checkra1n / BugTracker

checkra1n bug tracker

Hang on "If everything went correctly, you should now have code execution." with T2 on MacBookAir9,1 #2307

Closed MrMan314 closed 1 year ago

MrMan314 commented 1 year ago

Setup:

  - Device: T2 on MacBookAir9,1
  - Checkra1n Version: 0.12.4
  - Host System: Arch Linux (latest packages)
  - Connection: USB A to USB C

Steps:

  1. Connect macbook to computer using USB-A to USB-C cable
  2. Boot macbook into DFU Mode (Device shows up in lsusb 05ac:1227)
  3. Run checkra1n as root using command sudo checkra1n -cvV (tried with safe mode too)

Expectation:

Successfully jailbreaks the T2 chip with SSH connection

Outcome:

Stuck on "If everything went correctly, you should now have code execution." Device disappears from lsusb (no Apple devices at all, i.e. nothing with vendor id 05ac). Full log:

#
# Checkra1n beta 0.12.4
#
# Proudly written in nano
# (c) 2019-2021 Kim Jong Cracks
#
#========  Made by  =======
# argp, axi0mx, danyl931, jaywalker, kirb, littlelailo, nitoTV
# never_released, nullpixel, pimskeks, qwertyoruiop, sbingner, siguza
#======== Thanks to =======
# haifisch, jndok, jonseals, xerub, lilstevie, psychotea, sferrini
# Cellebrite (ih8sn0w, cjori, ronyrus et al.)
#==========================

 - [08/25/22 22:39:56] <Info>: Waiting for DFU devices
 - [08/25/22 22:39:56] <Verbose>: DFU device connected: XXXXXXXXXXXXXX
 - [08/25/22 22:39:56] <Info>: Exploiting
 - [08/25/22 22:39:56] <Verbose>: Attempting to perform checkm8 on 8012 10...
 - [08/25/22 22:39:56] <Info>: Checking if device is ready
 - [08/25/22 22:39:56] <Verbose>: == Checkm8 Preparation stage ==
 - [08/25/22 22:39:57] <Info>: Setting up the exploit (this is the heap spray)
 - [08/25/22 22:39:57] <Verbose>: == Checkm8 Setup stage ==
 - [08/25/22 22:39:57] <Verbose>: Disabled probabilistic mode since we encountered a partial xfer
 - [08/25/22 22:39:57] <Verbose>: Deterministic approach was successful!
 - [08/25/22 22:39:57] <Info>: Right before trigger (this is the real bug setup)
 - [08/25/22 22:39:57] <Verbose>: Entered initial checkm8 state after 0 steps, issuing DFU abort..
 - [08/25/22 22:39:58] <Verbose>: DFU device connected: XXXXXXXXXXXXXX
 - [08/25/22 22:39:58] <Verbose>: == Checkm8 Trigger stage ==
 - [08/25/22 22:39:58] <Verbose>: Checkmate!
 - [08/25/22 22:39:59] <Verbose>: DFU device connected: XXXXXXXXXXXXXX
 - [08/25/22 22:39:59] <Verbose>: == Checkm8 Trying to run payload... ==
 - [08/25/22 22:39:59] <Verbose>: If everything went correctly, you should now have code execution.
(hangs here)
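A host-side check for the symptom in this report (the device vanishing from lsusb while the tool sits on the last message), added here as an example; it is not checkra1n's code, and it assumes lsusb's "ID vvvv:pppp" line format and the DFU id 05ac:1227 quoted in the steps above:

```shell
#!/bin/sh
# Classify what the host sees of the T2 from one lsusb-style listing.
# $1 = listing text. Prints: dfu | apple-other | absent
usb_state() {
    listing=$1
    if printf '%s\n' "$listing" | grep -q 'ID 05ac:1227'; then
        echo dfu            # DFU mode, as in step 2 of the report
    elif printf '%s\n' "$listing" | grep -q 'ID 05ac:'; then
        echo apple-other    # some other Apple device/mode is enumerated
    else
        echo absent         # no 05ac device at all: the hang symptom
    fi
}

# Watchdog: poll a listing command once per second for $1 seconds.
# $2 is the command that prints the listing (normally "lsusb"; a printf
# string in tests so this runs offline). Prints the final state.
# Returns 0 if the device stayed in DFU, 1 as soon as it left DFU,
# so a wrapper can fail loudly instead of waiting forever.
watch_dfu() {
    deadline=$1
    lister=$2
    elapsed=0
    while [ "$elapsed" -lt "$deadline" ]; do
        state=$(usb_state "$(eval "$lister")")
        if [ "$state" != dfu ]; then
            echo "device left DFU after ${elapsed}s: $state" >&2
            echo "$state"
            return 1
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    echo dfu
    return 0
}

# Example use alongside the run in the report: watch_dfu 60 lsusb
```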
linuxmagic-mp commented 1 year ago

Now have the same problem with iPhone 8 Plus, using the GUI I always ended up stuck on the trigger, https://github.com/checkra1n/BugTracker/issues/2330 So tried it by connecting in manually, manually setting it into DFU mode, then running checkra1n in CLI mode, and now stuck here. What did you end up discovering?

MrMan314 commented 1 year ago

versions >= 6.0 are not supported by checkra1n so...

linuxmagic-mp commented 1 year ago

On 2022-12-03 19:30, MrMan314 wrote:

versions >= 6.0 are not supported by checkra1n so...


You mean it does not support any Apple device since the iPhone 6?

That doesn't appear to be the case. In any case, the program can be a little more explicit on what the problem is, and if there is an error condition to properly error out rather than hanging.

Or were you responding to the original Airbook issue?

The GUI version just hung after 'Right before trigger (this is the real bug setup)', rather than picking up on the error and exiting.


Tirante-el-Blanco commented 1 year ago

@MrMan314 Hello, this tool doesn't support newer BridgeOS I think. But did you find an alternative tool? I'm just investigating building a custom ramdisk with ssh access; it's apparently possible, so it's a challenge I'm trying.

MrMan314 commented 1 year ago

@Tirante-el-Blanco I tried the SSHRD_Script from https://github.com/verygenericname/SSHRD_Script, but it did nothing at boot for my specific T2 model (no ssh, no iproxy connection)

Tirante-el-Blanco commented 1 year ago

@MrMan314 same for me when I tried; unfortunately I won't have time anytime soon. But someone gave me this tool to downgrade BridgeOS, which theoretically might work or not, and then run checkra1n:

https://github.com/mineek/iostethereddowngrade

The other thing I was trying was to patch the image SSHRD uses (which seems to boot, judging from the text I see on the touchbar display, although without sshd exposing anything; see https://github.com/danieltroger/telnetd_ramdisk) to use telnet and not dropbear.

I'll report back when I manage to have a couple of days off to tinker with this. The checkra1n team will most likely support newer BridgeOSes in upcoming releases though.