KP in FindKernelBase() #4
Comments
I'm aware FindKernelBase() might cause panics; I'll add a separate method to init with the kernel base. I'm aware code injection & trustcache also don't work.
On Thursday, 31 January 2019, TrungNguyen1909 <notifications@github.com> wrote:
Use the one in voucher_swap instead. It works fine.
I'm trying to adapt voucher_swap to rootlessJB, stuck at the AMFI stage.
The trustbin method KPs (of course); patchAMFI cannot set the exception port.
Logs:
[D] platform: iPhone8,1 16C101
[+] created 1024 pipes
[+] created 8000 ports
[+] sprayed 16777216 bytes to 1024 pipes in kalloc.16384
[+] created 3564 vouchers
[+] sprayed 315752448 bytes to 8 ports in kalloc.1024
[+] stashed voucher pointer in thread
...........................................................................................................................................................................
[+] sprayed 357924864 bytes of OOL ports to 4 ports in kalloc.32768
[+] recovered voucher port 0xf07 for freed voucher
[+] adding references to the freed voucher to change the OOL port pointer
[+] receiving the OOL ports will leak port 0x1ebf03
[+] received voucher port 0xf07 in OOL ports
[+] voucher overlapped at offset 0x5ae0
[+] received fake port 0xd07
[+] port is at pipe index 256
[+] got ip_requests at 0xffffffe01c4c9300
[+] fake port is at offset 5712
[+] base port is at 0xffffffe005d15650
[+] kernel_task is at 0xffffffe00026e1c0
[+] done! port 0xd07 is tfp0
[D] found kernel slide 0x0000000004e00000
[*] Starting fun
[*] Initializing jelbrekLib
[i] offsets selected for iOS 12.0 or above
[+] Initialized patchfinder
[*] Unsandboxing pid 220
[*] copying to /var/mobile/Containers/Data/Application/A6F314E3-3541-4FB1-B46D-13601E5A67DB/Documents/31.01.19:13.16.21_kernelcache
[*] Sandboxing pid 220 with slot at 0xffffffe0058f3aa0
[i] Mach-o header at 0x1C0
[lzss] Opening /var/mobile/Containers/Data/Application/A6F314E3-3541-4FB1-B46D-13601E5A67DB/Documents/31.01.19:13.16.21_kernelcache for reading
[lzss] Opening /var/mobile/Containers/Data/Application/A6F314E3-3541-4FB1-B46D-13601E5A67DB/Documents/31.01.19:13.16.21_kernelcache.dec for writing
[+] Decompressed kernelcache!
[+] Initialized KernelSymbolFinder
[+] kexecute: got user client: 0x1ebf07
[i] Kernel base: 0xfffffff00be04000
[i] uid: 0
[*] Unsandboxing pid 220
[+] Escaped sandbox!
Wrote file 0x121e9eaf8
[-] Old host type: 0x80000000
[-] New host type: 0x80000004
[remap_kernel_task] kernel task at 0xffffffe00026e1c0
[*] vm_kernel_page_size: 4000
[+] allocated address: ffffffe000014000
[*] address to wire: ffffffe000014000
[*] vm_kernel_page_size: 4000
[+] allocated address: ffffffe00001c000
[*] address to wire: ffffffe00001c000
[remap_kernel_task] remapped successfully to 0xffffffe005a4e1c0
[remap_kernel_task] port kaddr: 0xffffffe005d158f0
[*] vm_kernel_page_size: 4000
[+] allocated address: ffffffe000024000
[*] address to wire: ffffffe000024000
[*] Installing bootstrap...
......................................................
[+] Installed bootstrap!
[*] amfid, it's your turn
[i] amfid's PID: 221
[*] Setting Entitlements...
[i] before: get-task-allow is 0x0
[i] after: get-task-allow is 0xffffffe00020e140
[*] Getting task port
[*] Got amfid's task port? :) 0x1e7907
[+] amfid_task_port = 0x1e7907
[+] AMFID_ExceptionPort = 0x1ec207
[-] Error setting amfid exception port: (os/kern) invalid argument
[*] About to search for the binary load address
[+] About to call mach_vm_region
[-] Failed to get the region: (os/kern) invalid argument
[i] Amfid load address: 0xffffffffffffffff
[amfid][-] Error reading MISVSACI: (os/kern) invalid argument
[*] Will trust /var/containers/Bundle/tweaksupport/usr/bin/inject_dylib
[*] trust_chain at 0xfffffff00aa78000
Well, kernel_slide_init() from voucher_swap can get you the kernel_slide peacefully (maybe we don't really need to find a new method?). I put it just before the voucher_swap exploit returns with tfp0 and added a few lines to stop jelbrekLib from trying FindKernelBase() again. Also, until patchfinder works well, we still have lots of things to do. I tried the KPP bypass from yalu102 but the offsets completely failed, with some 0s in the result (kernel_pmap, cpu_list, ...).
I can't include kernel_slide_init(); iirc it depends on the exploit, so I'll just add an "initWithKernelBase()" method. As for the KPP bypass, it has needed different offsets since iOS 11 and I've tried updating them, but the bypass still doesn't work; not sure if I forgot something or it needs an update.
On Friday, 1 February 2019, TrungNguyen1909 <notifications@github.com> wrote:
Well, kernel_slide_init() from voucher_swap can get you the kernel_slide peacefully (maybe we don't really need to find a new method?). I put it just before the voucher_swap exploit returns with tfp0 and added a few lines to stop jelbrekLib from trying FindKernelBase() again.
Also, until *patchfinder* works well, we still have lots of things to do. I tried the KPP bypass from yalu102 but the offsets completely failed, with some 0s in the result (kernel_pmap, cpu_list, ...).
Maybe the AMFID task port is invalid? Please check out the IP_VALID macro, which is checked by the XNU kernel for invalid argument.
task_for_pid() was fixed. The Developer Image is not put in the FS but mounted after doing checks. Attaching to amfid is not possible because it lacks get-task-allow (you can always add it, but why even attach?).
Impressive. Could you please tell me what was wrong with task_for_pid()?
It was a wrong offset (t_flags) which was breaking platformization. I also added a method to init with the kernel base.
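The thread settles on handing jelbrekLib the kernel base derived from the exploit's slide instead of letting FindKernelBase() scan for it. The following is an added example (not code from jelbrekLib, voucher_swap or rootlessJB) of that derivation plus the sanity check a caller should run before trusting the value: page alignment, a non-negative slide, a read that is allowed to fail, and the arm64 Mach-O header fields. The unslid link address KERNEL_STATIC_BASE is an assumption, chosen because it agrees with the log above (0xfffffff007004000 + slide 0x4e00000 gives the logged base 0xfffffff00be04000); the kread_fn signature, the fake_kernel buffer standing in for kernel memory, and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* arm64 Mach-O constants (values as in <mach-o/loader.h> and <mach/machine.h>). */
#define MH_MAGIC_64        0xfeedfacfu
#define MH_EXECUTE         0x2u
#define CPU_TYPE_ARM64     0x0100000cu          /* CPU_ARCH_ABI64 | CPU_TYPE_ARM */
#define KERNEL_PAGE_SIZE   0x4000ull            /* vm_kernel_page_size 0x4000 in the log */
/* ASSUMPTION: unslid link address of the kernelcache. Consistent with the log:
 * 0xfffffff007004000 + 0x4e00000 == logged kernel base 0xfffffff00be04000. */
#define KERNEL_STATIC_BASE 0xfffffff007004000ull

struct mach_header_64 {
    uint32_t magic, cputype, cpusubtype, filetype;
    uint32_t ncmds, sizeofcmds, flags, reserved;
};

/* Hypothetical read primitive: must return false for an unreadable address
 * rather than faulting, otherwise no userland check can prevent a panic. */
typedef bool (*kread_fn)(uint64_t kaddr, void *out, size_t len, void *ctx);

uint64_t kernel_base_from_slide(uint64_t slide)
{
    return KERNEL_STATIC_BASE + slide;
}

/* 0 = base carries the kernel's Mach-O header; negative = reason for refusal.
 * Cheap arithmetic checks run before any kernel memory is touched, and a failed
 * read stops the procedure instead of being followed by more reads. */
int validate_kernel_base(uint64_t base, kread_fn kread, void *ctx)
{
    struct mach_header_64 mh;
    if (base & (KERNEL_PAGE_SIZE - 1))     return -1; /* kernel base is page aligned */
    if (base < KERNEL_STATIC_BASE)         return -2; /* the slide is never negative */
    if (!kread(base, &mh, sizeof mh, ctx)) return -3; /* unreadable: refuse, do not scan on */
    if (mh.magic    != MH_MAGIC_64)        return -4;
    if (mh.cputype  != CPU_TYPE_ARM64)     return -5;
    if (mh.filetype != MH_EXECUTE)         return -6;
    return 0;
}

/* --- constructed stand-in for kernel memory so the example runs offline --- */
struct fake_kernel {
    uint64_t base;              /* slid address of image[0] */
    uint8_t  image[2 * 0x4000]; /* two pages: header page followed by an empty page */
};
static struct fake_kernel g_fake;

void build_fake_kernel(struct fake_kernel *k, uint64_t slide)
{
    struct mach_header_64 mh = { MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 0, 0, 0, 0 };
    memset(k, 0, sizeof *k);
    k->base = kernel_base_from_slide(slide);
    memcpy(k->image, &mh, sizeof mh);
}

/* Bounds-checked read over the fake image; out-of-range reads fail cleanly. */
bool fake_kread(uint64_t kaddr, void *out, size_t len, void *ctx)
{
    struct fake_kernel *k = ctx;
    if (kaddr < k->base || kaddr - k->base + len > sizeof k->image) return false;
    memcpy(out, k->image + (kaddr - k->base), len);
    return true;
}

int main(void)
{
    uint64_t slide = 0x4e00000ull;               /* slide reported in the log above */
    uint64_t base  = kernel_base_from_slide(slide);
    build_fake_kernel(&g_fake, slide);
    printf("slide 0x%llx -> base 0x%llx, check=%d\n", (unsigned long long)slide,
           (unsigned long long)base, validate_kernel_base(base, fake_kread, &g_fake));
    printf("one page below: %d, one page above: %d\n",
           validate_kernel_base(base - KERNEL_PAGE_SIZE, fake_kread, &g_fake),
           validate_kernel_base(base + KERNEL_PAGE_SIZE, fake_kread, &g_fake));
    return 0;
}
```

The order of the checks is the point: a base that fails alignment or lies below the static address is rejected without any kernel access, and an address the primitive cannot read is treated as a hard stop rather than a cue to keep probing neighbouring pages, which is exactly the kind of blind scan that turns a bad guess into a panic.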