Darksword Kexploit

---
name: darksword-kexploit
description: iOS kernel exploit (iOS 15.0–26.0.1) reimplemented in Objective-C, providing kernel read/write primitives and privilege escalation on supported devices.
triggers:
  - integrate darksword kernel exploit
  - use DarkSword kexploit in my iOS project
  - kernel read write primitives iOS
  - iOS privilege escalation exploit Objective-C
  - kernel exploit offsets iOS 15
  - implement kernel exploit in Objective-C
  - darksword exploit setup and usage
  - iOS jailbreak kernel exploit integration
---

# DarkSword Kernel Exploit

> Skill by [ara.so](https://ara.so) — Daily 2026 Skills collection.

DarkSword is a kernel exploit for iOS 15.0–26.0.1, reimplemented in Objective-C. It provides kernel-level read/write primitives and privilege escalation capabilities. Offsets are currently hardcoded for iOS 15.x; extending to other versions requires supplying correct kernel offsets.

---

## What It Does

- Exploits a kernel vulnerability present in iOS 15.0 through 26.0.1
- Provides arbitrary kernel memory read (`kread`) and write (`kwrite`) primitives
- Enables privilege escalation (setuid 0 / unsandboxing)
- Written in Objective-C for easy integration into iOS tooling, jailbreaks, or research projects

---

## Installation

### Adding to an Xcode Project

1. Clone the repository:
   ```bash
   git clone https://github.com/opa334/darksword-kexploit.git

2. Drag the source files into your Xcode project target.

3. Ensure your project's build settings include:

   • Deployment Target: iOS 15.0+
   • ARC: Enabled
   • Relevant entitlements if running on-device (codesign accordingly)

4. Import the main header:

   #import "DarkSword.h"
   

Theos/Makefile Integration

ARCHS = arm64 arm64e
TARGET = iphone:clang:latest:15.0

include $(THEOS)/makefiles/common.mk

TOOL_NAME = myexploit

myexploit_FILES = main.m DarkSword.m exploit_helpers.m
myexploit_CFLAGS = -fobjc-arc
myexploit_LDFLAGS = -lSystem

include $(THEOS_MAKE_PATH)/tool.mk

Key API / Usage Patterns

1. Running the Exploit

#import "DarkSword.h"

int main(int argc, char *argv[]) {
    @autoreleasepool {
        DarkSword *exploit = [[DarkSword alloc] init];

        BOOL success = [exploit run];
        if (!success) {
            NSLog(@"[!] Exploit failed.");
            return 1;
        }

        NSLog(@"[+] Exploit succeeded. Kernel task port: %d", exploit.kernelTaskPort);
    }
    return 0;
}

2. Kernel Read Primitive

#import "DarkSword.h"

// Read 8 bytes (uint64_t) from a kernel address
uint64_t ReadKernel64(DarkSword *exploit, uint64_t address) {
    uint64_t value = 0;
    [exploit kread:address into:&value size:sizeof(uint64_t)];
    return value;
}

// Example: read kernel slide from a known pointer
uint64_t kernelBase = ReadKernel64(exploit, KNOWN_KERNEL_POINTER_OFFSET);
NSLog(@"[+] Kernel base: 0x%llx", kernelBase);