arx8x / v0rtexNonce

set generator for iOS 10.3 with v0rtex exploit by siguza

Issues with iPhone 7 plus on 10.3.2 ? #22

Closed eXqusic closed 6 years ago

eXqusic commented 6 years ago

I have tried at least 400 times in the last day and can't seem to get it to work, it just constantly says it failed.. Anything I'm doing wrong?

ghost commented 6 years ago

Same here with an iPhone 7 10.3.2, sometimes the app gets a white screen and the phone freezes, other times it makes the phone reboot, best case scenario "failed, please reboot". Tried it several times (~50 :) )

arx8x commented 6 years ago

I'll re-check the offsets for iPhone 7 plus 10.3.2

ghost commented 6 years ago

could you please also check iphone 7 global?

Here are my logs (when it fails):

```
2017-12-22 00:06:19.814467+0000 v0rtexNonce[248:8594] uid isn't 0
2017-12-22 00:06:19.814831+0000 v0rtexNonce[248:8594] Darwin Kernel Version 16.6.0: Mon Apr 17 17:33:35 PDT 2017; root:xnu-3789.60.24~24/RELEASE_ARM64_T8010
2017-12-22 00:06:19.814854+0000 v0rtexNonce[248:8594] loading offsets for iPhone9,1 - 14F89
2017-12-22 00:06:19.814864+0000 v0rtexNonce[248:8594] test offset x0x0x10gadget: fffffff0063ca398
2017-12-22 00:06:19.814922+0000 v0rtexNonce[248:8594] service: 650b
2017-12-22 00:06:19.815061+0000 v0rtexNonce[248:8594] client: 660b, (os/kern) successful
2017-12-22 00:06:19.815203+0000 v0rtexNonce[248:8594] newSurface: (os/kern) successful
2017-12-22 00:06:19.818522+0000 v0rtexNonce[248:8594] realport: 6703
2017-12-22 00:06:19.818538+0000 v0rtexNonce[248:8594] port: 106803
2017-12-22 00:06:19.818558+0000 v0rtexNonce[248:8594] mach_port_insert_right: (os/kern) successful
2017-12-22 00:06:19.818580+0000 v0rtexNonce[248:8594] mach_ports_register: (os/kern) successful
2017-12-22 00:06:19.818598+0000 v0rtexNonce[248:8594] herp derp
2017-12-22 00:06:19.919954+0000 v0rtexNonce[248:8594] mach_ports_register: (os/kern) successful
2017-12-22 00:06:20.139469+0000 v0rtexNonce[248:8594] mach_port_get_context: 0x0000000000000011, (os/kern) successful
2017-12-22 00:06:20.139523+0000 v0rtexNonce[248:8594] Invalid shift mask.
2017-12-22 00:06:20.145306+0000 v0rtexNonce[248:8594] Failed to get kernel task
2017-12-22 00:06:20.172796+0000 v0rtexNonce[248:8594] Reading var failed
2017-12-22 00:06:20.172859+0000 v0rtexNonce[248:8594] current generator:
```

Tried different offsets with same results:

```
OFFSET_ZONE_MAP = 0xfffffff007590478;
OFFSET_KERNEL_MAP = 0xfffffff0075ec050;
OFFSET_KERNEL_TASK = 0xfffffff0075ec048;
OFFSET_REALHOST = 0xfffffff007572ba0;
OFFSET_BZERO = 0xfffffff0070c1f80;
OFFSET_BCOPY = 0xfffffff0070c1dc0;
OFFSET_COPYIN = 0xfffffff0071c6108;
OFFSET_COPYOUT = 0xfffffff0071c63e8;
OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070deff4;
OFFSET_IPC_KOBJECT_SET = 0xfffffff0070f22cc;
OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070deb18;
OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006e4a238;
OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0063ca398;
```

When I get a blank screen the app is just looping, cpu 100%, never returning out of v0rtex method

ghost commented 6 years ago

Hi arx8x,

Contacted you already on reddit. (i7 plus 10.3.1)

Right now I have the white screen issue, nothing happens. The only method to bring my iphone alive is to hard reset/reboot it.

Xcode logs give only this information.

```
2017-12-22 17:08:02.408948+0100 v0rtexNonce[229:6979] uid isn't 0
2017-12-22 17:08:02.410295+0100 v0rtexNonce[229:6979] Darwin Kernel Version 16.5.0: Thu Feb 23 23:22:55 PST 2017; root:xnu-3789.52.2~7/RELEASE_ARM64_T8010
2017-12-22 17:08:02.410390+0100 v0rtexNonce[229:6979] loading offsets for iPhone9,4 - 14E304
2017-12-22 17:08:02.410747+0100 v0rtexNonce[229:6979] test offset x0x0x10gadget: fffffff0063c9398
2017-12-22 17:08:02.411398+0100 v0rtexNonce[229:6979] service: 650b
2017-12-22 17:08:02.412109+0100 v0rtexNonce[229:6979] client: 660b, (os/kern) successful
2017-12-22 17:08:02.412875+0100 v0rtexNonce[229:6979] newSurface: (os/kern) successful
2017-12-22 17:08:02.427729+0100 v0rtexNonce[229:6979] realport: 6703
2017-12-22 17:08:02.428030+0100 v0rtexNonce[229:6979] port: 106803
2017-12-22 17:08:02.428732+0100 v0rtexNonce[229:6979] mach_port_insert_right: (os/kern) successful
2017-12-22 17:08:02.428907+0100 v0rtexNonce[229:6979] mach_ports_register: (os/kern) successful
2017-12-22 17:08:02.428985+0100 v0rtexNonce[229:6979] herp derp
2017-12-22 17:08:02.530391+0100 v0rtexNonce[229:6979] mach_ports_register: (os/kern) successful
2017-12-22 17:08:02.923916+0100 v0rtexNonce[229:6979] mach_port_get_context: 0x300001f000000011, (os/kern) successful
2017-12-22 17:08:02.924129+0100 v0rtexNonce[229:6979] setValue(496): (os/kern) successful
2017-12-22 17:08:02.924204+0100 v0rtexNonce[229:6979] mach_port_request_notification: 0, (os/kern) successful
2017-12-22 17:08:02.924306+0100 v0rtexNonce[229:6979] getValue(496): 0x1010 bytes, (os/kern) successful
2017-12-22 17:08:02.924337+0100 v0rtexNonce[229:6979] realport addr: 0xffffffe0049b9068
2017-12-22 17:08:02.924574+0100 v0rtexNonce[229:6979] setValue(496): (os/kern) successful
2017-12-22 17:08:02.924603+0100 v0rtexNonce[229:6979] itk_space: 0xffffffe000898510
2017-12-22 17:08:02.924612+0100 v0rtexNonce[229:6979] self_task: 0xffffffe004f9c550
2017-12-22 17:08:02.924620+0100 v0rtexNonce[229:6979] IOSurfaceRootUserClient port: 0xffffffe001ec6a00
2017-12-22 17:08:02.924628+0100 v0rtexNonce[229:6979] IOSurfaceRootUserClient addr: 0xffffffe005152e00
2017-12-22 17:08:02.924635+0100 v0rtexNonce[229:6979] IOSurfaceRootUserClient vtab: 0xfffffff01ea4a238
2017-12-22 17:08:02.924668+0100 v0rtexNonce[229:6979] slide: 0x0000000017c00000
2017-12-22 17:08:02.924680+0100 v0rtexNonce[229:6979] mach_ports_register: (os/kern) successful
2017-12-22 17:08:02.925007+0100 v0rtexNonce[229:6979] setValue(496): (os/kern) successful
```
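As an added diagnostic (not part of v0rtexNonce or of anyone's comment here), a small Python parser that splits these run-together Xcode dumps into records, classifies how far a run got (failed before obtaining the kernel task, or reached the slide and then hung as in the second dump), and checks that the printed slide equals the observed vtab minus the unslid OFFSET_IOSURFACEROOTUSERCLIENT_VTAB posted earlier in the thread. The log excerpts are constructed from the two dumps above; whether that offset is the correct one for the 14E304 device in the second dump is an assumption the check only reports on.

```python
import re

# Xcode console excerpts constructed from the two dumps quoted in this thread,
# trimmed to the records the parser looks at and kept as one long line each.
LOG_FAIL = (
    "2017-12-22 00:06:19.814864+0000 v0rtexNonce[248:8594] test offset x0x0x10gadget: fffffff0063ca398 "
    "2017-12-22 00:06:20.139523+0000 v0rtexNonce[248:8594] Invalid shift mask. "
    "2017-12-22 00:06:20.145306+0000 v0rtexNonce[248:8594] Failed to get kernel task "
)
LOG_HANG = (
    "2017-12-22 17:08:02.924635+0100 v0rtexNonce[229:6979] IOSurfaceRootUserClient vtab: 0xfffffff01ea4a238 "
    "2017-12-22 17:08:02.924668+0100 v0rtexNonce[229:6979] slide: 0x0000000017c00000 "
    "2017-12-22 17:08:02.925007+0100 v0rtexNonce[229:6979] setValue(496): (os/kern) successful "
)

# Unslid vtable offset from the offsets list posted earlier in the thread
# (assumed, not verified, to be the right one for the 14E304 device).
OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xFFFFFFF006E4A238

# One record = timestamp, "v0rtexNonce[pid:tid]", message.
RECORD = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+[+-]\d{4}) v0rtexNonce\[\d+:\d+\] ")


def split_records(text):
    """Split a run-together console dump into (timestamp, message) pairs."""
    parts = RECORD.split(text)          # ['', ts1, msg1, ts2, msg2, ...]
    return [(parts[i], parts[i + 1].strip()) for i in range(1, len(parts) - 1, 2)]


def triage(text, vtab_offset):
    """Report how far the run got and whether the configured vtab offset
    agrees with the slide the device actually printed."""
    report = {"stage": "no_result", "slide": None, "vtab": None, "offsets_consistent": None}
    for _, msg in split_records(text):
        if msg.startswith(("Invalid shift mask", "Failed to get kernel task")):
            report["stage"] = "exploit_failed"        # never obtained the kernel task
        elif msg.startswith("IOSurfaceRootUserClient vtab: "):
            report["vtab"] = int(msg.split(": ", 1)[1], 16)
        elif msg.startswith("slide: "):
            report["slide"] = int(msg.split(": ", 1)[1], 16)
            report["stage"] = "kernel_rw"             # slide printed: exploit stage completed
    if report["slide"] is not None and report["vtab"] is not None:
        # The printed slide must equal observed vtab minus the unslid offset;
        # a mismatch means the offsets were generated for a different kernel build.
        report["offsets_consistent"] = (report["vtab"] - vtab_offset) == report["slide"]
    return report


if __name__ == "__main__":
    print(triage(LOG_FAIL, OFFSET_IOSURFACEROOTUSERCLIENT_VTAB))
    print(triage(LOG_HANG, OFFSET_IOSURFACEROOTUSERCLIENT_VTAB))
```

For the second dump the stage is reported as kernel_rw even though the app then hung with a white screen, which matches the thread's description of the loop happening after the exploit stage rather than inside it.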

webmanjonny commented 6 years ago

I'm experiencing the same issues but on an iphone 7 (GSM), 10.3.2. Exploit failed or screen goes completely white and have to reboot. If you require logs please let me know how to. Thank you very much for your hard work!!

salvatore8686 commented 6 years ago

Also iPhone 7 Plus (GSM) iOS 10.3.1 same problem, I tried more than 50 times without success ( screen white, it's restarting the phone ) thanks

usmanabdurrazzaq commented 6 years ago

Same here. I hope you fix it soon, before Apple closes the SEP signing window!

natedog102 commented 6 years ago

Another 7+ 10.3.2 user here, offsets are not working. I used the find_offsets.sh script and it detected the same offsets you already have. What could be the problem?

usmanabdurrazzaq commented 6 years ago

I think it's because of KTRR. This is hardware based kernel security and was patched in 10.2. The reason we didn't get a JB for 10.2 or 10.2.1 on the iPhone 7 and 7 Plus.

arx8x commented 6 years ago

It's not. This is a different exploit and it doesn't touch KTRR

eXqusic commented 6 years ago

What do you think is causing it then? Cause it seems it's only happening on the iPhone 7 and 7 Plus.

arx8x commented 6 years ago

You see, once it took about 50 tries on my 6s. It may take a lot of tries often. Someone also verified that it works ok on iPhone 7 models.

But anyway, keep trying. Try with the disabled addx0x0x10 offset too.

ghost commented 6 years ago

Hi arx8x, thanks for your reply. Did you ever receive the white screen while running the project?

usmanabdurrazzaq commented 6 years ago

I give up. Good luck guys! (Reboot the iPhone 50 times to apply an exploit. This takes time and I don't have that. A couple of tries is acceptable, not rebooting your iPhone for an hour or two).

eXqusic commented 6 years ago

Any updates on this issue? @arx8x

ghost commented 6 years ago

Tried over 300 times today.... Kernel exploit not found or it's hard rebooting or a white screen. Also tried the disabled adx0x0x0 offset.

I can also use v0rtex-s successfully from ssh, could this work for me @arx8x? (I can run that exploit just fine...)

usmanabdurrazzaq commented 6 years ago

@forzabatur. How did you run v0rtex-s? Do you have all the offsets for 10.3.2, iPhone 7 Plus?

ghost commented 6 years ago

@uarx no I have i7+ 10.3.1 and the offsets are a bit different on the v0rtex-s project, and that works fine....

usmanabdurrazzaq commented 6 years ago

Nevermind, I made SSH to work on iPhone 7 Plus, GSM on 10.3.2, but nonceEnabler does not. We need to patch the kernel in order to set a nonce. What process does v0rtexNonce do when setting the nonce, @arx8x? How does it patch the kernel?

eXqusic commented 6 years ago

NonceEnabler doesn't work on 10.3.2

usmanabdurrazzaq commented 6 years ago

Do you have something that can be used to patch the kernel on 10.3.2, @seiterseiter?

eXqusic commented 6 years ago

Nope, that's what this issue thread was about I think.

usmanabdurrazzaq commented 6 years ago

That's bad, only one execute of a kernel patch is required now. Still SSH on 10.3.2 is a great achievement.

ghost commented 6 years ago

FYI, finally got it working... used v0rtex-S v0rtex implementation, a few minor things were needed to adapt, like the arguments to the v0rtex function, and also brought in the offsets setting of values (v0rtex-S just names one of the offsets differently, this is not actually needed). Used the offsets from my above comment for my iphone 7 10.3.2 and successfully ran v0rtexNonce 4 times out of ~10.

@arx8x perhaps considering updating the v0rtex implementation? I'm not sure about licenses and stuff so not sure if I can just publish merging these 2 projects code... :/

Last thing, @arx8x my sincere congrats and thank you for your work! you're awesome! :)

webmanjonny commented 6 years ago

@null0r Sorry are you saying you ran the v0rtex-S exploit (https://github.com/Sticktron/v0rtex-S) over the top of v0rtexNonce? Would you mind posting a quick step by step guide on what you did? Much appreciated, thanks!

ghost commented 6 years ago

both v0rtex-S and v0rtexNonce share the same exploit: v0rtex by Siguza (https://github.com/Siguza/v0rtex). v0rtex exploit is used to gain kernel memory access and therefore root access to the OS (it's how I understand it, anyone feel free to correct me if I'm wrong). This project uses this access level to read and set the nonce variable, v0rtex-s uses it to set fs r/w, deploys utilities and launches dropbear ssh.

What I did was replace the common part (v0rtex) from v0rtex-s into v0rtexNonce. (v0rtex.m basically, but then you need to fix the compilation errors). If you have trouble understanding all of this it's best to just leave it alone and wait for the project owner to fix it.

webmanjonny commented 6 years ago

Thanks @null0r I'll give it a go, hopefully not too many compilation errors haha

eXqusic commented 6 years ago

@null0r Could you just fork v0rtexNonce and use your updated version?

ghost commented 6 years ago

https://github.com/null0r/v0rtexNonce

@arx8x @Sticktron let me know if this isn't ok with you.

ghost commented 6 years ago

@seiterseiter @webmanjonny let me know if you succeed

ghost commented 6 years ago

@null0r O-M-G. This works on the first try on my iPhone 7 Plus 10.3.1!!!!

eXqusic commented 6 years ago

@forzabatur WTF?! It's still not working for me on 10.3.2 haha

ghost commented 6 years ago

Start v0rtexnonce (after installing the version of null0r) if it reboots or kernel exploit failed error -> power off. Power on, close everything in app switcher -> lock device -> wait 1 minute -> unlock and start v0rtexnonce.

If it fails, keep repeating steps above, it really worked for me

EDIT: after 2 times setting my nonce (received successful nonce set and saw the nonce) I now receive the error [Error] Devicenonce does not match APTicket nonce :(

I have copy pasted the generator string within my 11.1.2 blobs to the generator..

eXqusic commented 6 years ago

You're getting further than me at least.. It's still not working for me

ghost commented 6 years ago

could you post your xcode logs? besides that... it will take at least 50 tries....

arx8x commented 6 years ago

@null0r I've updated the exploit. Tested on my iPhone8,1 10.3.2. Everyone, clone/fork again or use the latest release

ghost commented 6 years ago

@arx8x, when launching the app it shows 'Current generator' -unavailable-; after pressing the empty area I can set my nonce, it then also shows on the current generator.

But when I launch futurerestore and start with restoring to 11.1.2 it says, devicenonce does not match apticket nonce.

It looks like the nonce resets when futurerestore pushes the iphone in recovery mode..

eXqusic commented 6 years ago

Okay it seems to be working now but when I try to restore to 11.1.2 it errors out right at the end

```
[TSSC] opening download/basebandManifest.plist
WARNING: Unable to find BbSkeyId node
[TSSR] User specified to request only a Baseband ticket.
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Found device in Normal mode
Entering recovery mode...
ERROR: Unable to connect to device in recovery mode
ERROR: Unable to enter recovery mode
[Error] Unable to place device into recovery mode from Normal mode
[Error] Fail code=-2
Failed with errorcode=-2
```

EDIT: it just worked.. except it seems to be stuck on updating baseband. I know this isn't directly a v0rtexNonce issue but we are all trying to accomplish the same thing here haha

arx8x commented 6 years ago

Awesome. And congratulations.

usmanabdurrazzaq commented 6 years ago

No, it does not work. I've been trying to make it to work for an hour. @null0r v0rtexNonce fork works on the iPhone 7 and 7 Plus and you will be able to set a nonce, but only in the app, it will not overwrite the existing one, so when you enter recovery mode and start futurerestore it will say the blob didn't match the nonce on the device. When you start futurerestore in normal mode after you set the nonce, it will try to enter recovery and restart back to normal mode.

ghost commented 6 years ago

If you kill the app (no restart) and start it again the nonce resets back to previous value?

usmanabdurrazzaq commented 6 years ago

Yes, did you make it?

arx8x commented 6 years ago

@uarx The fork isn't much different. The exploit just takes a lot of tries. The exploit all the forks use is the same. The offsets are also similar.

If the app gives you an alert saying it was success and the value is displayed on the app, that means the value has been written to nvram. The app actually reads the value from nvram and doesn't just put the value you input there.

Cryptic and some others had the same issue. What works is, after you set the generator, power-down and then power on. I don't know if this is just a placebo but it worked for multiple people. After the power-down, boot up and try to run v0rtexNonce again. See if it shows the value you previously set

usmanabdurrazzaq commented 6 years ago

Got it to work and finally upgraded to 11.1.2. After setting the nonce, wait about 10-15 min and then, quit the app (If it panics and restarts automatically, then it didn’t work, you’ll have to wait 10-15 min. It will not work if you quickly restart after setting either). Run v0rtexNonce again and verify it’s the same nonce you want to use, then start the upgrade process!

ghost commented 6 years ago

@uarx will try now, thanks for tests!

arx8x commented 6 years ago

@uarx So I can confirm it's a quick reboot or panic that resets it

usmanabdurrazzaq commented 6 years ago

Yes, I don’t know if this method works on other devices, but on the 7 Plus it does.

maxvibration commented 6 years ago

@uarx Well it does not work for me. Just to make sure: Open v0rtexNonce - enter nonce - wait 15 min - quit the app (do you mean just click home or do you mean kill it from the app switcher?) - then restart or directly run the app again?

usmanabdurrazzaq commented 6 years ago

Strange, try first setting the same nonce you have currently and then the new one, press home button, wait for 10 min, close the app (if it panics, then it didn’t work) and then power off the device, not power+volume down.

maxvibration commented 6 years ago

FUCK YES! I did it. I had to try it like 2-3 times, then v0rtexNonce could read my set nonce and I could successfully futurerestore my device. So @uarx method works 100%, maybe not on the first try but it works! May I copy this to reddit, or do you want to do it yourself @uarx? Thanks to everybody in here!