No jailbreak on MDM enrolled device

[mat4n6]

What device + iOS version are you on? iPhone 7 iOS 13.1.2 MDM enrolled device

What checkra1n version are you using? 0.9.5 (also tried with 0.9.2 and 0.9.3)

What are the steps to reproduce the issue?

1. Start checkra1n_gui -v -
2. Connect phone in DFU
3. First step seems OK (re: picture)
4. Then phone boot normally

What do you expect, and what is happening instead?

5. phone boot with jailbreak

Any other info, error logs, screenshots, ...?

#
# Checkra1n beta 0.9.5
#
# Proudly written in nano
# (c) 2019 Kim Jong Cracks
#
#========  Made by  =======
# argp, axi0mx, danyl931, jaywalker, kirb, littlelailo
# nitoTV, nullpixel, pimskeks, qwertyoruiop, sbingner, siguza
#======== Thanks to =======
# haifisch, jndok, jonseals, xerub, lilstevie, psychotea, sferrini
# Cellebrite (ih8sn0w, cjori, ronyrus et al.)
#==========================

- [*] Waiting for DFU devices
- [*] DFU mode device found
- [*] Attempting to perform checkm8 on 8010 11...
- [*] == Checkm8 Preparation stage ==
- [*] Stalled input endpoint
- [*] DFU device disconnected
- [*] DFU mode device found
- [*] == Checkm8 Setup stage ==
- [*] Entered initial checkm8 state after 0 steps, issuing DFU abort..
- [*] DFU device disconnected
- [*] DFU mode device found
- [*] == Checkm8 Trigger stage ==
- [*] Checkmate!
- [*] DFU device disconnected
- [*] DFU mode device found
- [*] == Checkm8 Trying to run payload... ==
- [*] If everything went correctly, you should now have code execution.
- [*] DFU device disconnected
- [*] Download mode device found
- [*] Download mode device disconnected
- [!] Timed out waiting for bootstrap upload (Error -20)

--- Error Report - Request for Permission ---

Unfortunately, an error has occured during installation of the jailbreak. With your permission,
the error can be sent back to us so we can investigate this further.
we only send the error code and the device's CPU type. No trackable or other personal information will be sent.

Send report? <y/n>:

[DanyL]

Did you try using the GUI and following the on screen instructions? Also please make sure to use a USB-A to lightning cable.

[mat4n6]

didn't try GUI.. I am using USB-C to USB-A adapter (with HDMI output as well). May this cause troubleshoot? First stage seems OK

[DanyL]

USB-C to USB-A adapters should be fine. Please try following the GUI instructions to enter DFU mode cleanly, entering DFU manually may cause different kind of issues.

[mat4n6]

I tried again with GUI instruction, I can see iboot debug lines for a second, then it boots normally and I get the same error (-20). Would it be MDM protecting against some installations ?

[DanyL]

It is possible but unfortunately we currently have no device to test with. If your'e able to test this on another Mac and report back, it would be very helpful.

I'm keeping the issue open until we are able to verify if this is in fact caused by MDM.

[abdulk4d1r]

this happened to me a few times on my mac. I had to run this in terminal sudo killall -STOP -c usbd OR go into activity monitor and find usbd and force quit it. Once this is done, re jailbreak it. should work.

[DanyL]

@abdulk4d1r interesting, we'll look into this. @mat4n6 can you confirm?

[mat4n6]

same behaviour on another MAC. I also tried to kill usbd, no improvement... Picture attached just before reboot (no very clear, sorry...)

[DanyL]

Do you have another, recent iPhone model you can use on hand? If so, please try to record the screen while booting with slomo turned on

Basically what happens, is that the exploit does work and the phone did boot jailbroken, but simply failed to fetch the bootstrap.

What I think might be the case here is that the device was configured to prevent processes from muxing connections or listening on certain port ranges which were using to transfer the image with, thous breaking the last stage.

[kpwn]

can you take a slow-mo video of the logs?

[mat4n6]

Here is the complete video with slo-mo (same quality...) https://gofile.io/?c=81y8iO

[mat4n6]

I tried to a have better quality but I need to get my hands on my serial cable to have more debug.

Device seems rebooting after iboot. usbmuxing denial would cause a reboot ? Do you have a way to boot a minimal ramdisk with ssh, (so not MDM system) to see if this would solve the issue ?

[DanyL]

If everything went correctly, you should have ssh enabled on port 44. MDM shouldn't prevent you from booting tho.

[mat4n6]

Port 44 is closed on the device once booted :-( Checkra1n is using the phone own system to boot. Can we boot pushing a stock firmware in RAM instead ?