Merge branch 'opa334:master' into master

roothide · Oct 13, 2023 · 7d52618 · 7d52618
2 parents f1e3183 + df0a1d8
commit 7d52618
Show file tree

Hide file tree

Showing 48 changed files with 814 additions and 782 deletions.
diff --git a/BaseBin/_external/fallback/CydiaSubstrate.framework/CydiaSubstrate b/BaseBin/_external/fallback/CydiaSubstrate.framework/CydiaSubstrate
diff --git a/BaseBin/_shared/libellekit.tbd b/BaseBin/_shared/libellekit.tbd
@@ -1,12 +1,12 @@
 --- !tapi-tbd
 tbd-version:           4
-targets:               [ arm64, arm64e ]
+targets:               [ arm64-ios, arm64e-ios ]
 flags:                 [ flat_namespace, not_app_extension_safe ]
 install-name:          '@rpath/CydiaSubstrate.framework/CydiaSubstrate'
 current-version:       1
 compatibility-version: 1
 exports:
-  - targets:              [ arm64, arm64e ]
+  - targets:              [ arm64-ios, arm64e-ios ]
     symbols:              [ _$s7ellekit10LHStrErrorySVSgSo13LIBHOOKER_ERRVF,
                             _$s7ellekit10MSHookIvarySvSgyXlXp_SStF,
                             _$s7ellekit10findSymbol5image6symbolSVSgSV_SStKF,

diff --git a/BaseBin/boomerang/src/main.m b/BaseBin/boomerang/src/main.m
@@ -16,8 +16,7 @@ int launchdInitPPLRW(void)
 
 	int error = xpc_dictionary_get_int64(reply, "error");
 	if (error == 0) {
-		uint64_t magicPage = xpc_dictionary_get_uint64(reply, "magicPage");
-		initPPLPrimitives(magicPage);
+		initPPLPrimitives();
 		return 0;
 	}
 	else {
@@ -35,10 +34,7 @@ void getPrimitives(void)
 		if (identifier) {
 			if ([identifier isEqualToString:@"receivePPLRW"])
 			{
-				uint64_t magicPage = [(NSNumber*)message[@"magicPage"] unsignedLongLongValue];
-				if (magicPage) {
-					initPPLPrimitives(magicPage);
-				}
+				initPPLPrimitives();
 				dispatch_semaphore_signal(sema);
 			}
 		}
@@ -60,9 +56,8 @@ void sendPrimitives(void)
 		NSString *identifier = message[@"id"];
 		if (identifier) {
 			if ([identifier isEqualToString:@"getPPLRW"]) {
-				uint64_t magicPage = 0;
-				int ret = handoffPPLPrimitives(1, &magicPage);
-				[gHandler sendMessage:@{@"id" : @"receivePPLRW", @"magicPage" : @(magicPage), @"errorCode" : @(ret), @"boomerangPid" : @(getpid())}];
+				int ret = handoffPPLPrimitives(1);
+				[gHandler sendMessage:@{@"id" : @"receivePPLRW", @"errorCode" : @(ret), @"boomerangPid" : @(getpid())}];
 			}
 			else if ([identifier isEqualToString:@"signThreadState"]) {
 				uint64_t actContextKptr = [(NSNumber*)message[@"actContext"] unsignedLongLongValue];

diff --git a/BaseBin/forkfix/src/litehook.c b/BaseBin/forkfix/src/litehook.c
@@ -1,4 +1,16 @@
 #include "litehook.h"
+#include <stdarg.h>
+#include <stdbool.h>
+#include <sys/types.h>
+#include <string.h>
+#include <sys/fcntl.h>
+#include <mach/mach.h>
+#include <mach/arm/kern_return.h>
+#include <mach/port.h>
+#include <mach/vm_prot.h>
+#include <mach-o/dyld.h>
+#include <dlfcn.h>
+#include <libkern/OSCacheControl.h>
 
 static uint64_t __attribute((naked)) __xpaci(uint64_t a)
 {
@@ -45,9 +57,9 @@ uint32_t br(uint8_t x)
 
 __attribute__((noinline, naked)) volatile kern_return_t litehook_vm_protect(mach_port_name_t target, mach_vm_address_t address, mach_vm_size_t size, boolean_t set_maximum, vm_prot_t new_protection)
 {
-    __asm("mov x16, #0xFFFFFFFFFFFFFFF2");
-    __asm("svc 0x80");
-    __asm("ret");
+	__asm("mov x16, #0xFFFFFFFFFFFFFFF2");
+	__asm("svc 0x80");
+	__asm("ret");
 }
 
 kern_return_t litehook_unprotect(vm_address_t addr, vm_size_t size)
@@ -62,20 +74,25 @@ kern_return_t litehook_protect(vm_address_t addr, vm_size_t size)
 
 kern_return_t litehook_hook_function(void *source, void *target)
 {
+	kern_return_t kr = KERN_SUCCESS;
+
 	uint32_t *toHook = (uint32_t*)xpaci((uint64_t)source);
 	uint64_t target64 = (uint64_t)xpaci((uint64_t)target);
 
-	kern_return_t kr = litehook_unprotect((vm_address_t)toHook, 5*4);
+	kr = litehook_unprotect((vm_address_t)toHook, 5*4);
 	if (kr != KERN_SUCCESS) return kr;
 
 	toHook[0] = movk(16, target64 >> 0, 0);
 	toHook[1] = movk(16, target64 >> 16, 16);
 	toHook[2] = movk(16, target64 >> 32, 32);
 	toHook[3] = movk(16, target64 >> 48, 48);
 	toHook[4] = br(16);
+	uint32_t hookSize = 5 * sizeof(uint32_t);
 
-	kr = litehook_protect((vm_address_t)toHook, 5*4);
+	kr = litehook_protect((vm_address_t)toHook, hookSize);
 	if (kr != KERN_SUCCESS) return kr;
 
+	sys_icache_invalidate(toHook, hookSize);
+
 	return KERN_SUCCESS;
 }
diff --git a/BaseBin/forkfix/src/main.c b/BaseBin/forkfix/src/main.c
@@ -34,11 +34,6 @@ static void closePipes(void)
 
 void child_fixup(void)
 {
-	// late fixup, normally done in ASM
-	// ASM is a bitch though and I couldn't figure out how to do this
-	extern pid_t _current_pid;
-	_current_pid = 0;
-
 	// Tell parent we are waiting for fixup now
 	char msg = ' ';
 	ffsys_write(childToParentPipe[1], &msg, sizeof(msg));

diff --git a/BaseBin/forkfix/src/syscall.S b/BaseBin/forkfix/src/syscall.S
@@ -12,8 +12,9 @@ _ffsys_fork:
 	b.cs _ffsys_fork_err
 	cbz x1, _ffsys_fork_end
 	mov w0, #0
-	// normally _current_pid is set here
-	// I do it in C, because I couldn't figure out how to properly do it in ASM
+	adrp x9, __current_pid@GOTPAGE
+	ldr x9, [x9, __current_pid@GOTPAGEOFF]
+	str w0, [x9]
 	b _ffsys_fork_end
 
 _ffsys_fork_err:

diff --git a/BaseBin/idownloadd/Makefile b/BaseBin/idownloadd/Makefile
@@ -9,8 +9,8 @@ build:
 	xcodebuild -archivePath ./.build -project $(XCODE_PROJECT) -scheme $(XCODE_SCHEME) -configuration $(CONFIGURATION) -destination generic/platform=iOS archive $(CS_FLAGS)
 	@cp -f ./.build.xcarchive/Products/usr/local/bin/$(OUTPUT_NAME) .
 	@rm -rf ./.build.xcarchive
-	@ldid -Sentitlements.plist $(OUTPUT_NAME)
 	@install_name_tool -change "/var/jb/basebin/libjailbreak.dylib" "@loader_path/libjailbreak.dylib" $(OUTPUT_NAME)
+	@ldid -Sentitlements.plist $(OUTPUT_NAME)
 
 clean:
 	xcodebuild -project $(XCODE_PROJECT) -scheme $(XCODE_SCHEME) -configuration $(CONFIGURATION) -destination generic/platform=iOS clean

diff --git a/BaseBin/idownloadd/src/idownloadd/iDownloadKRW.swift b/BaseBin/idownloadd/src/idownloadd/iDownloadKRW.swift
@@ -23,9 +23,8 @@ public class iDownloadKRW: KRWHandler {
     }
 
     public func virtToPhys(address: UInt64) throws -> UInt64 {
-        var failure: Bool = false
-        let phys = va_to_pa(bootInfo_getUInt64("physical_ttep"), address, &failure)
-        if (failure) {
+        let phys = kvtophys(address);
+        if (phys == 0) {
             throw KRWError.customError(description: "Address translation failure")
         }
         return phys;

diff --git a/BaseBin/jailbreakd/src/JBDTCPage.h b/BaseBin/jailbreakd/src/JBDTCPage.h
@@ -9,26 +9,20 @@
 
 extern NSMutableArray<JBDTCPage *> *gTCPages;
 extern NSMutableArray<NSNumber *> *gTCUnusedAllocations;
-extern dispatch_queue_t gTCAccessQueue;
 BOOL tcPagesRecover(void);
 void tcPagesChanged(void);
 
 
 @interface JBDTCPage : NSObject
 {
-	trustcache_page* _mappedInPage;
-	void *_mappedInPageCtx;
-	uint32_t _mapRefCount;
+	trustcache_page* _page;
 }
 
-@property (nonatomic,readonly) uint64_t kaddr;
+@property (nonatomic) uint64_t kaddr;
 
 - (instancetype)initWithKernelAddress:(uint64_t)kaddr;
 - (instancetype)initAllocateAndLink;
 
-- (BOOL)mapIn;
-- (void)mapOut;
-
 - (void)sort;
 - (uint32_t)amountOfSlotsLeft;
 - (BOOL)addEntry:(trustcache_entry)entry;