
git clone git@github.com:comex/datautils0.git
cd datautils0
git clone git@github.com:comex/data.git
make NATIVE=1
./make_kernel_patchfile /path/to/kernelcache /tmp/patchfile
./apply_patchfile /path/to/kernelcache /tmp/patchfile /output/patched/kernelcache

Patchfile format:

field        length
--------------------
namelen      4
name         namelen
addr         4
datalen      4
data         datalen

- If the address is 0, skip.

- If you're patching the kernel after it has already booted, you can (but need not) skip patches with names starting with "-".

- apply_patchfile patches the kernel to start /sbin/lunchd instead of launchd. You can remove that patch, but the idea is that the filesystem looks like this:

/sbin/launchd: an untether exploit that execs /sbin/lunchd; skipped by an already-patched kernel
/sbin/lunchd: a script that execs /sbin/launchd.real with DYLD_INSERT_LIBRARIES set to the dylibs in /Library/LaunchExtensions; this may be used in the future by MobileSubstrate
/sbin/launchd.real: the original /sbin/launchd

This is the lunchd script:

    #!/bin/bash
    # Expand to nothing (rather than the literal glob) when the directory is empty.
    shopt -s nullglob
    # Build a colon-separated list of every dylib in /Library/LaunchExtensions.
    dylibs=$(for dylib in /Library/LaunchExtensions/*.dylib; do echo -n "$dylib:"; done)
    # Strip the trailing colon and hand the list to dyld.
    export DYLD_INSERT_LIBRARIES=${dylibs%:}
    # Replace this process with the real launchd, keeping argv[0] as /sbin/launchd.
    exec -a /sbin/launchd /sbin/launchd.real
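
The patchfile format table and the two rules that follow it (skip an entry whose address is 0; on an already-booted kernel, entries whose name starts with "-" may be skipped) are enough to write a reader for the format. The following is an added example, not code from datautils0, and it makes two assumptions the README does not state: the 4-byte fields are little-endian, and addr maps to a file offset by subtracting a single load base (how the real apply_patchfile translates addresses is not described here). The sample entries, image and base address are constructed for the demonstration.

```python
import struct

# Constructed sample input: a normal patch, a "-" patch (optional on a live kernel),
# and an entry whose address is 0 (always skipped).
SAMPLE_ENTRIES = [
    ("example_patch_a", 0x80000010, b"\x01\x02\x03\x04"),
    ("-example_patch_b", 0x80000020, b"\xaa\xbb"),
    ("unresolved", 0x0, b"\xff"),
]
BASE = 0x80000000          # assumed load address of the image (constructed)
SAMPLE_IMAGE = bytes(64)   # constructed stand-in for a kernelcache


def build_patchfile(entries):
    """Serialize (name, addr, data) tuples into the namelen/name/addr/datalen/data layout.

    Byte order is an assumption: the README does not say; little-endian is used here.
    """
    out = bytearray()
    for name, addr, data in entries:
        name_b = name.encode("ascii")
        out += struct.pack("<I", len(name_b))
        out += name_b
        out += struct.pack("<I", addr)
        out += struct.pack("<I", len(data))
        out += data
    return bytes(out)


def parse_patchfile(blob):
    """Parse a patchfile into a list of (name, addr, data); raise on truncation."""
    off = 0
    records = []

    def take(n):
        nonlocal off
        if off + n > len(blob):
            raise ValueError(f"truncated patchfile at offset {off}")
        chunk = blob[off:off + n]
        off += n
        return chunk

    while off < len(blob):
        (namelen,) = struct.unpack("<I", take(4))
        name = take(namelen).decode("ascii")
        (addr,) = struct.unpack("<I", take(4))
        (datalen,) = struct.unpack("<I", take(4))
        data = take(datalen)
        records.append((name, addr, data))
    return records


def apply_patches(image, records, base, already_booted=False):
    """Apply records to an in-memory image loaded at `base`.

    Returns (patched_image, applied_names, skipped_names). The addr -> offset mapping
    (addr - base) is an assumption for this example, not the tool's documented behaviour.
    """
    img = bytearray(image)
    applied, skipped = [], []
    for name, addr, data in records:
        if addr == 0:                                  # rule: address 0 means skip
            skipped.append(name)
            continue
        if already_booted and name.startswith("-"):    # rule: "-" patches optional post-boot
            skipped.append(name)
            continue
        off = addr - base
        if off < 0 or off + len(data) > len(img):      # refuse writes outside the image
            raise ValueError(f"patch {name!r} at {addr:#x} falls outside the image")
        img[off:off + len(data)] = data
        applied.append(name)
    return bytes(img), applied, skipped


if __name__ == "__main__":
    records = parse_patchfile(build_patchfile(SAMPLE_ENTRIES))
    for booted in (False, True):
        _, applied, skipped = apply_patches(SAMPLE_IMAGE, records, BASE, already_booted=booted)
        print(f"already_booted={booted}: applied={applied} skipped={skipped}")
```

The bounds check in apply_patches is the detail worth keeping when adapting this: a malformed or mismatched patchfile should fail loudly rather than write past the end of the image.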
Description: iOS kernel patch