merge 2.1.5

Application/Dopamine.xcodeproj/project.pbxproj

@@ -2239,7 +2239,7 @@
 					"$(PROJECT_DIR)/Dopamine/Dependencies",
 					"$(PROJECT_DIR)/Dopamine/Resources",
 				);
-				MARKETING_VERSION = 2.1.4;
+				MARKETING_VERSION = 2.1.5;
 				PRODUCT_BUNDLE_IDENTIFIER = "com.opa334.Dopamine-roothide";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SWIFT_EMIT_LOC_STRINGS = YES;
@@ -2277,7 +2277,7 @@
 					"$(PROJECT_DIR)/Dopamine/Dependencies",
 					"$(PROJECT_DIR)/Dopamine/Resources",
 				);
-				MARKETING_VERSION = 2.1.4;
+				MARKETING_VERSION = 2.1.5;
 				PRODUCT_BUNDLE_IDENTIFIER = "com.opa334.Dopamine-roothide";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SWIFT_EMIT_LOC_STRINGS = YES;

Application/Dopamine/Jailbreak/DOBootstrapper.m

@@ -716,6 +716,8 @@ - (void)prepareBootstrapWithCompletion:(void (^)(NSError *))completion
         NSString* systemhookFilePath = [NSString stringWithFormat:@"%@/systemhook-%016llX.dylib", NSJBRootPath(@"/basebin"), jbrand()];
         [[NSFileManager defaultManager] copyItemAtPath:NSJBRootPath(@"/basebin/systemhook.dylib") toPath:systemhookFilePath error:nil];
 
+        JBFixMobilePermissions();
+
         completion(nil);
     }
 }

Application/Dopamine/Resources/LICENSE_weightBufs.md

@@ -1,10 +1,6 @@
 MIT License
 
-<<<<<<<< HEAD:LICENSE.md
-Copyright (c) 2023-2024 Lars Fröder (opa334)
-========
 Copyright (c) 2022 Mohamed Ghannam
->>>>>>>> upstream/2.x:Application/Dopamine/Resources/LICENSE_weightBufs.md
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Application/Dopamine/UI/Settings/DOSettingsController.m

@@ -213,6 +213,16 @@ - (id)specifiers
             [appJitSpecifier setProperty:@YES forKey:@"default"];
             [specifiers addObject:appJitSpecifier];
 
+            if (@available(iOS 16.0, *)) {
+                if (envManager.isJailbroken && !jbclient_platform_jbsettings_get_bool("DevMode")) {
+                    PSSpecifier *devmodeSpecifier = [PSSpecifier preferenceSpecifierNamed:DOLocalizedString(@"Settings_DevMode") target:self set:@selector(setDevMode:specifier:) get:@selector(getDevMode:) detail:nil cell:PSSwitchCell edit:nil];
+                    [appJitSpecifier setProperty:@YES forKey:@"enabled"];
+                    [appJitSpecifier setProperty:@"DevMode" forKey:@"key"];
+                    [appJitSpecifier setProperty:@YES forKey:@"default"];
+                    [specifiers addObject:devmodeSpecifier];
+                }
+            }
+
             if (!envManager.isJailbroken && !envManager.isInstalledThroughTrollStore) {
                 PSSpecifier *removeJailbreakSwitchSpecifier = [PSSpecifier preferenceSpecifierNamed:DOLocalizedString(@"Button_Remove_Jailbreak") target:self set:@selector(setRemoveJailbreakEnabled:specifier:) get:defGetter detail:nil cell:PSSwitchCell edit:nil];
                 [removeJailbreakSwitchSpecifier setProperty:@YES forKey:@"enabled"];
@@ -399,6 +409,32 @@ - (void)setAppJITEnabled:(id)value specifier:(PSSpecifier *)specifier
     }
 }
 
+- (id)getDevMode:(PSSpecifier *)specifier
+{
+    return @(jbclient_platform_jbsettings_get_bool("DevMode"));
+}
+
+- (void)setDevMode:(id)value specifier:(PSSpecifier *)specifier
+{
+    BOOL enable = ((NSNumber *)value).boolValue;
+
+    if(enable) {
+        jbclient_platform_jbsettings_set_bool("DevMode", YES);
+        return;
+    }
+
+    UIAlertController *confirmationAlertController = [UIAlertController alertControllerWithTitle:DOLocalizedString(@"Alert_Disable_DevMode_Title") message:DOLocalizedString(@"Alert_Disable_DevMode_Body") preferredStyle:UIAlertControllerStyleAlert];
+    UIAlertAction *continueAction = [UIAlertAction actionWithTitle:DOLocalizedString(@"Button_Continue") style:UIAlertActionStyleDestructive handler:^(UIAlertAction * _Nonnull action) {
+            jbclient_platform_jbsettings_set_bool("DevMode", NO);
+    }];
+    UIAlertAction *cancelAction = [UIAlertAction actionWithTitle:DOLocalizedString(@"Button_Cancel") style:UIAlertActionStyleDefault handler:^(UIAlertAction * _Nonnull action) {
+        [self reloadSpecifiers];
+    }];
+    [confirmationAlertController addAction:continueAction];
+    [confirmationAlertController addAction:cancelAction];
+    [self presentViewController:confirmationAlertController animated:YES completion:nil];
+}
+
 - (void)setRemoveJailbreakEnabled:(id)value specifier:(PSSpecifier *)specifier
 {
     [self setPreferenceValue:value specifier:specifier];

Application/Dopamine/en.lproj/Localizable.strings

@@ -42,6 +42,9 @@
 "Settings_iDownload" = "iDownload (Developer Shell)";
 "Settings_Verbose_Logs" = "Verbose Logs";
 "Settings_Apps_JIT" = "Allow JIT in Apps";
+"Settings_DevMode" = "Enable Developer Mode";
+"Alert_Disable_DevMode_Title" = "Disable Developer Mode";
+"Alert_Disable_DevMode_Body" = "Disabling developer mode will cause some jailbreak programs to be unable to run. Are you sure you want to continue?";
 
 // Settings Buttons
 "Button_Reboot_Device" = "Reboot Device";

BaseBin/_external/basebin/.version

@@ -1 +1 @@
-2.1.4
+2.1.5

BaseBin/jbctl/src/main.m

@@ -106,7 +106,7 @@ int main(int argc, char* argv[])
 				print_usage();
 				return 2;
 			}
-			return jbclient_trust_binary(filepath);
+			return jbclient_trust_binary(filepath, NULL);
 		}
 	}
 	else if (!strcmp(cmd, "reboot_userspace")) {

BaseBin/launchdhook/src/jbserver/jbdomain_platform.c

@@ -34,6 +34,23 @@ static int platform_jbsettings_get(const char *key, xpc_object_t *valueOut)
 		*valueOut = xpc_bool_create(jbsetting(markAppsAsDebugged));
 		return 0;
 	}
+	else if(strcmp(key, "DevMode")==0) {
+		int state = 1;
+		uint64_t developer_mode_state = kread64(ksymbol(developer_mode_enabled));
+		if ((developer_mode_state & 0xff) == 0 || (developer_mode_state & 0xff) == 1) {
+			// On iOS 16.0 - 16.3, developer_mode_state is a bool
+			state = (uint8_t)developer_mode_state;
+		}
+		else {
+			// On iOS 16.4+, developer_mode_state is a pointer to a bool
+			uint8_t devmode = kread8(developer_mode_state);
+			if(devmode==0 || devmode==1) {
+				state = devmode;
+			}
+		}
+		*valueOut = xpc_bool_create(state);
+		return 0;
+	}
 	return -1;
 }
 
@@ -43,6 +60,21 @@ static int platform_jbsettings_set(const char *key, xpc_object_t value)
 		gSystemInfo.jailbreakSettings.markAppsAsDebugged = xpc_bool_get_value(value);
 		return 0;
 	}
+	else if(strcmp(key, "DevMode")==0 && xpc_get_type(value) == XPC_TYPE_BOOL) {
+		int state = xpc_bool_get_value(value);
+		uint64_t developer_mode_state = kread64(ksymbol(developer_mode_enabled));
+		if ((developer_mode_state & 0xff) == 0 || (developer_mode_state & 0xff) == 1) {
+			// On iOS 16.0 - 16.3, developer_mode_state is a bool
+			if (developer_mode_state != state) {
+				kwrite8(ksymbol(developer_mode_enabled), state);
+			}
+		}
+		else if (kread8(developer_mode_state) != state) {
+			// On iOS 16.4+, developer_mode_state is a pointer to a bool
+			kwrite8(developer_mode_state, state);
+		}
+		return 0;
+	}
 	return -1;
 }
 

BaseBin/launchdhook/src/jbserver/jbdomain_systemwide.c

@@ -73,7 +73,7 @@ static int systemwide_get_boot_uuid(char **bootUUIDOut)
 	return 0;
 }
 
-static int trust_file(const char *filePath, const char *dlopenCallerImagePath, const char *dlopenCallerExecutablePath)
+static int trust_file(const char *filePath, const char *dlopenCallerImagePath, const char *dlopenCallerExecutablePath, xpc_object_t preferredArchsArray)
 {
 	// Shared logic between client and server, implemented in client
 	// This should essentially mean these files never reach us in the first place
@@ -82,9 +82,23 @@ static int trust_file(const char *filePath, const char *dlopenCallerImagePath, c
 
 	if (can_skip_trusting_file(filePath, (bool)dlopenCallerExecutablePath, false)) return -1;
 
+	size_t preferredArchCount = 0;
+	if (preferredArchsArray) preferredArchCount = xpc_array_get_count(preferredArchsArray);
+	uint32_t preferredArchTypes[preferredArchCount];
+	uint32_t preferredArchSubtypes[preferredArchCount];
+	for (size_t i = 0; i < preferredArchCount; i++) {
+		preferredArchTypes[i] = 0;
+		preferredArchSubtypes[i] = UINT32_MAX;
+		xpc_object_t arch = xpc_array_get_value(preferredArchsArray, i);
+		if (xpc_get_type(arch) == XPC_TYPE_DICTIONARY) {
+			preferredArchTypes[i] = xpc_dictionary_get_uint64(arch, "type");
+			preferredArchSubtypes[i] = xpc_dictionary_get_uint64(arch, "subtype");
+		}
+	}
+
 	cdhash_t *cdhashes = NULL;
 	uint32_t cdhashesCount = 0;
-	macho_collect_untrusted_cdhashes(filePath, dlopenCallerImagePath, dlopenCallerExecutablePath, &cdhashes, &cdhashesCount);
+	macho_collect_untrusted_cdhashes(filePath, dlopenCallerImagePath, dlopenCallerExecutablePath, preferredArchTypes, preferredArchSubtypes, preferredArchCount, &cdhashes, &cdhashesCount);
 	if (cdhashes && cdhashesCount > 0) {
 		jb_trustcache_add_cdhashes(cdhashes, cdhashesCount);
 		free(cdhashes);
@@ -93,9 +107,9 @@ static int trust_file(const char *filePath, const char *dlopenCallerImagePath, c
 }
 
 // Not static because launchd will directly call this from it's posix_spawn hook
-int systemwide_trust_binary(const char *binaryPath)
+int systemwide_trust_binary(const char *binaryPath, xpc_object_t preferredArchsArray)
 {
-	return trust_file(binaryPath, NULL, NULL);
+	return trust_file(binaryPath, NULL, NULL, preferredArchsArray);
 }
 
 static int systemwide_trust_library(audit_token_t *processToken, const char *libraryPath, const char *callerLibraryPath)
@@ -111,7 +125,7 @@ static int systemwide_trust_library(audit_token_t *processToken, const char *lib
 	// This is to support dlopen("@executable_path/whatever", RTLD_NOW) and stuff like that
 	// (Yes that is a thing >.<)
 	// Also we need to pass the path of the image that called dlopen due to @loader_path, sigh...
-	return trust_file(libraryPath, callerLibraryPath, callerPath);
+	return trust_file(libraryPath, callerLibraryPath, callerPath, NULL);
 }
 
 char* generate_sandbox_extensions(audit_token_t *processToken, bool writable)
@@ -248,6 +262,26 @@ static int systemwide_process_checkin(audit_token_t *processToken, char **rootPa
 		}
 	}
 
+#ifdef __arm64e__
+	// On arm64e every image has a trust level associated with it
+	// "In trust cache" trust levels have higher runtime enforcements, this can be a problem for some tools as Dopamine trustcaches everything that's adhoc signed
+	// So we add the ability for a binary to get a different trust level using the "jb.pmap_cs_custom_trust" entitlement
+	// This is for binaries that rely on weaker PMAP_CS checks (e.g. Lua trampolines need it)
+	xpc_object_t customTrustObj = xpc_copy_entitlement_for_token("jb.pmap_cs.custom_trust", processToken);
+	if (customTrustObj) {
+		if (xpc_get_type(customTrustObj) == XPC_TYPE_STRING) {
+			const char *customTrustStr = xpc_string_get_string_ptr(customTrustObj);
+			uint32_t customTrust = pmap_cs_trust_string_to_int(customTrustStr);
+			if (customTrust >= 2) {
+				uint64_t mainCodeDir = proc_find_main_binary_code_dir(proc);
+				if (mainCodeDir) {
+					kwrite32(mainCodeDir + koffsetof(pmap_cs_code_directory, trust), customTrust);
+				}
+			}
+		}
+	}
+#endif
+
 	proc_rele(proc);
 	return 0;
 }
@@ -405,6 +439,7 @@ struct jbserver_domain gSystemwideDomain = {
 			.handler = systemwide_trust_binary,
 			.args = (jbserver_arg[]){
 				{ .name = "binary-path", .type = JBS_TYPE_STRING, .out = false },
+				{ .name = "preferred-archs", .type = JBS_TYPE_ARRAY, .out = false },
 				{ 0 },
 			},
 		},

BaseBin/launchdhook/src/spawn_hook.c

@@ -25,8 +25,7 @@ int posix_spawnattr_getprocesstype_np(const posix_spawnattr_t *__restrict, int *
 
 extern char **environ;
 
-extern int systemwide_trust_binary(const char *binaryPath);
-
+extern int systemwide_trust_binary(const char *binaryPath, xpc_object_t preferredArchsArray);
 extern int platform_set_process_debugged(uint64_t pid, bool fullyDebugged);
 
 void *posix_spawn_orig;

BaseBin/libjailbreak/src/info.c

@@ -107,15 +107,27 @@ void jbinfo_initialize_hardcoded_offsets(void)
 	gSystemInfo.kernelStruct.pmap.tte        = 0x0;
 	gSystemInfo.kernelStruct.pmap.ttep       = 0x8;
 #ifdef __arm64e__
-	gSystemInfo.kernelStruct.pmap.sw_asid    = 0xBE + pmapEl2Adjust;
-	gSystemInfo.kernelStruct.pmap.wx_allowed = 0xC2 + pmapEl2Adjust;
-	gSystemInfo.kernelStruct.pmap.type       = 0xC8 + pmapEl2Adjust;
+	gSystemInfo.kernelStruct.pmap.pmap_cs_main = 0x90;
+	gSystemInfo.kernelStruct.pmap.sw_asid      = 0xBE + pmapEl2Adjust;
+	gSystemInfo.kernelStruct.pmap.wx_allowed   = 0xC2 + pmapEl2Adjust;
+	gSystemInfo.kernelStruct.pmap.type         = 0xC8 + pmapEl2Adjust;
 #else
 	gSystemInfo.kernelStruct.pmap.sw_asid    = 0x96;
 	gSystemInfo.kernelStruct.pmap.wx_allowed = 0;
 	gSystemInfo.kernelStruct.pmap.type       = 0x9c + pmapA11Adjust;
 #endif
 
+#ifdef __arm64e__
+	// pmap_cs_region
+	gSystemInfo.kernelStruct.pmap_cs_region.pmap_cs_region_next = 0x0;
+	gSystemInfo.kernelStruct.pmap_cs_region.cd_entry            = 0x28;
+
+	// pmap_cs_code_directory
+	gSystemInfo.kernelStruct.pmap_cs_code_directory.pmap_cs_code_directory_next = 0x0;
+	gSystemInfo.kernelStruct.pmap_cs_code_directory.main_binary                 = 0x50;
+	gSystemInfo.kernelStruct.pmap_cs_code_directory.trust                       = 0x9C;
+#endif
+
 	// pt_desc
 	gSystemInfo.kernelStruct.pt_desc.pmap     = 0x10;
 	gSystemInfo.kernelStruct.pt_desc.va       = 0x18;
@@ -249,6 +261,12 @@ void jbinfo_initialize_hardcoded_offsets(void)
 					gSystemInfo.kernelStruct.pmap.type       = 0x94 + pmapA11Adjust;
 #endif
 
+#ifdef __arm64e__
+					// pmap_cs_code_directory
+					gSystemInfo.kernelStruct.pmap_cs_code_directory.main_binary = 0x190;
+					gSystemInfo.kernelStruct.pmap_cs_code_directory.trust       = 0x1DC;
+#endif
+
 					if (strcmp(xnuVersion, "22.1.0") >= 0) { // iOS 16.1+
 						gSystemInfo.kernelStruct.ipc_space.table_uses_smr = true;
 						if (strcmp(xnuVersion, "22.3.0") >= 0) { // iOS 16.3+
@@ -265,6 +283,11 @@ void jbinfo_initialize_hardcoded_offsets(void)
 								gSystemInfo.kernelStruct.proc.flag   = 0x454;
 								gSystemInfo.kernelStruct.proc.textvp = 0x548;
 
+#ifdef __arm64e__
+								// pmap_cs_code_directory
+								gSystemInfo.kernelStruct.pmap_cs_code_directory.trust = 0x1EC;
+#endif
+
 								if (strcmp(xnuVersion, "22.4.0") == 0) { // iOS 16.4 ONLY 
 									// iOS 16.4 beta 1-3 use the old proc struct, 16.4b4+ use new
 									if (gSystemInfo.kernelStruct.proc.struct_size != 0x730) {

BaseBin/libjailbreak/src/info.h

@@ -229,11 +229,23 @@ struct system_info {
 		struct {
 			uint32_t tte;
 			uint32_t ttep;
+			uint32_t pmap_cs_main;
 			uint32_t sw_asid;
 			uint32_t wx_allowed;
 			uint32_t type;
 		} pmap;
 
+		struct {
+			uint32_t pmap_cs_region_next;
+			uint32_t cd_entry;
+		} pmap_cs_region;
+
+		struct {
+			uint32_t pmap_cs_code_directory_next;
+			uint32_t main_binary;
+			uint32_t trust;
+		} pmap_cs_code_directory;
+
 		struct {
 			uint32_t pmap;
 			uint32_t va;
@@ -281,6 +293,9 @@ extern struct system_info gSystemInfo;
 #define JAILBREAK_SETTINGS_ITERATE(ctx, iterator) \
 	iterator(ctx, jailbreakSettings.markAppsAsDebugged);
 
+#define JAILBREAK_SETTINGS_ITERATE(ctx, iterator) \
+	iterator(ctx, jailbreakSettings.markAppsAsDebugged);
+
 #define KERNEL_SYMBOLS_ITERATE(ctx, iterator) \
 	iterator(ctx, kernelSymbol.perfmon_dev_open); \
 	iterator(ctx, kernelSymbol.vn_kqfilter); \
@@ -421,10 +436,18 @@ extern struct system_info gSystemInfo;
 	\
 	iterator(ctx, kernelStruct.pmap.tte); \
 	iterator(ctx, kernelStruct.pmap.ttep); \
+	iterator(ctx, kernelStruct.pmap.pmap_cs_main); \
 	iterator(ctx, kernelStruct.pmap.sw_asid); \
 	iterator(ctx, kernelStruct.pmap.wx_allowed); \
 	iterator(ctx, kernelStruct.pmap.type); \
 	\
+	iterator(ctx, kernelStruct.pmap_cs_region.pmap_cs_region_next); \
+	iterator(ctx, kernelStruct.pmap_cs_region.cd_entry); \
+	\
+	iterator(ctx, kernelStruct.pmap_cs_code_directory.pmap_cs_code_directory_next); \
+	iterator(ctx, kernelStruct.pmap_cs_code_directory.main_binary); \
+	iterator(ctx, kernelStruct.pmap_cs_code_directory.trust); \
+	\
 	iterator(ctx, kernelStruct.pt_desc.pmap); \
 	iterator(ctx, kernelStruct.pt_desc.va); \
 	iterator(ctx, kernelStruct.pt_desc.ptd_info); \

BaseBin/libjailbreak/src/jbclient_xpc.c

@@ -184,7 +184,7 @@ char *realafpath(const char *restrict path, char *restrict resolved_path)
 	}
 }
 
-int jbclient_trust_binary(const char *binaryPath)
+int jbclient_trust_binary(const char *binaryPath, xpc_object_t preferredArchsArray)
 {
 	if (!binaryPath) return -1;
 
@@ -195,6 +195,9 @@ int jbclient_trust_binary(const char *binaryPath)
 
 	xpc_object_t xargs = xpc_dictionary_create_empty();
 	xpc_dictionary_set_string(xargs, "binary-path", absolutePath);
+	if (preferredArchsArray) {
+		xpc_dictionary_set_value(xargs, "preferred-archs", preferredArchsArray);
+	}
 	xpc_object_t xreply = jbserver_xpc_send(JBS_DOMAIN_SYSTEMWIDE, JBS_SYSTEMWIDE_TRUST_BINARY, xargs);
 	xpc_release(xargs);
 	if (xreply) {

BaseBin/libjailbreak/src/jbclient_xpc.h

@@ -12,7 +12,7 @@ xpc_object_t jbserver_xpc_send(uint64_t domain, uint64_t action, xpc_object_t xa
 
 char *jbclient_get_jbroot(void);
 char *jbclient_get_boot_uuid(void);
-int jbclient_trust_binary(const char *binaryPath);
+int jbclient_trust_binary(const char *binaryPath, xpc_object_t preferredArchsArray);
 int jbclient_trust_library(const char *libraryPath, void *addressInCaller);
 int jbclient_process_checkin(char **rootPathOut, char **bootUUIDOut, char **sandboxExtensionsOut, bool *fullyDebuggedOut);
 int jbclient_fork_fix(uint64_t childPid);