fix iOS 13 palera1n-ios

2025-08-29 13:27:58 +00:00 · 2023-02-20 20:00:24 +08:00 · 2023-02-20 20:00:24 +08:00 · 01bcc332cb
commit 01bcc332cb
parent f519162c61
6 changed files with 147 additions and 4 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -59,7 +59,7 @@ jobs:
          - arch: arm64
            gnu_triple: aarch64-apple-darwin
            os: iphoneos
-            minos: 14.0
+            minos: 7.0
    runs-on: macos-12
    env:
      MBEDTLS_VERSION: 3.3.0
@ -135,8 +135,8 @@ jobs:
        if: matrix.os == 'iphoneos'
        run: |
          echo "FAKE_PLATFORM=2" >> $GITHUB_ENV
-          echo "FAKE_SDK=14.0" >> $GITHUB_ENV
-          echo "FAKE_MINOS=14.0" >> $GITHUB_ENV
+          echo "FAKE_SDK=7.0" >> $GITHUB_ENV
+          echo "FAKE_MINOS=7.0" >> $GITHUB_ENV

      - name: Prepare headers
        if: matrix.os != 'macosx'
--- a/.gitignore
+++ b/.gitignore
@ -21,3 +21,4 @@ build
 src/*.dmg.c
 .idea
 src/stage2/
+src/libcheckra1nhelper.dylib*
--- a/include/xxd-embedded.h
+++ b/include/xxd-embedded.h
@ -1,6 +1,10 @@
 #ifndef XXD_EMBEDDED_H
 #define XXD_EMBEDDED_H

+#if defined(__APPLE__)
+#include <TargetConditionals.h>
+#endif
+
 extern unsigned char checkra1n[];
 extern unsigned int checkra1n_len;

@ -13,4 +17,9 @@ extern unsigned int ramdisk_dmg_len;
 extern unsigned char binpack_dmg[];
 extern unsigned int binpack_dmg_len;

+#if defined(__APPLE__) && (TARGET_OS_IPHONE || defined(DEV_BUILD))
+extern unsigned char libcheckra1nhelper_dylib[];
+extern unsigned int libcheckra1nhelper_dylib_len;
+#endif
+
 #endif
--- a/src/Makefile
+++ b/src/Makefile
@ -4,6 +4,19 @@ OBJECTS  = main.o dfuhelper.o devhelper.o lockdown_helper.o
 OBJECTS += optparse.o override_file.o log.o lock_vars.o credits.o
 OBJECTS += fake_embedded.o exec_checkra1n.o pongo_helper.o

+ifeq (,$(findstring macosx, $(CFLAGS)))
+ifneq (,$(findstring version-min=, $(CFLAGS)))
+OBJECTS += xxd-libcheckra1nhelper.dylib.o
+endif
+endif
+
+ifeq (,$(findstring xxd-libcheckra1nhelper.dylib.o, $(CFLAGS)))
+ifeq ($(TARGET_OS),Darwin)
+ifeq ($(DEV_BUILD),1)
+OBJECTS += xxd-libcheckra1nhelper.dylib.o
+endif
+endif
+endif

 ifneq ($(NO_RAMDISK),1)
 OBJECTS += xxd-ramdisk.dmg.o
@ -93,6 +106,9 @@ ifneq (,$(findstring version-min=, $(CFLAGS)))
 endif
 endif

+libcheckra1nhelper.dylib: chkstk.S
+	$(CC) $(CFLAGS) $(LDFLAGS) -shared chkstk.S -o libcheckra1nhelper.dylib
+
 checkra1n-kpf-pongo:
 	curl -LO https://cdn.nickchan.lol/palera1n/artifacts/kpf/checkra1n-kpf-pongo

@ -103,6 +119,6 @@ binpack.dmg:
 	curl -LO https://cdn.nickchan.lol/palera1n/c-rewrite/deps/binpack.dmg

 clean:
-	rm -rf *.o palera1n checkra1n checkra1n.c palera1n.dSYM
+	rm -rf *.o palera1n checkra1n checkra1n.c palera1n.dSYM libcheckra1nhelper.dylib

 .PHONY: all clean
--- a/src/chkstk.S
+++ b/src/chkstk.S
@ -0,0 +1,65 @@
+#define _PTHREAD_STRUCT_DIRECT_STACKADDR_OFFSET   -48
+#define _PTHREAD_STRUCT_DIRECT_STACKBOTTOM_OFFSET -40
+
+.align 4
+_thread_chkstk_darwin:
+        .globl ___chkstk_darwin
+___chkstk_darwin: // %w9/x9 == alloca size
+        stp     x10, x11, [sp, #-16]
+
+        // validate that the frame pointer is on our stack (no alt stack)
+        mrs     x10, TPIDRRO_EL0
+
+        // (%sp - pthread_self()->stackaddr) > 0 ?
+#if defined(__ARM64_ARCH_8_32__)
+        ubfx    x9, x9, #0, #32
+        ldur    w11, [x10, _PTHREAD_STRUCT_DIRECT_STACKADDR_OFFSET]
+#else
+        ldur    x11, [x10, _PTHREAD_STRUCT_DIRECT_STACKADDR_OFFSET]
+#endif
+        subs    x11, sp, x11
+        b.hs    Lprobe
+
+        // %sp <= pthread_self()->stackbottom ?
+#if defined(__ARM64_ARCH_8_32__)
+        ldur    w11, [x10, _PTHREAD_STRUCT_DIRECT_STACKBOTTOM_OFFSET]
+#else
+        ldur    x11, [x10, _PTHREAD_STRUCT_DIRECT_STACKBOTTOM_OFFSET]
+#endif
+        mov     x10, sp
+        cmp     x10, x11
+        b.ls    Lprobe
+
+        // %sp - (uintptr_t)%x9 < pthread_self()->stackbottom ?
+        subs    x10, x10, x9
+        b.lo    Lcrash
+        cmp     x10, x11
+        b.lo    Lcrash
+
+Lexit:
+        ldp     x10, x11, [sp, #-16]
+        ret
+
+Lcrash:
+        // POSIX mandates that stack overflow crashes with SIGSEGV
+        // so load an address in the guard page and dereference it
+        //
+        // x11 contains pthread_self()->stackbottom already
+        ldr     x11, [x11, #-8]
+        // if main_thread caused stack growth with setrlimit()
+        // fall into Lprobe and eventually cause SIGSEGV.
+
+Lprobe:
+        mov     x10, sp
+        cmp     x9, #0x1000
+        b.lo    Lend
+Lloop:
+        sub     x10, x10, #0x1000
+        ldr     x11, [x10]
+        sub     x9, x9, #0x1000
+        cmp     x9, #0x1000
+        b.hi    Lloop
+Lend:
+        sub     x10, x10, x9
+        ldr     x11, [x10]
+        b       Lexit
--- a/src/exec_checkra1n.c
+++ b/src/exec_checkra1n.c
@ -11,9 +11,15 @@
 #include <errno.h>
 #include <limits.h>

+#include <assert.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <sys/stat.h>
+#include <sys/utsname.h>
+
+#if defined(__APPLE__)
+#include <TargetConditionals.h>
+#endif

 extern char **environ;

@ -53,6 +59,43 @@ int exec_checkra1n() {
 		unlink(checkra1n_path);
 		return -1;
 	}
+#if defined(__APPLE__) && (TARGET_OS_IPHONE || defined(DEV_BUILD))
+	char* libcheckra1nhelper_dylib_path = NULL;
+	{
+		struct utsname name;
+		uname(&name);
+		unsigned long darwinMajor = strtoul(name.release, NULL, 10);
+		assert(darwinMajor != 0);
+#if !defined(DEV_BUILD)
+		if (darwinMajor < 20) {
+#endif
+			libcheckra1nhelper_dylib_path = malloc(strlen(tmpdir) + 40);
+			snprintf(libcheckra1nhelper_dylib_path, strlen(tmpdir) + 40, "%s/libcheckra1nhelper.dylib.XXXXXX", tmpdir);
+			int helper_fd = mkstemp(libcheckra1nhelper_dylib_path);
+			if (helper_fd == -1) {
+				LOG(LOG_FATAL, "Cannot open temporary file: %d (%s)", errno, strerror(errno));
+				return -1;
+			}
+			ssize_t didWrite = write(helper_fd, libcheckra1nhelper_dylib, libcheckra1nhelper_dylib_len);
+			if ((unsigned int)didWrite != libcheckra1nhelper_dylib_len) {
+				LOG(LOG_FATAL, "Size written does not match expected: %lld != %d: %d (%s)", didWrite, libcheckra1nhelper_dylib_len, errno, strerror(errno));
+				close(helper_fd);
+				unlink(libcheckra1nhelper_dylib_path);
+				return -1;
+			}
+			close(helper_fd);
+			ret = chmod(libcheckra1nhelper_dylib_path, 0700);
+			if (ret) {
+				LOG(LOG_FATAL, "Cannot chmod %s: %d (%s)", libcheckra1nhelper_dylib_path, errno, strerror(errno));
+				unlink(libcheckra1nhelper_dylib_path);
+				return -1;
+			}
+			setenv("DYLD_INSERT_LIBRARIES", libcheckra1nhelper_dylib_path, 1);
+#if !defined(DEV_BUILD)
+		}
+#endif
+	}
+#endif
 checkra1n_exec: {};
 	char args[0x10] = "-pE";
 	if (checkrain_option_enabled(host_flags, host_option_demote)) strncat(args, "d", 0xf);
@ -80,6 +123,15 @@ checkra1n_exec: {};
 		free(checkra1n_path);
 		checkra1n_path = NULL;
 	}
+#if defined(__APPLE__) && (TARGET_OS_IPHONE || defined(DEV_BUILD))
+	if (libcheckra1nhelper_dylib_path != NULL) {
+		unlink(libcheckra1nhelper_dylib_path);
+		unsetenv("DYLD_INSERT_LIBRARIES");
+		unsetenv("DYLD_FORCE_FLAT_NAMESPACE");
+		free(libcheckra1nhelper_dylib_path);
+		libcheckra1nhelper_dylib_path = NULL;
+	}
+#endif
 	waitpid(pid, NULL, 0);
 	return 0;
 }