From 1ab4a46705a8f7e891decb2880c5ab40970a10a5 Mon Sep 17 00:00:00 2001
From: comex
Date: Tue, 29 Mar 2011 00:04:51 -0400
Subject: [PATCH] add a readme
---
 README | 26 ++++++++++++++++++++++++++
 apply_patchfile.c | 2 ++
 pf2c.py | 2 +-
 3 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/README b/README
index aef9378..7951a6e 100644
--- a/README
+++ b/README
@@ -4,3 +4,29 @@ git clone git@github.com:comex/data.git
 make NATIVE=1
 ./make_kernel_patchfile /path/to/kernelcache /tmp/patchfile
 ./apply_patchfile /path/to/kernelcache /tmp/patchfile /output/patched/kernelcache
+
+Patchfile format:
+
+field length
+--------------------
+namelen 4
+name namelen
+addr 4
+datalen 4
+data datalen
+
+- If you're patching the kernel after it has already booted, you can (but need not) skip patches with names starting with "-".
+
+- apply_patchfile patches the kernel to start /sbin/lunchd instead of launchd. You can remove that, but the idea is that the filesystem looks like this:
+
+/sbin/launchd: untether exploit that execs /sbin/lunchd
+/sbin/lunchd: a script that execs /sbin/launchd.real with DYLD_INSERT_LIBRARIES set to the dylibs in /Library/LaunchExtensions; this may be used in the future by MobileSubstrate
+/sbin/launchd.real: the original /sbin/launchd
+
+This is the lunchd script:
+
+ #!/bin/bash
+ shopt -s nullglob
+ dylibs=$(for dylib in /Library/LaunchExtensions/*.dylib; do echo -n "$dylib:"; done)
+ export DYLD_INSERT_LIBRARIES=${dylibs%:}
+ exec -a /sbin/launchd /sbin/launchd.real
diff --git a/apply_patchfile.c b/apply_patchfile.c
index 754e685..d067b13 100644
--- a/apply_patchfile.c
+++ b/apply_patchfile.c
@@ -36,6 +36,8 @@ int main(int argc, char **argv) {
 assert(read(patchfd, stuff, size) == (ssize_t) size);
 if(addr == 0) goto skip;
+ // Patches starting with "+" only make sense to apply after the kernel has already booted.
+ // They may be in BSS.
 if(name[0] == '+') goto skip;
 if(argv[4] && !strcmp(argv[4], "-i")) {
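Review bot: The new comment above `if(name[0] == '+') goto skip;` documents a "+" name prefix, but the README added in this same commit tells the reader to skip patches whose names start with "-" when patching after boot, and nothing on either side says whether "+" and "-" are two complementary conventions or one of them is a typo. If they are complementary (presumably "+" marks patches the file patcher must leave to the runtime patcher because their target may be in BSS and so not in the kernelcache file), the comment should say so explicitly, e.g. `// "+" patches target memory that may not exist in the file (e.g. BSS); they are skipped here and left to the runtime (in-place) patcher, see pf2c.py.`, and the README should be brought into agreement with the code. The body of main() starts and ends outside this hunk.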
diff --git a/pf2c.py b/pf2c.py
index 2f4406a..9bdf4d7 100644
--- a/pf2c.py
+++ b/pf2c.py
@@ -22,7 +22,7 @@ while True:
 sysent_patch_orig, = struct.unpack('I', data)
 elif name == 'scratch':
 scratch, = struct.unpack('I', data)
- if addr == 0 or len(data) == 0 or name.startswith('+'): # in place only
+ if addr == 0 or len(data) == 0:
 continue
 print '// %s' % name
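Review bot: The rewritten condition drops the `# in place only` comment along with the `name.startswith('+')` test, so the remaining `addr == 0 or len(data) == 0` guard is now undocumented and the reason "+" patches are no longer filtered here (apply_patchfile.c skips them on its side in this same commit) is recorded nowhere in this file. Suggest keeping a comment on the new line, e.g. `if addr == 0 or len(data) == 0:  # nothing to emit; '+' (post-boot) patches are emitted here and filtered only by apply_patchfile.c`, so the division of responsibility between the two consumers of the patchfile stays visible. The enclosing `while True:` loop begins before this hunk and its body appears to continue past it.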