
async_wake with a bit of fun! - async_awake by Ian Beer (https://bugs.chromium.org/p/project-zero/issues/detail?id=1417#c3)

Adding New Symbols Doesn't Work #12

Closed 4Benj closed 6 years ago

4Benj commented 6 years ago

Hi, I added new symbols to get my iPad mini 2 working, while adding a few other symbols for my friends, but in my testing my iPad resprings. Any thoughts?

here is the console build_id: 15B202 sysname: Darwin nodename: iPad release: 17.2.0 version: Darwin Kernel Version 17.2.0: Fri Sep 29 18:14:49 PDT 2017; root:xnu-4570.20.62~4/RELEASE_ARM64_S5L8960X machine: iPad4,4 this is iPad Mini 2 WiFi, should work! message size for kalloc.4096: 2956 got user client: 0x6107 [+] prepared kqueue task self: 0xfffffff002afe498 our task port is at 0xfffffff002afe498 found target port with suitable allocation page offset: 0xfffffff005976b90 replacer_body_size: 0xb74 message_body_offset: 0x448 0 e00002c9 0 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 got replaced with replacer port 52 found kernel vm_map: 0xfffffff11e5866e0 second time got replaced with replacer port 0 will try to read from second port (fake kernel) kernel read via fake kernel task port worked? 0x0000000000420000 0x0000000000000000 0xfffffff11e590890 0xfffffff11e5907f0 about to build safer tfp0 message buffer: fffffff00f027000 fake_kernel_task_kaddr: fffffff00f027000 read fake_task_refs: d00d about to test new tfp0 kernel read via second tfp0 port worked? 0x0000000000420000 0x0000000000000000 0xfffffff11e590890 0xfffffff11e5907f0 built safer tfp0 about to clear up cleared up tfp0: 188920b have symbols for this device, testing the kernel debugger... 
trying to pin to cpu0: fffffff01e9e90c8 pin_current_thread yielding cpu pin_current_thread back on cpu running on fffffff01e9e90c8 message buffer: fffffff00f03e000 message buffer: fffffff00d1fe400 message buffer: fffffff00f03f000 kcall object allocated via early_kalloc at fffffff00f03f000

// and these are the offsets I have:
// ip7 — kernel symbol addresses for build 15B202.
// Entry order follows the KSYMBOL_* index named in each comment; the enum
// that defines those names is not part of this excerpt.
uint64_t ksymbols_iphone_7_15B202[] = {
    0xFFFFFFF0074D74CCULL, // [0]  KSYMBOL_OSARRAY_GET_META_CLASS
    0xFFFFFFF007566454ULL, // [1]  KSYMBOL_IOUSERCLIENT_GET_META_CLASS
    0xFFFFFFF007567BFCULL, // [2]  KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
    0xFFFFFFF0073EB130ULL, // [3]  KSYMBOL_CSBLOB_GET_CD_HASH
    0xFFFFFFF007101248ULL, // [4]  KSYMBOL_KALLOC_EXTERNAL
    0xFFFFFFF007101278ULL, // [5]  KSYMBOL_KFREE
    0xFFFFFFF0074D74D4ULL, // [6]  KYSMBOL_RET
    0xFFFFFFF0074F11CCULL, // [7]  KSYMBOL_OSSERIALIZER_SERIALIZE
    0xFFFFFFF00758C618ULL, // [8]  KSYMBOL_KPRINTF
    0xFFFFFFF0074FC164ULL, // [9]  KSYMBOL_UUID_COPY
    0xFFFFFFF0075B2000ULL, // [10] KSYMBOL_CPU_DATA_ENTRIES
    0xFFFFFFF0070CC1D4ULL, // [11] KSYMBOL_VALID_LINK_REGISTER
    0xFFFFFFF0070CC1ACULL, // [12] KSYMBOL_X21_JOP_GADGET
    0xFFFFFFF0070CC474ULL, // [13] KSYMBOL_EXCEPTION_RETURN
    0xFFFFFFF0070CC42CULL, // [14] KSYMBOL_THREAD_EXCEPTION_RETURN
    0xFFFFFFF0071E1998ULL, // [15] KSYMBOL_SET_MDSCR_EL1_GADGET
    0xFFFFFFF007439B20ULL, // [16] KSYMBOL_WRITE_SYSCALL_ENTRYPOINT (this is actually 1 instruction in to the entrypoint)
    0xFFFFFFF0071DE074ULL, // [17] KSYMBOL_EL1_HW_BP_INFINITE_LOOP
    0xFFFFFFF0071DEA24ULL, // [18] KSYMBOL_SLEH_SYNC_EPILOG
};

// iPhone X — kernel symbol addresses for build 15B202.
// Entry order follows the KSYMBOL_* index named in each comment; the enum
// that defines those names is not part of this excerpt.
uint64_t ksymbols_iphone_x_15B202[] = {
    0xFFFFFFF0074F9948ULL, // [0]  KSYMBOL_OSARRAY_GET_META_CLASS
    0xFFFFFFF00758B03CULL, // [1]  KSYMBOL_IOUSERCLIENT_GET_META_CLASS
    0xFFFFFFF00758C7B0ULL, // [2]  KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
    0xFFFFFFF007400974ULL, // [3]  KSYMBOL_CSBLOB_GET_CD_HASH
    0xFFFFFFF00710232CULL, // [4]  KSYMBOL_KALLOC_EXTERNAL
    0xFFFFFFF00710235CULL, // [5]  KSYMBOL_KFREE
    0xFFFFFFF007102358ULL, // [6]  KYSMBOL_RET
    0xFFFFFFF007513324ULL, // [7]  KSYMBOL_OSSERIALIZER_SERIALIZE
    0xFFFFFFF0075B2694ULL, // [8]  KSYMBOL_KPRINTF
    0xFFFFFFF00751E1D8ULL, // [9]  KSYMBOL_UUID_COPY
    0xFFFFFFF0075D6000ULL, // [10] KSYMBOL_CPU_DATA_ENTRIES
    0xFFFFFFF0070CC1D4ULL, // [11] KSYMBOL_VALID_LINK_REGISTER
    0xFFFFFFF0070CC1ACULL, // [12] KSYMBOL_X21_JOP_GADGET
    0xFFFFFFF0070CC474ULL, // [13] KSYMBOL_EXCEPTION_RETURN
    0xFFFFFFF0070CC42CULL, // [14] KSYMBOL_THREAD_EXCEPTION_RETURN
    0xFFFFFFF0071E8630ULL, // [15] KSYMBOL_SET_MDSCR_EL1_GADGET
    0xFFFFFFF007454194ULL, // [16] KSYMBOL_WRITE_SYSCALL_ENTRYPOINT (this is actually 1 instruction in to the entrypoint)
    0xFFFFFFF0071E451CULL, // [17] KSYMBOL_EL1_HW_BP_INFINITE_LOOP
    0xFFFFFFF0071E4ED8ULL, // [18] KSYMBOL_SLEH_SYNC_EPILOG
};

// iPod touch 6G — kernel symbol addresses for build 15B202.
// Entry order follows the KSYMBOL_* index named in each comment; the enum
// that defines those names is not part of this excerpt. The trailing notes
// on each line are the original author's.
uint64_t ksymbols_ipod_touch_6g_15b202[] = {
    0xfffffff0074a4a4cULL, // [0]  KSYMBOL_OSARRAY_GET_META_CLASS
    0xfffffff007533cf8ULL, // [1]  KSYMBOL_IOUSERCLIENT_GET_META_CLASS
    0xfffffff0075354a0ULL, // [2]  KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
    0xfffffff0073b71e4ULL, // [3]  KSYMBOL_CSBLOB_GET_CD_HASH
    0xfffffff0070c8710ULL, // [4]  KSYMBOL_KALLOC_EXTERNAL
    0xfffffff0070c8740ULL, // [5]  KSYMBOL_KFREE
    0xfffffff0070c873cULL, // [6]  KYSMBOL_RET
    0xfffffff0074be978ULL, // [7]  KSYMBOL_OSSERIALIZER_SERIALIZE
    0xfffffff007559fd0ULL, // [8]  KSYMBOL_KPRINTF
    0xfffffff0074c9910ULL, // [9]  KSYMBOL_UUID_COPY
    0xfffffff00757e000ULL, // [10] KSYMBOL_CPU_DATA_ENTRIES — 0x6000 in to the data segment
    0xfffffff00709818cULL, // [11] KSYMBOL_VALID_LINK_REGISTER — look for reference to FAR_EL1 (Fault Address Register (EL1))
    0xfffffff007098164ULL, // [12] KSYMBOL_X21_JOP_GADGET — look for references to FPCR (Floating-point Control Register)
    0xfffffff007098434ULL, // [13] KSYMBOL_EXCEPTION_RETURN — look for references to Set PSTATE.DAIF [--IF]
    0xfffffff0070983e4ULL, // [14] KSYMBOL_THREAD_EXCEPTION_RETURN — a bit before exception_return
    0xfffffff0071ad144ULL, // [15] KSYMBOL_SET_MDSCR_EL1_GADGET — look for references to MDSCR_EL1
    0xfffffff0074062f4ULL, // [16] KSYMBOL_WRITE_SYSCALL_ENTRYPOINT — look for references to enosys to find the syscall table (this is actually 1 instruction in to the entrypoint)
    0xfffffff0071a90c0ULL, // [17] KSYMBOL_EL1_HW_BP_INFINITE_LOOP — look for xrefs to "ESR (0x%x) for instruction trapped" and find switch case 49
    0xfffffff0071a9abcULL, // [18] KSYMBOL_SLEH_SYNC_EPILOG — look for xrefs to "Unsupported Class %u event code."
};

// 6p (N56ap) — kernel symbol addresses for build 15B202.
// Same index order as the other ksymbols_* tables; the first eleven comments
// give the (mangled) kernel symbol names the original author used, the rest
// the KSYMBOL_* index names. The enum defining those names is not part of
// this excerpt, and the trailing notes are the original author's.
uint64_t ksymbol_iphone_6p_15b202[] = {
    0xfffffff0074a4a4cULL, // [0]  ZNK7OSArray12getMetaClassEv
    0xfffffff007533cf8ULL, // [1]  ZNK12IOUserClient12getMetaClassEv
    0xfffffff0075354a0ULL, // [2]  ZN12IOUserClient24getTargetAndTrapForIndexEPP9IOServicej
    0xfffffff0073b71e4ULL, // [3]  _csblob_get_cdhash
    0xfffffff0070c8710ULL, // [4]  _kalloc_external
    0xfffffff0070c8740ULL, // [5]  _kfree
    0xfffffff0070c873cULL, // [6]  ret
    0xfffffff0074be978ULL, // [7]  ZNK12OSSerializer9serializeEP11OSSerialize
    0xfffffff007559fd0ULL, // [8]  kprintf
    0xfffffff0074c9910ULL, // [9]  _uuid_copy
    0xfffffff00757e000ULL, // [10] _DATA:__data + 0x6000 // 0x4DDE74 +
    0xfffffff00709818cULL, // [11] KSYMBOL_VALID_LINK_REGISTER — look for reference to FAR_EL1 (Fault Address Register (EL1))
    0xfffffff007098180ULL, // [12] KSYMBOL_X21_JOP_GADGET — look for references to FPCR (Floating-point Control Register)
    0xfffffff007098434ULL, // [13] KSYMBOL_EXCEPTION_RETURN — look for references to Set PSTATE.DAIF [--IF]
    0xfffffff0070983e4ULL, // [14] KSYMBOL_THREAD_EXCEPTION_RETURN — a bit before exception_return
    0xfffffff0071accb8ULL, // [15] KSYMBOL_SET_MDSCR_EL1_GADGET — look for references to MDSCR_EL1
    0xfffffff0074062f0ULL, // [16] KSYMBOL_WRITE_SYSCALL_ENTRYPOINT — look for references to enosys to find the syscall table (this is actually 1 instruction in to the entrypoint)
    0xfffffff0071a90c0ULL, // [17] KSYMBOL_EL1_HW_BP_INFINITE_LOOP — look for xrefs to "ESR (0x%x) for instruction trapped" and find switch case 49
    0xfffffff0071a9abcULL, // [18] KSYMBOL_SLEH_SYNC_EPILOG — look for xrefs to "Unsupported Class %u event code."
};

// iPhone 6s — kernel symbol addresses for build 15B202.
// Entry order follows the KSYMBOL_* index named in each comment; the enum
// that defines those names is not part of this excerpt. The trailing notes
// on each line are the original author's.
uint64_t ksymbols_iphone_6s_15b202[] = {
    0xfffffff00748d548ULL, // [0]  KSYMBOL_OSARRAY_GET_META_CLASS
    0xfffffff00751c4d0ULL, // [1]  KSYMBOL_IOUSERCLIENT_GET_META_CLASS
    0xfffffff00751dc78ULL, // [2]  KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
    0xfffffff0073a1054ULL, // [3]  KSYMBOL_CSBLOB_GET_CD_HASH
    0xfffffff0070b8088ULL, // [4]  KSYMBOL_KALLOC_EXTERNAL
    0xfffffff0070b80b8ULL, // [5]  KSYMBOL_KFREE
    0xfffffff0070b80b4ULL, // [6]  KYSMBOL_RET
    0xfffffff0074a7248ULL, // [7]  KSYMBOL_OSSERIALIZER_SERIALIZE
    0xfffffff0075426c4ULL, // [8]  KSYMBOL_KPRINTF
    0xfffffff0074b21e0ULL, // [9]  KSYMBOL_UUID_COPY
    0xfffffff007566000ULL, // [10] KSYMBOL_CPU_DATA_ENTRIES — 0x6000 in to the data segment
    0xfffffff00708818cULL, // [11] KSYMBOL_VALID_LINK_REGISTER — look for reference to FAR_EL1 (Fault Address Register (EL1))
    0xfffffff007088164ULL, // [12] KSYMBOL_X21_JOP_GADGET — look for references to FPCR (Floating-point Control Register)
    0xfffffff007088434ULL, // [13] KSYMBOL_EXCEPTION_RETURN — look for references to Set PSTATE.DAIF [--IF]
    0xfffffff0070883e4ULL, // [14] KSYMBOL_THREAD_EXCEPTION_RETURN — a bit before exception_return
    0xfffffff007197ab0ULL, // [15] KSYMBOL_SET_MDSCR_EL1_GADGET — look for references to MDSCR_EL1
    0xfffffff0073efb44ULL, // [16] KSYMBOL_WRITE_SYSCALL_ENTRYPOINT — look for references to enosys to find the syscall table (this is actually 1 instruction in to the entrypoint)
    0xfffffff0071941d8ULL, // [17] KSYMBOL_EL1_HW_BP_INFINITE_LOOP — look for xrefs to "ESR (0x%x) for instruction trapped" and find switch case 49
    0xfffffff007194bbcULL, // [18] KSYMBOL_SLEH_SYNC_EPILOG — look for xrefs to "Unsupported Class %u event code."
};

// iPhone 6 — kernel symbol addresses for build 15B202.
// Entry order follows the KSYMBOL_* index named in each comment; the enum
// that defines those names is not part of this excerpt. The trailing notes
// on each line are the original author's.
uint64_t ksymbols_iphone_6_15b202[] = {
    0xfffffff0074a4a4cULL, // [0]  KSYMBOL_OSARRAY_GET_META_CLASS
    0xfffffff007533cf8ULL, // [1]  KSYMBOL_IOUSERCLIENT_GET_META_CLASS
    0xfffffff0075354a0ULL, // [2]  KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
    0xfffffff0073b71e4ULL, // [3]  KSYMBOL_CSBLOB_GET_CD_HASH
    0xfffffff0070c8710ULL, // [4]  KSYMBOL_KALLOC_EXTERNAL
    0xfffffff0070c8740ULL, // [5]  KSYMBOL_KFREE
    0xfffffff0070c873cULL, // [6]  KYSMBOL_RET
    0xfffffff0074be978ULL, // [7]  KSYMBOL_OSSERIALIZER_SERIALIZE
    0xfffffff007559fd0ULL, // [8]  KSYMBOL_KPRINTF
    0xfffffff0074c9910ULL, // [9]  KSYMBOL_UUID_COPY
    0xfffffff00757e000ULL, // [10] KSYMBOL_CPU_DATA_ENTRIES — 0x6000 in to the data segment
    0xfffffff00709818cULL, // [11] KSYMBOL_VALID_LINK_REGISTER — look for reference to FAR_EL1 (Fault Address Register (EL1))
    0xfffffff007098164ULL, // [12] KSYMBOL_X21_JOP_GADGET — look for references to FPCR (Floating-point Control Register)
    0xfffffff007098434ULL, // [13] KSYMBOL_EXCEPTION_RETURN — look for references to Set PSTATE.DAIF [--IF]
    0xfffffff0070983e4ULL, // [14] KSYMBOL_THREAD_EXCEPTION_RETURN — a bit before exception_return
    0xfffffff0071ad144ULL, // [15] KSYMBOL_SET_MDSCR_EL1_GADGET — look for references to MDSCR_EL1
    0xfffffff0074062f4ULL, // [16] KSYMBOL_WRITE_SYSCALL_ENTRYPOINT — look for references to enosys to find the syscall table (this is actually 1 instruction in to the entrypoint)
    0xfffffff0071a90c0ULL, // [17] KSYMBOL_EL1_HW_BP_INFINITE_LOOP — look for xrefs to "ESR (0x%x) for instruction trapped" and find switch case 49
    0xfffffff0071a9abcULL, // [18] KSYMBOL_SLEH_SYNC_EPILOG — look for xrefs to "Unsupported Class %u event code."
};

// iPad mini 2 WiFi — kernel symbol addresses for build 15B202.
// Entry order follows the KSYMBOL_* index named in each comment; the enum
// that defines those names is not part of this excerpt. The trailing notes
// on each line are the original author's.
uint64_t ksymbols_ipad_mini_2_wifi_15b202[] = {
    0xfffffff0074947ecULL, // [0]  KSYMBOL_OSARRAY_GET_META_CLASS
    0xfffffff007523a98ULL, // [1]  KSYMBOL_IOUSERCLIENT_GET_META_CLASS
    0xfffffff007525240ULL, // [2]  KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
    0xfffffff0073a6f84ULL, // [3]  KSYMBOL_CSBLOB_GET_CD_HASH
    0xfffffff0070b8590ULL, // [4]  KSYMBOL_KALLOC_EXTERNAL
    0xfffffff0070b85c0ULL, // [5]  KSYMBOL_KFREE
    0xfffffff0070b85bcULL, // [6]  KYSMBOL_RET
    0xfffffff0074ae718ULL, // [7]  KSYMBOL_OSSERIALIZER_SERIALIZE
    0xfffffff007549d40ULL, // [8]  KSYMBOL_KPRINTF
    0xfffffff0074b96b0ULL, // [9]  KSYMBOL_UUID_COPY
    0xfffffff00756e000ULL, // [10] KSYMBOL_CPU_DATA_ENTRIES — 0x6000 in to the data segment
    0xfffffff00708818cULL, // [11] KSYMBOL_VALID_LINK_REGISTER — look for reference to FAR_EL1 (Fault Address Register (EL1))
    0xfffffff007088164ULL, // [12] KSYMBOL_X21_JOP_GADGET — look for references to FPCR (Floating-point Control Register)
    0xfffffff007088434ULL, // [13] KSYMBOL_EXCEPTION_RETURN — look for references to Set PSTATE.DAIF [--IF]
    0xfffffff0070883e4ULL, // [14] KSYMBOL_THREAD_EXCEPTION_RETURN — a bit before exception_return
    0xfffffff00719cf44ULL, // [15] KSYMBOL_SET_MDSCR_EL1_GADGET — look for references to MDSCR_EL1
    0xfffffff0073f6094ULL, // [16] KSYMBOL_WRITE_SYSCALL_ENTRYPOINT — look for references to enosys to find the syscall table (this is actually 1 instruction in to the entrypoint)
    0xfffffff007198ec0ULL, // [17] KSYMBOL_EL1_HW_BP_INFINITE_LOOP — look for xrefs to "ESR (0x%x) for instruction trapped" and find switch case 49
    0xfffffff0071998bcULL, // [18] KSYMBOL_SLEH_SYNC_EPILOG — look for xrefs to "Unsupported Class %u event code."
};

// and here are the symbols I have:
// Selects the per-device symbol table by matching u.machine (presumably the
// utsname machine string — not shown in this excerpt) and records whether one
// was found. `u`, `symbols` and `have_syms`, and the function this sits in,
// are declared outside this excerpt.
if (strstr(u.machine, "iPod7,1")) {
    printf("this is iPod Touch 6G, should work!\n");
    symbols = ksymbols_ipod_touch_6g_15b202;
    have_syms = 1;
} else if (strstr(u.machine, "iPhone9,3")) {
    printf("this is iPhone 7, should work!\n");
    symbols = ksymbols_iphone_7_15B202;
    have_syms = 1;
} else if (strstr(u.machine, "iPhone9,4")) {
    printf("this is iPhone 7 plus, should work!\n");
    symbols = ksymbols_iphone_7_15B202;
    have_syms = 1;
} else if (strstr(u.machine, "iPhone10,6")) {
    printf("this is iPhone X, should work!\n");
    symbols = ksymbols_iphone_x_15B202;
    have_syms = 1;
} else if (strstr(u.machine, "iPhone8,1")) {
    printf("this is iPhone 6s, should work!\n");
    symbols = ksymbols_iphone_6s_15b202;
    have_syms = 1;
} else if (strstr(u.machine, "iPhone7,1")) {
    printf("this is iPhone 6P, should work!\n");
    symbols = ksymbol_iphone_6p_15b202;
    have_syms = 1;
} else if (strstr(u.machine, "iPhone7,2")) {
    printf("this is iPhone 6, should work!\n");
    symbols = ksymbols_iphone_6_15b202;
    have_syms = 1;
} else if (strstr(u.machine, "iPad4,4")) {
    printf("this is iPad Mini 2 WiFi, should work!\n");
    symbols = ksymbols_ipad_mini_2_wifi_15b202;
    have_syms = 1;
} else if (strstr(u.machine, "iPhone6,2")) {
    printf("this is iPhone 5s, should work!\n");
    symbols = ksymbols_ipad_mini_2_wifi_15b202;
    have_syms = 1;
} else {
    // No table for this device: leave symbols unset so callers can check have_syms.
    printf("no symbols for this device yet\n");
    printf("tfp0 should still work, but the kernel debugger PoC won't\n");
    symbols = NULL;
    have_syms = 0;
}

I have used some of this code from another async project.

ghost commented 6 years ago

Can you please format the code into neat lines, like you would see in Xcode?

ninjaprawn commented 6 years ago

I have no need for symbol offsets in this project — everything is done via a patchfinder. The symbols are used only for the kernel debugger, which is not a priority. I have not needed to reference any of those offsets.