vphone-cli/research/kernel_patch_jb/patch_io_secure_bsd_root.md
Lakr 7daa2c4773 Enable 16 verified kernel JB patches, add per-patch research docs
Batch-tested all 24 kernel JB patches individually:
- 18 enabled: A1,A3,A4,B5,B7,B9-B20,C21,C22
- 3 PANIC: A2, B6 (proc_security_policy), B8 (convert_port_to_map), C23 (hook_cred_label_update_execve)
- 1 NOT_BOOT: C24 (kcall10)

Added research/kernel_patch_jb/ with per-patch analysis notes.
2026-03-04 20:08:00 +08:00

B19 patch_io_secure_bsd_root

How the patch works

  • Source: scripts/patchers/kernel_jb_patch_secure_root.py.
  • Locator strategy:
    1. Try to resolve the symbol _IOSecureBSDRoot.
    2. Fall back to the string anchor SecureRootName and take the function that references it.
    3. Inside the resolved function, locate the first forward conditional branch (cbz/cbnz/tbz/tbnz).
  • Patch action:
    • Replace that conditional branch with an unconditional B to the same target.

Expected outcome

  • The forward branch is always taken, so the secure-root check path it guards is skipped.

Target

  • Security decision branch inside _IOSecureBSDRoot flow.

IDA MCP evidence

  • SecureRootName occurrences:
    • 0xfffffe00070a66a5 -> xref 0xfffffe000828f444 -> function start 0xfffffe000828f42c
    • 0xfffffe0007108f2d -> xref 0xfffffe000836624c -> function start 0xfffffe0008366008
  • The patch script patches the first function that resolves successfully in scan order; which of the two candidates above that is depends on the scan order.

Risk

  • Secure-root checks are trust anchors; forcing the branch weakens the platform integrity assumptions that depend on them.