![]() ![]() All the tools referred in this write-up will be linked at the end of the article. We need to decrypt the kernel using xpwntool. However, It’s not pink flowers and unicorns here either. Fortunately, the decryption keys are available, so we don’t need to dump the kernel from the memory of the device (much more painful and hard to do and requires exploit and more coding). So, without further ado, let’s begin() our journey! Getting started.Īt first, we need to obtain ourselves a copy of the iOS 8.4.1 (or the version you intend to use this for) Kernel. ![]() That was the reason I’ve decided to put together this write-up. In my case, I was going to use Trident by benjamin-42 on GitHub, but I realized that the offsetfinder.c from his project does not have the offsets for iPod Touch 5th Generation on iOS 8.4.1 which means that the project is totally useless for my device until I find the correct offsets. You can reuse parts of someone else’s code (publicly released open source exploits, PoCs, etc.), as long as you give proper credits and you respect the license. When you’re building a jailbreak, there is no legal notice that you MUST do everything from scratch or otherwise your PC will catch fire. These can be located, fortunately, on TheiPhoneWiki for all 32-Bit devices and some 64-Bit devices too. Of course, since my example is on iOS 8.4.1, and therefore before the changes implemented in iOS 10 regarding the encryption of the firmware, before we can do any sort of disassembly we need to decrypt the Kernel with the appropriate Key and IV. Of course, _kernel_pmap is not the only component that needs patching in a jailbreak, and for each component, the address you find in IDA or in Hopper won’t match the live Kernel because of kASLR (Kernel Address Space Layout Randomization). In this case, I need to find the offset, add the Kernel Base and calculate the live, slid address of _kernel_pmap. If I disassemble the 78 using IDA Pro or Hopper Disassembler, the _kernel_pmap can be located at address 0x803a311c in the _DATA segment, but this will not remain true for the live running kernel, so I can’t just patch PMAP using that address. The iOS 8.4.1 Kernel is randomized using kASLR by iBoot at every boot of the system so we’ll need to calculate the randomized address of the components we wanna patch. The Kernel base will be required, especially since I need to patch a few things up. I was working on a private iOS 8.4.1 Jailbreak for my iPod Touch 5th Generation for practicing purposes and I’ve decided to use CVE-2016-4655 in order to leak the Kernel Base. I am gonna use the iPod Touch 5th Generation for this write-up. Each exploit requires a different set of offsets for various kernel components and each offset is found in a different way, but I believe this information should be useful for beginners. The offsets are for the components this particular project requires, but the methodology and the information can easily be adapted to other iOS versions, devices, and projects. This write-up uses as an example the Trident project by benjamin-42.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |