stek29.rocks

Is this blog?

Before you start

Maybe your offsets are already in this gist. You may want to check it.

On-device easy method

There’s a tool named SHOFF in my cydia repo. Just download it and run as root, and everything should be made automatically. Please, pay attention to warnings and other data it prints.

Prerequirements

I’m going to use macOS in this guide Get Homebrew, Xcode CLI tools (or full Xcode installation). Then install openssl from homebrew:

brew install openssl

You’ll also need Hopper, IDA or any other disassembler. I’ll use Hopper in this guide.

Getting kernelcache

If your device is already jailbroken, then grab /System/Library/Caches/com.apple.kernelcaches/kernelcache If it’s not, get ipsw and unextract it (it’s a ZIP archive afaik), and grab kernelcache.release.j2a.

Getting IV and Key

Then check your build number (Settings => General => About => Version, like 13F69), and iDevice version (like iPad3,3, it is shown in HomeDepot and Cydia)

After that go to theiphonewiki and type version and iDevice into search bar, and get to page about that firmware. For iPad3,3 on iOS 9.3.2 (13F69)

Scroll to Kernelcache and note IV and Key.

Compiling xpwntool-lite

Open terminal. Get xpwntool-lite sources:

git clone https://github.com/sektioneins/xpwntool-lite
cd xpwntool-lite

Apple ships it’s own libcrypto and libssl, and because of that Homebrew doesn’t link OpenSSL into /usr/local after installation. Instead you’d have to specify CFLAGS.

make CFLAGS="-L `brew --prefix openssl`/lib -I `brew --prefix openssl`/include"

After that you should have xpwntool-lite compiled. Try running ./xpwntool, you should see it’s usage.

Decrypting and extracting kernelcache

Get the key, IV, kernelcache file and xpwntool together. If kernelcache is in the same dir as xpwntool:

./xpwntool kernelcache kernelcache.dec -k KEY -iv IV

For iPad3,3 on iOS 9.3.2:

# Don't copy paste :)
./xpwntool kernelcache kernelcache.dec -k 24bbf75e6e4fe9a989e30649abbcab6dacb0b669f95574cd44d9ef0264d9d85d -iv f920a49fc62c38a8a373fce65f060170

After that decrypted kernelcache should be in kernelcache.dec:

$ file kernelcache.dec
kernelcache.dec: Mach-O executable arm_v7

Getting the offsets

Now load the file into Hopper. Use default options, and let the processing begin.

While Hopper is doing it’s stuff, go to wall.supplies and look up offsets for normal HomeDepot your device. You’ll need 5th offset, for iPad 3,3 on iOS 9.3.2 it’s 0x403428.

UPDATE: (Thanks to FRANCHESCO): There’s some kind of API HomeDepot uses. So you can find offsets at http://wall.supplies/offsets/iDevice-iOS_VERS. For iPad3,3 on iOS 9.3.2 the URL would be http://wall.supplies/offsets/iPad3,3-9.3.2.

If offsets for your device are not there, use Karen’s page and “Custom offsets format”

When you have 5th offset, press G, select “File Offset”, enter that offset. Then keep pressing D until it turns into dd 0xXXXXXXXX. Do same thing for next 5 lines.

Here’s how it looks like for iPad3,3 on iOS 9.3.2:

80404428         dd         0x8001f145
8040442c         dd         0x00000000
80404430         dd         0x00000000
80404434         dd         0x8001f171
80404438         dd         0x8001f191

And those are the offsets. Second and third should be null afaik, I lost the reference though. I think it was in lookout’s PDF.

Getting kernel version

Just do this in terminal:

strings kernelcache.dec|grep Darwin

You’ll get two lines:

Darwin Kernel Version 15.5.0: Mon Apr 18 16:44:06 PDT 2016; root:xnu-3248.50.21~4/RELEASE_ARM_S5L8945X
Darwin

First one is Kernel Version you should put in offsets.json.

Making an offsets.json file

Use offsets for homedepot from wall.supplies (or ones you found on your own), and ones you found with Hopper on clock_ops. Then add your kernel version, and get something like this (iPad 3,3 on iOS 9.3.2 once again)

{
  "Darwin Kernel Version 15.6.0: Mon Jun 20 20:10:21 PDT 2016; root:xnu-3248.60.9~1/RELEASE_ARM_S5L8940X":
   ["0x318388",
    "0x31ab90",
    "0x1e200",
    "0xd9838",
    "0x403428",
    "0xc76b4",
    "0xd983a",
    "0xc73e8",
    "0x455844",
    "0x3f6454",
    "0xc7440",
    "0x45717c",
    "0xa4",
    "0x8001f1d5",
    "0x0",
    "0x0",
    "0x8001f201",
    "0x8001f221"
  ]
}

Put that into /untether/offsets.json and reboot.

Helping community

If everything goes well, please, share your offsets. I’m currently maintaining a gist, and I’d love to see your offsets there. Contact me on Telegram, Twitter or via e-mail: offsets[at]stek29[dot]rocks