KP in FindKernelBase() about jelbreklib HOT 7 CLOSED

Use the one in voucher_swap instead. It works fine. I'm trying adapting voucher_swap to rootlessJB, Stucked in AMFI stage. The trustbin method KP(of course), patchAMFI cannot set exception port Logs: [D] platform: iPhone8,1 16C101 [+] created 1024 pipes [+] created 8000 ports [+] sprayed 16777216 bytes to 1024 pipes in kalloc.16384 [+] created 3564 vouchers [+] sprayed 315752448 bytes to 8 ports in kalloc.1024 [+] stashed voucher pointer in thread ........................................................................................................................................................................... [+] sprayed 357924864 bytes of OOL ports to 4 ports in kalloc.32768 [+] recovered voucher port 0xf07 for freed voucher [+] adding references to the freed voucher to change the OOL port pointer [+] receiving the OOL ports will leak port 0x1ebf03 [+] received voucher port 0xf07 in OOL ports [+] voucher overlapped at offset 0x5ae0 [+] received fake port 0xd07 [+] port is at pipe index 256 [+] got ip_requests at 0xffffffe01c4c9300 [+] fake port is at offset 5712 [+] base port is at 0xffffffe005d15650 [+] kernel_task is at 0xffffffe00026e1c0 [+] done! port 0xd07 is tfp0 [D] found kernel slide 0x0000000004e00000 [*] Starting fun [*] Initializing jelbrekLib [i] offsets selected for iOS 12.0 or above [+] Initialized patchfinder [*] Unsandboxing pid 220 [*] copying to /var/mobile/Containers/Data/Application/A6F314E3-3541-4FB1-B46D-13601E5A67DB/Documents/31.01.19:13.16.21_kernelcache [*] Sandboxing pid 220 with slot at 0xffffffe0058f3aa0 [i] Mach-o header at 0x1C0 [lzss] Opening /var/mobile/Containers/Data/Application/A6F314E3-3541-4FB1-B46D-13601E5A67DB/Documents/31.01.19:13.16.21_kernelcache for reading [lzss] Opening /var/mobile/Containers/Data/Application/A6F314E3-3541-4FB1-B46D-13601E5A67DB/Documents/31.01.19:13.16.21_kernelcache.dec for writing [+] Decompressed kernelcache! [+] Initialized KernelSymbolFinder [+] kexecute: got user client: 0x1ebf07 [i] Kernel base: 0xfffffff00be04000 [i] uid: 0 [*] Unsandboxing pid 220 [+] Escaped sandbox! Wrote file 0x121e9eaf8 [-] Old host type: 0x80000000 [-] New host type: 0x80000004 [remap_kernel_task] kernel task at 0xffffffe00026e1c0 [*] vm_kernel_page_size: 4000 [+] allocated address: ffffffe000014000 [*] address to wire: ffffffe000014000 [*] vm_kernel_page_size: 4000 [+] allocated address: ffffffe00001c000 [*] address to wire: ffffffe00001c000 [remap_kernel_task] remapped successfully to 0xffffffe005a4e1c0 [remap_kernel_task] port kaddr: 0xffffffe005d158f0 [*] vm_kernel_page_size: 4000 [+] allocated address: ffffffe000024000 [*] address to wire: ffffffe000024000 [*] Installing bootstrap... ...................................................... [+] Installed bootstrap! [*] amfid, it's your turn [i] amfid's PID: 221 [*] Setting Entitlements... [i] before: get-task-allow is 0x0 [i] after: get-task-allow is 0xffffffe00020e140 [*] Getting task port [*] Got amfid's task port? :) 0x1e7907 [+] amfid_task_port = 0x1e7907 [+] AMFID_ExceptionPort = 0x1ec207 [-] Error setting amfid exception port: (os/kern) invalid argument [*] About to search for the binary load address [+] About to call mach_vm_region [-] Failed to get the region: (os/kern) invalid argument [i] Amfid load address: 0xffffffffffffffff [amfid][-] Error reading MISVSACI: (os/kern) invalid argument [*] Will trust /var/containers/Bundle/tweaksupport/usr/bin/inject_dylib [*] trust_chain at 0xfffffff00aa78000 — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#4>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ATtX-dZrDQjcBvijJbQyf8vRanasZk1tks5vIoqFgaJpZM4abp4y> .

Well, kernel_slide_init() from voucher_swap can get you the kernel_slide peacefully(maybe we don't really need to find a new method?), I put it just before the voucher_swap exploit return with tfp0 and put a few line to stop jeilbreaklib from trying to FindKernelBase() again. Also, not until *patchfinder* works well, we still have lots of thing to do. I tried KPP bypassed in yalu102 but the offset completely failed with some 0 in result (kernel_pmap, cpu_list,...) — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#4 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ATtX-SwyPw_noz748tSPYNPJ5Qn_S2b-ks5vI5UQgaJpZM4abp4y> .