Merge pull request #40 from PsychoTea/develop

v0.9-007 Pre-Release

Meridian/Meridian/views/ViewController.m

@@ -25,7 +25,7 @@ @interface ViewController ()
 @property (weak, nonatomic) IBOutlet UILabel *versionLabel;
 @end
 
-NSString *Version = @"Meridian: v0.9-006 Pre-Release";
+NSString *Version = @"Meridian: v0.9-007 Pre-Release";
 NSOperatingSystemVersion osVersion;
 
 id thisClass;

Meridian/jailbreakd/helpers/kmem.c → Meridian/jailbreakd/helpers/kmem.m

@@ -1,5 +1,7 @@
-#import "kern_utils.h"
-#import "kmem.h"
+#include "kern_utils.h"
+#include "kmem.h"
+
+#import <Foundation/Foundation.h>
 
 #define MAX_CHUNK_SIZE 0xFFF
 
@@ -88,32 +90,28 @@ typedef struct {
 } kmap_hdr_t;
 
 uint64_t zm_fix_addr(uint64_t addr) {
-  static kmap_hdr_t zm_hdr = {0, 0, 0, 0};
-  if (zm_hdr.start == 0) {
-    // xxx rk64(0) ?!
-      // uint64_t zone_map_ref = find_zone_map_ref();
-      fprintf(stderr, "offset_zonemap = %llx \n", offset_zonemap);
-      fprintf(stderr, "zone_map_ref: %llx \n", offset_zonemap + kernel_slide);
-    uint64_t zone_map = rk64(offset_zonemap + kernel_slide);
-      fprintf(stderr, "zone_map: %llx \n", zone_map);
-    // hdr is at offset 0x10, mutexes at start
-    size_t r = kread(zone_map + 0x10, &zm_hdr, sizeof(zm_hdr));
-    fprintf(stderr, "zm_range: 0x%llx - 0x%llx (read 0x%zx, exp 0x%zx)\n", zm_hdr.start, zm_hdr.end, r, sizeof(zm_hdr));
-
-    if (r != sizeof(zm_hdr) || zm_hdr.start == 0 || zm_hdr.end == 0) {
-      fprintf(stderr, "kread of zone_map failed!\n");
-      exit(1);
-    }
-
-    if (zm_hdr.end - zm_hdr.start > 0x100000000) {
-        fprintf(stderr, "zone_map is too big, sorry.\n");
-        exit(1);
+    static kmap_hdr_t zm_hdr = {0, 0, 0, 0};
+
+    if (zm_hdr.start == 0) {
+        uint64_t zone_map = rk64(offset_zonemap + kernel_slide);
+
+        // hdr is at offset 0x10, mutexes at start
+        size_t r = kread(zone_map + 0x10, &zm_hdr, sizeof(zm_hdr));
+
+        if (r != sizeof(zm_hdr) || zm_hdr.start == 0 || zm_hdr.end == 0) {
+            NSLog(@"kread of zone_map failed!");
+            return 0;
+        }
+
+        if (zm_hdr.end - zm_hdr.start > 0x100000000) {
+            NSLog(@"zone_map is too big, sorry.\n");
+            return 0;
+        }
     }
-  }
 
-  uint64_t zm_tmp = (zm_hdr.start & 0xffffffff00000000) | ((addr) & 0xffffffff);
+    uint64_t zm_tmp = (zm_hdr.start & 0xffffffff00000000) | ((addr) & 0xffffffff);
 
-  return zm_tmp < zm_hdr.start ? zm_tmp + 0x100000000 : zm_tmp;
+    return zm_tmp < zm_hdr.start ? zm_tmp + 0x100000000 : zm_tmp;
 }
 
 int kstrcmp(uint64_t kstr, const char *str) {

Meridian/jailbreakd/kern_utils.m

@@ -42,9 +42,6 @@ uint64_t proc_find(int pd) {
 }
 
 CACHED_FIND(uint64_t, our_task_addr) {
-    // proc_find won't work as it requires kexecute, which
-    // is not yet set up when this is called. we will just
-    // manually walk the proc list instead
     uint64_t proc = rk64(kernprocaddr + 0x8);
 
     while (proc) {

Meridian/jailbreakd/mach/jailbreak_daemonServer.c

@@ -1,6 +1,6 @@
 /*
  * IDENTIFICATION:
- * stub generated Tue Aug 14 18:38:08 2018
+ * stub generated Fri Sep 21 22:56:39 2018
  * with a MiG generated by bootstrap_cmds-96.20.2
  * OPTIONS: 
  */

Meridian/jailbreakd/mach/mig.defs

@@ -4,6 +4,8 @@ subsystem jailbreak_daemon 500;
 userprefix jbd_;
 serverprefix jbd_;
 
+WaitTime 2500;
+
 #include <mach/std_types.defs>
 #include <mach/mach_types.defs>
 

Meridian/pspawn_hook/mach/jailbreak_daemonUser.c

@@ -1,6 +1,6 @@
 /*
  * IDENTIFICATION:
- * stub generated Tue Aug 14 18:38:08 2018
+ * stub generated Fri Sep 21 22:56:39 2018
  * with a MiG generated by bootstrap_cmds-96.20.2
  * OPTIONS: 
  */
@@ -231,10 +231,14 @@ mig_external kern_return_t jbd_call
 /* END VOUCHER CODE */
 
 	__BeforeSendRpc(500, "call")
-	msg_result = mach_msg(&InP->Head, MACH_SEND_MSG|MACH_RCV_MSG|MACH_MSG_OPTION_NONE, (mach_msg_size_t)sizeof(Request), (mach_msg_size_t)sizeof(Reply), InP->Head.msgh_reply_port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
+	msg_result = mach_msg(&InP->Head, MACH_SEND_MSG|MACH_RCV_MSG|MACH_SEND_TIMEOUT|MACH_RCV_TIMEOUT|MACH_MSG_OPTION_NONE, (mach_msg_size_t)sizeof(Request), (mach_msg_size_t)sizeof(Reply), InP->Head.msgh_reply_port, 2500, MACH_PORT_NULL);
 	__AfterSendRpc(500, "call")
+
+	if (msg_result == MACH_SEND_TIMED_OUT) {
+	}
+
 	if (msg_result != MACH_MSG_SUCCESS) {
-		__MachMsgErrorWithoutTimeout(msg_result);
+		__MachMsgErrorWithTimeout(msg_result);
 		{ return msg_result; }
 	}
 

Meridian/pspawn_hook/pspawn_hook.m

@@ -54,6 +54,8 @@
 
 mach_port_t jbd_port;
 
+dispatch_queue_t queue = NULL;
+
 #define DYLD_INSERT             "DYLD_INSERT_LIBRARIES="
 #define MAX_INJECT              1
 
@@ -243,7 +245,7 @@ int fake_posix_spawn_common(pid_t *pid,
             kern_return_t ret = jbd_call(jbd_port, JAILBREAKD_COMMAND_ENTITLE_AND_SIGCONT_FROM_XPCPROXY, ourpid);
 
             if (ret != KERN_SUCCESS) {
-                DEBUGLOG("jbd_call(xpcproxy, %d): %s", ourpid, mach_error_string(ret));
+                DEBUGLOG("jbd_call(xpcproxy, %d): %x (%s)", ourpid, ret, mach_error_string(ret));
             }
         }
     }
@@ -261,12 +263,12 @@ int fake_posix_spawn_common(pid_t *pid,
         *pid = child;
     }
 
-     if (ninject > 0 && current_process == PROCESS_LAUNCHD) {
+    dispatch_async(queue, ^{
         kern_return_t ret = jbd_call(jbd_port, JAILBREAKD_COMMAND_ENTITLE_AND_SIGCONT, child);
         if (ret != KERN_SUCCESS) {
-            DEBUGLOG("jbd_call(launchd, %d): %s", child, mach_error_string(ret));
+            DEBUGLOG("jbd_call(launchd, %d): %x (%s)", child, ret, mach_error_string(ret));
         }
-    }
+    });
 
     retval = 0;
 
@@ -307,6 +309,8 @@ void rebind_pspawns(void) {
 
 __attribute__ ((constructor))
 static void ctor(void) {
+    queue = dispatch_queue_create("pspawn.queue", NULL);
+
     char pathbuf[PROC_PIDPATHINFO_MAXSIZE];
     bzero(pathbuf, sizeof(pathbuf));
     proc_pidpath(getpid(), pathbuf, sizeof(pathbuf));