Siguza / ios-kern-utils

iOS Kernel utilities
MIT License
240 stars, 54 forks

iPad Air 2 iOS 9.0.2 - Failed to get kernel task (invalid port) #18

Open Mob-Barley opened 5 years ago

Mob-Barley commented 5 years ago

Dear Siguza, thank you for this project! For me it's now time to move from iOS 9.0.2 to 12.1 on my iPad Air 2, now that it's finally jailbroken.

Unfortunately I wasn't able to set the nonce. At first cl0ver reported a successful installation. I have already tried two versions of your ios-kern-utils (1.4.1 and the one from https://github.com/Siguza/ios-kern-utils/issues/2) and the nvpatch, and I have searched the issues here on GitHub. You can see the output below.

```
iPad-Air:~ root# ./kmap && ./nvpatch -v -d com.apple.System.boot-nonce
[!] Failed to get kernel task ((os/kern) failure, kernel_task = 0)
iPad-Air:~ root# ./nvpatch -v -d com.apple.System.boot-nonce
[DEBUG] Getting kernel task... [src/lib/libkern.c:68]
[DEBUG] Trying task_for_pid(0)... [src/lib/libkern.c:69]
[DEBUG] Failure. Port: 0x00000000, return value: 0x00000005 ((os/kern) failure) [src/lib/libkern.c:72]
[DEBUG] Trying host_get_special_port(4)... [src/lib/libkern.c:76]
[DEBUG] Returned success, but port is invalid (0x00000000) [src/lib/libkern.c:79]
[DEBUG] Returning failure. [src/lib/libkern.c:83]
[!] Failed to get kernel task ((os/kern) failure, kernel_task = 0)
```

What is wrong with my special port? I would be glad if you could help me with this issue. Many greetings from Germany!

Mob Barley

Siguza commented 5 years ago

Well that sounds inconsistent. Would you mind posting the cl0ver output?

Mob-Barley commented 5 years ago

Thank you for the fast reply. I get the following output:

cl0ver output

```
iPad-Air:~ root# ./cl0ver
[*] Checking for config file... [src/lib/offsets.c:176 off_cfg]
[*] Nope, let's hope the registry has a compatible anchor & vtab... [src/lib/offsets.c:181 off_cfg]
[*] OS build: 13A452 [src/lib/device.c:102 get_os_version_internal]
[*] Page size: 0x0000000000004000 [src/lib/uaf_rop.c:113 uaf_rop_stack]
[*] Allocating ROP stack page at 0x000000000c000000 [src/lib/uaf_rop.c:117 uaf_rop_stack]
[*] Allocated ROP page at 0x000000000c000000 [src/lib/uaf_rop.c:123 uaf_rop_stack]
[*] Initializing offsets... [src/lib/offsets.c:253 off_init]
[*] Checking for offsets cache file... [src/lib/offsets.c:266 off_init]
[*] Yes, trying to load offsets from cache... [src/lib/offsets.c:272 off_init]
[*] Successfully loaded offsets from cache, skipping kernel dumping. [src/lib/offsets.c:289 off_init]
[*] Using info leak to get kernel slide... [src/lib/slide.c:64 get_kernel_slide]
[*] Dict: [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[0]: 0x000000d3 [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[1]: 0x81000002 [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[2]: 0x08000004 [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[3]: 0x006c6f6c [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[4]: 0x84000400 [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[5]: 0x69696969 [src/lib/slide.c:33 get_kernel_anchor]
[*] dict[6]: 0x69696969 [src/lib/slide.c:33 get_kernel_anchor]
[*] Spawning user client / Parsing dictionary... [src/lib/io.c:59 _io_spawn_client]
[*] Getting IO service handle... [src/lib/io.c:45 _io_get_service]
[*] Getting IO master port... [src/lib/io.c:30 get_io_master_port]
[*] Creating dict iterator... [src/lib/io.c:72 _io_iterator]
[*] Getting next element from iterator... [src/lib/io.c:84 _io_next]
[*] Releasing user client... [src/lib/io.c:131 _io_release_client]
[*] Kernel stack: [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 0]: 0x6969696969696969 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 1]: 0xffffff802454a000 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 2]: 0x00000000ff002bf1 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 3]: 0xffffff80053be5cc [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 4]: 0xffffff80050b93b4 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 5]: 0xffffff8003aa4000 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 6]: 0xffffff80053be5a0 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 7]: 0xffffff802381b950 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 8]: 0xffffff80240d4edc [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[ 9]: 0x0000000000000000 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[10]: 0xffffff8024550a50 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[11]: 0xffffff80053be000 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[12]: 0xffffff802459ecc8 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[13]: 0x0000000000001074 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[14]: 0x0000000000000000 [src/lib/slide.c:44 get_kernel_anchor]
[*] buf[15]: 0xffffff802459e050 [src/lib/slide.c:44 get_kernel_anchor]
[*] Getting anchor address from registry... [src/lib/offsets.c:37 reg_anchor]
[*] Model: J81AP [src/lib/device.c:34 get_model_internal]
[*] Got anchor: 0xffffff800454a000 [src/lib/offsets.c:148 off_anchor]
[*] Kernel slide: 0x0000000020000000 [src/lib/slide.c:67 get_kernel_slide]
[*] Offsets: [src/lib/offsets.c:435 off_init]
[*] gadget_load_x20_x19 = 0xffffff8024008dec [src/lib/offsets.c:436 off_init]
[*] gadget_ldp_x9_add_sp_sp_0x10 = 0xffffff80250b0dbc [src/lib/offsets.c:437 off_init]
[*] gadget_ldr_x0_sp_0x20_load_x22_x19 = 0xffffff80240e3880 [src/lib/offsets.c:438 off_init]
[*] gadget_add_x0_x0_x19_load_x20_x19 = 0xffffff80240dd618 [src/lib/offsets.c:439 off_init]
[*] gadget_blr_x20_load_x22_x19 = 0xffffff8024f83088 [src/lib/offsets.c:440 off_init]
[*] gadget_str_x0_x19_load_x20_x19 = 0xffffff8024029ec0 [src/lib/offsets.c:441 off_init]
[*] gadget_ldr_x0_x21_load_x24_x19 = 0xffffff80243027b0 [src/lib/offsets.c:442 off_init]
[*] gadget_OSUnserializeXML_return = 0xffffff80243f69ec [src/lib/offsets.c:443 off_init]
[*] frag_mov_x1_x20_blr_x19 = 0xffffff802402c128 [src/lib/offsets.c:444 off_init]
[*] func_ldr_x0_x0 = 0xffffff8024119810 [src/lib/offsets.c:445 off_init]
[*] func_current_task = 0xffffff8024051b4c [src/lib/offsets.c:446 off_init]
[*] func_ipc_port_copyout_send = 0xffffff802401e728 [src/lib/offsets.c:447 off_init]
[*] func_ipc_port_make_send = 0xffffff802401e67c [src/lib/offsets.c:448 off_init]
[*] data_kernel_task = 0xffffff802454a010 [src/lib/offsets.c:449 off_init]
[*] data_realhost_special = 0xffffff80245a83f0 [src/lib/offsets.c:450 off_init]
[*] off_task_itk_self = 0x00000000000000e8 [src/lib/offsets.c:451 off_init]
[*] off_task_itk_space = 0x00000000000002a0 [src/lib/offsets.c:452 off_init]
[*] OSUnserializeXML_stack = 0x0000000000000110 [src/lib/offsets.c:453 off_init]
[*] is_io_service_open_extended_stack = 0x0000000000000120 [src/lib/offsets.c:454 off_init]
[*] Rop chain: 0x000000000c000000-0x000000000c000340 [src/lib/exploit.c:73 get_kernel_task]
[*] fp: 0x000000000c000010 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff80250b0dbc [src/lib/exploit.c:77 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c000020 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff80250b0dbc [src/lib/exploit.c:77 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c000030 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff80250b0dbc [src/lib/exploit.c:77 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c000040 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff80250b0dbc [src/lib/exploit.c:77 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c000050 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff80250b0dbc [src/lib/exploit.c:77 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c000060 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff80250b0dbc [src/lib/exploit.c:77 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c000070 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff80250b0dbc [src/lib/exploit.c:77 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c000080 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff80250b0dbc [src/lib/exploit.c:77 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c000090 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff80250b0dbc [src/lib/exploit.c:77 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c0000a0 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff80250b0dbc [src/lib/exploit.c:77 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c0000b0 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff80250b0dbc [src/lib/exploit.c:77 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c0000c0 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff80250b0dbc [src/lib/exploit.c:77 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c0000d0 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff80250b0dbc [src/lib/exploit.c:77 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c000100 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff80240e3880 [src/lib/exploit.c:77 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0xfffffffffffffee0 [src/lib/exploit.c:84 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c000120 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff80240dd618 [src/lib/exploit.c:77 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x000000000c000330 [src/lib/exploit.c:84 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c000140 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff8024029ec0 [src/lib/exploit.c:77 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c000160 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff8024008dec [src/lib/exploit.c:77 get_kernel_task]
[*] 0xffffff8024051b4c [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c000190 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff8024f83088 [src/lib/exploit.c:77 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x00000000000002a0 [src/lib/exploit.c:84 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c0001b0 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff80240dd618 [src/lib/exploit.c:77 get_kernel_task]
[*] 0xffffff8024119810 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c0001e0 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff8024f83088 [src/lib/exploit.c:77 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0xffffff802454a010 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x000000000c0002b0 [src/lib/exploit.c:84 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c000200 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff8024029ec0 [src/lib/exploit.c:77 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c000240 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff80243027b0 [src/lib/exploit.c:77 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x00000000000000e8 [src/lib/exploit.c:84 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c000260 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff80240dd618 [src/lib/exploit.c:77 get_kernel_task]
[*] 0xffffff8024119810 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c000290 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff8024f83088 [src/lib/exploit.c:77 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0xffffff802401e67c [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c0002c0 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff8024f83088 [src/lib/exploit.c:77 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x00000000baadf00d [src/lib/exploit.c:84 get_kernel_task]
[*] 0xffffff8024008dec [src/lib/exploit.c:84 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c0002e0 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff802402c128 [src/lib/exploit.c:77 get_kernel_task]
[*] 0xffffff802401e728 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c000310 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff8024f83088 [src/lib/exploit.c:77 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x000000010005c4e8 [src/lib/exploit.c:84 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x000000000c000330 [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff8024029ec0 [src/lib/exploit.c:77 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] 0x0000000000000000 [src/lib/exploit.c:84 get_kernel_task]
[*] ---------------------- [src/lib/exploit.c:87 get_kernel_task]
[*] fp: 0x00000000deadbeef [src/lib/exploit.c:76 get_kernel_task]
[*] lr: 0xffffff80243f69ec [src/lib/exploit.c:77 get_kernel_task]
[*] Executing ROP chain... [src/lib/uaf_rop.c:131 uaf_rop]
[*] Using UAF to gain PC control... [src/lib/uaf_rop.c:19 uaf_parse]
[*] Data: [src/lib/uaf_rop.c:22 uaf_parse]
[*] data[0]: 0x6fdbba00 [src/lib/uaf_rop.c:22 uaf_parse]
[*] data[1]: 0x00000001 [src/lib/uaf_rop.c:22 uaf_parse]
[*] data[2]: 0x00000064 [src/lib/uaf_rop.c:22 uaf_parse]
[*] data[3]: 0x00000001 [src/lib/uaf_rop.c:22 uaf_parse]
[*] data[4]: 0x00000000 [src/lib/uaf_rop.c:22 uaf_parse]
[*] data[5]: 0x00000001 [src/lib/uaf_rop.c:22 uaf_parse]
[*] data[6]: 0x00000000 [src/lib/uaf_rop.c:22 uaf_parse]
[*] data[7]: 0x00000000 [src/lib/uaf_rop.c:22 uaf_parse]
[*] dict_90: [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[ 0]: 0x000000d3 [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[ 1]: 0x81000004 [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[ 2]: 0x08000004 [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[ 3]: 0x00727473 [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[ 4]: 0x09000004 [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[ 5]: 0x00727473 [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[ 6]: 0x0c000001 [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[ 7]: 0x0b000001 [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[ 8]: 0x0c000001 [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[ 9]: 0x0a000020 [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[10]: 0x6fdbba00 [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[11]: 0x00000001 [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[12]: 0x00000064 [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[13]: 0x00000001 [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[14]: 0x00000000 [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[15]: 0x00000001 [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[16]: 0x00000000 [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[17]: 0x00000000 [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[18]: 0x08000004 [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[19]: 0x00666572 [src/lib/uaf_rop.c:99 uaf_parse]
[*] dict_90[20]: 0x8c000002 [src/lib/uaf_rop.c:99 uaf_parse]
[*] Spawning user client / Parsing dictionary... [src/lib/io.c:59 _io_spawn_client]
[*] TODO: fix ROP to return 0 [src/lib/exploit.c:100 get_kernel_task]
[*] Got kernel task [src/lib/exploit.c:107 get_kernel_task]
[*] Installing host_special_port(4) patch... [src/lib/exploit.c:114 patch_host_special_port_4]
[*] Kernel task address: 0xffffff80023a7b50 [src/lib/exploit.c:130 patch_host_special_port_4]
[*] Kernel task port address: 0xffffff800237bb00 [src/lib/exploit.c:139 patch_host_special_port_4]
[*] Successfully installed patch [src/lib/exploit.c:168 patch_host_special_port_4]
```
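Added example, not code from this thread or from the ios-kern-utils / cl0ver projects: a small Python script that parses the two traces quoted above and makes the failure mode explicit. The first half reads the `libkern.c` debug lines from the `nvpatch -v` run and names the Mach return codes (the names come from `<mach/kern_return.h>`), so that "returned success, but port is invalid" is reported for what it is: `host_get_special_port()` succeeded and the slot simply held `MACH_PORT_NULL`. The second half reads the cl0ver lines, recomputes the slide as leaked stack value minus registry anchor (my assumption about how cl0ver derives it; the result matches the 0x20000000 it reports), and unslides the symbol table. Both sample traces are copied from the posts in this issue and embedded inline; the function and variable names are mine.

```python
"""Decode the nvpatch -v and cl0ver traces from this issue (added example)."""
import re

# Sample trace 1 (copied from the first post): libkern.c debug output of `nvpatch -v`.
NVPATCH_TRACE = """\
[DEBUG] Getting kernel task... [src/lib/libkern.c:68]
[DEBUG] Trying task_for_pid(0)... [src/lib/libkern.c:69]
[DEBUG] Failure. Port: 0x00000000, return value: 0x00000005 ((os/kern) failure) [src/lib/libkern.c:72]
[DEBUG] Trying host_get_special_port(4)... [src/lib/libkern.c:76]
[DEBUG] Returned success, but port is invalid (0x00000000) [src/lib/libkern.c:79]
[DEBUG] Returning failure. [src/lib/libkern.c:83]
"""

# Sample trace 2 (a subset of the cl0ver output from the third post).
CL0VER_TRACE = """\
[*] buf[ 1]: 0xffffff802454a000 [src/lib/slide.c:44 get_kernel_anchor]
[*] Got anchor: 0xffffff800454a000 [src/lib/offsets.c:148 off_anchor]
[*] Kernel slide: 0x0000000020000000 [src/lib/slide.c:67 get_kernel_slide]
[*] gadget_load_x20_x19 = 0xffffff8024008dec [src/lib/offsets.c:436 off_init]
[*] func_current_task = 0xffffff8024051b4c [src/lib/offsets.c:446 off_init]
[*] data_kernel_task = 0xffffff802454a010 [src/lib/offsets.c:449 off_init]
[*] off_task_itk_self = 0x00000000000000e8 [src/lib/offsets.c:451 off_init]
"""

# kern_return_t values from <mach/kern_return.h> (only the low ones matter here).
KERN_RETURN_NAMES = {0: "KERN_SUCCESS", 1: "KERN_INVALID_ADDRESS",
                     2: "KERN_PROTECTION_FAILURE", 3: "KERN_NO_SPACE",
                     4: "KERN_INVALID_ARGUMENT", 5: "KERN_FAILURE"}
MACH_PORT_NULL = 0

TFP_LINE = re.compile(r"Failure\. Port: (0x[0-9a-f]+), return value: (0x[0-9a-f]+)")
HSP_LINE = re.compile(r"Returned success, but port is invalid \((0x[0-9a-f]+)\)")


def diagnose_kernel_task_trace(trace):
    """Summarise what each kernel-task source in a libkern.c trace returned."""
    out = {"task_for_pid": None, "host_special_port_4": None}
    for line in trace.splitlines():
        m = TFP_LINE.search(line)
        if m:
            kr = int(m.group(2), 16)
            out["task_for_pid"] = {"port": int(m.group(1), 16), "kern_return": kr,
                                   "name": KERN_RETURN_NAMES.get(kr, "unknown(%d)" % kr)}
            continue
        m = HSP_LINE.search(line)
        if m:
            # The call itself succeeded; the special-port slot just holds MACH_PORT_NULL,
            # i.e. nothing has been installed into host special port 4 on this boot.
            out["host_special_port_4"] = {"port": int(m.group(1), 16), "kern_return": 0,
                                          "name": "KERN_SUCCESS"}
    tfp, hsp = out["task_for_pid"], out["host_special_port_4"]
    if tfp and tfp["kern_return"] != 0 and hsp and hsp["port"] == MACH_PORT_NULL:
        out["verdict"] = "no kernel task port: tfp0 denied and special port 4 is MACH_PORT_NULL"
    elif (tfp and tfp["kern_return"] == 0) or (hsp and hsp["port"] != MACH_PORT_NULL):
        out["verdict"] = "kernel task port obtained"
    else:
        out["verdict"] = "trace incomplete"
    return out


ANCHOR_LINE = re.compile(r"Got anchor: (0x[0-9a-f]+)")
LEAK_LINE = re.compile(r"buf\[ ?1\]: (0x[0-9a-f]+)")
SLIDE_LINE = re.compile(r"Kernel slide: (0x[0-9a-f]+)")
SYMBOL_LINE = re.compile(r"\[\*\] (\w+) = (0x[0-9a-f]+)")
KERNEL_PTR_MASK = 0xffffff8000000000  # high-half arm64 kernel pointers in this trace


def check_cl0ver_slide(trace):
    """Recompute the slide from the leak and unslide every kernel pointer in the offsets list.

    Assumption: slide = leaked slid anchor (buf[1]) - static anchor from the registry.
    """
    anchor = leak = reported = None
    symbols = {}
    for line in trace.splitlines():
        if m := ANCHOR_LINE.search(line):
            anchor = int(m.group(1), 16)
        elif m := LEAK_LINE.search(line):
            leak = int(m.group(1), 16)
        elif m := SLIDE_LINE.search(line):
            reported = int(m.group(1), 16)
        elif m := SYMBOL_LINE.search(line):
            symbols[m.group(1)] = int(m.group(2), 16)
    if None in (anchor, leak, reported):
        raise ValueError("trace is missing the anchor, leak or slide line")
    computed = leak - anchor
    # Plain struct offsets (off_*, *_stack) are not pointers and must not be unslid.
    unslid = {name: addr - computed if (addr & KERNEL_PTR_MASK) == KERNEL_PTR_MASK else addr
              for name, addr in symbols.items()}
    return {"computed_slide": computed, "reported_slide": reported,
            "slide_consistent": computed == reported, "unslid": unslid}


if __name__ == "__main__":
    diag = diagnose_kernel_task_trace(NVPATCH_TRACE)
    print("task_for_pid(0):", diag["task_for_pid"])
    print("host_get_special_port(4):", diag["host_special_port_4"])
    print("verdict:", diag["verdict"])
    slide = check_cl0ver_slide(CL0VER_TRACE)
    print("slide 0x%x (reported 0x%x, consistent=%s)" % (
        slide["computed_slide"], slide["reported_slide"], slide["slide_consistent"]))
    for name, addr in slide["unslid"].items():
        print("  %-24s 0x%016x" % (name, addr))
```

The point of the split is that the two traces answer different questions. The nvpatch trace shows that both ways ios-kern-utils has of reaching the kernel task failed on this boot, and that the second one failed "cleanly" (KERN_SUCCESS with a null port), which is what you get when nothing has been installed into host special port 4 since the last reboot. The cl0ver trace, by contrast, is internally consistent as far as the slide goes, so a script like this cannot by itself say why the patch it claims to have installed was not visible afterwards; it only rules out a mis-derived slide.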