
ios-11.1.2-15b202-jailbreak's Introduction

iOS 11 Jailbreak

Target

This jailbreak targets iOS 11.1.2 (build 15B202) only. If your device is not on exactly this build, it will not work for you.

How to Install

Load and run the Xcode project, or sideload the IPA using Cydia Impactor. For more complete, visual instructions see the "How to jailbreak your phone" section of iOS_jailbreak_writeup.pdf.

Note: It is recommended to sideload the app and leave it running, since code-signing problems will arise if the app is closed. If you run the jailbreak from Xcode, do not disconnect the cable, as that also causes code-signing problems. A fix for this is scheduled for 0.4.

Version 0.3c

Several stability bugs have been fixed. tfp0 is now inserted into host special port 4 (hsp4), so any application running as root can obtain the kernel task port. The live kernel introspection webserver has been moved out of the jailbreak app into a binary dropped on the system, and relies on hsp4 for its kernel access.

More bug fixes and extra features are planned for 0.4; see the Issues section for more information or to report a bug.

Copyright

I could have copy-pasted MIT or BSD, but it boils down to this: credit the authors. This jailbreak is released as 100% open source to help the security community. Feel free to take the code and use it how you wish, just keep in mind that if it's my code, attribute me, BUT MORE IMPORTANTLY, if I used someone else's code or ideas, make sure to credit them and respect their licenses (QiLin, especially). My goal is for this code to help the security community and vulnerability research in general, so don't use it commercially. Let information be free!

ios-11.1.2-15b202-jailbreak's People

Contributors

brycebearchell


ios-11.1.2-15b202-jailbreak's Issues

Split web server

Web server is nice, but splitting it from the app would be great -- especially if it uses host_special_port 4.
You can pass kernel slide/address of some task to it via env/args too.
This way it might be useful for others.

A problem in function set_platform_attribs

Here is the code snippet:
void set_platform_attribs(uint64_t proc, mach_port_t tfp0) { ... uint64_t vnode_info = rk64(0x248);

I am a bit confused here by "uint64_t vnode_info = rk64(0x248);"

Set hsp4

Since patching task_for_pid isn't an option, an alternative way of passing kernel_task is in wide use in jailbreaks.

Mach has per-task and per-host special ports. In XNU there's only one host, though.

Host special ports can be obtained with host_get_special_port and set with host_set_special_port.
However, you need host_priv to call those APIs. If you're running as root, then your mach_host_self() is a host_priv (and if not, just a host).

Ports 4-7 aren't used and leave "room to grow". So, port 4 is an obvious target.
However, ports below 7 can only be set by the kernel itself.

So, you have to set the port manually.
Ports are stored inside of "realhost" structure of type host_data_t, which has mutex in beginning and array of ipc_ports "special" after that.
So, to set host special port 4, you have to find realhost, add 0x10 (mutex) + 0x8 * 4, and write the pointer to the ipc_port representing tfp0 there.

And ip_kobject of host_port points to realhost :)

See coolstar/electra#22 for an example.
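As an added example (not code from this repository, nor from the issue author or electra), here is the hsp4 write described in the issue, which is also the mechanism the 0.3c notes refer to when they say tfp0 is inserted into hsp4. The realhost layout (a 0x10-byte mutex followed by the array of special ports, so slot 4 is at +0x10 + 8*4) and the fact that the host port's ip_kobject points to realhost come from the issue. The ip_kobject offset of 0x68 inside struct ipc_port is an assumption for iOS 11 era kernels and must be confirmed against the target build, and kernel memory is simulated with a byte array so the logic runs and can be checked on any host; the kmem window address, the fixture addresses and the function names are all invented for the example.

```c
/*
 * Added example: writing tfp0's ipc_port into host special port 4 (hsp4),
 * as the issue describes. Not code from the jailbreak repository.
 *
 * From the issue:   realhost = { 0x10-byte mutex; ipc_port_t special[] }
 *                   slot 4 is at realhost + 0x10 + 8*4
 *                   host_port->ip_kobject points to realhost
 * ASSUMPTION:       ip_kobject sits at offset 0x68 in struct ipc_port
 *                   (iOS 11 era value; confirm against your kernel).
 * Kernel memory is SIMULATED by a byte array so the logic is runnable and
 * checkable anywhere; on device, kread64/kwrite64 would wrap the
 * mach_vm_read_overwrite/mach_vm_write calls made on tfp0.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <inttypes.h>

#define REALHOST_MUTEX_SIZE  0x10u
#define HSP4_INDEX           4
#define IPC_PORT_IP_KOBJECT  0x68u   /* ASSUMED iOS 11 offset */

/* ---- simulated kernel memory window --------------------------------- */
#define KMEM_BASE 0xfffffff007000000ULL   /* made-up kernel address */
#define KMEM_SIZE 0x1000u
static uint8_t kmem[KMEM_SIZE];

bool kaddr_in_window(uint64_t kaddr, size_t len) {
    return kaddr >= KMEM_BASE && kaddr - KMEM_BASE + len <= KMEM_SIZE;
}

uint64_t kread64(uint64_t kaddr) {
    uint64_t v = 0;
    if (kaddr_in_window(kaddr, 8)) memcpy(&v, &kmem[kaddr - KMEM_BASE], 8);
    return v;
}

bool kwrite64(uint64_t kaddr, uint64_t v) {
    if (!kaddr_in_window(kaddr, 8)) return false;  /* like KERN_INVALID_ADDRESS */
    memcpy(&kmem[kaddr - KMEM_BASE], &v, 8);
    return true;
}

/* ---- the hsp4 technique ---------------------------------------------- */

/* Address of realhost->special[idx]: past the leading mutex, 8 bytes per slot. */
uint64_t host_special_port_slot(uint64_t realhost, int idx) {
    return realhost + REALHOST_MUTEX_SIZE + 8ull * (uint64_t)idx;
}

/* realhost is whatever the host port's ip_kobject points at. */
uint64_t find_realhost(uint64_t host_port_kaddr) {
    return kread64(host_port_kaddr + IPC_PORT_IP_KOBJECT);
}

/* Store the kernel address of tfp0's ipc_port in slot 4, then read it back. */
bool set_hsp4(uint64_t host_port_kaddr, uint64_t tfp0_port_kaddr) {
    uint64_t realhost = find_realhost(host_port_kaddr);
    if (realhost == 0) return false;
    uint64_t slot = host_special_port_slot(realhost, HSP4_INDEX);
    if (!kwrite64(slot, tfp0_port_kaddr)) return false;
    return kread64(slot) == tfp0_port_kaddr;
}

/* Constructed fixture: a fake host ipc_port whose ip_kobject points at a
 * fake realhost. Returns the host port's simulated kernel address. */
uint64_t build_fixture(uint64_t *realhost_out) {
    memset(kmem, 0, sizeof kmem);
    uint64_t host_port = KMEM_BASE + 0x100;
    uint64_t realhost  = KMEM_BASE + 0x400;
    kwrite64(host_port + IPC_PORT_IP_KOBJECT, realhost);
    *realhost_out = realhost;
    return host_port;
}

#ifdef __APPLE__
#include <mach/mach.h>
/* Consumer side, on device: a root process fetches the port back through
 * the public API. mach_host_self() is only a host_priv port when euid == 0. */
mach_port_t get_hsp4(void) {
    mach_port_t p = MACH_PORT_NULL;
    if (host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &p) != KERN_SUCCESS)
        return MACH_PORT_NULL;
    return p;
}
#endif

int main(void) {
    uint64_t realhost;
    uint64_t host_port = build_fixture(&realhost);
    uint64_t tfp0_port = KMEM_BASE + 0x800;   /* pretend ipc_port of tfp0 */
    if (!set_hsp4(host_port, tfp0_port)) { puts("hsp4 write failed"); return 1; }
    uint64_t slot = host_special_port_slot(realhost, HSP4_INDEX);
    printf("realhost=0x%" PRIx64 " slot4=0x%" PRIx64 " -> 0x%" PRIx64 "\n",
           realhost, slot, kread64(slot));
    return 0;
}
```

On device the jailbreak would run set_hsp4 once with the real kernel addresses of the host port and of the tfp0 port; afterwards any root process can recover the kernel task port with host_get_special_port on index 4, which is what lets a separately dropped binary (such as the webserver) get kernel access without the app. The read-back at the end of set_hsp4 is the cheap check worth keeping: a write that silently lands elsewhere is how later tfp0 operations turn into panics.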

Remap tfp0

"safe" TFP0 isn't full, and only mach_vm APIs work on it.
Try calling mach_ports_lookup on it, for example. Device will panic.
Either make a proper copy, or better: remap it.

See hsp4/v0rtex by Siguza.

The problem with vm_remap APIs is that they don't recurse into submaps properly.
So you have to find zone_map which is a submap of kernel_map for remapping.
kernel_map can be found in kernel_task->vm_map. zone_map can be theoretically detected by walking maps from kernel_map and looking for map where, for example, previously leaked ports/tasks are. However, it's pretty trivial to find in kernel binary.

Also, you can't really call vm_remap -- only mach_vm_remap.
So, you have to create fake tasks with vm_map set to zone_map on first and zone_map or kernel_map on second, make fake ports for them, and call mach_vm_remap.

See coolstar/electra#22 for example.

JB crashes

Hello, after I compile and run the code in Xcode, the application starts. However, if I click the Run Jailbreak button, the application crashes shortly afterwards; below is my output from the Xcode logs. Any ideas what could be wrong? I have tried the same process at least 5 times :) I run 15B202/iPhone7, as you can see below.

2018-02-01 19:34:26.463576+0100 Jailbreak[242:5878] About to run
This application is located at: /var/containers/Bundle/Application/6F2090A0-F186-41E8-83BA-EE4AF4EA4122/Jailbreak.app/Jailbreak
build_id: 15B202
sysname: Darwin
nodename: ps
release: 17.2.0
version: Darwin Kernel Version 17.2.0: Fri Sep 29 18:14:50 PDT 2017; root:xnu-4570.20.62~4/RELEASE_ARM64_T8010
machine: iPhone9,3
this is iPhone 7, should work!
message size for kalloc.4096: 2956
got user client: 0x741f
 [+] prepared kqueue
task self: 0xffffffe00543e568
our task port is at 0xffffffe00543e568
found target port with suitable allocation page offset: 0xffffffe007067a68
replacer_body_size: 0xb74
message_body_offset: 0x448
Attempting to control the port
got replaced with replacer port 45
found kernel vm_map: 0xfffffff120465c40
second time got replaced with replacer port 0
will try to read from second port (fake kernel)
kernel read via fake kernel task port worked?
0x0000000000420000
0x0000000000000000
0xfffffff12048df60
0xffffffe005979400
about to build safer tfp0
message buffer: ffffffe00b1fe000
fake_kernel_task_kaddr: ffffffe00b1fe000
read fake_task_refs: d00d
about to test new tfp0
kernel read via second tfp0 port worked?
0x0000000000420000
0x0000000000000000
0xfffffff12048df60
0xffffffe005979400
built safer tfp0
about to clear up
cleared up
tfp0: 1889d0b
[+]  I have the right symbols!
[!]	JAILBREAK INITIALIZATION
[+]	Going backwards until magic seen....
[+]	Ok, looks like we've found the beginning of the kernel!
[+]	KERNEL IS AT 0xfffffff023804000
[+]	KASLR detected to be 0x1c800000
[i]	Got kaslr = 0x1c800000
[+]	Attempting to obtain root
[i]		old:
[i]		uid=501 gid=501 euid=501 geuid=501
[+]	Flags here: 0x0
[+]	Flags here: 0x20004005
[i]	Current uid=0xf2, gid=0x0
[i]	my pid(242) PCB @ 0xffffffe005e730c0
[i]	kernel_task pid(0) PCB @ 0xfffffff023e4dd10
[i]	amfid pid(233) PCB @ 0xffffffe002a22180
[i]	Kernel base believed to start at 0xfffffff023804000
[i]		new:
[i]		uid=0 gid=0 euid=0 geuid=0
[i]	vnode_info = 0x0
[i]	ubc_block = 0x0
[i]	ubc_info = 0x0
[i]	blob = 0x0
[i]	Attempting to remount /...
[+]	Got kaslr == 0x1c800000
[+]	Got _rootvnode = 0xfffffff023e0a088
[+]	Got rootfs_vnode = 0xfffffff023822aab
[+]	v_mount=0x6d5f6d7622002264
[+]	v_flag_location=0x6d5f6d76220022d4
[+]	v_flag_value=0x0
[+]	Setting v_flag to 0x0
tfp0 write failed: (os/kern) invalid address 1
[+]	[fun] remounting: -1
tfp0 write failed: (os/kern) invalid address 1
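As an added example (not part of the issue above and not code from this repository), here is the kind of pointer sanity check a routine like the remount step should run on every value it derives from kernel reads before passing it to a tfp0 write. The thresholds are assumptions about the arm64 iOS 11 address layout: kernel heap objects appear at 0xffffffe0..., kernel text and data at 0xfffffff0..., so anything the kernel hands out lies at or above 0xffffffe000000000, and pointers to structs are 8-byte aligned. The function names are invented for the example. The three addresses in main are copied from the log: the _rootvnode symbol passes, the rootfs_vnode value is not 8-byte aligned, and the v_mount value is both outside the kernel range and made up of printable ASCII bytes, which is what a pointer-sized read of string data looks like.

```c
/*
 * Added example: sanity checks on pointers read out of the kernel before
 * they are used as write targets. Not code from the jailbreak repository.
 *
 * ASSUMPTIONS (arm64 iOS 11 layout): kernel-owned addresses are at or
 * above 0xffffffe000000000 and struct pointers are 8-byte aligned.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <ctype.h>
#include <inttypes.h>

#define KERNEL_VA_FLOOR 0xffffffe000000000ULL   /* ASSUMED */

typedef enum {
    KPTR_OK = 0,
    KPTR_NULL,
    KPTR_NOT_KERNEL_RANGE,
    KPTR_MISALIGNED,
    KPTR_LOOKS_LIKE_TEXT
} kptr_verdict;

/* True if every byte of the value is printable ASCII (NUL bytes allowed)
 * and at least four are printable: a strong hint that a pointer-sized
 * read landed in string data rather than on a pointer. */
bool looks_like_text(uint64_t v) {
    int printable = 0;
    for (int i = 0; i < 8; i++) {
        unsigned char b = (unsigned char)(v >> (8 * i));
        if (b == 0) continue;
        if (!isprint(b)) return false;
        printable++;
    }
    return printable >= 4;
}

/* Classify a value that is about to be treated as a kernel pointer. */
kptr_verdict check_kptr(uint64_t p, unsigned align) {
    if (p == 0) return KPTR_NULL;
    if (p < KERNEL_VA_FLOOR)
        return looks_like_text(p) ? KPTR_LOOKS_LIKE_TEXT : KPTR_NOT_KERNEL_RANGE;
    if (align && (p % align) != 0) return KPTR_MISALIGNED;
    return KPTR_OK;
}

const char *kptr_verdict_str(kptr_verdict v) {
    switch (v) {
    case KPTR_OK:               return "ok";
    case KPTR_NULL:             return "NULL";
    case KPTR_NOT_KERNEL_RANGE: return "not in kernel address range";
    case KPTR_MISALIGNED:       return "misaligned for a struct pointer";
    case KPTR_LOOKS_LIKE_TEXT:  return "bytes are printable ASCII (read hit string data?)";
    }
    return "?";
}

/* The remount chain from the log: _rootvnode (data symbol) -> rootfs_vnode
 * (struct vnode *) -> v_mount (struct mount *). Refuse to touch v_flag
 * unless every hop looks like a genuine kernel pointer. */
bool remount_inputs_ok(uint64_t rootvnode_sym, uint64_t rootfs_vnode, uint64_t v_mount) {
    return check_kptr(rootvnode_sym, 8) == KPTR_OK
        && check_kptr(rootfs_vnode, 8) == KPTR_OK
        && check_kptr(v_mount, 8) == KPTR_OK;
}

int main(void) {
    /* Values copied from the log posted above. */
    const uint64_t rootvnode = 0xfffffff023e0a088ULL;
    const uint64_t rootfs_vn = 0xfffffff023822aabULL;
    const uint64_t v_mount   = 0x6d5f6d7622002264ULL;

    printf("_rootvnode   0x%" PRIx64 ": %s\n", rootvnode, kptr_verdict_str(check_kptr(rootvnode, 8)));
    printf("rootfs_vnode 0x%" PRIx64 ": %s\n", rootfs_vn, kptr_verdict_str(check_kptr(rootfs_vn, 8)));
    printf("v_mount      0x%" PRIx64 ": %s\n", v_mount,   kptr_verdict_str(check_kptr(v_mount, 8)));
    printf("safe to write v_flag: %s\n",
           remount_inputs_ok(rootvnode, rootfs_vn, v_mount) ? "yes" : "no");
    return 0;
}
```

Checks like these do not find the underlying bug, but they turn "tfp0 write failed: (os/kern) invalid address" into a message that names the first bad hop in the pointer chain, which is where to start looking.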

11.0.3

Hi, I've been busy getting ksymbols for iOS 11.0.3 on iPhone9,3. I got most of them but got stuck on some other parts, such as rootvnode. Could you help me out, or please support that version? I really love the way this jailbreaks and definitely want to use it.
Kind regards, Bas
