Trigon: Exploiting coprocessors for fun and for profit (part 2)

https://news.ycombinator.com/rss
Summary

A few months ago, I released a kernel exploit called Trigon. It was significant in that it was deterministic - that is, it cannot fail. However, at the time of release, only A10 devices on iOS 13 - 15 were supported. Since then, support has been implemented for A9(X) and A11 devices. In this blog post, I am going to dive into what it took to support these new devices - I made use of some pretty interesting techniques, which I believe are worthy of a second part to the original writeup. If you haven’t read the first part of this blog post, you can do so here, and you can find the source code here. This one is a little more technical in my opinion, but as always, I will happily answer questions via Twitter or email.

Where did we leave off?

For starters, let’s remind ourselves how the original release of Trigon’s exploit strategy worked. First, it would find the mapping base via the iboot-handoff region. It would then use this to map the KTRR limit registers and find the kernel base by scanning the read-only region protected by KTRR. After that, it would find the pv_head_table structure in the kernel, using that to then search for IOSurface objects in kernel memory in order to find one we could control for full kernel read/write.

However, when it came to other devices and versions, there were quite a few issues with the various techniques:

- KTRR limit registers do not exist on A9 and below
- Pages marked as page tables existed within the read-only region on A11 (remember, we cannot read those)

One of the most inconsistent parts of the exploit is the method used to find the kernel base. That is, there is no surefire method to do so on all arm64 devices. Hence, it is split into two different methods and both will be detailed in this writeup.

Background: KTRR

Kernel Text Read-only Region (KTRR) is a mitigation that was introduced with the A10 chip. Essentially, it is a hardware-enforced kernel code integrity mechanism, which means the hardware will prevent you from overwriti...

First seen: 2025-07-19 21:30

Last seen: 2025-07-20 03:31