, val)
+#define GETOFFSET(offset) get_offset(#offset)
-typedef struct {
- uint64_t trustcache;
- uint64_t kernel_task;
- uint64_t pmap_load_trust_cache;
- uint64_t paciza_pointer__l2tp_domain_module_start;
- uint64_t paciza_pointer__l2tp_domain_module_stop;
- uint64_t l2tp_domain_inited;
- uint64_t sysctl__net_ppp_l2tp;
- uint64_t sysctl_unregister_oid;
- uint64_t mov_x0_x4__br_x5;
- uint64_t mov_x9_x0__br_x1;
- uint64_t mov_x10_x3__br_x6;
- uint64_t kernel_forge_pacia_gadget;
- uint64_t kernel_forge_pacda_gadget;
- uint64_t IOUserClient__vtable;
- uint64_t IORegistryEntry__getRegistryEntryID;
- uint64_t pmap_loaded_trust_caches;
-} offsets_t;
-
-extern offsets_t offs;
 extern uint64_t kernel_base;
 extern uint64_t kernel_slide;
diff --git a/main.m b/main.m
index 0afddec..a4095d1 100644
--- a/main.m
+++ b/main.m
@@ -10,7 +10,8 @@
 #include
 #include
 #include
-#include "patchfinder64/patchfinder64.h"
+#include
+#include
 #include "CSCommon.h"
 #include "kern_funcs.h"
 #include "inject.h"
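Review bot: The new `SETOFFSET`/`GETOFFSET` macros stringize the offset name (`#offset`) and resolve it at runtime through `set_offset`/`get_offset`, so a misspelled name that previously failed to compile as a missing `offsets_t` member now compiles and is only a silent lookup miss; the header should say so next to the macros, e.g. `/* Offsets are keyed by their stringized name; a typo is a runtime miss, not a compile error — what get_offset returns for an unknown key is defined by the offset-cache library. */`. The removed struct also had a `pmap_loaded_trust_caches` member that no `SETOFFSET` in this patch populates, so any `GETOFFSET(pmap_loaded_trust_caches)` caller elsewhere in the tree now depends entirely on the in-kernel cache supplying that key; worth confirming that it does. The `+#include` line shows no header name on this page, presumably an angle-bracket include lost in rendering, so the declarations of `set_offset`/`get_offset` cannot be checked from here.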
@@ -46,31 +47,52 @@ int main(int argc, char* argv[]) {
 set_tfp0(tfp0);
 struct task_dyld_info dyld_info = { 0 };
 mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
- if (task_info(tfp0, TASK_DYLD_INFO, (task_info_t)&dyld_info, &count) != KERN_SUCCESS ||
- (kernel_base = dyld_info.all_image_info_addr) == 0) {
+ if (task_info(tfp0, TASK_DYLD_INFO, (task_info_t)&dyld_info, &count) == 0 &&
+ dyld_info.all_image_info_addr != 0 &&
+ dyld_info.all_image_info_addr != dyld_info.all_image_info_size + 0xfffffff007004000) {
+
+ size_t blob_size = rk64(dyld_info.all_image_info_addr);
+ struct cache_blob *blob = create_cache_blob(blob_size);
+ if (kread(dyld_info.all_image_info_addr, blob, blob_size)) import_cache_blob(blob);
+ free(blob);
+ if (get_offset("kernel_slide") == kernel_slide) {
+#ifdef DEBUG
+ print_cache();
+#endif
+ if (get_offset("kernel_base")) {
+ kernel_base = get_offset("kernel_base");
+ } else {
+ kernel_base = dyld_info.all_image_info_size + 0xfffffff007004000;
+ }
+ }
+ } else if ((kernel_base = dyld_info.all_image_info_addr) != 0) {
+ kernel_slide = dyld_info.all_image_info_size;
+ @autoreleasepool {
+ NSMutableDictionary *offsets = [NSMutableDictionary dictionaryWithContentsOfFile:@"/jb/offsets.plist"];
+ SETOFFSET(trustcache, (uint64_t)strtoull([offsets[@"TrustChain"] UTF8String], NULL, 16));
+#if __arm64e__
+ SETOFFSET(kernel_task, (uint64_t)strtoull([offsets[@"KernelTask"] UTF8String], NULL, 16));
+ // We should use this on other things but kexecute is broken for i6 at least
+ SETOFFSET(pmap_load_trust_cache, (uint64_t)strtoull([offsets[@"PmapLoadTrustCache"] UTF8String], NULL, 16));
+ SETOFFSET(paciza_pointer__l2tp_domain_module_start, (uint64_t)strtoull([offsets[@"PacizaPointerL2TPDomainModuleStart"] UTF8String], NULL, 16));
+ SETOFFSET(paciza_pointer__l2tp_domain_module_stop, (uint64_t)strtoull([offsets[@"PacizaPointerL2TPDomainModuleStop"] UTF8String], NULL, 16));
+ SETOFFSET(l2tp_domain_inited, (uint64_t)strtoull([offsets[@"L2TPDomainInited"] UTF8String], NULL, 16));
+ SETOFFSET(sysctl__net_ppp_l2tp, (uint64_t)strtoull([offsets[@"SysctlNetPPPL2TP"] UTF8String], NULL, 16));
+ SETOFFSET(sysctl_unregister_oid, (uint64_t)strtoull([offsets[@"SysctlUnregisterOid"] UTF8String], NULL, 16));
+ SETOFFSET(mov_x0_x4__br_x5, (uint64_t)strtoull([offsets[@"MovX0X4BrX5"] UTF8String], NULL, 16));
+ SETOFFSET(mov_x9_x0__br_x1, (uint64_t)strtoull([offsets[@"MovX9X0BrX1"] UTF8String], NULL, 16));
+ SETOFFSET(mov_x10_x3__br_x6, (uint64_t)strtoull([offsets[@"MovX10X3BrX6"] UTF8String], NULL, 16));
+ SETOFFSET(kernel_forge_pacia_gadget, (uint64_t)strtoull([offsets[@"KernelForgePaciaGadget"] UTF8String], NULL, 16));
+ SETOFFSET(kernel_forge_pacda_gadget, (uint64_t)strtoull([offsets[@"KernelForgePacdaGadget"] UTF8String], NULL, 16));
+ SETOFFSET(IOUserClient__vtable, (uint64_t)strtoull([offsets[@"IOUserClientVtable"] UTF8String], NULL, 16));
+ SETOFFSET(IORegistryEntry__getRegistryEntryID, (uint64_t)strtoull([offsets[@"IORegistryEntryGetRegistryEntryID"] UTF8String], NULL, 16));
+#endif
+ }
+ } else {
 return -3;
 }
- kernel_slide = dyld_info.all_image_info_size;
- @autoreleasepool {
- NSMutableDictionary *offsets = [NSMutableDictionary dictionaryWithContentsOfFile:@"/jb/offsets.plist"];
- SETOFFSET(trustcache, (uint64_t)strtoull([offsets[@"TrustChain"] UTF8String], NULL, 16));
 #if __arm64e__
- SETOFFSET(kernel_task, (uint64_t)strtoull([offsets[@"KernelTask"] UTF8String], NULL, 16));
- // We should use this on other things but kexecute is broken for i6 at least
- SETOFFSET(pmap_load_trust_cache, (uint64_t)strtoull([offsets[@"PmapLoadTrustCache"] UTF8String], NULL, 16));
 if (GETOFFSET(pmap_load_trust_cache)) pmap_load_trust_cache = _pmap_load_trust_cache;
- SETOFFSET(paciza_pointer__l2tp_domain_module_start, (uint64_t)strtoull([offsets[@"PacizaPointerL2TPDomainModuleStart"] UTF8String], NULL, 16));
- SETOFFSET(paciza_pointer__l2tp_domain_module_stop, (uint64_t)strtoull([offsets[@"PacizaPointerL2TPDomainModuleStop"] UTF8String], NULL, 16));
- SETOFFSET(l2tp_domain_inited, (uint64_t)strtoull([offsets[@"L2TPDomainInited"] UTF8String], NULL, 16));
- SETOFFSET(sysctl__net_ppp_l2tp, (uint64_t)strtoull([offsets[@"SysctlNetPPPL2TP"] UTF8String], NULL, 16));
- SETOFFSET(sysctl_unregister_oid, (uint64_t)strtoull([offsets[@"SysctlUnregisterOid"] UTF8String], NULL, 16));
- SETOFFSET(mov_x0_x4__br_x5, (uint64_t)strtoull([offsets[@"MovX0X4BrX5"] UTF8String], NULL, 16));
- SETOFFSET(mov_x9_x0__br_x1, (uint64_t)strtoull([offsets[@"MovX9X0BrX1"] UTF8String], NULL, 16));
- SETOFFSET(mov_x10_x3__br_x6, (uint64_t)strtoull([offsets[@"MovX10X3BrX6"] UTF8String], NULL, 16));
- SETOFFSET(kernel_forge_pacia_gadget, (uint64_t)strtoull([offsets[@"KernelForgePaciaGadget"] UTF8String], NULL, 16));
- SETOFFSET(kernel_forge_pacda_gadget, (uint64_t)strtoull([offsets[@"KernelForgePacdaGadget"] UTF8String], NULL, 16));
- SETOFFSET(IOUserClient__vtable, (uint64_t)strtoull([offsets[@"IOUserClientVtable"] UTF8String], NULL, 16));
- SETOFFSET(IORegistryEntry__getRegistryEntryID, (uint64_t)strtoull([offsets[@"IORegistryEntryGetRegistryEntryID"] UTF8String], NULL, 16));
 parameters_init();
 kernel_task_port = tfp0;
 current_task = rk64(task_self_addr() + OFFSET(ipc_port, ip_kobject));
@@ -89,8 +111,8 @@ int main(int argc, char* argv[]) {
 } else {
 printf("Successfully injected [%d/%d] to trust cache.\n", (int)files.count - errs, (int)files.count);
 }
+#if __arm64e__
 kernel_call_deinit();
-
+#endif
 return errs;
- }
 }
diff --git a/offset-cache b/offset-cache
new file mode 160000
index 0000000..e4bb111
--- /dev/null
+++ b/offset-cache
@@ -0,0 +1 @@
+Subproject commit e4bb1114e574795b7097783edf556a2626eb685e
--
cgit v1.2.3