SerotoninApp / Serotonin

641 stars 74 forks source link

SwitchBin() seems not work at /usr/libexec/ #83

Open ArchCangyuan opened 9 months ago

ArchCangyuan commented 9 months ago

I tried to call SwitchSysBin() and hook executable binaries at /usr/libexec/, it seems that at most time the the binaries in the path cannot be enumerated (kread64(vp_namecache + off_namecache_nc_vp) = 0). Sometimes when it successfully finds and hooks the namecache of the binary (I tried nfcd), the kernel get panic after rebooting.

"panicString" : "panic(cpu 2 caller 0xfffffff027364670): vnode_drop_internal : vp 0xffffffe1c63c4800 holdcount -ve: -1. v_tag = 0, v_type = 8, v_flag = 84800. @vfs_subr.c:5915\nDebugger message: panic\nMemory ID: 0x6\nOS release type: User\nOS version: 20G75\nKernel version: Darwin Kernel Version 22.6.0: Wed Jun 28 20:51:23 PDT 2023;

hrtowii commented 9 months ago

holdcount -ve is a known problem with switchsysbin, it also panics if you userspace reboot after switching launchd. this is why I didn't just outright swap SpringBoard and opted to hook posix_spawn, I get the same issue as this

ArchCangyuan commented 9 months ago

@hrtowii Thanks for replying. I also tried to kwrite 'holdcount' of the target knode (with 2) after switching, but still paniced. Originally, I tried to follow the method of hooking launchd's posix_spawn(p)(). But it seems that many of daemons are not spawned by our hooked functions (I printed logs, nfcd and backboardd are not shown at least). Don't know whether they are spanwned with other approaches or some fallback methods are used due to detection of jailbreak.