diff --git a/README.md b/README.md index 4df7f38..be1ccd3 100644 --- a/README.md +++ b/README.md @@ -10,9 +10,6 @@ Please use the "Issues" tab for **code related** issues only. If you need suppor | Device | Version | |---------|----------| -| iPad Pro | iOS 10.0.0 -> iOS 10.2 | -| iPhone 6S | iOS 10.0.0 -> iOS 10.2 | -| iPhone SE | iOS 10.0.0 -> iOS 10.2 | | iPhone 5S | iOS 10.0.0 -> iOS 10.2 | | iPad Air| iOS 10.0.0 -> iOS 10.2 | | iPad Mini 2| iOS 10.0.0 -> iOS 10.2 | @@ -21,15 +18,19 @@ Please use the "Issues" tab for **code related** issues only. If you need suppor | iPad Air 2| iOS 10.0.0 -> iOS 10.2 | | iPad Mini 4 | iOS 10.0.0 -> iOS 10.2 | | iPod touch (6G) | iOS 10.0.0 -> iOS 10.2 | +| iPad Pro | iOS 10.0.0 -> iOS 10.2 | +| iPhone 6S | iOS 10.0.0 -> iOS 10.2 | +| iPhone SE | iOS 10.0.0 -> iOS 10.2 | ### Planned Support: -In the near future, the jailbreak will support the following devices: +In the near future, the jailbreak will support the following device: | Device | Version | |---------|----------| | iPhone 7 | iOS 10.0.0 -> iOS 10.1.1 | + **Note, the iPhone 7 is only supported till iOS 10.1.1** If you are already on iOS 10.2 with an iPhone 7, **stay there**. The actual exploit behind this still works, but the KPP bypass does not. diff --git a/yalu102/AppDelegate.h b/yalu102/AppDelegate.h index ccd8022..e16ffab 100644 --- a/yalu102/AppDelegate.h +++ b/yalu102/AppDelegate.h @@ -11,7 +11,7 @@ @interface AppDelegate : UIResponder @property (strong, nonatomic) UIWindow *window; - +@property (nonatomic, readwrite) BOOL shouldJailbreak; @end diff --git a/yalu102/AppDelegate.m b/yalu102/AppDelegate.m index 8dfdc30..eb7626c 100644 --- a/yalu102/AppDelegate.m +++ b/yalu102/AppDelegate.m 
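Review bot: The new `shouldJailbreak` property in AppDelegate.h has no doc comment, and `readwrite` is the default so it adds nothing; `@property (nonatomic) BOOL shouldJailbreak;` with a `///` line saying it is set by the URL-scheme and 3D Touch handlers and cleared by the view controller once it has acted would tell a reader why app-delegate state is being used as a message channel. The README hunk on the same line is documentation only.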
@@ -13,13 +13,44 @@ @interface AppDelegate ()
 @end
 @implementation AppDelegate
-
+@synthesize shouldJailbreak = _shouldJailbreak;
 - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
 // Override point for customization after application launch.
 return YES;
 }
+- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {
+ // URL scheme handling
+ NSString *urlParameter = [url host];
+ if ([urlParameter isEqual:@"break"]) {
+ // URL scheme to jailbreak is being handled
+ UIAlertController *alertvc = [UIAlertController alertControllerWithTitle:@"Do you really want to jailbreak?" message:@"You used a URI scheme to break out of jail." preferredStyle:UIAlertControllerStyleAlert];
+ UIAlertAction *actionOk = [UIAlertAction actionWithTitle:@"I want to jailbreak!" style:UIAlertActionStyleDefault handler:^(UIAlertAction * _Nonnull action) {
+ NSLog(@"We're breaking out of jail bois!");
+ _shouldJailbreak = YES;
+ [[NSNotificationCenter defaultCenter] postNotificationName:@"ReevaluateShouldJailbreak" object:nil userInfo:nil];
+ }];
+ UIAlertAction* cancelAction = [UIAlertAction actionWithTitle:@"Cancel" style:UIAlertActionStyleDestructive handler:nil];
+ [alertvc addAction:actionOk];
+ [alertvc addAction:cancelAction];
+ UIViewController *vc = self.window.rootViewController;
+ [vc presentViewController:alertvc animated:YES completion:nil];
+ }
+ return YES;
+}
+
+- (void)application:(UIApplication *)application performActionForShortcutItem:(UIApplicationShortcutItem *)shortcutItem completionHandler:(void (^)(BOOL))completionHandler {
+ // 3D Touch shortcut action handling
+ NSString *bundleIdentifier = [[NSBundle mainBundle] bundleIdentifier];
+ NSLog(@"%@", shortcutItem.type);
+ if ([shortcutItem.type isEqual:[NSString stringWithFormat: @"%@.BREAK", bundleIdentifier]]) {
+ // User has requested through 3D Touch to jailbreal
+ NSLog(@"3D Touch shortcut action to jailbreak hit!");
+ _shouldJailbreak = YES;
+ [[NSNotificationCenter defaultCenter] postNotificationName: @"ReevaluateShouldJailbreak" object:nil userInfo:nil];
+ }
+}
 - (void)applicationWillResignActive:(UIApplication *)application {
 // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state.
@@ -47,5 +78,4 @@ - (void)applicationWillTerminate:(UIApplication *)application {
 // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:.
 }
-
 @end
diff --git a/yalu102/Info.plist b/yalu102/Info.plist
index d052473..e369746 100644
--- a/yalu102/Info.plist
+++ b/yalu102/Info.plist
@@ -2,6 +2,26 @@ + UIApplicationShortcutItems + + + UIApplicationShortcutItemTitle + Jailbreak + UIApplicationShortcutItemType + ${PRODUCT_BUNDLE_IDENTIFIER}.BREAK + + + CFBundleURLTypes + + + CFBundleURLSchemes + + yalu + + CFBundleURLName + $(PRODUCT_BUNDLE_IDENTIFIER) + + CFBundleDevelopmentRegion en CFBundleExecutable
diff --git a/yalu102/ViewController.h b/yalu102/ViewController.h
index 80fe105..5d503aa 100644
--- a/yalu102/ViewController.h
+++ b/yalu102/ViewController.h
@@ -13,6 +13,8 @@ IBOutlet UIButton* dope;
 }
 - (IBAction)yolo:(id)sender;
+- (void) doIt;
+- (bool) alreadyJailbroken;
 @end
diff --git a/yalu102/ViewController.m b/yalu102/ViewController.m
index 63328b3..8cb2665 100644
--- a/yalu102/ViewController.m
+++ b/yalu102/ViewController.m
@@ -14,6 +14,7 @@
 #undef __IPHONE_OS_VERSION_MIN_REQUIRED
 #import
 #include
+#include "AppDelegate.h"
 extern uint64_t procoff;
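Review bot: `application:performActionForShortcutItem:completionHandler:` never invokes `completionHandler`, which UIKit requires to be called with whether the item was handled; add `completionHandler(YES);` inside the `if` (and `completionHandler(NO);` otherwise) before the closing brace. In the URL handler, `isEqual:` on `[url host]` should be `isEqualToString:`, and `application:handleOpenURL:` is superseded by `application:openURL:options:` (iOS 9+), whose options dictionary also names the source application — worth logging, because any app or web page can open the registered `yalu://break` URL, so the confirmation alert is the only gate and must stay in front of the flag being set. The string `@"ReevaluateShouldJailbreak"` appears twice here and twice more in ViewController.m; declare it once, e.g. `extern NSString * const YaluReevaluateShouldJailbreakNotification;` in AppDelegate.h, so a typo cannot silently disconnect the two sides. Writing `_shouldJailbreak = YES;` inside the alert block captures `self` implicitly; `self.shouldJailbreak = YES;` makes the capture visible and goes through the accessor.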
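Review bot: The shortcut type is written `${PRODUCT_BUNDLE_IDENTIFIER}.BREAK` while `CFBundleURLName` uses `$(PRODUCT_BUNDLE_IDENTIFIER)`; both spellings are expanded at build time, but one form would keep the two entries visibly the same value that AppDelegate.m reconstructs at runtime with `stringWithFormat:`. Registering the `yalu` URL scheme makes the jailbreak prompt reachable from any other app or web page on the device; that is presumably intended, and the confirmation alert in the handler is what keeps the action user-driven.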
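Review bot: `- (bool) alreadyJailbroken;` uses C99 `bool` while the rest of this interface uses Cocoa types; `- (BOOL)alreadyJailbroken;` (no space after the type, matching `- (IBAction)yolo:`) avoids a `bool`/`BOOL` mismatch with callers. `doIt` is now public API called from `evaluateShouldJailbreak` yet says nothing about what it does; a `/// Runs the jailbreak, or shows an alert on the simulator.` doc comment, or a descriptive name, would help the next reader.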
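Review bot: `#include "AppDelegate.h"` sits next to `#import` lines and should be `#import "AppDelegate.h"` as well; `#import` skips a header that is already included, while `#include` only does so if AppDelegate.h carries its own guard, which is not visible here.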
@@ -32,17 +33,43 @@ @implementation ViewController
 - (void)viewDidLoad {
 [super viewDidLoad];
+
+ // Check if user is already jailbroken
+ [self performForJailbrokenState];
 init_offsets();
+
+ // Check if user has requested to jailbreak through URL schemes or 3D Touch
+ [self evaluateShouldJailbreak];
+ // Keep checking for when we need to reevaluate this
+ [[NSNotificationCenter defaultCenter] addObserver:self selector:@selector(evaluateShouldJailbreak) name:@"ReevaluateShouldJailbreak" object:nil];
+}
+
+- (void) evaluateShouldJailbreak {
+ if([(AppDelegate*)[[UIApplication sharedApplication] delegate] shouldJailbreak]) {
+ // User opened through 3D touch or URL scheme
+ if(![self alreadyJailbroken]) {
+ [self doIt];
+ }
+ [(AppDelegate*)[[UIApplication sharedApplication] delegate] setShouldJailbreak:NO];
+ }
+}
+
+- (bool) alreadyJailbroken {
 struct utsname u = { 0 };
 uname(&u);
+ bool alreadyJailbroken = strstr(u.version, "MarijuanARM");
+ return alreadyJailbroken;
+}
- if (strstr(u.version, "MarijuanARM")) {
- [dope setEnabled:NO];
- [dope setTitle:@"already jailbroken" forState:UIControlStateDisabled];
+- (void) performForJailbrokenState {
+ // Check if the device is already jailbroken and change the UI accordingly
+ if ([self alreadyJailbroken]) {
+ dispatch_async(dispatch_get_main_queue(), ^{
+ [dope setEnabled:NO];
+ [dope setTitle:@"already jailbroken" forState:UIControlStateDisabled];
+ });
 }
-
- // Do any additional setup after loading the view, typically from a nib.
 }
 typedef natural_t not_natural_t;
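Review bot: `evaluateShouldJailbreak` is registered with `addObserver:selector:` but takes no argument; NSNotificationCenter documents the selector as taking exactly one `NSNotification *` parameter, so declare it `- (void)evaluateShouldJailbreak:(NSNotification *)note` (the direct call in `viewDidLoad` can pass `nil`) and register `@selector(evaluateShouldJailbreak:)`. The observer is never removed; with a deployment target of iOS 9 or later a deallocated observer is tolerated, but a `dealloc` calling `removeObserver:self` is the conventional pairing. In `performForJailbrokenState` the `dispatch_async` to the main queue is redundant for the call from `viewDidLoad`, which already runs on the main thread; if it is kept for the call at the end of `doIt`, a one-line comment saying so would stop the next reader from removing it. `alreadyJailbroken` converts a `strstr` pointer to `bool`; `return strstr(u.version, "MarijuanARM") != NULL;` states the intent, and the `{ 0 }` initializer already makes a failed `uname` read as an empty string rather than garbage.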
@@ -117,13 +144,25 @@ - (void)viewDidLoad {
 #define IKOT_CLOCK 25
 char dt[128];
-- (IBAction)yolo:(UIButton*)sender
-{
+
+- (IBAction)yolo:(UIButton*)sender {
+ [self doIt];
+}
+
+- (void)doIt {
+ #if TARGET_IPHONE_SIMULATOR
+ UIAlertController* alert = [UIAlertController alertControllerWithTitle:@"Cannot Jailbreak" message:@"You are currently running the app in the iOS Simulator. To jailbreak, run the tool on a real device." preferredStyle:UIAlertControllerStyleAlert];
+ [alert addAction: [UIAlertAction actionWithTitle:@"Dismiss" style:UIAlertActionStyleCancel handler:nil]];
+ [self presentViewController:alert animated:YES completion:nil];
+ #else
 /* we out here! */
+ //[dope setEnabled:NO];
+ //[dope setTitle:@"jailbreaking" forState:UIControlStateDisabled];
+ // Breaks something
 mach_port_t vch = 0;
@@ -253,7 +292,7 @@ - (IBAction)yolo:(UIButton*)sender
 ports[i] = 0;
 }
 }
- [sender setTitle:@"failed, retry" forState:UIControlStateNormal];
+ [dope setTitle:@"failed, retry" forState:UIControlStateNormal];
 return;
 foundp:
@@ -273,7 +312,7 @@ - (IBAction)yolo:(UIButton*)sender
 }
 }
 }
- [sender setTitle:@"failed, retry" forState:UIControlStateNormal];
+ [dope setTitle:@"failed, retry" forState:UIControlStateNormal];
 return;
 gotclock:;
@@ -371,16 +410,11 @@ - (IBAction)yolo:(UIButton*)sender
 extern uint64_t slide;
 slide = kernel_base - 0xFFFFFFF007004000;
- void exploit(void*, mach_port_t, uint64_t, uint64_t);
- exploit(sender, pt, kernel_base, allproc_offset);
- [dope setEnabled:NO];
- [dope setTitle:@"already jailbroken" forState:UIControlStateDisabled];
-
-}
+ void exploit(mach_port_t, uint64_t, uint64_t);
+ exploit(pt, kernel_base, allproc_offset);
+ [self performForJailbrokenState];
+ #endif
-- (void)didReceiveMemoryWarning {
- [super didReceiveMemoryWarning];
- // Dispose of any resources that can be recreated.
 }
diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m
index 96d6368..991761e 100644
--- a/yalu102/jailbreak.m
+++ b/yalu102/jailbreak.m
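Review bot: `#if TARGET_IPHONE_SIMULATOR` here and `#if !(TARGET_OS_SIMULATOR)` in jailbreak.m (the hunk on the next line) test two different macros for the same condition; `TARGET_IPHONE_SIMULATOR` is the legacy spelling, so use `#if TARGET_OS_SIMULATOR` here so the call site and the definition of `exploit` can never disagree on a build. The `#if` opened in this hunk is only closed by the `#endif` in the +410 hunk of this file, with `doIt` continuing across everything in between; a trailing `#endif /* TARGET_OS_SIMULATOR */` would help a reader find the pair. The two commented-out `[dope ...]` lines and the `// Breaks something` comment add dead code without saying what breaks; either delete them or name the symptom.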
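Review bot: The prototype `void exploit(mach_port_t, uint64_t, uint64_t);` is declared inside the method body and had to be edited by hand in step with jailbreak.m; put it in a header both files import so the compiler checks the two signatures against each other — this commit is exactly the kind of change where a stale local prototype would still compile and then pass the wrong arguments. After `exploit()` returns, the button state now depends on `performForJailbrokenState`, i.e. on `uname` reporting the "MarijuanARM" string; if `exploit()` can return without that string being present (its failure paths are not visible here), the button stays enabled with its previous title where the old code disabled it unconditionally, so confirm that is intended. Dropping the `didReceiveMemoryWarning` override that only called super is fine.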
@@ -11,6 +11,7 @@
 #import
 #import "devicesupport.h"
+#if !(TARGET_OS_SIMULATOR)
 #import
 #import
 #import
@@ -95,7 +96,7 @@ uint64_t WriteAnywhere32(uint64_t addr, uint32_t val) {
 #import "pte_stuff.h"
-void exploit(void* btn, mach_port_t pt, uint64_t kernbase, uint64_t allprocs)
+void exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs)
 {
 io_iterator_t iterator;
 IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceMatching("IOSurfaceRoot"), &iterator);
@@ -935,3 +936,4 @@ void exploit(void* btn, mach_port_t pt, uint64_t kernbase, uint64_t allprocs)
 NSLog(@"done");
 }
+#endif
diff --git a/yalu102/offsets.c b/yalu102/offsets.c
index 88c4dd0..9e1e548 100644
--- a/yalu102/offsets.c
+++ b/yalu102/offsets.c
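Review bot: `#if !(TARGET_OS_SIMULATOR)` relies on `TargetConditionals.h` having been pulled in by one of the `#import`s above it; if it has not, the undefined macro evaluates to 0 in `#if`, `!(0)` is true, and the whole file is compiled into simulator builds — the opposite of what the guard intends. An explicit `#import <TargetConditionals.h>` directly above the `#if` removes the dependency on import order. The matching `#endif` is at end of file (the +936 hunk), so the guard wraps every definition in the file; any caller must use the same condition, and ViewController.m currently spells it `TARGET_IPHONE_SIMULATOR` instead.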
@@ -109,8 +109,49 @@ void init_offsets() {
 else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Fri Aug 5 22:15:30 PDT 2016; root:xnu-3789.1.24~11/RELEASE_ARM64_S5L8960X") == 0) {
 allproc_offset = 0x5a4128;
 rootvnode_offset = 0x5aa0b8;
- }//some beta ios
- else {
+ } else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:10 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T8010") == 0) {
+ allproc_offset = 0x5ec178; /* @Mila432 */
+ procoff = 0x360;
+ rootvnode_offset = 0x5f20b8; /* @Mila432 */
+ } else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T7001") == 0) {
+ allproc_offset = 0x5b4228; /* @Mila432 */
+ procoff = 0x360;
+ rootvnode_offset = 0x5ba0b8; /* @Mila432 */
+ } else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:11 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T7000") == 0) {
+ allproc_offset = 0x5b4168; /* @Mila432 */
+ procoff = 0x360;
+ rootvnode_offset = 0x5ba0b8; /* @Mila432 */
+ } else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S8000") == 0) {
+ allproc_offset = 0x5a4148; /* @Mila432 */
+ procoff = 0x360;
+ rootvnode_offset = 0x5aa0b8; /* @Mila432 */
+ } else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:11 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S5L8960X") == 0) {
+ allproc_offset = 0x5a4128; /* @Mila432 */
+ procoff = 0x360;
+ rootvnode_offset = 0x5aa0b8; /* @Mila432 */
+ } else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T8010") == 0) {
+ allproc_offset = 0x5ec178; /* @Mila432 */
+ procoff = 0x360;
+ rootvnode_offset = 0x5f20b8; /* @Mila432 */
+ } else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T7001") == 0) {
+ allproc_offset = 0x5b0228; /* @Mila432 */
+ procoff = 0x360;
+ rootvnode_offset = 0x5b60b8; /* @Mila432 */
+ } else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:55 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T7000") == 0) {
+ allproc_offset = 0x5b0168; /* @Mila432 */
+ procoff = 0x360;
+ rootvnode_offset = 0x5b60b8; /* @Mila432 */
+ } else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_S8000") == 0) {
+ allproc_offset = 0x5a4148; /* @Mila432 */
+ procoff = 0x360;
+ rootvnode_offset = 0x5aa0b8; /* @Mila432 */
+ } else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:55 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_S5L8960X") == 0) {
+ allproc_offset = 0x5a4128; /* @Mila432 */
+ procoff = 0x360;
+ rootvnode_offset = 0x5aa0b8; /* @Mila432 */
+ } else if (strstr(u.version, "MarijuanARM")) {
+ printf("Already jailbroken\n");
+ } else {
 printf("missing offset, prob crashing\n");
 }
-}
\ No newline at end of file
+}
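Review bot: `init_offsets` returns `void`, so when no branch matches it prints "missing offset, prob crashing" and the caller in `viewDidLoad` carries on with whatever `allproc_offset`, `rootvnode_offset` and `procoff` held before (their defaults are not visible here); returning a `bool` meaning "offsets known" and having ViewController disable `dope` when it is false would fail closed instead of letting a tap on an unsupported build end in a kernel panic. The new `strstr(u.version, "MarijuanARM")` branch has the same shape — it prints and leaves the offsets untouched — and only works because the UI separately disables the button on that string; a comment saying so, or the same `bool` return, would make the dependency explicit. The ten new branches repeat `procoff = 0x360;` and several identical offset pairs; a `static const` table of `{ version string, allproc, rootvnode, procoff }` entries walked by one `strcmp` loop would make additions a one-line change and remove the copy-paste risk, with the `@Mila432` attributions collected in one comment above it. The function's opening line is outside the hunk.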