benjamin-42/Trident

Offsets iPhone 4,1 iOS 9.2.1

Closed this issue · 41 comments

I've tried to insert the iOS 9.2.1 offsets for the iPhone 4S into the project. The app installs, but once I press YOLO the display shows strange colors (see the attached picture) and the device reboots.
The offsets I've inserted are these:

find_OSSSerializer_serialize(): 0x3107fc
find_OSSymbol_getMetaClass(): 0x312f18
find_calend_gettime(): 0x1de60
find_bufattr_cpx(): 0xd8750
find_clock_ops(): 0x3fc3dc
find_copyin(): 0xc6754
find_bx_lr(): 0xd8752
find_write_gadget(): 0xc6488
find_vm_kernel_addrperm(): 0x44e840
find_kernel_pmap(): 0x3ef444
find_flush_dcache(): 0xbb760
find_invalidate_tlb(): 0xc64e0
find_task_for_pid(): 0x2f56c4
find_setreuid(): 0x2a3bc4


rxbit commented

Same problem, the addresses are correct.

I'm trying to find the offsets too for this iPhone on iOS 9.2.1

I have created a branch for that, but I'm missing the last one (find_setreuid), so maybe it's the wrong one in your list.

https://github.com/ganoninc/Trident/blob/ganoninc-iPhone41_iOS921/Trident/offsetfinder.c

I have used Hopper and it can't find the string "f0b503af2de9000d87b0044602910394d1f800b04d68dff7", even shortened. How did you find this address?

I found a tweet of angelXwind which said to try with this string -> f0b503af2de9000d85b004460d4601

Found all offsets using Hopper for iPhone 4s iOS 9.2.1, from iPhone4,1_9.2.1_13D15_Restore.ipsw (ipsw.me). Please test.

find_OSSSerializer_serialize(): 0x3107fc {803117fc}
find_OSSymbol_getMetaClass(): 0x312f18 {80313f18}
find_calend_gettime(): 0x1de60 {8001ee60}
find_bufattr_cpx(): 0xd8750 {800d9750}
find_clock_ops(): 0x3fc3dc {0x803fd3d8 + 4 = 803fd3dc}
find_copyin(): 0xc6754 {800c7754}
find_bx_lr(): 0xd8752 {800d9752}
find_write_gadget(): 0xc6488 {800c7488}
find_vm_kernel_addrperm(): 0x44e840 {0x8044f844 - 0x4 = 8044f840}
find_kernel_pmap(): 0x3ef444 {803f0444}
find_flush_dcache(): 0xbb760 {800bc760}
find_invalidate_tlb(): 0xc64e0 {800c74e0}
find_task_for_pid(): 0x2f56c4 {802f66c4}
find_setreuid(): 0x2a3bc4 {802a4bc4}

*Updated

It looks like you've forgotten to subtract 0x80001000, so we should try this:

find_OSSSerializer_serialize(): 0x3107fc
find_OSSymbol_getMetaClass(): 0x312f18
find_calend_gettime(): 0x1de60
find_bufattr_cpx(): 0xd8750
find_clock_ops(): 0x3fc3dc
find_copyin(): 0xc6754
find_bx_lr(): 0xd8752
find_write_gadget(): 0xc6488
find_vm_kernel_addrperm(): 0x44e840
find_kernel_pmap(): 0x3ef444
find_flush_dcache(): 0xbb760
find_invalidate_tlb(): 0xc64e0
find_task_for_pid(): 0x2f56c4
find_setreuid(): 0xcc5018

@BiteTheApple can you try?

Just tried, still reboot. :(
My fork is here: https://github.com/BiteTheApple/trident921

rxbit commented

The kernel crashes at io_service_get_matching_services_bin; probably the UAF failed.

If it's failing at the UAF exploit, take a look at the Lookout paper about the Pegasus exploits; on page 29 they show a different payload for iOS 9.0 through 9.3.1.

rxbit commented

Thanks, I tried another payload, but it does not work; it still reboots. It seems that both payloads can fill the object vtable, but the data is wrong.

After using the 32Stage2 payload, which exists for iOS versions from 9.0 to 9.3, there is a problem with assert(read_primitive(kernel_base) == 0xfeedface);

The app does not crash, but it is stuck; Xcode debugging shows Assertion failed: (read_primitive(kernel_base) == 0xfeedface). It seems the kernel base is not == the magic value!


rxbit commented

Confirmed: rebooting and kernel panic using the other stage2 payload. Same result as the previous payload.

For me there is no doubt that the offsets (even for setreuid) presented by BiteTheApple are correct. I am not a programmer or developer; I am interested in downgrading my iPhone 4S on iOS 9.2.1.
A guy from a Chinese forum (http://bbs.feng.com/read-htm-tid-10984095-page-72.html) wrote about iOS 9.1 Trident support. He posted some lines from the exploit.c file:

    #include <stdint.h>
    #include <mach/mach.h>

    uint32_t find_setreuid(void);   /* per-firmware offset, from offsetfinder.c */

    void patch_setreuid(uint32_t kernel_base, mach_port_name_t kernel_task) {
        uint32_t setreuid_base = find_setreuid() + kernel_base;   /* offset + slid kernel base */
        uint32_t branch_addr = 0x3e + setreuid_base;              /* halfword inside setreuid to patch */
        // ushort new_branch = 0xe031; // b loc_802aaa2c iPhone4,1 iOS 9.3.4
        ushort new_branch = 0xe040; // RVA:0x802ab35a 40E0 b loc_802ab3de // iPhone4,1 iOS 9.1
        /* overwrite the 16-bit Thumb instruction at branch_addr via the kernel task port */
        vm_write(kernel_task, branch_addr, (vm_address_t)&new_branch, 2);
    }

Are the numbers 0xe040 and 0x40E0 somehow related to iOS 9.1 support? If so, how do I determine these (RVA?) numbers for iOS 9.2.1, b loc_802A4C6C?
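The 0xe040 in the quoted exploit.c (written as the bytes 40 E0 in a little-endian dump) is the 16-bit Thumb encoding of an unconditional `b`: the top five bits are 11100 and the low eleven bits are a signed halfword count from the instruction address plus 4. The following C is an added example, not code from the Trident project or from any fork linked in this thread; it computes and decodes that encoding, and also does the offset arithmetic from earlier in the thread (subtracting 0x80001000 from the virtual addresses Hopper shows). The only inputs it takes from the thread are the unslid base 0x80001000, the 9.1 branch address 0x802ab35a with its target 0x802ab3de, and the 9.2.1 offsets listed above. It does not locate the branch inside the 9.2.1 setreuid; the `0x3e` in the quoted code is a 9.1 value and has to be re-derived from the 9.2.1 disassembly.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* 32-bit iOS 9 kernel: unslid base stated in this thread (0x80001000). */
#define KERNEL_UNSLID_BASE 0x80001000u

/* Thumb-1 'b' (encoding T2): 11100 imm11. Target = (insn_addr + 4) + (signext(imm11) << 1). */
#define THUMB_B_OPCODE   0xE000u
#define THUMB_B_OPMASK   0xF800u
#define THUMB_B_IMM_MASK 0x07FFu

/* Hopper virtual address -> offset that the find_*() functions return, and back. */
uint32_t kernel_va_to_offset(uint32_t va)  { return va - KERNEL_UNSLID_BASE; }
uint32_t kernel_offset_to_va(uint32_t off) { return off + KERNEL_UNSLID_BASE; }

/* Encode "b target" for a halfword located at insn_addr.
 * Fails if the displacement is odd or outside the +-2 KiB reach of the
 * 16-bit form (a 32-bit B.W would be needed, which this does not emit). */
bool thumb_b_encode(uint32_t insn_addr, uint32_t target, uint16_t *out)
{
    int32_t disp = (int32_t)(target - (insn_addr + 4u));
    if (disp & 1) return false;
    if (disp < -2048 || disp > 2046) return false;
    uint32_t imm11 = ((uint32_t)disp >> 1) & THUMB_B_IMM_MASK;   /* two's complement keeps the sign */
    *out = (uint16_t)(THUMB_B_OPCODE | imm11);
    return true;
}

/* Decode a halfword at insn_addr; fails if it is not a 16-bit unconditional 'b'. */
bool thumb_b_target(uint32_t insn_addr, uint16_t insn, uint32_t *target)
{
    if ((insn & THUMB_B_OPMASK) != THUMB_B_OPCODE) return false;
    int32_t imm11 = insn & THUMB_B_IMM_MASK;
    if (imm11 & 0x400) imm11 -= 0x800;              /* sign-extend 11 bits */
    *target = insn_addr + 4u + ((uint32_t)imm11 << 1);
    return true;
}

/* Byte order as it appears in memory / a hex dump: 0xe040 -> 40 E0. */
void thumb_halfword_bytes(uint16_t insn, uint8_t bytes[2])
{
    bytes[0] = (uint8_t)(insn & 0xFF);
    bytes[1] = (uint8_t)(insn >> 8);
}

int main(void)
{
    /* iOS 9.1 values from the exploit.c fragment quoted in this thread. */
    uint16_t insn;
    uint32_t tgt;
    if (thumb_b_encode(0x802ab35a, 0x802ab3de, &insn))
        printf("b 0x802ab3de at 0x802ab35a encodes as 0x%04x\n", insn);   /* 0xe040 */
    if (thumb_b_target(0x802ab35a, 0xe040, &tgt))
        printf("0xe040 at 0x802ab35a branches to 0x%08x\n", tgt);

    /* The 9.2.1 setreuid offset from this thread, converted back to the address Hopper shows. */
    printf("find_setreuid() 0x2a3bc4 -> 0x%08x\n", kernel_offset_to_va(0x2a3bc4));
    return 0;
}
```

To answer the 9.2.1 question with this, pass `thumb_b_encode` the address of the halfword you intend to overwrite and the loc_802A4C6C target; the result is only valid if the function returns true, since a target more than 2 KiB away cannot be reached by a 16-bit branch at all.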

Hello everyone. The guy who created Trident-Kloader.ipa posted something on his Weibo; maybe it is helpful.
http://weibo.com/u/5363037484

1. The exploitation method on iOS 9.2.X is a little different, so using the same thing will cause problems.
2. The 9.2.X problem and the problem on A6-processor devices are not the same problem.

I'll try to translate it:

  1. The way iOS 9.2.X is exploited is a little different (from 9.1 & 9.3.X), so there will be some mistakes if you use the same way (or something else).
    And he said this is why torachiyo hasn't had success with his source code on 9.2-9.2.1.
  2. The 9.2.X problem and the A6 processor problem are not the same one.

That is all I could find on his Weibo that may be helpful.

So I am an i4s-on-9.2 user, still waiting to downgrade my device. If this information is of any help to you guys, then I will be glad.

I hope you guys can finish this work. Have a nice day!

All right, I remember that I have seen something that may help us find the difference between 9.2.X & 9.3.X with Trident in http://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf
But I forgot which pages, sorry.

rxbit commented

It works now, see rxbit/Trident@664d1b7.

So the 4s panics because of a kernel memory leak at *return with no brackets open and close ( )! Good JOB! @hazytint


Can you send an ipa file with 4s 9.2.1 support please? :)

@hazytint great job! I can't thank you enough :D

9.2.1 ipa file.
http://pan.baidu.com/s/1mhAJ6VQ

Source code. Run it with Xcode.
http://pan.baidu.com/s/1gfHV9jt

Can anyone fix the 9.2 offsets please!

@sumories no ipa, source code only

@pbijilu sorry, I updated it.

@sumories thank you

@sumories Have you tested the ipa yourself? It seems to get stuck, and I can't seem to get "w00t root" using this.

@crysis99 No, my 4s is on 9.2, but someone has succeeded on his 9.2.1 device.

Successful downgrade, nothing is impossible... What I did:

  1. Added kloader to the latest Trident exploit Xcode fix by @hazytint for iPhone 4s iOS 9.2.1.
  2. Installed some brew packages; added idevicediagnostics into usr/local/bin.
  3. cd into the latest OdysseusOTA; add firmware.ipsw -bbupdate.
  4. Installed Trident onto the device.
  5. Ran the Trident kloader exploit and waited until "Wait Exec Sleep Mode".
  6. Ran idevicediagnostics sleep, then pushed the home button several times until I heard the sound; the phone enters DFU mode.
  7. Ran idevicerestore -e firmware.ipsw and waited until the restore finished in the terminal.
  8. Fix in case of problems: install redsn0w to kick it out of recovery mode, or enter DFU mode manually.



*TL;DR Successful downgrade from iOS 9.2.1 to iOS 6.1.3 using this fix trident.

@sumories @crysis99 can't get w00t root on this ipa either; it seems like the app is stuck.

WE DID IT! 9.2 & 9.2.1 ALL SUCCESS!

@sumories used your ipa from this link http://pan.baidu.com/s/1gfysN0B, it worked, ty

Good work! Now the problem with A6 processors should be fixed :)

Worked on iOS 9.2.1 iPhone 4S for downgrading to iOS 6.1.3. Thanks to all who worked on this. Thank you sumories for ipa file http://pan.baidu.com/s/1mhAJ6VQ!

Trident worked on iOS 9.2.1; it went through the Apple logo phase, and now whenever I open it, it says start. I press it and it crashes. Does that mean I'm rooted?

Every time I click start it crashes. I've already gone through the Apple logo phase; am I jailbroken? Comments please, and thank you.

@UnnamedCode This is not a jailbreak tool, it's for root access only. If the device rebooted, that means it failed. What device and what iOS version do you have?

I want to downgrade my iPhone 4S on iOS 9.2 to iOS 6.1.3. Please help me and send me the Trident.ipa for iPhone4,1 iOS 9.2.

C:\Users\Hadii\Desktop\downgrade\libimobiledevice>idevicerestore.exe -e custom.ipsw
NOTE: using cached version data
Found device in DFU mode
Identified device as n94ap, iPhone4,1
Extracting BuildManifest from IPSW
Product Version: 6.1.3
Product Build: 10B329 Major: 10
Device supports Image4: false
Variant: Customer Erase Install (IPSW)
This restore will erase your device data.
Found ECID 4341407892269
Getting ApNonce in dfu mode... d0 3a ab 0e 7c 15 bb b1 97 58 01 24 63 d8 18 1f 34 f0 75 3c
Trying to fetch new SHSH blob
Getting SepNonce in dfu mode...
WARNING: Unable to find BbSkeyId node
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Received SHSH blobs
Extracting filesystem from IPSW
Extracting iBSS.n94ap.RELEASE.dfu...
Personalizing IMG3 component iBSS...
reconstructed size: 76110
Sending iBSS (76110 bytes)...
Nonce: d0 3a ab 0e 7c 15 bb b1 97 58 01 24 63 d8 18 1f 34 f0 75 3c
Extracting iBEC.n94ap.RELEASE.dfu...
Not personalizing component iBEC...
Sending iBEC (279576 bytes)...
ERROR: Unable to connect to device in recovery mode
ERROR: Unable to connect to recovery device
ERROR: Unable to place device into recovery mode from DFU mode

I have this error, please help me :(