A tfp0 patch for iOS 9, based on the Pegasus/Trident vulnerabilities.
Precompiled binaries can be obtained from here.
On macOS with XCode and XCode's command line tools installed:
On a different OS with an iOS SDK and
Download a XNU source tarball and unzip it.
Download an IOKitUser source tarball and unzip it.
Export the following environment variables:
LIBKERN=path/to/xnu/libkern OSFMK=path/to/xnu/osfmk IOKIT=path/to/IOKitUser IGCC=ios-compiler-command LIBTOOL=ios-libtool-command SIGN=ldid SIGN_FLAGS=-S
Command line arguments:
./cl0ver panic [log=file] Panic the device, loading to PC: on 32-bit: the base address of __DATA.__const on 64-bit: the OSString vtable ./cl0ver slide [log=file] Print kernel slide ./cl0ver dump [log=file] Dump kernel to kernel.bin ./cl0ver [log=file] Apply tfp0 kernel patch If log=file is give, output is written to "file" instead of stderr/syslog.
But before you can use it, cl0ver needs information about your kernel. There are 3 files it might or might not need:
Start by running
./cl0ver slide. If that tells you the kernel slide, this file isn't required. If it tells you "Unhandled error: Unsupported device", do the following:
./cl0ver panic(preferably over SSH) and save the output you get. This should crash your device and generate a panic log (you can find panic logs in Settings > Privacy > Diagnostics & Usage > Diagnostics & Usage > panic-XXX.ips). Somewhere near the top you should see "panic(cpu 0 caller 0xffffff80...)". The message after that should read "Kernel instruction fetch abort: pc=0xffffff80...". It is important that the first 8 characters of that value are
0xffffff80. Any value starting with
0xffffff81is useless. If you didn't get a panic log, or if the panic log does not fulfill the above criteria, repeat the process (also discard the saved output of cl0ver and save the new one).
Once you get a panic log, open a ticket and post both your saved output and your panic log (they might be too long to include in your ticket - in that case, post them to pastebin or something and leave a link). I will then attempt to extract the values you have to put in your config.
Check the offsets folder to see if a file for your device and OS version is available. If there is one, download it and put it at the mentioned path. If there isn't one available, simply skip this file.
If you already got an
offsets.datfile, this file isn't required.
if you have no offsets file, first check if decryption keys are available for your device/OS version. If they are, decrypt and extract your kernel from the IPSW and put it at
If none of the above is the case, run
./cl0ver dump, but be warned: due to the nature of the Pegasus vulnerabilities, dumping is inherently unstable, and there's a good chance your device will just crash. If your device (eventually) doesn't crash however, you should be left with a
kernel.binfile. Simply move it to
Once you've verified for each of the above files that you either have it or don't need it, you can go ahead and run
./cl0ver without any other arguments. It should take less than a second to complete, and end with the line:
[*] Successfully installed patch
If you see this line, the chances that it went wrong are practically zero, but if you like, you can still verify with any tool that uses the kernel task.
kmap from kern-utils is a good candidate IMO (just make sure to run as root).
Now, if it all worked out for you and there was no
offsets.dat available for your device/OS version, please open a ticket and attach it there - you'll be doing others a great favour. :)
This repo doesn't contain any code for a GUI/Sandbox app, but a
libcl0ver.a is built, which can be linked against. You'll most likely want to call functions from
And you'll want to call them like:
dump_kernel([[NSHomeDirectory() stringByAppendingPathComponent:@"Documents"] stringByAppendingPathComponent:@"kernel.bin"].UTF8String); // or get_kernel_task([NSHomeDirectory() stringByAppendingPathComponent:@"Documents"].UTF8String);
Unless otherwise noted at the top of the file, all files in this repository are released under the MIT License.