Difference between revisions of "Kernel Patches"
m (→iOS 5.1.1b - 9B208: changed b to r, as requested by Adaminsull (b is beta)) |
m (Updating) |
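--- a/Kernel_Patches
+++ b/Kernel_Patches
@@ -11,9 +11,9 @@
 |-
 ! Symbol
-! [[
-! [[
-! [[
-! [[
-! [[
+! [[K48AP]]
+! [[N18AP]]
+! [[N81AP]]
+! [[N88AP]]
+! [[N90AP]]
 |-
 | KERNEL_AMFI_BINARY_CACHE
@@ -120,9 +120,9 @@
 |-
 ! Symbol
-! [[
-! [[
-! [[
-! [[
-! [[
+! [[K48AP]]
+! [[N18AP]]
+! [[N81AP]]
+! [[N88AP]]
+! [[N90AP]]
 |-
 | KERNEL_AMFI_BINARY_CACHE
@@ -229,10 +229,10 @@
 |-
 ! Symbol
-! [[
-! [[
-! [[
-! [[
-! [[
-! [[
+! [[K48AP]]
+! [[N18AP]]
+! [[N81AP]]
+! [[N88AP]]
+! [[N90AP]]
+! [[N92AP]]
 |-
 | KERNEL_CS_ENFORCEMENT
@@ -321,10 +321,10 @@
 |-
 ! Symbol
-! [[
-! [[
-! [[
-! [[
-! [[
-! [[
+! [[K48AP]]
+! [[N18AP]]
+! [[N81AP]]
+! [[N88AP]]
+! [[N90AP]]
+! [[N92AP]]
 |-
 | KERNEL_CS_ENFORCEMENT
@@ -413,10 +413,10 @@
 |-
 ! Symbol
-! [[
-! [[
-! [[
-! [[
-! [[
-! [[
+! [[K48AP]]
+! [[N18AP]]
+! [[N81AP]]
+! [[N88AP]]
+! [[N90AP]]
+! [[N92AP]]
 |-
 | KERNEL_AMFI
@@ -529,10 +529,10 @@
 |-
 ! Symbol
-! [[
-! [[
-! [[
-! [[
-! [[
-! [[
+! [[K48AP]]
+! [[N18AP]]
+! [[N81AP]]
+! [[N88AP]]
+! [[N90AP]]
+! [[N92AP]]
 |-
 | KERNEL_CS_ENFORCEMENT
@@ -621,5 +621,5 @@
 |-
 ! Symbol
-! [[
+! [[N90AP]]
 |-
 | KERNEL_CS_ENFORCEMENT
@@ -653,3 +653,63 @@
 | 0x8004992C
 |}
+
+== Patching the kernel (using inline ASM) ==
+
+Here are some functions, patched to be able to be used for jailbreak kernel patches,
+for vm_map_protect here is the function.
+
+int vm_map_protect_patch()
+{
+__asm{
+AND.W R1, R6, #8
+CMP R1, #6
+IT EQ
+TSTEQ.W R0, #0x40000000
+BNE loc_8004A96A
+BIC.W R6, R6, #4
+}
+}
+
+For vm_map_enter
+
+int vm_map_enter_patch()
+{
+__asm {
+LDR R1, [R7,#cur_protection]
+AND.W R0, R4, #0x80000
+STR R0, [SP,#0xB8+var_54]
+STR R1, [SP,#0xB8+var_78]
+AND.W R0, R1, #8
+CMP R0, #6
+ITT EQ
+LDREQ R0, [SP,#0xB8+var_54]
+CMPEQ R0, #0
+BNE loc_800497F0
+LDR.W R1, =aKern_return_
+MOVS R0, #0
+BL sub_8001D608
+LDR R0, [R7,#cur_protection]
+BIC.W R0, R0, #4
+STR R0, [SP,#0xB8+var_78]
+}
+}
+
+For cs_enforcement_disable (kernel)
+
+int cs_kern_patch()
+{
+__asm LDR.W R3, =dword_802DE330
+__asm MRC p15, 0, R0,c13,c0, 4
+__asm LDR R2, [R4,#0x28]
+__asm LDR R3, #1
+__asm CMP R3, #0
+}
+
+To use this in an untether, use find_vm_map_enter_patch(), find_vm_map_protect_patch() and find_cs_enforcement_disable_kernel() from
+planetbeings ios-jailbreak-finder, then use bcopy() to copy these functions (which are patched) to the address of the actual functions
+heres an example
+
+uint32_t *p = malloc(0xd00000)
+uint32_t cs_kern = find_cs_enforcement_disable(kernel_file, p, sizeof(p));
+bcopy((void*)cs_kern_patch, cs_kern, sizeof(cs_kern_patch));
 ==References==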
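Review bot: The new "Patching the kernel" section ties its listings to one specific kernel build without saying which: every branch target and symbol in the added lines (`loc_8004A96A`, `loc_800497F0`, `sub_8001D608`, `aKern_return_`, `dword_802DE330`, the `var_54`/`var_78` frame slots) is a disassembler-generated name from a single image, and the section never states the iOS build or device it was taken from, so a reader pairing it with the offset tables above cannot tell which row it belongs to. I would add one line under the heading: `These listings were taken from the <iOS BUILD / DEVICE — fill in> kernel; the loc_/sub_/dword_/var_ names are disassembler labels from that image and do not exist in other builds.` The closing example also does not compile as written — the `malloc` line lacks a `;`, `sizeof(p)` is the size of a pointer rather than of the allocation, `sizeof` is applied to a function, and the prose names `find_cs_enforcement_disable_kernel()` while the code calls `find_cs_enforcement_disable()` — which is worth stating on the page rather than presenting it as tested code. `LDR R3, #1` in cs_kern_patch is not a valid LDR operand form and looks like a transcription error; it should be confirmed against the source disassembly.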
For the patches applied together with a jailbreak, most groups rely on a list of patches generated by comex. See https://github.com/comex/datautils0/blob/master/make_kernel_patchfile.c
See also saurik's comment for a list of "the 'best practice' patches that jailbreaks install by default" on ycombinator.
Kernel Offsets
(Initial list copied from Unthredera1n source code.)
Offsets
iOS 4.3.4 - 8K2
Symbol | K48AP | N18AP | N81AP | N88AP | N90AP |
---|---|---|---|---|---|
KERNEL_AMFI_BINARY_CACHE | 0x80355394 | 0x80706394 | 0x80618394 | 0x80688394 | 0x80759394 |
KERNEL_CS_ENFORCEMENT_DISABLE | 0x8027EB5C | 0x8027EB5C | 0x8027EB5C | 0x8027EB5C | 0x8027EB5C |
KERNEL_DEBUG_ENABLED | 0x802D427C | 0x802D427C | 0x802D427C | 0x802D427C | 0x802D427C |
KERNEL_FLUSH_DCACHE | 0x80063504 | 0x80063504 | 0x80063504 | 0x80063504 | 0x80063504 |
KERNEL_FLUSH_ICACHE | 0x800636F4 | 0x800636F4 | 0x800636F4 | 0x800636F4 | 0x800636F4 |
KERNEL_IOLOG | 0x801CBE65 | 0x801CBE65 | 0x801CBE65 | 0x801CBE65 | 0x801CBE65 |
KERNEL_NX_ENABLE | 0x8027F304 | 0x8027F304 | 0x8027F304 | 0x8027F304 | 0x8027F304 |
KERNEL_PROC_ENFORCE | 0x8029C1E4 | 0x8029C1E4 | 0x8029C1E4 | 0x8029C1E4 | 0x8029C1E4 |
KERNEL_SANDBOX | 0x80366CA6 | 0x807EACA6 | 0x80939CA6 | 0x80809CA6 | 0x80966CA6 |
KERNEL_SYSCALL0 | 0x802926EC | 0x802926EC | 0x802926EC | 0x802926EC | 0x802926EC |
KERNEL_SYSCALL0_VALUE | 0x8018246D | 0x8018246D | 0x8018246D | 0x8018246D | 0x8018246D |
KERNEL_TASK_FOR_PID | 0x801A7DF6 | 0x801A7DF6 | 0x801A7DF6 | 0x801A7DF6 | 0x801A7DF6 |
KERNEL_VM_MAP_ENTER | 0x80043FC8 | 0x80043FC8 | 0x80043FC8 | 0x80043FC8 | 0x80043FC8 |
KERNEL_VM_MAP_PROTECT | 0x8004115E | 0x8004115E | 0x8004115E | 0x8004115E | 0x8004115E |
iOS 4.3.5 - 8L1
Symbol | K48AP | N18AP | N81AP | N88AP | N90AP |
---|---|---|---|---|---|
KERNEL_AMFI_BINARY_CACHE | 0x80355394 | 0x80706394 | 0x80618394 | 0x80688394 | 0x80759394 |
KERNEL_CS_ENFORCEMENT_DISABLE | 0x8027EB5C | 0x8027EB5C | 0x8027EB5C | 0x8027EB5C | 0x8027EB5C |
KERNEL_DEBUG_ENABLED | 0x802D427C | 0x802D427C | 0x802D427C | 0x802D427C | 0x802D427C |
KERNEL_FLUSH_DCACHE | 0x80063504 | 0x80063504 | 0x80063504 | 0x80063504 | 0x80063504 |
KERNEL_FLUSH_ICACHE | 0x800636F4 | 0x800636F4 | 0x800636F4 | 0x800636F4 | 0x800636F4 |
KERNEL_IOLOG | 0x801CBE65 | 0x801CBE65 | 0x801CBE65 | 0x801CBE65 | 0x801CBE65 |
KERNEL_NX_ENABLE | 0x8027F304 | 0x8027F304 | 0x8027F304 | 0x8027F304 | 0x8027F304 |
KERNEL_PROC_ENFORCE | 0x8029C1E4 | 0x8029C1E4 | 0x8029C1E4 | 0x8029C1E4 | 0x8029C1E4 |
KERNEL_SANDBOX | 0x80366CA6 | 0x807EACA6 | 0x80939CA6 | 0x80809CA6 | 0x80966CA6 |
KERNEL_SYSCALL0 | 0x802926EC | 0x802926EC | 0x802926EC | 0x802926EC | 0x802926EC |
KERNEL_SYSCALL0_VALUE | 0x8018246D | 0x8018246D | 0x8018246D | 0x8018246D | 0x8018246D |
KERNEL_TASK_FOR_PID | 0x801A7DF6 | 0x801A7DF6 | 0x801A7DF6 | 0x801A7DF6 | 0x801A7DF6 |
KERNEL_VM_MAP_ENTER | 0x80043FC8 | 0x80043FC8 | 0x80043FC8 | 0x80043FC8 | 0x80043FC8 |
KERNEL_VM_MAP_PROTECT | 0x8004115E | 0x8004115E | 0x8004115E | 0x8004115E | 0x8004115E |
iOS 5.0 - 9A334
Symbol | K48AP | N18AP | N81AP | N88AP | N90AP | N92AP |
---|---|---|---|---|---|---|
KERNEL_CS_ENFORCEMENT | 0x80045738 | 0x80045738 | 0x80045738 | 0x80045738 | 0x80045738 | 0x80045738 |
KERNEL_FLUSH_DCACHE | 0x800719C4 | 0x800719C4 | 0x800719C4 | 0x800719C4 | 0x800719C4 | 0x800719C4 |
KERNEL_FLUSH_ICACHE | 0x80071AC4 | 0x80071AC4 | 0x80071AC4 | 0x80071AC4 | 0x80071AC4 | 0x80071AC4 |
KERNEL_IOLOG | 0x80203EDD | 0x80203EDD | 0x80203EDD | 0x80203EDD | 0x80203EDD | 0x80203EDD |
KERNEL_NX_ENABLE | 0x802BAB84 | 0x802BAB84 | 0x802BAB84 | 0x802BAB84 | 0x802BAB84 | 0x802BAB84 |
KERNEL_PE_DEBUGGER | 0x80241704 | 0x80241700 | 0x80241704 | 0x80241700 | 0x80241704 | 0x80241704 |
KERNEL_SYSCALL0 | 0x802CCBB0 | 0x802CCBB0 | 0x802CCBB0 | 0x802CCBB0 | 0x802CCBB0 | 0x802CCBB0 |
KERNEL_SYSCALL0_VALUE | 0x801B2F79 | 0x801B2F79 | 0x801B2F79 | 0x801B2F79 | 0x801B2F79 | 0x801B2F79 |
KERNEL_TASK_FOR_PID0 | 0x801DFAA4 | 0x801DFAA4 | 0x801DFAA4 | 0x801DFAA4 | 0x801DFAA4 | 0x801DFAA4 |
KERNEL_VM_ENTER | 0x800497D4 | 0x800497D4 | 0x800497D4 | 0x800497D4 | 0x800497D4 | 0x800497D4 |
iOS 5.0.1 - 9A405
Symbol | K48AP | N18AP | N81AP | N88AP | N90AP | N92AP |
---|---|---|---|---|---|---|
KERNEL_CS_ENFORCEMENT | 0x80045738 | 0x80045738 | 0x80045738 | 0x80045738 | 0x80045738 | 0x80045738 |
KERNEL_FLUSH_DCACHE | 0x800719C4 | 0x800719C4 | 0x800719C4 | 0x800719C4 | 0x800719C4 | 0x800719C4 |
KERNEL_FLUSH_ICACHE | 0x80071AC4 | 0x80071AC4 | 0x80071AC4 | 0x80071AC4 | 0x80071AC4 | 0x80071AC4 |
KERNEL_IOLOG | 0x80203F7D | 0x80203F7D | 0x80203F7D | 0x80203F7D | 0x80203F7D | 0x80203F7D |
KERNEL_NX_ENABLE | 0x802BAB84 | 0x802BAB84 | 0x802BAB84 | 0x802BAB84 | 0x802BAB84 | 0x802BAB84 |
KERNEL_PE_DEBUGGER | 0x802417A4 | 0x802417A0 | 0x802417A4 | 0x802417A0 | 0x802417A4 | 0x802417A4 |
KERNEL_SYSCALL0 | 0x802CCBB0 | 0x802CCBB0 | 0x802CCBB0 | 0x802CCBB0 | 0x802CCBB0 | 0x802CCBB0 |
KERNEL_SYSCALL0_VALUE | 0x801B3015 | 0x801B3015 | 0x801B3015 | 0x801B3015 | 0x801B3015 | 0x801B3015 |
KERNEL_TASK_FOR_PID0 | 0x801DFB40 | 0x801DFB40 | 0x801DFB40 | 0x801DFB40 | 0x801DFB40 | 0x801DFB40 |
KERNEL_VM_ENTER | 0x800497D4 | 0x800497D4 | 0x800497D4 | 0x800497D4 | 0x800497D4 | 0x800497D4 |
iOS 5.1 - 9B176
Symbol | K48AP | N18AP | N81AP | N88AP | N90AP | N92AP |
---|---|---|---|---|---|---|
KERNEL_AMFI | 0x805D6718 | |||||
KERNEL_AMFI_KILL | 0x805D62F2 | |||||
KERNEL_CS_ENFORCEMENT | 0x80045874 | 0x80045874 | 0x80045874 | 0x80045874 | 0x80045874 | 0x80045874 |
KERNEL_FLUSH_DCACHE | 0x80072204 | 0x80072204 | 0x80072204 | 0x80072204 | 0x80072204 | 0x80072204 |
KERNEL_FLUSH_ICACHE | 0x80072304 | 0x80072304 | 0x80072304 | 0x80072304 | 0x80072304 | 0x80072304 |
KERNEL_IOLOG | 0x802049DD | 0x802049DD | 0x802049DD | 0x802049DD | 0x802049DD | 0x802049DD |
KERNEL_NX_ENABLE | 0x802BAB84 | 0x802BAB84 | 0x802BAB84 | 0x802BAB84 | 0x802BAB84 | 0x802BAB84 |
KERNEL_PE_DEBUGGER | 0x8024220C | 0x80242208 | 0x8024220C | 0x80242208 | 0x8024220C | 0x8024220C |
KERNEL_SANDBOX | 0x805EE61E | |||||
KERNEL_SYSCALL0 | 0x802CCBB0 | 0x802CCBB0 | 0x802CCBB0 | 0x802CCBB0 | 0x802CCBB0 | 0x802CCBB0 |
KERNEL_SYSCALL0_VALUE | 0x801B3AA5 | 0x801B3AA5 | 0x801B3AA5 | 0x801B3AA5 | 0x801B3AA5 | 0x801B3AA5 |
KERNEL_TASK_FOR_PID0 | 0x801E05B4 | 0x801E05B4 | 0x801E05B4 | 0x801E05B4 | 0x801E05B4 | 0x801E05B4 |
KERNEL_VM_ENTER | 0x8004992C | 0x8004992C | 0x8004992C | 0x8004992C | 0x8004992C | 0x8004992C |
iOS 5.1.1 - 9B206
Symbol | K48AP | N18AP | N81AP | N88AP | N90AP | N92AP |
---|---|---|---|---|---|---|
KERNEL_CS_ENFORCEMENT | 0x80045874 | 0x80045874 | 0x80045874 | 0x80045874 | 0x80045874 | 0x80045874 |
KERNEL_FLUSH_DCACHE | 0x80072204 | 0x80072204 | 0x80072204 | 0x80072204 | 0x80072204 | 0x80072204 |
KERNEL_FLUSH_ICACHE | 0x80072304 | 0x80072304 | 0x80072304 | 0x80072304 | 0x80072304 | 0x80072304 |
KERNEL_IOLOG | 0x802049DD | 0x802049DD | 0x802049DD | 0x802049DD | 0x802049DD | 0x802049DD |
KERNEL_NX_ENABLE | 0x802BBB84 | 0x802BBB84 | 0x802BBB84 | 0x802BBB84 | 0x802BBB84 | 0x802BBB84 |
KERNEL_PE_DEBUGGER | 0x8024220C | 0x80242208 | 0x8024220C | 0x80242208 | 0x8024220C | 0x8024220C |
KERNEL_SYSCALL0 | 0x802CDBB0 | 0x802CDBB0 | 0x802CDBB0 | 0x802CDBB0 | 0x802CDBB0 | 0x802CDBB0 |
KERNEL_SYSCALL0_VALUE | 0x801B3AA5 | 0x801B3AA5 | 0x801B3AA5 | 0x801B3AA5 | 0x801B3AA5 | 0x801B3AA5 |
KERNEL_TASK_FOR_PID0 | 0x801E05B4 | 0x801E05B4 | 0x801E05B4 | 0x801E05B4 | 0x801E05B4 | 0x801E05B4 |
KERNEL_VM_ENTER | 0x8004992C | 0x8004992C | 0x8004992C | 0x8004992C | 0x8004992C | 0x8004992C |
iOS 5.1.1r - 9B208
Symbol | N90AP |
---|---|
KERNEL_CS_ENFORCEMENT | 0x80045874 |
KERNEL_FLUSH_DCACHE | 0x80072204 |
KERNEL_FLUSH_ICACHE | 0x80072304 |
KERNEL_IOLOG | 0x802049DD |
KERNEL_NX_ENABLE | 0x802BBB84 |
KERNEL_PE_DEBUGGER | 0x8024220C |
KERNEL_SYSCALL0 | 0x802CDBB0 |
KERNEL_SYSCALL0_VALUE | 0x801B3AA5 |
KERNEL_TASK_FOR_PID0 | 0x801E05B4 |
KERNEL_VM_ENTER | 0x8004992C |
Patching the kernel (using inline ASM)
Here are some functions, patched so that they can be used as jailbreak kernel patches. For vm_map_protect, here is the function.
// vm_map_protect_patch: a C function whose body is only the inline-ASM
// sequence below; it contains no C statements.
//
// NOTE(review): declared `int` but has no return statement. The page text
// says these bodies are copied elsewhere with bcopy() rather than called,
// so the missing return is presumably intentional — confirm.
// NOTE(review): `__asm{ ... }` with bare ARM/Thumb-2 mnemonics is the
// RVCT/MSVC-style block syntax, not GCC's string-literal asm — confirm the
// toolchain this was written for.
// NOTE(review): `loc_8004A96A` is a disassembler-style label tied to one
// particular kernel image; it is not defined anywhere on this page.
int vm_map_protect_patch()
{
    __asm{
        AND.W R1, R6, #8            // R1 = R6 & 0x8
        CMP R1, #6                  // sets the flags consumed by the IT block
        IT EQ                       // predicate the next instruction on EQ
        TSTEQ.W R0, #0x40000000     // runs only if the CMP above set EQ
        BNE loc_8004A96A            // target label not defined on this page
        BIC.W R6, R6, #4            // R6 &= ~0x4
    }
}
For vm_map_enter
// vm_map_enter_patch: a C function whose body is only the inline-ASM
// sequence below; it contains no C statements.
//
// NOTE(review): `cur_protection`, `var_54`, `var_78`, `loc_800497F0`,
// `aKern_return_` and `sub_8001D608` are all disassembler-generated names
// (a struct offset, two stack-frame slots, a branch label, a string label
// and a subroutine) from one specific kernel image. None is defined on this
// page, so this only assembles against that image's symbol set.
// NOTE(review): declared `int` but has no return statement; per the page
// text the body is copied with bcopy() rather than called — confirm.
// NOTE(review): `__asm { ... }` block syntax is RVCT/MSVC-style, not GCC's.
int vm_map_enter_patch()
{
    __asm {
        LDR R1, [R7,#cur_protection]    // R1 = *(R7 + cur_protection)
        AND.W R0, R4, #0x80000          // R0 = R4 & 0x80000
        STR R0, [SP,#0xB8+var_54]       // spill R0 to a frame slot
        STR R1, [SP,#0xB8+var_78]       // spill R1 to a frame slot
        AND.W R0, R1, #8                // R0 = R1 & 0x8
        CMP R0, #6                      // flags for the ITT block below
        ITT EQ                          // next two instructions predicated on EQ
        LDREQ R0, [SP,#0xB8+var_54]     // reload the spilled R0 (EQ only)
        CMPEQ R0, #0                    // (EQ only)
        BNE loc_800497F0                // target label not defined on this page
        LDR.W R1, =aKern_return_        // address of a string label (not on page)
        MOVS R0, #0                     // R0 = 0
        BL sub_8001D608                 // subroutine not defined on this page
        LDR R0, [R7,#cur_protection]    // reload *(R7 + cur_protection)
        BIC.W R0, R0, #4                // R0 &= ~0x4
        STR R0, [SP,#0xB8+var_78]       // store back to the frame slot
    }
}
For cs_enforcement_disable (kernel):
// cs_kern_patch: five single-statement `__asm` lines (MSVC/RVCT statement
// form, one instruction per `__asm`); it contains no C statements.
//
// NOTE(review): `dword_802DE330` is a disassembler-style data label from one
// specific kernel image and is not defined on this page.
// NOTE(review): `LDR R3, #1` is not a valid LDR operand form (LDR takes a
// memory operand or an `=literal`); this looks like a transcription error —
// confirm against the source disassembly before relying on this listing.
// NOTE(review): declared `int` but has no return statement; per the page
// text the body is copied with bcopy() rather than called — confirm.
int cs_kern_patch()
{
    // R3 = address of the data label (label not defined on this page)
    __asm LDR.W R3, =dword_802DE330
    // CP15 c13/c0/opc2=4 read into R0 — TPIDRPRW on ARMv7, verify
    __asm MRC p15, 0, R0,c13,c0, 4
    // R2 = *(R4 + 0x28)
    __asm LDR R2, [R4,#0x28]
    // see NOTE above: not a valid LDR operand form as written
    __asm LDR R3, #1
    // sets flags from R3; nothing on this page consumes them
    __asm CMP R3, #0
}
To use this in an untether, use find_vm_map_enter_patch(), find_vm_map_protect_patch() and find_cs_enforcement_disable_kernel() from planetbeing's ios-jailbreak-finder, then use bcopy() to copy these (patched) functions to the address of the actual functions. Here is an example:
// Usage example from the page text: locate an address with a finder
// function, then copy a patched function body over it.
//
// NOTE(review): as written this does not compile — the first statement is
// missing its `;`.
// NOTE(review): `sizeof(p)` is the size of the pointer variable, not of the
// 0xd00000-byte allocation it points to; presumably not what the size
// parameter is meant to receive — confirm against the finder's signature.
// NOTE(review): `sizeof(cs_kern_patch)` applies sizeof to a function, which
// is not valid standard C, and `cs_kern` is a uint32_t passed where bcopy()
// expects a destination pointer.
// NOTE(review): the prose above names find_cs_enforcement_disable_kernel()
// but the call here is find_cs_enforcement_disable(); `kernel_file` is also
// not defined on this page. The malloc() result is unchecked.
uint32_t *p = malloc(0xd00000)
uint32_t cs_kern = find_cs_enforcement_disable(kernel_file, p, sizeof(p));
bcopy((void*)cs_kern_patch, cs_kern, sizeof(cs_kern_patch));
References
- See also the category Kernel Patches