Try to not use private entitlements

2018-11-13 22:39:03 -08:00
parent ce7e6e7dd8
commit f462ee68ca
12 changed files with 309 additions and 51 deletions
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,6 @@
 [submodule "GCDWebServer"]
 	path = GCDWebServer
 	url = https://github.com/swisspol/GCDWebServer.git
+[submodule "logos"]
+	path = logos
+	url = git@github.com:theos/logos.git
--- a/MessagesBridge.xcodeproj/project.pbxproj
+++ b/MessagesBridge.xcodeproj/project.pbxproj
@@ -11,6 +11,8 @@
 		CD60205C219B623F0024D9C5 /* MBIMMessagesListOperation.m in Sources */ = {isa = PBXBuildFile; fileRef = CD60205B219B623F0024D9C5 /* MBIMMessagesListOperation.m */; };
 		CD60205F219B674B0024D9C5 /* MBIMConversationListOperation.m in Sources */ = {isa = PBXBuildFile; fileRef = CD60205E219B674B0024D9C5 /* MBIMConversationListOperation.m */; };
 		CD602062219B68950024D9C5 /* MBIMSendMessageOperation.m in Sources */ = {isa = PBXBuildFile; fileRef = CD602061219B68950024D9C5 /* MBIMSendMessageOperation.m */; };
+		CD83E156219BE10A00F4CCEA /* hooking.m in Sources */ = {isa = PBXBuildFile; fileRef = CD83E155219BE10A00F4CCEA /* hooking.m */; };
+		CD83E166219BE91600F4CCEA /* agentHook.m in Sources */ = {isa = PBXBuildFile; fileRef = CD83E165219BE91600F4CCEA /* agentHook.m */; };
 		CDF62335219A895D00690038 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = CDF62334219A895D00690038 /* main.m */; };
 		CDF62339219A8A5600690038 /* MBIMBridge.h in Sources */ = {isa = PBXBuildFile; fileRef = 1A0C4469219A4BC300F2AC00 /* MBIMBridge.h */; };
 		CDF6233A219A8A5600690038 /* MBIMBridge.m in Sources */ = {isa = PBXBuildFile; fileRef = 1A0C446A219A4BC300F2AC00 /* MBIMBridge.m */; };
@@ -21,6 +23,13 @@
 /* End PBXBuildFile section */

 /* Begin PBXContainerItemProxy section */
+		CD83E16A219BE9AB00F4CCEA /* PBXContainerItemProxy */ = {
+			isa = PBXContainerItemProxy;
+			containerPortal = 1A0C443F219A38E100F2AC00 /* Project object */;
+			proxyType = 1;
+			remoteGlobalIDString = CD83E160219BE91500F4CCEA;
+			remoteInfo = agentHook;
+		};
 		CDF6231D219A869000690038 /* PBXContainerItemProxy */ = {
 			isa = PBXContainerItemProxy;
 			containerPortal = CDF62312219A869000690038 /* GCDWebServer.xcodeproj */;
@@ -92,7 +101,6 @@
 /* End PBXCopyFilesBuildPhase section */

 /* Begin PBXFileReference section */
-		1A0C4455219A38E200F2AC00 /* kordophone.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = kordophone.entitlements; sourceTree = "<group>"; };
 		1A0C445D219A458400F2AC00 /* SOAPlugInControllerProtocol.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SOAPlugInControllerProtocol.h; sourceTree = "<group>"; };
 		1A0C445F219A45B400F2AC00 /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.Internal.sdk/System/Library/Frameworks/Foundation.framework; sourceTree = DEVELOPER_DIR; };
 		1A0C4461219A45B900F2AC00 /* AppKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = AppKit.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.Internal.sdk/System/Library/Frameworks/AppKit.framework; sourceTree = DEVELOPER_DIR; };
@@ -114,6 +122,11 @@
 		CD60205E219B674B0024D9C5 /* MBIMConversationListOperation.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MBIMConversationListOperation.m; sourceTree = "<group>"; };
 		CD602060219B68950024D9C5 /* MBIMSendMessageOperation.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MBIMSendMessageOperation.h; sourceTree = "<group>"; };
 		CD602061219B68950024D9C5 /* MBIMSendMessageOperation.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MBIMSendMessageOperation.m; sourceTree = "<group>"; };
+		CD83E154219BDBA200F4CCEA /* hooking.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = hooking.h; sourceTree = "<group>"; };
+		CD83E155219BE10A00F4CCEA /* hooking.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = hooking.m; sourceTree = "<group>"; };
+		CD83E161219BE91500F4CCEA /* libagentHook.dylib */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.dylib"; includeInIndex = 0; path = libagentHook.dylib; sourceTree = BUILT_PRODUCTS_DIR; };
+		CD83E165219BE91600F4CCEA /* agentHook.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = agentHook.m; sourceTree = "<group>"; };
+		CD83E1B5219BF78E00F4CCEA /* hookAgent.sh */ = {isa = PBXFileReference; lastKnownFileType = text.script.sh; path = hookAgent.sh; sourceTree = "<group>"; };
 		CDF62312219A869000690038 /* GCDWebServer.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = GCDWebServer.xcodeproj; path = GCDWebServer/GCDWebServer.xcodeproj; sourceTree = "<group>"; };
 		CDF62332219A895D00690038 /* kordophoned */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = kordophoned; sourceTree = BUILT_PRODUCTS_DIR; };
 		CDF62334219A895D00690038 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = "<group>"; };
@@ -122,6 +135,13 @@
 /* End PBXFileReference section */

 /* Begin PBXFrameworksBuildPhase section */
+		CD83E15F219BE91500F4CCEA /* Frameworks */ = {
+			isa = PBXFrameworksBuildPhase;
+			buildActionMask = 2147483647;
+			files = (
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+		};
 		CDF6232F219A895D00690038 /* Frameworks */ = {
 			isa = PBXFrameworksBuildPhase;
 			buildActionMask = 2147483647;
@@ -144,6 +164,7 @@
 				CDF62333219A895D00690038 /* kordophone */,
 				1A33B439219A5ACD0034485A /* Config Files */,
 				1A0C445C219A457C00F2AC00 /* Pilfered Headers */,
+				CD83E162219BE91600F4CCEA /* agentHook */,
 				1A0C4448219A38E100F2AC00 /* Products */,
 				1A0C445E219A45B400F2AC00 /* Frameworks */,
 			);
@@ -153,6 +174,7 @@
 			isa = PBXGroup;
 			children = (
 				CDF62332219A895D00690038 /* kordophoned */,
+				CD83E161219BE91500F4CCEA /* libagentHook.dylib */,
 			);
 			name = Products;
 			sourceTree = "<group>";
@@ -215,6 +237,24 @@
 			path = Operations;
 			sourceTree = "<group>";
 		};
+		CD83E150219BDB4F00F4CCEA /* Hooking */ = {
+			isa = PBXGroup;
+			children = (
+				CD83E154219BDBA200F4CCEA /* hooking.h */,
+				CD83E155219BE10A00F4CCEA /* hooking.m */,
+			);
+			path = Hooking;
+			sourceTree = "<group>";
+		};
+		CD83E162219BE91600F4CCEA /* agentHook */ = {
+			isa = PBXGroup;
+			children = (
+				CD83E1B5219BF78E00F4CCEA /* hookAgent.sh */,
+				CD83E165219BE91600F4CCEA /* agentHook.m */,
+			);
+			path = agentHook;
+			sourceTree = "<group>";
+		};
 		CDF62313219A869000690038 /* Products */ = {
 			isa = PBXGroup;
 			children = (
@@ -232,8 +272,8 @@
 		CDF62333219A895D00690038 /* kordophone */ = {
 			isa = PBXGroup;
 			children = (
+				CD83E150219BDB4F00F4CCEA /* Hooking */,
 				1A0C446D219A4BCD00F2AC00 /* Bridge */,
-				1A0C4455219A38E200F2AC00 /* kordophone.entitlements */,
 				CDF62334219A895D00690038 /* main.m */,
 			);
 			path = kordophone;
@@ -241,7 +281,34 @@
 		};
 /* End PBXGroup section */

+/* Begin PBXHeadersBuildPhase section */
+		CD83E15D219BE91500F4CCEA /* Headers */ = {
+			isa = PBXHeadersBuildPhase;
+			buildActionMask = 2147483647;
+			files = (
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+		};
+/* End PBXHeadersBuildPhase section */
+
 /* Begin PBXNativeTarget section */
+		CD83E160219BE91500F4CCEA /* agentHook */ = {
+			isa = PBXNativeTarget;
+			buildConfigurationList = CD83E167219BE91600F4CCEA /* Build configuration list for PBXNativeTarget "agentHook" */;
+			buildPhases = (
+				CD83E15D219BE91500F4CCEA /* Headers */,
+				CD83E15E219BE91500F4CCEA /* Sources */,
+				CD83E15F219BE91500F4CCEA /* Frameworks */,
+			);
+			buildRules = (
+			);
+			dependencies = (
+			);
+			name = agentHook;
+			productName = agentHook;
+			productReference = CD83E161219BE91500F4CCEA /* libagentHook.dylib */;
+			productType = "com.apple.product-type.library.dynamic";
+		};
 		CDF62331219A895D00690038 /* kordophoned */ = {
 			isa = PBXNativeTarget;
 			buildConfigurationList = CDF62336219A895D00690038 /* Build configuration list for PBXNativeTarget "kordophoned" */;
@@ -253,6 +320,7 @@
 			buildRules = (
 			);
 			dependencies = (
+				CD83E16B219BE9AB00F4CCEA /* PBXTargetDependency */,
 				CDF6233C219A8A6600690038 /* PBXTargetDependency */,
 			);
 			name = kordophoned;
@@ -269,6 +337,9 @@
 				LastUpgradeCheck = 1100;
 				ORGANIZATIONNAME = "James Magahern";
 				TargetAttributes = {
+					CD83E160219BE91500F4CCEA = {
+						CreatedOnToolsVersion = 11.0;
+					};
 					CDF62331219A895D00690038 = {
 						CreatedOnToolsVersion = 11.0;
 					};
@@ -294,6 +365,7 @@
 			projectRoot = "";
 			targets = (
 				CDF62331219A895D00690038 /* kordophoned */,
+				CD83E160219BE91500F4CCEA /* agentHook */,
 			);
 		};
 /* End PBXProject section */
@@ -351,11 +423,20 @@
 /* End PBXReferenceProxy section */

 /* Begin PBXSourcesBuildPhase section */
+		CD83E15E219BE91500F4CCEA /* Sources */ = {
+			isa = PBXSourcesBuildPhase;
+			buildActionMask = 2147483647;
+			files = (
+				CD83E166219BE91600F4CCEA /* agentHook.m in Sources */,
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+		};
 		CDF6232E219A895D00690038 /* Sources */ = {
 			isa = PBXSourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
 				CDF62339219A8A5600690038 /* MBIMBridge.h in Sources */,
+				CD83E156219BE10A00F4CCEA /* hooking.m in Sources */,
 				CDF6233A219A8A5600690038 /* MBIMBridge.m in Sources */,
 				CDF62335219A895D00690038 /* main.m in Sources */,
 				CD60205C219B623F0024D9C5 /* MBIMMessagesListOperation.m in Sources */,
@@ -368,6 +449,11 @@
 /* End PBXSourcesBuildPhase section */

 /* Begin PBXTargetDependency section */
+		CD83E16B219BE9AB00F4CCEA /* PBXTargetDependency */ = {
+			isa = PBXTargetDependency;
+			target = CD83E160219BE91500F4CCEA /* agentHook */;
+			targetProxy = CD83E16A219BE9AB00F4CCEA /* PBXContainerItemProxy */;
+		};
 		CDF6233C219A8A6600690038 /* PBXTargetDependency */ = {
 			isa = PBXTargetDependency;
 			name = "GCDWebServers (Mac)";
@@ -495,11 +581,44 @@
 			};
 			name = Release;
 		};
+		CD83E168219BE91600F4CCEA /* Debug */ = {
+			isa = XCBuildConfiguration;
+			buildSettings = {
+				CLANG_ENABLE_MODULES = YES;
+				CODE_SIGN_STYLE = Automatic;
+				DYLIB_COMPATIBILITY_VERSION = 1;
+				DYLIB_CURRENT_VERSION = 1;
+				EXECUTABLE_PREFIX = lib;
+				OTHER_LDFLAGS = (
+					"-undefined",
+					dynamic_lookup,
+				);
+				PRODUCT_NAME = "$(TARGET_NAME)";
+				SKIP_INSTALL = YES;
+			};
+			name = Debug;
+		};
+		CD83E169219BE91600F4CCEA /* Release */ = {
+			isa = XCBuildConfiguration;
+			buildSettings = {
+				CLANG_ENABLE_MODULES = YES;
+				CODE_SIGN_STYLE = Automatic;
+				DYLIB_COMPATIBILITY_VERSION = 1;
+				DYLIB_CURRENT_VERSION = 1;
+				EXECUTABLE_PREFIX = lib;
+				OTHER_LDFLAGS = (
+					"-undefined",
+					dynamic_lookup,
+				);
+				PRODUCT_NAME = "$(TARGET_NAME)";
+				SKIP_INSTALL = YES;
+			};
+			name = Release;
+		};
 		CDF62337219A895D00690038 /* Debug */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CLANG_ENABLE_MODULES = NO;
-				CODE_SIGN_ENTITLEMENTS = kordophone/kordophone.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SDKROOT = macosx.internal;
@@ -514,7 +633,6 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CLANG_ENABLE_MODULES = NO;
-				CODE_SIGN_ENTITLEMENTS = kordophone/kordophone.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SDKROOT = macosx.internal;
@@ -537,6 +655,15 @@
 			defaultConfigurationIsVisible = 0;
 			defaultConfigurationName = Release;
 		};
+		CD83E167219BE91600F4CCEA /* Build configuration list for PBXNativeTarget "agentHook" */ = {
+			isa = XCConfigurationList;
+			buildConfigurations = (
+				CD83E168219BE91600F4CCEA /* Debug */,
+				CD83E169219BE91600F4CCEA /* Release */,
+			);
+			defaultConfigurationIsVisible = 0;
+			defaultConfigurationName = Release;
+		};
 		CDF62336219A895D00690038 /* Build configuration list for PBXNativeTarget "kordophoned" */ = {
 			isa = XCConfigurationList;
 			buildConfigurations = (
--- a/MessagesBridge.xcodeproj/xcshareddata/xcschemes/kordophoned.xcscheme
+++ b/MessagesBridge.xcodeproj/xcshareddata/xcschemes/kordophoned.xcscheme
@@ -61,6 +61,12 @@
            ReferencedContainer = "container:MessagesBridge.xcodeproj">
         </BuildableReference>
      </BuildableProductRunnable>
+      <CommandLineArguments>
+         <CommandLineArgument
+            argument = "${BUILT_PRODUCTS_DIR}/libagentHook.dylib"
+            isEnabled = "YES">
+         </CommandLineArgument>
+      </CommandLineArguments>
      <AdditionalOptions>
      </AdditionalOptions>
   </LaunchAction>
--- a/README.md
+++ b/README.md
@@ -6,3 +6,12 @@ sudo defaults write /Library/Preferences/com.apple.security.coderequirements Ent
 ```

 Maybe a better thing to do is to DYLD_PRELOAD `imagent` and swizzle `IMDAuditTokenTaskHasEntitlement` to always return YES. 
+
+
+## Building/linking 
+If you get dyld errors running from the command line, use `install_name_tool` to update the @rpath (where @rpath points to where linked Frameworks like GCDWebServer is).
+    `install_name_tool -add_rpath . ./kordophoned`
+
+
+## Running
+You need to hook imagent first to bypass entitlements check. Look at `hookAgent.sh`
--- a/agentHook/agentHook.m
+++ b/agentHook/agentHook.m
@@ -0,0 +1,19 @@
+#import <mach/message.h>
+#import <Foundation/Foundation.h>
+
+#include <dlfcn.h>
+
+#define DYLD_INTERPOSE(_replacment,_replacee) \
+__attribute__((used)) static struct{ const void* replacment; const void* replacee; } _interpose_##_replacee \
+__attribute__ ((section ("__DATA,__interpose"))) = { (const void*)(unsigned long)&_replacment, (const void*)(unsigned long)&_replacee };
+
+
+BOOL IMDAuditTokenTaskHasEntitlement(audit_token_t *auditToken, NSString *entitlement);
+
+BOOL replacement__IMDAuditTokenTaskHasEntitlement(audit_token_t *auditToken, NSString *entitlement)
+{
+    // Bypass all entitlement checks
+    return YES;
+}
+
+DYLD_INTERPOSE(replacement__IMDAuditTokenTaskHasEntitlement, IMDAuditTokenTaskHasEntitlement);
--- a/agentHook/hookAgent.sh
+++ b/agentHook/hookAgent.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# This script is necessary to circumvent the entitlements check in imagent.
+# Might want to wrap this script up in a startup script or something so we make sure this
+# happens every time.
+
+if [[ $# -lt 1 ]]; then
+    echo "Usage: hookAgent.sh libagentHook.dylib"
+    exit 0
+fi
+
+LIB_PATH=$(python -c "import os; print(os.path.realpath('$1'))")
+echo "Library path: $LIB_PATH"
+
+echo "Telling imagent to launch with inserted libraries for uid $EUID"
+sudo launchctl debug gui/$EUID/com.apple.imagent --environment DYLD_INSERT_LIBRARIES=$LIB_PATH
+launchctl kill SIGKILL gui/501/com.apple.imagent
+
+
--- a/kordophone/Bridge/MBIMBridge.h
+++ b/kordophone/Bridge/MBIMBridge.h
@@ -8,9 +8,14 @@

 #import <Foundation/Foundation.h>

+// See note in hooking.m about why this was a bad idea
+#define HOOK_IMAGENT 0
+
 NS_ASSUME_NONNULL_BEGIN

@interface MBIMBridge : NSObject
+@property (nonatomic, assign) const char *dylibPath;
+
 + (instancetype)sharedInstance;

 - (instancetype)init NS_UNAVAILABLE;
--- a/kordophone/Bridge/MBIMBridge.m
+++ b/kordophone/Bridge/MBIMBridge.m
@@ -8,6 +8,7 @@

 #import "MBIMBridge.h"
 #import "MBIMBridgeOperation.h"
+#import "hooking.h"

 #import <GCDWebServers/GCDWebServers.h>

@@ -55,14 +56,32 @@ static NSString *const MBIMBridgeToken = @"net.buzzert.kordophone";
    return self;
 }

+- (void)_terminate
+{
+    // *shrug*
+    exit(0);
+}
+
 #pragma mark -
 #pragma mark Connection

 - (void)connect
 {
+#if HOOK_IMAGENT
+    char *errorString = nil;
+    BOOL hooked = HookIMAgent(self.dylibPath, &errorString);
+    if (!hooked) {
+        NSString *errorNSString = [NSString stringWithUTF8String:errorString];
+        NSLog(@"Error hooking imagent: %@", errorNSString);
+        return;
+    }
+#endif
+    
    if (![sDaemonController hasListenerForID: MBIMBridgeToken]) {
        if (![sDaemonController addListenerID:MBIMBridgeToken capabilities:(kFZListenerCapFileTransfers | kFZListenerCapManageStatus | kFZListenerCapChats | kFZListenerCapMessageHistory | kFZListenerCapIDQueries | kFZListenerCapSendMessages)]) {
            NSLog(@"Failed to connect to imagent");
+            
+            [self _terminate];
        }
    }
 }
@@ -158,6 +177,7 @@ static NSString *const MBIMBridgeToken = @"net.buzzert.kordophone";
        NSLog(@"iMessage account connected: %@", iMessageAccount);
    } else {
        NSLog(@"imagent returned no accounts (not entitled?)");
+        [self _terminate];
    }
 }

--- a/kordophone/Hooking/hooking.h
+++ b/kordophone/Hooking/hooking.h
@@ -0,0 +1,12 @@
+//
+//  hooking.h
+//  MessagesBridge
+//
+//  Created by James Magahern on 11/13/18.
+//  Copyright © 2018 James Magahern. All rights reserved.
+//
+
+#import <Foundation/Foundation.h>
+
+// Returns success and a populated errorString on error.
+BOOL HookIMAgent(const char *hookDylibPath, char **errorString);
--- a/kordophone/Hooking/hooking.m
+++ b/kordophone/Hooking/hooking.m
@@ -0,0 +1,75 @@
+//
+//  hooking.c
+//  kordophoned
+//
+//  Created by James Magahern on 11/13/18.
+//  Copyright © 2018 James Magahern. All rights reserved.
+//
+
+#include "hooking.h"
+#include <stdlib.h>
+#include <dlfcn.h>
+#include <unistd.h>
+
+BOOL HookIMAgent(const char *relativeDylibPath, char **errorString)
+{
+    NSLog(@"Hooking imagent");
+    
+    const char *hookDylibPath = realpath(relativeDylibPath, NULL);
+    
+    // See if file is there.
+    int succ = access(hookDylibPath, R_OK);
+    if (succ != 0) {
+        *errorString = "Unable to access hook dylib. Does file exist?";
+        return NO;
+    }
+    
+    // Make sure we can load the dylib (filters out codesigning issues)
+    void *handle = dlopen(hookDylibPath, RTLD_NOW);
+    if (!handle) {
+        *errorString = dlerror();
+        return NO;
+    }
+    
+    /*********
+     ***********
+     PROBABLY DON'T DO THIS
+     
+     If other processes start and load agentHook, then they will crash because dyld tries to
+     interpose a function that doesn't exist.
+     
+     A better way (maybe put this in a script or something):
+     ( But launchctl debug needs to run as root :( )
+     
+     $ launchctl debug gui/501/com.apple.imagent --environment DYLD_INSERT_LIBRARIES=(path to libagentHook.dylib)
+     
+     $ launchctl kill SIGKILL gui/501/com.apple.imagent
+     
+     // then let it restart...
+     
+     **/
+    
+    // Set launchd DYLD_INSERT_LIBRARIES environment variable
+    const char *systemCommandFormatString = "/bin/launchctl setenv DYLD_INSERT_LIBRARIES %s";
+    size_t bufferSize = strlen(systemCommandFormatString) + strlen(hookDylibPath) + 2;
+    char *systemCommand = (char *)malloc(sizeof(char) * bufferSize);
+    
+    sprintf(systemCommand, "/bin/launchctl setenv DYLD_INSERT_LIBRARIES %s", hookDylibPath);
+    int setEnvSucc = system(systemCommand);
+    if (setEnvSucc != 0) {
+        *errorString = "Unable to set launchd environment variable.";
+        return NO;
+    }
+    
+    NSLog(@"Successfully setup environment variables");
+    
+    // Kill imagent so the new one has the loaded bundle
+    NSLog(@"Killing imagent...");
+    int killAgentSuccess = system("killall imagent");
+    
+    dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(0.5 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{
+        system("/bin/launchctl unsetenv DYLD_INSERT_LIBRARIES");
+    });
+    
+    return (killAgentSuccess == 0);
+}
--- a/kordophone/kordophone.entitlements
+++ b/kordophone/kordophone.entitlements
@@ -1,47 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-	<key>com.apple.private.corespotlight.search.internal</key>
-	<true/>
-	<key>com.apple.private.corespotlight.internal</key>
-	<true/>
-	<key>com.apple.CommCenter.fine-grained</key>
-	<array>
-		<string>spi</string>
-	</array>
-	<key>com.apple.accounts.inactive.fullaccess</key>
-	<true/>
-	<key>com.apple.imagent</key>
-	<true/>
-	<key>com.apple.private.accounts.allaccounts</key>
-	<true/>
-	<key>com.apple.private.aps-connection-initiate</key>
-	<array>
-		<string>com.apple.ess</string>
-		<string>com.apple.madrid</string>
-	</array>
-	<key>com.apple.private.communicationsfilter</key>
-	<true/>
-	<key>com.apple.private.ids.idquery-cache</key>
-	<true/>
-	<key>com.apple.private.ids.remoteurlconnection</key>
-	<true/>
-	<key>com.apple.private.imcore.imdpersistence.database-access</key>
-	<true/>
-	<key>com.apple.private.tcc.allow</key>
-	<array>
-		<string>kTCCServiceAddressBook</string>
-	</array>
-	<key>keychain-access-groups</key>
-	<array>
-		<string>appleaccount</string>
-		<string>InternetAccounts</string>
-		<string>IMCore</string>
-		<string>ichat</string>
-		<string>apple</string>
-	</array>
-	<key>com.apple.logd.admin</key>
-	<true/>
-</dict>
-</plist>
--- a/kordophone/main.m
+++ b/kordophone/main.m
@@ -13,6 +13,16 @@
 int main(int argc, const char * argv[]) {
    @autoreleasepool {
        MBIMBridge *bridge = [MBIMBridge sharedInstance];
+        
+#if HOOK_IMAGENT
+        if (argc < 2) {
+            fprintf(stderr, "Usage: kordophoned agentHook.dylib\n");
+            return 1;
+        }
+        
+        bridge.dylibPath = argv[1];
+#endif
+        
        [bridge connect];
        
        BOOL running = YES;