Added: kernbypassd

Automatically enabled on ldrestart and Re-Jailbreak
Baw-Appie · May 7, 2020 · cbe1b78 · cbe1b78
1 parent 1b897a5
commit cbe1b78
Show file tree

Hide file tree

Showing 8 changed files with 159 additions and 9 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,11 @@
+*.o
+.theos/*
+debs/*
+*.deb
+*.dylib
+**/.theos/*
+*/.theos/*
+*.sublime-workspace
+_/*
+*/obj/*
+obj/*
diff --git a/Makefile b/Makefile
@@ -1,17 +1,32 @@
-ARCHS = arm64 arm64e
-THEOS_DEVICE_IP=192.168.1.5
+DEBUG = 0
+GO_EASY_ON_ME = 1
+PACKAGE_VERSION = $(THEOS_PACKAGE_BASE_VERSION)
 
-include $(THEOS)/makefiles/common.mk
+ARCHS = arm64 arm64e
+THEOS_DEVICE_IP = localhost -p 2222
 
 TOOL_NAME = changerootfs
-
 changerootfs_FILES = main.m
+changerootfs_CFLAGS = -objc-arc -Wno-error=unused-variable -Wno-error=unused-function
 
-changerootfs_CFLAGS = -fobjc-arc -Wno-error=unused-variable -Wno-error=unused-function
+SUBPROJECTS += zzzzzzzzznotifychroot
+SUBPROJECTS += kernbypassd
 
+include $(THEOS)/makefiles/common.mk
 include $(THEOS_MAKE_PATH)/tool.mk
+include $(THEOS_MAKE_PATH)/aggregate.mk
+
 
 before-package::
 	ldid -S./ent.plist $(THEOS_STAGING_DIR)/usr/bin/changerootfs
-SUBPROJECTS += zzzzzzzzznotifychroot
-include $(THEOS_MAKE_PATH)/aggregate.mk
+	sudo chown -R root:wheel $(THEOS_STAGING_DIR)
+	sudo chmod -R 755 $(THEOS_STAGING_DIR)
+	sudo chmod 6755 $(THEOS_STAGING_DIR)/usr/bin/kernbypassd
+	sudo chmod 666 $(THEOS_STAGING_DIR)/DEBIAN/control
+
+after-package::
+	make clean
+	sudo rm -rf .theos/_
+
+after-install::
+	install.exec "killall backboardd"
diff --git a/control b/control
@@ -1,6 +1,6 @@
 Package: jp.akusio.kernbypass
 Name: KernBypass
-Version: 0.0.2
+Version: 0.0.3
 Depends: mobilesubstrate, applist, preferenceloader, firmware(>=12.0)
 Architecture: iphoneos-arm
 Description: kernel level jailbreak detection bypass.

diff --git a/kernbypassd/Makefile b/kernbypassd/Makefile
@@ -0,0 +1,10 @@
+DEBUG = 0
+ARCHS = arm64 arm64e
+
+TOOL_NAME = kernbypassd
+kernbypassd_FILES = kernbypassd.m
+kernbypassd_CFLAGS = -objc-arc
+kernbypassd_CODESIGN_FLAGS = -S../ent.plist
+
+include $(THEOS)/makefiles/common.mk
+include $(THEOS_MAKE_PATH)/tool.mk
diff --git a/kernbypassd/kernbypassd.m b/kernbypassd/kernbypassd.m
@@ -0,0 +1,62 @@
+#include <spawn.h>
+#import <dlfcn.h>
+#import <sys/sysctl.h>
+
+#define FLAG_PLATFORMIZE (1 << 1)
+
+static void easy_spawn(const char* args[]) {
+    pid_t pid;
+    int status;
+    posix_spawn(&pid, args[0], NULL, NULL, (char* const*)args, NULL);
+    waitpid(pid, &status, WEXITED);
+}
+
+void platformize_me() {
+    void* handle = dlopen("/usr/lib/libjailbreak.dylib", RTLD_LAZY);
+    if (!handle) return;
+    // Reset errors
+    dlerror();
+    typedef void (*fix_entitle_prt_t)(pid_t pid, uint32_t what);
+    fix_entitle_prt_t ptr = (fix_entitle_prt_t)dlsym(handle, "jb_oneshot_entitle_now");
+
+    const char *dlsym_error = dlerror();
+    if (dlsym_error) return;
+
+    ptr(getpid(), FLAG_PLATFORMIZE);
+}
+
+void patch_setuid() {
+    void* handle = dlopen("/usr/lib/libjailbreak.dylib", RTLD_LAZY);
+    if (!handle) return;
+    // Reset errors
+    dlerror();
+    typedef void (*fix_setuid_prt_t)(pid_t pid);
+    fix_setuid_prt_t ptr = (fix_setuid_prt_t)dlsym(handle, "jb_oneshot_fix_setuid_now");
+
+    const char *dlsym_error = dlerror();
+    if (dlsym_error) return;
+
+    ptr(getpid());
+}
+
+int main(int argc, char **argv, char **envp) {
+    @autoreleasepool {
+        patch_setuid();
+        platformize_me();
+        setuid(0);
+        if((chdir("/")) < 0) {
+            exit(EXIT_FAILURE);
+        }
+
+        printf("/usr/bin/changerootfs &\n");
+        easy_spawn((const char *[]){"/usr/bin/changerootfs", "&", NULL});
+
+        sleep(3);
+
+        printf("disown %%1\n");
+        easy_spawn((const char *[]){"disown", "%1", NULL});
+
+        printf("RUNNING DAEMON\n");
+    }
+	return 0;
+}
diff --git a/layout/DEBIAN/postinst b/layout/DEBIAN/postinst
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+if ! [ -d /var/MobileSoftwareUpdate/mnt1 ]; then
+ echo "/var/MobileSoftwareUpdate/mnt1 FOLDER NOT FOUND"
+
+ mkdir -p /var/MobileSoftwareUpdate/mnt1
+ chmod 700 /var/MobileSoftwareUpdate/mnt1
+ chown root:wheel /var/MobileSoftwareUpdate/mnt1
+
+ echo "/var/MobileSoftwareUpdate/mnt1 FOLDER CREATED SUCCESS"
+fi
+
+/usr/bin/changerootfs &
+
+echo "/usr/bin/changerootfs &"
+sleep 3
+
+disown %1
+echo "disown %1"
+
+echo "RUNNING DAEMON"
+
+exit 0
diff --git a/layout/DEBIAN/postrm b/layout/DEBIAN/postrm
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+echo "Reboot after uninstalling."
+
+exit 0
diff --git a/zzzzzzzzznotifychroot/Tweak.x b/zzzzzzzzznotifychroot/Tweak.x
@@ -1,11 +1,27 @@
 #import <Foundation/Foundation.h>
 #import <CoreFoundation/CoreFoundation.h>
+#include <spawn.h>
+
+#define kCFCoreFoundationVersionNumber_iOS_12_0 1556.00
 
 #define PLIST_PATH @"/var/mobile/Library/Preferences/jp.akusio.kernbypass.plist"
 
-extern CFNotificationCenterRef CFNotificationCenterGetDistributedCenter(void);
+static void easy_spawn(const char* args[]){
+    pid_t pid;
+    int status;
+    posix_spawn(&pid, args[0], NULL, NULL, (char* const*)args, NULL);
+    waitpid(pid, &status, WEXITED);
+}
 
+// Automatically enabled on ldrestart and Re-Jailbreak
+%group SpringBoardHook %hook SpringBoard
+- (void)applicationDidFinishLaunching:(id)arg1{
+    %orig;
+    easy_spawn((const char *[]){"/usr/bin/kernbypassd", NULL});
+}
+%end %end
 
+extern CFNotificationCenterRef CFNotificationCenterGetDistributedCenter(void);
 
 BOOL isEnableApplication(){
 
@@ -24,6 +40,14 @@ BOOL isEnableApplication(){
 }
 
 %ctor{
+    // SpringBoard Hook
+    NSString* identifier = [[NSBundle mainBundle] bundleIdentifier];
+
+    if(kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_12_0 &&
+       [identifier isEqualToString:@"com.apple.springboard"] &&
+       [[NSFileManager defaultManager] fileExistsAtPath:@"/usr/bin/kernbypassd"]){
+        %init(SpringBoardHook);
+    }
 
     if(!isEnableApplication()){
         return;