HOST_AMFID_PORT Query

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)


Postby darkknight » Thu Oct 19, 2017 1:44 am

Seeking some clarification. So prior to iOS 9 you could "become" amfid. And one way to do that was to use the following macro from mach/host_special_ports.h

Code:
/* from mach/host_special_ports.h */
#define host_set_amfid_port(host, port)   \
   (host_set_special_port((host), HOST_AMFID_PORT, (port)))


Code:
#include <mach/mach.h>
#include <mach/host_special_ports.h>   // HOST_AMFID_PORT, host_set_amfid_port()
#include <stdio.h>
#include <stdlib.h>

// ... inside main() or similar
kern_return_t kr;
mach_port_t   mp      = mach_host_self();   // only the host_priv port when running as root
mach_port_t   myAmfi  = MACH_PORT_NULL;
mach_port_t   bs_port = MACH_PORT_NULL;

kr = host_get_host_priv_port(mp, &mp);
if (kr != KERN_SUCCESS)
{
    printf("Failed to get host_priv port: %s\n", mach_error_string(kr));
    exit(1);
}

// receive right for the port we want to pass off as amfid's
kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &myAmfi);
if (kr != KERN_SUCCESS)
{
    printf("Failed to allocate port: %s\n", mach_error_string(kr));
    exit(1);
}

// add a send right so the kernel can message the port
kr = mach_port_insert_right(mach_task_self(), myAmfi, myAmfi, MACH_MSG_TYPE_MAKE_SEND);
if (kr != KERN_SUCCESS)
{
    printf("Failed to insert port right: %s\n", mach_error_string(kr));
    exit(1);
}

kr = host_set_amfid_port(mp, myAmfi);   // == host_set_special_port(mp, HOST_AMFID_PORT, myAmfi)
// .................. so on and so forth


So if I used the bootstrap_check_in method instead would it be:
Code:
// needs #include <servers/bootstrap.h> for bootstrap_check_in() and bootstrap_strerror()
const char *service_name = "com.apple.MobileFileIntegrity";

kr = task_get_bootstrap_port(mach_task_self(), &bs_port);
if (kr != KERN_SUCCESS)
{
    printf("Failed to get bootstrap port: %s\n", mach_error_string(kr));
    exit(1);
}

// bootstrap_check_in() hands back the receive right launchd holds for the
// service, so its last argument is a pointer to a port, not a port
kr = bootstrap_check_in(bs_port, service_name, &myAmfi);
if (kr != KERN_SUCCESS)
{
    printf("Failed to check in: %s\n", bootstrap_strerror(kr));   // bootstrap errors have their own strings
    exit(1);
}
// ........ etc

Where/how does HOST_AMFID_PORT (18) get set in this scenario, i.e. bootstrap_check_in? And for pre-iOS 9 wouldn't this fail anyway, since you are checking in an already active service?
darkknight
 
Posts: 65
Joined: Mon Apr 18, 2016 10:49 pm

Re: HOST_AMFID_PORT Query

Postby morpheus » Thu Oct 19, 2017 7:04 am

HOST_AMFID_PORT is in /S/L/LaunchDaemons/com.apple.MobileFileIntegrity.plist, associated with "com.apple.MobileFileIntegrity". Note that the check_in method would NOT work here for a few reasons:

A) check_in requires that you be launched by launchd. Else it will see you're trying to hijack the port. You meant bootstrap_register.
B) In AMFI's particular case, the Kext verifies that the token came from AMFI, by validating the hard-coded code signature of AMFI versus that of whomever returned the token. That's in Chapter 7 somewhere.
C) you'd have to kill amfid first, too (which is easy, of course)

The host_set_special_port would work just fine, but (B) would fail you. For other special ports, it does work, to this day.
morpheus
Site Admin
 
Posts: 531
Joined: Thu Apr 11, 2013 6:24 pm

Re: HOST_AMFID_PORT Query

Postby darkknight » Thu Oct 19, 2017 4:06 pm

morpheus wrote:HOST_AMFID_PORT is in /S/L/LaunchDaemons/com.apple.MobileFileIntegrity.plist, associated with "com.apple.MobileFileIntegrity". Note that the check_in method would NOT work here for a few reasons:

A) check_in requires that you be launched by launchd. Else it will see you're trying to hijack the port. You meant bootstrap_register.
B) In AMFI's particular case, the Kext verifies that the token came from AMFI, by validating the hard-coded code signature of AMFI versus that of whomever returned the token. That's in Chapter 7 somewhere.
C) you'd have to kill amfid first, too (which is easy, of course)

The host_set_special_port would work just fine, but (B) would fail you. For other special ports, it does work, to this day.

That is what I misunderstood. Much thanks J.
darkknight
 
Posts: 65
Joined: Mon Apr 18, 2016 10:49 pm

