async_wake with a bit of fun! - async_awake by Ian Beer (https://bugs.chromium.org/p/project-zero/issues/detail?id=1417#c3)
Switch branches/tags
Nothing to show
Clone or download
Latest commit 6ffb822 Jan 2, 2018
Permalink
Failed to load latest commit information.
async_wake_ios.xcodeproj amfid patch i think Dec 24, 2017
async_wake_ios Fixed FAT issue Dec 25, 2017
README.md Update README.md Jan 2, 2018

README.md

Fun additions to async_wake

Features:

  • setuid(0) with no kernel panic
  • mount / as rw
  • AMFI bypass via trustcache injection
  • amfid patch - utilises the AMFI bypass to inject into amfid and replace MISValidateSignatureAndCopyInfo with our own version

See the comments for an explanation for some of the things going on. Better kexecute explanations can be found by people like Siguza and @bazad (on GH). I might consider doing a proper explanation of the AMFI.kext bypass (a good overview can be found in *OS Internals Vol. 3, but I would go in detail at code level), and the amfid bypass (I've already briefly explaned in #21, but again, go a bit deeper)

Credits:

  • Ian Beer for the original exploit
  • @xerub for the KPPless patches
  • @s1guza for the base of the kexecute idea of modifying the vtable of a user client (which I used before I noticed Ian Beer includes it), and the resolving of the upper 4 bytes of memory addresses returned from kexecute
  • @theninjaprawn for amfid patch
  • @coolstarorg for doing the cooler stuff (see his fork https://github.com/coolstar/async_awake-fun - he's got a jailbreakd daemon + more)
  • @stek29, @nullriver