Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Logic refactor & URL Schemes / 3D Touch #141

Open
wants to merge 35 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
35 commits
Select commit Hold shift + click to select a range
201982e
Add case for already jailbroken device
Jan 28, 2017
a8a0dac
Added better already jailbroken handling, made a function, and remove…
nullpixel Jan 28, 2017
32f8a0d
Merge branch 'patch-1' of github.com:nullpixel1/yalu102 into patch-1
nullpixel Jan 28, 2017
b99c5f8
Added URL scheme & rename setAleadyJailbroken
nullpixel Jan 28, 2017
e8f8323
Added local bool & rename for easier use in future
nullpixel Jan 28, 2017
25669fc
Add a URL scheme to jailbreak
nullpixel Jan 28, 2017
f289c67
Add 3D touch shortcut to jailbreak
nullpixel Jan 28, 2017
4dfc259
Fixed 3D touch shortcuts not working?
nullpixel Jan 28, 2017
746b443
Add jailbreaking button state
nullpixel Jan 28, 2017
8e105de
Allow building and running on iOS Simulator
aydenp Jan 28, 2017
fc5aaf4
Attempt at fixing issue where shouldJailbreak sticks
nullpixel Jan 28, 2017
b28d73e
Fix 3D Touch shortcut
aydenp Jan 28, 2017
df57c80
Merge remote-tracking branch 'origin/patch-1' into patch-1
aydenp Jan 28, 2017
a169a55
Move actual UI changes outside of logic function
aydenp Jan 28, 2017
9378385
Move shouldJailbreak setter to better spot
aydenp Jan 28, 2017
d25d842
Comment some of the more "easy" code
aydenp Jan 28, 2017
0f33ad8
Move location of device check to make build for real devices again (w…
aydenp Jan 28, 2017
d83fd90
Fixed simulator check in jailbreak file
aydenp Jan 28, 2017
d02d694
Fix jailbreak check always returning true
aydenp Jan 28, 2017
06ff73b
Add some UI changes to main thread
nullpixel Jan 28, 2017
250f337
Merge pull request #1 from kpwn/master
aydenp Jan 29, 2017
44f2e95
Merge branch 'master' into patch-1
Jan 29, 2017
b6dcaf8
Fix offsets typo
aydenp Jan 29, 2017
5c377ba
Merge pull request #2 from kpwn/master
aydenp Jan 29, 2017
89edd86
Add 5s and 6 to supported devices
Jan 29, 2017
12d1c66
Add beta 2
Jan 29, 2017
d7a035c
Forgot to commit confirm alert
nullpixel Jan 29, 2017
eb32ad9
Merge branch 'patch-1' of github.com:nullpixel1/yalu102 into patch-1
nullpixel Jan 29, 2017
9e03639
Merge branch 'master' into patch-1
Jan 29, 2017
255126e
Merge branch 'master' into patch-1
aydenp Jan 29, 2017
e259f23
Merge pull request #3 from kpwn/master
aydenp Jan 30, 2017
a515977
Fixed hanging
Jan 30, 2017
1f1a80a
Merge branch 'master' into patch-1
Jan 31, 2017
7ae3a82
Merge pull request #4 from kpwn/master
aydenp Feb 1, 2017
727ca28
Merge pull request #5 from kpwn/master
aydenp Feb 5, 2017
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 5 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,6 @@ Please use the "Issues" tab for **code related** issues only. If you need suppor

| Device | Version |
|---------|----------|
| iPad Pro | iOS 10.0.0 -> iOS 10.2 |
| iPhone 6S | iOS 10.0.0 -> iOS 10.2 |
| iPhone SE | iOS 10.0.0 -> iOS 10.2 |
| iPhone 5S | iOS 10.0.0 -> iOS 10.2 |
| iPad Air| iOS 10.0.0 -> iOS 10.2 |
| iPad Mini 2| iOS 10.0.0 -> iOS 10.2 |
Expand All @@ -21,15 +18,19 @@ Please use the "Issues" tab for **code related** issues only. If you need suppor
| iPad Air 2| iOS 10.0.0 -> iOS 10.2 |
| iPad Mini 4 | iOS 10.0.0 -> iOS 10.2 |
| iPod touch (6G) | iOS 10.0.0 -> iOS 10.2 |
| iPad Pro | iOS 10.0.0 -> iOS 10.2 |
| iPhone 6S | iOS 10.0.0 -> iOS 10.2 |
| iPhone SE | iOS 10.0.0 -> iOS 10.2 |

### Planned Support:

In the near future, the jailbreak will support the following devices:
In the near future, the jailbreak will support the following device:

| Device | Version |
|---------|----------|
| iPhone 7 | iOS 10.0.0 -> iOS 10.1.1 |


**Note, the iPhone 7 is only supported till iOS 10.1.1**
If you are already on iOS 10.2 with an iPhone 7, **stay there**. The actual exploit behind this still works, but the KPP bypass does not.

Expand Down
2 changes: 1 addition & 1 deletion yalu102/AppDelegate.h
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@
@interface AppDelegate : UIResponder <UIApplicationDelegate>

@property (strong, nonatomic) UIWindow *window;

@property (nonatomic, readwrite) BOOL shouldJailbreak;

@end

34 changes: 32 additions & 2 deletions yalu102/AppDelegate.m
Original file line number Diff line number Diff line change
Expand Up @@ -13,13 +13,44 @@ @interface AppDelegate ()
@end

@implementation AppDelegate

@synthesize shouldJailbreak = _shouldJailbreak;

- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
// Override point for customization after application launch.
return YES;
}

- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {
// URL scheme handling
NSString *urlParameter = [url host];
if ([urlParameter isEqual:@"break"]) {
// URL scheme to jailbreak is being handled
UIAlertController *alertvc = [UIAlertController alertControllerWithTitle:@"Do you really want to jailbreak?" message:@"You used a URI scheme to break out of jail." preferredStyle:UIAlertControllerStyleAlert];
UIAlertAction *actionOk = [UIAlertAction actionWithTitle:@"I want to jailbreak!" style:UIAlertActionStyleDefault handler:^(UIAlertAction * _Nonnull action) {
NSLog(@"We're breaking out of jail bois!");
_shouldJailbreak = YES;
[[NSNotificationCenter defaultCenter] postNotificationName:@"ReevaluateShouldJailbreak" object:nil userInfo:nil];
}];
UIAlertAction* cancelAction = [UIAlertAction actionWithTitle:@"Cancel" style:UIAlertActionStyleDestructive handler:nil];
[alertvc addAction:actionOk];
[alertvc addAction:cancelAction];
UIViewController *vc = self.window.rootViewController;
[vc presentViewController:alertvc animated:YES completion:nil];
}
return YES;
}

- (void)application:(UIApplication *)application performActionForShortcutItem:(UIApplicationShortcutItem *)shortcutItem completionHandler:(void (^)(BOOL))completionHandler {
// 3D Touch shortcut action handling
NSString *bundleIdentifier = [[NSBundle mainBundle] bundleIdentifier];
NSLog(@"%@", shortcutItem.type);
if ([shortcutItem.type isEqual:[NSString stringWithFormat: @"%@.BREAK", bundleIdentifier]]) {
// User has requested through 3D Touch to jailbreal
NSLog(@"3D Touch shortcut action to jailbreak hit!");
_shouldJailbreak = YES;
[[NSNotificationCenter defaultCenter] postNotificationName: @"ReevaluateShouldJailbreak" object:nil userInfo:nil];
}
}

- (void)applicationWillResignActive:(UIApplication *)application {
// Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state.
Expand Down Expand Up @@ -47,5 +78,4 @@ - (void)applicationWillTerminate:(UIApplication *)application {
// Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:.
}


@end
20 changes: 20 additions & 0 deletions yalu102/Info.plist
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,26 @@
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>UIApplicationShortcutItems</key>
<array>
<dict>
<key>UIApplicationShortcutItemTitle</key>
<string>Jailbreak</string>
<key>UIApplicationShortcutItemType</key>
<string>${PRODUCT_BUNDLE_IDENTIFIER}.BREAK</string>
</dict>
</array>
<key>CFBundleURLTypes</key>
<array>
<dict>
<key>CFBundleURLSchemes</key>
<array>
<string>yalu</string>
</array>
<key>CFBundleURLName</key>
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
</dict>
</array>
<key>CFBundleDevelopmentRegion</key>
<string>en</string>
<key>CFBundleExecutable</key>
Expand Down
2 changes: 2 additions & 0 deletions yalu102/ViewController.h
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@
IBOutlet UIButton* dope;
}
- (IBAction)yolo:(id)sender;
- (void) doIt;
- (bool) alreadyJailbroken;

@end

70 changes: 52 additions & 18 deletions yalu102/ViewController.m
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
#undef __IPHONE_OS_VERSION_MIN_REQUIRED
#import <mach/mach.h>
#include <sys/utsname.h>
#include "AppDelegate.h"

extern uint64_t procoff;

Expand All @@ -32,17 +33,43 @@ @implementation ViewController

- (void)viewDidLoad {
[super viewDidLoad];

// Check if user is already jailbroken
[self performForJailbrokenState];
init_offsets();

// Check if user has requested to jailbreak through URL schemes or 3D Touch
[self evaluateShouldJailbreak];
// Keep checking for when we need to reevaluate this
[[NSNotificationCenter defaultCenter] addObserver:self selector:@selector(evaluateShouldJailbreak) name:@"ReevaluateShouldJailbreak" object:nil];
}

- (void) evaluateShouldJailbreak {
if([(AppDelegate*)[[UIApplication sharedApplication] delegate] shouldJailbreak]) {
// User opened through 3D touch or URL scheme
if(![self alreadyJailbroken]) {
[self doIt];
}
[(AppDelegate*)[[UIApplication sharedApplication] delegate] setShouldJailbreak:NO];
}
}

- (bool) alreadyJailbroken {
struct utsname u = { 0 };
uname(&u);

bool alreadyJailbroken = strstr(u.version, "MarijuanARM");
return alreadyJailbroken;
}

if (strstr(u.version, "MarijuanARM")) {
[dope setEnabled:NO];
[dope setTitle:@"already jailbroken" forState:UIControlStateDisabled];
- (void) performForJailbrokenState {
// Check if the device is already jailbroken and change the UI accordingly
if ([self alreadyJailbroken]) {
dispatch_async(dispatch_get_main_queue(), ^{
[dope setEnabled:NO];
[dope setTitle:@"already jailbroken" forState:UIControlStateDisabled];
});
}

// Do any additional setup after loading the view, typically from a nib.
}

typedef natural_t not_natural_t;
Expand Down Expand Up @@ -117,13 +144,25 @@ - (void)viewDidLoad {
#define IKOT_CLOCK 25

char dt[128];
- (IBAction)yolo:(UIButton*)sender
{

- (IBAction)yolo:(UIButton*)sender {
[self doIt];
}

- (void)doIt {
#if TARGET_IPHONE_SIMULATOR
UIAlertController* alert = [UIAlertController alertControllerWithTitle:@"Cannot Jailbreak" message:@"You are currently running the app in the iOS Simulator. To jailbreak, run the tool on a real device." preferredStyle:UIAlertControllerStyleAlert];
[alert addAction: [UIAlertAction actionWithTitle:@"Dismiss" style:UIAlertActionStyleCancel handler:nil]];
[self presentViewController:alert animated:YES completion:nil];
#else
/*

we out here!

*/
//[dope setEnabled:NO];
//[dope setTitle:@"jailbreaking" forState:UIControlStateDisabled];
// Breaks something

mach_port_t vch = 0;

Expand Down Expand Up @@ -253,7 +292,7 @@ - (IBAction)yolo:(UIButton*)sender
ports[i] = 0;
}
}
[sender setTitle:@"failed, retry" forState:UIControlStateNormal];
[dope setTitle:@"failed, retry" forState:UIControlStateNormal];
return;

foundp:
Expand All @@ -273,7 +312,7 @@ - (IBAction)yolo:(UIButton*)sender
}
}
}
[sender setTitle:@"failed, retry" forState:UIControlStateNormal];
[dope setTitle:@"failed, retry" forState:UIControlStateNormal];
return;

gotclock:;
Expand Down Expand Up @@ -371,16 +410,11 @@ - (IBAction)yolo:(UIButton*)sender
extern uint64_t slide;
slide = kernel_base - 0xFFFFFFF007004000;

void exploit(void*, mach_port_t, uint64_t, uint64_t);
exploit(sender, pt, kernel_base, allproc_offset);
[dope setEnabled:NO];
[dope setTitle:@"already jailbroken" forState:UIControlStateDisabled];

}
void exploit(mach_port_t, uint64_t, uint64_t);
exploit(pt, kernel_base, allproc_offset);
[self performForJailbrokenState];
#endif

- (void)didReceiveMemoryWarning {
[super didReceiveMemoryWarning];
// Dispose of any resources that can be recreated.
}


Expand Down
4 changes: 3 additions & 1 deletion yalu102/jailbreak.m
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
#import <mach/mach.h>
#import "devicesupport.h"

#if !(TARGET_OS_SIMULATOR)
#import <IOKit/IOKitLib.h>
#import <dlfcn.h>
#import <Foundation/Foundation.h>
Expand Down Expand Up @@ -95,7 +96,7 @@ uint64_t WriteAnywhere32(uint64_t addr, uint32_t val) {

#import "pte_stuff.h"

void exploit(void* btn, mach_port_t pt, uint64_t kernbase, uint64_t allprocs)
void exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs)
{
io_iterator_t iterator;
IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceMatching("IOSurfaceRoot"), &iterator);
Expand Down Expand Up @@ -935,3 +936,4 @@ void exploit(void* btn, mach_port_t pt, uint64_t kernbase, uint64_t allprocs)

NSLog(@"done");
}
#endif
47 changes: 44 additions & 3 deletions yalu102/offsets.c
Original file line number Diff line number Diff line change
Expand Up @@ -109,8 +109,49 @@ void init_offsets() {
else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Fri Aug 5 22:15:30 PDT 2016; root:xnu-3789.1.24~11/RELEASE_ARM64_S5L8960X") == 0) {
allproc_offset = 0x5a4128;
rootvnode_offset = 0x5aa0b8;
}//some beta ios
else {
} else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:10 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T8010") == 0) {
allproc_offset = 0x5ec178; /* @Mila432 */
procoff = 0x360;
rootvnode_offset = 0x5f20b8; /* @Mila432 */
} else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T7001") == 0) {
allproc_offset = 0x5b4228; /* @Mila432 */
procoff = 0x360;
rootvnode_offset = 0x5ba0b8; /* @Mila432 */
} else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:11 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T7000") == 0) {
allproc_offset = 0x5b4168; /* @Mila432 */
procoff = 0x360;
rootvnode_offset = 0x5ba0b8; /* @Mila432 */
} else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S8000") == 0) {
allproc_offset = 0x5a4148; /* @Mila432 */
procoff = 0x360;
rootvnode_offset = 0x5aa0b8; /* @Mila432 */
} else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:11 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S5L8960X") == 0) {
allproc_offset = 0x5a4128; /* @Mila432 */
procoff = 0x360;
rootvnode_offset = 0x5aa0b8; /* @Mila432 */
} else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T8010") == 0) {
allproc_offset = 0x5ec178; /* @Mila432 */
procoff = 0x360;
rootvnode_offset = 0x5f20b8; /* @Mila432 */
} else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T7001") == 0) {
allproc_offset = 0x5b0228; /* @Mila432 */
procoff = 0x360;
rootvnode_offset = 0x5b60b8; /* @Mila432 */
} else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:55 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T7000") == 0) {
allproc_offset = 0x5b0168; /* @Mila432 */
procoff = 0x360;
rootvnode_offset = 0x5b60b8; /* @Mila432 */
} else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_S8000") == 0) {
allproc_offset = 0x5a4148; /* @Mila432 */
procoff = 0x360;
rootvnode_offset = 0x5aa0b8; /* @Mila432 */
} else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:55 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_S5L8960X") == 0) {
allproc_offset = 0x5a4128; /* @Mila432 */
procoff = 0x360;
rootvnode_offset = 0x5aa0b8; /* @Mila432 */
} else if (strstr(u.version, "MarijuanARM")) {
printf("Already jailbroken\n");
} else {
printf("missing offset, prob crashing\n");
}
}
}