The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Tfp0 patch"
m |
|||
Line 42: | Line 42: | ||
* [[Home Depot]] (9.1–9.3.4) on 32-bit |
* [[Home Depot]] (9.1–9.3.4) on 32-bit |
||
* [[jbme]] (9.2–9.3.3) on 64-bit |
* [[jbme]] (9.2–9.3.3) on 64-bit |
||
− | * [[ |
+ | * [[extra_recipe+yaluX]] (10.0–10.1.1) on 64-bit |
+ | * [[yalu102]] (10.2) on 64-bit (excluding iPhone 7) |
||
The following jailbreaks do ''not'' have tfp0 enabled: |
The following jailbreaks do ''not'' have tfp0 enabled: |
||
Line 55: | Line 56: | ||
* [[h3lix]] (10.0–10.3.3) on 32-bit |
* [[h3lix]] (10.0–10.3.3) on 32-bit |
||
:* No solution for compiled code, replace <code>task_for_pid(mach_task_self(), 0, &ktask)</code> calls with <code>host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &ktask)</code> if source is available |
:* No solution for compiled code, replace <code>task_for_pid(mach_task_self(), 0, &ktask)</code> calls with <code>host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &ktask)</code> if source is available |
||
+ | |||
+ | == See also == |
||
+ | * [[hgsp4 patch]] |
||
[[Category:Kernel Patches]] |
[[Category:Kernel Patches]] |
Revision as of 21:33, 26 December 2017
In the XNU kernel, task_for_pid
is a function that allows a (privileged) process to get the task port of another process on the same host, except the kernel task (process ID 0). A tfp0 patch (or task_for_pid(0) patch) removes this restriction, allowing any executable running as root to call task_for_pid for pid 0 (hence the name) and then use vm_read
and vm_write
to modify the kernel VM region. The entitlements get-task-allow and task_for_pid-allow are required to make AMFI happy.
Example code
The following C program calls task_for_pid
and returns the error code:
#include <mach/mach.h> // Compile and fakesign with entitlements (on-device; LLVM+Clang and ldid must be installed): // cc -o tfp0 tfp0.c && ldid -Stfp0.plist tfp0 int main(void) { mach_port_t kernel_task = 0; return task_for_pid(mach_task_self(), 0, &kernel_task); }
The returned error code, which can be checked using echo $?
in bash after running the test program, will be 0 if the call succeeded. If it did not, a positive number, e.g. 5 (KERN_FAILURE), is returned instead (see kern_return.h
for possible values). The entitlements plist (named tfp0.plist
in this example) for ldid can look like this:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>get-task-allow</key> <true/> <key>run-unsigned-code</key> <true/> <key>task_for_pid-allow</key> <true/> </dict> </plist>
tfp0 enabled jailbreaks
Jailbreaks known to enable tfp0 include:
- Absinthe (5.1.1)
- evasi0n (6.0–6.1.2)
- p0sixspwn (6.1.3–6.1.6)
- evasi0n7 (7.0–7.0.6)
- Pangu v0.3 (7.1–7.1.2)
- Pangu8 v0.5 (8.0–8.1)
- TaiG (8.0–8.4)
- Pangu9 (9.0–9.0.2) on 32-bit
- Home Depot (9.1–9.3.4) on 32-bit
- jbme (9.2–9.3.3) on 64-bit
- extra_recipe+yaluX (10.0–10.1.1) on 64-bit
- yalu102 (10.2) on 64-bit (excluding iPhone 7)
The following jailbreaks do not have tfp0 enabled:
- Pangu v0.1–0.2 (7.1–7.1.2)
- Solution: Update to version 0.3 (filename:
io.pangu.axe7_0.3_iphoneos-arm.deb
)
- Solution: Update to version 0.3 (filename:
- Pangu8 v0.1–0.4 (8.0–8.1)
- Solution: Update to version 0.5 (filename:
io.pangu.xuanyuansword8_0.5_iphoneos-arm.deb
)
- Solution: Update to version 0.5 (filename:
- PPJailbreak (8.0–8.4)
- Solution: replace PPJailbreak with TaiG
- Pangu9 (9.0–9.3.3) on 64-bit
- Solution: use cl0ver by Siguza
- h3lix (10.0–10.3.3) on 32-bit
- No solution for compiled code, replace
task_for_pid(mach_task_self(), 0, &ktask)
calls withhost_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &ktask)
if source is available
- No solution for compiled code, replace