ok so as entertaining as this is, it doesn't seem nice to let people speculate and possibly get excited over nothing. so, i'll address the big thing i guess :
if you open up any of the payloads in a hex editor, you will indeed find that code. this is apparently significant because this syscall lets processes that have access to it execute arbitrary code in kernel mode. sounds amazing right ? of course the thing is that no process actually has access to it, so you'd need some kind of exploit to use it. therefore, there has to be some kind of exploit hidden away that gives the current process access to it, right ? smea's a liar and thought noone would find his secret kernel exploit, right ?
as you've probably guessed by now, no, that's not what's going on. the truth of the matter is that unlike what Mrrraou claims, this code is not used by anything. sure, the svcBackdoor function exists, and it *is* called by another function... but the function in question is not called by anything, ever. this is just a remnant of some old debugging code in app_bootloader which only ran on 9.2.
here's a screenshot of the actual code, and how it's not called anymore :
View attachment 29721
View attachment 29722
and if you still don't believe me just ask anyone who knows how to read arm disassembly to take a look, and they'll be able to confirm that invalidate_icache isn't called anywhere in app_bootloader. another thing you could do for proof is modify the payload : just replace the svc 0x7b instruction with an undefined instruction (like 0xffffffff); this way, if the funciton *is* called, it'll crash. if it's not, it'll just keep working the way it always does.
