Siguza/cl0ver

N61AP, 13G34 (iphone6 9.3.3)

Closed this issue · 17 comments

cl0ver log : https://ghostbin.com/paste/nykce
cl0ver panic log : https://ghostbin.com/paste/25e9q
panic log : https://ghostbin.com/paste/og96p

And do you have a ROP chain that gets root? (I'm thinking of exploit() in main.c.)

Thanks, I'll have a look at these tomorrow.

And no, my ROP chain doesn't get root, it gets the kernel task directly. With that, we could just give ourselves root, but... what's the point?

I saw jndok's blog and Trident's PoC code. I was so impressed with them that I wanted to try it, like their PoC (getting a root shell in a jailbroken environment).

Anyway, please check the above logs. Thanks.

Okay, the anchor should be 0xffffff8004542000, but it looks like my heap feng shui didn't quite work for the panic, i.e. the value in the log can hardly be the vtable address.

However, since you're on 9.3.3, we might be able to bypass that. Try this:

  • Reboot your device to get back into unjailbroken state

  • Instead of the Pangu app, use qwertyoruiopz's jbme

  • Install kern-utils

  • Run kdump as root

  • Move the resulting kernel.bin to /etc/cl0ver/kernel.bin

  • Create a file at /etc/cl0ver/config.txt with the following contents:

    0xffffff8004542000
    0x1234
    
  • Run ./cl0ver (it should tell you "patch already in place", but you can modify it from there on out if you like)

Also I'm marking this as "declined", since the jbme gives tfp0 for anyone who really needs in on 9.3.3... I'll still help you do this just for the fun of it though. :)

Here are some questions.

In the case of, can it be changed anchor?
When your source code is compiled and run, the address of the anchor varies from time to time.

And when I jailbreak using qwertyoruiopz's jbme and run kdump, the device panics!
What's the problem?

In the case of, can it be changed anchor?

...what? I don't understand that.

And when I jailbreak using qwertyoruiopz's jbme and run kdump, the device panics! What's the problem?

That's a kern-utils problem - starting somewhere between iOS 9.1 and 9.3, there have been changes to the kernel's memory map, which can cause kdump to wrongly guess the base address, and in turn cause a panic when trying to read memory from that address. I'm currently trying to fix that.

Okay. Thanks.

If so, can't I get kernel.bin on iPhone 6 9.3.3?

Well... kmem works fine, so you could run ./cl0ver slide, then add 0xffffff8004004000 to that, and run kmem -r YOUR_ADDRESS_HERE 0x2000000 > kernel.bin.

Sorry.
But I am studying now and want to solve this problem.

I tried kmem, but in this case too, a panic occurs. What's the problem.. T.T
Wrong config.txt?

command : https://ghostbin.com/paste/tusou
panic : https://ghostbin.com/paste/ykgs3

It should have been 0xffffff800e004000, not 0xffffff800a004000. There's another 4 in the original address: 0xffffff8004004000.

Oh! My mistake... Sorry.

iPhone:~ root# ./cl0ver slide
[*] Checking for config file... [src/lib/offsets.c:107 off_cfg]
[*] Yes, attempting to read anchor and vtab from config file... [src/lib/offsets.c:117 off_cfg]
[*] Anchor: 0xffffff8004542000, Vtab (unslid): 0x0000000000001234 [src/lib/offsets.c:121 off_cfg]
[*] Using info leak to get kernel slide... [src/lib/slide.c:64 get_kernel_slide]
[*] Dict: [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[0]: 0x000000d3 [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[1]: 0x81000002 [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[2]: 0x08000004 [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[3]: 0x006c6f6c [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[4]: 0x84000400 [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[5]: 0x69696969 [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[6]: 0x69696969 [src/lib/slide.c:33 get_kernel_anchor]
[*] Spawning user client / Parsing dictionary... [src/lib/io.c:59 _io_spawn_client]
[*] Getting IO service handle... [src/lib/io.c:45 _io_get_service]
[*] Getting IO master port... [src/lib/io.c:30 get_io_master_port]
[*] Creating dict iterator... [src/lib/io.c:72 _io_iterator]
[*] Getting next element from iterator... [src/lib/io.c:84 _io_next]
[*] Releasing user client... [src/lib/io.c:131 _io_release_client]
[*] Kernel stack: [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 0]: 0x6969696969696969 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 1]: 0xffffff8006542000 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 2]: 0x00000000ff002bf1 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 3]: 0xffffff810acf75cc [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 4]: 0xffffff810a60ebb4 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 5]: 0xffffff810a092500 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 6]: 0xffffff810acf75a0 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 7]: 0xffffff80031338a0 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 8]: 0xffffff80060d3690 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 9]: 0x0000000000000003 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[10]: 0x0000000000000000 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[11]: 0xffffff810acf7000 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[12]: 0x0000000000001074 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[13]: 0xffffff8006548a50 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[14]: 0x0000000000000018 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[15]: 0xffffff8006544400 [src/lib/slide.c:44 get_kernel_anchor]
[*] Kernel slide: 0x0000000002000000 [src/lib/slide.c:67 get_kernel_slide]
iPhone:~ root#
iPhone:~ root# ./kmem -r 0xffffff8006004000 0x2000000 > kernel.bin

Thanks!
If I have any other questions, can I leave them here?
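The slide and dump-address arithmetic from the exchange above, written out as an added example (this is not cl0ver's or kern-utils' code): it derives the slide from the leaked anchor the way the log shows it, builds the address to hand to kmem -r, checks that the 32 MB dump actually covers the slid anchor, and flags the digit-dropped address from earlier in the thread by comparing its implied slide with the one cl0ver printed. The 16K page size used for the alignment check is an assumption; the log excerpt is constructed from the values posted above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>
#include <string.h>
#include <stdlib.h>

/* Values taken from the thread: unslid kernel base on this build (13G34),
   unslid anchor from config.txt, and the size passed to kmem -r. */
#define KERNEL_BASE_UNSLID  0xffffff8004004000ULL
#define ANCHOR_UNSLID       0xffffff8004542000ULL
#define DUMP_SIZE           0x2000000ULL
/* Assumption: arm64 kernel uses 16K pages, so a valid slide keeps page alignment. */
#define PAGE_SIZE_ARM64     0x4000ULL

/* Derive the kASLR slide from a leaked pointer that is the slid anchor.
   Returns 0 and sets *slide when the leak is plausible, -1 otherwise. */
int slide_from_leak(uint64_t leaked_anchor, uint64_t *slide)
{
    if (leaked_anchor < ANCHOR_UNSLID) return -1;       /* slide cannot be negative */
    uint64_t s = leaked_anchor - ANCHOR_UNSLID;
    if (s % PAGE_SIZE_ARM64 != 0) return -1;             /* garbage leak, not an anchor */
    *slide = s;
    return 0;
}

/* Slid kernel base: what goes on the kmem -r command line. */
uint64_t slid_kernel_base(uint64_t slide)
{
    return KERNEL_BASE_UNSLID + slide;
}

/* Check a hand-typed kmem address against the slide cl0ver reported.
   For 0xffffff800a004000 the implied slide is 0x6000000, not 0x2000000,
   which is exactly the typo that caused the panic in the thread. */
bool kmem_address_consistent(uint64_t typed_addr, uint64_t slide, uint64_t *implied_slide)
{
    if (typed_addr < KERNEL_BASE_UNSLID) return false;
    *implied_slide = typed_addr - KERNEL_BASE_UNSLID;
    return *implied_slide == slide;
}

/* Does a DUMP_SIZE dump starting at dump_base contain the slid anchor?
   If not, nothing at the anchor can be found in kernel.bin at all. */
bool dump_covers_anchor(uint64_t dump_base, uint64_t slide)
{
    uint64_t a = ANCHOR_UNSLID + slide;
    return a >= dump_base && a + sizeof(uint64_t) <= dump_base + DUMP_SIZE;
}

/* Pull "Kernel slide: 0x..." out of cl0ver's verbose output. Returns 0 on success. */
int parse_slide_from_log(const char *log, uint64_t *slide)
{
    const char *p = strstr(log, "Kernel slide: 0x");
    if (!p) return -1;
    *slide = strtoull(p + strlen("Kernel slide: "), NULL, 16);
    return 0;
}

int main(void)
{
    /* Constructed excerpt of the log posted above (same values, shortened). */
    const char *log =
        "[*] buf[ 1]: 0xffffff8006542000 [src/lib/slide.c:44 get_kernel_anchor]\n"
        "[*] Kernel slide: 0x0000000002000000 [src/lib/slide.c:67 get_kernel_slide]\n";
    uint64_t slide = 0, from_leak = 0, implied = 0;

    if (parse_slide_from_log(log, &slide) != 0) return 1;
    if (slide_from_leak(0xffffff8006542000ULL, &from_leak) != 0 || from_leak != slide) {
        printf("leaked anchor disagrees with reported slide\n");
        return 1;
    }

    uint64_t base = slid_kernel_base(slide);
    printf("kmem -r 0x%016llx 0x%llx > kernel.bin\n",
           (unsigned long long)base, (unsigned long long)DUMP_SIZE);

    /* The address typed earlier in the thread: caught before it panics the device. */
    if (!kmem_address_consistent(0xffffff800a004000ULL, slide, &implied))
        printf("0xffffff800a004000 implies slide 0x%llx, expected 0x%llx: typo\n",
               (unsigned long long)implied, (unsigned long long)slide);
    return 0;
}
```

Run it before typing a kmem command by hand: a wrong address here is a panic on the device, so the cheap consistency check (typed address minus unslid base must equal the slide cl0ver just printed) is worth the few seconds.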

I can not find __ZTV8OSString in the dump file (kernel.bin).
Is that file encrypted? So I tried to decompress it (lzssdec -o 0x00 <kernel.bin> kernel_decrypted)
and the kernel_decrypted file is not a valid file.

Help me, please.

No, it's not encrypted. But since it's a dump, it has no symbol table, hence no __ZTV8OSString. But still, you don't even need that anymore, you're way past that.

As for your crash, only a panic log will reveal what's going wrong there.

As for your crash, only a panic log will reveal what's going wrong there.
What does that mean?

I want to ask you a question after I have studied a little more.
Can I contact you on Twitter?

What does that mean?

Panic log. Information about panic. Usually found at /var/logs/CrashReporter/Panics.

Can I contact you on Twitter?

Sure.

my command log : https://ghostbin.com/paste/ya472
panic log : https://ghostbin.com/paste/tnko4

How do I get OSString's vtable?
After this, I will contact you via Twitter.