vphone-cli/research/kernel_patch_jb/patch_vm_map_protect.md

B10 patch_vm_map_protect

Patch Goal

Bypass a high-bit protection guard by converting a TBNZ check into unconditional B.

Binary Targets (IDA + Recovered Symbols)

• Recovered symbol: vm_map_protect at 0xfffffe0007bd08d8.
• Anchor string: "vm_map_protect(%p,0x%llx,0x%llx) new=0x%x wired=%x @%s:%d" at 0xfffffe0007049e44.
• Anchor xref: 0xfffffe0007bd0efc in vm_map_protect.

Call-Stack Analysis

Representative static callers of vm_map_protect include:

• sub_FFFFFE0007AF3968
• sub_FFFFFE0007B90928
• sub_FFFFFE0007B9F844
• sub_FFFFFE0007FD6EB0
• additional VM/subsystem callsites

Patch-Site / Byte-Level Change

• Selected guard site: 0xfffffe0007bd09a8
• Before:
  • bytes: 78 24 00 B7
  • asm: TBNZ X24, #0x20, loc_FFFFFE0007BD0E34
• After:
  • bytes: 23 01 00 14
  • asm: B #0x48C (to same target)

Pseudocode (Before)

if (test_bit(flags, 0x20)) {
    goto guarded_path;
}

Pseudocode (After)

goto guarded_path;   // unconditional

Symbol Consistency

• Recovered symbol name and patch context are consistent.

Patch Metadata

• Patch document: patch_vm_map_protect.md (B10).
• Primary patcher module: scripts/patchers/kernel_jb_patch_vm_protect.py.
• Analysis mode: static binary analysis (IDA-MCP + disassembly + recovered symbols), no runtime patch execution.

Target Function(s) and Binary Location

• Primary target: recovered symbol vm_map_protect.
• Patchpoint: 0xfffffe0007bd09a8 (tbnz -> unconditional b).

Kernel Source File Location

• Expected XNU source: osfmk/vm/vm_user.c (vm_map_protect).
• Confidence: high.

Function Call Stack

• Primary traced chain (from Call-Stack Analysis):
• Representative static callers of vm_map_protect include:
• sub_FFFFFE0007AF3968
• sub_FFFFFE0007B90928
• sub_FFFFFE0007B9F844
• sub_FFFFFE0007FD6EB0
• The upstream entry(s) and patched decision node are linked by direct xref/callsite evidence in this file.

Patch Hit Points

• Key patchpoint evidence (from Patch-Site / Byte-Level Change):
• Selected guard site: 0xfffffe0007bd09a8
• Before:
• bytes: 78 24 00 B7
• asm: TBNZ X24, #0x20, loc_FFFFFE0007BD0E34
• After:
• bytes: 23 01 00 14
• The before/after instruction transform is constrained to this validated site.

Current Patch Search Logic

• Implemented in scripts/patchers/kernel_jb_patch_vm_protect.py.
• Site resolution uses anchor + opcode-shape + control-flow context; ambiguous candidates are rejected.
• The patch is applied only after a unique candidate is confirmed in-function.
• Anchor string: "vm_map_protect(%p,0x%llx,0x%llx) new=0x%x wired=%x @%s:%d" at 0xfffffe0007049e44.
• Anchor xref: 0xfffffe0007bd0efc in vm_map_protect.

Validation (Static Evidence)

• Verified with IDA-MCP disassembly/decompilation, xrefs, and callgraph context for the selected site.
• Cross-checked against recovered symbols in research/kernel_info/json/kernelcache.research.vphone600.bin.symbols.json.
• Address-level evidence in this document is consistent with patcher matcher intent.

Expected Failure/Panic if Unpatched

• High-bit protect guard keeps enforcing restrictive branch, causing vm_protect denial in jailbreak memory workflows.

Risk / Side Effects

• This patch weakens a kernel policy gate by design and can broaden behavior beyond stock security assumptions.
• Potential side effects include reduced diagnostics fidelity and wider privileged surface for patched workflows.

Symbol Consistency Check

• Recovered-symbol status in kernelcache.research.vphone600.bin.symbols.json: match.
• Canonical symbol hit(s): vm_map_protect.
• Where canonical names are absent, this document relies on address-level control-flow and instruction evidence; analyst aliases are explicitly marked as aliases.
• IDA-MCP lookup snapshot (2026-03-05): vm_map_protect -> vm_map_protect at 0xfffffe0007bd08d8.

Open Questions and Confidence

• Open question: verify future firmware drift does not move this site into an equivalent but semantically different branch.
• Overall confidence for this patch analysis: high (symbol match + control-flow/byte evidence).

Evidence Appendix

• Detailed addresses, xrefs, and rationale are preserved in the existing analysis sections above.
• For byte-for-byte patch details, refer to the patch-site and call-trace subsections in this file.

Runtime + IDA Verification (2026-03-05)

• Verification timestamp (UTC): 2026-03-05T14:55:58.795709+00:00
• Kernel input: /Users/qaq/Documents/Firmwares/PCC-CloudOS-26.3-23D128/kernelcache.research.vphone600
• Base VA: 0xFFFFFE0007004000
• Runtime status: hit (1 patch writes, method_return=True)
• Included in KernelJBPatcher.find_all(): False
• IDA mapping: 1/1 points in recognized functions; 0 points are code-cave/data-table writes.
• IDA mapping status: ok (IDA runtime mapping loaded.)
• Call-chain mapping status: ok (IDA call-chain report loaded.)
• Call-chain validation: 1 function nodes, 1 patch-point VAs.
• IDA function sample: vm_map_protect
• Chain function sample: vm_map_protect
• Caller sample: _Xmach_vm_protect, _Xprotect, __ZN27IOGuardPageMemoryDescriptor5doMapEP7_vm_mapPyjyy, mach_vm_protect_trap, mprotect, setrlimit
• Callee sample: lck_rw_done, pmap_protect_options, sub_FFFFFE0007B1D788, sub_FFFFFE0007B1EBF0, sub_FFFFFE0007B840E0, sub_FFFFFE0007B84C5C
• Verdict: questionable
• Recommendation: Hit is valid but patch is inactive in find_all(); enable only after staged validation.
• Key verified points:
• 0xFFFFFE0007BD09A8 (vm_map_protect): b #0x48C [_vm_map_protect] | 782400b7 -> 23010014
• Artifacts: research/kernel_patch_jb/runtime_verification/runtime_verification_report.json
• Artifacts: research/kernel_patch_jb/runtime_verification/ida_runtime_patch_points.json
• Artifacts: research/kernel_patch_jb/runtime_verification/ida_patch_chain_report.json
• Artifacts: research/kernel_patch_jb/runtime_verification/ida_patch_chain_report.md