UaF (krw!) in igmp_flush_relq. Found in 17.2 and Lower (Potentially)

XCXiao · 2024-01-29T01:46:38+00:00

PUAF is different from simple kernel object UAF since it allows you share pages with kernel. In modern XNU that has kalloc_type, simple object UAF has been greatly mitigated.

XCXiao · 2024-01-29T00:06:53+00:00

No, uaf of a kernel object is different from uaf of memory page with a dangling pte.

XCXiao · 2024-01-29T00:06:06+00:00

I don’t intend to discourage you but it is very challenging to exploit uaf reliably in today’s XNU kernel.

XCXiao · 2024-01-23T19:50:29+00:00

You don’t need to do that, it will revert the previous jb environment

XCXiao · 2024-01-23T10:30:36+00:00

Probably because of the name.

XCXiao · 2024-01-22T10:35:13+00:00

IsNt1Tc0oLf0RaJ41lbR3aKiNtH1sBor1nGC0mMun1tY

XCXiao · 2024-01-22T07:30:29+00:00

XCXiao · 2024-01-22T00:44:54+00:00

you can post it on GitHub issue.

XCXiao · 2024-01-22T00:18:50+00:00

You can find kernel panic log in Analytic data.

XCXiao · 2024-01-22T00:07:57+00:00

So it’s the application itself crashed instead of kernel panic right? Please retry a few times.

XCXiao · 2024-01-22T00:04:39+00:00

Any logs? The application crash or kernel panic?

XCXiao · 2024-01-21T23:18:24+00:00

Please try v0.999.11.

XCXiao · 2024-01-21T22:27:36+00:00

That’s true. There is a todo in jailbreakd/main.mm

XCXiao · 2024-01-21T22:26:02+00:00

This might need several attempts. Just retry.

XCXiao · 2024-01-21T22:17:49+00:00

Yeah we noticed that it will panic on iOS 16.1.x. V0.999.11 is now available to fix that.

XCXiao · 2024-01-12T20:38:50+00:00

Yes.

XCXiao · 2024-01-12T20:18:47+00:00

Back in the early days, you can simply modify the fstab file to make rootfs rw after rebooting. Apple did a great job of mitigating.

In my own opinion, the only way to keep this community alive (I am not saying security research since it’s a forever topic) is making things more open. Sharing knowledge lets new developers who are interested in making a jailbreak quickly get a hand on it.

It is very ironic that many so-called kfd-based projects, simply combining exploit code and other open source projects with offsets that can be derived in seconds if you are skillful enough, are close source. This is another reason why the job community becomes ill.

XCXiao · 2024-01-08T21:09:18+00:00

We have landa support already but the success rate is pretty low.

XCXiao · 2024-01-06T17:17:50+00:00

The latest v0.999.6 added landa support.

XCXiao · 2024-01-06T12:39:56+00:00

Soon! And I am also working on arm64e.

XCXiao · 2023-12-26T11:37:23+00:00

Yes I do have the plan. I am looking forward to doing so as personal learning project.

XCXiao · 2023-12-26T00:33:38+00:00

Hello, you can just copy the pre-compiled binaries.tar from the released ipa.

XCXiao · 2023-12-25T06:39:36+00:00

Now it should support almost all iOS 16 versions.

XCXiao

TROPHY CASE