vphone-cli/research/kernel_patch_jb/patch_shared_region_map.md
Lakr 7daa2c4773 Enable 16 verified kernel JB patches, add per-patch research docs
Batch-tested all 24 kernel JB patches individually:
- 18 enabled: A1,A3,A4,B5,B7,B9-B20,C21,C22
- 3 PANIC: A2, B6 (proc_security_policy), B8 (convert_port_to_map), C23 (hook_cred_label_update_execve)
- 1 NOT_BOOT: C24 (kcall10)

Added research/kernel_patch_jb/ with per-patch analysis notes.
2026-03-04 20:08:00 +08:00


B17 patch_shared_region_map

How the patch works

  • Source: scripts/patchers/kernel_jb_patch_shared_region.py.
  • Locator strategy:
    1. Try symbol _shared_region_map_and_slide_setup.
    2. Fallback string anchor: /private/preboot/Cryptexes.
    3. In the function body, find a cmp <reg>, <reg> that is followed by a b.ne-style guard branch.
  • Patch action:
    • Rewrite compare to cmp x0, x0.

Expected outcome

  • Forces the compare result onto the equality path, so the rejection branch that the guard protects is weakened.

Target

  • Shared region setup guard in _shared_region_map_and_slide_setup path.

IDA MCP evidence

  • Anchor string: 0xfffffe000708c481 (/private/preboot/Cryptexes)
  • xref: 0xfffffe00080769dc
  • containing function start: 0xfffffe0008076260

Risk

  • Shared-region mapping checks influence process memory layout and the security assumptions built on it; weakening this guard removes one of those checks.