Use kfund's libkfd and fun and offset finder! iPADS AND ARM64 CONFIRM…

…ED WORKING! FIXES ALMOST EVERY ISSUE! (#54)

* Kfund libkfd and fun?

* Update ContentView.swift

* Update TheCoolerContentView.swift

* Add switchsysbin back lol

* Fix maybe?

* Fix an include error maybe?

* Update utils.m

* Update project.pbxproj

* Update project.pbxproj

* grrr more import errors

* I'm dumb lol

* pls work

* did it wrong lol

* Update usprebooter-Bridging-Header.h

* Update usprebooter-Bridging-Header.h

* Update project.pbxproj

* I had the wrong number lol

* Why won’t you compile krw.m :(

* OK IT SHOULD COMPILE NOW

* PLEASE COMPILE NOWWWW

* It should work now, if it doesn’t then bruh

* Update common.h

* eta s0n

* Update fun.m

* Update fun.h

* eta wen

* eta even s0n

* make it actually do something lol

* fix maybe

* /dev/aes_0 doesn't like me

* Update dynamic_info.h

* fix assert.

* fix macros

* Revert "Merge branch 'mineek:main' into main"

This reverts commit 7dbc022, reversing
changes made to 8320b71.

LATEST BROKEN LOL

* maybe it does?

* Update common.h

* Update fun.m

* Update offsets.m

* Update offsets.m

* Update fun.m

* Update fun.m

* Update to latest kfund 1

* Update latest kfund 2/2

* Works for other people who it wasn't working for before: attempt to fix for me.

* M1/M2 fix 1

* M1/M2 fix 2

* M1/M2 fix 3

* M1/M2 fix 4

* M1/M2 fix 5

* M1/M2 fix final (should also fix A16)

* Rename libdimentio.c to libdimentio.m

* Fix

* Fix again

* Update project.pbxproj

* Update overwriter.m

* Proper overwriter fix.

* Fix M1/M2 for real this time hopefully

* Update TheCoolerContentView.swift

* Update troller.m

* Update troller.h

* Add option for if you're on a beta version.

* Update troller.h

* Update overwriter.h

* Try again

* Whoops

* Me when the

README.md

@@ -26,11 +26,11 @@ To use this app, you need to be on a supported version (mentioned above), and ha
  - [KFD Exploit](https://github.com/felix-pb/kfd)
 
 ## TODO
+ - Try adding support for lower iOS versions by overwriting NSGetExecutablePath
  - Add support for arm64
+ - Add a boot splash screen (SOON)
  - Fix some Makefile jankiness
  - Fix `puaf_pages` picker crash in new UI
- - Add option and installer for Procursus (Rootless) bootstrap
- - Add system wide injection into daemons
 
 ## Credits
 - [DuyKhanhTran](https://github.com/khanhduytran0) - launchd and SpringBoard hooks

RootHelperSample/RootHelperSample.xcodeproj/xcuserdata/ibarahime.xcuserdatad/xcschemes/xcschememanagement.plist

@@ -7,7 +7,7 @@
 		<key>RootHelperSample.xcscheme_^#shared#^_</key>
 		<dict>
 			<key>orderHint</key>
-			<integer>1</integer>
+			<integer>0</integer>
 		</dict>
 	</dict>
 </dict>

RootHelperSample/launchdshim/launchdhook/Makefile

@@ -6,9 +6,7 @@ include $(THEOS)/makefiles/common.mk
 LIBRARY_NAME = launchdhook
 
 launchdhook_FILES = $(wildcard *.m) $(wildcard *.c) $(wildcard verbose/*.m)
-launchdhook_CFLAGS = -fobjc-arc -isystem ../../../apple-include -Wno-error
-
- #"../../../usprebooter/Private Headers I stole from the macOS SDK"
+launchdhook_CFLAGS = -fobjc-arc -isystem "../../../usprebooter/Private Headers I stole from the macOS SDK" -Wno-error
 launchdhook_CODESIGN_FLAGS = -S../launchdentitlements.plist
 launchdhook_LDFLAGS = -F./Frameworks
 launchdhook_EXTRA_FRAMEWORKS += IOMobileFramebuffer IOSurface

RootHelperSample/launchdshim/launchdhook/main.m

@@ -6,8 +6,6 @@
 #include <stdio.h>
 #include "fishhook.h"
 #include <spawn.h>
-#include <sys/spawn_internal.h>
-#include <spawn_private.h>
 #include <limits.h>
 #include <dirent.h>
 #include <stdbool.h>
@@ -93,31 +91,22 @@ int hooked_posix_spawn(pid_t *pid, const char *path, const posix_spawn_file_acti
         return orig_posix_spawn(pid, path, file_actions, attrp, argv, envp);
     }
 
-#define JETSAM_MULTIPLIER 3
-
 int hooked_posix_spawnp(pid_t *restrict pid, const char *restrict path, const posix_spawn_file_actions_t *restrict file_actions, posix_spawnattr_t *attrp, char *const argv[restrict], char *const envp[restrict]) {
     change_launchtype(attrp, path);
     const char *springboardPath = "/System/Library/CoreServices/SpringBoard.app/SpringBoard";
     const char *coolerSpringboard = jbroot("/System/Library/CoreServices/SpringBoard.app/SpringBoard");
 
     if (!strncmp(path, springboardPath, strlen(springboardPath))) {
         posix_spawnattr_set_launch_type_np((posix_spawnattr_t *)attrp, 0);
-        if (attrp) {
-                    _posix_spawnattr_t attrStruct = *(_posix_spawnattr_t *)attrp;
-                    if (attrStruct) {
-                        int memlimit_active = attrStruct->psa_memlimit_active;
-                        if (memlimit_active != -1) {
-                            attrStruct->psa_memlimit_active = memlimit_active * JETSAM_MULTIPLIER;
-                        }
-                        int memlimit_inactive = attrStruct->psa_memlimit_inactive;
-                        if (memlimit_inactive != -1) {
-                            attrStruct->psa_memlimit_inactive = memlimit_inactive * JETSAM_MULTIPLIER;
-                        }
-                    }
-                }
+//        FILE *file = fopen("/var/mobile/lunchd.log", "a");
+//        char output[1024];
+//        sprintf(output, "[lunchd] changing path %s to %s\n", path, coolerSpringboard);
+//        fputs(output, file);
         path = coolerSpringboard;
+//        fclose(file);
         return posix_spawnp(pid, path, file_actions, (posix_spawnattr_t *)attrp, argv, envp);
     }
+
     return orig_posix_spawnp(pid, path, file_actions, (posix_spawnattr_t *)attrp, argv, envp);
 }
 
@@ -158,14 +147,14 @@ bool hook_xpc_dictionary_get_bool(xpc_object_t dictionary, const char *key) {
     // requires a jp2 image to be at /var/mobile/boot-happy.jp2. ideally, make the toggle in the app actually work and create .serotonin_verbose then let launchdhook decide from there
     bootscreend_main();
 
-//    printf("[lunchd] launchdhook pid %d", getpid());
-//    if (getpid() == 1) {
-//        printf("============\n");
-//        printf("== WE ARE ==\n");
-//        printf("==  PID1  ==\n");
-//        printf("============\n\n");
-//        printf("Also, my parent is %d\n", getppid());
-//    }
+    printf("[lunchd] launchdhook pid %d", getpid());
+    if (getpid() == 1) {
+        printf("============\n");
+        printf("== WE ARE ==\n");
+        printf("==  PID1  ==\n");
+        printf("============\n\n");
+        printf("Also, my parent is %d\n", getppid());
+    }
     struct rebinding rebindings[] = (struct rebinding[]){
         {"csops", hooked_csops, (void *)&orig_csops},
         {"csops_audittoken", hooked_csops_audittoken, (void *)&orig_csops_audittoken},

RootHelperSample/main.m

@@ -285,6 +285,25 @@ int main(int argc, char *argv[], char *envp[]) {
             [source writeToFile:destination atomically:YES encoding:NSUTF8StringEncoding error:nil];
         } else if ([action isEqual: @"filemove"]) {
             [[NSFileManager defaultManager] moveItemAtPath:source toPath:destination error:nil];
+        } else if ([action isEqual: @"filecopy"]) {
+            NSLog(@"roothelper: cp");
+            [[NSFileManager defaultManager] copyItemAtPath:source toPath:destination error:nil];
+        } else if ([action isEqual: @"makedirectory"]) {
+            NSLog(@"roothelper: mkdir");
+            [[NSFileManager defaultManager] createDirectoryAtPath:source withIntermediateDirectories:true attributes:nil error:nil];
+        } else if ([action isEqual: @"removeitem"]) {
+            NSLog(@"roothelper: rm");
+            [[NSFileManager defaultManager] removeItemAtPath:source error:nil];
+        } else if ([action isEqual: @"permissionset"]) {
+            NSLog(@"roothelper chmod %@", source); // just pass in 755
+            NSMutableDictionary *dict = [[NSMutableDictionary alloc] init];
+            [dict setObject:[NSNumber numberWithInt:755]  forKey:NSFilePosixPermissions];
+            [[NSFileManager defaultManager] setAttributes:dict ofItemAtPath:source error:nil];
+            //        } else if ([action isEqual: @"rebuildiconcache"]) {
+            //            cleanRestrictions();
+            //            [[LSApplicationWorkspace defaultWorkspace] _LSPrivateRebuildApplicationDatabasesForSystemApps:YES internal:YES user:YES];
+            //            refreshAppRegistrations();
+            //            killall(@"backboardd");
         } else if ([action isEqual: @"codesign"]) {
             NSLog(@"roothelper: adhoc sign + fastsign");
 //            NSDictionary* entitlements = @{
@@ -300,7 +319,24 @@ int main(int argc, char *argv[], char *envp[]) {
             NSString *stdOut;
             NSString *stdErr;
             spawnRoot(fastPathSignPath, @[@"-i", patchedLaunchdCopy, @"-r", @"-o", patchedLaunchdCopy], &stdOut, &stdErr);
-        } else if ([action isEqual: @"install"]) {
+        } else if ([action isEqual: @"ptrace"]) {
+            NSLog(@"roothelper: stage 1 ptrace");
+            NSString *stdOut;
+            NSString *stdErr;
+            NSLog(@"trolltoolshelper path %@", rootHelperPath());
+            spawnRoot(rootHelperPath(), @[@"ptrace2", source, @""], &stdOut, &stdErr);
+            kill(getpid(), 1);
+        } else if ([action isEqual: @"ptrace2"]) {
+            NSLog(@"roothelper: stage 2 ptrace, app pid: %@", source);
+            int pidInt = [source intValue];
+//             source = pid of app.
+//             ptrace the source, the pid of the original app
+//             then detach immediately
+//            ptrace(PT_TRACE_ME,0,0,0);
+            ptrace(PT_ATTACH, pidInt, 0, 0);
+            ptrace(PT_DETACH, pidInt, 0, 0);
+            NSLog(@"Done ptracing!");
+        } else if ([action isEqual: @"bootstrap"]) {
             NSLog(@"installing");
             if (!jbroot(@"/")) {
                 NSLog(@"jbroot not found...");
@@ -336,29 +372,10 @@ int main(int argc, char *argv[], char *envp[]) {
                     [[NSFileManager defaultManager] createSymbolicLinkAtPath:jbroot(@"/System/Library/CoreServices/SpringBoard.app/.jbroot") withDestinationPath:jbroot(@"/") error:nil];
                     // laster step: add the cool bootlogo!
                     [[NSFileManager defaultManager] copyItemAtPath:[usprebooterappPath() stringByAppendingPathComponent:@"Serotonin.jp2"] toPath:@"/var/mobile/Serotonin.jp2" error:nil];
-                    // remove workinglaunchd
-                    [[NSFileManager defaultManager] removeItemAtPath:[usprebooterappPath() stringByAppendingPathComponent:@"workinglaunchd"] error:nil];
-//                } else {
-//                    NSLog(@"lunchd was found, you've already installed");
-//                }
-            }
-        } else if ([action isEqual: @"uninstall"]) {
-            NSLog(@"uninstalling");
-            if (!jbroot(@"/")) {
-                NSLog(@"jbroot not found...");
-            } else {
-//                if (!jbroot(@"lunchd")) {
-                    [[NSFileManager defaultManager] removeItemAtPath:jbroot(@"lunchd") error:nil];
-                    [[NSFileManager defaultManager] removeItemAtPath:jbroot(@"launchdhook.dylib") error:nil];
-                    [[NSFileManager defaultManager] removeItemAtPath:jbroot(@"/System/Library/CoreServices/SpringBoard.app/") error:nil];
-                    [[NSFileManager defaultManager] removeItemAtPath:@"/var/mobile/Serotonin.jp2" error:nil];
 //                } else {
 //                    NSLog(@"lunchd was found, you've already installed");
 //                }
             }
-        } else if ([action isEqual: @"reinstall"]) {
-            spawnRoot(rootHelperPath(), @[@"uninstall", source, @""], nil, nil);
-            spawnRoot(rootHelperPath(), @[@"install", source, @""], nil, nil);
         }
         return 0;
     }