buzzert/Kordophone

Private

Public Access

Fork 0

Go to file

James Magahern b7312bccb9 adds /resolveHandle for resolving handles

2024-10-01 19:52:21 -07:00

agentHook

Experimental SSL support

2019-01-22 23:31:36 -08:00

CocoaHTTPServer @ 52b2a64e9c

Switches from GCDWebServer to CocoaHTTPServer so we can have HTTPS eventually

2018-11-16 01:30:38 -08:00

Dumped Classes

adds /resolveHandle for resolving handles

2024-10-01 19:52:21 -07:00

kordophone

adds /resolveHandle for resolving handles

2024-10-01 19:52:21 -07:00

MessagesBridge.xcodeproj

adds /resolveHandle for resolving handles

2024-10-01 19:52:21 -07:00

Services

Adds launchd services

2021-06-06 23:39:24 -07:00

Tests

Some basic crypto laid down and tests

2018-11-15 14:50:40 -08:00

.gitmodules

Removed GCDWebServer submodule

2018-11-16 01:32:09 -08:00

Makefile

Add Makefile for ez installing

2021-07-06 23:41:39 -07:00

README.md

Don't build using restricted entitlements by default.

2022-08-03 16:56:53 -07:00

README.md

Entitlements

You might to enable this default to use private entitlements

sudo defaults write /Library/Preferences/com.apple.security.coderequirements Entitlements -string always

Maybe a better thing to do is to DYLD_PRELOAD imagent and swizzle IMDAuditTokenTaskHasEntitlement to always return YES.

Included in the project is "kordophoned-RestrictedEntitlements.plist", which contains all necessary restricted entitlements. On production macOS builds, the kernel will kill kordophoned immediately if it's signed using restricted entitlements, so agent hook is a better option when running on prod machines. By default, the project is configured to ignore kordophoned-RestrictedEntitlements.plist when building.

Building/linking

If you get dyld errors running from the command line, use install_name_tool to update the @rpath (where @rpath points to where linked Frameworks like GCDWebServer is). install_name_tool -add_rpath . ./kordophoned

Running

You need to hook imagent first to bypass entitlements check. Look at hookAgent.sh

SSL

If you want to run with SSL, you have to generate a self-signed certificate, and have the Mac trust the root cert.

Generate a root cert

Generate root key openssl genrsa -out Kordophone-root.key 4096
Generate root certificate openssl req -x509 -new -nodes -key Kordophone-root.key -sha256 -days 1024 -out Kordophone-root.crt
Add this certificate to the Mac's trust store via Keychain Access. Set to "Always Trust"

Create signing certificate by signing a new cert with the root cert

Generate signing key openssl genrsa -out kp.localhost.key 2048
Create certificate signing request openssl req -new -key kp.localhost.key -out kp.localhost.csr
Sign the cert with the root cert openssl x509 -req -in kp.localhost.csr -CA Kordophone-root.crt -CAkey Kordophone-root.key -CAcreateserial -out kp.localhost.crt -days 365 -sha256
kordophoned works with a signing cert in PKCS12 format. Convert the cert and the privkey to PKCS12 openssl pkcs12 -export -in kp.localhost.crt -inkey kp.localhost.key -out certificate.p12 -name "Kordophone"

Start kordophone with the SSL options and provide the p12

kordophoned -s -c certificate.p12

Authentication

Basic Authentication is also optional, but requires SSL to be enabled as well. To configure basic authentication, create a file containing your username and password on two separate lines encrypted with your GPG key.

echo "username\npassword" > password.txt" gpg -e -r (your email) -o password.asc password.txt

Then run kordophoned with the following option kordophone -s -c certificate.p12 -a password.asc

You may need to unlock your GPG keyring (via gpg-agent) when running kordophoned the first time.

Releases 1

Monorepo release Latest

2025-09-08 01:20:24 +00:00

Languages

Objective-C 38.8%

Rust 29.5%

Kotlin 11.9%

Vala 8.3%

Swift 5.8%

Other 5.5%