opa334

//
//  pplrw.m
//  kfd
//
//  Created by Lars Fröder on 29.12.23.
//

#import <Foundation/Foundation.h>
#import <dlfcn.h>
#import <mach-o/dyld.h>

zhuowei

@import Darwin;
@import Foundation;
@import MachO;

#import <mach-o/fixup-chains.h>
// you'll need helpers.m from Ian Beer's write_no_write and vm_unaligned_copy_switch_race.m from
// WDBFontOverwrite
// Also, set an NSAppleMusicUsageDescription in Info.plist (can be anything)
// Please don't call this code on iOS 14 or below
// (This temporarily overwrites tccd, and on iOS 14 and above changes do not revert on reboot)

LinusHenze

iOS 16 introduced launch constraints, which can be used to constraint the launch of an application.
There are three types of constraints:
    Self Constraints, which the launched application itself must meet
    Parent Constraints, which the parent process must meet
    Responsible Constraints, which the "responsible process" must meet (I assume that the responsible process is the process that asked launchd to launch a service)

Additionally, the TrustCache format was updated (see below) to support assigning each binary a "Constraint Category", which forces Self and Parent Constraints.
Note that Self, Parent and Responsible Constraints can also be set by the process performing the launch and they can be included in the code signature, in the new blob type 0xFADE8181. In both cases, the constraints are DER encoded (just like the DER entitlements).

Constraint Categories (from TrustCache, new in version 2):

level3tjg

// Inject into appstored and itunesstored

#import <MobileGestalt/MobileGestalt.h>

NSString *deviceClass;

%hook XDCDevice
- (NSString *)productType {
  return deviceClass;
}

TrungNguyen1909

//FIRESTORM: only FIRESTORM (A14/M1)
//LIGHTNING: only Lightning (A13)
#define FIRESTORM
int main() {
    __asm__ __volatile__("isb sy\n"
                         ".long 0x00200000\n" //mul53lo.2d	v0, v0
                         ".long 0x002003ff\n" //mul53lo.2d	v31, v31
                         ".long 0x00200400\n" //mul53hi.2d	v0, v0
                         ".long 0x002007ff\n" //mul53hi.2d	v31, v31
                         ".long 0x00200800\n" //wkdmc x0, x0

pwn0rz

#include <IOKit/IOKitLib.h>
#include <mach/mach.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <ctype.h>

void hexdump(void *ptr, int buflen) {
  unsigned char *buf = (unsigned char*)ptr;
  int i, j;

0x36

#if 0
IOAccelContext2::finish_fence_event() race condition OOB read/write

This is a method exposed to user space, it takes a kernel read-only shared memory
(type 2 via clientMemoryForType())  address and treats it as an IOAccelEvents Array.

The user supplied index is checked against the IOAccelEvents array bounds,since there are no
locks held in this method,it is possible to change the array bounds by calling
IOAccelContext2::clientMemoryForType() again in a separate thread, this will expand the size by
multiplying the older size by 2, but we still have a reference to the old shared memory address

pwn20wndstuff

//
//  loader.c
//  Undecimus
//
//  Created by Pwn20wnd on 3/16/19.
//  Copyright © 2019 Pwn20wnd. All rights reserved.
//  Copyright © 2019 Jakeashacks. All rights reserved.
//

#include <common.h>

okanon

/*
 * Copyright 2017 Adam H. Leventhal. All Rights Reserved.
 */

#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>