-
Notifications
You must be signed in to change notification settings - Fork 33
/
README
56 lines (51 loc) · 1.8 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
How to use:
- git submodule init -u
- ln -s /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS4.3.sdk /var/sdk
- add binaries to bs, e.g.
mkdir iPhone2,1_4.3.3_8J2
cp decrypted_kernel iPhone2,1_4.3.3_8J2/kern
cp dyld_shared_cache_armv7 iPhone2,1_4.3.3_8J2/cache
OR import an ipsw:
grab https://github.com/posixninja/xpwn.git
install "xpwntool", "hfsplus", and "dmg" to ~/xpwnbin/
in here: cd config; python ipsw.py whatever.ipsw
- get t1utils and apply this patch: http://pastie.org/2251647
- get http://github.com/comex/xnu-env and point fs/xnu to it
- ./make.py pdf
external repositories:
------------------------------------------------------
data: mach-o handling
white: load dylibs into the kernel
datautils0: make kernel patches, port over symbols
in here:
------------------------------------------------------
catalog:
catalog.py: ROP code and kernel exploit
kcode.S: kernel payload
chain: unused
common:
common.h: _log, _assert, etc
datautils:
dmini.py: python interface to data
dejavu:
gen_dejavu.raw.py: FreeType exploit
dsc:
dsc.c: mount dyld shared cache via fuse
goo:
goop.py: the "string with pointers, relocations, etc." abstraction
goo.py: doing ROP with the abstraction
world1.py: specific gadgets
two.py: creating mach-o files with the abstraction
headers: external headers
install:
install.m: install the jailbreak
locutus:
locutus.c: download files / communicate with locutus_server / run install
inject.c: inject a dylib into a process
locutus_server.m: injected into SpringBoard
mroib: unused
otool: patch to otool that supports "force ARM" mode
starstuff:
build-archive.sh: build the saffron-jailbreak-xxx debian package
mount_nulls.c: do so
upgrade-data: unused