kpwn / yalu102

incomplete iOS 10.2 jailbreak for 64 bit devices by qwertyoruiopz and marcograssi
Do What The F*ck You Want To Public License

[DEV] iOS 10.2.1 #414

Closed Derewith closed 7 years ago

Derewith commented 7 years ago

//I read the issue posting guidelines.

Hello guys, just to know.. I was looking for allproc_offset = 0x000000 & rootvnode_offset = 0x00000; for (iPhone 4.7 10.2.1 [14D27]).

Then I used lzssdec from xdadevtools to decrypt the kernelcache.release.n71, but I can't decompile the file using "Hopper Disassembler v4". (So I can't get the correct offsets.) (I uploaded the kernelcache.release.n71 -> here)

(bytes [0x1B7] > is this correct?)

```
./lzssdec -o 0x1B7 < kernelcache.release.n71 > kernelcache1.decrypted
xxd kernelcache1.decrypted | head -1
file kernelcache1.decrypted
```

Can anyone help me find these offsets?


Guide from match_portal

```
$ hexdump -C kernelcache.release.n51 | head
00000000  30 83 b5 9b 0d 16 04 49  4d 34 50 16 04 6b 72 6e  |0......IM4P..krn|
00000010  6c 16 1c 4b 65 72 6e 65  6c 43 61 63 68 65 42 75  |l..KernelCacheBu|
00000020  69 6c 64 65 72 2d 31 31  36 32 2e 32 30 2e 31 04  |ilder-1162.20.1.|
00000030  83 b5 9a de 63 6f 6d 70  6c 7a 73 73 83 13 7d ae  |....complzss..}.|
00000040  01 64 80 00 00 b5 29 5e  00 00 00 01 00 00 00 00  |.d....)^........|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001b0  00 00 00 00 ff cf fa ed  fe 0c 00 00 01 d5 00 f6  |................|
000001c0  f0 02 f6 f0 14 f6 f0 38  0e 9a f3 f1 20 f6 f1 00  |.......8.... ...|
000001d0  19 ff f1 f5 f0 5f 9f 5f  54 45 58 54 09 02 1c 03  |....._._TEXT....|
```


 * note down the offset of the ff cf fa ed fe byte sequence (in this case it's 0x1b4)

 * compile lzssdec from http://nah6.com/~itsme/cvs-xdadevtools/iphone/tools/lzssdec.cpp

 * run a command like: lzssdec -o 0x1b4 < kernel.release.n51 > kernel.decompressed

 * open the decompressed kernelcache in a recent version of IDA Pro (with support for iOS kextcaches)

 * say yes when IDA asks to split by kext

 * let the auto-analysis run - depending on how fast your computer is this might take a while! (it takes my 2013 MBP about 30 minutes)

 * go view -> open subviews -> segments and find the __TEXT:HEADER segment, the start should be FFFFFFF007004000
   if it isn't note this down as you'll need to work out a couple of offsets relative to this

 * go view -> open subviews -> names and find the kernproc data symbol.

 * subtract the __TEXT:HEADER value from that, this is the kernproc offset
     eg for iPhone 5S 10.1.1 kernproc is at FFFFFFF0075AE0E0 making the offset: 0x5AA0E0

 * now the harder one! We need to find allproc which isn't exported so is harder to find:

 * go view -> open subviews -> strings and find the string "pgrp_add : pgrp is dead adding process"

 * hit 'x' on the autogenerated string symbol name; you should see this symbol referenced from two functions

 * open the smaller of those functions in the IDA graph view

 * this is pgrp_add in the XNU source

 * scroll to the bottom of the CFG, the final three nodes all reference the same global variable with code like this:
    ADRP  X8, #qword_FFFFFFF0075A8128@PAGE
    LDR   X9, [X8,#qword_FFFFFFF0075A8128@PAGEOFF]

 * that's the address of allproc - subtract the kernel base to get the offset, in this case it's: 0x5A4128
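As an added example (not code from this thread or from the yalu102 project), here is a Python port of Apple's LZSS decoder that performs the first steps of the guide above programmatically: it finds the `ff cf fa ed fe` sequence (the flag byte followed by little-endian MH_MAGIC_64), which is the value you would pass to `lzssdec -o`, decompresses the stream, and checks the result against the `complzss` header. The header layout assumed here (tag, then big-endian adler32, uncompressed size, compressed size) and the `SAMPLE` blob are assumptions and constructed test data, not a real kernelcache.

```python
import struct
import zlib

N, F, THRESHOLD = 4096, 18, 2        # Apple LZSS ring-buffer parameters
LZSS_START = b"\xff\xcf\xfa\xed\xfe"  # literal-flag byte followed by little-endian MH_MAGIC_64

def lzss_decompress(src):
    # Port of Apple's decompress_lzss: N-byte ring buffer seeded with spaces, one control
    # byte per 8 items, back-references encoded as 12-bit ring offset + 4-bit length.
    text_buf = bytearray(b" " * (N + F - 1))
    r, flags, i, dst = N - F, 0, 0, bytearray()
    while True:
        flags >>= 1
        if not flags & 0x100:            # control byte used up: fetch the next one
            if i >= len(src): break
            flags = src[i] | 0xFF00; i += 1
        if flags & 1:                    # literal byte
            if i >= len(src): break
            c = src[i]; i += 1
            dst.append(c); text_buf[r] = c; r = (r + 1) & (N - 1)
        else:                            # back-reference into the ring buffer
            if i + 1 >= len(src): break
            j, k = src[i], src[i + 1]; i += 2
            j |= (k & 0xF0) << 4
            k = (k & 0x0F) + THRESHOLD
            for m in range(k + 1):
                c = text_buf[(j + m) & (N - 1)]
                dst.append(c); text_buf[r] = c; r = (r + 1) & (N - 1)
    return bytes(dst)

def decompress_kernelcache(blob):
    # Returns (offset to pass to `lzssdec -o`, decompressed Mach-O), verified against the
    # complzss header (assumed layout: "complzss", adler32, uncompressed size, compressed size, big-endian).
    pos = blob.find(b"complzss")
    off = blob.find(LZSS_START)
    if pos < 0 or off < 0:
        raise ValueError("not a complzss-wrapped 64-bit kernelcache")
    adler, usize, csize = struct.unpack(">III", blob[pos + 8:pos + 20])
    out = lzss_decompress(blob[off:off + csize])
    if len(out) != usize or zlib.adler32(out) != adler:
        raise ValueError("decompressed data does not match complzss header")
    return off, out

# Constructed sample (not a real kernelcache): header, zero padding, then a tiny LZSS stream
# whose output is the start of an arm64 Mach-O header plus a back-referenced copy of the magic.
_STREAM = (b"\xff\xcf\xfa\xed\xfe\x0c\x00\x00\x01"   # 8 literals: MH_MAGIC_64, CPU_TYPE_ARM64
           b"\xff\x00\x00\x00\x00\x02\x00\x00\x00"   # 8 literals: cpusubtype 0, MH_EXECUTE
           b"\x00\xee\xf1")                          # 4-byte back-reference to ring offset 0xFEE
_EXPECTED = _STREAM[1:9] + _STREAM[10:18] + _STREAM[1:5]
SAMPLE = (b"complzss" + struct.pack(">III", zlib.adler32(_EXPECTED), len(_EXPECTED), len(_STREAM))
          + b"\x00" * 0x40 + _STREAM)
```

Running `decompress_kernelcache(SAMPLE)` returns offset 0x54 and 20 bytes beginning with `cf fa ed fe 0c 00 00 01`, the same header bytes the guide's hexdump shows right after the flag byte at 0x1b4.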
Mila432 commented 7 years ago

https://github.com/kpwn/yalu102/issues/64

Derewith commented 7 years ago

@GusToughSon @Mila432, I know, but if someone can give me them it will be nice.

ghost commented 7 years ago


iOS 10.2.1 fixes exploits used by Yalu; you cannot add support for it.

ghost commented 7 years ago

As @lolman8776 stated, you can't use Yalu with 10.2.1, for Apple patched the exploit Yalu used.

matteyeux commented 7 years ago

Hey @Derewith, you can use joker to decompress the kernelcache automatically. BTW Yalu is fixed on 10.2.1+

Derewith commented 7 years ago

Thanks to @lolman8776 , @TheLukeGuy , @matteyeux