How were the 'old' kernel text patches applied?

Posted: Thu Apr 11, 2019 3:00 pm
by ccnut
The era of modern open-source jailbreaks is great for those learning the craft. Even parts released as open-source allow for insight into a diverse set of techniques for potentially similar attacks/problems. However, the older jailbreaks are largely (wholly?) closed source and many are obfuscated, making any RE a potentially monumental task.

Though obsolete in the modern age of iOS jailbreaks (provided a userspace attack vector is used) due to KTRR, older jailbreaks would acquire kernel read/write and instrument a handful of useful kernel code patches (e.g. tfp0). However, any security-conscious OS would have marked its code page mappings as r-x. That said, how were older kernel patches applied? Given this initial constraint, some page-table manipulation must have been used, but of what flavor?

    * Were the kernel page tables walked (with kernel read/write) and the target pages marked as rxw?
    * Was a fake kernel page mapping deployed through TTBR0/1_EL1?
    * Did they forge a fake kernel_task port and use the supported vm_protect API to set the pages rw-, apply the patch, and reset to r-x meanwhile hoping that the code path was not used in the interim?
    * Did they use kexec to modify page mappings in the kernel (similar to the above, but from kernelspace without forging a task port to userspace)?