arx8x / v0rtexNonce

set generator for iOS 10.3 with v0rtex exploit by siguza

iPhone 6s ios 10.3.1 crash #29

Closed gamla11 closed 6 years ago

gamla11 commented 6 years ago

the app opens and crashes/resprings my iPhone

log: https://ghostbin.com/paste/b8frr

gamla11 commented 6 years ago

I tried the default offsets from the source itself and those I fetched myself:

OFFSET_ZONE_MAP = 0xfffffff007558478;
OFFSET_KERNEL_MAP = 0xfffffff0075b4050;
OFFSET_KERNEL_TASK = 0xfffffff0075b4048;
OFFSET_REALHOST = 0xfffffff00753aba0;
OFFSET_BZERO = 0xfffffff00708df80;
OFFSET_BCOPY = 0xfffffff00708ddc0;
OFFSET_COPYIN = 0xfffffff00718d3a8;
OFFSET_COPYOUT = 0xfffffff00718d59c;
OFFSET_ROOTVNODE = 0xfffffff0075b40b0;
OFFSET_CHGPROCCNT = 0xfffffff00739a78c;
OFFSET_KAUTH_CRED_REF = 0xfffffff007374b2c;
OFFSET_IPC_PORT_ALLOC_SPECIAL = 0xfffffff0070a611c;
OFFSET_IPC_KOBJECT_SET = 0xfffffff0070b9374;
OFFSET_IPC_PORT_MAKE_SEND = 0xfffffff0070a5c40;
OFFSET_IOSURFACEROOTUSERCLIENT_VTAB = 0xfffffff006eee1b8;
OFFSET_ROP_ADD_X0_X0_0x10 = 0xfffffff0064b5174;
OFFSET_OSSERIALIZER_SERIALIZE = 0xfffffff00744d6ac;
OFFSET_ROP_LDR_X0_X0_0x10 = 0xfffffff006404a84;

Eperty123 commented 6 years ago

Is that confirmed to be working and if so, could you compile it and provide the IPA?

Thanks in advance!

arx8x commented 6 years ago

That is expected behavior. Watch the Xcode logs and post them here.

gamla11 commented 6 years ago

Unknown (null).txt

Here is my device log; change .txt to .crash to view it better on macOS.

arx8x commented 6 years ago

@gamla11 Get the logs from Xcode's console in the bottom area.

arx8x commented 6 years ago

@gamla11 Never mind. The error you get is usual. It doesn't respring but reboots your phone. The exploit failed. Keep trying.

gamla11 commented 6 years ago

2017-12-25 14:12:36.152974+0100 v0rtexNonce[920:189075] uid isn't 0
2017-12-25 14:12:36.153565+0100 v0rtexNonce[920:189075] Darwin Kernel Version 16.5.0: Thu Feb 23 23:22:54 PST 2017; root:xnu-3789.52.2~7/RELEASE_ARM64_S8000
2017-12-25 14:12:36.153605+0100 v0rtexNonce[920:189075] loading offsets for iPhone8,1 - 14E304
2017-12-25 14:12:36.153624+0100 v0rtexNonce[920:189075] test offset x0x0x10gadget: fffffff006465174
2017-12-25 14:12:36.153745+0100 v0rtexNonce[920:189075] service: 620b
2017-12-25 14:12:36.153953+0100 v0rtexNonce[920:189075] client: 6313, (os/kern) successful
2017-12-25 14:12:36.154165+0100 v0rtexNonce[920:189075] newSurface: (os/kern) successful
2017-12-25 14:12:36.158891+0100 v0rtexNonce[920:189075] realport: 6507
2017-12-25 14:12:36.158954+0100 v0rtexNonce[920:189075] port: 106603
2017-12-25 14:12:36.159003+0100 v0rtexNonce[920:189075] mach_port_insert_right: (os/kern) successful
2017-12-25 14:12:36.159040+0100 v0rtexNonce[920:189075] mach_ports_register: (os/kern) successful
2017-12-25 14:12:36.159075+0100 v0rtexNonce[920:189075] herp derp
2017-12-25 14:12:36.260239+0100 v0rtexNonce[920:189075] mach_ports_register: (os/kern) successful
2017-12-25 14:12:36.634237+0100 v0rtexNonce[920:189075] mach_port_get_context: 0x1000028f00000000, (os/kern) successful
2017-12-25 14:12:36.634450+0100 v0rtexNonce[920:189075] setValue(655): (os/kern) successful
2017-12-25 14:12:36.634514+0100 v0rtexNonce[920:189075] mach_port_request_notification: 0, (os/kern) successful
2017-12-25 14:12:36.634626+0100 v0rtexNonce[920:189075] getValue(655): 0x1010 bytes, (os/kern) successful
2017-12-25 14:12:36.634655+0100 v0rtexNonce[920:189075] realport addr: 0xfffffff0084e55a8
2017-12-25 14:12:36.634742+0100 v0rtexNonce[920:189075] setValue(655): (os/kern) successful
2017-12-25 14:12:36.634775+0100 v0rtexNonce[920:189075] itk_space: 0xfffffff0026f7f00
2017-12-25 14:12:36.634791+0100 v0rtexNonce[920:189075] self_task: 0xfffffff00364f520
2017-12-25 14:12:36.634806+0100 v0rtexNonce[920:189075] IOSurfaceRootUserClient port: 0xfffffff0084e7090
2017-12-25 14:12:36.634924+0100 v0rtexNonce[920:189075] IOSurfaceRootUserClient addr: 0xfffffff005e24400
2017-12-25 14:12:36.634953+0100 v0rtexNonce[920:189075] IOSurfaceRootUserClient vtab: 0xfffffff02447c9f8
2017-12-25 14:12:36.634983+0100 v0rtexNonce[920:189075] slide: 0x000000001d600000
2017-12-25 14:12:36.635005+0100 v0rtexNonce[920:189075] mach_ports_register: (os/kern) successful
2017-12-25 14:12:36.635489+0100 v0rtexNonce[920:189075] setValue(655): (os/kern) successful
2017-12-25 14:12:36.635515+0100 v0rtexNonce[920:189075] kernel_task addr: 0xfffffff002739a90, success
2017-12-25 14:12:36.635532+0100 v0rtexNonce[920:189075] kernproc addr: 0xfffffff024b9d448, success
2017-12-25 14:12:36.635547+0100 v0rtexNonce[920:189075] kern_ucred: 0xfffffff002935cb0, success
2017-12-25 14:12:36.635567+0100 v0rtexNonce[920:189075] self_proc: 0xfffffff005ebf060, success
2017-12-25 14:12:36.635582+0100 v0rtexNonce[920:189075] self_ucred: 0xfffffff006f79170, success
2017-12-25 14:12:36.635596+0100 v0rtexNonce[920:189075] stole the kernel's cr_label
2017-12-25 14:12:36.635627+0100 v0rtexNonce[920:189075] uid: 0
2017-12-25 14:12:36.635642+0100 v0rtexNonce[920:189075] realhost: 6607 (host: a03)
2017-12-25 14:12:36.635655+0100 v0rtexNonce[920:189075] zone_map: 0xfffffff12255d7c0, success
2017-12-25 14:12:36.635696+0100 v0rtexNonce[920:189075] kernel_map: 0xfffffff12255d6a0, success
2017-12-25 14:12:36.635710+0100 v0rtexNonce[920:189075] ipc_space_kernel: 0xfffffff0026f5878, success
2017-12-25 14:12:36.635724+0100 v0rtexNonce[920:189075] zm_range: 0xfffffff002648000-0xfffffff01a648000, success
2017-12-25 14:12:36.635739+0100 v0rtexNonce[920:189075] zm_port addr: 0xfffffff00357f330
2017-12-25 14:12:36.635750+0100 v0rtexNonce[920:189075] km_port addr: 0xfffffff00357c738
2017-12-25 14:12:36.635763+0100 v0rtexNonce[920:189075] copyin: success
2017-12-25 14:12:36.635802+0100 v0rtexNonce[920:189075] mach_ports_lookup: (os/kern) successful
2017-12-25 14:12:36.635815+0100 v0rtexNonce[920:189075] zone_map port: 6707
2017-12-25 14:12:36.635826+0100 v0rtexNonce[920:189075] kernel_map port: 6807
2017-12-25 14:12:36.635841+0100 v0rtexNonce[920:189075] mach_ports_register: (os/kern) successful
2017-12-25 14:12:36.635872+0100 v0rtexNonce[920:189075] mach_vm_remap: (os/kern) successful
2017-12-25 14:12:36.635884+0100 v0rtexNonce[920:189075] remap_addr: 0xfffffff0022e5a90
2017-12-25 14:12:36.636022+0100 v0rtexNonce[920:189075] mach_vm_wire: (os/kern) successful
2017-12-25 14:12:36.636037+0100 v0rtexNonce[920:189075] newport: 0xfffffff00357c348
2017-12-25 14:12:36.636052+0100 v0rtexNonce[920:189075] copyin: success
2017-12-25 14:12:36.636082+0100 v0rtexNonce[920:189075] kernel_task: 6907, (os/kern) successful
2017-12-25 14:12:36.636104+0100 v0rtexNonce[920:189075] mach_ports_register: (os/kern) successful
2017-12-25 14:12:36.636116+0100 v0rtexNonce[920:189075] copyin: success
2017-12-25 14:12:36.650123+0100 v0rtexNonce[920:189075] kernel_task: 0x6907
2017-12-25 14:12:36.650220+0100 v0rtexNonce[920:189075] Reading kernel header...
2017-12-25 14:12:36.650271+0100 v0rtexNonce[920:189075] Found TEXT.cstring section at 0xfffffff02461f858
2017-12-25 14:12:36.650648+0100 v0rtexNonce[920:189075] Found DATA.data section at 0xfffffff024af4000
2017-12-25 14:12:36.651501+0100 v0rtexNonce[920:189075] Found string "little-endian?" at 0xfffffff02465bc90
2017-12-25 14:12:36.651648+0100 v0rtexNonce[920:189075] Found gOFVariables at 0xfffffff024b236b0
2017-12-25 14:12:36.651707+0100 v0rtexNonce[920:189075] Successfully patched permissions for variable "com.apple.System.boot-nonce"
2017-12-25 14:12:36.651885+0100 v0rtexNonce[920:189075] Reading var failed
2017-12-25 14:12:36.651988+0100 v0rtexNonce[920:189075] current generator:
2017-12-25 14:12:43.081495+0100 v0rtexNonce[920:189075] [MC] System group container for systemgroup.com.apple.configurationprofiles path is /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles
2017-12-25 14:12:43.081783+0100 v0rtexNonce[920:189075] [MC] Reading from private effective user settings.
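Console dumps like the one above tend to arrive flattened onto a few lines, which makes it easy to miss the two records that actually matter for triage here ("Reading var failed" and an empty "current generator:"). The parser below is an added example, not code from the v0rtexNonce project or from anyone in this thread. It assumes only the record layout visible in the dump (`timestamp process[pid:tid] message`, with each message running until the next timestamp); the sample input is six records copied from the dump and re-joined as the paste flattened them, and the summary field names are my own choice.

```python
import re

# One Xcode console record: "<timestamp> <process>[<pid>:<tid>] <message>".
# The layout is taken from the dump posted above. A message runs until the
# next timestamp, which is what lets a run-together paste be split back up.
RECORD_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}) "
    r"(?P<proc>[\w.]+)\[(?P<pid>\d+):(?P<tid>\d+)\] "
)

# Constructed sample: six records copied from the dump above, joined with
# single spaces exactly as the paste flattened them.
SAMPLE_LOG = (
    "2017-12-25 14:12:36.152974+0100 v0rtexNonce[920:189075] uid isn't 0 "
    "2017-12-25 14:12:36.634983+0100 v0rtexNonce[920:189075] slide: 0x000000001d600000 "
    "2017-12-25 14:12:36.635627+0100 v0rtexNonce[920:189075] uid: 0 "
    "2017-12-25 14:12:36.651885+0100 v0rtexNonce[920:189075] Reading var failed "
    "2017-12-25 14:12:36.651988+0100 v0rtexNonce[920:189075] current generator: "
    "2017-12-25 14:12:43.081783+0100 v0rtexNonce[920:189075] "
    "[MC] Reading from private effective user settings."
)


def split_records(text):
    """Split a flattened console dump into a list of dicts, one per record."""
    heads = list(RECORD_RE.finditer(text))
    records = []
    for i, head in enumerate(heads):
        # The message is everything between this header and the next one.
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        records.append({
            "ts": head.group("ts"),
            "proc": head.group("proc"),
            "pid": int(head.group("pid")),
            "tid": int(head.group("tid")),
            "msg": text[head.end():end].strip(),
        })
    return records


def summarize(records):
    """Reduce the records to the fields worth checking when triaging a run:
    the reported slide, the uid after the run, any "... failed" message, and
    whether a generator value was actually printed. Field names are my own."""
    summary = {"slide": None, "uid_after": None, "failures": [], "generator": None}
    for rec in records:
        msg = rec["msg"]
        if msg.startswith("slide: "):
            summary["slide"] = int(msg.split(": ", 1)[1], 16)
        elif msg.startswith("uid: "):
            summary["uid_after"] = int(msg.split(": ", 1)[1])
        elif "failed" in msg.lower():
            summary["failures"].append(msg)
        elif msg.startswith("current generator:"):
            value = msg[len("current generator:"):].strip()
            summary["generator"] = value or None  # empty means nothing was read
    return summary


if __name__ == "__main__":
    recs = split_records(SAMPLE_LOG)
    for rec in recs:
        print(rec["ts"], rec["msg"])
    print(summarize(recs))
```

Run it against a full dump pasted into `SAMPLE_LOG` (or read from a file) and the summary makes the outcome obvious at a glance: in the run above the uid reaches 0 and the slide is reported, but `failures` contains "Reading var failed" and `generator` is `None`, which is the line to start debugging from.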

gamla11 commented 6 years ago

It works, I also pushed a pull request.