Proteas

iOS-v14.0-18A5301v-WebContent-Unix-Mach-MIG

Syscall-Unix

SYS_exit
SYS_read
SYS_write
SYS_open
SYS_close
SYS_link

Proteas

*** ent-list-17E262-iPhone11,2.json	2020-05-25 11:16:14.000000000 +0800
--- ent-list-17F75-iPhone11,2.json	2020-05-25 11:02:29.000000000 +0800
***************
*** 389,394 ****
--- 389,395 ----
      "com.apple.developer.default-data-protection", 
+     "com.apple.developer.exposure-notification", 
      "com.apple.developer.extension-host.photo-editing", 
***************
*** 820,826 ****

Proteas

void inject_trusts(int pathc, const char *paths[])
{
    printf("[+] injecting into trust cache...\n");
    
    extern uint64_t g_kern_base;
    
    static uint64_t tc = 0;
    if (tc == 0) {
        /* loaded_trust_caches
         iPhone11,2-4-6: 0xFFFFFFF008F702C8

Proteas

iOS-v12.0-16A366-iPhone11,6

instructions about setting pac key

__text:FFFFFFF007A0834C                 LDR             X0, =0xFEEDFACEFEEDFACF ; LDR X0, #348, 0xFFFFFFF007A084A8
__text:FFFFFFF007A08350                 MSR             #0, c2, c1, #2, X0 ; APIBKeyLo_EL1
__text:FFFFFFF007A08354                 MSR             #0, c2, c1, #3, X0 ; APIBKeyHi_EL1
__text:FFFFFFF007A08358                 ADD             X0, X0, #1
__text:FFFFFFF007A0835C                 MSR             #0, c2, c2, #2, X0 ; APDBKeyLo_EL1
__text:FFFFFFF007A08360                 MSR             #0, c2, c2, #3, X0 ; APDBKeyHi_EL1

Proteas

Following are my steps to build the ARM64 version of xnu-4570.1.46, hope this is helpfull for saving time.
1. Use Xcode 9.0
2. Preparation is same as macOS, and there is a guide: https://0xcc.re/building-xnu-kernel-macosx-sierrra-10-12-x/
3. There is an ARM64 version libfirehose: https://github.com/Proteas/install_firehose_lib
4. Copy and edit the ARM64 config(CFLAGS, LDFLAGS) from darwin-on-arm/xnu to your target project
5. Example CFLAGS: -Darm64 -DARM64 -D__arm64__ -D__ARM64__ -DLP64 -DCONFIG_EMBEDDED -mkernel -DARM64_BOARD_CONFIG_T8011=1
6. Fix compiling stage errors by directly importing the missing headers or editing the code
7. Fix linking stage errors by implementing place holder funcitons for: chudxnu_cpu_alloc, etc 
8. If missing symbol __divti3 in linking stage, get the runtime from llvm.

Proteas

======== dyld by Proteas ========
seg name: __PAGEZERO
seg name: __TEXT
seg name: __DATA
seg name: __LINKEDIT
ImageLoader=72, ImageLoaderMachO=120, ImageLoaderMachOClassic=144, ImageLoaderMachOCompressed=128
notifySingle(state=10, image=/bin/ls)
addMappedRange(0x100000000->0x10000A000) for ls
sSharedCacheSlide=0x57333000, loadedAddress=0x7fffc7333000, preferedLoadAddress=0x7fff70000000
addRootImage(0x7fdce1f01eb0, /bin/ls)

Proteas

#! /usr/sbin/dtrace -C -s

/*
	requirement: disable SIP 
*/

#pragma D option quiet
BEGIN {
	printf("vm_kernel_slide: 0x%p\n", (`vm_kernel_slide));
	printf("vm_kernel_base: 0x%p\n", (`vm_kernel_base));

Proteas

#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/syscall.h>

Proteas

#!/usr/sbin/dtrace -s
	
#pragma D option flowindent

/* monitor file open */
syscall::open:entry
{
	printf("%s %s", execname, copyinstr(arg0));
}

Proteas

all: driver exp

driver: dummymod.c
	cc -D_KERNEL -m64 -xmodel=kernel -c dummymod.c
	/usr/bin/ld -r -o dummy dummymod.o
	
exp: 
	cc -o hexp hexpl.c -lsched -m64 -lkstat