Difference between revisions of "Kernel Patches"

m (iOS 5.1.1b - 9B208: changed b to r, as requested by Adaminsull (b is beta))
Line 653: Line 653:
 
| 0x8004992C
 
| 0x8004992C
 
|}
 
|}
  +
  +
== Patching the kernel (using inline ASM) ==
  +
  +
Here are some functions, patched to be able to be used for jailbreak kernel patches,
  +
for vm_map_protect here is the function.
  +
  +
int vm_map_protect_patch()
  +
{
  +
__asm{
  +
AND.W R1, R6, #8
  +
CMP R1, #6
  +
IT EQ
  +
TSTEQ.W R0, #0x40000000
  +
BNE loc_8004A96A
  +
BIC.W R6, R6, #4
  +
}
  +
}
  +
  +
For vm_map_enter
  +
  +
int vm_map_enter_patch()
  +
{
  +
__asm {
  +
LDR R1, [R7,#cur_protection]
  +
AND.W R0, R4, #0x80000
  +
STR R0, [SP,#0xB8+var_54]
  +
STR R1, [SP,#0xB8+var_78]
  +
AND.W R0, R1, #8
  +
CMP R0, #6
  +
ITT EQ
  +
LDREQ R0, [SP,#0xB8+var_54]
  +
CMPEQ R0, #0
  +
BNE loc_800497F0
  +
LDR.W R1, =aKern_return_
  +
MOVS R0, #0
  +
BL sub_8001D608
  +
LDR R0, [R7,#cur_protection]
  +
BIC.W R0, R0, #4
  +
STR R0, [SP,#0xB8+var_78]
  +
}
  +
}
  +
  +
For cs_enforcement_disable (kernel)
  +
  +
int cs_kern_patch()
  +
{
  +
__asm LDR.W R3, =dword_802DE330
  +
__asm MRC p15, 0, R0,c13,c0, 4
  +
__asm LDR R2, [R4,#0x28]
  +
__asm LDR R3, #1
  +
__asm CMP R3, #0
  +
}
  +
  +
To use this in an untether, use find_vm_map_enter_patch(), find_vm_map_protect_patch() and find_cs_enforcement_disable_kernel() from
  +
planetbeings ios-jailbreak-finder, then use bcopy() to copy these functions (which are patched) to the address of the actual functions
  +
heres an example
  +
  +
uint32_t *p = malloc(0xd00000)
  +
uint32_t cs_kern = find_cs_enforcement_disable(kernel_file, p, sizeof(p));
  +
bcopy((void*)cs_kern_patch, cs_kern, sizeof(cs_kern_patch));
   
 
==References==
 
==References==

Revision as of 02:35, 28 March 2015

For the patches applied together with a jailbreak, most groups rely on a list of patches generated by comex. See https://github.com/comex/datautils0/blob/master/make_kernel_patchfile.c

See also saurik's comment for a list of "the 'best practice' patches that jailbreaks install by default" on ycombinator.

Kernel Offsets

(Initial list copied from Unthredera1n source code.)

Offsets

iOS 4.3.4 - 8K2

Symbol k48ap n18ap n81ap n88ap n90ap
KERNEL_AMFI_BINARY_CACHE 0x80355394 0x80706394 0x80618394 0x80688394 0x80759394
KERNEL_CS_ENFORCEMENT_DISABLE 0x8027EB5C 0x8027EB5C 0x8027EB5C 0x8027EB5C 0x8027EB5C
KERNEL_DEBUG_ENABLED 0x802D427C 0x802D427C 0x802D427C 0x802D427C 0x802D427C
KERNEL_FLUSH_DCACHE 0x80063504 0x80063504 0x80063504 0x80063504 0x80063504
KERNEL_FLUSH_ICACHE 0x800636F4 0x800636F4 0x800636F4 0x800636F4 0x800636F4
KERNEL_IOLOG 0x801CBE65 0x801CBE65 0x801CBE65 0x801CBE65 0x801CBE65
KERNEL_NX_ENABLE 0x8027F304 0x8027F304 0x8027F304 0x8027F304 0x8027F304
KERNEL_PROC_ENFORCE 0x8029C1E4 0x8029C1E4 0x8029C1E4 0x8029C1E4 0x8029C1E4
KERNEL_SANDBOX 0x80366CA6 0x807EACA6 0x80939CA6 0x80809CA6 0x80966CA6
KERNEL_SYSCALL0 0x802926EC 0x802926EC 0x802926EC 0x802926EC 0x802926EC
KERNEL_SYSCALL0_VALUE 0x8018246D 0x8018246D 0x8018246D 0x8018246D 0x8018246D
KERNEL_TASK_FOR_PID 0x801A7DF6 0x801A7DF6 0x801A7DF6 0x801A7DF6 0x801A7DF6
KERNEL_VM_MAP_ENTER 0x80043FC8 0x80043FC8 0x80043FC8 0x80043FC8 0x80043FC8
KERNEL_VM_MAP_PROTECT 0x8004115E 0x8004115E 0x8004115E 0x8004115E 0x8004115E

iOS 4.3.5 - 8L1

Symbol k48ap n18ap n81ap n88ap n90ap
KERNEL_AMFI_BINARY_CACHE 0x80355394 0x80706394 0x80618394 0x80688394 0x80759394
KERNEL_CS_ENFORCEMENT_DISABLE 0x8027EB5C 0x8027EB5C 0x8027EB5C 0x8027EB5C 0x8027EB5C
KERNEL_DEBUG_ENABLED 0x802D427C 0x802D427C 0x802D427C 0x802D427C 0x802D427C
KERNEL_FLUSH_DCACHE 0x80063504 0x80063504 0x80063504 0x80063504 0x80063504
KERNEL_FLUSH_ICACHE 0x800636F4 0x800636F4 0x800636F4 0x800636F4 0x800636F4
KERNEL_IOLOG 0x801CBE65 0x801CBE65 0x801CBE65 0x801CBE65 0x801CBE65
KERNEL_NX_ENABLE 0x8027F304 0x8027F304 0x8027F304 0x8027F304 0x8027F304
KERNEL_PROC_ENFORCE 0x8029C1E4 0x8029C1E4 0x8029C1E4 0x8029C1E4 0x8029C1E4
KERNEL_SANDBOX 0x80366CA6 0x807EACA6 0x80939CA6 0x80809CA6 0x80966CA6
KERNEL_SYSCALL0 0x802926EC 0x802926EC 0x802926EC 0x802926EC 0x802926EC
KERNEL_SYSCALL0_VALUE 0x8018246D 0x8018246D 0x8018246D 0x8018246D 0x8018246D
KERNEL_TASK_FOR_PID 0x801A7DF6 0x801A7DF6 0x801A7DF6 0x801A7DF6 0x801A7DF6
KERNEL_VM_MAP_ENTER 0x80043FC8 0x80043FC8 0x80043FC8 0x80043FC8 0x80043FC8
KERNEL_VM_MAP_PROTECT 0x8004115E 0x8004115E 0x8004115E 0x8004115E 0x8004115E

iOS 5.0 - 9A334

Symbol k48ap n18ap n81ap n88ap n90ap n92ap
KERNEL_CS_ENFORCEMENT 0x80045738 0x80045738 0x80045738 0x80045738 0x80045738 0x80045738
KERNEL_FLUSH_DCACHE 0x800719C4 0x800719C4 0x800719C4 0x800719C4 0x800719C4 0x800719C4
KERNEL_FLUSH_ICACHE 0x80071AC4 0x80071AC4 0x80071AC4 0x80071AC4 0x80071AC4 0x80071AC4
KERNEL_IOLOG 0x80203EDD 0x80203EDD 0x80203EDD 0x80203EDD 0x80203EDD 0x80203EDD
KERNEL_NX_ENABLE 0x802BAB84 0x802BAB84 0x802BAB84 0x802BAB84 0x802BAB84 0x802BAB84
KERNEL_PE_DEBUGGER 0x80241704 0x80241700 0x80241704 0x80241700 0x80241704 0x80241704
KERNEL_SYSCALL0 0x802CCBB0 0x802CCBB0 0x802CCBB0 0x802CCBB0 0x802CCBB0 0x802CCBB0
KERNEL_SYSCALL0_VALUE 0x801B2F79 0x801B2F79 0x801B2F79 0x801B2F79 0x801B2F79 0x801B2F79
KERNEL_TASK_FOR_PID0 0x801DFAA4 0x801DFAA4 0x801DFAA4 0x801DFAA4 0x801DFAA4 0x801DFAA4
KERNEL_VM_ENTER 0x800497D4 0x800497D4 0x800497D4 0x800497D4 0x800497D4 0x800497D4

iOS 5.0.1 - 9A405

Symbol k48ap n18ap n81ap n88ap n90ap n92ap
KERNEL_CS_ENFORCEMENT 0x80045738 0x80045738 0x80045738 0x80045738 0x80045738 0x80045738
KERNEL_FLUSH_DCACHE 0x800719C4 0x800719C4 0x800719C4 0x800719C4 0x800719C4 0x800719C4
KERNEL_FLUSH_ICACHE 0x80071AC4 0x80071AC4 0x80071AC4 0x80071AC4 0x80071AC4 0x80071AC4
KERNEL_IOLOG 0x80203F7D 0x80203F7D 0x80203F7D 0x80203F7D 0x80203F7D 0x80203F7D
KERNEL_NX_ENABLE 0x802BAB84 0x802BAB84 0x802BAB84 0x802BAB84 0x802BAB84 0x802BAB84
KERNEL_PE_DEBUGGER 0x802417A4 0x802417A0 0x802417A4 0x802417A0 0x802417A4 0x802417A4
KERNEL_SYSCALL0 0x802CCBB0 0x802CCBB0 0x802CCBB0 0x802CCBB0 0x802CCBB0 0x802CCBB0
KERNEL_SYSCALL0_VALUE 0x801B3015 0x801B3015 0x801B3015 0x801B3015 0x801B3015 0x801B3015
KERNEL_TASK_FOR_PID0 0x801DFB40 0x801DFB40 0x801DFB40 0x801DFB40 0x801DFB40 0x801DFB40
KERNEL_VM_ENTER 0x800497D4 0x800497D4 0x800497D4 0x800497D4 0x800497D4 0x800497D4

iOS 5.1 - 9B176

Symbol k48ap n18ap n81ap n88ap n90ap n92ap
KERNEL_AMFI 0x805D6718
KERNEL_AMFI_KILL 0x805D62F2
KERNEL_CS_ENFORCEMENT 0x80045874 0x80045874 0x80045874 0x80045874 0x80045874 0x80045874
KERNEL_FLUSH_DCACHE 0x80072204 0x80072204 0x80072204 0x80072204 0x80072204 0x80072204
KERNEL_FLUSH_ICACHE 0x80072304 0x80072304 0x80072304 0x80072304 0x80072304 0x80072304
KERNEL_IOLOG 0x802049DD 0x802049DD 0x802049DD 0x802049DD 0x802049DD 0x802049DD
KERNEL_NX_ENABLE 0x802BAB84 0x802BAB84 0x802BAB84 0x802BAB84 0x802BAB84 0x802BAB84
KERNEL_PE_DEBUGGER 0x8024220C 0x80242208 0x8024220C 0x80242208 0x8024220C 0x8024220C
KERNEL_SANDBOX 0x805EE61E
KERNEL_SYSCALL0 0x802CCBB0 0x802CCBB0 0x802CCBB0 0x802CCBB0 0x802CCBB0 0x802CCBB0
KERNEL_SYSCALL0_VALUE 0x801B3AA5 0x801B3AA5 0x801B3AA5 0x801B3AA5 0x801B3AA5 0x801B3AA5
KERNEL_TASK_FOR_PID0 0x801E05B4 0x801E05B4 0x801E05B4 0x801E05B4 0x801E05B4 0x801E05B4
KERNEL_VM_ENTER 0x8004992C 0x8004992C 0x8004992C 0x8004992C 0x8004992C 0x8004992C

iOS 5.1.1 - 9B206

Symbol k48ap n18ap n81ap n88ap n90ap n92ap
KERNEL_CS_ENFORCEMENT 0x80045874 0x80045874 0x80045874 0x80045874 0x80045874 0x80045874
KERNEL_FLUSH_DCACHE 0x80072204 0x80072204 0x80072204 0x80072204 0x80072204 0x80072204
KERNEL_FLUSH_ICACHE 0x80072304 0x80072304 0x80072304 0x80072304 0x80072304 0x80072304
KERNEL_IOLOG 0x802049DD 0x802049DD 0x802049DD 0x802049DD 0x802049DD 0x802049DD
KERNEL_NX_ENABLE 0x802BBB84 0x802BBB84 0x802BBB84 0x802BBB84 0x802BBB84 0x802BBB84
KERNEL_PE_DEBUGGER 0x8024220C 0x80242208 0x8024220C 0x80242208 0x8024220C 0x8024220C
KERNEL_SYSCALL0 0x802CDBB0 0x802CDBB0 0x802CDBB0 0x802CDBB0 0x802CDBB0 0x802CDBB0
KERNEL_SYSCALL0_VALUE 0x801B3AA5 0x801B3AA5 0x801B3AA5 0x801B3AA5 0x801B3AA5 0x801B3AA5
KERNEL_TASK_FOR_PID0 0x801E05B4 0x801E05B4 0x801E05B4 0x801E05B4 0x801E05B4 0x801E05B4
KERNEL_VM_ENTER 0x8004992C 0x8004992C 0x8004992C 0x8004992C 0x8004992C 0x8004992C

iOS 5.1.1r - 9B208

Symbol n90ap
KERNEL_CS_ENFORCEMENT 0x80045874
KERNEL_FLUSH_DCACHE 0x80072204
KERNEL_FLUSH_ICACHE 0x80072304
KERNEL_IOLOG 0x802049DD
KERNEL_NX_ENABLE 0x802BBB84
KERNEL_PE_DEBUGGER 0x8024220C
KERNEL_SYSCALL0 0x802CDBB0
KERNEL_SYSCALL0_VALUE 0x801B3AA5
KERNEL_TASK_FOR_PID0 0x801E05B4
KERNEL_VM_ENTER 0x8004992C

Patching the kernel (using inline ASM)

Here are some functions, patched so that they can be used as jailbreak kernel patches. For vm_map_protect, here is the function.

 /*
  * vm_map_protect_patch - replacement instruction sequence for the kernel's
  * vm_map_protect() protection check, transcribed from a disassembler listing.
  *
  * NOTE(review): the brace form `__asm{ ... }` is MSVC inline-assembly syntax;
  * GCC/Clang expect string operands (`__asm__("...")`), so this listing does
  * not build as-is with the usual iOS toolchains.  `loc_8004A96A` is a
  * disassembler-generated name for one fixed address in one specific kernel
  * build and is not defined anywhere in this listing.  Per the usage note
  * further down the page the function body is copied as raw bytes rather than
  * called, which is why the nominal int return value is never produced.
  *
  * NOTE(review): after `AND.W R1, R6, #8` R1 can only be 0 or 8, so
  * `CMP R1, #6` never yields EQ; as listed the predicated TST never executes,
  * the BNE is always taken and the BIC is unreachable.  Whether that is the
  * intended effect of the patch or a transcription error cannot be determined
  * from this page.
  */
 int vm_map_protect_patch()
 {
 __asm{
   AND.W R1, R6, #8            // isolate bit 3 (value 8) of R6
   CMP R1, #6                  // gate for the predicated TST below (see note above)
   IT EQ
   TSTEQ.W R0, #0x40000000     // executed only if the CMP set EQ
   BNE loc_8004A96A            // build-specific target address; leaves the sequence when NE
   BIC.W R6, R6, #4            // EQ path only: clears bit 2 (value 4) of R6
   }
 }

For vm_map_enter

 /*
  * vm_map_enter_patch - replacement instruction sequence for a check inside
  * the kernel's vm_map_enter(), transcribed from a disassembler listing.
  *
  * NOTE(review): same MSVC-style `__asm { ... }` brace syntax as the listing
  * above; it does not build with GCC/Clang as written.  `cur_protection`,
  * `var_54`, `var_78`, `loc_800497F0`, `aKern_return_` and `sub_8001D608` are
  * disassembler-generated frame, label, string and subroutine names for one
  * specific kernel build and are not defined anywhere in this listing.
  *
  * NOTE(review): after `AND.W R0, R1, #8` R0 can only be 0 or 8, so
  * `CMP R0, #6` never yields EQ; as listed the two EQ-predicated instructions
  * never execute and the BNE is always taken, leaving everything after it
  * unreachable.  Intent versus transcription error cannot be told apart here.
  */
 int vm_map_enter_patch()
 {
  __asm {
    LDR R1, [R7,#cur_protection]       // read the frame slot the disassembler called cur_protection
    AND.W R0, R4, #0x80000             // isolate bit 19 of R4
    STR R0, [SP,#0xB8+var_54]          // spill to stack slot var_54
    STR R1, [SP,#0xB8+var_78]          // spill the protection value to stack slot var_78
    AND.W R0, R1, #8                   // isolate bit 3 (value 8) of the protection value
    CMP R0, #6                         // see note above: cannot set EQ
    ITT EQ
    LDREQ R0, [SP,#0xB8+var_54]        // EQ path only
    CMPEQ R0, #0                       // EQ path only
    BNE loc_800497F0                   // build-specific target address
    LDR.W R1, =aKern_return_           // literal-pool load of a string address
    MOVS R0, #0
    BL sub_8001D608                    // call to an unnamed routine at a fixed address, R0 = 0, R1 = string
    LDR R0, [R7,#cur_protection]
    BIC.W R0, R0, #4                   // clear bit 2 (value 4) of the protection value
    STR R0, [SP,#0xB8+var_78]          // write it back to stack slot var_78
     }
 }

For cs_enforcement_disable (kernel)

 /*
  * cs_kern_patch - replacement instruction sequence for the kernel's
  * cs_enforcement_disable check, transcribed from a disassembler listing.
  *
  * NOTE(review): this uses the MSVC one-statement-per-line `__asm` form while
  * the two listings above use the brace form; both are MSVC syntax and neither
  * builds with GCC/Clang as written.  `dword_802DE330` is a disassembler name
  * for a fixed data address in one specific kernel build.
  *
  * NOTE(review): as listed, R3 loaded from the literal pool on the first line
  * is overwritten by the fourth line without being used, R2 is loaded and
  * never used, and the final CMP's flags are not consumed here - the sequence
  * presumably continues in the surrounding kernel code.  `LDR R3, #1` is not
  * a valid LDR operand form (a bare `#imm` is neither a memory operand nor an
  * `=literal`); it looks like a transcription slip - confirm against the
  * original disassembly.
  */
 int cs_kern_patch()
 {
   __asm LDR.W R3, =dword_802DE330
   // reads a CP15 c13 register into R0 (on ARMv7 this encoding is TPIDRPRW - confirm)
   __asm MRC p15, 0, R0,c13,c0, 4
   __asm LDR R2, [R4,#0x28]
   __asm LDR R3, #1
   __asm CMP R3, #0
 }

To use this in an untether, use find_vm_map_enter_patch(), find_vm_map_protect_patch() and find_cs_enforcement_disable_kernel() from planetbeing's ios-jailbreak-finder, then use bcopy() to copy these (patched) functions to the addresses of the actual functions. Here is an example:

 /*
  * Example of installing the cs_kern_patch body, as given on the page.
  *
  * NOTE(review): this fragment is illustrative and does not compile as
  * written; the following is visible in the three lines themselves:
  *  - the first statement is missing its terminating `;`;
  *  - `sizeof(p)` is the size of the pointer (4 or 8 bytes), not the
  *    0xd00000-byte allocation it points to;
  *  - the malloc() result is never checked for NULL, and `p` is not freed;
  *  - `cs_kern` is a uint32_t, but bcopy()'s destination parameter is a
  *    `void *`;
  *  - the finder is called find_cs_enforcement_disable() here but
  *    find_cs_enforcement_disable_kernel() in the paragraph above;
  *  - `sizeof(cs_kern_patch)` applies sizeof to a function designator, a
  *    constraint violation in ISO C (GCC accepts it as an extension and
  *    yields 1), so it is not the length of the patch body - the page does
  *    not state that length.
  * `kernel_file` and find_cs_enforcement_disable() are not defined on the page.
  */
 uint32_t *p = malloc(0xd00000)
 uint32_t cs_kern = find_cs_enforcement_disable(kernel_file, p, sizeof(p));
 bcopy((void*)cs_kern_patch, cs_kern, sizeof(cs_kern_patch));

References