Loading the kext on the device
We use the kext loader from ktrw, an iOS kernel debugger written by @bazad. ktrw uses checkra1n and pongoOS to load a kext.
Our setup now consists of two components: 1) the kext loader from ktrw and 2) the vulnerable kext.
Both can be built by running make in the project's root directory.
To load the vulnerable kext, we'll run 2 utilities: checkra1n and the kext_loader.
Running the following command causes checkra1n to listen for attached iOS devices in DFU mode and boot pongoOS:
/Applications/checkra1n.app/Contents/MacOS/checkra1n -c -p
Run run.sh to build kext_loader and the vulnerable kext and to start kext_loader:
./run.sh
Note for advanced usage:
- To disable the kernel patches (the jailbreak) applied by checkra1n, set DISABLE_CHECKRA1N_KERNEL_PATCHES to 1 in the Makefile before running run.sh. checkra1n then only injects the vulnerable kext driver and boots into XNU without modifying or disabling any security features inside XNU.
- This setup can then be used to write a full-chain jailbreak exploit for teaching and practice! :)
kext_loader waits for a device that has booted into the pongo shell.
Finally, connect an iOS device in DFU mode with a USB cable. checkra1n will boot pongoOS, then kext_loader will insert the vulnerable kext and boot into XNU.