tfp0 for iOS 9.0-9.3.4


A tfp0 patch for iOS 9, based on the Pegasus/Trident vulnerabilities.


On macOS with Xcode and the Xcode command line tools installed:


On a different OS with an iOS SDK and ldid installed:

  • Download an XNU source tarball and unzip it.
  • Download an IOKitUser source tarball and unzip it.
  • Export the following environment variables:



./cl0ver panic [log=file]
    Panic the device, loading to PC:
    on 32-bit: the base address of __DATA.__const
    on 64-bit: the OSString vtable

./cl0ver slide [log=file]
    Print kernel slide

./cl0ver dump [log=file]
    Dump kernel to kernel.bin

./cl0ver [log=file]
    Apply tfp0 kernel patch

If log=file is given, output is written to "file" instead of stderr/syslog.

Device/OS Support

Only a small set of device/OS combinations is currently supported.
If you would like me to add support for yours, please run ./cl0ver panic and open a ticket containing cl0ver's output as well as the panic log.


If you know the stack anchor and the OSString vtable address for an unsupported device/OS and don't want to wait for me to add support for it, you can do the following:
Create a file at /etc/cl0ver/config.txt containing, in hexadecimal, the stack anchor on line 1 and the OSString vtable address on line 2.

If you want a dumped kernel to be saved, and calculated offsets to be cached, make sure the directory /etc/cl0ver exists and is writable by the current user.

If you have a dumped/decrypted kernel and want to skip kernel dumping, place it at /etc/kernel.bin.


This repo doesn't contain any code for a GUI/Sandbox app, but a libcl0ver.a is built, which can be linked against. You'll most likely want to call functions from exploit.h.
And you'll want to call them like:

dump_kernel([[NSHomeDirectory() stringByAppendingPathComponent:@"Documents"] stringByAppendingPathComponent:@"kernel.bin"].UTF8String);
// or
get_kernel_task([NSHomeDirectory() stringByAppendingPathComponent:@"Documents"].UTF8String);


[ Here ]


Unless otherwise noted at the top of the file, all files in this repository are released under the MIT License.