kudzues/vphone-cli
1
0
Fork 0
mirror of https://github.com/Lakr233/vphone-cli.git synced 2026-04-05 13:09:06 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
fd8e8d184cde0c182139b85e5b76fa06eb0443d9
vphone-cli/research/00_patch_comparison_all_variants.md
Lakr fd8e8d184c Squash merge iunctqwiocmfxhigkcunamxoi into main 
Included commits:

- f8a54b8 Update JB kernel patch research notes
  Refresh and revalidate jailbreak kernel-patcher documentation and runtime-verification notes. Key updates: re-analyzed B13 (patch_bsd_init_auth) and retargeted recommended site to the FSIOC_KERNEL_ROOTAUTH return check in bsd_init rather than the old ldr/cbz/bl heuristic; clarified preferred NOP-of-CBNZ vs forcing ioctl return. Reworked C21 (patch_cred_label_update_execve) to preserve AMFI exec-time flow and instead clear restrictive csflags in a success-tail trampoline; disabled in default schedule until boot validation. Documented that C23 (patch_hook_cred_label_update_execve) was mis-targeting the wrapper (sub_FFFFFE00093D2CE4) instead of the real hook body (_hook_cred_label_update_execve), explaining boot failures and recommending retargeting. Noted syscallmask and vm_fault matcher problems (patch_syscallmask_apply_to_proc historical hit targeted _profile_syscallmask_destroy; patch_vm_fault_enter_prepare matcher resolves to pmap_lock_phys_page path), and updated the runtime-verification summary with follow-up findings and which methods are temporarily commented out/disabled in the default KernelJBPatcher schedule pending staged re-validation.
- 6ebac65 fix: patch_bsd_init_auth
- 5b224d3 fix: patch_io_secure_bsd_root
- e6806bf docs: update patch notes
- 0d89c5c Retarget vm_fault_enter_prepare jailbreak patch
- 6b9d79b Rework C21 late-exit cred_label patch
- ece8cc0 Clean C21 mov matcher encodings
- ad2ea7c enabled fixed patch_cred_label_update_execve
- c37b6b1 Rebuild syscallmask C22 patch
- 363dd7a Rebuild JB C23 as faithful upstream trampoline
- 129e648 Disable IOUC MACF; rebuild kcall10 & C22 docs
  Re-evaluate and rework several JB kernel patches and docs: mark patch_iouc_failed_macf as reverted/disabled (repo-local, over-broad early-return) and replace its patcher with a no-op implementation to emit zero writes by default; update research notes to explain the reanalysis and rationale. Rebuild patch_kcall10: replace the historical 10-arg design with an ABI-correct syscall-439 cave (target + 7 args -> uint64 return), add a new cave builder and munge32 reuse logic in the kcall10 patcher, and enable the method in KernelJBPatcher group. Clarify syscallmask (C22) semantics in docs: upstream C22 is an all-ones-mask retarget (not a NULL install) and keep the rebuilt all-ones wrapper as the authoritative baseline. Misc: minor refactors and helper additions (chained-pointer helpers, cave size/constants, validation and dry-run safeguards) to improve correctness and alignment with IDA/runtime verification.
- e1b2365 Rebuild kcall10 as ABI-correct syscall cave
- 23090d0 fix patch_iouc_failed_macf
- 0056be2 Normalize formatting in research docs
  Apply whitespace and formatting cleanup across research markdown files for consistency and readability. Adjust table alignment and spacing in 00_patch_comparison_all_variants.md, normalize list/indentation spacing in patch_bsd_init_auth.md and patch_syscallmask_apply_to_proc.md, and add/clean blank lines and minor spacing in patch_kcall10.md. These are non-functional documentation changes only.
2026-03-06 19:08:16 +08:00

30 KiB
Raw Blame History

Patch Comparison: Regular / Development / Jailbreak

Boot Chain Patches

AVPBooter

# Patch Purpose Regular Dev JB
1 mov x0, #0 DGST signature validation bypass Y Y Y

iBSS

# Patch Purpose Regular Dev JB
1 Serial labels (2x) "Loaded iBSS" in serial log Y Y Y
2 image4_validate_property_callback Signature bypass (b.ne -> NOP, mov x0,x22 -> mov x0,#0) Y Y Y
3 Skip generate_nonce Keep apnonce stable for SHSH (tbz -> unconditional b) - - Y

iBEC

# Patch Purpose Regular Dev JB
1 Serial labels (2x) "Loaded iBEC" in serial log Y Y Y
2 image4_validate_property_callback Signature bypass Y Y Y
3 Boot-args redirect ADRP+ADD -> serial=3 -v debug=0x2014e %s Y Y Y

LLB

# Patch Purpose Regular Dev JB
1 Serial labels (2x) "Loaded LLB" in serial log Y Y Y
2 image4_validate_property_callback Signature bypass Y Y Y
3 Boot-args redirect ADRP+ADD -> serial=3 -v debug=0x2014e %s Y Y Y
4 Rootfs bypass (5 patches) Allow edited rootfs loading Y Y Y
5 Panic bypass NOP cbnz after mov w8,#0x328 check Y Y Y

TXM

# Patch Purpose Regular Dev JB
1 Trustcache binary-search bypass bl hash_cmp -> mov x0, #0 Y Y Y
2 Selector24 bypass: mov w0, #0xa1 Return PASS (byte 1 = 0) after prologue - Y Y
3 Selector24 bypass: b <epilogue> Skip validation, jump to register restore - Y Y
4 get-task-allow (selector 41|29) bl -> mov x0, #1 - Y Y
5 Selector42|29 shellcode: branch to cave Redirect dispatch stub to shellcode - Y Y
6 Selector42|29 shellcode: NOP pad UDF -> NOP in code cave - Y Y
7 Selector42|29 shellcode: mov x0, #1 Set return value to true - Y Y
8 Selector42|29 shellcode: strb w0, [x20, #0x30] Set manifest flag - Y Y
9 Selector42|29 shellcode: mov x0, x20 Restore context pointer - Y Y
10 Selector42|29 shellcode: branch back Return from shellcode to stub+4 - Y Y
11 Debugger entitlement (selector 42|37) bl -> mov w0, #1 - Y Y
12 Developer mode bypass NOP conditional guard before deny path - Y Y

Kernelcache

Base Patches (All Variants)

# Patch Function Purpose Regular Dev JB
1 NOP tbnz w8,#5 _apfs_vfsop_mount Skip root snapshot sealed-volume check Y Y Y
2 NOP conditional _authapfs_seal_is_broken Skip root volume seal panic Y Y Y
3 NOP conditional _bsd_init Skip rootvp not-authenticated panic Y Y Y
4-5 mov w0,#0; ret _proc_check_launch_constraints Bypass launch constraints Y Y Y
6-7 mov x0,#1 (2x) PE_i_can_has_debugger Enable kernel debugger Y Y Y
8 NOP _postValidation Skip AMFI post-validation Y Y Y
9 cmp w0,w0 _postValidation Force comparison true Y Y Y
10-11 mov w0,#1 (2x) _check_dyld_policy_internal Allow dyld loading Y Y Y
12 mov w0,#0 _apfs_graft Allow APFS graft Y Y Y
13 cmp x0,x0 _apfs_vfsop_mount Skip mount check Y Y Y
14 mov w0,#0 _apfs_mount_upgrade_checks Allow mount upgrade Y Y Y
15 mov w0,#0 _handle_fsioc_graft Allow fsioc graft Y Y Y
16 NOP (3x) handle_get_dev_by_role Bypass APFS role-lookup deny gates for boot mounts Y Y Y
17-26 mov x0,#0; ret (5 hooks) Sandbox MACF ops table Stub 5 sandbox hooks Y Y Y

JB-Only Kernel Methods (Reference List)

Current default schedule note (2026-03-06): patch_cred_label_update_execve remains temporarily excluded from _PATCH_METHODS pending staged re-validation. patch_syscallmask_apply_to_proc has been rebuilt around the real syscallmask apply wrapper and is re-enabled after focused PCC 26.1 dry-run validation plus user-side boot confirmation; refreshed XNU/IDA review also confirms historical C22 was the all-ones-mask variant, not a NULL-mask install. patch_hook_cred_label_update_execve has also been rebuilt as a faithful upstream C23 wrapper trampoline: it retargets sandbox mac_policy_ops[18] to a cave that copies VSUID/VSGID owner state into the pending credential, sets P_SUGID, and branches back to the original wrapper. patch_iouc_failed_macf has been rebuilt as a narrow branch-level gate patch: the old repo-only entry early-return on 0xFFFFFE000825B0C0 was discarded, and A5-v2 now patches the post-mac_iokit_check_open CBZ W0, allow gate at 0xFFFFFE000825BA98 to unconditional allow while preserving the surrounding IOUserClient setup flow. patch_vm_fault_enter_prepare was retargeted to the upstream PCC 26.1 research cs_bypass gate and re-enabled for dry-run validation. patch_bsd_init_auth has been retargeted to the real _bsd_init rootauth failure branch and re-enabled for staged validation. Fresh IDA re-analysis shows JB-14 previously used a false-positive matcher; it now targets the real _bsd_init rootauth failure branch using in-function Capstone-decoded control-flow semantics and is semantically redundant with base patch #3 when JB is layered on top of fw_patch. For JB-16, the historical hit at 0xFFFFFE000836E1F0 is now treated as semantically wrong: it patches the "SecureRoot" name-check gate inside AppleARMPE::callPlatformFunction, not the "SecureRootName" deny return consumed by IOSecureBSDRoot(). The implementation was retargeted on 2026-03-06 to 0xFFFFFE000836E464 (CSEL W22, WZR, W9, NE -> MOV W22, #0) and re-enabled in KernelJBPatcher._GROUP_B_METHODS pending restore/boot validation.

# Group Method Function Purpose JB Enabled
JB-01 A patch_amfi_cdhash_in_trustcache AMFIIsCDHashInTrustCache Always return true + store hash Y
JB-02 A patch_amfi_execve_kill_path AMFI execve kill return site Convert shared kill return from deny to allow Y
JB-03 C patch_cred_label_update_execve _cred_label_update_execve Reworked C21-v3: C21-v1 already boots; v3 keeps split late exits and additionally ORs success-only helper bits 0xC after clearing 0x3F00; still disabled pending boot validation N
JB-04 C patch_hook_cred_label_update_execve sandbox mpo_cred_label_update_execve wrapper (ops[18] -> sub_FFFFFE00093BDB64) Faithful upstream C23 trampoline: copy VSUID/VSGID owner state into pending cred, set P_SUGID, then branch back to wrapper Y
JB-05 C patch_kcall10 sysent[439] (SYS_kas_info replacement) Rebuilt ABI-correct kcall cave: target + 7 args -> uint64 x0; re-enabled after focused dry-run validation Y
JB-06 B patch_post_validation_additional _postValidation (additional) Disable SHA256-only hash-type reject Y
JB-07 C patch_syscallmask_apply_to_proc syscallmask apply wrapper (_proc_apply_syscall_masks path) Faithful upstream C22: mutate installed Unix/Mach/KOBJ masks to all-ones via structural cave, then continue into setter; distinct from NULL-mask alternative Y
JB-08 A patch_task_conversion_eval_internal _task_conversion_eval_internal Allow task conversion Y
JB-09 A patch_sandbox_hooks_extended Sandbox MACF ops (extended) Stub remaining 30+ sandbox hooks (incl. IOKit 201..210) Y
JB-10 A patch_iouc_failed_macf IOUC MACF shared gate A5-v2: patch only the post-mac_iokit_check_open deny gate (CBZ W0, allow -> B allow) and keep the rest of the IOUserClient open path intact Y
JB-11 B patch_proc_security_policy _proc_security_policy Bypass security policy Y
JB-12 B patch_proc_pidinfo _proc_pidinfo Allow pid 0 info Y
JB-13 B patch_convert_port_to_map _convert_port_to_map_with_flavor Skip kernel map panic Y
JB-14 B patch_bsd_init_auth _bsd_init rootauth-failure branch Ignore FSIOC_KERNEL_ROOTAUTH failure in bsd_init; same gate as base patch #3 when layered Y
JB-15 B patch_dounmount _dounmount Allow unmount (strict in-function match) Y
JB-16 B patch_io_secure_bsd_root AppleARMPE::callPlatformFunction ("SecureRootName" return select), called from IOSecureBSDRoot Force "SecureRootName" policy return to success without altering callback flow; implementation retargeted 2026-03-06 Y
JB-17 B patch_load_dylinker _load_dylinker Skip strict LC_LOAD_DYLINKER == "/usr/lib/dyld" gate Y
JB-18 B patch_mac_mount ___mac_mount Bypass MAC mount deny path (strict site) Y
JB-19 B patch_nvram_verify_permission _verifyPermission (NVRAM) Allow NVRAM writes Y
JB-20 B patch_shared_region_map _shared_region_map_and_slide_setup Force shared region path Y
JB-21 B patch_spawn_validate_persona _spawn_validate_persona Skip persona validation Y
JB-22 B patch_task_for_pid _task_for_pid Allow task_for_pid Y
JB-23 B patch_thid_should_crash _thid_should_crash Prevent GUARD_TYPE_MACH_PORT crash Y
JB-24 B patch_vm_fault_enter_prepare _vm_fault_enter_prepare Force cs_bypass fast path in runtime fault validation Y
JB-25 B patch_vm_map_protect _vm_map_protect Allow VM protect Y

JB-24 note (2026-03-06): the old derived matcher hit the VM_PAGE_CONSUME_CLUSTERED() lock/unlock sequence inside vm_fault_enter_prepare, i.e. pmap_lock_phys_page() / pmap_unlock_phys_page(). The implementation is now retargeted to the upstream PCC 26.1 research cs_bypass gate at 0x00BA9E1C / 0xFFFFFE0007BADE1C.

CFW Installation Patches

Binary Patches Applied Over SSH Ramdisk

# Patch Binary Purpose Regular Dev JB
1 /%s.gl -> /AA.gl seputil Gigalocker UUID fix Y Y Y
2 NOP cache validation launchd_cache_loader Allow modified launchd.plist Y Y Y
3 mov x0,#1; ret mobileactivationd Activation bypass Y Y Y
4 Plist injection launchd.plist bash/dropbear/trollvnc/vphoned daemons Y Y Y
5 b (skip jetsam guard) launchd Prevent jetsam panic on boot - Y Y
6 LC_LOAD_DYLIB injection launchd Load /cores/launchdhook.dylib at launch - - Y

Installed Components

# Component Description Regular Dev JB
1 Cryptex SystemOS + AppOS Decrypt AEA + mount + copy to device Y Y Y
2 GPU driver AppleParavirtGPUMetalIOGPUFamily bundle Y Y Y
3 iosbinpack64 Jailbreak tools (base set) Y Y Y
4 iosbinpack64 dev overlay Replace rpcserver_ios with dev build - Y -
5 vphoned vsock HID/control daemon (built + signed) Y Y Y
6 LaunchDaemons bash/dropbear/trollvnc/rpcserver_ios/vphoned plists Y Y Y
7 Procursus bootstrap Bootstrap filesystem + optional Sileo deb - - Y
8 BaseBin hooks systemhook.dylib / launchdhook.dylib / libellekit.dylib -> /cores/ - - Y

CFW Installer Flow Matrix (Script-Level)

Flow Item Regular (cfw_install.sh) Dev (cfw_install_dev.sh) JB (cfw_install_jb.sh)
Base CFW phases (1/7 -> 7/7) Runs directly Runs directly Runs via CFW_SKIP_HALT=1 zsh cfw_install.sh
Dev overlay (rpcserver_ios replacement) - Y (apply_dev_overlay) -
SSH readiness wait before install Y (wait_for_device_ssh_ready) - Y (inherited from base run)
remote_mount behavior Ensures mountpoint and verifies mount success Best-effort mount only (`mount_apfs ... true`) Ensures mountpoint and verifies mount success
launchd jetsam patch (patch-launchd-jetsam) - Y (base-flow injection) Y (JB-1)
launchd dylib injection (inject-dylib /cores/launchdhook.dylib) - - Y (JB-1)
Procursus bootstrap deployment - - Y (JB-2)
BaseBin hook deployment (*.dylib -> /mnt1/cores) - - Y (JB-3)
Additional input resources cfw_input cfw_input + resources/cfw_dev/rpcserver_ios cfw_input + cfw_jb_input
Extra tool requirement beyond base - - zstd
Halt behavior Halts unless CFW_SKIP_HALT=1 Halts unless CFW_SKIP_HALT=1 Always halts after JB phases

Summary

Component Regular Dev JB
AVPBooter 1 1 1
iBSS 2 2 3
iBEC 3 3 3
LLB 6 6 6
TXM 1 12 12
Kernel 28 28 53
Boot chain total 41 52 78
CFW binary patches 4 5 6
CFW installed components 6 7 8
CFW total 10 12 14
Grand total 51 64 92

Ramdisk Variant Matrix

Variant Pre-step Ramdisk/txm.img4 Ramdisk/krnl.ramdisk.img4 Ramdisk/krnl.img4 Effective kernel used by ramdisk_send.sh
RAMDISK make fw_patch release TXM + base TXM patch (1) base kernel (28), legacy *.ramdisk preferred else derive from pristine CloudOS restore kernel from fw_patch (28) krnl.ramdisk.img4 preferred, fallback krnl.img4
DEV+RAMDISK make fw_patch_dev release TXM + base TXM patch (1) base kernel (28), same derivation rule restore kernel from fw_patch_dev (28) krnl.ramdisk.img4 preferred, fallback krnl.img4
JB+RAMDISK make fw_patch_jb release TXM + base TXM patch (1) base kernel (28), same derivation rule restore kernel from fw_patch_jb (53) krnl.ramdisk.img4 preferred, fallback krnl.img4

Cross-Version Dynamic Snapshot

Case TXM_JB_PATCHES KERNEL_JB_PATCHES
PCC 26.1 (23B85) 14 59
PCC 26.3 (23D128) 14 59
iOS 26.1 (23B85) 14 59
iOS 26.3 (23D127) 14 59

Automation Notes (2026-03-06)

  • scripts/setup_machine.sh non-interactive flow fix: renamed local variable status to boot_state in first-boot log wait and boot-analysis wait helpers to avoid zsh status read-only special parameter collision.
  • scripts/setup_machine.sh non-interactive first-boot wait fix: replaced (( waited++ )) with (( ++waited )) in monitor_boot_log_until to avoid set -e abort when arithmetic expression evaluates to 0.
  • scripts/jb_patch_autotest.sh loop fix for sweep stability under set -e: replaced ((idx++)) with (( ++idx )).
  • scripts/jb_patch_autotest.sh zsh compatibility fix: renamed per-case result variable status to case_status to avoid status read-only special parameter collision.
  • scripts/jb_patch_autotest.sh selection logic update:
    • default run now excludes methods listed in KernelJBPatcher._DEV_SINGLE_WORKING_METHODS (pending-only sweep).
    • set JB_AUTOTEST_INCLUDE_WORKING=1 to include already-working methods and run the full list.
  • Sweep run record:
    • setup_logs/jb_patch_tests_20260306_114417 (2026-03-06): aborted at [1/20] with read-only variable: status in jb_patch_autotest.sh.
    • setup_logs/jb_patch_tests_20260306_115027 (2026-03-06): rerun after status fix, pending-only mode (Total methods: 19).
  • Final run result from jb_patch_tests_20260306_115027 at 2026-03-06 13:17:
    • Finished: 19/19 (PASS=15, FAIL=4, all fails rc=2).
    • Failing methods at that time: patch_bsd_init_auth, patch_io_secure_bsd_root, patch_vm_fault_enter_prepare, patch_cred_label_update_execve.
    • 2026-03-06 follow-up: patch_io_secure_bsd_root failure is now attributed to a wrong-site patch in AppleARMPE::callPlatformFunction ("SecureRoot" gate at 0xFFFFFE000836E1F0), not the intended "SecureRootName" deny-return path. The code was retargeted the same day to 0xFFFFFE000836E464 and re-enabled for the next restore/boot check.
    • 2026-03-06 follow-up: patch_bsd_init_auth was retargeted after confirming the old matcher was hitting unrelated code; keep disabled in default schedule until a fresh clean-baseline boot test passes.
    • Final case: [19/19] patch_syscallmask_apply_to_proc (PASS).
    • 2026-03-06 re-analysis: that historical PASS is now treated as a false positive for functionality, because the recorded bytes landed at 0xfffffe00093ae6e4/0xfffffe00093ae6e8 inside _profile_syscallmask_destroy underflow handling, not in _proc_apply_syscall_masks.
    • 2026-03-06 code update: scripts/patchers/kernel_jb_patch_syscallmask.py was rebuilt to target the real syscallmask apply wrapper structurally and now dry-runs on PCC-CloudOS-26.1-23B85 kernelcache.research.vphone600 with 3 writes: 0x02395530, 0x023955E8, and cave 0x00AB1720. User-side boot validation succeeded the same day.
  • 2026-03-06 follow-up: patch_kcall10 was rebuilt from the old ABI-unsafe pseudo-10-arg design into an ABI-correct sysent[439] cave. Focused dry-run on PCC-CloudOS-26.1-23B85 kernelcache.research.vphone600 now emits 4 writes: cave 0x00AB1720, sy_call 0x0073E180, sy_arg_munge32 0x0073E188, and metadata 0x0073E190; the method was re-enabled in _GROUP_C_METHODS.
    • Observed failure symptom in current failing set: first boot panic before command injection (or boot process early exit).
  • Post-run schedule change (per user request):
    • commented out failing methods from default KernelJBPatcher._PATCH_METHODS schedule in scripts/patchers/kernel_jb.py:
      • patch_bsd_init_auth
      • patch_io_secure_bsd_root
      • patch_vm_fault_enter_prepare
      • patch_cred_label_update_execve
  • 2026-03-06 re-research note for patch_cred_label_update_execve:
    • old entry-time early-return strategy was identified as boot-unsafe because it skipped AMFI exec-time csflags and entitlement propagation entirely.
    • implementation was reworked to a success-tail trampoline that preserves normal AMFI processing and only clears restrictive csflags bits on the success path.
    • default JB schedule still keeps the method disabled until the reworked strategy is boot-validated.
  • Manual DEV+single (setup_machine + PATCH=<method>) working set now includes:
    • patch_amfi_cdhash_in_trustcache
    • patch_amfi_execve_kill_path
    • patch_task_conversion_eval_internal
    • patch_sandbox_hooks_extended
    • patch_post_validation_additional