doadam / ziVA

An iOS kernel exploit designated to work on all iOS devices <= 10.3.1

Service AppleAVEDriver not found #7

Open ajsacco opened 6 years ago

ajsacco commented 6 years ago

When running the exploit on my iPhone 5S 10.2.1, I get stuck at:

msg too large: Error retrieving name Service AppleAVEDriver not found! Error initiating a connection to the AppleAVE driver

hobbitlv1 commented 6 years ago

Hi, how are you running the exploit?

ajsacco commented 6 years ago

I added the files to yalu102 as Luca suggested, triggering main() when the app opens. I feel like ziVA might be running in the sandbox but I'm not completely sure. (I'm pretty new to iOS exploitation; I'm just playing around with it and I don't really know much.)

P.S. I've also created a project with triple_fetch and ziVA; I have gotten triple_fetch to work but I'm not 100% sure how to implement ziVA.

soup6020 commented 6 years ago

ziVA requires a sandbox escape, and I’m fairly sure Yalu doesn’t contain one. You would need triple_fetch, ziVA, and Yalu’s KPP bypass.

ajsacco commented 6 years ago

Do you have any ideas on how I should implement Yalu? Again, I don't have any experience in iOS exploits, so I will take any advice.

soup6020 commented 6 years ago

Neither do I. I’m just going off of what people like S1guza have said.

arinc9 commented 6 years ago

I have the exact same problem with my triple_fetch-combined ziVA exploit. I posted my issue 9 days ago, but @doadam has a job and doesn't have time for explaining to dummies how to fix dummy problems lol. Anyway, I saw you are asking how to use the ziVA exploit with triple_fetch. Here is how I made it work: First, my device is iPhone7,1 (6+), so it is not supported by official ziVA, so I downloaded @Mila432's offsets.m commit. Then I downloaded the project, unzipped it to my macOS Sierra desktop, then replaced the offsets.m file. After that I easily built it with the Terminal app by cd and make. Then I downloaded the triple_fetch project from bugs.chromium.org. Then I copied the executable and pasted it into triple_fetch's nsxpc2pc/pocs location; I just renamed the ziVA exploit to hello_world and replaced the original one. Then I launched the triple_fetch project from Xcode and installed it to my iPhone. It automatically launched the app and the debug window showed up in Xcode; after some reboots to get the triple_fetch exploit to work, I ran the ziVA exploit by simply pressing the exec bundles button in the nsxpc2pc app on my iPhone. Then I checked the debug panel in my Xcode and got the same error code you got. Here is my issue link: https://github.com/doadam/ziVA/issues/5

ajsacco commented 6 years ago

Do you know exactly what ziVA does? It says kernel exploit but what does that do? Gain root access?

arinc9 commented 6 years ago

Actually I don't know because I didn't get it to work.

arinc9 commented 6 years ago

I was trying to enable tfp0 to downgrade; I don't care about a jailbreak for 10.3, it is slower than 10.2.

ajsacco commented 6 years ago

Doesn't triple_fetch get tfp0? If so, you might be able to modify nonceenabler and run it as a poc.

ajsacco commented 6 years ago

How did you get the ziVA poc to output in the Xcode debugger? I'm not getting any output from ziVA itself, just the nsxpc2pc app.

arinc9 commented 6 years ago

Oh sorry, I forgot to mention that. I only got debug output with @Mila432's ziVA exploit fork. But don't forget to change the offsets, because Mila closed the pull request, so it is not included in his/her fork.

arinc9 commented 6 years ago

And no, triple_fetch has nothing to do with tfp0. In order to enable tfp0 on 10.3, siguza has written an article about it, because there are some changes to tfp0 in 10.3 compared to 10.2.

jakeajames commented 6 years ago

Run ziVA with a sandbox bypass: http://github.com/coffeebreakerz/CheekiJailbreeki (not jailbreak)

arinc9 commented 6 years ago

Coffeebreakerz are fake; I won't use any tools created by them.

arinc9 commented 6 years ago

Plus, if this project was working, why has nobody posted it in r/jailbreak?

ajsacco commented 6 years ago

Can you send me the ziVA binary that you used? I can't seem to get the debug log.

arinc9 commented 6 years ago

I'm on a trip sorry. You should do it on your own, this is the best way to learn, experience by yourself!

Sticktron commented 6 years ago

I don't think the 5s has an AppleAVEDriver kext. I don't see it in iOS 10.1.1 or 10.2.

jakeajames commented 6 years ago

@arinc9 "Coffeebreakerz are fake i won't use any tools created by them."

You're a complete idiot. triple_fetch needs to be modified to run ziVA correctly. And CheekiJailbreeki is the ONLY project which does that right now. Try it yourself, everything is open-source.

There are posts in /r/jailbreak, but they get downvoted by idiots like you.

ajsacco commented 6 years ago

Does anyone know where in the filesystem AppleAVEDriver is stored? I've opened the ipsw for both the iPhone 5s and iPhone 6s on 10.2.1 but can't seem to find it.

Sticktron commented 6 years ago

It is a kernel extension (driver), you have to extract it from the kernel cache.

You can use img4tool to decompress the kernelcache and then use joker to extract kexts from it.