ios-kernel-patch

nganhkhoa/ios-kernel-patch

Fork 0

Go to file

comex 95cd350b5c build

2011-05-02 15:10:23 -04:00

apply_patchfile.c

add a readme

2011-03-29 00:04:51 -04:00

check_sanity.c

have a makefile

2011-03-28 23:09:38 -04:00

lambda.h

fixes; update data; get rid of placeholder functionality; add lambda.h; make make_kernel_patchfile use b_relocate instead, whee

2011-03-16 23:45:29 -04:00

make_kernel_patchfile.c

build

2011-05-02 15:10:23 -04:00

Makefile

build

2011-05-02 15:10:23 -04:00

pf2c.py

add a readme

2011-03-29 00:04:51 -04:00

README

omg

2011-04-01 15:08:39 -04:00

sandbox.S

fix

2011-04-04 21:09:10 -04:00

README

git clone git@github.com:comex/datautils0.git
cd datautils0
git clone git@github.com:comex/data.git
make NATIVE=1
./make_kernel_patchfile /path/to/kernelcache /tmp/patchfile
./apply_patchfile /path/to/kernelcache /tmp/patchfile /output/patched/kernelcache

Patchfile format:

field        length
--------------------
namelen      4
name         namelen
addr         4
datalen      4
data         datalen

- If the address is 0, skip.

- If you're patching the kernel after it has already booted, you can (but need not) skip patches with names starting with "-".

- apply_patchfile patches the kernel to start /sbin/lunchd instead of launchd.  You can remove that, but the idea is that the filesystem looks like this:

/sbin/launchd: an untether exploit that execs /sbin/lunchd; skipped by an already-patched kernel
/sbin/lunchd: a script that execs /sbin/launchd.real with DYLD_INSERT_LIBRARIES set to the dylibs in /Library/LaunchExtensions; this may be used in the future by MobileSubstrate
/sbin/launchd.real: the original /sbin/launchd

This is the lunchd script:

    #!/bin/bash
    shopt -s nullglob
    dylibs=$(for dylib in /Library/LaunchExtensions/*.dylib; do echo -n "$dylib:"; done)
    export DYLD_INSERT_LIBRARIES=${dylibs%:}
    exec -a /sbin/launchd /sbin/launchd.real

Languages

C 88.5%

C++ 9.8%

Makefile 0.7%

Assembly 0.5%

Python 0.4%

Other 0.1%