Closed D0m0 closed 7 years ago
I see from the panic log that you were using kmem
... accessing unmapped memory in kernel mode causes a panic, and kmem
is the tool that gives you exactly that kind of control.
I can further see that you were trying to access 0xffffff827fef8000, which on my device is a 1MB NULL mapping, i.e. exactly the kind of mapping that will cause a panic if accessed.
Thanks for the quick reply! Yeah, the last panic was from kmem, that address I got from kmap which I ran previously. But kdump should still work, anyway?
I just realized that using -d helps. Here's what happens when I run kdump:
iPad-Air:/User/Media root# kdump -d -v krn2.bin
[DEBUG] Getting kernel task... [src/lib/libkern.c:64]
[DEBUG] Trying task_for_pid(0)... [src/lib/libkern.c:71]
[DEBUG] Failure. Port: 0x00000000, return value: 0x00000005 ((os/kern) failure) [src/lib/libkern.c:74]
[DEBUG] Trying host_get_special_port(4)... [src/lib/libkern.c:78]
[DEBUG] Success! [src/lib/libkern.c:81]
[DEBUG] Success, caching returned port. [src/lib/libkern.c:88]
[DEBUG] kernel_task = 0x00000e03 [src/lib/libkern.c:91]
[DEBUG] Getting kernel base address... [src/lib/libkern.c:100]
[DEBUG] Getting kernel task... [src/lib/libkern.c:64]
[DEBUG] Already happened, returning cached value. [src/lib/libkern.c:67]
[DEBUG] kernel_task = 0x00000e03 [src/lib/libkern.c:91]
[DEBUG] Looping over kernel memory regions... [src/lib/libkern.c:120]
[DEBUG] Searching for next region at 0000000000000000... [src/lib/libkern.c:124]
[DEBUG] Found region ffffff8000000000-ffffff8000800000with --- [src/lib/libkern.c:131]
...
[DEBUG] Searching for next region at ffffff8018000000... [src/lib/libkern.c:124]
[DEBUG] Found region ffffff8018000000-ffffff811a800000with --- [src/lib/libkern.c:131]
[DEBUG] Found a matching memory region. [src/lib/libkern.c:137]
[DEBUG] Reading out Mach-O header from offset 0x2000... [src/lib/libkern.c:146]
And that's where the blue screen blinks...
P.S. kmem works! I actually did access a NUL mapping ;)
When I search for the kernel in kmap output, it is consistent with what "cl0ver slide" says about the kernel slide. But it reports that region as nul, i.e.:
ffffff801c800000-ffffff811f000000 [ 4136M] ----/---- [mem nul cp] 0000000000000000 [0 0 0 0 0] 00000000/00000000:< 0> 0,0 {0,0}
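Added example (not from the thread and not part of the repository's tools): a small parser for kmap output lines in the format quoted above, used to check whether a target address falls in a region kmem can read without panicking. The column meaning (range, size, prot/maxprot, tags) is assumed from the quoted line; all sample lines except the quoted one are constructed.

```python
import re

# Constructed sample of kmap output. The second line is the one quoted in the
# thread; the others are made up for this example with the same column layout.
# Column meaning is assumed: range, size, current/max protection, tags.
KMAP_SAMPLE = """\
ffffff8000000000-ffffff8000800000 [    8M] ----/---- [mem nul cp] 0000000000000000 [0 0 0 0 0] 00000000/00000000:< 0> 0,0 {0,0}
ffffff801c800000-ffffff811f000000 [ 4136M] ----/---- [mem nul cp] 0000000000000000 [0 0 0 0 0] 00000000/00000000:< 0> 0,0 {0,0}
ffffff8120000000-ffffff8120100000 [    1M] r--/rwx [mem cp] 0000000000000000 [0 0 0 0 0] 00000000/00000000:< 0> 0,0 {0,0}
ffffff827fe00000-ffffff827ff00000 [    1M] ----/---- [mem nul cp] 0000000000000000 [0 0 0 0 0] 00000000/00000000:< 0> 0,0 {0,0}
"""

LINE_RE = re.compile(
    r"^(?P<start>[0-9a-f]{16})-(?P<end>[0-9a-f]{16})\s+"
    r"\[\s*[^\]]+\]\s+"                 # size column, e.g. "[ 4136M]"
    r"(?P<prot>\S+)/(?P<max>\S+)\s+"    # current/max protection
    r"\[(?P<tags>[^\]]*)\]"             # tags, e.g. "mem nul cp"
)


def parse_kmap(text):
    """Return a list of (start, end, prot, tags) tuples; end is exclusive."""
    regions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not look like a region entry
        regions.append((int(m["start"], 16), int(m["end"], 16),
                        m["prot"], m["tags"].split()))
    return regions


def classify(regions, addr):
    """'unmapped' if no region covers addr, 'unreadable' if the covering
    region is tagged nul or lacks read permission, else 'readable'."""
    for start, end, prot, tags in regions:
        if start <= addr < end:
            if "nul" in tags or "r" not in prot:
                return "unreadable"
            return "readable"
    return "unmapped"


if __name__ == "__main__":
    regs = parse_kmap(KMAP_SAMPLE)
    for a in (0xffffff827fef8000, 0xffffff801c802000, 0xffffff8120004000):
        print(hex(a), classify(regs, a))
```

Running it reports the address from the panic as unreadable because it lands in a region tagged nul, which is the check worth doing before pointing kmem at an address taken from kmap.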
Well, on iOS 9 or later that depends. It can be the same, but the null mapping can also start earlier, which is what broke practically all kernel utilities.
I still haven't come up with a definitive fix for that, but I do have a new idea that I plan to try out in a few days.
Yes, it seems to start a little earlier indeed. But I still can't read the memory that I "should" be able to. I hope you come up with something!
Should be fixed with 026081c7b5f897d7ec3d14be827c5fc9b7890f4b.
I'm not sure if I'm doing it right, but my iPad Air (J72AP_13A452) crashes when using any utility except kmap, while ./cl0ver and ./cl0ver dump both work OK.
Kernel panic log attached. panic-2017-05-14-141930_part.ips.txt