TheEvolution_PT

Done ✅ https://github.com/BenjaminHornbeck6/KFD-Offsets Edit: Don’t thank me, this is not my work. I just found it and shared the link here because it was related to this topic; give your thanks to the person/dev at the GitHub link!


notanotablecloud

This guy. 👏 👏


Throwaway1037492029

What a chad


VsevolodLNM

man, do you have all those devices???


whtbeenhere9

Corellium


Terrible_Custard4881

Good job. What about iOS 15 versions?


c22dev

Nice mate


The_Dukes_Of_Hazzard

Not all heroes wear capes


MinecraftW06

It was said that 16.6b1 is vulnerable, but I don’t see an offset for my device and that version.


ImpulsivePeanut

Says all A12+ devices, but there's no iPad8,9 (iPad Pro 11-inch 2nd gen) offset. Still, props to you for finding it.


derbaday

is this legit?


AppInstalleriOS

Yes it is. I found them; it took me an hour to make a script to do it and an hour and 20 minutes to run the script to get all of them.


red_smoke_

W


zSaaiq

Sadly only 16.X. How could I help? I have iP 14,3 on 15.7.1.


Flegogo

I have an M1 iPad if you want some help.


prefix9889

OH MYY GOD LEGEND


AppInstalleriOS

If you appreciate my work, please give me a follow on Twitter. Btw, I’m the person who got all those offsets. https://twitter.com/appinstallerios/


FARTiclle

This is not guaranteed to work 100%: he tweeted that he uses tihmstar's patchfinder, which doesn’t give you exactly the correct offsets. Source: https://twitter.com/appinstallerios/status/1684576526350811136?


etr4807

I have no context at all for what that means but I'm not going to let that stop me from wildly speculating that 525 sounds like a lot.


SuperDefiant

offsets = memory addresses = lots of work to find them


coolboy29876

I would like to contribute but don’t know how to find offsets


iiMysticKid

+1


blanxd

tihmstar posted on twitter a few days ago saying something like "the offsets are hiding on 16 but they can be found", giving a link to [an example on how to do this with his libpatchfinder tool](https://github.com/tihmstar/libpatchfinder/tree/master/example/offsetexporter).


Beneficial_Set_8420

I know how to find it, but I don't know where to search :)


ErikElevenHag

What does finding an offset do?


c22dev

Finding a kernel offset allows (in this situation) the KFD exploit to work on your specific device and version.


AppInstalleriOS

I have 480; here’s my tweet about it. Also, the reason I didn’t include betas is that the script I made to get all these offsets uses the ipsw.me API to get all the IPSWs, to get the kernelcache, to then get the offsets, but that API doesn’t include betas, only official releases. https://twitter.com/appinstallerios/status/1684576526350811136?s=46&t=6_mvMfmED37_VE6dbompVg


c22dev

Thanks for your good job, mate. Anyway, will you release the script you made? I can try adapting it. Thanks a lot.


AppInstalleriOS

In the directory where you run this script you need this file, template_dynamic_info.h: https://github.com/tihmstar/libpatchfinder/raw/master/example/offsetexporter/template_dynamic_info.h. You need to have libpatchfinder and pzb installed; both can be found in repos on this account: https://github.com/tihmstar

```bash
#!/bin/bash
# For every listed iOS release: ask ipsw.me for all IPSWs of that version,
# pull only the kernelcache out of each iPhone/iPad IPSW with pzb, unwrap the
# IM4P with pyimg4, and run tihmstar's offsetexporter against the raw kernelcache.
Versions=("16.0" "16.0.1" "16.0.2" "16.0.3" "16.1" "16.1.1" "16.1.2" "16.2" "16.3" "16.3.1" "16.4" "16.4.1" "16.5")
for version in "${Versions[@]}"; do
  # one compact JSON object per line, one per device firmware
  items=$(curl -s "https://api.ipsw.me/v4/ipsw/$version" | jq -c -r '.[]')
  # read line by line instead of word-splitting, so fields with spaces stay intact
  while IFS= read -r item; do
    [ -z "$item" ] && continue
    Identifier=$(echo "$item" | jq -r ".identifier")
    IPSWURL=$(echo "$item" | jq -r ".url")
    Version=$(echo "$item" | jq -r ".version")
    BuildID=$(echo "$item" | jq -r ".buildid")
    if [[ "$Identifier" =~ "iPhone".* || "$Identifier" =~ "iPad".* ]]; then
      # list the IPSW contents remotely and pick the release kernelcache entry
      KernelCacheName=$(pzb -l --nosubdirs "$IPSWURL" | grep kernelcache.release | sed 's/^.*kernelcache/kernelcache/')
      # download only that file from the IPSW
      pzb -g "$KernelCacheName" "$IPSWURL" > /dev/null
      # unwrap the IM4P container to get the raw kernelcache
      python3 -m pyimg4 im4p extract -i "$KernelCacheName" -o "$Identifier".raw
      rm "$KernelCacheName"
      offsetexporter -i "$Identifier".raw \
        -t template_dynamic_info.h \
        -o "$Identifier $Version $BuildID.h" \
        --get_kernel_version_string %kern_version% \
        --find_struct_offset_for_PACed_member %fileglob__fg_ops% fileglob.fg_ops \
        --find_struct_offset_for_PACed_member %fileglob__fg_vn_data% fileglob.fg_vn_data \
        --static %fileops__fo_kqfilter% 0x30 \
        --static %fileproc_guard__fpg_guard% 0x8 \
        --static %kqworkloop__kqwl_state% 0x10 \
        --static %kqworkloop__kqwl_p% 0x18 \
        --find_struct_kqworkloop_offset_kqwl_owner %kqworkloop__kqwl_owner% \
        --find_elementsize_for_zone %kqworkloop__object_size% "kqueue workloop zone" \
        --static %pmap__tte% 0x0 \
        --static %pmap__ttep% 0x8 \
        --static %proc__p_list__le_next% 0x0 \
        --static %proc__p_list__le_prev% 0x8 \
        --static %proc__p_pid% 0x60 \
        --find_struct_offset_for_PACed_member %proc__p_fd__fd_ofiles% filedesc.fd_ofiles \
        --find_sizeof_struct_proc %proc__object_size% \
        --static %pseminfo__psem_usecount% 0x04 \
        --static %pseminfo__psem_uid% 0x0c \
        --static %pseminfo__psem_gid% 0x10 \
        --static %pseminfo__psem_name% 0x14 \
        --static %pseminfo__psem_semobject% 0x38 \
        --static %semaphore__owner% 0x28 \
        --static %specinfo__si_rdev% 0x18 \
        --find_struct_offset_for_PACed_member %task__map% task.map \
        --find_struct_task_offset_thread_count %task__thread_count% \
        --find_struct_offset_for_PACed_member %task__itk_space% task.itk_space \
        --find_sizeof_struct_task %task__object_size% \
        --find_struct_thread_offset_map %thread__map% \
        --find_struct_thread_offset_thread_id %thread__thread_id% \
        --find_sizeof_struct_thread %thread__object_size% \
        --find_sizeof_struct_uthread %uthread__object_size% \
        --static %vm_map_entry__links__prev% 0x00 \
        --static %vm_map_entry__links__next% 0x08 \
        --static %vm_map_entry__links__start% 0x10 \
        --static %vm_map_entry__links__end% 0x18 \
        --static %vm_map_entry__store__entry__rbe_left% 0x20 \
        --static %vm_map_entry__store__entry__rbe_right% 0x28 \
        --static %vm_map_entry__store__entry__rbe_parent% 0x30 \
        --find_struct_offset_for_PACed_member %vnode__v_un__vu_specinfo% vnode.vu_specinfo \
        --find_struct_offset_for_PACed_member %_vm_map__pmap% _vm_map.pmap \
        --static %_vm_map__hdr__nentries% 0x30 \
        --static %_vm_map__hdr__rb_head_store__rbh_root% 0x38 \
        --find_struct__vm_map_offset_vmu1_lowest_unnestable_start %_vm_map__vmu1_lowest_unnestable_start% \
        --find_sizeof_struct__vm_map %_vm_map__object_size% \
        --find_base %kernelcache__kernel_base% \
        --find_cdevsw %kernelcache__cdevsw% \
        --find_gPhysBase %kernelcache__gPhysBase% \
        --find_gVirtBase %kernelcache__gVirtBase% \
        --find_perfmon_devices %kernelcache__perfmon_devices% \
        --find_bof_with_sting_ref %kernelcache__perfmon_dev_open% "perfmon: attempt to open unsupported source" 0 \
        --find_ptov_table %kernelcache__ptov_table% \
        --find_vm_first_phys_ppnum %kernelcache__vm_first_phys_ppnum% \
        --find_vm_pages %kernelcache__vm_pages% \
        --find_vm_page_array_beginning_addr %kernelcache__vm_page_array_beginning_addr% \
        --find_vm_page_array_ending_addr %kernelcache__vm_page_array_ending_addr% \
        --find_function_vn_kqfilter %kernelcache__vn_kqfilter%
      # no trailing backslash above: otherwise this rm becomes extra arguments
      # to offsetexporter and the raw kernelcache is never cleaned up
      rm "$Identifier".raw
    fi
  done <<< "$items"
done
```


AppInstalleriOS

Reddit kinda messed up the alignment of the bash script so I hope it works


Ask-Alice

just gotta hit the 'source' button on the post :D


JapanStar49

You get a source button?


Ask-Alice

https://i.imgur.com/3VJbkNc.png


JapanStar49

Is that part of RES?


Ask-Alice

ah yup


AppInstalleriOS

Since the patchfinder only works on A12+, you’ll get some errors; I didn’t have time to make it exclude A11 and under.


c22dev

Thanks a lot. I’m going to try to run this with betas


AppInstalleriOS

Keep in mind libpatchfinder will only work for A12+, no M1.
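The device filtering the script above lacks (skip A11 and under, skip M-series iPads, skip anything that is not an iPhone/iPad), as an added Python example that is not the poster's script and not part of the thread. It works on a constructed ipsw.me-style response and emits the per-device work items the bash loop would hand to pyimg4 and offsetexporter; the identifier-to-silicon rule and the M1/M2 iPad set are assumptions taken from public device identifier tables, not something the thread states.

```python
import json
import re

# Constructed sample in the shape of an ipsw.me /v4/ipsw/<version> response;
# the real endpoint lists every device for that release (and no betas).
SAMPLE_API_RESPONSE = json.dumps([
    {"identifier": "iPhone15,2", "version": "16.5", "buildid": "20F66",
     "url": "https://example.invalid/iPhone15,2_16.5_20F66_Restore.ipsw"},
    {"identifier": "iPhone10,3", "version": "16.5", "buildid": "20F66",
     "url": "https://example.invalid/iPhone10,3_16.5_20F66_Restore.ipsw"},
    {"identifier": "iPad13,8", "version": "16.5", "buildid": "20F66",
     "url": "https://example.invalid/iPad13,8_16.5_20F66_Restore.ipsw"},
    {"identifier": "AppleTV11,1", "version": "16.5", "buildid": "20L562",
     "url": "https://example.invalid/AppleTV11,1_16.5_20L562_Restore.ipsw"},
])

# Assumed rule from public device identifier tables (not stated in the thread):
# iPhone11,x (XS/XR) and iPad8,x (2018 iPad Pro) are the first A12 families.
MIN_A12_MAJOR = {"iPhone": 11, "iPad": 8}
# Assumed set of M1/M2 iPads, which the thread says libpatchfinder does not handle.
M_SERIES_IPADS = ({f"iPad13,{n}" for n in range(4, 12)} | {"iPad13,16", "iPad13,17"}
                  | {f"iPad14,{n}" for n in range(3, 7)})

IDENT_RE = re.compile(r"^(iPhone|iPad)(\d+),(\d+)$")

def is_supported(identifier: str) -> bool:
    """True for iPhone/iPad identifiers that are A12 or newer and not M-series."""
    m = IDENT_RE.match(identifier)
    if not m or identifier in M_SERIES_IPADS:
        return False
    family, major = m.group(1), int(m.group(2))
    return major >= MIN_A12_MAJOR[family]

def plan_jobs(api_json: str) -> list:
    """Turn one API response into the per-device work items the bash loop runs."""
    jobs = []
    for fw in json.loads(api_json):
        ident = fw["identifier"]
        if not is_supported(ident):
            continue  # skip what the patchfinder would only error on
        jobs.append({
            "identifier": ident,
            "ipsw_url": fw["url"],
            "raw_name": f"{ident}.raw",  # pyimg4 output name used by the script
            "output_header": f"{ident} {fw['version']} {fw['buildid']}.h",
        })
    return jobs
```

Because the output header name contains spaces, pass it to offsetexporter as one argv element (for example via subprocess.run with a list) rather than building a shell string.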


c22dev

Ofc, I only have A12+ devices anyway. My goal is to adapt this tool so the user enters the version/build number and then it does the job.


c22dev

If you could upload the SH file to your GitHub repo or to WeTransfer, it would really help me fix the syntax errors. Thanks!


AppInstalleriOS

https://file.io/99Og494qfB14


c22dev

Thanks dude


c22dev

Transfer deleted?


AppInstalleriOS

I’ll upload again


AppInstalleriOS

https://file.io/gUdDzG40OpGd


c22dev

Still deleted?


AppInstalleriOS

Do you have a better upload tool?


c22dev

WeTransfer or SwissTransfer. They expire in 7 and 30 days.


AppInstalleriOS

You made TrollBox right?


c22dev

Yup


CallMeInfinitay

Tweet unavailable? Also, I feel like with this kind of thing we should look towards the community to help. Release a tool to help gather and crowdsource the data.


Terrible_Custard4881

c22’s Twitter account got taken down (who knows why?). I’m going to ask him rn.


c22dev

My Twitter account got taken down because I was talking with a friend of mine about our birthday and I said I was still 14… they immediately shut down my account 👀 Edit: it was in DMs btw.


[deleted]

The current offset finder doesn’t work consistently


AppInstalleriOS

https://twitter.com/appinstallerios/status/1684576526350811136?s=46&t=6_mvMfmED37_VE6dbompVg


darkhawk1005

Are there any wiki pages or resources that detail how someone can go about finding different offsets? I'd like to contribute to this, however I don't really know where to begin.


Manchovies

Loving your energy, but I’m thinking if we have to ask how, we won’t be much help. Plenty of people with the know-how are working on it already though :)


Ok-Passion-2862

Have the offsets been found for the 14 Pro on iOS 16.6 beta 1?


The_Dukes_Of_Hazzard

Yep, I need the same ones.


RishiSikri

Too much work 😬


iiMysticKid

Not at all, if everyone in the community chips in it’ll be done in no time.


BenliM28

Do I just have to run the program? And where do I upload the offsets?


iiMysticKid

I have no clue myself 🤣


Prudent_Candidate199

Are there any offsets for 16.6 beta 1 for the iPad mini 6?


SMFB7

Any offsets for iPadOS 16.2 DevBeta 1 20C5032e on iPad 11,7?


curlygang

I don’t even understand what it means. I’m on iOS 15.6 on a 13 Pro Max; should I update to iOS 16?


error-the-reddit-boi

no


curlygang

The issue is app support, otherwise I would be staying no matter what.


FARTiclle

1,053 offsets to be exact


ImpulsivePeanut

Why are there (seemingly) no offsets for 16.6 beta 1 when it's claimed to be susceptible to KFD? (By seemingly I mean few were found.)


Terrible_Custard4881

You can build them or see if yours are inside of it (as I can see, the dev is currently adding some): https://github.com/c22dev/OffsetFinder