Kev1nLevin/darksword-kexploit-ios18
DarkSword Kernel Exploit — iOS 18.4 Offset Update

Forked from the original darksword kexploit (Objective-C reimplementation). Updated with verified kernel struct offsets for iOS 18.4 / iPhone 15 Pro (A17 Pro).

What this does

Achieves kernel read/write via a physical memory TOCTOU race condition:

  1. Creates physically contiguous memory via IOSurface (PurpleGfxMem)
  2. Races pwritev/preadv against mach_vm_map(VM_FLAGS_OVERWRITE) for OOB physical read/write
  3. Sprays ICMPv6 sockets, corrupts icmp6_filter pointer for stable kernel r/w
  4. Walks socket → so_proto → pr_input to find kernel base and KASLR slide

iOS 18.4 offset changes

All offsets verified via kernelcache disassembly (capstone + IDA Hex-Rays) and XNU source (xnu-11215 through xnu-11417).

| Define                 | iOS 15.x  | iOS 18.4  | Verification        |
|------------------------|-----------|-----------|---------------------|
| OFFSET_PCB_SOCKET      | 0x40      | 0x40      | Disasm + source     |
| OFFSET_SOCKET_SO_COUNT | 0x228     | 0x254     | Disasm (sorele)     |
| OFFSET_ICMP6FILT       | 0x150     | 0x138     | Disasm + source     |
| OFFSET_SO_PROTO        | 0x18      | 0x20      | Disasm (soclose)    |
| OFFSET_PR_INPUT        | 0x28      | 0x20      | Disasm (ip6_input)  |
| OFFSET_INP_GENCNT      | 0x78      | 0x78      | IDA + source        |
| OFFSET_INP_LIST        | 0x20/0x28 | 0x20/0x28 | XNU source          |

Kernel: xnu-11417.102.9 (Darwin 24.4.0, RELEASE_ARM64_T8122)

Status

  • Offsets: Verified
  • Build: Compiles (arm64 + arm64e)
  • Tested on device: No. Running it requires a deployment method that grants private entitlements (no-sandbox, platform-application, IOKit user clients); no such method is known for stock iOS 18.4.
  • Race condition patched? Unknown. This cannot be determined without a way to deploy and run the code on a device.
  • A18 support: pe_v2() still unimplemented

Building

Requires Xcode (iOS SDK) and ldid:

brew install ldid
make        # compile
make sign   # sign with entitlements

What this is NOT

This is not a jailbreak. Even if KRW works, a full jailbreak additionally requires PPL bypass, CoreTrust/AMFI bypass, codesign bypass, and post-exploitation tooling.

Credits

  • Original darksword kexploit author
  • Offset analysis for iOS 18.4 by @Kev1nLevin

About

DarkSword kernel exploit with verified iOS 18.4 offsets for iPhone 15 Pro (A17 Pro, xnu-11417.102.9)
