
tfp0 for iOS 9.0-9.3.4



A tfp0 patch for iOS 9, based on the Pegasus/Trident vulnerabilities.




./cl0ver panic [log=file]
    Panic the device, loading into PC:
    on 32-bit: the base address of __DATA.__const
    on 64-bit: the OSString vtable

./cl0ver slide [log=file]
    Print the kernel slide

./cl0ver dump [log=file]
    Dump the kernel to kernel.bin

./cl0ver [log=file]
    Apply the tfp0 kernel patch

If log=file is given, output is written to "file" instead of stderr/syslog.


This repo doesn't contain any code for a GUI/Sandbox app, but a libcl0ver.a is built, which can be linked against. You'll most likely want to call functions from exploit.h, like so:

// dump the kernel to <Documents>/kernel.bin
dump_kernel([[NSHomeDirectory() stringByAppendingPathComponent:@"Documents"] stringByAppendingPathComponent:@"kernel.bin"].UTF8String);
// or get the kernel task port, passing the app's Documents directory
get_kernel_task([NSHomeDirectory() stringByAppendingPathComponent:@"Documents"].UTF8String);


If you want to run this on a device whose OSString vtable and stack anchor are not in the registry, create a file at /etc/cl0ver/config.txt containing, in hexadecimal, the stack anchor on line 1 and the unslid OSString vtable address on line 2.

Also, make sure /etc/cl0ver/ exists and is writable by the current user if you want the offsets to be cached.
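A small helper for the config file and cache directory described above, added here as an example and not part of the cl0ver repository. It assumes (the README does not say) that the two hexadecimal values may be written with or without a 0x prefix; the values in the commented usage line are placeholders, not real offsets.

```sh
# Added example, not cl0ver's own code. Directory is overridable for testing.
CL0VER_DIR="${CL0VER_DIR:-/etc/cl0ver}"

# Return 0 if $1 is a non-empty hexadecimal number (optional 0x prefix is an assumption).
is_hex() {
    hex="${1#0x}"
    [ -n "$hex" ] && [ -z "$(printf '%s' "$hex" | tr -d '0-9a-fA-F')" ]
}

# Write config.txt: line 1 = stack anchor, line 2 = unslid OSString vtable address.
write_config() {
    is_hex "$1" || { echo "invalid stack anchor: $1" >&2; return 1; }
    is_hex "$2" || { echo "invalid OSString vtable address: $2" >&2; return 1; }
    mkdir -p "$CL0VER_DIR" || return 1
    printf '%s\n%s\n' "$1" "$2" > "$CL0VER_DIR/config.txt"
}

# Check an existing config.txt: exactly two hex lines, and the directory is
# writable by the current user so cl0ver can cache the offsets it finds.
check_config() {
    f="$CL0VER_DIR/config.txt"
    [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    [ "$(wc -l < "$f" | tr -d ' ')" -eq 2 ] || { echo "$f must have exactly 2 lines" >&2; return 1; }
    while IFS= read -r line; do
        is_hex "$line" || { echo "non-hex line in $f: $line" >&2; return 1; }
    done < "$f"
    [ -w "$CL0VER_DIR" ] || { echo "warning: $CL0VER_DIR not writable, offsets will not be cached" >&2; return 2; }
    return 0
}

# Placeholder values; replace with the real stack anchor and vtable for your device:
# write_config 0xDEADBEEF 0xFEEDFACE && check_config
```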




Unless otherwise noted at the top of the file, all files in this repository are released under the MIT License.