Add iPhone7,2 on 11.4

Makefile

@@ -23,7 +23,7 @@ endif
 UNTETHER         = lib$(TARGET_CLI).dylib
 TRAMP            = trampoline
 ICONS           := $(wildcard $(RES)/Icon-*.png)
-FILES           := $(TARGET_GUI) Info.plist Base.lproj/LaunchScreen.storyboardc $(ICONS:$(RES)/%=%) Unrestrict.dylib bootstrap.tar.lzma jailbreak-resources.deb
+FILES           := $(TARGET_GUI) Info.plist Base.lproj/LaunchScreen.storyboardc $(ICONS:$(RES)/%=%) Unrestrict.dylib bootstrap.tar.lzma jailbreak-resources.deb mobilesubstrate.deb
 
 SDK_FILE        := src/untether/sdk.txt
 SDK_RESULT      := $(shell cat ${SDK_FILE})
@@ -46,10 +46,12 @@ IBTOOL_FLAGS    ?= --output-format human-readable-text --errors --warnings --not
 SIGN            ?= codesign
 SIGN_FLAGS      ?= -s -
 
-.PHONY: all ipa untether clean install payload
+.PHONY: all app ipa untether clean install payload
 
 all: $(IPA) $(UNTETHER) $(TRAMP)
 
+app: ipa
+
 ipa: $(IPA)
 
 untether: $(UNTETHER) $(TRAMP)

README.md

@@ -23,6 +23,7 @@ Devices with offsets already present but untested on a real device (these *may*
 * **iPhone 5S (GSM) (iPhone6,1), iOS 11.2.6**
 * **iPhone 6 Plus (iPhone7,1), iOS 11.2.6**
 * **iPhone SE (1st gen) (iPhone8,4), iOS 11.3**
+* **iPhone 6 (iPhone7,2), iOS 11.4**
 * **iPhone SE (1st gen) (iPhone8,4), iOS 11.4**
 
 Any other device will require offsets to be added. PRs are welcomed to speed this up, but an actual device will be needed to provide the final offset (`DYLD_CACHE_FD`) if you desire support.

src/app/MainVC.h

@@ -1,109 +1,5 @@
 #import <UIKit/UIKit.h>
-#include <shared/common.h>
-
-#if N41AP
-#define COMPILED_DEVICE @"iPhone5,1 (iPhone 5, GSM)"
-#elif N42AP
-#define COMPILED_DEVICE @"iPhone5,2 (iPhone 5, Global)"
-#elif N48AP
-#define COMPILED_DEVICE @"iPhone5,3 (iPhone 5c, GSM)"
-#elif N48AP
-#define COMPILED_DEVICE @"iPhone5,4 (iPhone 5c, Global)"
-#elif J71AP
-#define COMPILED_DEVICE @"iPad4,1 (iPad Air 1st gen, Wi-Fi)"
-#elif J72AP
-#define COMPILED_DEVICE @"iPad4,2 (iPad Air 1st gen, cellular)"
-#elif J73AP
-#define COMPILED_DEVICE @"iPad4,3 (iPad Air 1st gen, China)"
-#elif J85AP
-#define COMPILED_DEVICE @"iPad4,4 (iPad mini 2, Wi-Fi)"
-#elif J86AP
-#define COMPILED_DEVICE @"iPad4,5 (iPad mini 2, cellular)"
-#elif J87AP
-#define COMPILED_DEVICE @"iPad4,6 (iPad mini 2, China)"
-#elif J85mAP
-#define COMPILED_DEVICE @"iPad4,7 (iPad mini 3, Wi-Fi)"
-#elif J86mAP
-#define COMPILED_DEVICE @"iPad4,8 (iPad mini 3, cellular)"
-#elif J87mAP
-#define COMPILED_DEVICE @"iPad4,9 (iPad mini 3, China)"
-#elif J96AP
-#define COMPILED_DEVICE @"iPad5,1 (iPad mini 4, Wi-Fi)"
-#elif J97AP
-#define COMPILED_DEVICE @"iPad5,2 (iPad mini 4, cellular)"
-#elif J81AP
-#define COMPILED_DEVICE @"iPad5,3 (iPad Air 2, Wi-Fi)"
-#elif J82AP
-#define COMPILED_DEVICE @"iPad5,4 (iPad Air 2, cellular)"
-#elif J127AP
-#define COMPILED_DEVICE @"iPad6,3 (iPad Pro 9.7, Wi-Fi)"
-#elif J128AP
-#define COMPILED_DEVICE @"iPad6,4 (iPad Pro 9.7, cellular)"
-#elif J98aAP
-#define COMPILED_DEVICE @"iPad6,7 (iPad Pro 12.9, Wi-Fi)"
-#elif J99aAP
-#define COMPILED_DEVICE @"iPad6,8 (iPad Pro 12.9, cellular)"
-#elif (J71sAP | J71tAP)
-#define COMPILED_DEVICE @"iPad6,11 (iPad 5, Wi-Fi)"
-#elif (J72sAP | J72tAP)
-#define COMPILED_DEVICE @"iPad6,12 (iPad 5, cellular)"
-#elif N51AP
-#define COMPILED_DEVICE @"iPhone6,1 (iPhone 5s, GSM)"
-#elif N53AP
-#define COMPILED_DEVICE @"iPhone6,2 (iPhone 5s, Global)"
-#elif N56AP
-#define COMPILED_DEVICE @"iPhone7,1 (iPhone 6 Plus)"
-#elif N61AP
-#define COMPILED_DEVICE @"iPhone7,2 (iPhone 6)"
-#elif N71AP
-#define COMPILED_DEVICE @"iPhone8,1 (iPhone 6s)"
-#elif (N66AP | N66mAP)
-#define COMPILED_DEVICE @"iPhone8,2 (iPhone 6s Plus)"
-#elif (N69AP | N69uAP)
-#define COMPILED_DEVICE @"iPhone8,4 (iPhone SE 1st gen)"
-#elif N102AP
-#define COMPILED_DEVICE @"iPod7,1 (iPod touch 6th gen)"
-#else
-#define COMPILED_DEVICE @"unknown device"
-#endif
-
-#if IOS_10_3_4
-#define COMPILED_IOS @"iOS 10.3.4"
-#elif IOS_11_0
-#define COMPILED_IOS @"iOS 11.0"
-#elif IOS_11_0_1
-#define COMPILED_IOS @"iOS 11.0.1"
-#elif IOS_11_0_2
-#define COMPILED_IOS @"iOS 11.0.2"
-#elif IOS_11_0_3
-#define COMPILED_IOS @"iOS 11.0.3"
-#elif IOS_11_1
-#define COMPILED_IOS @"iOS 11.1"
-#elif IOS_11_1_1
-#define COMPILED_IOS @"iOS 11.1.1"
-#elif IOS_11_1_2
-#define COMPILED_IOS @"iOS 11.1.2"
-#elif IOS_11_2
-#define COMPILED_IOS @"iOS 11.2"
-#elif IOS_11_2_1
-#define COMPILED_IOS @"iOS 11.2.1"
-#elif IOS_11_2_2
-#define COMPILED_IOS @"iOS 11.2.2"
-#elif IOS_11_2_5
-#define COMPILED_IOS @"iOS 11.2.5"
-#elif IOS_11_2_6
-#define COMPILED_IOS @"iOS 11.2.6"
-#elif IOS_11_3
-#define COMPILED_IOS @"iOS 11.3"
-#elif IOS_11_3_1
-#define COMPILED_IOS @"iOS 11.3.1"
-#elif IOS_11_4
-#define COMPILED_IOS @"iOS 11.4"
-#elif IOS_11_4_1
-#define COMPILED_IOS @"iOS 11.4.1"
-#else
-#define COMPILED_IOS @"unknown iOS"
-#endif
+NSString* deviceName();
 
 @interface MainVC : UIViewController
 
@@ -115,4 +11,10 @@
 
 - (void)actionJailbreak;
 
+- (void)actionFailed;
+
+- (void)exploitSucceeded;
+
+- (void)exploitFailed;
+
 @end

src/app/MainVC.m

@@ -1,8 +1,12 @@
-#include <shared/jailbreak.h>
-#include <shared/utils.h>
-#include <shared/sbx.h>
-
 #import <CoreFoundation/CoreFoundation.h>
+#include <UIKit/UIDevice.h>
+
+#include <shared/common.h>
+#include <shared/offsets.h>
+#include <untether/offsets.h>
+
+#include <shared/jailbreak.h> // for jailbreak function
+#include <shared/utils.h> // for respring function
 
 #import "MainVC.h"
 
@@ -82,7 +86,25 @@ - (void)loadView
     self.textView.translatesAutoresizingMaskIntoConstraints = NO;
 	self.textView.backgroundColor = [UIColor colorWithWhite:0.0 alpha:0.7];
 	self.textView.textColor = [UIColor whiteColor];
-	self.textView.text = [NSString stringWithFormat:@"[*] Compiled for %@ on %@\n", COMPILED_DEVICE, COMPILED_IOS];
+
+	offsets_t *off1 = malloc(sizeof(offsets_t));
+	memset(off1,0,sizeof(offsets_t));
+    offset_struct_t *off2 = malloc(sizeof(offset_struct_t));
+	memset(off2,0,sizeof(offset_struct_t));
+
+	if (populate_offsets(off1, off2)) {
+	    self.textView.text = [self.textView.text stringByAppendingString:[NSString stringWithFormat:@"[*] Using offsets for %@ on %@\n", deviceName(), [[UIDevice currentDevice] systemVersion]]];
+	    if (off1->constant.verified) {
+	        self.textView.text = [self.textView.text stringByAppendingString:[NSString stringWithFormat:@"[*] Offsets verified for %@ on %@\n", deviceName(), [[UIDevice currentDevice] systemVersion]]];
+	    } else {
+	        self.textView.text = [self.textView.text stringByAppendingString:[NSString stringWithFormat:@"[*] Offsets unverified, please inform if it functions\n", deviceName(), [[UIDevice currentDevice] systemVersion]]];
+	    }
+	} else {
+	    self.textView.text = [self.textView.text stringByAppendingString:[NSString stringWithFormat:@"[*] Offsets not found for %@ on %@\n", deviceName(), [[UIDevice currentDevice] systemVersion]]];
+	    [jbButton setTitle:@"No offsets" forState:UIControlStateNormal];
+	    [jbButton removeTarget:nil action:NULL forControlEvents:UIControlEventAllEvents];
+	    [jbButton addTarget:self action:@selector(actionFailed) forControlEvents:UIControlEventTouchUpInside];
+	}
 
 	self.textView.editable = NO;
 	self.textView.scrollEnabled = YES;
@@ -105,6 +127,11 @@ - (void)loadView
     [self.view addConstraint:[NSLayoutConstraint constraintWithItem:titleLabel attribute:NSLayoutAttributeCenterY relatedBy:NSLayoutRelationEqual toItem:self.view attribute:NSLayoutAttributeCenterY multiplier:0.5 constant:0.0]];
 }
 
+- (void)actionFailed
+{
+    self.textView.text = [self.textView.text stringByAppendingString:[NSString stringWithFormat:@"[*] Please add offsets for %@ on %@\n", deviceName(), [[UIDevice currentDevice] systemVersion]]];
+}
+
 - (void)actionJailbreak
 {
     if (hasJailbroken)

src/shared/infoleak.m

@@ -81,9 +81,10 @@
         {
             uint32_t val = req.code[1];
             LOG("Leaked value: 0x%x", val);
-            if((val & 0xfffff) == (OFF_ANCHOR & 0xfffff)) // XXX 0xfffffff0070d4878
+            uint32_t anchor = get_anchor();
+            if((val & 0xfffff) == (anchor & 0xfffff)) // XXX 0xfffffff0070d4878
             {
-                kslide = val - OFF_ANCHOR;
+                kslide = val - anchor;
             }
         }
 

src/shared/jailbreak.m

@@ -74,6 +74,7 @@ kern_return_t jailbreak(uint32_t opt, void* controller, void (*sendLog)(void*, N
     kptr_t kbase = 0;
     NSFileManager *fileMgr = [NSFileManager defaultManager];
     #define PWN_LOG(...) do { sendLog(controller, [NSString stringWithFormat:@__VA_ARGS__]); LOG(__VA_ARGS__); } while(0)
+    #define updateStage(stage) PWN_LOG("Jailbreaking... (%d/21)", stage)
 
     if(opt & JBOPT_POST_ONLY)
     {
@@ -115,6 +116,7 @@ kern_return_t jailbreak(uint32_t opt, void* controller, void (*sendLog)(void*, N
     PWN_LOG("kernproc: %llx\n", kernproc);
 
     MACH(elevate_to_root());
+    updateStage(15);
 
     MACH(init_kexecute(offs.data.zone_map, offs.gadgets.add_x0_x0_ret));
 
@@ -153,6 +155,7 @@ kern_return_t jailbreak(uint32_t opt, void* controller, void (*sendLog)(void*, N
 
     MACH(remount_root_fs());
     PWN_LOG("remounted root fs");
+    updateStage(16);
 
     fclose(fopen("/.cydia_no_stash", "w"));
 
@@ -222,6 +225,7 @@ kern_return_t jailbreak(uint32_t opt, void* controller, void (*sendLog)(void*, N
     	while (1) {}
     }
     fclose(fopen(doublebootcheck, "w"));
+    updateStage(17);
 
     // TODO: hash checks on binaries 
     #define COPY_RESOURCE(name, to_path)\
@@ -289,6 +293,38 @@ kern_return_t jailbreak(uint32_t opt, void* controller, void (*sendLog)(void*, N
                     ret = KERN_FAILURE;
                     goto out;
                 }
+
+                // Substrate is not in the bootstrap, so let's just install it
+                if (access("/usr/lib/libsubstitute.dylib", F_OK) == 0)
+                {
+                    PWN_LOG("Warning: Substitute detected, will not install Substrate.");
+                }
+
+                if (access("/usr/libexec/substrate", F_OK) != 0 && access("/usr/lib/libsubstitute.dylib", F_OK) != 0)
+                {
+                    install_substrate:
+                    PWN_LOG("substrate was not found. installing it...");
+
+                    COPY_RESOURCE("mobilesubstrate.deb", "/jb/mobilesubstrate.deb");
+
+                    if (access("/jb/mobilesubstrate.deb", F_OK) != 0)
+                    {
+                        PWN_LOG("tried to install substrate but failed to copy it!");
+                        ret = KERN_FAILURE;
+                        goto out;
+                    }
+
+                    BOOL extractResult = extractDeb(@"/jb/mobilesubstrate.deb");
+
+                    if (!extractResult)
+                    {
+                        PWN_LOG("attempted to install substrate but failed to extract it!");
+                        ret = KERN_FAILURE;
+                        goto out;
+                    }
+
+                    PWN_LOG("finished installing substrate");
+                }
 
                 fclose(fopen("/.spice_bootstrap_installed", "w+"));
 
@@ -357,38 +393,15 @@ kern_return_t jailbreak(uint32_t opt, void* controller, void (*sendLog)(void*, N
             PWN_LOG("JBOPT_POST_ONLY mode and bootstrap is present, all is well");
         }
     }
-
+    updateStage(18);
     {
-        // Substrate is not in the bootstrap, we may need to install it
         if ((opt & JBOPT_POST_ONLY) == 0)
         {
-            if (access("/usr/lib/libsubstitute.dylib", F_OK) == 0)
-            {
-                PWN_LOG("Warning: Substitute detected, will not install Substrate.");
-            }
             if (access("/usr/libexec/substrate", F_OK) != 0 && access("/usr/lib/libsubstitute.dylib", F_OK) != 0)
             {
-                PWN_LOG("substrate was not found. installing it...");
-
-                COPY_RESOURCE("mobilesubstrate.deb", "/jb/mobilesubstrate.deb");
-
-                if (access("/jb/mobilesubstrate.deb", F_OK) != 0)
-                {
-                    PWN_LOG("tried to install substrate but failed to copy it!");
-                    ret = KERN_FAILURE;
-                    goto out;
-                }
-
-                BOOL extractResult = extractDeb(@"/jb/mobilesubstrate.deb");
-
-                if (!extractResult)
-                {
-                    PWN_LOG("attempted to install substrate but failed to extract it!");
-                    ret = KERN_FAILURE;
-                    goto out;
-                }
-
-                PWN_LOG("finished installing substrate");
+                PWN_LOG("Warning: Substrate not found, returning to stage 17.");
+                updateStage(17);
+                goto install_substrate;
             }
         }
     }
@@ -427,7 +440,7 @@ kern_return_t jailbreak(uint32_t opt, void* controller, void (*sendLog)(void*, N
         	}
         }
     }
-
+    updateStage(19);
     {
         NSMutableDictionary *dict = NULL;
 
@@ -516,7 +529,7 @@ kern_return_t jailbreak(uint32_t opt, void* controller, void (*sendLog)(void*, N
          * -- remember; it handles codesign patching
          */ 
     }
-
+    updateStage(20);
     {
         // TODO: copy/check for launchctl
         MACH(inject_trust("/bin/launchctl"));
@@ -564,7 +577,7 @@ kern_return_t jailbreak(uint32_t opt, void* controller, void (*sendLog)(void*, N
             }
         }
     }
-
+    updateStage(21);
     {
         if ((opt & JBOPT_POST_ONLY) != 0)
         {