Failed to call task_for_pid_workaround(int)

PostPosted: Sat Mar 12, 2016 10:46 am
by snakeninny
Hi Jonathan:
I've read through your article "Who needs task_for_pid() anyway..." (http://newosxbook.com/articles/PST2.html) and planned to update my memory editor (https://github.com/iosre/HippocampHairSalon) on iOS 9.
With the birth of rootless on iOS 9, we can't call task_for_pid() anymore, so I used your alternative task_for_pid_workaround instead ;)
However, by calling task_for_pid_workaround(), I got errors like this:
host_processor_set_priv failed with error 4
host_processor_set_priv (os/kern) invalid argument

According to https://developer.apple.com/library/mac ... rrors.html, error 4 seems to be a Mach IPC error.
Since I'm pretty new to kernel and all these low level functions, I'm not quite sure what was happening.
Can you take a look and help figure out what was wrong?
Thanks,
snakeninny

Re: Failed to call task_for_pid_workaround(int)

PostPosted: Sat Mar 12, 2016 11:23 pm
by morpheus
Contrary to popular belief, there's no rootless on iOS 9 yet. The workaround actually works very well (if you look at the article, that *is* from iOS 9.02).

Error 4 is KERN_INVALID_ARGUMENT - you might be calling processor_set_tasks wrong? Again, remember this method is not for kernel_task.

Re: Failed to call task_for_pid_workaround(int)

PostPosted: Sun Mar 13, 2016 2:51 am
by Siguza
Just found this on Twitter:
PanguTeam wrote: For security researchers, calling host_get_special_port with 4 on jailbroken devices will give u kernel task port just like task_for_pid(0)

Didn't test it myself though.
And there's some "tfp0 on Pangu 9.1 might brick your device" floating around on Twitter.

I've also read that KPP is fairly easy to bypass. Might not be feasible for inclusion in a simple tool, but probably still worth noting.

Re: Failed to call task_for_pid_workaround(int)

PostPosted: Sat Apr 23, 2016 1:29 pm
by snakeninny
Siguza wrote: Just found this on Twitter:
PanguTeam wrote: For security researchers, calling host_get_special_port with 4 on jailbroken devices will give u kernel task port just like task_for_pid(0)

Didn't test it myself though.
And there's some "tfp0 on Pangu 9.1 might brick your device" floating around on Twitter.

I've also read that KPP is fairly easy to bypass. Might not be feasible for inclusion in a simple tool, but probably still worth noting.


But I'm calling task_for_pid on other processes, i.e. the arg is not 0. Will host_get_special_port work under such situation too?

Re: Failed to call task_for_pid_workaround(int)

PostPosted: Sat Apr 23, 2016 3:51 pm
by morpheus
The workaround works, that I can tell you. The host special port #4 that was recommended here is solely for the kernel_task. If you'd care to show some source code, I can probably help - but you can get the task ports just fine via processor_set_tasks - on iOS, and not for long.