vphone-cli/research/kernel_patch_jb/patch_load_dylinker.md
Lakr 7daa2c4773 Enable 16 verified kernel JB patches, add per-patch research docs
Batch-tested all 24 kernel JB patches individually:
- 18 enabled: A1,A3,A4,B5,B7,B9-B20,C21,C22
- 3 PANIC: A2, B6 (proc_security_policy), B8 (convert_port_to_map), C23 (hook_cred_label_update_execve)
- 1 NOT_BOOT: C24 (kcall10)

Added research/kernel_patch_jb/ with per-patch analysis notes.
2026-03-04 20:08:00 +08:00

B16 patch_load_dylinker

How the patch works

  • Source: scripts/patchers/kernel_jb_patch_load_dylinker.py.
  • Locator strategy:
    1. Try symbol _load_dylinker.
    2. Otherwise, find the function with repeated PAC triplets:
      • tst xN, #0x40000000000000
      • b.eq ...
      • movk xN, #0xc8a2
      • repeated >= 3 times, usually in a function with no direct BL callers.
  • Patch action:
    • Replace the last tst with an unconditional branch to the b.eq target (the b.eq and movk stay in place).
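The locator and patch action above describe a fixed three-instruction shape, which also makes the modification easy to audit after the fact. The following is an added example, not code from this repository or from kernel_jb_patch_load_dylinker.py: it scans a textual disassembly listing (assumed format "addr: instruction", one per line; the listings below are constructed, with placeholder addresses) for intact tst / b.eq / movk #0xc8a2 triplets and for the patched form in which the tst slot holds an unconditional b to the b.eq target. A defender can run it over a dumped kernelcache function to confirm the PAC decision path is still intact.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One PAC triplet as described in the research note:
#   tst xN, #0x40000000000000 ; b.eq <target> ; movk xN, #0xc8a2
# The patch replaces the tst with "b <target>", so we match both shapes.
RE_TST = re.compile(r"^tst\s+(x\d+),\s*#0x40000000000000$")
RE_BEQ = re.compile(r"^b\.eq\s+(0x[0-9a-f]+)$")
RE_MOVK = re.compile(r"^movk\s+(x\d+),\s*#0xc8a2\b")
RE_B = re.compile(r"^b\s+(0x[0-9a-f]+)$")


@dataclass
class Insn:
    addr: int
    text: str  # whitespace-normalised mnemonic + operands


def parse_listing(listing: str) -> list[Insn]:
    """Parse 'addr: instruction' lines (assumed listing format) into Insn objects."""
    insns: list[Insn] = []
    for raw in listing.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        addr_s, _, body = line.partition(":")
        insns.append(Insn(int(addr_s, 16), " ".join(body.split())))
    return insns


def classify_triplets(insns: list[Insn]) -> tuple[list[int], list[int]]:
    """Return (addresses of intact triplets, addresses of patched triplets)."""
    intact: list[int] = []
    patched: list[int] = []
    for i in range(len(insns) - 2):
        first, second, third = insns[i].text, insns[i + 1].text, insns[i + 2].text
        m_beq = RE_BEQ.match(second)
        m_movk = RE_MOVK.match(third)
        if not (m_beq and m_movk):
            continue
        # Intact: tst and movk operate on the same register xN.
        m_tst = RE_TST.match(first)
        if m_tst and m_tst.group(1) == m_movk.group(1):
            intact.append(insns[i].addr)
            continue
        # Patched: the tst slot is an unconditional branch to the b.eq target.
        m_b = RE_B.match(first)
        if m_b and m_b.group(1) == m_beq.group(1):
            patched.append(insns[i].addr)
    return intact, patched


def audit_pac_path(listing: str, min_triplets: int = 3) -> dict:
    """Summarise whether the listing matches the >=3-triplet profile and whether
    any triplet shows the patched shape."""
    intact, patched = classify_triplets(parse_listing(listing))
    return {
        "intact": len(intact),
        "patched": len(patched),
        "patched_addrs": patched,
        "profile_matches": len(intact) + len(patched) >= min_triplets,
        "tampered": bool(patched),
    }


# Constructed sample listings with placeholder addresses (not real kernel offsets).
CLEAN_LISTING = """
0x1000: tst x8, #0x40000000000000
0x1004: b.eq 0x100c
0x1008: movk x8, #0xc8a2
0x100c: ldr x9, [x8]
0x1010: tst x10, #0x40000000000000
0x1014: b.eq 0x101c
0x1018: movk x10, #0xc8a2
0x101c: ldr x11, [x10]
0x1020: tst x12, #0x40000000000000
0x1024: b.eq 0x102c
0x1028: movk x12, #0xc8a2
0x102c: ret
"""

# Same function with the last tst replaced by "b <b.eq target>", as the patch does.
PATCHED_LISTING = CLEAN_LISTING.replace(
    "0x1020: tst x12, #0x40000000000000", "0x1020: b 0x102c"
)

if __name__ == "__main__":
    print("clean  :", audit_pac_path(CLEAN_LISTING))
    print("patched:", audit_pac_path(PATCHED_LISTING))
```

The register equality check (tst and movk on the same xN) is what keeps the matcher from firing on unrelated tst/b.eq pairs; a real listing from IDA or objdump will need the parse step adapted to its address and comment syntax.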

Expected outcome

  • Always skip the selected PAC re-sign/check path in the chained-fixup rebase flow.

Target

  • PAC decision branch in _load_dylinker-related fixup path.

IDA MCP evidence (current state)

  • No direct stable string/symbol anchor for this stripped build.
  • The patch design is pattern-based and function-profile-based; the exact static patch site has not yet been pinned down and is pending additional scripted narrowing.

Risk

  • PAC bypass in dylinker/fixup path is security-sensitive and can alter pointer-auth assumptions globally.