Difference between revisions of "Sandbox Patch"
(another public patch from Stefan Esser's slides) |
|||
(One intermediate revision by one other user not shown) | |||
Line 5: | Line 5: | ||
*access to other subdirs of '''private/var/mobile/Library/Preferences''' is granted |
*access to other subdirs of '''private/var/mobile/Library/Preferences''' is granted |
||
*everything else goes through original checks |
*everything else goes through original checks |
||
+ | |||
+ | * Can optionally be patched by the original Sandbox hook routine, the TST/BEQ instruction tuple becomes a MOVS/MOVS/BEQ tuple. This patch makes all ignore sandbox profiles. |
||
__text:804028B0 PUSH {R4-R7,LR} <== function is hooked so that a new sb_evaluate() is used |
__text:804028B0 PUSH {R4-R7,LR} <== function is hooked so that a new sb_evaluate() is used |
||
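Review bot: the added bullet refers to a TST/BEQ instruction tuple, but the listing that follows starts at __text:804028B0 with the function prologue and the visible context shows no TST or BEQ, so a reader cannot tell which instructions are meant; give the address of the tuple or include those lines in the listing. The last sentence, "This patch makes all ignore sandbox profiles", is missing the noun after "all", and "patched by the original Sandbox hook routine" should say whether the change replaces the hook or is applied inside it.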
Line 31: | Line 33: | ||
For further info see [https://github.com/comex/datautils0/blob/master/sandbox.S https://github.com/comex/datautils0/blob/master/sandbox.S]. |
For further info see [https://github.com/comex/datautils0/blob/master/sandbox.S https://github.com/comex/datautils0/blob/master/sandbox.S]. |
||
− | [[Category:Patches]] |
+ | [[Category:Kernel Patches]] |
Latest revision as of 17:12, 1 August 2013
- fixes the sandbox problems caused by moving files
- access outside /private/var/mobile is allowed
- access to /private/var/mobile/Library/Preferences/com.apple goes through the original evaluation
- access to other subdirs of private/var/mobile/Library/Preferences is granted
- everything else goes through original checks
- Can optionally be patched by the original Sandbox hook routine: the TST/BEQ instruction tuple becomes a MOVS/MOVS/BEQ tuple. This patch makes all ignore sandbox profiles.
    __text:804028B0 PUSH {R4-R7,LR} <== function is hooked so that a new sb_evaluate() is used
    __text:804028B2 ADD R7, SP, #0xC
    __text:804028B4 PUSH.W {R8,R10,R11}
    __text:804028B8 SUB SP, SP, #0x104
    __text:804028BA MOV R10, R0
    __text:804028BC LDR R0, [R3,#0x2C]
    __text:804028BE MOV R11, R1
    __text:804028C0 STR R2, [SP,#0x11C+var_114]
    __text:804028C2 MOV R5, R3
    __text:804028C4 LDR.W R8, [R1]
    __text:804028C8 CBZ R0, loc_804028EE
    __text:804028CA ADD.W R1, R3, #0x3C
    __text:804028CE ADD.W R2, R3, #0x40
    __text:804028D2 LDR.W R4, =(_sock_gettype+1)
    __text:804028D6 MOVS R3, #0
    __text:804028D8 BLX R4 ; _sock_gettype
    __text:804028DA ...
    __text:804028DC
    __text:804028DE
    __text:804028E2
    __text:804028E4
    __text:804028E6
For further info see https://github.com/comex/datautils0/blob/master/sandbox.S.
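
The order in which the rules in the list above have to be checked, modelled in user-space C as an added example (not code from this wiki page or from datautils0). The name `sb_patch_decision` and the plain prefix comparison are assumptions; the page does not say how the patch compares paths.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of the replacement sb_evaluate() as the list describes it. */
enum sb_decision { SB_ALLOW, SB_ORIGINAL };

#define MOBILE    "/private/var/mobile"
#define PREFS     MOBILE "/Library/Preferences/"
#define PREFS_APL PREFS "com.apple"

/* Assumption: byte-wise prefix match, no path normalisation. */
static int has_prefix(const char *path, const char *prefix)
{
    return strncmp(path, prefix, strlen(prefix)) == 0;
}

/* Hypothetical helper: which rule from the list applies to a path. */
enum sb_decision sb_patch_decision(const char *path)
{
    if (!has_prefix(path, MOBILE))
        return SB_ALLOW;      /* outside /private/var/mobile: no profile check */
    if (has_prefix(path, PREFS_APL))
        return SB_ORIGINAL;   /* must be tested before the wider Preferences rule */
    if (has_prefix(path, PREFS))
        return SB_ALLOW;      /* other entries under Preferences */
    return SB_ORIGINAL;       /* everything else under /private/var/mobile */
}

int main(void)
{
    /* Constructed sample paths, for auditing what the profile no longer mediates. */
    static const char *samples[] = {
        "/private/var/root/Library/example.db",
        "/private/var/mobile/Library/Preferences/com.apple.springboard.plist",
        "/private/var/mobile/Library/Preferences/com.example.app.plist",
        "/private/var/mobile/Library/SMS/sms.db",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-9s %s\n",
               sb_patch_decision(samples[i]) == SB_ALLOW ? "allow" : "original",
               samples[i]);
    return 0;
}
```

Swapping the second and third checks would grant the com.apple preference files as well, which is why the narrower prefix is tested first.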