Difference between revisions of "Tfp0 patch"

From The iPhone Wiki
Jump to: navigation, search
m
Line 42: Line 42:
 
* [[Home Depot]] (9.1–9.3.4) on 32-bit
 
* [[Home Depot]] (9.1–9.3.4) on 32-bit
 
* [[jbme]] (9.2–9.3.3) on 64-bit
 
* [[jbme]] (9.2–9.3.3) on 64-bit
* [[yalu]] (10.x) on 64-bit
+
* [[extra_recipe+yaluX]] (10.0–10.1.1) on 64-bit
  +
* [[yalu102]] (10.2) on 64-bit (excluding iPhone 7)
   
 
The following jailbreaks do ''not'' have tfp0 enabled:
 
The following jailbreaks do ''not'' have tfp0 enabled:
Line 55: Line 56:
 
* [[h3lix]] (10.0–10.3.3) on 32-bit
 
* [[h3lix]] (10.0–10.3.3) on 32-bit
 
:* No solution for compiled code, replace <code>task_for_pid(mach_task_self(), 0, &ktask)</code> calls with <code>host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &ktask)</code> if source is available
 
:* No solution for compiled code, replace <code>task_for_pid(mach_task_self(), 0, &ktask)</code> calls with <code>host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &ktask)</code> if source is available
  +
  +
== See also ==
  +
* [[hgsp4 patch]]
   
 
[[Category:Kernel Patches]]
 
[[Category:Kernel Patches]]

Revision as of 21:33, 26 December 2017

In the XNU kernel, task_for_pid is a function that allows a (privileged) process to get the task port of another process on the same host, except the kernel task (process ID 0). A tfp0 patch (or task_for_pid(0) patch) removes this restriction, allowing any executable running as root to call task_for_pid for pid 0 (hence the name) and then use vm_read and vm_write to modify the kernel VM region. The entitlements get-task-allow and task_for_pid-allow are required to make AMFI happy.

Example code

The following C program calls task_for_pid and returns the error code:

#include <mach/mach.h>

// Compile and fakesign with entitlements (on-device; LLVM+Clang and ldid must be installed):
// cc -o tfp0 tfp0.c && ldid -Stfp0.plist tfp0

int main(void) {
    mach_port_t kernel_task = 0;
    return task_for_pid(mach_task_self(), 0, &kernel_task);
}

The returned error code, which can be checked using echo $? in bash after running the test program, will be 0 if the call succeeded. If it did not, a positive number, e.g. 5 (KERN_FAILURE), is returned instead (see kern_return.h for possible values). The entitlements plist (named tfp0.plist in this example) for ldid can look like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>get-task-allow</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>

tfp0 enabled jailbreaks

Jailbreaks known to enable tfp0 include:

The following jailbreaks do not have tfp0 enabled:

  • Pangu v0.1–0.2 (7.1–7.1.2)
  • Solution: Update to version 0.3 (filename: io.pangu.axe7_0.3_iphoneos-arm.deb)
  • Solution: Update to version 0.5 (filename: io.pangu.xuanyuansword8_0.5_iphoneos-arm.deb)
  • Solution: replace PPJailbreak with TaiG
  • Pangu9 (9.0–9.3.3) on 64-bit
  • Solution: use cl0ver by Siguza
  • h3lix (10.0–10.3.3) on 32-bit
  • No solution for compiled code, replace task_for_pid(mach_task_self(), 0, &ktask) calls with host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &ktask) if source is available

See also