diff --git a/.gitignore b/.gitignore index fc1741d..1998fdc 100644 --- a/.gitignore +++ b/.gitignore @@ -11,6 +11,7 @@ *.lo *.o *.patch +*.tar.zst *.po *.so *.swp diff --git a/src/ibootpatchfinder64.cpp b/src/ibootpatchfinder64.cpp index 49262b9..3c610e0 100644 --- a/src/ibootpatchfinder64.cpp +++ b/src/ibootpatchfinder64.cpp @@ -70,7 +70,7 @@ ibootpatchfinder64 *ibootpatchfinder64::make_ibootpatchfinder64(const void *buff assure(!strncmp((char*)&buf[IBOOT_VERS_STR_OFFSET], "iBoot", sizeof("iBoot")-1)); retassure(*(uint32_t*)&buf[0] == 0x90000000, "invalid magic"); - retassure(vers = atoi((char*)&buf[IBOOT_VERS_STR_OFFSET+6]), "No iBoot version found!\n"); + retassure(vers = atoi((char*)&buf[IBOOT_VERS_STR_OFFSET+6]), "No iBoot version found!"); std::string vers_str = std::string((char*)&buf[IBOOT_VERS_STR_OFFSET+6]); for(int i = 0; i < 5; i++) { std::size_t pos = vers_str.find('.'); diff --git a/src/ibootpatchfinder64_base.cpp b/src/ibootpatchfinder64_base.cpp index dfc1a21..516ba4a 100644 --- a/src/ibootpatchfinder64_base.cpp +++ b/src/ibootpatchfinder64_base.cpp @@ -52,7 +52,7 @@ ibootpatchfinder64_base::ibootpatchfinder64_base(const char * filename) : assure(_bufSize > 0x1000); assure(!strncmp((char*)&_buf[IBOOT_VERS_STR_OFFSET], "iBoot", sizeof("iBoot")-1)); - retassure(_vers = atoi((char*)&_buf[IBOOT_VERS_STR_OFFSET+6]), "No iBoot version found!\n"); + retassure(_vers = atoi((char*)&_buf[IBOOT_VERS_STR_OFFSET+6]), "No iBoot version found!"); debug("_vers: %d\n", _vers); if(_vers < 3000) { debug("1337: 1\n"); 
@@ -107,7 +107,7 @@ ibootpatchfinder64_base::ibootpatchfinder64_base(const void *buffer, size_t bufS assure(_bufSize > 0x1000); assure(!strncmp((char*)&_buf[IBOOT_VERS_STR_OFFSET], "iBoot", sizeof("iBoot")-1)); - retassure(_vers = atoi((char*)&_buf[IBOOT_VERS_STR_OFFSET+6]), "No iBoot version found!\n"); + retassure(_vers = atoi((char*)&_buf[IBOOT_VERS_STR_OFFSET+6]), "No iBoot version found!"); if(_vers < 3000) { stage1 = !strncmp((char *) &_buf[IBOOT_STAGE_STR_OFFSET], "iBSS", sizeof("iBSS") - 1); stage2 = !strncmp((char *) &_buf[IBOOT_STAGE_STR_OFFSET], "iBEC", sizeof("iBEC") - 1); @@ -279,6 +279,7 @@ std::vector ibootpatchfinder64_base::get_boot_arg_patch(const char *boota int default_boot_args_len = 0; bool _7429_0 = (_vers >= 7429 && _vers_arr[0] >= 0); bool _6723_100 = ((_vers == 6723 && _vers_arr[0] >= 100) || (_vers > 6723)) && !_7429_0; + bool _10151_0 = (_vers >= 10151 && _vers_arr[0] >= 0); try { default_boot_args_str_loc = _vmem->memstr(DEFAULT_BOOTARGS_STR); 
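Review bot: The new `bool _10151_0 = (_vers >= 10151 && _vers_arr[0] >= 0);` carries the `&& _vers_arr[0] >= 0` clause copied from `_7429_0`; if `_vers_arr` holds unsigned values that comparison is always true and only obscures the real condition, so `bool _10151_0 = _vers >= 10151;` would state it plainly (if the element type is signed the clause is still worth a comment explaining what a negative entry would mean). The flag is consumed only in the hunk at -359, inside the `(_6723_100 || _7429_0) && !dev` branch, which is consistent because any build with `_vers >= 10151` also satisfies `_7429_0`. A one-line comment next to the declaration, e.g. `// 10151+ builds: the sub that sets up the boot-args register follows the xref instead of preceding it`, would record why the flag exists, since nothing in this file says so. get_boot_arg_patch starts before this hunk and continues past it.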
@@ -295,27 +296,27 @@ std::vector ibootpatchfinder64_base::get_boot_arg_patch(const char *boota } } - assure(default_boot_args_str_loc); + retassure(default_boot_args_str_loc, "retassure: %d", __LINE__); default_boot_args_str_loc = dev ? default_boot_args_str_loc - 1 : default_boot_args_str_loc; debug("default_boot_args_str_loc=%p\n", default_boot_args_str_loc); if((_6723_100 || _7429_0) && !dev) { loc_t adr1 = 0; - assure(adr1 = find_literal_ref(default_boot_args_str_loc)); + retassure(adr1 = find_literal_ref(default_boot_args_str_loc), "retassure: %d", __LINE__); debug("adr1=%p\n", adr1); vmem iter(*_vmem, adr1); while (++iter != insn::b) continue; loc_t bootargstackvarbranch = 0; - assure(bootargstackvarbranch = (loc_t)iter().imm()); + retassure(bootargstackvarbranch = (loc_t)iter().imm(), "retassure: %d", __LINE__); debug("bootargstackvarbranch=%p\n", bootargstackvarbranch); iter = vmem(*_vmem,bootargstackvarbranch); while(++iter != insn::bl) continue; while(--iter != insn::nop) continue; loc_t bootargstackvar = iter().pc(); - assure(default_boot_args_xref = bootargstackvar); + retassure(default_boot_args_xref = bootargstackvar, "retassure: %d", __LINE__); debug("bootargstackvar=%p\n", bootargstackvar); } else { - assure(default_boot_args_xref = find_literal_ref(default_boot_args_str_loc)); + retassure(default_boot_args_xref = find_literal_ref(default_boot_args_str_loc), "retassure: %d", __LINE__); debug("default_boot_args_xref=%p\n",default_boot_args_xref); } @@ -349,7 +350,7 @@ std::vector ibootpatchfinder64_base::get_boot_arg_patch(const char *boota default_boot_args_str_loc = iter().pc() - 1; } else { /* Find the "Reliance on this cert..." string. */ - retassure(cert_str_loc = _vmem->memstr(CERT_STR), "Unable to find \"%s\" string!\n", CERT_STR); + retassure(cert_str_loc = _vmem->memstr(CERT_STR), "Unable to find \"%s\" string!", CERT_STR); debug("\"%s\" string found at %p\n", CERT_STR, cert_str_loc); 
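Review bot: Replacing `assure(x)` with `retassure(x, "retassure: %d", __LINE__)` gives a failure report nothing a reader can act on — the message names neither the lookup that failed nor the string or location involved, and if `assure` already records its source line (I cannot see the macro here) the `__LINE__` is redundant as well. Each site has an obvious description, e.g. `retassure(adr1 = find_literal_ref(default_boot_args_str_loc), "Unable to find xref for default boot-args string");` and `retassure(bootargstackvarbranch = (loc_t)iter().imm(), "Unable to find boot-args stack var branch");`. The same placeholder message is repeated in the hunk at -359 in this file and in the hunks at -41 and -74 in src/ibootpatchfinder64_iOS14.cpp. get_boot_arg_patch starts before this hunk and continues after it.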
@@ -359,90 +360,104 @@ std::vector ibootpatchfinder64_base::get_boot_arg_patch(const char *boota default_boot_args_str_loc = cert_str_loc; } - - vmem iter2(*_vmem,default_boot_args_xref); + vmem iter2(*_vmem, default_boot_args_xref); uint8_t _reg = 0; - if((_6723_100 || _7429_0) && !dev) { - assure(iter2() == insn::nop); - loc_t adr2 = 0; - retassure(adr2 = _vmem->memstr(DEFAULT_BOOTARGS_STR_OTHER2), "Unable to find \"%s\" string!\n", DEFAULT_BOOTARGS_STR_OTHER2); - loc_t adr2_xref = 0; - retassure(adr2_xref = find_literal_ref(adr2), "Unable to find \"%s\" xref for string!\n", DEFAULT_BOOTARGS_STR_OTHER2); - iter2 = vmem(*_vmem,adr2_xref); - while(--iter2 != insn::sub) continue; - assure(iter2() == insn::sub); - assure(iter2().rd()); - _reg = iter2().rd(); + if ((_6723_100 || _7429_0) && !dev) { + retassure(iter2() == insn::nop, "retassure: %d", __LINE__); + loc_t adr2 = 0; + retassure(adr2 = _vmem->memstr(DEFAULT_BOOTARGS_STR_OTHER2), + "Unable to find \"%s\" string!\n", + DEFAULT_BOOTARGS_STR_OTHER2); + loc_t adr2_xref = 0; + retassure(adr2_xref = find_literal_ref(adr2), + "Unable to find \"%s\" xref for string!\n", + DEFAULT_BOOTARGS_STR_OTHER2); + iter2 = vmem(*_vmem, adr2_xref); + if(_10151_0) { + while (++iter2 != insn::sub) + continue; + } else { + while (--iter2 != insn::sub) + continue; + } + retassure(iter2() == insn::sub, "retassure: %d", __LINE__); + retassure(iter2().rd(), "retassure: %d", __LINE__); + _reg = iter2().rd(); } else { - if(iter2() != insn::adr) { - --iter2; - --iter2; - assure(iter2() == insn::bl); - ++iter2; - _reg = iter2().rd(); - } else { - assure(iter2() == insn::adr); - _reg = iter2().rd(); - } + if (iter2() != insn::adr) { + --iter2; + --iter2; + retassure(iter2() == insn::bl, "retassure: %d", __LINE__); + ++iter2; + _reg = iter2().rd(); + } else { + retassure(iter2() == insn::adr, "retassure: %d", __LINE__); + _reg = iter2().rd(); + } } - insn pins = insn::new_general_adr(default_boot_args_xref, (int64_t)default_boot_args_str_loc, 
_reg); - + insn pins = insn::new_general_adr( + default_boot_args_xref, (int64_t)default_boot_args_str_loc, _reg); + uint32_t opcode = pins.opcode(); patches.push_back({(loc_t)pins.pc(), &opcode, 4}); - + debug("Applying custom boot-args \"%s\"\n", bootargs); - patches.push_back({default_boot_args_str_loc, bootargs, strlen(bootargs)+1}); - + patches.push_back( + {default_boot_args_str_loc, bootargs, strlen(bootargs) + 1}); - vmem iter(*_vmem,default_boot_args_xref); + vmem iter(*_vmem, default_boot_args_xref); uint8_t xrefRD = 0; - if(_6723_100 || _7429_0) { - xrefRD = 4; + if (_6723_100 || _7429_0) { + xrefRD = 4; } else { - xrefRD = iter().rd(); + xrefRD = iter().rd(); } - debug("xrefRD=%d\n",xrefRD); - if(xrefRD > 9 || xrefRD == 4) - return patches; - - while (++iter != insn::csel); - + debug("xrefRD=%d\n", xrefRD); + if (xrefRD > 9 || xrefRD == 4) + return patches; + + while (++iter != insn::csel) + ; + insn csel = iter(); debug("csel=%p\n", (loc_t)csel.pc()); - assure(xrefRD == csel.rn() || xrefRD == csel.rm()); - - debug("cselrd=%d\n",csel.rd()); - - + retassure(xrefRD == csel.rn() || xrefRD == csel.rm(), "retassure: %d", __LINE__); + + debug("cselrd=%d\n", csel.rd()); + { - insn pins = insn::new_register_mov(iter, 0, csel.rd(), -1, xrefRD); - debug("(%p)patching: \"mov x%d, x%d\"\n",(loc_t)pins.pc(),pins.rd(),pins.rm()); - uint32_t opcode = pins.opcode(); - patches.push_back({(loc_t)pins.pc(), &opcode, 4}); + insn pins = insn::new_register_mov(iter, 0, csel.rd(), -1, xrefRD); + debug("(%p)patching: \"mov x%d, x%d\"\n", (loc_t)pins.pc(), pins.rd(), + pins.rm()); + uint32_t opcode = pins.opcode(); + patches.push_back({(loc_t)pins.pc(), &opcode, 4}); } - - while ((--iter).supertype() != insn::sut_branch_imm || iter() == insn::bl); - - debug("branch loc=%p\n",(loc_t)iter); - + while ((--iter).supertype() != insn::sut_branch_imm || iter() == insn::bl) + ; + + debug("branch loc=%p\n", (loc_t)iter); + iter = (loc_t)iter().imm(); - debug("branch 
dst=%p\n",(loc_t)iter); - + debug("branch dst=%p\n", (loc_t)iter); + if (iter() != insn::adr) { - while (++iter != insn::adr); + while (++iter != insn::adr) + ; } - + { - insn pins = insn::new_general_adr(iter, (int64_t)default_boot_args_str_loc, iter().rd()); - debug("(%p)patching: \"adr x%d, 0x%llx\"\n",(loc_t)pins.pc(),pins.rd(),pins.imm()); - uint32_t opcode = pins.opcode(); - patches.push_back({(loc_t)pins.pc(), &opcode, 4}); + insn pins = insn::new_general_adr( + iter, (int64_t)default_boot_args_str_loc, iter().rd()); + debug("(%p)patching: \"adr x%d, 0x%llx\"\n", (loc_t)pins.pc(), + pins.rd(), pins.imm()); + uint32_t opcode = pins.opcode(); + patches.push_back({(loc_t)pins.pc(), &opcode, 4}); } return patches; diff --git a/src/ibootpatchfinder64_iOS14.cpp b/src/ibootpatchfinder64_iOS14.cpp index 18571be..a2ae3d4 100644 --- a/src/ibootpatchfinder64_iOS14.cpp +++ b/src/ibootpatchfinder64_iOS14.cpp 
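Review bot: `patches.push_back({default_boot_args_str_loc, bootargs, strlen(bootargs) + 1});` (re-wrapped here) still records a write of the whole caller-supplied string plus terminator at the default boot-args location without checking that it fits in the space the original string occupied, so an over-long `bootargs` would spill into whatever follows; a `retassure` that `strlen(bootargs) + 1` does not exceed the length of the string found at `default_boot_args_str_loc` (or a documented maximum) before the push_back would close that, assuming the patch is applied as-is wherever `patches` is consumed, which is outside this hunk. The two messages re-wrapped in this hunk, `"Unable to find \"%s\" string!\n"` and `"Unable to find \"%s\" xref for string!\n"`, keep their trailing `\n` while the same commit strips it from every other retassure message, so they should drop it too. The empty-body loops are rewritten here as a lone `;` on its own line, whereas the hunks in src/kernelpatchfinder64.cpp and src/ibootpatchfinder64_iOS14.cpp convert the same form to `continue;`; pick one. The new forward walk under `if(_10151_0)` has no comment on why the `sub` lies after `adr2_xref` on those builds; something like `// 10151+: the register setup sub follows the xref` would do. get_boot_arg_patch starts before this hunk.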
@@ -41,32 +41,35 @@ std::vector ibootpatchfinder64_iOS14::get_sigcheck_patch(){ img4decodemanifestexists = _vmem->memmem("\xE8\x03\x00\xAA\xC0\x00\x80\x52\xE8\x00\x00\xB4", 12); //0x180032144; } debug("img4decodemanifestexists=%p",img4decodemanifestexists); - assure(img4decodemanifestexists); + retassure(img4decodemanifestexists, "retassure: %d", __LINE__); loc_t img4decodemanifestexistsref = find_call_ref(img4decodemanifestexists); debug("img4decodemanifestexistsref=%p",img4decodemanifestexistsref); - assure(img4decodemanifestexistsref); + retassure(img4decodemanifestexistsref, "retassure: %d", __LINE__); vmem iter(*_vmem,img4decodemanifestexistsref); vmem iter2(*_vmem,img4decodemanifestexistsref); - while(++iter != insn::adr); + while(++iter != insn::adr) continue; + if(_vers >= 10151) { + while(++iter != insn::adr) continue; + } if((uint8_t)iter().rd() != 2) { while(++iter2 != insn::adr); - assure((uint8_t)iter().rd() == 2); + retassure((uint8_t)iter().rd() == 2, "retassure: %d", __LINE__); } loc_t img4interposercallbackptr = iter().imm(); debug("img4interposercallbackptr=%p",img4interposercallbackptr); - assure(img4interposercallbackptr); + retassure(img4interposercallbackptr, "retassure: %d", __LINE__); loc_t img4interposercallback = _vmem->deref(img4interposercallbackptr); debug("img4interposercallback=%p",img4interposercallback); - assure(img4interposercallback); + retassure(img4interposercallback, "retassure: %d", __LINE__); vmem iter3(*_vmem,img4interposercallback); while(++iter3 != insn::ret); loc_t img4interposercallbackret = iter3().pc(); - assure(img4interposercallbackret); + retassure(img4interposercallbackret, "retassure: %d", __LINE__); debug("img4interposercallbackret=%p",img4interposercallbackret); if(--iter3 == insn::add) { while(--iter3 == insn::ldp); 
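Review bot: Inside `if((uint8_t)iter().rd() != 2)` the loop advances `iter2`, but the converted check `retassure((uint8_t)iter().rd() == 2, "retassure: %d", __LINE__);` still reads `iter`, which that branch never moves, so the assertion fails whenever the branch is entered and `iter2` is not used anywhere visible in the hunk; presumably `retassure((uint8_t)iter2().rd() == 2, "img4interposercallbackptr adr does not target x2");` followed by continuing with `iter2` was intended, which is worth confirming against a build that takes this path. The new `if(_vers >= 10151)` block skips to the second `adr` with no comment on why those builds lay the callback pointer load out differently; if that is the reason, `// 10151+: the first adr after the call ref no longer loads the interposer callback pointer` next to it would help. The same hunk mixes the new `while(++iter != insn::adr) continue;` with the untouched `while(++iter2 != insn::adr);` two lines later. get_sigcheck_patch starts before this hunk and continues past it.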
@@ -74,13 +77,13 @@ std::vector ibootpatchfinder64_iOS14::get_sigcheck_patch(){ while(--iter3 != insn::nop); } loc_t img4interposercallbackmov = iter3().pc(); - assure(img4interposercallbackmov); + retassure(img4interposercallbackmov, "retassure: %d", __LINE__); debug("img4interposercallbackmov=%p",img4interposercallbackmov); patches.push_back({img4interposercallbackmov, "\x00\x00\x80\xD2" /*mov x0, 0*/, 4}); while (++iter3 != insn::ret); while (++iter3 != insn::ret); loc_t img4interposercallbackret2 = iter3().pc(); - assure(img4interposercallbackret2); + retassure(img4interposercallbackret2, "retassure: %d", __LINE__); debug("img4interposercallbackret2=%p", img4interposercallbackret2); patches.push_back({img4interposercallbackret2 - 4, "\x00\x00\x80\xD2" /*mov x0, 0*/, 4}); } else { diff --git a/src/kernelpatchfinder64.cpp b/src/kernelpatchfinder64.cpp index 3f37772..bf15959 100644 --- a/src/kernelpatchfinder64.cpp +++ b/src/kernelpatchfinder64.cpp @@ -361,7 +361,7 @@ std::vector kernelpatchfinder64::get_mount_patch(){ iter = ref; - while (--iter != insn::ldrb); + while (--iter != insn::ldrb) continue; { debug("p1=%p\n",(loc_t)iter); diff --git a/src/patchfinder64.cpp b/src/patchfinder64.cpp index c783a00..75a1294 100644 --- a/src/patchfinder64.cpp +++ b/src/patchfinder64.cpp @@ -28,8 +28,8 @@ patchfinder64::patchfinder64(bool freeBuf) : _freeBuf(freeBuf), _buf(NULL), _bufSize(0), - _entrypoint(NULL), - _base(NULL) + _entrypoint(0), + _base(0) { // }