Beispiel #1
0
/* sub_e568 */
void setup_watchdog_timer(int value)
{
	io_service_t timerservice = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOWatchDogTimer"));
	if (timerservice != 0) {
		CFNumberRef cfval = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &value);
		IORegistryEntrySetCFProperties(timerservice, cfval);
		IOObjectRelease(timerservice);
		CFRelease(cfval);
	}
}
Beispiel #2
0
int applydict(CFMutableDictionaryRef dict) {
    int ret = 1;

    io_service_t nvram = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IODTNVRAM"));
    if(!MACH_PORT_VALID(nvram)) {
        ERROR("Failed to get IODTNVRAM service");
    } else {
        kern_return_t kret = IORegistryEntrySetCFProperties(nvram, dict);
        DEBUG("IORegistryEntrySetCFProperties: 0x%x (%s)\n", kret, mach_error_string(kret));
        if(kret == KERN_SUCCESS) {
            ret = 0;
        }
    }

    return ret;
}
Beispiel #3
0
int main() {
    io_service_t service = IOServiceGetMatchingService( kIOMasterPortDefault, IOServiceMatching("IOWatchDogTimer"));
    assert(service);
    //assert(!IORegistryEntrySetCFProperty(service, CFSTR("IOWatchDogEnabled"), kCFBooleanFalse));
    long zero = 0;
    CFNumberRef number = CFNumberCreate(NULL, kCFNumberLongType, &zero);

    assert(!IORegistryEntrySetCFProperties(service, number));

    void *kern_hdr;
    size_t kern_size;
    void *devicetree;
    size_t devicetree_size;

    load("kern", &kern_hdr, &kern_size);
    load("devicetree", &devicetree, &devicetree_size);

    // todo use reboot2
    system("launchctl unload /System/Library/LaunchDaemons/com.apple.SpringBoard.plist");

    syscall(8, kern_hdr, kern_size, devicetree, devicetree_size);
    return 0;
}
int main (int argc, const char *argv[])
{
    CFMutableDictionaryRef dictRef;
    io_iterator_t iter;
    io_service_t service;
    kern_return_t kr;
    CFNumberRef numberRef;
    SInt32 constantOne = 1;
    
    constantOne=42;
    
    if (argc > 1) {
        constantOne = atoi(argv[1]);
    }
    
    // The bulk of this code locates all instances of our driver running on the system.
    
    // First find all children of our driver. As opposed to nubs, drivers are often not registered
    // via the registerServices call because nothing is expected to match to them. Unregistered
    // objects in the I/O Registry are not returned by IOServiceGetMatchingServices.
    
    // IOBlockStorageServices is our child in the I/O Registry
    dictRef = IOServiceMatching("IOBlockStorageServices");
    if (!dictRef) {
        fprintf(stderr, "IOServiceMatching returned NULL.\n");
        return -1;
    }
    
    // Create an iterator over all matching IOService nubs.
    // This consumes a reference on dictRef.
    kr = IOServiceGetMatchingServices(kIOMasterPortDefault, dictRef, &iter);
    if (KERN_SUCCESS != kr) {
        fprintf(stderr, "IOServiceGetMatchingServices returned 0x%08x.\n", kr);
        CFRelease(dictRef);
        return -1;
    }
    
    // Create a dictionary to pass to our driver. This dictionary has the key "MyProperty"
    // and the value an integer 1.
    dictRef = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
                                        &kCFTypeDictionaryKeyCallBacks,
                                        &kCFTypeDictionaryValueCallBacks);
    
    numberRef = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &constantOne);
    CFDictionarySetValue(dictRef, CFSTR("MyProperty"), numberRef);
    CFRelease(numberRef);
    
    // Iterate across all instances of IOBlockStorageServices.
    while ((service = IOIteratorNext(iter))) {
        io_registry_entry_t parent;
        
        // Now that our child has been found we can traverse the I/O Registry to find our driver.
        kr = IORegistryEntryGetParentEntry(service, kIOServicePlane, &parent);
        if (KERN_SUCCESS != kr) {
            fprintf(stderr, "IORegistryEntryGetParentEntry returned 0x%08x.\n", kr);
        }
        else {
            // We're only interested in the parent object if it's our driver class.
            if (IOObjectConformsTo(parent, "fi_dungeon_driver_IOSATDriver")) {
                // This is the function that results in ::setProperties() being called in our
                // kernel driver. The dictionary we created is passed to the driver here.
                kr = IORegistryEntrySetCFProperties(parent, dictRef);
                if (KERN_SUCCESS != kr) {
                    fprintf(stderr, "IORegistryEntrySetCFProperties returned 0x%08x.\n", kr);
                }
            }
            
            // Done with the parent object.
            IOObjectRelease(parent);
        }
        
        // Done with the object returned by the iterator.
        IOObjectRelease(service);
    }
    
    if (iter != IO_OBJECT_NULL) {
        IOObjectRelease(iter);
        iter = IO_OBJECT_NULL;
    }
    
    if (dictRef) {
        CFRelease(dictRef);
        dictRef = NULL;
    }
    
    return 0;
}
int main(int argc, char* argv[])
{
    int i;
    int nandReadOnly=0;
    struct stat st;
    
    printf("Starting ramdisk tool\n");
    printf("Compiled " __DATE__ " " __TIME__ "\n");
    printf("Revision " HGVERSION "\n");
    
    CFMutableDictionaryRef matching;
    io_service_t service = 0;
    matching = IOServiceMatching("IOWatchDogTimer");
    if (matching == NULL) {
        printf("unable to create matching dictionary for class IOWatchDogTimer\n");
    }
    
    service = IOServiceGetMatchingService(kIOMasterPortDefault, matching);
    if (service == 0) {
        printf("unable to create matching dictionary for class IOWatchDogTimer\n");
    }
    uint32_t zero = 0;
    CFNumberRef n = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &zero);
    IORegistryEntrySetCFProperties(service, n);
    IOObjectRelease(service);
    
    CFMutableDictionaryRef deviceInfos = CFDictionaryCreateMutable(kCFAllocatorDefault,
                                                            0,
                                                            &kCFTypeDictionaryKeyCallBacks,
                                                            &kCFTypeDictionaryValueCallBacks);	
    
    get_device_infos(deviceInfos);
    init_tcp();

    sysctlbyname("kern.bootargs", bootargs, &bootargs_len, NULL, 0);
    
    if (strstr(bootargs, "nand-readonly") || strstr(bootargs, "nand-disable"))
    {
        printf("NAND read only mode, data partition wont be mounted\n");
        nandReadOnly = 1;
    }
    else
    {
        printf("Waiting for data partition\n");
        for(i=0; i < 10; i++)
        {
            if(!stat("/dev/disk0s2s1", &st))
            {
                system("/sbin/fsck_hfs  /dev/disk0s2s1");
                break;
            }
            if(!stat("/dev/disk0s1s2", &st))
            {
                system("/sbin/fsck_hfs  /dev/disk0s1s2");
                break;
            }
            if(!stat("/dev/disk0s2", &st))
            {
                system("/sbin/fsck_hfs  /dev/disk0s2");
                break;
            }
            sleep(5);
        }
    }
    init_usb(CFDictionaryGetValue(deviceInfos, CFSTR("udid")));
    printf("USB init done\n");

    system("mount /"); //make ramdisk writable
   
    chmod("/var/root/.ssh/authorized_keys", 0600); 
    chown("/var/root/.ssh/authorized_keys", 0, 0); 
    chown("/var/root/.ssh", 0, 0); 
    chown("/var/root/", 0, 0); 

    printf(" #######  ##    ##\n");
    printf("##     ## ##   ## \n");
    printf("##     ## ##  ##  \n");
    printf("##     ## #####   \n");
    printf("##     ## ##  ##  \n");
    printf("##     ## ##   ## \n"); 
    printf(" #######  ##    ##\n");
    printf("iphone-dataprotection ramdisk\n");
    printf("revision: " HGVERSION " "  __DATE__ " " __TIME__ "\n");
    
    if(!stat(execve_params[0], &st))
    {
        printf("Running %s\n", execve_params[0]);
        if((i = posix_spawn(NULL, execve_params[0], NULL, NULL, execve_params, execve_env)))
            printf("posix_spawn(%s) returned %d\n", execve_params[0], i);
    }
    else
    {
        printf("%s is missing\n", execve_params[0]);
    }
    
    /*if (nandReadOnly)
    {*/
        if(!stat(ioflash[0], &st))
        {
            printf("Running %s\n", ioflash[0]);
            if((i = posix_spawn(NULL, ioflash[0], NULL, NULL, ioflash, execve_env)))
                printf("posix_spawn(%s) returned %d\n", execve_params[0], i);
        }
    /*}*/
    
    CFMutableDictionaryRef handlers = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, NULL);
    CFDictionaryAddValue(handlers, CFSTR("DeviceInfo"), device_info);
    CFDictionaryAddValue(handlers, CFSTR("GetSystemKeyBag"), load_system_keybag);
    CFDictionaryAddValue(handlers, CFSTR("BruteforceSystemKeyBag"), bruteforce_system_keybag);
    CFDictionaryAddValue(handlers, CFSTR("KeyBagGetPasscodeKey"), keybag_get_passcode_key);
    CFDictionaryAddValue(handlers, CFSTR("GetEscrowRecord"), get_escrow_record);
    CFDictionaryAddValue(handlers, CFSTR("DownloadFile"), download_file);
    CFDictionaryAddValue(handlers, CFSTR("AES"), remote_aes);
    CFDictionaryAddValue(handlers, CFSTR("Reboot"), reboot__);

    serve_plist_rpc(1999, handlers);
    return 0;
}