Comments (148)

kpwn avatar kpwn commented on July 20, 2024 5

'i hope eta is soon' kind of posts will be removed.

from yalu102.

kpwn avatar kpwn commented on July 20, 2024 3

mach_portal doesn't use pagestuff64, mach_portal+yalu does, and it doesn't work on 4k. Also, I am qwerty.

 avatar commented on July 20, 2024 3

@kpwn Some people may.
But a majority of us don't care when it's fixed. We just care that you are taking a look at the problem and trying to fix it eventually. That's all that really matters.

kpwn avatar kpwn commented on July 20, 2024 1

My sleep cycles are not normal; although it's almost 6pm here, I am still awake. Anyway, my definition of weekend is: do you really care this much?

meyer9 avatar meyer9 commented on July 20, 2024 1

This thread is not for asking him when it will be fixed, but for fixing the bug.

kpwn avatar kpwn commented on July 20, 2024 1

The level may indeed be the issue. Try to pass 1 rather than 2. Not sure, but I think it's that.

tangalbert919 avatar tangalbert919 commented on July 20, 2024 1

Good to know @kpwn is still awake.
I checked the offsets across device kernels that use the same CPU. They really are the same. I'll just wait until @kpwn does testing on 4K devices. Maybe I'll be one of them, because I'm bored and it sucks to do nothing.

ninjaprawn avatar ninjaprawn commented on July 20, 2024

Is it possible to get an explanation of what defines a "4K device", a "16K device", etc.?

ninjaprawn avatar ninjaprawn commented on July 20, 2024

After a quick google search, I have a feeling it might have to do with the size of the memory pages (http://stackoverflow.com/questions/21552747/strange-behavior-on-64bit-ios-devices-when-retrieving-vm-statistics/33574804)

shdkpr2008 avatar shdkpr2008 commented on July 20, 2024
/*
 * page size -> used to know how many pages the ipc ports zone will use per block so we can guess task port addresses
 */
.....
int page_size = getpagesize();
.....
  if (page_size == 0x1000)  // running with 4k pages
  .......
  else if (page_size == 0x4000)  // running with 16k pages
.....

Yes, 4K and 16K are memory pages per block of memory allocated to zones. Reading a comment and a few lines of code from Ian Beer's mach_portal (kernel_sploit.c) also explains what is meant by 4K and 16K and what it is used for.

Original article & code:
https://bugs.chromium.org/p/project-zero/issues/detail?id=965#c2

meyer9 avatar meyer9 commented on July 20, 2024

How are we supposed to debug a kernel panic on these devices?

meyer9 avatar meyer9 commented on July 20, 2024

Here's the device log for an attempted JB on an iP6:

Jan 26 15:51:01 Julians-iPhone yalu102[540] <Notice>: found corruption 38403
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: found kernel text at fffffff022c04000
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: got tfp0 -> e07
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: found procs at fffffff004c56850
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __TEXT
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __DATA_CONST
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __TEXT_EXEC
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __KLD
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __LAST
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __DATA
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __PRELINK_TEXT
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __PLK_TEXT_EXEC
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __PRELINK_DATA
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __PLK_DATA_CONST
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __PLK_LINKEDIT
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __PRELINK_INFO
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __LINKEDIT
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: fffffff021ccc000 - fffffff023494000
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: ffffffff03cd4000
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: fffffff022c715a0
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: pmap: fffffff023120850

Could panic here: https://github.com/kpwn/yalu102/blob/master/yalu102/jailbreak.m#L266

Possibly change that to 0x1000?

 avatar commented on July 20, 2024

@meyer9 I can test?

meyer9 avatar meyer9 commented on July 20, 2024

Sure, but I'm just taking a wild guess here.

meyer9 avatar meyer9 commented on July 20, 2024

Alright, that helped, I think?

2017-01-26 16:11:45.462718 yalu102[252:9458] debug: test point 1
2017-01-26 16:11:45.462881 yalu102[252:9458] debug: test point 2
2017-01-26 16:11:45.462966 yalu102[252:9458] debug: test point 3
2017-01-26 16:11:45.463140 yalu102[252:9458] debug: test point 4
2017-01-26 16:11:45.463253 yalu102[252:9458] debug: test point 5
2017-01-26 16:11:45.463326 yalu102[252:9458] debug: test point 6
2017-01-26 16:11:45.463387 yalu102[252:9458] debug: test point 7
2017-01-26 16:11:45.463568 yalu102[252:9458] got phys at 802dd2000 for virt fffffff00088f000
2017-01-26 16:11:45.463692 yalu102[252:9458] found cpu 0
2017-01-26 16:11:45.463725 yalu102[252:9458] found physz: fffffff012693000
2017-01-26 16:11:45.463806 yalu102[252:9458] found cpu 1
2017-01-26 16:11:45.463873 yalu102[252:9458] found physz: fffffff012693000
2017-01-26 16:11:45.463997 yalu102[252:9458] fffffff012793574 - fffffff0127933a8
2017-01-26 16:11:45.465377 yalu102[252:9458] ttbr0: 802ab9000 fffffff012671590

 avatar commented on July 20, 2024

Still gets stuck though :P

 avatar commented on July 20, 2024

It got further @meyer9

meyer9 avatar meyer9 commented on July 20, 2024

yeah

2017-01-26 16:19:00.212362 yalu102[222:4858] debug: test point 8
2017-01-26 16:19:00.212397 yalu102[222:4858] debug: test point 9
2017-01-26 16:19:00.212481 yalu102[222:4858] debug: test point 10
2017-01-26 16:19:00.212515 yalu102[222:4858] debug: test point 2
2017-01-26 16:19:00.213501 yalu102[222:4858] got a cpacr

#26 (comment)

 avatar commented on July 20, 2024

@meyer9 we need to fix what's causing the corruption ;/
found corruption XXXXX

meyer9 avatar meyer9 commented on July 20, 2024

That's not normal?

 avatar commented on July 20, 2024

I didn't think so, it might be? @meyer9

meyer9 avatar meyer9 commented on July 20, 2024

I believe it is. The problem stems from this function:

    pagestuff_64((address) & (~PMK), ^(vm_address_t tte_addr, int addr) {\
        uint64_t tte = ReadAnywhere64(tte_addr);\
        if (!(TTE_GET(tte, TTE_IS_TABLE_MASK))) {\
            NSLog(@"breakup!");\
            uint64_t fakep = physalloc(PSZ);\
            uint64_t realp = TTE_GET(tte, TTE_PHYS_VALUE_MASK);\
            TTE_SETB(tte, TTE_IS_TABLE_MASK);\
            for (int i = 0; i < PSZ/8; i++) {\
                TTE_SET(tte, TTE_PHYS_VALUE_MASK, realp + i * PSZ);\
                WriteAnywhere64(fakep+i*8, tte);\
            }\
            TTE_SET(tte, TTE_PHYS_VALUE_MASK, findphys_real(fakep));\
            WriteAnywhere64(tte_addr, tte);\
        }\
        uint64_t newt = physalloc(PSZ);\
        copyin(bbuf, TTE_GET(tte, TTE_PHYS_VALUE_MASK) - gPhysBase + gVirtBase, PSZ);\
        copyout(newt, bbuf, PSZ);\
        TTE_SET(tte, TTE_PHYS_VALUE_MASK, findphys_real(newt));\
        TTE_SET(tte, TTE_BLOCK_ATTR_UXN_MASK, 0);\
        TTE_SET(tte, TTE_BLOCK_ATTR_PXN_MASK, 0);\
        WriteAnywhere64(tte_addr, tte);\
        NSLog(@"level %llx - %llx", tte_addr,              TTE_GET(tte, TTE_PHYS_VALUE_MASK));\
    }, level1_table, 2);

 avatar commented on July 20, 2024

Doesn't look like an easy fix

Hexeption avatar Hexeption commented on July 20, 2024

I'm at the same place as you @meyer9

meyer9 avatar meyer9 commented on July 20, 2024

Check out pte_stuff

meyer9 avatar meyer9 commented on July 20, 2024

These possibly need adjusting?

typedef union VMA_4K {
    struct {
        uint64_t block_off : 12;
        uint64_t level3_index : 9;
        uint64_t level2_index : 9;
        uint64_t level1_index : 9;
        uint64_t level0_index : 9;
        uint64_t ttbr_selector : 16;
    } __attribute__((packed)) vm_info;
    uint64_t vmaddr;
} VMA_4K;

 avatar commented on July 20, 2024

Tell me if you get the correct values 👍

 avatar commented on July 20, 2024

Just an afterthought: if those are the 16K device strings, or the same, won't the 4K values be a quarter of the 16K values?

meyer9 avatar meyer9 commented on July 20, 2024

Probably not since all of them aren't divisible by 4, but I have no clue


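An added example, not code from yalu102, pte_stuff.h or mach_portal, that puts the VMA_4K union from the post above next to an assumed 16K counterpart and answers the "quarter" question: decoding the same virtual address under both granules gives unrelated index values, and the table geometry that follows from each page size (entries per table, span per level, number of levels and top-table size for a given VA width) is derived as well. The VMA_16K layout (taken from the ARMv8 rules for a 16K granule with a 48-bit VA), the va_indices and granule_geom structs and the helper names are assumptions; the sample VA is the one from the "got phys at ... for virt" log line earlier in the thread.

```c
/* Added example; not code from yalu102, pte_stuff.h or mach_portal.
 * VMA_4K is the union quoted in the thread. VMA_16K is an assumed
 * counterpart laid out per the ARMv8 rules for a 16K granule, 48-bit VA. */
#include <stdint.h>
#include <stdio.h>

typedef union VMA_4K {
    struct {
        uint64_t block_off     : 12;  /* offset inside a 4 KiB page       */
        uint64_t level3_index  : 9;   /* 512 descriptors per table        */
        uint64_t level2_index  : 9;
        uint64_t level1_index  : 9;
        uint64_t level0_index  : 9;
        uint64_t ttbr_selector : 16;  /* bits 63:48 pick TTBR0 vs TTBR1   */
    } __attribute__((packed)) vm_info;
    uint64_t vmaddr;
} VMA_4K;

typedef union VMA_16K {               /* assumed layout for a 16K granule */
    struct {
        uint64_t block_off     : 14;  /* offset inside a 16 KiB page      */
        uint64_t level3_index  : 11;  /* 2048 descriptors per table       */
        uint64_t level2_index  : 11;
        uint64_t level1_index  : 11;
        uint64_t level0_index  : 1;   /* only bit 47 is left for level 0  */
        uint64_t ttbr_selector : 16;
    } __attribute__((packed)) vm_info;
    uint64_t vmaddr;
} VMA_16K;

struct va_indices { unsigned l0, l1, l2, l3; uint64_t off; };

struct va_indices decode_4k(uint64_t va) {
    VMA_4K a; a.vmaddr = va;
    struct va_indices r = { (unsigned)a.vm_info.level0_index, (unsigned)a.vm_info.level1_index,
                            (unsigned)a.vm_info.level2_index, (unsigned)a.vm_info.level3_index,
                            (uint64_t)a.vm_info.block_off };
    return r;
}

struct va_indices decode_16k(uint64_t va) {
    VMA_16K a; a.vmaddr = va;
    struct va_indices r = { (unsigned)a.vm_info.level0_index, (unsigned)a.vm_info.level1_index,
                            (unsigned)a.vm_info.level2_index, (unsigned)a.vm_info.level3_index,
                            (uint64_t)a.vm_info.block_off };
    return r;
}

/* Geometry follows from the page size alone: a table is one page of 8-byte
 * descriptors (the PSZ/8 loop bound in RemapPage), and each level spans
 * entries x (span of the next level down). */
struct granule_geom { uint64_t page_size, entries, l3_span, l2_span, l1_span; };

struct granule_geom geom_for_page_size(uint64_t page_size) {
    struct granule_geom g;
    g.page_size = page_size;
    g.entries   = page_size / 8;
    g.l3_span   = page_size;               /* one page per L3 entry         */
    g.l2_span   = g.l3_span * g.entries;   /* 2 MiB (4K) vs 32 MiB (16K)    */
    g.l1_span   = g.l2_span * g.entries;   /* 1 GiB (4K) vs 64 GiB (16K)    */
    return g;
}

static unsigned ilog2(uint64_t v) { unsigned n = 0; while (v > 1) { v >>= 1; n++; } return n; }

/* Levels a walk over a va_bits-wide space needs, and the size of the top
 * table. For a 39-bit space both granules start at level 1, but the 16K top
 * table has 8 entries where the 4K one has 512: the layouts differ. */
unsigned levels_needed(uint64_t page_size, unsigned va_bits) {
    unsigned page_bits = ilog2(page_size), idx_bits = page_bits - 3;
    return (va_bits - page_bits + idx_bits - 1) / idx_bits;
}

uint64_t top_table_entries(uint64_t page_size, unsigned va_bits) {
    unsigned page_bits = ilog2(page_size), idx_bits = page_bits - 3;
    unsigned covered = page_bits + (levels_needed(page_size, va_bits) - 1) * idx_bits;
    return (uint64_t)1 << (va_bits - covered);
}

int main(void) {
    /* VA from the "got phys at ... for virt" log line earlier in the thread */
    uint64_t va = 0xfffffff00088f000ULL;
    struct va_indices a = decode_4k(va), b = decode_16k(va);
    printf("4K : L0 %u L1 %u L2 %u L3 %u off 0x%llx\n",
           a.l0, a.l1, a.l2, a.l3, (unsigned long long)a.off);
    printf("16K: L0 %u L1 %u L2 %u L3 %u off 0x%llx\n",
           b.l0, b.l1, b.l2, b.l3, (unsigned long long)b.off);
    for (uint64_t ps = 0x1000; ps <= 0x4000; ps *= 4) {
        struct granule_geom g = geom_for_page_size(ps);
        printf("page %#llx: %llu entries/table, L2 span %#llx, L1 span %#llx, "
               "39-bit VA: %u levels, top table %llu entries\n",
               (unsigned long long)ps, (unsigned long long)g.entries,
               (unsigned long long)g.l2_span, (unsigned long long)g.l1_span,
               levels_needed(ps, 39), (unsigned long long)top_table_entries(ps, 39));
    }
    return 0;
}
```

For the sample VA the 4K walk lands at L1 448 / L2 4 / L3 143 while the 16K walk lands at L1 2047 / L2 0 / L3 547 with a 0x3000 page offset, so index values from one granule cannot be scaled into the other.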
 avatar commented on July 20, 2024

I'm guessing if it was an easy fix it would already have been added :p

meyer9 avatar meyer9 commented on July 20, 2024

Probably, but it's still fun to look

Hexeption avatar Hexeption commented on July 20, 2024

Yeah

 avatar commented on July 20, 2024

Just leave a comment if you find / fix something else

meyer9 avatar meyer9 commented on July 20, 2024

If I put NSLog(@"calling back %llu %d", tteaddr, level); just before pagestuff_64_callback in pte_stuff.h, I get calling back 18446743970915550384 2. But it does not run the callback...

meyer9 avatar meyer9 commented on July 20, 2024

Can someone do this on a verified working JB and see what it gives them? The level may be different.

 avatar commented on July 20, 2024

I've been trying to look for successful logs but haven't found them.

DarknesGaming avatar DarknesGaming commented on July 20, 2024

I haven't tried this yet, and that's because I don't have a jailbreak working. Despite my lack of memory-management knowledge, I'll see if I can do anything.

DarknesGaming avatar DarknesGaming commented on July 20, 2024

I just forgot that I didn't plug in my iPhone yet. Also, @Mila432's latest commit does not support the TSMC iPhone 6s and SE (which has S8003 at the end, and not S8000).

DarknesGaming avatar DarknesGaming commented on July 20, 2024

Just tried to run the jailbreak. No output. Just a crash and reboot.

meyer9 avatar meyer9 commented on July 20, 2024

On what device?

I'd like someone to add that debug line I described above and paste the output on a working JB.

DarknesGaming avatar DarknesGaming commented on July 20, 2024

The iPhone 6.

meyer9 avatar meyer9 commented on July 20, 2024

Got it. That's pretty expected. We're looking for comparison with a different device.

DarknesGaming avatar DarknesGaming commented on July 20, 2024

I'll try to fix this problem. At the same time, I'll be trying to find a way to make this code a bit easier to read (and this is by using more "if" statements with u.machine to better define which set of offsets are for which device).

meyer9 avatar meyer9 commented on July 20, 2024

kernel panic:

panic(cpu 1 caller 0xfffffff01d3969e8): Kernel data abort. (saved state: 0xfffffff16943b350)
	  x0: 0xfffffff001e274d8  x1:  0xffffffe81b600748  x2:  0x0000000000000000  x3:  0xfffffff001e274d8
	  x4: 0xfffffff16943b838  x5:  0xfffffff16943b988  x6:  0x0000000010000003  x7:  0xfffffff004b4bf00
	  x8: 0xfffffff01d79a868  x9:  0xfffffff01d79a868  x10: 0xfffffff001e274d8  x11: 0xfffffff001e274d8
	  x12: 0xfffffff01d766380 x13: 0x00000000000014f9  x14: 0xaaaaaaaaaaaaaaab  x15: 0x0000000000000018
	  x16: 0xfffffff01d748f10 x17: 0x0000000000000000  x18: 0x0000000000000000  x19: 0xfffffff11cd5a920
	  x20: 0x0000000000000008 x21: 0xfffffff001e274d8  x22: 0xffffffe81b600748  x23: 0x0000000000000020
	  x24: 0x0000000000000000 x25: 0xffffffe81b600750  x26: 0xffffffe81b600748  x27: 0x0000000000000001
	  x28: 0xfffffff16943b838 fp:  0xfffffff16943b6a0  lr:  0xfffffff01d32f9bc  sp:  0xfffffff16943b6a0
	  pc:  0xfffffff01d28e034 cpsr: 0x60000304         esr: 0x96000004          far: 0xffffffe81b600748

Debugger message: panic
Memory ID: 0x1
OS version: 14C92
Kernel version: Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4\/RELEASE_ARM64_T7000
KernelCache UUID: E241E5E5848A662ECF7751CB6E36E94D
iBoot version: iBoot-3406.30.8
secure boot?: YES
Paniclog version: 6
Kernel slide:     0x0000000016200000
Kernel text base: 0xfffffff01d204000
Epoch Time:        sec       usec
  Boot    : 0x588a933b 0x000b0c5c
  Sleep   : 0x00000000 0x00000000
  Wake    : 0x00000000 0x00000000
  Calendar: 0x588a93ad 0x000729f0

Panicked task 0xfffffff00253a000: 8941 pages, 6 threads: pid 224: yalu102
Panicked thread: 0xfffffff002b534f0, backtrace: 0xfffffff16943af90
		  lr: 0xfffffff01d39bbc0  fp: 0xfffffff16943b000
		  lr: 0xfffffff01d2b6e70  fp: 0xfffffff16943b050
		  lr: 0xfffffff01d3969e8  fp: 0xfffffff16943b240
		  lr: 0xfffffff01d39709c  fp: 0xfffffff16943b330
		  lr: 0xfffffff01d2901f0  fp: 0xfffffff16943b340
		  lr: 0xfffffff01d28e034  fp: 0xfffffff16943b6a0
		  lr: 0xfffffff01d32f9bc  fp: 0xfffffff16943b6e0
		  lr: 0xfffffff01d33cf70  fp: 0xfffffff16943b820
		  lr: 0xfffffff01d365f20  fp: 0xfffffff16943b870
		  lr: 0xfffffff01d304f1c  fp: 0xfffffff16943b8b0
		  lr: 0xfffffff01d29ef18  fp: 0xfffffff16943ba20
		  lr: 0xfffffff01d2af3c8  fp: 0xfffffff16943bad0
		  lr: 0xfffffff01d3983f0  fp: 0xfffffff16943bba0
		  lr: 0xfffffff01d396d0c  fp: 0xfffffff16943bc90
		  lr: 0xfffffff01d2901f0  fp: 0xfffffff16943bca0


DarknesGaming avatar DarknesGaming commented on July 20, 2024

I can tell this is a kernel panic. What does the rest mean?

meyer9 avatar meyer9 commented on July 20, 2024

I believe they are the values of the registers?

meyer9 avatar meyer9 commented on July 20, 2024

Also, the tte_addr is thought to be ffffffe8110004b0 according to the callback where it fails.

meyer9 avatar meyer9 commented on July 20, 2024

I think we're looking at this wrong. It probably fails earlier and then only crashes later since there should be no reason it's crashing at that specific spot.

DarknesGaming avatar DarknesGaming commented on July 20, 2024

I'm not sure how to look at this. I only learned a little bit of memory management, but that was because I was learning how a buffer overflow works.

DarknesGaming avatar DarknesGaming commented on July 20, 2024

Quick question: How do I access the device logs?

Hexeption avatar Hexeption commented on July 20, 2024

When you run the app with Xcode, open the Console.

DarknesGaming avatar DarknesGaming commented on July 20, 2024

I'm getting no output from the console.

meyer9 avatar meyer9 commented on July 20, 2024

Are you running from Xcode?

Hexeption avatar Hexeption commented on July 20, 2024

Did you run the app with Xcode and let it open automatically?

meyer9 avatar meyer9 commented on July 20, 2024

It's also in Impactor under Device > Watch Log

DarknesGaming avatar DarknesGaming commented on July 20, 2024

No. I set Xcode to not run the app automatically, but to wait for me to launch the app to start debugging.

masbog avatar masbog commented on July 20, 2024

Same as me on my iPad Air 2:

sysname: Darwin
nodename: Augustas-iPad-Air-2-Silver
release: 16.3.0
version: Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T7001
machine: iPad5,3
2017-01-27 11:49:16.463734 yalu102[224:8076] found corruption 38303
2017-01-27 11:49:16.774413 yalu102[224:8076] found kernel text at fffffff008604000
2017-01-27 11:49:16.776410 yalu102[224:8076] got tfp0 -> 38403
2017-01-27 11:49:16.777854 yalu102[224:8076] found procs at fffffff10d428c18
2017-01-27 11:49:16.781215 yalu102[224:8076] seg: __TEXT
2017-01-27 11:49:16.781268 yalu102[224:8076] seg: __DATA_CONST
2017-01-27 11:49:16.781305 yalu102[224:8076] seg: __TEXT_EXEC
2017-01-27 11:49:16.781337 yalu102[224:8076] seg: __KLD
2017-01-27 11:49:16.781371 yalu102[224:8076] seg: __LAST
2017-01-27 11:49:16.781404 yalu102[224:8076] seg: __DATA
2017-01-27 11:49:16.781435 yalu102[224:8076] seg: __PRELINK_TEXT
2017-01-27 11:49:16.781484 yalu102[224:8076] seg: __PLK_TEXT_EXEC
2017-01-27 11:49:16.781518 yalu102[224:8076] seg: __PRELINK_DATA
2017-01-27 11:49:16.781548 yalu102[224:8076] seg: __PLK_DATA_CONST
2017-01-27 11:49:16.781578 yalu102[224:8076] seg: __PLK_LINKEDIT
2017-01-27 11:49:16.781610 yalu102[224:8076] seg: __PRELINK_INFO
2017-01-27 11:49:16.781640 yalu102[224:8076] seg: __LINKEDIT
2017-01-27 11:49:16.781666 yalu102[224:8076] fffffff007670000 - fffffff008ea0000
2017-01-27 11:49:16.815980 yalu102[224:8076] ffffffff045d0000
2017-01-27 11:49:16.852228 yalu102[224:8076] fffffff0086715a0
2017-01-27 11:49:16.887973 yalu102[224:8076] pmap: fffffff008b20850
2017-01-27 11:49:16.924006 yalu102[224:8076] got phys at 0 for virt fffffff1b7790000
2017-01-27 11:49:16.924117 yalu102[224:8076] found cpu 0
2017-01-27 11:49:16.924150 yalu102[224:8076] found physz: fffffff008693000
2017-01-27 11:49:16.924188 yalu102[224:8076] found cpu 1
2017-01-27 11:49:16.924218 yalu102[224:8076] found physz: fffffff008693000
2017-01-27 11:49:16.924255 yalu102[224:8076] found cpu 2
2017-01-27 11:49:16.924282 yalu102[224:8076] found physz: fffffff008693000
2017-01-27 11:49:16.924323 yalu102[224:8076] fffffff008793714 - fffffff008793548
2017-01-27 11:49:16.925590 yalu102[224:8076] ttbr0: 802ac5000 fffffff008671590
2017-01-27 11:49:16.926011 yalu102[224:8076] got a cpacr

meyer9 avatar meyer9 commented on July 20, 2024

Yeah, this seems like a race condition for the logs, so those are basically useless.

It's something before that.

If I add an exit(0) before the cpacr code, the device does not panic.

It does panic before RemapPage.

Panics on: WriteAnywhere64(ReadAnywhere64(find_kernel_pmap()), level1_table);

This comes from patchfinder64, a proprietary library by @kpwn.

Disassembled:

int _find_kernel_pmap() {
    r7 = (sp - 0xc) + 0x4;
    r4 = sp - 0x40;
    asm { bfc        r4, #0x0, #0x3 };
    sp = r4;
    r0 = _find_string_reference("\"pmap_map_bd\"", 0x0);
    stack[2042] = r0;
    if ((r0 | 0x0) == 0x0) {
            _NSLog(@"couldn't reference pmap_map_bd");
            r0 = _abort();
    }
    else {
            r0 = _get_data_for_mode(0x0, 0x0, 0x0);
            *(sp + 0x4) = 0xd8b;
            *sp = 0x0;
            r0 = _find_prev_instruction_matching(r0, stack[2042], 0x0, 0x20, stack[2032], stack[2033]);
            stack[2041] = stack[2042];
            stack[2040] = r0;
            if ((r0 | stack[2042]) == 0x0) {
                    _NSLog(@"pmap: couldn't reference prev_bl");
                    r0 = _abort();
            }
            else {
                    r0 = _get_data_for_mode(0x0, 0x0, 0x0);
                    *(sp + 0x4) = 0x2;
                    *sp = *0x2974;
                    r0 = _find_register_value(r0, stack[2040], stack[2041], *0x2970, stack[2032], stack[2033]);
            }
    }
    return r0;
}

P.S. @kpwn, if you are reading this, thank you so much for everything. I'm not sure if I helped you at all, but hopefully someone can figure this one out.

 avatar commented on July 20, 2024

@parrotgeek1, I never saw 4K Device Support in Yalu 10.1.1 either.

meyer9 avatar meyer9 commented on July 20, 2024

I wonder if patchfinder has ever been used with 4k devices...

kpwn avatar kpwn commented on July 20, 2024

The issue is that the pagetable layout is different on 4k devices, so pagestuff_64 is used improperly (I think).

kpwn avatar kpwn commented on July 20, 2024

This patchfinder was used for Yalu2 on 9.3.3, which was developed on a 64 bit 4k device.

 avatar commented on July 20, 2024

Well that makes more sense. If you need any results just leave a comment :)

kpwn avatar kpwn commented on July 20, 2024

You are literally commenting on an issue in the entire code I am building.

andrewwiik avatar andrewwiik commented on July 20, 2024

@kpwn can you ask qwertyuiop why the original mach_portal project works on 4K devices and why this doesn't? Didn't the original mach_portal project also use pagestuff_64?

kpwn avatar kpwn commented on July 20, 2024

Note that pagestuff itself is fine. The issue is in the code that uses it.

andrewwiik avatar andrewwiik commented on July 20, 2024

Oh okay, and well that is embarrassing... walks out of room slowly

andrewwiik avatar andrewwiik commented on July 20, 2024

@kpwn can you point out exactly where it is being used that is wrong, or is it in one of the precompiled binaries?

tangalbert919 avatar tangalbert919 commented on July 20, 2024

The whole time I'm asleep, this place is active.
We all love you @kpwn, but this project is vulnerable to the hands of Stefan Esser. Should I add the license to that? xD

meyer9 avatar meyer9 commented on July 20, 2024

Let's see, so if level_1_table is wrong then I'm assuming something about this is wrong?

uint64_t ttbr0_real = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), idlesleep_handler + idx*4 - gadget_base + 24, text_exec_base, 1);

As in, it's not finding the correct location for 4k devices...

mmhobi7 avatar mmhobi7 commented on July 20, 2024

Wait, so where does it panic?
Shouldn't you get NSLog(@"level %llx - %llx",
Yeah, my guess is level_1.

tangalbert919 avatar tangalbert919 commented on July 20, 2024

I seriously need to learn to understand this stuff.
I've got C and Objective-C programming books in my shopping list. I should buy them when I have the time.

andrewwiik avatar andrewwiik commented on July 20, 2024

@kpwn is weekend friday or saturday for you btw? I know with some people it differs.

tangalbert919 avatar tangalbert919 commented on July 20, 2024

I think he's asleep right now. He's in Europe.

Mila432 avatar Mila432 commented on July 20, 2024

@tangalbert919 it's 5:44pm

andrewwiik avatar andrewwiik commented on July 20, 2024

I didn't think they were normal lol, and yes, I have a paid tweak release coming up and I need to strategise. I'll refrain from future personal questions as they deviate from this thread.

KILLCAMPER avatar KILLCAMPER commented on July 20, 2024

@kpwn pmsl lol 😂 you're doing an amazing job; when it's done it's done, life goes on 💩

andrewwiik avatar andrewwiik commented on July 20, 2024

I was never asking when, I was asking his perception on when a weekend starts

kpwn avatar kpwn commented on July 20, 2024

Note that findphys_real also has the same assumption, so that's why sometimes it may fail earlier.

meyer9 avatar meyer9 commented on July 20, 2024

I can try when I get home.

meyer9 avatar meyer9 commented on July 20, 2024

Well, the RemapPage is sending level 2 to the callback function, so I wouldn't be surprised if that was part of the problem. On iP7 is it returning level 1 in the callback or level 2? You can see the debug message I added above and the output.

If I put NSLog(@"calling back %llu %d", tteaddr, level); just before pagestuff_64_callback in pte_stuff.h, I get calling back 0xffffffe8110004b0 2. But it does not run the callback...

andrewwiik avatar andrewwiik commented on July 20, 2024

Changed this:

uint64_t ttbr0_real = find_register_value((uint32_t*)get_data_for_mode(0, SearchTextExec), idlesleep_handler + idx*4 - gadget_base + 24, text_exec_base, 1);

to:

uint64_t ttbr0_real = find_register_value((uint32_t*)get_data_for_mode(1, SearchTextExec), idlesleep_handler + idx*4 - gadget_base + 24, text_exec_base, 1);

This is the output when changing it:

sysname: Darwin
nodename: Andrews-iPhone
release: 16.3.0
version: Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T7000
machine: iPhone7,2
2017-01-27 12:25:57.760413 yalu102[854:178086] found corruption 38003
2017-01-27 12:25:58.476276 yalu102[854:178086] found kernel text at fffffff00a004000
2017-01-27 12:25:58.478631 yalu102[854:178086] got tfp0 -> 1207
2017-01-27 12:25:58.480478 yalu102[854:178086] found procs at fffffff10b06e020
2017-01-27 12:25:58.485402 yalu102[854:178086] seg: __TEXT
2017-01-27 12:25:58.485498 yalu102[854:178086] seg: __DATA_CONST
2017-01-27 12:25:58.485532 yalu102[854:178086] seg: __TEXT_EXEC
2017-01-27 12:25:58.485566 yalu102[854:178086] seg: __KLD
2017-01-27 12:25:58.485598 yalu102[854:178086] seg: __LAST
2017-01-27 12:25:58.485629 yalu102[854:178086] seg: __DATA
2017-01-27 12:25:58.485660 yalu102[854:178086] seg: __PRELINK_TEXT
2017-01-27 12:25:58.485721 yalu102[854:178086] seg: __PLK_TEXT_EXEC
2017-01-27 12:25:58.485851 yalu102[854:178086] seg: __PRELINK_DATA
2017-01-27 12:25:58.485886 yalu102[854:178086] seg: __PLK_DATA_CONST
2017-01-27 12:25:58.485918 yalu102[854:178086] seg: __PLK_LINKEDIT
2017-01-27 12:25:58.485950 yalu102[854:178086] seg: __PRELINK_INFO
2017-01-27 12:25:58.485982 yalu102[854:178086] seg: __LINKEDIT
2017-01-27 12:25:58.486015 yalu102[854:178086] fffffff0090cc000 - fffffff00a894000
2017-01-27 12:25:58.544741 yalu102[854:178086] ffffffff03d98000
2017-01-27 12:25:58.591398 yalu102[854:178086] fffffff00a0715a0
2017-01-27 12:25:58.630298 yalu102[854:178086] pmap: fffffff00a520850
2017-01-27 12:25:58.669476 yalu102[854:178086] got phys at 0 for virt fffffff120f88000
2017-01-27 12:25:58.669623 yalu102[854:178086] found cpu 0
2017-01-27 12:25:58.669697 yalu102[854:178086] found physz: fffffff00a093000
2017-01-27 12:25:58.669741 yalu102[854:178086] found cpu 1
2017-01-27 12:25:58.669768 yalu102[854:178086] found physz: fffffff00a093000
2017-01-27 12:25:58.669882 yalu102[854:178086] fffffff00a193574 - fffffff00a1933a8

meyer9 avatar meyer9 commented on July 20, 2024

Can you try adding the debug statements I did?

andrewwiik avatar andrewwiik commented on July 20, 2024

I changed the wrong thing; give me a second, I'm running again after I changed the right thing.

andrewwiik avatar andrewwiik commented on July 20, 2024

This was the output after changing the right thing:

sysname: Darwin
nodename: Andrews-iPhone
release: 16.3.0
version: Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T7000
machine: iPhone7,2
2017-01-27 12:31:50.903002 yalu102[235:4659] found corruption 38203
2017-01-27 12:31:55.836549 yalu102[235:4659] found kernel text at fffffff01be04000
2017-01-27 12:31:55.838888 yalu102[235:4659] got tfp0 -> d07
2017-01-27 12:31:55.839426 yalu102[235:4659] found procs at fffffff004e24810
2017-01-27 12:31:55.844557 yalu102[235:4659] seg: __TEXT
2017-01-27 12:31:55.844653 yalu102[235:4659] seg: __DATA_CONST
2017-01-27 12:31:55.844688 yalu102[235:4659] seg: __TEXT_EXEC
2017-01-27 12:31:55.844776 yalu102[235:4659] seg: __KLD
2017-01-27 12:31:55.844816 yalu102[235:4659] seg: __LAST
2017-01-27 12:31:55.844849 yalu102[235:4659] seg: __DATA
2017-01-27 12:31:55.844882 yalu102[235:4659] seg: __PRELINK_TEXT
2017-01-27 12:31:55.845092 yalu102[235:4659] seg: __PLK_TEXT_EXEC
2017-01-27 12:31:55.845129 yalu102[235:4659] seg: __PRELINK_DATA
2017-01-27 12:31:55.845297 yalu102[235:4659] seg: __PLK_DATA_CONST
2017-01-27 12:31:55.845333 yalu102[235:4659] seg: __PLK_LINKEDIT
2017-01-27 12:31:55.845366 yalu102[235:4659] seg: __PRELINK_INFO
2017-01-27 12:31:55.845437 yalu102[235:4659] seg: __LINKEDIT
2017-01-27 12:31:55.845489 yalu102[235:4659] fffffff01aecc000 - fffffff01c694000
2017-01-27 12:31:55.899988 yalu102[235:4659] ffffffff03d9c000
2017-01-27 12:31:55.944697 yalu102[235:4659] fffffff01be715a0
2017-01-27 12:31:55.983353 yalu102[235:4659] pmap: fffffff01c320850
2017-01-27 12:31:56.022341 yalu102[235:4659] got phys at 0 for virt fffffff000824000
2017-01-27 12:31:56.022479 yalu102[235:4659] found cpu 0
2017-01-27 12:31:56.022553 yalu102[235:4659] found physz: fffffff01be93000
2017-01-27 12:31:56.022591 yalu102[235:4659] found cpu 1
2017-01-27 12:31:56.022620 yalu102[235:4659] found physz: fffffff01be93000
2017-01-27 12:31:56.022833 yalu102[235:4659] fffffff01bf93574 - fffffff01bf933a8
2017-01-27 12:31:56.024233 yalu102[235:4659] ttbr0: 802ab9000 fffffff01be71590
2017-01-27 12:31:56.025501 yalu102[235:4659] got a cpacr

meyer9 avatar meyer9 commented on July 20, 2024

OK, that's what we got before, so that specifically didn't help.

andrewwiik avatar andrewwiik commented on July 20, 2024

Wait, am I replacing the level in pte or jailbreak.m?

meyer9 avatar meyer9 commented on July 20, 2024

Try my branch with that change please: https://github.com/meyer9/yalu102

meyer9 avatar meyer9 commented on July 20, 2024

I have some debug statements added

Hexeption avatar Hexeption commented on July 20, 2024

This is what I got when I changed it:

sysname: Darwin
nodename: Keirs-iPhone
release: 16.3.0
version: Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T7000
machine: iPhone7,1
2017-01-27 17:33:16.456749 yalu102[235:5155] found corruption 37c03
2017-01-27 17:33:21.304816 yalu102[235:5155] found kernel text at fffffff01bc04000
2017-01-27 17:33:21.306975 yalu102[235:5155] got tfp0 -> 1207
2017-01-27 17:33:21.308431 yalu102[235:5155] found procs at fffffff0047b7408
2017-01-27 17:33:21.312822 yalu102[235:5155] seg: __TEXT
2017-01-27 17:33:21.312899 yalu102[235:5155] seg: __DATA_CONST
2017-01-27 17:33:21.312935 yalu102[235:5155] seg: __TEXT_EXEC
2017-01-27 17:33:21.312968 yalu102[235:5155] seg: __KLD
2017-01-27 17:33:21.313001 yalu102[235:5155] seg: __LAST
2017-01-27 17:33:21.313054 yalu102[235:5155] seg: __DATA
2017-01-27 17:33:21.313167 yalu102[235:5155] seg: __PRELINK_TEXT
2017-01-27 17:33:21.313202 yalu102[235:5155] seg: __PLK_TEXT_EXEC
2017-01-27 17:33:21.313234 yalu102[235:5155] seg: __PRELINK_DATA
2017-01-27 17:33:21.313267 yalu102[235:5155] seg: __PLK_DATA_CONST
2017-01-27 17:33:21.313299 yalu102[235:5155] seg: __PLK_LINKEDIT
2017-01-27 17:33:21.313454 yalu102[235:5155] seg: __PRELINK_INFO
2017-01-27 17:33:21.313504 yalu102[235:5155] seg: __LINKEDIT
2017-01-27 17:33:21.313537 yalu102[235:5155] fffffff01accc000 - fffffff01c494000
2017-01-27 17:33:21.366759 yalu102[235:5155] ffffffff03e30000
2017-01-27 17:33:21.413297 yalu102[235:5155] fffffff01bc715a0
2017-01-27 17:33:21.453138 yalu102[235:5155] pmap: fffffff01c120850
2017-01-27 17:33:21.492678 yalu102[235:5155] got phys at 0 for virt fffffff00089f000
2017-01-27 17:33:21.492808 yalu102[235:5155] found cpu 0
2017-01-27 17:33:21.492846 yalu102[235:5155] found physz: fffffff01bc93000
2017-01-27 17:33:21.492882 yalu102[235:5155] found cpu 1
2017-01-27 17:33:21.492910 yalu102[235:5155] found physz: fffffff01bc93000
2017-01-27 17:33:21.492957 yalu102[235:5155] fffffff01bd93574 - fffffff01bd933a8

meyer9 avatar meyer9 commented on July 20, 2024

Yeah, it crashes at a random point in the log. We already knew that. Add exit(0) instead of NSLog statements so we can debug exactly where it panics.

andrewwiik avatar andrewwiik commented on July 20, 2024

@meyer9 can you please please merge your branch so it is not 16 commits behind

meyer9 avatar meyer9 commented on July 20, 2024

yeah 1 sec

meyer9 avatar meyer9 commented on July 20, 2024

done

from yalu102.

andrewwiik avatar andrewwiik commented on July 20, 2024

pulling now

from yalu102.

andrewwiik avatar andrewwiik commented on July 20, 2024

Yalu crashed? I got sent to the home screen; here is the output:

sysname: Darwin
nodename: Andrews-iPhone
release: 16.3.0
version: Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T7000
machine: iPhone7,2
2017-01-27 12:42:45.142462 yalu102[242:5523] found corruption 38503
2017-01-27 12:42:46.782259 yalu102[242:5523] found kernel text at fffffff00e004000
2017-01-27 12:42:46.784489 yalu102[242:5523] got tfp0 -> 38603
2017-01-27 12:42:46.786461 yalu102[242:5523] found procs at fffffff10f3c7080
2017-01-27 12:42:46.790893 yalu102[242:5523] seg: __TEXT
2017-01-27 12:42:46.790971 yalu102[242:5523] seg: __DATA_CONST
2017-01-27 12:42:46.791005 yalu102[242:5523] seg: __TEXT_EXEC
2017-01-27 12:42:46.791038 yalu102[242:5523] seg: __KLD
2017-01-27 12:42:46.791070 yalu102[242:5523] seg: __LAST
2017-01-27 12:42:46.791116 yalu102[242:5523] seg: __DATA
2017-01-27 12:42:46.791182 yalu102[242:5523] seg: __PRELINK_TEXT
2017-01-27 12:42:46.791235 yalu102[242:5523] seg: __PLK_TEXT_EXEC
2017-01-27 12:42:46.791268 yalu102[242:5523] seg: __PRELINK_DATA
2017-01-27 12:42:46.791299 yalu102[242:5523] seg: __PLK_DATA_CONST
2017-01-27 12:42:46.791330 yalu102[242:5523] seg: __PLK_LINKEDIT
2017-01-27 12:42:46.791363 yalu102[242:5523] seg: __PRELINK_INFO
2017-01-27 12:42:46.791475 yalu102[242:5523] seg: __LINKEDIT
2017-01-27 12:42:46.791531 yalu102[242:5523] fffffff00d0cc000 - fffffff00e894000
2017-01-27 12:42:46.844824 yalu102[242:5523] 1430803da0000
2017-01-27 12:42:46.887031 yalu102[242:5523] fffffff00e0715a0
2017-01-27 12:42:46.926864 yalu102[242:5523] pmap: fffffff00e520850
2017-01-27 12:42:46.965535 yalu102[242:5523] debug: test point 1
2017-01-27 12:42:46.965668 yalu102[242:5523] debug: test point 2
2017-01-27 12:42:46.965692 yalu102[242:5523] debug: test point 3
2017-01-27 12:42:46.965752 yalu102[242:5523] debug: test point 4
2017-01-27 12:42:46.965786 yalu102[242:5523] debug: test point 5
2017-01-27 12:42:46.965812 yalu102[242:5523] debug: test point 6
2017-01-27 12:42:46.965838 yalu102[242:5523] debug: test point 7
2017-01-27 12:42:46.965954 yalu102[242:5523] Indentified 4k device
2017-01-27 12:42:46.966014 yalu102[242:5523] calling back 18446744005240397312 1
2017-01-27 12:42:46.966045 yalu102[242:5523] calling back 2
2017-01-27 12:42:46.966071 yalu102[242:5523] calling back 3
2017-01-27 12:42:46.966119 yalu102[242:5523] got phys at 0 for virt fffffff000853000
2017-01-27 12:42:46.966326 yalu102[242:5523] found cpu 0
2017-01-27 12:42:46.966373 yalu102[242:5523] found physz: fffffff00e093000
2017-01-27 12:42:46.966408 yalu102[242:5523] found cpu 1
2017-01-27 12:42:46.966435 yalu102[242:5523] found physz: fffffff00e093000
2017-01-27 12:42:46.966483 yalu102[242:5523] fffffff00e193574 - fffffff00e1933a8
2017-01-27 12:42:46.967919 yalu102[242:5523] ttbr0: 802ab9000 fffffff00e071590
2017-01-27 12:42:46.967959 yalu102[242:5523] debug: test point 8
2017-01-27 12:42:46.968006 yalu102[242:5523] debug: test point 9
2017-01-27 12:42:46.968041 yalu102[242:5523] debug: test point 10
2017-01-27 12:42:46.968062 yalu102[242:5523] Indentified 4k device
2017-01-27 12:42:46.968095 yalu102[242:5523] calling back 18446744005240397312 1
2017-01-27 12:42:46.968169 yalu102[242:5523] calling back 2
2017-01-27 12:42:46.968213 yalu102[242:5523] calling back 3
2017-01-27 12:42:46.968235 yalu102[242:5523] debug: test point 11
2017-01-27 12:42:46.968319 yalu102[242:5523] debug: test point 12
2017-01-27 12:42:46.968528 yalu102[242:5523] debug: test point 13
2017-01-27 12:42:46.968596 yalu102[242:5523] debug: test point 14
2017-01-27 12:42:46.968625 yalu102[242:5523] debug: test point 15
2017-01-27 12:42:46.968653 yalu102[242:5523] debug: test point 16
2017-01-27 12:42:46.968692 yalu102[242:5523] debug: test point 17
2017-01-27 12:42:46.968713 yalu102[242:5523] Indentified 4k device
2017-01-27 12:42:46.968749 yalu102[242:5523] calling back 18446744005240397312 1
2017-01-27 12:42:46.968776 yalu102[242:5523] calling back 2
2017-01-27 12:42:46.968802 yalu102[242:5523] calling back 3
2017-01-27 12:42:46.968822 yalu102[242:5523] debug: test point 18
2017-01-27 12:42:46.968960 yalu102[242:5523] got a cpacr at 4462
2017-01-27 12:42:46.968981 yalu102[242:5523] debug ---
2017-01-27 12:42:46.969072 yalu102[242:5523] debug: test point 18z1
2017-01-27 12:42:46.969099 yalu102[242:5523] debug: test point 18z2
2017-01-27 12:42:47.045855 yalu102[242:5523] 18446744005230831720, 205520896

from yalu102.

meyer9 avatar meyer9 commented on July 20, 2024

Interesting that yours is on level 1 now when it calls back.

from yalu102.

andrewwiik avatar andrewwiik commented on July 20, 2024

Is that progress?

from yalu102.

Hexeption avatar Hexeption commented on July 20, 2024

A little, yeah.

from yalu102.
