iosjailbreak

How can I find the Kernel Map offset on iOS 9.3.5 iPod Touch 5?


I am trying to build a tool around the v0rtex exploit released on GitHub a while back and I need to find the offset for Kernel Map and for Realhost.

I have decrypted the kernel file from the ipsw and loaded it in IDA but the offset I obtain never seems to be correct. The phone errors out.

The offset I managed to locate: 0x2b2b


Solution

  • That is not a valid offset.

    I assume you mean the KERNEL_MAP and REALHOST offsets.

    If you already have the decrypted kernelcache file on your desktop, and you are doing this on macOS (which I assume you do since you're building an iOS app), here's one of the methods to find the offsets:

    1. Place your kernelcache file on Desktop and make sure it's called "kernelcache".
    2. Open Terminal and paste the following commands:

    For KERNEL_MAP:

    nm kernelcache | grep ' _kernel_map$' | awk '{ print "0x" $1 }'
    

    For REALHOST:

    This is a bit trickier. REALHOST is actually host_priv_self_addr. You need to make sure you have Radare2 installed.

    If you don't have radare2, install it with:

    brew install radare2
    

    After that, run:

    host_priv_self_addr=$(nm kernelcache | grep host_priv_self | awk '{ print "0x" $1 }')
    r2 -q -e scr.color=false -c "pd 2 @ $host_priv_self_addr" kernelcache 2> /dev/null | sed -n 's/0x//gp' | awk '{ print $NF }' | tr '[a-f]\n' '[A-F] ' | awk '{ print "obase=16;ibase=16;" $1 "+" $2 }' | bc | tr '[A-F]' '[a-f]' | awk '{ print "0x" $1 }'
    

    Put this in a .sh file and give it the proper permissions with chmod +x.

    IMPORTANT: The kernel file MUST be decrypted with the proper KEY + IV from https://www.theiphonewiki.com/wiki/Genoa_13G36_(iPod5,1)

    I took some time and ran these against a 9.3.5 IPSW for the iPod Touch 5th generation that I had around. The KERNEL_MAP offset is 0x80412010.

    You'll have to find the other one yourself.