
Added iPhone XR 16.6 B1 Offsets #3

Merged
merged 1 commit into from
Aug 1, 2023


gorouflex

Should work…
IMG_0020

@hrtowii
Owner

hrtowii commented Aug 1, 2023

Thanks!

@hrtowii hrtowii merged commit c694adc into hrtowii:main Aug 1, 2023
@gorouflex
Author

gorouflex commented Aug 1, 2023

@hrtowii hey, it doesn't work somehow??? after pressing kopen it crashes and KPs. I thought it was because the iPhone 12,13 series offsets caused the KP, but no...
here is the log when I run with a single offset for my XR:

[info_init]: kfd->info.env.pid = 416
[info_init]: kfd->info.env.tid = 6153
[info_init]: kfd->info.env.maxfilesperproc = 10240
[info_init]: kfd->info.env.kern_version = Darwin Kernel Version 22.6.0: Tue May  9 06:18:00 PDT 2023; root:xnu-8796.140.12.502.1~12/RELEASE_ARM64_T8020
[info_init]: kfd->info.env.vid = 0
[puaf_init]: method_name = smith
[krkw_init]: method_name = kread_sem_open
[krkw_init]: method_name = kwrite_sem_open
[puaf_helper_give_ppl_pages]: given_ppl_pages = 80
[puaf_helper_give_ppl_pages]: 🟢 0s 1ms 848us
[puaf_run]: 🟢 0s 16ms 854us
[krkw_helper_grab_free_pages]: grabbed_free_pages = 912
[krkw_helper_grab_free_pages]: 🟢 0s 22ms 413us

and here the offset (changed all 0x08 -> 0x10 as you mentioned in readme):

/*
 * Copyright (c) 2023 Félix Poulin-Bélanger. All rights reserved.
 */

#ifndef dynamic_info_h
#define dynamic_info_h

struct dynamic_info {
    const char* kern_version;
    // struct fileglob
    u64 fileglob__fg_ops;
    u64 fileglob__fg_data;
    // struct fileops
    u64 fileops__fo_kqfilter;
    // struct fileproc
    // u64 fileproc__fp_iocount;
    // u64 fileproc__fp_vflags;
    // u64 fileproc__fp_flags;
    // u64 fileproc__fp_guard_attrs;
    // u64 fileproc__fp_glob;
    // u64 fileproc__fp_guard;
    // u64 fileproc__object_size;
    // struct fileproc_guard
    u64 fileproc_guard__fpg_guard;
    // struct kqworkloop
    u64 kqworkloop__kqwl_state;
    u64 kqworkloop__kqwl_p;
    u64 kqworkloop__kqwl_owner;
    u64 kqworkloop__kqwl_dynamicid;
    u64 kqworkloop__object_size;
    // struct pmap
    u64 pmap__tte;
    u64 pmap__ttep;
    // struct proc
    u64 proc__p_list__le_next;
    u64 proc__p_list__le_prev;
    u64 proc__p_pid;
    u64 proc__p_fd__fd_ofiles;
    u64 proc__object_size;
    // struct pseminfo
    u64 pseminfo__psem_usecount;
    u64 pseminfo__psem_uid;
    u64 pseminfo__psem_gid;
    u64 pseminfo__psem_name;
    u64 pseminfo__psem_semobject;
    // struct psemnode
    // u64 psemnode__pinfo;
    // u64 psemnode__padding;
    // u64 psemnode__object_size;
    // struct semaphore
    u64 semaphore__owner;
    // struct specinfo
    u64 specinfo__si_rdev;
    // struct task
    u64 task__map;
    u64 task__threads__next;
    u64 task__threads__prev;
    u64 task__itk_space;
    u64 task__object_size;
    // struct thread
    u64 thread__task_threads__next;
    u64 thread__task_threads__prev;
    u64 thread__map;
    u64 thread__thread_id;
    u64 thread__object_size;
    // struct uthread
    u64 uthread__object_size;
    // struct vm_map_entry
    u64 vm_map_entry__links__prev;
    u64 vm_map_entry__links__next;
    u64 vm_map_entry__links__start;
    u64 vm_map_entry__links__end;
    u64 vm_map_entry__store__entry__rbe_left;
    u64 vm_map_entry__store__entry__rbe_right;
    u64 vm_map_entry__store__entry__rbe_parent;
    // struct vnode
    u64 vnode__v_un__vu_specinfo;
    // struct _vm_map
    u64 _vm_map__hdr__links__prev;
    u64 _vm_map__hdr__links__next;
    u64 _vm_map__hdr__links__start;
    u64 _vm_map__hdr__links__end;
    u64 _vm_map__hdr__nentries;
    u64 _vm_map__hdr__rb_head_store__rbh_root;
    u64 _vm_map__pmap;
    u64 _vm_map__hint;
    u64 _vm_map__hole_hint;
    u64 _vm_map__holes_list;
    u64 _vm_map__object_size;
    // kernelcache static addresses
    u64 kernelcache__kernel_base;
    u64 kernelcache__cdevsw;
    u64 kernelcache__gPhysBase;
    u64 kernelcache__gPhysSize;
    u64 kernelcache__gVirtBase;
    u64 kernelcache__perfmon_devices;
    u64 kernelcache__perfmon_dev_open;
    u64 kernelcache__ptov_table;
    u64 kernelcache__vm_first_phys_ppnum;
    u64 kernelcache__vm_pages;
    u64 kernelcache__vm_page_array_beginning_addr;
    u64 kernelcache__vm_page_array_ending_addr;
    u64 kernelcache__vn_kqfilter;
};

const struct dynamic_info kern_versions[] = {
    {
        .kern_version = "Darwin Kernel Version 22.6.0: Tue May  9 06:18:00 PDT 2023; root:xnu-8796.140.12.502.1~12/RELEASE_ARM64_T8020",
        .fileglob__fg_ops = 0x28,
        .fileglob__fg_data = 0x40 - 8,
        .fileops__fo_kqfilter = 0x30,
        // .fileproc__fp_iocount = 0x0000,
        // .fileproc__fp_vflags = 0x0004,
        // .fileproc__fp_flags = 0x0008,
        // .fileproc__fp_guard_attrs = 0x000a,
        // .fileproc__fp_glob = 0x0010,
        // .fileproc__fp_guard = 0x0018,
        // .fileproc__object_size = 0x0020,
        .fileproc_guard__fpg_guard = 0x10,
        .kqworkloop__kqwl_state = 0x10,
        .kqworkloop__kqwl_p = 0x18,
        .kqworkloop__kqwl_owner = 0xd0,
        .kqworkloop__kqwl_dynamicid = 0xd0 + 0x18,
        .kqworkloop__object_size = 0x108,
        .pmap__tte = 0x0,
        .pmap__ttep = 0x10,
        .proc__p_list__le_next = 0x0,
        .proc__p_list__le_prev = 0x10,
        .proc__p_pid = 0x60,
        .proc__p_fd__fd_ofiles = 0xf8,
        .proc__object_size = 0x730,
        .pseminfo__psem_usecount = 0x04,
        .pseminfo__psem_uid = 0x0c,
        .pseminfo__psem_gid = 0x10,
        .pseminfo__psem_name = 0x14,
        .pseminfo__psem_semobject = 0x38,
        // .psemnode__pinfo = 0x0000,
        // .psemnode__padding = 0x0008,
        // .psemnode__object_size = 0x0010,
        .semaphore__owner = 0x28,
        .specinfo__si_rdev = 0x18,
        .task__map = 0x28,
        .task__threads__next = 0x80 - 0x28,
        .task__threads__prev = 0x80 - 0x28 + 8,
        .task__itk_space = 0x300,
        .task__object_size = 0x628,
        .thread__task_threads__next = 0x368 - 0x18,
        .thread__task_threads__prev = 0x368 - 0x18 + 8,
        .thread__map = 0x368,
        .thread__thread_id = 0x400,
        .thread__object_size = 0x4a8,
        .uthread__object_size = 0x200,
        .vm_map_entry__links__prev = 0x00,
        .vm_map_entry__links__next = 0x10,
        .vm_map_entry__links__start = 0x10,
        .vm_map_entry__links__end = 0x18,
        .vm_map_entry__store__entry__rbe_left = 0x20,
        .vm_map_entry__store__entry__rbe_right = 0x28,
        .vm_map_entry__store__entry__rbe_parent = 0x30,
        .vnode__v_un__vu_specinfo = 0x78,
        ._vm_map__hdr__links__prev = 0x00 + 0x10,
        ._vm_map__hdr__links__next = 0x10 + 0x10,
        ._vm_map__hdr__links__start = 0x10 + 0x10,
        ._vm_map__hdr__links__end = 0x18 + 0x10,
        ._vm_map__hdr__nentries = 0x30,
        ._vm_map__hdr__rb_head_store__rbh_root = 0x38,
        ._vm_map__pmap = 0x40,
        ._vm_map__hint = 0x90 + 0x10,
        ._vm_map__hole_hint = 0x90 + 0x10,
        ._vm_map__holes_list = 0x90 + 0x18,
        ._vm_map__object_size = 0xc0,
        .kernelcache__kernel_base = 0xfffffff007004000,
        .kernelcache__cdevsw = 0xfffffff00a249ab0,
        .kernelcache__gPhysBase = 0xfffffff0078ec288,
        .kernelcache__gPhysSize = 0xfffffff0078ec288 + 8,
        .kernelcache__gVirtBase = 0xfffffff0078ea440,
        .kernelcache__perfmon_devices = 0xfffffff00a289530,
        .kernelcache__perfmon_dev_open = 0xfffffff007e7a434,
        .kernelcache__ptov_table = 0xfffffff00789f9a0,
        .kernelcache__vm_first_phys_ppnum = 0xfffffff00a288910,
        .kernelcache__vm_pages = 0xfffffff00789c0f8,
        .kernelcache__vm_page_array_beginning_addr = 0xfffffff00789e950,
        .kernelcache__vm_page_array_ending_addr = 0xfffffff00a288908,
        .kernelcache__vn_kqfilter = 0xfffffff007ec8c44
    },
};

#endif /* dynamic_info_h */

@gorouflex
Author

@hrtowii I also tried the original offsets for XR 16.6 B1, but it still doesn't work

@forcequitOS

Yeah it's not working for me either on my 16.6b1 XR. Just crashes around 15 seconds after pressing kopen.

@gorouflex
Author

@hrtowii maybe your offsets.m isn't set to global
