Closed imrobbyrc closed 8 months ago
Got the offsets, but the app still crashes or the device panics.
base: 0xfffffff007004000
perfmon_devices: 0xfffffff0078e0c10
cdevsw: 0xfffffff0078a5048
perfmon_dev_open: 0xfffffff0073347c4
ptov_table: 0xfffffff007107168
gVirtBase: 0xfffffff0071519b8
gPhysBase: 0xfffffff007153790
gPhysSize: 0xfffffff007153798
Any help guys? @mineek
Here's the full panic log:
{"bug_type":"210","timestamp":"2024-01-09 22:39:18.00 +0700","os_version":"iPhone OS 16.1.2 (20B110)","roots_installed":0,"incident_id":"7ED711AA-43A4-45CC-BAE3-4D79872A887B"}
{
"build" : "iPhone OS 16.1.2 (20B110)",
"product" : "iPhone10,6",
"socId" : "0x00008015",
"kernel" : "Darwin Kernel Version 22.1.0: Thu Oct 6 19:34:18 PDT 2022; root:xnu-8792.42.7~1\/RELEASE_ARM64_T8015",
"incident" : "7ED711AA-43A4-45CC-BAE3-4D79872A887B",
"crashReporterKey" : "23bfc2194b97b6e6552d0a75be55979a58acd725",
"date" : "2024-01-09 22:39:18.80 +0700",
"panicString" : "panic(cpu 1 caller 0xfffffff020b29ef0): pmap_remove_pv: unexpected PV head 0x2000000000000000, ptep=0xfffffff076fb23c0 pmap=0xffffffe3e6c0b090 pvh=0xfffffff05fb7d428 pai=0x219fe @pmap_data.c:2597\nDebugger message: panic\nMemory ID: 0x6\nOS release type: User\nOS version: 20B110\nKernel version: Darwin Kernel Version 22.1.0: Thu Oct 6 19:34:18 PDT 2022; root:xnu-8792.42.7~1\/RELEASE_ARM64_T8015\nKernelCache UUID: E09E576586F5D38FD2D6E47C8DE2C734\nKernel UUID: 407C5101-7F5C-3681-B232-52284C867A99\nBoot session UUID: 7ED711AA-43A4-45CC-BAE3-4D79872A887B\niBoot version: iBoot-8419.40.112\nsecure boot?: YES\nroots installed: 0\nPaniclog version: 14\nKernel slide: 0x0000000019810000\nKernel text base: 0xfffffff020814000\nmach_absolute_time: 0x42dfd7359\nEpoch Time: sec usec\n Boot : 0x659d6510 0x0009cc48\n Sleep : 0x659d65ac 0x000e0022\n Wake : 0x659d6612 0x00016c3d\n Calendar: 0x659d6887 0x0002b272\n\nZone info:\n Zone map: 0xffffffe0004c0000 - 0xffffffe6004c0000\n . VM : 0xffffffe0004c0000 - 0xffffffe0e6b24000\n . RO : 0xffffffe0e6b24000 - 0xffffffe1337f0000\n . GEN0 : 0xffffffe1337f0000 - 0xffffffe219e54000\n . GEN1 : 0xffffffe219e54000 - 0xffffffe3004b8000\n . GEN2 : 0xffffffe3004b8000 - 0xffffffe3e6b20000\n . GEN3 : 0xffffffe3e6b20000 - 0xffffffe4cd188000\n . DATA : 0xffffffe4cd188000 - 0xffffffe6004c0000\n Metadata: 0xffffffe79b4c8000 - 0xffffffe79ccc8000\n Bitmaps : 0xffffffe79ccc8000 - 0xffffffe79dcb4000\n\nTPIDRx_ELy = {1: 0xffffffe218e823b0 0: 0x0000000000000001 0ro: 0x000000016e1070e0 }\nCORE 0: PC=0xfffffff020a3393c, LR=0xfffffff020a3393c, FP=0xffffffe618e9ff00\nCORE 1 is the one that panicked. Check the full backtrace for details.\nCORE 2: PC=0xfffffff020a3393c, LR=0xfffffff020a3393c, FP=0xffffffe6190dbf00\nCORE 3: PC=0xfffffff020b35f94, LR=0xfffffff020a2c1e8, FP=0xffffffefffe7afa0\nCORE 4: PC=0xfffffff020b36570, LR=0xfffffff020b3656c, FP=0xffffffe618f73e80\nCORE 5: PC=0xfffffff020a3393c, LR=0xfffffff020a3393c, FP=0xffffffe618cdff00\nCompressor Info: 26% of compressed pages limit (OK) and 9% of segments limit (OK) with 1 swapfiles and OK swap space\nNULL bsd_info pointer\nPanicked task 0xffffffe3e8735500: 6084 pages, 1 threads: unknown task\nPanicked thread: 0xffffffe218e823b0, backtrace: 0xffffffee7f593080, tid: 14803\n\t\t lr: 0xfffffff020a044a4 fp: 0xffffffee7f5930c0\n\t\t lr: 0xfffffff020a042b4 fp: 0xffffffee7f593130\n\t\t lr: 0xfffffff020b342a0 fp: 0xffffffee7f5931a0\n\t\t lr: 0xfffffff020b332e0 fp: 0xffffffee7f593260\n\t\t lr: 0xfffffff0209c55fc fp: 0xffffffee7f593270\n\t\t lr: 0xfffffff020a03d34 fp: 0xffffffee7f593620\n\t\t lr: 0xfffffff0210837a8 fp: 0xffffffee7f593640\n\t\t lr: 0xfffffff020b29ef0 fp: 0xffffffee7f5936c0\n\t\t lr: 0xfffffff020b1c59c fp: 0xffffffee7f5937e0\n\t\t lr: 0xfffffff020b20528 fp: 0xffffffee7f593870\n\t\t lr: 0xfffffff020ab502c fp: 0xffffffee7f593990\n\t\t lr: 0xfffffff020ab9d18 fp: 0xffffffee7f593a10\n\t\t lr: 0xfffffff020abd210 fp: 0xffffffee7f593a60\n\t\t lr: 0xfffffff020a3c694 fp: 0xffffffee7f593ac0\n\t\t lr: 0xfffffff020a0a824 fp: 0xffffffee7f593b00\n\t\t lr: 0xfffffff020a40f6c fp: 0xffffffee7f593b70\n\t\t lr: 0xfffffff020a4e974 fp: 0xffffffee7f593cb0\n\t\t lr: 0xfffffff020a527f0 fp: 0xffffffee7f593ce0\n\t\t lr: 0xfffffff0209fb474 fp: 0xffffffee7f593d30\n\t\t lr: 0xfffffff0209c5a3c fp: 0xffffffee7f593d40\n\t\t lr: 0xfffffff020b33140 fp: 0xffffffee7f593d60\n\t\t lr: 0xfffffff020a0618c fp: 0xffffffee7f593dd0\n\t\t lr: 0xfffffff020b34098 fp: 0xffffffee7f593e50\n\t\t lr: 0xfffffff020b3331c fp: 0xffffffee7f593f10\n\t\t lr: 0xfffffff0209c55fc fp: 0xffffffee7f593f20\n\n",
"panicFlags" : "0x802",
"bug_type" : "210",
"otherString" : "\n** Stackshot Succeeded ** Bytes Traced 205897 (Uncompressed 538144) **\n",
"repairStatus" : "1",
"binaryImages" : [],
"notes" : ["Source: (null)","iBoot indicates CRC mismatch","non-parseable kc snapshot buffer"]
}
And here's the reset counter log:
{"os_version":"iPhone OS 16.1.2 (20B110)","bug_type":"115","timestamp":"2024-01-09 22:39:24.00 +0700","name":"Reset count","roots_installed":0,"incident_id":"071E6801-B824-4494-90BF-A0F44CAE04B2"}
Incident Identifier: 071E6801-B824-4494-90BF-A0F44CAE04B2
CrashReporter Key: 23bfc2194b97b6e6552d0a75be55979a58acd725
Date: 2024-01-09 22:39:24.30 +0700
Reset count: 1
Boot failure count: 0
Boot faults:
Boot stage: 0x0
Boot app: 1228880451
socId: 0x00008015
arm64 is not fully supported yet on every version, only iPhone X on 16.6.1.
HEY it's supported now https://github.com/mineek/Serotonin/pull/54 use this
Hi, I don't see a tipa file in your repo, can I build it myself?
Look in actions and go to the first one with a check mark
OK, will test now.
Hi, still not working. My phone just panics, and there is no offsets.txt in /var/mobile in Filza. I tried using the offsets I got from mineek/serotonin, but my device still panics too and just restarts.
Panic logs:
{"bug_type":"210","timestamp":"2024-01-12 09:58:52.00 +0700","os_version":"iPhone OS 16.1.2 (20B110)","roots_installed":0,"incident_id":"211422FA-B225-4794-A3E2-A2433251046A"}
{
"build" : "iPhone OS 16.1.2 (20B110)",
"product" : "iPhone10,6",
"socId" : "0x00008015",
"kernel" : "Darwin Kernel Version 22.1.0: Thu Oct 6 19:34:18 PDT 2022; root:xnu-8792.42.7~1\/RELEASE_ARM64_T8015",
"incident" : "211422FA-B225-4794-A3E2-A2433251046A",
"crashReporterKey" : "23bfc2194b97b6e6552d0a75be55979a58acd725",
"date" : "2024-01-12 09:58:52.69 +0700",
"panicString" : "panic(cpu 3 caller 0xfffffff01321800c): Kernel data abort. at pc 0xfffffff013030f54, lr 0xfffffff01303cf08 (saved state: 0xffffffe9fcf3f4d0)\n\t x0: 0xffffffe3ffc9c000 x1: 0xffffffe9fcf3f870 x2: 0xffffffe9fcf3f858 x3: 0xffffffe9fcf3fcb8\n\t x4: 0xffffffe9fcf3f8c0 x5: 0xffffffe233b523e0 x6: 0x000000016d50a728 x7: 0x00000000000004a0\n\t x8: 0x0000000000000054 x9: 0x000000000004bdc5 x10: 0xffffffe31a3fce00 x11: 0x0000000000004000\n\t x12: 0x0000000000420000 x13: 0x0000000000420001 x14: 0x00000000ffdfffff x15: 0xfffffff013230628\n\t x16: 0xfffffff012fac114 x17: 0xfffffff013230000 x18: 0xfffffff012b51000 x19: 0xffffffe233b51f08\n\t x20: 0xffffffe9fcf3f870 x21: 0xffffffe3ffc9c000 x22: 0xfffffff0132ccad8 x23: 0xffffffe3ffc9c000\n\t x24: 0xffffffe9fcf3f858 x25: 0x00000000000004a0 x26: 0x0000000000000003 x27: 0xfffffff01329e000\n\t x28: 0xfffffff012ae8f98 fp: 0xffffffe9fcf3f840 lr: 0xfffffff01303cf08 sp: 0xffffffe9fcf3f820\n\t pc: 0xfffffff013030f54 cpsr: 0x60400204 esr: 0x96000006 far: 0x000000000000005c\n\nDebugger message: panic\nMemory ID: 0x6\nOS release type: User\nOS version: 20B110\nKernel version: Darwin Kernel Version 22.1.0: Thu Oct 6 19:34:18 PDT 2022; root:xnu-8792.42.7~1\/RELEASE_ARM64_T8015\nKernelCache UUID: E09E576586F5D38FD2D6E47C8DE2C734\nKernel UUID: 407C5101-7F5C-3681-B232-52284C867A99\nBoot session UUID: 211422FA-B225-4794-A3E2-A2433251046A\niBoot version: iBoot-8419.40.112\nsecure boot?: YES\nroots installed: 0\nPaniclog version: 14\nKernel slide: 0x000000000b99c000\nKernel text base: 0xfffffff0129a0000\nmach_absolute_time: 0x10f2133ba\nEpoch Time: sec usec\n Boot : 0x65a0aa19 0x000b1e5c\n Sleep : 0x00000000 0x00000000\n Wake : 0x00000000 0x00000000\n Calendar: 0x65a0aacc 0x0006577b\n\nZone info:\n Zone map: 0xffffffe01933c000 - 0xffffffe61933c000\n . VM : 0xffffffe01933c000 - 0xffffffe0ff9a0000\n . RO : 0xffffffe0ff9a0000 - 0xffffffe14c66c000\n . GEN0 : 0xffffffe14c66c000 - 0xffffffe232cd0000\n . GEN1 : 0xffffffe232cd0000 - 0xffffffe319334000\n . GEN2 : 0xffffffe319334000 - 0xffffffe3ff99c000\n . GEN3 : 0xffffffe3ff99c000 - 0xffffffe4e6004000\n . DATA : 0xffffffe4e6004000 - 0xffffffe61933c000\n Metadata: 0xffffffe879c2c000 - 0xffffffe87b42c000\n Bitmaps : 0xffffffe87b42c000 - 0xffffffe87c414000\n\nTPIDRx_ELy = {1: 0xffffffe233b51f08 0: 0x0000000000000003 0ro: 0x000000016d50b0e0 }\nCORE 0: PC=0xfffffff012bbf93c, LR=0xfffffff012bbf93c, FP=0xffffffe6f9183f00\nCORE 1: PC=0x00000001ad743044, LR=0x00000001ae518fc8, FP=0x000000016d2dd020\nCORE 2: PC=0xfffffff012bbf93c, LR=0xfffffff012bbf93c, FP=0xffffffe9fcdfbf00\nCORE 3 is the one that panicked. Check the full backtrace for details.\nCORE 4: PC=0xfffffff012bbf93c, LR=0xfffffff012bbf93c, FP=0xffffffe9fce5bf00\nCORE 5: PC=0xfffffff012bbf93c, LR=0xfffffff012bbf93c, FP=0xffffffe6f9147f00\nCompressor Info: 20% of compressed pages limit (OK) and 9% of segments limit (OK) with 1 swapfiles and OK swap space\nPanicked task 0xffffffe23172e038: 27027 pages, 5 threads: pid 429: usprebooter\nPanicked thread: 0xffffffe233b51f08, backtrace: 0xffffffe9fcf3ecb0, tid: 5084\n\t\t lr: 0xfffffff012b904a4 fp: 0xffffffe9fcf3ecf0\n\t\t lr: 0xfffffff012b902b4 fp: 0xffffffe9fcf3ed60\n\t\t lr: 0xfffffff012cc02a0 fp: 0xffffffe9fcf3edd0\n\t\t lr: 0xfffffff012cbf2e0 fp: 0xffffffe9fcf3ee90\n\t\t lr: 0xfffffff012b515fc fp: 0xffffffe9fcf3eea0\n\t\t lr: 0xfffffff012b8fd34 fp: 0xffffffe9fcf3f250\n\t\t lr: 0xfffffff01320f7a8 fp: 0xffffffe9fcf3f270\n\t\t lr: 0xfffffff01321800c fp: 0xffffffe9fcf3f3f0\n\t\t lr: 0xfffffff012cbfb6c fp: 0xffffffe9fcf3f4b0\n\t\t lr: 0xfffffff012b515fc fp: 0xffffffe9fcf3f4c0\n\t\t lr: 0xfffffff01303cf08 fp: 0xffffffe9fcf3f840\n\t\t lr: 0xfffffff01303cf08 fp: 0xffffffe9fcf3fd40\n\t\t lr: 0xfffffff01303b2f0 fp: 0xffffffe9fcf3fda0\n\t\t lr: 0xfffffff013039f10 fp: 0xffffffe9fcf3fdc0\n\t\t lr: 0xfffffff0130c986c fp: 0xffffffe9fcf3fe50\n\t\t lr: 0xfffffff012cbf408 fp: 0xffffffe9fcf3ff10\n\t\t lr: 0xfffffff012b515fc fp: 0xffffffe9fcf3ff20\n\n",
"panicFlags" : "0x802",
"bug_type" : "210",
"otherString" : "\n** Stackshot Succeeded ** Bytes Traced 207149 (Uncompressed 536976) **\n",
"repairStatus" : "1",
"binaryImages" : [],
"notes" : ["Source: (null)","iBoot indicates CRC mismatch","non-parseable kc snapshot buffer"]
}
Strange
Tried with 512 and 1024 headroom and 3072 PUAF pages.
That's too many pages. Decrease it.
Still the same with 1072 -> 576 -> 380 pages.
Huh.
If you need some debugging, I can help.
Is that the full panic log?
Yes, here are the crash panic logs and the Serotonin crash: Crash.zip
For reference, I tried the latest mikasa kfd and it works for me. Here are its offsets:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>kern_version</key>
<string>Darwin Kernel Version 22.1.0: Thu Oct 6 19:34:18 PDT 2022; root:xnu-8792.42.7~1/RELEASE_ARM64_T8015</string>
<key>off_cdevsw</key>
<integer>18446744005116579912</integer>
<key>off_gPhysBase</key>
<integer>18446744005108905872</integer>
<key>off_gPhysSize</key>
<integer>18446744005108905880</integer>
<key>off_gVirtBase</key>
<integer>18446744005108898232</integer>
<key>off_perfmon_dev_open</key>
<integer>18446744005110876100</integer>
<key>off_perfmon_devices</key>
<integer>18446744005116824592</integer>
<key>off_proc_object_size</key>
<integer>1328</integer>
<key>off_ptov_table</key>
<integer>18446744005108593000</integer>
<key>off_vn_kqfilter</key>
<integer>18446744005111196012</integer>
</dict>
</plist>
Also, mineek's Serotonin creates offsets too. Here they are:
base: 0xfffffff007004000
perfmon_devices: 0xfffffff0078e0c10
cdevsw: 0xfffffff0078a5048
perfmon_dev_open: 0xfffffff0073347c4
ptov_table: 0xfffffff007107168
gVirtBase: 0xfffffff0071519b8
gPhysBase: 0xfffffff007153790
gPhysSize: 0xfffffff007153798
Hmmm.
Looks like both sets of offsets have the same values, so maybe Serotonin needs some more work for arm64 compatibility.
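As an added check (written for this thread, not kfd's or Serotonin's own code): the kfd plist stores addresses as unsigned 64-bit decimals while Serotonin prints hex, so the script below converts both, reports any symbol whose address disagrees, and verifies that the `Kernel slide` and `Kernel text base` fields of the first panic log are consistent with the offsets' unslid base. All inputs are constructed from the values quoted above.

```python
import plistlib
import re

# Inputs constructed from the values quoted in this thread.
KFD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>off_cdevsw</key><integer>18446744005116579912</integer>
<key>off_gPhysBase</key><integer>18446744005108905872</integer>
<key>off_gPhysSize</key><integer>18446744005108905880</integer>
<key>off_gVirtBase</key><integer>18446744005108898232</integer>
<key>off_perfmon_dev_open</key><integer>18446744005110876100</integer>
<key>off_perfmon_devices</key><integer>18446744005116824592</integer>
<key>off_ptov_table</key><integer>18446744005108593000</integer>
</dict></plist>"""
SEROTONIN_TXT = """base: 0xfffffff007004000
perfmon_devices: 0xfffffff0078e0c10
cdevsw: 0xfffffff0078a5048
perfmon_dev_open: 0xfffffff0073347c4
ptov_table: 0xfffffff007107168
gVirtBase: 0xfffffff0071519b8
gPhysBase: 0xfffffff007153790
gPhysSize: 0xfffffff007153798
"""
# Two fields excerpted from the first panic log in the thread.
PANIC = "Kernel slide: 0x0000000019810000\nKernel text base: 0xfffffff020814000\n"

def parse_kfd_plist(data: bytes) -> dict:
    # plistlib returns <integer> values as Python ints, so the decimal
    # strings map directly onto unsigned 64-bit kernel addresses.
    d = plistlib.loads(data)
    return {k[len("off_"):]: v for k, v in d.items() if k.startswith("off_")}

def parse_serotonin_txt(text: str) -> dict:
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^(\w+):\s*(0x[0-9a-fA-F]+)", text, re.M)}

def diff_offsets(a: dict, b: dict) -> dict:
    # Symbols present in both sets whose addresses disagree.
    return {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}

def panic_slide(panic: str) -> int:
    return int(re.search(r"Kernel slide: (0x[0-9a-f]+)", panic).group(1), 16)

def matches_panic(panic: str, base: int) -> bool:
    # The logged text base must equal the offsets' unslid base plus the slide;
    # otherwise the offsets were generated for a different kernelcache.
    text = int(re.search(r"Kernel text base: (0x[0-9a-f]+)", panic).group(1), 16)
    return text == base + panic_slide(panic)

def unslide(addr: int, panic: str) -> int:
    # Runtime address from a backtrace -> static kernelcache address.
    return addr - panic_slide(panic)
```

With these inputs `diff_offsets` is empty and `matches_panic` is true, which confirms the poster's observation that both tools produced the same offsets for this kernelcache; `unslide` turns the panic caller into an address that can be looked up in a disassembly of the kernelcache.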
Look in actions, latest build fixes arm64
Checking bro
Wow, it's working now bro, really you're a genius 🎉 thanks bro
Cool.
I tried many times; the app just crashes or my device panics.