The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.

Difference between revisions of "Tfp0 patch"

From The iPhone Wiki
Jump to: navigation, search
(+lede, +example code, “task_for_pid-allow” is needed on iOS 6 (but not “get-task-allow”, will test on higher versions later))
m (Yalu enables tfp0 on A9 and earlier devices, not sure if extra_recipe enables it there for those devices.)
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
{{DISPLAYTITLE:tfp0 patch}}
  
{{DISPLAYTITLE:tfp0 patch}}
In the XNU kernel, <code>task_for_pid</code> is a function that allows a (privileged) process to get the task port of another process on the same host, except the kernel task (process ID 0). A '''tfp0 patch''' (or '''task_for_pid(0) patch''') removes this restriction, allowing any executable to call '''task_for_pid''' for pid '''0''' (hence the name) and then use <code>vm_read</code> and <code>vm_write</code> to modify the kernel VM region. The entitlements ''get-task-allow'' and ''task_for_pid-allow'' are required to make [[AMFI]] happy.
 +
In the XNU kernel, <code>task_for_pid</code> is a function that allows a (privileged) process to get the task port of another process on the same host, except the kernel task (process ID 0). A '''tfp0 patch''' (or '''task_for_pid(0) patch''') removes this restriction, allowing any executable running as root to call '''task_for_pid''' for pid '''0''' (hence the name) and then use <code>vm_read</code> and <code>vm_write</code> to modify the kernel VM region. The entitlements ''get-task-allow'' and ''task_for_pid-allow'' are required to make [[AMFI]] happy.
   
 
== Example code ==
  
== Example code ==
Line 29: Line 29:
 
</dict>
  
</dict>
 
</plist>
  
</plist>
  +
  +
== tfp0 enabled jailbreaks ==
  +
Jailbreaks known to enable tfp0 include:
  +
* [[Absinthe]] (5.1.1)
  +
* [[evasi0n]] (6.0–6.1.2)
  +
* [[p0sixspwn]] (6.1.3–6.1.6)
  +
* [[evasi0n7]] (7.0–7.0.6)
  +
* [[Pangu]] v0.3 (7.1–7.1.2)
  +
* [[Pangu8]] v0.5 (8.0–8.1)
  +
* [[TaiG]] (8.0–8.4)
  +
* [[Pangu9]] (9.0–9.0.2) on 32-bit
  +
* [[Home Depot]] (9.1–9.3.4) on 32-bit
  +
* [[jbme]] (9.2–9.3.3) on 64-bit
  +
* [[extra_recipe+yaluX]] (10.0–10.1.1) on 64-bit
  +
* [[yalu102]] (10.2) on 64-bit (excluding iPhone 7)
  +
  +
=== Jailbreaks lacking tfp0 ===
  +
The following jailbreaks do ''not'' have tfp0 enabled:
  +
* [[Pangu]] v0.1–0.2 (7.1–7.1.2)
  +
:* Solution: Update to version 0.3 (filename: <code>io.pangu.axe7_0.3_iphoneos-arm.deb</code>)
  +
* [[Pangu8]] v0.1–0.4 (8.0–8.1)
  +
:* Solution: Update to version 0.5 (filename: <code>io.pangu.xuanyuansword8_0.5_iphoneos-arm.deb</code>)
  +
* [[PPJailbreak]] (8.0–8.4)
  +
:* Solution: replace PPJailbreak with TaiG
  +
* [[Pangu9]] (9.0–9.3.3) on 64-bit
  +
:* Solution: use cl0ver by Siguza, or re-jailbreak using jbme (uses the trident exploit chain instead)
  +
* [[yalu + mach_portal]] (10.0–10.1.1) on iPhone 7/iPhone 7 Plus
  +
:* Solution: use extra_recipe+yaluX instead
  +
* [[h3lix]] (10.0–10.3.3) on 32-bit
  +
:* No solution for compiled code, replace <code>task_for_pid(mach_task_self(), 0, &ktask)</code> calls with <code>host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &ktask)</code> if source is available
  +
  +
== See also ==
  +
* [[hgsp4 patch]]
   
 
[[Category:Kernel Patches]]
  
[[Category:Kernel Patches]]

Latest revision as of 16:02, 29 December 2017

In the XNU kernel, task_for_pid is a function that allows a (privileged) process to get the task port of another process on the same host, except the kernel task (process ID 0). A tfp0 patch (or task_for_pid(0) patch) removes this restriction, allowing any executable running as root to call task_for_pid for pid 0 (hence the name) and then use vm_read and vm_write to modify the kernel VM region. The entitlements get-task-allow and task_for_pid-allow are required to make AMFI happy.

Example code

The following C program calls task_for_pid and returns the error code: 

#include <mach/mach.h>

// Compile and fakesign with entitlements (on-device; LLVM+Clang and ldid must be installed):
// cc -o tfp0 tfp0.c && ldid -Stfp0.plist tfp0

int main(void) {
    mach_port_t kernel_task = 0;
    return task_for_pid(mach_task_self(), 0, &kernel_task);
}

The returned error code, which can be checked using echo $? in bash after running the test program, will be 0 if the call succeeded. If it did not, a positive number, e.g. 5 (KERN_FAILURE), is returned instead (see kern_return.h for possible values). The entitlements plist (named tfp0.plist in this example) for ldid can look like this: 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>get-task-allow</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>

tfp0 enabled jailbreaks

Jailbreaks known to enable tfp0 include:

Jailbreaks lacking tfp0

The following jailbreaks do not have tfp0 enabled:

  • Pangu v0.1–0.2 (7.1–7.1.2)
  • Solution: Update to version 0.3 (filename: io.pangu.axe7_0.3_iphoneos-arm.deb)
  • Solution: Update to version 0.5 (filename: io.pangu.xuanyuansword8_0.5_iphoneos-arm.deb)
  • Solution: replace PPJailbreak with TaiG
  • Pangu9 (9.0–9.3.3) on 64-bit
  • Solution: use cl0ver by Siguza, or re-jailbreak using jbme (uses the trident exploit chain instead)
  • Solution: use extra_recipe+yaluX instead
  • h3lix (10.0–10.3.3) on 32-bit
  • No solution for compiled code, replace task_for_pid(mach_task_self(), 0, &ktask) calls with host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &ktask) if source is available

See also

Retrieved from "https://www.theiphonewiki.com/w/index.php?title=Tfp0_patch&oldid=65901"