hgsp4 patch
A hgsp4 patch (or host_get_special_port(4) patch) is a kernel patch that enables any executable running as root to access the kernel task by calling host_get_special_port for host special port 4 (hence the name). This host special port is usually unused, and the kernel task port must be “mounted” there by an exploit.[1][2] It is thus recommended that host special port 4 be used solely for the kernel task port.[3]
The hgsp4 route is equivalent to the tfp0 route, and tools that rely on tfp0 can be recompiled to use hgsp4 instead.[4] In a tweet, tihmstar confirmed that this applies to kloader too.[5]
Example code
The following example C program calls host_get_special_port and, on success, returns a positive integer (the kernel task port name) that can be checked using echo $? in bash after running the test program:

    #include <mach/mach.h>

    int main(void)
    {
        mach_port_t kernel_task = MACH_PORT_NULL;

        /* host_get_special_port returns KERN_SUCCESS (0) when the call itself
         * succeeds; the port name it hands back is 0 when nothing has been
         * placed in host special port 4. The host-priv port is required, so
         * the program has to run as root. */
        if (host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &kernel_task) != KERN_SUCCESS)
            return -1;

        return kernel_task;
    }

-1 is returned on error (shown as 255 by $?, because an exit status keeps only its low 8 bits; for the same reason only the low byte of the port name reaches the shell, so any status other than 0 and 255 should be read as "port found"). 0 is returned if no hgsp4 patch is enabled.
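Porting a tfp0-based tool to hgsp4, as the tweet from the Pangu team describes, mostly comes down to swapping the call that obtains the kernel task port. The C program below is an added example, not code from the wiki or from any of the jailbreaks it lists: it tries host special port 4 first and falls back to task_for_pid(0), treats a call that succeeds but hands back port name 0 (the unpatched case) as a miss, and prints the port name instead of returning it as an exit status, since $? keeps only the low 8 bits. The KPORT_METHOD_* constants, the sim_* stub lookups and the port names 0x903 and 0xb07 are constructed for offline testing; the real Mach calls only compile on Apple platforms.

```c
#include <stdio.h>

#ifdef __APPLE__
#include <mach/mach.h>
#include <mach/mach_error.h>
#endif

/* A lookup routine fills *port_out and returns 0 on success, non-zero on
 * failure. The selection logic is platform-independent so it can be tested
 * anywhere; the Mach-backed lookups are only compiled on Apple platforms. */
typedef int (*kernel_port_lookup)(unsigned int *port_out);

#define KPORT_METHOD_NONE  0
#define KPORT_METHOD_HGSP4 1
#define KPORT_METHOD_TFP0  2

/* Try hgsp4 first, then tfp0. A lookup that "succeeds" but hands back port
 * name 0 (MACH_PORT_NULL) is treated as a miss: that is what an unpatched
 * kernel returns for host special port 4. Returns the method that worked
 * and stores the port name in *port_out (0 if neither route worked). */
int acquire_kernel_port(kernel_port_lookup hgsp4, kernel_port_lookup tfp0,
                        unsigned int *port_out)
{
    unsigned int port = 0;

    if (hgsp4 != NULL && hgsp4(&port) == 0 && port != 0) {
        *port_out = port;
        return KPORT_METHOD_HGSP4;
    }
    port = 0;
    if (tfp0 != NULL && tfp0(&port) == 0 && port != 0) {
        *port_out = port;
        return KPORT_METHOD_TFP0;
    }
    *port_out = 0;
    return KPORT_METHOD_NONE;
}

/* Simulated lookups (constructed for offline testing; the port names are
 * made up and stand in for whatever the kernel would hand back). */
int sim_hgsp4_present(unsigned int *port_out)   { *port_out = 0x903; return 0; }  /* patched kernel */
int sim_hgsp4_unpatched(unsigned int *port_out) { *port_out = 0;     return 0; }  /* call ok, port 0 */
int sim_tfp0_present(unsigned int *port_out)    { *port_out = 0xb07; return 0; }
int sim_lookup_fails(unsigned int *port_out)    { *port_out = 0;     return -1; } /* e.g. KERN_FAILURE */

#ifdef __APPLE__
/* hgsp4 route: host special port 4; needs the host-priv port, i.e. root. */
int lookup_hgsp4(unsigned int *port_out)
{
    mach_port_t port = MACH_PORT_NULL;
    kern_return_t kr = host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &port);
    if (kr != KERN_SUCCESS) {
        fprintf(stderr, "host_get_special_port(4): %s\n", mach_error_string(kr));
        return -1;
    }
    *port_out = port;
    return 0;
}

/* tfp0 route: task_for_pid(0). */
int lookup_tfp0(unsigned int *port_out)
{
    mach_port_t port = MACH_PORT_NULL;
    kern_return_t kr = task_for_pid(mach_task_self(), 0, &port);
    if (kr != KERN_SUCCESS) {
        fprintf(stderr, "task_for_pid(0): %s\n", mach_error_string(kr));
        return -1;
    }
    *port_out = port;
    return 0;
}
#endif

int main(void)
{
#ifdef __APPLE__
    unsigned int kport = 0;
    int method = acquire_kernel_port(lookup_hgsp4, lookup_tfp0, &kport);
    /* Print the port name rather than returning it: an exit status keeps
     * only its low 8 bits, so a full Mach port name does not fit in $?. */
    printf("method=%d kernel_task=0x%x\n", method, kport);
    return method == KPORT_METHOD_NONE ? 1 : 0;
#else
    puts("Mach APIs are only available on Apple platforms; selection logic only");
    return 1;
#endif
}
```

Keeping the lookups behind a function pointer is what lets the same binary serve both the hgsp4 jailbreaks listed below and older tfp0-only ones, and it is also what makes the "call succeeded, port is 0" case testable without a device.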
hgsp4 enabled jailbreaks
Jailbreaks known to enable hgsp4 include:
- Pangu9 (9.1) on 64-bit
- yalu+mach_portal (10.0–10.1.1) on 64-bit
- h3lix (10.0–10.3.3) on 32-bit
- Electra (11.0–11.1.2) on 64-bit
References
[1] https://bazad.github.io/2017/09/live-kernel-introspection-ios/
[2] https://github.com/iabem97/hermes/blob/master/hermes/disable_protections.c
[3] http://www.newosxbook.com/forum/viewtopic.php?f=8&t=16641
[4] @PanguTeam (tweet): "For security researchers, calling host_get_special_port with 4 on jailbroken devices will give u kernel task port just like task_for_pid(0)"
[5] @tihmstar (tweet): "kloader works fine with h3lix :) Thanks to @nyan_satan for sending me a compiled version which uses hgsp(4)"