iOS kernel patch
Go to file
2011-03-29 00:04:51 -04:00
apply_patchfile.c add a readme 2011-03-29 00:04:51 -04:00
check_sanity.c have a makefile 2011-03-28 23:09:38 -04:00
lambda.h fixes; update data; get rid of placeholder functionality; add lambda.h; make make_kernel_patchfile use b_relocate instead, whee 2011-03-16 23:45:29 -04:00
make_kernel_patchfile.c debug_enabled initializer is an initializer 2011-03-28 23:34:18 -04:00
Makefile twoddle 2011-03-28 23:23:59 -04:00
pf2c.py add a readme 2011-03-29 00:04:51 -04:00
README add a readme 2011-03-29 00:04:51 -04:00
sandbox.S add README and missing file 2011-03-28 23:25:33 -04:00

git clone git@github.com:comex/datautils0.git
cd datautils0
git clone git@github.com:comex/data.git
make NATIVE=1
./make_kernel_patchfile /path/to/kernelcache /tmp/patchfile
./apply_patchfile /path/to/kernelcache /tmp/patchfile /output/patched/kernelcache

Patchfile format:

field        length
--------------------
namelen      4
name         namelen
addr         4
datalen      4
data         datalen

- If you're patching the kernel after it has already booted, you can (but need not) skip patches with names starting with "-".

- apply_patchfile patches the kernel to start /sbin/lunchd instead of launchd.  You can remove that, but the idea is that the filesystem looks like this:

/sbin/launchd: untether exploit that execs /sbin/lunchd
/sbin/lunchd: a script that execs /sbin/launchd.real with DYLD_INSERT_LIBRARIES set to the dylibs in /Library/LaunchExtensions; this may be used in the future by MobileSubstrate
/sbin/launchd.real: the original /sbin/launchd

This is the lunchd script:

    #!/bin/bash
    shopt -s nullglob
    dylibs=$(for dylib in /Library/LaunchExtensions/*.dylib; do echo -n "$dylib:"; done)
    export DYLD_INSERT_LIBRARIES=${dylibs%:}
    exec -a /sbin/launchd /sbin/launchd.real