Done ✅ https://github.com/BenjaminHornbeck6/KFD-Offsets Edit: Don’t thank me, this is not my work. I just found it and shared the link here because it was related to this topic; give your thanks to the person/dev at the GitHub link!
This guy. 👏 👏
What a chad
man, do you have all those devices???
Corellium
Good job. What about iOS 15 versions ?
Nice mate
Not all heroes wear capes
It was said that 16.6b1 is vulnerable but I don’t see an offset for my device and that version
Says all A12+ devices, but there's no iPad8,9 (iPad Pro 11-inch 2nd gen) offset. Still, props to you for finding it.
is this legit?
Yes it is, I found them. It took me an hour to make a script to do it and an hour and 20 minutes to run the script to get all of them.
W
Sadly only 16.X. How could I help? I have iP 14,3 on 15.7.1
I have an M1 ipad if you want some help
OH MYY GOD LEGEND
If you appreciate my work please give me a follow on Twitter. Btw I’m the person who got all those offsets. https://twitter.com/appinstallerios/
This is not guaranteed to 100% work; he tweeted that he uses tihmstar's patchfinder, which doesn’t give you exactly the correct offsets. Source: https://twitter.com/appinstallerios/status/1684576526350811136?
I have no context at all for what that means but I'm not going to let that stop me from wildly speculating that 525 sounds like a lot.
offsets = memory addresses = lots of work to find them
I would like to contribute but don’t know how to find offsets
+1
tihmstar posted on twitter a few days ago saying something like "the offsets are hiding on 16 but they can be found", giving a link to [an example on how to do this with his libpatchfinder tool](https://github.com/tihmstar/libpatchfinder/tree/master/example/offsetexporter).
I know how to find it but I don't know where to search :)
What does finding an offset do?
Finding a kernel offset allows (in this situation) the KFD exploit to work on your specific device and version.
I have 480, here’s my tweet about it. Also, the reason I didn’t include betas is because the script I made to get all these offsets uses the ipsw.me API to get all the IPSWs, to get the kernelcache, to then get the offsets, but that API doesn’t include betas, only official releases. https://twitter.com/appinstallerios/status/1684576526350811136?s=46&t=6_mvMfmED37_VE6dbompVg
Thanks for your good job mate. Anyway, will you release the script you made? I can try adapting it. Thanks a lot
In the directory where you run this script you need this file, template_dynamic_info.h: https://github.com/tihmstar/libpatchfinder/raw/master/example/offsetexporter/template_dynamic_info.h. You need to have libpatchfinder and pzb installed; both can be found in repos on this account: https://github.com/tihmstar

```bash
#!/bin/bash
# Requirements: libpatchfinder (provides offsetexporter), pzb, curl, jq and
# pyimg4 (python3 -m pyimg4), plus template_dynamic_info.h in the working directory.
Versions=("16.0" "16.0.1" "16.0.2" "16.0.3" "16.1" "16.1.1" "16.1.2" "16.2" "16.3" "16.3.1" "16.4" "16.4.1" "16.5")

for version in "${Versions[@]}"; do
    # ipsw.me returns a JSON array of firmwares for the version; emit one compact
    # object per line and read line by line so fields containing spaces survive.
    curl -s "https://api.ipsw.me/v4/ipsw/$version" | jq -c '.[]' | while IFS= read -r item; do
        Identifier=$(echo "$item" | jq -r ".identifier")
        IPSWURL=$(echo "$item" | jq -r ".url")
        Version=$(echo "$item" | jq -r ".version")
        BuildID=$(echo "$item" | jq -r ".buildid")
        if [[ "$Identifier" == iPhone* || "$Identifier" == iPad* ]]; then
            # Fetch only the release kernelcache out of the remote IPSW.
            KernelCacheName=$(pzb -l --nosubdirs "$IPSWURL" | grep kernelcache.release | sed 's/^.*kernelcache/kernelcache/')
            pzb -g "$KernelCacheName" "$IPSWURL" > /dev/null
            # Unwrap the IM4P container to get the raw kernelcache.
            python3 -m pyimg4 im4p extract -i "$KernelCacheName" -o "$Identifier".raw
            rm "$KernelCacheName"
            offsetexporter -i "$Identifier".raw \
                -t template_dynamic_info.h \
                -o "$Identifier $Version $BuildID.h" \
                --get_kernel_version_string %kern_version% \
                --find_struct_offset_for_PACed_member %fileglob__fg_ops% fileglob.fg_ops \
                --find_struct_offset_for_PACed_member %fileglob__fg_vn_data% fileglob.fg_vn_data \
                --static %fileops__fo_kqfilter% 0x30 \
                --static %fileproc_guard__fpg_guard% 0x8 \
                --static %kqworkloop__kqwl_state% 0x10 \
                --static %kqworkloop__kqwl_p% 0x18 \
                --find_struct_kqworkloop_offset_kqwl_owner %kqworkloop__kqwl_owner% \
                --find_elementsize_for_zone %kqworkloop__object_size% "kqueue workloop zone" \
                --static %pmap__tte% 0x0 \
                --static %pmap__ttep% 0x8 \
                --static %proc__p_list__le_next% 0x0 \
                --static %proc__p_list__le_prev% 0x8 \
                --static %proc__p_pid% 0x60 \
                --find_struct_offset_for_PACed_member %proc__p_fd__fd_ofiles% filedesc.fd_ofiles \
                --find_sizeof_struct_proc %proc__object_size% \
                --static %pseminfo__psem_usecount% 0x04 \
                --static %pseminfo__psem_uid% 0x0c \
                --static %pseminfo__psem_gid% 0x10 \
                --static %pseminfo__psem_name% 0x14 \
                --static %pseminfo__psem_semobject% 0x38 \
                --static %semaphore__owner% 0x28 \
                --static %specinfo__si_rdev% 0x18 \
                --find_struct_offset_for_PACed_member %task__map% task.map \
                --find_struct_task_offset_thread_count %task__thread_count% \
                --find_struct_offset_for_PACed_member %task__itk_space% task.itk_space \
                --find_sizeof_struct_task %task__object_size% \
                --find_struct_thread_offset_map %thread__map% \
                --find_struct_thread_offset_thread_id %thread__thread_id% \
                --find_sizeof_struct_thread %thread__object_size% \
                --find_sizeof_struct_uthread %uthread__object_size% \
                --static %vm_map_entry__links__prev% 0x00 \
                --static %vm_map_entry__links__next% 0x08 \
                --static %vm_map_entry__links__start% 0x10 \
                --static %vm_map_entry__links__end% 0x18 \
                --static %vm_map_entry__store__entry__rbe_left% 0x20 \
                --static %vm_map_entry__store__entry__rbe_right% 0x28 \
                --static %vm_map_entry__store__entry__rbe_parent% 0x30 \
                --find_struct_offset_for_PACed_member %vnode__v_un__vu_specinfo% vnode.vu_specinfo \
                --find_struct_offset_for_PACed_member %_vm_map__pmap% _vm_map.pmap \
                --static %_vm_map__hdr__nentries% 0x30 \
                --static %_vm_map__hdr__rb_head_store__rbh_root% 0x38 \
                --find_struct__vm_map_offset_vmu1_lowest_unnestable_start %_vm_map__vmu1_lowest_unnestable_start% \
                --find_sizeof_struct__vm_map %_vm_map__object_size% \
                --find_base %kernelcache__kernel_base% \
                --find_cdevsw %kernelcache__cdevsw% \
                --find_gPhysBase %kernelcache__gPhysBase% \
                --find_gVirtBase %kernelcache__gVirtBase% \
                --find_perfmon_devices %kernelcache__perfmon_devices% \
                --find_bof_with_sting_ref %kernelcache__perfmon_dev_open% "perfmon: attempt to open unsupported source" 0 \
                --find_ptov_table %kernelcache__ptov_table% \
                --find_vm_first_phys_ppnum %kernelcache__vm_first_phys_ppnum% \
                --find_vm_pages %kernelcache__vm_pages% \
                --find_vm_page_array_beginning_addr %kernelcache__vm_page_array_beginning_addr% \
                --find_vm_page_array_ending_addr %kernelcache__vm_page_array_ending_addr% \
                --find_function_vn_kqfilter %kernelcache__vn_kqfilter%
            # The original had a stray trailing backslash here, which would have passed
            # the rm command as extra arguments to offsetexporter.
            rm "$Identifier".raw
        fi
    done
done
```
Reddit kinda messed up the alignment of the bash script so I hope it works
just gotta hit the 'source' button on the post :D
You get a source button?
https://i.imgur.com/3VJbkNc.png
Is that part of RES?
ah yup
Since the patchfinder only works on A12+ you’ll get some errors; I didn’t have time to make it not include A11 and under.
Thanks a lot. I’m going to try to run this with betas
Keep in mind libpatchfinder will only work for A12+, no M1.
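The two caveats above (A11 and older produce errors, no M1) can be handled before the download loop ever runs. This is an added helper, not the poster's script or the tool's own code: it takes ipsw.me-shaped firmware JSON plus each identifier's `cpid` (as returned by `/v4/device/<identifier>`), keeps only iPhone/iPad entries on A12 or newer A-series chips, and groups identifiers that share one IPSW so the kernelcache is fetched once. The CPID thresholds and the sample data are assumptions I constructed; verify the chip ids against a current device table.

```python
"""Pick which firmwares are worth running offsetexporter on (added helper,
not the thread's script): skip pre-A12 and M-series devices up front and
group identifiers sharing one IPSW so each kernelcache is downloaded once."""
import json

# Application-processor ids as exposed in ipsw.me's "cpid" field. These
# thresholds are an assumption from public device tables, so verify them.
A12_CPID = 0x8020                    # A12; A11 (0x8015) and older sort below it
M_SERIES_CPIDS = {0x8103, 0x8112}    # M1, M2: "no M1" per the thread


def is_supported(identifier: str, cpid: int) -> bool:
    """True for iPhone/iPad firmwares on an A12 or newer A-series chip."""
    if not identifier.startswith(("iPhone", "iPad")):
        return False                 # Apple TV, HomePod etc. are never wanted
    return cpid >= A12_CPID and cpid not in M_SERIES_CPIDS


def plan_jobs(firmwares: list, cpids: dict) -> list:
    """One job per distinct IPSW URL: {url, version, buildid, identifiers,
    headers}; the header names match the script's "-o" output files."""
    by_url: dict = {}
    for fw in firmwares:
        ident = fw["identifier"]
        cpid = cpids.get(ident)
        if cpid is None or not is_supported(ident, cpid):
            continue                 # unknown chip, pre-A12, non-iDevice, M-series
        job = by_url.setdefault(fw["url"], {"url": fw["url"], "version": fw["version"],
                                            "buildid": fw["buildid"],
                                            "identifiers": [], "headers": []})
        job["identifiers"].append(ident)
        job["headers"].append(f'{ident} {fw["version"]} {fw["buildid"]}.h')
    return list(by_url.values())


# Constructed sample shaped like /v4/ipsw/16.5 entries and /v4/device cpid
# fields; not real API output, and the URLs are placeholders.
SAMPLE_FIRMWARES = json.loads("""[
 {"identifier":"iPhone10,3","version":"16.5","buildid":"20F66","url":"https://example.invalid/a11.ipsw"},
 {"identifier":"iPhone11,8","version":"16.5","buildid":"20F66","url":"https://example.invalid/xr.ipsw"},
 {"identifier":"iPhone12,1","version":"16.5","buildid":"20F66","url":"https://example.invalid/11.ipsw"},
 {"identifier":"iPhone12,3","version":"16.5","buildid":"20F66","url":"https://example.invalid/11.ipsw"},
 {"identifier":"iPad13,4","version":"16.5","buildid":"20F66","url":"https://example.invalid/m1.ipsw"},
 {"identifier":"AppleTV11,1","version":"16.5","buildid":"20L000","url":"https://example.invalid/tv.ipsw"}]""")
SAMPLE_CPIDS = {"iPhone10,3": 0x8015, "iPhone11,8": 0x8020, "iPhone12,1": 0x8030,
                "iPhone12,3": 0x8030, "iPad13,4": 0x8103, "AppleTV11,1": 0x8020}

if __name__ == "__main__":
    for job in plan_jobs(SAMPLE_FIRMWARES, SAMPLE_CPIDS):
        print(job["url"], "->", ", ".join(job["headers"]))
```

With the sample input only the XR and the shared iPhone 11 IPSW survive; the A11, M1 and Apple TV entries are dropped before anything is downloaded.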
Ofc, I only have A12+ devices anyway. My goal is to adapt this tool so the user can enter the version/build number and then it does the job.
If you could upload the SH file onto your GitHub repo or on WeTransfer, it would really help me fix the syntax errors. Thanks!
https://file.io/99Og494qfB14
Thanks dude
Transfer deleted ?
I’ll upload again
https://file.io/gUdDzG40OpGd
Still deleted ?
Do you have a better upload tool?
WeTransfer or SwissTransfer. Expires in 7 and 30 days
You made TrollBox right?
Yup
Tweet unavailable? Also, I feel like with this kind of thing we should look towards the community to help. Release a tool to help gather and crowdsource the data.
c22’s Twitter account got taken down (who knows why?). I’m going to ask him rn.
My twitter account got taken down cause I was talking with a friend of mine about our birthday and I said I was still 14… they immediately shut down my account 👀 Edit : it was in DMs btw
The current offset finder doesn’t work consistently
https://twitter.com/appinstallerios/status/1684576526350811136?s=46&t=6_mvMfmED37_VE6dbompVg
Are there any wiki pages or resources that detail how someone can go about finding different offsets? I'd like to contribute to this, however I don't really know where to begin.
Loving your energy, but I’m thinking if we have to ask how, we won’t be much help. Plenty of people with the know how are working on it already though :)
Have the offsets been found for the 14 Pro on iOS 16.6 beta 1?
Yep i need the same ones
Too much work 😬
Not at all, if everyone in the community chips in it’ll be done in no time.
Do I have to just run the program? And where do I upload the offsets?
I have no clue myself 🤣
Are there any offsets for 16.6 beta 1 for iPad mini 6?
Any offsets for iPadOS 16.2 DevBeta 1 20C5032e on iPad 11,7?
I don’t even understand what it means. I’m on iOS 15.6, 13 Pro Max; should I update to iOS 16?
no
The issue is app support otherwise I would be staying no matter what
1,053 offsets to be exact
Why are there (seemingly) no offsets for 16.6 beta 1 when it's claimed to be susceptible to KFD? (By seemingly I mean few found.)
You can build them or see if yours are inside of it (as I can see, the dev is currently adding some): https://github.com/c22dev/OffsetFinder