
Try to not use private entitlements

This commit is contained in:
James Magahern
2018-11-13 22:39:03 -08:00
parent ce7e6e7dd8
commit f462ee68ca
12 changed files with 309 additions and 51 deletions

3
.gitmodules vendored

@@ -1,3 +1,6 @@
[submodule "GCDWebServer"] [submodule "GCDWebServer"]
path = GCDWebServer path = GCDWebServer
url = https://github.com/swisspol/GCDWebServer.git url = https://github.com/swisspol/GCDWebServer.git
[submodule "logos"]
path = logos
url = git@github.com:theos/logos.git
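Review bot: The new `logos` submodule uses an SSH URL (`git@github.com:theos/logos.git`) while the existing GCDWebServer entry uses HTTPS, so a recursive clone fails for anyone without a GitHub SSH key configured and for any anonymous CI checkout. `url = https://github.com/theos/logos.git` gives read-only access and matches the first entry. The commit the submodule is pinned to lives in the tree, not in this file, so the URL change does not affect which revision is checked out.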


@@ -11,6 +11,8 @@
CD60205C219B623F0024D9C5 /* MBIMMessagesListOperation.m in Sources */ = {isa = PBXBuildFile; fileRef = CD60205B219B623F0024D9C5 /* MBIMMessagesListOperation.m */; }; CD60205C219B623F0024D9C5 /* MBIMMessagesListOperation.m in Sources */ = {isa = PBXBuildFile; fileRef = CD60205B219B623F0024D9C5 /* MBIMMessagesListOperation.m */; };
CD60205F219B674B0024D9C5 /* MBIMConversationListOperation.m in Sources */ = {isa = PBXBuildFile; fileRef = CD60205E219B674B0024D9C5 /* MBIMConversationListOperation.m */; }; CD60205F219B674B0024D9C5 /* MBIMConversationListOperation.m in Sources */ = {isa = PBXBuildFile; fileRef = CD60205E219B674B0024D9C5 /* MBIMConversationListOperation.m */; };
CD602062219B68950024D9C5 /* MBIMSendMessageOperation.m in Sources */ = {isa = PBXBuildFile; fileRef = CD602061219B68950024D9C5 /* MBIMSendMessageOperation.m */; }; CD602062219B68950024D9C5 /* MBIMSendMessageOperation.m in Sources */ = {isa = PBXBuildFile; fileRef = CD602061219B68950024D9C5 /* MBIMSendMessageOperation.m */; };
CD83E156219BE10A00F4CCEA /* hooking.m in Sources */ = {isa = PBXBuildFile; fileRef = CD83E155219BE10A00F4CCEA /* hooking.m */; };
CD83E166219BE91600F4CCEA /* agentHook.m in Sources */ = {isa = PBXBuildFile; fileRef = CD83E165219BE91600F4CCEA /* agentHook.m */; };
CDF62335219A895D00690038 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = CDF62334219A895D00690038 /* main.m */; }; CDF62335219A895D00690038 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = CDF62334219A895D00690038 /* main.m */; };
CDF62339219A8A5600690038 /* MBIMBridge.h in Sources */ = {isa = PBXBuildFile; fileRef = 1A0C4469219A4BC300F2AC00 /* MBIMBridge.h */; }; CDF62339219A8A5600690038 /* MBIMBridge.h in Sources */ = {isa = PBXBuildFile; fileRef = 1A0C4469219A4BC300F2AC00 /* MBIMBridge.h */; };
CDF6233A219A8A5600690038 /* MBIMBridge.m in Sources */ = {isa = PBXBuildFile; fileRef = 1A0C446A219A4BC300F2AC00 /* MBIMBridge.m */; }; CDF6233A219A8A5600690038 /* MBIMBridge.m in Sources */ = {isa = PBXBuildFile; fileRef = 1A0C446A219A4BC300F2AC00 /* MBIMBridge.m */; };
@@ -21,6 +23,13 @@
/* End PBXBuildFile section */ /* End PBXBuildFile section */
/* Begin PBXContainerItemProxy section */ /* Begin PBXContainerItemProxy section */
CD83E16A219BE9AB00F4CCEA /* PBXContainerItemProxy */ = {
isa = PBXContainerItemProxy;
containerPortal = 1A0C443F219A38E100F2AC00 /* Project object */;
proxyType = 1;
remoteGlobalIDString = CD83E160219BE91500F4CCEA;
remoteInfo = agentHook;
};
CDF6231D219A869000690038 /* PBXContainerItemProxy */ = { CDF6231D219A869000690038 /* PBXContainerItemProxy */ = {
isa = PBXContainerItemProxy; isa = PBXContainerItemProxy;
containerPortal = CDF62312219A869000690038 /* GCDWebServer.xcodeproj */; containerPortal = CDF62312219A869000690038 /* GCDWebServer.xcodeproj */;
@@ -92,7 +101,6 @@
/* End PBXCopyFilesBuildPhase section */ /* End PBXCopyFilesBuildPhase section */
/* Begin PBXFileReference section */ /* Begin PBXFileReference section */
1A0C4455219A38E200F2AC00 /* kordophone.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = kordophone.entitlements; sourceTree = "<group>"; };
1A0C445D219A458400F2AC00 /* SOAPlugInControllerProtocol.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SOAPlugInControllerProtocol.h; sourceTree = "<group>"; }; 1A0C445D219A458400F2AC00 /* SOAPlugInControllerProtocol.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SOAPlugInControllerProtocol.h; sourceTree = "<group>"; };
1A0C445F219A45B400F2AC00 /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.Internal.sdk/System/Library/Frameworks/Foundation.framework; sourceTree = DEVELOPER_DIR; }; 1A0C445F219A45B400F2AC00 /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.Internal.sdk/System/Library/Frameworks/Foundation.framework; sourceTree = DEVELOPER_DIR; };
1A0C4461219A45B900F2AC00 /* AppKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = AppKit.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.Internal.sdk/System/Library/Frameworks/AppKit.framework; sourceTree = DEVELOPER_DIR; }; 1A0C4461219A45B900F2AC00 /* AppKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = AppKit.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.Internal.sdk/System/Library/Frameworks/AppKit.framework; sourceTree = DEVELOPER_DIR; };
@@ -114,6 +122,11 @@
CD60205E219B674B0024D9C5 /* MBIMConversationListOperation.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MBIMConversationListOperation.m; sourceTree = "<group>"; }; CD60205E219B674B0024D9C5 /* MBIMConversationListOperation.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MBIMConversationListOperation.m; sourceTree = "<group>"; };
CD602060219B68950024D9C5 /* MBIMSendMessageOperation.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MBIMSendMessageOperation.h; sourceTree = "<group>"; }; CD602060219B68950024D9C5 /* MBIMSendMessageOperation.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MBIMSendMessageOperation.h; sourceTree = "<group>"; };
CD602061219B68950024D9C5 /* MBIMSendMessageOperation.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MBIMSendMessageOperation.m; sourceTree = "<group>"; }; CD602061219B68950024D9C5 /* MBIMSendMessageOperation.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MBIMSendMessageOperation.m; sourceTree = "<group>"; };
CD83E154219BDBA200F4CCEA /* hooking.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = hooking.h; sourceTree = "<group>"; };
CD83E155219BE10A00F4CCEA /* hooking.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = hooking.m; sourceTree = "<group>"; };
CD83E161219BE91500F4CCEA /* libagentHook.dylib */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.dylib"; includeInIndex = 0; path = libagentHook.dylib; sourceTree = BUILT_PRODUCTS_DIR; };
CD83E165219BE91600F4CCEA /* agentHook.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = agentHook.m; sourceTree = "<group>"; };
CD83E1B5219BF78E00F4CCEA /* hookAgent.sh */ = {isa = PBXFileReference; lastKnownFileType = text.script.sh; path = hookAgent.sh; sourceTree = "<group>"; };
CDF62312219A869000690038 /* GCDWebServer.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = GCDWebServer.xcodeproj; path = GCDWebServer/GCDWebServer.xcodeproj; sourceTree = "<group>"; }; CDF62312219A869000690038 /* GCDWebServer.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = GCDWebServer.xcodeproj; path = GCDWebServer/GCDWebServer.xcodeproj; sourceTree = "<group>"; };
CDF62332219A895D00690038 /* kordophoned */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = kordophoned; sourceTree = BUILT_PRODUCTS_DIR; }; CDF62332219A895D00690038 /* kordophoned */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = kordophoned; sourceTree = BUILT_PRODUCTS_DIR; };
CDF62334219A895D00690038 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = "<group>"; }; CDF62334219A895D00690038 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = "<group>"; };
@@ -122,6 +135,13 @@
/* End PBXFileReference section */ /* End PBXFileReference section */
/* Begin PBXFrameworksBuildPhase section */ /* Begin PBXFrameworksBuildPhase section */
CD83E15F219BE91500F4CCEA /* Frameworks */ = {
isa = PBXFrameworksBuildPhase;
buildActionMask = 2147483647;
files = (
);
runOnlyForDeploymentPostprocessing = 0;
};
CDF6232F219A895D00690038 /* Frameworks */ = { CDF6232F219A895D00690038 /* Frameworks */ = {
isa = PBXFrameworksBuildPhase; isa = PBXFrameworksBuildPhase;
buildActionMask = 2147483647; buildActionMask = 2147483647;
@@ -144,6 +164,7 @@
CDF62333219A895D00690038 /* kordophone */, CDF62333219A895D00690038 /* kordophone */,
1A33B439219A5ACD0034485A /* Config Files */, 1A33B439219A5ACD0034485A /* Config Files */,
1A0C445C219A457C00F2AC00 /* Pilfered Headers */, 1A0C445C219A457C00F2AC00 /* Pilfered Headers */,
CD83E162219BE91600F4CCEA /* agentHook */,
1A0C4448219A38E100F2AC00 /* Products */, 1A0C4448219A38E100F2AC00 /* Products */,
1A0C445E219A45B400F2AC00 /* Frameworks */, 1A0C445E219A45B400F2AC00 /* Frameworks */,
); );
@@ -153,6 +174,7 @@
isa = PBXGroup; isa = PBXGroup;
children = ( children = (
CDF62332219A895D00690038 /* kordophoned */, CDF62332219A895D00690038 /* kordophoned */,
CD83E161219BE91500F4CCEA /* libagentHook.dylib */,
); );
name = Products; name = Products;
sourceTree = "<group>"; sourceTree = "<group>";
@@ -215,6 +237,24 @@
path = Operations; path = Operations;
sourceTree = "<group>"; sourceTree = "<group>";
}; };
CD83E150219BDB4F00F4CCEA /* Hooking */ = {
isa = PBXGroup;
children = (
CD83E154219BDBA200F4CCEA /* hooking.h */,
CD83E155219BE10A00F4CCEA /* hooking.m */,
);
path = Hooking;
sourceTree = "<group>";
};
CD83E162219BE91600F4CCEA /* agentHook */ = {
isa = PBXGroup;
children = (
CD83E1B5219BF78E00F4CCEA /* hookAgent.sh */,
CD83E165219BE91600F4CCEA /* agentHook.m */,
);
path = agentHook;
sourceTree = "<group>";
};
CDF62313219A869000690038 /* Products */ = { CDF62313219A869000690038 /* Products */ = {
isa = PBXGroup; isa = PBXGroup;
children = ( children = (
@@ -232,8 +272,8 @@
CDF62333219A895D00690038 /* kordophone */ = { CDF62333219A895D00690038 /* kordophone */ = {
isa = PBXGroup; isa = PBXGroup;
children = ( children = (
CD83E150219BDB4F00F4CCEA /* Hooking */,
1A0C446D219A4BCD00F2AC00 /* Bridge */, 1A0C446D219A4BCD00F2AC00 /* Bridge */,
1A0C4455219A38E200F2AC00 /* kordophone.entitlements */,
CDF62334219A895D00690038 /* main.m */, CDF62334219A895D00690038 /* main.m */,
); );
path = kordophone; path = kordophone;
@@ -241,7 +281,34 @@
}; };
/* End PBXGroup section */ /* End PBXGroup section */
/* Begin PBXHeadersBuildPhase section */
CD83E15D219BE91500F4CCEA /* Headers */ = {
isa = PBXHeadersBuildPhase;
buildActionMask = 2147483647;
files = (
);
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXHeadersBuildPhase section */
/* Begin PBXNativeTarget section */ /* Begin PBXNativeTarget section */
CD83E160219BE91500F4CCEA /* agentHook */ = {
isa = PBXNativeTarget;
buildConfigurationList = CD83E167219BE91600F4CCEA /* Build configuration list for PBXNativeTarget "agentHook" */;
buildPhases = (
CD83E15D219BE91500F4CCEA /* Headers */,
CD83E15E219BE91500F4CCEA /* Sources */,
CD83E15F219BE91500F4CCEA /* Frameworks */,
);
buildRules = (
);
dependencies = (
);
name = agentHook;
productName = agentHook;
productReference = CD83E161219BE91500F4CCEA /* libagentHook.dylib */;
productType = "com.apple.product-type.library.dynamic";
};
CDF62331219A895D00690038 /* kordophoned */ = { CDF62331219A895D00690038 /* kordophoned */ = {
isa = PBXNativeTarget; isa = PBXNativeTarget;
buildConfigurationList = CDF62336219A895D00690038 /* Build configuration list for PBXNativeTarget "kordophoned" */; buildConfigurationList = CDF62336219A895D00690038 /* Build configuration list for PBXNativeTarget "kordophoned" */;
@@ -253,6 +320,7 @@
buildRules = ( buildRules = (
); );
dependencies = ( dependencies = (
CD83E16B219BE9AB00F4CCEA /* PBXTargetDependency */,
CDF6233C219A8A6600690038 /* PBXTargetDependency */, CDF6233C219A8A6600690038 /* PBXTargetDependency */,
); );
name = kordophoned; name = kordophoned;
@@ -269,6 +337,9 @@
LastUpgradeCheck = 1100; LastUpgradeCheck = 1100;
ORGANIZATIONNAME = "James Magahern"; ORGANIZATIONNAME = "James Magahern";
TargetAttributes = { TargetAttributes = {
CD83E160219BE91500F4CCEA = {
CreatedOnToolsVersion = 11.0;
};
CDF62331219A895D00690038 = { CDF62331219A895D00690038 = {
CreatedOnToolsVersion = 11.0; CreatedOnToolsVersion = 11.0;
}; };
@@ -294,6 +365,7 @@
projectRoot = ""; projectRoot = "";
targets = ( targets = (
CDF62331219A895D00690038 /* kordophoned */, CDF62331219A895D00690038 /* kordophoned */,
CD83E160219BE91500F4CCEA /* agentHook */,
); );
}; };
/* End PBXProject section */ /* End PBXProject section */
@@ -351,11 +423,20 @@
/* End PBXReferenceProxy section */ /* End PBXReferenceProxy section */
/* Begin PBXSourcesBuildPhase section */ /* Begin PBXSourcesBuildPhase section */
CD83E15E219BE91500F4CCEA /* Sources */ = {
isa = PBXSourcesBuildPhase;
buildActionMask = 2147483647;
files = (
CD83E166219BE91600F4CCEA /* agentHook.m in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
CDF6232E219A895D00690038 /* Sources */ = { CDF6232E219A895D00690038 /* Sources */ = {
isa = PBXSourcesBuildPhase; isa = PBXSourcesBuildPhase;
buildActionMask = 2147483647; buildActionMask = 2147483647;
files = ( files = (
CDF62339219A8A5600690038 /* MBIMBridge.h in Sources */, CDF62339219A8A5600690038 /* MBIMBridge.h in Sources */,
CD83E156219BE10A00F4CCEA /* hooking.m in Sources */,
CDF6233A219A8A5600690038 /* MBIMBridge.m in Sources */, CDF6233A219A8A5600690038 /* MBIMBridge.m in Sources */,
CDF62335219A895D00690038 /* main.m in Sources */, CDF62335219A895D00690038 /* main.m in Sources */,
CD60205C219B623F0024D9C5 /* MBIMMessagesListOperation.m in Sources */, CD60205C219B623F0024D9C5 /* MBIMMessagesListOperation.m in Sources */,
@@ -368,6 +449,11 @@
/* End PBXSourcesBuildPhase section */ /* End PBXSourcesBuildPhase section */
/* Begin PBXTargetDependency section */ /* Begin PBXTargetDependency section */
CD83E16B219BE9AB00F4CCEA /* PBXTargetDependency */ = {
isa = PBXTargetDependency;
target = CD83E160219BE91500F4CCEA /* agentHook */;
targetProxy = CD83E16A219BE9AB00F4CCEA /* PBXContainerItemProxy */;
};
CDF6233C219A8A6600690038 /* PBXTargetDependency */ = { CDF6233C219A8A6600690038 /* PBXTargetDependency */ = {
isa = PBXTargetDependency; isa = PBXTargetDependency;
name = "GCDWebServers (Mac)"; name = "GCDWebServers (Mac)";
@@ -495,11 +581,44 @@
}; };
name = Release; name = Release;
}; };
CD83E168219BE91600F4CCEA /* Debug */ = {
isa = XCBuildConfiguration;
buildSettings = {
CLANG_ENABLE_MODULES = YES;
CODE_SIGN_STYLE = Automatic;
DYLIB_COMPATIBILITY_VERSION = 1;
DYLIB_CURRENT_VERSION = 1;
EXECUTABLE_PREFIX = lib;
OTHER_LDFLAGS = (
"-undefined",
dynamic_lookup,
);
PRODUCT_NAME = "$(TARGET_NAME)";
SKIP_INSTALL = YES;
};
name = Debug;
};
CD83E169219BE91600F4CCEA /* Release */ = {
isa = XCBuildConfiguration;
buildSettings = {
CLANG_ENABLE_MODULES = YES;
CODE_SIGN_STYLE = Automatic;
DYLIB_COMPATIBILITY_VERSION = 1;
DYLIB_CURRENT_VERSION = 1;
EXECUTABLE_PREFIX = lib;
OTHER_LDFLAGS = (
"-undefined",
dynamic_lookup,
);
PRODUCT_NAME = "$(TARGET_NAME)";
SKIP_INSTALL = YES;
};
name = Release;
};
CDF62337219A895D00690038 /* Debug */ = { CDF62337219A895D00690038 /* Debug */ = {
isa = XCBuildConfiguration; isa = XCBuildConfiguration;
buildSettings = { buildSettings = {
CLANG_ENABLE_MODULES = NO; CLANG_ENABLE_MODULES = NO;
CODE_SIGN_ENTITLEMENTS = kordophone/kordophone.entitlements;
CODE_SIGN_STYLE = Automatic; CODE_SIGN_STYLE = Automatic;
PRODUCT_NAME = "$(TARGET_NAME)"; PRODUCT_NAME = "$(TARGET_NAME)";
SDKROOT = macosx.internal; SDKROOT = macosx.internal;
@@ -514,7 +633,6 @@
isa = XCBuildConfiguration; isa = XCBuildConfiguration;
buildSettings = { buildSettings = {
CLANG_ENABLE_MODULES = NO; CLANG_ENABLE_MODULES = NO;
CODE_SIGN_ENTITLEMENTS = kordophone/kordophone.entitlements;
CODE_SIGN_STYLE = Automatic; CODE_SIGN_STYLE = Automatic;
PRODUCT_NAME = "$(TARGET_NAME)"; PRODUCT_NAME = "$(TARGET_NAME)";
SDKROOT = macosx.internal; SDKROOT = macosx.internal;
@@ -537,6 +655,15 @@
defaultConfigurationIsVisible = 0; defaultConfigurationIsVisible = 0;
defaultConfigurationName = Release; defaultConfigurationName = Release;
}; };
CD83E167219BE91600F4CCEA /* Build configuration list for PBXNativeTarget "agentHook" */ = {
isa = XCConfigurationList;
buildConfigurations = (
CD83E168219BE91600F4CCEA /* Debug */,
CD83E169219BE91600F4CCEA /* Release */,
);
defaultConfigurationIsVisible = 0;
defaultConfigurationName = Release;
};
CDF62336219A895D00690038 /* Build configuration list for PBXNativeTarget "kordophoned" */ = { CDF62336219A895D00690038 /* Build configuration list for PBXNativeTarget "kordophoned" */ = {
isa = XCConfigurationList; isa = XCConfigurationList;
buildConfigurations = ( buildConfigurations = (


@@ -61,6 +61,12 @@
ReferencedContainer = "container:MessagesBridge.xcodeproj"> ReferencedContainer = "container:MessagesBridge.xcodeproj">
</BuildableReference> </BuildableReference>
</BuildableProductRunnable> </BuildableProductRunnable>
<CommandLineArguments>
<CommandLineArgument
argument = "${BUILT_PRODUCTS_DIR}/libagentHook.dylib"
isEnabled = "YES">
</CommandLineArgument>
</CommandLineArguments>
<AdditionalOptions> <AdditionalOptions>
</AdditionalOptions> </AdditionalOptions>
</LaunchAction> </LaunchAction>


@@ -6,3 +6,12 @@ sudo defaults write /Library/Preferences/com.apple.security.coderequirements Ent
``` ```
Maybe a better thing to do is to DYLD_PRELOAD `imagent` and swizzle `IMDAuditTokenTaskHasEntitlement` to always return YES. Maybe a better thing to do is to DYLD_PRELOAD `imagent` and swizzle `IMDAuditTokenTaskHasEntitlement` to always return YES.
## Building/linking
If you get dyld errors running from the command line, use `install_name_tool` to update the @rpath (where @rpath points to where linked Frameworks like GCDWebServer is).
`install_name_tool -add_rpath . ./kordophoned`
## Running
You need to hook imagent first to bypass entitlements check. Look at `hookAgent.sh`

19
agentHook/agentHook.m Normal file

@@ -0,0 +1,19 @@
#import <mach/message.h>
#import <Foundation/Foundation.h>
#include <dlfcn.h>
#define DYLD_INTERPOSE(_replacment,_replacee) \
__attribute__((used)) static struct{ const void* replacment; const void* replacee; } _interpose_##_replacee \
__attribute__ ((section ("__DATA,__interpose"))) = { (const void*)(unsigned long)&_replacment, (const void*)(unsigned long)&_replacee };
BOOL IMDAuditTokenTaskHasEntitlement(audit_token_t *auditToken, NSString *entitlement);
BOOL replacement__IMDAuditTokenTaskHasEntitlement(audit_token_t *auditToken, NSString *entitlement)
{
// Bypass all entitlement checks
return YES;
}
DYLD_INTERPOSE(replacement__IMDAuditTokenTaskHasEntitlement, IMDAuditTokenTaskHasEntitlement);
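Review bot: `replacement__IMDAuditTokenTaskHasEntitlement` ignores both `auditToken` and `entitlement`, so once the library is inserted the hooked process answers YES to every entitlement query from every client, not only from kordophoned; that blast radius is larger than the commit message suggests and nothing in the file states it. A header comment along the lines of `// Interposes IMDAuditTokenTaskHasEntitlement: with this library loaded, the host process grants every entitlement query from every caller. Development-only helper for the local bridge.` would let a reader see the scope at a glance. `<dlfcn.h>` is included but nothing from it is used, and the macro misspells `replacment` in both the struct field and the parameter name.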

19
agentHook/hookAgent.sh Executable file

@@ -0,0 +1,19 @@
#!/bin/sh
# This script is necessary to circumvent the entitlements check in imagent.
# Might want to wrap this script up in a startup script or something so we make sure this
# happens every time.
if [[ $# -lt 1 ]]; then
echo "Usage: hookAgent.sh libagentHook.dylib"
exit 0
fi
LIB_PATH=$(python -c "import os; print(os.path.realpath('$1'))")
echo "Library path: $LIB_PATH"
echo "Telling imagent to launch with inserted libraries for uid $EUID"
sudo launchctl debug gui/$EUID/com.apple.imagent --environment DYLD_INSERT_LIBRARIES=$LIB_PATH
launchctl kill SIGKILL gui/501/com.apple.imagent
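Review bot: `launchctl kill SIGKILL gui/501/com.apple.imagent` hard-codes uid 501 while the `launchctl debug` line directly above uses `gui/$EUID/`, so for any other user the two commands address different launchd domains and the environment is set on one agent while a different one is restarted. The usage branch exits with `exit 0`, which reports success on a missing argument; `exit 64` (EX_USAGE) or `exit 1` matches the intent. `#!/bin/sh` combined with `[[ $# -lt 1 ]]` is a bashism that fails under a POSIX sh; use `if [ "$#" -lt 1 ]; then` or a bash shebang, and quote `"$LIB_PATH"` where it is passed on the command line since the scheme passes a path under `${BUILT_PRODUCTS_DIR}` that may contain spaces.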


@@ -8,9 +8,14 @@
#import <Foundation/Foundation.h> #import <Foundation/Foundation.h>
// See note in hooking.m about why this was a bad idea
#define HOOK_IMAGENT 0
NS_ASSUME_NONNULL_BEGIN NS_ASSUME_NONNULL_BEGIN
@interface MBIMBridge : NSObject @interface MBIMBridge : NSObject
@property (nonatomic, assign) const char *dylibPath;
+ (instancetype)sharedInstance; + (instancetype)sharedInstance;
- (instancetype)init NS_UNAVAILABLE; - (instancetype)init NS_UNAVAILABLE;
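Review bot: `dylibPath` is declared `assign` with a `const char *` type, so the bridge keeps a borrowed pointer and the header says nothing about who owns the buffer or how long it must live; main.m assigns `argv[1]`, which is valid for the process lifetime, but any other caller passing a temporary would leave a dangling pointer behind a singleton. Document the contract on the property: `/// Borrowed C string; must outlive the bridge (main.m passes argv[1]). Read only when HOOK_IMAGENT is nonzero.` The `HOOK_IMAGENT` define is consumed by both main.m and MBIMBridge.m, so keeping it in this shared header is reasonable, but the comment above it should say which files key off it.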


@@ -8,6 +8,7 @@
#import "MBIMBridge.h" #import "MBIMBridge.h"
#import "MBIMBridgeOperation.h" #import "MBIMBridgeOperation.h"
#import "hooking.h"
#import <GCDWebServers/GCDWebServers.h> #import <GCDWebServers/GCDWebServers.h>
@@ -55,14 +56,32 @@ static NSString *const MBIMBridgeToken = @"net.buzzert.kordophone";
return self; return self;
} }
- (void)_terminate
{
// *shrug*
exit(0);
}
#pragma mark - #pragma mark -
#pragma mark Connection #pragma mark Connection
- (void)connect - (void)connect
{ {
#if HOOK_IMAGENT
char *errorString = nil;
BOOL hooked = HookIMAgent(self.dylibPath, &errorString);
if (!hooked) {
NSString *errorNSString = [NSString stringWithUTF8String:errorString];
NSLog(@"Error hooking imagent: %@", errorNSString);
return;
}
#endif
if (![sDaemonController hasListenerForID: MBIMBridgeToken]) { if (![sDaemonController hasListenerForID: MBIMBridgeToken]) {
if (![sDaemonController addListenerID:MBIMBridgeToken capabilities:(kFZListenerCapFileTransfers | kFZListenerCapManageStatus | kFZListenerCapChats | kFZListenerCapMessageHistory | kFZListenerCapIDQueries | kFZListenerCapSendMessages)]) { if (![sDaemonController addListenerID:MBIMBridgeToken capabilities:(kFZListenerCapFileTransfers | kFZListenerCapManageStatus | kFZListenerCapChats | kFZListenerCapMessageHistory | kFZListenerCapIDQueries | kFZListenerCapSendMessages)]) {
NSLog(@"Failed to connect to imagent"); NSLog(@"Failed to connect to imagent");
[self _terminate];
} }
} }
} }
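Review bot: `_terminate` calls `exit(0)`, yet both call sites are failure paths (the `Failed to connect to imagent` branch here and the `no accounts (not entitled?)` branch in the next hunk), so launchd or a wrapping shell sees a clean exit and has no reason to restart or flag the daemon; `exit(EXIT_FAILURE);` matches the intent. Inside the `#if HOOK_IMAGENT` block, `char *errorString = nil;` uses the object-pointer `nil` for a C string, where `NULL` is the right spelling, and `[NSString stringWithUTF8String:errorString]` raises if a failing path of `HookIMAgent` ever leaves the pointer unset; `errorString ? [NSString stringWithUTF8String:errorString] : @"unknown error"` keeps the log line safe.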
@@ -158,6 +177,7 @@ static NSString *const MBIMBridgeToken = @"net.buzzert.kordophone";
NSLog(@"iMessage account connected: %@", iMessageAccount); NSLog(@"iMessage account connected: %@", iMessageAccount);
} else { } else {
NSLog(@"imagent returned no accounts (not entitled?)"); NSLog(@"imagent returned no accounts (not entitled?)");
[self _terminate];
} }
} }


@@ -0,0 +1,12 @@
//
// hooking.h
// MessagesBridge
//
// Created by James Magahern on 11/13/18.
// Copyright © 2018 James Magahern. All rights reserved.
//
#import <Foundation/Foundation.h>
// Returns success and a populated errorString on error.
BOOL HookIMAgent(const char *hookDylibPath, char **errorString);
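Review bot: The declaration names the parameter `hookDylibPath` while the definition in hooking.m calls it `relativeDylibPath` and resolves it with `realpath()`, so the header does not tell a caller that a relative path is accepted; the one-line comment also leaves the ownership of `*errorString` open, and in the implementation it is either a string literal or `dlerror()`'s internal buffer. Replace the comment with something like `// hookDylibPath may be relative; it is resolved with realpath(). On failure returns NO and sets *errorString to a message the caller must not free; it may point at dlerror()'s buffer, valid only until the next dlerror() call.`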


@@ -0,0 +1,75 @@
//
// hooking.c
// kordophoned
//
// Created by James Magahern on 11/13/18.
// Copyright © 2018 James Magahern. All rights reserved.
//
#include "hooking.h"
#include <stdlib.h>
#include <dlfcn.h>
#include <unistd.h>
BOOL HookIMAgent(const char *relativeDylibPath, char **errorString)
{
NSLog(@"Hooking imagent");
const char *hookDylibPath = realpath(relativeDylibPath, NULL);
// See if file is there.
int succ = access(hookDylibPath, R_OK);
if (succ != 0) {
*errorString = "Unable to access hook dylib. Does file exist?";
return NO;
}
// Make sure we can load the dylib (filters out codesigning issues)
void *handle = dlopen(hookDylibPath, RTLD_NOW);
if (!handle) {
*errorString = dlerror();
return NO;
}
/*********
***********
PROBABLY DON'T DO THIS
If other processes start and load agentHook, then they will crash because dyld tries to
interpose a function that doesn't exist.
A better way (maybe put this in a script or something):
( But launchctl debug needs to run as root :( )
$ launchctl debug gui/501/com.apple.imagent --environment DYLD_INSERT_LIBRARIES=(path to libagentHook.dylib)
$ launchctl kill SIGKILL gui/501/com.apple.imagent
// then let it restart...
**/
// Set launchd DYLD_INSERT_LIBRARIES environment variable
const char *systemCommandFormatString = "/bin/launchctl setenv DYLD_INSERT_LIBRARIES %s";
size_t bufferSize = strlen(systemCommandFormatString) + strlen(hookDylibPath) + 2;
char *systemCommand = (char *)malloc(sizeof(char) * bufferSize);
sprintf(systemCommand, "/bin/launchctl setenv DYLD_INSERT_LIBRARIES %s", hookDylibPath);
int setEnvSucc = system(systemCommand);
if (setEnvSucc != 0) {
*errorString = "Unable to set launchd environment variable.";
return NO;
}
NSLog(@"Successfully setup environment variables");
// Kill imagent so the new one has the loaded bundle
NSLog(@"Killing imagent...");
int killAgentSuccess = system("killall imagent");
dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(0.5 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{
system("/bin/launchctl unsetenv DYLD_INSERT_LIBRARIES");
});
return (killAgentSuccess == 0);
}
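Review bot: `realpath(relativeDylibPath, NULL)` returns NULL when the path cannot be resolved, and that result flows unchecked into `access()`, `dlopen()` and `sprintf()`, so a bad argument is undefined behaviour rather than the `Unable to access hook dylib` error the next lines intend; add `if (!hookDylibPath) { *errorString = "Unable to resolve hook dylib path."; return NO; }` directly after the call. The resolved path is also spliced unescaped into a `system()` command string, so a space or quote in it (the scheme passes a path under `${BUILT_PRODUCTS_DIR}`) breaks or changes the command; invoking `/bin/launchctl` with an argv via `posix_spawn` or `NSTask` removes the shell from the picture. The `realpath` buffer, `systemCommand` and the `dlopen` handle are never released, and `*errorString = dlerror()` hands the caller a pointer that the next `dlerror()` call invalidates; copying the message with `strdup` and documenting that the caller frees it would fix both.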


@@ -1,47 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.private.corespotlight.search.internal</key>
<true/>
<key>com.apple.private.corespotlight.internal</key>
<true/>
<key>com.apple.CommCenter.fine-grained</key>
<array>
<string>spi</string>
</array>
<key>com.apple.accounts.inactive.fullaccess</key>
<true/>
<key>com.apple.imagent</key>
<true/>
<key>com.apple.private.accounts.allaccounts</key>
<true/>
<key>com.apple.private.aps-connection-initiate</key>
<array>
<string>com.apple.ess</string>
<string>com.apple.madrid</string>
</array>
<key>com.apple.private.communicationsfilter</key>
<true/>
<key>com.apple.private.ids.idquery-cache</key>
<true/>
<key>com.apple.private.ids.remoteurlconnection</key>
<true/>
<key>com.apple.private.imcore.imdpersistence.database-access</key>
<true/>
<key>com.apple.private.tcc.allow</key>
<array>
<string>kTCCServiceAddressBook</string>
</array>
<key>keychain-access-groups</key>
<array>
<string>appleaccount</string>
<string>InternetAccounts</string>
<string>IMCore</string>
<string>ichat</string>
<string>apple</string>
</array>
<key>com.apple.logd.admin</key>
<true/>
</dict>
</plist>


@@ -13,6 +13,16 @@
int main(int argc, const char * argv[]) { int main(int argc, const char * argv[]) {
@autoreleasepool { @autoreleasepool {
MBIMBridge *bridge = [MBIMBridge sharedInstance]; MBIMBridge *bridge = [MBIMBridge sharedInstance];
#if HOOK_IMAGENT
if (argc < 2) {
fprintf(stderr, "Usage: kordophoned agentHook.dylib\n");
return 1;
}
bridge.dylibPath = argv[1];
#endif
[bridge connect]; [bridge connect];
BOOL running = YES; BOOL running = YES;