docs: fix formatting in kernel_patch_jb MD files

Apply whitespace and formatting cleanups across research/kernel_patch_jb/*.md: add missing blank lines for readability, remove extraneous trailing blank lines, and adjust a small inline spacing/punctuation in patch_vm_map_protect.md. No semantic changes to content.
2026-04-05 04:59:05 +08:00 · 2026-03-06 23:11:14 +08:00
parent 73bc732349
commit 6c4165c7fe
6 changed files with 5 additions and 5 deletions
--- a/research/kernel_patch_jb/patch_dounmount.md
+++ b/research/kernel_patch_jb/patch_dounmount.md
@@ -48,6 +48,7 @@ On PCC 26.1 research the validated sequence is:
 The previous repo matcher had drifted to `0xCA81FC` on research.

 That drift was treated as a red flag because:
+
 - it did **not** match upstream,
 - it matched a later teardown sequence with shape `mov x0, #0 ; mov w1, #0x10 ; mov x2, #0 ; bl ...`,
 - that later sequence does **not** correspond to the upstream `coveredvp` cleanup gate in either IDA or XNU source structure.
@@ -175,4 +176,3 @@ Both variants emit exactly one patch:
 - Release/generalization rationale: the panic string is stable in stripped kernels, and the local 8-instruction shape is tight enough to stay cheap and robust across PCC 26.1 release / likely 26.3 release.
 - Performance note: one string-xref resolution plus a single function-local linear scan.
 - Focused PCC 26.1 research dry-run: `hit`, 1 write at `0x00CA8134`.
-
--- a/research/kernel_patch_jb/patch_mac_mount.md
+++ b/research/kernel_patch_jb/patch_mac_mount.md
@@ -115,4 +115,3 @@
 - Release/generalization rationale: the string keeps the search local to the right source module, while the paired semantic patterns identify the same function without relying on symbols. That combination should survive 26.1 release / likely 26.3 release better than a raw offset.
 - Performance note: one string anchor plus a bounded neighborhood scan (~`0x9000` bytes) instead of a whole-kernel semantic walk.
 - Focused PCC 26.1 research dry-run: `hit`, 2 writes at `0x00CA5D54` and `0x00CA5D88`.
-
--- a/research/kernel_patch_jb/patch_shared_region_map.md
+++ b/research/kernel_patch_jb/patch_shared_region_map.md
@@ -44,6 +44,7 @@ On PCC 26.1 research the validated sequence is:
 The older local analysis focused on a later fallback compare after the preboot lookup succeeded.

 That older focus is rejected because:
+
 - it did **not** match the known-good upstream site,
 - XNU source first checks `srfmp->vp->v_mount != rdir_vp->v_mount` before any preboot lookup,
 - IDA on PCC 26.1 research still shows that first root-vs-process-root compare exactly at the upstream offset,
--- a/research/kernel_patch_jb/patch_spawn_validate_persona.md
+++ b/research/kernel_patch_jb/patch_spawn_validate_persona.md
@@ -62,6 +62,7 @@ This helper is a compact persona validation subroutine in the spawn/exec policy
 ### Conclusion

 The upstream pair is the correct semantic gate because:
+
 - it is the exact pair patched by the known-good upstream tool,
 - both branches converge on the helper's deny path,
 - they live in the small validation helper reached from the outer spawn entitlement wrapper,
@@ -105,4 +106,3 @@ The upstream pair is the correct semantic gate because:
 - Release/generalization rationale: entitlement strings are stable across stripped kernels, and the dual-load/dual-cbz shape is tiny and source-backed.
 - Performance note: one string-xref resolution plus a very small helper-local scan.
 - Focused PCC 26.1 research dry-run: `hit`, 2 writes at `0x00FA7024` and `0x00FA702C`.
-
--- a/research/kernel_patch_jb/patch_task_for_pid.md
+++ b/research/kernel_patch_jb/patch_task_for_pid.md
@@ -40,6 +40,7 @@ On PCC 26.1 research the validated sequence is:
 The previous local rework had diverged to two later deny-return rewrites in small helper functions.

 That divergence is rejected because:
+
 - it does **not** match the known-good upstream site,
 - the XNU source still explicitly says `/* Always check if pid == 0 */` and immediately returns failure,
 - IDA on PCC 26.1 research still shows the same early `cbz wPid, fail` gate at the exact upstream offset,
--- a/research/kernel_patch_jb/patch_vm_map_protect.md
+++ b/research/kernel_patch_jb/patch_vm_map_protect.md
@@ -23,7 +23,7 @@
 - Nearby validated block in IDA:
  - `mov w9, #6`
  - `bics wzr, w9, w20`
-  - `b.ne #0xbc0274`  ← patched
+  - `b.ne #0xbc0274` ← patched
  - `tbnz w8, #0x16, #0xbc0274`
  - ...
  - `and w20, w20, #0xfffffffb`
@@ -243,4 +243,3 @@ goto guarded_path;   // unconditional
 - Release/generalization rationale: the panic string and the local BICS/TBNZ/write-clear shape are source-backed and should survive stripped release kernels with low matcher cost.
 - Performance note: one string-xref resolution and one function-local scan with a short semantic confirmation window.
 - Focused PCC 26.1 research dry-run: `hit`, 1 write at `0x00BC024C`.
-