diff --git a/Makefile b/Makefile
index 5bc75f5..8fb5789 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@ SHELL = /bin/bash
 TARGET_GUI = Spice
 TARGET_CLI = spice
 PACKAGE = lol.spyware.spicy
-VERSION = 1.0.171
+VERSION = 1.0.172
 BIN = bin
 RES = res
diff --git a/README.md b/README.md
index 84fecad..8fa162b 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,9 @@ The following devices are also present in offsets.m (and the binaries in /docs)
 * **iPhone 5S (GSM) (iPhone6,1), iOS 11.2.6**
 * **iPhone 6 Plus (iPhone7,1), iOS 11.2.6**
 * **iPhone 6 (iPhone7,2), iOS 11.4**
+* **iPhone 6S (iPhone8,1), iOS 11.4.1**
 * **iPhone SE (1st gen) (iPhone8,4), iOS 11.4.1**
+* **iPod touch 6 (iPod7,1), iOS 11.4.1**
 Any other device will require offsets to be added. PRs are welcomed to speed this up, but an actual device will be needed to provide the final offset (`DYLD_CACHE_FD`) if you desire support.
diff --git a/docs/Packages b/docs/Packages
index b64e278..e884c51 100644
--- a/docs/Packages
+++ b/docs/Packages
@@ -1,43 +1,43 @@
 Package: lol.spyware.spiceuntether.fd5
-Version: 1.0.171
+Version: 1.0.172
 Architecture: iphoneos-arm
 Maintainer: UInt2048
 Depends: firmware (>= 11.0), firmware (<= 11.4.1)
-Filename: ./lol.spyware.spiceuntether.fd5_1.0.171_iphoneos-arm.deb
-Size: 140340
-MD5sum: 927ef72b58e7de33b796ec8c0b01c106
-SHA1: 594d376d72ddfb8f50b45b50528ec03a7da13f7a
-SHA256: 56b2e2b4b50a5ebee11eb7d903f6d06047d4a00dac60418c54ee93e13185bc3f
+Filename: ./lol.spyware.spiceuntether.fd5_1.0.172_iphoneos-arm.deb
+Size: 140308
+MD5sum: 5af75261e9386f2ab71d9084f1eecbfd
+SHA1: d8d8ff3dd6c2972998a0b4567ba066a6cdc80c28
+SHA256: ccae9e5a0aafc71c66cd4f463a761e019170d9f83ce8250e88bc2c8112c72c9e
 Section: System
 Description: Upgrades the Spice jailbreak to untethered
 Author: JakeBlair420
 Name: Spice Untether Payload (FD5)
 
 Package: lol.spyware.spiceuntether.fd6
-Version: 1.0.171
+Version: 1.0.172
 Architecture: iphoneos-arm
 Maintainer: UInt2048
 Depends: firmware (>= 11.0), firmware (<= 11.4.1)
-Filename: ./lol.spyware.spiceuntether.fd6_1.0.171_iphoneos-arm.deb
-Size: 140260
-MD5sum: 187a187041d6941445c5f689d3e752f0
-SHA1: 3d1aae2cded5422c42c9bb4c3321b85b6bbec626
-SHA256: 6188732de321d59f663c78863058be4e2b59bd2bdfd548510abd0413ba6c267f
+Filename: ./lol.spyware.spiceuntether.fd6_1.0.172_iphoneos-arm.deb
+Size: 140420
+MD5sum: 71adda1103ba23896484ff5d788addfc
+SHA1: 07b61bb392e7e3fe04cfb20cb94ba63e27f8f374
+SHA256: 61d613d5f5752740cbd52405e80cfc24bdf316be56357bb7433aa219c6ef6348
 Section: System
 Description: Upgrades the Spice jailbreak to untethered
 Author: JakeBlair420
 Name: Spice Untether Payload (FD6)
 
 Package: lol.spyware.spiceuntether.fdscream
-Version: 1.0.171
+Version: 1.0.172
 Architecture: iphoneos-arm
 Maintainer: UInt2048
 Depends: firmware (>= 11.0), firmware (<= 11.4.1)
-Filename: ./lol.spyware.spiceuntether.fdscream_1.0.171_iphoneos-arm.deb
-Size: 140260
-MD5sum: c8b417981b7cd4a8278a8819ceba7f09
-SHA1: b015ee424525a8448bbdf4fde378cade02ae383a
-SHA256: ca3ff1ecb56941034fbfbd501acee426624136fe0eb9ba9154c63f9edc4d7233
+Filename: ./lol.spyware.spiceuntether.fdscream_1.0.172_iphoneos-arm.deb
+Size: 140448
+MD5sum: 5fff5eea715c9b2a20f4ca94a2097152
+SHA1: f39b6db689ea15341af6c9a1bac528b0747c04e9
+SHA256: 8423b55c6bf8577101f5df51d8e524f3cada96285f975c22776a2c7c986eae1d
 Section: System
 Description: Upgrades the Spice jailbreak to untethered
 Author: JakeBlair420
diff --git a/docs/Packages.bz2 b/docs/Packages.bz2
index 3cbe69b..09f8c1a 100644
Binary files a/docs/Packages.bz2 and b/docs/Packages.bz2 differ
diff --git a/docs/Spice-arm64-1.0.171-DEV.ipa b/docs/Spice-arm64-1.0.172-DEV.ipa
similarity index 99%
rename from docs/Spice-arm64-1.0.171-DEV.ipa
rename to docs/Spice-arm64-1.0.172-DEV.ipa
index 2d3f66f..2016e05 100644
Binary files a/docs/Spice-arm64-1.0.171-DEV.ipa and b/docs/Spice-arm64-1.0.172-DEV.ipa differ
diff --git a/docs/lol.spyware.spiceuntether.fd5_1.0.171_iphoneos-arm.deb b/docs/lol.spyware.spiceuntether.fd5_1.0.171_iphoneos-arm.deb
deleted file mode 100644
index 9d20689..0000000
Binary files a/docs/lol.spyware.spiceuntether.fd5_1.0.171_iphoneos-arm.deb and /dev/null differ
diff --git a/docs/lol.spyware.spiceuntether.fd5_1.0.172_iphoneos-arm.deb b/docs/lol.spyware.spiceuntether.fd5_1.0.172_iphoneos-arm.deb
new file mode 100644
index 0000000..c3d34c9
Binary files /dev/null and b/docs/lol.spyware.spiceuntether.fd5_1.0.172_iphoneos-arm.deb differ
diff --git a/docs/lol.spyware.spiceuntether.fd6_1.0.171_iphoneos-arm.deb b/docs/lol.spyware.spiceuntether.fd6_1.0.171_iphoneos-arm.deb
deleted file mode 100644
index 547f6d2..0000000
Binary files a/docs/lol.spyware.spiceuntether.fd6_1.0.171_iphoneos-arm.deb and /dev/null differ
diff --git a/docs/lol.spyware.spiceuntether.fd6_1.0.172_iphoneos-arm.deb b/docs/lol.spyware.spiceuntether.fd6_1.0.172_iphoneos-arm.deb
new file mode 100644
index 0000000..1142ea7
Binary files /dev/null and b/docs/lol.spyware.spiceuntether.fd6_1.0.172_iphoneos-arm.deb differ
diff --git a/docs/lol.spyware.spiceuntether.fdscream_1.0.171_iphoneos-arm.deb b/docs/lol.spyware.spiceuntether.fdscream_1.0.171_iphoneos-arm.deb
deleted file mode 100644
index 1cb3f10..0000000
Binary files a/docs/lol.spyware.spiceuntether.fdscream_1.0.171_iphoneos-arm.deb and /dev/null differ
diff --git a/docs/lol.spyware.spiceuntether.fdscream_1.0.172_iphoneos-arm.deb b/docs/lol.spyware.spiceuntether.fdscream_1.0.172_iphoneos-arm.deb
new file mode 100644
index 0000000..fc4f7c3
Binary files /dev/null and b/docs/lol.spyware.spiceuntether.fdscream_1.0.172_iphoneos-arm.deb differ
diff --git a/src/shared/offsets.m b/src/shared/offsets.m
index cd872cd..7ab7e32 100644
--- a/src/shared/offsets.m
+++ b/src/shared/offsets.m
@@ -59,8 +59,12 @@ uint32_t get_anchor(void)
 return (0xfffffff007625998 & 0xfffffff);
 } else if (DEVICE_EQUAL_TO(@"iPhone8,4") && SYSTEM_VERSION_EQUAL_TO(@"11.4")) {
 return (0xfffffff007621968 & 0xfffffff);
+ } else if (DEVICE_EQUAL_TO(@"iPhone8,1") && SYSTEM_VERSION_EQUAL_TO(@"11.4.1")) {
+ return (0xfffffff0076219a8 & 0xfffffff);
 } else if (DEVICE_EQUAL_TO(@"iPhone8,4") && SYSTEM_VERSION_EQUAL_TO(@"11.4.1")) {
 return (0xfffffff0076219a8 & 0xfffffff);
+ } else if (DEVICE_EQUAL_TO(@"iPod7,1") && SYSTEM_VERSION_EQUAL_TO(@"11.4.1")) {
+ return (0xfffffff0076259d8 & 0xfffffff);
 }
 #else
 if (DEVICE_EQUAL_TO(@"iPhone5,1") && SYSTEM_VERSION_EQUAL_TO(@"10.3.4")) {
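Review bot: The new iPhone8,1 branch of get_anchor returns exactly the value the existing iPhone8,4 11.4.1 branch two lines below already returns (`0xfffffff0076219a8`), so either the two devices share a kernelcache on 11.4.1 and the branches should be one condition, or the value was copied from the SE entry rather than measured on a 6S. If it is shared, say so and collapse them: `} else if ((DEVICE_EQUAL_TO(@"iPhone8,1") || DEVICE_EQUAL_TO(@"iPhone8,4")) && SYSTEM_VERSION_EQUAL_TO(@"11.4.1")) { // 6S and SE ship the same 11.4.1 kernelcache`. If it is not shared, the value needs confirming on real hardware before release, since get_anchor hands back a kernel address the rest of the code presumably builds on and a wrong one is a panic rather than a clean "unsupported device" exit. get_anchor begins before this hunk, so the fallthrough return for unmatched devices is not visible here.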
@@ -781,6 +785,84 @@ bool populate_offsets(offsets_t* liboffsets, offset_struct_t* offsets)
 offsets->fcntl_raw_syscall = 0x18097c434; // dlsym of ___fcntl
 offsets->rootdomainUC_vtab = 0xfffffff00708e158; // find __ZTV20RootDomainUserClient in kernel, first non-zero byte
 offsets->swapprefix_addr = 0xfffffff0075ad8cc; // search for the string "/private/var/vm/swapfile" (or "/var/vm/swapfile" on 10.3.4) in the kernel, that's the right address
+ } else if (DEVICE_EQUAL_TO(@"iPhone8,1") && SYSTEM_VERSION_EQUAL_TO(@"11.4.1")) {
+ foundOffsets = true; // These offsets exist
+ liboffsets->flags = FLAG_SOCK_PORT | FLAG_LIGHTSPEED;
+ liboffsets->constant.old_cache_addr = 0x180000000; // static (SHARED_REGION_BASE_ARM64 in )
+ liboffsets->constant.new_cache_addr = 0x1c0000000; // static (SHARED_REGION_SIZE_ARM64 is 0x40000000 until iOS 12)
+ liboffsets->constant.kernel_image_base = 0xfffffff007004000; // static
+ liboffsets->funcs.copyin = 0xfffffff0071a72d4; // symbol (_copyin)
+ liboffsets->funcs.copyout = 0xfffffff0071a74f8; // symbol (_copyout)
+ liboffsets->funcs.current_task = 0xfffffff0070f4c58; // symbol (_current_task)
+ liboffsets->funcs.get_bsdtask_info = 0xfffffff00710a354; // symbol (_get_bsdtask_info)
+ liboffsets->funcs.vm_map_wire_external = 0xfffffff00715367c; // symbol (_vm_map_wire_external)
+ liboffsets->funcs.vfs_context_current = 0xfffffff0071f9cd4; // symbol (_vfs_context_current)
+ liboffsets->funcs.vnode_lookup = 0xfffffff0071db9e0; // symbol (_vnode_lookup)
+ liboffsets->funcs.osunserializexml = 0xfffffff0074e2fb4; // symbol (__Z16OSUnserializeXMLPKcPP8OSString)
+ liboffsets->funcs.smalloc = 0xfffffff006b0dcb0; // found by searching for "sandbox memory allocation failure"
+ liboffsets->funcs.proc_find = 0xfffffff0073f3fe0; // symbol (_proc_find)
+ liboffsets->funcs.proc_rele = 0xfffffff0073f3f50; // symbol (_proc_rele)
+ liboffsets->funcs.ipc_port_alloc_special = 0xfffffff0070b915c; // \"ipc_processor_init\" in processor_start -> call above
+ liboffsets->funcs.ipc_kobject_set = 0xfffffff0070cf30c; // above _mach_msg_send_from_kernel_proper (2nd above for 10.3.4)
+ liboffsets->funcs.ipc_port_make_send = 0xfffffff0070b88d8; // first call in long path of KUNCUserNotificationDisplayFromBundle
+ liboffsets->gadgets.add_x0_x0_ret = 0xfffffff0073ca0d0; // gadget (or _csblob_get_cdhash)
+ liboffsets->data.realhost = 0xfffffff0075deb98; // _host_priv_self -> adrp addr
+ liboffsets->data.zone_map = 0xfffffff0075fbe50; // str 'zone_init: kmem_suballoc failed', first qword above
+ liboffsets->data.kernel_task = 0xfffffff0075d9048; // symbol (_kernel_task)
+ liboffsets->data.kern_proc = 0xfffffff0075d90a0; // symbol (_kernproc)
+ liboffsets->data.rootvnode = 0xfffffff0075d9088; // symbol (_rootvnode)
+ liboffsets->data.osboolean_true = 0xfffffff007648468; // __ZN9OSBoolean11withBooleanEb -> first adrp addr (isn't used anywhere tho)
+ liboffsets->data.trust_cache = 0xfffffff0076b4ee8; // (on iOS 10.3.4, use "%s: trust cache already loaded with matching UUID, ignoring\n", store below call to _lck_mtx_lock in same function) "%s: trust cache loaded successfully.\n" store above
+ liboffsets->vtabs.iosurface_root_userclient = 0xfffffff006e81010; // search "IOSurfaceRootUserClient", store in function below first reference (or, on iOS 11 only, 'iometa -Csov IOSurfaceRootUserClient kernel', vtab=...)
+ liboffsets->struct_offsets.is_task_offset = 0x28; // "ipc_task_init", lower of two final offsets to a local variable in decompiled code
+ liboffsets->struct_offsets.task_itk_self = 0xe0; // first reference of "ipc_task_reset", offset after _lck_mtx_lock
+ liboffsets->struct_offsets.itk_registered = 0x2f0; // "ipc_task_init", first comparison below to parameter, first str offset in not zero branch
+ liboffsets->struct_offsets.ipr_size = 0x8; // "ipc_object_copyout_dest: strange rights", function below, offset of second ldr (ipc_port_request->name->size, long path: search all instances of 0x10000003 to find _kernel_rpc_mach_port_construct_trap, needs to have a copyin call, and travel chain)
+ liboffsets->struct_offsets.sizeof_task = 0x5c8; // str "tasks", mov offset below (size of entire task struct)
+ liboffsets->struct_offsets.proc_task = 0x18; // "PMTellAppWithResponse - Suspended", second ldr offset above (proc->task)
+ liboffsets->struct_offsets.proc_p_csflags = 0x2a8; // _cs_restricted, first ldr offset (proc->p_csflags)
+ liboffsets->struct_offsets.task_t_flags = 0x3a0; // __ZN12IOUserClient18clientHasPrivilegeEPvPKc, in equal to 0 branch of foregroud strncmp, in function on iOS 10 (task->t_flags)
+ liboffsets->struct_offsets.task_all_image_info_addr = 0x3a8; // "created task is not a member of a resource coalition", search 0x5f (task->all_image_info_addr, theoretically just +0x8 from t_flags)
+ liboffsets->struct_offsets.task_all_image_info_size = 0x3b0; // "created task is not a member of a resource coalition", search 0x5f (task->all_image_info_size, theoretically just +0x10 from t_flags)
+ liboffsets->iosurface.create_outsize = 0xbc8; // dispatch table starts at 20 * sizeof(kptr_t) after IOUserClient::getExternalTrapForIndex in vtab
+ liboffsets->iosurface.create_surface = 0; // IOSurfaceRootUserClient::s_create_surface is method 0
+ liboffsets->iosurface.set_value = 9; // IOSurfaceRootUserClient::s_set_value is method 9
+ liboffsets->userland_funcs.IOConnectTrap6 = (void*)(0x18116031c + CACHE_DIFF); // dlsym of _IOConnectTrap6
+ liboffsets->userland_funcs.mach_ports_lookup = (void*)(0x18095ead0 + CACHE_DIFF); // dlsym of _mach_ports_lookup
+ liboffsets->userland_funcs.mach_task_self = (void*)(0x180973fdc + CACHE_DIFF); // dlsym of _mach_task_self
+ liboffsets->userland_funcs.mach_vm_remap = (void*)(0x18097bb28 + CACHE_DIFF); // dlsym of _mach_vm_remap
+ liboffsets->userland_funcs.mach_port_destroy = (void*)(0x18095c35c + CACHE_DIFF); // dlsym of _mach_port_destroy
+ liboffsets->userland_funcs.mach_port_deallocate = (void*)(0x18095c83c + CACHE_DIFF); // dlsym of _mach_port_deallocate
+ liboffsets->userland_funcs.mach_port_allocate = (void*)(0x18095cbc8 + CACHE_DIFF); // dlsym of _mach_port_allocate
+ liboffsets->userland_funcs.mach_port_insert_right = (void*)(0x18095cc24 + CACHE_DIFF); // dlsym of _mach_port_insert_right
+ liboffsets->userland_funcs.mach_ports_register = (void*)(0x18096c630 + CACHE_DIFF); // dlsym of _mach_ports_register
+ liboffsets->userland_funcs.mach_msg = (void*)(0x18095bc18 + CACHE_DIFF); // dlsym of _mach_msg
+ liboffsets->userland_funcs.posix_spawn = (void*)(0x180976310 + CACHE_DIFF); // dlsym of _posix_spawn
+
+ offsets->dns4_array_to_lcconf = 0x1000670e0 - (0x100067c10 + 0x8); // lcconf = "failed to set my ident: %s", value being offset by 0xb0 (0x6c on 32-bit), then isakmp_config_dns4 = subtract second reference of "No more than %d DNS", first adr in switch case 0x77, add 0x8
+ offsets->str_buff_offset = 8; // based on the pivot gadget below (the x21 gadget will do a double deref based on specific value on a buffer we control so we need to know its offset)
+ offsets->max_slide = 0x4650000; // read 8 bytes at OFF_OLD_CACHE_ADDR + 0xf0
+ offsets->slide_value = 0x4000; // hardcode that one
+ offsets->pivot_x21 = 0x199c5893c; // search the dyld cache for a8 06 40 f9 09 01 40 f9 29 1d 40 f9 e1 03 00 aa e0 03 08 aa 20 01 3f d6, or original: a8 06 40 f9 09 01 40 f9 29 29 40 f9 e3 07 40 f9 e2 03 00 aa e0 03 08 aa e1 03 16 aa e4 03 14 aa e5 03 13 aa 20 01 3f d6
+ offsets->pivot_x21_x9_offset = 0x38; // 11.3 and higher use 0x38 in the gadget instead of 0x50 (since the original is not present)
+ offsets->memmove = 0x1ab7d0d50; // strlcpy second branch, adrp offset in thunk (get from the actual bl instruction, not from decompiler)
+ offsets->lcconf_counter_offset = 0x10c; // "error allocating splitdns list buffer", switch case 0x87 below, first str offset
+ offsets->cache_text_seg_size = 0x30000000; // we can get that by parsing the segments from the cache (but this is always enough)
+ offsets->BEAST_GADGET = 0x1a16fe494; // search the dyld cache for e4 03 16 aa e5 03 14 aa e6 03 15 aa e7 03 13 aa e0 03 1a aa e1 03 19 aa e2 03 18 aa e3 03 17 aa 60 03 3f d6 fd 7b 47 a9 f4 4f 46 a9 f6 57 45 a9 f8 5f 44 a9 fa 67 43 a9 fc 6f 42 a9 e9 23 41 6d ff 03 02 91 c0 03 5f d6
+ offsets->str_x0_gadget = 0x197e2bac8; // search the dyld cache for 60 16 00 f9 00 00 80 52 fd 7b 41 a9 f4 4f c2 a8 c0 03 5f d6
+ offsets->str_x0_gadget_offset = 0x28; // based on the gadget above (at which offset it stores x0 basically)
+ offsets->cbz_x0_gadget = 0x188d369dc; // __ZN3rtc9TaskQueue12QueueContext13DeleteContextEPv
+ offsets->cbz_x0_x16_load = 0x1b1d96508; // decode the gadget above, there will be a jump, follow that jump and decode the adrp and add there
+ offsets->add_x0_gadget = 0x18519eb90; // search the dyld cache for a0 02 14 8b fd 7b 42 a9 f4 4f 41 a9 f6 57 c3 a8 c0 03 5f d6
+ offsets->errno_offset = 0x1b3287ff8 + CACHE_DIFF; // we can get that by getting a raw syscall (for example ___mmap, then searching for a branch following that and then searching for an adrp and a str)
+ offsets->mach_msg_offset = 0x1b1a1d018 + CACHE_DIFF; // address of label _NDR_record, we need to map it before using it
+ offsets->longjmp = 0x180b126e8; // dlsym of __longjmp
+ offsets->mmap = 0x18097cbe8; // dlsym of ___mmap
+ offsets->memcpy = 0x18095d614; // dlsym of _memcpy
+ offsets->open = 0x18097ce4c; // dlsym of ___open
+ offsets->fcntl_raw_syscall = 0x18097c404; // dlsym of ___fcntl
+ offsets->rootdomainUC_vtab = 0xfffffff00708e188; // find __ZTV20RootDomainUserClient in kernel, first non-zero byte
+ offsets->swapprefix_addr = 0xfffffff0075ad8cc; // search for the string "/private/var/vm/swapfile" (or "/var/vm/swapfile" on 10.3.4) in the kernel, that's the right address
 } else if (DEVICE_EQUAL_TO(@"iPhone8,4") && SYSTEM_VERSION_EQUAL_TO(@"11.4.1")) {
 foundOffsets = true; // These offsets exist
 liboffsets->flags = FLAG_SOCK_PORT | FLAG_LIGHTSPEED;
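Review bot: The `old_cache_addr` line in the new iPhone8,1 block carries the comment `// static (SHARED_REGION_BASE_ARM64 in )`, which has lost the header it meant to cite; restore it as `// static (SHARED_REGION_BASE_ARM64 in <mach/shared_region.h>)` rather than propagating the broken form (the identical line is copied again into the iPod7,1 block in the next hunk). More importantly, every value in this block that can be compared against the existing iPhone8,4 11.4.1 block — the three trailing context lines `fcntl_raw_syscall`, `rootdomainUC_vtab` and `swapprefix_addr`, plus the identical `get_anchor` return in the earlier hunk — is byte-identical, which looks like the SE entry was copied rather than the 6S measured. If iPhone8,1 and iPhone8,4 really share the 11.4.1 kernelcache and dyld cache, record that in a comment and merge the branches into one `(DEVICE_EQUAL_TO(@"iPhone8,1") || DEVICE_EQUAL_TO(@"iPhone8,4")) && SYSTEM_VERSION_EQUAL_TO(@"11.4.1")` condition; if they do not, the kernel-side addresses (`trust_cache`, `rootvnode`, `zone_map`, the `copyin`/`copyout` pair) must be confirmed on a real 6S before this ships, because a wrong kernel address here is a panic or silent kernel-memory corruption, not the graceful unsupported-device path. `populate_offsets` starts well before this hunk and the iPhone8,4 block that follows continues past it.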
@@ -859,6 +941,84 @@ bool populate_offsets(offsets_t* liboffsets, offset_struct_t* offsets)
 offsets->fcntl_raw_syscall = 0x18097c404; // dlsym of ___fcntl
 offsets->rootdomainUC_vtab = 0xfffffff00708e188; // find __ZTV20RootDomainUserClient in kernel, first non-zero byte
 offsets->swapprefix_addr = 0xfffffff0075ad8cc; // search for the string "/private/var/vm/swapfile" (or "/var/vm/swapfile" on 10.3.4) in the kernel, that's the right address
+ } else if (DEVICE_EQUAL_TO(@"iPod7,1") && SYSTEM_VERSION_EQUAL_TO(@"11.4.1")) {
+ foundOffsets = true; // These offsets exist
+ liboffsets->flags = FLAG_SOCK_PORT | FLAG_LIGHTSPEED;
+ liboffsets->constant.old_cache_addr = 0x180000000; // static (SHARED_REGION_BASE_ARM64 in )
+ liboffsets->constant.new_cache_addr = 0x1c0000000; // static (SHARED_REGION_SIZE_ARM64 is 0x40000000 until iOS 12)
+ liboffsets->constant.kernel_image_base = 0xfffffff007004000; // static
+ liboffsets->funcs.copyin = 0xfffffff0071aaa00; // symbol (_copyin)
+ liboffsets->funcs.copyout = 0xfffffff0071aac24; // symbol (_copyout)
+ liboffsets->funcs.current_task = 0xfffffff0070f4d8c; // symbol (_current_task)
+ liboffsets->funcs.get_bsdtask_info = 0xfffffff00710a96c; // symbol (_get_bsdtask_info)
+ liboffsets->funcs.vm_map_wire_external = 0xfffffff007155168; // symbol (_vm_map_wire_external)
+ liboffsets->funcs.vfs_context_current = 0xfffffff0071fe578; // symbol (_vfs_context_current)
+ liboffsets->funcs.vnode_lookup = 0xfffffff0071e01f8; // symbol (_vnode_lookup)
+ liboffsets->funcs.osunserializexml = 0xfffffff0074e9a4c; // symbol (__Z16OSUnserializeXMLPKcPP8OSString)
+ liboffsets->funcs.smalloc = 0xfffffff006b18cb0; // found by searching for "sandbox memory allocation failure"
+ liboffsets->funcs.proc_find = 0xfffffff0073f9584; // symbol (_proc_find)
+ liboffsets->funcs.proc_rele = 0xfffffff0073f94f4; // symbol (_proc_rele)
+ liboffsets->funcs.ipc_port_alloc_special = 0xfffffff0070b9328; // \"ipc_processor_init\" in processor_start -> call above
+ liboffsets->funcs.ipc_kobject_set = 0xfffffff0070cf2c8; // above _mach_msg_send_from_kernel_proper (2nd above for 10.3.4)
+ liboffsets->funcs.ipc_port_make_send = 0xfffffff0070b8aa4; // first call in long path of KUNCUserNotificationDisplayFromBundle
+ liboffsets->gadgets.add_x0_x0_ret = 0xfffffff0073cf13c; // gadget (or _csblob_get_cdhash)
+ liboffsets->data.realhost = 0xfffffff0075e2b98; // _host_priv_self -> adrp addr
+ liboffsets->data.zone_map = 0xfffffff0075ffe50; // str 'zone_init: kmem_suballoc failed', first qword above
+ liboffsets->data.kernel_task = 0xfffffff0075dd048; // symbol (_kernel_task)
+ liboffsets->data.kern_proc = 0xfffffff0075dd0a0; // symbol (_kernproc)
+ liboffsets->data.rootvnode = 0xfffffff0075dd088; // symbol (_rootvnode)
+ liboffsets->data.osboolean_true = 0xfffffff00764c4a8; // __ZN9OSBoolean11withBooleanEb -> first adrp addr (isn't used anywhere tho)
+ liboffsets->data.trust_cache = 0xfffffff0076b8ee8; // (on iOS 10.3.4, use "%s: trust cache already loaded with matching UUID, ignoring\n", store below call to _lck_mtx_lock in same function) "%s: trust cache loaded successfully.\n" store above
+ liboffsets->vtabs.iosurface_root_userclient = 0xfffffff006ee5910; // search "IOSurfaceRootUserClient", store in function below first reference (or, on iOS 11 only, 'iometa -Csov IOSurfaceRootUserClient kernel', vtab=...)
+ liboffsets->struct_offsets.is_task_offset = 0x28; // "ipc_task_init", lower of two final offsets to a local variable in decompiled code
+ liboffsets->struct_offsets.task_itk_self = 0xe0; // first reference of "ipc_task_reset", offset after _lck_mtx_lock
+ liboffsets->struct_offsets.itk_registered = 0x2f0; // "ipc_task_init", first comparison below to parameter, first str offset in not zero branch
+ liboffsets->struct_offsets.ipr_size = 0x8; // "ipc_object_copyout_dest: strange rights", function below, offset of second ldr (ipc_port_request->name->size, long path: search all instances of 0x10000003 to find _kernel_rpc_mach_port_construct_trap, needs to have a copyin call, and travel chain)
+ liboffsets->struct_offsets.sizeof_task = 0x5c8; // str "tasks", mov offset below (size of entire task struct)
+ liboffsets->struct_offsets.proc_task = 0x18; // "PMTellAppWithResponse - Suspended", second ldr offset above (proc->task)
+ liboffsets->struct_offsets.proc_p_csflags = 0x2a8; // _cs_restricted, first ldr offset (proc->p_csflags)
+ liboffsets->struct_offsets.task_t_flags = 0x3a0; // __ZN12IOUserClient18clientHasPrivilegeEPvPKc, in equal to 0 branch of foregroud strncmp, in function on iOS 10 (task->t_flags)
+ liboffsets->struct_offsets.task_all_image_info_addr = 0x3a8; // "created task is not a member of a resource coalition", search 0x5f (task->all_image_info_addr, theoretically just +0x8 from t_flags)
+ liboffsets->struct_offsets.task_all_image_info_size = 0x3b0; // "created task is not a member of a resource coalition", search 0x5f (task->all_image_info_size, theoretically just +0x10 from t_flags)
+ liboffsets->iosurface.create_outsize = 0xbc8; // dispatch table starts at 20 * sizeof(kptr_t) after IOUserClient::getExternalTrapForIndex in vtab
+ liboffsets->iosurface.create_surface = 0; // IOSurfaceRootUserClient::s_create_surface is method 0
+ liboffsets->iosurface.set_value = 9; // IOSurfaceRootUserClient::s_set_value is method 9
+ liboffsets->userland_funcs.IOConnectTrap6 = (void*)(0x18116031c + CACHE_DIFF); // dlsym of _IOConnectTrap6
+ liboffsets->userland_funcs.mach_ports_lookup = (void*)(0x18095ead0 + CACHE_DIFF); // dlsym of _mach_ports_lookup
+ liboffsets->userland_funcs.mach_task_self = (void*)(0x180973fdc + CACHE_DIFF); // dlsym of _mach_task_self
+ liboffsets->userland_funcs.mach_vm_remap = (void*)(0x18097bb28 + CACHE_DIFF); // dlsym of _mach_vm_remap
+ liboffsets->userland_funcs.mach_port_destroy = (void*)(0x18095c35c + CACHE_DIFF); // dlsym of _mach_port_destroy
+ liboffsets->userland_funcs.mach_port_deallocate = (void*)(0x18095c83c + CACHE_DIFF); // dlsym of _mach_port_deallocate
+ liboffsets->userland_funcs.mach_port_allocate = (void*)(0x18095cbc8 + CACHE_DIFF); // dlsym of _mach_port_allocate
+ liboffsets->userland_funcs.mach_port_insert_right = (void*)(0x18095cc24 + CACHE_DIFF); // dlsym of _mach_port_insert_right
+ liboffsets->userland_funcs.mach_ports_register = (void*)(0x18096c630 + CACHE_DIFF); // dlsym of _mach_ports_register
+ liboffsets->userland_funcs.mach_msg = (void*)(0x18095bc18 + CACHE_DIFF); // dlsym of _mach_msg
+ liboffsets->userland_funcs.posix_spawn = (void*)(0x180976310 + CACHE_DIFF); // dlsym of _posix_spawn
+
+ offsets->dns4_array_to_lcconf = 0x1000670e0 - (0x100067c10 + 0x8); // lcconf = "failed to set my ident: %s", value being offset by 0xb0 (0x6c on 32-bit), then isakmp_config_dns4 = subtract second reference of "No more than %d DNS", first adr in switch case 0x77, add 0x8
+ offsets->str_buff_offset = 8; // based on the pivot gadget below (the x21 gadget will do a double deref based on specific value on a buffer we control so we need to know its offset)
+ offsets->max_slide = 0x53cc000; // read 8 bytes at OFF_OLD_CACHE_ADDR + 0xf0
+ offsets->slide_value = 0x4000; // hardcode that one
+ offsets->pivot_x21 = 0x199c5893c; // search the dyld cache for a8 06 40 f9 09 01 40 f9 29 1d 40 f9 e1 03 00 aa e0 03 08 aa 20 01 3f d6, or original: a8 06 40 f9 09 01 40 f9 29 29 40 f9 e3 07 40 f9 e2 03 00 aa e0 03 08 aa e1 03 16 aa e4 03 14 aa e5 03 13 aa 20 01 3f d6
+ offsets->pivot_x21_x9_offset = 0x38; // 11.3 and higher use 0x38 in the gadget instead of 0x50 (since the original is not present)
+ offsets->memmove = 0x1aad7cd50; // strlcpy second branch, adrp offset in thunk (get from the actual bl instruction, not from decompiler)
+ offsets->lcconf_counter_offset = 0x10c; // "error allocating splitdns list buffer", switch case 0x87 below, first str offset
+ offsets->cache_text_seg_size = 0x30000000; // we can get that by parsing the segments from the cache (but this is always enough)
+ offsets->BEAST_GADGET = 0x1a1455494; // search the dyld cache for e4 03 16 aa e5 03 14 aa e6 03 15 aa e7 03 13 aa e0 03 1a aa e1 03 19 aa e2 03 18 aa e3 03 17 aa 60 03 3f d6 fd 7b 47 a9 f4 4f 46 a9 f6 57 45 a9 f8 5f 44 a9 fa 67 43 a9 fc 6f 42 a9 e9 23 41 6d ff 03 02 91 c0 03 5f d6
+ offsets->str_x0_gadget = 0x197e2bac8; // search the dyld cache for 60 16 00 f9 00 00 80 52 fd 7b 41 a9 f4 4f c2 a8 c0 03 5f d6
+ offsets->str_x0_gadget_offset = 0x28; // based on the gadget above (at which offset it stores x0 basically)
+ offsets->cbz_x0_gadget = 0x188d369dc; // __ZN3rtc9TaskQueue12QueueContext13DeleteContextEPv
+ offsets->cbz_x0_x16_load = 0x1b1246508; // decode the gadget above, there will be a jump, follow that jump and decode the adrp and add there
+ offsets->add_x0_gadget = 0x18519eb90; // search the dyld cache for a0 02 14 8b fd 7b 42 a9 f4 4f 41 a9 f6 57 c3 a8 c0 03 5f d6
+ offsets->errno_offset = 0x1b26e8ff8 + CACHE_DIFF; // we can get that by getting a raw syscall (for example ___mmap, then searching for a branch following that and then searching for an adrp and a str)
+ offsets->mach_msg_offset = 0x1b0ecd018 + CACHE_DIFF; // address of label _NDR_record, we need to map it before using it
+ offsets->longjmp = 0x180b126e8; // dlsym of __longjmp
+ offsets->mmap = 0x18097cbe8; // dlsym of ___mmap
+ offsets->memcpy = 0x18095d614; // dlsym of _memcpy
+ offsets->open = 0x18097ce4c; // dlsym of ___open
+ offsets->fcntl_raw_syscall = 0x18097c404; // dlsym of ___fcntl
+ offsets->rootdomainUC_vtab = 0xfffffff00708e188; // find __ZTV20RootDomainUserClient in kernel, first non-zero byte
+ offsets->swapprefix_addr = 0xfffffff0075b18cc; // search for the string "/private/var/vm/swapfile" (or "/var/vm/swapfile" on 10.3.4) in the kernel, that's the right address
 }
 #else
 if (DEVICE_EQUAL_TO(@"iPhone5,1") && SYSTEM_VERSION_EQUAL_TO(@"10.3.4")) {
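Review bot: Roughly half of this new iPod7,1 block is byte-identical to the iPhone8,1 block added in the previous hunk — all of `struct_offsets.*`, `iosurface.*` and `userland_funcs.*`, plus `dns4_array_to_lcconf`, `str_buff_offset`, `slide_value`, `pivot_x21`, `pivot_x21_x9_offset`, `lcconf_counter_offset`, `cache_text_seg_size`, `str_x0_gadget`, `str_x0_gadget_offset`, `cbz_x0_gadget`, `add_x0_gadget` and the `longjmp` … `rootdomainUC_vtab` run — while only the kernel-side addresses, `max_slide`, `memmove`, `BEAST_GADGET`, `cbz_x0_x16_load`, `errno_offset`, `mach_msg_offset` and `swapprefix_addr` actually differ. Copying 78 lines per device is exactly how a single mistyped nibble in a kernel address hides until it panics someone's phone; factor the values that are identical across the two 11.4.1 blocks into a static helper so each device branch holds only what was measured on that device. That also fixes the garbled `// static (SHARED_REGION_BASE_ARM64 in )` comment once instead of twice, and makes any future divergence between the two blocks a visible edit rather than a silent drift. The closing `}` / `#else` context shows this branch ends the arm64 chain, but `populate_offsets` itself continues outside the hunk.

```objective-c
/* Values that are identical in the iPhone8,1 and iPod7,1 11.4.1 entries (and, where visible, the iPhone8,4 one).
 * Call first from a device branch, then assign only the addresses measured on that device. */
static void populate_offsets_11_4_1_common(offsets_t* liboffsets, offset_struct_t* offsets)
{
    liboffsets->flags = FLAG_SOCK_PORT | FLAG_LIGHTSPEED;
    liboffsets->constant.old_cache_addr = 0x180000000; // static (SHARED_REGION_BASE_ARM64 in <mach/shared_region.h>)
    liboffsets->constant.new_cache_addr = 0x1c0000000; // static (SHARED_REGION_SIZE_ARM64 is 0x40000000 until iOS 12)
    liboffsets->constant.kernel_image_base = 0xfffffff007004000; // static
    // … unchanged: struct_offsets.*, iosurface.*, userland_funcs.* exactly as in the iPod7,1 block …
    // … unchanged: dns4_array_to_lcconf, str_buff_offset, slide_value, pivot_x21, pivot_x21_x9_offset, lcconf_counter_offset, cache_text_seg_size …
    // … unchanged: str_x0_gadget, str_x0_gadget_offset, cbz_x0_gadget, add_x0_gadget, longjmp, mmap, memcpy, open, fcntl_raw_syscall, rootdomainUC_vtab …
}

// … in populate_offsets, the iPod7,1 branch then shrinks to the device-specific values:
    } else if (DEVICE_EQUAL_TO(@"iPod7,1") && SYSTEM_VERSION_EQUAL_TO(@"11.4.1")) {
        foundOffsets = true; // These offsets exist
        populate_offsets_11_4_1_common(liboffsets, offsets);
        liboffsets->funcs.copyin = 0xfffffff0071aaa00; // symbol (_copyin)
        // … unchanged: remaining kernel addresses, max_slide, memmove, BEAST_GADGET, cbz_x0_x16_load, errno_offset, mach_msg_offset, swapprefix_addr …
```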