From f92ed682982d7fa7d1afe2e61aefd42050649ea8 Mon Sep 17 00:00:00 2001
From: spv <92738222+spv420@users.noreply.github.com>
Date: Wed, 20 Apr 2022 18:40:33 -0400
Subject: Update README.md

---
 README.md | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'README.md')

diff --git a/README.md b/README.md
index 9dd53c7..5956625 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,10 @@
 # p0laris untether
-this is a work-in-progress. better readme to come...
\ No newline at end of file
+this is a work-in-progress.
+
+gets ROP in racoon, then gets JS code exec with RWC primitives (arbitrary r/w, currently up to 4-arg call primitive)
+
+current offsets are included for `iPhone4,1` on `9.3.6 (13G37)`. it may work on other devices and/or firmwares, but that's unlikely. (besides maybe `9.3.5 (13G36)` on `iPhone4,1`?)
+
+clarification: the actual racoon exploit should work on any device/firmware with the same ipsec-tools version (and maybe build :P), but the JSC call portion is currently specific to one dyld_shared_cache, which is usually device & build unique.
+
+clarification to the clarification: the underlying bug should work on any firmware before ~ iOS 12. my exploit is 32-bit only prolly, at least practically, due to less ASLR slides. the exploit to get arbitrary mem write should work on < iOS 12 as well (i think), but the ROP chain's gadget addresses are currently hardcoded to one build. 
-- 
cgit v1.2.3