Difference between revisions of "Tfp0 patch"

From The iPhone Wiki
m (Gjest moved page Task for pid0 patch to Tfp0 patch: More common name, easier to find article)
(tfp0 enabled jailbreaks)

Revision as of 00:07, 26 December 2017

In the XNU kernel, task_for_pid is a function that allows a (privileged) process to get the task port of another process on the same host, except the kernel task (process ID 0). A tfp0 patch (or task_for_pid(0) patch) removes this restriction, allowing any executable running as root to call task_for_pid for pid 0 (hence the name) and then use vm_read and vm_write to modify the kernel VM region. The entitlements get-task-allow and task_for_pid-allow are required to make AMFI happy.

Example code

The following C program calls task_for_pid and returns the error code:

#include <mach/mach.h>

// Compile and fakesign with entitlements (on-device; LLVM+Clang and ldid must be installed):
// cc -o tfp0 tfp0.c && ldid -Stfp0.plist tfp0

int main(void) {
    mach_port_t kernel_task = 0;
    // The exit status is the kern_return_t of the call: 0 (KERN_SUCCESS) means tfp0 works.
    return task_for_pid(mach_task_self(), 0, &kernel_task);
}

The returned error code, which can be checked using echo $? in bash after running the test program, will be 0 if the call succeeded. If it did not, a positive number, e.g. 5 (KERN_FAILURE), is returned instead (see kern_return.h for possible values). The entitlements plist (named tfp0.plist in this example) for ldid can look like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>get-task-allow</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>

tfp0 enabled jailbreaks

Jailbreaks known to enable tfp0 include:

  • Absinthe (5.1.1)
  • evasi0n (6.0–6.1.2)
  • p0sixspwn (6.1.3–6.1.6)
  • evasi0n7 (7.0–7.0.6)
  • Pangu v 0.3 (7.1–7.1.2)
  • Pangu8 v 0.5 (8.0–8.1)
  • TaiG (8.0–8.4)
  • Pangu9 (9.0–9.0.2) on 32-bit
  • Home Depot (9.1–9.3.4) on 32-bit
  • JailbreakMe (9.2–9.3.3) on 64-bit
  • Yalu (10.x) on 64-bit

The following jailbreaks do not have tfp0 enabled:

  • Pangu7 v 0.1–0.2 (7.1–7.1.2)
      ◦ Solution: update to version 0.3 (filename: io.pangu.axe7_0.3_iphoneos-arm.deb)
  • Pangu8 v 0.1–0.4 (8.0–8.1)
      ◦ Solution: update to version 0.5 (filename: io.pangu.xuanyuansword8_0.5_iphoneos-arm.deb)
  • PPJailbreak (8.0–8.4)
      ◦ Solution: replace PPJailbreak with TaiG
  • Pangu9 (9.0–9.3.3) on 64-bit
      ◦ Solution: use cl0ver by Siguza
  • h3lix (10.0–10.3.3) on 32-bit
      ◦ No solution for compiled code; if source is available, replace task_for_pid(mach_task_self(), 0, &ktask) calls with host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &ktask)
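The following C helper is an added example, not code from the wiki page: it combines the page's tfp0 test with the host_get_special_port fallback from the h3lix note, treats a null port as a failure, and prints the kern_return_t by name instead of leaving the reader to look it up. The non-Apple branch is an assumed stub so the decoder can be compiled and checked off-device; only the Darwin branch touches the real Mach calls.

```c
/* Added example (not from the wiki page): try task_for_pid(0), fall back to
 * host special port 4 (the h3lix alternative named above), and decode the
 * kern_return_t by name. Non-Apple builds get stubs so the decoder compiles. */
#include <stdio.h>
#include <string.h>
#ifdef __APPLE__
#include <mach/mach.h>
#else
typedef int kern_return_t;          /* stubs for non-Darwin builds */
typedef unsigned int mach_port_t;
#define KERN_SUCCESS 0
#define KERN_INVALID_ARGUMENT 4
#define KERN_FAILURE 5
#define MACH_PORT_NULL 0
#endif
/* Names for the values a tfp0 test is most likely to see (see kern_return.h). */
const char *kern_return_name(kern_return_t kr) {
    switch (kr) {
    case KERN_SUCCESS:          return "KERN_SUCCESS";
    case KERN_INVALID_ARGUMENT: return "KERN_INVALID_ARGUMENT";
    case KERN_FAILURE:          return "KERN_FAILURE";
    default:                    return "other (see kern_return.h)";
    }
}

/* Returns the result of the last attempt; *ktask is MACH_PORT_NULL unless
 * the result is KERN_SUCCESS, and *how names the call that produced it. */
kern_return_t acquire_kernel_task(mach_port_t *ktask, const char **how) {
    kern_return_t kr = KERN_FAILURE;
    *ktask = MACH_PORT_NULL;
    *how = "unsupported platform";
#ifdef __APPLE__
    *how = "task_for_pid(0)";
    kr = task_for_pid(mach_task_self(), 0, ktask);
    if (kr != KERN_SUCCESS || *ktask == MACH_PORT_NULL) {
        *how = "host_get_special_port(4)";
        kr = host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, ktask);
    }
    /* A "successful" call that hands back a null port is not usable. */
    if (kr == KERN_SUCCESS && *ktask == MACH_PORT_NULL) kr = KERN_FAILURE;
#endif
    if (kr != KERN_SUCCESS) *ktask = MACH_PORT_NULL;
    return kr;
}
int main(void) {
    mach_port_t ktask; const char *how;
    kern_return_t kr = acquire_kernel_task(&ktask, &how);
    printf("%s -> %d (%s)\n", how, (int)kr, kern_return_name(kr));
    return kr;   /* same convention as the page's test program: 0 = tfp0 works */
}
```

On a device the exit status can still be read with echo $? exactly as for the page's original program; the printed line additionally tells you which of the two calls produced the port.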