4k devices support - Part 2

[meyer9]

Old thread was getting long

[ghost]

:). I think we are going to need Luca's help to figure this one out. @meyer9

[x86shell]

I read about the "WriteAnywhere64(ReadAnywhere64(find_kernel_pmap()), level1_table);" algorithm you wrote about in the last post, so i attempted some debugging myself, it seems that line of code is sometimes ran sucessfully and sometimes it causes a kernel panic, I think its due to the amount of Virtual memory the devices have like you wrote in the original post. I also noticed that if i had apps open in the background (using virtual memory) that section of the code never got ran successfully. I'm just going to leave it down to you guys however as i'm not really a expert when it comes down to stuff like this. Just thought i should drop my 2 cents into the bucket.

[meyer9]

that's interesting, so maybe it's filling up the page since the page is smaller...

[Shade-Zepheri]

so the issue is in the difference in page sizes between 16k and 4k devices?

[meyer9]

yes, it looks like we're trying to overwrite the iOS kernel pmap. We the need a valid pmap to start which should be at the memory offset 0xfffffff022b9a868ish.

[x86shell]

@meyer9 I think as were dealing with a smaller page size, that is the issue. I don't know about getting around and fixing it though. In my testing, i've been able to use NSLog() to get to different places in the code each run, There doesn't seem to be any consistency to when it crashes in the code, which tells me the page size is the limiting factor.

[meyer9]

it crashes consistently here: WriteAnywhere64(ReadAnywhere64(find_kernel_pmap()), level1_table);. It just runs for an extra couple of seconds, so the logs look like it completes that step.

[x86shell]

@meyer9 Are you using a fully stock version of 10.2 or do you have apps installed?

[meyer9]

I have apps.

[meyer9]

So, with a couple debug statements, I see we're replacing the value 0xfffffff00d8b9000 with 0xffffffe80ae00000. This is consistent and if I write that value instead of the level1_table, it will not kernel panic, meaning out level1_table value is wrong.

This is some progress. I have a feeling we'll be able to fix this.

So, we're remapping physical memory addresses to virtual ones in our own way to bypass KPP I'm guessing.

[msamuel002]

@meyer9 what devices are you testing on? iPhone 6 or iPhone 5S or both? thanks

[meyer9]

I only have a 6, but it should work on the 5s when ready.

[ghost]

I'm surprised the Air 2 is a 4k device

[meyer9]

Ok, so here is some more data, current pmap: 0xfffffff00bab9000, replacing with: 0xffffffe809000000 on iPhone 7,2

[CemreSuler]

If we have the offsets, why are 4K devices still not supported?

[ghost]

@Mila432 Fails at same place as iPhone 6 when running Yalu from Xcode? This is my iPad Air 2 WiFi model anyway

[Mila432]

@nicogibbons your device should fail here https://github.com/kpwn/yalu102/issues/40#issuecomment-275769214

[ninjaprawn]

@cemre2002 In case you haven't been following, the reason why 4k devices aren't supported is because the structure of the lower-level bits this code is playing around is different on 4k devices compared to 16k devices. AFAIK, it's a size difference, meaning that the target location we are looking for will be at a different place

[ghost]

Wait is Air 2 a 16K device? @Mila432

[ghost]

Ah thought so :p @meyer9

[KILLCAMPER]

Is the Air pad 2 cellular 4K ? Or 16k

[x86shell]

@KILLCAMPER its 16k

[oncheonche]

Apple TV 4 is a 4k device I think as it has a A8 chip. If anyone wants me to test something on this device, no problem.

[KILLCAMPER]

@0x0luke thank you so souprt will be easier then 4K at mo . As I was in the mentally it was a 4K thanks bud

[akelly5]

i got iPhone 6 I can test for you guys

[msamuel002]

@meyer9 same with @akelly5 i have an iphone 6 tell me if you need anything to be tested

[msamuel002]

also, @meyer9 what happened after you changed the pmap?

[Dennisbonke]

iPhone 6 here as well, will test anything you throw at me

[AppleBetas]

@0x0luke iPad Air 2 is actually a 4k device.

[tangalbert919]

@AppleBetas is correct because any device with an A8 or A8X CPU or something older is a 4k device. Anything with an A9, A9X or something newer is 16k. This is memory management we are talking about. If you don't know Objective-C or C (like me), let's try not to ask questions because the answers are hard to understand in terms of "programming".

[tangalbert919]

The weekend has started, so I'll be waiting for testing. That is a tough thing to say because I'm on an Android device right now.

[Dennisbonke]

Please explain to me what this memory issue would be on a A8 or lower chip, as I am pretty interested in OS development, I should know my C code :)

[tangalbert919]

According to @kpwn, anything that isn't the iPhone 7, 6s, SE, or the iPad Pro is a 4k device. And honestly, I need to grab a book to learn C.

[meyer9]

Essentially the memory is structured differently on 4k devices. The number of pages per block is 4096 instead of 16384. Since it's a 4k device, the pmap should be different since it maps pages in virtual memory to pages in physical memory.

[akelly5]

if anyone needs help hmu on twitter aidan_kelly5

[Dennisbonke]

@meyer9 thanks for the information!

[msamuel002]

@meyer9 have you gotten anywhere in terms of support for iphone 6?

[x86shell]

@AppleBetas I believe the Wifi is 4k and the cellcular is 16k but im not sure.

[meyer9]

I have not gotten much farther, but it should be solvable.

[msamuel002]

@meyer9 thanks for your hard work, and btw, I alongside @Dennisbonke and @akelly5 have iPhone 6 in case you need anyhing to test we can help out

[relative2]

I also have an iPhone 6.

[meyer9]

Shouldn't be a problem. I have one as well.

[Nikostito]

Guys have you seen in Reddit that a user announced to have succesfully jailbroken his ipad mini 2? No proof is provided but maybe could be of help to all?

[meyer9]

Setting the last arg of this to 4 instead of 2 allows me to reach breakup!:

#define RemapPage(address) \
    pagestuff_64((address) & (~PMK), ^(vm_address_t tte_addr, int addr) {\
        uint64_t tte = ReadAnywhere64(tte_addr);\
        if (!(TTE_GET(tte, TTE_IS_TABLE_MASK))) {\
            NSLog(@"breakup!");\
            uint64_t fakep = physalloc(PSZ);\
            uint64_t realp = TTE_GET(tte, TTE_PHYS_VALUE_MASK);\
            TTE_SETB(tte, TTE_IS_TABLE_MASK);\
            for (int i = 0; i < PSZ/8; i++) {\
                TTE_SET(tte, TTE_PHYS_VALUE_MASK, realp + i * PSZ);\
                WriteAnywhere64(fakep+i*8, tte);\
            }\
            TTE_SET(tte, TTE_PHYS_VALUE_MASK, findphys_real(fakep));\
            WriteAnywhere64(tte_addr, tte);\
        }\
        uint64_t newt = physalloc(PSZ);\
        copyin(bbuf, TTE_GET(tte, TTE_PHYS_VALUE_MASK) - gPhysBase + gVirtBase, PSZ);\
        copyout(newt, bbuf, PSZ);\
        TTE_SET(tte, TTE_PHYS_VALUE_MASK, findphys_real(newt));\
        TTE_SET(tte, TTE_BLOCK_ATTR_UXN_MASK, 0);\
        TTE_SET(tte, TTE_BLOCK_ATTR_PXN_MASK, 0);\
        WriteAnywhere64(tte_addr, tte);\
        NSLog(@"level %llx - %llx", tte_addr,              TTE_GET(tte, TTE_PHYS_VALUE_MASK));\
    }, level1_table, 4);

[ghost]

@meyer9 What is breakup? Is that closer to solving the issue?

[mmhobi7]

Is pagestuff_64 closed source?

[ghost]

@Aaahh No its not i saw someone decompile it on the 4k support original issue thread.

[relative2]

@TheMerkyShadow if you decompile something it means that 1) you're blind and you didn't look for the source if it existed or 2) it was closed source and mainly its number 2 that is the reason.

[ghost]

@FNCxPro I was just answering a question.

[Mila432]

@TheMerkyShadow @Aaahh its open source..