From faee2212875b92440f87be7b16e60c87d7415eae Mon Sep 17 00:00:00 2001 From: spv420 Date: Tue, 31 May 2022 19:51:28 -0400 Subject: I live in a constant state of fear and misery Do you miss me anymore? And I don't even notice When it hurts anymore Anymore Anymore Anymore --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 2741815..e30ce51 100644 --- a/README.md +++ b/README.md @@ -7,4 +7,6 @@ current offsets are included for `iPhone4,1` on `9.3.6 (13G37)`. it may work on clarification: the actual racoon exploit should work on any device/firmware with the same ipsec-tools version (and maybe build :P), but the JSC call portion is currently specific to one dyld_shared_cache, which is usually device & build unique. the underlying bug should work on any firmware before ~ iOS 12. my exploit is 32-bit only prolly, at least practically, due to less ASLR slides. the exploit to get arbitrary mem write should work on < iOS 12 as well (i think), but the ROP chain's gadget addresses are currently hardcoded to one build. -current need is just to get a better call primitive, from what i can tell the phoenix bugs can't be exploited with only 4 args to functions. not sure how to get that better primitive working tho, so we'll see. :P \ No newline at end of file +current need is just to get a better call primitive, from what i can tell the phoenix bugs can't be exploited with only 4 args to functions. not sure how to get that better primitive working tho, so we'll see. :P + +greetz to @tihmstar for help with 935csbypass \ No newline at end of file -- cgit v1.2.3