Welcome to tfp0 — a space for kernel exploitation, reverse engineering, and security research.

What is tfp0?

task_for_pid(0) — the holy grail of iOS/macOS kernel exploitation. Getting a send right to the kernel task port means full control over the kernel’s virtual memory. From there, you own the system.

What to Expect

This site will cover:

  • Vulnerability analysis — CVEs, patches, and root causes
  • Exploit development — from bug to tfp0
  • Mitigations — PAC, PPL, KTRR, and how they fall
  • Tooling — Frida, LLDB, Ghidra, and custom scripts

// The classic
#include <stdio.h>
#include <mach/mach.h>
#include <mach/mach_traps.h>   // task_for_pid()
int main(void) {
    mach_port_t tfp0 = MACH_PORT_NULL;
    kern_return_t kr = task_for_pid(mach_task_self(), 0, &tfp0);  // pid 0 = kernel task
    if (kr == KERN_SUCCESS) {
        printf("[+] got tfp0: 0x%x\n", tfp0);
    }
    return 0;
}

Stay tuned. root@tfp0:~#