What device + iOS version are you on?
iPhone X (10,6)
What checkra1n version are you using?
checkra1n beta 0.9
What are the steps to reproduce the issue?
Run checkra1n normally. Exploit and subsequent jb succeeds normally. (./checkra1n)
Run checkra1n with demotion enabled. Device fails to be exploited, getting stalled on the output below. (Ran with ./checkra1n -d)
What do you expect, and what is happening instead?
Given output (when demotion requested)
[*] Waiting for DFU devices
[*] Exploiting
[*] Checking if device is ready
[*] Exploiting
[*] Setting up the exploit (this is the heap spray)
[*] Right before trigger (this is the real bug setup)
[*] Exploiting (gets stalled here)
Expected output (when exploited normally)
[*] Waiting for DFU devices
[*] DFU mode device found
[*] Attempting to perform checkm8 on 8015 11...
[*] == Checkm8 Preparation stage ==
[*] Stalled input endpoint
[*] DFU mode device found
[*] == Checkm8 Setup stage ==
[*] Entered initial checkm8 state after 3 steps, issuing DFU abort..
[*] DFU device disconnected
[*] DFU mode device found
[*] == Checkm8 Trigger stage ==
[*] Checkmate!
[*] DFU device disconnected
[*] DFU mode device found
[*] == Checkm8 Trying to run payload... ==
[*] If everything went correctly, you should now have code execution.
[*] DFU device disconnected
[*] Download mode device found
[*] Download mode device disconnected
[*] Bootstrap already installed, done
Any other info, error logs, screenshots, ...?
Notice how the start of the exploit log is different! Is it possible that checkra1n is using an older (and less reliable) checkm8 implementation to enable its demotion functionality?