Justin Sherman

@shogunpwnd and then you call average_allocs on that list and the output from that function are the possible kernel_map guesses you could use. Or were you talking about something different?

@shogunpwnd Hey, I know this is a bit late but those two values it spits out is meant to be used with alloc_averager.py in the iomfb-exploit repo. You gotta get a couple of those ranges to add to that file in a global list like this: #L5" target="_blank" rel="nofollow noopener">github.com/jsherman212/io… and then call average_allocs on it

Can anyone help or explain to me how to get xnuspy to spit out the kernel map address range from using pongoOS? I've tried to get it using Checkra1n -p and thought I built xnuspy with the -B flags or whatever. To get the supposedly address but it repeatedly shows 2 values instead

@aa1896951 This kind of thing is easier over discord (Justin#6010) or twitter DM. Message me on one of those to try and figure this out

@jsherma100 @_bazad Excuse me, I use your KTRW project on iPhone8 and the system version is iOS 14.2. The error occurred when it tries to load ktrw_gdb_stub kext. The error message is "Could not send pongoOS command: e00002ed: (iokit/common) device not responding"

Updated @_bazad's KTRW for 14.x and wrote patchfinders for the offsets it needs (aka no more hunting for offsets yourself and putting them in a text file, the pongo module will get them automatically) @ github.com/jsherman212/kt…

@HostilityXbl @mattp_12 Can't do anything about the 2% success rate (I mistakenly typed .02%) It's because of kalloc type. Reliability would have been near 100% otherwise...

@jsherma100 @mattp_12 Lol I feel like working on it anymore isn’t worth .02 I’d try an see if it can be improved somehow or move onto something that is atleast 1% reliable haha

15.2 🥳 Bad success rate due to recent mitigations tho

@cutesmilee__ Yeah, pretty much

@jsherma100 so basically the only reliable way to reallocate an object is reallocating it with itself (same type of struct)?

@cutesmilee__ ...randomly assigned to one of those type zones. So it's like rolling a 12-sided die in this case: roll the same zone twice by pure luck and you can reallocate your object with something beneficial if you have a UAF, otherwise, reboot and try again

@cutesmilee__ You can only spray objects that are in the same *set* of type zones. If I remember right, kalloc.128 has like 12 type zones: kalloc.type0.128 - kalloc.type11.128. When XNU starts up, the first qword of each kalloc type site belonging to objects which go into kalloc.128 is...

@cutesmilee__ Yeah, cuz of kalloc type, otherwise reliability would have been near 100%

@jsherma100 is the bad success rate due to Apple mitigations against heap spraying?

@HostilityXbl @mattp_12 This is assuming that my math isnt bad 😅

@HostilityXbl @mattp_12 .02% chance lol. I got so lucky. I was expecting to have to spend the entirety of tomorrow getting an xcode screenshot lol

@mattp_12 I have no idea when this will be fixed 😅 apple works slowly

@mattp_12 It's a 0day, but I reported it to apple a month ago, so I guess not technically a 0day anymore

I just updated the part of the writeup about zalloc gc/refill flow to include content about partially-populated chunks. I also fixed something which was incorrect

@kf_63 Fuckin lol

Writeup finished, thank you to everyone that gave me feedback 🙂 jsherman212.github.io/2021/11/28/pop…

@mattp_12 it should work on all chips i just opened a random iphone 13 kernel and the code is there. This code was not part of the code that was moved to DCP

@jsherma100 Nice! Would you be able to confirm if it works on A14? (because iirc IOMFB stuff just crashes the DCP on A14+)

@chompie1337 thanks!!

really good iOS kernel exploit write up

@_saagarjha Never mind, you're a genius, I had optimized battery charging turned off for my phone's battery lol

@jsherma100 ?

Wtf do I have to do to get my airpods to charge past 80% -.-

@_saagarjha Even after turning it off it still does not charge past 80%