I wrote this to learn more about iOS exploitation. It targets iOS 10.3.2 and grants full kernel r/w. It supports SMAP-enabled devices, and getting it to work on your device is a matter of changing the struct offsets. It's based on the same bug as v0rtex (which you're better off using anyway).
Overall success rate is about 80-85%. If the first reallocation succeeds, the success rate from there on out should be 100%.
Below is a list of incredible resources I used while writing this exploit:
https://siguza.github.io/v0rtex/
https://siguza.github.io/IOHIDeous/
https://sparkes.zone/blog/ios/2019/04/30/machswap-ios-12-kernel-exploit.html
https://jndok.github.io/2016/10/04/pegasus-writeup/ (OSUnserializeBinary internals)
https://www.youtube.com/watch?v=jqrw-VpYekY (heap feng shui with Mach ports)
https://media.blackhat.com/bh-us-12/Briefings/Esser/BH_US_12_Esser_iOS_Kernel_Heap_Armageddon_WP.pdf
https://www.darkmatter.ae/papers-articles/from-zero-to-tfp0-part-1-prologue/
https://www.slideshare.net/i0n1c/cansecwest-2017-portal-to-the-ios-core