Closed brendonjkding closed 3 years ago
The payload itself should work on iOS 12. But we must always disable KPP. I can't be sure because I don't have an iOS 12 environment on a 16k device; it will work once the KPP module works properly.
@brendonjkding Changed the KPP module to work on iOS 12. Is it possible to try it?
Yes. The KPP module works on iOS 12 now. Thanks for the quick update.
Then I installed the tweak and ran CPBypass2 (12.4 offsets added).
CPBypass2 v1.0.1 made by @dora2ios
!! WARNING !!
CPBypass2 apply patches actual pages protected with KPP/KTRR lockdown.
If KPP is not disabled, the device will kernel panic after a few minutes.
KPP really disabled on this device? If you want to continue, type "Y" and press key.
>> Y
tfp0: 0x1003
base: 0xFFFFFFF007004000
sec_cstring_addr: 0xFFFFFFF00702CF94, sec_cstring_off: 0x28F94, sec_cstring_sz: 0x48A55
sec_text_addr: 0xFFFFFFF007098000, sec_text_off: 0x94000, sec_text_sz: 0x527200
cmd_symtab_symoff: 0x63DB40, cmd_symtab_nsyms: 0x12A3, cmd_symtab_stroff: 0x650570
kbase: 0xFFFFFFF00C3DC000, kslide: 0x53D8000
kernproc: 0xFFFFFFF00C9D20D0
csblob_get_cdhash: 0xFFFFFFF00C7CC250
pmap_find_phys: 0xFFFFFFF00C587D7C
bcopy_phys: 0xFFFFFFF00C592814
serv: 0xF07
g_conn: 0x1507
our_task: 0xFFFFFFE002401680
itk_space: 0xFFFFFFE0040C34F0
is_table_sz: 0x2A
is_table: 0xFFFFFFE005E7AC00
ipc_port: 0xFFFFFFE0045B6BF8
user_client: 0xFFFFFFE005A41D60
orig_vtab: 0xFFFFFFF00C3458E0
fake_vtab: 0xFFFFFFE000010000
csblob_get_cdhash(USER_CLIENT_TRAP_OFF): 0x80
kernel_task: 0xFFFFFFE00039D680
kernel_map: 0xFFFFFFF0A655DEC0
kernel_pmap: 0xFFFFFFF00CA1AB60
kernel_pmap_min: 0xFFFFFF8000000000
kernel_pmap_max: 0xFFFFFFF3FFFFFFFF
ml_phys_read_data: 0xfffffff00c592dec
ml_phys_write_data: 0xfffffff00c59304c
_sysent_stat: 0xfffffff00c458bb0
_copyinstr: 0xfffffff00c58cc64
_IOLog: 0xfffffff00c8fd8f0
_strcmp: 0xfffffff00c5702d8
_payload_base: 0xfffffff00c9976d0
ttbr1_el1: 0x805638000
payload_base: 0xfffffff00c9976d0
vaddr: fffffff00c9976d0
l1_tte: 80563c003
l2_tte: 805654003
old l3_tte: 40000804994e83
new l3_tte: 40000804994e03
writing payload...
patching kernel...
vaddr: fffffff00c458bb0
l1_tte: 80563c003
l2_tte: 805654003
old l3_tte: 60000804458e83
new l3_tte: 60000804458e03
And I tested bookwalker and ăăȘăłă. They are still not launchable. Did I find wrong offsets or miss something?
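To read the `old l3_tte` / `new l3_tte` lines in the log above, here is an added decoder (not part of CPBypass2) for ARMv8-A stage-1 level-3 page descriptors with a 16 KiB granule, the granule the 16k devices in this thread use. Field positions follow the ARMv8 architecture manual; the sample values are copied from the log.

```c
/* Decode ARMv8-A level-3 (page) descriptors as printed by the log above and
 * show which bit changed between "old l3_tte" and "new l3_tte".
 * 16 KiB granule: page offset = VA bits [13:0], output address = bits [47:14]. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT_16K 14
#define PTE_VALID      (1ULL << 0)
#define PTE_PAGE       (1ULL << 1)   /* at level 3: 1 = page descriptor */
#define PTE_AP1        (1ULL << 6)   /* AP[1]: 1 = EL0 may access */
#define PTE_AP2        (1ULL << 7)   /* AP[2]: 1 = read-only, 0 = read/write */
#define PTE_AF         (1ULL << 10)  /* access flag */
#define PTE_PXN        (1ULL << 53)  /* privileged execute-never */
#define PTE_UXN        (1ULL << 54)  /* unprivileged execute-never */
#define PTE_OA_MASK    0x0000FFFFFFFFC000ULL  /* output address, bits [47:14] */

struct l3_desc {
    bool valid, page, el0, read_only, af, pxn, uxn;
    unsigned attr_idx, sh;
    uint64_t oa;
};

static struct l3_desc decode_l3(uint64_t tte) {
    struct l3_desc d = {
        .valid = tte & PTE_VALID, .page = tte & PTE_PAGE,
        .el0 = tte & PTE_AP1, .read_only = tte & PTE_AP2, .af = tte & PTE_AF,
        .pxn = tte & PTE_PXN, .uxn = tte & PTE_UXN,
        .attr_idx = (tte >> 2) & 7, .sh = (tte >> 8) & 3, .oa = tte & PTE_OA_MASK,
    };
    return d;
}

/* Physical address of a VA mapped by this L3 entry (16k granule). */
static uint64_t l3_va_to_pa(uint64_t tte, uint64_t va) {
    return (tte & PTE_OA_MASK) | (va & ((1ULL << PAGE_SHIFT_16K) - 1));
}

/* Bits that differ between two descriptors. */
static uint64_t l3_diff(uint64_t old_tte, uint64_t new_tte) { return old_tte ^ new_tte; }

int main(void) {
    /* Sample values copied from the CPBypass2 log (payload_base page). */
    const uint64_t old_tte = 0x40000804994e83ULL, new_tte = 0x40000804994e03ULL;
    const uint64_t va = 0xfffffff00c9976d0ULL;
    struct l3_desc o = decode_l3(old_tte), n = decode_l3(new_tte);
    printf("changed bits 0x%llx: AP[2] %d -> %d; PXN=%d UXN=%d; PA=0x%llx\n",
           (unsigned long long)l3_diff(old_tte, new_tte), o.read_only, n.read_only,
           o.pxn, o.uxn, (unsigned long long)l3_va_to_pa(new_tte, va));
    return 0;
}
```

The only bit that differs is AP[2], so each patch turns a read-only kernel page into a writable one; the second entry in the log (`_sysent_stat`) additionally carries PXN and UXN, i.e. it is a non-executable data page.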
Files other than those specified by CPBypass2 may be detected. For example, CPBypass2 does not evade Sileo's file detection. Is there any file you can think of?
Thanks for your advice. I restored the device (fully) and it works now! And I can't reproduce that now...
I want to test the offsets I just found.
It shows

> It seems that it only supports 16k devices with iOS 13/14.

and gets stuck at `Booting`. Maybe the offsets are incorrect.