Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(probably not the most mergable) *reliable* M1 iPad Pro support #49

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

(probably not the most mergable) *reliable* M1 iPad Pro support #49

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions Taurine/app/ViewController.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -262,7 +262,7 @@ class ViewController: UIViewController, ElectraUI {
case .kfdPhysPuppet:
print("Selecting kfd [physpuppet] for iOS 14.0 - 14.8.1")
LogStream.shared.pause()
let ret = do_kopen(0x800, 0x0, 0x2, 0x2)
let ret = do_kopen(0x20000, 0x0, 0x2, 0x2)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
let ret = do_kopen(0x20000, 0x0, 0x2, 0x2)
var systemInfo = utsname()
uname(&systemInfo)
let machineMirror = Mirror(reflecting: systemInfo.machine)
let deviceModel = kernelMirror.children.reduce("") { identifier, element in
guard let value = element.value as? Int8, value != 0 else { return identifier }
return identifier + String(UnicodeScalar(UInt8(value)))
}
let ret;
if (deviceModel.contains("iPad13") && deviceModel != "iPad13,1" && deviceModel != "iPad13,2") {
// M1 iPad Pro
ret = do_kopen(0x20000, 0x0, 0x2, 0x2)
} else {
ret = do_kopen(0x800, 0x0, 0x2, 0x2)
}

detect M1.

Sorry I don't know how to make reviews for multiple files so making multiple reviews for them :P

LogStream.shared.resume()
if ret != 0 {
print("Successfully exploited kernel!");
Expand All @@ -272,7 +272,7 @@ class ViewController: UIViewController, ElectraUI {
case .kfdSmith:
print("Selecting kfd [smith] for iOS 14.0 - 14.8.1")
LogStream.shared.pause()
let ret = do_kopen(0x800, 0x1, 0x2, 0x2)
let ret = do_kopen(0x20000, 0x1, 0x2, 0x2)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
let ret = do_kopen(0x20000, 0x1, 0x2, 0x2)
var systemInfo = utsname()
uname(&systemInfo)
let machineMirror = Mirror(reflecting: systemInfo.machine)
let deviceModel = kernelMirror.children.reduce("") { identifier, element in
guard let value = element.value as? Int8, value != 0 else { return identifier }
return identifier + String(UnicodeScalar(UInt8(value)))
}
let ret;
if (deviceModel.contains("iPad13") && deviceModel != "iPad13,1" && deviceModel != "iPad13,2") {
// M1 iPad Pro
ret = do_kopen(0x20000, 0x1, 0x2, 0x2)
} else {
ret = do_kopen(0x800, 0x1, 0x2, 0x2)
}

detect M1

LogStream.shared.resume()
if ret != 0 {
print("Successfully exploited kernel!");
Expand Down
2 changes: 1 addition & 1 deletion Taurine/exploit/kfd/libkfd.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -176,7 +176,7 @@ u64 kopen(u64 puaf_pages, u64 puaf_method, u64 kread_method, u64 kwrite_method)
timer_start();

const u64 puaf_pages_min = 16;
const u64 puaf_pages_max = 2048;
const u64 puaf_pages_max = 131072;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
const u64 puaf_pages_max = 131072;
const u64 puaf_pages_max = 2048;
struct utsname systemInfo;
uname(&systemInfo);
if (strncmp(systemInfo.machine, "iPad13",6) == 0 && strcmp(systemInfo.machine, "iPad13,1") != 0 && strcmp(systemInfo.machine, "iPad13,2") != 0) {
puaf_pages_max = 131072; // M1 iPad Pro
}

detect M1

assert(puaf_pages >= puaf_pages_min);
assert(puaf_pages <= puaf_pages_max);
assert(puaf_method <= puaf_smith);
Expand Down
4 changes: 4 additions & 0 deletions Taurine/exploit/kfd/libkfd/krkw.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -208,6 +208,10 @@ void krkw_helper_run_allocate(struct kfd* kfd, struct krkw* krkw)
for (u64 i = 0; i < kfd->puaf.number_of_puaf_pages; i++) {
u64 puaf_page_uaddr = kfd->puaf.puaf_pages_uaddr[i];
print_buffer(puaf_page_uaddr, 64);

uint32_t magicToSearch = 0x1EA5CACE;
void *res = memmem((void *)kfd->puaf.puaf_pages_uaddr[i], 0x4000, &magicToSearch, sizeof(magicToSearch));
assert(res == NULL);
Comment on lines +211 to +214
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed.

Comment on lines 208 to +214
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
for (u64 i = 0; i < kfd->puaf.number_of_puaf_pages; i++) {
u64 puaf_page_uaddr = kfd->puaf.puaf_pages_uaddr[i];
print_buffer(puaf_page_uaddr, 64);
uint32_t magicToSearch = 0x1EA5CACE;
void *res = memmem((void *)kfd->puaf.puaf_pages_uaddr[i], 0x4000, &magicToSearch, sizeof(magicToSearch));
assert(res == NULL);
struct utsname systemInfo;
uname(&systemInfo);
if (strncmp(systemInfo.machine, "iPad13",6) == 0 && strcmp(systemInfo.machine, "iPad13,1") != 0 && strcmp(systemInfo.machine, "iPad13,2") != 0) {
for (u64 i = 0; i < kfd->puaf.number_of_puaf_pages; i++) {
u64 puaf_page_uaddr = kfd->puaf.puaf_pages_uaddr[i];
print_buffer(puaf_page_uaddr, 64);
uint32_t magicToSearch = 0x1EA5CACE;
void *res = memmem((void *)kfd->puaf.puaf_pages_uaddr[i], 0x4000, &magicToSearch, sizeof(magicToSearch));
assert(res == NULL);
}
} else {
for (u64 i = 0; i < kfd->puaf.number_of_puaf_pages; i++) {
u64 puaf_page_uaddr = kfd->puaf.puaf_pages_uaddr[i];
print_buffer(puaf_page_uaddr, 64);
}
}

not completely sure if this would break M1, but just to be sure for now I'm keeping the check in.

}

assert_false(krkw_type);
Expand Down
2 changes: 1 addition & 1 deletion Taurine/exploit/kfd/libkfd/krkw/kread/kread_IOSurface.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ u32 kread_IOSurface_kread_u32(struct kfd* kfd, u64 kaddr);

void kread_IOSurface_init(struct kfd* kfd)
{
kfd->kread.krkw_maximum_id = 0x4000;
kfd->kread.krkw_maximum_id = 0x1000;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
kfd->kread.krkw_maximum_id = 0x1000;
struct utsname systemInfo;
uname(&systemInfo);
if (strncmp(systemInfo.machine, "iPad13",6) == 0 && strcmp(systemInfo.machine, "iPad13,1") != 0 && strcmp(systemInfo.machine, "iPad13,2") != 0) {
kfd->kread.krkw_maximum_id = 0x1000; //M1 iPad Pro
} else {
kfd->kread.krkw_maximum_id = 0x4000; //All other devices
}

detect M1

kfd->kread.krkw_object_size = 0x400; //estimate

kfd->kread.krkw_method_data_size = ((kfd->kread.krkw_maximum_id) * (sizeof(struct iosurface_obj)));
Expand Down
4 changes: 2 additions & 2 deletions Taurine/post-exploit/cutils.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,8 +36,8 @@ void setLr(arm_thread_state64_t *state, uint64_t lr);
void setPc(arm_thread_state64_t *state, uint64_t pc);
void amfid_test(mach_port_t amfid_port);

#ifdef ENABLE_XPC
#include <xpc/xpc.h>
#ifdef ENABLE_XPC
#include <xpc/xpc.h>
Comment on lines +39 to +40
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
#ifdef ENABLE_XPC
#include <xpc/xpc.h>
#ifdef ENABLE_XPC
#include <xpc/xpc.h>

remove accidental indent

// os_alloc_once_table:
//
// Ripped this from XNU's libsystem
Expand Down
2 changes: 1 addition & 1 deletion Taurine/post-exploit/utils/amfidtakeover.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -245,7 +245,7 @@ class AmfidTakeover {
}

let req = head.withMemoryRebound(to: exception_raise_request.self,
capacity: 0x4000) { $0.pointee }
capacity: 1) { $0.pointee }
TheMasterOfMike marked this conversation as resolved.
Show resolved Hide resolved

let thread_port = req.thread.name
let task_port = req.task.name
Expand Down