Fix smith not working on iOS 15

opa334 · Apr 23, 2024 · 6c56555 · 6c56555
1 parent db615ad
commit 6c56555
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 10 deletions.
diff --git a/.gitignore b/.gitignore
@@ -6,10 +6,8 @@ xcshareddata/
 DerivedData/
 .swiftpm/xcode/
 /Package.resolved
-/Server/orig.ipa
-/Server/serverCert/fullchain.cer
-/Server/serverCert/server.key
 Dopamine/Dopamine/bootstrap/tmp/
+Application/Payload
 .idea
 Tools/fastPathSign/.build_*
 Exploits/kfd/kfd.framework/kfd
diff --git a/Application/Dopamine/Exploits/kfd/Exploit/libkfd/puaf/smith.h b/Application/Dopamine/Exploits/kfd/Exploit/libkfd/puaf/smith.h
@@ -209,7 +209,7 @@ void smith_free(struct kfd* kfd)
  */
 void smith_helper_init(struct kfd* kfd)
 {
-    const u64 target_hole_size = pages(0);
+    const u64 target_hole_size = pages(10000);
     bool found_target_hole = false;
 
     struct smith_data* smith = (struct smith_data*)(kfd->puaf.puaf_method_data);

diff --git a/Application/Dopamine/Exploits/kfd/kfd.m b/Application/Dopamine/Exploits/kfd/kfd.m
@@ -148,6 +148,17 @@ int exploit_init(const char *flavor)
 
     uint64_t vm_map__pmap = koffsetof(vm_map, pmap);
 
+    uint64_t pmap_to_hint = 0; // offset between vm_map->pmap and vm_map->hint
+    if (@available(iOS 16.0, *)) {
+        pmap_to_hint = 0x58;
+    }
+    else if(@available(iOS 15.4, *)) {
+        pmap_to_hint = 0x38;
+    }
+    else {
+        pmap_to_hint = 0xB8;
+    }
+
     dynamic_system_info = (struct dynamic_info){
         .kread_kqueue_workloop_ctl_supported = true,
         .krkw_iosurface_supported = (kread_method == kread_IOSurface),
@@ -171,11 +182,11 @@ int exploit_init(const char *flavor)
         .vm_map__hdr_nentries_u64           = koffsetof(vm_map, hdr) + koffsetof(vm_map_header, links) + koffsetof(vm_map_links, max) + 0x8,
         .vm_map__hdr_rb_head_store_rbh_root = koffsetof(vm_map, hdr) + koffsetof(vm_map_header, links) + koffsetof(vm_map_links, max) + 0x18,
 
-        .vm_map__pmap        = vm_map__pmap,        // 0x48 or 0x40
-        .vm_map__hint        = vm_map__pmap + 0x58, // 0xa0 or 0x98
-        .vm_map__hole_hint   = vm_map__pmap + 0x60, // 0xa8 or 0xa0
-        .vm_map__holes_list  = vm_map__pmap + 0x68, // 0xb0 or 0xa8
-        .vm_map__object_size = vm_map__pmap + 0x80, // 0xc8 or 0xc0
+        .vm_map__pmap        = vm_map__pmap,
+        .vm_map__hint        = vm_map__pmap + pmap_to_hint,
+        .vm_map__hole_hint   = vm_map__pmap + pmap_to_hint + 0x8,
+        .vm_map__holes_list  = vm_map__pmap + pmap_to_hint + 0x10,
+        .vm_map__object_size = vm_map__pmap + pmap_to_hint + 0x28,
 
         .IOSurface__isa                 =   0x0,
         .IOSurface__pixelFormat         =  0xa4,

diff --git a/BaseBin/libjailbreak/src/primitives_IOSurface.m b/BaseBin/libjailbreak/src/primitives_IOSurface.m
@@ -207,7 +207,7 @@ void libjailbreak_IOSurface_primitives_init(void)
 	}
 	CFRelease(surfaceRef);
 
-	gPrimitives.kmap          = IOSurface_map;
+	gPrimitives.kmap = IOSurface_map;
 	if (@available(iOS 16.0, *)) {}
 	else {
 		gPrimitives.kalloc_global = IOSurface_kalloc_global;