Kernel Patch Protection (KPP)

kpwn edited this page Feb 11, 2016 · 5 revisions

As of iOS 9, all arm64 devices implement kernel patch protection: some component, most likely outside the kernel itself, periodically checks kernel integrity and panics the device when the check fails.

The checked ranges are __TEXT and __DATA.__const. It is speculated that the checks are enforced by either the SEP or the Secure Monitor.

Current attempts to bypass KPP actually avoid it entirely, as demonstrated in Pangu9. The general idea is not to patch __TEXT but rather data structures that lie outside the checked ranges. In particular, Pangu9 replaced hooks in AMFI's policy to either disable or alter the checks.
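To make the coverage point concrete, here is an added model of a periodic integrity monitor of the kind the page describes. It is constructed for this page and is not Apple's implementation or Pangu's code: it stands in two byte arrays for __TEXT and __DATA.__const, hashes them into a boot-time baseline, and reports whether a later check still matches. A third, writable table of function pointers (a stand-in for a mutable policy hook table) is deliberately left out of the checked ranges, which is exactly why a checker that covers only read-only regions gives no signal when such a table changes. All names (`kpp_check`, `model_text`, `model_hooks`, the FNV-1a digest) are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a kernel image: two regions the page says KPP covers
 * (__TEXT and __DATA.__const) and one mutable region that lies outside them. */
static uint8_t model_text[64];         /* stands in for __TEXT            */
static uint8_t model_data_const[32];   /* stands in for __DATA.__const    */
static void (*model_hooks[4])(void);   /* mutable hook table, NOT checked */

struct checked_range { const void *base; size_t len; };

/* The ranges the monitor hashes; note that model_hooks is absent. */
static const struct checked_range kpp_ranges[] = {
    { model_text,       sizeof model_text       },
    { model_data_const, sizeof model_data_const },
};

/* 64-bit FNV-1a over one byte range, chained through h. */
static uint64_t fnv1a(uint64_t h, const void *p, size_t n) {
    const uint8_t *b = p;
    for (size_t i = 0; i < n; i++) {
        h ^= b[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Digest of every checked range, in order. */
uint64_t kpp_digest(void) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < sizeof kpp_ranges / sizeof kpp_ranges[0]; i++)
        h = fnv1a(h, kpp_ranges[i].base, kpp_ranges[i].len);
    return h;
}

static uint64_t kpp_baseline;

static void hook_a(void) {}
static void hook_b(void) {}

/* Deterministic "image contents" so the demo and test are reproducible. */
static void model_fill(void) {
    for (size_t i = 0; i < sizeof model_text; i++)       model_text[i] = (uint8_t)(i * 7);
    for (size_t i = 0; i < sizeof model_data_const; i++) model_data_const[i] = (uint8_t)(i * 3);
    for (size_t i = 0; i < 4; i++)                       model_hooks[i] = hook_a;
}

/* "Boot": populate the image and record the known-good digest. */
void kpp_init(void) {
    model_fill();
    kpp_baseline = kpp_digest();
}

/* One periodic check: 1 if the checked ranges still match the baseline,
 * 0 if the monitor would panic. */
int kpp_check(void) {
    return kpp_digest() == kpp_baseline;
}

/* Simulated modifications, used to see what the monitor does and does not see. */
void model_patch_text(size_t off, uint8_t v) { model_text[off] = v; }
void model_restore(void)                      { model_fill(); }
void model_swap_hook(size_t i)                { model_hooks[i] = hook_b; }

int main(void) {
    kpp_init();
    printf("clean image:            check=%d\n", kpp_check());
    model_patch_text(3, 0xFF);
    printf("byte changed in __TEXT: check=%d (monitor would panic)\n", kpp_check());
    model_restore();
    model_swap_hook(0);
    printf("hook table rewritten:   check=%d (outside checked ranges)\n", kpp_check());
    return 0;
}
```

The defensive reading is the one that matters: an integrity monitor is only as good as the set of ranges it hashes, so any writable structure that influences policy (hook tables, credential pointers, code-signing state) needs its own protection or auditing, because a hash of __TEXT and __DATA.__const will never report a change there.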
