
I am building an APNonce setter tool with the aid of siguza’s v0rtex exploit and for now, I have most of the offsets I need, but zone_map offset seems to be wrong no matter what I do.

What I tried:

I decrypted the kernel and loaded it in IDA on macOS. Searched strings for zone_map and found nothing relevant.

I had a bit of luck when I searched for zone_init, but the xref I followed wasn’t leading anywhere.

My device is iPod Touch 5 and iOS 9.3.5. The offset I found is 0xffffffff0070d1aa4 but it panics the kernel so it’s not correct.

GeoSn0w
danielBinx
    v0rtex would need some changes beyond offsets to work on iOS 9, most notably a new way to trigger zalloc garbage collection. Is this a research project, or is there some other reason you're not using the Phœnix exploit instead? – Siguza Oct 18 '21 at 13:18
  • @Siguza I wondered that too, I assumed they may do it intentionally. – GeoSn0w Oct 18 '21 at 15:30
  • I tried, but I cannot get it to work at all; it panics. – danielBinx Oct 18 '21 at 16:00

1 Answer

The ZONE_MAP offset isn't very easy to find, but I will detail a method below that should work.

One caveat: I used Hopper for this, instead of IDA Pro. You can use the Demo version of Hopper though.

Step 1: Decrypt your KernelCache. Make sure it's decrypted, otherwise all the rest of the steps will essentially fail. You can use Decrypt0r for this. You know you're good when Decrypt0r prints the following output:

Enter key for /Users/geosn0w/Desktop/kernelcache.release.n78: 87aa19c72db6e662d6c3dbcf74da88026fda5a66469baa7e271725918133cd2f
Enter key IV for /Users/geosn0w/Desktop/kernelcache.release.n78: 2692e6004e6240aab57f2affa0daedc0
[DEBUG] Opening /Users/geosn0w/Desktop/kernelcache.release.n78
Parsed TYPE element
Parsed DATA element
Parsed SEPO element
Parsed KBAG element
Parsed KBAG element
File opened successfully
Setting Img3 Key and IV
Fetching KBAG element from image
Found KBAG element in image
KBAG Type = 256, State = 1
Decrypting Img3 file
Fetching DATA element from image
Found DATA element in image
Setting keys to decrypt with
Performing decryption...
magic = 0x706d6f63
Image compressed, decompressing
signature = 0x706d6f63
compression_type = 0x73737a6c
Found LZSS compression type
Found output file listed as /Users/geosn0w/Desktop/kernelcache.release.n78.dec
Image claims it's decrypted, dump raw data
Closing Img3 file
/Users/geosn0w/Desktop/kernelcache.release.n78.dec copied to the root of IPSW folder

Step 2: Open Hopper Disassembler and pop the decrypted KernelCache file inside. The kernel is huge, so give it time to analyze it. It can take a few minutes.

Step 3: Once the kernel file has successfully been analyzed, navigate to the Strings Tab in Hopper and search for zone_init: kmem_suballoc failed.

Step 4: Double-click the single result that appeared, and then double-click the DATA XREF: sub_XXXXXXXX subroutine cross-reference.

Step 5: If you did all the above, you will jump into a subroutine containing something like ; :lower16:(0x803bde69 - 0x80036856), "\"zone_init: kmem_suballoc failed\"", CODE XREF=sub_80032808+6204. Double-click the CODE XREF=sub_XXXXXXXX part at the far right.

(screenshot: Hopper disassembly)

Step 6: Your offset is the first QWORD on the location you jumped to. In my case it was 0x8003684a and that's the offset for ZONE_MAP.

(screenshot: offset in Hopper)

GeoSn0w
    Thanks sir but can I do this in radare2 or ida? – danielBinx Oct 17 '21 at 14:29
  • While I am sure it can be done in both, as long as you have the right plugins and decompilers (this is ARM after all, and not all disassemblers handle it), I wouldn't be able to guide you there, as I do not use IDA Pro. However, you can use the free version of Hopper for this. – GeoSn0w Oct 17 '21 at 14:33
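The string-to-code cross-reference that the answer above follows by hand in Hopper can also be found programmatically, which is the part the asker wanted to reproduce in radare2 or IDA. On a 32-bit (armv7) kernel such as the iPod touch 5's, code that references a string normally loads `string - pc` into a register with a Thumb-2 movw/movt pair and then executes `add rN, pc`; the `:lower16:(address - pc)` form in the Hopper line at Step 5 is how Hopper annotates that idiom. The following is an added example, not part of the original post and not code from Hopper, IDA, Decrypt0r or any of the tools mentioned: it decodes the movw/movt/add-pc sequence and reports every occurrence that resolves to a given address, in either the pc-relative or the absolute form. It runs on a constructed byte blob; `BASE` is an assumed load address, and `TARGET` reuses the string address shown in the post's Hopper line. For a real decrypted kernelcache you would additionally need to translate file offsets to virtual addresses through the Mach-O segment headers, which this script does not do.

```python
"""
Locate code that references a string in a raw 32-bit ARM (Thumb-2) image.
Added example for the zone_map hunt above; it is not part of the original
post and is not code from Hopper, IDA or Decrypt0r.
"""
import struct

# Constructed sample values. TARGET is the string address shown in the post's
# Hopper line; BASE is an assumed load address for the synthetic code blob.
BASE = 0x80030000
TARGET = 0x803BDE69


def find_string(image, base, text):
    """Return the virtual address of the NUL-terminated string `text`, or None.
    Assumes a flat image (vaddr = base + file offset); a real kernelcache is a
    Mach-O with several segments, so translate through the segment headers."""
    off = image.find(text.encode() + b"\0")
    return None if off < 0 else base + off


def _mov16(hw1, hw2):
    """Decode a Thumb-2 MOVW (encoding T3) or MOVT (encoding T1).
    Returns (is_movt, rd, imm16) or None if the halfwords are something else."""
    if hw2 & 0x8000:
        return None
    if hw1 & 0xFBF0 == 0xF240:
        is_movt = False
    elif hw1 & 0xFBF0 == 0xF2C0:
        is_movt = True
    else:
        return None
    imm4, i = hw1 & 0xF, (hw1 >> 10) & 1
    imm3, rd, imm8 = (hw2 >> 12) & 7, (hw2 >> 8) & 0xF, hw2 & 0xFF
    return is_movt, rd, (imm4 << 12) | (i << 11) | (imm3 << 8) | imm8


def _is_add_rd_pc(hw, rd):
    """True if hw is the 16-bit `add rd, pc` (ADD register, encoding T2, Rm=PC)."""
    return hw & 0xFF78 == 0x4478 and ((((hw >> 7) & 1) << 3) | (hw & 7)) == rd


def find_refs(code, base, target, window=6):
    """Return [(address_of_movw, rd, form)] for every movw/movt pair that
    resolves to `target`. form is 'abs' for a plain movw/movt of the address and
    'pcrel' for movw/movt of (target - pc) followed by `add rd, pc`, the idiom
    Hopper annotates as :lower16:(target - pc). `base` is the address of code[0];
    `window` is how many halfwords apart the three instructions may be."""
    refs = []
    last = len(code) - 3
    for off in range(0, last, 2):
        d = _mov16(*struct.unpack_from("<HH", code, off))
        if d is None or d[0]:
            continue                      # not a movw
        _, rd, lo = d
        for off2 in range(off + 4, min(off + 4 + 2 * window, last), 2):
            d2 = _mov16(*struct.unpack_from("<HH", code, off2))
            if not (d2 and d2[0] and d2[1] == rd):
                continue                  # wait for the movt on the same register
            imm32 = (d2[2] << 16) | lo
            if imm32 == target:
                refs.append((base + off, rd, "abs"))
                break
            for off3 in range(off2 + 4, min(off2 + 4 + 2 * window, len(code) - 1), 2):
                (hw,) = struct.unpack_from("<H", code, off3)
                if _is_add_rd_pc(hw, rd):
                    pc = base + off3 + 4  # Thumb reads PC as this instruction + 4
                    if (imm32 + pc) & 0xFFFFFFFF == target:
                        refs.append((base + off, rd, "pcrel"))
                    break
            break
    return refs


def _enc_mov16(is_movt, rd, imm16):
    """Encode MOVW/MOVT (inverse of _mov16); used only to build the sample."""
    hw1 = (0xF2C0 if is_movt else 0xF240) | (((imm16 >> 11) & 1) << 10) | (imm16 >> 12)
    hw2 = (((imm16 >> 8) & 7) << 12) | (rd << 8) | (imm16 & 0xFF)
    return struct.pack("<HH", hw1, hw2)


def build_sample():
    """Constructed Thumb-2 blob: one pc-relative reference to TARGET in r0,
    one absolute reference in r1, and one unrelated pair in r2 that must not match."""
    nop = b"\x00\xBF"                     # Thumb `nop` (0xBF00), little-endian
    code = nop * 4
    movw_at = len(code)
    pc = BASE + movw_at + 8 + 4           # `add r0, pc` sits 8 bytes after the movw
    delta = (TARGET - pc) & 0xFFFFFFFF
    code += _enc_mov16(False, 0, delta & 0xFFFF) + _enc_mov16(True, 0, delta >> 16)
    code += struct.pack("<H", 0x4478)    # add r0, pc
    code += nop * 3
    abs_at = len(code)
    code += _enc_mov16(False, 1, TARGET & 0xFFFF) + _enc_mov16(True, 1, TARGET >> 16)
    code += _enc_mov16(False, 2, 0x1234) + _enc_mov16(True, 2, 0x8000)
    return code, movw_at, abs_at


if __name__ == "__main__":
    code, _, _ = build_sample()
    for addr, rd, form in find_refs(code, BASE, TARGET):
        print(f"{form:5} ref to {TARGET:#x} via r{rd} at {addr:#x}")
```

Run as-is, it reports the pc-relative reference in r0 and the absolute one in r1 and ignores the unrelated r2 pair. Against a real image you would call `find_string` on the file bytes to get the string's address, then `find_refs` over the code segment with the segment's real virtual base; the address of the movw it returns is the site Hopper shows as the CODE XREF, from which the enclosing subroutine can be walked back in any disassembler.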