A tfp0 patch for iOS 9, based on the Pegasus/Trident vulnerabilities.
On macOS with XCode:
make
On a different OS with an iOS SDK and ldid installed:
-
Download a XNU source tarball and unzip it.
-
Download an IOKitUser source tarball and unzip it.
-
Export the following environment variables:
LIBKERN=path/to/xnu/libkern OSFMK=path/to/xnu/osfmk IOKIT=path/to/IOKitUser IGCC=ios-compiler-command LIBTOOL=ios-libtool-command SIGN=ldid SIGN_FLAGS=-S
./cl0ver panic [log=file]
Panic the device, loading to PC:
on 32-bit: the base address of __DATA.__const
on 64-bit: the OSString vtable
./cl0ver slide [log=file]
Print kernel slide
./cl0ver dump [log=file]
Dump kernel to kernel.bin
./cl0ver [log=file]
Apply tfp0 kernel patch
If log=file is give, output is written to "file" instead of stderr/syslog.
This repo doesn't contain any code for a GUI/Sandbox app, but a libcl0ver.a is built, which can be linked against. You'll most likely wanna call functions from exploit.h.
And you'll want to call them like:
dump_kernel([[NSHomeDirectory() stringByAppendingPathComponent:@"Documents"] stringByAppendingPathComponent:@"kernel.bin"].UTF8String);
// or
get_kernel_task([NSHomeDirectory() stringByAppendingPathComponent:@"Documents"].UTF8String);
If you want to run this on a device whose OSString vtable and stack anchor are not in the registry, create a file at /etc/cl0ver/config.txt, containing in hexadecimal the stack anchor on line 1 and the unslid OSString vtable address on line 2.
Also, make sure /etc/cl0ver/ exists and is writable by the current user, if you want offsets to get cached.
[ Here ]
Unless otherwise noted at the top of the file, all files in this repository are released under the MIT License.