Apple’s iOS Kernel Patch Protection (KPP) Explained

Many users asked me what Kernel Patch Protection is. So I decided to write a quick article explaining what KPP is and how it works.

What is Kernel Patch Protection?

KPP (Kernel Patch Protection) is a protection mechanism deployed by Apple on modern firmware versions. KPP was first introduced in iOS 9 firmware and is still being used on iOS 10.

As the name suggests, KPP performs random “checks” to ensure the kernel is in its original state. It runs during boot and keeps running after the boot sequence is over.

jailbreak

KPP is designed to protect iOS from jailbreak tools. However, it also prevents malware from covertly modifying your device.

KPP is also the reason behind 32-bit devices not being compatible with Yalu. KPP security mechanism is present only on 64-bit iOS devices. This makes developing a working jailbreak tool for both architectures very cumbersome and time-consuming.

Since hackers release jailbreaks for free, most of them aren’t willing to go the extra mile for older devices.

How Kernel Patch Protection Works

A jailbreak essentially modifies kernel permissions from read-only (ro) to read, write, execute (rw). This process is known as patching.

Older jailbreak tools such as evasi0n and greenpois0n directly patch the kernel. They are able to do so because KPP didn’t exist in older firmware versions.

chronic dev team

Now each time you reboot your device, the “patched” kernel loads without any major hiccups.

This is where KPP comes into action.

KPP ensures the integrity of the iOS kernel. Even when a hacker injects malicious code into the kernel, it can’t patch the kernel fully.

How Hackers Bypass KPP

Many vulnerabilities such as IOHIDFamily vulnerabilities exist that allow hackers to bypass restrictions.

jailbreakme

However, these alone aren’t enough and a hacker must achieve the following.

  • Sandbox Escape – It is an exploit that allows the hacker to access components a process doesn’t have the permissions to.
  • Privilege Escalation – Gaining elevated access to protected resources.
  • KPP Bypass      

Here are the different KPP bypass techniques used in popular jailbreak tools.

Pangu9

  • Pangu9 “races” with the Code signing check during boot. For the uninitiated, Code signing check is another security mechanism that ensures the kernel is in read-only mode.
  • Pangu reaches the kernel before the Code signing check does. It then changes the kernel permissions to rw and disables the Code signing check.
  • After the Code signing check is disabled, Pangu uses another exploit to disable Kernel Patch Protection.

Pangu 9.2-9.3.3 and Yalu

  • Pangu and Yalu jailbreak the device after it boots.
  • When the user reboots the device, Code signing check gets active. It detects a kernel in rw mode and hence changes it to ro mode.
  • The user then runs the jailbreak app to set the kernel to rw mode again.
  • Once the device is in jailbreak mode, they then employ another exploit to disable Kernel Patch Protection.

Undoubtedly, the jailbreak game is getting harder by the day. Apple has been actively ramping up iOS security but hackers are still finding exploits.

Recently, iOS 11 and iOS 10.3.2 jailbreaks were demonstrated by Liang Chen of KeenLab.

For more scene updates, follow us on Facebook and Twitter.

2 Comments

  1. Daniel Yankovich June 26, 2017
    • Luca R June 26, 2017

Leave a Reply

Share4
Tweet