ArchCangyuan opened this issue 9 months ago (status: Open)
holdcount going -ve is a known problem with switchsysbin; it also panics if you userspace reboot after switching launchd. This is why I didn't just outright swap SpringBoard and opted to hook posix_spawn. I get the same issue as this.
@hrtowii Thanks for replying. I also tried to kwrite the 'holdcount' of the target knode (with 2) after switching, but it still panicked. Originally, I tried to follow the method of hooking launchd's posix_spawn(p)(). But it seems that many of the daemons are not spawned by our hooked functions (I printed logs; nfcd and backboardd are not shown, at least). I don't know whether they are spawned by other approaches or whether some fallback methods are used due to detection of the jailbreak.
I tried to call SwitchSysBin() and hook executable binaries at /usr/libexec/, but it seems that most of the time the binaries in that path cannot be enumerated (kread64(vp_namecache + off_namecache_nc_vp) = 0). Sometimes, when it successfully finds and hooks the namecache of the binary (I tried nfcd), the kernel panics after rebooting.