Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
void inject_trusts(int pathc, const char *paths[])
{
printf("[+] injecting into trust cache...\n");
extern uint64_t g_kern_base;
static uint64_t tc = 0;
if (tc == 0) {
/* loaded_trust_caches
iPhone11,2-4-6: 0xFFFFFFF008F702C8
iPhone11,8: 0xFFFFFFF008ED42C8
*/
tc = g_kern_base + (0xFFFFFFF008F702C8 - 0xFFFFFFF007004000);
}
printf("[+] trust cache: 0x%llx\n", tc);
struct trust_chain fake_chain;
fake_chain.next = kernel_read64(tc);
#if (0)
*(uint64_t *)&fake_chain.uuid[0] = 0xabadbabeabadbabe;
*(uint64_t *)&fake_chain.uuid[8] = 0xabadbabeabadbabe;
#else
arc4random_buf(&fake_chain.uuid, 16);
#endif
int cnt = 0;
uint8_t hash[CC_SHA256_DIGEST_LENGTH];
hash_t *allhash = malloc(sizeof(hash_t) * pathc);
for (int i = 0; i != pathc; ++i) {
uint8_t *cd = getCodeDirectory(paths[i]);
if (cd != NULL) {
getSHA256inplace(cd, hash);
memmove(allhash[cnt], hash, sizeof(hash_t));
++cnt;
}
}
fake_chain.count = cnt;
size_t length = (sizeof(fake_chain) + cnt * sizeof(hash_t) + 0x3FFF) & ~0x3FFF;
uint64_t kernel_trust = kalloc(length);
printf("[+] kalloc: 0x%llx\n", kernel_trust);
printf("[+] writing fake_chain\n");
kernel_write(kernel_trust, &fake_chain, sizeof(fake_chain));
printf("[+] writing allhash\n");
kernel_write(kernel_trust + sizeof(fake_chain), allhash, cnt * sizeof(hash_t));
printf("[+] writing trust cache\n");
#if (0)
kernel_write64(tc, kernel_trust);
#else
/* load_trust_cache
iPhone11,2-4-6: 0xFFFFFFF007B80504
iPhone11,8: 0xFFFFFFF007B50504
*/
uint64_t f_load_trust_cache = g_kern_base + (0xFFFFFFF007B80504 - 0xFFFFFFF007004000);
uint32_t ret = kernel_call_7(f_load_trust_cache, 3,
kernel_trust,
length,
0);
printf("[+] load_trust_cache: 0x%x\n", ret);
#endif
printf("[+] injected trust cache\n");
}
@sorayori
Copy link

sorayori commented Feb 21, 2019

Unbelievably well done! Congratulations!
For those reading: this was needed, along with other things, for A12 support!

@FranzGeringer
Copy link

FranzGeringer commented Feb 21, 2019

OMG thanks !!!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment