Kernel Patches

For the patches applied together with a jailbreak, most groups rely on a list of patches generated by comex. See https://github.com/comex/datautils0/blob/master/make_kernel_patchfile.c

See also saurik's comment for a list of "the 'best practice' patches that jailbreaks install by default" on ycombinator.

Kernel Offsets
(Initial list copied from Unthredera1n source code.)

Patching the kernel (using inline ASM)
Here are some functions, already patched so that they can be dropped in as jailbreak kernel patches. For vm_map_protect the function is:

    /* Patched vm_map_protect: the BIC.W at the end clears the VM_PROT_EXECUTE bit (#4) */
    int vm_map_protect_patch(void)
    {
        __asm {
            AND.W   R1, R6, #8
            CMP     R1, #6
            IT EQ
            TSTEQ.W R0, #0x40000000
            BNE     loc_8004A96A
            BIC.W   R6, R6, #4
        }
    }

For vm_map_enter:

    /* Patched vm_map_enter: the BIC.W near the end clears bit #4 of cur_protection */
    int vm_map_enter_patch(void)
    {
        __asm {
            LDR     R1, [R7,#cur_protection]
            AND.W   R0, R4, #0x80000
            STR     R0, [SP,#0xB8+var_54]
            STR     R1, [SP,#0xB8+var_78]
            AND.W   R0, R1, #8
            CMP     R0, #6
            ITT EQ
            LDREQ   R0, [SP,#0xB8+var_54]
            CMPEQ   R0, #0
            BNE     loc_800497F0
            LDR.W   R1, =aKern_return_
            MOVS    R0, #0
            BL      sub_8001D608
            LDR     R0, [R7,#cur_protection]
            BIC.W   R0, R0, #4
            STR     R0, [SP,#0xB8+var_78]
        }
    }

For cs_enforcement_disable (kernel):

    /* Patched cs_enforcement_disable (kernel side) */
    int cs_kern_patch(void)
    {
        __asm {
            LDR.W   R3, =dword_802DE330
            MRC     p15, 0, R0, c13, c0, 4
            LDR     R2, [R4,#0x28]
            LDR     R3, #1
            CMP     R3, #0
        }
    }

To use this in an untether, locate the functions with find_vm_map_enter_patch, find_vm_map_protect_patch and find_cs_enforcement_disable_kernel from planetbeing's ios-jailbreak-finder, then use bcopy to copy the patched functions above over the real ones. Here is an example:

    /* buffer that receives the kernel file */
    uint32_t *p = malloc(0xd00000);
    /* note: sizeof(p) is the size of the pointer, not of the 0xd00000 buffer */
    uint32_t cs_kern = find_cs_enforcement_disable(kernel_file, p, sizeof(p));
    /* overwrite the located function with the patched version */
    bcopy((void*)cs_kern_patch, cs_kern, sizeof(cs_kern_patch));