Difference between revisions of "Hgsp4 patch"
Revision by Bellis1000 (talk | contribs), editing the section "hgsp4 enabled jailbreaks" (2 intermediate revisions by the same user not shown). This revision adds two entries to the list of jailbreaks known to enable hgsp4: "* [[Pangu9]] (9.1) on 64-bit" and "* [[Electra]] (11.0-11.1.2) on 64-bit".
Latest revision as of 19:11, 31 March 2018
A hgsp4 patch (or host_get_special_port(4) patch) is a kernel patch that enables any executable running as root to access the kernel task by calling host_get_special_port for host special port 4 (hence the name). This host special port is usually unused, and the kernel task port must be “mounted” there by an exploit.[1][2] It is thus recommended that host special port 4 be used solely for the kernel task port.[3]
The hgsp4 route is equivalent to the tfp0 route, and tools that rely on tfp0 can be recompiled to use hgsp4 instead.[4] In a tweet, tihmstar confirmed that this applies to kloader too.[5]
Example code
The following example C program calls host_get_special_port and, on success, returns the port name as its exit status, which can be checked with echo $? in bash after running the test program (bash keeps only the low 8 bits of the exit status, so -1 shows up as 255):

```c
#include <mach/mach.h>

int main(void)
{
    mach_port_t kernel_task = 0;
    /* Ask the local host for special port 4; a hgsp4-patched kernel hands back the kernel task port here. */
    if (host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &kernel_task) != KERN_SUCCESS)
        return -1;
    /* A successful call that yields 0 means nothing is mounted at port 4 (no hgsp4 patch). */
    return kernel_task;
}
```

-1 is returned on error. 0 is returned if no hgsp4 patch is enabled.
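As an added example (not the wiki's own code) of the tfp0/hgsp4 equivalence described above: a port lookup that tries task_for_pid(0) first and falls back to host_get_special_port(4), treating a call that succeeds but hands back a null port as "not patched", which is the case the test program above reports as 0. The Mach wrappers only compile on Apple platforms; the fake routes, the port-name type and the value 0x907 are constructed stand-ins for exercising the selection logic off-device.

```c
#include <stdint.h>

typedef uint32_t port_name_t;                 /* stand-in for mach_port_t */
#define PORT_NULL ((port_name_t)0)

/* A route fills *out and returns 0 on success, like a kern_return_t of KERN_SUCCESS. */
typedef int (*port_route_fn)(port_name_t *out);

enum kroute { KROUTE_NONE = 0, KROUTE_TFP0 = 1, KROUTE_HGSP4 = 2 };

/* Try tfp0 first, then hgsp4. A route counts as working only if the call
 * returns success AND hands back a non-null port: an unpatched kernel answers
 * host_get_special_port(4) with KERN_SUCCESS and a null port, so checking the
 * return code alone would report a kernel port that does not exist. */
int acquire_kernel_port(port_route_fn tfp0, port_route_fn hgsp4, port_name_t *out)
{
    port_name_t p = PORT_NULL;
    if (tfp0 && tfp0(&p) == 0 && p != PORT_NULL) { *out = p; return KROUTE_TFP0; }
    p = PORT_NULL;
    if (hgsp4 && hgsp4(&p) == 0 && p != PORT_NULL) { *out = p; return KROUTE_HGSP4; }
    *out = PORT_NULL;
    return KROUTE_NONE;
}

#ifdef __APPLE__
/* Real routes, only compiled on Apple platforms where the Mach headers exist. */
#include <mach/mach.h>
static int route_tfp0(port_name_t *out)
{
    mach_port_t t = MACH_PORT_NULL;
    kern_return_t kr = task_for_pid(mach_task_self(), 0, &t);
    *out = t;
    return kr == KERN_SUCCESS ? 0 : -1;
}
static int route_hgsp4(port_name_t *out)
{
    mach_port_t t = MACH_PORT_NULL;
    kern_return_t kr = host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &t);
    *out = t;
    return kr == KERN_SUCCESS ? 0 : -1;
}
#endif

/* Constructed fakes (not real device behaviour) so the selection logic can be
 * exercised off-device. 0x907 is an arbitrary made-up port name. */
static int fake_tfp0_denied(port_name_t *out)     { *out = PORT_NULL; return -1; }
static int fake_hgsp4_unpatched(port_name_t *out) { *out = PORT_NULL; return 0; }
static int fake_hgsp4_mounted(port_name_t *out)   { *out = 0x907;     return 0; }
```

On a device, call acquire_kernel_port(route_tfp0, route_hgsp4, &port) and branch on the returned route; off-device the fakes reproduce the "success but null port" case that a plain return-code check would misread.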
hgsp4 enabled jailbreaks
Jailbreaks known to enable hgsp4 include:
- Pangu9 (9.1) on 64-bit
- yalu+mach_portal (10.0-10.1.1) on 64-bit
- h3lix (10.0–10.3.3) on 32-bit
- Electra (11.0-11.1.2) on 64-bit
See also
References
[1] https://bazad.github.io/2017/09/live-kernel-introspection-ios/
[2] https://github.com/iabem97/hermes/blob/master/hermes/disable_protections.c
[3] http://www.newosxbook.com/forum/viewtopic.php?f=8&t=16641
[4] @PanguTeam: "For security researchers, calling host_get_special_port with 4 on jailbroken devices will give u kernel task port just like task_for_pid(0)"
[5] @tihmstar: "kloader works fine with h3lix :) Thanks to @nyan_satan for sending me a compiled version which uses hgsp(4)"