//
// pplrw.m
// kfd
//
// Created by Lars Fröder on 29.12.23.
//
#import <Foundation/Foundation.h>
#import <dlfcn.h>
#import <mach-o/dyld.h>

@import Darwin;
@import Foundation;
@import MachO;
#import <mach-o/fixup-chains.h>
// you'll need helpers.m from Ian Beer's write_no_write and vm_unaligned_copy_switch_race.m from
// WDBFontOverwrite
// Also, set an NSAppleMusicUsageDescription in Info.plist (can be anything)
// Please don't call this code on iOS 14 or below
// (This temporarily overwrites tccd, and on iOS 14 and above changes do not revert on reboot)

iOS 16 introduced launch constraints, which can be used to constrain the launch of an application.
There are three types of constraints:
Self Constraints, which the launched application itself must meet
Parent Constraints, which the parent process must meet
Responsible Constraints, which the "responsible process" must meet (I assume that the responsible process is the process that asked launchd to launch a service)
Additionally, the TrustCache format was updated (see below) to support assigning each binary a "Constraint Category", which enforces Self and Parent Constraints.
Note that Self, Parent and Responsible Constraints can also be set by the process performing the launch, and they can be included in the code signature in the new blob type 0xFADE8181. In both cases, the constraints are DER encoded (just like the DER entitlements).
Constraint Categories (from TrustCache, new in version 2):

// Inject into appstored and itunesstored
#import <MobileGestalt/MobileGestalt.h>
NSString *deviceClass;
%hook XDCDevice
- (NSString *)productType {
return deviceClass;
}

//FIRESTORM: only FIRESTORM (A14/M1)
//LIGHTNING: only Lightning (A13)
#define FIRESTORM
int main() {
__asm__ __volatile__("isb sy\n"
".long 0x00200000\n" //mul53lo.2d v0, v0
".long 0x002003ff\n" //mul53lo.2d v31, v31
".long 0x00200400\n" //mul53hi.2d v0, v0
".long 0x002007ff\n" //mul53hi.2d v31, v31
".long 0x00200800\n" //wkdmc x0, x0

#include <IOKit/IOKitLib.h>
#include <mach/mach.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <ctype.h>
void hexdump(void *ptr, int buflen) {
unsigned char *buf = (unsigned char*)ptr;
int i, j;

#if 0
IOAccelContext2::finish_fence_event() race condition OOB read/write
This is a method exposed to user space, it takes a kernel read-only shared memory
(type 2 via clientMemoryForType()) address and treats it as an IOAccelEvents Array.
The user supplied index is checked against the IOAccelEvents array bounds, since there are no
locks held in this method, it is possible to change the array bounds by calling
IOAccelContext2::clientMemoryForType() again in a separate thread, this will expand the size by
multiplying the older size by 2, but we still have a reference to the old shared memory address

//
// loader.c
// Undecimus
//
// Created by Pwn20wnd on 3/16/19.
// Copyright © 2019 Pwn20wnd. All rights reserved.
// Copyright © 2019 Jakeashacks. All rights reserved.
//
#include <common.h>

/*
 * Copyright 2017 Adam H. Leventhal. All Rights Reserved.
 */
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>