
Commit ca6c077

committed
update 0.2
Update Commit Changelog: run.sh now automatically detects the version, build ID and device ID. Uses curl instead of wget, with the -s flag; result: faster, cleaner, and native. README.md specifies what is required and what isn't. Removed wget as we use curl. Added an offset (PoC of automatic detection)
1 parent d6560dc commit ca6c077


3 files changed

+212
-7
lines changed

Lines changed: 188 additions & 0 deletions
@@ -0,0 +1,188 @@
1+
/*
2+
* Copyright (c) 2023 Félix Poulin-Bélanger. All rights reserved.
3+
*/
4+
5+
#ifndef dynamic_info_h
6+
#define dynamic_info_h
7+
8+
struct dynamic_info {
9+
const char* kern_version;
10+
// struct fileglob
11+
u64 fileglob__fg_ops;
12+
u64 fileglob__fg_data;
13+
// struct fileops
14+
u64 fileops__fo_kqfilter;
15+
// struct fileproc
16+
// u64 fileproc__fp_iocount;
17+
// u64 fileproc__fp_vflags;
18+
// u64 fileproc__fp_flags;
19+
// u64 fileproc__fp_guard_attrs;
20+
// u64 fileproc__fp_glob;
21+
// u64 fileproc__fp_guard;
22+
// u64 fileproc__object_size;
23+
// struct fileproc_guard
24+
u64 fileproc_guard__fpg_guard;
25+
// struct kqworkloop
26+
u64 kqworkloop__kqwl_state;
27+
u64 kqworkloop__kqwl_p;
28+
u64 kqworkloop__kqwl_owner;
29+
u64 kqworkloop__kqwl_dynamicid;
30+
u64 kqworkloop__object_size;
31+
// struct pmap
32+
u64 pmap__tte;
33+
u64 pmap__ttep;
34+
// struct proc
35+
u64 proc__p_list__le_next;
36+
u64 proc__p_list__le_prev;
37+
u64 proc__p_pid;
38+
u64 proc__p_fd__fd_ofiles;
39+
u64 proc__object_size;
40+
// struct pseminfo
41+
u64 pseminfo__psem_usecount;
42+
u64 pseminfo__psem_uid;
43+
u64 pseminfo__psem_gid;
44+
u64 pseminfo__psem_name;
45+
u64 pseminfo__psem_semobject;
46+
// struct psemnode
47+
// u64 psemnode__pinfo;
48+
// u64 psemnode__padding;
49+
// u64 psemnode__object_size;
50+
// struct semaphore
51+
u64 semaphore__owner;
52+
// struct specinfo
53+
u64 specinfo__si_rdev;
54+
// struct task
55+
u64 task__map;
56+
u64 task__threads__next;
57+
u64 task__threads__prev;
58+
u64 task__itk_space;
59+
u64 task__object_size;
60+
// struct thread
61+
u64 thread__task_threads__next;
62+
u64 thread__task_threads__prev;
63+
u64 thread__map;
64+
u64 thread__thread_id;
65+
u64 thread__object_size;
66+
// struct uthread
67+
u64 uthread__object_size;
68+
// struct vm_map_entry
69+
u64 vm_map_entry__links__prev;
70+
u64 vm_map_entry__links__next;
71+
u64 vm_map_entry__links__start;
72+
u64 vm_map_entry__links__end;
73+
u64 vm_map_entry__store__entry__rbe_left;
74+
u64 vm_map_entry__store__entry__rbe_right;
75+
u64 vm_map_entry__store__entry__rbe_parent;
76+
// struct vnode
77+
u64 vnode__v_un__vu_specinfo;
78+
// struct _vm_map
79+
u64 _vm_map__hdr__links__prev;
80+
u64 _vm_map__hdr__links__next;
81+
u64 _vm_map__hdr__links__start;
82+
u64 _vm_map__hdr__links__end;
83+
u64 _vm_map__hdr__nentries;
84+
u64 _vm_map__hdr__rb_head_store__rbh_root;
85+
u64 _vm_map__pmap;
86+
u64 _vm_map__hint;
87+
u64 _vm_map__hole_hint;
88+
u64 _vm_map__holes_list;
89+
u64 _vm_map__object_size;
90+
// kernelcache static addresses
91+
u64 kernelcache__kernel_base;
92+
u64 kernelcache__cdevsw;
93+
u64 kernelcache__gPhysBase;
94+
u64 kernelcache__gPhysSize;
95+
u64 kernelcache__gVirtBase;
96+
u64 kernelcache__perfmon_devices;
97+
u64 kernelcache__perfmon_dev_open;
98+
u64 kernelcache__ptov_table;
99+
u64 kernelcache__vm_first_phys_ppnum;
100+
u64 kernelcache__vm_pages;
101+
u64 kernelcache__vm_page_array_beginning_addr;
102+
u64 kernelcache__vm_page_array_ending_addr;
103+
u64 kernelcache__vn_kqfilter;
104+
};
105+
106+
const struct dynamic_info kern_versions[] = {
107+
{
108+
.kern_version = "Darwin Kernel Version 22.6.0: Tue May 9 06:16:18 PDT 2023; root:xnu-8796.140.12.502.1~12/RELEASE_ARM64_T8110",
109+
.fileglob__fg_ops = 0x28,
110+
.fileglob__fg_data = 0x40 - 8,
111+
.fileops__fo_kqfilter = 0x30,
112+
// .fileproc__fp_iocount = 0x0000,
113+
// .fileproc__fp_vflags = 0x0004,
114+
// .fileproc__fp_flags = 0x0008,
115+
// .fileproc__fp_guard_attrs = 0x000a,
116+
// .fileproc__fp_glob = 0x0010,
117+
// .fileproc__fp_guard = 0x0018,
118+
// .fileproc__object_size = 0x0020,
119+
.fileproc_guard__fpg_guard = 0x8,
120+
.kqworkloop__kqwl_state = 0x10,
121+
.kqworkloop__kqwl_p = 0x18,
122+
.kqworkloop__kqwl_owner = 0xd0,
123+
.kqworkloop__kqwl_dynamicid = 0xd0 + 0x18,
124+
.kqworkloop__object_size = 0x108,
125+
.pmap__tte = 0x0,
126+
.pmap__ttep = 0x8,
127+
.proc__p_list__le_next = 0x0,
128+
.proc__p_list__le_prev = 0x8,
129+
.proc__p_pid = 0x60,
130+
.proc__p_fd__fd_ofiles = 0xf8,
131+
.proc__object_size = 0x730,
132+
.pseminfo__psem_usecount = 0x04,
133+
.pseminfo__psem_uid = 0x0c,
134+
.pseminfo__psem_gid = 0x10,
135+
.pseminfo__psem_name = 0x14,
136+
.pseminfo__psem_semobject = 0x38,
137+
// .psemnode__pinfo = 0x0000,
138+
// .psemnode__padding = 0x0008,
139+
// .psemnode__object_size = 0x0010,
140+
.semaphore__owner = 0x28,
141+
.specinfo__si_rdev = 0x18,
142+
.task__map = 0x28,
143+
.task__threads__next = 0x80 - 0x28,
144+
.task__threads__prev = 0x80 - 0x28 + 8,
145+
.task__itk_space = 0x300,
146+
.task__object_size = 0x640,
147+
.thread__task_threads__next = 0x380 - 0x18,
148+
.thread__task_threads__prev = 0x380 - 0x18 + 8,
149+
.thread__map = 0x380,
150+
.thread__thread_id = 0x418,
151+
.thread__object_size = 0x4c0,
152+
.uthread__object_size = 0x200,
153+
.vm_map_entry__links__prev = 0x00,
154+
.vm_map_entry__links__next = 0x08,
155+
.vm_map_entry__links__start = 0x10,
156+
.vm_map_entry__links__end = 0x18,
157+
.vm_map_entry__store__entry__rbe_left = 0x20,
158+
.vm_map_entry__store__entry__rbe_right = 0x28,
159+
.vm_map_entry__store__entry__rbe_parent = 0x30,
160+
.vnode__v_un__vu_specinfo = 0x78,
161+
._vm_map__hdr__links__prev = 0x00 + 0x8,
162+
._vm_map__hdr__links__next = 0x08 + 0x8,
163+
._vm_map__hdr__links__start = 0x10 + 0x8,
164+
._vm_map__hdr__links__end = 0x18 + 0x8,
165+
._vm_map__hdr__nentries = 0x30,
166+
._vm_map__hdr__rb_head_store__rbh_root = 0x38,
167+
._vm_map__pmap = 0x40,
168+
._vm_map__hint = 0x90 + 0x08,
169+
._vm_map__hole_hint = 0x90 + 0x10,
170+
._vm_map__holes_list = 0x90 + 0x18,
171+
._vm_map__object_size = 0xc0,
172+
.kernelcache__kernel_base = 0xfffffff007004000,
173+
.kernelcache__cdevsw = 0xfffffff00a519a30,
174+
.kernelcache__gPhysBase = 0xfffffff0079502a8,
175+
.kernelcache__gPhysSize = 0xfffffff0079502a8 + 8,
176+
.kernelcache__gVirtBase = 0xfffffff00794e460,
177+
.kernelcache__perfmon_devices = 0xfffffff00a559550,
178+
.kernelcache__perfmon_dev_open = 0xfffffff007f1db9c,
179+
.kernelcache__ptov_table = 0xfffffff0079039c0,
180+
.kernelcache__vm_first_phys_ppnum = 0xfffffff00a558910,
181+
.kernelcache__vm_pages = 0xfffffff007900110,
182+
.kernelcache__vm_page_array_beginning_addr = 0xfffffff007902970,
183+
.kernelcache__vm_page_array_ending_addr = 0xfffffff00a558908,
184+
.kernelcache__vn_kqfilter = 0xfffffff007f6a0b8,
185+
},
186+
};
187+
188+
#endif /* dynamic_info_h */

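--- a/README.md
+++ b/README.md
@@ -2,13 +2,14 @@
 An sh script that finds offsets for you from an IPSW link :)
 This can also generate offsets for betas.
 <img src="https://i.ibb.co/TvNkVTn/Pasted-Graphic.png">
-## What's required
+## Dependencies
+Required :
 - [libpatchfinder](https://github.com/tihmstar/libpatchfinder) from [tihmstar](https://github.com/tihmstar) installed but *Make* have to be configured with this command :
 ```./configure --with-offsetexporter```
-- [wget](https://formulae.brew.sh/formula/wget) (```brew install wget```)
 - [partialZipBrowser](https://github.com/tihmstar/partialZipBrowser) installed to PATH (a.k.a pzb)
 - [Python 3](https://formulae.brew.sh/formula/python@3.11) and [PyIMG4](https://github.com/m1stadev/PyIMG4) installed (```brew install python && pip3 install pyimg4```)
 - An IPSW (iOS 16.0 or higher) URL (it can be obtained from [ipsw.me](https://ipsw.me/) or [ipswbeta.dev](https://ipswbeta.dev/))
+Optional :
 - Your Device Identifier (full list [here](http://bit.ly/Devices_IDs))
 - The iOS version and the iOS Build ID that the IPSW contains
 - An Internet Connection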
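--- a/run.sh
+++ b/run.sh
@@ -1,11 +1,27 @@
 #!/bin/bash
-wget https://raw.githubusercontent.com/tihmstar/libpatchfinder/master/example/offsetexporter/template_dynamic_info.h -O template_dynamic_info.h
+curl -s -O https://raw.githubusercontent.com/tihmstar/libpatchfinder/master/example/offsetexporter/template_dynamic_info.h
 clear
-echo -e "OffsetFinder v0.1 - made by c22dev\nCredits : AppInstallerIOS, tihmstar"
+echo -e "OffsetFinder v0.2 - made by c22dev\nCredits : AppInstallerIOS, tihmstar"
 read -p "Enter the IPSW URL: " IPSWURL
-read -p "Enter your device Identifier (e.g. iPhone11,8): " Identifier
-read -p "Enter the IPSW Version (e.g 16.1): " Version
-read -p "Enter the IPSW Build ID (e.g. 20B79): " BuildID
+filename=$(basename "$IPSWURL")
+info=${filename%_Restore.ipsw}
+IFS="_" read -r Identifier Version BuildID <<< "$info"
+
+echo "Device Identifier: $Identifier"
+echo "IPSW Version: $Version"
+echo "IPSW Build ID: $BuildID"
+
+read -p "Is everything right ? (Y/N): " confirm
+if [[ "$confirm" == "Y" ]]; then
+echo "Great ! Extracting offsets."
+else
+read -p "Enter your device Identifier (e.g. iPhone11,8): " Identifier
+read -p "Enter the IPSW Version (e.g 16.1): " Version
+read -p "Enter the IPSW Build ID (e.g. 20B79): " BuildID
+fi
+
+
+# Offsets extracting
 if [[ "$Identifier" =~ "iPhone".* || "$Identifier" =~ "iPad".* ]]; then KernelCacheName=$(pzb -l --nosubdirs "$IPSWURL" | grep kernelcache.release | sed 's/^.*kernelcache/kernelcache/')
 pzb -g "$KernelCacheName" "$IPSWURL" > /dev/null
 python3 -m pyimg4 im4p extract -i "$KernelCacheName" -o "$Identifier".raw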