kudzues/vphone-cli
1
0
Fork 0
mirror of https://github.com/Lakr233/vphone-cli.git synced 2026-04-05 04:59:05 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
5388e0c9c5e2bb2d5f6dd5982a0c21f1f81b1a29
vphone-cli/research/kernel_patch_jb/patch_shared_region_map.md
Lakr 5388e0c9c5 Squash merge startup-hang-fix into main 
Prefix research patch comparison doc and normalize root markdown names

Rename research root markdown files to scoped topic names
2026-03-06 02:42:12 +08:00

8.4 KiB
Raw Blame History

B17 patch_shared_region_map

Re-validated from static analysis (IDA MCP)

All checks below were redone from disassembly/decompilation; old assumptions were not trusted.

1) Real call chain (why this path executes)

shared_region_map_and_slide_2_np syscall path:

  1. Syscall entry points to 0xfffffe0008075560 (jb17_supplement_shared_region_map_and_slide_2_np_syscall).
  2. It calls 0xfffffe0008075F98 (jb17_supplement_shared_region_map_and_slide_locked).
  3. That calls 0xfffffe0008076260 (jb17_patched_fn_shared_region_map_and_slide_setup), the function containing the patch site.

This is the shared-region map+slide setup path used during dyld shared cache mapping for process startup.

2) The exact guard being bypassed

Inside jb17_patched_fn_shared_region_map_and_slide_setup:

  • First mount check:
    • 0xfffffe00080769CC (jb17_supplement_patchpoint_cmp_mount_vs_process_root)
    • cmp x8, x16 ; b.eq ...
  • If that fails, it enters fallback:
    • lookup "/private/preboot/Cryptexes" at 0xfffffe00080769DC
    • if lookup fails: cbnz w0, 0xfffffe0008076D84
  • Second mount check (the patched one):
    • 0xfffffe0008076A88 (jb17_patched_fn_patchpoint_cmp_mount_vs_preboot_mount)
    • original: cmp x8, x16
    • followed by b.ne 0xfffffe0008076D84

Fail target:

  • 0xfffffe0008076D84 (jb17_supplement_patchpoint_fail_not_root_or_preboot)
  • reaches mov w25, #1 (EPERM) and exits through cleanup.

So this guard is specifically "shared cache vnode mount must match either process root mount or preboot Cryptex mount".

3) What the patch changes

At 0xfffffe0008076A88:

  • before: cmp x8, x16
  • after: cmp x0, x0

Effect:

  • The following b.ne is never taken.
  • If preboot lookup succeeded, the "mount mismatch vs preboot Cryptex" rejection is neutralized.
  • The lookup-failure branch at 0xfffffe00080769F4 is unchanged.

Why this is needed for unsigned binaries / launchd dylib flow

In this jailbreak flow, process startup still needs successful shared-region map+slide. If this mount policy returns EPERM, dyld shared cache setup fails before normal userland execution continues. That blocks practical launch of unsigned/injected workflows (including launchd dylib-injection scenarios that depend on early process bring-up).

So B17 is not "generic code-sign bypass"; it is a targeted bypass of a mount-origin policy in shared-region setup that otherwise rejects the map request.

IDA rename markers added

Two groups requested were applied in IDA:

  • supplement group:
    • jb17_supplement_shared_region_map_and_slide_2_np_syscall
    • jb17_supplement_shared_region_map_and_slide_locked
    • jb17_supplement_patchpoint_cmp_mount_vs_process_root
    • jb17_supplement_patchpoint_preboot_lookup_begin
    • jb17_supplement_patchpoint_fail_not_root_or_preboot
  • patched function group:
    • jb17_patched_fn_shared_region_map_and_slide_setup
    • jb17_patched_fn_patchpoint_cmp_mount_vs_preboot_mount
    • jb17_patched_fn_patchpoint_bne_fail_preboot_mount

Risk

This weakens a kernel policy that constrains shared-cache mapping source mounts, so it broadens accepted mapping contexts and may reduce expected filesystem trust boundaries.

Symbol Consistency Audit (2026-03-05)

  • Status: partial
  • Recovered symbols include _shared_region_map_and_slide family, but not every internal setup helper name used in this doc.
  • Path-level conclusions remain based on disassembly/xref consistency.

Patch Metadata

  • Patch document: patch_shared_region_map.md (B17).
  • Primary patcher module: scripts/patchers/kernel_jb_patch_shared_region.py.
  • Analysis mode: static binary analysis (IDA-MCP + disassembly + recovered symbols), no runtime patch execution.

Patch Goal

Neutralize a shared-region mount-origin comparison guard that returns EPERM in map-and-slide setup.

Target Function(s) and Binary Location

  • Primary target: shared-region setup at 0xfffffe0008076260 (analyst label).
  • Patchpoint: 0xfffffe0008076a88 (cmp x8,x16 -> cmp x0,x0).

Kernel Source File Location

  • Expected XNU source: osfmk/vm/vm_shared_region.c (shared region map-and-slide setup path).
  • Confidence: high.

Function Call Stack

  • Call-path evidence is derived from IDA xrefs and callsite traversal in this document.
  • The patched node sits on the documented execution-critical branch for this feature path.

Patch Hit Points

  • Patch hitpoint is selected by contextual matcher and verified against local control-flow.
  • Before/after instruction semantics are captured in the patch-site evidence above.

Current Patch Search Logic

  • Implemented in scripts/patchers/kernel_jb_patch_shared_region.py.
  • Site resolution uses anchor + opcode-shape + control-flow context; ambiguous candidates are rejected.
  • The patch is applied only after a unique candidate is confirmed in-function.
  • Uses string anchors + instruction-pattern constraints + structural filters (for example callsite shape, branch form, register/imm checks).

Pseudocode (Before)

if (mount != proc_root_mount && mount != preboot_mount) {
    return EPERM;
}

Pseudocode (After)

if (mount != mount) {
    return EPERM;
}

Validation (Static Evidence)

  • Verified with IDA-MCP disassembly/decompilation, xrefs, and callgraph context for the selected site.
  • Cross-checked against recovered symbols in research/kernel_info/json/kernelcache.research.vphone600.bin.symbols.json.
  • Address-level evidence in this document is consistent with patcher matcher intent.

Expected Failure/Panic if Unpatched

  • Shared-region setup returns EPERM on mount-origin mismatch; dyld shared cache mapping for startup can fail.

Risk / Side Effects

  • This patch weakens a kernel policy gate by design and can broaden behavior beyond stock security assumptions.
  • Potential side effects include reduced diagnostics fidelity and wider privileged surface for patched workflows.

Symbol Consistency Check

  • Recovered-symbol status in kernelcache.research.vphone600.bin.symbols.json: partial.
  • Canonical symbol hit(s): none (alias-based static matching used).
  • Where canonical names are absent, this document relies on address-level control-flow and instruction evidence; analyst aliases are explicitly marked as aliases.
  • IDA-MCP lookup snapshot (2026-03-05): 0xfffffe0008075560 currently resolves to eventhandler_prune_list (size 0x140).

Open Questions and Confidence

  • Open question: symbol recovery is incomplete for this path; aliases are still needed for parts of the call chain.
  • Overall confidence for this patch analysis: medium (address-level semantics are stable, symbol naming is partial).

Evidence Appendix

  • Detailed addresses, xrefs, and rationale are preserved in the existing analysis sections above.
  • For byte-for-byte patch details, refer to the patch-site and call-trace subsections in this file.

Runtime + IDA Verification (2026-03-05)

  • Verification timestamp (UTC): 2026-03-05T14:55:58.795709+00:00
  • Kernel input: /Users/qaq/Documents/Firmwares/PCC-CloudOS-26.3-23D128/kernelcache.research.vphone600
  • Base VA: 0xFFFFFE0007004000
  • Runtime status: hit (1 patch writes, method_return=True)
  • Included in KernelJBPatcher.find_all(): False
  • IDA mapping: 1/1 points in recognized functions; 0 points are code-cave/data-table writes.
  • IDA mapping status: ok (IDA runtime mapping loaded.)
  • Call-chain mapping status: ok (IDA call-chain report loaded.)
  • Call-chain validation: 1 function nodes, 1 patch-point VAs.
  • IDA function sample: sub_FFFFFE000807F5F4
  • Chain function sample: sub_FFFFFE000807F5F4
  • Caller sample: _shared_region_map_and_slide
  • Callee sample: mac_file_check_mmap, sub_FFFFFE0007AC5540, sub_FFFFFE0007B15AFC, sub_FFFFFE0007B84334, sub_FFFFFE0007B84C5C, sub_FFFFFE0007C11F88
  • Verdict: questionable
  • Recommendation: Hit is valid but patch is inactive in find_all(); enable only after staged validation.
  • Key verified points:
  • 0xFFFFFE000807FE1C (sub_FFFFFE000807F5F4): cmp x0,x0 [_shared_region_map_and_slide_setup] | 1f0110eb -> 1f0000eb
  • Artifacts: research/kernel_patch_jb/runtime_verification/runtime_verification_report.json
  • Artifacts: research/kernel_patch_jb/runtime_verification/ida_runtime_patch_points.json
  • Artifacts: research/kernel_patch_jb/runtime_verification/ida_patch_chain_report.json
  • Artifacts: research/kernel_patch_jb/runtime_verification/ida_patch_chain_report.md