googleprojectzero / ktrw
An iOS kernel debugger based on a KTRR bypass for A11 iPhones; works with LLDB and IDA Pro.
License: Apache License 2.0
Is it possible to add the task_for_pid-allow permission to the Xcode ktrw_kext_loader project so as to be able to debug this app?
I am trying to run this project on iPhone10,4 (iOS 13.2.2), which is missing kernel parameters, and debugging capabilities would be very useful.
I use the Checkra1n JB tool which provides us with tfp0 functionality. tfp0 requires task_for_pid-allow permission.
What would you recommend in this case?
Thanks.
Once connected with lldb, commands like 'pr i' and 'c' work as expected, freezing and un-freezing the device respectively. However, when trying to use commands like 'x', 'di', or 'b', I get 'error: failed to send packet'.
Here are some sample outputs:
(lldb) x/12wx 0xffffffe001d5b528
error: failed to send packet: 'xffffffe001d5b400,200'
(lldb) di -s 0xfffffff01110e238
error: failed to send packet: 'xfffffff01110e200,200'
error: Failed to disassemble memory at 0xfffffff01110e238.
(lldb) b 0xfffffff01110e230
warning: failed to set breakpoint site at 0xfffffff01110e230 for breakpoint 1.1: error sending the breakpoint request
Breakpoint 1: address = 0xfffffff01110e230
Please let me know what other information you need (this is running on an iPhone 8 iOS 13.5, with the offsets supplied by NewDwarf in issue #6)
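For anyone reproducing the exchange above against the stub directly, the following is an added example (not code from ktrw, lldb, or the reporter) of the GDB remote serial protocol framing involved: it builds the memory-read request packets lldb sends, the standard 'm' packet and the 'x' binary-read packet whose payload 'xffffffe001d5b400,200' appears in the error messages, and decodes a stub's reply, including the empty reply a stub gives for a packet it does not implement. The framing rules (checksum, '$...#cc', '}'-escaping) are the protocol's; the helper names and the constructed replies are this example's own, and run-length ('*') compression of replies is not handled.

```python
"""GDB remote serial protocol framing for memory-read packets.

Added example, not ktrw's or lldb's code: builds the 'm' (hex reply) and
'x' (lldb binary-read extension) request packets and decodes a stub reply.
"""
import re
from typing import Optional


def checksum(payload: bytes) -> int:
    """RSP checksum: sum of payload bytes modulo 256."""
    return sum(payload) & 0xFF


def frame(payload: bytes) -> bytes:
    """Wrap a payload as $<payload>#<cc>, cc being the two-hex-digit checksum."""
    return b"$" + payload + b"#" + b"%02x" % checksum(payload)


def unframe(packet: bytes) -> bytes:
    """Strip framing (and an optional leading '+' ack), verify the checksum, return the payload."""
    m = re.fullmatch(rb"\+?\$(.*)#([0-9a-fA-F]{2})", packet, re.DOTALL)
    if not m:
        raise ValueError("malformed packet: %r" % packet)
    payload, got = m.group(1), int(m.group(2), 16)
    if checksum(payload) != got:
        raise ValueError("checksum mismatch: packet says %02x, computed %02x" % (got, checksum(payload)))
    return payload


def mem_read_request(addr: int, length: int, binary: bool = False) -> bytes:
    """'m<addr>,<len>' (standard) or 'x<addr>,<len>' (lldb binary read); hex without 0x prefix."""
    return frame(b"%s%x,%x" % (b"x" if binary else b"m", addr, length))


ESCAPE = 0x7D                        # '}': the byte that follows is sent XOR 0x20
SPECIAL = {0x23, 0x24, 0x7D, 0x2A}   # '#', '$', '}', '*' collide with framing / RLE


def binary_escape(data: bytes) -> bytes:
    """Escape raw bytes for a binary ('x') reply."""
    out = bytearray()
    for b in data:
        if b in SPECIAL:
            out += bytes((ESCAPE, b ^ 0x20))
        else:
            out.append(b)
    return bytes(out)


def binary_unescape(data: bytes) -> bytes:
    """Inverse of binary_escape."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == ESCAPE:
            if i + 1 >= len(data):
                raise ValueError("dangling escape byte")
            out.append(data[i + 1] ^ 0x20)
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def reply_kind(packet: bytes) -> str:
    """'unsupported' for the empty reply, 'error' for an Exx reply, otherwise 'data'."""
    payload = unframe(packet)
    if payload == b"":
        return "unsupported"
    if re.fullmatch(rb"E[0-9a-fA-F]{2}", payload):
        return "error"
    return "data"


def parse_mem_reply(packet: bytes, binary: bool) -> Optional[bytes]:
    """Decode a memory-read reply; None when the stub does not implement the packet."""
    kind = reply_kind(packet)
    if kind == "unsupported":
        return None
    payload = unframe(packet)
    if kind == "error":
        raise RuntimeError("stub returned %s" % payload.decode())
    return binary_unescape(payload) if binary else bytes.fromhex(payload.decode())


if __name__ == "__main__":
    # The binary read lldb attempted in the transcript above.
    print(mem_read_request(0xFFFFFFE001D5B400, 0x200, binary=True))
    # A stub without the 'x' packet answers with the empty reply: decoded as None.
    print(parse_mem_reply(b"$#00", binary=True))
```

Sending the framed request over a raw TCP connection to the stub and feeding the bytes that come back to parse_mem_reply shows whether the stub answers the 'x' packet at all, answers with an error, or returns data, which separates a transport problem from an unimplemented packet.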
I've been trying to run KTRW on iOS 13.5 but iOS won't boot.
The file ktrw_gdb_stub/kernel_symbols/iPhone10,1_17F75.txt was created with the following content:
KERNELCACHE UUID: 15576917-FD0D-3A15-B52E-72D55A37D8E8
DEVICE: iPhone10,1 17F75
DEVICE: iPhone10,4 17F75
__disable_preemption 0xFFFFFFF007D08CF0
__enable_preemption 0xFFFFFFF007D08D20
__mh_execute_header 0xFFFFFFF007004000
_const_boot_args 0xFFFFFFF0079328C0
_IOSleep 0xFFFFFFF008131198
_kernel_map 0xFFFFFFF0079316a8
_kernel_memory_allocate 0xFFFFFFF007C88CE0
_kernel_thread_start 0xFFFFFFF007C33608
_ml_nofault_copy 0xFFFFFFF007D0F574
_panic 0xFFFFFFF00909EA08
_paniclog_append_noflush 0xFFFFFFF007C0E170
_thread_deallocate 0xFFFFFFF007C010AC
_vsnprintf 0xFFFFFFF0080204E0
The pongo_kext_loader tool prints out:
pongo_kext_loader/pongo_kext_loader pongo_kextload/kextload.pongo-module ktrw_gdb_stub/kernel_symbols ktrw_gdb_stub/ktrw_gdb_stub.ikext
[1003] Found pongoOS device
[1003] Loading pongoOS kextload module
[1003] Loading kernel symbols
[1003] Loading kernel extension
On the iPhone 8 screen the last messages are:
KTRW pongoOS kextload pre-boot hook
Skipping checkra1n pre-boot hook
Disabling KTRR AMCC lockdown
Disabling KTRR MMU lockdown
Booting
At the same time the GDB stub is not accessible, which means that the kext is not activated.
There are no new messages, at least not for 5+ minutes.
@bazad Is it a result of wrong addresses in the iPhone10,1_17F75.txt?
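A symbol file can be checked for the obvious mistakes before rebooting the phone with it. The following is an added example, not ktrw code, that parses the kernel_symbols layout shown in the file quoted above (a 'KERNELCACHE UUID:' line, 'DEVICE:' lines, then '<symbol> 0x<address>' lines) and runs a few sanity checks; the sample input is that file's contents as the reporter posted them. The checks themselves (the required symbol set, a maximum kernelcache span, 4-byte alignment of function addresses, page alignment of __mh_execute_header) and the helper names are this example's own assumptions, not the project's, and the nearest-symbol lookup takes a KASLR slide so that a live address shown by lldb can be mapped back onto the static table.

```python
"""Parse and sanity-check a ktrw kernel_symbols file before booting with it.

Added example, not ktrw code. The checks below are this example's own
assumptions about what a usable symbol file looks like, not the project's.
"""
import bisect
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Sample input: the iPhone10,1_17F75.txt contents as quoted in the issue above.
SAMPLE = """\
KERNELCACHE UUID: 15576917-FD0D-3A15-B52E-72D55A37D8E8
DEVICE: iPhone10,1 17F75
DEVICE: iPhone10,4 17F75
__disable_preemption 0xFFFFFFF007D08CF0
__enable_preemption 0xFFFFFFF007D08D20
__mh_execute_header 0xFFFFFFF007004000
_const_boot_args 0xFFFFFFF0079328C0
_IOSleep 0xFFFFFFF008131198
_kernel_map 0xFFFFFFF0079316a8
_kernel_memory_allocate 0xFFFFFFF007C88CE0
_kernel_thread_start 0xFFFFFFF007C33608
_ml_nofault_copy 0xFFFFFFF007D0F574
_panic 0xFFFFFFF00909EA08
_paniclog_append_noflush 0xFFFFFFF007C0E170
_thread_deallocate 0xFFFFFFF007C010AC
_vsnprintf 0xFFFFFFF0080204E0
"""

# Every symbol named in that file; a port to a new build must supply all of them (assumption).
REQUIRED = frozenset({
    "__disable_preemption", "__enable_preemption", "__mh_execute_header",
    "_const_boot_args", "_IOSleep", "_kernel_map", "_kernel_memory_allocate",
    "_kernel_thread_start", "_ml_nofault_copy", "_panic",
    "_paniclog_append_noflush", "_thread_deallocate", "_vsnprintf",
})
# The XNU functions among them: an arm64 instruction address must be 4-byte aligned.
FUNCTIONS = REQUIRED - {"__mh_execute_header", "_const_boot_args", "_kernel_map"}
PAGE = 0x4000          # arm64 kernel page size
MAX_SPAN = 0x10000000  # assumed upper bound on kernelcache size (256 MiB); not a project constant
UUID_RE = re.compile(r"[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}")


class SymbolFile(NamedTuple):
    uuid: str
    devices: List[str]
    symbols: Dict[str, int]


def parse_symbol_file(text: str) -> SymbolFile:
    """Parse the three line kinds; any other line shape is an error."""
    uuid, devices, symbols = "", [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("KERNELCACHE UUID:"):
            uuid = line.split(":", 1)[1].strip().upper()
        elif line.startswith("DEVICE:"):
            devices.append(line.split(":", 1)[1].strip())
        else:
            parts = line.split()
            if len(parts) != 2 or not parts[1].lower().startswith("0x"):
                raise ValueError("line %d: expected '<symbol> 0x<address>', got %r" % (lineno, raw))
            name, addr = parts[0], int(parts[1], 16)
            if name in symbols:
                raise ValueError("line %d: duplicate symbol %s" % (lineno, name))
            symbols[name] = addr
    return SymbolFile(uuid, devices, symbols)


def validate(sf: SymbolFile) -> List[str]:
    """Return the problems found; an empty list means every check passed."""
    problems = []
    if not UUID_RE.fullmatch(sf.uuid):
        problems.append("bad or missing KERNELCACHE UUID: %r" % sf.uuid)
    if not sf.devices:
        problems.append("no DEVICE lines")
    for name in sorted(REQUIRED - set(sf.symbols)):
        problems.append("missing required symbol: " + name)
    base = sf.symbols.get("__mh_execute_header")
    if base is None:
        return problems
    if base % PAGE:
        problems.append("__mh_execute_header 0x%x is not page aligned" % base)
    for name, addr in sf.symbols.items():
        if not base <= addr < base + MAX_SPAN:
            problems.append("%s 0x%x lies outside the kernelcache range" % (name, addr))
        if name in FUNCTIONS and addr % 4:
            problems.append("%s 0x%x is not 4-byte aligned, so not an instruction address" % (name, addr))
    return problems


def symbol_for(symbols: Dict[str, int], addr: int, slide: int = 0) -> Optional[Tuple[str, int]]:
    """Nearest symbol at or below addr and the offset from it; slide is the KASLR slide
    (live __mh_execute_header minus the static one) when addr comes from a running kernel."""
    unslid = addr - slide
    ordered = sorted((a, n) for n, a in symbols.items())
    i = bisect.bisect_right([a for a, _ in ordered], unslid)
    if i == 0:
        return None
    a, n = ordered[i - 1]
    return n, unslid - a


if __name__ == "__main__":
    sf = parse_symbol_file(SAMPLE)
    for p in validate(sf) or ["no problems found"]:
        print(p)
```

The checks catch typos and wrong-size addresses, not wrong-but-plausible ones: an address that passes still has to be confirmed against the kernelcache for that exact build and UUID.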
Hi,
I have an iPhone 8 Global running iOS 13.6, and I want to use KTRW + checkra1n for debugging the kernel (I have tested checkra1n with this device and kernel version and it works). However, I get no debug connection after following your instructions:
I guess that I need to create a new symbol file under ktrw_gdb_stub/kernel_symbols/
Is it enough to adapt KTRW on new iOS version or do I have to do anything else?
When building ktrw_gdb_stub I get the following warning (treated as error):
error: using extended field designator is an extension [-Werror,-Wextended-offsetof]
I solved it by adding the following CFLAGS in the Makefile:
-Wno-unknown-warning-option -Wno-invalid-offsetof -Wno-extended-offsetof
Could you provide offsets for the iPhone 10,4 17D50 please? Alternatively, would it be possible to write a script/instructions to aid with fetching the required offsets ourselves?
After booting with KTRW, checkra1n's kernel patches don't appear to have been applied, meaning that you can't SSH into a device and you can't launch unsigned applications.
Is this expected behaviour? Would it be possible to enable checkra1n's patches? It would be extremely useful to be able to launch unsigned applications in order to debug kexts that are denied access by the app sandbox.
It seems that
Hi! Thank you for the truly awesome work @bazad!
I made @NewDwarf's comments from #1 into a branch: https://github.com/dflatline/ktrw/commits/iOS13.3. I successfully tested basic debugging on an iPhone 10,1 17C54 and checkra1n 0.9.5 with that branch.
I can make that into a PR if that saves you time but it's not my work. What a mess for the contribution policy :/
While I am here: do you use IDA+BinDiff to help update symbols automatically? Are people still porting symbols forward from the iOS 12 beta1 symbol leak in this way?
Are there other options that don't require IDA? Levin's joker/jtool2 didn't yield any of these symbols by default. I started toying with some yara plugins for Hopper but then @NewDwarf beat me to it, presumably by manual binary string match-and-check?
Can you provide suggestions to help update these symbol offsets for future iOS releases? I can go back to work on Hopper scripts, if that is even a worthwhile direction...