API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Jan 21st, 2019
108
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Objective C 20.26 KB | None | 0 0
raw download clone embed print report
  1.  
  2. //
  3. //  ViewController.m
  4. //  JBDBG
  5. //
  6. //  Created by Jake James on 11/8/18.
  7. //  Copyright © 2018 Jake James. All rights reserved.
  8. //
  9.  
  10. #import "ViewController.h"
  11. #import <mach/mach.h>
  12. #import "jelbrekLib/jelbrekLib.h"
  13. #import <sys/stat.h>
  14. #import "vnode.h"
  15. #import "mount.h"
  16. #import "proc.h"
  17. #import "task.h"
  18. #import <sys/syscall.h>
  19.  
  20. #import <sys/mount.h>
  21. #include <sys/spawn.h>
  22.  
  23. #define __FILENAME__ (__builtin_strrchr(__FILE__, '/') ? __builtin_strrchr(__FILE__, '/') + 1 : __FILE__)
  24. #define _assert(test, message) do \
  25. if (!(test)) { \
  26. fprintf(stderr, "__assert(%d:%s)@%s:%u[%s]\n", errno, #test, __FILENAME__, __LINE__, __FUNCTION__); \
  27. if (message) \
  28. showAlert(@"Error", [NSString stringWithFormat:@"Errno: %d\nTest: %s\nFilename: %s\nLine: %d\nFunction: %s\nDescription: %s", errno, #test, __FILENAME__, __LINE__, __FUNCTION__, message], 1, 0); \
  29. else \
  30. showAlert(@"Error", [NSString stringWithFormat:@"Errno: %d\nTest: %s\nFilename: %s\nLine: %d\nFunction: %s", errno, #test, __FILENAME__, __LINE__, __FUNCTION__], 1, 0); \
  31. term_jelbrek(); \
  32. exit(1); \
  33. } \
  34. while (false)
  35.  
  36. #define NOTICE(msg, wait, destructive) showAlert(@"Notice", @(msg), wait, destructive)
  37.  
  38. static inline void showAlert(NSString *title, NSString *message, Boolean wait, Boolean destructive) {
  39.     dispatch_semaphore_t semaphore;
  40.     if (wait)
  41.         semaphore = dispatch_semaphore_create(0);
  42.     dispatch_async(dispatch_get_main_queue(), ^{
  43.         [[[[[UIApplication sharedApplication] delegate] window] rootViewController] dismissViewControllerAnimated:YES completion:nil];
  44.         UIAlertController *alertController = [UIAlertController alertControllerWithTitle:title message:message preferredStyle:UIAlertControllerStyleAlert];
  45.         UIAlertAction *OK = [UIAlertAction actionWithTitle:@"OK" style:destructive ? UIAlertActionStyleDestructive : UIAlertActionStyleDefault handler:^(UIAlertAction * _Nonnull action) {
  46.             if (wait)
  47.                 dispatch_semaphore_signal(semaphore);
  48.         }];
  49.         [alertController addAction:OK];
  50.         [alertController setPreferredAction:OK];
  51.         [[[[[UIApplication sharedApplication] delegate] window] rootViewController] presentViewController:alertController animated:YES completion:nil];
  52.     });
  53.     if (wait)
  54.         dispatch_semaphore_wait(semaphore, DISPATCH_TIME_FOREVER);
  55. }
  56.  
  57. // dummy func so I can do sizeof(struct whatever); if I don't use the struct at least once in code lldb will error out saying it's undefined
  58. void func() {
  59.     struct vnode a;
  60.     printf("a: 0x%x\n", a.v_id);
  61.     struct mount_struct b;
  62.     printf("b: %p\n", b.mnt_data);
  63.     struct proc c;
  64.     printf("c: %p\n", c.p_ucred);
  65.     struct task d;
  66.     printf("c: %p\n", d.itk_self);
  67.     cpu_data_t ab;
  68.     printf("d: %lx\n", ab.cpu_reset_handler);
  69. }
  70.  
  71. // stuff i took from sbingner's code to iterate vnodes and patch the mount struct to be the snapshot's one (it's already the root one, so that's left to try); i'm not using this anymore
  72.  
  73. #define tailq_empty(head)    (tailq_first(head)==0)
  74. #define MNT_LITER    0x00000010    /* mount in iteration */
  75.  
  76. enum vtype    {
  77.     /* 0 */
  78.     VNON,
  79.     /* 1 - 5 */
  80.     VREG, VDIR, VBLK, VCHR, VLNK,
  81.     /* 6 - 10 */
  82.     VSOCK, VFIFO, VBAD, VSTR, VCPLX
  83. };
  84.  
  85. size_t kstrlen(uint64_t strptr) {
  86.     return (size_t)Kernel_Execute(find_symbol("_strlen", false) + KASLR_Slide, strptr, 0, 0, 0, 0, 0, 0);
  87. }
  88.  
  89. void lck_mtx_lock(uint64_t mtx) {
  90.     Kernel_Execute(find_symbol("_lck_mtx_lock", false) + KASLR_Slide, mtx, 0, 0, 0, 0, 0, 0);
  91. }
  92.  
  93. void lck_mtx_unlock(uint64_t mtx) {
  94.     Kernel_Execute(find_symbol("_lck_mtx_unlock", false) + KASLR_Slide, mtx, 0, 0, 0, 0, 0, 0);
  95. }
  96.  
  97. void mount_iterate_lock(uint64_t mp) {
  98.     lck_mtx_lock(mp + 0x9f0); // mnt_iter_lock
  99. }
  100.  
  101. void mount_iterate_unlock(uint64_t mp) {
  102.     lck_mtx_unlock(mp + 0x9f0); // mnt_iter_lock
  103. }
  104.  
  105. void mount_lock(uint64_t mp) {
  106.     lck_mtx_lock(mp + 0x18); // mlock
  107. }
  108.  
  109. void mount_unlock(uint64_t mp) {
  110.     lck_mtx_unlock(mp + 0x18); // mlock
  111. }
  112.  
  113. void vnode_iterate_setup(uint64_t mp) {
  114.     uint32_t mnt_lflag = KernelRead_32bits(mp + 0x7c); // mnt_lflag
  115.     mnt_lflag |= MNT_LITER;
  116.     KernelWrite_32bits(mp + 0x7c, mnt_lflag);
  117. }
  118.  
  119. void vnode_iterate_clear(uint64_t mp) {
  120.     uint32_t mnt_lflag = KernelRead_32bits(mp + 0x7c); // mnt_lflag
  121.     mnt_lflag &= ~MNT_LITER;
  122.     KernelWrite_32bits(mp + 0x7c, mnt_lflag);
  123. }
  124.  
  125. uint64_t tailq_first(uint64_t head) {
  126.     return KernelRead_64bits(head + 0x0); // tqh_first
  127. }
  128.  
  129. uint64_t tailq_next(uint64_t elm, unsigned int field_offset) {
  130.     return KernelRead_64bits(elm + field_offset + 0x0);
  131. }
  132.  
  133. void tailq_init(uint64_t head) {
  134.     KernelWrite_64bits(head + 0x0, 0); // tailq_first((head)) = NULL;
  135.     KernelWrite_64bits(head + 0x8, head + 0x0); // (head)->tqh_last = &tailq_first((head));
  136. }
  137.  
  138. void tailq_remove(uint64_t head, uint64_t elm, unsigned int field_offset) {
  139.     uint64_t tq_next_ref = tailq_next(elm, field_offset);
  140.     if (tq_next_ref != 0) {
  141.         KernelWrite_64bits(tq_next_ref + field_offset + 0x8, KernelRead_64bits(elm + field_offset + 0x8)); // tailq_next((elm), field)->field.tqe_prev = (elm)->field.tqe_prev;
  142.     } else {
  143.         KernelWrite_64bits(head + 0x8, KernelRead_64bits(elm + field_offset + 0x8)); // (head)->tqh_last = (elm)->field.tqe_prev;
  144.     }
  145.     uint64_t prev_ref = KernelRead_64bits(elm + field_offset + 0x8);
  146.     KernelWrite_64bits(prev_ref, tq_next_ref); // *(elm)->field.tqe_prev = tailq_next((elm), field);
  147. }
  148.  
  149. void tailq_insert_tail(uint64_t head, uint64_t elm, unsigned int field_offset) {
  150.     KernelWrite_64bits(elm + field_offset + 0x0, 0); // tailq_next((elm), field) = NULL;
  151.     KernelWrite_64bits(elm + field_offset + 0x8, KernelRead_64bits(head + 0x8)); // (elm)->field.tqe_prev = (head)->tqh_last;
  152.     KernelWrite_64bits(KernelRead_64bits(head + 0x8), elm); // *(head)->tqh_last = (elm);
  153.     KernelWrite_64bits(head + 0x8, elm + field_offset + 0x0); // (head)->tqh_last = &tailq_next((elm), field);
  154. }
  155.  
  156. int vnode_iterate_prepare(uint64_t mp) {
  157.     uint64_t vp;
  158.    
  159.     uint64_t mp_mnt_vnodelist = mp + 0x40; // &mp->mnt_vnodelist
  160.    
  161.     if (tailq_empty(mp_mnt_vnodelist))
  162.         return 0;
  163.    
  164.     vp = tailq_first(mp_mnt_vnodelist);
  165.     KernelWrite_64bits(vp + 0x20 + 0x8, mp + 0x50 + 0x0); // vp->v_mntvnodes.tqe_prev = &(mp->mnt_workerqueue.tqh_first)
  166.     KernelWrite_64bits(mp + 0x50 + 0x0, vp); // mp->mnt_workerqueue.tqh_first = mp->mnt_vnodelist.tqh_first;
  167.     KernelWrite_64bits(mp + 0x50 + 0x8, KernelRead_64bits(mp + 0x40 + 0x8)); // mp->mnt_workerqueue.tqh_last = mp->mnt_vnodelist.tqh_last;
  168.     tailq_init(mp + 0x40);
  169.     if (!tailq_empty(mp + 0x60)) { //     if (mp->mnt_newvnodes.tqh_first != NULL) panic("vnode_iterate_prepare: newvnode when entering vnode");
  170.         fprintf(stderr, "!tailq_empty(mp + offsetof_mnt_newvnodes)\n");
  171.         return 0;
  172.     }
  173.    
  174.     tailq_init(mp + 0x60);
  175.    
  176.     return 1;
  177. }
  178.  
  179. uint16_t rk16(uint64_t addr) {
  180.     uint16_t data;
  181.     KernelRead(addr, &data, 2);
  182.     return data;
  183. }
  184.  
  185. void wk16(uint64_t addr, uint16_t what) {
  186.     uint16_t data = what;
  187.     KernelWrite(addr, &data, 2);
  188. }
  189.  
  190. int vnode_iterate(uint64_t mp, uint64_t newmp) {
  191.     uint64_t vp;
  192.     int retval;
  193.     int ret=0;
  194.    
  195.     mount_iterate_lock(mp);
  196.     mount_lock(mp);
  197.     vnode_iterate_setup(mp);
  198.    
  199.     retval = vnode_iterate_prepare(mp);
  200.     fprintf(stderr, "vnode_iterate_prepare(mp): %d\n", retval);
  201.     if (retval == 0) {
  202.         vnode_iterate_clear(mp);
  203.         mount_unlock(mp);
  204.         mount_iterate_unlock(mp);
  205.         return ret;
  206.     }
  207.    
  208.     while (!tailq_empty(mp + 0x50)) {
  209.         vp = tailq_first(mp + 0x50);
  210.         tailq_remove(mp + 0x50, vp, 0x20);
  211.         tailq_insert_tail(mp + 0x40, vp, 0x20);
  212.        
  213.         if ((KernelRead_64bits(vp + 0xe0) == 0) || (rk16(vp + 0x70) == VNON) || (KernelRead_64bits(vp + 0xd8) != mp)) {
  214.             continue;
  215.         }
  216.        
  217.         mount_unlock(mp);
  218.        
  219.         lck_mtx_lock(vp + 0);
  220.         //printf("Found vnode: 0x%llx\n", vp);
  221.         KernelWrite_64bits(vp + 0xd8, newmp); // FIXME: this made my device freeze
  222.         lck_mtx_unlock(vp + 0);
  223.        
  224.         mount_lock(mp);
  225.     }
  226.    
  227.     out:
  228.    
  229.     printf("Party is over\n");
  230.    
  231.     vnode_iterate_clear(mp);
  232.     mount_unlock(mp);
  233.     mount_iterate_unlock(mp);
  234.     return ret;
  235. }
  236.  
  237. @interface ViewController ()
  238. @property (weak, nonatomic) IBOutlet UIButton *goButton;
  239. @end
  240.  
  241. // doesn't follow symlinks (see flag); don't remember why I added this
  242. uint64_t get_vnode(char *path) {
  243.     uint64_t *vnode_ptr = (uint64_t *)malloc(8);
  244.     if (vnode_lookup(path, 1, vnode_ptr, get_vfs_context())) {
  245.         printf("[-] unable to get vnode from path for %s\n", path);
  246.         free(vnode_ptr);
  247.         return -1;
  248.     }
  249.     else {
  250.         uint64_t vnode = *vnode_ptr;
  251.         free(vnode_ptr);
  252.         return vnode;
  253.     }
  254. }
  255. @implementation ViewController
  256.  
  257. mach_port_t tfp0 = MACH_PORT_NULL;
  258. uint64_t orig_mnt_data = 0, root_mount = 0;
  259. bool hidden = false;
  260.  
  261. - (void)viewDidLoad {
  262.     [super viewDidLoad];
  263.     // Do any additional setup after loading the view, typically from a nib.
  264.    
  265.     host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &tfp0);
  266.    
  267.     if (!MACH_PORT_VALID(tfp0)) {
  268.         [self.goButton setTitle:@"Can't get tfp0" forState:UIControlStateNormal];
  269.         [self.goButton setEnabled:false];
  270.         return;
  271.     }
  272.    
  273.     printf("tfp0: 0x%x\n", tfp0);
  274.    
  275.     if (access("/bin/bash", F_OK)) {
  276.         [self.goButton setTitle:@"Unhide Jailbreak" forState:UIControlStateNormal];
  277.     }
  278.     else {
  279.         [self.goButton setTitle:@"Hide Jailbreak" forState:UIControlStateNormal];
  280.     }
  281. }
  282.  
  283. - (IBAction)go:(id)sender {
  284.    
  285.     printf("Got called!\n");
  286.    
  287.     init_jelbrek(tfp0);
  288.    
  289.     if (getuid()) {
  290.         printf("Getting root and unsandboxing...\n");
  291.         rootify(getpid());
  292.         unsandbox(getpid());
  293.        
  294.         //setHSP4();
  295.        
  296.         _assert(getuid() == 0, "Failed to get root");
  297.     }
  298.    
  299.     if (!hidden) {
  300.        
  301.         printf("Detected jailbreak, hiding...\n");
  302.        
  303.         char *message = "Failed to mount system snapshot";
  304.        
  305.         if (!access("/var/tmp/origfs", F_OK)) {
  306.             printf("Found origfs, cleaning up...\n");
  307.            
  308.             if (!access("/var/tmp/origfs/sbin/launchd", F_OK)) goto mounted;
  309.             _assert(rmdir("/var/tmp/origfs") == 0, message);
  310.         }
  311.        
  312.         printf("Creating origfs & mounting\n");
  313.        
  314.         _assert(mkdir("/var/tmp/origfs", 0755) == 0, message);
  315.        
  316.         if (snapshot_check("/", "electra-prejailbreak") == 1) {
  317.             _assert(mountSnapshot("/", "electra-prejailbreak", "/var/tmp/origfs") == 0, message);
  318.         } else if (snapshot_check("/", "orig-fs") == 1) {
  319.             _assert(mountSnapshot("/", "orig-fs", "/var/tmp/origfs") == 0, message);
  320.         } else {
  321.             _assert(mountSnapshot("/", find_system_snapshot(), "/var/tmp/origfs") == 0, message);
  322.         }
  323.         _assert(!access("/var/tmp/origfs/sbin/launchd", F_OK), message);
  324.        
  325.     mounted:;
  326.        
  327.         printf("Mounted orig snapshot\n");
  328.        
  329.         uint64_t snapshot_vnode = getVnodeAtPath("/private/var/tmp/origfs");
  330.         uint64_t root_vnode = getVnodeAtPath("/");
  331.        
  332.         uint64_t snapshot_mount = KernelRead_64bits(snapshot_vnode + offsetof(struct vnode, v_mount));
  333.         root_mount = KernelRead_64bits(root_vnode + offsetof(struct vnode, v_mount));
  334.        
  335.         uint64_t snapshot_mount_data = KernelRead_64bits(snapshot_mount + offsetof(struct mount_struct, mnt_data));
  336.         orig_mnt_data = KernelRead_64bits(root_mount + offsetof(struct mount_struct, mnt_data));
  337.        
  338.         // this just starts looking for pointers to see if i find interesting stuff, so far nothing
  339.        
  340.         /*for (uint32_t i = 0; i < 0x2000; i++) {
  341.          uint64_t val = KernelRead_64bits(orig_mnt_data + i);
  342.          if (val > KernelBase) {
  343.          printf("+ 0x%llx\n", val);
  344.          }
  345.          }*/
  346.        
  347.         printf("Overwriting mount data...\n");
  348.        
  349.         // experiments
  350.        
  351.         //KernelWrite_64bits(snapshot_vnode + offsetof(struct vnode, v_label), KernelRead_64bits(root_vnode + offsetof(struct vnode, v_label)));
  352.         //(void)KernelWrite_64bits(snapshot_vnode + offsetof(struct vnode, v_data), (uint64_t)KernelRead_64bits(root_vnode + offsetof(struct vnode, v_data)));
  353.        
  354.         // back when we were trying to get double-mount working but failed because I was messing the type of something I don't remember
  355.        
  356.         /*uint64_t vardev_vnode = getVnodeAtPath("/dev/disk0s1s2");
  357.          uint64_t specinfo = KernelRead_64bits(vardev_vnode + 0x78);
  358.          uint32_t specflags = KernelRead_32bits(specinfo + 0x10);
  359.          int32_t opencount = KernelRead_32bits(specinfo + 0x20);
  360.          
  361.          // step 1: clear si_flags
  362.          KernelWrite_32bits(specinfo + 0x10, 0);
  363.          
  364.          // step 2: clear si_opencount
  365.          KernelWrite_32bits(specinfo + 0x1c, 0);
  366.          
  367.          // test
  368.          int vcount = (int)Kernel_Execute(find_symbol("_vcount", false) + KASLR_Slide, vardev_vnode, 0, 0, 0, 0, 0, 0);
  369.          printf("vcount returned: %d\n", vcount);
  370.          
  371.          // step 3: remove VMOUNT
  372.          uint32_t v_flags = KernelRead_32bits(vardev_vnode + 0x54);
  373.          printf("v_flags now: 0x%x and then: 0x%x\n", v_flags, v_flags & ~0x80);
  374.          KernelWrite_32bits(vardev_vnode + 0x54, v_flags & ~0x80);
  375.          
  376.          // step 4: double-mount /dev/disk0s1s2
  377.          uint64_t creds = borrowCredsFromPid(getpid(), 0);
  378.          int ret = mountDevAtPathAsRW("/dev/disk0s1s2", "/private/var/tmp/origfs/private/var");
  379.          printf("Double mount returned: %d\n", ret);
  380.          if (ret) {
  381.          printf("Err: %s\n", strerror(errno));
  382.          }
  383.          undoCredDonation(getpid(), creds);
  384.          
  385.          // step 5: clean up
  386.          KernelWrite_32bits(specinfo + 0x10, specflags);
  387.          KernelWrite_32bits(specinfo + 0x1c, opencount);
  388.          KernelWrite_32bits(vardev_vnode + 0x54, v_flags);
  389.          
  390.          vnode_put(vardev_vnode);
  391.          vnode_put(root_vnode);
  392.          vnode_put(snapshot_vnode);
  393.          
  394.          /*uint64_t creds = borrowCredsFromPid(getpid(), 0);
  395.          int ret = unmount("/private/var", 0);
  396.          printf("unmount: %d\n", ret);
  397.          if (ret) printf("ERR: %s\n", strerror(errno));
  398.          else {
  399.          int ret = mountDevAtPathAsRW("/dev/disk0s1s2", "/private/var/tmp/origfs/private/var");
  400.          printf("Mount returned: %d\n", ret);
  401.          if (ret) printf("ERR: %s\n", strerror(errno));
  402.          }
  403.          undoCredDonation(getpid(), creds);*/
  404.        
  405.         // step 4: swap root's mnt_data with /private/var/tmp/origfs
  406.        
  407.         /*[[NSFileManager defaultManager] removeItemAtPath:@"/var/containers/Bundle/iosbinpack64/usr/bin/ldrestart" error:nil];
  408.          [[NSFileManager defaultManager] copyItemAtPath:@"/var/mobile/Media/ldrestart" toPath:@"/var/containers/Bundle/iosbinpack64/usr/bin/ldrestart" error:nil];
  409.          chmod("/var/containers/Bundle/iosbinpack64/usr/bin/ldrestart", 777);*/
  410.        
  411.         //[[NSFileManager defaultManager] copyItemAtPath:@"/jb/spawn" toPath:@"/var/containers/Bundle/iosbinpack64/spawnPlatform" error:nil];
  412.        
  413.         // bool a = [[NSFileManager defaultManager] copyItemAtPath:@"/usr/bin/ldrestart" toPath:@"/var/containers/Bundle/iosbinpack64/usr/bin/ldrestart" error:nil];
  414.         bool a = [[NSFileManager defaultManager] copyItemAtPath:@"/bin/launchctl" toPath:@"/var/containers/Bundle/iosbinpack64/bin/launchctl" error:nil];
  415.         printf("%d\n", a);
  416.        
  417.         trustbin("/var/containers/Bundle/iosbinpack64");
  418.        
  419.         // get vnode of /private/var and snapshot's /private var
  420.         uint64_t varvp = getVnodeAtPath("/private/var");
  421.         uint64_t snapvp = getVnodeAtPath("/private/var/tmp/origfs/private/var");
  422.        
  423.         // write root's mount struct into snapshot's mount data
  424.         KernelWrite_64bits(snapshot_mount_data + 0x1a0, root_mount);
  425.        
  426.         // me experimenting other stuff
  427.        
  428.         // get vnode of snapshot's device
  429.         // uint64_t rootdevvp = KernelRead_64bits(root_mount + offsetof(struct mount_struct, mnt_devvp));
  430.         // uint64_t snapdevvp = KernelRead_64bits(KernelRead_64bits(snapvp + offsetof(struct vnode, v_mount)) + offsetof(struct mount_struct, mnt_devvp));
  431.        
  432.         // write snapshot's device into root's struct mount
  433.         // KernelWrite_64bits(root_mount + offsetof(struct mount_struct, mnt_devvp), snapdevvp);
  434.        
  435.         // write the original vnode into the snapshot vnode
  436.         void *vp = malloc(sizeof(struct vnode));
  437.         KernelRead(varvp, vp, sizeof(struct vnode));
  438.         KernelWrite(snapvp, vp, sizeof(struct vnode));
  439.         vnode_put(varvp);
  440.        
  441.         //KernelRead(snapshot_vnode, vp, sizeof(struct vnode));
  442.         //KernelWrite(root_vnode, vp, sizeof(struct vnode));
  443.         free(vp);
  444.        
  445.         // me opening files to analyze their vnodes
  446.         //int fd1 = open("/private/var/mobile/Library/Cydia/metadata.cb0", O_RDONLY);
  447.         //int fd2 = open("/Applications/Preferences.app/Preferences", O_RDONLY);
  448.         //int fd3 = open("/Applications/Cydia.app/Cydia", O_RDONLY);
  449.        
  450.         // do it
  451.         KernelWrite_64bits(root_mount + offsetof(struct mount_struct, mnt_data), snapshot_mount_data);
  452.        
  453.         // not working
  454.         int ret = syscall(SYS_vfs_purge);
  455.        
  456.         printf("%d", ret);
  457.         //vnode_put(snapvp);
  458.        
  459.         term_jelbrek();
  460.        
  461.         // restart userland
  462.         //ret = launch("/var/containers/Bundle/iosbinpack64/bin/bash", "-c", "/var/containers/Bundle/iosbinpack64/usr/bin/nohup /var/containers/Bundle/iosbinpack64/bin/bash -c \"/var/containers/Bundle/iosbinpack64/bin/launchctl unload /System/Library/LaunchDaemons/com.apple.backboardd.plist && /var/containers/Bundle/iosbinpack64/usr/bin/ldrestart; /var/containers/Bundle/iosbinpack64/bin/launchctl load /System/Library/LaunchDaemons/com.apple.backboardd.plist\" 2>&1 >/dev/null &", NULL, NULL, NULL, NULL, NULL);
  463.        
  464.         // panic
  465.         ret = launch("/var/containers/Bundle/iosbinpack64/bin/launchctl", "reboot", "userspace", NULL, NULL, NULL, NULL, NULL);
  466.        
  467.         printf("%d", ret);
  468.        
  469.         //ret = launch("/var/containers/Bundle/iosbinpack64/usr/bin/ldrestart", NULL, NULL, NULL, NULL, NULL, NULL, NULL);
  470.        
  471.        
  472.        
  473.         // idk. probably experimenting as well
  474.        
  475.         /*  // step 5: clean up
  476.          KernelWrite_32bits(specinfo + 0x10, specflags);
  477.          KernelWrite_32bits(specinfo + 0x1c, opencount);
  478.          vnode_put(vardev_vnode);
  479.          vnode_put(root_vnode);
  480.          vnode_put(snapshot_vnode);*/
  481.        
  482.        
  483.         /*uint64_t varvp = getVnodeAtPath("/private/var");
  484.          uint64_t snapvp = getVnodeAtPath("/private/var/tmp/origfs/private/var");
  485.          
  486.          void *vp = malloc(232);
  487.          KernelRead(varvp, vp, 232);
  488.          KernelWrite(snapvp, vp, 232);
  489.          free(vp);
  490.          
  491.          KernelWrite_64bits(snapshot_mount_data + 0x1a0, root_mount);
  492.          KernelWrite_64bits(root_mount + 0x8f8, snapshot_mount_data);
  493.          
  494.          vnode_put(varvp);*/
  495.         //vnode_put(snapvp);
  496.        
  497.         //KernelWrite_64bits(root_mount + offsetof(struct mount_struct, mnt_vnodecovered), KernelRead_64bits(snapshot_mount + offsetof(struct mount_struct, mnt_vnodecovered)));
  498.         //KernelWrite_64bits(root_mount + offsetof(struct mount_struct, mnt_devvp), KernelRead_64bits(snapshot_mount + offsetof(struct mount_struct, mnt_devvp)));
  499.        
  500.         //vnode_iterate(root_mount, snapshot_mount);
  501.        
  502.         //KernelWrite_64bits(root_vnode + 0xd8, snapshot_mount);
  503.        
  504.         //term_jelbrek();
  505.        
  506.         hidden = true;
  507.     }
  508.     else {
  509.        
  510.         if (!orig_mnt_data || !root_mount) {
  511.             NOTICE("Error unhiding jailbreak", 1, 0);
  512.         }
  513.         else {
  514.             printf("Undoing stuff...\n");
  515.             KernelWrite_64bits(root_mount + 0x8f8, orig_mnt_data);
  516.         }
  517.        
  518.         term_jelbrek();
  519.        
  520.         hidden = false;
  521.     }
  522. }
  523.  
  524.  
  525. - (void)didReceiveMemoryWarning {
  526.     [super didReceiveMemoryWarning];
  527.     // Dispose of any resources that can be recreated.
  528. }
  529.  
  530.  
  531. @end
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!