/*
* kernel_slide.c
* Brandon Azad
*/
#define KERNEL_SLIDE_EXTERN
#include "kernel_slide.h"
#include <assert.h>
#include <mach/vm_region.h>
#include <mach-o/loader.h>
#include "kernel_memory.h"
#include "log.h"
#include "parameters.h"
#include "platform.h"
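/*
 * is_kernel_base
 *
 * Description:
 * 	Checks whether the given address holds the kernel image's Mach-O header.
 *
 * Parameters:
 * 	base				The candidate kernel base address.
 *
 * Returns:
 * 	true if a mach_header_64 could be read at base and it has the 64-bit magic, the
 * 	platform's cputype, the MH_EXECUTE filetype and more than two load commands;
 * 	false if the read fails or any of those checks fail.
 */
static bool
is_kernel_base(uint64_t base) {
	// Read the data at the base address as a Mach-O header. Use the C11 zero initializer
	// rather than the empty-braces extension so the struct is fully zeroed portably.
	struct mach_header_64 header = {0};
	if (!kernel_read(base, &header, sizeof(header))) {
		return false;
	}
	// Validate that this looks like the kernel base. We don't check the CPU subtype since it
	// may not exactly match the current platform's CPU subtype (e.g. on iPhone10,1,
	// header.cpusubtype is CPU_SUBTYPE_ARM64_ALL while platform.cpu_subtype is
	// CPU_SUBTYPE_ARM64_V8).
	return header.magic == MH_MAGIC_64
		&& header.cputype == platform.cpu_type
		&& header.filetype == MH_EXECUTE
		&& header.ncmds > 2;
}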
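/*
 * kernel_slide_init
 *
 * Description:
 * 	Initializes kernel_slide by looking up the address of realhost through the current
 * 	task's host port and handing it to kernel_slide_init_with_kernel_image_address().
 *
 * Returns:
 * 	true if kernel_slide was already set or has now been determined, false otherwise.
 * 	Failures are reported through ERROR().
 */
bool
kernel_slide_init(void) {
	if (kernel_slide != 0) {
		return true;
	}
	// Get the host port. Check it explicitly rather than with assert() so an invalid port
	// is still rejected when the build defines NDEBUG.
	mach_port_t host = mach_host_self();
	if (!MACH_PORT_VALID(host)) {
		ERROR("could not get host port");
		return false;
	}
	uint64_t host_port = 0;
	bool ok = kernel_ipc_port_lookup(current_task, host, &host_port, NULL);
	// The right returned by mach_host_self() is released whether or not the lookup worked.
	mach_port_deallocate(mach_task_self(), host);
	if (!ok) {
		ERROR("could not lookup host port");
		return false;
	}
	// Get the address of realhost, the kobject behind the host port.
	uint64_t realhost = kernel_read64(host_port + OFFSET(ipc_port, ip_kobject));
	if (realhost == 0) {
		// A zero kobject can never be realhost; this also covers a zero-on-failure return
		// from kernel_read64 (its failure convention is not visible in this file).
		ERROR("could not read realhost");
		return false;
	}
	return kernel_slide_init_with_kernel_image_address(realhost);
}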
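/*
 * kernel_slide_init_with_kernel_image_address
 *
 * Description:
 * 	Initializes kernel_slide given an address known to lie inside the slid kernel image.
 * 	The highest candidate base at a multiple of kernel_slide_step above the static base
 * 	is computed first, then candidates are tested with is_kernel_base() walking downward
 * 	one step at a time until the real base is found.
 *
 * Parameters:
 * 	address				An address inside the slid kernel image. Must be
 * 					greater than the static (unslid) kernel base.
 *
 * Returns:
 * 	true if kernel_slide was already set or has now been determined, false otherwise.
 * 	Failures are reported through ERROR().
 */
bool
kernel_slide_init_with_kernel_image_address(uint64_t address) {
	if (kernel_slide != 0) {
		return true;
	}
	const uint64_t static_base = STATIC_ADDRESS(kernel_base);
	// Reject addresses at or below the unslid base explicitly. An assert() here vanishes
	// under NDEBUG, and the unsigned subtraction below would then wrap and start the
	// search from a meaningless, enormous base.
	if (address <= static_base) {
		ERROR("kernel image address is not above the static kernel base");
		ERROR("could not determine kernel slide");
		return false;
	}
	// Find the highest possible kernel base address that could still correspond to the
	// given kernel image address.
	uint64_t base = static_base
		+ ((address - static_base) / kernel_slide_step) * kernel_slide_step;
	// Walk backwards from that candidate one slide step at a time until the real kernel
	// base is found. base == static_base (a slide of zero) is deliberately excluded,
	// presumably because kernel_slide == 0 doubles as the "not initialized" sentinel.
	while (base > static_base) {
		if (is_kernel_base(base)) {
			kernel_slide = base - static_base;
			DEBUG_TRACE(1, "found kernel slide 0x%016llx", kernel_slide);
			return true;
		}
		base -= kernel_slide_step;
	}
	ERROR("could not find kernel base");
	ERROR("could not determine kernel slide");
	return false;
}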