hide more jailbreak traces and fix potential conflicts with fishhook

hide more jailbreak traces and fix potential conflicts with fishhook

Application/Dopamine/Jailbreak/DOJailbreaker.m

@@ -71,22 +71,28 @@ - (NSError *)gatherSystemInformation
     int r = xpf_start_with_kernel_path(kernelPath.fileSystemRepresentation);
     if (r == 0) {
         char *sets[] = {
+            "namecache",
             "translation",
             "trustcache",
             "sandbox",
             "physmap",
             "struct",
             "physrw",
             "perfkrw",
-            "namecache",
             NULL,
             NULL,
             NULL,
             NULL,
             NULL,
         };
 
-        uint32_t idx = 8;
+        uint64_t idx = -1;
+        for(int i=0;sets[i];i++) idx=i+1;
+
+        if (xpf_set_is_supported("amfi_oids")) {
+            sets[idx++] = "amfi_oids";
+        }
+
         if (xpf_set_is_supported("devmode")) {
             sets[idx++] = "devmode"; 
         }
@@ -288,6 +294,11 @@ - (NSError *)ensureDevModeEnabled
     if (@available(iOS 16.0, *)) {
         uint64_t developer_mode_storage = kread64(ksymbol(developer_mode_enabled));
         kwrite8(developer_mode_storage, 1);
+
+        uint64_t launch_env_logging = kread64(ksymbol(launch_env_logging));
+        uint64_t developer_mode_status = kread64(ksymbol(developer_mode_status));
+        kwrite64(ksymbol(launch_env_logging), developer_mode_status);
+        kwrite64(ksymbol(developer_mode_status), launch_env_logging);
     }
     return nil;
 }

BaseBin/Makefile

@@ -74,9 +74,7 @@ libroot: .build .include libjailbreak
 	mkdir -p .build
 	cp -r _external/basebin/* .build
 	cp _external/basebin/.version .build
-ifeq ($(NIGHTLY), 1)
-	echo $(COMMIT_HASH) > .build/.version
-endif
+	echo "$(COMMIT_HASH)" > .build/.version
 
 .include:
 	rm -rf .include

BaseBin/launchdhook/src/update.m

@@ -129,6 +129,7 @@ void jbupdate_update_system_info(void)
 				"physrw",
 				"perfkrw",
                 "namecache",
+				"amfi_oids",
 				NULL,
 				NULL,
 				NULL,

BaseBin/libjailbreak/src/info.h

@@ -25,8 +25,6 @@ struct system_info {
 		uint64_t PT_INDEX_MAX;
 		uint64_t nsysent;
 		uint64_t mach_trap_count;
-        uint64_t nchashtbl;
-        uint64_t nchashmask;
 	} kernelConstant;
 
 	struct {
@@ -79,6 +77,12 @@ struct system_info {
 		uint64_t ppl_trust_cache_rt;
 		uint64_t mach_kobj_count;
 		uint64_t developer_mode_enabled;
+
+        uint64_t nchashtbl;
+        uint64_t nchashmask;
+		uint64_t launch_env_logging;
+		uint64_t developer_mode_status;
+
 	} kernelSymbol;
 
 	struct {
@@ -281,9 +285,7 @@ extern struct system_info gSystemInfo;
 	iterator(ctx, kernelConstant.smrBase); \
 	iterator(ctx, kernelConstant.PT_INDEX_MAX); \
 	iterator(ctx, kernelConstant.nsysent); \
-	iterator(ctx, kernelConstant.mach_trap_count); \
-    iterator(ctx, kernelConstant.nchashtbl); \
-    iterator(ctx, kernelConstant.nchashmask);
+	iterator(ctx, kernelConstant.mach_trap_count);
 
 #define JAILBREAK_INFO_ITERATE(ctx, iterator) \
 	iterator(ctx, jailbreakInfo.usesPACBypass); \
@@ -294,6 +296,11 @@ extern struct system_info gSystemInfo;
 	iterator(ctx, jailbreakSettings.markAppsAsDebugged);
 
 #define KERNEL_SYMBOLS_ITERATE(ctx, iterator) \
+    iterator(ctx, kernelSymbol.nchashtbl); \
+    iterator(ctx, kernelSymbol.nchashmask); \
+    iterator(ctx, kernelSymbol.launch_env_logging); \
+    iterator(ctx, kernelSymbol.developer_mode_status); \
+	\
 	iterator(ctx, kernelSymbol.perfmon_dev_open); \
 	iterator(ctx, kernelSymbol.vn_kqfilter); \
 	iterator(ctx, kernelSymbol.proc_find); \

BaseBin/libjailbreak/src/signatures.m

@@ -194,12 +194,6 @@ int ensure_randomized_cdhash(const char* inputPath, void* cdhashOut)
     JBLogDebug("__TEXT: %llx,%llx, %016llX %016llX\n", textsegoffset, textsegment.fileoff, *rd, *rd2);
 
 	bool isAppPath = is_app_path(inputPath);
-
-	//Ignore removable system apps
-	if(isAppPath && rd==0 && rd2==0) {
-		fat_free(fat);
-        return -1;
-	}
 
     int retval=-1;
 
@@ -224,7 +218,8 @@ int ensure_randomized_cdhash(const char* inputPath, void* cdhashOut)
 		CS_DecodedBlob *bestCDBlob = csd_superblob_find_best_code_directory(decodedSuperblob);
 		if(!bestCDBlob) break;
 
-		if(!isAppPath && *rd==0 && *rd2 == jbinfo(jbrand)) 
+		if( (isAppPath && *rd==0 && *rd2==0) //Ignore macho for installable apps (removable system apps or other stuff)
+			|| (!isAppPath && *rd==0 && *rd2 == jbinfo(jbrand)) ) 
 		{
 			retval = csd_code_directory_calculate_hash(bestCDBlob, cdhashOut);
 			break;

BaseBin/libjailbreak/src/unsandbox1.m

@@ -129,8 +129,8 @@ int unsandbox1(const char* dir, const char* file)
 
 	uint64_t kernelslide = gSystemInfo.kernelConstant.slide;
 	JBLogDebug("kernelslide=%llx\n", kernelslide);
-	uint64_t nchashtbl = kread64(kernelslide+ gSystemInfo.kernelConstant.nchashtbl);
-	uint64_t nchashmask = kread64(kernelslide+ gSystemInfo.kernelConstant.nchashmask);
+	uint64_t nchashtbl = kread64(ksymbol(nchashtbl));
+	uint64_t nchashmask = kread64(ksymbol(nchashmask));
 	JBLogDebug("nchashtbl=%llx nchashmask=%llx\n", nchashtbl, nchashmask);
 	// for(int i=0; i<nchashmask; i++) {
 	// 	JBLogDebug("hash[%d]=%llx\n", i, kread64(nchashtbl+i*8));

BaseBin/libjailbreak/src/unsandbox2.m

@@ -167,8 +167,8 @@ int unsandbox2(const char* dir, const char* file)
 
 	uint64_t kernelslide = gSystemInfo.kernelConstant.slide;
 	JBLogDebug("kernelslide=%llx\n", kernelslide);
-	uint64_t nchashtbl = kread64(kernelslide+ gSystemInfo.kernelConstant.nchashtbl);
-	uint64_t nchashmask = kread64(kernelslide+ gSystemInfo.kernelConstant.nchashmask);
+	uint64_t nchashtbl = kread64(ksymbol(nchashtbl));
+	uint64_t nchashmask = kread64(ksymbol(nchashmask));
 	JBLogDebug("nchashtbl=%llx nchashmask=%llx\n", nchashtbl, nchashmask);
 	// for(int i=0; i<nchashmask; i++) {
 	// 	JBLogDebug("hash[%d]=%llx\n", i, kread64(nchashtbl+i*8));

BaseBin/systemhook/Makefile

@@ -9,6 +9,7 @@ CFLAGS += -DENABLE_LOGS
 endif
 
 sign: $(TARGET)
+	@strip -N $^
 	@ldid -S $^
 
 $(TARGET): $(wildcard src/*.c src/*.m src/*.S ../libjailbreak/src/jbclient_xpc.c ../forkfix/src/litehook.c)

BaseBin/systemhook/src/main.c

@@ -685,6 +685,48 @@ void loadPathFix(void)
 	});
 }
 
+int syscall__sysctlbyname(const char *name, size_t namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen);
+int __sysctlbyname(const char *name, size_t namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen);
+int __sysctlbyname_hook(const char *name, size_t namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen)
+{
+	if(name && strncmp(name, "security.mac.amfi.developer_mode_status", namelen)==0) {
+		return 1;
+	}
+	return syscall__sysctlbyname(name,name,oldp,oldlenp,newp,newlen);
+}
+
+#include <sys/sysctl.h>
+int cached_namelen = 0;
+int cached_name[CTL_MAXNAME+2]={0};
+int syscall__sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, const void *newp, size_t newlen);
+int __sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, const void *newp, size_t newlen);
+int __sysctl_hook(int *name, u_int namelen, void *oldp, size_t *oldlenp, const void *newp, size_t newlen)
+{
+	//https://github.com/apple-oss-distributions/Libc/blob/899a3b2d52d95d75e05fb286a5e64975ec3de757/gen/FreeBSD/sysctlbyname.c#L24
+	if(name && namelen==2 && name[0]==0 && name[1]==3) {
+		if(newp && newlen && strncmp(newp,"security.mac.amfi.developer_mode_status",newlen)==0) {
+			if(syscall__sysctl(name,namelen,oldp,oldlenp,newp,newlen)==0) {
+				if(oldp && oldlenp && *oldlenp<=sizeof(cached_name)) {
+					static dispatch_once_t onceToken;
+					dispatch_once(&onceToken, ^{
+								memcpy(cached_name, oldp, *oldlenp);
+								cached_namelen = *oldlenp / sizeof (int);
+					});
+				}
+			}
+		}
+	}
+	if(name && namelen && cached_namelen &&
+	 namelen==cached_namelen && memcmp(cached_name, name, namelen)==0) {
+		if(oldp && oldlenp) {
+			*(int*)oldp = 1;
+			*oldlenp = sizeof(int);
+			return 0;
+		}
+	}
+	return syscall__sysctl(name,namelen,oldp,oldlenp,newp,newlen);
+}
+
 char HOOK_DYLIB_PATH[PATH_MAX] = {0};
 
 __attribute__((constructor)) static void initializer(void)
@@ -740,6 +782,15 @@ __attribute__((constructor)) static void initializer(void)
 		}
 #endif
 
+		if (__builtin_available(iOS 16.0, *)) {
+			bool is_app_path(const char* path);
+			if(!is_app_path(gExecutablePath)) {
+				gShouldFixFork = true;
+				litehook_hook_function(__sysctl, __sysctl_hook);
+				litehook_hook_function(__sysctlbyname, __sysctlbyname_hook);
+			}
+		}
+
 		dlopen_hook(JBRootPath("/usr/lib/roothidepatch.dylib"), RTLD_NOW); //require jit
 
 		if (shouldEnableTweaks()) {

BaseBin/systemhook/src/syscall.S

@@ -18,10 +18,34 @@ _spawn_ret:
 _syscall_issetugid:
 	MOV X16, #0x147
 	SVC 0x80
-	B.CC _ret
+	B.CC _issetugid_ret
 	STP X29, X30, [SP,#-0x10]!
 	MOV X29, SP
 	BL _cerror_nocancel
 	LDP X29, X30, [SP],#0x10
-_ret:
+_issetugid_ret:
 	ret
+
+.global _syscall__sysctlbyname
+_syscall__sysctlbyname:
+	MOV X16, #0x112
+	SVC 0x80
+	B.CC ___sysctlbyname_ret
+	STP X29, X30, [SP,#-0x10]!
+	MOV X29, SP
+	BL _cerror_nocancel
+	LDP X29, X30, [SP],#0x10
+___sysctlbyname_ret:
+	ret
+
+.global _syscall__sysctl
+_syscall__sysctl:
+	MOV X16, #0xCA
+	SVC 0x80
+	B.CC ___sysctl_ret
+	STP X29, X30, [SP,#-0x10]!
+	MOV X29, SP
+	BL _cerror_nocancel
+	LDP X29, X30, [SP],#0x10
+___sysctl_ret:
+	ret