Closed devAlikhani closed 5 months ago
I tried on an iPhone 14 Pro. After the first try to use it, the app got stuck on "Deinitialising kernel exploit (landa)". Shutting down the phone and deleting and reinstalling the app did not work. Am I wrong somewhere?
Deinitialising kernel exploit (landa)
Running on an iPhone15,2 on iOS 16.6
Gathering kernel information
System Info:
System Info libjailbreak:
Exploiting kernel (landa)
device info: CPU family: 0x8765edea, RAM: 0x0160c5c000, available: 0x00bf153b00
PUAF pages: 3072, hogger memory: 0x0000000000
Available memory after hogging: 0x00bf153b00
[info_init]: kfd->info.env.pid = 285
[info_init]: kfd->info.env.tid = 4295
[info_init]: kfd->info.env.maxfilesperproc = 10240
[puaf_init]: method_name = landa
[krkw_init]: method_name = kread_sem_open
[krkw_init]: method_name = kwrite_sem_open
[puaf_helper_give_ppl_pages]: given_ppl_pages = 209
[puaf_helper_give_ppl_pages]: 🟢 0s 1ms 107us
onChange(of: Array<StdoutLog>) action tried to update multiple times per frame.
[puaf_run]: 🟢 0s 28ms 195us
RAM size: 0x160c5c000, free pages max: 0x30d40
[krkw_helper_grab_free_pages]: grabbed_free_pages = 48776
[krkw_helper_run_allocate]: kread ---> object_id = 10, object_uaddr = 0x0000000399d08010, object_size = 16, allocated_id = 1024/10140, batch_size = 1024
[0x0000]: ffffffe0892ff460 0000000000000000
[krkw_helper_run_allocate]: kwrite ---> object_id = 2512, object_uaddr = 0x0000000399b54000, object_size = 32, allocated_id = 2560/10140, batch_size = 512
[0x0000]: 0000000000000001 0000000000000001 fafaffdebe33a7f0 0000000000000000
[krkw_helper_run_deallocate]: 🟢 0s 0ms 5us
[krkw_helper_run_deallocate]: 🟢 0s 0ms 482us
[info_run]: kfd->info.kaddr.current_proc = ffffffe16e1a17b0
[info_run]: kfd->info.kaddr.current_task = ffffffe16e1a1ee0
[info_run]: kfd->info.kaddr.current_map = ffffffde6f8b10c0
[info_run]: kfd->info.kaddr.current_pmap = fffffff13db92958
[info_run]: kfd->info.kaddr.kernel_proc = ffffffe16f83e520
[info_run]: kfd->info.kaddr.kernel_task = ffffffe16f83ec50
[info_run]: kfd->info.kaddr.kernel_map = ffffffdd8929cc40
[info_run]: kfd->info.kaddr.kernel_pmap = fffffff01faf40e8
[info_run]: 🟢 0s 0ms 8us
[perf_run]: kfd->info.kaddr.kernel_slide = 00000000156ec000
[perf_run]: kfd->perf.gVirtBase = fffffff01844c000
[perf_run]: kfd->perf.gPhysBase = 000001000244c000
[perf_run]: kfd->perf.gPhysSize = 0000000160c5c000
[puaf_cleanup]: 🟢 0s 0ms 652us
Successfully exploited the kernel
Persistence helper already installed!
Deinitialising kernel exploit (landa)
How did you solve that? Thanks.