Tfp0 patch

In the XNU kernel, task_for_pid is a function that allows a (privileged) process to obtain the task port of another process on the same host, except for the kernel task (process ID 0). A tfp0 patch (or task_for_pid(0) patch) removes this restriction, allowing any executable running as root to call task_for_pid for PID 0 (hence the name) and then use the Mach VM calls to modify the kernel VM region. The entitlements get-task-allow and task_for_pid-allow are required to make AMFI happy.

Example code
The following C program calls task_for_pid(0) and returns the error code as its exit status:

```c
// Compile and fakesign with entitlements (on-device; LLVM+Clang and ldid must be installed):
//   cc -o tfp0 tfp0.c && ldid -Stfp0.plist tfp0
#include <mach/mach.h>   // mach_port_t, mach_task_self(), task_for_pid()

int main(void)
{
    mach_port_t kernel_task = 0;
    // Request the task port of PID 0 (the kernel task). The kern_return_t becomes the
    // process exit status, so 0 means tfp0 is available to this root, entitled process.
    return task_for_pid(mach_task_self(), 0, &kernel_task);
}
```

The returned error code, which is the program's exit status and can be checked in bash after running the test program, will be 0 if the call succeeded. If it did not, a positive number is returned instead, e.g. 5 (KERN_FAILURE); see the Mach kern_return_t definitions for the possible values. The entitlements plist for ldid (named tfp0.plist in this example) can look like this:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>get-task-allow</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>
```
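The build, fakesign and run procedure above, as an added POSIX shell wrapper that is not part of the original page: it first confirms the plist carries the entitlements the page says AMFI requires, then builds and signs the probe and translates its exit status. It assumes tfp0.c and tfp0.plist from this page sit in the current directory and that cc and ldid are installed on the device.

```shell
#!/bin/sh
# Added example (not from the original page): drive the tfp0 probe described above.
# Assumes tfp0.c and tfp0.plist are in the current directory and cc/ldid are installed.

# Entitlement keys the page names as required to satisfy AMFI.
REQUIRED_ENTITLEMENTS="get-task-allow task_for_pid-allow"

# Return 0 if every required key is present in the plist; otherwise print the first
# missing key and return 1, so a signing mistake is caught before running the probe.
check_entitlements() {
    plist="$1"
    for key in $REQUIRED_ENTITLEMENTS; do
        if ! grep -q "<key>$key</key>" "$plist"; then
            echo "missing entitlement: $key"
            return 1
        fi
    done
    return 0
}

# Map the probe's exit status (a kern_return_t) to a readable verdict.
describe_status() {
    case "$1" in
        0) echo "KERN_SUCCESS: task_for_pid(0) succeeded, tfp0 is available" ;;
        5) echo "KERN_FAILURE: task_for_pid(0) refused; tfp0 patch or entitlements missing" ;;
        *) echo "kern_return_t $1: consult <mach/kern_return.h>" ;;
    esac
}

# Build, fakesign and run the probe. Returns the probe's kern_return_t exit status,
# or 255 if the entitlements check, compile or signing step failed.
run_probe() {
    check_entitlements tfp0.plist || return 255
    cc -o tfp0 tfp0.c || return 255
    ldid -Stfp0.plist tfp0 || return 255
    ./tfp0
    status=$?
    describe_status "$status"
    return "$status"
}
```

Call run_probe on the device; the verdict is printed and its exit status remains the raw kern_return_t for scripting.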

tfp0-enabled jailbreaks
Jailbreaks known to enable tfp0 include:
 * Absinthe (5.1.1)
 * evasi0n (6.0–6.1.2)
 * p0sixspwn (6.1.3–6.1.6)
 * evasi0n7 (7.0–7.0.6)
 * Pangu v0.3 (7.1–7.1.2)
 * Pangu8 v0.5 (8.0–8.1)
 * TaiG (8.0–8.4)
 * Pangu9 (9.0–9.0.2) on 32-bit
 * Home Depot (9.1–9.3.4) on 32-bit
 * jbme (9.2–9.3.3) on 64-bit
 * extra_recipe+yaluX (10.0–10.1.1) on 64-bit
 * yalu102 (10.2) on 64-bit (excluding iPhone 7)

Jailbreaks lacking tfp0
The following jailbreaks do not have tfp0 enabled:
 * Pangu v0.1–0.2 (7.1–7.1.2)
   * Solution: update to version 0.3 (filename: )
 * Pangu8 v0.1–0.4 (8.0–8.1)
   * Solution: update to version 0.5 (filename: )
 * PPJailbreak (8.0–8.4)
   * Solution: replace PPJailbreak with TaiG
 * Pangu9 (9.0–9.3.3) on 64-bit
   * Solution: use cl0ver by Siguza, or re-jailbreak using jbme (which uses the Trident exploit chain instead)
 * yalu + mach_portal (10.0–10.1.1) on 64-bit
   * Solution: use extra_recipe+yaluX instead
 * h3lix (10.0–10.3.3) on 32-bit
   * No solution for compiled code; replace  calls with   if the source is available