Closed stek29 closed 6 years ago
Hmm, interesting. It may be that libmemctl decided it didn't have the necessary functionality (e.g. kernel function call) to implement physical memory access. What device, version, and jailbreak are you using?
iOS 11.1.2, let's say electra :) I can give you ssh access for testing if you want to.
Ah, I'm still working on iOS 11.1.2 support. I'm surprised it didn't show any kind of error message for broken functionality.
Let me see if I can reproduce the behavior on another device; if not I'll probably take you up on your SSH offer.
By the way, kernel slide detection on iOS 11 is currently unsafe, and may panic the device. It's mostly a stopgap measure until I can implement a more robust version. Just be aware.
@bazad actually, it did show some warnings:
```
memctl> vma 10
0xfffffff009077000
memctl> rf 0xfffffff009077000
fffffff009077000: 0000000000000000
memctl> kpm 0xfffffff009077000-0xfffffff009077010
warning: could not find _kauth_cred_setsvuidgid
warning: could not find _pthread_callbacks
warning: could not find _kfree_addr
setting up kernel function call...
fffffff009077000 0x8258f4000
memctl> w -p 0x8258f4000 0
error: cannot write physical memory
memctl> r -p 0x8258f4000
error: cannot read physical memory
```
Also, I'm using a modified build which disables arm-only jop kcall.
And idk why, but kpm stopped working for me.
As a workaround, kcall to bcopy_phys would be an easy way to read/write physical memory.
It's easy to patch find by panic("bcopy extends beyond copy windows")
Alright, I can fully reproduce your behavior, so I should be able to address this from my end. I'm going to add another arm64 jop payload using gadgets from the iOS 11.1.2 kernelcache, after which (I hope) the safe physical memory functions should work again.
In the meantime, a workaround is to comment out the arm64 kernel call variants in kernel_call.c (like you have) and use the unsafe physical memory functions; these should be just fine for known-good addresses:
```
memctl> vma 10
0xfffffff00086d000
memctl> rf 0xfffffff00086d000
fffffff00086d000: 0000000000000000
memctl> kp 0xfffffff00086d000
warning: could not find _kauth_cred_setsvuidgid
warning: could not find _pthread_callbacks
warning: could not find _kfree_addr
setting up kernel function call...
0x836f59000
memctl> wpf 0x836f59000 0x11223344
memctl> r 0xfffffff00086d000
fffffff00086d000: 0000000011223344
memctl>
```
Thanks!
@stek29 I've pushed support for 14-argument kernel function calling on the iPhone 7 11.1.2 kernelcache. If you're using an iPhone 7 or 8, this should fix some of those errors, although there are still a lot of things that need fixing.
If you're using a different device this new kernel call strategy may not be applicable. What device are you using?
@bazad I'm using an iPhone 5S on 11.1.2. I'll check out your changes a bit later :)
`kernel_call_arm64` is now optional and the special symbol finders have been updated for iOS 11. However, there is still no `kernel_call_arm64` implementation for the iPhone 5s 11.1.2 kernelcache.
The iPhone 5s will be supported on iOS 11.3.1 after pull request #6.
What are the requirements for physical memory read/write?