How to Escape the Sandbox and Get Root on iOS 12.x Once You've Got tfp0

So you wanna build a jailbreak and there is a tfp0 kernel exploit released (probably by either Sparkey or by Google Project Zero, if I know this community well). tfp0 is basically task_for_pid(0): the task port for PID 0, which is kernel_task, the XNU kernel itself. Once you've got tfp0, things are pretty simple, because if you possess the kernel task port you can use vm_read and vm_write on the kernel's virtual memory, which means you can apply various patches to yourself (your process's representation in the kernel) or to other processes.

Of course, Apple thought about this, and starting with iOS 9 things changed quite a bit with the advent of KPP (Kernel Patch Protection). With the A10 (iPhone 7, 7 Plus), Apple took it one step further after KPP was bypassed on iOS 9 and 10: they introduced KTRR (Kernel Text Read-only Region), a hardware solution which to this date has only been bypassed once, back in the iOS 10 days. KPP and KTRR are very different in implementation: one is software, the other is hardware, and they work in different ways. Siguza has very well-written explanations of how these work on his blog, but it suffices to know that both KTRR and KPP prevent you from patching the kernel (well, Apple tried… in reality, they only protect the __TEXT region (the code itself) and the constants). Since variable data cannot be protected this way, it has been abused to heck and beyond in all post-iOS 10 jailbreaks, the so-called KPPless paradigm, which is not really a KPP bypass but KPP compliance. KPP/KTRR don't want us to mess with the constants and the code, and we don't, because we don't even have to, at least for now.

iOS is basically a mobile fork of macOS which grew to have its own particularities. macOS is basically FreeBSD + Unix + Apple's own shenanigans, so you will see many similarities with other Unix-based systems. One of these is the fact that each process running on the device has a PID (process ID) and a representation somewhere in the kernel. That representation holds everything from your permissions (or lack thereof) to your PID, your entitlements (to make AMFI happy) and other bits and pieces which make up the process structure.

So the plan is simple: if you have kernel read/write privileges, you can poke around the kernel to find basically yourself (your app's representation in the kernel). Once you find that, given the right offsets, you can modify the data to grant yourself new entitlements (they govern what you can and can't do as an app on iOS), escape from the sandbox, get to be owned by root (root:wheel) rather than mobile, which is far more limited, etc.

So, the first thing we wanna do after we've integrated the tfp0 exploit with our jailbreak Xcode project is to add the proper offsets. These offsets represent how far from a specific base address we should expect to find an object in memory.

Imagine a street. The street has a number, let's say street 0xFFFFFFFFFFa14eba. Now, there are multiple houses on that street, but we want to find Joe's house. We know that Joe lives at house 401, so 401 is the offset: from the base address (the start of the street) we need to go 401 positions (houses) up before we find what we need. The same way, in memory we can find things by knowing their offsets relative to a base address.

The problem with these offsets is that they change from one version to another and even from one device to another, so iOS 11's offsets will not work on iOS 12. They may, however, in some cases work from one minor version to another, for example from 12.0 to 12.1.2.

The "if (!ShouldUseMachSwap) { … }" should be ignored. It's there because Osiris jailbreak uses two exploits, Brandon Azad's and Sparkey's. Brandon's requires that I escape the sandbox myself, while Sparkey's escapes the sandbox for me, so there's no need to run the function in that case.

Immediately after that, we use the above-mentioned function, then we do a kernel read to grab our credentials from our process representation in the kernel, which happens to be at selfproc + off_p_ucred. So, selfproc is the address returned by the findourselves() function and it serves as our base address: our process's representation in the kernel starts there. off_p_ucred is an offset which has the value 0xf8, as you can see in the offsets code. So base address + 0xf8 = the address of our ucred structure.

After that, you can see that I labeled a block "GID" and another one "UID". GID stands for group identifier and UID for user identifier. By default, our app belongs, like any other App Store app, to mobile, a less privileged user on iOS with UID 501. We want root because it has way more privileges; that would be UID 0. For the group, we want "wheel", so again GID 0, but we're listed as mobile (501) already in the kernel. No problem: these are not constants, so we can do a simple kernel write to those offsets inside our structure to change our GID and UID to 0, so we do:

The kernel_write32(…) function is part of the exploit, one of the kernel write primitives. off_p_uid, off_p_ruid, off_p_gid, off_p_rgid, off_ucred_cr_uid, off_ucred_cr_ruid and off_ucred_cr_svuid are all offsets from the above-mentioned huge offsets list. We have to set all of these to 0 for the desired effect. Once we've written 0, bam! We're "root:wheel" and not mobile (501) anymore.

The next thing we do is nuke the sandbox. By default, we're sandboxed like any third-party iOS app. This means that we can ONLY write to our app's own folders, and we cannot do much. We want full system access, so it's time to leave the sand and the box for a better landscape.

In order to nuke the sandbox, all we need to do is find our process's representation in the kernel again, use the offsets to locate cr_label through a kernel_read64(…), then add the off_sandbox_slot offset (which is 0x10 on iOS 12) to the cr_label address, and then write 0 at the address we obtain. We do that like this on Osiris jailbreak:
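As an added, read-only illustration of the walk described in the last few paragraphs (this is not the Osiris jailbreak code; apart from off_p_ucred = 0xf8 and off_sandbox_slot = 0x10, which the post quotes, every field offset, address and snapshot layout below is an assumed value for a constructed memory image, not a real iOS 12 offset), the following Python models selfproc -> ucred -> cr_label -> sandbox slot over a constructed kernel snapshot and flags credentials that no longer look like a sandboxed mobile (501) app. That read-and-compare is the check a memory-forensics or integrity tool would run over these same fields:

```python
"""Added example: read-only model of the proc -> ucred -> cr_label walk.

Not the Osiris jailbreak code. It builds a small constructed snapshot of
'kernel' memory, walks it the way the post describes, and flags
credential/sandbox fields that no longer look like a stock third-party
app (user mobile, UID 501, sandboxed).
"""
import struct

# Offsets quoted in the post for iOS 12.
OFF_P_UCRED = 0xF8          # proc -> ucred pointer
OFF_SANDBOX_SLOT = 0x10     # cr_label -> sandbox slot

# Assumed offsets for this constructed layout only; they are NOT real
# iOS 12 values and exist just so the walk has something to read.
OFF_P_UID = 0x28
OFF_P_GID = 0x2C
OFF_UCRED_CR_UID = 0x18
OFF_UCRED_CR_LABEL = 0x78

MOBILE_UID = 501                    # default user for third-party apps
KERNEL_BASE = 0xFFFFFFF010000000    # constructed, not a real kernel address

# Layout of the constructed snapshot, relative to KERNEL_BASE.
PROC_OFF, UCRED_OFF, LABEL_OFF, SNAPSHOT_SIZE = 0x000, 0x200, 0x300, 0x400


class KernelSnapshot:
    """Read-only view over constructed memory, standing in for kernel_read32/64."""

    def __init__(self, base, data):
        self.base = base
        self.data = bytes(data)

    def _check(self, addr, size):
        # Refuse reads outside the snapshot instead of dereferencing blindly.
        off = addr - self.base
        if off < 0 or off + size > len(self.data):
            raise ValueError(f"address {addr:#x} outside snapshot")
        return off

    def read32(self, addr):
        return struct.unpack_from("<I", self.data, self._check(addr, 4))[0]

    def read64(self, addr):
        return struct.unpack_from("<Q", self.data, self._check(addr, 8))[0]


def build_snapshot(p_uid, cr_uid, gid, sandbox_slot):
    """Construct a snapshot holding one proc, its ucred and its cr_label.

    Returns (snapshot, proc_address); proc_address plays the role of the
    post's selfproc.
    """
    mem = bytearray(SNAPSHOT_SIZE)
    proc = KERNEL_BASE + PROC_OFF
    ucred = KERNEL_BASE + UCRED_OFF
    label = KERNEL_BASE + LABEL_OFF
    struct.pack_into("<I", mem, PROC_OFF + OFF_P_UID, p_uid)
    struct.pack_into("<I", mem, PROC_OFF + OFF_P_GID, gid)
    struct.pack_into("<Q", mem, PROC_OFF + OFF_P_UCRED, ucred)
    struct.pack_into("<I", mem, UCRED_OFF + OFF_UCRED_CR_UID, cr_uid)
    struct.pack_into("<Q", mem, UCRED_OFF + OFF_UCRED_CR_LABEL, label)
    struct.pack_into("<Q", mem, LABEL_OFF + OFF_SANDBOX_SLOT, sandbox_slot)
    return KernelSnapshot(KERNEL_BASE, mem), proc


def inspect_creds(snap, selfproc):
    """Walk selfproc -> ucred -> cr_label as the post describes and report
    the fields an integrity check cares about."""
    ucred = snap.read64(selfproc + OFF_P_UCRED)            # selfproc + 0xf8
    label = snap.read64(ucred + OFF_UCRED_CR_LABEL)
    info = {
        "p_uid": snap.read32(selfproc + OFF_P_UID),
        "p_gid": snap.read32(selfproc + OFF_P_GID),
        "cr_uid": snap.read32(ucred + OFF_UCRED_CR_UID),
        "sandbox_slot": snap.read64(label + OFF_SANDBOX_SLOT),  # cr_label + 0x10
    }
    # A stock third-party app is mobile (501) at both the proc and the ucred
    # level and carries a non-null sandbox slot. Root creds, a nulled sandbox
    # slot, or a proc/ucred uid mismatch all indicate the fields were edited.
    info["tampered"] = (
        info["cr_uid"] == 0
        or info["p_uid"] == 0
        or info["sandbox_slot"] == 0
        or info["p_uid"] != info["cr_uid"]
    )
    return info


if __name__ == "__main__":
    stock, proc = build_snapshot(MOBILE_UID, MOBILE_UID, MOBILE_UID, 0xFFFFFFF0DEADC0DE)
    print("stock  :", inspect_creds(stock, proc))
    rooted, proc = build_snapshot(0, 0, 0, 0)
    print("rooted :", inspect_creds(rooted, proc))
```

The uid mismatch test is the useful part: the post notes that the proc-level and ucred-level uid fields must all be rewritten together, so a snapshot where only one layer reads 0 is as suspicious as one where both do.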
