N71AP, 13A452 (iPhone 6s, 9.0.2)
Closed this issue · 2 comments
iPhone:~ root# ./cl0ver panic
[] Checking for config file... [src/lib/offsets.c:302 off_cfg]
[] Nope, let's hope the registry has a compatible anchor & vtab... [src/lib/offsets.c:306 off_cfg]
[] Using UAF to leak vtable... [src/lib/uaf_panic.c:123 uaf_panic_leak_vtab]
[] dict: [src/lib/uaf_panic.c:182 uaf_panic_leak_vtab]
[] dict[0]: 0x000000d3 [src/lib/uaf_panic.c:182 uaf_panic_leak_vtab]
[] dict[1]: 0x81000002 [src/lib/uaf_panic.c:182 uaf_panic_leak_vtab]
[] dict[2]: 0x09000004 [src/lib/uaf_panic.c:182 uaf_panic_leak_vtab]
[] dict[3]: 0x00727473 [src/lib/uaf_panic.c:182 uaf_panic_leak_vtab]
[] dict[4]: 0x8c000001 [src/lib/uaf_panic.c:182 uaf_panic_leak_vtab]
[] dict_hole: [src/lib/uaf_panic.c:183 uaf_panic_leak_vtab]
[] dict_hole[0]: 0x000000d3 [src/lib/uaf_panic.c:183 uaf_panic_leak_vtab]
[] dict_hole[1]: 0x81000002 [src/lib/uaf_panic.c:183 uaf_panic_leak_vtab]
[] dict_hole[2]: 0x08000004 [src/lib/uaf_panic.c:183 uaf_panic_leak_vtab]
[] dict_hole[3]: 0x00727473 [src/lib/uaf_panic.c:183 uaf_panic_leak_vtab]
[] dict_hole[4]: 0x89000004 [src/lib/uaf_panic.c:183 uaf_panic_leak_vtab]
[] dict_plug: [src/lib/uaf_panic.c:184 uaf_panic_leak_vtab]
[] dict_plug[0]: 0x000000d3 [src/lib/uaf_panic.c:184 uaf_panic_leak_vtab]
[] dict_plug[1]: 0x810001fe [src/lib/uaf_panic.c:184 uaf_panic_leak_vtab]
[] dict_plug[2]: 0x08000004 [src/lib/uaf_panic.c:184 uaf_panic_leak_vtab]
[] dict_plug[3]: 0x00000000 [src/lib/uaf_panic.c:184 uaf_panic_leak_vtab]
[] dict_plug[4]: 0x09000004 [src/lib/uaf_panic.c:184 uaf_panic_leak_vtab]
[] dict_pad: [src/lib/uaf_panic.c:185 uaf_panic_leak_vtab]
[] dict_pad[0]: 0x000000d3 [src/lib/uaf_panic.c:185 uaf_panic_leak_vtab]
[] dict_pad[1]: 0x81000080 [src/lib/uaf_panic.c:185 uaf_panic_leak_vtab]
[] dict_pad[2]: 0x08000004 [src/lib/uaf_panic.c:185 uaf_panic_leak_vtab]
[] dict_pad[3]: 0x00000000 [src/lib/uaf_panic.c:185 uaf_panic_leak_vtab]
[] dict_pad[4]: 0x09000004 [src/lib/uaf_panic.c:185 uaf_panic_leak_vtab]
[] Spawning user clients... [src/lib/uaf_panic.c:187 uaf_panic_leak_vtab]
[] Plugging existing heap holes... [src/lib/uaf_panic.c:192 uaf_panic_leak_vtab]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Getting IO service handle... [src/lib/io.c:46 _io_get_service]
[] Getting IO master port... [src/lib/io.c:31 get_io_master_port]
[] Allocating (hopefully) contiguous memory... [src/lib/uaf_panic.c:195 uaf_panic_leak_vtab]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Poking holes... [src/lib/uaf_panic.c:222 uaf_panic_leak_vtab]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Dict: [src/lib/slide.c:33 get_kernel_anchor]
[] dict[0]: 0x000000d3 [src/lib/slide.c:33 get_kernel_anchor]
[] dict[1]: 0x81000002 [src/lib/slide.c:33 get_kernel_anchor]
[] dict[2]: 0x08000004 [src/lib/slide.c:33 get_kernel_anchor]
[] dict[3]: 0x006c6f6c [src/lib/slide.c:33 get_kernel_anchor]
[] dict[4]: 0x84000400 [src/lib/slide.c:33 get_kernel_anchor]
[] dict[5]: 0x69696969 [src/lib/slide.c:33 get_kernel_anchor]
[] dict[6]: 0x69696969 [src/lib/slide.c:33 get_kernel_anchor]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Creating dict iterator... [src/lib/io.c:73 _io_iterator]
[] Getting next element from iterator... [src/lib/io.c:85 _io_next]
[] Getting next element from iterator... [src/lib/io.c:85 _io_next]
[] Getting next element from iterator... [src/lib/io.c:85 _io_next]
[] Getting next element from iterator... [src/lib/io.c:85 _io_next]
[] Getting next element from iterator... [src/lib/io.c:85 _io_next]
[] Getting next element from iterator... [src/lib/io.c:85 _io_next]
[] Getting next element from iterator... [src/lib/io.c:85 _io_next]
[] Getting next element from iterator... [src/lib/io.c:85 _io_next]
[] Getting next element from iterator... [src/lib/io.c:85 _io_next]
[] Getting next element from iterator... [src/lib/io.c:85 _io_next]
[] Getting next element from iterator... [src/lib/io.c:85 _io_next]
[] Getting next element from iterator... [src/lib/io.c:85 _io_next]
[] Getting next element from iterator... [src/lib/io.c:85 _io_next]
[] Getting next element from iterator... [src/lib/io.c:85 _io_next]
[] Getting next element from iterator... [src/lib/io.c:85 _io_next]
[] Getting next element from iterator... [src/lib/io.c:85 _io_next]
[] Getting next element from iterator... [src/lib/io.c:85 _io_next]
[] Getting next element from iterator... [src/lib/io.c:85 _io_next]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Kernel stack: [src/lib/slide.c:44 get_kernel_anchor]
[] buf[ 0]: 0x6969696969696969 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[ 1]: 0xffffff801b53e000 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[ 2]: 0x00000000ff002bf1 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[ 3]: 0xffffff811d7545cc [src/lib/slide.c:44 get_kernel_anchor]
[] buf[ 4]: 0xffffff811fbd2ab4 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[ 5]: 0xffffff811d2f2f00 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[ 6]: 0xffffff811d7545a0 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[ 7]: 0xffffff80025e3950 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[ 8]: 0xffffff801b0d5e48 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[ 9]: 0x0000000000000000 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[10]: 0xffffff801b544a50 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[11]: 0xffffff811d754000 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[12]: 0xffffff801b592cc0 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[13]: 0x0000000000001074 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[14]: 0x0000000000000000 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[15]: 0xffffff801b592050 [src/lib/slide.c:44 get_kernel_anchor]
[] ************** Info ************** [src/lib/uaf_panic.c:21 print_info]
[] * To go along with the panic log * [src/lib/uaf_panic.c:22 print_info]
[] * Model: N71AP * [src/lib/uaf_panic.c:28 print_info]
[] * OS build: 13A452 * [src/lib/uaf_panic.c:36 print_info]
[] * Anchor: 0xffffff801b53e000 * [src/lib/uaf_panic.c:44 print_info]
[] ********************************** [src/lib/uaf_panic.c:45 print_info]
[] Triggering panic! [src/lib/uaf_panic.c:231 uaf_panic_leak_vtab]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[*] Releasing user client... [src/lib/io.c:132 _io_release_client]
[!] Unhandled error: Failed to parse dictionary (client = 0x00000000, ret = 0: (os/kern) successful, err = 3758097090: (iokit/common) invalid argument) [src/lib/io.c:66 _io_spawn_client]
Missed the signing window for 10.2, but saved my blobs. Any help is much appreciated!
iPhone:~ root# ./cl0ver dump
[] Checking for config file... [src/lib/offsets.c:302 off_cfg]
[] Nope, let's hope the registry has a compatible anchor & vtab... [src/lib/offsets.c:306 off_cfg]
[] Dumping kernel to file [src/lib/exploit.c:41 dump_kernel]
[] Dumping kernel, this will take some time... [src/lib/uaf_read.c:284 uaf_dump_kernel]
[] Using info leak to get kernel slide... [src/lib/slide.c:64 get_kernel_slide]
[] Dict: [src/lib/slide.c:33 get_kernel_anchor]
[] dict[0]: 0x000000d3 [src/lib/slide.c:33 get_kernel_anchor]
[] dict[1]: 0x81000002 [src/lib/slide.c:33 get_kernel_anchor]
[] dict[2]: 0x08000004 [src/lib/slide.c:33 get_kernel_anchor]
[] dict[3]: 0x006c6f6c [src/lib/slide.c:33 get_kernel_anchor]
[] dict[4]: 0x84000400 [src/lib/slide.c:33 get_kernel_anchor]
[] dict[5]: 0x69696969 [src/lib/slide.c:33 get_kernel_anchor]
[] dict[6]: 0x69696969 [src/lib/slide.c:33 get_kernel_anchor]
[] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[] Getting IO service handle... [src/lib/io.c:46 _io_get_service]
[] Getting IO master port... [src/lib/io.c:31 get_io_master_port]
[] Creating dict iterator... [src/lib/io.c:73 _io_iterator]
[] Getting next element from iterator... [src/lib/io.c:85 _io_next]
[] Releasing user client... [src/lib/io.c:132 _io_release_client]
[] Kernel stack: [src/lib/slide.c:44 get_kernel_anchor]
[] buf[ 0]: 0x6969696969696969 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[ 1]: 0xffffff801b53e000 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[ 2]: 0x00000000ff002bf1 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[ 3]: 0xffffff811ce885cc [src/lib/slide.c:44 get_kernel_anchor]
[] buf[ 4]: 0xffffff811fbd22b4 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[ 5]: 0xffffff811cb2fa00 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[ 6]: 0xffffff811ce885a0 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[ 7]: 0xffffff80021d3950 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[ 8]: 0xffffff801b0d5e48 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[ 9]: 0x0000000000000000 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[10]: 0xffffff801b544a50 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[11]: 0xffffff811ce88000 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[12]: 0xffffff801b592cc0 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[13]: 0x0000000000001074 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[14]: 0x0000000000000000 [src/lib/slide.c:44 get_kernel_anchor]
[] buf[15]: 0xffffff801b592050 [src/lib/slide.c:44 get_kernel_anchor]
[] Getting anchor address from registry... [src/lib/offsets.c:225 reg_anchor]
[] Model: N71AP [src/lib/offsets.c:127 get_model]
[*] OS build: 13A452 [src/lib/offsets.c:195 get_os_version]
[!] Unhandled error: Unsupported device/OS combination [src/lib/offsets.c:242 reg_anchor]
Support for iPhone 6 and 6s (N61AP, N71AP, N71mAP) on 9.0.2 has been added with rev 271f51b, and my newly started offset database lists an offsets.dat file for 6s on 9.0.2, so you can skip the unstable kernel dumping (see the updated Usage part of the readme for more info).
I'm marking this as resolved.