kpwn · ohmza · Mar 4, 2017 · Mar 4, 2017 · Apr 8, 2017
diff --git a/yalu102.xcodeproj/project.pbxproj b/yalu102.xcodeproj/project.pbxproj
@@ -7,6 +7,11 @@
 	objects = {
 
 /* Begin PBXBuildFile section */
+		DEE2E2CA1E6A7049003AA147 /* dpkg in Resources */ = {isa = PBXBuildFile; fileRef = DEE2E2C51E6A7049003AA147 /* dpkg */; };
+		DEE2E2CB1E6A7049003AA147 /* openssl.zip in Resources */ = {isa = PBXBuildFile; fileRef = DEE2E2C61E6A7049003AA147 /* openssl.zip */; };
+		DEE2E2CC1E6A7049003AA147 /* scp in Resources */ = {isa = PBXBuildFile; fileRef = DEE2E2C71E6A7049003AA147 /* scp */; };
+		DEE2E2CD1E6A7049003AA147 /* sftp in Resources */ = {isa = PBXBuildFile; fileRef = DEE2E2C81E6A7049003AA147 /* sftp */; };
+		DEE2E2CE1E6A7049003AA147 /* sftp-server in Resources */ = {isa = PBXBuildFile; fileRef = DEE2E2C91E6A7049003AA147 /* sftp-server */; };
 		EA1A3B9D1E391C4F009CA025 /* patchfinder64.o in Frameworks */ = {isa = PBXBuildFile; fileRef = EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */; };
 		EA1A3BA81E398E33009CA025 /* 0.reload.plist in Resources */ = {isa = PBXBuildFile; fileRef = EA1A3BA61E398E33009CA025 /* 0.reload.plist */; };
 		EA1A3BAD1E399006009CA025 /* reload in Resources */ = {isa = PBXBuildFile; fileRef = EA1A3BAC1E399006009CA025 /* reload */; };
@@ -28,6 +33,11 @@
 /* End PBXBuildFile section */
 
 /* Begin PBXFileReference section */
+		DEE2E2C51E6A7049003AA147 /* dpkg */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; path = dpkg; sourceTree = "<group>"; };
+		DEE2E2C61E6A7049003AA147 /* openssl.zip */ = {isa = PBXFileReference; lastKnownFileType = archive.zip; path = openssl.zip; sourceTree = "<group>"; };
+		DEE2E2C71E6A7049003AA147 /* scp */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; path = scp; sourceTree = "<group>"; };
+		DEE2E2C81E6A7049003AA147 /* sftp */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; path = sftp; sourceTree = "<group>"; };
+		DEE2E2C91E6A7049003AA147 /* sftp-server */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; path = "sftp-server"; sourceTree = "<group>"; };
 		EA1A3B9B1E38BBDB009CA025 /* patchfinder64.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = patchfinder64.h; sourceTree = "<group>"; };
 		EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.objfile"; path = patchfinder64.o; sourceTree = "<group>"; };
 		EA1A3BA61E398E33009CA025 /* 0.reload.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = 0.reload.plist; sourceTree = "<group>"; };
@@ -106,6 +116,11 @@
 				EA9901051E219FF10056FEBD /* bootstrap.tar */,
 				EA9901091E21A04C0056FEBD /* tar */,
 				EA99010B1E21A0520056FEBD /* launchctl */,
+				DEE2E2C51E6A7049003AA147 /* dpkg */,
+				DEE2E2C61E6A7049003AA147 /* openssl.zip */,
+				DEE2E2C71E6A7049003AA147 /* scp */,
+				DEE2E2C81E6A7049003AA147 /* sftp */,
+				DEE2E2C91E6A7049003AA147 /* sftp-server */,
 				EA9901131E21A1B00056FEBD /* iokitmig64.o */,
 				EA1A3B9C1E391C4F009CA025 /* patchfinder64.o */,
 				EA99010F1E21A1A00056FEBD /* pte_stuff.h */,
@@ -157,7 +172,7 @@
 				TargetAttributes = {
 					EA9900E21E1E9F060056FEBD = {
 						CreatedOnToolsVersion = 8.2.1;
-						DevelopmentTeam = CGTX3WH3ZS;
+						DevelopmentTeam = Z2U66H6MHA;
 						ProvisioningStyle = Automatic;
 					};
 				};
@@ -185,13 +200,18 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				DEE2E2CA1E6A7049003AA147 /* dpkg in Resources */,
+				DEE2E2CD1E6A7049003AA147 /* sftp in Resources */,
 				EA99010A1E21A04C0056FEBD /* tar in Resources */,
+				DEE2E2CB1E6A7049003AA147 /* openssl.zip in Resources */,
+				DEE2E2CE1E6A7049003AA147 /* sftp-server in Resources */,
 				EA99010C1E21A0520056FEBD /* launchctl in Resources */,
 				EA9901061E219FF10056FEBD /* bootstrap.tar in Resources */,
 				EA1A3BA81E398E33009CA025 /* 0.reload.plist in Resources */,
 				EAA7F7C71E3EE4AF00BE3C64 /* dropbear.plist in Resources */,
 				EA9900F61E1E9F060056FEBD /* LaunchScreen.storyboard in Resources */,
 				EA1A3BAD1E399006009CA025 /* reload in Resources */,
+				DEE2E2CC1E6A7049003AA147 /* scp in Resources */,
 				EA1A3BC51E39D1FF009CA025 /* Assets.xcassets in Resources */,
 				EA9900F11E1E9F060056FEBD /* Main.storyboard in Resources */,
 			);
@@ -334,37 +354,41 @@
 		EA9900FB1E1E9F060056FEBD /* Debug */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
+				ALWAYS_SEARCH_USER_PATHS = YES;
 				ARCHS = armv7;
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CLANG_ENABLE_OBJC_ARC = NO;
-				DEVELOPMENT_TEAM = CGTX3WH3ZS;
+				DEVELOPMENT_TEAM = Z2U66H6MHA;
 				INFOPLIST_FILE = yalu102/Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks";
 				LIBRARY_SEARCH_PATHS = (
 					"$(inherited)",
 					"$(PROJECT_DIR)/yalu102",
 				);
-				PRODUCT_BUNDLE_IDENTIFIER = kim.cracksby.yalu102;
+				PRODUCT_BUNDLE_IDENTIFIER = com.ohmza.Yalu;
 				PRODUCT_NAME = "$(TARGET_NAME)";
+				USER_HEADER_SEARCH_PATHS = "$(inherited) $(PROJECT_DIR)/yalu102";
 				VALID_ARCHS = armv7;
 			};
 			name = Debug;
 		};
 		EA9900FC1E1E9F060056FEBD /* Release */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
+				ALWAYS_SEARCH_USER_PATHS = YES;
 				ARCHS = armv7;
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CLANG_ENABLE_OBJC_ARC = NO;
-				DEVELOPMENT_TEAM = CGTX3WH3ZS;
+				DEVELOPMENT_TEAM = Z2U66H6MHA;
 				INFOPLIST_FILE = yalu102/Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks";
 				LIBRARY_SEARCH_PATHS = (
 					"$(inherited)",
 					"$(PROJECT_DIR)/yalu102",
 				);
-				PRODUCT_BUNDLE_IDENTIFIER = kim.cracksby.yalu102;
+				PRODUCT_BUNDLE_IDENTIFIER = com.ohmza.Yalu;
 				PRODUCT_NAME = "$(TARGET_NAME)";
+				USER_HEADER_SEARCH_PATHS = "$(inherited) $(PROJECT_DIR)/yalu102";
 				VALID_ARCHS = armv7;
 			};
 			name = Release;

diff --git a/yalu102/dpkg b/yalu102/dpkg
diff --git a/yalu102/jailbreak.m b/yalu102/jailbreak.m
@@ -894,6 +894,33 @@ void exploit(void* btn, mach_port_t pt, uint64_t kernbase, uint64_t allprocs)
                 system("killall -9 cfprefsd");
 
             }
+
+
+            int g = open("/.installed_YaluXPatched", O_RDONLY);
+
+            if (g == -1) {
+                system("/bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.softwareupdateservicesd.plist; mv /System/Library/LaunchDaemons/com.apple.softwareupdateservicesd.plist /System/Library/LaunchDaemons/com.apple.softwareupdateservicesd.plist.disabled");
+
+                NSString* dpkg = [execpath stringByAppendingPathComponent:@"dpkg"];
+                const char* jl = [dpkg UTF8String];
+
+                unlink("/usr/bin/dpkg");
+                unlink("/tmp/openssl.deb");
+
+                copyfile(jl, "/usr/bin/dpkg", 0, COPYFILE_ALL);
+                chmod("/usr/bin/dpkg", 0755);
+
+                NSString* openssl = [execpath stringByAppendingPathComponent:@"openssl.zip"];
+                jl = [openssl UTF8String];
+
+                copyfile(jl, "/tmp/openssl.deb", 0, COPYFILE_ALL);
+                chmod("/tmp/openssl.deb", 0755);
+
+                system("/usr/bin/dpkg -i /tmp/openssl.deb");
+
+                open("/.installed_YaluXPatched", O_RDWR|O_CREAT);
+            }
+
             {
                 NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"reload"];
                 char* jl = [jlaunchctl UTF8String];
@@ -903,6 +930,30 @@ void exploit(void* btn, mach_port_t pt, uint64_t kernbase, uint64_t allprocs)
                 chown("/usr/libexec/reload", 0, 0);
 
             }
+            {
+                NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"sftp-server"];
+                char* jl = [jlaunchctl UTF8String];
+                unlink("/usr/libexec/sftp-server");
+                copyfile(jl, "/usr/libexec/sftp-server", 0, COPYFILE_ALL);
+                chmod("/usr/libexec/sftp-server", 0755);
+                chown("/usr/libexec/sftp-server", 0, 0);
+            }
+            {
+                NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"scp"];
+                char* jl = [jlaunchctl UTF8String];
+                unlink("/usr/bin/scp");
+                copyfile(jl, "/usr/bin/scp", 0, COPYFILE_ALL);
+                chmod("/usr/bin/scp", 0755);
+                chown("/usr/bin/scp", 0, 0);
+            }
+            {
+                NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"sftp"];
+                char* jl = [jlaunchctl UTF8String];
+                unlink("/usr/bin/sftp");
+                copyfile(jl, "/usr/bin/sftp", 0, COPYFILE_ALL);
+                chmod("/usr/bin/sftp", 0755);
+                chown("/usr/bin/sftp", 0, 0);
+            }
             {
                 NSString* jlaunchctl = [execpath stringByAppendingPathComponent:@"0.reload.plist"];
                 char* jl = [jlaunchctl UTF8String];
@@ -919,16 +970,13 @@ void exploit(void* btn, mach_port_t pt, uint64_t kernbase, uint64_t allprocs)
                 chmod("/Library/LaunchDaemons/dropbear.plist", 0644);
                 chown("/Library/LaunchDaemons/dropbear.plist", 0, 0);
             }
-            unlink("/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist");
-
         }
     }
     chmod("/private", 0777);
     chmod("/private/var", 0777);
     chmod("/private/var/mobile", 0777);
     chmod("/private/var/mobile/Library", 0777);
     chmod("/private/var/mobile/Library/Preferences", 0777);
-    system("rm -rf /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate; touch /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate; chmod 000 /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate; chown 0:0 /var/MobileAsset/Assets/com_apple_MobileAsset_SoftwareUpdate");
     system("(echo 'really jailbroken'; /bin/launchctl load /Library/LaunchDaemons/0.reload.plist)&");
     WriteAnywhere64(bsd_task+0x100, orig_cred);
     sleep(2);

diff --git a/yalu102/openssl.zip b/yalu102/openssl.zip
diff --git a/yalu102/pte_stuff.h b/yalu102/pte_stuff.h
@@ -60,10 +60,11 @@ void checkvad() {
     if (!sz) {
         struct utsname u = { 0 };
         uname(&u);
-        host_page_size(mach_host_self(), &sz);
         NSLog(@"checkvad: %x %x", sz, getpagesize());
-        if (strstr(u.machine, "iPad5,") == u.machine) {
-            sz = 4096; // this is 4k but host_page_size lies to us
+        if ((strstr(u.machine, "iPad4,") == u.machine) || (strstr(u.machine, "iPad5,") == u.machine) || (strstr(u.machine, "iPhone6,") == u.machine) || (strstr(u.machine, "iPhone7,") == u.machine) || (strstr(u.machine, "iPod7,") == u.machine)) {
+            sz = 4096;
+        } else if ((strstr(u.machine, "iPad6,") == u.machine) || (strstr(u.machine, "iPhone8,") == u.machine) || (strstr(u.machine, "iPhone9,") == u.machine)) {
+            sz = 4096*4;
         }
         assert(sz);
         if (sz == 4096) {

diff --git a/yalu102/scp b/yalu102/scp
diff --git a/yalu102/sftp b/yalu102/sftp
diff --git a/yalu102/sftp-server b/yalu102/sftp-server