Siguza/cl0ver

Unsupported Device N56AP; iOS 9.0.2 (13A452) iPhone 6 Plus

Closed this issue · 9 comments

./cl0ver panic
panic.txt

./cl0ver Output
```
[*] Checking for config file... [src/lib/offsets.c:302 off_cfg]
[*] Nope, let's hope the registry has a compatible anchor & vtab... [src/lib/offsets.c:306 off_cfg]
[*] Page size: 0x0000000000001000 [src/lib/uaf_rop.c:67 uaf_rop_stack]
[*] Allocating ROP stack page at 0x000000000c000000 [src/lib/uaf_rop.c:71 uaf_rop_stack]
[*] Allocated ROP page at 0x000000000c000000 [src/lib/uaf_rop.c:77 uaf_rop_stack]
[*] Initializing offsets... [src/lib/offsets.c:344 off_init]
[*] Checking for offsets cache file... [src/lib/offsets.c:357 off_init]
[*] Using info leak to get kernel slide... [src/lib/slide.c:64 get_kernel_slide]
[*] Dict: [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[0]: 0x000000d3 [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[1]: 0x81000002 [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[2]: 0x08000004 [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[3]: 0x006c6f6c [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[4]: 0x84000400 [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[5]: 0x69696969 [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[6]: 0x69696969 [src/lib/slide.c:33 get_kernel_anchor]
[*] Spawning user client / Parsing dictionary... [src/lib/io.c:60 _io_spawn_client]
[*] Getting IO service handle... [src/lib/io.c:46 _io_get_service]
[*] Getting IO master port... [src/lib/io.c:31 get_io_master_port]
[*] Creating dict iterator... [src/lib/io.c:73 _io_iterator]
[*] Getting next element from iterator... [src/lib/io.c:85 _io_next]
[*] Releasing user client... [src/lib/io.c:132 _io_release_client]
[*] Kernel stack: [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 0]: 0x6969696969696969 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 1]: 0xffffff801974a000 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 2]: 0x00000000ff002bf1 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 3]: 0xffffff8002ebe5cc [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 4]: 0xffffff800117eab4 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 5]: 0xffffff80013be400 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 6]: 0xffffff8002ebe5a0 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 7]: 0xffffff816981b950 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 8]: 0xffffff80192d4edc [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 9]: 0x0000000000000000 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[10]: 0xffffff8019750a50 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[11]: 0xffffff8002ebe000 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[12]: 0xffffff801979ecc8 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[13]: 0x0000000000001074 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[14]: 0x0000000000000000 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[15]: 0xffffff801979e050 [src/lib/slide.c:44 get_kernel_anchor]
[*] Getting anchor address from registry... [src/lib/offsets.c:225 reg_anchor]
[*] Model: N56AP [src/lib/offsets.c:127 get_model]
[*] OS build: 13A452 [src/lib/offsets.c:195 get_os_version]
[!] Unhandled error: Unsupported device/OS combination [src/lib/offsets.c:242 reg_anchor]
```

I hope it will help you to support more devices.
Happy New Year to all of you :-)
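The thread turns on reading cl0ver's `[*]`/`[!]` lines to see where a run stopped (which model and build were detected, whether a slide was found, whether the patch landed). Below is a small triage parser for that log format, added here as an example; it is not cl0ver's code and not from anyone in the thread. The only format it assumes is what the posted logs show (`[level] message [file:line function]`), and the sample lines are copied from the two logs in this issue.

```python
"""Triage helper for cl0ver log output.

Added example (not cl0ver's code). Every line cl0ver prints in the thread has
the shape "[<level>] <message> [<source file>:<line> <function>]", with "*" for
progress and "!" for an error; that is the only format assumed here.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(
    r"^\[(?P<level>[*!])\]\s+(?P<msg>.*?)\s+"
    r"\[(?P<file>[^\s:\]]+):(?P<line>\d+)\s+(?P<func>\w+)\]$"
)

# Constructed samples: lines copied from the two logs posted in this issue.
SAMPLE_UNSUPPORTED = """\
[*] Checking for config file... [src/lib/offsets.c:302 off_cfg]
[*] Model: N56AP [src/lib/offsets.c:127 get_model]
[*] OS build: 13A452 [src/lib/offsets.c:195 get_os_version]
[!] Unhandled error: Unsupported device/OS combination [src/lib/offsets.c:242 reg_anchor]
"""

SAMPLE_PATCHED = """\
[*] Anchor: 0xffffff800454a000, Vtab (unslid): 0xffffff8004503168 [src/lib/offsets.c:122 off_cfg]
[*] Kernel slide: 0x000000001ec00000 [src/lib/slide.c:67 get_kernel_slide]
[*] Successfully installed patch [src/lib/exploit.c:168 patch_host_special_port_4]
"""


@dataclass
class LogLine:
    level: str   # "*" progress, "!" error
    msg: str
    file: str
    line: int
    func: str


@dataclass
class Summary:
    model: Optional[str] = None
    build: Optional[str] = None
    anchor: Optional[int] = None
    slide: Optional[int] = None
    patched: bool = False
    errors: List[str] = field(default_factory=list)
    unparsed: int = 0  # non-empty lines that did not match the format


def parse_line(text: str) -> Optional[LogLine]:
    """Split one log line into its fields; None if it is not in cl0ver's format."""
    m = LINE_RE.match(text.strip())
    if not m:
        return None
    return LogLine(m["level"], m["msg"], m["file"], int(m["line"]), m["func"])


def slide_looks_sane(slide: int, page_size: int = 0x1000) -> bool:
    """A usable slide is non-zero and a whole number of pages (0x1000 per the log)."""
    return slide > 0 and slide % page_size == 0


def summarize(log: str) -> Summary:
    """Pull the facts a reader of this thread wants out of a pasted cl0ver log."""
    s = Summary()
    for raw in log.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            s.unparsed += 1
            continue
        if entry.level == "!":
            s.errors.append(entry.msg)
        elif entry.msg.startswith("Model: "):
            s.model = entry.msg[len("Model: "):]
        elif entry.msg.startswith("OS build: "):
            s.build = entry.msg[len("OS build: "):]
        elif entry.msg.startswith("Anchor: "):
            # "Anchor: 0x..., Vtab (unslid): 0x..." -> keep the anchor only
            s.anchor = int(entry.msg.split(",")[0][len("Anchor: "):], 16)
        elif entry.msg.startswith("Kernel slide: "):
            s.slide = int(entry.msg[len("Kernel slide: "):], 16)
        elif entry.msg.startswith("Successfully installed patch"):
            s.patched = True
    return s


if __name__ == "__main__":
    for name, log in (("unsupported", SAMPLE_UNSUPPORTED), ("patched", SAMPLE_PATCHED)):
        print(name, summarize(log))
```

Running it over the first log in this issue yields model N56AP, build 13A452 and the single error "Unhandled error: Unsupported device/OS combination"; over the successful run it yields a slide of 0x1ec00000 and `patched=True`. Unmatched lines are counted rather than dropped, so a paste that was wrapped or mangled by the pastebin shows up as `unparsed > 0` instead of silently losing fields.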

Changing to this thread as this is the same device / firmware I am on.

cl0ver log
https://ghostbin.com/paste/5bfpu

panic log
https://ghostbin.com/paste/68wp8

Doesn't seem like that panic log caught the vtable... the anchor seems to be the same as for N61AP though, so it might be worth trying with these values in /etc/cl0ver/config.txt:

0xffffff800454a000
0xffffff8004503168

Tried dumping a few times, keeps crashing my phone, here is the output:

https://ghostbin.com/paste/s9vpo

And here is the panic:

https://ghostbin.com/paste/txdzz

OK, I used the offsets.dat provided by gitNemo and it looks like my kernel was successfully patched.

[*] Successfully installed patch [src/lib/exploit.c:168 patch_host_special_port_4]

Full output here
https://ghostbin.com/paste/hypy5

So my only question is how do I verify that my device now has tfp0? Is there a command I can run to check?

If your device hasn't crashed, it's very likely that it succeeded.
But you could install kern-utils and, as root, run e.g. kmap. That would print the kernel memory map if successful, or an error message otherwise.

I used the offsets that you say worked for you @effowe and we have the same device/model/build but I keep crashing at this point below. Is there anything else you had to do?

```
[*] Checking for config file... [src/lib/offsets.c:108 off_cfg]
[*] Yes, attempting to read anchor and vtab from config file... [src/lib/offsets.c:118 off_cfg]
[*] Anchor: 0xffffff800454a000, Vtab (unslid): 0xffffff8004503168 [src/lib/offsets.c:122 off_cfg]
[*] Using info leak to get kernel slide... [src/lib/slide.c:64 get_kernel_slide]
[*] Dict: [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[0]: 0x000000d3 [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[1]: 0x81000002 [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[2]: 0x08000004 [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[3]: 0x006c6f6c [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[4]: 0x84000400 [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[5]: 0x69696969 [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[6]: 0x69696969 [src/lib/slide.c:33 get_kernel_anchor]
[*] Spawning user client / Parsing dictionary... [src/lib/io.c:59 _io_spawn_client]
[*] Getting IO service handle... [src/lib/io.c:45 _io_get_service]
[*] Getting IO master port... [src/lib/io.c:30 get_io_master_port]
[*] Creating dict iterator... [src/lib/io.c:72 _io_iterator]
[*] Getting next element from iterator... [src/lib/io.c:84 _io_next]
[*] Releasing user client... [src/lib/io.c:131 _io_release_client]
[*] Kernel stack: [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 0]: 0x6969696969696969 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 1]: 0xffffff802314a000 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 2]: 0x00000000ff002bf1 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 3]: 0xffffff80030e45cc [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 4]: 0xffffff8002dc67b4 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 5]: 0xffffff80012df800 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 6]: 0xffffff80030e45a0 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 7]: 0xffffff801fff3950 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 8]: 0xffffff8022cd4edc [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 9]: 0x0000000000000000 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[10]: 0xffffff8023150a50 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[11]: 0xffffff80030e4000 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[12]: 0xffffff802319ecc8 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[13]: 0x0000000000001074 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[14]: 0x0000000000000000 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[15]: 0xffffff802319e050 [src/lib/slide.c:44 get_kernel_anchor]
[*] Kernel slide: 0x000000001ec00000 [src/lib/slide.c:67 get_kernel_slide]
[*] Page size: 0x0000000000001000 [src/lib/uaf_rop.c:113 uaf_rop_stack]
[*] Allocating ROP stack page at 0x000000000c000000 [src/lib/uaf_rop.c:117 uaf_rop_stack]
[*] Allocated ROP page at 0x000000000c000000 [src/lib/uaf_rop.c:123 uaf_rop_stack]
[*] Initializing offsets... [src/lib/offsets.c:148 off_init]
[*] Checking for offsets cache file... [src/lib/offsets.c:161 off_init]
[*] No offsets loaded so far, checking for dumped kernel... [src/lib/offsets.c:203 off_init]
[*] Failed to open file (No such file or directory) [src/lib/offsets.c:212 off_init]
[*] That didn't work, dumping the kernel now... [src/lib/offsets.c:274 off_init]
[*] Dumping kernel, this will take some time... [src/lib/uaf_read.c:434 uaf_dump_kernel]
[*] Dumping kernel bytes 0xffffff8022c04000-0xffffff8022c05000... [src/lib/uaf_read.c:287 uaf_read]
[*] OS build: 13A452 [src/lib/device.c:102 get_os_version_internal]
[*] Dumping 0xffffff8022c04000-0xffffff8022c05000... [src/lib/uaf_read.c:333 uaf_read]
[*] Kernel segments: [src/lib/uaf_read.c:459 uaf_dump_kernel]
[*] Mem: 0xffffff8022c04000-0xffffff80230f4000 File: 0x0000000000000000-0x00000000004f0000 __TEXT [src/lib/uaf_read.c:470 uaf_dump_kernel]
[*] Mem: 0xffffff8022c07000-0xffffff802309152c File: 0x0000000000003000-0x000000000048d52c __TEXT.__text [src/lib/uaf_read.c:474 uaf_dump_kernel]
[*] Mem: 0xffffff8023091540-0xffffff80230b74cc File: 0x000000000048d540-0x00000000004b34cc __TEXT.__const [src/lib/uaf_read.c:474 uaf_dump_kernel]
[*] Mem: 0xffffff80230b74cc-0xffffff80230f3da5 File: 0x00000000004b34cc-0x00000000004efda5 __TEXT.__cstring [src/lib/uaf_read.c:474 uaf_dump_kernel]
[*] Mem: 0xffffff80230f4000-0xffffff80231b8000 File: 0x00000000004f0000-0x0000000000548000 __DATA [src/lib/uaf_read.c:470 uaf_dump_kernel]
[*] Mem: 0xffffff80230f4000-0xffffff80230f4208 File: 0x00000000004f0000-0x00000000004f0208 __DATA.__mod_init_fun
```

effowe said he used gitNemo's offsets.dat file - link, unzip & put at /etc/cl0ver/offsets.dat. That should let you use cl0ver without a kernel dump, i.e. running ./cl0ver should install the patch right away.

OMG thank you! That worked, I'm closing out my other issue now.

I'm marking this as resolved as per c06430a (also see offsets database).