The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.
Difference between revisions of "Tfp0 patch"
(Created page with "{{DISPLAYTITLE:task-for-pid0 Patch}} * task_for_pid requires entitlements 'get-task-allow' to make AMFI happy. * task_for_pid cannot get kernel_task without a patch. * Thi...")
(+lede, +example code, “task_for_pid-allow” is needed on iOS 6 (but not “get-task-allow”, will test on higher versions later)) |
| Line 1: | Line 1: | ||
| − | {{DISPLAYTITLE: |
+ | {{DISPLAYTITLE:tfp0 patch}} |
| + | In the XNU kernel, <code>task_for_pid</code> is a function that allows a (privileged) process to get the task port of another process on the same host, except the kernel task (process ID 0). A '''tfp0 patch''' (or '''task_for_pid(0) patch''') removes this restriction, allowing any executable to call '''task_for_pid''' for pid '''0''' (hence the name) and then use <code>vm_read</code> and <code>vm_write</code> to modify the kernel VM region. The entitlements ''get-task-allow'' and ''task_for_pid-allow'' are required to make [[AMFI]] happy. |
||
| − | * task_for_pid requires entitlements 'get-task-allow' to make [[AMFI]] happy. |
||
| + | |||
| − | * task_for_pid cannot get kernel_task without a patch. |
||
| + | == Example code == |
||
| − | * This patch allows you to get the kernel Mach task, you can then use vm_read and vm_write to modify the kernel VM region. |
||
| + | The following C program calls <code>task_for_pid</code> and returns the error code: |
||
| + | |||
| + | #include <mach/mach.h> |
||
| + | |||
| + | // Compile and fakesign with entitlements (on-device; LLVM+Clang and ldid must be installed): |
||
| + | // cc -o tfp0 tfp0.c && ldid -Stfp0.plist tfp0 |
||
| + | |||
| + | int main(void) { |
||
| + | mach_port_t kernel_task = 0; |
||
| + | return task_for_pid(mach_task_self(), 0, &kernel_task); |
||
| + | } |
||
| + | |||
| + | The returned error code, which can be checked using <code>echo $?</code> in bash after running the test program, will be 0 if the call succeeded. If it did not, a positive number, e.g. 5 (KERN_FAILURE), is returned instead (see <code>kern_return.h</code> for possible values). The entitlements plist (named <code>tfp0.plist</code> in this example) for [[ldid]] can look like this: |
||
| + | |||
| + | <?xml version="1.0" encoding="UTF-8"?> |
||
| + | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "<nowiki>http://www.apple.com/DTDs/PropertyList-1.0.dtd</nowiki>"> |
||
| + | <plist version="1.0"> |
||
| + | <dict> |
||
| + | <key>get-task-allow</key> |
||
| + | <true/> |
||
| + | <key>run-unsigned-code</key> |
||
| + | <true/> |
||
| + | <key>task_for_pid-allow</key> |
||
| + | <true/> |
||
| + | </dict> |
||
| + | </plist> |
||
| + | |||
[[Category:Kernel Patches]] |
[[Category:Kernel Patches]] |
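Review bot: the new lede ("The entitlements ''get-task-allow'' and ''task_for_pid-allow'' are required") is stronger than what the revision summary reports, which is that on iOS 6 only "task_for_pid-allow" was needed and "get-task-allow" was not, with higher versions still untested; qualify the sentence with the version actually tested (or say "one or both of") rather than stating both as required. The example plist also sets <code>run-unsigned-code</code>, which the lede and the surrounding text never mention; either explain why it is in the plist or drop it from the minimal example so readers do not assume it is part of the tfp0 requirement.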
Revision as of 23:14, 25 December 2017
In the XNU kernel, task_for_pid is a function that lets a (privileged) process obtain the task port of another process on the same host, with one exception: the kernel task (process ID 0). A tfp0 patch (or task_for_pid(0) patch) removes this restriction, allowing any executable to call task_for_pid for pid 0 (hence the name) and then use vm_read and vm_write on the returned port to read and modify the kernel VM region. The entitlements get-task-allow and task_for_pid-allow are required to make AMFI happy.
Example code
The following C program calls task_for_pid for pid 0 and returns the kern_return_t error code as its exit status:
#include <mach/mach.h>

// Compile and fakesign with entitlements (on-device; LLVM+Clang and ldid must be installed):
// cc -o tfp0 tfp0.c && ldid -Stfp0.plist tfp0

int main(void) {
    // Receives the kernel task port on success; stays MACH_PORT_NULL otherwise.
    mach_port_t kernel_task = MACH_PORT_NULL;
    // Ask for the task port of pid 0 (the kernel). Returns KERN_SUCCESS (0) only if the
    // kernel's pid-0 check has been patched and the binary carries the entitlements.
    return task_for_pid(mach_task_self(), 0, &kernel_task);
}
The returned error code, which can be checked with echo $? in bash after running the test program, is 0 (KERN_SUCCESS) if the call succeeded. If it did not, a positive number is returned instead, e.g. 5 (KERN_FAILURE); see kern_return.h for the possible values. The entitlements plist (named tfp0.plist in this example) for ldid can look like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>get-task-allow</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>
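The test program above only hands the raw kern_return_t back through the exit status. The program below is an added example, not code from the wiki page, and it goes a step further than the page: it probes task_for_pid(0) the same way, classifies the result the way an app-side kernel-integrity check would (port obtainable means the tfp0 restriction is gone on this kernel), releases the kernel task port immediately instead of keeping a handle to kernel memory in the process, and shows why the `echo $?` check works only because KERN_* codes fit in the 8 bits an exit status carries. On Darwin it builds against <mach/mach.h> as the page's example does; on a host without Mach headers (an assumption made so the file also compiles elsewhere) a fallback task_for_pid stands in and refuses pid 0 exactly as an unpatched kernel would. The names kern_return_name, classify_tfp0, probe_tfp0 and exit_status_for are my own, and the kern_return_t values in the name table are the ones from XNU's kern_return.h.

```c
/* tfp0_probe.c: added example (not from the wiki page). Probes whether the
 * kernel task port (pid 0) can be obtained and classifies the kern_return_t. */
#include <stdio.h>
#include <string.h>

#ifdef __APPLE__
#include <mach/mach.h>
#else
/* Assumption: a non-Darwin build host has no Mach headers, so the few names the
 * probe needs are declared here, and task_for_pid behaves like an unpatched
 * kernel: pid 0 is refused with KERN_FAILURE. */
typedef int kern_return_t;
typedef unsigned int mach_port_t;
#define KERN_SUCCESS 0
#define KERN_FAILURE 5
#define MACH_PORT_NULL 0u
static mach_port_t mach_task_self(void) { return 0x103u; }  /* constructed port name */
static kern_return_t task_for_pid(mach_port_t self, int pid, mach_port_t *out) {
    (void)self; (void)pid;
    *out = MACH_PORT_NULL;          /* unpatched kernel: no port for pid 0 */
    return KERN_FAILURE;
}
static kern_return_t mach_port_deallocate(mach_port_t self, mach_port_t name) {
    (void)self; (void)name;
    return KERN_SUCCESS;
}
#endif

typedef enum { TFP0_OBTAINABLE, TFP0_REFUSED, TFP0_ERROR } tfp0_verdict;

/* Names for the kern_return_t values task_for_pid is likely to produce
 * (numeric values from XNU's kern_return.h). */
const char *kern_return_name(kern_return_t kr) {
    switch (kr) {
    case 0:  return "KERN_SUCCESS";
    case 1:  return "KERN_INVALID_ADDRESS";
    case 2:  return "KERN_PROTECTION_FAILURE";
    case 4:  return "KERN_INVALID_ARGUMENT";
    case 5:  return "KERN_FAILURE";
    case 8:  return "KERN_NO_ACCESS";
    default: return "KERN_(other)";
    }
}

/* KERN_FAILURE is what an unpatched kernel (or a binary without the entitlements)
 * produces for pid 0; KERN_SUCCESS means the kernel task port was handed out, i.e.
 * the tfp0 restriction is gone and kernel memory is reachable via vm_read/vm_write. */
tfp0_verdict classify_tfp0(kern_return_t kr) {
    if (kr == KERN_SUCCESS) return TFP0_OBTAINABLE;
    if (kr == KERN_FAILURE) return TFP0_REFUSED;
    return TFP0_ERROR;
}

/* `echo $?` shows only the low 8 bits of what main() returns, so a kern_return_t
 * survives the trip unchanged only when it is below 256 (all KERN_* codes are). */
int exit_status_for(kern_return_t kr) { return (int)((unsigned)kr & 0xFFu); }

/* Probe the kernel task port, release it at once, and return the verdict.
 * kr_out (may be NULL) receives the raw kern_return_t for logging. */
tfp0_verdict probe_tfp0(kern_return_t *kr_out) {
    mach_port_t kernel_task = MACH_PORT_NULL;
    kern_return_t kr = task_for_pid(mach_task_self(), 0, &kernel_task);
    if (kr_out) *kr_out = kr;
    if (kr == KERN_SUCCESS && kernel_task != MACH_PORT_NULL) {
        /* The check only needs to know the port was obtainable; do not keep a
         * send right to the kernel task lying around in this process. */
        mach_port_deallocate(mach_task_self(), kernel_task);
    }
    return classify_tfp0(kr);
}

int main(void) {
    kern_return_t kr;
    tfp0_verdict v = probe_tfp0(&kr);
    printf("task_for_pid(0) -> %d (%s): %s\n", kr, kern_return_name(kr),
           v == TFP0_OBTAINABLE ? "kernel task port obtainable (tfp0 patched)"
         : v == TFP0_REFUSED    ? "refused (unpatched kernel or missing entitlement)"
                                : "unexpected error");
    return exit_status_for(kr);
}
```

On a device it is built and fakesigned exactly like the page's program (cc -o tfp0_probe tfp0_probe.c && ldid -Stfp0.plist tfp0_probe); the printed verdict and the exit status agree with the `echo $?` reading described above, and an integrity check that embeds probe_tfp0 would treat TFP0_OBTAINABLE as "kernel restriction removed" rather than as a success.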