add a readme

README

@@ -4,3 +4,29 @@ git clone git@github.com:comex/data.git
 make NATIVE=1
 ./make_kernel_patchfile /path/to/kernelcache /tmp/patchfile
 ./apply_patchfile /path/to/kernelcache /tmp/patchfile /output/patched/kernelcache
+
+Patchfile format:
+
+field        length
+--------------------
+namelen      4
+name         namelen
+addr         4
+datalen      4
+data         datalen
+
+- If you're patching the kernel after it has already booted, you can (but need not) skip patches with names starting with "-".
+
+- apply_patchfile patches the kernel to start /sbin/lunchd instead of launchd.  You can remove that, but the idea is that the filesystem looks like this:
+
+/sbin/launchd: untether exploit that execs /sbin/lunchd
+/sbin/lunchd: a script that execs /sbin/launchd.real with DYLD_INSERT_LIBRARIES set to the dylibs in /Library/LaunchExtensions; this may be used in the future by MobileSubstrate
+/sbin/launchd.real: the original /sbin/launchd
+
+This is the lunchd script:
+
+    #!/bin/bash
+    shopt -s nullglob
+    dylibs=$(for dylib in /Library/LaunchExtensions/*.dylib; do echo -n "$dylib:"; done)
+    export DYLD_INSERT_LIBRARIES=${dylibs%:}
+    exec -a /sbin/launchd /sbin/launchd.real

apply_patchfile.c

@@ -36,6 +36,8 @@ int main(int argc, char **argv) {
         assert(read(patchfd, stuff, size) == (ssize_t) size);
         
         if(addr == 0) goto skip;
+        // Patches starting with "+" only make sense to apply after the kernel has already booted.
+        // They may be in BSS.
         if(name[0] == '+') goto skip;
 
         if(argv[4] && !strcmp(argv[4], "-i")) {

pf2c.py

@@ -22,7 +22,7 @@ while True:
         sysent_patch_orig, = struct.unpack('I', data)
     elif name == 'scratch':
         scratch, = struct.unpack('I', data)
-    if addr == 0 or len(data) == 0 or name.startswith('+'): # in place only
+    if addr == 0 or len(data) == 0:
         continue
     
     print '// %s' % name