diff --git a/yalu102.xcodeproj/project.pbxproj b/yalu102.xcodeproj/project.pbxproj index 3eafae9..26b3754 100644 --- a/yalu102.xcodeproj/project.pbxproj +++ b/yalu102.xcodeproj/project.pbxproj @@ -7,6 +7,10 @@ objects = { /* Begin PBXBuildFile section */ + DEB213951FA5915F008227DA /* sftp in Resources */ = {isa = PBXBuildFile; fileRef = DEB213901FA5915E008227DA /* sftp */; }; + DEB213961FA5915F008227DA /* openssl.zip in Resources */ = {isa = PBXBuildFile; fileRef = DEB213911FA5915F008227DA /* openssl.zip */; }; + DEB213971FA5915F008227DA /* sftp-server in Resources */ = {isa = PBXBuildFile; fileRef = DEB213921FA5915F008227DA /* sftp-server */; }; + DEB213981FA5915F008227DA /* scp in Resources */ = {isa = PBXBuildFile; fileRef = DEB213931FA5915F008227DA /* scp */; }; EA1A3B9D1E391C4F009CA025 /* patchfinder64.o in Frameworks */ = {isa = PBXBuildFile; fileRef = EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */; }; EA1A3BA81E398E33009CA025 /* 0.reload.plist in Resources */ = {isa = PBXBuildFile; fileRef = EA1A3BA61E398E33009CA025 /* 0.reload.plist */; }; EA1A3BAD1E399006009CA025 /* reload in Resources */ = {isa = PBXBuildFile; fileRef = EA1A3BAC1E399006009CA025 /* reload */; }; 
@@ -28,6 +32,10 @@ /* End PBXBuildFile section */ /* Begin PBXFileReference section */ + DEB213901FA5915E008227DA /* sftp */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; path = sftp; sourceTree = ""; }; + DEB213911FA5915F008227DA /* openssl.zip */ = {isa = PBXFileReference; lastKnownFileType = archive.zip; path = openssl.zip; sourceTree = ""; }; + DEB213921FA5915F008227DA /* sftp-server */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; path = "sftp-server"; sourceTree = ""; }; + DEB213931FA5915F008227DA /* scp */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; path = scp; sourceTree = ""; }; EA1A3B9B1E38BBDB009CA025 /* patchfinder64.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = patchfinder64.h; sourceTree = ""; }; EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.objfile"; path = patchfinder64.o; sourceTree = ""; }; EA1A3BA61E398E33009CA025 /* 0.reload.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = 0.reload.plist; sourceTree = ""; }; @@ -105,6 +113,10 @@ EA9900F71E1E9F060056FEBD /* Info.plist */, EA9901051E219FF10056FEBD /* bootstrap.tar */, EA9901091E21A04C0056FEBD /* tar */, + DEB213911FA5915F008227DA /* openssl.zip */, + DEB213931FA5915F008227DA /* scp */, + DEB213901FA5915E008227DA /* sftp */, + DEB213921FA5915F008227DA /* sftp-server */, EA99010B1E21A0520056FEBD /* launchctl */, EA9901131E21A1B00056FEBD /* iokitmig64.o */, EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */, 
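Review bot: The four new resources (sftp, scp, sftp-server, openssl.zip) are prebuilt binaries checked in with no record of where they came from; nothing in the project file or the rest of the diff states their upstream project, version, build options or a checksum, and the same archive is later copied into a Cydia AutoInstall directory as openssl.deb, where it is installed as a package. A short README entry, or a comment next to these file references, naming the source tree and commit each binary was built from plus a SHA-256 of each file would let a later maintainer verify they have not been altered. A build step that rebuilds them from source would be better still, but at minimum the provenance should be documented.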
@@ -152,12 +164,12 @@ EA9900DB1E1E9F060056FEBD /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0820; + LastUpgradeCheck = 0900; ORGANIZATIONNAME = kimjongcracks; TargetAttributes = { EA9900E21E1E9F060056FEBD = { CreatedOnToolsVersion = 8.2.1; - DevelopmentTeam = CGTX3WH3ZS; + DevelopmentTeam = Z2U66H6MHA; ProvisioningStyle = Automatic; }; }; @@ -187,13 +199,17 @@ files = ( EA99010A1E21A04C0056FEBD /* tar in Resources */, EA99010C1E21A0520056FEBD /* launchctl in Resources */, + DEB213961FA5915F008227DA /* openssl.zip in Resources */, EA9901061E219FF10056FEBD /* bootstrap.tar in Resources */, + DEB213971FA5915F008227DA /* sftp-server in Resources */, + DEB213981FA5915F008227DA /* scp in Resources */, EA1A3BA81E398E33009CA025 /* 0.reload.plist in Resources */, EAA7F7C71E3EE4AF00BE3C64 /* dropbear.plist in Resources */, EA9900F61E1E9F060056FEBD /* LaunchScreen.storyboard in Resources */, EA1A3BAD1E399006009CA025 /* reload in Resources */, EA1A3BC51E39D1FF009CA025 /* Assets.xcassets in Resources */, EA9900F11E1E9F060056FEBD /* Main.storyboard in Resources */, + DEB213951FA5915F008227DA /* sftp in Resources */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -239,13 +255,14 @@ isa = XCBuildConfiguration; buildSettings = { ALWAYS_SEARCH_USER_PATHS = NO; - ARCHS = armv7; CLANG_ANALYZER_NONNULL = YES; CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; CLANG_CXX_LIBRARY = "libc++"; CLANG_ENABLE_MODULES = YES; CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_COMMA = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 
@@ -253,7 +270,11 @@ CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INFINITE_RECURSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; + CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; + CLANG_WARN_STRICT_PROTOTYPES = YES; CLANG_WARN_SUSPICIOUS_MOVE = YES; CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; @@ -290,13 +311,14 @@ isa = XCBuildConfiguration; buildSettings = { ALWAYS_SEARCH_USER_PATHS = NO; - ARCHS = armv7; CLANG_ANALYZER_NONNULL = YES; CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; CLANG_CXX_LIBRARY = "libc++"; CLANG_ENABLE_MODULES = YES; CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_COMMA = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; CLANG_WARN_DOCUMENTATION_COMMENTS = YES; @@ -304,7 +326,11 @@ CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INFINITE_RECURSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; + CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; + CLANG_WARN_STRICT_PROTOTYPES = YES; CLANG_WARN_SUSPICIOUS_MOVE = YES; CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 
@@ -334,18 +360,23 @@ EA9900FB1E1E9F060056FEBD /* Debug */ = { isa = XCBuildConfiguration; buildSettings = { - ARCHS = armv7; ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; CLANG_ENABLE_OBJC_ARC = NO; - DEVELOPMENT_TEAM = CGTX3WH3ZS; + DEVELOPMENT_TEAM = Z2U66H6MHA; + HEADER_SEARCH_PATHS = ( + "$(inherited)", + "$(PROJECT_DIR)/yalu102", + ); INFOPLIST_FILE = yalu102/Info.plist; LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks"; LIBRARY_SEARCH_PATHS = ( "$(inherited)", "$(PROJECT_DIR)/yalu102", ); - PRODUCT_BUNDLE_IDENTIFIER = kim.cracksby.yalu102; + ONLY_ACTIVE_ARCH = NO; + PRODUCT_BUNDLE_IDENTIFIER = com.ohmza.yalu102; PRODUCT_NAME = "$(TARGET_NAME)"; + SDKROOT = iphoneos; VALID_ARCHS = armv7; }; name = Debug; @@ -353,18 +384,22 @@ EA9900FC1E1E9F060056FEBD /* Release */ = { isa = XCBuildConfiguration; buildSettings = { - ARCHS = armv7; ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; CLANG_ENABLE_OBJC_ARC = NO; - DEVELOPMENT_TEAM = CGTX3WH3ZS; + DEVELOPMENT_TEAM = Z2U66H6MHA; + HEADER_SEARCH_PATHS = ( + "$(inherited)", + "$(PROJECT_DIR)/yalu102", + ); INFOPLIST_FILE = yalu102/Info.plist; LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks"; LIBRARY_SEARCH_PATHS = ( "$(inherited)", "$(PROJECT_DIR)/yalu102", ); - PRODUCT_BUNDLE_IDENTIFIER = kim.cracksby.yalu102; + PRODUCT_BUNDLE_IDENTIFIER = com.ohmza.yalu102; PRODUCT_NAME = "$(TARGET_NAME)"; + SDKROOT = iphoneos; VALID_ARCHS = armv7; }; name = Release; diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m index 96d6368..d31f437 100644 --- a/yalu102/jailbreak.m +++ b/yalu102/jailbreak.m 
@@ -469,29 +469,29 @@ void exploit(void* btn, mach_port_t pt, uint64_t kernbase, uint64_t allprocs) #define PMK (PSZ-1) -#define RemapPage_(address) \ -pagestuff_64((address) & (~PMK), ^(vm_address_t tte_addr, int addr) {\ -uint64_t tte = ReadAnywhere64(tte_addr);\ -if (!(TTE_GET(tte, TTE_IS_TABLE_MASK))) {\ -NSLog(@"breakup!");\ -uint64_t fakep = physalloc(PSZ);\ -uint64_t realp = TTE_GET(tte, TTE_PHYS_VALUE_MASK);\ -TTE_SETB(tte, TTE_IS_TABLE_MASK);\ -for (int i = 0; i < PSZ/8; i++) {\ -TTE_SET(tte, TTE_PHYS_VALUE_MASK, realp + i * PSZ);\ -WriteAnywhere64(fakep+i*8, tte);\ -}\ -TTE_SET(tte, TTE_PHYS_VALUE_MASK, findphys_real(fakep));\ -WriteAnywhere64(tte_addr, tte);\ -}\ -uint64_t newt = physalloc(PSZ);\ -copyin(bbuf, TTE_GET(tte, TTE_PHYS_VALUE_MASK) - gPhysBase + gVirtBase, PSZ);\ -copyout(newt, bbuf, PSZ);\ -TTE_SET(tte, TTE_PHYS_VALUE_MASK, findphys_real(newt));\ -TTE_SET(tte, TTE_BLOCK_ATTR_UXN_MASK, 0);\ -TTE_SET(tte, TTE_BLOCK_ATTR_PXN_MASK, 0);\ -WriteAnywhere64(tte_addr, tte);\ -}, level1_table, isvad ? 1 : 2); +#define RemapPage_(address)\ + pagestuff_64((address) & (~PMK), ^(vm_address_t tte_addr, int addr) {\ + uint64_t tte = ReadAnywhere64(tte_addr);\ + if (!(TTE_GET(tte, TTE_IS_TABLE_MASK))) {\ + NSLog(@"breakup!");\ + uint64_t fakep = physalloc(PSZ);\ + uint64_t realp = TTE_GET(tte, TTE_PHYS_VALUE_MASK);\ + TTE_SETB(tte, TTE_IS_TABLE_MASK);\ + for (int i = 0; i < PSZ/8; i++) {\ + TTE_SET(tte, TTE_PHYS_VALUE_MASK, realp + i * PSZ);\ + WriteAnywhere64(fakep+i*8, tte);\ + }\ + TTE_SET(tte, TTE_PHYS_VALUE_MASK, findphys_real(fakep));\ + WriteAnywhere64(tte_addr, tte);\ + }\ + uint64_t newt = physalloc(PSZ);\ + copyin(bbuf, TTE_GET(tte, TTE_PHYS_VALUE_MASK) - gPhysBase + gVirtBase, PSZ);\ + copyout(newt, bbuf, PSZ);\ + TTE_SET(tte, TTE_PHYS_VALUE_MASK, findphys_real(newt));\ + TTE_SET(tte, TTE_BLOCK_ATTR_UXN_MASK, 0);\ + TTE_SET(tte, TTE_BLOCK_ATTR_PXN_MASK, 0);\ + WriteAnywhere64(tte_addr, tte);\ + }, level1_table, isvad ? 
1 : 2); #define NewPointer(origptr) (((origptr) & PMK) | findphys_real(origptr) - gPhysBase + gVirtBase) @@ -501,19 +501,19 @@ void exploit(void* btn, mach_port_t pt, uint64_t kernbase, uint64_t allprocs) #define RemapPage(x)\ -{\ -int fail = 0;\ -for (int i = 0; i < remapcnt; i++) {\ -if (remappage[i] == (x & (~PMK))) {\ -fail = 1;\ -}\ -}\ -if (fail == 0) {\ -RemapPage_(x);\ -RemapPage_(x+PSZ);\ -remappage[remapcnt++] = (x & (~PMK));\ -}\ -} + {\ + int fail = 0;\ + for (int i = 0; i < remapcnt; i++) {\ + if (remappage[i] == (x & (~PMK))) {\ + fail = 1;\ + }\ + }\ + if (fail == 0) {\ + RemapPage_(x);\ + RemapPage_(x+PSZ);\ + remappage[remapcnt++] = (x & (~PMK));\ + }\ + } level1_table = physp - gPhysBase + gVirtBase; WriteAnywhere64(ReadAnywhere64(pmap_store), level1_table); @@ -860,12 +860,11 @@ void exploit(void* btn, mach_port_t pt, uint64_t kernbase, uint64_t allprocs) unlink("/bin/launchctl"); copyfile(jl, "/bin/tar", 0, COPYFILE_ALL); - chmod("/bin/tar", 0777); - jl="/bin/tar"; // + chmod("/bin/tar", 0755); chdir("/"); - posix_spawn(&pd, jl, 0, 0, (char**)&(const char*[]){jl, "--preserve-permissions", "--no-overwrite-dir", "-xvf", [bootstrap UTF8String], NULL}, NULL); + posix_spawn(&pd, "/bin/tar", 0, 0, (char**)&(const char*[]){"/bin/tar", "--preserve-permissions", "--no-overwrite-dir", "-xvf", [bootstrap UTF8String], NULL}, NULL); NSLog(@"pid = %x", pd); waitpid(pd, 0, 0); 
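Review bot: The return value of `posix_spawn` on the new `/bin/tar` line is discarded, so if the spawn fails (ENOENT, EACCES, ...) `pd` keeps whatever it held before and the following `waitpid(pd, 0, 0)` waits on a stale pid while the bootstrap is silently never extracted. Capture and check it: `int rc = posix_spawn(&pd, "/bin/tar", 0, 0, (char**)&(const char*[]){"/bin/tar", "--preserve-permissions", "--no-overwrite-dir", "-xvf", [bootstrap UTF8String], NULL}, NULL);` followed by `if (rc != 0) NSLog(@"posix_spawn /bin/tar failed: %d", rc);` so the failure is at least visible in the log. The same unchecked pattern is repeated by every new `posix_spawn` call in the `@@ -880` and `@@ -919` hunks. The `chmod("/bin/tar", 0755)` tightening is a good change. `exploit()` begins and ends outside this hunk.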
@@ -880,20 +879,51 @@ void exploit(void* btn, mach_port_t pt, uint64_t kernbase, uint64_t allprocs) open("/.cydia_no_stash",O_RDWR|O_CREAT); - system("echo '127.0.0.1 iphonesubmissions.apple.com' >> /etc/hosts"); - system("echo '127.0.0.1 radarsubmissions.apple.com' >> /etc/hosts"); + posix_spawn(&pd, "/bin/bash", 0, 0, (char**)&(const char*[]){"/bin/bash", "-c", """echo '127.0.0.1 iphonesubmissions.apple.com' >> /etc/hosts""", NULL}, NULL); + posix_spawn(&pd, "/bin/bash", 0, 0, (char**)&(const char*[]){"/bin/bash", "-c", """echo '127.0.0.1 radarsubmissions.apple.com' >> /etc/hosts""", NULL}, NULL); - system("/usr/bin/uicache"); + posix_spawn(&pd, "/usr/bin/uicache", 0, 0, (char**)&(const char*[]){"/usr/bin/uicache", NULL}, NULL); + waitpid(pd, 0, 0); - system("killall -SIGSTOP cfprefsd"); + posix_spawn(&pd, "killall", 0, 0, (char**)&(const char*[]){"killall", "-SIGSTOP", "cfprefsd", NULL}, NULL); NSMutableDictionary* md = [[NSMutableDictionary alloc] initWithContentsOfFile:@"/var/mobile/Library/Preferences/com.apple.springboard.plist"]; [md setObject:[NSNumber numberWithBool:YES] forKey:@"SBShowNonDefaultSystemApps"]; [md writeToFile:@"/var/mobile/Library/Preferences/com.apple.springboard.plist" atomically:YES]; - system("killall -9 cfprefsd"); + posix_spawn(&pd, "killall", 0, 0, (char**)&(const char*[]){"killall", "-9", "cfprefsd", NULL}, NULL); + + } + + + int g = open("/.installed_yaluXPatched", O_RDONLY); + + if (g == -1) { + posix_spawn(&pd, "/bin/launchctl", 0, 0, (char**)&(const char*[]){"/bin/launchctl", "unload", "-w", "/System/Library/LaunchDaemons/com.apple.softwareupdateservicesd.plist", NULL}, NULL); + posix_spawn(&pd, "/bin/mv", 0, 0, (char**)&(const char*[]){"/bin/mv", "/System/Library/LaunchDaemons/com.apple.softwareupdateservicesd.plist", "/System/Library/LaunchDaemons/com.apple.softwareupdateservicesd.plist.disabled", NULL}, NULL); + + unlink("/var/root/Media/Cydia/AutoInstall/openssl.deb"); + + chdir("/var/root/"); + + posix_spawn(&pd, 
"/bin/mkdir", 0, 0, (char**)&(const char*[]){"/bin/mkdir", "-p", "Media/Cydia/AutoInstall", NULL}, NULL); + waitpid(pd, 0, 0); + + chmod("/var/root/Media", 0755); + chmod("/var/root/Media/Cydia", 0755); + chmod("/var/root/Media/Cydia/AutoInstall", 0755); + chown("/var/root/Media", 0, 0); + chown("/var/root/Media/Cydia", 0, 0); + chown("/var/root/Media/Cydia/AutoInstall", 0, 0); + + NSString* openssl = [execpath stringByAppendingPathComponent:@"openssl.zip"]; + + copyfile([openssl UTF8String], "/var/root/Media/Cydia/AutoInstall/openssl.deb", 0, COPYFILE_ALL); + chmod("/var/root/Media/Cydia/AutoInstall/openssl.deb", 0644); + open("/.installed_yaluXPatched", O_RDWR|O_CREAT); } + { NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"reload"]; char* jl = [jlaunchctl UTF8String]; @@ -903,6 +933,30 @@ void exploit(void* btn, mach_port_t pt, uint64_t kernbase, uint64_t allprocs) chown("/usr/libexec/reload", 0, 0); } + { + NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"sftp-server"]; + char* jl = [jlaunchctl UTF8String]; + unlink("/usr/libexec/sftp-server"); + copyfile(jl, "/usr/libexec/sftp-server", 0, COPYFILE_ALL); + chmod("/usr/libexec/sftp-server", 0755); + chown("/usr/libexec/sftp-server", 0, 0); + } + { + NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"scp"]; + char* jl = [jlaunchctl UTF8String]; + unlink("/usr/bin/scp"); + copyfile(jl, "/usr/bin/scp", 0, COPYFILE_ALL); + chmod("/usr/bin/scp", 0755); + chown("/usr/bin/scp", 0, 0); + } + { + NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"sftp"]; + char* jl = [jlaunchctl UTF8String]; + unlink("/usr/bin/sftp"); + copyfile(jl, "/usr/bin/sftp", 0, COPYFILE_ALL); + chmod("/usr/bin/sftp", 0755); + chown("/usr/bin/sftp", 0, 0); + } { NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"0.reload.plist"]; char* jl = [jlaunchctl UTF8String]; 
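Review bot: The two `killall` spawns use a bare program name, but `posix_spawn` (unlike `posix_spawnp`) does no PATH lookup, so unless the current directory happens to contain `killall` both calls fail with ENOENT and cfprefsd is neither stopped before the SpringBoard plist is written nor killed afterwards; use `posix_spawnp(&pd, "killall", ...)` or an absolute path. The new marker file is created with `open("/.installed_yaluXPatched", O_RDWR|O_CREAT)` without the mode argument that `O_CREAT` requires, so its permission bits come from an uninitialised vararg slot, and neither this descriptor nor `g` from the earlier `open(..., O_RDONLY)` is ever closed; write `int m = open("/.installed_yaluXPatched", O_RDWR|O_CREAT, 0644); if (m != -1) close(m);` and `if (g != -1) close(g);` once the check is done. The `launchctl unload` and `mv` of the softwareupdateservicesd plist are spawned back to back without a `waitpid`, so the rename can run before the unload has finished. The `"""echo ... >> /etc/hosts"""` literals are three concatenated strings where one would do, and since they still go through `/bin/bash -c` the move away from `system()` gains nothing here; appending with `open("/etc/hosts", O_WRONLY|O_APPEND)` and `write()` avoids the shell entirely. `exploit()` begins and ends outside this hunk.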
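Review bot: The three new install blocks are a copy-paste of the `reload` block, each reusing the misleading local name `jlaunchctl` for an sftp/scp path, and none checks `copyfile`, `chmod` or `chown`, so a failed copy leaves a missing or wrongly-owned binary and the install carries on silently. Factoring this into a file-scope helper above `exploit()` that returns a status and logs the failing step removes the duplication and gives callers something to check. Note `exploit()` begins and ends outside this hunk, and the helper below assumes `errno`/`strerror` are already in scope in jailbreak.m — confirm the includes.
```objectivec
// File scope, above exploit(): copy a bundled resource to dest and set mode/owner.
// Returns 0 on success; on failure logs the failing step and returns -1.
static int install_resource(NSString *execpath, NSString *name, const char *dest, mode_t mode) {
    const char *src = [[execpath stringByAppendingPathComponent:name] UTF8String];
    unlink(dest);
    if (copyfile(src, dest, 0, COPYFILE_ALL) != 0) {
        NSLog(@"copyfile %s -> %s failed: %s", src, dest, strerror(errno));
        return -1;
    }
    if (chmod(dest, mode) != 0 || chown(dest, 0, 0) != 0) {
        NSLog(@"chmod/chown %s failed: %s", dest, strerror(errno));
        return -1;
    }
    return 0;
}

    // … unchanged: reload install block …
    install_resource(execpath, @"sftp-server", "/usr/libexec/sftp-server", 0755);
    install_resource(execpath, @"scp", "/usr/bin/scp", 0755);
    install_resource(execpath, @"sftp", "/usr/bin/sftp", 0755);
    // … unchanged: 0.reload.plist install block …
```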
@@ -919,17 +973,18 @@ void exploit(void* btn, mach_port_t pt, uint64_t kernbase, uint64_t allprocs) chmod("/Library/LaunchDaemons/dropbear.plist", 0644); chown("/Library/LaunchDaemons/dropbear.plist", 0, 0); } - unlink("/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist"); - + { + chmod("/private", 0777); + chmod("/private/var", 0777); + chmod("/private/var/mobile", 0777); + chmod("/private/var/mobile/Library", 0777); + chmod("/private/var/mobile/Library/Preferences", 0777); + posix_spawn(&pd, "/bin/bash", 0, 0, (char**)&(const char*[]){"/bin/bash", "-c", """echo 'really jailbroken'""", NULL}, NULL); + posix_spawn(&pd, "/bin/launchctl", 0, 0, (char**)&(const char*[]){"/bin/launchctl", "load", "/Library/LaunchDaemons/0.reload.plist", NULL}, NULL); + waitpid(pd, 0, 0); + } } } - chmod("/private", 0777); - chmod("/private/var", 0777); - chmod("/private/var/mobile", 0777); - chmod("/private/var/mobile/Library", 0777); - chmod("/private/var/mobile/Library/Preferences", 0777); - system("rm -rf /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate; touch /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate; chmod 000 /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate; chown 0:0 /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate"); - system("(echo 'really jailbroken'; /bin/launchctl load /Library/LaunchDaemons/0.reload.plist)&"); WriteAnywhere64(bsd_task+0x100, orig_cred); sleep(2); diff --git a/yalu102/openssl.zip b/yalu102/openssl.zip new file mode 100644 index 0000000..ba38f57 Binary files /dev/null and b/yalu102/openssl.zip differ diff --git a/yalu102/scp b/yalu102/scp new file mode 100644 index 0000000..2f2483b Binary files /dev/null and b/yalu102/scp differ diff --git a/yalu102/sftp b/yalu102/sftp new file mode 100644 index 0000000..581617b Binary files /dev/null and b/yalu102/sftp differ 
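Review bot: The relocated `chmod(..., 0777)` chain makes `/private`, `/private/var`, `/private/var/mobile`, its `Library` and `Preferences` world-writable with no comment saying which later step needs that; any process on the device can then add or unlink entries in those directories, and the SpringBoard plist write that seems the likeliest reason already happened earlier in this function. If a specific directory must be writable by a specific user, a `chown` to that user with `0755` is the narrower fix; otherwise add a comment such as `// 0777 needed because <reason> — TODO narrow` so the next reader does not have to guess. The `/bin/bash -c "echo 'really jailbroken'"` spawn only prints a string and is not waited for; an `NSLog(@"really jailbroken")` does the same without a shell, and the single `waitpid` then unambiguously reaps the `launchctl load` child. As in the `@@ -860` hunk, both `posix_spawn` results are discarded. `exploit()` begins and ends outside this hunk.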
diff --git a/yalu102/sftp-server b/yalu102/sftp-server new file mode 100644 index 0000000..3659a96 Binary files /dev/null and b/yalu102/sftp-server differ