Adding Support For Additional Devices

Custom offsets format

If you have found offsets you want to use, or you believe the offsets shipped with Home Depot are incorrect, you may supply custom offsets in the following format (one hexadecimal value per line, in this order):

[find_OSSerializer_serialize()]
[find_OSSymbol_getMetaClass()]
[find_calend_gettime()]
[find_bufattr_cpx()]
[find_clock_ops()]
[find_copyin()]
[find_bx_lr()]
[find_write_gadget()]
[find_vm_kernel_addrperm()]
[find_kernel_pmap()]
[find_invalidate_tlb()]
[allproc]
[proc_ucred]

How to find allproc

-In IDA, go to View -> Open subviews -> Strings and find the string "pgrp_add : pgrp is dead adding process".
-Press X on the auto-generated string symbol name to list its cross-references; you should see this symbol referenced from two functions.
-Open the smaller of those two functions in the IDA graph view.
-This is pgrp_add in the XNU source.
-Scroll to the bottom of the CFG; for armv7 there should be a dword referenced three times after an ITTT.
-That is the address of allproc. Subtract the kernel base to get the offset; in this case it's 0x5A4128.

How to find proc_ucred

Go to the proc_ucred function. You need the offset added to R0 in the first LDR. This should usually be 0xa4 on iOS 9.3-9.3.5.

User Submitted Offsets

Note: These offsets are user-submitted and have not been tested.

iPhone 4,1 iOS 9.2

0x3106FC
0x312E18
0x1DE84
0xD8750
0x3FC3DC
0xC6754
0xD8752
0xC6488
0x44E840
0x3EF444
0xC64E0
0x450128
0x98

iPhone 5,1 iOS 9.2.1

0x317868
0x319fa0
0x1eb88
0xdd9dc
0x4033dc
0xca87c
0xdd9de
0xca5a8
0x455964
0x3f6444
0xca600
0x457264
0x98

iPhone 5,1 iOS 9.3.3

0x31f13c
0x3219fc
0x1eeac
0xdea48
0x40b428
0xcb7dc
0xdea4a
0xcb508
0x45d978
0x3fe454
0xcb560
0x45f2c8
0xa4

iPhone 5,2/5,3 iOS 9.2/9.2.1

0x317768
0x319ea0
0x1ebac
0xdd9dc
0x4033dc
0xca87c
0xdd9de
0xca5a8
0x455964
0x3f6444
0xca600
0x457264
0x98

iPhone 5,2 iOS 9.3.4

0x31F13C
0x3219FC
0x1EEAC
0xDEA48
0x40B428
0xCB7DC
0xDEA4A
0xCB508
0x45D978
0x3FE454
0xCB560
0x45F2C8
0xA4

iPhone 5,3 iOS 9.3.3

0x31EF50
0x321810
0x1EE6C
0xDEA48
0x40B428
0xCB7DC
0xDEA4A
0xCB508
0x45D978
0x3FE454
0xCB560
0x45F2C8
0xA4

iPhone 5,4 iOS 9.3.2

0x31EF58
0x321818
0x1EE6C
0xDEA48
0x40B428
0xCB7DC
0xDEA4A
0xCB508
0x45D978
0x3FE454
0xCB560
0x45F2C8
0xA4

iPhone 5,4 iOS 9.3.3

0x31f13c
0x3219fc
0x1eeac
0xdea48
0x40b428
0xcb7dc
0xdea4a
0xcb508
0x45d978
0x3fe454
0xcb560
0x45f2c8
0xa4

iPad 2,5 iOS 9.3.2

0x318264
0x31aa6c
0x1e170
0xd9848
0x403428
0xc76b4
0xd984a
0xc73e8
0x455844
0x3f6454
0xc7440
0x45717C
0xa4

iPad 2,5 iOS 9.3.3

0x318388
0x31ab90
0x1e200
0xd9838
0x403428
0xc76b4
0xd983a
0xc73e8
0x455844
0x3f6454
0xc7440
0x45717C
0xa4

iPad 3,3 iOS 9.3.2

0x318264
0x31aa6c
0x1e170
0xd9848
0x403428
0xc76b4
0xd984a
0xc73e8
0x455844
0x3f6454
0xc7440
0x45717c
0xa4

iPad 3,6 iOS 9.2.1

0x317868
0x319fa0
0x1eb88
0xDD9DC
0x4033dc
0xCA87C
0xdd9de
0xca5a8
0x455964
0x3f6444
0xca600
0x457264
0x98

iPod touch 5,1 iOS 9.1

0x319450
0x31bc3c
0x1db34
0xd97d0
0x4053cc
0xc7754
0xd97d2
0xc7488
0x457030
0x3f8444
0xc74e0
0x458904
0x98

iPod touch 5,1 iOS 9.3.3

0x318388
0x31ab90
0x1e200
0xd9838
0x403428
0xc76b4
0xd983a
0xc73e8
0x455844
0x3f6454
0xc7440
0x45717c
0xa4