Alexey Terentev axifive

## poc.c
#include <stdlib.h>
#include <stdio.h>
#include <pthread/pthread.h>
#include <mach/mach.h>

struct ool_msg  {
    mach_msg_header_t hdr;
    mach_msg_body_t body;
    mach_msg_ool_ports_descriptor_t ool_ports[];
};

## oob_events.c
#if 0
IOAccelContext2::finish_fence_event() race condition OOB read/write

This is a method exposed to user space, it takes a kernel read-only shared memory
(type 2 via clientMemoryForType())  address and treats it as an IOAccelEvents Array.

The user supplied index is checked against the IOAccelEvents array bounds,since there are no
locks held in this method,it is possible to change the array bounds by calling
IOAccelContext2::clientMemoryForType() again in a separate thread, this will expand the size by
multiplying the older size by 2, but we still have a reference to the old shared memory address

## gateway_bootloader.idc
#define UNLOADED_FILE   1
#include <idc.idc>

static main(void)
{
        // set 'loading idc file' mode
        set_inf_attr(INF_GENFLAGS, INFFL_LOADIDC|get_inf_attr(INF_GENFLAGS));
        GenInfo();            // various settings
        Segments();           // segmentation
        Enums();              // enumerations

## tx_decompress_v3_internal.py
# The following is adapted from https://github.com/reswitched/loaders/blob/master/nxo64.py
#
# ===========================================================================================
#
# Copyright 2017 Reswitched Team
#
# Permission to use, copy, modify, and/or distribute this software for any purpose with or
# without fee is hereby granted, provided that the above copyright notice and this permission
# notice appear in all copies.
#

## tx_unpack_v3_internal.py
###############################################
# TX SX OS unpacker - by hexkyz and naehrwert #
###############################################

from Crypto.Cipher import AES
from Crypto.Util import Counter
import os
import struct

"""

## jpeg.c
#if 0
Reported : 19-Jan-2020
Fixed in iOS 13.4 with CVE-2020-9768
AppleJPEGDriverUserClient : mach port use-after-free/type-confusion via race condition

AppleJPEGDriverUserClient external methods can be used synchronously or asynchronously, when used asynchronously,
it brings the registered mach port (via registerNotificationPort()) and put it inside jpegRequest data structure,
and no reference count was taken for this operation. since registerNotificationPort() is not gated, it is
possible to release the port (if the port got substituted)  during the processing of jpeg request and end up
with dangling pointer passed to _mach_msg_send_from_kernel_proper().

## ipatch_decode.c
#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define FUSE_IMAGE_SIZE                                             0x400
#define ROM_BASE                                                 0x100000

#define FUSE_BOOTROM_PATCH_SIZE_T210_START_BIT                         13

## GhidraDecompiler.java
// Copyright (C) 2019 Guillaume Valadon <guillaume@valadon.net>
// This program is published under a GPLv2 license

/*
 * Decompile a function with Ghidra
 *
 * analyzeHeadless . Test.gpr -import $BINARY_NAME -postScript GhidraDecompiler.java $FUNCTION_ADDRESS -deleteProject -noanalysis
 *
*/

## extract.py
#!/usr/bin/env python

from os import listdir
from os.path import isfile, join
import re
import json

from bs4 import BeautifulSoup

"""

## nvhax_dump_proc.js
sploitcore.prototype.nvhax_patch_creport = function(ch_base_addr, dram_addr, pid, mem_offset, mem_size) {
    var gpu_va = [0, 0x04];
    var dram_base_addr = (dram_addr & 0xFFF00000);
    var dram_offset = (dram_addr & 0x000F0000);

    // Map GPU MMIO
    var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000);

    // Patch the channel with the base DRAM address
    var ch_iova = this.nvhax_patch_channel(ch_base_addr, dram_base_addr);
	#include <stdlib.h>
	#include <stdio.h>
	#include <pthread/pthread.h>
	#include <mach/mach.h>

	struct ool_msg {
	mach_msg_header_t hdr;
	mach_msg_body_t body;
	mach_msg_ool_ports_descriptor_t ool_ports[];
	};
	#if 0
	IOAccelContext2::finish_fence_event() race condition OOB read/write

	This is a method exposed to user space, it takes a kernel read-only shared memory
	(type 2 via clientMemoryForType()) address and treats it as an IOAccelEvents Array.

	The user supplied index is checked against the IOAccelEvents array bounds,since there are no
	locks held in this method,it is possible to change the array bounds by calling
	IOAccelContext2::clientMemoryForType() again in a separate thread, this will expand the size by
	multiplying the older size by 2, but we still have a reference to the old shared memory address
	#define UNLOADED_FILE 1
	#include <idc.idc>

	static main(void)
	{
	// set 'loading idc file' mode
	set_inf_attr(INF_GENFLAGS, INFFL_LOADIDC\|get_inf_attr(INF_GENFLAGS));
	GenInfo(); // various settings
	Segments(); // segmentation
	Enums(); // enumerations
	# The following is adapted from https://github.com/reswitched/loaders/blob/master/nxo64.py
	#
	# ===========================================================================================
	#
	# Copyright 2017 Reswitched Team
	#
	# Permission to use, copy, modify, and/or distribute this software for any purpose with or
	# without fee is hereby granted, provided that the above copyright notice and this permission
	# notice appear in all copies.
	#
	###############################################
	# TX SX OS unpacker - by hexkyz and naehrwert #
	###############################################

	from Crypto.Cipher import AES
	from Crypto.Util import Counter
	import os
	import struct

	"""
	#if 0
	Reported : 19-Jan-2020
	Fixed in iOS 13.4 with CVE-2020-9768
	AppleJPEGDriverUserClient : mach port use-after-free/type-confusion via race condition

	AppleJPEGDriverUserClient external methods can be used synchronously or asynchronously, when used asynchronously,
	it brings the registered mach port (via registerNotificationPort()) and put it inside jpegRequest data structure,
	and no reference count was taken for this operation. since registerNotificationPort() is not gated, it is
	possible to release the port (if the port got substituted) during the processing of jpeg request and end up
	with dangling pointer passed to _mach_msg_send_from_kernel_proper().
	#include <stdlib.h>
	#include <stdio.h>
	#include <stdint.h>
	#include <stdbool.h>
	#include <string.h>

	#define FUSE_IMAGE_SIZE 0x400
	#define ROM_BASE 0x100000

	#define FUSE_BOOTROM_PATCH_SIZE_T210_START_BIT 13
	// Copyright (C) 2019 Guillaume Valadon <guillaume@valadon.net>
	// This program is published under a GPLv2 license

	/*
	* Decompile a function with Ghidra
	*
	* analyzeHeadless . Test.gpr -import $BINARY_NAME -postScript GhidraDecompiler.java $FUNCTION_ADDRESS -deleteProject -noanalysis
	*
	*/
	#!/usr/bin/env python

	from os import listdir
	from os.path import isfile, join
	import re
	import json

	from bs4 import BeautifulSoup

	"""
	sploitcore.prototype.nvhax_patch_creport = function(ch_base_addr, dram_addr, pid, mem_offset, mem_size) {
	var gpu_va = [0, 0x04];
	var dram_base_addr = (dram_addr & 0xFFF00000);
	var dram_offset = (dram_addr & 0x000F0000);

	// Map GPU MMIO
	var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000);

	// Patch the channel with the base DRAM address
	var ch_iova = this.nvhax_patch_channel(ch_base_addr, dram_base_addr);