arx8x / v0rtexNonce

set generator for iOS 10.3 with v0rtex exploit by siguza

iPhone SE 10.3.1 crashes. #30

Closed cowpod closed 6 years ago

cowpod commented 6 years ago

App will cause a kernel panic on launch, or sometimes display an error message requesting a reboot. Using my own offsets from find_offsets.sh (which are a little different I believe) yields nothing better.

arx8x commented 6 years ago

It takes a lot of tries.

cowpod commented 6 years ago

It's around 30 now... Are the offsets correct? I mean, there ARE two separate kernel caches. I'll try a different cache (if I get that far :D) and post the other offsets here if they differ.

ghost commented 6 years ago

I know there are two kernel caches; I use the second one (I'm not at home so I can't check).

ghost commented 6 years ago

For me it works on the 11th/12th try (I don't remember). I have iSE 10.3.1 n69ap.

cowpod commented 6 years ago

Okay, finally done! Modified uroboro's find_offsets script to allow selection of kernelcaches. Here it is: https://gist.github.com/cowpod/c20989c01b138f37ad9ec19140079723

cowpod commented 6 years ago

Offsets match! (iPhone SE 10.3.1), n61ap:

OFFSET_ZONE_MAP = 0xfffffff007548478
OFFSET_KERNEL_MAP = 0xfffffff0075a4050
OFFSET_KERNEL_TASK = 0xfffffff0075a4048
OFFSET_REALHOST = 0xfffffff00752aba0
OFFSET_BZERO = 0xfffffff007081f80
OFFSET_BCOPY = 0xfffffff007081dc0
OFFSET_COPYIN = 0xfffffff007180720
OFFSET_COPYOUT = 0xfffffff007180914
OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0
OFFSET_CHGPROCCNT = 0xfffffff00738d61c
OFFSET_KAUTH_CRED_REF = 0xfffffff0073679b4
OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099efc
OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad154
OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a20
OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e849f8
OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006481174
OFFSET_OSSERIALIZER_SERIALIZE = 0xfffffff00744053c
OFFSET_ROP_LDR_X0_X0_0x10 = 0xfffffff0063d0a84

ghost commented 6 years ago

So, they match, they are the same, keep trying. And Merry Christmas!

cowpod commented 6 years ago

Merry Christmas to you too! (sorry I forgot :D)

cowpod commented 6 years ago

Well... I'm back. Offsets work fine in v0rtex-S, but fail in v0rtexNonce? It reboots instantly, or gives the same "error please reboot". v0rtex-S usually works on the second or third try...

cowpod commented 6 years ago

Back again. Works! I needed to replace the default offsets for v0rtexNonce with the ones from the second kernelcache. Thanks XDavide!

arx8x commented 6 years ago

@cowpod Nice work. I've modified his script, combined it with mine, and now the project uses a source file generated by my script. I've also added img4tool to his script to support BVX compression. I can't yet put my script on GitHub, but the result is in offsets.m.