Merge remote-tracking branch 'upstream/2.x' into roothide

Application/Dopamine/Jailbreak/DOJailbreaker.m

@@ -92,10 +92,10 @@ - (NSError *)gatherSystemInformation
         if (xpf_set_is_supported("amfi_oids")) {
             sets[idx++] = "amfi_oids";
         }
+
         if (xpf_set_is_supported("devmode")) {
             sets[idx++] = "devmode"; 
         }
-
         if (xpf_set_is_supported("badRecovery")) {
             sets[idx++] = "badRecovery"; 
         }
@@ -594,6 +594,8 @@ - (void)runWithError:(NSError **)errOut didRemoveJailbreak:(BOOL*)didRemove show
     *errOut = [self injectLaunchdHook];
     if (*errOut) return;
 
+    // don't use dyld-in-cache due to dyldhooks
+    setenv("DYLD_IN_CACHE", "0", 1);
     // don't load tweak during jailbreaking
     setenv("DISABLE_TWEAKS", "1", 1);
     // using the stock path during jailbreaking

Application/Dopamine/UI/DOUIManager.m

@@ -127,6 +127,7 @@ - (NSArray *)getLatestReleases
         NSMutableDictionary* newcommit = [tags[0] mutableCopy];
         newcommit[@"tag_name"] = tags[0][@"name"];
         newcommit[@"body"] = commit[@"commit"][@"message"];
+        newcommit[@"name"] = [NSString stringWithFormat:@"Version %@", newcommit[@"tag_name"]];
         newcommit[@"assets"] = @[@{@"browser_download_url":@"https://github.com/roothide/Dopamine2-roothide"}];
         releases = @[newcommit.copy];
 

Application/Dopamine/UI/Update/DOUpdateViewController.m

@@ -186,7 +186,7 @@ - (void)updateChangelog
         NSDictionary *release = (NSDictionary*)obj;
         NSString *name = release[@"name"];
         NSString *body = release[@"body"];
-        [changelogText appendAttributedString:[[NSAttributedString alloc] initWithString:[NSString stringWithFormat:@"Version %@\n", name] attributes:@{NSFontAttributeName: [UIFont boldSystemFontOfSize:18], NSForegroundColorAttributeName : [UIColor whiteColor], NSParagraphStyleAttributeName:paragraphStyle}]];
+        [changelogText appendAttributedString:[[NSAttributedString alloc] initWithString:[NSString stringWithFormat:@"%@\n", name] attributes:@{NSFontAttributeName: [UIFont boldSystemFontOfSize:18], NSForegroundColorAttributeName : [UIColor whiteColor], NSParagraphStyleAttributeName:paragraphStyle}]];
         [changelogText appendAttributedString:[[NSAttributedString alloc] initWithString:@"\n"]];
 
         NSAttributedStringMarkdownParsingOptions *parsingOptions = [[NSAttributedStringMarkdownParsingOptions alloc] init];

BaseBin/launchdhook/src/crashreporter.m

@@ -520,3 +520,4 @@ void crashreporter_start(void)
 		crashreporter_resume();
 	}
 }
+

BaseBin/launchdhook/src/spawn_hook.c

@@ -274,10 +274,17 @@ int __posix_spawn_hook(pid_t *restrict pidp, const char *restrict path, struct _
         posix_spawnattr_setflags(attrp, flags | POSIX_SPAWN_START_SUSPENDED);
     }
 
+	// on some devices dyldhook may fail due to vm_protect(VM_PROT_READ|VM_PROT_WRITE), 2, (os/kern) protection failure in dsc::__DATA_CONST:__const, 
+	// so we need to disable dyld-in-cache here. (or we can use VM_PROT_READ|VM_PROT_WRITE|VM_PROT_COPY)
+	char **envc = envbuf_mutcopy((const char **)envp);
+	envbuf_setenv(&envc, "DYLD_IN_CACHE", "0");
+
     int pid = 0;
     if (!pidp) pidp = &pid;
-    int ret = posix_spawn_hook_shared(pidp, path, desc, argv, envp, __posix_spawn_orig_wrapper, systemwide_trust_binary, platform_set_process_debugged, jbsetting(jetsamMultiplier));
+    int ret = posix_spawn_hook_shared(pidp, path, desc, argv, envc, __posix_spawn_orig_wrapper, systemwide_trust_binary, platform_set_process_debugged, jbsetting(jetsamMultiplier));
     pid = *pidp;
+
+	envbuf_free(envc);
 
 	posix_spawnattr_setflags(attrp, flags); // maybe caller will use it again?
 

BaseBin/launchdhook/src/update.m

@@ -112,11 +112,7 @@ void jbupdate_update_system_info(void)
 		void (*xpf_stop)(void) = dlsym(xpfHandle, "xpf_stop");
 		xpc_object_t (*xpf_construct_offset_dictionary)(const char *sets[]) = dlsym(xpfHandle, "xpf_construct_offset_dictionary");
 
-		// XXX: this is also a hack
-		struct statfs fst={0};
-		statfs("/usr/standalone/firmware", &fst);
-		char kernelPath[PATH_MAX];
-		snprintf(kernelPath,sizeof(kernelPath),"%s/../../../System/Library/Caches/com.apple.kernelcaches/kernelcache", fst.f_mntfromname);
+		const char *kernelPath = prebootUUIDPath("/System/Library/Caches/com.apple.kernelcaches/kernelcache");
 		xpc_object_t systemInfoXdict = NULL;
 
 		// Rerun patchfinder
@@ -144,10 +140,10 @@ void jbupdate_update_system_info(void)
 			if (xpf_set_is_supported("amfi_oids")) {
 				sets[idx++] = "amfi_oids";
 			}
+
 			if (xpf_set_is_supported("devmode")) {
 				sets[idx++] = "devmode"; 
 			}
-
 			if (xpf_set_is_supported("badRecovery")) {
 				sets[idx++] = "badRecovery"; 
 			}

BaseBin/libjailbreak/src/deny.m

@@ -45,8 +45,6 @@
     NSString *identifier = appInfo[@"CFBundleIdentifier"];
     if (!identifier) return nil;
 
-    JBLogDebug("spawn app [%s] %s", identifier.UTF8String, path);
-
     return identifier;
 }
 

BaseBin/libjailbreak/src/util.c

@@ -584,8 +584,10 @@ int __exec_cmd_internal_va(bool suspended, bool root, bool waitForExit, pid_t *p
 	}
 
 	//force
-	posix_spawnattr_setflags(&attr, POSIX_SPAWN_START_SUSPENDED);
-
+	short flags=0;
+	posix_spawnattr_getflags(&attr, &flags);
+	posix_spawnattr_setflags(&attr, flags | POSIX_SPAWN_START_SUSPENDED);
+
 	pid_t spawnedPid = 0;
 	int spawnError = posix_spawn(&spawnedPid, binary, NULL, &attr, (char *const *)argv, environ);
 	if (attr) posix_spawnattr_destroy(&attr);

BaseBin/libjailbreak/src/util.h

@@ -60,7 +60,6 @@ int exec_cmd_root(const char *binary, ...);
     retval; \
 })
 
-/*
 char *boot_manifest_hash(void);
 
 #define prebootUUIDPath(path) ({ \
@@ -70,7 +69,6 @@ char *boot_manifest_hash(void);
 	strlcat(outPath, path, PATH_MAX); \
 	(outPath); \
 })
-*/
 
 #define VM_FLAGS_GET_PROT(x)    ((x >>  7) & 0xFULL)
 #define VM_FLAGS_GET_MAXPROT(x) ((x >> 11) & 0xFULL);

BaseBin/systemhook/src/main.c

@@ -272,6 +272,9 @@ bool should_enable_tweaks(void)
 	return true;
 }
 
+
+#include "envbuf.h"
+
 #define POSIX_SPAWN_PROC_TYPE_DRIVER 0x700
 int posix_spawnattr_getprocesstype_np(const posix_spawnattr_t * __restrict, int * __restrict) __API_AVAILABLE(macos(10.8), ios(6.0));
 
@@ -313,10 +316,17 @@ int posix_spawn_hook_roothide(pid_t *restrict pidp, const char *restrict path, s
 		}
 	}
 
+	// on some devices dyldhook may fail due to vm_protect(VM_PROT_READ|VM_PROT_WRITE), 2, (os/kern) protection failure in dsc::__DATA_CONST:__const, 
+	// so we need to disable dyld-in-cache here. (or we can use VM_PROT_READ|VM_PROT_WRITE|VM_PROT_COPY)
+	char **envc = envbuf_mutcopy((const char **)envp);
+	envbuf_setenv(&envc, "DYLD_IN_CACHE", "0");
+
 	int pid = 0;
-	int ret = posix_spawn_hook_shared(&pid, path, desc, argv, envp, orig, trust_binary, set_process_debugged, jetsamMultiplier);
+	int ret = posix_spawn_hook_shared(&pid, path, desc, argv, envc, orig, trust_binary, set_process_debugged, jetsamMultiplier);
 	if (pidp) *pidp = pid;
 
+	envbuf_free(envc);
+
 	// maybe caller will use it again? restore flags
 	posix_spawnattr_setflags(attrp, flags);
 
@@ -436,11 +446,12 @@ bool _CFCanChangeEUIDs(void) {
 
 void loadPathHook()
 {
-	// we have to trust the lib manually before dyldhooks applied
-	jbclient_trust_library(JBROOT_PATH("/basebin/roothidehooks.dylib"), NULL);
-	void* roothidehooks = dlopen(JBROOT_PATH("/basebin/roothidehooks.dylib"), RTLD_NOW);
-	void (*pathhook)() = dlsym(roothidehooks, "pathhook");
-	pathhook();
+    static dispatch_once_t onceToken;
+    dispatch_once(&onceToken, ^{
+		void* roothidehooks = dlopen(JBROOT_PATH("/basebin/roothidehooks.dylib"), RTLD_NOW);
+		void (*pathhook)() = dlsym(roothidehooks, "pathhook");
+		pathhook();
+	});
 }
 
 void redirect_path_env(const char* rootdir)
@@ -548,23 +559,19 @@ char HOOK_DYLIB_PATH[PATH_MAX] = {0};
 
 __attribute__((constructor)) static void initializer(void)
 {
+//////////////////////////////////////////////
+	struct dl_info di={0};
+	dladdr((void*)initializer, &di);
+	strncpy(HOOK_DYLIB_PATH, di.dli_fname, sizeof(HOOK_DYLIB_PATH));
+/////////////////////////////////////////////////////////////////////////
+
 	// Tell jbserver (in launchd) that this process exists
 	// This will disable page validation, which allows the rest of this constructor to apply hooks
 	if (jbclient_process_checkin(&JB_RootPath, &JB_BootUUID, &JB_SandboxExtensions, &gFullyDebugged) != 0) return;
 
 	// Apply sandbox extensions
 	apply_sandbox_extensions();
 
-//////////////////////////////////////////////////////////////////////////
-	struct dl_info di={0};
-	dladdr((void*)initializer, &di);
-	strncpy(HOOK_DYLIB_PATH, di.dli_fname, sizeof(HOOK_DYLIB_PATH));
-
-	redirect_paths(JB_RootPath);
-
-	dlopen(JBROOT_PATH("/usr/lib/roothideinit.dylib"), RTLD_NOW);
-//////////////////////////////////////////////////////////////////////////
-
 	// Unset DYLD_INSERT_LIBRARIES, but only if systemhook itself is the only thing contained in it
 	// Feeable attempt at making jailbreak detection harder
 	const char *dyldInsertLibraries = getenv("DYLD_INSERT_LIBRARIES");
@@ -605,6 +612,20 @@ __attribute__((constructor)) static void initializer(void)
 		dyld_hook_routine(*gDyldPtr, 98, (void *)&dyld_dlopen_audited_hook, (void **)&dyld_dlopen_audited_orig, 0xD2A5);
 	}
 
+//////////////////////////////////////////////////////////////////////
+  /* after unsandboxing jbroot and applying dyldhooks */
+
+	const char* DYLD_IN_CACHE = getenv("DYLD_IN_CACHE");
+	if(strcmp(DYLD_IN_CACHE, "0") == 0) {
+		unsetenv("DYLD_IN_CACHE");
+	}
+
+	redirect_paths(JB_RootPath);
+
+	dlopen(JBROOT_PATH("/usr/lib/roothideinit.dylib"), RTLD_NOW);
+
+//////////////////////////////////////////////////////////////////////////
+
 #ifdef __arm64e__
 	// Since pages have been modified in this process, we need to load forkfix to ensure forking will work
 	// Optimization: If the process cannot fork at all due to sandbox, we don't need to do anything