checkra1n / BugTracker

checkra1n bug tracker

`task_info` routine not returning kernel slide to usermode #2399

Closed g0x69lbo closed 4 months ago

g0x69lbo commented 5 months ago

I'm working on 17.5.1; the jailbreak works, it's just that the `task_info` MIG routine does not return the kernel slide. I've done some searching and this was already brought up in the past (#1852, #1124, #1070). Also, I've tried to search for references to locate the logic that writes that information to the kernel_task, but didn't find it (I might be missing ..?). I can see the patches that enable tfp0, and in kpf_ramdisk_bootprep I can see that you write the slide just after the ramdisk (I guess this is where XNU reads the bootargs struct from?), but nowhere is the logic to write to these fields of the kernel task.

Please enlighten me 😄

g0x69lbo commented 4 months ago

For some reason I thought the whole project was released as open source; now I understand that it is not fully open source, therefore it makes sense that this logic exists in the binary but broke in newer versions.

I'd be happy to support you coming up with support for newer versions if you don't have the time, but that wouldn't be possible if that logic is indeed not open source.

I will modify KPF module for now and will piggyback some unused syscall

g0x69lbo commented 4 months ago

Just updating here in case someone else finds himself struggling with the same issue.

I did manage to succeed in installing a new Mach trap by extending the shellcode and adding a new KPF component, but this wasn't needed. I was using palera1n, which I thought uses the PongoOS project by the checkra1n team, but it turns out they maintain their own fork of the PongoOS project. Also, the jbinit is open source; there I found that the payload binary actually processes the information from the kernel by reading it from the initial ramdisk. This is demonstrated in the p1ctl CLI utility, see here for implementation.

So yeah I guess the task_info method is obsolete and now the KPF hands off this information to userspace by appending it to the end of the ramdisk.