fix ios 16.1.2-, amongst other things.

SerotoninApp · Jan 8, 2024 · 0fdf39f · 0fdf39f
1 parent a650d22
commit 0fdf39f
Show file tree

Hide file tree

Showing 8 changed files with 97 additions and 5 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,36 @@
+name: Build Serotonin
+
+on:
+  push:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: macos-13
+
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Switch to Xcode 15
+      run: sudo xcode-select -s /Applications/Xcode_15.0.app
+
+    - name: Install theos
+      run: bash -c "$(curl -fsSL https://raw.githubusercontent.com/roothide/theos/master/bin/install-theos)"
+
+    - name: Download ct_bypass to /usr/local/bin
+      run: |
+        curl -L -o /usr/local/bin/ct_bypass https://cdn.mineek.dev/serotonin/action_deps/ct_bypass
+        chmod +x /usr/local/bin/ct_bypass
+
+    - name: Install ldid
+      run: brew install ldid-procursus
+
+    - name: Compile IPA
+      run: make
+
+    - name: Upload IPA
+      uses: actions/upload-artifact@v2
+      with:
+        name: Serotonin.tipa
+        path: Serotonin.tipa
diff --git a/RootHelperSample/launchdshim/SpringBoardShim/SpringBoardHook/Tweak.x b/RootHelperSample/launchdshim/SpringBoardShim/SpringBoardHook/Tweak.x
@@ -136,8 +136,8 @@ bool OpenedTweaks = false;
 bool os_variant_has_internal_content(const char* subsystem);
 %hookf(bool, os_variant_has_internal_content, const char* subsystem) {
     if (OpenedTweaks == false) {
+        spawnRoot(jbroot(@"/basebin/bootstrapd"), @[@"daemon",@"-f"], nil, nil);
         if (isarm64e()) {
-            spawnRoot(jbroot(@"/basebin/bootstrapd"), @[@"daemon",@"-f"], nil, nil);
             dlopen(jbroot(@"/basebin/bootstrap.dylib").UTF8String, RTLD_GLOBAL | RTLD_NOW);
         } else {
             NSLog(@"[mineek's supporttweak] loading actual tweaks");
@@ -164,7 +164,6 @@ bool os_variant_has_internal_content(const char* subsystem);
                     }
 			    }
             }
-            spawnRoot(jbroot(@"/basebin/bootstrapd"), @[@"daemon",@"-f"], nil, nil);
         }
         OpenedTweaks = true;
         return true;

diff --git a/RootHelperSample/launchdshim/SpringBoardShim/SpringBoardHook/springboardhooksigned.dylib b/RootHelperSample/launchdshim/SpringBoardShim/SpringBoardHook/springboardhooksigned.dylib
diff --git a/usprebooter/fun/offsets.h b/usprebooter/fun/offsets.h
@@ -48,6 +48,8 @@ extern uint32_t off_fp_glob;
 extern uint32_t off_fg_data;
 extern uint32_t off_fg_flag;
 extern uint32_t off_vnode_v_ncchildren_tqh_first;
+extern uint32_t off_vnode_v_ncchildren_tqh_last;
+extern uint32_t off_vnode_v_nclinks_lh_first;
 extern uint32_t off_vnode_v_iocount;
 extern uint32_t off_vnode_v_usecount;
 extern uint32_t off_vnode_v_flag;
@@ -70,7 +72,10 @@ extern uint32_t off_mount_mnt_fsgroup;
 extern uint32_t off_mount_mnt_devvp;
 extern uint32_t off_mount_mnt_flag;
 extern uint32_t off_specinfo_si_flags;
+extern uint32_t off_namecache_nc_dvp;
 extern uint32_t off_namecache_nc_vp;
+extern uint32_t off_namecache_nc_hashval;
+extern uint32_t off_namecache_nc_name;
 extern uint32_t off_namecache_nc_child_tqe_prev;
 extern uint32_t off_ipc_space_is_table;
 extern uint32_t off_ubc_info_cs_blobs;

diff --git a/usprebooter/fun/offsets.m b/usprebooter/fun/offsets.m
@@ -49,6 +49,8 @@
 uint32_t off_fg_data = 0;
 uint32_t off_fg_flag = 0;
 uint32_t off_vnode_v_ncchildren_tqh_first = 0;
+uint32_t off_vnode_v_ncchildren_tqh_last = 0;
+uint32_t off_vnode_v_nclinks_lh_first = 0;
 uint32_t off_vnode_v_iocount = 0;
 uint32_t off_vnode_v_usecount = 0;
 uint32_t off_vnode_v_flag = 0;
@@ -68,10 +70,14 @@
 uint32_t off_mount_mnt_devvp = 0;
 uint32_t off_mount_mnt_flag = 0;
 uint32_t off_specinfo_si_flags = 0;
+uint32_t off_namecache_nc_dvp = 0;
 uint32_t off_namecache_nc_vp = 0;
+uint32_t off_namecache_nc_hashval = 0;
+uint32_t off_namecache_nc_name = 0;
 uint32_t off_namecache_nc_child_tqe_prev = 0;
 
 #define SYSTEM_VERSION_EQUAL_TO(v)                  ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] == NSOrderedSame)
+#define SYSTEM_VERSION_LOWER_THAN(v)                ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] == NSOrderedAscending)
 
 void _offsets_init(void) {
     if(SYSTEM_VERSION_EQUAL_TO(@"16.1.2")||SYSTEM_VERSION_EQUAL_TO(@"16.2")||SYSTEM_VERSION_EQUAL_TO(@"16.3")||SYSTEM_VERSION_EQUAL_TO(@"16.3.1")) {
@@ -136,6 +142,8 @@ void _offsets_init(void) {
 
         //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/vnode_internal.h#L158
         off_vnode_v_ncchildren_tqh_first = 0x30;
+        off_vnode_v_ncchildren_tqh_last = 0x38;
+        off_vnode_v_nclinks_lh_first = 0x40;
         off_vnode_v_iocount = 0x64;
         off_vnode_v_usecount = 0x60;
         off_vnode_v_flag = 0x54;
@@ -161,7 +169,10 @@ void _offsets_init(void) {
         off_specinfo_si_flags = 0x10;
 
         //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/namei.h#L243
+        off_namecache_nc_dvp = 0x40;
         off_namecache_nc_vp = 0x48;
+        off_namecache_nc_hashval = 0x50;
+        off_namecache_nc_name = 0x58;
         off_namecache_nc_child_tqe_prev = 0x10;
 
     } else if (SYSTEM_VERSION_EQUAL_TO(@"16.7.2")||SYSTEM_VERSION_EQUAL_TO(@"16.7.1")||SYSTEM_VERSION_EQUAL_TO(@"16.7")||SYSTEM_VERSION_EQUAL_TO(@"16.6.1")||SYSTEM_VERSION_EQUAL_TO(@"16.6")||SYSTEM_VERSION_EQUAL_TO(@"16.4")||SYSTEM_VERSION_EQUAL_TO(@"16.4.1")||SYSTEM_VERSION_EQUAL_TO(@"16.5") || SYSTEM_VERSION_EQUAL_TO(@"16.5.1")) {
@@ -253,7 +264,6 @@ void _offsets_init(void) {
         //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/namei.h#L243
         off_namecache_nc_vp = 0x48;
         off_namecache_nc_child_tqe_prev = 0x0;
-
     }else {
         NSLog(@"[-] No matching offsets.");
         exit(EXIT_FAILURE);

diff --git a/usprebooter/fun/vnode.h b/usprebooter/fun/vnode.h
@@ -116,4 +116,5 @@ uint64_t funVnodeOverwriteFileUnlimitSize(char* to, char* from);
 
 void ChangeDirFor(int pid, const char *where); // change directory for something with chroot
 
+uint64_t SwitchSysBin160(char* to, char* from, uint64_t* orig_to_vnode, uint64_t* orig_nc_vp); // overwrite v_name to swap files
 int SwitchSysBin(uint64_t vnode, char* what, char* with); // overwrite v_name to swap files
diff --git a/usprebooter/fun/vnode.m b/usprebooter/fun/vnode.m
@@ -589,6 +589,38 @@ int SwitchSysBin(uint64_t vnode, char* what, char* with)
         }
         vp_namecache = kread64(vp_namecache + off_namecache_nc_child_tqe_prev);
     }
-
     return 0;
 }
+
+uint64_t SwitchSysBin160(char* to, char* from, uint64_t* orig_to_vnode, uint64_t* orig_nc_vp)
+{
+    uint64_t to_vnode = getVnodeAtPath(to);
+    if(to_vnode == -1) {
+        NSString *to_dir = [[NSString stringWithUTF8String:to] stringByDeletingLastPathComponent];
+        NSString *to_file = [[NSString stringWithUTF8String:to] lastPathComponent];
+        uint64_t to_dir_vnode = getVnodeAtPathByChdir(to_dir.UTF8String);
+        to_vnode = findChildVnodeByVnode(to_dir_vnode, to_file.UTF8String);
+        if(to_vnode == 0) {
+            printf("[-] Couldn't find file (to): %s", to);
+            return -1;
+        }
+    }
+
+    uint64_t from_vnode = getVnodeAtPath(from);
+    if(from_vnode == -1) {
+        NSString *from_dir = [[NSString stringWithUTF8String:from] stringByDeletingLastPathComponent];
+        NSString *from_file = [[NSString stringWithUTF8String:from] lastPathComponent];
+        uint64_t from_dir_vnode = getVnodeAtPathByChdir(from_dir.UTF8String);
+        from_vnode = findChildVnodeByVnode(from_dir_vnode, from_file.UTF8String);
+        if(from_vnode == 0) {
+            printf("[-] Couldn't find file (from): %s", from);
+            return -1;
+        }
+    }
+
+    uint64_t to_vnode_nc = kread64(to_vnode + off_vnode_v_nclinks_lh_first);
+    *orig_nc_vp = kread64(to_vnode_nc + off_namecache_nc_vp);
+    *orig_to_vnode = to_vnode;
+    kwrite64(to_vnode_nc + off_namecache_nc_vp, from_vnode);
+    return 0;
+}
diff --git a/usprebooter/overwriter.m b/usprebooter/overwriter.m
@@ -2,6 +2,7 @@
 @import Foundation;
 @import MachO;
 
+#include <UIKit/UIKit.h>
 #import <mach-o/fixup-chains.h>
 #import "vm_unaligned_copy_switch_race.h"
 #import "overwriter.h"
@@ -14,11 +15,19 @@
     return jbroot(@"lunchd");
 }
 
+#define SYSTEM_VERSION_LOWER_THAN(v)                ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] == NSOrderedAscending)
+
 bool overwrite_patchedlaunchd_kfd(void) {
     // ayo whats this – bomberfish
 //    SwitchSysBin(getVnodeAtPathByChdir("/System/Library/CoreServices/SpringBoard.app"), "SpringBoard", "/var/jb/SprangBoard");
     printf("[i] performing launchd hax\n");
-    SwitchSysBin(getVnodeAtPathByChdir("/sbin"), "launchd", getLunchd().UTF8String);
+    if (SYSTEM_VERSION_LOWER_THAN(@"16.2")) {
+        uint64_t orig_nc_vp = 0;
+        uint64_t orig_to_vnode = 0;
+        SwitchSysBin160("/sbin/launchd", getLunchd().UTF8String, &orig_to_vnode, &orig_nc_vp);
+    } else {
+        SwitchSysBin(getVnodeAtPathByChdir("/sbin"), "launchd", getLunchd().UTF8String);
+    }
     printf("[i] launchd haxed\n");
     return true;
 }