bazad / memctl

An iOS kernel introspection tool.
https://bazad.github.io/2017/09/live-kernel-introspection-ios/
MIT License

physical memory read/write #5

Closed stek29 closed 6 years ago

stek29 commented 6 years ago
memctl> vma 10
0xfffffff000857000
memctl> rf 0xfffffff000857000
fffffff000857000:  0000000000000000
memctl> kpm 0xfffffff000857000-0xfffffff000857000
fffffff000857000  0x825706000
memctl> w -p 0xfffffff000857000^C
memctl> w -p 0x825706000 0
error: cannot write physical memory
memctl> r -p 0x825706000
error: cannot read physical memory

what are requirements for physical memory read/write?

bazad commented 6 years ago

Hmm, interesting. It may be that libmemctl decided it didn't have the necessary functionality (e.g. kernel function call) to implement physical memory access. What device, version, and jailbreak are you using?

stek29 commented 6 years ago

iOS 11.1.2, let's say electra :) I can give you ssh access for testing if you want to.

bazad commented 6 years ago

Ah, I'm still working on iOS 11.1.2 support. I'm surprised it didn't show any kind of error message for broken functionality.

Let me see if I can reproduce the behavior on another device; if not I'll probably take you up on your SSH offer.

By the way, kernel slide detection on iOS 11 is currently unsafe, and may panic the device. It's mostly a stopgap measure until I can implement a more robust version. Just be aware.

stek29 commented 6 years ago

@bazad actually, it did show some warnings:

memctl> vma 10
0xfffffff009077000
memctl> rf 0xfffffff009077000
fffffff009077000:  0000000000000000
memctl> kpm 0xfffffff009077000-0xfffffff009077010
warning: could not find _kauth_cred_setsvuidgid
warning: could not find _pthread_callbacks
warning: could not find _kfree_addr
setting up kernel function call...
fffffff009077000  0x8258f4000
memctl> w -p 0x8258f4000 0
error: cannot write physical memory
memctl> r -p 0x8258f4000
error: cannot read physical memory

Also, I'm using a modified build which disables arm-only jop kcall.

And idk why, but kpm stopped working for me.


As a workaround, kcall to bcopy_phys would be an easy way to read/write physical memory. It's easy to patchfind by panic("bcopy extends beyond copy windows").

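The patchfinding approach mentioned above (locate a kernel function by the panic string it references) as an added, self-contained example. This is not memctl's code and not a real kernelcache: the AArch64 image below is constructed in memory with a hand-encoded prologue, an `adrp`/`add` pair that materialises the string address, and a `bl` to a stand-in `panic`. The kernel base address, image layout and the prologue heuristic (`sub sp, sp, #imm` or a pre-indexed `stp` to `sp`) are assumptions for the illustration; a real finder would also handle non-adjacent `adrp`/`add` and `ldr` literal forms.

```c
/* Added example (not memctl's code): heuristic AArch64 patchfinder that finds
 * the function referencing a given panic string.  The "kernelcache" image is
 * constructed below and is not real kernel code. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_MASK (~(uint64_t)0xFFF)

/* Encoders used only to build the synthetic image. */
static uint32_t enc_adrp(uint64_t pc, uint64_t target, unsigned rd)
{
    int64_t delta = (int64_t)((target & PAGE_MASK) - (pc & PAGE_MASK)) >> 12;
    uint32_t immlo = (uint32_t)delta & 3;
    uint32_t immhi = ((uint32_t)delta >> 2) & 0x7FFFF;
    return 0x90000000u | (immlo << 29) | (immhi << 5) | (rd & 0x1F);
}
static uint32_t enc_add_imm(unsigned rd, unsigned rn, unsigned imm12)
{
    return 0x91000000u | ((imm12 & 0xFFF) << 10) | ((rn & 0x1F) << 5) | (rd & 0x1F);
}

/* ADRP: returns 1 and fills the destination register and the page it forms. */
static int dec_adrp(uint32_t insn, uint64_t pc, unsigned *rd, uint64_t *page)
{
    if ((insn & 0x9F000000u) != 0x90000000u) return 0;
    int64_t imm = (int64_t)(((insn >> 5) & 0x7FFFF) << 2) | ((insn >> 29) & 3);
    if (imm & (1 << 20)) imm -= (1 << 21);          /* sign-extend 21 bits */
    *rd = insn & 0x1F;
    *page = (pc & PAGE_MASK) + ((uint64_t)imm << 12);
    return 1;
}
/* ADD (immediate, 64-bit, unshifted): add xd, xn, #imm12 */
static int dec_add_imm(uint32_t insn, unsigned *rd, unsigned *rn, unsigned *imm12)
{
    if ((insn & 0xFF800000u) != 0x91000000u) return 0;
    *rd = insn & 0x1F; *rn = (insn >> 5) & 0x1F; *imm12 = (insn >> 10) & 0xFFF;
    return 1;
}
/* Heuristic prologue markers: sub sp, sp, #imm  or  stp xN, xM, [sp, #-imm]! */
static int is_prologue_insn(uint32_t insn)
{
    return (insn & 0xFF8003FFu) == 0xD10003FFu || (insn & 0xFFC003E0u) == 0xA98003E0u;
}

/* Image offset of the function whose ADRP/ADD pair builds a pointer to `needle`, or -1. */
static int64_t find_func_by_string(const uint8_t *img, size_t len, uint64_t base,
                                   size_t code_len, const char *needle)
{
    size_t nlen = strlen(needle) + 1, str_off = (size_t)-1;
    for (size_t i = code_len; i + nlen <= len; i++)             /* 1. find the string */
        if (memcmp(img + i, needle, nlen) == 0) { str_off = i; break; }
    if (str_off == (size_t)-1) return -1;
    uint64_t str_addr = base + str_off;

    size_t ref = (size_t)-1;                                     /* 2. find the reference */
    for (size_t i = 0; i + 8 <= code_len; i += 4) {
        uint32_t a, b; memcpy(&a, img + i, 4); memcpy(&b, img + i + 4, 4);
        unsigned rd, rd2, rn, imm; uint64_t page;
        if (dec_adrp(a, base + i, &rd, &page) && dec_add_imm(b, &rd2, &rn, &imm)
            && rn == rd && page + imm == str_addr) { ref = i; break; }
    }
    if (ref == (size_t)-1) return -1;

    size_t i = ref;                                              /* 3. walk back to the prologue */
    for (;;) {
        uint32_t insn; memcpy(&insn, img + i, 4);
        if (is_prologue_insn(insn)) break;
        if (i == 0) return -1;
        i -= 4;
    }
    while (i >= 4) {                     /* include contiguous prologue instructions before it */
        uint32_t prev; memcpy(&prev, img + i - 4, 4);
        if (!is_prologue_insn(prev)) break;
        i -= 4;
    }
    return (int64_t)i;
}

/* Constructed image: assumed base, 4 KiB of "code" followed by a string page. */
#define IMG_LEN  0x2000
#define CODE_LEN 0x1000
#define STR_OFF  0x1040
static uint8_t g_img[IMG_LEN];
static const uint64_t g_base = 0xFFFFFFF007004000ull;          /* assumed, not a real slide */
static const char *kPanicStr = "bcopy extends beyond copy windows";
static void put32(size_t off, uint32_t v) { memcpy(g_img + off, &v, 4); }

static void build_image(void)
{
    memset(g_img, 0, sizeof g_img);
    size_t o = 0;
    put32(o, 0xD65F03C0); o += 4;                       /* ret  (end of previous function) */
    put32(o, 0xD10083FF); o += 4;                       /* sub sp, sp, #0x20   <- function start */
    put32(o, 0xA9017BFD); o += 4;                       /* stp x29, x30, [sp, #0x10] */
    put32(o, 0x910043FD); o += 4;                       /* add x29, sp, #0x10 */
    put32(o, 0x7100041F); o += 4;                       /* cmp w0, #1  (stand-in window check) */
    put32(o, 0x54000060); o += 4;                       /* b.eq +0xC */
    put32(o, enc_adrp(g_base + o, g_base + STR_OFF, 0)); o += 4;   /* adrp x0, str@PAGE */
    put32(o, enc_add_imm(0, 0, STR_OFF & 0xFFF)); o += 4;         /* add x0, x0, str@PAGEOFF */
    put32(o, 0x94000000); o += 4;                       /* bl panic (target irrelevant here) */
    put32(o, 0xD65F03C0); o += 4;                       /* ret */
    memcpy(g_img + STR_OFF, kPanicStr, strlen(kPanicStr) + 1);
}

int64_t locate_bcopy_phys_offset(void)
{
    build_image();
    return find_func_by_string(g_img, IMG_LEN, g_base, CODE_LEN, kPanicStr);
}

int main(void)
{
    int64_t off = locate_bcopy_phys_offset();
    if (off < 0) { puts("not found"); return 1; }
    printf("bcopy_phys @ 0x%" PRIx64 " (image offset 0x%" PRIx64 ")\n",
           g_base + (uint64_t)off, (uint64_t)off);
    return 0;
}
```

With the address in hand, the caller would hand it to the kernel-call primitive as the function to invoke, with source, destination and length as arguments; on a real kernelcache the string lives in `__TEXT.__cstring` and the code in `__TEXT_EXEC`, so the two scans should be restricted to those segments rather than to a fixed split as here.
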
bazad commented 6 years ago

Alright, I can fully reproduce your behavior, so I should be able to address this from my end. I'm going to add another arm64 jop payload using gadgets from the iOS 11.1.2 kernelcache, after which (I hope) the safe physical memory functions should work again.

In the meantime, a workaround is to comment out the arm64 kernel call variants in kernel_call.c (like you have) and use the unsafe physical memory functions; these should be just fine for known-good addresses:

memctl> vma 10
0xfffffff00086d000
memctl> rf 0xfffffff00086d000
fffffff00086d000:  0000000000000000
memctl> kp 0xfffffff00086d000
warning: could not find _kauth_cred_setsvuidgid
warning: could not find _pthread_callbacks
warning: could not find _kfree_addr
setting up kernel function call...
0x836f59000
memctl> wpf 0x836f59000 0x11223344
memctl> r 0xfffffff00086d000
fffffff00086d000:  0000000011223344
memctl> 
stek29 commented 6 years ago

Thanks!

bazad commented 6 years ago

@stek29 I've pushed support for 14-argument kernel function calling on the iPhone 7 11.1.2 kernelcache. If you're using an iPhone 7 or 8, this should fix some of those errors, although there's still a lot of things that need fixing.

If you're using a different device this new kernel call strategy may not be applicable. What device are you using?

stek29 commented 6 years ago

@bazad I'm using an iPhone 5S on 11.1.2. I'll check out your changes a bit later :)

bazad commented 6 years ago

kernel_call_arm64 is now optional and the special symbol finders have been updated for iOS 11. However, there is still no kernel_call_arm64 implementation for the iPhone 5s 11.1.2 kernelcache.

bazad commented 6 years ago

The iPhone 5s will be supported on iOS 11.3.1 after pull request #6.