iOS 11.1.2 kernel exploit and PoC local kernel debugger by @i41nbeer
This is my attempt to learn more about the iOS kernel and exploit development. I'll try to keep at it and add bits as I learn more.
- Adds support for iPad mini 2 wifi
- Adds support for iPhone6 (actually shares symbols with iPod6g)
- Adds temporary root
- Reads /etc/master.passwd as PoC
I wouldn't have even gotten started if not for @cji. I recommend anyone wanting to start exploring this PoC read his blog post
The technique for getting root was taken from the work done by:
- Abraham Masri @cheesecakeufo https://gist.github.com/iabem97/d11e61afa7a0d0a9f2b5a1e42ee505d8
- @benjibobs https://github.com/benjibobs/async_wake
Used a bunch of the functions from patchfinder64.c by xerub
And the work by stek29 helped me understand the trust_cache, and I used some of his work to get my trust_cache injection working. Ninjapawn did a lot of work that I referenced, especially around remounting the filesystem RW.
- xerub: https://github.com/xerub/extra_recipe
- ninjapawn: https://github.com/ninjaprawn/async_awake-fun
- stek29: https://github.com/stek29/async_awake-fun
I've tried to comment the above work with my understanding and what I've learned in the process. If I've got something fundamentally wrong, please let me know!