chahine/rebreak-monorepo
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
rebreak-monorepo/ops/mdm/supervise-magic/cmd/tl-patcher/main.go
chahinebrini 01374c426e feat(supervise-magic): TechLockdown-clone v1 — supervise iPhones without erase 
Implementiert eigenen MobileBackup2-Restore-Trick zur Supervision-Übernahme
von aktivierten iOS-Geräten ohne Factory-Reset. Foundation für DiGA-Phase-G
Lock-Layer-Stack (non-removable Apps, non-removable Profiles, OnDemand-VPN-
Toggle-Lock) auf Consumer-iPhones.

Verifiziert end-to-end auf:
- iPhone Air (iPhone18,4, iOS 26.5): TL→ReBreak re-supervise 
- Olfa iPhone 14 Pro (iPhone15,3, iOS 26.4.2): TL→ReBreak re-supervise 

Key empirische Findings:
1. Find-My-iPhone MUSS off sein (ErrorCode 211 sonst)
   → Stolen Device Protection (SDP) zwingt FMI an seit iOS 17.3+
2. SupervisorHostCertificates DARF NICHT in CloudConfigurationDetails sein
   für fresh-supervise auf activated unsupervised devices (sonst partial-apply)
3. MCInstall.SetCloudConfiguration firet 14002 auf allen activated devices
   → MobileBackup2-Restore-Trick ist der einzige Weg
4. TL's extracted-embed-bytes != TL's wire-output (Runtime-Mutation)
   → Verbatim-Kopieren reicht nicht

Reverse-Engineering basiert komplett auf:
- Apple's public protocol docs (devicemanagement, mobilebackup2 schemas)
- libimobiledevice (open-source reference impl)
- TL public-distributed binary (interop-RE, legal per US-DMCA-1201 + EU-2009/24)

Structure:
  cmd/supervise/         — main CLI (check, cloud-config, supervise, cert-info, unsupervise)
  cmd/dump-artifacts/    — diagnostic helper (no device needed)
  cmd/usbmux-proxy/      — MITM-proxy for TL-traffic-capture (debug)
  cmd/tl-patcher/        — patches TL's hard-coded usbmuxd path (debug)
  internal/dlmessage/    — DLMessage wire-protocol (4-byte BE length + plist)
  internal/mobilebackup2/— mobilebackup2-service impl (BaseVersionExchange,
                          Hello, Restore, ServeFiles + TL-extracted templates)
  internal/cloudconfig/  — CloudConfigurationDetails.plist builder (cert-less,
                          25 keys matching TL's runtime-output)
  internal/cert/         — auto-gen + persist supervisor-cert in ~/.rebreak-supervise/
  internal/mcinstall/    — MCInstall.GetCloudConfiguration für state-checks
  internal/device/       — go-ios DeviceEntry wrapper
  internal/afclock/      — AFC sync-lock auf /com.apple.itunes.lock_sync
  internal/notification_proxy/ — PostNotification (syncWillStart/etc)
  internal/preflight/    — FMI/Activation/OS-version pre-checks
  internal/supervise/    — End-to-end Flow-Orchestrierung (MobileBackup2 default,
                          MCInstall via REBREAK_FORCE_MCINSTALL=1)

Pending für volle Productization (Phase G):
- Fresh-supervise direkt-empirisch auf truly-unsupervised iPhone testen
  (heute Nacht nur durch Inferenz aus TL-Verhalten gestützt)
- Auto-MDM-enroll-Step nach Supervise (ConfigurationURL oder cfgutil-style)
- DiGA-Onboarding-Flow + Lyra-Coach für FMI/SDP-Disable
- Multi-Device-Validation (Modelle, iOS-Versionen)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 01:55:10 +02:00

99 lines
2.8 KiB
Go
Raw Blame History

// Command tl-patcher: copies TechLockdown's Supervise_bin and binary-patches
// the hard-coded "/var/run/usbmuxd" path to "/tmp/mitm-usbmux" (exact 16 bytes).
// Then ad-hoc re-signs so macOS will allow execution.
//
// Result: a patched binary that connects to our proxy unix-socket instead of
// the real usbmuxd daemon — without needing sudo or env-vars.
//
// Usage:
//
// ./bin/rebreak-tl-patcher
// # Then run: /tmp/Supervise_bin_proxy
package main
import (
"bytes"
"fmt"
"io"
"os"
"os/exec"
)
const (
defaultSrc = "/Users/chahinebrini/Downloads/TechLockdown-supervise-mac-arm64.app/Contents/MacOS/Supervise_bin"
defaultDst = "/tmp/Supervise_bin_proxy"
origPath = "/var/run/usbmuxd" // 16 bytes
patchedPath = "/tmp/mitm-usbmux" // 16 bytes ✓
)
func main() {
src := defaultSrc
dst := defaultDst
if len(os.Args) > 1 {
src = os.Args[1]
}
if len(os.Args) > 2 {
dst = os.Args[2]
}
if len(origPath) != len(patchedPath) {
fmt.Fprintf(os.Stderr, "ERROR: path lengths must match — orig=%d patched=%d\n", len(origPath), len(patchedPath))
os.Exit(1)
}
fmt.Printf("Reading %s ...\n", src)
data, err := os.ReadFile(src)
if err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
count := bytes.Count(data, []byte(origPath))
fmt.Printf("Found %d occurrence(s) of %q\n", count, origPath)
if count == 0 {
fmt.Fprintln(os.Stderr, "no patch needed?")
os.Exit(1)
}
patched := bytes.ReplaceAll(data, []byte(origPath), []byte(patchedPath))
fmt.Printf("Writing patched binary to %s ...\n", dst)
if err := os.WriteFile(dst, patched, 0o755); err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
// Remove quarantine xattr (otherwise macOS blocks unsigned launch)
fmt.Println("Removing quarantine xattr ...")
exec.Command("xattr", "-d", "com.apple.quarantine", dst).Run() // ignore err
// Ad-hoc re-sign (otherwise macOS refuses to launch patched binary)
fmt.Println("Removing original signature ...")
out, err := exec.Command("codesign", "--remove-signature", dst).CombinedOutput()
if err != nil {
fmt.Printf(" warn: codesign remove: %v %s\n", err, out)
}
fmt.Println("Ad-hoc re-signing ...")
out, err = exec.Command("codesign", "-f", "-s", "-", dst).CombinedOutput()
if err != nil {
fmt.Printf(" warn: codesign sign: %v %s\n", err, out)
}
// Show how to launch
stat, _ := os.Stat(dst)
size := int64(0)
if stat != nil {
size = stat.Size()
}
fmt.Printf("\nDone. Patched binary: %s (%d bytes)\n", dst, size)
fmt.Printf("Path patch: %q → %q\n", origPath, patchedPath)
fmt.Println()
fmt.Println("Next steps:")
fmt.Println(" 1. In Terminal 1: ./bin/rebreak-usbmux-proxy -proxy /tmp/mitm-usbmux")
fmt.Println(" 2. In Terminal 2: " + dst)
fmt.Println(" 3. If macOS blocks: System Settings → Privacy & Security → 'Allow anyway'")
}
// suppress unused-import warning
var _ = io.Copy
Reference in New Issue View Git Blame Copy Permalink