
  1. //
  2. // offsets.m
  3. // g0blin
  4. //
  5. // Created by Sticktron on 2017-12-26.
  6. // Copyright © 2017 Sticktron. All rights reserved.
  7. //
  8. #include "kppoffsets.h"
  9. #include "kppcommon.h"
  10. #include <sys/utsname.h>
  11. #include <sys/sysctl.h>
  // Kernel addresses for the running build, filled in by init_offsets() below from
  // sysctl hw.machine (device model, CTL_HW/HW_MACHINE) and kern.osversion (OS build
  // string, CTL_KERN/KERN_OSVERSION). Each value is an absolute kernel address that is
  // valid for exactly one device/build pair and meaningless on any other build.
  // They carry no initializer, so they start at 0; the branches visible in
  // init_offsets() assign them only on an exact device+build match.
  // NOTE(review): callers should treat a 0 offset as "unsupported build" and bail out
  // instead of using it — confirm that check exists at every use site.
  12. uint64_t OFFSET_ZONE_MAP;
  13. uint64_t OFFSET_KERNEL_MAP;
  14. uint64_t OFFSET_KERNEL_TASK;
  15. uint64_t OFFSET_REALHOST;
  16. uint64_t OFFSET_BZERO;
  17. uint64_t OFFSET_BCOPY;
  18. uint64_t OFFSET_COPYIN;
  19. uint64_t OFFSET_COPYOUT;
  20. uint64_t OFFSET_IPC_PORT_ALLOC_SPECIAL;
  21. uint64_t OFFSET_IPC_KOBJECT_SET;
  22. uint64_t OFFSET_IPC_PORT_MAKE_SEND;
  23. uint64_t OFFSET_IOSURFACEROOTUSERCLIENT_VTAB;
  24. uint64_t OFFSET_OSSERIALIZER_SERIALIZE;
  25. uint64_t OFFSET_ROP_ADD_X0_X0_0x10;
  26. uint64_t OFFSET_ROOT_MOUNT_V_NODE;
  27. kern_return_t init_offsets()
  28. {
  29. LOG("Detecting device and OS...");
  30. kern_return_t error = KERN_SUCCESS;
  31. //read device id
  32. int d_prop[2] = {CTL_HW, HW_MACHINE};
  33. char device[20];
  34. size_t d_prop_len = sizeof(device);
  35. //sysctl(d_prop, 2, NULL, &d_prop_len, NULL, 0);
  36. sysctl(d_prop, 2, device, &d_prop_len, NULL, 0);
  37. LOG("device: %s", device);
  38. int version_prop[2] = {CTL_KERN, KERN_OSVERSION};
  39. char osversion[20];
  40. size_t version_prop_len = sizeof(osversion);
  41. //sysctl(version_prop, 2, NULL, &version_prop_len, NULL, 0);
  42. sysctl(version_prop, 2, osversion, &version_prop_len, NULL, 0);
  43. LOG("version: %s", osversion);
  44. // Apple TV 4 (2015)
  45. if(!strcmp(device, "AppleTV5,3"))
  46. {
  47. // 10.2.2
  48. if(!strcmp(osversion, "14W756"))
  49. {
  50. OFFSET_ZONE_MAP = 0xfffffff007558478;
  51. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  52. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  53. OFFSET_REALHOST = 0xfffffff00753aba0;
  54. OFFSET_BZERO = 0xfffffff00708df80;
  55. OFFSET_BCOPY = 0xfffffff00708ddc0;
  56. OFFSET_COPYIN = 0xfffffff00718d028;
  57. OFFSET_COPYOUT = 0xfffffff00718d21c;
  58. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  59. //OFFSET_CHGPROCCNT = 0xfffffff00739aa04;
  60. //OFFSET_KAUTH_CRED_REF = 0xfffffff007374d90;
  61. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a60b4;
  62. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b938c;
  63. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5bd8;
  64. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f11678;
  65. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006935398;
  66. OFFSET_OSSERIALIZER_SERIALIZE = 0xfffffff00744db90;
  67. //OFFSET_ROP_LDR_X0_X0_0x10 = 0xfffffff00666a09c;
  68. }
  69. // 10.2.1
  70. if(!strcmp(osversion, "14W585a"))
  71. {
  72. OFFSET_ZONE_MAP = 0xfffffff007558478;
  73. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  74. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  75. OFFSET_REALHOST = 0xfffffff00753aba0;
  76. OFFSET_BZERO = 0xfffffff00708df80;
  77. OFFSET_BCOPY = 0xfffffff00708ddc0;
  78. OFFSET_COPYIN = 0xfffffff00718d37c;
  79. OFFSET_COPYOUT = 0xfffffff00718d570;
  80. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  81. //OFFSET_CHGPROCCNT = 0xfffffff00739aab4;
  82. //OFFSET_KAUTH_CRED_REF = 0xfffffff007374e6c;
  83. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a60b4;
  84. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b938c;
  85. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5bd8;
  86. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f15678;
  87. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00693a398;
  88. OFFSET_OSSERIALIZER_SERIALIZE = 0xfffffff00744dc40;
  89. // OFFSET_ROP_LDR_X0_X0_0x10 = 0xfffffff00666e09c;
  90. }
  91. // 10.2
  92. if(!strcmp(osversion, "14W265"))
  93. {
  94. OFFSET_ZONE_MAP = 0xfffffff007558478;
  95. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  96. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  97. OFFSET_REALHOST = 0xfffffff00753aba0;
  98. OFFSET_BZERO = 0xfffffff00708df80;
  99. OFFSET_BCOPY = 0xfffffff00708ddc0;
  100. OFFSET_COPYIN = 0xfffffff00718d3a8;
  101. OFFSET_COPYOUT = 0xfffffff00718d59c;
  102. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  103. //OFFSET_CHGPROCCNT = 0xfffffff00739a78c;
  104. //OFFSET_KAUTH_CRED_REF = 0xfffffff007374b2c;
  105. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a611c;
  106. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b9374;
  107. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5c40;
  108. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f15678;
  109. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00693d398;
  110. OFFSET_OSSERIALIZER_SERIALIZE = 0xfffffff00744d6ac;
  111. //OFFSET_ROP_LDR_X0_X0_0x10 = 0xfffffff00667109c;
  112. }
  113. // 10.1.1
  114. if(!strcmp(osversion, "14U712a"))
  115. {
  116. OFFSET_ZONE_MAP = 0xfffffff007566360;
  117. OFFSET_KERNEL_MAP = 0xfffffff0075c2058;
  118. OFFSET_KERNEL_TASK = 0xfffffff0075c2050;
  119. OFFSET_REALHOST = 0xfffffff007548a98;
  120. OFFSET_BZERO = 0xfffffff00708e140;
  121. OFFSET_BCOPY = 0xfffffff00708df80;
  122. OFFSET_COPYIN = 0xfffffff00718f76c;
  123. OFFSET_COPYOUT = 0xfffffff00718f974;
  124. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075c20b8;
  125. //OFFSET_CHGPROCCNT = 0xfffffff0073a4940;
  126. //OFFSET_KAUTH_CRED_REF = 0xfffffff00737e6d4;
  127. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a6200;
  128. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b98a0;
  129. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5d44;
  130. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f1c960;
  131. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00697e29c;
  132. OFFSET_OSSERIALIZER_SERIALIZE = 0xfffffff00745b100;
  133. // OFFSET_ROP_LDR_X0_X0_0x10 = 0xfffffff0066b30b4;
  134. }
  135. // 10.1
  136. if(!strcmp(osversion, "14U593"))
  137. {
  138. OFFSET_ZONE_MAP = 0xfffffff007566360;
  139. OFFSET_KERNEL_MAP = 0xfffffff0075c2058;
  140. OFFSET_KERNEL_TASK = 0xfffffff0075c2050;
  141. OFFSET_REALHOST = 0xfffffff007548a98;
  142. OFFSET_BZERO = 0xfffffff00708e140;
  143. OFFSET_BCOPY = 0xfffffff00708df80;
  144. OFFSET_COPYIN = 0xfffffff00718f748;
  145. OFFSET_COPYOUT = 0xfffffff00718f950;
  146. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075c20b8;
  147. //OFFSET_CHGPROCCNT = 0xfffffff0073a491c;
  148. //OFFSET_KAUTH_CRED_REF = 0xfffffff00737e6b0;
  149. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a6200;
  150. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b987c;
  151. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5d44;
  152. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f1c960;
  153. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00697e29c;
  154. OFFSET_OSSERIALIZER_SERIALIZE = 0xfffffff00745b0dc;
  155. // OFFSET_ROP_LDR_X0_X0_0x10 = 0xfffffff0066b30b4;
  156. }
  157. // 10.0.1
  158. if(!strcmp(osversion, "14U100"))
  159. {
  160. OFFSET_ZONE_MAP = 0xfffffff007562160;
  161. OFFSET_KERNEL_MAP = 0xfffffff0075be058;
  162. OFFSET_KERNEL_TASK = 0xfffffff0075be050;
  163. OFFSET_REALHOST = 0xfffffff007544898;
  164. OFFSET_BZERO = 0xfffffff00708a140;
  165. OFFSET_BCOPY = 0xfffffff007089f80;
  166. OFFSET_COPYIN = 0xfffffff00718baf8;
  167. OFFSET_COPYOUT = 0xfffffff00718bd00;
  168. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075be0b8;
  169. //OFFSET_CHGPROCCNT = 0xfffffff0073a0d48;
  170. //OFFSET_KAUTH_CRED_REF = 0xfffffff00737ab58;
  171. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a1bf0;
  172. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b4e10;
  173. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a18a4;
  174. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f1c7a0;
  175. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00698629c;
  176. OFFSET_OSSERIALIZER_SERIALIZE = 0xfffffff007456cb8;
  177. // OFFSET_ROP_LDR_X0_X0_0x10 = 0xfffffff0066bb0b4;
  178. }
  179. // 10.0.1
  180. if(!strcmp(osversion, "14U71"))
  181. {
  182. OFFSET_ZONE_MAP = 0xfffffff007562160;
  183. OFFSET_KERNEL_MAP = 0xfffffff0075be058;
  184. OFFSET_KERNEL_TASK = 0xfffffff0075be050;
  185. OFFSET_REALHOST = 0xfffffff007544898;
  186. OFFSET_BZERO = 0xfffffff00708a140;
  187. OFFSET_BCOPY = 0xfffffff007089f80;
  188. OFFSET_COPYIN = 0xfffffff00718baf8;
  189. OFFSET_COPYOUT = 0xfffffff00718bd00;
  190. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075be0b8;
  191. //OFFSET_CHGPROCCNT = 0xfffffff0073a0d48;
  192. //OFFSET_KAUTH_CRED_REF = 0xfffffff00737ab58;
  193. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a1bf0;
  194. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b4e10;
  195. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a18a4;
  196. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f1c7a0;
  197. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00698629c;
  198. OFFSET_OSSERIALIZER_SERIALIZE = 0xfffffff007456cb8;
  199. // OFFSET_ROP_LDR_X0_X0_0x10 = 0xfffffff0066bb0b4;
  200. }
  201. // 10.0
  202. if(!strcmp(osversion, "14T330"))
  203. {
  204. OFFSET_ZONE_MAP = 0xfffffff00755e160;
  205. OFFSET_KERNEL_MAP = 0xfffffff0075ba058;
  206. OFFSET_KERNEL_TASK = 0xfffffff0075ba050;
  207. OFFSET_REALHOST = 0xfffffff007540898;
  208. OFFSET_BZERO = 0xfffffff00708a140;
  209. OFFSET_BCOPY = 0xfffffff007089f80;
  210. OFFSET_COPYIN = 0xfffffff00718ae90;
  211. OFFSET_COPYOUT = 0xfffffff00718b098;
  212. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075ba0b8;
  213. //OFFSET_CHGPROCCNT = 0xfffffff00739f8c8;
  214. //OFFSET_KAUTH_CRED_REF = 0xfffffff007379a90;
  215. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a16ec;
  216. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b47b0;
  217. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a13a0;
  218. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f1c720;
  219. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0066d30a8;
  220. OFFSET_OSSERIALIZER_SERIALIZE = 0xfffffff007455748;
  221. // OFFSET_ROP_LDR_X0_X0_0x10 = 0xfffffff0066bb0b4;
  222. }
  223. }
  224. // iPhone 6
  225. if(!strcmp(device, "iPhone7,2"))
  226. {
  227. // 10.3.3
  228. if(!strcmp(osversion, "14G60"))
  229. {
  230. OFFSET_ZONE_MAP = 0xfffffff007558478;
  231. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  232. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  233. OFFSET_REALHOST = 0xfffffff00753aba0;
  234. OFFSET_BZERO = 0xfffffff00708df80;
  235. OFFSET_BCOPY = 0xfffffff00708ddc0;
  236. OFFSET_COPYIN = 0xfffffff00718d028;
  237. OFFSET_COPYOUT = 0xfffffff00718d21c;
  238. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a60b4;
  239. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b938c;
  240. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5bd8;
  241. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006eee1b8;
  242. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064b2174;
  243. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  244. }
  245. // 10.3.2
  246. if(!strcmp(osversion, "14F89"))
  247. {
  248. OFFSET_ZONE_MAP = 0xfffffff007558478;
  249. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  250. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  251. OFFSET_REALHOST = 0xfffffff00753aba0;
  252. OFFSET_BZERO = 0xfffffff00708df80;
  253. OFFSET_BCOPY = 0xfffffff00708ddc0;
  254. OFFSET_COPYIN = 0xfffffff00718d37c;
  255. OFFSET_COPYOUT = 0xfffffff00718d570;
  256. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a60b4;
  257. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b938c;
  258. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5bd8;
  259. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006eee1b8;
  260. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064b2174;
  261. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  262. }
  263. // 10.3.1
  264. if(!strcmp(osversion, "14E304"))
  265. {
  266. OFFSET_ZONE_MAP = 0xfffffff007558478;
  267. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  268. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  269. OFFSET_REALHOST = 0xfffffff00753aba0;
  270. OFFSET_BZERO = 0xfffffff00708df80;
  271. OFFSET_BCOPY = 0xfffffff00708ddc0;
  272. OFFSET_COPYIN = 0xfffffff00718d3a8;
  273. OFFSET_COPYOUT = 0xfffffff00718d59c;
  274. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a611c;
  275. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b9374;
  276. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5c40;
  277. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006eee1b8;
  278. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064b5174;
  279. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  280. }
  281. // 10.3
  282. if(!strcmp(osversion, "14E277"))
  283. {
  284. OFFSET_ZONE_MAP = 0xfffffff007558478;
  285. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  286. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  287. OFFSET_REALHOST = 0xfffffff00753aba0;
  288. OFFSET_BZERO = 0xfffffff00708df80;
  289. OFFSET_BCOPY = 0xfffffff00708ddc0;
  290. OFFSET_COPYIN = 0xfffffff00718d3a8;
  291. OFFSET_COPYOUT = 0xfffffff00718d59c;
  292. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a611c;
  293. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b9374;
  294. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5c40;
  295. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006eee1b8;
  296. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064b5174;
  297. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  298. }
  299. }
  300. // iPhone 6s
  301. if(!strcmp(device, "iPhone8,1"))
  302. {
  303. // 10.3.3
  304. if(!strcmp(osversion, "14G60"))
  305. {
  306. OFFSET_ZONE_MAP = 0xfffffff007548478;
  307. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  308. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  309. OFFSET_REALHOST = 0xfffffff00752aba0;
  310. OFFSET_BZERO = 0xfffffff007081f80;
  311. OFFSET_BCOPY = 0xfffffff007081dc0;
  312. OFFSET_COPYIN = 0xfffffff0071803a0;
  313. OFFSET_COPYOUT = 0xfffffff007180594;
  314. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099e94;
  315. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad16c;
  316. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070999b8;
  317. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e7c9f8;
  318. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006462174;
  319. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  320. }
  321. // 10.3.2 --------------------------------------------------------------
  322. // officially working offsets by sticktron.
  323. //----------------------------------------------------------------------
  324. if(!strcmp(osversion, "14F89"))
  325. {
  326. OFFSET_ZONE_MAP = 0xfffffff007548478; /* "zone_init: kmem_suballoc failed" */
  327. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  328. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  329. OFFSET_REALHOST = 0xfffffff00752aba0; /* host_priv_self */
  330. OFFSET_BZERO = 0xfffffff007081f80;
  331. OFFSET_BCOPY = 0xfffffff007081dc0;
  332. OFFSET_COPYIN = 0xfffffff0071806f4;
  333. OFFSET_COPYOUT = 0xfffffff0071808e8;
  334. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099e94; /* convert_task_suspension_token_to_port */
  335. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad16c; /* convert_task_suspension_token_to_port */
  336. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070999b8; /* "ipc_host_init" */
  337. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e7c9f8;
  338. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064b1398;
  339. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  340. }
  341. //----------------------------------------------------------------------
  342. // 10.3.1
  343. if(!strcmp(osversion, "14E304"))
  344. {
  345. OFFSET_ZONE_MAP = 0xfffffff007548478;
  346. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  347. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  348. OFFSET_REALHOST = 0xfffffff00752aba0;
  349. OFFSET_BZERO = 0xfffffff007081f80;
  350. OFFSET_BCOPY = 0xfffffff007081dc0;
  351. OFFSET_COPYIN = 0xfffffff007180720;
  352. OFFSET_COPYOUT = 0xfffffff007180914;
  353. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099efc;
  354. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad154;
  355. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a20;
  356. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e7c9f8;
  357. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006465174;
  358. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  359. }
  360. // 10.3
  361. if(!strcmp(osversion, "14E277"))
  362. {
  363. OFFSET_ZONE_MAP = 0xfffffff007548478;
  364. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  365. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  366. OFFSET_REALHOST = 0xfffffff00752aba0;
  367. OFFSET_BZERO = 0xfffffff007081f80;
  368. OFFSET_BCOPY = 0xfffffff007081dc0;
  369. OFFSET_COPYIN = 0xfffffff007180720;
  370. OFFSET_COPYOUT = 0xfffffff007180914;
  371. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099efc;
  372. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad154;
  373. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a20;
  374. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e7c9f8;
  375. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006465174;
  376. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  377. }
  378. }
  379. // iPad Air (WiFi), iPad Air (China) and iPad Air (Cellular)
  380. if(!strcmp(device, "iPad4,1") || !strcmp(device, "iPad4,3") || !strcmp(device, "iPad4,2"))
  381. {
  382. // 10.3.3
  383. if(!strcmp(osversion, "14G60"))
  384. {
  385. OFFSET_ZONE_MAP = 0xfffffff00754c478;
  386. OFFSET_KERNEL_MAP = 0xfffffff0075a8050;
  387. OFFSET_KERNEL_TASK = 0xfffffff0075a8048;
  388. OFFSET_REALHOST = 0xfffffff00752eba0;
  389. OFFSET_BZERO = 0xfffffff007081f80;
  390. OFFSET_BCOPY = 0xfffffff007081dc0;
  391. OFFSET_COPYIN = 0xfffffff007180e98;
  392. OFFSET_COPYOUT = 0xfffffff00718108c;
  393. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099f14;
  394. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad1ec;
  395. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a38;
  396. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f2e338;
  397. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064fe174;
  398. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a80b0;
  399. }
  400. // 10.3.2
  401. if(!strcmp(osversion, "14F89"))
  402. {
  403. OFFSET_ZONE_MAP = 0xfffffff00754c478;
  404. OFFSET_KERNEL_MAP = 0xfffffff0075a8050;
  405. OFFSET_KERNEL_TASK = 0xfffffff0075a8048;
  406. OFFSET_REALHOST = 0xfffffff00752eba0;
  407. OFFSET_BZERO = 0xfffffff007081f80;
  408. OFFSET_BCOPY = 0xfffffff007081dc0;
  409. OFFSET_COPYIN = 0xfffffff0071811ec;
  410. OFFSET_COPYOUT = 0xfffffff0071813e0;
  411. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099f14;
  412. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad1ec;
  413. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a38;
  414. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f2e338;
  415. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006502174;
  416. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a80b0;
  417. }
  418. // 10.3.1
  419. if(!strcmp(osversion, "14E304"))
  420. {
  421. OFFSET_ZONE_MAP = 0xfffffff00754c478;
  422. OFFSET_KERNEL_MAP = 0xfffffff0075a8050;
  423. OFFSET_KERNEL_TASK = 0xfffffff0075a8048;
  424. OFFSET_REALHOST = 0xfffffff00752eba0;
  425. OFFSET_BZERO = 0xfffffff007081f80;
  426. OFFSET_BCOPY = 0xfffffff007081dc0;
  427. OFFSET_COPYIN = 0xfffffff007181218;
  428. OFFSET_COPYOUT = 0xfffffff00718140c;
  429. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099f7c;
  430. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad1d4;
  431. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099aa0;
  432. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f2e338;
  433. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006501174;
  434. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a80b0;
  435. }
  436. // 10.3
  437. if(!strcmp(osversion, "14E277"))
  438. {
  439. OFFSET_ZONE_MAP = 0xfffffff00754c478;
  440. OFFSET_KERNEL_MAP = 0xfffffff0075a8050;
  441. OFFSET_KERNEL_TASK = 0xfffffff0075a8048;
  442. OFFSET_REALHOST = 0xfffffff00752eba0;
  443. OFFSET_BZERO = 0xfffffff007081f80;
  444. OFFSET_BCOPY = 0xfffffff007081dc0;
  445. OFFSET_COPYIN = 0xfffffff007181218;
  446. OFFSET_COPYOUT = 0xfffffff00718140c;
  447. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099f7c;
  448. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad1d4;
  449. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099aa0;
  450. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f2e338;
  451. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006501174;
  452. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a80b0;
  453. }
  454. }
  455. // iPad Mini 2 (Cellular), iPad Mini 2 (WiFi) and iPad Mini 2 (China)
  456. if(!strcmp(device, "iPad4,5") || !strcmp(device, "iPad4,4") || !strcmp(device, "iPad4,6"))
  457. {
  458. // 10.3.3
  459. if(!strcmp(osversion, "14G60"))
  460. {
  461. OFFSET_ZONE_MAP = 0xfffffff00754c478;
  462. OFFSET_KERNEL_MAP = 0xfffffff0075a8050;
  463. OFFSET_KERNEL_TASK = 0xfffffff0075a8048;
  464. OFFSET_REALHOST = 0xfffffff00752eba0;
  465. OFFSET_BZERO = 0xfffffff007081f80;
  466. OFFSET_BCOPY = 0xfffffff007081dc0;
  467. OFFSET_COPYIN = 0xfffffff007180e98;
  468. OFFSET_COPYOUT = 0xfffffff00718108c;
  469. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099f14;
  470. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad1ec;
  471. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a38;
  472. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f2e338;
  473. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064fe174;
  474. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a80b0;
  475. }
  476. // 10.3.2
  477. if(!strcmp(osversion, "14F89"))
  478. {
  479. OFFSET_ZONE_MAP = 0xfffffff00754c478;
  480. OFFSET_KERNEL_MAP = 0xfffffff0075a8050;
  481. OFFSET_KERNEL_TASK = 0xfffffff0075a8048;
  482. OFFSET_REALHOST = 0xfffffff00752eba0;
  483. OFFSET_BZERO = 0xfffffff007081f80;
  484. OFFSET_BCOPY = 0xfffffff007081dc0;
  485. OFFSET_COPYIN = 0xfffffff0071811ec;
  486. OFFSET_COPYOUT = 0xfffffff0071813e0;
  487. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099f14;
  488. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad1ec;
  489. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a38;
  490. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f2e338;
  491. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064fe174;
  492. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a80b0;
  493. }
  494. // 10.3.1
  495. if(!strcmp(osversion, "14E304"))
  496. {
  497. OFFSET_ZONE_MAP = 0xfffffff00754c478;
  498. OFFSET_KERNEL_MAP = 0xfffffff0075a8050;
  499. OFFSET_KERNEL_TASK = 0xfffffff0075a8048;
  500. OFFSET_REALHOST = 0xfffffff00752eba0;
  501. OFFSET_BZERO = 0xfffffff007081f80;
  502. OFFSET_BCOPY = 0xfffffff007081dc0;
  503. OFFSET_COPYIN = 0xfffffff007181218;
  504. OFFSET_COPYOUT = 0xfffffff00718140c;
  505. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099f7c;
  506. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad1d4;
  507. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099aa0;
  508. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f2e338;
  509. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064fd174;
  510. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a80b0;
  511. }
  512. // 10.3
  513. if(!strcmp(osversion, "14E277"))
  514. {
  515. OFFSET_ZONE_MAP = 0xfffffff00754c478;
  516. OFFSET_KERNEL_MAP = 0xfffffff0075a8050;
  517. OFFSET_KERNEL_TASK = 0xfffffff0075a8048;
  518. OFFSET_REALHOST = 0xfffffff00752eba0;
  519. OFFSET_BZERO = 0xfffffff007081f80;
  520. OFFSET_BCOPY = 0xfffffff007081dc0;
  521. OFFSET_COPYIN = 0xfffffff007181218;
  522. OFFSET_COPYOUT = 0xfffffff00718140c;
  523. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099f7c;
  524. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad1d4;
  525. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099aa0;
  526. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f2e338;
  527. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064fd174;
  528. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a80b0;
  529. }
  530. }
  531. // iPad Air (WiFi)
  532. if(!strcmp(device, "iPad4,1"))
  533. {
  534. // 10.2.1
  535. if(!strcmp(osversion, "14D27"))
  536. {
  537. OFFSET_ZONE_MAP = 0xfffffff00755a360;
  538. OFFSET_KERNEL_MAP = 0xfffffff0075b6058;
  539. OFFSET_KERNEL_TASK = 0xfffffff0075b6050;
  540. OFFSET_REALHOST = 0xfffffff00753ca98;
  541. OFFSET_BZERO = 0xfffffff007082140;
  542. OFFSET_BCOPY = 0xfffffff007081f80;
  543. OFFSET_COPYIN = 0xfffffff0071835dc;
  544. OFFSET_COPYOUT = 0xfffffff0071837e4;
  545. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff00709a060;
  546. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad700;
  547. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099ba4;
  548. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f336a0;
  549. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00650dfb0;
  550. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b60b8;
  551. }
  552. }
  553. // iPad Mini 2 (Cellular)
  554. if(!strcmp(device, "iPad4,5"))
  555. {
  556. // 10.2.1
  557. if(!strcmp(osversion, "14D27"))
  558. {
  559. OFFSET_ZONE_MAP = 0xfffffff00755a360;
  560. OFFSET_KERNEL_MAP = 0xfffffff0075b6058;
  561. OFFSET_KERNEL_TASK = 0xfffffff0075b6050;
  562. OFFSET_REALHOST = 0xfffffff00753ca98;
  563. OFFSET_BZERO = 0xfffffff007082140;
  564. OFFSET_BCOPY = 0xfffffff007081f80;
  565. OFFSET_COPYIN = 0xfffffff0071835dc;
  566. OFFSET_COPYOUT = 0xfffffff0071837e4;
  567. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff00709a060;
  568. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad700;
  569. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099ba4;
  570. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f336a0;
  571. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00650dfb0;
  572. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b60b8;
  573. }
  574. }
  575. // iPad Mini 2 (WiFi)
  576. if(!strcmp(device, "iPad4,4"))
  577. {
  578. // 10.2.1
  579. if(!strcmp(osversion, "14D27"))
  580. {
  581. OFFSET_ZONE_MAP = 0xfffffff00755a360;
  582. OFFSET_KERNEL_MAP = 0xfffffff0075b6058;
  583. OFFSET_KERNEL_TASK = 0xfffffff0075b6050;
  584. OFFSET_REALHOST = 0xfffffff00753ca98;
  585. OFFSET_BZERO = 0xfffffff007082140;
  586. OFFSET_BCOPY = 0xfffffff007081f80;
  587. OFFSET_COPYIN = 0xfffffff0071835dc;
  588. OFFSET_COPYOUT = 0xfffffff0071837e4;
  589. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff00709a060;
  590. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad700;
  591. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099ba4;
  592. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f336a0;
  593. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00650dfb0;
  594. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b60b8;
  595. }
  596. }
  597. // iPad Air (China)
  598. if(!strcmp(device, "iPad4,3"))
  599. {
  600. // 10.2.1
  601. if(!strcmp(osversion, "14D27"))
  602. {
  603. OFFSET_ZONE_MAP = 0xfffffff00755a360;
  604. OFFSET_KERNEL_MAP = 0xfffffff0075b6058;
  605. OFFSET_KERNEL_TASK = 0xfffffff0075b6050;
  606. OFFSET_REALHOST = 0xfffffff00753ca98;
  607. OFFSET_BZERO = 0xfffffff007082140;
  608. OFFSET_BCOPY = 0xfffffff007081f80;
  609. OFFSET_COPYIN = 0xfffffff0071835dc;
  610. OFFSET_COPYOUT = 0xfffffff0071837e4;
  611. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff00709a060;
  612. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad700;
  613. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099ba4;
  614. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f336a0;
  615. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00650dfb0;
  616. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b60b8;
  617. }
  618. }
  619. // iPad Air (Cellular)
  620. if(!strcmp(device, "iPad4,2"))
  621. {
  622. // 10.2.1
  623. if(!strcmp(osversion, "14D27"))
  624. {
  625. OFFSET_ZONE_MAP = 0xfffffff00755a360;
  626. OFFSET_KERNEL_MAP = 0xfffffff0075b6058;
  627. OFFSET_KERNEL_TASK = 0xfffffff0075b6050;
  628. OFFSET_REALHOST = 0xfffffff00753ca98;
  629. OFFSET_BZERO = 0xfffffff007082140;
  630. OFFSET_BCOPY = 0xfffffff007081f80;
  631. OFFSET_COPYIN = 0xfffffff0071835dc;
  632. OFFSET_COPYOUT = 0xfffffff0071837e4;
  633. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff00709a060;
  634. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad700;
  635. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099ba4;
  636. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f336a0;
  637. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00650dfb0;
  638. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b60b8;
  639. }
  640. }
  641. // iPad Mini 2 (China)
  642. if(!strcmp(device, "iPad4,6"))
  643. {
  644. // 10.2.1
  645. if(!strcmp(osversion, "14D27"))
  646. {
  647. OFFSET_ZONE_MAP = 0xfffffff00755a360;
  648. OFFSET_KERNEL_MAP = 0xfffffff0075b6058;
  649. OFFSET_KERNEL_TASK = 0xfffffff0075b6050;
  650. OFFSET_REALHOST = 0xfffffff00753ca98;
  651. OFFSET_BZERO = 0xfffffff007082140;
  652. OFFSET_BCOPY = 0xfffffff007081f80;
  653. OFFSET_COPYIN = 0xfffffff0071835dc;
  654. OFFSET_COPYOUT = 0xfffffff0071837e4;
  655. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff00709a060;
  656. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad700;
  657. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099ba4;
  658. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f336a0;
  659. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00650dfb0;
  660. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b60b8;
  661. }
  662. }
  663. // iPad Mini 3 (Cellular), iPad Mini 3 (WiFi) and iPad Mini 3 (China)
  664. if(!strcmp(device, "iPad4,8") || !strcmp(device, "iPad4,7") || !strcmp(device, "iPad4,9"))
  665. {
  666. // 10.3.3
  667. if(!strcmp(osversion, "14G60"))
  668. {
  669. OFFSET_ZONE_MAP = 0xfffffff00754c478;
  670. OFFSET_KERNEL_MAP = 0xfffffff0075a8050;
  671. OFFSET_KERNEL_TASK = 0xfffffff0075a8048;
  672. OFFSET_REALHOST = 0xfffffff00752eba0;
  673. OFFSET_BZERO = 0xfffffff007081f80;
  674. OFFSET_BCOPY = 0xfffffff007081dc0;
  675. OFFSET_COPYIN = 0xfffffff007180e98;
  676. OFFSET_COPYOUT = 0xfffffff00718108c;
  677. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099f14;
  678. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad1ec;
  679. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a38;
  680. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f2d738;
  681. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064ba174;
  682. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a80b0;
  683. }
  684. // 10.3.2
  685. if(!strcmp(osversion, "14F89"))
  686. {
  687. OFFSET_ZONE_MAP = 0xfffffff00754c478;
  688. OFFSET_KERNEL_MAP = 0xfffffff0075a8050;
  689. OFFSET_KERNEL_TASK = 0xfffffff0075a8048;
  690. OFFSET_REALHOST = 0xfffffff00752eba0;
  691. OFFSET_BZERO = 0xfffffff007081f80;
  692. OFFSET_BCOPY = 0xfffffff007081dc0;
  693. OFFSET_COPYIN = 0xfffffff0071811ec;
  694. OFFSET_COPYOUT = 0xfffffff0071813e0;
  695. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099f14;
  696. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad1ec;
  697. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a38;
  698. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f2d738;
  699. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064be174;
  700. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a80b0;
  701. }
  702. // 10.3.1
  703. if(!strcmp(osversion, "14E304"))
  704. {
  705. OFFSET_ZONE_MAP = 0xfffffff00754c478;
  706. OFFSET_KERNEL_MAP = 0xfffffff0075a8050;
  707. OFFSET_KERNEL_TASK = 0xfffffff0075a8048;
  708. OFFSET_REALHOST = 0xfffffff00752eba0;
  709. OFFSET_BZERO = 0xfffffff007081f80;
  710. OFFSET_BCOPY = 0xfffffff007081dc0;
  711. OFFSET_COPYIN = 0xfffffff007181218;
  712. OFFSET_COPYOUT = 0xfffffff00718140c;
  713. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099f7c;
  714. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad1d4;
  715. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099aa0;
  716. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f2d738;
  717. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064bd174;
  718. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a80b0;
  719. }
  720. // 10.3
  721. if(!strcmp(osversion, "14E277"))
  722. {
  723. OFFSET_ZONE_MAP = 0xfffffff00754c478;
  724. OFFSET_KERNEL_MAP = 0xfffffff0075a8050;
  725. OFFSET_KERNEL_TASK = 0xfffffff0075a8048;
  726. OFFSET_REALHOST = 0xfffffff00752eba0;
  727. OFFSET_BZERO = 0xfffffff007081f80;
  728. OFFSET_BCOPY = 0xfffffff007081dc0;
  729. OFFSET_COPYIN = 0xfffffff007181218;
  730. OFFSET_COPYOUT = 0xfffffff00718140c;
  731. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099f7c;
  732. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad1d4;
  733. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099aa0;
  734. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f2d738;
  735. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064bd174;
  736. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a80b0;
  737. }
  738. // 10.3.2
  739. if(!strcmp(osversion, "14F91"))
  740. {
  741. OFFSET_ZONE_MAP = 0xfffffff00754c478;
  742. OFFSET_KERNEL_MAP = 0xfffffff0075a8050;
  743. OFFSET_KERNEL_TASK = 0xfffffff0075a8048;
  744. OFFSET_REALHOST = 0xfffffff00752eba0;
  745. OFFSET_BZERO = 0xfffffff007081f80;
  746. OFFSET_BCOPY = 0xfffffff007081dc0;
  747. OFFSET_COPYIN = 0xfffffff0071811ec;
  748. OFFSET_COPYOUT = 0xfffffff0071813e0;
  749. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099f14;
  750. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad1ec;
  751. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a38;
  752. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f2d738;
  753. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064be174;
  754. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a80b0;
  755. }
  756. }
  757. // iPad Air 2 (Cellular) and iPad Air 2 (WiFi)
  758. if(!strcmp(device, "iPad5,4") || !strcmp(device, "iPad5,3"))
  759. {
  760. // 10.3.3
  761. if(!strcmp(osversion, "14G60"))
  762. {
  763. OFFSET_ZONE_MAP = 0xfffffff007558478;
  764. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  765. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  766. OFFSET_REALHOST = 0xfffffff00753aba0;
  767. OFFSET_BZERO = 0xfffffff00708df80;
  768. OFFSET_BCOPY = 0xfffffff00708ddc0;
  769. OFFSET_COPYIN = 0xfffffff00718d120;
  770. OFFSET_COPYOUT = 0xfffffff00718d314;
  771. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a60b4;
  772. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b938c;
  773. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5bd8;
  774. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ecdd38;
  775. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006456174;
  776. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  777. }
  778. // 10.3.2
  779. if(!strcmp(osversion, "14F89"))
  780. {
  781. OFFSET_ZONE_MAP = 0xfffffff007558478;
  782. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  783. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  784. OFFSET_REALHOST = 0xfffffff00753aba0;
  785. OFFSET_BZERO = 0xfffffff00708df80;
  786. OFFSET_BCOPY = 0xfffffff00708ddc0;
  787. OFFSET_COPYIN = 0xfffffff00718d474;
  788. OFFSET_COPYOUT = 0xfffffff00718d668;
  789. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a60b4;
  790. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b938c;
  791. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5bd8;
  792. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ecdd38;
  793. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006456174;
  794. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  795. }
  796. // 10.3.1
  797. if(!strcmp(osversion, "14E304"))
  798. {
  799. OFFSET_ZONE_MAP = 0xfffffff007558478;
  800. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  801. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  802. OFFSET_REALHOST = 0xfffffff00753aba0;
  803. OFFSET_BZERO = 0xfffffff00708df80;
  804. OFFSET_BCOPY = 0xfffffff00708ddc0;
  805. OFFSET_COPYIN = 0xfffffff00718d4a0;
  806. OFFSET_COPYOUT = 0xfffffff00718d694;
  807. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a611c;
  808. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b9374;
  809. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5c40;
  810. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ecdd38;
  811. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006459174;
  812. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  813. }
  814. // 10.3
  815. if(!strcmp(osversion, "14E277"))
  816. {
  817. OFFSET_ZONE_MAP = 0xfffffff007558478;
  818. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  819. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  820. OFFSET_REALHOST = 0xfffffff00753aba0;
  821. OFFSET_BZERO = 0xfffffff00708df80;
  822. OFFSET_BCOPY = 0xfffffff00708ddc0;
  823. OFFSET_COPYIN = 0xfffffff00718d4a0;
  824. OFFSET_COPYOUT = 0xfffffff00718d694;
  825. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a611c;
  826. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b9374;
  827. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5c40;
  828. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ecdd38;
  829. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006459174;
  830. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  831. }
  832. // 10.3.2
  833. if(!strcmp(osversion, "14F91"))
  834. {
  835. OFFSET_ZONE_MAP = 0xfffffff007558478;
  836. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  837. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  838. OFFSET_REALHOST = 0xfffffff00753aba0;
  839. OFFSET_BZERO = 0xfffffff00708df80;
  840. OFFSET_BCOPY = 0xfffffff00708ddc0;
  841. OFFSET_COPYIN = 0xfffffff00718d474;
  842. OFFSET_COPYOUT = 0xfffffff00718d668;
  843. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a60b4;
  844. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b938c;
  845. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5bd8;
  846. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ecdd38;
  847. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006456174;
  848. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  849. }
  850. }
  851. // iPad Mini 4 (Cellular) and iPad Mini 4 (WiFi)
  852. if(!strcmp(device, "iPad5,2") || !strcmp(device, "iPad5,1"))
  853. {
  854. // 10.3.3
  855. if(!strcmp(osversion, "14G60"))
  856. {
  857. OFFSET_ZONE_MAP = 0xfffffff007558478;
  858. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  859. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  860. OFFSET_REALHOST = 0xfffffff00753aba0;
  861. OFFSET_BZERO = 0xfffffff00708df80;
  862. OFFSET_BCOPY = 0xfffffff00708ddc0;
  863. OFFSET_COPYIN = 0xfffffff00718d028;
  864. OFFSET_COPYOUT = 0xfffffff00718d21c;
  865. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a60b4;
  866. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b938c;
  867. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5bd8;
  868. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ecdd38;
  869. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00644e174;
  870. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  871. }
  872. // 10.3.2
  873. if(!strcmp(osversion, "14F89"))
  874. {
  875. OFFSET_ZONE_MAP = 0xfffffff007558478;
  876. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  877. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  878. OFFSET_REALHOST = 0xfffffff00753aba0;
  879. OFFSET_BZERO = 0xfffffff00708df80;
  880. OFFSET_BCOPY = 0xfffffff00708ddc0;
  881. OFFSET_COPYIN = 0xfffffff00718d37c;
  882. OFFSET_COPYOUT = 0xfffffff00718d570;
  883. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a60b4;
  884. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b938c;
  885. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5bd8;
  886. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ecdd38;
  887. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00644e174;
  888. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  889. }
  890. // 10.3.1
  891. if(!strcmp(osversion, "14E304"))
  892. {
  893. OFFSET_ZONE_MAP = 0xfffffff007558478;
  894. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  895. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  896. OFFSET_REALHOST = 0xfffffff00753aba0;
  897. OFFSET_BZERO = 0xfffffff00708df80;
  898. OFFSET_BCOPY = 0xfffffff00708ddc0;
  899. OFFSET_COPYIN = 0xfffffff00718d3a8;
  900. OFFSET_COPYOUT = 0xfffffff00718d59c;
  901. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a611c;
  902. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b9374;
  903. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5c40;
  904. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ecdd38;
  905. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00644d174;
  906. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  907. }
  908. // 10.3
  909. if(!strcmp(osversion, "14E277"))
  910. {
  911. OFFSET_ZONE_MAP = 0xfffffff007558478;
  912. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  913. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  914. OFFSET_REALHOST = 0xfffffff00753aba0;
  915. OFFSET_BZERO = 0xfffffff00708df80;
  916. OFFSET_BCOPY = 0xfffffff00708ddc0;
  917. OFFSET_COPYIN = 0xfffffff00718d3a8;
  918. OFFSET_COPYOUT = 0xfffffff00718d59c;
  919. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a611c;
  920. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b9374;
  921. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5c40;
  922. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ecdd38;
  923. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00644d174;
  924. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  925. }
  926. // 10.3.2
  927. if(!strcmp(osversion, "14F91"))
  928. {
  929. OFFSET_ZONE_MAP = 0xfffffff007558478;
  930. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  931. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  932. OFFSET_REALHOST = 0xfffffff00753aba0;
  933. OFFSET_BZERO = 0xfffffff00708df80;
  934. OFFSET_BCOPY = 0xfffffff00708ddc0;
  935. OFFSET_COPYIN = 0xfffffff00718d37c;
  936. OFFSET_COPYOUT = 0xfffffff00718d570;
  937. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a60b4;
  938. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b938c;
  939. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5bd8;
  940. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ecdd38;
  941. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00644e174;
  942. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  943. }
  944. }
  945. // iPad Mini 3 (Cellular)
  946. if(!strcmp(device, "iPad4,8"))
  947. {
  948. // 10.2.1
  949. if(!strcmp(osversion, "14D27"))
  950. {
  951. OFFSET_ZONE_MAP = 0xfffffff00755a360;
  952. OFFSET_KERNEL_MAP = 0xfffffff0075b6058;
  953. OFFSET_KERNEL_TASK = 0xfffffff0075b6050;
  954. OFFSET_REALHOST = 0xfffffff00753ca98;
  955. OFFSET_BZERO = 0xfffffff007082140;
  956. OFFSET_BCOPY = 0xfffffff007081f80;
  957. OFFSET_COPYIN = 0xfffffff0071835dc;
  958. OFFSET_COPYOUT = 0xfffffff0071837e4;
  959. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff00709a060;
  960. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad700;
  961. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099ba4;
  962. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f32a60;
  963. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064cdfb0;
  964. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b60b8;
  965. }
  966. }
  967. // iPad Mini 3 (WiFi)
  968. if(!strcmp(device, "iPad4,7"))
  969. {
  970. // 10.2.1
  971. if(!strcmp(osversion, "14D27"))
  972. {
  973. OFFSET_ZONE_MAP = 0xfffffff00755a360;
  974. OFFSET_KERNEL_MAP = 0xfffffff0075b6058;
  975. OFFSET_KERNEL_TASK = 0xfffffff0075b6050;
  976. OFFSET_REALHOST = 0xfffffff00753ca98;
  977. OFFSET_BZERO = 0xfffffff007082140;
  978. OFFSET_BCOPY = 0xfffffff007081f80;
  979. OFFSET_COPYIN = 0xfffffff0071835dc;
  980. OFFSET_COPYOUT = 0xfffffff0071837e4;
  981. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff00709a060;
  982. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad700;
  983. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099ba4;
  984. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f32a60;
  985. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064cdfb0;
  986. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b60b8;
  987. }
  988. }
  989. // iPad Air 2 (Cellular)
  990. if(!strcmp(device, "iPad5,4"))
  991. {
  992. // 10.2.1
  993. if(!strcmp(osversion, "14D27"))
  994. {
  995. OFFSET_ZONE_MAP = 0xfffffff007566360;
  996. OFFSET_KERNEL_MAP = 0xfffffff0075c2058;
  997. OFFSET_KERNEL_TASK = 0xfffffff0075c2050;
  998. OFFSET_REALHOST = 0xfffffff007548a98;
  999. OFFSET_BZERO = 0xfffffff00708e140;
  1000. OFFSET_BCOPY = 0xfffffff00708df80;
  1001. OFFSET_COPYIN = 0xfffffff00718f864;
  1002. OFFSET_COPYOUT = 0xfffffff00718fa6c;
  1003. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a6200;
  1004. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b98a0;
  1005. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5d44;
  1006. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ed93e0;
  1007. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006471fb0;
  1008. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075c20b8;
  1009. }
  1010. }
  1011. // iPad Mini 4 (Cellular)
  1012. if(!strcmp(device, "iPad5,2"))
  1013. {
  1014. // 10.2.1
  1015. if(!strcmp(osversion, "14D27"))
  1016. {
  1017. OFFSET_ZONE_MAP = 0xfffffff007566360;
  1018. OFFSET_KERNEL_MAP = 0xfffffff0075c2058;
  1019. OFFSET_KERNEL_TASK = 0xfffffff0075c2050;
  1020. OFFSET_REALHOST = 0xfffffff007548a98;
  1021. OFFSET_BZERO = 0xfffffff00708e140;
  1022. OFFSET_BCOPY = 0xfffffff00708df80;
  1023. OFFSET_COPYIN = 0xfffffff00718f76c;
  1024. OFFSET_COPYOUT = 0xfffffff00718f974;
  1025. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a6200;
  1026. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b98a0;
  1027. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5d44;
  1028. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ed93e0;
  1029. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006469fb0;
  1030. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075c20b8;
  1031. }
  1032. }
  1033. // iPad Air 2 (WiFi)
  1034. if(!strcmp(device, "iPad5,3"))
  1035. {
  1036. // 10.2.1
  1037. if(!strcmp(osversion, "14D27"))
  1038. {
  1039. OFFSET_ZONE_MAP = 0xfffffff007566360;
  1040. OFFSET_KERNEL_MAP = 0xfffffff0075c2058;
  1041. OFFSET_KERNEL_TASK = 0xfffffff0075c2050;
  1042. OFFSET_REALHOST = 0xfffffff007548a98;
  1043. OFFSET_BZERO = 0xfffffff00708e140;
  1044. OFFSET_BCOPY = 0xfffffff00708df80;
  1045. OFFSET_COPYIN = 0xfffffff00718f864;
  1046. OFFSET_COPYOUT = 0xfffffff00718fa6c;
  1047. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a6200;
  1048. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b98a0;
  1049. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5d44;
  1050. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ed93e0;
  1051. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006471fb0;
  1052. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075c20b8;
  1053. }
  1054. }
  1055. // iPad Mini 4 (WiFi)
  1056. if(!strcmp(device, "iPad5,1"))
  1057. {
  1058. // 10.2.1
  1059. if(!strcmp(osversion, "14D27"))
  1060. {
  1061. OFFSET_ZONE_MAP = 0xfffffff007566360;
  1062. OFFSET_KERNEL_MAP = 0xfffffff0075c2058;
  1063. OFFSET_KERNEL_TASK = 0xfffffff0075c2050;
  1064. OFFSET_REALHOST = 0xfffffff007548a98;
  1065. OFFSET_BZERO = 0xfffffff00708e140;
  1066. OFFSET_BCOPY = 0xfffffff00708df80;
  1067. OFFSET_COPYIN = 0xfffffff00718f76c;
  1068. OFFSET_COPYOUT = 0xfffffff00718f974;
  1069. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a6200;
  1070. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b98a0;
  1071. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5d44;
  1072. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ed93e0;
  1073. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006469fb0;
  1074. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075c20b8;
  1075. }
  1076. }
  1077. // iPad Mini 3 (China)
  1078. if(!strcmp(device, "iPad4,9"))
  1079. {
  1080. // 10.2.1
  1081. if(!strcmp(osversion, "14D27"))
  1082. {
  1083. OFFSET_ZONE_MAP = 0xfffffff00755a360;
  1084. OFFSET_KERNEL_MAP = 0xfffffff0075b6058;
  1085. OFFSET_KERNEL_TASK = 0xfffffff0075b6050;
  1086. OFFSET_REALHOST = 0xfffffff00753ca98;
  1087. OFFSET_BZERO = 0xfffffff007082140;
  1088. OFFSET_BCOPY = 0xfffffff007081f80;
  1089. OFFSET_COPYIN = 0xfffffff0071835dc;
  1090. OFFSET_COPYOUT = 0xfffffff0071837e4;
  1091. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff00709a060;
  1092. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad700;
  1093. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099ba4;
  1094. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f32a60;
  1095. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064cdfb0;
  1096. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b60b8;
  1097. }
  1098. }
  1099. // iPad 5 (Cellular) and iPad 5 (WiFi)
  1100. if(!strcmp(device, "iPad6,12") || !strcmp(device, "iPad6,11"))
  1101. {
  1102. // 10.3.3
  1103. if(!strcmp(osversion, "14G60"))
  1104. {
  1105. OFFSET_ZONE_MAP = 0xfffffff007548478;
  1106. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  1107. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  1108. OFFSET_REALHOST = 0xfffffff00752aba0;
  1109. OFFSET_BZERO = 0xfffffff007081f80;
  1110. OFFSET_BCOPY = 0xfffffff007081dc0;
  1111. OFFSET_COPYIN = 0xfffffff0071803a0;
  1112. OFFSET_COPYOUT = 0xfffffff007180594;
  1113. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099e94;
  1114. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad16c;
  1115. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070999b8;
  1116. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e61cb8;
  1117. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006426174;
  1118. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  1119. }
  1120. // 10.3.2
  1121. if(!strcmp(osversion, "14F90"))
  1122. {
  1123. OFFSET_ZONE_MAP = 0xfffffff007548478;
  1124. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  1125. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  1126. OFFSET_REALHOST = 0xfffffff00752aba0;
  1127. OFFSET_BZERO = 0xfffffff007081f80;
  1128. OFFSET_BCOPY = 0xfffffff007081dc0;
  1129. OFFSET_COPYIN = 0xfffffff0071806f4;
  1130. OFFSET_COPYOUT = 0xfffffff0071808e8;
  1131. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099e94;
  1132. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad16c;
  1133. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070999b8;
  1134. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e65cb8;
  1135. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00642a174;
  1136. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  1137. }
  1138. // 10.3.1
  1139. if(!strcmp(osversion, "14E304"))
  1140. {
  1141. OFFSET_ZONE_MAP = 0xfffffff007548478;
  1142. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  1143. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  1144. OFFSET_REALHOST = 0xfffffff00752aba0;
  1145. OFFSET_BZERO = 0xfffffff007081f80;
  1146. OFFSET_BCOPY = 0xfffffff007081dc0;
  1147. OFFSET_COPYIN = 0xfffffff007180720;
  1148. OFFSET_COPYOUT = 0xfffffff007180914;
  1149. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099efc;
  1150. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad154;
  1151. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a20;
  1152. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e65cb8;
  1153. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006429174;
  1154. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  1155. }
  1156. // 10.3
  1157. if(!strcmp(osversion, "14E277"))
  1158. {
  1159. OFFSET_ZONE_MAP = 0xfffffff007548478;
  1160. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  1161. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  1162. OFFSET_REALHOST = 0xfffffff00752aba0;
  1163. OFFSET_BZERO = 0xfffffff007081f80;
  1164. OFFSET_BCOPY = 0xfffffff007081dc0;
  1165. OFFSET_COPYIN = 0xfffffff007180720;
  1166. OFFSET_COPYOUT = 0xfffffff007180914;
  1167. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099efc;
  1168. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad154;
  1169. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a20;
  1170. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e65cb8;
  1171. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006429174;
  1172. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  1173. }
  1174. }
  1175. // iPad Pro 9.7-inch (WiFi) and iPad Pro 9.7-inch (Cellular)
  1176. if(!strcmp(device, "iPad6,3") || !strcmp(device, "iPad6,4"))
  1177. {
  1178. // 10.3.3
  1179. if(!strcmp(osversion, "14G60"))
  1180. {
  1181. OFFSET_ZONE_MAP = 0xfffffff007548478;
  1182. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  1183. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  1184. OFFSET_REALHOST = 0xfffffff00752aba0;
  1185. OFFSET_BZERO = 0xfffffff007081f80;
  1186. OFFSET_BCOPY = 0xfffffff007081dc0;
  1187. OFFSET_COPYIN = 0xfffffff0071803a0;
  1188. OFFSET_COPYOUT = 0xfffffff007180594;
  1189. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099e94;
  1190. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad16c;
  1191. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070999b8;
  1192. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e3d738;
  1193. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00633e0c8;
  1194. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  1195. }
  1196. // 10.3.2
  1197. if(!strcmp(osversion, "14F89"))
  1198. {
  1199. OFFSET_ZONE_MAP = 0xfffffff007548478;
  1200. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  1201. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  1202. OFFSET_REALHOST = 0xfffffff00752aba0;
  1203. OFFSET_BZERO = 0xfffffff007081f80;
  1204. OFFSET_BCOPY = 0xfffffff007081dc0;
  1205. OFFSET_COPYIN = 0xfffffff0071806f4;
  1206. OFFSET_COPYOUT = 0xfffffff0071808e8;
  1207. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099e94;
  1208. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad16c;
  1209. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070999b8;
  1210. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e3d738;
  1211. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0063420c8;
  1212. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  1213. }
  1214. // 10.3.1
  1215. if(!strcmp(osversion, "14E304"))
  1216. {
  1217. OFFSET_ZONE_MAP = 0xfffffff007548478;
  1218. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  1219. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  1220. OFFSET_REALHOST = 0xfffffff00752aba0;
  1221. OFFSET_BZERO = 0xfffffff007081f80;
  1222. OFFSET_BCOPY = 0xfffffff007081dc0;
  1223. OFFSET_COPYIN = 0xfffffff007180720;
  1224. OFFSET_COPYOUT = 0xfffffff007180914;
  1225. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099efc;
  1226. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad154;
  1227. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a20;
  1228. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e3d738;
  1229. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0063410c8;
  1230. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  1231. }
  1232. // 10.3
  1233. if(!strcmp(osversion, "14E277"))
  1234. {
  1235. OFFSET_ZONE_MAP = 0xfffffff007548478;
  1236. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  1237. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  1238. OFFSET_REALHOST = 0xfffffff00752aba0;
  1239. OFFSET_BZERO = 0xfffffff007081f80;
  1240. OFFSET_BCOPY = 0xfffffff007081dc0;
  1241. OFFSET_COPYIN = 0xfffffff007180720;
  1242. OFFSET_COPYOUT = 0xfffffff007180914;
  1243. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099efc;
  1244. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad154;
  1245. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a20;
  1246. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e3d738;
  1247. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0063410c8;
  1248. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  1249. }
  1250. }
  1251. // iPad Pro 9.7-inch (WiFi)
  1252. if(!strcmp(device, "iPad6,3"))
  1253. {
  1254. // 10.2.1
  1255. if(!strcmp(osversion, "14D27"))
  1256. {
  1257. OFFSET_ZONE_MAP = 0xfffffff007556360;
  1258. OFFSET_KERNEL_MAP = 0xfffffff0075b2058;
  1259. OFFSET_KERNEL_TASK = 0xfffffff0075b2050;
  1260. OFFSET_REALHOST = 0xfffffff007538a98;
  1261. OFFSET_BZERO = 0xfffffff007082140;
  1262. OFFSET_BCOPY = 0xfffffff007081f80;
  1263. OFFSET_COPYIN = 0xfffffff007182af0;
  1264. OFFSET_COPYOUT = 0xfffffff007182cf8;
  1265. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099fe0;
  1266. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad680;
  1267. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099b24;
  1268. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e4d5e0;
  1269. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006376140;
  1270. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b20b8;
  1271. }
  1272. }
  1273. // iPad Pro 9.7-inch (Cellular)
  1274. if(!strcmp(device, "iPad6,4"))
  1275. {
  1276. // 10.2.1
  1277. if(!strcmp(osversion, "14D27"))
  1278. {
  1279. OFFSET_ZONE_MAP = 0xfffffff007556360;
  1280. OFFSET_KERNEL_MAP = 0xfffffff0075b2058;
  1281. OFFSET_KERNEL_TASK = 0xfffffff0075b2050;
  1282. OFFSET_REALHOST = 0xfffffff007538a98;
  1283. OFFSET_BZERO = 0xfffffff007082140;
  1284. OFFSET_BCOPY = 0xfffffff007081f80;
  1285. OFFSET_COPYIN = 0xfffffff007182af0;
  1286. OFFSET_COPYOUT = 0xfffffff007182cf8;
  1287. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099fe0;
  1288. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad680;
  1289. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099b24;
  1290. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e4d5e0;
  1291. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006376140;
  1292. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b20b8;
  1293. }
  1294. }
  1295. // iPad Pro 12.9-inch (Cellular) and iPad Pro 12.9-inch (WiFi)
  1296. if(!strcmp(device, "iPad6,8") || !strcmp(device, "iPad6,7"))
  1297. {
  1298. // 10.3.3
  1299. if(!strcmp(osversion, "14G60"))
  1300. {
  1301. OFFSET_ZONE_MAP = 0xfffffff007548478;
  1302. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  1303. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  1304. OFFSET_REALHOST = 0xfffffff00752aba0;
  1305. OFFSET_BZERO = 0xfffffff007081f80;
  1306. OFFSET_BCOPY = 0xfffffff007081dc0;
  1307. OFFSET_COPYIN = 0xfffffff0071803a0;
  1308. OFFSET_COPYOUT = 0xfffffff007180594;
  1309. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099e94;
  1310. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad16c;
  1311. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070999b8;
  1312. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e49738;
  1313. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00637e0c8;
  1314. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  1315. }
  1316. // 10.3.2
  1317. if(!strcmp(osversion, "14F89"))
  1318. {
  1319. OFFSET_ZONE_MAP = 0xfffffff007548478;
  1320. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  1321. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  1322. OFFSET_REALHOST = 0xfffffff00752aba0;
  1323. OFFSET_BZERO = 0xfffffff007081f80;
  1324. OFFSET_BCOPY = 0xfffffff007081dc0;
  1325. OFFSET_COPYIN = 0xfffffff0071806f4;
  1326. OFFSET_COPYOUT = 0xfffffff0071808e8;
  1327. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099e94;
  1328. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad16c;
  1329. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070999b8;
  1330. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e49738;
  1331. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00637e0c8;
  1332. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  1333. }
  1334. // 10.3.1
  1335. if(!strcmp(osversion, "14E304"))
  1336. {
  1337. OFFSET_ZONE_MAP = 0xfffffff007548478;
  1338. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  1339. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  1340. OFFSET_REALHOST = 0xfffffff00752aba0;
  1341. OFFSET_BZERO = 0xfffffff007081f80;
  1342. OFFSET_BCOPY = 0xfffffff007081dc0;
  1343. OFFSET_COPYIN = 0xfffffff007180720;
  1344. OFFSET_COPYOUT = 0xfffffff007180914;
  1345. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099efc;
  1346. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad154;
  1347. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a20;
  1348. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e49738;
  1349. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00637d0c8;
  1350. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  1351. }
  1352. // 10.3
  1353. if(!strcmp(osversion, "14E277"))
  1354. {
  1355. OFFSET_ZONE_MAP = 0xfffffff007548478;
  1356. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  1357. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  1358. OFFSET_REALHOST = 0xfffffff00752aba0;
  1359. OFFSET_BZERO = 0xfffffff007081f80;
  1360. OFFSET_BCOPY = 0xfffffff007081dc0;
  1361. OFFSET_COPYIN = 0xfffffff007180720;
  1362. OFFSET_COPYOUT = 0xfffffff007180914;
  1363. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099efc;
  1364. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad154;
  1365. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a20;
  1366. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e49738;
  1367. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00637d0c8;
  1368. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  1369. }
  1370. }
  1371. // iPad Pro 12.9-inch (Cellular)
  1372. if(!strcmp(device, "iPad6,8"))
  1373. {
  1374. // 10.2.1
  1375. if(!strcmp(osversion, "14D27"))
  1376. {
  1377. OFFSET_ZONE_MAP = 0xfffffff007556360;
  1378. OFFSET_KERNEL_MAP = 0xfffffff0075b2058;
  1379. OFFSET_KERNEL_TASK = 0xfffffff0075b2050;
  1380. OFFSET_REALHOST = 0xfffffff007538a98;
  1381. OFFSET_BZERO = 0xfffffff007082140;
  1382. OFFSET_BCOPY = 0xfffffff007081f80;
  1383. OFFSET_COPYIN = 0xfffffff007182af0;
  1384. OFFSET_COPYOUT = 0xfffffff007182cf8;
  1385. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099fe0;
  1386. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad680;
  1387. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099b24;
  1388. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e595e0;
  1389. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0063aa140;
  1390. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b20b8;
  1391. }
  1392. }
  1393. // iPad Pro 12.9-inch (WiFi)
  1394. if(!strcmp(device, "iPad6,7"))
  1395. {
  1396. // 10.2.1
  1397. if(!strcmp(osversion, "14D27"))
  1398. {
  1399. OFFSET_ZONE_MAP = 0xfffffff007556360;
  1400. OFFSET_KERNEL_MAP = 0xfffffff0075b2058;
  1401. OFFSET_KERNEL_TASK = 0xfffffff0075b2050;
  1402. OFFSET_REALHOST = 0xfffffff007538a98;
  1403. OFFSET_BZERO = 0xfffffff007082140;
  1404. OFFSET_BCOPY = 0xfffffff007081f80;
  1405. OFFSET_COPYIN = 0xfffffff007182af0;
  1406. OFFSET_COPYOUT = 0xfffffff007182cf8;
  1407. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099fe0;
  1408. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad680;
  1409. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099b24;
  1410. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e595e0;
  1411. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0063aa140;
  1412. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b20b8;
  1413. }
  1414. }
  1415. // iPad Pro 2 (12.9-inch, WiFi) and iPad Pro 2 (12.9-inch, Cellular)
  1416. if(!strcmp(device, "iPad7,1") || !strcmp(device, "iPad7,2"))
  1417. {
  1418. // 10.3.3
  1419. if(!strcmp(osversion, "14G60"))
  1420. {
  1421. OFFSET_ZONE_MAP = 0xfffffff007590478;
  1422. OFFSET_KERNEL_MAP = 0xfffffff0075ec050;
  1423. OFFSET_KERNEL_TASK = 0xfffffff0075ec048;
  1424. OFFSET_REALHOST = 0xfffffff007572ba0;
  1425. OFFSET_BZERO = 0xfffffff0070c1f80;
  1426. OFFSET_BCOPY = 0xfffffff0070c1dc0;
  1427. OFFSET_COPYIN = 0xfffffff0071c5ecc;
  1428. OFFSET_COPYOUT = 0xfffffff0071c61ac;
  1429. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070df014;
  1430. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070f22ec;
  1431. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070deb38;
  1432. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ec1578;
  1433. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00632e0c8;
  1434. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075ec0b0;
  1435. }
  1436. // 10.3.2
  1437. if(!strcmp(osversion, "14F8089"))
  1438. {
  1439. OFFSET_ZONE_MAP = 0xfffffff007590478;
  1440. OFFSET_KERNEL_MAP = 0xfffffff0075ec050;
  1441. OFFSET_KERNEL_TASK = 0xfffffff0075ec048;
  1442. OFFSET_REALHOST = 0xfffffff007572ba0;
  1443. OFFSET_BZERO = 0xfffffff0070c1f80;
  1444. OFFSET_BCOPY = 0xfffffff0070c1dc0;
  1445. OFFSET_COPYIN = 0xfffffff0071c6220;
  1446. OFFSET_COPYOUT = 0xfffffff0071c6500;
  1447. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070df014;
  1448. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070f22ec;
  1449. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070deb38;
  1450. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ec1578;
  1451. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00632e0c8;
  1452. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075ec0b0;
  1453. }
  1454. }
  1455. // iPhone SE
  1456. if(!strcmp(device, "iPhone8,4"))
  1457. {
  1458. // 10.3.3
  1459. if(!strcmp(osversion, "14G60"))
  1460. {
  1461. OFFSET_ZONE_MAP = 0xfffffff007548478;
  1462. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  1463. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  1464. OFFSET_REALHOST = 0xfffffff00752aba0;
  1465. OFFSET_BZERO = 0xfffffff007081f80;
  1466. OFFSET_BCOPY = 0xfffffff007081dc0;
  1467. OFFSET_COPYIN = 0xfffffff0071803a0;
  1468. OFFSET_COPYOUT = 0xfffffff007180594;
  1469. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099e94;
  1470. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad16c;
  1471. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070999b8;
  1472. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e849f8;
  1473. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006482174;
  1474. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  1475. }
  1476. // 10.3.2
  1477. if(!strcmp(osversion, "14F89"))
  1478. {
  1479. OFFSET_ZONE_MAP = 0xfffffff007548478;
  1480. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  1481. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  1482. OFFSET_REALHOST = 0xfffffff00752aba0;
  1483. OFFSET_BZERO = 0xfffffff007081f80;
  1484. OFFSET_BCOPY = 0xfffffff007081dc0;
  1485. OFFSET_COPYIN = 0xfffffff0071806f4;
  1486. OFFSET_COPYOUT = 0xfffffff0071808e8;
  1487. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099e94;
  1488. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad16c;
  1489. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070999b8;
  1490. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e849f8;
  1491. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006482174;
  1492. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  1493. }
  1494. // 10.3.1
  1495. if(!strcmp(osversion, "14E304"))
  1496. {
  1497. OFFSET_ZONE_MAP = 0xfffffff007548478;
  1498. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  1499. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  1500. OFFSET_REALHOST = 0xfffffff00752aba0;
  1501. OFFSET_BZERO = 0xfffffff007081f80;
  1502. OFFSET_BCOPY = 0xfffffff007081dc0;
  1503. OFFSET_COPYIN = 0xfffffff007180720;
  1504. OFFSET_COPYOUT = 0xfffffff007180914;
  1505. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099efc;
  1506. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad154;
  1507. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a20;
  1508. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e849f8;
  1509. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006481174;
  1510. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  1511. }
  1512. // 10.3
  1513. if(!strcmp(osversion, "14E277"))
  1514. {
  1515. OFFSET_ZONE_MAP = 0xfffffff007548478;
  1516. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  1517. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  1518. OFFSET_REALHOST = 0xfffffff00752aba0;
  1519. OFFSET_BZERO = 0xfffffff007081f80;
  1520. OFFSET_BCOPY = 0xfffffff007081dc0;
  1521. OFFSET_COPYIN = 0xfffffff007180720;
  1522. OFFSET_COPYOUT = 0xfffffff007180914;
  1523. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099efc;
  1524. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad154;
  1525. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a20;
  1526. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e849f8;
  1527. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006481174;
  1528. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  1529. }
  1530. // 10.2.1
  1531. if(!strcmp(osversion, "14D27"))
  1532. {
  1533. OFFSET_ZONE_MAP = 0xfffffff007556360;
  1534. OFFSET_KERNEL_MAP = 0xfffffff0075b2058;
  1535. OFFSET_KERNEL_TASK = 0xfffffff0075b2050;
  1536. OFFSET_REALHOST = 0xfffffff007538a98;
  1537. OFFSET_BZERO = 0xfffffff007082140;
  1538. OFFSET_BCOPY = 0xfffffff007081f80;
  1539. OFFSET_COPYIN = 0xfffffff007182af0;
  1540. OFFSET_COPYOUT = 0xfffffff007182cf8;
  1541. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099fe0;
  1542. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad680;
  1543. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099b24;
  1544. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e8c820;
  1545. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00649dfb0;
  1546. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b20b8;
  1547. }
  1548. }
  1549. // iPhone 5s (Global) and iPhone 5s (GSM)
  1550. if(!strcmp(device, "iPhone6,2") || !strcmp(device, "iPhone6,1"))
  1551. {
  1552. // 10.3.3
  1553. if(!strcmp(osversion, "14G60"))
  1554. {
  1555. OFFSET_ZONE_MAP = 0xfffffff00754c478;
  1556. OFFSET_KERNEL_MAP = 0xfffffff0075a8050;
  1557. OFFSET_KERNEL_TASK = 0xfffffff0075a8048;
  1558. OFFSET_REALHOST = 0xfffffff00752eba0;
  1559. OFFSET_BZERO = 0xfffffff007081f80;
  1560. OFFSET_BCOPY = 0xfffffff007081dc0;
  1561. OFFSET_COPYIN = 0xfffffff007180e98;
  1562. OFFSET_COPYOUT = 0xfffffff00718108c;
  1563. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099f14;
  1564. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad1ec;
  1565. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a38;
  1566. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f25538;
  1567. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006522174;
  1568. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a80b0;
  1569. }
  1570. // 10.3.2
  1571. if(!strcmp(osversion, "14F89"))
  1572. {
  1573. OFFSET_ZONE_MAP = 0xfffffff00754c478;
  1574. OFFSET_KERNEL_MAP = 0xfffffff0075a8050;
  1575. OFFSET_KERNEL_TASK = 0xfffffff0075a8048;
  1576. OFFSET_REALHOST = 0xfffffff00752eba0;
  1577. OFFSET_BZERO = 0xfffffff007081f80;
  1578. OFFSET_BCOPY = 0xfffffff007081dc0;
  1579. OFFSET_COPYIN = 0xfffffff0071811ec;
  1580. OFFSET_COPYOUT = 0xfffffff0071813e0;
  1581. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099f14;
  1582. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad1ec;
  1583. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a38;
  1584. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f25538;
  1585. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006526174;
  1586. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a80b0;
  1587. }
  1588. // 10.3.1
  1589. if(!strcmp(osversion, "14E304"))
  1590. {
  1591. OFFSET_ZONE_MAP = 0xfffffff00754c478;
  1592. OFFSET_KERNEL_MAP = 0xfffffff0075a8050;
  1593. OFFSET_KERNEL_TASK = 0xfffffff0075a8048;
  1594. OFFSET_REALHOST = 0xfffffff00752eba0;
  1595. OFFSET_BZERO = 0xfffffff007081f80;
  1596. OFFSET_BCOPY = 0xfffffff007081dc0;
  1597. OFFSET_COPYIN = 0xfffffff007181218;
  1598. OFFSET_COPYOUT = 0xfffffff00718140c;
  1599. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099f7c;
  1600. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad1d4;
  1601. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099aa0;
  1602. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f25538;
  1603. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006525174;
  1604. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a80b0;
  1605. }
  1606. // 10.3
  1607. if(!strcmp(osversion, "14E277"))
  1608. {
  1609. OFFSET_ZONE_MAP = 0xfffffff00754c478;
  1610. OFFSET_KERNEL_MAP = 0xfffffff0075a8050;
  1611. OFFSET_KERNEL_TASK = 0xfffffff0075a8048;
  1612. OFFSET_REALHOST = 0xfffffff00752eba0;
  1613. OFFSET_BZERO = 0xfffffff007081f80;
  1614. OFFSET_BCOPY = 0xfffffff007081dc0;
  1615. OFFSET_COPYIN = 0xfffffff007181218;
  1616. OFFSET_COPYOUT = 0xfffffff00718140c;
  1617. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099f7c;
  1618. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad1d4;
  1619. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099aa0;
  1620. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f25538;
  1621. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006525174;
  1622. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a80b0;
  1623. }
  1624. }
  1625. // iPhone 5s (Global)
  1626. if(!strcmp(device, "iPhone6,2"))
  1627. {
  1628. // 10.2.1
  1629. if(!strcmp(osversion, "14D27"))
  1630. {
  1631. OFFSET_ZONE_MAP = 0xfffffff00755a360;
  1632. OFFSET_KERNEL_MAP = 0xfffffff0075b6058;
  1633. OFFSET_KERNEL_TASK = 0xfffffff0075b6050;
  1634. OFFSET_REALHOST = 0xfffffff00753ca98;
  1635. OFFSET_BZERO = 0xfffffff007082140;
  1636. OFFSET_BCOPY = 0xfffffff007081f80;
  1637. OFFSET_COPYIN = 0xfffffff0071835dc;
  1638. OFFSET_COPYOUT = 0xfffffff0071837e4;
  1639. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff00709a060;
  1640. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad700;
  1641. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099ba4;
  1642. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f2ca20;
  1643. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006531fb0;
  1644. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b60b8;
  1645. }
  1646. }
  1647. // iPhone 5s (GSM)
  1648. if(!strcmp(device, "iPhone6,1"))
  1649. {
  1650. // 10.2.1
  1651. if(!strcmp(osversion, "14D27"))
  1652. {
  1653. OFFSET_ZONE_MAP = 0xfffffff00755a360;
  1654. OFFSET_KERNEL_MAP = 0xfffffff0075b6058;
  1655. OFFSET_KERNEL_TASK = 0xfffffff0075b6050;
  1656. OFFSET_REALHOST = 0xfffffff00753ca98;
  1657. OFFSET_BZERO = 0xfffffff007082140;
  1658. OFFSET_BCOPY = 0xfffffff007081f80;
  1659. OFFSET_COPYIN = 0xfffffff0071835dc;
  1660. OFFSET_COPYOUT = 0xfffffff0071837e4;
  1661. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff00709a060;
  1662. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad700;
  1663. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099ba4;
  1664. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006f2ca20;
  1665. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006531fb0;
  1666. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b60b8;
  1667. }
  1668. }
  1669. // iPhone 6+
  1670. if(!strcmp(device, "iPhone7,1"))
  1671. {
  1672. // 10.3.3
  1673. if(!strcmp(osversion, "14G60"))
  1674. {
  1675. OFFSET_ZONE_MAP = 0xfffffff007558478;
  1676. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  1677. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  1678. OFFSET_REALHOST = 0xfffffff00753aba0;
  1679. OFFSET_BZERO = 0xfffffff00708df80;
  1680. OFFSET_BCOPY = 0xfffffff00708ddc0;
  1681. OFFSET_COPYIN = 0xfffffff00718d028;
  1682. OFFSET_COPYOUT = 0xfffffff00718d21c;
  1683. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a60b4;
  1684. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b938c;
  1685. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5bd8;
  1686. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006eee1b8;
  1687. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064b2174;
  1688. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  1689. }
  1690. // 10.3.2
  1691. if(!strcmp(osversion, "14F89"))
  1692. {
  1693. OFFSET_ZONE_MAP = 0xfffffff007558478;
  1694. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  1695. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  1696. OFFSET_REALHOST = 0xfffffff00753aba0;
  1697. OFFSET_BZERO = 0xfffffff00708df80;
  1698. OFFSET_BCOPY = 0xfffffff00708ddc0;
  1699. OFFSET_COPYIN = 0xfffffff00718d37c;
  1700. OFFSET_COPYOUT = 0xfffffff00718d570;
  1701. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a60b4;
  1702. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b938c;
  1703. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5bd8;
  1704. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006eee1b8;
  1705. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064b2174;
  1706. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  1707. }
  1708. // 10.3.1
  1709. if(!strcmp(osversion, "14E304"))
  1710. {
  1711. OFFSET_ZONE_MAP = 0xfffffff007558478;
  1712. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  1713. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  1714. OFFSET_REALHOST = 0xfffffff00753aba0;
  1715. OFFSET_BZERO = 0xfffffff00708df80;
  1716. OFFSET_BCOPY = 0xfffffff00708ddc0;
  1717. OFFSET_COPYIN = 0xfffffff00718d3a8;
  1718. OFFSET_COPYOUT = 0xfffffff00718d59c;
  1719. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a611c;
  1720. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b9374;
  1721. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5c40;
  1722. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006eee1b8;
  1723. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064b5174;
  1724. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  1725. }
  1726. // 10.3
  1727. if(!strcmp(osversion, "14E277"))
  1728. {
  1729. OFFSET_ZONE_MAP = 0xfffffff007558478;
  1730. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  1731. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  1732. OFFSET_REALHOST = 0xfffffff00753aba0;
  1733. OFFSET_BZERO = 0xfffffff00708df80;
  1734. OFFSET_BCOPY = 0xfffffff00708ddc0;
  1735. OFFSET_COPYIN = 0xfffffff00718d3a8;
  1736. OFFSET_COPYOUT = 0xfffffff00718d59c;
  1737. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a611c;
  1738. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b9374;
  1739. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5c40;
  1740. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006eee1b8;
  1741. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064b5174;
  1742. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  1743. }
  1744. // 10.2.1
  1745. if(!strcmp(osversion, "14D27"))
  1746. {
  1747. OFFSET_ZONE_MAP = 0xfffffff007566360;
  1748. OFFSET_KERNEL_MAP = 0xfffffff0075c2058;
  1749. OFFSET_KERNEL_TASK = 0xfffffff0075c2050;
  1750. OFFSET_REALHOST = 0xfffffff007548a98;
  1751. OFFSET_BZERO = 0xfffffff00708e140;
  1752. OFFSET_BCOPY = 0xfffffff00708df80;
  1753. OFFSET_COPYIN = 0xfffffff00718f76c;
  1754. OFFSET_COPYOUT = 0xfffffff00718f974;
  1755. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a6200;
  1756. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b98a0;
  1757. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5d44;
  1758. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ef57a0;
  1759. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064c1fb0;
  1760. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075c20b8;
  1761. }
  1762. }
  1763. // iPhone 6s+
  1764. if(!strcmp(device, "iPhone8,2"))
  1765. {
  1766. // 10.3.3
  1767. if(!strcmp(osversion, "14G60"))
  1768. {
  1769. OFFSET_ZONE_MAP = 0xfffffff007548478;
  1770. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  1771. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  1772. OFFSET_REALHOST = 0xfffffff00752aba0;
  1773. OFFSET_BZERO = 0xfffffff007081f80;
  1774. OFFSET_BCOPY = 0xfffffff007081dc0;
  1775. OFFSET_COPYIN = 0xfffffff0071803a0;
  1776. OFFSET_COPYOUT = 0xfffffff007180594;
  1777. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099e94;
  1778. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad16c;
  1779. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070999b8;
  1780. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e7c9f8;
  1781. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006462174;
  1782. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  1783. }
  1784. // 10.3.2
  1785. if(!strcmp(osversion, "14F89"))
  1786. {
  1787. OFFSET_ZONE_MAP = 0xfffffff007548478;
  1788. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  1789. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  1790. OFFSET_REALHOST = 0xfffffff00752aba0;
  1791. OFFSET_BZERO = 0xfffffff007081f80;
  1792. OFFSET_BCOPY = 0xfffffff007081dc0;
  1793. OFFSET_COPYIN = 0xfffffff0071806f4;
  1794. OFFSET_COPYOUT = 0xfffffff0071808e8;
  1795. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099e94;
  1796. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad16c;
  1797. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070999b8;
  1798. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e7c9f8;
  1799. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006466174;
  1800. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  1801. }
  1802. // 10.3.1
  1803. if(!strcmp(osversion, "14E304"))
  1804. {
  1805. OFFSET_ZONE_MAP = 0xfffffff007548478;
  1806. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  1807. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  1808. OFFSET_REALHOST = 0xfffffff00752aba0;
  1809. OFFSET_BZERO = 0xfffffff007081f80;
  1810. OFFSET_BCOPY = 0xfffffff007081dc0;
  1811. OFFSET_COPYIN = 0xfffffff007180720;
  1812. OFFSET_COPYOUT = 0xfffffff007180914;
  1813. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099efc;
  1814. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad154;
  1815. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a20;
  1816. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e7c9f8;
  1817. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006465174;
  1818. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  1819. }
  1820. // 10.3
  1821. if(!strcmp(osversion, "14E277"))
  1822. {
  1823. OFFSET_ZONE_MAP = 0xfffffff007548478;
  1824. OFFSET_KERNEL_MAP = 0xfffffff0075a4050;
  1825. OFFSET_KERNEL_TASK = 0xfffffff0075a4048;
  1826. OFFSET_REALHOST = 0xfffffff00752aba0;
  1827. OFFSET_BZERO = 0xfffffff007081f80;
  1828. OFFSET_BCOPY = 0xfffffff007081dc0;
  1829. OFFSET_COPYIN = 0xfffffff007180720;
  1830. OFFSET_COPYOUT = 0xfffffff007180914;
  1831. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099efc;
  1832. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad154;
  1833. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099a20;
  1834. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e7c9f8;
  1835. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006465174;
  1836. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075a40b0;
  1837. }
  1838. // 10.2.1
  1839. if(!strcmp(osversion, "14D27"))
  1840. {
  1841. OFFSET_ZONE_MAP = 0xfffffff007556360;
  1842. OFFSET_KERNEL_MAP = 0xfffffff0075b2058;
  1843. OFFSET_KERNEL_TASK = 0xfffffff0075b2050;
  1844. OFFSET_REALHOST = 0xfffffff007538a98;
  1845. OFFSET_BZERO = 0xfffffff007082140;
  1846. OFFSET_BCOPY = 0xfffffff007081f80;
  1847. OFFSET_COPYIN = 0xfffffff007182af0;
  1848. OFFSET_COPYOUT = 0xfffffff007182cf8;
  1849. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff007099fe0;
  1850. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070ad680;
  1851. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff007099b24;
  1852. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e84820;
  1853. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006481fb0;
  1854. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b20b8;
  1855. }
  1856. }
  1857. // iPod touch 6
  1858. if(!strcmp(device, "iPod7,1"))
  1859. {
  1860. // 10.3.3
  1861. if(!strcmp(osversion, "14G60"))
  1862. {
  1863. OFFSET_ZONE_MAP = 0xfffffff007558478;
  1864. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  1865. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  1866. OFFSET_REALHOST = 0xfffffff00753aba0;
  1867. OFFSET_BZERO = 0xfffffff00708df80;
  1868. OFFSET_BCOPY = 0xfffffff00708ddc0;
  1869. OFFSET_COPYIN = 0xfffffff00718d028;
  1870. OFFSET_COPYOUT = 0xfffffff00718d21c;
  1871. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a60b4;
  1872. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b938c;
  1873. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5bd8;
  1874. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ef2d78;
  1875. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00651a174;
  1876. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  1877. }
  1878. // 10.3.2
  1879. if(!strcmp(osversion, "14F89"))
  1880. {
  1881. OFFSET_ZONE_MAP = 0xfffffff007558478;
  1882. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  1883. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  1884. OFFSET_REALHOST = 0xfffffff00753aba0;
  1885. OFFSET_BZERO = 0xfffffff00708df80;
  1886. OFFSET_BCOPY = 0xfffffff00708ddc0;
  1887. OFFSET_COPYIN = 0xfffffff00718d37c;
  1888. OFFSET_COPYOUT = 0xfffffff00718d570;
  1889. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a60b4;
  1890. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b938c;
  1891. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5bd8;
  1892. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ef2d78;
  1893. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00651e174;
  1894. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  1895. }
  1896. // 10.3.1
  1897. if(!strcmp(osversion, "14E304"))
  1898. {
  1899. OFFSET_ZONE_MAP = 0xfffffff007558478;
  1900. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  1901. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  1902. OFFSET_REALHOST = 0xfffffff00753aba0;
  1903. OFFSET_BZERO = 0xfffffff00708df80;
  1904. OFFSET_BCOPY = 0xfffffff00708ddc0;
  1905. OFFSET_COPYIN = 0xfffffff00718d3a8;
  1906. OFFSET_COPYOUT = 0xfffffff00718d59c;
  1907. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a611c;
  1908. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b9374;
  1909. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5c40;
  1910. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ef2d78;
  1911. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00651d174;
  1912. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  1913. }
  1914. // 10.3
  1915. if(!strcmp(osversion, "14E277"))
  1916. {
  1917. OFFSET_ZONE_MAP = 0xfffffff007558478;
  1918. OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
  1919. OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
  1920. OFFSET_REALHOST = 0xfffffff00753aba0;
  1921. OFFSET_BZERO = 0xfffffff00708df80;
  1922. OFFSET_BCOPY = 0xfffffff00708ddc0;
  1923. OFFSET_COPYIN = 0xfffffff00718d3a8;
  1924. OFFSET_COPYOUT = 0xfffffff00718d59c;
  1925. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a611c;
  1926. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b9374;
  1927. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5c40;
  1928. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006ef2d78;
  1929. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff00651d174;
  1930. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075b40b0;
  1931. }
  1932. // 10.2.1
  1933. if(!strcmp(osversion, "14D27"))
  1934. {
  1935. OFFSET_ZONE_MAP = 0xfffffff007566360;
  1936. OFFSET_KERNEL_MAP = 0xfffffff0075c2058;
  1937. OFFSET_KERNEL_TASK = 0xfffffff0075c2050;
  1938. OFFSET_REALHOST = 0xfffffff007548a98;
  1939. OFFSET_BZERO = 0xfffffff00708e140;
  1940. OFFSET_BCOPY = 0xfffffff00708df80;
  1941. OFFSET_COPYIN = 0xfffffff00718f76c;
  1942. OFFSET_COPYOUT = 0xfffffff00718f974;
  1943. OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a6200;
  1944. OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b98a0;
  1945. OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5d44;
  1946. OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006efa320;
  1947. OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff006529fb0;
  1948. OFFSET_ROOT_MOUNT_V_NODE = 0xfffffff0075c20b8;
  1949. }
  1950. }
  1951. if(!OFFSET_ZONE_MAP)
  1952. {
  1953. LOG("%s on %s isn't supported", device, osversion);
  1954. error = KERN_FAILURE;
  1955. }
  1956. else
  1957. {
  1958. LOG("loading offsets for %s - %s", device, osversion);
  1959. LOG("test offset ZONE_MAP: %llx", OFFSET_ZONE_MAP);
  1960. error = KERN_SUCCESS;
  1961. }
  1962. return error;
  1963. }