kpwn / yalu

incomplete ios 8.4.1 jailbreak by Kim Jong Cracks (8.4.1 codesign & sandbox bypass w/ LPE to root & untether)

What is supposed to happen after tapping "Jailbreak" #36

Open datatwo opened 8 years ago

datatwo commented 8 years ago

I prepared my bootstrap.tgz with Cydia and openssh, removed patcyh files, and fixed the zcat error using gzcat instead, since OSX doesn't seem to like zcat

Trying this on an iPhone 5 (so, 32 bit), I get this on the syslog, and the black screen goes back to SpringBoard. The syslog messages make me think the jailbreak script is not succeeding, but I'll let the experts give me any hints?

Thanks

Nov 27 15:52:20 Datas-iPhone SpringBoard[43] <Warning>: Forcing crash report of <FBApplicationProcess: 0x190f47c0; MobileReplayer; pid: 176> (reason: 1, description: developer.apple.wwdc-Release failed to launch in time)
Nov 27 15:52:20 Datas-iPhone ReportCrash[177] <Error>: task_set_exception_ports(B07, 400, D03, 0, 0) failed with error (4: (os/kern) invalid argument)
Nov 27 15:52:20 Datas-iPhone ReportCrash[177] <Error>: [CrashReport _extractBinaryImageInfoUsingSymbolicator] caught exception: *** setObjectForKey: object cannot be nil (key: ExecutablePath) (0x2734cf8f 0x359fdc8b 0x272687d3 0xf2f3b 0x2d2af2a9 0xf2c57 0xf1dff 0xfb143 0xf1273 0xf146d 0x36072b85 0xfac1d 0x360f4e17 0x360f4d8b 0x360f2b14)
Nov 27 15:52:20 Datas-iPhone com.apple.xpc.launchd[1] (UIKitApplication:developer.apple.wwdc-Release[0x5b63][176]) <Notice>: Service exited due to signal: Killed: 9
Nov 27 15:52:20 Datas-iPhone SpringBoard[43] <Warning>: Finished crash reporting.
Nov 27 15:52:20 Datas-iPhone ReportCrash[177] <Notice>: Saved report to /var/mobile/Library/Logs/CrashReporter/MobileReplayer_2015-11-27-155220_Datas-iPhone.ips
Nov 27 15:52:20 Datas-iPhone SpringBoard[43] <Warning>: Application 'UIKitApplication:developer.apple.wwdc-Release[0x5b63]' exited abnormally via signal.
Nov 27 15:52:20 Datas-iPhone UserEventAgent[17] <Warning>: Tracking com.apple.MobileReplayer (via activity)
Nov 27 15:52:20 Datas-iPhone SpringBoard[43] <Warning>: Unable to deliver -[UIRemoteApplication showTopMostMiniAlertWithSynchronizationPort:] message to port 0: (ipc/send) invalid destination port
Nov 27 15:52:20 Datas-iPhone SpringBoard[43] <Warning>: LICreateIconForImage passed NULL CGImageRef image
Nov 27 15:52:21 Datas-iPhone locationd[64] <Notice>: Gesture EnabledForTopCLient: 0, EnabledInDaemonSettings: 0
Nov 27 15:52:41 Datas-iPhone SpringBoard[43] <Warning>: Forcing crash report of <FBApplicationProcess: 0x19491940; MobileReplayer; pid: 178> (reason: 1, description: developer.apple.wwdc-Release failed to launch in time)
Nov 27 15:52:41 Datas-iPhone ReportCrash[179] <Error>: task_set_exception_ports(B07, 400, D03, 0, 0) failed with error (4: (os/kern) invalid argument)
Nov 27 15:52:41 Datas-iPhone ReportCrash[179] <Error>: [CrashReport _extractBinaryImageInfoUsingSymbolicator] caught exception: *** setObjectForKey: object cannot be nil (key: ExecutablePath) (0x2734cf8f 0x359fdc8b 0x272687d3 0x101f3b 0x2d2af2a9 0x101c57 0x100dff 0x10a143 0x100273 0x10046d 0x36072b85 0x109c1d 0x360f4e17 0x360f4d8b 0x360f2b14)
Nov 27 15:52:41 Datas-iPhone com.apple.xpc.launchd[1] (UIKitApplication:developer.apple.wwdc-Release[0x9aa1][178]) <Notice>: Service exited due to signal: Killed: 9
Nov 27 15:52:41 Datas-iPhone SpringBoard[43] <Warning>: Finished crash reporting.
Nov 27 15:52:41 Datas-iPhone ReportCrash[179] <Notice>: Saved report to /var/mobile/Library/Logs/CrashReporter/MobileReplayer_2015-11-27-155241_Datas-iPhone.ips
Nov 27 15:52:41 Datas-iPhone SpringBoard[43] <Warning>: Application 'UIKitApplication:developer.apple.wwdc-Release[0x9aa1]' exited abnormally via signal.
Nov 27 15:52:41 Datas-iPhone SpringBoard[43] <Warning>: Unable to deliver -[UIRemoteApplication showTopMostMiniAlertWithSynchronizationPort:] message to port 0: (ipc/send) invalid destination port

Here's kjc_jb.log:

yalubreak iso841 - Kim Jong Cracks Research
Credits:
qwertyoruiop - sb escape & codesign bypass & initial kernel exploit
panguteam: kernel vulns
windknown: kernel exploit & knows it's stuff
_Morpheus_: this guy knows stuff
jk9356: kim jong cracks anthem
JonSeals: crack rocks supply (w/ Frank & haifisch)
ih8sn0w: <3
posixninja: <3
xerub <3
its_not_herpes because thanks god it wasnt herpes
eric fuck off
Kim Jong Un for being Dear Leader.
RIP TTWJ / PYTECH / DISSIDENT
SHOUT OUT @ ALL THE OLD GANGSTAS STILL IN THE JB SCENE
HEROIN IS THE MEANING OF LIFE

BRITTA ROLL UP [no its not pythech!] 
[i] iomasterport: 0x0000070b / gasgauge user client: 0x0000050b
jk++
ret: 257f1000
ret: 00000000
found overlapping object
ret: 00000048
yalubreak iso841 - Kim Jong Cracks Research
Credits:
qwertyoruiop - sb escape & codesign bypass & initial kernel exploit
panguteam: kernel vulns
windknown: kernel exploit & knows it's stuff
_Morpheus_: this guy knows stuff
jk9356: kim jong cracks anthem
JonSeals: crack rocks supply (w/ Frank & haifisch)
ih8sn0w: <3
posixninja: <3
xerub <3
its_not_herpes because thanks god it wasnt herpes
eric fuck off
Kim Jong Un for being Dear Leader.
RIP TTWJ / PYTECH / DISSIDENT
SHOUT OUT @ ALL THE OLD GANGSTAS STILL IN THE JB SCENE
HEROIN IS THE MEANING OF LIFE

BRITTA ROLL UP [no its not pythech!] 
[i] iomasterport: 0x0000070b / gasgauge user client: 0x0000050b
jk++
ret: 257f1000
ret: 00000000
found overlapping object
ret: 00000048
yalubreak iso841 - Kim Jong Cracks Research
Credits:
qwertyoruiop - sb escape & codesign bypass & initial kernel exploit
panguteam: kernel vulns
windknown: kernel exploit & knows it's stuff
_Morpheus_: this guy knows stuff
jk9356: kim jong cracks anthem
JonSeals: crack rocks supply (w/ Frank & haifisch)
ih8sn0w: <3
posixninja: <3
xerub <3
its_not_herpes because thanks god it wasnt herpes
eric fuck off
Kim Jong Un for being Dear Leader.
RIP TTWJ / PYTECH / DISSIDENT
SHOUT OUT @ ALL THE OLD GANGSTAS STILL IN THE JB SCENE
HEROIN IS THE MEANING OF LIFE

BRITTA ROLL UP [no its not pythech!] 
[i] iomasterport: 0x0000070b / gasgauge user client: 0x0000050b
jk++
ret: 257f1000
ret: 00000000
found overlapping object
ret: 00000048
yalubreak iso841 - Kim Jong Cracks Research
Credits:
qwertyoruiop - sb escape & codesign bypass & initial kernel exploit
panguteam: kernel vulns
windknown: kernel exploit & knows it's stuff
_Morpheus_: this guy knows stuff
jk9356: kim jong cracks anthem
JonSeals: crack rocks supply (w/ Frank & haifisch)
ih8sn0w: <3
posixninja: <3
xerub <3
its_not_herpes because thanks god it wasnt herpes
eric fuck off
Kim Jong Un for being Dear Leader.
RIP TTWJ / PYTECH / DISSIDENT
SHOUT OUT @ ALL THE OLD GANGSTAS STILL IN THE JB SCENE
HEROIN IS THE MEANING OF LIFE

BRITTA ROLL UP [no its not pythech!] 
[i] iomasterport: 0x0000070b / gasgauge user client: 0x0000050b
jk++
ret: 23189000
ret: 00000000
found overlapping object
ret: 00000048
yalubreak iso841 - Kim Jong Cracks Research
Credits:
qwertyoruiop - sb escape & codesign bypass & initial kernel exploit
panguteam: kernel vulns
windknown: kernel exploit & knows it's stuff
_Morpheus_: this guy knows stuff
jk9356: kim jong cracks anthem
JonSeals: crack rocks supply (w/ Frank & haifisch)
ih8sn0w: <3
posixninja: <3
xerub <3
its_not_herpes because thanks god it wasnt herpes
eric fuck off
Kim Jong Un for being Dear Leader.
RIP TTWJ / PYTECH / DISSIDENT
SHOUT OUT @ ALL THE OLD GANGSTAS STILL IN THE JB SCENE
HEROIN IS THE MEANING OF LIFE

BRITTA ROLL UP [no its not pythech!] 
[i] iomasterport: 0x0000070b / gasgauge user client: 0x0000050b
jk++
ret: 25937000
ret: 00000000
found overlapping object
ret: 00000048
yalubreak iso841 - Kim Jong Cracks Research
Credits:
qwertyoruiop - sb escape & codesign bypass & initial kernel exploit
panguteam: kernel vulns
windknown: kernel exploit & knows it's stuff
_Morpheus_: this guy knows stuff
jk9356: kim jong cracks anthem
JonSeals: crack rocks supply (w/ Frank & haifisch)
ih8sn0w: <3
posixninja: <3
xerub <3
its_not_herpes because thanks god it wasnt herpes
eric fuck off
Kim Jong Un for being Dear Leader.
RIP TTWJ / PYTECH / DISSIDENT
SHOUT OUT @ ALL THE OLD GANGSTAS STILL IN THE JB SCENE
HEROIN IS THE MEANING OF LIFE

BRITTA ROLL UP [no its not pythech!] 
[i] iomasterport: 0x0000070b / gasgauge user client: 0x0000050b
jk++
ret: 25937000
ret: 00000000
found overlapping object
ret: 00000048
kot2002 commented 8 years ago

yalubreak iso841 - Kim Jong Cracks Research
Credits:
qwertyoruiop - sb escape & codesign bypass & initial kernel exploit
panguteam: kernel vulns
windknown: kernel exploit & knows it's stuff
_Morpheus_: this guy knows stuff
jk9356: kim jong cracks anthem
JonSeals: crack rocks supply (w/ Frank & haifisch)
ih8sn0w: <3
posixninja: <3
xerub <3
its_not_herpes because thanks god it wasnt herpes
eric fuck off
Kim Jong Un for being Dear Leader.
RIP TTWJ / PYTECH / DISSIDENT
SHOUT OUT @ ALL THE OLD GANGSTAS STILL IN THE JB SCENE
HEROIN IS THE MEANING OF LIFE

BRITTA ROLL UP [no its not pythech!] 
[i] iomasterport: 0x0000070b / gasgauge user client: 0x0000050b
jk++
ret: 2171f000
ret: 00000000
found overlapping object
found overlapped object
ret: ffffff80
ret: 8d10bc00
ret: ffffff80
ret: 0bdfc780
ret: 00000000
ret: 08e00000
ret: ffffff80
ret: 0ae02000
yalubreak iso841 - Kim Jong Cracks Research
Credits:
qwertyoruiop - sb escape & codesign bypass & initial kernel exploit
panguteam: kernel vulns
windknown: kernel exploit & knows it's stuff
_Morpheus_: this guy knows stuff
jk9356: kim jong cracks anthem
JonSeals: crack rocks supply (w/ Frank & haifisch)
ih8sn0w: <3
posixninja: <3
xerub <3
its_not_herpes because thanks god it wasnt herpes
eric fuck off
Kim Jong Un for being Dear Leader.
RIP TTWJ / PYTECH / DISSIDENT
SHOUT OUT @ ALL THE OLD GANGSTAS STILL IN THE JB SCENE
HEROIN IS THE MEANING OF LIFE

BRITTA ROLL UP [no its not pythech!] 
[i] iomasterport: 0x0000070b / gasgauge user client: 0x0000050b
jk++
ret: 255d3000
ret: 00000000
found overlapping object
found overlapped object
ret: ffffff80
ret: 89912800
ret: ffffff80
ret: 085fc780
ret: 00000000
ret: 05600000
ret: ffffff80
ret: 07602000

iPhone 6.

I get these. It seems that the files in the bootstrap.tar were extracted on the root, but I cannot get an ssh connection even if I run 'idevicediagnostics restart'.

I prepared bootstrap.tar with Cydia-8.4r3-Raw + OpenSSH + OpenSSL with /sbin/reboot edited.

qfdk commented 8 years ago

I think your jb should work. If you use zcat I don't think it will be extracted in root but in /a/*

kot2002 commented 8 years ago

@qfdk I made bootstrap.tar without removing Cydia.app and cydia app appeared on springboard. So, it should have been extracted in root.

By the way, my iPhone had been bricked so I had to upgrade mine to 9.1. Goodbye yalu :(

qfdk commented 8 years ago

@kot2002 I am so sorry to hear that. By the way, can you share your bootstrap.tar? You can ask @kpwn. Congratulations anyway :+1: So I have a list of the people who get a log with 5-6 RET:

iPhone 4 ?
iPhone 4s X
iPhone 5 X
iPhone 5s X
iPhone 6 √ (bricked) thx for your info
iPhone 6 p ?

mstg commented 8 years ago

If you don't remove the patched installd from the bootstrap the device will get bricked.

qfdk commented 8 years ago

@mstg I retried doing that but it doesn't work on iPhone 5S

yalubreak iso841 - Kim Jong Cracks Research
Credits:
qwertyoruiop - sb escape & codesign bypass & initial kernel exploit
panguteam: kernel vulns
windknown: kernel exploit & knows it's stuff
_Morpheus_: this guy knows stuff
jk9356: kim jong cracks anthem
JonSeals: crack rocks supply (w/ Frank & haifisch)
ih8sn0w: <3
posixninja: <3
xerub <3
its_not_herpes because thanks god it wasnt herpes
eric fuck off
Kim Jong Un for being Dear Leader.
RIP TTWJ / PYTECH / DISSIDENT
SHOUT OUT @ ALL THE OLD GANGSTAS STILL IN THE JB SCENE
HEROIN IS THE MEANING OF LIFE

BRITTA ROLL UP [no its not pythech!] 
[i] iomasterport: 0x0000070b / gasgauge user client: 0x0000050b
jk++
ret: 27cd9000
ret: 00000000
found overlapping object
ret: 00000048
yalubreak iso841 - Kim Jong Cracks Research
Credits:
qwertyoruiop - sb escape & codesign bypass & initial kernel exploit
panguteam: kernel vulns
windknown: kernel exploit & knows it's stuff
_Morpheus_: this guy knows stuff
jk9356: kim jong cracks anthem
JonSeals: crack rocks supply (w/ Frank & haifisch)
ih8sn0w: <3
posixninja: <3
xerub <3
its_not_herpes because thanks god it wasnt herpes
eric fuck off
Kim Jong Un for being Dear Leader.
RIP TTWJ / PYTECH / DISSIDENT
SHOUT OUT @ ALL THE OLD GANGSTAS STILL IN THE JB SCENE
HEROIN IS THE MEANING OF LIFE

BRITTA ROLL UP [no its not pythech!] 
[i] iomasterport: 0x0000070b / gasgauge user client: 0x0000050b
jk++
ret: 22c84000
ret: 00000000
ret: 0000000d

kpwn commented 8 years ago

@kot2002's log seems correct. To start ssh you need to swap /sbin/reboot (remember to +x the file!) with a file that loads the OpenSSH launch daemon .plist. You should be able to use launchctl for it since it was still present in 8.4.1.

kpwn commented 8 years ago

@qfdk that log means failure. I have no clue why that'd be the case since that part of the exploit always had >50% reliability in my tests. Just double checking: are you mounting the DDI after each panic? The codesign bypass needs the DDI's TrustCache to be loaded in AMFI to successfully execute.

kpwn commented 8 years ago

A tip for debugging: idevicesyslog tells you a lot about issues such as non-working SSH. As always, remember to remove patcyh and do not under any circumstance run Cydia.

Also to clear the whole zcat mess up: that was supposed to be a gzcat; my mistake.

Remember code signatures have been bypassed (and dyldmagic has run) when you get this output:

Forcing crash report of <FBApplicationProcess: 0x190f47c0; MobileReplayer; pid: 176> (reason: 1, description: developer.apple.wwdc-Release failed to launch in time)

Kernel exploit success implies a bunch of kernel pointers logged, as in @kot2002's log:

found overlapping object
found overlapped object
ret: ffffff80
ret: 8d10bc00
ret: ffffff80
ret: 0bdfc780
ret: 00000000
ret: 08e00000
ret: ffffff80
ret: 0ae02000
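As an added diagnostic example (not part of the original thread or the yalu project), this Python triage script splits a kjc_jb.log into runs on its banner line and classifies each run by the criteria kpwn gives above; the ffffff80 high-half heuristic for kernel pointers is an assumption taken from the shape of kot2002's 64-bit log, and the sample lines are constructed from values quoted in this thread.

```python
import re
from dataclasses import dataclass, field

BANNER = "yalubreak iso841 - Kim Jong Cracks Research"   # first line of every run
RET_RE = re.compile(r"^ret:\s*([0-9a-fA-F]{8})$")
# Syslog line that, per the maintainer, shows the codesign bypass (and dyldmagic) ran.
CODESIGN_RE = re.compile(r"Forcing crash report of <FBApplicationProcess: 0x[0-9a-f]+; MobileReplayer;")

@dataclass
class Run:
    rets: list = field(default_factory=list)   # every 32-bit "ret:" value, in order
    overlapping: bool = False                  # "found overlapping object" seen
    overlapped: bool = False                   # "found overlapped object" seen

    def kernel_pointers(self):
        # Assumption: on a 64-bit device the log prints each kernel pointer as two
        # 32-bit halves, high half first, and the kernel lives at 0xffffff80_xxxxxxxx.
        return [(hi << 32) | lo for hi, lo in zip(self.rets, self.rets[1:]) if hi == 0xffffff80]

    def verdict(self):
        if self.overlapped and self.kernel_pointers():
            return "kernel exploit succeeded"
        if self.overlapping:
            return "overlap found but exploit failed"   # e.g. trailing ret: 00000048
        return "no overlapping object found"            # e.g. trailing ret: 0000000d

def parse_runs(log_text):
    """Split kjc_jb.log into Run objects, one per banner; credits lines are ignored."""
    runs = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == BANNER:
            runs.append(Run())
        elif not runs:
            continue                                   # text before the first banner
        elif (m := RET_RE.match(line)):
            runs[-1].rets.append(int(m.group(1), 16))
        elif line == "found overlapping object":
            runs[-1].overlapping = True
        elif line == "found overlapped object":
            runs[-1].overlapped = True
    return runs

def codesign_bypassed(syslog_text):
    """True if the syslog shows the MobileReplayer launch-timeout crash kpwn describes."""
    return CODESIGN_RE.search(syslog_text) is not None

# Constructed sample: the three run shapes quoted in this thread (credits lines omitted).
SAMPLE_LOG = "\n".join([
    BANNER, "jk++", "ret: 2171f000", "ret: 00000000", "found overlapping object",
    "found overlapped object", "ret: ffffff80", "ret: 8d10bc00", "ret: ffffff80",
    "ret: 0bdfc780", "ret: 00000000", "ret: 08e00000", "ret: ffffff80", "ret: 0ae02000",
    BANNER, "jk++", "ret: 27cd9000", "ret: 00000000", "found overlapping object", "ret: 00000048",
    BANNER, "jk++", "ret: 22c84000", "ret: 00000000", "ret: 0000000d",
])
SAMPLE_SYSLOG = ("Dec 14 16:05:41 Datas-iPhone SpringBoard[43] <Warning>: Forcing crash report of "
                 "<FBApplicationProcess: 0x163bce60; MobileReplayer; pid: 193> (reason: 1, "
                 "description: developer.apple.wwdc-Release failed to launch in time)")
```

Run it against your own kjc_jb.log and idevicesyslog capture by passing their contents to parse_runs() and codesign_bypassed(); a run whose verdict is not "kernel exploit succeeded" matches the failure cases kpwn points out.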
qfdk commented 8 years ago

Yes, each time I use my script fetchsymbols_armv7, the first thing it does is mount_ddi :) Sometimes fetchsymbols_armv7 works, sometimes fetchsymbols_arm64 works, I have no idea :X I can get Nov 29 10:58:16 iPhone SpringBoard[50] <Warning>: Forcing crash report of <FBApplicationProcess: 0x12d5f4e80; MobileReplayer; pid: 162> (reason: 1, description: developer.apple.wwdc-Release failed to launch in time) but not all the time. So I get a blue screen OR

ret: 27cd9000
ret: 00000000
found overlapping object
ret: 00000048

OR

ret: 22c84000
ret: 00000000
ret: 0000000d

Thx anyway

kpwn commented 8 years ago

I believe there may be a specific per-device offset involved, and that's the cause of the issue. I believe a kernel dump for your device is needed. There's some commented out code for that in dyldmagic.

datatwo commented 8 years ago

If Cydia can't be touched, what is the point of putting it in the bootstrap tar? How can we get a Cydia version that works?

Thanks for all the help

qfdk commented 8 years ago

@kpwn If you have some free time could you help me to do those things?

ericcastro commented 8 years ago

Can anyone please upload a working bootstrap.tar / tgz?

russspooner commented 8 years ago

@ericcastro did you manage to get hold of a bootstrap? I am looking for one as well :-/

ericcastro commented 8 years ago

Nope, as I haven't gotten a response.

@qfdk and @kpwn would you mind providing us a working bootstrap tar?

I can't figure out what is wrong from the logs I get so the only thing I can think of is that my bootstrap tar isn't properly formed despite having carefully read every single detail in each of your comments...

qfdk commented 8 years ago

@ericcastro I'm not sure whether my bootstrap works... Normally it should work, but since the Yalu code has a bug on the 5S I can't test it. If you want to test it I'll share it then. =) Good luck

kamh1 commented 8 years ago

Hello, so I've gone through the whole process and the only place it seems to be going wrong is here:

zcat: can't stat: ./data/bootstrap.tgz (./data/bootstrap.tgz.Z): No such file or directory Uploaded 0 bytes to PhotoData/KimJongCracks/bootstrap.tar

When tapping Jailbreak the first time I got a blue screen, the second time a black one. Do you know where I go from here? And please give me as many specific instructions as possible, as I'm entirely new to this.

Thanks

ericcastro commented 8 years ago

Thanks qfdk, I'll try it, but did you manage to get it working on any device?

I have an iPhone 5

ericcastro commented 8 years ago

Nope, it doesn't work. After tapping "Jailbreak" I get this black screen for a few seconds, and I get this in the syslog:

Dec 14 16:05:41 Datas-iPhone SpringBoard[43] <Warning>: Forcing crash report of <FBApplicationProcess: 0x163bce60; MobileReplayer; pid: 193> (reason: 1, description: developer.apple.wwdc-Release failed to launch in time)
Dec 14 16:05:41 Datas-iPhone ReportCrash[196] <Error>: task_set_exception_ports(B07, 400, D03, 0, 0) failed with error (4: (os/kern) invalid argument)
Dec 14 16:05:41 Datas-iPhone ReportCrash[196] <Error>: [CrashReport _extractBinaryImageInfoUsingSymbolicator] caught exception: *** setObjectForKey: object cannot be nil (key: ExecutablePath) (0x24ce7f8f 0x33398c8b 0x24c037d3 0xf6f3b 0x2ac4a2a9 0xf6c57 0xf5dff 0xff143 0xf5273 0xf546d 0x33a0db85 0xfec1d 0x33a8fe17 0x33a8fd8b 0x33a8db14)
Dec 14 16:05:41 Datas-iPhone com.apple.xpc.launchd[1] (UIKitApplication:developer.apple.wwdc-Release[0x2af5][193]) <Notice>: Service exited due to signal: Killed: 9
Dec 14 16:05:41 Datas-iPhone SpringBoard[43] <Warning>: Finished crash reporting.
Dec 14 16:05:41 Datas-iPhone ReportCrash[196] <Notice>: Saved report to /var/mobile/Library/Logs/CrashReporter/MobileReplayer_2015-12-14-160541_Datas-iPhone.ips
Dec 14 16:05:41 Datas-iPhone SpringBoard[43] <Warning>: Application 'UIKitApplication:developer.apple.wwdc-Release[0x2af5]' exited abnormally via signal.
Dec 14 16:05:41 Datas-iPhone SpringBoard[43] <Warning>: Unable to deliver -[UIRemoteApplication showTopMostMiniAlertWithSynchronizationPort:] message to port 0: (ipc/send) invalid destination port
Dec 14 16:05:41 Datas-iPhone UserEventAgent[17] <Warning>: Tracking com.apple.MobileReplayer (via activity)

which doesn't look good to me, but as I cannot be sure whether this is normal or not, I still run "idevicediagnostics restart", and once the phone reboots I try connecting via SSH and it won't work.

To whoever made this jailbreak: it needs tons of work. The success rate seems to be 1%, as I haven't seen any other person than @kpwn be successful with it.

qfdk commented 8 years ago

Look at your log first; kot2002 succeeded on a 6 but his bootstrap isn't good. If the code doesn't go through, the bootstrap file will be nothing :/

stek29 commented 8 years ago

@ericcastro @russspooner Did you find ANY working bootstrap.tgz?

ericcastro commented 8 years ago

Nope. I gave up on this a while ago since nobody seems to be able to provide a confirmed-working bootstrap.tgz, and for the ones I try I have very little understanding of the problem.

stek29 commented 8 years ago

@ericcastro I made one but can't test it -- the jailbreak just crashes the kernel, doesn't "0wn" it

EvilSeabass commented 8 years ago

Hey,

I don't mean to be a freeloader but I have no idea how to build a bootstrap. Would you mind uploading it and sending it to me? If not, it's cool.

Thanks

stek29 commented 8 years ago

The bootstrap file will be untarred to root. So you just need to extract the 'payload' from the debs you want to install. I'd suggest getting openssh only.