
Halo-Michael / loader.c
Created June 27, 2019 17:05 — forked from pwn20wndstuff/loader.c
Full AMFI/CoreTrust bypass for iOS 11.0-12.1.2 by @Jakeashacks with implementation by @Pwn20wnd
//
// loader.c
// Undecimus
//
// Created by Pwn20wnd on 3/16/19.
// Copyright © 2019 Pwn20wnd. All rights reserved.
// Copyright © 2019 Jakeashacks. All rights reserved.
//
#include <common.h>
Halo-Michael / snapUtil.c
Created July 1, 2019 07:58 — forked from okanon/snapUtil.c
snaputil
/*
* Copyright 2017 Adam H. Leventhal. All Rights Reserved.
*/
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
# Build patched iBSS/iBEC images: decrypt the stock files with the firmware
# IV/key, patch them, wrap them back into IMG4 payloads and personalise each
# with an SHSH blob. The two images are independent chains; each is done
# start to finish below.
#
# Placeholders — substitute the real values for the target firmware:
IV="iv"
KEY="key"
# NOTE(review): a blob that is not for this device/firmware only yields a
# bootable image if signature verification is already defeated at this stage
# (e.g. a pwned-DFU context); confirm that is the intended use.
SHSH="path/to/any/shsh"

# iBSS: decrypt -> patch -> IMG4 payload (-t tag, -d description) -> signed image
./img4tool -e -o ibss.raw --iv "$IV" --key "$KEY" ibss.stock
./iBoot64Patcher ibss.raw ibss.pwn
./img4tool -c ibss.v -t ibss -d ibss ibss.pwn
./img4tool -c ibss.final -p ibss.v -s "$SHSH"

# iBEC: same chain; -b "-v" passes a verbose boot-arg into the patched image
./img4tool -e -o ibec.raw --iv "$IV" --key "$KEY" ibec.stock
./iBoot64Patcher ibec.raw ibec.pwn -b "-v"
./img4tool -c ibec.v -t ibec -d ibec ibec.pwn
./img4tool -c ibec.final -p ibec.v -s "$SHSH"
#include <CoreFoundation/CoreFoundation.h>
#include <pthread.h>
// Do-nothing thread start routine: ignores its argument and returns NULL.
// Its only job in this snippet is to give pthread_create a valid entry point.
void* foo(void *foo) {
    (void)foo;  /* the parameter (which shadows the function name) is unused */
    return NULL;
}
int main(int argc, char **argv) {
pthread_t thread;
pthread_create(&thread, NULL, &foo, NULL);
#include <CoreFoundation/CoreFoundation.h>
#include <mach/mach.h>
#include <IOKit/IOKitLib.h>
#if 0
AppleM2ScalerCSCDriver Infoleak:
IOSurfaceAcceleratorClient::user_get_histogram takes a userspace pointer and writes histogram data back to that address.
IOSurfaceAcceleratorClient::initClient allocates this histogram buffer, but does not zero the memory.
When the external method IOSurfaceAcceleratorClient::user_get_histogram is called, this uninitialised memory is then sent back to userspace.
#import <Foundation/Foundation.h>
// Bare arm64e PAC helpers exposed as C-callable symbols: `paciza` signs the
// pointer in x0 with the IA key and a zero modifier (PAC, IA key, Zero
// context); `autiza` strips/authenticates such a signature with the same key
// and zero context. Both take and return their value in x0.
// NOTE(review): on cores without FEAT_FPAC a failed `autiza` does not fault
// here — it leaves a corrupted pointer that faults on later use; confirm the
// behaviour expected for the target SoC before relying on the return value.
__asm__("\
_paciza:\n \
paciza x0\n \
ret\n \
_autiza:\n \
autiza x0\n \
ret\n \
");
uint64_t paciza(uint64_t);
Halo-Michael / oob_events.c
Created November 6, 2020 07:00 — forked from 0x36/oob_events.c
IOAccelContext2::finish_fence_event() race condition OOB read/write
#if 0
IOAccelContext2::finish_fence_event() race condition OOB read/write
This is a method exposed to user space, it takes a kernel read-only shared memory
(type 2 via clientMemoryForType()) address and treats it as an IOAccelEvents Array.
The user-supplied index is checked against the IOAccelEvents array bounds, but since no
locks are held in this method, it is possible to change the array bounds by calling
IOAccelContext2::clientMemoryForType() again in a separate thread; this will expand the size by
multiplying the older size by 2, but we still have a reference to the old shared memory address
Halo-Michael / fix.py
Created November 11, 2020 07:56
LiveSafari Fix
#!/usr/bin/env python3
import struct
import os,sys
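def extfun(x):
    """Identity hook: return ``x`` unchanged.

    Declared with ``def`` instead of an assigned lambda (PEP 8 E731) so the
    function carries its own name in tracebacks and introspection; callers
    still just call ``extfun(value)``.
    """
    return x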
def read_file_hex(file_path):
file_object = open(file_path,'rb')
file_object.seek(0,0)
hex_str =''
Halo-Michael / main.m
Created November 16, 2020 09:33
run /etc/rc.d
#import <Foundation/Foundation.h>
#import <Foundation/NSTask.h>
int main(){
for (NSString *file in [[NSFileManager defaultManager] subpathsAtPath:@"/etc/rc.d"]) {
NSString *path = [@"/etc/rc.d/" stringByAppendingString:file];
if ([[NSFileManager defaultManager] isExecutableFileAtPath:path]) {
[[NSTask launchedTaskWithLaunchPath:path arguments:@[]] waitUntilExit];
}
}
//A7~A9, use SHA1 algorithm to generate apnonce.
// Fixed 8-byte generator value; the ApNonce printed below is the SHA-1 digest
// of its raw in-memory bytes (host byte order).
// NOTE(review): `unsigned long` is 8 bytes only on LP64 targets such as
// arm64/x86_64 Darwin; on an ILP32 or LLP64 build only 4 bytes would be
// hashed and the nonce would differ — `uint64_t` would pin the width.
unsigned long buf = 0x1111111111111111;
unsigned char result[CC_SHA1_DIGEST_LENGTH];
CC_SHA1(&buf, sizeof(buf), result);
// Print the digest as lowercase hex, one byte per two digits.
// NOTE(review): result[i] is an unsigned char promoted to int, so "%02x" is
// the matching conversion; PRIx32 happens to expand to "x" on common
// platforms, which is why this works, but it is not the right macro here.
for (int i = 0; i < CC_SHA1_DIGEST_LENGTH; i++)
printf("%02" PRIx32, result[i]);
putchar('\n');
//A10~A11, use SHA384 algorithm, but only take the first 32 bits to generate apnonce.
unsigned long buf = 0x1111111111111111;