I am building an APNonce setter tool with the aid of siguza's v0rtex exploit and for now, I have most of the offsets I need, but the zone_map offset seems to be wrong no matter what I do.
What I tried:
I decrypted the kernel and loaded it in IDA on macOS. Searched strings for zone_map and found nothing relevant.
I had a bit of luck when I searched for zone_init, but the xref I followed wasn't leading anywhere.
My device is iPod Touch 5 and iOS 9.3.5. The offset I found is 0xffffffff0070d1aa4 but it panics the kernel so it's not correct.
The ZONE_MAP offset isn't very easy to find, but I will detail a method below that should work.
One caveat: I used Hopper for this, instead of IDA Pro. You can use the Demo version of Hopper though.
Step 1: Decrypt your KernelCache. Make sure it's decrypted, otherwise all the rest of the steps will essentially fail. You can use Decrypt0r for this. You know you're good when the Decrypt0r spews the following output:
Enter key for /Users/geosn0w/Desktop/kernelcache.release.n78: 87aa19c72db6e662d6c3dbcf74da88026fda5a66469baa7e271725918133cd2f
Enter key IV for /Users/geosn0w/Desktop/kernelcache.release.n78: 2692e6004e6240aab57f2affa0daedc0
[DEBUG] Opening /Users/geosn0w/Desktop/kernelcache.release.n78
Parsed TYPE element
Parsed DATA element
Parsed SEPO element
Parsed KBAG element
Parsed KBAG element
File opened successfully
Setting Img3 Key and IV
Fetching KBAG element from image
Found KBAG element in image
KBAG Type = 256, State = 1
Decrypting Img3 file
Fetching DATA element from image
Found DATA element in image
Setting keys to decrypt with
Performing decryption...
magic = 0x706d6f63
Image compressed, decompressing
signature = 0x706d6f63
compression_type = 0x73737a6c
Found LZSS compression type
Found output file listed as /Users/geosn0w/Desktop/kernelcache.release.n78.dec
Image claims it's decrypted, dump raw data
Closing Img3 file
/Users/geosn0w/Desktop/kernelcache.release.n78.dec copied to the root of IPSW folder
Step 2: Open Hopper Disassembler and pop the decrypted KernelCache file inside. The kernel is huge, so give it time to analyze it. It can take a few minutes.
Step 3: Once the kernel file has successfully been analyzed, navigate to the Strings Tab in Hopper and search for zone_init: kmem_suballoc failed.
Step 4: Double-click the single result that appeared, and then double-click the DATA XREF: subXXXXXXXXXXX subroutine cross-reference.
Step 5: If you did all the above, you will jump into a subroutine containing something like ; :lower16:(0x803bde69 - 0x80036856), "\\\"zone_init: kmem_suballoc failed\\\"", CODE XREF=sub_80032808+6204. Double click the CODE XREF=sub_XXXXXXXX part at the far right.
Step 6: Your offset is the first QWORD on the location you jumped to. In my case it was 0x8003684a and that's the offset for ZONE_MAP.