kpwn · nullpixel · Jan 28, 2017 · Jan 28, 2017 · Jan 28, 2017 · Jan 28, 2017
diff --git a/yalu102/AppDelegate.h b/yalu102/AppDelegate.h
@@ -11,7 +11,7 @@
 @interface AppDelegate : UIResponder <UIApplicationDelegate>
 
 @property (strong, nonatomic) UIWindow *window;
-
+@property (nonatomic) BOOL shouldJailbreak;
 
 @end
 
diff --git a/yalu102/AppDelegate.m b/yalu102/AppDelegate.m
@@ -20,6 +20,22 @@ - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(
     return YES;
 }
 
+- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {
+    NSString *urlParameter = [url host];
+    if ([urlParameter isEqual:@"break"]) {
+        NSLog(@"We're breaking out of jail bois!");
+        _shouldJailbreak = YES;
+    }
+    return YES;
+}
+
+- (void)application:(UIApplication *)application performActionForShortcutItem:(UIApplicationShortcutItem *)shortcutItem completionHandler:(void (^)(BOOL))completionHandler {
+    NSString *bundleIdentifier = [[NSBundle mainBundle] bundleIdentifier];
+    NSLog(@"%@", shortcutItem.type);
+    if ([shortcutItem.type isEqual:[NSString stringWithFormat: @"%@.BREAK", bundleIdentifier]]) {
+        _shouldJailbreak = YES;
+    }
+}
 
 - (void)applicationWillResignActive:(UIApplication *)application {
     // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state.
@@ -47,5 +63,4 @@ - (void)applicationWillTerminate:(UIApplication *)application {
     // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:.
 }
 
-
 @end
diff --git a/yalu102/Info.plist b/yalu102/Info.plist
@@ -2,6 +2,26 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
+	<key>UIApplicationShortcutItems </key>
+	<array>
+		<dict>
+			<key>UIApplicationShortcutItemTitle</key>
+			<string>Jailbreak</string>
+			<key>UIApplicationShortcutItemType</key>
+			<string>${PRODUCT_BUNDLE_IDENTIFIER}.BREAK</string>
+		</dict>
+	</array>
+	<key>CFBundleURLTypes</key>
+	<array>
+		<dict>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>yalu</string>
+			</array>
+			<key>CFBundleURLName</key>
+			<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
+		</dict>
+	</array>
 	<key>CFBundleDevelopmentRegion</key>
 	<string>en</string>
 	<key>CFBundleExecutable</key>

diff --git a/yalu102/ViewController.h b/yalu102/ViewController.h
@@ -13,6 +13,8 @@
     IBOutlet UIButton* dope;
 }
 - (IBAction)yolo:(id)sender;
+- (void) doIt;
+- (bool) alreadyJailbroken;
 
 @end
 
diff --git a/yalu102/ViewController.m b/yalu102/ViewController.m
@@ -14,6 +14,7 @@
 #undef __IPHONE_OS_VERSION_MIN_REQUIRED
 #import <mach/mach.h>
 #include <sys/utsname.h>
+#include "AppDelegate.h"
 
 extern uint64_t procoff;
 
@@ -32,17 +33,27 @@ @implementation ViewController
 
 - (void)viewDidLoad {
     [super viewDidLoad];
+    [self alreadyJailbroken];
     init_offsets();
+
+    if([(AppDelegate*)[[UIApplication sharedApplication] delegate] shouldJailbreak]) {
+        // User opened through 3D touch or URL scheme
+        if(![self alreadyJailbroken]){
+            [self doIt];
+        }
+    }
+}
+
+- (bool) alreadyJailbroken {
     struct utsname u = { 0 };
     uname(&u);
 
-
-    if (strstr(u.version, "MarijuanARM")) {
+    bool alreadyJailbroken = strstr(u.version, "MarijuanARM");
+    if (alreadyJailbroken) {
         [dope setEnabled:NO];
         [dope setTitle:@"already jailbroken" forState:UIControlStateDisabled];
     }
-
-    // Do any additional setup after loading the view, typically from a nib.
+    return alreadyJailbroken;
 }
 
 typedef natural_t not_natural_t;
@@ -117,8 +128,12 @@ - (void)viewDidLoad {
 #define IKOT_CLOCK 25
 
 char dt[128];
-- (IBAction)yolo:(UIButton*)sender
-{
+
+- (IBAction)yolo:(UIButton*)sender {
+    [self doIt];
+}
+
+- (void)doIt {
     /*
 
      we out here!
@@ -253,7 +268,7 @@ - (IBAction)yolo:(UIButton*)sender
             ports[i] = 0;
         }
     }
-    [sender setTitle:@"failed, retry" forState:UIControlStateNormal];
+    [dope setTitle:@"failed, retry" forState:UIControlStateNormal];
     return;
 
 foundp:
@@ -273,7 +288,7 @@ - (IBAction)yolo:(UIButton*)sender
             }
         }
     }
-    [sender setTitle:@"failed, retry" forState:UIControlStateNormal];
+    [dope setTitle:@"failed, retry" forState:UIControlStateNormal];
     return;
 
 gotclock:;
@@ -371,16 +386,10 @@ - (IBAction)yolo:(UIButton*)sender
     extern uint64_t slide;
     slide = kernel_base - 0xFFFFFFF007004000;
 
-    void exploit(void*, mach_port_t, uint64_t, uint64_t);
-    exploit(sender, pt, kernel_base, allproc_offset);
-    [dope setEnabled:NO];
-    [dope setTitle:@"already jailbroken" forState:UIControlStateDisabled];
-
-}
+    void exploit(mach_port_t, uint64_t, uint64_t);
+    exploit(pt, kernel_base, allproc_offset);
+    [self alreadyJailbroken];
 
-- (void)didReceiveMemoryWarning {
-    [super didReceiveMemoryWarning];
-    // Dispose of any resources that can be recreated.
 }
 
 

diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m
@@ -95,7 +95,7 @@ uint64_t WriteAnywhere32(uint64_t addr, uint32_t val) {
 
 #import "pte_stuff.h"
 
-void exploit(void* btn, mach_port_t pt, uint64_t kernbase, uint64_t allprocs)
+void exploit(mach_port_t pt, uint64_t kernbase, uint64_t allprocs)
 {
     io_iterator_t iterator;
     IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceMatching("IOSurfaceRoot"), &iterator);

diff --git a/yalu102/offsets.c b/yalu102/offsets.c
@@ -96,6 +96,8 @@ void init_offsets() {
         allproc_offset = 0x5a4128; /* @Mila432 */
         procoff = 0x360;
         rootvnode_offset = 0x5aa0b8; /* @Mila432 */
+    } else if (strstr(u.version, "MarijuanARM")) {
+        printf("Already jailbroken\n");
     } else {
         printf("missing offset, prob crashing\n");
     }