Skip to content

ninjaprawn/async_wake-fun

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
 
 
 
 
 
 

Repository files navigation

Fun additions to async_wake

Features:

  • setuid(0) with no kernel panic
  • mount / as rw
  • AMFI bypass via trustcache injection
  • amfid patch - utilises the AMFI bypass to inject into amfid and replace MISValidateSignatureAndCopyInfo with our own version

See the comments for an explanation for some of the things going on. Better kexecute explanations can be found by people like Siguza and @bazad (on GH). I might consider doing a proper explanation of the AMFI.kext bypass (a good overview can be found in *OS Internals Vol. 3, but I would go in detail at code level), and the amfid bypass (I've already briefly explaned in #21, but again, go a bit deeper)

Credits:

  • Ian Beer for the original exploit
  • @xerub for the KPPless patches
  • @s1guza for the base of the kexecute idea of modifying the vtable of a user client (which I used before I noticed Ian Beer includes it), and the resolving of the upper 4 bytes of memory addresses returned from kexecute
  • @theninjaprawn for amfid patch
  • @coolstarorg for doing the cooler stuff (see his fork https://github.com/coolstar/async_awake-fun - he's got a jailbreakd daemon + more)
  • @stek29, @nullriver

About

async_wake with a bit of fun! - async_awake by Ian Beer (https://bugs.chromium.org/p/project-zero/issues/detail?id=1417#c3)

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published