ios-kernel-patch/README

git clone git@github.com:comex/datautils0.git
cd datautils0
git clone git@github.com:comex/data.git
make NATIVE=1
./make_kernel_patchfile /path/to/kernelcache /tmp/patchfile
./apply_patchfile /path/to/kernelcache /tmp/patchfile /output/patched/kernelcache

Patchfile format:

field        length
--------------------
namelen      4
name         namelen
addr         4
datalen      4
data         datalen

- If you're patching the kernel after it has already booted, you can (but need not) skip patches with names starting with "-".

- apply_patchfile patches the kernel to start /sbin/lunchd instead of launchd.  You can remove that, but the idea is that the filesystem looks like this:

/sbin/launchd: untether exploit that execs /sbin/lunchd
/sbin/lunchd: a script that execs /sbin/launchd.real with DYLD_INSERT_LIBRARIES set to the dylibs in /Library/LaunchExtensions; this may be used in the future by MobileSubstrate
/sbin/launchd.real: the original /sbin/launchd

This is the lunchd script:

    #!/bin/bash
    shopt -s nullglob
    dylibs=$(for dylib in /Library/LaunchExtensions/*.dylib; do echo -n "$dylib:"; done)
    export DYLD_INSERT_LIBRARIES=${dylibs%:}
    exec -a /sbin/launchd /sbin/launchd.real
add README and missing file 2011-03-29 10:25:27 +07:00			`git clone git@github.com:comex/datautils0.git`
			`cd datautils0`
			`git clone git@github.com:comex/data.git`
			`make NATIVE=1`
			`./make_kernel_patchfile /path/to/kernelcache /tmp/patchfile`
			`./apply_patchfile /path/to/kernelcache /tmp/patchfile /output/patched/kernelcache`
add a readme 2011-03-29 11:04:51 +07:00
			`Patchfile format:`

			`field length`
			`--------------------`
			`namelen 4`
			`name namelen`
			`addr 4`
			`datalen 4`
			`data datalen`

			`- If you're patching the kernel after it has already booted, you can (but need not) skip patches with names starting with "-".`

			`- apply_patchfile patches the kernel to start /sbin/lunchd instead of launchd. You can remove that, but the idea is that the filesystem looks like this:`

			`/sbin/launchd: untether exploit that execs /sbin/lunchd`
			`/sbin/lunchd: a script that execs /sbin/launchd.real with DYLD_INSERT_LIBRARIES set to the dylibs in /Library/LaunchExtensions; this may be used in the future by MobileSubstrate`
			`/sbin/launchd.real: the original /sbin/launchd`

			`This is the lunchd script:`

			`#!/bin/bash`
			`shopt -s nullglob`
			`dylibs=$(for dylib in /Library/LaunchExtensions/*.dylib; do echo -n "$dylib:"; done)`
			`export DYLD_INSERT_LIBRARIES=${dylibs%:}`
			`exec -a /sbin/launchd /sbin/launchd.real`