NOTE none of this stuff works from 1.1.2 onwards...  *sigh*

Added some filesystem stuff.  dumpfs and restore are kinda fun ;)

imac /diskdev_cmds-332.22/ cd fscmds
imac /fscmds/ file *
README:        ASCII text
dev_mkdb:      Mach-O executable acorn
dump:          Mach-O executable acorn
dumpfs:        Mach-O executable acorn
mount:         Mach-O executable acorn
mount_cd9660:  Mach-O executable acorn
mount_devfs:   Mach-O executable acorn
mount_fdesc:   Mach-O executable acorn
mount_nfs:     Mach-O executable acorn
mount_synthfs: Mach-O executable acorn
newfs_msdos:   Mach-O executable acorn
restore:       Mach-O executable acorn
tunefs:        Mach-O executable acorn
umount:        Mach-O executable acorn
vndevice:      Mach-O executable acorn
vsdbutil:      Mach-O executable acorn


Added launchd binary suite:

imac /src/ file launch_progs/*
launch_progs/ConsoleMessage:                  Mach-O executable acorn
launch_progs/StartupItemContext:              Mach-O executable acorn
launch_progs/SystemStarter:                   Mach-O executable acorn
launch_progs/launchctl:                       Mach-O executable acorn
launch_progs/launchd:                         Mach-O executable acorn
launch_progs/launchd_debugd:                  Mach-O executable acorn
launch_progs/launchproxy:                     Mach-O executable acorn
launch_progs/register_mach_bootstrap_servers: Mach-O executable acorn
launch_progs/wait4path:                       Mach-O executable acorn

Getting a lot closer to a working module setup now

Thumb and ARM functions are mixed in the kernel.

Makes me think of this link, where they mention -mlong-calls and -mthumb-interwork:

http://mail-index.netbsd.org/port-arm/2004/08/21/0000.html

Not all functions are Thumb code, as found today (addlog() is Thumb, cpuid_info() is ARM):

#include <libkern/libkern.h>
#include <mach/mach_types.h>

/* Kernel symbols resolved by hand from the nm listing of this kernel build;
 * the +1 sets the Thumb bit so the indirect call switches instruction set. */
static void (*addlog)(const char * fmt, ...) = (void (*)(const char *, ...))(0xc010411c + 1); // thumb !!
static long * (*cpuid_info)(void) = (long * (*)(void))0xc005a5d4; // arm.

kern_return_t MyKextStart (kmod_info_t * ki, void * d) {
        addlog("KEXT loaded!\n");
        long * val = cpuid_info();
        addlog("CPUID Result: %08x\n", *val);
        return KERN_SUCCESS;
}

# tail -2 /var/log/syslog
Oct 13 18:48:35 localhost kernel[0]: KEXT loaded!
Oct 13 18:48:35 localhost kernel[0]: CPUID Result: 4107b761

I need to read up here!
http://www.coranac.com/tonc/text/asm.htm

bgm's patches confirmed!

All we needed was:

echo -en "\x08\x1C\x11\x1C\x85\xE7" | dd of=/dev/kmem seek=3221581156 bs=1 count=6

And this magic to redefine "printf":

imac /kernel/ diff mykext.orig.c mykext.bgm.c 
3a4,5
> void (*p)(const char * fmt, ...) = 0xc010411c + 1; // addlog() THUMB!!! 
> 
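Review bot: the initializer `0xc010411c + 1` assigns an integer to a function pointer without a cast, which the compiler will at best warn about; suggest `(void (*)(const char *, ...))(0xc010411c + 1)` and a comment stating that the address is this build's addlog() and the +1 is the Thumb bit, since the value is only valid for this exact kernel.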
5c7
<   printf("Hello, World!\n");
---
>   (*p)("Hello, World!\n");
10c12
<   printf("Goodbye, World!\n");
---
>   (*p)("Goodbye, World!\n");
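Review bot: `p` is an uninformative name for the function pointer used at every log call site in hunks 2 and 3; naming it `addlog`, or hiding it behind `#define printf (*p)`, would keep the call sites readable and make the intent of the diff (redefining printf) explicit.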


Now we have this working:

# kextload -v 3 /System/Library/Extensions/MyKext.kext 
kextload: adding repository /System/Library/Extensions
kextload: scanning repository /System/Library/Extensions
kextload: request to clear relationships while disabled; pending
kextload: request to clear relationships while disabled; pending
kextload: added repository /System/Library/Extensions
kextload: request to clear relationships while disabled; pending
kextload: request to add kernel extension /System/Library/Extensions/MyKext.kext
kextload: kernel extension /System/Library/Extensions/MyKext.kext exists
kextload: clearing all version/dependency relationships among kernel extensions
kextload: extension /System/Library/Extensions/MyKext.kext appears to be loadable
kextload: loading extension /System/Library/Extensions/MyKext.kext
kextload: calculating version relationships
kextload: sending 1 personality to the kernel
kextload: link/loading file /System/Library/Extensions/System6.0.kext/kernel.6.0
kextload: link/loading file /System/Library/Extensions/MyKext.kext/MyKext
kextload: allocated 8192 bytes in kernel space at 0xf34cc000
kextload: using load address of 0xf34cc000
kextload: kmod name: net.wickedpsyched.MyKext
kextload: kmod start @ 0xf34cd0b0 (offset 0x3e0)
kextload: kmod stop @ 0xf34cd0dc (offset 0x40c)
kextload: module net.wickedpsyched.MyKext created as # 71 at address 0xf34cc000, size 8192
kextload: module # 71 reference counts incremented
kextload: module # 71 started
kextload: /System/Library/Extensions/MyKext.kext loaded successfully
kextload: extension /System/Library/Extensions/MyKext.kext has no personalities


# kextstat | grep My                                  
   71    0 0xf34cc000 0x2000     0x1000     net.wickedpsyched.MyKext (1.4.3) <12>

# kextunload /System/Library/Extensions/MyKext.kext
kextunload: unload kext /System/Library/Extensions/MyKext.kext succeeded

# tail -2 /var/log/syslog                             

Oct 13 13:21:57 localhost kernel[0]: Hello, World!
Oct 13 13:23:36 localhost kernel[0]: Goodbye, World!



More stuff from here http://uninformed.org/index.cgi?v=4&a=3&p=17

Code here:

Build this as "ptrace":

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/ptrace.h>
static volatile int changeme = 0;   /* volatile: the loop must re-read it after an external patch */
int main(int ac, char **av) {
        ptrace(PT_DENY_ATTACH, 0, 0, 0);   /* refuse debugger attach */
        while(1) {
                if(changeme) {
                        printf("[+] hacked.\n");
                        exit(1);
                }
        }
        return 1;
}

Then get the address like so:

imac /kernel/ nm a.out | grep chang
00002030 b _changeme

then build this as "ptrace.hackme":

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <mach/mach.h>
#include <dlfcn.h>
#define CHANGEMEADDR 0x2030          /* address of _changeme from the nm output above */

static void error(const char *msg) {  /* same helper as in the pid0 code */
  printf("[!] error: %s\n", msg);
  exit(1);
}

int main(int ac, char **av) {
  mach_port_t port;
  long    content = 1;
  if(ac != 2) error("usage: ptrace.hackme <pid>");
  if(task_for_pid(mach_task_self(), atoi(av[1]), &port))
    error("_|_");
  if(vm_write(port, (vm_address_t) CHANGEMEADDR, (vm_address_t)&content, sizeof(content)))
    error("writing to process");
  return 0;
}


This shows the second program getting the task port of the running ptrace process (which called PT_DENY_ATTACH) via task_for_pid(), and patching changeme through vm_write():

iPhone# ./ptrace &
[1] 267

iPhone# ps aux | grep ptrace
root   267  91.5  0.0   264648    284  p1  RN    2:59PM   0:03.15 ./ptrace
root   269   0.0  0.0   273028    408  p1  S+    2:59PM   0:00.02 grep ptrace

iPhone# ./ptrace.hackme 267
iPhone# [+] hacked.


Loading Kexts after the mach patch

bgm and Zf found this gem: http://iphone.fiveforty.net/wiki/index.php/Kernel_Manipulation

use Fcntl;
$a = hex("C011db66");
sysopen(HANDLE, "/dev/kmem", O_RDWR);
$r = sysseek(HANDLE, $a, SEEK_SET);
printf("seek = %x\n", $r);
$r = syswrite(HANDLE, pack("H*", "012B"), 2);
printf("write: %x\n", $r);
close(HANDLE);

Turbo gave me this to do the same thing:

13:52  you can add this to the page for ppl that don't have perl
13:52  echo -en "\x01\x2B" | dd of=/dev/kmem seek=3222395750 bs=1 count=2

(sweet!)


We can now access mach_ports with the pid0 code below:

# ./pid0 -1
KERN_SUCCESS: 0 MACH_PORT_VALID: 1
[+] done!
kern.securelevel = -1

# ./pid0 0
KERN_SUCCESS: 0 MACH_PORT_VALID: 1
[+] done!
kern.securelevel = 0 

Also, after running this, we can now allocate memory inside the kernel. The MyKext I'm using is this one:

#include <libkern/libkern.h>
#include <mach/mach_types.h>
kern_return_t MyKextStart(kmod_info_t *ki, void *d) {
  printf("Hello, World!\n");
  return KERN_SUCCESS;
}
kern_return_t MyKextStop(kmod_info_t *ki, void *d) {
  printf("Goodbye, World!\n");
  return KERN_SUCCESS;
}
extern kern_return_t _start(kmod_info_t *ki, void *data);
extern kern_return_t _stop(kmod_info_t *ki, void *data);
KMOD_EXPLICIT_DECL(net.wickedpsyched.MyKext, "1.0", _start, _stop)
__private_extern__ kmod_start_func_t *_realmain = MyKextStart;
__private_extern__ kmod_stop_func_t *_antimain = MyKextStop;
__private_extern__ int _kext_apple_cc = __APPLE_CC__;



# kextload -v 6 -b net.wickedpsyched.MyKext

kextload: patching C++ code in module /System/Library/Extensions/MyKext.kext/MyKext
kextload: link/loading file /System/Library/Extensions/System6.0.kext/kernel.6.0
kextload: link/loading file /System/Library/Extensions/MyKext.kext/MyKext
kextload: allocated 8192 bytes in kernel space at 0xf34e0000
kextload: using load address of 0xf34e0000

But alas we fail here:

kld(): /System/Library/Extensions/MyKext.kext/MyKext relocation overflow for relocation entry 1 in section (__TEXT,__text) (displacement too large)
kld(): /System/Library/Extensions/MyKext.kext/MyKext relocation overflow for relocation entry 3 in section (__TEXT,__text) (displacement too large)

There is some info here that shows a potential issue (this may be related to mismatched gcc versions):

http://lists.apple.com/archives/Darwin-kernel/2005/Jan/msg00032.html

We need Patrick on this one :)

Writing to the kmem

Although we have r/w access to the kernel (thanks bgm), this still does not work:

iPhone# cat /dev/kmem      
cat: /dev/kmem: Bad address

Owch.

So further attempts to change kern.secure_kernel=1 to kern.secure_kernel=0 are not going so well.

However, this code (many thanks to Zf!) is very interesting. First, get the address:

imac /~/ zgrep secure_kernel toolchain/KERNEL/obj3/nm_obj3.txt.gz
c01c412c D _sysctl__kern_secure_kernel


then this code to poke at it:

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>

#define SECURE_KERNEL_ADDR 0xC01C412C   /* _sysctl__kern_secure_kernel from the nm output above */

unsigned char b[4] = {0, 0, 0, 0};      /* the four zero bytes written over the word */
int main(int argc, char **argv) {
        int mem;
        unsigned char data[4];
        mem = open("/dev/kmem", O_RDWR);
        if (mem<0) {
                printf("Oops !\n");
                return 1;
        }
        if (lseek(mem, (off_t)SECURE_KERNEL_ADDR, SEEK_SET) != SECURE_KERNEL_ADDR) {
                perror("lseek");
                return 1;
        }
        /* read the current word before touching it */
        if (read(mem, data, 4) != 4) {
                perror("read");
                return 1;
        }
        printf("Data match :  %d %d %d %d \n",data[0],data[1],data[2],data[3]);
        /* seek back; the read advanced the offset */
        if (lseek(mem, (off_t)SECURE_KERNEL_ADDR, SEEK_SET) != SECURE_KERNEL_ADDR) {
                perror("lseek");
                return 1;
        }
        if (write(mem, b, 4) != 4) {
                perror("write");
                return 1;
        }
        close(mem);
        return 0;
}

Results in:

iPhone# ./zf

Data match :  48 162 30 192 
iPhone# ./zf

Data match :  0 0 0 0 
iPhone# ./zf

Data match :  0 0 0 0 

but alas:

kern.secure_kernel=1  persists...  shame


more kmods

Thanks to bgm,  we have write access to kvm:

http://iphone.fiveforty.net/wiki/index.php/Kernel_Manipulation

We can now see:

12:49 <+core> # sysctl -w kern.securelevel=0
12:49 <+core> kern.securelevel: 0 -> 0
12:49 <+core> # sysctl -w kern.securelevel=1
12:49 <+core> kern.securelevel: 0 -> 1
12:49 <+core> # sysctl -w kern.securelevel=0
12:49 <+core> kern.securelevel: Operation not permitted

I worked on the code from here http://uninformed.org/index.cgi?v=4&a=3&p=17, changing the address to the one from the following:

imac /KERNEL/ nm obj3/kernelcache.release.s5l8900xrb | grep secure

c01e8bac S _securelevel
c01c412c D _sysctl__kern_secure_kernel

#include <mach/mach.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>

#define  SECURELEVELADDR 0xc01e8bac   /* _securelevel from the nm output above */

void error(char *msg) {
        printf("[!] error: %s\n",msg);
        exit(1);
}
void usage(char *progname) {
        printf("[+] usage: %s <securelevel>\n",progname);
        exit(1);
}
int main(int ac, char **av) {
        mach_port_t    kernel_task = MACH_PORT_NULL;
        kern_return_t  err;
        long           value = 0;
        if(ac != 2) usage(*av);
        if(getuid() && geteuid()) error("requires root.");
        value = atoi(av[1]);
        err = task_for_pid(mach_task_self(),0,&kernel_task);
        /* the diagnostic line seen in the transcripts on this page */
        printf("KERN_SUCCESS: %d MACH_PORT_VALID: %d\n", err, MACH_PORT_VALID(kernel_task) ? 1 : 0);
        if ((err != KERN_SUCCESS) || !MACH_PORT_VALID(kernel_task))
                error("getting kernel task.");
        // Overwrite the kernel's securelevel variable with the requested value.
        if(vm_write(kernel_task, (vm_address_t) SECURELEVELADDR, (vm_address_t)&value, sizeof(value)))
                error("writing securelevel.");
        printf("[+] done!\n");
        return 0;
}


But alas, we have no access to task_for_pid(0):

13:13 <+core> # ./pid0 -1
13:13 <+core> KERN_SUCCESS: 0 MACH_PORT_VALID: 0
13:09 <+core> [!] error: getting kernel task.

And this piece doesn't work yet:

12:40 <+core> # sysctl -w kern.secure_kernel=0 
12:40 <+core> sysctl: oid 'kern.secure_kernel' is read only


The kext stuff below still errors with:

# kextload -v 6 -b net.wickedpsyched.MyKext

kextload: unable to get kernel task port: (os/kern) failure



kcache unpack

We have the kernel decoded:

You will need these 2 things:

http://www.crosswire.org/sword/software/swordapi.jsp

http://iphone.fiveforty.net/wiki/index.php/Unpack_89001.0.c

A lot of this is based on

http://www.appletvhacks.net/2007/03/26/hidden-files-in-the-apple-tv-kern...

Thanks SAM!!

here we go:

imac /obj3/ scp root@iphone:/System/Library/Caches/com.apple.kernelcaches/kernelcache.release.s5l8900xrb .
kernelcache.release.s5l8900xrb               100% 3186KB   1.0MB/s   00:03    

imac /obj3/ ../unpack.89001 kernelcache.release.s5l8900xrb kernelcache.release.s5l8900xrb.unpack


imac /obj3/ dd if=kernelcache.release.s5l8900xrb.unpack of=kernelcache.release.s5l8900xrb.lzs skip="1" bs="384"
8480+1 records in
8480+1 records out
3256350 bytes transferred in 0.091624 secs (35540445 bytes/sec)


imac /obj3/ ../lz/sword-1.5.9/tests/complzss kernelcache.release.s5l8900xrb.lzs

imac /obj3/ file kernelcache.release.s5l8900xrb 
kernelcache.release.s5l8900xrb: Mach-O executable acorn

imac /obj3/ nm kernelcache.release.s5l8900xrb | head -4
c01c5abc D .constructors_used
c01c5ac4 D .destructors_used
c00e3ef8 T _AllocateNode
c0019944 T _Assert

imac /obj3/ nm kernelcache.release.s5l8900xrb | tail -4
c002a6a4 T _zone_steal_memory
c0059c08 T _zone_virtual_addr
c01acae0 D _zone_zone
c002addc T _zprealloc

Now we can install the kernel:

mac /obj3/ scp kernelcache.release.s5l8900xrb root@iphone:/mach
kernelcache.release.s5l8900xrb         100% 5755KB 822.1KB/s   00:07    
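As an added example (not code from this page, from sword, or from Apple), here is the decode step that complzss performs on the payload left after the dd skip above. It assumes the kernelcache body is the standard Okumura LZSS variant (4096-byte ring seeded with spaces, 18-byte maximum match, threshold 2) that Apple's boot loader code implements; the two input streams are constructed, not real kernelcache data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Ring-buffer parameters of the Okumura LZSS variant (assumption: the one
 * Apple's boot loader code and sword's complzss implement). */
#define N         4096              /* ring buffer size */
#define F         18                /* longest match */
#define THRESHOLD 2                 /* shorter matches are stored as literals */

/* Decode one LZSS stream into dst; returns bytes written, or -1 if dst fills. */
long lzss_decode(const uint8_t *src, size_t srclen, uint8_t *dst, size_t dstlen)
{
    uint8_t text_buf[N];
    size_t in = 0, out = 0;
    unsigned flags = 0, i, j, k;
    int r = N - F;                          /* next write slot in the ring */
    memset(text_buf, ' ', N);               /* history is seeded with spaces */
    for (;;) {
        if (((flags >>= 1) & 0x100) == 0) { /* fetch a new flag byte */
            if (in >= srclen) break;
            flags = src[in++] | 0xFF00;     /* high bits count down 8 uses */
        }
        if (flags & 1) {                    /* bit set: one literal byte */
            if (in >= srclen) break;
            if (out >= dstlen) return -1;
            text_buf[r] = dst[out++] = src[in++];
            r = (r + 1) & (N - 1);
        } else {                            /* bit clear: (position, length) */
            if (in + 1 >= srclen) break;
            i = src[in++];
            j = src[in++];
            i |= (j & 0xF0) << 4;           /* 12-bit ring position */
            j = (j & 0x0F) + THRESHOLD;     /* copies j + 1 bytes, may overlap */
            for (k = 0; k <= j; k++) {
                if (out >= dstlen) return -1;
                text_buf[r] = dst[out++] = text_buf[(i + k) & (N - 1)];
                r = (r + 1) & (N - 1);
            }
        }
    }
    return (long)out;
}

/* Constructed samples, not taken from a real kernelcache.
 * sample: flags 0x0F = four literals, then a reference to slot 4078, length 4.
 * run:    flags 0x01 = one literal, then an overlapping reference of length 6. */
static const uint8_t sample[] = { 0x0F, 'A', 'B', 'C', 'D', 0xEE, 0xF1 };
static const uint8_t run[]    = { 0x01, 'A', 0xEE, 0xF3 };
static uint8_t sample_out[32], run_out[32];
long decode_sample(void) { return lzss_decode(sample, sizeof sample, sample_out, sizeof sample_out); }
long decode_run(void)    { return lzss_decode(run, sizeof run, run_out, sizeof run_out); }

int main(void)
{
    printf("sample -> %ld bytes: %.8s\n", decode_sample(), sample_out);
    printf("run    -> %ld bytes: %.7s\n", decode_run(), run_out);
    return 0;
}
```

On a real file, skip the 384-byte header first (the dd step) and hand the remainder to lzss_decode with a destination buffer large enough for the uncompressed kernel.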



This page is a big help: http://iphone.fiveforty.net/wiki/index.php/KernelCache_Files_List

TestingModules has the following:

# tar cfv TestingModules.tgz /System/Library/Extensions/MyKext.kext /System/Library/Extensions/System6.0.kext
tar: Removing leading `/' from member names
/System/Library/Extensions/MyKext.kext/
/System/Library/Extensions/MyKext.kext/Info.plist
/System/Library/Extensions/MyKext.kext/MyKext
/System/Library/Extensions/System6.0.kext/
/System/Library/Extensions/System6.0.kext/Info.plist
/System/Library/Extensions/System6.0.kext/kernel.6.0
/System/Library/Extensions/System6.0.kext/version.plist

Current result of a load:

# kextload -v 6 -b net.wickedpsyched.MyKext
kextload: adding repository /System/Library/Extensions
kextload: scanning repository /System/Library/Extensions
kextload: scanning directory /System/Library/Extensions
kextload: found valid extension AppleMultitouchSPI.kext
kextload: found valid extension IOHIDFamily.kext
kextload: found valid extension MyKext.kext
kextload: found valid extension PPP.kext
kextload: found valid extension System.kext
kextload: scanning directory /System/Library/Extensions/AppleMultitouchSPI.kext/PlugIns
kextload: scanning directory /System/Library/Extensions/IOHIDFamily.kext/PlugIns
kextload: found valid extension IOHIDFamily.kext/PlugIns/IOHIDEventDriver.kext
kextload: found valid extension IOHIDFamily.kext/PlugIns/IOHIDEventDriverSafeBoot.kext
kextload: found valid extension IOHIDFamily.kext/PlugIns/IOHIDSystem.kext
kextload: scanning directory /System/Library/Extensions/MyKext.kext/PlugIns
kextload: scanning directory /System/Library/Extensions/PPP.kext/PlugIns
kextload: scanning directory /System/Library/Extensions/System.kext/PlugIns
kextload: found valid extension System.kext/PlugIns/BSDKernel.kext
kextload: found valid extension System.kext/PlugIns/IOKit.kext
kextload: found valid extension System.kext/PlugIns/Libkern.kext
kextload: found valid extension System.kext/PlugIns/Mach.kext
kextload: found valid extension System.kext/PlugIns/System6.0.kext
kextload: found valid extension System.kext/PlugIns/Unsupported.kext
kextload: request to clear relationships while disabled; pending
kextload: request to clear relationships while disabled; pending
kextload: added repository /System/Library/Extensions
kextload: request to clear relationships while disabled; pending
kextload: clearing all version/dependency relationships among kernel extensions
kextload: calculating version relationships
kextload: looking up extension with identifier net.wickedpsyched.MyKext
kextload: found extension bundle /System/Library/Extensions/MyKext.kext
kextload: extension /System/Library/Extensions/MyKext.kext appears to be loadable
kextload: loading extension /System/Library/Extensions/MyKext.kext
kextload: resolving dependencies for extension /System/Library/Extensions/MyKext.kext
kextload: looking for dependency of extension /System/Library/Extensions/MyKext.kext with ID com.apple.kernel.6.0, compatible with version 7.9.9
kextload: found compatible dependency from extension /System/Library/Extensions/MyKext.kext to /System/Library/Extensions/System.kext/PlugIns/System6.0.kext; resolving its dependencies
kextload: /System/Library/Extensions/System.kext/PlugIns/System6.0.kext is a kernel resource and thus has no dependencies
kextload: authenticating extension /System/Library/Extensions/System.kext/PlugIns/System6.0.kext
kextload: authenticating bundle directory /System/Library/Extensions/System.kext/PlugIns/System6.0.kext
kextload: authenticating file/directory "/System/Library/Extensions/System.kext/PlugIns/System6.0.kext/Info.plist"
kextload: authenticating file/directory "/System/Library/Extensions/System.kext/PlugIns/System6.0.kext/kernel"
kextload: extension /System/Library/Extensions/System.kext/PlugIns/System6.0.kext is authentic
kextload: authenticating extension /System/Library/Extensions/MyKext.kext
kextload: authenticating bundle directory /System/Library/Extensions/MyKext.kext
kextload: authenticating file/directory "/System/Library/Extensions/MyKext.kext/Info.plist"
kextload: authenticating file/directory "/System/Library/Extensions/MyKext.kext/MyKext"
kextload: extension /System/Library/Extensions/MyKext.kext is authentic
kextload: sending 1 personality to the kernel
kextload: loading dependency graph:
kextload: flattened dependency list:
kextload: /System/Library/Extensions/MyKext.kext/MyKext
kextload: is kernel component: no
kextload: expected kmod name: [net.wickedpsyched.MyKext]
kextload: expected kmod vers: [1.0]
kextload: /System/Library/Extensions/System.kext/PlugIns/System6.0.kext/kernel
kextload: is kernel component: yes
kextload: expected kmod name: [com.apple.kernel.6.0]
kextload: expected kmod vers: [7.9.9]
kextload:
kextload: load order dependency list:
kextload: /System/Library/Extensions/System.kext/PlugIns/System6.0.kext/kernel
kextload: /System/Library/Extensions/MyKext.kext/MyKext
kextload:
kextload: dependency graph:
kextload: /System/Library/Extensions/MyKext.kext/MyKext -> /System/Library/Extensions/System.kext/PlugIns/System6.0.kext/kernel
kextload:
kextload: getting module addresses from kernel
kextload: mapping the kernel file /mach
kextload: mapping module file /System/Library/Extensions/System.kext/PlugIns/System6.0.kext/kernel
kextload: mapping module file /System/Library/Extensions/MyKext.kext/MyKext
kextload: checking whether module file com.apple.kernel.6.0 is already loaded
kextload: checking whether module file net.wickedpsyched.MyKext is already loaded
kextload: mapping the kernel file /mach
kextload: mapping module file /System/Library/Extensions/System.kext/PlugIns/System6.0.kext/kernel
kextload: module file /System/Library/Extensions/System.kext/PlugIns/System6.0.kext/kernel is already mapped
kextload: mapping module file /System/Library/Extensions/MyKext.kext/MyKext
kextload: module file /System/Library/Extensions/MyKext.kext/MyKext is already mapped
kextload: patching C++ code in module /System/Library/Extensions/MyKext.kext/MyKext
kextload: unable to get kernel task port: (os/kern) failure
kextload: you must be running as root to load modules into the kernel
kextload: a link/load error occured for kernel extension /System/Library/Extensions/MyKext.kext
kextload: clearing all version/dependency relationships among kernel extensions
kextload: sending 1 personality to the kernel