
stay in sandbox when loading apps
Andrew Strelsky committed Sep 2, 2023
1 parent 1ac9cd7 commit 6b8a7fa
Showing 4 changed files with 9 additions and 6 deletions.
2 changes: 1 addition & 1 deletion daemon/source/main.cpp
Expand Up @@ -92,7 +92,7 @@ static bool load(UniquePtr<Hijacker> &spawned, uint8_t *data) {
spawned->getProc()->setName("HomebrewDaemon"_sv);
__builtin_printf("new process %s pid %d\n", spawned->getProc()->getSelfInfo()->name, spawned->getPid());
puts("jailbreaking new process");
spawned->jailbreak();
spawned->jailbreak(false);

// listen on a port for now. in the future embed the daemon and load directly
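Review bot: The bare `false` in `spawned->jailbreak(false);` hides what is being switched off, and the `puts("jailbreaking new process")` just above it now overstates what happens, because the process is left inside its sandbox while (per the hijacker.cpp hunk in this commit) its credential fields are still rewritten. Name the argument and record why the jail is kept, e.g. `spawned->jailbreak(/*escapeSandbox=*/false); // keep fd_rdir/fd_jdir so the app still sees its own filesystem view`. `load()` starts and ends outside this hunk, so I cannot see whether anything later in it relied on the spawned process reaching paths outside its jail.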

2 changes: 1 addition & 1 deletion include/hijacker/hijacker.hpp
Expand Up @@ -117,7 +117,7 @@ class Hijacker {
}

UniquePtr<TrapFrame> getTrapFrame() const;
void jailbreak() const;
void jailbreak(bool escapeSandbox=true) const;
uintptr_t getFunctionAddress(const SharedLib *lib, const Nid &fname) const noexcept;

uintptr_t getLibKernelFunctionAddress(const Nid &fname) const {
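Review bot: The new `escapeSandbox` parameter is undocumented, and because it defaults to `true` any caller that omits the argument silently gets the most privileged variant, so the declaration should state the contract. A comment along the lines of `/// Rewrites the target's ucred fields (see hijacker.cpp); when escapeSandbox is true fd_rdir/fd_jdir are also repointed so the process leaves its filesystem jail. Pass false to keep the jail while the credential writes still happen.` would make the opt-out nature of `false` explicit. The `Hijacker` class body begins before this hunk, so I cannot see whether other members already document the privilege model.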
1 change: 1 addition & 0 deletions include/nid.hpp
Expand Up @@ -69,4 +69,5 @@ static inline constexpr Nid recv{"Ez8xjo9UF4E"};
static inline constexpr Nid rfork_thread{"bSDxEpGzmUE"};
static inline constexpr Nid sceKernelSendNotificationRequest{"zl7hupSO0C0"};
static inline constexpr Nid printf{"hcuQgD53UxM"};

}
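Review bot: The added `printf` NID is not referenced by any of the other three files in this commit, so it lands as unused data; if it is groundwork for a later change, a short comment saying so (or adding it alongside its first use) would keep the table self-explanatory. Note also that inside this namespace the identifier `printf` now shadows the C library function for unqualified lookup, so any code in the namespace that calls `printf(...)` would resolve to this `Nid` object instead. The closing `}` at the end of the hunk appears to end the namespace, but its opening line is outside the hunk.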
10 changes: 6 additions & 4 deletions libhijacker/source/hijacker.cpp
Expand Up @@ -61,7 +61,7 @@ static inline void copyin(uintptr_t kdst, const void *src, size_t length) {
kernel_copyin(const_cast<void *>(src), kdst, length);
}

void Hijacker::jailbreak() const {
void Hijacker::jailbreak(bool escapeSandbox) const {
auto p = getProc();
uintptr_t ucred = p->p_ucred();
uintptr_t fd = p->p_fd();
Expand All @@ -79,9 +79,11 @@ void Hijacker::jailbreak() const {
copyin(ucred + 0x10, &ngroups_store, 0x4); // cr_ngroups
copyin(ucred + 0x14, &uid_store, 0x4); // cr_rgid

// Escape sandbox
copyin(fd + 0x10, rootvnode_area_store.get(), 0x8); // fd_rdir
copyin(fd + 0x18, rootvnode_area_store.get(), 0x8); // fd_jdir
if (escapeSandbox) {
// Escape sandbox
copyin(fd + 0x10, rootvnode_area_store.get(), 0x8); // fd_rdir
copyin(fd + 0x18, rootvnode_area_store.get(), 0x8); // fd_jdir
}

// Escalate sony privileges
copyin(ucred + 0x58, &authid_store, 0x8); // cr_sceAuthID
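Review bot: With `escapeSandbox == false` the ucred writes on both sides of the new `if` still run (cr_ngroups/cr_rgid before it, cr_sceAuthID after it), so the result is a process whose credential fields are rewritten but which remains confined by its fd_rdir/fd_jdir; nothing in the code or the `// Escape sandbox` comment records that this partial state is intentional. A comment on the branch would stop a future reader from treating `jailbreak(false)` as a no-op or as a uniformly lower privilege level: `// Only the vnode jail is optional; the credential writes above and below always apply.` The body of `jailbreak` continues past this hunk and its opening is only visible in the @@ context line, so I cannot see whether the remaining writes touch other fd-related state that should also be gated.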
