kudzues/vphone-cli
1
0
Fork 0
mirror of https://github.com/Lakr233/vphone-cli.git synced 2026-04-05 13:09:06 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
db5a2886faf056245c3791e35d6b78c440bbb628
vphone-cli/research/kernel_patch_jb
History
Lakr c9fd521659 Fix C24: patch_kcall10 sysent table base, chained fixup encoding, PAC signing 
Three bugs caused NOT_BOOT (timeout):

1. Wrong sysent table base: first _nosys match is entry 428, not entry 0.
   Entry 0 is the indirect syscall handler. Fixed with backward scan.

2. Raw VA written to chained fixup pointer slot: struct.pack("<Q", cave_va)
   corrupts the fixup chain from sysent[439] onward. Fixed with proper
   auth rebase encoding (_encode_chained_auth_ptr).

3. Missing PAC parameters: dispatch uses BLRAA X8, X17 with X17=0xBCAD.
   Chained fixup must encode diversity=0xBCAD, key=IA, addrDiv=0.
   Chain 'next' field preserved from original entry.

Boot-tested OK via testing ramdisk.
2026-03-04 21:41:44 +08:00
..
patch_amfi_cdhash_in_trustcache.md
docs: add per-patch kernel JB analysis notes
2026-03-04 20:05:23 +08:00
patch_amfi_execve_kill_path.md
Fix A2: rewrite AMFI execve kill path patch to target shared epilogue
2026-03-04 20:43:36 +08:00
patch_bsd_init_auth.md
docs: add per-patch kernel JB analysis notes
2026-03-04 20:05:23 +08:00
patch_convert_port_to_map.md
Fix B8 convert_port_to_map: was patching PAC check instead of kernel_map guard
2026-03-04 20:54:16 +08:00
patch_cred_label_update_execve.md
docs: add per-patch kernel JB analysis notes
2026-03-04 20:05:23 +08:00
patch_dounmount.md
docs: add per-patch kernel JB analysis notes
2026-03-04 20:05:23 +08:00
patch_hook_cred_label_update_execve.md
Fix C23: vnode_getattr string anchor resolved to wrong function (AppleImage4)
2026-03-04 21:21:23 +08:00
patch_io_secure_bsd_root.md
docs: add per-patch kernel JB analysis notes
2026-03-04 20:05:23 +08:00
patch_kcall10.md
Fix C24: patch_kcall10 sysent table base, chained fixup encoding, PAC signing
2026-03-04 21:41:44 +08:00
patch_load_dylinker.md
docs: add per-patch kernel JB analysis notes
2026-03-04 20:05:23 +08:00
patch_mac_mount.md
docs: add per-patch kernel JB analysis notes
2026-03-04 20:05:23 +08:00
patch_nvram_verify_permission.md
docs: add per-patch kernel JB analysis notes
2026-03-04 20:05:23 +08:00
patch_post_validation_additional.md
docs: add per-patch kernel JB analysis notes
2026-03-04 20:05:23 +08:00
patch_proc_pidinfo.md
docs: add per-patch kernel JB analysis notes
2026-03-04 20:05:23 +08:00
patch_proc_security_policy.md
Fix B6 proc_security_policy: was stubbing copyio instead of real target
2026-03-04 20:42:58 +08:00
patch_sandbox_hooks_extended.md
docs: add per-patch kernel JB analysis notes
2026-03-04 20:05:23 +08:00
patch_shared_region_map.md
docs: add per-patch kernel JB analysis notes
2026-03-04 20:05:23 +08:00
patch_spawn_validate_persona.md
docs: add per-patch kernel JB analysis notes
2026-03-04 20:05:23 +08:00
patch_syscallmask_apply_to_proc.md
docs: add per-patch kernel JB analysis notes
2026-03-04 20:05:23 +08:00
patch_task_conversion_eval_internal.md
docs: add per-patch kernel JB analysis notes
2026-03-04 20:05:23 +08:00
patch_task_for_pid.md
docs: add per-patch kernel JB analysis notes
2026-03-04 20:05:23 +08:00
patch_thid_should_crash.md
docs: add per-patch kernel JB analysis notes
2026-03-04 20:05:23 +08:00
patch_vm_fault_enter_prepare.md
docs: add per-patch kernel JB analysis notes
2026-03-04 20:05:23 +08:00
patch_vm_map_protect.md
docs: add per-patch kernel JB analysis notes
2026-03-04 20:05:23 +08:00