SE + iOS 11.4.1 failed

[platinumstufff]

I have some questions about Spice. So there is no issues in that repo, and i cant found any contacts.

[platinumstufff]

1. I think offsets for SE 11.4.1 is wrong(40 minutes without any successful attempts)
2. On the last commit build is broken(make: write error).
3. When I build it, File Descriptor = 3. As far as I understand from sources it can be 5 or 6 not an 3.(After adding a fd3 folder with edited control, it builds successfully) Build System: Big Sur + xcode 13.2.1(with ios 11.4 sdk installed)

[UInt2048]

@platinumstufff Do you know which commit did I introduce the write error? It has to be recent but I would like to narrow it down so I can get rid of that issue

[UInt2048]

After adding a fd3 folder with edited control, it builds successfully

This should not happen. The fdscream control should be in effect here.

Are you saying adding an fd3 folder caused the write error to go away?

[platinumstufff]

Are you saying adding an fd3 folder caused the write error to go away?

Yes, but another error in this commit. It happens then i try to build with FD=3.

[platinumstufff]

It happens then i try to build with FD=3.

Log:

cp: src/untether/debian/fd3/control: No such file or directory make: *** [src/untether/generated/lol.spyware.spiceuntether_1.0.160_iphoneos-arm.deb] Error 1

[UInt2048]

@platinumstufff I see, you shouldn't be building with FD=3 unless you empirically verified using the scream test build that the descriptor actually is 3

[UInt2048]

If you are building the scream test, do not include a FD variable at all

[platinumstufff]

Do you know which commit did I introduce the write error?

Probably the last one. I checked and the last to be built is Add trailing newlines.

[platinumstufff]

you shouldn't be building with FD=3

I know but:

./stage1.h:17:2: warning: Scream test is enabled [-W#warnings]
#warning Scream test is enabled
 ^
./stage1.h:26:9: warning: Stage 1 file descriptor is: 3 [-W#pragma-messages]
#pragma message "Stage 1 file descriptor is: " QUOTE(DYLD_CACHE_FD)
        ^
2 warnings generated.
In file included from stage1.m:9:
./stage1.h:17:2: warning: Scream test is enabled [-W#warnings]
#warning Scream test is enabled
 ^
./stage1.h:26:9: warning: Stage 1 file descriptor is: 3 [-W#pragma-messages]
#pragma message "Stage 1 file descriptor is: " QUOTE(DYLD_CACHE_FD)
        ^
2 warnings generated.
In file included from stage2.m:11:
./stage1.h:17:2: warning: Scream test is enabled [-W#warnings]
#warning Scream test is enabled
 ^
./stage1.h:26:9: warning: Stage 1 file descriptor is: 3 [-W#pragma-messages]
#pragma message "Stage 1 file descriptor is: " QUOTE(DYLD_CACHE_FD)

[platinumstufff]

Also the main issue now is

I think offsets for SE 11.4.1 is wrong(40 minutes without any successful attempts)

[UInt2048]

@platinumstufff That's fine, it's just a warning so you don't build the scream test by accident

[UInt2048]

What's happening in the attempts? Is it just taking forever in stage 5 and then panic?

I'm actually trying to switch it over to the sock_port exploit for better reliability but I haven't figured out how to make that not be a guaranteed panic in postexploitation

[platinumstufff]

Yes, but sometimes it show error

Failed to run killall(1):85

[UInt2048]

Yep, this has been addressed in future commits. I'll keep this issue open until error 85 is fixed on the main branch.

[platinumstufff]

Thank you for the answers.

[UInt2048]

@platinumstufff No problem. It might even work now if you use the 32bit branch but change the assignment in line 69 of src/app/MainVC.m to FLAG_LIGHTSPEED

[platinumstufff]

I wiil try it thank you

[platinumstufff]

use the 32bit branch

Build failed, make: *** [bin/Payload/Spice.app/Spice] Error 1

[UInt2048]

Command-F to search "error", the message you gave just means there is an error above

[platinumstufff]

Error is src/shared/exploit_v0rtex.m:477:5: error: implicit declaration of function 'sched_yield' is invalid in C99 [-Werror,-Wimplicit-function-declaration] sched_yield(); ^ src/shared/exploit_v0rtex.m:477:5: error: missing '#include <pthread/sched.h>'; 'sched_yield' must be declared before it is used after editing #include <sched.h> to #include <pthread/sched.h> error changes to In file included from src/shared/exploit_v0rtex.m:67: /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.4.sdk/usr/include/pthread/sched.h:35:57: error: use of undeclared identifier '__SCHED_PARAM_SIZE__' struct sched_param { int sched_priority; char __opaque[__SCHED_PARAM_SIZE__]; }; ^ /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.4.sdk/usr/include/pthread/sched.h:35:8: error: type 'struct sched_param' has incompatible definitions in different translation units struct sched_param { int sched_priority; char __opaque[__SCHED_PARAM_SIZE__]; }; ^ /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.4.sdk/usr/include/pthread/sched.h:35:48: note: field '__opaque' has type 'char' here struct sched_param { int sched_priority; char __opaque[__SCHED_PARAM_SIZE__]; }; ^ /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.4.sdk/usr/include/pthread/sched.h:35:48: note: field '__opaque' has type 'char [4]' here struct sched_param { int sched_priority; char __opaque[__SCHED_PARAM_SIZE__]; };

[UInt2048]

after editing #include to #include <pthread/sched.h>

That's weird because the Linux man page for sched_yield shows #include <sched.h>, and my Mac allows using both #include <sched.h> and #include <pthread/sched.h> without error. Anyways, I assume you should be able to bypass it by simply adding the forward declaration int sched_yield(void); yourself.

That said, the v0rtex exploit is not actually used in Spice, so you could technically patch out the entire file by replacing the pwn_kernel_vortex method with a return 5;

build is broken(make: write error).

This has been fixed, but as a side effect, the warnings have been reduced back to -Wall for the time being. Given that I used a force push to patch any trace of the write error out of the commit history, for my own future reference, the more restrictive options were: -Weverything -Wno-declaration-after-statement -Wno-gnu-zero-variadic-macro-arguments -Wno-cstring-format-directive -Wno-missing-prototypes -Wno-missing-variable-declarations -Wno-sign-conversion -Wno-cast-qual -Wno-bad-function-cast

[platinumstufff]

I will try it, thank you

[UInt2048]

Sorry for the delay.

I believe I have rewritten these issues out of the commit history.

You should be able to use Spice 1.0.171 or later.