checkra1n / BugTracker

checkra1n bug tracker

A7 unplug workaround doesn't work anymore #1445

Closed ivdok closed 4 years ago

ivdok commented 4 years ago

Tell us about your setup:

  1. iPhone 5S which has previously been successfully pwned twice
  2. 12.4.5
  3. 0.10.2
  4. Arch Linux on ThinkPad T450 or Debian Buster on generic Sandy bridge PC
  5. Generic Lightning cable (which still works, and has been used in aforementioned pwns twice)

What are the steps to reproduce the issue?

  1. #1169
  2. Unplug/replug device, as a known workaround
  3. Expect it to work, like it did twice before that. ...

What do you expect, and what is happening instead? Instead of booting into payload, get stuck with "DFUSync Upload FAILED: -1", and "can't set config #1, error -110" in dmesg for times eternal.

Does the issue also occur if you tick "Safe Mode" in the checkra1n options? Yes

Any other info, error logs, screenshots, ...? Only the following dmesg snippet:

[  +0.006678] usb 2-2: usbfs: USBDEVFS_CONTROL failed cmd checkra1n rqt 128 rq 6 len 64 ret -110
[  +0.013265] usb 2-2: usbfs: USBDEVFS_CONTROL failed cmd checkra1n rqt 128 rq 6 len 65 ret -110
[  +0.000401] usb 2-2: usbfs: USBDEVFS_CONTROL failed cmd checkra1n rqt 33 rq 4 len 0 ret -71
[  +0.001244] usb 2-2: USB disconnect, device number 55
[  +0.288309] usb 2-2: new high-speed USB device number 56 using xhci_hcd
[  +0.140728] usb 2-2: New USB device found, idVendor=05ac, idProduct=1227, bcdDevice= 0.00
[  +0.000006] usb 2-2: New USB device strings: Mfr=2, Product=3, SerialNumber=4
[  +0.000004] usb 2-2: Product: Apple Mobile Device (DFU Mode)
[  +0.000003] usb 2-2: Manufacturer: Apple Inc.
[  +0.000003] usb 2-2: SerialNumber: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:02 ECID:0000004C4E98CD14 IBFL:1C SRTG:[iBoot-1704.10]
[  +0.126028] usb 2-2: usbfs: USBDEVFS_CONTROL failed cmd checkra1n rqt 128 rq 6 len 64 ret -110
[  +0.006674] usb 2-2: usbfs: USBDEVFS_CONTROL failed cmd checkra1n rqt 128 rq 6 len 64 ret -110
[  +0.006610] usb 2-2: usbfs: USBDEVFS_CONTROL failed cmd checkra1n rqt 128 rq 6 len 64 ret -110
[Jun 5 19:52] INFO: task checkra1n:1422152 blocked for more than 122 seconds.
[  +0.000005]       Tainted: G     U    I       5.6.15-arch1-1 #1
[  +0.000002] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[  +0.000003] checkra1n       D    0 1422152 1415682 0x00000080
[  +0.000005] Call Trace:
[  +0.000015]  __schedule+0x2a0/0x8a0
[  +0.000009]  schedule+0x46/0xf0
[  +0.000006]  schedule_timeout+0x12a/0x160
[  +0.000008]  wait_for_completion_timeout+0xc7/0x140
[  +0.000006]  ? wake_up_q+0xa0/0xa0
[  +0.000009]  usb_start_wait_urb+0xa8/0x190
[  +0.000008]  usb_control_msg+0xe7/0x150
[  +0.000010]  proc_control+0x18a/0x2e0
[  +0.000008]  usbdev_ioctl+0xaa2/0x1300
[  +0.000006]  ? hrtimer_nanosleep+0xd1/0x1c0
[  +0.000011]  ksys_ioctl+0x82/0xc0
[  +0.000007]  __x64_sys_ioctl+0x16/0x20
[  +0.000007]  do_syscall_64+0x49/0x90
[  +0.000007]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  +0.000006] RIP: 0033:0x7f32b77ea8eb
[  +0.000011] Code: Bad RIP value.
[  +0.000003] RSP: 002b:00007f32b6004a88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  +0.000004] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 00007f32b77ea8eb
[  +0.000003] RDX: 00007f32b6004ab0 RSI: 00000000c0185500 RDI: 0000000000000017
[  +0.000002] RBP: 00007f32b6004b90 R08: 0000000000000000 R09: 0000000000000004
[  +0.000002] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000a46315f4
[  +0.000002] R13: 0000000019f8704f R14: 0000000000000040 R15: 0000000001870340
[Jun 5 19:53] usb 2-2: usbfs: USBDEVFS_CONTROL failed cmd checkra1n rqt 33 rq 1 len 64 ret -71
[  +0.000017] usb 2-2: USB disconnect, device number 56
[  +1.374660] usb 2-2: new high-speed USB device number 57 using xhci_hcd
[  +0.140472] usb 2-2: config index 0 descriptor too short (expected 25, got 9)
[  +0.000007] usb 2-2: config 1 has 0 interfaces, different from the descriptor's value: 1
[  +0.000347] usb 2-2: New USB device found, idVendor=05ac, idProduct=1227, bcdDevice= 0.00
[  +0.000006] usb 2-2: New USB device strings: Mfr=2, Product=3, SerialNumber=4
[  +0.000004] usb 2-2: Product: Љ
[  +0.000003] usb 2-2: Manufacturer: Apple Mobile Device (DFU Mode)
[  +0.000002] usb 2-2: SerialNumber: Apple Inc.
[  +5.095864] usb 2-2: can't set config #1, error -110

And no, this isn't a duplicate #1169 - old "workaround" stopped, well, "working around", despite doing just fine previously. I've tried all Linux releases so far, and it doesn't seem like regression in 0.10.2.

demhademha commented 4 years ago

Downgrade to 0.10.1

ivdok commented 4 years ago

I believe I did mention that any version from 0.9.x to latest stopped working, on two different rigs, so that's why I have dismissed the possibility of a regression.

On June 6, 2020 12:36:37 AM GMT+03:00, demhademha notifications@github.com wrote:

Downgrade to 0.10.1

Siguza commented 4 years ago

The replug workaround never worked reliably. And literally none of that code changed between 0.10.1 and 0.10.2. I'm also skeptical as to whether A7 devices ever worked on Linux...

ivdok commented 4 years ago

They did - I still have Cydia.app on the springboard - but my dumb ass forgot to charge it, so there's that. Thought that my laptop has a janky USB controller, tried on a desktop for good measure, but nope, it's out of luck too. I don't usually use Windows/macOS, so currently I can't pwn it again. No big deal, it's not even my personal phone, just a little bit annoyed.

On June 6, 2020 1:57:45 AM GMT+03:00, Siguza notifications@github.com wrote:

The replug workaround never worked reliably. And literally none of that code changed between 0.10.1 and 0.10.2. I'm also skeptical as to whether A7 devices ever worked on Linux...

johnhaxx commented 4 years ago

Having the same issue, iPad Mini 2, ran in Linux Mint and Bootra1n, hangs in the same spot and quickly disconnecting it isn't working, it just loops back to exploiting. Commenting to follow for updates.

beverneus commented 4 years ago

I just successfully used the unplug workaround on 0.10.2 on an iPad mini 2 with Ubuntu.

ivdok commented 4 years ago

Tried updating to 12.4.7, obviously it didn't help, but felt the need to document just in case. Shell:

[root@ThinkPad-t450 ~]# checkra1n -vV --gui
#
# Checkra1n beta 0.10.2
#
# Proudly written in nano
# (c) 2019-2020 Kim Jong Cracks
#
#========  Made by  =======
# argp, axi0mx, danyl931, jaywalker, kirb, littlelailo, nitoTV
# never_released, nullpixel, pimskeks, qwertyoruiop, sbingner, siguza
#======== Thanks to =======
# haifisch, jndok, jonseals, xerub, lilstevie, psychotea, sferrini
# Cellebrite (ih8sn0w, cjori, ronyrus et al.)
#==========================

Gtk-Message: 21:56:22.099: Failed to load module "topmenu-gtk-module"

** (checkra1n:1543316): WARNING **: 21:56:22.223: Unable to connect to dbus: Error spawning command line “dbus-launch --autolaunch=bca2206d232547f2a244f1fd33ba50aa --binary-syntax --close-stderr”: Child process exited with code 1

(checkra1n:1543316): GLib-GIO-CRITICAL **: 21:56:22.462: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(checkra1n:1543316): GLib-GIO-CRITICAL **: 21:56:22.463: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(checkra1n:1543316): GLib-GIO-CRITICAL **: 21:56:22.463: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
 - [06/09/2020 09:57:14 PM] <Info>: Waiting for DFU devices
 - [06/09/2020 09:57:14 PM] <Verbose>: using libusb hotplug API
 - [06/09/2020 09:57:14 PM] <Verbose>: DFU device connected: 4c4e98cd14
 - [06/09/2020 09:57:14 PM] <Info>: Exploiting
 - [06/09/2020 09:57:14 PM] <Verbose>: Attempting to perform checkm8 on 8960 11...
 - [06/09/2020 09:57:14 PM] <Info>: Checking if device is ready
 - [06/09/2020 09:57:14 PM] <Verbose>: == Checkm8 Preparation stage ==
 - [06/09/2020 09:57:15 PM] <Info>: Setting up the exploit (this is the heap spray)
 - [06/09/2020 09:57:15 PM] <Verbose>: == Checkm8 Setup stage ==
 - [06/09/2020 09:57:15 PM] <Verbose>: Disabled probabilistic mode since we encountered a partial xfer
 - [06/09/2020 09:57:15 PM] <Verbose>: Deterministic approach was successful!
 - [06/09/2020 09:58:12 PM] <Info>: Right before trigger (this is the real bug setup)
 - [06/09/2020 09:58:12 PM] <Verbose>: Entered initial checkm8 state after 0 steps, issuing DFU abort..
 - [06/09/2020 09:58:12 PM] <Verbose>: libusb: waiting for USB events
 - [06/09/2020 09:58:12 PM] <Verbose>: DFU device connected: 4c4e98cd14
 - [06/09/2020 09:58:12 PM] <Verbose>: == Checkm8 Trigger stage ==
DFUSyncUpload FAILED: -1
 - [06/09/2020 10:01:38 PM] <Verbose>: Checkmate!
 - [06/09/2020 10:01:44 PM] <Error>: libusb: Failed to get active config descriptor: LIBUSB_ERROR_NOT_FOUND

Dmesg:

[shitton usbfs alerts later]
[  +0.009994] usb 1-2: usbfs: USBDEVFS_CONTROL failed cmd checkra1n rqt 128 rq 6 len 64 ret -110
[  +0.016679] usb 1-2: usbfs: USBDEVFS_CONTROL failed cmd checkra1n rqt 128 rq 6 len 65 ret -110
[  +0.000215] usb 1-2: usbfs: USBDEVFS_CONTROL failed cmd checkra1n rqt 33 rq 4 len 0 ret -71
[  +0.001238] usb 1-2: USB disconnect, device number 15
[  +0.298491] usb 1-2: new high-speed USB device number 16 using xhci_hcd
[  +0.147082] usb 1-2: New USB device found, idVendor=05ac, idProduct=1227, bcdDevice= 0.00
[  +0.000002] usb 1-2: New USB device strings: Mfr=2, Product=3, SerialNumber=4
[  +0.000003] usb 1-2: Product: Apple Mobile Device (DFU Mode)
[  +0.000001] usb 1-2: Manufacturer: Apple Inc.
[  +0.000001] usb 1-2: SerialNumber: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:02 ECID:0000004C4E98CD14 IBFL:1C SRTG:[iBoot-1704.10]
[  +0.109653] usb 1-2: usbfs: USBDEVFS_CONTROL failed cmd checkra1n rqt 128 rq 6 len 64 ret -110
[  +0.006655] usb 1-2: usbfs: USBDEVFS_CONTROL failed cmd checkra1n rqt 128 rq 6 len 64 ret -110
[  +0.006698] usb 1-2: usbfs: USBDEVFS_CONTROL failed cmd checkra1n rqt 128 rq 6 len 64 ret -110
[Jun 9 22:01] INFO: task checkra1n:1543935 blocked for more than 122 seconds.
[  +0.000002]       Tainted: G     U    I       5.6.15-arch1-1 #1
[  +0.000000] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[  +0.000001] checkra1n       D    0 1543935 1542396 0x00000080
[  +0.000002] Call Trace:
[  +0.000006]  __schedule+0x2a0/0x8a0
[  +0.000003]  schedule+0x46/0xf0
[  +0.000002]  schedule_timeout+0x12a/0x160
[  +0.000002]  wait_for_completion_timeout+0xc7/0x140
[  +0.000002]  ? wake_up_q+0xa0/0xa0
[  +0.000003]  usb_start_wait_urb+0xa8/0x190
[  +0.000002]  usb_control_msg+0xe7/0x150
[  +0.000003]  proc_control+0x18a/0x2e0
[  +0.000002]  usbdev_ioctl+0xaa2/0x1300
[  +0.000002]  ? hrtimer_nanosleep+0xd1/0x1c0
[  +0.000003]  ksys_ioctl+0x82/0xc0
[  +0.000002]  __x64_sys_ioctl+0x16/0x20
[  +0.000003]  do_syscall_64+0x49/0x90
[  +0.000001]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  +0.000002] RIP: 0033:0x7feb329538eb
[  +0.000004] Code: Bad RIP value.
[  +0.000001] RSP: 002b:00007feb2d45ca88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  +0.000001] RAX: ffffffffffffffda RBX: 0000000000000012 RCX: 00007feb329538eb
[  +0.000001] RDX: 00007feb2d45cab0 RSI: 00000000c0185500 RDI: 0000000000000012
[  +0.000000] RBP: 00007feb2d45cb90 R08: 0000000000000000 R09: 0000000000000004
[  +0.000001] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000a46315f4
[  +0.000001] R13: 0000000019f8704f R14: 0000000000000040 R15: 0000000001870340
[  +7.665907] usb 1-2: usbfs: USBDEVFS_CONTROL failed cmd checkra1n rqt 33 rq 1 len 64 ret -71
[  +0.000011] usb 1-2: USB disconnect, device number 16
[  +0.633945] usb 1-2: new high-speed USB device number 17 using xhci_hcd
[  +0.140196] usb 1-2: config index 0 descriptor too short (expected 25, got 9)
[  +0.000003] usb 1-2: config 1 has 0 interfaces, different from the descriptor's value: 1
[  +0.000283] usb 1-2: New USB device found, idVendor=05ac, idProduct=1227, bcdDevice= 0.00
[  +0.000002] usb 1-2: New USB device strings: Mfr=2, Product=3, SerialNumber=4
[  +0.000002] usb 1-2: Product: Љ
[  +0.000001] usb 1-2: Manufacturer: Apple Mobile Device (DFU Mode)
[  +0.000001] usb 1-2: SerialNumber: Apple Inc.
[  +5.212902] usb 1-2: can't set config #1, error -110

nergzd723 commented 4 years ago

The replug workaround never worked reliably. And literally none of that code changed between 0.10.1 and 0.10.2. I'm also skeptical as to whether A7 devices ever worked on Linux...

Yes they did.

Unfortunately, my iPad is broken and I can't test it now, but I think I've updated to 0.10.2 as soon as it came out (for iPad Air 2 13.4.1 support), and I've jailbroken A7 on 0.10.2 too, but I'm not too sure.

[ +5.212902] usb 1-2: can't set config #1, error -110

This seems strange and frustrating. Try using ehci instead of xhci, maybe that would help (I always jailbreak with ehci USB2).

johnhaxx commented 4 years ago

So I got it to work last night, apparently I was missing some packages (or they were incomplete) that were causing it to not work.

iPad Mini 2 WiFi, Ubuntu and Mint, official Apple cable

I was also having issues with my 7th generation iPad and this fixed it for both of them.

Run /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install.sh)"

brew install usbmuxd

Then run checkra1n and like someone else said in another ticket, in another terminal run

cat /dev/kmsg

Watch that log after you get hung on "right before trigger" and eventually you'll see it time out with a message. I'm not at my computer so I can't get a screen grab and I don't recall what it looks like, but it will happen a few minutes after the stream of USBDEVFS_FAILED messages.

Instead of unplugging it all the way, I just lightly popped the cable out by like a millimeter. Just enough that I felt it "pop" and then pushed it back in. From there it quickly finished the jailbreak.

I was on a device that is activation locked, but I was able to confirm root through SSH before moving on to bypassing the lock (the iPad isn't stolen, it was found at work months ago and I made multiple attempts to find the owner).
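As an added example (not from this thread or the checkra1n project), a small kmsg triage script for the "watch /dev/kmsg" procedure above: it reads the usbfs lines the thread tells you to look for and names the terminal state. The errno names come from a fixed Linux table, and the sample lines are a constructed excerpt of the dmesg posted in this report.

```python
import re
from collections import Counter

# Linux errno numbers as printed by usbfs; a fixed table so results do not depend on the host OS.
LINUX_ERRNO = {110: "ETIMEDOUT", 71: "EPROTO"}
PATTERNS = {
    "control_fail": re.compile(r"usbfs: USBDEVFS_CONTROL failed cmd \S+ rqt \d+ rq \d+ len \d+ ret (-?\d+)"),
    "hung_task": re.compile(r"INFO: task ([^:]+):(\d+) blocked for more than (\d+) seconds"),
    "disconnect": re.compile(r"USB disconnect, device number (\d+)"),
    "new_device": re.compile(r"new \S+-speed USB device number (\d+)"),
    "bad_descriptor": re.compile(r"config index \d+ descriptor too short"),
    "set_config_fail": re.compile(r"can't set config #\d+, error (-?\d+)"),
}

def errname(ret):  # map a negative usbfs return value to its Linux errno name
    return LINUX_ERRNO.get(-int(ret), ret)

def triage_kmsg(lines):
    """Reduce a kmsg/dmesg excerpt to the events this thread tells users to watch for."""
    s = {"control_failures": Counter(), "hung_tasks": [], "reenumerations": [],
         "bad_descriptor": False, "set_config_error": None}
    pending = None  # device number of the last disconnect, paired with the next enumeration
    for line in lines:
        hits = {k: p.search(line) for k, p in PATTERNS.items()}
        if hits["control_fail"]:
            s["control_failures"][errname(hits["control_fail"].group(1))] += 1
        elif hits["hung_task"]:
            s["hung_tasks"].append(hits["hung_task"].groups())  # (task name, pid, seconds)
        elif hits["disconnect"]:
            pending = int(hits["disconnect"].group(1))
        elif hits["new_device"]:
            s["reenumerations"].append((pending, int(hits["new_device"].group(1))))
            pending = None
        elif hits["bad_descriptor"]:
            s["bad_descriptor"] = True
        elif hits["set_config_fail"]:
            s["set_config_error"] = errname(hits["set_config_fail"].group(1))
    return s

def verdict(s):
    """Name the state; the 'stuck' signature is hung task + re-enumeration with a bad descriptor + SET_CONFIGURATION timeout."""
    if s["hung_tasks"] and s["bad_descriptor"] and s["set_config_error"] == "ETIMEDOUT":
        return "stuck: host timed out, device re-enumerated with a truncated descriptor, config never set"
    return "control transfers failing, no terminal state yet" if s["control_failures"] else "no usbfs failures seen"

# Constructed excerpt mirroring the dmesg lines in the report above (not a full capture).
SAMPLE_KMSG = """\
[  +0.009994] usb 1-2: usbfs: USBDEVFS_CONTROL failed cmd checkra1n rqt 128 rq 6 len 64 ret -110
[Jun 9 22:01] INFO: task checkra1n:1543935 blocked for more than 122 seconds.
[  +7.665907] usb 1-2: usbfs: USBDEVFS_CONTROL failed cmd checkra1n rqt 33 rq 1 len 64 ret -71
[  +0.000011] usb 1-2: USB disconnect, device number 16
[  +0.633945] usb 1-2: new high-speed USB device number 17 using xhci_hcd
[  +0.140196] usb 1-2: config index 0 descriptor too short (expected 25, got 9)
[  +5.212902] usb 1-2: can't set config #1, error -110
""".splitlines()
```

To run it against a live session, feed `triage_kmsg` the lines from `cat /dev/kmsg` instead of `SAMPLE_KMSG`.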

Siguza commented 4 years ago

I'm just gonna mark this as a dupe of #1169 and ask you to continue any discussion about this over there.

paulshriner commented 4 years ago

I have this same exact issue. Previously I was able to jailbreak A7 devices with checkra1n on Linux Mint 19.3 but when I updated to Mint 20.0 beta checkra1n didn't work. I even tried downgrading back to Mint 19.3 and it does not work. I think this may be an issue with one of the dependencies checkra1n requires, maybe one of them was updated which is causing checkra1n to not work on A7.

ForgottenGods commented 3 years ago

I have been trying with an iPad mini 2, and I have found another partial workaround. I was able to replicate it as well but in my test I did it 20 times and was only able to get it to work 3 times.

What I did was, when it got to "right before trigger", I rapidly unplugged and replugged my iPad. It took about 3 times, then I would see the "booting" line; however, most of the time what happened was it just booted back to the setup menu (my device was reset to act as an iCloud locked device). But 3 out of the 20 times I tried, it went through the whole process. This is on a Windows PC using bootra1n as I don't own a Mac; also I seemed to have a better success rate using the 32-bit version of bootra1n, even though my PC is 64-bit.

I hope this helps somebody as it seems to be a little more consistent. Have a good day

zamceaser commented 3 years ago

I was on a device that is activation locked, but I was able to confirm root through SSH before moving on to bypassing the lock (the iPad isn't stolen, it was found at work months ago and I made multiple attempts to find the owner).

What did you then use to bypass your iCloud?

Siguza commented 3 years ago

Locking this as we don't want iCloud bypass discussions here.