Failed to call task_for_pid_workaround(int)

Wherein links to *OS related articles will be posted (alongside the RSS), and you are welcome to ask any questions or post any comments.


Postby snakeninny » Sat Mar 12, 2016 10:46 am

Hi Jonathan:
I've read through your article "Who needs task_for_pid() anyway..." (http://newosxbook.com/articles/PST2.html) and planned to update my memory editor (https://github.com/iosre/HippocampHairSalon) on iOS 9.
With the birth of rootless on iOS 9, we can't call task_for_pid() anymore, so I used your alternative task_for_pid_workaround instead ;)
However, when calling task_for_pid_workaround(), I got errors like this:
host_processor_set_priv failed with error 4
host_processor_set_priv (os/kern) invalid argument

According to https://developer.apple.com/library/mac ... rrors.html, error 4 seems to be a Mach IPC error.
Since I'm pretty new to the kernel and all these low-level functions, I'm not quite sure what is happening.
Can you take a look and help figure out what was wrong?
Thanks,
snakeninny

Re: Failed to call task_for_pid_workaround(int)

Postby morpheus » Sat Mar 12, 2016 11:23 pm

Contrary to popular belief, there's no rootless on iOS 9 yet. The workaround actually works very well (if you look at the article, that *is* from iOS 9.02).

Error 4 is KERN_INVALID_ARGUMENT - you might be calling processor_set_tasks wrong? Again, remember this method is not for kernel_task.

Re: Failed to call task_for_pid_workaround(int)

Postby Siguza » Sun Mar 13, 2016 2:51 am

Just found this on Twitter:
PanguTeam wrote: For security researchers, calling host_get_special_port with 4 on jailbroken devices will give u kernel task port just like task_for_pid(0)

Didn't test it myself though.
And there's some "tfp0 on Pangu 9.1 might brick your device" floating around on Twitter.

I've also read that KPP is fairly easy to bypass. Might not be feasible for inclusion in a simple tool, but probably still worth noting.

Re: Failed to call task_for_pid_workaround(int)

Postby snakeninny » Sat Apr 23, 2016 1:29 pm

Siguza wrote: Just found this on Twitter:
PanguTeam wrote: For security researchers, calling host_get_special_port with 4 on jailbroken devices will give u kernel task port just like task_for_pid(0)

Didn't test it myself though.
And there's some "tfp0 on Pangu 9.1 might brick your device" floating around on Twitter.

I've also read that KPP is fairly easy to bypass. Might not be feasible for inclusion in a simple tool, but probably still worth noting.

But I'm calling task_for_pid on other processes, i.e. the arg is not 0. Will host_get_special_port work in such a situation too?

Re: Failed to call task_for_pid_workaround(int)

Postby morpheus » Sat Apr 23, 2016 3:51 pm

The workaround works, that I can tell you. The host special port #4 that was recommended here is solely for the kernel_task. If you'd care to show some source code, I can probably help - but you can get the task ports just fine via processor_set_tasks - on iOS, and not for long.