/* sub_e568 */ void setup_watchdog_timer(int value) { io_service_t timerservice = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOWatchDogTimer")); if (timerservice != 0) { CFNumberRef cfval = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &value); IORegistryEntrySetCFProperties(timerservice, cfval); IOObjectRelease(timerservice); CFRelease(cfval); } }
int applydict(CFMutableDictionaryRef dict) { int ret = 1; io_service_t nvram = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IODTNVRAM")); if(!MACH_PORT_VALID(nvram)) { ERROR("Failed to get IODTNVRAM service"); } else { kern_return_t kret = IORegistryEntrySetCFProperties(nvram, dict); DEBUG("IORegistryEntrySetCFProperties: 0x%x (%s)\n", kret, mach_error_string(kret)); if(kret == KERN_SUCCESS) { ret = 0; } } return ret; }
int main() { io_service_t service = IOServiceGetMatchingService( kIOMasterPortDefault, IOServiceMatching("IOWatchDogTimer")); assert(service); //assert(!IORegistryEntrySetCFProperty(service, CFSTR("IOWatchDogEnabled"), kCFBooleanFalse)); long zero = 0; CFNumberRef number = CFNumberCreate(NULL, kCFNumberLongType, &zero); assert(!IORegistryEntrySetCFProperties(service, number)); void *kern_hdr; size_t kern_size; void *devicetree; size_t devicetree_size; load("kern", &kern_hdr, &kern_size); load("devicetree", &devicetree, &devicetree_size); // todo use reboot2 system("launchctl unload /System/Library/LaunchDaemons/com.apple.SpringBoard.plist"); syscall(8, kern_hdr, kern_size, devicetree, devicetree_size); return 0; }
int main (int argc, const char *argv[]) { CFMutableDictionaryRef dictRef; io_iterator_t iter; io_service_t service; kern_return_t kr; CFNumberRef numberRef; SInt32 constantOne = 1; constantOne=42; if (argc > 1) { constantOne = atoi(argv[1]); } // The bulk of this code locates all instances of our driver running on the system. // First find all children of our driver. As opposed to nubs, drivers are often not registered // via the registerServices call because nothing is expected to match to them. Unregistered // objects in the I/O Registry are not returned by IOServiceGetMatchingServices. // IOBlockStorageServices is our child in the I/O Registry dictRef = IOServiceMatching("IOBlockStorageServices"); if (!dictRef) { fprintf(stderr, "IOServiceMatching returned NULL.\n"); return -1; } // Create an iterator over all matching IOService nubs. // This consumes a reference on dictRef. kr = IOServiceGetMatchingServices(kIOMasterPortDefault, dictRef, &iter); if (KERN_SUCCESS != kr) { fprintf(stderr, "IOServiceGetMatchingServices returned 0x%08x.\n", kr); CFRelease(dictRef); return -1; } // Create a dictionary to pass to our driver. This dictionary has the key "MyProperty" // and the value an integer 1. dictRef = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); numberRef = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &constantOne); CFDictionarySetValue(dictRef, CFSTR("MyProperty"), numberRef); CFRelease(numberRef); // Iterate across all instances of IOBlockStorageServices. while ((service = IOIteratorNext(iter))) { io_registry_entry_t parent; // Now that our child has been found we can traverse the I/O Registry to find our driver. kr = IORegistryEntryGetParentEntry(service, kIOServicePlane, &parent); if (KERN_SUCCESS != kr) { fprintf(stderr, "IORegistryEntryGetParentEntry returned 0x%08x.\n", kr); } else { // We're only interested in the parent object if it's our driver class. if (IOObjectConformsTo(parent, "fi_dungeon_driver_IOSATDriver")) { // This is the function that results in ::setProperties() being called in our // kernel driver. The dictionary we created is passed to the driver here. kr = IORegistryEntrySetCFProperties(parent, dictRef); if (KERN_SUCCESS != kr) { fprintf(stderr, "IORegistryEntrySetCFProperties returned 0x%08x.\n", kr); } } // Done with the parent object. IOObjectRelease(parent); } // Done with the object returned by the iterator. IOObjectRelease(service); } if (iter != IO_OBJECT_NULL) { IOObjectRelease(iter); iter = IO_OBJECT_NULL; } if (dictRef) { CFRelease(dictRef); dictRef = NULL; } return 0; }
int main(int argc, char* argv[]) { int i; int nandReadOnly=0; struct stat st; printf("Starting ramdisk tool\n"); printf("Compiled " __DATE__ " " __TIME__ "\n"); printf("Revision " HGVERSION "\n"); CFMutableDictionaryRef matching; io_service_t service = 0; matching = IOServiceMatching("IOWatchDogTimer"); if (matching == NULL) { printf("unable to create matching dictionary for class IOWatchDogTimer\n"); } service = IOServiceGetMatchingService(kIOMasterPortDefault, matching); if (service == 0) { printf("unable to create matching dictionary for class IOWatchDogTimer\n"); } uint32_t zero = 0; CFNumberRef n = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &zero); IORegistryEntrySetCFProperties(service, n); IOObjectRelease(service); CFMutableDictionaryRef deviceInfos = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); get_device_infos(deviceInfos); init_tcp(); sysctlbyname("kern.bootargs", bootargs, &bootargs_len, NULL, 0); if (strstr(bootargs, "nand-readonly") || strstr(bootargs, "nand-disable")) { printf("NAND read only mode, data partition wont be mounted\n"); nandReadOnly = 1; } else { printf("Waiting for data partition\n"); for(i=0; i < 10; i++) { if(!stat("/dev/disk0s2s1", &st)) { system("/sbin/fsck_hfs /dev/disk0s2s1"); break; } if(!stat("/dev/disk0s1s2", &st)) { system("/sbin/fsck_hfs /dev/disk0s1s2"); break; } if(!stat("/dev/disk0s2", &st)) { system("/sbin/fsck_hfs /dev/disk0s2"); break; } sleep(5); } } init_usb(CFDictionaryGetValue(deviceInfos, CFSTR("udid"))); printf("USB init done\n"); system("mount /"); //make ramdisk writable chmod("/var/root/.ssh/authorized_keys", 0600); chown("/var/root/.ssh/authorized_keys", 0, 0); chown("/var/root/.ssh", 0, 0); chown("/var/root/", 0, 0); printf(" ####### ## ##\n"); printf("## ## ## ## \n"); printf("## ## ## ## \n"); printf("## ## ##### \n"); printf("## ## ## ## \n"); printf("## ## ## ## \n"); printf(" ####### ## ##\n"); printf("iphone-dataprotection ramdisk\n"); printf("revision: " HGVERSION " " __DATE__ " " __TIME__ "\n"); if(!stat(execve_params[0], &st)) { printf("Running %s\n", execve_params[0]); if((i = posix_spawn(NULL, execve_params[0], NULL, NULL, execve_params, execve_env))) printf("posix_spawn(%s) returned %d\n", execve_params[0], i); } else { printf("%s is missing\n", execve_params[0]); } /*if (nandReadOnly) {*/ if(!stat(ioflash[0], &st)) { printf("Running %s\n", ioflash[0]); if((i = posix_spawn(NULL, ioflash[0], NULL, NULL, ioflash, execve_env))) printf("posix_spawn(%s) returned %d\n", execve_params[0], i); } /*}*/ CFMutableDictionaryRef handlers = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, NULL); CFDictionaryAddValue(handlers, CFSTR("DeviceInfo"), device_info); CFDictionaryAddValue(handlers, CFSTR("GetSystemKeyBag"), load_system_keybag); CFDictionaryAddValue(handlers, CFSTR("BruteforceSystemKeyBag"), bruteforce_system_keybag); CFDictionaryAddValue(handlers, CFSTR("KeyBagGetPasscodeKey"), keybag_get_passcode_key); CFDictionaryAddValue(handlers, CFSTR("GetEscrowRecord"), get_escrow_record); CFDictionaryAddValue(handlers, CFSTR("DownloadFile"), download_file); CFDictionaryAddValue(handlers, CFSTR("AES"), remote_aes); CFDictionaryAddValue(handlers, CFSTR("Reboot"), reboot__); serve_plist_rpc(1999, handlers); return 0; }