The workaround we implemented for getting TFP0 in user-mode can be implemented in a simpler manner that is easier to port to other iOS versions: patch two kernel functions instead of constructing a new fake task and a fake task port.
Likewise, the mechanism we implemented to load our own trust cache can be done in a simpler manner that is easier to port to other iOS versions, either by patching the kernel CoreTrust code so that it does not check signatures, or by using other boot args that disable signature verification.