ios-kernel-patch

iOS kernel patch

Go to file

comex 95cd350b5c build		2011-05-02 15:10:23 -04:00
apply_patchfile.c	add a readme	2011-03-29 00:04:51 -04:00
check_sanity.c	have a makefile	2011-03-28 23:09:38 -04:00
lambda.h	fixes; update data; get rid of placeholder functionality; add lambda.h; make make_kernel_patchfile use b_relocate instead, whee	2011-03-16 23:45:29 -04:00
make_kernel_patchfile.c	build	2011-05-02 15:10:23 -04:00
Makefile	build	2011-05-02 15:10:23 -04:00
pf2c.py	add a readme	2011-03-29 00:04:51 -04:00
README	omg	2011-04-01 15:08:39 -04:00
sandbox.S	fix	2011-04-04 21:09:10 -04:00

README

git clone git@github.com:comex/datautils0.git
cd datautils0
git clone git@github.com:comex/data.git
make NATIVE=1
./make_kernel_patchfile /path/to/kernelcache /tmp/patchfile
./apply_patchfile /path/to/kernelcache /tmp/patchfile /output/patched/kernelcache

Patchfile format:

field        length
--------------------
namelen      4
name         namelen
addr         4
datalen      4
data         datalen

- If the address is 0, skip.

- If you're patching the kernel after it has already booted, you can (but need not) skip patches with names starting with "-".

- apply_patchfile patches the kernel to start /sbin/lunchd instead of launchd.  You can remove that, but the idea is that the filesystem looks like this:

/sbin/launchd: an untether exploit that execs /sbin/lunchd; skipped by an already-patched kernel
/sbin/lunchd: a script that execs /sbin/launchd.real with DYLD_INSERT_LIBRARIES set to the dylibs in /Library/LaunchExtensions; this may be used in the future by MobileSubstrate
/sbin/launchd.real: the original /sbin/launchd

This is the lunchd script:

    #!/bin/bash
    shopt -s nullglob
    dylibs=$(for dylib in /Library/LaunchExtensions/*.dylib; do echo -n "$dylib:"; done)
    export DYLD_INSERT_LIBRARIES=${dylibs%:}
    exec -a /sbin/launchd /sbin/launchd.real