(probably not the most mergable) *reliable* M1 iPad Pro support

[TheMasterOfMike]

I honestly doubt that this is mergable for two main reasons:

• The fixes being made cause us to use over 4GB of RAM, which pretty much every device besides the M1 iPad Pro's will not be happy with whatsoever
• The fixes being made, even ignoring that bit, cause exploitation time to balloon to over 3 minutes with kfd (which no other device should suffer through)

Thanks @opa334 and @verygenericname for various fixes in helping me to make this a thing.

[verygenericname]

You're gonna need to make it check which device it's running on, for it to be atleast somewhat mergeable, I guess

[0xilis]

You should detect if the device is an M1 iPad and only do the changes if so, it'll make this much more mergeable. Probably can be improved (but should work fine for now): See below changes.

[0xilis]

Detect M1.

[0xilis]

Suggested change

	let ret = do_kopen(0x20000, 0x0, 0x2, 0x2)
	var systemInfo = utsname()
	uname(&systemInfo)
	let machineMirror = Mirror(reflecting: systemInfo.machine)
	let deviceModel = kernelMirror.children.reduce("") { identifier, element in
	guard let value = element.value as? Int8, value != 0 else { return identifier }
	return identifier + String(UnicodeScalar(UInt8(value)))
	}
	let ret;
	if (deviceModel.contains("iPad13") && deviceModel != "iPad13,1" && deviceModel != "iPad13,2") {
	// M1 iPad Pro
	ret = do_kopen(0x20000, 0x0, 0x2, 0x2)
	} else {
	ret = do_kopen(0x800, 0x0, 0x2, 0x2)
	}

detect M1.

Sorry I don't know how to make reviews for multiple files so making multiple reviews for them :P

[0xilis]

Suggested change

	let ret = do_kopen(0x20000, 0x1, 0x2, 0x2)
	var systemInfo = utsname()
	uname(&systemInfo)
	let machineMirror = Mirror(reflecting: systemInfo.machine)
	let deviceModel = kernelMirror.children.reduce("") { identifier, element in
	guard let value = element.value as? Int8, value != 0 else { return identifier }
	return identifier + String(UnicodeScalar(UInt8(value)))
	}
	let ret;
	if (deviceModel.contains("iPad13") && deviceModel != "iPad13,1" && deviceModel != "iPad13,2") {
	// M1 iPad Pro
	ret = do_kopen(0x20000, 0x1, 0x2, 0x2)
	} else {
	ret = do_kopen(0x800, 0x1, 0x2, 0x2)
	}

detect M1

[0xilis]

fixed.

[0xilis]

Suggested change

	kfd->kread.krkw_maximum_id = 0x1000;
	struct utsname systemInfo;
	uname(&systemInfo);
	if (strncmp(systemInfo.machine, "iPad13",6) == 0 && strcmp(systemInfo.machine, "iPad13,1") != 0 && strcmp(systemInfo.machine, "iPad13,2") != 0) {
	kfd->kread.krkw_maximum_id = 0x1000; //M1 iPad Pro
	} else {
	kfd->kread.krkw_maximum_id = 0x4000; //All other devices
	}

detect M1

[0xilis]

Suggested change

	#ifdef ENABLE_XPC
	#include <xpc/xpc.h>
	#ifdef ENABLE_XPC
	#include <xpc/xpc.h>

remove accidental indent

[0xilis]

Suggested change

	const u64 puaf_pages_max = 131072;
	const u64 puaf_pages_max = 2048;
	struct utsname systemInfo;
	uname(&systemInfo);
	if (strncmp(systemInfo.machine, "iPad13",6) == 0 && strcmp(systemInfo.machine, "iPad13,1") != 0 && strcmp(systemInfo.machine, "iPad13,2") != 0) {
	puaf_pages_max = 131072; // M1 iPad Pro
	}

detect M1

[0xilis]

fixed.

[0xilis]

Detect M1.

Fixed an accidental wrong change to the wrong file, now this should work :P. If anyone has any more suggestions, feel free to say them.

[0xilis]

optimize M1 check

[0xilis]

Suggested change

	for (u64 i = 0; i < kfd->puaf.number_of_puaf_pages; i++) {
	u64 puaf_page_uaddr = kfd->puaf.puaf_pages_uaddr[i];
	print_buffer(puaf_page_uaddr, 64);
	uint32_t magicToSearch = 0x1EA5CACE;
	void *res = memmem((void *)kfd->puaf.puaf_pages_uaddr[i], 0x4000, &magicToSearch, sizeof(magicToSearch));
	assert(res == NULL);
	struct utsname systemInfo;
	uname(&systemInfo);
	if (strncmp(systemInfo.machine, "iPad13",6) == 0 && strcmp(systemInfo.machine, "iPad13,1") != 0 && strcmp(systemInfo.machine, "iPad13,2") != 0) {
	for (u64 i = 0; i < kfd->puaf.number_of_puaf_pages; i++) {
	u64 puaf_page_uaddr = kfd->puaf.puaf_pages_uaddr[i];
	print_buffer(puaf_page_uaddr, 64);
	uint32_t magicToSearch = 0x1EA5CACE;
	void *res = memmem((void *)kfd->puaf.puaf_pages_uaddr[i], 0x4000, &magicToSearch, sizeof(magicToSearch));
	assert(res == NULL);
	}
	} else {
	for (u64 i = 0; i < kfd->puaf.number_of_puaf_pages; i++) {
	u64 puaf_page_uaddr = kfd->puaf.puaf_pages_uaddr[i];
	print_buffer(puaf_page_uaddr, 64);
	}
	}

not completely sure if this would break M1, but just to be sure for now I'm keeping the check in.

[opa334]

Tbh the proper way to do this would be to determine the exact RAM size at runtime and then choose an appropriate page count based on that.

[TheMasterOfMike]

Tbh the proper way to do this would be to determine the exact RAM size at runtime and then choose an appropriate page count based on that.

This probably is the cleanest solution, but at the same token, we'd want to limit any changes to just devices with 8GB or 16GB of RAM (which - on iPadOS 14 - only includes the M1 iPad Pro's) else we risk detrimental effects with exploit time on other devices.

(We'd probably also want to do the RAM size check to determine the number of IOSurface's as well - since making any alterations outside of what we need to do on the M1 iPad Pro's will reduce success rate on other devices - which we obviously want to avoid)

[opa334]

Tbh the proper way to do this would be to determine the exact RAM size at runtime and then choose an appropriate page count based on that.

This probably is the cleanest solution, but at the same token, we'd want to limit any changes to just devices with 8GB or 16GB of RAM (which - on iPadOS 14 - only includes the M1 iPad Pro's) else we risk detrimental effects with exploit time on other devices.

(We'd probably also want to do the RAM size check to determine the number of IOSurface's as well - since making any alterations outside of what we need to do on the M1 iPad Pro's will reduce success rate on other devices - which we obviously want to avoid)

I think the fact one device has a limit means we would want to reduce the amount of IOSurfaces on all of them to make sure we're not hitting that threshold. Or the exploit could be modified to just use as many IOSurface's as possible until it starts failing.

[TheMasterOfMike]

Tbh the proper way to do this would be to determine the exact RAM size at runtime and then choose an appropriate page count based on that.

This probably is the cleanest solution, but at the same token, we'd want to limit any changes to just devices with 8GB or 16GB of RAM (which - on iPadOS 14 - only includes the M1 iPad Pro's) else we risk detrimental effects with exploit time on other devices.
(We'd probably also want to do the RAM size check to determine the number of IOSurface's as well - since making any alterations outside of what we need to do on the M1 iPad Pro's will reduce success rate on other devices - which we obviously want to avoid)

I think the fact one device has a limit means we would want to reduce the amount of IOSurfaces on all of them to make sure we're not hitting that threshold. Or the exploit could be modified to just use as many IOSurface's as possible until it starts failing.

As for the former, the problem I see with doing that is that we're either:

• hurting exploit reliability for the same exploit time
• hurting exploit time for the same exploit reliability

(mind you: this assumes that 8192 puaf pages with 4096 IOSurface's has the same reliability as 2048 puaf pages with 16384 IOSurface's, which is something I'd have to check when I get the chance to in a few hours)

As for the latter, the only sign that I've observed that we could potentially utilize is that console will say that we are approaching a limit at both 50% and 75% of the IOSurface limit - if we can use those, then that's probably the better way, but if we can't, then I'm not aware of any better indicators.

[opa334]

I mean, the sign here is that the surface allocate method fails with an error code after 4096, when we hit that we could just remove the assert and just use the surfaces that have been allocated until then.