How can I find the Kernel Map offset on iOS 9.3.5 iPod Touch 5?

Time:10-17

I am trying to build a tool around the v0rtex exploit released on GitHub a while back and I need to find the offset for Kernel Map and for Realhost.

I have decrypted the kernel file from the ipsw and loaded it in IDA but the offset I obtain never seems to be correct. The phone errors out.

The offset I managed to locate: 0x2b2b

CodePudding user response:

That is not a valid offset.

I assume you mean the KERNEL_MAP and REALHOST offsets.

If you already have the decrypted kernelcache file on your desktop, and you are doing this on macOS (which I assume you do, since you're building an iOS app), here's one of the methods to find the offsets:

  1. Place your kernelcache file on Desktop and make sure it's called "kernelcache".
  2. Open Terminal and paste the following commands:

For KERNEL_MAP:

nm kernelcache | grep ' _kernel_map$' | awk '{ print "0x" $1 }'

For REALHOST:

This is a bit trickier. REALHOST is actually host_priv_self_addr. You need to make sure you have Radare2 installed.

If you don't have radare2, install it with

brew install radare2

After that, run:

#!/bin/sh
# Address of host_priv_self (the function that returns &realhost). The grep is
# anchored so that only the exact symbol matches.
host_priv_self_addr=$(nm kernelcache | grep ' _host_priv_self$' | awk '{ print "0x" $1 }')
# Disassemble its first two instructions (expected: movw rX, #lo ; movt rX, #hi),
# take the immediate of each and combine them as hi * 0x10000 + lo in bc
# (bc needs upper-case hex digits with ibase=16, hence the tr calls).
# If r2 does not show a movw/movt pair, the function is probably Thumb code:
# add -e asm.bits=16 to the r2 command line.
r2 -q -e scr.color=false -c "pd 2 @ $host_priv_self_addr" kernelcache 2> /dev/null \
    | sed -n 's/0x//gp' | awk '{ print $NF }' \
    | tr 'a-f\n' 'A-F ' \
    | awk '{ print "obase=16;ibase=16;" $2 "*10000+" $1 }' \
    | bc | tr 'A-F' 'a-f' | awk '{ print "0x" $1 }'

Put this in a .sh file and give it proper permissions with chmod +x.

IMPORTANT: The kernel file MUST be decrypted with the proper KEY/IV from https://www.theiphonewiki.com/wiki/Genoa_13G36_(iPod5,1)

Took some time and ran these against an IPSW of 9.3.5 for iPod Touch 5th Generation that I had around. KERNEL_MAP offset is 0x80412010.

You'll have to find the other one yourself.
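As an added example (not part of the answer above, and not code from v0rtex), here is what the radare2/bc pipeline in the answer computes, done directly on instruction bytes in C: decode the movw/movt pair at the start of host_priv_self and combine the two 16-bit immediates into the 32-bit address the function returns. It keeps the answer's assumption that the function begins with such a pair, and decodes both Thumb-2 and A32 encodings because the page does not say which one the 9.3.5 kernel uses at that spot. The sample byte arrays are constructed for the example (they are not taken from a real kernelcache) and the value 0x80411234 they encode is only illustrative, not a real offset.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: decode "movw rX, #lo ; movt rX, #hi" into the 32-bit value
 * it loads, which is what the r2 + bc pipeline in the answer does by hand. */

enum mov_kind { MOV_NONE = 0, MOV_W, MOV_T };

struct mov16 {
    enum mov_kind kind;
    unsigned rd;       /* destination register */
    uint16_t imm16;    /* 16-bit immediate */
};

/* Thumb-2 MOVW (encoding T3) / MOVT (encoding T1), two little-endian halfwords:
 * hw1 = 11110 i 10 [0|1] 1 0 0 imm4, hw2 = 0 imm3 Rd imm8, imm16 = imm4:i:imm3:imm8.
 * Returns 1 if decoded, 0 if the bytes are not a MOVW/MOVT. */
static int decode_thumb2_mov(const uint8_t *p, struct mov16 *out)
{
    uint16_t hw1 = (uint16_t)(p[0] | (p[1] << 8));
    uint16_t hw2 = (uint16_t)(p[2] | (p[3] << 8));
    uint16_t op = hw1 & 0xFBF0;                 /* clear the i bit and imm4 */
    if (op == 0xF240)      out->kind = MOV_W;
    else if (op == 0xF2C0) out->kind = MOV_T;
    else { out->kind = MOV_NONE; return 0; }
    unsigned imm4 = hw1 & 0xF, i = (hw1 >> 10) & 1;
    unsigned imm3 = (hw2 >> 12) & 7, imm8 = hw2 & 0xFF;
    out->rd = (hw2 >> 8) & 0xF;
    out->imm16 = (uint16_t)((imm4 << 12) | (i << 11) | (imm3 << 8) | imm8);
    return 1;
}

/* A32 MOVW (A2) / MOVT (A1): cond 0011 0000|0100 imm4 Rd imm12, imm16 = imm4:imm12. */
static int decode_a32_mov(const uint8_t *p, struct mov16 *out)
{
    uint32_t insn = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                    ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    uint32_t op = insn & 0x0FF00000;
    if ((insn >> 28) == 0xF) op = 0;            /* cond = 1111 is never MOVW/MOVT */
    if (op == 0x03000000)      out->kind = MOV_W;
    else if (op == 0x03400000) out->kind = MOV_T;
    else { out->kind = MOV_NONE; return 0; }
    out->rd = (insn >> 12) & 0xF;
    out->imm16 = (uint16_t)((((insn >> 16) & 0xF) << 12) | (insn & 0xFFF));
    return 1;
}

/* Combine a MOVW/MOVT pair at p (either order, same Rd) into the value it
 * loads. thumb selects the Thumb-2 or the A32 decoder. Returns 0 on success,
 * -1 if the eight bytes are not such a pair (for example when the function
 * starts with a push, or loads the address from a literal pool instead). */
int decode_mov_pair(const uint8_t *p, int thumb, uint32_t *value)
{
    struct mov16 a, b;
    int (*dec)(const uint8_t *, struct mov16 *) = thumb ? decode_thumb2_mov : decode_a32_mov;
    if (!dec(p, &a) || !dec(p + 4, &b) || a.rd != b.rd) return -1;
    const struct mov16 *lo, *hi;
    if (a.kind == MOV_W && b.kind == MOV_T) { lo = &a; hi = &b; }
    else if (a.kind == MOV_T && b.kind == MOV_W) { lo = &b; hi = &a; }
    else return -1;
    *value = ((uint32_t)hi->imm16 << 16) | lo->imm16;
    return 0;
}

/* Convenience wrapper: the decoded value, or 0 when the bytes are not a pair. */
uint32_t decode_mov_pair_or_zero(const uint8_t *p, int thumb)
{
    uint32_t v;
    return decode_mov_pair(p, thumb, &v) == 0 ? v : 0;
}

/* Constructed sample bytes (not from any real kernelcache): both encode
 * "movw r0, #0x1234 ; movt r0, #0x8041", i.e. r0 = 0x80411234. */
const uint8_t SAMPLE_THUMB2[8] = { 0x41, 0xF2, 0x34, 0x20,   /* movw r0, #0x1234 */
                                   0xC8, 0xF2, 0x41, 0x00 }; /* movt r0, #0x8041 */
const uint8_t SAMPLE_A32[8]    = { 0x34, 0x02, 0x01, 0xE3,   /* movw r0, #0x1234 */
                                   0x41, 0x00, 0x48, 0xE3 }; /* movt r0, #0x8041 */
/* Thumb "push {r7, lr} ; mov r7, sp ; nop ; nop": a prologue, not an address load. */
const uint8_t SAMPLE_PROLOGUE[8] = { 0x80, 0xB5, 0x6F, 0x46, 0x00, 0xBF, 0x00, 0xBF };

int main(void)
{
    printf("thumb2:   0x%08x\n", decode_mov_pair_or_zero(SAMPLE_THUMB2, 1));
    printf("a32:      0x%08x\n", decode_mov_pair_or_zero(SAMPLE_A32, 0));
    printf("prologue: 0x%08x (not a movw/movt pair)\n", decode_mov_pair_or_zero(SAMPLE_PROLOGUE, 1));
    return 0;
}
```

To use this on a real kernelcache you would take the address nm prints for _host_priv_self, convert it to a file offset with the vmaddr and fileoff of the __TEXT segment that contains it, and hand the eight bytes at that offset to decode_mov_pair; a -1 result means the function does not start with the movw/movt pair the answer assumes, and you need to look at the disassembly yourself.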
